CCIE Security FAQ Security Protocols



Q1. What are the three components of AAA? (Choose the three best answers.)
a. Accounting
b. Authorization
c. Adapting
d. Authentication

Answer: a, b, and d
Explanation: AAA is used for authentication, authorization, and accounting. Answer c is incorrect because adapting is not part of the security options available with AAA.

Q2. What IOS command must be issued to start AAA on a Cisco router?
a. aaa old-model
b. aaa model
c. aaa new model
d. aaa new-model
e. aaa new_model

Answer: d
Explanation: The aaa new-model command starts authentication, authorization and accounting (AAA). Answers a, b, and c are incorrect because they represent invalid IOS commands.

Q3. What algorithm initiates and secures a session between two routers by exchanging keys between the two encryption devices?
a. Routing algorithm
b. Diffie-Hellman algorithm
c. The switching engine
d. The stac compression algorithm

Answer: b
Explanation: When using encryption between two routers, the Diffie-Hellman algorithm is used to exchange keys. This algorithm initiates the session between two routers and ensures that it is secure. Answer a is incorrect because the routing algorithm is used for routing, not for encryption. Answer c is incorrect because a switching engine is used to switch frames and has nothing to do with encryption. Answer d is incorrect because the stac compression algorithm is used by PPP; it compresses data on a PPP WAN link.


Q4. Can you configure RADIUS and TACACS+ concurrently on a Cisco IOS router?
a. No.
b. Yes, provided you have the same list names applied to the same interfaces.
c. Yes, provided you have different list names applied to the same interfaces.
d. Yes, provided you have different list names applied to different interfaces.

Answer: d
Explanation: List names and interfaces must be different.


Q5. How do you enable RADIUS server debug messages for Cisco Secure on a UNIX server?
a. Terminal monitor
b. Edit the configuration file on the router
c. Edit the syslog.conf and csu.cfg files
d. Not possible, as UNIX does not run IOS

Answer: c
Explanation: You can enable debugging on a UNIX host running Cisco Secure by editing the syslog.conf and csu.cfg files.

Q6. What RADIUS attribute is used by vendors and not predefined by RFC 2138?
a. 1
b. 2
c. 3
d. 4
e. 13
f. 26
g. 333
h. 33

Answer: f
Explanation: Attribute 26 is a vendor-specific attribute. Cisco uses vendor ID 9.

Q7. RADIUS can support which of the following protocols?
a. PPP
b. OSPF
c. AppleTalk
d. IPX
e. NLSP

Answer: a
Explanation: RADIUS supports PPP and none of the multiprotocols listed in options b, c, d, or e.

Q8. When a RADIUS server identifies a wrong password entered by a remote user, what packet type is sent?
a. Accept-user
b. Reject-users
c. Reject-deny
d. Reject-accept
e. Reject-Error
f. Access-reject

Answer: f
Explanation: RADIUS sends an Access-Reject packet if the password entered is invalid.

Q9. Identify the false statement about RADIUS.
a. RADIUS is a defined standard in RFC 2138/2139.
b. RADIUS runs over TCP port 1812.
c. RADIUS runs over UDP port 1812.
d. RADIUS accounting information runs over port 1646.

Answer: b
Explanation: RADIUS does not deploy TCP.

Q10. What is the RADIUS key for the following configuration? If this configuration is not valid, why isn’t it?

a. IlovemyMum
b. Ilovemymum
c. This configuration will not work because the command aaa new-model is missing.
d. 3.3.3.3

Answer: c
Explanation: Because aaa new-model is not configured, this is not a valid configuration and no requests will be sent to the RADIUS server.

Q11. What is the RADIUS key for the following configuration?

a. IlovemyMum
b. Ilovemymum
c. This configuration will not work
d. 3.3.3.3

Answer: a
Explanation: The key is case-sensitive; the IOS command, radius-server key IlovemyMum, defines the key as IlovemyMum.

