Network Security FAQ: Understanding Vulnerabilities The Need for Security
Q1. What are the three common classes of attack?
A. Access attack
B. DoS attack
C. Smurf attack
D. Reconnaissance attack
Answer: A, B, D. The three common classes of attack are access attack, reconnaissance attack, and DoS attack.
Answer C is not a class of attack, but rather a type of DoS attack.
Q2. Which of the following are types of access attacks? (Choose three)
A. Trust exploitation
B. TCP SYN attack
C. Port redirection
Answer: A, C, D. Trust exploitation, port redirection, and man-in-the-middle are all types of access attacks.
Answer B is incorrect because a TCP SYN attack is a form of DoS attack.
Q3. Which of the following are tools that can be used for a reconnaissance attack? (Choose three)
A. Port redirection
B. Ping sweep
C. Port scan
D. Packet sniffer
Answer: B, C, D. Ping sweeps, port scans, and packet sniffers are all tools that can be utilized for a reconnaissance attack. Answer A is incorrect because port redirection is a type of access attack.
Q4. Which of the following are types of DoS attacks? (Choose three)
A. Smurf attack
B. Packet sniffer
D. TCP SYN attack
Answer: A, C, D. Smurf attacks, DDoS attacks, and TCP SYN attacks are all types of DoS attacks.
Answer B is incorrect because a packet sniffer is a tool used for a reconnaissance attack.
FIGURE: DDoS attack
Q5. What command can be configured on a Cisco device to mitigate smurf attacks?
A. ip tcp intercept
B. ip directed-broadcast
C. no ip directed-broadcast
D. no ip tcp intercept
Answer: C. The no ip directed-broadcast command can be configured on a Cisco device to block smurf attacks.
Answers A and D are incorrect because they are related to the TCP SYN attack. Answer B is incorrect because it does not contain the keyword no.
Q6. When a valid host IP address is assumed by an attacking system, it is called ________________.
B. Ping of death
C. IP spoofing
D. Teardrop attack
Answer: C. When a valid host IP address is assumed by an attacking system, it is called IP spoofing.
Answer A is incorrect because filtering is used to filter traffic. Answer B is incorrect because the ping of death is when an ICMP echo request packet that is larger than 65,535 bytes is sent to a target destination, causing it to overflow, crash, and/or reboot. Answer D is incorrect because a teardrop attack happens when the Offset field of the TCP header is changed.
Q7. What do the three A’s in AAA stand for?
A. Authentication, authorization, advertising
B. Authorization, accounting, activating
C. Authentication, accounting, activating
D. Authentication, authorization, accounting
Answer: D. AAA stands for authentication, authorization, and accounting.
Answer A is incorrect because advertising is not a service of AAA. Answers B and C are incorrect because activating is not a service of AAA.
Q8. Which protocol uses TCP port 22?
Answer: B. SSH uses TCP port 22.
Answer A is incorrect because SSL uses TCP port 443. Answer C is incorrect because SNMP uses UDP port 161. Answer D is incorrect because NTP uses UDP port 123.
Q9. Which of the following are Cisco IOS secure management features? (Choose three)
Answer: A, B, D. Syslog, SSH, and SNMP are all Cisco IOS secure management features.
Answer C is incorrect because AAA consists of a group of three services that are used in conjunction with an authentication server and a software service such as TACACS or RADIUS to provide a secure network connection with a record of user activities.
Q10. Which protocol provides a secure channel between two devices at the Application layer (Layer 7) of the OSI model?
Answer: A. SSL is a protocol that provides a secure channel between two devices at the Application layer (Layer 7) of the OSI model.
Answer B is incorrect because IPsec functions at Layer 3 of the OSI model. Answer C is incorrect because SNMP is a management protocol that monitors the network and manages configurations. Answer D is incorrect because NTP is a protocol that synchronizes clocks on the local network to provide accurate local time on the user system.
Q11. Define trust exploitation.
Answer: Trust exploitation occurs when a device or group of devices on a shared segment erroneously trusts information that has been provided by an untrustworthy source.
Q12. Describe a TCP SYN attack.
Answer: In a TCP SYN attack, a SYN request is sent to a device with a spoofed IP address. The attacking system does not acknowledge the resulting SYN-ACK, which causes the session connection queues to fill up and stop taking new connection requests.
