300-735 : Automating Cisco Security Solutions (SAUTO) : Part 02

300-735 : Automating Cisco Security Solutions (SAUTO) : Part 02

  1. Which of the following devices are least likely to deny a connection inline when an attack is detected? (Select 2 choices.)

    • an IPS
    • a router
    • an IDS
    • a Layer 3 switch
    • a Layer 2 switch
    Explanation:
    A Layer 2 switch and an Intrusion Detection System (IDS) are least likely to deny a connection inline when an attack is detected. An IDS is a network monitoring device that does not sit inline with the flow of network traffic? an IDS passively monitors a copy of network traffic, not the actual packet. Typically, an IDS has one promiscuous network interface attached to each monitored network. A promiscuous device listens to all data flowing past it regardless of the destination. Because traffic does not flow through the IDS, the IDS cannot mitigate singlepacket attacks and is unable to directly block malicious traffic, like a virus, before it passes onto the network. However, an IDS can actively send alerts to a management station when it detects malicious traffic.
    A Layer 2 switch is a device that operates at Layer 2 of the Open Systems Interconnection (OSI) network model. Although a Layer 2 switch can implement security controls, such as port security and virtual LAN (VLAN) access control lists (ACLs), a Layer 2 switch by itself is not typically configured to detect and mitigate external security threats.
    An Intrusion Prevention System (IPS) sits inline with the flow of traffic, thus actively monitoring network traffic and blocking malicious traffic, such as an atomic or singlepacket attack, before it passes onto the network. Blocking an attack inline can prevent the attack from spreading further into the network. An IPS requires at least two interfaces for each monitored network: one interface listens to traffic entering the IPS, and the other listens to traffic leaving the IPS. In addition, an IPS acts similarly to a Layer 2 bridge in that it passes traffic through to destinations on the same subnet? an IPS cannot route to destinations on a different subnet. An interface of an IPS can be put in promiscuous mode? when this happens, the device operates as an IDS on that interface. However, an IPS does not require that a physical interface be in promiscuous mode in order to monitor network traffic.
    A router is a device that connects multiple subnets of the same or different networks and passes information between them. The functionality of a router can vary depending on the size of the network on which it is deployed. For example, a Cisco IPS Advanced Integration Module (AIM) can be installed in a router to integrate IPS functionality at the hardware level. Alternatively, an IOS feature set with IPS capabilities can be installed to provide IPS functionality at the software level. A router operating as an IPS can serve as a part of the network security structure as well as a bridge between two segments of the network. A Layer 3 switch is a device that can operate at both Layer 2 and Layer 3 of the OSI model. Layer 3 switches perform switching operations at Layer 2 but are also capable of forwarding traffic at Layer 3. Although a Layer 3 switch by itself is not typically configured to detect and mitigate external security threats, some chassisbases Layer 3 switches, such as Cisco Catalyst 6500 series switches, support hardware modules that can provide IPS functionality.

  2. Which of the following traffic can be statefully inspected by Cisco IOS ZFW? (Select the best answer.)

    • IPv6 unicast traffic
    • IPv6 multicast traffic
    • IPv4 unicast traffic
    • IPv4 multicast traffic
    Explanation:
    In a Cisco IOS zonebased policy firewall (ZFW) configuration, IP version 4 (IPv4) unicast traffic can be statefully inspected. As of IOS ZFW 12.4(15), ZFW is not capable of stateful inspection of any type of IPv6 traffic, nor is it capable of stateful inspection of IPv4 multicast traffic. ZFW is the latest iteration of Cisco’s stateful firewall implementation, which was formerly called ContextBased Access Control (CBAC). With ZFW, virtual security zones are specified and then interfaces are assigned to the appropriate zone. By default, all traffic is implicitly permitted to flow between interfaces that have been assigned to the same zone? however, all traffic between zones is blocked. In addition, all traffic to and from an interface is implicitly blocked by default when the interface is assigned to a zone, but there are a few exceptions. Traffic to or from other interfaces in the same zone is permitted as is traffic to or from the router itself.
    In order for traffic to flow between zones, stateful packet inspection policies must be configured to explicitly permit traffic between zones. The basic process is as follows:
    1. Define the required zones.
    2. Create zonepairs for zones that will pass traffic between themselves.
    3. Define class maps to match the appropriate traffic for each zonepair.
    4. Define policy maps to specify the actions that should be performed on matching traffic.
    5. Apply the policy maps to the zonepairs.
    6. Assign interfaces to their appropriate zones.
    Inspection rules can be created for a large number of traffic types, including the following:
    – Domain Name System (DNS)
    – Internet Control Message Protocol (ICMP)
    – Network Basic Input/Output System (NetBIOS)
    – Sun Remote Procedure Call (RPC)

    However, stateful inspection of multicast traffic, such as Internet Group Management Protocol (IGMP), is not supported by ZFW and must be handled by other security features, such as Control Plane Policing (CoPP).

