PopQuiz
Cisco Exam #640-442: Managing Cisco Network Security (MCNS)
10 questions. Answers can be found at end of quiz.
courtesy of MeasureUp
1. From the list below, choose the three most common types of security weaknesses. (Choose Three)
a. TCP/IP Weakness
b. Configuration Weakness
c. Technology Weakness
d. Administrative Weakness
e. Political Weaknes
f. Policy Weakness
2. Cisco cryptosystems use which two hashing algorithms to ensure packet integrity?
a. RSA
b. MD5
c. SHA-1
d. ESP
e. AH
f. IKE
3. In order for IPSec to work properly, what ports must be NOT be blocked by access-lists?
a. UDP port 500, IP port 50 , IP port 51
b. UDP port 1024, IP port 50 , IP port 51
c. UDP port 500, IP port 23 , IP port 51
d. UDP port 100, IP port 50 , IP port 51
e. UDP port 500, IP port 50 , IP port 510
4. A dynamic crypto map receives the missing pieces of the crypto map when ___________________?
a. the IKE negotiation takes place to mirror a peer's configuration
b. the S/Key negotiation takes place to mirror a peer's configuration
c. the remainder of the crypto map settings are entered manually
d. the IPSec negotiation takes place to mirror a peer's configuration
e. the complete policy is downloaded from the TACACS+ server
5. Cisco Secure ACS for NT can authenticate usernames and passwords against which three of the following? (Choose Three)
a. Windows NT user database
b. CSNT ACS Database
c. ESP Database
d. Certificate Authority Database
e. Token Server Database.
6. If you invoke the PIX firewall command "static" with the "em_limit" option specified, you are:
a. specifying the number of "embolism" connections which limits the number of partially completed connections.
b. specifying the number of "embryonic" connections which limits the number of partially completed connections.
c. specifying the number of "employee" connections which limits the number of partially completed connections.
d. specifying the number of "emissary" connections which limits the number of transient connections coming from an outside interface.
e. specifying the number of "embattled" connections which limits the number of DoS packets generated by a "Smurf" attack.
7. NAT on the PIX Firewall provides which of the following benefits to internal network clients? (Choose Three)
a. It allows internal network hosts the ability to choose which "global" address they want to use for translation services.
b. It allows internal network addresses of connected hosts to be hidden from the outside world.
c. It allows a network administrator to use address classes that wouldn't ordinarily be available.
d. It allows external network users to see the internal addresses of web servers, mail servers and DNS servers.
e. It allows the use of reserved addressing schemes for internal network hosts.
8. If you notice that the number of existing half-open sessions is beginning to rise, what could this indicate? (Select all that apply)
a. Answers
b. Man in the Middle attack
c. Serial Scan
d. IP Spoofing
e. Port Scan
f. DoS attack
9. What technology would you use if you wanted to allow only specific users access to network assets?
a. Lock-and-Key
b. CBAC
c. S/Key
d. SHA-1
e. IPSec
10. Which PIX Firewall command would use If you wanted to create a static translation between the global IP address of 192.168.1.10 and a webserver (on the dmz) with the address of 10.10.1.15?
a. static (dmz, dmz) 192.168.1.10 10.10.1.15
b. static (dmz, outside) 10.10.1.15 192.168.1.10
c. static (dmz, outside) 192.168.1.10 10.10.1.15
d. static (outside, dmz) 192.168.1.10 10.10.1.15
e. static (inside, outside) 192.168.1.10 10.10.1.15
Answers
1. B, C and F are correct. The three most common types of "weaknesses" are:
Configuration Weakness
- Insecure user accounts
- Insecure default settings within products
- Misconfigured network equipment
- System accounts with easily guessed (or hacked) passwords
- Misconfigured internet services
Technology Weakness
-TCP/IP weaknesses
- Operating System weaknesses
- Network Equipment weaknesses
Network Security Policy Weakness
- Lack of a written security policy
- Internal Politics
- Lack of business continuity
- Logical access controls to network gear are not applied
- Security Admin is lax, no monitoring or auditing
- Lack of awareness of being attacked
- No change control in software or hardware installations
- No disaster recovery plans
2. B and C are correct. The Message Digest 5 (MD5) uses an algorithm that creates 128 bit
"hashes" or "message digests" for packets to ensure that they have not been tampered with . The output of the MD5 hash process is always the same length regardless of the length of the data that in input. This is referred to as "padding". SHA-1 is a one-way cryptographic function which takes a message of less than 18 quintillion bits in length and produces a 160-bit message digest. This means that no matter how long the original message was, it will always be 160 bits in length after the algorithm has been run. Both MD5 and SHA-1 encode a message in such a way that it would become immediately apparent if the message was tampered with when it reached its destination.
3. A is correct. When you deploy IPSec, you need to be sure that then inbound traffic will be able to get through your perimeter router. This is relatively easy to do. You need to make sure the following traffic related ports are not blocked by your perimeter router.
