Last Updated on November 1, 2019 by Admin
Implementing Network Security (Version 2.0) – CCNAS Chapter 8 Exam Online
CCNAS – Chapter 8 Exam
1. Question
(1 point) Refer to the exhibit. How will traffic that does not match that defined by access list 101 be treated by the router?
The access list 101 is part of the crypto map configuration on the router. The purpose of the access list is to identify interesting traffic that should be sent encrypted over a VPN. Traffic that does not match the access-list is not interesting and is not sent encrypted but rather sent unencrypted in plain text.
2. Question
(3 points) What three protocols must be permitted through the company firewall for establishment of IPsec site-to-site VPNs? (Choose three.)
ESP, AH, and ISAKMP must all be permitted through the perimeter routers and firewalls in order for IPsec site-to-site VPNs to be established. NTP and HTTPS are application protocols and are not required for IPsec.
3. Question
(1 point) Which statement describes the effect of key length in deterring an attacker from hacking through an encryption key?
With respect to brute-force attacks and other forced-decryption concerns, the longer the key, the harder it is to break. A 64-bit key can take one year to break with a sophisticated computer, while a 128-bit key may take 10^19 years to decrypt. Different encryption algorithms will provide varying key lengths for implementation.
4. Question
(1 point) What is the purpose of configuring multiple crypto ACLs when building a VPN connection between remote sites?
A crypto ACL can define “interesting traffic” that is used to build a VPN, and forward that “interesting traffic” across the VPN to another VPN-enabled router. Multiple crypto ACLs are used to define multiple different types of traffic and utilize different IPsec protection corresponding to the different types of traffic.
5. Question
(1 point) Consider the following configuration on a Cisco ASA:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
What is the purpose of this command?
The transform set is negotiated during Phase 2 of the IPsec VPN connection process. The purpose of the transform set is to define what encryption and authentication schemes can be used. The device doing the VPN initiation offers the acceptable transform sets in order of preference, in this case, ESP authentication using DES for encryption or ESP authentication using SHA-HMAC authentication and integrity for the data payload. Remember that ESP provides confidentiality with encryption and integrity with authentication. ESP-DES-SHA is the name of the transform set. The parameters that follow (esp-des and esp-sha-hmac) are the specific types of encryption or authentication that are supported by the ASA for the VPN tunnel that uses this transform set.
6. Question
(1 point) Which transform set provides the best protection?
DES uses 56-bit keys. 3DES uses 56-bit keys, but encrypts three times. AES uses 128-bit keys. AES-256 uses 256-bit keys and is the strongest.
7. Question
(2 points) Which two protocols must be allowed for an IPsec VPN tunnel to operate properly? (Choose two.)
ESP uses protocol 50. AH uses protocol 51. ISAKMP uses UDP port 500.
8. Question
(1 point) When is a security association (SA) created if an IPsec VPN tunnel is used to connect between two sites?
As seen in the 8.4.1.1 Figure, an IPsec VPN connection creates two SAs: (1) at the completion of the IKE Phase 1 once the peers negotiate the IKE SA policy, and (2) at the end of IKE Phase 2 after the transform sets are negotiated.
9. Question
(2 points) Which two statements accurately describe characteristics of IPsec? (Choose two.)
IPsec can secure a path between two network devices. IPsec can provide the following security functions:
- Confidentiality – IPsec ensures confidentiality by using encryption.
- Integrity – IPsec ensures that data arrives unchanged at the destination using a hash algorithm, such as MD5 or SHA.
- Authentication – IPsec uses Internet Key Exchange (IKE) to authenticate users and devices that can carry out communication independently. IKE uses several types of authentication, including username and password, one-time password, biometrics, pre-shared keys (PSKs), and digital certificates.
- Secure key exchange – IPsec uses the Diffie-Hellman (DH) algorithm to provide a public key exchange method for two peers to establish a shared secret key.
10. Question
(1 point) Which action do IPsec peers take during the IKE Phase 2 exchange?
The IKE protocol executes in two phases. During Phase 1 the two sides negotiate IKE policy sets, authenticate each other, and set up a secure channel. During the second phase IKE negotiates security associations between the peers.
11. Question
(3 points) Which three statements describe the IPsec protocol framework? (Choose three.)
The two primary protocols used with IPsec are AH and ESP. AH is protocol number 51 and provides data authentication and integrity for IP packets that are exchanged between the peers. ESP, which is protocol number 50, performs packet encryption.
12. Question
(1 point) Which statement accurately describes a characteristic of IPsec?
IPsec can secure a path between two network devices. IPsec can provide the following security functions:
- Confidentiality – IPsec ensures confidentiality by using encryption.
- Integrity – IPsec ensures that data arrives unchanged at the destination using a hash algorithm, such as MD5 or SHA.
- Authentication – IPsec uses Internet Key Exchange (IKE) to authenticate users and devices that can carry out communication independently. IKE uses several types of authentication, including username and password, one-time password, biometrics, pre-shared keys (PSKs), and digital certificates.
- Secure key exchange – IPsec uses the Diffie-Hellman (DH) algorithm to provide a public key exchange method for two peers to establish a shared secret key.
13. Question
(2 points) Which two IPsec protocols are used to provide data integrity?
The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two popular algorithms used to ensure that data is not intercepted and modified (data integrity) are MD5 and SHA. AES is an encryption protocol and provides data confidentiality. DH (Diffie-Hellman) is an algorithm used for key exchange. RSA is an algorithm used for authentication.
14. Question
(1 point) What is the function of the Diffie-Hellman algorithm within the IPsec framework?
The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. DH (Diffie-Hellman) is an algorithm used for key exchange. DH is a public key exchange method that allows two IPsec peers to establish a shared secret key over an insecure channel.
15. Question
(1 point) Refer to the exhibit. What HMAC algorithm is being used to provide data integrity?
Two popular algorithms that are used to ensure that data is not intercepted and modified (data integrity) are MD5 and SHA. The command Router1(config-isakmp)# hash sha indicates that SHA is being used. AES is an encryption protocol and provides data confidentiality. DH (Diffie-Hellman) is an algorithm that is used for key exchange. RSA is an algorithm used for authentication.
16. Question
(1 point) What is needed to define interesting traffic in the creation of an IPsec tunnel?
In order to bring up an IPsec tunnel, an access list must be configured with a permit statement that will identify interesting traffic. Once interesting traffic is detected by matching the access list, the tunnel security associations can be negotiated.
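How a router applies the crypto ACLs described in questions 1, 4 and 16, as an added example (not part of the original quiz and not Cisco code). ACL 102, the subnets and the transform-set names are constructed, and the model assumes that a deny entry leaves traffic unprotected by that crypto map entry so that evaluation moves on to the next one.

```python
import ipaddress
import re

# Constructed sample config: subnets, ACL 102 and the transform-set names are
# illustrative and do not come from the exam exhibit.
ACLS = """
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 102 deny ip host 10.0.1.50 any
access-list 102 permit ip 10.0.1.0 0.0.0.255 172.16.0.0 0.0.255.255
"""
# (sequence number, crypto ACL, transform set), one tuple per crypto map entry.
CRYPTO_MAP = [(10, 101, "AES256-SHA"), (20, 102, "AES128-SHA")]


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _take_endpoint(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(first), _to_int(tokens.pop(0))


def parse_acls(text):
    """Return {acl_number: [(action, src, dst), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) ip (.+)$", line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        tokens = m.group(3).split()
        src = _take_endpoint(tokens)
        dst = _take_endpoint(tokens)
        acls.setdefault(int(m.group(1)), []).append((m.group(2), src, dst))
    return acls


def _matches(endpoint, addr):
    base, wildcard = endpoint
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return ((base ^ _to_int(addr)) & ~wildcard & 0xFFFFFFFF) == 0


def treatment(acls, crypto_map, src, dst):
    """Return the transform set protecting src -> dst, or 'cleartext'."""
    for _seq, acl_no, transform_set in sorted(crypto_map):
        for action, acl_src, acl_dst in acls.get(acl_no, []):
            if _matches(acl_src, src) and _matches(acl_dst, dst):
                if action == "permit":
                    return transform_set  # interesting traffic: sent over the VPN
                break  # deny: not protected by this entry, try the next entry
    # Not interesting traffic: forwarded unencrypted, not dropped.
    return "cleartext"


if __name__ == "__main__":
    parsed = parse_acls(ACLS)
    for s, d in [("10.0.1.7", "10.0.2.9"), ("10.0.1.7", "172.16.4.1"),
                 ("10.0.1.50", "172.16.4.1"), ("10.0.1.7", "8.8.8.8")]:
        print(f"{s} -> {d}: {treatment(parsed, CRYPTO_MAP, s, d)}")
```

Running flows that are expected to be protected through `treatment` is a quick way to spot a crypto ACL gap that would let them leave the router in plain text.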
17. Question
(1 point) Refer to the exhibit. What algorithm will be used for providing confidentiality?
The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two popular algorithms that are used to ensure that data is not intercepted and modified (data integrity) are MD5 and SHA. AES is an encryption protocol and provides data confidentiality. DH (Diffie-Hellman) is an algorithm that is used for key exchange. RSA is an algorithm used for authentication.
18. Question
(1 point) Which technique is necessary to ensure a private transfer of data using a VPN?
Confidential and secure transfers of data with VPNs require data encryption.
19. Question
(1 point) Which statement describes a VPN?
A VPN is a private network that is created over a public network. Instead of using dedicated physical connections, a VPN uses virtual connections routed through a public network between two network devices.
20. Question
(1 point) Which protocol provides authentication, integrity, and confidentiality services and is a type of VPN?
IPsec services allow for authentication, integrity, access control, and confidentiality. With IPsec, the information exchanged between remote sites can be encrypted and verified. Both remote-access and site-to-site VPNs can be deployed using IPsec.
21. Question
(1 point) What is the purpose of NAT-T?
Establishing a VPN between two sites has been a challenge when NAT is involved at either end of the tunnel. The enhanced version of the original IKE, IKE version 2, now supports NAT-T. NAT-T has the ability to encapsulate ESP packets inside UDP so that the VPN tunnel can be established through a device that has NAT enabled.
22. Question
(1 point) Which term describes a situation where VPN traffic that is received by an interface is routed back out that same interface?
Hairpinning allows VPN traffic that is received on a single interface to be routed back out that same interface. Split tunneling allows traffic that originates from a remote-access client to be split according to traffic that must cross a VPN and traffic destined for the public Internet. MPLS and GRE are two types of Layer 3 VPNs.
23. Question
(1 point) What is an important characteristic of remote-access VPNs?
With remote-access VPNs, the remote user does not necessarily have the VPN connection set up at all times. The remote user PC is responsible for initiating the VPN. Information required to establish the VPN connection changes dynamically depending on the location of the user when attempting to connect.
24. Question
(1 point) Which type of site-to-site VPN uses trusted group members to eliminate point-to-point IPsec tunnels between the members of a group?
Group Encrypted Transport VPN (GETVPN) uses a trusted group to eliminate point-to-point tunnels and their associated overlay routing. GETVPN is often described as “tunnel-less.” Dynamic Multipoint VPN (DMVPN) enables auto-provisioning of site-to-site IPsec VPNs using a combination of three Cisco IOS features: NHRP, GRE, and IPsec VPNs. Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that encapsulates multiprotocol traffic between remote Cisco routers, but does not encrypt data. An MPLS VPN consists of a set of sites that are interconnected by means of an MPLS provider core network.
25. Question
(1 point) Refer to the exhibit. Which pair of crypto isakmp key commands would correctly configure PSK on the two routers?
The correct syntax of the crypto isakmp key command is as follows:
crypto isakmp key keystring address peer-address
or
crypto isakmp key keystring hostname peer-hostname
So, the correct answer would be the following:
R1(config)# crypto isakmp key cisco123 address 209.165.200.227
R2(config)# crypto isakmp key cisco123 address 209.165.200.226
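A check for the two ways this PSK pair is usually misconfigured (a router naming its own address, or keystrings that differ), as an added example that is not part of the original quiz. The exhibit is not reproduced on the page, so the routers' own addresses are inferred from the answer above, and the two broken R2 lines are constructed.

```python
import re

# The exhibit is not on the page; own addresses are inferred from the answer,
# where each router names the *other* router's address: R1 = .226, R2 = .227.
R1_ADDR, R2_ADDR = "209.165.200.226", "209.165.200.227"
R1_GOOD = "crypto isakmp key cisco123 address 209.165.200.227"
R2_GOOD = "crypto isakmp key cisco123 address 209.165.200.226"
# Constructed misconfigurations for comparison.
R2_OWN_ADDR = "crypto isakmp key cisco123 address 209.165.200.227"  # names itself
R2_BAD_KEY = "crypto isakmp key cisco321 address 209.165.200.226"   # key differs

KEY_RE = re.compile(
    r"^\s*crypto isakmp key (\S+) (address|hostname) (\S+)\s*$", re.M)


def psk_entries(config):
    """Map peer identifier -> keystring for every 'crypto isakmp key' line."""
    return {peer: key for key, _kind, peer in KEY_RE.findall(config)}


def check_psk_pair(a, b):
    """a and b are (name, own_address, config). Return a list of problems.

    Only address-based entries are compared; hostname entries are parsed but
    would need name resolution to validate. Keystrings are never echoed.
    """
    problems = []
    keys = {}
    for (name, own, cfg), (peer_name, peer_addr, _cfg) in ((a, b), (b, a)):
        entries = psk_entries(cfg)
        if own in entries:
            problems.append(f"{name}: key is bound to its own address {own}")
        if peer_addr not in entries:
            problems.append(f"{name}: no key for peer {peer_name} ({peer_addr})")
        else:
            keys[name] = entries[peer_addr]
    if len(keys) == 2 and len(set(keys.values())) != 1:
        problems.append("keystrings differ; IKE Phase 1 authentication will fail")
    return problems


if __name__ == "__main__":
    r1 = ("R1", R1_ADDR, R1_GOOD)
    for label, r2_cfg in [("good", R2_GOOD), ("own address", R2_OWN_ADDR),
                          ("bad key", R2_BAD_KEY)]:
        print(label, check_psk_pair(r1, ("R2", R2_ADDR, r2_cfg)))
```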