  3. Which of the following are Cisco IOS privilege levels that are not typically assigned by default? (Select 3 choices.)

    • 1
    • 5
    • 7
    • 10
    • 15
    Explanation:
    Of the available choices, privilege levels 5, 7, and 10 are custom privilege levels and are not typically assigned by default. Privilege levels can be used to limit the IOS commands that a user can access. However, you are limited to 16 privilege levels, some of which are used by default by the IOS. For example, privilege levels 1 and 15 are default IOS privilege levels. Privilege level 1 allows a user to issue any command that is available at the user EXEC > prompt. Privilege level 15 allows a user to issue any command that is available at the privileged EXEC # prompt. The highest level of access on a Cisco router is provided by IOS privilege level 15.
    Each privilege level is associated with a list of commands that are available at that level. Users assigned to a privilege level have access to all of the commands at that privilege level and all lower privilege levels. Changing the commands that are available to a privilege level might provide access to a user who should not be allowed access to the command, or it might restrict access to another user who should be allowed access to the command.
    Because the default privilege level for a newly created local user account is 1, a newly created user will always have access to the disable, enable, exit, help, and logoutcommands? These commands are associated with a privilege level of 0. However, peruser privilege levels can sometimes conflict with the privilege levels set for virtual terminal (VTY) interfaces. In the event of a conflict, per user privileges override the privileges configured for the VTY line causing the conflict.

  4. A Cisco ASA queries an LDAP server for a VPN user OU attribute of bsnsw and receives multiple results.Which of the following is the ASA most likely to match? (Select the best answer.)

    • the last result in the list of results containing the attribute
    • the first result in the list of results containing the attribute
    • the most specific result in the list of results containing the attribute
    • the shortest result in the list of results beginning with the lowest alphanumeric character
    Explanation:
    Of the choices provided, the Cisco Adaptive Security Appliance (ASA) is most likely to match the shortest Lightweight Directory Access Protocol (LDAP) result beginning with the lowest alphanumeric character in the list of results containing the organizational unit (OU) attribute of bsnsw. When using LDAP attribute maps on an ASA, there is a limit on the number of Active Directory (AD) multivalued attributes matched by an LDAP attribute map. LDAP attribute maps are used to authorize virtual private network (VPN) users based on specified AD attributes, such as group membership or department name. If an LDAP query returns a multivalued attribute, such as the list of groups of which a user is a member, the ASA will match only one of the returned values to the appropriate group policy. The ASA will select the matching group policy with the least number of characters in the name and that starts with the lowest alphanumeric character.
    The following sample output from a running configuration defines five group policy mappings:
    ldap attributemap ExampleMap mapname memberOf GroupPolicy mapvalue memberOf CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com Group5 mapvalue memberOf CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com Group4 mapvalue memberOf CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com Group3 mapvalue memberOf CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com Group2 mapvalue memberOf CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com Group1

    The ldap attributemap ExampleMap command creates an LDAP attribute map named ExampleMap. The LDAP attribute map contains a mapname statement, which maps the AD memberOf attribute to the ASA GroupPolicy attribute, and a series of mapvaluecommands, which map matching LDAP response strings to ASA attributes. The mapvalue commands specify the mapping between AD group membership attributes in an LDAP response and the ASA group policy to which they should be applied. When the ASA receives a reply to an LDAP authorization query for the VPN user in this scenario, the following multiattribute response is compared to the mapvalue statements in the LDAP attribute map:

    memberOf: value = CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com
    memberOf: value = CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com
    memberOf: value = CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com
    memberOf: value = CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com

    If an LDAP query returns a multivalued attribute, the ASA will match only one of the returned values to the appropriate group policy. The ASA will select the matching group policy with the least number of characters in the name and that starts with the lowest alphanumeric character. In this scenario, four of the five configured mapvalue statements will match the LDAP query response. Because the group policies in the matched statement have names of identical length, the ASA will select the name based on its alphabetical preference. Alphabetically, the name Group1 comes before any of the other matching group policy names: Group3, Group4, and Group5.

  5. Which of the following is a type of phishing attack that specifically targets highranking corporate executives? (Select the best answer.)

    • vishing
    • pharming
    • whaling
    • dumpster diving
    Explanation:
    Whaling is a type of spear phishing attack used to retrieve sensitive information from highranking executives of a corporation. Phishing is a social engineering technique in which a malicious person uses a seemingly legitimate electronic communication, such as email or a webpage, in an attempt to dupe a user into submitting personal information, such as a Social Security number (SSN), account login information, or financial information. Spear phishing is a form of phishing that targets specific individuals. Spear phishing is considered whaling when it specifically targets highranking executives of a corporation, such as chief executive officers (CEOs) or chief financial officers (CFOs). To mitigate the effects of a phishing attack, users should use email clients and web browsers that provide phishing filters. In addition, users should also be wary of any unsolicited email or web content that requests personal information.
    Pharming is another form of phishing that is used to retrieve sensitive information by directing users to fake websites. Malicious users can direct users to fake websites through Domain Name System (DNS) poisoning or host file manipulation. Both DNS and host files are used to crossreference Uniform Resource Locators (URLs) and IP addresses. When a user specifies a URL, either a DNS server or the local host file converts it to an IP address so that requests can be forwarded to the correct location. Both a DNS server and a host file can be altered so that users are directed to websites that appear authentic but instead are used for malicious information gathering. These phony websites often ask users for passwords or other sensitive information. A pharming attack is not effective unless a user voluntarily provides information to the website.
    Like whaling and pharming, vishing is another form of phishing that is used to obtain sensitive information. Vishing accomplishes its goal through the use of voice communication networks. Perpetrators of vishing attacks use a variety of methods to retrieve information. For example, an attacker might spoof phone numbers of legitimate businesses in order to deceive a victim. An attacker might also use a misleading voice or email message that instructs the potential victim to contact a phony call center that is masked as a legitimate business. After telephone communications are established, the perpetrators will attempt to coax sensitive information from users, such as credit card or bank account numbers.
    Dumpster diving is an attack in which malicious users obtain information that has been thrown in the trash. Dumpster divers seek to recover discarded documents that might contain sensitive information such as account login credentials, passwords, or bank account numbers. To prevent unauthorized users from obtaining information from discarded documents, individuals and companies should shred documents containing confidential data before disposing of such documents.

