CCNA 200-125 Exam: Security Questions 2 With Answers

  1. How do you maintain security between multiple sites?
    • A. VPN*
    • B. DMVPN
    • C. other
    • D. other

    Show (Hide) Explanation/Reference
    The question is really about site-to-site VPNs. A site-to-site VPN lets offices at multiple fixed locations establish secure connections with each other over a public network such as the Internet: two sites build a VPN tunnel by encrypting the data exchanged between two devices and sending it across the public network. One set of rules for building such a tunnel is defined by IPsec.

    [Figure: Main Campus connected to Remote Campus sites by site-to-site VPN tunnels over the Internet]

    In the topology above, Remote Campus sites can connect to the Main Campus through site-to-site VPNs.

  2. Which of the following encrypts the traffic on a leased line?
    • A. telnet
    • B. ssh*
    • C. vtp
    • D. vpn
    • E. dmvpn

    Show (Hide) Explanation/Reference
    SSH, or secure shell, is a secure protocol that provides a built-in encryption mechanism for establishing a secured connection between two parties, authenticating each side to the other, and passing commands and output back and forth.

    Note: a virtual private network is only confidential when it is encrypted. "Private" only means that a given user's virtual network is logically separated from other users' traffic; it still runs over shared infrastructure, and an unencrypted tunnel carries data in clear text. A VPN also runs over a connection you already have: a leased line, an ADSL connection or a mobile network.

    The question asks which option itself encrypts the traffic. SSH always does, while "VPN" names a construct that may or may not be encrypted, so "SSH" is the better answer.

  3. Which command is necessary to permit SSH or Telnet access to a Cisco switch that is otherwise configured for these vty line protocols?
    • A. transport type all
    • B. transport output all
    • C. transport preferred all
    • D. transport input all*

    Show (Hide) Explanation/Reference
    The "transport input" line-configuration command defines which protocols may be used to connect to a line (vty, console, aux) of the router or switch. "transport input all" permits every supported protocol, including SSH and Telnet. On a device that should accept only SSH, use "transport input ssh" instead, since Telnet sends credentials and commands in clear text.
  4. How do you make sure that an SSH connection from a router is made with the secure version?
    • A. ssh -v 1 -l admin IP
    • B. ssh -v 2 -l admin IP*
    • C. ssh -l admin IP
    • D. ssh -v 2 admin IP

    Show (Hide) Explanation/Reference
    This question is really about using the router as an SSH client to connect to other routers. The table below lists the parameters of the IOS ssh command:

    SSH command parameter: Description
    -v {1 | 2}: SSH protocol version to use
    -c {3des | aes128-cbc | aes192-cbc | aes256-cbc}: encryption algorithm for the session; optional, and if omitted the two sides negotiate one
    -l username: username to log in with on the remote router
    -m {hmac-md5 | hmac-md5-96 | hmac-sha1 | hmac-sha1-96}: HMAC (message authentication) algorithm that protects the integrity of the session data; optional, and if omitted the two sides negotiate one
    ip-address or hostname: the IP address, or (with DNS or static host entries configured) the name, of the router to connect to

    For example, "ssh -v 2 -l admin 10.1.1.1" means "use SSH version 2 to connect to the router at 10.1.1.1 as user admin".

    Answer C is not correct because it omits the version, so the client may negotiate SSH version 1. Answer D omits the -l flag, so "admin" is not taken as the username.

  5. In order to comply with new auditing standards, a security administrator must be able to correlate system security alert logs directly with the employee who triggers the alert. Which of the following should the security administrator implement in order to meet this requirement?
    • A. Access control lists on file servers
    • B. Elimination of shared accounts*
    • C. Group-based privileges for accounts
    • D. Periodic user account access reviews

    Show (Hide) Explanation/Reference
    The requirement is to tie every alert to one specific person. While several employees share an account, a log entry can only be traced back to the account, not to the individual, so shared accounts have to be eliminated. Access control lists, group-based privileges and periodic access reviews are all good practice, but none of them changes what the log records.
  6. Which three features are represented by the letter A in AAA? (Choose three)
    • A. authorization*
    • B. accounting*
    • C. authentication*
    • D. accountability
    • E. accessibility
    • F. authority
  7. What are two characteristics of SSH? (Choose two)
    • A. use port 22 *
    • B. unsecured
    • C. encrypted *
    • D. most common remote-access method
    • E. operate at transport
  8. Which two statements about TACACS+ are true? (Choose two)
    • A. It can run on a UNIX server.*
    • B. It authenticates against the user database on the local device.
    • C. It is more secure than AAA authentication.
    • D. It is enabled on Cisco routers by default.
    • E. It uses a managed database.*
  9. Refer to the exhibit. Which user-mode password has just been set?
    R1#config
    R1(config)#line vty 0 4
    R1(config-line)#password C1scO
    R1(config-line)#login
    • A. Telnet*
    • B. Auxiliary
    • C. SSH
    • D. Console

    Show (Hide) Explanation/Reference
    When you connect to a switch or router via Telnet you are first prompted for the vty (Telnet) password. To enter privileged mode (Switch#) you then type "enable" and supply the enable secret; only after that can you make configuration changes.
  10. Which two passwords must be supplied in order to connect by Telnet to a properly secured Cisco switch and make changes to the device configuration? (Choose two)
    • A. tty password
    • B. enable secret password*
    • C. vty password*
    • D. aux password
    • E. console password
    • F. username password
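
Questions 3, 4, 9 and 10 together describe the vty settings that matter: which transports a line accepts, the SSH version, and which passwords stand between a Telnet session and configuration mode. The following Python script is an added example, not part of the original question set and not a Cisco tool; it audits the vty/SSH section of an IOS-style running-config text for those weak settings. Both configurations it checks are constructed samples (the weak one is the exhibit from question 9 with "transport input all" added; the domain name and the hash strings are placeholders).

```python
"""Audit vty/SSH remote-access settings in a Cisco IOS-style running-config.

Added example for this page: the two configs below are constructed samples,
not captures from a real device, and the hash strings are placeholders.
"""

# Constructed sample: the exhibit from question 9 with Telnet still allowed.
WEAK_CONFIG = """\
hostname R1
enable password cisco
line vty 0 4
 password C1scO
 login
 transport input all
"""

# Constructed sample: the same device hardened for SSH version 2 only.
HARDENED_CONFIG = """\
hostname R1
ip domain-name example.test
ip ssh version 2
username admin secret 5 $1$constructed$placeholderhash1
enable secret 5 $1$constructed$placeholderhash2
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""


def split_config(config):
    """Return (global commands, {"line vty 0 4": [sub-commands], ...}).

    IOS indents the sub-commands of a 'line' block with one space.
    """
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit_remote_access(config):
    """Return a sorted list of findings; an empty list means nothing to report."""
    global_cmds, sections = split_config(config)
    findings = []

    # Question 4: pin SSH to version 2 so a client cannot negotiate SSHv1.
    if "ip ssh version 2" not in global_cmds:
        findings.append("global: 'ip ssh version 2' not set, SSHv1 may be negotiated")
    # Question 10: privileged mode must be protected by an enable secret (hashed),
    # not 'enable password', which is stored in clear text or reversibly.
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("global: no 'enable secret' configured")

    for name, cmds in sections.items():
        if not name.startswith("line vty"):
            continue
        # Question 3: 'transport input' decides which protocols the line accepts.
        transports = [c for c in cmds if c.startswith("transport input")]
        if not transports:
            findings.append(f"{name}: 'transport input' not set, default varies by IOS release")
        for cmd in transports:
            allowed = cmd.split()[2:]
            if "all" in allowed or "telnet" in allowed:
                findings.append(f"{name}: '{cmd}' permits cleartext Telnet")
        # Question 9: a plain 'login' plus 'password' is one shared secret for everyone.
        if "login" in cmds:
            findings.append(f"{name}: 'login' uses a shared line password, prefer 'login local' or AAA")
        if any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: shared line password present")
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{name}: no 'exec-timeout', idle sessions never close")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_remote_access(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it to see the findings for each sample; on a real device feed it the text of "show running-config". The default "transport input" on vty lines has varied between IOS releases, which is why an unset value is reported as a finding rather than assumed to be safe.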
  11. Which two statements about firewalls are true? (Choose two)
    • A. They can be used with an intrusion prevention system.*
    • B. They can limit unauthorized user access to protect data.*
    • C. Each wireless access point requires its own firewall
    • D. They must be placed only at locations where the private network connects to the internet.
    • E. They can prevent attacks from the internet only.
  12. Which three options are types of Layer 2 network attack? (Choose three)
    • A. Spoofing attacks*
    • B. VLAN Hopping*
    • C. Botnet attacks
    • D. DDOS attacks
    • E. ARP Attacks*
    • F. Brute force attacks

    Show (Hide) Explanation/Reference
    [Figure: DHCP spoofing, the attacker answers the client's DHCP request before the real server does]

    DHCP spoofing is an attack in which the attacker listens for DHCP requests from clients and answers them with a forged DHCP reply before the reply from the authorized server reaches the client. The forged reply usually lists the attacker's own IP address as the client's default gateway, so all of the client's outbound traffic passes through the attacker's machine and the attacker becomes a man-in-the-middle.

    The attacker has several ways to make sure its forged reply arrives first. If the attacker is "closer" to the client than the real DHCP server, it may win the race without doing anything special; otherwise it can DoS the DHCP server so that the legitimate reply is never sent. On Cisco switches, DHCP snooping counters this by accepting DHCP server replies only on ports configured as trusted.

    VLAN Hopping: By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures. VLAN hopping can be accomplished by switch spoofing or double tagging.

    1) Switch spoofing:

    [Figure: switch spoofing, the attacker's switch negotiates a trunk with the Company switch using DTP]

    The attacker connects an unauthorized Cisco switch to a Company switch port. The unauthorized switch sends DTP frames and forms a trunk with the Company switch. Once the attacker has a trunk link to the Company switch, it receives traffic for all VLANs over that trunk, because all VLANs are allowed on a trunk by default. Configuring user-facing ports with "switchport mode access" (and "switchport nonegotiate") stops them from forming a trunk in response to DTP frames.

    (Instead of using a Cisco Switch, the attacker can use a software to create and send DTP frames).

    2) Double-Tagging:

    [Figure: double-tagging attack across a trunk whose native VLAN is 10, victim in VLAN 20]

    In this attack, the attacking computer generates frames with two 802.1Q tags. The outer tag matches the native VLAN of the trunk port (VLAN 10 in this case) and the inner tag matches the VLAN of the host it wants to attack (VLAN 20).

    When the frame from the attacker reaches Switch A, Switch A looks only at the outer tag. It is VLAN 10, which matches the native VLAN of the trunk, so that tag is removed and the frame is sent untagged across the trunk (native-VLAN traffic is carried untagged). Switch B receives a frame that now carries a single tag, for VLAN 20, removes it and forwards the frame to the victim computer.

    Note: this attack only works if the attacker's port is in the trunk's native VLAN and the native VLAN is sent untagged. It is also one-way: the victim's replies are not tagged back to the attacker. Moving the native VLAN of every trunk to an unused VLAN defeats it.
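
The double-tagging walk-through above can be checked in code. The following Python model is an added example, not from the original page and not from any Cisco software: it builds the attacker's frame with two 802.1Q tags using only the standard library, models the tag handling of Switch A and Switch B as described above, and shows both the successful case (trunk native VLAN 10, matching the attacker's port) and the failing case from the note (a different native VLAN). Switch names, VLAN numbers and MAC addresses are constructed for the scenario.

```python
"""Model of the 802.1Q double-tagging attack described above (added example).

Frames are built and handled entirely in Python; nothing touches the network.
Addresses and VLAN numbers are constructed to match the page's scenario.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed MAC addresses for the attacker and the victim.
ATTACKER_MAC = bytes.fromhex("0a0000000001")
VICTIM_MAC = bytes.fromhex("0a0000000020")


def build_frame(dst, src, vlans, payload=b"constructed payload"):
    """Ethernet frame with stacked 802.1Q tags, outermost VLAN listed first."""
    hdr = dst + src
    for vid in vlans:
        # TCI: priority 0, DEI 0, 12-bit VLAN ID
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def vlan_tags(frame):
    """List the VLAN IDs of all stacked tags, outermost first."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def pop_tag(frame):
    return frame[:12] + frame[16:]


class Switch:
    """Minimal model: one trunk with a native VLAN, access ports per VLAN."""

    def __init__(self, name, native_vlan):
        self.name, self.native = name, native_vlan

    def access_to_trunk(self, frame, access_vlan):
        """Frame arrives on an access port and leaves on the trunk.

        Only the outermost tag is examined. A tag equal to the access VLAN is
        stripped; anything beneath it is just payload to this switch. On the
        trunk the native VLAN is sent untagged, every other VLAN gets a tag.
        """
        tags = vlan_tags(frame)
        if tags and tags[0] == access_vlan:
            frame = pop_tag(frame)
        elif tags:
            return None, None  # tagged for a foreign VLAN: dropped
        if access_vlan == self.native:
            return frame, "untagged"
        return push_tag(frame, access_vlan), f"tagged {access_vlan}"

    def trunk_to_access(self, frame):
        """Frame arrives on the trunk; return (VLAN it is delivered to, frame as the host sees it)."""
        tags = vlan_tags(frame)
        if tags:
            return tags[0], pop_tag(frame)
        return self.native, frame


def run_double_tagging(trunk_native, attacker_vlan=10, target_vlan=20):
    """Return (VLAN the frame reaches on Switch B, tags still on the delivered frame)."""
    sw_a, sw_b = Switch("A", trunk_native), Switch("B", trunk_native)
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [attacker_vlan, target_vlan])
    on_trunk, _ = sw_a.access_to_trunk(frame, attacker_vlan)
    if on_trunk is None:
        return None, []
    reached, delivered = sw_b.trunk_to_access(on_trunk)
    return reached, vlan_tags(delivered)


if __name__ == "__main__":
    for native in (10, 99):
        reached, leftover = run_double_tagging(native)
        print(f"trunk native VLAN {native}: frame delivered in VLAN {reached}, "
              f"remaining tags {leftover}")
```

With the trunk's native VLAN equal to the attacker's VLAN 10, the frame lands in VLAN 20 with no tag left, exactly the hop described above. With native VLAN 99 the outer tag is put back on by Switch A, so Switch B delivers the frame into VLAN 10 with the stray VLAN 20 tag still inside it, and the victim's VLAN is never reached. The model ignores MAC learning and return traffic, which is enough to show why an unused native VLAN on every trunk (or tagging the native VLAN) stops the attack.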

    ARP attacks (ARP poisoning or ARP spoofing) are attacks in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This links the attacker's MAC address with the IP address of a legitimate host or server, so traffic meant for that host is delivered to the attacker instead. ARP operates at Layer 2, so this is a Layer 2 attack.

  13. Which IEEE mechanism is responsible for the authentication of devices when they attempt to connect to a local network?
    • A. 802.1x*
    • B. 802.11
    • C. 802.2x
    • D. 802.3x

    Show (Hide) Explanation/Reference
    802.1x is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN.
  14. Which IPsec security protocol should be used when confidentiality is required?
    • A. AH
    • B. MD5
    • C. PSK
    • D. ESP*

    Show (Hide) Explanation/Reference
    IPsec defines two security protocols for IP datagrams, Encapsulating Security Payload (ESP) and Authentication Header (AH).

    ESP can provide authentication, integrity, replay protection and confidentiality of the data: it encrypts everything in the packet that follows the IP header (in tunnel mode, the whole inner IP packet).

    AH provides authentication, integrity and replay protection for the packet, covering the immutable fields of the IP header as well, but no confidentiality: the payload stays in clear text. So when confidentiality is required, ESP is the only choice. MD5 is a hash algorithm and PSK (pre-shared key) is an IKE authentication method; neither is an IPsec security protocol.
