CCNA Cyber Ops FAQ: NetFlow for Cybersecurity
Q1. Which of the following are some common uses of NetFlow? (Choose three.)
A. To see what is actually happening across the entire network
B. To identify DoS attacks
C. To quickly identify compromised endpoints and network infrastructure devices
D. To perform network scans to detect vulnerabilities
Q2. Flexible NetFlow, Cisco’s next-generation NetFlow, can track a wide range of Layer 2, IPv4, and IPv6 flow information. Which of the following are examples of that information? (Choose four.)
A. Source and destination IPv4 or IPv6 addresses
B. Source and destination ports
C. Packet and byte counts
D. Flow timestamps
F. Application ID
Answer: A, B, C, and D. Flexible NetFlow can track a wide range of Layer 2, IPv4, and IPv6 flow information, including the following:
- Source and destination MAC addresses
- Source and destination IPv4 or IPv6 addresses
- Source and destination ports
- Packet and byte counts
- Flow timestamps
- Input and output interface numbers
- TCP flags and encapsulated protocol (TCP/UDP)
- Sections of packet for deep packet inspection
- All fields in an IPv4 header
- All fields in an IPv6 header
- Routing information
Q3. NetFlow supports different types of cache. Which of the following are the NetFlow cache types? (Choose three.)
Q4. IPFIX is a flow standard based on what version of NetFlow?
A. Version 1
B. Version 5
C. Version 7
D. Version 9
Q5. What is one of the benefits of NetFlow templates?
A. Templates make flow records more organized and better structured.
B. Templates provide a vendor-neutral support for companies that create applications that provide collector or analysis capabilities for NetFlow so that they are not required to reinvent their product each time a new NetFlow feature is added.
C. Templates provide a faster way of processing NetFlow records.
D. Templates can be used to detect zero-day attacks faster because they provide support for indicators of compromise.
Q6. What protocol is used by IPFIX for packet transport?
Q7. NetFlow is a great tool for anomaly and DDoS detection. Before implementing these detection capabilities, you should perform which of the following tasks?
A. Enable NetFlow in more than two interfaces.
B. Enable BGP for route redirection.
C. Develop a traffic baseline.
D. Enable anti-spoofing protection.
Q8. Many network telemetry sources can also be correlated with NetFlow when responding to security incidents and performing network forensics. Which of the following are examples of other telemetry sources that can be correlated with NetFlow? (Choose two.)
A. Dynamic Host Configuration Protocol (DHCP) logs
B. VPN logs
C. Core dumps
D. Process utilization and hardware inventory logs
Q9.Which of the following are examples of open source tools that can be used for NetFlow analysis? (Choose three.)
B. Elasticsearch, Logstash, Kibana (ELK)
Q10. Which of the following are components of the Cisco Lancope StealthWatch solution?
A. StealthWatch Management Console
D. ISE Connector
Q11. Using NetFlow along with identity management systems, an administrator can detect which of the following? (Select all that apply.)
A. Who initiated the data transfer
B. The hosts (IP addresses) involved
C. Who configured NetFlow
D. Which RADIUS server has an active NetFlow connection
Q12. Network forensics can be an intimidating topic for many security professionals. Everyone knows that forensic investigation may entail many other sources of information, including end hosts, servers, and any affected systems. Each forensics team needs to have awareness of many different areas, such as which of the following? (Select all that apply.)
A. Assets, risks, impacts, and the likelihood of events
B. Incident response policies and procedures in mock events as well as NetFlow to analyze what is happening in the network
C. The current budget
D. Evidence handling and chain of custody (even NetFlow events can be used as evidence)
evidence and what chain of custody is.
Q13. What are some telemetry sources that are good for attribution? (Select all that apply.)
A. DHCP server logs
B. VPN server logs
C. 802.1x authentication logs
D. IP route table
Q14. What are some of the necessary steps in order to configure Flexible NetFlow in a Cisco IOS or Cisco IOS-XE device? (Select all that apply.)
A. Configure a flow record.
B. Configure a flow monitor.
C. Configure a neighbor.
D. Apply a crypto map to an interface.
1. Configure a flow record.
2. Configure a flow monitor.
3. Configure a flow exporter for the flow monitor.
4. Apply the flow monitor to an interface.
Q15. It is extremely important that your syslog and other messages are timestamped with the correct date and time. The use of which of the following protocols is strongly recommended?
Q16. Which of the following is not an example of a Flexible NetFlow component?
A. Flow records
B. Flow monitors
C. Flow NTP
D. Flow samplers
Q17. Which of the following is not a component of the 5-tuple of a flow in NetFlow?
A. Source IP address
B. Destination IP address
D. Source port
E. Destination port
Q18. Which of the following is not true about the NetFlow immediate cache?
A. It is the default cache used in many NetFlow implementations.
B. The flow accounts for a single packet.
C. It is desirable for real-time traffic monitoring and DDoS detection.
D. It is used when only very small flows are expected (NetFlow sampling).
Q19. Flexible NetFlow can track a wide range of Layer 2, IPv4, and IPv6 flow information, except which of the following?
A. Source and destination MAC addresses
D. Encryption security association serial numbers
Q20. Which of the following statements is true about Flexible NetFlow?
A. It is supported in IPv6 and IPv4, but only when IPv6 tunnels are used.
B. It supports IPv4, but not IPv6.
C. It supports encryption of NetFlow data to a collector.
D. It uses the concept of templates.