
210-260.exam

Number : 210-260 Passing Score : 800 Time Limit : 120 min File Version : 1.0

http://www.gratisexam.com/

Cisco

210-260

Implementing Cisco Network Security

Version 1.0

Exam A

QUESTION 1 The Serial 0/0 interfaces on Router1 and Router2 are directly connected on the 192.168.51.48/30 network. You issue the following commands on Router1:

interface serial 0/0
 ip ospf message-digest-key 1 md5 b0s0n
router ospf 1
 router-id 1.1.1.1
 network 10.10.10.0 0.0.0.255 area 1
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication

You issue the following commands on Router2:

interface serial 0/0
 ip ospf authentication-key b0s0n
router ospf 2
 router-id 2.2.2.2
 network 10.10.20.0 0.0.0.255 area 2
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication

Router1 and Router2 do not form an OSPF adjacency.

Which of the following is most likely the problem? (Select the best answer.)

A. an OSPF area mismatch
B. an OSPF authentication mismatch
C. an OSPF process ID mismatch
D. an OSPF router ID mismatch

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: Of the available choices, an authentication mismatch is most likely the cause of the problem in this scenario. Either a mismatched authentication key or a mismatched authentication type will prevent two Open Shortest Path First (OSPF) routers from forming an adjacency. In this scenario, the Serial 0/0 interface on Router1 is configured with a Message Digest 5 (MD5) authentication key of b0s0n, whereas the Serial 0/0 interface on Router2 is configured with a plaintext authentication key of b0s0n. Note also that the area 0 authentication command on Router1 was issued without the message-digest keyword, so area 0 on Router1 is actually enabled for plaintext authentication; because no ip ospf authentication-key is configured on its Serial 0/0 interface, Router1 sends Hellos with an empty plaintext password, which Router2 rejects. To use the MD5 key, Router1 would need area 0 authentication message-digest (or ip ospf authentication message-digest on the interface), and Router2 would need the same MD5 key ID and key value. With matching authentication type and key on both Serial 0/0 interfaces, OSPF authentication would succeed and an adjacency would form.

A mismatched process ID will not prevent an OSPF router from establishing an adjacency with a neighbor. An OSPF process ID identifies the OSPF process only to the local router. In this scenario, the router ospf 1 command has been issued on Router1, which configures Router1 with an OSPF process ID of 1. The router ospf 2 command has been issued on Router2, which configures Router2 with an OSPF process ID of 2. An OSPF area mismatch is not the reason that Router1 and Router2 do not form an adjacency in this scenario. In order to establish an adjacency, OSPF routers must be configured with the same area ID, Hello timer value, Dead timer value, and authentication settings. In this scenario, the Serial 0/0 interface on Router1 has been configured to operate in area 0, which is also known as the backbone area. Similarly, the Serial 0/0 interface on Router2 has been configured to operate in area 0. OSPF router IDs should never match between routers. A router ID is a unique 32-bit identifier that resembles an IP address. A router ID conflict could cause routers to not form an adjacency. If you do not manually configure a router ID on an OSPF router, then the router ID is the highest IP address configured among loopback interfaces on the router, even if a physical interface is configured with a higher IP address. Cisco recommends using a loopback interface rather than a physical interface for the router ID; a loopback interface is never in the down state, so OSPF is considered more stable when the router ID is taken from the IP address of a loopback interface. In this scenario, the router IDs on Router1 and Router2 have been manually configured by using the router-id ip-address command. Reference: Cisco: Sample Configuration for Authentication in OSPF: Configurations for Plain Text Authentication
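Added example, not part of the exam material: a small Python checker that derives the effective OSPF authentication type and key for an interface from IOS-style configuration text and compares two neighbours. The two configurations below are transcribed from the question; the area an interface belongs to is passed in by the caller rather than derived from the network statements, and only the authentication-related commands are interpreted.

```python
import re


def parse_sections(config):
    """Split IOS-style config text into (header, [subcommands]) blocks.
    Indented lines belong to the preceding unindented line."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def effective_ospf_auth(config, ifname, area):
    """Return (auth_type, keys) that an interface will use in its OSPF packets.

    auth_type is 'null', 'simple' or 'md5'. keys is None for null, the plaintext
    password (None if none was set) for simple, and a {key-id: key} dict for md5.
    'area N authentication [message-digest]' sets the type for the area; an
    interface-level 'ip ospf authentication [...]' command overrides it.
    """
    area_type, iface_type, simple_key, md5_keys = "null", None, None, {}
    for header, cmds in parse_sections(config):
        if header.lower().startswith("router ospf"):
            for cmd in cmds:
                m = re.fullmatch(r"area (\S+) authentication( message-digest)?", cmd)
                if m and m.group(1) == area:
                    area_type = "md5" if m.group(2) else "simple"
        elif header.lower() == f"interface {ifname}".lower():
            for cmd in cmds:
                m = re.fullmatch(r"ip ospf authentication-key (\S+)", cmd)
                if m:
                    simple_key = m.group(1)
                    continue
                m = re.fullmatch(r"ip ospf message-digest-key (\d+) md5 (\S+)", cmd)
                if m:
                    md5_keys[int(m.group(1))] = m.group(2)
                    continue
                m = re.fullmatch(r"ip ospf authentication(?: (message-digest|null))?", cmd)
                if m:
                    iface_type = {None: "simple", "message-digest": "md5", "null": "null"}[m.group(1)]
    auth_type = iface_type or area_type
    if auth_type == "simple":
        return auth_type, simple_key
    if auth_type == "md5":
        return auth_type, md5_keys
    return auth_type, None


def diagnose(auth_a, auth_b):
    """Explain why two neighbours' authentication settings do or do not agree."""
    type_a, keys_a = auth_a
    type_b, keys_b = auth_b
    if type_a != type_b:
        return f"authentication type mismatch ({type_a} vs {type_b})"
    if type_a == "null":
        return "match (no authentication)"
    if type_a == "simple":
        return "match" if keys_a == keys_b else "simple password mismatch"
    # MD5: the neighbours need at least one key ID with the same key value.
    shared = {k for k in keys_a if k in keys_b and keys_a[k] == keys_b[k]}
    return "match" if shared else "no MD5 key ID/value in common"


# Constructed input, transcribed from the question above.
ROUTER1 = """
interface serial 0/0
 ip ospf message-digest-key 1 md5 b0s0n
router ospf 1
 router-id 1.1.1.1
 network 10.10.10.0 0.0.0.255 area 1
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication
"""
ROUTER2 = """
interface serial 0/0
 ip ospf authentication-key b0s0n
router ospf 2
 router-id 2.2.2.2
 network 10.10.20.0 0.0.0.255 area 2
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication
"""

if __name__ == "__main__":
    a = effective_ospf_auth(ROUTER1, "serial 0/0", "0")
    b = effective_ospf_auth(ROUTER2, "serial 0/0", "0")
    print("Router1:", a)
    print("Router2:", b)
    print("Result:", diagnose(a, b))
```

Run as written, the checker reports that both routers end up in simple-password mode (Router1's MD5 key is never used because its area 0 authentication command lacks message-digest) and that the passwords differ; adding message-digest on Router1 turns the finding into a type mismatch, and configuring the same MD5 key on Router2 makes the two sides agree.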

QUESTION 2 In which of the following authentication protocols is support for TLS 1.2 specifically required? (Select the best answer.)


A. EAP-FASTv1
B. EAP-FASTv2
C. EAP-MD5
D. EAP-TLS
E. EAP-PEAP

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: Of the available choices, only Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling Version 2 (EAP-FASTv2) specifically requires support for Transport Layer Security (TLS) 1.2. EAP-FAST is an authentication protocol that can be used for point-to-point connections and for both wired and wireless links. EAP-FAST Version 1 (EAP-FASTv1) supported TLS 1.0 and higher. EAP-FASTv2 makes support for TLS 1.2 mandatory, which gives EAP-FASTv2 access to stronger cipher suites than EAP-FASTv1. EAP-Transport Layer Security (EAP-TLS) does not specifically require support for TLS 1.2, although EAP-TLS is designed to work with TLS 1.0 and higher. EAP-TLS is an Internet Engineering Task Force (IETF) standard that is defined in Request for Comments (RFC) 5216. Protected EAP (PEAP) does not specifically require support for TLS 1.2. PEAP is an open standard developed by Cisco, Microsoft, and RSA Security. PEAP and other TLS-based EAP methods, such as EAP-TLS and EAP-Tunneled TLS (EAP-TTLS), have replaced Lightweight EAP (LEAP). PEAP supports TLS 1.0 and higher. EAP Message Digest 5 (EAP-MD5) does not specifically require support for TLS 1.2. EAP-MD5 uses an MD5 hash function to provide security and is therefore considered weak when compared to later methods; it does not use TLS at all. EAP is an IETF standard that was originally defined in RFC 2284. Reference: IETF: Flexible Authentication via Secure Tunneling Extensible Authentication Protocol (EAP-FAST) Version 2: 1.2. Major Differences from Version 1

QUESTION 3 Router2 is configured to obtain time from three different NTP servers. You want to determine from which of the three servers Router2 is currently synchronizing time. Which of the following commands would not achieve your goal? (Select the best answer.)

A. show clock detail
B. show ntp associations
C. show ntp associations detail
D. show ntp status

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: Of the available choices, only the show clock detail command would not enable you to determine from which of the three Network Time Protocol (NTP) servers Router2 is synchronizing time. The show clock detail command displays the date and time as configured on the device and general information about the time source. However, this command does not reveal the IP address or NTP peer status of an NTP source. The following is sample output from the show clock detail command:

Router2#show clock detail
09:12:20.299 UTC Sat Jul 4 2015
Time source is NTP

The show ntp associations command and the show ntp associations detail command would both enable you to determine from which of the three NTP servers Router2 is synchronizing time. The show ntp associations command displays both the address of each configured NTP server and the address of the reference clock to which that server is itself synchronized. When issued with the detail keyword, you can additionally determine the IP address of the NTP peer from which time was synchronized, the NTP source authentication status, the NTP hierarchical status of the server from which time was obtained, whether the NTP peer passes basic sanity checks, whether NTP believes the time is valid, and the stratum of the NTP peer. The following is sample output from both the show ntp associations command and the show ntp associations detail command:

The presence of our_master in the output of the show ntp associations detail command indicates the status of the device at the NTP peer IP address of 203.0.113.1. Similarly, the asterisk (*) in the output of the show ntp associations command indicates that Router2's NTP master is the device with the IP address of 203.0.113.1. The show ntp status command would also enable you to determine from which of the three NTP servers Router2 is synchronizing time. The show ntp status command displays no information when NTP is not running on a device. When NTP is running, the show ntp status command provides information about whether the local clock is synchronized, the local clock's stratum level, and the IP address of the NTP peer that the local device is using as a reference clock. The following is sample output from the show ntp status command:

Reference: Cisco: Cisco IOS Basic System Management Command Reference: show clock
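Added example, not part of the original exam material: a Python parser for the table printed by show ntp associations. It reads the tally code in the first column, reports the peer marked with an asterisk (the server the router is actually synchronized to), and decodes the octal reach register so that an unreachable server stands out. The output it parses is constructed here to match the IOS column layout; the addresses come from the 203.0.113.0/24 documentation range used in the question.

```python
import re

# Tally codes printed in column 1 by IOS (the legend at the bottom of the output).
TALLY = {
    "*": "master (synced)",
    "#": "master (unsynced)",
    "+": "selected",
    "-": "candidate",
    " ": "none",
}

# tally, '~' (configured), address, ref clock, st, when, poll, reach, delay, offset, disp
ASSOC_RE = re.compile(
    r"^([*#+\- ])(~?)(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+([0-7]+)\s+(\S+)\s+(\S+)\s+(\S+)"
)


def parse_ntp_associations(text):
    """Return one dict per association row; header and legend rows are skipped."""
    peers = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line)
        if not m:
            continue
        tally, configured, address, refclock, st, when, poll, reach, delay, offset, disp = m.groups()
        reach_bits = int(reach, 8)  # reach is an octal shift register of the last 8 polls
        peers.append({
            "address": address,
            "role": TALLY[tally],
            "configured": configured == "~",
            "refclock": refclock,
            "stratum": int(st),
            "poll_interval": int(poll),
            "polls_answered": bin(reach_bits).count("1"),
            "reachable": reach_bits != 0,
            "offset_ms": float(offset),
        })
    return peers


def sync_source(peers):
    """Address of the peer the router is synchronized to (tally '*'), or None."""
    for p in peers:
        if p["role"] == "master (synced)":
            return p["address"]
    return None


# Constructed sample output in the IOS layout (not captured from a real router).
SHOW_NTP_ASSOCIATIONS = """\
      address         ref clock       st   when   poll reach  delay  offset   disp
*~203.0.113.1      .GPS.             1     35     64   377    1.2    0.15    0.4
+~203.0.113.2      203.0.113.1       2     40     64   377    2.3    0.60    0.9
 ~203.0.113.3      203.0.113.1       2      0     64     0    0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

if __name__ == "__main__":
    peers = parse_ntp_associations(SHOW_NTP_ASSOCIATIONS)
    print("synchronized to:", sync_source(peers))
    for p in peers:
        print(p["address"], p["role"], "stratum", p["stratum"],
              "answered", p["polls_answered"], "of last 8 polls")
```

The third server above has a reach of 0 and a dispersion of 16000, the signature of a configured peer that has never answered; a quick check like this is also a cheap way to notice when a router has quietly fallen back to a different, possibly untrusted, time source.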

QUESTION 4 Which of the following indicates that aggressive mode ISAKMP peers have created SAs? (Select the best answer.)

A. AG_NO_STATE
B. MM_NO_STATE
C. AG_AUTH
D. MM_KEY_AUTH
E. QM_IDLE

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: Of the available choices, AG_NO_STATE is the state that indicates that aggressive mode Internet Security Association and Key Management Protocol (ISAKMP) peers have created security associations (SAs). The show crypto isakmp sa command displays the status of the current Internet Key Exchange (IKE) SAs on the router. The following states are used during aggressive mode:
- AG_NO_STATE - The peers have created the SA, but nothing else has happened yet.
- AG_INIT_EXCH - The peers have completed the first aggressive mode exchange (SA parameters, Diffie-Hellman (DH) public values, nonces, and identities), but the SA is not yet authenticated.
- AG_AUTH - The peers have authenticated the SA.

MM_NO_STATE is the first state that occurs when IKE SAs are set up in main mode. MM_NO_STATE indicates that the ISAKMP peers have created their SAs. However, an exchange that does not move past this state indicates that main mode has failed. The following states are used during main mode:
- MM_NO_STATE - The peers have created the SA, but nothing else has happened yet.
- MM_SA_SETUP - The peers have agreed on SA parameters.
- MM_KEY_EXCH - The peers have exchanged DH public values and have generated a shared secret; the SA is not yet authenticated.
- MM_KEY_AUTH - The peers have authenticated the SA.

Quick mode is used during IKE phase 2. QM_IDLE indicates that IKE phase 1 has completed successfully and that there is an active, authenticated IKE SA between the peers that can be used for quick mode exchanges. Reference: Cisco: Most Common DMVPN Troubleshooting Solutions; Cisco: Cisco IOS Security Command Reference: show crypto isakmp sa
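Added example, not from the page or from Cisco: a Python parser for the show crypto isakmp sa table that maps each state to its mode and meaning, and lists the negotiations that never completed phase 1. The output below is constructed in the IOS layout (the (deleted) flag on a stale MM_NO_STATE entry is the usual sign of a peer that is unreachable or is rejecting the proposal); addresses are from the 203.0.113.0/24 documentation range.

```python
import re

# State name -> (mode, what it means), following the descriptions above.
ISAKMP_STATES = {
    "MM_NO_STATE":  ("main", "ISAKMP SA created, nothing else has happened yet"),
    "MM_SA_SETUP":  ("main", "SA parameters agreed"),
    "MM_KEY_EXCH":  ("main", "DH public values exchanged and shared secret generated; not yet authenticated"),
    "MM_KEY_AUTH":  ("main", "SA authenticated"),
    "AG_NO_STATE":  ("aggressive", "ISAKMP SA created, nothing else has happened yet"),
    "AG_INIT_EXCH": ("aggressive", "first aggressive mode exchange done; not yet authenticated"),
    "AG_AUTH":      ("aggressive", "SA authenticated"),
    "QM_IDLE":      ("quick", "phase 1 complete; SA idle and available for quick mode exchanges"),
}

# dst, src, state, conn-id, status, optional "(deleted)"-style flag
SA_RE = re.compile(r"^(\S+)\s+(\S+)\s+(MM_\w+|AG_\w+|QM_\w+)\s+(\d+)\s+(\S+)(?:\s+\((\w+)\))?")


def parse_isakmp_sa(text):
    """Return one dict per IKE SA row; headers and blank lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if not m:
            continue
        dst, src, state, conn_id, status, flag = m.groups()
        mode, meaning = ISAKMP_STATES.get(state, ("unknown", "unrecognised state"))
        sas.append({
            "dst": dst, "src": src, "state": state, "conn_id": int(conn_id),
            "status": status, "flag": flag, "mode": mode,
            "phase1_complete": state == "QM_IDLE", "meaning": meaning,
        })
    return sas


def stuck_negotiations(sas):
    """SAs still in a main or aggressive mode state: phase 1 has not completed."""
    return [sa for sa in sas if not sa["phase1_complete"]]


# Constructed sample output (not captured from a real router).
SHOW_CRYPTO_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE
203.0.113.4     203.0.113.1     MM_NO_STATE       1002 ACTIVE (deleted)
203.0.113.6     203.0.113.1     AG_NO_STATE       1003 ACTIVE

IPv6 Crypto ISAKMP SA

"""

if __name__ == "__main__":
    sas = parse_isakmp_sa(SHOW_CRYPTO_ISAKMP_SA)
    for sa in sas:
        print(sa["conn_id"], sa["dst"], sa["state"], sa["mode"], "-", sa["meaning"])
    print("incomplete phase 1:", [sa["conn_id"] for sa in stuck_negotiations(sas)])
```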

QUESTION 5 Which of the following is least likely to be considered an advanced persistent threat? (Select the best answer.)

A. Operation Aurora
B. Heartbleed
C. the 2011 RSA breach
D. Stuxnet

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: Of the available options, Heartbleed is least likely to be considered an advanced persistent threat (APT). An APT is an intrusion in which the attacker has advanced knowledge of intrusion tools and techniques, is fully intent on using the intrusion to achieve a specific mission or goal, and has organizational backing, funding, and motivation. For example, an attacker who obtains access to an organization's network and remains there for an extended period of time to collect data that can then be used to the attacker's advantage can be considered an APT. Heartbleed is a vulnerability, not an advanced persistent attack. Heartbleed is the OpenSSL vulnerability (CVE-2014-0160) that allows an attacker to read up to 64 kilobytes (KB) of a server's process memory per malformed TLS heartbeat request, and the request can be repeated as often as the attacker likes. The Heartbleed bug, which was disclosed in 2014, was a memory-handling bug (a missing bounds check in the heartbeat extension) present in OpenSSL from version 1.0.1 through version 1.0.1f; OpenSSL 1.0.1g was the first version to fix it. By exploiting this vulnerability, an attacker can potentially obtain a server's private key, which could in turn allow the attacker to decrypt communications with the server or perform man-in-the-middle attacks against it. Although Heartbleed could be used as a component of an APT intrusion, it is not itself an advanced persistent threat. Operation Aurora could be considered an APT. Operation Aurora was a months-long attack in 2009 that was carried out against multiple companies, including Google and Adobe; it began with a targeted spear phishing email. The email delivered malware that exploited an Internet Explorer vulnerability to obtain access to the contents of partially freed memory. After compromising company workstations, the attackers used those workstations to obtain access to other company resources and information, which eventually resulted in the loss of intellectual property. The attack was eventually traced to two Chinese education facilities that were thought to have ties to a Google competitor in China. The 2011 RSA breach could be considered an APT. The RSA breach was an attack against RSA's SecurID two-factor authentication system. Similar to Operation Aurora, the 2011 RSA breach began with a targeted phishing email that contained a Microsoft Excel attachment. The Excel attachment contained a zero-day exploit that installed a back door on a user's workstation. From there, the attacker compromised other workstations in what appeared to be an effort to retrieve information related to SecurID, such as source code or customer information. Stuxnet is more likely than Heartbleed to be considered an APT. Stuxnet was used in an act of cyber warfare against Iranian industrial control systems (ICSs). It was written to target specific ICSs by modifying code on programmable logic controllers (PLCs). Stuxnet initially exploited vulnerabilities in the printer spooler service; later variants also exploited a vulnerability in the way that Windows processes shortcuts (.lnk files). Research from Symantec published in 2011 indicated that at the time, over 60 percent of Stuxnet-affected hosts had been in Iran. Symantec analyzed Stuxnet and its variants and discovered that five organizations were the primary targets of infection and that further infections were likely collateral damage from the aggressive manner in which the worm spreads through a network. Given the considerable cost in resources and man-hours that would have been required to craft the Stuxnet worm, it was theorized that it was intended to sabotage high-value targets such as nuclear materials refinement facilities.

Reference: SANS: Assessing Outbound Traffic to Uncover Advanced Persistent Threat (PDF); Security Tracker: Cisco Unified Communications Manager OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information; National Vulnerability Database: Vulnerability Summary for CVE-2014-0160; Common Vulnerabilities and Exposures: CVE-2014-0160

QUESTION 6 Which of the following best describes the purpose of SNMP? (Select the best answer.)

A. to manage network devices
B. to send email
C. to create VPNs
D. to transfer files

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: Simple Network Management Protocol (SNMP) is used to manage network devices. SNMP can be used to remotely monitor and configure a wide variety of network devices, such as routers, switches, and network printers. SNMP version 1 (SNMPv1) and SNMPv2c use community strings to provide authentication. However, neither SNMPv1 nor SNMPv2c uses encryption; all data and community strings are sent in clear text. A malicious user can sniff an SNMP community string and use it to access and modify network devices, so a read-write community string on a management network is effectively a password sent in the clear. SNMPv3 is an enhancement to the SNMP protocol that adds user-based authentication and encryption to provide confidentiality, integrity, and authentication; it should be used with the authPriv security level wherever the devices support it. SNMP is not used to send email. Simple Mail Transfer Protocol (SMTP) is used to send email. Post Office Protocol 3 (POP3) and Internet Message Access Protocol 4 (IMAP4) are used to receive email. SNMP is not used to create virtual private networks (VPNs). To create a VPN, you would typically use a protocol that can encrypt the data on the virtual network, such as IP Security (IPSec). A VPN is often used when it is necessary to connect two locations that are separated by a public network, such as the Internet. SNMP is not used to transfer files. To transfer files between computers, you would use File Transfer Protocol (FTP), Trivial FTP (TFTP), or SSH File Transfer Protocol (SFTP). Reference: Cisco: Simple Network Management Protocol: Versions of SNMP

QUESTION 7 You create a static point-to-point VTI tunnel on RouterA. Afterward, you issue the show running-config command and receive the following output:

Which of the following is the authentication transform that will be used by the static VTI tunnel? (Select the best answer.)

A. ESP with 128-bit AES
B. ESP with 256-bit AES
C. ESP with 56-bit DES
D. ESP with 168-bit 3DES
E. ESP with MD5
F. ESP with SHA
G. AH with MD5
H. AH with SHA

Correct Answer: F Section: (none) Explanation

Explanation/Reference: Explanation: The static virtual tunnel interface (VTI) tunnel will use Encapsulating Security Payload (ESP) with Secure Hash Algorithm (SHA) as the authentication transform, as indicated by the esp-sha-hmac keyword in the crypto ipsec transform-set command. The syntax of the command is crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]. Up to four transforms can be specified in an IP Security (IPSec) transform set, at most one of each kind: one ESP authentication transform, one Authentication Header (AH) transform, one ESP encryption transform, and one IP compression transform. ESP can use the Message Digest 5 (MD5) and SHA algorithms for authentication. The following keywords specify the ESP authentication transform:
- esp-md5-hmac - uses ESP with HMAC-MD5
- esp-sha-hmac - uses ESP with HMAC-SHA-1

AH can also use the MD5 and SHA algorithms for authentication. The following keywords specify the AH transform:
- ah-md5-hmac - uses AH with MD5
- ah-sha-hmac - uses AH with SHA

ESP can use the following encryption methods:
- 128-bit, 192-bit, and 256-bit Advanced Encryption Standard (AES)
- 56-bit Data Encryption Standard (DES)
- 168-bit Triple DES (3DES)
- 160-bit Software-optimized Encryption Algorithm (SEAL)
- null encryption

The following keywords specify the ESP encryption transform:
- esp-aes (128-bit AES)
- esp-aes 192
- esp-aes 256
- esp-des
- esp-3des
- esp-seal
- esp-null

Of these, DES, 3DES, SEAL, and MD5 are legacy algorithms; for a new tunnel, AES with a SHA-family HMAC is the only combination from this list that should be deployed. The Lempel-Ziv-Stac (LZS) algorithm is the only IP compression method that can be used in an IPSec transform set. To configure a transform set to use LZS IP compression, you should use the comp-lzs keyword. Reference: Cisco: Cisco IOS Security Command Reference: crypto ipsec transform-set
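Added example, not from the page or from Cisco: a Python parser for the crypto ipsec transform-set command that sorts each keyword into its slot (ESP authentication, AH, ESP encryption, compression), handles the two-token esp-aes 192 / esp-aes 256 forms, rejects a set that names two transforms of the same kind, and renders the result in the wording of the answer choices. Because the running-config output the question refers to is not reproduced on this page, the transform-set name VTI-TS and the command strings below are constructed.

```python
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
AH = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_ENCR = {"esp-aes", "esp-des", "esp-3des", "esp-seal", "esp-null"}
COMP = {"comp-lzs"}
AES_KEY_SIZES = {"192", "256"}  # 'esp-aes' with no size means 128-bit


def parse_transform_set(command):
    """Parse 'crypto ipsec transform-set NAME t1 [t2] [t3] [t4]' into its four slots."""
    tokens = command.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"] or len(tokens) < 5:
        raise ValueError("not a crypto ipsec transform-set command")
    result = {"name": tokens[3], "esp_auth": None, "ah": None, "esp_encr": None, "comp": None}
    i = 4
    while i < len(tokens):
        tok = tokens[i]
        if tok in ESP_AUTH:
            slot, value = "esp_auth", tok
        elif tok in AH:
            slot, value = "ah", tok
        elif tok in ESP_ENCR:
            slot, value = "esp_encr", tok
            if tok == "esp-aes" and i + 1 < len(tokens) and tokens[i + 1] in AES_KEY_SIZES:
                value = f"esp-aes {tokens[i + 1]}"
                i += 1
        elif tok in COMP:
            slot, value = "comp", tok
        else:
            raise ValueError(f"unknown transform: {tok}")
        if result[slot] is not None:
            raise ValueError(f"more than one {slot} transform: {result[slot]} and {value}")
        result[slot] = value
        i += 1
    return result


def describe_encryption(ts):
    """Encryption transform in the wording used by the answer choices."""
    e = ts["esp_encr"]
    if e is None:
        return None
    if e.startswith("esp-aes"):
        bits = e.split()[1] if " " in e else "128"
        return f"ESP with {bits}-bit AES"
    return {
        "esp-des": "ESP with 56-bit DES",
        "esp-3des": "ESP with 168-bit 3DES",
        "esp-seal": "ESP with 160-bit SEAL",
        "esp-null": "ESP with null encryption",
    }[e]


def describe_authentication(ts):
    """Authentication transforms (ESP first, then AH) in the wording of the answer choices."""
    names = {
        "esp-md5-hmac": "ESP with MD5", "esp-sha-hmac": "ESP with SHA",
        "ah-md5-hmac": "AH with MD5", "ah-sha-hmac": "AH with SHA",
    }
    return [names[t] for t in (ts["esp_auth"], ts["ah"]) if t]


if __name__ == "__main__":
    # Constructed command; the name VTI-TS is an assumption of this example.
    ts = parse_transform_set("crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac")
    print(ts)
    print("encryption:", describe_encryption(ts))
    print("authentication:", describe_authentication(ts))
```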

QUESTION 8 To ease administrative overhead, you want to add a third-party feed to a Security Intelligence device so that the IP addresses of known malicious hosts are automatically blacklisted. However, you have not determined whether the feed is valid. Which of the following are you most likely to do? (Select the best answer.)


A. Implement the feed, and add IP addresses to a custom whitelist as necessary.
B. Enforce Security Intelligence filtering by Security Zone.
C. Configure the monitor-only setting, and examine the logs.
D. Configure a custom blacklist that contains only malicious IP addresses.

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: Most likely, you will configure the monitor-only setting and examine the logs if you want to add a third-party feed to a Security Intelligence device but you have not determined whether the feed is valid. Security Intelligence devices, such as a Cisco Sourcefire Intrusion Prevention System (IPS), are capable of accepting manually imported lists of network addresses or feeds from third parties. Such devices can block IP addresses or networks based on their reputation, which avoids the device overhead of having to analyze traffic from those networks. The monitor-only setting lets traffic from networks that are listed within a given feed pass through to normal analysis by the Security Intelligence device, but logs the fact that the given network matches the third-party feed. This enables an administrator to review the logs and the analysis of traffic from networks on the feed to determine the validity of the feed before anything is blocked. Although you could implement the feed and add IP addresses to a custom whitelist as necessary, doing so might increase administrative overhead if the feed turns out to be invalid. On Security Intelligence devices, whitelists can be used to override blacklisted IP addresses. Whitelists can thus be used to enable communication with legitimate IP addresses that are listed on third-party feeds or other blacklists that might be too broadly defined. From an administrative overhead standpoint, you are more likely to validate the feed, then implement the feed, and finally add IP addresses or networks to the whitelist as necessary. You are less likely to enforce Security Intelligence filtering by Security Zone than to configure the monitor-only setting in this scenario, because doing so would neither validate nor invalidate the IP addresses that are contained on the third-party feed. Enforcing blacklisting by security zone can be used to enhance the performance of a Security Intelligence device by limiting the blacklisting to the specific security zones that process the given traffic. For example, the blacklisting of IP addresses that send email traffic could be restricted to a Security Zone that handles only email traffic. You are not likely to configure a custom blacklist that contains only malicious IP addresses, because doing so defeats the purpose of easing administrative overhead in this scenario. Security Intelligence devices allow the creation of custom blacklists so that you can manually block specific IP addresses or networks. However, compiling and validating such a list would require more administrative overhead in this scenario than simply validating a third-party feed prior to implementing it. Reference: Cisco: Blacklisting Using Security Intelligence IP Address Reputation: Choosing a Security Intelligence Strategy

QUESTION 9 Which of the following is primarily true of SEM systems? (Select the best answer.)

A. They perform real-time analysis and detection.
B. They focus on policy and standards compliance.
C. They consolidate logs to a central server.
D. They analyze log data and report findings.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: Security Event Management (SEM) systems perform real-time analysis and detection. SEM systems typically analyze log data from a number of sources as it arrives. Some systems also incorporate incident handling tools that enable administrators to more effectively mitigate threats when they occur. Security Information Management (SIM) systems, on the other hand, are focused more on the collection, storage, and analysis of logs in a non-real-time fashion. For example, a SIM system might centralize logging on a single device for review and analysis. Some SIM systems also provide assessment tools that can flag potentially threatening events. A Security Information and Event Management (SIEM) system combines both the real-time aspects of a SEM system and the in-depth analysis and timeline generation of a SIM system. Therefore, a SIEM system is a hybrid of a SIM system and a SEM system. Reference: SANS: IDFAQ: What is The Role of a SIEM in Detecting Events of Interest?; TechTarget SearchSecurity: security information and event management (SIEM)

QUESTION 10 You want to configure Cisco ISE as a SCEP proxy to a Microsoft Windows Server 2008 R2 root CA. Which of the following also needs to be configured? (Select the best answer.)

A. AD on the CA
B. a root CA on the Cisco ISE
C. a manually installed certificate on the connecting BYOD device
D. NDES on a CA or domain member server

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: Microsoft Network Device Enrollment Service (NDES) on a certificate authority (CA) or domain member server also needs to be configured if you want to configure Cisco Identity Services Engine (ISE) as a Simple Certificate Enrollment Protocol (SCEP) proxy to a Microsoft Windows Server 2008 R2 root CA. Implementing ISE as a SCEP proxy enables bring your own device (BYOD) users to enroll certificates for their devices on their own, without administrative overhead for the IT department. You are not required to configure a root CA on the Cisco ISE. Configuring ISE as a SCEP proxy means that ISE communicates with the CA on behalf of its client devices. However, ISE does need to be configured with a SCEP CA profile. When configured with a SCEP CA profile, ISE will hold the NDES registration authority (RA) certificate in its certificate store. RAs verify requests for certificates and enable the CA to issue them. You are not required to configure Active Directory (AD) on the CA. AD is typically configured on domain controllers, although member servers and workstations can join the AD domain. You are not required to manually install a certificate on the connecting BYOD device. Manually installing a client certificate on the BYOD device would defeat the purpose of configuring ISE as a SCEP proxy, because administrative intervention would be required. Reference: Cisco: ISE SCEP Support for BYOD Configuration Example: Background Information

QUESTION 11 You issue the following commands on a Cisco router:

tacacs-server host ts1 single-connection timeout 20
tacacs-server timeout 30

Which of the following are true about how the Cisco router communicates with the TACACS+ server? (Select 2 choices.)

A. The router will maintain an open TCP connection. B. The router will maintain an open TCP connection for no more than 20 seconds. C. The router will maintain an open TCP connection for no more than 30 seconds. D. The router will wait 20 seconds for the server to reply before declaring an error. E. The router will wait 30 seconds for the server to reply before declaring an error.

Correct Answer: AD Section: (none) Explanation

Explanation/Reference: Explanation: The router will maintain an open Transmission Control Protocol (TCP) connection. In addition, the router will wait 20 seconds for the server to reply before declaring an error. The tacacs-server host ts1 single-connection timeout 20 command in this scenario configures the router to connect to a Terminal Access Controller Access Control System Plus (TACACS+) server named ts1. The single-connection keyword configures the router to maintain an open connection to the TACACS+ server. The timeout 20 keyword configures the router to wait 20 seconds for the TACACS+ server to reply before declaring an error with the connection. The router will not wait 30 seconds for the server to reply before declaring an error. The tacacs-server host ts1 single-connection timeout 20 command in this scenario configures the router to wait only 20 seconds for the server to reply before declaring an error. If the timeout 20 keyword had not been specified in this scenario, the global tacacs-server timeout 30 command would have configured the router to wait 30 seconds for the server to reply before declaring an error. A per-host timeout value overrides the value assigned by the global tacacs-server timeout command, so the global value is only a default for hosts that do not set their own. The router will maintain the open connection for an indeterminate amount of time, not for a 20-second or 30-second interval. When the single-connection keyword is not configured, a Cisco router opens and closes a TCP connection to the TACACS+ server each time it needs to perform an operation. When the single-connection keyword is configured, the router connects to the TACACS+ server and maintains that connection even when it is not performing an operation. This setting enhances the efficiency of the communications between the router and the TACACS+ server because the router does not have to constantly close and open connections; it requires a TACACS+ server that supports single-connection mode. Reference: Cisco: Configuring TACACS+: Identifying the TACACS+ Server Host

QUESTION 12 You want to implement a VPN with an always-on fail close policy for Cisco AnyConnect clients. Which of the following does Cisco recommend that you do? (Select the best answer.)

A. Start with a fail open policy, and implement fail close in phases.
B. Start with the fail close policy, and implement fail open as necessary.
C. Implement always-on, and leave the failure policy at the default setting.
D. Implement always-on with a fail open policy, and enable the Disconnect button.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: Cisco recommends that you start with a fail open policy and implement fail close in phases if you want to implement a virtual private network (VPN) with an always-on fail close policy. The always-on feature causes Cisco AnyConnect clients to establish a VPN session automatically whenever the client detects that the host is connected to an untrusted network. For example, a laptop that is used both on a corporate LAN and for remote work might be configured to automatically connect to the corporate VPN whenever the laptop is not directly connected to the corporate LAN. However, any number of problems could prevent the client from actually establishing a connection to the VPN. There are two connect failure policies that you can enable for Cisco AnyConnect always-on clients. The fail open policy allows the client to complete a connection to the local network for access to the Internet or local resources. However, because a VPN session has not been established, the security of the AnyConnect device that is connected to the remote network could be compromised. The fail close policy, on the other hand, blocks all network access from the Cisco AnyConnect client except to local devices and devices that are reachable through split tunneling. This extra layer of security could prevent the user from accessing the Internet and thus could compromise productivity if the user relies on Internet access to complete work-related tasks. Because the fail close policy is so restrictive, Cisco recommends implementing it by using a phased approach that starts with fail open and surveys user activity for AnyConnect issues that might prevent seamless connections. There is no need to enable the Disconnect button, because the button is enabled by default when the always-on feature is enabled. The Disconnect button enables users to manually disconnect from a VPN session that has been automatically established by the AnyConnect client. The Disconnect button can be disabled by an administrator. Cisco does not recommend leaving the failure policy at the default setting if you want to implement a fail close policy. The fail close policy is the default connect failure policy when always-on is enabled, which is exactly why a phased rollout is needed. Reference: Cisco: Configuring VPN Access: Connect Failure Policy for Always-On VPN

QUESTION 13 Your company is using a shopping cart web application that is known to be vulnerable to a code injection attack. Your company has no support agreement for the application, and the application is no longer updated by its author. Modifying the code would require the hiring of additional help and an extensive interview process. Which of the following should your company do in the meantime to most quickly mitigate the threat? (Select the best answer.)

A. Use the grep command to examine web logs for evidence of an attack.
B. Shut down the site.
C. Replace the shopping cart application with a different one.
D. Implement a WAF.

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: Your company should implement a web application firewall (WAF) to mitigate the shopping cart web application threat. A WAF sits between a web application and the end user in order to protect the application from malicious activity and known vulnerabilities by inspecting requests and blocking those that match attack patterns. Therefore, by installing a WAF, it is possible to protect a vulnerable web application without modifying the application code. A WAF is a compensating control rather than a fix: it reduces exposure to the known injection pattern, but the vulnerable code is still there and should be replaced or patched as soon as it can be. Although you should examine the web application logs (for example, with the grep command) for evidence of an attack, doing so would not quickly mitigate the threat posed by the unpatched vulnerability. Searching for evidence of an attack takes time, and even if evidence of an attack were found in the log, discovering that evidence does not mitigate the threat. Although you should consider replacing the shopping cart application with a different one that is supported and regularly updated, doing so would not be the quickest way to mitigate the threat. Depending on the complexity of the data and the availability of conversion tools, it could take many weeks or months to successfully migrate a shopping cart from one web application to another. You should not shut down the site. Shutting down the site would cause a severe business interruption because users would no longer be able to purchase products by using the shopping cart. Reference: OWASP: Category:OWASP Best Practices: Use of Web Application Firewalls

QUESTION 14 Which of the following is a Cisco IPS appliance feature that analyzes normal network activity to detect hosts that are infected with worms? (Select the best answer.)

A. anomaly detection
B. global correlation
C. reputation filtering
D. a signature definition
E. a threat rating

Correct Answer: A

Explanation: Anomaly detection is a Cisco Intrusion Prevention System (IPS) appliance feature that analyzes normal network activity to detect hosts that are infected with worms. The IPS anomaly detection feature enables IPS to learn what type of network activity is normal for the network that is being protected. If a network starts to become congested by traffic that is generated by a worm, or if a host that is infected with a worm connects to the network and attempts to infect other hosts, the anomaly detection feature can trigger a specific response, such as denying traffic from the infected host or alerting an administrator.

Signature definitions do not analyze normal network activity to detect hosts that are infected with worms. A signature definition is a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring. If the network activity matches a signature definition, IPS can trigger a specific response from other defined event action rule sets, such as denying traffic from a host or alerting an administrator. IPS administrators can manually configure signature definitions in Cisco IPS Device Manager (IDM) or use the Signature Wizard to create custom signature definitions.

Global correlation does not analyze normal network activity to detect hosts that are infected with worms. Global correlation enables IPS sensors to allow or deny traffic based on the reputation of the sending device. When you enable global correlation, IPS devices will periodically receive updates that include information about known malicious devices on the Internet from the Cisco SensorBase Network. In addition, global correlation will send statistical information about attacks against your company's network to the Cisco SensorBase Network. Cisco uses that information to detect threat patterns on the Internet.

Reputation filtering does not analyze normal network activity to detect hosts that are infected with worms. Reputation filtering denies packets from hosts that are considered to have a malicious reputation based on the global correlation information that is available from the Cisco SensorBase Network. Reputation filtering is different from global correlation inspection in that reputation filtering denies traffic before the traffic is compared to any signature definitions. In addition, reputation filtering does not generate alerts.

Threat ratings do not analyze normal network activity to detect hosts that are infected with worms. A threat rating is an event action risk rating that has been lowered because of a specific action taken by IPS. A risk rating is a numerical representation of the risk presented to a network by a specific attack. Risk ratings can range from 0 through 100. Depending on the actions IPS has taken in response to an event, IPS will subtract a value from the threat rating of the event. For example, if IPS responds to a specific event by issuing a request to block the attacking host, a value of 20 will be subtracted from the threat rating.

Reference: Cisco: Configuring Anomaly Detections: Understanding Anomaly Detection
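The learn-then-detect behaviour described above (baseline what is normal, then flag a host whose activity departs from it, such as one sweeping many neighbours on one port) can be shown on flow data. The following Python is an added illustration, not Cisco code and not how the IPS appliance implements anomaly detection internally; the flow records, the fan-out metric, the safety margin and the function names are all constructed assumptions.

```python
"""Baseline-and-threshold detector for worm-like scanning, in the spirit of the
"learn what is normal, then flag deviations" behaviour the explanation attributes
to the Cisco IPS anomaly detection feature.  Added illustration, not Cisco code.
Flow records are constructed: (minute, source, destination, destination_port)."""
from collections import defaultdict

# Constructed "learning mode" traffic: hosts touch at most three distinct
# (destination, port) pairs in any one minute.
LEARNING_FLOWS = [
    (1, "10.1.1.5", "10.1.2.1", 80),
    (1, "10.1.1.5", "10.1.2.2", 443),
    (1, "10.1.1.5", "10.1.2.3", 53),
    (1, "10.1.1.6", "10.1.2.1", 80),
    (2, "10.1.1.5", "10.1.2.1", 80),
    (2, "10.1.1.6", "10.1.2.9", 25),
    (2, "10.1.1.6", "10.1.2.1", 80),
]

# Constructed "detect mode" traffic: 10.1.1.7 sweeps twenty hosts on TCP/445
# in a single minute, which is how a scanning worm looks in flow data.
DETECT_FLOWS = [(10, "10.1.1.5", "10.1.2.1", 80)] + [
    (10, "10.1.1.7", f"10.1.2.{i}", 445) for i in range(1, 21)
]


def fanout_per_host(flows):
    """Largest number of distinct (dst, port) pairs each source contacted in any one minute."""
    targets = defaultdict(set)                  # (minute, src) -> {(dst, port)}
    for minute, src, dst, port in flows:
        targets[(minute, src)].add((dst, port))
    fanout = defaultdict(int)
    for (_minute, src), seen in targets.items():
        fanout[src] = max(fanout[src], len(seen))
    return dict(fanout)


def learn_baseline(flows, margin=2.0):
    """Learning mode: the highest per-minute fan-out seen in normal traffic, scaled by a margin."""
    return max(fanout_per_host(flows).values()) * margin


def detect(flows, threshold):
    """Detect mode: sources whose per-minute fan-out exceeds the learned threshold."""
    return sorted(src for src, n in fanout_per_host(flows).items() if n > threshold)


def respond(infected_hosts):
    """Example responses, mirroring 'deny traffic from the infected host' and 'alert an administrator'."""
    return [f"deny ip host {h} any" for h in infected_hosts] + [
        f"ALERT: {h} exceeded learned scan threshold" for h in infected_hosts
    ]


if __name__ == "__main__":
    threshold = learn_baseline(LEARNING_FLOWS)
    hits = detect(DETECT_FLOWS, threshold)
    print(f"threshold={threshold}, suspicious hosts={hits}")
    for action in respond(hits):
        print(action)
```

With the constructed data the learned threshold is 6.0 and only 10.1.1.7 is reported; a host that merely browses a few servers per minute stays under the line, which is the point of learning a baseline before enforcing one.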

QUESTION 15 Which of the following can be used to encrypt email messages, files, and disk drives? (Select the best answer.)

A. L2TP
B. PEM
C. PGP
D. S/MIME

Correct Answer: C

Explanation: Pretty Good Privacy (PGP) is software that can be used to encrypt email messages, files, and disk drives. PGP can be used to provide confidentiality, integrity, and nonrepudiation. PGP uses an asymmetric encryption method to encrypt information. To encrypt a file or a message by using PGP, you must use the recipient's public key. The recipient will then use his or her private key to decrypt the file or message. Many modern operating systems (OSs) offer their own built-in support for file-level and disk-level encryption. Therefore, third-party software is often no longer necessary for encrypting files. Privacy Enhanced Mail (PEM) and Secure/Multipurpose Internet Mail Extensions (S/MIME) can be used to encrypt email messages, but they cannot be used to encrypt files or disk drives. PEM is defined in Requests for Comments (RFCs) 1421 through 1424 but was never widely used. S/MIME, which was created by RSA Data Security, is now an RFC standard defined in RFCs 3369, 3370, 3850, and 3851. Although Layer 2 Tunneling Protocol (L2TP) can be used along with an encryption protocol to encrypt files and email messages while they are sent over a virtual private network (VPN), L2TP is not used to encrypt disk drives. L2TP does not offer any security on its own but provides the tunnel by which IP packets encapsulated in User Datagram Protocol (UDP) packets can travel.

Reference: Search Security: Tech Target: Pretty Good Privacy (PGP); Microsoft TechNet: Understanding S/MIME

QUESTION 16 Refer to the exhibit:

You have created a network object NAT rule in ASDM to translate the real IP address of a DMZ web server, DMZWWWINT, to an IP address in the OUTSIDE network, DMZWWWEXT. The DMZ interface has a security level of 50, and the OUTSIDE interface has a security level of 0. In addition, the ASA is running system software version 8.4.

Which of the following statements are true regarding the ACL that will be required to enable hosts in the OUTSIDE network to communicate with the DMZ web server? (Select 2 choices.)

A. The ACL should be applied to the OUTSIDE interface.
B. The ACL should be applied to the DMZ interface.
C. The ACL should reference the DMZWWWEXT object as its source address.
D. The ACL should reference the DMZWWWINT object as its source address.
E. The ACL should reference the DMZWWWEXT object as its destination address.
F. The ACL should reference the DMZWWWINT object as its destination address.

Correct Answer: AF

Explanation: In this scenario, the access control list (ACL) should be applied to the OUTSIDE interface and should reference the DMZWWWINT object as its destination address. The Network Address Translation (NAT) rule in this scenario creates a static mapping between the address of the web server in the DMZ network, which has been defined as an object named DMZWWWINT, and an address in the OUTSIDE network, which has been defined as an object named DMZWWWEXT. This static mapping enables hosts on the outside network to communicate with the DMZ web server by using the DMZWWWEXT address. However, the Cisco Adaptive Security Appliance (ASA) will deny inbound traffic from the OUTSIDE interface by default unless it is return traffic from an existing connection or an ACL exists which explicitly permits the traffic. You can view, edit, and add ACLs from the Configuration > Firewall > Access Rules pane in Adaptive Security Device Manager (ASDM). By default, the Access Rules pane contains implicit rules that permit traffic from higher security interfaces to lower security interfaces and that deny all traffic that has not been otherwise permitted, as shown in the following exhibit:

You can click the Add button in the Access Rules pane to create a new ACL. When you click the Add button, ASDM will display the Add Access Rule dialog box, as shown in the following exhibit:

In the Add Access Rule dialog box, you should click the Interface dropdown and select the OUTSIDE interface if it is not already selected. The ACL should be applied to the OUTSIDE interface; otherwise, the traffic from the OUTSIDE network would be denied before reaching any of the other ASA interfaces. You should ensure that the Permit radio button is selected in order to permit the traffic specified by the ACL. The Source Criteria section of the Add Access Rule dialog box can keep its default values because traffic from any source and user should be permitted to access the DMZ web server. The network object corresponding to the DMZ web server should be specified in the Destination field of the Destination Criteria section. Because the ASA is running a system software revision that is greater than or equal to version 8.3, the ACL required for this scenario must use the object named DMZWWWINT (the real address) as its destination and not the object named DMZWWWEXT (the mapped address), as would be the case for system software revisions earlier than version 8.3. Finally, the Service field should be used to specify the protocols that will be permitted by the ACL. By default, all IP traffic is permitted; however, because this rule applies to a web server, it is more secure to limit the permitted protocols to Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS). You can either type the protocol object names into the field or click the browse button to select protocols from a list. By default, the Add Access Rules dialog box enables the rule in the inbound direction, which is precisely what is needed in this scenario. The following exhibit shows the Add Access Rules dialog box with sample values that would be suitable for this scenario:

When you click the OK button, the Access Rules pane will automatically update to display the newly created ACL, as shown in the following exhibit:

You would not apply an ACL to the DMZ interface. Although you could apply a similar ACL to the DMZ interface in the outbound direction, traffic from the OUTSIDE interface would be denied by the implicit Global policy before it had a chance to reach the DMZ interface. There is no need to apply an ACL to the DMZ interface in the inbound direction because traffic from higher security interfaces is permitted to lower security interfaces by default. You would not need to supply a source address to the ACL in this scenario, because all traffic passing through the OUTSIDE interface in the inbound direction is specified instead. Although you could specify individual hosts or subnets in a similar ACL, it is significantly more efficient to specify any traffic on the OUTSIDE interface. Typically, the OUTSIDE interface of an ASA connects to the greatest number of additional networks, such as the Internet, and it would quickly become impractical to specify all permitted hosts or subnets.

Reference: Cisco: Configuring Access Rules: Configuring Access Rules
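The processing order that makes the real-address object the right destination on 8.3 and later (the static NAT untranslation happens before the inbound OUTSIDE access rule is evaluated, so the rule sees the real IP) can be modelled directly. The following Python is an added example, not Cisco code or ASDM output; the addresses assigned to DMZWWWINT and DMZWWWEXT, the outside client address, the version switch and the function names are assumptions made for the illustration.

```python
"""Order of NAT and ACL processing for a connection arriving on the OUTSIDE
interface of an ASA, modelled to show why, on 8.3 and later, the access rule
must reference the real address (DMZWWWINT) rather than the mapped address
(DMZWWWEXT).  Added example, not Cisco code; addresses and names are assumed."""
from dataclasses import dataclass, replace

# Constructed address values for the two network objects named in the question.
OBJECTS = {"DMZWWWINT": "10.10.10.80", "DMZWWWEXT": "203.0.113.80"}
STATIC_NAT = {OBJECTS["DMZWWWEXT"]: OBJECTS["DMZWWWINT"]}   # mapped -> real

WEB_SERVICES = frozenset({("tcp", 80), ("tcp", 443)})        # HTTP and HTTPS only


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class AccessRule:
    interface: str       # interface the rule is applied to, inbound
    action: str          # "permit" or "deny"
    dst_object: str      # network object used as the destination criterion
    services: frozenset  # permitted (protocol, port) pairs


def untranslate(pkt):
    """Static NAT in the inbound direction: replace a mapped destination with the real one."""
    return replace(pkt, dst=STATIC_NAT.get(pkt.dst, pkt.dst))


def rule_matches(rule, pkt):
    return pkt.dst == OBJECTS[rule.dst_object] and (pkt.proto, pkt.dport) in rule.services


def inbound_outside(pkt, rules, version=(8, 4)):
    """Return (verdict, destination the DMZ sees) for a packet entering OUTSIDE.

    8.3+: NAT untranslation runs first, so the ACL is evaluated against the real IP.
    Pre-8.3: the ACL is evaluated against the mapped IP, before untranslation.
    """
    seen_by_acl = untranslate(pkt) if version >= (8, 3) else pkt
    for rule in rules:
        if rule.interface == "OUTSIDE" and rule_matches(rule, seen_by_acl):
            return rule.action, untranslate(pkt).dst
    return "deny", untranslate(pkt).dst   # implicit deny at the end of every ACL


# Rule as the explanation prescribes for 8.4: destination is the real-address object.
RULE_REAL = AccessRule("OUTSIDE", "permit", "DMZWWWINT", WEB_SERVICES)
# Pre-8.3 style rule: destination is the mapped-address object.
RULE_MAPPED = AccessRule("OUTSIDE", "permit", "DMZWWWEXT", WEB_SERVICES)

if __name__ == "__main__":
    https = Packet("198.51.100.7", OBJECTS["DMZWWWEXT"], "tcp", 443)
    ssh = Packet("198.51.100.7", OBJECTS["DMZWWWEXT"], "tcp", 22)
    print("8.4, real-object rule:  ", inbound_outside(https, [RULE_REAL]))
    print("8.4, mapped-object rule:", inbound_outside(https, [RULE_MAPPED]))
    print("8.2, mapped-object rule:", inbound_outside(https, [RULE_MAPPED], version=(8, 2)))
    print("8.4, SSH to web server: ", inbound_outside(ssh, [RULE_REAL]))
```

Running it shows the same HTTPS request being permitted under 8.4 only by the rule that names DMZWWWINT, permitted under 8.2 only by the rule that names DMZWWWEXT, and SSH to the web server falling through to the implicit deny because the Service field was restricted to HTTP and HTTPS.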

QUESTION 17 According to the branch location ACL design guidelines in the Cisco BYOD Design Guide, which protocols should not be permitted by the default ACL that is applied to the access ports of a Layer 2 switch? (Select 2 choices.)

A. BOOTP
B. DNS
C. HTTP
D. HTTPS
E. ICMP
F. TFTP

Correct Answer: CD

Explanation: According to the branch location access control list (ACL) design guidelines in the Cisco Bring Your Own Device (BYOD) Design Guide, Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS) should not be permitted by the default ACL that is applied to the access ports of a Layer 2 switch. In a BYOD environment, 802.1X, Web Authentication (WebAuth), or Media Access Control (MAC) Authentication Bypass (MAB) is used to authenticate and authorize the user and the user's associated device for network access. Once a wired device authenticates with the Cisco Identity Services Engine (ISE), a downloadable ACL (dACL) is typically applied to the appropriate access port on the Layer 2 switch to which the device is attached. HTTP and HTTPS traffic should be permitted by an ACL that is used to redirect web traffic to the ISE for browser-based authentication if 802.1X or MAB authentication is unavailable. Cisco recommends denying Domain Name System (DNS) traffic or specifically excluding the IP address of the ISE to prevent redirection loops. For example, the following ACL denies DNS traffic and permits HTTP and HTTPS traffic for redirection to the ISE:

switch(config)#ip access-list extended REDIRECT-ACL
switch(config-ext-nacl)#deny udp any any eq domain
switch(config-ext-nacl)#permit tcp any any eq www
switch(config-ext-nacl)#permit tcp any any eq 443

Cisco recommends applying a default ACL to the access ports of Layer 2 switches to mitigate against situations where a configuration error might prevent a dACL from being applied to the appropriate access port during the authorization/authentication process. The default ACL should permit Bootstrap Protocol (BOOTP), DNS, Trivial File Transfer Protocol (TFTP), and Internet Control Message Protocol (ICMP). In addition, the default ACL should explicitly deny and log all other IP traffic. For example, the following ACL complies with Cisco's best common practices (BCP) as outlined in the BYOD Design Guide:

switch(config)#ip access-list extended DEFAULT-ACL
switch(config-ext-nacl)#permit icmp any any
switch(config-ext-nacl)#permit udp any eq bootpc any eq bootps
switch(config-ext-nacl)#permit udp any any eq domain
switch(config-ext-nacl)#permit udp any any eq tftp
switch(config-ext-nacl)#deny ip any any log

Reference: Cisco: Cisco Bring Your Own Device (BYOD) CVD: ACL Design at Branch Location
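To see how the two ACLs above actually treat a newly attached device's traffic (DHCP and DNS pass the default ACL, HTTP hits the logged deny, and the redirect ACL inverts that for web traffic), the following Python parses the access control entries quoted in the explanation and evaluates constructed packets against them with IOS first-match semantics and the implicit deny. This is an added example, not Cisco code; the packet tuples, the port-name table and the function names are assumptions for the illustration, and it goes slightly beyond the page by also accepting the host and address/wildcard source and destination forms.

```python
"""Parser and first-match evaluator for the IOS extended access-list entries the
explanation quotes (REDIRECT-ACL and DEFAULT-ACL).  Added example, not Cisco
code: it handles the 'any', 'host' and address/wildcard forms, 'eq' port
qualifiers with the well-known names that appear in these ACLs, and the 'log'
keyword.  Packets are constructed 5-tuples (proto, src, sport, dst, dport)."""
import ipaddress

# IOS port keywords used in the ACLs above (numeric ports are also accepted).
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69, "www": 80}


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _parse_addr(tokens, i):
    """Consume an address spec at tokens[i]; return ((address, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' qualifier."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one access control entry such as 'permit udp any eq bootpc any eq bootps'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "log": "log" in tokens[i:]}


def _addr_matches(spec, address):
    """Wildcard-mask comparison: bits set in the wildcard are 'don't care'."""
    base, wild = spec
    return (int(ipaddress.IPv4Address(address)) | wild) == (base | wild)


def ace_matches(ace, pkt):
    proto, src, sport, dst, dport = pkt
    if ace["proto"] != "ip" and ace["proto"] != proto:   # 'ip' matches every protocol
        return False
    if not (_addr_matches(ace["src"], src) and _addr_matches(ace["dst"], dst)):
        return False
    if ace["sport"] is not None and ace["sport"] != sport:
        return False
    if ace["dport"] is not None and ace["dport"] != dport:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny. Returns (action, logged)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"], ace["log"]
    return "deny", False


# The entries from the explanation, without the CLI prompts.
REDIRECT_ACL = [parse_ace(l) for l in (
    "deny udp any any eq domain",
    "permit tcp any any eq www",
    "permit tcp any any eq 443",
)]
DEFAULT_ACL = [parse_ace(l) for l in (
    "permit icmp any any",
    "permit udp any eq bootpc any eq bootps",
    "permit udp any any eq domain",
    "permit udp any any eq tftp",
    "deny ip any any log",
)]

if __name__ == "__main__":
    # Constructed packets from a freshly connected, not-yet-authorized device.
    dhcp = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)
    dns = ("udp", "10.20.0.15", 52000, "10.20.0.2", 53)
    http = ("tcp", "10.20.0.15", 52001, "198.51.100.10", 80)
    for name, pkt in (("dhcp", dhcp), ("dns", dns), ("http", http)):
        print(f"{name}: DEFAULT-ACL -> {evaluate(DEFAULT_ACL, pkt)}, "
              f"REDIRECT-ACL -> {evaluate(REDIRECT_ACL, pkt)}")
```

The logged deny at the end of DEFAULT-ACL is what makes a missing dACL visible: any web or other traffic from a port that never received its authorization policy shows up in the switch log rather than silently succeeding.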

QUESTION 18 You have issued the following commands to modify the 802.1X configuration on a switch port:

switch(config-if)#authentication order mab dot1x
switch(config-if)#authentication priority dot1x mab
switch(config-if)#authentication event fail action next-method
switch(config-if)#authentication event no-response action authorize vlan 1313

A new host is attached to the switch port. The host’s MAC address is in the authentication database, but the host’s certificate for 802.1X authentication is expired. Which of the following statements is true regarding the host in this scenario? (Select the best answer.)


A. MAB will authorize the host for network access, and the switch port will ignore the host's 802.1X authentication attempts.
B. MAB will authorize the host for network access; however, the host will lose network access when it attempts to authenticate with 802.1X.
C. The host will fail 802.1X authentication and will be assigned to VLAN 1313.
D. The host will fail 802.1X authentication, and the switch will place the port into an unauthorized state.

Correct Answer: B

Explanation: In this scenario, Media Access Control (MAC) Authentication Bypass (MAB) will authorize the host for network access; however, the host will lose network access when it attempts to authenticate with 802.1X. A switch port can be configured to use 802.1X, MAB, or Web Authentication (WebAuth) to authenticate clients. The authentication order command is used to specify the order in which the switch should attempt the configured authentication methods. By default, a switch will attempt 802.1X authentication before other authentication methods. The authentication order mab dot1x command configures the switch to first use MAB to authenticate a client based on its MAC address. If the client's MAC address is not in the authentication database, the switch will then attempt to authenticate the client with 802.1X. In this scenario, the client's MAC address is in the authentication database and MAB will authorize the client for network access. Normally, the configured authentication order is mirrored by the priority of each authentication method; however, you can use the authentication priority command to change the priority. If the priority mirrored the authentication order in this scenario, the switch would ignore Extensible Authentication Protocol over LAN (EAPoL) messages after the client was authenticated by MAB, and the client would continue to have authorized network access. However, the authentication priority dot1x mab command changes the default priority behavior and assigns a higher priority to 802.1X authentication than it does to MAB. This enables a client to use 802.1X authentication even if it has successfully been authenticated by MAB. Unfortunately, the client will lose network access when it attempts 802.1X authentication because its certificate is expired.

The authentication event fail action command specifies how the switch should react if an 802.1X client is detected and the client fails to authenticate. There are two configurable parameters: next-method and authorize vlan vlan-id. The authorize vlan vlan-id parameter configures the port to a specific restricted virtual LAN (VLAN). The next-method parameter configures the switch to attempt authentication by using the next authentication method specified in the authentication order command. If the next-method parameter is configured, the switch will indefinitely cycle through authentication methods unless WebAuth is configured. If WebAuth is configured, the authentication process will not loop back to other authentication methods and the switch will ignore EAPoL messages on the port. The authentication event no-response action authorize vlan 1313 command specifies the VLAN into which a switch should place a port if it does not receive a response to the EAPoL messages it sends on that port. This enables devices that do not support 802.1X to be assigned to a guest VLAN. When a guest VLAN is configured, the switch will grant non-802.1X-capable clients access to the guest VLAN; however, if an 802.1X-capable device is detected, the switch will place the port into an unauthorized state and will deny access to all devices on the port.

Reference: Cisco: Flexible Authentication Order, Priority, and Failed Authentication: Case 2: Order MAB Dot1x and Priority Dot1x MAB

QUESTION 19 Which of the following are symmetric encryption algorithms? (Select 3 choices.)

A. AES
B. RC4
C. 3DES
D. ECC
E. DH
F. DSA

Correct Answer: ABC

Explanation: Advanced Encryption Standard (AES), RC4, and Triple Data Encryption Standard (3DES) are symmetric encryption algorithms. When symmetric encryption algorithms are used, the same encryption key is used to encrypt and decrypt data. In addition, because symmetric encryption algorithms use less complex mathematics than asymmetric encryption algorithms when encrypting and decrypting data, they often perform faster than asymmetric encryption algorithms. Two types of symmetric encryption algorithms exist: block ciphers and stream ciphers. Block ciphers derive their name from the fact that they encrypt fixed-length blocks of data. For example, AES encrypts 128-bit blocks of data. By contrast, stream ciphers are typically faster than block ciphers because stream ciphers can encrypt text of variable length depending on the size of the frame to be encrypted; stream ciphers are not limited to specific block sizes. For example, RC4, a stream cipher, can encrypt data in streams of 8 through 2,048 bits. Other examples of symmetric encryption algorithms include International Data Encryption Algorithm (IDEA), Skipjack, and Blowfish.

Diffie-Hellman (DH), Digital Signature Algorithm (DSA), and Elliptic Curve Cryptography (ECC) are asymmetric algorithms. DH is an asymmetric key exchange method. DSA and ECC are asymmetric encryption algorithms. Asymmetric encryption, also known as public key encryption, uses a public key to encrypt data and a different, yet mathematically related, private key to decrypt data. Public key infrastructure (PKI) uses a certificate authority (CA) to tie a public key to a user ID to further ensure the confidentiality of data. Other examples of asymmetric encryption algorithms include RSA and ElGamal.

Reference: CCNA Security 210-260 Official Cert Guide, Chapter 5, Symmetric and Asymmetric Algorithms, pp. 92-94

QUESTION 20 Which of the following statements is correct regarding the traffic types that can be matched in a class map on a Cisco ASA? (Select the best answer.)

A. A class map can match traffic by TCP port number but not by UDP port number.
B. A class map can match traffic by UDP port number but not by IP precedence.
C. A class map can match traffic by TCP port number but not by IP precedence.
D. A class map can match traffic by UDP port number but not by TCP port number.
E. A class map can match traffic by TCP port number, by UDP port number, and by IP precedence.

Correct Answer: E

Explanation: A class map can match traffic by Transmission Control Protocol (TCP) port number, by User Datagram Protocol (UDP) port number, and by IP precedence on a Cisco Adaptive Security Appliance (ASA). A class map is one of the three basic components of Modular Policy Framework (MPF); policy maps and service policies are the other two components. MPF is a Cisco ASA feature that provides a flexible method of enabling security policies on an interface. A class map identifies a specific flow of traffic, a policy map determines the action that will be performed on the traffic, and a service policy ties this action to a specific interface. Generally, each class map can contain only a single match statement, and a packet can match only a single class map within the policy map of a particular feature type. For example, if a packet matched a class map for File Transfer Protocol (FTP) inspection and a class map for traffic policing, the ASA would apply both policy map actions to the packet. However, if a packet matched a class map for FTP inspection and a second, different class map that included FTP inspection, the ASA would apply only the actions of the first matching policy map. You can use the match command from class map configuration mode to identify traffic based on specified characteristics. The keywords you can use to identify traffic in a class map are closely tied to their respective characteristics. The match command supports the following keywords: access-list, port, default-inspection-traffic, dscp, precedence, rtp, tunnel-group, and any. For example, you could issue the following commands to create a class map named CLASSMAP that identifies traffic using TCP port 25:

asa(config)#class-map CLASSMAP
asa(config-cmap)#match port tcp eq 25

Once traffic has been identified by a class map, the associated policy map can take action on that traffic. A policy map typically contains references to one or more class maps and defines actions that should be performed on traffic matched by the specified class maps. If traffic matches multiple class maps for different actions within a policy map (for instance, if traffic matches a class map for application inspection as well as a class map for priority queuing), the actions of both class maps will be applied to the traffic. To continue the example from above, you could issue the following commands to configure a policy map named POLICYMAP that matches traffic specified by the class map named CLASSMAP and then processes the traffic with the Hypertext Transfer Protocol (HTTP) inspection engine:

asa(config)#policy-map POLICYMAP
asa(config-pmap)#class CLASSMAP
asa(config-pmap-c)#inspect http

A policy map does not act on traffic until the map has been applied to an interface by a service policy. A service policy can be applied globally to all interfaces, which will apply application inspection to only traffic entering the appliance; alternatively, a service policy can be applied to a single interface, which will apply application inspection to traffic entering and exiting the interface. An interface service policy overrides a global service policy: if traffic matches both an interface policy and a global policy, only the interface policy will be applied to that particular traffic flow. To complete the example, you could issue the following command to apply the POLICYMAP policy map to the inside interface:

asa(config)#service-policy POLICYMAP interface inside

Reference: Cisco: Service Policy Using the Modular Policy Framework: Feature Matching Within a Service Policy

QUESTION 21 Which of the following EAP authentication protocols requires both a client and a server digital certificate? (Select the best answer.)

A. LEAP
B. PEAP
C. EAP-FAST
D. EAP-TLS

Correct Answer: D

Explanation: Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) requires both a client and a server digital certificate. EAP-TLS is an authentication protocol that can be used for point-to-point connections and for both wired and wireless links. EAP-TLS performs mutual authentication to secure the authentication process. When EAP-TLS is used, a digital certificate must be installed on the authentication server and on each client that must authenticate with the server. The digital certificates used on the clients and the server must be obtained from the same certificate authority (CA). Protected EAP (PEAP) does not require that clients be configured with digital certificates. When PEAP is used, only servers are required to be configured with digital certificates. Clients can use alternative authentication methods, such as one-time passwords (OTPs). Lightweight EAP (LEAP) does not require either the server or the client to be configured with a digital certificate. When LEAP is used, the client initiates an authentication attempt with a Remote Authentication Dial-In User Service (RADIUS) server. The RADIUS server responds with a challenge response. If the challenge/response process is successful, the client then validates that the RADIUS server is correct for the network. If the RADIUS server is validated, the client will connect to the network. Similar to LEAP, EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) does not require either the server or the client to be configured with a digital certificate. When EAP-FAST is used, Protected Access Credentials (PACs) are used to authenticate users. The EAP-FAST authentication process consists of three phases. The first phase, which is optional and is considered phase 0, consists of provisioning a client with a PAC, which is a digital credential that is used for authentication. A PAC can be manually configured on a client, in which case phase 0 is not required. The second phase, which is referred to as phase 1, involves creating a secure tunnel between the client and the server. The final phase, which is referred to as phase 2, involves authenticating the client. If the client is authenticated, the client will be able to access the network.

Reference: Cisco: EAP-TLS Deployment Guide for Wireless LAN Networks: 5.2 Certificate Requirements

QUESTION 22 The system software on a Cisco Catalyst 3750 series switch was corrupted during a failed upgrade, and now the switch no longer passes the POST on restart. You want to use the Xmodem Protocol to recover the system software. To which of the following ports on the switch could you connect? (Select the best answer.)

A. an Ethernet port in the management VLAN
B. the auxiliary port
C. the console port
D. the highest numbered Ethernet port on the switch
E. the lowest numbered Ethernet port on the switch

Correct Answer: C

Explanation: You should connect to the console port of a Cisco Catalyst 3750 series switch to use the Xmodem Protocol for system software recovery. Xmodem is a simple, error-correcting transfer protocol that can be used to transfer an IOS software image from a PC to a Cisco switch or router through its console port. When the system software image on a switch or router becomes corrupted, the system will fail the power-on self-test (POST) when it reloads, and it will typically halt in an administrative mode that is commonly called read-only memory (ROM) monitor (ROMmon) mode. You can identify this mode on a switch or router by the command prompt that is displayed at the console: switch: on a switch and rommon 1 > on a router. When in ROMmon mode, a switch or router will no longer forward packets and thus can no longer be reached through traditional in-band management methods, such as through a management virtual LAN (VLAN) or an active network interface. Instead, you must use an out-of-band management method to access a switch or router in ROMmon mode. The only out-of-band access method available on a Cisco 3750 series switch that supports Xmodem for system software recovery is the console port. On a Cisco router, you could use either the console port or the auxiliary (AUX) port for out-of-band access if the router is in ROMmon mode. The AUX port on a Cisco router is typically capable of supporting most of the features available on a console port. Cisco switches either do not have AUX ports or, if they have them, do not support certain features, such as system recovery, on their AUX ports.

Reference: Cisco: Recovering Catalyst Fixed Configuration Switches from a Corrupted or Missing Image

QUESTION 23 Which of the following security functions is associated with the control plane? (Select the best answer.)

A. device configuration protection
B. device resource protection
C. traffic accounting
D. traffic filtering

Correct Answer: B

Explanation: Device resource protection is a security function that is associated with the control plane. Cisco devices are generally divided into three planes: the control plane, the management plane, and the data plane. Each plane is responsible for different operations, and each plane can be secured by implementing various security methods. The control plane is responsible for the creation and maintenance of structures related to routing and forwarding. These functions are heavily dependent on CPU and memory availability. Therefore, control plane security methods protect against unauthorized traffic destined for the router, which can modify route paths and consume excessive resources. Path modification can be caused by manipulating the traffic generated by routing protocols, VLAN Trunking Protocol (VTP), and Spanning Tree Protocol (STP). Path modification attacks can be mitigated by implementing routing protocol authentication and filtering, VTP authentication, and STP protection features. In addition, excessive CPU and memory consumption can be caused by control plane flooding. Resource consumption attacks can be mitigated by implementing control plane filtering and rate limiting with Control Plane Policing (CoPP) and Control Plane Protection (CPPr).

Traffic accounting and traffic filtering are security features that are associated with the data plane. The data plane is responsible for traffic passing through the router, which is referred to as transit traffic. Therefore, data plane security protects against unauthorized packet transmission and interception. Threats such as IP spoofing, Media Access Control (MAC) address spoofing, Address Resolution Protocol (ARP) spoofing, Dynamic Host Configuration Protocol (DHCP) spoofing, unauthorized traffic interception, and unauthorized network access can be mitigated and monitored by implementing features such as the following:
- ARP inspection
- Antispoofing access control lists (ACLs)
- DHCP snooping
- Port ACLs (PACLs)
- Private virtual LANs (VLANs)
- Unicast Reverse Path Forwarding (uRPF)
- VLAN ACLs (VACLs)

Device configuration protection is associated with the management plane. Management plane security protects against unauthorized device access and configuration. Unauthorized access can be mitigated by implementing a strong Authentication, Authorization, and Accounting (AAA) solution and by implementing Management Plane Protection (MPP), which creates protected management channels over which administrators must connect in order to access device administration features. Management traffic can be encrypted by implementing Secure Shell (SSH). You can mitigate unauthorized configuration of a device by implementing Role-Based Access Control (RBAC), whereby administrators are limited to using only the features they need to accomplish their jobs. Detection and logging of management plane access can be performed by implementing Simple Network Management Protocol version 3 (SNMPv3) and Syslog servers.

Reference: Cisco: Cisco Guide to Harden Cisco IOS Devices

QUESTION 24 Which of the following statements are true regarding IDS devices? (Select 2 choices.)

A. They can send alerts.
B. They do not sit inline with the flow of network traffic.
C. They can directly block a virus before it infiltrates the network.
D. They can detect malicious traffic only by signature matching.
E. They function identically to IPS devices.

Correct Answer: AB Section: (none) Explanation

Explanation/Reference: Explanation: Intrusion Detection System (IDS) devices can send alerts and do not sit inline with the flow of network traffic. An IDS is a network monitoring device that passively monitors network traffic and actively sends alerts to a management station when it detects malicious traffic. An IDS typically has one promiscuous network interface attached to each monitored network. Because traffic does not flow through the IDS, the IDS is unable to directly block malicious traffic; however, an IDS can do any of the following:
- Request that another device block a connection
- Request that another device block a particular host
- Reset TCP connections

An IDS can prevent further instances of previously detected malicious traffic from passing onto the network by creating access control lists (ACLs) on routers in the traffic path or by configuring other security devices that reside in the flow of traffic. Although signature-based pattern matching is the primary method used by an IDS to detect malicious traffic, an IDS can also consider policy definitions and historical traffic behavior when analyzing network packets.

By contrast, an Intrusion Prevention System (IPS) typically sits inline with the flow of traffic and can therefore block malicious traffic before it passes onto the network. An inline IPS can perform the following actions:
- Block traffic from a particular host
- Block a particular connection
- Modify traffic
- Reset TCP connections

However, if an IPS sits inline with traffic, a failed IPS device can cause all traffic to be dropped. Analyzing all of the traffic that passes through the IPS can cause latency and jitter. Alternatively, an IPS can be configured to operate in promiscuous mode, which would make it functionally similar to an IDS. Typically, an IPS is configured to use signature-based pattern matching to block traffic that has been definitively marked as malicious. Traffic that is suspect but has not been confirmed as malicious is referred to as gray area traffic and is not discarded by an IPS. If an IDS is used in conjunction with an IPS, the IDS can be configured to monitor the gray area traffic in greater detail without affecting the flow of traffic through the IPS.

Reference: Cisco: Managed Security Services Partnering for Network Security: Managed Intrusion Detection and Prevention Systems

QUESTION 25 Which of the following statements are true regarding TACACS+? (Select 2 choices.)

A. It encrypts the entire body of a packet.
B. It combines authorization and authentication functions.
C. It provides router command authorization capabilities.
D. It uses UDP for packet delivery.
E. It was developed as an IETF standard protocol.

Correct Answer: AC Section: (none) Explanation

Explanation/Reference: Explanation: Terminal Access Controller Access Control System Plus (TACACS+) encrypts the entire body of a packet and provides router command authorization capabilities. TACACS+ is a Cisco-proprietary protocol that uses Transmission Control Protocol (TCP) for transport during Authentication, Authorization, and Accounting (AAA) operations. TACACS+ provides more security and flexibility than other authentication protocols, such as Remote Authentication Dial-In User Service (RADIUS), which is an open standard protocol commonly used as an alternative to TACACS+. Because TACACS+ can be used to encrypt the entire body of a packet, users who intercept the encrypted packet cannot view the user name or contents of the packet. In addition, TACACS+ provides flexibility by separating the authentication, authorization, and accounting functions of AAA. This enables granular control of access to resources. For example, TACACS+ gives administrators control over access to configuration commands; users can be permitted or denied access to specific configuration commands. Because of this flexibility, TACACS+ is used with Cisco Secure Access Control Server (ACS), which is a software tool that is used to manage user authorization for router access.

RADIUS, not TACACS+, was developed as an Internet Engineering Task Force (IETF) standard protocol. Like TACACS+, RADIUS is a protocol used with AAA operations. However, RADIUS uses User Datagram Protocol (UDP) for packet delivery and is less secure and less flexible than TACACS+. RADIUS encrypts only the password of a packet; the rest of the packet would be viewable if the packet were intercepted by a malicious user. With RADIUS, the authentication and authorization functions of AAA are combined into a single function, which limits the flexibility that administrators have when configuring these functions. Furthermore, RADIUS does not provide router command authorization capabilities.
Reference: Cisco: TACACS+ and RADIUS Comparison: Compare TACACS+ and RADIUS

QUESTION 26 Which of the following protocols can IPSec use to provide the integrity component of the CIA triad? (Select 2 choices.)

A. GRE
B. AH
C. AES
D. ESP
E. DES

Correct Answer: BD Section: (none) Explanation

Explanation/Reference: Explanation: IP Security (IPSec) can use either Authentication Header (AH) or Encapsulating Security Payload (ESP) to provide the integrity component of the confidentiality, integrity, and availability (CIA) triad. The integrity component of the CIA triad ensures that data is not modified in transit by unauthorized parties. AH and ESP are integral parts of the IPSec protocol suite and can be used to ensure the integrity of a packet. Data integrity is provided by using checksums on each end of the connection. If the data generates the same checksum value on each end of the connection, the data was not modified in transit. In addition, AH and ESP can authenticate the origin of transmitted data. Data authentication is provided through various methods, including user name/password combinations, pre-shared keys (PSKs), digital certificates, and one-time passwords (OTPs). Although AH and ESP perform similar functions, ESP provides additional security by encrypting the contents of the packet. AH does not encrypt the contents of the packet.

In addition to data authentication and data integrity, IPSec can provide confidentiality, which is another component of the CIA triad. IPSec uses encryption protocols, such as Advanced Encryption Standard (AES) or Data Encryption Standard (DES), to provide data confidentiality. Because the data is encrypted, an attacker cannot read the data if he or she intercepts the data before it reaches the destination. IPSec does not use either AES or DES for data authentication or data integrity.

Generic Routing Encapsulation (GRE) is a protocol designed to tunnel any Layer 3 protocol through an IP transport network. Because the focus of GRE is to transport many different protocols, it has very limited security features. By contrast, IPSec has strong data confidentiality and data integrity features, but it can transport only IP traffic. GRE over IPSec combines the best features of both protocols to securely transport any protocol over an IP network. However, GRE itself does not provide data integrity or data authentication.

Reference: CCNA Security 210-260 Official Cert Guide, Chapter 1, Confidentiality, Integrity, and Availability, pp. 14-15
IETF: RFC 4301: Security Architecture for the Internet Protocol: 3.2. How IPsec Works

QUESTION 27 RouterA is configured to establish an IKE tunnel with RouterB. You issue the show crypto isakmp sa command on RouterA and receive the following output:

dst             src             state           conn-id  slot
10.1.2.3        10.1.2.4        MM_SA_SETUP     1        0

Which of the following statements is true? (Select the best answer.)

A. RouterA has negotiated ISAKMP SA parameters with RouterB.
B. RouterA has exchanged keys with RouterB.
C. RouterA has generated a shared secret.
D. RouterA uses three transactions to negotiate an ISAKMP SA.
E. RouterA has established an active IKE SA.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: RouterA has negotiated Internet Security Association and Key Management Protocol (ISAKMP) security association (SA) parameters with RouterB. The show crypto isakmp sa command displays the status of current Internet Key Exchange (IKE) SAs on the router. The MM_SA_SETUP state indicates that the IKE peers are using main mode for phase 1 negotiations and that they have successfully negotiated security parameters. IKE has two modes for phase 1 security negotiation: main mode and aggressive mode. The following states are used during main mode:
- MM_NO_STATE - The peers have created the SA.
- MM_SA_SETUP - The peers have negotiated SA parameters.
- MM_KEY_EXCH - The peers have exchanged Diffie-Hellman (DH) keys and have generated a shared secret.
- MM_KEY_AUTH - The peers have authenticated the SA.

The following states are used during aggressive mode:
- AG_NO_STATE - The peers have created the SA.
- AG_INIT_EXCH - The peers have negotiated SA parameters and exchanged keys.
- AG_AUTH - The peers have authenticated the SA.

Quick mode is used during IKE phase 2. The only state in quick mode is QM_IDLE, which indicates that IKE phase 1 has completed successfully and that there is an active IKE SA between peers. Because RouterA is using main mode, RouterA requires six transactions, not three, to negotiate an ISAKMP SA. Main mode requires six transactions for IKE peers to negotiate security parameters, generate a shared secret, and mutually authenticate. Aggressive mode requires only three transactions to negotiate security parameters, establish a key management tunnel, and mutually authenticate. RouterA has not yet exchanged keys with RouterB or generated a shared secret. Key exchange and shared secret generation occur during the MM_KEY_EXCH state.

Reference: Cisco: Cisco IOS Security Command Reference: show crypto isakmp sa

QUESTION 28 Which of the following worms was used in an act of cyber warfare against Iranian ICSs? (Select the best answer.)

A.
B. Nachi
C. Stuxnet
D.

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: The Stuxnet worm was used in an act of cyber warfare against Iranian industrial control systems (ICSs). Stuxnet is a Microsoft Windows worm that was discovered in the wild as early as 2008. It was written to target specific ICSs by modifying code on programmable logic controllers (PLCs). Stuxnet initially exploited vulnerabilities in the printer spooler service; however, later variants exploited a vulnerability in the way that Windows processes shortcuts. Research from Symantec published in 2011 indicated that at the time, more than 60 percent of the Stuxnet-affected hosts had been in Iran. Symantec analyzed Stuxnet and its variants and discovered that five organizations were the primary targets of infection and that further infections were likely collateral damage from the aggressive manner in which the worm spreads throughout the network. Given the considerable cost in resources and man-hours that would have been required to craft the Stuxnet worm, it was theorized that it was likely intended to sabotage high-value targets such as nuclear materials refinement facilities.

Blaster is a worm that targeted a vulnerability in the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) service on Microsoft Windows hosts. The worm carried a destructive payload that configured the target host to engage in Denial of Service (DoS) attacks on Microsoft update servers.

Like Blaster, Welchia is a worm that targeted a vulnerability in the DCOM RPC service. In fact, Welchia exploited the exact same vulnerability as the Blaster worm. Welchia was developed to scan the network for vulnerable machines, infect them, and then remove the Blaster worm if present. It was even designed to download and install the appropriate patch from Microsoft to fix the vulnerability that it and Blaster initially exploited to infect the target machine. However, despite the good-natured design intentions of the Welchia worm, its network-scanning component inadvertently caused DoS attacks on several large networks, including those of the armed forces. Welchia was also referred to by the name Nachi.

Reference: Cisco: Protecting Industrial Control Systems with Cisco IPS Industrial Signatures
Symantec: Security Response: W32.Stuxnet Dossier (PDF)

QUESTION 29 Which of the following statements is true regarding the Cisco IOS Resilient Configuration feature? (Select the best answer.)

A. Extra space is not required to secure the primary IOS image file.
B. Image or configuration mismatches are not automatically detected.
C. Only remote storage can be used for securing configuration files.
D. The feature can be disabled remotely.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: Extra space is not required to secure the primary IOS image file with the Cisco IOS Resilient Configuration feature. The Resilient Configuration feature is designed to protect system and configuration files from tampering and accidental deletion. You can issue the following block of commands to enable the Resilient Configuration feature:

Router#configure terminal
Router(config)#secure boot-image
Router(config)#secure boot-config

When the feature is enabled, the primary system image file and associated running configuration are securely archived in local persistent storage; you cannot select a remote storage location. The secure boot-image command enables the image resilience component of the Resilient Configuration feature and effectively hides the system image from the directory structure. This means that the system image will no longer be displayed when the dir command is issued from the command prompt of an EXEC shell; you can issue the show secure bootset command to verify that the system image has been archived. In addition, because the system image file is not copied to a secure location, extra storage is not required to secure it. By contrast, the secure boot-config command creates a hidden copy of the running configuration file.

The secured versions of the system image and running configuration are referred to as the primary bootset. You can restore either or both components of the primary bootset at any time. The system image can be restored from read-only memory (ROM) monitor (ROMmon) mode, and the running configuration can be restored from global configuration mode by using the restore parameter of the secure boot-config command. Once the system image and running configuration have been secured, the router will track version mismatches and produce a console message if the system image or running configuration has a mismatched version. Once the Resilient Configuration feature is enabled, it can only be disabled from the console.

Reference: Cisco: Cisco IOS Resilient Configuration: Feature Design of Cisco IOS Resilient Configuration

QUESTION 30 Which of the following can be installed on a host to analyze and prevent malicious traffic on that host? (Select the best answer.)

A. antivirus software
B. a HIPS
C. a personal firewall
D. a proxy server

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: A Host-based Intrusion Prevention System (HIPS) can be installed on a host to analyze and prevent malicious traffic on that host. An Intrusion Prevention System (IPS) can be used to actively monitor, analyze, and block malicious traffic before it infects devices. HIPS software can be installed on a host computer to protect that computer against malicious traffic. By contrast, a Network-based IPS (NIPS) is an independent operating platform, often a standalone appliance or a hardware module installed in a chassis. A NIPS device can be installed inline on a network to monitor and prevent malicious traffic from being sent to other devices on the network. One advantage of using a NIPS over a HIPS is that a NIPS can detect low-level network events, such as the scanning of random hosts on the network; a HIPS can only detect scans for which it is the target. A HIPS and a NIPS can be used together to provide an additional layer of protection.

Although you could install a personal firewall to protect a host from malicious traffic, a personal firewall does not perform traffic analysis. However, a personal firewall can work in conjunction with other software, such as a HIPS or a NIPS, to protect a host from a wider array of malicious activities. For example, Cisco Advanced Malware Protection (AMP) for Endpoints can work in conjunction with a personal firewall to provide threat protection and advanced analytics.

You could not install antivirus software to analyze and prevent malicious traffic on that host. Antivirus software monitors the file system and memory space on a host for malicious code. Although the antivirus software might protect the host from malicious file execution, it would be unable to protect the host from malicious traffic. Some antivirus vendors offer integrated security suites, which feature personal firewall, HIPS, antivirus, and antimalware components.

You could not install a proxy server on a host to analyze and prevent malicious traffic on that host. A proxy server is typically an application layer gateway that provides resource caching and traffic filtering for a particular class of traffic, such as web content. Although you could install a proxy server locally on a host, it would not have a significant effect on malicious traffic directed at the host, nor would it be able to analyze its content.

Reference: CCNA Security 210-260 Official Cert Guide, Chapter 19, Mitigation Technologies for Endpoint Threats, pp. 498-499

QUESTION 31 Which of the following traffic types can be detected by the FirePOWER rate-based prevention preprocessor engine? (Select the best answer.)

A. Back Orifice traffic
B. distributed port scan traffic
C. port sweep traffic
D. SYN flood traffic

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: The FirePOWER rate-based prevention preprocessor engine can detect SYN flood traffic. A FirePOWER Intrusion Prevention System (IPS) has several predefined preprocessor engines that can be used in network policies to detect specific threats; the preprocessors focus on detecting Back Orifice attacks, detecting port scan attacks, preventing rate-based attacks, and detecting sensitive data. The rate-based prevention preprocessor detects traffic abnormalities based on the frequency of certain types of traffic. The following traffic patterns can trigger rate-based attack prevention:
- Traffic containing excessive incomplete Transmission Control Protocol (TCP) connections
- Traffic containing excessive complete TCP connections
- Excessive rule matches for a particular IP address or range of IP addresses
- Excessive rule matches for one particular rule regardless of IP address

Distributed port scan traffic and port sweep traffic can be detected by the portscan detection preprocessor. Port scanning traffic can be an indicator that an attacker is conducting network reconnaissance prior to an attack. Although legitimate port scanning traffic can periodically exist on a network, the portscan detection preprocessor can distinguish between legitimate scanning and potentially malicious traffic based on the activity patterns found in the analysis of port scanning traffic.

The FirePOWER IPS has a preprocessor dedicated to Back Orifice traffic. Back Orifice and its variants exploit a vulnerability in Microsoft Windows hosts to gain complete administrative control of the host. Back Orifice traffic can be identified by the presence of a specific token, known as a magic cookie, in the first eight bytes of a User Datagram Protocol (UDP) packet.

Reference: Cisco: Detecting Specific Threats: Understanding Rate-Based Attack Prevention

QUESTION 32 Which of the following commands should you issue to allow a packet to exit an ASA through the same interface through which it entered the ASA? (Select the best answer.)

A. same-security-traffic permit inter-interface
B. same-security-traffic permit intra-interface
C. security-level 0
D. security-level 100
E. established

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: To allow a packet to exit a Cisco Adaptive Security Appliance (ASA) through the same interface through which it entered, which is also known as hairpinning, you should issue the same-security-traffic permit intra-interface command. By default, an ASA does not allow packets to enter and exit through the same physical interface. However, because multiple logical virtual LANs (VLANs) can be assigned to the same physical interface, it is sometimes necessary to allow a packet to enter and exit through the same interface. The same-security-traffic permit intra-interface command allows packets to be sent and received from the same interface even if the traffic is protected by IP Security (IPSec) security policies. Another scenario for which you would need to use the same-security-traffic permit intra-interface command is if multiple users need to connect via virtual private network (VPN) through the same physical interface. These users will not be able to communicate with one another unless the same-security-traffic permit intra-interface command has been issued from global configuration mode.

You should not issue the same-security-traffic permit inter-interface command to allow a packet to exit through the same interface through which it entered. The same-security-traffic permit inter-interface command is used to allow communication between different interfaces that share the same security level. Typically, interfaces with the same security level are not allowed to communicate with each other.

You should not issue either the security-level 0 command or the security-level 100 command to allow a packet to exit through the same interface through which it entered. The security-level command is used to set the security level on a physical interface. Security level 0 should be used to achieve the lowest security level possible, whereas security level 100 should be used to achieve the highest security level available.

You should not issue the established command to allow a packet to exit through the same interface through which it entered. The established command is used to allow inbound traffic on any interface that has already established an outbound connection with the ASA. For example, you could issue the established tcp 4567 0 command to configure the ASA to allow an external host to initiate a connection through the ASA to an internal host after the internal host has first established a Transmission Control Protocol (TCP) connection to port 4567 on the external host. The established command is often used to support protocols such as streaming media protocols that negotiate the ports for return traffic.

Reference: Cisco: Configuring Interfaces: Allowing Same Security Level Communication

QUESTION 33 Which of the following devices requires that a physical interface be in promiscuous mode in order to monitor network traffic? (Select the best answer.)

A. an IPS
B. a firewall
C. a router
D. an IDS
E. an ASA

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: An Intrusion Detection System (IDS) requires that a physical interface be in promiscuous mode in order to monitor network traffic. An IDS is a network monitoring device that does not sit inline with the flow of network traffic; an IDS passively monitors a copy of network traffic, not the actual packet. Typically, an IDS has one promiscuous network interface attached to each monitored network. A promiscuous device listens to all data flowing past it regardless of the destination. Because traffic does not flow through the IDS, the IDS cannot mitigate single-packet attacks and is unable to directly block malicious traffic, like a virus, before it passes onto the network. However, an IDS can actively send alerts to a management station when it detects malicious traffic.

An Intrusion Prevention System (IPS) sits inline with the flow of traffic, thus actively monitoring network traffic and blocking malicious traffic, such as an atomic or single-packet attack, before it passes onto the network. Blocking an attack inline can prevent the attack from spreading further into the network. An IPS requires at least two interfaces for each monitored network: one interface listens to traffic entering the IPS, and the other listens to traffic leaving the IPS. In addition, an IPS acts similarly to a Layer 2 bridge in that it passes traffic through to destinations on the same subnet; an IPS cannot route to destinations on a different subnet. An interface of an IPS can be put in promiscuous mode; when this happens, the device operates as an IDS on that interface. However, an IPS does not require that a physical interface be in promiscuous mode in order to monitor network traffic.

A firewall is a network security device that protects a trusted network from an untrusted network, such as the Internet. Firewalls can operate in either routed mode or transparent mode. In routed mode, the firewall acts as a Layer 3 device that can perform Network Address Translation (NAT) and route traffic between virtual LANs (VLANs) on different subnets. In transparent mode, the firewall acts as a Layer 2 bridge in that it can pass traffic through to destinations on the same subnet but cannot route to destinations on a different subnet. Although a firewall is a security appliance that permits or denies traffic on a network, a firewall does not require that a physical interface be in promiscuous mode in order to monitor network traffic.

A router is a device that connects multiple subnets of the same or different networks and passes information between them. The functionality of a router can vary depending on the size of the network on which it is deployed. For example, a Cisco IPS Advanced Integration Module (AIM) can be installed in a router to integrate IPS functionality at the hardware level. Alternatively, an IOS feature set with IPS capabilities can be installed to provide IPS functionality at the software level. A router operating as an IPS or IDS can serve as a part of the network security structure as well as a bridge between two segments of the network. Although a router can function as an IPS or IDS, a router does not require that a physical interface be in promiscuous mode in order to monitor network traffic.

The Cisco Adaptive Security Appliance (ASA) is a multifunction appliance that can provide firewall, virtual private network (VPN), intrusion prevention, and content security services. The Cisco ASA is based on the framework of the Private Internet Exchange (PIX) firewall appliance. If used as an IPS device in IDS mode, or promiscuous mode, the Cisco ASA can have a physical interface in promiscuous mode; however, the Cisco ASA does not require that a physical interface be in promiscuous mode in order to monitor network traffic.

Reference: CCNA Security 210-260 Official Cert Guide, Chapter 17, Difference Between IPS and IDS, pp. 460-462
Cisco: Cisco IPS Mitigation Capabilities

QUESTION 34 Which of the following is typically implemented in a cluster configuration? (Select the best answer.)

A. ACS
B. CSA
C. CTA
D. SSC

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: Cisco Secure Access Control System (ACS) is typically implemented in a cluster configuration. ACS is an Authentication, Authorization, and Accounting (AAA) server that uses Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) to provide AAA services for users, hosts, and network infrastructure devices such as switches and routers. An ACS deployment typically consists of a primary server responsible for configuration, authentication, and policy enforcement and one or more secondary servers serving as a backup in case the primary server fails. In large-scale deployments, the primary server's function is typically relegated to configuration and synchronization services, whereas the secondary servers provide AAA services to the network clients.

Cisco Trust Agent (CTA) is responsible for ascertaining the status of security applications and management tools that are installed on a client. As client software, CTA communicates host posture information back to a network access device on a Cisco Network Admission Control (NAC) framework. NAC is a Cisco feature that prevents hosts from accessing the network if they do not comply with organizational requirements, such as containing an updated antivirus definition file. When NAC is configured on an access device, such as a router or switch, the NAC device intercepts connections from hosts that are not yet registered on the network. When a host attempts to connect to the network, the access device queries the CTA running on the host for the host's security status. The access device then sends this information to the ACS, which determines whether the host is in compliance with organizational security policies. If the host is in compliance, it is allowed to access the network; if the host is not in compliance, it can be denied access, quarantined, or allowed limited network access.

Cisco Secure Services Client (SSC) is client security software that facilitates the use of one authentication framework for connecting to both wired and wireless devices on a Cisco Unified Wireless Network. SSC makes use of the Extensible Authentication Protocol (EAP), Wi-Fi Protected Access (WPA), and WPA2 standards to control network access and enforce security policies for clients using Microsoft Windows platforms. Cisco SSC is not typically implemented in a cluster configuration.

Cisco Security Agent (CSA) is a Host-based Intrusion Prevention System (HIPS) that can be installed on host computers, servers, and point-of-sale (POS) computers. CSA can help protect these devices from malicious network traffic, such as zero-day attacks. In addition, CSA can provide local firewall services, antivirus services, and security policy enforcement. CSA is not typically implemented in a cluster configuration.

Reference: Cisco: Understanding the ACS Server Deployment (PDF)

QUESTION 35 Which of the following traffic types are blocked by default in a zone-based policy firewall configuration? (Select 2 choices.)

A. traffic to or from the self zone
B. traffic between interfaces in the same zone
C. traffic between interfaces in a zone and interfaces not assigned to any zone
D. traffic between interfaces in different zones
E. traffic directly to or received from the router

Correct Answer: CD Section: (none) Explanation

Explanation/Reference: Explanation: In a zone-based policy firewall (ZFW) configuration, all traffic between interfaces in different zones is blocked by default. In addition, all traffic between interfaces that have been assigned to a zone and interfaces that are not assigned to any zone is blocked by default. ZFW is the latest iteration of Cisco's stateful firewall implementation, which was formerly called Context-Based Access Control (CBAC). With ZFW, virtual security zones are specified and then interfaces are assigned to the appropriate zone. By default, all traffic is implicitly permitted to flow between interfaces that have been assigned to the same zone; however, all traffic between zones is blocked. In addition, all traffic to and from an interface is implicitly blocked by default when the interface is assigned to a zone, but there are a few exceptions. Traffic to or from other interfaces in the same zone is permitted, as is traffic to or from the router itself. When ZFW is configured, a special zone called the self zone is automatically created and contains the IP addresses of all the router interfaces. By default, all traffic to or from the self zone is implicitly permitted; this implicit permission ensures that management access to the router is not lost when ZFW is configured.

In order for traffic to flow between user-configured zones, stateful packet inspection policies must be configured to explicitly permit traffic between the zones. The basic process is as follows:
1. Define the required zones.
2. Create zone-pairs for zones that will pass traffic between themselves.
3. Define class maps to match the appropriate traffic for each zone-pair.
4. Define policy maps to specify the actions that should be performed on matching traffic.
5. Apply the policy maps to the zone-pairs.
6. Assign interfaces to their appropriate zones.

Although inspection rules can be created for a large number of traffic types, stateful inspection of multicast traffic is not supported by ZFW and must be handled by other security features, such as Control Plane Policing (CoPP).

Reference: Cisco: Zone-Based Policy Firewall Design and Application Guide: Rules For Applying Zone-Based Policy Firewall
Category: Cisco Firewall Technologies

QUESTION 36 An inside host has initiated a TCP connection through a Cisco ASA to an outside server. The outside server has responded with a SYN/ACK segment; however, the inside host has not yet responded with an ACK segment. Which of the following lines of output from the show conn command best represents the state of the connection in this scenario? (Select the best answer.)

A. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB B. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA C. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB D. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A E. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U F. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: The following line of output from the show conn command on a Cisco Adaptive Security Appliance (ASA) best represents the state of a connection that is waiting on only the ACK segment from an inside host: TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A

The output of the show conn command uses connection flags to indicate the status of each entry in the ASA connection database. The connection database is used by the stateful firewall feature of the ASA to track the state of each network connection that passes through it. The flags that an ASA uses to track a connection entry are dependent on the interface that initiated the connection. Typically, each connection entry has corresponding inside and outside interfaces. In terms of the connection database, the inside interface for the entry is the interface with the higher security level, whereas the outside interface for the entry is the interface with the lower security level. In addition, a data flow from the inside interface to the outside interface is considered to be moving in the outbound direction and a data flow from the outside interface to the inside interface is considered to be moving in the inbound direction. When an ASA receives the first packet from a Transmission Control Protocol (TCP) connection, it creates an entry in the connection database. The ASA immediately adds the B flag to the entry if the connection was initiated from the outside. The ASA then uses various flags to indicate the progress of the TCP three-way handshake. For example, if a connection is initiated from the inside, the ASA will add the saA flags to the entry, as shown in the following command output: TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA The s flag indicates that the ASA is awaiting a SYN segment from the outside host, and the a flag indicates that the ASA is waiting for an ACK response segment to the SYN that was initiated from the inside host. When the corresponding SYN/ACK segment is received from the outside host, it will satisfy both of these flags and the ASA will clear the flags from the entry, as shown in the following command output: TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A

The remaining A flag indicates that the ASA is awaiting an ACK segment from the inside host. When the host on the inside responds to the SYN/ACK segment with the corresponding ACK segment, the ASA will clear the A flag and will mark the connection with the U flag, as shown in the following command output: TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U

The U flag indicates that the three-way handshake is complete and that the TCP session is established. Once the TCP session is established, the host can begin to exchange data. In this example, the inside host has established a Secure Shell (SSH) session to an outside server. When the outside server sends data to the inside host, the ASA will add the I flag to the entry to indicate that data has passed through the session in the inbound direction. Likewise, the ASA will add the O flag to the entry to indicate that data has passed through the session in the outbound direction. Thus a normal TCP session should have flags similar to those shown in the following command output: TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO

By contrast, if the connection were initiated from the outside, the ASA would have added the SaAB flags to the entry, as shown in the following command output: TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB

The S flag indicates that the ASA is awaiting a SYN segment from the inside host, and the A flag indicates that the ASA is waiting for an ACK response segment to the SYN that was initiated from the outside host. When the corresponding SYN/ACK segment is received from the inside host, it will satisfy both of these flags and the ASA will clear the flags from the entry, as shown in the following command output: TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB

The remaining a flag indicates that the ASA is awaiting an ACK segment from the outside host. When the host on the outside responds to the SYN/ACK segment with the
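To make the flag semantics above concrete, here is an added example (not part of the original explanation, and not Cisco code) in Python that parses show conn lines and classifies each connection's handshake progress from its flags. The sample lines are constructed from the six answer options; a real ASA prints a comma after the inside address, which the parser accepts either way. The find_embryonic helper is the check a practitioner actually runs on this output: listing half-open connections that never reached the U state is how a SYN flood or a scan shows up in the connection table.

```python
import re
from dataclasses import dataclass

# Subset of "show conn" TCP flags discussed above (the ASA prints more than these).
FLAG_MEANINGS = {
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside",
    "U": "up (three-way handshake complete)",
    "I": "inbound data",
    "O": "outbound data",
}

# Real output reads "... inside 10.1.1.18:12113, idle 0:00:00, ..."; the comma is
# optional here so the lines exactly as printed on this page also parse.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+),?\s+"
    r"idle\s+(?P<idle>[\d:]+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)\s*$"
)


@dataclass
class Conn:
    proto: str
    out_if: str
    out_ip: str
    out_port: int
    in_if: str
    in_ip: str
    in_port: int
    idle: str
    bytes: int
    flags: str


def parse_conn(line):
    """Parse one show conn line into a Conn; raises ValueError on an unknown layout."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised show conn line: {line!r}")
    d = m.groupdict()
    return Conn(d["proto"], d["out_if"], d["out_ip"], int(d["out_port"]),
                d["in_if"], d["in_ip"], int(d["in_port"]),
                d["idle"], int(d["bytes"]), d["flags"])


def handshake_state(flags):
    """Return (initiator, description) derived from the TCP state flags."""
    initiator = "outside" if "B" in flags else "inside"
    if "U" in flags:
        return initiator, "established"
    if initiator == "inside":
        if {"s", "a", "A"} <= set(flags):
            return initiator, "SYN sent, awaiting SYN/ACK from outside"
        if "A" in flags:
            return initiator, "SYN/ACK received, awaiting ACK from inside"
    else:
        if {"S", "a", "A"} <= set(flags):
            return initiator, "SYN received, awaiting SYN/ACK from inside"
        if "a" in flags:
            return initiator, "SYN/ACK sent, awaiting ACK from outside"
    return initiator, "partial handshake, flags " + flags


def describe_flags(flags):
    """Expand a flag string into the meaning of each flag."""
    return [FLAG_MEANINGS.get(f, f"unknown flag {f}") for f in flags]


def find_embryonic(lines):
    """Half-open TCP connections (no U flag): what piles up during a SYN flood or a scan."""
    result = []
    for line in lines:
        conn = parse_conn(line)
        if conn.proto == "TCP" and "U" not in conn.flags:
            result.append((conn, handshake_state(conn.flags)[1]))
    return result


# Constructed sample lines (the six answer options of this question).
SAMPLE_LINES = [
    "TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB",
    "TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA",
    "TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB",
    "TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A",
    "TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U",
    "TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        c = parse_conn(line)
        print(f"{c.flags:5} {handshake_state(c.flags)}")
```

Run against the sample lines, the state A line is the only inside-initiated entry that has received its SYN/ACK but not the inside host's ACK, which is the scenario the question describes; four of the six lines are embryonic.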

QUESTION 37 Which of the following is an IOS privilege level that provides the highest level of access on a Cisco router? (Select the best answer.)


A. 0 B. 1 C. 15 D. 16

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: The highest level of access on a Cisco router is provided by IOS privilege level 15. Privilege levels can be used to limit the IOS commands that a user can access. However, you are limited to 16 privilege levels, some of which are used by default by the IOS. For example, privilege levels 1 and 15 are default IOS privilege levels. Privilege level 1 allows a user to issue any command that is available at the user EXEC > prompt. Privilege level 15 allows a user to issue any command that is available at the privileged EXEC # prompt. Each privilege level is associated with a list of commands that are available at that level. Users assigned to a privilege level have access to all of the commands at that privilege level and all lower privilege levels. Changing the commands that are available to a privilege level might provide access to a user who should not be allowed access to the command, or it might restrict access to another user who should be allowed access to the command. Because the default privilege level for a newly created local user account is 1, a newly created user will always have access to the disable, enable, exit, help, and logout commands; these commands are associated with privilege level 0. However, per-user privilege levels can sometimes conflict with the privilege levels set for virtual terminal (VTY) lines. In the event of a conflict, the per-user privilege level overrides the privilege level configured on the VTY line. Although there are 16 distinct privilege levels that can be assigned on a Cisco router, 16 is not a valid value for a privilege level. Valid values for privilege levels are whole numbers ranging from 0 through 15. Reference: CCNA Security 210-260 Official Cert Guide, Chapter 11, Custom Privilege Levels, p. 287 Cisco: IOS Privilege Levels Cannot See Complete Running Configuration: Privilege Levels

QUESTION 38 Which of the following statements is true regarding LDAP attribute maps on an ASA? (Select the best answer.)

A. There is a defined limit on the number of LDAP attribute maps you can configure. B. There is a defined limit on the number of attributes that can be mapped in each LDAP attribute map. C. There is a defined limit on the number of LDAP servers to which an LDAP attribute map can be applied. D. There is a defined limit on the number of AD multivalued attributes matched by an LDAP attribute map.

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: When using Lightweight Directory Access Protocol (LDAP) attribute maps on a Cisco Adaptive Security Appliance (ASA), there is a limit on the number of Active Directory (AD) multivalued attributes matched by an LDAP attribute map. LDAP attribute maps are used to authorize virtual private network (VPN) users based on specified AD attributes, such as group membership or department name. If an LDAP query returns a multivalued attribute, such as the list of groups of which a user is a member, the ASA will match only one of the returned values to the appropriate group policy. The ASA will select the matching group policy with the least number of characters in the name and that starts with the lowest alphanumeric character. There is no defined limit on the number of LDAP attribute maps you can configure on an ASA. Because LDAP attribute maps are dynamically allocated as they are needed, configuring a large number of attribute maps does not unnecessarily burden the ASA during normal operations. Likewise, there is no defined limit on the number of attributes that can be mapped in each LDAP attribute map. There is no defined limit on the number of LDAP servers to which an LDAP attribute map can be applied. When an LDAP attribute map is applied to a server, the ASA only verifies that the specified attribute map exists. The same LDAP attribute map can be applied to multiple, different servers. Reference: Cisco: ASA Use of LDAP Attribute Maps Configuration Example: FAQ

QUESTION 39 Which of the following can be determined from the Route Details tab of the VPN Client Statistics dialog box shown above? (Select the best answer.)

A. The VPN client cannot access devices on the local LAN. B. The VPN client is configured to use split tunneling. C. The VPN client is configured to use transparent tunneling. D. The VPN client cannot access devices on the 172.16.20.0/24 network.

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: The Route Details tab of the VPN Client Statistics dialog box displayed below indicates that the virtual private network (VPN) client is configured to use split tunneling:

By default, all traffic from a VPN client is passed through an encrypted tunnel to the VPN server. However, with split tunneling, only traffic destined for a protected subnet is passed through the encrypted tunnel; all other traffic is processed normally. You can define protected subnets on the VPN server by entering the network address of each protected subnet on the Split Tunneling tab of the Group Policy window or by specifying an access control list (ACL) that includes each protected subnet. When a client establishes a VPN session, the list of protected subnets is passed from the VPN server to the VPN client as part of the session configuration parameters. Alternatively, the VPN client can be configured to pass all non-local traffic through an encrypted tunnel to the VPN server. If the group policy on the VPN server permits local LAN access and the VPN client is configured to allow local LAN access, all traffic that is not destined to the local LAN is sent through the encrypted tunnel. For example, if the VPN client had a locally configured route to the 192.168.13.0/24 network, packets destined for that network would be processed normally. However, any packets destined for a network not in the VPN client's routing table, such as the Internet, would pass through the encrypted tunnel to the VPN server. This configuration is represented on the Route Details tab of the VPN Client Statistics dialog box shown below:

The VPN Client Statistics dialog box does not indicate that the client cannot access devices on the 172.16.20.0/24 network. Because the 172.16.20.0/24 network is listed in the Secured Routes pane, traffic destined for the 172.16.20.0/24 network will pass through the encrypted tunnel to the VPN server. However, traffic destined for a network not in the Secured Routes pane, such as the Internet or the local LAN, will not pass through the tunnel and will be processed normally. Likewise, the VPN Client Statistics dialog box does not indicate that the client cannot access devices on the local LAN. Because split tunneling is in effect, only traffic destined for a network in the Secured Routes pane is passed through an encrypted tunnel to the VPN server. All other traffic, including local LAN traffic, is processed normally. You cannot determine from the Route Details tab of the VPN Client Statistics dialog box whether the client is configured to use transparent tunneling. The Tunnel Details tab of the VPN Client Statistics dialog box indicates whether the client is configured to use transparent tunneling. Transparent tunneling facilitates the creation of IP Security (IPsec) tunnels through a firewall or Network Address Translation (NAT) device. When transparent tunneling is enabled on the client, encrypted packets are encapsulated in Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets prior to transmission through the firewall or NAT device. Reference: Cisco: ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example: Connect with the VPN Client CCNA Security 210-260 Official Cert Guide, Chapter 8, Split Tunneling, pp. 227-228

QUESTION 40 Which of the following IPS detection methods is a string pattern-based detection method? (Select the best answer.)

A. anomaly-based detection B. profile-based detection C. signature-based detection D. policy-based detection

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: Signature-based detection is a string pattern-based detection method. Pattern-based detection methods use specific strings of text to detect malicious traffic. Many signature-based detection methods can also use protocols and port numbers to further specify malicious traffic patterns. The benefit of signature-based detection methods is that the number of false positives generated is typically low. However, the drawback is that a modified attack cannot be detected by an old signature; the modified attack will not be detected until a new signature is added for the modified attack. Therefore, Cisco recommends updating signature files, including antivirus signatures, every time a new update is available. Anomaly-based detection methods and profile-based detection methods detect abnormal behavior on a network. Traffic is classified as normal or abnormal based on information that is dynamically learned or manually programmed. The benefit of anomaly-based detection is that anything that is not specified as normal is classified as abnormal; therefore, anomaly-based detection can typically detect a wide range of threats. One drawback of anomaly-based detection is that the profile of normal traffic must be re-learned regularly on all but the smallest of networks, because a stale profile leads to a lot of false positives. Another drawback is the memory and processing power required to handle profiles for each user. Policy-based detection methods use algorithms to detect patterns in network traffic. The benefit of policy-based detection methods is that they can often detect when a coordinated attack, such as a Distributed Denial of Service (DDoS) attack, is happening, whereas a signature-based detection method might detect only a collection of individual Denial of Service (DoS) attacks. Reference: CCNA Security 210-260 Official Cert Guide, Chapter 17, Signature-Based IPS/IDS, p. 464 Symantec: Network Intrusion Detection Signatures, Part One
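The trade-off described above, as an added Python example that is not part of the original explanation or of any Cisco product: a signature detector matches fixed string patterns over a constructed batch of web-request records, and an anomaly detector compares each source's request count with a baseline. The signatures, the baseline figure and the request records are all assumptions made up for the example. The signature catches the known probe and produces no false positives, but misses the same probe once it is trivially modified; the anomaly detector knows nothing about the probe yet flags the one source whose volume departs from the baseline.

```python
import re
from collections import Counter

# Constructed web-request records (source IP, request line); not from the page.
SAMPLE_REQUESTS = (
    [("10.0.0.5", "GET /index.html"),
     ("10.0.0.5", "GET /login?user=admin'--"),        # probe matched by a signature
     ("10.0.0.7", "GET /login?user=admin'/**/--"),    # same probe, trivially modified
     ("10.0.0.9", "GET /images/logo.png"),
     ("10.0.0.9", "GET /../../etc/passwd")]
    + [("203.0.113.9", f"GET /search?q={i}") for i in range(40)]  # one source flooding
)

# Signature-based: fixed string patterns (assumed signatures for the example).
# Low false-positive rate, but a variant that breaks the pattern is invisible
# until somebody writes a new signature.
SIGNATURES = {
    "sqli-comment-terminator": re.compile(r"'\s*--"),
    "directory-traversal": re.compile(r"\.\./"),
}


def signature_detect(requests):
    """Return (source, signature name, request) for every record a signature matches."""
    hits = []
    for src, req in requests:
        for name, pattern in SIGNATURES.items():
            if pattern.search(req):
                hits.append((src, name, req))
    return hits


# Anomaly-based: compare each source with a learned or configured baseline.
# Flags anything "not normal" without knowing what the attack looks like, but a
# baseline that is not re-learned turns legitimately busy clients into false positives.
def anomaly_detect(requests, baseline_per_source, factor):
    """Return the sources whose request count exceeds baseline * factor."""
    counts = Counter(src for src, _ in requests)
    threshold = baseline_per_source * factor
    return sorted(src for src, n in counts.items() if n > threshold)


def detection_summary(requests, baseline_per_source=5, factor=4):
    return {
        "signature_hits": signature_detect(requests),
        "anomalous_sources": anomaly_detect(requests, baseline_per_source, factor),
    }


if __name__ == "__main__":
    for key, value in detection_summary(SAMPLE_REQUESTS).items():
        print(key, value)
```

Note that 10.0.0.7 appears in neither result: its modified probe defeats the signature, and it sends too little to look anomalous. That gap is why both methods are deployed together and why signature updates matter.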

QUESTION 41 You have been asked to add a key to an existing key chain. You issue the following commands to enter key chain key configuration mode: RouterA(config)#key chain chain1 RouterA(config-keychain)#key 2 RouterA(config-keychain-key)#key-string key2

The new key should be valid for three hours, and the router should begin sending the key at 9 a.m. on January 13, 2015. Which of the following commands should you issue next to achieve your goal? (Select the best answer.)

A. accept-lifetime 09:00:00 Jan 13 2015 duration 3 B. accept-lifetime 09:00:00 Jan 13 2015 duration 180 C. send-lifetime 09:00:00 Jan 13 2015 duration 180 D. send-lifetime 09:00:00 Jan 13 2015 duration 10800

Correct Answer: D Section: (none) Explanation

Explanation/Reference:

Explanation: You should issue the send-lifetime 09:00:00 Jan 13 2015 duration 10800 command to specify that the key in this scenario should be valid for three hours and that the router should begin sending the key at 9 a.m. on January 13, 2015. The send-lifetime command is used to specify the period of time during which a key should be sent by a router for authentication. The syntax for this command is send-lifetime start-time {infinite | end-time | duration seconds}, where start-time specifies the date and time that the key should start being sent. By default, keys are valid indefinitely; however, you can use the duration keyword to specify a duration value between 1 and 2,147,483,646 seconds. In this scenario, the duration is 10800 seconds, which is three hours, and the start time is 09:00:00 Jan 13 2015, which corresponds to 9 a.m. on January 13, 2015. You should not issue the send-lifetime 09:00:00 Jan 13 2015 duration 180 command, because the key duration is incorrectly specified as 180 seconds, which is three minutes, instead of 10,800 seconds, or three hours. You should not issue the accept-lifetime 09:00:00 Jan 13 2015 duration 3 command or the accept-lifetime 09:00:00 Jan 13 2015 duration 180 command. The accept-lifetime command specifies the time period during which a received key is considered valid. By default, received keys are valid indefinitely. If no send-lifetime command has been issued, the accept-lifetime command will limit the period of time in which the received key is valid, but it will have no effect on the period of time during which the router sends the key for authentication. Because both lifetimes are evaluated against the router's clock, the clocks of all routers that share the key chain must be synchronized, for example with NTP, and the accept-lifetime of a key is normally configured to begin before and end after its send-lifetime so that a small amount of clock skew between neighbors does not cause authentication failures during key rollover. Reference: Cisco: IP Routing Protocol-Independent Commands: send-lifetime
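The lifetime arithmetic and the rollover check above, as an added Python example that is not part of the original explanation and not Cisco code. It parses the IOS time format, resolves the infinite, end-time and duration forms of a lifetime, enforces the duration range, and then checks a planned key chain for the two things that break authentication in practice: an accept window that does not enclose its send window with a margin for clock skew, and a gap in time during which no key is sent. The planned chain, the key strings and the five-minute skew margin are assumptions constructed for the example; render_ios prints the resulting key chain commands.

```python
from datetime import datetime, timedelta

IOS_TIME_FMT = "%H:%M:%S %b %d %Y"             # e.g. "09:00:00 Jan 13 2015"
DURATION_MIN, DURATION_MAX = 1, 2147483646      # range IOS accepts for "duration"


def parse_ios_time(text):
    return datetime.strptime(text, IOS_TIME_FMT)


def lifetime_window(start_text, spec):
    """Resolve a send-/accept-lifetime to (start, end); end is None for 'infinite'."""
    start = parse_ios_time(start_text)
    if spec == "infinite":
        return start, None
    if spec.startswith("duration "):
        seconds = int(spec.split()[1])
        if not DURATION_MIN <= seconds <= DURATION_MAX:
            raise ValueError(f"duration {seconds} outside {DURATION_MIN}-{DURATION_MAX}")
        return start, start + timedelta(seconds=seconds)
    end = parse_ios_time(spec)                   # explicit end-time form
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    return start, end


def check_chain(keys, skew=timedelta(minutes=5)):
    """keys: list of dicts {id, string, send: (start, spec), accept: (start, spec)}.
    Returns human-readable problems; an empty list means the chain rolls over cleanly."""
    problems, windows = [], []
    for k in keys:
        s_start, s_end = lifetime_window(*k["send"])
        a_start, a_end = lifetime_window(*k["accept"])
        # The accept window must enclose the send window with margin for clock skew.
        if a_start > s_start - skew:
            problems.append(f"key {k['id']}: accept-lifetime starts less than {skew} before send-lifetime")
        if s_end is None and a_end is not None:
            problems.append(f"key {k['id']}: send-lifetime is infinite but accept-lifetime ends")
        elif s_end is not None and a_end is not None and a_end < s_end + skew:
            problems.append(f"key {k['id']}: accept-lifetime ends less than {skew} after send-lifetime")
        windows.append((s_start, s_end, k["id"]))
    # At every instant some key must be sendable: no gap between consecutive send windows.
    windows.sort(key=lambda w: w[0])
    for (_, e1, id1), (s2, _, id2) in zip(windows, windows[1:]):
        if e1 is not None and s2 > e1:
            problems.append(f"no key is sent between {e1} (end of key {id1}) and {s2} (start of key {id2})")
    last_end, last_id = windows[-1][1], windows[-1][2]
    if last_end is not None:
        problems.append(f"no key is sent after {last_end} (end of key {last_id})")
    return problems


def render_ios(chain_name, keys):
    """Emit the key chain configuration commands for the planned keys."""
    lines = [f"key chain {chain_name}"]
    for k in keys:
        lines.append(f" key {k['id']}")
        lines.append(f"  key-string {k['string']}")
        lines.append(f"  accept-lifetime {k['accept'][0]} {k['accept'][1]}")
        lines.append(f"  send-lifetime {k['send'][0]} {k['send'][1]}")
    return "\n".join(lines)


# Constructed plan: key 2 is the three-hour key from the question, bracketed by a
# predecessor and an open-ended successor so that rollover never leaves a gap.
PLANNED_CHAIN = [
    {"id": 1, "string": "key1",
     "accept": ("00:00:00 Jan 01 2015", "09:05:00 Jan 13 2015"),
     "send":   ("00:05:00 Jan 01 2015", "09:00:00 Jan 13 2015")},
    {"id": 2, "string": "key2",
     "accept": ("08:55:00 Jan 13 2015", "duration 11400"),   # 08:55 to 12:05
     "send":   ("09:00:00 Jan 13 2015", "duration 10800")},  # 09:00 to 12:00
    {"id": 3, "string": "key3",
     "accept": ("11:55:00 Jan 13 2015", "infinite"),
     "send":   ("12:00:00 Jan 13 2015", "infinite")},
]

# Key 2 on its own, with accept-lifetime identical to send-lifetime: what the
# question's configuration looks like without any rollover planning.
UNPLANNED_KEY = [
    {"id": 2, "string": "key2",
     "accept": ("09:00:00 Jan 13 2015", "duration 10800"),
     "send":   ("09:00:00 Jan 13 2015", "duration 10800")},
]

if __name__ == "__main__":
    print(render_ios("chain1", PLANNED_CHAIN))
    print(check_chain(PLANNED_CHAIN) or "planned chain: no problems")
    print(*check_chain(UNPLANNED_KEY), sep="\n")
```

For the unplanned key the checker reports three problems: no skew margin at either end of the accept window, and nothing being sent after 12:00 on January 13, 2015. Neither the router nor the exam option tells you that; the key simply stops working.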

QUESTION 42 Which of the following can be mitigated by installing a personal firewall on a laptop? (Select the best answer.)

A. a SYN flood attack B. a cross-site scripting attack C. a port-scanning attack D. a session-hijacking attack

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: Installing a personal firewall on a laptop can mitigate a port-scanning attack. In a port-scanning attack, an attacker uses a port-scanning application to probe a computer to determine which ports are open and vulnerable to an attack. After determining which ports are open, the attacker can attempt to access the computer through an open port. With a personal firewall, you can protect a host from malicious traffic by permitting or denying specific applications or network ports access to the host or its network interface. Typically, a personal firewall provides sufficient granularity to specify the direction of a particular flow of traffic. For example, you could permit outbound web traffic but deny all inbound traffic that does not correspond to established outbound connections. Installing a personal firewall on a laptop would not mitigate a session-hijacking attack. A session-hijacking attack requires that the attacker determine the Initial Sequence Number (ISN) for a new Transmission Control Protocol (TCP) session. The ISN is used during the TCP three-way handshake to synchronize the states of the sending and receiving hosts. If an attacker can guess the ISN or any subsequent sequence number for a connection, the attacker can hijack the session. Typically, an attacker will disrupt the connection by forcing one of the hosts to become unsynchronized and will then assume the identity of the unsynchronized host by spoofing its IP address. Session hijacking relies on the attacker being able to determine the correct sequence number for any given segment in a TCP session. Because some hosts use predictable, incrementing ISNs rather than random ones, an attacker can determine the ISN for a new connection on a vulnerable host by first

initiating a connection to the host and determining the current ISN. Installing a personal firewall on a laptop would not mitigate a cross-site scripting (XSS) attack. An XSS attack takes advantage of weaknesses within a web application to insert malicious code into input fields on a web form. If the attack is successful, the attacker might be able to inject code into the webpage, which could allow the attacker to perform a variety of malicious tasks, such as redirecting visitors to another website or harvesting cookies from the victim's computer. Server-side input validation can be used to mitigate XSS attacks performed on web forms. However, other types of XSS attacks, such as a link in an email to lure victims to a webpage containing malicious script, are not mitigated by input validation. Installing a personal firewall on a laptop would not mitigate a SYN flood attack. A SYN flood attack sends a large volume of SYN segments to a target host in an attempt to saturate the target's TCP connection table. The SYN flood attack exploits the TCP three-way handshake by sending TCP SYN segments from spoofed IP addresses. When the target host replies to the spoofed IP addresses, the target's packets are ignored because the spoofed hosts do not have corresponding entries in their TCP connection tables. The target host will continue to wait for responses from the spoofed hosts until the TCP handshake times out. With a sufficient number of SYN requests, the target's TCP connection table can become full. Once the TCP connection table is full, the target host will be unable to accept new TCP connections. Reference: CCNA Security 210-260 Official Cert Guide, Chapter 19, Personal Firewalls and Host Intrusion Prevention Systems, pp. 498-499

QUESTION 43 When a switch is configured with private VLANs, which of the following ports can an isolated port communicate with? (Select the best answer.)

A. ports within the same community B. ports within a different community C. other isolated ports D. promiscuous ports

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: An isolated port can communicate with promiscuous ports when a switch is configured with private virtual LANs (VLANs). Private VLANs can be configured on a switch to help isolate traffic within a VLAN. Private VLANs can provide Layer 2 separation between ports that belong to the same VLAN. Because the separation exists at Layer 2, the hosts can exist on the same IP subnet. The VLAN to which the hosts belong is called the primary VLAN. To create a private VLAN, you must create secondary VLANs and associate them with the primary VLAN. There are two types of secondary VLANs: community VLANs and isolated VLANs. Ports that belong to a community VLAN can communicate with promiscuous ports and with other ports that belong to the same community. However, they cannot communicate with isolated ports or with ports that belong to other communities. Ports that belong to an isolated VLAN can communicate only with promiscuous ports. After configuring the private VLAN, you can configure ports to participate in the private VLAN. When configuring a port to participate in a private VLAN, you must configure the port by issuing the switchport mode private-vlan {promiscuous | host} command. The promiscuous keyword configures the port to communicate with any secondary VLAN. Consequently, devices that should be reachable from any secondary VLAN should be connected to promiscuous ports. For example, a router, a firewall, or a gateway that any host should be able to reach should be connected to a promiscuous port. By contrast, devices connected to isolated or community VLANs should be connected to host ports, which are configured by using the host keyword.

Reference: Cisco: Configuring Private VLANs: Understanding Private VLANs

QUESTION 44 Which of the following statements is not true regarding the IaaS service model? (Select the best answer.)

A. The consumer has control over the configuration of the OS running on the physical infrastructure in the cloud. B. The consumer has control over the physical infrastructure in the cloud. C. The consumer has control over the allocation of processing, memory, storage, and network resources within the cloud. D. The consumer has control over development tools or APIs in the cloud running on the physical infrastructure in the cloud.

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: In the Infrastructure as a Service (IaaS) service model, the consumer does not have control over the physical infrastructure in the cloud. The National Institute of Standards and Technology (NIST) defines three service models in its definition of cloud computing: Software as a Service (SaaS), IaaS, and Platform as a Service (PaaS). The SaaS service model enables its consumer to access applications running in the cloud infrastructure but does not enable the consumer to manage the cloud infrastructure or the configuration of the provided applications. A company that licenses a service provider's office suite and email service that is delivered to end users through a web browser is using SaaS. SaaS providers use an Internet-enabled licensing function, a streaming service, or a web application to provide end users with software that they might otherwise install and activate locally. Web-based email clients, such as Outlook.com, are examples of SaaS. The PaaS service model provides its consumer with a bit more freedom than the SaaS model by enabling the consumer to install and possibly configure provider-supported applications in the cloud infrastructure. A company that uses a service provider's infrastructure, programming tools, and programming languages to develop and serve cloud-based applications is using PaaS. PaaS enables a consumer to use the service provider's development tools or Application Programming Interface (API) to develop and deploy specific cloud-based applications or services. Another example of PaaS might be using a third party's MySQL database and Apache services to build a cloud-based customer relationship management (CRM) platform. The IaaS service model provides the greatest degree of freedom by enabling its consumer to provision processing, memory, storage, and network resources within the cloud infrastructure. The IaaS service model also enables its consumer to install applications, including operating systems (OSs) and custom applications. However, with IaaS, the cloud infrastructure remains in the control of the service provider. A company that hires a service provider to deliver cloud-based processing and storage that will house multiple physical or virtual hosts configured in a variety of ways is using IaaS. For example, a company that wanted to establish a web server farm by configuring multiple Linux Apache MySQL PHP (LAMP) servers could save hardware costs by virtualizing the farm and using a provider's cloud service to deliver the physical infrastructure and bandwidth for the virtual farm. Control over the OS, software, and server configuration would remain the responsibility of the organization, whereas the physical infrastructure and bandwidth would be the responsibility of the service provider. Reference: NIST: Special Publication 800-145: The NIST Definition of Cloud Computing (PDF)

QUESTION 45 Which of the following email-related FirePOWER preprocessors can extract and decode attachments in client-to-server traffic? (Select the best answer.)

A. only the IMAP preprocessor B. only the POP3 preprocessor C. only the SMTP preprocessor D. only the POP3 and SMTP preprocessors E. only the IMAP and SMTP preprocessors F. the IMAP, POP3, and SMTP preprocessors

Correct Answer: F Section: (none) Explanation

Explanation/Reference: Explanation: On a Cisco FirePOWER Intrusion Prevention System (IPS), the Internet Message Access Protocol (IMAP), Post Office Protocol version 3 (POP3), and Simple Mail Transfer Protocol (SMTP) preprocessors can extract and decode attachments in client-to-server traffic. The FirePOWER IMAP, POP3, and SMTP preprocessors are Application layer inspection engines with the capability to decode email traffic and to normalize the resulting data prior to forwarding the traffic to the intrusion rules engine for analysis. In addition to generating an event when they observe anomalous traffic, the FirePOWER email-related preprocessor engines can inspect the commands that pass between a client and a server to ensure that they are compliant with the relevant Request for Comments (RFC). For example, the IMAP preprocessor can generate an event when either a client command or a server response does not comply with RFC 3501, which is the RFC that defines the IMAP protocol, and the POP3 preprocessor can do the same for commands that do not comply with RFC 1939, which is the RFC that defines the POP3 protocol. By contrast, the SMTP preprocessor provides the ability to normalize all, none, or a specific set of SMTP commands, although a base set of commands will always be considered as part of the custom valid set if normalization is enabled. Reference: Cisco: Application Layer Preprocessors: The IMAP Preprocessor Cisco: Application Layer Preprocessors: The POP Preprocessor Cisco: Application Layer Preprocessors: The SMTP Preprocessor

QUESTION 46 Which of the following authentication methods is not used with OSPFv3? (Select the best answer.)

A. plaintext B. MD5 C. SHA1 D. IPv6 IPSec

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: Plaintext authentication is not used with Open Shortest Path First version 3 (OSPFv3), which is also called OSPF for IP version 6 (IPv6). OSPFv3 relies on IPv6 IP Security (IPsec) for authentication, using either Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1) as the integrity algorithm. Although plaintext authentication is not used by OSPFv3, you can configure OSPFv3 to use the IPsec Authentication Header (AH), which authenticates the packets but leaves them readable, or the Encapsulating Security Payload (ESP), which can encrypt the OSPFv3 packets in addition to authenticating them. Encryption provides an extra layer of security but requires additional processing that could introduce latency. You can issue either the ospfv3 authentication command or the ipv6 ospf authentication command to configure authentication for OSPFv3 on an interface. MD5 and plaintext authentication are supported by OSPF version 2 (OSPFv2), which is the IPv4 version of OSPF. By default, no authentication method is used with OSPFv2. To configure a router for MD5 authentication, you should first configure the key by issuing the ip ospf message-digest-key key-id md5 password command in interface configuration mode, and then enable MD5 authentication on the interface by issuing the ip ospf authentication message-digest command in interface configuration mode; the ip ospf authentication-key password command, by contrast, configures the key used for plaintext authentication. Because plaintext authentication is notoriously insecure, Cisco recommends using MD5 authentication for OSPFv2 instead of plaintext authentication. Newer IOS releases also support HMAC-SHA authentication for OSPFv2 through a key chain (ip ospf authentication key-chain), which is preferable to MD5 where it is available. Reference: Cisco: IPv6 Routing: OSPFv3 Authentication Support with IPsec: How to Configure IPv6 Routing: OSPFv3 Authentication Support with IPsec

QUESTION 47 You have configured a Cisco Catalyst switch to store its binding table on a local TFTP server. Which of the following commands can you issue to verify the URL that the agent will use to store the binding table on the TFTP server? (Select the best answer.)

A. show ip dhcp snooping
B. show ip dhcp snooping database
C. show ip dhcp snooping binding
D. show ip dhcp snooping statistics

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: You can issue the show ip dhcp snooping database command to verify the Uniform Resource Locator (URL) that the agent will use to store the binding table when Dynamic Host Configuration Protocol (DHCP) snooping is configured on a Cisco Catalyst switch to store the binding table on a local Trivial File Transfer Protocol (TFTP) server. DHCP snooping ensures that DHCP servers reside on trusted switch interfaces and that all DHCP traffic from untrusted interfaces is verified before being forwarded. When a switch is configured to use DHCP snooping, the switch tracks client Media Access Control (MAC) addresses and their associated DHCP client hardware addresses in the DHCP snooping binding database, which is also known as the binding table. If the switch receives DHCP packets that do not match entries in the binding table, the switch drops the packets. The binding table can be stored locally or it can be stored on a remote server. The show ip dhcp snooping database command can be used to display the status of the DHCP snooping binding table agent and statistics regarding the status of the binding table, such as the URL where the binding table can be found and how many successful writes have been committed to the table. For example, the following sample output indicates that the binding table is stored in a file named bindingtable on the TFTP server with an IP address of 1.2.3.4:

The show ip dhcp snooping command displays general information regarding the DHCP snooping configuration on a switch, such as the virtual LANs (VLANs) for which DHCP snooping is enabled and the trusted state of each interface. For example, the following sample output indicates that DHCP snooping is enabled for VLANs 101, 201, and 301:

The show ip dhcp snooping binding command displays the dynamic entries in the binding table. You must use the show ip source binding command to view both static and dynamic binding table entries. For example, the following sample output from the show ip dhcp snooping binding command indicates that two DHCP clients from VLAN 101 have entries in the binding table:

The show ip dhcp snooping statistics command displays statistical information regarding the number of frames that have been forwarded or dropped by the DHCP snooping configuration on a switch. You can use the detail keyword to display expanded statistics, which include the number of packets dropped for each denial category, such as binding mismatches or exceeded rate limits. For example, the following sample output from the show ip dhcp snooping statistics command indicates that 1,450 packets were forwarded and 105 packets were dropped from untrusted ports:

Packets Forwarded = 1450
Packets Dropped = 118
Packets Dropped From untrusted ports = 105

Reference: Cisco: Cisco IOS IP Addressing Services Command Reference: show ip dhcp snooping database
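The following configuration is an added example (constructed here, not from the exam or from Cisco's documentation) of the setup the question describes: DHCP snooping on three VLANs with the binding table persisted to a TFTP server, followed by the show commands discussed above. The TFTP address 1.2.3.4, the file name bindingtable and the VLAN numbers are taken from the explanation's sample values; the interface numbers and the rate limit are assumptions.

```cisco
! Added example (constructed): DHCP snooping with the binding table stored on TFTP.
! Interface numbers and the rate limit are assumptions.
ip dhcp snooping
ip dhcp snooping vlan 101,201,301
! Persist the binding table so DHCP clients keep their entries across a reload.
! The agent writes to this URL; write-delay is the pause (seconds) between a
! change and the write, default 300.
ip dhcp snooping database tftp://1.2.3.4/bindingtable
ip dhcp snooping database write-delay 60
! Option 82 insertion is on by default; a DHCP server that rejects relay agent
! information needs it turned off, otherwise clients never get a lease.
no ip dhcp snooping information option
!
! Uplink toward the DHCP server: trusted, so server replies (OFFER/ACK) are accepted.
interface GigabitEthernet1/0/1
 description Uplink to DHCP server
 ip dhcp snooping trust
!
! Access ports stay untrusted (the default). Rate-limit client DHCP packets so one
! host cannot overwhelm the snooping process.
interface range GigabitEthernet1/0/2 - 24
 ip dhcp snooping limit rate 15
!
! Verification, matching the four commands in the question:
!   show ip dhcp snooping database          -> Agent URL : tftp://1.2.3.4/bindingtable, write counters
!   show ip dhcp snooping                   -> enabled VLANs and per-interface trust state
!   show ip dhcp snooping binding           -> dynamic entries (MAC, IP, lease, VLAN, port)
!   show ip dhcp snooping statistics detail -> forwarded/dropped counters by reason
```

The "Agent URL" line of show ip dhcp snooping database is the one to read when the question asks where the table is stored; the "Successful Writes" counter on the same screen confirms the agent can actually reach the TFTP server.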

QUESTION 48 You have configured a CoPP policy to mitigate the effects of DoS attacks on the router. Which of the following packet types does the CoPP policy affect? (Select the best answer.)


A. packets originating from the control plane
B. packets destined to the control plane
C. packets originating from the data plane
D. packets destined to the data plane

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: The Control Plane Policing (CoPP) policy in this scenario affects packets that are destined to the control plane of a router. Packets destined to the control plane are typically packets intended to create or perform network operations on a router, such as packets from dynamic routing protocols or Address Resolution Protocol (ARP) packets. These packets cannot be handled by Cisco's normal fast-path switching mechanisms, such as Cisco Express Forwarding (CEF), because they require special handling by the router's CPU, which is also known as the route processor. CoPP is a Cisco IOS feature that protects the route processor of a router or switch from malicious traffic, such as Denial of Service (DoS) attacks.

The control plane is one of the four logical components that collectively define a router; the remaining components are the data plane, the management plane, and the services plane. The control plane is the home of the route processor and is essential to the forwarding of packets because routing protocol operation, network management, and process-based switching all involve the control plane. CoPP filters the types of packets that enter or exit the control plane and controls the rate at which permitted packets enter or exit the control plane. Because traffic must pass through the control plane to reach the management plane, CoPP protects the management plane as well.

The CoPP policy in this scenario does not affect packets that originate from the control plane of a router. DoS attacks that target a router use packets either that are destined to the router itself or that require special handling by the router's route processor. Because packets originating from the control plane have already passed through the route processor, a CoPP policy that affects packets exiting the control plane would not mitigate the effects of a DoS attack.

Cisco considers all packets that pass through a router without any interaction from the route processor as data plane traffic, which is also known as transit traffic. Because DoS attacks on a router target the route processor, a CoPP policy that protects a router from DoS attacks would not affect packets originating from or destined to the data plane.

Reference: Cisco: Control Plane Policing: Benefits of Control Plane Policing
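As an added example (constructed for this page, not the exam's or Cisco's own configuration), here is a minimal CoPP policy applied in the input direction on the control-plane interface, which is exactly the direction the correct answer refers to: packets destined to the route processor. Class names, the admin network 10.0.0.0/24 and the police rates are assumptions; real rates must be sized from the platform's observed control-plane traffic, not copied from here.

```cisco
! Added example (constructed): Control Plane Policing in the input direction.
! ACL/class names, the admin network and the rates are assumptions.
!
! Routing-protocol traffic the route processor must always process.
ip access-list extended COPP-ROUTING
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
! Management traffic, accepted only from the admin network.
ip access-list extended COPP-MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq 161
!
class-map match-all COPP-ROUTING-CLASS
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT-CLASS
 match access-group name COPP-MGMT
!
policy-map COPP
 class COPP-ROUTING-CLASS
  ! Never drop routing: police only to account, exceed action still transmits.
  police 256000 conform-action transmit exceed-action drop
 class COPP-MGMT-CLASS
  police 128000 conform-action transmit exceed-action drop
 class class-default
  ! Everything else aimed at the route processor (ICMP, unknown sources, attack
  ! traffic) gets a small budget and is dropped above it.
  police 32000 conform-action transmit exceed-action drop
!
! "input" here means packets arriving AT the control plane, i.e. destined to the
! route processor (answer B). Transit, data-plane traffic is never evaluated by it.
control-plane
 service-policy input COPP
!
! Check: show policy-map control-plane input  -> per-class conformed/exceeded counters
```

The routing class comment is deliberate: set the routing class rate high enough that its exceeded counter stays at zero in normal operation, and treat any growth in the class-default exceeded counter as the signal that something is hammering the route processor.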

QUESTION 49 Which of the following is the most likely reason for an organization to implement an extranet? (Select the best answer.)

A. to provide customers with large-scale computer services
B. to provide internal departments with independent security policies
C. to provide internal users with a customized website
D. to provide customers with access to the company's internal network

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: A company can implement an extranet to provide customers with access to the company's internal network. An extranet is a portion of a company's internal network that is accessible to specific people outside of the company, such as business partners, suppliers, or customers. By creating an extranet, a company can provide a location for sharing information with external users. For example, a consulting company could create an extranet for external customers to view and comment on the consulting company's progress on various projects. In many extranet implementations, the external customer network shares a bilateral connection with the company's internal network. This bilateral connection not only enables the external customer to access portions of the company's internal network, but it also enables portions of the company's internal network to access the portions of the external customer's network.

An extranet is not implemented to provide customers with large-scale computer services. A company could implement a cloud computing infrastructure to provide large-scale computer services over a vast network, such as the Internet. Cloud computing allows for access to applications, storage space, and other services on demand without requiring that the services be installed locally. Cloud computing can be used to replace or supplement highly utilized local systems. The use of cloud-based services can simplify IT management by reducing or eliminating the amount of time needed to install, upgrade, and manage services.

An extranet is not implemented to provide internal departments with independent security policies. A company could implement security contexts on a firewall, such as the Cisco Adaptive Security Appliance (ASA), to provide internal departments with independent security policies. Security contexts divide a single ASA into multiple virtual devices with unique policies that can be managed by separate administrative domains. This division enables a single physical ASA to provide security services for different departments while keeping the departments logically separated.

An extranet is not implemented to provide internal users with a customized website. Instead, an intranet can be created to provide internal users with their own website. An intranet provides a location for sharing information among members of the company. Unlike an extranet, an intranet is typically available only to internal users.

Reference: SANS: SANS Institute InfoSec Reading Room: Security Considerations for Extranets (PDF) Category: Security Concepts

QUESTION 50 Which of the following is the default connection profile that is applied to clientless SSL VPN connections? (Select the best answer.)

A. DefaultRAGroup
B. DefaultWEBVPNGroup
C. DefaultSSLVPNGroup
D. DefaultL2LGroup

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: The DefaultWEBVPNGroup connection profile is the default connection profile that is applied to clientless Secure Sockets Layer (SSL) virtual private network (VPN) connections. Connection profiles are used to separate remote VPN users into groups. For example, you can use one connection profile for contractors and another connection profile for managers, with each profile providing access to different resources. If no connection profile is associated with a particular user or if the user did not select a connection profile when the user initiated the VPN connection, the default connection profile will be used. For SSL VPN connections, the default connection profile is the DefaultWEBVPNGroup profile. You can edit the default connection profiles, but you cannot delete them.

The DefaultRAGroup connection profile is not the default connection profile for clientless SSL VPN connections. This profile is the default profile used for full tunneling IP Security (IPSec) VPN connections. The DefaultL2LGroup connection profile is not the default connection profile for clientless SSL VPN connections. This profile is the default profile used for IPSec LAN-to-LAN VPN connections. The DefaultSSLVPNGroup connection profile is not the default connection profile for clientless SSL VPN connections. This is not a default profile that is provided by Cisco. You can create a connection profile named DefaultSSLVPNGroup, but it will not be used by default for clientless SSL VPN connections.

Reference: Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles

QUESTION 51 You are configuring a connection profile for Cisco AnyConnect SSL VPN users. You have accessed the Add SSL VPN Connection Profile dialog box in ASDM. You want to configure a group URL for the connection profile. On which of the following screens of this dialog box will you be able to accomplish your goal? (Select the best answer.)

A. the Basic screen
B. the General screen
C. the Authorization screen
D. the SSL VPN screen

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: You can configure a group Uniform Resource Locator (URL) for the connection profile that you are configuring for Cisco AnyConnect Secure Sockets Layer (SSL) virtual private network (VPN) users on the SSL VPN screen of the Add SSL VPN Connection Profile dialog box in Cisco Adaptive Security Device Manager (ASDM). If you configure a group URL for SSL VPN users, the users can connect to the group URL and will not be required to select a tunnel group when they establish a connection. In such a scenario, the user is presented with only user name and password fields on the login screen. The Cisco Adaptive Security Appliance (ASA) examines the URL from which the user is connecting and automatically applies the connection profile associated with the URL. Configuring a group URL can help improve security because the user is not presented with a list of available connection profiles.

To configure a group URL for a new SSL VPN connection profile in ASDM, you should click Configuration, expand Network (Client) Access, click AnyConnect Connection Profiles, and click Add under Connection Profiles, which will open the Add SSL VPN Connection Profile dialog box. In the Add SSL VPN Connection Profile dialog box, expand Advanced and click SSL VPN to open the SSL VPN screen, which is shown in the following exhibit:

You cannot configure a group URL on the Basic screen of the Add SSL VPN Connection Profile dialog box in ASDM. On the Basic screen, you can configure the connection profile name, the Authentication, Authorization, and Accounting (AAA) server group, the default group policy, and client addressing information, such as Dynamic Host Configuration Protocol (DHCP) servers and IP address pools. You cannot configure a group URL on the General screen of the Add SSL VPN Connection Profile dialog box in ASDM. On the General screen, you can enable password management and configure password expiration notification options.

You cannot configure a group URL on the Authorization screen of the Add SSL VPN Connection Profile dialog box in ASDM. On the Authorization screen, you can configure an authorization server group and user name certificate mapping. Reference: Cisco: General VPN Setup: Add or Edit SSL VPN Connections > Advanced > SSL VPN
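The ASDM dialog in this question writes ordinary ASA CLI underneath. As an added example (constructed, not from the exam or from Cisco's documentation), the following is the CLI equivalent of creating an AnyConnect connection profile with a group URL, so that the settings from the Basic screen (pool, group policy, AAA) and the SSL VPN screen (group URL) can be recognised in show running-config. Names, the address pool and the URL are assumptions; ASA 9.x syntax is assumed.

```cisco
! Added example (constructed): AnyConnect connection profile with a group URL.
! Names, pool, hostname and ASA 9.x syntax are assumptions.
ip local pool CONTRACTOR-POOL 10.20.30.10-10.20.30.100 mask 255.255.255.0
!
group-policy CONTRACTORS-GP internal
group-policy CONTRACTORS-GP attributes
 vpn-tunnel-protocol ssl-client
!
! "Basic" screen: name, AAA server group, default group policy, client addressing.
tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 address-pool CONTRACTOR-POOL
 default-group-policy CONTRACTORS-GP
 authentication-server-group LOCAL
! "Advanced > SSL VPN" screen: the group URL that selects this profile automatically.
tunnel-group CONTRACTORS webvpn-attributes
 group-url https://vpn.example.com/contractors enable
!
webvpn
 enable outside
 anyconnect enable
 ! Keep the profile drop-down off the login page; with a group URL per profile
 ! users never need it, and unauthenticated visitors learn nothing about the groups.
 no tunnel-group-list enable
!
! Checks:
!   show running-config tunnel-group CONTRACTORS
!   show vpn-sessiondb anyconnect   -> "Group Policy" and "Tunnel Group" columns per session
```

A user who opens https://vpn.example.com/contractors is placed in CONTRACTORS without choosing anything; a user who opens the bare hostname lands in DefaultWEBVPNGroup, which is why that default profile (Question 50) should carry the most restrictive policy.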

QUESTION 52 You are configuring a connection profile for clientless SSL VPN connections. You have accessed the Add Clientless SSL VPN Connection Profile dialog box in ASDM. Which of the following authentication methods can you configure in this dialog box? (Select the best answer.)

A. only AAA
B. only OTP
C. only digital certificates
D. both AAA and OTP
E. both AAA and digital certificates

Correct Answer: E Section: (none) Explanation

Explanation/Reference: Explanation: You can configure Authentication, Authorization, and Accounting (AAA) and digital certificate authentication on the Add Clientless SSL VPN Connection Profile dialog box in Cisco Adaptive Security Device Manager (ASDM). Connection profiles are used to separate remote virtual private network (VPN) users into groups. For example, you can use one connection profile for contractors and another connection profile for managers, with each profile providing access to different resources. You can configure a new connection profile by using ASDM. To configure a new connection profile for clientless Secure Sockets Layer (SSL) VPN connections by using ASDM, you should click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, and click Connection Profiles, which will open the Connection Profiles configuration pane. From this pane, you can view a list of existing connection profiles and you can create new connection profiles. You should click the Add button under Connection Profiles in the Connection Profiles screen to create a new connection profile and to open the Add Clientless SSL VPN Connection Profile dialog box, which is shown in the following exhibit:

In this dialog box, you can configure the connection profile details, including the authentication method to use, the Domain Name System (DNS) server to use, and the group policy to apply to the connection profile. There are two authentication methods that are supported: AAA and Certificate. You can configure the connection profile to use either or both of the methods.

You cannot configure one-time passwords (OTPs) as an authentication method for connection profiles on the Add Clientless SSL VPN Connection Profile dialog box in ASDM. OTP is a two-factor user authentication method that typically uses a personal identification number (PIN) in conjunction with a code generated by a hardware or software token. The token is synchronized with a central server and periodically generates a code. The code is only valid until the next code is generated, which typically occurs in less than 60 seconds.

Reference: Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profile Connection Parameters for SSL VPN Sessions

QUESTION 53 Which of the following can you mitigate by implementing DAI? (Select the best answer.)

A. ARP poisoning attacks
B. MAC spoofing attacks
C. MAC flooding attacks
D. VLAN hopping attacks

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: Implementing Dynamic ARP Inspection (DAI) can help mitigate Address Resolution Protocol (ARP) poisoning attacks. In an ARP poisoning attack, which is also known as an ARP spoofing attack, the attacker sends a gratuitous ARP (GARP) message to a host. The GARP message associates the attacker's Media Access Control (MAC) address with the IP address of a valid host on the network. Subsequently, traffic sent to the valid host address will go through the attacker's computer rather than directly to the intended recipient.

You should change the native virtual LAN (VLAN) on trunk ports to an unused VLAN to mitigate VLAN hopping attacks. In a VLAN hopping attack, the attacker sends double-tagged 802.1Q frames over a trunk link. A double-tagged frame is an Ethernet frame containing two distinct 802.1Q headers. Although double-tagging can be used as a legitimate way to tunnel traffic through a network and is commonly used by service providers, it can also be used by an attacker to circumvent security controls on an access switch. In a VLAN hopping attack, the attacker attempts to inject packets into other VLANs by accessing the native VLAN on a trunk and sending double-tagged 802.1Q frames to the switch. The switch strips the outer 802.1Q header from the received frame and then forwards the frame, which still includes an 802.1Q header, across a trunk port to the VLAN of the target host. A successful VLAN hopping attack enables an attacker to send unidirectional traffic to other VLANs without the use of a router.

Implementing sticky secure MAC addresses can help mitigate MAC spoofing attacks. In a MAC spoofing attack, an attacker uses the MAC address of another known host on the network in order to bypass port security measures. MAC spoofing can also be used to impersonate another host on the network.

Limiting the number of MAC addresses permitted on a port can help mitigate MAC flooding attacks. In a MAC flooding attack, an attacker generates thousands of forged frames every minute with the intention of overwhelming the switch's MAC address table. Once this table is flooded, the switch can no longer make intelligent forwarding decisions and all traffic is flooded. This allows the attacker to view all data sent through the switch because all traffic will be sent out each port. A MAC flooding attack is also known as a content addressable memory (CAM) table overflow attack.

Reference: Cisco: Implementation of Security: ARP Spoofing Attack
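The explanation names four distinct mitigations. As an added example (constructed here, not from the exam or from Cisco's documentation), the following Catalyst configuration applies all four on one switch: DAI for ARP poisoning, a relocated native VLAN for VLAN hopping, sticky secure MACs for MAC spoofing and a per-port MAC maximum for MAC flooding. DAI validates ARP against the DHCP snooping binding table, so snooping is enabled as its prerequisite. VLAN numbers, interface numbers, the static host address and MAC are assumptions.

```cisco
! Added example (constructed): the four Layer 2 mitigations from this question.
! VLANs, interfaces, the static host 10.10.10.5 and its MAC are assumptions.
!
! 1. ARP poisoning -> DAI. DAI checks each ARP packet on untrusted ports against
!    the DHCP snooping binding table, so snooping must cover the same VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
! Hosts with static IPs have no binding entry; allow them through an ARP ACL
! instead of trusting the port.
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! 2. VLAN hopping -> native VLAN moved to an unused VLAN that carries no hosts and
!    is not even in the trunk's allowed list, so a double-tagged frame has no
!    untagged VLAN to ride in.
vlan 999
 name UNUSED-NATIVE
interface GigabitEthernet1/0/48
 description Trunk to distribution
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 ip arp inspection trust
 ip dhcp snooping trust
!
! 3. MAC spoofing -> sticky secure MACs: the first learned MAC(s) become part of the
!    running config, and a frame from any other source MAC is a violation.
! 4. MAC flooding -> "maximum 2" caps how many entries one port can add to the CAM table.
interface GigabitEthernet1/0/1
 description User access port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip arp inspection limit rate 15
!
! Checks:
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10   -> "DHCP Drops" / "ACL Drops" counters
!   show port-security interface GigabitEthernet1/0/1
```

The violation mode is set to restrict rather than the default shutdown so that a flood attempt is counted and logged (SecurityViolation counter, syslog) without also handing the attacker an easy way to take the port down; switchport nonegotiate closes the other VLAN-hopping variant, where an access port is talked into becoming a trunk via DTP.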

QUESTION 54 You have configured a lawful intercept view, five CLI views, and two superviews on a Cisco router. How many additional CLI views can you create? (Select the best answer.)

A. one
B. two
C. six
D. seven

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: You can create seven additional command-line interface (CLI) views on a Cisco router if you have already configured a lawful intercept view, five CLI views, and two superviews. A CLI view enables an administrator to provide granular access to IOS commands and interfaces to a specific user or group of users. CLI views can be grouped under a superview to provide access to all of the commands within each view. On hardware platforms that support it, a single lawful intercept view can be created to provide secure access to a specific set of commands pertaining to voice calls and their associated Simple Network Management Protocol (SNMP) data.

The maximum number of CLI views you can create on a Cisco router is 15. This includes one lawful intercept view and any combination of CLI views and superviews; however, this does not include the root view, which is created by default and does not count against the number of available views. In this scenario, you have created eight views: one lawful intercept view, five CLI views, and two superviews. Because you can configure a maximum of 15 views, you can create only seven more views. Each of the newly created views could be a CLI view or a superview but could not be a lawful intercept view, because one has already been created.

Reference: Cisco: Role-Based CLI Access: Restrictions for Role-Based CLI Access

QUESTION 55 Which of the following statements is true regarding the aaa new-model command? (Select the best answer.)

A. The aaa new-model command must be issued prior to enabling AAA accounting on a router.
B. The aaa new-model command must be issued after enabling AAA authentication on a router.
C. The aaa new-model command configures AAA to work only with RADIUS servers.
D. The aaa new-model command configures AAA to work only with TACACS+ servers.
E. The aaa new-model command has been deprecated in Cisco IOS versions 12.3 and later.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: The aaa new-model command must be issued prior to enabling Authentication, Authorization, and Accounting (AAA) accounting on a router. AAA can be used to control access to a router or switch. Before configuring authentication, authorization, or accounting using AAA, you must first issue the aaa new-model command to enable AAA on the device; the aaa authentication, aaa authorization, and aaa accounting commands cannot be issued until the aaa new-model command is issued. When the aaa new-model command is issued, local authentication is applied immediately to all router lines and interfaces; any existing authentication methods are superseded by the aaa new-model command. All future connection attempts will be authenticated using the method defined in the aaa authentication command.

When implementing AAA, you can configure users to be authenticated against a local database, against a Remote Authentication Dial-In User Service (RADIUS) server, or against a Terminal Access Controller Access Control System Plus (TACACS+) server. You are not limited to a single type of authentication with AAA.

The aaa new-model command has not been deprecated in Cisco IOS versions 12.3 and later. This command is required in these versions of Cisco IOS in order to implement AAA on a router or a switch.

Reference: Cisco: Configuring Basic AAA on an Access Server: Enabling AAA
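Questions 54 and 55 describe two features that are configured together in practice: aaa new-model has to be in place before any aaa authentication, authorization or accounting line is accepted, and role-based CLI views likewise require it. The following is an added example (constructed, not from the exam or Cisco's documentation) that builds the AAA baseline in the order the explanation implies and then defines two CLI views and a superview. Usernames, secrets, the TACACS+ server and IOS 15.x server-group syntax are assumptions. The ordering matters: the local user exists before aaa new-model is entered, because the explanation above notes that authentication applies to every line immediately, console included.

```cisco
! Added example (constructed): AAA baseline followed by role-based CLI views.
! Usernames, secrets, the TACACS+ server and IOS 15.x syntax are assumptions.
!
! Local accounts and enable secret FIRST: aaa new-model authenticates all lines at
! once, and an empty local database would lock the operator out of the console.
username netadmin privilege 15 secret CHANGE-ME-ADMIN
username helpdesk secret CHANGE-ME-HELPDESK
enable secret CHANGE-ME-ENABLE
!
aaa new-model
!
tacacs server ACS1
 address ipv4 10.0.0.20
 key CHANGE-ME-TACACS
aaa group server tacacs+ ACS-GROUP
 server name ACS1
! TACACS+ first, local database as fallback when no server answers; AAA is not
! limited to one server type.
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
! These two lines are rejected if aaa new-model has not been issued (Question 55).
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! Role-based CLI views (Question 54): at most 15 in total, root view excluded.
! Views are created from the root view: "enable view" at the EXEC prompt, which
! needs aaa new-model and the enable secret above.
parser view MONITOR
 secret CHANGE-ME-VIEW1
 commands exec include show ip route
 commands exec include show ip interface brief
 commands exec include show logging
parser view INTERFACES
 secret CHANGE-ME-VIEW2
 commands exec include configure terminal
 commands configure include interface
 commands interface include shutdown
 commands interface include no shutdown
! A superview only aggregates views; it holds no commands of its own.
parser view OPS superview
 secret CHANGE-ME-SUPER
 view MONITOR
 view INTERFACES
!
! Drop a user straight into the superview at login.
username helpdesk view OPS
!
! Checks: show parser view all ; show aaa servers ; debug aaa authentication (lab only)
```

Counting against the limit of 15 in this example: MONITOR, INTERFACES and OPS are three views, so twelve more (or eleven plus one lawful intercept view) could still be created on this router.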

QUESTION 56 Which of the following signature microengines typically has the greatest effect on Cisco IOS IPS performance? (Select the best answer.)

A. atomic-ip
B. normalizer
C. service-http
D. service-smb-advanced
E. string-tcp

Correct Answer: E Section: (none) Explanation

Explanation/Reference: Explanation: Of the choices provided, the string-tcp signature microengine (SME) typically has the greatest effect on Cisco IOS Intrusion Prevention System (IPS) performance. An SME compiles a specific category of signatures and loads them into the IPS regular expression table. Within each category is a number of signatures that can analyze a packet or stream of packets for a particular pattern. For example, the atomic-ip SME contains signatures that can recognize a pattern in a single packet, whereas the service-http SME contains signatures that can recognize a pattern in a stream of Hypertext Transfer Protocol (HTTP) packets. In general, the more of a packet or stream of packets that an SME needs to analyze, the greater its impact on the available memory and CPU of the router. The string-tcp SME can analyze one or more Transmission Control Protocol (TCP) packets and search for a particular string of text.

The atomic-ip SME can analyze the Layer 3 and Layer 4 header fields of a single packet. Because the atomic-ip SME signatures operate on a single packet, they cannot preserve state information between packets. However, atomic-ip SME signatures do not consume large amounts of memory or CPU resources like string-based SMEs can consume.

The service-http and service-smb-advanced SMEs can analyze Layer 5 through 7 information for HTTP and Server Message Block (SMB) network services, respectively. Service SMEs are typically the most complicated SMEs because they understand and implement a significant portion of the network services for which they are designed. For example, the service-http SME can effectively mimic the characteristics of a web server in order to analyze the HTTP payload between a web server and its client. Because service SMEs have a deep knowledge of their underlying protocols, they can be optimized to decode only particular portions of a data stream, thereby reducing their impact on the memory and CPU utilization.

The normalizer SME is targeted at fragmented IP datagrams. The normalizer SME reassembles the fragmented IP datagrams and then analyzes the completed datagram before deciding whether the datagram should be forwarded or discarded. If the normalizer SME decides that a datagram should be forwarded but the datagram is too large to transmit, it will refragment the datagram prior to forwarding it. If the normalizer SME had to analyze fragmented datagrams based on the many different ways that destination devices might reassemble them, it could consume a significant amount of memory and CPU resources; however, because the normalizer SME reassembles datagrams without regard to how the target device will receive them, the process can be optimized with regard to memory and CPU utilization.

Reference: Cisco: Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 5.1: Example String TCP Signature

QUESTION 57 You have configured the password management feature for a tunnel group on an ASA. The ASA is using a Cisco Secure ACS RADIUS server for AAA authentication. Which of the following actions will occur after a remote user with an expired password attempts to establish a VPN connection? (Select the best answer.)

A. The AnyConnect client will display an authentication failed dialog box and will not permit the user to establish the VPN connection until an admin unlocks the user's account.
B. The AnyConnect client will display a dialog box that prompts the user for a new password.
C. The AnyConnect client will display a dialog box that prompts the user for both their old password and a new password.
D. The AnyConnect client will display a dialog box notifying the user that their password has expired but will permit the user to establish the VPN connection with the expired password.

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: In this scenario, the Cisco AnyConnect virtual private network (VPN) client will display a dialog box that prompts the user for a new password after a remote user with an expired password attempts to establish a VPN connection. When a Cisco Adaptive Security Appliance (ASA) is configured to use the password management feature for a particular tunnel group, the ASA will use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) rather than Password Authentication Protocol (PAP) when communicating with the Remote Authentication Dial-In User Service (RADIUS) server and the AnyConnect client. MS-CHAPv2 supports password expiry and password change capabilities that are not inherently supported by PAP or RADIUS. This enables the ASA to understand Radius-Reject messages with password expiry information instead of simply treating the messages as authentication failure messages. When the ASA receives the Radius-Reject message with password expiry information, it sends a MODE_CFG message to the AnyConnect VPN client, causing it to display a dialog box that prompts the user for a new password. The ASA then forwards the new password to the RADIUS server, and if the new password meets the configured password requirements, the user is authenticated and the ASA can finish establishing the VPN connection.

The AnyConnect client will not prevent the user from establishing a VPN connection until an administrator unlocks the user's account. Because the password management feature is enabled on the ASA, it has the capability to prompt the user to update their expired password. However, if the password management feature was not enabled on the ASA in this scenario, then Radius-Reject messages received from the RADIUS server would be interpreted as an authentication failure message and users with expired passwords would be unable to establish VPN connections. The AnyConnect client will not prompt the user for both their old password and a new password, nor will it permit the user to establish the VPN connection with an expired password.

Reference: Cisco: ASA Remote Access VPN IKE/SSL Password Expiry and Change for RADIUS, TACACS, and LDAP Configuration Example: ASA with ACS via RADIUS
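As an added example (constructed; not the exam's or Cisco's configuration), this is the ASA CLI that produces the behaviour described: a RADIUS server group pointing at ACS, the host marked as MS-CHAPv2 capable so the ASA stops falling back to PAP, and password management enabled on the tunnel group. The server address, shared secret and tunnel-group name are assumptions.

```cisco
! Added example (constructed): password management over RADIUS on an ASA.
! Server address, key and tunnel-group name are assumptions.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.0.0.30
 key CHANGE-ME-RADIUS-SECRET
 ! Lets the ASA use MS-CHAPv2 toward this server. Without it the exchange is PAP,
 ! an expired password is just a reject, and the user never gets the change prompt.
 mschapv2-capable
!
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-RADIUS
 ! Enables the expired-password flow described above. The advance-warning value
 ! is honoured by LDAP servers; with RADIUS/ACS the Radius-Reject carrying expiry
 ! information is what triggers the new-password dialog in AnyConnect.
 password-management password-expire-in-days 7
!
! Checks:
!   show running-config aaa-server ACS-RADIUS
!   test aaa-server authentication ACS-RADIUS host 10.0.0.30 username EXPIRED-USER
!     -> in a lab, confirms whether the server answers with an expiry indication or a plain reject
```

When the change dialog does not appear even though password-management is configured, the first thing to verify is that the ACS side allows password changes for the user's identity store; the ASA can only relay the new password, not override a store that forbids the change.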

QUESTION 58 You want to issue the following block of commands on a Cisco ASA: ASA(config)#nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT You do not have CLI access to the ASA and must use ASDM instead. Which of the following samples of the Add NAT Rule dialog box corresponds to the configuration needed to achieve your goal? (Select the best answer.)

A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: The following sample of the Add NAT Rule dialog box corresponds to the Cisco Adaptive Security Appliance (ASA) configuration needed to achieve your goal using Cisco Adaptive Security Device Manager (ASDM):

In the exhibit shown above, the Match Criteria: Original Packet section of the Add NAT Rule dialog box contains fields that correspond to the interface and IP address information in a matching packet prior to translation. The Source Interface field specifies the real source interface, the Source Address field specifies the real source IP address, the Destination Interface field specifies the real destination interface, the Destination Address field specifies the real destination IP address, and the Service field specifies the real protocol port numbers for the original packet. By contrast, the Action: Translated Packet section of the Add NAT Rule dialog box contains fields that correspond to the mapped interface and IP address information in a matching packet after translation. The Source NAT Type field specifies the type of Network Address Translation (NAT), the Source Address field specifies the mapped source IP address, the Destination Address field specifies the mapped destination IP address, and the Service field specifies the mapped protocol numbers for the translated packet.

The sample Add NAT Rule dialog box configures the ASA to map the real source IP address traffic from any network attached to the DMZ network to the IP address assigned to the INSIDE interface. In addition, the mapped destination IP address defined in the INSIDESQLEXT object is mapped to the real destination IP address defined in the INSIDESQLINT object. The following diagram depicts the translation of the addresses within matching packets where INSIDESQLEXT has an IP address of 192.168.15.2 and INSIDESQLINT has an IP address of 192.168.13.2:

You could use the nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT command from global configuration mode to configure the same dynamic NAT rule as shown in the sample Add NAT Rule dialog box. When the nat command is issued from global configuration mode, it is referred to as the nat (global) command and it can be used to configure twice NAT on the ASA. Twice NAT enables you to specify a mapping for both the source address and destination address in a packet. The nat (global) command in this scenario can be used to create a dynamic NAT rule which translates traffic between the DMZ and INSIDE interfaces of the ASA. The abbreviated syntax to create a dynamic NAT rule with the nat (global) command is nat (real_interface,mapped_interface) source dynamic {real_object | any} {mapped_object | interface} destination static {mapped_object | interface} {real_object | any}. The following sample of the Add NAT Rule dialog box corresponds to the nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLINT INSIDESQLEXT command:

The following sample of the Add NAT Rule dialog box corresponds to the nat (INSIDE, DMZ) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT command:

The following sample of the Add NAT Rule dialog box corresponds to the nat (INSIDE, DMZ) source dynamic any interface destination static INSIDESQLINT INSIDESQLEXT command:

Reference: Cisco: Configuring Twice NAT: Configuring Dynamic PAT (Hide) Cisco: Cisco ASA Series Command Reference: nat (global)

QUESTION 59 You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:

Which of the following tunneling protocols are supported by the boson group policy? (Select the best answer.)

A. only clientless SSL VPN
B. only SSL VPN Client
C. only IPSec
D. both clientless SSL VPN and SSL VPN Client
E. both clientless SSL VPN and IPSec
F. clientless SSL VPN, SSL VPN Client, and IPSec

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: The boson group policy supports only IP Security (IPSec) as a tunneling protocol. You can specify the tunneling protocols that can be used to establish a connection to a tunnel group, which is also known as a connection profile, either in a group policy or within a user account, depending on whether the tunneling protocol configuration should be applied to a group or to a single user. When you configure a tunneling protocol, you can specify one or more of the following four options: Clientless SSL VPN, SSL VPN Client, IPSec, or L2TP/IPSec. In this scenario, you can view the tunneling protocols that are configured for the boson group policy by accessing the group policy information in Cisco Adaptive Security Device Manager (ASDM) by clicking Configuration, clicking the Remote Access VPN button, expanding Network (Client) Access, clicking Group Policies, and double-clicking the boson group policy, which will open the Edit Internal Group Policy dialog box. The More Options section on the General pane displays the Tunneling Protocols entry. This entry for the boson group policy is configured with the IPsec option, which means that the boson group policy supports only IPSec connections. The following exhibit displays the General pane of the Edit Internal Group Policy dialog box for the boson group policy:

Reference: Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 60 You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:

Which of the following IP address ranges will be used to assign addresses to VPN clients who connect by using the boson connection profile? (Select the best answer.)

A. 10.1.1.50 through 10.1.1.75
B. 10.1.10.50 through 10.1.10.75
C. 192.168.0.100 through 192.168.0.125
D. 192.168.10.100 through 192.168.10.125

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: Virtual private network (VPN) clients who connect by using the boson connection profile will be assigned an IP address in the range from 10.1.1.50 through 10.1.1.75. You can create a local IP address pool on a Cisco Adaptive Security Appliance (ASA) to deploy IP addresses to remote VPN clients. The IP address pool can then be applied to Cisco AnyConnect or IP Security (IPSec) connection profiles. To view the IP address pool that is associated with the boson connection profile in Cisco Adaptive Security Device Manager (ASDM), you should click Configuration, click the Remote Access VPN button, expand Network (Client) Access, click IPsec Connection Profiles, and then double-click boson, which will open the Edit IPsec Remote Access Connection Profile dialog box, as shown in the following exhibit:

The Client Address Pools entry indicates that the boson_remote address pool has been configured for this connection profile. To view the IP addresses associated with this address pool, you should expand Address Assignment under Network (Client) Access and then click Address Pools, which will display the Address Pools pane, as shown in the following exhibit:

On this pane, you can determine that the boson_remote address pool will distribute IP addresses in the range from 10.1.1.50 through 10.1.1.75. The boson_internal address pool will distribute IP addresses in the range from 10.1.10.50 through 10.1.10.75. The boson_extranet address pool will distribute IP addresses in the range from 192.168.0.100 through 192.168.0.125. The temporary address pool will distribute IP addresses in the range from 192.168.10.100 through 192.168.10.125. The boson_remote address pool will not distribute IP addresses in any of those other ranges. Reference: Cisco: Deploying the AnyConnect Cisco Mobility Client: Configure a method of address assignment

QUESTION 61 You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:

Which of the following group policies will be used when a user establishes a VPN connection by using the boson connection profile? (Select the best answer.)

A. internal
B. temporary
C. DfltGrpPolicy
D. boson

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: The boson connection profile will use the boson group policy. When creating an IP Security (IPSec) connection profile in Cisco Adaptive Security Device Manager (ASDM), you can specify a number of parameters. For example, you can specify the type of authentication to use and the default group policy to use for VPN connections made by using the connection profile. This information can be configured or modified on the Add or Edit IPsec Remote Access Connection Profile dialog box in ASDM. To access this dialog box in ASDM, you should click Configuration, click the Remote Access VPN button, expand Network (Client) Access, click IPsec Connection Profiles, and then double-click the connection profile that you want to view. The Edit IPsec Remote Access Connection Profile dialog box for the boson connection profile is shown in the following exhibit:

On the Basic pane, you can determine that the Group Policy setting is configured to use the boson group policy. Thus the boson connection profile will not use the DfltGrpPolicy, the internal, or the temporary group policies. Reference: Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles

QUESTION 62 You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:

Which of the following will occur when a user attempts to establish a VPN connection to the ASA by using the boson connection profile and the boson user account? (Select the best answer.)

A. The user will be unable to establish a VPN connection.
B. A banner will be displayed that states “Welcome to Boson Software!”
C. The internal group policy will be applied to the connection.
D. The VPN traffic will be sent by using only VLAN 2.

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: Of the choices available, a banner will be displayed that states “Welcome to Boson Software!” when a user attempts to establish a virtual private network (VPN) connection to the Cisco Adaptive Security Appliance (ASA) by using the boson connection profile and the boson user account. You can configure a banner message to be displayed when users establish a VPN connection. This information is configured in the group policy that is associated with the connection profile used to create the connection. In this scenario, the boson connection profile is associated with the boson group policy. The boson group policy is configured to inherit the banner settings from the default group policy, DfltGrpPolicy. You can view the banner settings by clicking Configuration, clicking the Remote Access VPN button, expanding Network (Client) Access, clicking Group Policies, and double-clicking the boson group policy, which will open the Edit Internal Group Policy dialog box, as shown in the following exhibit:

Therefore, to determine whether a banner message will be displayed, you should view the details of the DfltGrpPolicy group policy. By viewing the details of the default group policy, you can determine that a banner message has been configured that states “Welcome to Boson Software!” The following exhibit displays the details of the DfltGrpPolicy group policy:

Because the boson group policy inherits the Banner setting, VPN connections made by using connection profiles that use the boson group policy will display the “Welcome to Boson Software!” banner message. The boson user will be able to establish a VPN connection. There is nothing in the boson user’s profile settings that would prevent the user from making a VPN connection. Moreover, the user will also be able to establish a management session with the ASA, because the boson user has been granted administrative access to the device. The internal group policy will not apply to a VPN connection made by using the boson connection profile and the boson user account. The boson connection profile is associated with the boson group policy, not the internal group policy. The VPN traffic will not be sent by using only virtual LAN (VLAN) 2 when a user makes a VPN connection by using the boson connection profile and the boson user account. Although you can configure VLAN restrictions for a group policy, none have been configured in this scenario. Reference: Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 63 You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA. Please click exhibit to answer the following questions. Exhibit:

Which of the following users have been assigned to use the boson group policy? (Select the best answer.)

A. only jane
B. only john
C. only boson
D. both john and jane
E. john, jane, and boson

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: Both the john and jane user accounts have been configured to use the boson group policy. When configuring a user account, you can specify the group policy to associate with the user account. This is configured on the VPN Policy pane of the Add or Edit User Account dialog box. You can access the Add or Edit User Account dialog box in Cisco Adaptive Security Device Manager (ASDM) by clicking Configuration, clicking the Remote Access VPN button, expanding AAA/Local Users, clicking Local Users, double-clicking the user, and clicking VPN Policy, as shown in the following exhibit:

For both the john and jane user accounts, the Group Policy setting is configured to use the boson group policy. You can also view the group policy configuration for all users on the Local Users pane in ASDM. For example, in the following exhibit, the VPN Group Policy column indicates that only the john and jane user accounts are configured to use the boson group policy:

Reference: Cisco: Configuring AAA Servers and the Local Database: Configuring VPN Policy Attributes for a User

QUESTION 64 You manage your company’s Cisco devices by using Telnet. Your supervisor is concerned about eavesdropping over in-band device management and has asked you to recommend a solution that would allow you to disable the Telnet servers on each device. Which of the following are you most likely to recommend as a replacement? (Select the best answer.)


A. SNMPv3
B. SSH
C. SFTP
D. SCP

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: Most likely, you will recommend Secure Shell (SSH) as a replacement for Telnet as a method of in-band management on your company’s Cisco devices. SSH is a virtual terminal (VTY) protocol that can be used to securely replace Telnet. Telnet is considered to be an insecure method of remote connection because it sends credentials over the network in clear text. Therefore, you should replace Telnet with an encrypted application, such as SSH, where possible. Encryption is a method of encoding network traffic so that it cannot be read in transit. Thus encryption can be used to defeat eavesdropping attacks. You are not likely to recommend any version of Simple Network Management Protocol (SNMP) as a replacement for Telnet. However, if your company were using SNMP version 1 (SNMPv1) or SNMPv2 as a means of in-band management, you might recommend that your company use SNMPv3 instead. Three versions of SNMP currently exist. SNMPv1 and SNMPv2 do not provide encryption; password information, known as community strings, is sent as plain text with messages. SNMPv3 improves upon SNMPv1 and SNMPv2 by providing encryption, authentication, and message integrity to ensure that the messages are not tampered with during transmission. You are not likely to recommend either Secure File Transfer Protocol (SFTP) or Secure Copy (SCP) as a replacement for Telnet. However, either of those applications could replace File Transfer Protocol (FTP), which is a protocol that is used to exchange files between devices. FTP transmits all data as clear text. Both SFTP and SCP transmit information in an encrypted format. Reference: Cisco: Cisco Guide to Hardening IOS Devices: Use Secure Protocols When Possible Cisco: SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches): Versions of SNMP

QUESTION 65 Which of the following commands should you issue when troubleshooting basic IKE peering to determine whether PSKs are present and matching on both peers? (Select the best answer.)

A. ping
B. traceroute
C. show crypto isakmp policy
D. debug crypto isakmp

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: You should issue the debug crypto isakmp command to determine whether pre-shared keys (PSKs) are present and matching on both peers. If there is a PSK mismatch between the peers, you will see the 1d00h: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 failed its sanity check or is malformed debug error message. If a PSK is missing on one of the peers, you will see the 1d00h: %CRYPTO-4-IKMP_NO_PRESHARED_KEY: Preshared key for remote peer at 10.11.12.13 is missing debug error message. To create a PSK, issue the crypto isakmp key key {address ip-address [mask] | hostname name} [no-xauth] command. When troubleshooting basic Internet Key Exchange (IKE) peering, you should perform the following steps:
1. Verify that the peers can reach each other.
2. Verify that the IKE policies match on both peers.
3. Verify that the peers successfully authenticate each other.

To verify that the peers can reach each other, you can issue the ping command. A successful ping indicates that connectivity between the peers exists. If the ping is not successful, you can issue the traceroute command to see where the fault is occurring along the path between the two peers. To verify that the IKE policies match on both peers, you can issue the show crypto isakmp policy command to display the IKE phase 1 policy settings that are configured on the router, including the encryption algorithm, hash algorithm, authentication method, Diffie-Hellman (DH) key exchange mechanism, and security association (SA) lifetime. The following displays sample output from the show crypto isakmp policy command:

RouterA#show crypto isakmp policy
Global IKE policy
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               3600 seconds, no volume limit

To configure IKE phase 1 policy parameters, issue the crypto isakmp policy priority command to enter ISAKMP policy configuration mode, where you can issue the following commands:
- authentication
- encryption
- group
- hash
- lifetime
You can issue the debug crypto isakmp command to determine whether an IKE phase 1 policy mismatch is occurring. The debug error message 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0 will appear when there is a phase 1 policy mismatch between the peers.

To verify that the peers successfully authenticate each other, you should issue the debug crypto isakmp command. If the PSKs are present and matching on both peers, the IKE SA should establish successfully and communication between the sites should occur. Reference: Cisco: IPsec Troubleshooting: Understanding and Using debug Commands: debug crypto isakmp Cisco: Configuring Internet Key Exchange Version 2 (IKEv2): Example How a Policy Is Matched
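The three debug messages quoted in this explanation map directly onto the three troubleshooting steps, so a small triage script can tell an operator which step a captured debug crypto isakmp session has failed at. The following is an added example written for this page, not Cisco code or part of the original explanation; the log lines are constructed to mirror the message texts quoted above, and the category names and advice strings are the author's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Each pattern recognises one of the debug messages quoted in the explanation and
# maps it to the troubleshooting step it points at. The IOS message text for the
# missing-key case is matched with or without the hyphen in "Pre-shared".
PATTERNS = [
    (re.compile(r"IKMP_NO_PRESHARED_KEY: Pre-?shared key for remote peer at (?P<peer>\S+) is missing"),
     "psk_missing",
     "Step 3: no PSK is configured for this peer; add one with 'crypto isakmp key'"),
    (re.compile(r"IKMP_BAD_MESSAGE: IKE message from (?P<peer>\S+) failed its sanity check or is malformed"),
     "psk_mismatch",
     "Step 3: a PSK exists but does not match the peer; compare the keys on both sides"),
    (re.compile(r"ISAKMP \(\d+:\d+\): atts are not acceptable"),
     "policy_mismatch",
     "Step 2: no IKE phase 1 policy matches; compare 'show crypto isakmp policy' on both peers"),
]


@dataclass
class Finding:
    line_no: int
    category: str
    peer: Optional[str]   # peer address when the message carries one
    advice: str


def triage_isakmp_debug(log_text: str) -> List[Finding]:
    """Scan debug output line by line and return one Finding per recognised message."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for pattern, category, advice in PATTERNS:
            match = pattern.search(line)
            if match:
                # groupdict() only contains "peer" for the patterns that define it
                findings.append(Finding(line_no, category, match.groupdict().get("peer"), advice))
                break
    return findings


# Constructed sample of debug crypto isakmp output (not a real capture); the
# three error lines follow the message texts quoted in the explanation.
SAMPLE_DEBUG = """\
1d00h: ISAKMP (0:1): processing SA payload. message ID = 0
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 failed its sanity check or is malformed
1d00h: %CRYPTO-4-IKMP_NO_PRESHARED_KEY: Preshared key for remote peer at 10.11.12.13 is missing
1d00h: ISAKMP (0:1): SA is doing pre-shared key authentication
"""

if __name__ == "__main__":
    for f in triage_isakmp_debug(SAMPLE_DEBUG):
        print(f"line {f.line_no}: {f.category} peer={f.peer} -> {f.advice}")
```

Run against a real debug capture, the script reports the policy mismatch before the authentication failures, which matches the order of the troubleshooting steps: a phase 1 policy mismatch has to be resolved before PSK problems can be meaningfully diagnosed.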

QUESTION 66 Your company has installed and configured a Sourcefire device. You want to reduce false positives from a trusted source.

Which of the following could you do? (Select 2 choices.)

A. Configure an Allow action with an Intrusion Policy.
B. Configure a Block action with an Intrusion Policy.
C. Configure a Trust action.
D. Configure an Allow action without an Intrusion Policy.
E. Configure a Block action without an Intrusion Policy.
F. Configure a Monitor action.

Correct Answer: CD Section: (none) Explanation

Explanation/Reference: Explanation: You could configure a Sourcefire Allow action without an Intrusion Policy to reduce false positives from a trusted source. Alternatively, you could configure a Trust action. A false positive occurs when an intrusion detection system (IDS) or intrusion prevention system (IPS) identifies non-malicious traffic as malicious. Sourcefire devices are commercial Cisco IDSs based on the open-source IDS known as Snort. A Sourcefire device can match traffic based on a number of conditions, including security zones, networks, virtual LAN (VLAN) tags, source or destination ports, applications, Uniform Resource Locators (URLs), or users. The Sourcefire is also capable of handling traffic matching a given condition by applying an action, or rule, to the traffic. The actions that are supported by a Sourcefire include all of the following:
- Monitor
- Trust
- Block
- Interactive Block
- Allow
Configuring actions is a step in configuring granular access control rules, which in turn is part of developing an Access Control Policy. A Sourcefire can inspect and log traffic that is passed by the Allow action. Sourcefire inspection occurs when an Intrusion Policy is applied to this action. Applying an action without an Intrusion Policy performs the given action when traffic matches a condition but does not inspect the traffic. Therefore, you could apply an Allow action without an Intrusion Policy to allow all traffic matching a given condition and prevent that traffic from generating a false positive. Conversely, you might apply an Allow action with an Intrusion Policy to permit all but malicious traffic that matches a given condition. The Trust action allows traffic to pass uninspected and not logged. Therefore, the Trust action can never prevent malicious traffic from passing through the Sourcefire and will never generate false positives. You cannot configure a Block action with an Intrusion Policy.
In addition, you should not configure a Block action to prevent false positives in this scenario. The Block action blocks traffic and does not perform any type of inspection. You do not need to configure a Monitor action. The Monitor action does not determine whether traffic is blocked or allowed based on a matching condition; its purpose is to track traffic from the network. This action is primarily used to log all traffic that connects to the Sourcefire. The Monitor action will log the traffic even if it does not match any other condition and is not allowed to pass. Reference: Cisco: Options to Reduce False Positive Intrusion Events: 2. Trust or Allow Rule Cisco: FireSIGHT System User Guide Version 5.4.1: Using Rule Actions to Determine Traffic Handling and Inspection

QUESTION 67 Which of the following is a reason to use the round-robin assignment feature of dynamic PAT addresses? (Select the best answer.)

A. You want to send traffic to more than one remote device.
B. You want to map a single internal IP address to a single routable IP address.
C. You want to prevent the misinterpretation of traffic as a DoS attack.
D. You want to use a single mapped routable address.

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: You would use the round-robin assignment feature of dynamic Port Address Translation (PAT) addresses if you want to prevent the misinterpretation of traffic as a Denial of Service (DoS) attack. Dynamic PAT is a form of Network Address Translation (NAT) that enables IP source addresses to be translated from many unique IP addresses to one of a pool of routable IP addresses. NAT is most often used to conserve routable IP addresses on the public side of a NAT router. When PAT is configured, an inside local address, along with a port number, is typically mapped to a single inside global address. The NAT router uses port numbers to keep track of which packets belong to each host. Dynamic PAT is capable of mapping internal source addresses to more than one routable IP address. Some security appliances could mistake a large number of packets from a single IP address as a DoS attack attempt. Therefore, dynamic PAT supports the use of round-robin to enable internal IP source addresses to map to more than just one routable IP source address. By using dynamic PAT’s round-robin assignment of IP addresses, the risk of misidentification of large amounts of traffic as a DoS attack can be mitigated. You could use PAT if you wanted to translate many internal addresses to a single routable IP address. However, you would not need to use the dynamic PAT round-robin feature to achieve this task. Round-robin is used to cycle through a pool of routable IP addresses instead of translating to a single routable IP address. You would use static NAT to map a single internal IP address to a single routable IP address. Static NAT translates a single inside local IP address to a single inside global IP address; the static mapping is permanently present in the NAT translation table. It is therefore possible for someone on an outside network to access a device on an inside network by using its inside global IP address.
You would not need to use dynamic PAT if you want to send traffic to more than one remote device. PAT neither specifically enables nor specifically prevents the sending of traffic from one device to multiple remote devices. Reference: Cisco: Information About NAT: Dynamic PAT: Dynamic PAT Disadvantages and Advantages
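To make the difference between the two allocation behaviours concrete, the following is an added simulation written for this page, not ASA code and not part of the original explanation. It models a PAT pool in which each mapped address has a small port budget: in the default mode every port of one mapped address is consumed before the next address is used, whereas in round-robin mode each new connection takes the next address in the pool. The pool addresses, port budget and internal hosts are constructed values.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple


class DynamicPat:
    """Toy model of a dynamic PAT pool (constructed for this example, not the ASA implementation).

    Each mapped address has ports_per_address ports; every new connection consumes one
    port on whichever mapped address the allocation policy selects.
    """

    def __init__(self, pool: List[str], ports_per_address: int, round_robin: bool = False):
        self.pool = list(pool)
        self.ports_per_address = ports_per_address
        self.round_robin = round_robin
        self.used: Dict[str, int] = {addr: 0 for addr in self.pool}
        self.next_index = 0        # position in the pool, used only in round-robin mode
        self.xlate: List[Tuple[Tuple[str, int], Tuple[str, int]]] = []

    def _pick_address(self) -> Optional[str]:
        if self.round_robin:
            # Cycle through the pool; skip addresses whose ports are exhausted.
            for _ in range(len(self.pool)):
                addr = self.pool[self.next_index % len(self.pool)]
                self.next_index += 1
                if self.used[addr] < self.ports_per_address:
                    return addr
            return None
        # Default behaviour: exhaust one mapped address before moving to the next.
        for addr in self.pool:
            if self.used[addr] < self.ports_per_address:
                return addr
        return None

    def translate(self, real_src: str, real_port: int) -> Tuple[str, int]:
        """Allocate a mapped address and port for a new connection and record the xlate."""
        addr = self._pick_address()
        if addr is None:
            raise RuntimeError("PAT pool exhausted")
        mapped_port = 1024 + self.used[addr]
        self.used[addr] += 1
        self.xlate.append(((real_src, real_port), (addr, mapped_port)))
        return addr, mapped_port


def mapped_address_usage(round_robin: bool, connections: int = 12) -> Dict[str, int]:
    """Count how many connections land on each mapped address for a burst of new flows."""
    pat = DynamicPat(["203.0.113.10", "203.0.113.11", "203.0.113.12"],
                     ports_per_address=8, round_robin=round_robin)
    counts: Counter = Counter()
    for i in range(connections):
        # Four constructed inside hosts opening connections in turn.
        mapped_addr, _ = pat.translate(f"10.0.0.{i % 4 + 1}", 40000 + i)
        counts[mapped_addr] += 1
    return dict(counts)


if __name__ == "__main__":
    print("fill-first :", mapped_address_usage(round_robin=False))
    print("round-robin:", mapped_address_usage(round_robin=True))
```

With twelve new connections and eight ports per address, the default policy puts eight flows on the first mapped address and four on the second, so a downstream device sees most of the burst from a single source; round-robin spreads the same twelve flows evenly over all three addresses, which is the effect the explanation describes.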

QUESTION 68 You are configuring manual NAT on a Cisco Firepower device. Which of the following best describes the order in which the NAT rules will be processed? (Select the best answer.)

A. on a first-match basis in the order that they appear in the configuration
B. the most general rules first followed by the most specific rules
C. static rules first followed by dynamic rules
D. shortest prefix first followed by longer prefixes

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: The Firepower will process the Network Address Translation (NAT) rules on a first-match basis in the order that they appear in the configuration if you are configuring manual NAT. There are two methods of implementing NAT on a Cisco Firepower device: manual NAT and auto NAT. Of the two methods, auto NAT is the simplest to configure because NAT rules are configured as components of a network object. Both source and destination addresses are compared to the rules within the object. Manual NAT, on the other hand, enables you to specify both the source address and the destination address of a mapping in a single rule. Therefore, you can configure more granular mapping rules by using manual NAT. Both manual NAT rules and auto NAT rules are stored in the same translation table. The table is divided into three sections. Section 1 and Section 3 contain manual NAT rules, with Section 1 containing the most specific manual NAT rules and Section 3 containing the most general NAT rules. Section 2 contains auto NAT rules. When the Firepower matches traffic to the NAT translation table, manual NAT rules in Section 1 are processed first and in the order in which they were configured. Manual NAT rules are added to Section 1 by default. If a match is found, rules in Section 2 and Section 3 are ignored. If the traffic does not match any of the manual NAT rules in Section 1, the auto NAT rules in Section 2 are processed. Auto NAT rules are automatically ordered by the device. Regardless of the order in which you configured the rules in the network object, auto NAT will always attempt to match static rules before dynamic rules. In addition, auto NAT will always attempt to match the longest address prefix first, meaning that the rule that contains the smallest quantity of real IP addresses will be processed before rules containing a larger quantity of real IP addresses.
Therefore, a static NAT mapping that matches 10.10.10.0/24 will be processed before a dynamic NAT mapping that matches 10.10.10.10/32, even though the 10.10.10.10/32 address has a longer prefix. If the traffic matches one of the auto NAT rules, rules in Section 3 are ignored. If the traffic does not match any of the auto NAT rules, the device will next attempt to match the traffic to the Section 3 manual NAT rules. Similar to Section 1, the manual NAT rules in Section 3 are processed in the order that they appear in the configuration. However, you must specifically place manual NAT rules in this section because the device will not automatically place manual NAT rules there. Cisco recommends that the most general manual NAT rules be placed in this section, with the most specific of those general rules configured first. Reference: Cisco: Firepower Management Center Configuration Guide, Version 6.0.1: NAT Rule Order
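The three-section lookup described above is easy to get wrong when reading a mixed manual and auto NAT configuration, so the following added example models it as a small rule table. It is written for this page and is not Firepower or ASA code; the rule names, networks and the default destination of 0.0.0.0/0 for manual rules are constructed assumptions. It reproduces the ordering the explanation gives for Section 2 (static before dynamic, then the rule covering the fewest real addresses first, with network address and object name as tie-breakers) and walks Sections 1, 2 and 3 in turn on a first-match basis.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class NatRule:
    name: str
    kind: str                    # "manual" (twice NAT) or "auto" (object NAT)
    mode: str                    # "static" or "dynamic"
    real_src: str                # real source network the rule translates
    real_dst: str = "0.0.0.0/0"  # manual NAT may also match on the destination
    section: int = 1             # manual rules live in Section 1 (default) or Section 3

    def matches(self, src: str, dst: str) -> bool:
        src_ok = ip_address(src) in ip_network(self.real_src)
        if self.kind == "auto":
            return src_ok        # auto NAT only looks at the real source object
        return src_ok and ip_address(dst) in ip_network(self.real_dst)


def auto_nat_order(rule: NatRule):
    """Sort key for Section 2: static before dynamic, fewest real addresses
    (longest prefix) first, then lowest network address, then object name."""
    net = ip_network(rule.real_src)
    return (0 if rule.mode == "static" else 1, -net.prefixlen, int(net.network_address), rule.name)


class NatTable:
    def __init__(self, rules: List[NatRule]):
        # Sections 1 and 3 keep configuration order; Section 2 is ordered by the device.
        self.section1 = [r for r in rules if r.kind == "manual" and r.section == 1]
        self.section2 = sorted([r for r in rules if r.kind == "auto"], key=auto_nat_order)
        self.section3 = [r for r in rules if r.kind == "manual" and r.section == 3]

    def lookup(self, src: str, dst: str) -> Optional[NatRule]:
        """First-match walk through Section 1, then Section 2, then Section 3."""
        for section in (self.section1, self.section2, self.section3):
            for rule in section:
                if rule.matches(src, dst):
                    return rule
        return None


# Constructed rule set; names and networks are examples, not from the page.
RULES = [
    NatRule("after-auto-catchall", "manual", "dynamic", "0.0.0.0/0", section=3),
    NatRule("host-dyn", "auto", "dynamic", "10.10.10.10/32"),
    NatRule("subnet-static", "auto", "static", "10.10.10.0/24"),
    NatRule("dmz-to-partner", "manual", "static", "10.10.10.0/24", real_dst="192.0.2.0/24"),
]
TABLE = NatTable(RULES)


def which_rule(src: str, dst: str = "198.51.100.5") -> Optional[str]:
    rule = TABLE.lookup(src, dst)
    return rule.name if rule else None


if __name__ == "__main__":
    print("Section 2 order:", [r.name for r in TABLE.section2])
    print("10.10.10.10 -> 192.0.2.9 :", which_rule("10.10.10.10", "192.0.2.9"))
    print("10.10.10.10 -> other     :", which_rule("10.10.10.10"))
    print("172.16.0.1  -> other     :", which_rule("172.16.0.1"))
```

The second lookup is the case the explanation describes: the static /24 object rule is tried before the dynamic /32 one even though the /32 has the longer prefix, because rule type is compared before prefix length. A Section 1 manual rule that also matches the destination wins over both, and the Section 3 rule is only reached when nothing earlier matches.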

QUESTION 69 Which of the following is least likely to be considered a form of malware? (Select the best answer.)

A. bots
B. DDoS
C. Trojan horses
D. viruses

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: Of the available choices, a Distributed Denial of Service (DDoS) attack is least likely to be considered a form of malware. Malware, which is a term formed from the combination of the words malicious and software, is unwanted software that is specifically designed to be malicious. Malware can damage or disrupt systems, steal information from a user, or perform other unwanted and malicious actions. A DDoS attack is a coordinated Denial of Service (DoS) attack that uses multiple attackers to target a single host. For example, a large number of zombie hosts in a botnet could flood a target device with packets. Because the flood of packets originates from multiple hosts and typically targets public services, such as the web service, the target device might not detect the attack. If enough packets are sent to the target device within a short period of time, the target will be unable to respond to legitimate packets because it is waiting for a response to each of the requests originated by the attacker. Bots are forms of malware. A bot is a type of automated software that can be used as a remote command and control tool to exploit a compromised system for malicious purposes. For example, a botnet is a network of bots on compromised systems that can be used to carry out coordinated attacks, such as a DDoS attack. Viruses are forms of malware. A virus is a type of software that can make copies of itself and inject them into other software. Viruses can therefore spread across systems and networks. The level of damage that can be inflicted by a virus ranges from annoyances to destruction of data. Trojan horses are forms of malware. A Trojan horse is a malicious program that entices the user to execute it by appearing to be a legitimate application. Trojan horses can be used to annoy users, steal information, destroy data, or install back doors. Reference: Cisco: What Is the Difference: Viruses, Worms, Trojans, and Bots?

QUESTION 70 Which of the following occurs when an IDS or IPS does not identify malicious traffic that enters the network? (Select the best answer.)

A. a false positive
B. a false negative
C. a true positive
D. a true negative

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: A false negative occurs when an intrusion detection system (IDS) or intrusion prevention system (IPS) does not identify malicious traffic that enters the network. False negatives can often lead to disastrous network security problems. To properly secure a network, you should reduce the number of false negatives as much as possible by fine-tuning IDS and IPS rules, even if more false positives are reported. Penetration testing can help determine when an IDS or IPS is not detecting a genuine attack. A false positive occurs when an IDS or IPS identifies non-malicious traffic as malicious. Tuning must be performed to minimize the number of false positives while eliminating false negatives. Not only can too many false positives overburden a router, they can also overburden a network administrator because false positives must usually be verified as harmless. A true positive occurs when an IDS or IPS correctly identifies malicious traffic as malicious. For instance, a true positive occurs when a virus or an attack is identified and the appropriate action is taken. A true negative occurs when an IDS or IPS correctly identifies harmless traffic as harmless. For example, a true negative occurs when an administrator correctly enters a password or when Hypertext Transfer Protocol (HTTP) traffic is sent to a web server. Reference: Cisco: Cisco Secure IPS Excluding False Positive Alarms: False Positive and False Negative Alarms

QUESTION 71 Which of the following lost or stolen device options are available to employees when MDM is integrated with ISE? (Select 3 choices.)

A. report device as lost or stolen
B. initiate a PIN lock
C. initiate a full or corporate wipe
D. quarantine the device
E. revoke the device’s digital certificate

Correct Answer: ABC Section: (none) Explanation

Explanation/Reference: Explanation: When Mobile Device Management (MDM) platforms are integrated with Cisco Identity Services Engine (ISE), employees have the ability to report a device as lost or stolen, initiate a personal identification number (PIN) lock, or initiate a full or corporate wipe. A corporate wipe, which is also known as a selective wipe, removes only corporate data and applications from the device. A full wipe, which is also known as a factory reset, removes all data from the device. An employee is also capable of reinstating a device to gain access without having to re-register the device with ISE. Each of these options is available to the employee by using ISE’s My Devices portal. ISE is a next-generation Authentication, Authorization, and Accounting (AAA) platform with integrated posture assessment, network access control, and client provisioning. ISE integrates with a number of MDM frameworks, such as MobileIron and AirWatch. From ISE, you can easily provision network devices with native supplicants available for Microsoft Windows, Mac OS X, Apple iOS, and Google Android. The supplicants act as agents that enable you to perform various functions on the network device, such as installing software or locking the screen with a PIN lock. Only ISE administrators can quarantine a device and revoke the device’s digital certificate. However, administrators are also capable of performing wipes and PIN locks without user notification or intervention. Unlike employees, who initiate full wipes or corporate wipes by using the My Devices portal, an administrator initiates a wipe or a PIN lock by using the ISE Endpoints screen. Whether an administrator can initiate a full wipe or a corporate wipe depends on the MDM server policies and configuration. In a Bring Your Own Device (BYOD) environment, administrators will most likely be able to perform only a corporate wipe or a PIN lock on a device.
If the device is a corporate device that an employee is simply allowed to use, an administrator might be able to perform a full wipe from the Endpoints screen by selecting Full Wipe from the MDM Access dropdown menu. Administrators can additionally force connected devices off the network, add devices to the Blacklist Identity Group, and disable the device’s RSA SecurID token. Reference: Cisco: Managing a Lost or Stolen Device (PDF) Cisco: Managing Network Devices: Wiping or Locking a DeviceCategory: Secure Access

QUESTION 72 Which of the following private VLAN port types communicate only with promiscuous ports? (Select the best answer.)


A. community ports
B. isolated ports
C. SPAN ports
D. promiscuous ports

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: Isolated private virtual LAN (VLAN) ports can communicate only with promiscuous ports. Private VLANs can be configured on a switch to help isolate traffic within a VLAN. Private VLANs can provide Layer 2 separation between ports that belong to the same VLAN. Because the separation exists at Layer 2, the hosts can exist on the same IP subnet. The VLAN to which the hosts belong is called the primary VLAN. To create a private VLAN, you must create secondary VLANs and associate them with the primary VLAN. Community private VLAN ports can communicate with promiscuous ports and with other ports that belong to the same community. However, they cannot communicate with isolated ports or with ports that belong to other communities. Promiscuous ports can communicate with all other private VLAN port types. Switch Port Analyzer (SPAN) ports are not a private VLAN port type. SPAN is a means of monitoring traffic on a switch by copying packets from a source port to a monitored port or mirrored port. Reference: Cisco: Configuring Isolated Private VLANs on Catalyst Switches: Background Theory

QUESTION 73 On which of the following layers of the hierarchical network design model should you implement PortFast, BPDU guard, and root guard? (Select the best answer.)

A. only on core layer ports
B. only on distribution layer ports
C. only on access layer ports
D. only on core and distribution layer ports
E. on core, distribution, and access layer ports

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: You should implement PortFast, BPDU guard, and root guard only on access layer ports. PortFast, BPDU guard, and root guard are enhancements to Spanning Tree Protocol (STP). The access layer is the network hierarchical layer where end-user devices connect to the network. The distribution layer is used to connect the devices at the access layer to those in the core layer. The core layer, which is also referred to as the backbone, is used to provide connectivity to devices connected through the distribution layer.

PortFast reduces convergence time by immediately placing user access ports into a forwarding state. PortFast is recommended only for ports that connect to end-user devices, such as desktop computers. Therefore, you would not enable PortFast on ports that connect to other switches, including distribution layer ports and core layer ports. To enable PortFast, issue the spanning-tree portfast command from interface configuration mode.

BPDU guard disables ports that erroneously receive bridge protocol data units (BPDUs). User access ports should never receive BPDUs, because user access ports should be connected only to end-user devices, not to other switches. When BPDU guard is applied, the receipt of a BPDU on a port with BPDU guard enabled will result in the port being placed into a disabled state, which prevents loops from occurring. To enable BPDU guard, issue the spanning-tree bpduguard enable command from interface configuration mode.

Root guard is used to prevent newly introduced switches from being elected as the root. The device with the lowest bridge priority is elected the root. If an additional device is added to the network with a lower priority than the current root, it will become the new root. However, this could cause the network to reconfigure in unintended ways, particularly if an access layer switch were to become the root. To prevent this, root guard can be applied to ports that connect to other switches in order to maintain control over which switch is the root. Root guard is applied on a per-port basis with the spanning-tree guard root command.

Reference: Cisco: Campus Network for High Availability Design Guide: Spanning Tree Protocol Versions; Cisco: Campus Network for High Availability Design Guide: Best Practices for Optimal Convergence. Category: Security Concepts

QUESTION 74 Which of the following is the man-in-the-middle attack that is most likely to be used to cause a workstation to send traffic to a false gateway IP address? (Select the best answer.)

A. ARP spoofing
B. DHCP spoofing
C. MAC spoofing
D. switch spoofing

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: Dynamic Host Configuration Protocol (DHCP) spoofing is the man-in-the-middle attack that is most likely to be used to cause a workstation to send traffic to a false gateway IP address. In a DHCP spoofing attack, a rogue DHCP server is attached to the network in an attempt to intercept DHCP requests. The rogue DHCP server can then respond to the DHCP requests with its own IP address as the default gateway address so that all traffic is routed through the rogue DHCP server. DHCP snooping is a security technique that can be used to mitigate DHCP spoofing.

In an Address Resolution Protocol (ARP) poisoning attack, which is also known as an ARP spoofing attack, the attacker sends a gratuitous ARP (GARP) message to a host. The GARP message associates the attacker's Media Access Control (MAC) address with the IP address of a valid host on the network. Subsequently, traffic sent to the valid host address will go to the attacker's computer rather than to the intended recipient.

MAC spoofing makes network traffic from a device look as if it is coming from a different device. MAC spoofing is often implemented to bypass port security by making a device appear as if it were an authorized device. Malicious users can also use MAC spoofing to intercept network traffic that should be destined for a different device. ARP cache poisoning, content addressable memory (CAM) table flooding, and Denial of Service (DoS) attacks can all be performed by MAC spoofing.

Switch spoofing is a virtual LAN (VLAN) hopping attack that is characterized by using Dynamic Trunking Protocol (DTP) to negotiate a trunk link with a switch port in order to capture all traffic that is allowed on the trunk. In a switch spoofing attack, the attacking system is configured to act like a switch with a trunk port. This enables the attacking system to become a member of all VLANs, which enables the attacker to send and receive traffic among the other VLANs.

Reference: Cisco: DHCP Snooping: Overview of DHCP Snooping; Juniper Networks: Preventing DHCP Spoofing
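As an added example, not part of the exam material or of any Cisco feature, the following Python script shows how a defender can spot the two spoofing attacks described above in captured traffic summaries: DHCPOFFER messages from a server outside the trusted set (the rule DHCP snooping enforces on untrusted ports), and ARP replies, gratuitous or not, that rebind a known IP address to a different MAC address. The trusted server address, the gateway binding, and the sample records are all constructed for the example.

```python
"""Added example: spotting rogue DHCP offers and ARP rebinding in captured
packet summaries. All addresses and records below are constructed."""
from dataclasses import dataclass

# Assumption: the only legitimate DHCP server on this segment.
TRUSTED_DHCP_SERVERS = {"10.1.1.2"}


@dataclass(frozen=True)
class DhcpOffer:
    server_ip: str        # source address of the DHCPOFFER
    client_mac: str       # client the offer is addressed to
    router_option: str    # option 3: default gateway handed to the client


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    target_ip: str        # equals sender_ip for a gratuitous ARP (GARP)


def rogue_dhcp_offers(offers):
    """DHCP snooping drops server messages that arrive on untrusted ports.
    Applied to a capture, the same rule flags offers from any server that
    is not in the trusted set."""
    return [o for o in offers if o.server_ip not in TRUSTED_DHCP_SERVERS]


class ArpMonitor:
    """Track IP-to-MAC bindings and flag a reply that rebinds a known IP
    address to a different MAC address, the signature of ARP poisoning."""

    def __init__(self, static_bindings=None):
        self.bindings = dict(static_bindings or {})
        self.alerts = []

    def observe(self, reply):
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = reply.sender_mac   # first sighting: learn it
        elif known != reply.sender_mac:
            kind = "gratuitous ARP" if reply.target_ip == reply.sender_ip else "ARP reply"
            self.alerts.append(
                f"{kind} rebinds {reply.sender_ip} from {known} to {reply.sender_mac}")
        return self.alerts


def run_demo():
    """Return (rogue offers, ARP alerts) for a constructed capture."""
    offers = [
        DhcpOffer("10.1.1.2", "00:11:22:33:44:55", "10.1.1.1"),    # legitimate server
        DhcpOffer("10.1.1.77", "00:11:22:33:44:66", "10.1.1.77"),  # rogue: names itself as gateway
    ]
    # Constructed static binding for the real default gateway.
    monitor = ArpMonitor(static_bindings={"10.1.1.1": "aa:bb:cc:00:00:01"})
    replies = [
        ArpReply("10.1.1.50", "00:11:22:33:44:55", "10.1.1.1"),   # ordinary reply, learned
        ArpReply("10.1.1.1", "aa:bb:cc:00:00:01", "10.1.1.1"),    # gateway's own GARP, consistent
        ArpReply("10.1.1.1", "de:ad:be:ef:00:01", "10.1.1.1"),    # GARP claiming the gateway IP
    ]
    for reply in replies:
        monitor.observe(reply)
    return rogue_dhcp_offers(offers), monitor.alerts


if __name__ == "__main__":
    rogue, alerts = run_demo()
    print("rogue DHCP offers:", [o.server_ip for o in rogue])
    print("ARP alerts:", alerts)
```

On a real switch the equivalent controls are DHCP snooping (trusted versus untrusted ports) and Dynamic ARP Inspection, which validates ARP packets against the snooping binding table; the script only reproduces the decision logic over a capture so the two checks can be seen side by side.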

QUESTION 75 On a Cisco ASA, which of the following RADIUS authentication protocols are not supported? (Select 2 choices.)

A. CHAP
B. EAP-MD5
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2

Correct Answer: BD Section: (none) Explanation

Explanation/Reference: Explanation: Neither Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) nor Protected EAP (PEAP) is supported by the Remote Authentication Dial-In User Service (RADIUS) server on a Cisco Adaptive Security Appliance (ASA). RADIUS is an Authentication, Authorization, and Accounting (AAA) server that uses User Datagram Protocol (UDP) for packet delivery. RADIUS and Terminal Access Controller Access Control System Plus (TACACS+) server groups on a Cisco ASA support Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP version 1 (MS-CHAPv1), and Password Authentication Protocol (PAP). A Cisco ASA supports a number of different AAA server types, such as RADIUS, TACACS+, Lightweight Directory Access Protocol (LDAP), Kerberos, and RSA Security Dynamics, Inc. (SDI) servers.

When authenticating with a TACACS+ server, a Cisco ASA can use the following authentication protocols:
- ASCII
- PAP
- CHAP
- MS-CHAPv1

When authenticating with a RADIUS server, a Cisco ASA can use the following authentication protocols:
- PAP
- CHAP
- MS-CHAPv1
- MS-CHAP version 2 (MS-CHAPv2)
- Authentication Proxy Mode (for example, RADIUS to RSA/SDI, RADIUS to Active Directory, and others)

Reference: Cisco: Configuring AAA Servers and the Local Database: RADIUS Server Support; Cisco: Configuring AAA Servers and the Local Database: TACACS+ Server Support

QUESTION 76 Which of the following is the best reason to enforce blacklisting by security zone on a Cisco device that uses the Security Intelligence IP Address Reputation feature? (Select the best answer.)

A. to streamline performance of the IPS device
B. to ensure that local hosts can communicate with a given IP address
C. to validate a blacklist feed that has been obtained from a third party
D. to manually control which networks are blocked by the IPS

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: Most likely, you would enforce blacklisting by security zone to streamline performance of the intrusion prevention system (IPS) device. Enforcing blacklisting by security zone can be used to enhance the performance of a Security Intelligence device by limiting the blacklisting to the specific security zones that process the given traffic. For example, the blacklisting of IP addresses that send email traffic could be restricted to a security zone that handles only email traffic.

You would configure the monitor-only setting if you wanted to validate a blacklist feed that has been obtained from a third party. Security Intelligence devices, such as a Cisco Sourcefire IPS, are capable of accepting manually imported lists of network addresses or feeds from third parties. Such devices can block IP addresses or networks based on their reputation, which mitigates the device overhead that comes from having to analyze traffic from those networks. The monitor-only setting enables traffic from networks that are listed within a given feed to be analyzed by the Security Intelligence device, but also logs the fact that the given network matches the third-party feed. This enables an administrator to review the logs and the analysis of traffic from networks on the feed to determine the validity of the feed.

You would add IP addresses to a custom whitelist to ensure that local hosts can communicate with a given IP address. On Security Intelligence devices, whitelists can be used to override blacklisted IP addresses. Whitelists can thus be used to enable communication with legitimate IP addresses that are listed on third-party feeds or other blacklists that might be too broadly defined. From an administrative overhead standpoint, you should first validate the feed, then implement the feed, and finally add IP addresses or networks to the whitelist as necessary.

You would configure a custom blacklist to manually control which networks are blocked by the IPS. Security Intelligence devices allow the creation of custom blacklists so that you can manually block specific IP addresses or networks.

Reference: Cisco: Blacklisting Using Security Intelligence IP Address Reputation: Choosing a Security Intelligence Strategy

QUESTION 77 Which of the following is not true of SIM systems? (Select the best answer.)

A. They perform real-time threat detection.
B. They focus on policy and standards compliance.
C. They consolidate logs to a central server.
D. They analyze log data and report findings.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: Security Information Management (SIM) systems do not perform real-time analysis and detection. SIM systems are focused more on the collection and analysis of logs in a non-real-time fashion. For example, a SIM system might centralize logging on a single device for review and analysis. Some SIM systems also provide assessment tools that can flag potentially threatening events.

Security Event Management (SEM) systems perform real-time analysis and detection. SEM systems typically analyze log data from a number of sources. Some systems also incorporate incident handling tools that enable administrators to more effectively mitigate threats when they occur.

A Security Information and Event Management (SIEM) system combines both the real-time aspects of a SEM system and the in-depth analysis and timeline generation of a SIM system. Therefore, a SIEM system is a hybrid of a SIM system and a SEM system.

Reference: SANS: IDFAQ: What is The Role of a SIEM in Detecting Events of Interest?; Search Security: Tech Target: security information and event management (SIEM)

QUESTION 78 In the Cisco ISE GUI, you click Administration > Certificates > Certificate Store and notice that a SCEP NDES server RA certificate is installed on the ISE node. Which of the following best describes the reason the certificate is there? (Select the best answer.)

A. The ISE is a SCEP proxy for a Windows CA.
B. The ISE is a CA for the Windows AD domain.
C. The ISE has been compromised, and the CA chain has been altered.
D. The ISE requires the CA in order to mitigate a Windows Server SCEP bug.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: The Cisco Identity Services Engine (ISE) is a Simple Certificate Enrollment Protocol (SCEP) proxy for a Windows certificate authority (CA) if you notice that a SCEP Network Device Enrollment Service (NDES) server registration authority (RA) certificate is installed in the ISE's Certificate Store. Implementing ISE as a SCEP proxy enables bring your own device (BYOD) users to register their devices on their own, without administrative overhead from the IT department. The ISE is not a CA for the Windows Active Directory (AD) domain. When configured with a SCEP CA profile, the ISE will contain a SCEP NDES server RA certificate in the Certificate Store. RAs verify requests for certificates and enable the CA to issue them. The ISE does not require the CA in order to mitigate a Windows Server SCEP bug. However, configuring ISE as a SCEP proxy to a Microsoft Windows 2008 R2 Server does require the installation of some Microsoft SCEP implementation hotfixes. There is nothing in this scenario to indicate that the ISE has been compromised. In addition, there is no reason to suspect that the CA chain has been altered. Reference: Cisco: ISE SCEP Support for BYOD Configuration Example: Configure ISE as a SCEP proxy

QUESTION 79 You issue the following commands on a Cisco router: tacacs-server host ts1 timeout 30 and tacacs-server timeout 20. Which of the following is true about how the Cisco router communicates with the TACACS+ server? (Select the best answer.)

A. The router will maintain an open TCP connection.
B. The router will maintain an open TCP connection for no more than 20 seconds.
C. The router will wait 20 seconds for the server to reply before declaring an error.
D. The router will wait 30 seconds for the server to reply before declaring an error.

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: The router will wait 30 seconds for the server to reply before declaring an error. The tacacs-server host ts1 timeout 30 command in this scenario configures a router to connect to a Terminal Access Controller Access Control System Plus (TACACS+) server named ts1. The timeout 30 keyword in this command configures the router to wait 30 seconds for the server to reply before declaring an error. The router will wait 30 seconds, not 20 seconds, for the server to reply before declaring an error. If the timeout 30 keyword had not been specified in this scenario, the tacacs-server timeout 20 command would have configured the router to wait 20 seconds for the server to reply before declaring an error. The per-host timeout 30 keyword in this scenario overrides the global value assigned by the tacacs-server timeout command.

The router will not maintain an open Transmission Control Protocol (TCP) connection, because the single-connection keyword has not been issued in this scenario. The single-connection keyword configures the router to maintain an open connection to the TACACS+ server. When the single-connection keyword is not configured, a Cisco router will open and close a TCP connection to the TACACS+ server each time it needs to perform an operation. When the single-connection keyword is configured, the router connects to the TACACS+ server and maintains that connection even when it is not performing an operation. This setting enhances the efficiency of the communications between the router and the TACACS+ server because the router does not have to constantly close and open connections.

Reference: Cisco: Configuring TACACS+: Identifying the TACACS+ Server Host

QUESTION 80 You are configuring VPN access for Cisco AnyConnect clients. You finish the configuration by establishing a fail open policy. Which of the following is true of AnyConnect clients that fail to establish a VPN session? (Select the best answer.)

A. They are granted full access to the local network, but without security.
B. They are granted full access to the local network, including security.
C. They are denied full network access, except for local resources.
D. They are denied full network access, including local resources.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: Cisco AnyConnect clients that fail to establish a virtual private network (VPN) session under a fail open policy are granted full access to the local network, but without the security provided by the Cisco AnyConnect VPN service. Connect failure policies are typically applied when the Cisco AnyConnect always-on feature is configured. The always-on feature enables Cisco AnyConnect clients to establish a VPN session automatically whenever the client detects that the host is connected to an untrusted network. For example, a laptop that is used both on a corporate LAN and for remote work might be configured to automatically connect to the corporate VPN whenever the laptop is not directly connected to the corporate LAN. However, any number of problems could prevent the client from actually establishing a connection to the VPN.

There are two types of connect failure policies that you can enable for Cisco AnyConnect always-on clients. The fail open policy allows the client to complete a connection to the local network for access to the Internet or local resources. However, because a VPN session has not been established, the security of the AnyConnect device that is connected to the remote network could be compromised. The fail closed policy, on the other hand, prevents all network access from the Cisco AnyConnect client except to local devices and devices that are available by using split tunneling. This extra layer of security could prevent the user from accessing the Internet and thus could compromise productivity if the user relies on Internet access to complete work-related tasks. Because the fail closed policy is so restrictive, Cisco recommends implementing it by using a phased approach that includes initially implementing fail open and surveying user activity for AnyConnect issues that might prevent seamless connections.

Reference: Cisco: Configuring VPN Access: Connect Failure Policy for Always-on VPN

QUESTION 81 Which of the following web application threats is not typically mitigated by installing a WAF? (Select the best answer.)

A. exploits related to uncloaked error messages
B. exploits against known vulnerabilities
C. exploits related to directory traversal vulnerabilities
D. exploits against unknown vulnerabilities
E. exploits related to viruses in file uploads

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: Of the available choices, exploits related to unknown vulnerabilities are not typically mitigated by installing a web application firewall (WAF). A WAF sits between a web application and the end user in order to protect the application from malicious activity and known vulnerabilities. Therefore, by installing a WAF, it is possible to protect a vulnerable web application without modifying the application code. WAFs are not typically capable of protecting a web application against unknown vulnerabilities. WAFs can protect against known or common unpatched web application vulnerabilities by using techniques such as cloaking to protect against information leakage related to uncloaked error messages, encrypting Uniform Resource Locators (URLs) to protect against exploits related to directory traversal, and checking file uploads for viruses. Reference: OWASP: Category:OWASP Best Practices: Use of Web Application Firewalls

QUESTION 82 Which of the following is a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring? (Select the best answer.)

A. anomaly detection
B. global correlation
C. reputation filtering
D. a signature definition
E. a threat rating

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: A signature definition is a set of rules to which a Cisco Intrusion Prevention System (IPS) appliance can compare network traffic to determine whether an attack is occurring. If the network activity matches a signature definition, IPS can trigger a specific response from other defined event action rule sets, such as denying traffic from a host or alerting an administrator. IPS administrators can manually configure signature definitions in Cisco IPS Device Manager (IDM) or use the Signature Wizard to create custom signature definitions.

Global correlation is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring. Global correlation enables IPS sensors to allow or deny traffic based on the reputation of the sending device. When you enable global correlation, IPS devices will periodically receive updates that include information about known malicious devices on the Internet from the Cisco SensorBase Network. In addition, global correlation will send statistical information about attacks against your company's network to the Cisco SensorBase Network. Cisco uses that information to detect threat patterns on the Internet.

Reputation filtering is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring. Reputation filtering denies packets from hosts that are considered to have a malicious reputation based on the global correlation information that is available from the Cisco SensorBase Network. Reputation filtering is different from global correlation inspection in that reputation filtering denies traffic before the traffic is compared to any signature definitions. In addition, reputation filtering does not generate alerts.

Anomaly detection is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring. Anomaly detection enables IPS to learn what type of network activity is normal activity for the network that is being protected. If a network starts to become congested by traffic that is generated by a worm or if a host that is infected with a worm connects to the network and attempts to infect other hosts, the anomaly detection feature can trigger a specific response, such as denying traffic from the infected host or alerting an administrator.

A threat rating is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring. A threat rating is an event action risk rating that has been lowered because of a specific action taken by IPS. A risk rating is a numerical representation of the risk presented to a network by a specific attack. Risk ratings can range from 0 through 100. Depending on the actions IPS has taken in response to an event, IPS will subtract a value from the threat rating of the event. For example, if IPS responds to a specific event by issuing a request to block the attacking host, a value of 20 will be subtracted from the threat rating.

Reference: Cisco: Defining Signatures: Understanding Signatures

QUESTION 83 Which of the following describes the primary difference between PGP and S/MIME? (Select the best answer.)

A. PGP can be used to encrypt disk drives, but S/MIME cannot.
B. PGP can use SHA-1 for data integrity, but S/MIME cannot.
C. S/MIME can be used to encrypt email messages, but PGP cannot.
D. S/MIME can use RSA for digital signatures, but PGP cannot.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: The primary difference between Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME) is that PGP can be used to encrypt not only email messages, but also files and entire disk drives. PGP is software that uses an asymmetric encryption method to encrypt information. To encrypt a file or a message by using PGP, you must use the recipient's public key. The recipient will then use his or her private key to decrypt the file or message.

Although PGP is an application and S/MIME is a standards-based protocol, both can be used to provide confidentiality, integrity, and non-repudiation for email messages. Confidentiality is provided by an encryption method, such as Triple Data Encryption Standard (3DES or TDES). Integrity is provided by a hashing algorithm, such as Secure Hash Algorithm 1 (SHA-1). Non-repudiation is provided by creating digital signatures with an asymmetric encryption method, such as RSA. Many modern operating systems (OSs) offer their own built-in support for file-level and disk-level encryption. Therefore, third-party software is often no longer necessary for encrypting files.

Reference: Search Security: Tech Target: Pretty Good Privacy (PGP); Microsoft TechNet: Understanding S/MIME

QUESTION 84 Which of the following failover link configurations can leave an ASA vulnerable to replay attacks? (Select the best answer.)

A. connecting the active and standby units directly with a crossover cable
B. connecting the active and standby units to a dedicated VLAN on a switch
C. sharing a regular data interface with the stateful failover link
D. sharing the LAN failover link with the stateful failover link
E. using a dedicated Ethernet interface as the stateful failover link

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: Sharing a regular data interface with the stateful failover link on a Cisco Adaptive Security Appliance (ASA) can leave the ASA vulnerable to replay attacks. A replay attack is a type of man-in-the-middle attack in which the attacker uses a packet sniffer to capture legitimate network data, such as authentication tokens and pre-shared keys, and then replays the data to a target. In addition, the attacker might delay or modify the captured data before directing it to the target. On an ASA, all LAN failover and stateful failover information is transmitted as clear text by default. Therefore, sharing the stateful failover link with a regular data interface can unnecessarily expose virtual private network (VPN) configuration information, such as user names, passwords, and pre-shared keys (PSKs), to malicious users on the shared network segment. You can mitigate this risk by configuring a failover key on both the active unit and the standby unit to protect failover information. Cisco strongly recommends using a dedicated Ethernet interface or sharing a LAN failover link instead of sharing the stateful failover link with a regular data interface.

ASAs can be configured to participate in either a stateless or a stateful failover implementation. In a stateless failover implementation, the active unit and standby unit use a dedicated LAN link, known as a LAN failover link, for failover traffic. The LAN failover link can use any unnamed Ethernet interface and can connect the failover pair directly, with either a straight-through or crossover Ethernet cable, or through a switch, with no other devices on the same network segment or virtual LAN (VLAN) as the failover pair. Although all failover traffic is sent as clear text by default, a LAN failover link does not leave an ASA vulnerable to replay attacks because the failover pair is either directly connected or connected through a dedicated VLAN.

By contrast, the failover link between two ASAs in a stateful failover implementation can use a dedicated Ethernet link, a shared LAN failover link, or a shared regular data interface. If a dedicated Ethernet link is used for stateful failover, it must follow the same connectivity guidelines as a LAN failover link: it can be either a direct connection or a dedicated VLAN on a switch. Like a LAN failover link, a stateful failover link using either a dedicated Ethernet link or a shared LAN failover link does not leave an ASA vulnerable to replay attacks because the failover pair is either directly connected or connected through a dedicated VLAN.

Reference: Cisco: Information About High Availability: Stateful Failover Link. Category: Cisco Firewall Technologies

QUESTION 85 Which of the following fields make up the header of an ESP packet? (Select 2 choices.)

A. Next Header
B. Pad Length
C. Padding
D. Security Parameter Index
E. Sequence Number

Correct Answer: DE Section: (none) Explanation

Explanation/Reference: Explanation: The Security Parameter Index (SPI) and Sequence Number fields make up the header of an Encapsulating Security Payload (ESP) packet. ESP is an IP Security (IPSec) protocol that provides data integrity and confidentiality for IP traffic. The ESP header is always part of the authenticated data in an ESP packet, but the ESP header itself is never encrypted. By contrast, the ESP trailer, which is made up of the Padding, Pad Length, and Next Header fields, is always part of the authenticated data and is always encrypted. The following diagram illustrates the ESP packet format:

ESP can operate in transport mode or tunnel mode. In transport mode, ESP encrypts only the original payload data and the resultant ESP trailer, leaving the original IP header unencrypted. The following diagram illustrates the components of an ESP packet in transport mode:

In tunnel mode, ESP encrypts the entire packet, including the original IP header, the original payload data, and the resultant ESP trailer. The following diagram illustrates the components of an ESP packet in tunnel mode:

Reference: IETF: RFC 4303: IP Encapsulating Security Payload (ESP): 2. Encapsulating Security Payload Packet Format
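As an added example, not part of the exam material or of RFC 4303, the following Python script assembles and parses an ESP packet in the layout described above: the SPI and Sequence Number header, the payload, the Padding, Pad Length and Next Header trailer, and the ICV that authenticates header, payload and trailer together. It uses a NULL cipher so that the trailer stays readable, assumes an HMAC-SHA-256-128 integrity algorithm (a real security association negotiates this), and, going a step beyond the question, adds the anti-replay window that the Sequence Number field exists to support. The key, addresses and packets are constructed.

```python
"""Added example: build and parse an ESP packet (RFC 4303 layout) with a
NULL cipher so the trailer is visible, plus a minimal anti-replay window.
Keys and packets are constructed; this is not production IPsec code."""
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868): the SHA-256 HMAC truncated to 128 bits
ESP_HEADER = struct.Struct("!II")  # Security Parameter Index, Sequence Number


def build_esp(spi, seq, payload, next_header, auth_key):
    """Return SPI | Seq | payload | Padding | Pad Length | Next Header | ICV.
    With a NULL cipher the payload and trailer go out as-is; the ICV is
    computed over everything before it, so the header is authenticated but
    never encrypted, and the trailer is both authenticated and (here, trivially)
    encrypted, exactly as the explanation above describes."""
    pad_len = (-(len(payload) + 2)) % 4       # right-align the trailer on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))    # RFC 4303 default padding: 1, 2, 3, ...
    body = ESP_HEADER.pack(spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def parse_esp(packet, auth_key):
    """Verify the ICV first, then split the packet into its fields."""
    if len(packet) < ESP_HEADER.size + 2 + ICV_LEN:
        raise ValueError("packet too short for an ESP header, trailer and ICV")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = ESP_HEADER.unpack_from(body)
    pad_len, next_header = body[-2], body[-1]
    trailer_start = len(body) - 2 - pad_len
    if trailer_start < ESP_HEADER.size:
        raise ValueError("Pad Length larger than the payload")
    # Next Header 4 (IPv4) or 41 (IPv6) means a whole IP packet is inside: tunnel mode.
    # A transport protocol number such as 6 (TCP) or 17 (UDP) means transport mode.
    mode = "tunnel" if next_header in (4, 41) else "transport"
    return {
        "spi": spi,
        "seq": seq,
        "payload": body[ESP_HEADER.size:trailer_start],
        "padding": body[trailer_start:len(body) - 2],
        "pad_len": pad_len,
        "next_header": next_header,
        "mode": mode,
    }


class ReplayWindow:
    """Anti-replay check on the Sequence Number (RFC 4303 section 3.4.3):
    reject duplicates inside the window and anything older than the window."""

    def __init__(self, size=64):
        self.size, self.highest, self.seen = size, 0, set()

    def accept(self, seq):
        if seq == 0 or seq <= self.highest - self.size or seq in self.seen:
            return False
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.size}  # slide the window
        return True


if __name__ == "__main__":
    key = b"constructed-auth-key"
    pkt = build_esp(0x1000, 1, b"hello world", 6, key)
    print(parse_esp(pkt, key))
```

The ICV check comes before any field is interpreted, which is the order a real ESP implementation uses: a forged or modified packet is dropped before its Pad Length could be used to index into the buffer.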

QUESTION 86 You want to use the authentication event no-response action authorize vlan 101 command to ensure that network devices incapable of using 802.1X authentication are automatically placed into VLAN 101, which is the guest VLAN. Which of the following VLAN types can you specify as an 802.1X guest VLAN? (Select the best answer.)

A. a primary private VLAN
B. a secondary private VLAN
C. a voice VLAN
D. an RSPAN VLAN

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: Of the choices available, you can configure a secondary private virtual LAN (VLAN) as an 802.1X guest VLAN with the authentication event no-response action authorize vlan 101 command. The authentication event no-response action authorize vlan command specifies the VLAN into which a switch should place a port if it does not receive a response to the 802.1X Extensible Authentication Protocol over LAN (EAPoL) request/identity frames it sends on that port. The VLAN ID must be a number from 1 through 4094 and can be any active VLAN except a Remote Switched Port Analyzer (RSPAN) VLAN, a primary private VLAN, or a voice VLAN. In addition, a guest VLAN can be configured only on access ports, not on routed ports or trunk ports. When a guest VLAN is configured, the switch grants non-802.1X-capable clients access to the guest VLAN; however, if an 802.1X-capable device is detected on the port (that is, the switch receives an EAPoL frame), the switch returns the port to the unauthorized state in its configured access VLAN and restarts authentication, which denies access to all devices on the port until authentication succeeds.

You can use the authentication event fail action command to specify how the switch should react if an 802.1X client is detected and the client fails to authenticate. There are two configurable parameters: next-method and authorize vlan vlan-id. The authorize vlan vlan-id parameter configures a restricted VLAN, which is functionally similar to the guest VLAN but is used for clients that failed authentication rather than clients that did not respond. The next-method parameter configures the switch to attempt authentication by using the next authentication method specified in the authentication order command. For example, if the authentication order dot1x mab webauth command has been configured and 802.1X authentication fails, the switch will attempt to use MAC Authentication Bypass (MAB) to authenticate the client based on its Media Access Control (MAC) address; if MAB fails, the switch will attempt web-based authentication. If the next-method parameter is configured, the switch will cycle through the authentication methods indefinitely unless Web Authentication (WebAuth) is configured. If WebAuth is configured, the authentication process does not loop back to the other methods, and the switch ignores EAPoL messages on the port once WebAuth has started.

Reference: Cisco: Configuring IEEE 802.1x Port-Based Authentication: Configuring a Guest VLAN
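The following configuration is an added example and is not part of the exam guide. It places one access port under 802.1X with MAB as the fallback method, sends hosts that never answer EAPoL to guest VLAN 101 (the VLAN from the question) and hosts that fail authentication to a restricted VLAN. The interface name, the restricted VLAN number (102), the RADIUS server address and the shared secret are assumed values; the radius server block uses the IOS 15.x syntax.

```cisco
! Added example (not the exam guide's own configuration).
! Assumed: Gi1/0/5 is a user-facing access port, VLAN 10 is the normal data VLAN,
! VLAN 102 is the restricted VLAN, 192.0.2.10 is the RADIUS server.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ExampleSharedSecret
dot1x system-auth-control
!
vlan 101
 name GUEST
vlan 102
 name RESTRICTED
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 ! try 802.1X first, then MAB for devices that cannot speak EAPoL
 authentication order dot1x mab
 authentication priority dot1x mab
 ! no EAPoL response at all -> guest VLAN 101 (the VLAN from the question)
 authentication event no-response action authorize vlan 101
 ! 802.1X supplicant present but credentials rejected -> restricted VLAN 102
 authentication event fail action authorize vlan 102
 dot1x pae authenticator
 ! tx-period x (max-reauth-req + 1) = 10 s x 3 = 30 s before the no-response action fires
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
!
! Verification: shows the method that succeeded and the VLAN the port landed in
! show authentication sessions interface GigabitEthernet1/0/5 details
! show dot1x interface GigabitEthernet1/0/5 details
```

The tx-period and max-reauth-req values matter in practice: with the IOS defaults (30 seconds and 2 retries) a printer or phone waits 90 seconds before it is dropped into the guest VLAN, which is long enough for its DHCP client to give up.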

QUESTION 87 Which of the following statements is true about network traffic event logging in Cisco FireSIGHT Management Center? (Select the best answer.)

A. Beginning-of-connection events contain less information than end-of-connection events. B. Performance is optimized by logging both beginning-of-connection events and end-of-connection events. C. You can log only beginning-of-connection events for encrypted connections handled by an SSL policy. D. You can log only end-of-connection events for blocked traffic.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: In Cisco FireSIGHT Management Center, beginning-of-connection events contain less information than end-of-connection events. Cisco FireSIGHT Management Center, which was formerly called Sourcefire Defense Center, can log beginning-of-connection and end-of-connection events for various types of network traffic. Although most network traffic will generate both kinds of events, blocked or blacklisted traffic is typically denied without further processing and therefore generates only beginning-of-connection events. Beginning-of-connection events contain a limited amount of information because they are generated from the first few packets of a connection. By contrast, end-of-connection events are generated when a connection closes, times out, or can no longer be tracked because of memory constraints. End-of-connection events contain significantly more information because they can draw upon data collected throughout the course of the connection (byte counts, duration, application and URL identification, and so on). This additional information can be used to create traffic profiles, generate connection summaries, or graphically represent connection data; it can also be used for detailed analysis or to trigger correlation rules based on session data. Logging both event types for every connection roughly doubles the event volume, so it costs performance rather than optimizing it. End-of-connection events are also required to log encrypted connections that are handled by a Secure Sockets Layer (SSL) policy because there is not enough information in the first few packets to indicate that a connection is encrypted. Reference: Cisco: Logging Connections in Network Traffic: Logging the Beginning or End of Connections

QUESTION 88 Which of the following are asymmetric algorithms? (Select 3 choices.)


A. DH B. AES C. 3DES D. ECC E. RC4 F. RSA

Correct Answer: ADF Section: (none) Explanation

Explanation/Reference: Explanation: Diffie-Hellman (DH), Elliptic Curve Cryptography (ECC), and RSA are asymmetric algorithms. DH is an asymmetric key agreement (key exchange) method; RSA and the ECC-based algorithms (for example ECDH for key agreement and ECDSA for signatures) are asymmetric algorithms used for encryption, digital signatures, and key agreement. Asymmetric encryption, also known as public key encryption, uses a public key to encrypt data and a different, yet mathematically related, private key to decrypt data. Public key infrastructure (PKI) uses a certificate authority (CA) to bind a public key to an identity, so that a party encrypting data or verifying a signature can trust that the public key really belongs to the intended entity. Asymmetric algorithms use far more computationally expensive mathematical operations than symmetric algorithms, so they are much slower at encrypting and decrypting bulk data; in practice they are used to agree on or protect a symmetric session key, and the symmetric algorithm then encrypts the data. Other examples of asymmetric algorithms include the Digital Signature Algorithm (DSA) and ElGamal. Advanced Encryption Standard (AES), RC4, and Triple Data Encryption Standard (3DES) are symmetric algorithms: the same key is used to encrypt and decrypt data. Two types of symmetric algorithms exist: block ciphers and stream ciphers. Block ciphers derive their name from the fact that they encrypt fixed-size blocks of data; for example, AES encrypts 128-bit blocks. Stream ciphers generate a keystream that is combined (typically XORed) with the plaintext one bit or byte at a time, so they are not limited to a fixed block size and are often faster; for example, RC4, a stream cipher, accepts keys from 8 through 2,048 bits. Note that RC4 and DES/3DES are considered weak today and are deprecated in modern deployments; AES is the recommended symmetric cipher. Other examples of symmetric algorithms include International Data Encryption Algorithm (IDEA), Skipjack, and Blowfish. Reference: CCNA Security 210-260 Official Cert Guide, Chapter 5, Symmetric and Asymmetric Algorithms, pp. 92-94

QUESTION 89 Which of the following statements are true regarding class maps on a Cisco ASA? (Select 2 choices.)

A. QoS traffic shaping is not available for all class maps. B. Class maps apply specific security measures on a per-session basis. C. By default, no class maps are defined on an ASA. D. Class maps must use an ACL to match traffic. E. Class maps can match traffic based on application protocols. F. Class maps identify the interface to which a policy map is applied.

Correct Answer: AE Section: (none) Explanation

Explanation/Reference: Explanation: Class maps can match traffic based on application protocols, and Quality of Service (QoS) traffic shaping is not available for all class maps on a Cisco Adaptive Security Appliance (ASA). A class map is one of the three basic components of the Modular Policy Framework (MPF); policy maps and service policies are the other two. MPF is a Cisco ASA feature that provides a flexible method of enabling security policies on an interface. A class map identifies a specific flow of traffic, a policy map determines the action that will be performed on the traffic, and a service policy ties this action to a specific interface. Generally, each class map contains only a single match statement, and a packet can match only one class map per feature type within a policy map. Actions of different feature types are applied independently: if a packet matched a class map for File Transfer Protocol (FTP) inspection and a class map for traffic policing, the ASA would apply both actions to the packet. However, if a packet matched a class map for FTP inspection and a second, different class map that also included FTP inspection, the ASA would apply only the action of the first matching class. By default, two class maps are defined on an ASA; the class-default and inspection_default class maps are part of the default configuration. You can use the match command from class map configuration mode to identify traffic based on specified characteristics. The match command supports the following keywords: access-list, port, default-inspection-traffic, dscp, precedence, rtp, tunnel-group, and any. For example, you could issue the following commands to create a class map named CLASSMAP that identifies traffic using Transmission Control Protocol (TCP) port 8080:

asa(config)# class-map CLASSMAP
asa(config-cmap)# match port tcp eq 8080

Once traffic has been identified by a class map, the associated policy map can take action on that traffic. A policy map typically contains references to one or more class maps and defines the actions to be performed on traffic matched by each. If traffic matches multiple class maps for different feature types within a policy map, for instance a class map for application inspection as well as a class map for priority queuing, the actions of both classes are applied to the traffic. To continue the example, you could issue the following commands to configure a policy map named POLICYMAP that matches traffic identified by the class map named CLASSMAP and processes it with the Hypertext Transfer Protocol (HTTP) inspection engine:

asa(config)# policy-map POLICYMAP
asa(config-pmap)# class CLASSMAP
asa(config-pmap-c)# inspect http

A policy map does not act on traffic until it has been applied to an interface by a service policy. A service policy identifies where a policy map is applied: a service policy applied globally covers all interfaces but applies application inspection only to traffic entering the appliance, whereas a service policy applied to a single interface applies inspection to traffic both entering and exiting that interface. An interface service policy takes precedence over the global service policy for a given feature: if traffic matches both an interface policy and the global policy for the same feature, only the interface policy is applied to that traffic flow. Only one global service policy and one service policy per interface can exist. To complete the example, you could issue the following command to apply the POLICYMAP policy map to the inside interface:

asa(config)# service-policy POLICYMAP interface inside

QoS traffic shaping is available only for the class-default class map.

Class maps do not apply specific security measures on a per-session basis; dynamic access policies (DAPs) do. Configuring a DAP allows you to resolve complications presented by the frequently inconsistent nature of virtual private network (VPN) sessions. For example, users might access your network from different remote locations, with each location having a different configuration, thus presenting a different set of security issues for each situation. With a DAP, you can apply specific security measures for each situation on a per-session basis: depending on the attributes of the next connection from a remote location, a different DAP may be applied if the variables have changed. Reference: Cisco: Service Policy Using the Modular Policy Framework: Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping Cisco: Service Policy Using the Modular Policy Framework: Creating a Layer 3/4 Class Map for Through Traffic

QUESTION 90 Which of the following is true regarding the EAPFAST authentication process? (Select the best answer.)

A. A digital certificate is required only on the client. B. A digital certificate is required only on the server. C. Digital certificates are required on both the client and the server. D. Digital certificates are not required on the client or the server.

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: Digital certificates are not required on the client or the server during the Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) authentication process; instead, EAP-FAST uses Protected Access Credentials (PACs), shared secrets provisioned to the client, to build its protected tunnel. EAP-FAST can be used for point-to-point connections and for both wired and wireless links. The EAP-FAST authentication process consists of three phases. The first phase, phase 0, is optional and consists of provisioning the client with a PAC, a credential that is used for authentication. A PAC can be provisioned in band (automatically) or manually configured on a client, in which case phase 0 is not required. Phase 1 establishes a Transport Layer Security (TLS) tunnel between the client and the server using the PAC. Phase 2 authenticates the client inside the tunnel; if the client is authenticated, it is permitted to access the network. A practitioner caveat: anonymous in-band PAC provisioning does not let the client authenticate the server, so it is exposed to man-in-the-middle attacks during provisioning; authenticated provisioning using a server certificate, or manual PAC distribution, is preferred. Other EAP methods do rely on digital certificates. EAP-Transport Layer Security (EAP-TLS) requires both a client and a server certificate, whereas Protected EAP (PEAP) requires only the server to be configured with a certificate; with PEAP, clients can use alternative inner authentication methods, such as MS-CHAPv2 or one-time passwords (OTPs). Like EAP-FAST, Lightweight EAP (LEAP) does not require either the server or the client to be configured with a digital certificate. When LEAP is used, the client initiates an authentication attempt with a Remote Authentication Dial-In User Service (RADIUS) server, which responds with a challenge; if the client's challenge/response exchange succeeds, the client in turn challenges the RADIUS server to validate that it is the correct server for the network, and only then connects. LEAP's challenge/response is based on MS-CHAP and is vulnerable to offline dictionary attacks against captured exchanges, so it should not be used in new deployments.
Reference: Cisco: EAP Methods Summary Cisco: Configuring EAPFAST: Table 31 Connection Settings (PDF)

QUESTION 91 Which of the following security functions are associated with the data plane? (Select 2 choices.)

A. device configuration protection B. signaling protection C. traffic conditioning D. traffic filtering

Correct Answer: CD Section: (none) Explanation

Explanation/Reference: Explanation: Traffic conditioning and traffic filtering are security functions associated with the data plane. Cisco devices are generally divided into three planes: the control plane, the management plane, and the data plane. Each plane is responsible for different operations, and each can be secured by different methods. The data plane is responsible for traffic passing through the device, referred to as transit traffic; therefore, data plane security protects against unauthorized packet transmission and interception. Threats such as IP spoofing, Media Access Control (MAC) address spoofing, Address Resolution Protocol (ARP) spoofing, Dynamic Host Configuration Protocol (DHCP) spoofing, unauthorized traffic interception, and unauthorized network access can be mitigated and monitored by implementing features such as the following:
- Dynamic ARP Inspection (DAI)
- Anti-spoofing access control lists (ACLs)
- DHCP snooping
- Port ACLs (PACLs)
- Private virtual LANs (VLANs)
- Unicast Reverse Path Forwarding (uRPF)
- VLAN ACLs (VACLs)

The control plane is responsible for the creation and maintenance of the structures related to routing and forwarding. These functions are heavily dependent on CPU and memory availability; therefore, control plane security protects against unauthorized traffic destined for the device itself, which could modify forwarding paths or consume excessive resources. Path modification can be caused by manipulating the traffic generated by routing protocols, VLAN Trunking Protocol (VTP), and Spanning Tree Protocol (STP). Path modification attacks can be mitigated by implementing routing protocol authentication and filtering, VTP authentication, and STP protection features such as BPDU Guard and Root Guard. In addition, excessive CPU and memory consumption can be caused by control plane flooding. Resource consumption attacks can be mitigated by implementing control plane filtering and rate limiting with Control Plane Policing (CoPP) and Control Plane Protection (CPPr). Device configuration protection is associated with the management plane. Management plane security protects against unauthorized device access and configuration. Unauthorized access can be mitigated by implementing a strong Authentication, Authorization, and Accounting (AAA) solution and by implementing Management Plane Protection (MPP), which restricts management sessions to designated interfaces. Management traffic can be encrypted by using Secure Shell (SSH) instead of Telnet. You can mitigate unauthorized configuration of a device by implementing Role-Based Access Control (RBAC), whereby administrators are limited to the features they need to accomplish their jobs. Detection and logging of management plane access can be performed by implementing Simple Network Management Protocol version 3 (SNMPv3) and Syslog servers. Reference: Cisco: Cisco Guide to Harden Cisco IOS Devices
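The following is an added example, not configuration from the exam guide, that turns the data-plane feature list above into a working access-layer configuration: DHCP snooping, Dynamic ARP Inspection, IP Source Guard and a port ACL on the switch, and strict uRPF plus an anti-spoofing ACL on the router that fronts the VLAN. VLAN 10, the interface numbers and the 10.10.10.0/24 subnet are assumed.

```cisco
! Added example (not from the exam guide). Assumed: user VLAN 10 on ports
! Gi1/0/2-24, uplink Gi1/0/1 towards the DHCP server and router, router LAN
! interface Gi0/0 with 10.10.10.1/24.
!
! ---------- Access switch ----------
! DHCP snooping builds the binding table (IP/MAC/port/VLAN) that DAI and
! IP Source Guard rely on; only the uplink may source DHCP server messages.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! Dynamic ARP Inspection: drop ARP replies that contradict the binding table
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
errdisable recovery cause arp-inspection
!
interface GigabitEthernet1/0/1
 description uplink to router and DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Port ACL: a host must never be a DHCP server, so block frames sourced from udp/67
ip access-list extended NO-ROGUE-DHCP
 deny   udp any eq bootps any
 permit ip any any
!
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip verify source                 ! IP Source Guard: drop IP packets not in the binding table
 ip arp inspection limit rate 15  ! untrusted ports: rate-limit ARP to blunt ARP floods
 ip access-group NO-ROGUE-DHCP in ! PACL applied to the Layer 2 port
!
! ---------- Router ----------
ip cef                            ! uRPF requires CEF
!
ip access-list extended ANTI-SPOOF
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description LAN-facing interface for VLAN 10
 ip address 10.10.10.1 255.255.255.0
 ip verify unicast source reachable-via rx   ! strict uRPF: source must route back out this interface
 ip access-group ANTI-SPOOF in
!
! Verification
! show ip dhcp snooping binding
! show ip arp inspection statistics vlan 10
! show ip verify source
! show ip interface GigabitEthernet0/0 | include verify
! show ip traffic | include RPF
```

Strict uRPF is appropriate on a stub LAN interface like this one; on interfaces with asymmetric routing use the loose form (reachable-via any), otherwise legitimate traffic is dropped.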

QUESTION 92 Which of the following capabilities do an IDS and IPS have in common? (Select the best answer.)

A. blocking a particular connection B. blocking traffic from a particular host C. modifying traffic D. resetting TCP connections

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: An Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) can both reset Transmission Control Protocol (TCP) connections. An IDS is a network monitoring device that passively monitors network traffic and sends alerts to a management station when it detects malicious traffic. An IDS typically has one promiscuous network interface attached to each monitored network. Because traffic does not flow through the IDS, the IDS is unable to block malicious traffic directly; however, an IDS can do any of the following:
- Request that another device block a connection
- Request that another device block a particular host
- Reset TCP connections (by sending spoofed TCP RST segments to one or both endpoints)

An IDS can prevent further instances of previously detected malicious traffic from passing onto the network by creating access control lists (ACLs) on routers in the traffic path or by configuring other security devices that reside in the flow of traffic. Because these are reactions to traffic that has already been seen, the first malicious packets, and any single-packet attack, reach the target; a reset sent by an IDS also races the attacker's own packets and may arrive too late. By contrast, an IPS typically sits inline with the flow of traffic and can therefore block malicious traffic before it passes onto the network. An inline IPS can perform the following actions:
- Block traffic from a particular host
- Block a particular connection
- Modify traffic
- Reset TCP connections

However, if an IPS sits inline with traffic, a failed IPS device can cause all traffic to be dropped unless it is deployed with a fail-open (bypass) mechanism, and analyzing all of the traffic that passes through the IPS can introduce latency and jitter. Alternatively, an IPS can be configured to operate in promiscuous mode, which makes it functionally similar to an IDS. Reference: Cisco: Managed Security Services Partnering for Network Security: Managed Intrusion Detection and Prevention Systems

QUESTION 93 Which of the following statements are true regarding RADIUS? (Select 2 choices.)

A. It encrypts only the password in Access-Request packets. B. It combines authorization and authentication functions. C. It provides more flexible security options than TACACS+. D. It uses TCP port 49. E. It is a Cisco-proprietary standard protocol.

Correct Answer: AB Section: (none) Explanation

Explanation/Reference: Explanation: Remote Authentication Dial-In User Service (RADIUS) combines authentication and authorization into a single function and encrypts only the password in Access-Request packets. RADIUS is an Internet Engineering Task Force (IETF) standard protocol for Authentication, Authorization, and Accounting (AAA) operations that uses User Datagram Protocol (UDP) for transport, on ports 1812 (authentication and authorization) and 1813 (accounting), or the legacy ports 1645 and 1646. Only the User-Password attribute is hidden, by XORing it with an MD5 hash derived from the shared secret and the request authenticator; the rest of the packet, including the user name, is sent in cleartext and would be viewable by anyone who intercepted it. RADIUS has fewer flexible security options than Terminal Access Controller Access Control System Plus (TACACS+) because it combines authentication and authorization into a single exchange and does not provide per-command authorization for router administration. By contrast, TACACS+ is a Cisco-proprietary protocol that uses Transmission Control Protocol (TCP) port 49 for transport. TACACS+ provides more security and flexibility than RADIUS because it encrypts the entire body of each packet (only the header is in cleartext) and separates the authentication, authorization, and accounting functions. This separation enables granular control of access to resources; for example, TACACS+ gives administrators control over access to individual configuration commands, so users can be permitted or denied specific commands. Because of this flexibility, TACACS+ is typically used with Cisco Secure Access Control Server (ACS) for device administration, whereas RADIUS is the usual choice for network access such as 802.1X. Note that both the TACACS+ body encryption and the RADIUS password hiding are MD5-based obfuscation keyed with the shared secret rather than strong encryption, so AAA traffic should additionally be confined to a protected management network. Reference: Cisco: TACACS+ and RADIUS Comparison: Compare TACACS+ and RADIUS
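The following is an added example, not configuration from the exam guide, that puts the RADIUS/TACACS+ split into practice on an IOS device: TACACS+ for administrator login with per-command authorization and accounting (which RADIUS cannot provide), RADIUS for 802.1X network access. Server addresses, names and keys are assumed; the tacacs server and radius server blocks use the IOS 15.x syntax.

```cisco
! Added example (not from the exam guide). Assumed: TACACS+ server 192.0.2.20,
! RADIUS server 192.0.2.10, both reachable via Loopback0.
aaa new-model
!
! --- Device administration: TACACS+ (TCP/49), full packet body obfuscated ---
tacacs server ACS
 address ipv4 192.0.2.20
 key ExampleTacacsKey
ip tacacs source-interface Loopback0
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! per-command authorization and accounting are only possible with TACACS+
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! local fallback account used only when the TACACS+ server is unreachable
username admin privilege 15 secret ExampleLocalFallbackPw
!
! --- Network access (802.1X): RADIUS (UDP/1812,1813), only User-Password hidden ---
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ExampleRadiusKey
ip radius source-interface Loopback0
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
line vty 0 4
 transport input ssh
!
! Verification
! show tacacs
! show radius statistics
! test aaa group tacacs+ admin ExampleLocalFallbackPw legacy
! debug aaa authorization   (shows each command being sent to the TACACS+ server)
```

The "local" keyword at the end of each method list is what keeps you out of a lockout when the AAA server is down; it is consulted only when the server does not answer, not when it rejects the user.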

QUESTION 94 Which of the following protocols can IPSec use to provide the confidentiality component of the CIA triad? (Select 2 choices.)

A. AES B. AH C. DES D. MD5 E. SHA

Correct Answer: AC Section: (none) Explanation

Explanation/Reference: Explanation: Of the choices available, IP Security (IPsec) can use either Advanced Encryption Standard (AES) or Data Encryption Standard (DES) to provide the confidentiality component of the confidentiality, integrity, and availability (CIA) triad. The confidentiality component ensures that transmitted data cannot be read by an unauthorized party if it is intercepted before it reaches its destination. IPsec provides confidentiality with Encapsulating Security Payload (ESP), which can use AES, 3DES, or DES in either transport mode or tunnel mode; in practice DES, and increasingly 3DES, are considered too weak, and AES should be used. In transport mode, ESP encrypts only the original payload data and the ESP trailer, leaving the original IP header (and the ESP header itself) unencrypted. The layout of an ESP packet in transport mode, from the diagram that accompanied this explanation, is:

[Original IP header] [ESP header: SPI, sequence number] [Original payload, e.g. TCP header + data] [ESP trailer: padding, pad length, next header] [ESP ICV]
Encrypted: original payload through ESP trailer. Authenticated by the ICV: ESP header through ESP trailer. Not covered: the original IP header.

In tunnel mode, ESP encrypts the entire original packet, including the original IP header, the original payload data, and the ESP trailer, and a new outer IP header carries the packet between the IPsec peers. The layout of an ESP packet in tunnel mode, from the diagram that accompanied this explanation, is:

[New IP header] [ESP header: SPI, sequence number] [Original IP header] [Original payload] [ESP trailer: padding, pad length, next header] [ESP ICV]
Encrypted: original IP header through ESP trailer. Authenticated by the ICV: ESP header through ESP trailer. Not covered: the new IP header.

IPsec uses Authentication Header (AH) and ESP to provide the integrity component of the CIA triad, not the confidentiality component; AH provides no encryption at all. The integrity component ensures that unauthorized parties have not modified data as it was transmitted over the network. Integrity is provided by a keyed hash, a hashed message authentication code (HMAC) such as HMAC-MD5 or HMAC-SHA, computed over the packet on each end of the connection; if the value computed by the receiver matches the value carried in the packet, the data was not modified in transit and was produced by a peer that holds the shared key, which is also how AH and ESP authenticate the origin of the data. The peers themselves are authenticated when the security associations are negotiated with Internet Key Exchange (IKE), using methods such as pre-shared keys (PSKs) and digital certificates or, for remote-access users, user name/password combinations and one-time passwords (OTPs). MD5 is no longer considered a strong hash; SHA-2 (SHA-256 or stronger) is preferred for new IPsec policies. Reference: CCNA Security 210-260 Official Cert Guide, Chapter 1, Confidentiality, Integrity, and Availability, pp. 14-15 IETF: RFC 4301: Security Architecture for the Internet Protocol: 3.2. How IPsec Works
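The following is an added example, not configuration from the exam guide, serving both Question 88 and Question 94: an IKEv2 site-to-site IPsec configuration on IOS annotated with which algorithm does which job (DH/ECDH for key agreement, RSA or a PSK for peer authentication, AES for ESP confidentiality, HMAC-SHA-256 for integrity) and with the ESP mode made explicit. Peer addresses, the tunnel addressing, names and the pre-shared key are assumed; DES is omitted deliberately because it is deprecated.

```cisco
! Added example (not from the exam guide). Assumed: remote peer 203.0.113.1,
! local WAN interface Gi0/0, tunnel addressing 10.255.0.0/30, PSK authentication.
!
! ---- Phase 1 (IKEv2 SA): asymmetric key agreement + peer authentication ----
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256        ! symmetric cipher protecting IKE messages
 integrity sha256              ! HMAC-SHA-256 for IKE message integrity
 group 19 14                   ! asymmetric: 19 = ECDH P-256 (ECC), 14 = 2048-bit MODP Diffie-Hellman
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring PEER-KEYS
 peer HQ
  address 203.0.113.1
  pre-shared-key ExamplePreSharedKey
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local PEER-KEYS
! To authenticate with RSA signatures instead of a PSK (asymmetric, certificate-based):
!   crypto key generate rsa modulus 2048 label VPN-KEY
!   crypto pki trustpoint ... / authentication remote rsa-sig / authentication local rsa-sig
!
! ---- Phase 2 (IPsec SA): symmetric protection of the data with ESP ----
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel                   ! encrypts the original IP header too (Q94 tunnel-mode layout);
                               ! "mode transport" would leave the original IP header in the clear
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES-SHA
 set ikev2-profile IKEV2-PROF
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! Verification
! show crypto ikev2 sa detail     -> negotiated DH group and IKE cipher/PRF
! show crypto ipsec sa            -> ESP transform, tunnel/transport mode, packet counters
```

The DH group is listed with group 19 first so that the ECDH exchange is preferred when the peer supports it; the 2048-bit MODP group is kept only as a fallback for older peers. The session key produced by that exchange is what AES uses; the asymmetric step never touches the user data.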

QUESTION 95 You issue the following commands on a Cisco ASA with no other configured interfaces:

asa(config)# interface gigabitethernet 0/1
asa(config-if)# speed 1000
asa(config-if)# duplex full
asa(config-if)# nameif inside
asa(config-if)# ip address 10.1.1.1 255.255.255.0
asa(config-if)# no shutdown
asa(config-if)# exit
asa(config)# telnet 10.1.1.0 255.255.255.0 inside
asa(config)# telnet timeout 30

Which of the following statements is true regarding the resulting configuration? (Select the best answer.)

A. Telnet sessions will time out after 30 seconds of inactivity. B. The ASA will assign the interface a security level of 0. C. The ASA will assign the interface a security level of 100. D. Telnet sessions will be denied until a security level is manually assigned.

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: In this scenario, the Cisco Adaptive Security Appliance (ASA) will assign the GigabitEthernet 0/1 interface a security level of 100. The block of commands configures the GigabitEthernet 0/1 interface to operate in full-duplex mode at a speed of 1,000 megabits per second (Mbps), names the interface "inside", and assigns it the IP address 10.1.1.1 with a network mask of 255.255.255.0; the no shutdown command enables the interface. The telnet commands define a network range that is permitted to Telnet to the inside interface and configure a Telnet idle timeout. Because no security level is explicitly assigned to the interface, the ASA assigns one automatically. The default security level is 0; however, an interface named "inside" is an exception and is automatically assigned a security level of 100 if none is explicitly configured. An interface can be assigned any integer security level from 0 through 100. Telnet sessions will not be denied to the GigabitEthernet 0/1 interface until a security level is manually assigned. Normally, Telnet is not permitted to the interface with the lowest security level. However, if there is only one configured interface and it has a security level of 100, Telnet is permitted even though that interface is simultaneously the highest-security and the lowest-security interface. If there were other active interfaces on the ASA, a Telnet session would be permitted to the lowest-security interface only if it were protected by a virtual private network (VPN) tunnel terminating on that interface.

Although there are several methods for working around the Telnet access restrictions of the ASA, Telnet carries credentials and session data in cleartext, and Cisco recommends disabling it and using Secure Shell (SSH) or Hypertext Transfer Protocol Secure (HTTPS) for management access instead; neither SSH nor HTTPS is restricted by the security level of an interface. Telnet sessions will not time out after 30 seconds of inactivity: the telnet timeout 30 command specifies an idle timeout of 30 minutes, not 30 seconds. The telnet timeout command accepts an integer value from 1 through 1440 to specify the number of minutes a Telnet session can remain idle before the ASA closes the connection. Reference: Cisco: Cisco ASA 5500 Series Command Reference: security-level

QUESTION 96 Which of the following vulnerabilities did the Blaster worm exploit on target hosts? (Select the best answer.)

A. a buffer overflow vulnerability in the DCOM RPC service B. a buffer overflow vulnerability in IIS software C. a buffer overflow vulnerability in Microsoft SQL Server D. a remote code execution vulnerability in the printer spooler service E. a remote code execution vulnerability in the processing of .lnk files

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: The Blaster worm exploited a buffer overflow vulnerability in the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) service on Microsoft Windows hosts. The worm carried a payload that configured infected hosts to launch a Denial of Service (DoS) attack against Microsoft's Windows Update site. Microsoft had released a patch for the vulnerability before Blaster appeared, but the worm spread rapidly among unpatched hosts, and several other worms subsequently exploited the same vulnerability. For example, the Welchia worm targeted the same flaw. Welchia was designed to scan the network for vulnerable machines, infect them, remove the Blaster worm if present, and even download and install the appropriate Microsoft patch for the vulnerability that it and Blaster had exploited. Despite its apparently benign intent, Welchia's network-scanning component caused DoS conditions on several large networks, including those of the United States armed forces. Stuxnet is an example of a worm that exploited vulnerabilities in both the print spooler service and the processing of .lnk files. Stuxnet was used in an act of cyber warfare against Iranian industrial control systems (ICSs); it was written to target specific ICSs by modifying code on programmable logic controllers (PLCs). Stuxnet exploited a vulnerability in the Windows print spooler service to spread across networks, and its 2010 variants exploited a vulnerability in the way Windows processes shortcut (.lnk) files to spread via removable media. Research published by Symantec indicated that roughly 60 percent of the Stuxnet-affected hosts at the time were in Iran. Symantec's analysis of Stuxnet and its variants found that five organizations were the primary targets of infection and that further infections were likely collateral damage from the aggressive manner in which the worm spread.

Given the considerable cost in resources and man-hours that would have been required to craft the Stuxnet worm, it was theorized to have been intended to sabotage high-value targets such as nuclear material enrichment facilities. SQL Slammer is an example of a worm that exploited a buffer overflow vulnerability in Microsoft Structured Query Language (SQL) Server software. SQL Slammer spread at a tremendous rate and was reported to have infected as many as 12,000 servers per minute; because it fit in a single UDP packet, its scanning generated enough traffic on many networks to produce DoS effects as collateral damage. Code Red is an example of a worm that exploited a buffer overflow vulnerability in Microsoft Internet Information Server (IIS) software. Although not as efficient as SQL Slammer, Code Red still managed to infect as many as 2,000 hosts per minute. The initial Code Red variant repeatedly scanned the same set of IP addresses because it seeded its random number generator with a fixed value; a later variant corrected this and was reported to have infected over 350,000 hosts within the first 14 hours of its release into the wild. Reference: Cisco: The Internet Protocol Journal: Trends in Viruses and Worms

QUESTION 97 Which of the following statements is true regarding the primary bootset when the Cisco IOS Resilient Configuration feature is enabled? (Select the best answer.)

A. The configuration file can be secured on a TFTP server, but the system image must be secured on local storage. B. The system image can be secured on a TFTP server, but the configuration file must be secured on local storage. C. The configuration file and the system image must both be secured on local storage. D. The configuration file and the system image must both be secured on remote storage.

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: The configuration file and the system image must both be secured on local storage when the Cisco IOS Resilient Configuration feature is enabled. The Resilient Configuration feature is designed to protect the system image and the configuration from tampering and accidental deletion. You can issue the following block of commands to enable the feature:

Router# configure terminal
Router(config)# secure boot-image
Router(config)# secure boot-config

When the feature is enabled, the primary system image file and the associated running configuration are securely archived in local persistent storage; you cannot select a remote storage location. The secure boot-image command enables the image resilience component of the feature and effectively hides the system image from the directory structure: the image is no longer displayed when the dir command is issued from an EXEC shell (it remains visible from ROMmon). Because the system image file is hidden in place rather than copied to a secure location, no extra storage is required to secure it. By contrast, the secure boot-config command creates a hidden archive copy of the running configuration. The secured versions of the system image and running configuration are referred to as the primary bootset, and the show secure bootset command displays its status. You can restore either or both components of the primary bootset at any time. The system image can be restored (booted) from read-only memory (ROM) monitor (ROMmon) mode, and the configuration can be restored from global configuration mode by using the restore parameter of the secure boot-config command. Once the system image and running configuration have been secured, the router tracks version mismatches and produces a console message if the secured image or configuration no longer matches the running versions; the configuration archive is not updated automatically, so secure boot-config must be re-issued after configuration changes. Once the Resilient Configuration feature is enabled, it can be disabled only from a console session, which means that an attacker with only remote (vty) access cannot turn it off. The feature is available only on platforms whose storage supports it, such as those with a PCMCIA ATA flash disk, and there must be enough free space on the storage device to hold the archived configuration. Reference: Cisco: Cisco IOS Resilient Configuration: Feature Design of Cisco IOS Resilient Configuration. Category: Secure Routing and Switching
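The following is an added example, not a procedure from the exam guide, showing the full lifecycle of the primary bootset: enabling the feature, verifying it, refreshing the configuration archive after a change, and recovering each component after tampering. The archive file name and the image file name in the ROMmon step are assumed placeholders.

```cisco
! Added example (not from the exam guide). Assumed: flash: is the local
! storage device; "rescue-cfg" is an arbitrary file name for the restored archive.
!
! ---- Enable and verify ----
Router# configure terminal
Router(config)# secure boot-image
Router(config)# secure boot-config
Router(config)# end
Router# show secure bootset
! The secured image no longer appears here, which is the expected (hidden) state:
Router# dir flash:
!
! ---- Refresh the archive after every configuration change (it is not automatic) ----
Router# configure terminal
Router(config)# secure boot-config
Router(config)# end
Router# write memory
!
! ---- Recovery: configuration was wiped or altered ----
Router# configure terminal
Router(config)# secure boot-config restore flash:rescue-cfg
Router(config)# end
Router# copy flash:rescue-cfg running-config
Router# write memory
!
! ---- Recovery: the visible image was deleted and the router is in ROMmon ----
! The hidden image is listed from ROMmon; boot it by name (name is an assumption):
rommon 1 > dir flash:
rommon 2 > boot flash:<secured-image-name>
!
! ---- Disabling (only accepted on the console line, never over vty) ----
Router(config)# no secure boot-image
Router(config)# no secure boot-config
```

Tie the refresh step to your change-management process: a stale archive restores an old configuration, which is still far better than no configuration but can reopen access that was since removed.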

QUESTION 98 Which of the following can be installed on a host to ensure that only specified inbound and outbound connections are permitted? (Select the best answer.)

A. antivirus software B. a HIPS C. a personal firewall D. a proxy server

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: A personal firewall can be installed on a host to ensure that only specified inbound and outbound connections are permitted. A personal firewall protects a host from malicious traffic by permitting or denying specific applications or network ports access to the host or its network interface. Typically, a personal firewall provides enough granularity to specify the direction of a particular traffic flow. For example, you could permit outbound web traffic but deny inbound Internet Control Message Protocol (ICMP) messages. A Host-based Intrusion Prevention System (HIPS) can be installed on a host to analyze and prevent malicious traffic on that host. An Intrusion Prevention System (IPS) actively monitors, analyzes, and blocks malicious traffic before it reaches or infects devices. HIPS software can be installed on a host computer to protect that computer against malicious traffic. By contrast, a Network-based IPS (NIPS) is an independent operating platform, often a standalone appliance or a hardware module installed in a chassis. A NIPS device can be installed inline on a network to monitor and prevent malicious traffic from being sent to other devices on the network. One advantage of a NIPS over a HIPS is that a NIPS can detect low-level network events, such as the scanning of random hosts on the network; a HIPS can detect only scans that target the host on which it runs. A HIPS and a NIPS can be used together to provide an additional layer of protection. You could not install antivirus software to ensure that only specified inbound and outbound connections are permitted. Antivirus software monitors the file system and memory space on a host for malicious code. Although antivirus software might protect the host from executing malicious files, it cannot by itself control which connections reach or leave the host.
Some antivirus vendors offer integrated security suites that bundle personal firewall, HIPS, antivirus, and antimalware components. You could not install a proxy server on a host to ensure that only specified inbound and outbound connections are permitted. A proxy server is typically an application layer gateway that provides resource caching and traffic filtering for a particular class of traffic, such as web content. Although you could install a proxy server locally on a host and use it to process specified outbound connections, it could not restrict outbound connections from applications that are not configured to use the proxy, nor could it restrict inbound connections. Reference: CCNA Security 210-260 Official Cert Guide, Chapter 19, Mitigation Technologies for Endpoint Threats, pp. 498-499 Category: Cisco Firewall Technologies
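The directional, per-application control that the explanation attributes to a personal firewall can be modelled in a few lines. The following is an added example, not code from the exam guide or from any vendor product: a first-match rule list with an implicit deny, where a rule can be bound to a direction, a protocol, a port and the local application that owns the socket. The policy and the flows are constructed for the demonstration; the rule names, ports and application names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    direction: str              # "in" (toward the host) or "out" (from the host)
    proto: str                  # "tcp", "udp" or "icmp"
    port: Optional[int] = None  # remote port for "out", local port for "in"; None for ICMP
    app: Optional[str] = None   # local program that owns the socket, if the firewall knows it


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    direction: str              # "in", "out" or "any"
    proto: str = "any"
    port: Optional[int] = None  # None matches any port
    app: Optional[str] = None   # None matches any application

    def matches(self, flow: Flow) -> bool:
        return (self.direction in ("any", flow.direction)
                and self.proto in ("any", flow.proto)
                and self.port in (None, flow.port)
                and self.app in (None, flow.app))


# Constructed policy in the spirit of the explanation: first match wins and
# anything not explicitly permitted falls to the implicit deny at the end.
POLICY: List[Rule] = [
    Rule("permit", "out", "tcp", 80, app="browser"),    # outbound web, browser only
    Rule("permit", "out", "tcp", 443, app="browser"),
    Rule("permit", "out", "udp", 53),                   # DNS from any program
    Rule("deny", "in", "icmp"),                          # no inbound ICMP at all
    Rule("permit", "in", "tcp", 22, app="sshd"),        # inbound SSH only to sshd
]


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that matched); index None means the implicit deny."""
    for index, rule in enumerate(policy):
        if rule.matches(flow):
            return rule.action, index
    return "deny", None


def decide(policy: List[Rule], flow: Flow) -> str:
    return evaluate(policy, flow)[0]


if __name__ == "__main__":
    for f in (Flow("out", "tcp", 443, "browser"), Flow("in", "icmp"),
              Flow("out", "tcp", 443, "updater"), Flow("in", "tcp", 22, "sshd")):
        print(f, "->", evaluate(POLICY, f))
```

The third sample flow is the point of binding rules to applications: the same outbound TCP/443 that the browser may open is denied for an unknown program because no rule matches it, so it lands on the implicit deny.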

QUESTION 99 Which of the following statements are true regarding the FirePOWER inline normalization preprocessor engine? (Select 2 choices.)

A. Inline normalization can process IPv4 and ICMPv4 traffic but not IPv6 traffic. B. Inline normalization can process IPv4 and IPv6 traffic but not ICMPv4 traffic. C. Inline normalization cannot detect TCP SYN flood attacks. D. Inline normalization cannot detect TCP session hijacking attacks. E. Inline normalization takes place immediately before decoding by the packet decoder.

Correct Answer: CD Section: (none) Explanation

Explanation/Reference: Explanation: The FirePOWER inline normalization preprocessor engine cannot detect Transmission Control Protocol (TCP) SYN flood attacks or session hijacking attacks. The inline normalization preprocessor can be used by a FirePOWER Intrusion Prevention System (IPS) that is deployed in an inline configuration. Packet normalization reduces the chances of malicious traffic evading detection. The inline normalization process takes place immediately after the IPS packet decoder decodes the packet, which ensures that the packets analyzed by the IPS are identical to the packets that will be assembled by the target host. The inline normalization preprocessor can perform normalizations on various components of Internet Control Message Protocol version 4 (ICMPv4), IP version 4 (IPv4), IPv6, and TCP packets. For example, it can reset the time-to-live (TTL) value on a packet if it detects a TTL value outside of a user-defined range. The FirePOWER rate-based prevention preprocessor engine, not the inline normalization preprocessor engine, can detect SYN flood traffic. The rate-based prevention preprocessor engine detects traffic abnormalities based on the frequency of certain types of traffic. The following traffic patterns can trigger rate-based attack prevention:
- Traffic containing excessive incomplete TCP connections
- Traffic containing excessive complete TCP connections
- Excessive rule matches for a particular IP address or range of IP addresses
- Excessive rule matches for one particular rule regardless of IP address

The FirePOWER TCP stream preprocessor engine, not the inline normalization preprocessor, can detect session hijacking attacks. The stream preprocessor assembles the packets of a TCP data stream into a single comprehensive unit for scanning. Because the TCP stream preprocessor has access to multiple packets in a data stream, it can analyze state information, analyze payload anomalies, and identify stream-based attacks that cannot be identified by single-packet analysis. Reference: Cisco: Configuring Transport & Network Layer Preprocessing: Normalizing Inline Traffic

QUESTION 100 What is the effect of the same-security-traffic permit intra-interface command on a Cisco ASA? (Select the best answer.)


A. It allows communication between different interfaces that share the same security level. B. It allows traffic to exit the same interface through which it entered. C. It allows outbound traffic and the corresponding return traffic to pass through different ASAs. D. It allows traffic destined to unprotected subnets to bypass a VPN tunnel.

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: On a Cisco Adaptive Security Appliance (ASA), the same-security-traffic permit intra-interface command allows traffic to exit the same interface through which it entered, which is also known as hairpinning. By default, an ASA does not allow packets to enter and exit through the same physical interface. However, because multiple logical virtual LANs (VLANs) can be assigned to the same physical interface, it is sometimes necessary to allow a packet to enter and exit through the same interface. The same-security-traffic permit intra-interface command allows packets to be sent and received from the same interface even if the traffic is protected by IP Security (IPSec) security policies. Another scenario in which you would need the same-security-traffic permit intra-interface command is when multiple users connect via virtual private network (VPN) through the same physical interface. These users will not be able to communicate with one another unless the same-security-traffic permit intra-interface command has been issued from global configuration mode. The same-security-traffic permit inter-interface command, not the same-security-traffic permit intra-interface command, allows communication between different interfaces that share the same security level. By default, interfaces with the same security level are not allowed to communicate with each other. A split tunneling policy, not the same-security-traffic permit intra-interface command, allows traffic destined to unprotected subnets to bypass an encrypted tunnel. With split tunneling, only traffic destined to protected subnets is routed through the appropriate VPN tunnel. Traffic destined to unprotected subnets, such as the Internet, can bypass the tunnel and be routed normally. You can issue the split-tunnel-policy and split-tunnel-network-list commands to configure a split tunneling policy. TCP state bypass, not the same-security-traffic permit intra-interface command, allows outbound traffic and the corresponding return traffic to pass through different ASAs. With TCP state bypass, an ASA allows a specific class of traffic to pass through the ASA without the traffic class having an entry in the ASA's state table. TCP state bypass is disabled by default. You can issue the set connection advanced-options tcp-state-bypass command to enable the TCP state bypass feature.
Reference: Cisco: Configuring Interfaces: Allowing Same Security Level Communication Category: VPN

QUESTION 101 Which of the following statements is not true regarding an IPS device? (Select the best answer.)

A. An IPS requires that at least one interface be in promiscuous mode. B. Single-packet attacks can be mitigated by an IPS. C. Traffic leaves an IPS on a different interface than it entered. D. An IPS cannot route to destinations on different subnets.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: An Intrusion Prevention System (IPS) does not require that at least one interface be in promiscuous mode. An IPS sits inline with the flow of traffic, actively monitoring network traffic and blocking malicious traffic, such as an atomic or single-packet attack, before it spreads onto the network. An IPS requires at least two interfaces for each monitored network: one interface receives traffic entering the IPS, and the other carries traffic leaving the IPS. In addition, an IPS acts similarly to a Layer 2 bridge in that it can pass traffic through to destinations on the same subnet; an IPS cannot route to destinations on a different subnet. Because all monitored traffic must pass through the IPS, it can add latency to traffic flows on the network. By contrast, an Intrusion Detection System (IDS) typically has one promiscuous network interface attached to each monitored network, with no IP address assigned to the monitoring interface. An IDS is a network monitoring device that does not sit inline with the flow of network traffic; an IDS passively monitors a copy of the network traffic, not the actual packets. Because an IDS analyzes a copy of the traffic, an IDS can support asymmetric traffic flows in which the return traffic takes a different path from the one the original traffic used to reach its destination. Because monitored traffic does not pass through an IDS, it does not add latency to the traffic flow.

Reference: CCNA Security 210-260 Official Cert Guide, Chapter 17, Difference Between IPS and IDS, pp. 460-462 Cisco: Cisco IPS Mitigation Capabilities

QUESTION 102 Which of the following statements is true regarding a split ACS deployment? (Select the best answer.)

A. Cisco recommends using a dedicated log collector instead of the primary or secondary server. B. The split configuration has the drawback of making an administrator less aware of the functional status of each server. C. The AAA load is divided between the primary and secondary servers, which produces a less-than-optimal AAA flow. D. The primary and secondary servers can be used for different, specialized operations such as network admission and device administration.

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: In a split Cisco Secure Access Control System (ACS) deployment, the primary and secondary servers can be used for different, specialized operations such as network admission and device administration. ACS is an Authentication, Authorization, and Accounting (AAA) server that uses Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) to provide AAA services for users, hosts, and network infrastructure devices such as switches and routers. An ACS deployment typically consists of a cluster containing a primary server and one or more secondary servers. In a split ACS deployment, the AAA load is distributed between the primary and secondary servers. This distribution provides a more optimal AAA flow than a traditional small-scale deployment in which the secondary server functions only as a backup if the primary server fails. The split ACS deployment offers a few other advantages over a traditional small-scale deployment. For example, an administrator will be more aware of the status of the primary and secondary servers because both are operational in a split ACS deployment. By contrast, in a traditional small-scale deployment, an administrator will be less aware of the status of the secondary server because it is not actively involved in the AAA process. In addition, because both servers are active, each server can be dedicated to a specialized operation. For example, the primary server could be dedicated to device administration operations and the secondary server could be dedicated to network admission operations. If either server fails, the remaining server can take over the full load of AAA operations until the failed server is restored. Reference: Cisco: Understanding the ACS Server Deployment: Split ACS Deployment (PDF)

QUESTION 103 For which of the following traffic types is stateful inspection not supported in a ZFW configuration? (Select the best answer.)

A. DNS B. ICMP C. IGMP D. NetBIOS E. Sun RPC

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: Stateful inspection of Internet Group Management Protocol (IGMP) is not supported in a zone-based policy firewall (ZFW) configuration. ZFW is the latest iteration of Cisco's stateful firewall implementation, which was formerly called Context-Based Access Control (CBAC). With ZFW, virtual security zones are specified and then interfaces are assigned to the appropriate zone. By default, all traffic is implicitly permitted to flow between interfaces that have been assigned to the same zone; however, all traffic between zones is blocked. In addition, all traffic to and from an interface is implicitly blocked by default when the interface is assigned to a zone, with a few exceptions: traffic to or from other interfaces in the same zone is permitted, as is traffic to or from the router itself. In order for traffic to flow between zones, stateful packet inspection policies must be configured to explicitly permit traffic between the zones. The basic process is as follows:
1. Define the required zones.
2. Create zone-pairs for zones that will pass traffic between themselves.
3. Define class maps to match the appropriate traffic for each zone-pair.
4. Define policy maps to specify the actions that should be performed on matching traffic.
5. Apply the policy maps to the zone-pairs.
6. Assign interfaces to their appropriate zones.

Inspection rules can be created for a large number of traffic types, including the following:
- Domain Name System (DNS)
- Internet Control Message Protocol (ICMP)
- Network Basic Input/Output System (NetBIOS)
- Sun Remote Procedure Call (RPC)

However, stateful inspection of multicast traffic, such as IGMP, is not supported by ZFW and must be handled by other security features, such as Control Plane Policing (CoPP). Reference: Cisco: Zone-Based Policy Firewall Design and Application Guide: Rules For Applying Zone-Based Policy Firewall Category: Cisco Firewall Technologies
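The default behaviours listed above (intra-zone pass, inter-zone drop unless a zone-pair policy exists, zone member to non-member drop, self-zone traffic allowed) are easy to get wrong when reading a configuration, so here is an added model of the forwarding decision. It is illustrative code written for this page, not Cisco code or IOS behaviour in every detail: the policy map is reduced to a protocol-to-action table, the interface names and zone names are assumptions, and the model does not track the sessions that inspection creates, so it classifies only the first packet of a flow.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple

SELF_ZONE = "self"               # the router's own control plane
UNSUPPORTED_INSPECT = {"igmp"}   # ZFW has no stateful inspection for multicast traffic


def inspection_supported(proto: str) -> bool:
    return proto not in UNSUPPORTED_INSPECT


@dataclass
class ZoneFirewall:
    zone_of: Dict[str, str] = field(default_factory=dict)  # interface -> zone
    # (source zone, destination zone) -> {protocol: "inspect" | "pass" | "drop"}
    policies: Dict[Tuple[str, str], Dict[str, str]] = field(default_factory=dict)

    def assign(self, interface: str, zone: str) -> None:
        self.zone_of[interface] = zone

    def zone_pair(self, source: str, destination: str, inspect: Iterable[str] = (),
                  pass_: Iterable[str] = (), drop: Iterable[str] = ()) -> None:
        """Attach a simplified policy map to a zone-pair (protocol -> action)."""
        for proto in inspect:
            if not inspection_supported(proto):
                raise ValueError(f"stateful inspection of {proto} is not supported by ZFW")
        policy = {p: "inspect" for p in inspect}
        policy.update({p: "pass" for p in pass_})
        policy.update({p: "drop" for p in drop})
        self.policies[(source, destination)] = policy

    def decide(self, src_if: str, dst_if: str, proto: str) -> str:
        """Action for the first packet of a flow from src_if to dst_if."""
        src = SELF_ZONE if src_if == SELF_ZONE else self.zone_of.get(src_if)
        dst = SELF_ZONE if dst_if == SELF_ZONE else self.zone_of.get(dst_if)
        if src is None and dst is None:
            return "pass"     # neither interface is in a zone: unzoned forwarding as before ZFW
        if src is None or dst is None:
            return "drop"     # a zone member never exchanges traffic with a non-member
        if src == dst:
            return "pass"     # intra-zone traffic is permitted by default
        policy = self.policies.get((src, dst))
        if policy is None:
            # traffic to or from the router itself is allowed unless a self-zone policy exists;
            # every other inter-zone flow is denied until a zone-pair policy permits it
            return "pass" if SELF_ZONE in (src, dst) else "drop"
        return policy.get(proto, "drop")   # class-default drops whatever no class map matched


def build_example() -> ZoneFirewall:
    """Constructed three-zone design: only inside -> outside has a policy."""
    fw = ZoneFirewall()
    fw.assign("GigabitEthernet0/0", "inside")
    fw.assign("GigabitEthernet0/1", "outside")
    fw.assign("GigabitEthernet0/2", "dmz")
    fw.zone_pair("inside", "outside", inspect=("dns", "icmp", "netbios", "sunrpc", "http"))
    return fw


if __name__ == "__main__":
    fw = build_example()
    for src, dst, proto in (("GigabitEthernet0/0", "GigabitEthernet0/1", "dns"),
                            ("GigabitEthernet0/1", "GigabitEthernet0/0", "dns"),
                            ("GigabitEthernet0/0", "GigabitEthernet0/2", "http"),
                            ("GigabitEthernet0/0", SELF_ZONE, "ssh")):
        print(src, "->", dst, proto, "=", fw.decide(src, dst, proto))
```

The outside-to-inside "drop" is for a new connection; on a real router the inspect action on the inside-to-outside pair creates the session state that lets the reply traffic back, which this first-packet model deliberately leaves out.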

QUESTION 104 Which of the following commands is not available to a user with a privilege level of 0? (Select the best answer.)

A. disable B. enable C. exit D. login E. logout

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: The login command is not available to a user with a privilege level of 0. Privilege levels can be used to limit the IOS commands that a user can access. The disable, enable, exit, help, and logout commands are available to a user with a privilege level of 0. The default privilege level for a newly created local user account is 1, and even a user at the lowest level always has access to the basic commands necessary to escalate their privilege level or access the help system. You can assign a user one of 16 privilege levels, some of which are used by default by the IOS. For example, privilege levels 1 and 15 are default IOS privilege levels. Privilege level 1 allows a user to issue any command that is available at the user EXEC > prompt. Privilege level 15 allows a user to issue any command that is available at the privileged EXEC # prompt. Each privilege level is associated with a list of commands that are available at that level. Users assigned to a privilege level have access to all of the commands at that privilege level and at all lower privilege levels. Changing the commands that are available to a privilege level might grant access to a user who should not be allowed to issue the command, or it might restrict access for a user who should be allowed to issue it. Per-user privilege levels can sometimes conflict with the privilege levels set for virtual terminal (VTY) lines. In the event of a conflict, per-user privileges override the privileges configured for the VTY line causing the conflict. Reference: CCNA Security 210-260 Official Cert Guide, Chapter 11, Custom Privilege Levels, p. 287 Cisco: IOS Privilege Levels Cannot See Complete Running Configuration: Privilege Levels

QUESTION 105 Which of the following is most likely to cause the greatest amount of disruption on a router? (Select the best answer.)

A. spyware B. a Trojan horse C. a worm D. a DDoS attack

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: Of the available choices, a Distributed Denial of Service (DDoS) attack is most likely to cause the greatest amount of disruption on a router. A DDoS attack is a coordinated Denial of Service (DoS) attack that uses multiple attacking hosts to target a single victim. For example, a large number of zombie hosts in a botnet could flood a target device with packets. Because the flood of packets originates from multiple hosts and typically targets public services, such as the web service, the target device might not recognize the traffic as an attack. If enough packets are sent to the target device within a short period of time, the target will be unable to respond to legitimate packets because its resources are consumed handling the requests originated by the attackers.

A Trojan horse does not cause the greatest amount of disruption on a router. A Trojan horse is a type of malicious software that appears to be legitimate software. Because a Trojan horse appears to be legitimate, users often load the Trojan horse unknowingly. The Trojan horse can then affect the computer in several ways. Some Trojan horses cause advertising pop-ups to be displayed intermittently. Other Trojan horses can cause more harm by deleting or damaging data. Because a router runs only Cisco-proprietary software, there is little chance that a Trojan horse could inadvertently be installed. Likewise, a worm does not cause the greatest amount of disruption on a router. A worm is a specific type of standalone, malicious software that has the ability to self-propagate. A worm typically exploits vulnerabilities in an operating system (OS) to compromise a computer and to install copies of itself onto the infected device. Because a router runs only Cisco-proprietary software, there is little chance that a worm could exploit a vulnerability in its OS and infect the router. Although excessive network traffic caused by worm propagation could negatively affect the performance of a router, it is unlikely that this traffic would be comparable to the impact of a DDoS attack. Spyware does not cause the greatest amount of disruption on a router. Spyware is a type of unwanted software that can record a user's actions and personal information. Because a router runs only Cisco-proprietary software, there is little chance that spyware could inadvertently be installed. Reference: Cisco: Defeating DDOS Attacks

QUESTION 106 The following partial command output is from the running configuration of an ASA that has been configured to authorize VPN users based on their group membership in AD:

ldap attribute-map ExampleMap
  map-name memberOf Group-Policy
  map-value memberOf CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com Group5
  map-value memberOf CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com Group4
  map-value memberOf CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com Group3
  map-value memberOf CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com Group2
  map-value memberOf CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com Group1

An LDAP authorization query for a VPN user returns the following values:

memberOf: value = CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com

Which group policy will the ASA assign to the user in this scenario? (Select the best answer.)

A. Group1 B. Group2 C. Group3 D. Group4 E. Group5

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: In this scenario, the Cisco Adaptive Security Appliance (ASA) will assign the group policy named Group1 to the virtual private network (VPN) user. Lightweight Directory Access Protocol (LDAP) attribute maps are used to authorize VPN users based on specified Active Directory (AD) attributes, such as group membership or department name. The following sample output from the running configuration defines five group policy mappings:

ldap attribute-map ExampleMap
  map-name memberOf Group-Policy
  map-value memberOf CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com Group5
  map-value memberOf CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com Group4
  map-value memberOf CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com Group3
  map-value memberOf CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com Group2
  map-value memberOf CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com Group1

The ldap attribute-map ExampleMap command creates an LDAP attribute map named ExampleMap. The LDAP attribute map contains a map-name statement, which maps the AD memberOf attribute to the ASA Group-Policy attribute, and a series of map-value commands, which map matching LDAP response strings to ASA attribute values. The map-value commands specify the mapping between AD group membership values in an LDAP response and the ASA group policy that should be applied. When the ASA receives a reply to an LDAP authorization query for the VPN user in this scenario, the following multi-valued response is compared to the map-value statements in the LDAP attribute map:

memberOf: value = CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com

If an LDAP query returns a multi-valued attribute, the ASA matches only one of the returned values to a group policy. The ASA selects, among the matching group policies, the one whose name has the fewest characters and, among names of equal length, the one that starts with the lowest alphanumeric character. In this scenario, four of the five configured map-value statements match the LDAP query response. Because the group policies in the matched statements have names of identical length, the ASA selects the name that sorts first. Alphanumerically, the name Group1 comes before the other matching group policy names: Group3, Group4, and Group5. Reference: Cisco: ASA Use of LDAP Attribute Maps Configuration Example: FAQ
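The selection rule is easy to misread as "first map-value in the configuration wins", which would give Group5 here. The following added example (written for this page, not taken from Cisco documentation or ASA code) parses the attribute map from the scenario and applies the tie-break described above: shortest group policy name first, then alphanumeric order. The configuration text is a constructed copy of the scenario; the parser assumes DNs without embedded spaces, as in the scenario, since a DN containing spaces would be quoted on a real ASA.

```python
import re
from typing import Dict, List, Optional

# Constructed copy of the scenario's attribute map, one map-value per line.
ATTRIBUTE_MAP_CONFIG = """\
ldap attribute-map ExampleMap
  map-name memberOf Group-Policy
  map-value memberOf CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com Group5
  map-value memberOf CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com Group4
  map-value memberOf CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com Group3
  map-value memberOf CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com Group2
  map-value memberOf CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com Group1
"""

# The memberOf values the LDAP server returned for the user in the scenario.
SCENARIO_MEMBER_OF = [
    "CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com",
    "CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com",
    "CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com",
    "CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com",
]

_MAP_VALUE = re.compile(r"^\s*map-value\s+memberOf\s+(\S+)\s+(\S+)\s*$")


def parse_map_values(config: str) -> Dict[str, str]:
    """Return {LDAP value: ASA group policy} for every 'map-value memberOf' line.
    Assumes unquoted DNs (no spaces), which is all the scenario contains."""
    mapping: Dict[str, str] = {}
    for line in config.splitlines():
        m = _MAP_VALUE.match(line)
        if m:
            mapping[m.group(1)] = m.group(2)
    return mapping


def select_group_policy(mapping: Dict[str, str], member_of: List[str]) -> Optional[str]:
    """Apply the ASA tie-break for a multi-valued attribute: of all group policies
    whose map-value matched, take the shortest name, then the alphanumerically lowest."""
    candidates = [mapping[value] for value in member_of if value in mapping]
    if not candidates:
        return None   # no map-value matched; the ASA falls back to the tunnel group's default policy
    return min(candidates, key=lambda name: (len(name), name))


if __name__ == "__main__":
    mapping = parse_map_values(ATTRIBUTE_MAP_CONFIG)
    print(select_group_policy(mapping, SCENARIO_MEMBER_OF))   # Group1
```

Because length is compared before alphabetic order, a user who matches both a policy named Zed and one named Group1 would be placed in Zed; naming group policies so that the most restrictive one also sorts first under this rule is the practical defence against surprising assignments.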

QUESTION 107 Which of the following descriptions most accurately describes split tunneling? (Select the best answer.)

A. It enables traffic to exit the same interface through which it entered. B. It enables traffic to flow between interfaces that share the same security level. C. It enables a VPN tunnel to form through a firewall or NAT device. D. It enables a VPN tunnel to determine which traffic flows should be encrypted.

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: Split tunneling enables a virtual private network (VPN) tunnel to determine which traffic flows should be encrypted. Without split tunneling, all traffic that passes through a remote VPN router is encrypted and forwarded through a tunnel to the VPN server, which is an inefficient use of the bandwidth and processing power of both the VPN server and the remote VPN router. Traffic that is destined for the Internet or another unprotected network does not need to be encrypted or forwarded to the VPN server. Split tunneling uses an access control list (ACL) to determine which traffic flows are permitted to pass through the encrypted tunnel. Traffic destined for a protected network at the VPN server site is encrypted and allowed to pass through the tunnel, whereas all other traffic is processed normally. This method reduces both the processing load on the router and the amount of traffic that passes through the encrypted tunnel. Split tunneling can also be applied to traffic from remote access VPN clients. Transparent tunneling, not split tunneling, enables a VPN tunnel to form through a firewall or Network Address Translation (NAT) device. When transparent tunneling is enabled on a VPN client, encrypted packets are encapsulated in Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets prior to transmission through the firewall or NAT device. The same-security-traffic permit intra-interface command enables traffic on a Cisco Adaptive Security Appliance (ASA) to exit the same interface through which it entered, which is also known as hairpinning. By default, an ASA does not allow packets to enter and exit through the same physical interface. However, because multiple logical virtual LANs (VLANs) can be assigned to the same physical interface, it is sometimes necessary to allow a packet to enter and exit through the same interface.
The same-security-traffic permit intra-interface command allows packets to be sent and received from the same interface even if the traffic is protected by IP Security (IPSec) security policies. Another scenario in which you would need the same-security-traffic permit intra-interface command is when multiple users connect via VPN through the same physical interface. These users will not be able to communicate with one another unless the same-security-traffic permit intra-interface command has been issued from global configuration mode. Likewise, the same-security-traffic permit inter-interface command enables traffic to flow between interfaces that share the same security level. By default, interfaces with the same security level are not allowed to communicate.

Reference: CCNA Security 210-260 Official Cert Guide, Chapter 8, Split Tunneling, pp. 227-228

QUESTION 108 Which of the following IPS detection types does not require regularly updated definition files? (Select the best answer.)

A. pattern-based B. profile-based C. signature-based D. reputation-based

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: Profile-based detection methods, which are also known as anomaly-based detection methods, do not require regularly updated definition files. Profile-based detection methods detect abnormal behavior on a network. Traffic is classified as normal or abnormal based on information that is dynamically learned or manually programmed. The benefit of anomaly-based detection is that anything that is not specified as normal is classified as abnormal; therefore, anomaly-based detection can typically detect a wide range of threats, including attacks for which no signature exists. One drawback of anomaly-based detection is that new, legitimate traffic patterns appear regularly on all but the smallest of networks, which leads to a lot of false positives unless the baseline is kept current. Another drawback is the memory and processing power required to maintain profiles for each user or host. By contrast, pattern-based detection methods, which are also called signature-based methods, require regularly updated definition files. Pattern-based detection methods use specific strings of text to detect malicious traffic. Many signature-based detection methods can also use protocols and port numbers to further specify malicious traffic patterns. The benefit of signature-based detection methods is that the number of false positives generated is typically low. However, the drawback is that a modified attack cannot be detected by old signature definition files; the modified attack will not be detected until a new signature is added for it. Therefore, Cisco recommends updating signature files, including antivirus signatures, every time a new update is available. Reputation-based detection methods use information collected from a global network of security devices to detect malicious traffic. Because the information available is constantly being updated, reputation-based systems require frequent updates to their reputation data. The primary advantage of these frequent updates is that many attacks can be detected and prevented based on information gathered from other systems that have already experienced the same attack. Reference: CCNA Security 210-260 Official Cert Guide, Chapter 17, Signature-Based IPS/IDS, p. 464

QUESTION 109 Which of the following statements is true regarding the send-lifetime command? (Select the best answer.)

A. The default duration for sending keys is infinite. B. You cannot specify a duration based on a specific start and end time. C. The duration must be specified in oneminute increments. D. The earliest start time value is January 1, 1970.

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: When using the send-lifetime command, the default duration for sending keys is infinite. The send-lifetime command specifies the period of time during which a key in a key chain is sent by a router for authentication. The syntax for this command is send-lifetime start-time {infinite | end-time | duration seconds}, where start-time specifies the date and time at which the router should start sending the key. The earliest valid start time is January 1, 1993. By default, keys are valid indefinitely; however, you can use the duration keyword to specify a duration value between 1 and 2,147,483,646 seconds. For example, the send-lifetime 19:00:00 Feb 24 2015 duration 3600 command specifies that a key should be valid for 3,600 seconds, which is one hour, and that the router should begin sending the key at 19:00:00 Feb 24 2015, which corresponds to 7 p.m. on February 24, 2015. You can also specify the lifetime as a specific start and end time. For example, you could issue the send-lifetime 19:00:00 Feb 24 2015 20:00:00 Feb 24 2015 command to achieve the same one-hour duration as the send-lifetime 19:00:00 Feb 24 2015 duration 3600 command. Because the lifetime is evaluated against the router's own clock, a router whose clock is wrong will send or stop sending the key at the wrong time. Reference: Cisco: IP Routing Protocol-Independent Commands: send-lifetime
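To make the three forms of the command concrete, the following added example (written for this page, not Cisco code) models send-lifetime: it parses the IOS timestamp form, enforces the 1993 floor on start-time and the 1..2,147,483,646 range on duration, and shows that the duration form and the explicit end-time form from the explanation produce the same window. The sample timestamps are those from the explanation; the helper names are assumptions.

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple

EARLIEST_START = datetime(1993, 1, 1)   # earliest start-time the command accepts
MAX_DURATION = 2_147_483_646            # largest value for 'duration seconds'

Lifetime = Tuple[datetime, Optional[datetime]]   # (start, end); end None means infinite


def parse_ios_time(text: str) -> datetime:
    """Parse the 'hh:mm:ss Mon dd yyyy' form used by send-lifetime."""
    return datetime.strptime(text, "%H:%M:%S %b %d %Y")


def send_lifetime(start: str, end: str = "infinite") -> Lifetime:
    """Model 'send-lifetime start-time {infinite | end-time | duration seconds}'.
    Raises ValueError for arguments the command would reject."""
    start_dt = parse_ios_time(start)
    if start_dt < EARLIEST_START:
        raise ValueError("start-time must be January 1, 1993 or later")
    if end == "infinite":
        return start_dt, None                        # the default: sent indefinitely
    if end.startswith("duration "):
        seconds = int(end.split(maxsplit=1)[1])
        if not 1 <= seconds <= MAX_DURATION:
            raise ValueError("duration must be 1..2147483646 seconds")
        return start_dt, start_dt + timedelta(seconds=seconds)
    end_dt = parse_ios_time(end)                     # explicit end-time form
    if end_dt <= start_dt:
        raise ValueError("end-time must be later than start-time")
    return start_dt, end_dt


def accepted(start: str, end: str = "infinite") -> bool:
    """True if the command would accept these arguments."""
    try:
        send_lifetime(start, end)
        return True
    except ValueError:
        return False


def key_is_sent(lifetime: Lifetime, at: datetime) -> bool:
    """True when the router would send the key at its clock time 'at'."""
    start_dt, end_dt = lifetime
    return start_dt <= at and (end_dt is None or at < end_dt)


# The two equivalent forms from the explanation.
BY_DURATION = send_lifetime("19:00:00 Feb 24 2015", "duration 3600")
BY_END_TIME = send_lifetime("19:00:00 Feb 24 2015", "20:00:00 Feb 24 2015")

if __name__ == "__main__":
    print(BY_DURATION == BY_END_TIME, BY_DURATION)
```

The key_is_sent check is evaluated against whatever clock the router has, which is why key-chain rotation on routers without a synchronized time source tends to fail at the boundaries.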

QUESTION 110 Which of the following is a show ntp associations command output symbol that indicates that an IP address is an NTP master and the router is synchronized with the master? (Select the best answer.)

A. # B. * C. . D. ~ E. +

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: The asterisk (*) is a show ntp associations command output symbol that indicates that an IP address is a Network Time Protocol (NTP) master and the router is synchronized with that master. The output of the show ntp associations command displays the IP addresses of configured NTP servers as well as their respective reference clock sources, strata, and reachability statistics. For example, in the following command output, the NTP server at IP address 128.227.205.3 is a stratum 1 server that uses a global positioning system (GPS) receiver as its time source:

The * next to the IP address in the command output indicates that this server is the NTP master time source to which the Cisco device is synced. The pound sign (#) indicates an NTP master time source to which the Cisco device is not yet synced. The plus sign (+) indicates a server that has passed the selection algorithm and is a candidate for synchronization but is not the server the device is currently synchronized with. A tilde (~) indicates that the address was manually configured. The period (.) is a symbol displayed in the output of the show clock command, not the show ntp associations command. If the time has been set by a timing source but is not currently synchronized with that source, the time is still considered authoritative, and the . symbol is displayed in the show clock output to indicate the lack of synchronization. The following output indicates that the software clock is authoritative but not synchronized with its time source: .10:06:40.603 UTC Tue Jan 13 2015 The show clock command displays the current time as reported by the system software clock. If the software clock has not been set by a timing source such as NTP, the system flags the time as not authoritative, and show clock indicates the flag with the * symbol, as shown in the following output: *10:06:40.603 UTC Tue Jan 13 2015 By contrast, if the time has been set by a timing source and is synchronized with that source, the time is authoritative and show clock displays no additional symbol. For example, the absence of a symbol in the following output indicates that the software clock is authoritative and synchronized: 10:06:40.603 UTC Tue Jan 13 2015 Reference: Cisco: Cisco IOS Basic System Management Command Reference: show ntp associations

QUESTION 111 Which of the following impact levels is used by FireSIGHT to indicate that either the source or target host is on a monitored network but has no corresponding entry in the network map? (Select the best answer.)

A. 0 B. 1 C. 2 D. 3 E. 4

Correct Answer: E Section: (none) Explanation

Explanation/Reference: Explanation: The impact level 4 is used by Cisco FireSIGHT Defense Center to indicate that either the source or target host is on a monitored network but has no corresponding entry in the network map. FireSIGHT uses impact levels to describe the potential severity of attacks. In the FireSIGHT system, managed devices, like Cisco FirePOWER Intrusion Prevention Systems (IPSs), respond to an intrusion event by flagging the event with an impact level and sending the event to the FireSIGHT Defense Center. The impact level is based on accumulated intrusion data, network discovery data, and vulnerability information. The aggregated intrusion event data typically contains contextual information about the event and includes a copy of the packet that triggered the event. The following table provides a summary of the FireSIGHT impact levels and their meaning:

Reference: Cisco: Working with Intrusion Events: Using Impact Levels to Evaluate Events

QUESTION 112 Which of the following can the FirePOWER IMAP preprocessor extract in client-to-server traffic? (Select the best answer.)

A. attachments B. file names C. addresses D. header data

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: On a Cisco FirePOWER Intrusion Prevention System (IPS), the Internet Message Access Protocol (IMAP) preprocessor can extract and decode attachments in client-to-server traffic. The FirePOWER IMAP preprocessor is an Application layer inspection engine that decodes email traffic and normalizes the resulting data before forwarding the traffic to the intrusion rules engine for analysis. Cisco also provides Post Office Protocol version 3 (POP3) and Simple Mail Transfer Protocol (SMTP) preprocessors. In addition to generating an event when they observe anomalous traffic, the FirePOWER email-related preprocessors inspect the commands that pass between a client and a server to ensure that they comply with the relevant Request for Comments (RFC). For example, the IMAP preprocessor can generate an event when either a client command or a server response does not comply with RFC 3501, which defines IMAP, and the POP3 preprocessor can do the same for commands that do not comply with RFC 1939, which defines POP3. By contrast, the SMTP preprocessor can normalize all, none, or a specific set of SMTP commands, although a base set of commands is always treated as part of the custom valid set if normalization is enabled. In addition, the SMTP preprocessor can extract email file names, addresses, and header data. Reference: Cisco: Application Layer Preprocessors: The IMAP Preprocessor Cisco: Application Layer Preprocessors: The POP Preprocessor Cisco: Application Layer Preprocessors: The SMTP Preprocessor

QUESTION 113 Which of the following routing protocols does not support MD5 authentication for secure route updates? (Select the best answer.)

A. BGP B. OSPF C. RIPv1 D. RIPv2 E. EIGRP

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: Routing Information Protocol version 1 (RIPv1) does not support Message Digest 5 (MD5) authentication for secure route updates. Routing protocol spoofing can inject false routes into routing tables, which can redirect traffic through an attacker-controlled path or black-hole it. You can mitigate routing table modification by implementing routing protocol authentication and route filtering. RIPv1 does not support any form of authentication; however, its successor, RIP version 2 (RIPv2), supports either plaintext authentication or MD5 authentication. Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), RIPv2, and Enhanced Interior Gateway Routing Protocol (EIGRP) all support MD5 authentication for secure route updates. Although many of these protocols, such as OSPF, support plaintext authentication as an alternative to MD5, Cisco recommends MD5 because a plaintext key is visible to anyone who can capture the routing updates, whereas MD5 authentication never places the key on the wire. Alternatively, you can disable all dynamic routing protocols and use static routes so that no route updates are exchanged at all. However, static routes work well only on small, reliable networks. Static routes are not scalable, because changes made on one router are not propagated to the other routers on the network; each router must be modified manually.

Reference: Cisco: Network Foundation Protection: Restrict Routing Protocol Membership Cisco: Sample Configuration for Authentication in RIPv2
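The following IOS configuration is an added example, not part of the original explanation, and ties together the send-lifetime discussion earlier on this page and the RIPv2 MD5 point in this question: a key chain whose keys roll over from key 1 to key 2 with a 15-minute overlap in the accept windows, applied to RIPv2 with MD5 authentication on one link. The interface name, key-chain name, key strings, RIP network, and EIGRP AS number are assumptions chosen for illustration; the times are the ones used in the send-lifetime example above.

```cisco
! Key chain with overlapping accept-lifetimes so that a neighbor whose clock is
! a few minutes off still accepts the old key while the new one comes into use.
! Assumed names and key strings; replace with your own.
key chain RIP-KEYS
 key 1
  key-string 0 R1p-K3y-0n3
  accept-lifetime 18:45:00 Feb 24 2015 20:15:00 Feb 24 2015
  send-lifetime 19:00:00 Feb 24 2015 duration 3600
 key 2
  key-string 0 R1p-K3y-Tw0
  accept-lifetime 19:45:00 Feb 24 2015 infinite
  send-lifetime 20:00:00 Feb 24 2015 infinite
!
! Lifetimes are only meaningful if the clock is authoritative.
ntp server 10.0.0.1
!
! RIPv1 has no authentication at all, so version 2 is mandatory here.
router rip
 version 2
 network 192.168.51.0
 no auto-summary
!
interface Serial0/0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-KEYS
!
! The same key chain can be reused for EIGRP on the same interface:
!  interface Serial0/0
!   ip authentication mode eigrp 100 md5
!   ip authentication key-chain eigrp 100 RIP-KEYS
!
! Verification:
!  show key chain RIP-KEYS      - shows which key is currently valid for send/accept
!  debug ip rip                 - a mismatch logs "ignored v2 packet ... (invalid authentication)"
```

Both neighbors need the same key IDs and key strings; the key ID is carried in the update, so a neighbor that has key 1 but not key 2 will start discarding updates at 20:00 when this router switches to key 2.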

QUESTION 114 Which of the following is displayed by the show ip dhcp snooping database command? (Select the best answer.)

A. the DHCP snooping configuration for a switch B. dynamic entries in the binding table C. the status of the binding table D. detailed DHCP snooping statistics

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: The show ip dhcp snooping database command displays the status of the binding table. When Dynamic Host Configuration Protocol (DHCP) snooping is configured on a Cisco Catalyst switch, the switch records each DHCP client's Media Access Control (MAC) address, leased IP address, lease time, VLAN, and ingress interface in the DHCP snooping binding database, which is also known as the binding table. The switch drops DHCP server messages, such as DHCPOFFER and DHCPACK, that arrive on untrusted ports, and it drops client messages from untrusted ports whose source MAC address does not match the client hardware address in the DHCP payload or whose DHCPRELEASE or DHCPDECLINE does not match an existing binding. The binding table can be stored locally or on a remote server. The show ip dhcp snooping database command displays the status of the DHCP snooping binding table agent and statistics regarding the binding table, such as the Uniform Resource Locator (URL) where the binding table is stored and how many successful writes have been committed to it. For example, the following sample output indicates that the binding table is stored in a file named bindingtable on the Trivial File Transfer Protocol (TFTP) server with an IP address of 1.2.3.4:

The show ip dhcp snooping command displays general information regarding the DHCP snooping configuration on a switch, such as the virtual LANs (VLANs) for which DHCP snooping is enabled and the trusted state of each interface. For example, the following sample output indicates that DHCP snooping is enabled for VLANs 101, 201, and 301:

The show ip dhcp snooping binding command displays the dynamic entries in the binding table. You must use the show ip source binding command to view both static and dynamic binding table entries. For example, the following sample output from the show ip dhcp snooping binding command indicates that two DHCP clients from VLAN 101 have entries in the binding table:

The show ip dhcp snooping statistics detail command displays detailed DHCP snooping statistics, which include the number of packets dropped for each denial category, such as binding mismatches or exceeded rate limits. For example, the following sample output from the show ip dhcp snooping statistics detail command indicates that 2,130 packets were processed by DHCP snooping and 41 packets were dropped because of binding mismatches:

Reference: Cisco: Cisco IOS IP Addressing Services Command Reference: show ip dhcp snooping database
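For context, the following Catalyst configuration is an added example, not part of the original explanation, and produces the state that the four show commands above report: snooping enabled on VLANs 101, 201, and 301, the binding database written to the TFTP server at 1.2.3.4 in a file named bindingtable, a single trusted uplink toward the DHCP server, and rate-limited untrusted access ports. The interface names, the rate limit, and the write delay are assumptions.

```cisco
! Globally enable snooping, then enable it per VLAN (the VLAN list is from the
! sample output discussed above).
ip dhcp snooping
ip dhcp snooping vlan 101,201,301
!
! Persist the binding table off-box so bindings survive a reload; without this,
! IP Source Guard or Dynamic ARP Inspection would block every client until it
! renewed its lease. URL taken from the sample output above.
ip dhcp snooping database tftp://1.2.3.4/bindingtable
ip dhcp snooping database write-delay 60
!
! On by default: drop client packets whose source MAC differs from the chaddr
! field, which is what the "binding mismatch" drop counter records.
ip dhcp snooping verify mac-address
!
! Assumed interface: the ONLY port allowed to carry DHCP server messages.
interface GigabitEthernet1/0/1
 description Uplink toward the DHCP server
 ip dhcp snooping trust
!
! Assumed access ports: untrusted by default; the rate limit blunts DHCP
! starvation attacks. Exceeding it err-disables the port.
interface range GigabitEthernet1/0/2 - 24
 description Access ports
 ip dhcp snooping limit rate 10
!
errdisable recovery cause dhcp-rate-limit
!
! If the upstream DHCP server rejects packets carrying option 82 with a
! giaddr of 0.0.0.0, disable insertion on the switch:
!  no ip dhcp snooping information option
!
! Verify:
!  show ip dhcp snooping                   - VLANs and trusted ports
!  show ip dhcp snooping binding           - dynamic bindings
!  show ip dhcp snooping database          - agent URL and write statistics
!  show ip dhcp snooping statistics detail - drop counters per reason
```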

QUESTION 115 Under normal operating circumstances, which of the following planes sends the least amount of traffic to the route processor of a Cisco router? (Select the best answer.)

A. the data plane B. the control plane C. the services plane D. the management plane

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: Under normal operating circumstances, the data plane sends the least amount of traffic to the route processor of a Cisco router. The data plane is one of the four logical components that collectively define a router; the remaining components are the control plane, the management plane, and the services plane. Data plane traffic consists primarily of user-generated traffic that is forwarded from one interface to another on a router. This type of traffic is also referred to as transit traffic. Cisco routers can use several forwarding mechanisms to process transit traffic. The slowest of these Layer 3 switching mechanisms is process switching, which uses the router's CPU, also known as the route processor, to determine the next hop and forwarding interface for the destination IP address of each received packet. Once a router has a corresponding entry in its route cache or Cisco Express Forwarding (CEF) table, subsequent packets matching that entry's destination can be fast-switched to the appropriate interface without involving the CPU. The fast-switching mechanism handles significantly higher throughput than process switching because most, if not all, of its functions can be implemented directly in the forwarding hardware of the router.

By contrast, nearly all control plane and management plane traffic is handled by the route processor. Control plane traffic typically consists of packets that create or maintain network operations on the router, such as dynamic routing protocol packets or Address Resolution Protocol (ARP) packets, whereas management plane traffic consists of packets used to administer the router, such as Telnet or Secure Shell (SSH) session traffic. These packets cannot be handled by the normal fast-path switching mechanisms because they require special handling by the router's CPU, which is also why a flood of such packets can exhaust the route processor and why control plane policing exists. Traffic from the services plane is a special kind of data plane traffic that requires some processing by the router CPU before it can be placed into the fast-switching path. For example, Generic Routing Encapsulation (GRE) encapsulation or Quality of Service (QoS) processing might need to be applied to traffic before it is placed into the fast path. Although not all services plane traffic must be processed by the CPU, considerably more services plane traffic involves the CPU than data plane traffic does. Reference: Cisco: Control Plane Policing Implementation Best Practices: Introduction: Network Device Operations

QUESTION 116 Which of the following best describes an external cloud? (Select the best answer.)

A. decentralized computer resources that can be accessed over the Internet B. a network zone between the Internet and a private or trusted network C. a portion of a private or trusted network that can be accessed by a business partner D. websites available only to users inside a private network

Correct Answer: A Section: (none) Explanation

Explanation/Reference: Explanation: An external cloud is best described as decentralized computer resources that can be accessed over the Internet. An external cloud allows computer processes that are typically hosted internally to be moved to an external provider, which can reduce the burden on internal system and network resources. In cloud computing, there are two accepted types of cloud infrastructure: external and internal. External clouds are managed by a service provider and are further broken down into two categories: public and private. With public clouds, the service provider controls the cloud and its infrastructure, whereas with private clouds, the service provider controls only the infrastructure. Internal clouds are similar to private clouds, except that the cloud is owned and managed by the organization that uses it and not by a third-party service provider. A portion of a private or trusted network that can be accessed by a business partner best describes an extranet, not an external cloud. An extranet is a portion of a company’s internal network that is accessible to specific people outside of the company, such as business partners, suppliers, or customers. By creating an extranet, a company can provide a location for sharing information with external users. For example, a consulting company could create an extranet for external customers to view and comment on the consulting company’s progress on various projects. In many extranet implementations, the external customer network shares a bilateral connection with the company’s internal network. This bilateral connection not only enables the external customer to access portions of the company’s internal network, but also enables portions of the company’s internal network to access portions of the external customer’s network. A network zone between the Internet and a private or trusted network best describes a demilitarized zone (DMZ), not an external cloud. DMZs are typically bordered by two firewalls: one that controls traffic between the DMZ and the Internet, and one that controls traffic between the DMZ and the private, or trusted, network. Websites available only to users inside a private network best describes an intranet, not an external cloud. An intranet can be created to provide internal users with their own website and a location for sharing information among members of the company. Unlike an extranet, which is a portion of the company’s network that is accessible to people outside the company, an intranet is typically available only to internal users. Reference: Cisco: The Internet Protocol Journal, Volume 12, No.3: Cloud Computing A Primer

QUESTION 117 Which of the following statements are true regarding the DfltGrpPolicy group policy? (Select 3 choices.)

A. It cannot be modified. B. It is the default policy used with the DefaultRAGroup connection profile. C. It is the default policy used with the DefaultWEBVPNGroup connection profile. D. It can be applied to user profiles. E. It should be deleted if custom group policies are created.

Correct Answer: BCD Section: (none) Explanation

Explanation/Reference: Explanation: The DfltGrpPolicy group policy can be applied to user profiles and is the default policy used with both the DefaultRAGroup and the DefaultWEBVPNGroup connection profiles. Group policies are used on Cisco Adaptive Security Appliances (ASAs) to specify the security policies and network settings that apply when remote virtual private network (VPN) users log in to the ASA. Cisco ASAs include the DfltGrpPolicy group policy, which is the default policy used for the default connection profiles that are included on an ASA: DefaultRAGroup and DefaultWEBVPNGroup. You can customize the DfltGrpPolicy group policy to match your company’s requirements, and custom group policies inherit from it any setting they do not explicitly override. In addition to applying this group policy to connection profiles, you can apply it to user profiles, which lets you create a specific set of policies for individual users. The DfltGrpPolicy group policy cannot be deleted. You can create custom group policies, but you cannot delete the default group policy. Reference: Cisco: Configuring Tunnel Groups, Group Policies, and Users: Default Group Policy

QUESTION 118 Which of the following is accomplished as a result of issuing the group-url command on an ASA? (Select the best answer.)

A. A list of bookmarks will be created for clientless SSL VPN users. B. A VPN access method will be created in which the connection profile is automatically selected for VPN users. C. A webtype ACL will be created for a tunnel group. D. A list of WebVPN servers will be applied to a user account.

Correct Answer: B Section: (none) Explanation

Explanation/Reference: Explanation: Issuing the group-url command on a Cisco Adaptive Security Appliance (ASA) creates a virtual private network (VPN) access method in which the connection profile is automatically selected for VPN users; the group-url command creates a group Uniform Resource Locator (URL) for Secure Sockets Layer (SSL) VPN users. If you configure a group URL for SSL VPN users, users who connect to that URL are not required to select a tunnel group when they establish a connection. In such a scenario, the user is presented with only user name and password fields on the login screen. The ASA examines the URL to which the user is connecting and automatically applies the connection profile associated with that URL. Configuring a group URL can help improve security because the user is not presented with a list of available connection profiles, which would otherwise disclose the name of every profile on the appliance to anyone who reaches the login page. You can configure a group URL by using the group-url command or by using Cisco Adaptive Security Device Manager (ASDM). The syntax of the group-url command is group-url url [enable | disable]. This command is issued from tunnel-group webvpn-attributes configuration mode. To configure a group URL for a new SSL VPN connection profile in ASDM, click Configuration, expand Network (Client) Access, click AnyConnect Connection Profiles, and click Add under Connection Profiles, which opens the Add SSL VPN Connection Profile dialog box. In the Add SSL VPN Connection Profile dialog box, expand Advanced and click SSL VPN to open the SSL VPN screen; on the SSL VPN screen, you can add a list of group URLs in the Group URLs area. Issuing the group-url command does not create a webtype access control list (ACL) for a tunnel group. You can issue the access-list webtype command to create a webtype ACL. Issuing the group-url command does not apply a list of WebVPN servers to a user account or create a list of bookmarks for SSL VPN users. You can issue the url-list command to configure a list of WebVPN servers or URLs that is applied to user profiles. Reference: Cisco: Cisco ASA 5500 Series Command Reference: group-url
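The following ASA configuration is an added example, not taken from the original explanation or from Cisco documentation, that shows the group-url approach beside the group-alias alternative it replaces. The profile and policy names, the interface name, and the URL vpn.example.com are assumptions.

```cisco
! Enable SSL VPN termination on the outside interface (assumed name).
webvpn
 enable outside
!
! Assumed group policy that the SALES connection profile will apply.
group-policy SALES-GP internal
group-policy SALES-GP attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
!
tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 default-group-policy SALES-GP
tunnel-group SALES webvpn-attributes
 ! Users who browse to this URL land directly in the SALES profile and see only
 ! the username/password fields. The host part must be a name or address on which
 ! the ASA is actually listening for SSL VPN connections.
 group-url https://vpn.example.com/sales enable
!
! The alternative below lets users pick the profile from a drop-down on the
! login page, which exposes every alias on the appliance. Leave it disabled
! when group URLs are in use:
!  webvpn
!   tunnel-group-list enable
!  tunnel-group SALES webvpn-attributes
!   group-alias sales enable
!
! Verify:
!  show running-config tunnel-group SALES
!  show vpn-sessiondb anyconnect   (Tunnel Group column shows the selected profile)
```

One group URL per connection profile is enough to hide profile names, but it is not an access control: anyone who learns the URL can still attempt to authenticate against that profile, so authentication and authorization remain the controls that matter.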

QUESTION 119 What is the default modulus size that is used to create a self-signed certificate for SSL authentication on a Cisco ASA? (Select the best answer.)

A. 512 bits B. 768 bits C. 1,024 bits D. 2,048 bits

Correct Answer: C Section: (none) Explanation

Explanation/Reference: Explanation: The default modulus size that is used to create a self-signed certificate for Secure Sockets Layer (SSL) authentication on a Cisco Adaptive Security Appliance (ASA) is 1,024 bits. If no trust point has been configured, an ASA dynamically generates a self-signed certificate when an SSL connection is first established. For example, when a Hypertext Transfer Protocol Secure (HTTPS) or a Cisco Adaptive Security Device Manager (ASDM) connection is made to the ASA, a self-signed certificate is used to authenticate the ASA to the browser or ASDM client. You can view self-signed certificates in ASDM by opening the Configuration > Remote Access VPN > Certificate Management > Identity Certificates pane. You can identify a self-signed certificate in the Identity Certificates pane by looking for a certificate with identical values in the Issued To and Issued By fields. After selecting a certificate, you can click the Show Details button to display detailed information about the certificate. Below, you can see a self-signed certificate associated with ASDM_Trustpoint0 and with a modulus of 1,024 bits:

Alternatively, you can examine a certificate by using a modern web browser. When a web browser or ASDM session is presented with a self-signed certificate, it issues a warning to indicate that it cannot chain the certificate to a trusted root certificate authority (CA). Below, you can see an example of the warning information presented by a browser-based HTTPS session that receives a self-signed certificate:

You can view the details of the certificate by clicking the Certificate information link, which displays the contents of the certificate. You can determine that a certificate is self-signed by noting that the Issued to and Issued by fields in the certificate contain the same value, as shown in the example below:

You can click the Details tab to view the contents of the certificate. Because this example is from an ASA with a default configuration, you can see in the following exhibit that the modulus size in the Public key field is 1,024 bits:

Reference: Cisco: Cisco ASA 5500 Series Command Reference: crypto key generate rsa
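A 1,024-bit RSA modulus is below current minimum recommendations, and a self-signed certificate cannot be validated by clients, so on a production ASA the default described above should be replaced. The following ASA configuration is an added example, not from the original explanation, that generates a 2,048-bit key pair, enrolls a self-signed identity certificate on that key, and binds it to the SSL listener. The key-pair label, trustpoint name, subject name, host name asa.example.com, and interface name are assumptions.

```cisco
! Generate a 2048-bit RSA key pair with its own label so the SSL certificate
! does not share the device's default key pair (which may still be 1024 bits).
crypto key generate rsa label SSL-KEY modulus 2048
!
! Self-signed trustpoint bound to the new key pair (assumed names).
crypto ca trustpoint SSL-TP
 enrollment self
 fqdn asa.example.com
 subject-name CN=asa.example.com,O=Example Corp
 keypair SSL-KEY
!
! Create the identity certificate; "noconfirm" suppresses the interactive prompts.
crypto ca enroll SSL-TP noconfirm
!
! Use it for ASDM and SSL VPN sessions on the outside interface (assumed name).
ssl trust-point SSL-TP outside
!
! Verify: the certificate should show "RSA (2048 bits)" and an identical
! Subject and Issuer, confirming it is self-signed.
!  show crypto ca certificates SSL-TP
!  show ssl
```

This removes the weak modulus but not the trust problem: clients will still warn until the certificate is issued by a CA they trust. For that, keep the same trustpoint and key pair but replace enrollment self with enrollment terminal (paste a CA-signed certificate) or enrollment url (SCEP), and ensure the CA's certificate is installed on the ASA first.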

QUESTION 120 Which of the following statements is true regarding private VLANs? (Select the best answer.)

A. Isolated ports can communicate only with other isolated ports in the same isolated VLAN. B. Only a single community VLAN can be associated with a primary VLAN. C. Community VLANs can send traffic to isolated ports but cannot receive traffic from them. D. Every port in a private VLAN is a member of the primary VLAN.

Correct Answer: D Section: (none) Explanation

Explanation/Reference: Explanation: Every port in a private virtual LAN (VLAN) is a member of the primary VLAN. Private VLANs can be configured on a switch to isolate traffic and provide Layer 2 separation between ports that belong to the same VLAN. Because the separation exists at Layer 2, the hosts can remain on the same IP subnet. The VLAN to which the hosts belong is called the primary VLAN. To create a private VLAN, you must create one or more secondary VLANs and associate them with the primary VLAN. There are two types of secondary VLANs: community VLANs and isolated VLANs. When configuring a port to participate in a private VLAN, you must issue the switchport mode private-vlan {promiscuous | host} command. The promiscuous keyword configures the port to communicate with any secondary VLAN mapped to it. Consequently, devices that should be reachable from every secondary VLAN, such as a router, a firewall, or a default gateway, should be connected to promiscuous ports. By contrast, devices that belong to isolated or community VLANs should be connected to host ports, which are configured with the host keyword. You can configure a primary VLAN by issuing the private-vlan primary command, and you can configure secondary VLANs by issuing the private-vlan {isolated | community} command. Devices connected to a community VLAN can communicate with other devices on the same community VLAN as well as with promiscuous ports on the primary VLAN. However, no device on a community VLAN can communicate with a device connected to an isolated port, and devices in different community VLANs cannot communicate with each other. Ports that belong to an isolated VLAN can communicate only with promiscuous ports. Any traffic received from an isolated port is forwarded only to promiscuous ports; thus isolated ports cannot communicate directly with each other, even when they are in the same isolated VLAN. Reference: Cisco: Configuring Private VLANs: Understanding Private VLANs
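The following Catalyst configuration is an added example, not part of the original explanation, that builds one primary VLAN with a community VLAN and an isolated VLAN, a promiscuous port for the gateway, two community host ports that can reach each other, and one isolated host port that can reach only the gateway. The VLAN numbers and interface names are assumptions.

```cisco
! Private VLANs cannot be propagated by VTP version 1 or 2, so the switch must
! be in transparent mode (or run VTPv3).
vtp mode transparent
!
! Secondary VLANs first, then the primary that associates them.
vlan 201
 private-vlan community
vlan 202
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 201,202
!
! Promiscuous port toward the default gateway: maps the primary VLAN to every
! secondary VLAN so all hosts can reach it.
interface GigabitEthernet1/0/1
 description Default gateway (assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 201,202
!
! Community host ports: these two servers can talk to each other and to Gi1/0/1.
interface GigabitEthernet1/0/2
 description Web server A (community 201)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 201
!
interface GigabitEthernet1/0/3
 description Web server B (community 201)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 201
!
! Isolated host port: reaches only the promiscuous port, never another host,
! even another member of VLAN 202.
interface GigabitEthernet1/0/4
 description Kiosk (isolated 202)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 202
!
! Verify the association and the port roles:
!  show vlan private-vlan
!  show interfaces GigabitEthernet1/0/4 switchport
```

The Layer 2 separation is only as good as the gateway behind the promiscuous port: a router that performs local proxy ARP, or that simply routes between two hosts of the same subnet, will relay traffic between isolated hosts at Layer 3. Disable proxy ARP on the gateway interface and, if needed, add an inbound ACL there that denies traffic whose source and destination are both in the private VLAN's subnet.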
