1. Which statement is true about the One-Step lockdown feature of the CCP
Security Audit wizard?
It sets an access class ACL on VTY lines. [ComoEh]
It enables TCP intercepts.
It provides an option for configuring SNMPv3 on all routers.
It enables the Secure Copy Protocol (SCP).
It supports AAA configuration. [Kim]
(Ref: As appeared on Final Exam v1.1)
2. With the Cisco AnyConnect VPN wizard, which two protocols can be used
for tunnel group configuration? (Choose two.)
MPLS
SSH [Dimented]
PPTP
ESP [Johnny]
IPsec [Dimented, Johnny]
4.
7.
10.
11. What is a type of SSL VPN that provides access to a network without
requiring VPN software or a Java applet on the client?
clientless mode [nuno, Snarl and Johnny]
Cisco VPN client mode [Zaf and Dimented]
full client mode
thin client mode
(Ref: 8.6.3.2)
12. What are two reasons for a company to migrate from a classic firewall to
the ZPF model? (Choose two.)
The classic firewall will perform the same inspection on all traffic
that goes through a specific interface.
The classic firewall can only have one policy that affects any given traffic.
The classic firewall security posture is to block unless explicitly allowed.
The classic firewall is limited to two interfaces.
The classic firewall relies heavily on ACLs.
(ref: 4.3.1.2 Benefits of Zone-Based Policy Firewall)
13. What is the main difference between the implementation of IDS and IPS
devices?
An IDS uses signature-based technology to detect malicious packets, whereas
an IPS uses profile-based technology.
An IDS would allow malicious traffic to pass before it is addressed,
whereas an IPS stops it immediately.
An IDS can negatively impact the packet flow, whereas an IPS can not.
An IDS needs to be deployed together with a firewall device, whereas an IPS
can replace a firewall.
14. What information must an IPS track in order to detect attacks matching a
composite signature?
the state of packets related to the attack [Zen]
the total number of packets in the attack [Rahul and Navneet]
the network bandwidth consumed by all packets
the attacking period used by the attacker [Daniel]
17. What is a difference between ASA IPv4 ACLs and IOS IPv4 ACLs?
ASA ACLs use the subnet mask in defining a network, whereas IOS
ACLs use the wildcard mask. [Zaf, Snarl and Dimented]
ASA ACLs do not have an implicit deny all at the end, whereas IOS ACLs do.
ASA ACLs use forward and drop ACEs, whereas IOS ACLs use permit and deny
ACEs.
Multiple ASA ACLs can be applied on an interface in the ingress direction,
whereas only one IOS ACL can be applied.
ASA ACLs are always named, whereas IOS ACLs can be named or
numbered. [Johnny]
(Ref: 9.2.6.1)
19. Why have corporations been shifting remote access security policies to
include support for ASA SSL VPNs?
to have stronger encryption options
to support secure access for users on a multitude of devices [nuno
and Kiros]
to have stronger authentication options
to provide stronger overall security [Dimented]
(ref: 9.3.1.1 Implementing SSL VPNs Using Cisco ASA)
20.
Refer to the exhibit. What is the purpose of the object group-based ACL?
It allows users on the 10.5.0.0/24 network access via HTTPS to
remote devices on the 10.7.150.0/28, 10.7.151.0/28, 10.7.160.0/28,
and 10.7.161.0/28 networks. [nuno]
It allows devices on the 10.7.150.0/28, 10.7.151.0/28, 10.7.160.0/28,
10.7.161.0/28 networks to receive TCP-based broadcasts. [Rahul]
It allows any TCP traffic with port 443 from the 10.7.150.0/28, 10.7.151.0/28,
10.7.160.0/28, and 10.7.161.0/28 networks access to the 10.5.0.0/24
network.
It allows devices on the 10.5.0.0/24 network to have telnet and web access to
the 10.7.150.0/28, 10.7.151.0/28, 10.7.160.0/28, and 10.7.161.0/28 networks.
21.
Refer to the exhibit. Based on the output from the show secure bootset
command on router R1, which three conclusions can be drawn about Cisco
IOS Resilience? (Choose three.)
The Cisco IOS image file is hidden and cannot be copied, modified, or
deleted.
A copy of the router configuration file has been made.
The Cisco IOS image filename will be listed when the show flash command is
issued on R1.
A copy of the Cisco IOS image file has been made.
The secure boot-config command was issued on R1.
The copy tftp flash command was issued on R1.
(Ref: As appeared on Final Exam v1.1)
23. Which three statements describe limitations in using privilege levels for
assigning command authorization? (Choose three.)
The root user must be assigned to each privilege level that is defined.
It is required that all 16 privilege levels be defined, whether they are used or
not.
Views are required to define the CLI commands that each user can access.
There is no access control to specific interfaces on a router.
Creating a user account that needs access to most but not all
commands can be a tedious process.
Commands set on a higher privilege level are not available for lower
privilege users.
(Ref: As appeared on Final Exam v1.1)
24. Which algorithm is used to automatically generate a shared secret for two
systems to use in establishing an IPsec VPN?
