Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
315 Cards in this Set
- Front
- Back
|
AAA stands for |
authentication authorization accounting |
|
|
RADIUS runs over |
UDP |
|
|
TACACS+ runs over |
TCP |
|
|
What must be setup before generating an RSA key? |
ip domain-name Non-default hostname |
|
|
Command to generate an RSA key |
crypto key generate rsa |
|
|
Command to change SSH to version 2 |
(config)# ip ssh version 2 |
|
|
Command to limit vty lines to SSH only |
(config-line)# transport input ssh |
|
|
What hashing is used for enable secret with a level 5 |
MD5 |
|
|
The IronPort Security Gateway secures what? |
Email (Spam, encryption, viruses) |
|
|
What is ScanSafe? |
Cloud based Software as a Service that scans email and web |
|
|
CIA stands for |
Confidentiality |
|
|
Define SIEM technology |
Security Information & Event Management Logs data, reports for compliance |
|
|
What is an asset |
An item that needs protection, has value to the company |
|
|
What is a vulnerability & list 3 |
Exploitable weakness of some type such as software, design errors, human factor, hardware vulnerabilities, or physical access |
|
|
What is a threat |
what you are protecting against, anything that attempts to gain access, compromise, or destroy an asset |
|
|
3 Common security zones |
Inside Outside DMZ |
|
|
What is risk |
The potential for unauthorized access, destruction, or damage to an asset. Countermeasures can reduce potential for risk |
|
|
What is a covert channel attack |
Using a program in an unintended way, most common is tunneling through another protocol. |
|
|
Describe trust exploitation |
Get access to a resource trusted by the target resource |
|
|
What is reflected DDOS |
Initial query is spoofed, response is reflected to victim |
|
|
What accronym is used for IKE phase 1 negotiation for IKE phase 2 |
HAGLE |
|
|
What does HAGLE stand for |
hash authentication group (diffie-helmen) lifetime encryption |
|
|
What are 2 symmetrical encryption algorithms |
AES, 3DES |
|
|
What are 2 hashing algorithms |
MD5, SHA-256 |
|
|
What's the difference between manual and inline key exchange |
inband is done online, out of band is a manual copy and paste |
|
|
What is the PKI |
public key infrastructure, the set of standards, procedures, and roles used to create, manage, distribute, store, use, and revoke digital signatures. |
|
|
What is a digital signature |
A hash that's been encrypted with the sender's private key |
|
|
What is a digital certificate? |
Contains information used for public key info.. Issuer, version, S/N, algorithm, hash. |
|
|
When is a digital certificate trusted? |
When it is signed by a trusted issuer (such as verisign) |
|
|
2 commands to enable https |
ip http secure-server |
|
|
2 commands to enable snmp v3 |
snmp-server group OUR-GROUP v3 priv read READ-VIEW |
|
|
4 commands to configure security for NTP |
ntp server 192.0.2.10 key 1 ntp authentication-key 1 md5 niceKey ntp trusted-key 1 ntp authenticate |
|
|
what does the *, [space], or . mean when view show clock detail |
* = not authoritative [space] = time is authoritative . = time is authoritative but not synchronized |
|
|
Set up SCP for file transport |
Set up AAA first then "ip scp server enable" |
|
|
Setup AAA with local authentication 3 commands |
username admin priv 15 secret password aaa new-model aaa authenticatin login default local |
|
|
Which protocol (TACACS+ or RADIUS) encrypts the whole packet |
TACACS+ |
|
|
Command to enable authentication via tacacs with local backup |
aaa authentication login AUTHEN_via_TACACS group tacacs+ local |
|
|
Command to add a tacacs server |
tacacs-server host 192.168.1.252 key cisco123 |
|
|
Command to test a AAA server |
test aaa group tacacas+ admin cisco123 legacy |
|
|
What occurs during IKE phase 1 |
A secure authenticated channel is created using diffie-helman key exchange to generate a shared secret key to encrypt further IKE communications |
|
|
What's the difference between IKE phase 1 main mode and aggressive mode? |
Main mode protects the identity of the peers, aggressive does not. |
|
|
What's the difference between transport mode and tunnel mode? |
Tunnel mode encrypts the entire packet and creates a new IP packet and header, Transport only encrypts the payload |
|
|
What can't AH provide compared to ESP? |
Encryption |
|
|
What is hairpinning? |
