Last Updated on July 24, 2019 by Admin
Implementing Network Security (Version 2.0) – CCNA Security (IINS) Certification Practice Exam Online
CCNAS – Certification Practice Exam
Quiz-summary
0 of 55 questions completed
Questions:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
Information
CCNAS – Certification Practice Exam
You have already completed the quiz before. Hence you can not start it again.
Quiz is loading...
You must sign in or sign up to start the quiz.
You have to finish following quiz, to start this quiz:
Results
0 of 55 questions answered correctly
Your time:
Time has elapsed
You have reached 0 of 0 points, (0)
Average score |
|
Your score |
|
Categories
- Not categorized 0%
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- Answered
- Review
-
Question 1 of 55
1. Question
2 pointsWhich two characteristics describe a virus? (Choose two.)Correct
Incorrect
A virus is malicious code that is attached to legitimate programs or executable files. Most viruses require end user activation, can lie dormant for an extended period, and then activate at a specific time or date. In contrast, a worm executes arbitrary code and installs copies of itself in the memory of the infected computer. The main purpose of a worm is automatic replication to spread quickly across a network. A worm does not require a host program to run.
Hint
A virus is malicious code that is attached to legitimate programs or executable files. Most viruses require end user activation, can lie dormant for an extended period, and then activate at a specific time or date. In contrast, a worm executes arbitrary code and installs copies of itself in the memory of the infected computer. The main purpose of a worm is automatic replication to spread quickly across a network. A worm does not require a host program to run. -
Question 2 of 55
2. Question
2 pointsWhich two options can limit the information discovered from port scanning? (Choose two.)Correct
Incorrect
Using an intrusion prevention system (IPS) and firewall can limit the information that can be discovered with a port scanner. Authentication, encryption, and passwords provide no protection from loss of information from port scanning.
Hint
Using an intrusion prevention system (IPS) and firewall can limit the information that can be discovered with a port scanner. Authentication, encryption, and passwords provide no protection from loss of information from port scanning. -
Question 3 of 55
3. Question
2 pointsWhich two options provide secure remote access to a router? (Choose two.)Correct
Incorrect
For security, all traffic between the administrator computer and the router should be encrypted by using HTTPS or SSH instead of HTTP or Telnet.
Hint
For security, all traffic between the administrator computer and the router should be encrypted by using HTTPS or SSH instead of HTTP or Telnet. -
Question 4 of 55
4. Question
1 pointsRefer to the exhibit. An administrator issues these IOS login enhancement commands to increase the security for login connections. What can be concluded about them?Correct
Incorrect
When the login block-for command is implemented, it automatically invokes a one-second delay between login attempts. The login block-for command that is presented means that login will be disabled for 150 seconds, if more than 5 login failures occur within 60 seconds. These enhancements do not apply to console connections. When quiet mode is enabled, all login attempts are denied except for the hosts permitted in the ACL.
Hint
When the login block-for command is implemented, it automatically invokes a one-second delay between login attempts. The login block-for command that is presented means that login will be disabled for 150 seconds, if more than 5 login failures occur within 60 seconds. These enhancements do not apply to console connections. When quiet mode is enabled, all login attempts are denied except for the hosts permitted in the ACL. -
Question 5 of 55
5. Question
1 pointsA network administrator notices that unsuccessful login attempts have caused a router to enter quiet mode. How can the administrator maintain remote access to the networks even during quiet mode?Correct
Incorrect
Quiet mode prevents any further login attempts for a period of time. Quiet mode is enabled via the login quiet-mode access-class command. Quiet mode behavior can be overridden for specific networks by building and implementing an access control list (ACL).Hint
Quiet mode prevents any further login attempts for a period of time. Quiet mode is enabled via the login quiet-mode access-class command. Quiet mode behavior can be overridden for specific networks by building and implementing an access control list (ACL). -
Question 6 of 55
6. Question
3 pointsWhen configuring SSH on a router to implement secure network management, a network engineer has issued the login local and transport input ssh line vty commands. What three additional configuration actions have to be performed to complete the SSH configuration? (Choose three.)Correct
Incorrect
SSH is automatically enabled after the RSA keys are generated. Setting user privilege levels and configuring role-based CLI access are good security practices but are not a requirement of implementing SSH.
