CCNA Security set 3

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

What command can you use to verify the binding table status? A. Show ip dhcp snooping binding B. Show ip dhcp snooping database C. show ip dhcp snooping statistics D. show ip dhcp pool E. show ip dhcp source binding F. show ip dhcp snooping

B. Show ip dhcp snooping database

What are the primary attack methods of VLAN hopping? (Choose two.) A. VoIP hopping B. Switch spoofing C. CAM-table overflow D. Double tagging

B. Switch spoofing D. Double tagging

Which IPS mode provides the maximum number of actions? A. Inline B. bypass C. span D. failover E. promiscuous

A. Inline

What is the benefit of web application firewall? A. It accelerate web traffic B. It blocks know vulnerabilities without patching applications C. It supports all networking protocols. D. It simplifies troubleshooting

A. It accelerate web traffic

Which protocol provides security to Secure Copy? A. IPsec B. SSH C. HTTPS D. ESP

B. SSH

Which wildcard mask is associated with a subnet mask of /27? A. 0.0.0.31 B. 0.0.0.27 C. 0.0.0.224 D. 0.0.0.255

A. 0.0.0.31

Refer to the exhibit. With which NTP server has the router synchronized? 209.114.111.1 Configure, ipv4, same, valid, stratum 2 ref ID 132.163.4.103, time D7AD124D.9D6FC576 (03:17:33.614 UTC Sun Aug 31 2014) our mode client, peer mode server, our poll intvl 64, peer poll intvl 64 root delay 46.34 msec, root disp 23.52, reach 1, sync dist 268.59 delay 63.27 msec, offset 7.9817 msec, dispersion 187.56, jitter 2.07 msec precision 2**23, version 4 204.2.134.164 Configure, ipv4, same, valid, stratum 2 ref ID 241.199.164.101, time D7AD1D149.9EB5272B (03:25:13.619 UTC Sun Aug 31 2014) our mode client, peer mode server, our poll intvl 64, peer poll intvl 256 root delay 30.83 msec, root disp 4.88, reach 1, sync dist 223.80 delay 28.69 msec, offset 6.4331 msec, dispersion 187.56, jitter 1.39 msec precision 2**23, version 4 192.168.10.7 Configure, ipv4, our_master, sane, valid, stratum 3 ref ID 108.61.73.243, time D7AD0D8F.AE79A23A (02:57:19.681 UTC Sun Aug 31 2014) our mode client, peer mode server, our poll intvl 64, peer poll intvl 64 root delay 86.45 msec, root disp 87.82, reach 377, sync dist 134.25 delay 0.89 msec, offset 19.5087 msec, dispersion 1.69, jitter 0.84 msec precision 2**23, version 4 A. 192.168.10.7 B. 108.61.73.243 C. 209.114.111.1 D. 204.2.134.164 E. 132.163.4.103 F. 241.199.164.101

A. 192.168.10.7

What is the default timeout interval during which a router waits for responses from a TACACS server before declaring a timeout failure? A. 5 seconds B. 10 seconds C. 15 seconds D. 20 seconds

A. 5 seconds

Which statement correctly describes the function of a private VLAN? A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains C. A private VLAN enables the creation of multiple VLANs using one broadcast domain D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain

A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains

What is the Firepower impact flag used for? A. A value that indicates the potential severity of an attack. B. A value that the administrator assigns to each signature. C. A value that sets the priority of a signature. D. A value that measures the application awareness.

A. A value that indicates the potential severity of an attack.

On which Cisco Configuration Professional screen do you enable AAA? A. AAA Summary B. AAA Servers and Groups C. Authentication Policies D. Authorization Policies

A. AAA Summary

Which two next generation encryption algorithms does Cisco recommend? (Choose two) A. AES B. 3DES C. DES D. MD5 E. DH-1024 F. SHA-384

A. AES F. SHA-384

According to Cisco best practices, which three protocols should the default ACL allow an access port to enable wired BYOD devices to supply valid credentials and connect to the network? (Choose three) A. BOOTP (DHCP) B. TFTP C. DNS D. MAB E. HTTP F. 802.1x

A. BOOTP (DHCP) B. TFTP C. DNS

Which security measures can protect the control plane of a Cisco router? (Choose two.) A. CCPr B. Parser views C. Access control lists D. Port security E. CoPP

A. CCPr E. CoPP

A data breach has occurred and your company database has been copied. Which security principle has been violated? A. Confidentiality B. Access C. Control D. Availability

A. Confidentiality

You want to allow all of your companies' users to access the Internet without allowing other Web servers to collect the IP addresses of individual users. What two solutions can you use? (Choose two). A. Configure a proxy server to hide users local IP addresses B. Assign unique IP addresses to all users. C. Assign the same IP addresses to all users D. Install a Web content filter to hide users local IP addresses E. Configure a firewall to use Port Address Translation.

A. Configure a proxy server to hide users local IP addresses E. Configure a firewall to use Port Address Translation.

What is the most common Cisco Discovery Protocol version 1 attack? A. Denial of Service B. MAC-address spoofing C. CAM-table overflow D. VLAN hopping

A. Denial of Service

Refer to the exhibit. You have configured R1 and R2 as shown, but the routers are unable to establish a site-to-site VPN tunnel. What action can you take to correct the problem? R1 Interface Gigabit Ethernet 0/0 IP address 10.20.20.4 255.255.255.255.0 Crypto isakmp policy 1 Authentication pre-share Lifetime 84600 Crypto isakmp key test67890 address 10.20.20.4 R2 Interface Gigabit Ethernet 0/0 IP address 10.20.20.4 255.255.255.255.0 Crypto isakmp policy 10 Authentication pre-share Lifetime 84600 Crypto isakmp key test12345 address 10.30.30.5 A. Edit the crypto keys on R1 and R2 to match. B. Edit the crypto isakmp key command on each router with the address value of its own interface C. Edit the ISAKMP policy sequence numbers on R1 and R2 to match. D. Set a valid value for the crypto key lifetime on each router.

A. Edit the crypto keys on R1 and R2 to match.

What type of security support is provided by the Open Web Application Security Project? A. Education about common Web site vulnerabilities B. A web site security framework C. A security discussion forum for Web site developers D. Scoring of common vulnerabilities and exposures

A. Education about common Web site vulnerabilities

What type of security support is provided by the Open Web Application Security Project? A. Education about common Web site vulnerabilities. B. A Web site security framework. C. A security discussion forum for Web site developers. D. Scoring of common vulnerabilities and exposures.

