QUESTION 91
Which two considerations about secure network management are important? (Choose two.)
A. log tampering
B. encryption algorithm strength
C. accurate time stamping
D. off-site storage
E. Use RADIUS for router commands authorization.
F. Do not use a loopback interface for device management access.
Correct Answer: AC
Explanation:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/best/practices/recommendations.html
Enable Timestamped Messages
Enable timestamps on log messages:
Router(config)# service timestamps log datetime localtime show-timezone msec
Enable timestamps on system debug messages:
Router(config)# service timestamps debug datetime localtime show-timezone msec
QUESTION 92
Which command enables Cisco IOS image resilience?
A. secure boot-<IOS image filename>
B. secure boot-running-config
C. secure boot-start
D. secure boot-image
Correct Answer: D
Explanation:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html
secure boot-config
To take a snapshot of the router running configuration and securely archive it in persistent storage, use the secure boot-config command in global configuration mode. To remove the secure configuration archive and disable configuration resilience, use the no form of this command.
secure boot-config [restore filename]
no secure boot-config
Usage Guidelines
Without any parameters, this command takes a snapshot of the router running configuration and securely archives it in persistent storage. Like the image, the configuration archive is hidden and cannot be viewed or removed directly from the command-line interface (CLI) prompt. It is recommended that you run this command after the router has been fully configured to reach a steady state of operation and the running configuration is considered complete for a restoration, if required. A syslog message is printed on the console notifying the user of configuration resilience activation. The secure archive uses the time of creation as its filename. For example, .runcfg-20020616-081702.ar was created July 16 2002 at 8:17:02.
The restore option reproduces a copy of the secure configuration archive as the supplied filename (disk0:running-config, slot1:runcfg, and so on). The restore operation will work only if configuration resilience is enabled. The number of restored copies that can be created is unlimited.
The no form of this command removes the secure configuration archive and disables configuration resilience.
An enable, disable, enable sequence has the effect of upgrading the configuration archive if any changes were made to the running configuration since the last time the feature was disabled.
The configuration upgrade scenario is similar to an image upgrade. The feature detects a different version of Cisco IOS and notifies the user of a version mismatch. The same command can be run to upgrade the configuration archive to a newer version after new configuration commands corresponding to features in the new image have been issued.
The correct sequence of steps to upgrade the configuration archive after an image upgrade is as follows:
Issue the secure boot-config command
secure boot-image
To enable Cisco IOS image resilience, use the secure boot-image command in global configuration mode. To disable Cisco IOS image resilience and release the secured image so that it can be safely removed, use the no form of this command.
secure boot-image
no secure boot-image
Usage Guidelines
This command enables or disables the securing of the running Cisco IOS image. The following two possible scenarios exist with this command.
When turned on for the first time, the running image (as displayed in the show version command output) is secured, and a syslog entry is generated. This command will function properly only when the system is configured to run an image from a disk with an Advanced Technology Attachment (ATA) interface. Images booted from a TFTP server cannot be secured. Because this command has the effect of “hiding” the running image, the image file will not be included in any directory listing of the disk. The no form of this command releases the image so that it can be safely removed.
If the router is configured to boot up with Cisco IOS resilience and an image with a different version of Cisco IOS is detected, a message similar to the following is displayed at bootup:
ios resilience :Archived image and configuration version 12.2 differs from running version 12.3.
Run secure boot-config and image commands to upgrade archives to running version.
To upgrade the image archive to the new running image, reenter this command from the console. A message will be displayed about the upgraded image. The old image is released and will be visible in the dir command output.
QUESTION 93
Which router management feature provides for the ability to configure multiple administrative views?
A. role-based CLI
B. virtual routing and forwarding
C. secure config privilege {level}
D. parser view view name
Correct Answer: A
Explanation:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
Role-Based CLI Access
The Role-Based CLI Access feature allows the network administrator to define “views,” which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.
QUESTION 94
Which syslog level is associated with LOG_WARNING?
A. 1
B. 2
C. 3
D. 4
E. 5
F. 6
G. 7
H. 0
Correct Answer: D
Explanation:
QUESTION 95
Which step is important to take when implementing secure network management?
A. Implement in-band management whenever possible.
B. Implement telnet for encrypted device management access.
C. Implement SNMP with read/write access for troubleshooting purposes.
D. Synchronize clocks on hosts and devices.
E. Implement management plane protection using routing protocol authentication.
Correct Answer: D
Explanation:
http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a0080117070.shtml
Background Information
Network time synchronization, to the degree required for modern performance analysis, is an essential exercise. Depending on the business models, and the services being provided, the characterization of network performance can be considered an important competitive service differentiator. In these cases, great expense may be incurred deploying network management systems and directing engineering resources towards analyzing the collected performance data. However, if proper attention is not given to the often-overlooked principle of time synchronization, those efforts may be rendered useless.
QUESTION 96
Which statement is true when you have generated RSA keys on your Cisco router to prepare for secure device management?
A. You must then zeroize the keys to reset secure shell before configuring other parameters.
B. The SSH protocol is automatically enabled.
C. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command.
D. All vty ports are automatically enabled for SSH to provide secure management.
Correct Answer: B
Explanation:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
Generate an RSA key pair for your router, which automatically enables SSH.
carter(config)#crypto key generate rsa
Refer to crypto key generate rsa – Cisco IOS Security Command Reference, Release 12.3 for more information on the usage of this command.
QUESTION 97
Refer to the exhibit. You are a network manager for your organization. You are looking at your Syslog server reports. Based on the Syslog message shown, which two statements are true? (Choose two.)
A. Service timestamps have been globally enabled.
B. This is a normal system-generated information message and does not require further investigation.
C. This message is unimportant and can be ignored.
D. This message is a level 5 notification message.
Correct Answer: AD
Explanation:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swlog.html
System Log Message Format
System log messages can contain up to 80 characters and a percent sign (%), which follows the optional sequence number or time-stamp information, if configured. Messages appear in this format:
seq no:timestamp: %facility-severity-MNEMONIC:description (hostname-n)
The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command.
seq no:
Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured.
For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section.
timestamp formats:
mm/dd hh:mm:ss
or
hh:mm:ss (short uptime)
or
d h (long uptime)
Date and time of the message or event. This information appears only if the service timestamps log [datetime | log] global configuration command is configured.
For more information, see the “Enabling and Disabling Time Stamps on Log Messages” section.
facility
The facility to which the message refers (for example, SNMP, SYS, and so forth). For a list of supported facilities, see Table 29-4.
severity
Single-digit code from 0 to 7 that is the severity of the message. For a description of the severity levels, see Table 29-3.
MNEMONIC
Text string that uniquely describes the message.
description
Text string containing detailed information about the event being reported.
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swlog.html
This example shows part of a logging display with the service timestamps log datetime global configuration command enabled:
*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) (Switch-2)
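The message format described above (seq no, timestamp, %facility-severity-MNEMONIC, description, optional hostname) and the 0-7 severity scale from Question 94 are the kind of thing a log reviewer parses hundreds of times a day. The following is an added example, not code from the page or from Cisco: a small Python parser for IOS-style syslog lines that splits out the fields, maps the severity code to its IOS name (4 = warnings, 5 = notifications), and flags what a reviewer would check: lines with no timestamp at all (service timestamps not enabled on the sender), timestamps whose leading asterisk marks a clock that is not authoritative (not synchronized, the situation Question 95 warns about), and messages at warning level or worse. The sample lines are constructed for this example; the trailing-"(hostname)" extraction is a heuristic of this example based only on the "(hostname-n)" token in the format above, and the sequence-number detection assumes the "nnnnnn: " form with a space after the colon.

```python
"""Parse Cisco IOS syslog lines of the form
   [seq:] [timestamp:] %FACILITY-SEVERITY-MNEMONIC: description [(hostname)]
and flag the things a log reviewer cares about. Added example, not Cisco code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Syslog severity codes as Cisco IOS names them (0 = most severe).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Body of the message, from the percent sign onward.
BODY_RE = re.compile(
    r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)
# Sequence number: digits, colon, whitespace. An uptime stamp "hh:mm:ss" has no
# whitespace after its first colon, so it does not match (assumption of this example).
SEQ_RE = re.compile(r"^(\d+):\s+(.*)$")
# Trailing "(hostname)" token with no spaces or parentheses inside (heuristic).
HOST_RE = re.compile(r"^(?P<desc>.*\S)\s+\((?P<host>[^\s()]+)\)$")


@dataclass
class IosSyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    description: str
    sequence: Optional[int] = None
    timestamp: Optional[str] = None   # raw text, e.g. "*Mar 1 18:46:11" or "00:02:13"
    hostname: Optional[str] = None

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def clock_flag(self) -> str:
        """IOS prefixes the timestamp with '*' when the clock is not authoritative,
        '.' when it is authoritative but NTP is not synchronized, nothing otherwise."""
        if self.timestamp and self.timestamp[0] in "*.":
            return self.timestamp[0]
        return ""


def parse_ios_syslog(line: str) -> Optional[IosSyslogMessage]:
    """Return the parsed message, or None if the line is not in IOS syslog format."""
    line = line.strip()
    pct = line.find("%")
    if pct < 0:
        return None
    body = BODY_RE.match(line[pct:])
    if not body:
        return None

    # Everything before the percent sign is the optional "seq: timestamp:" prefix.
    prefix = line[:pct].strip().rstrip(":").strip()
    sequence = None
    m = SEQ_RE.match(prefix)
    if m:
        sequence, prefix = int(m.group(1)), m.group(2).strip()
    elif prefix.isdigit():          # sequence number present, no timestamp at all
        sequence, prefix = int(prefix), ""
    timestamp = prefix or None

    description = body.group("description").strip()
    hostname = None
    hm = HOST_RE.match(description)
    if hm:
        description, hostname = hm.group("desc"), hm.group("host")

    return IosSyslogMessage(
        facility=body.group("facility"), severity=int(body.group("severity")),
        mnemonic=body.group("mnemonic"), description=description,
        sequence=sequence, timestamp=timestamp, hostname=hostname,
    )


def triage(lines: List[str], attention_threshold: int = 4) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs: unparsable lines, messages with no timestamp,
    messages stamped by a non-authoritative clock, and messages at or below the
    severity threshold (4 = warnings and worse)."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        msg = parse_ios_syslog(line)
        if msg is None:
            findings.append(("unparsed", line.strip()))
            continue
        if msg.timestamp is None:
            findings.append(("no-timestamp", msg.mnemonic))
        elif msg.clock_flag == "*":
            findings.append(("clock-not-authoritative", msg.mnemonic))
        if msg.severity <= attention_threshold:
            findings.append(("attention", f"{msg.severity_name}:{msg.mnemonic}"))
    return findings


# Constructed sample log: the first line is the page's own example, the rest are made up.
SAMPLE_LOG = """\
*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) (Switch-2)
000123: *Mar 1 18:47:02.117 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.34.195.50] [localport: 22] [Reason: Login Authentication Failed]
%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
00:02:13: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.34.195.1 port 514 started - CLI initiated
"""

if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        print(parse_ios_syslog(raw))
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run as a script it prints each parsed message and then the findings; for the sample log the two asterisk-stamped lines are reported as coming from a non-authoritative clock, the LINK-3-UPDOWN line is reported both for having no timestamp and for its severity, and the level-6 line is reported for nothing, matching the answer to Question 97 that a level-5 message with a timestamp is an ordinary notification.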
QUESTION 98
Refer to the exhibit. Which statement is correct based on the show login command output shown?
A. When the router goes into quiet mode, any host is permitted to access the router via Telnet, SSH, and HTTP, since the quiet-mode access list has not been configured.
B. The login block-for command is configured to block login hosts for 93 seconds.
C. All logins from any sources are blocked for another 193 seconds.
D. Three or more login requests have failed within the last 100 seconds.
Correct Answer: D
Explanation:
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_login_enhance_ps6922_TSD_Products_Configuration_Guide_Chapter.html
Showing login Parameters: Example
The following sample output from the show login command verifies that the router is in quiet mode. In this example, the login block-for command was configured to block login hosts for 100 seconds if 3 or more login requests fail within 100 seconds.
Router# show login
A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
All successful login is logged and generate SNMP traps.
All failed login is logged and generate SNMP traps.
Router enabled to watch for login Attacks.
If more than 2 login failures occur in 100 seconds or less, logins will be disabled for 100 seconds.
Router presently in Quiet-Mode, will remain in Quiet-Mode for 93 seconds, Denying logins from all sources.
QUESTION 99
Which two considerations about secure network monitoring are important? (Choose two.)
A. log tampering
B. encryption algorithm strength
C. accurate time stamping
D. off-site storage
E. Use RADIUS for router commands authorization.
F. Do not use a loopback interface for device management access.
Correct Answer: AC
Explanation:
A coordinated clock is important primarily to provide chronological, sequential, and coordinated logs. If clock sources are hijacked, events posted to logs can be out of sequence and not coordinated. The risks include:
The date of clock events could be modified so that they would not appear on daily/weekly reports.
The date could be modified back far enough so that events would be instantly purged at the logging server.
The dates on multiple devices could be modified so that causal events would not appear correlated in time.
The net result of such tampering would corrupt the logs, therefore crippling the forensic analysis of events.
Reference: http://www.cisco.com/web/about/security/intelligence/05_11_nsa-scty-compliance.html
QUESTION 100
You suspect that an attacker in your network has configured a rogue Layer 2 device to intercept traffic from multiple VLANs, which allows the attacker to capture potentially sensitive data. Which two methods will help to mitigate this type of activity? (Choose two.)
A. Turn off all trunk ports and manually configure each VLAN as required on each port.
B. Place unused active ports in an unused VLAN.
C. Secure the native VLAN, VLAN 1, with encryption.
D. Set the native VLAN on the trunk ports to an unused VLAN.
E. Disable DTP on ports that require trunking.
Correct Answer: DE
Explanation:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/layer2.html
Layer 2 LAN Port Modes
Table 17-2 lists the Layer 2 LAN port modes and describes how they function on LAN ports.
switchport mode access
Puts the LAN port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The LAN port becomes a nontrunk port even if the neighboring LAN port does not agree to the change.
switchport mode dynamic desirable
Makes the LAN port actively attempt to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk, desirable, or auto mode. This is the default mode for all LAN ports.
switchport mode dynamic auto
Makes the LAN port willing to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk or desirable mode.
switchport mode trunk
Puts the LAN port into permanent trunking mode and negotiates to convert the link into a trunk link. The LAN port becomes a trunk port even if the neighboring port does not agree to the change.
switchport nonegotiate
Puts the LAN port into permanent trunking mode but prevents the port from generating DTP frames. You must configure the neighboring port manually as a trunk port to establish a trunk link.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
Double Encapsulation Attack
When double-encapsulated 802.1Q packets are injected into the network from a device whose VLAN happens to be the native VLAN of a trunk, the VLAN identification of those packets cannot be preserved from end to end since the 802.1Q trunk would always modify the packets by stripping their outer tag. After the external tag is removed, the internal tag permanently becomes the packet’s only VLAN identifier. Therefore, by double-encapsulating packets with two different tags, traffic can be made to hop across VLANs.
This scenario is to be considered a misconfiguration, since the 802.1Q standard does not necessarily force the users to use the native VLAN in these cases. As a matter of fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don’t use this VLAN for any other purpose.
Protocols like STP, DTP, and UDLD (check out [3]) should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets.