Mahmood Chapter Final Exam


authenticator authentication server

The switch port to which a client attaches is configured for the 802.1X protocol. The client must authenticate before being allowed to pass data onto the network. Between which two 802.1X roles is EAP data encapsulated using RADIUS? (Choose two.) encrypter authenticator data nonrepudiation server supplicant authentication server

echo reply

To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface? echo request echo reply time-stamp request time-stamp reply router advertisement

PVLAN Edge

Two devices that are connected to the same switch need to be totally isolated from one another. Which Cisco switch security feature will provide this isolation? PVLAN Edge DTP SPAN BPDU guard

main aggressive

What are the two modes used in IKE Phase 1? (Choose two.) passive primary main secondary aggressive

both use signatures to detect patterns both can detect atomic patterns

What are two characteristics of both IPS and IDS sensors? (Choose two.) neither introduce latency or jitter both use signatures to detect patterns both are deployed inline in the data stream both can stop trigger packets both can detect atomic patterns

It often requires assistance from other network devices to respond to an attack.

What is a characteristic of an IDS? It can affect network performance by introducing latency and jitter. It often requires assistance from other network devices to respond to an attack. It is installed inline with the network traffic flow. It can be configured to drop trigger packets that are associated with a connection.

access list

What is needed to define interesting traffic in the creation of an IPsec tunnel? security associations hashing algorithm access list transform set

A firewall is a system that enforces an access control policy between internal corporate networks and external networks.

When implementing components into an enterprise network, what is the purpose of a firewall? A firewall is a system that inspects network traffic and makes forwarding decisions based solely on Layer 2 Ethernet MAC addresses. A firewall is a system that is designed to secure, monitor, and manage mobile devices, including corporate-owned devices and employee-owned devices. A firewall is a system that stores vast quantities of sensitive and business-critical information. A firewall is a system that enforces an access control policy between internal corporate networks and external networks.

authentication

Which AAA component can be established using token cards? accounting authorization auditing authentication

4000 series ISR

Which Cisco platform supports Cisco Snort IPS? 800 series ISR 3900 series ISR 4000 series ISR 2900 series ISR

802.1x

Which protocol defines port-based authentication to restrict unauthorized hosts from connecting to the LAN through publicly accessible switch ports? RADIUS TACACS+ 802.1x SSH

The pass action works in only one direction.

Which statement describes Cisco IOS Zone-Based Policy Firewall operation? a. The pass action works in only one direction. b. Router management interfaces must be manually assigned to the self zone. c. A router interface can belong to multiple zones. d. Service policies are applied in interface configuration mode.

A zone establishes a security border of a network.

Which statement describes a zone when implementing ZPF on a Cisco router? Only one zone can be attached to a single interface. A zone is used to define security policies for a unique interface on the router. A zone is used to implement traffic filtering for either TCP or UDP. A zone establishes a security border of a network.

debugging

Which syslog message type is accessible only to an administrator and only via the Cisco CLI? errors alerts debugging emergency

If both interfaces are members of the same zone, all traffic will be passed. If neither interface is a zone member, then the action is to pass traffic.

Which two rules about interfaces are valid when implementing a Zone-Based Policy Firewall? (Choose two.) a. If neither interface is a zone member, then the action is to pass traffic. b. If one interface is a zone member, but the other is not, all traffic will be passed. c. If both interfaces belong to the same zone-pair and a policy exists, all traffic will be passed. d. If both interfaces are members of the same zone, all traffic will be passed. e. If one interface is a zone member and a zone-pair exists, all traffic will be passed.

traffic originating from the DMZ network and traveling to the private network

Which type of traffic is usually blocked when implementing a demilitarized zone? traffic that is returning from the public network and traveling to the DMZ network traffic originating from the private network and traveling to the DMZ network traffic originating from the DMZ network and traveling to the private network traffic that is returning from the DMZ network and traveling to the private network

These devices are more varied in type and are portable.

Why are traditional network security perimeters not suitable for the latest consumer-based network endpoint devices? These devices are not managed by the corporate IT department. These devices pose no risk to security as they are not directly connected to the corporate network. These devices connect to the corporate network through public wireless networks. These devices are more varied in type and are portable.

After an endpoint is breached, an attacker can gain access to other devices.

Why is it important to protect endpoints? After an endpoint is breached, an attacker can gain access to other devices. Endpoints are the starting point for VLAN attacks. Endpoints are susceptible to STP manipulation attacks that can disrupt the rest of the LAN. A breached endpoint gives a threat actor access to system configuration that can modify security policy.

Snort

Which tool can perform real-time traffic and port analysis, and can also detect port scans, fingerprinting and buffer overflow attacks? SIEM Nmap Snort Netflow

172.16.0.255 172.16.15.36

A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255. Which two IP addresses will match this ACL statement? (Choose two.) 172.16.0.255 172.16.15.36 172.16.16.12 172.16.31.24 172.16.65.21

message encryption message source validation

A network administrator is analyzing the features supported by the multiple versions of SNMP. What are two features that are supported by SNMPv3 but not by SNMPv1 or SNMPv2c? (Choose two.) message encryption community-based security SNMP trap mechanism message source validation bulk retrieval of MIB information

to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body

A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command? a. to check the destination MAC address in the Ethernet header against the MAC address table b. to check the destination MAC address in the Ethernet header against the user-configured ARP ACLs c. to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body d. to check the destination MAC address in the Ethernet header against the source MAC address in the ARP body

All point-to-point links between switches.

A network administrator uses the spanning-tree loopguard default global configuration command to enable Loop Guard on switches. What components in a LAN are protected with Loop Guard? All Root Guard enabled ports. All PortFast enabled ports. All point-to-point links between switches. All BPDU Guard enabled ports.

L0phtCrack

A network analyst is testing the security of the systems and networks of a corporation. What tool could be used to audit and recover passwords? L0phtCrack SuperScan Nessus Metasploit

integrity checker

A network analyst wants to monitor the activity of all new interns. Which type of security testing would track when the interns sign on and sign off the network? vulnerability scanning password cracking network scanning integrity checker

area 0 authentication message-digest ip ospf message-digest-key 1 md5 1A2b3C

A network engineer is implementing security on all company routers. Which two commands must be issued to force authentication via the password 1A2b3C for all OSPF-enabled interfaces in the backbone area of the company network? (Choose two.) area 0 authentication message-digest ip ospf message-digest-key 1 md5 1A2b3C username OSPF password 1A2b3C enable password 1A2b3C area 1 authentication message-digest

deny tcp any host 2001:db8:48:1c::50 eq 80 permit ipv6 any any ipv6 traffic-filter WebFilter in

A security specialist designs an ACL to deny access to a web server from all sales staff. The sales staff are assigned addressing from the IPv6 subnet 2001:db8:48:2c::/64. The web server is assigned the address 2001:db8:48:1c::50/64. Configuring the WebFilter ACL on the LAN interface for the sales staff will require which three commands? (Choose three.) permit tcp any host 2001:db8:48:1c::50 eq 80 deny tcp host 2001:db8:48:1c::50 any eq 80 deny tcp any host 2001:db8:48:1c::50 eq 80 permit ipv6 any any deny ipv6 any any ip access-group WebFilter in ipv6 traffic-filter WebFilter in

1. IKE Phase 1 2. IKE Phase 2 3. Config crypto map 4. Apply IPsec policy 5. Verify tunnel is operational

A site-to-site IPsec VPN is to be configured. Place the configuration steps in order. IKE Phase 1 IKE Phase 2 Config crypto map Apply IPsec policy Verify tunnel is operational

to create a CLI view named TECH-view

A student is learning about role-based views and role-based view configurations. The student enters the Router(config)# parser view TECH-view command. What is the purpose of this command? to create a CLI view named TECH-view to enter the superview named TECH-view to check the current setup of the CLI view named TECH-view to enter the CLI view named TECH-view

Router(config)# aaa new-model

A student is learning role-based CLI access and CLI view configurations. The student opens Packet Tracer and adds a router. Which command should be used first for creating a CLI view named TECH-View? Router# enable view Router(config)# aaa new-model Router# enable view TECH-view Router(config)# parser view TECH-view

It identifies the address of the RADIUS server and ports on the server used for RADIUS traffic.