Q13. What are the three services that make up AAA?
Answer: Authentication identifies a user by login and password. Authorization determines what a user is allowed to do by putting together a list of attributes. Accounting assembles and sends usage information.
Q14. What can a Cisco ACL help mitigate?
- IP spoofing
- TCP SYN attacks
- Smurf attacks
- ICMP and traceroute
Q15. List the similarities and differences between an IPS and IDS.
Answer: Both IPS and IDS listen promiscuously to all incoming traffic. IPS is an active device that is inline with the traffic path. It can identify attacks and block them in the system. IDS is a passive device that may not be inline with the path of traffic. IDS can also generate alerts and send TCP resets when necessary.
Q16.What is IP fragmentation offset used for?
Answer: IP fragmentation offset is used to keep track of the different parts of a datagram. It may be necessary to split larger datagrams as they travel from one router to the next router in a small packet network.
Q17. Name the method attackers use to replace the IP address of the sender or, in some rare cases, the destination address with a different IP address.
Answer: This method is called IP address spoofing.
Q18. What is a covert TCP/IP channel?
Answer: Covert TCP/IP channels are instances in which communication channels are established and data can be secretly passed between two end systems.
Q19. The Ping of Death attack is a good example of what type of attack?
Answer: The Ping of Death attack is a good example of the IP fragmentation attack.
Q20. What happens during a buffer overflow?
Answer: During a buffer overflow, more data is retrieved than can be stored in a buffer location. The additional information must go into an adjacent buffer, resulting in overwriting the valid data held there.
Q21. List the two tasks the attacker must perform during a buffer overflow attack.
- The attacker must place dirty code in the program’s code address space.
- The attacker codes the privileged program so that it jumps to that particular part of the code.
Q22. List two spoofing attacks.
Answer: Two spoofing attacks would be ARP spoofing and DNS spoofing.
Q23. During an ARP spoofing attack, does the attacker exploit the hardware address or the IP address of a host?
Answer: The attacker exploits the hardware address of a host.
Q24. List two antispoofing measures for an ARP spoofing attack.
Answer: Two antispoofing measures for an ARP spoofing attack are ARP server and static ARP.
Q25. There are a number of techniques that can be used in a social engineering attack. List three techniques.
Answer: Three social engineering techniques include reverse social engineering, e-mails and phone calls, and authority abuse.
Q26. Which of the following statements is false when a packet is being compared to an access list?
A. It’s always compared with each line of the access list in sequential order.
B. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
C. There is an implicit “deny” at the end of each access list.
D. Until all lines have been analyzed, the comparison is not over.
Answer: D. It’s compared with lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
Q27. You need to create an access list that will prevent hosts in the network range of 192.168.160.0 to 192.168.191.0. Which of the following lists will you use?
A. access-list 10 deny 192.168.160.0 255.255.224.0
B. access-list 10 deny 192.168.160.0 0.0.191.255
C. access-list 10 deny 192.168.160.0 0.0.31.255
D. access-list 10 deny 192.168.0.0 0.0.31.255
Answer: C. The range of 192.168.160.0 to 192.168.191.0 is a block size of 32. The network address is 192.168.160.0 and the mask would be 255.255.224.0, which for an access list must be a wildcard format of 0.0.31.255. The 31 is used for a block size of 32. The wildcard is always one less than the block size.
Q28. You have created a named access list called Blocksales. Which of the following is a valid command for applying this to packets trying to enter interface Fa0/0 of your router?
A. (config)#ip access-group 110 in
B. (config-if)#ip access-group 110 in
C. (config-if)#ip access-group Blocksales in
D. (config-if)#Blocksales ip access-list in
Answer: C. Using a named access list just replaces the number used when applying the list to the router’s interface. ip access-group Blocksales in is correct.
Q29. Which access list statement will permit all HTTP sessions to network 192.168.144.0/24 containing web servers?
