Help
Options
Didn't know it?
click below
click below
Knew it?
click below
click below
Don't Know
Remaining cards (0)
Know
retry
shuffle
restart
0:00
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
CCNAS V2.0 FINAL
Hit the Stacks hard
| Question | Answer |
|---|---|
| hacker on the outside network sends an IP packet with source address 172.30.1.50, des address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS fir with the packet? | The packet is dropped. |
| To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface? | echo reply |
| Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table? | ipv6 traffic-filter ENG_ACL in |
| Which statement describes a typical security policy for a DMZ firewall configuration? | Traffic that originates from the DMZ interface is selectively permitted to the outside interface. |
| Refer to the exhibit. Which statement describes the function of the ACEs? | These ACEs allow for IPv6 neighbor discovery traffic. |
| When an inbound Internet-traffic ACL is being implemented, what should be included to prevent the spoofing of internal networks? | ACEs to prevent traffic from private address spaces |
| In addition to the criteria used by extended ACLs, what conditions are used by a classic firewall to filter traffic? | application layer protocol session information |
| A router has been configured as a classic firewall and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table? | A dynamic ACL entry is added to the external interface in the inbound direction. |
| If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice? | permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap |
| Interface Serial0/0/0 connects to the ISP, GigabitEthernet0/0 connects to the DMZ, and GigabitEthernet/01 connects to the internal private network. Which type of traffic would receive the least amount of inspection (have the most freedom of travel)? | traffic that is going from the private network to the DMZ |
| Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.) | SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed. Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked. |
| Which two actions are taken if the access list is placed inbound on a router Gigabit Ethernet port that has the IP address 192.168.10.254 assigned? (Choose two.) | A Telnet or SSH session is allowed from any device on the 192.168.10.0 into the router with this access list assigned. Devices on the 192.168.10.0/24 network are not allowed to ping other devices on the 192.168.11.0 network. |
| What is one benefit of using a stateful firewall instead of a proxy server? | better performance |
| What is one limitation of a stateful firewall? | not as effective with UDP- or ICMP-based traffic |
| When a Cisco IOS Zone-Based Policy Firewall is being configured via CLI, which step must be taken after zones have been created? | Establish policies between zones. |
| A network administrator is implementing a Classic Firewall and a Zone-Based Firewall concurrently on a router. Which statement best describes this implementation? | The two models cannot be implemented on a single interface. |
| Which two rules about interfaces are valid when implementing a Zone-Based Policy Firewall? (Choose two.) | If both interfaces are members of the same zone, all traffic will be passed. If neither interface is a zone member, then the action is to pass traffic. |
| Which command will verify a Zone-Based Policy Firewall configuration? | show running-config |
| Refer to the exhibit. The network "A" contains multiple corporate servers that are accessed by hosts from the Internet for information about the corporation. What term is used to describe the network marked as "A"? | DMZ |
| Which type of packet is unable to be filtered by an outbound ACL? | router-generated packet |
| When a Cisco IOS Zone-Based Policy Firewall is being configured, which two actions can be applied to a traffic class? (Choose two.) | drop inspect |
| A firewall monitors the state of connections as network traffic flows into and out of the organization. | A stateful firewall tracks packets as they leave the organization, inspecting and allowing return packets as they return to the originating device. |
| The action in a Cisco IOS Zone- Based Policy Firewall is similar to a permit statement in an ACL. | pass |
| What is a disadvantage of a pattern-based detection mechanism? | It cannot detect unknown attacks. |
| What is a required condition to enable IPS activity reporting using the SDEE format? | Enable an HTTP or HTTPS service on the router. |
| A network administrator is configuring an IOS IPS with the command R1(config)# ip ips signature-definition Which configuration task can be achieved with this command? | Retire or unretire an individual signature |
| Refer to the exhibit. What is the result of issuing the Cisco IOS IPS commands on route | All traffic that is permitted by the ACL is subject to inspection by the IPS. |
| What information must an IPS track in order to detect attacks matching a composite signature? | the state of packets related to the attack |
| Refer to the exhibit. Based on the configuration, which traffic will be examined by the IP that is configured on router R1? | no traffic will be inspected |
| Which type of IPS signature detection is used to distract and confuse attackers? | honeypot-based detection |
