Chapters 25 - 26: Access Control and Infrastructure Security


What protocol is used to encapsulate the EAP data between the authenticator and authentication server performing 802.1X authentication?

RADIUS

Which statement describes a difference between RADIUS and TACACS+?

RADIUS encrypts only the password, whereas TACACS+ encrypts all communication.

Which EAP method makes use of the Protected Extensible Authentication Protocol (PEAP)?

EAP tunneled TLS authentication method

What message is sent every 30 seconds by the 802.1x authenticator to an endpoint to initiate the MAB authentication process?

EAPoL identity request

What are two characteristics of the ZBFW default zone? (Choose two.)

Interfaces that are not members of other zones are placed in this zone by default./It is a system built zone.

Which set of access control entries would allow all users on the 192.168.10.0/24 network to access a web server that is located at 172.17.80.1, but would not allow them to use Telnet?

access-list 103 permit tcp 192.168.10.0 0.0.0.255 host 172.17.80.1 eq 80
access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq 23

Refer to the exhibit. Which two ACLs, if applied to the G0/1 interface of R2, would permit only the two LAN networks attached to R1 to access the network that connects to R2 G0/1 interface? (Choose two.)

access-list 5 permit 192.168.10.0 0.0.0.63/access-list 5 permit 192.168.10.64 0.0.0.63/access-list 1 permit 192.168.10.0 0.0.0.127

Which vulnerability can be mitigated by disabling CDP and LLDP on a Cisco device?

advertising detailed information about a device

Which type of threat defense is provided by Cisco Umbrella?

blocking requests to malicious Internet destinations

Which place in the network (PIN) is considered to be the highest-risk, as it is the ingress and egress point for internet traffic?

edge

What threat protection actions are involved in the "before" phase of the attack continuum?

establishing policies and implementing prevention measures to reduce risks

What are the three phases of TrustSec configuration? (Choose three.)

ingress classification/propagation/egress enforcement

Which security appliance passively monitors and analyzes network traffic for potential network intrusion attacks and logs the attacks for analysis?

intrusion detection system

Which command can be issued to protect a Cisco router from unauthorized automatic remote configuration?

no service config

What are two limitations of PACLs? (Choose two.)

no support of ACLs that filter IPv6 packets/no filtering of outbound traffic

What is the Control Plane Policing (CoPP) feature designed to accomplish?

prevent unnecessary traffic from overwhelming the route processor

What security capability is provided by applying Cisco WSA web reputation filters before an attack?

prevents client devices from accessing dangerous websites containing malware or phishing links

Which command produces an encrypted password that is easily reversible?

service password-encryption

According to Gartner, Inc. what three capabilities must a next-generation firewall (NGFW) provide in addition to standard firewall features? (Choose three.)

the ability to perform application-level inspection/the ability to leverage external security intelligence/an integrated IPS

Which secure access solution can be implemented to authenticate endpoints that do not support 802.1x or MAB?

web authentication

Question as presented: Match the Cisco SAFE security concepts to the description. (Not all options are used.)

3120

Question as presented: Match the Cisco SAFE component with the description. (Not all options are used.)

2130

Question as presented: Match the security platform to the description. (Not all options are used.)

1302

Which three statements describe ACL processing of packets? (Choose three.)

A packet can either be rejected or forwarded as directed by the ACE that is matched./Each statement is checked only until a match is detected or until the end of the ACE list./An implicit deny any rejects any packet that does not match any ACE.

What is a feature of a Cisco IOS Zone-Based Policy Firewall?

A router interface can belong to only one zone at a time.

Which is the preferred method for securing device terminal lines?

AAA authentication

Refer to the exhibit. An ACL was configured on R1 with the intention of denying traffic from subnet 172.16.4.0/24 into subnet 172.16.3.0/24. All other traffic into subnet 172.16.3.0/24 should be permitted. This standard ACL was then applied outbound on interface G0/0/0. Which conclusion can be drawn from this configuration?

All traffic will be blocked, not just traffic from the 172.16.4.0/24 subnet

Which solution provides comprehensive network and data protection for organizations before, during, and after a malware attack?

Cisco AMP

Cisco AnyConnect

Cisco AnyConnect

Which Cisco solution is used by Cisco Web Security Appliance to detect and correlate threats in real time?

Cisco Talos

An administrator defined a local user account with a secret password on router R1 for use with SSH. Which three additional steps are required to configure R1 to accept only encrypted SSH connections? (Choose three.)

Configure the IP domain name on the router./Configure a host name other than "Router"./Generate crypto keys.

Which statement describes Cisco IOS Zone-Based Policy Firewall operation?

The pass action works in only one direction.