A. access-list 110 permit tcp 192.168.144.0 0.0.0.255 any eq 80
B. access-list 110 permit tcp any 192.168.144.0 0.0.0.255 eq 80
C. access-list 110 permit tcp 192.168.144.0 0.0.0.255 192.168.144.0 0.0.0.255 any eq 80
D. access-list 110 permit udp any 192.168.144.0 eq 80
Answer: B. The list must specify TCP as the Transport layer protocol and use a correct wildcard mask (in this case 0.0.0.255), and it must specify the destination port (80). It also should specify all as the set of computers allowed to have this access.
Q30. Which of the following access lists will allow only HTTP traffic into network 22.214.171.124?
A. access-list 100 permit tcp any 126.96.36.199 0.0.0.255 eq www
B. access-list 10 deny tcp any 188.8.131.52 eq www
C. access-list 100 permit 184.108.40.206 0.0.0.255 eq www
D. access-list 110 permit ip any 220.127.116.11 0.0.0.255
E. access-list 110 permit www 18.104.22.168 0.0.0.255
Answer: A. The fist thing to check in a question like this is the access-list number. Right away, you can see that the second option is wrong because it is using a standard IP access-list number. The second thing to check is the protocol. If you are fitering by upper-layer protocol, then you must be using either UDP or TCP; this eliminates the fourth option. The third and last answers have the wrong syntax.
Q31. What router command allows you to determine whether an IP access list is enabled on a particular interface?
A. show ip port
B. show access-lists
C. show ip interface
D. show access-lists interface
Answer: C. Of the available choices, only the show ip interface command will tell you which interfaces have access lists applied. show access-lists will not show you which interfaces have an access list applied.
Q32. In the work area, connect the show command to its function on the right.
Q33. If you wanted to deny all Telnet connections to only network 192.168.10.0, which command could you use?
A. access-list 100 deny tcp 192.168.10.0 255.255.255.0 eq telnet
B. access-list 100 deny tcp 192.168.10.0 0.255.255.255 eq telnet
C. access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
D. access-list 100 deny 192.168.10.0 0.0.0.255 any eq 23
Answer: C. The extended access list ranges are 100–199 and 2000–2699, so the access-list number of 100 is valid. Telnet uses TCP, so the protocol TCP is valid. Now you just need to look for the source and destination address. Only the third option has the correct sequence of parameters. Option B may work, but the question specifially states “only” to network 192.168.10.0, and the wildcard in option B is too broad.
Q34. If you wanted to deny FTP access from network 22.214.171.124 to network 126.96.36.199 but allow everything else, which of the following command strings is valid?
A. access-list 110 deny 188.8.131.52 to network 184.108.40.206 eq ftp access-list 111 permit ip any 0.0.0.0 255.255.255.255
B. access-list 1 deny ftp 220.127.116.11 18.104.22.168 any any
C. access-list 100 deny tcp 22.214.171.124 0.0.0.255 126.96.36.199 0.0.0.255 eq ftp
D. access-list 198 deny tcp 188.8.131.52 0.0.0.255 184.108.40.206 0.0.0.255 eq ftp
access-list 198 permit ip any 0.0.0.0 255.255.255.255
Answer: D. Extended IP access lists use numbers 100–199 and 2000–2699 and fiter based on source and destination IP address, protocol number, and port number. The last option is correct because of the second line that specifis permit ip any any. (I used 0.0.0.0 255.255.255.255, which is the same as the any option.) The third option does not have this, so it would deny access but not allow everything else.
Q35. You want to create an extended access list that denies the subnet of the following host:
172.16.50.172/20. Which of the following would you start your list with?
A. access-list 110 deny ip 172.16.48.0 255.255.240.0 any
B. access-list 110 udp deny 172.16.0.0 0.0.255.255 ip any
C. access-list 110 deny tcp 172.16.64.0 0.0.31.255 any eq 80
D. access-list 110 deny ip 172.16.48.0 0.0.15.255 any
Answer: D. First, you must know that a /20 is 255.255.240.0, which is a block size of 16 in the third octet. Counting by 16s, this makes our subnet 48 in the third octet, and the wildcard for the third octet would be 15 since the wildcard is always one less than the block size.
Q36. Which of the following is the wildcard (inverse) version of a /27 mask?
