
315 Cards in this Set


AAA stands for

Authentication, Authorization, and Accounting


RADIUS runs over

UDP (ports 1812/1813; legacy 1645/1646)

TACACS+ runs over

TCP (port 49)

What must be set up before generating an RSA key?

ip domain-name

Non-default hostname

Command to generate an RSA key

crypto key generate rsa

Command to change SSH to version 2

(config)# ip ssh version 2

Command to limit vty lines to SSH only

(config-line)# transport input ssh
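
The SSH cards above assembled into one working vty hardening configuration. This is an added example, not from the card set; the hostname, domain name, username and password are assumed values.

```cisco
! Hostname and domain name must exist before the RSA key pair can be generated
hostname R1
ip domain-name lab.example.com
! 2048-bit modulus; the 1024-bit value seen on older guides is below current practice
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Local account used by "login local" on the vty lines (assumed credentials)
username admin privilege 15 secret Str0ng-Passw0rd!
line vty 0 4
 transport input ssh
 login local
 exec-timeout 10 0
 logging synchronous
! Verify: "show ip ssh" should report "SSH Enabled - version 2.0";
! a Telnet attempt to the router must now be refused
```

The order matters: `crypto key generate rsa` fails until both the hostname and `ip domain-name` are set, and `transport input ssh` is what actually closes Telnet, regardless of whether a key exists.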

What hashing is used for enable secret with a level 5

MD5 (salted; a type 5 secret)

The IronPort Security Gateway secures what?

Email (Spam, encryption, viruses)

What is ScanSafe?

Cloud-based Software as a Service that scans web (and email) traffic

CIA stands for

Confidentiality, Integrity, Availability

Define SIEM technology

Security Information & Event Management

Logs data, reports for compliance

What is an asset

An item that needs protection, has value to the company

What is a vulnerability & list 3

Exploitable weakness of some type such as software, design errors, human factor, hardware vulnerabilities, or physical access

What is a threat

what you are protecting against, anything that attempts to gain access, compromise, or destroy an asset

3 Common security zones

Inside (trusted)

Outside (untrusted)

DMZ


What is risk

The potential for unauthorized access, destruction, or damage to an asset. Countermeasures can reduce potential for risk

What is a covert channel attack

Using a communication channel or program in a way it was not intended, to move data past controls; the most common form is tunneling one protocol inside another (for example, data carried inside ICMP or DNS).

Describe trust exploitation

Get access to a resource trusted by the target resource

What is reflected DDOS

Initial query is spoofed, response is reflected to victim

What acronym is used for the IKE phase 1 negotiation parameters?

HAGLE

What does HAGLE stand for

Hash

Authentication

Group (Diffie-Hellman)

Lifetime

Encryption

What are 2 symmetrical encryption algorithms

AES and 3DES

What are 2 hashing algorithms

MD5, SHA-256

What's the difference between in-band (inline) and out-of-band (manual) key exchange

In-band exchange is done online over the network (for example, Diffie-Hellman in IKE); out-of-band is a manual copy and paste of the key through a separate channel

What is the PKI

Public key infrastructure: the set of standards, procedures, roles, hardware and software used to create, manage, distribute, store, use, and revoke digital certificates (and the public keys they bind to identities).

What is a digital signature

A hash that's been encrypted with the sender's private key

What is a digital certificate?

Binds a public key to an identity. Fields include version, serial number, signature algorithm, issuer, validity period, subject, subject public key, and the CA's signature.

When is a digital certificate trusted?

When it is signed by a trusted issuer (such as verisign)

2 commands to enable https

ip http secure-server
ip http authentication local

2 commands to enable snmp v3

snmp-server group OUR-GROUP v3 priv read READ-VIEW
snmp-server user user1 OUR-GROUP v3 auth md5 pass123 priv aes 128 pass123

(IOS requires the AES key length, 128/192/256, after the priv aes keyword; READ-VIEW must also be defined with snmp-server view)
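
A fuller SNMPv3 setup than the two-command card. This is an added example, not from the card set: it defines the READ-VIEW the group refers to, restricts polling to one management host, and uses SHA with AES and separate authentication and privacy passphrases. The management address, the view root and the passphrases are assumed values.

```cisco
! View the group references: everything under the iso subtree, read-only
snmp-server view READ-VIEW iso included
! Only the management station (assumed address) may poll
access-list 10 permit host 10.10.0.5
! v3 group requiring authentication and privacy (priv), read-only via the view,
! and limited to sources matching ACL 10
snmp-server group OUR-GROUP v3 priv read READ-VIEW access 10
! v3 user: SHA for authentication, AES-128 for privacy, distinct passphrases
snmp-server user user1 OUR-GROUP v3 auth sha Auth-Passphrase-1 priv aes 128 Priv-Passphrase-2
! Traps to the same station at authPriv, using the v3 user above
snmp-server host 10.10.0.5 version 3 priv user1
! Verify
show snmp user
show snmp group
```

Using the same string for auth and priv (as on the card) means one leaked passphrase exposes both the integrity and the confidentiality of the management traffic; the ACL on the group keeps a stolen passphrase from being usable from arbitrary hosts.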

4 commands to configure security for NTP

ntp server <ntp-server-ip> key 1

ntp authentication-key 1 md5 niceKey

ntp trusted-key 1

ntp authenticate

What do the *, [space], or . mean when viewing show clock detail

* = not authoritative

[space] = time is authoritative

. = time is authoritative but not synchronized

Set up SCP for file transport

Set up AAA first

then "ip scp server enable"

Setup AAA with local authentication 3 commands

username admin priv 15 secret password

aaa new-model

aaa authentication login default local

Which protocol (TACACS+ or RADIUS) encrypts the whole packet

TACACS+ (encrypts the entire body; RADIUS only obfuscates the password field)

Command to enable authentication via tacacs with local backup

aaa authentication login AUTHEN_via_TACACS group tacacs+ local

Command to add a tacacs server

tacacs-server host <server-ip> key cisco123

Command to test a AAA server

test aaa group tacacs+ admin cisco123 legacy
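
The AAA cards combined into a complete TACACS+ configuration with local fallback, authorization of exec and config commands, and accounting. This is an added example, not from the card set; the server name and address, the shared key and the credentials are assumed, and it uses the newer per-server `tacacs server` form rather than the legacy `tacacs-server host` shown on the card.

```cisco
aaa new-model
! Local fallback account for when no TACACS+ server answers (assumed credentials)
username admin privilege 15 secret Local-Fallback-Pw!
! TACACS+ server definition in the newer per-server form; address and key assumed
tacacs server ISE-1
 address ipv4 10.10.0.20
 key Tacacs-Shared-Secret
aaa group server tacacs+ TAC-SERVERS
 server name ISE-1
! Named method lists: try the server group first, fall back to the local database
aaa authentication login AUTHEN_via_TACACS group TAC-SERVERS local
aaa authorization exec AUTHOR_via_TACACS group TAC-SERVERS local if-authenticated
aaa authorization commands 15 AUTHOR_via_TACACS group TAC-SERVERS local if-authenticated
! Also authorize commands entered inside configuration mode
aaa authorization config-commands
aaa accounting exec default start-stop group TAC-SERVERS
aaa accounting commands 15 default start-stop group TAC-SERVERS
! Apply the lists to the vty lines
line vty 0 4
 login authentication AUTHEN_via_TACACS
 authorization exec AUTHOR_via_TACACS
 authorization commands 15 AUTHOR_via_TACACS
 accounting exec default
 accounting commands 15 default
! Verify the server is reachable and the key is right before logging out of the current session
test aaa group TAC-SERVERS admin Tacacs-Test-Pw new-code
```

Keep the existing session open while testing: if the key or address is wrong, the `local` keyword at the end of each list is what still lets you in, and `test aaa group` tells you whether the server accepted the credentials without having to reconnect.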

What occurs during IKE phase 1

A secure authenticated channel is created using a Diffie-Hellman key exchange to generate a shared secret key that encrypts further IKE communications

What's the difference between IKE phase 1 main mode and aggressive mode?

Main mode protects the identity of the peers, aggressive does not.

What's the difference between transport mode and tunnel mode?

Tunnel mode encrypts the entire packet and creates a new IP packet and header, Transport only encrypts the payload

What can't AH provide compared to ESP?

Confidentiality (encryption)

What is hairpinning?

AKA NAT loopback. Describes communication between 2 hosts behind the same NAT device: one machine on the LAN is able to reach another via the external IP address of the firewall

What is split tunneling?

When a VPN client sends only traffic destined for the corporate network through the tunnel and reaches the public internet directly, not through the VPN

What is always-on vpn?

Prevents access to an unprotected network without being on a VPN. Connects when you login to the computer and detects an untrusted network

Why is NAT Traversal necessary?

AH authenticates the IP header, so a NAT device changing addresses breaks the integrity check, and ESP has no TCP/UDP port for PAT to translate. NAT-T encapsulates ESP in UDP (port 4500) so the NAT device has a header it can rewrite

What is the order (5) of clientless VPN policies?

DAP (dynamic access policy)

User profile policy

Group policy specified in the user profile

Group policy specified by connection profile

Default group policy

What are the 4 classifications in the Traffic Light Protocol (TLP)

Red (not shared)

Amber (only share with members of own org)

Green (Share with peers/partners)

White (Shared without restriction)

3 classifications of countermeasures

Administrative

Physical

Logical (technical)

What kind of countermeasure is having a written acceptable use policy?

Administrative

What kind of countermeasure is a locked wiring closet?

Physical

What kind of countermeasure is a logical control like password, firewall, IPS, access list?

Logical (technical)

What is the rule of least privilege

Give user minimal access, only that which is required

What tool gives the most granular information to help in the identification of malware

Packet capture

How does Cisco provide advance malware protection (AMP)?

Cisco FirePOWER

How is Next-gen intrusion prevention system (NGIPS) centrally managed?

Cisco FireSIGHT

What is Identity Services Engine (ISE) used for?

It is an identity and access control policy platform that can validate the computer meets requirements of company's policy (virus definition, service pack, etc)

What has more granularity and is proprietary Cisco? TACACS or Radius

TACACS+ (per-command authorization)

What provides AAA on the Cisco BYOD solution?

Identity Services Engine (ISE)

What does AAA stand for

Authentication, authorization, and accounting

What does AnyConnect use to provide secure access to corporate network?

VPN with 802.1X

What typically serves as the primary VPN termination point?

The Cisco ASA

What does RSA SecurID provide?

One time password generation and logging

IPSEC works on layer

3 (network layer)

4 benefits of VPNs

Confidentiality

Data Integrity

Authentication

Anti-replay protection


Regarding CIA, which is focused on authorized users changing data?

Integrity

Regarding CIA, using plain text protocols may compromise...

Confidentiality

What is a popular option for implementing confidentiality in motion?

Encryption in transit, e.g. an IPsec or SSL/TLS VPN

What is the program on Kali Linux that initiates a CAM table overflow attack?

macof (part of the dsniff suite)

Default max mac addresses when port security is enabled

1

What are the 4 port security violation actions

Protect

Restrict

Shutdown port

Shutdown VLAN

What port security option sends no alerts?

Protect (drops offending frames silently; restrict also drops but logs and counts)

What is the default port security violation action?

Shutdown port

What is the port security option that would provide the largest amount of administrative overhead?

Statically configured MAC addresses (switchport port-security mac-address <mac>)

Can port security work on Trunk ports

Yes (static access and trunk ports)

Can port security work on dynamic ports? (not static access or trunk)?

No, DTP dynamic ports must be set to access or trunk first

When a port security violation occurs and it is shutdown, what does it show on sh ip int brief?

down / down (show interfaces status shows err-disabled)

If in SSH or Telnet, what command lets you see log messages?

terminal monitor (priv exec mode)

Interface command to make port security have 5 max MAC addresses

switchport port-security maximum 5

Regarding port security, which option places MAC addresses into running config without typing them?

switchport port-security mac-address sticky
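
The port-security cards above as one working access-port configuration, with automatic recovery from the err-disabled state. This is an added example, not from the card set; the interface, VLAN and timers are assumed values.

```cisco
interface GigabitEthernet0/5
 description user access port (assumed)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! allow a phone plus a PC and a spare, rather than the default of one address
 switchport port-security maximum 3
 ! learned addresses are written into the running config (save it to keep them)
 switchport port-security mac-address sticky
 ! restrict: drop offending frames, count them and send syslog/SNMP traps, but keep
 ! the port up (protect would stay silent; shutdown is the default and err-disables)
 switchport port-security violation restrict
 switchport port-security aging time 10
 spanning-tree portfast
! Where the shutdown action is used, recover after 5 minutes instead of a manual shut/no shut
errdisable recovery cause psecure-violation
errdisable recovery interval 300
! Verify: Port Status should read Secure-up, and the sticky addresses appear in the table
show port-security interface GigabitEthernet0/5
show port-security address
```

`restrict` is usually the better default for user ports: a flooding tool like macof still gets its frames dropped, but you get a counter and a trap instead of an outage ticket.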

What is the status for port-security when it is properly engaged?

Secure-up

What type of attack uses up all the available IP addresses?

DHCP Starvation

Which DHCP messages are blocked from untrusted ports in a DHCP Snooping environment?


Offer and ACK

When using DHCP snooping, what is the default state for a port?

Untrusted

When using DHCP snooping, which message are ALLOWED from untrusted ports?


Discover and request

What command enables DHCP snooping in global config?

ip dhcp snooping

How can you rate limit DHCP messages to help prevent exhaustion in the DHCP Snooping environment?

Interface command:

ip dhcp snooping limit rate 10

Refers to 10 packets per second

What command shows ip dhcp snooping statistics?

show ip dhcp snooping statistics (show ip dhcp snooping binding lists the bindings; show ip dhcp snooping database shows the database agent)

In PVLAN, what are the 3 port types?

Promiscuous, isolated, community

What version of VTP supports PVLAN?

Version 3

How do you create an isolated VLAN?

vlan 200

private-vlan isolated

How do you set a primary VLAN in the context of PVLAN, then how do you associate them?

vlan 100

private-vlan primary

private-vlan association 200,300,400,500

In PVLAN, how do you set a port as promiscuous then map the other VLANs?

switchport mode private-vlan promiscuous

switchport private-vlan mapping 100 200,300,400,500

In PVLAN, how do you set a port to a private vlan and associate it?

switchport mode private-vlan host

switchport private-vlan host-association 100 200

Command to show private vlan configuration, active ports

show vlan private-vlan

In PVLAN, how can security be bypassed?

If a host sends a frame to the gateway's Layer 2 (MAC) address with the Layer 3 address of a host in another secondary VLAN, the gateway routes it straight back into the PVLAN. This is hairpin routing.

How can hairpin routing be prevented in PVLAN?

Put in an access control list inbound on gateway port to deny access coming FROM the network getting routed back to the same network
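
The PVLAN cards assembled into one complete switch configuration (isolated and community secondaries, a promiscuous gateway port, and host ports), followed by the gateway-side ACL that blocks hairpin routing. This is an added example, not from the card set; VLAN numbers, interfaces and the 10.1.100.0/24 subnet are assumed values.

```cisco
! PVLANs need VTP transparent mode (VTP v1/v2) or VTP version 3
vtp mode transparent
! Secondary VLANs first: 200 isolated (hosts can't talk to each other), 300 community
vlan 200
 private-vlan isolated
vlan 300
 private-vlan community
! Primary VLAN 100 carries both secondaries
vlan 100
 private-vlan primary
 private-vlan association 200,300
! Promiscuous port toward the gateway: reaches every secondary VLAN
interface GigabitEthernet0/1
 description to gateway router (assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200,300
! Isolated host
interface GigabitEthernet0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
! Community host
interface GigabitEthernet0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 100 300
show vlan private-vlan
!
! On the gateway router: stop hairpin routing between isolated hosts.
! A frame sent to the gateway MAC with another 10.1.100.x host as the IP destination
! would otherwise be routed straight back into the same subnet (addresses assumed).
ip access-list extended NO-HAIRPIN
 deny   ip 10.1.100.0 0.0.0.255 10.1.100.0 0.0.0.255
 permit ip any any
interface GigabitEthernet0/0
 description PVLAN 100 gateway interface
 ip access-group NO-HAIRPIN in
```

The switch enforces isolation only at Layer 2; without the inbound ACL on the gateway, an isolated host can still reach its neighbour by addressing the frame to the router's MAC, which is exactly the bypass described on the card.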

What does DAI stand for?

Dynamic ARP Inspection

What is a gratuitous ARP?

An unsolicited ARP that has the senders MAC and IP

Where does DAI get the information it needs to detect attacks?

DHCP Snooping database or static

What is an ARP ACL used for in DAI?

Statically map the layer 2 and layer 3 information on a non-DHCP port (like gateway)

How does an err-disabled port become active again?

Manually shut/no shut

What does DAI protect against?

ARP poisoning attack, causing MiTM

What type of port is impractical to put DAI on?

Trunk ports

Command to enable DAI on vlan 1

ip arp inspection vlan 1

What happens if you go over rate limit set by ARP inspection?

Goes into err-disabled state

What command shows interface status, like err-disabled and reason

show interfaces status

Command to bring an interface up after errdisabled state after 30 seconds

errdisable recovery cause arp-inspection

errdisable recovery interval 30

Command to show statistics from DAI for vlan 1

show ip arp inspection statistics vlan 1
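
The DHCP snooping and DAI cards combined into one access-switch configuration, including the ARP ACL for the gateway and automatic err-disable recovery. This is an added example, not from the card set; VLAN, interfaces, the gateway's IP/MAC pair and the file name are assumed values.

```cisco
! DHCP snooping: globally enabled, then per VLAN
ip dhcp snooping
ip dhcp snooping vlan 10
! Most access switches should not insert option 82 (some servers drop such packets)
no ip dhcp snooping information option
! Persist the binding table so DAI keeps working across a reload
ip dhcp snooping database flash:dhcp-snoop.db
! Uplink toward the real DHCP server and gateway: trusted for both features
interface GigabitEthernet0/1
 description uplink to distribution/gateway (assumed)
 ip dhcp snooping trust
 ip arp inspection trust
! Access ports stay untrusted (the default); rate-limit DHCP and ARP to blunt starvation/flooding
interface range GigabitEthernet0/5 - 24
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15 burst interval 1
! The gateway has no DHCP binding, so pin its IP/MAC with an ARP ACL (assumed addresses)
arp access-list GATEWAY-ARP
 permit ip host 10.1.10.1 mac host 0000.0c9f.f001
ip arp inspection filter GATEWAY-ARP vlan 10
! Turn DAI on for the VLAN and also sanity-check the MAC/IP fields inside ARP bodies
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! Ports err-disabled by either feature come back after 30 seconds
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 30
! Verify
show ip dhcp snooping binding
show ip dhcp snooping statistics
show ip arp inspection statistics vlan 10
```

Trust only the port that really leads to the DHCP server: a trusted access port would let a rogue server's Offer/ACK through and would also exempt its ARP replies from inspection.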

Packets per second ARP violation results in

The port going into err-disabled state (default limit on untrusted ports is 15 pps)

3 types of stateful filtering (IOS Firewall)

Reflexive ACL

CBAC - Context Based Access Control

Zone based firewall

Current/best way to do firewall on router IOS

Zone based firewall

3 sections of NAT on ASA

Section 1: Manual (twice) NAT

Section 2: Auto (object) NAT

Section 3: Manual NAT after auto

Command to show NAT translations on ASA

show xlate

Command to show NAT policies on ASA

show nat

What's the other term for object nat?

auto nat

What is twice nat?

Translation is done on both the source and destination addresses

By default, security levels (lower/higher) can flow to (lower/higher)

High security zone can go to low

What needs to be added to the default inspection for ping to work

inspect icmp (in the inspection_default class of global_policy)

What 2 commands are needed to start the HTTP server for ASDM

http server enable

http <network> <mask> <interface>   (which hosts may connect, and on which interface)

What 3 things must be configured on an interface on the ASA

nameif

Security level

ip address

What are class maps used for?

Identify traffic

What are policy maps used for?

Specify the action to take

What are service policies used for?

How we apply the policy map, what interfaces

What are the 3 sections to configure in MPF?

Class map, policy map, service policy

Command used to allow a queue to form on an interface

priority-queue [inside]

What is the DSCP for VoIP traffic?

46, EF (expedited forwarding)

In MPF , how can you limit half-formed sessions

In policy map, set the embryonic connection max lower

What is a TCP connection called that is not fully formed?

Embryonic connection
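
The MPF cards (class map, policy map, service policy, embryonic limits, ICMP inspection) as one working ASA configuration. This is an added example, not from the card set; the web server address, the limits and the policy names other than the ASA defaults are assumed values.

```cisco
! Identify traffic to the public web server (assumed address)
access-list WEB-SERVERS extended permit tcp any host 203.0.113.10 eq 443
class-map WEB-SERVER-TRAFFIC
 match access-list WEB-SERVERS
! Policy: cap half-open (embryonic) sessions so a SYN flood can't exhaust the server;
! once the limit is reached the ASA completes the handshake on the server's behalf
policy-map OUTSIDE-POLICY
 class WEB-SERVER-TRAFFIC
  set connection embryonic-conn-max 1000 per-client-embryonic-max 50
  set connection timeout embryonic 0:00:30
! Apply on the outside interface (an interface policy takes precedence over the global one for matching traffic)
service-policy OUTSIDE-POLICY interface outside
!
! Separately, ping through the ASA needs ICMP added to the default inspection policy
policy-map global_policy
 class inspection_default
  inspect icmp
! Verify: per-class hit counts, then the connection table (embryonic conns show without the U flag)
show service-policy interface outside
show conn
```

The per-client limit is the one that usually matters: a single source opening thousands of half-open sessions is the attack pattern, and capping it per client leaves legitimate users unaffected until the overall cap is hit.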

When forming a IKE phase 1 tunnel, what needs to match

HAGE (not lifetime)

What is the default encryption algorithm in IKE phase 1 on newer ASAs?

3DES - 168 bit key

What is the default hashing algorithm in IKE phase 1 on newer ASA?

SHA (SHA-1)

What is the default authentication protocol on IKE phase 1 on newer ASA?

preshared keys

What is the default diffie hellman group for IKE on a newer ASA?

#2 - 1024 bit

What is the default lifetime for IKE on a newer ASA?

86400 seconds

URL filtering subscription service filters based on what?

Predefined categories

What is a NIPS and where does it sit?

Networkbased Intrusion Prevention System typically sits inline.

What layer does a stateless packetfiltering firewall operate on?

Layers 3 and 4 (addresses, protocol and ports only; no connection state)

What layers do stateful packetfiltering firewalls operate on?

3, 4, and 5

What is the definition of a multihomed device?

Connects more than 1 network segment

What happens after a user logs in and has an autocommand configured?

The command runs, its output is shown, and then the user is disconnected

What command has to be added so users can stay logged in after an autocommand executes?

username <name> nohangup

What is AMP for Endpoints

It's a host based malware detection and prevention platform. It monitors net traffic and application behavior to protect a host

Can AMP for Endpoints block polymorphic malware?


How does AMP for Endpoints contain compromised applications?

Uses application blocking lists

What does SHOUTcast media stream use, what should be inspected?


What NTP symbol means the time is authoritative but not synchronized?

period (.)

What NTP symbol means the time is not authoritative?

asterisk (*)

What NTP symbol means the time is synchronized and authoritative?

No symbol before the time shown

Default firewall mode on the ASA (routed or transparent)

Routed

What mode in ASA can not do VPNs?

Transparent mode (no VPN termination; Layer 2 bridging only)

What command enables transparent mode?

firewall transparent

What needs to be created to manage a firewall in transparent mode?

Bridge virtual interface (BVI)

When using transparent firewalls, what needs to be configured on the ports that are connected in a layer 2 domain?

bridge-group 1

In a transparent firewall what layer 2 traffic is allowed by default?

ARP (other non-IP traffic such as BPDUs needs an EtherType ACL)

What happens to a firewall config when you switch from routed mode to transparent mode?

Configuration erases

What type of access list needs to be created to allow layer 2 BPDUs and MPLS to pass through a transparent firewall?

Ethertype ACL

What needs to be allowed on an interface ACL to allow DHCP or routing protocols on a transparent firewall?

Permit ip any any inbound on the inside;

on the outside, permit the router's source address going to the broadcast address (255.255.255.255) for DHCP, or to the routing protocol's multicast group (e.g. 224.0.0.5 for OSPF)

What feature allows preventing ARP spoofing?

ARP inspection

How can you set ARP inspection to drop packets that are unknown but don't conflict with ARP table

Disable flood

What does proxy arp do?

Allows ASA to respond to ARP request on behalf of the target device

What keyword in an ACL makes it pertain to layer 2?

access-list acl1 ethertype permit bpdu
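
The transparent-firewall cards as one ASA configuration: bridge group, BVI management address, an EtherType ACL for BPDUs and MPLS, and the extended ACL that lets DHCP and OSPF from the outside router through. This is an added example, not from the card set; interfaces, addresses and ACL names are assumed values.

```cisco
firewall transparent
! Both data interfaces join one bridge group; they keep names and security levels
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
! The management address lives on the BVI, inside the bridged subnet (assumed address)
interface BVI1
 ip address 10.1.1.5 255.255.255.0
! EtherType ACL: let spanning-tree BPDUs and MPLS through, inbound on both sides
access-list L2-PASS ethertype permit bpdu
access-list L2-PASS ethertype permit mpls-unicast
access-group L2-PASS in interface outside
access-group L2-PASS in interface inside
! Extended ACL for DHCP offers and OSPF from the outside router (assumed 10.1.1.1);
! these go to broadcast/multicast destinations that the implicit rules do not permit
access-list OUTSIDE-IN extended permit udp host 10.1.1.1 eq bootps host 255.255.255.255 eq bootpc
access-list OUTSIDE-IN extended permit ospf host 10.1.1.1 host 224.0.0.5
access-group OUTSIDE-IN in interface outside
! Inside keeps the permissive rule from the card
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
```

Remember that `firewall transparent` wipes the existing configuration, so the rest of this must be entered (or pasted) after the mode switch, not before.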

Command to set hostname on ASA

hostname asa1 (abbreviating the command doesn't work)

Command to allow failover to replicate http traffic

failover replicate http

When setting an active/standby firewall setup, what needs to be set on the standby?

Need to configure the failover link only and turn it on

What command enables active/standby failover?

"failover" global config

What command shows the status of an active/standby firewall

show failover (show fail is accepted as an abbreviation)

What needs to be set in interface config mode for the failover link?

No shut only (the rest is done in global config)

How do you set an active and standby IP address for an interface?

ip address <active-ip> <mask> standby <standby-ip>

Command to encrypt failover communication

failover key cisco

Command to make the active/standby firewall setup to prefer active

failover lan unit primary

Command to disable being active firewall

no failover active

Does active/standby firewall setup do preemption?

No (the unit that comes up first stays active; use no failover active to fail back manually)

Command to set g0/3 as the failover link

failover lan interface fail-1 g0/3

Command to set failover ip address for fail-1

failover interface ip fail-1 <active-ip> <mask> standby <standby-ip>

Command to set g0/4 as stateful replication link

failover link fail-2 g0/4

Command to change prompt to show hostname, priority, and state

prompt hostname priority state
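
The failover cards assembled into a complete active/standby pair, with the primary carrying the full configuration and the secondary needing only its failover link. This is an added example, not from the card set; interfaces, addresses and the failover key are assumed values.

```cisco
! ---- Primary unit ----
failover lan unit primary
! Failover (hello) link on g0/3 and stateful replication link on g0/4 (assumed addresses)
failover lan interface fail-1 GigabitEthernet0/3
failover interface ip fail-1 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link fail-2 GigabitEthernet0/4
failover interface ip fail-2 10.255.1.1 255.255.255.252 standby 10.255.1.2
! Encrypt and authenticate failover messages; replicate HTTP sessions too
failover key Failover-Shared-Key
failover replicate http
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 no shutdown
! Every data interface gets an active and a standby address
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
 no shutdown
failover
prompt hostname priority state
!
! ---- Secondary unit: only the failover link and key, then enable; the rest replicates ----
failover lan unit secondary
failover lan interface fail-1 GigabitEthernet0/3
failover interface ip fail-1 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover key Failover-Shared-Key
interface GigabitEthernet0/3
 no shutdown
failover
! Verify from either unit
show failover
```

Without `failover key`, the configuration, including every secret on the box, is replicated to the peer in the clear over the failover link; set it on both units before enabling failover.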

What plane lets the administrator communicate with the device or monitor logs

Management plane

What plane involves the CPU processing?

Control plane

What plane deals with passing traffic?

Data plane

What is an example of using the management plane?

SSH, HTTPS/ASDM, SNMP, syslog and NTP sessions to the device itself

What is an example of the control plane?

Routing protocol updates, traffic going to the device

What is a way to secure the management plane?

AAA, login restrictions/timeouts, encryption

What is a way to secure the control plane?

Authenticated routing protocols, control plane policing/protection

What is a way to secure the data plane?

ACLs, STP safeguards, port security, firewalls, IPS/IDs

What function in a policy map rate limits traffic?

police 8000 conform-action transmit exceed-action drop   (rate in bits per second; 8000 is the minimum)

When typing enable, what is the default priv level it goes to?

15

When entering a username secret, how is that stored?

MD5 hash

What command allows a certain priv level to execute a command?

privilege exec level 4 ping

When using username secret command, what does 5 mean before the password string

Means the following is an MD5 hash, 0 is plain text

Command to enable aaa

aaa new-model

When you use a "aaa authentication default" command where does that take effect?

All lines, including the console, unless a line has a named method list applied with login authentication

What command enforces a minimum password length?

security passwords min-length 8

What 2 commands are needed to start SSH

ip domain-name acm

crypto key generate rsa modulus 1024 (use 2048 or larger in practice)

What command locks an account out after 3 attempts

aaa local authentication attempts max-fail 3

What command clears locked out accounts?

clear aaa local user lockout all

What command lets someone try 10 passwords within 60 seconds, locking the account, and making them wait 300 seconds to try again?

login block-for 300 attempts 10 within 60

What does SSH 1.99 represent

Means it can use version 1 or 2

What port is used for Tacacs+?


What are the modern ports for Radius?

1812 for authentication

1813 for accounting

What 2 messages will the AAA server respond with for a login?

Accept or Reject (RADIUS Access-Accept / Access-Reject; TACACS+ PASS / FAIL)

What are the 2 cisco services that run tacacs

Access Control Server (ACS)

Identity Service Engine (ISE)

What is better to use for administrators (tacacs or radius)

TACACS+ (separates authorization so each command can be authorized individually)

What command makes AAA check authorization of commands after getting in config mode?

aaa authorization config-commands

What feature enforces role based access, as in commands allowed

Parser view

What command lets you see what perser view you're in

Show parser view

What command makes a username associated with a parser view

username bob view help-desk priv 15 secret cisco

Command in parser view mode to allow a user in the view to use a command

commands exec include show version
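
The parser-view cards as one complete role-based CLI configuration. This is an added example, not from the card set; the view name, the command list and all secrets are assumed values.

```cisco
! Role-based CLI needs AAA and an enable secret (you enter "enable view" with it)
aaa new-model
enable secret Enable-Secret!
! The help-desk role may only run the listed commands (view secret assumed)
parser view HELP-DESK
 secret View-Secret!
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show logging
 commands exec include ping
 commands exec include traceroute
! Bind a user to the view; on login they land inside it, not in full privilege 15
username bob view HELP-DESK secret Bob-Pw!
! From bob's session: "show parser view" prints HELP-DESK, and "configure terminal"
! (not included above) is rejected as invalid input
```

Views are the sharper tool compared with privilege levels: a level 4 that can `ping` also inherits everything at levels 1 through 3, whereas a view exposes exactly the commands listed and nothing else.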

What command lets a specific interface use management features (ssh/https)

control-plane host

management-interface fa2/0 allow ssh https

What needs to be configured on the router to allow CCP access?

Enable http secure server and specify authentication

What command runs the security audit

auto secure

What feature checks a packet's source IP to see if it came in on an appropriate interface?

unicast RPF (reverse path forward)

What version of SNMP should be used, which allows encryption and authentication?

SNMPv3 (authPriv security level)

2 commands to enable secure boot

secure boot-image

secure boot-config

When setting up AAA for administrators, where do you go?

Device management

For setting up AAA for users, where do you configure it?

firewall > aaa rules

What are the 4 protocols that make a user stop and authenticate with AAA before proceeding to the server? (cut-through proxy)

HTTP

HTTPS

Telnet

FTP

(Sometimes SSH)

What commands shows what users are authenticated in the firewall?

show uauth

What is a downloadable ACL, where is it created

Created in AAA server, downloaded onto ASA when a user authenticates, applies to an interface

If there is conflicting information on an interface ACL and downloadable ACL, how do you set the firewall to give precedence to the downloaded one?

In the access rules page, go to advanced, select per-user-override

What are 4 symmetrical encryption algorithms?

DES

3DES

AES

SEAL (also RC4, Blowfish, IDEA)

What are 2 asymmetrical encryption algorithms?

RSA and Diffie-Hellman (also ECC, DSA, ElGamal)

What are 2 hashing algorithms?

MD5 and SHA (SHA-1/SHA-2)

In CIA, how do you assure integrity?

Hashing (HMAC when the hash itself must be authenticated)

What are the 3 sections of NFP

Management plane

Control plane

Data plane

What are the 5 options for an IKE phase 1 tunnel?

Hash

Authentication method

Group (Diffie-Hellman)

Lifetime

Encryption

What are the 4 objectives of IPSEC

Confidentiality

Integrity

Authentication

Anti-replay

What are 2 ways an IKE phase 1 tunnel is created, and which has more packets

Main mode (uses more)

Aggressive mode

What is perfect forward secrecy

Using DH in IKE phase 2

Command to see details about ike phase 1 tunnel

show crypto isakmp sa detail

Command to see details about ike phase 2 tunnel

Show crypto ipsec sa

what does isakmp stand for

Internet security association and key management protocol

What layer is ESP and what is the protocol number

ESP is IP protocol 50: it is carried directly inside IP, in the transport-layer slot (AH is protocol 51)

What can't AH provide?

Confidentiality (encryption)

How do you prevent NAT occuring over tunnel?

Add line in access list to deny traffic that is going from the inside network to destination, and a line after to allow traffic from the inside going anywhere else

What are 2 things that can be set to cause ipsec tunnel to renegotiate?

Time or data

In SSL who sends a list of ciphers they support?

The client, in its ClientHello; the server picks one in the ServerHello

What is the PKI

Public key infrastructure - responsible for sharing public keys

What type of VPN can be formed when you do not have admin rights on the local computer?

Clientless SSL VPN

What protocol number is ESP

50 (AH is 51)

How does a user specify a connection profile (3)

Go to a specific URL, dropdown, or have a certificate

What is a split tunnel?

Only some of the traffic goes through the tunnel (interesting traffic)

Default connection profile for clientless connection

DefaultWEBVPNGroup

Default connection profile for IPSec

DefaultRAGroup

Order of policy assignment for connected VPN users (5)

DAP (dynamic access policy)

User policy

Group policy under user profile

Group policy under connection profile

Default group policy

What happens if something from the user profile is different than the group policy?

User policy rule is applied, group ignored

How do you restrict access to a certain URL on a clientless VPN session?

Webtype ACL

How can you lock a user down to a single connection profile?

Select connection profile (tunnel group) lock under user settings

Command to show the active VPN session information

show vpn-sessiondb

Port IPSEC uses to initiate communication

UDP port 500

IPSec protocol number

ESP is 50, AH is 51

Nat traversal port number and layer 4 protocol

UDP port 4500; a UDP header is inserted in front of the ESP header so NAT devices have something to translate

What are 2 benefits of IKEv2

Nat traversal built in

Dead peer detection

In SSL, how do servers prove their identity?

Digital signature

How does a digital signature work

Sender creates a hash and encrypts it with their private key.

Receiver decrypts with sender's public key and compares hash

What does QM_IDLE IKEv1 phase 1 mean

The tunnel has been established

What is a next-gen encryption standard and hashing algorithm

SHA256 (or higher) and AES

What 3 pieces of information must be in a crypto map

Identify the traffic, set a peer, and set the transform set

Command to see ike phase 1 sessions

sh crypto isakmp sa

What fields in ESP are not encrypted

security parameter index (SPI) and sequence (SEQ)

What command must be added to the crypto map to add a route to the distant network to your routing table

reverse-route [static]
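
The IKE phase 1 defaults, crypto-map and NAT-exemption cards assembled into one IOS site-to-site IPsec configuration. This is an added example, not from the card set; the peer and network addresses and the pre-shared key are assumed. The isakmp policy covers all of HAGLE, the transform set is the phase 2 proposal, and the NAT ACL denies tunnel traffic before permitting the rest so it is never translated.

```cisco
! IKE phase 1 (ISAKMP) policy: H-A-G-L-E; everything but lifetime must match the peer
crypto isakmp policy 10
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
 encryption aes 256
crypto isakmp key Vpn-PreShared-Key address 198.51.100.2
! IKE phase 2 proposal (transform set)
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
! Interesting traffic: local LAN 10.1.0.0/16 to remote LAN 10.2.0.0/16
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
! NAT exemption: deny tunnel traffic first, then PAT everything else out g0/0
ip access-list extended NAT-ACL
 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
! Crypto map: traffic, peer, transform set; PFS forces a fresh DH exchange in phase 2;
! reverse-route injects a static route to the remote LAN
crypto map VPN-MAP 10 ipsec-isakmp
 match address VPN-TRAFFIC
 set peer 198.51.100.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 reverse-route
interface GigabitEthernet0/0
 ip nat outside
 crypto map VPN-MAP
interface GigabitEthernet0/1
 ip nat inside
! Verify: phase 1 should show QM_IDLE, phase 2 shows encaps/decaps counters climbing
show crypto isakmp sa detail
show crypto ipsec sa
```

If the tunnel comes up but traffic never flows, check the NAT ACL order first: a `permit ... any` line ahead of the `deny` translates the source addresses before the crypto map sees them, so nothing matches VPN-TRAFFIC.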

What is UTM

A broad term, unified threat management. Such as a firewall with a IPS module

What is a false positive

Alert generated for benign traffic

What is a true positive

Alert generated for bad traffic

What is a false negative

Malicious traffic with no alert generated

What is a true negative

Good traffic with no alert generated

What are 2 ways an IDS can prevent an attack

Send a TCP reset

Block request (to routers/firewalls)

What can an IPS do that an IDS can't? (2)

Deny traffic

Modify traffic

What kind of identification method can identify a ping sweep?

Signature matching

What kind of identification method can identify traffic by policies like no telnet allowed?

Policy based identification

What kind of identification method listens to traffic, develops a baseline, then identifies if there's a major change?

Anomaly based

What kind of identification method uses information learned from other resources about current attacks?

Reputation based

What is the SDEE

Security device event exchange - uses TCP and sends alerts to management stations

What is better to minimize latency, IDS or IPS

IDS (sits out of band in promiscuous mode, so it adds no delay to the traffic path)

Size of SHA-1

160 bit

Upward limit of SHA-2

512 bit

Size of MD5 hash

128 bit

What does key space refer to

Refers to all the possible values for a key. Bigger the key, the more secure

What is ECDSA

Elliptic Curve Digital Signature Algorithm, part of ECC (elliptic curve cryptography)

This is a format of a certificate request sent to a CA that wants to receive its identity certificate. This type of request would include the public key for the entity desiring a certificate.

PKCS#10 (certificate signing request)

This is a format that can be used by a CA as a response to a PKCS#10 request. The response itself will very likely be the identity certificate (or certificates) that had been previously requested

PKCS#7

RSA Cryptography Standard PKCS#

PKCS#1

A format used for storing both public and private keys using a symmetric password-based key to unlock the data whenever the key needs to be used or accessed

PKCS#12

Diffie-Hellman key exchange PKCS#

PKCS#3


What is used to automate the process of requesting and installing an identity certificate?

SCEP - Simple Certificate Enrollment Protocol

What list is sent to show when certificates are revoked

CRL - certificate revocation list

3 authentication methods shared by Radius and TACACS

PAP

CHAP

MS-CHAP

An authentication method that Radius can use but TACACS can't

EAP

An authentication method that TACACS can use but Radius can't


If a ZBF firewall drops traffic, does it generate ICMP traffic?

No, drops are silent by default (use drop log in the policy-map class to log them)

In a ZBF, is inspect considered unidirectional or bidirectional

Bidirectional traffic flows

What is DTLS

TLS over UDP (datagram)

If the firewalls configured for DTLS and dead peer detection, can an anyconnect client using TLS connect?

Yes, FW will accept TLS as backup

What happens in EAPFASTv2 when user authentication fails but device authentication passes?

User will have restricted access

Define CoPP and CPPr

Control plane policing

Control plane protection

EAPFASTv1 minimum level TLS supported


EAPFASTv2 minimum level TLS supported


What does MM_NO_STATE signify looking at ISAKMP associations

Main mode was used, peers created the security association. If it doesn't move past here, it failed

What does AG_NO_STATE signify looking at ISAKMP association?

Aggressive mode was used, peers created SA

What does QM_IDLE signify looking at ISAKMP association?

Quick mode was used for IKE phase 2 (the only mode for phase 2). QM_IDLE on a phase 1 SA means the SA is established and idle, ready to negotiate phase 2; it indicates success

What does AG_AUTH signify looking at ISAKMP associaitons?

Aggressive mode was used, peers authenticated

What does a SEM do?

Security event managers perform real time analysis and detection

What does a SIM do?

Security information management collect and analyze logs, not real time

What does microsoft server need in order to handle SCEP requests

Microsoft Network Device Enrollment Service (NDES)

What is a WAF?

Web Application Firewall - used to protect web sites from known attacks and vulnerabilities

Worm used as an act of war against Iranian ICS

Stuxnet

What is CSA?

Cisco Security Agent - a host based IPS

When looking at show conn on a firewall, what does the S, s, A, a mean?

S = a SYN is expected from the inside

s = a SYN is expected from the outside

A = an ACK is expected from the inside

a = an ACK is expected from the outside

When looking at show conn on a firewall, what does the U mean?

3 way handshake was complete

When looking at show conn on firewall, what will it show when the handshake is complete and data is flowing bidirectionally?

UIO (up, inbound data, outbound data)

When looking at show conn on firewall, what does a B represent?

Initial SYN originated from outside

Where is split tunneling configured?

Group policy

Max amount of CLI views for routers

15, including lawful intercept