PrepKing

Number: 640-553
Passing Score: 804
Time Limit: 120 min
File Version: 6.5

http://www.gratisexam.com/

PrepKing 640-553

Sections
1. Drag and Drop
2. Labs
3. Cryptography
4. IOS Security
5. Security
6. SDM
7. VPNs
8. Zone-based Firewall SDM Simlet
9. Site-to-site VPN SDM Lab Sim
10. Other



Exam A

QUESTION 1
As a network engineer at Cisco.com, you are responsible for the Cisco network. Which of the following must be taken into consideration when implementing syslogging in your network?

A. Log all messages to the system buffer so that they can be displayed when accessing the router.
B. Use SSH to access your syslog information.
C. Enable the highest level of syslogging available to ensure you log all possible event messages.
D. Synchronize clocks on the network with a protocol such as Network Time Protocol.

Correct Answer: D
Section: IOS Security

Explanation/Reference:
The time stamps in a syslog are hard to correlate with other syslogs if the time is off. NTP is invaluable in ensuring that all network devices are time-synchronized.

Reference: Chapter 5, page 174.

QUESTION 2
Into which classes does the U.S. government place classified data? (Choose three.)

A. SBU
B. Confidential
C. Secret
D. Top-secret

Correct Answer: BCD
Section: Security

Explanation/Reference:
Table: Government and Military Data Classification.

QUESTION 3
You are a network technician at Cisco.com. Which description is correct once you have generated RSA keys on your Cisco router to prepare for secure device management?

A. All vty ports are automatically enabled for SSH to provide secure management.
B. The SSH protocol is automatically enabled.
C. You must then zeroize the keys to reset secure shell before configuring other parameters.
D. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command.

Correct Answer: B
Section: IOS Security

Explanation/Reference:
The steps to enable SSH on a router are:

1) Configure a domain name on the router using the "ip domain-name name" command.
2) Use the "crypto key generate rsa general-keys modulus size" command, where Cisco recommends a size of at least 1024 bits.
3) Configure SSH parameters such as authentication-retries, and "transport input" on the vty lines to permit SSH when connecting to the router.

Reference: Chapter 5, pages 183-185, section "Enabling Secure Shell on a Router"

QUESTION 4
Which method of gaining access to a system bypasses normal security measures?

A. Creating a back door
B. Starting a Smurf attack
C. Conducting social engineering
D. Launching a DoS attack

Correct Answer: A
Section: Security

Explanation/Reference:

QUESTION 5
As a candidate for the CCNA examination, you should be familiar with the basic commands. If you input the command "enable secret level 5 password" in global configuration mode, what does it indicate?

A. Set the enable secret command to privilege level 5.
B. The enable secret password is hashed using SHA.
C. The enable secret password is hashed using MD5.
D. The enable secret password is encrypted using Cisco proprietary level 5 encryption.
E. The enable secret password is for accessing exec privilege level 5.

Correct Answer: E
Section: IOS Security

Explanation/Reference:
The key to this answer is the presence of the word "level" in the command. That tells you that in this case the 5 has nothing to do with hashes or encryption; rather, it is the secret password for access to level 5 commands.

Reference: Chapter 3, page 93, Section "Configuring Privilege Levels"

QUESTION 6
Which statement is true about a Smurf attack?

A. It sends ping requests to a subnet, requesting that devices on that subnet send ping replies to a target system.
B. It intercepts the third step in a TCP three-way handshake to hijack a session.
C. It uses Trojan horse applications to create a distributed collection of "zombie" computers, which can be used to launch a coordinated DDoS attack.
D. It sends ping requests in segments of an invalid size.

Correct Answer: A
Section: Security

Explanation/Reference:
A Smurf attack can use ICMP traffic directed to a subnet to flood a target system with ping replies.

Example: in the figure below, the attacker sends a ping to the subnet broadcast address of 172.16.0.0/16. This collection of pings instructs devices on that subnet to send their ping replies to the target system at IP address 10.2.2.2, thus flooding the target system's bandwidth and processing resources.

QUESTION 7
Which three items are Cisco best-practice recommendations for securing a network? (Choose three.)

A. Deploy HIPS software on all end-user workstations.
B. Routinely apply patches to operating systems and applications.
C. Disable unneeded services and ports on hosts.
D. Require strong passwords, and enable password expiration.

Correct Answer: BCD
Section: Security

Explanation/Reference:

QUESTION 8
Which of the following is intended to ensure that no one employee becomes a pervasive security threat, that data can be recovered from backups, and that information system changes do not compromise a system's security?

A. Disaster recovery
B. Strategic security planning
C. Implementation security
D. Operations security

Correct Answer: D
Section: Security

Explanation/Reference:


QUESTION 9
Which of the following options accurately matches the CLI command(s) to the equivalent SDM wizard that performs similar configuration functions?

A. setup exec command and the SDM Security Audit wizard
B. auto secure exec command and the SDM One-Step Lockdown wizard
C. aaa configuration commands and the SDM Basic Firewall wizard
D. Cisco Common Classification Policy Language configuration commands and the SDM Site-to-Site VPN wizard

Correct Answer: B
Section: SDM

Explanation/Reference:
Running "auto secure" from the CLI, particularly with the "no-interact" parameter, automatically secures the router, which is very similar to using the "One-Step Lockdown" wizard in the SDM.

Reference: Chapter 5, pages 161-171, sections "AutoSecure" and "Cisco SDM One-Step Lockdown"

QUESTION 10
Which three options are network evaluation techniques? (Choose three.)

A. Scanning a network for active IP addresses and open ports on those IP addresses
B. Using password-cracking utilities
C. Performing end-user training on the use of antispyware software
D. Performing virus scans

Correct Answer: ABD
Section: Security

Explanation/Reference:

QUESTION 11
Which is the main difference between host-based and network-based intrusion prevention?

A. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.
B. Host-based IPS can work in promiscuous mode or inline mode.
C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers.
D. Host-based IPS deployment requires less planning than network-based IPS.

Correct Answer: C
Section: Security

Explanation/Reference:

QUESTION 12
Which of the following common elements of a network design is the most important?

A. Business needs
B. Best practices
C. Risk analysis
D. Security policy

Correct Answer: A
Section: Security

Explanation/Reference:
A common temptation when designing a security solution for a network is to make the network so secure that it cannot easily be used for its intended purpose. Therefore, when designing a network security solution, designers should recognize that business needs supersede all other needs. However, other factors do enter into the design equation.

Consider the following elements of a secure network design:

* Business needs: Business needs dictate what an organization wants to accomplish with its network. Note that this need is the most important of all the needs.
* Risk analysis: As previously discussed, a comprehensive risk analysis can be used to assign an appropriate level of resources (for example, an appropriate amount of money) to a potential security risk.
* Security policy: Earlier in this chapter you read about the elements of a security policy. A security policy typically contains multiple documents, targeting specific audiences within an organization. These individual documents provide day-to-day guidance, relating to network security, for all organizational employees.
* Best practices: Rather than the mandatory rules imposed by a security policy, a set of best practices (developed internally and/or externally) can offer proven methods for achieving a desired result.
* Security operations: Day-to-day security operations entail responding to an incident, monitoring and maintaining a system, and auditing a system (to ensure compliance with an organization's security policy).

QUESTION 13
Given the exhibit below. You are a network manager of your company. You are reading your syslog server reports. On the basis of the syslog message shown, which two descriptions are correct? (Choose two.)

A. This message is a level 5 notification message.
B. This message is unimportant and can be ignored.
C. This is a normal system-generated information message and does not require further investigation.
D. Service timestamps have been globally enabled.

Correct Answer: AD
Section: IOS Security

Explanation/Reference:
Without having run the "service timestamps" commands, syslog messages take the following form:

17w5d: %LINK-3-UPDOWN: Interface GigabitEthernet0/41, changed state to down

The default is to show the uptime of the router/switch, not the specific time and date, leaving you to try to count backwards from today to determine when the event occurred. By issuing the "service timestamps log datetime localtime" command, reading the output (never mind troubleshooting) is greatly simplified. The above output changes to:

Aug 20 09:11:22 EST: %LINK-3-UPDOWN: Interface GigabitEthernet0/41, changed state to down

From the output in the question, the alert is a level-5 notification. The output levels are:

0 - Emergencies
1 - Alerts
2 - Critical
3 - Errors
4 - Warnings
5 - Notifications
6 - Informational
7 - Debugging

The level of a particular message is indicated by the severity number in the message; in this case, a '5'.

Reference: Chapter 5, page 176, table 5-4

QUESTION 14
Which of the following items offers a variety of security solutions, including firewall, IPS, VPN, antispyware, antivirus, and antiphishing features?

A. Cisco 4200 series IPS appliance
B. Cisco ASA 5500 series security appliance
C. Cisco IOS router
D. Cisco PIX 500 series security appliance

Correct Answer: B
Section: Security

Explanation/Reference:
The Cisco advances in firewall technologies include the acquisition of the original Private Internet Exchange (PIX) technology in 1995. Today Cisco continues to develop PIX capabilities. The Cisco PIX appliances represent network layer firewalls that employ stateful inspection. These firewalls allow internal connections out (outbound traffic) and only allow inbound traffic that is a response to a valid request or that is explicitly allowed by an access control list (ACL). Cisco PIX technology may be configured to perform a variety of critical network functions, including Network Address Translation (NAT) and Port Address Translation (PAT).

In addition to working with Cisco PIX appliances, you may choose to use the features of the Cisco IOS Firewall embedded in Cisco IOS software. This allows you to turn your router into an effective, robust firewall with many of the capabilities of the Cisco PIX Security Appliance.

Cisco offers the Adaptive Security Appliance (ASA), which provides an easy-to-deploy solution that integrates firewall, Unified Communications (voice/video) security, SSL and IPsec VPN, intrusion prevention system (IPS), and content security services.

QUESTION 15
The enable secret password appears as an MD5 hash in a router's configuration file, whereas the enable password is not hashed (or encrypted, if the password-encryption service is not enabled). What is the reason that Cisco still supports the use of both enable secret and enable passwords in a router's configuration?

A. The enable password is used for IKE Phase I, whereas the enable secret password is used for IKE Phase II.
B. The enable password is considered to be a router's public key, whereas the enable secret password is considered to be a router's private key.
C. Because the enable secret password is a hash, it cannot be decrypted. Therefore, the enable password is used to match the password that was entered, and the enable secret is used to verify that the enable password has not been modified since the hash was generated.
D. The enable password is present for backward compatibility.

Correct Answer: D
Section: IOS Security

Explanation/Reference:
The enable password is not encrypted (or hashed) by default. Therefore, the enable password is considered weaker than the enable secret password. However, Cisco IOS still supports the enable password for backward compatibility. For example, if the IOS version on a router were rolled back to a version that supported the enable password but not the enable secret password, the enable password would offer some level of security.

The enable secret password is used to permit access to a router's privileged mode. The password is stored in the router's configuration as an MD5 hash value, making it difficult for an attacker to guess and impossible to read directly from the configuration.

QUESTION 16
How does a CLI view differ from a privilege level?

A. A CLI view supports only commands configured for that specific view, whereas a privilege level supports commands available to that level and all the lower levels.
B. A CLI view supports only monitoring commands, whereas a privilege level allows a user to make changes to an IOS configuration.
C. A CLI view and a privilege level perform the same function. However, a CLI view is used on a Catalyst switch, whereas a privilege level is used on an IOS router.
D. A CLI view can function without a AAA configuration, whereas a privilege level requires AAA to be configured.

Correct Answer: A
Section: IOS Security

Explanation/Reference:

QUESTION 17
When configuring Cisco IOS login enhancements for virtual connections, what is the "quiet period"?

A. A period of time when no one is attempting to log in
B. The period of time in which virtual logins are blocked as security services fully initialize
C. The period of time in which virtual login attempts are blocked, following repeated failed login attempts
D. The period of time between successive login attempts

Correct Answer: C
Section: IOS Security

Explanation/Reference:
This question is about the Cisco IOS Login Enhancements for Virtual Connections feature, which adds the following requirements to the login process:

- Create a delay between repeated login attempts.
- Suspend the login process if a denial-of-service (DoS) attack is suspected.
- Create syslog messages upon the success and/or failure of a login attempt.

These login enhancements are not enabled by default. To enable the login enhancements with their default settings, you can issue the login block-for command in global configuration mode. The default login settings specify the following:

- A delay of 1 second occurs between successive login attempts.
- No virtual connection (that is, a connection using Telnet, SSH, or HTTP) can be made during the "quiet period," which is a period of time in which virtual login attempts are blocked, following repeated failed login attempts.

QUESTION 18
What is the result of securing the Cisco IOS image by use of the Cisco IOS image resilience feature?

A. When the router boots up, the Cisco IOS image will be loaded from a secured FTP location.
B. The Cisco IOS image file will not be visible in the output from the show flash command.
C. The show version command will not show the Cisco IOS image file location.
D. The running Cisco IOS image will be encrypted and then automatically backed up to a TFTP server.

Correct Answer: B
Section: IOS Security

Explanation/Reference:
The IOS image resilience feature doesn't encrypt or back up the IOS; it just hides it. It does this by removing it from the directory listing when you issue the "show flash" command. The command to enable this feature is "secure boot-image".

QUESTION 19
Which three statements are valid SDM configuration wizards? (Choose three.)

A. Security Audit
B. VPN
C. STP
D. NAT

Correct Answer: ABD
Section: SDM

Explanation/Reference:
The detailed information is in the attached picture, which is a screenshot of the SDM configuration wizard.

QUESTION 20
How do you define the authentication method that will be used with AAA?

A. With a method list
B. With the method command
C. With the method aaa command
D. With a method statement

Correct Answer: A
Section: IOS Security

Explanation/Reference:

QUESTION 21
What is the objective of the aaa authentication login console-in local command?

A. It specifies the login authorization method list named console-in using the local RADIUS username-password database.
B. It specifies the login authorization method list named console-in using the local username-password database on the router.
C. It specifies the login authentication method list named console-in using the local user database on the router.
D. It specifies the login authentication list named console-in using the local username-password database on the router.

Correct Answer: C
Section: IOS Security

Explanation/Reference:

QUESTION 22
Which description is true about the show login command output displayed in the exhibit?

A. All logins from any sources are blocked for another 193 seconds.
B. The login block-for command is configured to block login hosts for 93 seconds.
C. When the router goes into quiet mode, any host is permitted to access the router via Telnet, SSH, and HTTP, since the quiet-mode access list has not been configured.
D. Three or more login requests have failed within the last 100 seconds.

Correct Answer: D
Section: IOS Security

Explanation/Reference:

QUESTION 23
Which one of the following commands can be used to enable AAA authentication to determine if a user can access the privilege command level?

A. aaa authentication enable default local
B. aaa authentication enable level
C. aaa authentication enable method default
D. aaa authentication enable default

Correct Answer: D
Section: IOS Security

Explanation/Reference:

QUESTION 24
Which two ports are used with RADIUS authentication and authorization? (Choose two.)

A. TCP port 2002
B. UDP port 2000
C. UDP port 1645
D. UDP port 1812

Correct Answer: CD
Section: IOS Security

Explanation/Reference:
This question is about the ports used by Cisco Secure ACS for client communication:

RADIUS authentication and authorization use UDP ports 1645 and 1812.
RADIUS accounting uses UDP ports 1646 and 1813.

Regarding the other options: the administrative HTTP port for new sessions uses TCP port 2002.

No Cisco Secure ACS service uses UDP port 2000, but the following services use TCP port 2000:

1. Cisco Secure ACS database replication: TCP 2000
2. RDBMS synchronization: TCP 2000
3. User-changeable password web application: TCP 2000

QUESTION 25
Which of the following management topologies keeps management traffic isolated from production traffic?

A. OOB
B. SAFE
C. MARS
D. OTP

Correct Answer: A
Section: Other

Explanation/Reference:

QUESTION 26
What are four methods used by hackers? (Choose four.)

A. social engineering attack
B. Trojan horse attack
C. front door attacks
D. buffer Unicode attack
E. privilege escalation attack
F. footprint analysis attack

Correct Answer: ABEF
Section: Security

Explanation/Reference:

QUESTION 27
Information about a managed device's resources and activity is defined by a series of objects. What defines the structure of these management objects?

A. FIB
B. LDAP
C. CEF
D. MIB

Correct Answer: D
Section: Other

Explanation/Reference:

QUESTION 28
After enabling port security on a Cisco Catalyst switch, what is the default action when the configured maximum of allowed MAC addresses value is exceeded?

A. The port is shut down.
B. The port's violation mode is set to restrict.
C. The MAC address table is cleared and the new MAC address is entered into the table.
D. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out.

Correct Answer: A
Section: IOS Security

Explanation/Reference:

QUESTION 29
When configuring SSH, which is the Cisco minimum recommended modulus value?

A. 2048 bits
B. 256 bits
C. 1024 bits
D. 512 bits

Correct Answer: C
Section: Cryptography

Explanation/Reference:

QUESTION 30
When using the Cisco SDM Quick Setup Site-to-Site VPN wizard, which three parameters do you configure? (Choose three.)

A. Interface for the VPN connection
B. IP address for the remote peer
C. Transform set for the IPsec tunnel
D. Source interface where encrypted traffic originates

Correct Answer: ABD
Section: SDM

Explanation/Reference:

QUESTION 31
If you click the Configure button along the top of Cisco SDM's graphical interface, which Tasks button permits you to configure such features as SSH, NTP, SNMP, and syslog?

A. Additional Tasks
B. Security Audit
C. Intrusion Prevention
D. Interfaces and Connections

Correct Answer: A
Section: SDM

Explanation/Reference:

QUESTION 32
Which item is correct regarding Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later?

A. uses Cisco IPS 5.x signature format
B. supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts
C. requires the Basic or Advanced Signature Definition File
D. uses the built-in signatures that come with the Cisco IOS image as backup

Correct Answer: A
Section: IOS Security

Explanation/Reference:
This topic was not mentioned once in the entire Certification Guide, so be glad you came across the question here. Starting in IOS 12.4(11)T, version 4.x signature files are no longer supported, and only the 5.x format is accepted. 4.x files have to be migrated to the 5.x format.

QUESTION 33
Which Spanning Tree Protocol (STP) protection mechanism disables a switch port if the port receives a Bridge Protocol Data Unit (BPDU)?

A. PortFast
B. BPDU Guard
C. UplinkFast
D. Root Guard

Correct Answer: B
Section: IOS Security

Explanation/Reference:

QUESTION 34
Which of the following features is the foundation of Cisco Self-Defending Network technology?

A. policy management
B. secure connectivity
C. threat control and containment
D. secure network platform

Correct Answer: D
Section: Security

Explanation/Reference:
While all four answers have their merits, the Self-Defending Network model is concerned with a secure network platform. Once the secure network foundation is established, the other concerns can be addressed.

Reference: Chapter 2, page 69, Figure 2.5

Incorrect:
A: A dynamic organizational policy allows efficiency when responding to attacks and maintaining consistency of configuration when rolling out multiple devices.
B: Secure connectivity in an insecure network is a futile concept; taking care of the secure network must occur first. IPsec and SSL VPNs can then be used to secure remote access.
C: Threat control can only occur once the foundation of a secure network is addressed. Viruses and spyware, whether from Internet sources or e-mail, must be protected against to keep servers and applications safe.

QUESTION 35
If a switch is working in fail-open mode, what will happen when the switch's CAM table fills to capacity and a new frame arrives?

A. The switch sends a NACK segment to the frame's source MAC address.
B. A copy of the frame is forwarded out all switch ports other than the port the frame was received on.
C. The frame is dropped.
D. The frame is transmitted on the native VLAN.

Correct Answer: B
Section: IOS Security

Explanation/Reference:
A Cisco Catalyst switch uses a Content Addressable Memory (CAM) table to store the information used by the switch to make forwarding decisions. Specifically, the CAM table contains a listing of MAC addresses that have been learned from each switch port. Then, when a frame enters the switch, the switch interrogates the frame's destination MAC address. If the destination MAC address is known to exist off one of the switch ports, the frame is forwarded out only that port.

However, the switch's CAM table does have a finite size. Therefore, if the CAM table ever fills to capacity, the switch is unable to learn new MAC addresses. As a result, when frames arrive destined for these unlearned MAC addresses, the switch floods a copy of these frames out all other switch interfaces, other than the interfaces they were received on.

QUESTION 36
Which kind of table is used by most firewalls today to keep track of the connections through the firewall?

A. queuing
B. netflow
C. dynamic ACL
D. reflexive ACL
E. state

Correct Answer: E
Section: IOS Security

Explanation/Reference:
The state table keeps track of all connection information for traffic flows through the firewall. The state table holds information from the headers, including source/destination IP addresses (layer 3) and port information (layer 4). It particularly takes note of SYNs, RSTs, ACKs, FINs, and other control codes.

Reference: Chapter 10, pages 335-336. Section: "Stateful Packet Filtering and the State Table"

Incorrect:
A: No queuing table exists.
B: The NetFlow table is very similar to a state table, in that it keeps track of IP flows as they are received by a Cisco router or switch. It is used by routers and switches, though, not by firewalls.
C: Dynamic ACLs are stored in a router's config, not in a table.
D: Reflexive ACLs are inherent in Cisco firewalls, and allow return traffic from an established flow to return through a firewall that would otherwise block such traffic. The traffic is checked against the information in the state table to see if it is return traffic; if a matching entry exists, a reflexive ACL is created. They are not stored in a table.

QUESTION 37
Which type of MAC address is dynamically learned by a switch port and then added to the switch's running configuration?

A. Pervasive secure MAC address
B. Static secure MAC address
C. Sticky secure MAC address
D. Dynamic secure MAC address

Correct Answer: C
Section: IOS Security

Explanation/Reference:
To mitigate MAC address spoofing attacks, a switch administrator can configure the Cisco Catalyst switch to use sticky secure MAC addresses. When configured for sticky secure MAC addresses, a Catalyst switch dynamically learns MAC addresses connected to various ports. These dynamically learned MAC addresses are added to the switch's running configuration, thus preventing an attacker from spoofing a previously learned address.

QUESTION 38
In an IEEE 802.1x deployment, between which two devices are EAPOL messages typically sent?

A. Between the RADIUS server and the authenticator
B. Between the authenticator and the authentication server
C. Between the supplicant and the authentication server
D. Between the supplicant and the authenticator

Correct Answer: D
Section: IOS Security

Explanation/Reference:

QUESTION 39
Which one of the Cisco IOS commands can be used to verify that either the Cisco IOS image, the configuration files, or both have been properly backed up and secured?

A. show flash
B. show secure bootset
C. show archive
D. show file systems

Correct Answer: B
Section: IOS Security

Explanation/Reference:
To protect a router's image and configuration from an attacker's attempt to erase those files, the Cisco IOS Resilient Configuration feature keeps a secure copy of these files. These files are called the bootset.

The following table shows the steps required to configure Cisco IOS Resilient Configuration. Step 3 is the answer.

QUESTION 40
Which item accounts for the great majority of software vulnerabilities that have been discovered?

A. Stack vulnerabilities
B. Software overflows
C. Heap overflows
D. Buffer overflows

Correct Answer: D
Section: Security

Explanation/Reference:
Buffer overflow: A programming error that may result in erratic program behavior, a memory access exception and program termination, or a possible breach of system security. When a user or other source interacts with an application, the application has to carefully verify all input, because the input might contain improperly formatted data, control sequences, or simply too much data for the application to work with. When these things occur, a buffer overflow condition can arise. Attackers realize this and try to exploit this vulnerability. In fact, buffer overflows are a very common type of exploitation used by attackers. Buffer overflows are one of the most commonly exploited computer security risks because of the structure of how computers handle data.

An attacker who unleashes a buffer overflow exploit essentially tries to overwrite memory on an application stack by supplying too much data to the input buffer. Because this form of attack uses the application's very nature against itself, it can be hard to stop. As soon as an attacker discovers the vulnerabilities that lead to this condition, he or she can repackage exploit code for widespread use.

A) Stack vulnerabilities are not the most common type of software vulnerability.
B) Software overflow: this concept just doesn't exist.
C) Heap overflow: A type of buffer overflow that occurs in the heap data area. Memory on the heap is dynamically allocated by the application at runtime and typically contains program data. A heap overflow is not as likely to result in a condition permitting remote code execution as a stack-based buffer overflow.

QUESTION 41
Which type of intrusion prevention technology is primarily used by the Cisco IPS security appliances?

A. rule-based
B. protocol analysis-based
C. signature-based
D. profile-based

Correct Answer: C
Section: IOS Security

Explanation/Reference:

QUESTION 42
What is enabled by the Dynamic Vector Streaming (DVS) scanning technology?

A. Firmware-level virus detection
B. Layer 4 virus detection
C. Signature-based spyware filtering
D. Signature-based virus filtering

Correct Answer: C
Section: IOS Security

Explanation/Reference:
The Dynamic Vector Streaming (DVS) scanning technology belongs to IronPort. IronPort is designed to protect an enterprise from various Internet threats that target e-mail and web security. IronPort's e-mail security capabilities are used by 20 percent of the largest enterprise organizations in the world.

In addition to enterprise-level e-mail protection, the IronPort S-Series is the industry's fastest web security appliance. This appliance combines a high-performance security platform with Web Reputation technology and a Dynamic Vectoring and Streaming (DVS) engine. The DVS engine is a new scanning technology that enables signature-based spyware filtering. This solution is complemented by a comprehensive set of management and reporting tools that provide ease of administration and complete visibility into threat-related activities.

QUESTION 43
What is the purpose of the secure boot-config global configuration command?
OR
What does the secure boot-config global configuration command accomplish?

A. backs up the Cisco IOS image from flash to a TFTP server
B. enables Cisco IOS image resilience
C. takes a snapshot of the router running configuration and securely archives it in persistent storage
D. stores a secured copy of the Cisco IOS image in its persistent storage

Correct Answer: C
Section: IOS Security

Explanation/Reference:
"secure boot-config" is a global configuration command that takes a copy of the running configuration and saves it to persistent storage. FYI, persistent storage here refers to PCMCIA ATA disks, not flash or NVRAM. Therefore the command only works on systems with PCMCIA ATA disks installed.

Reference: Chapter 3, page 96. Table 3-8

QUESTION 44
Which Cisco Security Agent interceptor is in charge of intercepting all read/write requests to the rc files in UNIX?

A. Network interceptor
B. Configuration interceptor
C. Execution space interceptor
D. File system interceptor

Correct Answer: B
Section: IOS Security
Explanation

Explanation/Reference:
This question is about Cisco Security Agent interceptors:

B: A Configuration Interceptor is responsible for intercepting read/write requests to the registry in Windows or to rc files on UNIX. Interception occurs because modifying the operating system configuration can have serious consequences. All read/write requests to the registry are tightly controlled for security by the Cisco Security Agent.

A: A Network Interceptor is responsible for controlling Network Driver Interface Specification (NDIS) changes and for clearing network connections through the security policy. It also limits how many network connections are allowed within a specified time period to help prevent DoS attacks. Central to its role is providing hardening features such as SYN flood protection and port scan detection.

C: Execution Space Interceptor: it is the responsibility of this interceptor to maintain the integrity of the dynamic runtime environment of each application. It does this by detecting and blocking requests to write to memory not owned by the requesting application. In practical terms, when this form of attack occurs, the targeted service, such as SMTP, FTP, or TFTP, crashes; more importantly, the attacker's shell code is not launched successfully. This interceptor also blocks attempts by an application to inject code (such as a shared library or dynamic link library [DLL]) into another. Buffer overflow attacks are also detected, helping maintain the integrity of dynamic resources such as the file system and the configuration of web services. This also helps preserve the integrity of highly dynamic resources such as memory and network I/O.

D: The File System Interceptor is responsible for intercepting all file read or write requests and either allowing or denying them based on the security policy.

Reference: CCNA Security Official Exam Certification Guide by Michael Watkins and Kevin Wallace (CCIE No. 7945), page 271.

QUESTION 45
What is the name of the e-mail traffic monitoring service that underlies the IronPort architecture?

A. IronPort M-Series
B. E-Base
C. TrafMon
D. SenderBase

Correct Answer: D
Section: Security
Explanation

Explanation/Reference:

QUESTION 46
Based on the username global configuration mode command displayed in the exhibit, what does the option secret 5 indicate about the enable secret password?

A. It is encrypted using DH group 5.
B. It is hashed using SHA.
C. It is hashed using MD5.
D. It is encrypted using a proprietary Cisco encryption algorithm.

Correct Answer: C
Section: IOS Security
Explanation

Explanation/Reference:
When it comes to usernames, the options are plain text, encrypted, or hashed. If the command "username cisco password C1$C0" is used, the output will show the actual plain-text password. Encrypting this password requires the "service password-encryption" command; the same password then appears encrypted, with a "7" in front of it to indicate Cisco proprietary encryption. The "secret" is different: secrets are hashed, and the hashing algorithm used by Cisco is MD5.

Reference: Chapter 3, page 88

Incorrect:
A: DH is not used by Cisco for encrypting or hashing passwords in the IOS.
B: SHA is not employed by Cisco in its hashing functions.
D: Cisco does not have a proprietary hashing algorithm; it uses MD5.

QUESTION 47
Which statement is not a reason for an organization to incorporate a SAN in its enterprise infrastructure?

A. To increase the performance of long-distance replication, backup, and recovery
B. To decrease the threat of viruses and worm attacks against data storage devices
C. To decrease both capital and operating expenses associated with data storage
D. To meet changing business priorities, applications, and revenue growth

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:
For many organizations, incorporating SANs in their enterprise infrastructure allows them to meet three primary business requirements:

* Effectively meet changing business priorities, application requirements, and revenue growth
* Increase performance of long-distance replication, backup, and recovery to meet regulatory requirements as well as industry best practices
* Decrease both capital and operating expenses associated with data storage

Answer B is therefore not a valid reason for organizations to incorporate SAN in their infrastructure.

QUESTION 48
On the basis of the show policy-map type inspect zone-pair session command output provided in the exhibit, what can be determined about this Cisco IOS zone-based firewall policy?

A. This is an outbound policy (applied to traffic sourced from the more secured zone destined to the less secured zone).
B. All packets will be dropped since the class-default traffic class is matching all traffic.
C. This is an inbound policy (applied to traffic sourced from the less secured zone destined to the more secured zone).
D. Stateful packet inspection will be applied only to HTTP packets that also match ACL 110.

Correct Answer: D
Section: IOS Security
Explanation

Explanation/Reference:
The "TEST-Class" class map has two match statements: match access-group 110 and match protocol http. To qualify for the "TEST-Class" class map, both conditions must apply, as the "(match-all)" operator indicates. Nothing else matches this class map, so everything else moves on to class map "class-default", where the action is to drop the traffic.

Reference: Chapter 10, pages 377, 378

QUESTION 49
Which protocol uses a LUN as a way to differentiate the individual disk drives that comprise a target device?

A. iSCSI
B. ATA
C. SCSI
D. HBA

Correct Answer: C
Section: Labs
Explanation

Explanation/Reference:
The question is about using LUN masking to defend against attacks. The answer is: a Logical Unit Number (LUN) is an address for an individual disk drive and, by extension, the disk device itself. The SCSI protocol uses the term LUN as a way to differentiate the individual disk drives that comprise a common SCSI target device, such as a SCSI disk array.

Reference: CCNA: Security - Cisco Press (page 287).

Additional information:
To defend against attacks, LUN masking may be employed. In this authorization process, a LUN is made available to some hosts and unavailable to other hosts. Generally, this technique of LUN masking is implemented at the host bus adapter (HBA) level. Unfortunately, when LUN masking is implemented at this level, it is vulnerable to any attack that compromises the HBA. Benefits, with regard to security, are limited with the implementation of LUN masking. This is because with many HBAs it is possible for an attacker to forge source addresses. For this reason, LUN masking is implemented mainly as a way to protect against malfunctioning servers corrupting disks belonging to other servers. An example of where LUN masking might be useful is in the case of Windows servers attached to a SAN. In some instances these corrupt non-Windows volumes by attempting to write Windows volume labels to them. In these cases, hiding the LUNs of the non-Windows volumes from the Windows server can prevent this behavior. With the LUNs masked, the Windows server is unaware of the non-Windows volumes and thereby makes no attempt to write Windows volume labels to them. In today's implementations, LUNs are typically not individual disk drives but rather virtual partitions (or volumes) within a RAID array.

QUESTION 50
What should be enabled before any user views can be created during role-based CLI configuration?
OR
During role-based CLI configuration, what must be enabled before any user views can be created?

A. usernames and passwords
B. secret password for the root user
C. aaa new-model command
D. multiple privilege levels

Correct Answer: C
Section: IOS Security
Explanation

Explanation/Reference:
Before role-based CLI views can be created, AAA must be enabled with the "aaa new-model" command. Step 2 is to enable the root view with the "enable view" command. Step 3 creates the actual view with the "parser view view_name" command and enters the view's edit mode, evidenced by the (config-view)# prompt. Creating a password for the view with the "secret password" command is Step 4. Finally, adding the necessary commands to the view is the fifth and final step, using command syntax such as "commands exec include ping" and "commands exec include write". Interestingly, while you assign a local password in Step 4, role-based CLI configurations are still an advanced scheme that requires enabling AAA.

Reference: Chapter 3, page 94, section "Creating Command-Line Interface Views"

QUESTION 51
Which of the following is perceived as a drawback of implementing Fibre Channel Authentication Protocol (FCAP)?

A. It is restricted in size to only three segments.
B. It requires the implementation of IKE.
C. It relies on an underlying Public Key Infrastructure (PKI).
D. It requires the use of netBT as the network protocol.

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 52
Which two primary port authentication protocols are used with VSANs? (Choose two.)

A. ESP
B. CHAP
C. DHCHAP
D. SPAP

Correct Answer: BC
Section: Security
Explanation

Explanation/Reference:
This question is about virtual storage-area networks (VSANs), which aim to provide true isolation of SAN-attached devices. There are two primary port authentication protocols when working with VSANs:

- Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP)
- Challenge Handshake Authentication Protocol (CHAP)

DHCHAP may be used to authenticate devices connecting to a Fibre Channel switch. By using Fibre Channel authentication, you allow only trusted devices to be added to a fabric. This prevents unauthorized devices from accessing the Fibre Channel switch. DHCHAP supports both switch-to-switch and host-to-switch authentication. It is a mandatory password-based, key-exchange authentication protocol. Before any authentication may be performed, DHCHAP negotiates hash algorithms and Diffie-Hellman (DH) groups. In addition, it supports Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1)-based authentication.

CHAP is the mandatory protocol for iSCSI, as chosen by the Internet Engineering Task Force (IETF). CHAP has been around for quite some time and is based on shared secrets. To strengthen CHAP, DHCHAP adds a DH exchange that both strengthens CHAP and provides an agreed-upon secret key. The goal of DHCHAP is to be a simple, easy-to-implement protocol.

QUESTION 53
Which statement best describes Cisco IOS Zone-Based Policy Firewall?
OR
Which statement about Cisco IOS Zone-Based Policy Firewall is true?

A. A router interface can belong to multiple zones.
B. The pass action works in only one direction.
C. Policy maps are used to classify traffic into different traffic classes, and class maps are used to assign action to the traffic classes.
D. A zone-pair is bidirectional because it specifies traffic flowing among the interfaces within the zone-pair in both directions.

Correct Answer: B
Section: IOS Security
Explanation

Explanation/Reference:
One of the principles of zone-based firewalls is that policies are unidirectional.

Reference: Chapter 10, page 369, Section "Examining the Principles Behind Zone-Based Firewalls"

QUESTION 54
Which VoIP component can permit or deny a call attempt on the basis of a network's available bandwidth?

A. MCU
B. Gatekeeper
C. Application server
D. Gateway

Correct Answer: B
Section: Other
Explanation

Explanation/Reference:
Gatekeepers can be thought of as the traffic cops of the WAN. For example, because bandwidth on a WAN is typically somewhat limited, a gatekeeper can monitor the available bandwidth. Then, when there is not enough bandwidth to support another voice call, the gatekeeper can deny further call attempts.

A) MCU: Multipoint Control Unit. MCUs are useful for conference calling. In a conference call, you might have multiple people talking at the same time, and everyone on that conference call can hear them. It takes processing power to mix together these audio streams, and MCUs provide that processing power. MCUs might contain digital signal processors (DSPs), which are dedicated pieces of computer circuitry that can mix together those audio streams.

D) A gateway, in Cisco networking terms, has nothing to do with bandwidth monitoring.

C) Application server: possible in principle, but not in this context.

QUESTION 55
Which statement is true about vishing?

A. Influencing users to forward a call to a toll number (for example, a long distance or international number)
B. Influencing users to provide personal information over the phone
C. Using an inside facilitator to intentionally forward a call to a toll number (for example, a long distance or international number)
D. Influencing users to provide personal information over a web page

Correct Answer: B
Section: Other
Explanation

Explanation/Reference:
A concept related to vishing is phishing, which is probably known by more people. The term phishing recently entered the technical vernacular. The basic concept of phishing is an attacker sending an e-mail to a user. The e-mail appears to be from a legitimate business. The user is asked to confirm her information by entering data on a web page, such as her social security number, bank or credit card account number, birth date, or mother's maiden name. The attacker can then take this user-provided data and use it for fraudulent purposes.

Similar to phishing, the term vishing refers to maliciously collecting such information over the phone. Because many users tend to trust the security of a telephone more than the security of the web, some users are more likely to provide confidential information over the telephone. User education is the most effective method to combat vishing attacks.

QUESTION 56
As a network engineer, you should know: an IPsec tunnel is negotiated within the protection of which type of tunnel?

A. GRE tunnel
B. L2TP tunnel
C. L2F tunnel
D. ISAKMP tunnel

Correct Answer: D
Section: VPNs
Explanation

Explanation/Reference:
During IKE Phase 1, a secure ISAKMP session is established, using either main mode or aggressive mode. During IKE Phase 1, the IPsec endpoints establish transform sets (that is, a collection of encryption and authentication protocols), hash methods, and other parameters needed to establish a secure ISAKMP session (sometimes called an ISAKMP tunnel or an IKE Phase 1 tunnel).

QUESTION 57
Which type of firewall is needed to open appropriate UDP ports required for RTP streams?

A. Proxy firewall
B. Packet filtering firewall
C. Stateful firewall
D. Stateless firewall

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 58
Which two statements are correct regarding a Cisco IP phone's web access feature? (Choose two.)

A. It is enabled by default.
B. It uses HTTPS.
C. It can provide IP address information about other servers in the network.
D. It requires login credentials, based on the UCM user database.

Correct Answer: AC
Section: Other
Explanation

Explanation/Reference:

QUESTION 59
Which option ensures that data is not modified in transit?

A. Authentication
B. Integrity
C. Authorization
D. Confidentiality

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:

QUESTION 60
What is a static packet-filtering firewall used for?

A. It analyzes network traffic at the network and transport protocol layers.
B. It validates the fact that a packet is either a connection request or a data packet belonging to a connection.
C. It keeps track of the actual communication process through the use of a state table.
D. It evaluates network packets for valid data at the application layer before allowing connections.

Correct Answer: A
Section: IOS Security
Explanation

Explanation/Reference:
There are four generations of firewall technologies: static packet-filtering firewalls, circuit-level firewalls, application layer firewalls, and dynamic packet-filtering firewalls. The table lists the four main types of firewall technologies:

QUESTION 61
Which information is stored in the stateful session flow table while using a stateful firewall?

A. all TCP and UDP header information only
B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session
C. the outbound and inbound access rules (ACL entries)
D. the inside private IP address and the translated inside global IP address

Correct Answer: B
Section: IOS Security
Explanation

Explanation/Reference:
The state table holds information from the headers, including source/destination IP addresses (layer 3) and port information (layer 4). It particularly takes note of SYNs, RSTs, ACKs, FINs, and other control codes.

Reference: Chapter 10, pages 335, 336. Section: "Stateful Packet Filtering and the State Table"

QUESTION 62
Which firewall best practice can help mitigate worm and other automated attacks?

A. Restrict access to firewalls
B. Segment security zones
C. Use logs and alerts
D. Set connection limits

Correct Answer: D
Section: IOS Security
Explanation

Explanation/Reference:

QUESTION 63
In Cisco IOS Zone-Based Policy Firewall, where is the inspection policy applied?

A. to the interface
B. to the zone-pair
C. to the global service policy
D. to the zone

Correct Answer: B
Section: IOS Security
Explanation

Explanation/Reference:
Reference: Chapter 10, page 373, section "Understanding Security Zones", and page 375, section "Working with Zone Pairs"

QUESTION 64
Which statements best describe the Turbo ACL feature? (Choose all that apply.)

A. The Turbo ACL feature processes ACLs into lookup tables for greater efficiency.
B. The Turbo ACL feature leads to increased latency, because the time it takes to match the packet is variable.
C. The Turbo ACL feature leads to reduced latency, because the time it takes to match the packet is fixed and consistent.
D. Turbo ACLs increase the CPU load by matching the packet to a predetermined list.

Correct Answer: AC
Section: IOS Security
Explanation

Explanation/Reference:
The Cisco 7200 series, Cisco 7500 series, and Cisco 12000 series routers support the Turbo ACL feature, which processes ACLs into lookup tables for greater efficiency. Turbo ACLs use the packet header to access these tables in a small, fixed number of lookups, independent of the existing number of ACL entries. The Turbo ACL feature has a number of benefits:

* For ACLs with more than three entries, the CPU load is lower when matching the packet against the predetermined list. The Turbo ACL feature fixes the CPU load regardless of the size of the ACL, allowing the use of larger ACLs without adding CPU overhead.
* The Turbo ACL feature leads to much reduced latency because the time it takes to match the packet is fixed. More importantly, the time taken to match is consistent, allowing for better network stability and more accurate transit times.

QUESTION 65
Which statement best describes configuring access control lists to control Telnet traffic destined to the router itself?

A. The ACL must be applied to each vty line individually.
B. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
C. The ACL is applied to the Telnet port with the ip access-group command.
D. The ACL applied to the vty lines has no in or out option like an ACL being applied to an interface.

Correct Answer: B
Section: IOS Security
Explanation

Explanation/Reference:
ACLs are applied in the in direction and, using the "line vty 0 4" command, can be applied to all vty lines simultaneously.

Reference: Chapter 10, page 360, section title: Configuring ACLs to Filter Router Service Traffic.

QUESTION 66
Which two actions can be configured to allow traffic to traverse an interface when zone-based security is being employed? (Choose two.)

A. Flow
B. Inspect
C. Pass
D. Allow

Correct Answer: BC
Section: IOS Security
Explanation

Explanation/Reference:

QUESTION 67
When configuring role-based CLI on a Cisco router, which action will be taken first?

A. Create a parser view called "root view."
B. Log in to the router as the root user.
C. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command.
D. Enable the root view on the router.

Correct Answer: D
Section: IOS Security
Explanation

Explanation/Reference:
Similar to making different commands available to different administrators using privilege levels, role-based command-line interface (CLI) views can be used to provide different sets of configuration information to different administrators. Following are the steps required to configure these views:

Step 1. Enable AAA to support views. Example of how to enable AAA on an IOS router:

Router# conf term
Router(config)# aaa new-model
Router(config)# end

Step 2. Enable the root view. The root view is represented by the set of commands available to an administrator logged in with a privilege level of 15. You might be required to provide the enable secret password to enable the root view. Example:

Router# enable view
Password: .........
Router#

Step 3. Create a view.

Step 4. Assign a secret to the view.

Step 5. Add available commands to the view, using the command syntax: commands parser_mode {include | include-exclusive | exclude} [all] [interface interface_identifier | command] command

Step 6. Verify the role-based CLI view configuration.

Therefore the actual first step, enabling AAA, is not among the options offered here, and the only remaining correct option is D: enable the root view.

QUESTION 68
Which key method is used to detect and prevent attacks by use of IDS and/or IPS technologies?

A. Signature-based detection
B. Anomaly-based detection
C. Honey pot detection
D. Policy-based detection

Correct Answer: A
Section: IOS Security
Explanation

Explanation/Reference:

QUESTION 69
Which statement is correct regarding the aaa configuration based on the exhibit provided?

A. The authentication method list used by the console port is named test.
B. The authentication method list used by the vty port is named test.
C. If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database.
D. If the TACACS+ AAA server is not available, no users will be able to establish a Telnet session with the router.

Correct Answer: B
Section: IOS Security
Explanation

Explanation/Reference:
You, as the network administrator, configured "line vty 0 4" to use "test" with the command "login authentication test". Everything else is a distraction.

Reference: Chapter 10, page 360, section "vty Filtering"

QUESTION 70
Which two types of interfaces are found on all network-based IPS sensors? (Choose two.)

A. Loopback interface
B. Monitoring interface
C. Command and control interface
D. Management interface

Correct Answer: BC
Section: IOS Security
Explanation

Explanation/Reference:

QUESTION 71
Which feature is a potential security weakness of a traditional stateful firewall?

A. It cannot ensure each TCP connection follows a legitimate TCP three-way handshake.
B. It cannot detect application-layer attacks.
C. It cannot support UDP flows.
D. The status of TCP sessions is retained in the state table after the sessions terminate.

Correct Answer: B
Section: IOS Security
Explanation

Explanation/Reference:
By definition, a stateful firewall constructs a state table which holds information from the headers, including source/destination IP addresses (layer 3) and port information (layer 4). It particularly takes note of SYNs, RSTs, ACKs, FINs, and other control codes (layer 5). It does not inspect anything at layer 7, where malicious URLs, buffer overflows, unauthorized access, etc., can still wreak havoc.

Reference: Chapter 10, page 329. Section: "Benefits of Using Application Layer Firewalls"
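A toy session table, added here as an illustration of the two points made above (the header fields a state table tracks, from Question 61, and its blindness to application-layer content, from this question). This is not Cisco IOS code; the zone names, packet fields and the sample HTTP flow are constructed for the example.

```python
"""Toy stateful firewall session table.
Added illustration of what a state table tracks (Question 61) and of why a
stateful firewall alone misses application-layer attacks (Question 71).
Not Cisco IOS code; zone names, flag spelling and sample packets are constructed."""
from dataclasses import dataclass

INSIDE, OUTSIDE = "inside", "outside"   # assumed names for the two security zones


@dataclass(frozen=True)
class Packet:
    zone: str                        # zone the packet arrives from
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP control bits, e.g. {"SYN", "ACK"}
    payload: bytes = b""             # layer-7 data: never examined below


class StatefulFirewall:
    """State table keyed by the layer-3/4 tuple of each session the inside opened."""

    def __init__(self) -> None:
        # (proto, inside_ip, inside_port, outside_ip, outside_port) -> state
        self.table: dict = {}

    def process(self, pkt: Packet) -> str:
        """Return 'permit' or 'deny' for one packet and update the table."""
        if pkt.zone == INSIDE:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.table:
                return self._track(key, pkt.flags)
            # a new outbound TCP session must start with a bare SYN
            if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
                return "deny"
            self.table[key] = "SYN_SENT" if pkt.proto == "tcp" else "UDP_ACTIVE"
            return "permit"
        # inbound traffic is permitted only as the return half of a known session
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return "deny"
        return self._track(key, pkt.flags)

    def _track(self, key, flags: frozenset) -> str:
        """Advance the TCP state on the control bits seen; payload is ignored."""
        if key[0] == "tcp":
            if "RST" in flags or "FIN" in flags:
                del self.table[key]          # teardown removes the entry
            elif {"SYN", "ACK"} <= flags:
                self.table[key] = "ESTABLISHED"
        return "permit"

    def sessions(self) -> dict:
        return dict(self.table)


def demo() -> list:
    """Replay a constructed HTTP session and return the per-packet verdicts."""
    fw = StatefulFirewall()
    client, server = ("10.0.0.5", 40000), ("203.0.113.7", 80)
    steps = [
        # 1. unsolicited inbound SYN: no table entry, denied
        Packet(OUTSIDE, "tcp", *server, *client, frozenset({"SYN"})),
        # 2. inside host opens the session
        Packet(INSIDE, "tcp", *client, *server, frozenset({"SYN"})),
        # 3. SYN-ACK comes back: matches the entry, state becomes ESTABLISHED
        Packet(OUTSIDE, "tcp", *server, *client, frozenset({"SYN", "ACK"})),
        # 4. data from the server: permitted without looking at the payload
        Packet(OUTSIDE, "tcp", *server, *client, frozenset({"ACK", "PSH"}),
               b"any application-layer content passes unexamined"),
        # 5. RST tears the session down and removes the entry
        Packet(OUTSIDE, "tcp", *server, *client, frozenset({"RST"})),
        # 6. more data after teardown: no entry, denied
        Packet(OUTSIDE, "tcp", *server, *client, frozenset({"ACK"})),
    ]
    return [fw.process(p) for p in steps]


if __name__ == "__main__":
    print(demo())   # ['deny', 'permit', 'permit', 'permit', 'permit', 'deny']
```

Step 4 is the point of Question 71: once the entry exists, the payload field is never read, so anything an application-layer firewall would catch goes straight through.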

QUESTION 72
With which three tasks does the IPS Policies Wizard help you? (Choose three.)

A. Selecting the interface to which the IPS rule will be applied
B. Selecting the direction of traffic that will be inspected
C. Selecting the inspection policy that will be applied to the interface
D. Selecting the Signature Definition File (SDF) that the router will use

Correct Answer: ABD
Section: SDM
Explanation

Explanation/Reference:
The detailed answer is as follows:

The initial screen explains that the IPS Policies Wizard helps you with the following tasks:

* Selecting the interface to which the IPS rule will be applied
* Selecting the direction of traffic that will be inspected
* Selecting the SDF file to be used by the router

After you click Next, the IPS Wizard prompts you to select the interface(s) to which the IPS rule should be applied, in addition to the direction of traffic (that is, inbound or outbound).

The screenshot for the IPS Policies Wizard is in the attached picture.

QUESTION 73
What is the objective of Diffie-Hellman?

A. used for asymmetric public key encryption
B. used between the initiator and the responder to establish a basic security policy
C. used to verify the identity of the peer
D. used to establish a symmetric shared key via a public key exchange process

Correct Answer: D
Section: Cryptography
Explanation

Explanation/Reference:

QUESTION 74
When editing global IPS settings, which option determines whether the IOS-based IPS feature will drop or permit traffic for a particular IPS signature engine while a new signature for that engine is being compiled?

A. Enable Engine Fail Closed
B. Enable Fail Opened
C. Enable Signature Default
D. Enable Default IOS Signature

Correct Answer: A
Section: IOS Security
Explanation

Explanation/Reference:
Enable Engine Fail Closed: this option determines whether the IOS-based IPS feature will drop or permit traffic for a particular IPS signature engine while a new signature for that engine is being compiled. If this option is enabled, traffic is dropped if IPS services are unavailable. If this option were disabled (which would be known as a fail open configuration), traffic would be passed when IPS services are unavailable.

QUESTION 75
Which description about asymmetric encryption algorithms is correct?

A. They use different keys for decryption but the same key for encryption of data.
B. They use the same key for encryption and decryption of data.
C. They use different keys for encryption and decryption of data.
D. They use the same key for decryption but different keys for encryption of data.

Correct Answer: C
Section: Cryptography
Explanation

Explanation/Reference:

QUESTION 76
Regarding constructing a good encryption algorithm, what does creating an avalanche effect indicate?

A. Changing only a few bits of a plain-text message causes the ciphertext to be completely different.
B. Changing only a few bits of a ciphertext message causes the plain text to be completely different.
C. Altering the key length causes the plain text to be completely different.
D. Altering the key length causes the ciphertext to be completely different.

Correct Answer: A
Section: Cryptography
Explanation

Explanation/Reference:
One desirable property of a hash function is the mixing property: a small change in the input (1 bit) should cause a large change in the output (about half of the bits). This significant change in the outcome is called the avalanche effect.

Example:

The SHA-1 function for the first text:
SHA1("The quick brown fox jumps over the lazy dog") = 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12
When "dog" is changed to "cog":
SHA1("The quick brown fox jumps over the lazy cog") = de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3
The two results are totally different after a small change, which is just one letter, "d" to "c".

Reference: CCNA Security - Cisco Press; page 487.
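The avalanche effect made measurable, as an added example that is not part of the original page: it recomputes the two SHA-1 digests quoted above with Python's standard hashlib and counts how many of the 160 digest bits flip when the single letter changes. The message strings and digests are the ones on the page; the bit-counting helpers are the example's own.

```python
"""SHA-1 avalanche effect, reproduced from the two inputs quoted in the answer.
Added example, not code from the original page."""
import hashlib

# The two messages quoted on the page; they differ in a single letter ("dog" / "cog").
MSG_A = b"The quick brown fox jumps over the lazy dog"
MSG_B = b"The quick brown fox jumps over the lazy cog"


def sha1_hex(msg: bytes) -> str:
    """Hex digest of SHA-1 (160 bits)."""
    return hashlib.sha1(msg).hexdigest()


def changed_input_bits(a: bytes, b: bytes) -> int:
    """Number of bits that differ between two equal-length inputs."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length for a bitwise comparison")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def changed_digest_bits(a: bytes, b: bytes) -> int:
    """Number of digest bits that differ: for a good hash, roughly half of 160."""
    xor = int(sha1_hex(a), 16) ^ int(sha1_hex(b), 16)
    return bin(xor).count("1")


def avalanche_report(a: bytes = MSG_A, b: bytes = MSG_B) -> dict:
    """Summarise how a tiny input change spreads through the whole digest."""
    return {
        "digest_a": sha1_hex(a),
        "digest_b": sha1_hex(b),
        "input_bits_changed": changed_input_bits(a, b),
        "digest_bits_changed": changed_digest_bits(a, b),
        "digest_bits_total": 160,
    }


if __name__ == "__main__":
    for key, value in avalanche_report().items():
        print(f"{key}: {value}")
```

Only three input bits change ('d' is 0x64, 'c' is 0x63), yet a large fraction of the digest bits flip, which is exactly the property the answer describes.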

QUESTION 77
Which one of the aaa accounting commands can be used to enable logging of both the start and stop records for user terminal sessions on the router?

A. aaa accounting connection start-stop tacacs+
B. aaa accounting network start-stop tacacs+
C. aaa accounting exec start-stop tacacs+
D. aaa accounting system start-stop tacacs+

Correct Answer: C
Section: IOS Security
Explanation

Explanation/Reference:
The question specifies accounting for 'user' terminal sessions on the router. That means that of the options available, only exec fits. The rest do not handle user records.

Reference: Chapter 4, pages 125, 126, Table 4-6

QUESTION 78
Stream ciphers run on which of the following?

A. Individual blocks, one at a time, with the transformations varying during the encryption
B. Individual digits, one at a time, with the transformations varying during the encryption
C. Fixed-length groups of digits called blocks
D. Fixed-length groups of bits called blocks

Correct Answer: B
Section: Cryptography
Explanation

Explanation/Reference:

QUESTION 79
Which description is correct based on the exhibit and partial configuration?

A. All traffic from network 10.0.0.0 will be permitted.
B. This ACL will prevent any host on the Internet from spoofing the inside network address as the source address for packets coming into the router from the Internet.
C. Access-list 101 will prevent address spoofing from interface E0.
D. All traffic destined for network 172.16.150.0 will be denied due to the implicit deny all.

Correct Answer: C
Section: IOS Security
Explanation

Explanation/Reference:
Since only traffic with a source address of 10.20.20.x is allowed through interface E0, an internal malicious user who plans to spoof an external, public IP cannot. This ACL insists that outbound packets must have a valid internal IP as their source address.

Reference: Chapter 10, pages 357, 358, Section: "Preventing IP Spoofing with ACLs"

QUESTION 80
Which description is true about ECB mode?

A. ECB mode uses the same 64-bit key to serially encrypt each 56-bit plain-text block.
B. In ECB mode, each 56-bit plain-text block is exclusive ORed (XORed) bitwise with the previous ciphertext block.
C. ECB mode uses the same 56-bit key to serially encrypt each 64-bit plain-text block.
D. In ECB mode, each 64-bit plain-text block is exclusive ORed (XORed) bitwise with the previous ciphertext block.

Correct Answer: C
Section: Cryptography
Explanation

Explanation/Reference:

QUESTION 81
Which of the following can be used to authenticate the IPsec peers during IKE Phase 1?

A. XAUTH
B. pre-shared key
C. integrity check value
D. Diffie-Hellman Nonce

Correct Answer: B
Section: VPNs
Explanation

Explanation/Reference:
Authentication options include usernames/passwords, biometrics, preshared keys, and digital certificates.

Reference: Chapter 15, page 529, section "Overview of IPsec"

QUESTION 82
In a brute-force attack, what percentage of the keyspace must an attacker generally search through until he or she finds the key that decrypts the data?

A. Roughly 66 percent
B. Roughly 10 percent
C. Roughly 75 percent
D. Roughly 50 percent

Correct Answer: D
Section: Security
Explanation

Explanation/Reference:
All encryption algorithms are vulnerable to a brute-force attack. In this attack, an attacker tries every possible key with the decryption algorithm. Generally, a brute-force attack will succeed about 50 percent of the way through the keyspace. To defend against this form of attack, modern cryptographers have to create a sufficiently large keyspace so that attacking it in this way requires too much time and money to be practical.

Reference: CCNA Security Official Exam Certification Guide by Michael Watkins and Kevin Wallace (CCIE No. 7945), page 439

QUESTION 83
What will be disabled as a result of the no service password-recovery command?

A. password encryption service
B. ROMMON
C. changes to the config-register setting
D. the xmodem privileged EXEC mode command to recover the Cisco IOS image

Correct Answer: B
Section: IOS Security
Explanation

Explanation/Reference:
Password recovery is performed from ROMMON: you interrupt the boot sequence with the break key, change the configuration register so the startup configuration is bypassed, and then reset the password. An attacker with physical access could reboot the router and do exactly the same, so no service password-recovery disables break-key entry into ROMMON during boot. Caveat: once it is set, a lost password can only be dealt with by resetting the router to factory defaults, which erases the configuration, so keep a secure offline copy before enabling it.

Reference: Chapter 3, page 91.

QUESTION 84
Which example is of a function intended for cryptographic hashing?

A. SHA-135
B. MD65
C. XR12
D. MD5

Correct Answer: D
Section: Cryptography
Explanation

Explanation/Reference:

QUESTION 85
Which one of the following items may be added to a password stored in MD5 to make it more secure?

A. Rainbow table
B. Cryptotext
C. Ciphertext
D. Salt

Correct Answer: D
Section: Cryptography
Explanation

Explanation/Reference:
A salt is a random value hashed together with the password and stored beside the digest. Two users with the same password then get different digests, and a precomputed (rainbow) table built for unsalted hashes no longer applies. Cisco IOS enable secret (type 5) stores a salted MD5 hash for this reason.

QUESTION 86
What is the MD5 algorithm used for?

A. takes a variable-length message and produces a 168-bit message digest
B. takes a fixed-length message and produces a 128-bit message digest
C. takes a variable-length message and produces a 128-bit message digest
D. takes a message less than 2^64 bits as input and produces a 160-bit message digest

Correct Answer: C
Section: Cryptography
Explanation

Explanation/Reference:
MD5 takes input of arbitrary length and produces a 128-bit (16-byte) digest. Option D describes SHA-1, which produces a 160-bit digest from input shorter than 2^64 bits.
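The salting and fixed-length-digest points of questions 85 and 86, as an added Python example (not part of the original dump): it hashes two users' identical passwords with and without a per-user salt, looks the digests up in a constructed precomputed table, and shows the digest length is 128 bits whatever the input size. The "md5$salt$digest" storage format and the wordlist are assumptions of this example, not a Cisco or standard format.

```python
import hashlib
import os
import secrets
from typing import Optional


def md5_digest_hex(data: bytes) -> str:
    """MD5 maps input of any length to a 128-bit (32 hex character) digest."""
    return hashlib.md5(data).hexdigest()


def digest_bits(hex_digest: str) -> int:
    return len(hex_digest) * 4


def unsalted_hash(password: str) -> str:
    # Deterministic: every user with this password gets the same digest.
    return md5_digest_hex(password.encode())


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    # Storage format "md5$<salt hex>$<digest>" is an assumption for this example.
    if salt is None:
        salt = os.urandom(16)
    digest = md5_digest_hex(salt + password.encode())
    return f"md5${salt.hex()}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    _, salt_hex, digest = stored.split("$")
    candidate = md5_digest_hex(bytes.fromhex(salt_hex) + password.encode())
    return secrets.compare_digest(candidate, digest)  # constant-time comparison


# Constructed stand-in for a precomputed (rainbow) table: unsalted digest -> password.
WORDLIST = ["cisco", "password", "letmein", "admin123"]
PRECOMPUTED = {unsalted_hash(w): w for w in WORDLIST}


def table_lookup(digest: str) -> Optional[str]:
    return PRECOMPUTED.get(digest)


def demo() -> dict:
    alice = unsalted_hash("cisco")
    bob = unsalted_hash("cisco")
    s_alice = salted_hash("cisco")
    s_bob = salted_hash("cisco")
    return {
        "unsalted_equal": alice == bob,            # True: identical digests expose shared passwords
        "unsalted_cracked": table_lookup(alice),   # "cisco": the table lookup works
        "salted_equal": s_alice == s_bob,          # False: different salt per user
        "salted_cracked": table_lookup(s_alice.split("$")[2]),  # None: table built without the salt
        "verify_ok": verify_salted("cisco", s_alice),
        "verify_bad": verify_salted("Cisco", s_alice),
        "digest_bits": digest_bits(md5_digest_hex(b"x" * 100_000)),  # 128, regardless of input size
    }
```

The salt defeats precomputation, but a single MD5 round is still far too fast against a targeted guessing attack; for new designs use a deliberately slow, salted scheme (PBKDF2, bcrypt or scrypt), which is also why newer IOS releases offer type 8 and type 9 secrets in place of type 5.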

QUESTION 87
Which algorithm was the first to be found suitable for both digital signing and encryption?

A. SHA-1
B. MD5
C. HMAC
D. RSA

Correct Answer: D
Section: Cryptography
Explanation

Explanation/Reference:
RSA (1977) was the first public-key algorithm usable both for encryption and for digital signatures. SHA-1 and MD5 are hash functions and HMAC is a keyed hash; none of them encrypts or signs.

QUESTION 88
Examine the following options. Which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10?

A. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
C. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
D. access-list 101 permit tcp any eq 3030

Correct Answer: B
Section: IOS Security
Explanation

Explanation/Reference:
The packet is TCP from 10.1.129.100, source port 3030, to 192.168.1.10, port 80 (www). Only B matches: 10.1.128.0 with wildcard 0.0.1.255 covers 10.1.128.0 through 10.1.129.255, the source port is 3030, and 192.168.1.0 with wildcard 0.0.0.15 covers 192.168.1.0 through 192.168.1.15 on port 80. A requires a source port of 80, C has source and destination reversed (it would match the return traffic), and D has no destination at all.

QUESTION 89
Observe the following options carefully. Which two attacks focus on RSA? (Choose all that apply.)

A. DDoS attack
B. BPA attack
C. Adaptive chosen ciphertext attack
D. Man-in-the-middle attack

Correct Answer: BC
Section: Cryptography
Explanation

Explanation/Reference:
Three well-known classes of attack on RSA implementations:

1. Branch prediction analysis (BPA) attack: A number of processors use a branch predictor to determine whether a conditional branch in a program's instruction flow is likely to be taken. Generally speaking, these processors also implement simultaneous multithreading (SMT). A branch prediction analysis attack uses a spy process running alongside the victim to statistically recover the private key while the processor is using it.

2. Adaptive chosen ciphertext attack: The first practical adaptive chosen ciphertext attack against an RSA-encrypted message was described in 1998. It exploited flaws in the PKCS #1 v1.5 padding scheme used together with RSA, was aimed at RSA in the Secure Socket Layer protocol, and was used to recover session keys. Because of its success, RSA is now recommended to be used with more robust padding such as Optimal Asymmetric Encryption Padding (OAEP), and RSA Laboratories has released updated versions of PKCS #1 that are not vulnerable to this form of attack.

3. Timing attacks: In 1995 an attack against RSA was described wherein, if the attacker knew a user's hardware in enough detail and could measure the decryption times for several known ciphertexts, he could deduce the decryption key quickly. The same attack can also be applied against the RSA signature scheme. One defence is to make every decryption take a constant amount of time; although this works, the performance cost may not be worth it. Most RSA implementations instead use an approach known as blinding, which relies on the multiplicative property of RSA: the ciphertext is multiplied by r^e for a random r before the private-key operation, and the result is multiplied by r^-1 afterwards. The decryption time is then no longer correlated with the attacker's chosen ciphertext, so the timing attack fails.

Reference: page 486, CCNA Security.
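Questions 87 and 89 in working form, as an added Python example that is not from the original dump: textbook RSA with the same key pair used for encryption and for hash-then-sign signatures, plus the blinding countermeasure described above, with the arithmetic shown to cancel out. The primes (the classic 61 and 53, and two Mersenne primes) and the plain hash-mod-n signing are toy choices for illustration; real RSA uses 2048-bit or larger random primes and a padding scheme (OAEP for encryption, PKCS #1 v1.5 or PSS for signatures).

```python
import hashlib
import secrets
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes (toy-sized here; never use special-form primes in practice)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)
    return (n, e), (n, d)          # (public, private)


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def _hash_to_int(msg: bytes, n: int) -> int:
    # Hash-then-sign. Reducing mod n is only tolerable because this is a toy;
    # real schemes encode the digest with PKCS #1 v1.5 or PSS padding instead.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_hash_to_int(msg, n), d, n)


def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _hash_to_int(msg, n)


def rsa_decrypt_blinded(priv, pub, c: int) -> int:
    """Blinding: the private-key operation runs on r^e * c, never on the attacker's chosen c."""
    n, d = priv
    _, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)          # equals m * r (mod n) by the multiplicative property
    return (m_blind * pow(r, -1, n)) % n  # strip the blinding factor


def demo() -> dict:
    small_pub, small_priv = rsa_keygen(61, 53, e=17)          # n = 3233, the classic worked example
    pub, priv = rsa_keygen(2**61 - 1, 2**89 - 1)              # ~150-bit toy modulus (Mersenne primes)
    c = rsa_encrypt(pub, 65)
    sig = rsa_sign(priv, b"crypto map MYMAP")
    return {
        "small_ciphertext": rsa_encrypt(small_pub, 65),        # 2790
        "small_roundtrip": rsa_decrypt(small_priv, 2790),      # 65
        "roundtrip": rsa_decrypt(priv, c),
        "blinded_roundtrip": rsa_decrypt_blinded(priv, pub, c),
        "sig_ok": rsa_verify(pub, b"crypto map MYMAP", sig),
        "sig_tampered": rsa_verify(pub, b"crypto map MYMAP", (sig + 1) % pub[0]),
        "msg_tampered": rsa_verify(pub, b"crypto map OTHER", sig),
    }
```

Blinding works because RSA is multiplicative: (c * r^e)^d = m * r^(ed) = m * r (mod n). The attacker who chose c gains no timing information about d, because the exponentiation actually ran on a value they do not know.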

QUESTION 90
A standard access control list has been configured on a router and applied to interface Serial 0 in an outbound direction. No ACL is applied to interface Serial 1 on the same router. What will happen when traffic being filtered by the access list does not match the configured ACL statements for Serial 0?

A. The source IP address is checked, and, if a match is not found, traffic is routed out interface Serial 1.
B. The resulting action is determined by the destination IP address.
C. The resulting action is determined by the destination IP address and port number.
D. The traffic is dropped.

Correct Answer: D
Section: IOS Security
Explanation

Explanation/Reference:
Tricky one, this one. Just remember that the ACL identifies any traffic that is either permitted or denied. If nothing matches, the implicit deny included at the end of every ACL kicks in and the traffic is dropped.

Reference: Chapter 10, page 353, Table 10-12, section "Considerations When Creating ACLs".

QUESTION 91
Before a Diffie-Hellman exchange may begin, the two parties involved must agree on what?

A. Two nonsecret keys
B. Two secret numbers
C. Two secret keys
D. Two nonsecret numbers

Correct Answer: D
Section: Cryptography
Explanation

Explanation/Reference:
The two public values are the prime modulus p and the generator g (in IKE, fixed by the DH group number). Each side then picks a private random exponent, and the shared secret is computed from the other side's public value; the secret never crosses the wire.

QUESTION 92
Which three are distinctions between asymmetric and symmetric algorithms? (Choose all that apply.)

A. Asymmetric algorithms are based on more complex mathematical computations.
B. Only symmetric algorithms have a key exchange technology built in.
C. Only asymmetric algorithms have a key exchange technology built in.
D. Asymmetric algorithms are used quite often as key exchange protocols for symmetric algorithms.

Correct Answer: ACD
Section: Cryptography
Explanation

Explanation/Reference:
Asymmetric algorithms rest on hard number-theoretic problems (integer factorisation, discrete logarithms), are far slower than symmetric ciphers, and so are typically used to exchange or protect a symmetric session key rather than to encrypt bulk data. A symmetric cipher on its own gives you no way to agree on the key.
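The exchange of questions 91 and 92 carried out end to end, as an added Python example (not from the original dump): both sides compute the same shared secret from public p and g and their private exponents, the secret is hashed into a symmetric key, and an active man-in-the-middle who swaps the public values ends up with one key per side, which is why IKE Phase 1 authenticates the peers. The prime 2^255 - 19 is used only as a convenient well-known large prime for this example; it is not an IKE DH group, and g = 2 has not been checked to generate a large prime-order subgroup, so use the RFC 3526 or RFC 7919 groups in practice.

```python
import hashlib
import secrets

# The two non-secret numbers: prime modulus p and generator g (constructed choices, see lead-in).
P = 2**255 - 19
G = 2


def dh_keypair(p: int = P, g: int = G):
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(p - 3) + 2        # private exponent in [2, p-2]
    return x, pow(g, x, p)


def dh_shared(peer_public: int, private: int, p: int = P) -> int:
    # Reject degenerate public values (0, 1, p-1) that force a predictable shared secret.
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def derive_key(shared: int, length: int = 16) -> bytes:
    # Turn the shared secret into a symmetric key, as IKE's PRF does (hash, not the raw number).
    nbytes = (shared.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(nbytes, "big")).digest()[:length]


def exchange():
    """Honest exchange: returns the key each side derives; they must be equal."""
    a, A = dh_keypair()        # initiator keeps a, sends A
    b, B = dh_keypair()        # responder keeps b, sends B
    return derive_key(dh_shared(B, a)), derive_key(dh_shared(A, b))


def man_in_the_middle() -> bool:
    """Unauthenticated DH: an attacker who replaces both public values with his own M
    shares one key with the initiator and a different key with the responder."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    m, M = dh_keypair()
    k_init = derive_key(dh_shared(M, a))       # initiator believes M came from the responder
    k_resp = derive_key(dh_shared(M, b))       # responder believes M came from the initiator
    k_mal_init = derive_key(dh_shared(A, m))
    k_mal_resp = derive_key(dh_shared(B, m))
    return k_init == k_mal_init and k_resp == k_mal_resp and k_init != k_resp
```

The attacker succeeds without breaking any mathematics; nothing in the exchange ties a public value to an identity. Pre-shared keys or certificates in IKE Phase 1 close that gap by authenticating the values exchanged.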

QUESTION 93
Of the following, which one is the strongest symmetric encryption algorithm?

A. 3DES
B. DES
C. AES
D. Diffie-Hellman

Correct Answer: C
Section: Cryptography
Explanation

Explanation/Reference:
Diffie-Hellman is a key agreement protocol, not a symmetric cipher. DES's 56-bit key is brute-forceable and 3DES is stronger but slow; AES with 128-, 192- or 256-bit keys is the strongest and fastest of the three.

QUESTION 94
Which statement is true about a certificate authority (CA)?

A. A trusted third party responsible for signing the private keys of entities in a PKI-based system
B. A trusted third party responsible for signing the public keys of entities in a PKI-based system
C. An entity responsible for registering the private key encryption used in a PKI
D. An agency responsible for granting and revoking public-private key pairs

Correct Answer: B
Section: Cryptography
Explanation

Explanation/Reference:
The CA signs a certificate that binds an entity's public key to its identity. Private keys are generated and kept by their owners and never leave them; the CA issues and revokes certificates, not key pairs.

QUESTION 95
Which location is recommended for extended or extended named ACLs?

A. a location as close to the destination traffic as possible
B. an intermediate location to filter as much traffic as possible
C. when using the established keyword, a location close to the destination point to ensure that return traffic is allowed
D. a location as close to the source traffic as possible

Correct Answer: D
Section: IOS Security
Explanation

Explanation/Reference:
Extended ACLs match on source, destination, protocol and port, so they can be placed close to the source and drop unwanted traffic before it consumes bandwidth across the network. Standard ACLs match only on the source address and are therefore placed close to the destination, so they do not block traffic to destinations that should remain reachable.

QUESTION 96
Which Public Key Cryptography Standard (PKCS) defines the syntax for encrypted messages and messages with digital signatures?

A. PKCS #12
B. PKCS #10
C. PKCS #8
D. PKCS #7

Correct Answer: D
Section: Cryptography
Explanation

Explanation/Reference:
PKCS #7 is the Cryptographic Message Syntax. PKCS #8 defines the private-key information syntax, PKCS #10 the certificate request syntax, and PKCS #12 the personal information exchange format used to bundle a private key with its certificate.

QUESTION 97
Which of the following items acts as a VPN termination device and is located at a primary network location?

A. Headend VPN device
B. Tunnel
C. Broadband service
D. VPN access device

Correct Answer: A
Section: VPNs
Explanation

Explanation/Reference:

QUESTION 98
Refer to the exhibit. You suspect an attacker in your network has configured a rogue layer 2 device to intercept traffic from multiple VLANs, thereby allowing the attacker to capture potentially sensitive data. Which two methods will help to mitigate this type of activity? (Choose two.)

A. Turn off all trunk ports and manually configure each VLAN as required on each port
B. Disable DTP on ports that require trunking
C. Secure the native VLAN, VLAN 1, with encryption
D. Set the native VLAN on the trunk ports to an unused VLAN
E. Place unused active ports in an unused VLAN

Correct Answer: BD
Section: IOS Security
Explanation

Explanation/Reference:
A rogue switch can negotiate a trunk with DTP and then see every VLAN carried on it. Disabling DTP (static trunk configuration with switchport nonegotiate, or access mode on user ports) removes the negotiation, and moving the native VLAN to an unused VLAN defeats double-tagging VLAN hopping. Option E is good practice for unused ports but does not address the trunking attack.

QUESTION 99
When configuring AAA login authentication on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)

A. krb5
B. local
C. enable
D. group RADIUS
E. group TACACS+

Correct Answer: BC
Section: IOS Security
Explanation

Explanation/Reference:
If you configure "aaa authentication login default group tacacs+" and do not include either "enable" or "local", you are fine only as long as the AAA server never dies or goes offline: there is no backup authentication method. By adding "local" or "enable" at the end of the method list, for example "aaa authentication login default group tacacs+ local", you instruct the router to try the AAA server first and, if it does not respond, to accept a local username/password or the enable password (or secret). Note that the router moves to the next method only when the server is unreachable, not when the server rejects the credentials.

Reference: Chapter 4, pages 119-120, sections "Defining a Method List" and "Setting AAA Authentication for Login".

QUESTION 100
Which two protocols enable Cisco SDM to pull IPS alerts from a Cisco ISR router? (Choose two.)

A. FTP
B. HTTPS
C. TFTP
D. SSH
E. Syslog
F. SDEE

Correct Answer: BF
Section: SDM
Explanation

Explanation/Reference:
SDEE (Security Device Event Exchange) is the protocol used to transport IPS events from the router to SDM; it runs over HTTPS as its transport.

QUESTION 101
When configuring the Cisco IOS Zone-Based Policy Firewall, what are the three actions that can be applied to a traffic class? (Choose three.)

A. Pass
B. Police
C. Inspect
D. Drop
E. Queue
F. Shape

Correct Answer: ACD
Section: IOS Security
Explanation

Explanation/Reference:
Pass forwards matching traffic without state, inspect performs stateful inspection and opens the return path, and drop discards it (optionally with log). Police, queue and shape are QoS actions, not firewall actions.

Reference: Chapter 10, page 371, section "Zone Membership Rules".

QUESTION 102
Which three statements about applying access control lists to a Cisco router are true? (Choose three.)

A. Place more specific ACL entries at the top of the ACL.
B. ACLs always search for the most specific entry before taking any filtering action.
C. Router-generated packets cannot be filtered by ACLs on the router.
D. Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce "noise" on the network.
E. If an access list is applied but is not configured, all traffic will pass.

Correct Answer: ACE
Section: IOS Security
Explanation

Explanation/Reference:
Yes, there is an implicit deny at the end of every ACL. If, though, you use the "ip access-group 101 in" command but have not yet created ACL 101, there is no access list, therefore there is no implicit deny, and all traffic flows.

You could apply an ACL that denies all traffic outbound on an interface and still be able to ping from that router to a neighbour: router-generated traffic is not checked against outbound filters.

Since ACLs are read top down and the first match wins, put your most specific entries high in the list so they take effect before a more generic entry lower down matches the same traffic with undesirable consequences.

Reference: Chapter 10, pages 348-349, sections "The Basics of ACLs" and "Cisco ACL Configuration".
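The ACL behaviour of questions 88, 90 and 102 run against a real packet, as an added Python example that is not part of the original dump: a small evaluator for the numbered extended ACL syntax used on this page, with Cisco wildcard-mask matching, top-down first-match semantics and the implicit deny. It checks the four options of question 88 against the 10.1.129.100:3030 to 192.168.1.10:80 packet (option D fails to parse because it has no destination, as a router would reject it) and shows why a generic entry placed above a specific one masks it. The Ace class, the packet dictionary and the port-name table are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp", "icmp"
    src: str                 # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (address + wildcard)
    src_port: Optional[int]  # set only when an "eq" operator follows the address
    dst: str
    dst_port: Optional[int]


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    if not tokens:
        raise ValueError("source and destination are both required")
    if tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) < 2:
        raise ValueError(f"incomplete address: {tokens}")
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def _take_port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    if len(tokens) >= 2 and tokens[0] == "eq":
        return int(PORT_NAMES.get(tokens[1], tokens[1])), tokens[2:]
    return None, tokens


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny proto src [eq port] dst [eq port]'."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = _take_addr(rest)
    src_port, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dst_port, rest = _take_port(rest)
    return Ace(action, proto, src, src_port, dst, dst_port)


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return parts[1] == addr
    network, wildcard = parts
    a = int(ipaddress.IPv4Address(addr))
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    # Wildcard semantics: a 0 bit must match, a 1 bit is "don't care".
    return ((a ^ net) & (~wc & 0xFFFFFFFF)) == 0


def ace_matches(ace: Ace, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not addr_matches(ace.src, pkt["src"]) or not addr_matches(ace.dst, pkt["dst"]):
        return False
    if ace.src_port is not None and ace.src_port != pkt.get("sport"):
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.get("dport"):
        return False
    return True


def evaluate(acl: List[Ace], pkt: dict) -> str:
    """Top down, first match wins; no match at all hits the implicit deny (question 90)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny (implicit)"


# Constructed packet from question 88: TCP 10.1.129.100:3030 -> 192.168.1.10:80
PACKET = {"proto": "tcp", "src": "10.1.129.100", "sport": 3030, "dst": "192.168.1.10", "dport": 80}

OPTIONS = {
    "A": "access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www",
    "B": "access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www",
    "C": "access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030",
    "D": "access-list 101 permit tcp any eq 3030",
}


def check_options(pkt: dict = PACKET) -> dict:
    results = {}
    for letter, line in OPTIONS.items():
        try:
            results[letter] = evaluate([parse_ace(line)], pkt)
        except ValueError as exc:
            results[letter] = f"invalid: {exc}"
    return results


def ordering_demo() -> Tuple[str, str]:
    """Question 102 A/D: generic entry first masks the specific deny; specific first works."""
    generic = parse_ace("access-list 102 permit ip 10.1.0.0 0.0.255.255 any")
    specific = parse_ace("access-list 102 deny ip host 10.1.129.100 any")
    return evaluate([generic, specific], PACKET), evaluate([specific, generic], PACKET)
```

The evaluator covers only the subset of syntax on this page (no range, gt, established or named ACLs), which is enough to show the two rules the questions test: ordering and the implicit deny.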

QUESTION 103
Which two functions are required for IPsec operation? (Choose two.)

A. using AH protocols for encryption and authentication
B. using SHA for encryption
C. using Diffie-Hellman to establish a shared-secret key
D. using PKI for pre-shared-key authentication
E. using IKE to negotiate the SA

Correct Answer: CE
Section: VPNs
Explanation

Explanation/Reference:
The question asks what is required, not what is optional. From the choices it is easier to eliminate what is optional or just plain wrong: A (AH provides authentication and integrity but no encryption), B (SHA is a hash function and does not encrypt) and D (PKI is an alternative to pre-shared keys, not part of them).

Reference: Chapter 15, page 530, Table 15-3. Under Main Mode, note exchange 2: Diffie-Hellman securely establishes a shared secret key over the unsecured medium. So C is good.

Reference: page 531. IKE does negotiate the SAs: Phase 1 negotiates the ISAKMP SA that protects Phase 2, and Phase 2 (quick mode) negotiates the IPsec SAs themselves, within the protection of the Phase 1 tunnel. So E is good.

QUESTION 104
What is the goal of the overall security challenge when planning a security strategy?

A. to harden all exterior-facing network components
B. to install firewalls at all critical points in the network
C. to find a balance between the need to open networks to support evolving business requirements and the need to protect information
D. to educate employees to be on the lookout for suspicious behaviour

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 105
Which threats are the most serious?

A. inside threats
B. outside threats
C. unknown threats
D. reconnaissance threats

Correct Answer: A
Section: Security
Explanation

Explanation/Reference:

QUESTION 106
Network security aims to provide which three key services? (Choose three.)

A. data integrity
B. data strategy
C. data and system availability
D. data mining
E. data storage
F. data confidentiality

Correct Answer: ACF
Section: Security
Explanation

Explanation/Reference:

QUESTION 107
Which option is the term for a weakness in a system or its design that can be exploited by a threat?

A. a vulnerability
B. a risk
C. an exploit
D. an attack
E. a joke

Correct Answer: A
Section: Security
Explanation

Explanation/Reference:

QUESTION 108
Which option is the term for the likelihood that a particular threat using a specific attack will exploit a particular vulnerability of a system that results in an undesirable consequence?

A. a vulnerability
B. a risk
C. an exploit
D. an attack
E. a joke

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:

QUESTION 109
Which option is the term for what happens when computer code is developed to take advantage of a vulnerability? For example, suppose that a vulnerability exists in a piece of software, but nobody knows about this vulnerability.

A. a vulnerability
B. a risk
C. an exploit
D. an attack
E. a joke

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 110
What is the first step you should take when considering securing your network?

A. install a firewall
B. install an intrusion prevention system
C. update servers and user PCs with the latest patches
D. develop a security policy
E. go drink beer and don't worry about it

Correct Answer: D
Section: Security
Explanation

Explanation/Reference:

QUESTION 111
Which option is a key principle of the Cisco Self-Defending Network strategy?

A. security is static and should prevent most known attacks on the network
B. the self-defending network should be the key point of your security policy
C. integrate security throughout the existing infrastructure
D. upper management is ultimately responsible for policy implementation

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 112
Which three options are areas of router security? (Choose three.)

A. physical security
B. access control list security
C. zone-based firewall security
D. operating system security
E. router hardening
F. Cisco IOS IPS security

Correct Answer: ADE
Section: Security
Explanation

Explanation/Reference:

QUESTION 113
You have several operating groups in your enterprise that require different access restrictions to the routers to perform their job roles. These groups range from help desk personnel to advanced troubleshooters. What is one methodology for controlling access rights to the router in this situation?

A. configure ACLs to control access for these different groups
B. configure multiple privilege level access
C. implement syslogging to monitor the activities of these groups
D. configure TACACS+ to perform scalable authentication

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:
IOS privilege levels (0 to 15) let you assign specific commands to an intermediate level and give each group a username at that level, so the help desk can run show commands without being able to change the configuration. TACACS+ can enforce per-command authorization centrally, but the question asks for the router-side methodology.

QUESTION 114
Which of these is a GUI tool for performing security configuration on Cisco routers?

A. Security Appliance Device Manager
B. Cisco CLI configuration management tool
C. Cisco Security Device Manager
D. Cisco Security Manager

Correct Answer: C
Section: Security
Explanation

Explanation/Reference:

QUESTION 115
When implementing network security, what is an important configuration task that you should perform to assist in correlating network and security events?

A. configure Network Time Protocol
B. configure synchronized syslog reporting
C. configure a common repository of all network events for ease of monitoring
D. configure an automated network monitoring system for event correlation

Correct Answer: A
Section: Security
Explanation

Explanation/Reference:

QUESTION 116
Which of these options is a Cisco IOS feature that lets you more easily configure security features on your router?

A. Cisco Self-Defending Network
B. implementing AAA command authorization
C. the auto secure CLI command
D. performing a security audit via SDM

Correct Answer: C
Section: IOS Security
Explanation

Explanation/Reference:

QUESTION 117
Which three of these options are some of the best practices when you implement an effective firewall security policy? (Choose three.)

A. position firewalls at strategic inside locations to help mitigate nontechnical attacks
B. configure logging to capture all events for forensic purposes
C. use firewalls as a primary security defense; other security measures and devices should be implemented to enhance your network security
D. position firewalls at key security boundaries
E. deny all traffic by default and permit only necessary services

Correct Answer: CDE
Section: Security
Explanation

Explanation/Reference:

QUESTION 118
Which option correctly defines asymmetric encryption?

A. uses the same keys to encrypt and decrypt data
B. uses MD5 hashing algorithms for digital signature encryption
C. uses different keys to encrypt and decrypt data
D. uses SHA-1 hashing algorithms for digital signature encryption

Correct Answer: C
Section: Cryptography
Explanation

Explanation/Reference:

QUESTION 119
Which option is a desirable feature of using symmetric encryption algorithms?

A. they are often used for wire-speed encryption in data networks
B. they are based on complex mathematical operations and can easily be accelerated by hardware
C. they offer simple key management properties
D. they are best used for one-time encryption needs

Correct Answer: A
Section: Cryptography
Explanation

Explanation/Reference:
Symmetric ciphers use simple operations (substitution, permutation, XOR), which is exactly why they are fast enough for wire-speed bulk encryption and easy to implement in hardware. Their drawback is key management: every pair of parties needs a shared secret distributed securely.

QUESTION 120
Which option is true of using cryptographic hashes?

A. they are easily reversed to decipher the message context
B. they convert arbitrary data into fixed-length digits
C. they are based on a two-way mathematical function
D. they are used for encrypting bulk data communications

Correct Answer: B
Section: Cryptography
Explanation

Explanation/Reference:
A hash is a one-way function: arbitrary-length input, fixed-length digest, and no practical way to recover the input from the digest. It provides integrity (and, with a key, authentication as HMAC), not confidentiality.

QUESTION 121
Which option is true of intrusion prevention systems?

A. they operate in promiscuous mode
B. they operate in inline mode
C. they have no potential impact on the data segment being monitored
D. they are more vulnerable to evasion techniques than IDS

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:
An IPS sits inline in the traffic path, so it can drop malicious packets before they reach the target, at the cost of added latency and a potential point of failure. An IDS works from a copy of the traffic (promiscuous mode) and can only alert.

QUESTION 122
Which statement is true when using zone-based firewalls on a Cisco router?

A. policies are applied to traffic moving between zones, not between interfaces
B. the firewalls can be configured simultaneously on the same interface as classic CBAC using the ip inspect CLI command
C. interface ACLs are applied before zone-based policy firewalls when they are applied outbound
D. when configuring with the pass action, stateful inspection is applied to all traffic passing between the configured zones

Correct Answer: A
Section: Security
Explanation

Explanation/Reference:
Interfaces are placed into zones, and policies are attached to zone pairs. The pass action forwards traffic without creating state (you need a matching pass policy for the return direction); only inspect is stateful. Classic CBAC (ip inspect) and zone-based policy cannot both be applied to the same interface.

QUESTION 123
From what configuration mode would you enter the set peer ip-address command to specify the IP address of an IPsec peer?

A. Transform set configuration mode
B. Crypto map configuration mode
C. ISAKMP configuration mode
D. Interface configuration mode

Correct Answer: B
Section: VPNs
Explanation

Explanation/Reference:
The peer, the transform set and the crypto ACL are all bound together in the crypto map entry, for example under "crypto map MYMAP 10 ipsec-isakmp". The crypto map is then applied to the outside interface with "crypto map MYMAP".

QUESTION 124
What two site-to-site VPN wizards are available in the Cisco SDM interface? (Choose two.)

A. Easy VPN Setup
B. Quick Setup
C. Step-by-Step
D. DMVPN Setup

Correct Answer: BC
Section: SDM
Explanation

Explanation/Reference:

QUESTION 125
What command displays all existing IPsec security associations (SAs)?

A. show crypto isakmp sa
B. show crypto ipsec sa
C. show crypto ike active
D. show crypto sa active

Correct Answer: B
Section: VPNs
Explanation

Explanation/Reference:
show crypto ipsec sa lists the Phase 2 (IPsec) SAs with their SPIs, peers and packet counters; show crypto isakmp sa shows the Phase 1 (IKE) SA. Options C and D are not IOS commands.

QUESTION 126
Which two statements are true about the differences between IDS and IPS? (Choose two.)

A. IPS operates in promiscuous mode.
B. IPS receives a copy of the traffic to be analyzed.
C. IPS operates in inline mode.
D. IDS receives a copy of the traffic to be analyzed.

Correct Answer: CD
Section: Security
Explanation

Explanation/Reference:

QUESTION 127
What form of attack are all algorithms susceptible to?

A. Meet-in-the-middle
B. Spoofing
C. Stream cipher
D. Brute-force

Correct Answer: D
Section: Cryptography
Explanation

Explanation/Reference:

QUESTION 128
Which type of cipher achieves security by rearranging the letters in a string of text?

A. Vigenère cipher
B. Stream cipher
C. Transposition cipher
D. Block cipher

Correct Answer: C
Section: Cryptography
Explanation

Explanation/Reference:
A transposition cipher changes only the positions of the letters, so the ciphertext contains exactly the same letters as the plaintext; a substitution cipher such as Vigenère changes the letters and keeps their positions. Modern block ciphers combine both ideas.

QUESTION 129
Which of the following are techniques used by symmetric encryption cryptography? (Choose all that apply.)

A. Block ciphers
B. Message Authentication Codes (MAC)
C. One-time pad
D. Stream ciphers
E. Vigenère cipher

Correct Answer: ABD
Section: Cryptography
Explanation

Explanation/Reference:

QUESTION 130
DES typically operates in block mode, where it encrypts data in what size blocks?

A. 56-bit blocks
B. 40-bit blocks
C. 128-bit blocks
D. 64-bit blocks

Correct Answer: D
Section: Cryptography
Explanation

Explanation/Reference:

QUESTION 131
What method does 3DES use to encrypt plain text?

A. 3DES-EDE
B. EDE-3DES
C. 3DES-AES
D. AES-3DES

Correct Answer: A
Section: Cryptography
Explanation

Explanation/Reference:
Encrypt-Decrypt-Encrypt: each 64-bit block is encrypted with K1, decrypted with K2 and encrypted again with K3. The decrypt in the middle is what makes 3DES backward compatible: with K1 = K2 = K3 the three operations collapse to a single DES encryption.
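The block-mode points of questions 80, 130 and 131 demonstrated together, as an added Python example that is not part of the original dump. A toy 64-bit Feistel cipher stands in for DES (its hash-based round function and key schedule are assumptions of this example, not DES, and it is not secure); on top of it the block shows ECB leaking repeated plaintext blocks while CBC does not, and 3DES-style EDE collapsing to single encryption when all three keys are equal. The key and message are constructed.

```python
import hashlib
import os
from typing import List

BLOCK = 8   # 64-bit block, as in DES (question 130)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_key(key: bytes, rnd: int) -> bytes:
    # Toy key schedule (assumption of this example, nothing like DES): hash key and round number.
    return hashlib.sha256(key + bytes([rnd])).digest()[:4]


def _f(half: bytes, subkey: bytes) -> bytes:
    return hashlib.sha256(subkey + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Toy 64-bit Feistel cipher standing in for DES: invertible, not secure."""
    if len(block) != BLOCK:
        raise ValueError("block must be 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in range(rounds):
        left, right = right, _xor(left, _f(right, _round_key(key, rnd)))
    return right + left          # undo the final swap (standard Feistel output)


def block_decrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    if len(block) != BLOCK:
        raise ValueError("block must be 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in reversed(range(rounds)):   # same rounds, subkeys in reverse order
        left, right = right, _xor(left, _f(right, _round_key(key, rnd)))
    return right + left


def _blocks(data: bytes) -> List[bytes]:
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of the block size (no padding in this example)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB (question 80): every block encrypted independently with the same key.
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block before encryption.
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    # 3DES-EDE (question 131): encrypt with K1, decrypt with K2, encrypt with K3.
    return block_encrypt(k3, block_decrypt(k2, block_encrypt(k1, block)))


def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    return block_decrypt(k1, block_encrypt(k2, block_decrypt(k3, block)))


def repeated_blocks(ciphertext: bytes) -> int:
    bs = _blocks(ciphertext)
    return len(bs) - len(set(bs))


def demo() -> dict:
    key = bytes.fromhex("0e329232ea6d0d73")   # constructed 64-bit key (56 effective bits in real DES)
    msg = b"ATTACK!!" * 3 + b"AT DAWN!"       # three identical blocks, then a different one
    iv = os.urandom(BLOCK)
    k1, k2, k3 = key, os.urandom(BLOCK), os.urandom(BLOCK)
    ecb, cbc = ecb_encrypt(key, msg), cbc_encrypt(key, iv, msg)
    return {
        "ecb_repeats": repeated_blocks(ecb),   # 2: the repetition in the plaintext shows through
        "cbc_repeats": repeated_blocks(cbc),   # 0
        "cbc_roundtrip": cbc_decrypt(key, iv, cbc) == msg,
        "ede_roundtrip": ede_decrypt(k1, k2, k3, ede_encrypt(k1, k2, k3, msg[:8])) == msg[:8],
        # With K1 = K2 = K3 the decrypt cancels the first encrypt: single-DES compatibility.
        "ede_single_key": ede_encrypt(key, key, key, msg[:8]) == block_encrypt(key, msg[:8]),
    }
```

The ECB count is the whole point of question 80: an observer who never recovers the key still learns which blocks of the message are equal. CBC needs an unpredictable IV per message to avoid the same leak across messages.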

QUESTION 132
Which of the following is not considered a trustworthy symmetric encryption algorithm?

A. 3DES
B. IDEA
C. EDE
D. AES

Correct Answer: C
Section: Cryptography
Explanation

Explanation/Reference:
EDE is the encrypt-decrypt-encrypt method that 3DES uses, not an algorithm in its own right; 3DES, IDEA and AES are all established symmetric ciphers.

QUESTION 133
On the basis of the description of SSL-based VPN, place the correct descriptions in the proper locations.

Select and Place:

Correct Answer:

Section: Drag and Drop
Explanation

Explanation/Reference:

QUESTION 134
Which three common examples are of AAA implementation on Cisco routers? Please place the correct descriptions in the proper locations.

Select and Place:

Correct Answer:

Section: Drag and Drop
Explanation

Explanation/Reference:

QUESTION 135
Drag two characteristics of the SDM Security Audit wizard on the above to the list on the below.

Select and Place:

Correct Answer:

Section: Drag and Drop
Explanation

Explanation/Reference:

QUESTION 136
On the basis of the Cisco IOS Zone-Based Policy Firewall, by default, which three types of traffic are permitted by the router when some interfaces of the router are assigned to a zone? Drag three proper characterizations on the above to the list on the below.

Select and Place:

Correct Answer:

Section: Drag and Drop
Explanation

Explanation/Reference:

QUESTION 137
Drag three proper statements about the IPsec protocol on the above to the list on the below.

Select and Place:

Correct Answer:

Section: Drag and Drop
Explanation

Explanation/Reference:

QUESTION 138
Drag and drop. Match the descriptions on the above with the IKE phases on the below.

Select and Place:

Correct Answer:

Section: Drag and Drop
Explanation

Explanation/Reference:

QUESTION 139
Drag the result on the left to the corresponding attack method on the right.

Select and Place:

Correct Answer:

Section: Drag and Drop
Explanation

Explanation/Reference:

QUESTION 140
On the basis of the description of SSL-based VPN, place the correct descriptions in the proper locations.

Select and Place:

Correct Answer:

Section: Drag and Drop
Explanation

Explanation/Reference:

QUESTION 141
Drag and drop.

Select and Place:

Correct Answer:

Section: Drag and Drop
Explanation

Explanation/Reference:

QUESTION 142
Scenario: Next Gen University's main campus is located in Santa Cruz. The University has recently established various remote campuses offering e-learning services. The University is using IPsec VPN connectivity between its main campus and its remote campuses Phoenix (PHX), Nevada (ND) and Sacramento (SAC). As a recent addition to the IT/Networking team, you have been tasked to document the IPsec VPN configurations to the remote campuses using the Cisco router and the SDM utility. Using the SDM output from VPN Tasks under the Configure tab, answer these questions.

Cisco SDM 5.0:

1. Which one of these statements is correct in regards to the Next Gen University IPsec tunnel between its Santa Cruz main campus and its PHX remote campus?
A. It is using IPsec tunnel mode, AES encryption and SHA HMAC integrity check.
B. It is using IPsec tunnel mode, 3DES encryption and SHA HMAC integrity check.
C. It is using IPsec tunnel mode to protect the traffic between the 10.10.10.0/24 and the 10.2.53.0/24 subnets.
D. It is using digital certificates to authenticate between the IPsec peers and DH group 2.
E. It is using a pre-shared key to authenticate between the IPsec peers and DH group 5.
F. The Santa Cruz main campus is the Easy VPN server and the PHX remote campus is the Easy VPN remote.
Answer: C

2. Which of these is used to define which traffic will be protected by IPsec between the Next Gen University Santa Cruz main campus and its SAC remote campus?
A. ACL 174
B. ACL 168
C. ACL 151
D. ESP-3DES-SHA1 transform set
E. ESP-3DES-SHA2 transform set
F. IKE Phase
Answer: A

3. The IPsec tunnel to the SAC remote campus terminates at which IP address, and what is the protected subnet behind the SAC remote campus router? (Choose two.)
A. 192.168.2.88
B. 192.168.5.28
C. 192.168.8.97
D. 10.2.53.0/24
E. 10.5.64.0/24
F. 10.8.74.0/24
Answer: C, F

4. Which one of these statements is correct in regards to the Next Gen University IPsec tunnel between its Santa Cruz main campus and its SAC remote campus?
A. The SAC remote campus router is using a dynamic IP address; therefore, the Santa Cruz router is using a dynamic crypto map.
B. Dead Peer Detection (DPD) is used to monitor the IPsec tunnel, so if there is no traffic traversing between the two sites, the IPsec tunnel will disconnect.
C. Tunnel mode is used; therefore, a GRE tunnel interface will be configured.
D. Only the ESP protocol is being used; AH is not being used.
Answer: D

Correct Answer: A
Section: Labs
Explanation

Explanation/Reference:

QUESTION 143
Refer to the exhibit. You are the network security administrator responsible for router security. Your network uses internal IP addressing according to RFC 1918 specifications. From the default rules shown, which access control list would prevent IP address spoofing of these internal networks?

A. SDM_Default_196
B. SDM_Default_197
C. SDM_Default_198
D. SDM_Default_199

Correct Answer: C
Section: Labs
Explanation

Explanation/Reference:

QUESTION 144
Refer to the exhibit. Based on the VPN connection shown, which statement is true?

A. Traffic that matches access list 103 will be protected.
B. This VPN configuration will not work because the tunnel IP and peer IP are the same.
C. The tunnel is down as a result of being a static rule. It should be configured as a dynamic IPsec policy.
D. The tunnel is down because the transform set needs to include the Authentication Header parameter.

Correct Answer: A
Section: Labs
Explanation

Explanation/Reference:

QUESTION 145
Instructions
To access the Cisco Router and Security Device Manager (SDM) utility, click on the console host icon that is connected to an ISR router. You can click on the grey buttons below to view the different windows. Each of the windows can be minimized by clicking on the [-]. You can also reposition a window by dragging it by the title bar. The Tab key and most commands that use the Control or Escape keys are not supported and are not necessary to complete this simulation.

1. Which two options correctly identify the associated interface with the correct security zone? (Choose two.)
A. FastEthernet0/1 is associated to the "out-zone" zone.
B. FastEthernet0/0 is associated to the "in-zone" zone.
C. FastEthernet0/0 and 0/1 are associated to the "self" zone.
D. FastEthernet0/0 and 0/1 are associated to the "in-zone" zone.
E. FastEthernet0/0 and 0/1 are associated to the "out-zone" zone.
F. FastEthernet0/0 and 0/1 are not associated to any zone.
Answer: A, B

2. Which statement is correct regarding the "sdm-permit" policy map?
A. Traffic not matched by any of the class maps within that policy map will be inspected.
B. Traffic matching the "sdm-access" traffic class will be inspected.
C. Traffic matching the "SDM_CA_SERVER" traffic class will be dropped.
D. That policy map is applied to traffic sourced from the "self" zone and destined to the "out-zone" zone.
Answer: B

3. Within the "sdm-inspect" policy map, what is the action assigned to the traffic class "sdm-invalid-src", and which traffic is matched by the traffic class "sdm-invalid-src"? (Choose two.)
A. drop/log
B. inspect
C. inspect/log
D. traffic matched by ACL 104
E. traffic matched by ACL 105
F. traffic matched by the nested "sdm-cls-insp-traffic" class map
G. any traffic
Answer: A, D

4. Which three protocols are matched by the "sdm-cls-insp-traffic" class map? (Choose three.)
A. sql-net
B. pop3
C. l2tp
D. ftp
Answer: A, B, D

5. Within the "sdm-permit" policy map, what is the action assigned to the traffic class "class-default"?
A. inspect
B. pass
C. drop
D. police
Answer: C

6. Which policy map is associated to the "sdm-zp-in-out" security zone pair?
A. sdm-permit-icmpreply
B. sdm-permit
C. sdm-inspect
D. sdm-insp-traffic
E. sdm-access
Answer: C

Correct Answer: A
Section: Labs
Explanation

Explanation/Reference:

QUESTION 146
LAB
You are the network security administrator for Big Money BankCo. You are informed that an attacker has performed a CAM table overflow attack by sending spoofed MAC addresses on one of the switch ports. The attacker has since been identified and escorted out of the campus. You now need to take action to configure the switch port to protect against this kind of attack in the future. For purposes of this test, the attacker was connected via a hub to the Fa0/12 interface of the switch. The topology is provided for your use. The enable password of the switch is cisco. Your task is to configure the Fa0/12 interface on the switch to limit the maximum number of MAC addresses that are allowed to access the port to two and to shut down the interface when there is a violation.

A. Port security must be enabled on the interface itself (switchport port-security) before the maximum and violation settings take effect; the original answer omitted that line, and the port must be in access mode for the command to be accepted.

    Switch1> enable
    Switch1# configure terminal
    Switch1(config)# interface fa0/12
    Switch1(config-if)# switchport mode access
    Switch1(config-if)# switchport port-security
    Switch1(config-if)# switchport port-security maximum 2
    Switch1(config-if)# switchport port-security violation shutdown
    Switch1(config-if)# no shutdown
    Switch1(config-if)# end
    Switch1# copy running-config startup-config

Verify with "show port-security interface fa0/12": the port should show Port Security: Enabled, Maximum MAC Addresses: 2 and Violation Mode: Shutdown. A port that has been err-disabled by a violation stays down until an administrator bounces it with shutdown / no shutdown, or errdisable recovery is configured.

Correct Answer: A
Section: Labs
Explanation

Explanation/Reference:

QUESTION 147
Please choose the correct description of the Cisco Self-Defending Network characteristics (the PG labels refer to the exhibit, which is not reproduced here).

A. INTEGRATED - PG1; COLLABORATIVE - PG2; ADAPTIVE - PG3
B. INTEGRATED - PG2; COLLABORATIVE - PG1; ADAPTIVE - PG3
C. INTEGRATED - PG2; COLLABORATIVE - PG3; ADAPTIVE - PG1
D. INTEGRATED - PG3; COLLABORATIVE - PG2; ADAPTIVE - PG1

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:

QUESTION 148
With the increasing development of networks, various network attacks have appeared. Which statement best describes the relationship between the attack methods and their results?

A. Ping Sweep - PG1 and PG3; Port Scan - PG2, PG4 and PG5

B. Ping Sweep - PG2 and PG4; Port Scan - PG1, PG3 and PG5

C. Ping Sweep - PG1 and PG5; Port Scan - PG2, PG3 and PG4

D. Ping Sweep - PG2 and PG3; Port Scan - PG1, PG4 and PG5

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:

QUESTION 149Please choose the correct matching relationships between the cryptography algorithms and the type ofalgorithm.

A. Symmetric - PG1, PG2 and PG3; Asymmetric - PG4, PG5 and PG6

B. Symmetric - PG1, PG4 and PG5; Asymmetric - PG2, PG3 and PG6

C. Symmetric - PG2, PG4 and PG5; Asymmetric - PG1, PG3 and PG6

D. Symmetric - PG2, PG5 and PG6; Asymmetric - PG1, PG3 and PG4

Correct Answer: B
Section: Cryptography
Explanation

Explanation/Reference:

QUESTION 150
Which are the best practices for attack mitigation?

A. PG1, PG2, PG3 and PG5
B. PG2, PG5, PG6 and PG8
C. PG2, PG5, PG6 and PG7
D. PG2, PG3, PG6 and PG8
E. PG3, PG4, PG6 and PG7

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:

QUESTION 151
Which statement best describes the relationship between the AAA functions and TACACS+ and RADIUS, based on the exhibit shown?

A. TACACS+ - PG1 and PG3; RADIUS - PG2 and PG4

B. TACACS+ - PG2 and PG4; RADIUS - PG1 and PG3

C. TACACS+ - PG1 and PG4; RADIUS - PG2 and PG3

D. TACACS+ - PG2 and PG3; RADIUS - PG1 and PG4

Correct Answer: B
Section: IOS Security
Explanation

Explanation/Reference:

QUESTION 152
Which item shows the correct matching relationship associated with the IKE phases?

A. IKE Phase 1 - PG1 and PG2; IKE Phase 2 - PG3, PG4 and PG5

B. IKE Phase 1 - PG1 and PG4; IKE Phase 2 - PG2, PG3 and PG5

C. IKE Phase 1 - PG2 and PG3; IKE Phase 2 - PG1, PG4 and PG5

D. IKE Phase 1 - PG2 and PG4; IKE Phase 2 - PG1, PG3 and PG5

Correct Answer: B
Section: VPNs
Explanation

Explanation/Reference:

QUESTION 153
Which two statements about configuring the Cisco ACS server to perform router command authorization are true? (Choose two.)

A. In the ACS User Group setup screen, use the Shell Command Authorization Set options to configure which commands and command arguments to permit or deny.

B. From the ACS Interface Configuration screen, select RADIUS (Cisco IOS/PIX 6.0), and then enable the Shell (exec) option on the RADIUS Services screen.

C. When adding the router as an AAA client on the Cisco ACS server, choose the TACACS+ (Cisco IOS) protocol.

D. Configure the Cisco ACS server to forward authentication of users to an external user database, such as the Windows database.

Correct Answer: AC
Section: Security
Explanation

Explanation/Reference:

QUESTION 154
Which statement best describes the relationship between the AAA functions and TACACS+ and RADIUS, based on the exhibit shown? Move the statements to either TACACS+ or RADIUS.

Select and Place:

Correct Answer:

Section: Drag and Drop
Explanation

Explanation/Reference:

QUESTION 155Drag&Drop

Select and Place:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:

Exam B

QUESTION 1
Zone-based Firewall SDM Simlet

Which two options correctly Identify the associated interface with the correct security zone? (Choose two)

A. FastEthernet0/1 is associated to the “out-zone” zone.
B. FastEthernet0/0 is associated to the “in-zone” zone.
C. FastEthernet0/0 and 0/1 are associated to the “self” zone.
D. FastEthernet0/0 and 0/1 are associated to the “in-zone” zone.
E. FastEthernet0/0 and 0/1 are associated to the “out-zone” zone.
F. FastEthernet0/0 and 0/1 are not associated to any zone.

Correct Answer: AB
Section: Zone-based Firewall SDM Simlet
Explanation

Explanation/Reference:

Under Additional Tasks, click on the Zones group. In the box on the right we see that FastEthernet0/0 is assigned to the in-zone and FastEthernet0/1 is assigned to the out-zone.

(Notice: In the real exam, you might see more zones than the image above)

QUESTION 2
Zone-based Firewall SDM Simlet

Which statement is correct regarding the “sdm-permit” policy map?

A. Traffic not matched by any of the class maps within that policy map will be inspected.
B. Traffic matching the “sdm-access” traffic class will be inspected.
C. Traffic matching the “SDM_CA_SERVER” traffic class will be dropped.
D. That policy map is applied to traffic sourced from the “self” zone and destined to the “out-zone” zone.

Correct Answer: B
Section: Zone-based Firewall SDM Simlet
Explanation

Explanation/Reference:
Go to “C3PL/Policy Map/Protocol Inspection” and choose “sdm-permit”; you will see the following “Match Class Name” and “Action” entries:

Match Class Name    Action
SDM_CA_SERVER       Inspect
sdm-access          Inspect
class-default       Drop

Based on the above information, the action on Traffic matching the “SDM_CA_SERVER” traffic class is“inspect” not “Drop”. Therefore, the answer C is wrong.

The correct answer is B. Traffic matching the “sdm-access” traffic class will be inspected.

QUESTION 3
Zone-based Firewall SDM Simlet

Which three protocols are matched by the “sdm-cls-insp-traffic” class map? (Choose three)

A. sql-net
B. pop3
C. l2tp
D. ftp

Correct Answer: ABD
Section: Zone-based Firewall SDM Simlet
Explanation

Explanation/Reference:Click on the C3PL\Class Map\Inspection group and click on the sdm-cls-insp-traffic line at the upper right sidebox to see which protocols are matched by the “sdm-cls-insp-traffic” class map.

QUESTION 4
Zone-based Firewall SDM Simlet

Within the “sdm-permit” policy map, what is the action assigned to the traffic class “class-default”?

A. inspect
B. pass
C. drop
D. police

Correct Answer: C
Section: Zone-based Firewall SDM Simlet
Explanation

Explanation/Reference:Under the C3PL\Policy Map\Protocol Inspection group we can see the policy maps, which class-maps andwhich actions are assigned to the class-maps.

QUESTION 5
Zone-based Firewall SDM Simlet

Which policy map is associated to the “sdm-zp-in-out” security zone pair?

A. sdm-permit-icmpreply
B. sdm-permit
C. sdm-inspect
D. sdm-insp-traffic

Correct Answer: C
Section: Zone-based Firewall SDM Simlet
Explanation

Explanation/Reference:There are 2 places where you can get information about the policy map associated to the “sdm-zp-in-out”security zone pair:

+ At the “Home” tab (you may need to click through to the Firewall policies view)

+ At the Zone-pair group in the Additional Tasks

QUESTION 6
Zone-based Firewall SDM Simlet

Within the “sdm-inspect” policy map, what is the action assigned to the traffic class “sdm-invalid-src”, and whichtraffic is matched by the traffic class “sdm-invalid-src” ? (Choose two)

A. traffic matched by ACL 105
B. traffic matched by the nested “sdm-cls-insp-traffic” class map
C. drop/log
D. traffic matched by ACL 104

Correct Answer: AC
Section: Zone-based Firewall SDM Simlet
Explanation

Explanation/Reference:Under the “Firewall and ACL” tab, search for the “sdm-inspect” policy map we can see the access list 105 isused by this policy map. We can also see the action assigned to the traffic class “sdm-invalid-src” (drop/log).

Notice: that the Access list number can be also seen in the C3PL\Class Map\Inspection and the Drop/logaction can be seen in the C3PL\Policy Map\Protocol Inspection group.
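The SDM screens in questions 1 to 6 above are a front end for the IOS zone-based firewall CLI. As an added example (not the simlet's own configuration), here is the CLI that produces the objects the six questions ask about. Zone names, interface membership, class-map and policy-map names, the sdm-zp-in-out zone pair, the ACL 105 reference and the drop/log action follow the answers above; the three protocols are the ones the simlet shows, and the contents of access-list 105 are an assumption about what "invalid source" means.

```cisco
! Added example, not the simlet's configuration. Names follow the answers above;
! the ACL 105 entries are an assumption (spoofed sources seen on the inside).
! Inspection class: the three protocols the simlet shows for this class map
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol ftp
 match protocol pop3
 match protocol sql-net
! Wrapper class that nests the one above (the "nested class map" of question 6)
class-map type inspect match-any sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
! Invalid-source class: whatever ACL 105 permits is treated as spoofed
class-map type inspect match-all sdm-invalid-src
 match access-group 105
access-list 105 remark ASSUMED contents: bogus source addresses on the inside
access-list 105 permit ip host 255.255.255.255 any
access-list 105 permit ip 127.0.0.0 0.255.255.255 any
! Policy for in-zone -> out-zone: drop and log spoofed sources, stateful-inspect
! the permitted protocols, drop everything else (class-default)
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class class-default
  drop
! Zones and interface membership (question 1)
zone security in-zone
zone security out-zone
interface FastEthernet0/0
 zone-member security in-zone
interface FastEthernet0/1
 zone-member security out-zone
! Zone pair and the policy bound to it (question 5)
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
! Verification
!   show zone-pair security                                -> sdm-zp-in-out with sdm-inspect
!   show policy-map type inspect zone-pair sdm-zp-in-out   -> per-class hit and drop counters
!   show class-map type inspect sdm-cls-insp-traffic       -> the protocol matches
```

Two properties of this design are worth keeping in mind when reading the SDM screens: class order matters, so the drop/log class for spoofed sources must sit above the inspect class or the spoofed packets would be inspected instead of dropped; and because no zone pair is defined from out-zone to in-zone, unsolicited traffic from the outside is denied by the inter-zone default while return traffic of inspected sessions is allowed by the stateful inspection.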

QUESTION 7
Drag and drop. Match the descriptions above with the IKE phases below.

Select and Place:

Correct Answer:

Section: Drag and Drop
Explanation

Explanation/Reference:

QUESTION 8
Scenario:
Next Gen University main campus is located in Santa Cruz. The University has recently established various remote campuses offering e-learning services. The University is using IPsec VPN connectivity between its main campus and its remote campuses Phoenix (PHX), Nevada (ND) and Sacramento (SAC). As a recent addition to the IT/Networking team, you have been tasked to document the IPsec VPN configurations to the remote campuses using the Cisco router and the SDM utility. Using the SDM output from VPN Tasks under the Configure tab, answer these questions.

Cisco SDM 5.0:

A. 1. Which one of these statements is correct in regards to the Next Gen University IPsec tunnel between its Santa Cruz main campus and its PHX remote campus?

A. It is using IPsec tunnel mode, AES encryption and SHA HMAC integrity check.
B. It is using IPsec tunnel mode, 3DES encryption and SHA HMAC integrity check.
C. It is using IPsec tunnel mode to protect the traffic between the 10.10.10.0/24 and the 10.2.53.0/24 subnets.
D. It is using digital certificates to authenticate between the IPsec peers and DH group 2.
E. It is using a pre-shared key to authenticate between the IPsec peers and DH group 5.
F. The Santa Cruz main campus is the Easy VPN server and the PHX remote campus is the Easy VPN remote.

Answer: C

2. Which of these is used to define which traffic will be protected by IPsec between the Next Gen University Santa Cruz main campus and its SAC remote campus?

A. ACL 174
B. ACL 168
C. ACL 151
D. ESP-3DES-SHA1 transform set
E. ESP-3DES-SHA2 transform set
F. IKE Phase 1

Answer: A

3. The IPsec tunnel to the SAC remote campus terminates at which IP address, and what is the protected subnet behind the SAC remote campus router? (Choose two.)

A. 192.168.2.88
B. 192.168.5.28
C. 192.168.8.97
D. 10.2.53.0/24
E. 10.5.64.0/24
F. 10.8.74.0/24

Answer: C, F

4. Which one of these statements is correct in regards to the Next Gen University IPsec tunnel between its Santa Cruz main campus and its SAC remote campus?

A. The SAC remote campus router is using a dynamic IP address; therefore, the Santa Cruz router is using a dynamic crypto map.
B. Dead Peer Detection (DPD) is used to monitor the IPsec tunnel, so if there is no traffic traversing between the two sites, the IPsec tunnel will disconnect.
C. Tunnel mode is used; therefore, a GRE tunnel interface will be configured.
D. Only the ESP protocol is being used; AH is not being used.

Answer: D

Correct Answer: A
Section: Labs
Explanation

Explanation/Reference:

QUESTION 9
Please choose the correct description about Cisco Self-Defending Network characteristics.

A. INTEGRATED - PG1; COLLABORATIVE - PG2; ADAPTIVE - PG3

B. INTEGRATED - PG2; COLLABORATIVE - PG1; ADAPTIVE - PG3

C. INTEGRATED - PG2; COLLABORATIVE - PG3; ADAPTIVE - PG1

D. INTEGRATED - PG3; COLLABORATIVE - PG2; ADAPTIVE - PG1

Correct Answer: B
Section: Security
Explanation

Explanation/Reference:

QUESTION 10
Which are the best practices for attack mitigation?

A. PG1, PG2, PG3 and PG5
B. PG2, PG5, PG6 and PG8
C. PG2, PG5, PG6 and PG7
D. PG2, PG3, PG6 and PG8
E. PG3, PG4, PG6 and PG7

Correct Answer: B
Section: Security

Explanation

Explanation/Reference:


Exam C

QUESTION 1
Site-to-site VPN SDM Lab Sim

Which one of these statements is correct in regards to the Next Gen University IPsec tunnel between its Santa Cruz main campus and its SJ remote campus?

A. It is using IPsec tunnel mode, AES encryption, and SHA HMAC integrity check.
B. It is using IPsec transport mode, 3DES encryption, and SHA HMAC integrity check.
C. It is using IPsec tunnel mode to protect the traffic between the 10.10.10.0/24 and the 10.2.54.0/24 subnets.
D. It is using digital certificates to authenticate between the IPsec peers and DH group 2.
E. It is using a pre-shared key to authenticate between the IPsec peers and DH group 5.

Correct Answer: C
Section: Site-to-site VPN SDM Lab Sim
Explanation

Explanation/Reference:
From the Site-to-site VPN tab we see that the SJ peer's IP address is 192.168.2.57 with IPsec rule 152. Click on the IPSec Rules group to see what rule 152 is: rule 152 permits source 10.10.10.0/24 to destination 10.2.54.0/24, which is what C states.

The description on the same tab reads “Tunnel to SJ remote campus”, but a description is free text and by itself does not prove that IPsec tunnel mode is in use. The authoritative check is the IPSec Policy and Seq No. columns, which show SDM_CMAP_1 and 1: click on the VPN Components\IPSec\IPSec Policies group to find that the corresponding transform set is ESP-3DES-SHA, then click on the Transform Sets group to see that its mode is TUNNEL. That also rules out B (3DES is used, but in tunnel mode, not transport mode) and A (3DES, not AES).

QUESTION 2
Site-to-site VPN SDM Lab Sim

Which one of these statements is correct in regards to the Next Gen University IPsec tunnel between its Santa Cruz main campus and its SAC remote campus?

A. The SAC remote campus router is using a dynamic IP address; therefore, the Santa Cruz router is using a dynamic crypto map.

B. Dead Peer Detection (DPD) is used to monitor the IPsec tunnel, so if there is no traffic traversing between the two sites, the IPsec tunnel will disconnect.

C. Tunnel mode is used; therefore, a GRE tunnel interface will be configured.
D. Only the ESP protocol is being used; AH is not being used.

Correct Answer: D
Section: Site-to-site VPN SDM Lab Sim
Explanation

Explanation/Reference:A is not correct because the VPN Components\IPSec\Dynamic Crypto Map group is empty -> the Santa Cruzrouter is not using a dynamic crypto map.

Not sure about answer B. We can find DPD information in the VPN Components\IKE\IKE Profiles group, but I am not sure whether this group exists in the exam.

C is not correct because IPsec tunnel mode does not require a GRE tunnel interface; the crypto map is applied directly to the physical interface.

D is correct: in the VPN Components\IPSec\Transform Sets group the AH Integrity column is empty, while the ESP Integrity column shows ESP_SHA_HMAC, so the transform set uses ESP only.

QUESTION 3
Site-to-site VPN SDM Lab Sim

Which of these is used to define which traffic will be protected by IPsec between the Next Gen University Santa Cruz main campus and its SAC remote campus?

A. ACL 177
B. ACL 167
C. ACL 152
D. ESP-3DES-SHA1 transform set
E. ESP-3DES-SHA2 transform set
F. IKE Phase 1

Correct Answer: A
Section: Site-to-site VPN SDM Lab Sim
Explanation

Explanation/Reference:In the VPN\Site-to-site-VPN group we can easily see the SAC remote campus is protected by IPSec rule 177,which is an access-list

QUESTION 4
Site-to-site VPN SDM Lab Sim

The IPsec tunnel to the SAC remote campus terminates at which IP address, and what is the protected subnet behind the SAC remote campus router? (Choose two.)

A. 192.168.2.57
B. 192.168.5.48
C. 192.168.8.58
D. 10.2.54.0/24
E. 10.5.66.0/24
F. 10.8.75.0/24

Correct Answer: CF
Section: Site-to-site VPN SDM Lab Sim
Explanation

Explanation/Reference:
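Questions 1 to 4 of this lab sim read the SDM views of one crypto map. As an added example (not the simulation's own configuration), the following is the CLI that produces the values those answers name: the SJ peer 192.168.2.57 with ACL 152 protecting 10.10.10.0/24 to 10.2.54.0/24, the SAC peer 192.168.8.58 with ACL 177 protecting 10.10.10.0/24 to 10.8.75.0/24, transform set ESP-3DES-SHA (ESP only, tunnel mode) and crypto map SDM_CMAP_1. The ISAKMP policy, the pre-shared keys, the second sequence number and the outside interface name are assumptions.

```cisco
! Added example, not the simulation's configuration. Peers, subnets, ACL
! numbers, transform set and crypto-map name follow the answers above;
! the ISAKMP policy, keys, seq 2 and the interface name are assumptions.
! IKE phase 1 (ISAKMP) policy - ASSUMED: pre-shared keys, DH group 2
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key SJ-psk-CHANGE-ME address 192.168.2.57
crypto isakmp key SAC-psk-CHANGE-ME address 192.168.8.58
! IKE phase 2: ESP only (no AH transform, as question 2 answer D states),
! tunnel mode as the Transform Sets view shows
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
! Crypto ACLs: they define the "interesting" traffic (question 3), nothing else
access-list 152 permit ip 10.10.10.0 0.0.0.255 10.2.54.0 0.0.0.255
access-list 177 permit ip 10.10.10.0 0.0.0.255 10.8.75.0 0.0.0.255
! One static crypto map, one sequence number per peer (no dynamic crypto map,
! which is why question 2 answer A is wrong)
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to SJ remote campus
 set peer 192.168.2.57
 set transform-set ESP-3DES-SHA
 match address 152
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to SAC remote campus
 set peer 192.168.8.58
 set transform-set ESP-3DES-SHA
 match address 177
! The map is applied to the outside interface (name ASSUMED); no GRE tunnel
! interface is needed for tunnel mode (question 2 answer C)
interface FastEthernet0/1
 crypto map SDM_CMAP_1
! Verification, after sending traffic that matches ACL 152 or 177:
!   show crypto isakmp sa   -> one QM_IDLE entry per peer
!   show crypto ipsec sa    -> #pkts encaps/decaps increasing; only ESP SAs
!   show crypto map         -> peer, ACL and transform set per sequence number
```

The crypto ACL is the security boundary here: any host pair it does not cover leaves the router in clear text, so it should be as narrow as the two subnets above and mirrored exactly on the remote router. 3DES and DH group 2 are what the simlet shows; a current deployment would use AES and at least group 14.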

QUESTION 7
Which is a result of securing the Cisco IOS image by use of the Cisco IOS image resilience feature?

A. When the router boots up, the Cisco IOS image will be loaded from a secured FTP location.
B. The Cisco IOS image file will not be visible in the output from the show flash command.
C. The show version command will not show the Cisco IOS image file location.
D. The running Cisco IOS image will be encrypted and then automatically backed up to a TFTP server.

Correct Answer: B
Section: IOS Security
Explanation

Explanation/Reference:
The IOS image resilience feature does not encrypt or back up the IOS image; it hides it. The secured image is removed from the directory listing produced by the "show flash" and "dir" commands, so it cannot be found and deleted by someone who gains EXEC access, and it can only be listed with "show secure bootset". The command to enable this feature is "secure boot-image"; the companion "secure boot-config" takes a snapshot of the running configuration and protects it in the same way.
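As an added example (not part of the original dump), enabling and verifying the feature from the CLI, including the recovery step that is the reason for using it. The hostname and the archive file name are assumptions.

```cisco
! Added example, not from the original dump. Hostname and file name are assumptions.
R1# configure terminal
! Secure the running image: it disappears from "show flash" / "dir" listings
R1(config)# secure boot-image
! Snapshot the running configuration into a secured archive as well
R1(config)# secure boot-config
R1(config)# end
! The secured files are no longer listed here ...
R1# show flash
! ... but the bootset (image and config archive) is reported here
R1# show secure bootset
! Both "secure" commands can only be removed from a console session, so an
! attacker who reaches the router over SSH cannot disable the protection.
! Recovery after a tampered or erased startup-config: export the secured
! snapshot to a file, then copy it into the startup configuration
R1# configure terminal
R1(config)# secure boot-config restore flash:rescue-config
R1(config)# end
R1# copy flash:rescue-config startup-config
```

Run "secure boot-image" again after every IOS upgrade: it protects the image that is running at the time the command is entered, not whatever is copied to flash later.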

QUESTION 8
What is the objective of the aaa authentication login console-in local command?

A. It specifies the login authorization method list named console-in using the local RADIUS username-password database.

B. It specifies the login authorization method list named console-in using the local username-password database on the router.

C. It specifies the login authentication method list named console-in using the local user database on the router.

D. It specifies the login authentication list named console-in using the local username-password database on the router.

Correct Answer: C
Section: IOS Security
Explanation

Explanation/Reference:
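The command in question 8 is only one line of a working AAA setup; as an added example (not from the original dump), here it is in context, together with the router side of the ACS command authorization described in Exam A, question 153: the router is added to ACS as a TACACS+ (Cisco IOS) client and per-command authorization is sent to the ACS shell command authorization set. The ACS address, the shared secret, the local username and the "vty-in" method list are assumptions.

```cisco
! Added example, not from the original dump. ACS address, key, local user and
! the "vty-in" list are assumptions; "console-in local" is from question 8.
aaa new-model
! The router is registered on ACS as a TACACS+ (Cisco IOS) client with this key
tacacs-server host 10.0.0.5 key Tacacs-Secret-CHANGE-ME
! Local fallback account, privilege 15, hashed secret
username admin privilege 15 secret Local-Secret-CHANGE-ME
! Method list from the question: console logins use only the local user database,
! so an ACS outage never locks the console
aaa authentication login console-in local
! Remote (VTY) logins try ACS first and fall back to local only if ACS is unreachable
aaa authentication login vty-in group tacacs+ local
! EXEC authorization and per-command authorization at privilege 15 against the
! ACS shell command authorization set; "if-authenticated" keeps the router
! manageable when ACS is down without granting anything to unauthenticated users
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
! Command accounting so every privileged command is recorded on ACS
aaa accounting commands 15 default start-stop group tacacs+
line console 0
 login authentication console-in
line vty 0 4
 login authentication vty-in
 authorization exec default
 authorization commands 15 default
 transport input ssh
! Verification
!   show aaa servers                                   -> TACACS+ server state and counters
!   test aaa group tacacs+ admin <password> legacy     -> end-to-end check against ACS
!   debug aaa authorization                            -> per-command PASS/FAIL on a test session
```

Keep one console session open while testing the VTY lists; a typo in a method list is the classic way to lock yourself out. On newer IOS releases the server is defined with "tacacs server NAME" / "address ipv4 ..." / "key ..." instead of the single "tacacs-server host" line used above.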

QUESTION 9
What are four methods used by hackers? (Choose four.)

A. social engineering attack
B. Trojan horse attack
C. front door attacks
D. buffer Unicode attack
E. privilege escalation attack
F. footprint analysis attack

Correct Answer: ABEF
Section: Security

Explanation

Explanation/Reference:

QUESTION 10
If a switch is working in fail-open mode, what will happen when the switch's CAM table fills to capacity and a new frame arrives?

A. The switch sends a NACK segment to the frame's source MAC address.
B. A copy of the frame is forwarded out all switch ports other than the port the frame was received on.
C. The frame is dropped.
D. The frame is transmitted on the native VLAN.

Correct Answer: B
Section: IOS Security
Explanation

Explanation/Reference:
A Cisco Catalyst switch uses a Content Addressable Memory (CAM) table to store the information it uses to make forwarding decisions. Specifically, the CAM table lists the MAC addresses that have been learned on each switch port. When a frame enters the switch, the switch looks up the frame's destination MAC address; if that address is known to exist off one of the switch ports, the frame is forwarded out only that port. The CAM table, however, has a finite size. If it fills to capacity, the switch can no longer learn new MAC addresses, so frames destined for unlearned MAC addresses are flooded out all switch interfaces other than the one they were received on. This fail-open behaviour is what a CAM table overflow attack exploits: by flooding the table with bogus source addresses, the attacker turns the switch into a hub for unknown destinations and can capture traffic that would otherwise be switched only to its proper port. Limiting the number of MAC addresses per port with port security, as in Exam A question 146, is the mitigation.