AKANAT Loopback. Describes communication between 2 hosts behind the same NATdevice. One machine on the LAN is able to access another via the external IPaddress of the firewall |
|
|
What is split tunneling? |
Whena computer on a VPN goes through the VPN to access the public internet |
|
|
What is always-on vpn? |
Prevents access to an unprotected network without being on a VPN. Connects when you login to the computer and detects an untrusted network |
|
|
Why is NAT Traversal necessary? |
When the IP packet headers are authenticated, the IP or port can't be changed due to hashing |
|
|
What is the order (5) of clientless VPN polices? |
DAP Group policy Group policy specified by connection profile Default group policiy |
|
|
What are the 4 classifications in the Traffic Light Protocol (TLP) |
Red (not shared) Amber (only share with members of own org) Green (Share with peers/partners) White (Shared without restriction) |
|
|
3 classifications of countermeasures |
Administrative Physical Logical |
|
|
What kind of countermeasure is having a written acceptable use policy? |
Administrative |
|
|
What kind of countermeasure is a locked wiring closet? |
Physical |
|
|
What kind of countermeasure is a logical control like password, firewall, IPS, access list? |
Logical |
|
|
What is the rule of least privilege |
Give user minimal access, only that which is required |
|
|
What tool gives the most granular information to help in the identification of malware |
Packet capture |
|
|
How does Cisco provide advance malware protection (AMP)? |
Cisco FirePOWER |
|
|
How is Next-gen intrusion prevention system (NGIPS) centrally managed? |
Cisco FireSIGHT |
|
|
What is Identity Services Engine (ISE) used for? |
It is an identity and access control policy platform that can validate the computer meets requirements of company's policy (virus definition, service pack, etc) |
|
|
What has more granularity and is proprietary Cisco? TACACS or Radius |
TACACS |
|
|
What provides AAA on the Cisco BYOD solution? |
Identity Services Engine (ISE) |
|
|
What is AAA stand for |
Authentication, authorization, and accounting |
|
|
What does AnyConnect use to provide secure access to corporate network? |
VPN with 802.1X |
|
|
What typically serves as the primary VPN termination point? |
ASA |
|
|
What does RSA SecurID provide? |
One time password generation and logging |
|
|
IPSEC works on layer |
3 |
|
|
4 benefits of VPNs |
Confidentiality Data Integrity Authentication Anti-replay |
|
|
Regarding CIA, which is focused on authorized users changing data? |
Integrity |
|
|
Regarding CIA, using plain text protocols may compromise...
|
Confidentiality |
|
|
What is a popular option for implementing confidentiality in motion? |
Encryption |
|
|
What is the program on Kali Linux that initiates a CAM table overflow attack? |
macof |
|
|
Default max mac addresses when port security is enabled |
1 |
|
|
What are the 4 port security violation actions |
Protect Restrict Shutdown port Shutdown VLAN |
|
|
What port security option sends no alerts? |
Protect |
|
|
What is the default port security violation action? |
Shutdown port |
|
|
What is the port security option that would provide the largest amount of administrative overhead? |
Static |
|
|
Can port security work on Trunk ports |
yes |
|
|
Can port security work on dynamic ports? (not static access or trunk)? |
no |
|
|
When a port security violation occurs and it is shutdown, what does it show on sh ip int brief? |
Err-disabled |
|
|
If in SSH or Telnet, what command lets you see log messages? |
terminal monitor (priv exec mode) |
|
|
Interface command to make port security have 5 max MAC addresses |
switchport port-security maximum 5 |
|
|
Regarding port security, which option places MAC addresses into running config without typing them? |
switchport port-security mac-address sticky |
|
|
What is the status for port-security when it is properly engaged? |
Enabled |
|
|
What type of attack uses up all the available IP addresses? |
DHCP Starvation |
|
|
Which DHCP messages are blocked from untrusted ports in a DHCP Snooping environment? |
(DORA) Offer and ACK |
|
|
When using DHCP snooping, what is the default state for a port? |
Untrusted |
|
|
When using DHCP snooping, which message are ALLOWED from untrusted ports? |
DORA- Discover and request |
|
|
What command enables DHCP snooping in global config? |
ip dhcp snooping |
|
|