A. Education about common Web site vulnerabilities.

A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for Remote Desktop Protocol on the portal web page. Which action should you take to begin troubleshooting? A. Ensure that the RDP2 plug-in is installed on the VPN gateway B. Reboot the VPN gateway C. Instruct the user to reconnect to the VPN gateway D. Ensure that the RDP plug-in is installed on the VPN gateway

A. Ensure that the RDP2 plug-in is installed on the VPN gateway

When is the best time to perform an anti-virus signature update? A. Every time a new update is available B. When the system detects a browser hook C. When a new virus is discovered in the wild D. When the local scanner has detected a new virus

A. Every time a new update is available

Refer to the exhibit while troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output shows? Dst src state conn-id slot 10.10.10.2 10.1.1.5 MM_NO_STATE 1 0 A. IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2 B. IKE Phase 1 main mode has successfully negotiate between 10.1.1.5 and10.10.10.2 C. IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2 D. IKE Phase 1 aggressive mode was create on 10.1.1.5, but it failed to negotiate with 10.10.10.2

A. IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2

Which sensor mode can deny attackers inline? A. IPS B. fail-close C. IDS D. fail-open

A. IPS

Refer to the exhibit. While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show? Dst Src State Conn-id Slot 10.10.10.2 10.1.1.5 QN_IDLE 1 0 A. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5 B. IPSec Phase 2 is established between 10.10.10.2 and 10.1.1.5 C. IPSec Phase 1 is down due to a QM_IDLE state (quick mode) D. IPsec Phase 2 is down due to a QM_IDLE state

A. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5

Refer to the exhibit. While troubleshooting site-to-site VPN, you issued the show crypto ipsec sa command. What does the given output show? current peer: 10.1.1.5 PERMIT, flags=(origin_is_acl,) #pkts encaps: 1205, #pkts encrypt: 1205, #pkts digest: 1205, #pkts decaps: 1168, #pkts decrypt: 1168, #pkts verify: 1168, #pkts compressed: 0 , #pkts decompressed: 0 #pkts not compressed: 0 , #pkts compr. failed: 0 #pkts decompressed failed: 0 , send errors:0 , #recv errors:0 local crypto endpt: 10.1.1.1 remote crypto endpt: 10.1.1.5 A. IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5. B. ISAKMP security associations are established between 10.1.1.5 and 10.1.1.1. C. IKE version 2 security associations are established between 10.1.1.1 and 10.1.1.5. D. IPSec Phase 2 is down due to a mismatch between encrypted and decrypted packets.

A. IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5

Scenario In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations. To access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are enabled in this simulation. To see all the menu options available on the left navigation pane, you may also need to un-expand the expanded menu first. Which four tunneling protocols are enabled in the DfltGrpPolicy group policy? (choose four) A. IPsec IKEv1 B. IPsec IKEv2 C. L2TP/IPsec D. Clientless SSL VPN E. SSL VPN Client F. PPTP

A. IPsec IKEv1 B. IPsec IKEv2 C. L2TP/IPsec D. Clientless SSL VPN Via - Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies

Which of the following are features of IPsec transport mode? (Choose three.) A. IPsec transport mode is used between end stations B. IPsec transport mode is used between gateways C. IPsec transport mode supports multicast D. IPsec transport mode supports unicast E. IPsec transport mode encrypts only the payload F. IPsec transport mode encrypts the entire packet

A. IPsec transport mode is used between end stations D. IPsec transport mode supports unicast E. IPsec transport mode encrypts only the payload

How does a device on a network using ISE receive its digital certificate during the new-device registration process? A. ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA server B. The device request a new certificate directly from a central CA C. ISE issues a pre-defined certificate from a local database D. ISE issues a certificate from its internal CA server.

A. ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA server

In a security context, which action can you take to address compliance? A. Implement rules to prevent a vulnerability B. Correct or counteract a vulnerability C. Reduce the severity of a vulnerability D. Follow directions from the security appliance manufacturer to remediate a vulnerability

A. Implement rules to prevent a vulnerability

Which two services define cloud networks? (Choose two.) A. Infrastructure as a Service B. Platform as a Service C. Compute as a Service D. Security as a Service E. Tenancy as a Service

A. Infrastructure as a Service B. Platform as a Service

Which option is the most effective placement of an IPS device within the infrastructure? A. Inline, behind the internet router and firewall B. Inline, before the internet router and firewall C. Promiscuously, after the Internet router and before the firewall D. Promiscuously, before the Internet router and the firewall

A. Inline, behind the internet router and firewall

What can the SMTP preprocessor in a FirePOWER normalize? A. It can extract and decode email attachments in client to server traffic B. It can look up the email sender C. it compares known threats to the email sender D. It can forward the SMTP traffic to an email filter server E. It uses the Traffic Anomaly Detector

A. It can extract and decode email attachments in client to server traffic

Which three statements about host-based IPS are true? (Choose three) A. It can view encrypted files B. It can be deployed at the perimeter C. It uses signature-based policies D. It can have more restrictive policies than network-based IPS E. It works with deployed firewalls F. It can generate alerts based on behavior at the desktop level.

A. It can view encrypted files D. It can have more restrictive policies than network-based IPS F. It can generate alerts based on behavior at the desktop level.

Which three statements about host-based IPS are true? (Choose three) A. It can view encrypted files B. It can be deployed at the perimeter C. It uses signature-based polices D. It can have more restrictive policies than network-based IPS E. It works with deployed firewalls F. It can generate alerts based on behavior at the desktop level

A. It can view encrypted files. D. It can have more restrictive policies than network-based IPS. F. It can generate alerts based on behavior at the desktop level.

Refer to the exhibit. What is the effect of the given command sequence? crypto ikev1 policy 1 encryption aes hash md5 authentication pre-share group 2 lifetime 14400 A. It configures IKE Phase 1 B. It configures a site-to-site VPN Tunnel C. It configures a crypto policy with a key size of 14400 D. It configures IPSec Phase 2

A. It configures IKE Phase 1

What is the effect of the given command sequence? crypto map mymap 20 match address 201 access-list 201 permit ip 10.10.10.0 255.255.255.0 10.100.100.0 255.255.255.0 A. It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24 B. It defines IPSec policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24 C. it defines IKE policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24 D. It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24

A. It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24

What is an advantage of implementing a Trusted Platform Module for disk encryption? A. It provides hardware authentication B. It allows the hard disk to be transferred to another device without requiring re-encryption.dis C. it supports a more complex encryption algorithm than other disk-encryption technologies. D. it can protect against single points of failure.

