Cisco: Implementing Secure Converged Wide Area Networks
BackBy Certification Magazine — March 26, 2009
The following are questions from MeasureUp Practice Test for the Cisco 642-825: Implementing Secure Converged Wide Area Networks (ISCW) exam . This exam is one of the requirements for the Cisco Certified Network Professional (CCNP) Certification .
The audience for this exam includes individuals who are responsible for extending and securing an enterprise network to support remote sites and workers who telecommute. Experience working with remote access servers and virtual private networks (VPNs) will help you prepare for this exam.
Objective: Implement basic teleworker services.
Sub-objective: Describe xDSL technologies.
Multiple answer, multiple-choice
You are designing an ADSL solution for U.S.-based branch offices.
The Chicago branch office uses 26-gauge wiring and is approximately 7,000 feet from the service provider digital subscriber line access multiplexer (DSLAM).
The Los Angeles branch office uses 26-gauge wiring and is approximately 11,000 feet from the service provider DSLAM.
The New York branch office uses 24-gauge wiring and is approximately 11,000 feet from the service provider DSLAM.
What bandwidth should you expect to receive at each branch office? (Choose three.)
A. 6.1 Mbps downstream bandwidth at the Chicago branch office.
B. 1.5 Mbps downstream bandwidth at the Los Angeles branch office.
C. 1.5 Mbps downstream bandwidth at the Chicago branch office.
D. 6.1 Mbps downstream bandwidth at the Los Angeles branch office.
E. 1.5 Mbps downstream bandwidth at the New York branch office.
F. 6.1 Mbps downstream bandwidth at the New York branch office.
A, B, F
You can expect to receive 6.1 Mbps downstream bandwidth at the Chicago branch office, 1.5 Mbps at the Los Angeles branch office and 6.1 Mbps at the New York branch office.
Several factors affect downstream bandwidth including distance to DSLAM, wire gauge, bridged taps and coupled interference.
The published standards of ADSL specify that 24-gauge wire from 0 to 12,000 feet will receive 6.1 Mbps and at 12,001 to 18,000 feet will receive 1.5 Mbps. 26-gauge wire from 0 to 9,000 feet will receive 6.1 Mbps and at 9,001 to 15,000 feet will receive 1.5 Mbps. Any distance beyond these lengths will require a fiber-based digital loop carrier (DLC).
These are estimates, and the service provider will test your line to determine the bandwidth you can expect to receive.
Internetworking Technology Handbook – Digital Subscriber Line
Objective: Implement a site-to-site IPSec VPN.
Sub-objective: Verify IPSec/GRE Tunnel configurations (i.e., IOS CLI configurations).
Single answer, multiple-choice
You are creating a generic routing encapsulation (GRE) over IP Security (IPSec) VPN between your company headquarters and a branch office. You need to determine which encryption and hash algorithm, authentication method, Diffie-Hellman group and lifetime is defined for Internet Key Exchange (IKE) on your headquarters router. Which command should you execute?
A. show crypto isakmp peer
B. show crypto isakmp sa
C. show crypto isakmp policy
D. show crypto ipsec sa
You should execute the show crypto isakmp policy command. This command will list all IKE policies configured on the router. The output will display the encryption and hash algorithm, authentication method, Diffie-Hellman group and lifetime for each IKS policy.
The show crypto isakmp peer command displays the IP address of all Internet Security Association and Key Management Protocol (ISAKMP) peers the router is configured for, but it does not display ISAKMP policy information.
The show crypto isakmp sa command displays the destination, source, state and status of the phase one ISAKMP Security Association (SA), but it does not display ISAKMP policy information.
The show crypto ipsec sa command displays the current state of the IPSec SA. The output displays the crypto map in use, the local and remote identity, the current peer and port used and the number of encrypted and decrypted packets and other packet counters. It does not display ISAKMP policy information.
Cisco IOS Security Command Reference, Release 12.3 T – Security Commands: show crypto isakmp key through subject-name
Objective: Describe network security strategies.
Sub-objective: Describe and mitigate application-layer attacks (e.g., management protocols).
Multiple answer, multiple-choice
You are creating a security policy for your enterprise. You need to understand application-layer attacks and their mitigation methods. Which statements about Simple Network Management Protocol (SNMP) are true? (Choose four.)