DES
DH
3DES
ESP
AH
SSL
25. What type of security key is generated by the local user software when a
user is connecting to a Cisco ASA through a remote-access SSL VPN?
asymmetric key
digitally signed private key
shared-secret key
digitally signed public key
(Ref: 8.6.3.4)
26. What is one advantage of using a Cisco ASA for remote networking VPN
deployment compared to a Cisco ISR?
support for SSL VPNs [Zaf and Dimented]
support for more concurrent user sessions [nuno, Kiros, Johnny and
Zen]
support for IPsec VPNs
support for AAA external authentication
28. In what two phases of the system development life cycle does risk
assessment take place? (Choose two.)
operation and maintenance
disposition
implementation
initiation
acquisition and development
29. What is one benefit of implementing a secure email service by using the
Cisco Email Security Appliance (ESA)?
ESA provides isolation between processes.
It obtains real-time updates from the Cisco SIO.
It uses the network infrastructure to enforce security policy compliance.
It combines advanced threat defense and secure mobility for email.
(Ref 6.1.2.2 and 6.1.2.3)
30.
Refer to the exhibit. The administrator can ping the S0/0/1 interface of
RouterB but is unable to gain Telnet access to the router by using the
password cisco123. What is a possible cause of the problem?
The Telnet connection between RouterA and RouterB is not working correctly.
The enable password and the Telnet password need to be the same.
The password cisco123 is wrong.
The administrator does not have enough rights on the PC that is being used.
(Ref: As appeared on Final Exam v1.1)
32. Which STP port type is permitted to forward traffic, but is not the port
closest to the root bridge?
root port
33.
34.
36.
servers are configured and running. What will happen if the authentication fails?
The enable secret password could be used in the next login attempt. [Dimented]
The authentication process stops.
The enable secret password and a random username could be used in the
next login attempt.
37. Which two security features can cause a switch port to become error-disabled? (Choose two.)
storm control with the trap option
PortFast with BPDU guard enabled
port security with the shutdown violation mode
root guard
protected ports
(Ref 6.3.1.3 and 6.3.3.2)
38. What are three goals of a port scan attack? (Choose three.)
to identify peripheral configurations
to discover system passwords
to determine potential vulnerabilities
to disable used ports and services [Zen]
to identify operating systems [Johnny, Snarl]
to identify active services
(ref: 1.3.1.4 / As appeared on Final Exam v1.1)
39. Which security policy component would contain procedures for handling
an issue where someone followed a network administrator into the server
room without the administrator noticing and the person removed some
storage drives?
information preservation policy
security policy
operations and maintenance document
security initiation document
are the current procedures for incident response, monitoring,
41. What are two characteristics of an acceptable use policy? (Choose two.)
It should be as explicit as possible to avoid misunderstanding. [Johnny]
It should specify who is authorized to access network resources. [Dimented]
It should identify how remote users will access the network.
It should identify what network applications and usages are acceptable.
It should enforce minimum password requirements for users.
It should be vague to allow maximum user flexibility.
(Ref 10.7.1.2)
42.
Refer to the exhibit. Which pair of crypto isakmp key commands would
correctly configure PSK on the two routers?
R1# crypto isakmp key ciscopass address 209.165.200.226
R2# crypto isakmp key secure address 209.165.200.227
43. What are two features of Cisco Easy VPN Server? (Choose two.)
44.
47. Why does a worm pose a greater threat than a virus poses?
Worms are not detected by antivirus programs.
Worms run within a host program.
49. Which two commands are needed on every IPv6 ACL to allow IPv6
neighbor discovery? (Choose two.)
permit ipv6 any any fragments
permit icmp any any nd-ns
permit icmp any any echo-reply
permit icmp any any nd-na
permit tcp any any ack
permit ipv6 any any routing
(ref: As appeared in Final Exam v1.1 )
50. A network technician has been asked to design a virtual private network
between two branch routers. Which type of cryptographic key should be used
in this scenario?
52.
Refer to the exhibit. What is the purpose of the highlighted inspect line?
53. Which two options are offered through the Cisco TrustSec Solution for
enterprise networks? (Choose two.)
Easy VPN solution
IPsec VPN solution
802.1X-Based Infrastructure solution
NAC Appliance-Based Overlay solution
Firewall and IDS integrated solution
(Ref: 3.3.3.3)
55. Two devices that are connected to the same switch need to be totally
isolated from one another. Which Cisco switch security feature will provide
this isolation?
DTP
BPDU guard [Zen]
PVLAN Edge [Snarl]
SPAN
(Ref: 6.3.7.1)
56. Why is a reflexive ACL harder to spoof compared to an extended ACL that
uses the established keyword?
It provides a secure tunnel for returning traffic.
A reflexive ACL provides a lock-and-key function.
It allows incoming packets only after the 3-way handshake is completed.
It provides more detailed filter criteria to match an incoming packet
before the packet is allowed through.
57. Which security feature helps protect a VoIP system from SPIT attacks?
AES
BPDU guard
WPA2
authenticated TLS
58. What are two protocols that are used by AAA to authenticate users
against a central database of usernames and passwords? (Choose two.)
