Netsec final
Netsec Final Exam Quiz
Test your knowledge on network security with our comprehensive Netsec Final Exam Quiz. This quiz consists of 71 challenging questions covering a range of topics, including AAA, IPSec, Cisco ASA configurations, and more. Perfect for students or professionals preparing for certifications or looking to refresh their skills.
- 71 detailed questions
- Multiple choice and checkbox formats
- Ideal for network security preparation
Which statement describes a difference between the Cisco ASA IOS CLI feature and the router IOS CLI feature?
ASA uses the ? Command whereas a router uses the help command to receive help on a brief description and the syntax of a command.
To use a show command in a general configuration mode, ASA can use the command directly whereas a router will need to enter the do command before issuing the show command.
To complete a partially typed command, ASA uses the Ctrl+Tab key combination whereas a router uses the Tab key.
To indicate the CLI EXEC mode, ASA uses the % symbol whereas a router uses the # symbol.
Refer to the exhibit. A network administrator is configuring AAA implementation on an ASA device. What does the option link3 indicate?
The network name where the AAA server resides
The specific AAA server name
The sequence of servers in the AAA server group
The interface name
What provides both secure segmentation and threat defense in a Secure Data Center solution?
Cisco Security Manager software
AAA server
Adaptive Security Appliance
Intrusion prevention system
What are the three core components of the Cisco Secure Data Center solution?
Mesh network
Secure segmentation
Visibility
Threat defense
Servers
Infrastructure
What are three characteristics of ASA transparent mode?
This mode does not support VPNs, QoS, or DHCP Relay.
It is the traditional firewall deployment mode.
This mode is referred to as a “bump in the wire.”
NAT can be implemented between connected networks.
In this mode the ASA is invisible to an attacker.
The interfaces of the ASA separate Layer 3 networks and require IP addresses in different subnets.
What is needed to allow specific traffic that is sourced on the outside network of an ASA firewall to reach an internal network?
ACL
NAT
Dynamic routing protocols
Outside security zone level 0
Which action do IPsec peers take during the IKE Phase 2 exchange?
Exchange of DH keys
Negotiation of IPsec policy
Negotiation of IKE policy sets
Verification of peer identity
Which command raises the privilege level of the ping command to 7?
User exec ping level 7
Authorization exec ping level 7
Accounting exec level 7 ping
Privilege exec level 7 ping
What is a characteristic of a role-based CLI view of router configuration?
A CLI view has a command hierarchy, with higher and lower views.
When a superview is deleted, the associated CLI views are deleted.
A single CLI view can be shared within multiple superviews.
Only a superview user can configure a new view and add or remove commands from the existing views.
Which type of packet is unable to be filtered by an outbound ACL?
Multicast packet
ICMP packet
Broadcast packet
Router-generated packet
What would be the primary reason an attacker would launch a MAC address overflow attack?
So that the switch stops forwarding traffic
So that legitimate hosts cannot obtain a MAC address
So that the attacker can see frames that are destined for other hosts
So that the attacker can execute arbitrary code on the switch
Which two features are included by both TACACS+ and RADIUS protocols?
SIP support
Password encryption
802.1X support
Separate authentication and authorization processes
Utilization of transport layer protocols
What function is provided by the RADIUS protocol?
RADIUS provides encryption of the complete packet during transfer.
RADIUS provides separate AAA services.
RADIUS provides separate ports for authorization and accounting.
RADIUS provides secure communication using TCP port 49.
Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router?
Local zone
Inside zone
Self zone
System zone
Outside zone
What are two benefits of using a ZPF rather than a Classic Firewall?
ZPF allows interfaces to be placed into zones for IP inspection.
The ZPF is not dependent on ACLs.
Multiple inspection actions are used with ZPF.
ZPF policies are easy to read and troubleshoot.
With ZPF, the router will allow packets unless they are explicitly blocked.
Which two protocols generate connection information within a state table and are supported for stateful filtering?
Icmp
Udp
Dhcp
Tcp
Http
What is the next step in the establishment of an IPsec VPN after IKE Phase 1 is complete?
Negotiation of the ISAKMP policy
Negotiation of the IPsec SA policy
Detection of interesting traffic
Authentication of peers
Which algorithm can ensure data integrity?
Rsa
Aes
Md5
Pki
A company implements a security policy that ensures that a file sent from the headquarters office to the branch office can only be opened with a predetermined code. This code is changed every day. Which two algorithms can be used to achieve this task?
