“网络设备安全”自我水平测试评估

“网络设备安全”自我水平测试评估1.WhichoptionistrueabouttheHTTPserverontheCiscoIOSSoftware?TheHTTPserverisonbydefault.TheHTTPserverusesMD5forauthenticationbydefault.TheHTTPserversupportsport80and443bydefault.HTTPserverrequiresauthenticationtoprovideaccesstotherouter.关于运行CiscoIOS软件的HTTP服务器，哪一个选项正确？HTTP服务器在默认状态下被启用。HTTP服务器默认状态下使用MD5进行身份认证。HTTP服务器默认支持端口80和443。HTTP服务器要求身份认证以支持接入路由器。2.Whichtwoplaceswouldbethemostappropriateplacetoinstallyourzone-basedfirewall?(Choosetwo.)betweendatacentersubnetsbetweentheinternalnetworkandanexternalnetworksuchastheInternetbetweenintranetsitesbetweenremoteVPNusersandthecentralsiteVPNserver哪两个地方是最适合安装基于区域的防火墙的位置？（选择两项。）数据中心子网之间内部网络和外部网络（如互联网）之间内联网站点之间远程VPN用户和中央站点VPN服务器之间3.WhatcommandtellsyouthestateofyourconnectiontoyourIKESApeer?showcryptosashowsapeeripsecshowipsecpeersashowcryptoisakmpsashowcryptoipsecsa哪一命令能够显示出与IKESA对等体的连接状态？showcryptosashowsapeeripsecshowipsecpeersashowcryptoisakmpsashowcryptoipsecsa4.Whatisapotentialsecurityweaknessofthetraditionalstatefulfirewall?cannotsupportnon-TCPflowsretainsthestateoftheuserdatapacketanddynamicallyassignedportsinthestatetablecannottrackthestateofeachconnectionsetuptoensurethateachconnectionfollowsalegitimateTCPthree-wayhandshakecannotdetectapplication-layerattacks传统的状态防火墙存在哪些潜在的安全漏洞？不能支持非TCP数据流保留用户数据包状态和在状态表中动态分配端口不能跟踪每一个连接设置的状态，以确保每一个连接都遵循合法的TCP三次握手协议。不能检测到应用层攻击5.WhichoptionusesIPdirectedbroadcaststoattackarouter?smurfattackTCPSYNfloodattackbufferoverflowattackMACfloodattack哪一个选项使用了IP直接广播来攻击路由器？Smurf攻击TCPSYN泛洪攻击缓冲区溢出攻击MAC泛洪攻击6.Whatisthebestcommandforanadministratortousefortroubleshootingpacket-levelauthenticationissues?debugauthenticationdebugaaaauthenticationauthenticationdebugaaashowauthenticationshowaaaauthentication管理员在排除数据包一级身份认证问题时应采取的最有效命令是什么？debugauthenticationdebugaaaauthenticationdebugaaaauthenticationshowauthenticationshowaaaauthentication7.YourlogsrevealthatsomeonehasattemptedtogainaccesstoanASAastheadministrator.Whattypeofattackdoesthisindicate?Reconnaissanceunauthorizedaccessdenialofserviceman-in-the-middleSmurf您的日志显示曾有人试图以管理员的身份访问ASA。这一记录表明出现哪类攻击？侦察未经授权的访问拒绝服务中间人smurf8.Ifyouwereaskedtodefinethepurposeofafirewallwithinyournetwork,whichoptionwouldbeyourbestanswer?Firewallsaredevicesthatpreventaccesstoyournetwork.Firewallsaredevicesthatpermitaccesstoyournetwork.Firewallsaredevicesthatcontrolaccesstoyournetworkassets.Firewallsaredevicesthatenforceanetworkaccesscontrollist.如果要定义防火墙在网络中的用途，您会选择哪一选项？防火墙是用于防止接入您网络的设备。防火墙是用于允许接入您网络的设备。防火墙是用于控制接入您网络资产的设备。防火墙是用于执行网络接入控制列表的设备。