ccna security

c0achGreece (1 AUGUST 2019) ***********ALL 67 QUESTIONS OF THE TEST*********** 
Q01 Which next-generation encryption algorithm supports four variants?
A. SHA2 
B. SHA1 
C. MD5 
D. HMAC 
Answer: A 
 
Q02 Which type of malicious software can create a back‐door into a device or network?  
A. worm  
B. Trojan  
C. virus  
D. bot  
Answer: B 
 
Q03 Which attack can be prevented by OSPF authentication?  
A. smurf attack  
B. IP spoofing attack  
C. buffer overflow attack  
D. denial of service attack  
Answer: D 
 
Q04 Which SNMPv3 security level provides authentication using HMAC with MD5, but does not use 
encryption?  
A. authNoPriv 
B. noAuthNoPriv 
C. NoauthPriv 
D. authPriv 
Answer: A 
 
Q05 What are two advanced features of the Cisco AMP solution for endpoints? (Choose two)  
A. reflection  
B. foresight  
C. sandboxing  
D. contemplation  
E. reputation  
Answer: CE 
 
Q06 What does the DH group refer to:  
A. length of key hashing 
B. length of key exchange  
C. tunnel lifetime key 
D. length of key for authentication 
E. length of key for encryption 
Answer: B 
 
 
Q07 In which two modes can the Cisco Web Security Appliance be deployed? (Choose two.) 
A. explicit proxy mode 
B. as a transparent proxy using the Secure Sockets Layer protocol 
C. as a transparent proxy using the Hyper Text Transfer Protocol 
D. as a transparent proxy using the Web Cache Communication Protocol 
E. explicit active mode 
Answer: AD 
 
Q08 Which type of mechanism does Cisco FirePOWER deploy to protect against email threats that are 
detected moving across other networks?  
A. reputation‐based 
B. signature‐based 
C. antivirus scanning 
D. policy‐based 
Answer: A 
 
Q09 Which action does standard antivirus software perform as part of the file‐analysis process?  
A. execute the file in a simulated environment to examine its behavior  
B. examine the execution instructions in the file  
C. flag the unexamined file as a potential threat  
D. create a backup copy of the file  
Answer: A 
 
Q10 When you edit an IPS subsignature, what is the effect on the parent signature and the family of 
signatures? 
A. The change applies to the parent signature and the subsignature that you edit. 
B. The change applies to the parent signature and the entire family of subsignatures. 
C. The change applies only to subsignatures that are numbered sequentially after the subsignature 
 that you edit. 
D. Other signatures are unaffected; the change applies only to the subsignature that you edit. 
Answer: D 
 
Q11 Which two ESA services are available for incoming and outgoing mails? (Choose two.) 
A. DLP 
B. reputation filter 
C. content filter 
D. anti-Dos 
E. antispam 
Answer: CE 
 
Q12 Which EAP method uses Protected Access Credentials? 
A. EAP-FAST 
B. EAP-TLS 
C. EAP-PEAP 
D. EAP-GTC 
Answer: A 
 
Q13 You have implemented a dynamic blacklist, using intelligence to block illicit network activity. 
However, the blacklist contains several approved connections that users must access for business 
purposes. Which action can you take to retain the blacklist while allowing users to access the approved 
sites?
A. Disable the dynamic blacklist and create a static blacklist in its place. 
B. Create a whitelist and manually add the approved addresses. 
C. Disable the dynamic blacklist and deny the specific address on a whitelist while permitting the others. 
D. Edit the dynamic blacklist to remove the approved addresses. 
Answer: B 
 
Q14 Which two configurations can prevent VLAN hopping attack from attackers at VLAN 10? (Choose 
two.) 
A. creating VLAN 99 and using switchport trunk native vlan 99 command on trunk ports 
B. enabling BPDU guard on all access ports 
C. using switchport trunk native vlan 10 command on trunk ports 
D. using switchport nonegotiate command on dynamic desirable ports 
E. applying ACL between VLANs 
F. using switchport mode access command on all host ports
Answer: AF 
 