How can you rate limit DHCP messages to help prevent exhaustion in the DHCP Snooping environment? |
Interface command: ip dhcp snooping limit rate 10 Refers to 10 packets per second |
|
|
What command shows ip dhcp snooping statistics? |
show ip dhcp snooping database |
|
|
In PVLAN, what are the 3 port types? |
Promiscuous, isolated, community |
|
|
What version of VTP supports PVLAN? |
Version 3 |
|
|
How do you create an isolated VLAN? |
vlan 200 private-vlan isolated |
|
|
How do you set a primary VLAN in the context of PVLAN, then how do you associate them? |
vlan 100
private-vlan primary private-vlan association 200,300,400,500 |
|
|
In PVLAN, how do you set a port as promiscuous then map the other VLANs? |
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 200,300,400,500 |
|
|
In PVLAN, how do you set a port to a private vlan and associate it? |
switchport mode private-vlan host switchport private-vlan host-association 100 200 |
|
|
Command to show private vlan configuration, active ports |
show vlan private-vlan |
|
|
In PVLAN, how can security be bypassed? |
If a device sends a packet to layer 2 device of gateway and layer 3 address of a host in another PVLAN. Hairpin routing |
|
|
How can hairpin routing be prevented in PVLAN? |
Put in an access control list inbound on gateway port to deny access coming FROM the network getting routed back to the same network |
|
|
What does DAI stand for? |
Dynamic ARP Inspection |
|
|
What is a gratuitous ARP? |
An unsolicited ARP that has the senders MAC and IP |
|
|
Where does DAI get the information it needs to detect attacks? |
DHCP Snooping database or static |
|
|
What is an ARP ACL used for in DAI? |
Statically map the layer 2 and layer 3 information on a non-DHCP port (like gateway) |
|
|
How does err-disabled port become reactive? |
Manually shut/no shut |
|
|
What does DAI protect against? |
ARP poisoning attack, causing MiTM |
|
|
What type of port is impractical to put DAI on? |
Trunk ports |
|
|
Command to enable DAI on vlan 1 |
ip arp inspection vlan 1
|
|
|
What happens if you go over rate limit set by ARP inspection? |
Goes into err-disabled state |
|
|
What command shows interface status, like err-disabled and reason |
show interfaces status |
|
|
Command to bring an interface up after errdisabled state after 30 seconds |
errdisable recovery cause [arp-inspection]
errdisable recover interval 30 |
|
|
Command to show statistics from DAI for vlan 1 |
show ip arp inspection statistics vlan 1 |
|
|
Packets per second arp violation results in
|
Err-disabled |
|
|
3 types of stateful filtering (IOS Firewall) |
Reflexive ACL CBAC - Context Based Access Control Zone based firewall |
|
|
Current/best way to do firewall on router IOS |
Zone based firewall |
|
|
3 sections of NAT on ASA |
Manual Auto Manual after auto |
|
|
Command to show NAT translations on ASA |
show xlate |
|
|
Command to show NAT policies on ASA |
show nat |
|
|
What's the other term for object nat? |
auto nat |
|
|
What is twice nat? |
Translation is done on both the source and destination addresses |
|
|
By default, security levels (lower/higher) can flow to (lower/higher) |
High security zone can go to low |
|
|
What needs to be added to the default inspection for ping to work |
ICMP |
|
|
What 2 commands are needed to start the HTTP server for ASDM |
http server enable http 192.168.100.0 255.255.255.0 INSIDE |
|
|
What 3 things must be configured on an interface on the ASA |
Security level, nameif ip address |
|
|
What are class maps used for? |
Identify traffic |
|
|
What are policy maps used for? |
Specify the action to take |
|
|
What are service policies used for? |
How we apply the policy map, what interfaces |
|
|
What are the 3 sections to configure in MPF? |
Class map, policy map, service policy |
|
|
Command used to allow a queue to form on an interface |
priority-queue [inside] |
|
|
What is the DSCP for VoIP traffic? |
46, EF (expedited forwarding) |
|
|
In MPF , how can you limit half-formed sessions |
In policy map, set the embryonic connection max lower |
|
|
What is a TCP connection called that is not fully formed? |
Embryonic connection |
|
|
When forming a IKE phase 1 tunnel, what needs to match
|
HAGE (not lifetime) |
|
|
What is the default encryption algorithm in IKE phase 1 on newer ASAs? |
3DES - 168 bit key |
|
|
What is the default hashing algorithm in IKE phase 1 on newer ASA? |
