Learn the two essential global commands – no ip http server and ip ssh version 2 – that a network administrator must implement to enhance security and limit the attack surface of an internet-facing Cisco router. Improve your Cisco 350-701 exam prep with this detailed explanation.
Question
Which two global commands must the network administrator implement to limit the attack surface of an internet-facing Cisco router? (Choose two.)
A. service tcp-keepalives-in
B. no service password-recovery
C. no cdp run
D. no ip http server
E. ip ssh version 2
Answer
D. no ip http server
E. ip ssh version 2
Explanation
When securing an internet-facing Cisco router, it is crucial to limit the attack surface by disabling unnecessary services and ensuring secure remote access. The two global commands that achieve this are:
- no ip http server: This command disables the HTTP server on the Cisco router. By default, Cisco routers have an HTTP server enabled, which exposes a web-based management interface that attackers can target. Disabling the HTTP server removes that listening service, reducing the attack surface and preventing unauthorized web-based access to the router.
- ip ssh version 2: This command restricts the router to SSH version 2. SSH (Secure Shell) is a secure protocol for remote access to network devices, and version 1 has known protocol weaknesses. By specifying version 2, the router uses the more secure and up-to-date version of SSH. This ensures that remote access to the router is encrypted and less vulnerable to attacks compared to older versions of SSH or other insecure protocols like Telnet.
The other options mentioned in the question, while useful in certain scenarios, do not directly limit the attack surface of an internet-facing router:
- service tcp-keepalives-in: This command enables TCP keepalive packets on incoming connections, helping to detect and close inactive sessions (for example, a half-open or orphaned VTY session). However, it does not directly limit the attack surface.
- no service password-recovery: This command disables the password recovery mechanism on the router, preventing someone with console access from bypassing the configured passwords during the boot process. While this is a good security practice, it does not specifically limit the attack surface of an internet-facing router.
- no cdp run: This command disables the Cisco Discovery Protocol (CDP) globally on the router. CDP is a proprietary protocol used to discover nearby Cisco devices and it advertises platform and address details to directly connected neighbors. Disabling CDP can be beneficial in certain environments, but it does not directly limit the attack surface of an internet-facing router.
In summary, to limit the attack surface of an internet-facing Cisco router, the network administrator must implement the global commands “no ip http server” to disable the HTTP server and “ip ssh version 2” to enable secure remote access using SSH version 2.
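A practical way to verify that these settings are actually applied is to audit the router's running configuration. The script below is an added example, not part of the original question or Cisco's own tooling: it parses a constructed IOS-style running-config excerpt (the sample text is made up for illustration) and reports whether the HTTP server is still enabled and whether SSH version 2 is enforced. It also goes one step beyond the two global commands by flagging VTY lines that still accept Telnet, since the explanation above names Telnet as the insecure alternative; the `transport input` check is a line-mode setting, not a global command.

```python
import re

# Constructed sample of an IOS-style running-config excerpt with weak settings
# (not captured from any real device).
WEAK_CONFIG = """\
!
hostname EDGE-RTR
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input telnet ssh
!
end
"""

# Constructed hardened counterpart: HTTP server disabled, SSHv2 enforced,
# and the VTY lines restricted to SSH.
HARDENED_CONFIG = """\
!
hostname EDGE-RTR
!
no ip http server
no ip http secure-server
ip ssh version 2
!
line vty 0 4
 transport input ssh
!
end
"""


def parse_config_lines(text):
    """Return config lines with comment ('!') and blank lines removed.

    Leading whitespace is preserved because IOS indents sub-mode lines
    (such as those under 'line vty'), which distinguishes them from
    global configuration commands.
    """
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def audit_ios_config(text):
    """Audit a running-config excerpt and return a list of findings.

    An empty list means none of the checked weaknesses were found.
    """
    lines = parse_config_lines(text)
    # Global commands are the lines with no leading indentation.
    global_lines = {ln.strip() for ln in lines if not ln.startswith(" ")}
    findings = []

    # Check 1: the HTTP management server must be explicitly disabled.
    if "ip http server" in global_lines:
        findings.append("HTTP server enabled: apply 'no ip http server'")

    # Check 2: SSH must be pinned to version 2.
    if "ip ssh version 2" not in global_lines:
        findings.append("SSH version 2 not enforced: apply 'ip ssh version 2'")

    # Check 3 (beyond the two global commands): VTY lines that accept Telnet.
    for ln in lines:
        stripped = ln.strip()
        if stripped.startswith("transport input") and \
                re.search(r"\btelnet\b", stripped):
            findings.append(
                f"VTY line accepts Telnet ('{stripped}'): use 'transport input ssh'")
            break
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_ios_config(cfg) or ['no findings']}")
```

One caveat when using this against real output: `show running-config` omits settings that are at their platform default, so on a platform where the HTTP server is enabled by default the `ip http server` line may not appear even though the service is running. Confirm the effective state with `show ip http server status` and `show ip ssh` (or `show running-config all`, which prints defaults) rather than relying on the running-config text alone.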