Q15 What is a limitation of network-based IPS? 
A. It is unable to monitor attacks across the entire network. 
B. It is most effective at the individual host level. 
C. It must be individually configured to support every operating system on the network. 
D. Large installations require numerous sensors to fully protect the network. 
Answer: D 
 
Q16 Which statement represents a difference between an access list on an ASA versus an access list 
on a router? 
A. The ASA does not support extended access lists 
B. The ASA does not support number access lists 
C. The ASA does not ever use a wildcard mask 
D. The ASA does not support standard access lists 
Answer: C 
 
Q17 Which three descriptions of RADIUS are true? (Choose three.) 
A. It supports multiple transport protocols. 
B. It uses TCP as its transport protocol. 
C. Only the password is encrypted. 
D. It uses UDP as its transport protocol. 
E. It separates authentication, authorization and accounting. 
F. It combines authentication and authorization. 
Answer: CDF 
 
Q18 Which two models of ASA tend to be used in a data center? (Choose two.) 
A. 5555X 
B. ASA service module 
C. 5585X 
D. 5540 
E. 5520 
F. 5512X 
Answer: BC 
 
Q19 Which statement about interface and global access rules is true? 
A. Interface access rules are processed before global access rules. 
B. The implicit allow is processed after both the global and interface access rules. 
C. If an interface access rule is applied, the global access rule is ignored. 
D. Global access rules apply only to outbound traffic, but interface access rules can be applied in 
either direction. 
Answer: A 
 
Q20 Which security term refers to the likelihood that a weakness will be exploited to cause damage to 
an asset? 
A. threat 
B. vulnerability 
C. risk 
D. countermeasure 
Answer: C 
 
Q21 Which two descriptions of TACACS+ are true? (Choose two.) 
A. It uses TCP as its transport protocol. 
B. It combines authentication and authorization. 
C. Only the password is encrypted. 
D. The TACACS+ header is unencrypted 
E. It uses UDP as its transport protocol. 
Answer: AD 
 
Q22 Which term refers to the electromagnetic interference that can radiate from network cables? 
A. emanations 
B. multimode distortion 
C. Gaussian distributions 
D. Doppler waves 
Answer: A 
 
Q23 Which mitigation technology for web-based threats prevents the removal of confidential data from 
the network? 
A. AMP 
B. DLP 
C. DCA 
D. CTA 
Answer: B 
 
Q24 What are two limitations of the self-zone policies on a zone-based firewall? (Choose two) 
A. They restrict SNMP traffic. 
B. They are unable to implement application inspection. 
C. They are unable to block HTTPS traffic. 
D. They are unable to support HTTPS traffic. 
E. They are unable to perform rate limiting. 
Answer: BE 
 
Q25 What are two default behaviors of the traffic on a zone-based firewall? (Choose two.) 
A. The CBAC rules that are configured on router interfaces apply to zone interfaces. 
B. Communication is blocked between interfaces that are members of the same zone. 
C. Traffic within self zone uses an implicit deny all 
D. All traffic between zones is implicitly blocked. 
E. Communication is allowed between interfaces that are members of the same zone. 
Answer: DE 
 
Q26 Which two statements about Hardware-Based encryption are true? (Choose two.) 
A. It is potentially easier to compromise than software-based encryption. 
B. It can be implemented without impacting performance. 
C. It is widely accessible. 
D. It is highly cost-effective 
E. It requires minimal configuration 
Answer: BD 
 
Q27 Which path do you follow to enable AAA through the SDM? 
A. Configure >Tasks >AAA 
B. Configure > Authentication >AAA 
C. Configure > Additional Authentication > AAA 
D. Configure > Additional Tasks > AAA 
E. Configure > AAA 
Answer: D 
 
Q28 Refer to the exhibit. Which type of NAT is configured on a Cisco ASA? 
 
nat (ins,any) dynamic interface 
 
A. dynamic NAT 
B. source identity NAT 
C. dynamic PAT 
D. identity twiceNAT 
Answer: C 
 
 
Q29 When connecting to an external resource, you must change a source IP address to use one IP 
address from a range of 207.165.201.1 to 207.165.201.30. Which option do you implement? 
A. static destination NAT that uses a subnet as a real destination 
B. dynamic source NAT that uses a range as a mapped source 
C. dynamic Source NAT that uses an IP address as a mapped source 
D. static destination NAT that uses a subnet as a real source
Answer: B 
 
Q30 Refer to the exhibit. What is the effect of the given configuration? 
 
