
Here you will find answers to ISCW - Device Hardening Questions:

Question 1

Refer to the exhibit. Which two statements about the AAA configuration are true? (Choose two)

aaa new-model
username Bob password security
aaa authentication enable default group tacacs+ none

A - A good security practice is to have the none parameter configured as the final method used to ensure that no other authentication method will be used.
B - If a TACACS+ server is not available, then a user connecting via the console port would not be able to gain access since no other authentication method has been defined.
C - If a TACACS+ server is not available, then the user Bob could be able to enter privileged mode as long as the proper enable password is entered.
D - The aaa new-model command forces the router to override every other authentication method previously configured for the router lines.
E - To increase security, group radius should be used instead of group tacacs+.
F - Two authentication options are prescribed by the displayed aaa authentication command.

Answer: D F

Explanation:

The aaa new-model command overrides any previously configured authentication method -> D is correct.

The displayed aaa authentication command prescribes two authentication options: tacacs+ and none -> F is correct.

Question 2

In computer security, AAA stands for authentication, authorization and accounting. Which option about the "aaa authentication enable default group radius enable" command is correct?

A - If the radius server returns an error, the enable password will be used.
B - If the radius server returns a 'failed' message, the enable password will be used.
C - The command login authentication group will associate the AAA authentication to a specified interface.
D - If the group database is unavailable, the radius server will be used.

Answer: A

Question 3

Authentication is the process of determining if a user or identity is who they claim to be. Refer to the exhibit. Which statement about the authentication process is correct?

hostname Riot
!
username Riot privilege 15 password cisco
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login LIST1 none
!

!
line console 0
login authentication LIST1

A - The LIST1 list will disable authentication on the console port.
B - All login requests will be authenticated using the group tacacs+ method.
C - The default login authentication will automatically be applied to all login connections.
D - Because no method list is specified, the LIST1 list will not authenticate anyone on the console port.

Answer: A

Explanation:

The command "aaa authentication login LIST1 none" tells the router not to use any authentication method for LIST1. The command "login authentication LIST1" under the console line applies LIST1 to logins on the console port.
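
The method lists in Questions 1 to 3 differ in what happens when a method cannot answer versus when it rejects the credentials. The following Python model is an added example, not code from the original page or from Cisco; it assumes the IOS rule that the next method in a list is tried only when the current one returns an error (for example, the server is unreachable), and the passwords and server state are constructed sample values.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method answered: credentials accepted
    FAIL = "fail"    # method answered: credentials rejected
    ERROR = "error"  # method could not answer (e.g. server unreachable)

def run_method(method, password, env):
    """Outcome of one method for one attempt. env is a constructed test state."""
    if method == "none":
        return Result.PASS  # nothing is checked, access is granted
    if method in ("group tacacs+", "group radius"):
        if not env["server_up"]:
            return Result.ERROR
        return Result.PASS if password == env["server_password"] else Result.FAIL
    if method == "enable":
        return Result.PASS if password == env["enable_password"] else Result.FAIL
    raise ValueError(f"unsupported method: {method}")

def authenticate(method_list, password, env):
    """Walk the list in order; only ERROR falls through to the next method."""
    for method in method_list:
        result = run_method(method, password, env)
        if result is not Result.ERROR:
            return result is Result.PASS, method
    return False, None  # every method errored

# Method lists taken from the questions above.
Q1_ENABLE = ["group tacacs+", "none"]
Q2_ENABLE = ["group radius", "enable"]
Q3_LIST1 = ["none"]

# Constructed sample state: passwords are placeholders, not from the page.
UP = {"server_up": True, "server_password": "srv-pw", "enable_password": "en-pw"}
DOWN = dict(UP, server_up=False)

def demo():
    return {
        "q1_server_down_no_password": authenticate(Q1_ENABLE, "", DOWN),
        "q1_server_up_wrong_password": authenticate(Q1_ENABLE, "guess", UP),
        "q2_error_falls_back_to_enable": authenticate(Q2_ENABLE, "en-pw", DOWN),
        "q2_fail_does_not_fall_back": authenticate(Q2_ENABLE, "en-pw", UP),
        "q3_console_list1": authenticate(Q3_LIST1, "", UP),
    }

if __name__ == "__main__":
    for name, (granted, method) in demo().items():
        print(f"{name}: granted={granted} decided_by={method}")
```

The first and last cases show why a trailing or sole "none" is a hardening concern: access is granted with no credential at all once the list reaches it.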

Question 4

As a network engineer, do you know for what purpose SDM uses Security Device Event Exchange (SDEE)?

A - to provide a keepalive mechanism
B - to pull event logs from the router
C - to extract relevant SNMP information
D - to perform application-level accounting

Answer: B

Question 5

As a network technician, do you know what is a recommended practice for secure configuration management?

A - Disable port scan.
B - Use SSH or SSL.
C - Enable trust levels.
D - Deny echo replies on all edge routers.

Answer: B

Question 6

Network Topology Exhibit:

ICMP-basedAttack.jpg

Configuration Exhibit:

NET(config)# access-list 112 deny icmp any any echo log
NET(config)# access-list 112 deny icmp any any redirect log
NET(config)# access-list 112 deny icmp any any mask-request log
NET(config)# access-list 112 permit icmp any 10.1.1.0 0.0.0.255
NET(config)# interface Fa0/1
NET(config-if)# ip access-group 112 in

You work as a network administrator at networkTut.com, study the exhibit carefully. The configuration has been applied to router NET to mitigate the threat of certain types of ICMP-based attacks while allowing some ICMP traffic to the corporate LAN to work. However, the configuration is incorrect. On the basis of the information in the exhibit, which configuration option would correctly configure router NET?

A - The first three statements of ACL 112 should have permitted the ICMP traffic and the last statement should deny the identified traffic.
B - The last statement of ACL 112 should have been "access-list 112 deny icmp any 10.2.1.0 0.0.0.255".
C - The last statement of ACL 112 should have been "access-list 112 permit icmp any 10.2.1.0 0.0.0.255".
D - ACL 112 should have been applied to interface Fa0/0 in an inbound direction.
E - The last statement of ACL 112 should have been "access-list 112 deny icmp any 10.1.1.0 0.0.0.255".
F - ACL 112 should have been applied to interface Fa0/1 in an outbound direction.
G - None of the above.

Answer: C

Explanation:

The network 10.2.1.0 is the internal LAN network. If the last statement is "access-list 112 permit icmp any 10.1.1.0 0.0.0.255", it allows ICMP traffic sent from the Internet to work and thus makes the router vulnerable to ICMP-based attacks.
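
To check the effect of the last statement, the following Python sketch evaluates ACL 112 as written in the exhibit and with the last line from answer C, using first-match logic, wildcard masks and the implicit deny. It is an added example, not part of the original page; the parser handles only the "icmp any" entries shown here, and the host 10.2.1.5 is a constructed address inside the internal LAN.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit the wildcard mask does not ignore."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def parse_entry(line):
    """Parse 'access-list N <action> icmp any <dst> [icmp-type] [log]'."""
    tok = [t for t in line.split() if t != "log"]
    if tok[3:5] != ["icmp", "any"]:
        raise ValueError(f"only 'icmp any' entries are handled: {line}")
    action, rest = tok[2], tok[5:]
    if rest[0] == "any":
        dst, rest = ("0.0.0.0", "255.255.255.255"), rest[1:]
    else:
        dst, rest = (rest[0], rest[1]), rest[2:]
    return action, dst, (rest[0] if rest else None)

def evaluate(acl_lines, dst_ip, icmp_type):
    """First matching entry wins; no match means the implicit deny."""
    for action, (base, wc), wanted in map(parse_entry, acl_lines):
        if wildcard_match(dst_ip, base, wc) and wanted in (None, icmp_type):
            return action
    return "deny"

DENIES = [
    "access-list 112 deny icmp any any echo log",
    "access-list 112 deny icmp any any redirect log",
    "access-list 112 deny icmp any any mask-request log",
]
EXHIBIT = DENIES + ["access-list 112 permit icmp any 10.1.1.0 0.0.0.255"]
CORRECTED = DENIES + ["access-list 112 permit icmp any 10.2.1.0 0.0.0.255"]  # answer C

LAN_HOST = "10.2.1.5"  # constructed host inside the internal LAN 10.2.1.0/24

def compare(dst_ip, icmp_type):
    """Return (result with exhibit ACL, result with corrected ACL)."""
    return evaluate(EXHIBIT, dst_ip, icmp_type), evaluate(CORRECTED, dst_ip, icmp_type)

if __name__ == "__main__":
    for icmp_type in ("echo", "redirect", "mask-request", "echo-reply", "unreachable"):
        print(icmp_type, "->", compare(LAN_HOST, icmp_type))
```

With the exhibit ACL, every ICMP type addressed to the LAN host falls through to the implicit deny; with the corrected last line, only the three explicitly denied types are dropped.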