CCNA Security V2 Final Exam (Part 2)
What two algorithms can be part of an IPsec policy to provide encryption and hashing to protect interesting traffic? (Choose two.) - PSK - DH - RSA - AES - SHA
- AES - SHA
Which two end points can be on the other side of an ASA site-to-site VPN configured using ASDM? (Choose two.) - DSL switch - Frame Relay switch - ISR router - another ASA - multilayer switch
- ISR router - another ASA
Which two protocols can be selected using the Cisco AnyConnect VPN Wizard to protect the traffic inside a VPN tunnel? (Choose two.) - Telnet - SSH - SSL - ESP - IPsec
- SSL - IPsec
What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.) - The code contains no errors. - The code contains no viruses. - The code has not been modified since it left the software publisher. - The code is authentic and is actually sourced by the publisher. - The code was encrypted with both a private and public key.
- The code has not been modified since it left the software publisher. - The code is authentic and is actually sourced by the publisher.
An administrator assigned a level of router access to the user ADMIN using the commands below. Router(config)# privilege exec level 14 show ip route Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10 Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10 Which two actions are permitted to the user ADMIN? (Choose two.) - The user can execute all subcommands under the show ip interfaces command. - The user can issue the show version command. - The user can only execute the subcommands under the show ip route command. - The user can issue all commands because this privilege level can execute all Cisco IOS commands. - The user can issue the ip route command.
- The user can issue the show version command. - The user can only execute the subcommands under the show ip route command.
What are three characteristics of SIEM? (Choose three.) - can be implemented as software or as a service - Microsoft port scanning tool designed for Windows - examines logs and events from systems and applications to detect security threats - consolidates duplicate event data to minimize the volume of gathered data - uses penetration testing to determine most network vulnerabilities - provides real-time reporting for short-term security event analysis
- can be implemented as software or as a service - examines logs and events from systems and applications to detect security threats - consolidates duplicate event data to minimize the volume of gathered data
Which three actions can the Cisco IOS Firewall IPS feature be configured to take when an intrusion activity is detected? (Choose three.) - reset UDP connection - reset TCP connection - alert - isolate - inoculate - drop
- reset TCP connection - alert - drop
What are two characteristics of a stateful firewall? (Choose two.) - uses connection information maintained in a state table - uses static packet filtering techniques - analyzes traffic at Layers 3, 4 and 5 of the OSI model - uses complex ACLs which can be difficult to configure prevents Layer 7 attacks
- uses connection information maintained in a state table - analyzes traffic at Layers 3, 4 and 5 of the OSI model
http://ccnav6.com/wp-content/uploads/2016/02/Q26.jpg Refer to the exhibit. If a network administrator is using ASDM to configure a site-to-site VPN between the CCNAS-ASA and R3, which IP address would the administrator use for the peer IP address textbox on the ASA if data traffic is to be encrypted between the two remote LANs? - 209.165.201.1 - 192.168.1.3 - 172.16.3.1 - 172.16.3.3 - 192.168.1.1
209.165.201.1
Which statement describes the use of certificate classes in the PKI? - A class 5 certificate is more trustworthy than a class 4 certificate. - Email security is provided by the vendor, not by a certificate. - The lower the class number, the more trusted the certificate. - A vendor must issue only one class of certificates when acting as a CA.
A class 5 certificate is more trustworthy than a class 4 certificate.
What is a characteristic of a role-based CLI view of router configuration? - When a superview is deleted, the associated CLI views are deleted. - A single CLI view can be shared within multiple superviews. - A CLI view has a command hierarchy, with higher and lower views. - Only a superview user can configure a new view and add or remove commands from the existing views.
A single CLI view can be shared within multiple superviews.
An organization has configured an IPS solution to use atomic alerts. What type of response will occur when a signature is detected? - A counter starts and a summary alert is issued when the count reaches a preconfigured number. - The TCP connection is reset. - An alert is triggered each time a signature is detected. - The interface that triggered the alert is shutdown.
An alert is triggered each time a signature is detected.
Why is hashing cryptographically stronger compared to a cyclical redundancy check (CRC)? - Hashes are never sent in plain text. - It is easy to generate data with the same CRC. - It is virtually impossible for two different sets of data to calculate the same hash output. - Hashing always uses a 128-bit digest, whereas a CRC can be variable length.
It is virtually impossible for two different sets of data to calculate the same hash output.
http://ccnav6.com/wp-content/uploads/2016/02/Q37.jpg Penetration testing = Network scanning = Vulnerability scanning = used to determine the possible consequences of successful attacks on the network. used to discover available resources on the network. used to find weaknesses and misconfigurations on network systems. used to detect and report changes made to system
Penetration testing = used to determine the possible consequences of successful attacks on the network. Vulnerability scanning = used to find weaknesses and misconfigurations on network systems. Network scanning = used to discover available resources on the network.
http://ccnav6.com/wp-content/uploads/2016/02/Q39.jpg Refer to the exhibit. An administrator issues these IOS login enhancement commands to increase the security for login connections. What can be concluded about them? - Because the login delay command was not used, a one-minute delay between login attempts is assumed. - The hosts that are identified in the ACL will have access to the device. - The login block-for command permits the attacker to try 150 attempts before being stopped to try again. - These enhancements apply to all types of login connections.
The hosts that are identified in the ACL will have access to the device.
http://ccnav6.com/wp-content/uploads/2016/02/Q27.jpg Refer to the exhibit. Based on the security levels of the interfaces on the ASA, what statement correctly describes the flow of traffic allowed on the interfaces? - Traffic that is sent from the LAN and the Internet to the DMZ is considered inbound. - Traffic that is sent from the DMZ and the Internet to the LAN is considered outbound. - Traffic that is sent from the LAN to the DMZ is considered is considered inbound. - Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.
Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.
A company deploys a Cisco ASA with the Cisco CWS connector enabled as the firewall on the border of corporate network. An employee on the internal network is accessing a public website. What should the employee do in order to make sure the web traffic is protected by the Cisco CWS? - Register the destination website on the Cisco ASA. - Use the Cisco AnyConnect Secure Mobility Client first. - Use a web browser to visit the destination website. - First visit a website that is located on a web server in the Cisco CWS infrastructure.
Use a web browser to visit the destination website.
Which interface option could be set through ASDM for a Cisco ASA? - default route - access list - VLAN ID - NAT/PAT
VLAN ID
What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol? - DHCP spoofing - ARP spoofing - VLAN hopping - ARP poisoning
VLAN hopping
In an AAA-enabled network, a user issues the configure terminal command from the privileged executive mode of operation. What AAA function is at work if this command is rejected? - authorization - authentication - auditing - accounting
authorization
Fill in the blank. A stateful signature is also known as a _____________ signature.
composite
Which type of traffic is subject to filtering on an ASA 5505 device? - public Internet to inside - public Internet to DMZ - inside to DMZ - DMZ to inside
inside to DMZ
A network analyst wants to monitor the activity of all new interns. Which type of security testing would track when the interns sign on and sign off the network? - vulnerability scanning - password cracking - network scanning - integrity checker
integrity checker
Which IDS/IPS signature alarm will look for packets that are destined to or from a particular port? - honey pot-based - anomaly-based - signature-based - policy-based
signature-based
What mechanism is used by an ASA 5505 device to allow inspected outbound traffic to return to the originating sender who is on an inside network? - Network Address Translation - access control lists - security zones - stateful packet inspection
stateful packet inspection