Hmac
Md5
3des
Sha1
Aes
An administrator discovers that a user is accessing a newly established website that may be detrimental to company security. What action should the administrator take first in terms of the security policy?
Ask the user to stop immediately and inform the user that this constitutes grounds for dismissal.
Create a firewall rule blocking the respective website.
Revise the AUP immediately and get all users to sign the updated AUP.
Immediately suspend the network privileges of the user.
If AAA is already enabled, which three CLI steps are required to configure a router with a specific view? (Choose three.)
Create a superview using the parser view view-name command.
Associate the view with the root view.
Assign users who can use the view.
Create a view using the parser view view-name command.
Assign a secret password to the view.
Assign commands to the view.
What network testing tool is used for password auditing and recovery
Nessus
Metasploit
L0phtcrack
SuperScan
Which two statements describe the characteristics of symmetric algorithms?
They are commonly used with VPN traffic.
They use a pair of a public key and a private key.
They are commonly implemented in the SSL and SSH protocols.
They provide confidentiality, integrity, and availability.
They are referred to as a pre-shared key or secret key.
The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?
Authentication
Nonrepudiation
Integrity
Diffie-Hellman
Confidentiality
What function is provided by Snort as part of the Security Onion?
To generate network intrusion alerts by the use of rules and signatures
To normalize logs from various NSM data logs so they can be represented, stored, and accessed through a common schema
To display full-packet captures for analysis
To view pcap transcripts generated by intrusion detection tools
What are two drawbacks to using HIPS?
With HIPS, the success or failure of an attack cannot be readily determined.
With HIPS, the network administrator must verify support for all the different operating systems used in the network.
HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network.
If the network traffic stream is encrypted, HIPS is unable to access unencrypted forms of the traffic.
HIPS installations are vulnerable to fragmentation attacks or variable TTL attacks.
In an AAA-enabled network, a user issues the configure terminal command from the privileged executive mode of operation. What AAA function is at work if this command is rejected?
Authorization
Authentication
Auditing
Accounting
A company has a file server that shares a folder named Public. The network security policy specifies that the Public folder is assigned Read-Only rights to anyone who can log into the server while the Edit rights are assigned only to the network admin group. Which component is addressed in the AAA network service framework?
Automation
Accounting
Authentication
Authorization
What is a characteristic of a DMZ zone?
Traffic originating from the inside network going to the DMZ network is not permitted.
Traffic originating from the outside network going to the DMZ network is selectively permitted.
Traffic originating from the DMZ network going to the inside network is permitted.
Traffic originating from the inside network going to the DMZ network is selectively permitted.
What security countermeasure is effective for preventing CAM table overflow attacks?
DHCP snooping
Dynamic ARP Inspection
IP source guard
Port security
Which method is used to identify interesting traffic needed to create an IKE phase 1 tunnel?
Transform sets
A permit access list entry
Hashing algorithms
A security association
How does a firewall handle traffic when it is originating from the public network and traveling to the DMZ network?
Traffic that is originating from the public network is inspected and selectively permitted when traveling to the DMZ network.
Traffic that is originating from the public network is usually permitted with little or no restriction when traveling to the DMZ network.
Traffic that is originating from the public network is usually forwarded without inspection when traveling to the DMZ network.
Traffic that is originating from the public network is usually blocked when traveling to the DMZ network.
A client connects to a Web server. Which component of this HTTP connection is not examined by a stateful firewall?
The source IP address of the client traffic
The destination port number of the client traffic
The actual contents of the HTTP connection
The source port number of the client traffic
Which network monitoring technology uses VLANs to monitor traffic on remote switches?
Ips
Ids
Tap
Rspan
Which rule action will cause Snort IPS to block and log a packet?
Log
Drop
Alert
Sdrop
Upon completion of a network security course, a student decides to pursue a career in cryptanalysis. What job would the student be doing as a cryptanalyst?
Cracking code without access to the shared secret key
Creating hashing codes to authenticate data
Making and breaking secret codes
Creating transposition and substitution ciphers
What command is used on a switch to set the port access entity type so the interface acts only as an authenticator and will not respond to any messages meant for a supplicant?
Dot1x pae authenticator
Authentication port-control auto
Aaa authentication dot1x default group radius
Dot1x system-auth-control
What are two disadvantages of using an IDS?
The IDS does not stop malicious traffic.
The IDS works offline using copies of network traffic.
The IDS has no impact on traffic.
The IDS analyzes actual forwarded packets.
The IDS requires other devices to respond to attacks.
Refer to the exhibit. The ip verify source command is applied on untrusted interfaces. Which type of attack is mitigated by using this configuration?