TACACS+
NTP
SSH
RADIUS
HTTPS
CHAP
59. Which security organization updates the training material that helps
prepare for the Global Information Assurance Certification (GIAC)?
SANS
60. Which three wizards are included in Cisco ASDM 6.4? (Choose three.)
ADSL Connection wizard
Advanced Firewall wizard
High Availability and Scalability wizard
Security Audit wizard
Startup wizard
VPN wizard
(Ref: Chapter 10 Test v1.1)
62. Refer to the exhibit. What will be displayed in the output of the show
running-config object command after the exhibited configuration commands
are entered on an ASA 5505?
host 192.168.1.3
range 192.168.1.10 192.168.1.20
host 192.168.1.4 and range 192.168.1.10 192.168.1.20
host 192.168.1.3 and host 192.168.1.4
host 192.168.1.4
host 192.168.1.3, host 192.168.1.4, and range 192.168.1.10 192.168.1.20
(Ref: Chapter 10 Test v1.1)
63. Refer to the exhibit. According to the command output, which three
statements are true about the DHCP options entered on the ASA 5505?
(Choose three.)
The dhcpd auto-config outside command was issued to enable the
DHCP client.
The dhcpd enable inside command was issued to enable the DHCP
server.
The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to
enable the DHCP client.
The dhcpd auto-config outside command was issued to enable the DHCP
server.
The dhcpd enable inside command was issued to enable the DHCP client.
The dhcpd address [start-of-pool]-[end-of-pool] inside command was
issued to enable the DHCP server.
(Ref: Chapter 10 Test v1.1)
65. Which three types of remote access VPNs are supported on ASA devices?
(Choose three.)
Clientless SSL VPN using the Cisco AnyConnect Client
SSL or IPsec (IKEv2) VPN using the Cisco AnyConnect Client
IPsec (IKEv1) VPN using a web browser
66. Refer to the exhibit. The network administrator is configuring the port
security feature on switch SWC. The administrator issued the command show
port-security interface fa 0/2 to verify the configuration. What can be
concluded from the output that is shown? (Choose three.)
The switch port mode for this interface is access mode.
The port is configured as a trunk link.
Three security violations have been detected on this interface.
This port is currently up.
Security violations will cause this port to shut down immediately.
There is no device currently connected to this port.
67. What is an advantage of using CCP rather than the CLI to configure an
ACL?
IPsec is supported.
CCP applies the read-only quality to manually created access rules so that
accidental modification cannot be made.
CCP automatically applies a rule to the interface or zone most appropriate.
Traffic rules do not have to be configured when CCP is being used.
CCP provides default rules.
68. What is a CLI initiated script that locks down the control plane of a Cisco
router in one step?
Control Plane Protection
Cisco AutoSecure
IP Source Guard
Control Plane Policing
(Ref: 1. CCNA Security Chapter 2.4.2.1 Released in IOS version 12.3, Cisco
AutoSecure is a feature that is initiated from the CLI and executes a script.
2. http://www.ciscopress.com/articles/article.asp?p=1924983&seqNum=3)
Forced Authorization Codes.
Implement separate voice VLANs.
Configure IP phones to use only signed firmware files.
71. A large company deploys several network-based IPS sensors for its
headquarters network. Which network service configuration will help the
process of correlating attack events happening simultaneously in different
points of the network?
Multiple DNS servers
Distributed syslog servers with fault tolerance
A DHCP server for each IPS sensor
72. What is the role of the Cisco NAC Manager in implementing a secure
networking infrastructure?
to assess and enforce security policy compliance in the NAC environment
to perform deep inspection of device security profiles
to provide post-connection monitoring of all endpoint devices
to define role-based user access and endpoint security policies
login delay
login block-for
74. Refer to the exhibit. An administrator creates three zones (A, B, and C) in
an ASA that filters traffic. Traffic originating from Zone A going to Zone C is
denied, and traffic originating from Zone B going to Zone C is denied. What is
a possible scenario for Zones A, B, and C?
A DMZ, B Inside, C Outside
A DMZ, B Outside, C Inside
A Inside, B DMZ, C Outside
A Outside, B Inside, C DMZ
75. In a corporate network where SAN is deployed, what happens if the SAN
fabric is compromised?
Data is compromised.
Server CPUs become overloaded.
Configurations can be changed or lost.
End devices become infected.
(Ref: Chapter 6, SAN Management)
77. Logging into a computer as the administrator just to surf the web is a
violation of which security technique?
process isolation
utilizing a reference monitor
access control to resources
least privilege
79. A user complains about not being able to gain access to the network.
What command would be used by the network administrator to determine
which AAA method list is being used for this particular user as the user logs
on?
debug aaa accounting
debug aaa authorization
debug aaa authentication
80. Place the system development cycle (SDLC) phases in the order they
occur (Not all options are used)
(Drag and drop)
1st -> Initiation
2nd -> Acquisition and Development
3rd -> Implementation
4th -> Operations and Maintenance
81.
Fill in the blank.
When role-based CLI is used, only the _____________ view has the ability to
add or remove commands from existing views.
Answer: Root