Ensurepass

 

QUESTION 91

Which two considerations about secure network management are important? (Choose two.)

 

A.	log tampering
B.	encryption algorithm strength
C.	accurate time stamping
D.	off-site storage
E.	Use RADIUS for router commands authorization.
F.	Do not use a loopback interface for device management access.

 

Correct Answer: AC

Explanation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/best/practices/recommend ations.html

 

Enable Timestamped Messages

Enable timestamps on log messages:

Router(config)# service timestamps log datetime localtime show-timezone msec

Enable timestamps on system debug messages:

Router(config)# service timestamps debug datetime localtime show-timezone msec

 

 

QUESTION 92

Which command enables Cisco IOS image resilience?

 

A.	secure boot-<IOS image filename>
B.	secure boot-running-config
C.	secure boot-start
D.	secure boot-image

 

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html

 

secure boot-config

To take a snapshot of the router running configuration and securely archive it in persistent storage, use the secure boot-config command in global configuration mode. To remove the secure configuration archive and disable configuration resilience, use the no form of this command.

 

secure boot-config [restore filename]

no secure boot-config

Usage Guidelines

 

Without any parameters, this command takes a snapshot of the router running configuration and securely archives it in persistent storage. Like the image, the configuration archive is hidden and cannot be viewed or removed directly from the command-line interface (CLI) prompt . It is recommended that you run this command after the router has been fully configured to reach a steady state of operation and the running configuration is considered complete for a restoration, if required. A syslog message is printed on the console notifying the user of configuration resilience activation. The secure archive uses the time of creation as its filename. For example, .runcfg- 20020616-081702.ar was created July 16 2002 at
8:17:02.

 

The restore option reproduces a copy of the secure configuration archive as the supplied filename (disk0:running-config, slot1:runcfg, and so on). The restore operation will work only if configuration resilience is enabled. The number of restored copies that can be created is unlimited.

 

The no form of this command removes the secure configuration archive and disables configuration resilience.

 

An enable, disable, enable sequence has the effect of upgrading the configuration archive if any changes were made to the running configuration since the last time the feature was disabled.

 

The configuration upgrade scenario is similar to an image upgrade. The feature detects a different version of Cisco IOS and notifies the user of a version mismatch. The same command can be run to upgrade the configuration archive to a newer version after new configuration commands corresponding to features in the new image have been issued.

 

The correct sequence of steps to upgrade the configuration archive after an image upgrade is as follows:

 

Configure new commands

Issue the secure boot-config command secure boot-image

 

To enable Cisco IOS image resilience, use the secure boot-image command in global configuration mode. To disable Cisco IOS image resilience and release the secured image so that it can be safely removed, use the no form of this command.

 

secure boot-image

no secure boot-image

Usage Guidelines

 

This command enables or disables the securing of the running Cisco IOS image. The following two possible scenarios exist with this command.

 

When turned on for the first time, the running image (as displayed in the show version command output) is secured, and a syslog entry is generated. This command will function properly only when the system is configured to run an image from a disk with an Advanced Technology Attachment (ATA) interface. Images booted from a TFTP server cannot be secured. Because this command has the effect of “hiding” the running image, the image file will not be included in any directory listing of the disk. The no form of this command releases the image so that it can be safely removed.

 

If the router is configured to boot up with Cisco IOS resilience and an image with a different version of Cisco IOS is detected, a message similar to the following is displayed at bootup:

ios resilience :Archived image and configuration version 12.2 differs from running version 12.3.

Run secure boot-config and image commands to upgrade archives to running version. To upgrade the image archive to the new running image, reenter this command from the console. A message will be displayed about the upgraded image. The old image is released and will be visible in the dir command output.

 

 

QUESTION 93

Which router management feature provides for the ability to configure multiple administrative views?

 

A.	role-based CLI
B.	virtual routing and forwarding
C.	secure config privilege {level}
D.	parser view view name

 

Correct Answer: A

Explanation:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

 

Role-Based CLI Access

The Role-Based CLI Access feature allows the network administrator to define “views,” which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.

