Baixe o app para aproveitar ainda mais
Prévia do material em texto
c0achGreece (1 AUGUST 2019) ***********ALL 67 QUESTIONS OF THE TEST*********** Q01 Which next-generation encryption algorithms support four variants? A. SHA2 B. SHA1 C. MD5 D. HMAC Answer: A Q02 Which type of malicious software can create a back‐door into a device or network? A. worm B. Trojan C. virus D. bot Answer: B Q03 Which attack can be prevented by OSPF authentication? A. smurf attack B. IP spoofing attack C. buffer overflow attack D. denial of service attack Answer: D Q04 Which SNMPv3 security level provides authentication using HMAC with MD5, but does not use encryption? A. authNoPriv B. noAuthNoPriv C. NoauthPriv D. authPriv Answer: A Q05 What are two advanced features of the Cisco AMP solution for endpoints? (Choose two) A. reflection B. foresight C. sandboxing D. contemplation E. reputation Answer: CE Q06 What does the DH group refer to: A. length of key hashing B. length of key exchange C. tunnel lifetime key D. length of key for authentication E. length of key for encryption Answer: B Q07 In which two modes can the Cisco Web Security Appliance be deployed? (Choose two.) A. explicit proxy mode B. as a transparent proxy using the Secure Sockets Layer protocol C. as a transparent proxy using the Hyper Text Transfer Protocol D. as a transparent proxy using the Web Cache Communication Protocol E. explicit active mode Answer: AD Q08 Which type of mechanism does Cisco FirePOWER deploy to protect against email threats that are detected moving across other networks? A. reputation‐based B. signature‐based C. antivirus scanning D. policy‐based Answer: A Q09 Which action does standard antivirus software perform as part of the file‐analysis process? A. execute the file in a simulated environment to examine its behavior B. examine the execution instructions in the file C. flag the unexamined file as a potential threat D. create a backup copy of the file Answer: A Q10 When you edit an IPS subsignature, what is the effect on the parent signature and the family of signatures? A. The change applies to the parent signature and the subsignature that you edit. B. The change applies to the parent signature and the entire family of subsignatures. C. The change applies only to subsignatures that are numbered sequentially after the subsignature that you edit. D. Other signatures are unaffected; the change applies only to the subsignature that you edit. Answer: D Q11 Which two ESA services are available for incoming and outgoing mails? (Choose two.) A. DLP B. reputation filter C. content filter D. anti-Dos E. antispam Answer: CE Q12 Which EAP method uses Protected Access Credentials? A. EAP-FAST B. EAP-TLS C. EAP-PEAP D. EAP-GTC Answer: A Q13 You have implemented a dynamic blacklist, using intelligence to block illicit network activity. However, the blacklist contains several approved connections that users must access for business purposes. Which action can you take to retain the blacklist while allowing users to access the approved sites? A. Disable the dynamic blacklist and create a static blacklist in its place. B. Create a whitelist and manually add the approved addresses. C. Disable the dynamic blacklist and deny the specific address on a whitelist while permitting the others. D. Edit the dynamic blacklist to remove the approved addresses. Answer: B Q14 Which two configurations can prevent VLAN hopping attack from attackers at VLAN 10? (Choose two.) A. creating VLAN 99 and using switchport trunk native vlan 99 command on trunk ports B. enabling BPDU guard on all access ports C. using switchport trunk native vlan 10 command on trunk ports D. using switchport nonegotiate command on dynamic desirable ports E. applying ACL between VLANs F: using switchport mode access command on all host ports Answer: AF Q15 What is a limitation of network-based IPS? A. It is unable to monitor attacks across the entire network. B. It is most effective at the individual host level. C. It must be individually configured to support every operating system on the network. D. Large installations require numerous sensors to fully protect the network. Answer: D Q16 Which statement represents a difference between an access list on an ASA versus an access list on a router? A. The ASA does not support extended access lists B. The ASA does not support number access lists C. The ASA does not ever use a wildcard mask D. The ASA does not support standard access lists Answer: C Q17 Which three descriptions of RADIUS are true? (Choose three.) A. It supports multiple transport protocols. B. It uses TCP as its transport protocol. C. Only the password is encrypted. D. It uses UDP as its transport protocol. E. It separates authentication, authorization and accounting. F. It combines authentication and authorization. Answer: CDF Q18 Which two models of ASA tend to be used in a data center? (Choose two.) A. 5555X