DHCP spoofing
DHCP starvation
STP manipulation
MAC and IP address spoofing
What ports can receive forwarded traffic from an isolated port that is part of a PVLAN?
Other isolated ports and community ports
Only promiscuous ports
All other ports within the same community
Only isolated ports
What are two drawbacks in assigning user privilege levels on a Cisco router?
Only a root user can add or remove commands.
Privilege levels must be set to permit access control to specific device interfaces, ports, or slots.
Assigning a command with multiple keywords allows access to all commands using those keywords.
Commands from a lower level are always executable at a higher level.
AAA must be enabled.
What are two reasons to enable OSPF routing protocol authentication on a network?
To prevent data traffic from being redirected and then discarded
To ensure faster network convergence
To provide data security through encryption
To prevent redirection of data traffic to an insecure link
To ensure more efficient routing
Which three services are provided through digital signatures?
Accounting
Authenticity
Compression
Nonrepudiation
Integrity
Encryption
In the implementation of security on multiple devices, how do ASA ACLs differ from Cisco IOS ACLs?
Cisco IOS routers utilize both named and numbered ACLs and Cisco ASA devices utilize only numbered ACLs.
Cisco IOS ACLs are configured with a wildcard mask and Cisco ASA ACLs are configured with a subnet mask.
Cisco IOS ACLs are processed sequentially from the top down and Cisco ASA ACLs are not processed sequentially.
Cisco IOS ACLs utilize an implicit deny all and Cisco ASA ACLs end with an implicit permit all.
Which statement describes an important characteristic of a site-to-site VPN?
It must be statically set up.
It is ideally suited for use by mobile workers.
It requires using a VPN client on the host PC.
After the initial connection is established, it can dynamically change connection information.
It is commonly implemented over dialup and cable modem networks.
What characteristic of the Snort term-based subscriptions is true for both the community and the subscriber rule sets?
Both have a 30-day delayed access to updated signatures.
Both use Cisco Talos to provide coverage in advance of exploits.
Both are fully supported by Cisco and include Cisco customer support.
Both offer threat protection against security threats.
A security analyst is configuring Snort IPS. The analyst has just downloaded and installed the Snort OVA file. What is the next step?
Verify Snort IPS.
Configure Virtual Port Group interfaces.
Enable IPS globally or on desired interfaces.
Activate the virtual services.
The security policy in a company specifies that employee workstations can initiate HTTP and HTTPS connections to outside websites and the return traffic is allowed. However, connections initiated from outside hosts are not allowed. Which parameter can be used in extended ACLs to meet this requirement?
Dcsp
Precedence
Eq
Established
A researcher is comparing the differences between a stateless firewall and a proxy firewall. Which two additional layers of the OSI model are inspected by a proxy firewall?
3
4
5
6
7
Which privilege level has the most access to the Cisco IOS?
0
15
7
16
1
Refer to the exhibit. A network administrator has configured NAT on an ASA device. What type of NAT is used?
Inside NAT
Static NAT
Bidirectional NAT
Outside NAT
A network analyst is configuring a site-to-site IPsec VPN. The analyst has configured both the ISAKMP and IPsec policies. What is the next step?
Configure the hash as SHA and the authentication as pre-shared.
Apply the crypto map to the appropriate outbound interfaces.
Issue the show crypto ipsec sa command to verify the tunnel.
Verify that the security feature is enabled in the IOS.
When an inbound Internet-traffic ACL is being implemented, what should be included to prevent the spoofing of internal networks?
ACEs to prevent traffic from private address spaces
ACEs to prevent broadcast address traffic
ACEs to prevent ICMP traffic
ACEs to prevent HTTP traffic
ACEs to prevent SNMP traffic
When the Cisco NAC appliance evaluates an incoming connection from a remote device against the defined network policies, what feature is being used?
Posture assessment
Remediation of noncompliant systems
Authentication and authorization
Quarantining of noncompliant systems
Which two steps are required before SSH can be enabled on a Cisco router?
Give the router a host name and domain name.
Create a banner that will be displayed to users when they connect.
Generate a set of secret keys to be used for encryption and decryption.
Set up an authentication server to handle incoming connection requests.
Enable SSH on the physical interfaces where the incoming connection requests will be received.
The network administrator for an e-commerce website requires a service that prevents customers from claiming that legitimate orders are fake. What service provides this type of guarantee?
Confidentiality
Authentication
Integrity
Nonrepudiation
What functionality is provided by Cisco SPAN in a switched network?