 

 

QUESTION 94

Which syslog level is associated with LOG_WARNING?

 

A.	1
B.	2
C.	3
D.	4
E.	5
F.	6
G.	7
H.	0

 

Correct Answer: D

Explanation:

 

 

QUESTION 95

Which step is important to take when implementing secure network management?

 

A.	Implement in-band management whenever possible.
B.	Implement telnet for encrypted device management access.
C.	Implement SNMP with read/write access for troubleshooting purposes.
D.	Synchronize clocks on hosts and devices.
E.	Implement management plane protection using routing protocol authentication.

 

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a0080117070.shtml

 

Background Information

Network time synchronization, to the degree required for modern performance analysis, is an essential exercise. Depending on the business models, and the services being provided, the characterization of network performance can be considered an important competitive service differentiator. In these cases, great expense may be incurred deploying network management systems and directing engineering resources towards analyzing the collected performance data. However, if proper attention is not given to the often-overlooked principle of time synchronization, those efforts may be rendered useless.

 

 

QUESTION 96

Which statement is true when you have generated RSA keys on your Cisco router to prepare for secure device management?

 

A.	You must then zeroize the keys to reset secure shell before configuring other parameters.
B.	The SSH protocol is automatically enabled.
C.	You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command.
D.	All vty ports are automatically enabled for SSH to provide secure management.

 

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

Generate an RSA key pair for your router, which automatically enables SSH. carter(config)#crypto key generate rsa

Refer to crypto key generate rsa – Cisco IOS Security Command Reference, Release 12.3 for more information on the usage of this command.

 

 

QUESTION 97

Refer to the exhibit. You are a network manager for your organization. You are looking at your Syslog server reports. Based on the Syslog message shown, which two statements are true? (Choose two.)

 

 

A.	Service timestamps have been globally enabled.
B.	This is a normal system-generated information message and does not require further investigation.
C.	This message is unimportant and can be ignored.
D.	This message is a level 5 notification message.

 

Correct Answer: AD

Explanation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swlog.html

 

System Log Message Format

System log messages can contain up to 80 characters and a percent sign (%), which follows the optional sequence number or time-stamp information, if configured. Messages appear in this format:

seq no:timestamp: %facility-severity-MNEMONIC:description (hostname-n) The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command.

seq no:

Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured.

For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section.

timestamp formats:

mm/dd hh:mm:ss

or

hh:mm:ss (short uptime)

or

d h (long uptime)

Date and time of the message or event. This information appears only if the service timestamps log [datetime | log] global configuration command is configured.

For more information, see the “Enabling and Disabling Time Stamps on Log Messages” section.facility

The facility to which the message refers (for example, SNMP, SYS, and so forth). For a list of supported facilities, see Table 29-4.severity

Single-digit code from 0 to 7 that is the severity of the message. For a description of the severity levels, see Table 29-3.

MNEMONIC

Text string that uniquely describes the message.

description

Text string containing detailed information about the event being reported.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swlog.html

This example shows part of a logging display with the service timestamps log datetime global configuration command enabled:

*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) (Switch-2)

 

 

QUESTION 98

Refer to the exhibit. Which statement is correct based on the show login command output shown?

 

 

A.	When the router goes into quiet mode, any host is permitted to access the router via Telnet, SSH, and HTTP, since the quiet-mode access list has not been configured.
B.	The login block-for command is configured to block login hosts for 93 seconds.
C.	All logins from any sources are blocked for another 193 seconds.
D.	Three or more login requests have failed within the last 100 seconds.

 

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_login_enhance_ ps6922_TSD_Products_Configuration_Guide_Chapter.html

Showing login Parameters: Example

The following sample output from the show login command verifies that the router is in quiet mode. In this example, the login block-for command was configured to block login hosts for 100 seconds if 3 or more login requests fail within 100 seconds.

