Please share with us your experience after taking the FIREWALL 642-617 exam, your materials, the way you learned, your recommendations…

Please share with us your experience after taking the SECURE 642-637 exam, your materials, the way you learned, your recommendations…

Please share with us your experience after taking the IPS v7.0 642-627 exam, your materials, the way you learned, your recommendations…

Please share with us your experience after taking the VPN 642-647 exam, your materials, the way you learned, your recommendations…

Next Gen University main campus is located in Santa Cruz. The University has recently established various remote campuses offering e-learning services. The University is using Ipsec VPN connectivity between its main and remote campuses San Jose(SJ), Los Angeles(LA), Sacremento(SAC). As a recent addition to the IT/Networking team, you have been tasked to document the Ipsec VPN configurations to the remote campuses using the Cisco Router and SDM utility. Using the SDM output from VPN Tasks under the Configure tab to answer this question.

Note:

Before reading the answers and explanations, you can try answering these 4 questions. Below are the screenshots that are necessary to answer all the questions.

Click on the Configure tab on the top menu and then click on the VPN tab on the left-side menu to see these tabs

+ Tab VPN\Site-to-Site VPN (notice: you have to click on the “Edit Site to Site VPN” tab to see the image below

+ Tab VPN\VPN Components\IPSec\IPSec Policies

+ Tab Dynamic Crypto is empty so there is no screenshot for this tab

+ Tab IPSec Profiles is empty so there is no screenshot for this tab

+ Tab VPN\VPN Components\IPSec\Transform Sets

+ Tab VPN\VPN Components\IPSec\IPSec Rules

Question 1

Which one of these statements is correct in regards to Next Gen University Ipsec tunnel between its Santa Cruz main campus and its SJ remote campus?

A. It is using Ipsec tunnel mode, AES encryption, and SHA HMAC integrity Check.
B. It is using Ipsec transport mode, 3DES encryption, and SHA HMAC integrity Check.
C. It is using Ipsec tunnel mode to protect the traffic between the 10.10.10.0/24 and the 10.2.54.0/24 subnet.
D. It is using digital certificate to authenticate between the Ipsec peers and DH group 2.
E. It is using pre-shared key to authenticate between the Ipsec peers and DH group 5.

Answer: C

Explanation

From the Site-to-site VPN tab, we specify that the SJ’s IP address is 192.168.2.57 with IPsec Rule of 152. Click on the IPSec Rules group to see what rule 152 is -> rule 152 is permit source 10.10.10.0/24 to destination 10.2.54.0/24.

Also, in the description of the above tab, we can see “Tunnel to SJ remote campus” -> it uses Tunnel mode (although it is only the description and can be anything but we can believe it uses Tunnel mode). If you don’t want to accept this explanation then have a look at the IPSec Policy & Seq No. columns, which are SDM_CMAP_1 & 1. Click on the VPN Components\IPSec\IPSec Policies group we will learn the corresponding Transform Set is ESP-3DES-SHA. Then click on the Transform Sets group we can see the corresponding mode is TUNNEL.

Question 2

Which one of these statements is correct in regards to Next Gen University Ipsec tunnel between its Santa Cruz main campus and its SAC remote campus?

A. The SAC remote campus remote router is using dynamic IP address; therefore, the Santa Cruz router is using a dynamic crypto map.
B. Dead Peer Detection (DPD) is used to monitor the Ipsec tunnel, so if there is no traffic traversing between the two sites, the Ipsec tunnel will disconnect.
C. Tunnel mode is used; therefore, a GRE tunnel interface will be configured.
D. Only the ESP protocol is being used; AH is not being used.

Answer: D

Explanation

A is not correct because the VPN Components\IPSec\Dynamic Crypto Map group is empty -> the Santa Cruz router is not using a dynamic crypto map.

Not sure about answer B. We can find DPD information in the VPN Components\IKE\IKE Profiles group but I am not sure if this group exists in the exam.

C is not correct as we can use Tunnel mode without a GRE tunnel.

D is correct as we can see there is no AH configured under AH Integrity column in the VPN Components\IPSec\Transform Sets group (while in the ESP Integrity column it is ESP_SHA_HMAC).

Question 3

Which of these is used to define which traffic will be protected by IPsec between the Next Gen University Santa Cruz main campus and its SAC remote campus?

A. ACL 177
B. ACL 167
C. ACL 152
D. ESP-3DES-SHA1 transform set
E. ESP-3DES-SHA2 transform set
F. IKE Phase 1

Answer: A

Explanation

In the VPN\Site-to-site-VPN group we can easily see the SAC remote campus is protected by IPSec rule 177, which is an access-list

Question 4

The Ipsec tunnel to the SAC remote campus terminates at which IP address, and what is the protected subnet behind the SAC remote campus router? (Choose two)

A. 192.168.2.57
B. 192.168.5.48
C. 192.168.8.58
D. 10.2.54.0/24
E. 10.5.66.0/24
F. 10.8.75.0/24

Answer: C F

Explanation

Note:

Some terminologies you should know when configuring SDM

IPSec

A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

IPSec Policy

In SDM, an IPSec policy is a named set of crypto map associated with a VPN connection.

Internet Key Exchange (IKE)

Internet Key Exchange (IKE) is a standard method for arranging for secure, authenticated communications. IKE establishes session keys (and associated cryptographic and networking configuration) between two hosts across the network.

Cisco SDM lets you create IKE policies that will protect the identities of peers during authentication. Cisco SDM also lets you create pre-shared keys that peers exchange.

IKE Policies

IKE negotiations must be protected; therefore, each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations. This window shows the IKE policies configured on the router, and allows you to add, edit, or remove an IKE policy from the router’s configuration. If no IKE policies have been configured on the router, this window shows the default IKE policy.

After the two peers agree on a policy, the security parameters of the policy are identified by a security association established at each peer. These security associations apply to all subsequent IKE traffic during the negotiation.

Hash

The authentication algorithm for negotiation. There are two possible values:
+ Secure Hash Algorithm (SHA)
+ Message Digest 5 (MD5)

Authentication

The authentication method to be used.
+ Pre-SHARE: Authentication will be performed using pre-shared keys.
+ RSA_SIG: Authentication will be performed using digital signatures.

D-H Group

Diffie-Hellman (D-H) Group. Diffie-Hellman is a public-key cryptography protocol that allows two routers to establish a shared secret over an unsecure communications channel. The options are as follows:
+ group1 – 768-bit D-H Group. D-H Group 1.
+ group2 – 1024-bit D-H Group. D-H Group 2. This group provides more security than group 1, but requires more processing time.
+ group5 – 1536-bit D-H Group. D-H Group 5. This group provides more security than group 2, but requires more processing time.

AH

Authentication Header. This is an older IPSec protocol that is less important in most networks than ESP. AH provides authentication services but does not provide encryption services. It is provided to ensure compatibility with IPSec peers that do not support ESP, which provides both authentication and encryption.

AH-MD5-HMAC: Authentication Header with the MD5 (HMAC variant) hash algorithm.
AH-SHA-HMAC: Authentication Header with the SHA (HMAC variant) hash algorithm.

DES

Data Encryption Standard. Standard cryptographic algorithm developed and standardized by the U.S. National Institute of Standards and Technology (NIST). Uses a secret 56-bit encryption key. The DES algorithm is included in many encryption standards.

3DES

Triple DES. An encryption algorithm that uses three 56-bit DES encryption keys (effectively 168 bits) in quick succession. An alternative 3DES version uses just two 56-bit DES keys, but uses one of them twice, resulting effectively in a 112-bit key length. Legal for use only in the United States.

ESP

Encapsulating Security Payload. An IPSec protocol that provides both data integrity and confidentiality. Also known as Encapsulating Security Payload, ESP provides confidentiality, data origin authentication, replay-detection, connectionless integrity, partial sequence integrity, and limited traffic flow confidentiality.

+ ESP-MD5-HMAC: ESP (Encapsulating Security Payload) transform using the MD5-variant SHA authentication algorithm.
+ ESP-SHA-HMAC: ESP (Encapsulating Security Payload) transform using the HMAC-variant SHA authentication algorithm.

GRE

Generic routing encapsulation. Tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP tunneling using GRE allows network expansion across a single-protocol backbone environment.

HMAC

Hash-based Message Authentication Code. HMAC is a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function.

MD5

Message Digest 5. A one-way hashing function that produces a 128-bit hash. Both MD5 and Secure Hashing Algorithm (SHA) are variations on MD4 and are designed to strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. MD5 verifies the integrity and authenticates the origin of a communication.

SHA

Some encryption systems use the Secure Hashing Algorithm to generate digital signatures, as an alternative to MD5.

ISAKMP

The Internet Security Association Key Management Protocol is the basis for IKE. ISAKMP authenticates communicating peers, creates and manages security associations, and defines key generation techniques.

Pre-shared Key

One of three authentication methods offered in IPSec, with the other two methods being RSA encrypted nonces, and RSA signatures. Pre-shared keys allow for one or more clients to use individual shared secrets to authenticate encrypted tunnels to a gateway using IKE. Pre-shared keys are commonly used in small networks of up to 10 clients. With pre-shared keys, there is no need to involve a CA for security.

