642-552 - SND - Securing Cisco Network Devices Exam
Go back to Cisco
Which of these two ways does Cisco recommend that you use to mitigate maintenance-related threats? (Choose two.)
Maintain a stock of critical spares for emergency use.
Always follow electrostatic discharge procedures when replacing or working with internal router and switch device components.
Why does PAT fail with ESP packets?
because ESP is a portless protocol riding directly over IP, ESP prevents the PAT from creating IP address and port mappings
Which method of mitigating packet-sniffer attacks is the most effective?
deploy network-level cryptography using IPsec, secure services, and secure protocols
What is a potential security weakness of traditional stateful firewall?
cannot detect application-layer attacks
Using a stateful firewall, which information is stored in the stateful session flow table?
the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session
How does an application-layer firewall work?
examines the data in all network packets at the application layer and maintains complete connection state and sequencing information
Which method does a Cisco router use for protocol type IP packet filtering?
Which security log messaging method is the most common message logging facility and why?
syslog, because this method is capable of providing long-term log storage capabilities and supporting a central location for all router messages
What is the primary type of intrusion prevention technology used by Cisco IPS security appliances?
Router A can not establish a standard IPsec VPN tunnel with router B. An analysis reveals one or more NAT points in the delivery path of each IPsec packet being sent to router B. What is the problem and what is the solution?
IPsec encrypts Layer 4 port information and IKE NAT transversal needs to be configured on this network.
What are two ways of preventing VLAN hopping attacks? (Choose two.)
Disable DTP on all the trunk ports.
Set the native VLAN on all the trunk ports to an unused VLAN.
What is a syslog configuration oversight that makes system event logs hard to interpret and what can be done to fix this oversight?
The system time does not get set on the router, making it difficult to know when events occurred. Recommend that an NTP facility be used to ensure that all the routers operate at the correct time.
Which feature is available only in the Cisco SDM Advanced Firewall Wizard?
configure DMZ interfaces with access and inspection rules
What is the key function of a comprehensive security policy?
informing staff of their obligatory requirements for protecting technology and information assets
What is the first step you need to perform on a router when configuring role-based CLI?
enable the root view on the router
What does the secure boot-config global configuration accomplish?
takes a snapshot of the router running configuration and securely archives it in persistent storage
What two tasks should be done before configuring SSH server operations on Cisco routers? (Choose two.)
Upgrade routers to run a Cisco IOS Release 12.1(3)T image or later with the IPsec feature set.
Ensure routers are configured for local authentication or AAA for username and password authentication.
Which two encryption algorithms are commonly used to encrypt the contents of a message? (Choose two.)
A mission critical server application embeds a private IP address and port number in the payload of packets that is used by the client to reply to the server. Why is implementing NAT over the Internet supporting this type of application an issue?
When the client attempts to reply to the server using the embedded private IP address instead of the public IP address mapped by NAT, the embedded private IP address will not be routable over the Internet.
What are two security risks on 802.11 WLANs that implement WEP using a static 40-bit key with open authentication? (Choose two.)
The IV is transmitted as plaintext, and an attacker can sniff the WLAN to see the IV.
One-way authentication only where the wireless client does not authenticate the wireless-access point.
By default, what will a router do with incoming network traffic when the Cisco IOS IPS software fails to build a SME?
pass traffic packets destined for that SME without scanning them
What is the difference between the attack-drop.sdf file and the 128MB.sdf and the 256MB.sdf files?
attack-drop.sdf has fewer signatures
What does the MD5 algorithm do?
takes a variable-length message and produces a 128-bit message digest
Referring to the partial router configuration shown, which can represent the highest security risk?
using the default exec-timeout, which is too long
Which SDM feature(s) can be used to audit and secure a Cisco router?
Security Audit Wizard or One-Step Lockdown
Which building blocks make up the Adaptive Threat Defense phase of Cisco SDN strategy?
firewall services, IPS and network antivirus services, network intelligence
A client wants their web server on the DMZ to use a private IP address and to be reachable over the Internet with a fixed outside public IP address. Which type of technology will be effective in this scenario?
How can you recover a Cisco IOS image from a router whose password you have lost and on which the no service password-recovery Cisco IOS command has been configured?
Obtain a new Cisco IOS image on a FLASH SIMM or on a PCMCIA card.
Network administrators have just configured SSH on their target router and have now discovered that an intruder has been using this router to perform a variety of malicious attacks. What have they most likely forgotten to do and which Cisco IOS commands do they need to use to fix this problem on their target router?
forgot to disable vty inbound Telnet sessions and they need to issue the line vty 0 4 and the no transport input telnet Cisco IOS line configuration commands
Using 802.1x authentication on a WLAN offers which advantage?
limits access to network resources based on user login identity; especially suited for large mobile user populations
Which IKE function is optional?
XAUTH protocol for user authentication
Why was the Diffie-Hellman key agreement protocol created?
a practical method for establishing a shared secret over an unprotected communications channel was needed
On Cisco routers, which two methods can be used to secure privileged mode access? (Choose two.)
use the enable secret command to secure the enable password using MD5 encrypted hash
use an external Cisco ACS server to authenticate privilege mode access
What is a secure way of providing clock synchronization between network routers?
implement an NTPv3 server synchronized to the UTC via an external clock source like a radio or atomic clock, then configure the other routers as NTPv3 clients
Which of these two functions are required for IPsec operation? (Choose two.)
using IKE to negotiate the SA
using Diffie-Hellman to establish a shared-secret key
To verify role-based CLI configurations, which Cisco IOS CLI commands do you need use to verify a view?
enable view view-name, then use the ? to verify the available commands
Remote users are having a problem using their Cisco VPN Client software to connect to a Cisco Easy VPN Server. Which of the following could be causing the problem?
The Cisco Easy VPN Server is configured with only one ISAKMP policy specifying Diffie-Hellman Group 5.
A malicious program is disguised as another useful program; consequently, when the user executes the program, files get erased and then the malicious program spreads itself using emails as the delivery mechanism. Which type of attack best describes how this scenario got started?
Which of these is true regarding IKE Phase 2?
The SAs used by IPsec are unidirectional, so a separate key exchange is required for each data flow.