350-018 : CCIE Pre-Qualification Test for Security

QUESTION 31 What is the consequence that one can expect when an IPSec authentication header (AH) is used in conjunction with NAT on the same IPSec endpoint?

A. NAT has no impact on the authentication header.

B. IPSec communication will fail due to AH creating a hash on the entire IP packet before NAT.

C. Only IKE will fail due to AH using only IKE negotiation.

D. AH is not a factor when used in conjunction with NAT, unless Triple DES is included in the transform set.

Answer: B

Explanation: AH runs the entire IP packet, including invariant header fields such as the source and destination IP addresses, through a message digest algorithm to produce a keyed hash. The recipient uses this hash to authenticate the packet: if any covered field of the original IP packet has been modified in transit, authentication fails and the recipient discards the packet. AH is intended to prevent unauthorized modification, source spoofing, and man-in-the-middle attacks. But NAT, by definition, modifies IP packets (it rewrites the addresses that AH has hashed). Therefore, AH + NAT simply cannot work.

QUESTION 32 Which of the following statements regarding Routing Information Protocol (RIP) is valid?

A. RIP runs on TCP port 520.

B. RIP runs directly on top of IP with the protocol ID 89.

C. RIP runs on UDP port 520.

D. RIP does not run on top of IP.

Answer: C

QUESTION 33 A Cisco Highway security System Administrator is reviewing the network system log files. He notes the following: What should he assume has happened and what should he do about the situation?

A. He should contact the attacker's ISP as soon as possible and have the connection disconnected.

B. He should log the event as suspicious activity, continue to investigate, and take further steps according to site security policy.

C. He should log the file size, and archive the information, because the router crashed.

D. He should run a file system check, because the Syslog server has a self correcting file system problem.

E. He should disconnect from the Internet to discontinue any further unauthorized use, because an attack has taken place.

Answer: B

Explanation: This question is much like one from vconsole (see reference): "You should never assume a host has been compromised without verification. Typically, disconnecting a server is an extreme measure and should only be done when it is confirmed there is a compromise or the server contains such sensitive data that the loss of service outweighs the risk. Never assume that any administrator or automatic process is making changes to a system. Always investigate the root cause of the change on the system and follow your organization's security policy." Reference: Cisco Certified Internetwork Expert Security Exam v1.7 / Vconsole update questions by John Kaberna; see ccbootcamp.com.

QUESTION 34 Which of the following statements regarding Certificate Revocation List (CRL) is valid when using PKI?

A. The CRL resides on the CA server and is built by querying the router or PIX to determine which clients' certificate status in the past.

B. The CRL is used to check presented certificates to determine if they are revoked.

C. A router or PIX will not require that the other end of the IPSec tunnel have a certificate if the crl optional command is in place.

D. The router's CRL includes a list of clients that have presented invalid certificates to the router in the past.

Answer: B

Explanation: "A router or PIX will not require that the other end of the IPSec tunnel have a certificate if the crl optional command is in place" -- THIS SEEMS A REASONABLE ANSWER, BUT HERE IS WHY I DISCOUNT IT -- "will not require that the other end of the IPSec tunnel have a certificate": the PIX allows the certificate even if the CA DOES NOT RESPOND. I have not seen it stated that it will allow NO certificate. To allow other peers' certificates to still be accepted by your router even if the appropriate Certificate Revocation List (CRL) is not accessible to your router, use the crl optional configuration command. If the PIX Firewall does not receive a certificate from the CA within 1 minute (default) of sending a certificate request, it will resend the certificate request. The PIX Firewall will continue sending a certificate request every 1 minute until a certificate is received or until 20 requests have been sent. With the keyword crl optional included within the command statement, other peers' certificates can still be accepted by your PIX Firewall even if the CRL is not accessible to your PIX Firewall.

QUESTION 35 Which of the following responses will an experienced Security Manager disapprove of when a remote user tries to log in to a secure network using Telnet, but accidentally types in an invalid username or password? (Choose all that apply.)

A. Authentication Failure

B. Logon Attempt Failed

C. Invalid Username

D. Invalid Password

E. Access Denied

Answer: C, D

Explanation: I think there are only two answers for this question. "Authentication Failure" and "Logon Attempt Failed" do reveal some information, in that both are messages that a login has failed. The BEST is Access Denied; Invalid Username and Invalid Password are CLEARLY WRONG.

