350 Final

47. In the implementation of network security, how does the deployment of a Cisco ASA firewall differ from a Cisco IOS router? ASA devices use ACLs that are always numbered. ASA devices do not support an implicit deny within ACLs. ASA devices support interface security levels. ASA devices use ACLs configured with a wildcard mask.

ASA devices support interface security levels.

36. A company is concerned about data theft if any of the corporate laptops are stolen. Which Windows tool would the company use to protect the data on the laptops? AMP 802.1X RADIUS BitLocker

BitLocker

54. What is a benefit of having users or remote employees use a VPN to connect to the existing network rather than growing the network infrastructure? security scalability cost savings compatibility

scalability

27. Which type of firewall is commonly part of a router firewall and allows or blocks traffic based on Layer 3 and Layer 4 information? stateless firewall stateful firewall proxy firewall application gateway firewall

stateless firewall

2When a Cisco IOS Zone-Based Policy Firewall is being configured via CLI, which step must be taken after zones have been created? - Assign interfaces to zones. - Establish policies between zones. - Design the physical infrastructure. - Identify subsets within zones.

- Establish policies between zones.

31. What are two shared characteristics of the IDS and the IPS? (Choose two.) Both are deployed as sensors. Both analyze copies of network traffic. Both use signatures to detect malicious traffic. Both have minimal impact on network performance.​ Both rely on an additional network device to respond to malicious traffic.

Both are deployed as sensors. Both use signatures to detect malicious traffic.

DAI will validate only the destination MAC addresses.

DAI will validate both source and destination MAC addresses as well as the IP addresses in the order specified. If all parameters are valid then the ARP packet is allowed to pass. DAI will validate both source and destination MAC addresses as well as the IP addresses in the order specified. When one set of parameters are valid, the ARP packet is allowed to pass. DAI will validate only the IP addresses. DAI will validate only the destination MAC addresses.

43. Which cipher played a significant role in World War II? RC4 Caesar Enigma One-time pad

Enigma

60. What are two hashing algorithms used with IPsec AH to guarantee authenticity? (Choose two.) MD5 SHA AES DH RSA

MD5 SHA

37. What protocol is used to encapsulate the EAP data between the authenticator and authentication server performing 802.1X authentication? RADIUS TACACS+ SSH MD5

RADIUS

63. What are two monitoring tools that capture network traffic and forward it to network monitoring devices? (Choose two.) SIEM Wireshark SNMP SPAN network tap

SPAN network tap

12. What protocol is used by SCP for secure transport? IPSec HTTPS SSH Telnet TFTP

SSH

64. What is the IPS detection engine that is included in the SEC license for 4000 Series ISRs? Security Onion Snort ASDM AMP

Snort

42. During a recent pandemic, employees from ABC company were allowed to work from home. What security technology should be implemented to ensure that data communications between the employees and the ABC Head Office network remain confidential? a symmetric or asymmetric encryption algorithm such as AES or PKI a hashing algorithm such as MD5 a hash message authentication code such as HMAC a hash-generating algorithm such as SHA

a symmetric or asymmetric encryption algorithm such as AES or PKI

56. What technology allows users to verify the identity of a website and to trust code that is downloaded from the Internet? asymmetric key algorithm digital signature encryption hash algorithm

digital signature

32. When a Cisco IOS Zone-Based Policy Firewall is being configured, which two actions can be applied to a traffic class? (Choose two.) log hold drop inspect copy forward

drop inspect

10. Which benefit does SSH offer over Telnet for remotely managing a router? encryption TCP usage authorization connections via multiple VTY lines

encryption

50. What three tasks can a network administrator accomplish with the Nmap and Zenmap security testing tools? (Choose three.) operating system fingerprinting assessment of Layer 3 protocol support on hosts open UDP and TCP port detection security event analysis and reporting password recovery development of IDS signatures

operating system fingerprinting assessment of Layer 3 protocol support on hosts open UDP and TCP port detection

26. What is an advantage in using a packet filtering firewall versus a high-end firewall appliance? Packet filters perform almost all the tasks of a high-end firewall at a fraction of the cost. Packet filters represent a complete firewall solution. Packet filters are not susceptible to IP spoofing. Packet filters provide an initial degree of security at the data-link and network layer.

Packet filters perform almost all the tasks of a high-end firewall at a fraction of the cost.

