QUESTION 11
John, the security administrator at Cisco Highway, is working on mitigating DoS in the network. How are DoS attacks mitigated in the SAFE SMR small network corporate Internet module? (Choose two)
A. Mitigated by CAR at the ISP edge.
B. Mitigated by NIDS.
C. Mitigated by TCP setup controls at the firewall to limit exposure.
D. Mitigated by HIDS on the public servers.
E. Mitigated by virus scanning at the host level.
Answer: A C
Explanation: Threat Mitigation. Denial of service: committed access rate (CAR) at the ISP edge and TCP setup controls at the firewall to limit exposure.
Reference: Page 11, SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

QUESTION 12
James, the security administrator, is working on cryptographic authentication. What is the earliest version of NTP that supports a cryptographic authentication mechanism between peers?
A. The earliest version is 5
B. The earliest version is 4
C. The earliest version is 3
D. The earliest version is 2
E. The earliest version is 1
Answer: C
Explanation: Version 3 and above of NTP support a cryptographic authentication mechanism between peers.
Reference: SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

QUESTION 13
James, the security administrator at Cisco Highway Inc., is working on establishing VPNs. If split tunneling is disabled, how do remote users access the Internet when they have a VPN tunnel established in the software access option in the SAFE SMR remote user design environment?
A. The remote users' access to the Internet is not allowed.
B. The remote access to the Internet is provided via the corporate connection.
C. The remote user must disable the VPN tunnel to access the Internet.
D. The remote access to the Internet is provided via the ISP connection.
Answer: B
Explanation: Split tunneling can also be enabled or disabled via the central site. For the SAFE design, split tunneling was disabled, making it necessary for all remote users to access the Internet via the corporate connection when they have a VPN tunnel established.
Reference: Page 28, SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

QUESTION 14
You are the network security administrator for the German company Cisco Highway Inc. Cisco Highway Inc. has recently acquired Acme, a small company in another country in Europe, and wants you to start creating a VPN tunnel over the Internet from the outside interface of Cisco Highway's corporate PIX Firewall to the outside interface of Acme's branch office router using pre-shared keys. IKE has already been enabled on both devices. First configure the pre-shared key on each device and then configure the IKE parameters on each device. Use the following values as necessary:

Parameter: Value
Policy priority number: 20
Encryption algorithm: 3des
Hash algorithm: md5
Authentication method: pre-share
Diffie-Hellman group ID: 2
SA lifetime: 83000
Pre-shared key: myCisco Highway
Transform set name: Cisco Highwayset
ISAKMP identity type: IP address
PIX Firewall outside interface address: 192.168.1.2
Branch office outside interface: 172.26.26.101
Crypto map name: Cisco Highwaymap
Netmask: 255.255.255.0

IPSec parameters are not configured, should not be configured, and consequently the tunnel will not be established. The router and PIX have been configured with the following specifications:

Acme Branch Office Router
Name: Cisco Highway2
E0/0: 10.2.1.1/24
E0/1: 172.26.26.101/24
Enable password: Cisco Highway

Corporate Office PIX
Name: Cisco Highway1
E0: 192.168.1.2/24
E1: 10.0.1.1/24
Enable password: Cisco Highway

Click on the picture of the host connected to a router by a serial console cable.
Answer:
Router Configuration (IOS; the ISAKMP policy is created in global configuration mode and its parameters are entered in ISAKMP policy configuration mode; the key is configured in global configuration mode and points at the PIX outside address 192.168.1.2 from the parameter table):
    Acme(config)# crypto isakmp enable
    Acme(config)# crypto isakmp policy 20
    Acme(config-isakmp)# encryption 3des
    Acme(config-isakmp)# hash md5
    Acme(config-isakmp)# authentication pre-share
    Acme(config-isakmp)# group 2
    Acme(config-isakmp)# lifetime 83000
    Acme(config-isakmp)# exit
    Acme(config)# crypto isakmp key myCisco Highway address 192.168.1.2
Ref: Configuring Internet Key Exchange Security Protocol
PIX Firewall Configuration (the PIX key entry points at the branch office router outside address 172.26.26.101 with the given netmask):
    Cisco Highway1(config)# isakmp enable outside
    Cisco Highway1(config)# isakmp key myCisco Highway address 172.26.26.101 netmask 255.255.255.0
    Cisco Highway1(config)# isakmp policy 20 authentication pre-share
    Cisco Highway1(config)# isakmp policy 20 encryption 3des
    Cisco Highway1(config)# isakmp policy 20 hash md5
    Cisco Highway1(config)# isakmp policy 20 group 2
    Cisco Highway1(config)# isakmp policy 20 lifetime 83000
Ref: Configuring IPSec - Router to PIX

