Refer to the exhibit. what hmac algorithm is being used to provide data integrity?
Question 1 Show Which component of VPN technology ensures that data can be read only by its intended recipient? A. data integrity Answer: D Explanation First you need to understand what these terms mean: Data integrity: verifying that the packet was not changed as the packet transited the Internet Encryption: conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people Authentication: the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication can take place at both sides, the sender and the receiver. Key exchange: is any method in cryptography by which cryptographic keys are exchanged between users, allowing use of a cryptographic algorithm. So in this question we realize that only authentication involves in the end user while others are about processing data -> D is correct. Question 2 What can be done to secure the virtual terminal interfaces on a router? (Choose two) A. Administratively shut down the interface. Answer: D E Explanation It is a waste to administratively shut down the interface. Moreover, someone can still access the virtual terminal interfaces via other interfaces -> A is not correct. We can not physically secure a virtual interface because it is “virtual” -> B is not correct. To apply an access list to a virtual terminal interface we must use the “access-class” command. The “access-group” command is only used to apply an access list to a physical interface -> C is not correct; E is correct. The most simple way to secure the virtual terminal interface is to configure a username & password to prevent unauthorized login -> D is correct. Question 3 The enable secret command is used to secure access to which CLI mode? A. user EXEC mode Answer: C Question 4 Which type of attack is characterized by flood of packet that requesting a TCP connection to a server? A. denial of service Answer: A Question 5 Which IPsec security protocol should be used when confidentiality is required? A. AH Answer: D Explanation IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH), which provide security services for IP datagrams. ESP can provide the properties authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the IP header). AH provides authentication, integrity, and replay protection (but not confidentiality) of the sender. Question 6 What algorithm technology must be used for ensuring data integrity when dataflow goes over VPN tunnel? (Choose two) A. RSA Answer: D E Explanation Data integrity ensures data has not been altered in the transmission. A data-integrity algorithm adds a hash to the message to guarantee the integrity of the message. A Hashed Message Authentication Code (HMAC) is a data-integrity algorithm that ensures the integrity of the message. Two popular algorithms a VPN gateway uses for verifying integrity of data are HMAC-Message Digest 5 (HMAC-MD5) and HMAC-Secure Hash Algorithm 1 (HMAC-SHA1) + HMAC-MD5 uses a 128-bit shared-secret key of any size. The variable-length message and shared-secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and is forwarded to the remote end. + HMAC-SHA-1 uses a secret key of any size. The variable-length message and the shared-secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and is forwarded to the remote end. Diffie-Hellman Group 1 (DH-1) & Diffie-Hellman Group 2 (DH-2) are two encryption algorithms for VPN, not data integrity algorithms. RSA is also an encryption algorithm, not data integrity algorithm. (Reference: Implementing Cisco IOS Network Security IINS) Question 7 What are two security appliances that can be installed in a network? (Choose two) A. ATM Answer: B E Explanation Intrusion detection system (IDS) and intrusion prevention system (IPS) solutions form an integral part of a robust network defense solution. IDS monitors network and system activities for malicious activities or policy violations and produces reports to a Management Station. IPS provides policies and rules for network traffic along with an intrusion detection system for alerting system or network administrators to suspicious traffic, but allows the administrator to provide the action upon being alerted. The key to differentiating an IDS from an IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS allows malicious traffic to pass before it can respond. (Reference: Implementing Cisco IOS Network Security IINS) Note: Asynchronous Transfer Mode (ATM) is a layer 2 WAN transport protocol. It encodes data into small, fixed-sized cells consisting of 48 bytes of payload and 5 bytes of cell header -> A is not correct Cisco Router and Security Device Manager (SDM) is a Web-based device-management tool for Cisco routers that can help you configure a router via a web browser -> In general, it only helps simplify the network management, router configuration so it is not a security appliance -> F is not correct. Question 8 Which device might be installed at a branch office to enable and manage an IPsec site-to-site VPN? A. Cisco IOS IPsec/SSL VPN client Answer: D Explanation An example of IPsec site-to-site VPN is your corporation has departments in many countries which need to communicate with each other. A popular solution is site-to-site (LAN-to-LAN) VPN to create private networks through the Internet. But as we know, Internet is not a safe environment for important data to be transferred. That is the reason why we need IPsec, a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. Cisco Adaptive Security Appliance (ASA) supports IPsec, that’s all I can say! If you wish to learn more about the configuration, please read http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml Question 9 Refer to the exhibit. What is the result of setting the no login command? Router#config t A. This is a virtually limitless supply of IP addresses Answer: No correct answer Explanation There is a mistake in this question because this configuration will let someone telnet to that router without the password (so the line “password c1sco” is not necessary). If we want to deny telnet we can configure like this: Router(config)#line vty 0 4 With this configuration, when someone tries to telnet to this router, a message “Password required, but none set” is displayed. Question 10 What is the effect of using the service password-encryption command? A. Only passwords configured after the command has been entered will be
encrypted. Answer: E Explanation The secret password (configured by the command “enable secret “) is always encrypted even if the “service password-encryption” command is not used. Moreover, the secret password is not removed from the configuration with this command, we still see it in encrypted form in the running-config -> D is not correct. The “enable password ” does not encrypt the password and can be viewed in clear text in the running-config. By using the “service password-encryption” command, that password is encrypted (both current and future passwords) -> A is not correct, E is correct. Answer B – Only the enable password will be encrypted seems to be correct but it implies the secret password will not be encrypted and stay in clear text, which is not correct. For your information, the secret password is encrypted with MD5 one-way hash algorithm which is harder to break than the encryption algorithm used by the “service password-encryption” command. Question 11 Which command sets and automatically encrypts the privileged enable mode password? A. enable password c1sco Answer: D What algorithm is used for data integrity?Secure Hash Algorithm (SHA) is one of many available hashing algorithms used to verify data integrity. The other options are not hashing algorithms, but symmetric encryption algorithms.
What algorithm will be used for providing confidentiality?Symmetric-key algorithms
Symmetric key algorithms are used for: Providing data confidentiality by using the same key for encrypting and decrypting data. Providing Message Authentication Codes (MACs) for source and integrity authentication services. The key is used to create the MAC and then to validate it.
What are the two common data integrity algorithm used in IPsec?Two main algorithms facilitate data integrity within the IPSec framework—MD5 and SHA-1. HMAC guarantees the message's integrity. At the local end, the message and a shared secret key are sent through a hash algorithm, which produces a hash value.
Which two IPsec protocols are used to provide data integrity Choose 2?IPsec originally defined two protocols for securing IP packets: Authentication Header (AH) and Encapsulating Security Payload (ESP). The former provides data integrity and anti-replay services, and the latter encrypts and authenticates data.
|