Q12. What versions of TACACS does Cisco IOS support? (Select the best three answers.)
a. TACACS+
b. TACACS
c. Extended TACACS
d. Extended TACACS+

Answer: a, b, and c
Explanation: There is no Cisco Extended TACACS+ support.

Q13. TACACS+ is transported over which TCP port number?
a. 520
b. 23
c. 21
d. 20
e. 49

Answer: e

Q14. What is the predefined TACACS+ server key for the following configuration?

a. 3.3.3.3
b. Not enough data
c. CCIESROCK
d. CCIEsRock
e. CCIEsrock

Answer: e
Explanation: The key is case-sensitive and is defined by the IOS command, radius-server key CCIEsrock.

Q15. What does the following command accomplish?

a. Defines the remote TACACS+ server as 3.3.3.3
b. Defines the remote RADIUS server as 3.3.3.3
c. Not a valid IOS command
d. 3.3.3.3
e. Host unknown; no DNS details for 3.3.3.3 provided

Answer: c
Explanation: The IOS command to define a remote TACACS+ server is tacacs-server host ip-address.

Q16. Which of the following protocols does TACACS+ support?
a. PPP
b. AppleTalk
c. NetBIOS
d. All the above

Answer: d
Explanation: TACACS+ has multiprotocol support for PPP, AppleTalk, NetBIOS and IPX.

Q17. Kerberos is defined at what layer of the OSI model?
a. Layer 1
b. Layer 2
c. Layer 3
d. Layer 4
e. Layer 5
f. Layer 6
g. Layer 7

Answer: g
Explanation: Kerberos is an application layer protocol defined at Layer 7 of the OSI model.

Q18. What definition best describes a key distribution center when Kerberos is applied to a network?
a. A general term that refers to authentication tickets
b. An authorization level label for Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server
e. A Kerberos server and database program running on a network host

Answer: e
Explanation: The KDC is a server and database program running on a network host.

Q19. What definition best describes a Kerberos credential?
a. A general term that refers to authentication tickets
b. An authorization level label for Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server
e. A Kerberos server and database program running on a network host

Answer: a
Explanation: A credential is a general term that refers to authentication tickets, such as ticket granting tickets (TGTs) and service credentials. Kerberos credentials verify the identity of a user or service. If a network service decides to trust the Kerberos server that issued a ticket, it can be used in place of retyping a username and password. Credentials have a default lifespan of eight hours.

Q20. What definition best describes Kerberized?
a. A general term that refers to authentication tickets
b. An authorization level label for Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server
e. A Kerberos server and database program running on a network host

Answer: c
Explanation: Kerberized refers to applications and services that have been modified to support the Kerberos credential infrastructure.

Q21. What definition best describes a Kerberos realm?
a. A general term that refers to authentication tickets
b. An authorization level label for the Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server
e. A Kerberos server and database program running on a network host

Answer: d
Explanation: The Kerberos realm is also used to map a DNS domain to a Kerberos realm.

Q22. What IOS command enables VPDN in the global configuration mode?
a. vpdn-enable
b. vpdn enable
c. vpdn enable in interface mode
d. Both a and c are correct

Answer: b
Explanation: To enable VPDN in global configuration mode, the correct IOS command is vpdn enable.

Q23. What is the number of bits used with a standard DES encryption key?
a. 56 bits
b. 32 bits; same as IP address
c. 128 bits
d. 256 bits
e. 65,535 bits
f. 168 bits

Answer: a
Explanation: DES applies a 56-bit key. The documented time taken to discover the 56-bit key is 7 hours on a Pentium III computer, so DES is not a common encryption algorithm used in today’s networks.

Q24. What is the number of bits used with a 3DES encryption key?
a. 56 bits
b. 32 bits; same as IP address
c. 128 bits
d. 256 bits
e. 65,535 bits
f. 168 bits

Answer: f
Explanation: Triple DES (3DES) is today’s standard encryption with a 168-bit key.

