Tuesday, July 7, 2015

CCIE Security 350-018 Quiz and QA - Security Protocols

Quiz:
1 What are the three components of AAA? (Choose the three best answers.)
a. Accounting
b. Authorization
c. Adapting
d. Authentication

AAA is used for authentication, authorization, and accounting. Answer c is incorrect
because adapting is not part of the security options available with AAA.

2 What IOS command must be issued to start AAA on a Cisco router?
a. aaa old-model
b. aaa model
c. aaa new model
d. aaa new-model
e. aaa new_model

The aaa new-model command starts authentication, authorization and accounting
(AAA). Answers a, b, and c are incorrect because they represent invalid IOS
commands.

3 What algorithm initiates and encrypts a session between two routers and exchanges keys
between two encryption devices?
a. Routing algorithm
b. Diffie-Hellman algorithm
c. The switching engine
d. The stac compression algorithm

When using encryption between two routers, the Diffie-Hellman algorithm is used to
exchange keys. This algorithm initiates the session between two routers and ensures
that it is secure. Answer a is incorrect because the routing algorithm is used for
routing, not for encryption. Answer c is incorrect because a switching engine is used
to switch frames and has nothing to do with encryption. Answer d is incorrect
because the stac compression algorithm is used by PPP; it compresses data on a PPP
WAN link.

4 Can you configure RADIUS and TACACS+ concurrently on a Cisco IOS router?
a. No.
b. Yes, provided you have the same list names applied to the same interfaces.
c. Yes, provided you have different list names applied to the same interfaces.
d. Yes, provided you have different list names applied to different interfaces.

List names and interfaces must be different.

5 How do you enable a RADIUS server to debug messages for Cisco Secure on a UNIX
server?
a. Terminal monitor
b. Edit the configuration file on the router
c. Edit the syslog.conf and csu.cfg files
d. Not possible, as UNIX does not run IOS

You can enable debugging on a UNIX host running Cisco Secure by editing the
syslog.conf and csu.cfg files.

6 What RADIUS attribute is used by vendors and not predefined by RFC 2138?
a. 1
b. 2
c. 3
d. 4
e. 13
f. 26
g. 333
h. 33

Attribute 26 is a vendor-specific attribute. Cisco uses vendor ID 9.

7 RADIUS can support which of the following protocols?
a. PPP
b. OSPF
c. AppleTalk
d. IPX
e. NLSP

RADIUS supports PPP and none of the multiprotocols listed in options b, c, d, or e.

8 When a RADIUS server identifies a wrong password entered by a remote user, what
packet type is sent?
a. Accept-user
b. Reject-users
c. Reject-deny
d. Reject-accept
e. Reject-Error
f. Access-reject

RADIUS sends an access-reject error if the password entered is invalid.

9 Identify the false statement about RADIUS.
a. RADIUS is a defined standard in RFC 2138/2139.
b. RADIUS runs over TCP port 1812.
c. RADIUS runs over UDP port 1812.
d. RADIUS accounting information runs over port 1646.

RADIUS does not deploy TCP.

10 What is the RADIUS key for the following configuration? If this configuration is not valid,
why isn’t it?
aaa authentication login use-radius group radius local
aaa authentication ppp user-radius if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius
radius-server 3.3.3.3
radius-server key IlovemyMum
a. IlovemyMum
b. Ilovemymum
c. This configuration will not work because the command aaa new-model is missing.
d. 3.3.3.3

Because aaa new-model is not configured, this is not a valid configuration and no
requests will be sent to the RADIUS server.

11 What is the RADIUS key for the following configuration?
aaa new-model
aaa authentication login use-radius group radius local
aaa authentication ppp user-radius if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius
radius-server 3.3.3.3
radius-server key IlovemyMum
a. IlovemyMum
b. Ilovemymum
c. This configuration will not work
d. 3.3.3.3

The key is case-sensitive; the IOS command, radius-server key IlovemyMum, defines
the key as IlovemyMum.

12 What versions of TACACS does Cisco IOS support? (Select the best three answers.)
a. TACACS+
b. TACACS
c. Extended TACACS
d. Extended TACACS+

There is no Cisco Extended TACACS+ support.

13 TACACS+ is transported over which TCP port number?
a. 520
b. 23
c. 21
d. 20
e. 49

14 What is the predefined TACACS+ server key for the following configuration?
radius-server host 3.3.3.3
radius-server key CCIEsrock
a. 3.3.3.3
b. Not enough data
c. CCIESROCK
d. CCIEsRock
e. CCIEsrock

The key is case-sensitive and is defined by the IOS command, radius-server key
CCIEsrock.

15 What does the following command accomplish?
tacacs_server host 3.3.3.3
a. Defines the remote TACACS+ server as 3.3.3.3
b. Defines the remote RADIUS server as 3.3.3.3
c. Not a valid IOS command
d. 3.3.3.3
e. Host unknown; no DNS details for 3.3.3.3 provided

The IOS command to define a remote TACACS+ server is tacacs-server host
ip-address.

16 Which of the following protocols does TACACS+ support?
a. PPP
b. AppleTalk
c. NetBIOS
d. All the above

TACACS+ has multiprotocol support for PPP, AppleTalk, NetBIOS and IPX.

17 Kerberos is defined at what layer of the OSI model?
a. Layer 1
b. Layer 2
c. Layer 3
d. Layer 4
e. Layer 5
f. Layer 6
g. Layer 7

Kerberos is an application layer protocol defined at Layer 7 of the OSI model.

18 What definition best describes a key distribution center when Kerberos is applied to a
network?
a. A general term that refers to authentication tickets
b. An authorization level label for Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential
infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a
Kerberos server
e. A Kerberos server and database program running on a network host

The KDC is a server and database program running on a network host.

19 What definition best describes a Kerberos credential?
a. A general term that refers to authentication tickets
b. An authorization level label for Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential
infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a
Kerberos server
e. A Kerberos server and database program running on a network host

A credential is a general term that refers to authentication tickets, such as ticket
granting tickets (TGTs) and service credentials. Kerberos credentials verify the
identity of a user or service. If a network service decides to trust the Kerberos server
that issued a ticket, it can be used in place of retyping a username and password.
Credentials have a default lifespan of eight hours.

20 What definition best describes Kerberized?
a. A general term that refers to authentication tickets
b. An authorization level label for Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential
infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a
Kerberos server
e. A Kerberos server and database program running on a network host

Kerberized refers to applications and services that have been modified to support the
Kerberos credential infrastructure.

21 What definition best describes a Kerberos realm?
a. A general term that refers to authentication tickets
b. An authorization level label for the Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential
infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a
Kerberos server
e. A Kerberos server and database program running on a network host

The Kerberos realm is also used to map a DNS domain to a Kerberos realm.

22 What IOS command enables VPDN in the global configuration mode?
a. vpdn-enable
b. vpdn enable
c. vpdn enable in interface mode
d. Both a and c are correct

To enable VPDN in global configuration mode, the correct IOS command is vpdn
enable.

23 What is the number of bits used with a standard DES encryption key?
a. 56 bits
b. 32 bits; same as IP address
c. 128 bits
d. 256 bits
e. 65,535 bits
f. 168 bits

DES applies a 56-bit key. The documented time taken to discover the 56-bit key is
7 hours on a Pentium III computer, so DES is not a common encryption algorithm
used in today’s networks.

24 What is the number of bits used with a 3DES encryption key?
a. 56 bits
b. 32 bits; same as IP address
c. 128 bits
d. 256 bits
e. 65,535 bits
f. 168 bits

Triple DES (3DES) is today’s standard encryption with a 168-bit key.

25 In IPSec, what encapsulation protocol only encrypts the data and not the IP header?
a. ESP
b. AH
c. MD5
d. HASH
e. Both a and b are correct

ESP only encrypts the data, not the IP header.

26 In IPSec, what encapsulation protocol encrypts the entire IP packet?
a. ESH
b. AH
c. MD5
d. HASH
e. Both a and b are correct

AH encrypts the entire IP packet. The time to live (TTL) is not encrypted because
this value decreases by one (1) every time a router is traversed.

27 Which of the following is AH’s destination IP port?
a. 23
b. 21
c. 50
d. 51
e. 500
f. 444

The AH destination port number is 51.

28 Which of the following is ESP’s destination IP port?
a. 23
b. 21
c. 50
d. 51
e. 500
f. 444

The ESP destination IP port number is 50.

29 Which of the following is not part of IKE phase I negotiations?
a. Authenticating IPSec peers
b. Exchanges keys
c. Establishes IKE security
d. Negotiates SA parameters

IKE phase II negotiates SA parameters.

30 Which of the following is not part of IKE phase II?
a. Negotiates IPSec SA parameters
b. Periodically updates IPSec SAs
c. Rarely updates SAs (at most, once a day)
d. Established IPSec security parameters

IKE phase II updates SAs at periodically-defined intervals.

31 Which is the faster mode in IPSec?
a. Main mode
b. Fast mode
c. Aggressive mode
d. Quick mode

Aggressive mode is faster than Main mode but is less secure. They can both occur
in Phase I. Phase II only has Quick mode. Fast mode does not exist in the IPSec
standard set of security protocols.

32 Certificate Enrollment Process (CEP) runs over what TCP port number? (Choose the best
two answers.)
a. Same as HTTP
b. Port 80
c. Port 50
d. Port 51
e. Port 333
f. Port 444

CEP uses the same port as HTTP, port 80.

Q & A
1 Define the AAA model and a typical application on a Cisco IOS router.
Answer: Authentication, authorization, and accounting (pronounced triple A)
provides security to Cisco IOS routers and network devices beyond the simple user
authentication available on IOS devices.
AAA provides a method to identify which users are logged into a router and each
user’s authority level. AAA also provides the capability to monitor user activity and
provide accounting information.
Typically, AAA is used to authenticate and authorize Cisco IOS commands, and
provides accounting information to the network administrator.

2 Can you allow a remote user authorization before the user is authenticated with AAA?
Answer: Before authorization occurs, the remote user must be authenticated. Cisco
IOS routers allow you to configure AAA authorization, but no access will be
permitted until the remote user is authenticated.

3 What IOS command is required when enabling AAA for the first time?
Answer: aaa new-model must be entered globally before additional IOS commands
are entered.

4 What is the privilege level of the following user? Assume AAA is not configured.
R2>
Answer: The privilege level ranges from 0 to 15 (the higher the level, the more
commands are available). Because the user is not in PRIV exec mode, the default
privilege level for an EXEC user is 1. Only basic show commands are available in
priv level 1.
R2>show priv
Current privilege level is 1

5 Define four possible RADIUS responses when authenticating the user through a RADIUS
server.
Answer: The four possible responses are as follows:
• ACCEPT—The user is authenticated.
• REJECT—The user is not authenticated and is prompted to reenter the
username and password, or access is denied. The RADIUS server sends this
response when the user enters an invalid username/password pairing.
• CHALLENGE—The RADIUS server issues a challenge. The challenge collects
additional data from the user.
• CHANGE PASSWORD—The RADIUS server issues a request asking the user
to select a new password.

6 What are RADIUS attributes? Supply five common examples.
Answer: RADIUS supports a number of predefined attributes that can be exchanged
between client and server, such as the client’s IP address. RADIUS attributes carry
specific details about authentication.
RFC 2138 defines a number of RADIUS predefined attributes.
The following bulleted list provides details of the most common attributes:
• Attribute type 1—Username (defined usernames can be numeric, simple ASCII
characters, or an SMTP address)
• Attribute type 2—Password (defines the password; passwords are encrypted
using MD5)
• Attribute type 3—CHAP Password (only used in access-request packets)
• Attribute type 4—NAS IP address (defines the NAS server’s IP address; only
used in access-request packets)
• Attribute type 5—NAS port (not a UDP port number); indicates the NAS’s
physical port number, which ranges from 0 to 65535
• Attribute type 6—Service-type (type of service requested or type of service to
be provided); for Cisco devices, the Callback service type is not supported
• Attribute type 7—Protocol (defines what framing is required; for example, PPP
is defined when this attribute is set to 1, SLIP is 2)
• Attribute type 8—IP address (defines the IP address to be used by the
remote user)
• Attribute type 9—IP subnet mask (defines the subnet mask to be used by the
remote user)
• Attribute type 10—Routing
• Attribute type 13—Compression
• Attribute type 19—Callback number
• Attribute type 20—Callback ID
• Attribute type 26—Vendor-specific (Cisco [vendor-ID 9] uses one defined
option, vendor type 1, named cisco-avpair)
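The attribute list above (and quiz question 6's vendor-ID 9 point) is easier to hold onto when the bytes are visible. The following is an added example, not code from the page, the book it quotes, or Cisco: a small RADIUS Access-Request encoder and parser following the RFC 2865 wire format (RFC 2138's successor). It hides User-Password (type 2) with the MD5 pad chain the RFC specifies, wraps a Cisco cisco-avpair inside Vendor-Specific (26) with vendor-ID 9 and vendor type 1, and parses the result back with length checks. The shared secret (the page's own sample key), the fixed Request Authenticator, the username, password and avpair text are all constructed sample values.

```python
import hashlib
import struct

# Constants from RFC 2865 (RFC 2138's successor); numbering matches the page.
ACCESS_REQUEST = 1
RADIUS_AUTH_PORT = 1812           # UDP destination port cited in Q&A 7
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SERVICE_TYPE, FRAMED_PROTOCOL, VENDOR_SPECIFIC = 6, 7, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # vendor-ID 9, vendor type 1 (cisco-avpair)

# Constructed sample values (not from any real deployment).
SECRET = b"IlovemyMum"            # the page's own sample radius-server key
AUTHENTICATOR = bytes(range(16))  # fixed for repeatability; real clients use os.urandom(16)


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block
    with MD5(secret + previous ciphertext block), seeded by the Request
    Authenticator. This is the only field RADIUS obscures."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse: same pad chain, keyed on the received blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, pad))
    return out.rstrip(b"\x00")


def attr(atype, value):
    """One TLV attribute: Type(1) Length(1, counts T and L) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping vendor-ID 9, vendor type 1."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_request(ident, username, password, nas_ip, avpair,
                         secret=SECRET, authenticator=AUTHENTICATOR):
    """20-byte header (Code, Identifier, Length, Authenticator) + attributes."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", 2))     # 2 = Framed
             + attr(FRAMED_PROTOCOL, struct.pack("!I", 1))  # 1 = PPP, as the page notes
             + cisco_avpair(avpair))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    """Walk the TLVs after the header, rejecting bad lengths. VSAs are keyed
    by (26, vendor-id, vendor-type) so cisco-avpair is easy to pick out."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    result = {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": {}}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            result["attrs"][(atype, vendor, value[4])] = value[6:4 + value[5]]
        else:
            result["attrs"][atype] = value
        pos += alen
    return result


def demo():
    """Client builds a request; server parses it and recovers the password."""
    pkt = build_access_request(7, "alice", "hunter2", "3.3.3.3", "shell:priv-lvl=15")
    parsed = parse_packet(pkt)
    password = reveal_password(parsed["attrs"][USER_PASSWORD], SECRET, parsed["authenticator"])
    return parsed, password
```

Everything other than the User-Password value (the username, the NAS address, the cisco-avpair) leaves the client as plaintext UDP, which is the basis for the RADIUS-versus-TACACS+ encryption difference discussed later on this page.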

7 What protocols does RADIUS use when sending messages between the server and client?
Answer: RADIUS transports through UDP destination port number 1812.

8 What predefined destination UDP port number is RADIUS accounting information sent to?
Answer: UDP port 1646

9 What does the following command accomplish on a Cisco IOS router?
aaa authentication ppp user-radius if-needed group radius
Answer: The aaa authentication ppp user-radius if-needed group radius command
configures the Cisco IOS software to use RADIUS authentication for lines using PPP
with CHAP or PAP, if the user has not already been authorized. If the EXEC facility
has authenticated the user, RADIUS authentication is not performed. User-radius is
the name of the method list that defines RADIUS as the if-needed authentication
method.

10 What is the RADIUS server IP address and key for the following configuration?
radius-server host 3.3.3.3
radius-server key GuitarsrocKthisplaneT
Answer: The radius-server host command defines the RADIUS server host’s IP
address. The IP address is 3.3.3.3.
The radius-server key command defines the shared secret text string between the
NAS and the RADIUS server host. The key is case-sensitive like all passwords on
Cisco IOS devices, so the key is defined as GuitarsrocKthisplaneT.

11 TACACS+ is transported over what TCP destination port number?
Answer: TCP port 49

12 What information is encrypted between a Cisco router and a TACACS+ server?
Answer: All data communication between TACACS+ devices is encrypted, excluding
the IP header.

13 What are the four possible packet types from a TACACS+ server when a user attempts to
authenticate a Telnet session to a Cisco router configured for AAA, for example?
Answer: The four packet types are as follows:
• ACCEPT—The user is authenticated and service can begin. If the network
access server is configured to require authorization, authorization will begin at
this time.
• REJECT—The user has failed to authenticate. The user can be denied further
access or will be prompted to retry the login sequence, depending on the
TACACS+ daemon.
• ERROR—An error occurred at some time during authentication. This can be
either at the daemon or in the network connection between the daemon and the
NAS. If an ERROR response is received, the network access server typically
tries to use an alternative method for authenticating the user.
• CONTINUE—The user is prompted for additional authentication information.

14 What is the significance of the sequence number in the TACACS+ frame format?
Answer: The sequence number is the number of the current packet flow for the
current session. The sequence number starts with 1 and each subsequent packet will
increment by one. The client only sends odd numbers. TACACS+ servers only send
even numbers.

15 What does the following IOS command accomplish?
aaa authentication ppp default if-needed group tacacs+ local
Answer: The aaa authentication command defines a method list, “default,” to
be used on serial interfaces running PPP. The keyword default means that PPP
authentication is applied by default to all interfaces. The if-needed keyword means
that if the user has already authenticated through the ASCII login procedure, PPP
authentication is not necessary and can be skipped. If authentication is needed, the
keyword group tacacs+ means that authentication will be done through TACACS+.
If TACACS+ returns an ERROR during authentication, the keyword local indicates
that authentication will be attempted using the local database on the NAS.

16 What IOS command defines the remote TACACS+ server?
Answer: To define the TACACS+ server, the IOS command is tacacs-server host
ip-address.

17 What are the major differences between TACACS+ and RADIUS?
Answer: The following are the differences between RADIUS and TACACS+:
Packet delivery:
RADIUS uses UDP.
TACACS+ uses TCP.

Packet encryption:
RADIUS encrypts only the password in the access-request packet, from the client to the server.
TACACS+ encrypts the entire body of the packet, but leaves a standard TACACS+ header.

AAA support:
RADIUS combines authentication and authorization.
TACACS+ uses the AAA architecture, separating authentication, authorization, and accounting.

Multiprotocol support:
RADIUS has none.
TACACS+ supports other protocols, such as AppleTalk, NetBIOS, and IPX.

Router management:
RADIUS does not allow users to control which commands can be executed on a router.
TACACS+ allows network administrators control over which commands can be executed on a router.
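Three of the points above (Q&A 12: everything but the IP header is encrypted; Q&A 14: the odd/even sequence-number rule; Q&A 17: TACACS+ leaves a standard header in the clear) can be checked against real bytes. The following is an added example, not code from the page, the book it quotes, or Cisco: it builds TACACS+ packets with the 12-byte header and the MD5 pseudo-pad body obfuscation described in RFC 8907 (the public specification of the protocol), parses them back, and applies the sequence-number rule. The shared key (the page's sample key), the session id and the body strings are constructed sample values; the bodies are labelled placeholders rather than real authentication-packet encodings.

```python
import hashlib
import struct

VERSION = 0xC0                     # major version 0xC, minor 0
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 1, 2, 3
FLAG_UNENCRYPTED = 0x01            # set only when the body is sent in the clear
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
TACACS_TCP_PORT = 49               # TCP destination port cited in Q&A 11


def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 section 4.5: block 1 = MD5(session_id, key, version, seq_no);
    every later block appends the previous block; concatenate to body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR with the pad; the same call hides and reveals. Only the body is
    covered: the 12-byte TACACS+ header and the IP/TCP headers stay readable,
    which is the 'excluding the IP header' point in Q&A 12."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def build_packet(ptype, seq_no, session_id, body, key, encrypted=True):
    """Header plus (normally obfuscated) body; encrypted=False sets the flag."""
    flags = 0 if encrypted else FLAG_UNENCRYPTED
    payload = obfuscate(body, session_id, key, seq_no) if encrypted else body
    return HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(payload)) + payload


def parse_packet(packet, key):
    """Decode the header, validate version and length, recover the body."""
    if len(packet) < HEADER.size:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if version >> 4 != 0xC:
        raise ValueError("unsupported TACACS+ major version")
    body = packet[HEADER.size:]
    if len(body) != length:
        raise ValueError("length field does not match body")
    cleartext = bool(flags & FLAG_UNENCRYPTED)
    if not cleartext:
        body = obfuscate(body, session_id, key, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "unencrypted": cleartext, "body": body}


def sequence_ok(prev_seq, seq_no, from_client):
    """Q&A 14: the client sends only odd numbers, the server only even ones,
    the first packet of a session is 1, and each packet adds exactly one.
    prev_seq is None before the first packet of the session."""
    if from_client and seq_no % 2 == 0:
        return False
    if not from_client and seq_no % 2 == 1:
        return False
    if prev_seq is None:
        return seq_no == 1
    return seq_no == prev_seq + 1


def demo():
    """One client START and one server REPLY over a constructed session."""
    key, session = b"CCIEsrock", 0x1A2B3C4D   # constructed key and session id
    start = build_packet(TYPE_AUTHEN, 1, session, b"START user=alice", key)
    reply = build_packet(TYPE_AUTHEN, 2, session, b"REPLY getpass", key)
    on_wire = start[HEADER.size:]             # what a capture would show
    return {
        "start": parse_packet(start, key),
        "reply": parse_packet(reply, key),
        "hidden_on_wire": on_wire != b"START user=alice",
        "header_in_clear": start[:HEADER.size] == HEADER.pack(VERSION, TYPE_AUTHEN, 1, 0, session, len(on_wire)),
        "seq_chain": [sequence_ok(None, 1, True), sequence_ok(1, 2, False),
                      sequence_ok(2, 4, True), sequence_ok(2, 3, False)],
    }
```

Two practical uses of the parser: a packet whose unencrypted flag is set on a production NAS points at a missing or mismatched tacacs-server key and is worth alerting on, and a sequence number that breaks the odd/even or plus-one rule indicates a desynchronised or injected session rather than a normal exchange.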

18 Kerberos is a third-party authentication protocol operating at what layer of the OSI
model?
Answer: Kerberos is an application layer protocol, which operates at Layer 7 of the
OSI model.

19 What delivery methods and destination ports does Kerberos support?
Answer: Kerberos supports both TCP and UDP, including the following port
numbers:
• TCP/UDP ports 88, 543, and 749
• TCP ports 754, 2105, and 4444

20 What does the Kerberos realm define?
Answer: A Kerberos realm defines a domain consisting of users, hosts, and network
services that are registered to a Kerberos server. The Kerberos server is trusted to
verify the identity of a user or network service to another user or network service.
Kerberos realms must always be in uppercase characters.

21 Applications that have been modified to support Kerberos credential infrastructures are
known as what?
Answer: Kerberized.

22 Define the two steps required in an L2F connection terminating a PPP connection.
Answer: For L2F, the setup for tunneling a PPP session consists of two steps:
Step 1 Establish a tunnel between the NAS and the Home Gateway
(HWY). The HWY is a Cisco router or access server (for example,
an AS5300) that terminates VPDN tunnels and PPP sessions. This
phase takes place only when no active tunnel exists between both
devices.
Step 2 Establish a session between the NAS and the Home Gateway.

23 Define the two steps for setting up L2TP for tunneling a PPP connection.
Answer: For L2TP, the setup for tunneling a PPP session consists of two steps:
Step 1 Establish a tunnel between the LAC and the LNS. The LAC is an
L2TP access concentrator that acts as one side of the L2TP tunnel
endpoint and has a peer to the L2TP network server or LNS. This
phase takes place only when no active tunnel exists between both
devices.
Step 2 Establish a session between the LAC and the LNS.

24 What are the steps taken for a VPDN connection between a remote user and a
remote LAN?
Answer: A VPDN connection between a remote user (router or via PSTN) and the
remote LAN is accomplished in the following steps:
Step 1 The remote user initiates a PPP connection to the ISP using the
analog telephone system or ISDN.
Step 2 The ISP network access server accepts the connection.
Step 3 The ISP network access server authenticates the end user with CHAP or
PAP. The username determines whether the user is a VPDN client. If the user
is not a VPDN client, the client accesses the Internet or other contacted
service.
Step 4 The tunnel endpoints—the NAS and the home gateway—authenticate each
other before any sessions are attempted within a tunnel.
Step 5 If no L2F tunnel exists between the NAS and the remote user’s home
gateway, a tunnel is created. Once the tunnel exists, an unused slot within
the tunnel is allocated.
Step 6 The home gateway accepts or rejects the connection. Initial setup can
include authentication information required to allow the home gateway to
authenticate the user.
Step 7 The home gateway sets up a virtual interface. Link-level frames can now
pass through this virtual interface through the L2F or L2TP tunnel.

25 What are the three most common threats from intruders that network administrators face?
Answer: The most common attacks are as follows:
• Packet snooping (also known as eavesdropping)—When intruders capture and
decode traffic obtaining usernames, passwords, and sensitive data, such as
salary increases for the year.
• Theft of data—When intruders use sniffers, for example, to capture data over
the network and steal that information for later use.
• Impersonation—When an intruder assumes the role of a legitimate device but,
in fact, is not legitimate.

26 What does the Digital Signature Standard provide?
Answer: DSS is a mechanism that protects data from an undetected change while
traversing the network. DSS verifies the identity of the person sending the data just
as you verify your license signature to the bank manager.

27 What is a hash in encryption terminology?
Answer: A hash is defined as the one-way mathematical summary of a message
(data) such that the hash value cannot be easily reconstructed back into the original
message.

28 Name the two modes of operation in IPSec and their characteristics.
Answer: The two modes are transport and tunnel mode.
• Transport mode—Protects payload of the original IP datagram; typically used
for end-to-end sessions.
• Tunnel Mode—Protects the entire IP datagram by encapsulating the entire
datagram in a new IP datagram.

29 What does IKE accomplish?
Answer: IKE negotiates and provides authenticated keys in a secure manner. IKE
was developed by the company previously known as ISAKMP Oakley Key
Resolution.

30 Certificate Enrollment Protocol is transported over what TCP port?
Answer: CEP is transported over TCP port 80 (same as HTTP).
