Network Security FAQ: Understanding Vulnerabilities The Need for Security
Q1. What are the three common classes of attack?
A. Access attack
B. DoS attack
C. Smurf attack
D. Reconnaissance attack
Q2. Which of the following are types of access attacks? (Choose three)
A. Trust exploitation
B. TCP SYN attack
C. Port redirection
Q3. Which of the following are tools that can be used for a reconnaissance attack? (Choose three)
A. Port redirection
B. Ping sweep
C. Port scan
D. Packet sniffer
Q4. Which of the following are types of DoS attacks? (Choose three)
A. Smurf attack
B. Packet sniffer
D. TCP SYN attack
Q5. What command can be configured on a Cisco device to mitigate smurf attacks?
A. ip tcp intercept
B. ip directed-broadcast
C. no ip directed-broadcast
D. no ip tcp intercept
Q6. When a valid host IP address is assumed by an attacking system, it is called ________________.
B. Ping of death
C. IP spoofing
D. Teardrop attack
Q7. What do the three A’s in AAA stand for?
A. Authentication, authorization, advertising
B. Authorization, accounting, activating
C. Authentication, accounting, activating
D. Authentication, authorization, accounting
Q8. Which protocol uses TCP port 22?
Q9. Which of the following are Cisco IOS secure management features? (Choose three)
Q10. Which protocol provides a secure channel between two devices at the Application layer (Layer 7) of the OSI model?
Q11. Define trust exploitation.
Q12. Describe a TCP SYN attack.
Q13. What are the three services that make up AAA?
Q14. What can a Cisco ACL help mitigate?
- IP spoofing
- TCP SYN attacks
- Smurf attacks
- ICMP and traceroute
Q15. List the similarities and differences between an IPS and IDS.
Q16.What is IP fragmentation offset used for?
Q17. Name the method attackers use to replace the IP address of the sender or, in some rare cases, the destination address with a different IP address.
Q18. What is a covert TCP/IP channel?
Q19. The Ping of Death attack is a good example of what type of attack?
Q20. What happens during a buffer overflow?
Q21. List the two tasks the attacker must perform during a buffer overflow attack.
- The attacker must place dirty code in the program’s code address space.
- The attacker codes the privileged program so that it jumps to that particular part of the code.
Q22. List two spoofing attacks.
Q23. During an ARP spoofing attack, does the attacker exploit the hardware address or the IP address of a host?
Q24. List two antispoofing measures for an ARP spoofing attack.
Q25. There are a number of techniques that can be used in a social engineering attack. List three techniques.
Q26. Which of the following statements is false when a packet is being compared to an access list?
A. It’s always compared with each line of the access list in sequential order.
B. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
C. There is an implicit “deny” at the end of each access list.
D. Until all lines have been analyzed, the comparison is not over.
Q27. You need to create an access list that will prevent hosts in the network range of 192.168.160.0 to 192.168.191.0. Which of the following lists will you use?
A. access-list 10 deny 192.168.160.0 255.255.224.0
B. access-list 10 deny 192.168.160.0 0.0.191.255
C. access-list 10 deny 192.168.160.0 0.0.31.255
D. access-list 10 deny 192.168.0.0 0.0.31.255
Q28. You have created a named access list called Blocksales. Which of the following is a valid command for applying this to packets trying to enter interface Fa0/0 of your router?
A. (config)#ip access-group 110 in
B. (config-if)#ip access-group 110 in
C. (config-if)#ip access-group Blocksales in
D. (config-if)#Blocksales ip access-list in
Q29. Which access list statement will permit all HTTP sessions to network 192.168.144.0/24 containing web servers?
A. access-list 110 permit tcp 192.168.144.0 0.0.0.255 any eq 80
B. access-list 110 permit tcp any 192.168.144.0 0.0.0.255 eq 80
C. access-list 110 permit tcp 192.168.144.0 0.0.0.255 192.168.144.0 0.0.0.255 any eq 80
D. access-list 110 permit udp any 192.168.144.0 eq 80
Q30. Which of the following access lists will allow only HTTP traffic into network 220.127.116.11?
A. access-list 100 permit tcp any 18.104.22.168 0.0.0.255 eq www
B. access-list 10 deny tcp any 22.214.171.124 eq www
C. access-list 100 permit 126.96.36.199 0.0.0.255 eq www
D. access-list 110 permit ip any 188.8.131.52 0.0.0.255
E. access-list 110 permit www 184.108.40.206 0.0.0.255
Q31. What router command allows you to determine whether an IP access list is enabled on a particular interface?
A. show ip port
B. show access-lists
C. show ip interface
D. show access-lists interface
Q32. In the work area, connect the show command to its function on the right.
Q33. If you wanted to deny all Telnet connections to only network 192.168.10.0, which command could you use?