Q25. In IPSec, what encapsulation protocol only encrypts the data and not the IP header?
a. ESP
b. AH
c. MD5
d. HASH
e. Both a and b are correct

Answer: a
Explanation: ESP only encrypts the data, not the IP header.

Q26. In IPSec, what encapsulation protocol encrypts the entire IP packet?
a. ESH
b. AH
c. MD5
d. HASH
e. Both a and b are correct

Answer: b
Explanation: AH encrypts the entire IP packet. The time to live (TTL) is not encrypted because this value decreases by one (1) every time a router is traversed.

Q27. Which of the following is AH’s destination IP port?
a. 23
b. 21
c. 50
d. 51
e. 500
f. 444

Answer: d
Explanation: The AH destination port number is 51.

Q28. Which of the following is ESP’s destination IP port?
a. 23
b. 21
c. 50
d. 51
e. 500
f. 444

Answer: c
Explanation: The ESP destination IP port number is 50.

Q29. Which of the following is not part of IKE phase I negotiations?
a. Authenticating IPSec peers
b. Exchanges keys
c. Establishes IKE security
d. Negotiates SA parameters

Answer: d
Explanation: IKE phase II negotiates SA parameters.

Q30. Which of the following is not part of IKE phase II?
a. Negotiates IPSec SA parameters
b. Periodically updates IPSec SAs
c. Rarely updates SAs (at most, once a day)
d. Establishes IPSec security parameters

Answer: c
Explanation: IKE phase II updates SAs at periodically defined intervals.

Q31. Which is the faster mode in IPSEC?
a. Main mode
b. Fast mode
c. Aggressive mode
d. Quick mode

Answer: c
Explanation: Aggressive mode is faster than Main mode but is less secure. They can both occur in Phase I. Phase II only has Quick mode. Fast mode does not exist in the IPSec standard set of security protocols.

Q32. Certificate Enrollment Process (CEP) runs over what TCP port number? (Choose the best two answers.)
a. Same as HTTP
b. Port 80
c. Port 50
d. Port 51
e. Port 333
f. Port 444

Answer: a and b
Explanation: CEP uses the same port as HTTP, port 80.

Q33. Define the AAA model and a typical application on a Cisco IOS router.

Answer: Authentication, authorization, and accounting (pronounced triple A) provides security to Cisco IOS routers and network devices beyond the simple user authentication available on IOS devices.

AAA provides a method to identify which users are logged into a router and each user’s authority level. AAA also provides the capability to monitor user activity and provide accounting information.

Typically, AAA is used to authenticate and authorize Cisco IOS commands, and provides accounting information to the network administrator.

Q34. Can you allow a remote user authorization before the user is authenticated with AAA?

Answer: Before authorization occurs, the remote user must be authenticated. Cisco IOS routers allow you to configure AAA authorization, but no access will be permitted until the remote user is authenticated.

Q35. What IOS command is required when enabling AAA for the first time?
Answer: aaa new-model must be entered globally before additional IOS commands are entered.

Q36. What is the privilege level of the following user? Assume AAA is not configured.

Answer: The privilege level ranges from 0 to 15 (the higher the level, the more commands are available). Because the user is not in PRIV exec mode, the default privilege level for an EXEC user is 1. Only basic show commands are available in priv level 1.

Q37. Define four possible RADIUS responses when authenticating the user through a RADIUS server.

Answer: The four possible responses are as follows:

  • ACCEPT—The user is authenticated.
  • REJECT—The user is not authenticated and is prompted to reenter the username and password, or access is denied. The RADIUS server sends this response when the user enters an invalid username/password pairing.
  • CHALLENGE—The RADIUS server issues a challenge. The challenge collects additional data from the user.
  • CHANGE PASSWORD—The RADIUS server issues a request asking the user to select a new password.

Q38. What are RADIUS attributes? Supply five common examples.

Answer: RADIUS supports a number of predefined attributes that can be exchanged between client and server, such as the client’s IP address. RADIUS attributes carry specific details about authentication.