A switch has the following command issued as part of an 802.1X deployment. address ipv4 10.1.1.50 auth-port 1812 acct-port 1813 What is the purpose of this command? It identifies the address of the default gateway and the ports used for traffic destined for remote networks. It identifies the address of the RADIUS server and ports on the server used for RADIUS traffic. It identifies the address of the RADIUS server and the ports used for EAPOL messages. It identifies the address of the switch to which the client connects and the ports used for the EAPOL messages.

Layer 2

At which layer of the OSI model does Spanning Tree Protocol operate? Layer 1 Layer 2 Layer 3 Layer 4

authorization

Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this? accessibility accounting auditing authentication authorization

to define the encryption and integrity algorithms that are used to build the IPsec tunnel

Consider the following configuration on a Cisco ASA: crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac What is the purpose of this command? to define the ISAKMP parameters that are used to establish the tunnel to define the encryption and integrity algorithms that are used to build the IPsec tunnel to define what traffic is allowed through and protected by the tunnel to define only the allowed encryption algorithms

determine the zones

Designing a ZPF requires several steps. Which step involves defining boundaries where traffic is subjected to policy restrictions as it crosses to another region of the network? determine the zones design the physical infrastructure identify subsets within zones and merge traffic requirements establish policies between zones

design the physical infrastructure

Designing a ZPF requires several steps. Which step involves dictating the number of devices between most-secure and least-secure zones and determining redundant devices? determine the zones design the physical infrastructure establish policies between zones identify subsets within zones and merge traffic requirements

by implementing DHCP snooping on trusted ports

How can DHCP spoofing attacks be mitigated? by disabling DTP negotiations on nontrunking ports by implementing port security by the application of the ip verify source command to untrusted ports by implementing DHCP snooping on trusted ports

drop

How does ZPF handle traffic between an interface that is a zone member and another interface that does not belong to any zone? inspect allow drop pass

Traffic is usually blocked when it is originating from the DMZ network and traveling to a private network.

How does a firewall handle traffic that is originating from the DMZ network and traveling to a private network? Traffic is usually blocked when it is originating from the DMZ network and traveling to a private network. Traffic is usually not filtered using firewall rules when it is originating from the DMZ network and traveling to a private network. Traffic is usually allowed when it is originating from the DMZ network and traveling to a private network. Traffic is allowed when it is originating from the private network, but the response traffic from the DMZ network will be blocked.

Traffic that is originating from the public network is usually blocked when traveling to the private network.

How does a firewall handle traffic when it is originating from the public network and traveling to the private network? Traffic that is originating from the public network is not inspected when traveling to the private network. Traffic that is originating from the public network is usually blocked when traveling to the private network. Traffic that is originating from the public network is usually permitted with little or no restrictions when traveling to the private network. Traffic that is originating from the public network is selectively permitted when traveling to the private network.

It can detect open TCP ports on network systems.

How does network scanning help assess operations security? It can detect open TCP ports on network systems. It can detect weak or blank passwords. It can simulate attacks from malicious sources. It can log abnormal activity.

New headers from one or more VPN protocols encapsulate the original packets.

How is "tunneling" accomplished in a VPN? New headers from one or more VPN protocols encapsulate the original packets. All packets between two hosts are assigned to a single physical medium to ensure that the packets are kept private. Packets are disguised to look like other types of traffic so that they will be ignored by potential attackers. A dedicated circuit is established between the source and destination devices for the duration of the connection.

permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap

If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice? permit ip any any permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap permit tcp 172.16.0.0 0.0.3.255 any established permit udp any any range 10000 20000 deny udp any host 172.16.1.5 eq snmptrap deny tcp any any eq telnet

the Layer 2 address with the lowest hexadecimal value

If two switches are configured with the same priority and the same extended system ID, what determines which switch becomes the root bridge? the lowest IP address the MAC address with the highest hexadecimal value the highest BID the Layer 2 address with the lowest hexadecimal value

end-user station

In an 802.1x deployment, which device is a supplicant? RADIUS server access point switch end-user station

to allow IPv6 to MAC address resolution

In the creation of an IPv6 ACL, what is the purpose of the implicit final command entries, permit icmp any any nd-na and permit icmp any any nd-ns? to allow forwarding of ICMPv6 packets to allow automatic address configuration to allow IPv6 to MAC address resolution to allow forwarding of IPv6 multicast packets

configuring class maps

In what step of zone-based policy firewall configuration is traffic identified for policy application? creating policy maps configuring class maps defining zones assigning policy maps to zones

traffic originating from the DMZ network going to the inside network traffic originating from the outside network going to the inside network

In which two instances will traffic be denied as it crosses the ASA 5505 device? (Choose two.) traffic originating from the inside network going to the DMZ network traffic originating from the inside network going to the outside network traffic originating from the outside network going to the DMZ network traffic originating from the DMZ network going to the inside network traffic originating from the outside network going to the inside network

traffic originating from the outside network going to the inside network traffic originating from the DMZ network going to the inside network

In which two instances will traffic be denied as it crosses the ASA 5506-X device? (Choose two.) traffic originating from the inside network going to the outside network traffic originating from the inside network going to the DMZ network traffic originating from the outside network going to the inside network traffic originating from the outside network going to the DMZ network traffic originating from the DMZ network going to the inside network

S0/0/0

Refer to the exhibit. A VPN tunnel is configured on the WAN between R1 and R2. On which R1 interface(s) would a crypto map be applied in order to create a VPN between R1 and R2? G0/0 and G0/1 G0/0 all R1 interfaces S0/0/0

permit tcp host 2001:DB8:CAFE:10::A 2001:DB8:CAFE:30::/64 eq 23 sequence 5

Refer to the exhibit. A network administrator created an IPv6 ACL to block the Telnet traffic from the 2001:DB8:CAFE:10::/64 network to the 2001:DB8:CAFE:30::/64 network. What is a command the administrator could use to allow only a single host 2001:DB8:CAFE:10::A/64 to telnet to the 2001:DB8:CAFE:30::/64 network? permit tcp 2001:DB8:CAFE:10::A/64 2001:DB8:CAFE:30::/64 eq 23 permit tcp 2001:DB8:CAFE:10::A/64 eq 23 2001:DB8:CAFE:30::/64 permit tcp host 2001:DB8:CAFE:10::A eq 23 2001:DB8:CAFE:30::/64 permit tcp host 2001:DB8:CAFE:10::A 2001:DB8:CAFE:30::/64 eq 23 sequence 5

The ASA will not allow traffic in either direction between the Inside interface and the DMZ.