A. It provides hardware authentication

When an administrator initiates a device wipe command from the ISE, what is the immediate effect? A. It requests the administrator to choose between erasing all device data or only managed corporate data. B. It requests the administrator to enter the device PIN or password before proceeding with the operation C. It immediately erases all data on the device. D. It notifies the device user and proceeds with the erase operation

A. It requests the administrator to choose between erasing all device data or only managed corporate data.

When a company puts a security policy in place, what is the effect on the company's business? A. Minimizing risk B. Minimizing total cost of ownership C. Minimizing liability D. Maximizing compliance

A. Minimizing risk

Which network device does NTP authenticate? A. Only the time source (NTP server) B. Only the client device C. The firewall and the client device D. The client device and the time source

A. Only the time source (NTP server)

Which feature filters CoPP packets? A. Policy maps B. route maps C. access control lists D. class maps

A. Policy maps

What is the Cisco preferred countermeasure to mitigate CAM overflows? A. Port security B. Dynamic port security C. IP source guard D. Root guard

A. Port security

Which two feature do CoPP and CPPr use to protect the control plane? (Choose two) A. QoS (Copp feature) B. traffic classification (CPPr feature) C. access lists D. policy maps E. class maps F. Cisco Express Forwarding

A. QoS (Copp feature) B. traffic classification (CPPr feature)

Which three ways does the RADIUS protocol differ from TACACS?? (Choose three) A. RADIUS authenticates and authorizes simultaneously. Causing fewer packets to be transmitted B. RADIUS encrypts only the password field in an authentication packets C. RADIUS can encrypt the entire packet that is sent to the NAS D. RADIUS uses UDP to communicate with the NAS E. RADIUS uses TCP to communicate with the NAS F. RADIUS support per-command authentication

A. RADIUS authenticates and authorizes simultaneously. Causing fewer packets to be transmitted B. RADIUS encrypts only the password field in an authentication packets D. RADIUS uses UDP to communicate with the NAS

In which stage of an attack does the attacker discover devices on a target network? A. Reconnaissance B. Covering tracks C. Gaining access D. Maintaining access

A. Reconnaissance

Refer to the exhibit. The Admin user is unable to enter configuration mode on a device with the given configuration. What change can you make to the configuration to correct the problem? Username Helpdesk privilege 9 password 0 helpdesk Username Monitor privilege 8 password 0 watcher Username Admin password checkme Username Admin privilege 6 autocommand show running Privilege exec level 6 configure terminal A. Remove the Autocommand keyword and arguments from the Username Admin privilege line B. Change the Privilege exec level value to 15 C. Remove the two Username Admin lines D. Remove the Privilege exec line.

A. Remove the Autocommand keyword and arguments from the Username Admin privilege line

Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors? A. SDEE B. Syslog C. SNMP D. CSM

A. SDEE

If a switch port goes directly into a blocked state only when a superior BPDU is received, what mechanism must be in use? A. STP BPDU guard B. loop guard C. STP Root guard D. EtherChannel guard

A. STP BPDU guard

When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops? A. STP elects the root bridge B. STP selects the root port C. STP selects the designated port D. STP blocks one of the ports

A. STP elects the root bridge

Which statements about smart tunnels on a Cisco firewall are true? (Choose two.) A. Smart tunnels can be used by clients that do not have administrator privileges B. Smart tunnels support all operating systems C. Smart tunnels offer better performance than port forwarding D. Smart tunnels require the client to have the application installed locally

A. Smart tunnels can be used by clients that do not have administrator privileges D. Smart tunnels require the client to have the application installed locally

Which type of address translation should be used when a Cisco ASA is in transparent mode? A. Static NAT B. Dynamic NAT C. Overload D. Dynamic PAT

A. Static NAT

In which three ways does the TACACS protocol differ from RADIUS? (Choose three) A. TACACS uses TCP to communicate with the NAS B. TACACS can encrypt the entire packet that is sent to the NAS C. TACACS authenticates and authorizes simultaneously, causing fewer packets to be transmitted D. TACACS uses UDP to communicate with the NAS E. TACACS encrypts only the password field in an authentication packet F. TACACS support per-command authorization

A. TACACS uses TCP to communicate with the NAS B. TACACS can encrypt the entire packet that is sent to the NAS F. TACACS support per-command authorization

What is one requirement for locking a wired or wireless device from ISE? A. The ISE agent must be installed on the device B. The device must be connected to the network when the lock command is executed C. The user must approve the locking action D. The organization must implement an acceptable use policy allowing device locking

A. The ISE agent must be installed on the device

What are purposes of the Internet Key Exchange in an IPsec VPN? (Choose two.) A. The Internet Key Exchange protocol establishes security associations B. The Internet Key Exchange protocol provides data confidentiality C. The Internet Key Exchange protocol provides replay detection D. The Internet Key Exchange protocol is responsible for mutual authentication

A. The Internet Key Exchange protocol establishes security associations D. The Internet Key Exchange protocol is responsible for mutual authentication

Which statement about a PVLAN isolated port configured on a switch is true? A. The isolated port can communicate only with the promiscuous port B. The isolated port can communicate with other isolated ports and the promiscuous port C. The isolated port can communicate only with community ports D. The isolated port can communicate only with other isolated ports

A. The isolated port can communicate only with the promiscuous port

After reloading a router, you issue the dir command to verify the installation and observe that the image file appears to be missing. For what reason could the image file fail to appear in the dir output? A. The secure boot-image command is configured B. The secure boot-comfit command is configured C. The confreg 0x24 command is configured. D. The reload command was issued from ROMMON.

A. The secure boot-image command is configured

If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events will occur when the TACACS+ server returns an error? (Choose two.) A. The user will be prompted to authenticate using the enable password B. Authentication attempts to the router will be denied C. Authentication will use the router`s local database D. Authentication attempts will be sent to the TACACS+ server

A. The user will be prompted to authenticate using the enable password B. Authentication attempts to the router will be denied

Which two statements about stateless firewalls are true? (Choose two.) A. They compare the 5-tuple of each incoming packet against configurable rules. B. They cannot track connections. C. They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS. D. Cisco IOS cannot implement them because the platform is Stateful by nature. E. The Cisco ASA is implicitly stateless because it blocks all traffic by default.

