Security Devices and Architectures (CCNACBR) Flashcards
Cisco CCNA Cybersecurity 200-201 CCNACBR Flashcards

| Front | Back |
| --- | --- |
| 802.1X components | Supplicant, authenticator, and authentication server are required for port-based network access control |
| Active/active firewall HA | Both firewalls process traffic; this often requires session synchronization and load balancing |
| Active/passive firewall HA | The passive unit stands by while the active unit handles traffic; sessions fail over on a fault |
| Application layer gateway definition | A device that understands and translates specific application protocols in order to apply security controls |
| Benefits of segmentation for compliance and security | Reduces the scope of breaches and helps meet regulatory separation requirements |
| Best firewall placement for defense in depth | Perimeter edge, internal segmentation points, and host-level controls for layered protection |
| Best placement for IDS using a SPAN port | Use SPAN on a core or aggregation switch to mirror traffic to the IDS sensor |
| Best placement for IPS inline | Place the IPS inline at choke points such as the internet edge or between trust zones |
| Best practices for router hardening | Disable unused services, use ACLs, limit management access, and apply patching and strong credentials |
| Certificate-based device authentication benefit | Provides strong, non-repudiable identity and enables secure automated mutual TLS connections |
| Default deny principle | Explicitly deny all, then allow only required traffic to minimize exposure |
| Difference between remote access VPN and site-to-site VPN | Remote access VPNs connect users; site-to-site VPNs connect networks |
| Difference between stateful firewall and stateless firewall | Stateful tracks connection state and enforces context; stateless filters each packet independently |
| False positive versus false negative | A false positive is benign activity flagged as malicious; a false negative is malicious activity that is missed |
| Firewall deployment mode: routed versus transparent | Routed mode acts as an L3 hop; transparent mode bridges at L2 without IP routing |
| Function of Network Access Control (NAC) | Enforces pre-admission checks, posture assessment, and remediation for endpoints |
| Host-based IDS versus network-based IDS | A host IDS monitors a single host, while a network IDS monitors traffic on a network segment |
| How does NAT affect firewall rules? | NAT may change packet addresses, so rules must match post-NAT addresses or use NAT-aware policies |
| How to mitigate ARP spoofing on switches | Enable DHCP snooping and DAI, and use static IP-to-MAC bindings where possible |
| IDS versus IPS | An IDS is passive and alerts; an IPS is inline and blocks traffic |
| IPS inline risk factors | An inline IPS can introduce latency and may block legitimate traffic, causing availability issues |
| Logging and SIEM integration best practices | Centralize logs, then normalize and correlate events for detection and compliance |
| Management plane separation benefit | Use out-of-band management to protect device management from data plane compromise |
| Microsegmentation technologies compared | VLANs provide coarse separation, host firewalls enable granular control, and software overlays add flexibility |
| Mitigating asymmetric NAT with IDS and IPS | Use network taps or route return traffic through the same inspection path, and enable NAT-aware sensors |
| Order of ACL evaluation on many devices | ACLs are processed top-down with the first match applied and an implicit deny at the end |
| Out-of-band management purpose | A separate management network limits exposure of the device control plane to the production network |
| Packet filtering firewall versus application firewall | A packet filter inspects headers, while an application firewall inspects application layer data and protocol semantics |
| Port mirroring limitations on high throughput | SPAN can drop packets and lacks precise timing compared to hardware TAPs |
| Primary features of a Next Generation Firewall | Application awareness, SSL inspection, intrusion prevention, and user identification |
| Proxy firewall behaviour | Acts as an intermediary: terminates client connections and inspects application layer data |
| Purpose of a DMZ | Isolate public-facing services from internal networks to reduce exposure of internal hosts |
| Purpose of a VPN concentrator | Terminate many VPN tunnels centrally and manage encryption and authentication for remote sites |
| Purpose of port security on switches | Restrict MAC addresses per port to prevent unauthorized devices from connecting |
| Rate limiting and traffic shaping use cases | Protect critical links, mitigate floods, and ensure fair bandwidth distribution |
| Role of access control lists (ACLs) on routers | Enforce traffic filtering at network edges or interfaces for simple stateless control |
| Role of the state table in stateful inspection | Tracks TCP, UDP, and ICMP sessions to allow return traffic without extra rules |
| Screened subnet architecture | Uses a DMZ with a bastion host and external and internal firewalls for layered protection |
| Segmenting IoT best practices | Place IoT on separate VLANs, apply strict ACLs, and limit internet access to necessary services |
| Signature-based detection versus anomaly detection | Signature detection uses known patterns; anomaly detection looks for deviations from a baseline |
| TLS interception purpose and risk | Inspects encrypted traffic to detect threats, but introduces privacy, legal, and certificate management risks |
| Use of AAA for device access | Authentication, authorization, and accounting centralize control and auditing of administrative access |
| Use of choke points for network security | Centralize inspection at a small number of enforced points to simplify monitoring and control |
| Use of TAP versus SPAN for monitoring | A TAP provides a full-duplex copy with no packet loss; SPAN may drop packets under load |
| VLAN segmentation benefit | Limits broadcast domains, reduces attack surface, and enables policy-based separation |
| WAF role versus traditional firewall | A WAF protects web applications from layer 7 attacks like SQL injection and XSS |
| What is a bastion host? | A hardened server placed in a DMZ to provide external services with minimal attack surface |
| What is DHCP snooping? | A switch feature that builds a binding table and prevents rogue DHCP servers |
| What is Dynamic ARP Inspection? | Validates ARP packets against the DHCP snooping table to prevent ARP spoofing |
| What is microsegmentation? | Fine-grained segmentation, often enforced by host-based controls, to limit lateral movement |
| Why avoid asymmetric routing with inline devices? | Asymmetric paths can prevent devices from seeing the full flow, breaking stateful inspection |
| Why disable Telnet and use SSH? | SSH provides encrypted management, preventing credential exposure over the network |
| Why enable BPDU guard on edge ports? | Protects against rogue switches and topology changes by disabling ports that receive bridge protocol data units |
| Why synchronize sessions across firewall HA? | Preserves active connections during failover for a seamless user experience |
| Why use a hardened bastion host in a DMZ? | Minimize installed services and lock down configuration to reduce attack surface on internet-facing services |
| Zero trust principle in architectures | Assume no implicit trust, verify every access, and enforce least privilege across network and workloads |
About the Flashcards
Flashcards for the Cisco CCNA Cybersecurity exam help you quickly review core network security terminology and concepts. Cards cover firewall types and deployment (stateful vs stateless, packet filters, application firewalls, NGFW features), IDS versus IPS behavior and placement, and inspection strategies including TAP versus SPAN and TLS interception trade-offs.
Additional cards cover segmentation and hardening: DMZs and bastion hosts, VLANs and microsegmentation, and layer 2 protections such as DHCP snooping, Dynamic ARP Inspection, BPDU guard, and port security. Operational topics include ACL processing, NAT impacts, firewall HA and session synchronization, AAA and out-of-band management, VPN types, logging/SIEM, and zero trust principles.
Topics covered in this flashcard deck:
- Firewall types and modes
- IDS and IPS placement
- VLANs and microsegmentation
- Layer 2 security controls
- Access control lists (ACLs)
- VPNs, NAT, TLS risks