CCNA Security FAQ: Security at the Network Perimeter
Q1. Match the following deployment scenarios for a Cisco IOS router with the correct description:
- Single Perimeter: ___
- Two Perimeters: ___
- Screened Subnet: ___
Descriptions:
A. The router establishes the trusted network boundary at the Internet and protects a single LAN.
B. A DMZ is established on a firewall that, in turn, is deployed inside the Cisco IOS router.
C. A firewall establishes a second perimeter behind the router.
Q2. Which of the following is not a feature of Cisco Integrated Services routers? (Choose all that apply.)
A. USB Port (most models)
B. Unified Network Services
C. Integrated PoE VoIP port
D. Integrated Security
E. Firewire port
Q3. True or false. By default, Cisco router passwords must contain at least 10 characters.
Q4. Which statement about the service password-encryption command is correct?
A. It encrypts all passwords in the router’s configuration file with 256-bit AES (Advanced Encryption Standard) encryption.
B. With the exception of the hashed enable secret, all passwords on the router are encrypted.
C. All passwords on the router are encrypted.
D. It has no effect unless the service password secret-encrypt command is also issued.
E. None of the above
Q5. You have entered the following commands to create a view called ISP:
Which one of the following commands enables users of this view to access configuration mode from a terminal?
A. commands configure include all terminal
B. commands exec include all configure
C. commands include exec configure
D. commands exec include configure terminal
E. None of the above.
Answer: The correct answer is B. This is a bit of a trick question, because answer B enables configuration not only from the terminal but also from other sources. The syntax of the other (wrong) answers is all mixed up.
Q6. Referring to the following list, select the five items that comprise the five basic services that SDM manages:
A. Wireless
B. Intrusion Protection Services (IPS)
C. Routing
D. Switching
E. Security
F. Interfaces
G. AAA
H. QoS
Q7. What (in the right order) does AAA stand for?
A. Access, accountability, administration
B. Administration, access, accounting
C. Accounting, access, administration
D. Authentication, authorization, accounting
E. Authorization, accounting, administration
F. None of the above.
Q8. Which of the following is true about the Cisco Secure ACS Solution Engine? (Choose all that are correct.)
A. Must be installed on an existing installation of Windows Server.
B. Must be installed on an existing installation of Windows Server or Sun Solaris.
C. An appliance-based solution that supports up to 50 AAA clients, as well as 350 unique user logons in a 24-hour period.
D. An appliance-based solution.
E. TACACS+ only.
F. None of the above.
Q9. Fill in the blanks with the correct words from the list:
When designing an AAA solution, remote administrative access is also known as _____ mode. Another name for remote network access is _____ mode.
A. Packet, character
B. Character, network
C. Network, character
D. Character, packet
E. Packet, network
Q10. What command will display a list of all local AAA users who have been locked out?
A. show aaa local user lockout
B. show aaa user all
C. show aaa sessions
D. show aaa local lockout
E. None of the above.
Q11. Which protocols are supported in the AAA dialog between a Cisco IOS router and Cisco Secure ACS? (Choose all that apply.)
A. LDAP
B. Active Directory
C. ODBC
D. RADIUS
E. TACACS+
F. Kerberos
Q12. Which of the following statements is most correct concerning RADIUS and TACACS+?
A. RADIUS has rich accounting, and TACACS+ is capable of customizable user-level policies such as command authorization.
B. RADIUS encrypts the whole communication between the AAA client and server, whereas TACACS+ only encrypts the password.
C. RADIUS uses UDP for transport and TACACS+ uses TCP.
D. RADIUS is a proprietary standard, whereas TACACS+ is Open Source.
E. RADIUS uses UDP ports 1645 and 1646 exclusively.
Q13. Which of the following are not included in the three main task areas in setting up for external AAA? (Choose all that apply.)
A. Configure the AAA network.
B. Install AAA supplicant software on IP hosts that will authenticate to the IOS router.
C. Identify traffic to which AAA is applied.
D. Set up users.
E. Install Cisco Secure ACS Solution Engine module on the Cisco IOS router.
Q14. Select the one answer with the correct two terms to fill in the following blanks. There are two distinct types of AAA authorization policies:
- ________ policies that define access rules to the router.
- ________ policies that define access rules through the router.
Choices:
A. Network, Exec
B. Packet, Character
C. Character, Packet
D. Exec, Network
E. Administrative, User