Refer to the exhibit. A network administrator is configuring the security level for the ASA. Which statement describes the default result if the administrator tries to assign the Inside interface with the same security level as the DMZ interface? The ASA allows inbound traffic initiated on the Internet to the DMZ, but not to the Inside interface. The ASA console will display an error message. The ASA will not allow traffic in either direction between the Inside interface and the DMZ. The ASA allows traffic from the Inside to the DMZ, but blocks traffic initiated on the DMZ to the Inside interface.

It is a superview.

Refer to the exhibit. A student uses the show parser view all command to see a summary of all views configured on router R1. What is indicated by the symbol * next to JR-ADMIN? It is a root view. It is a CLI view without a command configured. It is a superview. It is a CLI view.

superview, containing SHOWVIEW and VERIFYVIEW views

Refer to the exhibit. Based on the output of the show running-config command, which type of view is SUPPORT? CLI view, containing SHOWVIEW and VERIFYVIEW commands superview, containing SHOWVIEW and VERIFYVIEW views secret view, with a level 5 encrypted password root view, with a level 5 encrypted secret password

Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.

Refer to the exhibit. Based on the security levels of the interfaces on the ASA, what statement correctly describes the flow of traffic allowed on the interfaces? Traffic that is sent from the LAN and the Internet to the DMZ is considered inbound. Traffic that is sent from the DMZ and the Internet to the LAN is considered outbound. Traffic that is sent from the LAN to the DMZ is considered inbound. Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.

This port is currently up. Security violations will cause this port to shut down immediately. The switch port mode for this interface is access mode.

Refer to the exhibit. The network administrator is configuring the port security feature on switch SWC. The administrator issued the command show port-security interface fa 0/2 to verify the configuration. What can be concluded from the output that is shown? (Choose three.) Three security violations have been detected on this interface. This port is currently up. The port is configured as a trunk link. Security violations will cause this port to shut down immediately. There is no device currently connected to this port. The switch port mode for this interface is access mode.

OSPF

Refer to the exhibit. What information in the syslog message identifies the facility? ADJCHG Loading Done OSPF level 5

R1 will attempt to match policy #1 with the most secure matching policy on R2.

Router R1 has configured ISAKMP policies numbered 1, 5, 9, and 203. Router R2 only has default policies. How will R1 attempt to negotiate the IKE Phase 1 ISAKMP tunnel with R2? R1 and R2 cannot match policies because the policy numbers are different. R1 will attempt to match policy #1 with the most secure matching policy on R2. R1 will try to match policy #203 with the most secure default policy on R2. R1 will begin to try to match policy #1 with policy #65514 on R2.

site-to-site VPN

Two corporations have just completed a merger. The network engineer has been asked to connect the two corporate networks without the expense of leased lines. Which solution would be the most cost effective method of providing a proper and secure connection between the two corporate networks? Cisco AnyConnect Secure Mobility Client with SSL Cisco Secure Mobility Clientless SSL VPN Frame Relay remote access VPN using IPsec site-to-site VPN

denylisting

Websites are rated based on the latest website reputation intelligence. Which endpoint security measure prevents endpoints from connecting to websites that have a bad rating? spam filtering DLP host-based IPS antimalware software denylisting

levels 2 through 14

What IOS privilege levels are available to assign for custom user-level privileges? levels 1 through 15 levels 0, 1, and 15 levels 2 through 14 levels 0 and 1

VLAN hopping

What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol? VLAN hopping DHCP spoofing ARP poisoning ARP spoofing

Disable automatic trunking negotiation.

What action can a network administrator take to help mitigate the threat of VLAN hopping attacks? Configure all switch ports to be members of VLAN 1. Enable PortFast on all switch ports. Disable automatic trunking negotiation. Disable VTP.

DHCP snooping

What additional security measure must be enabled along with IP Source Guard to protect against address spoofing? port security BPDU Guard DHCP snooping root guard

log pass alert

What are three actions that can be performed by Snort in IDS mode? (Choose three.) log drop sdrop pass alert reject

examines logs and events from systems and applications to detect security threats consolidates duplicate event data to minimize the volume of gathered data

What are three characteristics of SIEM? (Choose three.) can be implemented as software or as a service Microsoft port scanning tool designed for Windows examines logs and events from systems and applications to detect security threats consolidates duplicate event data to minimize the volume of gathered data uses penetration testing to determine most network vulnerabilities provides real-time reporting for short-term security event analysis

Commands cannot be configured for a superview. Deleting a superview does not delete the associated CLI views. A single CLI view can be shared within multiple superviews.

What are three characteristics of superviews in the Cisco role-based CLI access feature? (Choose three.) A user uses the command enable view superview-name to enter a superview. A user uses a superview to configure commands inside associated CLI views. Commands cannot be configured for a superview. Level 15 privilege access is used to configure a new superview. Deleting a superview does not delete the associated CLI views. A single CLI view can be shared within multiple superviews.

The interfaces of the ASA separate Layer 3 networks and require different IP addresses in different subnets. It is the traditional firewall deployment mode. NAT can be implemented between connected networks.

What are three characteristics of the ASA routed mode? (Choose three.) This mode is referred to as a "bump in the wire." In this mode, the ASA is invisible to an attacker. The interfaces of the ASA separate Layer 3 networks and require different IP addresses in different subnets. It is the traditional firewall deployment mode. This mode does not support VPNs, QoS, or DHCP Relay. NAT can be implemented between connected networks.

drop or prevent the activity allow the activity

What are two actions that an IPS can perform whenever a signature detects the activity for which it is configured? (Choose two.) disable the link reconverge the network drop or prevent the activity allow the activity restart the infected device

A firewall will sanitize protocol flow. A firewall will reduce security management complexity.

What are two benefits of implementing a firewall in a network? (Choose two.) A firewall will inspect network traffic and forward traffic based solely on the Layer 2 Ethernet MAC address. A firewall will sanitize protocol flow. A firewall will prevent unauthorized traffic from being tunneled or hidden as legitimate traffic through an enterprise network. A firewall will provide accessibility of applications and sensitive resources to external untrusted users. A firewall will reduce security management complexity.

Extended ACLs can filter on destination TCP and UDP ports. Extended ACLs can filter on source and destination IP addresses.

What are two characteristics of ACLs? (Choose two.) Extended ACLs can filter on destination TCP and UDP ports. Standard ACLs can filter on source TCP and UDP ports. Extended ACLs can filter on source and destination IP addresses. Standard ACLs can filter on source and destination IP addresses. Standard ACLs can filter on source and destination TCP and UDP ports.

uses connection information maintained in a state table analyzes traffic at Layers 3, 4 and 5 of the OSI model

What are two characteristics of a stateful firewall? (Choose two.) uses static packet filtering techniques uses connection information maintained in a state table analyzes traffic at Layers 3, 4 and 5 of the OSI model uses complex ACLs which can be difficult to configure prevents Layer 7 attacks

It requires the assistance of another network device to respond to an attack. It does not impact the flow of packets in forwarded traffic.

What are two characteristics of an IPS operating in promiscuous mode? (Choose two.) It can stop malicious traffic from reaching the intended target for all types of attacks. It sits directly in the path of the traffic flow. It requires the assistance of another network device to respond to an attack. It does not impact the flow of packets in forwarded traffic. It sends alerts and drops any malicious packets.