RFC 2138 defines a number of RADIUS predefined attributes.

The following bulleted list provides details of the most common attributes:

  • Attribute type 1—Username (defined usernames can be numeric, simple ASCII characters, or an SMTP address)
  • Attribute type 2—Password (defines the password; passwords are encrypted using MD5)
  • Attribute type 3—CHAP Password (only used in access-request packets)
  • Attribute type 4—NAS IP address (defines the NAS server’s IP address; only used in access-request packets)
  • Attribute type 5—NAS port (not UDP port number); and indicates that the NAS’s physical port number ranges from 0 to 65535
  • Attribute type 6—Service-type (type of service requested or type of service to be provided); for Cisco devices is Callback and is not supported
  • Attribute type 7—Protocol (defines what framing is required; for example, PPP is defined when this attribute is set to 1, SLIP is 2)
  • Attribute type 8—IP address (defines the IP address to be used by the remote user)
  • Attribute type 9—IP subnet mask (defines the subnet mask to be used by the remote user)
  • Attribute type 10—Routing
  • Attribute type 13—Compression
  • Attribute type 19—Callback number
  • Attribute type 20—Callback ID
  • Attribute type 26—Vendor-specific (Cisco [vendor-ID 9] uses one defined option, vendor type 1, named cisco-avpair)

Q39. What protocols does RADIUS use when sending messages between the server and client?

Answer: RADIUS transports through UDP destination port number 1812.

Q40. What predefined destination UDP port number is RADIUS accounting information sent to?

Answer: UDP port 1646

Q41. What does the following command accomplish on a Cisco IOS router?

Answer: The aaa authentication ppp user-radius if-needed group radius command configures the Cisco IOS software to use RADIUS authentication for lines using PPP with CHAP or PAP, if the user has not already been authorized. If the EXEC facility has authenticated the user, RADIUS authentication is not performed. User-radius is the name of the method list that defines RADIUS as the if-needed authentication method.

Q42. What is the RADIUS server IP address and key for the following configuration?

Answer: The radius-server host command defines the RADIUS server host’s IP address. The IP address is 3.3.3.3.

The radius-server key command defines the shared secret text string between the NAS and the RADIUS server host. The key is case-sensitive like all passwords on Cisco IOS devices, so the key is defined as GuitarsrocKthisplaneT.

Q43. TACACS+ is transported over what TCP destination port number?

Answer: TCP port 49

Q44. What information is encrypted between a Cisco router and a TACACS+ server?

Answer: All data communication between TACACS+ devices is encrypted, excluding the IP header.

Q45. What are the four possible packet types from a TACACS+ server when a user attempts to authenticate a Telnet session to a Cisco router configured for AAA, for example?

Answer: The four packet types are as follows:

  • ACCEPT—The user is authenticated and service can begin. If the network access server is configured to require authorization, authorization will begin at this time.
  • REJECT—The user has failed to authenticate. The user can be denied further access or will be prompted to retry the login sequence, depending on the TACACS+ daemon.
  • ERROR—An error occurred at some time during authentication. This can be either at the daemon or in the network connection between the daemon and the NAS. If an ERROR response is received, the network access server typically tries to use an alternative method for authenticating the user.
  • CONTINUE—The user is prompted for additional authentication information.

Q46. What is the significance of the sequence number in the TACACS+ frame format?

Answer: The sequence number is the number of the current packet flow for the current session. The sequence number starts with 1 and each subsequent packet will increment by one. The client only sends odd numbers. TACACS+ servers only send even numbers.

Q47. What does the following IOS command accomplish?

Answer: The aaa authentication command defines a method list, “default,” to be used on serial interfaces running PPP. The keyword default means that PPP authentication is applied by default to all interfaces. The if-needed keyword means that if the user has already authenticated through the ASCII login procedure, PPP authentication is not necessary and can be skipped. If authentication is needed, the keyword group tacacs+ means that authentication will be done through TACACS+. If TACACS+ returns an ERROR during authentication, the keyword local indicates that authentication will be attempted using the local database on the NAS.

