Securing Cisco Networking Devices (SND) : 642-552 Exam
642-552 SND
Securing Cisco Network Devices Exam
Last day to test November 17, 2008
Exam Number: 642-552
Associated Certifications: CCSP/Cisco Firewall Specialist/Cisco IPS Specialist/Cisco VPN Specialist
Duration: 75 minutes
Available Languages: English
Exam Description
The Securing Cisco Network Devices 642-552 SND is the exam associated with the Cisco Certified Security Professional, Cisco Firewall Specialist, Cisco IPS Specialist, and Cisco VPN Specialist certifications. Candidates can prepare for this exam by taking the Securing Cisco Network Devices v2.0 (SND) course. This exam tests a candidate’s knowledge of securing Cisco routers and switches and their associated networks. Topics covered include: security threats facing modern network infrastructures, securing Cisco routers, implementing basic AAA, using ACLs to mitigate router and network threats, implementing secure management and reporting, mitigating common Layer 2 attacks, and implementing Cisco IOS Firewall features, Cisco IOS IPS features, and IPsec VPN features using Cisco Security Device Manager.
Exam Topics
The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.
Describe the security threats facing modern network infrastructures
- Describe and mitigate the common threats to the physical installation
- Describe and list mitigation methods for common network attacks
- Describe and list mitigation methods for Worm, Virus, and Trojan Horse attacks
- Describe the main activities in each phase of a secure network lifecycle
- Explain how to meet the security needs of a typical enterprise with a comprehensive security policy
- Describe the Cisco Self Defending Network architecture
Secure Cisco routers
- Secure Cisco routers using the SDM Security Audit feature
- Use the One-Step Lockdown feature in SDM to secure a Cisco router
- Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements
- Secure administrative access to Cisco routers by configuring multiple privilege levels
- Secure administrative access to Cisco routers by configuring role based CLI
- Secure the Cisco IOS image and configuration file
Implement basic AAA using Cisco routers
- Explain the functions and importance of AAA
- Describe the features of TACACS+ and RADIUS AAA protocols
- Describe the methods of authentication that are used to provide access through a router (packet mode) and to provide access to the router (character mode)
Mitigate threats to Cisco routers and networks using ACLs
- Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets
- Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI
- Configure IP ACLs to prevent IP address spoofing using CLI
- Discuss the caveats to be considered when building ACLs
Implement secure network management and reporting
- Describe the factors to be considered when planning for secure management and reporting of network devices
- Use CLI to configure SSH on Cisco routers to enable secured management access
- Use CLI to configure Cisco routers to send Syslog messages to a Syslog server
- Describe SNMPv3 and NTPv3
Mitigate common Layer 2 attacks
- Describe the common Layer 2 attacks and how to mitigate them (VLAN hopping, STP attacks, ARP spoofing, MAC spoofing, CAM overflow)
- Describe the function and benefit of the security features in Cisco Catalyst switches (IBNS, PVLAN, SPAN port)
- Describe common threats to WLANs
- Describe the security features of the 802.11 protocol
Implement the Cisco IOS firewall feature set using SDM
- Describe the operational strengths and weaknesses of the different firewall technologies
- Explain stateful firewall operations and the function of the state table
- Explain the types of NAT that can be implemented in a firewall
- Configure and verify basic and advanced firewall on a Cisco router using SDM
Implement the Cisco IOS IPS feature set using SDM
- Define network based vs. host based intrusion detection and prevention
- Explain IPS technologies, attack responses, and monitoring options
- Enable and verify Cisco IOS IPS operations using SDM
Implement IPsec VPN on Cisco routers using SDM
- Explain IKE protocol functionality and phases
- Describe the building blocks of IPsec and the security functions it provides
- Explain hash-based message authentication code (HMAC) operations
- Explain the different methods of encryption
- Explain the purpose of the Diffie-Hellman key agreement protocol
- Describe how IPsec establishes origin authentication
- Describe the PKI environment at a high level
- Describe the different types of IPsec VPN implementations
- Configure and verify an IPsec site-to-site VPN with pre-shared key authentication using SDM
- Explain Cisco Easy VPN Server and Cisco Easy VPN Remote
- Configure and verify remote access VPNs using the Cisco Easy VPN Server feature of Cisco SDM
QUESTION 11:
What should be the first step in migrating a network to a secure infrastructure?
A. developing a security policy
B. securing the perimeter
C. implementing antivirus protection
D. securing the DMZ
Answer: A
Explanation: The development of a security policy is the first step to a secure
infrastructure; without it, the availability of your network will be compromised.
QUESTION 12:
What is a DoS attack?
A. when an intruder attacks networks or systems to retrieve data, gain access, or escalate
access privileges
B. when an intruder attempts to discover and map systems, services, and vulnerabilities
642-552
Actualtests.com – The Power of Knowing
C. when malicious software is inserted onto a host in order to damage a system, corrupt a
system, replicate itself, or deny services or access to networks, systems, or services
D. When an intruder attacks your network in a way that damages or corrupts your
computer system, or denies you and others access to your networks, systems, or services
Answer: D
Explanation:
Denial of Service (DoS) is an attack designed to render a computer or network incapable
of providing normal services. The most common DoS attacks will target the computer’s
network bandwidth or connectivity. Bandwidth attacks flood the network with such a
high volume of traffic, that all available network resources are consumed and legitimate
user requests cannot get through. Connectivity attacks flood a computer with such a high
volume of connection requests, that all available operating system resources are
consumed and the computer can no longer process legitimate user requests.
A “denial-of-service” attack is characterized by an explicit attempt by attackers to
prevent legitimate users of a service from using that service. Examples include
* attempts to “flood” a network, thereby preventing legitimate network traffic
* attempts to disrupt connections between two machines, thereby preventing access to a
service
* attempts to prevent a particular individual from accessing a service
* attempts to disrupt service to a specific system or person
QUESTION 13:
Which method of mitigating packet-sniffer attacks is most cost effective?
A. authentication
B. switched infrastructure
C. antisniffer tools
D. cryptography
Answer: D
Cryptography: Rendering packet sniffers irrelevant is the most effective method for
countering packet sniffers. Cryptography is even more effective than preventing or
detecting packet sniffers. If a communication channel is cryptographically secure, the
only data a packet sniffer detects is cipher text (a seemingly random string of bits) and
not the original message.
QUESTION 14:
During which phase of an attack does the attacker attempt to identify targets?
A. penetrate
B. propagate
C. persist
D. probe
E. paralyze
Answer: D
Explanation:
Probe phase: The attacker identifies vulnerable targets in this phase. The goal of this
phase is to find computers that can be subverted. Internet Control Message Protocol
(ICMP) ping scans are used to map networks, and application port scans identify
operating systems and vulnerable software. Passwords can be obtained through social
engineering, a dictionary attack, a brute-force attack, or network sniffing.
Incorrect:
A – Phase 2
B – Phase 4
C – Phase 3
E – Phase 5
QUESTION 15:
What is considered the main administrative vulnerability of Cisco Catalyst
switches?
A. SNMP
B. Telnet
C. Poor passwords
D. Poor encryption
Answer: C
Explanation:
By default, a Cisco switch shows the passwords in plaintext for the following settings in
the configuration file: the "enable" password, the username password, the console line and
the virtual terminal lines.
Using the same password for both the enable secret and other settings on a switch allows
for potential compromise because the password for certain settings (for example, telnet)
may be in plaintext and can be collected on a network using a network analyzer.
Also, setting the same password for the "enable secret" passwords on multiple switches
provides a single point of failure because one compromised switch endangers other
switches.
QUESTION 16:
DRAG DROP
Click and drag the four steps to mitigating worm attacks in order from step 1 to
step 4.
Answer:
Explanation:
Worm attack mitigation requires diligence on the part of system and network
administration staff. Coordination between system administration, network engineering,
and security operations personnel is critical in responding effectively to a worm incident.
The following are the recommended steps for worm attack mitigation:
1. Containment: Contain the spread of the worm inside your network and within your
network. Compartmentalize parts of your network that have not been infected.
2. Inoculation: Start patching all systems and, if possible, scanning for vulnerable
systems.
3. Quarantine: Track down each infected machine inside your network. Disconnect,
remove, or block infected machines from the network.
4. Treatment: Clean and patch each infected system. Some worms may require complete
core system reinstallations to clean the system.
QUESTION 17:
Certkiller.com network administrators have just configured SSH on their target
router and have now discovered that an intruder has been using this router to
perform a variety of malicious attacks. What have they most likely forgotten to do
and which Cisco IOS commands do they need to use to fix this problem on their
target router?
A. forgot to reset the encryption keys using the crypto key zeroize rsa Cisco IOS global
configuration command
B. forgot to close port 23 and they need to issue the no transport input telnet Cisco IOS
global configuration command
C. forgot to disable vty inbound Telnet sessions and they need to issue the line vty 0 4
and the no transport input telnet Cisco IOS line configuration commands
D. forgot to restrict access to the Telnet service on port 23 using ACLs and they need to
issue the access-list 90 deny any log Cisco IOS global configuration command, and the
line vty 0 4 and access-class 90 in Cisco IOS line configuration commands
Answer: C
Explanation:
Telnet and rlogin are known as insecure commands because they transport data
packets in plaintext. Anyone who captures the packets can easily read them.
SSH (Secure Shell) is therefore the remote login tool to use, because it keeps
the communication secure.
Router(config)# line vty 0 4
Router(config-line)# transport input {telnet | ssh | all}
Telnet may still be enabled on the vty lines, so disable it using the no form of the command.
QUESTION 18:
To verify role-based CLI configurations, which Cisco IOS CLI commands do you
need to use to verify a view?
A. parser view view-name, then use the ? to verify the available commands
B. enable view view-name, then use the ? to verify the available commands
C. enable view, then use the parser view view-name to verify the available commands
D. show view view-name to verify the available commands
Answer: B
Explanation:
The Role-Based CLI Access feature allows the network administrator to define “views,”
which are a set of operational commands and configuration capabilities that provide
selective or partial access to Cisco IOS EXEC and configuration (Config) mode
commands. Views restrict user access to Cisco IOS command-line interface (CLI) and
configuration information; that is, a view can define what commands are accepted and
what configuration information is visible. Thus, network administrators can exercise
better control over access to Cisco networking devices.
SUMMARY STEPS
1. enable view
2. configure terminal
3. parser view view-name
4. secret 5 encrypted-password
5. commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
6. exit
7. exit
8. enable [privilege-level] [view view-name]
9. show parser view [all]
QUESTION 19:
What two tasks should be done before configuring SSH server operations on Cisco
routers? (Choose two.)
A. Upgrade routers to run a Cisco IOS Release 12.1(1)P image.
B. Upgrade routers to run a Cisco IOS Release 12.1(3)T image or later with the IPsec
feature set.
C. Ensure routers are configured for external ODBC authentication.
D. Ensure routers are configured for local authentication or AAA for username and
password authentication.
E. Upgrade routers to run a Cisco IOS Release 11.1(3)T image or later with the IPsec
feature set.
Answer: B,D
Explanation:
Secure Shell (SSH) is a protocol which provides a secure remote access connection to
network devices. Communication between the client and server is encrypted in both SSH
version 1 and SSH version 2. Implement SSH version 2 when possible because it uses a
stronger encryption algorithm.
SSH was introduced into these IOS platforms and images:
1. SSH Version 1.0 (SSH v1) server was introduced in some IOS platforms and images
starting in Cisco IOS Software Release 12.0.5.S.
2. SSH client was introduced in some IOS platforms and images starting in Cisco IOS
Software Release 12.1.3.T.
3. SSH terminal-line access (also known as reverse-Telnet) was introduced in some IOS
platforms and images starting in Cisco IOS Software Release 12.2.2.T.
4. SSH Version 2.0 (SSH v2) support was introduced in some IOS platforms and images
starting in Cisco IOS Software Release 12.1(19)E.
Example of SSH Configuration on Cisco Router
! Enable the AAA access-control model
aaa new-model
! Local account used for SSH login (type 0 = stored in plaintext)
username cisco password 0 cisco
! A domain name is required before the RSA key pair can be generated
ip domain-name rtp.cisco.com
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh
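Added example (not from the original Q&A or from Cisco documentation): a small Python audit that scans a saved IOS running-config for the weaknesses raised in Questions 15, 17 and 19, namely passwords stored in plaintext and vty lines that still accept Telnet after SSH has been configured. The sample configuration, rule names and function names are constructed for illustration.

```python
# Constructed sample running-config for this example (not from a real device).
SAMPLE_CONFIG = """\
hostname R1
enable password lab-enable
enable secret 5 $1$CONSTRUCTED$hashplaceholder
username admin password 0 lab-admin
username ops secret 5 $1$CONSTRUCTED$hashplaceholder
line con 0
 password lab-console
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
line vty 16 20
 login local
"""

def is_plaintext(args):
    """args: tokens after 'password'; an optional leading digit is the encoding type."""
    if len(args) >= 2 and args[0].isdigit():
        return args[0] == "0"          # type 0 = cleartext; other types are encoded
    return True                        # no type given: stored exactly as typed

def audit(config):
    """Return (rule, location) findings for a Cisco IOS running-config text."""
    findings, section, vty = [], None, {}
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if not raw.startswith(" "):                      # top-level command
            section = raw.strip() if tokens[0] == "line" else None
            if section and tokens[1:2] == ["vty"]:
                vty[section] = None                      # no transport input seen yet
            if tokens[:2] == ["enable", "password"] and is_plaintext(tokens[2:]):
                findings.append(("plaintext-password", "enable password"))
            elif tokens[0] == "username" and "password" in tokens[2:]:
                i = tokens.index("password", 2)
                if is_plaintext(tokens[i + 1:]):
                    findings.append(("plaintext-password", "username " + tokens[1]))
        elif section:                                    # sub-command of a line block
            if tokens[0] == "password" and is_plaintext(tokens[1:]):
                findings.append(("plaintext-password", section))
            elif tokens[:2] == ["transport", "input"] and section in vty:
                vty[section] = tokens[2:]
    for header, protos in vty.items():
        if protos is None:     # default differs between IOS releases: set it explicitly
            findings.append(("vty-transport-unset", header))
        elif {"telnet", "all"} & set(protos):
            findings.append(("vty-telnet-allowed", header))
    return findings

if __name__ == "__main__":
    for rule, where in audit(SAMPLE_CONFIG):
        print(f"{rule:22} {where}")
```

A vty block is reported as clean only when its transport input is set explicitly and lists neither telnet nor all, which is the state the answer to Question 17 aims for.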
QUESTION 20:
In the Cisco SDM Security Audit Wizard screen shown in the figure, which Fix it
action should be selected to prevent smurf denial of service attacks?
A. IP Mask Reply is enabled
B. IP Unreachables is enabled
C. IP Directed Broadcast is enabled
D. IP Redirects is enabled
E. IP Proxy ARP is enabled
F. Access class is not set on vty lines
Answer: C