
Learn About Implementing Cisco IOS Network Security

  By Certification Magazine


These practice test questions from MeasureUp are based on Cisco’s exam 640-553: Implementing Cisco IOS Network Security (IINS).

The audience for this exam includes individuals who are responsible for securing networks and Cisco devices. Experience with installing, monitoring and troubleshooting networks and Cisco switches and routers will help you prepare for this exam.

Note: Exam 640-553 is a prerequisite for the Cisco Certified Security Professional (CCSP) certification.

FYI: Some of the references used in these questions are books. Here are the details for each book:

Cisco Press Authorized Self-Study Guide:
Implementing Cisco IOS Network Security (IINS)
Publisher: Cisco Press
ISBN: 978-1-58705-815-4

Exam Cram: CCNA Security
Publisher: Pearson Que
ISBN: 0-7897-3800-7


Objective: Implement secure network management and reporting.
Sub-objective: Use CLI and SDM to configure SSH on Cisco routers to enable secured management access.

Single answer, multiple-choice

Which command will generate two pairs of RSA keys named Measureup with a modulus of 2048?

A.    crypto key generate rsa label Measureup modulus 2048
B.    crypto key generate rsa usage-keys modulus 2048
C.    crypto key generate rsa usage-keys label Measureup modulus 2048
D.    crypto key generate rsa modulus 2048

Answer:
C

Tutorial:
You should enter the crypto key generate rsa usage-keys label Measureup modulus 2048 command.

You specify the creation of two pairs of RSA keys using the usage-keys keyword. If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the authentication method.

If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted keys.

You name the keys using the label keyword. Naming RSA keys allows support for multiple RSA key pairs on a single router.

You should not enter the crypto key generate rsa label Measureup modulus 2048 command. Without the usage-keys keyword, the command defaults to creating a single RSA key pair.

You should not enter the crypto key generate rsa usage-keys modulus 2048 or crypto key generate rsa modulus 2048 commands. Neither command uses the label keyword, so both default to naming the key pair in the format hostname.domain-name.

In this example, the router is named MU and belongs to the measureup.com domain, so its default key pair name is mu.measureup.com.

Command output:

MU(config)#crypto key generate rsa usage-keys label Measureup modulus 2048
The name for the keys will be: Measureup
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
MU(config)#

References:
Perimeter Security
Cisco Press Authorized Self-Study Guide: Implementing Cisco IOS Network Security (IINS)
Chapter 2

Configuring Secure Shell on Routers and Switches Running Cisco IOS
Cisco.com
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

Cisco IOS Security Command Reference, Release 12.3 - Security Commands: crypto dynamic-map through ctype
Cisco.com
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_c2g.html

Objective: Implement the Cisco IOS firewall feature set using SDM.
Sub-objective: Explain stateful firewall operations and the function of the state table.

Single answer, multiple-choice

The figure represents the traffic of an internal client making a request to a Web server. The traffic transits through a dynamic packet filter.

Which dynamic ACL rule entry applied inbound on the outside interface would permit the response packets from the Web server to the client?

A.    permit tcp host 209.165.200.226 eq 80 host 10.1.1.1 eq 1956
B.    permit tcp host 10.1.1.1 eq 1956 host 209.165.200.226 eq 80
C.    permit tcp host 209.165.200.226 eq 1956 host 10.1.1.1 eq 80
D.    permit tcp host 10.1.1.1 eq 80 host 209.165.200.226 eq 1956

Answer:
A

Tutorial:
The following access control list (ACL) rule entry applied inbound on the outside interface would permit the response packets from the Web server to the client:

permit tcp host 209.165.200.226 eq 80 host 10.1.1.1 eq 1956

The access list is applied inbound on the outside interface, so it filters packets arriving from the Web server. An extended ACL entry lists the source address and port first, then the destination address and port. The reply is the mirror image of the request: it originates from the Web server 209.165.200.226 on the port the request was sent to (80), and is addressed to 10.1.1.1 at the ephemeral port the client used to open the connection, 1956. Options B and D describe the client-to-server direction, and option C swaps the two ports. A dynamic (stateful) filter derives this entry from the outbound request recorded in its state table and removes it when the connection closes or its idle timer expires, which is what distinguishes it from a static ACL that would have to permit port 80 replies to inside hosts permanently.
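The following is an added illustration, not code from the page or from Cisco: a small Python model of a dynamic packet filter that records the outbound request in a state table, derives the return-traffic entry from it, and admits only the exact mirror-image reply. The hosts and ports are the ones from the question; the idle-timeout value and the packet representation are assumptions made for the example.

```python
"""Toy stateful (dynamic) packet filter.

Illustrative model of the state table behind the ACL entry discussed above;
it is not Cisco IOS code and does not reproduce any IOS feature exactly.
"""
from dataclasses import dataclass
from typing import Dict, Tuple, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# State table key: (proto, client, client_port, server, server_port)
FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    def __init__(self, idle_timeout: float = 3600.0) -> None:
        # Assumed idle timeout; real firewalls make this configurable.
        self.idle_timeout = idle_timeout
        self.state: Dict[FlowKey, float] = {}  # flow -> last-seen time

    def outbound(self, pkt: Packet, now: float) -> None:
        """Inside -> outside: permitted by policy, creates/refreshes a state entry."""
        self.state[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now

    def dynamic_ace(self, key: FlowKey) -> str:
        """Render the temporary ACE that permits the return traffic for a flow."""
        proto, client, cport, server, sport = key
        return f"permit {proto} host {server} eq {sport} host {client} eq {cport}"

    def inbound(self, pkt: Packet, now: float) -> bool:
        """Outside -> inside: permitted only if it mirrors a live state entry."""
        key: FlowKey = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        seen: Optional[float] = self.state.get(key)
        if seen is None:
            return False                     # no matching session: drop
        if now - seen > self.idle_timeout:
            del self.state[key]              # stale entry: remove and drop
            return False
        self.state[key] = now                # refresh the idle timer
        return True


def demo() -> dict:
    """Replay the scenario from the question and return the filter's verdicts."""
    fw = StatefulFilter(idle_timeout=60.0)
    request = Packet("tcp", "10.1.1.1", 1956, "209.165.200.226", 80)
    fw.outbound(request, now=0.0)
    key: FlowKey = ("tcp", "10.1.1.1", 1956, "209.165.200.226", 80)
    return {
        "ace": fw.dynamic_ace(key),
        # exact mirror of the request: permitted (option A)
        "reply_ok": fw.inbound(Packet("tcp", "209.165.200.226", 80, "10.1.1.1", 1956), now=1.0),
        # ports swapped (option C): no such session, dropped
        "swapped_ports": fw.inbound(Packet("tcp", "209.165.200.226", 1956, "10.1.1.1", 80), now=1.0),
        # same server, different client port: unsolicited, dropped
        "unsolicited": fw.inbound(Packet("tcp", "209.165.200.226", 80, "10.1.1.1", 2000), now=1.0),
        # the real reply again, but after the idle timeout: entry removed, dropped
        "after_timeout": fw.inbound(Packet("tcp", "209.165.200.226", 80, "10.1.1.1", 1956), now=100.0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the derived entry, which is option A verbatim, and shows that only the mirror-image reply passes; the swapped-port and unsolicited packets are dropped, and the genuine reply is dropped as well once the entry has aged out of the table.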

Reference:
Dynamic or Stateful Packet-Filtering Firewalls
Cisco Press Authorized Self-Study Guide: Implementing Cisco IOS Network Security (IINS)
Chapter 3


Objective: Implement the Cisco IOS IPS feature set using SDM.
Sub-objective: Define network-based vs. host-based intrusion detection and prevention.

Single answer, multiple-choice

Which statement about NIDS sensors is true?

A.    They can act as a central repository for alarms generated by peer sensors.
B.    They can discover that distributed alarms are part of a common attack.
C.    They can perform correlation analysis on the different alarms.
D.    They do not assess the success or failure of the actual attacks.

Answer:
D

Tutorial:
Network-based monitoring systems do not assess the success or failure of the actual attacks; they only report the presence of intrusive activity. That is why correlation tools such as CS-MARS are useful as a central repository for those alarms: alarms arriving from different corners of the network, once compared with each other by CS-MARS or another correlation tool, may reveal that the organization is under a distributed attack.

A sensor only reports an intrusion. It does not analyze whether the attack appears to have succeeded, and it handles only its own alarms, not those of other sensors on the network. Options A, B and C describe the functions of a correlation tool, not of a sensor.
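As an added example, not part of the original page and not CS-MARS or any Cisco product, the following Python sketch shows the correlation step that sensors themselves do not perform: a central repository collects alarms from several sensors and flags the same signature from the same source seen by more than one sensor as a single distributed incident. The alarm records, sensor names, signature names and the 600-second window are constructed for the example; the "outcome" field is left unknown on purpose, because the sensors report only that intrusive activity was seen.

```python
"""Toy alarm correlator for alarms reported by several NIDS sensors.

Illustrative model only; it is not CS-MARS or any vendor product.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample alarms from three sensors (sensor, epoch seconds,
# signature, source, destination).  Addresses are documentation ranges.
SAMPLE_ALARMS: List[Dict] = [
    {"sensor": "ids-dmz",  "ts": 100,  "sig": "SMB-brute",     "src": "203.0.113.7",  "dst": "192.0.2.10"},
    {"sensor": "ids-core", "ts": 130,  "sig": "SMB-brute",     "src": "203.0.113.7",  "dst": "192.0.2.44"},
    {"sensor": "ids-br1",  "ts": 170,  "sig": "SMB-brute",     "src": "203.0.113.7",  "dst": "192.0.2.99"},
    {"sensor": "ids-dmz",  "ts": 400,  "sig": "HTTP-dir-trav", "src": "198.51.100.3", "dst": "192.0.2.10"},
    {"sensor": "ids-dmz",  "ts": 9000, "sig": "SMB-brute",     "src": "203.0.113.7",  "dst": "192.0.2.10"},
]


def _summarise(sig: str, src: str, cluster: List[Dict], min_sensors: int) -> Dict:
    """Collapse one time-bounded cluster of alarms into an incident record."""
    sensors = sorted({a["sensor"] for a in cluster})
    return {
        "sig": sig,
        "src": src,
        "sensors": sensors,
        "targets": sorted({a["dst"] for a in cluster}),
        "first": cluster[0]["ts"],
        "last": cluster[-1]["ts"],
        # Only the repository, seeing all sensors, can make this call.
        "distributed": len(sensors) >= min_sensors,
        # Sensors report presence of activity, not whether it succeeded;
        # success/failure must come from host-based data, not from here.
        "outcome": "unknown",
    }


def correlate(alarms: List[Dict], window: int = 600, min_sensors: int = 2) -> List[Dict]:
    """Group alarms by (signature, source) into clusters no longer than
    `window` seconds and flag clusters that span >= min_sensors sensors."""
    groups: Dict[tuple, List[Dict]] = defaultdict(list)
    for a in sorted(alarms, key=lambda a: a["ts"]):
        groups[(a["sig"], a["src"])].append(a)

    incidents: List[Dict] = []
    for (sig, src), items in groups.items():
        cluster = [items[0]]
        for a in items[1:]:
            if a["ts"] - cluster[0]["ts"] <= window:
                cluster.append(a)
            else:
                incidents.append(_summarise(sig, src, cluster, min_sensors))
                cluster = [a]
        incidents.append(_summarise(sig, src, cluster, min_sensors))
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALARMS):
        flag = "DISTRIBUTED" if inc["distributed"] else "single-sensor"
        print(f"{flag:14} {inc['sig']:14} from {inc['src']:13} "
              f"seen by {','.join(inc['sensors'])} against {','.join(inc['targets'])}")
```

On the sample data the three SMB-brute alarms seen within the window by ids-dmz, ids-core and ids-br1 collapse into one distributed incident against three hosts, while the later repeat on ids-dmz alone and the HTTP-dir-trav alarm remain single-sensor events. Each sensor on its own would only have seen one alarm.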

Reference:
Host and Network IPS
Cisco Press Authorized Self-Study Guide: Implementing Cisco IOS Network Security (IINS)
Chapter 6


Objective: Implement site-to-site VPNs on Cisco Routers using SDM.
Sub-objective: Explain IKE protocol functionality and phases.
