Passguides CCSP 642-502

Securing Networks with Cisco Routers and Switches Exam(SNRS) : 642-502 Exam
642-502 SNRS
Securing Networks with Cisco Routers and Switches Exam

Retired June 20, 2007
Exam Number: 642-502
Associated Certifications: CCSP
Duration: 90 minutes (60-70 questions)
Available Languages: English

Exam Description
The Securing Networks with Cisco Routers and Switches exam is one of the exams associated with the Cisco Certified Security Professional certification. Candidates can prepare for this exam by taking the SNRS v1.0 course. This exam includes simulations and tests a candidate’s knowledge and ability to secure networks using Cisco routers and switches.

Exam Topics
The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.

Implement Layer 2 security
Utilize Cisco IOS and Cat OS commands to mitigate Layer 2 attacks
Implement Cisco Identity-Based Networking Services
Implement Cisco 802.1X Port-Based Authentication
Identify and describe Layer 2 security best practices

Configure Cisco IOS Firewall features to meet security requirements
Identify and describe the capabilities of the IOS firewall feature set
Configure CBAC to dynamically mitigate identified threats to the network
Verify and troubleshoot CBAC configuration and operation
Configure authentication proxy to apply security policies on a per-user basis
Verify and troubleshoot authentication proxy configuration and operation

Configure Cisco IOS-based IPS to identify and mitigate threats to network resources
Identify and describe the capabilities of the IOS-IPS feature set
Configure the IPS features to identify threats and dynamically block them from entering the network
Verify and troubleshoot IDS operation
Maintain and update the signatures

Configure basic IPSec VPNs to secure site-to-site and remote access to network resources
Select the correct IPSec implementation based on specific stated requirements
Configure IPSec Encryption for site-to-site VPN using pre-shared keys
Configure IPSec Encryption for site-to-site VPN using certificate authority
Verify and troubleshoot IPSec operation
Configure EZ-VPN server
Configure EZ-VPN remote using both hardware and software clients.
Troubleshoot EZ-VPN

Configure authentication, authorization and accounting to provide basic secure access control for networks
Configure administrative access to the Cisco Secure ACS server
Configure AAA clients on the Cisco Secure ACS (for routers)
Configure users, groups and access rights
Configure router to enable AAA to use TACACS+
Configure router to enable AAA to use a Radius server
Verify and troubleshoot AAA operation

Use management applications to configure and monitor IOS security features
Initialize SDM communications on Cisco routers
Perform a LAN interface configuration of a Cisco router using SDM
Use SDM to define and establish a site-to-site VPN

QUESTION 11:
Which two are typical Layer 2 attacks? (Choose two.)
A. MAC spoofing
B. CAM table overflow
C. Route poisoning
D. DHCP Starvation
E. ARP Starvation
F. Spam
G. Worm Hole
Answer: A, B
Explanation:
Layer 2 network attacks include all of the following:
CAM Table Overflow
VLAN Hopping
Spanning-Tree Protocol Manipulation
MAC Spoofing Attack
Private VLAN Attacks
DHCP Starvation
Cisco Discovery Protocol
VLAN Trunking Protocol
IEEE 802.1x
MAC Spoofing Attack:
MAC spoofing attacks involve the use of a known MAC address of another host to attempt to make the target switch forward frames destined for the remote host to the network attacker. By sending a single frame with the other host’s source Ethernet address, the network attacker overwrites the CAM table entry so that the switch forwards packets destined for the host to the network attacker. Until the host sends traffic it will not receive any traffic. When the host sends out traffic, the CAM table entry is rewritten once more so that it moves back to the original port.
CAM Table Overflow:
The CAM table in a switch contains information such as the MAC addresses available on a given physical port of a switch, as well as the associated VLAN parameters. When a Layer 2 switch receives a frame, the switch looks in the CAM table for the destination MAC address. If an entry exists for the MAC address in the CAM table, the switch forwards the frame to the port designated in the CAM table for that MAC address. If the MAC address does not exist in the CAM table, the switch forwards the frame out every port on the switch, effectively acting like a hub. If a response is seen, the switch updates the CAM table.
Reference:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014
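As an added example (not code from the original page), here is a small Python model of the CAM-table learning and forwarding behaviour explained above, together with the port-security mitigation the next question refers to; the MAC addresses, VLAN and port names are constructed for the demo, and a violation is modelled as the port being shut down.

```python
# Added example: model of CAM-table learning plus port security (max secure
# MACs per port, violation => port shut down). Values below are constructed.

HOST_A, HOST_B, ATTACKER = "0011.2233.aaaa", "0011.2233.bbbb", "dead.beef.cafe"


class CamSwitch:
    FLOOD = "flood"   # unknown destination: frame goes out every port (hub-like)

    def __init__(self, secure_max=None):
        self.cam = {}                        # (vlan, src_mac) -> learned port
        self.secure_max = secure_max or {}   # port -> MAC count port security allows
        self.err_disabled = set()            # ports shut down after a violation
        self.violations = []                 # (port, offending mac)

    def frame(self, in_port, vlan, src_mac, dst_mac):
        """Process one frame: learn the source, then look up the destination.
        Returns the egress port, CamSwitch.FLOOD, or None if the frame was dropped."""
        if in_port in self.err_disabled:
            return None
        limit = self.secure_max.get(in_port)
        if limit is not None:
            learned = {m for (v, m), p in self.cam.items()
                       if p == in_port and v == vlan}
            if src_mac not in learned and len(learned) >= limit:
                # port security violation: a new source MAC beyond the allowed count
                self.violations.append((in_port, src_mac))
                self.err_disabled.add(in_port)
                return None
        self.cam[(vlan, src_mac)] = in_port   # learning overwrites any older entry
        return self.cam.get((vlan, dst_mac), self.FLOOD)


def demo(secured):
    """Host A on Fa0/1, host B on Fa0/2, attacker on Fa0/3. With port security
    limiting Fa0/3 to one MAC, the frame that carries B's source address trips a
    violation instead of moving B's CAM entry to the attacker's port."""
    sw = CamSwitch({"Fa0/3": 1} if secured else None)
    sw.frame("Fa0/1", 10, HOST_A, HOST_B)       # A -> B: learn A; B unknown -> flood
    sw.frame("Fa0/2", 10, HOST_B, HOST_A)       # B -> A: learn B; forward to Fa0/1
    sw.frame("Fa0/3", 10, ATTACKER, HOST_A)     # attacker's own MAC learned on Fa0/3
    sw.frame("Fa0/3", 10, HOST_B, HOST_A)       # frame with B's MAC as its source
    return {
        "b_egress": sw.frame("Fa0/1", 10, HOST_A, HOST_B),  # where A's traffic to B goes
        "violations": sw.violations,
        "err_disabled": sorted(sw.err_disabled),
    }
```

Without port security `demo(False)["b_egress"]` is `"Fa0/3"` (the CAM entry for B has moved); with it, B's traffic still leaves `"Fa0/2"` and Fa0/3 is err-disabled.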
QUESTION 12:
You want to increase the security levels at layer 2 within the Certkiller switched LAN. Which three are typical Layer 2 attack mitigation techniques? (Select three)
A. Switch security
B. Port security
C. ARP snooping
D. DHCP snooping
E. Port snooping
F. 802.1x authentication
Answer: B, D, F
Explanation:
Network Attack Mitigation:
Use the port security commands to mitigate MAC-spoofing attacks. The port security command provides the capability to specify the MAC address of the system connected to a particular port. The command also provides the ability to specify an action to take if a port-security violation occurs. However, as with the CAM table-overflow attack mitigation, specifying a MAC address on every port is an unmanageable solution.
Hold-down timers in the interface configuration menu can be used to mitigate ARP spoofing attacks by setting the length of time an entry will stay in the ARP cache. However, hold-down timers by themselves are insufficient. Modification of the ARP cache expiration time on all end systems would be required as well as static ARP entries. Even in a small network this approach does not scale well. One solution would be to use private VLANs to help mitigate these network attacks.
Another solution that can be used to mitigate various ARP-based network exploits is the use of DHCP snooping along with Dynamic ARP Inspection (DAI). These Catalyst features validate ARP packets in a network and permit the interception, logging, and discarding of ARP packets with invalid MAC address to IP address bindings.
DHCP Snooping provides security by filtering trusted DHCP messages and then using these messages to build and maintain a DHCP snooping binding table. DHCP Snooping considers DHCP messages originating from any user-facing port that is not a DHCP server port or an uplink to a DHCP server as untrusted. From a DHCP Snooping perspective these untrusted, user-facing ports should not send DHCP server type responses such as DHCPOffer, DHCPAck, or DHCPNak. Untrusted DHCP messages are messages received from outside the network or firewall. The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information corresponding to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network. The DHCP snooping binding table can contain both dynamic as well as static MAC address to IP address bindings.
Another effective mitigation strategy is to deploy 802.1x on access switches and wireless access points to ensure that all access to the network infrastructure requires authentication. Consider deploying PEAP for use with wireless LANs.
Reference:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014
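As an added example (not code from the original page), the following Python model shows how the DHCP snooping binding table described above is built from trusted DHCP messages and how DAI then uses it to validate ARP packets on untrusted ports; the port names, VLAN, MAC and IP values are constructed for the demo, and the switch is assumed to remember which untrusted port a client's DISCOVER/REQUEST arrived on.

```python
# Added example: DHCP snooping binding table + Dynamic ARP Inspection (DAI).
# All port names, MACs and addresses are constructed values.
from dataclasses import dataclass

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # only legitimate from trusted ports


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplink / DHCP-server-facing ports
        self.pending = {}                   # (vlan, client mac) -> untrusted client port
        self.bindings = {}                  # (vlan, client mac) -> Binding
        self.log = []

    def dhcp(self, port, vlan, msg_type, client_mac, yiaddr=None):
        """DHCP snooping: returns 'forward' or 'drop'."""
        if msg_type in SERVER_MSGS and port not in self.trusted:
            self.log.append(f"DHCP_SNOOPING drop {msg_type} on untrusted {port}")
            return "drop"
        if msg_type in ("DHCPDISCOVER", "DHCPREQUEST") and port not in self.trusted:
            self.pending[(vlan, client_mac)] = port    # remember who asked, and where
        elif msg_type == "DHCPACK":
            client_port = self.pending.pop((vlan, client_mac), None)
            if client_port is not None:                # lease granted to an untrusted client
                self.bindings[(vlan, client_mac)] = Binding(client_mac, yiaddr, vlan, client_port)
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: trusted ports bypass the check; untrusted ports must match a binding
        (same MAC, IP, VLAN and port). Returns 'permit' or 'drop'."""
        if port in self.trusted:
            return "permit"
        b = self.bindings.get((vlan, sender_mac))
        if b and b.ip == sender_ip and b.port == port:
            return "permit"
        self.log.append(f"DAI drop ARP {sender_mac}/{sender_ip} on {port} vlan {vlan}")
        return "drop"


def demo():
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})   # uplink toward the DHCP server
    client, other = "0011.2233.4455", "dead.beef.0001"
    sw.dhcp("Gi1/0/2", 10, "DHCPDISCOVER", client)
    sw.dhcp("Gi1/0/24", 10, "DHCPOFFER", client, "10.1.10.50")
    sw.dhcp("Gi1/0/2", 10, "DHCPREQUEST", client)
    sw.dhcp("Gi1/0/24", 10, "DHCPACK", client, "10.1.10.50")   # creates the binding
    return {
        "offer_from_user_port": sw.dhcp("Gi1/0/3", 10, "DHCPOFFER", client, "10.1.10.99"),
        "client_arp": sw.arp("Gi1/0/2", 10, client, "10.1.10.50"),
        "no_binding": sw.arp("Gi1/0/3", 10, other, "10.1.10.1"),      # unknown MAC/IP
        "wrong_port": sw.arp("Gi1/0/3", 10, client, "10.1.10.50"),    # binding is on Gi1/0/2
        "bindings": len(sw.bindings),
        "log": sw.log,
    }
```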
QUESTION 13:
The Certkiller security administrator is in charge of creating a security policy for the company. Which two statements about the creation of a security policy are true? (Choose two)
A. It helps Chief Information Officers determine the return on investment of network security at Certkiller Inc.
B. It defines how to track down and prosecute policy offenders at Certkiller Inc.
C. It helps determine which vendor security equipment or software is better than others.
D. It clears the general security framework so you can implement network security at Certkiller Inc.
E. It provides a process to audit existing network security at Certkiller Inc.
F. It defines which behavior is and is not allowed at Certkiller Inc.
Answer: E, F
Explanation:
Reasons to create a network security policy:
1. Provides a process to audit existing network security
2. Provides a general security framework for implementing network security
3. Defines which behavior is and is not allowed
4. Often helps determine which tools and procedures are needed for the organization
5. Helps communicate consensus among a group of key decision-makers and defines responsibilities of users and administrators
6. Defines a process for handling network security incidents
7. Enables global security implementation and enforcement
8. Creates a basis for legal action if necessary
Reference: Managing Cisco Network Security, Cisco Press, page 43
QUESTION 14:
The Certkiller routers have all been upgraded to a firewall feature set IOS. What are three main components of the Cisco IOS Firewall feature set? (Choose three)
A. Context-based Access Control
B. Port security
C. Authentication proxy
D. Authentication, authorization, and accounting
E. Intrusion Prevention System
F. Neighbor router authentication
Answer: A, C, E
Explanation:
The Cisco IOS firewall feature set contains the following features:
Context-Based Access Control (CBAC) - CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if the traffic is part of the same session as the original traffic that triggered CBAC when exiting through the firewall.
Cisco IOS Intrusion Prevention System (IPS) - The Cisco IOS IPS feature restructures the existing Cisco IOS Intrusion Detection System (IDS), allowing customers to choose to load the default, built-in signatures or to load a Signature Definition File (SDF) called attack-drop.sdf onto the router. The attack-drop.sdf file contains 118 high-fidelity Intrusion Prevention System (IPS) signatures, providing customers with the latest available detection of security threats.
Cisco IOS Firewall Authentication Proxy - Authentication proxy provides dynamic, per-user authentication and authorization, authenticating users against industry standard TACACS+ and RADIUS authentication protocols. Per-user authentication and authorization of connections provide more robust protection against network attacks.
Reference:

http://www.cisco.com/en/US/products/ps5854/prod_configuration_guide09186a00802c9587.html

QUESTION 15:
Router CK1 is configured with the IOS firewall feature set to prevent TCP based attacks. How many incomplete connections must this router have by default before TCP Intercept will start dropping incomplete connections?
A. 500
B. 1100
C. 700
D. 900
E. 200
F. 250
Answer: B
Explanation:
Once the number of incomplete connections (TCP SYN) reaches 1100, TCP Intercept will start deleting incomplete sessions (oldest session first, by default). Configure the incomplete session threshold with the “ip tcp intercept max-incomplete high (number)” command.
QUESTION 16:
Which of the following represents the behavior of the CBAC aggressive mode in a Cisco IOS firewall?
A. Delete all half-open session
B. Re-initiate half open session
C. Complete all half open sessions, make the full open session
D. Delete half-open session as needed to accommodate new connection requests
E. All of the above, based on configuration
Answer: D
Explanation:
A TCP SYN attack occurs when an attacking source host generates TCP SYN packets with random source addresses and sends them in rapid succession to a victim host. The victim destination host sends a SYN ACK back to the random source address and adds an entry to the connection queue. Since the SYN ACK is destined for an incorrect or nonexistent host, the acknowledgment is never completed and the entry remains in the connection queue until a timer expires. The connection queue fills up and legitimate users cannot use TCP services. However, with CBAC, TCP packets flow from the outside only in response to traffic sent from the inside. The attacking host can’t get its packets through, and the attack does not succeed. In addition, by inspecting inbound on the external interface (interface serial 0 in the example above), CBAC can account for half-open connections through the firewall and begin closing those half-open connections in an aggressive mode. The firewall will calm down once the number of half-open connections settles down to a user-defined value.
QUESTION 17:
What OSI layers can CBAC filter on? Select all that apply.
A. Layer 4
B. Layer 3
C. Layer 2
D. Layer 7
E. Layer 5
Answer: A, B, D
Explanation:
Access lists can filter traffic based on layer 3 and layer 4 information, while CBAC can filter traffic based on layer 3, 4, and 7 (application layer) information.
QUESTION 18:
Router CK1 has been upgraded with the Cisco firewall IOS. Which of the following cannot be configured on a router unless the IOS Firewall feature set is installed? (Select all that apply)
A. PAM
B. Authentication Proxy
C. IDS
D. CBAC
Answer: A, B, C, D
Explanation:
CBAC, PAM, IDS, Authentication Proxy are the four main components of the Cisco IOS Firewall and cannot be configured until the IOS Firewall feature set is installed on the router. The following table describes these features in more detail:
Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800c
QUESTION 19:
Router CK1 is being used to prevent Denial of Service attacks on the Certkiller network. Which three thresholds does CBAC on the Cisco IOS Firewall provide against DoS attacks? (Choose three)
A. The number of half-open sessions based upon time
B. The total number of half-open TCP or UDP sessions
C. The number of fully open sessions based upon time
D. The number of half-open TCP-only sessions per host
E. The total number of fully open TCP or UDP sessions
F. The number of fully open TCP-only sessions per host
Answer: A, B, D
Explanation:
Enhanced denial-of-service detection and prevention defends networks against popular attack modes, such as SYN (synchronize/start) flooding, port scans, and packet injection, by inspecting packet sequence numbers in TCP connections. If numbers are not within expected ranges, the router drops suspicious packets. When the router detects unusually high rates of new connections, it issues an alert message, and subsequently drops half-open TCP connection state tables. This prevents system resource depletion.
When the Cisco IOS Firewall detects a possible attack, it tracks user access by source or destination address and port pairs. It also details the transaction, creating an audit trail. The CBAC process can be configured to monitor these half-open sessions based on the total number within a given time frame, the total number at any given point, or the total number per any individual host. When the number of existing half-open sessions exceeds the max-incomplete high number, CBAC deletes half-open sessions as required to accommodate new connection requests. The software continues to delete half-open requests until the number of existing half-open sessions drops below the max-incomplete low number.
Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/prod_bulletin09186a008010e040.html
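As an added example (not code from the original page), this Python model walks through the max-incomplete high/low watermark behaviour described in Questions 15, 16 and 19: half-open sessions accumulate, aggressive mode starts once the count exceeds the high watermark, the oldest half-open session is deleted to accommodate each new request, and aggressive mode ends only once the count has dropped below the low watermark. The high value 1100 is the TCP Intercept default quoted in Question 15; the low value 900 and the session keys are assumptions constructed for the demo.

```python
# Added example: half-open session table with max-incomplete high/low watermarks.
# Threshold values and session keys are constructed for the demo.
from collections import OrderedDict


class HalfOpenTable:
    """Tracks half-open sessions (SYN seen, handshake never completed).
    Above `high` the firewall enters aggressive mode and deletes the oldest
    half-open session to make room for each new request; it leaves aggressive
    mode once the count has dropped below `low`."""

    def __init__(self, high, low):
        if not 0 < low < high:
            raise ValueError("need 0 < low < high")
        self.high, self.low = high, low
        self.sessions = OrderedDict()   # key -> True; insertion order == age
        self.aggressive = False
        self.deleted = 0

    def count(self):
        return len(self.sessions)

    def _update_mode(self):
        if not self.aggressive and self.count() > self.high:
            self.aggressive = True          # exceeded max-incomplete high
        elif self.aggressive and self.count() < self.low:
            self.aggressive = False         # dropped below max-incomplete low

    def syn(self, key):
        """New connection request. Returns True if an old half-open session
        was deleted to accommodate it (aggressive mode)."""
        if key in self.sessions:
            return False
        removed = False
        if self.aggressive and self.sessions:
            self.sessions.popitem(last=False)   # oldest half-open session first
            self.deleted += 1
            removed = True
        self.sessions[key] = True
        self._update_mode()
        return removed

    def expire(self, n):
        """The n oldest half-open sessions time out without ever completing."""
        for _ in range(min(n, self.count())):
            self.sessions.popitem(last=False)
        self._update_mode()


def simulate(high=1100, low=900):
    t = HalfOpenTable(high, low)
    for i in range(high + 1):                  # flood of SYNs, none ever completed
        t.syn(("flood", i))
    out = {"count_after_flood": t.count(), "aggressive": t.aggressive}
    out["deleted_for_new"] = sum(t.syn(("more", i)) for i in range(50))
    out["count_in_aggressive"] = t.count()     # one out for each one in
    t.expire(202)                              # old entries time out
    out["count_after_expiry"] = t.count()
    out["aggressive_after_expiry"] = t.aggressive
    out["deleted_after_recovery"] = t.syn(("new", 0))
    return out
```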

QUESTION 20:
The Certkiller network is concerned about SPAM and wants to use IOS tools to prevent SPAM attacks. By default, how many message recipients must an email have for the IOS Firewall to consider it a spam attack?
A. 250
B. 500
C. 100
D. 25
E. 5000
F. 50000
G. None of the above
Answer: A

By [ Download Free Passguides Dumps ] On [ October 6th, 2008 - 10:22 pm ] in [ Cisco ] -