A. They compare the 5-tuple of each incoming packet against configurable rules. B. They cannot track connections.

Which type of security control is defense in depth? A. Threat mitigation B. Risk analysis C. Botnet mitigation D. Overt and covert channels

A. Threat mitigation

What is a reason for an organization to deploy a personal firewall? A. To protect endpoints such as desktops from malicious activity B. To protect one virtual network segment from another C. To determine whether a host meets minimum security posture requirements D. To create a separate, non-persistent virtual environment that can be destroyed after a session E. To protect the network from DoS and syn-flood attacks

A. To protect endpoints such as desktops from malicious activity

In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations? (Choose three) A. When matching ACL entries are configured B. when matching NAT entries are configured C. When the firewall requires strict HTTP inspection D. When the firewall requires HTTP inspection E. When the firewall receives a SYN-ACK packet F. When the firewall receives a SYN packet

A. When matching ACL entries are configured B. when matching NAT entries are configured E. When the firewall receives a SYN-ACK packet

Which two statements about Telnet access to the ASA are true? (Choose two). A. You may VPN to the lowest security interface to telnet to an inside interface. B. You must configure an AAA server to enable Telnet. C. You can access all interfaces on an ASA using Telnet. D. You must use the command virtual telnet to enable Telnet. E. Best practice is to disable Telnet and use SSH.

A. You may VPN to the lowest security interface to telnet to an inside interface. E. Best practice is to disable Telnet and use SSH.

Refer to the exhibit. What type of firewall would use the given configuration line? UDP Outside 209.165.201.225:53 inside 10.0.0.10:52464, idle 0:00:01, bytes 266, flags A. a Stateful firewall B. a personal firewall C. a proxy firewall D. an application firewall E. a stateless firewall

A. a Stateful firewall

What type of algorithm uses the same key to encrypt and decrypt data? A. a symmetric algorithm B. an asymmetric algorithm C. a Public Key infrastructure algorithm D. an IP Security algorithm

A. a symmetric algorithm

Which tool can an attacker use to attempt a DDos attack? A. botnet B. Trojan horse C. virus D. adware

A. botnet

What are the three layers of a hierarchical network design? (Choose three.) A. core B. access C. server D. user E. internet F. distribution

A. core B. access F. distribution

What type of attack was the Stuxnet virus? A. cyber warfare B. hactivism C. botnet D. social engineering

A. cyber warfare

What three actions are limitations when running IPS in promiscuous mode? (Choose three.) A. deny attacker B. deny packet C. modify packet D. request block connection E. request block host F. reset TCP connection

A. deny attacker B. deny packet C. modify packet

What three actions are limitations when running IPS in promiscuous mode? (Choose three) A. deny attacker B. request block connection C. deny packet D. modify packet E. request block host F. reset TCP connection

A. deny attacker C. deny packet D. modify packet

What is the purpose of the Integrity component of the CIA triad? A. to ensure that only authorized parties can modify data B. to determine whether data is relevant C. to create a process for accessing data D. to ensure that only authorized parties can view data

A. to ensure that only authorized parties can modify data

What VPN feature allows traffic to exit the security appliance through the same interface it entered? A. hairpinning B. NAT C. NAT traversal D. split tunneling

A. hairpinning

Which two authentication types does OSPF support? (Choose two) A. plaintext B. MD5 C. HMAC D. AES 256 E. SHA-1 F. DES

A. plaintext B. MD5

What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connection? A. split tunneling B. Hairpinning C. tunnel mode D. transparent mode

A. split tunneling

Which accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose two.) A. start-stop B. stop-record C. stop-only D. stop

A. start-stop C. stop-only

What is the best way to confirm that AAA authentication is working properly? A. use the test aaa command B. use the Cisco-recommended configuration for AAA authentication C. Log into and out of the router, and then check the NAS authentication log D. Ping the NAS to confirm connectivity

A. use the test aaa command

In which two situations should you use out-of-band management? (Choose two) A. when a network device fails to forward packets B. when management applications need concurrent access to the device C. when you require ROMMON access D. when you require administrator access from multiple locations E. when the control plane fails to respond

A. when a network device fails to forward packets C. when you require ROMMON access

How many times was a read-only string used to attempt a write operation? Router# show snmp Chassis: FTX123456789 0 SNMP packets input 6 Bad SNMP version errors 3 Unknown community name 9 Illegal operation for community name supplied 4 Encoding errors 2 Number of requested variables 0 Number of altered variables 98 Get-request PDUs 12 Get-next PDUs 2 Set-request PDUs 0 Input queue packet drops (Maximum queue size 1000) 0 SNMP packets output 0 Too big errors (Maximum packet size 1500) 0 No such name errors 0 Bad values errors 0 General errors 31 Response PDUs 1 Trap PDUs A. 6 B. 9 C. 4 D. 3 E. 2

B. 9

What features can protect the data plane? (Choose three.) A. policing B. ACLs C. IPS D. Antispoofing (Antispoofing is a technique for identifying and dropping packets that have a false source address) E. QoS F. DHCP-snooping

B. ACLs D. Antispoofing (Antispoofing is a technique for identifying and dropping packets that have a false source address) F. DHCP-snooping

Which statement about Cisco ACS authentication and authorization is true? A. ACS can query multiple Active Directory domains B. ACS servers can be clustered to provide scalability C. ACS can use only one authorization profile to allow or deny requests D. ACS uses TACACS to proxy other authentication servers

B. ACS servers can be clustered to provide scalability

Which type of IPS can identify worms that are propagating in a network? A. Policy-based IPS B. Anomaly-based IPS C. Reputation-based IPS D. Signature-based IPS

B. Anomaly-based IPS

You have implemented a Source fire IPS and configured it to block certain addresses utilizing Security Intelligence IP address Reputation. A user calls and is not able to access a certain IP address. What action can you take to allow the user access to the IP address? A. Create a custom blacklist to allow traffic B. Create a white list and add the appropriate IP address to allow traffic. C. Create a user based access control rule to allow the traffic. D. Create a network based access control rule to allow the traffic. E. Create a rule to bypass inspection to allow the traffic

B. Create a white list and add the appropriate IP address to allow traffic.

Which countermeasures can mitigate ARP spoofing/poisoning/flooding attacks? (Choose two.) A. Port security B. DHCP snooping C. IP source guard (Prevents spoofing of Layer 3 information by hosts.) D. Dynamic ARP inspection (Prevents spoofing of Layer 2 information by hosts.)