Hint
SSH is automatically enabled after the RSA keys are generated. Setting user privilege levels and configuring role-based CLI access are good security practices but are not a requirement of implementing SSH. -
Question 7 of 55
7. Question
2 pointsAn administrator assigned a level of router access to the user ADMIN using the commands below. Router(config)# privilege exec level 14 show ip route Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10 Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10 Which two actions are permitted to the user ADMIN? (Choose two.)Correct
Incorrect
Assigning a command such as show ip route to a specific privilege level automatically assigns all commands associated with the first few keywords to the specified privilege level. So, the show and the show ip commands are automatically set to the privilege level where show ip route is set, which is necessary because the show ip route command cannot be executed without access to the show and show ip commands. Assigning the show ip route command allows the user to issue all show commands, such as show version.Hint
Assigning a command such as show ip route to a specific privilege level automatically assigns all commands associated with the first few keywords to the specified privilege level. So, the show and the show ip commands are automatically set to the privilege level where show ip route is set, which is necessary because the show ip route command cannot be executed without access to the show and show ip commands. Assigning the show ip route command allows the user to issue all show commands, such as show version. -
Question 8 of 55
8. Question
1 pointsWhat is a characteristic of a role-based CLI view of router configuration?Correct
Incorrect
A CLI view has no command hierarchy, and therefore, no higher or lower views. Deleting a superview does not delete the associated CLI views. Only a root view user can configure a new view and add or remove commands from the existing views.
Hint
A CLI view has no command hierarchy, and therefore, no higher or lower views. Deleting a superview does not delete the associated CLI views. Only a root view user can configure a new view and add or remove commands from the existing views. -
Question 9 of 55
9. Question
1 pointsWhat function is provided by the Cisco IOS Resilient Configuration feature?Correct
Incorrect
The Cisco IOS Resilient Configuration feature allows a secure copy of the IOS and running configuration file to be stored locally on a router. If flash memory or NVRAM is inadvertently or maliciously erased, the router can be quickly restored using the stored files.
Hint
The Cisco IOS Resilient Configuration feature allows a secure copy of the IOS and running configuration file to be stored locally on a router. If flash memory or NVRAM is inadvertently or maliciously erased, the router can be quickly restored using the stored files. -
Question 10 of 55
10. Question
1 pointsWhat service or protocol does the Secure Copy Protocol rely on to ensure that secure copy transfers are from authorized users?Correct
Incorrect
Secure Copy Protocol (SCP) is used to securely copy IOS images and configuration files to a SCP server. To perform this, SCP will use SSH connections from users authenticated through AAA.
Hint
Secure Copy Protocol (SCP) is used to securely copy IOS images and configuration files to a SCP server. To perform this, SCP will use SSH connections from users authenticated through AAA. -
Question 11 of 55
11. Question
1 pointsWhat level of syslog is associated with Log_Alert?Correct
Incorrect
Syslog levels range from 0 to 7: Level 0 is Log_Emerg Level 1 is Log_Alert Level 2 is Log_Crit Level 3 is Log_Err Level 4 is Log_Warning Level 5 is Log_Notice Level 6 is Log_Info Level 7 is Log_Debug
Hint
Syslog levels range from 0 to 7: Level 0 is Log_Emerg Level 1 is Log_Alert Level 2 is Log_Crit Level 3 is Log_Err Level 4 is Log_Warning Level 5 is Log_Notice Level 6 is Log_Info Level 7 is Log_Debug -
Question 12 of 55
12. Question
1 pointssyslog server has received the message shown. *Mar 1 00:07:18.783: %SYS-5-CONFIG_I: Configured from console by vty0 (172.16.45.1) What can be determined from the syslog message?Correct
Incorrect
The message shown is a level 5 Log_Notice and displays that a user with an IP address of 172.16.45.1 has configured this device remotely.
Hint
The message shown is a level 5 Log_Notice and displays that a user with an IP address of 172.16.45.1 has configured this device remotely. -
Question 13 of 55
13. Question
2 pointsIn the implementation of secure network management, what are two services or functions of the management plane of a Cisco router that should be configured? (Choose two.)Correct
Incorrect
Cisco Express Forwarding, traffic filtering with ACLs, and Cisco IOS firewall inspection are forwarding plane services that provide security. Management plane security includes these features:legal notification using a banner secure password and login functions secure NTP secure SSH access TCP intercept services
Hint
Cisco Express Forwarding, traffic filtering with ACLs, and Cisco IOS firewall inspection are forwarding plane services that provide security. Management plane security includes these features:legal notification using a banner secure password and login functions secure NTP secure SSH access TCP intercept services -
Question 14 of 55
14. Question
1 pointsWhich AAA component can be established using token cards?Correct
Incorrect
The authentication component of AAA is established using username and password combinations, challenge and response questions, and token cards. The authorization component of AAA determines which resources the user can access and which operations the user is allowed to perform. The accounting and auditing component of AAA keeps track of how network resources are used.
