1
Which two end points can be on the other side of an ASA site-to-site VPN configured using ASDM? (Choose two.)
another ASA
DSL switch
multilayer switch
ISR router
Frame Relay switch
2
Which statement describes Cisco Cloud Web Security?
It is a security appliance that provides an all-in-one solution for securing and controlling web traffic.
It is a cloud-based security service to scan traffic for malware and policy enforcement.
It is an advanced firewall solution to guard web servers against security threats.
It is a secure web server specifically designed for cloud computing.
3
A company deploys a network-based IPS. Which statement describes a false negative from the IPS sensor?
A normal user packet passes and no alarm is generated.
An attack packet passes and no alarm is generated.
A normal user packet passes and an alarm is generated.
An attack packet passes and an alarm is generated.
4
A security technician uses an asymmetric algorithm to encrypt messages with a private key and then forwards that data to another technician. What key must be used to decrypt this data?
The public key of the receiver.
The private key of the receiver.
The public key of the sender.
The private key of the sender.
5
Why is the Diffie-Hellman algorithm typically avoided for encrypting data?
DH requires a shared key that is easily exchanged between sender and receiver.
DH runs too quickly to be implemented with a high level of security.
Most data traffic is encrypted using asymmetrical algorithms.
The large numbers used by DH make it too slow for bulk data transfers.
6
Which security implementation will provide management plane protection for a network device?
role-based access control
routing protocol authentication
antispoofing
access control lists
7
What is a characteristic of a DMZ zone?
Traffic originating from the inside network going to the DMZ network is not permitted.
Traffic originating from the DMZ network going to the inside network is permitted.
Traffic originating from the inside network going to the DMZ network is selectively permitted.
Traffic originating from the outside network going to the DMZ network is selectively permitted.
8
What service or protocol does the Secure Copy Protocol rely on to ensure that secure copy transfers are from authorized users?
RADIUS
SNMP
IPsec
AAA
9
What algorithm is used with IPsec to provide data confidentiality?
Diffie-Hellman
MD5
RSA
SHA
AES
10
What are two drawbacks of assigning user privilege levels on a Cisco router? (Choose two.)
Privilege levels must be set to permit access control to specific device interfaces, ports, or slots.
AAA must be enabled.
Only a root user can add or remove commands.
Commands from a lower level are always executable at a higher level.
Assigning a command with multiple keywords allows access to all commands using those keywords.
11
What is a limitation to using OOB management on a large enterprise network?
Terminal servers can have direct console connections to user devices needing management.
OOB management requires the creation of VPNs.
Production traffic shares the network with management traffic.
All devices appear to be attached to a single management network.
12
When configuring SSH on a router to implement secure network management, a network engineer has issued the login local and transport input ssh line vty commands. What three additional configuration actions have to be performed to complete the SSH configuration? (Choose three.)
Generate the asymmetric RSA keys.
Configure role-based CLI access.
Create a valid local username and password database.
Set the user privilege levels.
Manually enable SSH after the RSA keys are generated.
Configure the correct IP domain name.
13
Which interface setting can be configured in ASDM through the Device Setup tab?
NAT
security level
port-security
EtherChannel
14
What is the default preconfigured security level for the outside network interface on a Cisco ASA 5505?
0
100
255
1
15
Which feature is specific to the Security Plus upgrade license of an ASA 5505 and provides increased availability?
stateful packet inspection
routed mode
redundant ISP connections
transparent mode
16
Which security document includes implementation details, usually with step-by-step instructions and graphics?
overview document
standard document
procedure document
guideline document
17
What is a characteristic of an ASA site-to-site VPN?
ASA site-to-site VPNs create a secure single-user-to-LAN connection.
The first echo request packet sent to test the establishment of the tunnel always succeeds.
The IPsec protocol protects the data transmitted through the site-to-site tunnel.
ASA site-to-site VPNs can only be established between ASA devices.
18
How can DHCP spoofing attacks be mitigated?
by the application of the ip verify source command to
untrusted ports
by implementing port security
by disabling DTP negotiations on nontrunking ports
by implementing DHCP snooping on trusted ports
19
Which feature of the Cisco Network Foundation Protection framework prevents a route processor from being overwhelmed by unnecessary traffic?
access control lists
Control Plane Policing
port security
IP Source Guard
21
What ports can receive forwarded traffic from an isolated port that is part of a PVLAN?
only isolated ports
only promiscuous ports
all other ports within the same community
other isolated ports and community ports
22
How are Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) components used together?
The IDS blocks offending traffic and the IPS verifies that offending traffic was blocked.
The IDS will send alert messages about "gray area" traffic while the IPS will block malicious traffic.
The IPS will send alert messages when the IDS sends traffic through that is marked as malicious.
The IPS will block all traffic that the IDS does not mark as legitimate.
23
What are three characteristics of the RADIUS protocol? (Choose three.)
is an open IETF standard AAA protocol
is widely used in VOIP and 802.1X implementations
separates authentication and authorization processes
utilizes TCP port 49
uses UDP ports for authentication and accounting
encrypts the entire body of the packet
24
What three tasks can a network administrator accomplish with the Nmap and Zenmap security testing tools? (Choose three.)
development of IDS signatures
open UDP and TCP port detection
assessment of Layer 3 protocol support on hosts
security event analysis and reporting
operating system fingerprinting
password recovery
25
What can be configured as part of a network object?
interface type
IP address and mask
source and destination MAC address
upper layer protocol
26
What can be used as an alternative to HMAC?
MD5
digital signatures
symmetric encryption algorithms
SHA
27
Which type of ASDM connection would provide secure remote access for remote users into corporate networks?
Java Web Start VPN
ASDM Launcher
AnyConnect SSL VPN
site-to-site VPN
28
A company deploys a hub-and-spoke VPN topology where the security appliance is the hub and the remote VPN networks are the spokes. Which VPN method should be used in order for one spoke to communicate with another spoke through the single public interface of the security appliance?
hairpinning
MPLS
GRE
split tunneling
29
What is the function of the Hash-based Message Authentication Code (HMAC) algorithm in setting up an IPsec VPN?
creates a secure channel for key negotiation
protects IPsec keys during session negotiation
guarantees message integrity
authenticates the IPsec peers
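The point behind questions 26 and 29 is that an unkeyed hash only detects accidental corruption, while an HMAC ties the digest to a secret that an on-path attacker does not hold. The following is an added example, not part of the exam page, that contrasts the two with Python's standard library; the key, messages and the "forged" rewrite are constructed for the demonstration, and in IPsec the key would come out of the IKE exchange rather than secrets.token_bytes.

```python
import hashlib
import hmac
import secrets

# Added example, not from the exam page: keyed vs unkeyed integrity checks.


def hmac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can compute it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def hmac_verify(key: bytes, message: bytes, received_tag: str) -> bool:
    """Recompute and compare in constant time to avoid a timing side channel."""
    return hmac.compare_digest(hmac_tag(key, message), received_tag)


def plain_digest(message: bytes) -> str:
    """Unkeyed SHA-256: detects accidental corruption, not deliberate change."""
    return hashlib.sha256(message).hexdigest()


def plain_verify(message: bytes, received_digest: str) -> bool:
    return hmac.compare_digest(plain_digest(message), received_digest)


def demo() -> dict:
    key = secrets.token_bytes(32)       # constructed; in IPsec this is derived during IKE
    genuine = b"SA lifetime 3600 seconds"
    forged = b"SA lifetime 36000 seconds"

    # Sender transmits (message, tag). An on-path attacker rewrites the message.
    tag = hmac_tag(key, genuine)
    digest = plain_digest(genuine)

    return {
        # legitimate traffic passes
        "hmac_accepts_genuine": hmac_verify(key, genuine, tag),
        # a modified message no longer matches the tag
        "hmac_rejects_forgery": not hmac_verify(key, forged, tag),
        # attacker cannot fix up the tag without the key
        "hmac_rejects_refreshed_tag": not hmac_verify(key, forged, hmac_tag(b"guess", forged)),
        # with an unkeyed hash the attacker simply recomputes the digest
        "plain_hash_accepts_forgery": plain_verify(forged, plain_digest(forged)),
        # the unkeyed hash still catches a change that was NOT accompanied by a recomputed digest
        "plain_hash_catches_corruption": not plain_verify(forged, digest),
    }
```

hmac.compare_digest is used for both checks because a byte-by-byte string comparison leaks, through its timing, how many leading bytes of a guessed tag were right.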
30
Which type of VLAN-hopping attack may be prevented by designating an unused VLAN as the native VLAN?
VLAN double-tagging
DTP spoofing
DHCP starvation
DHCP spoofing
31
Which router component determines the number of signatures and engines that can be supported in an IPS implementation?
CPU speed
available memory
number of interfaces
USB availability
32
What term describes a set of rules used by an IDS or IPS to detect typical intrusion activity?
event file
definition
signature
trigger
33
Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.)
remote access security
router hardening
flash security
physical security
zone isolation
operating system security
34
A security technician is evaluating a new operations security proposal designed to limit access to all servers. What is an advantage of using network security testing to evaluate the new proposal?
Network security testing proactively evaluates the effectiveness of the proposal before any real threat occurs.
Network security testing is specifically designed to evaluate administrative tasks involving server and workstation access.
Network security testing is simple because it requires just one test to evaluate the new proposal.
Network security testing is most effective when deploying new security proposals.
35
Which service should be disabled on a router to prevent a malicious host from falsely responding to ARP requests with the intent to redirect the Ethernet frames?
LLDP
CDP
reverse ARP
proxy ARP
36
Which two statements describe the use of asymmetric algorithms? (Choose two.)
If a public key is used to encrypt the data, a private key must be used to decrypt the data.
If a private key is used to encrypt the data, a private key must be used to decrypt the data.
Public and private keys may be used interchangeably.
If a private key is used to encrypt the data, a public key must be used to decrypt the data.
If a public key is used to encrypt the data, a public key must be used to decrypt the data.
37
Which three forwarding plane services and functions are enabled by the Cisco AutoSecure feature? (Choose three.)
Cisco Express Forwarding (CEF)
Cisco IOS firewall inspection
secure password and login functions
legal notification using a banner
secure SSH access
traffic filtering with ACLs
38
What is the purpose of AAA accounting?
to collect and report data usage
to prove users are who they say they are
to determine which operations the user can perform
to determine which resources the user can access
39
What type of ACL offers greater flexibility and control over network access?
flexible
numbered standard
named standard
extended
40
What are two protocols that are used by AAA to authenticate users against a central database of usernames and passwords? (Choose two.)
HTTPS
RADIUS
SSH
CHAP
NTP
TACACS+
41
What information does the SIEM network security management tool provide to network administrators?
assessment of system security configurations
real time reporting and analysis of security events
detection of open TCP and UDP ports
a map of network systems and services
42
What is the next step in the establishment of an IPsec VPN after IKE Phase 1 is complete?
negotiation of the IPsec SA policy
detection of interesting traffic
negotiation of the ISAKMP policy
authentication of peers
43
A syslog server has received the message shown.
*Mar 1 00:07:18.783: %SYS-5-CONFIG_I: Configured from console by vty0 (172.16.45.1)
What can be determined from the syslog message?
The message is a Log_Alert notification message.
The message informs the administrator that a user with an IP address of 172.16.45.1 configured this device remotely.
The message is a normal notification and should not be reviewed.
The message description displays that the console line was accessed locally.
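Reading the message in question 43 means splitting %FACILITY-SEVERITY-MNEMONIC and then the free text: severity 5 is "notification", and "by vty0 (172.16.45.1)" says the configuration mode was entered over a remote virtual terminal from that address ("from console" here refers to configure terminal, not the physical console port). The following is an added example, not part of the exam page, of the parsing a SIEM or a small log script would do, with a detector that pulls out configuration changes made remotely (the kind of event question 41 expects a SIEM to report). The sample lines are constructed to match the format shown in the question and are not a real capture; the regular expressions assume that format and would need widening for sequence numbers or time zones that other IOS logging settings add.

```python
import re

# Added example, not part of the exam page: parse IOS syslog lines and
# flag configuration changes that came in over a remote (vty) session.

SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# "*" before the timestamp means the device clock is not authoritative (no NTP).
LINE_RE = re.compile(
    r"^(?P<unsync>\*?)(?P<ts>[A-Za-z]{3}\s+\d+ \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# "Configured from console by vty0 (172.16.45.1)"  -> line vty0, source 172.16.45.1
# "Configured from console by admin on vty1 (10.0.0.9)" when AAA supplies a user name
# "Configured from console by console"              -> local console, no address
CONFIG_RE = re.compile(
    r"Configured from \S+ by (?:(?P<user>\S+) on )?(?P<line>\S+?)(?: \((?P<ip>[\d.]+)\))?$"
)


def parse_line(line: str):
    """Return a dict of fields for a well-formed IOS syslog line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    rec = {
        "timestamp": m["ts"],
        "clock_unsynced": m["unsync"] == "*",
        "facility": m["facility"],
        "severity": sev,
        "severity_name": SEVERITY[sev],
        "mnemonic": m["mnemonic"],
        "text": m["text"],
    }
    if rec["mnemonic"] == "CONFIG_I":
        c = CONFIG_RE.search(rec["text"])
        if c:
            rec["user"] = c["user"]            # None unless AAA logged a user name
            rec["line"] = c["line"]
            rec["source_ip"] = c["ip"]         # None when the change came from the console
            rec["remote"] = c["ip"] is not None
    return rec


def remote_config_changes(lines):
    """The records an analyst wants: configuration changed from a remote session."""
    return [r for r in map(parse_line, lines) if r and r.get("remote")]


# Constructed sample modelled on the question's message; not a real capture.
SAMPLE = [
    "*Mar 1 00:07:18.783: %SYS-5-CONFIG_I: Configured from console by vty0 (172.16.45.1)",
    "*Mar 1 00:09:02.110: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar 1 00:12:00.500: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar 1 00:13:41.002: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (10.0.0.9)",
]

if __name__ == "__main__":
    for rec in remote_config_changes(SAMPLE):
        print(f'{rec["timestamp"]} config change from {rec["source_ip"]} via {rec["line"]}')
```

The leading "*" is worth keeping as a field: a device whose clock is not synchronized produces timestamps that cannot be correlated with other sources, which is the first thing a SIEM correlation rule depends on.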
44
Which two types of hackers are typically classified as grey hat hackers? (Choose two.)
cyber criminals
state-sponsored hackers
vulnerability brokers
hacktivists
script kiddies
45
On what switch ports should PortFast be enabled to enhance STP stability?
only ports that are elected as designated ports
only ports that attach to a neighboring switch
all end-user ports
all trunk ports that are not root ports
46
What technology is used to separate physical interfaces on the ASA 5505 device into different security zones?
access control lists
quality of service
Network Address Translation
virtual local-area networks
47
A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two.)
hidden passwords during transmission
encryption for only the data
single process for authentication and authorization
separate processes for authentication and authorization
encryption for all communication
48
Which statement accurately describes Cisco IOS Zone-Based Policy Firewall operation?
A router interface can belong to multiple zones.
The pass action works in only one direction.
Service policies are applied in interface configuration
mode.
Router management interfaces must be manually assigned to
the self zone.
49
What does the keyword default specify when used with the aaa authentication login command?
The local username/password database is accessed for authentication.
Authentication is automatically enabled for the vty lines utilizing the enable password.
Authentication is automatically applied to the con 0, aux, and vty lines.
Authentication must be specifically set for all lines, otherwise access is denied and no authentication is performed.
50
A network administrator is configuring an AAA server to manage TACACS+ authentication. What are two attributes of TACACS+ authentication? (Choose two.)
TCP port 40
separate processes for authentication and authorization
UDP port 1645
encryption for all communication
encryption for only the password of a user
single process for authentication and authorization
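Questions 23, 47 and 50 all hinge on the wire-level difference between the two protocols: RADIUS (UDP, ports 1812/1813 or the older 1645/1646) hides only the User-Password attribute, leaving the user name and everything else readable, whereas TACACS+ (TCP port 49) obfuscates the whole packet body. The following is an added example, not part of the exam page, that builds a RADIUS Access-Request in Python and applies the password hiding defined in RFC 2865 section 5.2, so that the "hidden password, cleartext everything else" property can be checked on the resulting bytes. The shared secret, user name, password and the server's user table are constructed for the demonstration.

```python
import hashlib
import os
import struct

# Added example, not from the exam page: how a RADIUS Access-Request hides
# only the User-Password attribute (RFC 2865 section 5.2) while every other
# attribute travels in the clear. All values below are constructed.

USER_NAME, USER_PASSWORD = 1, 2        # attribute type codes
ACCESS_REQUEST = 1                      # packet code


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Pad to 16-byte blocks; XOR each with MD5(secret + previous ciphertext block).
    The first block is keyed with the 16-byte Request Authenticator instead."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; the server must hold the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type, length (including this 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Attributes begin at offset 20: code(1) id(1) length(2) authenticator(16)."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def access_request(identifier: int, secret: bytes, username: bytes,
                   password: bytes, authenticator: bytes = b"") -> bytes:
    authenticator = authenticator or os.urandom(16)    # Request Authenticator
    attrs = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(secret, authenticator, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def server_check(packet: bytes, secret: bytes, users: dict) -> bool:
    """What the RADIUS server does: unhide the password and compare it."""
    authenticator = packet[4:20]
    attrs = parse_attributes(packet)
    expected = users.get(attrs.get(USER_NAME))
    if expected is None or USER_PASSWORD not in attrs:
        return False
    return reveal_password(secret, authenticator, attrs[USER_PASSWORD]) == expected


def demo() -> dict:
    secret, password = b"radius-shared-secret", b"Passw0rd!"
    pkt = access_request(7, secret, b"alice", password)
    return {
        "server_accepts": server_check(pkt, secret, {b"alice": password}),
        "wrong_secret_rejected": not server_check(pkt, b"other-secret", {b"alice": password}),
        "username_in_clear": b"alice" in pkt,     # a sniffer reads it directly
        "password_in_clear": password in pkt,     # False: this is the one hidden field
    }
```

Two practical consequences follow from the code: the hiding is only as strong as the shared secret (a short secret can be brute-forced offline from a captured Request Authenticator and hidden password), and nothing here protects the user name or the other attributes, which is why RADIUS is normally confined to a management network or carried inside IPsec.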
51
What is the result of a DHCP starvation attack?
Legitimate clients are unable to lease IP addresses.
Clients receive IP address assignments from a rogue DHCP server.
The IP addresses assigned to legitimate clients are
hijacked.
The attacker provides incorrect DNS and default gateway
information to clients.
52
What is an advantage of HIPS that is not provided by IDS?
HIPS deploys sensors at network entry points and protects critical network segments.
HIPS provides quick analysis of events through detailed logging.
HIPS protects critical system resources and monitors operating system processes.
HIPS monitors network processes and protects critical files.
53
What is a result of enabling the Cisco IOS image resilience feature?
The feature can only be disabled through a console session.
Multiple primary bootset files can be accessed.
Images on a TFTP server can be secured.
Secured files can be viewed in the output of a CLI-issued
command.
54
What is a characteristic of asymmetric algorithms?
Both the sender and the receiver know the key before communication is shared.
Asymmetric algorithms are easier for hardware to accelerate.
Very long key lengths are used.
Key management is more difficult with asymmetric algorithms than it is with symmetric algorithms.
55
A user complains about not being able to gain access to the network. What command would be used by the network administrator to determine which AAA method list is being used for this particular user as the user logs on?
debug aaa authorization
debug aaa authentication
debug aaa protocol
debug aaa accounting