The answers to these questions appear in Appendix A, “Answers to the ‘Do I Know This Already’ Quizzes and Q&A.” For more practice with exam format questions, use the exam engine on the website.
Using NetFlow along with identity management systems, an administrator can detect which of the following? (Select all that apply.)
Who initiated the data transfer
The hosts (IP addresses) involved
Who configured NetFlow
Which RADIUS server has an active NetFlow connection
Network forensics can be an intimidating topic for many security professionals. Everyone knows that forensic investigation may entail many other sources of information, including end hosts, servers, and any affected systems. Each forensics team needs to have awareness of many different areas, such as which of the following? (Select all that apply.)
Assets, risks, impacts, and the likelihood of events
Incident response policies and procedures in mock events as well as NetFlow to analyze what is happening in the network
The current budget
Evidence handling and chain of custody (even NetFlow events can be used as evidence)
What are some telemetry sources that are good for attribution? (Select all that apply.)
DHCP server logs
VPN server logs
802.1x authentication logs
IP route table
What are some of the necessary steps in order to configure Flexible NetFlow in a Cisco IOS or Cisco IOS-XE device? (Select all that apply.)
Configure a flow record.
Configure a flow monitor.
Configure a neighbor.
Apply a crypto map to an interface.
It is extremely important that your syslog and other messages are timestamped with the correct date and time. The use of which of the following protocols is strongly recommended?
Which of the following is not an example of a Flexible NetFlow component?
Which of the following is not a component of the 5-tuple of a flow in NetFlow?
Source IP address
Destination IP address
Which of the following is not true about the NetFlow immediate cache?
It is the default cache used in many NetFlow implementations.
The flow accounts for a single packet.
It is desirable for real-time traffic monitoring and DDoS detection.
It is used when only very small flows are expected (NetFlow sampling).
Flexible NetFlow can track a wide range of Layer 2, IPv4, and IPv6 flow information, except which of the following?
Source and destination MAC addresses
Encryption security association serial numbers
Which of the following statements is true about Flexible NetFlow?
It is supported in IPv6 and IPv4, but only when IPv6 tunnels are used.
It supports IPv4, but not IPv6.
It supports encryption of NetFlow data to a collector.
It uses the concept of templates.