A. Only SNMP version 2 uses a password known as a community string for authentication.
B. An access list should be applied only for read-write (RW) access.
C. SNMP version 2 and 3 send encrypted community strings.
D. SNMP version 1 uses a password known as a community string for authentication.
E. SNMP version 2 uses a password known as a community string for authentication.
F. An access list should be applied for read-only (RO) and read-write (RW) access.
G. SNMP version 3 uses a username for authentication.
D, E, F, G
SNMP is a network management protocol used to retrieve information from a device. SNMP versions 1 and 2 use a password known as a community string. The community string is configured on the managed device. The network management system (NMS) uses this community string to identify itself as a trusted system. If the NMS uses a different community string, it will not be able to collect data from or write data to the managed device.
There are two levels of access using SNMP: read only (RO), which allows the reading of information and read write (RW), which allows configuration of the device. If both access methods are required, they should both have an access list applied that allows access from a trusted NMS. If you are not going to write to the network device, RW access should be disabled.
SNMP versions 1 and 2 send community strings in clear text that can easily be read using a packet sniffer. SNMP version 3 uses a username for authentication. SNMP version 3 is not fully supported on all devices or all NMSs, but it should be enabled where supported.
Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the SNMP Version 3 Authentication Vulnerabilities
Objective: Implement Cisco Device Hardening.
Sub-objective: Describe, configure and verify AAA for Cisco routers.
Single answer, multiple-choice
You have experienced a connectivity issue between your TACACS+ server and a Cisco router and are concerned that you will be locked out of the router if the TACACS+ server is unavailable. You have created usernames and passwords on the router for the IT staff. Which command will allow access to the router if the TACACS+ server is unavailable?
A. aaa authentication login default group tacacs+ local
B. aaa authentication login default group local tacacs+
C. aaa authentication login default group tacacs+ none
D. aaa authentication login default group tacacs+
The aaa authentication login default group tacacs+ local command will allow access to the router if the TACACS+ server is unavailable.
The router will attempt to authenticate a user by using the methods configured using the aaa authentication command. The methods are processed in the order in which they are defined. The aaa authentication login default group tacacs+ local command specifies that the TACACS+ server should be used. If the server is unavailable, the authentication request will time out and the next method, local, will be used.
The aaa authentication login default group local tacacs+ command specifies the use of the local database first. The local database will always be available, and the router will never try to use the TACACS+ server.
The aaa authentication login default group tacacs+ none command specifies the use of the TACACS+ server first. If the TACACS+ server is unavailable, the next method, none, will be used. When none is specified as an authentication method, no authentication will be used and everyone will have access to the router.
The aaa authentication login default group tacacs+ command specifies the use of the TACACS+ server only. If the TACACS+ server is unavailable, authentication will fail.
Objective: Describe and configure Cisco IOS IPS.
Sub-objective: Configure Cisco IOS IPS using SDM.
Single answer, multiple-choice
You have configured a Cisco IOS Intrusion Protection System (IPS) using the Cisco Router and Security Device Manager (SDM). You are required to configure the Cisco IPS to create a dynamic access list entry to block all traffic matching the IP Localhost Source Spoof signature. Which action should you assign to the signature?
You should set the denyAttackerInline action.
Cisco IPS provides many actions that can be taken when a traffic pattern matches a signature. Depending on the nature of the signature, you can set the action to:
* alarm - Generate an alarm message.
* denyAttackerInline - Create an ACL that denies all traffic from the IP address that the Cisco IOS IPS system considers to be the source of the attack. Same as deny-attacker-inline.
* deny-connection-inline - Drop the packet and all future packets on this TCP flow.
* deny-packet-inline - Do not transmit this packet (inline only). Same as drop.
* denyFlowInline - Create an ACL that denies all traffic belonging to the 5-tuple (src ip, src port, dst ip, dst port and l4 protocol) from the IP address that is considered the source of the attack.
* drop - Drop the offending packet. Same as deny-packet-inline.
* reset - Reset the connection and drop the offending packet.
* reset-tcp-connection - Send TCP RESETS to terminate the TCP flow.
Configuring Cisco IOS IPS Using Cisco SDM and CLI
Cisco IOS IPS Signature Deployment Guide