Cisco.Certkey.642-637.v2014-04-04.by.TERRY · 2014. 4. 4. · You have configured a guest VLAN...

Cisco.Certkey.642-637.v2014-04-04.by.TERRy.65q
Number: 642-637
Passing Score: 800
Time Limit: 60 min
File Version: 22.2
http://www.gratisexam.com/

Cisco 642-637 Exam
Exam Name: Securing Networks with Cisco Routers and Switches (SECURE) v1.0

Sections
1. Router Security
2. Switch Security
3. VPN
4. Zone Based Firewall
5. IPS
6. Drag and Drop
7. Simlet-VPN
8. Lab-ZBFW
9. User Feedback


    Exam A

    QUESTION 1
    You have configured a guest VLAN using 802.1X on a Cisco Catalyst switch. A client incapable of using 802.1X has accessed the port and has been assigned to the guest VLAN. What happens when a client capable of using 802.1X joins the network on the same port?

    A. The client capable of using 802.1X is allowed access and proper security policies are applied to the client.
    B. EAPOL packets will not be allowed on the guest VLAN and the access attempt will fail.
    C. The port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.
    D. This is considered a security breach by the authentication server and all users on the access port will be placed into the restricted VLAN.

    Correct Answer: C
    Section: Switch Security
    Explanation

    Explanation/Reference:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/dot1x.html#wp1198927

    Usage Guidelines for Using Authentication Failed VLAN Assignment
    When an authentication failed port is moved to an unauthorized state the authentication process is restarted. If you should fail the authentication process again the authenticator waits in the held state. After you have correctly re-authenticated all 802.1x ports are reinitialized and treated as normal 802.1x ports.

    QUESTION 2
    Which two of these are benefits of implementing a zone-based policy firewall in transparent mode? (Choose two.)

    A. Less firewall management is needed.
    B. It can be easily introduced into an existing network.
    C. IP readdressing is unnecessary.
    D. It adds the ability to statefully inspect non-IP traffic.
    E. It has less impact on data flows.

    Correct Answer: BC
    Section: Zone Based Firewall
    Explanation

    Explanation/Reference:
    CCNP Security FIREWALL 642-618 Official Cert Guide, 2012
    David Hucaby, Dave Garneau, Anthony Sequeira
    Page 633

    Using Transparent Firewall Mode
    An ASA can also be configured to operate in transparent firewall mode, such that it appears to operate as a Layer 2 device, without becoming a router hop or a gateway to its connected networks. This is also known as a Layer 2 firewall or a stealth firewall, because the ASA’s interfaces have no assigned IP addresses and cannot be detected or manipulated. Only a single management address is used for traffic sourced by the transparent firewall itself or destined for a management session.

    As a Layer 2 device, an ASA in transparent firewall mode can be installed or wedged into an existing network, separating the inside and outside without changing any existing IP addresses. In Figure 12-2, notice how the ASA running in transparent firewall mode has its inside and outside interfaces connected to the same IP subnet. This is commonly called a “bump-in-the-wire” because the ASA doesn’t break or segment the IP subnet along a wire but instead more or less becomes part of the wire. This makes a new installation straightforward.

    QUESTION 3
    When configuring a zone-based policy firewall, what will be the resulting action if you do not specify any zone pairs for a possible pair of zones?

    A. All sessions will pass through the zone without being inspected.
    B. All sessions will be denied between these two zones by default.
    C. All sessions will have to pass through the router "self zone" for inspection before being allowed to pass to the destination zone.
    D. This configuration statelessly allows packets to be delivered to the destination zone.

    Correct Answer: B
    Section: Zone Based Firewall
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 309

    Zone Pair Configuration
    The configuration of the zone pair is important because its configuration dictates the direction in which traffic is allowed to flow. As stated previously, a zone pair is unidirectional and is the part of the configuration that controls traffic between zones; this is referred to as interzone. If no zone pair is defined, traffic will not flow between zones.

    QUESTION 4
    Which statement best describes inside policy based NAT?

    A. Policy NAT rules are those that determine which addresses need to be translated per the enterprise security policy.
    B. Policy NAT consists of policy rules based on outside sources attempting to communicate with inside endpoints.
    C. These rules use source addresses as the decision for translation policies.
    D. These rules are sensitive to all communicating endpoints.

    Correct Answer: A
    Section: Router Security
    Explanation

    Explanation/Reference:
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html

    Policy NAT

    QUESTION 5
    Refer to the exhibit. What can be determined about the IPS category configuration shown?

    A. All categories are disabled.
    B. All categories are retired.
    C. After all other categories were disabled, a custom category named "os ios" was created.
    D. Only attacks on the Cisco IOS system result in preventative actions.

    Correct Answer: D
    Section: IPS
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 345

    Deploying Cisco IOS Software IPS Signature Policies
    This configuration task is completed by entering the signature category configuration mode using the ip ips signature-category command. See Example 13-3 for the relevant configuration. First, retire and disable all signatures because only the desired signatures will be enabled. This is achieved using the category all command.

    Then, use the retired true and enabled false commands to disable and retire all signatures by default. Next, enable all signatures that are designed to prevent attacks against Cisco IOS Software devices and assign a preventative action to them. Enter the category that comprises these signatures using the category os ios command and enable them by using the retired false and enabled true commands. Use the event-action produce-alert deny-packet-inline command to enable these signatures to generate an alert and drop the offending packets when they trigger.
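    The signature-category policy just described, written out as a complete Cisco IOS IPS configuration. This is an added example, not the page's own text nor the Cert Guide's Example 13-3 (which the page does not reproduce); the rule name MYIPS, the signature storage location flash:ips and the interface GigabitEthernet0/0 are assumptions.

```cisco
! Added example (not from the page or the Cert Guide): Cisco IOS IPS
! signature policy that leaves only the "os ios" category active.
! Assumed: rule name MYIPS, storage location flash:ips, interface Gi0/0.
ip ips config location flash:ips
ip ips name MYIPS
ip ips notify sdee
!
ip ips signature-category
 ! Step 1: retire and disable every signature so nothing is active by default
 category all
  retired true
  enabled false
 ! Step 2: bring back only the signatures that protect Cisco IOS itself and
 ! give them a preventative action (drop inline) in addition to the alert
 category os ios
  retired false
  enabled true
  event-action produce-alert deny-packet-inline
!
! Apply the rule inbound on the interface that carries untrusted traffic
interface GigabitEthernet0/0
 ip ips MYIPS in
```

    Leaving category configuration mode prompts for confirmation before the signature changes are compiled; afterwards show ip ips configuration and show ip ips signatures count should report only the os ios signatures as enabled and not retired, which is the state the exhibit in Question 5 describes.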

    QUESTION 6
    Which two of these will match a regular expression with the following configuration parameters? (Choose two.)
    [a-zA-Z][0-9][a-z]

    A. Q3h
    B. B4Mn
    C. aaB132AA
    D. c7lm
    E. BBpjnrIT

    Correct Answer: AD
    Section: IPS
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 315

    Zone-Based Layer 7 Policy Firewall Configuration

    QUESTION 7
    You are troubleshooting reported connectivity issues from remote users who are accessing corporate headquarters via an IPsec VPN connection. What should be your first step in troubleshooting these issues?

    A. issue a show crypto isakmp policy command to verify matching policies of the tunnel endpoints
    B. ping the tunnel endpoint
    C. run a traceroute to verify the tunnel path
    D. debug the connection process and look for any error messages in tunnel establishment

    Correct Answer: B
    Section: VPN
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 398

    Troubleshooting Flow
    Follow these steps to proceed through the recommended flow for troubleshooting IKE peering:

    Step 1. Verify peer reachability using the ping and traceroute commands with the tunnel source and destination IP addresses on both peers. If connectivity is verified, proceed to Step 2; otherwise, check the path between the two peers for routing or access (firewall or access list) issues.

    Step 2. Verify the IKE policy on both peers using the show crypto isakmp policy command. Debug messages revealed by the debug crypto isakmp command will also point out IKE policy mismatches.

    Step 3. Verify IKE peer authentication. The debug crypto isakmp command will display unsuccessful authentication.

    Step 4. Upon successful completion of Steps 1–3, the IKE SA should be establishing. This can be verified with the show crypto isakmp sa command and looking for a state of QM_IDLE.

    QUESTION 8
    Which of these is correct regarding the configuration of virtual-access interfaces?

    A. They cannot be saved to the startup configuration.
    B. You must use static routes inside the tunnels.
    C. DVTI interfaces should be assigned a unique IP address range.
    D. The Virtual-Access 1 interface must be enabled in an up/up state administratively.

    Correct Answer: A
    Section: VPN
    Explanation

    Explanation/Reference:

    Virtual Templates and Virtual Access Interfaces
    When a dynamic VTI is created as spoke peers attempt to create VPN connections with the hub peer, dynamic VTIs on the hub do not appear as a tunnel interface as they do with static VTIs. Instead, they appear as virtual access interfaces that are created from information configured in a virtual template interface. Virtual template interfaces are sets of common settings that contain the information needed to build the virtual access interfaces.

    The settings in the virtual template interface are for all dynamic interfaces and include the hub IP address inside the tunnel (unnumbered), the tunnel mode (IPsec), and the tunnel protection, and can optionally include other Cisco IOS Software services, such as NetFlow accounting or firewall policy settings. The router uses this information to create a virtual access interface (DVTI). Other information in the virtual template interface is added to the virtual access interface as the spoke completes IKE negotiations, such as the tunnel source and destination IP address.

    Example 15-10 portrays a virtual template and the virtual access interface that is created as tunnels to the hub are established. A virtual access interface is dynamically created based on a preconfigured virtual template that includes all the required IPsec configuration as well as any Cisco IOS Software features that are desired, such as QoS, NetFlow, or ACLs.

    Example 15-10 Virtual Template and Virtual Access Interface Configuration
    interface Virtual-template 1
     ip unnumbered FastEthernet0/0
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile Profile1
     ip flow ingress
     zone-member security B2BVPN-Zone
    interface Virtual-access 125
     ip unnumbered FastEthernet0/0
     tunnel source 10.1.1.1
     tunnel mode ipsec ipv4
     tunnel destination 10.1.1.2
     tunnel protection ipsec profile Profile1
     no tunnel protection ipsec initiate
     ip flow ingress
     zone-member security B2BVPN-Zone

    QUESTION 9
    Which action does the command private-vlan association 100,200 take?

    A. configures VLANs 100 and 200 and associates them as a community
    B. associates VLANs 100 and 200 with the primary VLAN
    C. creates two private VLANs with the designation of VLAN 100 and VLAN 200
    D. assigns VLANs 100 and 200 as an association of private VLANs

    Correct Answer: B
    Section: Switch Security
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 80

    Private VLANs (PVLAN)
    The use of VLANs is common in many modern networks to isolate the various parts of the network. These parts are typically separated by administrative use or by the type of endpoint device. Each of these VLANs must be assigned a separate IP subnet, with a common Layer 3 device performing the routing between them and providing any security filtering.

    In situations where the number of different VLANs becomes excessive because of traffic isolation requirements, there is another alternative. The private VLAN feature offers the ability to isolate different devices within the same VLAN and IP subnet. This works by defining ports into three different classifications, which are as follows:

    Promiscuous ports: Communicate with all other port types. Configured in a primary VLAN.

    Community ports: Communicate with other devices inside the same community and with all promiscuous ports. Configured in a secondary VLAN that is tiered to a primary VLAN.

    Isolated ports: Communicate only with other promiscuous ports. Configured in a secondary VLAN that is tiered to a primary VLAN.

    The private VLAN feature can also be used across switches as long as the trunks between the switches support the 802.1Q trunking standard; however, the private VLAN feature is not supported by Cisco VLAN Trunking Protocol (VTP). All devices using the private VLAN feature must be configured as VTP transparent.
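    An added Catalyst IOS example (not from the page or the Cert Guide) that ties the three port classifications together, including the private-vlan association command asked about in Question 9. VLAN numbers 100, 200 and 201, the interface names and the use of VTP transparent mode are assumptions.

```cisco
! Added example (not from the page or the Cert Guide): one primary VLAN
! with a community and an isolated secondary VLAN on a Catalyst switch.
! Assumed: VLAN numbers 100/200/201 and the interface names below.
!
! PVLANs are not propagated by VTP, so every switch must be VTP transparent
vtp mode transparent
!
! Secondary VLANs are defined first, then the primary that associates them
vlan 200
 private-vlan community
vlan 201
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 200,201
!
! Community ports: reach each other and the promiscuous port, nothing else
interface range GigabitEthernet0/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
!
! Isolated ports: reach the promiscuous port only, never each other
interface range GigabitEthernet0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 201
!
! Promiscuous port (typically the uplink to the default gateway or firewall):
! mapped to the primary VLAN and to every secondary VLAN it must serve
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200,201
```

    All three groups share the one IP subnet of VLAN 100, so no readdressing is needed; show vlan private-vlan lists the primary-to-secondary associations and show interfaces switchport confirms each port's private VLAN role.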

    QUESTION 10
    Which of these allows you to add event actions globally based on the risk rating of each event, without having to configure each signature individually?

    A. event action summarization
    B. event action filter
    C. event action override
    D. signature event action processor

    Correct Answer: C
    Section: IPS
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 349

    Signature Event Action Overrides (SEAO)
    The SEAP signature event action overrides (SEAO) are a Cisco IOS Software IPS configuration tool that allows one or more actions to be added to all active signatures based on the calculated risk rating of each event.

    Event action overrides provide a way to add actions globally without having to configure each signature or signature category. Each event action override is associated with an event risk rating range. If a signature event occurs and the event risk rating for the event falls within the configured range for the event action override, the action will be added to the event. For example, if you set the risk rating range for the “deny packet inline” action to 85–100, for every signature event that has an event risk rating calculation that falls within this range, the “drop packet inline” action will be added to the event.

    QUESTION 11
    Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN hub router?

    A. Only one tunnel can be created per tunnel source interface.
    B. Only one tunnel can be created and should be associated with a loopback interface for dynamic redundancy.
    C. The GRE tunnel key is used to encrypt the traffic going through the tunnel through the hub.
    D. You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique tunnel key.

    Correct Answer: D
    Section: VPN
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 470

    Task 4: Create an mGRE Tunnel Interface
    Task 4 creates the mGRE tunnel interface. Enter the interface tunnel command and then configure basic GRE parameters. The tunnel mode gre multipoint command designates the tunnel interface as mGRE and the tunnel source command specifies the physical interface to which the GRE tunnel is bound. The tunnel key command is required and must match the tunnel key configured on the spokes. This command allows network administrators to run more than one DMVPN at a time on the same router.

    The GRE tunnel key therefore uniquely identifies the DMVPN.
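    An added hub-side configuration (not from the page or the Cert Guide) showing two parallel DMVPNs bound to the same physical source interface and told apart only by their GRE tunnel keys. All addresses, interface names, NHRP network IDs, the profile and transform-set names and the key values are assumptions.

```cisco
! Added example (not from the page or the Cert Guide): a DMVPN hub running
! two parallel DMVPNs from one physical interface.
! Assumed: every address, name and key value below.
crypto ipsec transform-set AES128-SHA esp-aes 128 esp-sha-hmac
crypto ipsec profile DMVPN-PROF
 set transform-set AES128-SHA
!
! DMVPN "A": spokes must configure the same tunnel key (100) or the hub
! cannot tell their GRE packets apart from those of DMVPN "B"
interface Tunnel0
 description DMVPN-A hub
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 100
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 ! "shared" lets several tunnels with the same source use one IPsec profile
 tunnel protection ipsec profile DMVPN-PROF shared
!
! DMVPN "B": same source interface, different key and NHRP network ID
interface Tunnel1
 description DMVPN-B hub
 ip address 10.0.1.1 255.255.255.0
 ip nhrp network-id 200
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 200
 tunnel protection ipsec profile DMVPN-PROF shared
```

    The tunnel key is a demultiplexing value carried in the GRE header, not a secret and not an encryption key (which is why option C in Question 11 is wrong); confidentiality comes from the IPsec profile applied with tunnel protection. show dmvpn and show ip nhrp confirm which spokes registered to which hub tunnel.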

    QUESTION 12
    Which two types of deployments can be implemented for a zone-based policy firewall? (Choose two.)

    A. routed mode
    B. interzone mode
    C. fail open mode
    D. transparent mode
    E. inspection mode

    Correct Answer: AD
    Section: Zone Based Firewall
    Explanation

    Explanation/Reference:
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html#GUID-96D83ADE-473F-4948-B0BF-005497493A34

    Zone-Based Policy Firewall

    Prerequisites for Zone-Based Policy Firewall
    Before you create zones, you must consider what should constitute zones. The general guideline is that you should group interfaces that are similar when they are viewed from a security perspective. The Wide Area Application Services (WAAS) and Cisco IOS firewall interoperability capability applies only on the Zone-Based Policy Firewall feature in Cisco IOS Release 12.4(11)T2 and later releases.

    Zones and Transparent Firewalls
    The Cisco firewall supports transparent firewalls where the interfaces are placed in bridging mode and the firewall inspects the bridged traffic.

    To configure a transparent firewall, use the bridge command to enable the bridging of a specified protocol in a specified bridge and the zone-member security command to attach an interface to a zone. The bridge command on the interface indicates that the interface is in bridging mode.

    A bridged interface can be a zone member. In a typical case, the Layer 2 domain is partitioned into zones and a policy is applied the same way as for Layer 3 interfaces.
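    An added example (not from the page or the Cisco documentation it quotes) of a zone-based policy firewall deployed in transparent mode, serving Questions 2, 3 and 12 together: the two interfaces are bridged into the same IP subnet, each is a zone member, and a single inspect zone pair is defined. The zone names, bridge group 1, the class-map and policy-map names, the interface names and the management address 192.0.2.10 are assumptions.

```cisco
! Added example (not from the page or Cisco documentation): zone-based
! policy firewall in transparent (bridged) mode.
! Assumed: zone names, bridge group 1, interface names, 192.0.2.10.
!
! Zones must exist before an interface can join them
zone security INSIDE
zone security OUTSIDE
!
! Bridge group 1 carries IP between the two interfaces; the router is a
! "bump in the wire" and hosts on either side keep their existing addresses
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface FastEthernet0/0
 no ip address
 bridge-group 1
 zone-member security INSIDE
!
interface FastEthernet0/1
 no ip address
 bridge-group 1
 zone-member security OUTSIDE
!
! Optional: a single management address for the transparent firewall itself
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
!
! The only zone pair: sessions initiated INSIDE -> OUTSIDE are inspected and
! their return traffic is allowed by state. No OUTSIDE -> INSIDE zone pair is
! defined, so sessions initiated from OUTSIDE are dropped by default.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
```

    Adding a routed deployment differs only in that the interfaces carry IP addresses and no bridge group; the zone, class-map, policy-map and zone-pair statements are identical. show zone-pair security and show policy-map type inspect zone-pair sessions show which direction is policed and which sessions are currently open.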

    QUESTION 13
    What is the result of configuring the command dot1x system-auth-control on a Cisco Catalyst switch?

    A. enables the switch to operate as the 802.1X supplicant
    B. globally enables 802.1X on the switch
    C. globally enables 802.1X and defines ports as 802.1X-capable
    D. places the configuration sub-mode into dot1x-auth mode, in which you can identify the authentication server parameters

    Correct Answer: B
    Section: Switch Security
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 118

    Tasks 1 and 2: Enable 802.1X Globally and on Individual User Ports
    Step 1. Enable 802.1X globally on the switch with the dot1x system-auth-control global command.

    Step 2. On the ports that will require 802.1X authentication, ensure that the interface is configured as a Layer 2 access port with the switchport mode access interface command.

    Tasks 3 and 4 configure 802.1X globally and then enable 802.1X on user (access) ports on the switch:
    Step 3. Make sure that the user interfaces are assigned to a proper access VLAN with the switchport access vlan vlan-id interface command.

    Step 4. Enable 802.1X port control on the user interfaces using the authentication port-control interface command.

    Enable 802.1X Globally and Add New RADIUS Authentication Method
    Router# configure terminal
    Router(config)# dot1x system-auth-control
    Router(config)# interface FastEthernet 2/1
    Router(config-if)# switchport mode access
    Router(config-if)# switchport access vlan 90
    Router(config-if)# authentication port-control auto
    Router(config-if)# end
    Router# copy running-config startup-config
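    An added Catalyst configuration (not from the page or the Cert Guide) that extends the book's four steps above with the RADIUS method and with the guest VLAN and authentication-failed VLAN behaviour asked about in Question 1, so it serves Questions 1 and 13 together. The RADIUS server address and key placeholder, VLANs 90, 91 and 92 and the interface FastEthernet2/1 are assumptions.

```cisco
! Added example (not from the page or the Cert Guide): 802.1X on one
! access port with a guest VLAN and an authentication-failed VLAN.
! Assumed: RADIUS server 192.0.2.10 and its key placeholder, VLANs 90/91/92.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key RADIUS-KEY-PLACEHOLDER
!
! Step 1: enable 802.1X globally. By itself this authorizes nothing; every
! port stays in its normal state until port control is configured on it.
dot1x system-auth-control
!
interface FastEthernet2/1
 ! Steps 2 and 3: Layer 2 access port in the user VLAN
 switchport mode access
 switchport access vlan 90
 ! Step 4: the switch acts as authenticator and gates the port on EAPOL
 dot1x pae authenticator
 authentication port-control auto
 ! Client never answers EAPOL (not 802.1X-capable): guest VLAN 91.
 ! When a capable client later sends EAPOL on this port, the port leaves the
 ! guest VLAN, goes unauthorized in the access VLAN and authentication restarts.
 authentication event no-response action authorize vlan 91
 ! Client answers EAPOL but RADIUS rejects it: restricted VLAN 92
 authentication event fail action authorize vlan 92
```

    show authentication sessions interface FastEthernet2/1 (or show dot1x interface FastEthernet2/1 details on older images) reports the current port state and the VLAN the session was authorized into, which is how the Question 1 transition from guest VLAN back to an unauthorized port can be observed.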

    QUESTION 14
    Refer to the exhibit. Given the partial configuration shown, which two statements are correct? (Choose two.)

    A. The tunnel will use the routing protocol configured for GigabitEthernet 1/1 for all tunnel communication with the peer.
    B. The IP route statement to reach the remote network behind the DMVPN peer is incorrect, it should be ip route 192.168.2.0 255.255.255.0 tunnel 0.
    C. This is an example of a static point-to-point VTI tunnel.
    D. The tunnel will use esp-sha-hmac encryption in ESP tunnel mode.
    E. The tunnel will use 128-bit AES encryption in ESP tunnel mode.

    Correct Answer: CE
    Section: VPN
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 399-401

    Configuration Scenario
    The configuration scenario used in the topic’s configuration sequence that follows includes two IKE peers that have untrusted interfaces using the IP addresses of 172.17.1.1 and 172.17.2.4. A static VTI tunnel between the IP addresses with static routing will be configured. Assumptions are that connectivity between the two peers exists and that IKE sessions are permitted along the path between the two outside interfaces of each peer. Also assumed is that basic IKE peering, as covered in the previous topic, is in place.

    Task 1: (Optional) Configure an IKE Policy on Each Peer
    Refer to the section, “Task 1: (Optional) Configure an IKE Policy on Each Peer,” under the section “Configuring Basic IKE Peering,” which documented how to configure IKE peering between the two peers.

    Task 2: (Optional) Configure an IPsec Transform Set
    The second configuration task is the optional task of creating a custom IPsec transform set. For example, to configure an IPsec transform set named AES128-SHA that uses ESP tunnel mode, with 128-bit AES encryption and SHA-1 HMAC integrity/authentication algorithms, you would enter the following:

    Router(config)# crypto ipsec transform-set AES128-SHA esp-aes 128 esp-sha-hmac

    Task 3: Configure an IPsec Protection Profile
    Task 3 in the VTI-based VPN peering sequence is the configuration of an IPsec protection profile. The IPsec protection profile specifies the traffic protection policy for the VTI tunnel and includes the following basic parameters:

    IPsec transform set used in the protection policy: The default IPsec transform set will be used if a custom transform set has not been configured.
    IPsec SA (session key) lifetimes: The default lifetime of 1 hour will be used if not configured differently.
    Perfect Forward Secrecy (PFS): PFS will not be negotiated by default.

    Example 15-6 shows the crypto ipsec profile global configuration command being used to create a named IPsec profile (MYIPsecProfile). Inside profile configuration mode, the administrator has specified a custom transform set using the set transform-set command and specifying the name of the custom transform set.

    Example 15-6 Configure IPsec Protection Profile
    Router(config)# crypto ipsec profile MYIPsecProfile
    Router(ipsec-profile)# set transform-set AES128-SHA
    Router(ipsec-profile)# end
    Router# copy running-config startup-config

    Task 4: Configure a Virtual Tunnel Interface (VTI)
    The fourth configuration task for VTI-based VPN peering is the creation and basic configuration of the VTI:

    Step 1. Using a new, unused tunnel interface number, create a new tunnel interface using the interface tunnel configuration command and give it an IP address and subnet mask using the ip address interface configuration command. As an alternative, use IP unnumbered addressing as shown in Example 15-7 by issuing the ip unnumbered command.

    Step 2. Configure a tunnel source address by using the tunnel source interface configuration command.

    Step 3. With the tunnel destination interface configuration command, configure a tunnel destination address by specifying the remote peer’s remote IP address.

    Example 15-7 Configure a Virtual Tunnel Interface (VTI)
    Router(config)# interface Tunnel0
    Router(config-if)# ip unnumbered GigabitEthernet0/0
    Router(config-if)# tunnel source GigabitEthernet0/0
    Router(config-if)# tunnel destination 172.17.2.4
    Router(config-if)# end
    Router# copy running-config startup-config

    Task 5: Apply the Protection Profile to the Tunnel Interface
    Task 5 is a required task that configures the IPsec encapsulation on the tunnel using the tunnel mode ipsec ipv4 command and applies the traffic protection policy to the tunnel by using the tunnel protection ipsec profile command. Example 15-8 illustrates the usage of these commands.

    Example 15-8 Apply a Protection Profile to a Tunnel Interface
    Router(config)# interface Tunnel0
    Router(config-if)# tunnel mode ipsec ipv4
    Router(config-if)# tunnel protection ipsec profile MYIPsecProfile
    Router(config-if)# end
    Router# copy running-config startup-config

    Task 6: Configure Routing into the VTI Tunnel
    In the sixth and final configuration task, Example 15-9 shows a configuration that is routing to all reachable networks through the tunnel. The example shows a static route for the 10.1.2.0/24 network that is pointing to the Tunnel0 interface. The other VPN router will have a similar configuration that routes the 10.1.1.0/24 network (the local router’s inside LAN) into the VTI VPN tunnel.
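    The six tasks above carried through end to end on both peers, as an added example (not from the page, which also omits the book's Example 15-9). The IKE policy values, the pre-shared key placeholder, the interface GigabitEthernet0/0 and the inside LANs 10.1.1.0/24 and 10.1.2.0/24 are assumptions; the peer addresses 172.17.1.1 and 172.17.2.4, the transform set AES128-SHA and the profile MYIPsecProfile are the ones used in the text.

```cisco
! Added example (not from the page or the Cert Guide): complete static VTI
! peering on both routers. Assumed: IKE policy values, PSK placeholder,
! interface Gi0/0, inside LANs 10.1.1.0/24 (Router A) and 10.1.2.0/24 (B).
!
! ---------------- Router A: outside 172.17.1.1, LAN 10.1.1.0/24 ----------------
! Task 1: IKE policy and peer authentication
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PSK-PLACEHOLDER address 172.17.2.4
!
! Task 2: transform set (ESP tunnel mode is the default mode)
crypto ipsec transform-set AES128-SHA esp-aes 128 esp-sha-hmac
!
! Task 3: protection profile that references the transform set
crypto ipsec profile MYIPsecProfile
 set transform-set AES128-SHA
!
! Tasks 4 and 5: the VTI and its IPsec encapsulation/protection
interface Tunnel0
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel destination 172.17.2.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYIPsecProfile
!
! Task 6: route the remote LAN into the tunnel. With a VTI there is no crypto
! ACL; whatever is routed to Tunnel0 is protected.
ip route 10.1.2.0 255.255.255.0 Tunnel0
!
! ---------------- Router B: outside 172.17.2.4, LAN 10.1.2.0/24 ----------------
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PSK-PLACEHOLDER address 172.17.1.1
crypto ipsec transform-set AES128-SHA esp-aes 128 esp-sha-hmac
crypto ipsec profile MYIPsecProfile
 set transform-set AES128-SHA
interface Tunnel0
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel destination 172.17.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYIPsecProfile
ip route 10.1.1.0 255.255.255.0 Tunnel0
```

    Once both sides are in place, show crypto isakmp sa should show the peer in QM_IDLE (the state Question 7's Step 4 looks for) and show crypto ipsec sa should show the Tunnel0 SA with esp-aes 128 and esp-sha-hmac, which is the basis for answers C and E in Question 14.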

    QUESTION 15
    You are troubleshooting a Cisco Easy VPN installation that is experiencing session establishment problems. You have verified that matching IKE and IPsec polices exist on both peers. The remote client has also successfully entered authentication credentials. What is the next step to take in troubleshooting this problem?

    A. verify that the router is not denying traffic from the tunnel
    B. verify that the router is able to assign an IP address to the client
    C. examine routing tables
    D. issue a ping from the client to the router to verify reachability

    Correct Answer: B
    Section: VPN
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 587

    Troubleshoot Basic EZVPN Operation
    To provide the same stability with a VPN connection that is achieved with traditional circuits, you must be able to troubleshoot and restore the connectivity.

    Troubleshooting Flow: VPN Session Establishment
    To troubleshoot issues with session establishment, perform the following steps:

    Step 1. Check that IKE and IPsec protocols successfully negotiated based on matching IKE and IPsec policies on the client on the ISR. The debug crypto isakmp and debug crypto ipsec commands display information helpful to identifying mismatched parameters.

    Step 2. Verify that user authentication works. Use the debug aaa authentication command to display the AAA functions and output.

    Step 3. Verify that the router is able to assign IP addresses to the client. The ISR will indicate failures to assign an IP address in the output of the debug crypto isakmp command.

    Troubleshooting Flow: VPN Data Flow
    If the EZVPN session establishes successfully but connectivity over the tunnel fails, perform the following troubleshooting steps:

    Step 1. If using split tunneling, check that the correct routes are being protected and that they are present in the routing table.

    Step 2. Verify that the ISR is not denying traffic from the VPN tunnel.

    Step 3. Verify that the protected network has a route to the client-assigned

    QUESTION 16
    You are troubleshooting a problem related to IPsec connectivity issues. You see that there is no ISAKMP security association established between peers. You debug the connection process and see an error message of 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0. What does this message indicate?

    A. This indicates a policy mismatch.
    B. This indicates that the offered attributes did not contain a payload.
    C. IKE has failed initial attempts and will resend policy offerings to the peer router.
    D. The time stamp of the message shows that it is one day old. This could indicate a possible mismatch of system clocks and invalidate the connection attempt.

    Correct Answer: A
    Section: VPN
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 439

    Verify IKE SA Establishment
    Use the debug crypto isakmp command to look for the ISAKMP policy using rsa-sig for authentication, successful certificate authorization when a peer matches the profile, and the successful establishment of the IKE SA.

    The following shows what the output of this command looks like.

    Router# debug crypto isakmp
    20:26:58: ISAKMP (8): beginning Main Mode exchange
    20:26:58: ISAKMP (8): processing SA payload. message ID = 0
    20:26:58: ISAKMP (8): Checking ISAKMP transform 1 against priority 10 policy
    20:26:58: ISAKMP: encryption DES-CBC
    20:26:58: ISAKMP: hash SHA
    20:26:58: ISAKMP: default group 1
    20:26:58: ISAKMP: auth pre-share
    20:26:58: ISAKMP (8): atts are acceptable. Next payload is 0

    QUESTION 17
    Which command will enable a SCEP interface when you are configuring a Cisco router to be a certificate server?

    A. scep enable (under interface configuration mode)
    B. crypto pki scep enable
    C. grant auto
    D. ip http server

    Correct Answer: D
    Section: Router Security
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 426

    Configure the SCEP Interface
    The SCEP interface is configured on the Certificate Server. This is essentially enabling the Cisco IOS Software HTTP server that provides the SCEP server to PKI clients. The CA will automatically enable and disable SCEP services based on the state of the HTTP server. If the HTTP server is not enabled, only manual Public Key Cryptography Standards (PKCS) #10 enrollment is supported on the Cisco IOS Software Certificate Server. To enable the HTTP server, enter the following command:

    Router(config)# ip http server

    QUESTION 18
    When 802.1X is implemented, how do the client (supplicant) and authenticator communicate?

    A. RADIUS
    B. TACACS+
    C. MAB
    D. EAPOL

    Correct Answer: D
    Section: Switch Security
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 119

    Implementing and Configuring Basic 802.1X
    Note: EAPOL is used between the supplicant and the authenticator, while RADIUS is used between the authenticator and the authentication server.

    QUESTION 19
    Which of these is an implementation guideline when deploying the IP Source Guard feature in an environment with multiple switches?

    A. Do not configure IP Source Guard on inter-switch links.
    B. Configure PACLs for DHCP-addressed end devices.
    C. IP Source Guard must be configured in the trunk sub-configuration mode to work on inter-switch links.
    D. Configure static IP Source Guard mapping for all access ports.

    Correct Answer: A
    Section: Switch Security
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 79

    IP Source Guard
    The IP Source Guard (IPSG) feature mitigates the chances of IP spoofing. The IPSG feature works on Layer 2 ports by restricting IP traffic based on the entries that exist in the DHCP snooping binding table. When enabled, IPSG will not allow any IP traffic over the switchport except for that traffic coming from the entry listed in the DHCP snooping table (*** and hence would not be a candidate for inter-switch links - my addition ***). A port access list will then be dynamically created based on the DHCP binding.

    IPSG also offers the capability to configure a static IP source binding that can be used in situations without the use of the DHCP snooping binding table. The behavior of IP Source Guard depends on how it is enabled; the two available options include:

    Source IP address filtering: When using this type of filtering, IPSG allows packets with an IP source address that is in the DHCP snooping binding database.

    Source IP and MAC address filtering: When using this type of filtering, IPSG allows packets whose IP address and MAC address match the DHCP snooping binding table.
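    An added Catalyst configuration (not from the page or the Cert Guide) showing both IPSG filtering modes, a static binding for a host that does not use DHCP, and the uplink deliberately left without IPSG, which is the guideline behind Question 19. VLAN 10, the interface names and the static binding's MAC and IP address are assumptions.

```cisco
! Added example (not from the page or the Cert Guide): IP Source Guard on
! access ports, built on DHCP snooping. Assumed: VLAN 10, interface names,
! and the constructed static binding 0011.2233.4455 / 10.1.10.50.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Inter-switch link towards the DHCP server: trusted for snooping, and
! IPSG is NOT enabled here. The local binding table only knows the hosts on
! this switch, so IPSG on the trunk would drop every packet from hosts that
! sit behind the neighbouring switch.
interface GigabitEthernet0/24
 switchport mode trunk
 ip dhcp snooping trust
!
! Access port, DHCP client: filter on source IP only
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Access port, DHCP client: filter on source IP and MAC (needs port security
! so the switch also learns/enforces the MAC of the binding)
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source port-security
!
! Access port with a statically addressed server: the binding is supplied
! by hand because no DHCP lease will ever populate the snooping table
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet0/3
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 ip verify source
```

    show ip verify source lists each IPSG port with the IP (and MAC, for the port-security variant) it currently permits, and show ip dhcp snooping binding shows the dynamic and static bindings those filters are derived from; a host that sends with a source address outside its binding is simply dropped at the port.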

  • QUESTION 20You have configured Management Plane Protection on an interface on a Cisco router. What is the resultingaction on implementing MPP?

    A. Inspection of protected management interfaces is automatically configured to ensure that managementprotocols comply with standards.

    B. The router gives preference to the configured management interface. If that interface becomes unavailable,management protocols will be allowed on alternate interfaces.

    C. Along with normal user data traffic, management traffic is also allowed only on the protected interface.D. Only management protocols are allowed on the protected interface.

    Correct Answer: C
    Section: Router Security
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 262

    Management Plane Protection
    In many situations, it is possible to know which device interface or interfaces will always be used for management traffic. It is in these situations when the Management Plane Protection (MPP) feature can be used. MPP enables you to limit the source of management traffic to a specific interface (or interfaces) on a device. This is important because many of these protocols are inherently insecure. This ability provides additional protection from management plane attacks that are sourced off of interfaces that should never contain management traffic.

    To use the MPP feature, IP Cisco Express Forwarding (CEF) must be enabled on the device. Also note that if the management of a device is handled through the use of a loopback interface, the management interface to be used in MPP configuration is the physical interface where management traffic will be processed.

    QUESTION 21
    Refer to the exhibit. What can be determined from the configuration shown?

    A. The community SNMP string is SNMP-MGMT-VIEW.
    B. All interfaces will be included in the SNMP GETs.
    C. This SNMP group will only allow read access to interface MIBs.
    D. The SNMP server group is using 128-bit SHA authentication.

    Correct Answer: C
    Section: Router Security
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 397

    SNMP Version 3 Configuration
    The configuration of SNMP version 3 is different from that of the other versions because the security mechanism is much more complex and offers a much higher level of security. Security is configured through the creation of users and groups; the groups are given access to specific SNMP MIB objects through views, and the users are assigned to specific groups. Version 3 also supports the use of both authentication (MD5 or Secure Hash Algorithm [SHA]) and encryption (Data Encryption Standard [DES], Triple DES [3DES], or Advanced Encryption Standard [AES]) of SNMP traffic. Users can be set up on the local device and/or on the remote management server.

    The security digests required for authenticating and encrypting packets utilize an EngineID that is automatically generated on the local device (local EngineID) but is required to be configured for each remote device/remote management server when exchanging packets (remote EngineID). Remote users can also be configured, but the remote EngineID is required before these users can be created to ensure proper security exchange information. Table 10-13 describes the different commands that are required to create and configure SNMPv3 users and groups.

    The example below shows the configuration of a new SNMP group called v3group that is used for authorization and provides a read view of ciscoview. This configuration also shows a new SNMP user called v3user configured to use MD5 for authorization with a password of ciscopass.

    Router# configure terminal
    Router(config)# snmp-server group v3group v3 auth read ciscoview
    Router(config)# snmp-server user v3user v3group v3 auth md5 ciscopass

    QUESTION 22
    When enabling the Cisco IOS IPS feature, which step should you perform to prevent rogue signature updates from being installed on the router?

    A. configure authentication and authorization for maintaining signature updates
    B. install a known RSA public key that correlates to a private key used by Cisco
    C. manually import signature updates from Cisco to a secure server, and then transfer files from the secure server to the router
    D. use the SDEE protocol for all signature updates from a known secure management station

    Correct Answer: B
    Section: IPS
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 343

    The first configuration task in this sequence is to import a known RSA public key whose private key is used by Cisco IPS engineering to digitally sign all signature packages and updates for Cisco IPS sensors. This public key will be used by the Cisco ISR to validate the digital signature of signature packages and updates as authentic. This is important because it is designed to prevent rogue updates from being deployed onto Cisco IPS sensors. This is not associated with the Cisco IPS licensing framework.

    To install the known RSA public key, create an RSA public key chain on the router, using the crypto key pubkey-chain rsa command, and inside it, create a new named signature key with the name realm-cisco.pub using the named-key command. Then, enter the key-string command and paste the text from the realm-cisco.pub.key.txt file, which is found at Cisco.com. Below is an example:

    Router# configure terminal
    Router(config)# crypto key pubkey-chain rsa
    Router(config-pubkey-chain)# named-key realm-cisco.pub signature
    Translating “realm-cisco.pub”
    Router(config-pubkey-key)# key-string
    Enter a public key as a hexadecimal number ....
    ! Note: The $ to the left of the hex characters represents that there are more
    ! numbers present than would fit on one line.
    Router(config-pubkey)# $2A864886 F70D0101 01050003 82010F00 3082010A 02820101
    Router(config-pubkey)# $D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
    Router(config-pubkey)# $912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
    Router(config-pubkey)# $085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
    Router(config-pubkey)# $0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
    Router(config-pubkey)# $994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
    Router(config-pubkey)# $5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
    Router(config-pubkey)# $A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
    Router(config-pubkey)# $80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
    Router(config-pubkey)# F3020301 0001
    Router(config-pubkey)# quit
    Router(config-pubkey-key)# end

    QUESTION 23
    Drag and Drop #1

    Select and Place:

    Correct Answer:

    Section: Switch Security
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 113

    Gathering Input Parameters
    Because 802.1X authentication requires several technologies to work together, up-front planning helps ensure the success of the deployment. Part of this planning involves gathering important input information:

    Determine the list of LAN switches that currently allow unauthorized users full access to the network. Use this list to determine which of these devices should be configured with 802.1X and the feature availability on the switches.

    Determine what authentication database (such as Windows AD) is being used for user credentials. This allows you to determine whether you can leverage the same one and make the 802.1X deployment transparent to your users.

    Determine the types of clients being used on the network (platform and operating systems). This is required to choose a compatible supplicant and to configure it appropriately.

    Determine the software distribution mechanism in use by the organization. This will affect provisioning and supporting the supplicant on current and future client workstations.

    Determine whether the network path between the supplicant and the authentication server is trusted. A trusted network path allows an anonymous EAP-FAST implementation, whereas a nontrusted network path requires separate EAP-FAST credentials.

    QUESTION 24
    Drag & Drop #3

    Select and Place:

    Correct Answer:

    Section: VPN
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 396-397, and various web pages

    Clear IPsec Security Associations (SAs)
    In IPsec there are two sets of SAs: one for IKE phase 1, and another for IKE phase 2. In production, if IKE phase 1 had succeeded and it was just IKE phase 2 that was the problem, we might clear just the SA for phase 2.

    router# clear crypto sa

    Verify Local IKE Policies
    Use the show crypto isakmp policy command to display the parameters configured for each local IKE policy.

    Unless you have added custom IKE policies with the crypto isakmp policy command or have removed the default IKE policies with the no crypto isakmp default policy command, the default IKE policies will be displayed as the output of the show crypto isakmp policy command. Example 15-4 shows the parameters that are displayed after the command is issued.

    Router# show crypto isakmp policy
    Global IKE policy
    Protection suite of policy 10
        Encryption algorithm: AES - Advanced Encryption Standard (128 bit keys)
        Hash algorithm: Secure Hash Algorithm
        Authentication method: Pre-shared Key
        Diffie-Hellman Group: #14 (2048 bit)
        Lifetime: 3600 seconds, no volume limit

    Verify the IPsec Protection Policy Settings
    The show crypto ipsec transform-set command verifies our IPsec status and shows that we're using tunnel mode (rather than transport mode). Tunnel mode is appropriate for a router-to-router configuration as opposed to an end node talking to another end node.

    R2# show crypto ipsec transform-set
    Transform set MySet: { ah-sha-hmac }
       will negotiate = { Tunnel, },
       { esp-256-aes }
       will negotiate = { Tunnel, },

    Verify Local IKE Sessions
    Use the show crypto isakmp sa command to display the current IKE Security Associations (SA) on the local router. The QM_IDLE status indicates successful establishment of the IKE SA, meaning that the ISAKMP process is idle after having successfully negotiated.

    Router# show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    172.17.2.4      172.17.1.1      QM_IDLE           1004 ACTIVE

    Deleting the Active IKE Security Associations (SAs)
    This command deletes the active IKE security associations.

    clear crypto isakmp
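    The verification commands above can be turned into checks a monitoring job runs after every change. The following is an added Python example (not code from the page or the Cert Guide) that parses constructed copies of show crypto isakmp policy and show crypto isakmp sa output laid out like the samples above, flags IKE policies that still negotiate DES, MD5 or weak Diffie-Hellman groups, and flags IKE SAs that are not in the QM_IDLE/ACTIVE state. The second policy and the second SA row are constructed so that the checks have something to report.

```python
"""Parse IKE verification output into results a monitor can assert on.

Added example, not code from the page or the Cert Guide. The sample output
below is constructed to follow the layout shown above; policy 10 and the
first SA row mirror the page, policy 20 and the second SA row are added
here as deliberately bad cases for the checks to catch.
"""
import re

POLICY_OUTPUT = """\
Global IKE policy
Protection suite of policy 10
    Encryption algorithm: AES - Advanced Encryption Standard (128 bit keys)
    Hash algorithm: Secure Hash Algorithm
    Authentication method: Pre-shared Key
    Diffie-Hellman Group: #14 (2048 bit)
    Lifetime: 3600 seconds, no volume limit
Protection suite of policy 20
    Encryption algorithm: DES - Data Encryption Standard (56 bit keys)
    Hash algorithm: Message Digest 5
    Authentication method: Pre-shared Key
    Diffie-Hellman Group: #1 (768 bit)
    Lifetime: 86400 seconds, no volume limit
"""

SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.17.2.4      172.17.1.1      QM_IDLE           1004 ACTIVE
172.17.2.4      172.17.1.9      MM_NO_STATE       1005 ACTIVE (deleted)
"""


def parse_isakmp_policy(text):
    """Return {policy_number: {field_name_lowercase: value}}."""
    policies = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Protection suite of policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            policies[current][key.strip().lower()] = value.strip()
    return policies


def weak_policies(policies):
    """Policy numbers that use DES/3DES, MD5, or Diffie-Hellman group 1, 2 or 5."""
    weak = []
    for num, p in policies.items():
        enc = p.get("encryption algorithm", "").upper()
        hsh = p.get("hash algorithm", "").upper()
        dh = re.search(r"#(\d+)", p.get("diffie-hellman group", ""))
        if (enc.startswith(("DES", "3DES", "THREE KEY TRIPLE DES"))
                or "MD5" in hsh or "MESSAGE DIGEST" in hsh
                or (dh and int(dh.group(1)) in (1, 2, 5))):
            weak.append(num)
    return sorted(weak)


def _is_ipv4(s):
    octets = s.split(".")
    return len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets)


def parse_isakmp_sa(text):
    """Return one dict per SA row; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and _is_ipv4(parts[0]) and _is_ipv4(parts[1]):
            rows.append({"dst": parts[0], "src": parts[1], "state": parts[2],
                         "conn_id": int(parts[3]), "status": " ".join(parts[4:])})
    return rows


def unhealthy_sas(rows):
    """SAs that never reached QM_IDLE (phase 1 incomplete) or are not plainly ACTIVE."""
    return [r for r in rows if r["state"] != "QM_IDLE" or r["status"] != "ACTIVE"]


if __name__ == "__main__":
    print("weak IKE policies:", weak_policies(parse_isakmp_policy(POLICY_OUTPUT)))
    for r in unhealthy_sas(parse_isakmp_sa(SA_OUTPUT)):
        print("unhealthy SA:", r)
```

    Both parsers key on structure (the "Protection suite of policy N" header, rows that start with two IPv4 addresses) rather than on column positions, so minor whitespace differences between IOS releases do not break them.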

    QUESTION 25
    Drag & Drop #4

    Select and Place:

    Correct Answer:

    Section: Router Security
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 298

    Zone-Based Policy Firewall Overview
    AIC provides the ability to perform in-memory reassembly of Layer 4 sessions to obtain stream information between the two connected hosts. It also provides the ability to monitor application layer protocol information and verify that this information is conforming to established standards.

    The ZBPFW feature also supports the use of Port to Application Matching (PAM). This feature can be used when nonstandard ports are used for common services. For example, if HTTP is configured to be used on port 8000 instead of 80, with PAM, port 8000 can be mapped as an HTTP port and be analyzed as a normal HTTP connection. The HTTP inspection-matching abilities are quite extensive and include several options for the HTTP request, HTTP response, or both. There are also a couple of different options that can be used to detect other criteria, including non-HTTP traffic using HTTP ports and whether the traffic contains Java applet(s).

    The use of the Layer 7 policies with a zone-based firewall is also supported. This capability allows the device to control the traffic through attributes that are provided at Layers 5–7. A requirement of these policies is that they must be nested under an existing Layer 3/4 policy map to be applied (using the service-policy command) and there must be an inspect action configured first.

    Exam B

    QUESTION 1
    Drag and Drop #5 - NAT Types

    Select and Place:

    Correct Answer:

    Section: Drag and Drop
    Explanation

    Explanation/Reference:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/cfgnat.html#wp1042392

    Dynamic NAT
    Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool may include fewer addresses than the real group. When a host you want to translate accesses the destination network, the security appliance assigns the host an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out. For an example, see the timeout xlate command in the Cisco Security Appliance Command Reference. Users on the destination network, therefore, cannot initiate a reliable connection to a host that uses dynamic NAT, although the connection is allowed by an access list, and the security appliance rejects any attempt to connect to a real host address directly. See the "Static NAT" or "Static PAT" section for information on how to obtain reliable access to hosts.

    Port Address Translation (PAT)
    PAT translates multiple real addresses to a single mapped IP address. Specifically, the security appliance translates the real address and source port (real socket) to the mapped address and a unique port above 1024 (mapped socket). Each connection requires a separate translation, because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.

    After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable. Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an access list). Not only can you not predict the real or mapped port number of the host, but the security appliance does not create a translation at all unless the translated host is the initiator. See the following "Static NAT" or "Static PAT" sections for reliable access to hosts.

    PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the security appliance interface IP address as the PAT address. PAT does not work with some multimedia applications that have a data stream that is different from the control path. See the "When to Use Application Protocol Inspection" section for more information about NAT and PAT support.

    Static NAT
    Static NAT creates a fixed translation of real address(es) to mapped address(es). With dynamic NAT and PAT, each host uses a different address or port for each subsequent translation. Because the mapped address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if an access list exists that allows it).

    The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT allows a remote host to initiate a connection to a translated host (if an access list exists that allows it), while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with static NAT.

    Static PAT
    Static PAT is the same as static NAT, except that it lets you specify the protocol (TCP or UDP) and port for the real and mapped addresses. This feature lets you identify the same mapped address across many different static statements, provided the port is different for each statement. You cannot use the same mapped address for multiple static NAT statements.

    For applications that require inspection for secondary channels (for example, FTP and VoIP), the security appliance automatically translates the secondary ports. For example, if you want to provide a single address for remote users to access FTP, HTTP, and SMTP, but these are all actually different servers on the real network, you can specify static PAT statements for each server that uses the same mapped IP address, but different ports.

    Policy NAT
    Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses in an extended access list. You can also optionally specify the source and destination ports. Regular NAT can only consider the source addresses, and not the destination. For example, with policy NAT, you can translate the real address to mapped address A when it accesses server A, but translate the real address to mapped address B when it accesses server B.
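    The translation-table behaviour described above for dynamic NAT, PAT and static NAT, as an added Python model (not code from the page or from Cisco). It shows that dynamic NAT and PAT install a translation only after the inside host initiates, that a mapped pool smaller than the real group runs dry, that PAT keys its table on the real socket, and that only static NAT gives an outside host a translation it can count on. Addresses and pool sizes are constructed sample values, and timeouts are modelled as an explicit call rather than a timer.

```python
"""Dynamic NAT, PAT and static NAT translation tables, modelled in Python.

Added example, not code from the page or from Cisco. Addresses are constructed
sample values; the expiry of a translation is an explicit timeout() call.
"""
import itertools


class Nat:
    def __init__(self, kind, pool=(), static=None, pat_address=None):
        self.kind = kind                      # "dynamic", "pat" or "static"
        self.free_pool = list(pool)           # dynamic NAT: mapped addresses not yet handed out
        self.static = dict(static or {})      # static NAT: real ip -> mapped ip, never expires
        self.pat_address = pat_address        # PAT: the single mapped address
        self.xlate = {}                       # dynamic: real ip -> mapped ip
                                              # pat: (real ip, real port) -> (mapped ip, port)
        self._ports = itertools.count(1025)   # PAT hands out unique ports above 1024

    def outbound(self, real_ip, real_port):
        """Inside (real) host initiates a connection; returns the mapped (ip, port)."""
        if self.kind == "static":
            return self.static[real_ip], real_port
        if self.kind == "pat":
            key = (real_ip, real_port)        # 10.1.1.1:1025 and 10.1.1.1:1026 are distinct
            if key not in self.xlate:
                self.xlate[key] = (self.pat_address, next(self._ports))
            return self.xlate[key]
        if real_ip not in self.xlate:         # dynamic NAT: take an address from the pool
            if not self.free_pool:
                raise RuntimeError("NAT pool exhausted")
            self.xlate[real_ip] = self.free_pool.pop(0)
        return self.xlate[real_ip], real_port

    def inbound(self, mapped_ip, mapped_port):
        """Outside host initiates; returns the real (ip, port), or None if nothing matches."""
        if self.kind == "static":
            for real_ip, mapped in self.static.items():
                if mapped == mapped_ip:
                    return real_ip, mapped_port
            return None
        if self.kind == "pat":
            for (real_ip, real_port), mapped in self.xlate.items():
                if mapped == (mapped_ip, mapped_port):
                    return real_ip, real_port
            return None
        for real_ip, mapped in self.xlate.items():   # dynamic: only while the entry lives
            if mapped == mapped_ip:
                return real_ip, mapped_port
        return None

    def timeout(self, real_ip=None):
        """Expire translations for one real host (or all); static entries never expire."""
        if self.kind == "dynamic":
            for real in [r for r in self.xlate if real_ip is None or r == real_ip]:
                self.free_pool.append(self.xlate.pop(real))
        elif self.kind == "pat":
            for key in [k for k in self.xlate if real_ip is None or k[0] == real_ip]:
                del self.xlate[key]


if __name__ == "__main__":
    dyn = Nat("dynamic", pool=["209.202.161.100", "209.202.161.101"])
    print("inbound before any outbound traffic:", dyn.inbound("209.202.161.100", 80))
    print("outbound:", dyn.outbound("172.16.1.10", 40000))
    print("inbound while translation exists:", dyn.inbound("209.202.161.100", 80))
    dyn.timeout("172.16.1.10")
    print("inbound after timeout:", dyn.inbound("209.202.161.100", 80))
```

    The answer an outside host gets from the dynamic-NAT and PAT tables changes with time and with what the inside host happened to do last, which is exactly why the text says such connections are not reliable; the static table answers the same way regardless.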

    QUESTION 2
    Drag & Drop #7 - Control Plane Security

    Select and Place:

    Correct Answer:

    Section: Switch Security
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 43

    Essentially, two types of attacks are most commonly launched against the control plane:

    The first type involves using commonly used legitimate protocols in a malicious manner. These common protocols, or signaling protocols, are what is used to build the information needed to properly forward traffic. These include Spanning Tree Protocol (STP), VLAN Trunking Protocol (VTP), and all routing protocols. As shown in Table 3-3, following best practices in most cases will help you protect yourself from these types of attacks. This means utilizing message digest algorithm 5 (MD5) authentication between routing peers and filtering any inbound route advertisements so that you only accept information that you know is legitimate. Protecting STP can be done with a proper STP deployment. This includes configuration items, such as specifying which device is the STP root bridge and using other tools, such as BPDU Guard, BPDU Filter, and BPDU Root Guard, as described in the Implementing Cisco IP Switched Networks course.

    The second type of attack is essentially a denial of service (DoS) attack against the control plane. Attacking the router with a large number of legitimate packets can possibly make the CPU on the device too busy to handle normal traffic. The use of access control lists (ACL), Control Plane Protection (CPPr), and Control Plane Policing (CoPP) can mitigate these types of attacks.

    QUESTION 3
    Drag & Drop #8 - Data Plane Security

    Select and Place:

    Correct Answer:

    Section: Switch Security
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 44

    Data Plane
    The data plane performs the forwarding of traffic and can apply services to data, such as security, QoS, and so on. As with the control plane, attacks aimed at the data plane and the proper mitigation strategies are specific to whether the device is a router or a switch. Table 3-4 lists some common data plane attacks on a Cisco IOS Software router or switch and the mitigation techniques used to prevent them.

    Like the control plane, the attacks on the data plane can be placed into two categories. One in which the attack attempts to adversely affect the links connected to the device or the device itself, and the other category is for attacks that can be considered as some form of impersonation. From Table 3-4, you can see several different types of spoofing, which is an attempt to impersonate something that is considered legitimate, such as the MAC address, IP address, ARP table entry, and so forth. The table lists the various mitigation techniques as well.

    QUESTION 4
    Drag & Drop #10

    Select and Place:

    Correct Answer:

    Section: IPS
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 349

    Signature Event Action Overrides (SEAO)
    The SEAP signature event action overrides (SEAO) are a Cisco IOS Software IPS configuration tool that allows one or more actions to be added to all active signatures based on the calculated risk rating of each event.

    Event action overrides provide a way to add actions globally without having to configure each signature or signature category. Each event action override is associated with an event risk rating range. If a signature event occurs and the event risk rating for the event falls within the configured range for the event action override, the action will be added to the event. For example, if you set the risk rating range for the “deny packet inline” action to 85–100, for every signature event that has an event risk rating calculation that falls within this range, the “drop packet inline” action will be added to the event.

    Signature Event Action Filters (SEAF)
    The SEAP signature event action filters are a Cisco IOS Software IPS configuration tool that allows one or more actions to be removed from all active signatures based on the attacker and/or target (source and destination) address and event risk rating criteria.

    Signature event action filters are typically used to remove one, several, or all actions from a particular signature when certain circumstances are met, such as when triggered by a specific source IP address.

    Target Value Rating
    The Target Value Rating (TVR) is assigned to each asset and is used to assign value to a particular asset. To the Cisco IPS sensor, each unique asset is identified by its IP address. Assets in the environment that are more important or mission critical would receive a higher value than those assets that are not as important. The target value rating level can be set to zero, low, medium, high, or mission critical. Each target level has a numeric value that is associated with it that is used in the ERR calculation:

    Zero (50)
    Low (75)
    Medium (100)
    High (150)
    Mission Critical (200)

    By default, the Cisco IPS sensors consider all assets as having a Medium TVR.
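    The override and filter logic just described, as an added Python model (not code from the page or from Cisco IOS IPS). Overrides are applied first and filters second, the order in which the SEAP stages run; the event risk rating is taken as an input, since the ERR formula is not given on the page, and the TVR table uses the numeric values listed above. The signature ID, addresses and the filter's scanner subnet are constructed sample values; the 85–100 range for the deny-packet-inline action is the one from the text.

```python
"""SEAP event action overrides, filters and TVR, modelled in Python.

Added example, not code from the page or from Cisco IOS IPS. Overrides add
actions by ERR range; filters then remove actions by attacker/target
network and ERR range. The ERR itself is supplied by the caller.
"""
import ipaddress
from dataclasses import dataclass, field

# Numeric TVR per level, as listed above; the page states the default is Medium.
TVR_VALUES = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
DEFAULT_TVR = "medium"


@dataclass
class Event:
    sig_id: int
    attacker: str
    target: str
    risk_rating: int                       # event risk rating (ERR), 0-100, given as input
    actions: set = field(default_factory=set)


@dataclass
class Override:
    """Add `action` to every event whose ERR falls within [min_rr, max_rr]."""
    action: str
    min_rr: int
    max_rr: int


@dataclass
class Filter:
    """Remove `actions` from events matching the attacker/target networks and ERR range."""
    actions: set
    attacker_net: str = "0.0.0.0/0"
    target_net: str = "0.0.0.0/0"
    min_rr: int = 0
    max_rr: int = 100


def target_value(asset_ratings, ip):
    """Numeric TVR for an asset; assets without an explicit level get the Medium default."""
    return TVR_VALUES[asset_ratings.get(ip, DEFAULT_TVR)]


def apply_seap(event, overrides, filters):
    """Return the final action set for an event: overrides first, then filters."""
    actions = set(event.actions)
    for o in overrides:
        if o.min_rr <= event.risk_rating <= o.max_rr:
            actions.add(o.action)
    attacker = ipaddress.ip_address(event.attacker)
    target = ipaddress.ip_address(event.target)
    for f in filters:
        if (attacker in ipaddress.ip_network(f.attacker_net)
                and target in ipaddress.ip_network(f.target_net)
                and f.min_rr <= event.risk_rating <= f.max_rr):
            actions -= f.actions
    return actions


# Constructed policy: the override range from the text, plus one filter that
# keeps inline drops from being added to events sourced from an internal
# vulnerability-scanner subnet (a typical reason to use a filter).
OVERRIDES = [Override("deny-packet-inline", 85, 100)]
FILTERS = [Filter({"deny-packet-inline"}, attacker_net="10.0.0.0/8")]

if __name__ == "__main__":
    e = Event(2004, "192.0.2.10", "198.51.100.5", 90, {"produce-alert"})
    print(sorted(apply_seap(e, OVERRIDES, FILTERS)))
```

    Because the override runs before the filter, an event from the scanner subnet with an ERR of 90 first gains deny-packet-inline and then loses it again, ending with only the signature's own produce-alert action; the same event from any other source keeps the drop.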

    QUESTION 5
    Drag & Drop #11 - Application Layer Inspection

    Select and Place:

    Correct Answer:

    Section: Router Security
    Explanation

    Explanation/Reference:
    CCNP Security FIREWALL 642-618 Official Cert Guide, 2012
    David Hucaby, Dave Garneau, Anthony Sequeira
    Page 517-518

    Configuring a Policy for Inspecting OSI Layers 5–7

    With the ASA MPF structure, you can also configure policies that can be used for inspecting application traffic at OSI Layers 5 through 7. The ASA offers a suite of application inspectors that can provide a variety of security measures. Because applications can be complex and intricate, a security appliance should be able to analyze and limit various aspects of the application traffic to form an overall security policy. An ASA can do just that by leveraging the four key functions listed in Table 9-10 as part of its application inspection and control (AIC) features.

    Protocol verification: Drop any HTTP sessions that do not adhere to the protocol specification. This function has very few user-configurable options; it is usually enabled or disabled (the default).

    Protocol minimization: Allow only specific features of the HTTP protocol to be passed on to the protected client or server. When configuring, block everything that is not an acceptable action with the “match not” condition; everything else will be permitted.

    For example, suppose you want to minimize the possible HTTP requests that can reach a protected server. Only the GET request should be allowed. In this case, if the request “matches not” GET, then drop it.

    Payload minimization: Allow only specific payloads inside HTTP packets to be delivered to the protected client or server. When configuring, block everything that is not an acceptable value with the “match not” condition; everything else will be inherently permitted.

    For example, suppose you want to minimize the possible HTTP payloads that can be serviced by a protected server. Only requests involving a URI that begins with /customer should be allowed. In this case, if the URI “matches not” the regular expression /customer, then drop it.

    Application layer signatures: Identify and drop known bad HTTP payloads. When configuring, block specific content with the “match” condition. Regular expressions are often used to match content.

    As an example, suppose that GET requests that include an external link to http:// or https:// should be blocked. In this case, you could configure a regular expression to match against http:// or https:// in the HTTP request header arguments and drop those connections.
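    The four AIC functions above (protocol verification, protocol minimization, payload minimization and application layer signatures) applied to constructed HTTP requests, as an added Python example. This is not ASA code or code from the Cert Guide; the request parser is a small HTTP/1.1 subset assumed for the example, and the sample requests and host names are constructed.

```python
"""HTTP application inspection modelled after the four ASA AIC functions above.

Added example, not code from the page, the Cert Guide or the ASA. It applies
the "match not" (minimization) and "match" (signature) logic the text
describes to constructed requests. The parser is an assumed HTTP/1.1 subset.
"""
import re
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    uri: str
    version: str
    headers: dict


def parse_request(raw):
    """Parse the request head; raise ValueError for malformed input (protocol verification)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(parts[0], parts[1], parts[2], headers)


# The policy, in the order the text presents the functions.
ALLOWED_METHODS = {"GET"}                      # protocol minimization: "match not" GET -> drop
ALLOWED_URI = re.compile(r"^/customer")        # payload minimization: URI "matches not" -> drop
BAD_ARG_SIGNATURE = re.compile(r"https?://")   # application layer signature: "match" -> drop


def inspect(raw):
    """Return ("pass", reason) or ("drop", reason) for one raw HTTP request."""
    try:
        req = parse_request(raw)
    except ValueError as exc:
        return "drop", f"protocol verification: {exc}"
    if req.method not in ALLOWED_METHODS:
        return "drop", f"protocol minimization: method {req.method} not permitted"
    path, _, query = req.uri.partition("?")
    if not ALLOWED_URI.search(path):
        return "drop", f"payload minimization: URI {path} not permitted"
    if BAD_ARG_SIGNATURE.search(query):
        return "drop", "application layer signature: external link in request arguments"
    return "pass", "all AIC checks satisfied"


# Constructed sample requests, one per outcome.
SAMPLES = {
    "ok": "GET /customer/orders?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "post": "POST /customer/orders HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "admin": "GET /admin HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "redirect": "GET /customer/go?next=https://other.example/ HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "garbled": "GET /customer\r\nHost shop.example\r\n\r\n",
}


def inspect_all(samples=SAMPLES):
    """Verdict per sample name."""
    return {name: inspect(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9s} -> {inspect(raw)}")
```

    Note the difference in polarity: the two minimization checks drop anything that does not match an allow-list, while the signature check drops only what matches a deny pattern, which is the "match not" versus "match" distinction the text draws.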

    QUESTION 6
    Drag & Drop #13 - Easy VPN

    Select and Place:

    Correct Answer:

    Section: VPN
    Explanation

    Explanation/Reference:
    http://ccnpsecurity.blogspot.co.uk/2011/12/how-cisco-easy-vpn-works.html

    How the Cisco Easy VPN Works

    The Easy VPN Remote Connection Process

    Step 1: The VPN Client initiates the IKE Phase 1 process.
    Step 2: The VPN Client negotiates an IKE SA.
    Step 3: The Easy VPN Server accepts the SA proposal.
    Step 4: The Easy VPN Server initiates a username/password challenge.
    Step 5: The mode configuration process is initiated.
    Step 6: The RR process is initiated.
    Step 7: IKE quick mode completes the connection.

    QUESTION 7
    Drag & Drop #14 - IPS Types

    Select and Place:

    Correct Answer:

    Section: IPS
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 339

    Sensor Accuracy
    Because of the complexity of today’s network environments, security controls, such as IDS or IPS, can sometimes produce incorrect results that are due to either misconfigurations or something in the environment. All events should be vigorously investigated before assuming that an alert is incorrect.

    There are four classifications into which the decisions made by IPS and IDS can fall:

    True positives: The IPS or IDS sensor triggered because of legitimate malicious activity. This is normal, desired operation.

    False positives: The IPS or IDS sensor triggered because of nonmalicious activity. This is usually because of errors caused by signatures that are configured to be too relaxed or broad in scope. In other words, the sensor mistook normal traffic patterns to be malicious.

    True negatives: The IPS or IDS sensor failed to trigger when there was no malicious activity. This is normal, desired operation.

    False negatives: The IPS or IDS sensor failed to trigger when there was malicious activity. This is usually because of errors caused by signatures that are configured to be too specific.

    Care must be taken when tuning signatures. Adjusting signatures to be less restrictive to reduce the number of false positives can move your sensor closer to the possibility of missing legitimate attacks (false negatives).

    Proper knowledge, research, and expertise in a specific environment are required to adjust signatures to a state where they successfully trigger on legitimate malicious activity, yet do not trigger on legitimate nonmalicious activity and block legitimate traffic.

    QUESTION 8
    Refer to the exhibit. Given the partial configuration shown, what can be determined?

    A. This is an example of a dynamic policy PAT rule.
    B. This is an example of a static policy NAT rule.
    C. Addresses in the 10.10.30.0 network will be exempt from translation when destined for the 10.100.100.0 network.
    D. The extended access list provides for one-to-one translation mapping of the 10.10.30.0 network to the 10.100.100.0 network.

    Correct Answer: A
    Section: Router Security
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 285

    Dynamic NAT Configuration
    The configuration of dynamic NAT is different because it requires the local addresses (inside local addresses) that will be translated and the external addresses (inside global addresses) that will be used in place of these local addresses on the outside network. With dynamic NAT, the source addresses are identified through the use of a standard IP access control list (ACL). The addresses to be used as the external addresses will be defined in a NAT pool.

    Configuring Dynamic NAT
    Router# configure terminal
    Router(config)# access-list 1 permit 172.16.1.0 0.0.0.255
    Router(config)# ip nat pool addresspool 209.202.161.100 209.202.161.110 prefix-length 24
    Router(config)# ip nat inside source list 1 pool addresspool
    Router(config)# interface fastethernet0/0
    Router(config-if)# ip nat inside
    Router(config-if)# interface fastethernet0/1
    Router(config-if)# ip nat outside

    QUESTION 9
    When is it most appropriate to choose IPS functionality based on Cisco IOS software?

    A. when traffic rates are low and a complete signature is not required
    B. when accelerated, integrated performance is required using hardware ASIC-based IPS inspections
    C. when integrated policy virtualization is required
    D. when promiscuous inspection meets security requirements

    Correct Answer: A
    Section: IPS
    Explanation

    Explanation/Reference:
    CCNP Security Secure Official Cert Guide, 2011
    Sean Wilkins, Franklin H. Smith III
    Page 340

    Software-Based Sensor
    Cisco Integrated Services Routers (ISR) can implement the Cisco IPS sensor functionality by using the router’s main CPU to analyze packets. Software-based IPS only works in inline mode, meaning that packets are examined as they are forwarded by the router. The software-based IPS can support most of the same analysis features as the hardware IPS appliances. One of the benefits of it being inline is that it can drop traffic, block attacks, send alarms, and reset connections. This allows the router to respond immediately to detected security attacks.

    The IOS Software-based IPS is limited by the router’s CPU and memory performance, which are shared with other processes running on the router. Additionally, the Cisco IOS Software IPS requires a license to enable signatures after a certain date. The IPS signature update license is part of the IOS license configuration and is configured as any other Cisco IOS Software licensed feature. This study guide covers the Cisco IOS Software IPS sensor that is available in all Cisco ISR routers.

    QUESTION 10
    You have enabled Cisco IOS IPS on a router in your network. However, you are not seeing expected events on your monitoring system (such as Cisco IME). On the router, you see events being captured. What is the next step in troubleshooting the problem?

    A. verify that syslog is configured to send events to the correct server
    B. verify SDEE communications


    C. verify event action rulesD. verify that the IPS license is valid

    Correct Answer: BSection: IPSExplanation

    Explanation/Reference:CCNP Security Secure Official Cert Guide, 2011Sean Wilkins, Franklin H. Smith IIIPage 363-364

  • Cisco IOS Software IPS SensorSeveral Cisco IOS CLI commands can be used to troubleshoot IPS sensor issues. It is recommended togenerate traffic that is known to cause one of the configured signatures to trigger and then use the followingcommands to troubleshoot:

    show ip ips licenseshow logging / show ip sdee eventsshow ip ips signaturesshow ip ips event-action-rules filtersdebug ip ips enginedebug ip ips auto-update

    The following steps represent the recommended process flow for troubleshooting signature triggering on aCisco IOS Software IPS sensor-enabled router. This process is to troubleshoot a situation in which malicioustraffic does not trigger IPS signatures:

    Step 1. Verify that signatures do not actually fire because of triggering events. Use the show logging andshow ip sdee events commands. Events on the router, but not on the event-monitoring software, indicate anSDEE communication issue rather than a signature-triggering issue.

    Step 2. Check that the desired IPS functionality is enabled on all required interfaces. The show ip ipsinterfaces command will display all interfaces on which IPS is enabled.

    Step 3. Check to see whether the signatures that are expected to trigger are actually loaded on the router. Usethe show logging command to determine whether there were any signature compilation errors. Verify that theIPS license is valid with the show ip ips license command. Use the show ip ips signatures command to findthe signature with the problem and verify that it is enabled and not retired.

    Step 4. Ensure that the signature is not being filtered by SEAP event action filters by using the show ip ipsevent-action-rules filters command.

QUESTION 11
Which two of these are potential results of an attacker performing a DHCP server spoofing attack? (Choose two.)

A. DHCP snooping
B. DoS
C. confidentiality breach
D. spoofed MAC addresses
E. switch ports being converted to an untrusted state

Correct Answer: BC
Section: Router Security
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 67

DHCP Server Spoofing
With DHCP server spoofing, the attacker sets up a rogue DHCP server and responds to DHCP requests from clients on the network. This type of attack is often combined with a DHCP starvation attack: the legitimate server has no new IP addresses left to hand out, which raises the chance of new clients accepting a lease from the rogue DHCP server.

The information handed out by the rogue DHCP server (default gateway, DNS server) can send all the client's traffic through a rogue gateway, which can then capture the traffic for further analysis.

QUESTION 12
When Cisco IOS IPS signatures are being tuned, how is the Target Value Rating assigned?

A. It is calculated from the Event Risk Rating.
B. It is calculated from a combination of the Attack Severity Rating and Signature Fidelity Rating.
C. It is manually set by the administrator.
D. It is set based upon SEAP functions.

Correct Answer: C
Section: IPS
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 349

Target Value Rating
The Target Value Rating (TVR) is assigned to each asset and expresses the value of that asset. To the Cisco IPS sensor, each unique asset is identified by its IP address. Assets in the environment that are more important or mission critical receive a higher value than those that are not as important. The target value rating level can be set to zero, low, medium, high, or mission critical. Each target level has a numeric value associated with it that is used in the ERR calculation:

Zero (50)
Low (75)
Medium (100)
High (150)
Mission Critical (200)

    By default, the Cisco IPS sensors consider all assets as having a Medium TVR.
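The SDEE delivery path that Step 1 of the Question 10 troubleshooting flow checks, and the per-asset TVR assignment described for Question 12, as one added configuration example; this is not from the cert guide or the original dump. The management station address (10.1.1.5), the asset addresses, and the event counts are assumptions. The target-value command is the Cisco IOS IPS 5.x signature-format form under ip ips event-action-rules; the show keyword that lists target values is marked as assumed in the comments and should be checked against your IOS release.

```cisco
! Added example: IOS IPS alert delivery plus per-asset target value rating.
! Assumed addresses: management station 10.1.1.5, critical server 10.10.10.10,
! lab range 10.20.0.0/16.
!
! Alerts go to syslog and to SDEE. SDEE is pulled by the monitoring station
! over HTTP, so the HTTP server must be enabled; without it "show ip sdee
! events" lists events that no subscriber ever receives. Prefer
! "ip http secure-server" on crypto images.
ip ips notify log
ip ips notify sdee
ip sdee events 500
ip sdee subscriptions 2
ip http server
logging host 10.1.1.5
!
! Raise the TVR of one asset and lower it for a lab range. The same
! signature (same ASR and SFR) then scores a higher or lower event risk
! rating; IOS IPS computes it as ASR x TVR x SFR / 10000.
ip ips event-action-rules
 target-value mission-critical target-address 10.10.10.10
 target-value low target-address 10.20.0.0 to 10.20.255.255
 exit
!
! Verification. "target-value-rating" as a show keyword is assumed here.
show ip ips event-action-rules target-value-rating
show ip ips event-action-rules filters
show ip sdee subscriptions
show ip sdee events
```

If the router shows events under show ip sdee events but the console shows none, check show ip sdee subscriptions first: an expired or missing subscription, or a blocked HTTP port, is the SDEE communication problem that Question 10 points at, not a signature problem.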

QUESTION 13
Which of these should you do before configuring IP Source Guard on a Cisco Catalyst switch?

A. enable NTP for event correlation
B. enable IP routing authentication
C. configure an access list with exempt DHCP-initiated IP address ranges
D. turn DHCP snooping on at least 24 hours in advance

Correct Answer: D
Section: Switch Security
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 79

IP Source Guard
The IP Source Guard (IPSG) feature mitigates IP spoofing. IPSG works on Layer 2 ports by restricting IP traffic based on the entries that exist in the DHCP snooping binding table. When enabled, IPSG does not allow any IP traffic over the switch port except traffic coming from the entry listed in the DHCP snooping table. A port access list is then dynamically created based on the DHCP binding.

IPSG also offers the capability to configure a static IP source binding that can be used in situations without the DHCP snooping binding table. The behavior of IP Source Guard depends on how it is enabled; the two available options are:

Source IP address filtering: When using this type of filtering, IPSG allows packets with an IP source address that is in the DHCP snooping binding database.

Source IP and MAC address filtering: When using this type of filtering, IPSG allows packets whose IP address and MAC address match the DHCP snooping binding table.

**NOTE** The requirement to turn on DHCP snooping before enabling the IPSG feature is to allow a valid DHCP snooping table to be built, with bindings that IPSG can use. A host that obtained its lease before snooping was enabled has no binding and is blocked until it renews, so snooping should run long enough to cover the existing lease time.
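The DHCP snooping that both the Question 11 attack and the Question 13 prerequisite turn on, followed by IPSG in both of its forms, as an added configuration example that is not part of the cert guide or the original dump. VLAN 10, the port roles, the printer's MAC and address, and the file name are assumptions; the ip verify source syntax shown is the Catalyst 3560/3750 form, and other platforms (for example the 4500, which uses ip verify source vlan dhcp-snooping) differ.

```cisco
! Added example: DHCP snooping first, IP Source Guard afterwards.
! Assumed topology: access VLAN 10, hosts on Gi0/1-Gi0/23, uplink to the
! legitimate DHCP server on Gi0/24, a printer with a fixed address on Gi0/2.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-snoop.db
!
! Only the uplink may source DHCP OFFER/ACK; a rogue server answering on an
! access port (the Question 11 attack) is dropped here. Rate-limiting
! DISCOVERs on untrusted ports blunts the starvation half of the attack.
interface GigabitEthernet0/24
 ip dhcp snooping trust
interface range GigabitEthernet0/1 - 23
 ip dhcp snooping limit rate 15
!
! Static binding for a host that never uses DHCP, so IPSG does not cut it off.
ip source binding 0011.2233.4455 vlan 10 192.168.10.50 interface GigabitEthernet0/2
!
! IPSG. The plain form filters on source IP only; the port-security form
! also checks the source MAC against the binding.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip verify source
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source port-security
!
! Check the binding table before expecting IPSG to pass traffic: a host
! whose lease predates snooping has no entry and is dropped until it renews.
show ip dhcp snooping binding
show ip verify source
```

The database file keeps bindings across a reload; without it every host is blocked after a reboot until it renews, which is the same failure mode as enabling IPSG before snooping has run.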

QUESTION 14
What action will the parameter-map type ooo global command enable?

A. globally initiates tuning of the router's TCP normalizer parameters for out-of-order packets
B. globally classifies type ooo packets within the parameter map and subsequent policy map
C. enables a parameter map named ooo
D. configures a global parameter map for traffic destined to the router itself

Correct Answer: A
Section: Router Security
Explanation

    Explanation/Reference:http://www.cisco.com/en/US/docs/ios-xml/ios/sec_dat a_zbf/configuration/12-4t/sec-zone-pol-fw.html

Out-of-Order Packet Processing Support in the Zone-Based Firewall Application
Out-of-Order (OoO) packet processing support for the Common Classification Engine (CCE) firewall application and CCE adoptions of the Intrusion Prevention System (IPS) allows packets that arrive out of order to be copied and reassembled in the correct order. OoO packet processing reduces the need to retransmit dropped packets and reduces the bandwidth needed for the transmission of traffic on a network. To configure OoO support, use the parameter-map type ooo global command.

    **NOTE** IPS sessions use OoO parameters that are configured using the parameter-map type ooo global command.
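The tuning that the parameter-map type ooo global command opens up, as an added configuration example that is not from the Cisco document or the original dump. The values are illustrative; they are not recommendations for any particular platform.

```cisco
! Added example: tune out-of-order TCP segment handling for the zone-based
! firewall and IOS IPS. Each command line is followed by its meaning.
parameter-map type ooo global
! seconds a session waits for a missing segment before the queue is flushed
 tcp reassembly timeout 3
! out-of-order segments buffered per session before new ones are dropped
 tcp reassembly queue length 32
! kilobytes of memory allowed for all OoO buffering on the router
 tcp reassembly memory limit 2048
! log a message when the queue length or memory limit is reached
 tcp reassembly alarm on
!
show parameter-map type ooo global
```

The alarm is worth leaving on: a sustained stream of queue-limit messages from one session is either a badly reordering path or a client deliberately fragmenting a stream to evade inspection, and either way the firewall is no longer seeing the stream in order.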

QUESTION 15
Which protocol is EAP encapsulated in for communications between the authenticator and the authentication server?

A. EAP-MD5
B. IPsec
C. EAPOL
D. RADIUS

Correct Answer: D
Section: Switch Security
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 119

Implementing and Configuring Basic 802.1X
Note: EAPOL is used between the supplicant and the authenticator, while RADIUS is used between the authenticator and the authentication server (the EAP frames are carried in the RADIUS EAP-Message attribute, RFC 3579).

QUESTION 16
Refer to the exhibit. Given the configuration shown, which of these statements is correct?

A. An external service is providing URL filtering via a subscription service.
B. All HTTP traffic to websites with the name "Gambling" included in the URL will be reset.
C. A service policy on the zone pair needs to be configured in the opposite direction or all return HTTP traffic will be blocked by policy.
D. The URL filter policy has been configured in a fail-closed scenario.

Correct Answer: A
Section: Zone Based Firewall
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 313

URL Filter
The URL Filter feature provides the ability to pass, drop, or log traffic whose URL matches specific configured characteristics. These characteristics can be quite robust, including the capability to match traffic based on something as simple as a domain or something as complex as is provided by category matching (porn, gaming, weapons, and so on).

The more complex configurations use an external URL filtering server, including support for Websense and N2H2. Unlike the simpler Layer 3/4 configurations demonstrated in the previous section, the URL Filtering feature requires the configuration of a parameter map. The parameter map is used to define the specific parameters that will be referenced in the class map or policy map.

Parameter Map Configuration
Two different types of parameter maps can be configured for the URL Filter feature:

URL filter policy parameter map: Sets up the different parameters to be used with the URL filter policy.
URL filter GLOB parameter map: Specifies a list of domains, URL keywords, or URL metacharacters when setting up a local whitelist or blacklist.

The options that are available using the URL filter policy parameter map depend on the type of URL filtering that is going to be used: local, N2H2, or Websense. N2H2 and Websense provide competing databases that can be referenced when performing URL filtering.

QUESTION 17
Refer to the exhibit. Which two of these are most likely to have caused the issue with NHRP, given this output of the show command? (Choose two.)

A. There was a network ID mismatch.
B. The spoke router has not yet sent a request via Tunnel0.
C. The spoke router received a malformed NHRP packet.
D. There was an authentication key mismatch.
E. The registration request was expecting a return request ID of 1201, but received an ID of 120.

Correct Answer: AD
Section: VPN
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 461

Task 1 - Configure an NHRP Server
To create an NHRP server on the hub router, create a new NHRP server on the tunnel interface using the ip nhrp network-id interface command. The NHRP network ID must be the same on the NHRP server and its NHRP clients. If NHRP is being used over an untrusted network, configure NHRP authentication with the ip nhrp authentication command. Note that the NHRP authentication string travels in cleartext inside the NHRP packet and only confirms that peers belong to the same NHRP domain; the IPsec tunnel protection provides the actual confidentiality and peer authentication.

To support dynamic routing protocols, enable support of IP multicast traffic with the ip nhrp map multicast dynamic interface command. This allows each spoke to register as a receiver of multicast traffic, causing the hub to replicate and forward multicast packets to the spoke routers.

Task 2 - Configure an NHRP Client
Create an NHRP client on each spoke router. As on the hub, configure the NHRP network ID and NHRP authentication string with the ip nhrp network-id and ip nhrp authentication commands. Then, specify the location of the NHRP next-hop server (NHS) with the ip nhrp nhs interface command. To allow the spoke to register its multicast capability with the hub, use the ip nhrp map multicast command. Finally, specify a static NHRP map that enables the spoke to reach the NHRP server over its address. Example 17-6 displays the command sequence being used.
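Tasks 1 and 2 carried through on a hub and one spoke, as an added configuration example that is not the book's Example 17-6 and not from the original dump. The hub public address 192.0.2.1, the tunnel subnet 10.0.0.0/24, network-id 100, the authentication string, and the IPsec profile name DMVPN-PROF (assumed to be defined elsewhere) are all assumptions. The two parameters the Question 17 answer blames, network-id and authentication string, are the ones that must match line for line.

```cisco
! Added example: matching NHRP parameters on hub and spoke. A network-id or
! authentication string that differs between the two makes the hub discard
! the spoke's registration, which shows up on the spoke as a rising
! "req-failed" count under "show ip nhrp nhs detail".
!
! --- Hub (NHS) ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! --- Spoke ---
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! --- Verify on the spoke, then on the hub ---
show ip nhrp nhs detail
show ip nhrp
show dmvpn
debug nhrp packet
```

The tunnel key must match as well: with a mismatch the GRE packets are dropped before NHRP ever sees them, so the symptoms look the same but debug nhrp packet on the hub shows nothing arriving.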

QUESTION 18
Refer to the exhibit. What can be determined from the information shown?

A. The user has been restricted to privilege level 1.
B. The standard access list should be reconfigured as an extended access list to allow desired user permissions.
C. RBAC has been configured with restricted views.
D. IP access list DMZ_ACL has not yet been configured with proper permissions.

Correct Answer: C
Section: Router Security
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 252

RBAC
Role-Based Access Control (RBAC) is implemented on devices through the use of role-based CLI access. Role-based CLI access provides the ability to set up to 15 CLI views (not including the root view) that are configured to run the commands needed for different job functions. The configuration is similar to setting up privileges but allows additional control that is not provided using privileges alone.

When using CLI views, all configuration is done from the root view. The root view has privileges equivalent to level 15 but with the additional ability to configure CLI views. Role-based CLI access also allows the configuration of a superview that combines the privileges of several existing CLI views; this can then be used by higher-level network operations personnel.

The configuration of a CLI view involves creating the CLI view, setting a password, and adding the commands that specify which commands will be allowed.
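Two restricted views and a superview, as an added configuration example that is not from the cert guide or the original dump. The view names, the secrets, and the command lists are assumptions; DMZ_ACL is the access list named in the Question 18 options.

```cisco
! Added example: role-based CLI access. aaa new-model is required before
! views can be created; the root view is entered with "enable view" and
! the enable secret. Secrets below are placeholders.
aaa new-model
enable secret 0 RootSecret!
!
! NOC view: read-only show commands plus connectivity tests.
parser view NOC
 secret 0 NocSecret!
 commands exec include show ip interface brief
 commands exec include show ip route
 commands exec include show access-lists
 commands exec include ping
 commands exec include traceroute
!
! Firewall view: may edit one access list and nothing else in config mode.
parser view FW-OPS
 secret 0 FwSecret!
 commands exec include configure terminal
 commands configure include ip access-list extended DMZ_ACL
 commands exec include show access-lists
!
! Superview that inherits both views' command sets for a senior operator.
parser view SENIOR superview
 secret 0 SeniorSecret!
 view NOC
 view FW-OPS
!
! Usage:  enable view NOC     (prompts for the view secret)
!         show parser view    (confirms which view the session is in)
```

A user inside FW-OPS sees only the included commands in context-sensitive help; a denied command returns "% Invalid input", which is the exhibit-style symptom that distinguishes a restricted view from a privilege-level or ACL problem.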

QUESTION 19
Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be determined from the partial IP admission configuration shown?

A. The router will forward authentication requests to a AAA server for authentication and authorization.
B. The user maint3nanc3 will have complete CLI command access once authenticated.
C. After a period of 20 minutes, the user will again be required to provide authentication credentials.
D. The authentication proxy will fail, because the router's HTTP server has not been enabled.
E. All traffic entering interface G0/1 will be intercepted for authentication, but only Telnet traffic will be authorized.

Correct Answer: C
Section: Router Security
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 171

Configure Web Authentication on the Switch
In Task 1, support of web authentication will be enabled on the 802.1X authenticator switch, and local AAA and RADIUS parameters will be configured. Also, the switch HTTP server, IP device tracking, and web authentication interception will be enabled. Perform the following steps:

    Step 1. Log in to the switch and enter global configuration mode.

Step 2. Enable default AAA login authentication using the aaa authentication login default global configuration command and set it to use the local RADIUS client. For example, the switch will use all the configured RADIUS servers in the default group (group radius).

Note: It is recommended that any changes to the AAA configuration be made from a console connection until connectivity can be verified after making the changes. It is extremely easy to lock yourself out of a router/switch when modifying AAA configurations.

Step 3. Enable default AAA authorization for the auth-proxy that is used by web authentication. It is enabled with the aaa authorization auth-proxy default global configuration command. In the example, the switch will use all the configured RADIUS servers in the default group (group radius).

Step 4. Configure the local RADIUS client to send and recognize the vendor-specific attributes (VSA) required for dynamic ACL assignment using the radius-server vsa send authentication global configuration command.

Step 5. Configure a new IP admission ruleset for proxy HTTP using the ip admission name global configuration command.

Step 6. Enable the HTTP server on the switch using the ip http server command.

Step 7. Enable IP device tracking, which is required to learn and periodically verify the existence of hosts' MAC and IP addresses on interfaces. This is enabled with the ip device tracking global configuration command.

Step 8. On all 802.1X ports, enable web authentication as the last method using the webauth keyword of the authentication order interface command. Configure a default input ACL that permits minimal traffic (restricted to DHCP) using the ip access-group interface command and apply the IP admission ruleset using the ip admission interface command.

Router# configure terminal
Router(config)# aaa new-model
Router(config)# aaa authentication login default group radius
Router(config)# aaa authorization auth-proxy default group radius
Router(config)# radius-server vsa send authentication
Router(config)# ip admission name WEBAUTH proxy http
Router(config)# ip http server
Router(config)# ip device tracking
Router(config)# interface range GigabitEthernet0/1 - 24
Router(config-if-range)# authentication order mab dot1x webauth
Router(config-if-range)# ip access-group DEFAULT-ACL in
Router(config-if-range)# ip admission WEBAUTH

QUESTION 20
What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?

A. assigns clients that fail 802.1X authentication into the restricted VLAN 300
B. assigns clients to VLAN 300 and attempts reauthorization
C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its EAPOL request/identity frame
D. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain network access again for 300 seconds

Correct Answer: A
Section: Switch Security
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 120

Configure Guest and Authentication Failed Policy
In Task 7, a special-purpose VLAN is designated for clients that either fail authentication or that do not have an 802.1X supplicant. A client without a supplicant does not respond to EAPOL requests and must be placed into a "guest" VLAN. The VLAN used for each of these can be the same or different depending upon your architecture; however, it must exist on the switch before assigning users to it. In the case of authentication failure, you must specify the number of times that the switch should retry authentication before assigning the user to the restricted VLAN. The command for this is authentication event fail retry number action authorize vlan vlan-id. The command to assign a user to the guest VLAN is authentication event no-response action authorize vlan vlan-id.

Note: The 802.1X authentication attempt must time out (no EAPOL response) before the switch will assign the client to the guest VLAN. This time can be shortened on the interfaces where you expect guest connections by using the dot1x timeout quiet-period and dot1x timeout tx-period commands.

Router# configure terminal
Router(config)# interface FastEthernet 2/1
Router(config-if)# authentication event fail retry 2 action authorize vlan 100
Router(config-if)# authentication event no-response action authorize vlan 100
Router(config-if)# end
Router# copy running-config startup-config

QUESTION 21
Which of these are the two types of keys used when implementing GET VPN? (Choose two.)

A. public key
B. group encryption
C. traffic encryption key
D. pre-shared key
E. key encryption
F. private key

Correct Answer: CE
Section: VPN
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 503

Key Management Architecture
All communication between a key server and group members is encrypted and secured using the Internet Key Exchange (IKE) Group Domain of Interpretation (GDOI) protocol.

IKE GDOI is a standards-based Internet Security Association and Key Management Protocol (ISAKMP) group key management protocol (RFC 3547, updated by RFC 6407) that provides secure group communications. GET VPNs use IKE GDOI as the group keying mechanism. IKE GDOI supports the use of two keys: the Traffic Encryption Key (TEK) and the Key Encryption Key (KEK):

TEK: A key that is used to protect traffic between group members

KEK: A key that is used to protect rekeys (during a key refresh) between key servers and group members

The TEK is distributed to all group members by the key server; members use the TEK to communicate with other members of the group and to create and verify IPsec packets. The KEK is also distributed to group members, who in turn use it to decrypt incoming rekey messages from the key server.

When a registration message is received, the key server generates information that contains the rekey policy (one KEK) and the new IPsec SAs (multiple TEK attributes, traffic encryption policy, lifetime, source and destination information about the traffic that needs to be protected, and the security parameter index (SPI) ID that is associated with each TEK). The newly created IPsec SAs are then sent to the group members. The key server maintains a table that contains the IP address of each group member and its group association. When a group member registers, the key server adds the new IP address to its associated group table.

QUESTION 22
Which Cisco IOS feature provides secure, on-demand meshed connectivity?

A. Easy VPN
B. IPsec VPN
C. mGRE
D. DMVPN

Correct Answer: D
Section: VPN
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 375

Cisco Dynamic Multipoint VPN (DMVPN):
DMVPN is based on a hub-and-spoke configuration but allows spoke-to-spoke tunnels to be dynamically and automatically provisioned. Configuration scalability is high because only spoke-to-hub peering needs to be configured, and as long as PKI is used for authentication, authentication scalability is high as well. DMVPN can be used in hub-and-spoke, partial mesh, and full mesh environments. It is also suitable for connections that traverse public networks, such as the Internet, because it supports IP tunnels.

QUESTION 23
You have configured a Cisco router to act as a PKI certificate server. However, you are experiencing problems starting the server. You have verified that all CA parameters have been correctly configured. What is the next step you should take in troubleshooting this problem?

A. Disable and restart the router's HTTP server function
B. Verify the RSA key pair and generate new keys
C. Verify that the correct time is being used and time sources are reachable
D. Enable the SCEP interface

Correct Answer: C
Section: Router Security
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 423

Configuration Tasks for a Root Certificate Server
Perform the following tasks to implement the Certificate Server on Cisco IOS Software:

Task 1: Create an RSA key pair to be used as the certificate authority key pair. The private key will be used to sign user certificates, and the public key will be distributed to all routers in the certificate authority's self-signed certificate. Although this step is optional, if it is skipped a dedicated key pair of only minimally acceptable strength will be created automatically.

Task 2: Create a PKI trustpoint that designates the key pair that is intended to be used within the Certificate Server.

Task 3: Create the Certificate Server itself. A name for the CA is provided during this step.

Task 4: Configure the location of the CA's files. This can either be on the router itself or on external storage on a remote server.

Task 5: Configure an issuing policy in which the administrator can either manually grant all certificate requests or the server can automatically issue certificates. An additional enrollment password can also be configured to authenticate enrolling entities.

Task 6: Configure the revocation policy in which the specific CRL parameters used by the Certificate Server are created.

Task 7: Configure the SCEP interface on the Certificate Server router.

Task 8: Enable the Certificate Server after all the parameters have been configured.
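Tasks 1 through 8 as one configuration, with the clock check that the Question 23 answer calls for placed first, as an added example that is not from the cert guide or the original dump. The CA name, issuer name, addresses, storage location, and lifetimes are assumptions.

```cisco
! Added example: IOS certificate server following Tasks 1-8. The trustpoint
! must carry the same name as the server. The server refuses to start when
! the clock is not authoritative, because it cannot stamp validity periods
! on the CA certificate or the CRL.
!
! Time first (the Question 23 answer): time zone, NTP source, and authoritative clock.
clock timezone UTC 0
ntp server 192.0.2.10
!
! Task 1: dedicated key pair; without it a minimal default pair is generated.
crypto key generate rsa general-keys label ROOTCA modulus 2048 exportable
! Task 2: trustpoint bound to that key pair.
crypto pki trustpoint ROOTCA
 rsakeypair ROOTCA
! Tasks 3-6: the server, its storage, its issuing policy, and its CRL policy.
crypto pki server ROOTCA
 issuer-name CN=rootca.example.com,O=Example
 database url flash:
 database level names
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 cdp-url http://192.0.2.1/ROOTCA.crl
 grant auto
! Task 7: SCEP enrollment is served by the HTTP server.
ip http server
! Task 8: start it; clock and key problems surface at this point.
crypto pki server ROOTCA
 no shutdown
!
! Verify
show clock detail
show ntp status
show crypto pki server
show crypto key mypubkey rsa
```

grant auto issues a certificate to anything that can reach the SCEP interface; outside a lab, leave issuing manual (grant none, then crypto pki server ROOTCA grant) or at least require the enrollment password the book mentions in Task 5.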

QUESTION 24
Which three of these are features of data plane security on a Cisco ISR? (Choose three.)

A. Routing protocol filtering
B. FPM
C. uRPF
D. RBAC
E. CPPr
F. NetFlow export

Correct Answer: BCF
Section: Router Security
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 44

    Data Plane Attacks and Mitigation Techniques
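The three data-plane features named in the answer (uRPF, NetFlow export, and FPM) applied to one ISR edge interface, as an added configuration example that is not from the cert guide or the original dump. Interface names, the collector address, and the PHDF file locations are assumptions; the FPM pattern is the SQL Slammer example from Cisco's own FPM documentation (UDP/1434, 404-byte datagram), not a new signature.

```cisco
! Added example: three data-plane protections on one edge interface.
!
! uRPF strict mode: drop packets whose source address is not reachable back
! through this interface. Use "reachable-via any" (loose mode) where routing
! is asymmetric, or strict mode will drop legitimate traffic.
interface GigabitEthernet0/0
 ip verify unicast source reachable-via rx allow-default
 ip flow ingress
 ip flow egress
!
! NetFlow export for traffic visibility (the collector is assumed at 10.1.1.20).
ip flow-export version 9
ip flow-export destination 10.1.1.20 2055
ip flow-export source Loopback0
!
! FPM: load the protocol header definitions, then match IP/UDP and the payload.
load protocol flash:ip.phdf
load protocol flash:udp.phdf
class-map type stack match-all IP-UDP
 match field IP protocol eq 0x11 next UDP
class-map type access-control match-all SLAMMER
 match field UDP dest-port eq 0x59A
 match field IP length eq 0x194
 match start l3-start offset 224 size 4 eq 0x4011010
policy-map type access-control FPM-UDP
 class SLAMMER
  drop
policy-map type access-control FPM-POLICY
 class IP-UDP
  service-policy FPM-UDP
interface GigabitEthernet0/0
 service-policy type access-control input FPM-POLICY
!
! Verify
show ip interface GigabitEthernet0/0 | include verify
show ip cache flow
show policy-map type access-control interface GigabitEthernet0/0
```

CPPr and RBAC from the same option list protect the control and management planes respectively, which is why they are not in the answer: none of them inspects or drops transit traffic the way the three features above do.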

QUESTION 25
When configuring URL filtering with the Trend Micro filtering service, which of these steps must you take to prepare for configuration?

A. Define blacklists and whitelists
B. Categorize traffic types
C. Synchronize clocks via NTP to ensure accuracy of URL filter updates from the service
D. Install the appropriate root CA certificate on the router

Correct Answer: B
Section: Zone Based Firewall
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 313

URL Filter
The URL Filter feature provides the ability to pass, drop, or log traffic whose URL matches specific configured characteristics. These characteristics can be quite robust, including the capability to match traffic based on something as simple as a domain or something as complex as is provided by category matching (porn, gaming, weapons, and so on). The more complex configurations use an external URL filtering server, including support for Websense and N2H2.

Unlike the simpler Layer 3/4 configurations demonstrated in the previous section, the URL Filtering feature requires the configuration of a parameter map. The parameter map is used to define the specific parameters that will be referenced in the class map or policy map.
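The two parameter maps described for Question 16 (the GLOB list and the URL filter policy map) wired into a zone-based firewall HTTP policy, as an added configuration example that is not from the cert guide or the original dump; it also serves Question 25 by showing the local variant that the Trend Micro, N2H2, and Websense variants replace with a server-type parameter map. Zone names, interfaces, and the patterns are assumptions; "Gambling" comes from the Question 16 options.

```cisco
! Added example: local URL filtering inside a zone-based firewall policy.
!
! GLOB parameter map: the blacklist itself.
parameter-map type urlf-glob BLOCKED-SITES
 pattern *gambling*
 pattern *.example-casino.com
!
! URL filter policy parameter map (local type): block page text and alerting.
parameter-map type urlfpolicy local LOCAL-URLF
 block-page message "Access to this site is blocked by policy"
 alert on
!
! Class that matches the blacklist by server domain, and the action (reset + log).
class-map type urlfilter match-any URLF-CLASS
 match server-domain urlf-glob BLOCKED-SITES
policy-map type inspect urlfilter URLF-POLICY
 parameter type urlfpolicy local LOCAL-URLF
 class type urlfilter URLF-CLASS
  reset
  log
!
! Layer 7 HTTP policy carrying the URL filter policy, attached to the
! inside-to-outside zone pair. Return traffic rides the inspect session,
! so no policy in the reverse direction is needed.
class-map type inspect match-all HTTP-CLASS
 match protocol http
policy-map type inspect IN-TO-OUT
 class type inspect HTTP-CLASS
  inspect
  service-policy urlfilter URLF-POLICY
 class class-default
  drop
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
!
! Verify
show policy-map type inspect zone-pair IN-OUT urlfilter cache
```

Matching on server-domain only sees the Host header and the request line, so a client that reaches the site by IP address or over HTTPS is not matched; a category-based subscription service is the usual answer to that gap, which is the direction Question 25 is heading.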

QUESTION 26
Which of these is correct regarding the functionality of DVTI tunnels?

A. DVTI tunnels are created dynamically from a preconfigured template as tunnels are established to the hub
B. DVTI tunnels appear on the hub as tunnel interfaces
C. The hub router needs a static DVTI tunnel to each spoke router in order to establish remote communications from spoke to spoke
D. Spoke routers require a virtual template to clone the configuration on which the DVTI tunnel is established

Correct Answer: D
Section: VPN
Explanation

Explanation/Reference:
CCNP Security Secure Official Cert Guide, 2011
Sean Wilkins, Franklin H. Smith III
Page 403

Configure Dynamic Point-to-Point IPsec VTI Tunnels
Dynamic VTIs (DVTI) provide scalable hub configurations in hub-and-spoke VPNs for site-to-site and remote-access connectivity. With DVTIs, there is no requirement to statically map IPsec sessions to physical interfaces. Instead, VTIs on the hub are created dynamically as tunnels to the hub are established. A virtual access interface is dynamically created based on a preconfigured virtual template that includes all the required IPsec configuration as well as any Cisco IOS Software features that are desired, such as quality of service (QoS), N
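The virtual template and the ISAKMP profile that clones it, with one spoke pointed at the hub, as an added configuration example that is not from the cert guide or the original dump. Names, addresses, and the pre-shared key are assumptions; the hub is the side that holds the template here, and the spoke is shown with a static VTI.

```cisco
! Added example: DVTI hub with a virtual template; the spoke uses a static VTI.
!
! --- Hub ---
crypto keyring SPOKES
 pre-shared-key address 0.0.0.0 0.0.0.0 key SpokePsk!
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! The ISAKMP profile is what ties an incoming peer to the template.
crypto isakmp profile DVTI-ISAKMP
 keyring SPOKES
 match identity address 0.0.0.0
 virtual-template 1
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile DVTI-IPSEC
 set transform-set VTI-TS
 set isakmp-profile DVTI-ISAKMP
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
! The template never carries traffic itself; each spoke that completes IKE
! gets its own Virtual-Access interface cloned from it.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI-IPSEC
!
! --- Spoke: a static VTI toward the hub at 192.0.2.1 ---
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key SpokePsk! address 192.0.2.1
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile SVTI-IPSEC
 set transform-set VTI-TS
interface Tunnel0
 ip address 10.255.1.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SVTI-IPSEC
!
! --- Verify on the hub: one Virtual-Access interface per connected spoke ---
show ip interface brief | include Virtual-Access
show crypto session detail
```

Anything placed on the virtual template (QoS policy, ACLs, NetFlow) is inherited by every cloned Virtual-Access interface, which is the scalability point the explanation above is making: the hub configuration does not grow with the number of spokes.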