CCNA Security FAQ: Security at the Network Perimeter

Q1. Match the following deployment scenarios for a Cisco IOS router with the correct

  1. Single Perimeter: ___
  2. Two Perimeters: ___
  3. Screen Subnet: ___


A. The router establishes the trusted network boundary at the Internet and protects a single LAN.

B. A DMZ is established on a firewall that, in turn, is deployed inside the Cisco IOS router.

C. A firewall establishes a second perimeter behind the router.

Answer: 1—A; 2—C; 3—B.

Q2. Which of the following is not a feature of Cisco Integrated Services routers? (Choose all that apply.)
A. USB Port (most models)
B. Unified Network Services
C. Integrated PoE VoIP port
D. Integrated Security
E. Firewire port

Answer: The answers are C and E. Cisco ISRs do not contain integrated Power over Ethernet (PoE) ports or VoIP ports or Firewire ports. Some of the features are available as option cards on modular ISRs.

Q3. True or false. By default, Cisco router passwords must contain at least 10 characters.

Answer: False. It is also a trick question! Cisco recommends that passwords should be at least 10 characters in length, but there is no default rule. Passwords can be blank. That is why this chapter stresses basics such as best practices for passwords.

Q4. Which statement about the service password-encryption command is correct?

A. It encrypts all passwords in the router’s configuration file with an AES (Advanced Encryption Standard) 256-bit level encryption.

B. With the exception of the hashed enable secret, all passwords on the router are encrypted.

C. All passwords on the router are encrypted.

D. It has no effect unless the service password secret-encrypt command is also issued.

E. None of the above

Answer: B is correct. Answer D is a trick because that command doesn’t exist and answer A is just plain wrong. Answer C is tricky too because we learn in this chapter that passwords on the router are not encrypted unless we use the service password-encryption command.

Q5. You have entered the following commands to create a view called ISP:

Which one of the following commands enables users of this view to access the configure mode from a terminal?
A. commands configure include all terminal
B. commands exec include all configure
C. commands include exec configure
D. commands exec include configure terminal
E. None of the above.

Answer: The correct answer is B. This is a bit of a trick question because answer B enables configuration from not only the terminal but also from other sources. The syntax of the other (but wrong) answers is all mixed up.

Q6. Referring to the following list, select the five items that comprise the five basic services that SDM manages:
A. Wireless
B. Intrusion Protection Services (IPS)
C. Routing
D. Switching
E. Security
F. Interfaces
H. QoS

Answer: Choices A, C, D, E, and H are correct. The other items can be configured in the SDM, but they are not considered one of the five basic services that the SDM manages.

Q7. What (in the right order) does AAA stand for?
A. Access, accountability, administration
B. Administration, access, accounting
C. Accounting, access, administration
D. Authentication, authorization, accounting
E. Authorization, accounting, administration
F. None of the above.

Answer: D.

Q8. Which of the following is true about the Cisco Secure ACS Solution Engine? (Choose all that are correct.)

A. Must be installed on an existing installation of Windows Server.

B. Must be installed on an existing installation of Windows Server or Sun Solaris.

C. An appliance-based solution that supports up to 50 AAA clients, as well as 350 unique user logons in a 24-hour period.

D. An appliance-based solution.

E. TACACS+ only

F. None of the above.

Answer: D is correct. Answer C is meant to confuse because Cisco Secure ACS Express is being described and is also an appliance-based solution. Answers A, B, and E are simply wrong.

Q9. Fill in the blanks with the correct words from the list:
When designing an AAA solution, remote administrative access is also known as _____ mode. Another name for remote network access is _____ mode.
A. Packet, character
B. Character, network
C. Network, character
D. Character, packet
E. Packet, network

Answer: D.

Q10. What command will display a list of all local AAA users who have been locked out?
A. show aaa local user lockout
B. show aaa user all
C. show aaa sessions
D. show aaa local lockout
E. None of the above.

Answer: A is the correct answer. Answer B is the command that displays detailed statistics of all logged in users. Answer C is used to display current sessions of users who have been authenticated, authorized, or accounted by the AAA module. The command in answer D doesn’t exist.

Q11. Which protocols are supported in the AAA dialog between a Cisco IOS router and Cisco Secure ACS? (Choose all that apply.)
B. Active Directory
F. Kerberos

Answer: This is a trick question. The question is not which protocols does Cisco Secure ACS work with to authenticate to an external database. If that was the question, you could choose everything in the list. Answers D and E are correct because only RADIUS and TACACS+ are choices for protocols that work between the AAA client (the Cisco IOS router) and the AAA server (Cisco Secure ACS).

Q12. Which of the following statements is most correct concerning RADIUS and TACACS+?

A. RADIUS has rich accounting and TACACS+ is capable of customizable user-level policies such as command authorization.

B. RADIUS encrypts the whole communication between the AAA client and server, whereas TACACS+ only encrypts the password.

C. RADIUS uses UDP for transport and TACACS+ uses TCP.

D. RADIUS is a proprietary standard, whereas TACACS+ is Open Source.

E. RADIUS uses UDP ports 1645 and 1646 exclusively.

Answer: A and C are correct. Answer B is backwards. It’s TACACS+ that encrypts the whole communication, whereas RADIUS encrypts only the password. Answer D is incorrect but for a tricky reason. Although RADIUS is open source, TACACS+ isn’t quite a proprietary standard because Cisco has published it as an RFC (Request for Comments), part of the IETF standards track. Answer E is incorrect because RADIUS can use either ports 1645 and 1646 or ports 1812 and 1813 for authentication/authorization and accounting, respectively.
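The difference behind answer B is easy to see in code. The following Python block is an added example, not part of the original FAQ or of any Cisco product: it implements the RADIUS User-Password hiding from RFC 2865 §5.2 and the TACACS+ body obfuscation from RFC 8907 §4.5, then builds a small RADIUS attribute list so you can see that only the password attribute is hidden while the User-Name travels in clear text. The shared secret, Request Authenticator, session ID and credentials are constructed values for the demonstration.

```python
import hashlib


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: hide ONLY the User-Password attribute.

    The password is NUL-padded to a multiple of 16 octets and XORed with an
    MD5 keystream derived from the shared secret and the 16-byte Request
    Authenticator; each later block is chained on the previous ciphertext.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += chunk
        prev = chunk
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the AAA server does)."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def radius_attributes(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Name (type 1) and User-Password (type 2) as RADIUS TLVs.

    Everything except the User-Password value is sent in clear text.
    """
    hidden = radius_hide_password(password, secret, authenticator)
    user_name = bytes([1, 2 + len(username)]) + username
    user_password = bytes([2, 2 + len(hidden)]) + hidden
    return user_name + user_password


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 section 4.5: the WHOLE packet body is XORed with a pseudo-pad.

    pad = MD5(session_id | key | version | seq_no) followed by
          MD5(session_id | key | version | seq_no | previous_digest) ...
    XOR is its own inverse, so the same call decodes the body.
    """
    sid = session_id.to_bytes(4, "big")          # network byte order
    prefix = sid + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


# Constructed demonstration values (not real credentials or captures).
SECRET = b"demo-shared-secret"
AUTHENTICATOR = bytes(range(16))                 # stands in for 16 random bytes
USERNAME = b"alice"
PASSWORD = b"correct horse battery"


def demo() -> dict:
    """Return what each protocol leaves visible on the wire."""
    attrs = radius_attributes(USERNAME, PASSWORD, SECRET, AUTHENTICATOR)
    tacacs_body = b"\x01\x00\x01\x01" + bytes([len(USERNAME), 0, 0, 0]) + USERNAME
    tacacs_wire = tacacs_plus_obfuscate(tacacs_body, SECRET, 0x1234ABCD, 0xC0, 1)
    return {
        "radius_username_visible": USERNAME in attrs,
        "radius_password_visible": PASSWORD in attrs,
        "tacacs_username_visible": USERNAME in tacacs_wire,
    }


if __name__ == "__main__":
    print(demo())
```

The practical lesson matches the answer key: with RADIUS a capture still exposes user names, NAS addresses and accounting data, and the password hiding is only as strong as the shared secret, so RADIUS should run over a trusted management network or inside IPsec; TACACS+ hides the entire body, which is why it is preferred for per-command authorization traffic between an IOS router and ACS.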

Q13. Which of the following are not included in the three main task areas in setting up for external AAA? (Choose all that apply.)
A. Configure the AAA network.

B. Install AAA supplicant software on IP hosts that will authenticate to the IOS router.

C. Identify traffic to which AAA is applied.

D. Set up users.

E. Install Cisco Secure ACS Solution Engine module on the Cisco IOS router.

Answer: B and E are correct. Answer B is correct because you do not need special software on an IP host in order to enable AAA for the network. Answer E is correct because the Cisco Secure ACS Solution Engine is an appliance that comprises a self-contained AAA server solution. It is not an add-on module for a router, and the router is the AAA client in this scenario anyway.

Q14. Select the one answer with the correct two terms to fill in the following blanks. There are two distinct types of AAA authorization policies:

  • ________ policies that define access rules to the router.
  • ________ policies that define access rules through the router.

A. Network, Exec
B. Packet, Character
C. Character, Packet
D. Exec, Network
E. Administrative, User

Answer: D is correct. The use of the terms “packet” and “character” is deliberately misleading because these refer to types of access in general (see Figure 3.10), but not to specific types of AAA authorization policies. Answer E is simply wrong but sounds like it might be right to someone who hasn’t read the Exam Cram.
