CCNA Security Finals Part 2/3


Which statement describes the use of certificate classes in the PKI?

A class 5 certificate is more trustworthy than a class 4 certificate.

What is a characteristic of a role-based CLI view of router configuration?

A single CLI view can be shared within multiple superviews.

What two algorithms can be part of an IPsec policy to provide encryption and hashing to protect interesting traffic? (Choose two.)

AES, SHA

An organization has configured an IPS solution to use atomic alerts. What type of response will occur when a signature is detected?

An alert is triggered each time a signature is detected.

What is required for auto detection and negotiation of NAT when establishing a VPN link?

Both VPN end devices must be NAT-T capable.

Fill in the blank. A stateful signature is also known as a _______________ signature.

Composite

What represents a best practice concerning discovery protocols such as CDP and LLDP on network devices?

Disable both protocols on all interfaces where they are not required.

Which two end points can be on the other side of an ASA site-to-site VPN configured using ASDM? (Choose two.)

ISR router, another ASA

Which security measure is best used to limit the success of a reconnaissance attack from within a campus area network?

Implement encryption for sensitive traffic.

What is a feature of the TACACS+ protocol?

It encrypts the entire body of the packet for more secure communications.

Why is hashing cryptographically stronger compared to a cyclical redundancy check (CRC)?

It is virtually impossible for two different sets of data to calculate the same hash output.

What is the benefit of the network-based IPS (NIPS) over host-based IPS (HIPS) deployment models?

NIPS monitors all operations within an operating system.

Refer to the exhibit. Based on the configuration that is shown, which statement is true about the IPS signature category?

Only signatures in the ios_ips basic category will be compiled into memory for scanning.

Match the network security testing technique with how it is used to test network security. (Not all options are used.)

Penetration testing = used to determine the possible consequences of successful attacks on the network
Vulnerability scanning = used to find weaknesses and misconfigurations on network systems
Network scanning = used to discover available resources on the network

Which two protocols can be selected using the Cisco AnyConnect VPN Wizard to protect the traffic inside a VPN tunnel? (Choose two.)

SSL, IPsec

Refer to the exhibit. An administrator issues these IOS login enhancement commands to increase the security for login connections. What can be concluded about them?

The hosts that are identified in the ACL will have access to the device.

An administrator assigned a level of router access to the user ADMIN using the commands below.
Router(config)# privilege exec level 14 show ip route
Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10
Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10
Which two actions are permitted to the user ADMIN? (Choose two.)

The user can issue the show version command. The user can only execute the subcommands under the show ip route command.

Refer to the exhibit. What two pieces of information can be gathered from the generated message? (Choose two.)

This message is a level five notification message. This message indicates that service timestamps have been globally enabled.

Refer to the exhibit. The network administrator is configuring the port security feature on switch SWC. The administrator issued the command show port-security interface fa 0/2 to verify the configuration. What can be concluded from the output that is shown? (Choose three.)

This port is currently up. Security violations will cause this port to shut down immediately. There is no device currently connected to this port.

A company deploys a Cisco ASA with the Cisco CWS connector enabled as the firewall on the border of the corporate network. An employee on the internal network is accessing a public website. What should the employee do in order to make sure the web traffic is protected by the Cisco CWS?

Use a web browser to visit the destination website.

What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?

VLAN hopping

In an AAA-enabled network, a user issues the configure terminal command from the privileged executive mode of operation. What AAA function is at work if this command is rejected?

authorization

What is the function of a policy map configuration when an ASA firewall is being configured?

binding class maps with actions

Which type of traffic is subject to filtering on an ASA 5505 device?

inside to DMZ

A network analyst wants to monitor the activity of all new interns. Which type of security testing would track when the interns sign on and sign off the network?

integrity checker

Which two ports can send and receive Layer 2 traffic from a community port on a PVLAN? (Choose two.)

promiscuous ports; community ports belonging to the same community

Which three actions can the Cisco IOS Firewall IPS feature be configured to take when an intrusion activity is detected? (Choose three.)

reset TCP connection, alert, drop

What function is provided by the Tripwire network security tool?

security policy compliance

Which IDS/IPS signature alarm will look for packets that are destined to or from a particular port?

signature-based

What mechanism is used by an ASA 5505 device to allow inspected outbound traffic to return to the originating sender who is on an inside network?

stateful packet inspection

In which two instances will traffic be denied as it crosses the ASA 5505 device? (Choose two.)

traffic originating from the DMZ network going to the inside network; traffic originating from the outside network going to the inside network

