Config Router

You are here: Home / Cisco / CCNA Security FAQ: Implementing Secure Management and Hardening the Router

CCNA Security FAQ: Implementing Secure Management and Hardening the Router

by

CCNA Security FAQ: Implementing Secure Management and Hardening the Router

Q1. Which of the following is not a consideration for setting up technical controls in support of secure logging?
A. How can the confidentiality of logs as well as communicating log messages be assured?
B. How do you log events from several devices in one central place?
C. What are the most critical events to log?
D. What are the most important logs?
E. None of the above.

Answer: E is correct because all the choices are valid considerations.

Q2. Fill in the blank with the correct term from the choices.
One communication path between management hosts and the devices they manage is __________, meaning that the traffic flows within a network separate from the production network.
A. In-band
B. Inter-vlan
C. Private
D. Out-of-band
E. Intranet

Answer: The right answer is D, out-of-band (OOB). A design goal for a secure network is to try to separate management traffic from the production networks wherever possible. Answer A is the opposite. The other answers are incorrect because they are not used in this context.

Q3. True or false. A general management guideline is to ensure that clocks on network devices are not synchronized with an external time source because this is a known vulnerability.

Answer:False. This is a bit of a trick question. Yes, there are some known vulnerabilities with synchronizing clocks with external time sources, but these are outweighed by the advantage of having all network devices’ clocks synchronized to a single time source.

Q4. Indicate the number for each logging level:

  • Debugging:       ____
  • Alerts:                ____
  • Emergencies:   ____
  • Notifications:   ____
  • Critical:             ____
  • Informational: ____
  • Warnings:         ____

Answer: The logging levels are the following:

  • Debugging:       7
  • Alerts:                1
  • Emergencies:   0
  • Notifications:   5
  • Critical:             2
  • Informational: 6
  • Warnings:        4

Q5. To what menus do you have to navigate to setup logging in the SDM?
A. Configure->Router Management->Additional Tasks->Logging
B. Configure->Additional Tasks->Router Properties->Logging
C. Monitor->System Properties->Configure->Syslog
D. Configure->Additional Tasks->Router Properties->Syslog
E. Monitor->Logging Options->Syslog Setup

Answer: The correct answer is B. The other choices, although they look vaguely correct, do not
represent real choices..

Q6. Match the following SNMP terms with their definitions:

  1. MIB: ___
  2. Agent: ___
  3. NMS: ___

A. Responds to sets and gets
B. Sends sets and gets
C. Information database

Answer: The correct answers are: 1—C; 2—A; 3—B. MIB stands for Management Information Base and resides on an agent. The information in this database can be queried (get) or configured (set) by a Network Management System (NMS)..

Q7. True or false. Secure Network Time Protocol (SNTP) is more secure than regular NTP as it requires authentication.

Answer: False. SNTP stands for Simple Network Time Protocol and is considered less secure than NTP. NTPv3, on the other hand, is more secure because it implements cryptography and authentication between NTP peers..

8Q. Which of the following is part of Cisco’s list of seven categories of vulnerable router services and interfaces? (Choose all that apply.)
A. Disable unnecessary services and interfaces.
B. Disable commonly configured management services.
C. Ensure path integrity.
D. Disable probes and scans.
E. All of the above.

Answer: E is correct. The complete list is as follows:

  • Disable unnecessary services and interfaces.
  • Disable commonly configured management services.
  • Ensure path integrity.
  • Disable probes and scans.
  • Ensure terminal access security.
  • Disable gratuitous and proxy ARP.
  • Disable IP directed broadcasts.

.

Q9. Fill in the blank with the correct term from the choices.
The Cisco SDM Security Audit Wizard and One-Step Lockdown tools are based on the Cisco _________ feature.
A. Auto-Initiate
B. SafeAudit
C. AuditMany-SecureOnce
D. AutoSecure
E. None of the above

Answer: D is correct. The other choices are made up and don’t appear in any context with Cisco network security.

Q10. True or false. SNMPv3 is implemented in the Cisco SDM Security Audit Wizard but not in the auto secure CLI command.

Answer: False. SNMPv3 is not part of the Cisco SDM Security Audit Wizard.
TABLE 4.2 SNMP Security Models and Levels
4-1