Digital certification and wildcard pre-shared keys (which allow for one or more clients to use a shared secret to authenticate encrypted tunnels to a gateway) are alternatives to pre-shared keys. Both digital certification and wildcard pre-shared keys are more scalable than pre-shared keys.

Reference:

+ http://www.aboutcisco.biz/en/US/docs/routers/access/cisco_router_and_security_device_manager/25/software/user/guide/IKE.html

+ http://docstore.mik.ua/univercd/cc/td/doc/product/software/sdm/22ug/glossary.htm

You are the network security administrator for Big Money Bank Co. You are informed that an attacker has performed a CAM table overflow attack by sending spoofed MAC addresses on one of the switch ports. The attacker has since been identified and escorted out of the campus. You now need to take action to configure the switch port to protect against this kind of attack in the future.

For purposes of this test, the attacker was connected via a hub to the Fa0/12 interface of the switch. The topology is provided for your use. The enable password of the switch is cisco. Your task is to configure the Fa0/12 interface on the switch to limit the maximum number of MAC addresses that are allowed to access the port to two and to shutdown the interface when there is a violation.

Answer and Explanation

The purpose of this sim is straightforward:

• Limit the maximum number of MAC addresses that are allowed to access the port to two.
• Shutdown the interface when there is a violation.

Please remember that we have to access interface Fa0/12 to fulfill the requirements. Before making any configuration, we should use the show running-config to check the status of interface Fa0/12

Switch>enable
Password: cisco

Switch#show running-config

The interface Fa0/12 hasn’t been configured with anything.

Switch#configure terminal
Switch(config)#interface fa0/12
Switch(config-if)#switchport mode access

First, enable the “port security” feature on this interface:

Switch(config-if)#switchport port-security

Set the maximum number of secure MAC addresses for this interface to 2:

Switch(config-if)#switchport port-security maximum 2

Shutdown if the security is violated:

Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#no shutdown
Switch(config-if)#end

Now you should check if the configuration is correct or not by typing the command show port-security interface fa0/12

Switch#show port-security interface fa0/12

Notice that the parameters should be like this:
+ Port Security: Enabled
+ Violation Mode: Shutdown
+ Maximum MAC Address: 2

Save the configuration
Switch#copy running-config startup-config

Just for your information, when the security is violated the port is in the error-disabled state. We can bring it out of this state by entering the “errdisable recovery cause psecure-violation” global configuration command or we can manually re-enable it by entering the “shutdown” and “no shutdown” commands in the interface configuration.

To access the Cisco Router and Security Device Manager(SDM) utility click on the console host icon that is connected to a ISR router.You can click on the grey buttons below to view the different windows.
Each of the windows can be minimized by clicking on the [-].You can also reposition a window by dragging it by the title bar.
The “Tab” key and most commands that use the “Control”or “Escape” keys are not supported and are not necessary to complete this simulation.

(Note: If you don’t understand how Zone-Based-Firewall works, check out my article at http://www.securitytut.com/ccna-security-knowledge/cisco-ios-zone-based-firewall-tutorial/)

(Notice: the access list, class-map, policy-map, zones, zone-pair… in the real exam might be different!)

Question 1

Which two options correctly Identify the associated interface with the correct security zone? (Choose two)

A. FastEthernet0/1 is associated to the “out-zone” zone.
B. FastEthernet0/0 is associated to the “in-zone” zone.
C. FastEthernet0/0 and 0/1 are associated to the “self” zone.
D. FastEthernet0/0 and 0/1 are associated to the “in-zone” zone.
E. FastEthernet0/0 and 0/1 are associated to the “out-zone” zone.
F. FastEthernet0/0 and 0/1 are not associated to any zone.

Answer: A B

Explanation

Under the Additional Tasks, click on the Zones group. At the right side box we will see the FastEthernet0/0 is assigned to the in-zone and the FastEthernet0/1 is assigned to the out-zone.

(Notice: In the real exam, you might see more zones than the image above)

Question 2

Which statement is correct regarding the “sdm-permit” policy map?

A. Traffic not matched by any of the class maps within that policy map will be inspected .
B. Traffic matching the “sdm-access” traffic class will be inspected.
C. Traffic matching the “SDM_CA_SERVER” traffic class will be dropped.
D. That policy map is applied to traffic sourced from the “self” zone and destined to the “out-zone” zone.

Answer: B or C

Explanation

A is not correct because there is a default class-map at the end of this policy map named “class-default”. This class-map will drop all the traffic that is not matched with the SDM_CA_SERVER class-map (it works in the same way as the implicit “deny all” line at the end of each access list). Therefore traffic not matched by any of the class maps within that policy map will be dropped.

D is not correct because the policy map is applied from the source “out-zone” to the destination “self”.

We haven’t had enough information about the correct answer yet, hope someone will describe this question clearly after taking the exam.

Question 3

Which three protocols are matched by the “sdm-cls-insp-traffic” class map? (Choose three)

A. sql-net
B. pop3
C. 12tp
D. ftp

Answer: A B D

Explanation

Click on the C3PL\Class Map\Inspection group and click on the sdm-cls-insp-traffic line at the upper right side box to see which protocols are matched by the “sdm-cls-insp-traffic” class map.

Question 4

Within the “sdm-permit” policy map, what is the action assigned to the traffic class “class-default”?

A. inspect
B. pass
C. drop
D. police

Answer: C

Explanation

Under the C3PL\Policy Map\Protocol Inspection group we can see the policy maps, which class-maps and which actions are assigned to the class-maps.

Question 5

Which policy map is associated to the “sdm-zp-in-out” security zone pair?

A. sdm-permit-icmpreply
B. sdm-permit
C. sdm-inspect
D. sdm-insp-traffic

Answer: C

Explanation

There are 2 places where you can get information about the policy map associated to the “sdm-zp-in-out” security zone pair:

+ At the “Home” tab (you might click on the to see the Firewall policies)

+ At the Zone-pair group in the Additional Tasks

Question 6

Within the “sdm-inspect” policy map, what is the action assigned to the traffic class “sdm-invalid-src”, and which traffic is matched by the traffic class “sdm-invalid-src” ? (Choose two)

A. traffic matched by ACL 105
B. traffic matched by the nested “sdm-cls-insp-traffic” class map
C. drop/log
D. traffic matched by ACL 104

Answer: A C

Explanation

Under the “Firewall and ACL” tab, search for the “sdm-inspect” policy map we can see the access list 105 is used by this policy map. We can also see the action assigned to the traffic class “sdm-invalid-src” (drop/log).

Notice that the Access list number can be also seen in the C3PL\Class Map\Inspection and the Drop/log action can be seen in the C3PL\Policy Map\Protocol Inspection group.

(Reference: http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1063104)

Please share with us your experience after taking the CANAC exam, your materials, the way you learned, your recommendations…

Please share with us your experience after taking the SNRS exam, your materials, the way you learned, your recommendations…

Please share with us your experience after taking the SNAF exam, your materials, the way you learned, your recommendations…

Please share with us your experience after taking the SNAA exam, your materials, the way you learned, your recommendations…

Please share with us your experience after taking the MARS exam, your materials, the way you learned, your recommendations…

Please share with us your experience after taking the IPS exam, your materials, the way you learned, your recommendations…

Security zone is a group of interfaces to which a policy can be applied. By default, traffic can flow freely within that zone but all traffic to and from that zone is dropped by default. To allow traffic pass between zones, administrators must explicitly declare by creating a zone-pair and a policy for that zone. Another notice is that traffic originated from the router itself is allowed to pass freely.

Zone-pair allows you to specify a uni-directional firewall policy between two zones. In other words, a zone-pair specifies the direction of the interesting traffic. This direction is defined by specifying a source and destination zone. Notice that we can’t defined a zone as both source and destination zone.

Zone Policy defines what we want to allow or deny to go between zones. For example we just want to allow HTTP while dropping SMTP, ICMP… We have 3 actions “pass”, “drop” and “inspect”. The “pass” and “drop” actions are self-explanatory. The action “inspect” tell the router to use a pre-defined class-map to filter the traffic.

Now enough theory! It’s time for the configuration.

In this scenario, we are going to configure 2 zones “inside” and “outside”. In this example, we will configure two tasks:

+ Only allow ping (icmp) traffic from the INSIDE Zone to OUTSIDE Zone (not vice versa).

Notice: you need to make sure all the networks are reachable with a routing protocol before configuring zone-based-firewall.

First we divide the networks into 2 zones: Inside and Outside.

