Last Updated on September 19, 2021 by Admin 3

300-735 : Automating Cisco Security Solutions (SAUTO) : Part 12

  1. Which of the following facilitates the use of one authentication framework for connecting to both wired and wireless devices on a Cisco Unified Wireless Network? (Select the best answer.)

    • ACS
    • CSA
    • CTA
    • SSC
    Explanation:
    Cisco Secure Services Client (SSC) is client security software that facilitates the use of one authentication framework for connecting to both wired and wireless devices on a Cisco Unified Wireless Network. SSC makes use of the Extensible Authentication Protocol (EAP), Wi-Fi Protected Access (WPA), and WPA2 standards to control network access and enforce security policies for clients using Microsoft Windows platforms.
    Cisco Secure Access Control System (ACS) is an Authentication, Authorization, and Accounting (AAA) server that uses Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) to provide AAA services for users, hosts, and network infrastructure devices such as switches and routers. ACS is typically implemented in a cluster configuration. An ACS deployment typically consists of a primary server responsible for configuration, authentication, and policy enforcement and one or more secondary servers serving as a backup in case the primary server fails. In large-scale deployments, the primary server’s function is typically relegated to configuration and synchronization services, whereas the secondary servers provide AAA services to the network clients.
    Cisco Trust Agent (CTA) is responsible for ascertaining the status of security applications and management tools that are installed on a client. As client software, CTA communicates host posture information back to a network access device on a Cisco Network Admission Control (NAC) framework. NAC is a Cisco feature that prevents hosts from accessing the network if they do not comply with organizational requirements, such as containing an updated antivirus definition file. When NAC is configured on an access device, such as a router or switch, the NAC device intercepts connections from hosts that are not yet registered on the network. When a host attempts to connect to the network, the access device queries the CTA running on the host for the host’s security status. The access device then sends this information to the ACS, which determines whether the host is in compliance with organizational security policies. If the host is in compliance, it is allowed to access the network; if the host is not in compliance, it can be denied access, quarantined, or allowed limited network access.
    Cisco Security Agent (CSA) is a Host-based Intrusion Prevention System (HIPS) that can be installed on host computers, servers, and point-of-sale (POS) computers. CSA can help protect these devices from malicious network traffic, such as zero-day attacks. In addition, CSA can provide local firewall services, antivirus services, and security policy enforcement. CSA does not facilitate the use of one authentication framework for connecting to both wired and wireless devices on a Cisco Unified Wireless Network.
  2. An outside host has established an SSH connection with an inside host. Both hosts have sent and received data over the SSH session.

    Which of the following lines of output from the show conn command best represents the state of the connection in this scenario? (Select the best answer.)

    • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB
    • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA
    • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB
    • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A
    • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U
    • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIOB
    Explanation:
    The following line of output from the show conn command on a Cisco Adaptive Security Appliance (ASA) best represents the state of a Secure Shell (SSH) connection that has been established and on which both hosts have sent and received data:
    TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIOB
    The output of the show conn command uses connection flags to indicate the status of each entry in the ASA connection database. The connection database is used by the stateful firewall feature of the ASA to track the state of each network connection that passes through it. The flags that an ASA uses to track a connection entry are dependent on the interface that initiated the connection. Typically, each connection entry has corresponding inside and outside interfaces. In terms of the connection database, the inside interface for the entry is the interface with the higher security level, whereas the outside interface for the entry is the interface with the lower security level. In addition, a data flow from the inside interface to the outside interface is considered to be moving in the outbound direction and a data flow from the outside interface to the inside interface is considered to be moving in the inbound direction.
    When an ASA receives the first packet from a Transmission Control Protocol (TCP) connection, it creates an entry in the connection database. The ASA immediately adds the B flag to the entry if the connection was initiated from the outside. The ASA then uses various flags to indicate the progress of the TCP three-way handshake. For example, if a connection is initiated from the inside, the ASA will add the saA flags to the entry, as shown in the following command output:
    TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA
    The s flag indicates that the ASA is awaiting a SYN segment from the outside host, and the a flag indicates that the ASA is waiting for an ACK response segment to the SYN that was initiated from the inside host. When the corresponding SYN/ACK segment is received from the outside host, it will satisfy both of these flags and the ASA will clear the flags from the entry, as shown in the following command output:
    TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A
    The remaining A flag indicates that the ASA is awaiting an ACK segment from the inside host. When the host on the inside responds to the SYN/ACK segment with the corresponding ACK segment, the ASA will clear the A flag and will mark the connection with the U flag, as shown in the following command output:
    TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U
    The U flag indicates that the three-way handshake is complete and that the TCP session is established. Once the TCP session is established, the hosts can begin to exchange data. In this example, the inside host has established an SSH session to an outside server. When the outside server sends data to the inside host, the ASA will add the I flag to the entry to indicate that data has passed through the session in the inbound direction. Likewise, the ASA will add the O flag to the entry to indicate that data has passed through the session in the outbound direction. Thus a normal TCP session should have flags similar to those shown in the following command output:
    TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO
    By contrast, if the connection were initiated from the outside, the ASA would have added the SaAB flags to the entry, as shown in the following command output:
    TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB
    The S flag indicates that the ASA is awaiting a SYN segment from the inside host, and the A flag indicates that the ASA is waiting for an ACK response segment to the SYN that was initiated from the outside host. When the corresponding SYN/ACK segment is received from the inside host, it will satisfy both of these flags and the ASA will clear the flags from the entry, as shown in the following command output:
    TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB
    The remaining a flag indicates that the ASA is awaiting an ACK segment from the outside host. When the host on the outside responds to the SYN/ACK segment with the corresponding ACK segment, the ASA will clear the a flag and will mark the connection with
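The flag walk-through above can be applied to captured show conn output programmatically. The following Python parser is an added example, not part of the original page or of any Cisco tooling: it decodes only the flags the explanation covers (B, S, s, A, a, U, I, O), reports any other flag as undecoded, and its function and class names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Flags covered by the explanation above; real ASA output has more.
FLAG_MEANINGS = {
    "B": "connection initiated from the outside",
    "S": "awaiting SYN from the inside host",
    "s": "awaiting SYN from the outside host",
    "A": "awaiting ACK from the inside host",
    "a": "awaiting ACK from the outside host",
    "U": "three-way handshake complete",
    "I": "data passed in the inbound direction",
    "O": "data passed in the outbound direction",
}
HANDSHAKE_FLAGS = "SsAa"

# Matches the line layout quoted on this page; a comma after the second
# address is tolerated because some captures include one.
CONN_RE = re.compile(
    r"^\s*TCP\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):(?P<p1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+):(?P<p2>\d+),?\s+"
    r"idle\s+(?P<idle>[\d:]+),\s+bytes\s+(?P<bytes>\d+),\s+"
    r"flags\s+(?P<flags>[A-Za-z]+)\s*$"
)


@dataclass
class ConnState:
    initiator: str        # "inside" or "outside" (outside when B is set)
    stage: str            # "established", "handshake" or "other"
    awaiting: list        # pending handshake steps, in flag order
    inbound_data: bool    # I flag present
    outbound_data: bool   # O flag present
    undecoded: list       # flags this example does not interpret


@dataclass
class Conn:
    endpoints: dict       # interface name -> (ip, port)
    idle: str
    byte_count: int
    flags: str
    state: ConnState


def classify(flags: str) -> ConnState:
    """Translate a flag string into initiator, handshake stage and data direction."""
    awaiting = [FLAG_MEANINGS[f] for f in flags if f in HANDSHAKE_FLAGS]
    if "U" in flags:
        stage = "established"
    elif awaiting:
        stage = "handshake"
    else:
        stage = "other"
    return ConnState(
        initiator="outside" if "B" in flags else "inside",
        stage=stage,
        awaiting=awaiting,
        inbound_data="I" in flags,
        outbound_data="O" in flags,
        undecoded=[f for f in flags if f not in FLAG_MEANINGS],
    )


def parse_conn(line: str):
    """Parse one TCP line of show conn output; return None if it does not match."""
    m = CONN_RE.match(line)
    if m is None:
        return None
    return Conn(
        endpoints={
            m["if1"]: (m["ip1"], int(m["p1"])),
            m["if2"]: (m["ip2"], int(m["p2"])),
        },
        idle=m["idle"],
        byte_count=int(m["bytes"]),
        flags=m["flags"],
        state=classify(m["flags"]),
    )


def outside_initiated_with_two_way_data(lines):
    """Entries opened from the outside that are established and carried data both ways."""
    hits = []
    for line in lines:
        conn = parse_conn(line)
        if conn is None:
            continue
        s = conn.state
        if (s.initiator == "outside" and s.stage == "established"
                and s.inbound_data and s.outbound_data):
            hits.append(conn)
    return hits


# The six answer choices from the question, used as sample input.
SAMPLE = [
    "TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags " + f
    for f in ("SaAB", "saA", "aB", "A", "U", "UIOB")
]

if __name__ == "__main__":
    for entry in SAMPLE:
        c = parse_conn(entry)
        print(c.flags, c.state.initiator, c.state.stage, c.state.awaiting)
```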
  3. Which of the following is a term used to describe a network of tools that are used to gather information about attack methods that are used by malicious users? (Select the best answer.)

    • botnet
    • honeynet
    • honeypot
    • sinkhole
    • black hole
    Explanation:
    A honeynet is a network of honeypots. A honeypot is a tool used to gather information about the attack methods used by malicious users. Honeypots, which can be composed of hardware or virtual assets, contain seemingly valuable information designed to attract malicious activities. By attracting malicious users to honeypots, administrators can analyze the methods and tools used in an attack and then use that information to protect legitimate resources.
    A botnet is a network of compromised computers, known as zombies, which can be used to send spam as well as perform Distributed Denial of Service (DDoS) attacks and Denial of Service (DoS) attacks. In addition, zombies can collect personally identifiable information (PII), such as account login information and bank account information. Zombies are controlled remotely by malicious users without the knowledge of the computer’s owner. A host can become a zombie by executing a virus or by using an operating system (OS) that does not contain the latest updates.
    A black hole is a traffic-filtering destination used to mitigate network-based attacks originating from a known host address or range of addresses. With blackhole traffic filtering, all traffic from an address or range of addresses is considered malicious and is routed to a black hole, typically the null interface of a router. Packets routed to the null interface are discarded without further processing by the router.
    Similarly, a sinkhole is a traffic-filtering destination used to mitigate network-based attacks. With sinkhole traffic filtering, all traffic from an address or range of addresses is considered suspicious and is routed to a sinkhole, which is a device that can capture the traffic and analyze it before determining whether the traffic should be discarded.
  4. Which of the following most accurately describes transparent mode tunneling? (Select the best answer.)

    • It enables traffic to exit the same interface through which it entered.
    • It enables traffic to flow between interfaces that share the same security level.
    • It enables a VPN tunnel to form through a firewall or NAT device.
    • It enables a VPN tunnel to determine which traffic flows should be encrypted.
    Explanation:
    Transparent mode on a Cisco Adaptive Security Appliance (ASA) enables a virtual private network (VPN) tunnel to form through a firewall or Network Address Translation (NAT) device. When transparent tunneling is enabled on a VPN client, encrypted packets are encapsulated in Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets prior to transmission through the firewall or NAT device.
    Hairpinning enables ASA traffic to exit the same interface through which it entered. The same-security-traffic permit intra-interface command enables hairpinning. By default, an ASA does not allow packets to enter and exit through the same physical interface. However, because multiple logical virtual LANs (VLANs) can be assigned to the same physical interface, it is sometimes necessary to allow a packet to enter and exit through the same interface. The same-security-traffic permit intra-interface command allows packets to be sent and received from the same interface even if the traffic is protected by IP Security (IPSec) security policies. Another scenario for which you would need to use the same-security-traffic permit intra-interface command is if multiple users need to connect via VPN through the same physical interface. These users will not be able to communicate with one another unless the same-security-traffic permit intra-interface command has been issued from global configuration mode.
    Likewise, the same-security-traffic permit inter-interface command enables traffic to flow between interfaces that share the same security level. Typically, interfaces with the same security level are not allowed to communicate.
    Split tunneling enables a VPN tunnel to determine which traffic flows should be encrypted. Without split tunneling, all traffic that passes through a remote VPN router is encrypted and forwarded through a tunnel to the VPN server, which is an inefficient use of the bandwidth and processing power of the VPN server and the remote VPN router. Traffic that is destined for the Internet or another unprotected network does not need to be encrypted or forwarded to the VPN server. Split tunneling uses an access control list (ACL) to determine which traffic flows are permitted to pass through the encrypted tunnel. Traffic destined for a protected network at the VPN server site is encrypted and allowed to pass through the tunnel, whereas all other traffic is processed normally. This method reduces both the processing load on the router and the amount of traffic that passes through the encrypted tunnel. Split tunneling can also be applied to traffic from remote access VPN clients.
  5. Which of the following would you most likely configure on a host to alert you about possible attacks without filtering traffic? (Select the best answer.)

    • a botnet
    • a honeypot
    • a personal firewall
    • a HIDS
    Explanation:
    Most likely, you would configure a Host-based Intrusion Detection System (HIDS) to alert you about possible attacks without taking action to protect the system. A HIDS is a software or hardware-based system that detects intrusions by monitoring system activity, such as resource usage. By monitoring and auditing activity on the host, the HIDS can detect anomalies associated with an intrusion and can issue an alert. Although a HIDS could alert you about incoming traffic, it would not be able to filter that traffic.
    You could configure a personal firewall to block incoming traffic on a specific port. A personal firewall is a software-based system that controls the flow of network traffic. A personal firewall can be configured to allow traffic or to block traffic. For example, you can configure a firewall to block or allow traffic based on the port on which that traffic is being sent.
    You are not likely to configure a honeypot on a host to alert you about possible attacks without filtering traffic. A honeypot is a decoy system that is made to appear vulnerable to network intruders for the purpose of trapping them; it also logs information about the attack for further study.
    You would not install a botnet to block incoming traffic on a specific port. A botnet is a network of zombies. Zombies, or bots, are compromised computers that can be used to perform Denial of Service (DoS) or Distributed DoS (DDoS) attacks and to send spam.
  6. Which of the following forms of malware are typically standalone software that appear to be legitimate applications? (Select the best answer.)

    • bots
    • Trojan horses
    • viruses
    • worms
    Explanation:
    Of the available choices, Trojan horses are the forms of malware that are typically standalone software that appear to be legitimate applications. Malware, which is a term formed from the combination of the words malicious and software, is unwanted software that is specifically designed to be malicious. Malware can damage or disrupt systems, steal information from a user, or perform other unwanted and malicious actions. Trojan horses can be used to annoy users, steal information, destroy data, or install back doors.
    Bots are forms of malware but are not typically standalone software that appear to be legitimate applications. A bot is a type of automated software that can be used as a remote command and control tool to exploit a compromised system for malicious purposes. For example, a botnet is a network of bots on compromised systems that can be used to carry out coordinated attacks, such as a Distributed Denial of Service (DDoS) attack.
    Viruses are forms of malware but are not typically standalone software that appear to be legitimate applications. A virus is a type of software that can make copies of itself and inject them into other software. Viruses can therefore spread across systems and networks. The level of damage that can be inflicted by viruses ranges from annoyances to destruction of data.
    Worms are forms of malware but are not typically standalone software that appear to be legitimate applications. Similar to a virus, a worm is a type of software that can make copies of itself and propagate across a network. However, a worm is typically standalone software that does not require human interaction in order to propagate.
  7. The IPS on your company’s network is blocking normal web traffic.

    Which of the following best describes what the IPS has identified? (Select the best answer.)

    • a false positive
    • a false negative
    • a true positive
    • a true negative
    Explanation:
    The intrusion prevention system (IPS) has identified a false positive. A false positive occurs when an intrusion detection system (IDS) or an IPS identifies nonmalicious traffic as malicious. Tuning must be performed to minimize the number of false positives while eliminating false negatives. Not only can too many false positives overburden a device, they can also overburden a network administrator because false positives must usually be verified as harmless.
    A false negative occurs when an IDS or IPS does not identify malicious traffic that enters the network. False negatives can often lead to disastrous network security problems. To properly secure a network, you should reduce the number of false negatives as much as possible by fine-tuning IDS and IPS rules, even if more false positives are reported. Penetration testing can help determine when an IDS or IPS is not detecting a genuine attack.
    A true positive occurs when an IDS or IPS correctly identifies malicious traffic as malicious. For instance, a true positive occurs when a virus or an attack is identified and the appropriate action is taken.
    A true negative occurs when an IDS or IPS correctly identifies harmless traffic as harmless. For example, a true negative occurs when an administrator correctly enters a password or when Hypertext Transfer Protocol (HTTP) traffic is sent to a web server.
  8. Which of the following EAP methods requires digital certificates to be installed on the server but not on the client? (Select the best answer.)

    • EAP-FAST
    • EAP-PEAP
    • EAP-TLS
    • LEAP
    Explanation:
    Protected Extensible Authentication Protocol (PEAP) requires digital certificates to be installed on the server but not on the client. PEAP is an open standard developed by Cisco, Microsoft, and RSA. PEAP and other later variants of Extensible Authentication Protocol (EAP), such as EAP-Transport Layer Security (EAP-TLS), and EAP-Tunneled TLS (EAP-TTLS), are replacing Lightweight EAP (LEAP). PEAP clients can use alternative authentication methods, such as one-time passwords (OTPs).
    EAP-TLS requires both a client and a server digital certificate. EAP-TLS is an authentication protocol that can be used for point-to-point connections and for both wired and wireless links. EAP-TLS performs mutual authentication to secure the authentication process. When EAP-TLS is used, a digital certificate must be installed on the authentication server and each client that must authenticate with the server. The digital certificate used on clients and the server must be obtained from the same certificate authority (CA).
    LEAP does not require either the server or the client to be configured with a digital certificate. When LEAP is used, the client initiates an authentication attempt with a Remote Authentication Dial-In User Service (RADIUS) server. The RADIUS server responds with a challenge response. If the challenge/response process is successful, the client then validates that the RADIUS server is correct for the network. If the RADIUS server is validated, the client will connect to the network.
    Similar to LEAP, EAP-Flexible Authentication via Secure Tunneling (FAST) does not require either the server or the client to be configured with a digital certificate. When EAP-FAST is used, Protected Access Credentials (PACs) are used to authenticate users. The EAP-FAST authentication process consists of three phases. The first phase, which is optional and is considered phase 0, consists of provisioning a client with a PAC, which is a digital credential that is used for authentication. A PAC can be manually configured on a client, in which case phase 0 is not required. The second phase, which is referred to as phase 1, involves creating a secure tunnel between the client and the server. The final phase, which is referred to as phase 2, involves authenticating the client. If the client is authenticated, the client will be able to access the network.
  9. Which of the following lost or stolen device options are not available to employees when MDM is integrated with ISE? (Select 2 choices.)

    • report device as lost or stolen
    • initiate a PIN lock
    • initiate a full or corporate wipe
    • quarantine the device
    • revoke the device’s digital certificate
    Explanation:
    When Mobile Device Management (MDM) platforms are integrated with Cisco Identity Services Engine (ISE), only ISE administrators can quarantine a device and revoke the device’s digital certificate.
    Administrators are also capable of performing wipes and personal identification number (PIN) locks without user notification or intervention. Unlike employees, who initiate full wipes or corporate wipes by using the My Devices portal, an administrator initiates a wipe or a PIN lock by using the ISE Endpoints screen. Whether an administrator can initiate a full wipe or a corporate wipe depends on the MDM server policies and configuration. In a Bring Your Own Device (BYOD) environment, administrators will most likely be able to perform only a corporate wipe or a PIN lock on a device. If the device is a corporate device that an employee is simply allowed to use, an administrator might be able to perform a full wipe from the Endpoints screen by selecting Full Wipe from the MDM Access drop-down menu. Administrators can additionally force connected devices off the network, add devices to the Blacklist Identity Group, and disable the device’s RSA SecurID token.
    Employees have the ability to report a device as lost or stolen, initiate a PIN lock, or initiate a full or corporate wipe when MDM platforms are integrated with Cisco ISE. A corporate wipe, which is also known as a selective wipe, removes only corporate data and applications from the device. A full wipe, which is also known as a factory reset, removes all data from the device. An employee is also capable of reinstating a device to gain access without having to reregister the device with ISE. Each of these options is available to the employee by using ISE’s My Devices portal.
    ISE is a next-generation Authentication, Authorization, and Accounting (AAA) platform with integrated posture assessment, network access control, and client provisioning. ISE integrates with a number of MDM frameworks, such as MobileIron and AirWatch. From ISE, you can easily provision network devices with native supplicants available for Microsoft Windows, Mac OS X, Apple iOS, and Google Android. The supplicants act as agents that enable you to perform various functions on the network device, such as installing software or locking the screen with a PIN lock.
  10. Which of the following private VLAN port types can communicate with promiscuous private VLAN ports but not with isolated private VLAN ports? (Select 2 choices.)

    • community ports
    • isolated ports
    • SPAN ports
    • promiscuous ports
    • trunk ports
    Explanation:
    Community private virtual LAN (VLAN) ports can communicate with promiscuous ports and with other ports that belong to the same community, but not with isolated ports. Isolated private VLAN ports, on the other hand, can communicate only with promiscuous ports. Promiscuous private VLAN ports are capable of communicating with any other type of port.
    Private VLANs can be configured on a switch to help isolate traffic within a VLAN. Private VLANs provide Layer 2 separation between ports that belong to the same VLAN. Because the separation exists at Layer 2, the hosts can exist on the same IP subnet. The VLAN to which the hosts belong is called the primary VLAN. To create a private VLAN, you must create secondary VLANs and associate them with the primary VLAN.
    Switch Port Analyzer (SPAN) ports are not a private VLAN port type. SPAN is a means of monitoring traffic on a switch by copying packets from a source port to a monitored port or mirrored port. In addition, trunk ports are not a private VLAN port type. Trunk ports are used to connect switches to other switches.
  11. In which layer of the campus network hierarchy are ACLs and inter-VLAN routing typically implemented? (Select the best answer.)

    • access
    • core
    • distribution
    • transport
    Explanation:
    The distribution layer of the campus network hierarchy is where access control lists (ACLs) and inter-VLAN routing are typically implemented. The campus network hierarchy is a design framework that is used to outline different segments of a campus network, how they interact, and best practices for implementation. The campus network hierarchy is broken into three distinct hardware layers: access, distribution, and core.
    The distribution layer serves as an aggregation point for access layer network links. Because the distribution layer is the intermediary between the access layer and the core layer, the distribution layer is the ideal place to enforce security policies, provide load balancing, provide Quality of Service (QoS), and perform tasks that involve packet manipulation, such as routing. Because the distribution layer connects to both the access and core layers, it often comprises multilayer switches that can perform both Layer 3 routing functions and Layer 2 switching functions. You should also perform network-based intrusion prevention in the distribution layer, protecting the access layer devices from threats.
    The access layer, which typically comprises Layer 2 switches, serves as a media termination point for endpoints, such as servers and workstations. Because access layer devices provide access to the network, the access layer is the ideal place to perform user authentication and port security. Dynamic ARP Inspection (DAI), Dynamic Host Configuration Protocol (DHCP) snooping, and IP spoofing protection are also typically implemented in the access layer. Although you can use ACLs in the access layer to classify and mark traffic for QoS configurations, inter-VLAN routing is not typically implemented in the access layer.
    The core layer provides fast transport services and redundant connectivity to the distribution layer. The core layer acts as the network’s backbone; thus it is essential that every distribution layer device have multiple paths to the core layer. Multiple paths between the core and distribution layer devices ensure that network connectivity is maintained if a link or device fails in either layer. Because the core layer focuses on low latency and fast transport services, you should not implement mechanisms that can introduce unnecessary latency into the core layer. For example, mechanisms such as process-based switching, packet manipulation, and packet filtering introduce latency and should be avoided in the core layer.
    In all three layers, you should use Network Foundation Protection (NFP) best practices. You should also protect against inadvertent loops by using Spanning Tree Protocol (STP). Finally, you should ensure that control plane traffic is filtered and rate-limited.
    The Transport layer is an Open Systems Interconnection (OSI) model layer, not a campus network hierarchy layer. Therefore, the Transport layer is not where ACLs and inter-VLAN routing are typically implemented.
  12. Which of the following is a VLAN hopping attack that uses DTP to negotiate a trunk link? (Select the best answer.)

    • ARP spoofing
    • DHCP spoofing
    • MAC spoofing
    • switch spoofing
    Explanation:
    Switch spoofing is a virtual LAN (VLAN) hopping attack that is characterized by using Dynamic Trunking Protocol (DTP) to negotiate a trunk link with a switch port in order to capture all traffic that is allowed on the trunk. In a switch spoofing attack, the attacking system is configured to act like a switch with a trunk port. This enables the attacking system to become a member of all VLANs, which enables the attacker to send and receive traffic among the other VLANs.
    Dynamic Host Configuration Protocol (DHCP) spoofing is a man-in-the-middle attack that is most likely to be used to cause a workstation to send traffic to a false gateway IP address. In a DHCP spoofing attack, a rogue DHCP server is attached to the network in an attempt to intercept DHCP requests. The rogue DHCP server can then respond to the DHCP requests with its own IP address as the default gateway address so that all traffic is routed through the rogue DHCP server. DHCP snooping is a security technique that can be used to mitigate DHCP spoofing.
    In an Address Resolution Protocol (ARP) poisoning attack, which is also known as an ARP spoofing attack, the attacker sends a gratuitous ARP (GARP) message to a host. The GARP message associates the attacker’s Media Access Control (MAC) address with the IP address of a valid host on the network. Subsequently, traffic sent to the valid host address will go to the attacker’s computer rather than to the intended recipient.
    MAC spoofing makes network traffic from a device look as if it is coming from a different device. MAC spoofing is often implemented to bypass port security by making a device appear as if it were an authorized device. Malicious users can also use MAC spoofing to intercept network traffic that should be destined for a different device. ARP cache poisoning, content addressable memory (CAM) table flooding, and Denial of Service (DoS) attacks can all be performed by MAC spoofing.
  13. On a Cisco ASA, which of the following authentication protocols is not supported by the TACACS+ server? (Select the best answer.)

    • ASCII
    • CHAP
    • PAP
    • MSCHAPv1
    • MSCHAPv2
    Explanation:
    The Terminal Access Controller Access Control System Plus (TACACS+) server on a Cisco Adaptive Security Appliance (ASA) does not support Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2). Remote Authentication Dial-In User Service (RADIUS) and TACACS+ server groups on a Cisco ASA support Challenge Handshake Authentication Protocol (CHAP), MSCHAP version 1 (MSCHAPv1), and Password Authentication Protocol (PAP).
    A Cisco ASA supports a number of different Authentication, Authorization, and Accounting (AAA) server types, such as RADIUS, TACACS+, Lightweight Directory Access Protocol (LDAP), Kerberos, and RSA Security Dynamics, Inc. (SDI) servers.
    When authenticating with a TACACS+ server, a Cisco ASA can use the following authentication protocols:
    – ASCII
    – PAP
    – CHAP
    – MSCHAPv1
    When authenticating with a RADIUS server, a Cisco ASA can use the following authentication protocols:
    – PAP
    – CHAP
    – MSCHAPv1
    – MSCHAPv2
    – Authentication Proxy Mode (for example, RADIUS to RSA/SDI, RADIUS to Active Directory, and others)
  14. Which of the following are true of ARP traffic on a Cisco zone-based firewall in transparent mode? (Select 2 choices.)

    • It is denied by default.
    • It is permitted only in the inbound direction.
    • It is permitted only in the outbound direction.
    • It is permitted in both inbound and outbound directions.
    • It can be controlled by ARP inspection but not by access rules.
    Explanation:
    Address Resolution Protocol (ARP) traffic is permitted in both inbound and outbound directions when a Cisco zone-based firewall, such as a Cisco Adaptive Security Appliance (ASA), is operating in transparent mode. In addition, ARP can be controlled by ARP inspection, but not by access rules, on a Cisco ASA that is operating in transparent mode. The default bidirectional flow of ARP traffic in transparent mode is known as an implicit permit. All of the following traffic is implicitly permitted when a Cisco zone-based firewall is operating in transparent mode:
    – IP version 4 (IPv4) traffic from a higher security interface to a lower security interface
    – IPv6 traffic from a higher security interface to a lower security interface
    – ARP traffic in both directions
    – Bridge protocol data unit (BPDU) traffic in both directions
    Thus a Cisco zone-based firewall operating in transparent mode implicitly permits certain types of traffic at both Layer 2 and Layer 3 of the Open Systems Interconnection (OSI) network model. However, when a Cisco zone-based firewall is operating in routed mode, only Layer 3 IPv4 and IPv6 traffic from a higher security interface to a lower security interface are implicitly permitted.
    In either mode, an extended access rule is required to permit additional types of IPv4 traffic. To permit additional types of IPv6 traffic, an IPv6 access rule is required. To permit other types of Layer 2 traffic, an EtherType rule is required.
  15. Which of the following statements about the test aaa group command is not true? (Select the best answer.)

    • It does not work with a RADIUS server configuration.
    • It can be used to verify a AAA server configuration.
    • It can generate a “User rejected” message if the server is alive.
    • It associates a DNIS or CLID named user profile with a record sent to the server.
    Explanation/Reference:
    The Cisco test aaa group command does work with a Remote Authentication Dial-In User Service (RADIUS) configuration. The syntax of the test aaa group command is test aaa group {groupname | radius} username password new-code [profile profilename], where groupname is a subset of RADIUS servers, username is the name for the test user, and password is the test user’s password.
    The test aaa group command can associate a Dialed Number Identification Service (DNIS) or Caller Line Identification (CLID) named user profile with a record sent to the server. The new-code keyword configures the command to support a CLID or DNIS user profile association with the RADIUS server. The profile profilename keyword associates the user profile specified by profilename with the RADIUS server.
    The test aaa group command is used to verify an Authentication, Authorization, and Accounting (AAA) server configuration. RADIUS is a protocol that is used with AAA operations. RADIUS uses User Datagram Protocol (UDP) for packet delivery and is less secure and less flexible than TACACS+. RADIUS encrypts only the password of a packet; the rest of the packet would be viewable if the packet were intercepted by a malicious user. With RADIUS, the authentication and authorization functions of AAA are combined into a single function, which limits the flexibility that administrators have when configuring these functions. Furthermore, RADIUS does not provide router command authorization capabilities.
    The test aaa group command can generate either a “User rejected” message or a “User successfully authenticated” message if the RADIUS server is alive. In order to generate either of those messages, the test aaa command must be able to connect to the RADIUS server.
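    The explanation above notes that RADIUS encrypts only the password and leaves the rest of the packet readable. The following added example (not part of the original page) builds an Access-Request using the User-Password hiding defined in RFC 2865 and parses it the way a passive observer would; the user name, password, shared secret, and NAS identifier are constructed values.

```python
import hashlib
import os

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2 (MD5 keystream XOR)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a 16-byte multiple
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden

def unhide_password(hidden, secret, authenticator):
    """What the RADIUS server does; this step requires the shared secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")

def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def access_request(user, password, secret, nas_id, identifier=1):
    """Access-Request (code 1): User-Name (1), User-Password (2), NAS-Identifier (32)."""
    authenticator = os.urandom(16)
    attrs = (_attr(1, user)
             + _attr(2, hide_password(password, secret, authenticator))
             + _attr(32, nas_id))
    length = (20 + len(attrs)).to_bytes(2, "big")
    return bytes([1, identifier]) + length + authenticator + attrs

def observe(packet):
    """Parse the packet as a passive observer would, without the shared secret."""
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return authenticator, attrs

if __name__ == "__main__":
    # Constructed credentials and shared secret, for illustration only.
    pkt = access_request(b"alice", b"Sup3r-Long-Passphrase!", b"shared-secret", b"asa-edge-1")
    auth, seen = observe(pkt)
    print("User-Name on the wire:     ", seen[1])
    print("NAS-Identifier on the wire:", seen[32])
    print("User-Password on the wire: ", seen[2].hex())
    print("Recovered with the secret: ", unhide_password(seen[2], b"shared-secret", auth))
```

    Only attribute 2 is obscured, and its protection rests on MD5 and the shared secret, so the secret should be long and unique per device.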
  16. Which of the following tasks does CASE on an ESA not perform when detecting a possible threat? (Select the best answer.)

    • checking the reputation of the email sender
    • scanning the content of the email message
    • analyzing the email message’s call to action
    • analyzing how the message is constructed
    • checking the reputation of the email receiver
    Explanation:
    The Cisco Context Adaptive Scanning Engine (CASE) on an Email Security Appliance (ESA) does not check the reputation of the email receiver when detecting a possible threat. CASE is a technology that is intended to detect email threats as they are received.
    CASE checks the reputation of an email sender. As part of this process, CASE submits the email sender to the Cisco SenderBase Network, which contains data on hundreds of thousands of email networks. The sender is assigned a score based on this information.
    CASE scans the content of the email message, including the message’s call to action. The content of the email message could contain language, links, or a call to action that is indicative of a phishing scam.
    CASE analyzes how the message is constructed. For example, the message might be constructed in such a way that it appears to be from a given type of email client. An email message that appears to be from a Microsoft Outlook client might not actually have been sent by using Microsoft Outlook.
  17. You upload a file named isitbad.docx to AMP for analysis. While reviewing the AMP logs, you receive the following output:

    Wed Feb 17 12:41:05 2015 Info: File reputation query initiating. File Name = 'isitbad.docx', MID = 856, File Size = 174401 bytes, File Type = application/msword

    Wed Feb 17 12:41:10 2015 Info: Response received for file reputation query from Cache. File Name = 'isitbad.docx', MID = 856, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = 78d80f8fb0e6eaa2988d11607ec6a00840147f8188f6db8b7d00d907440d7aaa, upload_action = 1

    Which of the following is true? (Select the best answer.)

    • The file was uploaded to the cloud and determined to be clean.
    • The file was not uploaded to the cloud, and its disposition is unknown.
    • The file was uploaded to the cloud, but its disposition is unknown.
    • The file was uploaded to the cloud and was determined to be malware.
    • The file was not uploaded to the cloud but was determined to be clean.
    • The file was not uploaded to the cloud but was determined to be malware.
    Explanation:
    The file named isitbad.docx was uploaded to Advanced Malware Protection (AMP), but its disposition is unknown. AMP is a feature of the Cisco Email Security Appliance (ESA) that can be used to test a given file against a file reputation service in the cloud. The file reputation service that is used by AMP attempts to authenticate a Secure Hash Algorithm 256 (SHA256) hash for the file that is being uploaded against the file reputation database. The service also rates the data fidelity of the uploaded file by assigning it a reputation score.
    The AMP log output in this scenario indicates that the file named isitbad.docx has been determined to be 174,401 bytes and is a Microsoft Word file. The file was successfully uploaded to the cloud service, which is indicated by both the value of the upload_action field, which is 1, and the value of the Disposition field, which is file unknown. If the file had not been uploaded, either the upload_action field would contain a different value, such as 2, or the Disposition field would contain an error phrase that indicates that the file could not be uploaded for a scan, such as unscannable. If the file that is being analyzed is already known to the file reputation service, the upload_action field will contain a value of either 0 or 2 and the file will not be uploaded to the cloud.
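    The field-by-field reading described above can be automated. The following added example (not part of the original page or of any Cisco tooling) parses AMP reputation log lines and applies the upload_action and Disposition rules exactly as the explanation states them; the third log line and its hash placeholder are constructed.

```python
import re

# Sample input: the two entries quoted in the question, plus one constructed
# entry (placeholder hash) for a file the reputation service already knows.
SAMPLE_LOG = """\
Wed Feb 17 12:41:05 2015 Info: File reputation query initiating. File Name = 'isitbad.docx', MID = 856, File Size = 174401 bytes, File Type = application/msword
Wed Feb 17 12:41:10 2015 Info: Response received for file reputation query from Cache. File Name = 'isitbad.docx', MID = 856, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = 78d80f8fb0e6eaa2988d11607ec6a00840147f8188f6db8b7d00d907440d7aaa, upload_action = 1
Wed Feb 17 12:45:00 2015 Info: Response received for file reputation query from Cache. File Name = 'known.docx', MID = 857, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = CONSTRUCTED_PLACEHOLDER_HASH, upload_action = 2
"""

# A key starts with a letter and may contain spaces; a value runs to the next comma.
FIELD_RE = re.compile(r"([A-Za-z_][\w ]*?) = ([^,]+)")

def parse_fields(line):
    """Extract the 'Key = value' pairs that follow the free-text message."""
    return {k: v.strip().strip("'\u2018\u2019") for k, v in FIELD_RE.findall(line)}

def assess(line):
    """Interpret one reputation response the way the explanation does."""
    fields = parse_fields(line)
    if "upload_action" not in fields:
        return None  # not a reputation response (for example, the query line)
    action = int(fields["upload_action"])
    disposition = fields.get("Disposition", "").lower()
    return {
        "file": fields.get("File Name"),
        "sha256": fields.get("sha256"),
        "disposition": disposition,
        # 1 = sent to the cloud; 0 or 2 = already known, nothing uploaded.
        "uploaded": action == 1 and disposition != "unscannable",
    }

def assess_log(text):
    """Return one verdict per reputation response found in the log text."""
    return [r for r in (assess(line) for line in text.splitlines()) if r]

if __name__ == "__main__":
    for verdict in assess_log(SAMPLE_LOG):
        print(verdict)
```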
  18. Which of the following commands should you issue when troubleshooting basic IKE peering to determine whether PSKs are present and matching on both peers? (Select the best answer.)

    • ping
    • traceroute
    • show crypto isakmp policy
    • debug crypto isakmp
    Explanation/Reference:
    You should issue the debug crypto isakmp command to determine whether pre-shared keys (PSKs) are present and matching on both peers. If there is a PSK mismatch between the peers, you will see the 1d00h:%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 failed its sanity check or is malformed debug error message. If a PSK is missing on one of the peers, you will see the 1d00h:%CRYPTO-4-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 10.11.12.13 is missing debug error message. To create a PSK, issue the crypto isakmp key key {address | ipaddress [mask] | hostname name} [no-xauth] command.
    When troubleshooting basic Internet Key Exchange (IKE) peering, you should perform the following steps:
    1. Verify that the peers can reach each other.
    2. Verify that the IKE policies match on both peers.
    3. Verify that the peers successfully authenticate each other.

    To verify that the peers can reach each other, you can issue the ping command. A successful ping indicates that connectivity between the peers exists. If the ping is not successful, you can issue the traceroute command to see where the fault is occurring along the path between the two peers.
    To verify that the IKE policies match on both peers, you can issue the show crypto isakmp policy command to display the IKE phase 1 policy settings that are configured on the router, including the encryption algorithm, hash algorithm, authentication method, Diffie-Hellman (DH) key exchange mechanism, and security association (SA) lifetime. The following displays sample output from the show crypto isakmp policy command:
    RouterA#show crypto isakmp policy
    Global IKE policy
    Protection suite of priority 20
    encryption algorithm: AES - Advanced Encryption Standard (128 bit keys)
    hash algorithm: Secure Hash Standard
    authentication method: Pre-Shared Key
    Diffie-Hellman group: #14 (2048 bit)
    lifetime: 3600 seconds, no volume limit

    In order for virtual private network (VPN) peers to successfully negotiate a key management tunnel during IKE phase 1, the peers must agree on security parameters. For example, when RouterA sends an IKE policy proposal to RouterB, the IKE policy is compared with the IKE policies defined on RouterB. The proposed policy must be an exact match to one of RouterB’s locally defined policies; otherwise, it will be rejected. The one exception to this rule is the value of the IKE lifetime parameter. An IKE lifetime is considered a match if the value is less than or equal to the IKE lifetime defined in the local policy. If the IKE lifetime value is less than that of the local policy, the router will use the lesser of the two values. For example, when RouterA initiates a connection to RouterB, RouterA will only consider lifetime values from RouterB’s policies as matching if they are less than or equal to 14,400 seconds.
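    The matching rule described above, including the lifetime exception, can be modeled in a few lines. This is an added example rather than Cisco code: RouterA's proposal uses the values from the sample output, while RouterB's policies and the short parameter labels (such as "aes-128" and "pre-share") are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str
    hash: str
    authentication: str
    dh_group: int
    lifetime: int          # seconds

# Parameters that must match exactly; lifetime is the one exception.
EXACT = ("encryption", "hash", "authentication", "dh_group")

def mismatches(proposal, local):
    """Names of the parameters that stop `local` from accepting `proposal`."""
    bad = [name for name in EXACT if getattr(proposal, name) != getattr(local, name)]
    if proposal.lifetime > local.lifetime:   # must be less than or equal to local
        bad.append("lifetime")
    return bad

def negotiate(proposal, local_policies):
    """Return (matched local policy, lifetime in use), or None if all are rejected."""
    for local in sorted(local_policies, key=lambda p: p.priority):
        if not mismatches(proposal, local):
            return local, min(proposal.lifetime, local.lifetime)
    return None

def report(proposal, local_policies):
    """Per-policy rejection reasons, for use when debug shows a phase 1 mismatch."""
    return {p.priority: mismatches(proposal, p) for p in local_policies}

# RouterA's proposal: values from the sample show crypto isakmp policy output.
ROUTER_A = IkePolicy(20, "aes-128", "sha", "pre-share", 14, 3600)
# RouterB's local policies: constructed for this example.
ROUTER_B = [
    IkePolicy(10, "aes-256", "sha", "pre-share", 14, 86400),
    IkePolicy(30, "aes-128", "sha", "pre-share", 14, 14400),
    IkePolicy(40, "aes-128", "sha", "pre-share", 2, 3600),
]

if __name__ == "__main__":
    print(negotiate(ROUTER_A, ROUTER_B))
    print(report(ROUTER_A, ROUTER_B))
```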
    To configure IKE phase 1 policy parameters, issue the crypto isakmp policy priority command to enter Internet Security Association and Key Management Protocol (ISAKMP) policy configuration mode, where you can issue the following commands:
    – authentication
    – encryption
    – group
    – hash
    – lifetime

    You can issue the debug crypto isakmp command to determine whether an IKE phase 1 policy mismatch is occurring. The debug error message 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0 will appear when there is a phase 1 policy mismatch between the peers.
    To verify that the peers successfully authenticate each other, you should issue the debug crypto isakmp command. If the PSKs are present and matching on both peers, the IKE SA should establish successfully and communication between the sites should occur.

  19. You have configured Cisco ESA URL filtering with a URL Category action that redirects the URLs of adult content sites and sites that have not been categorized to the Cisco Cloud Web Security proxy service. However, you receive a report that users are successfully accessing adult content sites from the company network.

    Which of the following could be the problem? (Select the best answer.)

    • You did not specify any text to replace the URL.
    • You did not defang the URL so that it cannot be clicked.
    • The connection to the Cisco Cloud Web Security proxy service timed out.
    • The adult content sites being visited are uncategorized.
  20. An inbound TCP SYN packet arrives at the ingress interface of a Cisco ASA 8.2 firewall. The packet is not part of an established session. The packet reaches the interface’s internal buffer and the input counter is incremented.

    Which of the following actions will occur next? (Select the best answer.)

    • The packet will be processed by interface ACLs.
    • The packet is forwarded to the outbound interface.
    • The packet is subjected to an inspection check.
    • The packet’s IP header is translated by NAT/PAT.
    Explanation:
    The inbound Transmission Control Protocol (TCP) SYN packet will be processed by interface access control lists (ACLs) if it is not part of an established session. A Cisco Adaptive Security Appliance (ASA) 8.2 performs all of the following checks when a packet arrives on the inbound interface:
    – Increments the input counter
    – Determines whether the packet is part of an established connection
    – If not an established connection, processes the packet by using the interface ACLs
    – If not an established connection, verifies the packet for translation rules
    – Conducts an inspection of the packet to determine protocol compliance
    – Translates the IP header according to Network Address Translation (NAT) rules
    – Forwards the packet to the outbound interface

    Inbound TCP packets that are not part of an established connection should be SYN packets; a SYN packet is the first packet that is sent during TCP’s three-way handshake. Inbound TCP SYN packets are permitted by the ASA as long as the packet is permitted by an interface ACL rule and is successfully translated by NAT or Port Address Translation (PAT). The TCP SYN-ACK packet is the second phase of the TCP three-way handshake; it is sent by the host that received the SYN packet to the host that is attempting to establish a connection. Therefore, an ASA will permit an inbound TCP SYN-ACK packet only if it is part of an established connection.
    It is important to note that the Cisco ASA 8.3 and later modify the ASA packet process algorithm. When configuring NAT for the ASA 8.3 and later, you should use the client’s real IP address instead of the ASA’s public IP address. Thus, if the ASA in this scenario were an ASA 8.3 or later, the packet’s IP header would be translated by NAT or PAT prior to being processed by interface ACLs.