  6. The Serial 0/0 interfaces on Router1 and Router2 are directly connected on the 192.168.51.48/30 network. You issue the following commands on Router1: interface serial 0/0 ip ospf authenticationkey b0s0n router ospf 1 routerid 1.1.1.1 network 10.10.10.0 0.0.0.255 area 1 network 192.168.51.48 0.0.0.3 area 1 area 0 authentication

    You issue the following commands on Router2:
interface serial 0/0 ip ospf
authenticationkey b0s0n router
ospf 2routerid 2.2.2.2 network
10.10.20.0 0.0.0.255 area 2
network 192.168.51.48 0.0.0.3
area 0 area 0 authentication

    Router1 and Router2 do not form an OSPF adjacency.
    Which of the following is most likely the problem? (Select the best answer.)

    • an OSPF area mismatch
    • an OSPF authentication mismatch
    • an OSPF process ID mismatch
    • an OSPF router ID mismatch
    Explanation:
    Of the available choices, an Open Shortest Path First (OSPF) area mismatch is most likely the reason that Router1 and Router2 do not form an adjacency in this scenario. In order to establish an adjacency, OSPF routers must be configured with the same area ID, Hello timer value, Dead timer value, and authentication password. In this scenario, the Serial 0/0 interface on Router1 has been configured to operate in area 1. The Serial 0/0 interface on Router2 has been configured to operate in area 0, which is also known as the backbone area.
    A mismatched process ID will not prevent an OSPF router from establishing an adjacency with a neighbor. An OSPF process ID is used to identify the OSPF process only to the local router. In this scenario, the router ospf 1 command has been issued on Router1, which configures Router1 with an OSPF process ID of 1. The router ospf 2 command has been issued on Router2, which configures Router2 with an OSPF process ID of 2.
    Although a mismatched authentication key or a mismatched authentication type could cause two OSPF routers to not form an adjacency, the OSPF authentication type and key in this scenario are correctly configured. The Serial 0/0 interface on Router1 is configured to use an authentication key of b0s0n. The Serial 0/0 interface on Router1 is also configured to use an authentication key of b0s0n. In addition, each router’s OSPF process is configured to use plaintext authentication in OSPF Area 0. If the correct area were configured between the Serial 0/0 interfaces on the routers, OSPF authentication would succeed. OSPF router IDs should never match between routers. A router ID is a unique 32bit identifier that resembles an IP address. A router ID conflict could cause routers to not form an adjacency. If you do not manually configure a router ID on an OSPF router, then the router ID is the highest IP address configured among loopback interfaces on the router, even if a physical interface is configured with a higher IP address. Cisco recommends using a loopback interface instead of a physical interface for the router ID? a loopback interface is never in the down state, thus OSPF is considered to be more stable when the router ID is configured from the IP address of a loopback interface. In this scenario, the router IDs on Router1 and Router2 have been manually configured by using the routerid ipaddresscommand.

  7. EAPFASTv2 implemented a requirement to support which of the following cryptographic protocols? (Select the best answer.)

    • TLS 1.0
    • TLS 1.1
    • TLS 1.2
    • TLS 1.3
    Explanation:
    Extensible Authentication ProtocolFlexible Authentication via Secure Tunneling Version 2 (EAPFASTv2) implemented a requirement to support Transport Layer Security (TLS) 1.2. EAPFAST is an authentication protocol that can be used for pointtopoint connections and for both wired and wireless links. EAPFAST Version 1 (EAPFASTv1) supported TLS 1.0 and higher. However, EAPFASTv2 made support of TLS 1.2 a requirement, thereby providing EAPFASTv2 with a stronger encryption algorithm than EAPFASTv1.
    The EAPFAST authentication process consists of three phases. The first phase, which is optional and is considered phase 0, consists of provisioning a client with a Protected Access Credential (PAC), which is a digital credential that is used for authentication. A PAC can be manually configured on a client, in which case phase 0 is not required. The second phase, which is referred to as phase 1, involves creating a secure tunnel between the client and the server. The final phase, which is referred to as phase 2, involves authenticating the client. If the client is authenticated, the client will be able to access the network.
    Neither EAPFASTv1 nor EAPFASTv2 is specifically required to support TLS 1.3. TLS 1.3 is a working draft that is based on TLS 1.2. Some of the proposed changes to TLS in TLS 1.3 include the removal of support for Elliptic Curve Cryptography (ECC), Message Digest 5 (MD5), and Secure Hash Algorithm 224 (SHA224).

