Apply the ACL to the vty lines without the in or out option required when applying ACLs to interfaces.
The ACL is applied to the Telnet port with the ip access-group command.
The ACL must be applied to each vty line individually.
The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
FW(config)# interface g0/1 FW(config-if)# ip inspect OUTBOUND in FW(config-if)# ip access-group INSIDE out
FW(config)# interface g0/1 FW(config-if)# ip inspect OUTBOUND in FW(config-if)# ip access-group INSIDE in
FW(config)# interface g0/0 FW(config-if)# ip inspect OUTBOUND in FW(config-if)# ip access-group INSIDE in
FW(config)# interface g0/0 FW(config-if)# ip inspect INSIDE in FW(config-if)# ip access-group OUTBOUND in
SSL VPNs provide support for more applications.
SSL VPNs do not require any pre-installed client software.
SSL VPNs provide superior authentication.
SSL VPNs provide stronger encryption as a remote-access solution.
Network IPS is operating system-dependent and must be customized for each platform.
Network IPS is incapable of examining encrypted traffic.
Network IPS is unable to provide a clear indication of the extent to which the network is being attacked.
Network IPS sensors are difficult to deploy when new networks are added.
Network IPS has a difficult time reconstructing fragmented traffic to determine if an attack was successful.
To have stronger encryption options
To support secure access for users on a multitude of devices
To have stronger authentication options
To provide stronger overall security
Cisco VPN client mode
Full client mode
Thin client mode
It sets an access class ACL on VTY lines.
It enables TCP intercepts.
It provides an option for configuring SNMPv3 on all routers.
It enables the Secure Copy Protocol (SCP).
It supports AAA configuration.
An IDS uses signature-based technology to detect malicious packets, whereas an IPS uses profile-based technology.
An IDS would allow malicious traffic to pass before it is addressed, whereas an IPS stops it immediately.
An IDS can negatively impact the packet flow, whereas an IPS cannot.
An IDS needs to be deployed together with a firewall device, whereas an IPS can replace a firewall.
Use ISL encapsulation on all trunk links.
Disable STP on all nontrunk ports.
Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.
Use VLAN 1 as the native VLAN on trunk ports.
A packet-filtering firewall typically can filter up to the transport layer, whereas a stateful firewall can filter up to the session layer.
Both stateful and packet-filtering firewalls can filter at the application layer.
A packet-filtering firewall uses session layer information to track the state of a connection, whereas a stateful firewall uses application layer information to track the state of a connection.
A stateful firewall can filter application layer information, whereas a packet-filtering firewall cannot filter beyond the network layer.
aaa new-model global configuration command
Changes to the configuration register
Ability to access ROMMON
Password encryption service
permit ipv6 any any fragments
permit icmp any any nd-ns
permit icmp any any echo-reply
permit icmp any any nd-na
permit tcp any any ack
permit ipv6 any any routing
ESA provides isolation between processes.
It obtains real-time updates from the Cisco SIO.
It uses the network infrastructure to enforce security policy compliance.
It combines advanced threat defense and secure mobility for email.
The Telnet connection between RouterA and RouterB is not working correctly.
The enable password and the Telnet password need to be the same.
The password cisco123 is wrong.
The administrator does not have enough rights on the PC that is being used.
The root user must be assigned to each privilege level that is defined.
It is required that all 16 privilege levels be defined, whether they are used or not.
Views are required to define the CLI commands that each user can access.
There is no access control to specific interfaces on a router.
Creating a user account that needs access to most but not all commands can be a tedious process.
Commands set on a higher privilege level are not available for lower privilege users.
The data is divided into three blocks of equal length for encryption.
The data is encrypted using a key length that is three times longer than the key used for DES.
The data is encrypted three times with three different keys.
The data is encrypted, decrypted, and encrypted using three different keys.
Storm control with the trap option
PortFast with BPDU guard enabled
Port security with the shutdown violation mode
Router management interfaces must be manually assigned to the self zone.
A router interface can belong to multiple zones.
The pass action works in only one direction.
Service policies are applied in interface configuration mode.
Not broadcasting the SSID
Not allowing personal wireless devices
Using an authentication server
Support for SSL VPNs
Support for more concurrent user sessions
Support for IPsec VPNs
Support for AAA external authentication
Operation and maintenance
Acquisition and development
To deny inbound IPv6 and SSH traffic unless it originates from within the organization
To allow inbound traffic from only designated sources
To allow SSH connections initiated from the Internet to enter the network
To deny all inbound traffic and log TCP and UDP transmissions
Implement a strong password policy.
Deploy antisniffer software.
Include a firewall and IPS in the network security design.
Design the network by using the principle of minimum trust.
What is the cost versus benefit analysis of implementing various security technologies?
What are the reliable, well-understood, and recommended security practices that similar organizations currently employ?
