CCNA Security FAQ: Introduction to Endpoint, SAN, and Voice Security

CCNA Security FAQ: Introduction to Endpoint, SAN, and Voice Security

Question. Which is not one of the three prongs of the Cisco Host Security Strategy?
A. Endpoint protection
B. Cisco network admission control
C. Network infection containment
D. Comprehensive network security policy
E. Cisco routers

Answers: D and E are the correct choices. Cisco’s Host Security Strategy comprises endpoint protection using CSA, network admission control using NAC, and network infection containment.

Question. What are the two main software elements that must be secured in order that an endpoint proves its trustworthiness? (Choose one answer.)
A. Applications, operating system
B. Encrypted code, peer review
C. Cisco NAC, CSA
D. Anti-virus software, host firewall
E. None of the above.

Answer: A is correct. Cisco has specific products to address application and operating system security. The other choices, while ostensibly software (and also good ideas!), do not represent the high-level answer that was being looked for.
Question. Which of the following is not a reason for an organization to incorporate a SAN in its enterprise infrastructure?
A. To meet changing business priorities, applications, and revenue growth

B. To decrease the threat of viruses and worm attacks against data storage devices

C. To increase the performance of long-distance replication, backup, and recovery

D. To decrease both capital and operating expenses associated with data storage

Answer: B
Question. Which of the following is the basis of all the major SAN transport technologies?

Answer: D
Question. Which of the following represent SAN transport technologies? (Choose all that apply.)
A. Fibre Channel

Answer: A, C, and D
Question. Which of the following are classes of SAN attacks? (Choose all that apply.)
A. Viruses
B. Snooping
C. Worms
D. Spoofing
E. Denial of service (DoS)

Answer: B, D, and E
Question. Spoofing represents an attack against data ____________.
A. Confidentiality
B. Availability
C. Accuracy
D. Integration

Answer: A

Question. Applications and operating systems are susceptible to DoS and access attacks in the same way that network devices are. What are some specific attacks that endpoints may be susceptible to?
A. Brute force attacks
B. Known cipher attacks
C. Buffer overflows
D. Worms, viruses, and Trojan horses
E. None of the above.

Answers: C and D are correct. Answers A and B are incorrect because these are attacks against cryptosystems and were explained in Chapter 6, “Introducing Cryptographic Services.” They are deliberately misleading because the reader will recognize the terminology.

Question. True or false. Worms are like microorganisms that invade a human host, attaching to other programs and executing unwanted functions on that host.

Answer: The correct answer is false. The definition provided is for a virus. Worms take their names from burrowing organisms that live in the “soil” of an infected host. The worm replicates into the memory of an infected host that, in turn, infects other computers.
Question. A LUN is used by which of the following protocols as a way to differentiate the individual disk drives that comprise a target device?

Answer: C
Question. At what level is LUN masking implemented?
A. Drive
B. Disk
C. Controller
D. Host Bus Adapter

Answer: D
Question. Which of the following statements correctly describes Fibre Channel zoning?
A. Combining a Fibre Channel fabric into larger subsets

B. Partitioning a Fibre Channel fabric into smaller subsets

C. Segmenting a Fibre Channel fabric through the use of a LUN mask into smaller subsets

D. Combining the Fibre Channel fabric, through the use of LUN masks, into larger sections

Answer: B
Question. Which of the following is perceived as a drawback of implementing Fibre Channel Authentication Protocol (FCAP)?
A. It requires the use of netBT as the network protocol.
B. It is restricted in size to only three segments.
C. It relies on an underlying Public Key Infrastructure (PKI).
D. It requires the implementation of IKE

Answer: C
Question. Which of the following are the two primary port authentication protocols used with VSANs? (Choose two.)

Answer: B and C

Question. Put the five Ps of the phases of a worm attack in the correct order by putting the number indicating the correct order in the blank opposite the phase name.
Penetrate:   ___
Propagate:  ___
Persist:        ___
Probe:          ___
Paralyze:     ___

Answers: The correct order is 1—Probe, 2—Penetrate, 3—Persist, 4—Propagate, and 5— Paralyze (a—2, b—4, c—3, d—1, e—5).

Question. Match the following descriptions of NAC components with the letter corresponding to its name from the list of choices.