  8. You issue the show ntp associations detail command on Router2 and receive the following output: Router2#show ntp associations detail 10.0.12.1 configured, authenticated, our_master, sane, valid, stratum 3 ref ID 127.127.1.1, time BF6C06E0.55040FD5 (09:02:04.717 UTC Thu Jul 25 2013) <output omitted>Which of the following is true? (Select the best answer.)

    • Router2 has successfully authenticated the NTP clients connected to Router2.
    • NTP on Router2 is synchronized with a master on another device.
    • NTP on Router2 is synchronized with itself.
    • Router2 has been configured with an NTP stratum level of 3.
    Explanation:
    Network Time Protocol (NTP) on Router2 is synchronized with an NTP master on another device. Specifically, NTP on Router2 is synchronized with the NTP peer that has the IP address of 10.0.12.1. The show ntp associations command displays both the address of the NTP server from which the client obtains its time and the address of the reference clock to which the NTP server is synchronized. When issued with the detail keyword, you can additionally determine the IP address of the NTP peer from which time was synchronized, the NTP source authentication status, the NTP hierarchical status of the server from which time was obtained, whether the NTP peer passes basic sanity checks, whether NTP believes the time is valid, and the stratum of the NTP peer.
    NTP on Router2 is not synchronized with itself. If Router2 were the NTP master in this scenario, the output of the show ntp associations detail command would display the peer’s IP address as 127.127.1.1. The IP address of 127.127.1.1 typically indicates the local NTP server. Furthermore, the presence of our_master in the output indicates the status of the device at the NTP peer IP address of 10.0.12.1, not the status of the local device. Finally, the ref ID field in the output in this scenario indicates a reference clock of 127.127.1.1. The ref ID field contains the IP address of the NTP peer’s source of time, not the local device. Therefore, the device with the IP address of 10.0.12.1 has obtained its time from its own local NTP server.
    There is no information in this scenario that indicates whether Router2 has successfully authenticated the NTP clients connected to Router2. The presence of the term authenticated in the output of the show ntp associations detail command in this scenario indicates that the time source has been authenticated, not the client.
    Router2 has not been configured with an NTP stratum level of 3. The stratum field in the output specifies the NTP stratum level of the NTP peer, not the local device. NTP uses stratum to establish a hierarchy of authoritative time sources. The stratum value is typically a representation of the difference in accuracy, or network delay, between the NTP client and Universal Coordinated Time (UTC). An NTP client that receives its time from an NTP server is usually operating with a higher stratum value, and thus lower accuracy, than the NTP server from which the client obtained the time.

  9. Which of the following is most likely to indicate that the configured main mode ISAKMP policy does not match the policy proposed by the remote peer? (Select the best answer.)

    • AG_NO_STATE
    • MM_NO_STATE
    • AG_AUTH
    • MM_KEY_AUTH
    • QM_IDLE
    Explanation:
    Of the available choices, the MM_NO_STATE state is most likely to indicate that the configured main mode Internet Security Association and Key Management Protocol (ISAKMP) policy does not match the policy proposed by the remote peer. The MM_NO_STATE state is the first transaction to occur when setting up Internet Key Exchange (IKE) security associations (SAs) in main mode. The show crypto isakmp sacommand displays the status of current IKE SAs on the router. MM_NO_STATE indicates that the ISAKMP peers have created their SAs. However, an exchange that does not move past this stage indicates that main mode has failed. The following states are used during main mode:
    MM_NO_STATE – The peers have created the SA.
    MM_SA_SETUP – The peers have negotiated SA parameters.
    MM_KEY_EXCH – The peers have exchanged DiffieHellman (DH) keys and have generated a shared secret.
    MM_KEY_AUTH – The peers have authenticated the SA.

    The following states are used during aggressive mode:
    AG_NO_STATE – The peers have created the SA.
    AG_INIT_EXCH – The peers have negotiated SA parameters and exchanged keys.
    AG_AUTH – The peers have authenticated the SA.

    Quick mode is used during IKE phase 2. The only state in quick mode is QM_IDLE, which indicates that IKE phase 1 has completed successfully and that there is an active IKE SA between peers.