What are the current procedures for incident response, monitoring, maintenance, and auditing of the system for compliance?
What are the most likely types of threats given the purpose of the organization?
The state of packets related to the attack
The total number of packets in the attack
The network bandwidth consumed by all packets
The attacking period used by the attacker
Client-based IPsec VPN using AnyConnect
Client-based IPsec VPN using Cisco VPN Client
Clientless SSL VPN
Site-to-site IPsec VPN
Client-based SSL VPN using AnyConnect
Clientless IPsec VPN
R1# crypto isakmp key ciscopass address 184.108.40.206 R2# crypto isakmp key secure address 220.127.116.11
R1# crypto isakmp key ciscopass address 18.104.22.168 R2# crypto isakmp key ciscopass address 22.214.171.124
R1# crypto isakmp key ciscopass hostname R1 R2# crypto isakmp key ciscopass hostname R2
R1# crypto isakmp key ciscopass address 126.96.36.199 R2# crypto isakmp key ciscopass address 188.8.131.52
To identify peripheral configurations
To determine potential vulnerabilities
To disable used ports and services
To identify operating systems
To identify active services
Honeypot-based detection
It requires Cisco routers to act as remote VPN clients.
It enables complete access to the corporate network over an SSL VPN tunnel.
It enables an ASA firewall to act as the VPN head-end device in remote-access VPNs.
It requires remote access to the corporate network via a web browser and SSL.
Cisco Easy VPN Server enables VPN client remote access to a company intranet through creation of secure IPsec tunnels.
ASA ACLs use the subnet mask in defining a network, whereas IOS ACLs use the wildcard mask.
ASA ACLs do not have an implicit deny all at the end, whereas IOS ACLs do.
ASA ACLs use forward and drop ACEs, whereas IOS ACLs use permit and deny ACEs.
Multiple ASA ACLs can be applied on an interface in the ingress direction, whereas only one IOS ACL can be applied.
ASA ACLs are always named, whereas IOS ACLs can be named or numbered.
This is a notification message for a normal but significant condition.
This is an alert message for which immediate action is needed.
This is an error message that indicates the system is unusable.
This is an error message for which warning conditions exist.
Information preservation policy
Operations and maintenance document
Security initiation document
The thin client mode functions without requiring any downloads or software.
It supports all client/server applications.
It is compatible with DMVPNs, Cisco IOS Firewall, IPsec, IPS, Cisco Easy VPN, and NAT.
It has the option of only requiring an SSL-enabled web browser.
It supports the same level of cryptographic security as an IPsec VPN.
Worms are not detected by antivirus programs.
Worms run within a host program.
Worms are more network-based than viruses are.
Worms directly attack the network devices.
It should be as explicit as possible to avoid misunderstanding.
It should specify who is authorized to access network resources.
It should identify how remote users will access the network.
It should identify what network applications and usages are acceptable.
It should enforce minimum password requirements for users.
It should be vague to allow maximum user flexibility.
Change the tunnel IP address to 184.108.40.206.
Change the tunnel destination to 192.168.5.1.
Change the tunnel IP address to 192.168.3.1.
Change the tunnel source interface to Fa0/0.
Change the tunnel destination to 220.127.116.11.
Multiple DNS servers with fault tolerance
Distributed DHCP servers
A syslog server for each IPS sensor
A centralized NTP server
A copy of the router configuration file has been made.
The Cisco IOS image file is hidden and cannot be copied, modified, or deleted.
The Cisco IOS image filename will be listed when the show flash command is issued on R1.
A copy of the Cisco IOS image file has been made.
The secure boot-config command was issued on R1.
The copy tftp flash command was issued on R1.
The ASA console will display an error message.
The ASA will not allow traffic in either direction between the Inside interface and the DMZ.
The ASA allows traffic from the Inside to the DMZ, but blocks traffic initiated on the DMZ to the Inside interface.
The ASA allows inbound traffic initiated on the Internet to the DMZ, but not to the Inside interface.
The classic firewall will perform the same inspection on all traffic that goes through a specific interface.
The classic firewall can only have one policy that affects any given traffic.
The classic firewall security posture is to block unless explicitly allowed.
The classic firewall is limited to two interfaces.
The classic firewall relies heavily on ACLs.
Digitally signed private key
Digitally signed public key
It provides a secure tunnel for returning traffic.
A reflexive ACL provides a lock-and-key function.
It allows incoming packets only after the 3-way handshake is completed.
It provides more detailed filter criteria to match an incoming packet before the packet is allowed through.
To assess and enforce security policy compliance in the NAC environment
To perform deep inspection of device security profiles
To provide post-connection monitoring of all endpoint devices
To define role-based user access and endpoint security policies
It allows users on the 10.5.0.0/24 network access via HTTPS to remote devices on the 10.7.150.0/28, 10.7.151.0/28, 10.7.160.0/28, and 10.7.161.0/28 networks.
