
CCNA – Security Questions

March 7th, 2011

Here you will find answers to Security Questions

Question 1

Which component of VPN technology ensures that data can be read only by its intended recipient?

A. data integrity
B. encryption
C. key exchange
D. authentication


Answer: D

Explanation

First you need to understand what these terms mean:

Data integrity: verifying that the packet was not changed as the packet transited the Internet

Encryption: conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people

Authentication: the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication can take place at both sides, the sender and the receiver.

Key exchange: any method in cryptography by which cryptographic keys are exchanged between users, allowing use of a cryptographic algorithm.

So in this question we see that only authentication involves the end user, while the others are about processing the data -> D is correct.

Question 2

What can be done to secure the virtual terminal interfaces on a router? (Choose two)

A. Administratively shut down the interface.
B. Physically secure the interface.
C. Create an access list and apply it to the virtual terminal interfaces with the access-group command.
D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.


Answer: D E

Explanation

It is a waste to administratively shut down the interface. Moreover, someone can still access the virtual terminal interfaces via other interfaces -> A is not correct.

We cannot physically secure a virtual interface because it is “virtual” -> B is not correct.

To apply an access list to a virtual terminal interface we must use the “access-class” command. The “access-group” command is only used to apply an access list to a physical interface -> C is not correct; E is correct.

The simplest way to secure the virtual terminal interface is to configure a username & password to prevent unauthorized login -> D is correct.

Question 3

The enable secret command is used to secure access to which CLI mode?

A. user EXEC mode
B. global configuration mode
C. privileged EXEC mode
D. auxiliary setup mode


Answer: C

Question 4

Which type of attack is characterized by a flood of packets requesting a TCP connection to a server?

A. denial of service
B. brute force
C. reconnaissance
D. Trojan horse


Answer: A

Question 5

Which IPsec security protocol should be used when confidentiality is required?

A. AH
B. MD5
C. PSK
D. ESP


Answer: D

Explanation

IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH), which provide security services for IP datagrams.

ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the IP header).

AH provides authentication of the sender, integrity, and replay protection (but not confidentiality).

Question 6

Which algorithm technology must be used to ensure data integrity when data flows over a VPN tunnel? (Choose two)

A. RSA
B. DH-1
C. DH-2
D. HMAC-MD5
E. HMAC-SHA1


Answer: D E

Explanation

Data integrity ensures data has not been altered in the transmission. A data-integrity algorithm adds a hash to the message to guarantee the integrity of the message.

A Hashed Message Authentication Code (HMAC) is a data-integrity algorithm that ensures the integrity of the message. Two popular algorithms a VPN gateway uses for verifying the integrity of data are HMAC-Message Digest 5 (HMAC-MD5) and HMAC-Secure Hash Algorithm 1 (HMAC-SHA1).

+ HMAC-MD5 uses a shared-secret key of any size. The variable-length message and shared-secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and is forwarded to the remote end.

+ HMAC-SHA-1 uses a secret key of any size. The variable-length message and the shared-secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and is forwarded to the remote end.

Diffie-Hellman Group 1 (DH-1) & Diffie-Hellman Group 2 (DH-2) are two encryption algorithms for VPN, not data integrity algorithms.

RSA is also an encryption algorithm, not a data integrity algorithm.

(Reference: Implementing Cisco IOS Network Security IINS)
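As an added example (not from the original page or from Cisco), the sender and receiver steps described above for HMAC-MD5 and HMAC-SHA1 written in Python with the standard library; the shared secret and the message are constructed sample values. It also shows the point behind Q5: the appended tag lets the receiver detect any change to the message, but the message itself stays readable, so integrity alone gives no confidentiality.

```python
import hashlib
import hmac

# Constructed sample values for this example (not taken from the page).
SHARED_SECRET = b"example-shared-secret-between-vpn-peers"
MESSAGE = b"branch-router: tunnel status OK, seq=17"


def tag_bits(algo: str) -> int:
    """Tag size in bits for 'md5' (128) or 'sha1' (160), taken from hashlib."""
    return hashlib.new(algo).digest_size * 8


def make_tag(key: bytes, message: bytes, algo: str) -> bytes:
    """HMAC of the message under the shared secret; algo is 'md5' or 'sha1'."""
    return hmac.new(key, message, algo).digest()


def protect(key: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """Sender side: append the HMAC tag to the message and forward both."""
    return message + make_tag(key, message, algo)


def verify(key: bytes, packet: bytes, algo: str = "sha1"):
    """Receiver side: split off the trailing tag, recompute it and compare.

    Returns (accepted, message). The comparison is constant-time via
    hmac.compare_digest so a failed check does not leak which byte differed.
    """
    tag_len = hashlib.new(algo).digest_size
    if len(packet) < tag_len:
        return False, b""
    message, received_tag = packet[:-tag_len], packet[-tag_len:]
    accepted = hmac.compare_digest(received_tag, make_tag(key, message, algo))
    return accepted, message


def flip_one_bit(packet: bytes, index: int = 0) -> bytes:
    """Simulated in-transit modification: invert one bit of the packet."""
    altered = bytearray(packet)
    altered[index] ^= 0x01
    return bytes(altered)


def plaintext_visible(packet: bytes, message: bytes) -> bool:
    """HMAC gives integrity, not confidentiality: the message is still readable."""
    return message in packet


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        pkt = protect(SHARED_SECRET, MESSAGE, algo)
        print(f"HMAC-{algo.upper()}: tag is {tag_bits(algo)} bits")
        print("  untouched packet accepted:", verify(SHARED_SECRET, pkt, algo)[0])
        print("  bit-flipped packet accepted:",
              verify(SHARED_SECRET, flip_one_bit(pkt), algo)[0])
        print("  wrong key accepted:", verify(b"other-key", pkt, algo)[0])
        print("  plaintext still visible:", plaintext_visible(pkt, MESSAGE))
```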

Question 7

What are two security appliances that can be installed in a network? (Choose two)

A. ATM
B. IDS
C. IOS
D. IOX
E. IPS
F. SDM


Answer: B E

Explanation

Intrusion detection system (IDS) and intrusion prevention system (IPS) solutions form an integral part of a robust network defense solution.

IDS monitors network and system activities for malicious activities or policy violations and produces reports to a Management Station.

IPS provides policies and rules for network traffic, together with an intrusion detection system that alerts system or network administrators to suspicious traffic, and lets the administrator specify the action to take when alerted.

The key to differentiating an IDS from an IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS allows malicious traffic to pass before it can respond.

(Reference: Implementing Cisco IOS Network Security IINS)

Note: Asynchronous Transfer Mode (ATM) is a layer 2 WAN transport protocol. It encodes data into small, fixed-size cells consisting of 48 bytes of payload and 5 bytes of cell header -> A is not correct.

Cisco Router and Security Device Manager (SDM) is a Web-based device-management tool for Cisco routers that helps you configure a router via a web browser. In general, it only simplifies network management and router configuration, so it is not a security appliance -> F is not correct.

Question 8

Which device might be installed at a branch office to enable and manage an IPsec site-to-site VPN?

A. Cisco IOS IPsec/SSL VPN client
B. Cisco VPN Client
C. ISDN terminal adapter
D. Cisco Adaptive Security Appliance


Answer: D

Explanation

An example of an IPsec site-to-site VPN: your corporation has departments in many countries that need to communicate with each other. A popular solution is a site-to-site (LAN-to-LAN) VPN that creates private networks across the Internet. But as we know, the Internet is not a safe environment for transferring important data. That is why we need IPsec, a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.

Cisco Adaptive Security Appliance (ASA) supports IPsec, that’s all I can say! If you wish to learn more about the configuration, please read http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

Question 9

Refer to the exhibit. What is the result of setting the no login command?

Router#config t
Router(config)#line vty 0 4
Router(config-line)#password c1sc0
Router(config-line)#no login

A. This is a virtually limitless supply of IP addresses
B. Telnet access requires a new password at first login
C. Telnet access requires a password
D. Telnet access is denied


Answer: No correct answer

Explanation

There is a mistake in this question because this configuration will let someone telnet to the router without a password (so the line “password c1sc0” is not necessary).

If we want to deny Telnet, we can configure it like this:

Router(config)#line vty 0 4
Router(config-line)#no password (if the password is set before)
Router(config-line)#login

With this configuration, when someone tries to telnet to this router, a message “Password required, but none set” is displayed.

Question 10

What is the effect of using the service password-encryption command?

A. Only passwords configured after the command has been entered will be encrypted.
B. Only the enable password will be encrypted.
C. Only the enable secret password will be encrypted
D. It will encrypt the secret password and remove the enable secret password from the configuration.
E. It will encrypt all current and future passwords.


Answer: E

Explanation

The secret password (configured by the command “enable secret”) is always encrypted even if the “service password-encryption” command is not used. Moreover, the secret password is not removed from the configuration by this command; we still see it in encrypted form in the running-config -> D is not correct.

The “enable password” command does not encrypt the password, which can be viewed in clear text in the running-config. By using the “service password-encryption” command, that password is encrypted (both current and future passwords) -> A is not correct, E is correct.

Answer B (“Only the enable password will be encrypted”) seems to be correct, but it implies the secret password will not be encrypted and will stay in clear text, which is not correct.

For your information, the secret password is encrypted with the MD5 one-way hash algorithm, which is harder to break than the encryption algorithm used by the “service password-encryption” command.

Question 11

Which command sets and automatically encrypts the privileged enable mode password?

A. enable password c1sco
B. secret enable c1sco
C. password enable c1sco
D. enable secret c1sco


Answer: D

Comments (208)
  1. 9tut
    January 14th, 2012

    @usGhana: For Q9, in the exam you will see an answer like this: “Telnet access without a password”. That is the correct answer.

  2. Swapan Kundu
    January 27th, 2012

    I am going to give the exam on Feb 6... please send me what kind of questions will be updated on that date... my email id is swapank06@gmail.com. As soon as possible send me the updated questions and answers to my email account...

  3. Rico
    February 2nd, 2012

    Hi 9tut... Hi guys! Can you please help me... I will take the exam this Feb. Please send me the latest dump so that I will have an idea for the exam.. rico.blake@ymail.com

    Thanks Guys!

  4. David Okeri Simbe
    February 8th, 2012

    R1> enable (user EXEC mode)
    R1# config t (privileged EXEC mode)
    R1(config)# (configuration mode)
    R1(config-if)# (interface level)
    R1(config-router)# (routing engine level)
    R1(config-line)# (line level: vty, tty etc.)
    These steps cannot confuse you.
    Thanks to all CISCO ENGINEERS. Any comment, you are all at liberty.
    olesimbe@yahoo.com

  5. Kamakiriad
    February 12th, 2012

    I got the answer to Question #1 from a different question... 02/11/12

    Which component of security ensures that data is not modified in transit?

    A. data integrity
    B. encryption
    C. key exchange
    D. authentication

    In this case the answer was A.

  6. Silas
    February 15th, 2012

    Hi! I am preparing for my IINS and need an IOS to use with GNS3. Can anyone help? Where can I download it? Please, I am desperate.

  7. Silas
    February 15th, 2012

    Hi, I am preparing for my IINS and need an IOS to use with GNS3. Can anyone help? Where can I download it? My e-mail is: nissy357@yahoo.com

  8. bap
    February 16th, 2012

    Hi!
    In Q5:
    Which IPsec security protocol should be used when confidentiality is required?
    A. AH
    B. MD5
    C. PSK
    D. ESP

    Does confidentiality here correspond to encryption?
    If I am wrong, please give me feedback!
    Thanks!

  9. Anonymous
    February 18th, 2012

    @everybody

    at Question 1

    is the best answer A. data integrity or D. authentication?
    Please explain to me.

    thanks.

  10. The Crypt Keeper
    February 19th, 2012
  11. kindrock
    February 20th, 2012

    @The Crypt Keeper
    thank you so much! :)

  12. kindrock
    February 20th, 2012

    I also have the same question as @bap,
    and thanks very much! :)

  13. Anonymous
    February 20th, 2012

    Do these questions belong to the CCNA Security exam?

  14. Magnus
    February 23rd, 2012

    Hi guys, is there a website that helps with the CCNA Security exam?
    9tut made me pass my CCNA, thanks so much.

  15. canand
    February 25th, 2012

    Q7 & 8 were in today’s exam.

  16. Arpit
    February 25th, 2012
  17. homeworld
    February 28th, 2012

    @9tut
    Thanks for the great site!
    As for Q1,
    I think the right answer should be B:

    Authentication happens at the beginning of the VPN transfer; it allows the VPN tunnel to take place. The early VPNs had authentication-only protocols, such as IPsec AH, because of the load on the end device. Anything transferred in plain text can be seen by anyone in the middle (the outside of IPsec is just IP packets).

    So, authentication allows the VPN transfer to happen, but it is encryption that prevents anyone in the middle from reading the message.

  18. kris
    February 28th, 2012

    Please send the latest dumps kstojilkov@yahoo.com

  19. raven
    March 3rd, 2012

    Please send the latest dumps ravenshield_12@yahoo.com thanks..

  20. homeworld
    March 9th, 2012

    Passed with 1000 today; the labs are the same: VTP (5 questions), EIGRP and ACL2.
    I just used “collisio” and 9tut; only about 3 questions were not covered in “collisio”, 2 were very easy, only one had a problem:
    What are the possible modes for a trunk switch port? (choose 3)
    A. auto
    B. on
    C. forward
    D. block
    E. transparent
    F. desirable
    My answer is A, B, F
    I am really not sure about B
    Besides “collisio”, 9tut covers about 38-40 questions (including 3 labs) out of 48 (including 3 labs)
    Pass is 825

    Thanks 9tut! great work.

  21. allaboutccna
    March 11th, 2012

    About Data traversing the internet:
    Confidentiality (data CANNOT be seen by others): Encryption (DES, 3DES & AES)
    Data Integrity (data CANNOT be modified): Authentication (SHA1 & MD5)

    About the sender/receiver:
    (end-user or device) authentication: PreSharedKeys & Certificate Authority

    Now to the IPSec world:
    ESP & AH are two protocols

    ESP – Encapsulating Security Payload: Offers Confidentiality (encryption), Authentication (device) & Data Integrity

    AH – Authentication Header: Offers Authentication & integrity (does NOT do encryption / confidentiality)

  22. geedub
    March 17th, 2012

    access-class vs. access-group
    group is used for interfaces and class is used for lines (line con 0, line vty)

  23. geedub
    March 17th, 2012

    Lines are usually for management, whereas interfaces forward data.

  24. geedub
    March 17th, 2012

    what does exec stand for? executable??

  25. geedub
    March 17th, 2012

    IPS vs. IDS — isn’t one of them older?? and the newer one was created to replace the older one??!!!

  26. Sandpiper
    March 18th, 2012

    Hi,
    Can someone please explain to me why the Q1 answer is not B. encryption? Encryption is the only way to ensure that the data “…can be read only by its intended recipient,” which is what the question is asking. Authentication only guarantees that the receiver is really who they claim to be, but it does not necessarily or automatically ensure that they can read the data. The person who is able to decrypt is the one who will be able to read the data.

  27. Mike Hackerts
    March 20th, 2012

    @Sandpiper: It should be encryption IMO, and in the opinion of another author, who wrote a “CISSP” book:

    “Confidentiality
    Ensures that only the intended recipient can read the transmitted data while, at the same time, thwarting efforts by other parties that might intercept it. Confidentiality is provided by encryption algorithms, such as DES or 3DES.

    Authentication
    Verification of the identity of a person or process that sent the data. Authentication is provided by mechanisms, such as exchanging digital certificates.

    Integrity
    Ensures the data received is exactly what was transmitted from the source without alterations or additions. Integrity is provided by hashing algorithms, such as MD5 or SHA.”

    This is a great site because of discussions such as this, in attempt to get every last questioned item sorted out, and not settling for any unknown answers. So please, do your own research, and always question things when you are unsure!

  28. Mike Hackerts
    March 20th, 2012

    Tons of conflicting data out there - let’s hope Cisco doesn’t use this question on the exam.
    Anyone get this exact question and choices on the CCNA or ICND exams? If so, did you know if you got it right? Probably not, unfortunately.

    I found another author whose answer says authentication = read by intended recipient!!
    So maybe both are right answers?! Or maybe neither, and we just say “key exchange” instead :)

  29. recertifed-CCNA
    March 27th, 2012

    Q2, Q5, Q6, with little difference in the options, were in the exam.

  30. nperik
    April 3rd, 2012

    In today’s exam there was the following question:
    Which protocol is an open standard protocol framework that is commonly used in VPNs to provide secure end-to-end connections?
    a.ipsec
    b.rsa
    c.pptp
    d.l2tp

  31. Anonymous
    April 4th, 2012

    @nperik…

    is it IPSec???

  32. nperik
    April 4th, 2012

    @Anonymous

    As mentioned here: http://www.ciscopress.com/articles/article.asp?p=341484&seqNum=7
    IPSec is a framework of open standards, so yes it’s IPSec

  33. Anonymous
    April 6th, 2012

    @all – Q1 !!!!!!!!!!!!!!!!!!!!
    as the Crypt Keeper said – check out http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

    Particularly the following:
    Data integrity—This is data integrity mechanisms, through the use of secret-key based or public-key based algorithms, that allow the recipient of a piece of protected data in order to verify that the data has not been modified in transit.

    Data confidentiality—This is the method where protected data is manipulated so that no attacker can read it. This is commonly provided by data encryption and keys that are only available to the parties involved in the communication.

    So looking at the question again:
    Which component of VPN technology ensures that data can be read only by its intended recipient?

    I would suggest that the latter indicates that the answer is:

    B. encryption

  34. Anonymous
    April 6th, 2012

    Just to clarify the above further – you CAN authenticate VPN traffic without encryption. Authentication merely creates a HASH of the data, yet the data itself, if eavesdropped upon, could be read by an unintended third party. The HASH is an additional irreversible checksum whose process will be repeated at the receiving end. Should the receiver create the same hash of the received packet, then you can confirm that the packet has not been altered and has indeed been SENT FROM the authenticated source.

    It DOES NOT ensure that the data itself can only be read by the INTENDED RECIPIENT. Any person able to get hold of these packets could read and understand them.

    Based on this alone, I leave you to decide the correct answer (although it’s not the one listed at the top of the page :))

  35. Anonymous
    April 7th, 2012

    Hi 9tut... Hi guys! Can you please help me... I will take the exam this Feb. Please send me the latest dump so that I will have an idea for the exam..

  36. Anonymous
    April 7th, 2012

    Hi 9tut... Hi guys! Can you please help me... I will take the exam this April. Please send me the latest dump so that I will have an idea for the exam.. israel_bigay@yahoo.com

  37. Ngoroko
    April 9th, 2012

    @9tut

    Q.9 refers. There are and have been a lot of discussions on this question, including your comment on “access without password”, an option that is not present among the suggestions given. Going by what is provided, what is the ‘possible’ answer? If there is none, what is Cisco saying about such exam-setting tactics? Thanks

  38. 9tut
    April 9th, 2012

    @Ngoroko: Maybe in the exam you will see a correct solution for this which is different from the answers here. Just understand the concept and you will be fine.

  39. Charlie
    April 10th, 2012

    I sat CCNA exam last week and got hit with a bunch of IPsec and VPN questions, and failed (802)! None of these were covered in the Cisco press Exam prep books (I have both INTRO and ICND)!

    Where does it state what aspects of security / VPN are covered? I really thought these would be more like CCNA(Sec) questions?

    Thanks for this great discussion, BTW! Now I can look at IPsec as well for the exam.

  40. Anonymous
    April 11th, 2012

    Further to my comments of April 6th, 2012, I have to re-highlight the key parts of the question.

    Which component of VPN technology ensures that DATA can be READ ONLY by its INTENDED RECIPIENT?

    Again, “authentication” alone doesn’t mean this will happen, yet confidentiality (i.e. “encryption”) will.

  41. gooner
    April 12th, 2012

    Passed the CCNA exam today; the labs were ACL2, EIGRP, VTP with minor changes. Thank you 9tut, you guys are awesome. Questions 7, 8, 10 were in the exam.

  42. killer4ever
    April 14th, 2012

    1- Which two statements apply to dynamic access lists?

    a-they provide a level of security against spoofing
    b-they offer simpler management in large internetworks
    c-they allow packets to be filtered based on upper-layer session information
    d-they are used to authenticate individual users
    e-you can set a time-based security policy
    f-you can control logging messages

    Please help with this question because I think the answer is (e & b) but the “collitio” dumps make it (d & e). What is the right answer???

  43. Syed
    April 15th, 2012

    These are Correct …
    d-they are used to authenticate individual users
    e-you can set a time-based security policy

  44. chas
    April 15th, 2012

    Had Q1 on my exam and answered, D. Telnet and SSH access will be denied but still like to hear other opinions on this question.

  45. Me
    April 23rd, 2012

    The correct answer for Q1 is B: encryption.

  46. Javi
    May 2nd, 2012

    Q7 & Q8 today in the exam

  47. Danilin
    May 9th, 2012

    @9tut
    I think that answer D.Authentication for Q1 should be reviewed.
    @Koffy and @Yaw have mentioned the definitions of the terms Data Confidentiality, Data Integrity and Authentication found in the CCNA Exploration v4.0 Curriculum. But the curriculum says that those terms are just characteristics or foundations of a SECURE VPN.

    However, one can still establish an UNSECURE VPN connection. For example:
    I use Hamachi (VPN software) to play online games and to share files as if my friends and I were on the same network. To do that I need to create a network name (username) and a password. Before we can establish a connection to share files or play a game, my friend must authenticate himself by entering the same network name (username) and password (this is when authentication and key exchange occur). Once the connection is established, if I want to play a game I normally disable the encryption to increase performance by sacrificing confidentiality and integrity. Whereas when I want to share a document or use instant messaging, I enable ENCRYPTION TO ENSURE NO ONE BUT THE “INTENDED RECIPIENT = MY FRIEND” IS ABLE TO READ what I’m sending.

    Why Authentication is incorrect:
    This is my logic: the only moment that data is at risk is when a VPN connection has been established and the data is already traveling through the Internet between VPN-capable devices. That connection could not have happened without authentication and key exchange in the first place, but that doesn’t necessarily mean that just because authentication was used the data cannot be read by a hacker placed in the middle. It’s not like the hacker using a packet sniffer will be prompted for the authentication username and password to read each packet that was captured. There are only two possibilities here: either the data is not encrypted, and then the hacker will see it in plain text, or the data is encrypted, and then the hacker will just see a bunch of meaningless characters and symbols regardless of whether authentication is being used.

    Why Key exchange is incorrect:
    Key exchange is also incorrect because this process only involves exchanging shared secret keys and nothing else. Example: if a (symmetric) shared secret key sent in plain text is captured by a hacker in the middle, then even if the data is encrypted, the hacker will be able to decrypt it. Recommendation: use the (asymmetric) Diffie-Hellman algorithm for a secure exchange of shared secret keys.

    Why Data Integrity is incorrect:
    To me this is the most difficult option to discard, but the truth is that Data Integrity mainly focuses on describing the mechanisms to determine whether the data has been modified or not. This is done by using hashes. The sender generates a hash of the message and sends it with the message itself. This doesn’t mean the data has been encrypted; it’s just that now a hash value was added to the data to ensure the data was not altered. But again, if the data is not encrypted and is sent in plain text, a hacker will be able to read the message. The hacker might not want to modify data but might just want to gather sensitive information. The message arrived at the intended recipient unmodified, but data integrity did not prevent the data from being read, which is only done by encryption.

    Option B Encryption is correct

  48. user
    May 17th, 2012

    Q1
    I think the key word should be “received” rather than “read”

  49. puneet
    May 20th, 2012

    Hi all, I am taking CCNA 640-802 exam first time on 30/05/2012. Could anyone please send me latest dumps which are valid for UK? My e-mail address is puneet_gill84@yahoo.co.uk. Many thanks.

  50. Anonymous
    May 21st, 2012

    for Q1..found these…

    Confidentiality
    Ensures that only the intended recipient can read the transmitted data while, at the same time, thwarting efforts by other parties that might intercept it. Confidentiality is provided by encryption algorithms, such as DES or 3DES.

    Authentication
    Verification of the identity of a person or process that sent the data. Authentication is provided by mechanisms, such as exchanging digital certificates.

    Integrity
    Ensures the data received is exactly what was transmitted from the source without alterations or additions. Integrity is provided by hashing algorithms, such as MD5 or SHA.

    source: http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+III+Virtual+Private+Networks+VPNs/Chapter+9+Cisco+IOS+IPSec+Introduction/Virtual+Private+Networks/