  10. Which of the following could be best described as an advanced persistent attack? (Select the best answer.)

    • a DDoS attack
    • Operation Aurora
    • the Heartbleed vulnerability
    • POODLE
    Explanation:
    Of the available choices, Operation Aurora could be best described as an advanced persistent threat. An advanced persistent threat is an intrusion in which the attacker has advanced knowledge of intrusion tools and techniques, is fully intent on using the intrusion to achieve a specific mission or goals, and has organizational backing, funding, and motivation. For example, an attacker who obtains access to an organization’s network and remains there for an extended period of time to collect data that can then be used to the attacker’s advantage can be considered an advanced persistent threat.
    Operation Aurora was a monthslong attack in 2009 that was carried out against multiple companies, including Google and Adobe? it began with a targeted email spear phishing attack. The email delivered malware that was capable of exploiting an Internet Explorer vulnerability to obtain access to the contents of partially freed memory. After compromising company workstations, the attackers used those workstations to obtain access to other company resources and information, which eventually resulted in the loss of intellectual property. The attack was eventually traced to two Chinese education facilities that were thought to have ties to a Google competitor in China.
    A Distributed Denial of Service (DDoS) attack is less likely to be described as an advanced persistent threat than Operation Aurora. A DDoS attack is a coordinated Denial of Service (DoS) attack that uses multiple attackers to target a single host. For example, a large number of zombie hosts in a botnet could flood a target device with packets. Because the flood of packets originates from multiple hosts and typically targets public services, such as the web service, the target device might not detect the attack. If enough packets are sent to the target device within a short period of time, the target will be unable to respond to legitimate packets because it is waiting for a response to each of the requests originated by the attacker. Although a DDoS attack might be organized, it is unlikely to persist for an extended period of time and is not as likely as an advanced persistent threat to result in the collection of data that can be used to the attacker’s advantage.
    Heartbleed is a vulnerability, not an advanced persistent attack. Heartbleed is the OpenSSL vulnerability that could allow an attacker to obtain approximately 64 kilobytes (KB) of information from a web server’s memory at regular intervals. The Heartbleed bug, which was discovered in 2014, was a memoryhandling bug present in OpenSSL from version 1.0.1 through version 1.0.1f. OpenSSL 1.0.1g was the first version to fix the bug. By exploiting this vulnerability, an attacker can obtain a server’s private key, which could in turn allow the attacker to decrypt communications with the server or perform maninthemiddle attacks against the server. Although Heartbleed could be used as a component of an attack in an advanced persistent threat, it is not itself an advanced persistent threat.
    Padding Oracle On Downgraded Legacy Encryption (POODLE) was originally a maninthemiddle attack that was designed to exploit vulnerabilities in security protocol fallback mechanisms. This technique caused the encryption system to fall back from Transport Layer Security (TLS) to Secure Sockets Layer (SSL) 3.0. That variant of the POODLE attack could decrypt a single byte of an encrypted message by making up to 256 SSL 3.0 requests while eavesdropping on an encrypted connection. A later variant of POODLE discovered in 2014 is capable of exploiting bugs in the implementation of block cipher mode in TLS from version 1.0 through version 1.2. The POODLE attack is not by itself an advanced persistent threat.

  11. Which of the following SNMP versions was the first version to offer both authentication and encryption? (Select the best answer.)

    • SNMPv1
    • SNMPv2
    • SNMPv3
    • SNMPv4
    Explanation:
    Simple Network Management Protocol version 3 (SNMPv3) was the first version to offer both authentication and encryption. Simple Network Management Protocol (SNMP) is used to remotely monitor and manage network devices. SNMP version 1 (SNMPv1) and SNMPv2 use community strings to provide authentication. However, neither SNMPv1 nor SNMPv2 uses encryption? all data and community strings are sent in clear text. A malicious user can sniff an SNMP community string and use it to access and modify network devices. SNMPv3 is an enhancement to the SNMP protocol that uses encryption to provide confidentiality, integrity, and authentication. SNMPv4 is not currently recognized as a standard.

  12. Which of the following commands will configure a static pointtopoint VTI tunnel to use 128bit encryption? (Select the best answer.)

    • crypto ipsec transform-set set1 esp-aes esp-sha-hmac
    • crypto ipsec transform-set set1 esp-des esp-sha-hmac
    • crypto ipsec transform-set set1 esp-3des esp-sha-hmac
    • crypto ipsec transform-set set1 esp-seal esp-sha-hmac
    • crypto ipsec transform-set set1 esp-null esp-sha-hmac
    Explanation:
    The crypto ipsec transform-set set1 esp-aes esp-sha-hmac command will configure a static pointtopoint virtual tunnel interface (VTI) tunnel to use 128bit encryption. The syntax of the crypto ipsec transformset command is crypto ipsec transform-set transformname transform1 [transform2] [transform3] [transform4]. Up to four transforms can be specified in an IP Security (IPSec) transform set: one Encapsulating Security Payload (ESP) authentication transform, one authentication header (AH) transform, one ESP encryption transform, and one IP compression transform. For example, the crypto ipsec transformset set1 esp-aes esp-sha-hmac command specifies one ESP encryption transform and one ESP authentication transform? an AH transform and an IP compression transform could also be specified.
    The following keywords can be used to specify the ESP encryption transform:
    – esp-aes
    – esp-aes 192
    – esp-aes 256
    – esp-des
    – esp-3des
    – esp-seal
    – esp-null

    When the esp-aes keyword is issued without additional parameters, the 128bit Advanced Encryption Standard (AES) encryption algorithm is used. When the esp-aes 192 or esp-aes 256 keyword is issued, 192bit AES or 256bit AES is used, respectively.
    The esp-des keyword does not configure a static pointtopoint VTI tunnel to use 128bit encryption. Data Encryption Standard (DES) offers only 56bit encryption.
    The esp-3des keyword does not configure a static pointtopoint VTI tunnel to use 128bit encryption. Triple DES (3DES) offers 168bit encryption.
    The esp-seal keyword does not configure a static pointtopoint VTI tunnel to use 128bit encryption. Softwareoptimized Encryption ALgorithm (SEAL) offers 160bit encryption.
    The esp-null keyword does not configure a static pointtopoint VTI tunnel to use 128bit encryption. The esp-null keyword configures ESP to use null encryption.

  13. Which of the following is true of BPDU traffic on a Cisco zonebased firewall in transparent mode? (Select the best answer.)