34. What is a characteristic of an IPS atomic signature? it can be slow and inefficient to analyze traffic it requires several pieces of data to match an attack it is a stateful signature it is the simplest type of signature

t is the simplest type of signature

18. What is indicated by the use of the local-case keyword in a local AAA authentication configuration command sequence? that user access is limited to vty terminal lines that passwords and usernames are case-sensitive that AAA is enabled globally on the router that a default local database AAA authentication is applied to all lines

that passwords and usernames are case-sensitive

58. What is the standard for a public key infrastructure to manage digital certificates? PKI NIST-SP800 x.503 x.509

x.509

A - DMZ, B - Outside, C - Inside

A - Inside, B - DMZ, C - Outside A - DMZ, B - Outside, C - Inside A - Outside, B - Inside, C - DMZ A - DMZ, B - Inside, C - Outside

57. Which two statements correctly describe certificate classes used in the PKI? (Choose two.) A class 0 certificate is for testing purposes. A class 0 certificate is more trusted than a class 1 certificate. The lower the class number, the more trusted the certificate. A class 5 certificate is for users with a focus on verification of email. A class 4 certificate is for online business transactions between companies.

A class 4 certificate is for online business transactions between companies.

23. Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model? Both stateful and packet-filtering firewalls can filter at the application layer. A stateful firewall can filter application layer information, whereas a packet-filtering firewall cannot filter beyond the network layer. A packet-filtering firewall typically can filter up to the transport layer, whereas a stateful firewall can filter up to the session layer. A packet-filtering firewall uses session layer information to track the state of a connection, whereas a stateful firewall uses application layer information to track the state of a connection.

A packet-filtering firewall typically can filter up to the transport layer, whereas a stateful firewall can filter up to the session layer.

24. Which special hardware module, when integrated into ASA, provides advanced IPS features? Content Security and Control (CSC) Advanced Inspection and Prevention (AIP) Advanced Inspection and Prevention Security Services Card (AIP-SSC) Advanced Inspection and Prevention Security Services Module (AIP-SSM)

Advanced Inspection and Prevention (AIP)

59. Which two statements describe remote access VPNs? (Choose two.) Remote access VPNs are used to connect entire networks, such as a branch office to headquarters. End users are not aware that VPNs exists. A leased line is required to implement remote access VPNs. Client software is usually required to be able to access the network. Remote access VPNs support the needs of telecommuters and mobile users.

Client software is usually required to be able to access the network. Remote access VPNs support the needs of telecommuters and mobile users.

40. What are three techniques for mitigating VLAN hopping attacks? (Choose three.) Disable DTP. Enable trunking manually. Set the native VLAN to an unused VLAN. Enable BPDU guard. Enable Source Guard. Use private VLANs.

Disable DTP. Enable trunking manually. Set the native VLAN to an unused VLAN.

38. A company requires the use of 802.1X security. What type of traffic can be sent if the authentication port-control auto command is configured, but the client has not yet been authenticated? SNMP EAPOL broadcasts such as ARP any data encrypted with 3DES or AES

EAPOL

29. What are two benefits offered by a zone-based policy firewall on a Cisco router? (Choose two.) Policies are defined exclusively with ACLs. Policies are applied to unidirectional traffic between zones. Policies provide scalability because they are easy to read and troubleshoot. Any interface can be configured with both a ZPF and an IOS Classic Firewall. Virtual and physical interfaces are put in different zones to enhance security.

Policies are applied to unidirectional traffic between zones. Policies provide scalability because they are easy to read and troubleshoot.

39. Which two security features can cause a switch port to become error-disabled? (Choose two.) root guard PortFast with BPDU guard enabled protected ports storm control with the trap option port security with the shutdown violation mode

PortFast with BPDU guard enabled port security with the shutdown violation mode

tcp

Refer to the exhibit. A network administrator is configuring an object group on an ASA device. Which configuration keyword should be used after the object group name SERVICE1 ? udp tcp icmp ip

Outside 0, Inside 100, DMZ 50

Refer to the exhibit. A network administrator is configuring the security level for the ASA. What is a best practice for assigning the security level on the three interfaces? Outside 100, Inside 10, DMZ 40 Outside 40, Inside 100, DMZ 0 Outside 0, Inside 35, DMZ 90 Outside 0, Inside 100, DMZ 50

notification

Refer to the exhibit. What type of syslog message is displayed? informational warning debugging notification

45. Why are DES keys considered weak keys? They are more resource intensive. DES weak keys are difficult to manage. They produce identical subkeys. DES weak keys use very long key sizes.

