CCNA Security Final v1.1 part 6
What are two disadvantages of using network IPS? (Choose two.)
Network IPS has a difficult time reconstructing fragmented traffic to determine if an attack was successful.
Network IPS is incapable of examining encrypted traffic.
Network IPS is operating system-dependent and must be customized for each platform.
Network IPS is unable to provide a clear indication of the extent to which the network is being attacked.
Network IPS sensors are difficult to deploy when new networks are added.

Network IPS has a difficult time reconstructing fragmented traffic to determine if an attack was successful.
Network IPS is incapable of examining encrypted traffic.
What must be configured before any Role-Based CLI views can be created?
aaa new-model command
multiple privilege levels
secret password for the root user
usernames and passwords

aaa new-model command
Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform?
auditing
accounting
authorization
authentication

authorization
Refer to the exhibit. Based on the output from the show secure bootset command on router R1, which three conclusions can be drawn regarding Cisco IOS Resilience? (Choose three.)
A copy of the Cisco IOS image file has been made.
A copy of the router configuration file has been made.
The Cisco IOS image file is hidden and cannot be copied, modified, or deleted.
The Cisco IOS image filename will be listed when the show flash command is issued on R1.
The copy tftp flash command was issued on R1.
The secure boot-config command was issued on R1.

A copy of the router configuration file has been made.
The Cisco IOS image file is hidden and cannot be copied, modified, or deleted.
The secure boot-config command was issued on R1.
Which statement correctly describes a type of filtering firewall?
A transparent firewall is typically implemented on a PC or server with firewall software running on it.
A packet-filtering firewall expands the number of IP addresses available and hides network addressing design.
An application gateway firewall (proxy firewall) is typically implemented on a router to filter Layer 3 and Layer 4 information.
A stateful firewall monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.

A stateful firewall monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.
Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.)
An interface can be assigned to multiple security zones.
Interfaces can be assigned to a zone before the zone is created.
Pass, inspect, and drop options can only be applied between two zones.
If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone.
To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.

Pass, inspect, and drop options can only be applied between two zones.
If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
Which three statements should be considered when applying ACLs to a Cisco router? (Choose three.)
Place generic ACL entries at the top of the ACL.
Place more specific ACL entries at the top of the ACL.
Router-generated packets pass through ACLs on the router without filtering.
ACLs always search for the most specific entry before taking any filtering action.
A maximum of three IP access lists can be assigned to an interface per direction (in or out).
An access list applied to any interface without a configured ACL allows all traffic to pass.

Place more specific ACL entries at the top of the ACL.
Router-generated packets pass through ACLs on the router without filtering.
An access list applied to any interface without a configured ACL allows all traffic to pass.
Refer to the exhibit. Which option tab on the CCP screen is used to view the Top Threats table and deploy signatures associated with those threats?
Create IPS
Edit IPS
Security Dashboard
IPS Sensor
IPS Migration

Security Dashboard
Refer to the exhibit. What information can be obtained from the AAA configuration statements?
The authentication method list used for Telnet is named ACCESS.
The authentication method list used by the console port is named ACCESS.
The local database is checked first when authenticating console and Telnet access to the router.
If the TACACS+ AAA server is not available, no users can establish a Telnet session with the router.
If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database.

The authentication method list used for Telnet is named ACCESS.
Which statement describes the CCP Security Audit wizard?
After the wizard identifies the vulnerabilities, the CCP One-Step Lockdown feature must be used to make all security-related configuration changes.
After the wizard identifies the vulnerabilities, it automatically makes all security-related configuration changes.
The wizard autosenses the inside trusted and outside untrusted interfaces to determine possible security problems that might exist.
The wizard is based on the Cisco IOS AutoSecure feature.
The wizard is enabled by using the Intrusion Prevention task.

The wizard is based on the Cisco IOS AutoSecure feature.