B. DHCP snooping D. Dynamic ARP inspection (Prevents spoofing of Layer 2 information by hosts.)

Which SOURCEFIRE logging action should you choose to record the most detail about a connection? A. Enable logging at the beginning of the session B. Enable logging at the end of the session C. Enable alerts via SNMP to log events off-box D. Enable eStreamer to log events off-box

B. Enable logging at the end of the session

Which statement about extended access lists is true? A. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the destination B. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source C. Extended access lists perform filtering that is based on destination and are most effective when applied to the source D. Extended access lists perform filtering that is based on source and are most effective when applied to the destination

B. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source

Which of the following statements about access lists are true? (Choose three.) A. Extended access lists should be placed as near as possible to the destination B. Extended access lists should be placed as near as possible to the source C. Standard access lists should be placed as near as possible to the destination D. Standard access lists should be placed as near as possible to the source E. Standard access lists filter on the source address F. Standard access lists filter on the destination address

B. Extended access lists should be placed as near as possible to the source C. Standard access lists should be placed as near as possible to the destination E. Standard access lists filter on the source address

Which address block is reserved for locally assigned unique local addresses? A. 2002::/16 B. FD00::/8 C. 2001::/32 D. FB00::/8

B. FD00::/8

Which statement about the communication between interfaces on the same security level is true? A. All Traffic is allowed by default between interfaces on the same security level. B. Interface on the same security level require additional configuration to permit inter-interface communication. C. Configuring interface on the same security level can cause asymmetric routing. D. You can configure only one interface on an individual security level.

B. Interface on the same security level require additional configuration to permit inter-interface communication.

What improvement does EAP-FASTv2 provide over EAP-FAST? A. It support more secure encryption protocols. B. It allows multiple credentials to be passed in a single EAP exchange C. It addresses security vulnerabilities found in the original protocol. D. It allows faster authentication by using fewer packets.

B. It allows multiple credentials to be passed in a single EAP exchange

What is the effect of the send-lifetime local 23:59:00 31 December 31 2013 infinite command? A. It configures the device to begin transmitting the authentication key to other devices at 00:00:00 local time on January 1, 2014 and continue using the key indefinitely. B. It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time on December 31, 2013 and continue using the key indefinitely. C. It configures the device to begin accepting the authentication key from other devices immediately and stop accepting the key at 23:59:00 local time on December 31, 2013. D. It configures the device to generate a new authentication key and transmit it to other devices at 23:59 00 local time on December 31, 2013. E. It configures the device to begin accepting the authentication key from other devices at 23:59:00 local time on December 31, 2013 and continue accepting the key indefinitely. F. It configures the device to begin accepting the authentication key from other devices at 00:00:00 local time on January 1, 2014 and continue accepting the key indefinitely.

B. It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time on December 31, 2013 and continue using the key indefinitely.

How does the Cisco ASA use Active Directory to authorize VPN users? A. It sends the username and password to retire an ACCEPT or Reject message from the Active Directory server B. It queries the Active Directory server for a specific attribute for the specific user C. It downloads and stores the Active Directory database to query for future authorization D. It redirects requests to the Active Directory server defined for the VPN group

B. It queries the Active Directory server for a specific attribute for the specific use

What is an advantage of placing an IPS on the inside of a network? A. It can provide higher throughput. B. It receives traffic that has already been filtered. C. It receives every inbound packet. D. It can provide greater security.

B. It receives traffic that has already been filtered.

In which type of attack does the attacker attempt to overload the CAM table on a switch so that the switch acts as a hub? A. gratuitous ARP B. MAC flooding C. MAC spoofing D. DoS

B. MAC flooding

What is the only permitted operation for processing multicast traffic on zone-based firewalls? A. Stateful inspection for multicast traffic is supported only between the self-zone and the internal zone B. Only control plane policing can protect the control plane against multicast traffic C. Stateful inspection of multicast traffic is supported only for the self zone D. Stateful inspection of multicast traffic is supported only for the internal zone

B. Only control plane policing can protect the control plane against multicast traffic

Which tasks is the session management path responsible for? (Choose three.) A. Verifying IP checksums B. Performing route lookup C. Performing session lookup D. Allocating NAT translations E. Checking TCP sequence numbers F. Checking packets against the access list

B. Performing route lookup D. Allocating NAT translations F. Checking packets against the access list

Which FirePOWER preprocessor engine is used to prevent SYN attacks? A. Anomaly. B. Rate-Based Prevention C. Port scan Detection D. Inline Normalization

B. Rate-Based Prevention

Which protocols use encryption to protect the confidentiality of data transmitted between two parties? (Choose two.) A. FTP B. SSH C. Telnet D. AAA E. HTTPS F. HTTP

B. SSH E. HTTPS

If the native VLAN on a trunk is different on each end of the link, what is a potential consequence? A. The interface on both switches may shut down B. STP loops may occur C. The switch with the higher native VLAN may shut down D. The interface with the lower native VLAN may shut down

B. STP loops may occur

Scenario In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations. To access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are enabled in this simulation. To see all the menu options available on the left navigation pane, you may also need to un-expand the expanded menu first. When users login to the Clientless SSL VPN using https://209.165.201.2/test, which group policy will be applied? A. test B. Sales C. DefaultRAGroup D. DefaultWEBVPNGroup E. clientless F. DFTGrpPolicy

B. Sales Via - Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles > Edit

Which components does HMAC use to determine the authenticity and integrity of a message? A. The password B. The hash C. The key D. The transform set

B. The hash C. The key

Which security zone is automatically defined by the system? A. The source zone B. The self zone C. The destination zone D. The inside zone

B. The self zone

An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible result of this activity? A. The switch could offer fake DHCP addresses. B. The switch could become the root bridge. C. The switch could be allowed to join the VTP domain D. The switch could become a transparent bridge.

B. The switch could become the root bridge.

Refer to the exhibit. Which statement about the device time is true? R1> show clock detail .22:22:35.123 UTC Tue Feb 26 2013 Time source is NTP A. The time is authoritative because the clock is in sync B. The time is authoritative, but the NTP process has lost contact with its servers C. The clock is out of sync D. NTP is configured incorrectly E. The time is not authoritative

B. The time is authoritative, but the NTP process has lost contact with its servers

Which Statement about personal firewalls is true? A. They can protect the network against attacks B. They can protect a system by denying probing requests C. They are resilient against kernel attacks D. They can protect email messages and private documents in a similar way to a VPN

B. They can protect a system by denying probing requests

Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path? A. Unidirectional Link Detection B. Unicast Reverse Path Forwarding C. TrustSec D. IP Source Guard

B. Unicast Reverse Path Forwarding

Which Cisco product can help mitigate web-based attacks within a network? A. Adaptive Security Appliance B. Web Security Appliance C. Email Security Appliance D. Identity Services Engine

B. Web Security Appliance

Which firewall configuration must you perform to allow traffic to flow in both directions between two zones? A. You can configure a single zone pair that allows bidirectional traffic flows from for any zone except the self-zone B. You must configure two zone pair, one for each direction C. You can configure a single zone pair that allows bidirectional traffic flows for any zone D. You can configure a single zone pair that allows bidirectional traffic flows only if the source zone is the less secure zone.

B. You must configure two zone pair, one for each direction

What mechanism does asymmetric cryptography use to secure data? A. an RSA nonce B. a public/private key pair. C. an MD5 hash. D. Shared secret keys.

