CCIE Security FAQ Network Security Policies, Vulnerabilities, and Protection
Q1. A remote user tries logging into a remote network but fails after three additional tries and is disconnected. What useful information should the network administrator gather? (Select the best two answers.)
a. Username
b. Invalid password
c. Invalid username
d. Valid username
Explanation: Network administrators need the invalid username (because it is not an allowable username) and the invalid password used to see if the intruder is using a text-based algorithm to generate passwords.
Q2. What is the first step that should be implemented in securing any network?
a. Create a database of secure passwords.
b. Create the IP address scheme.
c. Run NetRanger or NetSonar.
d. Define a security policy.
e. Configure access lists on all routers.
Explanation: The first step in securing any network must be to define the security policy.
Q3. What primary security method can be designed and deployed to secure and protect any IP network after an attack has been documented?
a. Security policy
b. IP policy
c. Countermeasures
d. Measurement
e. Logging passwords
Explanation: Countermeasures should be in place in every IP network. For example, back up sensitive data and application software, and apply all required patches.
Q4. A security administrator notices that a log file stored on a local router has increased in size from 32 k to 64 k in a matter of seconds. What should the network administrator do?
a. Increase the buffer to 64 k.
b. Decrease the buffer to 16 k.
c. Log the event as suspicious and notify the incident response team.
d. Nothing, this is normal.
e. Both a and b are correct.
Explanation: Any log file that increases (more data to view) or decreases (for example, cleared by the intruder to hide his actions) should be regarded as suspicious activity.
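The rule in the explanation (sudden growth or any shrinkage of a log is suspicious) can be turned into a simple monitor. The following is an added example written for this page, not code from the original FAQ; the size samples are constructed, and the growth threshold of 1 KiB per second is an assumed tuning value.

```python
"""Flag abrupt growth or any shrinkage of a log file from periodic size samples.

Added example, not from the original FAQ. SAMPLES below is constructed:
(seconds since monitoring started, file size in bytes).
"""
from dataclasses import dataclass

KIB = 1024


@dataclass(frozen=True)
class Alert:
    at: int        # sample time in seconds
    kind: str      # "growth" or "shrink"
    old_size: int  # bytes at the previous sample
    new_size: int  # bytes at this sample


def check_log_samples(samples, max_growth_per_sec=1 * KIB):
    """Return alerts for growth faster than max_growth_per_sec and for any decrease.

    samples: iterable of (t_seconds, size_bytes) in increasing time order.
    A decrease is always reported: a log that shrinks may have been cleared
    to hide activity, which the explanation treats as just as suspicious.
    """
    alerts = []
    prev_t, prev_size = None, None
    for t, size in samples:
        if prev_t is not None:
            dt = max(t - prev_t, 1)  # avoid division by zero on duplicate timestamps
            if size < prev_size:
                alerts.append(Alert(t, "shrink", prev_size, size))
            elif (size - prev_size) / dt > max_growth_per_sec:
                alerts.append(Alert(t, "growth", prev_size, size))
        prev_t, prev_size = t, size
    return alerts


# Constructed samples: a steady trickle, then a 32 KiB -> 64 KiB jump in
# five seconds, then the file is emptied.
SAMPLES = [
    (0, 30 * KIB),
    (60, 31 * KIB),
    (120, 32 * KIB),
    (125, 64 * KIB),  # doubled in 5 s, about 6.4 KiB/s
    (180, 64 * KIB),
    (240, 0),         # cleared
]

if __name__ == "__main__":
    for a in check_log_samples(SAMPLES):
        print(f"t={a.at}s {a.kind}: {a.old_size} -> {a.new_size} bytes")
```

The first two samples grow by roughly 17 bytes per second and stay quiet; the jump at 125 s and the clearing at 240 s each produce one alert, which is the event the question expects the administrator to escalate to the incident response team.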
Q5. What is the primary responsibility of CERT/CC?
a. Define access lists for use on routers
b. Set security standards
c. Coordinate attacks on secure networks
d. Maintain a security standard for networks
e. Nothing to do with security
Explanation: CERT/CC’s primary responsibility is to aid in the security of any public network; go to www.cert.org for more details.
Q6. Who can use network scanners and probes? (Select the best two answers.)
a. Intruders
b. Security managers
c. End users
d. Cable service providers
Explanation: Network scanners are used by intruders just as they are used by network administrators.
Q7. What is a bastion host?
a. Firewall device supported by Cisco only
b. Network’s last line of defense
c. Network’s first line of defense
d. IP host device designed to route IP packets
Explanation: Bastion hosts are typically the first line of defense. Sometimes, they are sacrificed because they are typically public domain servers and can be quickly restored using backup methods.
Q8. A TCP SYN attack is what type of attack?
a. ICMP
b. DoS
c. Telnet/Kerberos attack
d. Ping attack only
Explanation: A TCP SYN attack is a form of denial-of-service attack.
Q9. When an intruder sends a large amount of ICMP echo (ping) traffic using IP broadcasts, this type of DoS attack is known as what?
a. Bastion
b. Land.C
c. Man in the middle
d. Smurf
e. Ping of death
Explanation: A Smurf attack sends large ICMP echo (ping) requests via a broadcast address, ensuring that all devices on the remote network respond and enabling the intruder to list the IP addresses connected to the network for further DoS-based attacks.
Q10. What kind of attack sends a large ICMP echo request packet with the intent of overflowing the input buffers of the destination machine and causing it to crash?
a. Ping of death
b. Smurf
c. Land.C
d. Man in the middle
e. Birthday attack
Explanation: A ping of death sends a large number of ICMP echo request packets, causing the end device to overflow, and can cause a remote server to stop functioning for legitimate requests.
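Both Q9 (Smurf) and Q10 (ping of death) are recognised by an IDS from properties that are visible in the packet headers: echo requests addressed to a broadcast address, and a fragment whose offset plus length cannot fit in a legal IPv4 datagram. The detection logic below is an added example written for this page, not code from the original FAQ. The packet records are constructed summaries of the kind a sensor might emit per IP fragment, the monitored network 192.168.1.0/24 is assumed, and the Smurf threshold of ten broadcast echo requests from one source is an assumed tuning value.

```python
"""Flag Smurf and ping-of-death indicators in ICMP packet summaries.

Added example, not from the original FAQ. SAMPLE_PACKETS are constructed
per-fragment summaries, not captured traffic; MONITORED_NETWORKS is an
assumed local address plan.
"""
import ipaddress
from collections import Counter

IPV4_HEADER_LEN = 20        # minimal IPv4 header (no options), bytes
MAX_IPV4_DATAGRAM = 65535   # largest legal reassembled IPv4 datagram, bytes
ICMP_ECHO_REQUEST = 8
SMURF_THRESHOLD = 10        # broadcast echo requests from one source before alerting

MONITORED_NETWORKS = ["192.168.1.0/24"]  # assumed site network


def is_broadcast(dst, networks):
    """True for the limited broadcast or the directed broadcast of a monitored net."""
    addr = ipaddress.ip_address(dst)
    return addr == ipaddress.ip_address("255.255.255.255") or any(
        addr == net.broadcast_address for net in networks
    )


def implied_datagram_size(pkt):
    """Size the whole datagram must have for this fragment to fit into it.

    frag_offset is in 8-byte units as carried in the IP header; payload_len is
    the number of IP payload bytes in this fragment.
    """
    return IPV4_HEADER_LEN + pkt["frag_offset"] * 8 + pkt["payload_len"]


def detect_icmp_dos(packets, monitored=MONITORED_NETWORKS, smurf_threshold=SMURF_THRESHOLD):
    """Return findings as dicts with 'kind', 'src', 'dst' and one detail field."""
    nets = [ipaddress.ip_network(n) for n in monitored]
    findings = []
    broadcast_echo = Counter()
    for pkt in packets:
        if pkt["proto"] != "icmp":
            continue
        # Ping of death: a fragment whose offset plus length exceeds the IPv4 maximum,
        # so reassembly would overrun a buffer sized for a legal datagram.
        size = implied_datagram_size(pkt)
        if size > MAX_IPV4_DATAGRAM:
            findings.append({"kind": "ping_of_death", "src": pkt["src"],
                             "dst": pkt["dst"], "implied_size": size})
        # Smurf: echo requests aimed at a broadcast address. Only the first
        # fragment carries the ICMP header, hence .get() on icmp_type.
        if pkt.get("icmp_type") == ICMP_ECHO_REQUEST and is_broadcast(pkt["dst"], nets):
            broadcast_echo[(pkt["src"], pkt["dst"])] += 1
    for (src, dst), n in broadcast_echo.items():
        if n >= smurf_threshold:
            # Every host on the segment answers src, so src is where the replies land.
            findings.append({"kind": "smurf", "src": src, "dst": dst, "count": n})
    return findings


def echo(src, dst, payload_len=56, frag_offset=0, first=True):
    """Build one constructed ICMP packet summary."""
    pkt = {"proto": "icmp", "src": src, "dst": dst,
           "payload_len": payload_len, "frag_offset": frag_offset}
    if first:
        pkt["icmp_type"] = ICMP_ECHO_REQUEST
    return pkt


# Constructed traffic: twelve echo requests to the directed broadcast, one
# normal ping, a legitimate large trailing fragment, and one fragment that
# cannot fit in a 65535-byte datagram.
SAMPLE_PACKETS = (
    [echo("10.0.0.5", "192.168.1.255") for _ in range(12)]
    + [echo("10.0.0.9", "192.168.1.10")]
    + [echo("10.0.0.9", "192.168.1.10", payload_len=100, frag_offset=8000, first=False)]
    + [echo("10.0.0.7", "192.168.1.10", payload_len=1480, frag_offset=8189, first=False)]
)

if __name__ == "__main__":
    for finding in detect_icmp_dos(SAMPLE_PACKETS):
        print(finding)
```

The ping-of-death check is stateless and fires on a single fragment (20 + 8189 × 8 + 1480 = 67012 bytes here), while the Smurf check needs a count over time; both are exactly the kind of exploit signature Q11 refers to.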
Q11. In the context of intrusion detection, what is an exploit signature?
a. DoS attack
b. An attack that is recognized and detected on the network
c. The same as a Smurf attack
d. The same as a man in the middle attack
Explanation: An exploit signature is an attack that is readily detected.
Q12. To stop spam e-mail from overwhelming an e-mail server, what step can you take?
a. Ask the ISP for help.
b. Nothing, because spam e-mail is too difficult to stop to be worth the effort.
c. Install an intrusion detection system that has a signature for spam e-mail.
d. Nothing, because the client software takes care of this.
e. Change the IOS code.
f. Configure the bastion host to stop spam e-mail.
Explanation: Spam e-mail can be controlled with an IDS server.
Q13. Define four reasons networks should be secured.
Answer: IP networks must provide a network security policy for the following reasons:
Inherent technology weaknesses—All network devices and operating systems have inherent vulnerabilities.
Configuration weaknesses—Common configuration mistakes can be exploited to open weaknesses.
Security policy vulnerabilities—The lack of security policies can lead to vulnerabilities, such as password security.
Outside/inside intruders—There are always internal and external people wanting to exploit network resources and retrieve sensitive data.
Q14. What is the function of the CERT/CC organization, and what are its primary objectives?
Q15. What are the primary steps completed by incident response teams?
Answer: Incident response teams do the following:
Verify the incident.
Determine the magnitude of the incident (hosts affected and how many).
Assess the damage (for example, if public servers have been modified).
Gather and protect the evidence.
Q16. Name common methods used by intruders to disrupt a secure network.
Answer: Intruders can use the following methods (and many more):
Session hijacking—The intruder presents himself with a valid IP address after a session has been established to the real IP address, by spoofing IP packets and manipulating the sequence number in an IP packet.
Rerouting—Packets from one source are routed to an intruder source. Routing updates are altered to send IP packets to an incorrect destination, allowing the intruder to read and use the IP data inappropriately.
Denial-of-service (DoS) attacks—An attack used in an attempt to deny legitimate users access to a network they have full rights to.
Probes and scans.
Malicious code.
Q17. In security, what is session hijacking?
Q18. In security terms, what is a man in the middle attack?
Q19. What is a Signature Engine?
Q20. What is social engineering?
Q21. Describe a ping of death attack.
Q22. What is a Land.C attack?
Q23. What does the following IOS code accomplish on a Cisco IOS router?
no service udp-small-servers
no service tcp-small-servers
configuration, they do not display when you view the configuration (show running-config or write terminal) because the default is to disable TCP/UDP small servers. Unlike Cisco switches, Cisco IOS Software does not display default configuration.
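Because IOS omits default settings from show running-config, a configuration audit cannot treat "line absent" as "unknown"; it has to apply the platform default. The script below works that out for the two small-servers services. It is an added example written for this page, not code from the original FAQ or from Cisco; the DEFAULTS table is an assumption limited to these two services (disabled by default on the IOS releases the explanation describes), and both configuration texts are constructed, not real device output.

```python
"""Work out the effective state of IOS services whose default the running
configuration does not display.

Added example, not from the original FAQ. DEFAULTS is an assumption limited
to the two services the question names; verify against the platform
documentation before adding more entries.
"""
import re

# service keyword -> enabled when the line is absent from "show running-config"
DEFAULTS = {
    "tcp-small-servers": False,
    "udp-small-servers": False,
}

# Matches "service X" or "no service X" with a single keyword, nothing else.
SERVICE_LINE = re.compile(r"^\s*(no\s+)?service\s+([\w-]+)\s*$")


def effective_services(config_text, defaults=DEFAULTS):
    """Map each service in `defaults` to (enabled, evidence)."""
    state = {name: (enabled, "absent: default applies") for name, enabled in defaults.items()}
    for line in config_text.splitlines():
        m = SERVICE_LINE.match(line)
        if m is None:
            continue  # e.g. "service timestamps log datetime" has extra tokens; ignored
        negated, name = m.group(1) is not None, m.group(2)
        if name in state:
            # IOS writes a service line only when it differs from the default,
            # so an explicit line always overrides the assumed default.
            state[name] = (not negated, line.strip())
    return state


def enabled_services(config_text):
    """Names of audited services that are effectively enabled."""
    return sorted(n for n, (on, _) in effective_services(config_text).items() if on)


# Constructed configurations (not real device output).
CONFIG_DEFAULTS_ONLY = """\
hostname edge-rtr
service timestamps log datetime
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

CONFIG_SMALL_SERVERS_ON = """\
hostname lab-rtr
service tcp-small-servers
no service udp-small-servers
"""

if __name__ == "__main__":
    for label, cfg in (("defaults only", CONFIG_DEFAULTS_ONLY),
                       ("explicit lines", CONFIG_SMALL_SERVERS_ON)):
        print(label, effective_services(cfg))
```

The first configuration never mentions small servers and is reported as disabled on both counts, which is the situation the explanation describes; the second shows an explicit "service tcp-small-servers" line, the only case in which IOS would actually display it.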
Q24. What is the secret password for the following IOS configuration?
enable secret %$@$%&^$@*$^*@$^*
enable pass cisco
Q25. What is the purpose of the command service sequence-numbers?