
CCNA – Security Questions

March 7th, 2011

Here you will find answers to Security Questions

Question 1

Which component of VPN technology ensures that data can be read only by its intended recipient?

A. data integrity
B. encryption
C. key exchange
D. authentication


Answer: D

Explanation

First you need to understand what these terms mean:

Data integrity: verifying that the packet was not changed as the packet transited the Internet

Encryption: conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people

Authentication: the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication can take place at both sides, the sender and the receiver.

Key exchange: is any method in cryptography by which cryptographic keys are exchanged between users, allowing use of a cryptographic algorithm.

So in this question we realize that only authentication involves the end user, while the others are about processing data -> D is correct.

Question 2

What can be done to secure the virtual terminal interfaces on a router? (Choose two)

A. Administratively shut down the interface.
B. Physically secure the interface.
C. Create an access list and apply it to the virtual terminal interfaces with the access-group command.
D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.


Answer: D E

Explanation

It is a waste to administratively shut down the interface. Moreover, someone can still access the virtual terminal interfaces via other interfaces -> A is not correct.

We can not physically secure a virtual interface because it is “virtual” -> B is not correct.

To apply an access list to a virtual terminal interface we must use the “access-class” command. The “access-group” command is only used to apply an access list to a physical interface -> C is not correct; E is correct.

The simplest way to secure the virtual terminal interface is to configure a username & password to prevent unauthorized login -> D is correct.

Question 3

The enable secret command is used to secure access to which CLI mode?

A. user EXEC mode
B. global configuration mode
C. privileged EXEC mode
D. auxiliary setup mode


Answer: C

Question 4

Which type of attack is characterized by a flood of packets requesting a TCP connection to a server?

A. denial of service
B. brute force
C. reconnaissance
D. Trojan horse


Answer: A

Question 5

Which IPsec security protocol should be used when confidentiality is required?

A. AH
B. MD5
C. PSK
D. ESP


Answer: D

Explanation

IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH), which provide security services for IP datagrams.

ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the IP header).

AH provides authentication of the sender, integrity, and replay protection, but not confidentiality.

Question 6

What algorithm technology must be used to ensure data integrity when data flows over a VPN tunnel? (Choose two)

A. RSA
B. DH-1
C. DH-2
D. HMAC-MD5
E. HMAC-SHA1


Answer: D E

Explanation

Data integrity ensures data has not been altered in the transmission. A data-integrity algorithm adds a hash to the message to guarantee the integrity of the message.

A Hashed Message Authentication Code (HMAC) is a data-integrity algorithm that ensures the integrity of the message. Two popular algorithms a VPN gateway uses for verifying the integrity of data are HMAC-Message Digest 5 (HMAC-MD5) and HMAC-Secure Hash Algorithm 1 (HMAC-SHA1).

+ HMAC-MD5 uses a 128-bit shared-secret key of any size. The variable-length message and shared-secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and is forwarded to the remote end.

+ HMAC-SHA-1 uses a secret key of any size. The variable-length message and the shared-secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and is forwarded to the remote end.

Diffie-Hellman Group 1 (DH-1) & Diffie-Hellman Group 2 (DH-2) are two encryption algorithms for VPN, not data integrity algorithms.

RSA is also an encryption algorithm, not a data integrity algorithm.

(Reference: Implementing Cisco IOS Network Security IINS)
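
To see the mechanism described above in working code, here is an added Python example (it is not part of the 9tut page or the IINS material) that plays both ends of the tunnel with the standard-library hmac module: the sender appends an HMAC-MD5 (128-bit) or HMAC-SHA1 (160-bit) tag computed with the shared secret, the receiver recomputes the tag and compares it in constant time, and an altered message or a wrong key fails the check. It also shows why the key matters: a plain, unkeyed hash appended to the message can simply be recomputed by whoever altered the message in transit. The shared secret and the payload are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values: the pre-shared key and the payload are invented for this example.
SHARED_SECRET = b"example-shared-secret"
PAYLOAD = b"transfer 100 to account 42"


def make_tag(message: bytes, key: bytes, algorithm: str) -> bytes:
    """Sending gateway: compute the HMAC tag that is appended to the message.
    algorithm is "md5" (128-bit tag) or "sha1" (160-bit tag)."""
    return hmac.new(key, message, algorithm).digest()


def verify_tag(message: bytes, tag: bytes, key: bytes, algorithm: str) -> bool:
    """Receiving gateway: recompute the tag with the shared secret and compare
    in constant time, so timing does not leak how many bytes matched."""
    return hmac.compare_digest(make_tag(message, key, algorithm), tag)


def unkeyed_digest_check(message: bytes, digest: bytes) -> bool:
    """What HMAC is NOT: a plain hash appended to the message. Anyone can recompute it."""
    return hashlib.md5(message).digest() == digest


def demo(algorithm: str) -> dict:
    """Walk the page's scenario for one HMAC algorithm and report what the receiver sees."""
    tag = make_tag(PAYLOAD, SHARED_SECRET, algorithm)
    altered = PAYLOAD.replace(b"account 42", b"account 99")   # changed while in transit
    return {
        "tag_bits": len(tag) * 8,                                               # 128 or 160
        "intact": verify_tag(PAYLOAD, tag, SHARED_SECRET, algorithm),           # True
        "altered": verify_tag(altered, tag, SHARED_SECRET, algorithm),          # False
        "wrong_key": verify_tag(PAYLOAD, tag, b"not-the-shared-secret", algorithm),  # False
    }


def forgery_against_plain_hash() -> bool:
    """Without a key, whoever alters the message can also recompute the digest, so the
    receiver's check still passes (returns True). This is why the VPN gateway keys the
    hash with the shared secret instead of appending a bare MD5/SHA-1 digest."""
    altered = PAYLOAD.replace(b"account 42", b"account 99")
    recomputed = hashlib.md5(altered).digest()
    return unkeyed_digest_check(altered, recomputed)


if __name__ == "__main__":
    for alg in ("md5", "sha1"):
        print(alg, demo(alg))
    print("plain hash accepts altered message:", forgery_against_plain_hash())
```

Run it as a script to see both algorithms side by side; the tag length is the only difference the page's text calls out, while the keyed verification behaves the same for both.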

Question 7

What are two security appliances that can be installed in a network? (Choose two)

A. ATM
B. IDS
C. IOS
D. IOX
E. IPS
F. SDM


Answer: B E

Explanation

Intrusion detection system (IDS) and intrusion prevention system (IPS) solutions form an integral part of a robust network defense solution.

IDS monitors network and system activities for malicious activities or policy violations and produces reports to a Management Station.

IPS provides policies and rules for network traffic along with an intrusion detection system for alerting system or network administrators to suspicious traffic, but allows the administrator to provide the action upon being alerted.

The key to differentiating an IDS from an IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS allows malicious traffic to pass before it can respond.

(Reference: Implementing Cisco IOS Network Security IINS)

Note: Asynchronous Transfer Mode (ATM) is a layer 2 WAN transport protocol. It encodes data into small, fixed-sized cells consisting of 48 bytes of payload and 5 bytes of cell header -> A is not correct.

Cisco Router and Security Device Manager (SDM) is a Web-based device-management tool for Cisco routers that can help you configure a router via a web browser. In general, it only helps simplify network management and router configuration, so it is not a security appliance -> F is not correct.

Question 8

Which device might be installed at a branch office to enable and manage an IPsec site-to-site VPN?

A. Cisco IOS IPsec/SSL VPN client
B. Cisco VPN Client
C. ISDN terminal adapter
D. Cisco Adaptive Security Appliance


Answer: D

Explanation

An example of an IPsec site-to-site VPN: your corporation has departments in many countries which need to communicate with each other. A popular solution is a site-to-site (LAN-to-LAN) VPN that creates private networks through the Internet. But as we know, the Internet is not a safe environment for important data to be transferred. That is why we need IPsec, a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.

Cisco Adaptive Security Appliance (ASA) supports IPsec, that’s all I can say! If you wish to learn more about the configuration, please read http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

Question 9

Refer to the exhibit. What is the result of setting the no login command?

Router#config t
Router(config)#line vty 0 4
Router(config-line)#password c1sc0
Router(config-line)#no login

A. This is a virtually limitless supply of IP addresses
B. Telnet access requires a new password at first login
C. Telnet access requires a password
D. Telnet access is denied


Answer: No correct answer

Explanation

There is a mistake in this question because this configuration will let someone telnet to that router without a password (so the line “password c1sc0” is not necessary).

If we want to deny telnet we can configure like this:

Router(config)#line vty 0 4
Router(config-line)#no password (if the password is set before)
Router(config-line)#login

With this configuration, when someone tries to telnet to this router, a message “Password required, but none set” is displayed.

Question 10

What is the effect of using the service password-encryption command?

A. Only passwords configured after the command has been entered will be encrypted.
B. Only the enable password will be encrypted.
C. Only the enable secret password will be encrypted
D. It will encrypt the secret password and remove the enable secret password from the configuration.
E. It will encrypt all current and future passwords.


Answer: E

Explanation

The secret password (configured by the command “enable secret “) is always encrypted even if the “service password-encryption” command is not used. Moreover, the secret password is not removed from the configuration with this command, we still see it in encrypted form in the running-config -> D is not correct.

The “enable password ” does not encrypt the password and can be viewed in clear text in the running-config. By using the “service password-encryption” command, that password is encrypted (both current and future passwords) -> A is not correct, E is correct.

Answer B (“Only the enable password will be encrypted”) seems to be correct, but it implies that the secret password will not be encrypted and stays in clear text, which is not correct.

For your information, the secret password is hashed with the MD5 one-way hash algorithm, which is harder to break than the encryption algorithm used by the “service password-encryption” command.

Question 11

Which command sets and automatically encrypts the privileged enable mode password?

A. enable password c1sco
B. secret enable c1sco
C. password enable c1sco
D. enable secret c1sco


Answer: D
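
As an added example (it is not code from 9tut or from Cisco), here is a small Python audit script that applies the points of Questions 2, 9, 10 and 11 to a saved running-config. It parses the “line vty” blocks and the global commands and flags: a vty line with “no login” (anyone connects without a password), “login” with no password set (every connection is refused with “Password required, but none set”), “login local” with no username, a missing “access-class”, cleartext telnet still allowed, and an “enable password” used instead of “enable secret”. The two configs embedded in it are constructed for the example; the username and its secret are placeholders, and the type 7 string is the one a commenter posted below.

```python
import re

# Constructed sample running-configs, invented for this example (not from a real device).
# WEAK_CONFIG repeats the settings the questions above warn about; HARDENED_CONFIG is the
# same router with enable secret, login local + a username, an access-class and SSH only.
WEAK_CONFIG = """\
hostname R1
enable password c1sco
!
line vty 0 4
 password c1sc0
 no login
 transport input telnet
!
end
"""

HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret c1sco
username admin secret ADMIN-SECRET-PLACEHOLDER
!
line vty 0 4
 login local
 access-class 10 in
 transport input ssh
!
end
"""


def parse_config(text):
    """Split a running-config into top-level commands and (name, commands) 'line' blocks."""
    top, blocks, current = [], [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):   # '!' separates sections in IOS output
            current = None
        elif raw.startswith(" "):                     # indented line belongs to the open block
            if current is not None:
                current[1].append(raw.strip())
        elif raw.startswith("line "):
            current = (raw.strip(), [])
            blocks.append(current)
        else:
            current = None
            top.append(raw.strip())
    return top, blocks


def audit_vty(name, cmds, top):
    """Findings for one vty block, following the behaviour described in Q2 and Q9."""
    f = []
    has_password = any(x.startswith("password ") for x in cmds)
    has_username = any(x.startswith("username ") for x in top)
    if "no login" in cmds:
        f.append(f"{name}: 'no login' lets anyone connect without a password")
    elif "login" in cmds and not has_password:
        f.append(f"{name}: 'login' without a password rejects every connection "
                 "(Password required, but none set)")
    elif "login local" in cmds and not has_username:
        f.append(f"{name}: 'login local' but no username is configured")
    if not any(x.startswith("access-class ") for x in cmds):
        f.append(f"{name}: no access-class, any source address may try to connect")
    transport = [x for x in cmds if x.startswith("transport input ")]
    if not transport or re.search(r"\b(telnet|all)\b", transport[0]):
        f.append(f"{name}: cleartext telnet is permitted")
    return f


def audit_global(top):
    """Findings on the enable password handling described in Q10 and Q11."""
    f = []
    if not any(x.startswith("enable secret ") for x in top):
        f.append("no 'enable secret': privileged EXEC is not protected by an MD5-hashed secret")
    for x in top:
        if x.startswith("enable password "):
            if x.startswith("enable password 7 ") or "service password-encryption" in top:
                f.append("'enable password' is only type-7 obscured (reversible); use 'enable secret'")
            else:
                f.append("'enable password' is stored in clear text in the running-config")
    return f


def audit(text):
    """Run every check and return the list of findings (empty means nothing flagged)."""
    top, blocks = parse_config(text)
    findings = audit_global(top)
    for name, cmds in blocks:
        if name.startswith("line vty"):
            findings.extend(audit_vty(name, cmds, top))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}:", *(audit(cfg) or ["no findings"]), sep="\n  ")
```

Feed it the output of “show running-config” saved to a file and it reports five findings for the weak configuration and none for the hardened one. The “no login” check deliberately wins over the password check, which is exactly the Q9 situation: a password is configured, yet nobody is asked for it.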

Comments (208)
  1. pelikan
    May 24th, 2012

    Question # 1

    IMO before: ans. B encryption.

    But we can choose encryption or perhaps data integrity as we believe, and still be wrong at the exam. Or answer D. authentication, against your will, and have a check: 1 point! :-)

    ans. D Authentication

    thanks 9tut

  2. The Kid
    May 25th, 2012

    Q9. Did we ever get a real answer?

  3. MUHAMMAD RASHID
    May 28th, 2012

    I PASSED CCNA EXAM TODAY THANKS TO ALL MIGHTY ALLAH
    960/1000

  4. mohssen from iraq
    June 1st, 2012

    I think for question no. 9 no answer is correct, because if you try this in Packet Tracer and see the result, it will let you enter the router without needing a password, but you have to set the enable password in global configuration.

  5. Anonymous
    June 3rd, 2012

    for Q no1
    I also agree to you people, Ans should be ENCRYPTION, which provides Data Confidentiality, not authentication.

  6. sofonias
    June 6th, 2012

    How many questions are in the exam, and are there any lab questions?

  7. kamal
    June 7th, 2012

    for Q 1

    Encryption is to encrypt packets to any end device, but to send to a specific user and to ensure that user is specific is to authenticate. Like, I am authenticating the fact that I am kamal by showing you my license; it has nothing to do with encryption! Authentication: to establish as genuine. The question asks about the recipient, not the form of the data being passed.

  8. kamal
    June 7th, 2012

    @sofonias – about 48 questions, expect 5-10 labs with 2-4 simulations and about 5 drag n drops… could be none, keep your fingers crossed. Unfortunately I got 815, needed 825, but that was before I discovered this tutorial site! Thanks 9tut, will take the exam again very soon!

  9. Anonymous
    June 17th, 2012

    Question 9

    Refer to the exhibit. What is the result of setting the no login command?

    Router#config t
    Router(config)#line vty 0 4
    Router(config-line)#password c1sc0
    Router(config-line)#no login
    A. This is a virtually limitless supply of IP addresses
    B. Telnet access requires a new password at first login
    C. Telnet access requires a password
    D. Telnet access is denied

    If there is only “no login”, it means you can access telnet without a password:
    Router#config t
    Router(config)#line vty 0 4
    Router(config-line)#no login

  10. God’s Grace
    June 21st, 2012

    I passed my ccna exam today Praise be to God! Thank you Jesus! and thanks to 9TUT for the tutorials and explanations, great site and thanks to xallax for your explanations to questions and thanks to http://www.examcollection.com for the dumps. Pls guys lets donate and help to keep this site up!

    48 ques for exams including 3 simulation, I had EIGRP, Acesslist2 and VTP and ques 7,8 10 . Make sure you practice the simulation, use packet tracer or gns3. Best wishes to all!

  11. AlantheAussie
    June 28th, 2012

    Q9 – Yep
    The “no login” command overrides the password command and ignores the password for VTY lines.

  12. Network_Ninja
    June 30th, 2012

    With regards to question #9 if it comes out on the exam what would be the best answer to choose?

  13. fozzil
    July 4th, 2012

    I think the answer to the first question needs to be Encryption.

    With encryption, we are sure that only the other end can actually decrypt and READ the data that we send, which seems to be the question.

    Authentication is basically to identify if the person at the other end is genuine. In my opinion, authentication has nothing to do with reading of data.

  14. MR S.A
    July 5th, 2012

    @fozzil, why do you say so? Pliz explain further.

  15. yassine
    July 10th, 2012

    Refer to the exhibit. What is the result of setting the no login command?

    Router#config t
    Router(config)#line vty 0 4
    Router(config-line)#password c1sc0
    Router(config-line)#no login
    A. This is a virtually limitless supply of IP addresses
    B. Telnet access requires a new password at first login
    C. Telnet access requires a password
    D. Telnet access is denied

    Answer: D. Telnet access is denied

  16. fozzil
    July 12th, 2012

    @ MR SA –

    As per my understanding, the question asks us -

    Which component of VPN technology ensures that data can be READ only by its intended recipient?

    Authentication basically is to validate that the other end is genuinely the person that you initially wanted to exchange data with.

    Now, I believe the question is asking about data confidentiality, as to who can actually read your data. Now, considering encryption, we will consider both scenarios – symmetric encryption {where we have the same shared secret key on both sides; we encrypt data using this shared secret key and send it over to the other side} and asymmetric key encryption {where the key used to encrypt data differs from and is complementary to the key used to decrypt data; we exchange public keys, encrypt data using public keys and send over the encrypted data over to the other side}.

    Now be it symmetric or asymmetric encryption, only the other side has the appropriate key(same key in case of symm encryption and the private key in case of asymm encryption) to decrypt data. Anybody in between can launch a Man-In-The-Middle attack and probably sniff packets but all he will see is gibberish, which is useless to him and presents no way for him to actually READ the data.

    I feel for authentication to be the answer, the framing of the question should be “Which component of VPN technology ensures that data can be/is SENT only to its intended recipient?”

    Just my thoughts though.

  17. jeezun
    July 12th, 2012

    Q9: I have tried it on Packet Tracer, unable to connect. Means the correct answer is D.

  18. Nirav Bhatt
    July 12th, 2012

    Guys, I am planning to give the exam next week. Can someone pls share the link to the latest dumps? Please. It's a bit urgent. I need to give the certificate to my management.

    Regards,
    Nirav Bhatt

  19. Leo128
    July 12th, 2012

    Q1

    Correct answer to Q1 is B (Encryption) IMHO.

    it is all about the posit that only the intended recipient is able to decrypt the data. Any other recipient or “man in the middle” would get a cryptic useless bunch of numbers.

    This is used to support secure authentication, because you know that your precious login and password will be totally messed-up while they are on their way and can only be decrypted by the intended recipient upon arrival.

  20. rene
    July 13th, 2012

    Question 1 should be exactly as it is. Authentication.

    Read the question carefully: “Which component of VPN technology ensures that data can be read only by its intended recipient?”

    The trick here is “can be read”, you need the correct authentication to read it, encryption has nothing to do with it. What if the data was not encrypted? It’s about access not encryption.

  21. Mike
    July 29th, 2012

    Question number 9 is exactly the way it is in the test. I didn’t know what to answer to this one. I would appreciate if someone knows this answer. I have to take the test again.

  22. Olexiy
    July 30th, 2012

    Q9: correct answer is D (denied telnet connection).
    Explanation: By default vty connections are locked. To unlock them you have to specify password protection. To activate password protection you have to enter such commands: “login” (or “login local”) and “password ” (or username password in global config mode).

  23. jay
    July 31st, 2012

    Hey guys, I did the exam today. I got 4 new questions from security. I got 815, failed by 10 points. Are there new dumps for security?

  24. jacsatx
    July 31st, 2012

    jay> sorry to hear about that.. keep your head up high!! I'm getting ready myself for a second attempt. What questions do you remember from security that were on the exam? Everything helps.

  25. Jervy
    August 5th, 2012

    Question 1

    Which component of VPN technology ensures that data can be read only by its intended recipient?

    A. data integrity====> verifying that the packet was not changed as the packet transited the Internet ( Not Correct)
    B. encryption ===> conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people (Not correct)
    C. key exchange ===> Not included in the selection (Not Correct)
    D. authentication ===> the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication can take place at both sides, the sender and the receiver. (Correct Answer)
    The Correct Answer is Authentication (MD5, SHA-1) or Protection (DH, DH2, DH5, DH7), but only authentication is available in the selection; that's why we need to select authentication. Review IPSec = the security protocol of VPN…

  26. any1
    August 7th, 2012

    So because question 9 has no answer we are supposed to not answer it on the exam? I’ve never had an exam where the correct move is to NOT answer the question! That makes me feel Cisco is not rooting for our success.

  27. david musashi
    August 7th, 2012

    I just tested q9 in packet tracer myself because I didn’t believe Olexiy. Before putting in the no login my config was:
    line vty 0 4
    exec-timeout 60 0
    password 7 0822455D0A16
    logging synchronous
    login
    and when connecting from a host I receive:
    PC>telnet 192.168.1.2
    Trying 192.168.1.2 …Open
    *****
    DO NOT LOG IN
    *****

    User Access Verification

    Password:

    Now I go back to the CLI of the router and add “no login” to the vty line:
    R2(config)#line vty 0 4
    R2(config-line)#no login

    Finally I go back to the SAME host I was on before, which I was able to telnet from before and was asked a password, this time I get:
    PC>telnet 192.168.1.2
    Trying 192.168.1.2 …Open
    *****
    DO NOT LOG IN
    *****

    R2>

    Notice, no password prompt, I just got right into the router so “D” can NOT be correct for Q9.

  28. david musashi
    August 8th, 2012

    Well, I forwarded this question to the instructor that I had for a CCNA course. I figured that there HAD to be a correct answer. According to the instructor, the answer IS in fact “D”. He says “By default Cisco requires a password on all telnet sessions. However, with the no login command on the telnet sessions it is saying that no one can log in via telnet”. Gotta go get ready, sitting the CCNA in about 2 hours.

  29. david musashi
    August 8th, 2012

    Well, I missed it by 10 points. Access list, vtp, and EIGRP sims

  30. Santiago
    August 13th, 2012

    @TUT, Q9

    Please Explain us the correct answer.

    Thanks

  31. jacsatx
    August 16th, 2012

    Sorry to hear that David M, I'm going for my second attempt on Aug 29th, keep that head up high… if it were an easy test, everyone would be certified.

  32. Utk
    August 26th, 2012

    Conf t
    Line vty 0 4
    Password Cisco
    Transport input ssh

    What does the transport input ssh command do?

    Thanks

  33. kamikaze
    August 26th, 2012

    david musashi – your CCNA instructor is wrong

    issuing the “no login” command will give you vty access without requiring a password.

    I’ve seen this question in a few places and this is the only website I’ve seen that has realised that the answers are all wrong.

    “There is a virtually limitless supply of IP addresses” was given as the correct answer in the ICND2 brain dump on the exam collection website. It looks to me like someone has mistyped a possible answer from an IPv6 question and it has been doing the rounds on the internet.

  34. kamikaze
    August 26th, 2012

    I’d sack your instructor and stick to reading books, using these websites and playing with packet tracer :-)

  35. jacsatx
    August 29th, 2012

    DID IT!!…907…thx 9tut!!!!..CCNA certified….tons of questions from this site…read from top to bottom every question, because you will not know what pops up…q10 on exam…good luck to all…

  36. Shankar
    September 1st, 2012

    Friends, I'm unable to get the virtual CertExam application registration code; because of that I'm unable to work with the dumps…
    Can anyone pls send the virtual CertExam registration code…
    pls
    Shankar here
    rshankar36@gmail.com

  37. John K
    September 17th, 2012

    Helllllloooooo guys. I passed my exam last Wednesday with a hit of 907. I was really happy. The questions were all the same as the dumps (SHEKAR). Only a very very few were new. Nonetheless the new qns had the same concept rounding off. The sims were the usual EIGRP, ACL & VTP. Only in ACL there was just a little play around, this time it was host B. In the EIGRP a new router was added. And well there is something to note on the VTP sim. The show mac-address-table is a bug in the sim. Therefore, you can either use show mac or rather show mac address-table.

    My thanks to the 9tut online community, to my colleagues Denis & Rogers, my teachers, and to God almighty. I wish you all the best guys. I’m going for the CCNA security soon and am planning to take my exam this coming October. And I hope to eat Christmas with my CCNP. cheers and all the best!

  38. Anonymous
    October 4th, 2012

    Guys, I agree with yassine above that the answer to question 9 is (D)

    9. Refer to the exhibit. What is the result of setting the no login command?

    Router#config t
    Router(config)#line vty 0 4
    Router(config-line)#password c1sc0
    Router(config-line)#no login
    A. This is a virtually limitless supply of IP addresses
    B. Telnet access requires a new password at first login
    C. Telnet access requires a password
    D. Telnet access is denied

    Answer: D. Telnet access is denied

  39. Parsifal
    October 8th, 2012

    Q9 – I guess it depends on IOS and the device and if AAA is setup.

    VTY Authentication Bypass Vulnerability – 2007 – so I guess they have fixed it by now

    http://www.cisco.com/en/US/products/csr/cisco-sr-20070829-vty.html

  40. Mak
    October 13th, 2012

    Q9 – The right answer is D
    To be able to telnet to another router the vty lines must be secured either by a password or a username and password combination, and the respective ‘login’ or ‘login local’ must be used.
    In other words, if you, theoretically, could get through via a vty line without entering any password, the router doesn’t let you and closes down the connection.

  41. sunil
    October 22nd, 2012

    @q9

    I have tried this on GNS and noted that when I telnet it does not require a password and I directly get the console of the router.

  42. Xyz
    October 25th, 2012

    Q9 – Refer to the exhibit. What is the result of setting the no login command?
    Router#config t
    Router(config)#line vty 0 4
    Router(config-line)#password c1sc0
    Router(config-line)#no login
    A. This is a virtually limitless supply of IP addresses
    B. Telnet access requires a new password at first login
    C. Telnet access requires a password
    D. Telnet access is denied

    No correct answer from the choices.

    Telnet access will be denied if you don’t set a password but configured “login”
    If you configured “password” and “login”, a password will be required.
    If there’s a password configured but “no login” is also configured, it means logging in without typing password.

    Remember that “no” in configuration negates or cancels the specific command, since “login” means requiring the user to log in, i.e. prompting for a password.

  43. Anwar Hussain
    November 12th, 2012

    I have passed CCNA on friday with 881 marks

    thank god

    i got three simulation (1) ACL (2) EIGRP (3) Switching

  44. Maxx
    November 13th, 2012

    Folks! please do not use packet tracer as a proof of concept even though it MAY produce right answer. Use GNS3 instead.

  45. mutant
    November 28th, 2012

    I am new to the networking industry and I have been assigned to write my CCNA in 2 months. I am familiar with Packet Tracer; my question is, what is this GNS3?

    thanks

  46. TDy11
    December 12th, 2012

    @ Q9 access is denied. so the answer is D.

  47. TDy11
    December 13th, 2012

    TY 9tut.

    Today I have passed the CCNA. (860/825)
    50 questions 3 labs (VTP, EIGRP, ACL). 35 from 9tut.

    Also thanks a lot Brar and Sekhar (still valid from examcollection)

    Ty again 9tut

    from here Q 2, 9, 10

  48. Ally
    December 18th, 2012

    Alhamdulillah, passed today, just 631 by brar, 9tut. Don’t be confused, you can pass the exam by only studying these two dumps; the labs are the same as 9tut, only slightly changed on the IP addressing. Thank you 9tut

  49. Ryan
    January 4th, 2013

    @Jervy
    Q1:
    I agree with everything you have written but the last point.
    The Question is:
    Which component of VPN technology ensures that data can be READ ONLY by its intended recipient?

    To make sure I communicate with the intended recipient I have to authenticate the recipient, but this doesn’t prevent others, who are able to sniff the communication, from READING the data if it is sent in cleartext.

  50. Anonymous
    January 11th, 2013

    hey guys
