
Security Questions 2

October 27th, 2018

Question 1


In fact, the question is asking about a site-to-site VPN. A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. With a site-to-site VPN, two sites create a VPN tunnel by encrypting and sending data between two devices. One set of rules for creating a site-to-site VPN is defined by IPsec.


In the topology above, Remote Campus sites can connect to the Main Campus through site-to-site VPNs.

Question 2


SSH, or secure shell, is a secure protocol that provides a built-in encryption mechanism for establishing a secured connection between two parties, authenticating each side to the other, and passing commands and output back and forth.

Note: Virtual Private Networks (VPNs) are only secure if encrypted. The word “private” only means a given user’s virtual network is not shared with others. In reality a VPN still runs on a shared infrastructure and is not secured if not encrypted. VPNs are used over a connection you already have. That might be a leased line. It might be an ADSL connection. It could be a mobile network connection.

Therefore answer “SSH” is still better than the answer “VPN”.

Question 3


The “transport input” command is used to define which protocols to use to connect to a specific line (vty, console, aux…) of the router. The “transport input all” command will allow all protocols (including SSH and Telnet) to do this.

Question 4


This question wants to ask how to use the router as the SSH client to connect into other routers. The table below shows the parameters used with SSH:

SSH command parameters Description
-v specifies whether we are going to use version 1 or version 2
-c {3des | aes128-cbc | aes192-cbc | aes256-cbc} specifies the encryption you are going to use when communicating with the router. This value is optional; if you choose not to use it, the routers will negotiate the encryption algorithm to use automatically
-l username specifies the username to use when logging in to the remote router
-m {hmac-md5 | hmac-md5-96 | hmac-sha1 | hmac-sha1-96} specifies the type of hashing algorithm to use when sending your password. It is optional and if you do not use it, the routers will negotiate what type of hashing to use.
ip-address | hostname specifies the IP address or, if you have DNS or static hostnames configured, the name of the router you want to connect to

For example, the command “ssh -v 2 -l admin” means “use SSH version 2 to connect to a router at with username ‘admin’”.

Answer C is not correct because it is missing the version needed to use.
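As an added illustration of the parameter table above (not Cisco IOS code and not part of the original page), the hypothetical helper below splits an IOS SSH client command line into its parts, rejects values outside the table, and lists what a configuration reviewer would flag, such as a missing or version-1 “-v”:

```python
import shlex

# Option names and allowed values come from the parameter table above; the functions are a hypothetical review helper.
FLAGS = {"-v": "version", "-c": "cipher", "-l": "username", "-m": "mac"}
ALLOWED = {"version": {"1", "2"},
           "cipher": {"3des", "aes128-cbc", "aes192-cbc", "aes256-cbc"},
           "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}}

def parse_ios_ssh(cmdline):
    """Split an IOS 'ssh' client command line into its parts (None = not given)."""
    tokens = shlex.split(cmdline)
    if not tokens or tokens[0] != "ssh":
        raise ValueError("not an ssh command")
    parsed = dict.fromkeys(("version", "cipher", "username", "mac", "target"))
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAGS:                      # option that takes a value
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} needs a value")
            key, value = FLAGS[tok], tokens[i + 1]
            if key in ALLOWED and value not in ALLOWED[key]:
                raise ValueError(f"invalid {key}: {value}")
            parsed[key] = value
            i += 2
        elif tok.startswith("-"):
            raise ValueError(f"unknown option {tok}")
        elif parsed["target"] is not None:    # only one ip-address | hostname
            raise ValueError("more than one target")
        else:
            parsed["target"] = tok
            i += 1
    if parsed["target"] is None:
        raise ValueError("missing ip-address | hostname")
    return parsed

def audit_ios_ssh(cmdline):
    """Return the findings a reviewer would raise about one command line."""
    p = parse_ios_ssh(cmdline)
    findings = []
    if p["version"] is None:
        findings.append("version not pinned; left to negotiation")
    elif p["version"] == "1":
        findings.append("SSH version 1 is obsolete")
    if p["cipher"] == "3des":
        findings.append("3DES is a weak cipher")
    if p["mac"] in ("hmac-md5", "hmac-md5-96"):
        findings.append("MD5-based MAC is weak")
    return findings
```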

Question 5

Question 6

Question 7


When you connect to a switch/router via Telnet, you first need to provide the Telnet password. Then, to access Privileged mode (Switch#), you need to provide the secret password after typing “enable” before making any changes.

Question 9

Question 10



(DHCP) Spoofing attack is a type of attack in which the attacker listens for DHCP Requests from clients and answers them with a fake DHCP Response before the authorized DHCP Response reaches the clients. The fake DHCP Response often gives the attacker's IP address as the client's default gateway -> all the traffic sent from the client will go through the attacker's computer, and the attacker becomes a “man-in-the-middle”.

The attacker has some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.

VLAN Hopping: By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures. VLAN hopping can be accomplished by switch spoofing or double tagging.

1) Switch spoofing:


The attacker can connect an unauthorized Cisco switch to a Company switch port. The unauthorized switch can send DTP frames and form a trunk with the Company Switch. If the attacker can establish a trunk link to the Company switch, it receives traffic to all VLANs through the trunk because all VLANs are allowed on a trunk by default.

(Instead of using a Cisco switch, the attacker can use software to create and send DTP frames.)

2) Double-Tagging:


In this attack, the attacking computer generates frames with two 802.1Q tags. The first tag matches the native VLAN of the trunk port (VLAN 10 in this case), and the second matches the VLAN of a host it wants to attack (VLAN 20).

When the packet from the attacker reaches Switch A, Switch A only sees the first tag, VLAN 10, which matches its native VLAN 10, so this VLAN tag is removed. Switch A forwards the frame out all links with the same native VLAN 10. Switch B receives the frame with a tag of VLAN 20, so it removes this tag and forwards the frame to the Victim computer.

Note: This attack only works if the trunk (between two switches) has the same native VLAN as the attacker.
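To make the Note above concrete, here is an added model (not from the original page) of how the two switches handle stacked 802.1Q tags. It builds a constructed double-tagged sample frame, walks it through Switch A (access port in VLAN 10, then the trunk) and Switch B (trunk ingress), and returns the VLAN Switch B delivers it on; the switch behaviour, the frame contents and the function names are assumptions of this model. It shows that the frame lands in VLAN 20 only when the trunk's native VLAN equals the attacker's VLAN, and stays in VLAN 10 when the native VLAN is changed to an unused one:

```python
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag

def build_frame(vlans, payload=b"\x08\x00constructed-payload"):
    """Constructed sample frame: broadcast dst, locally administered src, stacked tags."""
    dst, src = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vlans)
    return dst + src + tags + payload

def parse_tags(frame):
    """Return the VLAN IDs of all stacked 802.1Q tags, outermost first."""
    vlans, off = [], 12  # tags start right after the two MAC addresses
    while len(frame) >= off + 4 and struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vlans.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vlans

def pop_tag(frame):
    """Remove the outermost tag (4 bytes after the MAC addresses)."""
    return frame[:12] + frame[16:]

def push_tag(frame, vlan):
    """Insert a new outermost tag carrying the given VLAN ID."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]

def switch_a_forward(frame, access_vlan, trunk_native):
    """Switch A: ingress on an access port, egress on the trunk towards Switch B.
    A tag equal to the port's own VLAN is stripped; on the trunk the native VLAN
    travels untagged, every other VLAN gets a tag pushed in front of the frame."""
    tags = parse_tags(frame)
    if tags and tags[0] == access_vlan:
        frame = pop_tag(frame)
    return frame if access_vlan == trunk_native else push_tag(frame, access_vlan)

def switch_b_classify(frame, trunk_native):
    """Switch B: the outermost tag decides the VLAN; untagged means native VLAN."""
    tags = parse_tags(frame)
    return tags[0] if tags else trunk_native

def delivered_vlan(outer, inner, access_vlan, trunk_native):
    """VLAN on which Switch B delivers a frame that arrived double-tagged at Switch A."""
    frame = build_frame([outer, inner])
    return switch_b_classify(switch_a_forward(frame, access_vlan, trunk_native), trunk_native)
```

With the page's numbers, delivered_vlan(10, 20, 10, 10) gives 20, while delivered_vlan(10, 20, 10, 99) gives 10 because Switch A re-tags the frame with VLAN 10 on the trunk and the inner tag never becomes the outermost one.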

ARP attack (like ARP poisoning/spoofing) is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network. This is an attack based on ARP which is at Layer 2.

Question 11


802.1x is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN.

Question 12


IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH), which provide security services for IP datagrams.

ESP can provide the properties authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the IP header).

AH provides authentication of the sender, integrity, and replay protection (but not confidentiality).

Question 13

Which two statements about stateful firewalls in an enterprise network are true? (Choose two)

A. They are more susceptible to DoS attacks than stateless firewalls
B. They can filter HTTP and HTTPS traffic in the inbound direction only
C. They are most effective when placed in front of the router connected to the internet
D. They can track the number of active TCP connections
E. They can use information about previous packets to make decisions about future packets


Answer: D E


The stateful firewall (the ASA is in this category) monitors the state of each TCP connection from the time the first connection initiation request is sent using a SYN packet, tracking the state of the connection (such as the packet sequence and TCP flags), looking for any deviations or anomalies in the TCP connection state and blocking them.

Although a TCP connection is a bi-directional connection, the stateful firewall keeps track of the initiator of the TCP connection, thus adding directionality to a TCP connection. A stateful firewall allows connections in one direction (for example, TCP destination port 80 for a web server) only by default and maintains a state table that also records the random TCP source port used by the client, as a part of the connection state. Such firewalls that treat the bidirectional communications of a TCP connection as a single connection and maintain the current state of connections are called stateful firewalls -> This allows tracking of future packets through the established connection -> Answer E is correct.

Some firewalls monitor the traffic in each direction without maintaining any state of the TCP connections, but monitoring traffic as per the defined security policies. Such firewalls are called stateless firewalls.

Reference: Implementing Cisco Networking Solutions Book by Harpreet Singh

In stateful inspection, the firewall not only inspects packets up through the application layer/layer 7, determining a packet’s header information and data content, but also monitors and keeps track of the connection’s state. For all active connections traversing the firewall, the state information, which may include the IP addresses and ports involved, the sequence numbers and acknowledgement numbers of the packets traversing the connection, TCP packet flags, etc., is maintained in a state table (-> answer D is correct). Filtering decisions are based not only on rules but also on the connection state established by prior packets on that connection. This helps prevent a variety of DoS, DDoS, and other security violations -> a stateful firewall is effective against DoS and DDoS attacks -> Answer A is not correct.
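As an added illustration of answers D and E (a constructed model, not ASA code and not part of the original page), the class below keeps a state table keyed by the initiator's 4-tuple: outbound SYNs create entries, inbound packets are allowed only when an entry already exists, and the table size is the active-connection count. The packet sequence, addresses and the INSIDE_PREFIX convention are assumptions of this model.

```python
from collections import namedtuple

# Constructed model of a stateful firewall; not ASA code. A packet is its 4-tuple
# plus TCP flags as a frozenset of letters ('S' SYN, 'A' ACK, 'R' RST).
Packet = namedtuple("Packet", "src sport dst dport flags")
INSIDE_PREFIX = "10.0.0."  # constructed: addresses behind the firewall

class StatefulFirewall:
    """Inside hosts may initiate; inbound packets pass only if the state table
    already knows the connection (answer E); len(table) is answer D's count."""
    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) of the initiator -> state

    def active_connections(self):
        return len(self.table)

    def process(self, p):
        if p.src.startswith(INSIDE_PREFIX):             # inside -> outside
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == frozenset("S"):               # new connection attempt
                self.table[key] = "SYN_SENT"
                return "allow"
            if key not in self.table:                   # no state: stray packet
                return "drop"
            if "R" in p.flags:                          # client tears the connection down
                del self.table[key]
            return "allow"
        key = (p.dst, p.dport, p.src, p.sport)          # outside -> inside: look up initiator
        state = self.table.get(key)
        if state is None:                               # unsolicited, even if ports look plausible
            return "drop"
        if state == "SYN_SENT" and p.flags == frozenset("SA"):
            self.table[key] = "ESTABLISHED"             # handshake reply matches a pending SYN
            return "allow"
        return "allow" if state == "ESTABLISHED" else "drop"

def run_sample():
    """Constructed sequence: one legitimate web session plus two unsolicited inbound packets."""
    fw = StatefulFirewall()
    pkts = [
        Packet("10.0.0.5", 51000, "203.0.113.10", 80, frozenset("S")),    # client SYN
        Packet("203.0.113.10", 80, "10.0.0.5", 51000, frozenset("SA")),   # server SYN/ACK
        Packet("10.0.0.5", 51000, "203.0.113.10", 80, frozenset("A")),    # handshake done
        Packet("203.0.113.10", 80, "10.0.0.5", 51001, frozenset("SA")),   # wrong client port
        Packet("198.51.100.7", 443, "10.0.0.5", 51000, frozenset("S")),   # inbound SYN
        Packet("203.0.113.10", 80, "10.0.0.5", 51000, frozenset("A")),    # data from server
    ]
    return [fw.process(p) for p in pkts], fw.active_connections()
```

A stateless rule such as “permit source port 80 to inside” would have let packets 4 and 5 through; only the recorded state from packet 1 lets the model tell the genuine SYN/ACK in packet 2 apart from them.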

Comments (17)
  1. nickaro
    August 15th, 2017

    About Q.4

    Why can’t it be A the correct answer? It’s exactly the same than B, but with version 1 instead of 2. Perhaps it is less secure, but I think it’s a possible correct answer too.

    Thank you in advance.

  2. Imran Shahid
    September 1st, 2017

    hi nickaro,

    Thanks for your comment. I agree with you and I have not seen anyone mentioning the version of SSH, so most of the engineers in ISPs simply do ssh -l admin [IP], so I guess C is also a decent choice. Thanks

  3. Jessy
    September 3rd, 2017

    Why are the dump answers different from the PDF and site answers?

  4. 1Way
    September 23rd, 2017

    I’m pretty sure if you don’t specify the version ‘-v 1’ or ‘-v 2’ on a Cisco device when using it as an SSH client then it uses v2 as a default.

  5. 1Way
    September 23rd, 2017

    Q5. The question asks to correlate system alerts “directly” with the employee that triggers the alert. Surely ‘B’ would be a higher priority than ‘D’ in that process?

  6. potocki
    January 30th, 2018

    Why in Q1 DMVPN is not the right answer? The question is about security in multiple sites, so when it is “multiple” I firstly think of DMVPN, Dynamic Multiple Virtual Private Network.. For me, VPN is basically tunnel between two sites, not multiple..
    Also, I don’t understand Question 5. Can anyone explain?
    Thanks in advance

  7. cthelite
    February 27th, 2018

    potocki Q1: The key word in the question is “security”. Is DMVPN any more secure than VPN? No, because DMVPN is VPN… enhanced. You keyed on the word “multiple”, but can you have multiple VPN connections without DMVPN? Of course. For Cisco tests, they obviously have a keyword or phrase that yields the correct answer, but also a word or phrase to confound. When the word “multiple” is used, it obviously brings to mind d-M-vpn… they play mind games to challenge people to think… to search for a correct answer and understand it better and thus make better engineers. The key to this question isn’t multiple, but security. DMVPN is both secure and multiple, true, but DMVPN wasn’t created to provide security to multiple sites… it was created to MESH multiple secure sites. VPN, however, WAS created to provide security to a remote site. And certainly there can be multiple sites.

    I’m not saying it’s a perfect answer, as with most questions on these practice exams. But I think A is the best answer. And it’s not just me, every site on the internet I’ve ever seen with this question the answer is A) VPN.

  8. cthelite
    February 27th, 2018

    Q5: It seems no one can explain this question. I’ve looked on the internet for over an hour and come up blank. I agree with 1Way, B is the best answer. A and C are definitely out. Shared Accounts would obviously be a huge no-no. So eliminating them should be paramount. B seems to be the best answer. “Periodic” user account reviews by definition wouldn’t seem as effective.

    I wonder if anyone has really ever seen a question similar to this on a CCNA exam? I don’t see it on a lot of other exam websites. Just some and never with any explanation. And if it is based on a real question, I wonder if the incorrect answer just continues to be propagated from site to site.

    Maybe someone will eventually provide some insight!

  9. Das
    February 28th, 2018

    Hello cthelite. My exam is on 2nd March. If possible can you kindly tell me where I can find valid dumps. I solved all the question in 9tut. But right now cisco are changing those questions. That is why I am asking. Any help will be appreciated. My mail shouravkumardas @ gmail.com. thank you

  10. cthelite
    April 1st, 2018

    Q5… again:
    Looking at this in a different light… the security admin is trying to track employees that trigger alert logs. (A) and (C) I think are still OUT. Though (B) elimination of shared accounts definitely is a best practice and a step to better security… and a common sense approach… by itself it would not actually track any employees. Doing just this doesn’t find anyone or anything. It’s just a parameter. You’ll still have to look at data, logs, alerts, etc… However, (D) could be construed as more actively identifying an offending employee. By reviewing access, if something were in the logs, you WOULD necessarily see it and identify the offending employee. By itself, it can be considered the only answer that meets the requirement. It’s an oddly stated question and answer, not really keying on any particular Cisco technology or terms, but maybe “D” is the best answer after all.

  11. cthelite
    May 8th, 2018

    Which two statements about TACACS+ are true? (Choose two)
    A It can run on a UNIX server
    B It authenticates against the user database on the local device
    C It is more secure than AAA authentication
    D It is enabled on Cisco routers by default
    E It uses a managed database

    Every site on the internet answers B and C.

    B… really?!

    Answer should be C and E. Agreed?

  12. Charles
    May 22nd, 2018
  13. AnsweringIT
    June 19th, 2018

    QUESTION 303

    In order to comply with new auditing standards, a security administrator must be able to correlate
    system security alert logs directly with the employee who triggers the alert. Which of the following
    should the security administrator implement in order to meet this requirement?

    A. Access control lists on file servers
    B. Elimination of shared accounts
    C. Group-based privileges for accounts
    D. Periodic user account access reviews

    9tut and China Answer: D ???

    B is more accurate imho. Any thoughts ?

  14. Dany1
    June 29th, 2018

    AnsweringIT: answer B is a threat. The question focuses on the employee WHO TRIGGERS the ALERTS. In the FIREWALL LOG there are no logs regarding users who create shared accounts.
    There are two keys here: triggers and employee. One method to combine those is D

    Q1: I choose A (DMVPN) also, even though the answer is VPN. But, let’s think how Cisco would think (or suppose that; because here is not science/is grammar): DMVPN->site-to-many sites connection
    VPN: site-to-site connection and ……Remote CLient VPN used for “maintain security in multiple websites”.
    I am not a native speaker of English and you may be misunderstood

  15. Problem
    August 10th, 2018

    Where is the q10 explanation?

  16. Michael 22061990
    April 21st, 2019

    Please, where are the questions located here? I am only seeing the answers to the questions.

  17. garv
    April 30th, 2019

    @Michael 22061990. This is the link to the questions -http://congressreiki.ranm.org/?all=ccna-questions-and-answers
