642-552 SND practice questions

WebmasterWebmaster Admin Posts: 10,292 Admin
This is not a question of the day thing, consider them beta as long as I haven't moved them to our test engine yet.

Here's the first one:

1. Which of the following commands configure a router to send syslog messages with a severity of 3 and lower to a syslog server with the IP address 192.168.220.40?

a. Router(config)# logging on 192.168.220.40
Router(config)# logging trap warnings

b. Router(config)# logging on
Router(config)# syslog 192.168.220.40
Router(config)# logging trap errors

c. Router(config)# logging 192.168.220.40
Router(config)# logging trap errors

d. Router(config)# syslog 192.168.220.40
Router(config)# logging trap warnings

I'll post the answer and the next question tomorrow.

Comments

  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Answer: C

    Explanation: Syslog messages have a severity level ranging from 0 to 7, where 0 is the most severe. When you log to the console, all events (up to level 7) are logged, and when you log to a syslog server, events up to level 6 are logged. The following table shows the severity levels and their names:
    Level  Level name     Description
    0      Emergencies    Router unusable
    1      Alerts         Immediate action needed
    2      Critical       Critical conditions
    3      Errors         Error conditions
    4      Warnings       Warning conditions
    5      Notifications  Normal but important conditions
    6      Informational  Informational messages
    7      Debugging      Debugging messages
    

    Higher level events, thus less critical, are not always interesting and logging them all may use up too many system and network resources. When you configure syslogging, you can specify the severity level. The default is informational (level 6), which means level 7 debugging messages are ignored. Use the following commands to configure a router to use syslogging to send messages to a central syslog server.

    Enable logging to syslog server:
    Router(config)# logging ip address

    Configure the severity level for syslog messages:
    Router(config)# logging trap level
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Question nr. 2

    You are the network administrator at a small company. You just used AutoSecure to configure a router. Which of the following commands should you use to change the minimum password length to 8 characters?

    a. security passwords min-length 8
    b. passwords min-length 8
    c. auto secure passwords-length 8
    d. security passwords length 8
    e. None of the above, AutoSecure configures the minimum password length of 8 by default.

    Answer + Explanation + new question tomorrow...
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Answer: A

    Explanation: AutoSecure configures a minimum password length of six characters. This affects user passwords, enable passwords and secrets, and line passwords. The minimum length can be increased by using the following command in global config mode:
    Router(config)# security passwords min-length length
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    3. Which of the following features can be configured during the forwarding plane portion of AutoSecure?

    a. ICMP redirects
    b. SSH and SCP
    c. Maintenance Operations Protocol (MOP)
    d. Unicast Reverse Path Forwarding (uRPF)

    Anyone? ;)
  • determinedgermandeterminedgerman Member Posts: 168
    Well Johan,

    Next time you might want to specify that you want someone to answer those questions...LOL!

    Anyway...I will take a shot at it......

    My answer would be A but I am not sure on this. I researched it a little and maybe I am reading the question wrong but it could be both answers.

    ENLIGHTEN ME

    Cisco AutoSecure-Configuring Interface Specific Services - IP Redirect

    -An ICMP redirect message instructs hosts on a network to use a specific router as its path to a particular destination. In a properly functioning IP network, a router will send redirects only to hosts on its own local subnets, no host will ever send a redirect, and no redirect will ever be sent more than one network hop away. These messages are useful for diagnosis. An attacker may use this as a method to map the network.

    -It can be beneficial to filter out incoming ICMP redirects messages at the input interfaces of any router that lies at an untrusted border. For better security, disable these messages at all interfaces.

    -Cisco AutoSecure disables IP redirects on each interface using the no ip redirect interface configuration command.

    Cisco AutoSecure-Configuring Ingress Filtering - Unicast RPF

    -Unicast Reverse Path Forwarding (RPF) is an input function on an interface that can be set to check if the source address is reachable by the interface that received it, or is reachable by any interface. Unicast RPF is a defense against spoofing and DoS attacks.

    -Unicast RPF depends on Cisco Express Forwarding. If the router does not support Cisco Express Forwarding, then you cannot use Unicast RPF. Unicast RPF is best suited for routers that act as a boundary between two networks (i.e. filtering edge router between a LAN and the Internet). When used properly, it can provide a better performance than an access list for ingress and egress filtering.
    -Cisco AutoSecure automatically configures strict Unicast RPF if the router platform supports this function. It configures all interfaces connected to the Internet by using the ip verify source reachable-via interface command. This helps drop any source-spoofed packets.
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Yes, thank you, that is the general idea of these questions, it's no fun if I have to answer them all myself ;), and mainly to catch mistakes before I add them to our test engine. Which is the case with this one, you are not reading it wrong, I wrote it wrong. I reworded this one right before posting, which I shouldn't have done. The question should read:

    Which of the following features can be configured during the forwarding plane portion of AutoSecure?

    www.techexams.net/technotes/ccsp/SND_642-551/autosecure.shtml
  • determinedgermandeterminedgerman Member Posts: 168
    There ya go......keep them coming Johan...keep them coming.....!
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Ok so, the answer was D. The others can be configured/disabled during the management plane portion.

    Explanation: Unicast Reverse Path Forwarding (uRPF) can be configured during the forwarding plane portion of AutoSecure to help mitigate spoofing attacks. uRPF blocks all IP packets that don’t have a verifiable IP source address. ICMP redirects and MOP are disabled for each interface, and if available, SSH and SCP are enabled for secure access and file transport, during the management plane portion of AutoSecure.

    New one coming up!
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    4. Which of the following best describes a structured threat?

    a. A student using an automatic scanning tool to find known vulnerabilities.
    b. A disgruntled employee abusing his access privileges to destroy company data.
    c. A worm terrorizing the Internet creating a DoS situation for internal users.
    d. A hacker is hired by a competitor to gain unauthorized access and steal company secrets.

    Take your best shot, and feel free to join in even if you are not studying for this exam.
  • determinedgermandeterminedgerman Member Posts: 168
    Answer: D

    Cisco's SAFE Implementation categorizes external threats as structured or unstructured. "Structure," in this context, refers to the degree of organization and planning, or the amount of method applied in the attack, as opposed to haphazard efforts that might seem almost random to an observer. Note that both structured and unstructured threats can be malicious in intent or can be the result of human clumsiness or error.



    GO GERMANY

    GO ORANJE
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Answer D indeed.

    Explanation: Structured threats refer to skilled hackers who have the motivation, the tools and the skills to write new tools, the technical knowledge, and a reason to attack a network. Common reasons are money, recognition, and hate. Unstructured refers to unskilled attackers, the “script kiddies”, who usually do not have a lot of resources nor knowledge about the target, nor advanced hacking skills, but can be disastrous nevertheless. Especially when they play with the tools written by more knowledgeable hackers.
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Here's the next one:

    5. Which of the following security configuration tasks does AutoSecure perform to mitigate spoofing attacks? (Choose all that apply)

    a. Denies all IANA reserved IP address blocks
    b. Denies RFC 1918 private IP address blocks
    c. Enables Unicast Reverse Path Forwarding (uRPF)
    d. Denies multicast, class-E addresses as the source address
    e. Disables IP directed broadcasts on all interfaces
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Answers: A, B, C, and D

    Explanation: Cisco AutoSecure builds the following three extended-named ACLs for ingress filtering (anti-spoofing):
    - autosec_iana_reserved_block – Denies all IANA reserved IP address blocks.
    - autosec_private_block – Denies RFC 1918 private IP address blocks.
    - autosec_complete_block – Denies multicast, class-E, and other reserved IP addresses prohibited for source address
    Although the Cisco AutoSecure user interface refers to the third ACL as "autosec_complete_block", in reality, the router creates it as "autosec_complete_bogon".

    uRPF blocks all IP packets that don’t have a verifiable IP source address. Disabling IP directed broadcasts does not necessarily prevent spoofing attack but is essential to prevent Smurf DoS attacks.
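
    The ingress checks described in this answer, modelled as an added example that is not part of the original thread: a source-block ACL followed by a strict uRPF check. The routing table, interface names and function names are constructed for illustration, and the IANA-reserved list is left out.

```python
import ipaddress

# Source blocks named in the answer: RFC 1918 private, multicast, class E.
# The IANA-reserved list changes over time and is left out of this sketch.
DENIED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]

# Constructed routing table (documentation prefixes): prefix -> interface.
ROUTES = [(ipaddress.ip_network(p), i) for p, i in (
    ("203.0.113.0/24", "Serial0/0"),         # reached via the outside link
    ("198.51.100.0/24", "FastEthernet0/0"),  # inside LAN
)]

def best_route(addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    matches = [(net.prefixlen, ifc) for net, ifc in ROUTES if addr in net]
    return max(matches)[1] if matches else None

def ingress_verdict(src, in_ifc, outside=True):
    """Decide what happens to a packet with source `src` arriving on `in_ifc`."""
    addr = ipaddress.ip_address(src)
    # Step 1: the anti-spoofing ACLs on an outside interface.
    if outside and any(addr in net for net in DENIED_SOURCES):
        return "drop: ACL"
    # Step 2: strict uRPF - the best route back to the source must point
    # out of the interface the packet arrived on.
    if best_route(addr) != in_ifc:
        return "drop: uRPF"
    return "forward"

if __name__ == "__main__":
    for src in ("203.0.113.9", "10.1.1.1", "240.0.0.1",
                "198.51.100.7", "192.0.2.5"):
        print(src, "->", ingress_verdict(src, "Serial0/0"))
```

    The 198.51.100.7 case is the one the ACLs alone miss: an inside address arriving on the outside interface passes the deny lists and is caught only by uRPF.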
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    The following may be a bit on the easy side, but essential info nevertheless:

    6. Which of the following commands disables the auxiliary port on a Cisco IOS router?

    a. Router(config-line)# no exec
    b. Router(config-line)# no login
    c. Router(config)# no aux
    d. Router(config)# no line aux 0
  • usman_ausman_a Member Posts: 11 ■□□□□□□□□□
    a. Router(config-line)# no exec

    Webmaster wrote:
    The following may be a bit on the easy side, but essential info nevertheless:

    6. Which of the following commands disables the auxiliary port on a Cisco IOS router?

    a. Router(config-line)# no exec
    b. Router(config-line)# no login
    c. Router(config)# no aux
    d. Router(config)# no line aux 0
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Didn't realize I didn't post the answer yet...

    Yes, answer a is correct.

    Explanation: Configuring the no exec in line configuration mode for the AUX port (line aux 0) disables it entirely. You can also disable access to any line (TTY or VTY) by configuring it with the login and no password commands. This is the default configuration for VTYs (i.e. telnet) but not TTYs (i.e. AUX and console ports). Cisco recommends disabling any unused port.
  • usman_ausman_a Member Posts: 11 ■□□□□□□□□□
    Woohoo - uzi does his lil uzi woohoo dance... :P :D
    Webmaster wrote:
    Didn't realize I didn't post the answer yet...

    Yes, answer a is correct.

    Explanation: Configuring the no exec in line configuration mode for the AUX port (line aux 0) disables it entirely. You can also disable access to any line (TTY or VTY) by configuring it with the login and no password commands. This is the default configuration for VTYs (i.e. telnet) but not TTYs (i.e. AUX and console ports). Cisco recommends disabling any unused port.
  • mdangmdang Member Posts: 1 ■□□□□□□□□□
    Hi,

    I really enjoy reading questions and answers. Please post more here.

    Thanks.
  • theevilmuffintheevilmuffin Member Posts: 11 ■□□□□□□□□□
    mdang wrote:
    Hi,

    I really enjoy reading questions and answers. Please post more here.

    Thanks.

    Same here!
  • rocket arenarocket arena Member Posts: 3 ■□□□□□□□□□
    hey what is that test engine that you mentioned? is it in this web page?
    "who are the patriots... and la li lu le lo"
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Hi,

    Yes, I was referring to our own online test engine. When I don't write a set at once I sometimes post them in the forums and then add them, per 10, to our test engine. For a complete list of our practice exams:

    www.techexams.net/pexams.php

    That list doesn't include an exam with the above questions though. I was preparing for this exam around the time I wrote the above questions (and on the TechNotes in the other Sticky), but for several reasons I stopped. But, these questions are written for the 551, not the 552 exam. I'm guessing they still all apply, but, the exam objectives changed. So, what I'll do is go over these questions, the TechNotes, and write about 20 more very soon, and get this topic started again.

    Thanks,
    Johan
  • theevilmuffintheevilmuffin Member Posts: 11 ■□□□□□□□□□
    Looking forward to it! :D
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Ok, I've written enough now to keep this topic going for a while (1 question per day, 7 days a week). The first one is a bit easy, though the others aren't very hard either. I keep hearing the actual exam is also easy, but regardless, the exam objectives are quite clear and especially for a smaller set it's not hard for me to write questions that are at least relevant for the exam.

    7. You are the network administrator for a small company with six Cisco routers. Your manager instructed you to lock down the routers by requiring strong passwords. You need to configure the routers to require a minimum length of 6 for all passwords and to lock access after 3 failed logon attempts. Which of the following commands produce the desired results? (Choose all that apply)

    a. security authentication 3 6 0
    b. security authentication failure rate 3
    c. security password min-length 6
    d. security passwords length min 6
    e. security authentication fail-rate 3
    f. security logon max 3


    I'll post the answer, explanation, and corresponding exam objective somewhere within the next 24 hours.

    To follow determinedgerman's advice: I hereby specify that I would like people to post the answer to these questions :D Oh, and that doesn't include you Cisco gurus who already passed this exam or knew the answer before looking at them. ;)
  • pr3d4t0rpr3d4t0r Member Posts: 173
    B,C for question 7
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Yep, the correct answers are b and c.


    Question 7 Answer and Explanation:

    Answer: b, c

    Explanation: A common method for malicious individuals to discover passwords is by brute force dictionary attack. This means the attacker will try a huge list of passwords one by one until he successfully logs on. In reality he will use a small application to do the work for him. By requiring a minimum length of 6 characters for all passwords, the possible number of different passwords is so large, it becomes unfeasible for the attacker to ‘guess’ the password. It is of course essential to choose passwords that are not on a list of real words or names.

    You can configure the minimum password length by using the following command:
    security password min-length x

    To enforce the effects of the minimum required password length, you should also set the maximum failed logon attempts. With only 3 attempts and a password of minimal 6 characters, the attacker will have more chances of winning a lottery than guessing a strong password.

    To set the maximum number of logon attempts, use the following command:
    security authentication failure rate 3

    Exam Objective: Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements


    Next question coming up...
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    8. You are the security administrator for a legal company with a Cisco network connecting the main office with several branch offices over the Internet and leased lines. You are in the fortunate position of buying the latest Cisco equipment to implement a network-wide security solution according to Cisco’s Self Defending Network strategy. You already implemented multiple firewalls, VPNs, host and network IPS, the new Cisco Incident Control System and hardened the configuration on all Cisco and non-Cisco systems. You even implemented backup links for network connections, installed UPS systems and provided for proper ventilation and climate control in server rooms and wire closets.

    After feeling relatively ‘secure’ for a couple of weeks, you receive a message from the network admin informing you an entire segment with several servers at one of the branch offices is down. You, the network admin, and even users at the branch office cannot connect.

    Which of the following is most likely the cause for the network problems?

    a. A DDoS attack from the Internet
    b. A virus or worm outbreak
    c. The IPS is saturating the network
    d. Incomprehensive perimeter control

    Answer and explanation, and next question within 24 hours....
  • pr3d4t0rpr3d4t0r Member Posts: 173
    I think the answer is A
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    pr3d4t0r wrote:
    I think the answer is A
    The answer is actually D. It's a bit tricky but it was meant that way because it would be too easy otherwise. The point is to realize how easily physical security and internal incidents are overlooked while they are so common.

    Question 8 answer: d

    Explanation: Most security incidents are a result of an ‘internal’ breakdown in security. Additionally, while the need for security systems such as firewalls, VPNs, AV etc. is becoming more common in virtually all networks, physical security still has a long way to go. It is quite common to implement expensive security appliances but leave server rooms and wire closets unprotected or unlocked. In the above scenario, someone may have unplugged the power cable of a switch or simply turned it off. It doesn’t even matter whether this happened on purpose or not. Comprehensive perimeter control could prevent such incidents by keeping malicious individuals out, and could be used to log access to critical areas.

    Answer c. is nonsense. Answer a and b describe very common incidents, but with the firewalls, VPNs, IPS and the Cisco’s Incident Control System (allows rapid coordinated network-wide response to viruses and worms to prevent outbreaks) they would not likely bring down an entire network and in this case are more unlikely than a physical internal incident.

    Exam Objective: Describe and mitigate the common threats to the physical installation

    Next one in a bit...
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    [Edited question nr for above question and answer]

    Ok, here's the next one (as always, read carefully):

    9. You want to enable SSH for secured management access on all of the routers in your company. Which of the following steps are required when you use the CLI to configure SSH on the Cisco routers? (Choose 2)

    a. Use the crypto key generate rsa command to generate a key for SSH
    b. Configure SSH timeout and authentication retries
    c. Ensure each router is configured with a host name and a domain
    d. Use the transport input ssh command on the vty lines.


    Answer and new question tomorrow. Good luck!
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Correct answers question 9: a, c.

    Explanation: Each router must be configured with a host name and domain for SSH to work. The host name must also be different than the default host name for the device (for example, not: Router).

    Just as you use the crypto key generate rsa command to enable the SSH server on the routers, you can remove the key to disable SSH. This can be done by using the crypto key zeroize rsa command.

    The routers must also have an IOS edition and version installed that supports running an SSH server on the router, and a username and password must be available (configured in global config mode or through AAA). Other optional steps include setting the version (if version 2 is available).

    Answer b and d, configuring SSH timeout and authentication retries is actually optional, and although it would be wise to allow SSH connections ‘only’ by using the transport input ssh command, it’s not actually a requirement for enabling SSH.

    References: Configuring Secure Shell on Routers and Switches Running Cisco IOS

    Secure Shell Version 1 Support

    Exam Objective: Use CLI to configure SSH on Cisco routers to enable secured management access

    New question later today...
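
    The settings covered by the answers to questions 1, 2, 6, 7 and 9, checked against a saved configuration. This is an added example, not part of the original thread; the function names, the thresholds and the sample configuration are constructed for illustration.

```python
import re

# Severity names accepted by "logging trap", in the order of the table above.
LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
          "notifications", "informational", "debugging"]

def parse(config):
    """Return (global lines, {section header: [indented child lines]})."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections

def audit(config, min_len=8, max_fail=3):
    """Check a config for the settings discussed in the thread.
    min_len and max_fail are policy assumptions, not IOS defaults.
    The RSA key is not stored in the config, so it cannot be checked here."""
    top, sections = parse(config)
    def find(pattern):
        return next((m for m in (re.fullmatch(pattern, l) for l in top) if m), None)
    out = []
    if not find(r"logging (?:host )?\d+\.\d+\.\d+\.\d+"):
        out.append("no syslog server")
    trap = find(r"logging trap (\w+)")
    name = trap.group(1) if trap else "informational"  # default per the thread
    level = int(name) if name.isdigit() else LEVELS.index(name)
    m = find(r"security passwords min-length (\d+)")
    if not m or int(m.group(1)) < min_len:
        out.append("minimum password length below %d" % min_len)
    m = find(r"security authentication failure rate (\d+)(?: log)?")
    if not m or int(m.group(1)) > max_fail:
        out.append("login failure rate not limited to %d" % max_fail)
    if "no exec" not in sections.get("line aux 0", []):
        out.append("AUX port accepts EXEC sessions")
    m = find(r"hostname (\S+)")
    if not m or m.group(1) == "Router" or not find(r"ip domain[- ]name \S+"):
        out.append("SSH prerequisites missing (host name / domain)")
    for header, body in sections.items():
        if header.startswith("line vty") and "transport input ssh" not in body:
            out.append(header + " allows non-SSH transport")
    return {"trap_level": level, "findings": out}

# Constructed sample: a router that only has a syslog server configured.
WEAK = """\
hostname Router
logging 192.168.220.40
line aux 0
line vty 0 4
 login
 transport input telnet ssh
"""

if __name__ == "__main__":
    print(audit(WEAK))
```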