Thursday, 1 September 2016

Pass4sure 200-120 Question Answer

A receiving host computes the checksum on a frame and determines that the frame is damaged. The frame is then discarded. At which OSI layer did this happen? 

A. session
B. transport
C. network
D. data link
E. physical

Answer: D

Which of the following correctly describe steps in the OSI data encapsulation process? (Choose two.)

A. The transport layer divides a data stream into segments and may add reliability and flow control information.
B. The data link layer adds physical source and destination addresses and an FCS to the segment.
C. Packets are created when the network layer encapsulates a frame with source and destination host addresses and protocol-related control information.
D. Packets are created when the network layer adds Layer 3 addresses and control information to a segment.
E. The presentation layer translates bits into voltages for transmission across the physical link.

Answer: A, D

Monday, 11 July 2016

Cisco Unveils Three DNA Network Security Technologies

Cisco has announced three new security applications that will form part of its Digital Network Architecture for embedding security software solutions within network infrastructure.

Cisco has announced three new technologies for its Digital Network Architecture (DNA) solution to enable network engineers, application developers, channel partners, and IT customers to embed improved and simplified security within their network infrastructure layer: Umbrella Branch, Stealthwatch Learning Network License, and Meraki MX Security Appliances with Advanced Malware Protection (AMP) and Threat Grid.

All three are designed to address security threats arising from mobility and cloud adoption, according to the networking giant.

The first technology, Cisco's Umbrella Branch cloud-delivered security software, provides businesses with increased control over guest Wi-Fi usage via content filtering. It can be activated on the Cisco Integrated Services Routers (ISR) 4000 Series, and works to filter and block malware, command and control (C2) callbacks, and phishing threats before they reach the network.

The company's second new DNA security technology, the distributed machine-learning Cisco Stealthwatch Learning Network, was acquired as part of Cisco's $452 million Lancope purchase.

It utilises what Cisco labels "adaptive security anomaly detection" to allow the ISR 4000 Series to analyse traffic on the network device itself, identify malicious traffic and data, and so provide protection against threats.

"Stealthwatch Learning Networks -- this is the ability to simply upgrade software through branch infrastructure," David Goeckeler, senior vice president and general manager of Cisco's Networking and Security Business, said during the keynote speech by CEO Chuck Robbins at Cisco Live Las Vegas on Monday morning.

"All of your branch routers then work with each other to understand where anomalies are in the network, and search things that shouldn't be there."

Lastly, Cisco Meraki MX Security Appliances with AMP and Threat Grid form an enterprise unified threat-management (UTM) system that enables network administrators to locate, manage, and remediate security threats by combining Meraki cloud management with Cisco's threat-protection software. The solution works through an automated cloud-based system for checking files against cloud databases to locate and block malicious content.

"Organisations need to address the expanding threat landscape across mobility and cloud, while facing increasingly sophisticated security attacks," Jeff Reed, senior vice president of Networking Infrastructure and Solutions at Cisco, said.

"With DNA, Cisco is reinventing how we secure networks for the digital era by embedding advanced security capabilities into a single network architecture. But technology alone isn't enough; we are also preparing IT professionals with new skills, training network-savvy developers, and helping customers navigate the journey to digital-ready networks."

In addition to these three Cisco security services, Nectar Services also announced a quality-of-service (QoS) application for DNA.

The network monitoring, management, and diagnostic software provider optimises voice, video, and collaboration across Cisco Unified Communications Manager and Microsoft Skype for Business, which both run on Cisco-based networks.

"One of the fundamental challenges we consistently see in UC [unified communications] environments is the inconsistent deployment of QoS across the enterprise network that can negatively impact the end-user experience," said Nectar CTO Joseph Fuccillo.

"Nectar Evolution brings simplicity, automation, and repeatability that can ensure consistent end-to-end QoS in Cisco and Microsoft UC environments."

Nectar said it provides UC device agnostic configuration, reduced the total cost of ownership, and improves the overall UC and end-user experience by using its policy engine with a pre-determined QoS policy deployed by DNA.

DNA, first unveiled in March, allows engineers, developers, partners, and customers to build and manage what Cisco calls "digital-ready networks".

Cisco said the DNA announcement is the "most significant change" to its enterprise networking model ever, and flagged its intentions to build out a portfolio of security applications for the network-management solution.

Part of the Cisco One suite, DNA was designed to complement its Application Centric Infrastructure (ACI) for datacentre and connected clouds management. Along with the original announcement, Cisco outlined a new APIC-EM Automation Platform; the Cisco Plug and Play cloud automation service; intelligent WAN; network settings management labelled Easy Quality of Service; an upgraded version of its network operating system, named Cisco IOS XE, including network function virtualisation (NFV) for carriers to offer services; and analytics-as-a-service product CMX Cloud.

During his keynote, Robbins called security critical to Cisco's overarching strategy; the company also announced three other security products on Monday: Cisco Umbrella Roaming, Defense Orchestrator, and Security for Digital Transformation.

Wednesday, 8 June 2016

Pass4sure 200-120 Question Answer

A network interface port has collision detection and carrier sensing enabled on a shared twisted pair network. From this statement, what is known about the network interface port? 

A. This is a 10 Mb/s switch port.
B. This is a 100 Mb/s switch port.
C. This is an Ethernet port operating at half duplex.
D. This is an Ethernet port operating at full duplex.
E. This is a port on a network interface card in a PC.

Answer: C

Monday, 9 May 2016

Pass4sure 200-120 Question Answer

Refer to the exhibit.

After HostA pings HostB, which entry will be in the ARP cache of HostA to support this transmission?

Answer options A to F are exhibits (images not reproduced here).

Answer: A

Tuesday, 5 April 2016

Considerations For Patching The Cisco ASA Vulnerability

A critical vulnerability in the Internet Key Exchange (IKE) code used in Cisco Adaptive Security Appliances (ASA), CVE-2016-1287, that could allow an unauthenticated remote attacker to execute code was disclosed earlier this year. There are no workarounds for this vulnerability, but Cisco has released fixed software. Here are a few points to consider when applying this important patch.

About the Cisco ASA Vulnerability

The Cisco ASA IKE buffer overflow is a critical vulnerability that requires a proactive response. Since this vulnerability affects network perimeter defense mechanisms and could allow an intruder to execute arbitrary code and obtain full control of an affected system, I urge professionals to take a close look at possible Cisco ASA remediation actions.

In general, most people think of installing the vendor's patch as the first resort. While this is advisable, it is not always feasible. Sometimes the patch is not yet available; it can take a vendor days or weeks to issue one. Even when the patch is available, some systems might not be able to accommodate it due to limited resources (e.g., memory, processing, or flash space) or other constraints. For example, some Cisco ASA appliances require memory upgrades before the fixed software can be installed.

In instances where a patch is not available or cannot be installed, there are other approaches to remediation, such as compensating controls in front of the device (virtual patching) or configuration changes on the device itself, that organizations may consider.

Let’s take a look at the most common mitigation approaches, starting with the vendor patch.

Installing the Vendor Patch

When possible, a vendor’s patch should be installed on the affected systems to mitigate the vulnerability. But this requires some due diligence before applying the patch; carefully review the requirements and prerequisites for successful patching below.

  • Patch Analysis: Have you reviewed the requirements and prerequisites for the patch? (For example, does the device have enough memory to support the fixed software release?)
  • Change Management: Do you have a change record? Review and save the current firewall configuration before installing patches, so that you know what was running and can restore it.
  • Patch Testing: Have you tested the patch before deploying it to production firewalls? In a testing environment, perform the following activities:
      Use a vulnerability scanner such as Nessus (Plugin ID 88713) to identify whether the system is vulnerable.
      Validate that the patch was installed properly by confirming the running image (show version) and checking the device logs for the upgrade.
      Use a testing kit such as Core Impact to confirm that the patch effectively mitigated the vulnerability.
  • Disaster Recovery and Business Continuity: What if the device fails during the patch installation? Is there a firewall configuration backup in case a rollback is required? Are the ASAs deployed in a high-availability design to keep the network and business running during the patching?

Deployment Time Frame

If you are patching many ASA firewalls, it might take some time. If you are unable to patch all your firewalls at once, or if a vendor patch is not yet available, consider one of the below options to help protect your network while the process is completed.

Even before a vendor's patch is available, many intrusion prevention system (IPS) vendors update their IPS signatures to detect and block exploits for newly disclosed or zero-day vulnerabilities. IBM has used this mechanism for more than a decade; it is known as virtual patch technology.

Virtual patching can provide an additional layer of protection in front of affected Cisco ASA firewalls and help ensure exploits targeting firewalls are detected and blocked before impact. Many vendors released IPS definitions for the ASA IKE vulnerability:

  • IBM X-Force has published XPU 36.021 for the Cisco ASA Software IKEv1 and IKEv2 buffer overflow vulnerability. The signature is: ISAKMP_CiscoASA_Fragmentation_Overflow.
  • Cisco has an IPS signature 7169-0 and Snort ID: 36903 for this vulnerability.

Configuration Settings Modifications

When a vendor's patch is not available, configuration changes can be useful and effective if used properly. For example, disabling the affected service (here, IKE) means losing the virtual private network (VPN) capability of this firewall, but in return you have removed the exposed attack surface and reduced the likelihood of someone exploiting the vulnerability.

Disabling IKEv1 and IKEv2 limits the exposure until the patch is deployed. On ASA 8.4 and later, IKE is enabled per interface, so disable it on each Internet-facing interface (here named "outside"):
  •     no crypto ikev1 enable outside
  •     no crypto ikev2 enable outside
If the VPN service is mandatory, restrict IKE instead: apply an access control list on the Internet-facing interfaces that permits UDP 500 (ISAKMP) and UDP 4500 (NAT-T) only from the selected trusted VPN peers and denies them from everyone else. Note that on the ASA an ordinary interface ACL does not filter traffic addressed to the appliance itself; the list has to be applied as a to-the-box ACL, using the control-plane keyword on the access-group command. This ensures that incoming IKE transactions are accepted only from trusted sources. It is a compensating control, not a fix: UDP source addresses can be spoofed and a trusted peer can itself be compromised, so the patch still needs to be applied.
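As an added example (not code from this article or from Cisco), the following Python script audits a saved ASA running-config for the exposure the two options above deal with: for each untrusted interface it reports whether IKE is enabled without a to-the-box ACL that limits UDP 500/4500 to named peers. The configs embedded in it are constructed; the peer address 198.51.100.7, the interface address 203.0.113.1, and the ACL name IKE-PEERS are assumptions, while the crypto ikev1/ikev2 enable, access-list extended, and access-group ... control-plane syntax is the ASA's own. The script does not talk to a device: export the configuration with show running-config and feed it the text.

```python
"""Audit a saved ASA running-config for the IKE exposure discussed above.

Added example, not code from the article or from Cisco. It reads a
running-config (as text) and, for each untrusted interface, reports whether
IKEv1/IKEv2 is enabled there without a control-plane ACL that restricts
UDP 500/4500 to named peers. The sample configs below are constructed; the
198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges.
"""
import re
from typing import Dict, List, Set

# Port tokens the ASA uses for IKE in ACL entries: port 500 is shown as "isakmp".
IKE_PORTS = {"500", "isakmp", "4500"}

# Matches both the 8.4+ form ("crypto ikev1 enable outside") and the
# pre-8.4 form ("crypto isakmp enable outside").
_IKE_ENABLE = re.compile(r"^\s*crypto (ikev1|ikev2|isakmp) enable (\S+)", re.M)
_ACL_ENTRY = re.compile(r"^\s*access-list (\S+) extended (.+)$", re.M)
_CP_GROUP = re.compile(r"^\s*access-group (\S+) in interface (\S+) control-plane", re.M)


def ike_enabled(config: str) -> Dict[str, Set[str]]:
    """interface -> set of IKE versions enabled on it."""
    enabled: Dict[str, Set[str]] = {}
    for version, iface in _IKE_ENABLE.findall(config):
        enabled.setdefault(iface, set()).add(version)
    return enabled


def parse_acls(config: str) -> Dict[str, List[str]]:
    """ACL name -> ordered list of extended entries (without the prefix)."""
    acls: Dict[str, List[str]] = {}
    for name, entry in _ACL_ENTRY.findall(config):
        acls.setdefault(name, []).append(entry.strip())
    return acls


def control_plane_acls(config: str) -> Dict[str, str]:
    """interface -> name of the to-the-box ACL applied with 'control-plane'."""
    return {iface: name for name, iface in _CP_GROUP.findall(config)}


def acl_restricts_ike(entries: List[str]) -> bool:
    """True when every UDP 500/4500 permit names a specific source and an
    explicit deny from 'any' for those ports is present, so the verdict does
    not depend on the implicit-deny behaviour of control-plane ACLs."""
    permit_from_peer = deny_from_any = False
    for entry in entries:
        toks = entry.split()
        if len(toks) < 3 or toks[1] != "udp" or not IKE_PORTS & set(toks):
            continue  # not an entry about IKE over UDP
        source = toks[2]  # 'any', 'host', or a network address
        if toks[0] == "permit":
            if source == "any":
                return False  # IKE reachable from the whole Internet
            permit_from_peer = True
        elif toks[0] == "deny" and source == "any":
            deny_from_any = True
    return permit_from_peer and deny_from_any


def audit_ike_exposure(config: str, untrusted=("outside",)) -> List[str]:
    """Return one finding per untrusted interface that still exposes IKE."""
    findings = []
    enabled, cp_acls, acls = ike_enabled(config), control_plane_acls(config), parse_acls(config)
    for iface in untrusted:
        versions = enabled.get(iface)
        if not versions:
            continue  # IKE disabled here: nothing listens on UDP 500/4500
        acl = cp_acls.get(iface)
        if acl is None:
            findings.append(f"{iface}: {'/'.join(sorted(versions))} enabled with no control-plane ACL")
        elif not acl_restricts_ike(acls.get(acl, [])):
            findings.append(f"{iface}: control-plane ACL {acl} does not restrict UDP 500/4500 to named peers")
    return findings


# Constructed sample: IKE enabled on the outside interface, no restriction.
EXPOSED_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
crypto ikev1 enable outside
crypto ikev2 enable outside
"""

# Constructed sample: same, plus a to-the-box ACL allowing IKE from one peer only.
RESTRICTED_CONFIG = EXPOSED_CONFIG + """\
access-list IKE-PEERS extended permit udp host 198.51.100.7 host 203.0.113.1 eq isakmp
access-list IKE-PEERS extended permit udp host 198.51.100.7 host 203.0.113.1 eq 4500
access-list IKE-PEERS extended deny udp any host 203.0.113.1 eq isakmp
access-list IKE-PEERS extended deny udp any host 203.0.113.1 eq 4500
access-group IKE-PEERS in interface outside control-plane
"""

# Constructed sample: the "no crypto ikev1/ikev2 enable outside" option applied.
DISABLED_CONFIG = "\n".join(l for l in EXPOSED_CONFIG.splitlines() if "crypto" not in l) + "\n"

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("restricted", RESTRICTED_CONFIG), ("disabled", DISABLED_CONFIG)):
        print(label, audit_ike_exposure(cfg) or ["no IKE exposure on untrusted interfaces"])
```

Before applying a control-plane ACL like the one in RESTRICTED_CONFIG, check the to-the-box ACL section of the configuration guide for your ASA release: depending on the release, other traffic addressed to the appliance (management access, for instance) may need explicit permit entries. The example's explicit deny lines for UDP 500/4500 mean its effect on IKE does not depend on that detail.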

Pass4sure 200-120 Question Answer

A network administrator is verifying the configuration of a newly installed host by establishing an FTP connection to a remote server. What is the highest layer of the protocol stack that the network administrator is using for this operation? 

A. application
B. presentation
C. session
D. transport
E. internet
F. data link

Answer: A

Monday, 21 March 2016

Cisco Invests $500m in Making Berlin A Smart City

Cisco is working with Berlin's government officials to push forward plans in making the city smarter.

The San Jose, California-based IT firm announced plans last week to work with Berlin's Senate Department of Economics, Technology and Research in digitizing the lives of Berlin's residents.

In a statement, the company said telemedicine -- remote communication and the diagnosis of patients across digital platforms -- security and network infrastructure improvements are the main areas of focus.

Cornelia Yzer, Senator for Economics, Technology, and Research in Berlin, and Anil Menon, the Global President of Smart+Connected Communities, joined with Cisco to sign a Memorandum of Understanding, leading to the investment as part of Cisco's $500 million "Deutschland Digital" initiative.

The "Deutschland Digital" program, announced in March this year, is Cisco's answer to accelerating the country's digitization.

Oliver Tuszik, the general manager of Cisco's German branch, said that digitization benefits countries, cities, and companies by "creating competitiveness, improving public services and better quality of life." As a result, Cisco "would like to make our contribution to this transformation, in addition to our ongoing investments."

Through the smart city investment, Cisco hopes to improve telemedicine by establishing a health platform which will allow healthcare professionals, hospitals and emergency services to exchange data -- once permission is granted by patients -- for applications potentially including medical research.

The IT firm and government officials say this platform could also "help provide more efficient medical care for refugees in the city."

Cisco plans to build a similar platform for the use of public safety and emergency services such as the police, fire brigades and hospitals to use to improve the security of Berlin's residents. The Security Operations Center (SOC) is aimed at improving response times in emergency scenarios and severe weather -- and by integrating weather, traffic and environmental data, Cisco hopes core service staff will have the information they need in emergencies to handle them more effectively.

Finally, the tech giant wants to bring the vast range of companies and organizations already turning towards digital solutions together through a "horizontal networking infrastructure" that will be open to all. Based on open international standards, the network will also include security and analytics capabilities.

"We are proud to support Berlin in taking this important step. Digitization is a great opportunity for the city to benefit even more from its attractiveness. By signing this Memorandum of Understanding, we want to contribute to improving the quality of life for all citizens and give the Berlin economy an additional boost," Tuszik commented.