Create Inside zone and Outside zone

Router(config)#zone security INSIDE
Router(config)#zone security OUTSIDE

(In fact, we don’t need to type “exit” before typing “zone security OUTSIDE”)

Assign IP addresses and apply zones to interfaces

Router(config)#interface fa0/0
Router(config-if)#ip address 10.0.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#zone-member security INSIDE

Router(config)#interface fa0/1
Router(config-if)#ip address 10.0.2.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#zone-member security INSIDE

Router(config)#interface fa1/0
Router(config-if)#ip address 12.12.12.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#zone-member security OUTSIDE

Define “interesting” traffic with class-map

Router(config)#class-map type inspect match-any CLASS_MAP_IN_TO_OUT
Router(config-cmap)#match protocol icmp

In the class-map configuration, we have two most used parameters: match-any and match-all. If match-any is used, traffic must meet only one of the match criteria in the class map. In contrast, if match-all is specified, traffic must match all the criteria of that class-map. In this example we just want to check if it is “icmp” protocol or not so we can use either “match-any” or “match-all”. Maybe you will ask: “How can I use “match-all” as a packet can’t match 2 or more protocols?” The answer is we can use “match-all” in order from more specific to less specific protocol. For example:

match protocol http
match protocol tcp

We defined what traffic we want to monitor. Now we need to specify what we want to do with that traffic.

Router(config)#policy-map type inspect POLICY_MAP_IN_TO_OUT
Router(config-pmap)#class type inspect CLASS_MAP_IN_TO_OUT
Router(config-pmap-c)#inspect

I want to explain more about the “inspect” action in the policy-map POLICY_MAP_IN_TO_OUT. Unlike the “drop” and “pass” actions, when using this action we need to tell the router which class-map the router must look up for the “interesting traffic”.

Notice that at the end of each policy-map there is a hidden class class-default that drops “all other” traffic by default, just like the implicit “deny all” at the end of each access list. Something like this:

class class-default
drop

Ok, mostly done! The last thing is specifying the direction of this firewall (recall that the Zone based Firewall is uni-directional). We do this with a zone-pair.

Router(config)#zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect POLICY_MAP_IN_TO_OUT

As you see, we define the direction by specifying the source and destination. Of course traffic will flow from the source to the destination. In this case we only permit traffic from INSIDE to OUTSIDE.

A big notice is “return traffic is allowed by default”. So if a policy permits the traffic in the outbound direction, it also permits the return traffic in the inbound direction.

It is not possible for traffic to flow between an interface that is a member of a security zone and one that is not a member of a security zone, because a policy can be applied only between two zones. If an interface on a router cannot be part of a security zone or firewall policy, it may be necessary to put that interface in a security zone and configure a “pass all” policy between that zone and other zones where traffic should flow.

In conclusion to configure Zone Based Policy Firewall we need to do these steps:

+ Specify zones.
+ Specify what type of traffic (protocol) we want to monitor with a class-map.
+ Specify what action we want to do (drop, permit or inspect) with a policy-map.
+ Specify the direction we want to apply the filter with a zone-pair.

In this example we configured:

+ Zones: INSIDE and OUTSIDE
+ Type of traffic: icmp (ping)
+ Action: inspect (because we don’t allow or deny all types of traffic so we must use “inspect” action)
+ Direction: INSIDE to OUTSIDE

We can say this firewall in plain text: “only allow icmp traffic from INSIDE to OUTSIDE, drop other traffic”.

Now if we make a ping from a PC (INSIDE) to 12.12.12.2 (OUTSIDE) then it works well

(INSIDE)#ping 12.12.12.2
!!!!!

but a ping from 12.12.12.2 (OUTSIDE) to a PC (INSIDE) will be dropped

(OUTSIDE)#ping 10.0.1.1
…..

Nowadays, many companies and corporations have their branch offices far away from its headquarters but they need to communicate as if they were in a LAN. This is the place where site-to-site VPN comes into play. Site-to-site VPNs connect entire networks to each other, for example, they can connect a branch office network to a company headquarters network. In the past, a leased line or Frame Relay connection was required to connect sites, but because most corporations now have Internet access, these connections can be replaced with site-to-site VPNs.

Organizations use virtual private networks (VPNs) to create an end-to-end private network connection (tunnel) over third-party networks such as the Internet or extranets. The tunnel eliminates the distance barrier and enables remote users to access central site network resources. However, VPNs cannot guarantee that the information remains secure while traversing the tunnel. For this reason, modern cryptographic methods are applied to VPNs to establish secure, end-to-end, private network connections.

The IP Security (IPsec) protocol provides a framework for configuring secure VPNs and is commonly deployed over the Internet to connect branch offices, remote employees, and business partners. It is a reliable way to maintain communication privacy while streamlining operations, reducing costs, and allowing flexible network administration.

IPSec VPN negotiation can be broken down into five steps

Step 1. An IPsec tunnel is initiated when Host A sends “interesting” traffic to Host B. Traffic is considered interesting when it travels between the IPsec peers and meets the criteria that is defined in the crypto access control list (ACL).

Step 2. Router1 and Router2 negotiate a Security Association (SA) used to form an IKE Phase 1 tunnel, which is also known as an ISAKMP tunnel.

Step 3. Within the protection of the IKE Phase 1 tunnel, an IKE Phase 2 tunnel is negotiated and set up. An IKE Phase 2 tunnel is also known as an IPsec tunnel.

Step 4. After the IPsec tunnel is established, interesting traffic flows through the protected IPsec tunnel

Step 5. After no interesting traffic has been seen for a specified amount of time, or if the IPsec SA is deleted, the IPsec tunnel is torn down.

Elements of a site-to-site VPN:

+ Headend VPN device: Acts as a VPN termination device, located at a primary network location (for example, a headquarters location)

+ VPN access device: Serves as a VPN termination device, located at a remote office

+ Tunnel: Provides a logical connection over which traffic flows (for example, an IP Security [IPsec] tunnel and/or a Generic Router Encapsulation [GRE] tunnel)

+ Broadband service: Transports traffic to and from the Internet (for example, over a cable or DSL connection)

Now you understand the fundamental of IPsec site-to-site VPN. In summary, the site-to-site VPN requires Internet or other common environments as the transport so security is the primary concern and this can be protected by IPsec. IPsec operates at Layer 3 of the OSI model (Network layer) and it is independant of the applications. It means that the applications don’t require any modifications to use IPsec.

IPsec Modes

IPsec uses 2 modes to establish a secure communication channel between network nodes, Transport mode & Tunnel mode.  These 2 modes are different in what parts of IP headers and payloads are to be kept confidential. In Transport mode, security is provided only for the transport layer and above while Tunnel mode will encapsulate the original IP header and creates a new IP header that is sent unencrypted across the untrusted network. We will not go deeper in these modes to keep this tutorial simple.

IPsec Transforms

IPsec delivers data confidentiality services by executing a “transform” on plain text data into a block of ciphertext. Common ciphers used in the IPsec transforms are DES, 3DES, and AES. 3DES and AES are considered to be stronger encryption ciphers than DES, as they use longer encryption keys (128-bit key for 3DES and 256-bit key for AES).

Note:

Confidentiality ensures that only authorized individuals can view sensitive data. Powerful methods of ensuring confidentiality are encryption and access controls.

Integrity ensures that data has not been changed by an unauthorized individual.

Availability ensures that access to the data is uninterrupted. Denial-of-service (DoS) attacks attempt to compromise data availability. These attacks typically try to fail a system using an unexpected condition or input, or fail an entire network with a large quantity of information.

Question 1

Which classes does the U.S. government place classified data into? (Choose three)
A. SBU
B. Confidential
C. Secret
D. Top-secret

Answer: B C D

Explanation

Data should be classified so that administrators can do their best to secure that data. Below is a common way to classify data that many governments, including the military, use:

• Unclassified: Data that has little or no confidentiality, integrity, or availability requirements and therefore little effort is made to secure it.

• Sensitive But Unclassified (SBU): Data that could prove embarrassing if revealed, but no great security breach will occur.

• Confidential: Data that must comply with confidentiality requirements. This is the lowest level of classified data in this scheme.

• Secret: Data for which you take significant effort to keep secure. The number of individuals who have access to this data is usually considerably fewer than the number of people who are authorized to access confidential data.

• Top secret: Data for which you make great effort and sometimes incur considerable cost to guarantee its secrecy. Usually a small number of individuals have access to top-secret data, on condition that there is a need to know.

But in the U.S, the government only classifies data into three levels: Confidential, Secret and Top Secret.

Question 2

Which method is of gaining access to a system that bypasses normal security measures?

A. Creating a back door
B. Starting a Smurf attack
C. Conducting social engineering
D. Launching a DoS attack

Answer: A

Explanation

A back door is a method of bypassing normal authentication to secure remote access to a computer while attempting to remain undetected. The most common backdoor point is a listening port that provides remote access to the system for users (hackers) who do not have, or do not want to use, access or administrative privileges.

Question 3

Which statement is true about a Smurf attack?

A. It sends ping requests to a subnet, requesting that devices on that subnet send ping replies to a target system.
B. It intercepts the third step in a TCP three-way handshake to hijack a session.
C. It uses Trojan horse applications to create a distributed collection of “zombie” computers, which can be used to launch a coordinated DDoS attack.
D. It sends ping requests in segments of an invalid size.

Answer: A

Explanation

Smurf attacks use ICMP echo request packets directed at IP broadcast addresses from a remote site. The intent is to cause DoS. The smurf program builds a network packet that appears to originate from another address (this is known as spoofing an IP address). The packet contains an ICMP ping message that is addressed to an IP broadcast address, meaning all IP addresses in a given network. The echo responses to the ping message are sent back to the “victim” address. Enough pings and resultant echoes can flood the network making it unusable for real traffic.