SHA-1 |
|
|
What is the default authentication protocol on IKE phase 1 on newer ASA? |
preshared keys |
|
|
What is the default diffie hellman group for IKE on a newer ASA? |
#2 - 1024 bit |
|
|
What is the default lifetime for IKE on a newer ASA? |
86400 seconds |
|
|
URL filtering subscription service filters based on what? |
Predefined categories |
|
|
What is a NIPS and where does it sit? |
Networkbased Intrusion Prevention System typically sits inline. |
|
|
What layer does a stateless packetfiltering firewall operate on? |
4 |
|
|
What layers do stateful packetfiltering firewalls operate on? |
3, 4, and 5 |
|
|
What is the definition of a multihomed device? |
Connects more than 1 network segment |
|
|
What happens after a user logs in and has an autocommand configured? |
It shows and then they are disconnected |
|
|
What command has to be added so users can stay logged in after an autocommand executes? |
nohangup |
|
|
What is AMP for Endpoints |
It's a host based malware detection and prevention platform. It monitors net traffic and application behavior to protect a host |
|
|
Can AMP for Endpoints block polymorphic malware? |
Yes |
|
|
How does AMP for Endpoints contain compromised applications? |
Uses application blocking lists |
|
|
What does SHOUTcast media stream use, what should be inspected? |
HTTP |
|
|
What NTP symbol means the time is authoritative but not synchronized? |
period (.) |
|
|
What NTP symbol means the time is not authoritative? |
* |
|
|
What NTP symbol means the time is synchronized and authoritative? |
No symbol before the time shown |
|
|
|
|
|
|
Default router mode (routed or transparent) |
Routed |
|
|
What mode in ASA can not do VPNs? |
Transparent |
|
|
What command enables transparent mode? |
firewall transparent |
|
|
What needs to be created to manage a firewall in transparent mode? |
Bridge virtual interface (BVI) |
|
|
When using transparent firewalls, what needs to be configured on the ports that are connected in a layer 2 domain? |
bridge-group 1
|
|
|
In a transparent firewall what layer 2 traffic is allowed by default? |
ARP |
|
|
What happens to a firewall config when you switch from routed mode to transparent mode? |
Configuration erases |
|
|
What type of access list needs to be created to allow layer 2 BPDUs and MPLS to pass through a transparent firewall? |
Ethertype ACL |
|
|
What needs to be allowed on an interface ACL to allow DHCP or routing protocols on a transparent firewall? |
Allow ip any any on the inside, allow the source router going to broadcast IP (255.255.255.255) or multicast on outside interface |
|
|
What feature allows preventing ARP spoofing? |
ARP inspection |
|
|
How can you set ARP inspection to drop packets that are unknown but don't conflict with ARP table |
Disable flood |
|
|
What does proxy arp do? |
Allows ASA to respond to ARP request on behalf of the target device |
|
|
What keyword in an ACL makes it pertain to layer 2? |
access-list acl1 ethertype permit bpdu |
|
|
Command to set hostname on ASA
|
hostname asa1 (shortening it doesn't work) |
|
|
Command to allow failover to replicate http traffic |
failover replicate http
|
|
|
When setting an active/standby firewall setup, what needs to be set on the standby? |
Need to configure the failover link only and turn it on |
|
|
What command enables active/standby failover? |
"failover" global config |
|
|
What command shows the status of an active/standby firewall |
show fail |
|
|
What needs to be set in interface config mode for the failover link? |
No shut only (the rest is done in global config) |
|
|
How do you set an active and standby IP address for an interface? |
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2 |
|
|
Command to encrypt failover communication |
failover key cisco |
|
|
Command to make the active/standby firewall setup to prefer active |
failover lan unit primary |
|
|
Command to disable being active firewall |
no fail active |
|
|
Does active/standby firewall setup to preemption? |
No |
|
|
Command to set g0/3 as the failover link
|
failover lan interface fail-1 g0/3 |
|
|
Command to set failover ip address for fail-1 |
failover interface ip fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
|
|
|
Command to set g0/4 as stateful replication link |
failover link fail-2 g0/4 |
|
|
Command to change prompt to show hostname, priority, and state |