B. ASA service module C. 5585X D. 5540 E. 5520 F. 5512X Answer: BC Q19 Which statement about interface and global access rules is true? A. Interface access rules are processed before global access rules. B. The implicit allow is processed after both the global and interface access rules. C. If an interface access rule is applied, the global access rule is ignored. D. Global access rules apply only to outbound traffic, but interface access rules can be applied in either direction. Answer: A Q20 Which security term refers to the likelihood that a weakness will be exploited to cause damage to an asset? A. threat B. vulnerability C. risk D. countermeasure Answer: C Q21 Which two descriptions of TACACS+ are true? (Choose two.) A. It uses TCP as its transport protocol. B. It combines authentication and authorization. C. Only the password is encrypted. D. The TACACS+ header is unencrypted E. It uses UDP as its transport protocol. Answer: AD Q22 Which term refers to the electromagnetic interference that can radiate from network cables? A. emanations B. multimode distortion C. Gaussian distributions D. Doppler waves Answer: A Q23 Which mitigation technology for web-based threats prevents the removal of confidential data from the network? A. AMP B. DLP C. DCA D. CTA Answer: B Q24 What are two limitations of the self-zone policies on a zone-based firewall? (Choose two) A. They restrict SNMP traffic. B. They are unable to implement application inspection. C. They are unable to block HTTPS traffic. D. They are unable to support HTTPS traffic. E. They are unable to perform rate limiting. Answer: BE Q25 What are two default behaviors of the traffic on a zone-based firewall? (Choose two.) A. The CBAC rules that are configured on router interfaces apply to zone interfaces. B. Communication is blocked between interfaces that are members of the same zone. C. Traffic within self zone uses an implicit deny all D. All traffic between zones is implicitly blocked. E. Communication is allowed between interfaces that are members of the same zone. Answer: DE Q26 Which two statements about Hardware-Based encryption are true? (Choose two.) A. It is potentially easier to compromise than software-based encryption. B. It can be implemented without impacting performance. C. It is widely accessible. D. It is highly cost-effective E. It requires minimal configuration Answer: BD Q27 Which path do you follow to enable AAA through the SDM? A. Configure >Tasks >AAA B. Configure > Authentication >AAA C. Configure > Additional Authentication > AAA D. Configure > Additional Tasks > AAA E. Configure > AAA Answer: D Q28 Refer to the exhibit. Which type of NAT is configured on a Cisco ASA? nat (ins,any) dynamic interface A. dynamic NAT B. source identity NAT C. dynamic PAT D. identity twiceNAT Answer: C Q29 When connecting to an external resource, you must change a source IP address to use one IP address from a range of 207.165.201.1 to 207.165.201.30. Which option do you implement? A. static destination NAT that uses a subnet as a real destination B. dynamic source NAT that uses a range as a mapped source C. dynamic Source NAT that uses an IP address as a mapped source D .static destination NAT that uses a subnet as a real source Answer: B Q30 Refer to the exhibit. What is the effect of the given configuration? Device #tunnel group 192.x.x.x ipsec-attributes Device# pre-shared-key cisco654 A. It establishes the preshared key for the router B. It establishes the preshared key for the switch C. It establishes the preshared key for the firewall D. It establishes the preshared key for the Cisco ISE appliance. Answer: C Q31 In which type of attack does an attacker overwrite an entry in the CAM table to divert traffic destined to a legitimate host? A. MAC spoofing B. ARP spoofing C. CAM table overflow D. DHCP spoofing Answer: A Q32 What is an advantage of split tunneling? A. It allows users with a VPN connection to a corporate network to access the Internet by using the VPN for security B. It enables the VPN server to filter traffic more efficiently. C. It allows users with a VPN connection to a corporate network to access the Internet without sending traffic across the corporate network. D. It protects traffic on the private network from users on the public network. Answer: C Q33 What does the policy map do in CoPP? A. defines the action to be performed B. defines packet selection parameters C. defines the packet filter D. defines service parameters Answer: A Q34 What is the maximum number of methods that a single method list can contain? A. 4 B. 3 C. 2 D. 5 Answer: A Q35 Which attack involves large numbers of ICMP packets with a spoofed source IP address? A. Teardrop attack B. smurf attack C. Nuke attack D. SYN Flood attack Answer: B Q36 Which type of social engineering attack targets top executives? A. baiting B. vishing C. whaling D. spear phishing Answer: C Q37 Which