They produce identical subkeys.

61. What is the purpose of configuring multiple crypto ACLs when building a VPN connection between remote sites? By applying the ACL on a public interface, multiple crypto ACLs can be built to prevent public users from connecting to the VPN-enabled router. Multiple crypto ACLs can be configured to deny specific network traffic from crossing a VPN. When multiple combinations of IPsec protection are being chosen, multiple crypto ACLs can define different traffic types. Multiple crypto ACLs can define multiple remote peers for connecting with a VPN-enabled router across the Internet or network.

When multiple combinations of IPsec protection are being chosen, multiple crypto ACLs can define different traffic types.

15. A server log includes this entry: User student accessed host server ABC using Telnet yesterday for 10 minutes. What type of log entry is this? authentication authorization accounting accessing

accounting

4. What are two security features commonly found in a WAN design? (Choose two.) WPA2 for data encryption of all data between sites firewalls protecting the main and remote sites outside perimeter security including continuous video surveillance port security on all user-facing ports VPNs used by mobile workers between sites

firewalls protecting the main and remote sites VPNs used by mobile workers between sites

14. What command must be issued on a Cisco router that will serve as an authoritative NTP server? ntp master 1 ntp server 172.16.0.1 ntp broadcast client clock set 11:00:00 DEC 20 2010

ntp master 1

16. Which three types of views are available when configuring the role-based CLI access feature? (Choose three.) superuser view root view superview CLI view admin view config view

root view superview CLI view

52. Which two means can be used to try to bypass the management of mobile devices? (Choose two.) using a fuzzer rooting jailbreaking packet sniffing using a Trojan Horse

rooting jailbreaking

28. A company is deploying a new network design in which the border router has three interfaces. Interface Serial0/0/0 connects to the ISP, GigabitEthernet0/0 connects to the DMZ, and GigabitEthernet/01 connects to the internal private network. Which type of traffic would receive the least amount of inspection (have the most freedom of travel)? traffic that is going from the private network to the DMZ traffic that originates from the public network and that is destined for the DMZ traffic that is returning from the DMZ after originating from the private network traffic that is returning from the public network after originating from the private network

traffic that is going from the private network to the DMZ

9. How does the service password-encryption command enhance password security on Cisco routers and switches? It encrypts passwords as they are sent across the network. It encrypts passwords that are stored in router or switch configuration files. It requires that a user type encrypted passwords to gain console access to a router or switch. It requires encrypted passwords to be used when connecting remotely to a router or switch with Telnet.

It encrypts passwords that are stored in router or switch configuration files.

JR-Admin cannot issue any command because the privilege level does not match one of those defined.

Refer to the exhibit. Which statement about the JR-Admin account is true?. JR-Admin can issue debug and reload commands. JR-Admin can issue ping and reload commands. JR-Admin can issue only ping commands. JR-Admin can issue show , ping , and reload commands. JR-Admin cannot issue any command because the privilege level does not match one of those defined.

55. What is a difference between symmetric and asymmetric encryption algorithms? Symmetric algorithms are typically hundreds to thousands of times slower than asymmetric algorithms. Symmetric encryption algorithms are used to authenticate secure communications. Asymmetric encryption algorithms are used to repudiate messages. Symmetric encryption algorithms are used to encrypt data. Asymmetric encryption algorithms are used to decrypt data. Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption algorithms use different keys to encrypt and decrypt data.

Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption algorithms use different keys to encrypt and decrypt data.

21. Which feature is unique to IPv6 ACLs when compared to those of IPv4 ACLs? the use of wildcard masks an implicit deny any any statement the use of named ACL statements an implicit permit of neighbor discovery packets

an implicit permit of neighbor discovery packets

19. A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two.) encryption for all communication hidden passwords during transmission single process for authentication and authorization separate processes for authentication and authorization encryption for only the data

hidden passwords during transmission single process for authentication and authorization

20. A network administrator is explaining to a junior colleague the use of the lt and gt keywords when filtering packets using an extended ACL. Where would the lt or gt keywords be used? in an IPv6 extended ACL that stops packets going to one specific destination VLAN in an IPv4 named standard ACL that has specific UDP protocols that are allowed to be used on a specific server in an IPv6 named ACL that permits FTP traffic from one particular LAN getting to another LAN in an IPv4 extended ACL that allows packets from a range of TCP ports destined for a specific network device

in an IPv4 extended ACL that allows packets from a range of TCP ports destined for a specific network device