640-554 Implementing Cisco IOS Network Security (IINS v2.0)

Page 1   
Question 1

Which three items are Cisco best-practice recommendations for securing a network?
(Choose three.)
  • A. Routinely apply patches to operating systems and applications.
  • B. Disable unneeded services and ports on hosts.
  • C. Deploy HIPS software on all end-user workstations.
  • D. Require strong passwords, and enable password expiration.

Answer : A,B,D

Topic 2, Security and Cisco Routers

Question 2

You are the security admin for a small company. This morning your manager has supplied
you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to
navigate the pre-configured CCP in order to find answers to your business questions.

What is included in the Network Object Group INSIDE? (Choose two.)

  • A. Network
  • B. Network
  • C. Network
  • D. Network
  • E. Network

Answer : B,C

Question 3

Which two options are characteristics of the Cisco Configuration Professional Security
Audit wizard? (Choose two.)

  • A. displays a screen with fix-it check boxes to let you choose which potential security-related configuration changes to implement
  • B. has two modes of operation: interactive and non-interactive
  • C. automatically enables Cisco IOS firewall and Cisco IOS IPS to secure the router
  • D. uses interactive dialogs and prompts to implement role-based CLI
  • E. requires users to first identify which router interfaces connect to the inside network and which connect to the outside network

Answer : A,E

Explanation: http://www.cisco.com/en/US/docs/net_mgmt/cisco_configuration_professional/v2_7/olh/ccp.pdf

Perform Security Audit: this option starts the Security Audit wizard. The Security Audit wizard tests your router configuration to determine if any potential security problems exist in the configuration, and then presents you with a screen that lets you determine which of those security problems you want to fix. Once determined, the Security Audit wizard will make the necessary changes to the router configuration to fix those problems.

To have Cisco CP perform a security audit and then fix the problems it has found:

Step 1 In the Feature bar, select Configure > Security > Security Audit.
Step 2 Click Perform Security Audit. The Welcome page of the Security Audit wizard appears.
Step 3 Click Next>. The Security Audit Interface Configuration page appears.
Step 4 The Security Audit wizard needs to know which of your router interfaces connect to your inside network and which connect outside of your network. For each interface listed, check either the Inside or Outside check box to indicate where the interface connects.
Step 5 Click Next>. The Security Audit wizard tests your router configuration to determine which possible security problems may exist. A screen showing the progress of this action appears, listing all of the configuration options being tested for, and whether or not the current router configuration passes those tests. If you want to save this report to a file, click Save Report.
Step 6 Click Close. The Security Audit Report Card screen appears, showing a list of possible security problems.
Step 7 Check the Fix it boxes next to any problems that you want Cisco Configuration Professional (Cisco CP) to fix. For a description of the problem and a list of the Cisco IOS commands that will be added to your configuration, click the problem description to display a help page about that problem.
Step 8 Click Next>.
Step 9 The Security Audit wizard may display one

Question 4

What are three of the security conditions that Cisco Configuration Professional One-Step
Lockdown can automatically detect and correct on a Cisco router? (Choose three.)

  • A. One-Step Lockdown can set the enable secret password.
  • B. One-Step Lockdown can disable unused ports.
  • C. One-Step Lockdown can disable the TCP small servers service.
  • D. One-Step Lockdown can enable IP Cisco Express Forwarding.
  • E. One-Step Lockdown can enable DHCP snooping.
  • F. One-Step Lockdown can enable SNMP version 3.

Answer : A,C,D

Question 5

During role-based CLI configuration, what must be enabled before any user views can be

  • A. multiple privilege levels
  • B. usernames and passwords
  • C. aaa new-model command
  • D. secret password for the root user
  • E. HTTP and/or HTTPS server
  • F. TACACS server group

Answer : C

Explanation: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

Configuring a CLI View: use this task to create a CLI view and add commands or interfaces to the view, as appropriate.

Prerequisites. Before you create a view, you must perform the following tasks:

  • Enable AAA via the aaa new-model command. (For more information on enabling AAA, see the chapter "Configuring Authentication" in the Cisco IOS Security Configuration Guide, Release 12.3.)
  • Ensure that your system is in root view, not privilege level 15.

SUMMARY STEPS
1. enable view
2. configure terminal
3. parser view view-name
4. secret 5 encrypted-password
5. commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
6. exit
7. exit
8. enable [privilege-level] [view view-name]
9. show parser view [all]

Question 6

Answer :

Question 7

In which two modes can Cisco Configuration Professional Security Audit operate? (Choose two.)

  • A. Security Audit wizard
  • B. Lockdown
  • C. One-Step Lockdown
  • D. AutoSecure

Answer : A,C

Question 8

Which type of management reporting is defined by separating management traffic from
production traffic?

  • A. IPsec encrypted
  • B. in-band
  • C. out-of-band
  • D. SSH

Answer : C

Explanation: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap9.html#wp1054536

OOB Management Best Practices. The OOB network segment hosts console servers, network management stations, AAA servers, analysis and correlation tools, NTP, FTP, syslog servers, network compliance management, and any other management and control services. A single OOB management network may serve all the enterprise network modules located at the headquarters. An OOB management network should be deployed using the following best practices:

  • Provide network isolation
  • Enforce access control
  • Prevent data traffic from transiting the management network

Question 9

Which three applications comprise Cisco Security Manager? (Choose three.)

  • A. Configuration Manager
  • B. Packet Tracer
  • C. Device Manager
  • D. Event Viewer
  • E. Report Manager
  • F. Syslog Monitor

Answer : A,D,E

Question 10

Answer :

Question 11

Which two options are two of the built-in features of IPv6? (Choose two.)

  • A. VLSM
  • B. native IPsec
  • C. controlled broadcasts
  • D. mobile IP
  • E. NAT

Answer : B,D

Explanation: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-tunnel.html

IPv6 IPsec Site-to-Site Protection Using Virtual Tunnel Interface. The IPv6 IPsec feature provides IPv6 crypto site-to-site protection of all types of IPv6 unicast and multicast traffic using native IPsec IPv6 encapsulation. The IPsec virtual tunnel interface (VTI) feature provides this function, using IKE as the management protocol. An IPsec VTI supports native IPsec tunneling and includes most of the properties of a physical interface. The IPsec VTI alleviates the need to apply crypto maps to multiple interfaces and provides a routable interface. The IPsec VTI allows IPv6 routers to work as security gateways, establish IPsec tunnels between other security gateway routers, and provide crypto IPsec protection for traffic from the internal network when it is transmitted across the public IPv6 Internet.

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-mobile.html

Mobile IPv6 Overview. Mobile IPv4 provides an IPv4 node with the ability to retain the same IPv4 address and maintain uninterrupted network and application connectivity while traveling across networks. In Mobile IPv6, the IPv6 address space enables Mobile IP deployment in any kind of large environment. No foreign agent is needed to use Mobile IPv6. System infrastructures do not need an upgrade to accept Mobile IPv6 nodes. IPv6 autoconfiguration simplifies mobile node (MN) Care of Address (CoA) assignment. Mobile IPv6 benefits from the IPv6 protocol itself; for example, Mobile IPv6 uses IPv6 option headers (routing, destination, and mobility) and benefits from the use of neighbor discovery. Mobile IPv6 provides optimized routing, which helps avoid triangular routing. Mobile IPv6 nodes work transparently even with nodes that do not support mobility (although these nodes do not have route optimization). Mobile IPv6 is fully backward-compatible with existing IPv6 specifications. Therefore, any existing host that does

Question 12

Refer to the exhibit.

What does the option secret 5 in the username global configuration mode command
indicate about the user password?

  • A. It is hashed using SHA.
  • B. It is encrypted using DH group 5.
  • C. It is hashed using MD5.
  • D. It is encrypted using the service password-encryption command.
  • E. It is hashed using a proprietary Cisco hashing algorithm.
  • F. It is encrypted using a proprietary Cisco encryption algorithm.

Answer : C

Explanation: http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/120s_md5.html

Feature Overview. Using the Enhanced Password Security feature, you can configure MD5 encryption for username passwords. Before the introduction of this feature there were two types of passwords associated with usernames. Type 0 is a clear text password visible to any user who has access to privileged mode on the router. Type 7 is a password with a weak, exclusive-or type encryption. Type 7 passwords can be retrieved from the encrypted text by using publicly available tools. MD5 encryption is a one-way hash function that makes reversal of an encrypted password impossible, providing strong encryption protection. Using MD5 encryption, you cannot retrieve clear text passwords. MD5 encrypted passwords cannot be used with protocols that require that the clear text password be retrievable, such as Challenge Handshake Authentication Protocol (CHAP). Use the username (secret) command to configure a user name and an associated MD5 encrypted secret.

Configuring Enhanced Security Password:

  • Router(config)# username name secret 0 password: configures a username and encrypts a clear text password with MD5 encryption.
  • Router(config)# username name secret 5 encrypted-secret: configures a username and enters an MD5 encrypted text string which is stored as the MD5 encrypted password for the specified username.

Note that "encryption" is Cisco's wording: a type 5 value is a salted MD5 hash (the md5crypt $1$ construction), which is one-way but fast to attack by brute force. Newer IOS releases add type 8 (PBKDF2 with SHA-256) and type 9 (scrypt), selected with the algorithm-type keyword, and these should be preferred where the platform supports them.

Question 13

What does level 5 in this enable secret global configuration mode command indicate?
router(config)# enable secret level 5 password

  • A. The enable secret password is hashed using MD5.
  • B. The enable secret password is hashed using SHA.
  • C. The enable secret password is encrypted using Cisco proprietary level 5 encryption.
  • D. Set the enable secret command to privilege level 5.
  • E. The enable secret password is for accessing exec privilege level 5.

Answer : D

Explanation: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html

To configure the router to require an enable password, use either of the following commands in global configuration mode:

  • Router(config)# enable password [level level] {password | encryption-type encrypted-password}: establishes a password for a privilege command mode.
  • Router(config)# enable secret [level level] {password | encryption-type encrypted-password}: specifies a secret password, saved using a non-reversible encryption method. (If enable password and enable secret are both set, users must enter the enable secret password.)

Use either of these commands with the level option to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level configuration command to specify commands accessible at various levels.
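Questions 12 and 13 both turn on how IOS stores credentials: a type 7 value ("password 7") is reversible, while a type 5 value ("secret 5") is an MD5-based one-way hash. The following Python script is an added example, not code from this page or from Cisco: it decodes type 7 strings with the fixed key that the "publicly available tools" use, re-implements the md5crypt ($1$) construction that IOS uses for type 5 so a hash can be verified or generated offline, and classifies the username and enable lines of a sample configuration. The sample configuration, its usernames (admin, ops) and its passwords are constructed for the example; the function names are the example's own.

```python
# IOS type 7 ("password 7") is an XOR encoding under a fixed public key and is reversible;
# type 5 ("secret 5") is the md5crypt ($1$) one-way construction and can only be verified.
import hashlib
import hmac
import re
import secrets

_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"  # public since the 1990s
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # crypt(3) alphabet

def decode_type7(encoded: str) -> str:
    """Recover the plaintext: two decimal digits give the key offset, then hex bytes."""
    offset, data = int(encoded[:2], 10), bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")

def encode_type7(plaintext: str, offset: int = 0) -> str:
    """Inverse of decode_type7; the offset is stored in clear, so it adds no secrecy."""
    data = plaintext.encode("ascii")
    out = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}{out.hex().upper()}"

def _to64(value: int, count: int) -> bytes:
    # crypt(3) ordering: least significant 6 bits come out first
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)

def md5crypt(password: str, salt: str) -> str:
    """Standard md5crypt ($1$) as used by Unix crypt(3) and by IOS 'secret 5'."""
    pw, sl, magic = password.encode(), salt.encode()[:8], b"$1$"
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + magic + sl)
    remaining = len(pw)
    while remaining > 0:              # mix in alt, up to 16 bytes per 16 bytes of password
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                        # the original's "bits of the length" quirk
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):             # fixed 1000-round stretching loop
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return (magic + sl + b"$" + enc + _to64(final[11], 2)).decode("ascii")

def verify_type5(stored: str, candidate: str) -> bool:
    """Constant-time check of a candidate password against a 'secret 5' string."""
    m = re.fullmatch(r"\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22}", stored)
    if not m:
        raise ValueError("not a type 5 ($1$) hash")
    return hmac.compare_digest(md5crypt(candidate, m.group(1)), stored)

def new_type5(password: str) -> str:
    """Generate a 'secret 5' value with a fresh 4-character salt, as IOS does."""
    return md5crypt(password, "".join(secrets.choice(_ITOA64.decode()) for _ in range(4)))

_CRED_LINE = re.compile(r"^(?:username (\S+) |enable )(?:secret|password) (\d) (\S+)$")

def audit_credentials(config: str) -> list:
    """Return (subject, type, verdict) for every username/enable credential line."""
    rows = []
    for raw in config.splitlines():
        m = _CRED_LINE.match(raw.strip())
        if not m:
            continue
        user, ptype, value = m.groups()
        subject = f"username {user}" if user else "enable"
        if ptype == "7":
            verdict = f"reversible, plaintext is {decode_type7(value)!r}"
        else:
            verdict = {"0": "cleartext", "5": "MD5 (md5crypt) one-way hash"}.get(ptype, f"type {ptype}")
        rows.append((subject, ptype, verdict))
    return rows

# Constructed sample; the type 5 values are generated here, not copied from a real device.
SAMPLE_CONFIG = "\n".join([
    f"username admin secret 5 {md5crypt('S3cure-Adm1n', 'mERr')}",
    "username ops password 7 094F471A1A0A",   # the classic example string, decodes to 'cisco'
    f"enable secret 5 {md5crypt('Enabl3-Pa55', 'Ab3d')}",
])

if __name__ == "__main__":
    for subject, ptype, verdict in audit_credentials(SAMPLE_CONFIG):
        print(f"{subject:16} type {ptype}: {verdict}")
```

Run it on a saved running-config instead of SAMPLE_CONFIG to see at a glance which accounts still carry type 7 (or type 0) passwords; for the type 5 lines, verify_type5 is what an offline dictionary check does, which is why the later type 8 and 9 algorithms exist.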

Question 14

Which statement is true about configuring access control lists to control Telnet traffic
destined to the router itself?

  • A. The ACL is applied to the Telnet port with the ip access-group command.
  • B. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
  • C. The ACL applied to the vty lines has no in or out option, unlike an ACL applied to an interface.
  • D. The ACL must be applied to each vty line individually.

Answer : B

Explanation: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-cntrl-acc-vtl.html

Controlling Access to a Virtual Terminal Line. You can control who can access the virtual terminal lines (vtys) to a router by applying an access list to inbound vtys. You can also control the destinations that the vtys from a router can reach by applying an access list to outbound vtys.

Benefits of Controlling Access to a Virtual Terminal Line. By applying an access list to an inbound vty, you can control who can access the lines to a router. By applying an access list to an outbound vty, you can control the destinations that the lines from a router can reach.

On the vty lines the access list is applied with the access-class command (with the in or out keyword) under line configuration, not with ip access-group, which applies only to interfaces; apply it to every vty line, since an attacker will connect to whichever line is left unfiltered.
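Questions 4 and 14 (together with the aaa new-model prerequisite from Question 5 and the type 7 weakness from Question 12) list conditions that the CCP Security Audit and One-Step Lockdown detect on a router. The following Python script is an added example, not part of this page and not Cisco's audit code: it runs those checks offline over a saved running-config and reports a missing enable secret, TCP small servers enabled, CEF disabled, aaa new-model missing, service password-encryption missing, reversible type 7 passwords, and any vty line without an inbound access-class that references a defined ACL. The "weak" and "hardened" configurations are constructed for the example (the secret 5 strings in the hardened one are sample values, not real credentials); the tcp-small-servers and ip cef checks assume the running-config shows those lines the way most IOS platforms do, and the type 7 check only flags, it does not decode.

```python
# Offline audit of a running-config for the items the page's questions name: enable secret,
# TCP small servers, CEF, aaa new-model, type 7 passwords, and inbound access-class on vty lines.
import re

_ACL_DEF = re.compile(r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+) )")
_TYPE7 = re.compile(r"\bpassword 7 \S+$")


def _parse(config: str):
    """Return (top-level lines, all lines, vty blocks as (header, children))."""
    top, all_lines, vty_blocks, current = [], [], [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):                 # indented: belongs to the open block
            all_lines.append(line.strip())
            if current is not None:
                current[1].append(line.strip())
            continue
        top.append(line)
        all_lines.append(line)
        if line.startswith("line vty "):
            current = (line, [])
            vty_blocks.append(current)
        else:
            current = None                       # other blocks (interfaces, con, ACL bodies) are not audited
    return top, all_lines, vty_blocks


def audit_config(config: str) -> list:
    """Return a list of (check_id, message); an empty list means every check passed."""
    top, all_lines, vty_blocks = _parse(config)
    findings = []
    if not any(l.startswith("enable secret ") for l in top):
        findings.append(("enable-secret", "no enable secret configured"))
    # Assumption: 'service tcp-small-servers' appears in running-config only when enabled.
    if "service tcp-small-servers" in top:
        findings.append(("tcp-small-servers", "TCP small servers are enabled"))
    # Assumption: 'ip cef' appears in running-config when CEF is enabled on the platform.
    if "no ip cef" in top or "ip cef" not in top:
        findings.append(("ip-cef", "Cisco Express Forwarding is not enabled"))
    if "aaa new-model" not in top:
        findings.append(("aaa", "aaa new-model not configured (required before parser views)"))
    if "service password-encryption" not in top:
        findings.append(("pwd-encryption", "service password-encryption is not set"))
    for line in all_lines:
        if _TYPE7.search(line):
            findings.append(("type7", f"reversible type 7 password: {line}"))
    acls = set()
    for line in top:
        m = _ACL_DEF.match(line)
        if m:
            acls.add(m.group(1) or m.group(2))
    for header, children in vty_blocks:
        classes = [c for c in children if c.startswith("access-class ")]
        if not classes:
            findings.append(("vty-access-class", f"{header}: no access-class applied"))
        for text in classes:                     # access-class <acl> in|out
            parts = text.split()
            if len(parts) < 3 or parts[2] != "in":
                findings.append(("vty-access-class", f"{header}: '{text}' does not filter inbound sessions"))
            elif parts[1] not in acls:
                findings.append(("vty-access-class", f"{header}: access-class references undefined ACL {parts[1]}"))
    return findings


# Constructed "before" configuration carrying the weaknesses the checks look for.
WEAK_CONFIG = """\
service tcp-small-servers
no service password-encryption
hostname R1
no aaa new-model
no ip cef
username ops password 7 094F471A1A0A
access-list 10 permit 10.1.1.0 0.0.0.255
line con 0
 password 7 0822455D0A16
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 password 7 0822455D0A16
 transport input telnet
end
"""

# Constructed "after" configuration; the secret 5 strings are sample values, not real credentials.
HARDENED_CONFIG = """\
service password-encryption
no service tcp-small-servers
hostname R1
aaa new-model
ip cef
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
ip access-list standard MGMT
 permit 10.1.1.0 0.0.0.255
line con 0
 login local
line vty 0 15
 access-class MGMT in
 transport input ssh
 login local
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"== {name}: {len(result)} finding(s)")
        for check, msg in result:
            print(f"  [{check}] {msg}")
```

The vty check mirrors option B of the question: a second `line vty 5 15` block without an access-class is reported even though `line vty 0 4` is filtered, and an access-class whose ACL is not defined anywhere in the config is reported too, since IOS silently permits everything when a referenced ACL does not exist.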

Question 15

When configuring role-based CLI on a Cisco router, which step is performed first?

  • A. Log in to the router as the root user.
  • B. Create a parser view called "root view."
  • C. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command.
  • D. Enable the root view on the router.
  • E. Enable AAA authentication and authorization using the local database.
  • F. Create a root local user in the local database.

Answer : D

Explanation: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

Role-Based CLI Access. The Role-Based CLI Access feature allows the network administrator to define "views," which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.

Configuring a CLI View. Prerequisites: before you create a view, you must perform the following tasks:

  • Enable AAA via the aaa new-model command. (For more information on enabling AAA, see the chapter "Configuring Authentication" in the Cisco IOS Security Configuration Guide, Release 12.3.)
  • Ensure that your system is in root view, not privilege level 15.

SUMMARY STEPS
1. enable view
2. configure terminal
3. parser view view-name
4. secret 5 encrypted-password
5. commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
6. exit
7. exit
8. enable [privilege-level] [view view-name]
9. show parser view [all]

DETAILED STEPS
Step 1 enable view (Router> enable view): enables root view.