Performs most filtering and firewall control in software. Analyzes traffic at Layers 3, 4, 5 and 7 of the OSI model.

What are two characteristics of an application gateway firewall? (Choose two.) Provides an integrated intrusion prevention and detection feature. Performs most filtering and firewall control in software. Uses a simple policy table look-up to filter traffic based on Layer 3 and Layer 4 information. Analyzes traffic at Layers 3, 4, 5 and 7 of the OSI model. Uses connection information maintained in a state table and analyzes traffic at OSI Layers 3, 4, and 5.

It saves a secure copy of the primary image and device configuration that cannot be removed by a user. It minimizes the downtime of a device that has had the image and configuration deleted.

What are two characteristics of the Cisco IOS Resilient Configuration feature? (Choose two.) It maintains a mirror image of the configuration file in RAM. It sends a backup copy of the IOS image to a TFTP server. It saves a secure copy of the primary image and device configuration that cannot be removed by a user. It minimizes the downtime of a device that has had the image and configuration deleted. It is a universal feature that can be activated on all Cisco devices.

encryption of the password only the use of UDP ports for authentication and accounting

What are two characteristics of the RADIUS protocol? (Choose two.) encryption of the entire body of the packet encryption of the password only the use of UDP ports for authentication and accounting the separation of the authentication and authorization processes the use of TCP port 49

A stateless firewall will examine each packet individually while a stateful firewall observes the state of a connection. A stateful firewall will prevent spoofing by determining whether packets belong to an existing connection while a stateless firewall follows pre-configured rule sets.

What are two differences between stateful and stateless firewalls? (Choose two.) a. A stateless firewall is able to filter sessions that use dynamic port negotiations while a stateful firewall cannot. b. A stateless firewall will examine each packet individually while a stateful firewall observes the state of a connection. c. A stateless firewall will provide more logging information than a stateful firewall. d. A stateful firewall will prevent spoofing by determining whether packets belong to an existing connection while a stateless firewall follows pre-configured rule sets. e. A stateless firewall provides more stringent control over security than a stateful firewall.

host-based IPS antimalware software

What are two examples of traditional host-based security measures? (Choose two.) host-based IPS NAS 802.1X antimalware software host-based NAC

incident response security posture check

What are two main capabilities of a NAC system? (Choose two.) route filtering incident response DMZ protection security posture check administrative role assignment

A misconfigured firewall can create a single point of failure. Network performance can slow down.

What are two possible limitations of using a firewall in a network? (Choose two.) It provides accessibility of applications and sensitive resources to external untrusted users. It increases security management complexity by requiring off-loading network access control to the device. A misconfigured firewall can create a single point of failure. Network performance can slow down. It cannot sanitize protocol flows.

IP address and mask

What can be configured as part of a network object? interface type IP address and mask upper layer protocol source and destination MAC address

the lowest bridge ID

What determines which switch becomes the STP root bridge for a given VLAN? the highest priority the lowest bridge ID the highest MAC address the lowest IP address

the client that is requesting authentication

What device is considered a supplicant during the 802.1X authentication process? the router that is serving as the default gateway the authentication server that is performing client authentication the client that is requesting authentication the switch that is controlling network access

the state of packets related to the attack

What information must an IPS track in order to detect attacks matching a composite signature? the total number of packets in the attack the state of packets related to the attack the attacking period used by the attacker the network bandwidth consumed by all packets

ip address pppoe

What interface configuration command is used on an ASA to request an IP address from an upstream DSL device? ip address ip-address netmask ip address dhcp setroute dhcpd address IP_address1 [ -IP_address2 ] if_name ip address pppoe

a rule management application that can be used to automatically download Snort rule updates

What is PulledPork? an open source network IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks a centralized management tool to push the rule sets based on preconfigured policy, to Cisco routers a virtual service container that runs on the Cisco ISR router operating system a rule management application that can be used to automatically download Snort rule updates

it is available for free

What is a characteristic of the Community Rule Set type of Snort term-based subscriptions? it has 60-day delayed access to updated signatures it uses Cisco Talos to provide coverage in advance of exploits it is fully supported by Cisco it is available for free

It is available for a fee.

What is a characteristic of the Snort subscriber rule set term-based subscription? It is available for a fee. It provides 30-day delayed access to updated signatures. It focuses on reactive responses to security threats. It does not provide access to Cisco support.

it provides the lowest level of protection

What is a characteristic of the connectivity policy setting when configuring Snort threat protection? it attempts to balance network security with network performance it prioritizes security over connectivity it provides the lowest level of protection it enables the highest number of signatures to be verified

It can stop malicious packets.

What is a feature of an IPS? It has no impact on latency. It can stop malicious packets. It is deployed in offline mode. It is primarily focused on identifying possible incidents.

to encapsulate multiple OSI Layer 3 protocol packet types inside an IP tunnel

What is a function of the GRE protocol? to configure the set of encryption and hashing algorithms that will be used to transform the data sent through the IPsec tunnel to encapsulate multiple OSI Layer 3 protocol packet types inside an IP tunnel to configure the IPsec tunnel lifetime to provide encryption through the IPsec tunnel

a passive device that forwards all traffic and physical layer errors to an analysis device

What is a network tap? a Cisco technology that provides statistics on packets flowing through a router or multilayer switch a technology used to provide real-time reporting and long-term analysis of security events a feature supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device a passive device that forwards all traffic and physical layer errors to an analysis device

A command must be issued to enable the SCP server side functionality.

What is a requirement to use the Secure Copy Protocol feature? At least one user with privilege level 1 has to be configured for local authentication. A command must be issued to enable the SCP server side functionality. A transfer can only originate from SCP clients that are routers. The Telnet protocol has to be configured on the SCP server side.

It is a computer attack that exploits unreported software vulnerabilities.

What is a zero-day attack? It is an attack that results in no hosts able to connect to a network. It is an attack that has no impact on the network because the software vendor has mitigated the vulnerability. It is a computer attack that exploits unreported software vulnerabilities. It is a computer attack that occurs on the first day of the month.

It is a set of rules used to detect typical intrusive activity.

What is an IPS signature? It is the timestamp that is applied to logged security events and alarms. It is the authorization that is required to implement a security policy. It is a set of rules used to detect typical intrusive activity. It is a security script that is used to detect unknown threats.

HIPS protects critical system resources and monitors operating system processes.

What is an advantage of HIPS that is not provided by IDS? HIPS provides quick analysis of events through detailed logging. HIPS deploys sensors at network entry points and protects critical network segments. HIPS monitors network processes and protects critical files. HIPS protects critical system resources and monitors operating system processes.

It can stop trigger packets.

What is an advantage of using an IPS? It is installed outside of the data traffic flow. It does not impact network traffic if there is a sensor overload. It can stop trigger packets. It has no impact on network latency.

an installable version of a virtual machine

What is contained in an OVA file? a current compilation of known threats and prevention mechanisms an installable version of a virtual machine a list of atomic and composite signatures a set of rules for an IDS or IPS to detect intrusion activity

A legitimate network IP address is hijacked by a rogue node.

