CCNA Security Final v1.1 part 10
Which statement describes a factor to be considered when configuring a zone-based policy firewall? - An interface can belong to multiple zones. - The router always filters the traffic between interfaces in the same zone. - The CBAC ip inspect command can coexist with ZPF as long as it is used on interfaces that are in the same security zones. - A zone must be configured with the zone security global command before it can be used in the zone-member security command.
- A zone must be configured with the zone security global command before it can be used in the zone-member security command.
What precaution should be considered when the no service password-recovery command has been issued on an IOS device? - The passwords in the configuration files are in clear text. - IOS recovery requires a new system flash with the IOS image. - When the password is lost, access to the device will be terminated. - The device must use simple password authentication and cannot have user authentication.
- IOS recovery requires a new system flash with the IOS image.
Which mitigation technique can help prevent MAC table overflow attacks? - root guard - BPDU guard - storm control - switchport security
- switchport security
Which three additional precautions should be taken when remote access is required in addition to local access of networking devices? (Choose three) - A legal notice should not be displayed when access is obtained. - All activity to the specified ports that are required for access should be unrestricted. - All configuration activities should required the use of SSH or HTTPS. - All administrative traffic should be dedicated to the management network. - The number of failed login attempts should not be limited, but the time between attempts should. - Packet filtering should be required so that only identified administration hosts and protocols can gain access.
- All activity to the specified ports that are required for access should be unrestricted. - All configuration activities should required the use of SSH or HTTPS. - Packet filtering should be required so that only identified administration hosts and protocols can gain access.
Router(config)# ntp authenticate Router(config)# ntp authentication-key 42 md5 aNiceKey Router(config)# ntp trusted-key 2 Refer to the exhibit. What will be the effect of the commands that are shown on R1? - Authentication with the NTP master will be successful, and R1 will get the time from the NTP master. - Authentication with the NTP master will be successful, but R1 will not get the time from the NTP master. - Authentication with the NTP master will fail, and R1 will get the time from the NTP master. - Authentication with the NTP master will fail, and R1 will not get the time from the NTP master.
- Authentication with the NTP master will fail, and R1 will not get the time from the NTP master.
Which three statements are characteristics of the IPsec protocol? (Choose three) - IPsec is a framework of open standards. - IPsec is implemented at Layer 4 of the OSI model. - IPsec ensures data integrity by using a hash algorithm. - IPsec uses digital certificates to guarantee confidentiality - IPsec is bound to specific encryption algorithms, such as 3DES and AES. - IPsec authenticates users and devices that communicate independently.
- IPsec is a framework of open standards. - IPsec ensures data integrity by using a hash algorithm. - IPsec authenticates users and devices that communicate independently.
Which two statements describe appropriate general guidelines for configuring and applying ACLs? (Choose two) - Multiple ACLs per protocol and per direction can be applied to an interface. - If an ACL contains no permit statements, all traffic is denied by default. - The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs . - Standard ACLs are placed closest to the source, whereas Extended ACLs are placed closest to the destination. - If a single ACL is to be applied to multiple interfaces, it must be configured with a unique number for each interface.
- If an ACL contains no permit statements, all traffic is denied by default. - The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs
What functionality is provided by Cisco SPAN in a switched network? - It mitigates MAC address overflow attacks. - It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis. - It protects the switched network from receiving BPDUs on ports that should not be receiving them. - It inspects voice protocols to ensure that SIP, SCCP, H.323, and MGCP requests conform to voice standards . - It copies traffic that passes through a switch interface and sends the data directly to a syslog or SNMP server for analysis.
- It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.
Refer to the exhibit. Based on the IPS configuration that is provided, which statement is true? - The signatures in all categories will be retired and not be used by the IPS. - The signatures in all categories will be compiled into memory and used by the IPS. - Only the signatures in the ios_ips basic category will be compiled into memory and used by the IPS. - The signatures in the ios_ips basic category will be retired and the remaining signatures will be compiled into memory and used by the IPS.
- Only the signatures in the ios_ips basic category will be compiled into memory and used by the IPS.
An organization requires that individual users be authorized to issue specific Cisco IOS commands. Which AAA protocols support this requirement? - TACACS+ because it separates authentication and authorization, allowing for more customization. - RADIUS because it supports multiple protocols, including ARA and NetBEUI. - TACACS+ because it supports extensive accounting on a per-user or per-group basis . - RADIUS because it implements authentication and authorization as one process.
- RADIUS because it implements authentication and authorization as one process.
Which three major subpolicies should comprise a comprehensive security policy that meets the security needs of a typical enterprise? (Choose three) - end-user policies - departmental policies - governing policies - human resource policies - organizational policies - technical policies
- end-user policies - governing policies - technical policies
Refer to the exhibit. Based on the provided configuration, which traffic will be examined by the IPS that is configured on router R1? - Traffic that is initiated from LAN 1 and LAN 2 - http traffic that is initiated from LAN 1 - return traffic from the web server - traffic that is destined to LAN 1 and LAN 2 - no traffic will be inspected
- http traffic that is initiated from LAN 1
What login enhancement configuration command helps successive login DoS attacks? - exec-timeout - login block-for - privilege exec level - service password-encryption
- login block-for
Refer to the exhibit. Which type of VPN is implemented? - remote-access GRE VPN - remote-access IPsec VPN - remote-access SSL VPN - site-to-site GRE VPN - site-to-site IPsec VPN - site-to-site SSL VPN
- remote-access IPsec VPN
Refer to the exhibit. An administrator is configuring ZPF using the SDM Basic Firewall Configuration wizard. Which command is generated after the administrator selects the Finish button? - zone security Out-zone on interface Fa0/0 - zone security Out-zone on interface S0/0/0 - zone member security Out-zone on interface Fa0/0 - zone member security Out-zone on interface s0/0/0
- zone security Out-zone on interface S0/0/0
