18-22 NetSEC

Which two scenarios are examples of remote access VPNs? (Choose two.) All users at a large branch office can access company resources through a single VPN connection. A small branch office with three employees has a Cisco ASA that is used to create a VPN connection to the HQ. A toy manufacturer has a permanent VPN connection to one of its parts suppliers. A mobile sales agent is connecting to the company network via the Internet connection at a hotel. An employee who is working from home uses VPN client software on a laptop in order to connect to the company network.

A mobile sales agent is connecting to the company network via the Internet connection at a hotel. An employee who is working from home uses VPN client software on a laptop in order to connect to the company network.

A network analyst wants to monitor the activity of all new interns. Which type of security testing would track when the interns sign on and sign off the network? vulnerability scanning password cracking network scanning integrity checker

integrity checker

What technology is used to negotiate security associations and calculate shared keys for an IPsec VPN tunnel? PSK SHA 3DES IKE

IKE

A site-to-site IPsec VPN is to be configured. Place the configuration steps in order. Configure IKE PHASE 2 Apply IPSec Policy Verify Ipsec Tunnel Configure a Crypto Map Configure the ISAKMP policies for Phase 1

Phase 1 Phase 2 Crypto Map IPsec Policy IPsec Tunnel

What testing tool is available for network administrators who need a GUI version of Nmap? SuperScan SIEM Nessus Zenmap

Zenmap

What is needed to define interesting traffic in the creation of an IPsec tunnel? security associations hashing algorithm access list transform set

access list

What is the goal of network penetration testing? determining the feasibility and the potential consequences of a successful attack detecting potential weaknesses in systems detecting configuration changes on network systems detecting weak passwords

determining the feasibility and the potential consequences of a successful attack

Refer to the exhibit. What kind of NAT is configured on the ASA device? dynamic NAT Twice NAT dynamic PAT static NAT

dynamic PAT

What mechanism is used by an ASA device to allow inspected outbound traffic to return to the originating sender who is on an inside network? access control lists Network Address Translation security zones stateful packet inspection

stateful packet inspection

Refer to the exhibit. What HMAC algorithm is being used to provide data integrity? MD5 AES SHA DH

SHA

What is the purpose of configuring an IP address on an ASA device in transparent mode? management routing NAT VPN connectivity

management

In which two instances will traffic be denied as it crosses the ASA 5506-X device? (Choose two.) traffic originating from the inside network going to the outside network traffic originating from the inside network going to the DMZ network traffic originating from the outside network going to the inside network traffic originating from the outside network going to the DMZ network traffic originating from the DMZ network going to the inside network

traffic originating from the outside network going to the inside network traffic originating from the DMZ network going to the inside network

Which protocol creates a virtual point-to-point connection to tunnel unencrypted traffic between Cisco routers from a variety of protocols? IKE IPsec OSPF GRE

GRE

Which two statements describe a remote access VPN? (Choose two.) It may require VPN client software on hosts. It requires hosts to send TCP/IP traffic through a VPN gateway. It connects entire networks to each other. It is used to connect individual hosts securely to a company network over the Internet. It requires static configuration of the VPN tunnel.

It may require VPN client software on hosts. It is used to connect individual hosts securely to a company network over the Internet.

Which statement describes the effect of key length in deterring an attacker from hacking through an encryption key? The length of a key does not affect the degree of security. The shorter the key, the harder it is to break. The length of a key will not vary between encryption algorithms. The longer the key, the more key possibilities exist.

The longer the key, the more key possibilities exist.