A. access-list 100 deny tcp 192.168.10.0 255.255.255.0 eq telnet
B. access-list 100 deny tcp 192.168.10.0 0.255.255.255 eq telnet
C. access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
D. access-list 100 deny 192.168.10.0 0.0.0.255 any eq 23
Q34. If you wanted to deny FTP access from network 220.127.116.11 to network 18.104.22.168 but allow everything else, which of the following command strings is valid?
A. access-list 110 deny 22.214.171.124 to network 126.96.36.199 eq ftp access-list 111 permit ip any 0.0.0.0 255.255.255.255
B. access-list 1 deny ftp 188.8.131.52 184.108.40.206 any any
C. access-list 100 deny tcp 220.127.116.11 0.0.0.255 18.104.22.168 0.0.0.255 eq ftp
D. access-list 198 deny tcp 22.214.171.124 0.0.0.255 126.96.36.199 0.0.0.255 eq ftp
access-list 198 permit ip any 0.0.0.0 255.255.255.255
Q35. You want to create an extended access list that denies the subnet of the following host:
172.16.50.172/20. Which of the following would you start your list with?
A. access-list 110 deny ip 172.16.48.0 255.255.240.0 any
B. access-list 110 udp deny 172.16.0.0 0.0.255.255 ip any
C. access-list 110 deny tcp 172.16.64.0 0.0.31.255 any eq 80
D. access-list 110 deny ip 172.16.48.0 0.0.15.255 any
Q36. Which of the following is the wildcard (inverse) version of a /27 mask?
11111111.11111111.11111111.11100000 (27 one bits, or /27)
00000000.00000000.00000000.00011111 (wildcard/inverse mask)
Q37. You want to create an extended access list that denies the subnet of the following host:
172.16.198.94/19. Which of the following would you start your list with?
A. access-list 110 deny ip 172.16.192.0 0.0.31.255 any
B. access-list 110 deny ip 172.16.0.0 0.0.255.255 any
C. access-list 10 deny ip 172.16.172.0 0.0.31.255 any
D. access-list 110 deny ip 172.16.188.0 0.0.15.255 any
Q38. The following access list has been applied to an interface on a router:
access-list 101 deny tcp 188.8.131.52 0.0.0.31 host 184.108.40.206
Which of the following IP addresses will be blocked because of this single rule in the list? (Choose all that apply.)
Q39. Which of the following commands connects access list 110 inbound to interface Ethernet0?
A. Router(config)#ip access-group 110 in
B. Router(config)#ip access-list 110 in
C. Router(config-if)#ip access-group 110 in
D. Router(config-if)#ip access-list 110 in
Q40. What is the effect of this single-line access list?
access-list 110 deny ip 172.16.10.0 0.0.0.255 host 220.127.116.11
A. Denies only the computer at 172.16.10
B. Denies all traffic
C. Denies the subnet 172.16.10.0/26
D. Denies the subnet 172.16.10.0/25
Q41. You configure the following access list. What will the result of this access list be?
access-list 110 deny tcp 10.1.1.128 0.0.0.63 any eq smtp
access-list 110 deny tcp any any eq 23
int ethernet 0
ip access-group 110 out
A. Email and Telnet will be allowed out E0.
B. Email and Telnet will be allowed in E0.
C. Everything but email and Telnet will be allowed out E0.
D. No IP traffic will be allowed out E0.
Q42. Which of the following series of commands will restrict Telnet access to the router?
A. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line con 0
Lab_A(config-line)#ip access-group 10 in
B. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 10 out
C. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 10 in
D. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#ip access-group 10 in
Q43. Which of the following is true regarding access lists applied to an interface?
A. You can place as many access lists as you want on any interface until you run out of memory.
B. You can apply only one access list on any interface.
C. One access list may be configured, per direction, for each layer 3 protocol configured on an interface.
D. You can apply two access lists to any interface.
Q44. What is the most common attack on a network today?
A. Lock picking
D. auto secure
Q45. You need to stop DoS attacks in real time and have a log of anyone who has tried to attack your network. What should you do your network?
A. Add more routers.
B. Use the auto secure command.
C. Implement IDS/IPS.
D. Configure Naggle.
[mks_button size=”medium” title=”CCNA Frequently Asked Questions” style=”squared” url=”http://www.configrouter.com/cisco-certified-network-associate-faq/” target=”_blank” bg_color=”#000000″ txt_color=”#FFFFFF” icon=”” icon_type=”” nofollow=”0″] [mks_button size=”medium” title=”CCNA Exam Questions with Explanation” style=”squared” url=”http://www.configrouter.com/ccna-online-training/” target=”_blank” bg_color=”#000000″ txt_color=”#FFFFFF” icon=”” icon_type=”” nofollow=”0″]