CCNA Security v2.0 Final Exam
What is the default preconfigured security level for the outside network interface on a Cisco ASA 5505?
0
What service or protocol does the Secure Copy Protocol rely on to ensure that secure copy transfers area from authorized users?
AAA
What algorithm is used with IPsec to provide data confidentiality
AES
What is a limitation to using OOB management on a large enterprise network?
All devices appear to be attached to a single management network
On what switch port s should PortFast be enabled to enhance STP stability?
All end-user ports
A company deploys a network-based IPS. Which statement describes a false negative alarm that is issued by the IPS sensor?
An attack packet passes an no alarm is generated
hich two end points can be on the other side of an ASA site-to-site VPN configured using ASDM?
Another ASA ISR Router
Which type of ASDM connection would provide secure remote access for remote users into corporate networks?
AnyConnect SSL VPN
What are two drawbacks in assigning user privilege levels on a Cisco router?
Assigning a command with multiple keywords allows access to all commands using those keywords Commands from a lower level are always executable at a higher level
What does the keyword default specify when used with the aaa authentication login command?
Authentication is automatically applied to the con 0, aux, and the vty lines
Which router component determines the number of signatures and engines that can be support
Available memory
How can DHCP spoofing attacks be mitigated?
By implementing DHCP snooping on trusted ports
Which three forwarding plane services and functions are enabled by the Cisco AutoSecure feature?
Cisco IOS firewall inspection Cisco Express Forwarding (CEF) Traffic filtering with ACLs
Which feature of the Cisco Network Foundation Protection framework prevents a route processor from being overwhelmed by unnecessary traffic?
Control Plane Policing
When configuring SSH on a router to implement secure network management, a network engineer has issued the login local and transport input ssh line vty commands. What three additional configuration actions have to be performed to complete the SSH configuration?
Create a valid local username and password database Generate the asymmetric RSA keys Configure the correct IP domain name
What can be used as an alternative to HMAC
Digital Signatures
A network administrator is configuring an AAA server to manage TACACS+ authentication. What are two attributes of TACACS+ authentication?
Encryption for all communication Separate processes for Authentication and Authorization
What type of ACL offers greater flexibility and control over network access?
Extended
What is the function of the Hashed Message Authentication Code (HMAC) algorithm in setting up an IPsec VPN?
Guarantees message integrity
What is the advantage of HIPS that is not provided by IDS
HIPS protects critical system resources and monitors operating system processes
Which two types of hackers are typically classified as grey hat hackers?
Hacktivists Vulnerability Brokers
A company deploys a hub-and-spoke VPN topology where the security appliance is the hub and the remote VPN networks are the spokes. Which VPN method should be used in order for one spoke to communicate with another spoke through the single public interface of the security appliance?
Hairpinning
What can be configured as part of a network object?
IP address and mask
Which two statements describe the use of asymmetric algorithms?
If a private key is used to encrypt the data, a public key must be used to decrypt the data If a public key is used to encrypt the data, a private key must be used to decrypt the data
What are three characteristics of the RADIUS protocol?
Is an open IETF standard AAA protocol Uses UDP ports for Authentication and Accounting Is widely used in VOIP and 802.1X implementations
Which statement describes the Cisco Cloud Web Security?
It is a cloud-based security service to scan traffic for malware and policy enforcement
What is the result of a DHCP starvation attack?
Legitimate clients are unable to lease IP addresses
What is the next step in the establishment of an IPsec VPN after IKE Phase 1 is complete?
Negotiation of the IPsec SA Policy
A security technician is evaluating a new operations security proposal designed to limit access to all servers. What is an advantage of using network security testing to evaluate the new proposal?
Network security testing proactively evaluates the effectiveness of the proposal before any real threat occurs
What ports can receive forwarded traffic from an isolated port that is part of a PVLAN
Only promiscuous ports
What three tasks can a network administrator accomplish with the Nmap and Zenmap secuirty testing tools?
Open UDP and TCP port detection Operating System Fingerprinting Assessment of Layer 3 protocol support on hosts
Which three areas of router security must be maintained to secure an edge router at the network perimeter?
Physical Security Operating System Security Router Hardening
Which security document includes implementation details, usually with step-by-step instructions and graphics?
Procedure Document
Which service should be disabled on a router to prevent a malicious host from falsely responding to ARP requests with the intent to redirect the Ethernet frames?
Proxy ARP
What are the two protocols that are used by AAA to authenticate users against a central database of usernames and password?
RADIUS TACACS+
What information does the SIEM network security management tool provide to network administrators?
Real time reporting and analysis of security events
Which features is specific to the Security Plus upgrade license of an ASA 5505 and provides increased availability?
Redundant ISP connections
Which security implementation will provide management plane protection for a network device?
Role-Based Access Control
Which interface setting can be configured in ASDM through the Device Setup tab?
Security Level
What term describes a set of rules used by an IDS or IPS to detect typical intrusion activity?
Signature
A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication?
Single process for authentication and authorization Hidden passwords during transmission
How are Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) components used conjunctive?
The IDS will send alert messages about "gray area" traffic while the IPS will block malicious traffic
What is a characteristic of an ASA Site-to-Site VPN
The IPsec protocol protects the data transmitted through the site-to-site tunnel
What is a result of enabling the Cisco IOS image resilience feature?
The feature can only be disabled through a console session
Why is Diffie-Hellman algorithm typically avoided for encyption
The large number used by DH makes it too slow for bulk data transfer
A syslog server has received the message shown. *Mar 1 00:07:18.787: %SYS-5-CONFIG_I: Configured from console by vty0 (172.16.45.1) What can be determined from the syslog message?
The message informs the administrator that a user with an IP address of 172.16.45.1 configured this device remotely
Which statement accurately describes Cisco IOS Zone-Based Policy Firewall operation?
The pass action works in only one direction
A security technician uses an asymmetric algorithm to encrypt messages with a private key and then forwards that data to another technician. What key must be used to decrypt this data?
The public key of the sender
What is the purpose of AAA Accounting
To collect and report data usage
What is a characteristic of a DMZ zone?
Traffic originating from the outside network going to the DMZ network is selectively permitted
hich type of VLAN-hopping attack may be prevented by designating an unused VLAN as the native VLAN?
VLAN double-tagging
What is a characteristic of asymmetric algorithms?
Very long key lengths are used
What technology is used to separate physical interfaces on the ASA 5505 device into different security zones?
Virtual local-area networks
A user complains about not being able to gain access to the network. What command would be used by the network administrator to determine which AAA method list is being used for this particular user as the user logs on?
debug aaa authentication