CCNA Security Final Part 2
80. Place the system development cycle (SDLC) phases in the order they occur (Not all options are used) (Drag and drop)
1st -> Initiation 2nd -> Acquisition and Development 3rd -> Implementation 4th -> Operations and Maintenance 5th -> Disposition
75. In a corporate network where SAN is deployed, what happens if the SAN fabric is compromised? A. Data is compromised. B. Server CPUs become overloaded. C. Configurations can be changed or lost. D. End devices become infected.
A. Data is compromised.
Refer to the exhibit. What is the purpose of the highlighted inspect line? A. It is the action to take on the traffic from the 10.10.10.0/24 network. B. It specifies the named class-map to apply to the traffic_going policy. C. It dictates to the firewall to track all outgoing sessions no matter the source in order to determine whether a return packet is allowed. D. It is the command used to apply a rate limit to a specific class of traffic
A. It is the action to take on the traffic from the 10.10.10.0/24 network.
58. What are two protocols that are used by AAA to authenticate users against a central database of usernames and passwords? (Choose two.) A. TACACS+ B. NTP C. SSH D. RADIUS E. HTTPS F. CHAP
A. TACACS+ D. RADIUS
63. Refer to the exhibit. According to the command output, which three statements are true about the DHCP options entered on the ASA 5505? (Choose three.) A. The dhcpd auto-config outside command was issued to enable the DHCP client. B. The dhcpd enable inside command was issued to enable the DHCP server. C. The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP client. D. The dhcpd auto-config outside command was issued to enable the DHCP server. E. The dhcpd enable inside command was issued to enable the DHCP client. F. The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP server
A. The dhcpd auto-config outside command was issued to enable the DHCP client. B. The dhcpd enable inside command was issued to enable the DHCP server. F. The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP server
76. What three phases would be addressed as part of doing business continuity planning? (Choose three.) A. a recovery phase B. an emergency response phase C. a quarantine or containment phase D. a return to normal operation phase E. a reaction phase F. an initiation phase
A. a recovery phase B. an emergency response phase D. a return to normal operation phase
74. Refer to the exhibit. An administrator creates three zones (A, B, and C) in an ASA that filters traffic. Traffic originating from Zone A going to Zone C is denied, and traffic originating from Zone B going to Zone C is denied. What is a possible scenario for Zones A, B, and C? A. A - DMZ, B - Inside, C - Outside B. A - DMZ, B - Outside, C - Inside C. A - Inside, B - DMZ, C - Outside D. A - Outside, B - Inside, C - DMZ
B. A - DMZ, B - Outside, C - Inside
68. What is a CLI initiated script that locks down the control plane of a Cisco router in one step? A. Control Plane Protection B. Cisco AutoSecure C. IP Source Guard D. Control Plane Policing
B. Cisco AutoSecure
70. What is one way to prevent attackers from eavesdropping on VoIP conversations? A. Use Forced Authorization Codes. B. Implement separate voice VLANs. C. Configure IP phones to use only signed firmware files. D. Create ACLs to allow only VoIP protocols.
B. Implement separate voice VLANs.
Refer to the exhibit. Which pair of crypto isakmp key commands would correctly configure PSK on the two routers? A. R1# crypto isakmp key ciscopass address 209.165.200.226 R2# crypto isakmp key secure address 209.165.200.227 B. R1# crypto isakmp key ciscopass address 209.165.200.227 R2# crypto isakmp key ciscopass address 209.165.200.226 C. R1# crypto isakmp key ciscopass hostname R1 R2# crypto isakmp key ciscopass hostname R2 D. R1# crypto isakmp key ciscopass address 209.165.200.226 R2# crypto isakmp key ciscopass address 209.165.200.227
B. R1# crypto isakmp key ciscopass address 209.165.200.227 R2# crypto isakmp key ciscopass address 209.165.200.226
65. Which three types of remote access VPNs are supported on ASA devices? (Choose three.) A. Clientless SSL VPN using the Cisco AnyConnect Client B. SSL or IPsec (IKEv2) VPN using the Cisco AnyConnect Client C. IPsec (IKEv1) VPN using a web browser D. SSL or IPsec (IKEv2) VPN using the Cisco VPN Client E. Clientless SSL VPN using a web browser F. IPsec (IKEv1) VPN using the Cisco VPN Client
B. SSL or IPsec (IKEv2) VPN using the Cisco AnyConnect Client E. Clientless SSL VPN using a web browser F. IPsec (IKEv1) VPN using the Cisco VPN Client
61. Refer to the exhibit. An administrator has configured an ASA 5505 as indicated but is still unable to ping the inside interface from an inside host. What is the cause of this problem? A. An IP address should be configured on the Ethernet 0/0 and 0/1 interfaces. B. The no shutdown command should be entered on interface Ethernet 0/1. C. The security level of the inside interface should be 0 and the outside interface should be 100. D. VLAN 1 should be the outside interface and VLAN 2 should be the inside interface. E. VLAN 1 should be assigned to interface Ethernet 0/0 and VLAN 2 to Ethernet 0/1.
