CCIE Security FAQ Network Security Policies, Vulnerabilities, and Protection


Q1. A remote user tries logging into a remote network but fails after three additional tries and is disconnected. What useful information should the network administrator gather? (Select the best two answers.)
a. Username
b. Invalid password
c. Invalid username
d. Valid username

Answer: b and c
Explanation: Network administrators need the invalid username (because it is not an allowable username) and the invalid password that was used, to see whether the intruder is using a text-based algorithm to generate passwords.

Q2. What is the first step that should be implemented in securing any network?
a. Create a database of secure passwords.
b. Create the IP address scheme.
c. Run NetRanger or NetSonar.
d. Define a security policy.
e. Configure access lists on all routers.

Answer: d
Explanation: The first step in securing any network must be to define the security policy.

Q3. What primary security method can be designed and deployed to secure and protect any IP network after an attack has been documented?
a. Security policy
b. IP policy
c. Countermeasures
d. Measurement
e. Logging passwords

Answer: c
Explanation: Countermeasures should be in place in every IP network. For example, back up sensitive data or application software and apply all the required patches.

Q4. A security administrator notices that a log file stored on a local router has increased in size from 32 k to 64 k in a matter of seconds. What should the network administrator do?
a. Increase the buffer to 64 k.
b. Decrease the buffer to 16 k.
c. Log the event as suspicious and notify the incident response team.
d. Nothing, this is normal.
e. Both a and b are correct.

Answer: c
Explanation: Any log file that increases (more data to view) or decreases (for example, cleared by the intruder to hide his actions) should be regarded as suspicious activity.

Q5. What is the primary responsibility of CERT/CC?
a. Define access lists for use on routers
b. Set security standards
c. Coordinate attacks on secure networks
d. Maintain a security standard for networks
e. Nothing to do with security

Answer: d
Explanation: CERT/CC's primary responsibility is to aid in the security of any public network; see the CERT/CC website for more details.

Q6. Who can use network scanners and probes? (Select the best two answers.)
a. Intruders
b. Security managers
c. End users
d. Cable service providers

Answer: a and b
Explanation: Network scanners are used by intruders just as network administrators use them.

Q7. What is a bastion host?
a. Firewall device supported by Cisco only
b. Network’s last line of defense
c. Network’s first line of defense
d. IP host device designed to route IP packets

Answer: c
Explanation: Bastion hosts are typically the first line of defense. Sometimes, they are sacrificed because they are typically public domain servers and can be quickly restored using backup methods.

Q8. A TCP SYN attack is what type of attack?
b. DoS
c. Telnet/Kerberos attack
d. Ping attack only

Answer: b
Explanation: A TCP SYN attack is a form of denial-of-service attack.

Q9. When an intruder sends a large amount of ICMP echo (ping) traffic using IP broadcasts, this type of DoS attack is known as what?
a. Bastion
b. Land.C
c. Man in the middle
d. Smurf
e. Ping of death

Answer: d
Explanation: A Smurf attack sends large ICMP or ping requests via a broadcast address, ensuring that all devices on the remote network respond and enabling the intruder to list the IP addresses that are connected to the network for further DoS-based attacks.

Q10. What kind of attack sends a large ICMP echo request packet with the intent of overflowing the input buffers of the destination machine and causing it to crash?
a. Ping of death
b. Smurf
c. Land.C
d. Man in the middle
e. Birthday attack

Answer: a
Explanation: A ping of death sends a large number of ICMP echo request packets, causing the end device to overflow, and can cause a remote server to stop functioning for legitimate requests.

Q11. In the context of intrusion detection, what is an exploit signature?
a. DoS attack
b. An attack that is recognized and detected on the network
c. The same as a Smurf attack
d. The same as a man in the middle attack

Answer: b
Explanation: An exploit signature is an attack that is readily detected.

Q12. To stop spam e-mail from overwhelming an e-mail server, what step can you take?
a. Ask the ISP for help.
b. Nothing, because spam e-mail is too difficult to stop to be worth the effort.
c. Install an intrusion detection system that has a signature for spam e-mail.
d. Nothing, because the client software takes care of this.
e. Change the IOS code.
f. Configure the bastion host to stop spam e-mail.

Answer: c
Explanation: Spam e-mail can be controlled with an IDS server.

Q13. Define four reasons networks should be secured.

Answer: IP networks must provide a network security policy for the following reasons:

Inherent technology weaknesses—All network devices and operating systems have inherent vulnerabilities.

Configuration weaknesses—Common configuration mistakes can be exploited to open weaknesses.

Security policy vulnerabilities—The lack of security policies can lead to vulnerabilities, such as password security.

Outside/inside intruders—There are always internal and external people wanting to exploit network resources and retrieve sensitive data.

Q14. What is the function of the CERT/CC organization, and what are its primary objectives?

Answer: The CERT Coordination Center (CERT/CC) is a center of Internet security expertise, located at the Software Engineering Institute, a U.S. federally funded research and development center operated by Carnegie Mellon University. CERT/CC provides information ranging from protecting your networks from potential problems, to reacting to current problems, to predicting and preparing for future problems. Work involves handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, developing information, and even providing training to help you improve security. CERT/CC does not concern itself with the individual or where the intruder is physically located, but ideally tries to restore and prevent similar attacks in the future. CERT/CC is regarded as the industry leader in security concerns.

Q15. What are the primary steps completed by incident response teams?

Answer: Incident response teams do the following:

Verify the incident.

Determine the magnitude of the incident (hosts affected and how many).

Assess the damage (for example, if public servers have been modified).

Gather and protect the evidence.

Q16. Name common methods used by intruders to disrupt a secure network.

Answer: Intruders can use the following methods (and many more):

Session hijacking—The intruder defines himself with a valid IP address after a session has been established to the real IP address by spoofing IP packets and manipulating the sequence number in an IP packet.

Rerouting—Packets from one source are routed to an intruder source. Routing updates are altered to send IP packets to an incorrect destination, allowing the intruder to read and use the IP data inappropriately.

Denial-of-service (DoS) attacks—A service attack that is used in an attempt to deny legitimate users access to a network they have full rights to.

Probes and scans.

Malicious code.

Q17. In security, what is session hijacking?

Answer: Session hijacking is where the intruder defines himself with a valid IP address after a session has been established to the real IP address by spoofing IP packets and manipulating the sequence number in an IP packet.

Q18. In security terms, what is a man in the middle attack?

Answer: Just as with packet sniffers and IP spoofing attacks, a brute-force password attack can provide access to accounts that can be used to modify critical network files and services. An example that compromises your network’s integrity is an attacker modifying your network’s routing tables. By doing so, the attacker ensures that all network packets are routed to him before they are transmitted to their final destination. In such a case, an attacker can monitor all network traffic, effectively becoming a man in the middle.

Q19. What is a Signature Engine?

Answer: A Signature Engine is a component designed to support many signatures in a certain category. An engine is composed of a parser and an inspector. Each engine has a set of legal parameters that have allowable ranges or sets of values. Exploit signatures are an identifiable pattern of attack.

Q20. What is social engineering?

Answer: Social engineering is the act of tricking or coercing employees into providing information, such as usernames or mail user identifications and even passwords. First-level phone support personnel are typically called by intruders pretending to work for the company to gain valuable information.

Q21. Describe a ping of death attack.

Answer: A ping of death occurs when a large number of ICMP echo request packets cause the end device to overflow. For example, a ping of death can cause a remote server to stop functioning for legitimate requests.

Q22. What is a Land.C attack?

Answer: A Land.C attack is a program designed to send TCP SYN packets (TCP SYN is used in the TCP connection phase) that specify the target's host address as both source and destination. This program can use TCP port 113 or 139 (source/destination), which can also cause a system to stop functioning.
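The three packet-level DoS patterns in this FAQ (Smurf in Q9, ping of death in Q10 and Land.C in Q22) can each be recognised from a few IP, ICMP and TCP header fields, which is how an IDS signature or a router-side check identifies them. The Python below is an added example, not code from the FAQ or from Cisco; the Packet record shape, the classify and scan names and the TEST-NET sample addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_IP_DATAGRAM = 65535  # largest legal IPv4 total length

@dataclass(frozen=True)
class Packet:
    """Only the header fields the checks need (assumed record shape, not a capture format)."""
    src: str
    dst: str
    proto: str            # "icmp" or "tcp"
    icmp_type: int = -1   # 8 = echo request
    tcp_flags: str = ""   # "S" when SYN is set
    total_len: int = 0    # reassembled IP datagram length in bytes

def classify(pkt, local_nets):
    """Name the DoS pattern a packet matches, or None.
    land: TCP SYN whose source and destination addresses are identical (Land.C).
    ping-of-death: ICMP echo request reassembled to more than 65535 bytes.
    smurf: ICMP echo request to the directed-broadcast address of one of our
    networks, so every host on it answers the (spoofed) source.
    """
    if pkt.proto == "tcp" and "S" in pkt.tcp_flags and pkt.src == pkt.dst:
        return "land"
    if pkt.proto == "icmp" and pkt.icmp_type == 8:
        if pkt.total_len > MAX_IP_DATAGRAM:
            return "ping-of-death"
        if any(ip_address(pkt.dst) == net.broadcast_address for net in local_nets):
            return "smurf"
    return None

def scan(packets, local_nets):
    """Count matches per pattern; clean traffic contributes nothing."""
    findings = {}
    for pkt in packets:
        name = classify(pkt, local_nets)
        if name is not None:
            findings[name] = findings.get(name, 0) + 1
    return findings

# Constructed sample traffic on documentation (TEST-NET) addresses.
LOCAL_NETS = [ip_network("192.0.2.0/24")]
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.255", "icmp", icmp_type=8, total_len=84),    # smurf
    Packet("198.51.100.7", "192.0.2.10", "icmp", icmp_type=8, total_len=84),     # ordinary ping
    Packet("198.51.100.7", "192.0.2.10", "icmp", icmp_type=8, total_len=65540),  # ping of death
    Packet("192.0.2.10", "192.0.2.10", "tcp", tcp_flags="S", total_len=40),      # land
    Packet("198.51.100.7", "192.0.2.10", "tcp", tcp_flags="S", total_len=40),    # ordinary SYN
]
```

Running scan(SAMPLE, LOCAL_NETS) flags one packet of each pattern and ignores the ordinary ping and SYN.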

Q23. What does the following IOS code accomplish on a Cisco IOS router?

Answer: These commands disable the minor TCP/UDP servers. When the minor TCP/IP servers are disabled, access to the Echo, Discard, Chargen, and Daytime ports causes the Cisco IOS Software to send a TCP Reset packet to the sender and discard the original incoming packet. When these commands are entered in global configuration mode, they do not display when you view the configuration (show running-config or write terminal) because the default is to disable TCP/UDP small servers. Unlike Cisco switches, Cisco IOS Software does not display default configuration.

Q24. What is the secret password for the following IOS configuration?

Answer: Secret passwords are encrypted using the MD5 hashing algorithm, so you cannot decipher the secret password, which overrides the enable password.

Q25. What is the purpose of the command service sequence-numbers?

Answer: Essentially, this command enables your syslog entries to be numbered and ensures that they are not tampered with by external sources.
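The sequence numbers only help if something on the collector checks them. As an added example (not from the FAQ or from Cisco), the Python below walks a constructed syslog feed in the shape IOS emits once service sequence-numbers and service timestamps log datetime msec are enabled and reports counters that are missing, duplicated or out of order; the sample messages and the check_sequence name are assumptions.

```python
import re

# Constructed sample feed (not a real capture): a six-digit counter, then the
# timestamp, then the message, as IOS writes it with sequence numbers enabled.
SAMPLE_LOG = """\
000010: *Mar  1 00:01:00.000: %SYS-5-CONFIG_I: Configured from console by vty0
000011: *Mar  1 00:01:05.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7]
000014: *Mar  1 00:01:20.000: %SYS-5-CONFIG_I: Configured from console by vty0
000013: *Mar  1 00:01:18.000: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to down
000015: *Mar  1 00:01:30.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.5 started
000011: *Mar  1 00:01:05.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7]
"""

SEQ_RE = re.compile(r"^(\d{6}):\s")  # the leading counter added by service sequence-numbers

def check_sequence(text):
    """Report sequence-number anomalies in one router's syslog feed.
    missing: counters never seen between the lowest and highest observed
             (messages lost in transit or deleted at the collector).
    out_of_order: counters that arrived after a higher one (reordering, or
             a message inserted late).
    duplicates: counters seen twice (replay or double forwarding).
    """
    seqs = [int(m.group(1)) for m in map(SEQ_RE.match, text.splitlines()) if m]
    out_of_order, duplicates, observed = [], [], set()
    highest = None
    for seq in seqs:
        if seq in observed:
            duplicates.append(seq)
        elif highest is not None and seq < highest:
            out_of_order.append(seq)
        observed.add(seq)
        highest = seq if highest is None else max(highest, seq)
    missing = sorted(set(range(min(observed), max(observed) + 1)) - observed) if observed else []
    return {"missing": missing, "out_of_order": out_of_order, "duplicates": duplicates}
```

On the sample feed the check reports counter 12 as missing, 13 as arriving out of order and 11 as duplicated; a gap at the start or end of a feed, after a reload, is normal, so the result should be read against the router's uptime.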