prompt hostname priority state |
|
|
What plane lets the administrator communicate with the device or monitor logs |
Management plane |
|
|
What plane involves the CPU processing? |
Control plane |
|
|
What plane deals with passing traffic? |
Data plane |
|
|
What is an example of using the management plane? |
Using SSH, CCP, SNMP |
|
|
What is an example of the control plane? |
Routing protocol updates, traffic going to the device |
|
|
What is a way to secure the management plane? |
AAA, login restrictions/timeouts, encryption |
|
|
What is a way to secure the control plane? |
Authenticated routing protocols, control plane policing/protection |
|
|
What is a way to secure the data plane? |
ACLs, STP safeguards, port security, firewalls, IPS/IDs |
|
|
What function in a policy map rate limits traffic? |
Police 8000 (bits per second) conform-action transmit exceed-action drop |
|
|
When typing enable, what is the default priv level it goes to? |
15 |
|
|
When entering a username secret, how is that stored? |
MD5 hash |
|
|
What command allows a certain priv level to execute a command? |
privilege exec level 4 ping |
|
|
When using username secret command, what does 5 mean before the password string |
Means the following is an MD5 hash, 0 is plain text |
|
|
Command to enable aaa |
aaa new-model |
|
|
When you use a "aaa authentication default" command where does that take effect? |
Everywhere except console |
|
|
What command enforces a minimum password length? |
security passwords min-length 8 |
|
|
What 2 commands are needed to start SSH |
ip domain-name acm crypto key generate rsa 1024 |
|
|
What command locks an account out after 3 attempts |
aaa local authentication attempts max-fail 3 |
|
|
What command clears locked out accounts? |
clear aaa local user lockout all
|
|
|
What command lets someone try 10 passwords within 60 seconds, locking the account, and making them wait 300 seconds to try again? |
login block-for 300 attempts 10 within 60 |
|
|
What does SSH 1.99 represent |
Means it can use version 1 or 2 |
|
|
What port is used for Tacacs+? |
49 |
|
|
What are the modern ports for Radius? |
1812 for authentication 1813 for accounting |
|
|
What 2 messages will the AAA server respond with for a login? |
PASS or FAIL |
|
|
What are the 2 cisco services that run tacacs |
Access Control Server (ACS) Identity Service Engine (ISE) |
|
|
What is better to use for administrators (tacacs or radius) |
tacacs |
|
|
What command makes AAA check authorization of commands after getting in config mode? |
aaa authorization config-commands |
|
|
What feature enforces role based access, as in commands allowed |
Parser view |
|
|
What command lets you see what perser view you're in |
Show parser view |
|
|
What command makes a username associated with a parser view |
username bob view help-desk priv 15 secret cisco
|
|
|
Command in parser view mode to allow a user in the view to use a command |
commands exec include show version
|
|
|
What command lets a specific interface use management features (ssh/https) |
control-plane host management-interface fa2/0 allow ssh https |
|
|
What needs to be configured on the router to allow CCP access? |
Enable http secure server and specify authentication |
|
|
What command runs the security audit |
auto secure |
|
|
What feature checks a packet's source IP to see if it came in on an appropriate interface? |
unicast RPF (reverse path forward) |
|
|
What version of SNMP should be used, which allows encryption and authentication? |
v3 |
|
|
2 commands to enable secure boot |
secure boot-image
secure boot-config |
|
|
When setting up AAA for administrators, where do you go? |
Device management |
|
|
For setting up AAA for users, where do you configure it? |
firewall > aaa rules |
|
|
What are the 4 protocols that makes a user stop and authenticate with AAA before proceeding to the server? |
Telnet FTP HTTP HTTPS (Sometimes SSH) |
|
|
What commands shows what users are authenticated in the firewall? |
show uauth |
|
|
What is a downloadable ACL, where is it created |
Created in AAA server, downloaded onto ASA when a user authenticates, applies to an interface |
|
|
If there is conflicting information on an interface ACL and downloadable ACL, how do you set the firewall to give precedence to the downloaded one? |
In the access rules page, go to advanced, select per-user-override |
|
|
What are 4 symmetrical encryption algorithms? |