    • It is denied by default.
    • It is permitted only in the inbound direction.
    • It is permitted only in the outbound direction.
    • It is permitted in both inbound and outbound directions.
    • It can be controlled by ARP inspection but not by access rules.
    Explanation:
    Bridge protocol data unit (BPDU) traffic is permitted in both inbound and outbound directions when a Cisco zonebased firewall, such as a Cisco Adaptive Security Appliance (ASA), is operating in transparent mode. In addition, Address Resolution Protocol (ARP) is permitted in both inbound and outbound directions when operating in transparent mode. The default bidirectional flow of ARP traffic in transparent mode is known as an implicit permit. All of the following traffic is implicitly permitted when a Cisco zonebased firewall is operating in transparent mode:
    – IP version 4 (IPv4) traffic from a higher security interface to a lower security interface
    – IPv6 traffic from a higher security interface to a lower security interface
    – ARP traffic in both directions
    – BPDU traffic in both directions

    Thus a Cisco zonebased firewall operating in transparent mode implicitly permits certain types of traffic at both Layer 2 and Layer 3 of the Open Systems Interconnection (OSI) network model. However, when a Cisco zonebased firewall is operating in routed mode, only Layer 3 IPv4 and IPv6 traffic from a higher security interface to a lower security interface are implicitly permitted.
    In either mode, an extended access rule is required to permit additional types of IPv4 traffic. To permit additional types of IPv6 traffic, an IPv6 access rule is required. ARP traffic, not BPDU traffic, can be controlled by ARP inspection but not by access rules. To permit other types of Layer 2 traffic, an EtherType rule is required.

  14. You issue the following command on a Cisco device: test aaa group radius user1 b0s0n newcode profile profile1Which of the following is true? (Select the best answer.)

    • The command will fail.
    • The command will succeed but report an error.
    • The command will succeed without error.
    • There is not enough information to determine the success or failure of the command.
    Explanation:
    There is not enough information in this scenario to determine the success or failure of the command. In order to determine whether the command would succeed or fail, you would need to know whether the profile named profile1 had been configured in this scenario. In addition, you would need to know whether the Remote Authentication DialIn User Service (RADIUS) server in this scenario is operational on the network.
    The test aaa group command is used to verify an Authentication, Authorization, and Accounting (AAA) server configuration. However, the command works only with a RADIUS configuration, not with a Terminal Access Controller Access Control System Plus (TACACS+) configuration. The syntax of the test aaa command is test aaa {groupname | radius} username password newcode [profile profilename], where groupname is a subset of RADIUS servers, username is the name for the test user, and password is the test user’s password.
    The test aaa group command can associate a Dialed Number Identification Service (DNIS) or Caller Line Identification (CLID) named user profile with a record sent to the server. The newcode keyword configures the command to support a CLID or DNIS user profile association with the RADIUS server. The profile profilename keyword associates the user profile specified by profilename with the RADIUS server.
    The test aaa group command can generate either a “User rejected” message or a “User successfully authenticated” message if the RADIUS server is alive. In order to generate either of those messages, the test aaa command must be able to connect to the RADIUS server.

  15. Which of the following is least likely to be a function of a Cisco ESA? (Select the best answer.)

    • protecting against phishing
    • protecting against spam
    • protecting against a DDoS attacks
    • protecting against malicious files
    Explanation:
    Protecting against a Distributed Denial of Service (DDoS) attack is least likely to be a function of a Cisco Email Security Appliance (ESA). A DDoS attack is a security threat that attacks availability by overwhelming a device or network with traffic from many varying sources. An ESA is designed to protect against email threats, such as malware attachments, phishing scams, and spam.
    The Cisco Context Adaptive Scanning Engine (CASE) on an ESA is a technology that is intended to detect email threats as they are received. CASE checks the reputation of email senders, scans the content of email messages, and analyzes the construction of email messages. As part of this process, CASE submits the email sender to the Cisco SenderBase Network, which contains data on hundreds of thousands of email networks. The sender is assigned a score based on this information. The content of the email messaging is scanned because it could contain language, links, or a call to action that is indicative of a phishing scam.

  16. You upload a file named isitbad.zip to AMP for analysis. While reviewing the AMP logs, you receive the following output:

    Wed Feb 17 12:41:05 2015 Info: File reputation query initiating. File Name =

    ‘isitbad.zip’, MID = 852, File Size = 174401 bytes, File Type = application/zipWed

    Feb 17 12:41:10 2015 Info: Response received for file reputation query from Cloud.

    File Name = ‘isitbad.zip’, MID = 852, Disposition = unscannable,

    Malware = None, Reputation Score = 0, sha256 =

    78d80f8fb0e6eaa2988d11607ec6a00840147f8188f6db8b7d00d907440d7aaa, upload_action = 1

    Which of the following is true? (Select the best answer.)