Router# show login

A default login delay of 1 seconds is applied.

No Quiet-Mode access list has been configured.

All successful login is logged and generate SNMP traps.

All failed login is logged and generate SNMP traps.

Router enabled to watch for login Attacks.

If more than 2 login failures occur in 100 seconds or less, logins will be disabled for 100 seconds. Router presently in Quiet-Mode, will remain in Quiet-Mode for 93 seconds, Denying logins from all sources.

 

 

QUESTION 99

Which two considerations about secure network monitoring are important? (Choose two.)

 

A.	log tampering
B.	encryption algorithm strength
C.	accurate time stamping
D.	off-site storage
E.	Use RADIUS for router commands authorization.
F.	Do not use a loopback interface for device management access.

 

Correct Answer: AC

Explanation:

A coordinated clock is important primarily to provide chronological, sequential, and coordinated logs. If clock sources are hijacked, events posted to logs can be out of sequence and not coordinated. The risks include:

The date of clock events could be modified so that they would not appear on daily/weekly reports.

The date could be modified back far enough so that events would be instantly purged at the logging server.

The dates on multiple devices could be modified so that causal events would not appear correlated in time.

The net result of such tampering would corrupt the logs, therefore crippling the forensic analysis of events.

Reference: http://www.cisco.com/web/about/security/intelligence/05_11_nsa-scty-compliance.html

 

 

QUESTION 100

You suspect that an attacker in your network has configured a rogue Layer 2 device to intercept traffic from multiple VLANs, which allows the attacker to capture potentially sensitive data. Which two methods will help to mitigate this type of activity? (Choose two.)

 

A.	Turn off all trunk ports and manually configure each VLAN as required on each port.
B.	Place unused active ports in an unused VLAN.
C.	Secure the native VLAN, VLAN 1, with encryption.
D.	Set the native VLAN on the trunk ports to an unused VLAN.
E.	Disable DTP on ports that require trunking.

 

Correct Answer: DE

Explanation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/layer2.html

 

Layer 2 LAN Port Modes

Table 17-2 lists the Layer 2 LAN port modes and describes how they function on LAN ports.

switchport mode access

Puts the LAN port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The LAN port becomes a nontrunk port even if the neighboring LAN port does not agree to the change.

 

switchport mode dynamic desirable

Makes the LAN port actively attempt to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk, desirable, or auto mode. This is the default mode for all LAN ports.

 

switchport mode dynamic auto

Makes the LAN port willing to convert the link to a trunk link. The LAN port becomes a trunk port if the
neighboring LAN port is set to trunk or desirable mode.

 

switchport mode trunk

Puts the LAN port into permanent trunking mode and negotiates to convert the link into a trunk link. The LAN port becomes a trunk port even if the neighboring port does not agree to the change.

 

switchport nonegotiate

Puts the LAN port into permanent trunking mode but prevents the port from generating DTP frames. You must configure the neighboring port manually as a trunk port to establish a trunk link.

 

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

 

Double Encapsulation Attack

When double-encapsulated 802.1Q packets are injected into the network from a device whose VLAN happens to be the native VLAN of a trunk, the VLAN identification of those packets cannot be preserved from end to end since the 802.1Q trunk would always modify the packets by stripping their outer tag. After the external tag is removed, the internal tag permanently becomes the packet’s only VLAN identifier. Therefore, by doubleencapsulating packets with two different tags, traffic can be made to hop across VLANs.

 

This scenario is to be considered a misconfiguration, since the 802.1Q standard does not necessarily force the users to use the native VLAN in these cases. As a matter of fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don’t use this VLAN for any other purpose.

 

Protocols like STP, DTP, and UDLD (check out [3]) should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets.

 

Free VCE & PDF File for Cisco 640-554 Real Exam

Instant Access to Free VCE Files: CCNA | CCNP | CCIE …
Instant Access to Free PDF Files: CCNA | CCNP | CCIE …