10.6.2 Module Quiz – LAN Security Concepts Answers
1. What two protocols are supported on Cisco devices for AAA communications? (Choose two.)
- RADIUS
- LLDP
- HSRP
- VTP
- TACACS+
2. Which service is enabled on a Cisco router by default that can reveal significant information about the router and potentially make it more vulnerable to attack?
- HTTP
- LLDP
- CDP
- FTP
3. When security is a concern, which OSI Layer is considered to be the weakest link in a network system?
- Layer 4
- Layer 7
- Layer 2
- Layer 3
4. Which Layer 2 attack will result in a switch flooding incoming frames to all ports?
- MAC address overflow
- Spanning Tree Protocol manipulation
- IP address spoofing
- ARP poisoning
5. Why is authentication with AAA preferred over a local database method?
- It specifies a different password for each line or port.
- It requires a login and password combination on the console, vty lines, and aux ports.
- It provides a fallback authentication method if the administrator forgets the username or password.
- It uses less network bandwidth.
6. In a server-based AAA implementation, which protocol will allow the router to successfully communicate with the AAA server?
- SSH
- 802.1X
- RADIUS
- TACACS
7. Which Cisco solution helps prevent MAC and IP address spoofing attacks?
- Dynamic ARP Inspection
- IP Source Guard
- Port Security
- DHCP Snooping
8. What is the purpose of AAA accounting?
- to determine which resources the user can access
- to collect and report application usage
- to prove users are who they say they are
- to determine which operations the user can perform
9. Which Layer 2 attack will result in legitimate users not getting valid IP addresses?
- ARP spoofing
- DHCP starvation
- IP address spoofing
- MAC address flooding
10. Which three Cisco products focus on endpoint security solutions? (Choose three.)
- NAC Appliance
- Adaptive Security Appliance
- SSL/IPsec VPN Appliance
- IPS Sensor Appliance
- Web Security Appliance
- Email Security Appliance
11. True or False? In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.
- false
- true
12. What is involved in an IP address spoofing attack?
- Bogus DHCPDISCOVER messages are sent to consume all the available addresses on a DHCP server.
- A rogue DHCP server provides false IP configuration parameters to legitimate DHCP clients.
- A rogue node replies to an ARP request with its own MAC address indicated for the target IP address.
- A legitimate network IP address is hijacked by a rogue node.
13. What three services are provided by the AAA framework? (Choose three.)
- authentication
- authorization
- accounting
- autoconfiguration
- automation
- autobalancing
14. Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?
- authorization
- authentication
- accessibility
- accounting
- auditing
15. What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?
- Enable port security.
- Disable DTP.
- Disable STP.
- Place unused ports in an unused VLAN.
16. Which of the following encrypts the data on end-devices, which can be decrypted only if a payment is made?
- DDoS
- Ransomware
- Virus
- Worm
17. Which network security device monitors and encrypts SMTP traffic to block threats and prevent data loss?
- ESA
- NAC
- NGFW
- WSA
18. Which AAA component is responsible for determining what access is permitted?
- Accounting
- Administration
- Authentication
- Authorization
19. Which small network router authentication method authenticates device access by referring to local usernames and passwords?
- Local AAA authentication
- Local AAA over RADIUS or TACACS+
- Server-based AAA
- Server-based AAA over RADIUS or TACACS+
20. Which 802.1X term is used to describe the device that is responsible for relaying 802.1X responses?
- Authenticator
- Authentication server
- Client
- Supplicant
21. Which 802.1X term is used to describe the device that is requesting authentication?
- Authenticator
- Authentication server
- Client
- Supplicant
22. Which mitigation technique prevents MAC address table overflow attacks?
- DAI
- Firewalls
- Port security
- VPNs
23. Which mitigation technique prevents ARP spoofing and ARP poisoning attacks?
- DAI
- Firewalls
- Port security
- VPNs
24. Which type of attack does IPSG mitigate?
- It prevents ARP spoofing and ARP poisoning attacks.
- It prevents DHCP starvation and DHCP spoofing attacks.
- It prevents MAC address table overflow attacks.
- It prevents MAC and IP address spoofing.
25. What happens to a compromised switch during a MAC address table attack?
- The switch interfaces will transition to error-disabled state.
- The switch will drop all received frames.
- The switch will flood all incoming frames to all other ports in the VLAN.
- The switch will shut down.
26. Why would a threat actor launch a MAC address overflow attack on a small network?
- To capture frames destined for other LAN devices
- To ensure legitimate hosts cannot forward traffic
- To launch a DoS attack
- To overwhelm the switch and drop frames
27. Which is an example of a DHCP starvation attack?
- A threat actor changes the MAC address of the threat actor’s device to the MAC address of the default gateway.
- A threat actor configures a host with the 802.1Q protocol and forms a trunk with the connected switch.
- A threat actor discovers the IOS version and IP addresses of the local switch.
- A threat actor leases all the available IP addresses on a subnet to deny legitimate clients DHCP resources.
- A threat actor sends a BPDU message with priority 0.
- A threat actor sends a message that causes all other devices to believe the MAC address of the threat actor’s device is the default gateway.
28. Which is an example of an STP attack?
- A threat actor changes the MAC address of the threat actor’s device to the MAC address of the default gateway.
- A threat actor configures a host with the 802.1Q protocol and forms a trunk with the connected switch.
- A threat actor discovers the IOS version and IP addresses of the local switch.
- A threat actor leases all the available IP addresses on a subnet to deny legitimate clients DHCP resources.
- A threat actor sends a BPDU message with priority 0.
- A threat actor sends a message that causes all other devices to believe the MAC address of the threat actor’s device is the default gateway.
29. Which is an example of an address spoofing attack?
- A threat actor changes the MAC address of the threat actor’s device to the MAC address of the default gateway.
- A threat actor configures a host with the 802.1Q protocol and forms a trunk with the connected switch.
- A threat actor discovers the IOS version and IP addresses of the local switch.
- A threat actor leases all the available IP addresses on a subnet to deny legitimate clients DHCP resources.
- A threat actor sends a BPDU message with priority 0.
- A threat actor sends a message that causes all other devices to believe the MAC address of the threat actor’s device is the default gateway.
30. Which is an example of an ARP spoofing attack?
- A threat actor changes the MAC address of the threat actor’s device to the MAC address of the default gateway.
- A threat actor configures a host with the 802.1Q protocol and forms a trunk with the connected switch.
- A threat actor discovers the IOS version and IP addresses of the local switch.
- A threat actor leases all the available IP addresses on a subnet to deny legitimate clients DHCP resources.
- A threat actor sends a BPDU message with priority 0.
- A threat actor sends a message that causes all other devices to believe the MAC address of the threat actor’s device is the default gateway.
31. Which is an example of a CDP reconnaissance attack?
- A threat actor changes the MAC address of the threat actor’s device to the MAC address of the default gateway.
- A threat actor configures a host with the 802.1Q protocol and forms a trunk with the connected switch.
- A threat actor discovers the IOS version and IP addresses of the local switch.
- A threat actor leases all the available IP addresses on a subnet to deny legitimate clients DHCP resources.
- A threat actor sends a BPDU message with priority 0.
- A threat actor sends a message that causes all other devices to believe the MAC address of the threat actor’s device is the default gateway.