command can you enter to verify the statistics of cisco IOS resilient configuration on cisco router? A. show binary file B. show secure bootset C. secure boot-config D. secure boot-image Answer: B Q38 What aims to remove the ability to deny an action? A. Integrity B. Deniability C. Accountability D. Non-Repudiation Answer: D Q39 You have just deployed SNMPv3 in your environment. Your manager asks you make sure that your agents can only talk to the SNMP Manager. What would you configure on your SNMP agents to satisfy this request? A. Routing Filter with the SNMP managers in it applied outbound B. A SNMP View containing the SNMP managers C. A standard ACL containing the SNMP managers applied to the SNMMP configuration. D. A SNMP Group containing the SNMP managers Answer: D Q40 Drag and drop each feature that can protect against DHCP attacks from the left onto the correct description on the right. Answer: Q41 Which two statements are correct about hardware-based encryption are true? (Choose two.) A. It is potentially easier to compromise than software-based encryption. B. It can be implemented without impacting performance. C. It is widely accessible. D. It is highly cost effective. E. It requires minimal configuration. Answer: BD Q42 Which command do you enter to verify the Phase 1 status of a VPN connection? A. debug crypto isakmp B. sh crypto session C. sh crypto isakmp sa D. sh crypto ipsec sa Answer: C Q43 What are two major considerations when choosing between a SPAN and a TAP when implementing IPS? (Choose two.) A. the amount of bandwidth available B. the way in which dropped packets will be handled C. the type of analysis the IPS will perform D. whether RX and TX signals will use separate ports E. the way in which media errors will be handled Answer: AB Q44 Which information can you display by executing the show crypto ipsec sa command? A. proxy information for the connection between two peers B. IPsec SAs established between two peers C. recent changes to the IP address of a peer router D. ISAKMP SAs that are established between two peers Answer: C Q45 Which command enables port security to use sticky MAC address on a switch? A. switchport port-security B. switchport port security mac-address sticky C. switchport port-security violation protect D. switchport port-security violation restrict Answer: B Q46 When would you configure ip dhcp snooping trust command on a switch? A. when the switch is connected to DHCP server. B when the switch is connected to client system. C. when the switch is serving as an aggregator. D. when the switch is working in an edge capacity. Answer: A Q47 Which IDS/IPS state misidentifies acceptable behavior as an attack? A. false positive B. false negative C. true positive D. true negative Answer: A Q48 How is management traffic isolated on a Cisco ASR 1002? A. Traffic is isolated based upon how you configure routing on the device. B. There is no management traffic isolation on a Cisco ASR 1002. C. The management interface is configured in a special VRF that provides traffic isolation from the default routing table. D. Traffic isolation is done on the VLAN level. Answer: C Q49, Q50, Q51, Q52 are the ASA-ASDM Simlet. It was exactly identical to the following. Even the answers were the same. (Material below is from Anubis dump): SIM 1 In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations. To access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are enabled in this simulation. To see all the menu options available on the left navigation pane, you may also need to un-expand the expanded menu first. QUESTION 1 (Q49) Which user authentication method is used when user login to the Clientless SSL VPN portal using https://209.165.201.2/test ? A. Both Certificate and AAA with local database. B. AAA with RADIUS server. C. Both Certificate and AAA with RADIUS server. D. AAA with local database. E. Certificate. Correct Answer: D This can be seen from the Connection Profiles Tab of the Remote Access VPN configuration where the alias of test is being used. QUESTION 2 (Q50) When users login to the Clientless SSL VPN using the https://209.165.201.2/test which group policy will be applied? A. test B. Sales C. DefaultRAGroup D. DefaultWEBVPNGroup E. clientless F. DFTGrpPolicy Correct Answer: B First navigate to the Connection Profiles tab as shown below, highlight the one with the test alias: Then hit the “edit” button and you can clearly see the Sales Group Policy being applied: QUESTION 3 (Q51) Which two statements regarding the ASA VPN configurations are correct? (Choose two) A. The Inside-SRV bookmark has not been applied to the Sales group policy. B. The ASA has a certificate issued by an external Certificate Authority associated to the ASDM_Trustpoint1. C. The Inside-SRV bookmark references the https://10.x.x.x URL. D. Anyconnect, IPsec IKEv1 and IPsec IKEv2 VPN access is enabled on the outside