Question 4

With the increasing development of network, various network attacks appear. Which statement best describes the relationships between the attack method and the result?

A.
Ping Sweep – 1 and 3
Port Scan – 2, 4 and 5

B.
Ping Sweep – 2 and 4
Port Scan – 1, 3 and 5

C.
Ping Sweep – 1 and 5
Port Scan – 2, 3 and 4

D.
Ping Sweep – 2 and 3
Port Scan – 1, 4 and 5

Answer: B

Explanation

Ping sweep: ping a series of IP addresses. Ping replies might indicate to an attacker that network resources can be reached at those IP addresses.

Port scan: Searching a network host for open ports. A port scan seeks to identify all listening ports on an identified host. Port scans often help attackers identify the operating system running on the target system. An attacker might perform a port scan to determine what services are available at specific IP addresses. For example, the Telnet application communicates on TCP port 23, and Simple Mail Transfer Protocol (SMTP) communicates on TCP port 25…

Question 5

Which one is the most important based on the following common elements of a network design?

A. Business needs
B. Best practices
C. Risk analysis
D. Security policy

Answer: A

Explanation

Business goals and risk analysis drive the need for network security. Regardless of the security implications, business needs must come first. The security system design must accommodate the goals of the business, not hinder them.

Note:

Business needs mean “what does your organization want to do with the network?”

Question 6

How does CLI view differ from a privilege level?

A. A CLI view supports only commands configured for that specific view, whereas a privilege level supports commands available to that level and all the lower levels.
B. A CLJ view supports only monitoring commands, whereas a privilege level allows a user to make changes to an IOS configuration.
C. A CLI view and a privilege level perform the same function. However, a CU view is used on a Catalyst switch, whereas a privilege level is used on an IOS router.
D. A CLI view can function without a AAA configuration, whereas a privilege level requires AAA to be configured.

Answer: A

Question 7

What are four methods used by hackers? (Choose four)

A.    social engineering attack
B.    Trojan horse attack
C.    front door attacks
D.    buffer Unicode attack
E.    privilege escalation attack
F.    footprint analysis attack

Answer: A B E F

Explanation

Social engineering: Using social skills to manipulate people inside the network to provide the information needed to
access the network. For example, an outside attacker calls a receptionist and pretends to be a member of the company’s IT department, and he convinces the receptionist to tell him her username and password. The attacker then can use those credentials to log into the network.

Trojan horse: a piece of software that appears to be a legitimate application but that also performs some unseen malicious functions.

Privilege escalation: An attacker compromises another subsystem and then, through this compromised subsystem, attacks the application.

Footprinting is the process of gathering all available information  about a target. A simple example is to use google or yahoo search engine to locate information about employees or the organization itself.

Question 8

Which protocol will use a LUN as a way to differentiate the individual disk drives that comprise a target device

A. iSCSI
B. ATA
C. SCSI
D. HBA

Answer: C

Explanation

In computer storage, a logical unit number (LUN) is an address for an individual disk drive and, by extension, the disk device itself. The term is used in the SCSI protocol as a way to differentiate individual disk drives within a common SCSI target device, such as a disk array.

Question 9

Which VoIP components can permit or deny a call attempt on the basis of a network’s available bandwidth?

A. MCU
B. Gatekeeper
C. Application server
D. Gateway

Answer: B

Question 10

Which option ensures that data is not modified in transit

A. Authentication
B. Integrity
C. Authorization
D. Confidentiality

Answer: B

If you are not sure about Access list, please read my Access List tutorial

Question 1

Which statement best describes the Turbo ACL feature? (Choose all that apply)

A. The Turbo ACL feature processes ACLs into lookup tables for greater efficiency.
B. The Turbo ACL feature leads to increased latency, because the time it takes to match the packet is variable.
C. The Turbo ACL feature leads to reduced latency, because the time it takes to match the packet is fixed and consistent.
D. Turbo ACLs increase the CPU load by matching the packet to a predetermined list.

Answer: A C

Question 2

Which statement best describes configuring access control lists to control Telnet traffic destined to the router itself

A. The ACL must be applied to each vty line individually.
B. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
C. The ACL is applied to the Telnet port with the ip access-group command.
D. The ACL applied to the vty lines has no in or out option like ACL being applied to an interface.

Answer: B

Question 3

Which description is correct based on the exhibit and partial configuration?

A. All traffic from network 10.0.0.0 will be permitted.
B. This ACL will prevent any host on the Internet from spoofing the inside network address as the source address for packets coming into the router from the Internet.
C. Access-list 101 will prevent address spoofing from interface E0.
D. All traffic destined for network 172.16.150.0 will be denied due to the implicit deny all.

Answer: C

Question 4

Examine the following options, which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10

A. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
C. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
D. access-list 101 permit tcp any eq 3030

Answer: B

Question 5

Which three statements about applying access control lists to a Cisco router are true? (Choose three)

A. Place more specific ACL entries at the top of the ACL.
B. ACLs always search for the most specific entry before taking any filtering action.
C. Router-generated packets cannot be filtered by ACLs on the router.
D. Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce “noise” on the network.
E. If an access list is applied but is not configured, all traffic will pass.

Answer: A C E

Question 6

A standard access control list has been configured on a router and applied to interface Serial 0 in an outbound direction. No ACL is applied to Interface Serial 1 on the same router. What will happen when traffic being filtered by the access list does not match the configured ACL statements for Serial0?

A. The source IP address is checked, and, if a match is not found, traffic is routed out interface Serial 1.
B. The resulting action is determined by the destination IP address.
C. The resulting action is determined by the destination IP address and port number.
D. The traffic is dropped.

Answer: D

Question 7

Which location will be recommended for extended or extended named ACLs?

A. a location as close to the destination traffic as possible
B. an intermediate location to filter as much traffic as possible
C. when using the established keyword, a location close to the destination point to ensure that return traffic is allowed
D. a location as dose to the source traffic as possible

Answer: D

Notice: In the exam, some Drag and Drop Questions may be represented as multiple-choice questions.

Question 1

On the basis of the description of SSL-based VPN, place the correct descriptions in the proper locations.

Answer:

+ The authentication process uses hashing technologies.
+ Asymmetric algorithms are used for authentication and key exchange.
+ Symmetric algorithms are used for bulk encryption.

Question 2

Which three common examples are of AAA implementation on Cisco routers? Please place the correct descriptions in the proper locations.

Answer:

+ performing router commands authorization using TACACS+
+ authenticating remote users who are accessing the corporate LAN through IPSec VPN connections
+ authenticating administrator access to the router console port, auxiliary port, and vty ports

Question 3

Drag two characteristics of the SDM Security Audit wizard on the above to the list on the below.

Answer:

+ requires users to first identify which router interfaces connect to the inside network and which connect to the outside network
+ displays a screen with Fix-it check boxes to let you choose which potential security-related configuration changes to implement

Question 4

On the basis of the Cisco IOS Zone-Based Policy Firewall, by default, which three types of traffic are permitted by the router when some interfaces of the routers are assigned to a zone?

Drag three proper characterizations on the above to the list on the below.

Answer:

+ traffic flowing among the interfaces that are members of the same zone
+ traffic flowing among the interfaces that are not assigned to any zone
+ traffic flowing to and from the router interfaces (the self zone)

Question 5

Drag three proper statements about the IPsec protocol on the above to the list on the below.

Answer:

Three correct statements are:

+ IPsec is a framework of open standards.
+ IPsec ensures data integrity by using checksums.
+ IPsec authenticates users and devices that can carry out communication independently.

Question 1

Which item is the great majority of software vulnerabilities that have been discovered?

A. Stack vulnerabilities
B. Software overflows
C. Heap overflows
D. Buffer overflows

Answer: D

Question 2

Which statement is true about vishing?

A. Influencing users to forward a call to a toll number (for example, a long distance or international number)
B. Influencing users to provide personal information over the phone
C. Using an inside facilitator to intentionally forward a call to a toll number (for example, a long distance or international number)
D. Influencing users to provide personal information over a web page

Answer: B

Explanation

Vishing (voice phishing) uses telephony to glean information, such as account details, directly from users. Because many users tend to trust the security of a telephone versus the security of the web, some users are more likely to provide confidential information over the telephone. User education is the most effective method to combat vishing attacks.

Question 3

In a brute-force attack, what percentage of the keyspace must an attacker generally search through until he or she finds the key that decrypts the data?

A. Roughly 66 percent
B. Roughly 10 percent
C. Roughly 75 percent
D. Roughly 50 percent

Answer: D

Question 4

Observe the following options carefully, which two attacks focus on RSA? (Choose all that apply.)

A. DDoS attack
B. BPA attack
C. Adaptive chosen ciphertext attack
D. Man-in-the-middle attack

Answer: B C

Question 1

As a network engineer at securitytut.com, you are responsible for the network. Which one will be necessarily taken into consideration when implementing Syslogging in your network?

