Which component of VPN technology ensures that data can be read only by its intended recipient?
A. data integrity
B. encryption
C. key exchange
D. authentication
Answer: D
Explanation
Once you understand what these terms mean, it's easy to answer:
Data integrity: verifying that the packet was not changed as the packet transited the Internet.
Encryption: conversion of data into a form, called ciphertext, that cannot be easily understood by unauthorized people.
Authentication: the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication can take place at both sides, the sender and the receiver.
Key exchange: any method in cryptography by which cryptographic keys are exchanged between users, allowing use of a cryptographic algorithm.
So in this question we realize that only authentication involves the end user while the others are about processing data -> D is correct.
Question 2
What can be done to secure the virtual terminal interfaces on a router? (Choose two)
A. Administratively shut down the interface.
B. Physically secure the interface.
C. Create an access list and apply it to the virtual terminal interfaces with the access-group command.
D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.
Answer: D E
Explanation
It is a waste to administratively shut down the interface. Moreover, someone can still access the virtual terminal interfaces via other interfaces -> A is not correct.
We cannot physically secure a virtual interface because it is "virtual" -> B is not correct.
To apply an access list to a virtual terminal interface we must use the "access-class" command. The "access-group" command is only used to apply an access list to a physical interface -> C is not correct; E is correct.
The simplest way to secure the virtual terminal interface is to configure a username & password to prevent unauthorized login -> D is correct.
Question 3
The enable secret command is used to secure access to which CLI mode?
A. user EXEC mode
B. global configuration mode
C. privileged EXEC mode
D. auxiliary setup mode
Answer: C
Question 4
Which type of attack is characterized by a flood of packets requesting a TCP connection to a server?
A. denial of service
B. brute force
C. reconnaissance
D. Trojan horse
Answer: A
Question 5
Which IPsec security protocol should be used when confidentiality is required?
A. AH
B. MD5
C. PSK
D. ESP
Answer: D
Explanation
IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH), which provide security services for IP datagrams.
ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the IP header).
AH provides authentication of the sender, integrity, and replay protection (but not confidentiality).
Question 6
What algorithm technology must be used for ensuring data integrity when the dataflow goes over a VPN tunnel? (Choose two)
A. RSA
B. DH-1
C. DH-2
D. HMAC-MD5
E. HMAC-SHA1
Answer: D E
Explanation
Data integrity ensures data has not been altered in transmission. A data-integrity algorithm adds a hash to the message to guarantee the integrity of the message.
A Hashed Message Authentication Code (HMAC) is a data-integrity algorithm that ensures the integrity of the message. Two popular algorithms a VPN gateway uses for verifying integrity of data are HMAC-Message Digest 5 (HMAC-MD5) and HMAC-Secure Hash Algorithm 1 (HMAC-SHA1):
+ HMAC-MD5 uses a 128-bit shared-secret key of any size. The variable-length message and shared-secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and is forwarded to the remote end.
+ HMAC-SHA-1 uses a secret key of any size. The variable-length message and the shared-secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and is forwarded to the remote end.
Diffie-Hellman Group 1 (DH-1) & Diffie-Hellman Group 2 (DH-2) are two encryption algorithms for VPN, not data-integrity algorithms.
RSA is also an encryption algorithm, not a data-integrity algorithm.
(Reference: Implementing Cisco IOS Network Security IINS)
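As an added illustration that is not part of the original question set, the following Python script does what the explanation above describes: the shared secret and the message are run through HMAC-MD5 or HMAC-SHA1, the resulting 128-bit or 160-bit tag is appended to the message, and the remote end recomputes the tag and compares it. The shared secret and the payload are constructed sample values; the script then shows that a single modified byte, or a peer without the shared secret, fails the check.

```python
import hashlib
import hmac

# Constructed sample values (not from the page): the shared secret both VPN
# peers hold, and a payload standing in for the data to protect.
SHARED_SECRET = b"constructed-demo-shared-secret"
MESSAGE = b"constructed payload: transfer 100 units to account 42"

ALGORITHMS = {
    "HMAC-MD5": hashlib.md5,    # 128-bit tag
    "HMAC-SHA1": hashlib.sha1,  # 160-bit tag
}


def tag_bits(algorithm: str) -> int:
    """Size of the tag the algorithm appends, in bits (128 for MD5, 160 for SHA-1)."""
    return ALGORITHMS[algorithm]().digest_size * 8


def tag_message(message: bytes, key: bytes, algorithm: str) -> bytes:
    """Sender side: return message || HMAC tag, i.e. the hash appended to the message."""
    digest = hmac.new(key, message, ALGORITHMS[algorithm]).digest()
    return message + digest


def verify_message(tagged: bytes, key: bytes, algorithm: str) -> tuple:
    """Receiver side: split off the tag, recompute it over the message and compare.

    Returns (is_authentic, message). hmac.compare_digest runs in constant time,
    so the comparison does not leak how many tag bytes matched.
    """
    tag_len = ALGORITHMS[algorithm]().digest_size
    if len(tagged) < tag_len:
        return False, b""
    message, received_tag = tagged[:-tag_len], tagged[-tag_len:]
    expected_tag = hmac.new(key, message, ALGORITHMS[algorithm]).digest()
    return hmac.compare_digest(received_tag, expected_tag), message


def demo() -> dict:
    """Run the untouched, tampered and wrong-key cases for both algorithms."""
    results = {}
    for algorithm in ALGORITHMS:
        sent = tag_message(MESSAGE, SHARED_SECRET, algorithm)
        ok_untouched, _ = verify_message(sent, SHARED_SECRET, algorithm)

        # Simulate an in-transit modification: flip one bit inside the payload.
        tampered = bytearray(sent)
        tampered[20] ^= 0x01
        ok_tampered, _ = verify_message(bytes(tampered), SHARED_SECRET, algorithm)

        # A party without the shared secret cannot produce a tag that verifies.
        ok_wrong_key, _ = verify_message(sent, b"wrong-key", algorithm)

        results[algorithm] = {
            "bits": tag_bits(algorithm),
            "untouched": ok_untouched,
            "tampered": ok_tampered,
            "wrong_key": ok_wrong_key,
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The tag proves integrity and origin only to a holder of the shared secret, which is why the page pairs it with a key-exchange mechanism. HMAC-MD5 and HMAC-SHA1 are what the exam asks about; current IPsec deployments use HMAC-SHA2 variants, which the same script handles by adding `hashlib.sha256` to `ALGORITHMS`.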
Question 7
What are two security appliances that can be installed in a network? (Choose two)
A. ATM
B. IDS
C. IOS
D. IOX
E. IPS
F. SDM
Answer: B E
Explanation
Intrusion detection system (IDS) and intrusion prevention system (IPS) solutions form an integral part of a robust network defense solution.
An IDS monitors network and system activities for malicious activities or policy violations and produces reports to a Management Station.
An IPS provides policies and rules for network traffic along with an intrusion detection system for alerting system or network administrators to suspicious traffic, but allows the administrator to provide the action upon being alerted.
The key to differentiating an IDS from an IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS allows malicious traffic to pass before it can respond.
(Reference: Implementing Cisco IOS Network Security IINS)
Note:
Asynchronous Transfer Mode (ATM) is a layer 2 WAN transport protocol. It encodes data into small, fixed-sized cells consisting of 48 bytes of payload and 5 bytes of cell header -> A is not correct.
Cisco Router and Security Device Manager (SDM) is a Web-based device-management tool for Cisco routers that can help you configure a router via a web browser -> In general, it only helps simplify network management and router configuration, so it is not a security appliance -> F is not correct.
Question 8
Which device might be installed at a branch office to enable and manage an IPsec site-to-site VPN?
A. Cisco IOS IPsec/SSL VPN client
B. Cisco VPN Client
C. ISDN terminal adapter
D. Cisco Adaptive Security Appliance
Answer: D
Explanation
An example of an IPsec site-to-site VPN is a corporation with departments in many countries which need to communicate with each other. A popular solution is a site-to-site (LAN-to-LAN) VPN to create private networks through the Internet. But as we know, the Internet is not a safe environment for important data to be transferred. That is the reason why we need IPsec, a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.
Cisco Adaptive Security Appliance (ASA) supports IPsec, that's all I can say! If you wish to learn more about the configuration, please read http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml
Question 9
What is the effect of using the service password-encryption command?
A. Only passwords configured after the command has been entered will be encrypted.
B. Only the enable password will be encrypted.
C. Only the enable secret password will be encrypted
D. It will encrypt the secret password and remove the enable secret password from the configuration.
E. It will encrypt all current and future passwords.
Answer: E
Explanation
The secret password (configured by the command "enable secret") is always encrypted even if the "service password-encryption" command is not used. Moreover, the secret password is not removed from the configuration with this command; we still see it in encrypted form in the running-config -> D is not correct.
The "enable password" command does not encrypt the password, and it can be viewed in clear text in the running-config. By using the "service password-encryption" command, that password is encrypted (both current and future passwords) -> A is not correct, E is correct.
Answer B (Only the enable password will be encrypted) seems to be correct, but it implies the secret password will not be encrypted and will stay in clear text, which is not correct.
For your information, the secret password is encrypted with the MD5 one-way hash algorithm, which is harder to break than the encryption algorithm used by the "service password-encryption" command.
Question 10
Which command sets and automatically encrypts the privileged enable mode password?
A. enable password c1sco
B. secret enable c1sco
C. password enable c1sco
D. enable secret c1sco
Answer: D
To provide an additional layer of security, particularly for passwords that cross the network or are stored on a TFTP server, you can use either the enable password or enable secret commands. Both commands accomplish the same thing; that is, they allow you to establish an encrypted password that users must enter to access enable mode (the default), or any privilege level you specify.
Cisco recommends that you use the enable secret command because it uses an improved encryption algorithm. Use the enable password command only if you boot an older image of the Cisco IOS software, or if you boot older boot ROMs that do not recognize the enable secret command.
If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
Source: https://sites.google.com/site/beattheccna/ccna-basic-question-1
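Questions 2, 9 and 10 all turn on settings that are visible in a router's running-config. As an added example that is neither from the original page nor from Cisco, the following Python script audits a configuration text for the weaknesses those explanations describe: vty lines without a login process or an access-class, a missing service password-encryption, and privileged mode protected only by enable password rather than enable secret. The two embedded configurations are constructed samples; the access-list name MGMT-HOSTS and the management address 192.0.2.10 are assumptions.

```python
# Constructed sample running-configs (not from the page). The first shows the
# weak settings the explanations warn about; the second shows them corrected.
WEAK_CONFIG = """\
hostname R1
enable password c1sco
line vty 0 4
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret c1sco
username admin secret c1sco
ip access-list standard MGMT-HOSTS
 permit 192.0.2.10
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
"""


def vty_sections(config: str) -> dict:
    """Map each 'line vty ...' header to the indented commands beneath it."""
    sections = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = None  # any other top-level command ends the vty block
    return sections


def audit(config: str) -> list:
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    top_level = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    has_secret = any(c.startswith("enable secret ") for c in top_level)
    has_password = any(c.startswith("enable password ") for c in top_level)

    # Question 10: enable secret (MD5-hashed) is the command to protect privileged EXEC.
    if not has_secret:
        findings.append("global: no 'enable secret' (Question 10); privileged EXEC is not "
                        "protected by the hashed secret")
    if has_password and has_secret:
        findings.append("global: 'enable password' is ignored while 'enable secret' is set "
                        "(Question 10); remove it")

    # Question 9: without service password-encryption, line and enable passwords stay in clear text.
    if "service password-encryption" not in top_level:
        findings.append("global: 'service password-encryption' missing (Question 9); "
                        "line and enable passwords stay in clear text")

    # Question 2: vty lines need a login process (D) and an access-class (E).
    for name, cmds in vty_sections(config).items():
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"{name}: no 'login' (Question 2, D); no password/login process "
                            "on the virtual terminal lines")
        elif "login" in cmds and not any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: plain 'login' without a line 'password'; "
                            "IOS rejects the session because no password is set")
        if not any(c.startswith("access-class ") for c in cmds):
            findings.append(f"{name}: no 'access-class' (Question 2, E); any source "
                            "address can reach the vty lines")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for item in found:
            print("  -", item)
```

The parser treats any non-indented command as the end of a `line vty` block, which matches how a running-config lists line sub-commands; running the script against a saved `show running-config` from a lab device is the practical use. The check for `access-class` deliberately looks under the line section only, since that is where the command belongs, as Question 2 points out.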