    • The file was uploaded to the cloud and determined to be clean.
    • The file was not uploaded to the cloud, and its disposition is unknown.
    • The file was uploaded to the cloud, but its disposition is unknown.
    • The file was uploaded to the cloud and was determined to be malware.
    • The file was not uploaded to the cloud but was determined to be clean.
    • The file was not uploaded to the cloud but was determined to be malware.
    Explanation:
    The file named isitbad.zip was not uploaded to Advanced Malware Protection (AMP) for analysis, and its disposition is unknown. AMP is a feature of the Cisco Email Security Appliance (ESA) that can be used to test a given file against a file reputation service in the cloud. The file reputation service that is used by AMP attempts to authenticate a Secure Hash Algorithm 256 (SHA256) hash for the file that is being uploaded against the file reputation database. The service also rates the data fidelity of the uploaded file by assigning it a reputation score.
    The AMP log output in this scenario indicates that the file named isitbad.zip has been determined to be 174,401 bytes and is a ZIP application file. The file was not uploaded to the cloud service, which is indicated by the value of the Disposition field, which is unscannable. If the file had been uploaded, the upload_action field would contain the same value, which is 1, and the Disposition field would contain a phrase that indicates that the file was either unknown, or malicious. If the file that is being analyzed is already known to the file reputation service, the upload_action field will contain a value of either 0 or 2 and will not be uploaded to the cloud.

  17. You are troubleshooting IPSec VPN connectivity between two sites. From the local router, you are able to ping the remote tunnel endpoint.

    Which of the following steps should you perform next? (Select the best answer.)

    • Issue the traceroute command to trace the route to the tunnel endpoint.
    • Verify that the IKE policies match on both peers.
    • Verify that the peers successfully authenticate each other.
    • Reboot both devices.
    Explanation:
    If you are able to ping the remote tunnel endpoint, you should verify that the Internet Key Exchange (IKE) policies match on both peers. Issuing the show crypto isakmp policycommand will display the IKE phase 1 policy settings that are configured on the router, including the encryption algorithm, hash algorithm, authentication method, DiffieHellman (DH) key exchange mechanism, and security association (SA) lifetime. The following displays sample output from the show crypto isakmp policy command: RouterA#show crypto isakmp policy
    Global IKE policy
    Protection suite of priority 20
    encryption algorithm: AES Advanced Encryption Standard (128 bit keys) hash algorithm: Secure Hash Standard authentication method: PreShared Key
    DiffieHellman group: #14 (2048 bit) lifetime:
    3600 seconds, no volume limit
    In order for virtual private network (VPN) peers to successfully negotiate a key management tunnel during IKE phase 1, the peers must agree on security parameters. For example, when RouterA sends an IKE policy proposal to RouterB, the IKE policy is compared with the IKE policies defined on RouterB. The proposed policy must be an exact match to one of RouterB’s locally defined policies? otherwise, it will be rejected. The one exception to this rule is the value of the IKE lifetime parameter. An IKE lifetime is considered a match if the value is less than or equal to the IKE lifetime defined in the local policy. If the IKE lifetime value is less than that of the local policy, the router will use the lesser of the two values. For example, when RouterA initiates a connection to RouterB, RouterA will only consider lifetime values from RouterB’s policies as matching if they are less than or equal to 14,400 seconds.
    You can also issue the debug crypto isakmp command to determine whether an IKE phase 1 policy mismatch is occurring. The debug error message 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0 will appear when there is a phase 1 policy mismatch between the peers. To configure IKE phase 1 policy parameters, issue the crypto isakmp policy priority command to enter Internet Security Association and Key Management Protocol (ISAKMP) policy configuration mode, where you can issue the following commands:
    – authentication
    – encryption
    – group
    – hash
    – lifetime

    If the IKE phase 1 policies match, you should issue the debug crypto isakmp command to verify that the SA authenticates. If there is a preshared key (PSK) mismatch between the peers, you will see the 1d00h:% CRYPTO4IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 failed its sanity check or is malformed debug error message. If a PSK is missing on one of the peers, you will see the 1d00h:#CRYPTO4IKMP_NO_PRESHARED_KEY: Preshared key for remote peer at 10.11.12.13 is missing debug error message. To create a PSK, issue the crypto isakmp key key {address | ipaddress [mask] | hostname name} [noxauth] command.
    If you can ping the remote tunnel endpoint, there is no need to issue the traceroutecommand to trace the route to the tunnel endpoint. A successful ping indicates that connectivity between the peers exists. If the ping is not successful, you can issue the traceroute command to see where the fault is occurring along the path between the two peers.
    Rebooting peer routers should not be among the first actions you perform when troubleshooting IP Security (IPSec) VPN connectivity between two sites. If you have performed the other troubleshooting steps but are still unable to establish a VPN connection, you might consider rebooting the routers. However, rebooting is not likely to solve the connectivity problems.

  18. You have configured a Cisco ESA with a URL Category action that redirects the URLs of adult content sites to the Cisco Cloud Web Security proxy service. You receive a report that users are successfully accessing some adult content sites from the company network. However, you are able to verify that known adult sites are being redirected.

    Which of the following could be the problem? (Select the best answer.)

