CCNA – Security Questions
Here you will find answers to Security Questions
Question 1
Which component of VPN technology ensures that data can be read only by its intended recipient?
A. data integrity
B. encryption
C. key exchange
D. authentication
Answer: D
Explanation
First you need to understand what these terms mean:
Data integrity: verifying that the packet was not changed as the packet transited the Internet
Encryption: conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people
Authentication: the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication can take place at both sides, the sender and the receiver.
Key exchange: is any method in cryptography by which cryptographic keys are exchanged between users, allowing use of a cryptographic algorithm.
So in this question we see that only authentication involves the end user, while the other three are about processing the data -> D is correct.
Question 2
What can be done to secure the virtual terminal interfaces on a router? (Choose two)
A. Administratively shut down the interface.
B. Physically secure the interface.
C. Create an access list and apply it to the virtual terminal interfaces with the access-group command.
D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.
Answer: D E
Explanation
It is a waste to administratively shut down the interface. Moreover, someone can still access the virtual terminal interfaces via other interfaces -> A is not correct.
We cannot physically secure a virtual interface because it is “virtual” -> B is not correct.
To apply an access list to a virtual terminal interface we must use the “access-class” command. The “access-group” command is only used to apply an access list to a physical interface -> C is not correct; E is correct.
The simplest way to secure the virtual terminal interface is to configure a password and a login process to prevent unauthorized login -> D is correct.
Question 3
The enable secret command is used to secure access to which CLI mode?
A. user EXEC mode
B. global configuration mode
C. privileged EXEC mode
D. auxiliary setup mode
Answer: C
Question 4
Which type of attack is characterized by a flood of packets requesting a TCP connection to a server?
A. denial of service
B. brute force
C. reconnaissance
D. Trojan horse
Answer: A
Question 5
Which IPsec security protocol should be used when confidentiality is required?
A. AH
B. MD5
C. PSK
D. ESP
Answer: D
Explanation
IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH), which provide security services for IP datagrams.
ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the IP header).
AH authenticates the sender and provides integrity and replay protection, but not confidentiality.
Question 6
What algorithm technology must be used for ensuring data integrity when data flows over a VPN tunnel? (Choose two)
A. RSA
B. DH-1
C. DH-2
D. HMAC-MD5
E. HMAC-SHA1
Answer: D E
Explanation
Data integrity ensures data has not been altered in the transmission. A data-integrity algorithm adds a hash to the message to guarantee the integrity of the message.
A Hashed Message Authentication Code (HMAC) is a data-integrity algorithm that ensures the integrity of the message. Two popular algorithms a VPN gateway uses for verifying integrity of data are HMAC-Message Digest 5 (HMAC-MD5) and HMAC-Secure Hash Algorithm 1 (HMAC-SHA1).
+ HMAC-MD5 uses a 128-bit shared-secret key of any size. The variable-length message and shared-secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and is forwarded to the remote end.
+ HMAC-SHA-1 uses a secret key of any size. The variable-length message and the shared-secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and is forwarded to the remote end.
Diffie-Hellman Group 1 (DH-1) & Diffie-Hellman Group 2 (DH-2) are two encryption algorithms for VPN, not data integrity algorithms.
RSA is also an encryption algorithm, not data integrity algorithm.
(Reference: Implementing Cisco IOS Network Security IINS)
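The sender/receiver exchange described above, as an added example that is not part of the original page or of any Cisco material: the sender combines the shared secret and the message through HMAC and appends the tag (128 bits for HMAC-MD5, 160 bits for HMAC-SHA1); the remote end recomputes the tag and compares. The shared secret and payload are constructed placeholders. It also shows what the Q1 discussion turns on: a message with an appended hash is still readable by anyone, so integrity is not confidentiality.

```python
import hashlib
import hmac

# Constructed sample values (not from the page): a shared secret the two VPN
# gateways have already agreed on, and a payload that must arrive unaltered.
SHARED_SECRET = b"example-shared-secret-placeholder"
PAYLOAD = b"GET /balance HTTP/1.1\r\nHost: intranet.example\r\n"

# Hash functions behind the two integrity algorithms named in the question.
ALGORITHMS = {
    "HMAC-MD5": hashlib.md5,    # 128-bit tag
    "HMAC-SHA1": hashlib.sha1,  # 160-bit tag
}


def tag_bits(alg: str) -> int:
    """Length in bits of the tag the algorithm appends."""
    return ALGORITHMS[alg]().digest_size * 8


def protect(message: bytes, key: bytes, alg: str) -> bytes:
    """Sender side: run key and message through HMAC, append the tag."""
    tag = hmac.new(key, message, ALGORITHMS[alg]).digest()
    return message + tag


def verify(frame: bytes, key: bytes, alg: str):
    """Receiver side: split off the trailing tag, recompute it with the shared
    secret and compare in constant time. Returns (ok, message)."""
    tag_len = ALGORITHMS[alg]().digest_size
    if len(frame) < tag_len:
        return False, b""
    message, tag = frame[:-tag_len], frame[-tag_len:]
    expected = hmac.new(key, message, ALGORITHMS[alg]).digest()
    return hmac.compare_digest(tag, expected), message


def demo(alg: str) -> dict:
    """Run the exchange plus two failure cases for one algorithm."""
    frame = protect(PAYLOAD, SHARED_SECRET, alg)
    intact, message = verify(frame, SHARED_SECRET, alg)

    # One bit flipped in transit: the recomputed tag no longer matches.
    tampered = bytearray(frame)
    tampered[4] ^= 0x01
    tampered_ok, _ = verify(bytes(tampered), SHARED_SECRET, alg)

    # A party without the shared secret cannot produce a valid tag either.
    forged = protect(PAYLOAD, b"wrong-key", alg)
    forged_ok, _ = verify(forged, SHARED_SECRET, alg)

    return {
        "tag_bits": tag_bits(alg),
        "intact": intact,
        "tampered": tampered_ok,
        "forged": forged_ok,
        # The message itself travels in the clear: integrity is not confidentiality.
        "readable_without_key": message == PAYLOAD,
    }


if __name__ == "__main__":
    for name in ALGORITHMS:
        print(name, demo(name))
```

Running the module prints one result dictionary per algorithm; the receiver accepts the intact frame and rejects both the bit-flipped frame and the frame tagged with the wrong key, while the recovered message is identical to the plaintext that was sent.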
Question 7
What are two security appliances that can be installed in a network? (Choose two)
A. ATM
B. IDS
C. IOS
D. IOX
E. IPS
F. SDM
Answer: B E
Explanation
Intrusion detection system (IDS) and intrusion prevention system (IPS) solutions form an integral part of a robust network defense solution.
IDS monitors network and system activities for malicious activities or policy violations and produces reports to a Management Station.
IPS provides policies and rules for network traffic along with an intrusion detection system for alerting system or network administrators to suspicious traffic, but allows the administrator to provide the action upon being alerted.
The key to differentiating an IDS from an IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS allows malicious traffic to pass before it can respond.
(Reference: Implementing Cisco IOS Network Security IINS)
Note: Asynchronous Transfer Mode (ATM) is a layer 2 WAN transport protocol. It encodes data into small, fixed-sized cells consisting of 48 bytes of payload and 5 bytes of cell header -> A is not correct.
Cisco Router and Security Device Manager (SDM) is a Web-based device-management tool for Cisco routers that can help you configure a router via a web browser -> In general, it only helps simplify the network management, router configuration so it is not a security appliance -> F is not correct.
Question 8
Which device might be installed at a branch office to enable and manage an IPsec site-to-site VPN?
A. Cisco IOS IPsec/SSL VPN client
B. Cisco VPN Client
C. ISDN terminal adapter
D. Cisco Adaptive Security Appliance
Answer: D
Explanation
An example of IPsec site-to-site VPN is your corporation has departments in many countries which need to communicate with each other. A popular solution is site-to-site (LAN-to-LAN) VPN to create private networks through the Internet. But as we know, Internet is not a safe environment for important data to be transferred. That is the reason why we need IPsec, a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.
Cisco Adaptive Security Appliance (ASA) supports IPsec, that’s all I can say! If you wish to learn more about the configuration, please read http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml
Question 9
Refer to the exhibit. What is the result of setting the no login command?
Router#config t
Router(config)#line vty 0 4
Router(config-line)#password c1sc0
Router(config-line)#no login
A. This is a virtually limitless supply of IP addresses
B. Telnet access requires a new password at first login
C. Telnet access requires a password
D. Telnet access is denied
Answer: No correct answer
Explanation
There is a mistake in this question because this configuration will let someone telnet to that router without the password (so the line “password c1sc0” is not necessary).
If we want to deny telnet we can configure like this:
Router(config)#line vty 0 4
Router(config-line)#no password (if a password was set before)
Router(config-line)#login
With this configuration, when someone tries to telnet to this router, a message “Password required, but none set” is displayed.
Question 10
What is the effect of using the service password-encryption command?
A. Only passwords configured after the command has been entered will be encrypted.
B. Only the enable password will be encrypted.
C. Only the enable secret password will be encrypted
D. It will encrypt the secret password and remove the enable secret password from the configuration.
E. It will encrypt all current and future passwords.
Answer: E
Explanation
The secret password (configured by the command “enable secret”) is always encrypted even if the “service password-encryption” command is not used. Moreover, the secret password is not removed from the configuration with this command; we still see it in encrypted form in the running-config -> D is not correct.
The “enable password” command does not encrypt the password, which can be viewed in clear text in the running-config. By using the “service password-encryption” command, that password is encrypted (both current and future passwords) -> A is not correct, E is correct.
Answer B – Only the enable password will be encrypted seems to be correct but it implies the secret password will not be encrypted and stay in clear text, which is not correct.
For your information, the secret password is encrypted with MD5 one-way hash algorithm which is harder to break than the encryption algorithm used by the “service password-encryption” command.
Question 11
Which command sets and automatically encrypts the privileged enable mode password?
A. enable password c1sco
B. secret enable c1sco
C. password enable c1sco
D. enable secret c1sco
Answer: D
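Q2, Q9, Q10 and Q11 each describe a setting that can be checked in a router's running-config: an access list applied to vty lines with access-class (not access-group), a vty line that still allows telnet without a password because of no login, a line with login but no password (which denies every telnet session), and a clear-text enable password with no enable secret. As an added example, not from the page or from Cisco, here is a small Python audit that applies those rules to an IOS-style configuration. Both sample configs are constructed, and the enable-secret hash and Type 7 strings in the hardened one are placeholders, not real values.

```python
# Constructed sample running-config (not from the page) showing the weak
# settings discussed in Q2, Q9, Q10 and Q11.
WEAK_CONFIG = """\
hostname Router
!
enable password c1sco
!
access-list 10 permit 10.0.0.0 0.0.0.255
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
!
line con 0
 login
line vty 0 4
 password c1sco
 no login
line vty 5 15
 login
"""

# Constructed hardened version of the same config. The hash after
# "enable secret 5" and the Type 7 strings are placeholders.
HARDENED_CONFIG = """\
hostname Router
!
service password-encryption
enable secret 5 $1$PLACEHOLDER$hashgoeshere
!
access-list 10 permit 10.0.0.0 0.0.0.255
!
line con 0
 login
line vty 0 4
 access-class 10 in
 password 7 PLACEHOLDERTYPE7
 login
line vty 5 15
 access-class 10 in
 password 7 PLACEHOLDERTYPE7
 login
"""


def parse_stanzas(config: str):
    """Split an IOS-style config into (header, [indented sub-commands]) pairs.
    Every unindented line is a global command and opens a new stanza;
    indented lines belong to the stanza above them."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and "!" separators carry no configuration
        if raw[0].isspace() and stanzas:
            stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def audit_config(config: str):
    """Return a list of findings; an empty list means all four checks passed."""
    findings = []
    stanzas = parse_stanzas(config)
    global_cmds = [header for header, _ in stanzas]

    has_pw_encryption = "service password-encryption" in global_cmds
    has_enable_secret = any(c.startswith("enable secret") for c in global_cmds)
    has_enable_password = any(c.startswith("enable password") for c in global_cmds)

    # Q11: enable secret is the command that hashes the privileged-mode password.
    if has_enable_password and not has_enable_secret:
        findings.append("global: enable password used without enable secret (Q11)")
    # Q10: without service password-encryption, enable password is clear text.
    if has_enable_password and not has_pw_encryption:
        findings.append("global: enable password stored in clear text (Q10)")

    for header, body in stanzas:
        if not header.startswith("line vty"):
            continue
        has_password = any(cmd.startswith("password") for cmd in body)
        # Q9: "no login" means telnet access without any password prompt.
        if "no login" in body:
            findings.append(f"{header}: no login allows telnet without a password (Q9)")
        # Q9: "login" with no password set rejects every session
        # ("Password required, but none set").
        elif "login" in body and not has_password:
            findings.append(f"{header}: login without a password denies all telnet (Q9)")
        # Q2: vty lines are restricted with access-class, not access-group.
        if not any(cmd.startswith("access-class") for cmd in body):
            findings.append(f"{header}: no access-class restricting vty access (Q2)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or ["no findings"])
```

Paste the output of show running-config into the script in place of the constructed samples to run the same four checks on a real device's configuration.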
Ad Q1: The explanation of terms is correct, however the correct answer should be B.
Authentication in this case ensures that the data originated from the particular source. The ability to decrypt the ciphertext (i.e. possession of decryption key) ensures that only the intended recipient can read it. Therefore it should be encryption.
Question 3
The enable secret command is used to secure access to which CLI mode?
A. user EXEC mode
B. global configuration mode
C. privileged EXEC mode
D. auxiliary setup mode
Answer: C
<– I don't think that's the right one. Isn't it B, global configuration mode?
@joy
No, global configuration mode is accessed using the ‘configure terminal’ command.
Ehm to be clear – ‘enable secret’ sets a password required when you enter the ‘enable’ command and ‘enable’ allows you to access the privileged EXEC mode thus it’s B.
@9tut
@Yaw
Regarding Q1.
Please, kindly take a second look at the options you selected.
In my reading and researching, this is what I came to:
Data Integrity guarantees that no tampering or alterations occur to data while traveling between the source and destination. VPNs typically use hashes to ensure data integrity.
Basically, in my opinion, I think this ensures that data is read only by its intended recipient.
The answer to this Q1 is option A. Thanks.
@Koffy
Definitely not. Data integrity guarantees that data has not been altered as it travelled over the line. This prevents bit errors, malicious attackers and other ways of altering data and it’s implemented using hashing algorithms. Without any other service plaintext data with added hash can still be read by anyone.
@Yaw
Well, most of my materials are from reliable sources. I still have access to the academy site.
I just copied and pasted these explanations from the Cisco Academy site. Please, read it carefully.
Data Confidentiality: A common security concern is protecting data from eavesdroppers. As a design feature, data confidentiality aims at protecting the contents of messages from interception by unauthenticated or unauthorized sources. VPNs achieve confidentiality using mechanism of encapsulation and encryption.
Data Integrity: Receivers have no control over the path the data has travelled and therefore do not know if the data has been seen or handled while it journeys across the internet. There is always the possibility that the data has been modified. Data integrity guarantees that no tampering or alterations occur to data while it travels between the source and destination. VPNs typically use hashes to ensure data integrity. A hash is like a checksum or a seal that guarantees that no one has read the content, but it is more robust.
Authentication: Authentication ensures that the message comes from an authentic source and goes to an authentic destination. User identification gives a user confidence that the party with whom the user establishes communications is who the user thinks the party is. VPNs can use passwords, digital certificates, smart cards, and biometrics to establish the identity of parties at the other end of a network.
It is very important to me that we maintain some kind of integrity on this site. Guys here are relying on the materials offered here to help them get a sense of the concept. Thanks.
@Koffy
The problem here is that in the real Cisco exam there is a question slightly different to this one (Q1) and the correct answer to that question is indeed data integrity.
You basically write the same arguments and reasoning as I do but come to different conclusions. I completely agree with the explanations of terms at hand you posted.
Quote from your text:
Data Confidentiality: A common security concern is PROTECTING DATA FROM EAVESDROPPERS. As a design feature, data confidentiality aims at protecting the contents of messages from interception by unauthenticated or unauthorized sources. VPNs achieve confidentiality using mechanism of encapsulation and ENCRYPTION.
Now the question again:
Which component of VPN technology ensures that data can be read only by its intended recipient?
Notice that the question does not say anything about data being altered along the path. The simple concern of this question is who can read it.
And yes it is important to me as well. That is why I shared my thoughts on the matter.
@Yaw
I like your approach and reasoning, and also how you are processing the information. Once again, it all comes down to the concept.
“Which component of VPN technology ensures that data can be read only by its intended recipient?”
You are interpreting the question too literally; try reading between the lines. If you do, you will realize that the end result or conclusion is Data Integrity.
Data Confidentiality>>Encapsulation and Encryption.
Authentication>>True Identity by way of password, digital certificate, smart cards. and biometrics.
Basically, it is defining a process, i.e. a means to an end. The end being Data Integrity.
Well, so far, at the very least, we agree on something. Thanks.
@ 9tut
please tell me about the use of…… no login in Q9?
To all of you: the right answer is the Cisco way, not the obvious way. Try reading Todd Lammle and you will understand that the chosen answer which makes more sense is wrong. It has to be the way Cisco interprets it. Thus the right answer to the question will be Authentication.
Question 3
The enable secret command is used to secure access to which CLI mode?
A. user EXEC mode
B. global configuration mode
C. privileged EXEC mode
D. auxiliary setup mode
Answer: C
<– I don't think that's the right one. Isn't it B, global configuration mode?
@Dhan Singh:
Router> enable <- this is unprivileged mode
password:
Router# <- this is privileged mode
Router(config)# <- this is global configuration mode
Thus the enable secret command is used to access the privileged mode from unprivileged mode.
@vikas: “no login” means you can telnet to that router without entering a password.
@9tut
Thanks for your reply. So if someone gets this type of question, which option should they choose?
Question 9 – I think the explanation is wrong
%Quote%
Router(config)#line vty 0 4
Router(config-line)#no password (if the password is set before)
Router(config-line)#no login
With this configuration, when someone tries to telnet to this router, a message “Password required, but none set” is displayed.
%end of Quote%
If you do so then NO Login is required and the router will let you ‘in’. The message “Password required, but none set” appears if you set LOGIN without a password.
for instance (R0 & R1)
Router1#sh run
…..
!
line con 0
line vty 0 4
no login
!
……
and now you telnet into R1 without any problems!
Router0#telnet 192.168.1.2
Trying 192.168.1.2 …Open
Router1>
It's a little confusing, but LOGIN requires a password and NO LOGIN lets you in without any obstacles.
Meaning – NO LOGIN is bad in a real net environment.
@ 9tut
Please upload a tutorial about VPN if you have one. Some books are a little confusing on the concept.
@z
maybe this could help…
http://www.securitytut.com/ccna-security-knowledge/ipsec-site-to-site-vpn-tutorial
Hello guys, when I configured (config)# spanning-tree portfast default, does that mean I disabled port security? Please feed me back.
@ xallax
thanks a lot
@ Koffy
Interesting discussion on Q1. Personally I would have chosen answer B. encryption, based on the definition of confidentiality in this link:
http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+III+Virtual+Private+Networks+VPNs/Chapter+9+Cisco+IOS+IPSec+Introduction/Virtual+Private+Networks/
But please see Todd Lammle’s pdf page 19 here:
http://www.lammle.com/wp-content/uploads/2011/06/CCNA-7th-Edition-Dynamic-Updates-July-2011.pdf
I believe D. authentication is the answer they want, as they use questions from these authors.
@ken jacks
Thanks for your input.
Question 11 looks wrong to me.
Which command sets and automatically encrypts the privileged enable mode password?
A. enable password c1sco <— Encrypts password
B. secret enable c1sco
C. password enable c1sco
D. enable secret c1sco <– Hashes password
I think the correct answer is A.
Any thoughts?
@brandon
try them out and you will see that…
“enable password c1sco” will store the password as c1sco in the running-config (unless service password-encryption was set)
“enable secret c1sco” will store an MD5 hash of that password in the running-config
@xallax
Now I see what the question was asking. Thanks for the response.
@ 9tut
At the end what is the Q1 ? God
@brandon
enable password c1sco is in clear text format. By this, if you put enable password and then type enable secret, the enable password will be replaced by the enable secret MD5 hash because it's more secure.
@diego
A. data integrity
what do i care if it’s intact or not if i don’t have the right password to open it anyway
B. encryption
it’s encrypted! jump for joy! still no password… what am i supposed to do with it?
C. key exchange
i send you my key, you send me your key. what if someone gets in-between?
D. authentication
users and passwords… if i had a password and i was the only one to be able to authenticate then i’d be the only one accessing that piece of information.
i pick D. what about you?
in Q9, I agree that there is no right answer. Because with that configuration it means that anyone can try to telnet to the device and they will not be prompted for password, so they are just allowed. But I disagree to the suggested configuration. Configuring the device with “no login” and “no password” is the same with “no login” but with configured password. They are still allowed telnet access. If you want to deny telnet access, the right configuration is this:
Router(config)#line vty 0 4
Router(config-line)#no password (if the password is set before)
Router(config-line)#login
With this configuration, when someone tries to telnet to this router, a message “Password required, but none set” is displayed.
Please update this. Thanks
Hey guys, when I configured (config)# spanning-tree portfast default, does that mean I disabled port security? Please feed me back.
@Vanessa: Yes, thanks for your detection. I updated it!
i m going to give exam 5pm
please help me tomo i have exam
In Q1
statement1:Authentication can take place at both sides, the sender and the receiver
statement2:we realize that only authentication involves in the end user
In your explanation both statements differ. Which one is the correct one? Does authentication involve the sender side or the receiver side?
another question please give me the correct ans….
which option is used to check at the receiving end to see if the data is unaltered?
a) encryption
b) key exchange
c) data integrity
d) encapsulation
@9tut
regarding Q9
i’d replace option A with “Access to the device is allowed without prompting for a password” as option A has nothing to do with the question given.
thank you
Regards Q7
**********
If we want to deny telnet we can configure like this:
Router(config)#line vty 0 4
Router(config-line)#no password (if the password is set before)
Router(config-line)#login
With this configuration, when someone tries to telnet to this router, a message “Password required, but none set” is displayed.
**********
Actually, the message should be: “[Connection to closed by foreign host]”.
Example:
R1(config)#int f0/0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#no shut
R1(config)#line vty 0 4
R1(config-line)#no password
R1(config-line)#no login
PC>telnet 192.168.0.1
Trying 192.168.0.1…Open
—> [Connection to 192.168.0.1 closed by foreign host] <—-
Please, sorry, my comment is not about Q7, but Q9…
Question 6. Does anyone know if Question 6 is correct. I read somewhere else that the answer is HMAC-SHA-1 and RSA
@9tut
Question 1
Which component of VPN technology ensures that data can be read only by its intended recipient?
A. data integrity
B. encryption
C. key exchange
D. authentication
Answer: D… well, I disagree with you. Authentication is not concerned with readability; it only cares about justifying that I am the person I claim to be.
The only thing that ensures the data is not readable by others is encryption, and authentication can be done by the encryption mechanism, as the authenticated person is the only one who has the cipher key to decrypt the ciphered message. What do you think about it?
I suppose it's B, not D.
@ bakkie
Correct answer is C. Keyword is “unaltered”
@ AMIRA
the keyword in the question is “read”, its not about readability. It can be only read by that special someone.
also, when there is encryption there is decryption. not deauthorization and authorization.
data integrity- hash, make sure the data was not changed.
answer for q1 is D
@ ad
yes it is correct, they both are involved with data integrity.
and they are very very similar, too.
all you guys seem to have a problem understanding the difference between data integrity and data encryption…it is a tough one, i know.
A key exchange is needed for the actual encryption and decryption to take place. Adding some data integrity with SHA1 or MD5 is just an add-on to the packets, and additional Cisco devices or technology are needed, like the Cisco ASA. You can google and find ASA devices for sale around 400 dollars or so.
I gave my exam on 3-Jan-2012. This site is valid and had 90% of the questions on the exam. I passed with 905/1000. But in my humble opinion try to cover your basics; even if you don't you will still pass using this website, but don't do it this way: study and then use this website! Good job 9tut guys!
Question 9
answer should be D. If no login is set then no one can connect via telnet.
@anonymous
have you tried it? :)
if “no login” is set then no login is *required*
Question 9
for the router no login means “don’t ask password” so there is no correct answer between the choices.
@9tut
regarding q9, if I should meet it in the real exams, what option, in your opinion, should I choose?