B. a public/private key pair.

Which command is needed to enable SSH support on a Cisco Router? A. crypto key lock rsa B. crypto key generate rsa C. crypto key zeroize rsa D. crypto key unlock rsa

B. crypto key generate rsa

In which type of attack does an attacker send email message that ask the recipient to click a link such as https://www.cisco.net.cc/securelogs? A. pharming B. phishing C. solicitation D. secure transaction

B. phishing

If the router ospf 200 command, what does the value 200 stands for? A. Administrative distance value B. process ID C. Area ID. D. ABR ID

B. process ID

Which actions can a promiscuous IPS take to mitigate an attack? A. modifying packets B. requesting connection blocking C. denying packets D. resetting the TCP connection E. requesting host blocking F. denying frames

B. requesting connection blocking D. resetting the TCP connection E. requesting host blocking

If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must be in use? A. Ether channel guard B. root guard C. loop guard D. BPDU guard

B. root guard

What are two ways to protect eavesdropping when you perform device-management task? (Choose two) A. use SNMPv2 B. use SSH connection C. use SNMPv3 D. use in-band management E. use out-band management

B. use SSH connection C. use SNMPv3

What are two default Cisco IOS privilege levels? (Choose two) A. 0 B. 5 C. 1 D. 7 E. 10 F. 15

C. 1 F. 15

If you change the native VLAN on the port to an unused VLAN, what happens if an attacker attempts a double tagging attack? A. The trunk port would go into an error-disable state. B. A VLAN hopping attack would be successful C. A VLAN hopping attack would be prevented D. the attacked VLAN will be pruned

C. A VLAN hopping attack would be prevented

What is a valid implicit permit rule for traffic that is traversing the ASA firewall? A. Unicast IPv6 traffic from a higher security interface to a lower security interface is permitted in transparent mode only B. Only BPDUs from a higher security interface to a lower security interface are permitted in routed mode. C. ARPs in both directions are permitted in transparent mode only D. Unicast IPv4 traffic from a higher security interface to a lower security interface is permitted in routed mode only E. Only BPDUs from a higher security interface to a lower security interface are permitted in transparent mode.

C. ARPs in both directions are permitted in transparent mode only

Which statement about communication over failover interfaces is true? A. All information that is sent over the failover interface is sent as clear text, but the Stateful failover link is encrypted by default. B. All information that is sent over the failover and Stateful failover interfaces is encrypted by default C. All information that is sent over the failover and Stateful failover interfaces is sent as clear text by default

C. All information that is sent over the failover and Stateful failover interfaces is sent as clear text by default

You have implemented Sourcefire IPS and configure it to block certain addresses utilizing security intelligence IP Addresses Reputation. A user calls and is not able to access a certain IP address. What action can you take to allow the user access to the IP address? A. Create a user based access control rule to allow the traffic. B. Create a custom blacklist to allow the traffic. C. Create a whitelist and add the appropriate IP address to allow the traffic. D. Create a rule to bypass inspection to allow the traffic.

C. Create a whitelist and add the appropriate IP address to allow the traffic.

What hash type does Cisco use to validate the integrity of downloaded images? A. Sha1 B. Sha2 C. Md5 D. Md1

C. Md5

Which option describes information that must be considered when you apply an access list to a physical interface? A. Protocol used for filtering B. Direction of the access class C. Direction of the access group D. Direction of the access list

C. Direction of the access group

Which EAP method uses protected Access Credentials? A. EAP-TLS B. EAP-PEAP C. EAP-FAST (replace PEAP) D. EAP-GTC

C. EAP-FAST (replace PEAP)

Which statement about IOS privilege levels is true? A. Each privilege level is independent of all other privilege levels. B. Each privilege level supports the commands at its own level and all levels above it. C. Each privilege level supports the commands at its own level and all levels below it. D. Privilege-level commands are set explicitly for each user.

C. Each privilege level supports the commands at its own level and all levels below it.

How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall configuration? A. Issue the command anyconnect keep-installer under the group policy or username webvpn mode B. Issue the command anyconnect keep-installer installed in the global configuration C. Issue the command anyconnect keep-installer installed under the group policy or username webvpn mode D. Issue the command anyconnect keep-installer installer under the group policy or username webvpn mode

C. Issue the command anyconnect keep-installer installed under the group policy or username webvpn mode

Which statement about application blocking is true? A. It blocks access to files with specific extensions B. It blocks access to specific network addresses C. It blocks access to specific programs D. It blocks access to specific network services.

C. It blocks access to specific programs

Which type of mirroring does SPAN technology perform? A. Remote mirroring over Layer 2 B. Remote mirroring over Layer 3 C. Local mirroring over Layer 2 D. Local mirroring over Layer 3

C. Local mirroring over Layer 2

What statement provides the best definition of malware? A. Malware is tools and applications that remove unwanted programs. B. Malware is a software used by nation states to commit cyber-crimes. C. Malware is unwanted software that is harmful or destructive D. Malware is a collection of worms, viruses and Trojan horses that is distributed as a single.....

C. Malware is unwanted software that is harmful or destructive

Which RADIUS server authentication protocols are supported on Cisco ASA firewalls? (Choose three.) A. EAP B. ASCII C. PAP D. PEAP E. MS-CHAPv1 F. MS-CHAPv2

C. PAP E. MS-CHAPv1 F. MS-CHAPv2

Scenario In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations. To access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are enabled in this simulation. To see all the menu options available on the left navigation pane, you may also need to un-expand the expanded menu first. Which two statements regarding the ASA VPN configurations are correct? (Choose two) A. The Inside-SRV bookmark has not been applied to the Sales group policy B. The ASA has a certificate issued by an external Certificate Authority associated to the ASDM_Trustpoint1 C. The Inside-SRV bookmark references the https://192.168.1.2 URL D. Any Connect, IPSec IKEv1 and IPSec IKEv2 VPN access is enabled on the outside interface E. Only Clientless SSL VPN VPN access is allowed with the Sales group Policy F. The DefaultWEBVPNGroup Connection Profile is using the AAA with Radius server method

C. The Inside-SRV bookmark references the https://192.168.1.2 URL F. The DefaultWEBVPNGroup Connection Profile is using the AAA with Radius server method Via - Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks AND Via - Configuration > Remote Access VPN > Certificate Management > Identity Certificates

