CCNA Security Practice Exam Training Questions
10 Questions On NTP, SSH, Telnet, And More!
By Chris Bryant, CCIE #12933
The CCNA Security certification is the most important computer certification to come along in years, and to help you pass this tough exam, here's the first in a series of practice exam questions!
Watch my CCNA Security Resource Page for more practice exam questions and exclusive tutorials you'll see nowhere else!
There's one very important prerequisite to earning your CCNA Security certification - you've got to be CCNA certified first, and there's no more effective method than my Ultimate CCNA Study Package! If you're not certified yet, get started today!

And if you've already earned that certification, get started on your CCNA Security studies right now by clicking that link!
Here are the first 10 questions in this new series!
1. We'll start with a question you learned the answer to in your CCNA studies. When you have an enable secret and an enable password set, which takes precedence over the other?
A. The enable secret takes precedence.
B. The enable password takes precedence.
C. You cannot set both an enable secret and an enable password.
D. You can set them both, but since they must be set to the same value, there is no question of precedence.
2. What device and stratum level are found at the top of the NTP hierarchy?
A. Atomic clocks, stratum 1
B. Atomic clocks, stratum 0
C. NTP Masters, stratum 1
D. NTP Masters, stratum 0
E. NTP Primary, stratum 0
F. NTP Primary, stratum 1
3. What port does NTP use?
4. What are the options for NTP authentication?
A. MD5
B. Bellman-Ford
C. clear text
D. CHAP
E. PAP
5. What command resulted in the following output?
R2#
Clock is synchronized, stratum 10, reference is 172.12.23.3
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**19
reference time is CBB9CEC8.17FBD1B8 (15:05:44.093 UTC Wed Apr 23 2008)
clock offset is -0.6214 msec, root delay is 37.20 msec
root dispersion is 5.04 msec, peer dispersion is 0.53 msec
6. What command will limit the overall number of NTP peers and clients that the local router can form an association with?
7. What authentication option is available for Telnet that is not available with SSH?
8. What command resulted in the following output?
R1(config)#
The name for the keys will be: HQ.HQ.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
9. Name the two options for TCP Intercept mode and describe the major operational difference between the two.
10. Name the two operational modes for Autosecure and describe the major difference between them.
Here are the answers!
1. A. The enable secret always takes precedence over the enable password.
2. B. Atomic clocks are at the top of the NTP hierarchy, and that top level is Stratum 0. Cisco routers cannot get their time directly from a Stratum 0 device.
3. NTP uses UDP port 123. Remember that when you're configuring your ACLs!
4. A. As IOS Help illustrates, the only option here is MD5. You still have to specify that option, though.
R1(config)#ntp authentication-key 1 ?
md5 MD5 authentication
5. That command output is the result of the show ntp status command.
6. You can limit the overall number of NTP peers and clients with the ntp max-associations command.
R3(config)#ntp max-associations ?
<0-4294967295> Number of associations
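Questions 3, 4 and 6 fit together on a real router, so here's one added configuration example (mine, not part of the original question set) that ties them up: MD5 authentication of the NTP server, a cap on associations, an NTP access group, and an interface ACL that remembers NTP is UDP 123. The server address 172.12.23.3, key number 1, the key string, the ACL names and the interface names are all assumptions picked for illustration.

```cisco
! Added example, not from the original page. Server 172.12.23.3, key 1,
! the key string, ACL names and interface names are assumptions.
!
! 1. Define the MD5 key, require authentication, and mark the key trusted.
!    "ntp authenticate" is the switch that actually enforces it: without it
!    the key on the server line is never checked and the router syncs anyway.
ntp authentication-key 1 md5 S3cretNtpKey
ntp authenticate
ntp trusted-key 1
!
! 2. Point at the server and name the key to use with it.
ntp server 172.12.23.3 key 1
!
! 3. Cap the number of peers and clients this router will associate with.
ntp max-associations 4
!
! 4. Restrict which addresses may exchange NTP with this router at all.
!    "peer" is needed for a server we sync to; serve, serve-only and
!    query-only are the more restrictive access-group types.
access-list 10 permit host 172.12.23.3
ntp access-group peer 10
!
! 5. If the LAN side should not see this router as an NTP server, turn NTP
!    off on that interface.
interface FastEthernet0/0
 ntp disable
!
! 6. Interface ACL on the outside link. NTP is UDP 123 in both directions,
!    so only the trusted server's replies are allowed in.
ip access-list extended OUTSIDE-IN
 permit udp host 172.12.23.3 eq 123 any eq 123
 deny   udp any any eq 123
 permit ip any any
interface Serial0/0
 ip access-group OUTSIDE-IN in
!
! Verify: "show ntp associations detail" shows "authenticated" for the
! server once the key matches, and "show ntp status" should read
! "Clock is synchronized".
```

If "show ntp status" keeps saying "unsynchronized" after you add authentication, check the trusted-key line first; a key that is defined but not trusted is the usual reason.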
7. You can use a line password for Telnet, but not for SSH. For SSH, you'll need to use AAA or a locally configured database.
8. That output is the result of the crypto key generate rsa command.
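Questions 7 and 8 are really the same job, so here's an added example (again mine, not from the original page) that shows the Telnet-with-line-password setup next to the SSH setup that replaces it. The hostname and domain match the key name HQ.HQ.com from question 8; the username, the secrets and the timer values are assumptions.

```cisco
! Added example, not from the original page. Username, secrets and timer
! values are assumptions chosen for illustration.
!
! --- Before: Telnet, protected only by a shared line password ---
line vty 0 4
 password cisco
 login
 transport input telnet
!
! --- After: SSH. There is no line-password option here, so the router
! must have a local user database (or AAA) before SSH logins will work. ---
hostname HQ
ip domain-name HQ.com
!
! The key name HQ.HQ.com comes from hostname plus domain name. Giving the
! modulus on the command line skips the interactive prompt from question 8.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Shrink the brute-force window: login must finish within 60 seconds and
! only 3 password attempts are allowed per session.
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Per-user credentials. "secret" stores a hash; "password" would store a
! reversible type 7 string.
username admin privilege 15 secret Str0ngPassw0rd
!
line vty 0 4
 login local
 transport input ssh
!
! Verify: "show ip ssh" reports the SSH version and key modulus, and
! "show ssh" lists active sessions.
```

Note that "login local" replaces "login" on the vty lines. If you leave "transport input all" in place, Telnet would also start using the local database, which is fine, but the point of the exercise is to turn Telnet off.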
9. TCP Intercept is generally run in intercept mode, allowing the router to intercept those TCP SYN requests and answer them on behalf of the server.
If the SYN source is legitimate, a TCP ACK should be received by the router. If and when that happens, the router considers that three-way handshake to be complete and the SYN source to be legitimate.
In turn, the router opens a TCP connection to the server, and when that connection is complete, the router merges the two open connections into one.
This prevents any non-legitimate SYN packets from ever reaching the server. TCP Intercept can be configured to intercept all incoming SYN packets, or an ACL can be written to identify the source and destination for packets that should be intercepted.
TCP Intercept can also be run in watch mode, a much more passive mode than intercept mode. In watch mode, the router does not intercept the SYN packets, but passes them through to the TCP server.
The router does watch this incomplete connection, and will close it if it's not completed after a certain period of time - by default, 30 seconds. Use the ip tcp intercept mode command to configure the desired mode.
R1(config)#ip tcp intercept mode ?
intercept Intercept connections
watch Watch connections
R1(config)#ip tcp intercept mode intercept
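To put the two modes side by side, here's an added example (mine, not from the original page) of TCP Intercept protecting a single web server, including the aggressive-mode thresholds that decide when the router starts dropping half-open connections. The server address 10.1.1.10 and the ACL number 101 are assumptions chosen for illustration.

```cisco
! Added example, not from the original page. Server 10.1.1.10 and
! ACL 101 are assumptions chosen for illustration.
!
! Only SYNs headed for the protected server are intercepted; all other
! TCP traffic passes untouched. The ACL matches the destination, not the
! attacker, because the attacker's source addresses are spoofed anyway.
access-list 101 permit tcp any host 10.1.1.10 eq 80
ip tcp intercept list 101
!
! Watch mode: the SYN goes through to the server, and the router resets
! the half-open connection if the handshake is not complete in time.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 30
!
! Intercept mode: the router answers the SYN itself and only opens the
! connection to the server after the client's ACK arrives. The two modes
! are mutually exclusive; the last one configured is the one in effect.
ip tcp intercept mode intercept
!
! Aggressive mode kicks in when half-open connections pass the "high"
! thresholds (total, or new ones in the last minute) and stops again below
! "low". While aggressive, the router drops an existing half-open
! connection (oldest first here) for every new SYN it sees.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
!
! Verify:
!   show tcp intercept connections   incomplete vs established entries
!   show tcp intercept statistics    counts and whether aggressive mode is on
```

The threshold values shown are the IOS defaults; the point of listing them is that they exist and can be tuned for the server behind the router, not that these particular numbers are right for every network.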
10. The Autosecure modes:
Interactive, where the admin is prompted for input. This mode is similar to Setup Mode. If you're going to configure anything requiring user interaction - SSH, enable passwords, etc. - you should use this mode.
Non-interactive, where Cisco's recommended settings for Autosecure are put into action. Cisco's recommended settings are very secure - maybe too secure for your network!

Look for other CCNA Security, CCNA Wireless, and CCNA Voice questions and fully-illustrated tutorials on those exclusive Resource Pages!
To your success,
Chris Bryant
CCIE #12933
chris@thebryantadvantage.com