Answer: B. To fid the wildcard (inverse) version of this mask, the zero and one bits are simply reversed as follows:
11111111.11111111.11111111.11100000 (27 one bits, or /27)
00000000.00000000.00000000.00011111 (wildcard/inverse mask)
Q37. You want to create an extended access list that denies the subnet of the following host:
172.16.198.94/19. Which of the following would you start your list with?
A. access-list 110 deny ip 172.16.192.0 0.0.31.255 any
B. access-list 110 deny ip 172.16.0.0 0.0.255.255 any
C. access-list 10 deny ip 172.16.172.0 0.0.31.255 any
D. access-list 110 deny ip 172.16.188.0 0.0.15.255 any
Answer: A. First, you must know that a /19 is 255.255.224.0, which is a block size of 32 in the third octet. Counting by 32s, this makes our subnet 192 in the third octet, and the wildcard for the third octet would be 31 since the wildcard is always one less than the block size.
Q38. The following access list has been applied to an interface on a router:
access-list 101 deny tcp 220.127.116.11 0.0.0.31 host 18.104.22.168
Which of the following IP addresses will be blocked because of this single rule in the list? (Choose all that apply.)
Answer: B. The scope of an access list is determined by the wildcard mask and the network address to which it is applied. For example, in this case the starting point of the list of addresses affected by the mask is the network ID 22.214.171.124. The wildcard mask is 0.0.0.31. Adding the value of the last octet in the mask to the network address (32 + 31 = 63) tells you where the effects of the access list ends, which is 126.96.36.199. Therefore, all addresses in the range 188.8.131.52–184.108.40.206 will be denied by this list.
Q39. Which of the following commands connects access list 110 inbound to interface Ethernet0?
A. Router(config)#ip access-group 110 in
B. Router(config)#ip access-list 110 in
C. Router(config-if)#ip access-group 110 in
D. Router(config-if)#ip access-list 110 in
Answer: C. To place an access list on an interface, use the ip access-group command in interface confiuration mode.
Q40. What is the effect of this single-line access list?
access-list 110 deny ip 172.16.10.0 0.0.0.255 host 220.127.116.11
A. Denies only the computer at 172.16.10
B. Denies all traffic
C. Denies the subnet 172.16.10.0/26
D. Denies the subnet 172.16.10.0/25
Answer: B. With no permit statement, the ACL will deny all traffi.
Q41. You configure the following access list. What will the result of this access list be?
access-list 110 deny tcp 10.1.1.128 0.0.0.63 any eq smtp
access-list 110 deny tcp any any eq 23
int ethernet 0
ip access-group 110 out
A. Email and Telnet will be allowed out E0.
B. Email and Telnet will be allowed in E0.
C. Everything but email and Telnet will be allowed out E0.
D. No IP traffic will be allowed out E0.
Answer: D. If you add an access list to an interface and you do not have at least one permit statement, then you will affectively shut down the interface because of the implicit deny any at the end of every list.
Q42. Which of the following series of commands will restrict Telnet access to the router?
A. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line con 0
Lab_A(config-line)#ip access-group 10 in
B. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 10 out
C. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 10 in
D. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#ip access-group 10 in
Answer: C. Telnet access to the router is restricted by using either a standard or extended IP access list inbound on the VTY lines of the router. The command access-class is used to apply the access list to the VTY lines.
Q43. Which of the following is true regarding access lists applied to an interface?
A. You can place as many access lists as you want on any interface until you run out of memory.
B. You can apply only one access list on any interface.
C. One access list may be configured, per direction, for each layer 3 protocol configured on an interface.
D. You can apply two access lists to any interface.
Answer: C. A Cisco router has rules regarding the placement of access lists on a router interface. You can place one access list per direction for each layer 3 protocol confiured on an interface.
Q44. What is the most common attack on a network today?
A. Lock picking
D. auto secure
Answer: C. The most common attack on a network today is a denial of service (DoS) because they are the easiest attack to achieve.
Q45. You need to stop DoS attacks in real time and have a log of anyone who has tried to attack your network. What should you do your network?
A. Add more routers.
B. Use the auto secure command.
C. Implement IDS/IPS.
D. Configure Naggle.
Answer: C. Implementing intrusion detection services and intrusion prevention services will help notify you and stop attacks in real time.
CCNA Frequently Asked Questions CCNA Exam Questions with Explanation