When configuring interfaces on an ASA, which two pieces of information must be included? (Choose two.) group association service level FirePower version security level access list name

security level name

Refer to the exhibit. A network administrator is verifying the security configuration of an ASA. Which command produces the exhibited output? show vlan show ip interface brief show interface ip brief show switch vlan

show interface ip brief

Refer to the exhibit. What show command displays whether the securityk9 software is installed on the router and whether the EULA license has been activated? show running-config show version show interfaces s0/0/0 show crypto isakmp policy 1

show version

Two corporations have just completed a merger. The network engineer has been asked to connect the two corporate networks without the expense of leased lines. Which solution would be the most cost effective method of providing a proper and secure connection between the two corporate networks? Cisco AnyConnect Secure Mobility Client with SSL Cisco Secure Mobility Clientless SSL VPN Frame Relay remote access VPN using IPsec site-to-site VPN

site-to-site VPN

When the CLI is used to configure an ISR for a site-to-site VPN connection, what is the purpose of the crypto map command in interface configuration mode? to configure the transform set to bind the interface to the ISAKMP policy to force IKE Phase 1 negotiations to begin to negotiate the SA policy

to bind the interface to the ISAKMP policy

What can be configured as part of a network object? interface type IP address and mask upper layer protocol source and destination MAC address

IP address and mask

What type of traffic is supported by IPsec? IPsec supports all IPv4 traffic. IPsec supports layer 2 multicast traffic. IPsec supports all traffic permitted through an ACL. IPsec only supports unicast traffic.

IPsec only supports unicast traffic.

In which two instances will traffic be denied as it crosses the ASA 5505 device? (Choose two.) traffic originating from the inside network going to the DMZ network traffic originating from the inside network going to the outside network traffic originating from the outside network going to the DMZ network traffic originating from the DMZ network going to the inside network traffic originating from the outside network going to the inside network

traffic originating from the DMZ network going to the inside network traffic originating from the outside network going to the inside network

Which two statements describe the IPsec protocol framework? (Choose two.) AH uses IP protocol 51. AH provides integrity and authentication. AH provides encryption and integrity. ESP uses UDP protocol 51. AH provides both authentication and encryption.

AH uses IP protocol 51. AH provides integrity and authentication.

Which statement accurately describes a characteristic of IPsec? IPsec works at the application layer and protects all application data. IPsec is a framework of standards developed by Cisco that relies on OSI algorithms. IPsec is a framework of proprietary standards that depend on Cisco specific algorithms. IPsec works at the transport layer and protects data at the network layer. IPsec is a framework of open standards that relies on existing algorithms.

IPsec is a framework of open standards that relies on existing algorithms.

What takes place during IKE Phase 2 when establishing an IPsec VPN? Traffic is exchanged between IPsec peers. IPsec security associations are exchanged. ISAKMP security associations are exchanged. Interesting traffic is identified.

IPsec security associations are exchanged.

How does network scanning help assess operations security? It can detect open TCP ports on network systems. It can detect weak or blank passwords. It can simulate attacks from malicious sources. It can log abnormal activity.

It can detect open TCP ports on network systems.

Which is a requirement of a site-to-site VPN? It requires hosts to use VPN client software to encapsulate traffic. It requires the placement of a VPN server at the edge of the company network. It requires a VPN gateway at each end of the tunnel to encrypt and decrypt traffic. It requires a client/server architecture.

It requires a VPN gateway at each end of the tunnel to encrypt and decrypt traffic.

A network analyst is testing the security of the systems and networks of a corporation. What tool could be used to audit and recover passwords? L0phtCrack SuperScan Nessus Metasploit

L0phtCrack

How is "tunneling" accomplished in a VPN? New headers from one or more VPN protocols encapsulate the original packets. All packets between two hosts are assigned to a single physical medium to ensure that the packets are kept private. Packets are disguised to look like other types of traffic so that they will be ignored by potential attackers. A dedicated circuit is established between the source and destination devices for the duration of the connection.

New headers from one or more VPN protocols encapsulate the original packets.

Router R1 has configured ISAKMP policies numbered 1, 5, 9, and 203. Router R2 only has default policies. How will R1 attempt to negotiate the IKE Phase 1 ISAKMP tunnel with R2? R1 and R2 cannot match policies because the policy numbers are different. R1 will attempt to match policy #1 with the most secure matching policy on R2. R1 will try to match policy #203 with the most secure default policy on R2. R1 will begin to try to match policy #1 with policy #65514 on R2.

R1 will attempt to match policy #1 with the most secure matching policy on R2.

