CCNAS Practice Final

What is the default preconfigured security level for the outside network interface on a Cisco ASA 5505?

0

What service or protocol does the Secure Copy Protocol rely on to ensure that secure copy transfers are from authorized users?

AAA

What algorithm is used with IPsec to provide data confidentiality

AES

What is a limitation to using OOB management on a large enterprise network?

All devices appear to be attached to a single management network.*

A company deploys a network-based IPS. Which statement describes a false negative alarm that is issued by the IPS sensor?

An attack packet passes and no alarm is generated.*

Which type of ASDM connection would provide secure remote access for remote users into corporate networks?

AnyConnect SSL VPN*

What are two drawbacks in assigning user privilege levels on a Cisco router?

Assigning a command with multiple keywords allows access to all commands using those keywords.* Commands from a lower level are always executable at a higher level.

What does the keyword default specify when used with the aaa authentication login command?

Authentication is automatically applied to the con 0, aux, and vty lines.*

Which three forwarding plane services and functions are enabled by the Cisco AutoSecure feature?​

Cisco IOS firewall inspection* Cisco Express Forwarding (CEF)* traffic filtering with ACLs*

The ISAKMP policy for the IKE Phase 1 tunnel was configured, but the tunnel does not yet exist. Which action should be taken next before IKE Phase 1 negotiations can begin?

Configure an ACL to define interesting traffic.*

Which feature of the Cisco Network Foundation Protection framework prevents a route processor from being overwhelmed by unnecessary traffic?

Control Plane Policing*

When configuring SSH on a router to implement secure network management, a network engineer has issued the login local and transport input ssh line vty commands. What three additional configuration actions have to be performed to complete the SSH configuration?

Create a valid local username and password database.* Generate the asymmetric RSA keys Configure the correct IP domain name

What is an advantage of HIPS that is not provided by IDS?

HIPS protects critical system resources and monitors operating system processes

What can be configured as part of a network object

IP address and mask*

Which two statements describe the use of asymmetric algorithms?

If a private key is used to encrypt the data, a public key must be used to decrypt the data.* If a public key is used to encrypt the data, a private key must be used to decrypt the data.*

Which statement describes the Cisco Cloud Web Security?

It is a cloud-based security service to scan traffic for malware and policy enforcement.*

What is the result of a DHCP starvation attack?

Legitimate clients are unable to lease IP addresses.*

What are two protocols that are used by AAA to authenticate users against a central database of usernames and password?

RADIUS* TACACS+*

What term describes a set of rules used by an IDS or IPS to detect typical intrusion activity?

Signature

How are Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) components used conjunctively?

The IDS will send alert messages about "gray area" traffic while the IPS will block malicious traffic.*

What is a characteristic of an ASA site-to-site VPN?

The IPsec protocol protects the data transmitted through the site-to-site tunnel.*

What is a result of enabling the Cisco IOS image resilience feature?

The feature can only be disabled through a console session.*

Why is Diffie-Hellman algorithm typically avoided for encrypting data?

The large numbers used by DH make it too slow for bulk data transfers.*

A syslog server has received the message shown.

The message informs the administrator that a user with an IP address of 172.16.45.1 configured this device remotely.*

Which statement accurately describes Cisco IOS Zone-Based Policy Firewall operation?

The pass action works in only one direction.

A security technician uses an asymmetric algorithm to encrypt messages with a private key and then forwards that data to another technician. What key must be used to decrypt this data?

The public key of the sender.

What is a characteristic of a DMZ zone?

Traffic originating from the outside network going to the DMZ network is selectively permitted.*

Which type of VLAN-hopping attack may be prevented by designating an unused VLAN as the native VLAN?

VLAN double-tagging*

What is a characteristic of asymmetric algorithms?

Very long key lengths are used.*

On what switch ports should PortFast be enabled to enhance STP stability?

all end-user ports*

Which router component determines the number of signatures and engines that can be supported in an IPS implementation?

available memory

How can DHCP spoofing attacks be mitigated?

by implementing DHCP snooping on trusted ports*

A user complains about not being able to gain access to the network. What command would be used by the network administrator to determine which AAA method list is being used for this particular user as the user logs on?

debug aaa authentication*

What can be used as an alternative to HMAC?

digital signatures*

A network administrator is configuring an AAA server to manage TACACS+ authentication. What are two attributes of TACACS+ authentication?

encryption for all communication* separate processes for authentication and authorization*

What type of ACL offers greater flexibility and control over network access?

extended

What is the function of the Hashed Message Authentication Code (HMAC) algorithm in setting up an IPsec VPN?

guarantees message integrity*

What are three characteristics of the RADIUS protocol?

is an open IETF standard AAA protocol* uses UDP ports for authentication and accounting* is widely used in VOIP and 802.1X implementations*

What is the next step in the establishment of an IPsec VPN after IKE Phase 1 is complete?

negotiation of the IPsec SA policy*

What ports can receive forwarded traffic from an isolated port that is part of a PVLAN?

only promiscuous ports*

What three tasks can a network administrator accomplish with the Nmap and Zenmap security testing tools?

open UDP and TCP port detection* operating system fingerprinting* assessment of Layer 3 protocol support on hosts*

Which security document includes implementation details, usually with step-by-step instructions and graphics?

procedure document*

Which service should be disabled on a router to prevent a malicious host from falsely responding to ARP requests with the intent to redirect the Ethernet frames?

proxy ARP*

What information does the SIEM network security management tool provide to network administrators?

real time reporting and analysis of security events*

Which three areas of router security must be maintained to secure an edge router at the network perimeter?

router hardening, operating system security, and physical security.

Which interface setting can be configured in ASDM through the Device Setup tab?

security level

A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication?

single process for authentication and authorization* hidden passwords during transmission*

What is the purpose of AAA accounting

to collect and report data usage

What technology is used to separate physical interfaces on the ASA 5505 device into different security zones?

virtual local-area networks*