Q48. What IOS command defines the remote TACACS+ server?

Answer: To define the TACACS+ server, the IOS command is tacacs-server host ip-address.

Q49. What are the major differences between TACACS+ and RADIUS?

Answer: The following list gives the major differences between TACACS+ and RADIUS.

  • Packet delivery—RADIUS: UDP. TACACS+: TCP.
  • Packet encryption—RADIUS: encrypts only the password in the access-request packet, from the client to the server. TACACS+: encrypts the entire body of the packet, but leaves a standard TACACS+ header.
  • AAA support—RADIUS: combines authentication and authorization. TACACS+: uses the AAA architecture, separating authentication, authorization, and accounting.
  • Multiprotocol support—RADIUS: none. TACACS+: supports other protocols, such as AppleTalk, NetBIOS, and IPX.
  • Router management—RADIUS: does not allow users to control which commands can be executed on a router. TACACS+: allows network administrators control over which commands can be executed on a router.

Q50. Kerberos is a third-party authentication protocol operating at what layer of the OSI model?

Answer: Kerberos is an application layer protocol, which operates at Layer 7 of the OSI model.

Q51. What delivery methods and destination ports does Kerberos support?

Answer: Kerberos supports both TCP and UDP, including the following port numbers:

  • TCP/UDP ports 88, 543, and 749
  • TCP ports 754, 2105, and 4444

Q52. What does the Kerberos realm define?

Answer: A Kerberos realm defines a domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service. Kerberos realms must always be in uppercase characters.

Q53. Applications that have been modified to support Kerberos credential infrastructures are known as what?

Answer: Kerberized.

Q54. Define the two steps required in an L2F connection terminating a PPP connection.

Answer: For L2F, the setup for tunneling a PPP session consists of two steps:

  • Step 1 Establish a tunnel between the NAS and the Home Gateway (HGW). The HGW is a Cisco router or access server (for example, an AS5300) that terminates VPDN tunnels and PPP sessions. This phase takes place only when no active tunnel exists between both devices.
  • Step 2 Establish a session between the NAS and the Home Gateway.

Q55. Define the two steps for setting up L2TP for tunneling a PPP connection.

Answer: For L2TP, the setup for tunneling a PPP session consists of two steps:

  • Step 1 Establish a tunnel between the LAC and the LNS. The LAC is an L2TP access concentrator that acts as one side of the L2TP tunnel endpoint and has a peer to the L2TP network server or LNS. This phase takes place only when no active tunnel exists between both devices.
  • Step 2 Establish a session between the LAC and the LNS.

Q56. What are the steps taken for a VPDN connection between a remote user and a remote LAN?

Answer: A VPDN connection between a remote user (router or via PSTN) and the remote LAN is accomplished in the following steps:

  • Step 1 The remote user initiates a PPP connection to the ISP using the analog telephone system or ISDN.
  • Step 2 The ISP network access server accepts the connection.
  • Step 3 The ISP network access server authenticates the end user with CHAP or PAP. The username determines whether the user is a VPDN client. If the user is not a VPDN client, the client accesses the Internet or other contacted service.
  • Step 4 The tunnel endpoints—the NAS and the home gateway—authenticate each other before any sessions are attempted within a tunnel.
  • Step 5 If no L2F tunnel exists between the NAS and the remote users’ home gateway, a tunnel is created. Once the tunnel exists, an unused slot within the tunnel is allocated.
  • Step 6 The home gateway accepts or rejects the connection. Initial setup can include authentication information required to allow the home gateway to authenticate the user.
  • Step 7 The home gateway sets up a virtual interface. Link-level frames can now pass through this virtual interface through the L2F or L2TP tunnel.

Q57. What are the three most common threats from intruders that network administrators face?