A. Log all messages to the system buffer so that they can be displayed when accessing the router.
B. Use SSH to access your Syslog information.
C. Enable the highest level of Syslogging available to ensure you log all possible event messages.
D. Syncronize clocks on the network with a protocol such as Network Time Protocol.

Answer: D

Question 2

Which description is correct when you have generated RSA keys on your Cisco router to prepare for secure device management?

A. All vty ports are automatically enabled for SSH to provide secure management.
B. The SSH protocol is automatically enabled.
C. You must then zeroize the keys to reset secure shell before configuring other parameters.
D. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command.

Answer: B

Question 3

As a candidate for CCNA examination, when you are familiar with the basic commands, if you input the command “enable secret level 5 password” in the global mode, what does it indicate?

A. Set the enable secret command to privilege level 5.
B. The enable secret password is hashed using SHA.
C. The enable secret password is hashed using MD5.
D. The enable secret password is encrypted using Cisco proprietary level 5 encryption.
E. The enable secret password is for accessing exec privilege level 5.

Answer: E

Question 4

Please choose the correct description about Cisco Self-Defending Network characteristics.

A. INTEGRATED – 1
COLLABORATIVE – 2
ADAPTIVE – 3

B. INTEGRATED – 2
COLLABORATIVE – 1
ADAPTIVE – 3

C. INTEGRATED – 2
COLLABORATIVE – 3
ADAPTIVE – 1

D. INTEGRATED – 3
COLLABORATIVE – 2
ADAPTIVE – 1

Answer: B

Question 5

Which three items are Cisco best-practice recommendations for securing a network? (Choose three)

A. Deploy HIPS software on all end-user workstations.
B. Routinely apply patches to operating systems and applications.
C. Disable unneeded services and ports on hosts.
D. Require strong passwords, and enable password expiration.

Answer: B C D

Question 6

Given the exhibit below. You are a network manager of your company. You are reading your Syslog server reports. On the basis of the Syslog message shown, which two descriptions are correct? (Choose two)

A.    This message is a level 5 notification message.
B.    This message is unimportant and can be ignored.
C.    This is a normal system-generated information message and does not require further investigation.
D.    Service timestamps have been globally enabled.

Answer: A D

Explanation

Time stamps can be enabled on a router to either debugging or logging messages independently (sometimes it is really important for the administrators to solve the problems)

This Syslog message indicates that someone has configured the router using the vty 0 port.

Service timestamps have been enabled with the command “service timestamps” in the global configuration mode. For example, we can create a similar message as shown above with the command:

Router(config)# service timestamps log datetime localtime show-timezone

For your information, below are the Cisco Log Severity Messages:

(Reference: Implementing Cisco IOS Network Security Self-Study)

Question 7

Examine the following items, which one offers a variety of security solutions, including firewall, IPS, VPN, antispyware, antivirus, and antiphishing features?

A. Cisco 4200 series IPS appliance
B. Cisco ASA 5500 series security appliance
C. Cisco IOS router
D. Cisco PIX 500 series security appliance

Answer: B

Explanation

Cisco ASA 5500 series Adaptive Security Appliances are easy-to-deploy solutions that integrate world-class firewall, Cisco Unified Communications (voice and video) security, Secure Sockets Layer (SSL) and IPsec VPN, IPS, and content security services in a flexible, modular product family.

Cisco IPS 4200 series: Cisco IPS 4200 series sensors offer significant protection to your network by helping to detect, classify, and stop threats, including worms, spyware and adware, network viruses, and application abuse.

The Cisco PIX 500 series Security Appliances deliver robust user and application policy enforcement, multivector attack protection, and secure connectivity services in cost-effective, easy-to-deploy solutions.

Question 8

For the following items, which management topology keeps management traffic isolated from production traffic?

A. OOB
B. SAFE
C. MARS
D. OTP

Answer: A

Explanation

Two primary schools of thought exist about how management traffic should be sent between a management station and a managed device. One approach is to allow management traffic to traverse a production data network. The other approach is to use a separate network to transport management traffic. This approach, where management
traffic is isolated from production data traffic, is called out-of-band (OOB) management.

(Reference: CCNA Security Official Exam Certification Guide)

Question 9

Information about a managed device resources and activity is defined by a series of objects. What defines the structure of these management objects?

A. FIB
B. LDAP
C. CEF
D. MIB

Answer: D

Explanation

Management Information Base (MIB) is the database of confguration variables that resides on the networking device.

Question 10

Which item is correct regarding Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later?

A. uses Cisco IPS 5.x signature format
B. supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts
C. requires the Basic or Advanced Signature Definition File
D. uses the built-in signatures that come with the Cisco IOS image as backup

Answer: A

Question 11

If a switch is working in the fail-open mode, what will happen when the switch’s CAM table fills to capacity and a new frame arrives?

A. The switch sends a NACK segment to the frame’s source MAC address.
B. A copy of the frame is forwarded out all switch ports other than the port the frame was received on.
C. The frame is dropped.
D. The frame is transmitted on the native VLAN.

Answer: B

Explanation

If that component defaults to a mode in which it forwards traffic, rather than performing its previous security function on that traffic, the component is said to be operating in fail-open mode. However, if a security component denies traffic that it cannot inspect, the component is said to be operating in fail-closed (also known as fail-safe) mode, which would be the more secure of the two modes.

(Reference: CCNA Security Official Exam Certification Guide)

Question 12

What is the purpose of the secure boot-config global configuration?

A. backs up the Cisco IOS image from flash to a TFTP server
B. enables Cisco IOS image resilience
C. takes a snapshot of the router running configuration and securely archives it in persistent storage
D. stores a secured copy of the Cisco IOS image in its persistent storage

Answer: C

Question 13

What Cisco Security Agent Interceptor is in charge of intercepting all read/write requests to the rc files in UNIX?

A. Network interceptor
B. Configuration interceptor
C. Execution space interceptor
D. File system interceptor

Answer: B

Explanation

Configuration interceptor: Read/write requests to the Registry in Windows or to rc configuration files on UNIX are intercepted. This interception occurs because modification of the operating system configuration can have serious consequences. Therefore, Cisco Security Agent tightly controls read/write requests to the Registry.

Question 14

Which two statements are correct regarding a Cisco IP phone’s web access feature? (Choose two)

A. It is enabled by default.
B. It uses HTTPS.
C. It can provide IP address information about other servers in the network.
D. It requires login credentials, based on the UCM user database.

Answer: A C

Question 15

When configuring role-based CLI on a Cisco router, which action will be taken first?

A. Create a parser view called “root view”
B. Log in to the router as the root user
C. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command
D. Enable the root view on the router

Answer: D

Question 16

Which key method is used to detect and prevent attacks by use of IDS and/or IPS technologies?

A. Signature-based detection
B. Anomaly-based detection
C. Honey pot detection
D. Policy-based detection

Answer: A

Question 17

Which one of the following items may be added to a password stored in MD5 to make it more secure?

A. Rainbow table
B. Cryptotext
C. Ciphertext
D. Salt

Answer: D

Question 1

How do you define the authentication method that will be used with AAA?

A. With a method list
B. With the method command
C. With the method aaa command
D. With a method statement

Answer: A

Explanation

A method list is a sequential list of authentication methods to query to authenticate a user. Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails.

When you first enable AAA, there is a default method list named default, which is automatically applied to all interfaces and lines, but which has no authentication methods defined. To configure AAA authentication, you must first either define a list of authentication methods for the default method, or configure your own named method lists and apply them to interfaces or lines. For flexibility, you can apply different method lists to different interfaces and lines. If an interface or line has a nondefault method list applied to it, that method overrides the default method list.

(Reference: Implementing Cisco IOS Network Security – Self Study)

Question 2

What is the objective of the aaa authentication login console-in local command?

A. It specifies the login authorization method list named console-in using the local RADIUS username-password database
B. It specifies the login authorization method list named console-in using the local username-password database on the router
C. It specifies the login authentication method list named console-in using the local user database on the router
D. It specifies the login authentication list named console-in using the local username- password database on the router

Answer: C

Question 3

Which one of the following commands can be used to enable AAA authentication to determine if a user can access the privilege command level?

A. aaa authentication enable default local
B. aaa authentication enable level
C. aaa authentication enable method default
D. aaa authentication enable default

Answer: D

Question 4

Which two ports are used with RADIUS authentication and authorization? (Choose two)

A. TCP port 2002
B. UDP port 2000
C. UDP port 1645
D. UDP port 1812

Answer: C D

Question 5

Which two statements about configuring the Cisco ACS server to perform router command authorization are true? (Choose two)

A. In the ACS User Group setup screen, use the Shell Command Authorization Set options to configure which commands and command arguments to permit or deny.
B. From the ACS Interface Configuration screen, select RADIUS (Cisco IOS/PIX 6.0), and then enable the Shell (exec) option on the RADIUS Services screen.
C. When adding the router as an AAA client on the Cisco ACS server, choose the TACACS+ (Cisco IOS) protocol.
D. Configure the Cisco ACS server to forward authentication of users to an external user databases, like Windows Database.

Answer: A C

Question 6

What should be enabled before any user views can be created during role-based CLI configuration?