What is involved in an IP address spoofing attack? A rogue node replies to an ARP request with its own MAC address indicated for the target IP address. Bogus DHCPDISCOVER messages are sent to consume all the available IP addresses on a DHCP server. A rogue DHCP server provides false IP configuration parameters to legitimate DHCP clients. A legitimate network IP address is hijacked by a rogue node.

integrated use of an intrusion prevention system (IPS)

What is one benefit of using a next-generation firewall rather than a stateful firewall? reactive protection against Internet threats support of TCP-based packet filtering support of logging integrated use of an intrusion prevention system (IPS)

better performance

What is one benefit of using a stateful firewall instead of a proxy server? ability to perform user authentication better performance ability to perform packet filtering prevention of Layer 7 attacks

not as effective with UDP- or ICMP-based traffic

What is one limitation of a stateful firewall? a. weak user authentication b. cannot filter unnecessary traffic c. not as effective with UDP- or ICMP-based traffic d. poor log information

blocks the traffic flow or bypasses IPS checking in the event of an IPS engine failure

What is provided by the fail open and close functionality of Snort IPS? provides the ability to automatically disable problematic signatures that routinely cause false positives and pass traffic blocks the traffic flow or bypasses IPS checking in the event of an IPS engine failure keeps Snort current with the latest threat protection and term-based subscriptions keeps track of the health of the Snort engine that is running in the service container

The switch will forward all received frames to all other ports.

What is the behavior of a switch as a result of a successful CAM table attack? The switch will drop all received frames. The switch interfaces will transition to the error-disabled state. The switch will forward all received frames to all other ports. The switch will shut down.

Local implementation does not scale well.

What is the biggest issue with local implementation of AAA? Local implementation supports only TACACS+ servers. Local implementation cannot provide secure authentication. Local implementation does not scale well. Local implementation supports only RADIUS servers.

Create zones.

What is the first step in configuring a Cisco IOS zone-based policy firewall via the CLI? Define traffic classes. Assign router interfaces to zones. Define firewall policies. Assign policy maps to zone pairs. Create zones.

binding class maps with actions

What is the function of a policy map configuration when an ASA firewall is being configured? binding a service policy to an interface binding class maps with actions identifying interesting traffic using ACLs to match traffic

determining the feasibility and the potential consequences of a successful attack

What is the goal of network penetration testing? determining the feasibility and the potential consequences of a successful attack detecting potential weaknesses in systems detecting configuration changes on network systems detecting weak passwords

to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network

What is the goal of the Cisco NAC framework and the Cisco NAC appliance? to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network to monitor data from the company to the ISP in order to build a real-time database of current spam threats from both internal and external sources to provide anti-malware scanning at the network perimeter for both authenticated and non-authenticated devices to provide protection against a wide variety of web-based threats, including adware, phishing attacks, Trojan horses, and worms

Local AAA authentication provides a way to configure backup methods of authentication, but login local does not.

What is the one major difference between local AAA authentication and using the login local command when configuring device access authentication? The login local command requires the administrator to manually configure the usernames and passwords, but local AAA authentication does not. Local AAA authentication allows more than one user account to be configured, but login local does not. Local AAA authentication provides a way to configure backup methods of authentication, but login local does not. The login local command uses local usernames and passwords stored on the router, but local AAA authentication does not.

a promiscuous port

What is the only type of port that an isolated port can forward traffic to on a private VLAN? another isolated port any access port in the same PVLAN a community port a promiscuous port

control

What is the only type of traffic that is forwarded by a PVLAN protected port to other protected ports? broadcast control user management

limit authenticated user access to AAA client services

What is the primary function of the aaa authorization command? permit AAA server access to AAA client services limit authenticated user access to AAA client services permit authenticated user access to AAA client services limit AAA server access to AAA client services

management

What is the purpose of configuring an IP address on an ASA device in transparent mode? management routing NAT VPN connectivity

to assess configuration against established policies, recommended best practices, and compliance standards

What is the purpose of the Tripwire network testing tool? to perform vulnerability scanning to provide information about vulnerabilities and aid in penetration testing and IDS signature development to assess configuration against established policies, recommended best practices, and compliance standards to detect unauthorized wired network access to provide password auditing and recovery

All traffic is permitted.

What is the result in the self zone if a router is the source or destination of traffic? No traffic is permitted. All traffic is permitted. Only traffic that originates in the router is permitted. Only traffic that is destined for the router is permitted.

Legitimate clients are unable to lease IP addresses.

What is the result of a DHCP starvation attack? Legitimate clients are unable to lease IP addresses. Clients receive IP address assignments from a rogue DHCP server. The attacker provides incorrect DNS and default gateway information to clients. The IP addresses assigned to legitimate clients are hijacked.

Cisco Talos

What is the source for IPS rule updates when using a Cisco intrusion prevention service? Cisco Talos SIEM Security Onion Cisco.com

stateful packet inspection

What mechanism is used by an ASA device to allow inspected outbound traffic to return to the originating sender who is on an inside network? access control lists Network Address Translation security zones stateful packet inspection

Enable port security.

What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow? Disable STP. Enable port security. Disable DTP. Place unused ports in an unused VLAN.

DHCP starvation

What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease? DHCP starvation DHCP spoofing CAM table attack IP address spoofing

SPAN

What network monitoring tool can be used to copy packets moving through one port, and send those copies to another port for analysis? SPAN syslog NAC SNMP

access-list 10 permit 192.168.16.0 0.0.3.255

What single access list statement matches all of the following networks? 192.168.16.0 192.168.17.0 192.168.18.0 192.168.19.0 access-list 10 permit 192.168.16.0 0.0.3.255 access-list 10 permit 192.168.16.0 0.0.0.255 access-list 10 permit 192.168.16.0 0.0.15.255 access-list 10 permit 192.168.0.0 0.0.15.255

normal traffic that is correctly being ignored and forwarded

What situation will generate a true negative IPS alarm type? normal traffic that generates a false alarm a verified security incident that is detected a known attack that is not detected normal traffic that is correctly being ignored and forwarded

IPsec security associations are exchanged.

What takes place during IKE Phase 2 when establishing an IPsec VPN? Traffic is exchanged between IPsec peers. IPsec security associations are exchanged. ISAKMP security associations are exchanged. Interesting traffic is identified.

IKE

What technology is used to negotiate security associations and calculate shared keys for an IPsec VPN tunnel? PSK SHA 3DES IKE

signature

What term describes a set of rules used by an IDS or IPS to detect typical intrusion activity? event file trigger signature definition

Zenmap

What testing tool is available for network administrators who need a GUI version of Nmap? SuperScan SIEM Nessus Zenmap

IP phones switches

What two internal LAN elements need to be secured? (Choose two.) edge routers IP phones fiber connections switches cloud-based hosts

They include two implicit permit statements by default. They use prefix lengths to indicate how much of an address to match.

What two statements describe characteristics of IPv6 access control lists? (Choose two.) They permit ICMPv6 router advertisements by default. They can be named or numbered. They include two implicit permit statements by default. They are applied to an interface with the ip access-group command. They use prefix lengths to indicate how much of an address to match.

Remove the inbound/outbound reference to the ACL from the interface. Use the no access-list command to remove the entire ACL.