-- IKE uses UDP port 500
-- ESP uses protocol 50
-- AH uses protocol 51
The access-lists you would need to create would look something like the examples below: (these would be entered on the perimeter router)
access-list 110 permit ahp host 192.168.10.1 host 192.168.5.1
access-list 110 permit esp host 192.168.10.1 host 192.168.5.1
access-list 110 permit udp host 192.168.10.1 host 192.168.5.1 eq isakmp
4. D is correct. In a network topology that includes clients connecting via a VPN, the use of dynamic crypto maps is a very attractive. This is due to the fact that the need for VPN client connectivity can typically be spur of the moment or without very much planning. When the VPN client attempts connectivity to an IPSec peer (the router in this case) a negotiation will take place between the VPN client and the router to determine what crypto parameters will be used. This negotiation takes place only after the VPN Client has successfully authenticated itself in some way.
5. A, B and E are correct. The Cisco Secure ACS (Access Control Server) for Windows NT is a software package that provides a centralized management point for AAA services being provided by either RADIUS or TACACS+. It manages these functions through a Windows GUI or a secured webpage. CSNT is capable of supporting the following database type:
- Windows NT user database (a.k.a. the SAM)
- CSNT ACS Database (CSNT can maintain its own user database)
- Token Server Database (many token servers maintain an independent user database)
- Novell NDS
And the following authentication protocols:
- PAP
- CHAP
- MS-CHAP
- ARAP
6. B is correct. The "em_limit" command line option specifies that number of half-open or "partially connected" connections that are allowed until the PIX Firewall stops responding to them. Properly setting the "em_limit" option through trial and error is what can help prevent a PIX Firewall from succumbing to a SYN Attack.
7. B, C and E are correct. The term Network Address Translation (NAT) allows internal network addresses of connected hosts to be hidden from the outside world by translating internal (protected) network host addresses into globally (external) available network addresses. The command "firewall1(config)# nat (inside) 1 0.0.0.0 0.0.0.0" tells the PIX Firewall to start NAT translation on the "inside" interface, using the global pool of addresses specified in the "global 1" command previously issued and allow hosts matching the "local ip" 0.0.0.0 and "netmask" of 0.0.0.0 which tells the PIX that anyone on the inside can start a translation session.
Here is what it would look like if entered on the PIX.
firewall1(config)# global (outside) 1 192.168.1.10-192.168.1.15 netmask 255.255.255.0
firewall1(config)# nat (inside) 1 0.0.0.0 0.0.0.0
The number that comes after the NAT command tells the PIX to use the pool of addresses specified in the "global" command of the same number.
8. E and F are correct. CBAC will monitor the number of existing half-open sessions and start or stop deleting them when a specific threshold has been reached. By default, CBAC will START deleting existing half-open sessions when its counters reach the number 500. It will STOP deleting existing half-open sessions when that number gets down to 400. An unusually high number of "half-open" sessions could indicate a Denial of Service (DoS) attack is in progress, since many DoS attacks use a flood of "half-open" sessions as a means to overwhelm the target. Port Scans quickly probe some (or all) TCP/IP ports in the hopes of getting a response. These quick probes take the form of "half-open" sessions.
9. A is correct. Cisco's "Lock and Key" technology allows the creation of an access-list that dynamically responds to specific user profiles granting or denying access based on details such as time of day, or any other desired parameters. The strength of the "lock and key" dynamic access-lists lies in the authentication to either TACACS+ or RADIUS. The process goes something like this:
1) A user telnets to a router that has been configured with a "lock and key" access list.
2) The router gets the telnet request and attempts authentication by whatever means has been previously specified (TACACS+, RADIUS, Local Login)
3) If authentication is successful, then the user is allowed to continue with the telnet session, if authentication fails, the telnet session is denied.
10. Cis correct. When answering this question, you need to keep in mind that the PIX Firewall by default will not allow a lower security value interface to communicate with a higher security value interface. The only way to circumvent this restriction is with the use of the "conduit" and "static" commands.
firewall1(config)# conduit permit tcp host 192.168.1.10 eq www any 0 0
The above command tells the PIX Firewall to allow traffic from any host with any port to communicate with the webserver (www) from the global address of 192.168.1.10.
The "conduit" command's best friend is the "static" command, it tells the firewall that global ip address 192.168.1.10 will always be translated to the internal address of the webserver which is 10.10.1.15
firewall1(config)# static (dmz, outside) 192.168.1.10 10.10.1.15
For the "conduit" and "static" commands to work, they must both contain the same global IP address as the source or "foreign address" in their command line syntax.
Questions and answers provided by MeasureUp. To order the full version of this exam simulation, click here.
For more CertCities.com pop quizzes, click here. For our list of free, non-braindump practice exams available from across the Web, click here.
More Pop Quiz:
|