| to prepare for IPS and VPN features, a network administra opens the file realm-cisco.pub.key.txt, and copies and pastes the contents to the router the global configuration prompt. What is the result after this configuration step? | A crypto key is created for IOS IPS to verify the master signature file. |
| What are two disadvantages of using an IDS? (Choose two.) | The IDS does not stop malicious traffic. The IDS requires other devices to respond to attacks. |
| What are two drawbacks to using HIPS? (Choose two.) | HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network. With HIPS, the network administrator must verify support for all the different operating systems used in the network. |
| A system analyst is configuring and tuning a recently deployed IPS appliance. By exam the IPS alarm log, the analyst notices that the IPS does not generate alarms for a few k attack packets. Which term describes the lack of alarms by the IPS? | false negative |
| What are two shared characteristics of the IDS and the IPS? (Choose two.) | Both use signatures to detect malicious traffic. Both are deployed as sensors. |
| What is a disadvantage of network-based IPS as compared to host-based IPS? | Network-based IPS cannot examine encrypted traffic. |
| Refer to the exhibit. A network administrator enters the command on a Cisco IOS IPS route What is the effect? | Alert messages are sent in syslog format. |
| Which two benefits does the IPS version 5.x signature format provide over the version 4 signature format? (Choose two.) | addition of a signature risk rating support for encrypted signature parameters |
| What is the purpose in configuring an IOS IPS crypto key when enabling IOS IPS on a C router? | to verify the digital signature for the master signature file |
| will generate an alert when an attack is detected. Alerts for the subsequent detection of the same attack are suppressed for a p defined period of time. Another alert will be generated at the end of the period indicating number of the attack detected. | summary alert |
| True or False? A Cisco IDS does not affect the flow of traffic when it operates in promiscuous mode. | true |
| Refer to the exhibit. Which statement best describes how incoming traffic on serial 0/0 is handled? | Traffic matching ACL 100 will be scanned and reported. |
| Refer to the exhibit. Based on the IPS configuration provided, which conclusion can be drawn? | Only the signatures in the ios_ips basic category will be compiled into memory and used by the IPS. |
| of the ip ips notify sdee command caused performance degradation on the Cisco IOS IPS router. The network administrato enters the ip sdee events 50 command in an attempt to remedy the performance issue What is the immediate effect of this command? | All events that were stored in the previous buffer are lost. |
| Which statement is true about an atomic alert that is generated by an IPS? | It is an alert that is generated every time a specific signature has been found. |
| An IPS sensor has detected the string confidential across multiple packets in a TCP session. Which type of signature trigger and signature type does this describe? | Type: Atomic signature Trigger: Pattern-based detection Type: Composite signature |
| Which STP stability mechanism is used to prevent a rogue switch from becoming the root switch? | root guard |
| Which feature is part of the Antimalware Protection security solution? | file retrospection |
| Which two functions are provided by Network Admission Control? (Choose two.) | enforcing network security policy for hosts that connect to the network ensuring that only authenticated hosts can access the network |
| What two mechanisms are used by Dynamic ARP inspection to validate ARP packets fo addresses that are dynamically assigned or IP addresses that are static? (Choose two.) | ARP ACLs MAC-address-to-IP-address bindings |
| Which three functions are provided under Cisco NAC framework solution? (Choose thre | remediation for noncompliant devices AAA services scanning for policy compliance |
| What additional security measure must be enabled along with IP Source Guard to prote against address spoofing? | DHCP snooping |
| What are three techniques for mitigating VLAN hopping attacks? (Choose three.) | Disable DTP. Set the native VLAN to an unused VLAN. Enable trunking manually. |
| What is the role of the Cisco NAC Server within the Cisco Secure Borderless Network Architecture? | assessing and enforcing security policy compliance in the NAC environment |
| What protocol should be disabled to help mitigate VLAN hopping attacks? | DTP |
| Two devices that are connected to the same switch need to be totally isolated from one another. Which Cisco switch security feature will provide this isolation? | PVLAN Edge |
| What is the behavior of a switch as a result of a successful CAM table attack? | The switch will forward all received frames to all other ports. |
| What network attack seeks to create a DoS for clients by preventing them from being ab obtain a DHCP lease? | DHCP starvation |
| What is the role of the Cisco NAC Guest Server within the Cisco Borderless Network architecture? | It provides the ability for creation and reporting of guest accounts. |
| In what situation would a network administrator most likely implement root guard? | on all switch ports that connect to another switch that is not the root bridge |
| is a mitigation technique to prevent rogue DHCP servers from providing fa configuration parameters. | snooping |