Refer to the exhibit. Which statement about the given configuration is true? Tacacs server tacacs1 Address ipv4 1.1.1.1 Timeout 20 Single- connection Tacacs server tacacs2 Address ipv4 2.2.2.2 Timeout 20 Single- connection Tacacs server tacacs3 Address ipv4 3.3.3.3 Timeout 20 Single- connection A. The timeout command causes the device to move to the next server after 20 seconds of TACACS inactivity. B. The single-connection command causes the device to process one TACACS request and then move to the next server. C. The single-connection command causes the device to establish one connection for all TACACS transactions. D. The router communicates with the NAS on the default port, TCP 1645

C. The single-connection command causes the device to establish one connection for all TACACS transactions.

How does a zone-based firewall implementation handle traffic between Interfaces in the same Zone? A. traffic between interfaces in the same zone is blocked unless you configure the same security permit command B. Traffic between interfaces in the same zone is always blocked C. Traffic between two interfaces in the same zone is allowed by default D. Traffic between interfaces in the same zone is blocked unless you apply a service policy to the zone pair

C. Traffic between two interfaces in the same zone is allowed by default

Which source port does IKE use when NAT has been detected between two VPN gateways? A. TCP 4500 B. TCP 500 C. UDP 4500 D. UDP 500

C. UDP 4500

What are two users of SIEM software? (Choose two) A. performing automatic network audits B. configuring firewall and IDS devices C. alerting administrators to security events in real time D. scanning emails for suspicious attachments E. collecting and archiving syslog data

C. alerting administrators to security events in real time E. collecting and archiving syslog data

What is the transition order of STP states on a Layer 2 switch interface? A. listening, learning, blocking, forwarding, disabled B. listening, blocking, learning, forwarding, disabled C. blocking, listening, learning, forwarding, disabled D. forwarding, listening, learning, blocking, disabled

C. blocking, listening, learning, forwarding, disabled

Which options are filtering options used to display SDEE message types? A. Stop B. none C. error D. all

C. error D. all

How does PEAP protect EAP exchange? A. It encrypts the exchange using the client certificate. B. it validates the server-supplied certificate and then encrypts the exchange using the client certificate C. it encrypts the exchange using the server certificate D. It validates the client-supplied certificate and then encrypts the exchange using the server certificate.

C. it encrypts the exchange using the server certificate

Which command initializes a lawful intercept view? A. username cisco1 view lawful-intercept password cisco B. parser view cisco li-view C. li-view cisco user cisco1 password cisco D. parser view li-view inclusive

C. li-view cisco user cisco1 password cisco

Which command verifies phase 1 of an IPsec VPN on a Cisco router? A. show crypto map B. show crypto ipsec sa C. show crypto isakmp sa D. show crypto engine connection active

C. show crypto isakmp sa

Your security team has discovered a malicious program that has been harvesting the CEO's email messages and the company's user database for the last 6 months. What type of attack did your team discover? A. social activism B. drive-by spyware C. targeted malware D. advance persistent threat

C. targeted malware D. advance persistent threat

What is the primary purposed of a defined rule in an IPS? A. to detect internal attacks B. to define a set of actions that occur when a specific user logs in to the system C. to configure an event action that is pre-defined by the system administrator D. to configure an event action that takes place when a signature is triggered.

C. to configure an event action that is pre-defined by the system administrator

How many crypto map sets can you apply to a router interface? A. 3 B. 2 C. 4 D. 1

D. 1

Scenario In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations. To access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are enabled in this simulation. Which user authentication method is used when users login to the Clientless SSL VPN portal using https://209165.201.2/test? A. Both Certificate and AAA with LOCAL database B. AAA with RADIUS server C. Both Certificate and AAA with RADIUS server D. AAA with LOCAL database E. Certificate

D. AAA with LOCAL database Via - Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles

Which syslog severity level is level number 7? A. Warning B. Informational C. Notification D. Debugging

D. Debugging

When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading? A. Perform a Layer 6 reset B. Deploy an antimalware system C. Enable bypass mode D. Deny the connection inline

D. Deny the connection inline

A specific URL has been identified as containing malware. What action can you take to block users from accidentally visiting the URL and becoming infected with malware? A. Enable URL filtering on the perimeter firewall and add the URLs you want to allow to the routers local URL list B. Enable URL filtering on the perimeter router and add the URLs you want to allow to the firewalls local URL list C. Create a blacklist that contains the URL you want to block and activate the blacklist on the perimeter router. D. Enable URL filtering on the perimeter router and add the URLs you want to block to the routers local URL list E. Create a whitelist that contains the URls you want to allow and activate the whitelist on the perimeter router.

D. Enable URL filtering on the perimeter router and add the URLs you want to block to the routers local URL list

Which Cisco Security Manager application collects information about device status and uses it to generate notifications and alerts? A. FlexConfig B. Device Manager C. Report Manager D. Health and Performance Monitor

D. Health and Performance Monitor

What is the potential drawback to leaving VLAN 1 as the native VLAN? A. Gratuitous ARPs might be able to conduct a man-in-the-middle attack. B. The CAM might be overloaded, effectively turning the switch into hub. C. VLAN 1 might be vulnerable to IP address spoofing D. It may be susceptible to a VLAN hopping attack

D. It may be susceptible to a VLAN hopping attack

In what type of attack does an attacker virtually change a devices burned in address in an attempt to circumvent access lists and mask the device's true identity? A. gratuitous ARP B. ARP poisoning C. IP Spoofing D. MAC Spoofing

D. MAC Spoofing

Which three ESP fields can be encrypted during transmission? (Choose three) A. Security Parameter Index B. Sequence Number C. MAC Address D. Padding E. Pad Length F. Next Header

D. Padding E. Pad Length F. Next Header

By which kind of threat is the victim tricked into entering username and password information at a disguised website? A. Spoofing B. Malware C. Spam D. Phishing

D. Phishing

Which type of firewall can act on the behalf of the end device? A. Stateful packet B. Application C. Packet D. Proxy

D. Proxy

Which statements about reflexive access lists are true? (Choose three) A. Reflexive access lists create a permanent ACE B. Reflexive access lists approximate session filtering using the established keyword C. Reflexive access lists can be attached to standard named IP ACLs D. Reflexive access lists support UDP sessions E. Reflexive access lists can be attached to extended named IP ACLs F. Reflexive access lists support TCP sessions

D. Reflexive access lists support UDP sessions E. Reflexive access lists can be attached to extended named IP ACLs F. Reflexive access lists support TCP sessions

If a packet matches more than one class map in an individual feature type's policy map, how does the ASA handle the packet? A. The ASA will apply the actions from only the most specific matching class map it finds for the feature type B. The ASA will apply the actions from all matching class maps it finds for the feature type C. The ASA will apply the actions from only the last matching class map it finds for the feature type. D. The ASA will apply the actions from only the first matching class map it finds for the feature type