It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.
It prevents traffic on a LAN from being disrupted by a broadcast storm.
It protects the switched network from receiving BPDUs on ports that should not be receiving them.
It copies traffic that passes through a switch interface and sends the data directly to a syslog or SNMP server for analysis.
It inspects voice protocols to ensure that SIP, SCCP, H.323, and MGCP requests conform to voice standards.
It mitigates MAC address overflow attacks.
Which three statements are generally considered to be best practices in the placement of ACLs?
Filter unwanted traffic before it travels onto a low-bandwidth link.
Place standard ACLs close to the destination IP address of the traffic.
Place standard ACLs close to the source IP address of the traffic.
Place extended ACLs close to the destination IP address of the traffic.
Place extended ACLs close to the source IP address of the traffic.
For every inbound ACL placed on an interface, there should be a matching outbound ACL.
What function is performed by the class maps configuration object in the Cisco modular policy framework?
Identifying interesting traffic
Applying a policy to an interface
Applying a policy to interesting traffic
Restricting traffic through an interface
Which statement is a feature of HMAC?
HMAC uses a secret key that is only known to the sender and defeats man-in-the-middle attacks.
HMAC uses protocols such as SSL or TLS to provide session layer confidentiality.
HMAC uses a secret key as input to the hash function, adding authentication to integrity assurance.
HMAC is based on the RSA hash function.
What is the purpose of the webtype ACLs in an ASA?
To inspect outbound traffic headed towards certain web sites
To restrict traffic that is destined to an ASDM
To monitor return traffic that is in response to web server requests that are initiated from the inside interface
To filter traffic for clientless SSL VPN users
Which two statements describe the effect of the access control list wildcard mask 0.0.0.15?
The first 28 bits of a supplied IP address will be matched.
The last four bits of a supplied IP address will be matched.
The first 28 bits of a supplied IP address will be ignored.
The last four bits of a supplied IP address will be ignored.
The last five bits of a supplied IP address will be ignored.
The first 32 bits of a supplied IP address will be matched.
Which type of firewall is the most common and allows or blocks traffic based on Layer 3, Layer 4, and Layer 5 information?
Stateless firewall
Packet filtering firewall
Next generation firewall
Stateful firewall
Which protocol or measure should be used to mitigate the vulnerability of using FTP to transfer documents between a teleworker and the company file server?
Scp
Tftp
Acl
Oob
What are the three components of an STP bridge ID?
The date and time that the switch was brought online
The hostname of the switch
The MAC address of the switch
The extended system ID
The bridge priority value
The IP address of the management VLAN
What are two differences between stateful and packet filtering firewalls?
A packet filtering firewall will prevent spoofing by determining whether packets belong to an existing connection while a stateful firewall follows pre-configured rule sets.
A stateful firewall provides more stringent control over security than a packet filtering firewall.
A packet filtering firewall is able to filter sessions that use dynamic port negotiations while a stateful firewall cannot.
A stateful firewall will provide more logging information than a packet filtering firewall.
A statefull firewall will examine each packet individually while a packet filtering firewall observes the state of a connection.
What port state is used by 802.1X if a workstation fails authorization?
Disabled
Down
Unauthorized
Blocking
Which two characteristics apply to role-based CLI access superviews?
A specific superview cannot have commands added to it directly.
CLI views have passwords, but superviews do not have passwords.
A single superview can be shared among multiple CLI views.
Deleting a superview deletes all associated CLI views.
Users logged in to a superview can access all commands specified within the associated CLI views.
{"name":"Netsec final", "url":"https://www.quiz-maker.com/QPREVIEW","txt":"Test your knowledge on network security with our comprehensive Netsec Final Exam Quiz. This quiz consists of 71 challenging questions covering a range of topics, including AAA, IPSec, Cisco ASA configurations, and more. Perfect for students or professionals preparing for certifications or looking to refresh their skills.71 detailed questionsMultiple choice and checkbox formatsIdeal for network security preparation","img":"https:/images/course4.png"}
More Quizzes
NSE4
1005033
Security Malware
105116
Adaptive security appliances
20100
CCNA Security Chapter 17 - Cisco IDS/IPS Fundamentals
1160
Chapter 6
1160
Final 6
10546
How dns works, dns attacks, dns cache poisoning, dns spoofing - take the quiz
201036
CCNA Security Chapter 18 - Mitigation Technologies for E-mail- Based and Web-Based Threats
840
Security 3 :
37180
CiscoSecurity
1589
CR2241 - Chapter 7
201050
Protocoale
361844