| Which spanning-tree enhancement prevents the spanning-tree topology from changing blocking a port that receives a superior BPDU? | root guard |
| What is the only type of port that an isolated port can forward traffic to on a private VLAN | a promiscuous port |
| switchport port-security mac-address 0023.189d.6456 command and a workstation been connected. What could be the reason that the Fa0/2 interface is shutdown? | The MAC address of PC1 that connects to the Fa0/2 interface is not the configured MAC address. |
| How can a user connect to the Cisco Cloud Web Security service directly? | by using a proxy autoconfiguration file in the end device |
| What is the role of the Cisco NAC Manager in implementing a secure networking infrastructure? | to define role-based user access and endpoint security policies |
| Which security feature should be enabled in order to prevent an attacker from overflowin the MAC address table of a switch? | port security |
| What security countermeasure is effective for preventing CAM table overflow attacks? | port security |
| What component of Cisco NAC is responsible for performing deep inspection of device security profiles? | Cisco NAC Agent |
| What security benefit is gained from enabling BPDU guard on PortFast enabled interfac | preventing rogue switches from being added to the network |
| What is the focus of cryptanalysis? | breaking encrypted codes |
| How many bits does the Data Encryption Standard (DES) use for data encryption? | 56 bits |
| Which statement describes the Software-Optimized Encryption Algorithm (SEAL)? | SEAL is a stream cipher. |
| Which encryption algorithm is an asymmetric algorithm? | DH |
| An online retailer needs a service to support the nonrepudiation of the transaction. Which component is used for this service? | the digital signatures |
| In which situation is an asymmetric key algorithm used? | A network administrator connects to a Cisco router with SSH. |
| What is the purpose of a nonrepudiation service in secure communications? | to ensure that the source of the communications is confirmed |
| Which objective of secure communications is achieved by encrypting data? | confidentiality |
| Why is the 3DES algorithm often preferred over the AES algorithm? | 3DES is more trusted because it has been proven secure for a longer period than AES. |
| What is the most common use of the Diffie-Helman algorithm in communications security? | to secure the exchange of keys used to encrypt data |
| Which type of encryption algorithm uses public and private keys to provide authentication, integrity, and confidentiality? | asymmetric |
| How do modern cryptographers defend against brute-force attacks? | Use a keyspace large enough that it takes too much money and too much time to conduct a successful attack. |
| Which encryption protocol provides network layer confidentiality? | IPsec protocol suite |
| Refer to the exhibit. Which encryption algorithm is described in the exhibit? | 3DES |
| Which statement describes asymmetric encryption algorithms? | They are relatively slow because they are based on difficult computational algorithms. |
| Which two non-secret numbers are initially agreed upon when the Diffie-Hellman algorithm is used? (Choose two.) | generator prime modulus |
| In what situation would an asymmetric algorithm most likely be used? | making an online purchase |
| Why is asymmetric algorithm key management simpler than symmetric algorithm key management? | One of the keys can be made public. |
| What is the purpose of code signing? | integrity of source .EXE files |
| Which algorithm can ensure data confidentiality? | AES |
| What is the purpose of a digital certificate? | It authenticates a website and establishes a secure connection to |
| A shared secret is a key used in a encryption algorithm. | symmetric |
| Refer to the exhib will traffic that does not match that defined by access list 101 be treated by the router? | It will be sent unencrypted. |
| What three protocols must be permitted through the company firewall for establishment IPsec site-to-site VPNs? (Choose three.) | AH ISAKMP ESP |
| Which statement describes the effect of key length in deterring an attacker from hacking through an encryption key? | The longer the key, the more key possibilities exist. |
| What is the purpose of configuring multiple crypto ACLs when building a VPN connection between remote sites? | When multiple combinations of IPsec protection are being chosen, multiple crypto ACLs can define different traffic types. |
| Consider the following configuration on a Cisco ASA: crypto ipsec transform-set ESP-DES-SHA espdes esp-sha-hmac What is the purpose of this command? | to define the encryption and integrity algorithms that are |
| Which transform set provides the best protection? | crypto ipsec transform-set ESP-DES-SHA esp-aes-256 espsha- hmac |
| Which three ports must be open to verify that an IPsec VPN tunnel is operating properly? (Choose three.) | 51 50 500 |
| When is a security association (SA) created if an IPsec VPN tunnel is used to connect between two sites? | during both Phase 1 and 2 |
| In which situation would the Cisco Discovery Protocol be disabled? | when a PC with Cisco IP Communicator installed connects to a Cisco switch |
| Which two statements accurately describe characteristics of IPsec? (Choose two.) | IPsec works at the network layer and operates over all IPsec is a framework of open standards that relies on |
| Which action do IPsec peers take during the IKE Phase 2 exchange? | negotiation of IPsec policy |