Hint
The authentication component of AAA is established using username and password combinations, challenge and response questions, and token cards. The authorization component of AAA determines which resources the user can access and which operations the user is allowed to perform. The accounting and auditing component of AAA keeps track of how network resources are used. -
Question 15 of 55
15. Question
1 pointsDuring the AAA process, when will authorization be implemented?Correct
Incorrect
AAA authorization is implemented immediately after the user is authenticated against a specific AAA data source.
Hint
AAA authorization is implemented immediately after the user is authenticated against a specific AAA data source. -
Question 16 of 55
16. Question
1 pointsWhat function is provided by the RADIUS protocol?Correct
Incorrect
When an AAA user is authenticated, RADIUS uses UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting. TACACS provides separate authorization and accounting services. When a RADIUS client is authenticated, it is also authorized. TACACS provides secure connectivity using TCP port 49. RADIUS hides passwords during transmission and does not encrypt the complete packet.
Hint
When an AAA user is authenticated, RADIUS uses UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting. TACACS provides separate authorization and accounting services. When a RADIUS client is authenticated, it is also authorized. TACACS provides secure connectivity using TCP port 49. RADIUS hides passwords during transmission and does not encrypt the complete packet. -
Question 17 of 55
17. Question
1 pointsWhat does the TACACS+ protocol provide in a AAA deployment?Correct
Incorrect
TACACS+ utilizes TCP port 49, provides authorization on a per-user or per-group basis, encrypts the entire packet, and does not provide compatibility with previous TACACS protocols.
Hint
TACACS+ utilizes TCP port 49, provides authorization on a per-user or per-group basis, encrypts the entire packet, and does not provide compatibility with previous TACACS protocols. -
Question 18 of 55
18. Question
2 pointsA network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two.)Correct
Incorrect
RADIUS authentication supports the following features:RADIUS authentication and authorization as one process Encrypts only the password Utilizes UDP Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)
Hint
RADIUS authentication supports the following features:RADIUS authentication and authorization as one process Encrypts only the password Utilizes UDP Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP) -
Question 19 of 55
19. Question
1 pointsAn administrator is comparing multiple implementations of AAA. Which AAA method is server-based and considered the most secure?Correct
Incorrect
-
Question 20 of 55
20. Question
2 pointsA network administrator is configuring an AAA server to manage TACACS+ authentication. What are two attributes of TACACS+ authentication? (Choose two.)Correct
Incorrect
TACACS+ authentication includes the following attributes: Separates authentication and authorization processes Encrypts all communication, not just passwords Utilizes TCP port 49
Hint
TACACS+ authentication includes the following attributes: Separates authentication and authorization processes Encrypts all communication, not just passwords Utilizes TCP port 49 -
Question 21 of 55
21. Question
2 pointsWhich two UDP port numbers may be used for server-based AAA RADIUS authentication? (Choose two.)Correct
Incorrect
RADIUS authentication and accounting utilize the following UDP port numbers:UDP port 1645 or 1812 for authentication UDP port 1646 or 1813 for accounting TACACS+ uses TCP port 49.
Hint
RADIUS authentication and accounting utilize the following UDP port numbers:UDP port 1645 or 1812 for authentication UDP port 1646 or 1813 for accounting TACACS+ uses TCP port 49. -
Question 22 of 55
22. Question
1 pointsWhich functionality does the TACACS single-connection keyword provide to AAA services?Correct
Incorrect
The single-connection keyword enhances TCP performance with TACACS+ by maintaining a single TCP connection for the life of the session. Without the single-connection keyword, a TCP connection is opened and closed per session.Hint
The single-connection keyword enhances TCP performance with TACACS+ by maintaining a single TCP connection for the life of the session. Without the single-connection keyword, a TCP connection is opened and closed per session. -
Question 23 of 55
23. Question
1 pointsWhat is an effective deployment of IPS and IDS appliances in a corporate network?Correct
Incorrect
An IPS is deployed in inline mode whereas an IDS is deployed in promiscuous mode. An effective deployment of IPS/IDS is to place an IPS right behind the border router to filter the traffic inbound to and outbound from the corporate internal network. IPS and IDS technologies can complement each other. Although an IDS will not stop an intrusion attack immediately, it can be used to validate IPS operation because the IDS can be configured for deeper packet inspection offline. This allows the IPS to focus on fewer but more critical traffic patterns inline. Placing IPS and IDS in the DMZ network will not protect the corporate internal network.