Device #tunnel group 192.x.x.x ipsec-attributes 
Device# pre-shared-key cisco654 
 
A. It establishes the preshared key for the router 
B. It establishes the preshared key for the switch 
C. It establishes the preshared key for the firewall 
D. It establishes the preshared key for the Cisco ISE appliance. 
Answer: C 
 
Q31 In which type of attack does an attacker overwrite an entry in the CAM table to divert traffic 
destined to a legitimate host? 
A. MAC spoofing 
B. ARP spoofing 
C. CAM table overflow 
D. DHCP spoofing 
Answer: A 
 
Q32 What is an advantage of split tunneling? 
A. It allows users with a VPN connection to a corporate network to access the Internet by using the 
VPN for security 
B. It enables the VPN server to filter traffic more efficiently. 
C. It allows users with a VPN connection to a corporate network to access the Internet without 
sending traffic across the corporate network. 
D. It protects traffic on the private network from users on the public network. 
Answer: C 
 
Q33 What does the policy map do in CoPP? 
A. defines the action to be performed 
B. defines packet selection parameters 
C. defines the packet filter 
D. defines service parameters 
Answer: A 
 
Q34 What is the maximum number of methods that a single method list can contain? 
A. 4 
B. 3 
C. 2 
D. 5 
Answer: A 
 
Q35 Which attack involves large numbers of ICMP packets with a spoofed source IP address? 
A. Teardrop attack 
B. smurf attack 
C. Nuke attack 
D. SYN Flood attack 
Answer: B 
 
Q36 Which type of social engineering attack targets top executives? 
A. baiting 
B. vishing 
C. whaling 
D. spear phishing 
Answer: C 
 
Q37 Which command can you enter to verify the statistics of Cisco IOS resilient configuration on a Cisco
router?
A. show binary file 
B. show secure bootset 
C. secure boot-config 
D. secure boot-image 
Answer: B 
 
Q38 What aims to remove the ability to deny an action? 
A. Integrity 
B. Deniability 
C. Accountability 
D. Non-Repudiation 
Answer: D 
 
Q39 You have just deployed SNMPv3 in your environment. Your manager asks you to make sure that
your agents can only talk to the SNMP Manager. 
What would you configure on your SNMP agents to satisfy this request? 
A. Routing Filter with the SNMP managers in it applied outbound 
B. A SNMP View containing the SNMP managers 
C. A standard ACL containing the SNMP managers applied to the SNMP configuration.
D. A SNMP Group containing the SNMP managers 
Answer: D 
 
Q40 Drag and drop each feature that can protect against DHCP attacks from the left onto the correct 
description on the right. 
 
 
Answer: 
 
 
Q41 Which two statements about hardware-based encryption are true? (Choose two.)
A. It is potentially easier to compromise than software-based encryption. 
B. It can be implemented without impacting performance. 
C. It is widely accessible. 
D. It is highly cost effective. 
E. It requires minimal configuration. 
Answer: BD 
 
Q42 Which command do you enter to verify the Phase 1 status of a VPN connection? 
A. debug crypto isakmp 
B. sh crypto session 
C. sh crypto isakmp sa 
D. sh crypto ipsec sa 
Answer: C 
 
Q43 What are two major considerations when choosing between a SPAN and a TAP when 
implementing IPS? (Choose two.) 
A. the amount of bandwidth available 
B. the way in which dropped packets will be handled 
C. the type of analysis the IPS will perform 
D. whether RX and TX signals will use separate ports 
E. the way in which media errors will be handled 
Answer: AB 
 
Q44 Which information can you display by executing the show crypto ipsec sa command? 
A. proxy information for the connection between two peers 
B. IPsec SAs established between two peers 
C. recent changes to the IP address of a peer router 
D. ISAKMP SAs that are established between two peers 
Answer: C 
 
