Module 4: Quiz – Secure Device Access (Answers) Network Security

1. At what point in the enterprise network are packets arriving from the internet examined prior to entering the network?

  • campus core
  • internet edge
  • network edge
  • WAN edge

Explanation: Because the access layer (network edge) is the connection point for endpoints, it plays a big role in ensuring the network is protected from malicious attacks. This protection includes making sure the end users and endpoints that connect to the network are prevented from accessing services for which they are not authorized.

2. What three configuration steps must be performed to implement SSH access to a router? (Choose three.)

  • a password on the console line
  • an IP domain name
  • an encrypted password
  • an enable mode password
  • a unique hostname
  • a user account

Explanation: To implement SSH on a router the following steps need to be performed:

  • Configure a unique hostname.
  • Configure the domain name of the network.
  • Configure a user account to use AAA or local database for authentication.
  • Generate RSA keys.
  • Enable VTY SSH sessions.

3. What is one difference between using Telnet or SSH to connect to a network device for management purposes?

  • Telnet uses UDP as the transport protocol whereas SSH uses TCP.
  • Telnet sends a username and password in plain text, whereas SSH encrypts the username and password.
  • Telnet does not provide authentication whereas SSH provides authentication.
  • Telnet supports a host GUI whereas SSH only supports a host CLI.

Explanation: SSH provides security for remote management connections to a network device. SSH does so through encryption for session authentication (username and password) as well as for data transmission. Telnet sends a username and password in plain text, which can be targeted to obtain the username and password through data capture. Both Telnet and SSH use TCP, support authentication, and connect to hosts in CLI.

4. Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.)

  • operating system security
  • physical security
  • router hardening
  • zone isolation
  • flash security
  • remote access security

Explanation: There are three areas of router security to maintain:
1) physical security
2) router hardening
3) operating system security

5. What is a good password recommendation for a Cisco router?

  • Use the service password-encryption command to protect a password used to log into a remote device across the network.
  • Use a minimum of 7 characters.
  • Zeroize all passwords used.
  • Use one or more spaces within a multiword phrase.

Explanation: Strong password guidelines for Cisco routers include:

  • Use a minimum password length of eight or more characters remembering that longer is better.
  • A password cannot begin with a space but spaces within a passphrase are allowed on a Cisco router.
  • The service password-encryption command can only protect passwords being viewed within the configuration, not as they are sent across the network.

6. What is the purpose of using a banner message on a Cisco network device?

  • It can provide more security by slowing down attacks.
  • It can be used to create a quiet period where remote connections are refused.
  • It is effective in deflecting threat actors from entering the device.
  • It can protect the organization from a legal perspective.

Explanation: A banner can be used to create messages shown on Cisco network devices. A banner message can protect the organization from a legal perspective and should be reviewed by legal counsel before being deployed.

7. A network administrator establishes a connection to a switch via SSH. What characteristic uniquely describes the SSH connection?

  • direct access to the switch through the use of a terminal emulation program
  • out-of-band access to a switch through the use of a virtual terminal with password authentication
  • remote access to the switch through the use of a telephone dialup connection
  • on-site access to a switch through the use of a directly connected PC and a console cable
  • remote access to a switch where data is encrypted during the session

Explanation: SSH provides a secure remote login through a virtual interface. SSH provides a stronger password authentication than Telnet. SSH also encrypts the data during the session.

8. What command will prevent all unencrypted passwords from displaying in plain text in a configuration file?

  • (config-line)# password secret
  • (config)# enable secret Secret_Password
  • (config)# enable password secret
  • (config)# service password-encryption
  • (config)# enable secret Encrypted_Password

Explanation: To prevent all configured passwords from appearing in plain text in configuration files, an administrator can execute the service password-encryption command. This command encrypts all configured passwords in the configuration file.

9. A network administrator is issuing the login block-for 180 attempts 2 within 30 command on a router. Which threat is the network administrator trying to prevent?

  • a user who is trying to guess a password to access the router
  • a worm that is attempting to access another part of the network
  • an unidentified individual who is trying to access the network equipment room
  • a device that is trying to inspect the traffic on a link

Explanation: The login block-for 180 attempts 2 within 30 command will cause the device to block authentication after 2 unsuccessful attempts within 30 seconds for a duration of 180 seconds. A device inspecting the traffic on a link has nothing to do with the router. The router configuration cannot prevent unauthorized access to the equipment room. A worm would not attempt to access the router to propagate to another part of the network.

10. Which recommended security practice prevents attackers from performing password recovery on a Cisco IOS router for the purpose of gaining access to the privileged EXEC mode?

  • Configure secure administrative control to ensure that only authorized personnel can access the router.
  • Locate the router in a secure locked room that is accessible only to authorized personnel.
  • Provision the router with the maximum amount of memory possible.
  • Keep a secure copy of the router Cisco IOS image and router configuration file as a backup.
  • Disable all unused ports and interfaces to reduce the number of ways that the router can be accessed.

Explanation: Of the three areas of router security, physical security, router hardening, and operating system security, physical security involves locating the router in a secure room accessible only to authorized personnel who can perform password recovery.

11. A company is planning to use a DMZ for their servers and is concerned about securing the network infrastructure. Which device should the network security team use for the edge router?

  • Cisco Nexus switch
  • VPN gateway
  • firewall
  • Layer 2 switch with port security features enabled

Explanation: Firewalls are commonly used on the network edge to create a demilitarized zone (DMZ). The DMZ contains servers that are commonly accessed by external users. By having them in a DMZ, it prevents having servers inside the corporate network with other corporate devices.

12. Which type of access is secured on a Cisco router or switch with the enable secret command?

  • virtual terminal
  • AUX port
  • privileged EXEC
  • console line

Explanation: The enable secret command secures access to the privileged EXEC mode of a Cisco router or switch.

13. What is a common security task performed when securing administrative access to a network infrastructure device?

  • Disable discovery protocols for all user-facing ports.
  • Enable at least two ports for remote access.
  • Log and account for all access.
  • Block local access.

Explanation: When securing both local and remote administrative access to a network device, be sure to record anyone who accesses the device, the actions taken during the access, and the date/time of the access. Other good practices are to limit the number of ports and methods of access, authenticate access, authorize actions performed by those who access the device, display legal notification, and protect data viewed and/or copied. Limit the amount of protocols used for remote access and consider using SSH version 2 or HTTPS. Discovery protocols are not relevant to administrative access.

Related Articles

Inline Feedbacks
View all comments