QUESTION 36 Some packet filtering implementations block Java by finding the magic number 0xCAFEBABE at the beginning of documents returned via HTTP. The newly appointed Cisco Highway trainee technician wants to know how this Java filter can be circumvented. What will your reply be?

A. By using FTP to download using a web browser.

B. By using Gopher.

C. By using Java applets in zipped or tarred archives.

D. By using non-standard ports to enable HTTP downloads.

E. All of the above.

Answer: E

Explanation: NOT SURE ABOUT THIS ANSWER, BUT THE NON-STANDARD PORT AND ZIPPED/TARRED ANSWERS ARE CORRECT. Java blocking can be configured to filter or completely deny access to Java applets that are not embedded in an archive or compressed file. Java applets may be downloaded when you permit access to port 80 (http), so the non-standard port answer seems logical (Cisco Secure PIX Firewall Advanced 2.0, 9-16). Applets that are transmitted as embedded archives are not recognized and therefore cannot be blocked (CCIE Professional Development: Network Security Principles and Practices by Saadat Malik, p. 203; also see Cisco Certified Internetwork Expert Security Exam v1.7 by John Kaberna, p. 404).

QUESTION 37 What is the term used to describe an attack that falsifies a broadcast ICMP echo request and includes a primary and secondary victim?

A. Fraggle Attack

B. Man in the Middle Attack

C. Trojan Horse Attack

D. Smurf Attack

E. Back Orifice Attack

Answer: D

Explanation: Trojan Horse and Back Orifice are Trojan horse attacks. A man-in-the-middle attack spoofs the IP address and redirects the victim's packets to the cracker. The infamous Smurf attack preys on ICMP's capability to send traffic to the broadcast address: many hosts can listen and respond to a single ICMP echo request sent to a broadcast address (Network Intrusion Detection, Third Edition, by Stephen Northcutt and Judy Novak, p. 70). The Smurf attack's cousin is called "Fraggle", which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple rewrite of "smurf".

QUESTION 38 User_A and User_B are logged into Windows NT Workstation Host_A and Host_B respectively. All users are logged in to the domain "CORP". All users run a logon script with the following line: "net use D: \\CORPSVR\data"

- User_A and User_B are both members of the local group "USERS".
- Local group "USERS" is included in global group "DOMAIN USERS".
- All users, hosts, and groups are in the domain "CORP".
- The directory \\CORPSVR\data has the share permission for local group "USERS" set to "No Access".
- The Microsoft Word document \\CORPSVR\data\word.doc has file permissions for local group "USERS" set to "Full Control".
- The Microsoft Word document \\CORPSVR\data\word.doc is owned by User_B.

What would you expect to happen when User_A attempts to edit D:\word.doc given this scenario on a Windows NT 4.0 network?

A. Insufficient information. Permissions on Microsoft Word are set within the application and are not subject to file and share level permissions.

B. Local groups cannot be placed into global groups. The situation could not exist.

C. Access would be denied. Only the owner of a file can edit a document.

D. Access would be denied. "No Access" overrides all other permissions unless the file is owned by the user.

E. User_A has full control and can edit the document successfully.

Answer: B

Explanation: Based on the names of the groups, you might think that you add local groups to global groups. This is not the case: you assign users or global groups to local groups to grant access to local resources.

QUESTION 39 Which of the following is an invalid Cisco Secure Intrusion Detection System function?

A. Cisco Secure Intrusion Detection System sets off an alarm when certain user-configurable strings are matched.

B. Cisco Secure Intrusion Detection System sends e-mail messages at particular alarm levels via event.

C. Cisco Secure Intrusion Detection System performs a trace route to the intruding system.

D. Cisco Secure Intrusion Detection System sends a TCP reset to the intruder when operating in packet sniffing mode.

Answer: C

Explanation: Cisco Secure IDS does not perform a trace route to the intruding system.

QUESTION 40 The newly appointed Cisco Highway trainee technician wants to know where Kerberos is mainly used. What will your reply be?

A. Session-layer protocols, for data integrity and checksum verification.

B. Application-layer protocols, like Telnet and FTP.

C. Presentation-layer protocols, as the implicit authentication system for data stream or RPC.

D. Transport and Network-layer protocols, for host to host security in IP, UDP, or TCP.

E. Data link-layer protocols, for cryptography between bridges and routers.

Answer: B

Explanation: Kerberos is an application-layer protocol. Ports: 88 (UDP); 464 (TCP, UDP) for change/set password.