Hint
An IPS is deployed in inline mode whereas an IDS is deployed in promiscuous mode. An effective deployment of IPS/IDS is to place an IPS right behind the border router to filter the traffic inbound to and outbound from the corporate internal network. IPS and IDS technologies can complement each other. Although an IDS will not stop an intrusion attack immediately, it can be used to validate IPS operation because the IDS can be configured for deeper packet inspection offline. This allows the IPS to focus on fewer but more critical traffic patterns inline. Placing IPS and IDS in the DMZ network will not protect the corporate internal network. -
Question 24 of 55
24. Question
1 pointsWhich statement describes the function of the SPAN tool used in a Cisco switch?Correct
Incorrect
To analyze network traffic passing through a switch, switched port analyzer (SPAN) can be used. SPAN can send a copy of traffic from one port to another port on the same switch where a network analyzer or monitoring device is connected. SPAN is not required for syslog or SNMP. SPAN is used to mirror traffic, while syslog and SNMP are configured to send data directly to the appropriate server.
Hint
To analyze network traffic passing through a switch, switched port analyzer (SPAN) can be used. SPAN can send a copy of traffic from one port to another port on the same switch where a network analyzer or monitoring device is connected. SPAN is not required for syslog or SNMP. SPAN is used to mirror traffic, while syslog and SNMP are configured to send data directly to the appropriate server. -
Question 25 of 55
25. Question
3 pointsWhat are three attributes of IPS signatures? (Choose three.)Correct
Incorrect
IPS signatures have three distinctive attributes: • type • trigger (alarm) • action
Hint
IPS signatures have three distinctive attributes: • type • trigger (alarm) • action -
Question 26 of 55
26. Question
1 pointsA system analyst is configuring and tuning a recently deployed IPS appliance. By examining the IPS alarm log, the analyst notices that the IPS does not generate alarms for a few known attack packets. Which term describes the lack of alarms by the IPS?Correct
Incorrect
The alarms generated by an IPS can be classified into 4 types:A false positive occurs when an IPS generates an alarm on normal user traffic that should not have triggered an alarm. A false negative occurs when an IPS fails to generate an alarm after processing attack traffic the IPS is configured to detect. A true positive occurs when an IPS generates an alarm in response to known attack traffic. A true negative occurs when normal network traffic does not generate an alarm.
Hint
The alarms generated by an IPS can be classified into 4 types:A false positive occurs when an IPS generates an alarm on normal user traffic that should not have triggered an alarm. A false negative occurs when an IPS fails to generate an alarm after processing attack traffic the IPS is configured to detect. A true positive occurs when an IPS generates an alarm in response to known attack traffic. A true negative occurs when normal network traffic does not generate an alarm. -
Question 27 of 55
27. Question
1 pointsWhich IPS signature trigger type is based on a defined profile of normal network activity?Correct
Incorrect
There are four IPS trigger types: pattern-based detection anomaly-based detection policy-based detection honeypot-based detection Anomaly-based detection compares network activity to a predefined profile of what is considered normal activity.
Hint
There are four IPS trigger types: pattern-based detection anomaly-based detection policy-based detection honeypot-based detection Anomaly-based detection compares network activity to a predefined profile of what is considered normal activity. -
Question 28 of 55
28. Question
1 pointsWhich type of IPS signature alarm occurs from normal traffic that should not have triggered an alarm?Correct
Incorrect
There are four IPS alarms: False positive - occurs when normal traffic triggers an alarm False negative - occurs when known malicious traffic that should trigger an alarm does not True positive - occurs when traffic that is known to be malicious triggers an attack True negative - occurs when normal traffic does not trigger an alarm
Hint
There are four IPS alarms: False positive - occurs when normal traffic triggers an alarm False negative - occurs when known malicious traffic that should trigger an alarm does not True positive - occurs when traffic that is known to be malicious triggers an attack True negative - occurs when normal traffic does not trigger an alarm -
Question 29 of 55
29. Question
1 pointsWhich condition describes a true positive IPS signature alarm?Correct
Incorrect
There are four IPS alarms: False positive - occurs when normal traffic triggers an alarm False negative - occurs when known malicious traffic that should trigger an alarm does not True positive - occurs when traffic that is known to be malicious triggers an attack True negative - occurs when normal traffic does not trigger an alarm
Hint
There are four IPS alarms: False positive - occurs when normal traffic triggers an alarm False negative - occurs when known malicious traffic that should trigger an alarm does not True positive - occurs when traffic that is known to be malicious triggers an attack True negative - occurs when normal traffic does not trigger an alarm -
Question 30 of 55
30. Question
1 pointsA security specialist configures an IPS so that it will generate an alert when an attack is first detected. Alerts for the subsequent detection of the same attack are suppressed for a pre-defined period of time. Another alert will be generated at the end of the period indicating the number of the attack detected. Which IPS alert monitoring mechanism is configured?Correct
Incorrect
Alerts generated by an IPS should be monitored closely to ensure proper actions are taken against malicious attacks. IPS solutions incorporate two types of alerts, atomic alerts and summary alerts. Atomic alerts are generated every time a signature triggers. A summary alert is a single alert that indicates multiple occurrences of the same signature from the same source address or port. With a summary alter, the first detection of the attack triggers a normal alert. Subsequent detection of the same attack is counted until the end of the signature summary interval. When the length of time specified by the summary interval has elapsed, a summary alarm is sent, indicating the number of alarms that occurred during the time interval.