DES 3DES AES IDEA |
|
|
What are 2 asymmetrical encryption algorithms? |
RSA, DSA |
|
|
What are 2 hashing algorithms? |
MD5, SHA |
|
|
In CIA, how do you assure integrity? |
Hashing |
|
|
What are the 3 sections of NFP |
Management plane Control plane Data plane |
|
|
What are the 5 options for an IKE phase 1 tunnel? |
Hashing Authentication Group Lifetime Encryption |
|
|
What are the 4 objectives of IPSEC |
Confidentiality Integrity Authentication Anti-replay |
|
|
What are 2 ways an IKE phase 1 tunnel is created, and which has more packets |
Main mode (uses more) Aggressive mode |
|
|
What is perfect forward secrecy |
Using DH in IKE phase 2 |
|
|
Command to see details about ike phase 1 tunnel |
show crypto isakmp sa detail |
|
|
Command to see details about ike phase 2 tunnel |
Show crypto ipsec sa |
|
|
what does isakmp stand for |
Internet security association and key management protocol |
|
|
What layer is ESP and what is the protocol number |
Layer 4 IP Protocol 50 |
|
|
What can't AH provide? |
Confidentiality (encryption) |
|
|
How do you prevent NAT occuring over tunnel? |
Add line in access list to deny traffic that is going from the inside network to destination, and a line after to allow traffic from the inside going anywhere else |
|
|
What are 2 things that can be set to cause ipsec tunnel to renegotiate? |
Time or data |
|
|
In SSL who sends a list of ciphers they support? |
Client |
|
|
What is the PKI |
Public key infrastructure - responsible for sharing public keys |
|
|
What type of VPN can be formed when you do not have admin rights on the local computer? |
Clientless SSL VPN |
|
|
What protocol number is ESP |
50 |
|
|
How does a user specify a connection profile (3) |
Go to a specific URL, dropdown, or have a certificate |
|
|
What is a split tunnel? |
Only some of the traffic goes through the tunnel (interesting traffic) |
|
|
Default connection profile for clientless connection |
DefaultWebVPNGroup |
|
|
Default connection profile for IPSec |
DefaultRAGroup |
|
|
Order of policy assignment for connected VPN users (5) |
DAP (dynamic access policy) User policy Group policy under user profile Group policy under connection profile Default group policy |
|
|
What happens if something from the user profile is different than the group policy? |
User policy rule is applied, group ignored |
|
|
How do you restrict access to a certain URL on a clientless VPN session?
|
Webtype ACL |
|
|
How can you lock a user down to a single connection profile? |
Select connection profile (tunnel group) lock under user settings |
|
|
Command to show the active VPN session information |
show vpn-sessiondb |
|
|
Port IPSEC uses to initiate communication |
UDP port 500 |
|
|
IPSec protocol number
|
50 |
|
|
Nat traversal port number and layer 4 protocol |
Pads UDP port 4500 in front of IPsec header |
|
|
What are 2 benefits of IKEv2 |
Nat traversal built in Dead peer detection |
|
|
In SSL, how do servers prove their identity? |
Digital signature
|
|
|
How does a digital signature work |
Sender creates a hash and encrypts it with their private key. Receiver decrypts with sender's public key and compares hash |
|
|
What does QM_IDLE IKEv1 phase 1 mean |
The tunnel has been established |
|
|
What is a next-gen encryption standard and hashing algorithm |
SHA256 (or higher) and AES |
|
|
What 3 pieces of information must be in a crypto map |
Identify the traffic, set a peer, and set the transform set |
|
|
Command to see ike phase 1 sessions |
sh crypto isakmp sa |
|
|
What fields in ESP are not encrypted |
security parameter index (SPI) and sequence (SEQ) |
|
|
What command must be added to the crypto map to add a route to the distant network to your routing table |
reverse-route [static] |
|
|
What is UTM |
A broad term, unified threat management. Such as a firewall with a IPS module |
|
|
What is a false positive |
Alert generated for benign traffic |
|
|
What is a true positive |
Alert generated for bad traffic |
|
|
What is a false negative |
Malicious traffic with no alert generated |
|
|
What is a true negative |
Good traffic with no alert generated |
|
|
What are 2 ways an IDS can prevent an attack
|
Send a TCP reset Block request (to routers/firewalls) |
|
|
What can an IPS do that an IDS can't? (2) |
Deny traffic Modify traffic |
|
|
What kind of identification method can identify a ping sweep?