A. usernames and passwords
B. secret password for the root user
C. aaa new-model command
D. multiple privilege levels

Answer: C

Question 7

For the following statements, which one is perceived as a drawback of implementing Fibre Channel Authentication Protocol (FCAP)?

A.    It is restricted in size to only three segments
B.    It requires the implementation of IKE
C.    It relies on an underlying Public Key Infrastructure (PKI)
D.    It requires the use of netBT as the network protocol

Answer: C

Explanation

FCAP relies on an underlying public key infrastructure (PKI) to provide enterprise-class security. By using PKI, often present in more security-conscious organizations, as a foundational element, along with a certificate-based protocol, FCAP provides numerous advantages. Central among these are strong authentication and management data integrity.
For some organizations, the complexities associated with a PKI can be daunting. This is the only significant argument against FCAP.

(Reference: CCNA Security Official Exam Certification Guide)

Question 8

A. TACACS+ – 1 and 3
RADIUS – 2 and 4

B. TACACS+ – 2 and 4
RADIUS – 1 and 3

C. TACACS+ – 1 and 4
RADIUS – 2 and 3

D. TACACS+ – 2 and 3
RADIUS – 1 and 4

Answer: B

Question 9

Which statement is correct regarding the aaa configurations based on the exhibit provided?

A. The authentication method list used by the console port is named test
B. The authentication method list used by the vty port is named test
C. If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database
D. If the TACACS+ AAA server is not available, no users will be able to establish a Telnet session with the router

Answer: B

Question 10

Which one of the aaa accounting commands can be used to enable logging of both the start and stop records for user terminal sessions on the router?

A. aaa accounting connection start-stop tacacs+
B. aaa accounting network start-stop tacacs+
C. aaa accounting exec start-stop tacacs+
D. aaa accounting system start-stop tacacs+

Answer: C

Question 11

For the following items ,which one can be used to authenticate the IPsec peers during IKE Phase 1?

A. XAUTH
B. pre-shared key
C. integrity check value
D. Diffie-Hellman Nonce

Answer: B

Explanation

Internet Key Exchange (IKE) executes the following phases:

+ IKE Phase 1: Two IPsec peers perform the initial negotiation of SAs. Phase 1 generates an Internet Security
Association and Key Management Protocol (ISAKMP) SA, used for management traffic. Public key techniques or, alternatively, a pre-shared key, are used to mutually authenticate the communicating parties. Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers, Aggressive Mode does not.

+ IKE Phase 2: SAs are negotiated by the IKE process ISAKMP on behalf of other services, such as IPsec, that need
encryption key material for operation. IKE Phase 2 is used to build IPsec SAs, which are for passing end-user data.
Additional service negotiations occur in IKE Phase 1, DPD, Mode Config, and so on.

Question 12

Which statement is true about a certificate authority (CA)?

A. A trusted third party responsible for signing the private keys of entities in a PKIbased system
B. A trusted third party responsible for signing the public keys of entities in a PKIbased system
C. An entity responsible for registering the private key encryption used in a PKI
D. An agency responsible for granting and revoking public-private key pairs

Answer: B

Question 13

In computer security, AAA commonly stands for “authentication, authorization and accounting”. Which three of the following are common examples of AAA implementation on Cisco routers? (Choose three)

A. authenticating remote users who are accessing the corporate LAN through IPSec VPN connections
B. authenticating administrator access to the router console port, auxiliary port, and vty ports
C. securing the router by locking down all unused services
D. performing router commands authorization using TACACS+

Answer: A B D

Question 14

When configuring AAA login authentication on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can log in to the router in case the external AAA server fails?

A. Group RADIUS
B. Group TACACS+
C. Local
D. Krb5
E. Enable
F. If-authenticated

Answer: C E

Explanation

If you are working with multiple authentication methods, it is a best practice to have either local or enable authentication as the final method to recover from a severed link to the chosen method server.

Notice:

+ “Local authentication”: login authentication method list named console-in using the local username-password database on the router (command: aaa authentication login console-in local)

+ “Enable authentication”: specify a default login authentication method list using the enable password (command: aaa authentication login default enable)

Question 1

Which kind of table will be used by most firewalls today to keep track of the connections through the firewall?

A. queuing
B. netflow
C. dynamic ACL
D. reflexive ACL
E. state

Answer: E

Explanation

There are four generations of firewall technologies developed between 1983 and 1995: static packet-filtering firewalls, circuit-level firewalls, application layer firewalls and dynamic packet-filtering firewalls.

The dynamic packet-filtering firewalls, sometimes called stateful firewalls, keeps track of the actual communication process through the use of a state table. The state table is part of the internal structure of the firewall and tracks all sessions and inspects all packets passing through the firewall. These firewalls operate at Layers 3, 4 and 5.

Question 2

On the basis of the show policy-map type inspect zone-pair session command output provided in the exhibit. What can be determined about this Cisco IOS zone based firewall policy?

A. This is an outbound policy (applied to traffic sourced from the more secured zone destined to the less secured zone).
B. All packets will be dropped since the class-default traffic class is matching all traffic.
C. This is an inbound policy (applied to traffic sourced from the less secured zone destined to the more secured zone).
D. Stateful packet inspection will be applied only to HTTP packets that also match ACL 110.

Answer: D

Question 3

Which statement best describes Cisco IOS Zone-Based Policy Firewall?

A. A router interface can belong to multiple zones.
B. The pass action works in only one direction.
C. Policy maps are used to classify traffic into different traffic classes, and class maps are used to assign action to the traffic classes.
D. A zone-pair is bidirectional because it specifies traffic flowing among the interfaces within the zone-pair in both directions.

Answer: B

Explanation

The Cisco IOS zone-based policy firewall can take three possible actions when you configure it using Cisco SDM:

• Inspect: This action configures Cisco IOS stateful packet inspection.
• Drop: This action is analogous to deny in an ACL.
• Pass: This action is analogous to permit in an ACL. The pass action does not track the state of connections or sessions within the traffic; pass allows the traffic only in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction.

Question 4

When configuring Cisco IOS Zone-Based Policy Firewall, what are the three actions that can be applied to a traffic class? (Choose three)

A. Pass
B. Police
C. Inspect
D. Drop
E. Queue
F. Shape

Answer: A C D

Explanation

Please read the explanation of question 3

Question 5

Which type of firewall is needed to open appropriate UDP ports required for RTP streams?

A. Proxy firewall
B. Packet filtering firewall
C. Stateful firewall
D. Stateless firewall

Answer: C

Question 6

What is a static packet-filtering firewall used for ?

A. It analyzes network traffic at the network and transport protocol layers.
B. It validates the fact that a packet is either a connection request or a data packet belonging to a connection.
C. It keeps track of the actual communication process through the use of a state table.
D. It evaluates network packets for valid data at the application layer before allowing connections.

Answer: A

Question 7

Which information is stored in the stateful session flow table while using a stateful firewall?

A. all TCP and UDP header information only
B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session
C. the outbound and inbound access rules (ACL entries)
D. the inside private IP address and the translated inside global IP address

Answer: B

Question 8

Which firewall best practices can help mitigate worm and other automated attacks?

A. Restrict access to firewalls
B. Segment security zones
C. Use logs and alerts
D. Set connection limits

Answer: D

Question 9

Refer to Cisco IOS Zone-Based Policy Firewall, where will the inspection policy be applied?

A. to the interface
B. to the zone-pair
C. to the global service policy
D. to the zone

Answer: B

Question 10

Which two actions can be configured to allow traffic to traverse an interface when zone-based security is being employed? (Choose two)

A. Flow
B. Inspect
C. Pass
D. Allow

Answer: B C

Question 11

Which feature is a potential security weakness of a traditional stateful firewall?

A. It cannot ensure each TCP connection follows a legitimate TCP three-way handshake
B. It cannot detect application-layer attacks
C. It cannot support UDP flows
D. The status of TCP sessions is retained in the state table after the sessions terminate

Answer: B

Question 1

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec operation requires which two functions? (Choose two)

A. using PKI for pre-shared-key authentication
B. using AH protocols for encryption and authentication
C. using IKE to negotiate the SA
D. using Diffie-Hellman to establish a shared-secret key

Answer: C D

Question 2

With which three tasks does the IPS Policies Wizard help you? (Choose three)

A. Selecting the interface to which the IPS rule will be applied
B. Selecting the direction of traffic that will be inspected
C. Selecting the inspection policy that will be applied to the interface
D. Selecting the Signature Definition File (SDF) that the router will use

Answer: A B D

Question 3

Examine the following options ,when editing global IPS settings, which one determines if the IOS-based IPS feature will drop or permit traffic for a particular IPS signature engine while a new signature for that engine is being compiled?

A. Enable Engine Fail Closed
B. Enable Fail Opened
C. Enable Signature Default
D. Enable Default IOS Signature

Answer: A

Question 4

Based on the following items, which two types of interfaces are found on all network-based IPS sensors? (Choose two)

A. Loopback interface
B. Monitoring interface
C. Command and control interface
D. Management interface

Answer: B C

Question 1

For the following options, which one accurately matches the CU command(s) to the equivalent SDM wizard that performs similar configuration functions?