Q45 Which command enables port security to use sticky MAC address on a switch? 
A. switchport port-security 
B. switchport port security mac-address sticky 
C. switchport port-security violation protect 
D. switchport port-security violation restrict 
Answer: B 
 
Q46 When would you configure ip dhcp snooping trust command on a switch? 
A. when the switch is connected to DHCP server. 
B. when the switch is connected to client system.
C. when the switch is serving as an aggregator. 
D. when the switch is working in an edge capacity. 
Answer: A 
 
Q47 Which IDS/IPS state misidentifies acceptable behavior as an attack? 
A. false positive 
B. false negative 
C. true positive 
D. true negative 
Answer: A 
 
Q48 How is management traffic isolated on a Cisco ASR 1002? 
A. Traffic is isolated based upon how you configure routing on the device. 
B. There is no management traffic isolation on a Cisco ASR 1002. 
C. The management interface is configured in a special VRF that provides traffic isolation from the 
default routing table. 
D. Traffic isolation is done on the VLAN level. 
Answer: C 
 
Q49, Q50, Q51, Q52 are the ASA-ASDM Simlet. It was exactly identical to the following. Even the 
answers were the same. (Material below is from Anubis dump): 
SIM 1 
In this simulation, you have access to ASDM only. Review the various ASA configurations 
using ASDM then answer the five multiple choice questions about the ASA SSLVPN 
configurations. To access ASDM, click the ASA icon in the topology diagram. 
Note: Not all ASDM functionalities are enabled in this simulation. To see all the menu options 
available on the left navigation pane, you may also need to un-expand the expanded menu 
first. 
 
 
QUESTION 1 (Q49) 
Which user authentication method is used when a user logs in to the Clientless SSL VPN
portal using
https://209.165.201.2/test ?
A. Both Certificate and AAA with local database. 
B. AAA with RADIUS server. 
C. Both Certificate and AAA with RADIUS server. 
D. AAA with local database. 
E. Certificate. 
Correct Answer: D 
This can be seen from the Connection Profiles Tab of the Remote Access VPN configuration 
where the alias of test is being used. 
 
 
 
QUESTION 2 (Q50) 
When users login to the Clientless SSL VPN using the https://209.165.201.2/test which 
group policy will be applied? 
A. test 
B. Sales 
C. DefaultRAGroup 
D. DefaultWEBVPNGroup 
E. clientless 
F. DFTGrpPolicy 
 
Correct Answer: B 
 
First navigate to the Connection Profiles tab as shown below, highlight the one with the test 
alias: 
 
Then hit the “edit” button and you can clearly see the Sales Group Policy being applied: 
 
 
QUESTION 3 (Q51) 
Which two statements regarding the ASA VPN configurations are correct? (Choose two) 
A. The Inside-SRV bookmark has not been applied to the Sales group policy. 
B. The ASA has a certificate issued by an external Certificate Authority associated to 
 the ASDM_Trustpoint1. 
C. The Inside-SRV bookmark references the https://10.x.x.x URL. 
D. Anyconnect, IPsec IKEv1 and IPsec IKEv2 VPN access is enabled on the outside interface. 
E. Only Clientless SSL VPN access is allowed with the Sales group Policy.
F. The DefaultWEBVPNGroup Connection Profile is using the AAA with Radius 
 server method. 
Correct Answer: EF 
For answer F: 
 
Not C, Navigate to the Bookmarks tab: 
 
Then hit “edit” and you will see this: 
 
It’s http://192.168.1.2 not the https://10.x.x.x 
 
NOTE: In another dump there is an Answer with 192.168.1.2 IP. In that case that is the right 
option. 
 