It allows devices on the 10.7.150.0/28, 10.7.151.0/28, 10.7.160.0/28, 10.7.161.0/28 networks to receive TCP-based broadcasts.
It allows any TCP traffic with port 443 from the 10.7.150.0/28, 10.7.151.0/28, 10.7.160.0/28, and 10.7.161.0/28 networks access to the 10.5.0.0/24 network.
It allows devices on the 10.5.0.0/24 network to have telnet and web access to the 10.7.150.0/28, 10.7.151.0/28, 10.7.160.0/28, and 10.7.161.0/28 networks.
A recovery phase
An emergency response phase
A quarantine or containment phase
A return to normal operation phase
A reaction phase
An initiation phase
It is the action to take on the traffic from the 10.10.10.0/24 network.
It specifies the named class-map to apply to the traffic_going policy.
It dictates to the firewall to track all outgoing sessions no matter the source in order to determine whether a return packet is allowed.
It is the command used to apply a rate limit to a specific class of traffic.
An IP address should be configured on the Ethernet 0/0 and 0/1 interfaces.
The no shutdown command should be entered on interface Ethernet 0/1.
The security level of the inside interface should be 0 and the outside interface should be 100.
VLAN 1 should be the outside interface and VLAN 2 should be the inside interface.
VLAN 1 should be assigned to interface Ethernet 0/0 and VLAN 2 to Ethernet 0/1.
ADSL Connection wizard
High Availability and Scalability wizard
Security Audit wizard
Easy VPN solution
IPsec VPN solution
802.1X-Based Infrastructure solution
NAC Appliance-Based Overlay solution
Firewall and IDS integrated solution
privilege exec level
The switch port mode for this interface is access mode.
The port is configured as a trunk link.
Three security violations have been detected on this interface.
This port is currently up.
Security violations will cause this port to shut down immediately.
There is no device currently connected to this port.
Authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet with either the DES, 3DES or AES algorithms
Authenticates a packet by using the SHA algorithm only
Authenticates a packet by using either the HMAC with MD5 method or the SHA method
Authenticates a packet by a string match of the username or community string
Range 192.168.1.10 192.168.1.20
Host 192.168.1.4 and range 192.168.1.10 192.168.1.20
Host 192.168.1.3 and host 192.168.1.4
Host 192.168.1.3, host 192.168.1.4, and range 192.168.1.10 192.168.1.20
IPsec is supported.
CCP applies the read-only quality to manually created access rules so that accidental modification cannot be made.
CCP automatically applies a rule to the interface or zone most appropriate.
Traffic rules do not have to be configured when CCP is being used.
CCP provides default rules.
The enable secret password could be used in the next login attempt.
The authentication process stops.
The enable secret password and a random username could be used in the next login attempt.
The username and password of the local user database could be used in the next login attempt.
debug aaa accounting
debug aaa authorization
debug aaa authentication
debug aaa protocol
The dhcpd auto-config outside command was issued to enable the DHCP client.
The dhcpd enable inside command was issued to enable the DHCP server.
The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP client.
The dhcpd auto-config outside command was issued to enable the DHCP server.
The dhcpd enable inside command was issued to enable the DHCP client.
The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP server.
Generic ACL entries should be placed at the top of the ACL.
A maximum of three IP access lists can be assigned to an interface per direction (in or out).
An access list applied to any interface without a configured ACL allows all traffic to pass.
Router-generated packets pass through ACLs on the router without filtering.
More specific ACL entries should be placed at the top of the ACL.
ACLs always search for the most specific entry before taking any filtering action.
The use of a telephony system to send unsolicited and unwanted bulk messages
The use of a telephony system to make unauthorized long distance calls
The use of a telephony system to get information, such as account details, directly from users
The use of a telephony system to illegally intercept voice packets in order to listen in on a call
Use Forced Authorization Codes.
Implement separate voice VLANs.
Configure IP phones to use only signed firmware files.
Create ACLs to allow only VoIP protocols.
Global Trust Center
A – DMZ, B – Inside, C – Outside
A – DMZ, B – Outside, C – Inside
A – Inside, B – DMZ, C – Outside
A – Outside, B – Inside, C – DMZ
By specific user assignment
By unknown user policy
By administrator privilege
By user priority
Clientless SSL VPN using the Cisco AnyConnect Client
SSL or IPsec (IKEv2) VPN using the Cisco AnyConnect Client
IPsec (IKEv1) VPN using a web browser
SSL or IPsec (IKEv2) VPN using the Cisco VPN Client
Clientless SSL VPN using a web browser
IPsec (IKEv1) VPN using the Cisco VPN Client
Utilizing a reference monitor
Access control to resources
Data is compromised.
Server CPUs become overloaded.
Configurations can be changed or lost.
End devices become infected.
Control Plane Protection
IP Source Guard
Control Plane Policing