What two steps provide the quickest way to completely remove an ACL from a router? (Choose two.) Removal of the ACEs is the only step required. Modify the number of the ACL so that it doesn't match the ACL associated with the interface. Copy the ACL into a text editor, add no before each ACE, then copy the ACL back into the router. Remove the inbound/outbound reference to the ACL from the interface. Use the no access-list command to remove the entire ACL. Use the no keyword and the sequence number of every ACE within the named ACL to be removed.

outbound messages

What type of data does the DLP feature of Cisco Email Security Appliance scan in order to prevent customer data from being leaked outside of the company? inbound messages outbound messages messages stored on a client device messages stored on the email server

IPsec only supports unicast traffic.

What type of traffic is supported by IPsec? IPsec supports all IPv4 traffic. IPsec supports layer 2 multicast traffic. IPsec supports all traffic permitted through an ACL. IPsec only supports unicast traffic.

pass inspect drop

When a Cisco IOS zone-based policy firewall is being configured, which three actions can be applied to a traffic class? (Choose three.) pass shape reroute queue inspect drop

drop inspect

When a Cisco IOS zone-based policy firewall is being configured, which two actions can be applied to a traffic class? (Choose two.) forward copy drop inspect log hold

Traffic must match all of the match criteria specified in the statement.

When configuring a class map for a zone-based policy firewall, how is the match criteria applied when using the match-all parameter? Traffic must match all of the criteria solely defined by ACLs. Traffic must match at least one of the match criteria statements. Traffic must match all of the match criteria specified in the statement. Traffic must match the first criteria in the statement.

security level name

When configuring interfaces on an ASA, which two pieces of information must be included? (Choose two.) group association service level FirePower version security level access list name

remark

When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device? remark description established eq

Traffic between interfaces in the same zone is not subject to any policy and passes freely.

When implementing a ZPF, what is the default security setting when forwarding traffic between two interfaces in the same zone? a. Traffic between interfaces in the same zone is selectively forwarded based on Layer 3 information. b. Traffic between interfaces in the same zone is not subject to any policy and passes freely. c. Traffic between interfaces in the same zone is blocked. d. Traffic between interfaces in the same zone is selectively forwarded based on the default policy restrictions.

A zone is a group of one or more interfaces that have similar functions or features.

When implementing a ZPF, which statement describes a zone? A zone is a group of hardened computers known as bastion hosts. A zone is a group of one or more devices that provide backup and disaster recovery mechanisms. A zone is a group of administrative devices that protect against rogue access point installations. A zone is a group of one or more interfaces that have similar functions or features.

to bind the interface to the ISAKMP policy

When the CLI is used to configure an ISR for a site-to-site VPN connection, what is the purpose of the crypto map command in interface configuration mode? to configure the transform set to bind the interface to the ISAKMP policy to force IKE Phase 1 negotiations to begin to negotiate the SA policy

the switch that the client is connected to

When using 802.1X authentication, what device controls physical access to the network, based on the authentication status of the client? the authentication server the router that is serving as the default gateway the supplicant the switch that the client is connected to

to a zone pair

When using Cisco IOS zone-based policy firewall, where is the inspection policy applied? to a global service policy to a zone to an interface to a zone pair

when an organization needs to control the port authorization state on a switch

When would the authentication port-control command be used during an 802.1X implementation? when a client has sent an EAPOL-logoff message when the authentication server is located at another location and cannot be reached when the authentication server is located in the cloud when an organization needs to control the port authorization state on a switch

WSA (The Cisco Web Security Appliance)

Which Cisco appliance can be used to filter network traffic contents to report and deny traffic based on the web server reputation? ASA AVC ESA WSA

IP Source Guard

Which Cisco solution helps prevent MAC and IP address spoofing attacks? Port Security DHCP Snooping IP Source Guard Dynamic ARP Inspection

honey pot-based detection

Which IPS signature trigger category uses a decoy server to divert attacks away from production devices? honey pot-based detection policy-based detection pattern-based detection anomaly-based detection

Pattern-Based Detection

Which IPS signature trigger category uses the simplest triggering mechanism and searches for a specific and pre-defined atomic or composite pattern? Pattern-Based Detection Honey Pot-Based Detection Policy-Based Detection Anomaly-Based Detection

local AAA

Which authentication method stores usernames and passwords in the router and is ideal for small networks? server-based AAA over TACACS+ local AAA over RADIUS server-based AAA local AAA over TACACS+ local AAA server-based AAA over RADIUS

true positive

Which classification indicates that an alert is verified as an actual security incident? false positive true positive false negative true negative

aaa authentication dot1x

Which command is used as part of the 802.1X configuration to designate the authentication method that will be used? dot1x system-auth-control aaa authentication dot1x aaa new-model dot1x pae authenticator

aaa new-model

Which command is used to enable AAA as part of the 802.1X configuration process on a Cisco device? aaa new-model dot1x pae authenticator dot1x system-auth-control aaa authentication dot1x

router(config)# privilege exec level 14 show access-lists

Which command will move the show access-lists command to privilege level 14? router(config)# privilege level 14 command show access-lists router(config)# privilege exec level 14 show access-lists router(config)# set privilege level 14 show access-lists router(config)# show access-lists privilege level 14

Cisco FirePOWER NGIPS

Which device is a dedicated inline threat prevention appliance that is effective against both known and unknown threats? Cisco IOS IPS Cisco ASA Cisco Snort IPS Cisco FirePOWER NGIPS

RADIUS server

Which device is used as the authentication server in an 802.1X implementation? wireless router Ethernet switch access point RADIUS server

host-based firewall

Which host-based security measure is used to restrict incoming and outgoing connections? host-based firewall antivirus/antimalware software host-based IPS rootkit

Cisco IOS IPS

Which intrusion prevention service was available on first-generation ISR routers and is no longer supported by Cisco? Cisco IOS IPS Cisco Firepower Next-Generation External Snort IPS Server Cisco Snort IPS

It requires a VPN gateway at each end of the tunnel to encrypt and decrypt traffic.

Which is a requirement of a site-to-site VPN? It requires hosts to use VPN client software to encapsulate traffic. It requires the placement of a VPN server at the edge of the company network. It requires a VPN gateway at each end of the tunnel to encrypt and decrypt traffic. It requires a client/server architecture.

a purchased Security Plus upgrade license

Which license provides up to 50 IPsec VPN users on an ASA 5506-X device? the most commonly pre-installed Base license a purchased Security Plus upgrade license a purchased Base license a purchased AnyConnect Premium license

Traffic exiting and entering a switch is copied to a network monitoring device.

Which network monitoring capability is provided by using SPAN? Statistics on packets flowing through Cisco routers and multilayer switches can be captured. Traffic exiting and entering a switch is copied to a network monitoring device. Real-time reporting and long-term analysis of security events are enabled. Network analysts are able to access network device log files and to monitor network behavior.

IDS

Which network monitoring technology passively monitors network traffic to detect attacks? IDS TAP RSPAN IPS

network tap

Which network technology uses a passive splitting device that forwards all traffic, including Layer 1 errors, to an analysis device? IDS network tap SNMP NetFlow

Snort IPS

Which open source network monitoring technology performs real-time traffic analysis and generates alerts when threats are detected on IP networks? Snort IPS RSPAN SPAN IOS IPS

level 15

Which privilege level is predefined for the privileged EXEC mode? level 0 level 1 level 15 level 16

Enable DHCP snooping on selected VLANs.

Which procedure is recommended to mitigate the chances of ARP spoofing? Enable DHCP snooping on selected VLANs. Enable IP Source Guard on trusted ports. Enable DAI on the management VLAN. Enable port security globally.