|
Signature matching |
|
|
What kind of identification method can identify traffic by policies like no telnet allowed? |
Policy based identification |
|
|
What kind of identification method listens to traffic, develops a baseline, then identifies if there's a major change? |
Anomaly based |
|
|
What kind of identification method uses information learned from other resources about current attacks? |
Reputation based |
|
|
What is the SDEE |
Security device event exchange - uses TCP and sends alerts to management stations |
|
|
What is better to minimize latency, IDS or IPS |
IDS |
|
|
Size of SHA-1 |
160 bit |
|
|
Upward limit of SHA-2 |
512 bit |
|
|
Size of MD5 hash |
128 bit |
|
|
What does key space refer to |
Refers to all the possible values for a key. Bigger the key, the more secure |
|
|
What is ECDSA |
Elliptical Curve Digital Signal Algorithm- part of ECC (elliptical curve cryptography) |
|
|
This is a format of a certificate request sent to a CA that wants to receive its identity certificate. This type of request would include the public key for the entity desiring a certificate. |
PKCS#10 |
|
|
This is a format that can be used by a CA as a response to a PKCS#10 request. The response itself will very likely be the identity certificate (or certificates) that had been previous requested |
PKCS#7 |
|
|
RSA Cryptography Standard PKCS# |
PKCS#1 |
|
|
A format used for storing both public and private keys using a symmetric password based key to unlock the data whenever the key needs to be used or accessed |
PKCS#12 |
|
|
Diffie-hellman key exchange PKCS# |
PKCS#3 |
|
|
What is used to automate the process of requesting and installing an identity certificate? |
SCEP - Simple Certificate Enrollment Protocol |
|
|
What list is sent to show when certificates are revoked |
CRL - certificate revocation list |
|
|
3 authentication methods shared by Radius and TACACS |
MSCHAPv1 CHAP PAP |
|
|
An authentication method that Radius can use but TACACS can't |
ASCII |
|
|
An authentication method that TACACS can use but Radius can't |
MSCHAPv2 |
|
|
If a ZBF firewall drops traffic, does it generate ICMP traffic? |
No |
|
|
In a ZBF, is inspect considered unidirectional or bidirectional |
Bidirectional traffic flows |
|
|
What is DTLS |
TLS over UDP (datagram) |
|
|
If the firewalls configured for DTLS and dead peer detection, can an anyconnect client using TLS connect? |
Yes, FW will accept TLS as backup |
|
|
What happens in EAPFASTv2 when user authentication fails but device authentication passes? |
User will have restricted access |
|
|
Define CoPP and CPPr |
Control plane policing Control plane protection |
|
|
EAPFASTv1 minimum level TLS supported |
1.0 |
|
|
EAPFASTv2 minimum level TLS supported |
1.2 |
|
|
What does MM_NO_STATE signify looking at ISAKMP associations |
Main mode was used, peers created the security association. If it doesn't move past here, it failed |
|
|
What does AG_NO_STATE signify looking at ISAKMP association? |
Aggressive mode was used, peers created SA |
|
|
What does QM_IDLE signify looking at ISAKMP association? |
Quick mode was used for IKE phase 2. Only phase for IKE phase 2, means it succeeded |
|
|
What does AG_AUTH signify looking at ISAKMP associaitons? |
Aggressive mode was used, peers authenticated |
|
|
What does a SEM do? |
Security event managers perform real time analysis and detection |
|
|
What does a SIM do? |
Security information management collect and analyze logs, not real time |
|
|
What does microsoft server need in order to handle SCEP requests |
Microsoft Network Device Enrollment Service (NDES) |
|
|
What is a WAF? |
Web Application Firewall - used to protect web sites from known attacks and vulnerabilities |
|
|
Worm used as an act of war against Iranian ICS |
Stuxnet |
|
|
What is CSA? |
Cisco Security Agent - a host based IPS |
|
|
When looking at show conn on a firewall, what does the S, s, A, a mean? |
S is a SYN is expected from the inside s is a SYN is expected from the outside A is an ACK is expected from the inside a is an ACK is expected from tine outside |
|
|
When looking at show conn on a firewall, what does the U mean? |
3 way handshake was complete |
|
|
When looking at show conn on firewall, what will it show when the handshake is complete and data is flowing bidirectionally? |
UIO |
|
|
When looking at show conn on firewall, what does a B represent? |
Initial SYN originated from outside |
|
|
Where is split tunneling configured? |
Group policy |
|
|
Max amount of CLI views for routers
|
15, including lawful intercept |