B. The no shutdown command should be entered on interface Ethernet 0/1.
51. A company is designing its strategy of deploying Cisco Secure ACS to manage user access. The company is currently using a Windows server for the internal authentication service. The network administrator needs to configure the ACS to contact the Windows server when it cannot find the user in its local database. Which option of external user database setup should be configured on ACS? A. by specific user assignment B. by unknown user policy C. by administrator privilege D. by user priority
B. by unknown user policy
49. Which two commands are needed on every IPv6 ACL to allow IPv6 neighbor discovery? (Choose two.) A. permit ipv6 any any fragments B. permit icmp any any nd-ns C. permit icmp any any echo-reply D. permit icmp any any nd-na E. permit tcp any any ack F. permit ipv6 any any routing
B. permit icmp any any nd-ns D. permit icmp any any nd-na
62. Refer to the exhibit. What will be displayed in the output of the show running-config object command after the exhibited configuration commands are entered on an ASA 5505? A. host 192.168.1.3 B. range 192.168.1.10 192.168.1.20 C. host 192.168.1.4 and range 192.168.1.10 192.168.1.20 D. host 192.168.1.3 and host 192.168.1.4 E. host 192.168.1.4 F. host 192.168.1.3, host 192.168.1.4, and range 192.168.1.10 192.168.1.20
B. range 192.168.1.10 192.168.1.20
78. What is an example of toll fraud? A. the use of a telephony system to send unsolicited and unwanted bulk messages B. the use of a telephony system to make unauthorized long distance calls C. the use of a telephony system to get information, such as account details, directly from users D. the use of a telephony system to illegally intercept voice packets in order to listen in on a call
B. the use of a telephony system to make unauthorized long distance calls
53. Which two options are offered through the Cisco TrustSec Solution for enterprise networks? (Choose two.) A. Easy VPN solution B. IPsec VPN solution C. 802.1X-Based Infrastructure solution D. NAC Appliance-Based Overlay solution E. Firewall and IDS integrated solution
C. 802.1X-Based Infrastructure solution D. NAC Appliance-Based Overlay solution
69. Which three statements should be considered when applying ACLs to a Cisco router? (Choose three.) A. Generic ACL entries should be placed at the top of the ACL. B. A maximum of three IP access lists can be assigned to an interface per direction (in or out). C. An access list applied to any interface without a configured ACL allows all traffic to pass. D. Router-generated packets pass through ACLs on the router without filtering. E. More specific ACL entries should be placed at the top of the ACL. F. ACLs always search for the most specific entry before taking any filtering action.
C. An access list applied to any interface without a configured ACL allows all traffic to pass. D. Router-generated packets pass through ACLs on the router without filtering. E. More specific ACL entries should be placed at the top of the ACL.
60. Which three wizards are included in Cisco ASDM 6.4? (Choose three.) A. ADSL Connection wizard B. Advanced Firewall wizard C. High Availability and Scalability wizard D. Security Audit wizard E. Startup wizard F. VPN wizard
C. High Availability and Scalability wizard E. Startup wizard F. VPN wizard
What are two features of Cisco Easy VPN Server? (Choose two.) A. It requires Cisco routers to act as remote VPN clients. B. It enables complete access to the corporate network over an SSL VPN tunnel. C. It enables an ASA firewall to act as the VPN head-end device in remote-access VPNs. D. It requires remote access to the corporate network via a web browser and SSL. E. Cisco Easy VPN Server enables VPN client remote access to a company intranet through creation of secure IPsec tunnels.
C. It enables an ASA firewall to act as the VPN head-end device in remote-access VPNs. E. Cisco Easy VPN Server enables VPN client remote access to a company intranet through creation of secure IPsec tunnels.
55. Two devices that are connected to the same switch need to be totally isolated from one another. Which Cisco switch security feature will provide this isolation? A. DTP B. BPDU guard C. PVLAN Edge D. SPAN
C. PVLAN Edge
45. Which spanning-tree enhancement prevents the spanning-tree topology from changing by blocking a port that receives a superior BPDU? A. PortFast B. BPDU guard C. root guard D. BPDU filter
C. root guard
50. A network technician has been asked to design a virtual private network between two branch routers. Which type of cryptographic key should be used in this scenario? A. asymmetric key B. hash key C. symmetric key D. digital signature
C. symmetric key
54. Which statement accurately describes Cisco IOS zone-based policy firewall operation? A. Router management interfaces must be manually assigned to the self zone. B. A router interface can belong to multiple zones. C. The pass action works in only one direction. D. Service policies are applied in interface configuration mode.