| Which three statements describe the IPsec protocol framework? (Choose three.) | ESP provides encryption, authentication, and integrity. AH provides integrity and authentication. AH uses IP protocol 51 |
| Which statement accurately describes a characteristic of IPsec? | IPsec is a framework of open standards that relies on existing algorithms. |
| Which two IPsec protocols are used to provide data integrity? | SHA MD5 |
| What is the function of the Diffie-Hellman algorithm within the IPsec framework? | allows peers to exchange shared keys |
| Refer to the exhibit. What HMAC algorithm is being used to provide data integrity? | SHA |
| What is needed to define interesting traffic in the creation of an IPsec tunnel? | access list |
| Refer to the exhibit. What algorithm will be used for providing confidentiality? | AES |
| Which technique is necessary to ensure a private transfer of data using a VPN? | encryption |
| Which statement describes a VPN? | VPNs use virtual connections to create a private network through a public network. |
| Which protocol provides authentication, integrity, and confidentiality services and is a type of VPN? | IPsec |
| What is the purpose of NAT-T? | permits VPN to work when NAT is being used on one or both ends of the VPN |
| Which term describes a situation where VPN traffic that is is received by an interface is routed back out that same interface? | hairpinning |
| What is an important characteristic of remote-access VPNs? | The VPN connection is initiated by the remote user. |
| Which type of site-to-site VPN uses trusted group members to eliminate point-to-point IPsec tunnels between the members of a group? | GETVPN |
| Refer to the exhibit. Which pair of crypto isakmp key commands would correctly configure PSK on the two routers? | R1(config)# crypto isakmp key cisco123 address 209.165.200.227 R2(config)# crypto isakmp key cisco123 address 209.165.200.226 |
| ministrator creates three zones (A, B, and C) in an ASA that filters traffic. Traffic originating from Zone A going to Zone C is denied, and traffic originating from Zone B going to Zone C is denied. What is a possible scenario for Zones A, B, and C? | A – DMZ, B – Outside, C – Inside |
| What is one of the drawbacks to using transparent mode operation on an ASA device? | no support for QoS |
| What is a characteristic of ASA security levels? | An ACL needs to be configured to explicitly permit traffic from an interface with a lower security level to an interface with a higher security level. |
| Two types of VLAN interfaces were configured on an ASA 5505 with a Base license. The administrator wants to configure a third VLAN interface with limited functionality. Which action should be taken by the administrator to configure the third interface? | The administrator must enter the no forward interface vlan command before the nameif command on the third interface. |
| What command defines a DHCP pool that uses the maximum number of DHCP client addresses available on an ASA 5505 that is using the Base license? | CCNAS-ASA(config)# dhcpd address 192.168.1.25-192.168.1.56 inside |
| Which two statements are true about ASA standard ACLs? (Choose two.) | They are typically only used for OSPF routes. . They identify only the destination IP address. |
| Refer to the exhibit. A network administrator is configuring the security level for the ASA. What is a best practice for assigning the security level on the three interfaces? | Outside 0, Inside 100, DMZ 50 |
| Refer to the exhibit. A network administrator is configuring the security level for the ASA. Which statement describes the default result if the administrator tries to assign the Inside interface with the same security level as the DMZ interface? | The ASA will not allow traffic in either direction between the Inside interface and the DMZ. |
| What is a difference between ASA IPv4 ACLs and IOS IPv4 ACLs? | ASA ACLs use the subnet mask in defining a network, whereas IOS ACLs use the wildcard mask. |
| What is the purpose of the webtype ACLs in an ASA? | to filter traffic for clientless SSL VPN users |
| Refer to the exhibit. A network administrator has configured NAT on an ASA device. What type of NAT is used? | inside NAT |
| Refer to the exhibit. A network administrator is configuring an object group on an ASA device. Which configuration keyword should be used after the object group name SERVICE1? | tcp |
| When dynamic NAT on an ASA is being configured, what two parameters must be specified by network objects? (Choose two.) | a range of private addresses that will be translated the pool of public global addresses |
| What function is performed by the class maps configuration object in the Cisco modular policy framework? | identifying interesting traffic |
| Refer to the exhibit. Based on the security levels of the interfaces on ASA1, what traffic will be allowed on the interfaces? | Traffic from the LAN and DMZ can access the Internet. |
| What are three characteristics of the ASA routed mode? (Choose three.) | The interfaces of the ASA separate Layer 3 networks and require different IP addresses in different subnets. " It is the traditional firewall deployment mode. NAT can be implemented between connected networks. |
| Refer to the exhibit. An administrator has configured an ASA 5505 as indicated but is still unable to ping the inside interface from an inside host. What is the cause of this problem? | The no shutdown command should be entered on interface Ethernet 0/1. |
