csadasdasdas

Local AAA authentication provides a way to configure backup methods of authentication, but login local does not.

The login local command requires the administrator to manually configure the usernames and passwords, but local AAA authentication does not.

Local AAA authentication allows more than one user account to be configured, but login local does not.

The login local command uses local usernames and passwords stored on the router, but local AAA authentication does not.

The enable secret password could be used in the next login attempt.

The authentication process stops.

The username and password of the local user database could be used in the next login attempt.

The enable secret password and a random username could be used in the next login attempt.

event-action produce-alert

retired true

event-action deny-attacker-inline

retired false

They are more resource intensive.

DES weak keys use very long key sizes.

They produce identical subkeys.

DES weak keys are difficult to manage.

reactive protection against Internet attacks

granularity control within applications

support of TCP-based packet filtering

support for logging

When the router boots up, the Cisco IOS image is loaded from a secured FTP location.

The Cisco IOS image file is not visible in the output of the show flash command.

The Cisco IOS image is encrypted and then automatically backed up to the NVRAM.

The Cisco IOS image is encrypted and then automatically backed up to a TFTP server.

MPLS

hairpinning

GRE

split tunneling

ISAKMP SA policy

DH groups

interesting traffic

transform sets

step-by-step details regarding methods to deploy company switches

recommended best practices for placement of all company switches

required steps to ensure consistent configuration of all company switches*

list of suggestions regarding how to quickly configure all company switches

RSA

DH

AES

HMAC

an uplink port to another switch

on any port where DHCP snooping is disabled

any untrusted port

access ports only

A router interface can belong to only one zone at a time.

Service policies are applied in interface configuration mode.

Router management interfaces must be manually assigned to the self zone.

The pass action works in multiple directions.

The Telnet connection between RouterA and RouterB is not working correctly.

The password cisco123 is wrong

The administrator does not have enough rights on the PC that is being used.

The enable password and the Telnet password need to be the same.

DHCP spoofing

DHCP starvation

STP manipulation

MAC and IP address spoofing

The crypto map has not yet been applied to an interface.

The current peer IP address should be 172.30.2.1.

There is a mismatch between the transform sets.

The tunnel configuration was established and can be tested with extended pings.

symmetric algorithms

hashing algorithms

asymmetric algorithms

public key algorithms

Packet filters perform almost all the tasks of a high-end firewall at a fraction of the cost

Packet filters provide an initial degree of security at the data-link and network layer.

Packet filters represent a complete firewall solution.

Packet filters are not susceptible to IP spoofing.

aaa accounting network start-stop group tacacs+

aaa accounting network start-stop group radius

aaa accounting connection start-stop group radius

aaa accounting exec start-stop group radius

aaa accounting connection start-stop group tacacs+

aaa accounting exec start-stop group tacacs+

allows a new TCP session to be established for every authorization request

authorizes connections based on a list of IP addresses configured in an ACL on a Cisco ACS server

allows a Cisco ACS server to minimize delay by establishing persistent TCP connections

allows the device to establish only a single connection with the AAA-enabled server

It uses UDP port 500 to exchange IKE information between the security gateways.

IKE Phase 1 can be implemented in three different modes: main, aggressive, or quick.

It allows for the transmission of keys directly across a network.

The purpose of IKE Phase 2 is to negotiate a security association between two IKE peers.

209.165.201.1

192.168.1.3

172.16.3.1

172.16.3.3

192.168.1.1

Traffic that is sent from the LAN and the Internet to the DMZ is considered inbound.

Traffic that is sent from the LAN to the DMZ is considered is considered inbound.

Traffic that is sent from the DMZ and the Internet to the LAN is considered outbound.

Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.

default route

NAT/PAT

VLAN ID

access list

public Internet to inside

public Internet to DMZ

inside to DMZ

DMZ to inside

honey pot-based

anomaly-based

signature-based

policy-based

When a superview is deleted, the associated CLI views are deleted.

A single CLI view can be shared within multiple superviews.

A CLI view has a command hierarchy, with higher and lower views.

Only a superview user can configure a new view and add or remove commands from the existing views.

A class 5 certificate is more trustworthy than a class 4 certificate.

Email security is provided by the vendor, not by a certificate.

The lower the class number, the more trusted the certificate.

A vendor must issue only one class of certificates when acting as a CA.

Because the login delay command was not used, a one-minute delay between login attempts is assumed.

The hosts that are identified in the ACL will have access to the device.

The login block-for command permits the attacker to try 150 attempts before being stopped to try again.

These enhancements apply to all types of login connections.

Register the destination website on the Cisco ASA.

Use the Cisco AnyConnect Secure Mobility Client first.

Use a web browser to visit the destination website.

Use a web browser to visit the destination website.*

Network Address Translation

access control lists

security zones

stateful packet inspection

DHCP spoofing

ARP spoofing

VLAN hopping

ARP poisoning

authorization

authentication

auditing

accounting

A counter starts and a summary alert is issued when the count reaches a preconfigured number.

The TCP connection is reset.

An alert is triggered each time a signature is detected.

The interface that triggered the alert is shutdown.

A stateful signature is also known as a signature.

A stateful signature is also known as

Hashes are never sent in plain text.

It is easy to generate data with the same CRC.

It is virtually impossible for two different sets of data to calculate the same hash output.

Hashing always uses a 128-bit digest, whereas a CRC can be variable length.

vulnerability scanning

password cracking

network scanning

integrity checker

Both VPN end devices must be configured for NAT.

No ACLs can be applied on either VPN end device.

Both VPN end devices must be NAT-T capable.

Both VPN end devices must be using IPv6.

Only signatures in the ios_ips advanced category will be compiled into memory for scanning.

All signatures categories will be compiled into memory for scanning, but only those signatures within the ios ips advanced category will be used for scanning purposes.

All signature categories will be compiled into memory for scanning, but only those signatures in the ios_ips basic category will be used for scanning purposes.

Only signatures in the ios_ips basic category will be compiled into memory for scanning.

It utilizes UDP to provide more efficient packet transfer.

It combines authentication and authorization as one process.

It encrypts the entire body of the packet for more secure communications.

It hides passwords during transmission using PAP and sends the rest of the packet in plaintext.

It combines authentication and authorization as one process.

It utilizes UDP to provide more efficient packet transfer.

It hides passwords during transmission using PAP and sends the rest of the packet in plaintext.

It encrypts the entire body of the packet for more secure communications.*

Implement restrictions on the use of ICMP echo-reply messages.

Implement a firewall at the edge of the network.

Implement access lists on the border router.

Implement encryption for sensitive traffic.

LLDP on network devices?

Enable CDP on edge devices, and enable LLDP on interior devices.

Use the default router settings for CDP and LLDP.

Use the open standard LLDP rather than CDP.

Disable both protocols on all interfaces where they are not required.

password recovery

security policy compliance

IDS signature development

logging of security events

binding class maps with actions

identifying interesting traffic

binding a service policy to an interface

using ACLs to match traffic

exec default

connection

exec

network

Each ACS server must be configured with a local username database in order to provide authentication services.

Clients using internet services are authenticated by ACS servers, whereas local clients are authenticated through a local username database.

A local username database is required when creating a method list for the default login.

A local username database provides redundancy if ACS servers become unreachable. [adef]