Network Security and Secure Device Configuration (CCST) Flashcards
Cisco CCST Cybersecurity 100-160 Flashcards

| Front | Back |
| --- | --- |
| Basic DDoS mitigation strategies | Rate limit, filter at edge, use scrubbing services, and deploy redundant resources |
| Best placement for ACLs | Place standard ACLs close to destination and extended ACLs close to source |
| Common DoS attack examples | SYN flood, ICMP flood, UDP flood, and application layer attacks |
| Difference between data, control, and management planes | Data plane forwards packets; control plane handles routing decisions; management plane handles device access |
| Difference between standard and extended ACLs | Standard ACLs filter by source IP only; extended ACLs filter by source, destination, and protocol |
| How to mitigate ARP spoofing | Enable DAI, use static ARP entries, and use port security where possible |
| How to mitigate SYN floods | Use SYN cookies, rate limiting, and stateful firewalls to protect servers |
| How to mitigate VLAN hopping | Disable auto trunking, use native VLAN protection, and apply explicit trunk pruning |
| Image integrity verification | Verify digital signatures and checksums before installing firmware or OS images |
| IPsec tunnel mode versus transport mode | Tunnel mode encapsulates entire packet for gateway to gateway; transport mode encrypts payload only |
| Key IPsec components | IKE negotiates keys; SA defines encrypted channel; ESP provides confidentiality and integrity |
| Logging best practices | Send logs to remote syslog servers, use timestamps, and maintain retention policies |
| Password and secret best practices | Use encrypted secrets, strong complexity, and store centrally with rotation policies |
| Risk of native VLAN on trunks | Native VLAN can allow VLAN tags to be stripped, leading to potential VLAN hopping, so avoid using default native VLAN |
| Secure boot and ROMMON protections | Configure passwords, restrict boot vars, and use secure boot features to prevent tampering |
| Secure device management methods | Use SSH, HTTPS, and SNMPv3, and disable insecure services like Telnet and SNMPv1/v2c |
| Site to site versus remote access VPN | Site to site connects networks; remote access connects individual clients |
| SNMPv3 advantages | Provides authentication and encryption unlike SNMPv1 and SNMPv2c which are insecure |
| Stateful versus stateless firewall | Stateful tracks connection state and allows return traffic; stateless does not track state |
| TACACS+ versus RADIUS | TACACS+ separates auth and authorization and uses TCP; RADIUS uses UDP and combines them |
| TLS versus SSL | TLS is modern secure protocol; SSL is deprecated due to security flaws |
| What are firewall zones | Group interfaces into zones and control traffic between zones based on policies |
| What does implicit deny mean | Final implicit deny drops traffic not explicitly permitted by ACLs |
| What does sticky MAC do | Learns MACs dynamically and saves them to running configuration for persistent binding |
| What is a DMZ | Isolated network segment for public facing services to reduce exposure of internal networks |
| What is a VLAN | Logical segmentation at layer 2 used to separate broadcast domains and enforce policies |
| What is a wildcard mask | Wildcard mask is inverse of netmask used in Cisco ACLs for flexible matches |
| What is AAA | Centralizes Authentication, Authorization, and Accounting for device and network access control |
| What is BCP38 | Best current practice to filter packets with spoofed source addresses at network edge |
| What is BPDU guard | Protects network by disabling ports that receive bridge protocol data units unexpectedly |
| What is Control Plane Policing (CoPP) | Applies rate limits to traffic destined to the router CPU to protect control plane resources |
| What is DHCP snooping | Tracks trusted DHCP servers and builds binding table to prevent rogue DHCP servers |
| What is Dynamic ARP Inspection | Uses DHCP snooping bindings to validate ARP packets and prevent ARP spoofing |
| What is management plane protection | Use ACLs, control plane policing, and dedicated management VRFs to protect device management |
| What is NAT (static, dynamic, and PAT) | Static NAT: one to one; dynamic NAT: many to many; PAT: many to one using ports |
| What is network segmentation | Separation of network into smaller isolated zones to limit lateral movement and contain breaches |
| What is root guard | Prevents a port from becoming the root bridge and preserves spanning tree topology |
| What is switch port security | Limits MAC addresses per port and can restrict or shut down ports on violations |
| What is Unicast RPF | Prevents IP spoofing by verifying source reachability using routing table reverse path checks |
| Why ACL order matters | ACLs are evaluated top to bottom; first match applies, so order matters |
| Why disable unused services | Turn off HTTP, finger, LDAP, and other unused services to reduce attack surface |
| Why enable ACL logging | Log matches for auditing, troubleshooting, and detecting suspicious activity |
About the Flashcards
This study deck offers a thorough review of fundamental network security principles. These flashcards for the Cisco CCST Cybersecurity exam are designed to help you master key terminology and concepts. The content focuses on securing network infrastructure, covering topics from access control lists and network segmentation to device hardening and VPN technologies. Use these cards to reinforce your knowledge of the policies and configurations that create a resilient and secure network.
You will also review specific security mechanisms and threat mitigation strategies. The cards cover Layer 2 security features like port security and DHCP snooping, plus best practices for secure device administration. The questions also review the fundamentals of firewalls, NAT, and the AAA framework, ensuring you are prepared to address a wide range of security challenges on the exam.
Topics covered in this flashcard deck:
- Network Segmentation and ACLs
- VPN and Encryption Technologies
- Layer 2 Security Controls
- Threat Mitigation Strategies
- Secure Device Management and AAA
- Firewall and NAT Concepts