
Security Questions

January 27th, 2021 in ENCOR 350-401

Question 1

Explanation

Lines (CON, AUX, VTY) default to level 1 privileges.

Question 2

Explanation

MACsec, defined in IEEE 802.1AE, provides MAC-layer encryption over wired networks and uses out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1X Extensible Authentication Protocol (EAP-TLS) or Pre-Shared Key (PSK) framework.

A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy associated with the MKA peer. MACsec frames are encrypted and protected with an integrity check value (ICV). When the switch receives frames from the MKA peer, it decrypts them and calculates the correct ICV by using the session keys provided by MKA. The switch compares that ICV to the ICV within the frame. If they are not identical, the frame is dropped. The switch also encrypts and adds an ICV to any frames sent over the secured port (the access point used to provide the secure MAC service to an MKA peer) using the current session key.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/sec/b_169_sec_9300_cg/macsec_encryption.html

Note: Cisco TrustSec is the solution which includes MACsec.

Question 3

Explanation

Cisco TrustSec uses tags to represent logical group privilege. This tag, called a Security Group Tag (SGT), is used in access policies. The SGT is understood by Cisco switches, routers and firewalls, which use it to enforce policy on traffic. Cisco TrustSec is defined in three phases: classification, propagation and enforcement.
When users and devices connect to a network, the network assigns them a specific security group. This process is called classification. Classification can be based on the results of the authentication or on associating the SGT with an IP address, VLAN, or port-profile (-> Answer A and answer C are not correct as they say “assigned … on a switch” only. Answer D is not correct either as it says “assigned to each router”).

Question 4

Explanation

The Cisco TrustSec solution simplifies the provisioning and management of network access control through the use of software-defined segmentation to classify network traffic and enforce policies for more flexible access controls. Traffic classification is based on endpoint identity, not IP address, enabling policy changes without network redesign.

Reference: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Apr2016/User-to-DC_Access_Control_Using_TrustSec_Deployment_April2016.pdf

Question 5

Explanation

The “enable secret” password is always stored as an MD5 hash (independent of the “service password-encryption” command). The “enable password” does not encrypt the password, which can be viewed in clear text in the running-config. In order to encrypt the “enable password”, use the “service password-encryption” command. This command encrypts the passwords using the Vigenere encryption algorithm. Unfortunately, the Vigenere encryption method is cryptographically weak and trivial to reverse.

The MD5 hash is a stronger algorithm than Vigenere so answer D is correct.

Question 6

Explanation

Firepower Threat Defense (FTD) provides six interface modes which are: Routed, Switched, Inline Pair, Inline Pair with Tap, Passive, Passive (ERSPAN).

+ When Inline Pair Mode is in use, packets can be blocked since they are processed inline.
+ When you use Inline Pair mode, the packet goes mainly through the FTD Snort engine.
+ When Tap Mode is enabled, a copy of the packet is inspected and dropped internally while the actual traffic goes through FTD unmodified.

Reference: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuring-firepower-threat-defense-int.html

Question 7

Question 8

Explanation

Ransomware is malicious software that locks up the users' critical resources. Ransomware uses well-established public/private key cryptography, which leaves paying the ransom or restoring files from backups as the only ways of recovering the files.

Cisco Advanced Malware Protection (AMP) for Endpoints Malicious Activity Protection (MAP) engine defends your endpoints by monitoring the system and identifying processes that exhibit malicious activities when they execute and stops them from running. Because the MAP engine detects threats by observing the behavior of the process at run time, it can generically determine if a system is under attack by a new variant of ransomware or malware that may have eluded other security products and detection technology, such as legacy signature-based malware detection. The first release of the MAP engine targets identification, blocking, and quarantine of ransomware attacks on the endpoint.

Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/amp-for-endpoints/white-paper-c11-740980.pdf

Question 9

Explanation

Clustering lets you group multiple Firepower Threat Defense (FTD) units together as a single logical device. Clustering is only supported for the FTD device on the Firepower 9300 and the Firepower 4100 series. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.

Question 10

Explanation

The “exec-timeout” command is used to configure the inactive session timeout on the console port or the virtual terminal. The syntax of this command is:

exec-timeout minutes [seconds]

Therefore, we need to use the “exec-timeout 10 0” command to set the user inactivity timer to 600 seconds (10 minutes).
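As an added example (not from this page, digitaltut or Cisco), the following Python script audits a running-config excerpt for the two points made in Question 5 and Question 10: passwords stored in reversible form (“enable password” and type 0/7 line passwords, as opposed to the hashed “enable secret”) and line idle timers that are disabled or longer than the 600 seconds set with “exec-timeout 10 0”. It assumes standard IOS running-config layout (one-space indentation under “line” stanzas) and the IOS default exec-timeout of 10 minutes when the command is absent; SAMPLE_CONFIG is constructed with placeholder secrets.

```python
import re

# Constructed sample running-config (placeholder secrets, not page values).
SAMPLE_CONFIG = """\
enable password Cleartext123
line con 0
 exec-timeout 0 0
 password 7 PLACEHOLDERTYPE7
line vty 0 4
 exec-timeout 10 0
line vty 5 15
 password cleartextvty
"""


def exec_timeout_seconds(args):
    """Seconds for 'exec-timeout minutes [seconds]'; None = IOS default 10 min."""
    if args is None:
        return 600
    parts = args.split()
    return int(parts[0]) * 60 + (int(parts[1]) if len(parts) > 1 else 0)


def audit_config(config, max_idle=600):
    """Flag reversible passwords (Question 5) and weak idle timers (Question 10)."""
    findings, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("enable password "):
            findings.append("enable password: cleartext or type 7, replace with enable secret")
        if raw.startswith("line "):
            current = raw[5:].strip()  # e.g. 'con 0', 'vty 0 4'
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level stanza ends the line block
    for name, cmds in blocks.items():
        timeout = None
        for cmd in cmds:
            if cmd.startswith("exec-timeout "):
                timeout = cmd[len("exec-timeout "):]
            m = re.match(r"password (?:(\d+) )?\S+$", cmd)  # 'password [type] string'
            if m and m.group(1) in (None, "0", "7"):
                findings.append(f"line {name}: password type {m.group(1) or 0} is cleartext or reversible")
        secs = exec_timeout_seconds(timeout)  # '0 0' disables the timer entirely
        if secs == 0:
            findings.append(f"line {name}: exec-timeout 0 0 disables the idle timer")
        elif secs > max_idle:
            findings.append(f"line {name}: exec-timeout {secs}s exceeds {max_idle}s")
    return findings
```

Calling audit_config(SAMPLE_CONFIG) returns four findings: the “enable password”, the type 7 password and disabled timer on con 0, and the cleartext password on vty 5 15, while vty 0 4 with “exec-timeout 10 0” passes.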

Question 11

Explanation

If you’re a website owner and your website displays this error message, then there could be two reasons why the browser says the cert authority is invalid:
+ You’re using a self-signed SSL certificate, OR
+ The certificate authority (CA) that issued your SSL certificate isn’t trusted by your web browser.

Comments
  1. joe
    April 27th, 2020

    Hey, where can I find the pdf file for ENCOR questions and answers. Thanks.

  2. Nedal_Shboul
    May 18th, 2020

    I think B is wrong and C is correct ans, right?

    https://www.cisco.com/c/dam/en/us/solutions/collateral/borderless-networks/trustsec/C07-730151-00_overview_of_trustSec_og.pdf

    Q3:
    Which feature does Cisco TrustSec use to provide scalable, secure communication throughout a network?
    A. security group tag ACL assigned to each port on a switch
    B. security group tag number assigned to each port on a network
    C. security group tag number assigned to each user on a switch
    D. security group tag ACL assigned to each router on a network

  3. RON BERSERKER
    June 6th, 2020

    Q3
    I also think C is correct.

    Because an SGT is not an ACL, it is a number that is assigned, and you don’t assign an SGT to each port, but to each user that is usually connected through a switch.

  4. Update
    June 13th, 2020

    Can anyone confirm correct answer for Q3?

  5. GZ
    July 11th, 2020

    Q3:
    SGT tags define a role or business use case and can be assigned to users, endpoints, or other resources as they ingress the TrustSec network. It can happen in two ways:
    1- Dynamic: assigned dynamically and can be downloaded as an authorization option from ISE when authenticating using 802.1X, MAB or WebAuth.
    2- Static: used in data centre env, where dynamic assignment is not possible, so statically assigned in several ways:
    - IP to SGT tag
    - Subnet to SGT tag
    - VLAN to SGT tag
    - L2/L3 interface to SGT tag
    - Port to SGT interface

    C (Incorrect) because it mentions only those users who are connected to a switch (seems the wired users); how about other users who are connected wirelessly or coming from another network or branch and might not go to a switch but go to ISE through a router/firewall. It seems if the answer option had said “the users connecting on a network” it might have been correct.
    B (Correct) this is true as it explains one of the scenarios where an SGT tag is assigned to a port on a network.

  6. mimou
    August 8th, 2020

    the correct answer is C

  7. Mbubba
    September 7th, 2020

    The correct answer is B, a user does not receive an SGT; the port on a network does, for example a port on a switch. If the endpoint wants to authenticate through ISE, then ISE will push back attributes via RADIUS. You can check this on the CLI with the command show access-session interface gigabitethernet 1/0/1 detail. The SGT will show up there.

  8. esfin
    December 21st, 2020

    Please @digitaltut, I’m a premium member. Could you review Q3? What is the correct answer?

  9. DNA
    January 15th, 2021

    An SGT is assigned to each device/user and not to the port. The user/device is attached to the port. The policy is enforced at the endpoint.
    Therefore C is the best answer.
