CCNA Cyber Ops FAQ: NetFlow for Cybersecurity

Q1. Which of the following are some common uses of NetFlow? (Choose three.)
A. To see what is actually happening across the entire network
B. To identify DoS attacks
C. To quickly identify compromised endpoints and network infrastructure devices
D. To perform network scans to detect vulnerabilities

Answer: A, B, and C. NetFlow can be used to see what is actually happening across the entire network, to identify DoS attacks, and to quickly identify compromised endpoints and network infrastructure devices. It is not a scanning technology or solution.

Q2. Flexible NetFlow, Cisco’s next-generation NetFlow, can track a wide range of Layer 2, IPv4, and IPv6 flow information. Which of the following are examples of that information? (Choose four.)
A. Source and destination IPv4 or IPv6 addresses
B. Source and destination ports
C. Packet and byte counts
D. Flow timestamps
E. Usernames
F. Application ID

Answer: A, B, C, and D. Flexible NetFlow can track a wide range of Layer 2, IPv4, and IPv6 flow information, including the following:

  • Source and destination MAC addresses
  • Source and destination IPv4 or IPv6 addresses
  • Source and destination ports
  • ToS
  • DSCP
  • Packet and byte counts
  • Flow timestamps
  • Input and output interface numbers
  • TCP flags and encapsulated protocol (TCP/UDP)
  • Sections of packet for deep packet inspection
  • All fields in an IPv4 header
  • All fields in an IPv6 header
  • Routing information

Q3. NetFlow supports different types of cache. Which of the following are the NetFlow cache types? (Choose three.)
A. Normal
B. Flexible
C. Immediate
D. Permanent

Answer: A, C, D. Normal, immediate, and permanent are the three types of NetFlow cache.

Q4. IPFIX is a flow standard based on what version of NetFlow?
A. Version 1
B. Version 5
C. Version 7
D. Version 9

Answer: D. IPFIX is an IETF standard based on NetFlow v9, with several extensions.

Q5. What is one of the benefits of NetFlow templates?
A. Templates make flow records more organized and better structured.
B. Templates provide vendor-neutral support for companies that create applications that provide collector or analysis capabilities for NetFlow so that they are not required to reinvent their product each time a new NetFlow feature is added.
C. Templates provide a faster way of processing NetFlow records.
D. Templates can be used to detect zero-day attacks faster because they provide support for indicators of compromise.

Answer: B. Templates provide vendor-neutral support for companies that create applications that provide collector or analysis capabilities for NetFlow so that they are not required to reinvent their product each time a new NetFlow feature is added. Additionally, templates allow new features to be added to NetFlow more quickly, without breaking current implementations and with backward compatibility.

Q6. What protocol is used by IPFIX for packet transport?
A. SNMP
B. HTTPS
C. SCTP
D. TLS

Answer: C. IPFIX uses the Stream Control Transmission Protocol (SCTP), which provides a packet transport service designed to support several features beyond TCP or UDP capabilities.

Q7. NetFlow is a great tool for anomaly and DDoS detection. Before implementing these detection capabilities, you should perform which of the following tasks?
A. Enable NetFlow in more than two interfaces.
B. Enable BGP for route redirection.
C. Develop a traffic baseline.
D. Enable anti-spoofing protection.

Answer: C. NetFlow, along with other telemetry features, can be enabled within your infrastructure to provide the data needed to identify and classify threats and anomalies. Before implementing these anomaly detection capabilities, you should perform traffic analysis to gain an understanding of general traffic rates and patterns. This is often referred to as a traffic baseline.

Q8. Many network telemetry sources can also be correlated with NetFlow when responding to security incidents and performing network forensics. Which of the following are examples of other telemetry sources that can be correlated with NetFlow? (Choose two.)
A. Dynamic Host Configuration Protocol (DHCP) logs
B. VPN logs
C. Core dumps
D. Process utilization and hardware inventory logs

Answer: A and B. Both DHCP logs and VPN logs are examples of other telemetry sources that can be correlated with NetFlow.

Q9. Which of the following are examples of open source tools that can be used for NetFlow analysis? (Choose three.)
A. SiLK
B. Elasticsearch, Logstash, Kibana (ELK)
C. Lancope
D. Graylog

Answer: A, B, D. SiLK, ELK, and Graylog are open source tools that can be used for NetFlow analysis.

Q10. Which of the following are components of the Cisco Lancope StealthWatch solution?
A. StealthWatch Management Console
B. FlowCollector
C. FlowConnector
D. ISE Connector

Answer: A and B. StealthWatch Management Console, FlowCollector, FlowSensor, FlowReplicator, and StealthWatch IDentity are components of the Cisco Lancope StealthWatch solution.

Q11. Using NetFlow along with identity management systems, an administrator can detect which of the following? (Select all that apply.)
A. Who initiated the data transfer
B. The hosts (IP addresses) involved
C. Who configured NetFlow
D. Which RADIUS server has an active NetFlow connection

Answer: A and B. Using NetFlow along with identity management systems, an administrator can detect the person who initiated the data transfer and the host involved.

Q12. Network forensics can be an intimidating topic for many security professionals. Everyone knows that forensic investigation may entail many other sources of information, including end hosts, servers, and any affected systems. Each forensics team needs to have awareness of many different areas, such as which of the following? (Select all that apply.)
A. Assets, risks, impacts, and the likelihood of events
B. Incident response policies and procedures in mock events as well as NetFlow to analyze what is happening in the network
C. The current budget
D. Evidence handling and chain of custody (even NetFlow events can be used as evidence)

Answer: A, B, and D. Each forensics team needs to have awareness of assets, risks, impact, and the likelihood of events. In addition, the team needs to know incident response policies and procedures in mock events and collect NetFlow on a regular basis to analyze what is happening in the network. Other items the team should be aware of are how to handle evidence and what chain of custody is.

Q13. What are some telemetry sources that are good for attribution? (Select all that apply.)
A. DHCP server logs
B. VPN server logs
C. 802.1x authentication logs
D. IP route table

Answer: A, B, and C. DHCP server logs, VPN server logs, and 802.1x authentication logs are good telemetry sources for attribution, that is, for identifying who the potential threat actor is in a security incident or attack.

Q14. What are some of the necessary steps in order to configure Flexible NetFlow in a Cisco IOS or Cisco IOS-XE device? (Select all that apply.)
A. Configure a flow record.
B. Configure a flow monitor.
C. Configure a neighbor.
D. Apply a crypto map to an interface.

Answer: A and B. The following are the steps required to configure Flexible NetFlow in Cisco IOS or Cisco IOS-XE:
1. Configure a flow record.
2. Configure a flow monitor.
3. Configure a flow exporter for the flow monitor.
4. Apply the flow monitor to an interface.
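The four steps above, written out as a Cisco IOS Flexible NetFlow configuration. This is an added example, not configuration from the original page or from Cisco; the record, exporter and monitor names, the interface names, the collector address 192.0.2.10 (a documentation-range placeholder) and the UDP port 2055 are all assumptions. The exporter is entered before the monitor that references it, so the block's order differs slightly from the numbered list. The record's match fields are exactly the 5-tuple from Q17, and the monitor sets the normal cache type explicitly, which is the default named in Q18.

```cisco
! Step 1: flow record. The match (key) fields are the 5-tuple; the collect
! fields add counters, timestamps and TCP flags. Names here are assumptions.
flow record FNF-RECORD
 description Hypothetical 5-tuple record with counters and timestamps
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect transport tcp flags
!
! Step 3: flow exporter, entered before the monitor so the monitor can
! reference it. 192.0.2.10 is a placeholder collector address from the
! documentation range; 2055 is a commonly used NetFlow collector port.
flow exporter FNF-EXPORTER
 description Hypothetical NetFlow collector
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
! Step 2: flow monitor, which binds the record to the exporter. The normal
! cache is the default; it is stated explicitly here for clarity.
flow monitor FNF-MONITOR
 description Hypothetical monitor binding record and exporter
 record FNF-RECORD
 exporter FNF-EXPORTER
 cache type normal
 cache timeout active 60
 cache timeout inactive 15
!
! Step 4: apply the monitor to an interface, ingress direction.
interface GigabitEthernet0/1
 ip flow monitor FNF-MONITOR input
!
! Verification from exec mode (not part of the configuration):
! show flow monitor FNF-MONITOR cache
! show flow exporter FNF-EXPORTER statistics
```

The two show commands at the end are the quick checks a practitioner would run after applying the monitor: the cache view confirms flows are being keyed on the expected fields, and the exporter statistics confirm records are actually leaving the device toward the collector.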

Q15. It is extremely important that your syslog and other messages are timestamped with the correct date and time. The use of which of the following protocols is strongly recommended?
A. SNMP
B. BGP
C. TNP
D. NTP

Answer: D. Network Time Protocol, or NTP, is used to make sure that time is synchronized effectively in network infrastructure devices, servers, and any other computing devices.

Q16. Which of the following is not an example of a Flexible NetFlow component?
A. Flow records
B. Flow monitors
C. Flow NTP
D. Flow samplers

Answer: C. Flow records, monitors, and samplers are examples of Flexible NetFlow components.

Q17. Which of the following is not a component of the 5-tuple of a flow in NetFlow?
A. Source IP address
B. Destination IP address
C. Gateway
D. Source port
E. Destination port

Answer: C. Source and destination IP addresses and ports as well as the protocol are part of the 5-tuple.

Q18. Which of the following is not true about the NetFlow immediate cache?
A. It is the default cache used in many NetFlow implementations.
B. The flow accounts for a single packet.
C. It is desirable for real-time traffic monitoring and DDoS detection.
D. It is used when only very small flows are expected (NetFlow sampling).

Answer: A. The default cache in NetFlow is the “normal cache.”

Q19. Flexible NetFlow can track a wide range of Layer 2, IPv4, and IPv6 flow information, except which of the following?
A. Source and destination MAC addresses
B. ToS
C. DSCP
D. Encryption security association serial numbers

Answer: D. Encryption security association serial numbers are not part of NetFlow or Flexible NetFlow.

Q20. Which of the following statements is true about Flexible NetFlow?
A. It is supported in IPv6 and IPv4, but only when IPv6 tunnels are used.
B. It supports IPv4, but not IPv6.
C. It supports encryption of NetFlow data to a collector.
D. It uses the concept of templates.

Answer: D. Flexible NetFlow is based on NetFlow Version 9 and it uses the concept of templates.

About the author

Scott