Hint
Alerts generated by an IPS should be monitored closely to ensure proper actions are taken against malicious attacks. IPS solutions incorporate two types of alerts, atomic alerts and summary alerts. Atomic alerts are generated every time a signature triggers. A summary alert is a single alert that indicates multiple occurrences of the same signature from the same source address or port. With a summary alter, the first detection of the attack triggers a normal alert. Subsequent detection of the same attack is counted until the end of the signature summary interval. When the length of time specified by the summary interval has elapsed, a summary alarm is sent, indicating the number of alarms that occurred during the time interval. -
Question 31 of 55
31. Question
1 pointsIn configuring a Cisco router to prepare for IPS and VPN features, a network administrator opens the file realm-cisco.pub.key.txt, and copies and pastes the contents to the router at the global configuration prompt. What is the result after this configuration step?Correct
Incorrect
The third step in implementing IOS IPS is to configure the Cisco IOS IPS public key that is located in the realm-cisco.pub.key.txt file. This public key is used to verify digital signature for the master signature file, and can be downloaded from cisco.com. To configure the IOS IPS crypto key, open the text file, and copy and paste the contents to the router at the global configuration prompt. Public/private key pairs for IPsec VPN and SSH server are generated using different methods.
Hint
The third step in implementing IOS IPS is to configure the Cisco IOS IPS public key that is located in the realm-cisco.pub.key.txt file. This public key is used to verify digital signature for the master signature file, and can be downloaded from cisco.com. To configure the IOS IPS crypto key, open the text file, and copy and paste the contents to the router at the global configuration prompt. Public/private key pairs for IPsec VPN and SSH server are generated using different methods. -
Question 32 of 55
32. Question
1 pointsWhat type of data does the DLP feature of Cisco Email Security Appliance scan in order to prevent customer data from being leaked outside of the company?Correct
Incorrect
Cisco ESAs control outbound messages through data-loss prevention (DLP), email encryption, and optional integration with the RSA Enterprise Manager. This control helps ensure that the outbound messages comply with industry standards and are protected in transit.
Hint
Cisco ESAs control outbound messages through data-loss prevention (DLP), email encryption, and optional integration with the RSA Enterprise Manager. This control helps ensure that the outbound messages comply with industry standards and are protected in transit. -
Question 33 of 55
33. Question
1 pointsWhat is the role of the Cisco NAC Agent in implementing a secure networking infrastructure?Correct
Incorrect
Cisco NAC is used in the Cisco Borderless Network Architecture to authenticate users and ensure user devices are compliant with security policies. The Cisco NAC Agent is optional agent software that runs on endpoints and performs deep inspection of the security profile of that device.
Hint
Cisco NAC is used in the Cisco Borderless Network Architecture to authenticate users and ensure user devices are compliant with security policies. The Cisco NAC Agent is optional agent software that runs on endpoints and performs deep inspection of the security profile of that device. -
Question 34 of 55
34. Question
3 pointsWhich three functions are provided under Cisco NAC framework solution? (Choose three.)Correct
Incorrect
The goal of both the Cisco NAC framework and the Cisco NAC Appliance is to ensure that only hosts that are authenticated and have their security posture examined and approved are permitted onto the network. They provide four important functions: authentication, authorization, and accounting; posture assessment (evaluating an incoming device against the security policies), quarantining of non-compliant systems, and remediation of noncompliant devices. They do not provide VPN connection or intrusion detection/prevention services.
Hint
The goal of both the Cisco NAC framework and the Cisco NAC Appliance is to ensure that only hosts that are authenticated and have their security posture examined and approved are permitted onto the network. They provide four important functions: authentication, authorization, and accounting; posture assessment (evaluating an incoming device against the security policies), quarantining of non-compliant systems, and remediation of noncompliant devices. They do not provide VPN connection or intrusion detection/prevention services. -
Question 35 of 55
35. Question
1 pointsWhat mitigation plan is best for thwarting a DoS attack that is creating a switch buffer overflow?Correct
Incorrect
A MAC address (CAM) table overflow attack, buffer overflow, and MAC address spoofing can all be mitigated by configuring port security. A network administrator would typically not want to disable STP because it prevents Layer 2 loops. DTP is disabled to prevent VLAN hopping. Placing unused ports in an unused VLAN prevents unauthorized wired connectivity.
