642-501 - SECUR - Securing Cisco IOS Networks
Go back to Cisco
In which of the following ways will the proxy respond to HTTP if no valid authentication entry exists in the authentication?
Proxy will prompt the user for user and password
Which command will deny the perimeter router the ability to divulge topology information by telling external hosts which subnets are not configured?
no ip unreachables
What is the default mode TCP Intercept operates in?
Which of the following commands can debug communications between an IOS router, and a CA server?
debug crypto pki messages
What are the ACL number ranges for IP standard ACL's? Select all that apply.
What OSI layers can CBAC filter on? Select all that apply.
Which of the following router commands will allow all users to be authenticated, even if the TACACS+ server fails?
aaa authentication list1 tacacs+ none
Johnand Kathy are working together at Inc. to find the more secure approach for pre-shared keys between peers.Which one of these answers is correct?
Specify different keys to share between different pairs of peers.
How do you set the threshold of half-open sessions CBAC will allow per minute before deleting them?
ip inspect one-minute high (number)
What are the two components of Cisco Easy VPN (EzVPN)?
Which command can you use to disable finger replies on a perimeter router?
The no service finger command
James the security administrator for Inc. has to know which has algorithms is used to authenticate packet data before he can go any further. Which algorithm is used to authenticate packet data?
MD5 and SHA
Jacob at Inc. was given the assignment to secure the network from giving out unauthorized information. His first step is to prevent the perimeter router from divulging topology information by telling external hosts which subnets are not configured. Which command fits this objective?
no ip unreachable
Kathy is looking for the command that deletes all of the routers RSA keys. Which command is correct?
crypto key zeroize rsa
What command configures the amount of time CBAC will wait for a TCP session to become established before dropping the connection in the state table?
ip inspect tcp synwait-time (seconds)
By default how long will CBAC monitor an idle TCP session in the state table before deleting the entry?
John and Kathy are working on configuring the IOS firewall together. They are figuring out what CBAC uses for inspection rules to configure on a per-application protocol basis. Which one of these is the correct one?
Alerts and audit trails
Which of the following factors determine an IPSEC policy?
to establish IKE policy
Kathy is in charge of configuring a Cisco router for IKE using RSA signatures, before she initiates the crypto key generate rsa command, what should Kathy do?
Kathy should configure a hostname and IP domain name for your router.
John is the administrator working on configuring the authentication proxy feature. He is not sure what the authentication proxy feature does on the Cisco IOS Firewall.
Apply specific security polices on a per-user basis at Inc.
Which of the following commands will alter the CBAC DNS timeout timer to 10 seconds?
ip inspect dns-timeout 10
Which of the following is NOT an IOS Firewall default IKE policy parameter?
How many IDS signatures can the Cisco IOS Firewall scan for?
Providing end-to-end protection of message between two hosts is possible when which of the following ESP modes are used?
The security team at Inc. was asked the question, what attack is most often used in social engineering. They all answered this wrong. What is the correct answer?
Which of the following commands correctly references access list 120 in a crypto map?
Router(config-crypto-map)#match address 120
Which of the following correctly sets the IOS Firewall authentication-proxy idle timer to 20 minutes?
ip auth-proxy auth-cache-time 20
Which of the following situations brought on by a user will trigger the authentication proxy or the Cisco firewall?
When a user initiate HTTP session through the firewall
Which of the following will happen during the aggressive mode of the CBAC on the Cisco IOS Firewall?
CBAC will delete half-open sessions as needed to accommodate new connections requests.
Which of the following configuration register values will allow a Cisco router to go immediately into ROM mode at any time during a routers operation?
How many incomplete connections must a router have by default before TCP Intercept will start dropping incomplete connections?
Which of the following statements best describes a digital certificate?
It is assigned by CA
Which of the following cannot be configured on a router unless the IOS Firewall feature set is installed? Select all that apply.
What is the maximum key size you can generate when using RSA Encrypted Nonces as your IKE authentication method?
What is the range of the number of characters the IOS enable secret password can be?
What operating systems can CSACS be installed on? Select all that apply.
Kathy the security administrator for Inc. is working on defending the network. One of the attacks she is working to defend is SYN flooding and is looking to know which Cisco IOS feature defends against SYN flooding DoS attacks.
You are the security administrator for and you need to know what CBAC does on the Cisco IOS Firewall. Which one of these is the best answer?
Provides secure, per-application access control across network perimeters at Inc.
The security team at Inc., is looking for the command that disables the chargenand echo services on an IOS router?
no service tcp-small-servers
The security team at Inc., is looking for the command that lets you view any configured CA certificates?
show crypto ca certificates
George is the administrator at Inc. working on acquiring a position in the security department. He is studying the OSI layer model and is trying to find out which OSI layer does IPSecprovide security services?
What must you change the configuration register value to, when you need to perform password recovery on a router?
Johnthe administrator wants to know which type of key exchange mechanism is Diffie-Hellman.
Public key exchange
Kathy from the security department at Inc. wants to know what does a half-open TCP session on the Cisco IOS Firewall mean.
Session has not reached the established state.
Which of the following represents the aggressive mode of CBAC in Cisco IOS firewall?
Delete half-open session as needed to accommodate new connection requests
Which of the following commands correctly sets the IOS Firewall IDS spam threshold?
ip audit smtp spam 500
Johnthe manager of the I.T. Department at Inc. wants to know, what is the purpose of the ip host global configuration command.
Defines a static host name-to-address mapping in the host cache.
Which of the following router commands enables the AAA process?
Which of the following is the Cisco IOS command to disable finger service?
no service finger
Which of the following is the default login URL for CSACS 3.0?