GRE

Which protocol creates a virtual point-to-point connection to tunnel unencrypted traffic between Cisco routers from a variety of protocols? IKE IPsec OSPF GRE

SSH

Which protocol should be used to mitigate the vulnerability of using Telnet to remotely manage network devices? SNMP TFTP SSH SCP

sdrop

Which rule action will cause Snort IPS to block a packet without logging it? sdrop drop alert reject

port-based network access control

Which security service is provided by 802.1x? malware analysis of files malware analysis and protection across the full attack continuum protection against emerging threats for Cisco products port-based network access control

IPsec is a framework of open standards that relies on existing algorithms.

Which statement accurately describes a characteristic of IPsec? IPsec works at the application layer and protects all application data. IPsec is a framework of standards developed by Cisco that relies on OSI algorithms. IPsec is a framework of proprietary standards that depend on Cisco specific algorithms. IPsec works at the transport layer and protects data at the network layer. IPsec is a framework of open standards that relies on existing algorithms.

The VPG0 interface must have a routable address with access to the internet.

Which statement correctly describes the configuration of a Snort VPG interface? The VPG0 interface must have a routable address with access to the internet. The VPG1 interface must be configured with a public IP address. The VPG1 interface must use a routable static IP address. The VPG1 interface must receive an address from DHCP.

The pass action works in only one direction.

Which statement describes Cisco IOS Zone-Based Policy Firewall operation? The pass action works in only one direction. Router management interfaces must be manually assigned to the self zone. A router interface can belong to multiple zones. Service policies are applied in interface configuration mode.

A zone must be configured with the zone security global command before it can be used in the zone-member security command.

Which statement describes a factor to be considered when configuring a zone-based policy firewall? The classic firewall ip inspect command can coexist with ZPF as long as it is used on interfaces that are in the same security zones. The router always filters the traffic between interfaces in the same zone. A zone must be configured with the zone security global command before it can be used in the zone-member security command. An interface can belong to multiple zones.

It does not depend on ACLs.

Which statement describes a feature of a zone-based policy firewall? All traffic through a given interface is subject to the same inspection. It uses a flat, non-hierarchical data structure making it easier to configure and troubleshoot. The router security posture is to allow traffic unless explicitly blocked. It does not depend on ACLs.

Traffic that originates from the DMZ interface is selectively permitted to the outside interface.

Which statement describes a typical security policy for a DMZ firewall configuration? a. Traffic that originates from the DMZ interface is selectively permitted to the outside interface. b. Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface. c. Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface. d. Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface. e. Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with few or no restrictions.

By default, traffic is allowed to flow among interfaces that are members of the same zone.

Which statement describes one of the rules that govern interface behavior in the context of implementing a zone-based policy firewall configuration? An administrator can assign interfaces to zones, regardless of whether the zone has been configured. By default, traffic is allowed to flow between a zone member interface and any interface that is not a zone member. An administrator can assign an interface to multiple security zones. By default, traffic is allowed to flow among interfaces that are members of the same zone.

It treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN.

Which statement describes the behavior of a switch when the MAC address table is full? It treats frames as unknown unicast and floods all incoming frames to all ports on the switch. It treats frames as unknown unicast and floods all incoming frames to all ports within the collision domain. It treats frames as unknown unicast and floods all incoming frames to all ports across multiple switches. It treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN.

The longer the key, the more key possibilities exist.

Which statement describes the effect of key length in deterring an attacker from hacking through an encryption key? The length of a key does not affect the degree of security. The shorter the key, the harder it is to break. The length of a key will not vary between encryption algorithms. The longer the key, the more key possibilities exist.

It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device.

Which statement describes the function of the SPAN tool used in a Cisco switch? It is a secure channel for a switch to send logging to a syslog server. It provides interconnection between VLANs over multiple switches. It supports the SNMP trap operation on a switch. It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device.

They are susceptible to IP spoofing.

Which statement is a characteristic of a packet filtering firewall? They filter fragmented packets. They have a high impact on network performance. They are susceptible to IP spoofing. They examine each packet in the context of the state of a connection.

Configure the key exactly the same way on the server and the router.

Which task is necessary to encrypt the transfer of data between the ACS server and the AAA-enabled router? Configure the key exactly the same way on the server and the router. Specify the single-connection keyword. Create a VPN tunnel between the server and the router. Use identical reserved ports on the server and the router.

authenticator

Which term describes the role of a Cisco switch in the 802.1X port-based access control? agent supplicant authenticator authentication server

content of a security banner enable secret password enable password

Which three items are prompted for a user response during interactive AutoSecure setup? (Choose three.) IP addresses of interfaces content of a security banner enable secret password services to disable enable password interfaces to enable

Layer 3 Layer 4 Layer 5

Which three layers of the OSI model include information that is commonly inspected by a stateful firewall? (Choose three.) Layer 1 Layer 7 Layer 3 Layer 4 Layer 5 Layer 2

An implicit deny any rejects any packet that does not match any ACE. A packet can either be rejected or forwarded as directed by the ACE that is matched. Each statement is checked only until a match is detected or until the end of the ACE list.

Which three statements describe ACL processing of packets? (Choose three.) An implicit deny any rejects any packet that does not match any ACE. A packet can either be rejected or forwarded as directed by the ACE that is matched. A packet that has been denied by one ACE can be permitted by a subsequent ACE. A packet that does not match the conditions of any ACE will be forwarded by default. Each statement is checked only until a match is detected or until the end of the ACE list. Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made.

a. To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone. b. If traffic is to flow between all interfaces in a router, each interface must be a member of a zone. e. Pass, inspect, and drop options can only be applied between two zones.

Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.) a. To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone. b. If traffic is to flow between all interfaces in a router, each interface must be a member of a zone. c. Interfaces can be assigned to a zone before the zone is created. d. An interface can be assigned to multiple security zones. Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone. e. Pass, inspect, and drop options can only be applied between two zones.

Port Security DHCP Snooping

Which two Cisco solutions help prevent DHCP starvation attacks? (Choose two.) Port Security DHCP Snooping Web Security Appliance Dynamic ARP Inspection IP Source Guard

1812 1645

Which two UDP port numbers may be used for server-based AAA RADIUS authentication? (Choose two.) 1812 1645 1813 1646 49

Both include an implicit deny as a final statement. Both can be created by using either a descriptive name or number.

Which two characteristics are shared by both standard and extended ACLs? (Choose two.) Both kinds of ACLs can filter based on protocol type. Both can permit or deny specific services by port number. Both include an implicit deny as a final statement. Both filter packets for a specific destination host IP address. Both can be created by using either a descriptive name or number.

host any

Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.) most host all any some gt

access list number between 1 and 99 source address and wildcard mask

Which two pieces of information are required when creating a standard access control list? (Choose two.) access list number between 1 and 99 source address and wildcard mask destination address and wildcard mask subnet mask and wildcard mask access list number between 100 and 199

promiscuous ports community ports belonging to the same community

Which two ports can send and receive Layer 2 traffic from a community port on a PVLAN? (Choose two.) community ports belonging to other communities promiscuous ports isolated ports within the same community PVLAN edge protected ports community ports belonging to the same community

UDP ICMP

Which two protocols are stateless and do not generate connection information needed to build a state table? (Choose two.) TCP HTTP UDP FTP ICMP

If neither interface is a zone member, then the action is to pass traffic. If both interfaces are members of the same zone, all traffic will be passed.