    • You did not specify any text to replace the URL.
    • You did not defang the URL so that it cannot be clicked.
    • The connection to the Cisco Cloud Web Security proxy service timed out.
    • The adult content sites being visited are uncategorized.
    Explanation:
    The problem could be that the adult content sites being visited are uncategorized if users are able to access some adult sites while other known adult sites are being redirected. The Cisco Email Security Appliance (ESA) supports Uniform Resource Locator (URL) filtering, which can be used to test the reputation of URL links in email messages or to compare the content of the URL to a list of categories of sites that violate company policy. By using URL filtering with URL categorization, it is possible to limit user access to a given site without relying on a blacklist of the site’s possible IP addresses.
    There are three options for action when a link in an email message matches a given URL category or its reputation score falls within a specified range:
    – Defang the URL – renders the URL unclickable, although the user can still copy and paste the URL
    – Redirect the URL to the Cisco Cloud Web Security proxy service – redirects the URL to a proxy, which blocks the site if it is malicious and displays a message to the user
    – Replace the URL with specific text or the URL to third party proxy service – replaces the link in the original email message with specific warning text provided by the administrator or with a link that redirects to a third party proxy service

    You can also choose to apply any of those actions to sites that are not yet categorized in the URL database.
    In this scenario, sites that fit into the adult URL category should be redirected to the Cisco Cloud Web Security proxy service. However, there is nothing in the scenario to indicate that sites that are uncategorized have been configured to redirect to the Cisco Cloud Web Security proxy service. Therefore, users will be connected to the links as they appear in the original email message.
    The connection to the Cisco Cloud Web Security proxy service is not timing out in this scenario, because connections to some sites in the URL category are being redirected. If a connection to the Cisco Cloud Web Security proxy service times out, URL filtering will automatically allow the user to connect to the target site by using the link in the original email message. Therefore, known adult sites in this scenario would be accessible to users if the connection to the Cisco Cloud Web Security proxy service was timing out. You do not need to defang the URL. In this scenario, you have chosen to redirect adult site content to the Cisco Cloud Web Security proxy. In addition, you do not need to specify text to replace the URL.

  19. An inbound TCP packet arrives at the ingress interface of a Cisco ASA 8.2 firewall. The packet is part of an established session. The packet reaches the interface’s internal buffer and the input counter is incremented.

    Which of the following actions will occur next? (Select the best answer.)

    • The packet will be processed by interface ACLs.
    • The packet is forwarded to the outbound interface.
    • The packet is subjected to an inspection check.
    • The packet’s IP header is translated by NAT/PAT.
    Explanation:
    Because the Transmission Control Protocol (TCP) packet in this scenario is part of an established session, the packet will be subjected to an inspection check after it reaches the interface’s internal buffer and the input counter is incremented. A Cisco Adaptive Security Appliance (ASA) 8.2 performs all of the following checks when a packet arrives on the inbound interface:
    – Increments the input counter
    – Determines whether the packet is part of an established connection
    – If not an established connection, processes the packet by using the interface access control lists (ACLs)
    – If not an established connection, verifies the packet for translation rules
    – Conducts an inspection of the packet to determine protocol compliance
    – Translates the IP header according to Network Address Translation (NAT) rules
    – Forwards the packet to the outbound interface

    It is important to note that the Cisco ASA 8.3 and later modify the ASA packet process algorithm. When configuring NAT for the ASA 8.3 and later, you should use the client’s real IP address instead of the ASA’s public IP address. Thus, if the ASA in this scenario were an ASA 8.3 or later, the packet’s IP header would be translated by NAT or Port Address Translation (PAT) prior to being processed by interface ACLs.
    Inbound TCP packets that are not part of an established connection should be SYN packets, which is the first packet that is sent during TCP’s three-way handshake. Inbound TCP SYN packets are permitted by the ASA as long as the packet is permitted by an interface ACL rule and is successfully translated by NAT or PAT. The TCP SYNACK packet is the second phase of the TCP three-way handshake? it is sent by the host that received the SYN packet to the host that is attempting to establish a connection. Therefore, an ASA will permit an inbound TCP SYNACK packet only if it is part of an established connection.

  20. Which of the following is not an attribute on which an ISE MDM policy can be based? (Select the best answer.)

    • the encryption status of the disk.
    • the jailbreak status of the operating system
    • the revision of the operating system
    • the status of the PIN lock configuration
    • the status of the Bluetooth interface
    Explanation:
    The status of the Bluetooth interface is not an attribute on which a Cisco Identity Services Engine (ISE).
    Mobile Device Management (MDM) policy can be based. ISE is a next generation Authentication,
    Authorization, and Accounting (AAA) platform with integrated posture assessment, network access control, and client provisioning. ISE integrates with a number of MDM frameworks, such as MobileIron and AirWatch. MDM policies can be based on the following attributes:
    – DeviceRegisterStatus
    – DeviceCompliantStatus
    – DiskEncryptionStatus
    – PinLockStatus
    – JailBrokenStatus
    – Manufacturer
    – IMEI
    – SerialNumber
    – OsVersion
    – PhoneNumber

    From ISE, you can easily provision network devices with native supplicants available for Microsoft Windows, Mac OS X, Apple IOS, and Google Android. The supplicants act as agents that enable you to perform various functions on the network device, such as installing software or locking the screen with a personal identification number (PIN) lock.
    For devices like phones, ISE relies on MDM servers to carry out the specific administrative actions selected in ISE. For example, when a selective wipe is selected for a device in ISE, a request is made to the appropriate MDM server to carry out the action. The MDM server communicates with its corresponding agent on the phone and removes all corporate applications and installed profiles, including any subprofiles. The selective wipe also removes the MDM agent, which is typically an installed application. Through an MDM server, ISE can perform a full wipe, a selective wipe, or a PIN lock depending on the severity of the security risk of the lost phone.

Subscribe
Notify of
guest
0 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments