CCNA Security Chapter 2 Quiz
49 Questions

Questions and Answers

What are the three main areas of router security?

  • Network Security, User Authentication, Data Confidentiality
  • Network Security, Data Confidentiality, User Authentication
  • Physical Security, Network Security, User Authentication
  • Physical Security, User Authentication, Data Confidentiality (correct)

Which of these are NOT types of router security approaches?

  • DMZ Approach
  • Single Router Approach
  • Intrusion Detection System (IDS) Approach (correct)
  • Defense in Depth Approach

Which one of these is NOT a secure administrative access task?

  • Ensure the confidentiality of data (correct)
  • Authenticate access
  • Restrict device accessibility
  • Log and account for all access

    What types of remote access to a router are mentioned in the text?

    Telnet/SSH connection and modem/aux port (A)

    What is a recommendation for creating a strong password?

    Use a password length of 10 or more characters, including uppercase and lowercase letters, numbers, symbols, and spaces. (D)

    What is the name of the command used to configure privilege levels?

    privilege level (D)

    What is the default privilege level for login with the router prompt?

    1 (B)

    Which privilege level is reserved for the enable mode privileges?

    15 (A)

    What is the name of the mode accessed at the router# prompt?

    Privileged EXEC mode (C)

    What is the purpose of configuring privilege levels?

    To control the availability of commands based on user privileges. (B)

    What are the two ways to connect to an SSH-enabled router? (Select all that apply)

    Using an SSH server like Cisco router (A), Using an SSH client like Putty (D)

    Which of these is NOT a common SSH client?

    Hyper-V (D)

    Which of these options are NOT limitations of privilege levels?

    No access control to device hardware, such as chassis, fans and power supplies. (D)

    What is the primary purpose of role-based CLI access?

    To simplify network management by grouping similar tasks under specific roles. (B)

    Which of the following is NOT a typical task associated with the "Security operator" role in a role-based CLI configuration?

    Configure routing protocols. (B)

    The Cisco IOS Resilient Configuration feature is primarily designed to:

    Ensure that the router can recover from a major hardware failure. (B)

    What is the main function of the syslog feature?

    To log system events and security alerts. (D)

    What is the primary advantage of using SNMPv3 over previous versions of SNMP?

    SNMPv3 provides enhanced security features. (C)

    Which of the following is a method of managing a Cisco device remotely, not using in-band management?

    Console port (C)

    What is one characteristic of a weak password?

    Based on easily identifiable information (C)

    Which option best describes a strong password?

    12^h u4@1p7 (A)

    Which command syntax is used to configure an unencrypted password?

    enable algorithm-type (D)

    What is one of the virtual login security enhancements mentioned?

    Implement delays between successive login attempts (C)

    How can system logging assist in login management?

    It generates syslog messages for login detection (B)

    Deliberately misspelling a password can enhance its strength.

    True (A)

    Passwords should be written down and stored in obvious places.

    False (B)

    A password consisting only of simple dictionary words is considered weak.

    True (A)

    Generating system-logging messages is not beneficial for login detection.

    False (B)

    It is advisable to change passwords often for better security.

    True (A)

    A strong password should be at least 10 characters long.

    True (A)

    The single router approach is the only method for securing an edge router.

    False (B)

    SSH is used for secure remote management of devices.

    True (A)

    The task of presenting legal notification is part of securing device access.

    True (A)

    Using a mix of symbols and spaces is not recommended for strong passwords.

    False (B)

    Level 0 is predefined for administrative access privileges.

    False (B)

    Privilege level 15 is reserved for enable mode privileges.

    True (A)

    A Cisco router can only function as an SSH client.

    False (B)

    Level 1 offers the highest command availability at the router prompt.

    False (B)

    SSH clients like PuTTY and OpenSSH can be used to connect to SSH-enabled routers.

    True (A)

    Privilege levels range from 0 to 15.

    True (A)

    User EXEC mode corresponds to privilege level 0.

    False (B)

    Command availability can be customized between levels 2 and 14.

    True (A)

    Commands available at lower privilege levels are always executable at higher privilege levels.

    True (A)

    The role of a WAN engineer includes configuring firewall settings.

    False (B)

    Assigning a command with multiple keywords restricts access to specific commands that utilize those keywords.

    False (B)

    The Cisco IOS resilient configuration feature is designed to secure the Cisco IOS image and configuration files.

    True (A)

    In-band management refers to management access that occurs through a separate channel, like a dedicated console port.

    False (B)

    Secure SNMPv3 access can be configured using Access Control Lists (ACL).