9.Howdoesanapplication-layerfirewallwork?operatesatLayers3,4,and5,andkeepstrackoftheactualapplicationcommunicationprocessbyusinganapplicationtabledetermineswhethertheconnectionbetweentwoapplicationsisvalidaccordingtoconfigurablerulesdetermineswhethertheconnectionbetweentwoprotocolstacksisvalidaccordingtoconfigurablerulesexaminesthedatainallnetworkpacketsattheapplicationlayerandmaintainscompleteconnectionstateandsequencinginformation应用层防火墙如何工作？在第3、4和5层上工作，使用应用表记录实际应用通信过程根据配置规则判断两个应用间的连接是否有效根据配置规则判断两个协议堆栈间的连接是否有效在应用层上检查所有网络数据包中的数据，保持完整的连接状态和排序信息。10.WhatisthecommandtodisableCDPonaparticularinterface?nocdpneighbornocdprunningnocdpnocdpenable在特定接口上禁用CDP应使用哪一命令？nocdpneighbornocdprunningnocdpnocdpenable11.WhatisthecorrectcommandsyntaxforconfiguringtheIPsecSAlifetime?cryptoipsecsalifetimeipsecsatimecryptosatimeoutcryptoipsecsecurity-associationlifetime哪一个是配置IPsecSA使用寿命的正确命令语法？cryptoipsecsalifetimeipsecsatimecryptosatimeoutcryptoipsecsecurity-associationlifetime“网络设备安全”自我水平测试评估（1级）12.WhichoptionbestdescribesAAAauthorization?Authorizationcannotworkwithoutaccounting.Authorizationprovidesthemeansoftrackingandrecordinguseractivityonthenetwork.Authorizationisthewayauserisidentified.Authorizationdetermineswhichresourcestheuserispermittedtoaccessandwhatoperationtheuserispermittedtoperform.哪一个选项恰当地描述了AAA授权？授权不能在没有进行会计的情况下提供。授权提供了一种方式来跟踪和记录用户的网络活动。授权是用于识别用户的途径。授权用于确定用户能够访问哪些资源，以及用户可以执行哪些操作？13.Howdoyoutrackuseractivityonyournetworkaccessserver?YoucannottrackuseractivitiesonyourNAS.UseAAAauthorizationonly.UseAAAauthenticationonly.EnableaccesscontrolservicesontheNAS.ConfigureAAAaccounting.您如何跟踪网络接入服务器上的用户活动？您不能跟踪NAS上的用户活动。仅使用AAA授权。仅使用AAA身份认证。在NAS上启用接入控制服务。配置AAA会计。14.Whichoptionisthebestanswertosecureroutingupdatesfromroutingprotocols?EnableIPsourceguardontherouter.Enableportsecurityontherouter.Encrypttheupdatemessagesexchangedbetweenrouters.Enableneighborrouterauthentication.哪一选项能够保证对来自路由协议的更新进行路由？在路由器上启用IP源地址保护。在路由器上启用端口安全性。加密路由器间交换的更新消息。支持邻近路由器身份认证。15.Diffie-Hellmankeyexchangeisapublickeycryptographyprotocol.Group1consistsof-bitencryption.16810247681281536Diffie-Hellman密钥交换是一种公共密钥加密协议。Group1包含了多少位加密？1681024768128153616.Whatisthekeydifferencebetweenhost-basedintrusionpreventionandnetwork-basedintrusionprevention?Network-basedIPSisbettersuitedforinspectionofSSLandTLSencrypteddataflows.Network-basedIPSprovidesbetterprotectionagainstOSkernel-levelattacksagainsthostsandservers.Host-basedIPScanworkinpromiscuousmodeorinlinemode.Host-basedIPSismorescalablethennetwork-basedIPS,andhost-basedIPSdeploymentr