Hint
A MAC address (CAM) table overflow attack, buffer overflow, and MAC address spoofing can all be mitigated by configuring port security. A network administrator would typically not want to disable STP because it prevents Layer 2 loops. DTP is disabled to prevent VLAN hopping. Placing unused ports in an unused VLAN prevents unauthorized wired connectivity. -
Question 36 of 55
36. Question
1 pointsWhat mitigation method is effective against CAM table overflow attacks?Correct
Incorrect
Port security is the most effective method for preventing CAM table overflow attacks. Port security gives an administrator the ability to manually specify what MAC addresses should be seen on given switch ports. It provides a method for limiting the number of MAC addresses that can be dynamically learned over a switch port.
Hint
Port security is the most effective method for preventing CAM table overflow attacks. Port security gives an administrator the ability to manually specify what MAC addresses should be seen on given switch ports. It provides a method for limiting the number of MAC addresses that can be dynamically learned over a switch port. -
Question 37 of 55
37. Question
1 pointsWhich antispoofing technology is used to mitigate DoS attacks?Correct
Incorrect
Implementing switch port-security will assist in mitigating DoS attacks. In order to mitigate reconnaissance attacks, it is best to use strong authentication, a switched infrastructure, antisniffer software, and encryption.
Hint
Implementing switch port-security will assist in mitigating DoS attacks. In order to mitigate reconnaissance attacks, it is best to use strong authentication, a switched infrastructure, antisniffer software, and encryption. -
Question 38 of 55
38. Question
1 pointsWhat action can a network administrator take to help mitigate the threat of VLAN hopping attacks?Correct
Incorrect
There are two methods for mitigating VLAN hopping attacks:
- disabling automatic trunking negotiation on switchports
- turning trunking off on all unused nontrunk switchport
Hint
There are two methods for mitigating VLAN hopping attacks:- disabling automatic trunking negotiation on switchports
- turning trunking off on all unused nontrunk switchport
-
Question 39 of 55
39. Question
1 pointsIn what situation would a network administrator most likely implement root guard?Correct
Incorrect
Root guard in conjunction with PortFast, and BPDU guard is used to prevent an STP manipulation attack.
Hint
Root guard in conjunction with PortFast, and BPDU guard is used to prevent an STP manipulation attack. -
Question 40 of 55
40. Question
1 pointsWhat can be implemented to help mitigate the threat of a rogue switch becoming the root bridge in an STP domain?Correct
Incorrect
There are several recommended STP stability mechanisms to help mitigate STP manipulation attacks:
- PortFast - Used to immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state. Applied to all end-user ports.
- BPDU guard - Immediately error-disables a port that receives a BPDU. Applied to all end-user ports.
- Root guard - Prevents a switch from becoming the root switch. Applied to all ports where root switch should not be located.
- Loop guard - Detects unidirectional links to prevent alternate or root ports from becoming designated ports. Applied to all ports that are or can become non-designated.
Hint
There are several recommended STP stability mechanisms to help mitigate STP manipulation attacks:- PortFast - Used to immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state. Applied to all end-user ports.
- BPDU guard - Immediately error-disables a port that receives a BPDU. Applied to all end-user ports.
- Root guard - Prevents a switch from becoming the root switch. Applied to all ports where root switch should not be located.
- Loop guard - Detects unidirectional links to prevent alternate or root ports from becoming designated ports. Applied to all ports that are or can become non-designated.
-
Question 41 of 55
41. Question
1 pointsWhich network attack is mitigated by enabling BPDU guard?Correct
Incorrect
There are several recommended STP stability mechanisms to help mitigate STP manipulation attacks: PortFast - used to immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state. Applied to all end-user ports. BPDU guard - immediately error-disables a port that receives a BPDU. Applied to all end-user ports.The receipt of BPDUs may be part of an unauthorized attempt to add a switch to the network. Root guard - prevents a switch from becoming the root switch. Applied to all ports where the root switch should not be located. Loop guard - detects unidirectional links to prevent alternate or root ports from becoming designated ports. Applied to all ports that are or can become nondesignated.
Hint
There are several recommended STP stability mechanisms to help mitigate STP manipulation attacks: PortFast - used to immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state. Applied to all end-user ports. BPDU guard - immediately error-disables a port that receives a BPDU. Applied to all end-user ports.The receipt of BPDUs may be part of an unauthorized attempt to add a switch to the network. Root guard - prevents a switch from becoming the root switch. Applied to all ports where the root switch should not be located. Loop guard - detects unidirectional links to prevent alternate or root ports from becoming designated ports. Applied to all ports that are or can become nondesignated. -
Question 42 of 55
42. Question
1 pointsWhat type of algorithms require sender and receiver to exchange a secret key that is used to ensure the confidentiality of messages?Correct
Incorrect
Symmetric algorithms use the same key, a secret key, to encrypt and decrypt data. This key must be pre-shared before communication can occur. Asymmetric algorithms require more processing power and overhead on the communicating devices because these keys can be long in order to avoid being hacked.
