Security Questions
Question 1
Explanation
Lines (CON, AUX, VTY) default to privilege level 1 when no “privilege level” command is configured under the line.
Question 2
Explanation
MACsec, defined in IEEE 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1X Extensible Authentication Protocol (EAP-TLS) or pre-shared key (PSK) framework.
A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy associated with the MKA peer. MACsec frames are encrypted and protected with an integrity check value (ICV). When the switch receives frames from the MKA peer, it decrypts them and calculates the correct ICV by using session keys provided by MKA. The switch compares that ICV to the ICV within the frame. If they are not identical, the frame is dropped. The switch also encrypts and adds an ICV to any frames sent over the secured port (the access point used to provide the secure MAC service to a MKA peer) using the current session key.
Note: Cisco TrustSec is the solution that includes MACsec.
Question 3
Explanation
The ultimate goal of Cisco TrustSec technology is to assign a tag (known as a Security Group Tag, or SGT) to the user’s or device’s traffic at ingress (inbound into the network), and then enforce the access policy based on the tag elsewhere in the infrastructure (in the data center, for example). This SGT is used by switches, routers, and firewalls to make forwarding decisions. For instance, an SGT may be assigned to a Guest user, so that Guest traffic may be isolated from non-Guest traffic throughout the infrastructure.
Question 4
Explanation
The Cisco TrustSec solution simplifies the provisioning and management of network access control through the use of software-defined segmentation to classify network traffic and enforce policies for more flexible access controls. Traffic classification is based on endpoint identity, not IP address, enabling policy change without network redesign.
Question 5
Explanation
The “enable secret” password is always stored as an MD5 hash (shown as type 5 in the configuration), independent of the “service password-encryption” command. The “enable password” does not encrypt the password, which can be viewed in clear text in the running-config. To obscure the “enable password”, use the “service password-encryption” command. This command encodes passwords with a Vigenere-style algorithm (shown as type 7 in the configuration). Unfortunately, the Vigenere method is cryptographically weak and trivial to reverse: the key is fixed and built into IOS, so anyone who can read the configuration can recover the password.
The MD5 hash is a stronger algorithm than Vigenere, so answer D is correct.
Question 6
Explanation
Firepower Threat Defense (FTD) provides six interface modes, which are: Routed, Switched, Inline Pair, Inline Pair with Tap, Passive, and Passive (ERSPAN).
+ When Inline Pair mode is in use, packets can be blocked since they are processed inline.
+ When you use Inline Pair mode, the packet goes mainly through the FTD Snort engine.
+ When Tap mode is enabled, a copy of the packet is inspected and dropped internally while the actual traffic goes through FTD unmodified.
Question 7
Question 8
Explanation
Ransomware is malicious software that locks up a user’s critical resources. Ransomware uses well-established public/private key cryptography, which leaves paying the ransom or restoring the files from backups as the only ways of recovering them.
The Malicious Activity Protection (MAP) engine in Cisco Advanced Malware Protection (AMP) for Endpoints defends your endpoints by monitoring the system, identifying processes that exhibit malicious activities when they execute, and stopping them from running. Because the MAP engine detects threats by observing the behavior of the process at run time, it can generically determine if a system is under attack by a new variant of ransomware or malware that may have eluded other security products and detection technology, such as legacy signature-based malware detection. The first release of the MAP engine targets identification, blocking, and quarantine of ransomware attacks on the endpoint.
Question 9
Explanation
Clustering lets you group multiple Firepower Threat Defense (FTD) units together as a single logical device. Clustering is only supported for the FTD device on the Firepower 9300 and the Firepower 4100 series. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.
Question 10
Explanation
The “exec-timeout” command is used to configure the inactive session timeout on the console port or the virtual terminal lines. The syntax of this command is:
exec-timeout minutes [seconds]
Therefore we need to use the “exec-timeout 10 0” command under the line to set the user inactivity timer to 600 seconds (10 minutes).
Question 11
Explanation
If you’re a website owner and your website displays this error message, there are two common reasons why the browser reports that the certificate authority is invalid:
+ You’re using a self-signed SSL certificate, OR
+ The certificate authority (CA) that issued your SSL certificate isn’t trusted by your web browser.
Hey, where can I find the PDF file for ENCOR questions and answers? Thanks.
I think B is wrong and C is the correct answer, right?
https://www.cisco.com/c/dam/en/us/solutions/collateral/borderless-networks/trustsec/C07-730151-00_overview_of_trustSec_og.pdf
Q3:
Which feature does Cisco TrustSec use to provide scalable, secure communication throughout a network?
A. security group tag ACL assigned to each port on a switch
B. security group tag number assigned to each port on a network
C. security group tag number assigned to each user on a switch
D. security group tag ACL assigned to each router on a network
Q3
I also think C is correct.
Because an SGT is not an ACL, it is a number that is assigned, and you don’t assign an SGT to each port, but to each user, who is usually connected through a switch.
Can anyone confirm correct answer for Q3?
Q3:
SGT tags define role or business use case and can be assigned to users, endpoints, or other resources as they ingress the TrustSec network. It can happen in two ways:
1- Dynamic: assigned dynamically and can be downloaded as an authorization option from ISE when authenticating using 802.1X, MAB or WebAuth.
2- Static: used in data centre environments, where dynamic assignment is not possible, so statically assigned in several ways:
-IP to SGT tag
-Subnet to SGT tag
-VLAN to SGT tag
-L2/L3 interface to SGT tag
-Port to SGT interface
C (Incorrect) because it mentions only those users who are connected to a switch (seemingly the wired users); what about other users who are connected wirelessly or coming from another network or branch and might not go to a switch but go to ISE through a router/firewall? It seems if the answer option had said users connecting on a network, it might have been correct.
B (Correct): this is true, as it explains one of the scenarios where an SGT tag is assigned to a port on a network.
the correct answer is C
The correct answer is B; a user does not receive an SGT, the port on a network does, for example a port on a switch. If the endpoint wants to authenticate through ISE, then ISE will push back attributes via RADIUS. You can check this on the CLI with the command show access-session interface gigabitethernet 1/0/1 detail. The SGT will show up there.
Please @digitaltut, I’m a premium member. Could you review Q3? What is the correct answer?
An SGT is assigned to each device/user and not to the port. The user/device is attached to the port. The policy is enforced at the endpoint.
Therefore C is the best answer.
@all: We rechecked Q.3 and believe “C. security group tag number assigned to each user on a switch” is the best answer. Thanks for your detection!
Question 1
Refer to the exhibit. Which privilege level is assigned to VTY users?
R1# sh run | begin line con
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
password 7 03384737389E938
login
line vty 5 15
password 7 03384737389E938
login
!
end
R1#sh run | include aaa | enable
no aaa new-model
R1#
A. 1
B. 7
C. 13
D. 15
Answer: A
Explanation
Lines (CON, AUX, VTY) default to privilege level 1 when no “privilege level” command is configured under the line. In the exhibit, “line con 0” and “line aux 0” are explicitly set to level 15, but neither VTY block carries a “privilege level” command, so VTY users land at level 1.
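As an added example (not from the original page, the site, or Cisco), the following Python audits a running-config excerpt for the two points made in Question 1 and Question 5: a line block with no “privilege level” command falls back to level 1, and a “password 7” string is a fixed-key XOR that anyone who can read the config can reverse. The config text is constructed in the shape of the exhibit above; the type 7 value 094F471A1A0A is a widely published test vector that decodes to “cisco”; the function names are mine.

```python
import re

# Fixed key that IOS uses for type 7 ("service password-encryption") strings.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed running-config excerpt in the shape of the Question 1 exhibit.
# 094F471A1A0A is the widely published type 7 test vector for "cisco".
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 password 7 094F471A1A0A
 login
line vty 5 15
 password 7 094F471A1A0A
 login
!
end
"""


def decrypt_type7(encoded):
    """Reverse a type 7 string: two decimal salt digits, then one hex byte per
    plaintext character, each XORed with TYPE7_KEY starting at the salt offset."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        # Rejects malformed strings, e.g. an odd number of hex digits.
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    salt = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ TYPE7_KEY[(salt + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return clear.decode("ascii")


def encrypt_type7(clear, salt=9):
    """Forward direction, to show it is the same fixed-key XOR (no secret involved)."""
    if not 0 <= salt <= 15:
        raise ValueError("IOS picks a salt between 0 and 15")
    body = "".join(f"{ord(c) ^ TYPE7_KEY[(salt + i) % len(TYPE7_KEY)]:02X}"
                   for i, c in enumerate(clear))
    return f"{salt:02d}{body}"


def parse_line_blocks(config):
    """Group the sub-commands under each 'line ...' block. A '!', 'end' or blank
    line closes a block, so unindented pastes like the exhibit also parse."""
    blocks, current = {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            blocks[current] = []
        elif cmd in ("", "!", "end"):
            current = None
        elif current is not None:
            blocks[current].append(cmd)
    return blocks


def audit_lines(config):
    """For each line block report the effective privilege level (IOS default 1),
    the password type configured and, for type 0/7, the recovered cleartext."""
    report = {}
    for name, cmds in parse_line_blocks(config).items():
        entry = {"privilege": 1, "password_type": None, "recovered": None}
        for cmd in cmds:
            m = re.fullmatch(r"privilege level (\d+)", cmd)
            if m:
                entry["privilege"] = int(m.group(1))
                continue
            m = re.fullmatch(r"password (?:(\d) )?(\S+)", cmd)
            if m:
                ptype = m.group(1) or "0"  # no type digit means cleartext (type 0)
                entry["password_type"] = ptype
                if ptype == "0":
                    entry["recovered"] = m.group(2)
                elif ptype == "7":
                    entry["recovered"] = decrypt_type7(m.group(2))
        report[name] = entry
    return report


if __name__ == "__main__":
    for name, e in audit_lines(SAMPLE_CONFIG).items():
        print(f"{name:<14} privilege={e['privilege']:<3} "
              f"password_type={e['password_type']} recovered={e['recovered']}")
```

Running it reports level 15 for the CON and AUX blocks, level 1 for both VTY blocks, and the recovered VTY password, which is the practical reason “enable secret” (a hash) is preferred over “enable password” plus “service password-encryption”. The type 7 string in the exhibit as transcribed on this page has an odd number of hex digits, so decrypt_type7 rejects it instead of guessing at it.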
@digitaltut, your answer in the explanation here is not 100% correct. Please amend accordingly.
The privilege levels of CON and AUX are level 15. You can see it in the exhibit.
The privilege level of the VTY lines defaults to 1, because the command “privilege level x” is not specified (where x is any number between 0 and 15, 0 being the lowest level and 15 the highest).
If you do not specify the privilege level for any line, then it defaults to level 1.
@Life Is Study: “Lines (CON, AUX, VTY) default to level 1 privileges”. Please check this link: https://www.oreilly.com/library/view/hardening-cisco-routers/0596001665/ch04.html
@Life is study & Digitaltut,
Thanks, both are right.
Q1 asked about ‘vty’.
Based on exhibit, privilege level is 1.
+++++++
Lines (CON, AUX, VTY) default to level 1 privileges. This can be changed using the privilege level command under each line. To change the default privilege level of the AUX port, you would type the following:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line aux 0
Router(config-line)#privilege level 4
Router(config-line)#^Z
Router#
Or, to change the default privilege level of all VTY access to level 12:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#privilege level 12
Router(config-line)#^Z
Router#
++++++
Passed yesterday, August 1st 2023. Question number 9 was on my test for sure.