Answer: The most common attacks are as follows:

  • Packet snooping (also known as eavesdropping)—When intruders capture and decode traffic obtaining usernames, passwords, and sensitive data, such as salary increases for the year.
  • Theft of data—When intruders use sniffers, for example, to capture data over the network and steal that information for later use.
  • Impersonation—When an intruder assumes the role of a legitimate device but, in fact, is not legitimate.

Q58. What does the Digital Signature Standard (DSS) provide?

Answer: DSS is a mechanism that protects data from an undetected change while traversing the network. DSS verifies the identity of the person sending the data, just as a bank manager verifies the signature on your license.

Q59. What is hash in encryption terminology?

Answer: A hash is defined as the one-way mathematical summary of a message (data) such that the hash value cannot be easily reconstructed back into the original message.

Q60. Name the two modes of operation in IPSec and their characteristics.

Answer: The two modes are transport and tunnel mode.

  • Transport mode—Protects payload of the original IP datagram; typically used for end-to-end sessions.
  • Tunnel Mode—Protects the entire IP datagram by encapsulating the entire datagram in a new IP datagram.

Q61. What does IKE accomplish?

Answer: IKE negotiates and provides authenticated keys in a secure manner. IKE was developed by the company previously known as ISAKMP Oakley Key Resolution.

Q62. Certificate Enrollment Protocol is transported over what TCP port?

Answer: CEP is transported over TCP port 80 (same as HTTP).

Q63. The following debug output is seen on R1 after the network administrator pings remote network 131.108.100.1 from Router R2’s console port.

Why will the IPSec tunnel not negotiate properly?

Answer: The following debug output advises the network administrator of the problem:

During the IKE negotiation, the router reports a message that identifies the fault as the shared password. R2 is configured with the password CCIe (it should match R1’s pre-shared password, which is set to CCIE). See example 5-21, code line 7.

Changing the IKE password to CCIE with the IOS command, crypto isakmp key CCIE address 131.108.255.1, the following debug output confirms the IPSec connections by pinging from R2 Ethernet 0/0 IP address to R1 Ethernet 0/0 IP address:

The first Ping packet fails because the IPSec tunnel has not yet been created. Then, the IPSec tunnel is successfully brought up between R1 and R2.

Q64. What subnets will be encrypted between Routers R1 and R2?

Answer: Access-list 100 on both routers defines the IP subnets that need to be encrypted between R1 and R2. Packets flowing between subnets 131.108.100.0/24 and 131.108.200.0/24 will be encrypted.
R1’s ACL is as follows:
R2’s ACL is as follows:

Q65. What IOS command produced the following display and from which router?

Answer: The show crypto map IOS command displays the remote peer address and the transform set. The previous displays are taken from R1 because the remote peer address is displayed as 131.108.255.2 (R2’s serial 0/0 IP address).

Q66. Will Host A be able to communicate with Host B or Host C? The following displays are the IP routing tables on R1 and R2. (Assume the gateway configurations on the PCs are correct.)

R1’s IP routing table:

R2’s IP routing table:

Answer: Yes. IPSec has nothing to do with routing IP data; IPSec will encrypt only the data it is configured to encrypt. R1 has a remote entry to the network residing on R2, and R2 has a remote entry to the network residing on R1.

Here is a sample ping request from R2 to R1 and Host A and Host C:

Q67. To allow the IP subnet 131.108.101.0/24 attached to R1 Ethernet 0/1 interface to be encrypted over the IPSec tunnel and to communicate with the remote PC IP address 131.108.200.5, what configuration changes are required on which router?

Answer: Because the source network is located on R1, Access-list 100 on R1 needs to be modified, remembering that, by default, an implicit deny is defined on ACL 100. Network 131.108.101.0/24 is only permitted to encrypt traffic to the static IP address 131.108.200.5, hence the ACL line required on R1 becomes the following:

IP routing is already configured and working. IPSec will ensure only that IP data is encrypted.

About the author

Scott