Hint
Symmetric algorithms use the same key, a secret key, to encrypt and decrypt data. This key must be pre-shared before communication can occur. Asymmetric algorithms require more processing power and overhead on the communicating devices because these keys can be long in order to avoid being hacked. -
Question 43 of 55
43. Question
1 pointsWhat is the primary function of the Diffie-Hellman algorithm?Correct
Incorrect
The Diffie-Hellman (DH) algorithm is a modern key exchange method that allows the exchange of secret keys securely over an untrusted network.
Hint
The Diffie-Hellman (DH) algorithm is a modern key exchange method that allows the exchange of secret keys securely over an untrusted network. -
Question 44 of 55
44. Question
1 pointsHow is asymmetric encryption used to provide confidentiality for VPN traffic?Correct
Incorrect
Asymmetric algorithms use two keys. if a public key encrypts the data, the matching private key decrypts the data. The opposite is also true. If a private key encrypts the data, the corresponding public key decrypts the data.
Hint
Asymmetric algorithms use two keys. if a public key encrypts the data, the matching private key decrypts the data. The opposite is also true. If a private key encrypts the data, the corresponding public key decrypts the data. -
Question 45 of 55
45. Question
1 pointsA security technician uses an asymmetric algorithm to encrypt messages with a private key and then forwards that data to another technician. What key must be used to decrypt this data?Correct
Incorrect
Asymmetric algorithms use two keys. if a public key encrypts the data, the matching private key decrypts the data. The opposite is also true. If a private key encrypts the data, the corresponding public key decrypts the data.
Hint
Asymmetric algorithms use two keys. if a public key encrypts the data, the matching private key decrypts the data. The opposite is also true. If a private key encrypts the data, the corresponding public key decrypts the data. -
Question 46 of 55
46. Question
1 pointsWhich transform set provides the best protection?Correct
Incorrect
DES uses 56-bit keys. 3DES uses 56-bit keys, but encrypts three times. AES uses 128-bit keys. AES-256 uses 256-bit keys and is the strongest.
Hint
DES uses 56-bit keys. 3DES uses 56-bit keys, but encrypts three times. AES uses 128-bit keys. AES-256 uses 256-bit keys and is the strongest. -
Question 47 of 55
47. Question
1 pointsWhen is a security association (SA) created if an IPsec VPN tunnel is used to connect between two sites?Correct
Incorrect
As seen in the 8.4.1.1 Figure, an IPsec VPN connection creates two SAs: (1) at the completion of the IKE Phase 1 once the peers negotiate the IKE SA policy, and (2) at the end of IKE Phase 2 after the transform sets are negotiated.
Hint
As seen in the 8.4.1.1 Figure, an IPsec VPN connection creates two SAs: (1) at the completion of the IKE Phase 1 once the peers negotiate the IKE SA policy, and (2) at the end of IKE Phase 2 after the transform sets are negotiated. -
Question 48 of 55
48. Question
1 pointsWhat is negotiated in the establishment of an IPsec tunnel between two IPsec hosts during IKE Phase 1?Correct
Incorrect
Establishing an IPsec tunnel involves five steps:
- Detection of interesting traffic defined by an ACL
- IKE Phase 1 in which peers negotiate ISAKMP SA policy
- IKE Phase 2 in which peers negotiate IPsec SA policy
- Creation of the IPsec tunnel
- Termination of the IPsec tunnel
Hint
Establishing an IPsec tunnel involves five steps:- Detection of interesting traffic defined by an ACL
- IKE Phase 1 in which peers negotiate ISAKMP SA policy
- IKE Phase 2 in which peers negotiate IPsec SA policy
- Creation of the IPsec tunnel
- Termination of the IPsec tunnel
-
Question 49 of 55
49. Question
1 pointsWhat is the next step in the establishment of an IPsec VPN after IKE Phase 1 is complete?Correct
Incorrect
Establishing an IPsec tunnel involves five steps:
- detection of interesting traffic defined by an ACL
- IKE Phase 1 in which peers negotiate ISAKMP SA policy
- IKE Phase 2 in which peers negotiate IPsec SA policy
- Creation of the IPsec tunnel
- Termination of the IPsec tunnel
Hint
Establishing an IPsec tunnel involves five steps:- detection of interesting traffic defined by an ACL
- IKE Phase 1 in which peers negotiate ISAKMP SA policy
- IKE Phase 2 in which peers negotiate IPsec SA policy
- Creation of the IPsec tunnel
- Termination of the IPsec tunnel
-
Question 50 of 55
50. Question
1 pointsConsider the following configuration on a Cisco ASA: crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac What is the purpose of this command?Correct
Incorrect
The transform set is negotiated during Phase 2 of the IPsec VPN connection process. The purpose of the transform set is to define what encryption and authentication schemes can be used. The device doing the VPN initiation offers the acceptable transform sets in order of preference, in this case, ESP authentication using DES for encryption or ESP authentication using SHA-HMAC authentication and integrity for the data payload. Remember that ESP provides confidentiality with encryption and integrity with authentication. The ESP-DES-SHA is the name of the transform set. The parameters that follow (esp-des and esp-sha-hmac) are the specific types of encryption or authentication that is supported by the ASA for the VPN tunnel that uses this transform set.
