Net Auth 18-22
steps to config site-to-site IPsec VPN
1: config the ISAKMP policies for IKE phase 1 2: config the ISAKMP policies for IKE phase 2 3: config a crypto map for IPsec policy 4: apply the IPsec policy 5: verify the IPsec tunnel is operaional
Which two scenarios are examples of remote access VPNs? (Choose two.)
A mobile sales agent is connecting to the company network via the Internet connection at a hotel. An employee who is working from home uses VPN client software on a laptop in order to connect to the company network.
Which two statements describe the IPsec protocol framework? (Choose two.)
AH uses IP protocol 51. AH provides integrity and authentication.
Which protocol creates a virtual point-to-point connection to tunnel unencrypted traffic between Cisco routers from a variety of protocols?
GRE
What technology is used to negotiate security associations and calculate shared keys for an IPsec VPN tunnel?
IKE
What can be configured as part of a network object?
IP address and mask
Which statement accurately describes a characteristic of IPsec?
IPsec is a framework of open standards that relies on existing algorithms.
What type of traffic is supported by IPsec?
IPsec only supports unicast traffic.
What takes place during IKE Phase 2 when establishing an IPsec VPN?
IPsec security associations are exchanged.
How does network scanning help assess operations security?
It can detect open TCP ports on network systems.
Which two statements describe a remote access VPN? (Choose two.)
It may require VPN client software on hosts. It is used to connect individual hosts securely to a company network over the Internet.
Which is a requirement of a site-to-site VPN?
It requires a VPN gateway at each end of the tunnel to encrypt and decrypt traffic.
A network analyst is testing the security of the systems and networks of a corporation. What tool could be used to audit and recover passwords?
L0phtCrack
How is "tunneling" accomplished in a VPN?
New headers from one or more VPN protocols encapsulate the original packets.
Router R1 has configured ISAKMP policies numbered 1, 5, 9, and 203. Router R2 only has default policies. How will R1 attempt to negotiate the IKE Phase 1 ISAKMP tunnel with R2?
R1 will attempt to match policy #1 with the most secure matching policy on R2.
Refer to the exhibit. What HMAC algorithm is being used to provide data integrity?
SHA
Refer to the exhibit. A network administrator is configuring the security level for the ASA. Which statement describes the default result if the administrator tries to assign the Inside interface with the same security level as the DMZ interface?
The ASA will not allow traffic in either direction between the Inside interface and the DMZ.
What are three characteristics of the ASA routed mode? (Choose three.)
The interfaces of the ASA separate Layer 3 networks and require different IP addresses in different subnets. It is the traditional firewall deployment mode. NAT can be implemented between connected networks.
Which statement describes the effect of key length in deterring an attacker from hacking through an encryption key?
The longer the key, the more key possibilities exist.
Refer to the exhibit. Based on the security levels of the interfaces on the ASA, what statement correctly describes the flow of traffic allowed on the interfaces?
Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.
What testing tool is available for network administrators who need a GUI version of Nmap?
Zenmap
Which license provides up to 50 IPsec VPN users on an ASA 5506-X device?
a purchased Security Plus upgrade license
What is needed to define interesting traffic in the creation of an IPsec tunnel?
access list
What is the function of a policy map configuration when an ASA firewall is being configured?
binding class maps with actions
What are three characteristics of SIEM? (Choose three.)
can be implemented as software or as a service examines logs and events from systems and applications to detect security threats consolidates duplicate event data to minimize the volume of gathered data
What is the goal of network penetration testing?
determining the feasibility and the potential consequences of a successful attack
Refer to the exhibit. What kind of NAT is configured on the ASA device?
dynamic PAT
A network analyst wants to monitor the activity of all new interns. Which type of security testing would track when the interns sign on and sign off the network?
integrity checker
What interface configuration command is used on an ASA to request an IP address from an upstream DSL device?
ip address pppoe
What are the two modes used in IKE Phase 1? (Choose two.)
main aggressive
What is the purpose of configuring an IP address on an ASA device in transparent mode?
management
When configuring interfaces on an ASA, which two pieces of information must be included? (Choose two.)
security level name
Refer to the exhibit. A network administrator is verifying the security configuration of an ASA. Which command produces the exhibited output?
show interface ip brief
Refer to the exhibit. What show command displays whether the securityk9 software is installed on the router and whether the EULA license has been activated?
show version
Two corporations have just completed a merger. The network engineer has been asked to connect the two corporate networks without the expense of leased lines. Which solution would be the most cost effective method of providing a proper and secure connection between the two corporate networks?
site-to-site VPN
What mechanism is used by an ASA device to allow inspected outbound traffic to return to the originating sender who is on an inside network?
stateful packet inspection
What is the purpose of the Tripwire network testing tool?
to assess configuration against established policies, recommended best practices, and compliance standards
When the CLI is used to configure an ISR for a site-to-site VPN connection, what is the purpose of the crypto map command in interface configuration mode?
to bind the interface to the ISAKMP policy
Consider the following configuration on a Cisco ASA:crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmacWhat is the purpose of this command?
to define the encryption and integrity algorithms that are used to build the IPsec tunnel
What is a function of the GRE protocol?
to encapsulate multiple OSI Layer 3 protocol packet types inside an IP tunnel
In which two instances will traffic be denied as it crosses the ASA 5505 device? (Choose two.)
traffic originating from the DMZ network going to the inside network traffic originating from the outside network going to the inside network
which two instances will traffic be denied as it crosses the ASA 5506-X device? (Choose two.)
traffic originating from the outside network going to the inside network traffic originating from the DMZ network going to the inside network