A. setup exec command and the SDM Security Audit wizard

B. auto secure exec command and the SDM One-Step Lockdown wizard

C. aaa configuration commands and the SDM Basic Firewall wizard

D. Cisco Common Classification Policy Language configuration commands and the SDM Site-to-Site VPN wizard

Answer: B

Question 2

Which three statements are valid SDM configuration wizards? (Choose three)

A. Security Audit

B. VPN

C. STP

D. NAT

Answer: A B D

Question 3

Which two protocols enable Cisco SDM to pull IPS alerts from a Cisco ISR router? (Choose two)

A:FTP

B:HTTPS

C.TFTP

D.SSH

E.Syslog

F.SDEE

Answer: B F

Question 4

When using the Cisco SDM Quick Setup Site-to-Site VPN wizard, which three parameters do you configure? (Choose three)

A. Interface for the VPN connection

B. IP address for the remote peer

C. Transform set for the IPsec tunnel

D. Source interface where encrypted traffic originates

Answer: A B D

Explanation

The image below shows parameters when using Cisco SDM Quick Setup Site-to-Site VPN wizard

Question 5

If you click the Configure button along the top of Cisco SDM’s graphical interface,which Tasks button permits you to configure such features as SSH, NTP, SNMP, and syslog?

A. Additional Tasks

B. Security Audit

C. Intrusion Prevention

D. Interfaces and Connections

Answer: A

Question 6

Cisco SDM (Security Device Manager) is a Web-based device management tool for Cisco routers that can simplify router deployments and reduce ownership costs. Select two protocols from the following to enable Cisco SDM to pull IPS alerts from a Cisco ISR router. (Choose two)

A. TFTP

B. SDEE

C. SSH

D. HTTPS

Answer: B D

Explanation

We must also enable HTTP or HTTPS on the router when we enable SDEE. The use of HTTPS ensures that data is secured as it traverses the network.

Question 7

Refer to the exhibit. You are the network security administrator responsible for router security. Your network uses internal IP addressing according to RFC 1918 specifications. From the default rules shown, which access control list would prevent IP address spoofing of these internal networks?

A. SDM_Default_196
B. SDM_Default_197
C. SDM_Default_198
D. SDM_Default_199

Answer: C

Explanation

Click on each access-list, in the SDM_DEFAULT_198 you will see something like this

To mitigate IP address spoofing, do not allow any IP packets containing the source address of any internal hosts or networks inbound to our private network. The SDM_DEFAULT_198 denies all packets containing the following IP addresses in their source field:

+ Current network 0.0.0.0/8 (only valid as source address)
+ Any local host addresses (127.0.0.0/8)
+ Any reserved private addresses (RFC 1918, Address Allocation for Private Internets)
+ Any addresses in the IP multicast address range (224.0.0.0/4)

Note: 0.0.0.0/8: addresses in this block refer to source hosts on “this” network.

For your information, we will apply this access list to the external interface of the router.

Question 8

Refer to the exhibit. Based on the VPN connection shown, which statement is true?

A. Traffic that matches access list 103 will be protected.
B. This VPN configuration will not work because the tunnel IP and peer IP are the same.
C. The tunnel is down as result of being a static rule. It should be configured as a Dynamic IPsec policy.
D. The tunnel is down because the transform set needs to Include the Authentication Header parameter.

Answer: A

Question 1

When configuring Cisco IOS login enhancements for virtual connections, what is the “quiet period”?

A. A period of time when no one is attempting to log in
B. The period of time in which virtual logins are blocked as security services fully initialize
C. The period of time in which virtual login attempts are blocked, following repeated failed login attempts
D. The period of time between successive login attempts

Answer: C

Explanation

If the configured number of connection attempts fails within a specified time period, the Cisco IOS device does not accept any additional connections for a period of time that is called the quiet period. This feature is not enabled by default, we can enable its default settings, issue the login block-for command in global configuration mode. Administrators can use this feature to protect from DoS and/or dictionary attacks.

Question 2

Which result is of securing the Cisco IOS image by use of the Cisco IOS image resilience feature?

A. When the router boots up, the Cisco IOS image will be loaded from a secured FTP location.
B. The Cisco IOS image file will not be visible in the output from the show flash command.
C. The show version command will not show the Cisco IOS image file location.
D. The running Cisco IOS image will be encrypted and then automatically backed up to a TFTP server.

Answer: B

Explanation

We can enable this feature with the secure boot-image command in the global configuration mode to secure the Cisco IOS image. The running image is secured and the image file is not included in any directory listing of the disk.

Question 3

Which description is true about the show login command output displayed in the exhibit?

A. All logins from any sources are blocked for another 193 seconds.
B. The login block-for command is configured to block login hosts for 93 seconds.
C. When the router goes into quiet mode, any host is permitted to access the router via Telnet, SSH, and HTTP, since the quiet-mode access list has not been configured.
D. Three or more login requests have failed within the last 100 seconds.

Answer: D

Question 4

After enabling port security on a Cisco Catalyst switch, what is the default action when the configured maximum of allowed MAC addresses value is exceeded?

A. The port is shut down.
B. The port’s violation mode is set to restrict.
C. The MAC address table is cleared and the new MAC address is entered into the table.
D. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out.

Answer: A

Question 5

When configuring SSH, which is the Cisco minimum recommended modulus value?

A. 2048 bits
B. 256 bits
C. 1024 bits
D. 512 bits

Answer: C

Question 6

Examine the following options , which Spanning Tree Protocol (STP) protection mechanism disables a switch port if the port receives a Bridge Protocol Data Unit (BPDU)?

A. PortFast
B. BPDU Guard
C. UplinkFast
D. Root Guard

Answer: B

Question 7

For the following options, which feature is the foundation of Cisco Self-Defending Network technology?

A. policy management
B. secure connectivity
C. threat control and containment
D. secure network platform

Answer: D

Question 8

Which type of intrusion prevention technology will be primarily used by the Cisco IPS security appliances?

A. rule-based
B. protocol analysis-based
C. signature-based
D. profile-based

Answer: C

Question 9

What will be enabled by the scanning technology – The Dynamic Vector Streaming (DVS)?

A. Firmware-level virus detection
B. Layer 4 virus detection
C. Signature-based spyware filtering
D. Signature-based virus filtering

Answer: C

Explanation

The DVS engine is a new scanning technology that enables signature-based spyware filtering. This solution is complemented by a comprehensive set of management and reporting tools that provide ease of administration and complete visibility into threat-related activities.

Question 10

Which statement is not a reason for an organization to incorporate a SAN in its enterprise infrastructure?

A. To increase the performance of long-distance replication, backup, and recovery
B. To decrease the threat of viruses and worm attacks against data storage devices
C. To decrease both capital and operating expenses associated with data storage
D. To meet changing business priorities, applications, and revenue growth

Answer: B

Question 11

Which two functions are required for IPsec operation? (Choose two)

A. using AH protocols for encryption and authentication
B. using SHA for encryption
C. using DifTie-Hellman to establish a shared-secret key
D. using PKI for pre-shared-key authentication
E. using IKE to negotiate the SA

Answer: C E

Question 12

In your company’s network, an attacker who has configured a rogue layer 2 device is intercepting traffic from multiple VLANS to capture potentially sensitive data. How to solve this problem? (Choose two)

A.    Secure the native VLAN, VLAN 1 with encryption
B.    Disable DTP on ports that require trunking
C.    Place unused active ports in an unused VLAN
D.    Set the native VLAN on the trunk ports to an unused VLAN

Answer: B D

Question 1

You suspect an attacker in your network has configured a rogue layer 2 device to intercept traffic from multiple VLANS, thereby allowing the attacker to capture potentially sensitive data. Which two methods will help to mitigate this type of activity? (Choose two)

A. Turn off all trunk ports and manually configure each VLAN as required on each port
B. Disable DTP on ports that require trunking
C. Secure the native VLAN, VLAN 1 with encryption
D. Set the native VLAN on the trunk ports to an unused VLAN
E. Place unused active ports in an unused VLAN

Answer: B D

Question 2

In an IEEE 802. lx deployment, between which two devices EAPOL messages typically are sent?

A. Between the RADIUS server and the authenticator
B. Between the authenticator and the authentication server
C. Between the supplicant and the authentication server
D. Between the supplicant and the authenticator

Answer: D

Explanation

On many networks, a PC sends a DHCP request to obtain an IP address for use on the network. However, with Cisco Identity-Based Networking Services (IBNS), an 802.1x-enabled PC initially sends an Extensible Authentication Protocol over LAN (EAPOL) request. The Cisco Catalyst switch connected to the PC sees the EAPOL request and responds to the PC with a challenge. The challenge asks the PC to provide credentials for network access, such as a valid username and password combination. The switch forwards these credentials to a RADIUS server for verification. Upon verification of the supplied credentials, the switch grants the PC access to the network.

In this question, the supplicant is the 802.1x-enabled PC and the authenticator is the secured switch.

Note: A storage-area network (SAN) is a specialized network that enables fast, reliable access among servers and external
storage resources.

Question 1

Which two primary port authentication protocols are used with VSANs? (Choose two.)