Refer to the exhibit. A VPN tunnel is configured on the WAN between R1 and R2. On which R1 interface(s) would a crypto map be applied in order to create a VPN between R1 and R2? G0/0 and G0/1 G0/0 all R1 interfaces S0/0/0

S0/0/0

Refer to the exhibit. A network administrator is configuring the security level for the ASA. Which statement describes the default result if the administrator tries to assign the Inside interface with the same security level as the DMZ interface? The ASA allows inbound traffic initiated on the Internet to the DMZ, but not to the Inside interface. The ASA console will display an error message. The ASA will not allow traffic in either direction between the Inside interface and the DMZ. The ASA allows traffic from the Inside to the DMZ, but blocks traffic initiated on the DMZ to the Inside interface.

The ASA will not allow traffic in either direction between the Inside interface and the DMZ.

What are three characteristics of the ASA routed mode? (Choose three.) This mode is referred to as a "bump in the wire." In this mode, the ASA is invisible to an attacker. The interfaces of the ASA separate Layer 3 networks and require different IP addresses in different subnets. It is the traditional firewall deployment mode. This mode does not support VPNs, QoS, or DHCP Relay. NAT can be implemented between connected networks.

The interfaces of the ASA separate Layer 3 networks and require different IP addresses in different subnets. It is the traditional firewall deployment mode. NAT can be implemented between connected networks.

Refer to the exhibit. Based on the security levels of the interfaces on the ASA, what statement correctly describes the flow of traffic allowed on the interfaces? Traffic that is sent from the LAN and the Internet to the DMZ is considered inbound. Traffic that is sent from the DMZ and the Internet to the LAN is considered outbound. Traffic that is sent from the LAN to the DMZ is considered inbound. Traffic that is sent from the LAN to the DMZ is considered inbound. Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.

Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.

Which license provides up to 50 IPsec VPN users on an ASA 5506-X device? the most commonly pre-installed Base license a purchased Security Plus upgrade license a purchased Base license a purchased AnyConnect Premium license

a purchased Security Plus upgrade license

What is the function of a policy map configuration when an ASA firewall is being configured? binding a service policy to an interface binding class maps with actions identifying interesting traffic using ACLs to match traffic

binding class maps with actions

What are three characteristics of SIEM? (Choose three.) can be implemented as software or as a service Microsoft port scanning tool designed for Windows examines logs and events from systems and applications to detect security threats consolidates duplicate event data to minimize the volume of gathered data uses penetration testing to determine most network vulnerabilities provides real-time reporting for short-term security event analysis

can be implemented as software or as a service examines logs and events from systems and applications to detect security threats consolidates duplicate event data to minimize the volume of gathered data

What interface configuration command is used on an ASA to request an IP address from an upstream DSL device? ip address ip-address netmask ip address dhcp setroute dhcpd address IP_address1 [ -IP_address2 ] if_name ip address pppoe

ip address pppoe

What are the two modes used in IKE Phase 1? (Choose two.) passive primary main secondary aggressive

main aggressive

What is the purpose of the Tripwire network testing tool? to perform vulnerability scanning to provide information about vulnerabilities and aid in penetration testing and IDS signature development to assess configuration against established policies, recommended best practices, and compliance standards to detect unauthorized wired network access to provide password auditing and recovery

to assess configuration against established policies, recommended best practices, and compliance standards

Consider the following configuration on a Cisco ASA:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
What is the purpose of this command? to define the ISAKMP parameters that are used to establish the tunnel to define the encryption and integrity algorithms that are used to build the IPsec tunnel to define what traffic is allowed through and protected by the tunnel to define only the allowed encryption algorithms

to define the encryption and integrity algorithms that are used to build the IPsec tunnel

What is a function of the GRE protocol? to configure the set of encryption and hashing algorithms that will be used to transform the data sent through the IPsec tunnel to encapsulate multiple OSI Layer 3 protocol packet types inside an IP tunnel to configure the IPsec tunnel lifetime to provide encryption through the IPsec tunnel

to encapsulate multiple OSI Layer 3 protocol packet types inside an IP tunnel

