Netw450 advanced network security with lab entire class


NETW450 Advanced Network Security with Lab Entire Class

https://homeworklance.com/downloads/netw450-advanced-network-security-lab-entire-class/

Devry NETW 450 Week 1 Discussion DQ 1 & DQ 2 Latest 2016

DQ 1

Security Policy Issues (graded)

What are the key components of a good security policy? What are some of the most common attacks and how can a network be protected against these attacks?

DQ 2

iLab Experiences (graded)

Discuss your experiences with the Skillsoft Lab 1. What parts of the iLab did you find difficult or unclear? What did you learn about security in completing the assigned iLab?

Devry NETW 450 Week 2 Discussion DQ 1 & DQ 2 Latest 2016

DQ 1

Router Security (graded)

Discuss the methods that can be used on a standard IOS router to prevent unauthorized access to the router. Also, discuss how privilege levels and role-based CLI can improve the security on the router.

DQ 2

iLab Experiences (graded)

Read the Week 2 iLab instructions and discuss the expectations you have regarding this lab. Do you think it is important to prevent access to unused ports and services on the routers within your network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class?


Devry NETW 450 Week 3 Discussion DQ 1 & DQ 2 Latest 2016

DQ 1

Layer 2 (Switch) Security (graded)

Discuss the attacks that can occur on a layer 2 switch and how the network can be impacted by these attacks. Also, discuss the methods that can be used to mitigate the effects of these attacks on the network.

DQ 2 iLab Experiences (graded)

Read the Week 3 iLab instructions and discuss the expectations you have regarding this lab. Do you think it is important to prevent access to unused ports and services on the routers within your network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class? What did you learn about security ACLs in completing this lab?

Devry NETW 450 Week 4 Discussion DQ 1 & DQ 2 Latest 2016

DQ 1

Security ACLs and Firewall (graded)

Discuss the security ACLs we covered this week in the text reading and the lecture. Describe different scenarios where a specific type of ACL can enhance network security. Compare CBAC firewalls versus zone-based firewalls. What are the advantages and disadvantages of each?

DQ 2

iLab Experiences and WLAN Security (graded)

Read the Week 4 iLab instructions and discuss the expectations you have regarding this lab. Do you think the wireless LAN is secure on your network? What wireless security measures can you take to secure the WLAN? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class? What did you learn about wireless access points and roaming in completing this lab?

Devry NETW 450 Week 5 Discussion DQ 1 & DQ 2 Latest 2016


DQ 1 AAA Servers (graded)

Compare the relative merits of TACACS+ and RADIUS AAA servers. What advantages and disadvantages does each type of AAA server have?

DQ 2

iLab Experiences and Analyzing Bandwidth Needs (graded)   

Read the Week 5 iLab instructions and discuss the expectations you have regarding this lab. Do you think the overhead involved in securing communication links can affect the bandwidth requirements of a network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class? What did you learn about analyzing bandwidth requirements for serial links in completing this lab?

Devry NETW 450 Week 6 Discussion DQ 1 & DQ 2 Latest 2016

DQ 1

Virtual Private Networks (graded)

Discuss what you learned about the configuration and operation of virtual private networks.

DQ 2

iLab Experiences (graded)

Read the Week 6 iLab instructions and discuss the expectations you have regarding this lab. Periodic security audits are necessary to ensure continued protection of a company network. Why is it important to use and run a scheduled security audit on your network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class? What did you learn about security audits in completing this lab?

Devry NETW 450 Week 7 Discussion DQ 1 & DQ 2 Latest 2016


DQ 1

Intrusion Detection/Prevention Systems (IDS/IPS) (graded)

Intrusion detection systems can be implemented on IOS firewall routers and security appliances. They can also be dedicated in-line hardware devices. Why is intrusion detection important in networks with connections to the Internet, and what are the functions of IDS? What are the differences between intrusion detection systems (IDS) and intrusion prevention systems (IPS)?

DQ 2

iLab Experiences (graded)

Read the Week 7 iLab instructions and discuss the expectations you have regarding this lab. Periodic security audits are necessary to ensure continued protection of a company network. Why is it important to use and run a scheduled security audit on your network? How did your actual lab experiences meet your expectations? Are there specific insights or challenges you encountered that you would like to share with the class? What did you learn about security audits in completing this lab?

i labs

iLab 2 of 7: Security Demands

Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)

 

iLAB OVERVIEW

Scenario and Summary

In this lab, the students will examine the following objectives.

Create ACL to meet the requirements of the security demands.
Modify existing ACL to meet additional security requirements.

Deliverables

Students will complete all tasks specified in the iLab Instructions document. As the iLab tasks are completed, students will enter CLI commands, and answer questions in the iLab Report document. This iLab Report document will be submitted to the iLab Dropbox for Week 2.

Supporting Documentation

SEC450 ACL Tutorial
Textbook (Chapter 3)
Webliography links on Access Control List

Required Software

Access the software at Skillsoft

iLAB STEPS


STEP 1: Access Skillsoft iLab

Access Skillsoft Labs at the provided iLab link, and select Catalog. Click to Launch the course and then select Lab2. Then, download the PDF instructions. Ensure that you open and read the iLab instructions before you begin the lab. PLEASE NOTE: Lab instr

STEP 2: Perform iLab 2

Download and open SEC450_W2_Security_Demands_Lab2_Report.docx. Follow the instructions to perform all procedures in this week's lab. Instructions in red indicate tasks that you need to answer and include in the lab report.

STEP 3: Complete Your Lab Report

When you are satisfied with your documentation, submit your completed report to the Dropbox. Submit your lab to the Dropbox, located at the top of this page. For instructions on how to use the Dropbox, read these step-by-step instructions or watch this Dropbox Tutorial. See the Syllabus section “Due Dates for Assignments & Exams” for due date information.

Student Security Demands Lab

NETW 450 Week 2 iLab2 Report

Copy below each of the tasks that appears in red in the PDF lab instructions from Skillsoft. Then, write the answer following each of the tasks. Submit this document to the iLab Dropbox in Week 2.

week 3

Lab 3 of 7: Database Security Demands

Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)

iLAB OVERVIEW

NETW 450 ACL Tutorial

This document highlights the most important concepts on Access Control Lists (ACL) that you need to learn in order to configure ACLs in the CLI. This tutorial is by no means intended to cover all ACL applications, only the scenarios used in the SEC450 iLabs.

Introduction to Access Control List

A host-based firewall essentially works by closing and/or opening ports on a computer. The engine behind firewalls is built with Access Control Lists (ACL).

Network-based firewalls are implemented in device-specific appliances and routers. Basically, firewalls in routers filter packets through interfaces to permit or deny them.


Ports are layer-4 addresses specified in the TCP/IP protocol suite that identify networking processes running on clients and servers.

ACLs are configured using shell-specific commands. In Cisco IOS, CLI commands access-list and access-group are used to create and apply ACL on an interface.

An ACL can be identified by a number ID or a name. Naming an ACL is useful to identify the ACL’s purpose.

ACLs are classified as Standard ACLs and Extended ACLs.

Standard ACL’s number IDs are assigned from 1 to 99. Extended ACL’s number IDs are from 100 to 199.

A Standard ACL uses only the source IP address of an IP packet to filter traffic through an interface. Hence, a standard ACL denies or permits all IP packets with the same source IP address regardless of upper-layer protocols, destination IP address, etc.

Example 1:
Router(config)#access-list 8 deny host 172.12.3.5

An Extended ACL filters packets based on protocol, source IP address, source port number, destination IP address, and destination port number.

Example 2:
Router(config)#access-list 102 deny tcp host 10.0.3.2 host 172.129.4.1
This denies TCP packets with source IP address 10.0.3.2 and destination IP address 172.129.4.1.

Since Standard ACLs only match on the source IP address, the rule is to apply them on an interface as close as possible to the destination IP address.

By contrast, the rule for Extended ACLs is to apply them on an interface as close as possible to the source IP address.

 

Use Extended ACLs in all iLabs, as they are more granular in packet filtering.

Create Extended ACL in global configuration

You can use the access-list command options lt, gt, eq, neq, and range (less than, greater than, equal, not equal, range of ports) to match on port numbers.

Example 3:
access-list 102 deny tcp any host 11.23.45.7 gt 20
denies all packets with any source IP address to destination IP address 11.23.45.7 and destination TCP port greater than 20.

Example 4:
access-list 107 permit udp any any
permits all packets with UDP protocol with any source IP address to any destination IP address.

 

An Extended ACL can filter packets based on source port number and destination port number. The Extended ACL syntax can be as follows.

access-list <#,name> <protocol> host <source_ip> <port_qualifier> <source_port_number> host <dest_ip> <port_qualifier> <dest_port_number>

where:
<#,name> is a number from 100 to 199 or a one-word name
<protocol> is any protocol in the TCP/IP suite
<source_ip> and <dest_ip> are the source and destination IP addresses
<port_qualifier> is optional, and can be eq, gt, lt, neq, and range
<source_port_number> and <dest_port_number> follow <port_qualifier> to specify the port number(s).

<port_qualifier> and <port_number> can be replaced by the application protocol. For example, http instead of eq 80.

Creation of ACLs follows the three Ps rule: one ACL per protocol, per interface, per traffic direction. Per protocol means one protocol such as IP, TCP, IPX, UDP, or ICMP can be specified. Per interface means the ACL is applied to an interface to make it active. Per direction means the ACL needs to specify to which direction at the interface, packets in or out, the filtering applies.

Steps for configuring a new ACL are: First, create the ACL in CLI global configuration using access-list command(s). Then, apply the ACL using the access-group command in CLI interface configuration. The ACL is not activated unless it is applied to an interface.

An ACL consists of one or more access-list commands. Routers process the ACL commands in order, from top to bottom, like a script or computer program. That is why the order of access-list commands makes a difference.

The effectiveness of an access-list command depends upon previous access-list commands. Therefore, always write the commands in this order: more-specific-traffic commands first, and then more-generic-traffic commands last.

Example 5: It makes sense to write an ACL as
Router(config)#access-list 101 deny tcp host 10.0.3.2 any
Router(config)#access-list 101 permit tcp any any
But never follow the order below, because the second command is more specific, and therefore “deny” is worthless because the first command already lets the packets pass through.
Router(config)#access-list 101 permit tcp any any
Router(config)#access-list 101 deny tcp host 10.0.3.2 any

All ACLs have a hidden access-list command at the end that denies all packets (i.e., deny ip any any). Hence, packets that are not specifically permitted by a command will always be denied by the ACL.

Example 6: Use the command
Router(config)#access-list 105 permit ip any any
at the end of the ACL if it is required to permit all other traffic after denying packets with
Router(config)#access-list 105 deny icmp any host 192.168.10.244

The wildcard option is used in access-list commands to filter packets from a subnet of source and/or destination IP addresses instead of single hosts. IP addresses in each of those subnets must be contiguous. Filtering on port numbers is also applicable, but it has been omitted for the sake of simplicity. Here is the syntax.

access-list <#,name> <protocol> <source_ip> <source_wildcard> <dest_ip> <dest_wildcard>

where:
<#,name> is a number from 100 to 199 or a one-word name
<protocol> is any protocol in the TCP/IP suite
<source_ip> and <dest_ip> are the source and destination IP addresses
<source_wildcard> and <dest_wildcard> specify the subnet ranges of source and destination IP addresses

Wildcard in ACL has the same meaning as in routing protocols such as EIGRP and OSPF. Wildcard bit 0 means the bit in the IP address must be the same as the corresponding bit in the subnet IP addresses. Wildcard bit 1 means the bit in the IP address can be any value (0 or 1).


Example 7:
access-list 105 deny udp 172.16.7.3 0.0.0.3 any
means to deny all packets with UDP protocol with source IP addresses from 172.16.7.0 to 172.16.7.3 to any destination IP address. Note that .3 is .00000011 in binary, which as a wildcard reads .000000xx, where x means any value (0 or 1).

Example 8:
access-list 109 permit tcp host 192.168.6.3 eq 80 10.0.0.0 0.0.0.255
means to permit all TCP packets from source IP address 192.168.6.3 and source TCP port 80 (e.g., an HTTP server) to destination IP addresses in the range 10.0.0.0 to 10.0.0.255. The fact that 10.0.0.0 would not qualify as a host IP in classful networks is irrelevant to the ACL.

Using a wildcard with all 0s is the same as using the option host in access-list commands.

Example 9:
access-list 110 permit ip host 10.23.4.3 host 10.30.2.1
and
access-list 110 permit ip 10.23.4.3 0.0.0.0 10.30.2.1 0.0.0.0
are equivalent commands. Both permit packets with source IP address 10.23.4.3 and destination IP address 10.30.2.1.
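The matching rules described so far (wildcard bits, port qualifiers, top-to-bottom processing and the hidden final deny) can be checked with a small simulator. The Python sketch below is an added example, not part of the original tutorial and not Cisco code; it handles only numbered extended ACL lines in the syntax shown above (no named ports such as http). The Packet type, the function names and the 192.0.2.x test addresses are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model: protocol name, dotted-quad addresses, layer-4 ports.
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF          # every bit is "don't care"
    if first == "host":
        return _ip(tok.pop(0)), 0     # same as wildcard 0.0.0.0
    return _ip(first), _ip(tok.pop(0))


def _take_port(tok):
    """Consume an optional port qualifier; return a predicate on a port."""
    if tok and tok[0] in ("eq", "neq", "gt", "lt"):
        op, n = tok.pop(0), int(tok.pop(0))
        return {"eq": lambda p: p == n, "neq": lambda p: p != n,
                "gt": lambda p: p > n, "lt": lambda p: p < n}[op]
    if tok and tok[0] == "range":
        lo, hi = int(tok[1]), int(tok[2])
        del tok[:3]
        return lambda p: lo <= p <= hi
    return lambda p: True             # no qualifier: any port


def parse_ace(line):
    """Parse one 'access-list <id> <action> <proto> <src> <dst>' line."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an extended access-list entry: " + line)
    rest = tok[4:]
    ace = {"action": tok[2], "proto": tok[3]}
    ace["src"] = _take_addr(rest)
    ace["sport"] = _take_port(rest)
    ace["dst"] = _take_addr(rest)
    ace["dport"] = _take_port(rest)
    if rest:
        raise ValueError("unsupported trailing tokens: " + " ".join(rest))
    return ace


def _addr_match(ip_text, spec):
    base, wild = spec
    # Wildcard bit 0: the bit must equal the base; wildcard bit 1: ignore it.
    return ((_ip(ip_text) ^ base) & ~wild & 0xFFFFFFFF) == 0


def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not (_addr_match(pkt.src, ace["src"]) and _addr_match(pkt.dst, ace["dst"])):
        return False
    if pkt.proto in ("tcp", "udp"):
        return ace["sport"](pkt.sport) and ace["dport"](pkt.dport)
    return True


def evaluate(acl_lines, pkt):
    """First match wins. Returns (action, line index); index None means the
    packet fell through to the hidden 'deny ip any any'."""
    for i, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], i
    return "deny", None


if __name__ == "__main__":
    # Example 5 from the tutorial, in the recommended and the reversed order.
    good = ["access-list 101 deny tcp host 10.0.3.2 any",
            "access-list 101 permit tcp any any"]
    pkt = Packet("tcp", "10.0.3.2", "192.0.2.10", 40000, 80)
    print("specific first:", evaluate(good, pkt))
    print("generic first: ", evaluate(good[::-1], pkt))
```

The line index in the result shows which entry decided the packet's fate, which makes a shadowed entry (one that can never be reached) easy to spot.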

Only use wildcards in access-list commands when the ACL requires filtering packets on a subnet of IP addresses, either at the source, the destination, or both.

Applying ACL to an Interface for Activation

Example 10: Assume you need to create an ACL in a router that permits any traffic except UDP packets with source IP address 10.23.4.3 and destination IP address 10.30.2.1 as shown in the network diagram below. First, you need to create an extended ACL in CLI global configuration.

Router#config t
Router(config)#access-list 103 deny udp host 10.23.4.3 host 10.30.2.1
Router(config)#access-list 103 permit ip any any

Second, you need to apply ACL 103 on an interface close to the source (i.e., the extended ACL rule of thumb). The closest interface is S0/1 in Router for traffic coming from IP 10.23.4.3. Thus, you go to interface configuration in CLI to activate the ACL.

Router(config)#interface s0/1
Router(config-if)#ip access-group 103 in

If you need to make any correction after creating an ACL, then first erase the ACL from the global and interface configurations. To erase ACL 103 from the previous example, execute the following commands.

Router(config)#interface s0/1
Router(config-if)#no ip access-group 103 in
Router(config-if)#exit
Router(config)#no access-list 103

Now, you can start over creating ACL 103. If you do not erase the ACL, then new access-list commands will be appended to the existing ones in the configuration file, producing unexpected behavior. Use the command show run to verify the ACL is erased and created again correctly.

Verify ACL Configuration

Example 11: Let’s say you have been asked to create an ACL in a router R to deny TCP traffic coming through interface Serial 0/2 from source IP address 10.16.2.1 to destination IP address 172.16.5.3 with destination port number greater than 200. Also, the ACL should permit any other traffic.

There are two configuration tasks you need to do in CLI. First, create the ACL. Second, apply the ACL to interface Serial 0/2.

So, in CLI,


R> enable
R# config t
R(config)# access-list 101 deny tcp host 10.16.2.1 host 172.16.5.3 gt 200
R(config)# access-list 101 permit ip any any
This command is needed to permit any other traffic after denying the selected packets with the first command.
R(config)# interface serial0/2
R(config-if)# ip access-group 101 in
This command applies the ACL to serial0/2 for traffic coming in.
R(config-if)# end
R# show run
This verifies that the ACL configuration is correct in the running-config file.

R#show running-config
version 12.3
!
hostname R
!
interface FastEthernet0/0
 ip address 192.168.200.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 shutdown
!
interface Serial0/0
 ip address 200.100.20.2 255.255.255.0
!
interface Serial0/1
 ip address 192.168.30.2 255.255.255.0
 shutdown
!
interface Serial0/2
 ip address 192.168.40.1 255.255.255.0
 ip access-group 101 in
!
router rip
 network 192.168.200.0
 network 200.100.20.0
!
ip default-network 200.100.20.0
ip route 0.0.0.0 0.0.0.0 serial0/0
!
!
access-list 101 deny tcp host 10.16.2.1 host 172.16.5.3 gt 200
access-list 101 permit ip any any
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
line vty 5 15
 password cisco
!
end

If the ACL is not correct, then delete it with the commands below and start over again.

R# config t
R(config)# no access-list 101
R(config)# interface serial0/2
R(config-if)# no ip access-group 101 in

week 4

AAA Server Authentication Lab

NETW 450 Week 4 iLab4 Report

Copy below each of the tasks that appears in red in the PDF lab instructions from Skillsoft. Then, write the answer following each of the tasks. Submit this document to the iLab Dropbox in Week 4.

iLab 5 of 7: VPN – Virtual Private Networks

Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)

Student Name: Date:

IPSec Site-to-Site VPN Lab

SEC450 Week 5 iLab5 Report

Copy below each of the tasks that appears in red in the PDF lab instructions from Skillsoft. Then, write the answer following each of the tasks. Submit this document to the iLab Dropbox in Week 5.

week 6

iLab 6 of 7: IDS/IPS – Intrusion Detection/Prevention Systems

Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)

Student Name: Date:

Intrusion Detection System (IDS/IPS) Lab

NETW 450 Week 6 iLab6 Report

Copy below each of the tasks that appears in red in the PDF lab instructions from Skillsoft. Then, write the answer following each of the tasks. Submit this document to the iLab Dropbox in Week 6.

week 7

iLab 7 of 7: Network Vulnerability Case Study

Note! Submit your assignment to the Dropbox, located at the top of this page. (See the Syllabus section “Due Dates for Assignments & Exams” for due dates.)

Student Name _________________________________ Date _____________

NETW 450 Network Vulnerability Case Study—iLab7

  


Objectives

In this lab, students will examine the following objectives.

Differentiate the use of IDS and IPS to detect network attacks.
Design a network with IDS/IPS.
Justify the use of IDS/IPS for a given network solution.

Scenario

A small company is using the topology shown below to secure its intranet while providing a less-secured environment to its eCommerce DMZ server. The company is concerned that firewalls are not enough to detect and prevent network attacks. Hence, deployment of sensors for intrusion detection systems (IDS) and/or intrusion prevention systems (IPS) is needed in the network. Your job is to provide recommendations, including a network design with IDS/IPS, that meet the company’s requirements.

Initial Topology

Company’s Requirements

Detect any malicious traffic entering the e-commerce server without performance penalty to traffic getting in the server from revenue-generating customers.
Stop any malicious traffic entering the human resources LAN (HR LAN).
Detect any malicious traffic entering the computer terminal in the marketing LAN (MKT LAN).
Stop any traffic entering the File Server in MKT LAN.
Deploy a centralized database and analysis console in the intranet to manage and monitor both IDS and IPS sensors.

Note: RED text indicates the required questions to answer

Task 1—Layout the New Network Design

Click on the Initial Network Topology link on the iLab page in Week 7, and save the MS PowerPoint file Initial_Network_Topology_iLab7.ppt to your computer. This file contains a diagram for the initial network topology and pictures of all components needed to create the new network design.


Review the documentation provided in the references at the end of these instructions to get more familiar with the implementation of IDS and IPS in network design. You need to find a network solution that meets the company’s requirements.

#1. Paste below your new network design diagram.

Task 2—IDS/IPS Recommendations

#2. Write an engineering specification document of at least 250 words (e.g., 1 page of full text, double space, and size 12) describing why your network’s design meets each of the company’s requirements. Justify how each recommendation addresses the company’s needs.

Task 3—Conclusions

#3. Describe in two paragraphs your learning experience in this lab.

References:

1. SANS Institute. “Network IDS & IPS Deployment Strategies”—Webliography
2. Paquet, C. (2012). Implementing Cisco IOS network security (IINS) foundation learning guide (2nd ed.). Indianapolis, IN: Cisco Press.
3. NIST. “Guide to Intrusion Detection and Prevention Systems (IDPS)”—Webliography

quizzes

week 2

1.(TCO 2) Which of the following prompts indicates that you have booted into the IOS stored in Bootstrap ROM (possibly due to a Ctrl-Break entered during power-up)? (Points : 3) Router> > or ROMMON> (Boot)> ROM>

Question 2.2.(TCO 2) Which is the command sequence used to configure a console terminal password on a Cisco router? Note: <CR> represents a carriage return or Enter key. (Points : 3) line con 0 <CR> password {password} <CR> line con 0 <CR> password {password} <CR> login <CR> line con 0 <CR> login {password} <CR> line {password} con 0 <CR>

Question 3.3.(TCO 2) To enter privileged EXEC mode, you can type the command _____ at the user EXEC prompt. (Points : 3) enter enable activate open

Question 4.4.(TCO 2) Which of the following IOS commands will set the minimum length for all router passwords to eight characters? (Points : 3) (config)# service passwords min-length 8 (config)# passwords min-length 8 (config)# security passwords min-length 8 (config)# passwords security min-length 8

Question 5.5.(TCO 2) Which of the following commands will prevent password recovery using ROM monitor mode? (Points : 3) (config)# no rom monitor (config)# no password-recovery (config)# no service password-recovery (config)# no password-recovery service

Question 6.6.(TCO 2) To configure role-based CLI on a Cisco router, the first command to enter in privileged mode is _____. (Points : 3) parser view view enable enable view config view

Question 7.7.(TCO 2) Which of the following commands is required before you can begin configuring SSH configuration on a Cisco router? (Points : 3) Crypto key generate rsa IP domain-name Crypto key zeroize Transport input ssh

Question 8.8.(TCO 2) Which of the following cannot be used to enhance access security on a router? (Points : 3) MD5 encrypted enable passwords SHA encrypted usernames Privilege levels MD5 encrypted username

week 4

Question 1. 1.(TCO 4) Which type of access list entry is dynamic and becomes active only when a Telnet session is authenticated? It can be used for inbound or outbound traffic. (Points : 3) Established Lock and key Reflexive CBAC

Question 2. 2.(TCO 4) What function CBAC does on a Cisco IOS firewall? (Points : 3) Creates specific security policies for each user. Provides secure, per-application access control across network perimeters. Provides additional visibility at intranet, extranet, and Internet perimeters. Protects the network from internal attacks and threats.

Question 3. 3.(TCO 4) Given the configuration shown below, the idle timeout for TCP and UDP sessions is _____.

ip inspect audit-trail
ip inspect name FWRULE tcp timeout 180
ip inspect name FWRULE udp timeout 180
!
interface FastEthernet0/0
 ip access-group 100 in
 ip inspect FWRULE in
!
interface FastEthernet0/1
 ip access-group 101 in
!
logging on
logging 192.168.100.100
!
access-list 100 permit ip any any
!
access-list 101 deny ip any any log

(Points : 3) 180 minutes 180 seconds 180 days 180 milliseconds

Question 4. 4.(TCO 4) Given the configuration shown below, the host at IP address 192.168.100.100 is a _____.

ip inspect audit-trail
ip inspect name FWRULE tcp timeout 180
ip inspect name FWRULE udp timeout 180
!
interface FastEthernet0/0
 ip access-group 100 in
 ip inspect FWRULE in
!
interface FastEthernet0/1
 ip access-group 101 in
!
logging on
logging 192.168.100.100
!
access-list 100 permit ip any any
!
access-list 101 deny ip any any log

(Points : 3) TACACS+ server syslog server Radius server TACACS server

Question 5. 5.(TCO 4) Which of the following is not a policy action that can be specified for zone-based firewall traffic? (Points : 3) Pass Drop Hold Inspect

Question 6. 6.(TCO 4) With zone-based firewalls, which of the following is used to define interfaces on routers that have the same security level? (Points : 3) Zones Class maps Policy maps Zone pairs

Question 7. 7.(TCO 4) What is the range of ACL numbers for a standard access list?(Points : 3) 100–199 and 1700–1999 1–99 and 1300–1999 0–99 100–199

Question 8. 8.(TCO 4) In CLI, the zone-pair command is used to associate together which of the following?(Points : 3) Zones and service-policy Class maps and interface Policy maps and interface Class-type and interface

week 6

Question 1.1. (TCO 6) When you are configuring a Cisco IOS firewall router for IPSec using RSA signatures, you need to generate a local RSA key. Before you generate the RSA key, you must _____. (Points : 3) generate general purpose keys configure a domain name for the router contact a third-party certificate authority (CA) enable the key management protocol in global configuration mode

Question 2.2. (TCO 6) IPSec VPNs use ACLs to specify VPN tunnel traffic. Any traffic not permitted in the ACL will be _____. (Points : 3) dropped before it exits the VPN outbound interface passed through the VPN outbound interface with no IPSec protection encrypted and sent out through the VPN outbound interface because the ACL specifies traffic to be restricted sent back to the sender with a message indicating invalid IPSec format

Question 3.3. (TCO 6) The Cisco IOS firewall crypto isakmp policy mode command that will set the isakmp security association lifetime is _____. (Points : 3) lifetime {days} lifetime {seconds} set lifetime {days} set lifetime {seconds}

Question 4.4. (TCO 6) _____ encryption algorithms use one key to encrypt the data and another key to decrypt the data between the sender and recipient. (Points : 3) Symmetric Asymmetric Balanced Bidirectional

Question 5.5. (TCO 6) The _____ encryption algorithm uses a key size of 168 bits. (Points : 3) DES 3DES AES WEP

Question 6.6. (TCO 6) Which of the following encryption algorithms is considered the most secure? (Points : 3) DES 3DES AES WEP

Question 7.7. (TCO 6) Which of the following commands will delete all of the IOS firewall router’s RSA keys? (Points : 3) crypto key remove rsa crypto key delete rsa crypto key zeroize rsa crypto key remove rsa all

Question 8.8. (TCO 6) What is the size of the keys in a DES algorithm? (Points : 3) 32 bits 96 bits 112 bits 56 bits

week 7

Question 1.1. (TCO 7) The type of IDS signature that triggers on a multiple packet stream is called _____. (Points : 3) atomic dynamic cyclical compound or composite

Question 2.2. (TCO 7) Which device responds immediately and does not allow malicious traffic to pass? (Points : 3) Intrusion detection system (IDS) Intrusion prevention system (IPS) All of the above Neither of the above

Question 3.3. (TCO 7) An IPS sensor that receives a copy of data for analysis while the original data continues toward the destination is running in _____ mode. (Points : 3) passive active promiscuous inline

Question 4.4. (TCO 7) Most IOS commands used to configure an intrusion prevention system (IPS) begin with the prefix _____. (Points : 3) ids ips ips ip ip ips ios ips

Question 5.5. (TCO 7) Which is an IDS or IPS signature? (Points : 3) A message digest encrypted with the sender’s private key A set of rules used to detect typical intrusive activity A binary pattern specific to a virus An appliance that provides anti-intrusion services

Question 6.6. (TCO 7) Which of the following ip actions will drop the packet and all future packets from this TCP flow? (Points : 3) Deny attacker inline Deny connection inline Deny ip host inline Deny packet inline

Question 7.7. (TCO 7) Which of the following are signature types that IOS firewall IDS can detect as requiring the storage of state information? (Points : 3) Atomic Dynamic Cyclical Compound (composite)

Question 8.8. (TCO 7) Why is a network using IDS only more vulnerable to atomic attacks? (Points : 3) IDS must track three-way handshakes of established TCP connections. IDS cannot track UDP sessions. IDS permits malicious single packets into a network. IDS is not stateful and therefore cannot track multiple-packet attack streams.

NETW 450 Final Answers

Question 1. 1. (TCO 1) The component of network security that ensures that authorized users have access to data and network resources is _____. (Points : 6) data integrity data confidentiality data and system availability data and user authentication

Question 2. 2. (TCO 1) The type of security control that makes use of firewalls is called _____. (Points : 6) administrative physical technical clerical

Question 3. 3. (TCO 2) To configure a role-based CLI on a Cisco router, the first command to enter in privileged mode is _____. (Points : 6) parser view view enable enable view config view super view

Question 4. 4. (TCO 2) The show running-config output can be modified using all of the following pipes except for _____. (Points : 6) | begin | end | include | exclude


Question 5. 5. (TCO 3) Which of the following is the default number of MAC addresses allowed when you execute the switchport port-security command on a switch port? (Points : 6) Zero One Two Three

Question 6. 6. (TCO 3) Which switch feature causes a port to skip the listening and learning states, causing the port to enter the forwarding state very quickly? (Points : 6) fastport portfast enablefast portforward

Question 7. 7. (TCO 4) With zone-based firewalls, which of the following is used to specify actions to be taken when traffic matches a criterion? (Points : 6) Zones Class maps Policy maps Zone pairs

Question 8. 8. (TCO 4) Which type of access list uses rules placed on the interface where allowed traffic initiates and permits return traffic for TCP, UDP, SMTP, and other protocols? (Points : 6) Established Lock and key Reflexive CBAC

Question 9. 9. (TCO 5) Which AAA server protocol offers support for ARAP and NETBEUI protocols as well as IP? (Points : 6) CSACS RADIUS OpenACS TACACS+

Question 10. 10. (TCO 5) Which of the following is not considered a component of AAA? (Points : 6) Authentication Authorization Accounting Administration


Question 11. 11. (TCO 6) The Cisco IOS command that will display all current IKE security associations (SAs) is _____. (Points : 6) show crypto ipsec show crypto isakmp show crypto ipsec sa show crypto isakmp sa show crypto ike sa

Question 12. 12. (TCO 6) The Cisco IOS firewall crypto isakmp policy mode command that will set the isakmp security association lifetime is _____. (Points : 6) lifetime {days} lifetime {seconds} set lifetime {days} set lifetime {seconds}

Question 13. 13. (TCO 7) Cisco routers implementing IPS can save IPS events in a Syslog server by executing which of the following commands? (Points : 6) ip ips log {IP Address} ip ips notify syslog ip ips notify log ip ips notify sdee

Question 14. 14. (TCO 7) Which of the following is not an action that can be performed by the IOS firewall IDS router when a packet or packet stream matches a signature? (Points : 6) Drop the packet immediately. Send an alarm to the Cisco IOS designated Syslog server. Set the packet reset flag and forward the packet through. Block all future data from the source of the attack for a specified time.

Question 15. 15. (TCO 1) Explain how to mitigate a Smurf attack. (Points : 24)

Question 16. 16. (TCO 2) Type the global configuration mode and line configuration mode commands that are required to secure the VTY lines 0 through 15 to use the local username admin with the encrypted password adminpass for remote Telnet or SSH log-ins to the Cisco router. (Points : 24)

Question 17. 17. (TCO 3) What are at least two best practices that should be implemented for unused ports on a Layer 2 switch for switch security? (Points : 24)

Question 18. 18. (TCO 4) Given the commands shown below and assuming F0/0 is the inside interface of the network, explain what this ACL does.

access-list 100 permit tcp any any eq 80 time-range MWF
time-range MWF
periodic Monday Wednesday Friday 8:00 to 17:00
time-range absolute start 00:00 30 Sept 2014 end 01:00 30 Sept 2014
int f0/0
ip access-group 100 in

Correct Answer: (Points : 24)

Question 19. 19. (TCO 5) Type two global configuration mode commands that enable AAA authentication and configure a default log-in method list. Use a TACACS+ server first, then a local username and password, and finally the enable password. (Points : 24)

Question 20. 20. (TCO 6) Discuss the data encryption algorithms DES and 3DES. Discuss the key lengths, and rank the algorithms in order of best security. (Points : 24)

Question 21. 21. (TCO 7) Explain the two benefits of Cisco IPS version 5.x signature format over the Cisco IPS version 4.x signature format. (Points : 22)