Which two rules about interfaces are valid when implementing a Zone-Based Policy Firewall? (Choose two.) If neither interface is a zone member, then the action is to pass traffic. If one interface is a zone member, but the other is not, all traffic will be passed. If both interfaces belong to the same zone-pair and a policy exists, all traffic will be passed. If both interfaces are members of the same zone, all traffic will be passed. If one interface is a zone member and a zone-pair exists, all traffic will be passed.

A mobile sales agent is connecting to the company network via the Internet connection at a hotel. An employee who is working from home uses VPN client software on a laptop in order to connect to the company network.

Which two scenarios are examples of remote access VPNs? (Choose two.) All users at a large branch office can access company resources through a single VPN connection. A small branch office with three employees has a Cisco ASA that is used to create a VPN connection to the HQ. A toy manufacturer has a permanent VPN connection to one of its parts suppliers. A mobile sales agent is connecting to the company network via the Internet connection at a hotel. An employee who is working from home uses VPN client software on a laptop in order to connect to the company network.

It may require VPN client software on hosts. It is used to connect individual hosts securely to a company network over the Internet.

Which two statements describe a remote access VPN? (Choose two.) It may require VPN client software on hosts. It requires hosts to send TCP/IP traffic through a VPN gateway. It connects entire networks to each other. It is used to connect individual hosts securely to a company network over the Internet. It requires static configuration of the VPN tunnel.

AH uses IP protocol 51. AH provides integrity and authentication.

Which two statements describe the IPsec protocol framework? (Choose two.) AH uses IP protocol 51. AH provides integrity and authentication. AH provides encryption and integrity. ESP uses UDP protocol 51. AH provides both authentication and encryption.

The IOS Classic Firewall and ZPF cannot be combined on a single interface. IOS Classic Firewalls and ZPF models can be enabled on a router concurrently. Concurrently and single interface

Which two statements describe the two configuration models for Cisco IOS firewalls? (Choose two.) ZPF must be enabled in the router configuration before enabling an IOS Classic Firewall. The IOS Classic Firewall and ZPF cannot be combined on a single interface. IOS Classic Firewalls and ZPF models can be enabled on a router concurrently. Both IOS Classic Firewall and ZPF models require ACLs to define traffic filtering policies. IOS Classic Firewalls must be enabled in the router configuration before enabling ZPF.

private IP addresses any IP address that starts with the number 127

Which two types of addresses should be denied inbound on a router interface that attaches to the Internet? (Choose two.) private IP addresses any IP address that starts with the number 127 any IP address that starts with the number 1 NAT translated IP addresses public IP addresses

stateless firewall

Which type of firewall generally has a low impact on network performance? next generation firewall application gateway firewall stateful firewall stateless firewall

packet filtering firewall

Which type of firewall is commonly part of a router firewall and allows or blocks traffic based on Layer 3 or 4 information? next generation firewall stateful firewall packet filtering firewall proxy firewall

packet filtering firewall

Which type of firewall is supported by most routers and is the easiest to implement? packet filtering firewall next generation firewall stateful firewall application gateway firewall

application gateway firewall

Which type of firewall makes use of a proxy server to connect to remote servers on behalf of clients? stateful firewall stateless firewall packet filtering firewall application gateway firewall

show interface ip brief

Refer to the exhibit. A network administrator is verifying the security configuration of an ASA. Which command produces the exhibited output? show vlan show ip interface brief show interface ip brief show switch vlan

Snort rule set pull

Which Snort IPS feature enables a router to download rule sets directly from cisco.com or snort.org? Snort rule set pull Signature allowed listing Snort rule set push Snort rule set updates

K9 license

What is a minimum system requirement to activate Snort IPS functionality on a Cisco router? at least 4 GB RAM at least 4 GB flash ISR 2900 or higher K9 license

unauthorized

A company implements 802.1X security on the corporate network. A PC is attached to the network but has not authenticated yet. Which 802.1X state is associated with this PC? err-disabled disabled unauthorized forwarding

MAC address table overflow

A cybersecurity analyst is using the macof tool to evaluate configurations of switches deployed in the backbone network of an organization. Which type of LAN attack is the analyst targeting during this evaluation? VLAN hopping MAC address table overflow DHCP spoofing VLAN double-tagging

It checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.

A network administrator is configuring DAI on a switch with the command ip arp inspection validate src-mac. What is the purpose of this configuration command? It checks the source MAC address in the Ethernet header against the user-configured ARP ACLs. It checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. It checks the source MAC address in the Ethernet header against the target MAC address in the ARP body. It checks the source MAC address in the Ethernet header against the MAC address table.

encryption for all communication separate processes for authentication and authorization

A network administrator is configuring an AAA server to manage TACACS+ authentication. What are two attributes of TACACS+ authentication? (Choose two.) TCP port 40 encryption for all communication single process for authentication and authorization UDP port 1645 encryption for only the password of a user separate processes for authentication and authorization

false positive

A network administrator is trying to download a valid file from an internal server. However, the process triggers an alert on a NMS tool. What condition describes this alert? false negative false positive true negative true positive

authorized

A port has been configured for the 802.1X protocol and the client has successfully authenticated. Which 802.1X state is associated with this PC? up authorized enabled forwarding

supplicant (client) authenticator (switch)

An 802.1X client must authenticate before being allowed to pass data traffic onto the network. During the authentication process, between which two devices is the EAP data encapsulated into EAPOL frames? (Choose two.) data nonrepudiation server authentication server (TACACS) supplicant (client) authenticator (switch) ASA Firewall

privilege exec level 2

An administrator needs to create a user account with custom access to most privileged EXEC commands. Which privilege command is used to create this custom account? privilege exec level 15 privilege exec level 0 privilege exec level 1 privilege exec level 2

the router itself, including all interfaces with assigned IP addresses

In ZPF design, what is described as the self zone? a predefined cluster of routers with configured interfaces a predefined cluster of servers with configured interfaces the outward facing interface on the edge router the router itself, including all interfaces with assigned IP addresses

SHA

Refer to the exhibit. What HMAC algorithm is being used to provide data integrity? MD5 AES SHA DH

Any TCP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network if it is in response to an originated request.

Refer to the exhibit. What is the result of adding the established argument to the end of the ACE? Any traffic is allowed to reach the 192.168.254.0 255.255.254.0 network. Any IP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network as long as it is in response to an originated request. 192.168.254.0 /23 traffic is allowed to reach any network. Any TCP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network if it is in response to an originated request.

dynamic PAT

Refer to the exhibit. What kind of NAT is configured on the ASA device? dynamic NAT Twice NAT dynamic PAT static NAT

show version

Refer to the exhibit. What show command displays whether the securityk9 software is installed on the router and whether the EULA license has been activated? show running-config show version show interfaces s0/0/0 show crypto isakmp policy 1

The router is attached to a stratum 2 device. The IP address of the time source for the router is 192.168.1.1.

Refer to the exhibit. What two statements describe the NTP status of the router? (Choose two.) The router is serving as an authoritative time source. The software clock for the router must be configured with the set clock command so that NTP will function properly. The router is attached to a stratum 2 device. The router is serving as a time source for the device at 192.168.1.1. The IP address of the time source for the router is 192.168.1.1.