interface. E. Only Clientless SSL VPN VPN access is allowed with the Sales group Policy. F. The DefaultWEBVPNGroup Connection Profile is using the AAA with Radius server method. Correct Answer: EF For answer F: Not C, Navigate to the Bookmarks tab: Then hit “edit” and you will see this: It’s http://192.168.1.2 not the https://10.x.x.x NOTE: In another dump there is an Answer with 192.168.1.2 IP. In that case that is the right option. Not B, as this ASDM_TrustPoint1 is listed under the Identitiy Certificates,not the CA cetificates: Not D: QUESTION 4 (Q52) Which four tunneling protocols are enabled in the DfltGrpPolicy group policy? (Choose four) A. IPsec IKEv1 B. IPsec IKEv2 C. L2TP/IPsec D. Clientless SSL VPN E. SSL VPN Client F. PPTP Correct Answer: ABCD By clicking one the Configuration -> Remote Access -> Clientless CCL VPN Access -> Group Policies tab you can view the DfltGrpPolicy protocols as shown below: Q53 There are two versions of IKEv1 and IKEv2. Both IKEv1 and IKEv2 protocol operate in phases. IKEv1 operate in two phases. IKEv2 operates in how many phases? A. 2 B. 3 C. 4 D. 5 Answer: A Q54 Which command successfully creates an administrative user with a password of "cisco" on a Cisco router? A. username Operator privilege 7 password Cisco B. username Operator privilege 1 password Cisco C. username Operator privilege 15 password Cisco D. username Operator password cisco privilege 15 Answer: C Q55 Which IPS detection method examines network traffic for preconfigured patterns? A. signature-based detection B. policy-based detection C. anomaly-based detection D. honey-pot detection Answer: A Q56 What is the main purpose of Control Plane Policing? A. to prevent exhaustion of route-processor resources. B. to define traffic classes. C. to organize the egress packet queues. D. to maintain the policy map. Answer: B Q57 What action must you take on the ISE to blacklist a wired device? A. Issue a COA request for the device’s MAC address to each access switch in the network. B. Add the devices MAC address to a list of blacklisted devices. C. Locate the switch through which the device is connected and push an ACL restricting all access by the device. D. Revoke the device’s certificate so it is unable to authenticate to the network. Answer: B Q58 Which term is most closely aligned with the basic purpose of a SIEM solution? A. Causality B. Accountability C. Non-Repudiation D. Repudiation Answer: B Q59 Which statement about the native VLAN is true? A. It is the Cisco-recommended VLAN for user traffic. B. It is most secure when it is assigned to VLAN1. C. It is susceptible to VLAN hopping attacks. D. It is the Cisco recommended VLAN for switch-management traffic. Answer: C Q60 How does the 802.1x supplicant communicate with the authentication server? A. The supplicant creates EAP packets and sends them to the authenticator, which translates them into RADIUS and forwards them to the authentication server. B. The supplicant creates EAP packets and sends them to the authenticator, which encapsulates them into RADIUS and forwards them to the authentication server. C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates them into EAP and forwards them to the authentication server. D. The supplicant creates RADIUS packets and sends them to the authenticator, which encapsulates them into EAP and forwards them to the authentication server. Answer: B Q61 Drag and drop the steps to configure a WSA from the left into the correct order on the right. Answer: Q62 Which IKE phase 1 parameter can you use to require the site-to-site VPN to use a pre-shared key? A. group B. hash C. authentication D. encryption Answer: C Q63 How can you prevent NAT rules from sending traffic to incorrect interfaces? A. Configure twice NAT instead of object NAT. B. Add the no-proxy-arp command to the nat line. C. Assign the output interface in the NAT statement. D. Use packet-tracer rules to reroute misrouted NAT entries. Answer: B Q64 What is the minimum Cisco IOS version that supports zone-based firewalls? A. 12.4(6)T B. 15.1 C. 15.0 D. 12.1T Answer: A Q65 Which type of firewall can perform deep packet inspection? A. stateless firewall B. packet-filtering firewall C. application firewall D. personal firewall Answer: B Q66 What is the best definition of hairpinning? A. traffic that enters and exits a device through the same interface B. traffic that tunnels through a device interface C. traffic that enters one interface on a device and that exits through another interface D. ingress traffic that traverses the outbound interface on a device Answer: A Q67 What are two features of transparent firewall mode? (Choose two.) A. It allows some traffic that is blocked in routed mode. B. It conceals the presence of the firewall from attackers. C. It is configured by default. D. It acts as a router hop in the network. E. It enables the ASA perform as a router. Answer: AB
Compartilhar