    True (A)

    Configuring NetFlow is part of the responsibilities of a security operator.

    True (A)

    Study Notes

    Chapter 2: Securing Network Devices

    • This chapter focuses on securing network devices, specifically Cisco routers.
    • The CCNA Security v2.0 curriculum is being used.
    • Dr. Nadhir Ben Halima is the instructor.
    • The course follows a structured chapter outline, covering topics from introduction to summary.

    Chapter Outline

    • The chapter is organized into subsections, including:
      • Introduction
      • Securing Device Access
      • Assigning Administrative Roles
      • Monitoring and Managing Devices
      • Using Automated Security Features
      • Securing the Control Plane
      • Summary

    Section 2.1: Securing Device Access

    • Upon completion of this section, students should be able to explain securing a network perimeter, configure secure administrative access to Cisco routers, configure enhanced security for virtual logins, and configure an SSH daemon for secure remote management.

    Topic 2.1.1: Securing the Edge Router

    • This section focuses on edge router security.
    • Approaches outlined include:
      • Single Router Approach
      • Defense in Depth Approach
      • DMZ Approach
    • IP addresses are given for LAN 1 (e.g., 192.168.2.0)

    Three Areas of Router Security

    • Physical Security
    • Router Operating System and Configuration File Security
    • Router Hardening

    Secure Administrative Access

    • Tasks for securing administrative access include:
      • Restricting device accessibility
      • Logging and accounting for all access
      • Authenticating access
      • Authorizing actions
      • Presenting legal notification
      • Ensuring data confidentiality

    Secure Local and Remote Access

    • Diagrams illustrate local access methods (vty, console, aux ports) and remote access using Telnet/SSH, and modem/aux port. Different types of local and remote connections are shown.

    Topic 2.1.2: Configuring Secure Administrative Access

    • This section details techniques for configuring secure administrative access, including strong password guidelines.

    Strong Passwords

    • Strong passwords are crucial and include:
      • Length of 10 or more characters
      • Mix of uppercase and lowercase letters, numbers, symbols, and spaces
      • Avoiding passwords based on easily identifiable information
      • Deliberately misspelling words as passwords
      • Changing passwords frequently
      • Avoiding writing down passwords in obvious places
    • Examples of weak and strong passwords are provided.

    Increasing Access Security

    • Demonstrates configuring password encryption and setting timeouts for console and vty lines. Specific configuration commands are given (e.g., security passwords min-length 10, service password-encryption).

    Secret Password Algorithms

    • Describes configuring different password types (type 8 and type 9). Syntax for enabling unencrypted passwords is provided (e.g., enable algorithm-type {md5|scrypt|sha256}).

    Securing Line Access

    • Provides commands for securing console, aux, and vty lines (e.g., disabling passwords, enabling SSH). Specific commands are shown (e.g., username Bob algorithm-type scrypt secret cisco54321).

    Topic 2.1.3: Configuring Enhanced Security for Virtual Logins

    • This section discusses enhancements to virtual login security.

    Enhancing the Login Process

    • Enhancements for virtual login security include:
      • Implementing delays between successive login attempts
      • Enabling login shutdown if DoS attacks are suspected
      • Generating system-logging messages for login detection

    Enable Login Enhancements

    • Includes commands for login delay, preventing excessive login attempts, and setting time limits for login attempts. Example commands are given (e.g., login block-for 120 attempts 5 within 60, login delay 3).

    Logging Failed Attempts

    • Shows examples of generating login syslog messages. Example commands are provided (login on-success log [every login], security authentication failure rate threshold-rate log).

    Topic 2.1.4: Configuring SSH

    • Describes steps for configuring SSH access. This includes key generation, and using the show crypto key command to verify key details.

    Steps for Configuring SSH

    • Details the process of creating and using SSH configuration.
    • Includes the 'show crypto key' command and checking if SSH 1.99 is enabled.

    Connecting to an SSH-Enabled Router

    • Describes how to connect, either as a server or a client using SSH. Supported client tools are mentioned (e.g., PuTTY, OpenSSH, TeraTerm).

    Section 2.2: Assigning Administrative Roles

    • Upon completing this section, students should be able to configure administrative privilege levels and role-based CLI access to control command availability.


    Description

    Test your knowledge on securing network devices, particularly Cisco routers, as outlined in Chapter 2 of the CCNA Security v2.0 curriculum. This quiz covers key concepts such as securing device access, assigning administrative roles, and using automated security features vital for maintaining network integrity.