| Refer to the exhibit. According to the command output, which three statements are true about the DHCP options entered on the ASA 5505? (Choose three.) | The dhcpd enable inside command was issued to enable the DHCP server. The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP server. The dhcpd auto-config outside command was issued to enable the DHCP client. |
| Refer to the exhibit. What will be displayed in the output of the show running-config object command after the exhibited configuration commands are entered on an ASA 5505? | range 192.168.1.10 192.168.1.20 |
| What must be configured on a Cisco ASA device to support local authentication? | AAA |
| Which statement describes a difference between the Cisco ASA IOS CLI feature and the router IOS CLI feature? | To use a show command in a general configuration mode, ASA can use the command directly whereas a router will need to enter the do command before issuing the show command. |
| What are two factory default configurations on an ASA 5505? (Choose two.) | PAT is configured to allow internal hosts to access remote networks through an Ethernet interface. . VLAN 1 is assigned a security level of 100. |
| Which type of NAT would be used on an ASA where 10.0.1.0/24 inside addresses are to be translated only if traffic from these addresses is destined for the 198.133.219.0/24 network? | policy NAT |
| Which statement describes a feature of AAA in an ASA device? | Accounting can be used alone. |
| A network administrator is working on the implementation of the Cisco Modular Policy Framework on an ASA device. The administrator issues a clear service-policy command. What is the effect after this command is entered? | All service policy statistics data are removed. |
| What is needed to allow specific traffic that is sourced on the outside network of an ASA firewall to reach an internal network? | ACL |
| Which statement describes the function provided to a network administrator who uses the Cisco Adaptive Security Device Manager (ASDM) GUI that runs as a Java Web Start application? | The administrator can connect to and manage a single ASA. |
| What is one benefit of using ASDM compared to using the CLI to configure the Cisco ASA? | It hides the complexity of security commands. |
| Which type of security is required for initial access to the Cisco ASDM by using the local application option? | SSL |
| Which minimum configuration is required on most ASAs before ASDM can be used? | a dedicated Layer 3 management interface |
| What must be configured on an ASA before it can be accessed by ASDM? | web server access |
| How is an ASA interface configured as an outside interface when using ASDM? | Enter the name "outside" in the Interface Name text box |
| Refer to the exhibit. Which Device Management menu item would be used to access the ASA command line from within Cisco ASDM? | Management Access |
| Which ASDM configuration option is used to configure the ASA enable secret password? | Device Setup |
| Refer to the exhibit. Which Device Setup ASDM menu option would be used to configure the ASA for an NTP server? | System Time |
| True or False? The ASA can be configured through ASDM as a DHCP server. | true |
| Which ASDM interface option would be used to configure an ASA as a DHCP server for local corporate devices? | inside |
| Which ASDM configuration option re-encrypts all shared keys and passwords on an ASA? | master passphrase |
| Which type of encryption is applied to shared keys and passwords when the master passphrase option is enabled through ASDM for an ASA? | AES |
| When the CLI is used to configure an ISR for a site-to-site VPN connection, which two items must be specified to enable a crypto map policy? (Choose two.) | the peer a valid access list |
| What is the purpose of the ACL in the configuration of an ISR site-to-site VPN connection? | to define interesting traffic |
| When ASDM is used to configure an ASA site-to-site VPN, what can be customized to secure traffic? | IKE and ISAKMP |
| Which VPN solution allows the use of a web browser to establish a secure, remote-access VPN tunnel to the ASA? | clientless SSL |
| Which remote-access VPN connection allows the user to connect by using a web browser? | clientless SSL VPN |
| Which remote-access VPN connection allows the user to connect using Cisco AnyConnect? | IPsec (IKEv2) VPN |
| Which statement describes available user authentication methods when using an ASA 5505 device? | The ASA 5505 can use either a AAA server or a local database. |
| Which remote-access VPN connection needs a bookmark list? | clientless SSL VPN |
| What occurs when a user logs out of the web portal on a clientless SSL VPN connection? | The user no longer has access to the VPN. |
| If an outside host does not have the Cisco AnyConnect client preinstalled, how would the host gain access to the client image? | The host initiates a clientless VPN connection using a compliant web browser to download the client. |
| What is an optional feature that is performed during the Cisco AnyConnect Secure Mobility Client VPN establishment phase? | posture assessment |
| Which item describes secure protocol support provided by Cisco AnyConnect? | both SSL and IPsec |
| What is the purpose of configuring an IP address pool to be used for client-based SSL VPN connections? | to assign IP addresses to clients when they connect |
Created by:
fluffyhuffy
Popular Engineering sets