CCNA Sec - Misc

AES, IDEA, and 3DES are symmetrical or asymmetrical?

Symmetrical

What does the Diffie-Hellman exchange create as a result of it running? Symmetrical keys Asymmetrical keys Digitally signed keys PSKs

Symmetrical keys

In a Zone-Based Firewall, where is the policy applied that will enforce the filtering or inspection of traffic? To the zone pair To the policy map To the interfaces To the control plane

To the zone pair

When implementing authentication on routing protocols, what are you not protecting the control plane from? VLAN hopping Rerouting of traffic Rogue default gateways MITM attacks

VLAN Hopping

What protocol is used by a router or an ASA when tunneling packets to a WSA?

WCCP

What is the correct command to apply a crypto map to an interface? crypto access-group crypto group crypto map group crypto map

crypto map

You are using the local database on the router for storing usernames and passwords. What command will enforce future passwords to be the recommended minimum length for a good password? password security min-length 10 security min-length password 10 security passwords min-length 10 min-length password security 10

security passwords min-length 10

Which of the following is the correct syntax to apply root guard to an interface? no spanning-tree root spanning-tree root guard spanning-tree guard root Root guard is applied globally, not to an interface

spanning-tree guard root

A zone pair identifies a _____________ flow of traffic?

unidirectional

What command is used to create security zones on a Cisco router? zone-pair security zone security zone enable zone-pair enable

zone security

You are generating crypto keys for use with SSH and digital signing. When prompted for the length of the modulus, which is the recommended minimum length that you should specify? 2048 1024 512 4096

2048 (older study material still lists 1024 as the minimum, but a 1024-bit RSA modulus is no longer considered adequate for SSH or signing keys; use 2048 or larger)

Which of the following is not an example of an asymmetric algorithm? DSA 3DES DH RSA

3DES

What protocols are used in VPN tunnels? (Choose two.) A. UDP port 500 or 4500 for IKEv1 negotiation B. TCP or UDP port 500 for IKEv1 negotiation C. ESP (protocol 51) is used in IPsec tunnels D. Protocol ESP (protocol 50) and AH (protocol 51) in IPSec packets

A D

You want to use SSL for VPN remote-access services, but you also want to dynamically assign a virtual IP to the VPN client for use while on your network. Which option provides this? SSL Clientless VPN SSL Thin Client Cisco VPN Client AnyConnect

AnyConnect

Which category of encryption algorithms uses the most CPU resources? Hashing Authentication Asymmetrical Symmetrical

Asymmetrical

What is the third step of IKE Phase 1? Negotiate Encryption Negotiate Hashing Diffie-Hellman Exchange Authenticate the peer

Authenticate the peer (Phase 1 order: 1. negotiate the ISAKMP policy: hash, authentication, DH group, lifetime, encryption; 2. run the Diffie-Hellman exchange; 3. authenticate the peer)

Which is an IPsec component that could be negotiated by IKE Phase 1, but not in IKE Phase 2? DH Exchange Authentication Hashing Encryption

Authentication

AH?

Authentication Header

<enable secret level 7 0 secret 5> Consider the output, which is true about this config? A. The secret, stored in plain text in the config will be secret 5 B. The password for a custom priv level will be stored as a hash in the config C. The enable password will be stored in plain text in the config D. The enable secret will be stored in plain text in the config

B

A host on your internal network at 10.20.30.40 using its local port 1044 accessed an HTTPS server at 172.16.50.60. What would be an entry in the return path ACL that would permit the reply traffic? A. access-list 199 permit tcp host 172.16.50.60 eq 80 host 10.20.30.40 eq 1044 B. access-list 199 permit tcp host 172.16.50.60 eq 443 host 10.20.30.40 eq 1044 C. access-list 199 permit tcp host 10.20.30.40 eq 443 host 172.16.50.60 eq 1044 D. access-list 199 permit tcp host 172.16.50.60 eq 1044 host 10.20.30.40 eq 443

B

If you configure a Zone-Based Firewall that includes a policy for traffic directed to and from the self zone, which of the following could create a denial of service? A. Not allowing FTP traffic B. Not allowing specific routing protocol traffic C. Not allowing ICMP traffic D. Not allowing telnet traffic

B

The enable secret is stored as an MD5 hash, and the enable password is stored in plain text. Which of the following is true about these passwords? A. If both are configured, the enable password will be required to enter privileged mode B. The enable password is still supported for backward compatibility C. The service password-encryption utility will convert an enable password to an enable secret D. If both are configured, either can be used to enter priv mode.

B

What command applies an IPv6 packet-filtering ACL to an interface? A. traffic-filter B. ipv6 traffic-filter C. ipv6 access-group D. access-group

B

What is one of the goals of AnyConnect? A. Perform intrusion prevention, from any host who is connecting B. Protect traffic for mobile employees C. Implement group tags, thus allowing network resources to prioritize traffic. D. Implement stateful filtering of inbound packets from any connection

B

What prevents an eavesdropper from interpreting the cipher text being sent between two VPN peers? A. The Cipher B. The Key C. The Authentication Method D. The Hash

B

Which element of a Zone-Based Firewall has the responsibility for identifying the traffic? A. Zone Pair B. Class map, type inspect C. Service policy type inspect D. Policy map, type inspect

B

Which of the following is the correct syntax to apply BPDU guard to a single interface? A. spanning-tree portfast bpduguard B. spanning-tree bpduguard enable C. spanning-tree bpduguard D. bpduguard

B

Why can't legacy HIPS be considered enough to protect against malware? A. Malware does not run when A/V is running on a machine. B. Today's malware is sophisticated. C. There is so much malware that HIPS cannot store all malicious malware patterns to look for. D. HIPS vendors cannot keep up with malware.

B

You want to implement as many of the Cisco-defined security controls as possible in your organization. Which of the following is an example of a physical control? A. Properly screening potential employees B. The use of power protection systems C. The use of security appliances D. The use of authorization systems

B

Which solution allows for one method to be used on the first two vty lines, and a different method to be used on the rest of the vty lines? (Choose two.) A. This cannot be done, all vty lines must use the same method. B. Create two method lists and assign the first on the first two lines and assign the second list to the remaining vty lines C. Use the default method for all the vty lines D. Create a default and custom method list, assign the custom list to the first two vty lines

B D

Which Spanning Tree Protocol protection feature shuts down an edge port the moment it sees Spanning Tree Protocol on that port?

BPDU guard

In which area of the Cisco borderless network security architecture would we see security controls for malware and viruses? Borderless end zone Policy management layer Borderless Internet Borderless data center

Borderless end zone

Given a MAC address of 0018.b921.9278, what would the EUI-64 host ID be on that same interface? A. 18:B9FF:EE21:9278 B. 218:B9FF:EE21:9278 C. 218:B9FF:FE21:9278 D. 18:B9FF:FE21:9278

C
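Worked version of the EUI-64 derivation above, added here as an example (it is not part of the study set). It generalises the single card to any MAC notation, also produces the link-local address the interface would autoconfigure, and handles the case people forget: a MAC whose Universal/Local bit is already set gets that bit cleared, not set. Function names are the example's own.

```python
"""EUI-64 interface ID and link-local address from a 48-bit MAC.

Rule: split the MAC in half, insert 0xFFFE between the halves, and invert the
Universal/Local bit (0x02) of the first byte.
"""
import ipaddress
import re


def mac_to_bytes(mac: str) -> bytes:
    """Accept Cisco dotted (0018.b921.9278), colon- or dash-separated notation."""
    digits = re.sub(r"[.:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """8-byte interface identifier: OUI with U/L bit flipped, FFFE, NIC part."""
    m = mac_to_bytes(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]


def eui64_groups(mac: str) -> str:
    """Four zero-padded 16-bit groups, e.g. '0218:b9ff:fe21:9278'."""
    iid = eui64_interface_id(mac)
    return ":".join(f"{(iid[i] << 8) | iid[i + 1]:04x}" for i in range(0, 8, 2))


def eui64_short(mac: str) -> str:
    """Same groups with leading zeros dropped, the form used in exam answers."""
    return ":".join(g.lstrip("0") or "0" for g in eui64_groups(mac).split(":"))


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 plus the EUI-64 ID, normalised by the ipaddress module (RFC 5952)."""
    return str(ipaddress.IPv6Address("fe80::" + eui64_groups(mac)))
```

The U/L bit flip is an XOR, not an OR: 00 becomes 02, but a locally administered 02 becomes 00. The compressed form drops leading zeros of each group, which is why the answer reads 218: rather than 0218:.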

What is MD5? A. A process that takes a block of data and creates a small fixed-sized hash value that is 160 bits in length. B. A process that encrypts a block of data and creates a small fixed-sized hash value that is 128 bits in length. C. A process that takes a block of data and creates a small fixed-sized hash value that is 128 bits in length. D. A process that decrypts a block of data and creates a small fixed-sized hash value that is 128 bits in length.

C

What is a configuration difference between ACLs on the ASA and ACLs on IOS? A. The ASA supports only extended ACLs B. The IOS supports both standard and extended ACLs C. The ASA uses standard masks in ACL entries D. ACLs are applied to interface on the IOS, and the on the ASA they are applied only to the global policy

C

What is an application layer gateway (ALG) in the context of Cisco ASA firewalls? A. The feature of checking whether installed applications are signed by a trusted source B. The function of recognizing and collecting statistics about OSI L7 applications C. The function of application proxying to enforce security controls D. The feature of blocking applications that do not conform to the defined policies

C

What is used to verify a digital signature of the sender? A. The pre-shared key B. The HMAC C. The public key of the sender D. The keys generated by the Diffie-Hellman exchange

C

You are implementing an IPsec VPN site-to-site tunnel for your client. Which of the following allows for DH to be run during both IKE Phase 1 and IKE Phase 2? A. crypto isakmp policy with RSA, and sha-hmac in Phase 2 B. crypto isakmp policy with group 1, and AES in Phase 2 C. crypto isakmp policy with group 2, and PFS in Phase 2 D. crypto isakmp policy with PFS, and 3DES in Phase 2

C

What is the name of an enterprise level tool that enables configuration, management, and monitoring of IOS routers, ASA firewalls, IP sensors, and Catalyst series switches?

CSM

You would like to use a Cisco product that can help you ensure more consistency in the security configuration of all your Cisco devices. You struggle with the command-line interface of Cisco IOS and would like to ensure that the product has a graphical user interface. What product should you use? CSM SDM ASDM IPS

CSM

CRL?

Certificate Revocation List

CSM?

Cisco Security Manager

Which of the following is considered to be an enterprise-level management system? ASA Device Manager Cisco Configuration Professional Cisco Security Manager IPS Manager Express

Cisco Security Manager

Service Policy, Class Map, and Policy Map; Which one has the job of categorizing or classifying/identifying traffic?

Class Map

Who's job is it to categorize or classify/identify traffic? Class Map Service Policy Policy Map

Class Map

Which element of a Zone-Based Firewall has the responsibility for identifying the traffic? Service Policy, type inspect Class Map, type inspect Zone Pair Policy Map, type inspect

Class Map, type inspect

What is used to identify traffic? Class Maps Policy Maps Service Policy

Class Maps

Which of the following are used in SNMPv1 for authentication and are not considered secure? Enable secrets Plain-text-shared keys Community strings Enable passwords

Community Strings

Which of the following uses programs or communications in unintended ways, often hiding the original payload of a packet? Covert Channel CAM Table Overflow Trust Exploitation MITM

Covert Channel

What device binds together the policies and transform sets associated with a specific peer? Crypto map Crypto ACLs ISAKMP Policy IKE Phase 1

Crypto map

What command set enables a secure bootset? A. secure bootimage name B. secure boot enable C. secure boot-file D. secure boot-image

D

What is true about securing EIGRP? A. It can be secured using digital certificates. B. It can be secured using HMAC tags and pre-shared keys. C. It can be secured using AES-GCM. D. It is secured using MD5 and key chains.

D (MD5 with key chains is the classic method; EIGRP named mode also supports HMAC-SHA-256 authentication)

Which element of the ASA MPF is used to activate policy? A. Class Map B. Policy Map C. Security Levels D. Service Policy

D

Which of the following describes the control plane? A. User generated packets forwarded by network devices B. Packets used for configuring the network devices C. Server generated packets forwarded by network devices D. Router generated or received packets used for the operation of the network itself

D

You want to implement as many of the Cisco-defined security controls as possible in your organization. Which of the following is an example of a technical control? A. Routine security awareness programs B. Security monitoring equipment C. Clearly defined security policies D. The use of security appliances

D

What is the key exchange method used in IPsec? PSK RSA DH AES

DH

Which IPsec protocol both encrypts and encapsulates the packet to be protected? ESP AES AH RSA

ESP

ESP?

Encapsulating Security Payload

If you want to specify certain types of traffic in the ACL, you have to use (standard or extended)?

Extended

True or False; ASAs support wildcard masks?

False

What is a hash function that uses an additional secret key that allows authentication of the other party as well as data integrity? ESP SHA AES HMAC

HMAC

What type of hashing involves using a calculation with a secret key as opposed to a hash that anyone can calculate?

HMAC

What does BGP use for authentication?

MD5
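The HMAC and routing-authentication cards above (HMAC as a keyed hash, EIGRP with MD5 and key chains, BGP with MD5) share one idea: the receiver can only accept an update if the sender knew the shared key. This added example, not from the study set, shows it end to end: a constructed key chain, a constructed routing update, the legacy keyed-MD5 style and a real HMAC, and why an unkeyed hash gives no protection against an on-path attacker. The frame layout and the update text are invented for the example.

```python
"""Routing-update authentication with a key chain: keyed digest vs. unkeyed hash."""
import hashlib
import hmac

# Constructed key chain: what 'key chain ROUTES / key N / key-string ...' would hold.
KEY_CHAIN = {1: b"old-key-being-rotated-out", 2: b"Current-Routing-Key"}

# Constructed routing update: one route advertisement.
UPDATE = b"UPDATE prefix=10.1.0.0/16 nexthop=192.0.2.1 metric=10"


def unkeyed_tag(update):
    """A hash anyone can compute: integrity only, no proof of origin."""
    return hashlib.sha256(update).digest()


def legacy_md5_tag(update, key):
    """Keyed digest the old way, MD5(message || secret), as BGP (RFC 2385) and
    classic EIGRP/OSPF MD5 do. Not the HMAC construction, but still needs the key."""
    return hashlib.md5(update + key).digest()


def hmac_tag(update, key):
    """Proper HMAC (RFC 2104) with SHA-256."""
    return hmac.new(key, update, hashlib.sha256).digest()


def protect(update, key_id, mode="hmac-sha-256"):
    """Sender: the frame carries the key *id*, never the key, so the receiver
    knows which key-chain entry to use."""
    key = KEY_CHAIN[key_id]
    tag = hmac_tag(update, key) if mode == "hmac-sha-256" else legacy_md5_tag(update, key)
    return (key_id, mode, update, tag)


def verify(frame, chain=KEY_CHAIN):
    """Receiver: recompute with its own copy of the key; unknown key id is dropped."""
    key_id, mode, update, tag = frame
    key = chain.get(key_id)
    if key is None:
        return False
    expected = hmac_tag(update, key) if mode == "hmac-sha-256" else legacy_md5_tag(update, key)
    # compare_digest is constant-time, so timing does not leak where tags first differ
    return hmac.compare_digest(tag, expected)


def attacker_rewrites(frame, new_update):
    """On-path attacker swaps the route but must reuse the old tag: it cannot
    recompute a keyed tag without the key."""
    key_id, mode, _, old_tag = frame
    return (key_id, mode, new_update, old_tag)


def verify_unkeyed(update, tag):
    """What 'authentication' with a plain hash amounts to."""
    return hmac.compare_digest(tag, unkeyed_tag(update))
```

Two points worth noting. With an unkeyed hash the attacker simply recomputes the hash over the rewritten route and it verifies, so a plain hash only protects against accidental corruption. And the key chain matters operationally: the frame names key 2, so key 1 can be retired without flapping the adjacency, which is why the EIGRP configuration uses key chains rather than a single password.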

Which element can be used as a trigger mechanism for an IPS to implement a countermeasure in legacy Cisco IPS? Risk Rating Attack Severity Rating Signature Fidelity Rating Target Value Rating

Risk Rating

What Cisco-sponsored protocol can simplify the authentication and enrollment between a client and a CA server?

SCEP

Which of the following represents a cloud-based service, provided by Cisco, that baselines the current state of threats worldwide? IPS AnyConnect SIO SecureX

SIO

SDEE?

Security Device Event Exchange

SIO?

Security Intelligence Operations

What is used in a hierarchical PKI that offloads work from the root CA?

Subordinate CA

Which elements of PKI would be found in a hierarchical PKI environment and not found in a monolithic CA environment? PKCS #10 Hash on certs Root certs Subordinate CA

Subordinate CA

When using in-band management traffic, which of the following management protocols should not be used? Telnet HTTPS SSL SSH

Telnet

What is the type of SNMP that is originated at the network devices and is sent to the SNMP manager? Read Write SNMPv3 Trap

Trap

If a crypto map shows that PFS was used, that means DH was run again for Phase 2. True or false?

True

What is a recommended best practice for securing IPv6? Disable ARP Use manual tunnels instead of automatic ones Disable router advertisements Filter all ICMP traffic

Use manual tunnels instead of automatic ones

Which of the following commands enable you to create a snapshot of the running configuration and store it in persistent storage? secure bootset secure boot-image secure boot-config secure NVRAM:startup-config

secure boot-config

How many flows of traffic can be identified in a zone pair? 3 2 1 4

1

How many zones can an interface be a member of at the same time in a Zone-Based IOS Firewall? 4 3 2 1

1

How many zones can an interface belong to at one time?

1

Which of the following is a loopback address in IPv6? :: ::127:0:0:1 IPv6 has no loopback ::1

::1

SNMPv3 provides advantages over its previous versions. Which of the following is a feature in SNMPv3 whose function is not available in SNMPv1? A. Encryption of SNMP packets B. Allowing both get and set messages C. Sending alert messages from an SNMP managed device to an NMS. D. Sending config changes from a management station to an SNMP managed device

A

What does the crypto access list do in a site-to-site VPN configuration? A. Defines the peers that are allowed to participate in the VPN B. Makes troubleshooting easier by dropping all but the VPN traffic C. Defines what traffic will be encrypted in the VPN tunnel. D. Defines traffic that should be dropped in the tunnel

C (the crypto ACL identifies the interesting traffic to be encrypted; the peers are defined by the set peer statement in the crypto map, not by the ACL)

What is the difference between CoPP and CPPr? A. Control plane protection offers more granularities in protecting the CPU from the effects of traffic than control plane policing by dividing the aggregate control plane into three separate control plane categories known as subinterfaces B. Control plane protection is a subset of control plane policing. C. Control plane policing affects traffic going through the routers, and control plane protection affects traffic destined for the router. D. They are two different names for the same feature.

A

Which of the following is a reason that DH is not the first step in setting up an IKE Phase 1 tunnel? A. The peers need to negotiate the details of DH before running DH B. DH is the first step in setting up an IKE Phase 1 tunnel C. The peers need to set up a secure tunnel before running DH D. The VPN peers need to authenticate with each other before running DH

A
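Several cards above describe the same machinery from different angles: Diffie-Hellman produces symmetric key material, IKE Phase 1 negotiates before it runs DH and authenticates the peer last, peer authentication happens only in Phase 1, and PFS means DH is run again for Phase 2. This added example (not from the study set) plays the whole exchange out with both sides' values. The DH groups are small Mersenne primes standing in for the MODP groups so the code runs instantly (they are not secure); the key derivation follows the shape of RFC 2409's pre-shared-key mode, but the policy dictionaries, the nonce handling and the "frames" are a constructed simplification, not real ISAKMP payloads.

```python
"""IKE Phase 1 in miniature: negotiate, Diffie-Hellman, authenticate; then a
Phase 2 rekey with and without PFS."""
import hashlib
import hmac
import secrets

# group id -> (prime, generator). Toy primes; real group 2 is the 1024-bit MODP
# prime and group 14 the 2048-bit one.
GROUPS = {2: (2**127 - 1, 5), 14: (2**521 - 1, 5)}

# Constructed 'crypto isakmp policy' lists, highest priority first.
R1_POLICIES = [
    {"encryption": "aes-256", "hash": "sha256", "auth": "pre-share", "group": 14, "lifetime": 86400},
    {"encryption": "3des", "hash": "md5", "auth": "pre-share", "group": 2, "lifetime": 86400},
]
R2_POLICIES = [
    {"encryption": "3des", "hash": "md5", "auth": "pre-share", "group": 2, "lifetime": 3600},
]


def negotiate(initiator_proposals, responder_policies):
    """Step 1 (HAGLE). DH cannot run before this: the DH group is itself one of
    the parameters being agreed, which is why DH is not the first step."""
    keys = ("hash", "auth", "group", "encryption")
    for prop in initiator_proposals:
        for pol in responder_policies:
            if all(prop[k] == pol[k] for k in keys):
                agreed = {k: prop[k] for k in keys}
                agreed["lifetime"] = min(prop["lifetime"], pol["lifetime"])
                return agreed
    raise ValueError("no matching ISAKMP policy; Phase 1 fails")


def dh_keypair(group):
    p, g = GROUPS[group]
    x = secrets.randbelow(p - 3) + 2          # private exponent in [2, p-2]
    return x, pow(g, x, p)


def dh_shared(x, peer_public, group):
    p, _ = GROUPS[group]
    if not 2 <= peer_public <= p - 2:         # reject 0, 1 and p-1 (trivial subgroup)
        raise ValueError("peer public value out of range")
    return pow(peer_public, x, p)


def int_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def prf(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def authenticate(psk, shared, pub_i, pub_r, nonce_i, nonce_r, identity):
    """Step 3. PSK mode: SKEYID = prf(psk, Ni | Nr); the proof covers both DH
    public values and the identity. A peer that finished DH with the wrong PSK
    can neither produce nor check it, which is what defeats an active MITM who
    merely ran DH with each side."""
    skeyid = prf(psk, nonce_i, nonce_r)
    skeyid_d = prf(skeyid, int_bytes(shared), b"\x00")    # Phase 2 keying material
    proof = prf(skeyid, int_bytes(pub_i), int_bytes(pub_r), identity)
    return skeyid_d, proof


def phase1(init_policies, resp_policies, psk_initiator, psk_responder):
    agreed = negotiate(init_policies, resp_policies)                 # 1. negotiate
    group = agreed["group"]
    xi, pub_i = dh_keypair(group)                                    # 2. DH
    xr, pub_r = dh_keypair(group)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    shared_i = dh_shared(xi, pub_r, group)
    shared_r = dh_shared(xr, pub_i, group)
    assert shared_i == shared_r            # DH yields the same symmetric material on both sides
    kd_i, proof_i = authenticate(psk_initiator, shared_i, pub_i, pub_r, ni, nr, b"R1")  # 3. auth
    _, expected = authenticate(psk_responder, shared_r, pub_i, pub_r, ni, nr, b"R1")
    return {"policy": agreed, "group": group, "skeyid_d": kd_i,
            "authenticated": hmac.compare_digest(proof_i, expected)}


def phase2_key(sa, pfs):
    """Quick mode: key = prf(SKEYID_d, [g^xy] | Ni2 | Nr2). With PFS a fresh DH
    exchange supplies g^xy. Returns the real key and what someone holding only
    SKEYID_d plus the public nonces could compute."""
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    g_xy = b""
    if pfs:
        xi, pub_i = dh_keypair(sa["group"])
        xr, pub_r = dh_keypair(sa["group"])
        g_xy = int_bytes(dh_shared(xi, pub_r, sa["group"]))
    key = prf(sa["skeyid_d"], g_xy, ni2, nr2)
    attacker_view = prf(sa["skeyid_d"], ni2, nr2)
    return key, attacker_view
```

Read with the cards: negotiation settles on the 3DES/MD5/group 2 policy because it is the only one both routers share, and the shorter lifetime wins. Both peers end up with identical DH output, which is the symmetric key material, but a mismatched PSK still fails authentication even though DH "worked". Without PFS, anyone who later obtains SKEYID_d recovers the Phase 2 key from the public nonces; with PFS the extra DH exponent stands in the way, which is exactly what the `set pfs` line in a crypto map buys.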

Which of the following is true about anomaly-based IPS detection in legacy Cisco IPS? A. Anomaly-based detection is supported on the appliance-based IPS, but not on the IOS B. It is the primary method used on both the appliance and an IOS router. C. It is the primary method used on the appliance, but not on an IOS router. D. It is the primary method used on an IOS router, but not on the appliance

A

In a Zone-Based Firewall, which actions permit traffic through the firewall in the direction of the zone pair? (Choose two.) A. Inspect B. Pass C. Permit D. Prioritize

A B

R1(config)#enable secret 5 $1$zVi7$UAAzKrgfekW1g/a7.JDpj1 the '5' signifies that the string that follows is to be stored as what?

A hash

Of the two (AH and ESP), which one is solely for authentication?

AH

RSA is symmetrical or asymmetrical?

Asymmetrical

Which implementation is valid for TACACS+? A. Authentication of users via console-based command sets B. NetFlow-based accounting C. Command authorization via a list D. Implementing PKI with auth-based authentication

C

Which needs to be in place for crypto ACLs to work in an IPsec implementation? A. The ACLs must be applied as a filtering ACL on the outside interfaces B. The crypto ACLs must be standard ACLs C. The peer's source and destination addresses in the ACLs should mirror each other D. The peer's source and destination addresses in the ACL should be the same.

C
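The ACL cards above turn on three mechanics: how an extended ACE is matched against a packet, that IOS uses wildcard masks while the ASA uses ordinary subnet masks, and that both a return-path ACL and a peer's crypto ACL are the mirror image of the forward flow. This added example (not from the study set) implements a small matcher for the ACE syntax the HTTPS question uses, a wildcard-to-netmask converter, and a mirror operation; running the four answer options against the actual reply packet shows why only B permits it. The `Ace` class and function names are the example's own.

```python
"""Extended-ACL matching with IOS wildcard masks, ASA netmask conversion,
and mirror-image ACEs for return-path and crypto ACLs."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_ONES = 0xFFFFFFFF


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_to_netmask(wildcard: str) -> str:
    """IOS wildcard ('0.0.0.255') -> the subnet mask the ASA expects ('255.255.255.0')."""
    return str(ipaddress.IPv4Address(_ip(wildcard) ^ ALL_ONES))


@dataclass(frozen=True)
class Ace:
    action: str                 # permit / deny
    proto: str                  # ip / tcp / udp
    src: str
    src_wc: str                 # wildcard: 0 bits must match, 1 bits are ignored
    src_port: Optional[int]
    dst: str
    dst_wc: str
    dst_port: Optional[int]

    def mirror(self) -> "Ace":
        """Swap source and destination: the return-path ACE, or the crypto ACL the peer needs."""
        return Ace(self.action, self.proto, self.dst, self.dst_wc, self.dst_port,
                   self.src, self.src_wc, self.src_port)

    def to_ios(self, number: int) -> str:
        def side(addr, wc, port):
            if wc == "255.255.255.255":
                spec = "any"
            elif wc == "0.0.0.0":
                spec = f"host {addr}"
            else:
                spec = f"{addr} {wc}"
            return spec + (f" eq {port}" if port is not None else "")
        return (f"access-list {number} {self.action} {self.proto} "
                f"{side(self.src, self.src_wc, self.src_port)} "
                f"{side(self.dst, self.dst_wc, self.dst_port)}")


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit tcp host A [eq P] B WILDCARD [eq P]' style lines."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    action, proto, tok = tok[0], tok[1], tok[2:]

    def take_side(tok):
        if tok[0] == "host":
            addr, wc, tok = tok[1], "0.0.0.0", tok[2:]
        elif tok[0] == "any":
            addr, wc, tok = "0.0.0.0", "255.255.255.255", tok[1:]
        else:
            addr, wc, tok = tok[0], tok[1], tok[2:]
        port = None
        if tok and tok[0] == "eq":
            port, tok = int(tok[1]), tok[2:]
        return addr, wc, port, tok

    src, src_wc, src_port, tok = take_side(tok)
    dst, dst_wc, dst_port, tok = take_side(tok)
    return Ace(action, proto, src, src_wc, src_port, dst, dst_wc, dst_port)


def _addr_match(ip: str, ace_addr: str, wildcard: str) -> bool:
    """Wildcard semantics: only the bits that are 0 in the wildcard must agree."""
    return (_ip(ip) ^ _ip(ace_addr)) & (_ip(wildcard) ^ ALL_ONES) == 0


def ace_matches(ace: Ace, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    return ((ace.proto == "ip" or ace.proto == proto)
            and _addr_match(src, ace.src, ace.src_wc)
            and _addr_match(dst, ace.dst, ace.dst_wc)
            and (ace.src_port is None or ace.src_port == sport)
            and (ace.dst_port is None or ace.dst_port == dport))


def acl_permits(acl_lines, proto, src, sport, dst, dport) -> bool:
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, proto, src, sport, dst, dport):
            return ace.action == "permit"
    return False


# The four options from the HTTPS return-path question, as written on the card.
OPTIONS = {
    "A": "access-list 199 permit tcp host 172.16.50.60 eq 80 host 10.20.30.40 eq 1044",
    "B": "access-list 199 permit tcp host 172.16.50.60 eq 443 host 10.20.30.40 eq 1044",
    "C": "access-list 199 permit tcp host 10.20.30.40 eq 443 host 172.16.50.60 eq 1044",
    "D": "access-list 199 permit tcp host 172.16.50.60 eq 1044 host 10.20.30.40 eq 443",
}
```

The reply packet travels from 172.16.50.60 port 443 to 10.20.30.40 port 1044; option A has the wrong server port, C swaps the hosts, D swaps the ports. Mirroring the forward ACE mechanically produces option B, which is the same discipline crypto ACLs need: the peer's ACL must be the exact mirror or the SAs will not match.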

Under typical corporate classification roles, who is responsible for ensuring that data is periodically backed up? Guardian User Custodian Owner

Custodian

<enable secret 5 $1$zVi7$UAAzKrgfekW1g/a7.JDpj1> Which of the following is true based on the above config? A. The password required for the enable secret will be $1$zVi7$UAAzKrgfekW1g/a7.JDpj1 B. This is the enable secret for privilege level 5. C. The enable secret is being protected using Diffie-Hellman 5. D. The hash stored in the configuration will be $1$zVi7$UAAzKrgfekW1g/a7.JDpj1.

D
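The two `enable secret 5` cards and the `service password-encryption` card above are about what the config actually stores. This added example (not from the study set) decodes a type 7 string to show why `service password-encryption` is obfuscation rather than protection, and implements the $1$ MD5-crypt scheme behind type 5 so that a guess can be checked offline against a stored hash, which is the only way a password comes back out of one. The type 7 key is the long-published IOS constant; `0822455D0A16` is the classic encoding of `cisco`; the function names are the example's own, and nothing here recovers the password behind the hash on the card, which is the point.

```python
"""IOS password types 7 (reversible XOR) and 5 (salted MD5-crypt)."""
import hashlib
import hmac

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # well-known IOS type 7 key
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def type7_decrypt(enc: str) -> str:
    """First two digits are the key offset; the rest are hex bytes XORed with the key."""
    offset = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode()


def type7_encrypt(password: str, offset: int = 8) -> str:
    data = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(password.encode()))
    return f"{offset:02d}" + data.hex().upper()


def md5_crypt(password: str, salt: str) -> str:
    """The $1$ scheme (Poul-Henning Kamp): salted, 1000 stretching rounds, custom base64."""
    pw, salt = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + salt + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    for i in range(len(pw)):                     # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                                     # bits of len(pw) select a NUL or pw[0]
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                        # stretching loop from the reference implementation
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    def to64(v, n):                              # least-significant 6 bits first
        return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

    f = final
    digest = (to64(f[0] << 16 | f[6] << 8 | f[12], 4) + to64(f[1] << 16 | f[7] << 8 | f[13], 4)
              + to64(f[2] << 16 | f[8] << 8 | f[14], 4) + to64(f[3] << 16 | f[9] << 8 | f[15], 4)
              + to64(f[4] << 16 | f[10] << 8 | f[5], 4) + to64(f[11], 2))
    return f"$1${salt.decode()}${digest}"


def parse_type5(secret: str):
    """'$1$zVi7$UAAzKrgfekW1g/a7.JDpj1' -> ('zVi7', 'UAAzKrgfekW1g/a7.JDpj1')."""
    parts = secret.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not a type 5 secret")
    return parts[2], parts[3]


def check_enable_secret(config_line: str, guess: str) -> bool:
    """Offline test of one guess against an 'enable secret 5 ...' line."""
    secret = config_line.split()[-1]
    salt, _ = parse_type5(secret)
    return hmac.compare_digest(md5_crypt(guess, salt), secret)
```

So the `5` on the card means "what follows is a salted hash": `zVi7` is the salt and the remainder the digest, and the router re-runs MD5-crypt on whatever is typed at the `enable` prompt and compares. Type 7, by contrast, is decoded in one line by anyone who has read the config, which is why it is acceptable only for hiding passwords from shoulder-surfers and never as a substitute for `enable secret`.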

Of the two (AH and ESP), which one provides data confidentiality and authentication?

ESP

When comparing AH and ESP in IPsec, which mechanism provides encryption as well as authentication? ESP AH and ESP AH Neither

ESP

What type of SSL VPN requires Cisco AnyConnect Secure Mobility Client? Thin Client Web VPN Site to site VPN Full SSL client

Full SSL client

HMAC?

Hash-based Message Authentication Code (keyed-hash MAC, RFC 2104)

ISE?

Identity Services Engine

VLAN hopping is associated with which layer of the OSI model?

L2

What layer do Transparent Firewalls operate at?

L2

Which of the following is a certificate request standard? PKCS #1 PKCS #10 PKCS #7 PKCS #3

PKCS #10

Which of the following is not a valid action in a Zone-Based Firewall policy? Pass Inspect Permit Drop

Permit

What is used to specify policy on traffic identified by class maps? Policy Map Class Map Service Policy

Policy Map

Which algorithm is primarily used in conjunction with digital certificates and digital signatures? DH RSA HMAC SHA

RSA

Which IPsec authentication method requires having identity certificates on each peer? Diffie-Hellman PSKs RSA signatures SSL

RSA signatures

When port security is configured on a switch, what is the default behavior when there is a violation? Protect Shutdown Restrict Warning

Shutdown

What is the primary approach to IPS used by Cisco IPS? Profile Based Honey Pot Signature Based Anomaly Based

Signature Based

SCEP?

Simple Certificate Enrollment Protocol