  1. A device deployed in-band or out-of-band to perform network access control.
  2. Software that resides on a client endpoint and is queried to establish an endpoint’s compliance with the network security policy.
  3. A GUI-based central administrative interface for IT security personnel.

a. NAS
b. NAM
c. NAA
d. NAD
e. NAC

Answers: 1—a, 2—c, 3—b. Answers d and e do not match any of the descriptions. NAS stands for NAC Appliance Server. NAM stands for NAC Appliance Manager, and NAA stands for NAC Appliance Agent. A rule of thumb is that the GUI used to manage a single network device is called a “manager.” For example, Cisco IPS appliances use the IPS Device Manager (IDM). Cisco IOS routers use the Cisco Security Device Manager (SDM). Thus, the GUI to manage a single NAC appliance is the NAC Appliance Manager (NAM).
Question. You administer a network that contains analog telephony devices connected to voice gateways. These voice gateways connect to the Public Switched Telephone Network (PSTN). Which of the following best describes this type of network?
B. IP telephony
C. Converged communications
D. Unified communications

Answer: B
Question. Which of the following are justifications for migrating from a traditional telephony network to a VoIP network? (Choose all that apply.)
A. Reduced recurring expenses
B. Reduced end-to-end delay
C. Advanced functionality
D. Adaptability

Answers: A, C, and D
Question. Which of the following VoIP components can permit or deny a call attempt based on a network’s available bandwidth?
A. Gateway
B. Gatekeeper
D. Application server

Answer: B
Question. Which two protocols can be used to carry voice media packets? (Choose two.)

Answer: B and C
Question. Which of the following attacks against a VoIP network attempts to deplete the resources available on a server (for example, processing resources)?
A. Accessing VoIP resources without appropriate credentials
B. Gleaning information from unsecured VoIP network resources
C. Launching a denial-of-service (DoS) attack
D. Capturing telephone conversations

Answer: C

Question. Cisco Security Agent (CSA) comprises four interceptors to intercept application calls to the operating system kernel. Fill in the blanks in the description of two of these interceptors with the choices from the list.
The ________ interceptor ensures that each application plays by the rules by only allowing write access to memory that is owned by that application. The ________ interceptor intercepts read/write requests to the system registry or (in Unix) the run control (rc) files.
a. Execution space
b. Network
c. File System
d. Configuration

Answers: a and d (in that order) are correct.

Question. Which one of the following SAN interconnection technologies is used for SAN-to-SAN connectivity?
C. Fiber Channel
D. None of the above

Answer: A is correct. Fiber Channel over IP (FCIP) is used to interconnect SANs over an IP network. Choice B, iSCSI, is used for host-to-SAN connectivity over an IP network, whereas choice C, Fiber Channel, is a technology used in the fabric of a fiber SAN switch to connect hosts (such as application servers) to the SAN volumes.
Question. VoIP spam is also known by which of the following acronyms?

Answer: D
Question. Which of the following best describes vishing?
A. Influencing users to provide personal information over a web page

B. Influencing users to provide personal information over the phone

C. Influencing users to forward a call to a toll number (for example, a long distance or international number)

D. Using an inside facilitator to intentionally forward a call to a toll number (for example, a long distance or international number)

Answer: B
Question. Which of the following Cisco Catalyst switch mechanisms can be used to prevent a man-in-the-middle attack launched against a SIP network?

Answer: B
Question. A Cisco IP phone can send traffic from an attached PC in a data VLAN while sending voice packets in a separate VLAN. What is the name given to this separate voice VLAN?
B. Auxiliary VLAN
C. Native VLAN
D. Access VLAN

Answer: B
Question. What type of firewall is required to open appropriate UDP ports required for RTP streams?
A. Stateless firewall
B. Proxy firewall
C. Stateful firewall
D. Packet filtering firewall

Answer: C
Question. Which two of the following statements are true about a Cisco IP phone’s web access feature? (Choose two.)
A. It is enabled by default.
B. It requires login credentials, based on the UCM user database.
C. It can provide IP address information about other servers in the network.
D. It uses HTTPS.

Answer: A and C

Question. Fiber Channel VSANs are most analogous to what security feature?
C. 802.1X

Answer: A is correct. Fiber channel zones are analogous to ACLs (answer B) and Fiber Channel port security is similar to 802.1X port-based authentication (answer C).

FIGURE 9.4 VSANs and zoning.

Question. True or false. SPIT (SPAM over IP Telephony) is a very real and current threat for VoIP networks.

Answer: False. SPIT is an emerging threat, but not one that has been seen in the wild as yet. It serves most to underline that as the technology evolves, so do the attack methods.

About the author


Leave a Comment