Cisco Sources:Free Cisco Certification
QUESTION 1 The security team at Cisco Sources Inc. is working on network security design. What is an example of a trust model?

A. One example is NTFS

B. One example is NTP

C. One example is NFS

D. One example is NOS

Answer: C

Explanation: One of the key factors in building a successful network security design is to identify and enforce a proper trust model. The trust model defines who needs to talk to whom and what kind of traffic needs to be exchanged; all other traffic should be denied. Once the trust model has been identified, the security designer decides how to enforce it. As more critical resources become globally available and new forms of network attack evolve, the network security infrastructure tends to become more sophisticated, and more products are available. Firewalls, routers, LAN switches, intrusion detection systems, AAA servers, and VPNs are some of the technologies and products that can help enforce the model. Each of these products and technologies plays a particular role within the overall security implementation, and it is essential for the designer to understand how these elements can be deployed. Of the options listed, NFS (Network File System) is the closest fit.

Reference: Securing Networks with Private VLANs and VLAN Access Control Lists

QUESTION 2 You are the administrator at Cisco Sources Inc. and you need to implement a firewall in the SAFE SMR small network design. In which module does the firewall exist in the SAFE SMR small network design?

A. The Internet module

B. The Corporate Internet module

C. The Campus module

D. The Edge module

Answer: B

Explanation: Corporate Internet module key devices:

  • SMTP server: acts as a relay between the Internet and the intranet mail servers
  • DNS server: serves as the authoritative external DNS server for the enterprise; relays internal requests to the Internet
  • FTP/HTTP server: provides public information about the organization
  • Firewall or firewall router: provides network-level protection of resources, stateful filtering of traffic, and VPN termination for remote sites and users
  • Layer 2 switch (with private VLAN support): ensures that data from managed devices can only cross directly to the IOS firewall

Reference: SAFE white papers, page 11, SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

QUESTION 3 Kathy the security administrator at Cisco Sources Inc. is implementing HIDS in the SAFE SMR small network corporate Internet module. On what device within the SAFE SMR small network corporate Internet module should Kathy perform HIDS local attack mitigation?

A. HIDS is performed on Public services servers

B. HIDS is performed on Layer 2 switch

C. HIDS is performed on Firewall

D. HIDS is performed on Routers

Answer: A

Explanation: Application layer attacks are mitigated through HIDS on the public servers.

Reference: SAFE white papers, page 11, SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

QUESTION 4 The security team at Cisco Sources Inc. is working on implementing IOS firewall in their SAFE SMR small network design. What is the primary function of the IOS firewall in the SAFE SMR small network design?

A. The primary function is it provides remote site connectivity and general filtering for sessions initiated through the firewall.

B. The primary function is it provides host DoS mitigation.

C. The primary function is it authenticates IPSec tunnels.

D. The primary function is it provides remote site authentication.

E. The primary function is it provides connection state enforcement and detailed filtering for sessions initiated through the firewall.

Answer: E

Explanation: In the corporate Internet module the firewall or firewall router provides network-level protection of resources, stateful filtering of traffic, and VPN termination for remote sites and users; answer E describes that stateful filtering role. The Layer 2 switch (with private VLAN support) only ensures that data from managed devices can cross directly to the IOS firewall; it is not the device that enforces connection state.

Reference: SAFE white papers, page 11, SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

QUESTION 5 You are the administrator at Cisco Sources Inc. and you are configuring the PIX Firewall. The ip verify reverse-path command implements which of the following on the PIX Firewall? (Choose two)

A. The ip verify reverse-path command performs a route lookup based on the destination address.

B. The ip verify reverse-path command performs a route lookup based on the source address.

C. The ip verify reverse-path command provides session state information based on source address.

D. The ip verify reverse-path command provides ingress filtering.

E. The ip verify reverse-path command provides session state information based on destination address.

Answer: B, D

Explanation: This is unicast reverse path forwarding (uRPF), a form of ingress filtering. On a router, use the ip verify unicast reverse-path interface command on the input interface at the upstream end of the connection. The feature examines each packet received as input on that interface: if the source IP address does not have a route in the CEF table that points back to the same interface on which the packet arrived, the router drops the packet. The PIX Firewall command performs the same check against its own routing table. It is a route lookup on the source address, not a session state mechanism.

Reference: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
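The reverse-path check described above, modelled in Python as an added example (this is not Cisco code and not from the SAFE papers). It looks up the source address of each packet in a constructed forwarding table and, in strict mode, passes the packet only if the best route points back out the arrival interface; loose mode accepts any usable route. The `allow_default` flag models the behaviour of the IOS `allow-default` keyword, where a match on 0.0.0.0/0 alone does not satisfy the check unless explicitly allowed. The FIB, interface names and packets are all constructed for illustration.

```python
"""Model of unicast RPF, the check behind IOS `ip verify unicast reverse-path`
and PIX `ip verify reverse-path`. Added example; FIB and packets are constructed."""
import ipaddress
from typing import Optional, Tuple

# Constructed FIB: (prefix, egress interface). Longest prefix match wins.
FIB = [
    ("0.0.0.0/0", "Serial0"),       # default route toward the ISP
    ("10.1.0.0/16", "Ethernet0"),   # inside network
    ("10.1.5.0/24", "Ethernet1"),   # a more specific inside subnet
    ("192.0.2.0/24", "Serial0"),    # public block reached via the ISP
]


def lookup(src: str) -> Optional[Tuple[str, int]]:
    """Longest-prefix match on the source address.
    Returns (egress interface, prefix length) or None if no route exists."""
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[str, int]] = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (iface, net.prefixlen)
    return best


def urpf_allows(src: str, ingress: str, mode: str = "strict",
                allow_default: bool = False) -> bool:
    """True if a packet with source `src` arriving on `ingress` passes uRPF.

    strict: the best route to the source must point out the arrival interface.
    loose:  any usable route to the source is enough.
    A match on the default route alone only counts when allow_default is set
    (mirrors the IOS `allow-default` keyword, an assumption of this model)."""
    route = lookup(src)
    if route is None:
        return False                      # no route to the source at all: drop
    iface, plen = route
    if plen == 0 and not allow_default:
        return False                      # only the default route matched: drop
    if mode == "loose":
        return True
    return iface == ingress               # strict: route must point back the same way


if __name__ == "__main__":
    # Constructed packets: (source address, arrival interface)
    packets = [
        ("10.1.5.7", "Ethernet1"),      # legitimate inside host on its own subnet
        ("10.1.5.7", "Ethernet0"),      # same source, wrong interface (spoofed or misrouted)
        ("192.0.2.10", "Ethernet0"),    # inside host spoofing a public address
        ("203.0.113.9", "Serial0"),     # Internet host, only the default route matches
    ]
    for src, ingress in packets:
        print(f"{src:>13} on {ingress:<9} strict={urpf_allows(src, ingress)!s:<5} "
              f"loose={urpf_allows(src, ingress, mode='loose')}")
```

The second and third packets are the DDoS-relevant cases: a host on the inside spoofing an address that the routing table says lives elsewhere is dropped before it reaches the firewall. The last packet shows the caveat that matters on an Internet-facing interface: with only a default route covering outside sources, strict uRPF drops everything unless the default route is explicitly allowed, which is why strict mode belongs at the customer edge where routing is symmetric and loose mode is the usual choice on multi-homed upstream links.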

QUESTION 6 John the security administrator at Cisco Sources Inc. is working on mitigating all threats to the network. What threats are expected for the SAFE SMR small network campus module? (Choose two)

A. The IP spoofing threat

B. The Packet sniffers threat

C. The Application layer attacks threat

D. The Denial of service threat

Answer: B, C

Explanation: Threats mitigated in the campus module:

  • Packet sniffers: a switched infrastructure limits the effectiveness of sniffing
  • Virus and Trojan-horse applications: host-based virus scanning prevents most viruses and many Trojan horses
  • Unauthorized access: mitigated through the use of host-based intrusion detection and application access control
  • Application layer attacks: operating systems, devices, and applications are kept up-to-date with the latest security fixes, and they are protected by HIDS
  • Trust exploitation: private VLANs prevent hosts on the same subnet from communicating unless necessary
  • Port redirection: HIDS prevents port redirection agents from being installed

Reference: SAFE white papers, page 14, SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

QUESTION 7 Jason the security administrator at Cisco Sources Inc. is working on filtering network traffic. In the SAFE SMR midsize network design, access-list 101 deny ip 10.0.0.0 0.255.255.255 any is an example of what kind of filtering?

A. It is an example of RFC 2728

B. It is an example of RFC 2827

C. It is an example of RFC 1918

D. It is an example of RFC 1920

Answer: C

Explanation: 10.0.0.0/8 is one of the private address blocks defined in RFC 1918, so denying it as a source address on the Internet-facing interface is RFC 1918 filtering. RFC 2827 filtering instead denies packets whose source address does not belong to the address range legitimately reachable through the interface they arrived on. The corresponding lines from the SAFE lab configuration:

  ! RFC 1918 filtering. Note network 172.16.x.x was not included in the
  ! filter here since it is used to simulate the ISP in the lab.
  access-list 103 deny ip 10.0.0.0 0.255.255.255 any
  access-list 103 deny ip 192.168.0.0 0.0.255.255 any

Reference: SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks, page 47

QUESTION 8 Jason is the security administrator at Cisco Sources Inc. and wants to know which is true with regard to creating an RPC entry with the NFS program number?

A. The true statement is NFS traffic designated as friendly will be allowed through the firewall.

B. The true statement is no NFS traffic will be allowed through the firewall.

C. The true statement is all NFS traffic will be allowed through the firewall.

D. The true statement is NFS traffic designated as hostile will not be allowed through the firewall.

Answer: C

QUESTION 9 You are the security administrator at Cisco Sources Inc. and you are working on filtering network traffic. access-list 101 deny ip 192.168.8.8 0.0.0.255 any is an example of an ACL entry to filter what type of addresses?

A. It is an example of RFC 1920

B. It is an example of RFC 2728

C. It is an example of RFC 2827

D. It is an example of RFC 1918

Answer: D

Explanation: 192.168.0.0/16 is an RFC 1918 private block. Note that with wildcard mask 0.0.0.255 the low octet of 192.168.8.8 is a don't-care bit pattern, so the entry matches every source in 192.168.8.0/24. The corresponding lines from the SAFE lab configuration:

  ! RFC 1918 filtering. Note network 172.16.x.x was not included in the
  ! filter here since it is used to simulate the ISP in the lab.
  access-list 103 deny ip 10.0.0.0 0.255.255.255 any
  access-list 103 deny ip 192.168.0.0 0.0.255.255 any

Reference: SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks, page 47
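To make the distinction between RFC 1918 filtering (questions 7 and 9) and RFC 2827 filtering concrete, here is a small Cisco-style ACL evaluator written as an added example; it is not Cisco code and not from the SAFE papers. It implements wildcard-mask matching (a 1 bit in the wildcard means "don't care"), first-match semantics and the implicit deny, then runs constructed packets through an RFC 1918 inbound ACL and an RFC 2827 inbound/outbound pair. All ACL numbers and addresses are constructed; 192.0.2.0/24 (a documentation block) stands in for the organisation's own public range.

```python
"""Cisco-style ACL evaluation with wildcard masks, contrasting RFC 1918 and
RFC 2827 filtering. Added example; ACLs, numbers and packets are constructed."""
import ipaddress
from typing import List, Tuple

Addr = Tuple[str, str]          # (base address, wildcard mask)
Ace = Tuple[str, Addr, Addr]    # (action, source, destination)


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def _parse_addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """Consume 'any' | 'host A' | 'A W' at tokens[i]; return (addr, next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} ip SRC DST' (IPv4, protocol 'ip' only)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[3] != "ip" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return (t[2], src, dst)


def evaluate(acl: List[str], src: str, dst: str) -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# RFC 1918 filtering, applied inbound on the Internet-facing interface: private
# source addresses have no business arriving from the Internet. Constructed ACL.
RFC1918_INBOUND = [
    "access-list 103 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 103 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 103 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 103 permit ip any any",
]

# RFC 2827 filtering. Inbound: nobody on the Internet may claim *our* block as a
# source. Outbound: only our block may leave as a source, so a compromised inside
# host cannot launch spoofed-source traffic toward the Internet. Constructed ACLs.
RFC2827_INBOUND = [
    "access-list 102 deny ip 192.0.2.0 0.0.0.255 any",
    "access-list 102 permit ip any any",
]
RFC2827_OUTBOUND = [
    "access-list 104 permit ip 192.0.2.0 0.0.0.255 any",
    # implicit deny drops any other source address
]


if __name__ == "__main__":
    # Constructed packets: (description, ACL, source, destination)
    cases = [
        ("private src from Internet", RFC1918_INBOUND, "10.3.4.5", "192.0.2.10"),
        ("172.32 is not RFC 1918",     RFC1918_INBOUND, "172.32.0.1", "192.0.2.10"),
        ("outsider spoofing our block", RFC2827_INBOUND, "192.0.2.99", "192.0.2.10"),
        ("inside host spoofing 10/8",   RFC2827_OUTBOUND, "10.1.1.1", "198.51.100.7"),
        ("legitimate outbound",         RFC2827_OUTBOUND, "192.0.2.10", "198.51.100.7"),
    ]
    for label, acl, src, dst in cases:
        print(f"{label:<30} {src:>12} -> {dst:<14} {evaluate(acl, src, dst)}")
```

The two filters catch different things: the RFC 1918 list drops addresses that should never appear on the public Internet at all, while the RFC 2827 pair drops addresses that are valid somewhere but cannot legitimately be arriving on (or leaving by) this interface. Note also that `wildcard_match("192.168.8.77", "192.168.8.8", "0.0.0.255")` is true, which is why the entry in question 9 behaves as a /24 match despite the odd base address.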

QUESTION 10 You are the administrator at Cisco Sources Inc. and you are implementing a small filtering router. As an alternative design in the SAFE SMR small network campus module, a small filtering router can be placed between the rest of the network and which devices?

A. The rest of the network and Layer 2 switches

B. The rest of the network and corporate users

C. The rest of the network and management stations

D. The rest of the network and routers

Answer: C

Explanation (alternatives): Setting a small filtering router or firewall between the management stations and the rest of the network can improve overall security. This setup allows management traffic to flow only in the specific direction deemed necessary by the administrators. If the level of trust within the organization is high, HIDS can potentially be eliminated, though this is not recommended.

Reference: SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks, page 15



© Copyrights 2007 CCNA by Cisco Sources ® All rights reserved