NETW450
Advanced Network Security with Lab Full Class
Devry
NETW 450 Week 1 Discussion DQ 1 & DQ 2 Latest 2016
DQ 1: Security Policy Issues (graded)
What are the key components of a good security policy? What are some of the most common attacks, and how can a network be protected against these attacks?
DQ 2: iLab Experiences (graded)
Discuss your experiences with the Skillsoft Lab 1. What parts of the iLab did you find difficult or unclear? What did you learn about security in completing the assigned iLab?
Devry
NETW 450 Week 2 Discussion DQ 1 & DQ 2 Latest 2016
DQ 1: Router Security (graded)
Discuss the methods that can be used on a standard IOS router to prevent unauthorized access to the router. Also, discuss how privilege levels and role-based CLI can improve the security of the router.
DQ 2: iLab Experiences (graded)
Read the Week 2 iLab instructions and discuss the expectations you have regarding this lab. Do you think it is important to prevent access to unused ports and services on the routers within your network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class?
Devry
NETW 450 Week 3 Discussion DQ 1 & DQ 2 Latest 2016
DQ 1: Layer 2 (Switch) Security (graded)
Discuss the attacks that can occur on a layer 2 switch and how the network can be impacted by these attacks. Also, discuss the methods that can be used to mitigate the effects of these attacks on the network.
DQ 2: iLab Experiences (graded)
Read the Week 3 iLab instructions and discuss the expectations you have regarding this lab. Do you think it is important to prevent access to unused ports and services on the routers within your network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class? What did you learn about security ACLs in completing this lab?
Devry
NETW 450 Week 4 Discussion DQ 1 & DQ 2 Latest 2016
DQ 1: Security ACLs and Firewall (graded)
Discuss the security ACLs we covered this week in the text reading and the lecture. Describe different scenarios where a specific type of ACL can enhance network security. Compare CBAC firewalls versus zone-based firewalls. What are the advantages and disadvantages of each?
DQ 2: iLab Experiences and WLAN Security (graded)
Read the Week 4 iLab instructions and discuss the expectations you have regarding this lab. Do you think the wireless LAN is secure on your network? What wireless security measures can you take to secure the WLAN? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class? What did you learn about wireless access points and roaming in completing this lab?
Devry
NETW 450 Week 5 Discussion DQ 1 & DQ 2 Latest 2016
DQ 1: AAA Servers (graded)
Compare the relative merits of TACACS+ and RADIUS AAA servers. What advantages and disadvantages does each type of AAA server have?
DQ 2: iLab Experiences and Analyzing Bandwidth Needs (graded)
Read the Week 5 iLab instructions and discuss the expectations you have regarding this lab. Do you think the overhead involved in securing communication links can affect the bandwidth requirements of a network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class? What did you learn about analyzing bandwidth requirements for serial links in completing this lab?
Devry
NETW 450 Week 6 Discussion DQ 1 & DQ 2 Latest 2016
DQ 1: Virtual Private Networks (graded)
Discuss what you learned about the configuration and operation of virtual private networks.
DQ 2: iLab Experiences (graded)
Read the Week 6 iLab instructions and discuss the expectations you have regarding this lab. Periodic security audits are necessary to ensure continued protection of a company network. Why is it important to use and run a scheduled security audit on your network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class? What did you learn about security audits in completing this lab?
Devry
NETW 450 Week 7 Discussion DQ 1 & DQ 2 Latest 2016
DQ 1: Intrusion Detection/Prevention Systems (IDS/IPS) (graded)
Intrusion detection systems can be implemented on IOS firewall routers and security appliances. They can also be dedicated in-line hardware devices. Why is intrusion detection important in networks with connections to the Internet, and what are the functions of IDS? What are the differences between intrusion detection systems (IDS) and intrusion prevention systems (IPS)?
DQ 2: iLab Experiences (graded)
Read the Week 7 iLab instructions and discuss the expectations you have regarding this lab. Periodic security audits are necessary to ensure continued protection of a company network. Why is it important to use and run a scheduled security audit on your network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class? What did you learn about security audits in completing this lab?
iLabs
iLab 2 of 7: Security Demands
Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)
iLAB OVERVIEW
Scenario and Summary
In this lab, the students will examine the following objectives.
Create an ACL to meet the requirements of the security demands.
Modify an existing ACL to meet additional security requirements.
Deliverables
Students will complete all tasks specified in the iLab Instructions document. As the iLab tasks are completed, students will enter CLI commands and answer questions in the iLab Report document. This iLab Report document will be submitted to the iLab Dropbox for Week 2.
Supporting Documentation
Textbook (Chapter 3)
Webliography links on Access Control List
Required Software
iLAB STEPS
STEP 1: Access Skillsoft iLab
Access Skillsoft Labs at the provided iLab link, and select Catalog. Click to Launch the course and then select Lab2. Then, download the PDF instructions. Ensure that you open and read the iLab instructions before you begin the lab.
PLEASE NOTE: Lab instr
STEP 2: Perform iLab 2
Download and open SEC450_W2_Security_Demands_Lab2_Report.docx. Follow the instructions to perform all procedures in this week's lab. Instructions in red indicate tasks that you need to answer and include in the lab report.
STEP 3: Complete Your Lab Report
When you are satisfied with your documentation, submit your completed report to the Dropbox.
Submit your lab to the Dropbox, located at the top of this page. For instructions on how to use the Dropbox, read these step-by-step instructions or watch this Dropbox Tutorial.
See the Syllabus section “Due Dates for Assignments & Exams” for due date information.
Student
Security Demands Lab
NETW 450 Week 2 iLab2 Report
Copy below each of the tasks that appears in red in the PDF lab instructions from Skillsoft. Then, write the answer following each of the tasks. Submit this document to the iLab Dropbox in Week 2.
Week 3
Lab 3 of 7: Database Security Demands
Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)
iLAB OVERVIEW
NETW 450 ACL Tutorial
This document highlights the most important concepts of Access Control Lists (ACLs) that you need to learn in order to configure an ACL in the CLI. This tutorial does not intend to cover all ACL applications, only the scenarios used in the SEC450 iLabs.
Introduction to Access Control Lists
A host-based firewall essentially works by closing and/or opening ports on a computer. The engine behind firewalls is built with Access Control Lists (ACLs).
Network-based firewalls are implemented in device-specific appliances and routers. Basically, firewalls in routers filter packets through interfaces to permit or deny them.
Ports are layer-4 addresses specified in the TCP/IP protocol suite that identify networking processes running on clients and servers.
ACLs are configured using shell-specific commands. In Cisco IOS, the CLI commands access-list and access-group are used to create an ACL and to apply it on an interface.
An ACL can be identified by a number ID or by a name. Naming an ACL is useful to identify the ACL’s purpose.
ACLs are classified into Standard ACLs and Extended ACLs.
Standard ACL number IDs are assigned from 1 to 99. Extended ACL number IDs are from 100 to 199.
A standard ACL only uses the source IP address in an IP packet to filter through an interface. Hence, a standard ACL denies or permits all IP packets with the same source IP address regardless of upper-layer protocols, destination IP address, etc. Example 1:
Router(config)#access-list 8 deny host 172.12.3.5
An extended ACL filters packets based on protocol, source IP address, source port number, destination IP address, and destination port number. Example 2:
Router(config)#access-list 102 deny tcp host 10.0.3.2 host 172.129.4.1
This denies TCP packets with source IP address 10.0.3.2 and destination IP address 172.129.4.1.
Since a standard ACL only matches on the source IP address, the rule is to apply it on an interface as close as possible to the destination IP address.
On the contrary, the rule for extended ACLs is to apply them on an interface as close as possible to the source IP address.
Use extended ACLs in all iLabs, as they are more granular in packet filtering.
Create Extended ACLs in global configuration
You can use the access-list command options lt, gt, eq, neq, and range (less than, greater than, equal, not equal, range of ports) to match on port numbers.
Example 3: access-list 102 deny tcp any host 11.23.45.7 gt 20 denies all packets with any source IP address to destination IP address 11.23.45.7 and destination TCP port greater than 20.
Example 4: access-list 107 permit udp any any permits all UDP packets with any source IP address to any destination IP address.
Extended ACLs can filter packets based on source port number and destination port number.
Extended ACL syntax can be as follows.
access-list <#,name> <protocol> host <source_ip> <port_qualifier> <source_port_number> host <dest_ip> <port_qualifier> <dest_port_number>
where:
<#,name> is a number between 100 and 199 or a one-word name
<protocol> is any protocol in the TCP/IP suite
<source_ip> and <dest_ip> are the source and destination IP addresses
<port_qualifier> is optional, and can be eq, gt, lt, neq, or range
<source_port_number> and <dest_port_number> follow <port_qualifier> to specify the port number(s). <port_qualifier> and <port_number> can be replaced by the application protocol name, for example, http instead of eq 80.
Creation of an ACL follows the three Ps rule: one ACL per protocol, per interface, per traffic direction. Per protocol means one protocol such as IP, TCP, IPX, UDP, or ICMP can be specified. Per interface means the ACL is applied to an interface to make it active. Per direction means the ACL needs to specify in which direction at the interface, packets in or out, the filtering applies.
The steps for configuring a new ACL are: First, create the ACL in CLI global configuration using access-list command(s). Then, apply the ACL using the access-group command in CLI interface configuration. The ACL is not activated until it is applied to an interface.
An ACL consists of one or more access-list commands. Routers process the ACL commands in order, top first to bottom last, like a script or computer program. That is why the order of access-list commands makes a difference.
The effect of an access-list command depends upon the previous access-list commands. Therefore, always write the commands in this order: more-specific-traffic commands first, and more-generic-traffic commands last.
Example 5: It makes sense to write an ACL as
Router(config)#access-list 101 deny tcp host 10.0.3.2 any
Router(config)#access-list 101 permit tcp any any
But never follow the order below, because the second command is more specific and therefore its “deny” is worthless: the first command already lets the packets pass through.
Router(config)#access-list 101 permit tcp any any
Router(config)#access-list 101 deny tcp host 10.0.3.2 any
All ACLs have a hidden access-list command at the end that denies all packets (i.e., deny ip any any). Hence, packets that are not specifically permitted by a command will always be denied by the ACL.
Example 6: Use the command Router(config)#access-list 105 permit ip any any at the end of the ACL if it is required to permit all other traffic after denying packets with Router(config)#access-list 105 deny icmp any host 192.168.10.244
The wildcard option is used in access-list commands to filter packets from a subnet of source and/or destination IP addresses instead of single hosts. The IP addresses in each of those subnets must be contiguous. Filtering on port numbers is also applicable, but it has been omitted for the sake of simplicity. Here is the syntax.
access-list <#,name> <protocol> <source_ip> <source_wildcard> <dest_ip> <dest_wildcard>
where:
<#,name> is a number between 100 and 199 or a one-word name
<protocol> is any protocol in the TCP/IP suite
<source_ip> and <dest_ip> are the source and destination IP addresses
<source_wildcard> and <dest_wildcard> specify the subnet ranges of source and destination IP addresses
The wildcard in an ACL has the same meaning as in routing protocols such as EIGRP and OSPF. A wildcard bit of 0 means the bit in the IP address must be the same as the corresponding bit in the subnet IP address. A wildcard bit of 1 means the bit in the IP address can be any value (0 or 1).
Example 7: access-list 105 deny udp 172.16.7.3 0.0.0.3 any means to deny all UDP packets with source IP addresses from 172.16.7.0 to 172.16.7.3 to any destination IP address. Note that .3 is .00000011 in binary and the wildcard is .000000xx, where x means any (0 or 1).
Example 8: access-list 109 permit tcp host 192.168.6.3 eq 80 10.0.0.0 0.0.0.255 means to permit all TCP packets from source IP address 192.168.6.3 and source TCP port 80 (e.g., an HTTP server) to destination IP addresses in the range 10.0.0.0 to 10.0.0.255. The fact that 10.0.0.0 would not qualify as a host IP in classful networks is irrelevant to the ACL.
Using a wildcard of all 0s is the same as using the host option in access-list commands. Example 9: access-list 110 permit ip host 10.23.4.3 host 10.30.2.1 and access-list 110 permit ip 10.23.4.3 0.0.0.0 10.30.2.1 0.0.0.0 are equivalent commands. Both permit packets with source IP address 10.23.4.3 and destination IP address 10.30.2.1.
Only use wildcards in access-list commands when the ACL requires filtering packets on a subnet of IP addresses, either at the source, the destination, or both.
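To make the first-match rule of Examples 5 and 6, the port qualifiers of Examples 3 and 4, and the wildcard matching of Examples 7 to 9 concrete, here is a Python model of how a router evaluates an extended ACL. It is an added example, not part of the tutorial or of Cisco IOS; the named-port table and the sample packets are constructed for it, and it covers only the syntax the tutorial shows.

```python
"""Model of how a router evaluates a Cisco IOS extended ACL (added example, not tutorial code).
Entries are walked top to bottom, first match wins, an unmatched packet hits the hidden 'deny ip
any any'. Supports any | host A | A WILDCARD, eq/gt/lt/neq/range and names such as http for 'eq 80'."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

QUALIFIERS = {"eq", "gt", "lt", "neq", "range"}
NAMED_PORTS = {"http": 80, "www": 80, "ftp": 21, "telnet": 23, "domain": 53}  # constructed subset
MASK32 = 0xFFFFFFFF


@dataclass
class Entry:
    action: str                            # 'permit' or 'deny'
    protocol: str                          # 'ip', 'tcp', 'udp', 'icmp', ...
    src: Tuple[int, int]                   # (address, wildcard) as 32-bit ints
    sport: Optional[Tuple[str, int, int]]  # (qualifier, low, high) or None
    dst: Tuple[int, int]
    dport: Optional[Tuple[str, int, int]]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return ((addr, wildcard), next)."""
    if tokens[i] == "any":
        return (0, MASK32), i + 1                  # every wildcard bit set: matches anything
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2      # 'host' is the same as wildcard 0.0.0.0
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _parse_port(tokens: List[str], i: int):
    """Consume an optional port qualifier ('eq 80', 'range 20 21', 'http') at tokens[i]."""
    if i >= len(tokens):
        return None, i
    tok = tokens[i]
    if tok in NAMED_PORTS:                         # application name stands for 'eq <port>'
        return ("eq", NAMED_PORTS[tok], NAMED_PORTS[tok]), i + 1
    if tok not in QUALIFIERS:                      # not a qualifier: the address part follows
        return None, i
    if tok == "range":
        return ("range", int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    port = NAMED_PORTS.get(tokens[i + 1]) or int(tokens[i + 1])   # 'eq http' or 'eq 80'
    return (tok, port, port), i + 2


def parse_entry(line: str) -> Entry:
    """Parse 'access-list <#> <permit|deny> <proto> <src> [port] <dst> [port]'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[1:]                        # tokens[0] is now the ACL number or name
    action, proto = tokens[1].lower(), tokens[2].lower()
    src, i = _parse_addr(tokens, 3)
    sport, i = _parse_port(tokens, i) if proto in ("tcp", "udp") else (None, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i) if proto in ("tcp", "udp") else (None, i)
    return Entry(action, proto, src, sport, dst, dport)


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """Wildcard bit 0: the address bit must equal the base; wildcard bit 1: any value."""
    return (addr & ~wildcard & MASK32) == (base & ~wildcard & MASK32)


def port_match(spec, port: int) -> bool:
    if spec is None:                               # no qualifier: every port matches
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[op]


def evaluate(acl: List[str], proto: str, src_ip: str, sport: int, dst_ip: str, dport: int):
    """Return (action, line number of the matching entry); None means the implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for n, line in enumerate(acl, start=1):
        e = parse_entry(line)
        if e.protocol not in ("ip", proto):        # an 'ip' entry covers every protocol
            continue
        if (wildcard_match(s, *e.src) and wildcard_match(d, *e.dst)
                and port_match(e.sport, sport) and port_match(e.dport, dport)):
            return e.action, n                     # first match decides; later lines are skipped
    return "deny", None                            # hidden 'deny ip any any'


def wildcard_hosts(base: str, wildcard: str) -> List[str]:
    """List every address a base/wildcard pair selects (intended for small wildcards)."""
    b, w = _ip(base), _ip(wildcard)
    return [str(ipaddress.IPv4Address(a)) for a in range(b & ~w & MASK32, (b | w) + 1)
            if wildcard_match(a, b, w)]


# Example 5 from the tutorial in the correct order and in the wrong order.
ACL101_GOOD = ["access-list 101 deny tcp host 10.0.3.2 any",
               "access-list 101 permit tcp any any"]
ACL101_BAD = ["access-list 101 permit tcp any any",
              "access-list 101 deny tcp host 10.0.3.2 any"]

if __name__ == "__main__":
    pkt = ("tcp", "10.0.3.2", 40000, "192.0.2.10", 80)     # constructed sample packet
    print(evaluate(ACL101_GOOD, *pkt), evaluate(ACL101_BAD, *pkt))   # ('deny', 1) ('permit', 1)
    print(wildcard_hosts("172.16.7.3", "0.0.0.3"))          # 172.16.7.0 .. 172.16.7.3
```

Feeding the same packet through ACL101_GOOD and ACL101_BAD shows why the deny in the wrong order never fires, and wildcard_hosts shows which four addresses the 0.0.0.3 wildcard of Example 7 selects.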
Applying an ACL to an Interface to Activate It
Example 10: Assume you need to create an ACL in a router that permits any traffic except UDP packets with source IP address 10.23.4.3 and destination IP address 10.30.2.1, as shown in the network diagram below.
First, you need to create an extended ACL in CLI global configuration.
Router#config t
Router(config)#access-list 103 deny udp host 10.23.4.3 host 10.30.2.1
Router(config)#access-list 103 permit ip any any
Second, you need to apply ACL 103 on the interface closer to the source (the extended ACL rule of thumb). The closer interface is S0/1 in the router for traffic coming from IP 10.23.4.3. Thus, you go to interface configuration in the CLI to activate the ACL.
Router(config)#interface s0/1
Router(config-if)#ip access-group 103 in
If you need to make any correction after creating an ACL, first erase the ACL from the interface and global configurations. To erase ACL 103 from the previous example, execute the following commands.
Router(config)#interface s0/1
Router(config-if)#no ip access-group 103 in
Router(config)#no access-list 103
Now you can start over creating ACL 103. If you do not erase the ACL, new access-list commands will be appended to the existing ones in the configuration file, producing unexpected behavior. Use the command show run to verify the ACL is erased and created again correctly.
Verify ACL Configuration
Example 11: Let’s say you have been asked to create an ACL in a router R to deny TCP traffic coming through interface Serial 0/2 from source IP address 10.16.2.1 to destination IP address 172.16.5.3 with destination port number greater than 200. Also, the ACL should permit any other traffic.
There are two configuration tasks you need to do in the CLI. First, create the ACL. Second, apply the ACL to interface Serial 0/2.
So, in the CLI:
R> enable
R# config t
R(config)# access-list 101 deny tcp host 10.16.2.1 host 172.16.5.3 gt 200
R(config)# access-list 101 permit ip any any
(This command is needed to permit any other traffic after denying the packets selected by the first command.)
R(config)# interface serial0/2
R(config-if)# ip access-group 101 in
(This command applies the ACL to serial0/2 for traffic coming in.)
R(config-if)# end
R# show run
(This verifies that the ACL configuration is correct in the running-config file.)
R#show running-config
version 12.3
!
hostname R
!
interface FastEthernet0/0
 ip address 192.168.200.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 shutdown
!
interface Serial0/0
 ip address 200.100.20.2 255.255.255.0
!
interface Serial0/1
 ip address 192.168.30.2 255.255.255.0
 shutdown
!
interface Serial0/2
 ip address 192.168.40.1 255.255.255.0
 ip access-group 101 in
!
router rip
 network 192.168.200.0
 network 200.100.20.0
!
ip default-network 200.100.20.0
ip route 0.0.0.0 0.0.0.0 serial0/0
!
!
access-list 101 permit tcp host 10.16.2.1 host 172.16.5.3 gt 200
access-list 101 permit ip any any
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
line vty 5 15
 password cisco
!
end
If the ACL is not correct, then delete it with the commands below and start over again.
R# config t
R(config)# no access-list 101
R(config)# interface serial0/2
R(config-if)#no ip access-group 10
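The running-config shown for Example 11 lists the first line of ACL 101 as permit, although the command entered was deny; that is exactly the kind of mismatch the show run step is meant to catch. Here is an added Python checker (not tutorial or Cisco code) that parses the relevant lines of that output and compares them with the intended entries, interface and direction; the RUNNING_CONFIG excerpt is taken from Example 11 and the INTENDED dictionary is constructed from its requirements.

```python
"""Audit a running-config for an intended ACL (added example, not tutorial or Cisco code).
It extracts access-list entries and 'ip access-group' bindings from show running-config text
and reports where the router's configuration differs from what was intended."""
import re
from typing import Dict, List, Tuple

# Excerpt of the show running-config output from Example 11 above (only the relevant lines).
RUNNING_CONFIG = """\
!
interface Serial0/2
 ip address 192.168.40.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 permit tcp host 10.16.2.1 host 172.16.5.3 gt 200
access-list 101 permit ip any any
!
"""

# What Example 11 set out to configure: the two entries, in order, applied inbound on Serial0/2.
INTENDED = {
    "number": "101",
    "entries": ["deny tcp host 10.16.2.1 host 172.16.5.3 gt 200",
                "permit ip any any"],
    "interface": "Serial0/2",
    "direction": "in",
}


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Collect access-list entries per ACL number, in configuration (evaluation) order."""
    acls: Dict[str, List[str]] = {}
    for m in re.finditer(r"^access-list (\S+) (.+)$", config, re.M):
        acls.setdefault(m.group(1), []).append(m.group(2).strip())
    return acls


def parse_bindings(config: str) -> List[Tuple[str, str, str]]:
    """Return (interface, acl, direction) for every 'ip access-group' line under an interface."""
    bindings, iface = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line.strip().startswith("ip access-group ") and iface:
            _, _, acl, direction = line.split()
            bindings.append((iface, acl, direction))
    return bindings


def audit(config: str, intended: dict) -> List[str]:
    """Return findings as strings; an empty list means the ACL matches the intent."""
    findings: List[str] = []
    acls, bindings = parse_acls(config), parse_bindings(config)
    number, want = intended["number"], intended["entries"]
    actual = acls.get(number)
    if actual is None:
        findings.append(f"ACL {number} is not defined")
    else:
        for n, (w, got) in enumerate(zip(want, actual), start=1):
            if w != got:                       # same position, different rule: order or action drift
                findings.append(f"ACL {number} line {n}: expected '{w}', found '{got}'")
        if len(actual) != len(want):
            findings.append(f"ACL {number} has {len(actual)} entries, expected {len(want)}")
    if (intended["interface"], number, intended["direction"]) not in bindings:
        findings.append(f"ACL {number} is not applied '{intended['direction']}' on {intended['interface']}")
    for iface, acl, direction in bindings:     # a binding to an undefined ACL filters nothing
        if acl not in acls:
            findings.append(f"{iface} applies ACL {acl} {direction}, but ACL {acl} is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG, INTENDED):
        print(finding)   # reports the permit/deny mismatch on line 1 of ACL 101
```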
Week 4
AAA Server Authentication Lab
NETW 450 Week 4 iLab4 Report
Copy below each of the tasks that appears in red in the PDF lab instructions from Skillsoft. Then, write the answer following each of the tasks. Submit this document to the iLab Dropbox in Week 4.
iLab 5 of 7: VPN – Virtual Private Networks
Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)
Student Name: Date:
IPSec Site-to-Site VPN Lab
SEC450 Week 5 iLab5 Report
Copy below each of the tasks that appears in red in the PDF lab instructions from Skillsoft. Then, write the answer following each of the tasks. Submit this document to the iLab Dropbox in Week 5.
Week 6
iLab 6 of 7: IDS/IPS – Intrusion Detection/Prevention Systems
Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)
Student Name: Date:
Intrusion Detection System (IDS/IPS) Lab
NETW 450 Week 6 iLab6 Report
Copy below each of the tasks that appears in red in the PDF lab instructions from Skillsoft. Then, write the answer following each of the tasks. Submit this document to the iLab Dropbox in Week 6.
Week 7
iLab 7 of 7: Network Vulnerability Case Study
Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)
Student Name _________________________________ Date _____________
NETW 450 Network Vulnerability Case Study—iLab7
Objectives
In this lab, students will examine the following objectives.
Differentiate the use of IDS and IPS to detect network attacks.
Design a network with IDS/IPS.
Justify the use of IDS/IPS for a given network solution.
Scenario
A small company is using the topology shown below to secure its intranet while providing a less-secured environment for its eCommerce DMZ server. The company is concerned that firewalls are not enough to detect and prevent network attacks. Hence, deployment of sensors for intrusion detection systems (IDS) and/or intrusion prevention systems (IPS) is needed in the network. Your job is to provide recommendations, including a network design with IDS/IPS, that meet the company’s requirements.
Initial Topology
Company’s Requirements
Detect any malicious traffic entering the e-commerce server without a performance penalty to traffic getting into the server from revenue-generating customers.
Stop any malicious traffic entering the human resources LAN (HR LAN).
Detect any malicious traffic entering the computer terminal in the marketing LAN (MKT LAN).
Stop any traffic entering the File Server in the MKT LAN.
Deploy a centralized database and analysis console in the intranet to manage and monitor both IDS and IPS sensors.
Note: RED text indicates the required questions to answer.
Task 1—Layout the New Network Design
Click on the Initial Network Topology link on the iLab page in Week 7, and save on your computer the MS PowerPoint file Initial_Network_Topology_iLab7.ppt. This file contains a diagram for the initial network topology and pictures of all components needed to create the new network design.
Review the documentation provided in the references at the end of these instructions to get more familiar with the implementation of IDS and IPS in network design. You need to find a network solution that meets the company’s requirements.
#1. Paste below your new network design diagram.
Task 2—IDS/IPS Recommendations
#2. Write an engineering specification document of at least 250 words (e.g., 1 page of full text, double spaced, size 12) describing why your network’s design meets each of the company’s requirements. Justify how each recommendation addresses the company’s needs.
Task 3—Conclusions
#3. Describe in two paragraphs your learning experience in this lab.
References:
1. SANS Institute. “Network IDS & IPS Deployment Strategies”—Webliography
2. Paquet, C. (2012). Implementing Cisco IOS network security (IINS) foundation learning guide (2nd ed.). Indianapolis, IN: Cisco Press.
3. NIST. “Guide to Intrusion Detection and Prevention Systems (IDPS)”—Webliography
Quizzes
Week 2
Question 1. (TCO 2) Which of the following prompts indicates that you have booted into the IOS stored in Bootstrap ROM (possibly due to a Ctrl-Break entered during power-up)? (Points : 3)
Router>
> or ROMMON>
(Boot)>
ROM>
Question 2. (TCO 2) Which is the command sequence used to configure a console terminal password on a Cisco router? Note: <CR> represents a carriage return or Enter key. (Points : 3)
line con 0 <CR> password {password} <CR>
line con 0 <CR> password {password] <CR> login <CR>
line con 0 <CR> login {password} <CR>
line {password} con 0 <CR>
Question 3. (TCO 2) To enter privileged EXEC mode, you can type the command _____ at the user EXEC prompt. (Points : 3)
enter
enable
activate
open
Question 4. (TCO 2) Which of the following IOS commands will set the minimum length for all router passwords to eight characters? (Points : 3)
(config)# service passwords min-length 8
(config)# passwords min-length 8
(config)# security passwords min-length 8
(config)# passwords security min-length 8
Question 5. (TCO 2) Which of the following commands will prevent password recovery using ROM monitor mode? (Points : 3)
(config)# no rom monitor
(config)# no password-recovery
(config)# no service password-recovery
(config)# no password-recovery service
Question 6. (TCO 2) To configure role-based CLI on a Cisco router, the first command to enter in privileged mode is _____. (Points : 3)
parser view
view enable
enable view
config view
Question 7. (TCO 2) Which of the following commands is required before you can begin configuring SSH on a Cisco router? (Points : 3)
Crypto key generate rsa
IP domain-name
Crypto key zeroize
Transport input ssh
Question 8. (TCO 2) Which of the following cannot be used to enhance access security on a router? (Points : 3)
MD5 encrypted enable passwords
SHA encrypted usernames
Privilege levels
MD5 encrypted username
Week 4
Question 1. (TCO 4) Which type of access list entry is dynamic and becomes active only when a Telnet session is authenticated? It can be used for inbound or outbound traffic. (Points : 3)
Established
Lock and key
Reflexive
CBAC
Question 2. (TCO 4) What function does CBAC perform on a Cisco IOS firewall? (Points : 3)
Creates specific security policies for each user.
Provides secure, per-application access control across network perimeters.
Provides additional visibility at intranet, extranet, and Internet perimeters.
Protects the network from internal attacks and threats.
Question 3. (TCO 4) Given the configuration shown below, the idle timeout for TCP and UDP sessions is _____.
ip inspect audit-trail
ip inspect name FWRULE tcp timeout 180
ip inspect name FWRULE udp timeout 180
!
interface FastEthernet0/0
 ip access-group 100 in
 ip inspect FWRULE in
!
interface FastEthernet0/1
 ip access-group 101 in
!
logging on
logging 192.168.100.100
!
access-list 100 permit ip any any
!
access-list 101 deny ip any any log
(Points : 3)
180 minutes
180 seconds
180 days
180 milliseconds
Question 4. (TCO 4) Given the configuration shown below, the host at IP address 192.168.100.100 is a _____.
ip inspect audit-trail
ip inspect name FWRULE tcp timeout 180
ip inspect name FWRULE udp timeout 180
!
interface FastEthernet0/0
 ip access-group 100 in
 ip inspect FWRULE in
!
interface FastEthernet0/1
 ip access-group 101 in
!
logging on
logging 192.168.100.100
!
access-list 100 permit ip any any
!
access-list 101 deny ip any any log
(Points : 3)
TACACS+ server
syslog server
Radius server
TACACS server
Question 5. (TCO 4) Which of the following is not a policy action that can be specified for zone-based firewall traffic? (Points : 3)
Pass
Drop
Hold
Inspect
Question 6. (TCO 4) With zone-based firewalls, which of the following is used to define interfaces on routers that have the same security level? (Points : 3)
Zones
Class maps
Policy maps
Zone pairs
Question 7. (TCO 4) What is the range of ACL numbers for a standard access list? (Points : 3)
100–199 and 1700–1999
1–99 and 1300–1999
0–99
100–199
Question 8. (TCO 4) In CLI, the zone-pair command is used to associate together which of the following? (Points : 3)
Zones and service-policy
Class maps and interface
Policy maps and interface
Class-type and interface
Week 6
Question 1. (TCO 6) When you are configuring a Cisco IOS firewall router for IPSec using RSA signatures, you need to generate a local RSA key. Before you generate the RSA key, you must _____. (Points : 3)
generate general purpose keys
configure a domain name for the router
contact a third-party certificate authority (CA)
enable the key management protocol in global configuration mode
Question 2. (TCO 6) IPSec VPNs use ACLs to specify VPN tunnel traffic. Any traffic not permitted in the ACL will be _____. (Points : 3)
dropped before it exits the VPN outbound interface
passed through the VPN outbound interface with no IPSec protection
encrypted and sent out through the VPN outbound interface because the ACL specifies traffic to be restricted
sent back to the sender with a message indicating invalid IPSec format
Question 3. (TCO 6) The Cisco IOS firewall crypto isakmp policy mode command that will set the isakmp security association lifetime is _____. (Points : 3)
lifetime {days}
lifetime {seconds}
set lifetime {days}
set lifetime {seconds}
Question 4. (TCO 6) _____ encryption algorithms use one key to encrypt the data and another key to decrypt the data between the sender and recipient. (Points : 3)
Symmetric
Asymmetric
Balanced
Bidirectional
Question 5. (TCO 6) The _____ encryption algorithm uses a key size of 168 bits. (Points : 3)
DES
3DES
AES
WEP
Question 6. (TCO 6) Which of the following encryption algorithms is considered the most secure? (Points : 3)
DES
3DES
AES
WEP
Question 7. (TCO 6) Which of the following commands will delete all of the IOS firewall router’s RSA keys? (Points : 3)
crypto key remove rsa
crypto key delete rsa
crypto key zeroize rsa
crypto key remove rsa all
Question 8. (TCO 6) What is the size of the keys in a DES algorithm? (Points : 3)
32 bits
96 bits
112 bits
56 bits
Week 7
Question 1. (TCO 7) The type of IDS signature that triggers on a multiple packet stream is called _____. (Points : 3)
atomic
dynamic
cyclical
compound or composite
Question 2. (TCO 7) Which device responds immediately and does not allow malicious traffic to pass? (Points : 3)
Intrusion detection system (IDS)
Intrusion prevention system (IPS)
All of the above
Neither of the above
Question 3. (TCO 7) An IPS sensor that receives a copy of data for analysis while the original data continues toward the destination is running in _____ mode. (Points : 3)
passive
active
promiscuous
inline
Question 4. (TCO 7) Most IOS commands used to configure an intrusion prevention system (IPS) begin with the prefix _____. (Points : 3)
ids ips
ips ip
ip ips
ios ips
Question 5. (TCO 7) Which is an IDS or IPS signature? (Points : 3)
A message digest encrypted with the sender’s private key
A set of rules used to detect typical intrusive activity
A binary pattern specific to a virus
An appliance that provides anti-intrusion services
Question 6. (TCO 7) Which of the following ip actions will drop the packet and all future packets from this TCP flow? (Points : 3)
Deny attacker inline
Deny connection inline
Deny ip host inline
Deny packet inline
Question 7. (TCO 7) Which of the following are signature types that IOS firewall IDS can detect as requiring the storage of state information? (Points : 3)
Atomic
Dynamic
Cyclical
Compound (composite)
Question 8. (TCO 7) Why is a network using IDS only more vulnerable to atomic attacks? (Points : 3)
IDS must track three-way handshakes of established TCP connections.
IDS cannot track UDP sessions.
IDS permits malicious single packets into a network.
IDS is not stateful and therefore cannot track multiple-packet attack streams.
NETW 450 Final Answers
Question 1. (TCO 1) The component of network security that ensures that authorized users have access to data and network resources is _____. (Points : 6)
data integrity
data confidentiality
data and system availability
data and user authentication
Question 2. (TCO 1) The type of security control that makes use of firewalls is called _____. (Points : 6)
administrative
physical
technical
clerical
Question 3. (TCO 2) To configure a role-based CLI on a Cisco router, the first command to enter in privileged mode is _____. (Points : 6)
parser view
view enable
enable view
config view
super view
Question 4. (TCO 2) The show running-config output can be modified using all of the following pipes except for _____. (Points : 6)
| begin
| end
| include
| exclude
Question 5. (TCO 3) Which of the following is the default number of MAC addresses allowed when you execute the switchport port-security command on a switch port? (Points : 6)
Zero
One
Two
Three
Question 6. (TCO 3) Which switch feature causes a port to skip the listening and learning states, causing the port to enter the forwarding state very quickly? (Points : 6)
fastport
portfast
enablefast
portforward
Question 7. (TCO 4) With zone-based firewalls, which of the following is used to specify actions to be taken when traffic matches a criterion? (Points : 6)
Zones
Class maps
Policy maps
Zone pairs
Question 8. (TCO 4) Which type of access list uses rules placed on the interface where allowed traffic initiates and permits return traffic for TCP, UDP, SMTP, and other protocols? (Points : 6)
Established
Lock and key
Reflexive
CBAC
Question 9. (TCO 5) Which AAA server protocol offers support for ARAP and NETBEUI protocols as well as IP? (Points : 6)
CSACS
RADIUS
OpenACS
TACACS+
Question 10. (TCO 5) Which of the following is not considered a component of AAA? (Points : 6)
Authentication
Authorization
Accounting
Administration
Question 11. (TCO 6) The Cisco IOS command that will display all current IKE security associations (SAs) is _____. (Points : 6)
show crypto ipsec
show crypto isakmp
show crypto ipsec sa
show crypto isakmp sa
show crypto ike sa
Question 12. (TCO 6) The Cisco IOS firewall crypto isakmp policy mode command that will set the isakmp security association lifetime is _____. (Points : 6)
lifetime {days}
lifetime {seconds}
set lifetime {days}
set lifetime {seconds}
Question 13. (TCO 7) Cisco routers implementing IPS can save IPS events in a Syslog server by executing which of the following commands? (Points : 6)
ip ips log {IP Address}
ip ips notify syslog
ip ips notify log
ip ips notify sdee
Question 14. (TCO 7) Which of the following is not an action that can be performed by the IOS firewall IDS router when a packet or packet stream matches a signature? (Points : 6)
Drop the packet immediately.
Send an alarm to the Cisco IOS designated Syslog server.
Set the packet reset flag and forward the packet through.
Block all future data from the source of the attack for a specified time.
Question 15. (TCO 1) Explain how to mitigate a Smurf attack. (Points : 24)
Question 16. (TCO 2) Type the global configuration mode and line configuration mode commands that are required to secure the VTY lines 0 through 15 to use the local username admin with the encrypted password adminpass for remote Telnet or SSH log-ins to the Cisco router. (Points : 24)
Question 17. (TCO 3) What are at least two best practices that should be implemented for unused ports on a Layer 2 switch for switch security? (Points : 24)
Question 18. (TCO 4) Given the commands shown below and assuming F0/0 is the inside interface of the network, explain what this ACL does.
access-list 100 permit tcp any any eq 80 time-range MWF
time-range MWF
 periodic Monday Wednesday Friday 8:00 to 17:00
time-range absolute start 00:00 30 Sept 2014 end 01:00 30 Sept 2014
int f0/0
 ip access-group 100 in
Correct Answer: (Points : 24)
Question 19. (TCO 5) Type two global configuration mode commands that enable AAA authentication and configure a default log-in method list. Use a TACACS+ server first, then a local username and password, and finally the enable password. (Points : 24)
Question 20. (TCO 6) Discuss the data encryption algorithms DES and 3DES. Discuss the key lengths, and rank the algorithms in order of best security. (Points : 24)
Question 21. (TCO 7) Explain the two benefits of Cisco IPS version 5.x signature format over the Cisco IPS version 4.x signature format. (Points : 22)