QUESTION 15
The security team at Cisco Highway Inc. is working on mitigating attacks on the network. Which are attack mitigation roles for the software access option in the SAFE SMR remote user network environment?
A. Mitigating attacks by using host DoS mitigation
B. Mitigating attacks by using terminate IPSec
C. Mitigating attacks by using stateful packet filtering
D. Mitigating attacks by using basic Layer 7 filtering
E. Mitigating attacks by using authenticate remote site
Answer: D E
Explanation: The software access option is geared toward the mobile worker as well as the home-office worker. All the remote user requires is a PC with VPN client software and connectivity to the Internet or ISP network via a dial-in or Ethernet connection. The primary function of the VPN software client is to establish a secure, encrypted tunnel from the client device to a VPN head-end device. Access and authorization to the network are controlled from the headquarters location, where filtering takes place on the firewall, and on the client itself if access rights are pushed down via policy. The remote user is first authenticated, and then receives IP parameters such as a virtual IP address, which is used for all VPN traffic, and the location of name servers (DNS and Windows Internet Name Service [WINS]). Split tunneling can also be enabled or disabled via the central site. For the SAFE design, split tunneling was disabled, making it necessary for all remote users to access the Internet via the corporate connection when they have a VPN tunnel established. Because the remote user may not always want the VPN tunnel established when connected to the Internet or ISP network, personal firewall software is recommended to mitigate against unauthorized access to the PC. Virus-scanning software is also recommended to mitigate against viruses and Trojan horse programs infecting the PC.
Reference: SAFE white papers, pages 27 and 28, SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

QUESTION 16
You are the administrator at Cisco Highway Inc. and you are implementing QoS. If you want QoS at the remote site, which option should be selected?
A. You should select the software access option
B. You should select the remote site router option
C. You should select the hardware VPN Client option
D. You should select the remote site firewall option
Answer: B
Explanation: Remote-Site Router Option. The remote-site router option is nearly identical to the remote-site firewall option with a few exceptions. When deployed behind a stand-alone broadband access device, the only difference is that the router can support advanced applications such as QoS, routing, and more encapsulation options. Additionally, if the broadband capability is integrated into the router, a stand-alone broadband access device is not needed. This option requires that your ISP allow you to manage the broadband router itself, an uncommon scenario.
Reference: Page 29, SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

QUESTION 17
The security team at Cisco Highway Inc. is working on mitigating attacks to the network. Which threats are expected in the SAFE SMR remote user network environment? (Choose two)
A. The expected threats are man-in-the-middle attacks
B. The expected threats are network reconnaissance
C. The expected threats are trust exploitation
D. The expected threats are port redirection attacks
Answer: A B
Explanation: Network reconnaissance: protocols filtered at the remote-site device to limit effectiveness. Man-in-the-middle attacks: mitigated through encrypted remote traffic.
Reference: SAFE white papers, page 26, SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

QUESTION 18
Johnny, the security administrator at Cisco Highway Inc., is working on connecting remote users to the network. How many options exist for remote user connectivity in the SAFE SMR remote user network?
A. 5
B. 4
C. 3
D. 2
E. 1
Answer: B
Explanation: Remote-User Design. This section discusses four different options for providing remote-user connectivity within the SAFE design. Remote connectivity applies to both mobile workers and home-office workers. The primary focus of these designs is providing connectivity from the remote site to the corporate headquarters and, through some means, the Internet. The following four options include software-only, software-with-hardware, and hardware-only solutions:
- Software access option: remote user with a software VPN client and personal firewall software on the PC.
- Remote-site firewall option: remote site is protected with a dedicated firewall that provides firewalling and IPSec VPN connectivity to corporate headquarters; WAN connectivity is provided via an ISP-provided broadband access device (i.e., DSL or cable modem).
- Hardware VPN client option: remote site using a dedicated hardware VPN client that provides IPSec VPN connectivity to corporate headquarters; WAN connectivity is provided via an ISP-provided broadband access device.
- Remote-site router option: remote site using a router that provides both firewalling and IPSec VPN connectivity to corporate headquarters. This router can either provide direct broadband access or go through an ISP-provided broadband access device.
Reference: SAFE white papers, page 25, SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

QUESTION 19
James, the security administrator at Cisco Highway Inc., is working on the crypto map function on the PIX Firewall. What is the function of a crypto map on a PIX Firewall?
A. The function of a crypto map is to specify which algorithms will be used with the selected security protocol.
B. The function of a crypto map is to define the policy that will be applied to the traffic.
C. The function of a crypto map is to configure a pre-shared authentication key and associate the key with an IPSec peer address or host name.
D. The function of a crypto map is to map transforms to transform sets.
Answer: B
Explanation: Crypto map entries for IPSec set up security association parameters, tying together the various parts configured for IPSec, including the following: the granularity of the traffic to be protected by a set of security associations.
Reference: Cisco Secure PIX Firewalls (Cisco Press), page 215

QUESTION 20
Kathy, the security administrator at Cisco Highway Inc., is now working on the crypto map function on the PIX Firewall. What is another function of a crypto map on a PIX Firewall?
A. The function of a crypto map is to configure a pre-shared authentication key and associate the key with an IKE peer address or host name.
B. The function of a crypto map is to configure a pre-shared authentication key and associate the key with an IPSec peer address or host name.
C. The function of a crypto map is to filter and classify the traffic to be protected.
D. The function of a crypto map is to specify which algorithms to use with the selected security protocol.
Answer: C
Explanation: Crypto map entries for IPSec set up security association parameters, tying together the various parts configured for IPSec, including the following: which traffic should be protected by IPSec.
Reference: Cisco Secure PIX Firewalls (Cisco Press), page 215