A. ESP
B. CHAP
C. DHCHAP
D. SPAP

Answer: B C

Explanation

Two primary port authentication protocols when working with VSANs:

+ Challenge Handshake Authentication Protocol (CHAP): CHAP is the mandatory protocol for iSCCI, as chosen by the Internet Engineering Task Force (IETF). CHAP is based on shared secrets.

+ Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP): DHCHAP may be used to authenticate devices connecting to a Fibre Channel switch. By using Fibre Channel authentication, you allow only trusted devices to be added to a fabric. This prevents unauthorized devices from accessing the Fibre Channel switch.

Question 1

Please choose the correct matching relationships between the cryptography algorithms and the type of algorithm.

A. Symmetric – 1, 2 and 3
Asymmetric – 4, 5 and 6

B. Symmetric – 1, 4 and 5
Asymmetric – 2, 3 and 6

C. Symmetric – 2, 4 and 5
Asymmetric – 1, 3 and 6

D. Symmetric – 2, 5 and 6
Asymmetric – 1, 3 and 4

Answer: B

Question 2

What is the objective of Diffie-Hellman?

A. used for asymmetric public key encryption
B. used between the initiator and the responder to establish a basic security policy
C. used to verify the identity of the peer
D. used to establish a symmetric shared key via a public key exchange process

Answer: D

Question 3

Which description about asymmetric encryption algorithms is correct?

A. They use different keys for decryption but the same key for encryption of data
B. They use the same key for encryption and decryption of data
C. They use different keys for encryption and decryption of data
D. They use the same key for decryption but different keys for encryption of data

Answer: C

Question 4

Regarding constructing a good encryption algorithm, what does creating an avalanche effect indicate?

A. Changing only a few bits of a plain-text message causes the ciphertext to be completely different
B. Changing only a few bits of a ciphertext message causes the plain text to be completely different
C. Altering the key length causes the plain text to be completely different
D. Altering the key length causes the ciphertext to be completely different

Answer: A

Question 5

Stream ciphers run on which of the following?

A. Individual blocks, one at a time, with the transformations varying during the encryption
B. Individual digits, one at a time, with the transformations varying during the encryption
C. Fixed-length groups of digits called blocks
D. Fixed-length groups of bits called blocks

Answer: B

Question 6

Which description is true about ECB mode?

A. ECB mode uses the same 64-bit key to serially encrypt each 56-bit plain-text block.
B. In ECB mode, each 56-bit plain-text block is exclusive ORed (XORed) bitwise with the previous ciphertext block.
C. ECB mode uses the same 56-bit key to serially encrypt each 64-bit plain-text block.
D. In ECB mode, each 64-bit plain-text block is exclusive ORed (XORed) bitwise with the previous ciphertext block.

Answer: C

Explanation

ECB mode serially encrypts each 64-bit plaintext block using the same 56-bit key. If two identical plaintext blocks are encrypted using the same key, their ciphertext blocks are the same. Therefore, an attacker could identify similar or identical traffic flowing through a communications channel, and use this information. The attacker could then build a catalogue of messages, which have a certain meaning, and replay them later, without knowing their real meaning. For example, an attacker might capture a login sequence of someone with administrative privilege whose traffic is protected by DES-ECB and then replay it. That risk is undesirable so CBC mode was invented to mitigate this risk.

(Reference: Implementing Cisco IOS Network Security Self Study)

Question 7

Which example is of a function intended for cryptographic hashing?

A. SHA-135
B. MD65
C. XR12
D. MD5

Answer: D

Question 8

What is the MD5 algorithm used for?

A. takes a variable-length message and produces a 168-bit message digest
B. takes a fixed-length message and produces a 128-bit message digest
C. takes a variable-length message and produces a 128-bit message digest
D. takes a message less than 2A64 bits as input and produces a 160-bit message digest

Answer: C

Question 9

Which algorithm was the first to be found suitable for both digital signing and encryption?

A. SHA-1
B. MD5
C. HMAC
D. RSA

Answer: D

Question 10

Before a Diffie-Hellman exchange may begin, the two parties involved must agree on what?

A. Two nonsecret keys
B. Two secret numbers
C. Two secret keys
D. Two nonsecret numbers

Answer: D

Question 11

Which item is the correct matching relationships associated with IKE Phase?

A.IKE Phase 1 – 1 and 2
IKE Phase 2 – 3, 4 and 5

B. IKE Phase 1 – 1 and 4
IKE Phase 2 – 2, 3 and 5

C. IKE Phase 1 – 2 and 3
IKE Phase 2 – 1, 4 and 5

D. IKE Phase 1 – 2 and 4
IKE Phase 2 – 1, 3 and 5

Answer: B

Question 12

Which three are distinctions between asymmetric and symmetric algorithms? (Choose all that apply)

A. Asymmetric algorithms are based on more complex mathematical computations.
B. Only symmetric algorithms have a key exchange technology built in.
C. Only asymmetric algorithms have a key exchange technology built in.
D. Asymmetric algorithms are used quite often as key exchange protocols for symmetric algorithms.

Answer: A C D

Question 13

For the following statements, which one is the strongest symmetrical encryption algorithm?

A. 3DES
B. DES
C. AES
D. Diffie-Hellman

Answer: C

Question 14

Which Public Key Cryptographic Standards (PKCS) defines the syntax for encrypted messages and messages with digital signatures?

A. PKCS #12
B. PKCS #10
C. PKCS #8
D. PKCS #7

Answer: D

Question 1

You work as a network engineer, do you know an IPsec tunnel is negotiated within the protection of which type of tunnel?

A. GRE tunnel
B. L2TP tunnel
C. L2F tunnel
D. ISAKMP tunnel

Answer: D

Question 2

For the following items, which one acts as a VPN termination device and is located at a primary network location?

A. Headend VPN device
B. Tunnel
C. Broadband service
D. VPN access device

Answer: A

Question 1

For the following attempts, which one is to ensure that no employee becomes a pervasive security threat, that data can be recovered from backups, and that information system changes do not compromise a system’s security?

A.    Disaster recovery
B.    Strategic security planning
C.    Implementation security
D.    Operations security

Answer: D

Note:

Operations security: day-to-day security operations entail responding to an incident, monitoring and maintaining a system, and auditing a system (to ensure compliance with an organization’s security policy).

Question 2

Which three options are network evaluation techniques? (Choose three)

A. Scanning a network for active IP addresses and open ports on those IP addresses
B. Using password-cracking utilities
C. Performing end-user training on the use of antispyware software
D. Performing virus scans

Answer: A B D

Question 3

Which is the main difference between host-based and network-based intrusion prevention?

A. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.
B. Host-based IPS can work in promiscuous mode or inline mode.
C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers.
D. Host-based IPS deployment requires less planning than network-based IPS.

Answer: C

Question 4

The enable secret password appears as an MD5 hash in a router’s configuration file, whereas the enable password is not hashed (or encrypted, if the password-encryption service is not enabled). What is the reason that Cisco still support the use of both enable secret and enable passwords in a router’s configuration?

A. The enable password is used for IKE Phase I, whereas the enable secret password is used for IKE Phase II.
B. The enable password is considered to be a router’s public key, whereas the enable secret password is considered to be a router’s private key.
C. Because the enable secret password is a hash, it cannot be decrypted. Therefore, the enable password is used to match the password that was entered, and the enable secret is used to verify that the enable password has not been modified since the hash was generated.
D. The enable password is present for backward compatibility.

Answer: D

Question 5

Which type of MAC address is dynamically learned by a switch port and then added to the switch’s running configuration?

A. Pervasive secure MAC address
B. Static secure MAC address
C. Sticky secure MAC address
D. Dynamic secure MAC address

Answer: C

Question 6

Which are the best practices for attack mitigations?

A. 1, 2, 3 and 5
B. 2, 5, 6 and 8
C. 2, 5, 6 and 7
D. 2, 3, 6 and 8
E. 3, 4, 6 and 7

Answer: B

Question 7

Which one of the Cisco IOS commands can be used to verify that either the Cisco IOS image, the configuration files, or both have been properly backed up and secured?

A. show flash
B. show secure bootset
C. show archive
D. show file systems

Answer: B

Explanation

We use secure boot-image command to protect the IOS image, and the command secure boot-config to protect
the running configuration. These protected files will not even appear in a dir listing of flash. To see these protected files, use the show secure bootset command.

Question 8

Which name is of the e-mail traffic monitoring service that underlies that architecture of IronPort?

A. IronPort M-Series
B. E-Base
C. TrafMon
D. SenderBase

Answer: D

Question 9

Based on the username global configuration mode command displayed in the exhibit. What does the option secret 5 indicate about the enable secret password?

A. It is encrypted using DH group 5.
B. It is hashed using SHA.
C. It is hashed using MD5.
D. It is encrypted using a proprietary Cisco encryption algorithm.

Answer: C

Question 10

What will be disabled as a result of the no service password-recovery command?

A. password encryption service
B. ROMMON
C. changes to the config-register setting
D. the xmodem privilege EXEC mode command to recover the Cisco IOS image

Answer: B

Your posts are warmly welcome!

Please don’t ask for links to download copyright materials here…