D. The ASA will apply the actions from only the first matching class map it finds for the feature type.

What is a possible reason for the error message? Router(config)#aaa server? % unrecognized command A. The command syntax requires a space after the word "server" B. The command is invalid on the target device C. The router is already running the latest operating system D. The router is a new device on which the aaa new-model command must be applied before continuing

D. The router is a new device on which the aaa new-model command must be applied before continuing

What is the purpose of a honeypot IPS? A. To create customized policies B. To detect unknown attacks C. To normalize streams D. To collect information about attacks

D. To collect information about attacks

For what reason would you configure multiple security contexts on the ASA firewall? A. To enable the use of VFRs on routers that are adjacently connected B. To provide redundancy and high availability within the organization C. To enable the use of multicast routing and QoS through the firewall D. To separate different departments and business units

D. To separate different departments and business units

Refer to the exhibit. Which line in this configuration prevents the HelpDesk user from modifying the interface configuration? Username Engineer privilege 9 password 0 configure Username Monitor privilege 8 password 0 vatcher Username HelpDesk privilege 6 password help Privilege exec level 6 show running Privilege exec level 7show start-up Privilege exec level 9 show configure terminal Privilege exec level 10 interface A. Privilege exec level 9 show configure terminal B. Privilege exec level 7show start-up C. Privilege exec level 10 interface D. Username HelpDesk privilege 6 password help

D. Username HelpDesk privilege 6 password help

Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable syntax using the local database with no fallback method? A. aaa authentication enable c onsole LOCAL SERVER_GROUP B. aaa authentication enable console SERVER_GROUP LOCAL C. aaa authentication enable console local D. aaa authentication enable console LOCAL

D. aaa authentication enable console LOCAL

What configuration allows AnyConnect to authenticate automatically establish a VPN session when a user logs in to the computer? A. proxy B. Trusted Network Detection C. transparent mode D. always-on

D. always-on

Which feature of the Cisco Email Security Appliance can mitigate the impact of snowshoe spam and sophisticated phishing attack? A. holistic understanding of threats B. graymail management and filtering C. signature-based IPS D. contextual analysis

D. contextual analysis

What type of packet creates and performs network operations on a network device? A. data plane packets B. management plane packets C. services plane packets D. control plane packets

D. control plane packets

Which technology can be used to rate data fidelity and to provide an authenticated hash for data? A. Network blocking B. signature updates C. file analysis D. file reputation

D. file reputation

Which of encryption technology has the broadcast platform support to protect operating systems? A. Middleware B. Hardware C. software D. file-level

D. file-level

Which command causes a Layer 2 switch interface to operate as a Layer 3 interface? A. no switchport nonnegotiate B. switchport C. no switchport mode dynamic auto D. no switchport

D. no switchport

Which type of secure connectivity does an extranet provide? A. remote branch offices to your company network B. your company network to the Internet C. new networks to your company network D. other company networks to your company network

D. other company networks to your company network

Which Sourfire secure action should you choose if you want to block only malicious traffic from a particular end-user? A. Trust B. Block C. Allow without inspection D. Monitor E. Allow with inspection

E. Allow with inspection

Refer to the exhibit. What is the effect of the given command? Crypto ipsec transform-set myset esp-md5-hmac esp-esp-aes-256 A. It configures the network to use a different transform set between peers. B. It merges authentication and encryption methods to protect traffic that matches an ACL. C. It configures encryption for MD5 HMAC. D. It configures authentications as AES 256. E. ESP-MD5-HMAC is Hashing with Authentication part F. ESP-ESP-AES-256 is Encryption Part

E. ESP-MD5-HMAC is Hashing with Authentication part F. ESP-ESP-AES-256 is Encryption Part

You have been tasked with blocking user access to website that violate company policy, but the site use dynamic IP Addresses. What is the best practice URL filtering to solve the problem? A. Enable URL filtering and create a blacklist to block the websites that violate company policy. B. Enable URL filtering and create a whitelist to allow only the websites the company policy allow users to access. C. Enable URL filtering and use URL categorization to allow only the websites the company policy allow users to access D. Enable URL filtering and create a whitelist to block the websites that violate company policy. E. Enable URL filtering and use URL categorization to block the websites that violate company policy.

E. Enable URL filtering and use URL categorization to block the websites that violate company policy.

How can you detect a false negative on an IPS? A. View the alert on the IPS B. Use a third-party to audit the next-generation firewall rules C. Review the IPS console D. Review the IPS log E. Use a third-party system to perform penetration testing

E. Use a third-party system to perform penetration testing

Scenario Given the new additional connectivity requirements and the topology diagram, use ASDM to accomplish the required ASA configurations to meet the requirements. New additional connectivity requirements: - Currently, the ASA configurations only allow on the Inside and DMZ networks to access any hosts on the Outside. Your task is to use ASDM to configure the ASA to also allow any host only on the Outside to HTTP to the DMZ server. The hosts on the Outside will need to use the 209.165.201.30 public IP address when HTTPing to the DMZ server. - Currently, hosts on the ASA higher security level interfaces are not able to ping any hosts on the lower security level interfaces. Your task in this simulation is to use ASDM to enable the ASA to dynamically allow the echo-reply responses back through the ASA. Once the correct ASA configurations have been configured: - You can test the connectivity to http://209.165.201,30 from the Outside PC browser. - You can test the pings to the Outside (www.cisco.com) by opening the inside PC command prompt window. In this simulation, only testing pings to www.cisco.com will work. To access ASDM, click the ASA icon in the topology diagram. To access the Firefox Browser on the Outside PC, click the Outside PC icon in the topology diagram. To access the Command prompt on the Inside PC, click the Inside PC icon in the topology diagram. Note: After you make the configuration changes in ASDM, remember to click Apply to apply the configuration changes.

Step1: Firewall, Configuration, NAT Rules, Name=http, IP version=IPv4, IP address=209.165.201.30, Static NAT=172.16.1.2 Step2: Firewall, Config, NAT Rules, Interface=Outside, Action=Permit, Source=any, Destination=209.165.201.30, Service= tcp/http Step3: Firewall, Config, Service policy Rules, Click Global Policy and edit, Rule Action tab, Click ICMP and apply Step4: Ping www.cisco.com from Inside PC


Set pelajaran terkait

Unit Test Review - COMBUSTION: PART 1

View Set

Ap Environmental Science: Sustainability

View Set

Western Civilization I CLEP Exam (ANSWERS)

View Set

Graphing Functions and Equations

View Set

Agency, Employment, Employment Discrimination L201 Unit 4 (heavily tested on final exam)

View Set