C. The pass action works in only one direction.
47. Why does a worm pose a greater threat than a virus poses? A. Worms are not detected by antivirus programs. B. Worms run within a host program. C. Worms are more network-based than viruses are. D. Worms directly attack the network devices.
C. Worms are more network-based than viruses are.
79. A user complains about not being able to gain access to the network. What command would be used by the network administrator to determine which AAA method list is being used for this particular user as the user logs on? A. debug aaa accounting B. debug aaa authorization C. debug aaa authentication D. debug aaa protocol
C. debug aaa authentication
71. A large company deploys several network-based IPS sensors for its headquarters network. Which network service configuration will help the process of correlating attack events happening simultaneously in different points of the network? A. Multiple DNS servers with fault tolerance B. Distributed DHCP servers C. A syslog server for each IPS sensor D. A centralized NTP server
D. A centralized NTP server
56. Why is a reflexive ACL harder to spoof compared to an extended ACL that uses the established keyword? A. It provides a secure tunnel for returning traffic. B. A reflexive ACL provides a lock-and-key function. C. It allows incoming packets only after the 3-way handshake is completed. D. It provides more detailed filter criteria to match an incoming packet before the packet is allowed through.
D. It provides more detailed filter criteria to match an incoming packet before the packet is allowed through.
46. In deploying an IPS in a corporate network, system operators first create a profile of normal network operation by monitoring network activities in normal network uses. After the profile is incorporated into the IPS triggering mechanism, alarms will be generated when the IPS detects excessive activity that is beyond the scope of the profile. Which signature detection mechanism is deployed? A. pattern-based detection B. policy-based detection C. honey pot-based detection D. anomaly-based detection
D. anomaly-based detection
57. Which security feature helps protect a VoIP system from SPIT attacks? A. AES B. BPDU guard C. WPA2 D. authenticated TLS
D. authenticated TLS
77. Logging into a computer as the administrator just to surf the web is a violation of which security technique? A. process isolation B. utilizing a reference monitor C. access control to resources D. least privilege
D. least privilege
73. What command must be issued to enable login enhancements on a Cisco router? A. privilege exec level B. banner motd C. login delay D. login block-for
D. login block-for
72. What is the role of the Cisco NAC Manager in implementing a secure networking infrastructure? A. to assess and enforce security policy compliance in the NAC environment B. to perform deep inspection of device security profiles C. to provide post-connection monitoring of all endpoint devices D. to define role-based user access and endpoint security policies
D. to define role-based user access and endpoint security policies
48. Which security feature would be commonly implemented as part of a large enterprise wireless policy but would not typically be used in a small office/home office network? A. not broadcasting the SSID B. using WPA2 C. not allowing personal wireless devices D. using an authentication server
D. using an authentication server
67. What is an advantage of using CCP rather than the CLI to configure an ACL? A. IPsec is supported. B. CCP applies the read-only quality to manually created access rules so that accidental modification cannot be made. C. CCP automatically applies a rule to the interface or zone most appropriate. D. Traffic rules do not have to be configured when CCP is being used. E. CCP provides default rules.
E. CCP provides default rules.
Refer to the exhibit. A network administrator is troubleshooting a GRE VPN tunnel between R1 and R2. Assuming the R2 GRE configuration is correct and based on the running configuration of R1, what must the administrator do to fix the problem? A. Change the tunnel IP address to 209.165.201.1. B. Change the tunnel destination to 192.168.5.1. C. Change the tunnel IP address to 192.168.3.1. D. Change the tunnel source interface to Fa0/0. E. Change the tunnel destination to 209.165.200.225
E. Change the tunnel destination to 209.165.200.225
66. Refer to the exhibit. The network administrator is configuring the port security feature on switch SWC. The administrator issued the command show port-security interface fa 0/2 to verify the configuration. What can be concluded from the output that is shown? (Choose three.) A. The switch port mode for this interface is access mode. B. The port is configured as a trunk link. C. Three security violations have been detected on this interface. D. This port is currently up. E. Security violations will cause this port to shut down immediately. F. There is no device currently connected to this port.
E. Security violations will cause this port to shut down immediately. F. There is no device currently connected to this port.
81. Fill in the blank. When role-based CLI is used, only the _____________ view has the ability to add or remove commands from existing views.
Root
59. Which security organization updates the training material that helps prepare for the Global Information Assurance Certification (GIAC)?
SANS
64. Fill in the blank. In a syslog implementation, a router that generates and forwards syslog messages is known as a syslog _______.
clients