SEC 450 Advanced Network Security with Lab Entire Class
Devry SEC450 Week 1 Discussion DQ 1 & DQ 2 Latest 2016
DQ 1
Security Policy Issues (graded)
What are the key components of a good security policy? What are some of the most common attacks, and how can a network be protected against these attacks?
DQ 2
iLab Experiences (graded)
Discuss your experiences with the Skillsoft Lab 1. What parts of the iLab did you find difficult or unclear? What did you learn about security in completing the assigned iLab?
Devry SEC450 Week 2 Discussion DQ 1 & DQ 2 Latest 2016
DQ 1
Router Security (graded)
Discuss the methods that can be used on a standard IOS router to prevent unauthorized access to the router. Also, discuss how privilege levels and role-based CLI can improve the security of the router.
DQ 2
iLab Experiences (graded)
Read the Week 2 iLab instructions and discuss the expectations you have regarding this lab. Do you think it is important to prevent access to unused ports and services on the routers within your network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class?
Devry SEC450 Week 3 Discussion DQ 1 & DQ 2 Latest 2016
DQ 1
Layer 2 (Switch) Security (graded)
Discuss the attacks that can occur on a layer 2 switch and how the network can be impacted by these attacks. Also, discuss the methods that can be used to mitigate the effects of these attacks on the network.
DQ 2
iLab Experiences (graded)
Read the Week 3 iLab instructions and discuss the expectations you have regarding this lab. Do you think it is important to prevent access to unused ports and services on the routers within your network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class?
What did you learn about security ACLs in completing this lab?
Devry SEC450 Week 4 Discussion DQ 1 & DQ 2 Latest 2016
DQ 1
Security ACLs and Firewall (graded)
Discuss the security ACLs we covered this week in the text reading and the lecture. Describe different scenarios where a specific type of ACL can enhance network security. Compare CBAC firewalls versus zone-based firewalls. What are the advantages and disadvantages of each?
DQ 2
iLab Experiences and WLAN Security (graded)
Read the Week 4 iLab instructions and discuss the expectations you have regarding this lab. Do you think the wireless LAN is secure on your network? What wireless security measures can you take to secure the WLAN? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class?
What did you learn about wireless access points and roaming in completing this lab?
Devry SEC450 Week 5 Discussion DQ 1 & DQ 2 Latest 2016
DQ 1
AAA Servers (graded)
Compare the relative merits of TACACS+ and RADIUS AAA servers. What advantages and disadvantages does each type of AAA server have?
DQ 2
iLab Experiences and Analyzing Bandwidth Needs (graded)
- Read the Week 5 iLab instructions and discuss the expectations you have regarding this lab. Do you think the overhead involved in securing communication links can affect the bandwidth requirements of a network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class?
- What did you learn about analyzing bandwidth requirements for serial links in completing this lab?
Devry SEC450 Week 6 Discussion DQ 1 & DQ 2 Latest 2016
DQ 1
Virtual Private Networks (graded)
Discuss what you learned about the configuration and operation of virtual private networks.
DQ 2
iLab Experiences (graded)
Read the Week 6 iLab instructions and discuss the expectations you have regarding this lab. Periodic security audits are necessary to ensure continued protection of a company network. Why is it important to use and run a scheduled security audit on your network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class? What did you learn about security audits in completing this lab?
Devry SEC450 Week 7 Discussion DQ 1 & DQ 2 Latest 2016
DQ 1
Intrusion Detection/Prevention Systems (IDS/IPS) (graded)
Intrusion detection systems can be implemented on IOS firewall routers and security appliances. They can also be dedicated in-line hardware devices. Why is intrusion detection important in networks with connections to the Internet, and what are the functions of an IDS? What are the differences between intrusion detection systems (IDS) and intrusion prevention systems (IPS)?
DQ 2
iLab Experiences (graded)
Read the Week 7 iLab instructions and discuss the expectations you have regarding this lab. Periodic security audits are necessary to ensure continued protection of a company network. Why is it important to use and run a scheduled security audit on your network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class?
What did you learn about security audits in completing this lab?
iLabs
iLab 2 of 7: Security Demands
Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)
iLAB OVERVIEW
Scenario and Summary
In this lab, the students will examine the following objectives.
- Create an ACL to meet the requirements of the security demands.
- Modify an existing ACL to meet additional security requirements.
Deliverables
Students will complete all tasks specified in the iLab Instructions document. As the iLab tasks are completed, students will enter CLI commands and answer questions in the iLab Report document. This iLab Report document will be submitted to the iLab Dropbox for Week 2.
Supporting Documentation
- SEC450 ACL Tutorial
- Textbook (Chapter 3)
- Webliography links on Access Control Lists
Required Software
- Access the software at Skillsoft
iLAB STEPS
STEP 1: Access Skillsoft iLab
Access Skillsoft Labs at the provided iLab link, and select Catalog. Click to launch the course and then select Lab2. Then, download the PDF instructions. Ensure that you open and read the iLab instructions before you begin the lab.
PLEASE NOTE: Lab instr
STEP 2: Perform iLab 2
Download and open SEC450_W2_Security_Demands_Lab2_Report.docx. Follow the instructions to perform all procedures in this week's lab. Instructions in red indicate tasks that you need to answer and include in the lab report.
STEP 3: Complete Your Lab Report
When you are satisfied with your documentation, submit your completed report to the Dropbox.
Submit your lab to the Dropbox, located at the top of this page. For instructions on how to use the Dropbox, read these step-by-step instructions or watch this Dropbox Tutorial.
See the Syllabus section “Due Dates for Assignments & Exams” for due date information.
Student
Security Demands Lab
SEC450 Week 2 iLab2 Report
Copy below each of the tasks that appears in red in the PDF lab instructions from Skillsoft. Then, write the answer following each of the tasks. Submit this document to the iLab Dropbox in Week 2.
week 3
Lab 3 of 7: Database Security Demands
Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)
iLAB OVERVIEW
SEC450 ACL Tutorial
This document highlights the most important concepts of Access Control Lists (ACLs) that you need to learn in order to configure an ACL in the CLI. This tutorial does not intend by any means to cover all ACL applications, only the scenarios used in the SEC450 iLabs.
Introduction to Access Control Lists
- A host-based firewall essentially works by closing and/or opening ports on a computer. The engine behind firewalls is built with Access Control Lists (ACLs).
- Network-based firewalls are implemented in device-specific appliances and routers. Basically, firewalls in routers filter packets passing through interfaces to permit or deny them.
- Ports are layer-4 addresses specified in the TCP/IP protocol suite that identify networking processes running on clients and servers.
- ACLs are configured using shell-specific commands. In Cisco IOS, the CLI commands access-list and access-group are used to create an ACL and apply it to an interface.
- An ACL can be identified by a number ID or by a name. Naming an ACL is useful to identify the ACL’s purpose.
- ACLs are classified into Standard ACLs and Extended ACLs.
- Standard ACL number IDs are assigned from 1 to 99. Extended ACL number IDs are from 100 to 199.
- A Standard ACL only uses the source IP address in an IP packet to filter through an interface. Hence, a standard ACL denies or permits all IP packets with the same source IP regardless of upper-layer protocol, destination IP address, etc. Example 1:
Router(config)#access-list 8 deny host 172.12.3.5
- An Extended ACL filters packets based on protocol, source IP address, source port number, destination IP address, and destination port number. Example 2: Router(config)#access-list 102 deny tcp host 10.0.3.2 host 172.129.4.1 denies TCP packets with source IP address 10.0.3.2 and destination IP address 172.129.4.1.
- Since Standard ACLs only match on the source IP address, the rule is to apply them on an interface as close as possible to the destination IP address.
- On the contrary, the rule for Extended ACLs is to apply them on an interface as close as possible to the source IP address.
- Use Extended ACLs in all iLabs, as they are more granular in packet filtering.
Create an Extended ACL in Global Configuration
- You can use the access-list command options lt, gt, eq, neq, and range (less than, greater than, equal, not equal, range of ports) to match on port numbers.
Example 3: access-list 102 deny tcp any host 11.23.45.7 gt 20 denies all packets from any source IP address to destination IP address 11.23.45.7 with a destination TCP port greater than 20.
Example 4: access-list 107 permit udp any any permits all UDP packets from any source IP address to any destination IP address.
- An Extended ACL can filter packets based on source port number and destination port number.
- Extended ACL syntax can be as follows.
access-list <#,name> <protocol> host <source_ip> <port_qualifier> <source_port_number> host <dest_ip> <port_qualifier> <dest_port_number>
where:
<#,name> is a number between 100 and 199 or a one-word name
<protocol> is any protocol in the TCP/IP suite
<source_ip> and <dest_ip> are the source and destination IP addresses
<port_qualifier> is optional, and can be eq, gt, lt, neq, or range
<source_port_number> and <dest_port_number> follow <port_qualifier> to specify the port number(s). <port_qualifier> and <port_number> can be replaced by the application protocol name, for example http instead of eq 80.
- Creation of an ACL follows the three Ps rule: one ACL per protocol, per interface, per traffic direction. Per protocol means one protocol such as IP, TCP, IPX, UDP, or ICMP can be specified. Per interface means the ACL is applied to an interface to make it active. Per direction means the ACL needs to specify the direction at the interface, packets in or out, to which filtering applies.
- The steps for configuring a new ACL are: first, create the ACL in CLI global configuration using access-list command(s). Then, apply the ACL using the access-group command in CLI interface configuration. The ACL is not active until it is applied to an interface.
- An ACL consists of one or more access-list commands. Routers process the ACL commands in order, top first to bottom last, like a script or computer program. That is why the order of access-list commands makes a difference.
- The effect of an access-list command depends upon the previous access-list commands. Therefore, always write the commands in this order: more-specific-traffic commands first and more-generic-traffic commands last. Example 5: It makes sense to write an ACL as
Router(config)#access-list 101 deny tcp host 10.0.3.2 any
Router(config)#access-list 101 permit tcp any any
But never follow the order below, because the second command is the more specific one, and therefore the “deny” is worthless: the first command already lets the packets pass through.
Router(config)#access-list 101 permit tcp any any
Router(config)#access-list 101 deny tcp host 10.0.3.2 any
- All ACLs have a hidden access-list command at the end that denies all packets (i.e., deny ip any any). Hence, packets that are not specifically permitted by a command will always be denied by the ACL. Example 6: Use the command Router(config)#access-list 105 permit ip any any at the end of the ACL if it is required to permit all other traffic after denying packets with Router(config)#access-list 105 deny icmp any host 192.168.10.244
- The wildcard option is used in access-list commands to filter packets from a subnet of source and/or destination IP addresses instead of single hosts. The IP addresses in each of those subnets must be contiguous. Filtering on port numbers is also applicable, but it has been omitted for the sake of simplicity. Here is the syntax.
access-list <#,name> <protocol> <source_ip> <source_wildcard> <dest_ip> <dest_wildcard>
where:
<#,name> is a number between 100 and 199 or a one-word name
<protocol> is any protocol in the TCP/IP suite
<source_ip> and <dest_ip> are the source and destination IP addresses
<source_wildcard> and <dest_wildcard> specify the subnet ranges of source and destination IP addresses
- A wildcard in an ACL has the same meaning as in routing protocols such as EIGRP and OSPF. Wildcard bit 0 means the bit in the IP address must be the same as the corresponding bit in the subnet IP address. Wildcard bit 1 means the bit in the IP address can be any value (0 or 1).
Example 7: access-list 105 deny udp 172.16.7.3 0.0.0.3 any means to deny all UDP packets with source IP addresses from 172.16.7.0 to 172.16.7.3 to any destination IP address. Note that .3 is .00000011 in binary and the wildcard is .000000xx, where x means any (0 or 1).
Example 8: access-list 109 permit tcp host 192.168.6.3 eq 80 10.0.0.0 0.0.0.255 means to permit all TCP packets from source IP address 192.168.6.3 and source TCP port 80 (e.g., an HTTP server) to destination IP addresses in the range 10.0.0.0 to 10.0.0.255. The fact that 10.0.0.0 would not qualify as a host IP in classful networks is irrelevant to the ACL.
- Using a wildcard of all 0s is the same as using the host option in access-list commands. Example 9: access-list 110 permit ip host 10.23.4.3 host 10.30.2.1 and access-list 110 permit ip 10.23.4.3 0.0.0.0 10.30.2.1 0.0.0.0 are equivalent commands. Both permit packets with source IP address 10.23.4.3 and destination IP address 10.30.2.1.
- Only use a wildcard in access-list commands when the ACL requires filtering packets on a subnet of IP addresses, either at the source, the destination, or both.
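The ordering rule (Example 5), the implicit deny at the end of every ACL (Example 6), the port qualifiers (Examples 3 and 8) and wildcard matching (Example 7) can all be checked by hand, but a small simulator makes the consequences concrete. The script below is an added example written for this tutorial, not Cisco code and not part of the original SEC450 material: it parses access-list commands in the syntax shown above and evaluates constructed sample packets top to bottom, returning the first matching entry or the implicit deny. The PORT_NAMES table is an assumed subset of the application keywords IOS accepts.

```python
"""Simulate Cisco-style extended ACL processing (added example, not from the tutorial).

Implements the rules the tutorial states: entries are tested top to bottom and the
first match wins; an unmatched packet hits the implicit "deny ip any any"; wildcard
bits set to 1 are "don't care"; eq/gt/lt/neq/range qualify ports.  All packets below
are constructed sample data, not traffic captured from a real network.
"""
import ipaddress
from dataclasses import dataclass

# Assumed subset of application keywords IOS accepts in place of "eq <port>".
PORT_NAMES = {"http": 80, "www": 80, "https": 443, "ftp": 21, "telnet": 23,
              "ssh": 22, "domain": 53, "smtp": 25}


@dataclass
class Packet:
    proto: str              # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (address, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _parse_port(tokens):
    """Consume an optional port qualifier; return a predicate over a port number."""
    if not tokens:
        return lambda p: True
    op = tokens[0]
    if op in ("eq", "gt", "lt", "neq"):
        tokens.pop(0)
        val = tokens.pop(0)
        n = PORT_NAMES.get(val) or int(val)
        return {"eq": lambda p: p == n, "gt": lambda p: p > n,
                "lt": lambda p: p < n, "neq": lambda p: p != n}[op]
    if op == "range":
        tokens.pop(0)
        lo, hi = int(tokens.pop(0)), int(tokens.pop(0))
        return lambda p: lo <= p <= hi
    if op in PORT_NAMES:                      # bare application name, e.g. "http"
        tokens.pop(0)
        n = PORT_NAMES[op]
        return lambda p: p == n
    return lambda p: True                     # no qualifier: next token is an address


def parse_entry(line):
    """Parse 'access-list <id> permit|deny <proto> <src> [port] <dst> [port]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list command: {line!r}")
    acl_id, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
    src = _parse_addr(rest)
    sport = _parse_port(rest)
    dst = _parse_addr(rest)
    dport = _parse_port(rest)
    return {"id": acl_id, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _addr_match(addr, spec):
    """Wildcard compare: every bit where the wildcard is 0 must be equal."""
    base, wild = spec
    return ((addr ^ base) & (~wild & 0xFFFFFFFF)) == 0


def entry_matches(entry, pkt):
    if entry["proto"] != "ip" and entry["proto"] != pkt.proto:
        return False
    return (_addr_match(int(ipaddress.IPv4Address(pkt.src)), entry["src"])
            and entry["sport"](pkt.sport)
            and _addr_match(int(ipaddress.IPv4Address(pkt.dst)), entry["dst"])
            and entry["dport"](pkt.dport))


def evaluate(acl_lines, pkt):
    """Return (action, matched_line); matched_line is None when the implicit deny fires."""
    for line in acl_lines:
        entry = parse_entry(line)
        if entry_matches(entry, pkt):
            return entry["action"], line
    return "deny", None                       # hidden "deny ip any any"


# Example 5 in the correct order (specific deny first) and reversed (permit shadows deny).
GOOD_ORDER = ["access-list 101 deny tcp host 10.0.3.2 any",
              "access-list 101 permit tcp any any"]
BAD_ORDER = list(reversed(GOOD_ORDER))
# Example 7: wildcard 0.0.0.3 covers 172.16.7.0 through 172.16.7.3.
WILDCARD_ACL = ["access-list 105 deny udp 172.16.7.3 0.0.0.3 any",
                "access-list 105 permit ip any any"]


def demo():
    """Evaluate constructed packets against the ACLs above; keys name the case."""
    tcp_from_bad_host = Packet("tcp", "10.0.3.2", "192.168.1.10", 40000, 80)
    udp_in_range = Packet("udp", "172.16.7.1", "10.0.0.5", 5000, 53)
    udp_out_of_range = Packet("udp", "172.16.7.4", "10.0.0.5", 5000, 53)
    icmp_unlisted = Packet("icmp", "10.0.0.1", "10.0.0.2")
    return {
        "good_order": evaluate(GOOD_ORDER, tcp_from_bad_host)[0],   # deny
        "bad_order": evaluate(BAD_ORDER, tcp_from_bad_host)[0],     # permit: the deny never runs
        "wild_in": evaluate(WILDCARD_ACL, udp_in_range)[0],         # deny
        "wild_out": evaluate(WILDCARD_ACL, udp_out_of_range)[0],    # permit
        "implicit_deny": evaluate(GOOD_ORDER, icmp_unlisted),       # ("deny", None)
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result}")
```

The "bad_order" case is the one to watch: both entries are syntactically valid and show run will display them without complaint, yet the host you meant to block is permitted because the generic permit matches first.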
Applying an ACL to an Interface for Activation
- Example 10: Assume you need to create an ACL in a router that permits any traffic except UDP packets with source IP address 10.23.4.3 and destination IP address 10.30.2.1, as shown in the network diagram below.
- First, you need to create an extended ACL in CLI global configuration.
Router#config t
Router(config)#access-list 103 deny udp host 10.23.4.3 host 10.30.2.1
Router(config)#access-list 103 permit ip any any
- Second, you need to apply ACL 103 on the interface closer to the source (the extended ACL rule of thumb). The closer interface is S0/1 on Router for traffic coming from IP 10.23.4.3. Thus, you go to interface configuration in the CLI to activate the ACL.
Router(config)#interface s0/1
Router(config-if)#ip access-group 103 in
- If you need to make any correction after creating an ACL, then first erase the ACL from the interface and global configurations. To erase ACL 103 from the previous example, execute the following commands.
Router(config)#interface s0/1
Router(config-if)#no ip access-group 103 in
Router(config-if)#exit
Router(config)#no access-list 103
Now you can start over creating ACL 103. If you do not erase the ACL, then new access-list commands will be appended to the existing ones in the configuration file, producing unexpected behavior. Use the command show run to verify that the ACL is erased and created again correctly.
Verify ACL Configuration
- Example 11: Let’s say you have been asked to create an ACL in a router R to deny TCP traffic coming in through interface Serial 0/2 from source IP address 10.16.2.1 to destination IP address 172.16.5.3 with a destination port number greater than 200. Also, the ACL should permit any other traffic.
- There are two configuration tasks you need to do in the CLI. First, create the ACL. Second, apply the ACL to interface Serial 0/2.
- So, in the CLI:
R> enable
R# config t
R(config)# access-list 101 deny tcp host 10.16.2.1 host 172.16.5.3 gt 200
R(config)# access-list 101 permit ip any any
(This command is needed to permit any other traffic after denying the packets selected by the first command.)
R(config)# interface serial0/2
R(config-if)# ip access-group 101 in
(This command applies the ACL to serial0/2 for traffic coming in.)
R(config-if)# end
R# show run
(This verifies that the ACL configuration is correct in the running-config file.)
R#show running-config
version 12.3
!
hostname R
!
interface FastEthernet0/0
 ip address 192.168.200.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 shutdown
!
interface Serial0/0
 ip address 200.100.20.2 255.255.255.0
!
interface Serial0/1
 ip address 192.168.30.2 255.255.255.0
 shutdown
!
interface Serial0/2
 ip address 192.168.40.1 255.255.255.0
 ip access-group 101 in
!
router rip
 network 192.168.200.0
 network 200.100.20.0
!
ip default-network 200.100.20.0
ip route 0.0.0.0 0.0.0.0 serial0/0
!
access-list 101 permit tcp host 10.16.2.1 host 172.16.5.3 gt 200
access-list 101 permit ip any any
!
line con 0
line aux 0
line vty 0 4
 password cisco
line vty 5 15
 password cisco
!
end
- If the ACL is not correct, then delete it with the commands below and start over again.
R# config t
R(config)# no access-list 101
R(config)# interface serial0/2
R(config-if)# no ip access-group 101 in
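The verification step above relies on reading show run by eye, and the running-config listed for Example 11 is exactly the kind of output where a mismatch is easy to miss (the first entry of ACL 101 reads permit where a deny was intended). The script below is an added example, not part of the SEC450 tutorial and not a Cisco tool: it extracts every access-list entry and every ip access-group binding from saved running-config text and compares them with the entries the administrator meant to enter. The SAMPLE_RUNNING_CONFIG is constructed text modelled on Example 11, not a capture from a real router; the assumption that an ip access-group line without a direction defaults to out is noted in the code.

```python
"""Compare a saved 'show running-config' with the ACL you intended to configure.

Added example (not from the SEC450 tutorial).  Reports entries of the ACL that
differ from the intended list, in order, and interfaces where the ACL is not
applied in the expected direction.  The running-config text below is constructed
sample data modelled on the tutorial's Example 11.
"""
import re
from itertools import zip_longest

SAMPLE_RUNNING_CONFIG = """\
hostname R
!
interface Serial0/2
 ip address 192.168.40.1 255.255.255.0
 ip access-group 101 in
!
interface FastEthernet0/0
 ip address 192.168.200.1 255.255.255.0
!
access-list 101 permit tcp host 10.16.2.1 host 172.16.5.3 gt 200
access-list 101 permit ip any any
!
end
"""

# What the administrator meant to enter (Example 11): the specific deny first.
INTENDED_ACL_101 = [
    "deny tcp host 10.16.2.1 host 172.16.5.3 gt 200",
    "permit ip any any",
]


def extract_acl(config_text, acl_id):
    """Return the entries of numbered ACL acl_id (prefix stripped) in config order."""
    pattern = re.compile(rf"^access-list {re.escape(acl_id)}\s+(.*)$", re.MULTILINE)
    return [m.group(1).strip() for m in pattern.finditer(config_text)]


def extract_bindings(config_text):
    """Map interface name -> list of (acl_id, direction) from ip access-group lines."""
    bindings = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            bindings.setdefault(current, [])
        elif current and line.strip().startswith("ip access-group "):
            tokens = line.split()
            # Assumption: IOS applies the ACL outbound when no direction is given.
            direction = tokens[3] if len(tokens) > 3 else "out"
            bindings[current].append((tokens[2], direction))
        elif line.strip() == "!":
            current = None            # end of the interface block
    return bindings


def verify_acl(config_text, acl_id, intended, interface, direction):
    """Return a dict of findings; an empty dict means the config matches the intent."""
    findings = {}
    actual = extract_acl(config_text, acl_id)
    if actual != intended:
        findings["entry_mismatch"] = [
            (pos, want, got)
            for pos, (want, got) in enumerate(zip_longest(intended, actual), start=1)
            if want != got
        ]
    bound = extract_bindings(config_text).get(interface, [])
    if (acl_id, direction) not in bound:
        findings["not_applied"] = (
            f"{interface} lacks 'ip access-group {acl_id} {direction}'")
    return findings


if __name__ == "__main__":
    result = verify_acl(SAMPLE_RUNNING_CONFIG, "101", INTENDED_ACL_101, "Serial0/2", "in")
    if not result:
        print("ACL 101 matches intent and is applied.")
    for pos, want, got in result.get("entry_mismatch", []):
        print(f"entry {pos}: wanted '{want}', running-config has '{got}'")
    if "not_applied" in result:
        print(result["not_applied"])
```

Run against the sample, the script flags entry 1 (permit instead of deny) and confirms the binding on Serial0/2; once the entry is corrected, verify_acl returns an empty dict. Keeping the intended entries in a file next to the device's saved config turns the tutorial's manual check into something that can be repeated after every change.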
week 4
AAA Server Authentication Lab
SEC450 Week 4 iLab4 Report
Copy below each of the tasks that appears in red in the PDF lab instructions from Skillsoft. Then, write the answer following each of the tasks. Submit this document to the iLab Dropbox in Week 4.
iLab 5 of 7: VPN – Virtual Private Networks
Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)
Student Name: Date:
IPSec Site-to-Site VPN Lab
SEC450 Week 5 iLab5 Report
Copy below each of the tasks that appears in red in the PDF lab instructions from Skillsoft. Then, write the answer following each of the tasks. Submit this document to the iLab Dropbox in Week 5.
week 6
iLab 6 of 7: IDS/IPS – Intrusion Detection/Prevention Systems
Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)
Student Name: Date:
Intrusion Detection System (IDS/IPS) Lab
SEC450 Week 6 iLab6 Report
Copy below each of the tasks that appears in red in the PDF lab instructions from Skillsoft. Then, write the answer following each of the tasks. Submit this document to the iLab Dropbox in Week 6.
week 7
iLab 7 of 7: Network Vulnerability Case Study
Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)
Student Name _________________________________ Date _____________
SEC450 Network Vulnerability Case Study—iLab7
Objectives
In this lab, students will examine the following objectives.
- Differentiate the use of IDS and IPS to detect network attacks.
- Design a network with IDS/IPS.
- Justify the use of IDS/IPS for a given network solution.
Scenario
A small company is using the topology shown below to secure its intranet while providing a less-secured environment for its eCommerce DMZ server. The company is concerned that firewalls are not enough to detect and prevent network attacks. Hence, deployment of sensors for intrusion detection systems (IDS) and/or intrusion prevention systems (IPS) is needed in the network. Your job is to provide recommendations, including a network design with IDS/IPS, that meet the company’s requirements.
Initial Topology
Company’s Requirements
- Detect any malicious traffic entering the e-commerce server without a performance penalty to traffic reaching the server from revenue-generating customers.
- Stop any malicious traffic entering the human resources LAN (HR LAN).
- Detect any malicious traffic entering the computer terminal in the marketing LAN (MKT LAN).
- Stop any traffic entering the File Server in the MKT LAN.
- Deploy a centralized database and analysis console in the intranet to manage and monitor both IDS and IPS sensors.
Note: RED text indicates the required questions to answer.
Task 1—Lay Out the New Network Design
Click on the Initial Network Topology link on the iLab page in Week 7, and save to your computer the MS PowerPoint file Initial_Network_Topology_iLab7.ppt. This file contains a diagram of the initial network topology and pictures of all components needed to create the new network design.
Review the documentation provided in the references at the end of these instructions to get more familiar with the implementation of IDS and IPS in network design. You need to find a network solution that meets the company’s requirements.
#1. Paste below your new network design diagram.
Task 2—IDS/IPS Recommendations
#2. Write an engineering specification document of at least 250 words (e.g., 1 page of full text, double spaced, size 12) describing why your network design meets each of the company’s requirements. Justify how each recommendation addresses the company’s needs.
Task 3—Conclusions
#3. Describe in two paragraphs your learning experience in this lab.
References:
1. SANS Institute. “Network IDS & IPS Deployment Strategies”—Webliography
2. Paquet, C. (2012). Implementing Cisco IOS network security (IINS) foundation learning guide (2nd ed.). Indianapolis, IN: Cisco Press.
3. NIST. “Guide to Intrusion Detection and Prevention Systems (IDPS)”—Webliography
Quizzes
week 2
1. (TCO 2) Which of the following prompts indicates that you have booted into the IOS stored in Bootstrap ROM (possibly due to a Ctrl-Break entered during power-up)? (Points : 3)
Router>
> or ROMMON>
(Boot)>
ROM>
2. (TCO 2) Which is the command sequence used to configure a console terminal password on a Cisco router? Note: <CR> represents a carriage return or Enter key. (Points : 3)
line con 0 <CR> password {password} <CR>
line con 0 <CR> password {password} <CR> login <CR>
line con 0 <CR> login {password} <CR>
line {password} con 0 <CR>
3. (TCO 2) To enter privileged EXEC mode, you can type the command _____ at the user EXEC prompt. (Points : 3)
enter
enable
activate
open
4. (TCO 2) Which of the following IOS commands will set the minimum length for all router passwords to eight characters? (Points : 3)
(config)# service passwords min-length 8
(config)# passwords min-length 8
(config)# security passwords min-length 8
(config)# passwords security min-length 8
5. (TCO 2) Which of the following commands will prevent password recovery using ROM monitor mode? (Points : 3)
(config)# no rom monitor
(config)# no password-recovery
(config)# no service password-recovery
(config)# no password-recovery service
6. (TCO 2) To configure role-based CLI on a Cisco router, the first command to enter in privileged mode is _____. (Points : 3)
parser view
view enable
enable view
config view
7. (TCO 2) Which of the following commands is required before you can begin configuring SSH on a Cisco router? (Points : 3)
Crypto key generate rsa
IP domain-name
Crypto key zeroize
Transport input ssh
8. (TCO 2) Which of the following cannot be used to enhance access security on a router? (Points : 3)
MD5 encrypted enable passwords
SHA encrypted usernames
Privilege levels
MD5 encrypted username
week 4
1. (TCO 4) Which type of access list entry is dynamic and becomes active only when a Telnet session is authenticated? It can be used for inbound or outbound traffic. (Points : 3)
Established
Lock and key
Reflexive
CBAC
2. (TCO 4) What function does CBAC perform on a Cisco IOS firewall? (Points : 3)
Creates specific security policies for each user.
Provides secure, per-application access control across network perimeters.
Provides additional visibility at intranet, extranet, and Internet perimeters.
Protects the network from internal attacks and threats.
3. (TCO 4) Given the configuration shown below, the idle timeout for TCP and UDP sessions is _____.
ip inspect audit-trail
ip inspect name FWRULE tcp timeout 180
ip inspect name FWRULE udp timeout 180
!
interface FastEthernet0/0
 ip access-group 100 in
 ip inspect FWRULE in
!
interface FastEthernet0/1
 ip access-group 101 in
!
logging on
logging 192.168.100.100
!
access-list 100 permit ip any any
!
access-list 101 deny ip any any log
(Points : 3)
180 minutes
180 seconds
180 days
180 milliseconds
4. (TCO 4) Given the configuration shown below, the host at IP address 192.168.100.100 is a _____.
ip inspect audit-trail
ip inspect name FWRULE tcp timeout 180
ip inspect name FWRULE udp timeout 180
!
interface FastEthernet0/0
 ip access-group 100 in
 ip inspect FWRULE in
!
interface FastEthernet0/1
 ip access-group 101 in
!
logging on
logging 192.168.100.100
!
access-list 100 permit ip any any
!
access-list 101 deny ip any any log
(Points : 3)
TACACS+ server
syslog server
Radius server
TACACS server
5. (TCO 4) Which of the following is not a policy action that can be specified for zone-based firewall traffic? (Points : 3)
Pass
Drop
Hold
Inspect
6. (TCO 4) With zone-based firewalls, which of the following is used to define interfaces on routers that have the same security level? (Points : 3)
Zones
Class maps
Policy maps
Zone pairs
7. (TCO 4) What is the range of ACL numbers for a standard access list? (Points : 3)
100–199 and 1700–1999
1–99 and 1300–1999
0–99
100–199
8. (TCO 4) In the CLI, the zone-pair command is used to associate which of the following? (Points : 3)
Zones and service-policy
Class maps and interface
Policy maps and interface
Class-type and interface
week 6
1. (TCO 6) When you are configuring a Cisco IOS firewall router for IPSec using RSA signatures, you need to generate a local RSA key. Before you generate the RSA key, you must _____. (Points : 3)
generate general purpose keys
configure a domain name for the router
contact a third-party certificate authority (CA)
enable the key management protocol in global configuration mode
2. (TCO 6) IPSec VPNs use ACLs to specify VPN tunnel traffic. Any traffic not permitted in the ACL will be _____. (Points : 3)
dropped before it exits the VPN outbound interface
passed through the VPN outbound interface with no IPSec protection
encrypted and sent out through the VPN outbound interface because the ACL specifies traffic to be restricted
sent back to the sender with a message indicating invalid IPSec format
3. (TCO 6) The Cisco IOS firewall crypto isakmp policy mode command that will set the isakmp security association lifetime is _____. (Points : 3)
lifetime {days}
lifetime {seconds}
set lifetime {days}
set lifetime {seconds}
4. (TCO 6) _____ encryption algorithms use one key to encrypt the data and another key to decrypt the data between the sender and recipient. (Points : 3)
Symmetric
Asymmetric
Balanced
Bidirectional
5. (TCO 6) The _____ encryption algorithm uses a key size of 168 bits. (Points : 3)
DES
3DES
AES
WEP
6. (TCO 6) Which of the following encryption algorithms is considered the most secure? (Points : 3)
DES
3DES
AES
WEP
7. (TCO 6) Which of the following commands will delete all of the IOS firewall router’s RSA keys? (Points : 3)
crypto key remove rsa
crypto key delete rsa
crypto key zeroize rsa
crypto key remove rsa all
8. (TCO 6) What is the size of the keys in the DES algorithm? (Points : 3)
32 bits
96 bits
112 bits
56 bits
week 7
1. (TCO 7) The type of IDS signature that triggers on a multiple packet stream is called _____. (Points : 3)
atomic
dynamic
cyclical
compound or composite
2. (TCO 7) Which device responds immediately and does not allow malicious traffic to pass? (Points : 3)
Intrusion detection system (IDS)
Intrusion prevention system (IPS)
All of the above
Neither of the above
3. (TCO 7) An IPS sensor that receives a copy of data for analysis while the original data continues toward the destination is running in _____ mode. (Points : 3)
passive
active
promiscuous
inline
4. (TCO 7) Most IOS commands used to configure an intrusion prevention system (IPS) begin with the prefix _____. (Points : 3)
ids ips
ips ip
ip ips
ios ips
5. (TCO 7) Which is an IDS or IPS signature? (Points : 3)
A message digest encrypted with the sender’s private key
A set of rules used to detect typical intrusive activity
A binary pattern specific to a virus
An appliance that provides anti-intrusion services
6. (TCO 7) Which of the following ip actions will drop the packet and all future packets from this TCP flow? (Points : 3)
Deny attacker inline
Deny connection inline
Deny ip host inline
Deny packet inline
7. (TCO 7) Which of the following are signature types that IOS firewall IDS can detect as requiring the storage of state information? (Points : 3)
Atomic
Dynamic
Cyclical
Compound (composite)
8. (TCO 7) Why is a network using IDS only more vulnerable to atomic attacks? (Points : 3)
IDS must track three-way handshakes of established TCP connections.
IDS cannot track UDP sessions.
IDS permits malicious single packets into a network.
IDS is not stateful and therefore cannot track multiple-packet attack streams.
SEC 450 Final Answers
1. (TCO 1) The component of network security that ensures that authorized users have access to data and network resources is _____. (Points : 6)
data integrity
data confidentiality
data and system availability
data and user authentication
2. (TCO 1) The type of security control that makes use of firewalls is called _____. (Points : 6)
administrative
physical
technical
clerical
3. (TCO 2) To configure a role-based CLI on a Cisco router, the first command to enter in privileged mode is _____. (Points : 6)
parser view
view enable
enable view
config view
super view
4. (TCO 2) The show running-config output can be modified using all of the following pipes except for _____. (Points : 6)
| begin
| end
| include
| exclude
5. (TCO 3) Which of the following is the default number of MAC addresses allowed when you execute the switchport port-security command on a switch port? (Points : 6)
Zero
One
Two
Three
6. (TCO 3) Which switch feature causes a port to skip the listening and learning states, causing the port to enter the forwarding state very quickly? (Points : 6)
fastport
portfast
enablefast
portforward
7. (TCO 4) With zone-based firewalls, which of the following is used to specify actions to be taken when traffic matches a criterion? (Points : 6)
Zones
Class maps
Policy maps
Zone pairs
8. (TCO 4) Which type of access list uses rules placed on the interface where allowed traffic initiates and permits return traffic for TCP, UDP, SMTP, and other protocols? (Points : 6)
Established
Lock and key
Reflexive
CBAC
9. (TCO 5) Which AAA server protocol offers support for ARAP and NETBEUI protocols as well as IP? (Points : 6)
CSACS
RADIUS
OpenACS
TACACS+
10. (TCO 5) Which of the following is not considered a component of AAA? (Points : 6)
Authentication
Authorization
Accounting
Administration
11. (TCO 6) The Cisco IOS command that will display all current IKE security associations (SAs) is _____. (Points : 6)
show crypto ipsec
show crypto isakmp
show crypto ipsec sa
show crypto isakmp sa
show crypto ike sa
12. (TCO 6) The Cisco IOS firewall crypto isakmp policy mode command that will set the isakmp security association lifetime is _____. (Points : 6)
lifetime {days}
lifetime {seconds}
set lifetime {days}
set lifetime {seconds}
13. (TCO 7) Cisco routers implementing IPS can save IPS events in a Syslog server by executing which of the following commands? (Points : 6)
ip ips log {IP Address}
ip ips notify syslog
ip ips notify log
ip ips notify sdee
14. (TCO 7) Which of the following is not an action that can be performed by the IOS firewall IDS router when a packet or packet stream matches a signature? (Points : 6)
Drop the packet immediately.
Send an alarm to the Cisco IOS designated Syslog server.
Set the packet reset flag and forward the packet through.
Block all future data from the source of the attack for a specified time.
15. (TCO 1) Explain how to mitigate a Smurf attack. (Points : 24)
16. (TCO 2) Type the global configuration mode and line configuration mode commands that are required to secure the VTY lines 0 through 15 to use the local username admin with the encrypted password adminpass for remote Telnet or SSH log-ins to the Cisco router. (Points : 24)
17. (TCO 3) What are at least two best practices that should be implemented for unused ports on a Layer 2 switch for switch security? (Points : 24)
18. (TCO 4) Given the commands shown below and assuming F0/0 is the inside interface of the network, explain what this ACL does.
access-list 100 permit tcp any any eq 80 time-range MWF
time-range MWF
 periodic Monday Wednesday Friday 8:00 to 17:00
time-range
 absolute start 00:00 30 Sept 2014 end 01:00 30 Sept 2014
int f0/0
 ip access-group 100 in
(Points : 24)
19. (TCO 5) Type two global configuration mode commands that enable AAA authentication and configure a default log-in method list. Use a TACACS+ server first, then a local username and password, and finally the enable password. (Points : 24)
20. (TCO 6) Discuss the data encryption algorithms DES and 3DES. Discuss the key lengths, and rank the algorithms in order of best security. (Points : 24)
21. (TCO 7) Explain the two benefits of the Cisco IPS version 5.x signature format over the Cisco IPS version 4.x signature format. (Points : 22)