Not B, as this ASDM_TrustPoint1 is listed under the Identity Certificates, not the CA
certificates:
 
Not D: 
 
QUESTION 4 (Q52) 
Which four tunneling protocols are enabled in the DfltGrpPolicy group policy? (Choose 
four) 
A. IPsec IKEv1 
B. IPsec IKEv2 
C. L2TP/IPsec 
D. Clientless SSL VPN 
E. SSL VPN Client 
F. PPTP 
Correct Answer: ABCD 
By clicking on the Configuration -> Remote Access -> Clientless SSL VPN Access ->
Group Policies
tab you can view the DfltGrpPolicy protocols as shown below:
 
 
Q53 There are two versions of IKE: IKEv1 and IKEv2. Both IKEv1 and IKEv2 protocols operate in phases.
IKEv1 operates in two phases. IKEv2 operates in how many phases?
A. 2 
B. 3 
C. 4 
D. 5 
Answer: A 
 
Q54 Which command successfully creates an administrative user with a password of "cisco" on a 
Cisco router? 
A. username Operator privilege 7 password Cisco 
B. username Operator privilege 1 password Cisco 
C. username Operator privilege 15 password Cisco 
D. username Operator password cisco privilege 15 
Answer: C 
 
Q55 Which IPS detection method examines network traffic for preconfigured patterns? 
A. signature-based detection 
B. policy-based detection 
C. anomaly-based detection 
D. honey-pot detection 
Answer: A 
 
Q56 What is the main purpose of Control Plane Policing? 
A. to prevent exhaustion of route-processor resources. 
B. to define traffic classes. 
C. to organize the egress packet queues. 
D. to maintain the policy map. 
Answer: B 
 
Q57 What action must you take on the ISE to blacklist a wired device? 
A. Issue a COA request for the device’s MAC address to each access switch in the network. 
B. Add the device’s MAC address to a list of blacklisted devices.
C. Locate the switch through which the device is connected and push an ACL restricting all access by 
the device. 
D. Revoke the device’s certificate so it is unable to authenticate to the network. 
Answer: B 
 
Q58 Which term is most closely aligned with the basic purpose of a SIEM solution? 
A. Causality 
B. Accountability 
C. Non-Repudiation 
D. Repudiation 
Answer: B 
 
Q59 Which statement about the native VLAN is true? 
A. It is the Cisco-recommended VLAN for user traffic. 
B. It is most secure when it is assigned to VLAN1. 
C. It is susceptible to VLAN hopping attacks. 
D. It is the Cisco recommended VLAN for switch-management traffic. 
Answer: C 
 
Q60 How does the 802.1x supplicant communicate with the authentication server? 
A. The supplicant creates EAP packets and sends them to the authenticator, which translates them 
into RADIUS and forwards them to the authentication server. 
B. The supplicant creates EAP packets and sends them to the authenticator, which encapsulates them 
into RADIUS and forwards them to the authentication server. 
C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates 
them into EAP and forwards them to the authentication server. 
D. The supplicant creates RADIUS packets and sends them to the authenticator, which encapsulates 
them into EAP and forwards them to the authentication server. 
Answer: B 
 
Q61 Drag and drop the steps to configure a WSA from the left into the correct order on the right. 
 
Answer: 
 
 
Q62 Which IKE phase 1 parameter can you use to require the site-to-site VPN to use a pre-shared 
key? 
A. group 
B. hash 
C. authentication 
D. encryption 
Answer: C 
 
Q63 How can you prevent NAT rules from sending traffic to incorrect interfaces? 
A. Configure twice NAT instead of object NAT. 
B. Add the no-proxy-arp command to the nat line. 
C. Assign the output interface in the NAT statement. 
D. Use packet-tracer rules to reroute misrouted NAT entries. 
Answer: B 
 
Q64 What is the minimum Cisco IOS version that supports zone-based firewalls? 
A. 12.4(6)T 
B. 15.1 
C. 15.0 
D. 12.1T 
Answer: A 
 
Q65 Which type of firewall can perform deep packet inspection? 
A. stateless firewall 
B. packet-filtering firewall 
C. application firewall 
D. personal firewall 
Answer: B 
 
Q66 What is the best definition of hairpinning? 
A. traffic that enters and exits a device through the same interface 
B. traffic that tunnels through a device interface 
C. traffic that enters one interface on a device and that exits through another interface 
D. ingress traffic that traverses the outbound interface on a device 
Answer: A 
 
Q67 What are two features of transparent firewall mode? (Choose two.) 
A. It allows some traffic that is blocked in routed mode. 
B. It conceals the presence of the firewall from attackers. 
C. It is configured by default. 
D. It acts as a router hop in the network. 
E. It enables the ASA to perform as a router.
Answer: AB
