Pass4sure 642-502 SNRS 2.93

Securing Networks with Cisco Routers and Switches Exam
Retired June 20, 2007
Exam Number: 642-502
Associated Certifications: CCSP
Duration: 90 minutes (60-70 questions)
Available Languages: English
Exam Description
The Securing Networks with Cisco Routers and Switches exam is one of the exams associated with the Cisco Certified Security Professional certification. Candidates can prepare for this exam by taking the SNRS v1.0 course. This exam includes simulations and tests a candidate’s knowledge and ability to secure networks using Cisco routers and switches.
Exam Topics
The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.
Implement Layer 2 security
- Utilize Cisco IOS and Cat OS commands to mitigate Layer 2 attacks
- Implement Cisco Identity-Based Networking Services
- Implement Cisco 802.1X Port-Based Authentication
- Identify and describe Layer 2 security best practices
Configure Cisco IOS Firewall features to meet security requirements
- Identify and describe the capabilities of the IOS firewall feature set
- Configure CBAC to dynamically mitigate identified threats to the network
- Verify and troubleshoot CBAC configuration and operation
- Configure authentication proxy to apply security policies on a per-user basis
- Verify and troubleshoot authentication proxy configuration and operation
Configure Cisco IOS-based IPS to identify and mitigate threats to network resources
- Identify and describe the capabilities of the IOS-IPS feature set
- Configure the IPS features to identify threats and dynamically block them from entering the network
- Verify and troubleshoot IDS operation
- Maintain and update the signatures
Configure basic IPSec VPNs to secure site-to-site and remote access to network resources
- Select the correct IPSec implementation based on specific stated requirements
- Configure IPSec Encryption for site-to-site VPN using pre-shared keys
- Configure IPSec Encryption for site-to-site VPN using certificate authority
- Verify and troubleshoot IPSec operation
- Configure EZ-VPN server
- Configure EZ-VPN remote using both hardware and software clients
- Troubleshoot EZ-VPN
Configure authentication, authorization and accounting to provide basic secure access control for networks
- Configure administrative access to the Cisco Secure ACS server
- Configure AAA clients on the Cisco Secure ACS (for routers)
- Configure users, groups and access rights
- Configure router to enable AAA to use TACACS+
- Configure router to enable AAA to use a Radius server
- Verify and troubleshoot AAA operation
Use management applications to configure and monitor IOS security features
- Initialize SDM communications on Cisco routers
- Perform a LAN interface configuration of a Cisco router using SDM
- Use SDM to define and establish a site-to-site VPN
Question: 1
A new Company switch has been installed and you wish to secure it. Which Cisco Catalyst IOS
command can be used to mitigate a CAM table overflow attack?
A. switch(config-if)# port-security maximum 1
B. switch(config)# switchport port-security
C. switch(config-if)# port-security
D. switch(config-if)# switchport port-security maximum 1
E. switch(config-if)# switchport access
F. switch(config-if)# access maximum 1
Answer: D
Explanation:
Enabling and Configuring Port Security:
Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:
To ensure that only a single station’s MAC address is allowed on a given port, set the value of the “switchport port-security maximum” command to 1. This will safeguard against CAM overflow attacks.
Reference:
http://www.cisco.com/en/US/products/hw/switches/ps5206/products_configuration_guide_chapter09186a00801
Question: 2 SIMULATION
The following diagram displays a portion of the Company network:
TK
Exam Name: Securing Networks with Cisco Routers and Switches
Exam Type: Cisco
Exam Code: 642-502
Total Questions: 143
You work for the Company, which has a server connected to their infrastructure through a switch named Houston. Although Company uses VLANs for security, an attacker is trying to overflow the CAM table by sending out spoofed MAC addresses through a port on the same switch as the server. Your task is to configure the switch to protect the switch from a CAM table overflow attack. For purposes of this test, we will assume that the attacker is plugged into port Fa0/12. The topology is pictured in the exhibit. The enable password for the switch is Company. The following passwords have been assigned to the Houston switch:
Console passwords: california
VTY lines 0-4 password: city
Enable passwords: Company
Start the simulation by clicking on the host.
Answer:
Switch1(config)# interface fastethernet0/12
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport port-security
Switch1(config-if)# switchport port-security maximum 1
Switch1(config-if)# end
Explanation:
Enabling and Configuring Port Security:
Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:
To ensure that only a single station’s MAC address is allowed on a given port, set the value of the “switchport port-security maximum” command to 1. This will safeguard against CAM overflow attacks.
Reference:
http://www.cisco.com/en/US/products/hw/switches/ps5206/products_configuration_guide_chapter09186a00801
Question: 3
You want to increase the security of a newly installed switch. Which Cisco Catalyst IOS command
is used to mitigate a MAC spoofing attack?
A. switch(config-if)# port-security mac-address 0000.ffff.aaaa
B. switch(config)# switchport port-security mac-address 0000.ffff.aaaa
C. switch(config-if)# switchport port-security mac-address 0000.ffff.aaaa
D. switch(config)# port-security mac-address 0000.ffff.aaaa
E. switch(config-if)# mac-address 0000.ffff.aaaa
F. switch(config)# security mac-address 0000.ffff.aaaa
Answer: C
Explanation:
You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.
If a workstation with a secure MAC address that is configured or learned on one secure port attempts to access another secure port, a violation is flagged. After you have set the maximum number of secure MAC addresses on a port, the secure addresses are included in an address table in one of these ways:
- You can configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command.
- You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.
- You can configure a number of addresses and allow the rest to be dynamically configured.
Reference:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00800d
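A way to check the port security settings from Questions 1 to 3 across a saved configuration. This is an added example, not part of the original exam material; the function name, the sample configuration and the interface names are constructed for illustration.

```python
import re

# Constructed sample of a running-config; interface names and values are illustrative.
SAMPLE_CONFIG = """\
interface FastEthernet0/11
 switchport mode access
 switchport port-security maximum 1
!
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
!
interface FastEthernet0/13
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

def audit_port_security(config, limit=1):
    """Return {interface: [findings]} for access ports that are not locked down."""
    findings = {}
    # Split into interface stanzas: header line plus the indented lines below it.
    for name, body in re.findall(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        cmds = [c.strip() for c in body.splitlines()]
        if "switchport mode access" not in cmds:
            continue  # only access ports are in scope for this check
        issues = []
        if "switchport port-security" not in cmds:
            # Without the bare enable command the maximum/mac-address lines are inert.
            issues.append("port security not enabled")
        maxes = [int(c.split()[-1]) for c in cmds
                 if re.fullmatch(r"switchport port-security maximum \d+", c)]
        # A missing 'maximum' line is accepted: 1 is the default value.
        if maxes and maxes[0] > limit:
            issues.append(f"maximum {maxes[0]} exceeds {limit}")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit_port_security(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(issues))
```

FastEthernet0/11 is reported because the maximum is set but port security itself was never enabled on the interface, which is why the simulation answer in Question 2 issues both commands.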
Question: 4
The security administrator for Company Inc. is working on defending the network against SYN
flooding attacks. Which of the following are tools to protect the network from TCP SYN attacks?
A. Route authentication
B. Encryption
C. ACLs
D. TCP intercept
E. None of the above.
Answer: D
Explanation:
The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack. A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a web site, accessing e-mail, using FTP service, and so on.
The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts will never reach the server. The software continues to intercept and forward packets throughout the duration of the connection. The number of SYNs per second and the number of concurrent connections proxied depend on the platform, memory, processor, and other factors.
Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800c
The exec-timeout command prevents unauthorized users from misusing abandoned sessions (for instance, if the network administrator went on vacation and left an enabled login session active on his desktop system). There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Check your local policies and operational needs to determine the best value. In most cases, this should be no more than 10 minutes. To configure the timeout values, perform the following steps:
router(config)# line INSTANCE
router(config-line)# exec-timeout $(EXEC_TIMEOUT)
router(config-line)# exit
Reference: http://www.cisco.com/warp/public/793/access_dial/comm_server.html
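A way to check line stanzas against the 10-minute guidance above. This is an added example, not part of the original material; the function name and the sample configuration are constructed, and the check assumes the standard exec-timeout minutes [seconds] syntax.

```python
import re

# Constructed sample; line ranges and timeout values are illustrative.
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 5 0
line aux 0
 no exec-timeout
line vty 0 4
 exec-timeout 30
 login
line vty 5 15
 login
"""

DEFAULT_SECONDS = 600  # IOS applies 10 minutes when no exec-timeout is configured

def audit_exec_timeout(config, max_seconds=600):
    """Return {line name: finding} for lines with no idle timeout or one above policy."""
    timeouts, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            timeouts[current] = DEFAULT_SECONDS
        elif current and raw.startswith((" ", "\t")):
            cmd = raw.strip()
            m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd)
            if m:  # syntax: exec-timeout minutes [seconds]
                timeouts[current] = int(m.group(1)) * 60 + int(m.group(2) or 0)
            elif cmd == "no exec-timeout":
                timeouts[current] = 0  # same effect as 'exec-timeout 0 0'
        else:
            current = None  # left the line stanza
    findings = {}
    for name, secs in timeouts.items():
        if secs == 0:
            findings[name] = "idle timeout disabled"
        elif secs > max_seconds:
            findings[name] = f"{secs}s exceeds {max_seconds}s"
    return findings

if __name__ == "__main__":
    for line, finding in audit_exec_timeout(SAMPLE_CONFIG).items():
        print(f"line {line}: {finding}")
```

A value of 0 0 (or the no form) turns the idle timeout off entirely, so it is reported separately from timeouts that are merely too long.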
Question: 5