Hint
The transform set is negotiated during Phase 2 of the IPsec VPN connection process. The purpose of the transform set is to define what encryption and authentication schemes can be used. The device doing the VPN initiation offers the acceptable transform sets in order of preference, in this case, ESP authentication using DES for encryption or ESP authentication using SHA-HMAC authentication and integrity for the data payload. Remember that ESP provides confidentiality with encryption and integrity with authentication. The ESP-DES-SHA is the name of the transform set. The parameters that follow (esp-des and esp-sha-hmac) are the specific types of encryption or authentication that is supported by the ASA for the VPN tunnel that uses this transform set. -
Question 51 of 55
51. Question
1 pointsRefer to the exhibit. Based on the security levels of the interfaces on ASA1, what traffic will be allowed on the interfaces?Correct
Incorrect
ASA devices have security levels assigned to each interface that are not part of a configured ACL. These security levels allow traffic from more secure interfaces, such as security level 100, to access less secure interfaces, such as level 0. By default, they allow traffic from more secure interfaces (higher security level) to access less secure interfaces (lower security level). Traffic from the less secure interfaces is blocked from accessing more secure interfaces.
Hint
ASA devices have security levels assigned to each interface that are not part of a configured ACL. These security levels allow traffic from more secure interfaces, such as security level 100, to access less secure interfaces, such as level 0. By default, they allow traffic from more secure interfaces (higher security level) to access less secure interfaces (lower security level). Traffic from the less secure interfaces is blocked from accessing more secure interfaces. -
Question 52 of 55
52. Question
1 pointsIn the implementation of security on multiple devices, how do ASA ACLs differ from Cisco IOS ACLs?Correct
Incorrect
The Cisco IOS ACLs are configured with a wildcard mask and the Cisco ASA ACLs are configured with a subnet mask. Both devices use an implicit deny, top down sequential processing, and named or numbered ACLs.
Hint
The Cisco IOS ACLs are configured with a wildcard mask and the Cisco ASA ACLs are configured with a subnet mask. Both devices use an implicit deny, top down sequential processing, and named or numbered ACLs. -
Question 53 of 55
53. Question
1 pointsIn the implementation of network security, how does the deployment of a Cisco ASA firewall differ from a Cisco IOS router?Correct
Incorrect
The differences between ASA devices and Cisco IOS routers include the following: An ASA device configured with ACLs is configured with a subnet mask. An ASA device supports interface security levels. An ASA device configured with an ACL is always named. ASA devices and Cisco IOS routers are similar in that they both support an implicit deny within an ACL.
Hint
The differences between ASA devices and Cisco IOS routers include the following: An ASA device configured with ACLs is configured with a subnet mask. An ASA device supports interface security levels. An ASA device configured with an ACL is always named. ASA devices and Cisco IOS routers are similar in that they both support an implicit deny within an ACL. -
Question 54 of 55
54. Question
2 pointsWhen dynamic NAT on an ASA is being configured, what two parameters must be specified by network objects? (Choose two.)Correct
Incorrect
On an ASA, both the pool of addresses that will be used as inside global address and the range of internal private addresses that should be translated are configured through network objects.
Hint
On an ASA, both the pool of addresses that will be used as inside global address and the range of internal private addresses that should be translated are configured through network objects. -
Question 55 of 55
55. Question
1 pointsWhat function is performed by the class maps configuration object in the Cisco modular policy framework?Correct
Incorrect
There are three configuration objects in the MPF; class maps, policy maps, and service policy. The class maps configuration object uses match criteria to identify interesting traffic.
Hint
There are three configuration objects in the MPF; class maps, policy maps, and service policy. The class maps configuration object uses match criteria to identify interesting traffic.