210-260.exam

Number: 210-260
Passing Score: 800
Time Limit: 120 min
File Version: 1.0

http://www.gratisexam.com/

Cisco

210-260

Implementing Cisco Network Security

Version 1.0

Exam A

QUESTION 1
Which of the following are not default values in an IKE policy on an ASA running software version 8.4 or higher? (Select 2 choices.)

A. PSK-based authentication method
B. 168-bit DES encryption algorithm
C. 1024-bit DH group
D. MD5 hash algorithm
E. 14,400-second lifetime

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Message Digest 5 (MD5) algorithm and a 14,400-second lifetime are not default values in an Internet Key Exchange (IKE) policy on a Cisco Adaptive Security
Appliance (ASA) running software version 8.2. Virtual private network (VPN) peers establish a connection through a series of negotiations and authentications.
Initially, the VPN peers negotiate an IKE security association (SA) and establish a tunnel for key management and authentication. This initial phase is referred to as
IKE phase 1. The key management tunnel is used to protect the subsequent negotiation of IP Security (IPSec) SAs. This secondary negotiation phase is referred to
as IKE phase 2.
Each VPN peer defines a collection of security parameters in an IKE policy. These parameters are used to negotiate the creation of the key management tunnel in
IKE phase 1. There are six required parameters in an IKE policy:
- Policy priority - specifies the order in which policies are negotiated with a peer
- Authentication method - indicates whether a preshared key (PSK) or an RSA digital certificate is used to verify the identity of an IKE peer
- Encryption algorithm - indicates the data protection method used to secure IKE traffic
- Hash-based Message Authentication Code (HMAC) algorithm - indicates the data integrity method used to verify the integrity of IKE traffic
- Diffie-Hellman (DH) group - specifies how keying material is generated between IKE peers
- Lifetime - specifies the length of time that a key is considered valid; the default is 86,400 seconds, or 24 hours

If an IKE policy does not specify a parameter and its associated value, the ASA will use the default value. The default IKE policy settings are shown below:

The default IKE policy settings are combined with the configuration parameters specified in the running configuration. For example, because the following block of
commands does not specify an HMAC algorithm, an ASA running software revision 8.4 or higher would use the default value, which is SHA1:
ASA(config)#crypto ikev1 policy 1
ASA(config-ikev1-policy)#authentication rsa-sig
ASA(config-ikev1-policy)#encryption aes-192
ASA(config-ikev1-policy)#group 1
ASA(config-ikev1-policy)#lifetime 14400
In order for VPN peers to successfully negotiate a key management tunnel during IKE phase 1, the peers must agree on security parameters. For example, when
ASA1 sends an IKE policy proposal to ASA2, the IKE policy is compared with the IKE policies defined on ASA2. The proposed policy must be an exact match to
one of ASA2's locally defined policies; otherwise, it will be rejected. The one exception to this rule is the value of the IKE lifetime parameter. An IKE lifetime is
considered a match if the value specified by the remote peer is less than or equal to the IKE lifetime defined in the local policy. If the IKE lifetime value is less than
that of the local policy, the ASA will use the lesser of the two values.
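The matching rules just described, modelled in Python as an added example (not code from this page or from Cisco): policies are completed with the 8.4+ defaults the question lists, compared parameter by parameter, and the lifetime rule is applied. The policy dictionaries, the peer proposals and the function names are this example's own assumptions, not ASA syntax.

```python
"""IKE phase 1 policy defaults and proposal matching for the ASA case above.

Added example, not from the page or from Cisco. It models the rules the
explanation states: every parameter except lifetime must match exactly, a
proposed lifetime matches when it is less than or equal to the local one,
and the lesser lifetime is used. Policy dictionaries and function names are
this example's own assumptions.
"""

# Default IKEv1 policy values stated on the page for ASA software 8.4 or higher.
IKE_DEFAULTS = {
    "authentication": "pre-share",  # PSK-based authentication
    "encryption": "3des",           # 168-bit Triple DES
    "hash": "sha",                  # SHA-1 HMAC
    "group": 2,                     # 1024-bit Diffie-Hellman group
    "lifetime": 86400,              # seconds (24 hours)
}

# Parameters that must match exactly; lifetime is handled separately.
EXACT_MATCH_KEYS = ("authentication", "encryption", "hash", "group")


def ike_policy(priority, **explicit):
    """Build a complete policy: explicit parameters plus defaults for the rest.

    Mirrors the behaviour described above: a parameter that is not configured
    under 'crypto ikev1 policy <n>' takes its default value.
    """
    unknown = set(explicit) - set(IKE_DEFAULTS)
    if unknown:
        raise ValueError(f"unknown IKE parameter(s): {sorted(unknown)}")
    policy = dict(IKE_DEFAULTS)
    policy.update(explicit)
    policy["priority"] = priority
    return policy


def non_default_parameters(policy):
    """Return the names of the parameters whose value differs from the default."""
    return {k for k in IKE_DEFAULTS if policy[k] != IKE_DEFAULTS[k]}


def proposal_matches(local, proposal):
    """Exact match on everything except lifetime, which matches when the
    peer's value is less than or equal to the locally configured value."""
    if any(local[k] != proposal[k] for k in EXACT_MATCH_KEYS):
        return False
    return proposal["lifetime"] <= local["lifetime"]


def negotiate(local_policies, proposal):
    """Return the agreed policy, or None when the peer's proposal is rejected.

    Local policies are tried in priority order (lowest number first). When a
    policy matches, the agreed lifetime is the lesser of the two values.
    """
    for local in sorted(local_policies, key=lambda p: p["priority"]):
        if proposal_matches(local, proposal):
            agreed = dict(local)
            agreed["lifetime"] = min(local["lifetime"], proposal["lifetime"])
            return agreed
    return None


# The policy from the command block above: hash is not set, so it stays SHA-1.
ASA1_POLICIES = [
    ike_policy(1, authentication="rsa-sig", encryption="aes-192", group=1, lifetime=14400),
]

if __name__ == "__main__":
    print("policy 1:", ASA1_POLICIES[0])
    print("non-defaults in the question's policy:",
          non_default_parameters(ike_policy(5, hash="md5", lifetime=14400)))
    # Constructed peer proposals: same parameters with a shorter, then a longer, lifetime.
    shorter = ike_policy(10, authentication="rsa-sig", encryption="aes-192", group=1, lifetime=7200)
    longer = ike_policy(10, authentication="rsa-sig", encryption="aes-192", group=1, lifetime=28800)
    print("shorter lifetime ->", negotiate(ASA1_POLICIES, shorter))
    print("longer lifetime  ->", negotiate(ASA1_POLICIES, longer))
```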
Reference:
Cisco: Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2: ISAKMP Overview

QUESTION 2
Which of the following is specifically filtered by a URL filtering subscription service on a Cisco router? (Select the best answer.)

A. traffic sent from specific domains


B. traffic that contains specific keywords
C. traffic that contains malicious software
D. traffic that matches predefined categories

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
On a Cisco router, traffic that matches predefined categories is filtered by a Uniform Resource Locator (URL) filtering subscription service. URL filtering inspects
Hypertext Transfer Protocol (HTTP) requests and blocks access to websites that match certain criteria.
Subscription-based URL filtering services, which are offered by Trend Micro, Websense, and Secure Computing, assign websites to categories, which are used by
administrators to limit or block access to these sites. URL filtering is commonly configured on perimeter routers to prevent users from inadvertently accessing URLs
that have been deemed inappropriate or identified as containing malware.
Although a URL filtering subscription service does not specifically filter traffic that contains malicious software as a payload, you can configure the local URL filtering
service so that access to websites known to distribute malicious software is filtered. For example, if a particular URL is known to harbor malware, you could filter
that specific URL or the entire domain. However, to filter traffic that contains malicious software as a payload, you should install an Intrusion Prevention System
(IPS).

Reference:
Cisco: Subscription-based Cisco IOS Content Filtering
Cisco: Cisco IOS Content Filtering Configuration Guide

QUESTION 3
Which of the following actions could you take to mitigate VLAN hopping attacks? (Select the best answer.)

A. Implement sticky MAC addresses.


B. Change the native VLAN on trunk ports to an unused VLAN.
C. Implement DAI.
D. Limit the number of MAC addresses permitted on a port.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should change the native virtual LAN (VLAN) on trunk ports to an unused VLAN to mitigate VLAN hopping attacks. In a VLAN hopping attack, an attacker
sends double-tagged 802.1Q frames over a trunk link. A double-tagged frame is an Ethernet frame containing two distinct 802.1Q headers. Although double-tagging
can be used as a legitimate way to tunnel traffic through a network and is commonly used by service providers, it can also be used by an attacker to circumvent
security controls on an access switch. In a VLAN hopping attack, the attacker attempts to inject packets into other VLANs by accessing the native VLAN on a trunk
and sending double-tagged 802.1Q frames to the switch. The switch strips the outer 802.1Q header from the received frame and then forwards the frame, which still
includes an 802.1Q header, across a trunk port to the VLAN of the target host. A successful VLAN hopping attack enables an attacker to send unidirectional traffic
to other VLANs without the use of a router.
Implementing sticky secure Media Access Control (MAC) addresses can help mitigate MAC spoofing attacks. In a MAC spoofing attack, an attacker uses the MAC
address of another known host on the network in order to bypass port security measures. MAC spoofing can also be used to impersonate another host on the
network.
Limiting the number of MAC addresses permitted on a port can help mitigate MAC flooding attacks. In a MAC flooding attack, an attacker generates thousands of
forged frames every minute with the intention of overwhelming the switch's MAC address table. Once this table is flooded, the switch can no longer make intelligent
forwarding decisions and all traffic is flooded. This allows the attacker to view all data sent through the switch because all traffic will be sent out each port. A MAC
flooding attack is also known as a content addressable memory (CAM) table overflow attack.
Implementing Dynamic ARP Inspection (DAI) can help mitigate Address Resolution Protocol (ARP) poisoning attacks. In an ARP poisoning attack, which is also
known as an ARP spoofing attack, the attacker sends a gratuitous ARP (GARP) message to a host. The GARP message associates the attacker's MAC address
with the IP address of a valid host on the network. Subsequently, traffic sent to the valid host address will go through the attacker's computer rather than directly to
the intended recipient.
Reference:
Cisco: Implementation of Security: VLAN Hopping

QUESTION 4
Which of the following devices typically sits inline? (Select the best answer.)

A. a HIDS
B. a HIPS
C. a NIDS
D. a NIPS

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Network-based Intrusion Prevention System (NIPS) typically sits inline, which means that all traffic from the external network must flow through and be analyzed
by the NIPS before the traffic can enter the internal network. Therefore, a NIPS can detect and drop malicious traffic, which prevents malicious traffic from
infiltrating the internal network. A NIPS can work in conjunction with a network firewall; however, Cisco recommends deploying a NIPS on the inside interface of the
firewall in order to prevent the NIPS from wasting resources by analyzing traffic that will ultimately be blocked by the firewall. This enables the NIPS to efficiently
analyze the traffic that the firewall permits onto the network, rather than processing every inbound packet.
A Host-based Intrusion Prevention System (HIPS) is software that is installed on a host device and analyzes traffic that enters the host. Any traffic that is suspected
to be malicious is blocked before it can affect the host device. Many modern, host-based firewall applications include components that provide HIPS functionality.
A Network-based Intrusion Detection System (NIDS) typically does not sit inline in the flow of traffic. Instead, a NIDS merely sniffs the network traffic by using a
promiscuous network interface. Because network traffic does not flow through a NIDS, the NIDS can detect malicious traffic but cannot prevent it from infiltrating
the network. When a NIDS detects malicious traffic, it can alert other network devices in the traffic path so that further traffic can be blocked. In addition, a NIDS
can be configured to send a Transmission Control Protocol (TCP) reset notification or an Internet Control Message Protocol (ICMP) unreachable message to the
source and destination addresses.
A Host-based Intrusion Detection System (HIDS) is software that is installed on a host device and analyzes changes made to the device. The primary difference
between a HIDS and a HIPS is that a HIPS can detect and block malicious traffic before the traffic can affect the host; a HIDS can detect a threat only after it has
already affected the host. Two examples of HIDS applications are Tripwire and OSSEC. Tripwire monitors the integrity of critical files and sends alerts if changes
are made to them. OSSEC is an open-source application that monitors logs, registries, and critical files. In addition, OSSEC can detect rootkits, which are malware
processes that actively hide their presence from the host operating system.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 17, Difference Between IPS and IDS, pp. 460-462
Cisco: Cisco IPS Mitigation Capabilities

QUESTION 5
Which of the following statements is true regarding a stateless packet-filtering firewall? (Select the best answer.)

A. It can operate at Layer 4 of the OSI model.
B. It is more secure than a stateful packet-filtering firewall.
C. It tracks packets as a part of a stream.
D. It is not susceptible to IP spoofing attacks.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A stateless packet-filtering firewall can operate at Layer 4 of the Open Systems Interconnection (OSI) model.
A stateless packet-filtering firewall, which is also referred to as a static packet-filtering firewall, evaluates and either blocks or allows individual packets based on the
Layer 3 and Layer 4 information in the packet header. Specifically, stateless packet-filtering firewalls can use the source and destination IP addresses, source and
destination port numbers, and protocol type listed in the packet header; these values are commonly known as the 5-tuple. Because a stateless packet-filtering
firewall allows all traffic from an approved IP address, stateless packet-filtering firewalls are susceptible to IP spoofing attacks; an IP spoofing attack is a type of
attack wherein an attacker uses the source IP address of a trusted host to send messages to other computers. This allows the attacker to send messages that
appear to come from legitimate hosts on the network. In addition, because a stateless packet-filtering firewall evaluates packets individually, it cannot evaluate data
streams or track connections.
By contrast, stateful packet-filtering firewalls traditionally operate at Layers 3, 4, and 5 of the OSI model. Stateful packet-filtering firewalls are more secure than
stateless packet-filtering firewalls and are commonly used because of their versatility and ability to dynamically monitor and filter packets. Session information is
maintained and tracked by stateful packet-filtering firewalls in order to determine whether packets should be permitted or blocked. For example, when monitoring
Transmission Control Protocol (TCP) traffic, the stateful packet filter adds an entry to the state table when a TCP session is permitted. Subsequent packets are
verified against the state table to ensure that the packets are in the expected sequence. If the TCP packet sequence numbers are not in the expected range, the
packets are dropped.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 14, Static Packet Filtering, p. 362

QUESTION 6
An SNMP read-only community named READONLY is configured on a Cisco router.
Which of the following fields in the output of the show snmp command on the router will increment if an NMS makes a set request to the READONLY community?
(Select the best answer.)

A. Unknown community name


B. Illegal operation for community name supplied
C. Input queue packet drops
D. No such name errors

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the Illegal operation for community name supplied field in the output of the show snmp command on the router will increment if a network
management station (NMS) makes a Simple Network Management Protocol (SNMP) set request to the READONLY community. SNMP communities can be
configured to be either read-only or read-write. Read-only communities enable an NMS to retrieve Management Information Base (MIB) data from a community,
whereas read-write communities enable an NMS to modify and retrieve MIB data. The show snmp command displays accumulated SNMP statistics, as shown in the
following sample output:
Chassis: 4279256517
1230 SNMP packets input
2 Bad SNMP version errors
5 Unknown community name
4 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
680 Get-request PDUs
479 Get-next PDUs
60 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
1230 SNMP packets output
0 Too big errors (Maximum packet size 1500)
No such name errors
Bad values errors
0 General errors
762 Response PDUs
0 Trap PDUs
SNMP logging: disabled
The Illegal operation for community name supplied field in the sample output indicates that four SNMP packets requested an operation that was not allowed for the
associated community, such as a set request for a community that permits only get requests. The Unknown community name field indicates that five SNMP
packets were received with unknown community strings. The Input queue packet drops field indicates that no packets were dropped because the input queue had
reached its maximum size. The No such name errors field indicates that five SNMP packets were received for MIBs that did not exist on the router. The sample
output also indicates the number of get, getNext, and set requests that have been received by the router as well as statistics on the number of various types of
SNMP packets the router has sent in response to NMS queries.
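A monitoring job can turn the counter explained above into a detection: parse two captures of show snmp output and alert when the illegal-operation or unknown-community counters grow. This is an added example, not code from this page or from Cisco; both captures are constructed (the first reuses the counts shown above), and the function names are this example's own.

```python
"""Watch 'show snmp' counters for operations a community does not allow.

Added example, not from the page or from Cisco: a parser for the counter
lines in the sample output above and a delta check that a polling job could
run between two collections. Both snapshots are constructed for this example
(the first reuses the counts shown on the page); the counter names come from
the page's output, and the function names are this example's own.
"""
import re

# Matches "<count> <counter name>", dropping a trailing "(...)" qualifier such as
# "(Maximum queue size 1000)".
_COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*(?:\(.*\))?\s*$")

# Counters whose growth points at misuse of community strings rather than at a
# healthy NMS: set requests to a read-only community, or unknown communities.
WATCHED = (
    "Illegal operation for community name supplied",
    "Unknown community name",
)

# Constructed snapshot 1: the counts shown in the page's sample output.
SNAPSHOT_BEFORE = """\
Chassis: 0000000000
1230 SNMP packets input
    2 Bad SNMP version errors
    5 Unknown community name
    4 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    680 Get-request PDUs
    479 Get-next PDUs
    60 Set-request PDUs
    0 Input queue packet drops (Maximum queue size 1000)
1230 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 General errors
    762 Response PDUs
    0 Trap PDUs
SNMP logging: disabled
"""

# Constructed snapshot 2: three more set requests arrived for the read-only
# community, so the illegal-operation counter rose by three.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "1230 SNMP packets input", "1233 SNMP packets input"
).replace(
    "4 Illegal operation", "7 Illegal operation"
).replace(
    "60 Set-request PDUs", "63 Set-request PDUs"
).replace(
    "1230 SNMP packets output", "1233 SNMP packets output"
)


def parse_show_snmp(text):
    """Return {counter name: value} for each line that begins with a count."""
    counters = {}
    for line in text.splitlines():
        m = _COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def watched_increases(before, after, watched=WATCHED):
    """Return {counter: increase} for the watched counters that grew."""
    return {
        name: after.get(name, 0) - before.get(name, 0)
        for name in watched
        if after.get(name, 0) > before.get(name, 0)
    }


def check_read_only_community(before_text, after_text):
    """Parse two 'show snmp' captures and return the alerts for the interval."""
    return watched_increases(parse_show_snmp(before_text), parse_show_snmp(after_text))


if __name__ == "__main__":
    for name, inc in check_read_only_community(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"ALERT: '{name}' increased by {inc}")
```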
Reference:
Cisco: Cisco IOS SNMP Support Command Reference: show snmp

QUESTION 7
Which of the following statements is true of all firewalls? (Select the best answer.)

A. They maintain a state table.


B. They hide the source of network connections.
C. They operate at Layer 7 of the OSI model.
D. They are multihomed devices.

Correct Answer: D
Section: (none)

Explanation

Explanation/Reference:
Explanation:
All firewalls are multihomed devices. A multihomed device is a device that connects to more than one network segment. The purpose of a firewall is to block
undesired network traffic and to allow desired network traffic to pass from one network interface to another.
Some firewalls, such as proxy firewalls, can be configured to hide the source of network connections. However, stateful firewalls and packet filtering firewalls are
not typically configured to hide the source of network connections. A proxy firewall terminates the connection with the source device and initiates a new connection
with the destination device, thereby hiding the true source of the traffic. When the reply comes from the destination device, the proxy firewall forwards the reply to
the original source device. Network Address Translation (NAT) and Port Address Translation (PAT) can also be used to hide the source of network connections.
Some firewalls, such as stateful firewalls, maintain a state table. However, other firewalls, such as packet filtering firewalls, do not. A stateful firewall makes filtering
decisions based on the state of each session. When an outbound session is initiated, the stateful firewall will create an entry in the firewall’s state table and
dynamically allow the return traffic in the inbound direction. Inbound traffic from other sources will be blocked unless there is a corresponding outbound session
listed in the state table.
A packet filtering firewall makes simple filtering decisions based on each individual packet. As a result, packet filtering firewalls are not particularly flexible. For
example, if you want to configure traffic on a port to flow inbound as well as outbound, you must open up the port in both directions. However, doing so might
expose the internal network to undesirable inbound traffic on that port. Therefore, stateful firewalls are more secure than packet filtering firewalls.
Some firewalls, such as application-level proxy firewalls, operate at Layer 7 of the Open Systems Interconnection (OSI) model, which is called the Application layer.
However, stateful firewalls and packet filtering firewalls operate at the Network and Transport layers. An application-level proxy firewall can make filtering decisions
based on Application layer data. However, to do so, the firewall must be able to understand the corresponding Application layer protocol. As a result,
application-level proxy firewalls are often designed to filter data for a particular Application layer protocol, such as Hypertext Transfer Protocol (HTTP) or File
Transfer Protocol (FTP). For example, an HTTP proxy can block malicious or otherwise undesirable web traffic, but it might not be able to block malicious FTP
traffic.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 14, Firewall Technologies, p. 358

QUESTION 8
You issue the following block of commands on a Cisco router:
RouterA(config)#privilege exec level 10 show users
RouterA(config)#username boson password cisco
RouterA(config)#username boson privilege 15
RouterA(config)#username boson autocommand show users
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
RouterA(config-line)#privilege level 7
Which of the following statements accurately describes what happens when the user boson successfully initiates a Telnet session to RouterA? (Select the best
answer.)

A. The autocommand command fails, and the user is disconnected.


B. The autocommand command fails, and the user is not disconnected.
C. The autocommand command succeeds, and the user is disconnected.

D. The autocommand command succeeds, and the user is not disconnected.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When the user boson successfully initiates a Telnet session to RouterA in this scenario, the autocommand command succeeds and the user is disconnected from
the router. When issued with the username command, the autocommand keyword can execute a specific command immediately after a user successfully logs in to
a Cisco router. In this scenario, the autocommand specifies that the show users command should execute immediately after the user logs in. The command output
is displayed to the user terminal, and then the user's session is terminated. You can prevent the user session from being terminated either by using the nohangup
keyword or by issuing the no username username autocommand command to remove the autocommand keyword. However, the no username username
autocommand command will delete both the autocommand keyword and the specified user name from the local database; therefore, you will need to issue the
username username password password command again to recreate the user entry. By contrast, the nohangup keyword does not affect the autocommand keyword but
instead changes the default behavior so that the user session is not disconnected.
The privilege exec level 10 show users command in this scenario changes the required privilege level of the show users command to level 10. The default EXEC
privilege level is level 1; therefore, this command removes the show users command from the EXEC shells of all users with privilege levels less than 10. The
default enable privilege level is level 15; therefore, any user could enter privileged EXEC mode and execute the command. The username boson privilege 15
command in this scenario configures the user boson with a privilege level of 15. Because the user's base privilege level is already 15, the user is not required to
issue the enable command to enter privileged EXEC mode. The following block of commands configures the four default virtual terminal (VTY) interfaces on
RouterA to use the local database for authentication and to assign user sessions a default privilege level of 7:
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
RouterA(config-line)#privilege level 7
Although Telnet users are assigned a default privilege level of 7 in this scenario, per-user privileges override the privileges configured for the VTY line. Therefore,
the user boson will be granted privilege level 15 when connected to a VTY line through a Telnet session. By contrast, a user without a specified privilege level will
be granted privilege level 7 in this scenario. Because the show users command has been assigned a required privilege level of 10, the boson user will be able to
execute the command, whereas a Telnet user with the default privilege level would be unable to execute the command without first issuing the enable command to
enter privileged EXEC mode.
If the boson user was assigned a privilege level that was insufficient to execute the show users command, the autocommand keyword would still attempt to execute
the command. The autocommand keyword does not verify that a user has sufficient privileges to execute the specified command. However, the command would
cause the router to display an error message instead of the expected command output. The user session would be disconnected after the error message was
displayed.
In no case would the user session remain connected. The nohangup keyword must be used with the username command to change the default behavior so that a
user session is not disconnected after the command specified by the autocommand command is executed.
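The three rules the explanation combines (per-user privilege overrides the line's level, a command runs only at or above its configured level, and autocommand ends the session unless nohangup is set) are modelled below as an added example, not code from this page or from Cisco. The User, VtyLine and Router classes, the constructed guest user and the result strings are this example's own assumptions, not IOS output.

```python
"""Privilege levels and autocommand for the RouterA scenario above.

Added example, not from the page or from Cisco. It models the rules the
explanation states: a per-user privilege level overrides the VTY line's
level, a command runs only at or above its configured level, and
autocommand disconnects the session unless nohangup is set. Class names,
the 'guest' user and the returned strings are this example's assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_EXEC_LEVEL = 1     # default user EXEC privilege level
ENABLE_LEVEL = 15          # default privileged EXEC level


@dataclass
class User:
    name: str
    privilege: Optional[int] = None   # None: take the line's privilege level
    autocommand: Optional[str] = None
    nohangup: bool = False


@dataclass
class VtyLine:
    login_local: bool = True
    privilege: int = DEFAULT_EXEC_LEVEL   # 'privilege level 7' on the line sets this


@dataclass
class Router:
    users: dict
    vty: VtyLine
    command_levels: dict = field(default_factory=dict)  # 'privilege exec level N <cmd>'

    def required_level(self, command):
        """Commands default to level 1 unless 'privilege exec level' moved them."""
        return self.command_levels.get(command, DEFAULT_EXEC_LEVEL)

    def effective_level(self, user):
        """Per-user privilege wins; otherwise the VTY line's level applies."""
        return user.privilege if user.privilege is not None else self.vty.privilege

    def can_run(self, user, command):
        return self.effective_level(user) >= self.required_level(command)

    def telnet_login(self, username):
        """Outcome of a successful login: (what the user sees, still connected?)."""
        user = self.users[username]
        if user.autocommand is None:
            return ("exec prompt", True)
        # autocommand runs regardless of privilege; an insufficient level only
        # turns the output into an error. The session then ends unless nohangup.
        level = self.effective_level(user)
        if self.can_run(user, user.autocommand):
            shown = f"output of '{user.autocommand}'"
        else:
            shown = f"error: '{user.autocommand}' not permitted at level {level}"
        return (shown, user.nohangup)


# The configuration from the question, expressed in these classes.
ROUTER_A = Router(
    users={
        "boson": User("boson", privilege=15, autocommand="show users"),
        "guest": User("guest"),   # constructed: no per-user privilege configured
    },
    vty=VtyLine(login_local=True, privilege=7),
    command_levels={"show users": 10},
)

if __name__ == "__main__":
    print("boson:", ROUTER_A.telnet_login("boson"))
    print("guest level:", ROUTER_A.effective_level(ROUTER_A.users["guest"]),
          "can run show users:", ROUTER_A.can_run(ROUTER_A.users["guest"], "show users"))
```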
Reference:
Cisco: Role-Based CLI Access: username

QUESTION 9

You administer the network shown above. SwitchE is the root bridge for the network. You connect SwitchF to a port on SwitchB. SwitchF has a priority value of 0
and the MAC address 0000.0c42.0729.
Which statement is most accurate regarding root bridge selection after SwitchF is connected to SwitchB? (Select the best answer.)

A. SwitchB will immediately become the root bridge.


B. SwitchE will remain the root bridge.
C. SwitchF will immediately become the root bridge.
D. SwitchE will remain the root bridge until it is powered down, and then SwitchF will become the root bridge.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
After you connect SwitchF to a port on SwitchB, SwitchF will become the root bridge because it has the lowest possible priority value and it has a lower Media
Access Control (MAC) address than any of the other switches with a priority value of 0. The root bridge is the switch with the lowest bridge ID (BID), which is
composed of a 2-byte bridge priority and a 6-byte MAC address. The bridge priority is considered first in the determination of the lowest BID. When two or more
switches have the lowest priority, the switch with the lowest MAC address will become the root bridge. Because SwitchF has a lower MAC address than SwitchE,
SwitchF will become the root bridge.

SwitchE will not remain the root bridge, because SwitchF has the same priority and a lower MAC address.
When a switch is powered on, it sends out bridge protocol data units (BPDUs) that contain the switch's BID. As soon as a switch receives a BPDU with a lower BID
than the current root switch BID, the switch will consider that BPDU to be superior, replace the root switch BID with the BID from the BPDU, and recalculate the root
port and port costs. This can have an undesired effect on how packets are sent through a switched network. Therefore, when connecting a switch to a switched
network, you must ensure that the switch has a higher priority value than the root bridge, unless you want the switch to assume the root bridge role. This is
especially true if the switch is older or contains inferior technology, such as ports that are capable of only 10-megabit per second (Mbps) transmission or half-duplex
operation. Alternatively, you can issue the spanning-tree guard root command to enable the root guard feature. The root guard feature, when enabled on a port,
prevents superior BPDUs received on a neighbor switch connected to that port from becoming the root bridge. If superior BPDUs are received on a port enabled
with root guard, the port enters the root-inconsistent state and the port is blocked until the port stops receiving superior BPDUs.
SwitchB will not become the root bridge. SwitchB has a priority value of 65535, which is the highest possible priority value. The root bridge is the switch with the
lowest priority value. You can set the bridge priority by issuing the spanning-tree priority value command, where value is a number from 0 through 65535; the default
priority is 32768.
SwitchE will not remain the root bridge until it is powered down; SwitchF will immediately replace SwitchE as the root bridge. Root bridges do not behave the same
as Open Shortest Path First (OSPF) designated routers (DRs) and backup DRs (BDRs) do. A DR is not replaced by another DR even if a router with a higher
OSPF priority is introduced. A DR remains the DR until it fails or is powered down; then the BDR becomes the DR and a new BDR is selected.
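The election and the root guard behaviour described above, carried through in Python as an added example (not code from this page or from Cisco): the bridge ID is compared as priority first and MAC second, and a port with root guard blocks on a superior BPDU instead of accepting a new root. SwitchF's priority and MAC and SwitchB's priority are from the question; the other switches' values are constructed because the exhibit is not reproduced here.

```python
"""Root bridge election by lowest bridge ID, for the SwitchF scenario above.

Added example, not from the page or from Cisco. It computes the bridge ID
(2-byte priority, 6-byte MAC), elects the root, and shows how a port with
root guard treats a superior BPDU. SwitchF (priority 0, 0000.0c42.0729) and
SwitchB's priority (65535) are from the question; the remaining priorities
and MAC addresses are constructed because the exhibit is not reproduced.
"""
import re
from dataclasses import dataclass

_MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
DEFAULT_PRIORITY = 32768


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                            # Cisco dotted format, e.g. 0000.0c42.0729
    priority: int = DEFAULT_PRIORITY    # 0..65535, set with 'spanning-tree priority'

    def __post_init__(self):
        if not 0 <= self.priority <= 65535:
            raise ValueError(f"{self.name}: priority {self.priority} out of range")
        if not _MAC_RE.match(self.mac.lower()):
            raise ValueError(f"{self.name}: bad MAC address {self.mac!r}")

    def bridge_id(self):
        """BID compared as (priority, MAC): priority first, MAC breaks ties."""
        return (self.priority, int(self.mac.replace(".", ""), 16))


def elect_root(switches):
    """The root bridge is the switch with the lowest bridge ID."""
    return min(switches, key=Switch.bridge_id)


def is_superior(received_bid, current_root_bid):
    """A BPDU is superior when its BID is lower than the current root's BID."""
    return received_bid < current_root_bid


def root_guard_port_state(root_guard_enabled, current_root_bid, received_bid):
    """Port outcome when a BPDU arrives: with root guard, a superior BPDU puts
    the port into the root-inconsistent (blocked) state instead of re-electing."""
    if is_superior(received_bid, current_root_bid):
        return "root-inconsistent" if root_guard_enabled else "new-root-accepted"
    return "forwarding"


# Constructed topology: SwitchE is the current root and SwitchB has the highest
# possible priority, as the explanation states.
TOPOLOGY = [
    Switch("SwitchA", "0000.0c11.aa01"),
    Switch("SwitchB", "0000.0c11.bb02", priority=65535),
    Switch("SwitchC", "0000.0c11.cc03"),
    Switch("SwitchD", "0000.0c11.dd04"),
    Switch("SwitchE", "0000.0c55.1a2b", priority=0),
]
SWITCH_F = Switch("SwitchF", "0000.0c42.0729", priority=0)


def connect_switch(topology, new_switch):
    """Return (root before, root after) when a switch joins the network."""
    return elect_root(topology), elect_root(topology + [new_switch])


if __name__ == "__main__":
    before, after = connect_switch(TOPOLOGY, SWITCH_F)
    print(f"root before: {before.name}, after connecting SwitchF: {after.name}")
    # With root guard on SwitchB's port, SwitchF's superior BPDUs block the port instead.
    print("port with root guard:",
          root_guard_port_state(True, before.bridge_id(), SWITCH_F.bridge_id()))
```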
Reference:
Cisco: Understanding and Configuring Spanning Tree Protocol (STP) on Catalyst Switches
Cisco: Spanning Tree Protocol Root Guard Enhancement

QUESTION 10
Which of the following statements is true regarding the outbreak control feature of AMP for Endpoints? (Select the best answer.)

A. It cannot block polymorphic malware.


B. It must wait for a content update before blocking specific files.
C. It cannot whitelist specific applications.
D. It can use application blocking lists to contain compromised applications.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The outbreak control feature of Cisco Advanced Malware Protection (AMP) for Endpoints can use application blocking lists to contain compromised applications.
AMP for Endpoints is a host-based malware detection and prevention platform that runs on Microsoft Windows, Mac OS X, Linux, and Google Android. Like many
other antimalware packages, AMP for Endpoints monitors network traffic and application behavior to protect a host from malicious traffic. However, unlike many of
its competitors, AMP for Endpoints continues its analysis after a disposition has been assigned to a file or traffic flow. When malware is detected, the outbreak
control feature of AMP for Endpoints can use application blocking to ensure that a compromised application is contained and that it does not spread the infection.
Outbreak control provides for granular control over which applications are blocked and can use whitelists to ensure that mission-critical software continues to run
even during an outbreak.
The outbreak feature works in conjunction with the continuous analysis, continuous detection, and retrospective security features of AMP for Endpoints to quickly
contain and control the spread of malware. Once a file or application has been detected as malicious, the outbreak control feature can use custom detection rules
to quickly block the specific file or application without waiting for a signature file content update. In addition, custom signatures can be created to detect polymorphic
malware, which is malicious software that can evolve its code or behavior as it propagates.
Reference:
Cisco: Cisco Advanced Malware Protection Solution Overview
Cisco: Cisco Advanced Malware Protection for Endpoints Data Sheet

QUESTION 11
You want to use ASDM to create an inspection rule that will drop and log SHOUTcast media streams.
Which of the following inspection rules should you configure to achieve your goal? (Select the best answer.)

A. H.323 H.225
B. H.323 RAS
C. HTTP
D. RTSP
E. IM

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should configure a Hypertext Transfer Protocol (HTTP) inspection rule to drop and log SHOUTcast media streams on a Cisco Adaptive Security Appliance
(ASA). When HTTP inspection is enabled in a service policy, such as the global service policy, you can opt to use the default inspection rules or you can customize
the inspection rules by applying an HTTP inspect map. You can select a custom HTTP inspect map from the Select HTTP Inspect Map dialog box, as shown
below:

You can modify the configuration of an HTTP inspect map from the Configuration > Firewall > Objects > Inspect Maps > HTTP pane of Cisco Adaptive Security
Device Manager (ASDM). This pane enables you to add, delete, and modify HTTP inspect maps. To modify an existing map, you should first click the Customize
button, which opens the Edit HTTP Inspect Map dialog box, as shown in the following exhibit:

You can reset the inspection map to its default security level by clicking the Default Level button, or you can slide the Security Level slider to select a predefined
setting. Alternatively, you can click the Details button to expand the Edit HTTP Inspect Map dialog box into a larger window with more options, as shown below:

You can use the Parameters tab of the expanded Edit HTTP Inspect Map dialog box to enable protocol violation checks and to select the actions that the ASA
should take if protocol violations are found. You can also use the tab to configure server string spoofing and the maximum body length for HTTP request and
response searches. The Inspections tab of the expanded Edit HTTP Inspect Map dialog box displays the details of the inspection map, as shown in the exhibit
below:

The Inspections tab displays the inspection rules that apply to the current inspect map. The Match Type column indicates whether traffic must match or not match
the criterion specified in the remaining columns. The Criterion column specifies what type of inspection is being performed. If the traffic is being inspected for a
value, that value is indicated in the Value column. The Action column indicates what action will be applied to sessions that meet the rules requirements, and the Log
column indicates whether the action triggers a system log (syslog) message. If you wanted to add an inspection rule that dropped and logged SHOUTcast media
streams, you could click the Add button to open the Add HTTP Inspect dialog box and then select the _default_shoutcast-tunneling-protocol item from the HTTP
Traffic Class drop-down list box, as shown in the following exhibit:

The items listed in the drop-down list are class maps that have been defined on the ASA. Names that begin with _default are predefined in the system default
configuration and can be referenced directly from ASDM or by the class command in a policy map. The _default_shoutcast-tunneling-protocol class map is a
predefined class map that can identify SHOUTcast media streams by their HTTP metadata, as shown in the following exhibit:

You cannot configure H.323 H.225; H.323 Registration, Admission, and Status (RAS); Instant Messaging (IM); or Real-Time Streaming Protocol (RTSP) inspection
rules to drop and log SHOUTcast media streams on an ASA. SHOUTcast media streams use HTTP, not H.323 or H.225. H.323 H.225 and H.323 RAS inspection
rules provide support for International Telecommunication Union (ITU) H.323-compliant applications such as Cisco CallManager. IM inspection rules provide the
ASA with the ability to enforce security policies for a variety of mainstream IM applications. RTSP inspection rules enable an ASA to process media streams that
are commonly produced by RealAudio, Apple QuickTime, and Cisco IP television (IPTV) connections.
Reference:
Cisco: Configuring Application Layer Protocol Inspection: HTTP Class Map
Cisco: Configuring Inspection of Basic Internet Protocols: Configuring an HTTP Inspection Policy Map for Additional Inspection Control
Cisco: Configuring Application Layer Protocol Inspection: Add/Edit HTTP Map

QUESTION 12
On which of the following screens in ASDM can you enable users to select which connection profile they will use when they establish a clientless SSL VPN
connection? (Select the best answer.)

A. the Edit User Account dialog box for each user who should be able to select a connection profile
B. the Edit Internal Group Policy dialog box for each group policy that is associated with the clientless SSL VPN connection profiles
C. the main Connection Profiles pane
D. the main Group Policies pane
E. the main Local Users pane

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can enable users to select which connection profile they will use on the portal login page on the main Connection Profiles pane for clientless Secure Sockets
Layer (SSL) virtual private network (VPN) connections in Cisco Adaptive Security Device Manager (ASDM). When you configure a clientless SSL VPN connection,
you can require that a user use a specific connection profile or you can allow users to select the connection profile to use on the login page of the clientless SSL
VPN portal. You can select the Allow user to select connection profile, identified by its alias, on the login page option on the Connection Profiles pane in ASDM to
allow users to select which connection profile they will use. This option is shown in the following exhibit:

When this option is selected, a drop-down list will be displayed on the login page of the clientless SSL VPN portal. The drop-down list will contain a list of the
connection profiles from which the user can select.
You cannot configure the main Group Policies pane or the main Local Users pane to enable users to select connection profiles on the clientless SSL VPN portal.
On these panes, you can view a basic summary of information for any configured group policies or user accounts, respectively. To configure group policy or user
account information, you must select a group policy or a user account and click the Edit button to configure them. The resulting configuration dialog boxes (Edit User
Account for users and Edit Internal Group Policy for group policies) enable you to make configuration changes, but neither of these dialog boxes contains an option
for enabling users to select the connection profile on the clientless SSL VPN portal.
Reference:
Cisco: General VPN Setup: About Connection Profiles

QUESTION 13
Which of the following can be configured on the General screen of the Add Internal Group Policy dialog box in ASDM when creating a group policy for clientless
SSL VPN users? (Select 3 choices.)

A. a banner message for VPN clients
B. the bookmark list to apply to VPN clients
C. the tunneling protocols that clients can use to establish a VPN connection
D. the name of the group policy
E. a group URL that VPN users can access
F. the portal customization object to apply to VPN connections

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices available, you can configure a banner message for virtual private network (VPN) clients, the tunneling protocols that clients can use to establish VPN
connections, and the name of the group policy on the General screen of the Add Internal Group Policy dialog box in Cisco Adaptive Security Device Manager
(ASDM) when creating a group policy for clientless Secure Sockets Layer (SSL) VPN users. You can create a group policy on a Cisco Adaptive Security Appliance
(ASA) to specify security policies and network settings that are used when remote VPN users log in to the ASA. To create a group policy for clientless SSL VPN
users in ASDM, you should click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, and click Group Policies. You can then
create a new group policy by clicking Add, which will open the Add Internal Group Policy dialog box. The dialog box opens to the General screen, on which you can
configure general properties for the group policy, including the name of the group policy, a banner message to be displayed to VPN users, the tunneling protocols
that clients can use to establish a VPN connection, the VPN access hours, a web access control list (ACL), the number of simultaneous logins, a virtual LAN
(VLAN) restriction, the connection profile to use for the connection, the maximum connect time, and the idle timeout time. The General screen of the Add Internal
Group Policy dialog box, with the name, banner message, and tunneling protocols configured, is shown in the following exhibit:

The bookmark list to apply to VPN clients is not configured on the General screen of the Add Internal Group Policy dialog box. You can specify the bookmark list on
the Portal screen of the Add Internal Group Policy dialog box.
The portal customization object to apply to VPN clients is not configured on the General screen of the Add Internal Group Policy dialog box. You can specify the
portal customization object on the Customization screen of the Add Internal Group Policy dialog box.
A group Uniform Resource Locator (URL) that VPN users can access is not configured on the General screen of the Add Internal Group Policy dialog box. You
configure a group URL in a connection profile, not in a group policy. To configure a group URL, you should access the SSL VPN screen of the Add SSL VPN
Connection Profile dialog box in ASDM.
Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 14
Which of the following show clock command output symbols indicates that time reported by the software clock is authoritative but not synchronized with the
configured time source? (Select the best answer.)

A. #
B. *
C. ~
D. .
E. +

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The period (.) is the show clock command output symbol that indicates that time reported by the software clock is authoritative but not synchronized with the
configured time source. The show clock command displays the current time as reported by the system software clock. The time can be configured manually or
derived from an external time source, such as a Network Time Protocol (NTP) server. If the software clock is configured to use an external time source and that
source becomes unreachable, the time might become unsynchronized due to clock drift. When this happens, the show clock command uses the . symbol to indicate
that the time is still considered authoritative but is no longer guaranteed to be synchronized with the external time source. The following command output indicates
that the software clock is authoritative but not synchronized with its time source:
.10:06:40.603 UTC Tue Jan 13 2015
The asterisk (*) is displayed in the output of the show clock command to indicate that time reported by the software clock is not authoritative. If the software clock is
not set by a timing source, the system will flag the time as not authoritative and the output of the show clock command will indicate the flag with the * symbol, as
shown in the following command output:
*10:06:40.603 UTC Tue Jan 13 2015
By contrast, if the time is set by a timing source and is synchronized with that source, the time is considered authoritative and the output of the show clock
command will not display any additional symbols. For example, the absence of additional symbols in the following command output indicates that the software clock
is authoritative and synchronized with its time source:
10:06:40.603 UTC Tue Jan 13 2015
The pound sign (#), tilde (~), and plus sign (+) are displayed in the output of the show ntp associations command, not the show clock command. The output of the
show ntp associations command shows the IP addresses of configured NTP servers and their respective clock sources, strata, and reachability statistics. For
example, in the following command output, the NTP server at IP address 128.227.205.3 is a stratum 1 server that uses a global positioning system (GPS) time
source as its time source:
      address         ref clock       st   when   poll reach  delay  offset   disp
*~128.227.205.3     .GPS.            1     17     64   377   0.000   0.000   0.230
 ~71.40.128.157     204.9.54.119     2     18     64   377   0.000     321   1.816
 ~184.22.97.162     132.163.4.101    2      5     64   377   0.000     314   1.134
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
The * next to the IP address in the command output indicates that this server is an NTP master time source to which the Cisco device is synched. A # next to the IP
address indicates that the server is an NTP master time source to which the Cisco device is not yet synched. A + next to the IP address indicates that the server is
an NTP master time source that is selected for synchronization but the synchronization process has not yet begun. A ~ next to an IP address indicates that the
address was manually configured.
Reference:
Cisco: Cisco IOS Basic System Management Command Reference: show clock
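To put the symbols above to use in monitoring, here is an added Python example (not from the page or from Cisco) that parses show clock and show ntp associations output and flags a device whose timestamps should not be relied on for log correlation. The sample output is constructed from the lines quoted above; the function and constant names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines, modelled on the show clock output quoted in the
# explanation above (one line per clock state).
SHOW_CLOCK_NOT_SYNCED = ".10:06:40.603 UTC Tue Jan 13 2015"
SHOW_CLOCK_NOT_AUTHORITATIVE = "*10:06:40.603 UTC Tue Jan 13 2015"
SHOW_CLOCK_SYNCED = "10:06:40.603 UTC Tue Jan 13 2015"

# Constructed show ntp associations output, modelled on the table above.
SHOW_NTP_ASSOCIATIONS = """\
      address         ref clock       st   when   poll reach  delay  offset   disp
*~128.227.205.3     .GPS.            1     17     64   377   0.000   0.000   0.230
 ~71.40.128.157     204.9.54.119     2     18     64   377   0.000     321   1.816
 ~184.22.97.162     132.163.4.101    2      5     64   377   0.000     314   1.134
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# Optional leading flag (. or *), then HH:MM:SS.mmm, the time zone and the date.
CLOCK_RE = re.compile(
    r"^(?P<flag>[.*])?(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<tz>\S+)\s+(?P<date>.+)$"
)

# One association row: flag characters, an IPv4 address, then the numeric columns.
# The header and legend lines do not match and are skipped by the parser.
ASSOC_RE = re.compile(
    r"^\s*(?P<flags>[*#+x~-]*)(?P<address>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<refclock>\S+)"
    r"\s+(?P<stratum>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)"
    r"\s+(?P<delay>\S+)\s+(?P<offset>\S+)\s+(?P<disp>\S+)\s*$"
)

CLOCK_STATES = {
    "*": "not authoritative",
    ".": "authoritative, not synchronized",
    "": "authoritative, synchronized",
}


@dataclass
class Association:
    address: str
    refclock: str
    stratum: int
    reach: int   # polls answered out of the last eight (reach column is an octal bitmask)
    flags: str   # the characters printed in front of the address

    @property
    def sys_peer(self) -> bool:
        return "*" in self.flags        # the peer the device is synchronized to

    @property
    def configured(self) -> bool:
        return "~" in self.flags        # entered manually with the ntp server command


def classify_clock(line: str) -> Dict[str, str]:
    """Return the clock state signalled by the leading symbol of a show clock line."""
    m = CLOCK_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a show clock line: {line!r}")
    flag = m.group("flag") or ""
    return {"flag": flag, "state": CLOCK_STATES[flag], "time": m.group("time"),
            "timezone": m.group("tz"), "date": m.group("date")}


def reach_count(reach_octal: str) -> int:
    """Number of the last eight polls that were answered."""
    return bin(int(reach_octal, 8)).count("1")


def parse_ntp_associations(output: str) -> List[Association]:
    """Parse the data rows of show ntp associations."""
    rows = []
    for line in output.splitlines():
        m = ASSOC_RE.match(line)
        if m is None:
            continue
        rows.append(Association(m.group("address"), m.group("refclock"),
                                int(m.group("stratum")), reach_count(m.group("reach")),
                                m.group("flags")))
    return rows


def sys_peer(output: str) -> Optional[str]:
    """Address of the peer marked with *, or None if the device has no sys.peer."""
    return next((r.address for r in parse_ntp_associations(output) if r.sys_peer), None)


def timestamps_trustworthy(clock_line: str, ntp_output: str) -> bool:
    """True only when show clock carries no flag and a reachable sys.peer exists.

    Syslog and audit timestamps from a device that fails this check should not be
    used to correlate events with other devices.
    """
    if classify_clock(clock_line)["flag"] != "":
        return False
    return any(r.sys_peer and r.reach > 0 for r in parse_ntp_associations(ntp_output))
```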

QUESTION 15
Which of the following statements are true regarding policies in Cisco Security Manager? (Select 2 choices.)

A. Rule-based policies can contain hundreds of rules containing values for the same set of parameters.
B. Settings-based policies can define only one set of parameters for each settings-based policy defined on a device.
C. Local policies are well-suited to smaller networks and to devices requiring standard configurations.
D. Any changes that you make to a shared policy are not automatically applied to all the devices to which it is assigned.
E. The Default section of a shared policy contains rules that cannot be overridden by local rules.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In Cisco Security Manager (CSM), rule-based policies can contain hundreds of rules containing values for the same set of parameters and settings-based policies
can define only one set of parameters for each settings-based policy defined on a device. CSM is a graphics-based management application that can be used to
configure a wide variety of Cisco devices, such as routers, switches, firewall appliances, Intrusion Prevention System (IPS) appliances, and Catalyst service
modules. One of the advantages of CSM is its ability to centralize the administration of security policies across a large number of Cisco devices. CSM categorizes
policies into two general types: rule-based policies and settings-based policies. Rule-based policies, such as access control lists (ACLs) and inspection rules, are
stored in a tabular fashion and can contain many different values for the same set of parameters. These policies are processed in order and the first matching table
entry will be applied, even if there are other matching table entries farther down the table. Because of the nature in which rule-based policies are processed, they
can contain hundreds of rules with values for the same set of parameters. By contrast, settings-based policies can define only a single set of parameters for each
settings-based policy defined on a device. Settings-based policies, such as Quality of Service (QoS) policies and IP Security (IPSec) policies, contain a set of
parameters that, as a whole, define a particular hardware or security configuration feature.
CSM policies can be either local or shared. A local policy is specific to a particular device, and any changes affect only its associated device. By contrast, a shared
policy is applicable to a group of devices and any changes are automatically applied to all of its associated devices. Because local policies are specific to individual
devices, it can become cumbersome to manage the policies in a network with a large number of devices; therefore, local policies are better suited to smaller
networks and shared policies are better suited to larger networks.
Shared policies use an inheritance hierarchy to determine which policy rules are implemented on a particular device. There are two kinds of shared policy rules:
mandatory and default. Mandatory rules cannot be overridden by either child policy rules or local rules. By contrast, default rules can be overridden by both child
policy rules and local rules. Inheritance enables you to nest multiple shared rules and ensure that certain policies cannot be overridden while still maintaining the
flexibility to override some default settings.
Reference:
Cisco: Managing Policies: Understanding Policies

QUESTION 16
Which of the following authentication methods are supported by both RADIUS and TACACS+ server groups on a Cisco ASA firewall? (Select 3 choices.)

A. ASCII
B. CHAP
C. MS-CHAPv1
D. MS-CHAPv2
E. PAP

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) server groups on a Cisco Adaptive
Security Appliance (ASA) support Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP version 1 (MS-CHAPv1), and Password Authentication
Protocol (PAP). A Cisco ASA supports a number of different Authentication, Authorization, and Accounting (AAA) server types, such as RADIUS, TACACS+,
Lightweight Directory Access Protocol (LDAP), Kerberos, and RSA Security Dynamics, Inc. (SDI) servers.
When authenticating with a TACACS+ server, a Cisco ASA can use the following authentication protocols:
- ASCII
- PAP
- CHAP
- MS-CHAPv1
When authenticating with a RADIUS server, a Cisco ASA can use the following authentication protocols:
- PAP
- CHAP
- MS-CHAPv1
- MS-CHAPv2
- Authentication Proxy Mode (for example, RADIUS to RSA/SDI, RADIUS to Active Directory, and others)
Reference:
Cisco: Configuring AAA Servers and the Local Database: Radius Server Support
Cisco: Configuring AAA Servers and the Local Database: TACACS+ Server Support

QUESTION 17
Which of the following statements is true regarding ZFW traffic action characteristics? (Select the best answer.)

A. The pass action is bidirectional and automatically permits return traffic.
B. The inspect action is unidirectional and can be used to maintain state information.
C. The drop action silently discards packets and does not generate ICMP host unreachable messages.
D. The pass action can provide an audit trail including session start, stop, and duration values.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The drop action in a zone-based policy firewall (ZFW) configuration silently discards packets and does not generate Internet Control Message Protocol (ICMP) host
unreachable messages. ZFWs include many of the features of previous firewall versions, including stateful packet inspection and Uniform Resource Locator (URL)
filtering. However, several new firewall features are also included, such as the ability to create security zones to which security policies can be applied. With ZFWs,
policies are applied to a security zone pair rather than to an interface. This provides for more granular implementation of firewall policies; different policies can be
applied to hosts connected to the same interface. Before a policy can be applied to an interface, the interface must be added to a zone. To permit traffic from one
zone to another, you must create a zone pair between the zones. Once you have configured zones and zone pairs, you can apply one of three actions, pass, drop,
or inspect, to the traffic between the zones.
The drop action is the default action that is applied to traffic sent from one zone to another on a router that is configured with a ZFW. Unless a policy has been
configured to allow traffic to be sent between two zones, the traffic will be dropped.
The pass action can be applied to permit traffic from one zone to another. However, because the pass action is unidirectional, no return traffic will be allowed by the
pass action. Another policy would need to be applied in the destination zone to allow return traffic to the originating zone.
The inspect action can be used to maintain state information for a connection sent through a ZFW. Consequently, unlike the pass action, the inspect action is
bidirectional and will allow return traffic to the zone from the destination. For example, if a ZFW is used in between an internal network and the Internet, the inspect
action can be used to allow the internal hosts to retrieve information from the Internet. That is, data from the Internet will be permitted by the inspect action. In
addition, the inspect action can provide an audit trail including session start time, stop time, duration, quantity of data transferred, and source and destination IP
addresses.
Reference:
Cisco: Zone-Based Policy Firewall Design and Application Guide: Configuring Zone-Based Policy Firewall Policy Maps
Category: Cisco Firewall Technologies
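The difference between the three actions, as an added Python model (not code from the page or from Cisco IOS): a zone-pair action table plus a session table that only the inspect action populates, run over one outbound flow, its reply, and an unsolicited inbound connection. Interface, zone and address names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# A flow is (protocol, source IP, destination IP, source port, destination port).
Flow = Tuple[str, str, str, int, int]


def reverse(flow: Flow) -> Flow:
    """The 5-tuple that the return traffic of a flow carries."""
    proto, src, dst, sport, dport = flow
    return (proto, dst, src, dport, sport)


@dataclass
class ZoneFirewallModel:
    """Minimal model of ZFW zone-pair actions; a teaching model, not IOS behaviour in full."""
    zone_of: Dict[str, str]                  # interface name -> zone name
    actions: Dict[Tuple[str, str], str]      # (source zone, destination zone) -> pass | inspect | drop
    sessions: Set[Flow] = field(default_factory=set)   # state created by the inspect action only

    def forward(self, in_if: str, out_if: str, flow: Flow) -> str:
        """Return 'permit' or 'drop' for a packet entering in_if and leaving via out_if."""
        src_zone = self.zone_of.get(in_if)
        dst_zone = self.zone_of.get(out_if)
        # A zone member cannot exchange traffic with an interface that is in no zone.
        if src_zone is None or dst_zone is None:
            return "drop"
        # Interfaces in the same zone may talk to each other without any policy.
        if src_zone == dst_zone:
            return "permit"
        # Return traffic of an inspected session is matched by the session entry,
        # so no zone pair is needed in the reverse direction.
        if reverse(flow) in self.sessions:
            return "permit"
        # Default for a zone pair without a policy is drop. Drop is silent: the
        # model returns nothing to the sender, mirroring the absence of ICMP unreachables.
        action = self.actions.get((src_zone, dst_zone), "drop")
        if action == "inspect":
            self.sessions.add(flow)      # stateful: remember the flow so its replies pass
            return "permit"
        if action == "pass":
            return "permit"              # stateless and one-way: no entry for the reply
        return "drop"


def demo(action: str) -> Dict[str, str]:
    """Run an outbound flow, its reply and an unsolicited inbound flow through one ZFW.

    The INSIDE->OUTSIDE zone pair gets the given action; no OUTSIDE->INSIDE pair exists.
    Zone, interface and address values are constructed for this example.
    """
    zfw = ZoneFirewallModel(
        zone_of={"GigabitEthernet0/0": "INSIDE", "GigabitEthernet0/1": "OUTSIDE"},
        actions={("INSIDE", "OUTSIDE"): action},
    )
    request = ("tcp", "10.1.1.10", "203.0.113.5", 51000, 443)
    unsolicited = ("tcp", "203.0.113.5", "10.1.1.10", 40000, 22)
    return {
        "request": zfw.forward("GigabitEthernet0/0", "GigabitEthernet0/1", request),
        "reply": zfw.forward("GigabitEthernet0/1", "GigabitEthernet0/0", reverse(request)),
        "unsolicited_inbound": zfw.forward("GigabitEthernet0/1", "GigabitEthernet0/0", unsolicited),
    }
```

With inspect the reply is permitted by the session entry; with pass the same reply is dropped because nothing recorded the outbound flow and no OUTSIDE->INSIDE policy exists.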

QUESTION 18
You have configured an ASA to accept SSL VPN connections. DTLS and DPD are configured on the ASA.
Which of the following is most likely to occur if a Cisco AnyConnect client that is not configured for DTLS attempts to connect to the ASA? (Select the best answer.)

A. The client will be unable to establish a connection to the ASA.
B. The client will still be able to connect by using DTLS and will be able to communicate on the remote network.
C. The client will be able to connect by using TLS and will be able to communicate on the remote network.
D. The client will be able to establish a connection to the ASA but will be unable to communicate on the remote network.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The client will be able to connect by using Transport Layer Security (TLS) and will be able to communicate on the remote network. Datagram TLS (DTLS) is the
default transport method for Secure Sockets Layer (SSL) virtual private network (VPN) connections on Cisco Adaptive Security Appliance (ASA) devices. However,
if DTLS is not enabled on the VPN client, TLS can be used as a fallback method for data transport. In such a scenario, the client will establish a TLS connection
and will be able to communicate on the remote network, provided that the user has access to the client network. In order for an ASA to fall back to TLS, Dead Peer
Detection (DPD) must be enabled on the ASA. DPD is a feature that can determine whether the other end of a link is not responding and the connection has failed.
If DPD determines that the client is not responding, the connection will revert to using TLS as the transport method.
Reference:
Cisco: Configuring AnyConnect VPN Client Connections: Configuring DTLS

QUESTION 19
Refer to the exhibit.

You want to use network object NAT to configure the ASA to perform PAT on traffic that originates from the 192.168.13.0/24 network attached to the INSIDE
interface and that is destined to any networks connected to OUTSIDE interface.
Which of the following blocks of commands should you issue to achieve your goal? (Select the best answer.)

A. asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (INSIDE,OUTSIDE) dynamic interface
B. asa(config)#object network OUTSIDENetwork
asa(config-network-object)#subnet 198.51.100.0 255.255.255.0
asa(config-network-object)#nat (any,INSIDE) dynamic interface
C. asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (OUTSIDE,INSIDE) dynamic interface
D. asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (any,OUTSIDE) dynamic interface

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should issue the following block of commands to achieve your goal in this scenario:

asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (INSIDE,OUTSIDE) dynamic interface

When the nat command is issued from network object configuration mode, it is referred to as the nat (object) command and it can be used to configure network
object Network Address Translation (NAT) on the Cisco Adaptive Security Appliance (ASA). Network object NAT enables you to easily specify a mapping for the
source address in a packet. The command block in this scenario configures a network object named INSIDENetwork, defines a subnet IP address and network
mask for the INSIDENetwork object, and specifies that the real source IP address of packets from the INSIDE interface should be dynamically translated to the
mapped IP address corresponding to the IP address assigned to the OUTSIDE interface. The effect of the translation on matching packets is illustrated by the
following graphic:

The nat (object) command can be used to create a dynamic NAT rule which translates traffic for a particular network object. The abbreviated syntax to create a
dynamic NAT rule with the nat (object) command is nat (real_interface,mapped_interface) dynamic {mapped_object | mapped_host_IP | interface}
[fallthrough_interface], where real_interface represents the source interface of the original packet and mapped_interface represents the source interface of the
translated packet. The source IP address of the original packet is based on the definition of the network object; in this scenario, the network object is a network
subnet. The dynamic keyword is used to specify a dynamic NAT rule and the interface parameter is used to specify a Port Address Translation (PAT) rule. An
optional fallthrough interface can be specified if dynamic NAT is configured to use a pool of addresses to ensure that translation continues even if every IP address
in the pool has been assigned a translation.
Alternatively, you could use Adaptive Security Device Manager (ASDM) instead of the command line to configure the network object NAT rule in this scenario. You
can create a network object rule in ASDM by accessing the Configuration > Firewall > NAT Rules pane, clicking the Add drop-down list, and selecting the Add
"Network Object" NAT rule option to open the Add Network Object dialog box. The following sample Add Network Object dialog box corresponds to the block of
commands in this scenario:

You should not issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (any,OUTSIDE) dynamic interface

The nat (any,OUTSIDE) dynamic interface command in this block of commands maps the source IP address of traffic that originates from the 192.168.13.0/24
subnet, from any interface, to the IP address assigned to the OUTSIDE interface. Although this block of commands would configure the ASA to perform the
required translation for traffic originating from the INSIDE interface, it would also perform the translation for any traffic from the 192.168.13.0/24 subnet originating
from any other interface. Because the scenario requires the translation to occur only for traffic originating from the INSIDE interface, you should not issue this block
of commands.
You should not issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (OUTSIDE,INSIDE) dynamic interface

The nat (OUTSIDE,INSIDE) dynamic interface command maps the source IP address of traffic that originates from the 192.168.13.0/24 subnet, from only the
OUTSIDE interface, to the IP address assigned to the INSIDE interface. Because the 192.168.13.0/24 network is directly connected to the INSIDE interface and not
the OUTSIDE interface, this translation rule would not achieve the requirements of the scenario.
You should not issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network OUTSIDENetwork
asa(config-network-object)#subnet 198.51.100.0 255.255.255.0
asa(config-network-object)#nat (any,INSIDE) dynamic interface

This block of commands creates a network object that corresponds to the network directly connected to the OUTSIDE interface. The nat (any,INSIDE) dynamic
interface command maps the source IP address of traffic that originates from the 198.51.100.0/24 subnet, from any interface, to the IP address assigned to the
INSIDE interface.
Reference:
Cisco: Configuring Network Object NAT: Configuring Dynamic PAT (Hide)
Cisco: Cisco ASA Series Command Reference: nat (object)

QUESTION 20
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following questions.
Exhibit:

When a user logs in to the clientless SSL VPN portal by using extranet tunnel group, which of the following statements is true regarding the appearance of the
portal? (Select the best answer.)

A. No text will be displayed in the title portion of the portal screen.
B. The text “SSL VPN Service” will be displayed in the title portion of the portal screen.
C. The text “Boson Extranet” will be displayed in the title portion of the portal screen.
D. The text “Boson SSL VPN Service” will be displayed in the title portion of the portal screen.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When a user logs in to the clientless Secure Sockets Layer (SSL) virtual private network (VPN) portal by using the extranet tunnel group, the text “Boson Extranet”
will be displayed in the title portion of the portal screen. When users log in to a clientless SSL VPN session, the users are presented with a portal screen that
contains information and links to resources to which the user has access. You can customize the appearance of the portal by modifying the DfltCustomization
customization object or by creating a new customization object and linking it to the appropriate tunnel group(s). You can then link a customization object to a
specific tunnel group, which is also known as a connection profile.
To determine which customization object has been applied to a tunnel group, you should click Configuration, click the Remote Access VPN button, expand
Clientless SSL VPN Access, click Connection Profiles, and then select the appropriate connection profile from the list. For this scenario, you want to determine the
customization object that will be applied to the extranet tunnel group, so you should double-click extranet in the list of connection profiles, expand Advanced, and
click Clientless SSL VPN. The Portal Page Customization entry indicates that this connection profile uses the extranet_customization customization object, as shown
in the following exhibit:

To view the details of a customization object in Cisco Adaptive Security Device Manager (ASDM), you should click Configuration, click the Remote Access VPN
button, expand Clientless SSL VPN Access, expand Portal, and click Customization, which will display the Customization Objects pane. In this scenario, two
customization objects have been created: boson_customization and extranet_customization. To view the details of a customization object, you should double-click
the customization object, which will open the SSL VPN Customization Editor in a browser window. To determine the text that will be displayed in the title portion of
the portal screen, you should navigate to the Portal area of the SSL VPN Customization Editor by clicking the Portal tab and then click Title Panel, as shown in the
following exhibit:

The text that will be displayed in the title portion of the portal is displayed in the Text entry of the Title Panel pane; the Text entry contains the text “Boson Extranet”,
which is the text that will be displayed in the title portion of the portal when users establish a VPN connection, as shown in the following exhibit.

The text “SSL VPN Service” is the default text that will be displayed if you do not customize the Text entry of the Title Panel. In this scenario, the text has been
customized, so the text “SSL VPN Service” will not be displayed.
The text “Boson SSL VPN Service” will be displayed only for tunnel groups that use the boson_customization customization object. This text will not be displayed for
the extranet tunnel group.
Reference:
Cisco: Customizing Clientless SSL VPN: Customizing the External Portal Page

QUESTION 21
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following questions.
Exhibit:

Which of the following statements is true regarding how the on-screen keyboard will be displayed when a user establishes a clientless SSL VPN session by using
the boson connection profile? (Select the best answer.)

A. The on-screen keyboard will not be displayed on any pages.
B. The on-screen keyboard will be displayed only on the login page.
C. The on-screen keyboard will be displayed on any portal page that requires authentication.
D. The on-screen keyboard will be displayed on every portal page.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the on-screen keyboard will be displayed only on the login page when a user establishes a clientless Secure Sockets Layer (SSL) virtual private
network (VPN) session by using the boson connection profile. When users log in to a clientless SSL VPN session, you can configure an on-screen keyboard to be
displayed in certain areas of the portal. The on-screen keyboard enables users to enter information, such as passwords, by using the on-screen keyboard instead of
a physical keyboard. For example, you can configure the on-screen keyboard to be displayed on the login page, and users can use this keyboard to enter their login
information. By default, the on-screen keyboard is disabled. To enable the on-screen keyboard, you should click Configuration, click the Remote Access VPN button,
expand Clientless SSL VPN Access, expand Portal, and click Customization, which will display the Customization Objects pane. This pane contains an On-Screen
Keyboard area that provides several options for configuring the on-screen keyboard. You can select from the following on-screen keyboard options:
- Do not show On-Screen keyboard - This option disables the on-screen keyboard.
- Show only for the login page - This option enables the on-screen keyboard for the login page.
- Show for all portal pages requiring authentication - This option enables the on-screen keyboard for any page that requires that the user be authenticated.
In this scenario, the Show only for the login page option is selected, as shown in the following exhibit:

This setting will apply to any customization object that you create. Therefore, selecting the Show only for the login page option will configure the onscreen keyboard
to be displayed on the login page for all customization objects and for any connection profiles associated with those customization objects.
Reference:
CCNP Security VPN 210-260 Quick Reference, Chapter 4, Deploying Basic Navigation Customization, pp. 153-154

QUESTION 22
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:

Which of the following statements are true regarding the extranet connection profile? (Select three.)

A. It will use the boson_grp group policy.
B. It will use the DfltGrpPolicy group policy.
C. It will use the local AAA database for authentication.
D. It will use digital certificates for authentication.
E. It will use the DfltCustomization customization object.
F. It will use the boson_customization customization object.
G. It will use the extranet_customization customization object.

Correct Answer: BCG
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The extranet connection profile will use the DfltGrpPolicy group policy, the local Authentication, Authorization, and Accounting (AAA) database for authentication,
and the extranet_customization customization object. When creating a connection profile in Cisco Adaptive Security Device Manager (ASDM), you can specify a
number of parameters. For example, you can specify the type of authentication to use and the default group policy to use for VPN connections made by using the
connection profile. This information can be configured or modified on the Add or Edit Clientless SSL VPN Connection Profile dialog box in ASDM. To access this
dialog box in ASDM, you should click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, and click Connection Profiles. You
can then double-click a connection profile to open the Edit Clientless SSL VPN Connection Profile dialog box for the selected connection profile. The Edit Clientless
SSL VPN Connection Profile dialog box for the extranet tunnel group is shown in the following exhibit:

The Authentication section of the Basic screen of the Edit Clientless SSL VPN Connection Profile dialog box indicates that the tunnel group will use the local AAA
database for user authentication. Thus any VPN connections made by using this tunnel group will be authenticated against the AAA database.
The Default Group Policy section indicates that the DfltGrpPolicy group policy will be applied to this connection profile. That is, the settings in the DfltGrpPolicy
group policy will apply to VPN users who connect by using the extranet tunnel group.
The Clientless SSL VPN screen of the Edit Clientless SSL VPN Connection Profile dialog box indicates that the extranet connection profile will use the
extranet_customization customization object. This screen is shown in the following exhibit:

Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles

QUESTION 23
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:

Which of the following statements is true regarding the display of a banner message when users establish a clientless SSL VPN session by using the extranet
connection profile? (Select the best answer.)

A. No banner message will be displayed.
B. A generic banner message will be displayed that states “Welcome to SSL VPN Service.”
C. A custom banner message will be displayed that states “Welcome to Boson Software!”
D. A custom banner message will be displayed for each user that states “Welcome user-name.”

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
No banner message will be displayed when users establish a clientless Secure Sockets Layer (SSL) virtual private network (VPN) session by using the extranet
connection profile. You can configure a banner message to be displayed when users establish a clientless SSL VPN connection. This information is configured in
the group policy that is associated with the connection profile used to create the connection.
In this scenario, you want to determine whether a banner message will be displayed when the extranet connection profile is used. The extranet connection profile
uses the DfltGrpPolicy group policy, so you should view the details of that group policy. To view the details of the DfltGrpPolicy group policy, you should click
Configuration, expand Clientless SSL VPN Access, and click Group Policies. You can then double-click DfltGrpPolicy (System Default), which will open the Edit
Internal Group Policy dialog box, which is shown in the following exhibit:

The Banner entry contains no value. As a result, clientless SSL VPN connections made by using connection profiles that use the DfltGrpPolicy group policy will not
display a banner to users when they establish a connection.
VPN connections made by using the boson connection profile will display the message “Welcome to Boson Software!” This message will not be displayed for
connections made by using the extranet connection profile.
No group policy has been configured with a banner of “Welcome to SSL VPN Service.” In addition, no group policy has been configured with a banner of “Welcome
username.” Thus no VPN connections in this scenario will display either of these banner messages.
Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 24
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:

A. No bookmarks will be displayed.
B. The boson.com and files.boson.com bookmarks will be displayed.
C. The extranet.boson.com and projects.boson.com bookmarks will be displayed.
D. The boson.com, files.boson.com, extranet.boson.com, and projects.boson.com bookmarks will be displayed.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The extranet.boson.com and projects.boson.com bookmarks will be displayed to users who establish a clientless Secure Sockets Layer (SSL) virtual private
network (VPN) session by using the extranet connection profile. You can create a bookmark list to specify a list of Uniform Resource Locators (URLs) that will be
displayed to users when they establish a clientless SSL VPN connection. To configure a bookmark list, you should access the Bookmarks pane of Cisco Adaptive
Security Device Manager (ASDM) by clicking Configuration, clicking the Remote Access VPN button, expanding Clientless SSL VPN Access, expanding Portal, and
clicking Bookmarks. In this scenario, two bookmark lists have been created: URLs and Extranet. The URLs bookmark list contains two URLs, which are boson.com
and files.boson.com. The Extranet bookmark list also contains two URLs, which are extranet.boson.com and projects.boson.com.
The bookmark list that will be applied to a tunnel group is specified in the group policy that is associated with the tunnel group. In this scenario, the extranet tunnel
group is linked to the DfltGrpPolicy group policy. Thus you should view the details of this group policy to determine which links will be displayed. This is
accomplished by clicking Configuration, clicking the Remote Access VPN button, expanding Clientless SSL VPN Access, selecting Group Policies, and
double-clicking DfltGrpPolicy (System Default). You should then click Portal, which will display the Portal pane of the Edit Internal Group Policy dialog box, as shown
in the following exhibit:

The Bookmark List entry indicates that the Extranet bookmark list is associated with the DfltGrpPolicy group policy. Because this list contains the
extranet.boson.com and projects.boson.com URLs, you can conclude that these URLs will be displayed to users who connect by using the extranet tunnel group.
Reference:
Cisco: Configuring Clientless SSL VPN: Configuring Bookmarks

QUESTION 25
Which of the following are in-band management tools that do not use encryption? (Select 3 choices.)

A. SNMPv1
B. SNMPv2
C. SNMPv3
D. Telnet
E. SSH

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, Simple Network Management Protocol version 1 (SNMPv1), SNMP version 2 (SNMPv2), and Telnet are all in-band management tools that
do not use encryption. Encryption is a method of encoding network traffic so that it cannot be read in transit. Thus encryption can be used to defeat eavesdropping
attacks.
Simple Network Management Protocol (SNMP) is used to remotely monitor and manage network devices. Telnet is used to create a terminal connection to remote
devices. When a Cisco device is operating in its normal state, another device can connect to it by using in-band methods, such as virtual terminal (VTY) application
protocols.
Three versions of SNMP currently exist. SNMPv1 and SNMPv2 do not provide encryption; password information, known as community strings, is sent as plain text
with messages. SNMPv3 improves upon SNMPv1 and SNMPv2 by providing encryption, authentication, and message integrity to ensure that the messages are not
tampered with during transmission.
Secure Shell (SSH) is a VTY protocol that can be used to securely replace Telnet. Telnet is considered to be an insecure method of remote connection because it
sends credentials over the network in clear text.
Therefore, you should replace Telnet with an encrypted application, such as SSH, where possible.
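The following Cisco IOS configuration is an added example, not part of the exam explanation or of any Cisco document, showing how the replacement described above is typically done: Telnet is removed from the VTY lines in favor of SSH version 2, and the clear-text SNMPv1/v2c community string is replaced by an SNMPv3 authPriv user. The hostname, domain name, user names, the 10.0.0.50 management station address, and the password placeholders are assumptions chosen for this example.

```cisco
! Added example (not from the exam explanation): replacing Telnet and SNMPv1/v2c
! with SSH and SNMPv3 on a Cisco IOS router. Names, addresses and credentials
! are placeholders chosen for this example.
hostname Router1
ip domain-name example.com
! The SSH server needs an RSA key pair before it will accept connections
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret <STRONG-PASSWORD>
!
! Accept only SSH on the VTY lines; Telnet is no longer accepted at all
line vty 0 4
 login local
 transport input ssh
!
! Remove the clear-text community string and use an SNMPv3 authPriv group
! (authentication with SHA, privacy with AES-128) instead
no snmp-server community public
snmp-server group NMS-GROUP v3 priv
snmp-server user nms-user NMS-GROUP v3 auth sha <AUTH-PASSWORD> priv aes 128 <PRIV-PASSWORD>
! Send traps to the management station with the same SNMPv3 user
snmp-server host 10.0.0.50 version 3 priv nms-user
```

After applying the configuration, show ip ssh confirms that SSH version 2 is enabled and show snmp user lists the SNMPv3 user with its authentication and privacy protocols; a show running-config | include snmp-server community that returns nothing confirms that no clear-text community strings remain.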
Reference:
Cisco: SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches): Versions of SNMP
Cisco: Cisco Guide to Hardening IOS Devices: Use Secure Protocols When Possible

QUESTION 26
Your company’s Cisco ISE device and all of its supplicants support EAP-FASTv2. A user’s authentication fails. However, the user’s device attempts to authenticate
and succeeds.
Which of the following is true? (Select the best answer.)

A. The user will have no access.
B. The user will have restricted access.
C. The user will have full access.
D. The device will have full access but the user will have no access.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The user will have restricted access if user authentication to the Cisco Identity Services Engine (ISE) fails but the user’s device authentication succeeds. Extensible
Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) with EAP chaining, which is also sometimes called EAP-FAST version 2
(EAP-FASTv2), enables the validation of both user and device credentials in a single EAP transaction. EAP chaining enables a Cisco security device to validate
authentication credentials for both a user and the user’s device. In order to enable EAP chaining, both the Cisco security device and the supplicant device must
support EAP chaining.
The Cisco ISE will assign a different level of authorization access depending on one of four success and failure possibilities, as shown in the following table:

EAP-FAST is an authentication protocol that can be used for point-to-point connections and for both wired and wireless links. The EAP-FAST authentication process
consists of three phases. The first phase, which is optional and is considered phase 0, consists of provisioning a client with a Protected Access Credential (PAC),
which is a digital credential that is used for authentication. A PAC can be manually configured on a client, in which case phase 0 is not required. The second phase,
which is referred to as phase 1, involves creating a secure tunnel between the client and the server. The final phase, which is referred to as phase 2, involves
authenticating the client. If the client is authenticated, the client will be able to access the network.
Reference:
Cisco: Cisco Identity Services Engine Administrator Guide, Release 1.3: Simple Authentication Policy Configuration Settings

QUESTION 27
Which of the following features prevent attacks that consume CPU and memory resources? (Select 2 choices.)

A. CoPP
B. CPPr
C. CPU Threshold Notifications
D. Memory Threshold Notifications

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Control Plane Policing (CoPP) and Control Plane Protection (CPPr) prevent attacks that consume CPU and memory resources. Both CoPP and CPPr use class
maps to filter and rate-limit traffic. However, CPPr separates control plane traffic into three subinterfaces: the host subinterface, the transit subinterface, and the
Cisco Express Forwarding (CEF) exception subinterface. For this reason, Cisco recommends that you use CPPr instead of CoPP whenever possible. To configure
CPPr, you must perform the following steps:
- Create access control lists (ACLs) to identify traffic.
- Create a traffic class.
- Create a traffic policy, and associate the traffic class to the policy.
- Apply the policy to the specific control plane subinterface.
CoPP is similar to CPPr, except CoPP does not separate control plane traffic into three subinterfaces. To configure CoPP, you must perform the following steps:
- Create ACLs to identify traffic.
- Create a traffic class.
- Create a traffic policy, and associate the traffic class to the policy.
- Apply the policy to the control plane interface.

The host subinterface contains control plane IP traffic that is destined for a router interface, including traffic from the following sources and protocols:
- Terminating tunnels
- Secure Shell (SSH)
- Simple Network Management Protocol (SNMP)
- Internal Border Gateway Protocol (iBGP)
- Enhanced Interior Gateway Routing Protocol (EIGRP)
The transit subinterface contains control plane IP traffic that is traversing the router, including the following traffic:
- Non-terminating tunnel traffic
- Traffic that is software-switched by the route processor
The CEF-exception subinterface contains control plane traffic redirected by CEF for process switching, including traffic from the following sources and protocols:
- Non-IP hosts
- Address Resolution Protocol (ARP)
- External BGP (eBGP)
- Open Shortest Path First (OSPF)
- Label Distribution Protocol (LDP)
- Layer 2 keepalives

CPU Threshold Notifications and Memory Threshold Notifications do not prevent attacks that consume CPU and memory resources. However, these features can
automatically send notifications if excessive CPU or memory consumption is detected. Excessive resource consumption could occur if CoPP or CPPr protection
features have been circumvented or are misconfigured. Notifications are typically sent as SNMP trap messages.
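The four CPPr steps listed above, carried through as one added Cisco IOS configuration example (not taken from the exam explanation or from the Cisco reference): an ACL identifies management traffic from a trusted subnet, a second ACL identifies routing-protocol traffic, each is placed in a class, the classes are policed in a policy map, and the policy is applied to the host subinterface. The 10.0.0.0/24 management subnet, the policer rates, and all ACL, class and policy names are assumptions chosen for this example; the same policy applied with control-plane instead of control-plane host would be a CoPP policy.

```cisco
! Added example (not from the exam explanation): CPPr on the host subinterface.
! The management subnet, the policer rates and all names are placeholders
! chosen for this example.
!
! Step 1: ACLs identify traffic that is destined to the router itself
ip access-list extended CPPR-MGMT-ACL
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
ip access-list extended CPPR-ROUTING-ACL
 permit eigrp any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
! Step 2: traffic classes built from the ACLs
class-map match-all CPPR-MGMT
 match access-group name CPPR-MGMT-ACL
class-map match-all CPPR-ROUTING
 match access-group name CPPR-ROUTING-ACL
!
! Step 3: policy map; routing protocols are measured but never dropped so that
! adjacencies survive, management is capped, and everything else (including
! SSH or SNMP from untrusted sources) is limited to a small rate
policy-map CPPR-HOST-POLICY
 class CPPR-ROUTING
  police 512000 conform-action transmit exceed-action transmit
 class CPPR-MGMT
  police 256000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
! Step 4: apply the policy to the host subinterface (CPPr). For CoPP the
! policy would be applied under "control-plane" with no subinterface keyword.
control-plane host
 service-policy input CPPR-HOST-POLICY
```

The counters that show whether the policy is doing useful work are displayed by show policy-map control-plane host; a steadily growing exceeded count in class-default is the signal that something outside the permitted classes is sending traffic at the route processor, which is exactly the condition the CPU and memory threshold notifications mentioned above would report.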
Reference:
Cisco: Control Plane Protection

QUESTION 28
Which of the following can be detected by the Cisco ESA CASE? (Select 2 choices.)

A. snowshoe spam
B. phishing attacks
C. DDoS attacks
D. MAC spoofing attacks
E. DNS poisoning attacks

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Cisco Email Security Appliance (ESA) is designed to protect against email threats, such as malware attachments, phishing scams, and spam. The Cisco Context
Adaptive Scanning Engine (CASE) on an ESA is a contextual analysis technology that is intended to detect email threats as they are received. CASE checks the
reputation of email senders, scans the content of email messages, and analyzes the construction of email messages. As part of this process, CASE submits the
email sender to the Cisco SenderBase Network, which contains data on hundreds of thousands of email networks. The sender is assigned a score based on this
information. The content of the email message is scanned because it could contain language, links, or a call to action that is indicative of a phishing scam.
Snowshoe spammers establish many false company names and identities, often with unique post office addresses and telephone numbers, so that reputation filters
do not perceive the source of the spam as a threat. In addition, the spam output is spread across multiple IP addresses and domain names in order to defeat
blacklists.
Phishing is a social engineering technique in which a malicious person uses a seemingly legitimate electronic communication, such as email or a webpage, in an
attempt to dupe a user into submitting personal information, such as a Social Security number (SSN), account login information, or financial information. To mitigate
the effects of a phishing attack, users should use email clients and web browsers that provide phishing filters. In addition, users should also be wary of any
unsolicited email or web content that requests personal information. The CASE on a Cisco ESA appliance is capable of detecting phishing scams.
The Cisco ESA CASE does not protect against Distributed Denial of Service (DDoS) attacks. A DDoS attack is a coordinated Denial of Service (DoS) attack that
uses multiple attackers to target a single host. For example, a large number of zombie hosts in a botnet could flood a target device with packets.
The Cisco ESA CASE does not protect against Media Access Control (MAC) spoofing attacks. A MAC spoofing attack uses the MAC address of another host on
the network in order to bypass port security measures.
The Cisco ESA CASE does not protect against Domain Name System (DNS) poisoning attacks. DNS poisoning is an attack that modifies the DNS cache by
providing invalid information. In a DNS poisoning attack, a malicious user attempts to exploit a DNS server by replacing the IP addresses of legitimate hosts with
the IP address of one or more malicious hosts.
Reference:
Cisco: Cisco Email Security Appliance Data Sheet
Spamhaus: Frequently Asked Questions (FAQ): Snowshoe Spamming

QUESTION 29
You are configuring dynamic PAT on a Cisco ASA 5500 using the CLI. The ASA is running software version 8.3.
Which of the following IP addresses must be configured within a network object or object group? (Select the best answer.)

A. inside global
B. outside global
C. inside local
D. outside local

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Of the available options, an inside local address must be configured within a network object or object group if you are configuring dynamic Port Address Translation
(PAT) on a Cisco Adaptive Security Appliance (ASA) 5500 using the command-line interface (CLI) if the ASA is running software version 8.3. A local address is a
source or destination IP address as seen from the perspective of a host on the inside network.
On a Cisco ASA, a network object is a data structure that is used in place of inline IP information. You might use a network object in place of configuring IP
addresses, subnet masks, protocols, and port numbers if you must configure that same information in multiple places. If the information you configure within the
object ever changes, you then need only modify the single object instead of locating and modifying each instance of the inline IP information.
An object group is simply a group of network objects. By grouping network objects, you can enable the use of a single application control engine (ACE) to make
requests of multiple devices.
An inside local address is an IP address that represents an internal host to the inside network. Inside local addresses are typically private IP addresses defined by
Request for Comments (RFC) 1918. When a NAT router receives a packet from a local host destined for the Internet, the router changes the inside local address
to an inside global address and forwards the packet to its destination.
You can configure an inside global address inline or as part of a network object or object group on an ASA running software version 8.3. An inside global address is
an IP address that represents an internal host to the outside network. Inside global addresses are typically public IP addresses assigned by the administrator of the
outside network.
You would not configure an outside global address in this scenario. An outside global address is an IP address that represents an external host to the outside
network. Outside global addresses are typically public IP addresses assigned to an Internet host by the host’s operator. The outside global address is usually the
address registered with the Domain Name System (DNS) server that maps a host’s public IP address to a friendly name, such as www.example.com.
You are not likely to configure an outside local address in this scenario. An outside local address is an IP address that represents an external host to the inside
network. The outside local address is often the same as the outside global address, particularly when inside hosts attempt to access resources on the Internet.
However, in some configurations, it is necessary to configure a NAT translation that allows a local address on the internal network to identify an outside host.
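The following ASA 8.3 object NAT configuration is an added example, not part of the exam explanation or of the Cisco configuration guide, showing where each address class from the explanation above ends up: the inside local addresses are the subnet inside the network object, and the inside global (mapped) address is either the outside interface address or a second network object holding a single host. The 10.1.1.0/24 and 10.1.2.0/24 inside subnets, the 203.0.113.10 public address and the object names are assumptions chosen for this example.

```cisco
! Added example (not from the exam explanation): dynamic PAT (hide) on an ASA
! running 8.3 object NAT. Subnets, the public address and object names are
! placeholders chosen for this example.
!
! The real (inside local) addresses are the subnet held in the network object ...
object network INSIDE-LAN
 subnet 10.1.1.0 255.255.255.0
 ! ... and the nat statement under that same object translates all of them to
 ! the outside interface address, sharing it through port translation
 nat (inside,outside) dynamic interface
!
! Variant: PAT to a dedicated public (inside global) address. The mapped
! address is itself a network object containing a single host.
object network PAT-ADDRESS
 host 203.0.113.10
object network INSIDE-SERVERS
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic PAT-ADDRESS
```

After the configuration is applied, show nat lists both object NAT rules with their translate_hits and untranslate_hits counters, and show xlate shows the active PAT entries with the real address and port on one side and the mapped address and port on the other, which is the quickest way to confirm which inside global address a given inside local host is currently hidden behind.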
Reference:
Cisco: Cisco ASA 5500 Series Configuration Guide Using the CLI, 8.3: Configuring Dynamic PAT (Hide)

QUESTION 30
Which of the following phishing techniques is most likely to occur as a result of DNS poisoning? (Select the best answer.)

A. vishing
B. pharming
C. whaling
D. dumpster diving

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Pharming is the phishing technique that is most likely to occur as a result of Domain Name System (DNS) poisoning. Phishing is a social engineering technique in
which a malicious person uses a seemingly legitimate electronic communication, such as email or a webpage, in an attempt to dupe a user into submitting personal
information, such as a Social Security number (SSN), account login information, or financial information. Pharming is used to retrieve sensitive information by
directing users to fake websites. Malicious users can direct users to fake websites through DNS poisoning or host file manipulation. Both DNS and host files are
used to cross-reference Uniform Resource Locators (URLs) and IP addresses. When a user specifies a URL, either a DNS server or the local host file converts it to
an IP address so that requests can be forwarded to the correct location. Both a DNS server and a host file can be altered so that users are directed to websites that
appear authentic but instead are used for malicious information gathering. These phony websites often ask users for passwords or other sensitive information. A
pharming attack is not effective unless a user voluntarily provides information to the website.
Whaling is a type of spear phishing attack used to retrieve sensitive information from high-ranking executives of a corporation. Spear phishing is a form of phishing
that targets specific individuals. Spear phishing is considered whaling when it specifically targets high-ranking executives of a corporation, such as chief executive
officers (CEOs) or chief financial officers (CFOs). To mitigate the effects of a phishing attack, users should use email clients and web browsers that provide
phishing filters. In addition, users should also be wary of any unsolicited email or web content that requests personal information.
Like whaling and pharming, vishing is another form of phishing that is used to obtain sensitive information. Vishing accomplishes its goal through the use of voice
communication networks. Perpetrators of vishing attacks use a variety of methods to retrieve information. For example, an attacker might spoof phone numbers of
legitimate businesses in order to deceive a victim. An attacker might also use a misleading voice or email message that instructs the potential victim to contact a
phony call center that is masked as a legitimate business. After telephone communications are established, the perpetrators will attempt to coax sensitive
information from users, such as credit card or bank account numbers.
Dumpster diving is an attack in which malicious users obtain information that has been thrown in the trash. Dumpster divers seek to recover discarded documents
that might contain sensitive information such as account login credentials, passwords, or bank account numbers. To prevent unauthorized users from obtaining
information from discarded documents, individuals and companies should shred documents containing confidential data before disposing of such documents.
Reference:
Cisco: Protect Against Social Engineering: Security Awareness Is a Vital Defense

QUESTION 31
The Serial 0/0 interfaces on Router1 and Router2 are directly connected on the 192.168.51.48/30 network. You issue the following commands on Router1:
interface serial 0/0
 ip ospf message-digest-key 1 md5 b0s0n
router ospf 1
 router-id 1.1.1.1
 network 10.10.10.0 0.0.0.255 area 1
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication

You issue the following commands on Router2:

interface serial 0/0
 ip ospf authentication-key b0s0n
router ospf 2
 router-id 2.2.2.2
 network 10.10.20.0 0.0.0.255 area 2
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication

Router1 and Router2 do not form an OSPF adjacency.

Which of the following is most likely the problem? (Select the best answer.)

A. an OSPF area mismatch
B. an OSPF authentication mismatch
C. an OSPF process ID mismatch
D. an OSPF router ID mismatch

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, a mismatched authentication type is most likely to be the cause of the problem in this scenario. A mismatched authentication key or a
mismatched authentication type could cause two Open Shortest Path First (OSPF) routers to not form an adjacency. In this scenario, the Serial 0/0 interface on
Router1 is configured to use a Message Digest 5 (MD5) authentication key of b0s0n. The Serial 0/0 interface on Router2, on the other hand, is configured to use a
plain-text authentication key of b0s0n. If the correct authentication type were configured between the Serial 0/0 interfaces on the routers, OSPF authentication
would succeed and an adjacency would be formed.
A mismatched process ID will not prevent an OSPF router from establishing an adjacency with a neighbor. An OSPF process ID is used to identify the OSPF
process only to the local router. In this scenario, the router ospf 1 command has been issued on Router1, which configures Router1 with an OSPF process ID of 1.
The router ospf 2 command has been issued on Router2, which configures Router2 with an OSPF process ID of 2.
An OSPF area mismatch is not the reason that Router1 and Router2 do not form an adjacency in this scenario. In order to establish an adjacency, OSPF routers
must be configured with the same area ID, Hello timer value, Dead timer value, and authentication password. In this scenario, the Serial 0/0 interface on Router1
has been configured to operate in area 0, which is also known as the backbone area. Similarly, the Serial 0/0 interface on Router2 has been configured to operate
in area 0.
OSPF router IDs should never match between routers. A router ID is a unique 32-bit identifier that resembles an IP address. A router ID conflict could cause routers
to not form an adjacency. If you do not manually configure a router ID on an OSPF router, then the router ID is the highest IP address configured among loopback
interfaces on the router, even if a physical interface is configured with a higher IP address. Cisco recommends using a loopback interface instead of a physical
interface for the router ID; a loopback interface is never in the down state, thus OSPF is considered to be more stable when the router ID is configured from the IP
address of a loopback interface. In this scenario, the router IDs on Router1 and Router2 have been manually configured by using the router-id ip-address command.
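The corrected configuration for the scenario, as an added example that is not part of the exam explanation or of the Cisco sample configuration: both routers authenticate area 0 with MD5, using the same key ID and the same key string on the shared Serial 0/0 link. This goes slightly beyond the scenario by enabling message-digest authentication for area 0 on both sides (the area 0 authentication message-digest command), since a message-digest-key alone does not turn MD5 authentication on. Router IDs, networks, key ID 1 and the key b0s0n are taken from the question; the rest is assumed for this example.

```cisco
! Added example (not from the exam explanation): MD5 authentication configured
! consistently on both routers so that the area 0 adjacency forms. Values come
! from the scenario; the area-level message-digest command is the addition.
!
! Router1
interface Serial0/0
 ip ospf message-digest-key 1 md5 b0s0n
router ospf 1
 router-id 1.1.1.1
 network 10.10.10.0 0.0.0.255 area 1
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication message-digest
!
! Router2: the plain-text authentication-key is replaced by an MD5 key with the
! same key ID and the same key string as Router1. Key ID and key string must
! both match, because the key ID is carried in the OSPF header and selects the
! key the neighbor uses to verify the digest.
interface Serial0/0
 ip ospf message-digest-key 1 md5 b0s0n
router ospf 2
 router-id 2.2.2.2
 network 10.10.20.0 0.0.0.255 area 2
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication message-digest
```

On either router, show ip ospf interface Serial0/0 should then report "Message digest authentication enabled" with "Youngest key id is 1", and show ip ospf neighbor should list the peer in the FULL state; if the neighbor is missing, debug ip ospf adj reports an authentication type or key mismatch explicitly, which is the fastest way to tell the two causes named in the explanation apart.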
Reference:
Cisco: Sample Configuration for Authentication in OSPF: Configurations for Plain Text Authentication

QUESTION 32
In which of the following authentication protocols is support for TLS 1.2 specifically required? (Select the best answer.)

A. EAP-FASTv1
B. EAP-FASTv2
C. EAP-MD5
D. EAP-TLS
E. EAP-PEAP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, only Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling Version 2 (EAP-FASTv2) is specifically required to
support Transport Layer Security (TLS) 1.2. EAP-FAST is an authentication protocol that can be used for point-to-point connections and for both wired and wireless
links. EAP-FAST Version 1 (EAP-FASTv1) supported TLS 1.0 and higher. However, EAP-FASTv2 made support of TLS 1.2 a requirement, thereby providing
EAP-FASTv2 with a stronger encryption algorithm than EAP-FASTv1.
EAP-Transport Layer Security (EAP-TLS) does not specifically require support for TLS 1.2, although EAP-TLS is designed to support TLS 1.0 and higher. EAP-TLS
is an Internet Engineering Task Force (IETF) standard that is defined in Request for Comments (RFC) 5216.
Protected EAP (PEAP) does not specifically require support for TLS 1.2. PEAP is an open standard developed by Cisco, Microsoft, and RSA. PEAP and other later
variants of EAP, such as EAP-TLS and EAP-Tunneled TLS (EAP-TTLS), are replacing Lightweight EAP (LEAP). PEAP supports TLS 1.0 and higher.
EAP Message Digest 5 (EAP-MD5) does not specifically require support for TLS 1.2. EAP-MD5 uses an MD5 hash function to provide security and is therefore
considered weak when compared to later methods. EAP is an IETF standard that was originally defined in RFC 2284. EAP-MD5 does not support TLS at all.
Reference:
IETF: Flexible Authentication via Secure Tunnel Extension Authentication Protocol (EAP-FAST) Version 2: 1.2. Major Differences from Version 1

QUESTION 33
Router2 is configured to obtain time from three different NTP servers. You want to determine from which of the three servers Router2 is currently synchronizing
time.
Which of the following commands would not achieve your goal? (Select the best answer.)

A. show clock detail
B. show ntp associations
C. show ntp associations detail
D. show ntp status

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, only the show clock detail command would not enable you to determine from which of the three Network Time Protocol (NTP) servers
Router2 is synchronizing time. The show clock detail command displays the date and time as it is configured on the device and general information about the
source of the configuration. However, this command does not reveal the IP address or NTP peer status of an NTP source. The following is sample output from the
show clock detail command:
Router2#show clock detail
09:12:20.299 UTC Sat Jul 4 2015

Time source is NTP
The show ntp associations command and the show ntp associations detail command would both enable you to determine from which of the three NTP servers
Router2 is synchronizing time. The show ntp associations command displays both the address of the NTP server from which the client obtains its time and the
address of the reference clock to which the NTP server is synchronized. When issued with the detail keyword, you can additionally determine the IP address of the
NTP peer from which time was synchronized, the NTP source authentication status, the NTP hierarchical status of the server from which time was obtained,
whether the NTP peer passes basic sanity checks, whether NTP believes the time is valid, and the stratum of the NTP peer. The following is sample output from
both the show ntp associations command and the show ntp associations detail command:

The presence of our_master in the output of the show ntp associations detail command indicates the status of the device at the NTP peer IP address of
203.0.113.1. Similarly, the asterisk (*) in the output of the show ntp associations command indicates that Router2’s NTP master is the device with the IP address of
203.0.113.1.
The show ntp status command would enable you to determine from which of the three NTP servers Router2 is synchronizing time. The show ntp status command
displays no information when NTP is not running on a device. When NTP is running, the show ntp status command provides information about whether the local
clock is synchronized, the local clock’s stratum level, and the IP address of the NTP peer that the local device is using as a reference clock. The following is sample
output from the show ntp status command:

Reference:
Cisco: Cisco IOS Basic System Management Command Reference: show clock
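The asterisk tally described above is what a script should key on. The following Python parser is an added example, not code from the original page or from Cisco's documentation: it runs over a constructed listing in the show ntp associations layout (the page's own exhibit is not reproduced) and reports the peer Router2 is synchronized to, plus any configured peer that never answered (reach 0) or is not itself synchronized (stratum 16). The sample output, the addresses and the function names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed output in the Cisco IOS "show ntp associations" layout; it is not
# the page's exhibit. Router2 has three configured servers (the "~" column).
SAMPLE_ASSOCIATIONS = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~203.0.113.1     .GPS.            1     12     64   377   1.234   0.456   0.789
+~203.0.113.2     203.0.113.1      2     45     64   377   2.345  -0.123   1.234
 ~203.0.113.3     .INIT.          16      -     64     0   0.000   0.000  16000.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# Column 1 is the tally code, column 2 is "~" for a configured peer, then the
# address, reference clock, stratum, when, poll and the octal reach register.
_ROW = re.compile(
    r"^(?P<tally>[*#+x\- ])(?P<cfg>[~ ])(?P<addr>\S+)\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)"
)


def parse_associations(output: str) -> List[Dict]:
    """Turn the association table into one dict per peer; header and legend are skipped."""
    peers = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        peers.append({
            "address": m["addr"],
            "tally": m["tally"],
            "configured": m["cfg"] == "~",
            "ref_clock": m["ref"],
            "stratum": int(m["st"]),
            "reach": int(m["reach"], 8),  # 377 octal = last eight polls all answered
        })
    return peers


def sync_source(output: str) -> Optional[str]:
    """Address of the peer the router is actually synchronized to (tally '*', sys.peer)."""
    for peer in parse_associations(output):
        if peer["tally"] == "*":
            return peer["address"]
    return None  # clock is free-running or still in its initial polls


def unreachable_peers(output: str) -> List[str]:
    """Configured peers that never answered (reach 0) or are themselves unsynchronized (stratum 16)."""
    return [p["address"] for p in parse_associations(output)
            if p["configured"] and (p["reach"] == 0 or p["stratum"] >= 16)]


if __name__ == "__main__":
    print("synchronized to:", sync_source(SAMPLE_ASSOCIATIONS))
    print("unreachable:", unreachable_peers(SAMPLE_ASSOCIATIONS))
```

A peer that shows up as unreachable here is the first thing to check when the asterisk is missing altogether; whether the source is authenticated is only visible in the detail form of the command, which this parser does not cover.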

QUESTION 34
Which of the following indicates that aggressive mode ISAKMP peers have created SAs? (Select the best answer.)

A. AG_NO_STATE
B. MM_NO_STATE
C. AG_AUTH
D. MM_KEY_AUTH
E. QM_IDLE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, the AG_NO_STATE state is most likely to indicate that aggressive mode Internet
Security Association and Key Management Protocol (ISAKMP) peers have created security associations (SAs). The show crypto isakmp sa command displays the
status of current IKE SAs on the router. The following states are used during aggressive mode:
- AG_NO_STATE - The peers have created the SA.
- AG_INIT_EXCH - The peers have negotiated SA parameters and exchanged keys.
- AG_AUTH - The peers have authenticated the SA.

The MM_NO_STATE state is the first state to occur when setting up Internet Key Exchange (IKE) SAs in main mode. MM_NO_STATE indicates that the ISAKMP
peers have created their SAs. However, an exchange that does not move past this stage indicates that main mode has failed, commonly because the peer is
unreachable or because no IKE phase 1 policy matched. The following states are used during main mode:
- MM_NO_STATE - The peers have created the SA.
- MM_SA_SETUP - The peers have negotiated SA parameters.
- MM_KEY_EXCH - The peers have exchanged Diffie-Hellman (DH) keys and have generated a shared secret.
- MM_KEY_AUTH - The peers have authenticated the SA.
Quick mode is used during IKE phase 2. The only state in quick mode is QM_IDLE, which indicates that IKE phase 1 has completed successfully and that there is
an active IKE SA between the peers that can be used to negotiate IPSec SAs.
Reference:
Cisco: Most Common DMVPN Troubleshooting Solutions
Cisco: Cisco IOS Security Command Reference: show crypto isakmp sa
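The state tables above are easy to misread under pressure, so here is an added Python example (not code from the page or from Cisco) that parses a constructed listing in the show crypto isakmp sa layout, tells main mode, aggressive mode and quick mode apart, and separates established SAs from ones still negotiating. The per-state diagnostic hints are general troubleshooting guidance added here; the peer addresses, connection IDs and function names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed "show crypto isakmp sa" output in the Cisco IOS layout (not from the
# page); four peers caught at different points of the exchange.
SAMPLE_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     198.51.100.1    QM_IDLE           1001 ACTIVE
203.0.113.3     198.51.100.1    MM_NO_STATE       1002 ACTIVE (deleted)
203.0.113.4     198.51.100.1    AG_INIT_EXCH      1003 ACTIVE
203.0.113.5     198.51.100.1    MM_KEY_EXCH       1004 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# State sequences as the page lists them; the hints are added guidance, not page text.
MAIN_MODE = ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH"]
AGGRESSIVE_MODE = ["AG_NO_STATE", "AG_INIT_EXCH", "AG_AUTH"]
STATE_NOTES = {
    "MM_NO_STATE": "SA created only; stuck here usually means peer unreachable or no matching IKE policy",
    "MM_SA_SETUP": "IKE policy agreed, keys not yet exchanged",
    "MM_KEY_EXCH": "DH exchange done; stuck here usually means a pre-shared key or authentication mismatch",
    "MM_KEY_AUTH": "peers authenticated; phase 1 complete",
    "AG_NO_STATE": "SA created only; first aggressive-mode message sent or received",
    "AG_INIT_EXCH": "parameters and keys exchanged, not yet authenticated",
    "AG_AUTH": "peers authenticated; phase 1 complete",
    "QM_IDLE": "phase 1 complete and SA idle; ready to negotiate IPsec SAs",
}

_ROW = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<conn>\d+)\s+(?P<status>.+?)\s*$"
)


def mode_of(state: str) -> str:
    """Main mode, aggressive mode, or quick mode (phase 2) for a given state string."""
    if state == "QM_IDLE":
        return "quick"
    return "main" if state in MAIN_MODE else "aggressive"


def parse_isakmp_sa(output: str) -> List[Dict]:
    """One dict per SA row; the banner, header and blank lines do not match the row pattern."""
    sas = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if not m or m["state"] not in STATE_NOTES:
            continue
        sas.append({"dst": m["dst"], "src": m["src"], "state": m["state"],
                    "conn_id": int(m["conn"]), "status": m["status"]})
    return sas


def established_peers(output: str) -> List[str]:
    """Peers with a usable phase 1 SA (QM_IDLE)."""
    return [sa["dst"] for sa in parse_isakmp_sa(output) if sa["state"] == "QM_IDLE"]


def stalled_peers(output: str) -> List[Tuple[str, str, str, str]]:
    """Peers still in phase 1, with mode, raw status and the hint for that state."""
    return [(sa["dst"], mode_of(sa["state"]), sa["status"], STATE_NOTES[sa["state"]])
            for sa in parse_isakmp_sa(output) if sa["state"] != "QM_IDLE"]


if __name__ == "__main__":
    print("established:", established_peers(SAMPLE_ISAKMP_SA))
    for dst, mode, status, hint in stalled_peers(SAMPLE_ISAKMP_SA):
        print(f"{dst}: {mode} mode, {status}: {hint}")
```

A status of ACTIVE (deleted) on a row that never left MM_NO_STATE is the classic signature of a phase 1 proposal mismatch: the SA was created, the peer rejected the proposal, and the router is tearing it down.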

QUESTION 35
Which of the following is least likely to be considered an advanced persistent threat? (Select the best answer.)

A. Operation Aurora
B. Heartbleed
C. the 2011 RSA breach
D. Stuxnet

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available options, Heartbleed is least likely to be considered an advanced persistent threat. An advanced persistent threat is an intrusion in which the
attacker has advanced knowledge of intrusion tools and techniques, is fully intent on using the intrusion to achieve a specific mission or goals, and has
organizational backing, funding, and motivation. For example, an attacker who obtains access to an organization's network and remains there for an extended
period of time to collect data that can then be used to the attacker's advantage can be considered an advanced persistent threat.
Heartbleed is a vulnerability, not an advanced persistent threat. Heartbleed is the OpenSSL vulnerability (CVE-2014-0160) that allows an attacker to read up to
approximately 64 kilobytes (KB) of a peer's process memory per malformed TLS heartbeat request, and the request can be repeated as often as the attacker likes.
The Heartbleed bug, which was disclosed in 2014, was a missing bounds check in the heartbeat extension that was present in OpenSSL from version 1.0.1 through
version 1.0.1f; OpenSSL 1.0.1g was the first version to fix it. The leaked memory can contain session cookies, credentials, and in some cases the server's private
key, which could in turn allow the attacker to decrypt captured communications with the server or perform man-in-the-middle attacks against the server. Although
Heartbleed could be used as a component of an attack by an advanced persistent threat, it is not itself an advanced persistent threat.
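The missing bounds check just described, as an added Python model that is neither OpenSSL's code nor anything from the page: a heartbeat record is placed in a constructed byte buffer with a placeholder secret behind it, the pre-1.0.1g style handler copies as many bytes as the attacker's length field claims, and the 1.0.1g style handler discards any request whose claimed length does not fit inside the record it arrived in. The buffer layout, the placeholder secret, the 4000-byte claim and the function names are assumptions.

```python
import struct

HB_REQUEST = 1
PADDING = 16  # OpenSSL pads every heartbeat message with at least 16 bytes

# Constructed stand-in for whatever happened to sit next to the record in the heap.
SECRET = b"-----BEGIN RSA PRIVATE KEY----- (constructed placeholder, not a real key)"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """TLS heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding.
    An honest client sets claimed_length == len(payload); an attacker does not."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def vulnerable_handler(memory: bytes, record_length: int) -> bytes:
    """Pre-1.0.1g behaviour: the payload_length field is trusted and that many bytes
    are copied out of the record buffer into the response, whatever follows it."""
    hb_type, claimed = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    # In C this is memcpy(bp, pl, payload): the read runs past the 21-byte record into
    # adjacent heap memory. The Python slice simply keeps going through `memory`.
    return memory[3:3 + claimed]


def fixed_handler(memory: bytes, record_length: int) -> bytes:
    """1.0.1g behaviour: the claimed payload plus padding must fit inside the record."""
    if record_length < 1 + 2 + PADDING:
        return b""                                  # silently discard, too short
    hb_type, claimed = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    if 1 + 2 + claimed + PADDING > record_length:
        return b""                                  # silently discard, length lies
    return memory[3:3 + claimed]


def leaked_bytes(handler, payload: bytes = b"hi", claimed: int = 4000) -> bytes:
    """Bytes the handler echoes back beyond the sender's real payload."""
    record = build_heartbeat(payload, claimed)
    memory = record + SECRET + b"\x00" * 4096     # constructed heap: record, then leftovers
    return handler(memory, len(record))[len(payload):]


if __name__ == "__main__":
    print("vulnerable handler leaks the secret:", SECRET in leaked_bytes(vulnerable_handler))
    print("fixed handler leaks the secret:     ", SECRET in leaked_bytes(fixed_handler))
```

The honest case is worth keeping in mind when reading the fix: with claimed equal to the real payload length both handlers return exactly the payload, which is why the bug survived two years of normal use.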
Operation Aurora could be considered an advanced persistent threat. Operation Aurora was a months-long attack in 2009 that was carried out against multiple
companies, including Google and Adobe; it began with a targeted spear-phishing email. The email delivered malware that exploited an Internet Explorer
vulnerability to obtain access to the contents of partially freed memory. After compromising company workstations, the attackers used those workstations to
obtain access to other company resources and information, which eventually resulted in the loss of intellectual property. The attack was eventually traced to two
Chinese educational institutions that were thought to have ties to a Google competitor in China.
The 2011 RSA breach could be considered an advanced persistent threat. The RSA breach was an attack against RSA's SecurID two-factor authentication system.
Similar to Operation Aurora, the 2011 RSA breach began with a targeted phishing email that contained a Microsoft Excel attachment. The Excel attachment
contained a zero-day exploit that installed a back door on a user's workstation. From there, the attacker compromised other workstations in what appeared to be
an effort to retrieve information related to SecurID, such as source code or customer information.
Stuxnet is more likely than Heartbleed to be considered an advanced persistent threat. Stuxnet was used in an act of cyber warfare against Iranian industrial
control systems (ICSs). It was written to target specific ICSs by modifying code on programmable logic controllers (PLCs). Stuxnet initially exploited vulnerabilities
in the printer spooler service; later variants also exploited a vulnerability in the way that Windows processes shortcuts (.lnk files). Research from Symantec
published in 2011 indicated that at the time, over 60 percent of the Stuxnet-affected hosts had been in Iran. Symantec analyzed Stuxnet and its variants and
discovered that five organizations were the primary targets of infection and that further infections were likely collateral damage from the aggressive manner in
which the worm spreads throughout a network. Given the considerable cost in resources and man-hours that would have been required to craft the Stuxnet worm,
it was theorized that it was likely intended to sabotage high-value targets such as nuclear materials refinement facilities.
Reference:
SANS: Assessing Outbound Traffic to Uncover Advanced Persistent Threat (PDF)
Security Tracker: Cisco Unified Communications Manager OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
National Vulnerability Database: Vulnerability Summary for CVE20140160

Common Vulnerabilities and Exposures: CVE20140160

QUESTION 36
Which of the following best describes the purpose of SNMP? (Select the best answer.)

A. to manage network devices
B. to send email
C. to create VPNs
D. to transfer files

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Simple Network Management Protocol (SNMP) is used to manage network devices. SNMP can be used to remotely monitor and configure a wide variety of
network devices, such as routers, switches, and network printers. SNMP version 1 (SNMPv1) and SNMPv2c use community strings to provide authentication.
However, neither SNMPv1 nor SNMPv2c uses encryption; all data and community strings are sent in clear text. A malicious user can sniff an SNMP community
string and use it to read device data and, if the string grants read-write access, modify network devices. SNMPv3 is an enhancement to the SNMP protocol that
adds user-based authentication and, at its authPriv security level, encryption, thereby providing confidentiality, integrity, and authentication.
SNMP is not used to send email. Simple Mail Transfer Protocol (SMTP) is used to send email. Post Office Protocol 3 (POP3) and Internet Message Access
Protocol 4 (IMAP4) are used to receive email.
SNMP is not used to create virtual private networks (VPNs). To create a VPN, you would typically use a protocol that can encrypt the data on the virtual network,
such as IP Security (IPSec). A VPN is often used when it is necessary to connect two locations that are separated by a public network, such as the Internet.
SNMP is not used to transfer files. To transfer files between computers, you should use File Transfer Protocol (FTP), Trivial FTP (TFTP), or Secure FTP (SFTP).
Reference:
Cisco: Simple Network Management Protocol: Versions of SNMP

QUESTION 37
You create a static point-to-point VTI tunnel on RouterA. Afterward, you issue the show running-config command and receive the following output:

Which of the following is the authentication transform that will be used by the static VTI tunnel? (Select the best answer.)

A. ESP with 128-bit AES
B. ESP with 256-bit AES
C. ESP with 56-bit DES
D. ESP with 168-bit 3DES
E. ESP with MD5
F. ESP with SHA
G. AH with MD5
H. AH with SHA

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The static virtual tunnel interface (VTI) tunnel will use Encapsulating Security Payload (ESP) with Secure Hash Algorithm (SHA) as the authentication transform, as
indicated by the crypto ipsec transform-set command. The syntax of the crypto ipsec transform-set command is crypto ipsec transform-set transform-name
transform1 [transform2] [transform3] [transform4]. Up to four transforms can be specified in an IP Security (IPSec) transform set: one ESP authentication
transform, one authentication header (AH) transform, one ESP encryption transform, and one IP compression transform.
ESP can use the Message Digest 5 (MD5) and SHA algorithms for authentication. The following keywords can be used to specify the ESP authentication transform:
- esp-md5-hmac
- esp-sha-hmac

AH can also use the MD5 and SHA algorithms for authentication. The following keywords can be used to specify the AH transform:

- ah-md5-hmac - uses AH with MD5
- ah-sha-hmac - uses AH with SHA

ESP can use the following encryption methods:
- 128-bit, 192-bit, and 256-bit Advanced Encryption Standard (AES)
- 56-bit Data Encryption Standard (DES)
- 168-bit Triple DES (3DES)
- 160-bit Software-optimized Encryption Algorithm (SEAL)
- Null encryption

The following keywords can be used to specify the ESP encryption transform:
- esp-aes (128-bit AES when no key size is given)
- esp-aes 192
- esp-aes 256
- esp-des
- esp-3des
- esp-seal
- esp-null

The Lempel-Ziv-Stac (LZS) algorithm is the only IP compression method that can be used in an IPSec transform set. To configure a transform set to use LZS IP
compression, you should use the comp-lzs keyword.
Of these keywords, esp-des, esp-3des, esp-md5-hmac, and ah-md5-hmac select algorithms that Cisco's Next Generation Encryption guidance treats as legacy and
recommends against for new deployments, and esp-null provides integrity only, with no confidentiality. A transform set such as esp-aes 256 esp-sha-hmac is the
conservative choice for the IOS versions this exam covers.
Reference:
Cisco: Cisco IOS Security Command Reference: crypto ipsec transformset
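Reading transform sets out of a configuration by eye does not scale, so here is an added Python example (not code from the page or from Cisco) that parses crypto ipsec transform-set lines from a constructed running-config excerpt (the page's exhibit is not reproduced), resolves each set into its ESP encryption, ESP authentication, AH and compression transforms, and flags the weak choices the explanation lists: DES, 3DES, SEAL, null encryption, MD5 HMAC, and a set with no integrity transform at all. The keyword table is the one given above; the set names, the config lines and the finding texts are assumptions.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt; not the page's exhibit.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TS-LEGACY esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set TS-STRONG esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set TS-AUTHONLY esp-null esp-sha-hmac
crypto ipsec transform-set TS-AH ah-sha-hmac esp-aes
crypto ipsec transform-set TS-NOAUTH esp-aes 192 comp-lzs
"""

# Keyword classes from the command reference as summarized above.
ESP_ENCRYPTION = {"esp-aes", "esp-des", "esp-3des", "esp-seal", "esp-null"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac"}
COMPRESSION = {"comp-lzs"}
FIXED_KEY_BITS = {"esp-des": 56, "esp-3des": 168, "esp-seal": 160, "esp-null": 0}


def parse_transform_sets(config: str) -> Dict[str, Dict]:
    """Map each transform-set name to its resolved transforms and key size."""
    sets: Dict[str, Dict] = {}
    for line in config.splitlines():
        m = re.match(r"^crypto ipsec transform-set (\S+)\s+(.+)$", line.strip())
        if not m:
            continue  # "mode tunnel" and other sub-mode lines are not transform lists
        name, tokens = m.group(1), m.group(2).split()
        ts = {"encryption": None, "bits": None, "esp_auth": None, "ah": None,
              "compression": None, "unknown": []}
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in ESP_ENCRYPTION:
                ts["encryption"] = tok
                if tok == "esp-aes":
                    ts["bits"] = 128  # bare esp-aes means 128-bit AES
                    if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                        i += 1        # consume the optional "192" / "256" token
                        ts["bits"] = int(tokens[i])
                else:
                    ts["bits"] = FIXED_KEY_BITS[tok]
            elif tok in ESP_AUTH:
                ts["esp_auth"] = tok
            elif tok in AH_AUTH:
                ts["ah"] = tok
            elif tok in COMPRESSION:
                ts["compression"] = tok
            else:
                ts["unknown"].append(tok)  # newer IOS keywords this table does not know
            i += 1
        sets[name] = ts
    return sets


def audit(config: str) -> Dict[str, List[str]]:
    """Findings per transform set; an empty list means nothing to report."""
    findings: Dict[str, List[str]] = {}
    for name, ts in parse_transform_sets(config).items():
        issues = []
        enc = ts["encryption"]
        if enc == "esp-des":
            issues.append("56-bit DES encryption is obsolete; use AES")
        elif enc == "esp-3des":
            issues.append("168-bit 3DES encryption is legacy; prefer AES")
        elif enc == "esp-seal":
            issues.append("SEAL encryption is non-standard; prefer AES")
        elif enc == "esp-null":
            issues.append("esp-null gives no confidentiality (integrity only)")
        if "md5" in (ts["esp_auth"] or "") or "md5" in (ts["ah"] or ""):
            issues.append("MD5 HMAC is weak; use esp-sha-hmac or ah-sha-hmac")
        if ts["esp_auth"] is None and ts["ah"] is None:
            issues.append("no integrity transform: ESP without an HMAC and no AH")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Tokens the table does not recognize land in the unknown list rather than being silently ignored, which matters on newer IOS releases that add transforms beyond the ones listed on this page.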

QUESTION 38
To ease administrative overhead, you want to add a third party feed to a Security Intelligence device so that the IP addresses of known malicious hosts are
automatically blacklisted. However, you have not determined whether the feed is valid.
Which of the following are you most likely to do? (Select the best answer.)

A. Implement the feed, and add IP addresses to a custom whitelist as necessary.
B. Enforce Security Intelligence filtering by Security Zone.
C. Configure the monitor-only setting, and examine the logs.
D. Configure a custom blacklist that contains only malicious IP addresses.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Most likely, you will configure the monitor-only setting and examine the logs if you want to add a third-party feed to a Security Intelligence device but you have not
determined whether the feed is valid. Security Intelligence devices, such as a Cisco Sourcefire Intrusion Prevention System (IPS), are capable of accepting
manually imported lists of network addresses or feeds from third parties. Such devices can block IP addresses or networks based on their reputation, which
reduces device overhead because traffic from those networks no longer has to be analyzed.
The monitor-only setting allows traffic from networks that are listed within a given feed to pass through to normal analysis by the Security Intelligence device but
also logs the fact that the given network matches the third-party feed. This enables an administrator to review the logs and the analysis of traffic from networks on
the feed to determine the validity of the feed before any traffic is actually dropped.
Although you could implement the feed and add IP addresses to a custom whitelist as necessary, doing so might increase administrative overhead if the feed turns
out to be invalid. On Security Intelligence devices, whitelists can be used to override blacklisted IP addresses. Whitelists can thus be used to enable communication
with legitimate IP addresses that are listed on third-party feeds or other blacklists that might be too broadly defined. From an administrative overhead standpoint,
you are more likely to validate the feed, then implement the feed, and finally add IP addresses or networks to the whitelist as necessary.
You are less likely to enforce Security Intelligence filtering by Security Zone than to configure the monitor-only setting in this scenario, because doing so would
neither validate nor invalidate the IP addresses that are contained on the third-party feed. Enforcing blacklisting by security zone can be used to enhance the
performance of a Security Intelligence device by limiting the blacklisting to the specific security zones that process the given traffic. For example, the blacklisting
of IP addresses that send email traffic could be restricted to a Security Zone that handles only email traffic.
You are not likely to configure a custom blacklist that contains only malicious IP addresses, because doing so defeats the purpose of easing administrative
overhead in this scenario. Security Intelligence devices allow the creation of custom blacklists so that you can manually block specific IP addresses or networks.
However, compiling and validating such a list would require more administrative overhead in this scenario than simply validating a third-party feed prior to
implementing it.
Reference:
Cisco: Blacklisting Using Security Intelligence IP Address Reputation: Choosing a Security Intelligence Strategy
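The monitor-only dry run described above can be rehearsed offline before the feed goes anywhere near the device. The following Python example is added here and is not code from the page or from Cisco: it loads a constructed feed, reports entries that are malformed or that overlap address space you own (the two ways a bad feed bites first), then replays constructed connection records against the feed with a whitelist override and records what would have been blocked without blocking anything. The feed contents, the connection records, the whitelist and the function names are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed third-party feed text (not a real feed). Two entries are deliberately
# bad: one overlaps address space we own, one is not an address at all.
SAMPLE_FEED = """\
# constructed-feed v1
198.51.100.0/24
203.0.113.7
10.0.0.0/8
300.1.1.1
"""

# Constructed connection log: (source IP, destination IP) as the device would see them.
SAMPLE_CONNECTIONS = [
    ("198.51.100.23", "192.0.2.10"),  # inside a /24 on the feed
    ("203.0.113.7", "192.0.2.10"),    # on the feed, but a whitelisted partner
    ("10.20.30.40", "192.0.2.10"),    # internal host caught by the bad 10/8 entry
    ("192.0.2.55", "192.0.2.10"),     # not on the feed
]
WHITELIST = ["203.0.113.7"]                     # assumed legitimate partner
OWN_NETWORKS = ["10.0.0.0/8", "192.0.2.0/24"]   # assumed address space we own


def load_feed(text: str, own_networks: List[str]) -> Tuple[list, List[str]]:
    """Parse feed entries; return usable networks plus problems to raise with the vendor."""
    own = [ipaddress.ip_network(n) for n in own_networks]
    networks, problems = [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # host entries become /32
        except ValueError:
            problems.append(f"malformed entry: {entry}")
            continue
        if any(net.overlaps(o) for o in own):
            problems.append(f"entry {net} overlaps address space we own")
        networks.append(net)  # kept so the dry run shows what it would have blocked
    return networks, problems


def evaluate(networks, whitelist: List[str], connections) -> List[Dict]:
    """Monitor-only dry run: decide per connection, block nothing, record the verdict."""
    allow = [ipaddress.ip_network(w) for w in whitelist]
    results = []
    for src, dst in connections:
        ip = ipaddress.ip_address(src)
        if any(ip in w for w in allow):
            verdict = "whitelisted"      # whitelist overrides the blacklist
        elif any(ip in n for n in networks):
            verdict = "would-block"
        else:
            verdict = "allow"
        results.append({"src": src, "dst": dst, "verdict": verdict})
    return results


def summary(results: List[Dict]) -> Dict[str, int]:
    """Verdict counts, the number an administrator would compare against expectations."""
    counts: Dict[str, int] = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    nets, problems = load_feed(SAMPLE_FEED, OWN_NETWORKS)
    for p in problems:
        print("feed problem:", p)
    res = evaluate(nets, WHITELIST, SAMPLE_CONNECTIONS)
    for r in res:
        print(r["src"], "->", r["dst"], r["verdict"])
    print(summary(res))
```

A feed that would have blocked an internal host, as the 10.0.0.0/8 entry does here, is exactly what the monitor-only phase is meant to catch before enforcement is switched on.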

QUESTION 39
Which of the following is primarily true of SEM systems? (Select the best answer.)

A. They perform real-time analysis and detection.
B. They focus on policy and standards compliance.
C. They consolidate logs to a central server.
D. They analyze log data and report findings.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Security Event Management (SEM) systems perform real-time analysis and detection. SEM systems typically analyze log data from a number of sources as it
arrives. Some systems also incorporate incident handling tools that enable administrators to more effectively mitigate threats when they occur.
Security Information Management (SIM) systems, on the other hand, are focused more on the collection and analysis of logs in a non-real-time fashion. For example,
a SIM system might centralize logging on a single device for review and analysis. Some SIM systems also provide assessment tools that can flag potentially
threatening events.
A Security Information and Event Management (SIEM) system combines both the real-time aspects of a SEM system and the in-depth analysis and timeline
generation of a SIM system. Therefore, a SIEM system is a hybrid of a SIM system and a SEM system.
Reference:
SANS: IDFAQ: What is The Role of a SIEM in Detecting Events of Interest?
Search Security: Tech Target: security information and event management (SIEM)

QUESTION 40
You want to configure Cisco ISE as a SCEP proxy to a Microsoft Windows 2008 R2 Server root CA. Which of the following also needs to be configured? (Select the
best answer.)


A. AD on the CA
B. a root CA on the Cisco ISE
C. a manually installed certificate on the connecting BYOD device
D. NDES on a CA or domain member server

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Microsoft Network Device Enrollment Service (NDES) on a certificate authority (CA) or domain member server also needs to be configured if you want to configure
Cisco Identity Services Engine (ISE) as a Simple Certificate Enrollment Protocol (SCEP) proxy to a Microsoft Windows 2008 R2 Server root CA.
Implementing ISE as a SCEP proxy enables bring your own device (BYOD) users to register their devices on their own, without administrative overhead from the IT
department.
You are not required to configure a root CA on the Cisco ISE. Configuring ISE as a SCEP proxy indicates that ISE communicates with the CA on the behalf of its
client devices. However, the ISE does need to be configured with a SCEP CA profile. When configured with a SCEP CA profile, the ISE will contain a SCEP NDES
server registration authority (RA) certificate in the Certificate Store. RAs verify requests for certificates and enable the CA to issue them.
You are not required to configure Active Directory (AD) on the CA. AD is typically configured on domain controllers, although member servers and workstations can
connect to the AD domain.
You are not required to manually install a certificate on the connecting BYOD device. Manually installing a client certificate on the BYOD device would defeat the
purpose of configuring the ISE as a SCEP proxy, because administrative intervention would be required.
Reference:

Cisco: ISE SCEP Support for BYOD Configuration Example: Background Information

QUESTION 41
You issue the following commands on a Cisco router:
tacacs-server host ts1 single-connection timeout 20
tacacs-server timeout 30

Which of the following are true about how the Cisco router communicates with the TACACS+ server? (Select 2 choices.)

A. The router will maintain an open TCP connection.
B. The router will maintain an open TCP connection for no more than 20 seconds.
C. The router will maintain an open TCP connection for no more than 30 seconds.
D. The router will wait 20 seconds for the server to reply before declaring an error.
E. The router will wait 30 seconds for the server to reply before declaring an error.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The router will maintain an open Transmission Control Protocol (TCP) connection. In addition, the router will wait 20 seconds for the server to reply before declaring
an error. The tacacs-server host ts1 single-connection timeout 20 command in this scenario configures a router to connect to a Terminal Access Controller Access
Control System Plus (TACACS+) server named ts1. The single-connection keyword configures the router to maintain an open connection to the TACACS+ server.
The timeout 20 keyword configures the router to wait 20 seconds for the TACACS+ server to reply before declaring an error with the connection.
The router will not wait 30 seconds for the server to reply before declaring an error. The tacacs-server host ts1 single-connection timeout 20 command in this
scenario configures the router to wait only 20 seconds for the server to reply before declaring an error. If the timeout 20 keyword had not been specified in this
scenario, the tacacs-server timeout 30 command would have configured the router to wait 30 seconds for the server to reply before declaring an error. The
per-host timeout 20 keyword in this scenario overrides the global value assigned by the tacacs-server timeout command.
The router will maintain an open connection for an indeterminate amount of time, not for a 20-second or 30-second interval. When the single-connection keyword is
not configured, a Cisco router opens and closes a TCP connection to the TACACS+ server each time it needs to perform an operation. When the
single-connection keyword is configured, the router connects to the TACACS+ server and maintains that connection even when it is not performing an operation.
This setting improves the efficiency of the communications between the router and the TACACS+ server because the router does not have to constantly open
and close connections; the TACACS+ server must also support single-connection mode for the setting to take effect.
Reference:
Cisco: Configuring TACACS+: Identifying the TACACS+ Server Host

QUESTION 42
You want to implement a VPN with an alwayson fail close policy for Cisco AnyConnect clients.
Which of the following does Cisco recommend that you do? (Select the best answer.)

A. Start with a fail open policy, and implement fail close in phases.
B. Start with the fail close policy, and implement fail open as necessary.
C. Implement always-on, and leave the failure policy at the default setting.
D. Implement always-on with a fail open policy, and enable the Disconnect button.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Cisco recommends that you start with a fail open policy and implement fail close in phases if you want to implement a virtual private network (VPN) with an
always-on fail close policy. The always-on feature enables Cisco AnyConnect clients to establish a VPN session automatically whenever the client detects that the
host is connected to an untrusted network. For example, a laptop that is used both on a corporate LAN and for remote work might be configured to automatically
connect to the corporate VPN whenever the laptop is not directly connected to the corporate LAN. However, any number of problems could prevent the client from
actually establishing a connection to the VPN.
There are two types of connect failure policies that you can enable for Cisco AnyConnect always-on clients. The fail open policy allows the client to complete a
connection to the local network for access to the Internet or local resources. However, because a VPN session has not been established, the AnyConnect host
is exposed to the untrusted network without the protection the VPN was meant to provide.
The fail closed policy, on the other hand, prevents all network access from the Cisco AnyConnect client except to local devices and to destinations excluded from
the tunnel by split tunneling. This extra layer of security could prevent the user from accessing the Internet and thus could hurt productivity if the user relies on
Internet access to complete work-related tasks. Because the fail closed policy is so restrictive, Cisco recommends implementing it by using a phased approach that
includes initially implementing fail open and surveying user activity for AnyConnect issues that might prevent seamless connections.
There is no need to enable the Disconnect button, because the button is enabled by default when the always on feature is enabled. The Disconnect button enables
users to manually disconnect from a VPN session that has been automatically established by the AnyConnect client. The Disconnect button can be disabled by an
administrator.
Cisco does not recommend leaving the failure policy at the default setting if you want to implement a fail close policy. The fail close policy is the default failure policy
when connect failure policies are enabled.
Reference:
Cisco: Configuring VPN Access: Connect Failure Policy for Always-On VPN

QUESTION 43
Your company is using a shopping cart web application that is known to be vulnerable to a code injection attack. Your company has no support agreement for the
application, and the application is no longer updated by its author. Modifying the code would require the hiring of additional help and an extensive interview process.
Which of the following should your company do in the meantime to most quickly mitigate the threat? (Select the best answer.)

A. Use the grep command to examine web logs for evidence of an attack.
B. Shut down the site.
C. Replace the shopping cart application with a different one.
D. Implement a WAF.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Your company should implement a web application firewall (WAF) to mitigate the shopping cart web application threat. A WAF sits between a web application and
the end user in order to protect the application from malicious activity and known vulnerabilities. Therefore, by installing a WAF, it is possible to protect a vulnerable
web application without modifying the application code.
Although you should issue the grep command to examine web application logs for evidence of an attack, doing so would not quickly mitigate the threat posed by the
unpatched vulnerability. Searching for evidence of an attack takes time. Even if evidence of an attack were found in the log, discovering that evidence does not
mitigate the threat.
Although you should consider replacing the shopping cart application with a different one that is supported and regularly updated, doing so would not be the
quickest way to mitigate the threat. Depending on the complexity of the data and the availability of conversion tools, it could take many weeks or months to
successfully migrate a shopping cart from one web application to another.
You should not shut down the site. Shutting down the site would cause a severe business interruption because users would no longer be able to purchase products
by using the shopping cart.
Reference:
OWASP: Category:OWASP Best Practices: Use of Web Application Firewalls

QUESTION 44
Which of the following is a Cisco IPS appliance feature that analyzes normal network activity to detect hosts that are infected with worms? (Select the best answer.)

A. anomaly detection
B. global correlation
C. reputation filtering
D. a signature definition
E. a threat rating

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Anomaly detection is a Cisco Intrusion Prevention System (IPS) appliance feature that analyzes normal network activity to detect hosts that are infected with
worms. The IPS anomaly detection feature enables IPS to learn what type of network activity is normal activity for the network that is being protected. If a network
starts to become congested by traffic that is generated by a worm or if a host that is infected with a worm connects to the network and attempts to infect other
hosts, the anomaly detection feature can trigger a specific response, such as denying traffic from the infected host or alerting an administrator.
Signature definitions do not analyze normal network activity to detect hosts that are infected with worms. A signature definition is a set of rules to which a Cisco IPS

appliance can compare network traffic to determine whether an attack is occurring. If the network activity matches a signature definition, IPS can trigger a specific
response from other defined event action rule sets, such as denying traffic from a host or alerting an administrator. IPS administrators can manually configure
signature definitions in Cisco IPS Device Manager (IDM) or use the Signature Wizard to create custom signature definitions.
Global correlation does not analyze normal network activity to detect hosts that are infected with worms. Global correlation enables IPS sensors to allow or deny
traffic based on the reputation of the sending device. When you enable global correlation, IPS devices will periodically receive updates that include information
about known malicious devices on the Internet from the Cisco SensorBase Network. In addition, global correlation will send statistical information about attacks
against your company's network to the Cisco SensorBase Network. Cisco uses that information to detect threat patterns on the Internet.
Reputation filtering does not analyze normal network activity to detect hosts that are infected with worms. Reputation filtering denies packets from hosts that are
considered to have a malicious reputation based on the global correlation information that is available from the Cisco SensorBase Network. Reputation filtering is
different from global correlation inspection in that reputation filtering denies traffic before the traffic is compared to any signature definitions. In addition, reputation
filtering does not generate alerts.
Threat ratings do not analyze normal network activity to detect hosts that are infected with worms. A threat rating is an event action risk rating that has been
lowered because of a specific action taken by IPS. A risk rating is a numerical representation of the risk presented to a network by a specific attack. Risk ratings
can range from 0 through 100. Depending on the actions IPS has taken in response to an event, IPS will subtract a value from the threat rating of the event. For
example, if IPS responds to a specific event by issuing a request to block the attacking host, a value of 20 will be subtracted from the threat rating.
Reference:
Cisco: Configuring Anomaly Detections: Understanding Anomaly Detection
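The learn-then-detect behaviour described above can be shown with a small model. The following Python example is added here and is not Cisco's anomaly detection code or anything from the page; it reduces the idea to one signal, the number of distinct destinations a host contacts per minute, learns a threshold from constructed flow records of ordinary traffic, and then flags the one constructed host that sweeps port 445 across 40 neighbours in a single minute. The mean-plus-three-standard-deviations threshold, the flow records and the function names are assumptions; the real feature learns per-protocol scanner thresholds per zone.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# A flow record: (time bucket in minutes, source host, destination host, destination port).
Flow = Tuple[int, str, str, int]


def constructed_learning_flows() -> List[Flow]:
    """Ten minutes of ordinary traffic: each of five hosts talks to 2 to 5 distinct peers a minute."""
    flows: List[Flow] = []
    for minute in range(10):
        for h in range(1, 6):
            fanout = 2 + (h + minute) % 4          # deterministic, constructed pattern
            for d in range(fanout):
                flows.append((minute, f"10.0.0.{h}", f"10.0.1.{d + 1}", 443))
    return flows


def constructed_detection_flows() -> List[Flow]:
    """One minute in which 10.0.0.99 sweeps port 445 across 40 hosts, worm style."""
    flows = [(20, "10.0.0.1", f"10.0.1.{d}", 443) for d in range(1, 6)]    # normal host
    flows += [(20, "10.0.0.99", f"10.0.2.{d}", 445) for d in range(1, 41)]  # scanner
    return flows


def fanout_per_host_minute(flows: List[Flow]) -> Dict[Tuple[int, str], Set[str]]:
    """Distinct destinations each source host contacted in each one-minute bucket."""
    seen: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    for minute, src, dst, _port in flows:
        seen[(minute, src)].add(dst)
    return seen


def learn_baseline(flows: List[Flow], sigmas: float = 3.0) -> float:
    """Learning phase: threshold = mean + sigmas * stdev of per-host-minute fan-out."""
    counts = [len(dsts) for dsts in fanout_per_host_minute(flows).values()]
    return statistics.mean(counts) + sigmas * statistics.pstdev(counts)


def detect_scanners(flows: List[Flow], threshold: float) -> List[Tuple[str, int, int]]:
    """Detection phase: (host, minute, fan-out) for every host-minute above the threshold."""
    hits = []
    for (minute, src), dsts in fanout_per_host_minute(flows).items():
        if len(dsts) > threshold:
            hits.append((src, minute, len(dsts)))
    return hits


if __name__ == "__main__":
    threshold = learn_baseline(constructed_learning_flows())
    print(f"learned threshold: {threshold:.2f} distinct destinations per minute")
    for host, minute, fanout in detect_scanners(constructed_detection_flows(), threshold):
        print(f"minute {minute}: {host} contacted {fanout} hosts, above threshold")
```

The response on a hit (deny the host, raise an alert) is the event-action side of the feature and is left out of the model; what the model shows is why a host with five peers in a minute is left alone while one with forty is not.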

QUESTION 45
Which of the following can be used to encrypt email messages, files, and disk drives? (Select the best answer.)

A. L2TP
B. PEM
C. PGP
D. S/MIME

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Pretty Good Privacy (PGP) is software that can be used to encrypt email messages, files, and disk drives. PGP can be used to provide confidentiality, integrity, and
non-repudiation. PGP uses a hybrid scheme: the message or file is encrypted with a random symmetric session key, and that session key is encrypted with the
recipient's public key. The recipient then uses his or her private key to recover the session key and decrypt the file or message. Many modern operating systems
(OSs) offer their own built-in support for file-level and disk-level encryption, so third-party software is often no longer necessary for encrypting files.
Privacy Enhanced Mail (PEM) and Secure/Multipurpose Internet Mail Extensions (S/MIME) can be used to encrypt email messages, but they cannot be used to
encrypt files or disk drives. PEM is defined in Requests for Comments (RFCs) 1421 through 1424 but was never widely used. S/MIME, which was created by RSA
Data Security, is now an RFC standard defined in RFCs 3369, 3370, 3850, and 3851.
Although Layer 2 Tunneling Protocol (L2TP) can be used along with an encryption protocol such as IPsec to protect files and email messages while they are sent over a virtual private network (VPN), L2TP is not used to encrypt disk drives. L2TP does not offer any security on its own but provides the tunnel, carried in User Datagram Protocol (UDP) packets, through which encapsulated IP packets travel.
Reference:
Search Security: Tech Target: Pretty Good Privacy (PGP)
Microsoft TechNet: Understanding S/MIME

QUESTION 46
Refer to the exhibit:

You have created a network object NAT rule in ASDM to translate the real IP address of a DMZ web server, DMZWWWINT, to an IP address in the OUTSIDE
network, DMZWWWEXT. The DMZ interface has a
security level of 50, and the OUTSIDE interface has a security level of 0. In addition, the ASA is running system software version 8.4.
Which of the following statements are true regarding the ACL that will be required to enable hosts in the OUTSIDE network to communicate with the DMZ web
server? (Select 2 choices.)

A. The ACL should be applied to the OUTSIDE interface.
B. The ACL should be applied to the DMZ interface.
C. The ACL should reference the DMZWWWEXT object as its source address.
D. The ACL should reference the DMZWWWINT object as its source address.
E. The ACL should reference the DMZWWWEXT object as its destination address.
F. The ACL should reference the DMZWWWINT object as its destination address.

Correct Answer: AF
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the access control list (ACL) should be applied to the OUTSIDE interface and should reference the DMZWWWINT object as its destination
address. The Network Address Translation (NAT) rule in this scenario creates a static mapping between the address of the web server in the DMZ network, which
has been defined as an object named DMZWWWINT, and an address in the OUTSIDE network, which has been defined as an object named DMZWWWEXT.
This static mapping enables hosts on the outside network to communicate with the DMZ web server by using the DMZWWWEXT address. However, the Cisco
Adaptive Security Appliance (ASA) will deny inbound traffic from the OUTSIDE interface by default unless it is return traffic from an existing connection or an ACL
exists which explicitly permits the traffic.
You can view, edit, and add ACLs from the Configuration > Firewall > Access Rules pane in Adaptive Security Device Manager (ASDM). By default, the Access Rules pane contains implicit rules that permit traffic from higher security interfaces to lower security interfaces and that deny all traffic that has not been otherwise permitted, as shown in the following exhibit:

You can click the Add button in the Access Rules pane to create a new ACL. When you click the Add button, ASDM will display the Add Access Rule dialog box, as
shown in the following exhibit:

In the Add Access Rule dialog box, you should click the Interface drop-down and select the OUTSIDE interface if it is not already selected. The ACL should be applied to the OUTSIDE interface; otherwise, the traffic from the OUTSIDE network would be denied before reaching any of the other ASA interfaces. You should ensure that the Permit radio button is selected in order to permit the traffic specified by the ACL. The Source Criteria section of the Add Access Rule dialog box can keep its default values because traffic from any source and user should be permitted to access the DMZ web server. The network object corresponding to the DMZ web server should be specified in the Destination field of the Destination Criteria section. Because the ASA is running system software version 8.3 or later, the ACL required for this scenario must use the object named DMZWWWINT (the real, untranslated address) as its destination and not the object named DMZWWWEXT, as would be the case for system software versions earlier than 8.3. Finally, the Service field should be used to specify the protocols that will be permitted by the ACL. By default, all IP traffic is permitted; however, because this rule applies to a web server, it is more secure to limit the permitted protocols to Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS). You can either type the protocol object names into the field or click the browse button to select protocols from a list. By default, the Add Access Rule dialog box enables the rule in the inbound direction, which is precisely what is needed in this scenario. The following exhibit shows the Add Access Rule dialog box with sample values that would be suitable for this scenario:

When you click the OK button, the Access Rules pane will automatically update to display the newly created ACL, as shown in the following exhibit:

You would not apply an ACL to the DMZ interface. Although you could apply a similar ACL to the DMZ interface in the outbound direction, traffic from the OUTSIDE interface would be dropped by the implicit deny rule on the OUTSIDE interface before it had a chance to reach the DMZ interface. There is no need to apply an ACL to the DMZ interface in the inbound direction because traffic from higher security interfaces is permitted to lower security interfaces by default. You would not need to supply a source address to the ACL in this scenario, because all traffic arriving on the OUTSIDE interface in the inbound direction is matched instead. Although you could specify individual hosts or subnets in a similar ACL, it is significantly more practical to match any source on the OUTSIDE interface. Typically, the OUTSIDE interface of an ASA connects to the greatest number of additional networks, such as the Internet, and it would quickly become impractical to enumerate all permitted hosts or subnets.
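The same rule expressed at the ASA CLI, as an added example that is not part of the original question or of Cisco's documentation. The object names match the scenario; the 10.1.1.10 and 203.0.113.10 addresses, the OUTSIDE_IN ACL name and the interface names are assumptions:

```cisco
! Added example (not from the original page). Addresses and the ACL name are assumed.
! Define the mapped (public) address first so the NAT statement can reference it.
object network DMZWWWEXT
 host 203.0.113.10
! Real DMZ web server; on 8.3+ the object NAT rule lives under the real-address object.
object network DMZWWWINT
 host 10.1.1.10
 nat (DMZ,OUTSIDE) static DMZWWWEXT
! 8.3+ ACLs match the real (untranslated) address, so the destination is DMZWWWINT,
! not the mapped DMZWWWEXT. Limit the rule to HTTP and HTTPS rather than all IP.
access-list OUTSIDE_IN extended permit tcp any object DMZWWWINT eq www
access-list OUTSIDE_IN extended permit tcp any object DMZWWWINT eq https
! Apply inbound on the lower-security (OUTSIDE) interface; the implicit deny at the
! end of the ACL still drops everything else that arrives on OUTSIDE.
access-group OUTSIDE_IN in interface OUTSIDE
```

`packet-tracer input OUTSIDE tcp 198.51.100.5 40000 203.0.113.10 80` walks a simulated packet through the UN-NAT phase and then the ACCESS-LIST phase, which is the order that makes the real address the correct destination. If you reference DMZWWWEXT as the destination instead, the trace ends in an acl-drop at the ACCESS-LIST phase.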
Reference:
Cisco: Configuring Access Rules: Configuring Access Rules

QUESTION 47
According to the branch location ACL design guidelines in the Cisco BYOD Design Guide, which protocols should not be permitted by the default ACL that is
applied to the access ports of a Layer 2 switch? (Select 2 choices.)

A. BOOTP
B. DNS
C. HTTP
D. HTTPS
E. ICMP
F. TFTP

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
According to the branch location access control list (ACL) design guidelines in the Cisco Bring Your Own Device (BYOD) Design Guide, Hypertext Transfer Protocol
(HTTP) and Secure HTTP (HTTPS) should not be permitted by the default ACL that is applied to the access ports of a Layer 2 switch. In a BYOD environment,
802.1X, Web Authentication (WebAuth), or Media Access Control (MAC) Authentication Bypass (MAB) are used to authenticate and authorize the user and the
user’s associated device for network access. Once a wired device authenticates with the Cisco Identity Services Engine (ISE), a downloadable ACL (dACL) is
typically applied to the appropriate access port on the Layer 2 switch to which the device is attached. HTTP and HTTPS traffic should be permitted by an ACL that
is used to redirect web traffic to the ISE for browser-based authentication when 802.1X or MAB authentication is unavailable. In a redirect ACL, permit entries select the traffic that is redirected and deny entries exempt traffic from redirection, so a deny does not block the traffic. Cisco recommends denying Domain Name System (DNS) traffic, or specifically excluding the IP address of the ISE, to prevent redirection loops. For example, the following ACL exempts DNS traffic and selects HTTP and HTTPS traffic for redirection to the ISE:

switch(config)#ip access-list extended REDIRECT-ACL
switch(config-ext-nacl)#deny udp any any eq domain
switch(config-ext-nacl)#permit tcp any any eq www
switch(config-ext-nacl)#permit tcp any any eq 443

Cisco recommends applying a default ACL to the access ports of Layer 2 switches to mitigate situations in which a configuration error prevents a dACL from being applied to the appropriate access port during the authentication and authorization process. The default ACL should permit Bootstrap Protocol (BOOTP), DNS, Trivial File Transfer Protocol (TFTP), and Internet Control Message Protocol (ICMP). In addition, the default ACL should explicitly deny and log all other IP traffic. For example, the following ACL complies with Cisco's best common practices (BCP) as outlined in the BYOD Design Guide:

switch(config)#ip access-list extended DEFAULT-ACL
switch(config-ext-nacl)#permit icmp any any
switch(config-ext-nacl)#permit udp any eq bootpc any eq bootps
switch(config-ext-nacl)#permit udp any any eq domain
switch(config-ext-nacl)#permit udp any any eq tftp
switch(config-ext-nacl)#deny ip any any log

Reference:
Cisco: Cisco Bring Your Own Device (BYOD) CVD: ACL Design at Branch Location

QUESTION 48
You have issued the following commands to modify the 802.1X configuration on a switch port:

switch(config-if)#authentication order mab dot1x
switch(config-if)#authentication priority dot1x mab
switch(config-if)#authentication event fail action next-method
switch(config-if)#authentication event no-response action authorize vlan 1313

A new host is attached to the switch port. The host’s MAC address is in the authentication database, but the host’s certificate for 802.1X authentication is expired.
Which of the following statements is true regarding the host in this scenario? (Select the best answer.)

A. MAB will authorize the host for network access, and the switch port will ignore the host’s 802.1X authentication attempts.
B. MAB will authorize the host for network access; however, the host will lose network access when it attempts to authenticate with 802.1X.
C. The host will fail 802.1X authentication and will be assigned to VLAN 1313.
D. The host will fail 802.1X authentication, and the switch will place the port into an unauthorized state.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, Media Access Control (MAC) Authentication Bypass (MAB) will authorize the host for network access; however, the host will lose network access when it attempts to authenticate with 802.1X. A switch port can be configured to use 802.1X, MAB, or Web Authentication (WebAuth) to authenticate clients. The authentication order command is used to specify the order in which the switch should attempt the configured authentication methods. By default, a switch will attempt 802.1X authentication before other authentication methods. The authentication order mab dot1x command configures the switch to first use MAB to authenticate a client based on its MAC address. If the client's MAC address is not in the authentication database, the switch will then attempt to authenticate the client with 802.1X. In this scenario, the client's MAC address is in the authentication database, so MAB will authorize the client for network access.
Normally, the configured authentication order is mirrored by the priority of each authentication method; however, you can use the authentication priority command to change the priority. If the priority mirrored the authentication order in this scenario, the switch would ignore Extensible Authentication Protocol over LAN (EAPoL) messages after the client was authenticated by MAB, and the client would continue to have authorized network access. However, the authentication priority dot1x mab command changes the default priority behavior and assigns a higher priority to 802.1X authentication than to MAB. This enables a client to use 802.1X authentication even if it has already been authenticated by MAB. Unfortunately, the client will lose network access when it attempts 802.1X authentication because its certificate is expired.
The authentication event fail action command specifies how the switch should react if an 802.1X client is detected and the client fails to authenticate. There are two configurable parameters: next-method and authorize vlan vlan-id. The authorize vlan vlan-id parameter places the port in a specific restricted virtual LAN (VLAN). The next-method parameter configures the switch to attempt authentication by using the next authentication method specified in the authentication order command. If the next-method parameter is configured, the switch will cycle through the authentication methods indefinitely unless WebAuth is configured. If WebAuth is configured, the authentication process will not loop back to other authentication methods, and the switch will ignore EAPoL messages on the port.
The authentication event no-response action authorize vlan 1313 command specifies the VLAN into which the switch should place a port if it does not receive a response to the EAPoL messages it sends on that port. This enables devices that do not support 802.1X to be assigned to a guest VLAN. When a guest VLAN is configured, the switch will grant non-802.1X-capable clients access to the guest VLAN; however, if an 802.1X-capable device is detected, the switch will place the port into an unauthorized state and will deny access to all devices on the port.
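A complete access-port configuration that ties together the default ACL from Question 47 and the flexible-authentication commands from this question, as an added example that is not part of the original page or of the Cisco BYOD Design Guide. The RADIUS server address and key, the interface number, VLAN 10 and the DEFAULT-ACL name are assumptions:

```cisco
! Added example (not from the original page); server address, key, interface and VLANs are assumed.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ExampleRadiusKey
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Pre-authentication fallback: stays in force if ISE never pushes a dACL
 ip access-group DEFAULT-ACL in
 authentication host-mode multi-auth
 authentication port-control auto
 ! Question 48 scenario: MAB is tried first, but an 802.1X-capable host can
 ! still take over the session because dot1x has the higher priority
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication event no-response action authorize vlan 1313
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

`show authentication sessions interface GigabitEthernet1/0/1` shows which method (mab or dot1x) currently holds the session and whether a dACL has replaced DEFAULT-ACL. If a successful MAB result should be final for a port, leave the priority at its default (matching the order) so that later EAPoL frames from that host are ignored.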
Reference:
Cisco: Flexible Authentication Order, Priority, and Failed Authentication: Case 2: Order MAB Dot1x and Priority Dot1x MAB

QUESTION 49
Which of the following are symmetric encryption algorithms? (Select 3 choices.)

A. AES
B. RC4
C. 3DES
D. ECC
E. DH
F. DSA

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Advanced Encryption Standard (AES), RC4, and Triple Data Encryption Standard (3DES) are symmetric encryption algorithms. When symmetric encryption
algorithms are used, the same encryption key is used to encrypt and decrypt data. In addition, because symmetric encryption algorithms use less complex
mathematics than asymmetric encryption algorithms when encrypting and decrypting data, they often perform faster than asymmetric encryption algorithms.
Two types of symmetric encryption algorithms exist: block ciphers and stream ciphers. Block ciphers derive their name from the fact that they encrypt fixed-length blocks of data. For example, AES encrypts 128-bit blocks of data. By contrast, stream ciphers encrypt data one bit or one byte at a time as it arrives, so they are not limited to specific block sizes and are typically faster than block ciphers. For example, RC4, a stream cipher, encrypts data one byte at a time and accepts a variable-length key of 8 through 2,048 bits; RC4 is now considered broken and has been prohibited in TLS (RFC 7465). Other examples of symmetric encryption algorithms include International Data Encryption Algorithm (IDEA), Skipjack, and Blowfish.
Diffie-Hellman (DH), Digital Signature Algorithm (DSA), and Elliptic Curve Cryptography (ECC) are asymmetric algorithms. DH is an asymmetric key exchange method. DSA is an asymmetric digital signature algorithm, and ECC is a family of asymmetric algorithms built on elliptic curves (for example, ECDH for key exchange and ECDSA for signatures). Asymmetric encryption, also known as public key encryption, uses a public key to encrypt data and a different, yet mathematically related, private key to decrypt data. Public key infrastructure (PKI) uses a certificate authority (CA) to bind a public key to an identity so that a party can verify whose public key it is using. Other examples of asymmetric encryption algorithms include RSA and ElGamal.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 5, Symmetric and Asymmetric Algorithms, pp. 92-94

QUESTION 50
Which of the following statements is correct regarding the traffic types that can be matched in a class map on a Cisco ASA? (Select the best answer.)

A. A class map can match traffic by TCP port number but not by UDP port number.
B. A class map can match traffic by UDP port number but not by IP precedence.
C. A class map can match traffic by TCP port number but not by IP precedence.
D. A class map can match traffic by UDP port number but not by TCP port number.
E. A class map can match traffic by TCP port number, by UDP port number, and by IP precedence.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A class map can match traffic by Transmission Control Protocol (TCP) port number, by User Datagram Protocol (UDP) port number, and by IP precedence on a Cisco Adaptive Security Appliance (ASA). A class map is one of the three basic components of Modular Policy Framework (MPF); policy maps and service policies are the other two components. MPF is a Cisco ASA feature that provides a flexible method of enabling security policies on an interface. A class map identifies a specific flow of traffic, a policy map determines the action that will be performed on the traffic, and a service policy ties this action to a specific interface. Generally, each class map can contain only a single match statement, and a packet can match only a single class map within the policy map for a particular feature type. For example, if a packet matched a class map for File Transfer Protocol (FTP) inspection and a class map for traffic policing, the ASA would apply both actions to the packet because they belong to different feature types. However, if a packet matched a class map for FTP inspection and a second, different class map that also included FTP inspection, the ASA would apply only the actions of the first matching class map.
You can use the match command from class map configuration mode to identify traffic based on specified characteristics. The keywords you can use to identify traffic in a class map are closely tied to their respective characteristics. The match command supports the following keywords: access-list, port, default-inspection-traffic, dscp, precedence, rtp, tunnel-group, and any.
For example, you could issue the following commands to create a class map named CLASSMAP that identifies traffic using TCP port 25:

asa(config)#class-map CLASSMAP
asa(config-cmap)#match port tcp eq 25

Once traffic has been identified by a class map, the associated policy map can take action on that traffic. A policy map typically contains references to one or more class maps and defines actions that should be performed on traffic matched by the specified class maps. If traffic matches multiple class maps for different actions within a policy map (for instance, if traffic matches a class map for application inspection as well as a class map for priority queuing), the actions of both class maps will be applied to the traffic. To continue the example from above, you could issue the following commands to configure a policy map named POLICYMAP that matches traffic specified by the class map named CLASSMAP and then processes the traffic with the Hypertext Transfer Protocol (HTTP) inspection engine:

asa(config)#policy-map POLICYMAP
asa(config-pmap)#class CLASSMAP
asa(config-pmap-c)#inspect http

A policy map does not act on traffic until the map has been applied to an interface by a service policy. A service policy can be applied globally to all interfaces, in which case application inspection is applied only to traffic entering the appliance; alternatively, a service policy can be applied to a single interface, in which case application inspection is applied to traffic entering and exiting that interface. An interface service policy overrides a global service policy: if traffic matches both an interface policy and a global policy, only the interface policy will be applied to that particular traffic flow. To complete the example, you could issue the following command to apply the POLICYMAP policy map to the inside interface:

asa(config)#service-policy POLICYMAP interface inside
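An added example (not from the original page or from Cisco's documentation) that exercises all three match types the question asks about in one policy: a UDP port, a TCP port and an IP precedence value. The class, policy and interface names, and the choice of DNS, SMTP and precedence 5 traffic, are assumptions:

```cisco
! Added example (not from the original page); names and traffic choices are assumed.
! One match statement per class map: UDP port, TCP port and IP precedence.
class-map DNS_UDP
 match port udp eq domain
class-map SMTP_TCP
 match port tcp eq smtp
class-map VOICE_PREC5
 match precedence 5
!
! Each class gets a different feature-type action, so a packet that matches
! more than one class (e.g. SMTP marked precedence 5) receives all of them.
policy-map OUTSIDE_POLICY
 class DNS_UDP
  inspect dns
 class SMTP_TCP
  inspect esmtp
 class VOICE_PREC5
  priority
!
! The priority action needs the low-latency queue enabled on the interface.
priority-queue outside
! Interface policy: applies in both directions on outside and overrides the
! global policy for any flow it matches.
service-policy OUTSIDE_POLICY interface outside
```

`show service-policy interface outside` reports per-class packet counts, which is the quickest way to confirm that a flow is landing in the class you intended rather than falling through to the global policy.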

Reference:
Cisco: Service Policy Using the Modular Policy Framework: Feature Matching Within a Service Policy

QUESTION 51
Which of the following EAP authentication protocols requires both a client and a server digital certificate? (Select the best answer.)


A. LEAP
B. PEAP
C. EAP-FAST
D. EAP-TLS

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) requires both a client and a server digital certificate. EAP-TLS is an authentication protocol that can be used for point-to-point connections and for both wired and wireless links. EAP-TLS performs mutual authentication to secure the authentication process. When EAP-TLS is used, a digital certificate must be installed on the authentication server and on each client that must authenticate with the server. Each side must trust the certificate authority (CA) that issued the other side's certificate; in practice, the client and server certificates are often issued by the same CA.
Protected EAP (PEAP) does not require that clients be configured with digital certificates. When PEAP is used, only servers are required to be configured with digital certificates. Clients authenticate inside the TLS tunnel with alternative methods, such as passwords or one-time passwords (OTPs).
Lightweight EAP (LEAP) does not require either the server or the client to be configured with a digital certificate. When LEAP is used, the client initiates an authentication attempt with a Remote Authentication Dial-In User Service (RADIUS) server. The RADIUS server responds with a challenge. If the challenge/response exchange is successful, the client then validates that the RADIUS server is correct for the network. If the RADIUS server is validated, the client will connect to the network. Because the LEAP challenge/response is based on MS-CHAP and exposes the exchange to offline dictionary attacks, Cisco has recommended migrating from LEAP to stronger methods such as EAP-FAST.
Similar to LEAP, EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) does not require either the server or the client to be configured with a digital certificate. When EAP-FAST is used, Protected Access Credentials (PACs) are used to authenticate users. The EAP-FAST authentication process consists of three phases. The first phase, which is optional and is considered phase 0, consists of provisioning a client with a PAC, which is a digital credential that is used for authentication. A PAC can be manually configured on a client, in which case phase 0 is not required. The second phase, which is referred to as phase 1, involves creating a secure tunnel between the client and the server. The final phase, which is referred to as phase 2, involves authenticating the client. If the client is authenticated, the client will be able to access the network.
Reference:
Cisco: EAPTLS Deployment Guide for Wireless LAN Networks: 5.2 Certificate Requirements

QUESTION 52
The system software on a Cisco Catalyst 3750 series switch was corrupted during a failed upgrade, and now the switch no longer passes the POST on restart. You
want to use the Xmodem Protocol to recover the system software.
To which of the following ports on the switch could you connect? (Select the best answer.)

A. an Ethernet port in the management VLAN
B. the auxiliary port
C. the console port
D. the highest numbered Ethernet port on the switch
E. the lowest numbered Ethernet port on the switch

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should connect to the console port of a Cisco Catalyst 3750 series switch to use the Xmodem Protocol for system software recovery. Xmodem is a simple, error-correcting transfer protocol that can be used to transfer an IOS software image from a PC to a Cisco switch or router through its console port. When the system software image on a switch or router becomes corrupted, the system will fail the power-on self-test (POST) when it reloads, and it will typically halt in an administrative mode commonly called read-only memory (ROM) monitor (ROMmon) mode. You can identify this mode by the command prompt that is displayed at the console: switch: on a switch and rommon 1 > on a router. When in ROMmon mode, a switch or router will no longer forward packets and thus can no longer be reached through traditional in-band management methods, such as through a management virtual LAN (VLAN) or an active network interface. Instead, you must use an out-of-band management method to access a switch or router in ROMmon mode. The only out-of-band access method available on a Cisco 3750 series switch that supports Xmodem for system software recovery is the console port.
On a Cisco router, you could use either the console port or the auxiliary (AUX) port for out-of-band access if the router is in ROMmon mode. The AUX port on a Cisco router is typically capable of supporting most of the features available on a console port. Cisco switches either do not have AUX ports or do not support certain features, such as system recovery, on their AUX ports if they have them.
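The recovery sequence at the switch: boot loader prompt, as an added example that follows the structure of Cisco's recovery procedure but is not copied from the original page. The image filename c3750-ipbasek9-mz.bin is a placeholder, not a real image name:

```cisco
! Added example (not from the original page). The image filename is a placeholder.
! Typed at the 3750 boot-loader prompt over the console cable; these are not IOS commands.
! Initialize the flash file system and confirm what, if anything, survived.
switch: flash_init
switch: load_helper
switch: dir flash:
! Start the receive side first, then send the image file from the terminal
! emulator's Xmodem transfer dialog.
switch: copy xmodem: flash:c3750-ipbasek9-mz.bin
! Confirm the file arrived with the expected size before trusting it.
switch: dir flash:
! Boot the freshly copied image.
switch: boot flash:c3750-ipbasek9-mz.bin
```

At 9600 baud a typical image takes hours to transfer, so Cisco's procedure raises the console speed in the boot loader first and restores it afterward; once IOS is up, `verify /md5 flash:c3750-ipbasek9-mz.bin` against the hash published with the image is the check that the corrupted upgrade skipped.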
Reference:
Cisco: Recovering Catalyst Fixed Configuration Switches from a Corrupted or Missing Image

QUESTION 53
Which of the following security functions is associated with the control plane? (Select the best answer.)

A. device configuration protection
B. device resource protection
C. traffic accounting
D. traffic filtering

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Device resource protection is a security function that is associated with the control plane. Cisco devices are generally divided into three planes: the control plane,
the management plane, and the data plane. Each plane is responsible for different operations, and each plane can be secured by implementing various security
methods.
The control plane is responsible for the creation and maintenance of structures related to routing and forwarding. These functions are heavily dependent on the
CPU and memory availability. Therefore, control plane security methods protect against unauthorized traffic destined for the router, which can modify route paths
and consume excessive resources. Path modification can be caused by manipulating the traffic generated by routing protocols, VLAN Trunking Protocol (VTP), and
Spanning Tree Protocol (STP). Path modification attacks can be mitigated by implementing routing protocol authentication and filtering, VTP authentication, and
STP protection features. In addition, excessive CPU and memory consumption can be caused by control plane flooding. Resource consumption attacks can be
mitigated by implementing control plane filtering and rate limiting with Control Plane Policing (CoPP) and Control Plane Protection (CPPr).
Traffic accounting and traffic filtering are security features that are associated with the data plane. The data plane is responsible for traffic passing through the
router, which is referred to as transit traffic. Therefore, data plane security protects against unauthorized packet transmission and interception. Threats such as IP
spoofing, Media Access Control (MAC) address spoofing, Address Resolution Protocol (ARP) spoofing, Dynamic Host Configuration Protocol (DHCP) spoofing,
unauthorized traffic interception, and unauthorized network access can be mitigated and monitored by implementing features such as the following:
- ARP inspection
- Antispoofing access control lists (ACLs)
- DHCP snooping
- Port ACLs (PACLs)
- Private virtual LANs (VLANs)
- Unicast Reverse Path Forwarding (uRPF)
- VLAN ACLs (VACLs)

Device configuration protection is associated with the management plane. Management plane security protects against unauthorized device access and configuration. Unauthorized access can be mitigated by implementing a strong Authentication, Authorization, and Accounting (AAA) solution and by implementing Management Plane Protection (MPP), which restricts management sessions to designated interfaces over which administrators must connect in order to access device administration features. Management traffic can be encrypted by implementing Secure Shell (SSH). You can mitigate unauthorized configuration of a device by implementing Role-Based Access Control (RBAC), whereby administrators are limited to using only the features they need to accomplish their jobs. Detection and logging of management plane access can be performed by implementing Simple Network Management Protocol version 3 (SNMPv3) and Syslog servers.
Reference:
Cisco: Cisco Guide to Harden Cisco IOS Devices

QUESTION 54
Which of the following statements are true regarding IDS devices? (Select 2 choices.)

A. They can send alerts.
B. They do not sit inline with the flow of network traffic.
C. They can directly block a virus before it infiltrates the network.
D. They can detect malicious traffic only by signature matching.
E. They function identically to IPS devices.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Intrusion Detection System (IDS) devices can send alerts and do not sit inline with the flow of network traffic. An IDS is a network monitoring device that passively monitors network traffic and actively sends alerts to a management station when it detects malicious traffic. An IDS typically has one promiscuous network interface attached to each monitored network, fed by a SPAN port or a network tap. Because traffic does not flow through the IDS, the IDS is unable to directly block malicious traffic; however, an IDS can do any of the following:
- Request that another device block a connection
- Request that another device block a particular host
- Reset TCP connections

An IDS can prevent further instances of previously detected malicious traffic from passing onto the network by creating access control lists (ACLs) on routers in the
traffic path or by configuring other security devices that reside in the flow of traffic. Although signaturebased pattern matching is the primary method used by an IDS
to detect malicious traffic, an IDS can also consider policy definitions and historical traffic behavior when analyzing network packets.
By contrast, an Intrusion Prevention System (IPS) typically sits inline with the flow of traffic and can therefore block malicious traffic before it passes onto the
network. An inline IPS can perform the following actions:
- Block traffic from a particular host
- Block a particular connection
- Modify traffic
- Reset TCP connections

However, if an IPS sits inline with traffic, a failed IPS device can cause all traffic to be dropped unless the device is configured to fail open. Analyzing all of the traffic that passes through the IPS can also add latency and jitter. Alternatively, an IPS can be configured to operate in promiscuous mode, which makes it functionally similar to an IDS. Typically, an IPS is configured to use signature-based pattern matching to block traffic that has been definitively marked as malicious. Traffic that is suspect but has not been confirmed as malicious is referred to as gray area traffic and is not discarded by an IPS. If an IDS is used in conjunction with an IPS, the IDS can be configured to monitor the gray area traffic in greater detail without affecting the flow of traffic through the IPS.

Reference:
Cisco: Managed Security Services Partnering for Network Security: Managed Intrusion Detection and Prevention Systems

QUESTION 55
Which of the following statements are true regarding TACACS+? (Select 2 choices.)

A. It encrypts the entire body of a packet.
B. It combines authorization and authentication functions.
C. It provides router command authorization capabilities.
D. It uses UDP for packet delivery.
E. It was developed as an IETF standard protocol.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Terminal Access Controller Access Control System Plus (TACACS+) encrypts the entire body of a packet and provides router command authorization capabilities. TACACS+ is a Cisco-proprietary protocol (later documented as Informational RFC 8907, which is not an IETF standard) that uses Transmission Control Protocol (TCP) port 49 for transport during Authentication, Authorization, and Accounting (AAA) operations. TACACS+ provides more security and flexibility than other authentication protocols, such as Remote Authentication Dial-In User Service (RADIUS), which is an open standard protocol commonly used as an alternative to TACACS+. Because TACACS+ encrypts the entire body of a packet, users who intercept the packet cannot view the user name or the contents of the packet. The header is still sent in the clear, and the body protection is an MD5-based obfuscation rather than modern encryption, which is why RFC 8907 recommends confining TACACS+ to a trusted management network or protecting it with IPsec. In addition, TACACS+ provides flexibility by separating the authentication, authorization, and accounting functions of AAA. This enables granular control of access to resources. For example, TACACS+ gives administrators control over access to configuration commands; users can be permitted or denied access to specific configuration commands. Because of this flexibility, TACACS+ is used with Cisco Secure Access Control Server (ACS), which is a software tool that is used to manage user authorization for router access.
RADIUS, not TACACS+, was developed as an Internet Engineering Task Force (IETF) standard protocol.
Like TACACS+, RADIUS is a protocol used with AAA operations. However, RADIUS uses User Datagram Protocol (UDP) for packet delivery and is less secure and less flexible than TACACS+. RADIUS encrypts only the password of a packet; the rest of the packet would be viewable if the packet were intercepted by a malicious user. With RADIUS, the authentication and authorization functions of AAA are combined into a single function, which limits the flexibility that administrators have when configuring these functions.
Furthermore, RADIUS does not provide router command authorization capabilities.
Reference:
Cisco: TACACS+ and RADIUS Comparison: Compare TACACS+ and RADIUS
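
The difference between "encrypts the entire body" and "encrypts only the password" is concrete enough to show in code. The following is an added example written for this page, not code from the page, from Cisco, or from any RADIUS or TACACS+ implementation: it implements the User-Password hiding of RFC 2865 (section 5.2) and the body encryption of the TACACS+ protocol (RFC 8907, section 4.5), then checks which fields of a login remain readable on the wire. The shared secrets, the Request Authenticator, the session ID and the credentials are constructed sample values, and the TACACS+ START body layout is simplified.

```python
"""Added example (not from the page, Cisco, or any vendor library): RADIUS
password hiding (RFC 2865, 5.2) next to TACACS+ body encryption (RFC 8907,
4.5). All keys, authenticators, session values and credentials below are
constructed samples."""
import hashlib


def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad the password to a multiple of 16
    bytes, then XOR each 16-byte block with MD5(secret + previous block),
    where the first "previous block" is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block                      # chaining: next pad depends on the ciphertext block
    return bytes(hidden)


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server-side inverse of radius_hide_password. The NUL padding is stripped,
    so this demo assumes the password itself does not end in a NUL byte."""
    revealed = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        revealed += bytes(c ^ b for c, b in zip(block, pad))
        prev = block
    return bytes(revealed).rstrip(b"\x00")


def tacacs_plus_crypt(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """TACACS+ body encryption (RFC 8907, 4.5): XOR the whole body with a
    pseudo-pad of chained MD5 digests over session_id, key, version and
    seq_no. XOR is symmetric, so the same call encrypts and decrypts."""
    sid = session_id.to_bytes(4, "big")
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def exposure_on_the_wire() -> dict:
    """Carry the same constructed credentials in a RADIUS attribute list and in
    a TACACS+ authentication START body, and report what an observer could
    read from each."""
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))           # constructed; real ones are random per request
    user, password = b"alice", b"s3cret-sample"
    # RADIUS: attributes are type/length/value; only type 2 (User-Password) is hidden,
    # type 1 (User-Name) travels in the clear.
    hidden = radius_hide_password(secret, authenticator, password)
    radius_wire = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    # TACACS+: simplified START body (action, priv_lvl, authen_type, service,
    # user_len, port_len, rem_addr_len, data_len, then user and data fields),
    # and the whole body is encrypted. 0xC0 is major version 12, minor 0.
    start_body = bytes([1, 1, 1, 1, len(user), 0, 0, len(password)]) + user + password
    tacacs_wire = tacacs_plus_crypt(b"constructed-tacacs-key", 0x1A2B3C4D, 0xC0, 1, start_body)
    return {
        "radius_username_visible": user in radius_wire,
        "radius_password_visible": password in radius_wire,
        "tacacs_username_visible": user in tacacs_wire,
        "tacacs_password_visible": password in tacacs_wire,
    }


if __name__ == "__main__":
    for field, visible in exposure_on_the_wire().items():
        print(f"{field}: {visible}")
```

The RADIUS result shows the user name readable and only the password hidden; the TACACS+ result shows neither readable, which is exactly the distinction the answer draws. Note that both constructions are MD5-based obfuscation keyed on the shared secret, which is why Cisco and the RFCs recommend carrying either protocol over a protected management network.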

QUESTION 56
Which of the following protocols can IPSec use to provide the integrity component of the CIA triad? (Select 2 choices.)

A. GRE
B. AH
C. AES
D. ESP
E. DES

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
IP Security (IPSec) can use either Authentication Header (AH) or Encapsulating Security Payload (ESP) to provide the integrity component of the confidentiality,
integrity, and availability (CIA) triad. The integrity component of the CIA triad ensures that data is not modified in transit by unauthorized parties. AH and ESP are
integral parts of the IPSec protocol suite and can be used to ensure the integrity of a packet. Data integrity is provided by using checksums on each end of the
connection. If the data generates the same checksum value on each end of the connection, the data was not modified in transit. In addition, AH and ESP can
authenticate the origin of transmitted data. Data authentication is provided through various methods, including user name/password combinations, preshared keys
(PSKs), digital certificates, and one-time passwords (OTPs). Although AH and ESP perform similar functions, ESP provides additional security by encrypting the
contents of the packet. AH does not encrypt the contents of the packet.
In addition to data authentication and data integrity, IPSec can provide confidentiality, which is another component of the CIA triad. IPSec uses encryption protocols,
such as Advanced Encryption Standard (AES) or Data Encryption Standard (DES), to provide data confidentiality. Because the data is encrypted, an attacker
cannot read the data if he or she intercepts the data before it reaches the destination. IPSec does not use either AES or DES for data authentication or data
integrity.
Generic Routing Encapsulation (GRE) is a protocol designed to tunnel any Layer 3 protocol through an IP transport network. Because the focus of GRE is to
transport many different protocols, it has very limited security features. By contrast, IPSec has strong data confidentiality and data integrity features, but it can
transport only IP traffic. GRE over IPSec combines the best features of both protocols to securely transport any protocol over an IP network. However, GRE itself
does not provide data integrity or data authentication.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 1, Confidentiality, Integrity, and Availability, pp. 14-15
IETF: RFC 4301: Security Architecture for the Internet Protocol: 3.2. How IPsec Works
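
The explanation above describes integrity in terms of checksums; in IPsec the value is an Integrity Check Value (ICV) computed with a keyed MAC, which matters because an unkeyed checksum can simply be recomputed by whoever modifies the packet. The following added example (not from the page, from RFC 4301, or from any IPsec implementation) contrasts the two. The HMAC-SHA-256 choice, its 128-bit truncation, the key and the sample payloads are assumptions for illustration; real IPsec negotiates the integrity algorithm and derives the key through IKE.

```python
"""Added example (not from the page or any IPsec implementation): why the AH/ESP
integrity check is a keyed ICV rather than a plain checksum. Algorithm, key and
payloads are constructed for illustration."""
import hashlib
import hmac
import zlib
from typing import Optional

ICV_LEN = 16  # 128-bit truncation, as HMAC-SHA-256-128 uses in IPsec (assumed choice)


def checksum_protect(payload: bytes) -> bytes:
    """Unkeyed check value: anyone on the path can recompute it for any payload."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def checksum_verify(packet: bytes) -> Optional[bytes]:
    body, tag = packet[:-4], packet[-4:]
    return body if zlib.crc32(body).to_bytes(4, "big") == tag else None


def icv_protect(key: bytes, payload: bytes) -> bytes:
    """AH/ESP-style ICV: HMAC over the protected fields with the SA's integrity key."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:ICV_LEN]
    return payload + tag


def icv_verify(key: bytes, packet: bytes) -> Optional[bytes]:
    if len(packet) < ICV_LEN:
        return None
    body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    # constant-time comparison so the verifier does not leak where the tag differs
    return body if hmac.compare_digest(tag, expected) else None


def integrity_outcomes() -> dict:
    """Both packets are altered in transit by a party without the key. The
    checksum can be recomputed for the new payload; the ICV can only be left
    as it was, so the receiver rejects the altered packet."""
    key = b"constructed-sa-integrity-key"   # in IPsec this comes from IKE
    original = b"CONSTRUCTED: amount=100"
    altered = b"CONSTRUCTED: amount=900"
    checksum_pkt = checksum_protect(original)
    icv_pkt = icv_protect(key, original)
    checksum_altered = checksum_protect(altered)          # recomputed without any key
    icv_altered = altered + icv_pkt[-ICV_LEN:]            # old tag reused: no key available
    return {
        "checksum_accepts_original": checksum_verify(checksum_pkt) == original,
        "checksum_accepts_altered": checksum_verify(checksum_altered) == altered,
        "icv_accepts_original": icv_verify(key, icv_pkt) == original,
        "icv_accepts_altered": icv_verify(key, icv_altered) is not None,
    }


if __name__ == "__main__":
    for name, accepted in integrity_outcomes().items():
        print(f"{name}: {accepted}")
```

The checksum case accepts the altered packet, the ICV case rejects it; that is the property the CIA triad's integrity component actually needs, and the reason AH and ESP use a key negotiated between the peers rather than a public checksum.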

QUESTION 57
RouterA is configured to establish an IKE tunnel with RouterB. You issue the show crypto isakmp sa command on RouterA and receive the following output:
dst src state connid slot
10.1.2.3 10.1.2.4 MM_SA_SETUP 1 0
Which of the following statements is true? (Select the best answer.)

A. RouterA has negotiated ISAKMP SA parameters with RouterB.
B. RouterA has exchanged keys with RouterB.
C. RouterA has generated a shared secret.
D. RouterA uses three transactions to negotiate an ISAKMP SA.
E. RouterA has established an active IKE SA.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
RouterA has negotiated Internet Security Association and Key Management Protocol (ISAKMP) security association (SA) parameters with RouterB. The show
crypto isakmp sa command displays the status of current Internet Key Exchange (IKE) SAs on the router. The MM_SA_SETUP state indicates that the IKE peers
are using main mode for phase 1 negotiations and that they have successfully negotiated security parameters. IKE has two modes for phase 1 security negotiation:
main mode and aggressive mode. The following states are used during main mode:
- MM_NO_STATE - The peers have created the SA.
- MM_SA_SETUP - The peers have negotiated SA parameters.
- MM_KEY_EXCH - The peers have exchanged Diffie-Hellman (DH) keys and have generated a shared secret.
- MM_KEY_AUTH - The peers have authenticated the SA.
The following states are used during aggressive mode:
- AG_NO_STATE - The peers have created the SA.
- AG_INIT_EXCH - The peers have negotiated SA parameters and exchanged keys.
- AG_AUTH - The peers have authenticated the SA.

Quick mode is used during IKE phase 2. The only state in quick mode is QM_IDLE, which indicates that IKE phase 1 has completed successfully and that there is
an active IKE SA between peers.
Because RouterA is using main mode, RouterA requires six transactions, not three, to negotiate an ISAKMP SA. Main mode requires six transactions for IKE peers
to negotiate security parameters, generate a shared secret, and mutually authenticate. Aggressive mode requires only three transactions to negotiate security
parameters, establish a key management tunnel, and mutually authenticate.
RouterA has not yet exchanged keys with RouterB or generated a shared secret. Key exchange and shared secret generation occurs during the MM_KEY_EXCH
state.
Reference:
Cisco: Cisco IOS Security Command Reference: show crypto isakmp sa
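
To put the state table above to use, the following added example (not from the page or from Cisco) parses the rows of `show crypto isakmp sa` and reports how far each phase 1 negotiation has progressed. The first sample row is the one quoted in the question; the other two rows, the column spacing and the `conn-id` header are constructed and may differ from the output of a particular IOS release.

```python
"""Added example (not from the page or Cisco): interpret `show crypto isakmp sa`
rows using the main-mode, aggressive-mode and quick-mode state names. The
sample output is constructed apart from the row quoted in the question."""
import re
from typing import Dict, List, Tuple

# state -> (phase 1 mode, SA parameters negotiated, keys exchanged, peers authenticated)
STATE_INFO: Dict[str, Tuple[str, bool, bool, bool]] = {
    "MM_NO_STATE":  ("main", False, False, False),
    "MM_SA_SETUP":  ("main", True, False, False),
    "MM_KEY_EXCH":  ("main", True, True, False),
    "MM_KEY_AUTH":  ("main", True, True, True),
    "AG_NO_STATE":  ("aggressive", False, False, False),
    "AG_INIT_EXCH": ("aggressive", True, True, False),
    "AG_AUTH":      ("aggressive", True, True, True),
    "QM_IDLE":      ("quick", True, True, True),   # phase 1 complete, active IKE SA
}
MESSAGES_PER_MODE = {"main": 6, "aggressive": 3}    # transactions needed to finish phase 1

# dst, src, state, conn id, slot; header and banner lines do not match
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)")


def parse_isakmp_sa(output: str) -> List[Dict]:
    """Turn each data row into a dict describing the negotiation progress."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dst, src, state, conn_id, slot = m.groups()
        mode, params, keys, auth = STATE_INFO.get(state, ("unknown", False, False, False))
        rows.append({
            "dst": dst, "src": src, "state": state, "conn_id": int(conn_id), "slot": int(slot),
            "mode": mode, "sa_params_negotiated": params, "keys_exchanged": keys,
            "authenticated": auth, "established": state == "QM_IDLE",
            "phase1_messages": MESSAGES_PER_MODE.get(mode),
        })
    return rows


def not_established(rows: List[Dict]) -> List[Tuple[str, str, str]]:
    """(src, dst, state) of every SA still in phase 1; an SA that stays in one
    of these states has not finished negotiating with its peer."""
    return [(r["src"], r["dst"], r["state"]) for r in rows if not r["established"]]


SAMPLE_OUTPUT = """\
dst             src             state           conn-id   slot
10.1.2.3        10.1.2.4        MM_SA_SETUP     1         0
10.1.2.3        10.1.2.9        QM_IDLE         2         0
10.1.2.3        10.1.2.7        AG_INIT_EXCH    3         0
"""

if __name__ == "__main__":
    for row in parse_isakmp_sa(SAMPLE_OUTPUT):
        print(row["src"], "->", row["dst"], row["state"], row["mode"],
              "keys exchanged:", row["keys_exchanged"], "established:", row["established"])
    print("still negotiating:", not_established(parse_isakmp_sa(SAMPLE_OUTPUT)))
```

For the quoted row the parser reports main mode, parameters negotiated, no keys exchanged and no established SA, which is the reasoning behind answer A and the rejection of B, C and E.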

QUESTION 58
Which of the following worms was used in an act of cyber warfare against Iranian ICSs? (Select the best answer.)

A. Blaster
B. Nachi
C. Stuxnet

D. Welchia

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Stuxnet worm was used in an act of cyber warfare against Iranian industrial control systems (ICSs). Stuxnet is a Microsoft Windows worm that was discovered
in the wild as early as 2008. It was written to target specific ICSs by modifying code on programmable logic controllers (PLCs). Stuxnet initially exploited
vulnerabilities in the printer spooler service; however, later variants exploited a vulnerability in the way that Windows processes shortcuts. Research from
Symantec published in 2011 indicated that at the time, more than 60 percent of the Stuxnet-affected hosts had been in Iran. Symantec analyzed Stuxnet and its
variants and discovered that five organizations were the primary targets of infection and that further infections were likely collateral damage from the aggressive
manner in which the worm spreads throughout the network. Given the considerable cost in resources and man-hours that would have been required to craft the
Stuxnet worm, it was theorized that it was likely intended to sabotage high-value targets such as nuclear materials refinement facilities.
Blaster is a worm that targeted a vulnerability in the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) service on Microsoft Windows
hosts. The worm carried a destructive payload that configured the target host to engage in Denial of Service (DoS) attacks on Microsoft update servers.
Like Blaster, Welchia is a worm that targeted a vulnerability in the DCOM RPC service. In fact, Welchia exploited the exact same vulnerability as the Blaster worm.
Welchia was developed to scan the network for vulnerable machines, infect them, and then remove the Blaster worm if present. It was even designed to download
and install the appropriate patch from Microsoft to fix the vulnerability that it and Blaster initially exploited to infect the target machine. However, despite the
good-natured design intentions of the Welchia worm, its network-scanning component inadvertently caused DoS attacks on several large networks, including those
of the United States armed forces. Welchia was also referred to by the name Nachi.
Reference:
Cisco: Protecting Industrial Control Systems with Cisco IPS Industrial Signatures
Symantec: Security Response: W32.Stuxnet Dossier (PDF)

QUESTION 59
Which of the following statements is true regarding the Cisco IOS Resilient Configuration feature? (Select the best answer.)

A. Extra space is not required to secure the primary IOS image file.
B. Image or configuration mismatches are not automatically detected.
C. Only remote storage can be used for securing configuration files.
D. The feature can be disabled remotely.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Extra space is not required to secure the primary IOS image file with the Cisco IOS Resilient Configuration feature. The Resilient Configuration feature is designed
to protect system and configuration files from tampering and accidental deletion. You can issue the following block of commands to enable the Resilient
Configuration feature:

Router#configure terminal
Router(config)#secure boot-image
Router(config)#secure boot-config

When the feature is enabled, the primary system image file and associated running configuration are securely archived in local persistent storage; you cannot
select a remote storage location. The secure boot-image command enables the image resilience component of the Resilient Configuration feature and effectively
hides the system image from the directory structure. This means that the system image will no longer be displayed when the dir command is issued from the
command prompt of an EXEC shell; you can issue the show secure bootset command to verify that the system image has been archived. In addition, because the
system image file is not copied to a secure location, extra storage is not required to secure it. By contrast, the secure boot-config command creates a hidden copy of
the running configuration file. The secured versions of the system image and running configuration are referred to as the primary bootset.
You can restore either or both components of the primary bootset at any time. The system image can be restored from read-only memory (ROM) monitor
(ROMmon) mode and the running configuration can be restored from the global configuration mode by using the restore parameter of the secure boot-config
command. Once the system image and running configuration have been secured, the router will track version mismatches and produce a console message if the
system image or running configuration have mismatched versions. Once the Resilient Configuration feature is enabled, it can only be disabled from the console.
Reference:
Cisco: Cisco IOS Resilient Configuration: Feature Design of Cisco IOS Resilient Configuration

QUESTION 60
Which of the following can be installed on a host to analyze and prevent malicious traffic on that host? (Select the best answer.)

A. antivirus software
B. a HIPS
C. a personal firewall
D. a proxy server

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Host-based Intrusion Prevention System (HIPS) can be installed on a host to analyze and prevent malicious traffic on that host. An Intrusion Prevention System
(IPS) can be used to actively monitor, analyze, and block malicious traffic before it infects devices. HIPS software can be installed on a host computer to protect
that computer against malicious traffic. By contrast, a Network-based IPS (NIPS) is an independent operating platform, often a standalone appliance or a hardware
module installed in a chassis. A NIPS device can be installed inline on a network to monitor and prevent malicious traffic from being sent to other devices on the
network. One advantage of using a NIPS over a HIPS is that a NIPS can detect low-level network events, such as the scanning of random hosts on the network; a
HIPS can only detect scans for which it is the target. A HIPS and a NIPS can be used together to provide an additional layer of protection.
Although you could install a personal firewall to protect a host from malicious traffic, a personal firewall does not perform traffic analysis. However, a personal
firewall can work in conjunction with other software, such as a HIPS or a NIPS, to protect a host from a wider array of malicious activities. For example, Cisco
Advanced Malware Protection (AMP) for Endpoints can work in conjunction with a personal firewall to provide threat protection and advanced analytics.
You could not install antivirus software to analyze and prevent malicious traffic on that host. Antivirus software monitors the file system and memory space on a
host for malicious code. Although the antivirus software might protect the host from malicious file execution, it would be unable to protect the host from malicious
traffic. Some antivirus vendors offer integrated security suites, which feature personal firewall, HIPS, antivirus, and antimalware components.
You could not install a proxy server on a host to analyze and prevent malicious traffic on that host. A proxy server is typically an application layer gateway that
provides resource caching and traffic filtering for a particular class of traffic, such as web content. Although you could install a proxy server locally on a host, it
would not have a significant effect on malicious traffic directed at the host nor would it be able to analyze its content.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 19, Mitigation Technologies for Endpoint Threats, pp. 498-499

QUESTION 61
Which of the following traffic types can be detected by the FirePOWER rate-based prevention preprocessor engine? (Select the best answer.)

A. Back Orifice traffic
B. distributed port scan traffic
C. port sweep traffic
D. SYN flood traffic

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The FirePOWER rate-based prevention preprocessor engine can detect SYN flood traffic. A FirePOWER Intrusion Prevention System (IPS) has several predefined
preprocessor engines that can be used in network policies to detect specific threats; the preprocessors focus on detecting Back Orifice attacks, detecting port scan
attacks, preventing rate-based attacks, and detecting sensitive data. The rate-based prevention preprocessor detects traffic abnormalities based on the frequency of
certain types of traffic. The following traffic patterns can trigger rate-based attack prevention:

- Traffic containing excessive incomplete Transmission Control Protocol (TCP) connections
- Traffic containing excessive complete TCP connections
- Excessive rule matches for a particular IP address or range of IP addresses
- Excessive rule matches for one particular rule regardless of IP address

Distributed port scan traffic and port sweep traffic can be detected by the portscan detection preprocessor. Port scanning traffic can be an indicator that an attacker
is conducting network reconnaissance prior to an attack. Although legitimate port scanning traffic can periodically exist on a network, the portscan detection
preprocessor can distinguish between legitimate scanning and potentially malicious traffic based on the activity patterns found in the analysis of port scanning
traffic.
The FirePOWER IPS has a preprocessor dedicated to Back Orifice traffic. Back Orifice and its variants exploit a vulnerability in Microsoft Windows hosts to gain
complete administrative control of the host. Back Orifice traffic can be identified by the presence of a specific token, known as a magic cookie, in the first eight
bytes of a User Datagram Protocol (UDP) packet.
Reference:
Cisco: Detecting Specific Threats: Understanding RateBased Attack Prevention
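
The first two trigger patterns above amount to a sliding-window count of half-open and completed TCP connections per destination. The following added example (not from the page or from the FirePOWER product) implements that logic over a constructed list of handshake packets; the window length, the limits and the traffic are assumed values, whereas FirePOWER sets the count and the period per rate-based rule.

```python
"""Added example (not from the page or FirePOWER): rate-based detection of
excessive incomplete and complete TCP connections. Thresholds, window and
sample traffic are constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

Packet = Tuple[int, str, int, str, int, str]   # (time_ms, src, sport, dst, dport, flag)
Conn = Tuple[int, str, str]                     # (syn_time_ms, dst, "complete" | "incomplete")


def classify_handshakes(packets: List[Packet]) -> List[Conn]:
    """Pair each client SYN with the client's final ACK on the same 4-tuple.
    A SYN that never sees that ACK is an incomplete (half-open) connection."""
    pending: Dict[Tuple[str, int, str, int], int] = {}
    conns: List[Conn] = []
    for t, src, sport, dst, dport, flag in sorted(packets, key=lambda p: p[0]):
        key = (src, sport, dst, dport)
        if flag == "SYN":
            pending[key] = t
        elif flag == "ACK" and key in pending:
            conns.append((pending.pop(key), dst, "complete"))
    conns += [(t, key[2], "incomplete") for key, t in pending.items()]
    return sorted(conns, key=lambda c: c[0])


def rate_alerts(conns: List[Conn], window_ms: int = 10_000,
                limits: Optional[Dict[str, int]] = None) -> List[Tuple[int, str, str, int]]:
    """Sliding-window count per (destination, kind). An alert fires when the
    count first exceeds its limit and re-arms once the count drops back
    under the limit. Limits and window are assumed values."""
    limits = limits or {"incomplete": 20, "complete": 100}
    windows: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
    active = set()
    alerts = []
    for t, dst, kind in conns:
        q = windows[(dst, kind)]
        q.append(t)
        while q[0] < t - window_ms:        # drop events older than the window
            q.popleft()
        if len(q) > limits[kind]:
            if (dst, kind) not in active:
                active.add((dst, kind))
                alerts.append((t, dst, kind, len(q)))
        else:
            active.discard((dst, kind))
    return alerts


def build_sample() -> List[Packet]:
    """Constructed traffic: 25 SYNs from 25 sources to 10.0.0.5:80 that never
    complete, plus three normal handshakes to 10.0.0.9:443."""
    pkts: List[Packet] = [(i * 100, f"198.51.100.{i + 1}", 40000 + i, "10.0.0.5", 80, "SYN")
                          for i in range(25)]
    for i in range(3):
        t, sport = 500 + i * 1000, 50000 + i
        pkts.append((t, "192.0.2.10", sport, "10.0.0.9", 443, "SYN"))
        pkts.append((t + 20, "192.0.2.10", sport, "10.0.0.9", 443, "ACK"))
    return pkts


def detect(packets: List[Packet]) -> List[Tuple[int, str, str, int]]:
    return rate_alerts(classify_handshakes(packets))


if __name__ == "__main__":
    for t, dst, kind, count in detect(build_sample()):
        print(f"t={t}ms dst={dst} {kind} connections in window: {count}")
```

With the assumed limit of 20 the incomplete-connection count for 10.0.0.5 crosses the threshold on the 21st SYN and one alert is raised; the three completed handshakes to 10.0.0.9 stay far below their limit. The classification step is what separates the first trigger (incomplete connections) from the second (complete ones), which is why the two are listed as distinct patterns.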

QUESTION 62
Which of the following commands should you issue to allow a packet to exit an ASA through the same interface through which it entered the ASA? (Select the best
answer.)

A. same-security-traffic permit inter-interface
B. same-security-traffic permit intra-interface
C. security-level 0
D. security-level 100
E. established

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
To allow a packet to exit a Cisco Adaptive Security Appliance (ASA) through the same interface through which it entered, which is also known as hairpinning, you
should issue the same-security-traffic permit intra-interface command. By default, an ASA does not allow packets to enter and exit through the same physical
interface. However, because multiple logical virtual LANs (VLANs) can be assigned to the same physical interface, it is sometimes necessary to allow a packet to
enter and exit through the same interface. The same-security-traffic permit intra-interface command allows packets to be sent and received from the same interface
even if the traffic is protected by IP Security (IPSec) security policies. Another scenario for which you would need to use the same-security-traffic permit intra-interface
command is if multiple users need to connect via virtual private network (VPN) through the same physical interface. These users will not be able to communicate with
one another unless the same-security-traffic permit intra-interface command has been issued from global configuration mode.
You should not issue the same-security-traffic permit inter-interface command to allow a packet to exit through the same interface through which it entered. The
same-security-traffic permit inter-interface command is used to allow communication between different interfaces that share the same security level. Typically,
interfaces with the same security level are not allowed to communicate with each other.
You should not issue either the security-level 0 command or the security-level 100 command to allow a packet to exit through the same interface through which it
entered. The security-level command is used to set the security level on a physical interface. Security level 0 should be used to achieve the lowest security level
possible, whereas security level 100 should be used to achieve the highest security level available.
You should not issue the established command to allow a packet to exit through the same interface through which it entered. The established command is used to
allow inbound traffic on any interface that has already established an outbound connection with the ASA. For example, you could issue the established tcp 4567 0
command to configure the ASA to allow an external host to initiate a connection through the ASA to an internal host after the internal host has first established a
Transmission Control Protocol (TCP) connection to port 4567 on the external host. The established command is often used to support protocols such as streaming
media protocols that negotiate the ports for return traffic.
Reference:
Cisco: Configuring Interfaces: Allowing Same Security Level Communication

QUESTION 63
Which of the following devices requires that a physical interface be in promiscuous mode in order to monitor network traffic? (Select the best answer.)

A. an IPS
B. a firewall
C. a router
D. an IDS
E. an ASA

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
An Intrusion Detection System (IDS) requires that a physical interface be in promiscuous mode in order to monitor network traffic. An IDS is a network monitoring
device that does not sit inline with the flow of network traffic; an IDS passively monitors a copy of network traffic, not the actual packet. Typically, an IDS has one
promiscuous network interface attached to each monitored network. A promiscuous device listens to all data flowing past it regardless of the destination. Because
traffic does not flow through the IDS, the IDS cannot mitigate single-packet attacks and is unable to directly block malicious traffic, like a virus, before it passes onto
the network. However, an IDS can actively send alerts to a management station when it detects malicious traffic.
An Intrusion Prevention System (IPS) sits inline with the flow of traffic, thus actively monitoring network traffic and blocking malicious traffic, such as an atomic or
single-packet attack, before it passes onto the network. Blocking an attack inline can prevent the attack from spreading further into the network. An IPS requires at
least two interfaces for each monitored network: one interface listens to traffic entering the IPS, and the other listens to traffic leaving the IPS. In addition, an IPS
acts similarly to a Layer 2 bridge in that it passes traffic through to destinations on the same subnet; an IPS cannot route to destinations on a different subnet. An
interface of an IPS can be put in promiscuous mode; when this happens, the device operates as an IDS on that interface. However, an IPS does not require that a
physical interface be in promiscuous mode in order to monitor network traffic.
A firewall is a network security device that protects a trusted network from an untrusted network, such as the Internet. Firewalls can operate in either routed mode
or transparent mode. In routed mode, the firewall acts as a Layer 3 device that can perform Network Address Translation (NAT) and route traffic between virtual
LANs (VLANs) on different subnets. In transparent mode, the firewall acts as a Layer 2 bridge in that it can pass traffic through to destinations on the same subnet
but cannot route to destinations on a different subnet. Although a firewall is a security appliance that permits or denies traffic on a network, a firewall does not
require that a physical interface be in promiscuous mode in order to monitor network traffic.
A router is a device that connects multiple subnets of the same or different networks and passes information between them. The functionality of a router can vary
depending on the size of the network on which it is deployed. For example, a Cisco IPS Advanced Integration Module (AIM) can be installed in a router to integrate
IPS functionality at the hardware level. Alternatively, an IOS feature set with IPS capabilities can be installed to provide IPS functionality at the software level. A
router operating as an IPS or IDS can serve as a part of the network security structure as well as a bridge between two segments of the network. Although a router
can function as an IPS or IDS, a router does not require that a physical interface be in promiscuous mode in order to monitor network traffic.
The Cisco Adaptive Security Appliance (ASA) is a multifunction appliance that can provide firewall, virtual private network (VPN), intrusion prevention, and content
security services. The Cisco ASA is based on the framework of the Private Internet Exchange (PIX) firewall appliance. If used as an IPS device in IDS mode, or
promiscuous mode, the Cisco ASA can have a physical interface in promiscuous mode; however, Cisco ASA does not require that a physical interface be in
promiscuous mode in order to monitor network traffic.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 17, Difference Between IPS and IDS, pp. 460-462
Cisco: Cisco IPS Mitigation Capabilities

QUESTION 64
Which of the following is typically implemented in a cluster configuration? (Select the best answer.)

A. ACS
B. CSA
C. CTA
D. SSC

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Cisco Secure Access Control System (ACS) is typically implemented in a cluster configuration. ACS is an Authentication, Authorization, and Accounting (AAA)
server that uses Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) to provide AAA
services for users, hosts, and network infrastructure devices such as switches and routers. An ACS deployment typically consists of a primary server responsible
for configuration, authentication, and policy enforcement and one or more secondary servers serving as a backup in case the primary server fails. In large-scale
deployments, the primary server’s function is typically relegated to configuration and synchronization services, whereas the secondary servers provide AAA
services to the network clients.
Cisco Trust Agent (CTA) is responsible for ascertaining the status of security applications and management tools that are installed on a client. As client software,
CTA communicates host posture information back to a network access device on a Cisco Network Admission Control (NAC) framework. NAC is a Cisco feature
that prevents hosts from accessing the network if they do not comply with organizational requirements, such as containing an updated antivirus definition file. When
NAC is configured on an access device, such as a router or switch, the NAC device intercepts connections from hosts that are not yet registered on the network.
When a host attempts to connect to the network, the access device queries the CTA running on the host for the host's security status. The access device then
sends this information to the ACS, which determines whether the host is in compliance with organizational security policies. If the host is in compliance, it is allowed
to access the network; if the host is not in compliance, it can be denied access, quarantined, or allowed limited network access.
Cisco Secure Services Client (SSC) is client security software that facilitates the use of one authentication framework for connecting to both wired and wireless
devices on a Cisco Unified Wireless Network. SSC makes use of the Extensible Authentication Protocol (EAP), Wi-Fi Protected Access (WPA), and WPA2
standards to control network access and enforce security policies for clients using Microsoft Windows platforms. Cisco SSC is not typically implemented in a cluster
configuration.
Cisco Security Agent (CSA) is a Host-based Intrusion Prevention System (HIPS) that can be installed on host computers, servers, and point-of-sale (POS) computers.
CSA can help protect these devices from malicious network traffic, such as zero-day attacks. In addition, CSA can provide local firewall services, antivirus services,
and security policy enforcement. CSA is not typically implemented in a cluster configuration.
Reference:
Cisco: Understanding the ACS Server Deployment (PDF)

QUESTION 65
Which of the following traffic types are blocked by default in a zone-based policy firewall configuration? (Select 2 choices.)

A. traffic to or from the self zone
B. traffic between interfaces in the same zone
C. traffic between interfaces in a zone and interfaces not assigned to any zone
D. traffic between interfaces in different zones
E. traffic directly to or received from the router

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In a zone-based policy firewall (ZFW) configuration, all traffic between interfaces in different zones is blocked by default. In addition, all traffic between interfaces
that have been assigned to a zone and interfaces that are not assigned to any zone is blocked by default. ZFW is the latest iteration of Cisco’s stateful firewall
implementation, which was formerly called Context-Based Access Control (CBAC). With ZFW, virtual security zones are specified and then interfaces are assigned
to the appropriate zone. By default, all traffic is implicitly permitted to flow between interfaces that have been assigned to the same zone; however, all traffic
between zones is blocked. In addition, all traffic to and from an interface is implicitly blocked by default when the interface is assigned to a zone, but there are a few
exceptions. Traffic to or from other interfaces in the same zone is permitted, as is traffic to or from the router itself. When ZFW is configured, a special zone called
the self zone is automatically created and contains the IP addresses of all the router interfaces. By default, all traffic to or from the self zone is implicitly permitted;
this implicit permission ensures that management access to the router is not lost when ZFW is configured.
In order for traffic to flow between user-configured zones, stateful packet inspection policies must be configured to explicitly permit traffic between the zones. The
basic process is as follows:
1. Define the required zones.
2. Create zone-pairs for zones that will pass traffic between themselves.
3. Define class maps to match the appropriate traffic for each zone-pair.
4. Define policy maps to specify the actions that should be performed on matching traffic.
5. Apply the policy maps to the zone-pairs.
6. Assign interfaces to their appropriate zones.
Although inspection rules can be created for a large number of traffic types, stateful inspection of multicast traffic is not supported by ZFW and must be handled by
other security features, such as Control Plane Policing (CoPP).
Reference:
Cisco: Zone-Based Policy Firewall Design and Application Guide: Rules For Applying Zone-Based Policy Firewall
Category:
Cisco Firewall Technologies
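
The default rules and the six-step process above, as an added example (not from the page or from Cisco): a small model that returns what ZFW does with the first packet of a flow between two interfaces, together with a generator for the corresponding IOS commands. The zone, interface, class-map and policy-map names are constructed; the permit between two unzoned interfaces is an assumption taken from Cisco's design guide (interfaces outside any zone keep classic router behaviour), since the explanation above does not cover that case.

```python
"""Added example (not from the page or Cisco): model of the zone-based policy
firewall default rules and a generator for the matching IOS commands.
Names are constructed; the unzoned-to-unzoned permit is an assumption."""
from typing import Dict, List, Tuple


class ZoneFirewall:
    """ZFW default behaviour for the first packet of a flow. Return traffic of
    inspected sessions is allowed by the state table and is not modelled."""

    def __init__(self) -> None:
        self.zone_of: Dict[str, str] = {}                        # interface -> zone
        self.pairs: Dict[Tuple[str, str], Dict[str, str]] = {}  # (src zone, dst zone) -> {protocol: action}

    def assign(self, interface: str, zone: str) -> None:
        self.zone_of[interface] = zone

    def add_zone_pair(self, src: str, dst: str, policy: Dict[str, str]) -> None:
        """policy maps a protocol (what a class map would match) to inspect, pass or drop."""
        self.pairs[(src, dst)] = policy

    def decision(self, in_if: str, out_if: str, protocol: str) -> Tuple[str, str]:
        """Return (action, reason) for traffic entering in_if and leaving out_if;
        the string "self" stands for the router itself."""
        zin = "self" if in_if == "self" else self.zone_of.get(in_if)
        zout = "self" if out_if == "self" else self.zone_of.get(out_if)
        if zin is None and zout is None:
            return "permit", "neither interface is in a zone (assumed: classic router port behaviour)"
        if zin is None or zout is None:
            return "drop", "zoned interface to interface in no zone"
        if zin == zout:
            return "permit", "same zone"
        policy = self.pairs.get((zin, zout))
        if policy is None:
            if "self" in (zin, zout):
                return "permit", "self zone without a zone-pair policy"
            return "drop", "different zones and no zone-pair"
        return policy.get(protocol, "drop"), "zone-pair policy (class-default drops)"

    def ios_config(self) -> List[str]:
        """Emit the commands for steps 1 to 6 above, in CLI dependency order."""
        lines = [f"zone security {z}" for z in sorted(set(self.zone_of.values()))]     # step 1
        for (src, dst), policy in self.pairs.items():
            name = f"{src.upper()}-TO-{dst.upper()}"
            by_action: Dict[str, List[str]] = {}
            for proto, action in policy.items():
                by_action.setdefault(action, []).append(proto)
            for action, protos in by_action.items():                                   # step 3
                lines.append(f"class-map type inspect match-any {name}-{action.upper()}")
                lines += [f" match protocol {p}" for p in protos]
            lines.append(f"policy-map type inspect {name}-PMAP")                       # step 4
            for action in by_action:
                lines += [f" class type inspect {name}-{action.upper()}", f"  {action}"]
            lines += [" class class-default", "  drop"]
            lines.append(f"zone-pair security {name} source {src} destination {dst}")  # step 2
            lines.append(f" service-policy type inspect {name}-PMAP")                  # step 5
        for interface, zone in self.zone_of.items():                                   # step 6
            lines += [f"interface {interface}", f" zone-member security {zone}"]
        return lines


def build_example() -> ZoneFirewall:
    """Constructed topology: two inside interfaces, one outside, one left unzoned."""
    fw = ZoneFirewall()
    fw.assign("GigabitEthernet0/0", "inside")
    fw.assign("GigabitEthernet0/3", "inside")
    fw.assign("GigabitEthernet0/1", "outside")
    fw.add_zone_pair("inside", "outside", {"http": "inspect", "dns": "inspect", "icmp": "pass"})
    return fw


if __name__ == "__main__":
    fw = build_example()
    for flow in [("GigabitEthernet0/0", "GigabitEthernet0/1", "http"),
                 ("GigabitEthernet0/0", "GigabitEthernet0/1", "ssh"),
                 ("GigabitEthernet0/1", "GigabitEthernet0/0", "http"),
                 ("GigabitEthernet0/0", "GigabitEthernet0/2", "http"),
                 ("GigabitEthernet0/0", "self", "ssh")]:
        print(flow, "->", fw.decision(*flow))
    print("\n".join(fw.ios_config()))
```

The model makes the two correct answers visible: a flow from a zoned interface to the unzoned GigabitEthernet0/2 is dropped, and inside-to-outside traffic is dropped until a zone-pair policy inspects or passes it, while same-zone and self-zone traffic is permitted without any policy. The generated commands follow the listed steps; class maps and the policy map are emitted before the zone-pair because the service-policy must reference an existing policy map.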

QUESTION 66
An inside host has initiated a TCP connection through a Cisco ASA to an outside server. The outside server has responded with a SYN/ACK segment; however,
the inside host has not yet responded with an ACK segment.

Which of the following lines of output from the show conn command best represents the state of the connection in this scenario? (Select the best answer.)

A. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB
B. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA
C. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB
D. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A
E. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U
F. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The following line of output from the show conn command on a Cisco Adaptive Security Appliance (ASA) best represents the state of a connection that is waiting on
only the ACK segment from an inside host:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A

The output of the show conn command uses connection flags to indicate the status of each entry in the ASA connection database. The connection database is
used by the stateful firewall feature of the ASA to track the state of each network connection that passes through it. The flags that an ASA uses to track a
connection entry are dependent on the interface that initiated the connection. Typically, each connection entry has corresponding inside and outside interfaces. In
terms of the connection database, the inside interface for the entry is the interface with the higher security level, whereas the outside interface for the entry is the
interface with the lower security level. In addition, a data flow from the inside interface to the outside interface is considered to be moving in the outbound direction
and a data flow from the outside interface to the inside interface is considered to be moving in the inbound direction.
When an ASA receives the first packet from a Transmission Control Protocol (TCP) connection, it creates an entry in the connection database. The ASA
immediately adds the B flag to the entry if the connection was initiated from the outside. The ASA then uses various flags to indicate the progress of the TCP
three-way handshake. For example, if a connection is initiated from the inside, the ASA will add the saA flags to the entry, as shown in the following command
output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA
The s flag indicates that the ASA is awaiting a SYN segment from the outside host, and the a flag indicates that the ASA is waiting for an ACK response segment to
the SYN that was initiated from the inside host. When the corresponding SYN/ACK segment is received from the outside host, it will satisfy both of these flags and
the ASA will clear the flags from the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A

The remaining A flag indicates that the ASA is awaiting an ACK segment from the inside host. When the host on the inside responds to the SYN/ACK segment with
the corresponding ACK segment, the ASA will clear the A flag and will mark the connection with the U flag, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U

The U flag indicates that the three-way handshake is complete and that the TCP session is established. Once the TCP session is established, the hosts can begin to
exchange data. In this example, the inside host has established a Secure Shell (SSH) session to an outside server. When the outside server sends data to the
inside host, the ASA will add the I flag to the entry to indicate that data has passed through the session in the inbound direction. Likewise, the ASA will add the O
flag to the entry to indicate that data has passed through the session in the outbound direction. Thus a normal TCP session should have flags similar to those
shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO

By contrast, if the connection were initiated from the outside, the ASA would have added the SaAB flags to the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB

The S flag indicates that the ASA is awaiting a SYN segment from the inside host, and the A flag indicates that the ASA is waiting for an ACK response segment to
the SYN that was initiated from the outside host. When the corresponding SYN/ACK segment is received from the inside host, it will satisfy both of these flags and
the ASA will clear the flags from the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB

The remaining a flag indicates that the ASA is awaiting an ACK segment from the outside host. When the host on the outside responds to the SYN/ACK segment
with the
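The flag semantics described above are easy to misread in a long show conn dump, so the following Python script, added here as an example and not part of the exam material, parses lines in the format quoted above (the sample lines are constructed, not captured from a real ASA), reports where each entry is in the three-way handshake, and lists the half-open entries that a SYN scan or SYN flood leaves behind. The state strings and the helper names are this example's own.

```python
import re

# Constructed sample "show conn" lines in the format quoted in the explanation
# above; they are not captured from a real ASA.
SAMPLE_CONNS = """\
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:05, bytes 4120, flags UIO
TCP outside 198.51.100.7:33421 inside 10.1.1.20:443 idle 0:00:00, bytes 0, flags SaAB
TCP outside 198.51.100.7:33421 inside 10.1.1.20:443 idle 0:00:00, bytes 0, flags aB
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+idle\s+(?P<idle>\S+),\s+"
    r"bytes\s+(?P<bytes>\d+),\s+flags\s*(?P<flags>\S*)$"
)

# Handshake-tracking flags, as described in the explanation above.
FLAG_MEANING = {
    "B": "initial SYN came from the outside",
    "s": "awaiting SYN from the outside host",
    "S": "awaiting SYN from the inside host",
    "a": "awaiting ACK from the outside host",
    "A": "awaiting ACK from the inside host",
    "U": "three-way handshake complete (up)",
    "I": "inbound data seen",
    "O": "outbound data seen",
}


def parse_conn(line):
    """Split one show conn line into its fields; flags become a set of characters."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognized show conn line: %r" % line)
    conn = m.groupdict()
    conn["bytes"] = int(conn["bytes"])
    conn["flag_string"] = conn["flags"]
    conn["flags"] = frozenset(conn["flags"])
    return conn


def handshake_state(flags):
    """Describe where in the three-way handshake a connection is, from its flags."""
    flags = set(flags)
    if "U" in flags:
        return "established"
    if "B" not in flags:                       # initiated from the inside (outbound)
        if {"s", "a", "A"} <= flags:
            return "outbound: SYN sent, awaiting SYN/ACK from outside"
        if "A" in flags:
            return "outbound: SYN/ACK received, awaiting ACK from inside"
    else:                                      # initiated from the outside (inbound)
        if {"S", "a", "A"} <= flags:
            return "inbound: SYN received, awaiting SYN/ACK from inside"
        if "a" in flags:
            return "inbound: SYN/ACK received, awaiting ACK from outside"
    return "unknown: " + ", ".join(FLAG_MEANING.get(f, f) for f in sorted(flags))


def embryonic_connections(show_conn_text):
    """Return the half-open TCP entries (no U flag yet) with their handshake state."""
    result = []
    for line in show_conn_text.splitlines():
        if not line.strip():
            continue
        conn = parse_conn(line)
        if conn["proto"] == "TCP" and "U" not in conn["flags"]:
            result.append((conn["out_ip"], conn["in_ip"], handshake_state(conn["flags"])))
    return result


if __name__ == "__main__":
    for line in SAMPLE_CONNS.splitlines():
        c = parse_conn(line)
        print("%-5s %s -> %s  %s" % (c["flag_string"], c["out_ip"], c["in_ip"],
                                     handshake_state(c["flags"])))
    print("half-open entries:", len(embryonic_connections(SAMPLE_CONNS)))
```

A large number of entries stuck in the "awaiting ACK from outside" state from many different outside addresses is the pattern a SYN scan or spoofed SYN flood produces; counting them per outside address with embryonic_connections is a quick first check before tuning the ASA's embryonic connection limits.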

QUESTION 67
Which of the following is an IOS privilege level that provides the highest level of access on a Cisco router? (Select the best answer.)

A. 0
B. 1
C. 15
D. 16

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The highest level of access on a Cisco router is provided by IOS privilege level 15. Privilege levels can be used to limit the IOS commands that a user can access.
However, you are limited to 16 privilege levels, some of which are used by default by the IOS. For example, privilege levels 1 and 15 are default IOS privilege
levels. Privilege level 1 allows a user to issue any command that is available at the user EXEC > prompt. Privilege level 15 allows a user to issue any command that
is available at the privileged EXEC # prompt.
Each privilege level is associated with a list of commands that are available at that level. Users assigned to a privilege level have access to all of the commands at
that privilege level and all lower privilege levels. Changing the commands that are available to a privilege level might provide access to a user who should not be
allowed access to the command, or it might restrict access to another user who should be allowed access to the command.
Because the default privilege level for a newly created local user account is 1, a newly created user will always have access to the disable, enable, exit, help, and
logout commands; these commands are associated with privilege level 0. However, per-user privilege levels can sometimes conflict with the privilege levels set for
virtual terminal (VTY) lines. In the event of a conflict, the per-user privilege level overrides the privilege level configured on the VTY line.
Although there are 16 distinct privilege levels that can be assigned on a Cisco router, 16 is not a valid value for a privilege level. Valid values for user-assigned
privilege levels are whole numbers ranging from 0 through 15.

Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 11, Custom Privilege Levels, p. 287
Cisco: IOS Privilege Levels Cannot See Complete Running Configuration: Privilege Levels

QUESTION 68
Which of the following statements is true regarding LDAP attribute maps on an ASA? (Select the best answer.)

A. There is a defined limit on the number of LDAP attribute maps you can configure.
B. There is a defined limit on the number of attributes that can be mapped in each LDAP attribute map.
C. There is a defined limit on the number of LDAP servers to which an LDAP attribute map can be applied.
D. There is a defined limit on the number of AD multivalued attributes matched by an LDAP attribute map.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When using Lightweight Directory Access Protocol (LDAP) attribute maps on a Cisco Adaptive Security Appliance (ASA), there is a limit on the number of Active
Directory (AD) multivalued attributes matched by an LDAP attribute map. LDAP attribute maps are used to authorize virtual private network (VPN) users based on
specified AD attributes, such as group membership or department name. If an LDAP query returns a multivalued attribute, such as the list of groups of which a user
is a member, the ASA will match only one of the returned values to the appropriate group policy. The ASA will select the matching group policy with the least
number of characters in the name and that starts with the lowest alphanumeric character.
There is no defined limit on the number of LDAP attribute maps you can configure on an ASA. Because LDAP attribute maps are dynamically allocated as they are
needed, configuring a large number of attribute maps does not unnecessarily burden the ASA during normal operations. Likewise, there is no defined limit on the
number of attributes that can be mapped in each LDAP attribute map.
There is no defined limit on the number of LDAP servers to which an LDAP attribute map can be applied. When an LDAP attribute map is applied to a server, the
ASA only verifies that the specified attribute map exists. The same LDAP attribute map can be applied to multiple, different servers.
Reference:
Cisco: ASA Use of LDAP Attribute Maps Configuration Example: FAQ

QUESTION 69

Which of the following can be determined from the Route Details tab of the VPN Client Statistics dialog box shown above? (Select the best answer.)

A. The VPN client cannot access devices on the local LAN.


B. The VPN client is configured to use split tunneling.
C. The VPN client is configured to use transparent tunneling.
D. The VPN client cannot access devices on the 172.16.20.0/24 network.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Route Details tab of the VPN Client Statistics dialog box displayed below indicates that the virtual private network (VPN) client is configured to use split
tunneling:

By default, all traffic from a VPN client is passed through an encrypted tunnel to the VPN server. However, with split tunneling, only traffic destined for a protected
subnet is passed through the encrypted tunnel; all other traffic is processed normally. You can define protected subnets on the VPN server by entering the network
address of each protected subnet on the Split Tunneling tab of the Group Policy window or by specifying an access control list (ACL) that includes each protected
subnet. When a client establishes a VPN session, the list of protected subnets is passed from the VPN server to the VPN client as part of the session configuration
parameters.
Alternatively, the VPN client can be configured to pass all nonlocal traffic through an encrypted tunnel to the VPN server. If the group policy on the VPN server
permits local LAN access and the VPN client is configured to allow local LAN access, all traffic that is not destined to the local LAN is sent through the encrypted
tunnel. For example, if the VPN client had a locally configured route to the 192.168.13.0/24 network, packets destined for that network would be processed
normally. However, any packets destined for a network not in the VPN client's routing table, such as the Internet, would pass through the encrypted tunnel to the
VPN server. This configuration is represented on the Route Details tab of the VPN Client Statistics dialog box shown below:

The VPN Client Statistics dialog box does not indicate that the client cannot access devices on the 172.16.20.0/24 network. Because the 172.16.20.0/24 network is
listed in the Secured Routes pane, traffic destined for the 172.16.20.0/24 network will pass through the encrypted tunnel to the VPN server. However, traffic
destined for a network not in the Secured Routes pane, such as the Internet or the local LAN, will not pass through the tunnel and will be processed normally.
Likewise, the VPN Client Statistics dialog box does not indicate that the client cannot access devices on the local LAN. Because the client is configured for split
tunneling, only traffic destined for a network in the Secured Routes pane is passed through an encrypted tunnel to the VPN server. All other traffic, including local
LAN traffic, is processed normally.
You cannot determine from the Route Details tab of the VPN Client Statistics dialog box whether the client is configured to use transparent tunneling. The Tunnel
Details tab of the VPN Client Statistics dialog box indicates whether the client is configured to use transparent tunneling. Transparent tunneling facilitates the
creation of IP Security (IPSec) tunnels through a firewall or Network Address Translation (NAT) device. When transparent tunneling is enabled on the client,
encrypted packets are encapsulated in Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets prior to transmission through the firewall or
NAT device.
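The two routing behaviours contrasted above (split tunneling versus tunnel-all with optional local LAN access) can be checked against a destination list with the following Python script, added here as an example rather than taken from the exam material or from any Cisco client. The secured routes and the local LAN prefix are constructed values standing in for what the VPN server pushes to the client at session setup.

```python
import ipaddress

# Constructed values for the example; the real list comes from the VPN server's
# group policy (the Split Tunneling tab or the split-tunnel ACL) at session setup.
SECURED_ROUTES = ["172.16.20.0/24", "10.10.0.0/16"]   # what the Secured Routes pane lists
LOCAL_LAN = "192.168.13.0/24"                          # the client's directly connected LAN


def split_tunnel_path(dst, secured_routes):
    """Split tunneling: only destinations inside a secured route enter the tunnel.
    Everything else, including the local LAN and the Internet, is routed normally."""
    ip = ipaddress.ip_address(dst)
    for net in secured_routes:
        if ip in ipaddress.ip_network(net, strict=False):
            return "tunnel"
    return "local"


def tunnel_all_path(dst, local_lan, local_lan_access):
    """Tunnel-all policy: everything enters the tunnel except, when both the group
    policy and the client permit it, traffic for the directly connected LAN."""
    ip = ipaddress.ip_address(dst)
    if local_lan_access and ip in ipaddress.ip_network(local_lan, strict=False):
        return "local"
    return "tunnel"


def classify(destinations, secured_routes, local_lan, local_lan_access):
    """Compare the two policies side by side for a list of destinations."""
    return {
        dst: {
            "split": split_tunnel_path(dst, secured_routes),
            "tunnel-all": tunnel_all_path(dst, local_lan, local_lan_access),
        }
        for dst in destinations
    }


if __name__ == "__main__":
    sample = ["172.16.20.7", "10.10.4.2", "192.168.13.5", "203.0.113.10"]
    for dst, paths in classify(sample, SECURED_ROUTES, LOCAL_LAN, True).items():
        print("%-14s split=%-6s tunnel-all=%s" % (dst, paths["split"], paths["tunnel-all"]))
```

The comparison makes the security trade-off visible: under split tunneling the Internet-bound destination bypasses the VPN gateway entirely, so whatever inspection the gateway performs never sees that traffic, which is why many organizations default to tunnel-all and grant local LAN access only where printers or similar devices require it.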
Reference:
Cisco: ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example: Connect with the VPN Client
CCNA Security 210-260 Official Cert Guide, Chapter 8, Split Tunneling, pp. 227-228

QUESTION 70
Which of the following IPS detection methods is a string pattern-based detection method? (Select the best answer.)

A. anomaly-based detection
B. profile-based detection
C. signature-based detection
D. policy-based detection

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Signature-based detection is a string pattern-based detection method. Pattern-based detection methods use specific strings of text to detect malicious traffic. Many
signature-based detection methods can also use protocols and port numbers to further specify malicious traffic patterns. The benefit of signature-based detection
methods is that the number of false positives generated is typically low. However, the drawback is that a modified attack cannot be detected by an old signature;
the modified attack will not be detected until a new signature is added for the modified attack. Therefore, Cisco recommends updating signature files, including
antivirus signatures, every time a new update is available.
Anomaly-based detection methods and profile-based detection methods detect abnormal behavior on a network. Traffic is classified as normal or abnormal based on
a baseline that is dynamically learned or manually programmed. The benefit of anomaly-based detection is that anything that is not specified as normal is classified
as abnormal; therefore, anomaly-based detection can typically detect a wide range of threats, including attacks for which no signature exists yet. One drawback of
anomaly-based detection is that the baseline of normal traffic must be relearned on a regular basis on all but the smallest of networks, and any legitimate traffic that
falls outside the baseline generates a false positive. Another drawback is the memory and processing power required to maintain profiles for each user.
Policy-based detection methods use algorithms to detect patterns in network traffic. The benefit of policy-based detection methods is that they can often detect when
a coordinated attack, such as a Distributed Denial of Service (DDoS) attack, is happening, whereas a signature-based detection method might detect only a
collection of individual Denial of Service (DoS) attacks.
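The contrast drawn above between a signature that misses a slightly modified attack and an anomaly profile that catches it but also flags unusual legitimate traffic can be reproduced with the following Python script, added here as an example and not part of the exam material or of any Cisco IPS. The baseline requests, the two signatures, and the "normal" features the profile learns (request length and count of shell metacharacters) are all constructed for the illustration; the attack strings are inert text.

```python
import re

# Constructed sample HTTP request lines used as the "normal" baseline; none of
# these come from the page or from real traffic.
BASELINE = [
    "GET /index.html HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /about.html HTTP/1.1",
    "POST /login HTTP/1.1 user=alice&pass=secret",
    "GET /search?q=routers HTTP/1.1",
    "GET /docs/asa/conn-flags.html HTTP/1.1",
]

# Signature-based detection: fixed patterns of known-bad content.
SIGNATURES = {
    "unix-passwd-read": re.compile(r"cat\s+/etc/passwd"),
    "php-cmd-param": re.compile(r"\.php\?cmd="),
}

SHELL_METACHARS = set(";|$`{}")


def signature_scan(request, signatures=SIGNATURES):
    """Return the names of every signature whose pattern appears in the request."""
    return [name for name, pattern in signatures.items() if pattern.search(request)]


class AnomalyProfile:
    """Anomaly-based detection: learn what normal traffic looks like, flag the rest.
    The profile is deliberately simple: two features learned from the baseline."""

    def __init__(self, baseline):
        self.max_len = max(len(r) for r in baseline)
        self.max_meta = max(self._metachars(r) for r in baseline)

    @staticmethod
    def _metachars(request):
        return sum(1 for ch in request if ch in SHELL_METACHARS)

    def is_anomalous(self, request):
        return len(request) > self.max_len or self._metachars(request) > self.max_meta


def classify(request, profile, signatures=SIGNATURES):
    """Run both detection methods over one request and report what each one says."""
    return {
        "signature": signature_scan(request, signatures),
        "anomaly": profile.is_anomalous(request),
    }


if __name__ == "__main__":
    profile = AnomalyProfile(BASELINE)
    samples = {
        "known attack":    "GET /cgi-bin/test.cgi?cmd=;cat /etc/passwd HTTP/1.1",
        "modified attack": "GET /cgi-bin/test.cgi?cmd=;cat${IFS}/etc/passwd HTTP/1.1",
        "benign but odd":  "GET /promo?code=$SAVE10 HTTP/1.1",
        "ordinary":        "GET /index.html HTTP/1.1",
    }
    for label, req in samples.items():
        print("%-16s %s" % (label, classify(req, profile)))
```

Replacing the space in "cat /etc/passwd" with ${IFS} is enough to slip past the whitespace-based signature while still executing the same command on a vulnerable CGI host, which is why signature updates lag new variants; the anomaly profile catches it on the first try, but it also flags the harmless promotional code containing a dollar sign, the false positive the text warns about.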
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 17, Signature-Based IPS/IDS, p. 464
Symantec: Network Intrusion Detection Signatures, Part One

QUESTION 71
You have been asked to add a key to an existing keychain. You issue the following commands to enter key chain key configuration mode:
RouterA(config)#key chain chain1
RouterA(config-keychain)#key 2
RouterA(config-keychain-key)#key-string key2

The new key should be valid for three hours, and the router should begin sending the key at 9 a.m. on January 13, 2015.
Which of the following commands should you issue next to achieve your goal? (Select the best answer.)

A. accept-lifetime 09:00:00 Jan 13 2015 duration 3
B. accept-lifetime 09:00:00 Jan 13 2015 duration 180
C. send-lifetime 09:00:00 Jan 13 2015 duration 180
D. send-lifetime 09:00:00 Jan 13 2015 duration 10800

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

Explanation:
You should issue the send-lifetime 09:00:00 Jan 13 2015 duration 10800 command to specify that the key in this scenario should be valid for three hours and that
the router should begin sending the key at 9 a.m. on January 13, 2015. The send-lifetime command is used to specify the period of time during which a key should
be sent by a router for authentication. The syntax for this command is send-lifetime start-time {infinite | end-time | duration seconds}, where start-time specifies the
date and time that the key should start being sent. By default, keys are valid indefinitely; however, you can use the duration keyword to specify a duration value
between 1 and 2,147,483,646 seconds. In this scenario, the duration is 10800 seconds, which is three hours, and the start time is 09:00:00 Jan 13 2015, which
corresponds to 9 a.m. on January 13, 2015.
You should not issue the send-lifetime 09:00:00 Jan 13 2015 duration 180 command, because the key duration is incorrectly specified as 180 seconds, which is
three minutes, instead of 10,800 seconds, or three hours.
You should not issue the accept-lifetime 09:00:00 Jan 13 2015 duration 3 command or the accept-lifetime 09:00:00 Jan 13 2015 duration 180 command. The
accept-lifetime command specifies the time period during which a received key is considered valid. By default, received keys are accepted indefinitely. The
accept-lifetime command affects only the acceptance of received keys; it has no effect on the period of time during which the router sends the key for
authentication, so issuing it without a send-lifetime command would leave the key being sent indefinitely.
Reference:
Cisco: IP Routing Protocol-Independent Commands: send-lifetime

QUESTION 72
Which of the following can be mitigated by installing a personal firewall on a laptop? (Select the best answer.)

A. a SYN flood attack
B. a cross-site scripting attack
C. a port-scanning attack
D. a session-hijacking attack

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Installing a personal firewall on a laptop can mitigate a port-scanning attack. In a port-scanning attack, an attacker uses a port-scanning application to probe a
computer to determine which ports are open and potentially vulnerable to attack. After determining which ports are open, the attacker can attempt to access the
computer through an open port. With a personal firewall, you can protect a host from malicious traffic by permitting or denying specific applications or network
ports access to the host or its network interface. Typically, a personal firewall provides sufficient granularity to specify the direction of a particular flow of traffic. For
example, you could permit outbound web traffic but deny all inbound traffic that does not correspond to established outbound connections; unsolicited probes are
then dropped, so the scanner cannot tell which services are listening.
Installing a personal firewall on a laptop would not mitigate a session-hijacking attack. A session-hijacking attack requires that the attacker determine the Initial
Sequence Number (ISN) for a new Transmission Control Protocol (TCP) session. The ISN is used during the TCP three-way handshake to synchronize the states of
the sending and receiving hosts. If an attacker can guess the ISN or any subsequent sequence number for a connection, the attacker can hijack the session.
Typically, an attacker will disrupt the connection by forcing one of the hosts to become unsynchronized and will then assume the identity of the unsynchronized host
by spoofing its IP address. Session hijacking relies on the attacker being able to determine the correct sequence number for any given segment in a TCP session.
Because some hosts use predictable, incrementing ISNs rather than random ISNs, an attacker can estimate the ISN that a vulnerable host will use for a new
connection by first initiating a connection of their own to the host and observing the current ISN.
Installing a personal firewall on a laptop would not mitigate a cross-site scripting (XSS) attack. An XSS attack takes advantage of weaknesses within a web
application to insert malicious code into input fields on a web form. If the attack is successful, the attacker might be able to inject code into the webpage, which
could allow the attacker to perform a variety of malicious tasks, such as redirecting visitors to another website or harvesting cookies from the victim's computer.
Server-side input validation and output encoding can be used to mitigate XSS attacks performed against a web application's own forms and parameters. However,
they do not protect a user who is lured by a link in an email to an attacker-controlled webpage containing malicious script.
Installing a personal firewall on a laptop would not mitigate a SYN flood attack. A SYN flood attack sends a large volume of SYN segments to a target host in an
attempt to saturate the target's TCP connection table. The SYN flood attack exploits the TCP three-way handshake by sending TCP SYN segments from spoofed IP
addresses. When the target host replies to the spoofed IP addresses, the target's packets are ignored because the spoofed hosts do not have corresponding
entries in their TCP connection tables. The target host will continue to wait for responses from the spoofed hosts until the TCP handshake times out. With a
sufficient number of SYN requests, the target's TCP connection table can become full. Once the TCP connection table is full, the target host will be unable to
accept new TCP connections.
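The policy described above, permit outbound connections to a few ports and accept inbound packets only when they belong to a connection the host opened, is modelled by the following Python script, added here as an example; it is not the exam material's code and does not reproduce any vendor's product. The packet sequence is constructed: the laptop opens an HTTPS session, the server answers, and a scanner both probes the laptop directly and tries to inject a packet into the open connection's port from its own address.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving at the laptop) or "out" (leaving it)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class PersonalFirewall:
    """A minimal stateful host firewall: permit outbound connections to an allow-list
    of ports, permit inbound packets only when they belong to a connection the host
    itself opened, deny everything else."""

    def __init__(self, local_ip, allowed_outbound_ports):
        self.local_ip = local_ip
        self.allowed = set(allowed_outbound_ports)
        self.connections = set()   # (proto, local_port, remote_ip, remote_port)

    def process(self, pkt):
        if pkt.direction == "out":
            if pkt.src != self.local_ip or pkt.dport not in self.allowed:
                return "deny"
            # Remember the connection so that the reply can come back in.
            self.connections.add((pkt.proto, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        # Inbound: a bare SYN is never solicited; anything else must match state,
        # including the remote address, so a third party cannot reuse the port.
        if pkt.syn and not pkt.ack:
            return "deny"
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.connections else "deny"


def run(firewall, packets):
    """Apply the firewall to a packet sequence and return one verdict per packet."""
    return [firewall.process(p) for p in packets]


# Constructed traffic for the example (RFC 5737 documentation addresses).
LAPTOP, WEB, SCANNER = "10.1.1.18", "192.0.2.51", "203.0.113.9"
SAMPLE_PACKETS = [
    Packet("out", "tcp", LAPTOP, 52001, WEB, 443, syn=True),            # browser opens HTTPS
    Packet("in",  "tcp", WEB, 443, LAPTOP, 52001, syn=True, ack=True),  # server's SYN/ACK
    Packet("in",  "tcp", SCANNER, 40000, LAPTOP, 22, syn=True),         # port scan: ssh
    Packet("in",  "tcp", SCANNER, 40001, LAPTOP, 445, syn=True),        # port scan: smb
    Packet("in",  "tcp", SCANNER, 443, LAPTOP, 52001, ack=True),        # data for the open port, wrong peer
    Packet("out", "tcp", LAPTOP, 52002, WEB, 23, syn=True),             # telnet out: not on the allow-list
]

if __name__ == "__main__":
    fw = PersonalFirewall(LAPTOP, allowed_outbound_ports={80, 443})
    for pkt, verdict in zip(SAMPLE_PACKETS, run(fw, SAMPLE_PACKETS)):
        print("%-6s %s %s:%d -> %s:%d" % (verdict, pkt.direction, pkt.src, pkt.sport,
                                           pkt.dst, pkt.dport))
```

Every probe from the scanner is dropped, so the scan reveals nothing, which is the mitigation the question asks about. The same model also shows why a SYN flood is not mitigated: the flood targets a port the firewall has been told to accept connections on, and a filter that only drops unsolicited traffic has no rule that applies to connection attempts the host is supposed to serve.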
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 19, Personal Firewalls and Host Intrusion Prevention Systems, pp. 498-499

QUESTION 73
When a switch is configured with private VLANs, which of the following ports can an isolated port communicate with? (Select the best answer.)

A. ports within the same community


B. ports within a different community
C. other isolated ports
D. promiscuous ports

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
An isolated port can communicate with promiscuous ports when a switch is configured with private virtual
LANs (VLANs). Private VLANs can be configured on a switch to help isolate traffic within a VLAN. Private VLANs can provide Layer 2 separation between ports that
belong to the same VLAN. Because the separation exists at Layer 2, the hosts can exist on the same IP subnet. The VLAN to which the hosts belong is called the
primary VLAN. To create a private VLAN, you must create secondary VLANs and associate them with the primary VLAN. There are two types of secondary VLANs:
community VLANs and isolated VLANs. Ports that belong to a community VLAN can communicate with promiscuous ports and with other ports that belong to the
same community. However, they cannot communicate with isolated ports or with ports that belong to other communities. Ports that belong to an isolated VLAN can
communicate only with promiscuous ports.
After configuring the private VLAN, you can configure ports to participate in the private VLAN. When configuring a port to participate in a private VLAN, you must
configure the port by issuing the switchport mode private-vlan {promiscuous | host} command. The promiscuous keyword configures the port to communicate with
any secondary VLAN. Consequently, devices that should be reachable from any secondary VLAN should be connected to promiscuous ports. For example, a
router, a firewall, or a gateway that any host should be able to reach should be connected to a promiscuous port. By contrast, devices connected to isolated or
community VLANs should be connected to host ports, which are configured by using the host keyword.
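The reachability rules above (promiscuous talks to all, community talks within its own community, isolated talks only to promiscuous) are small enough to encode and check against a proposed port assignment, which the following Python script does; it is added here as an example and is not exam material or switch code. The port names and their roles are constructed for the illustration.

```python
# Port roles in a private VLAN, modelled after the explanation above.
PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


def can_communicate(role_a, role_b):
    """Return True if two private-VLAN ports can exchange frames at Layer 2.
    A role is a tuple (kind, community_name); community_name is None unless
    kind == "community"."""
    kind_a, comm_a = role_a
    kind_b, comm_b = role_b
    if PROMISCUOUS in (kind_a, kind_b):
        return True                       # promiscuous ports talk to everything
    if kind_a == COMMUNITY and kind_b == COMMUNITY:
        return comm_a == comm_b           # same community only
    return False                          # isolated ports, or isolated/community mixes


def reachability(ports):
    """ports: {port_name: (kind, community)}. Returns {port: sorted reachable ports}."""
    return {
        name: sorted(other for other in ports
                     if other != name and can_communicate(role, ports[other]))
        for name, role in ports.items()
    }


# Constructed example: a gateway on the promiscuous port, two web servers in one
# community, a database server in another, and two customer hosts on isolated ports.
PORTS = {
    "Gi1/0/1":  (PROMISCUOUS, None),     # router / firewall
    "Gi1/0/10": (COMMUNITY, "web"),
    "Gi1/0/11": (COMMUNITY, "web"),
    "Gi1/0/20": (COMMUNITY, "db"),
    "Gi1/0/30": (ISOLATED, None),        # customer A
    "Gi1/0/31": (ISOLATED, None),        # customer B
}

if __name__ == "__main__":
    for port, peers in reachability(PORTS).items():
        print("%-9s %-12s -> %s" % (port, PORTS[port][0], ", ".join(peers)))
```

The output is the Layer 2 view only: because every host can still reach the gateway, traffic between two isolated ports can be relayed through the router at Layer 3 unless an ACL on the promiscuous device blocks it, so a private VLAN is not a substitute for filtering on the gateway.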

Reference:
Cisco: Configuring Private VLANs: Understanding Private VLANs

QUESTION 74
Which of the following statements is not true regarding the IaaS service model? (Select the best answer.)

A. The consumer has control over the configuration of the OS running on the physical infrastructure in the cloud.
B. The consumer has control over the physical infrastructure in the cloud.
C. The consumer has control over the allocation of processing, memory, storage, and network resources within the cloud.
D. The consumer has control over development tools or APIs in the cloud running on the physical infrastructure in the cloud.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In the Infrastructure as a Service (IaaS) service model, the consumer does not have control over the physical infrastructure in the cloud. The National Institute of
Standards and Technology (NIST) defines three service models in its definition of cloud computing: Software as a Service (SaaS), IaaS, and Platform as a Service
(PaaS).
The SaaS service model enables its consumer to access applications running in the cloud infrastructure but does not enable the consumer to manage the cloud
infrastructure or the configuration of the provided applications. A company that licenses a service provider’s office suite and email service that is delivered to end
users through a web browser is using SaaS. SaaS providers use an Internet-enabled licensing function, a streaming service, or a web application to provide end
users with software that they might otherwise install and activate locally. Web-based email clients, such as Gmail and Outlook.com, are examples of SaaS.
The PaaS service model provides its consumer with a bit more freedom than the SaaS model by enabling the consumer to install and possibly configure
provider-supported applications in the cloud infrastructure. A company that uses a service provider’s infrastructure, programming tools, and programming languages
to develop and serve cloud-based applications is using PaaS. PaaS enables a consumer to use the service provider’s development tools or Application Programming
Interface (API) to develop and deploy specific cloud-based applications or services. Another example of PaaS might be using a third party’s MySQL database and
Apache services to build a cloud-based customer relationship management (CRM) platform.
The IaaS service model provides the greatest degree of freedom by enabling its consumer to provision processing, memory, storage, and network resources within
the cloud infrastructure. The IaaS service model also enables its consumer to install software, including operating systems (OSs) and custom applications.
However, with IaaS, the physical cloud infrastructure remains under the control of the service provider. A company that hires a service provider to deliver
cloud-based processing and storage that will house multiple physical or virtual hosts configured in a variety of ways is using IaaS. For example, a company that
wanted to establish a web server farm by configuring multiple Linux Apache MySQL PHP (LAMP) servers could save hardware costs by virtualizing the farm and
using a provider’s cloud service to deliver the physical infrastructure and bandwidth for the virtual farm. Control over the OS, software, and server configuration
would remain the responsibility of the organization, whereas the physical infrastructure and bandwidth would be the responsibility of the service provider.
Reference:
NIST: Special Publication 800-145: The NIST Definition of Cloud Computing (PDF)

QUESTION 75
Which of the following email-related FirePOWER preprocessors can extract and decode attachments in client-to-server traffic? (Select the best answer.)

A. only the IMAP preprocessor
B. only the POP3 preprocessor
C. only the SMTP preprocessor
D. only the POP3 and SMTP preprocessors
E. only the IMAP and SMTP preprocessors
F. the IMAP, POP3, and SMTP preprocessors

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:
Explanation:
On a Cisco FirePOWER Intrusion Prevention System (IPS), the Internet Message Access Protocol (IMAP), Post Office Protocol version 3 (POP3), and Simple Mail
Transfer Protocol (SMTP) preprocessors can extract and decode attachments in client-to-server traffic. The FirePOWER IMAP, POP3, and SMTP preprocessors are
Application layer inspection engines with the capability to decode email traffic and to normalize the resulting data prior to forwarding the traffic to the intrusion rules
engine for analysis.
In addition to generating an event when they observe anomalous traffic, the FirePOWER email-related preprocessor engines can inspect the commands that pass
between a client and a server to ensure that they are compliant with the relevant Request for Comments (RFC). For example, the IMAP preprocessor can generate
an event when either a client command or a server response does not comply with RFC 3501, which is the RFC that defines the IMAP protocol, and the POP3
preprocessor can do the same for commands that do not comply with RFC 1939, which is the RFC that defines the POP3 protocol. By contrast, the SMTP
preprocessor provides the ability to normalize all, none, or a specific set of SMTP commands, although a base set of commands will always be considered as part
of the custom valid set if normalization is enabled.
Reference:
Cisco: Application Layer Preprocessors: The IMAP Preprocessor
Cisco: Application Layer Preprocessors: The POP Preprocessor
Cisco: Application Layer Preprocessors: The SMTP Preprocessor

QUESTION 76
Which of the following authentication methods is not used with OSPFv3? (Select the best answer.)

A. plaintext
B. MD5
C. SHA1
D. IPv6 IPSec

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Plaintext authentication is not used with Open Shortest Path First version 3 (OSPFv3), which is also called OSPF for IP version 6 (IPv6). OSPFv3 relies on IPv6 IP
Security (IPSec) for authentication, using either Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1) as the integrity hash. Although plaintext
authentication is not used by OSPFv3, you can configure OSPFv3 either for authentication only, in which case the IPSec Authentication Header (AH) protects the
integrity of the OSPFv3 packets but leaves their contents readable, or for encryption, in which case the IPSec Encapsulating Security Payload (ESP) encrypts the
OSPFv3 packets as well as authenticating them. Encryption provides an extra layer of security but requires additional processing that could introduce latency. You
can issue either the ospfv3 authentication command or the ipv6 ospf authentication command to configure authentication for OSPFv3 on an interface, and either
the ospfv3 encryption command or the ipv6 ospf encryption command to configure ESP encryption.
MD5 and plaintext authentication are supported by OSPF version 2 (OSPFv2), which is the IPv4 version of OSPF. By default, no authentication method is used with
OSPFv2. To configure a router for MD5 authentication, you should first configure the MD5 key by issuing the ip ospf message-digest-key key-id md5 key
command in interface configuration mode; the ip ospf authentication-key command sets the plaintext password instead. Then you should enable MD5
authentication on the OSPF interface by issuing the ip ospf authentication message-digest command in interface configuration mode. Because plaintext
authentication is notoriously insecure, Cisco recommends using MD5 authentication for OSPFv2 instead of plaintext authentication.
Reference:
Cisco: IPv6 Routing: OSPFv3 Authentication Support with IPsec: How to Configure IPv6 Routing: OSPFv3 Authentication Support with IPsec

QUESTION 77
You have configured a Cisco Catalyst switch to store its binding table on a local TFTP server.
Which of the following commands can you issue to verify the URL that the agent will use to store the binding table on the TFTP server? (Select the best answer.)

A. show ip dhcp snooping


B. show ip dhcp snooping database
C. show ip dhcp snooping binding
D. show ip dhcp snooping statistics

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can issue the show ip dhcp snooping database command to verify the Uniform Resource Locator (URL) that the agent will use to store the binding table when
Dynamic Host Configuration Protocol (DHCP) snooping is configured on a Cisco Catalyst switch to store the binding table on a local Trivial File Transfer Protocol
(TFTP) server. DHCP snooping accepts DHCP server messages only from trusted switch interfaces and verifies all DHCP traffic from untrusted interfaces before
forwarding it. When a switch is configured to use DHCP snooping, the switch records each client's Media Access Control (MAC) address, assigned IP address,
lease time, VLAN, and interface in the DHCP snooping binding database, which is also known as the binding table. If the switch receives DHCP packets from an
untrusted interface that do not match entries in the binding table, such as a DHCPRELEASE for an address bound to a different interface, the switch drops the
packets. The binding table can be stored locally or it can be stored on a remote server.
The show ip dhcp snooping database command can be used to display the status of the DHCP snooping binding table agent and statistics regarding the status of
the binding table, such as the URL where the binding table can be found and how many successful writes have been committed to the table. For example, the
following sample output indicates that the binding table is stored in a file named bindingtable on the TFTP server with an IP address of 1.2.3.4:

The show ip dhcp snooping command displays general information regarding the DHCP snooping configuration on a switch, such as the virtual LANs (VLANs) for
which DHCP snooping is enabled and the trusted state of each interface. For example, the following sample output indicates that DHCP snooping is enabled for
VLANs 101, 201, and 301:

The show ip dhcp snooping binding command displays the dynamic entries in the binding table. You must use the show ip source binding command to view both
static and dynamic binding table entries. For example, the following sample output from the show ip dhcp snooping binding command indicates that two DHCP
clients from VLAN 101 have entries in the binding table:

The show ip dhcp snooping statistics command displays statistical information regarding the number of frames that have been forwarded or dropped by the DHCP
snooping configuration on a switch. You can use the detail keyword to display expanded statistics, which include the number of packets dropped for each denial
category, such as binding mismatches or exceeded rate limits. For example, the following sample output from the show ip dhcp snooping statistics command
indicates that 1,450 packets were forwarded and 118 packets were dropped, 105 of them because they arrived on untrusted ports:

Packets Forwarded                    = 1450
Packets Dropped                      = 118
Packets Dropped From untrusted ports = 105

Reference:
Cisco: Cisco IOS IP Addressing Services Command Reference: show ip dhcp snooping database
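
The commands discussed above fit together as follows. This is an added configuration example, not configuration or output from the original page; the VLAN list and the TFTP server (1.2.3.4, file bindingtable) are the ones used in the explanation, while the interface numbers, the VLAN-to-port assignment, the static host, the write delay, and the rate limit are assumptions.

```cisco
! Added example (not from the original page). Enable DHCP snooping only on
! the VLANs that carry DHCP clients, and persist the binding table so that
! it survives a reload.
ip dhcp snooping
ip dhcp snooping vlan 101,201,301
ip dhcp snooping database tftp://1.2.3.4/bindingtable
ip dhcp snooping database write-delay 60
!
! Option 82 insertion is on by default. If this switch is not the DHCP relay,
! an upstream relay or server may drop client packets that carry Option 82
! with giaddr 0.0.0.0, so leave it off unless the server expects it.
no ip dhcp snooping information option
!
! A host with a fixed address (assumed MAC/IP/port) gets a static entry. It
! is not learned from DHCP, so it appears in "show ip source binding" but
! not in "show ip dhcp snooping binding".
ip source binding 0011.2233.4455 vlan 101 10.1.101.50 interface GigabitEthernet1/0/5
!
! A port that exceeds its DHCP rate limit is err-disabled; let it recover.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Only the uplink toward the DHCP server may originate OFFER/ACK messages.
interface GigabitEthernet1/0/48
 description uplink-to-distribution
 switchport mode trunk
 ip dhcp snooping trust
!
! Access ports stay untrusted; the rate limit blunts DHCP starvation attacks.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 101
 ip dhcp snooping limit rate 15
!
! Verification (exec mode): trusted ports and VLANs, learned leases, static
! plus dynamic entries, database-agent status, per-reason drop counters.
show ip dhcp snooping
show ip dhcp snooping binding
show ip source binding
show ip dhcp snooping database
show ip dhcp snooping statistics detail
```

After the first clients renew, the "successful writes" counter in show ip dhcp snooping database should increase; if it stays at zero while the agent reports failures, the TFTP path or the write delay is wrong and the table will not survive the next reload.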

QUESTION 78
You have configured a CoPP policy to mitigate the effects of DoS attacks on the router.
Which of the following packet types does the CoPP policy affect? (Select the best answer.)

A. packets originating from the control plane
B. packets destined to the control plane
C. packets originating from the data plane
D. packets destined to the data plane

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Control Plane Policing (CoPP) policy in this scenario affects packets that are destined to the control plane of a router. Packets destined to the control plane are
typically packets intended to create or perform network operations on a router, such as packets from dynamic routing protocols or Address Resolution Protocol
(ARP) packets. These packets cannot be handled by Cisco’s normal fastpath switching mechanisms, such as Cisco Express Forwarding (CEF), because they
require special handling by the router's CPU, which is also known as the route processor. CoPP is a Cisco IOS feature that protects the route processor of a router
or switch from malicious traffic, such as Denial of Service (DoS) attacks.
The control plane is one of the four logical components that collectively define a router; the remaining components are the data plane, the management plane, and
the services plane. The control plane is the home of the route processor and is essential to the forwarding of packets because routing protocol operation, network
management, and process-based switching all involve the control plane. CoPP classifies the packets that enter the control plane (and, on platforms that support an
output policy, the packets that leave it) and rate-limits or drops each class, so that a flood of punted packets cannot starve the route processor of the CPU cycles
it needs for legitimate routing protocol and management traffic. Because traffic must pass through the control plane to reach the management plane, CoPP
protects the management plane as well.
The CoPP policy in this scenario does not affect packets that originate from the control plane of a router. DoS attacks that target a router use packets either that
are destined to the router itself or that require special handling by the router's route processor. Because packets originating from the control plane have already
passed through the route processor, a CoPP policy that affects packets exiting the control plane would not mitigate the effects of a DoS attack.
Cisco considers all packets that pass through a router without any interaction from the route processor as data plane traffic, which is also known as transit traffic.
Because DoS attacks on a router target the route processor, a CoPP policy that protects a router from DoS attacks would not affect packets originating from or
destined to the data plane.
Reference:
Cisco: Control Plane Policing: Benefits of Control Plane Policing
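
A minimal CoPP policy of the kind the scenario describes, added here as an example; it is not taken from the original page. The management subnet 10.0.0.0/24, the policer rates, and the ports listed as undesirable are assumptions. Collect the per-class counters from show policy-map control-plane during normal operation before turning exceed actions into drops.

```cisco
! Added example (not from the original page). Classify traffic punted to the
! route processor, then police each class under the control-plane interface.
ip access-list extended COPP-ROUTING
 permit ospf any any
 permit tcp any eq bgp any
 permit tcp any any eq bgp
ip access-list extended COPP-MGMT
 remark assumed management subnet
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
 permit udp any eq ntp any eq ntp
ip access-list extended COPP-UNDESIRABLE
 remark assumed examples of traffic the router should never process
 permit udp any any eq 1434
 permit tcp any any eq 445
!
class-map match-all COPP-CLASS-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-CLASS-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-CLASS-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
!
! Routing adjacencies are never dropped; management is capped; everything
! unclassified shares a small bucket. ARP is not IP, so an IP ACL cannot
! match it and it lands in class-default: do not drop class-default
! outright or address resolution breaks.
policy-map COPP-POLICY
 class COPP-CLASS-UNDESIRABLE
  police 8000 conform-action drop exceed-action drop
 class COPP-CLASS-ROUTING
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-CLASS-MGMT
  police 256000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! Verification: conform/exceed counters per class, and ACL hit counts.
show policy-map control-plane
show access-lists COPP-UNDESIRABLE
```

Traffic that transits the router is never matched by this policy, which is exactly the point of the question: CoPP sees only what is destined to the router itself, not data-plane traffic.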

QUESTION 79

Which of the following is the most likely reason for an organization to implement an extranet? (Select the best answer.)

A. to provide customers with large-scale computer services
B. to provide internal departments with independent security policies
C. to provide internal users with a customized website
D. to provide customers with access to the company’s internal network

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A company can implement an extranet to provide customers with access to the company’s internal network. An extranet is a portion of a company’s internal
network that is accessible to specific people outside of the company, such as business partners, suppliers, or customers. By creating an extranet, a company can
provide a location for sharing information with external users. For example, a consulting company could create an extranet for external customers to view and
comment on the consulting company’s progress on various projects. In many extranet implementations, the external customer network shares a bilateral
connection with the company’s internal network. This bilateral connection not only enables the external customer to access portions of the company’s internal
network, but it also enables portions of the company’s internal network to access the portions of the external customer’s network.
An extranet is not implemented to provide customers with large-scale computer services. A company could implement a cloud computing infrastructure to provide
large-scale computer services over a vast network, such as the Internet. Cloud computing allows for access to applications, storage space, and other services on
demand without requiring that the services be installed locally. Cloud computing can be used to replace or supplement highly utilized local systems. The use of
cloud-based services can simplify IT management by reducing or eliminating the amount of time needed to install, upgrade, and manage services.
An extranet is not implemented to provide internal departments with independent security policies. A company could implement security contexts on a firewall, such
as the Cisco Adaptive Security Appliance (ASA), to provide internal departments with independent security policies. Security contexts divide a single ASA into
multiple virtual devices with unique policies that can be managed by separate administrative domains. This division enables a single physical ASA to provide
security services for different departments while keeping the departments logically separated.
An extranet is not implemented to provide internal users with a customized website. Instead, an intranet can be created to provide internal users with their own
website. An intranet provides a location for sharing information among members of the company. Unlike an extranet, an intranet is typically available only to internal
users.
Reference:
SANS: SANS Institute InfoSec Reading Room: Security Considerations for Extranets (PDF)
Category: Security Concepts

QUESTION 80
Which of the following is the default connection profile that is applied to clientless SSL VPN connections? (Select the best answer.)

A. DefaultRAGroup
B. DefaultWEBVPNGroup
C. DefaultSSLVPNGroup
D. DefaultL2LGroup

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The DefaultWEBVPNGroup connection profile is the default connection profile that is applied to clientless Secure Sockets Layer (SSL) virtual private network (VPN)
connections. Connection profiles are used to separate remote VPN users into groups. For example, you can use one connection profile for contractors and another
connection profile for managers, with each profile providing access to different resources. If no connection profile is associated with a particular user or if the user
did not select a connection profile when the user initiated the VPN connection, the default connection profile will be used. For SSL VPN connections, the default
connection profile is the DefaultWEBVPNGroup profile. You can edit the default connection profiles, but you cannot delete them.
The DefaultRAGroup connection profile is not the default connection profile for clientless SSL VPN connections. This profile is the default profile used for
full-tunnel IP Security (IPSec) remote access VPN connections, including L2TP/IPSec connections.
The DefaultL2LGroup connection profile is not the default connection profile for clientless SSL VPN connections. This profile is the default profile used for IPSec
LANtoLAN VPN connections.
The DefaultSSLVPNGroup connection profile is not the default connection profile for clientless SSL VPN connections. This is not a default profile that is provided by
Cisco. You can create a connection profile named DefaultSSLVPNGroup, but it will not be used by default for clientless SSL VPN connections.
Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles

QUESTION 81
You are configuring a connection profile for Cisco AnyConnect SSL VPN users. You have accessed the Add SSL VPN Connection Profile dialog box in ASDM. You
want to configure a group URL for the connection profile.
On which of the following screens of this dialog box will you be able to accomplish your goal? (Select the best answer.)

A. the Basic screen
B. the General screen
C. the Authorization screen
D. the SSL VPN screen

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can configure a group Uniform Resource Locator (URL) for the connection profile that you are configuring for Cisco AnyConnect Secure Sockets Layer (SSL)
virtual private network (VPN) users on the SSL VPN screen of the Add SSL VPN Connection Profile dialog box in Cisco Adaptive Security Device Manager (ASDM).
If you configure a group URL for SSL VPN users, the users can connect to the group URL and will not be required to select a tunnel group when they establish a
connection. In such a scenario, the user is presented with only user name and password fields on the login screen. The Cisco Adaptive Security Appliance (ASA)
examines the URL from which the user is connecting and automatically applies the connection profile associated with the URL. Configuring a group URL can help
improve security because the user is not presented with a list of available connection profiles. Note that the drop-down list of profiles disappears only if no
profile advertises a group alias (the tunnel-group-list setting under webvpn); otherwise a user who browses to the bare host name still sees the list.
To configure a group URL for a new SSL VPN connection profile in ASDM, you should click Configuration, expand Network (Client) Access, click AnyConnect
Connection Profiles, and click Add under Connection Profiles, which will open the Add SSL VPN Connection Profile dialog box. In the Add SSL VPN Connection
Profile dialog box, expand Advanced and click SSL VPN to open the SSL VPN screen, which is shown in the following exhibit:

You cannot configure a group URL on the Basic screen of the Add SSL VPN Connection Profile dialog box in ASDM. On the Basic screen, you can configure the
connection profile name, the Authentication, Authorization, and Accounting (AAA) server group, the default group policy, and client addressing information, such as
Dynamic Host Configuration Protocol (DHCP) servers and IP address pools.
You cannot configure a group URL on the General screen of the Add SSL VPN Connection Profile dialog box in ASDM. On the General screen, you can enable
password management and configure password expiration notification options.

You cannot configure a group URL on the Authorization screen of the Add SSL VPN Connection Profile dialog box in ASDM. On the Authorization screen, you can
configure an authorization server group and user name certificate mapping.
Reference:
Cisco: General VPN Setup: Add or Edit SSL VPN Connections > Advanced > SSL VPN

QUESTION 82
You are configuring a connection profile for clientless SSL VPN connections. You have accessed the Add Clientless SSL VPN Connection Profile dialog box in
ASDM.
Which of the following authentication methods can you configure in this dialog box? (Select the best answer.)

A. only AAA
B. only OTP
C. only digital certificates
D. both AAA and OTP
E. both AAA and digital certificates

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can configure Authentication, Authorization, and Accounting (AAA) and digital certificate authentication on the Add Clientless SSL VPN Connection Profile
dialog box in Cisco Adaptive Security Device Manager (ASDM). Connection profiles are used to separate remote virtual private network (VPN) users into groups.
For example, you can use one connection profile for contractors and another connection profile for managers, with each profile providing access to different
resources.
You can configure a new connection profile by using ASDM. To configure a new connection profile for clientless Secure Sockets Layer (SSL) VPN connections by
using ASDM, you should click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, and click Connection Profiles, which will
open the Connection Profiles configuration pane. From this pane, you can view a list of existing connection profiles and you can create new connection profiles.
You should click the Add button under Connection Profiles in the Connection Profiles screen to create a new connection profile and to open the Add Clientless SSL
VPN Connection Profile dialog box, which is shown in the following exhibit:

In this dialog box, you can configure the connection profile details, including the authentication method to use, the Domain Name System (DNS) server to use, and
the group policy to apply to the connection profile. There are two authentication methods that are supported: AAA and Certificate. You can configure the connection
profile to use either or both of the methods.
You cannot select one-time passwords (OTPs) as an authentication method for connection profiles on the Add Clientless SSL VPN Connection Profile dialog box
in ASDM; an OTP deployment is reached through the AAA method, because it is the AAA server (a RADIUS server, for example) that validates the token code. OTP
is a two-factor user authentication method that typically uses a personal identification number (PIN) in conjunction with a code generated by a hardware or
software token. The token is synchronized with a central server and periodically generates a code. The code is only valid until the next code is generated, which
typically occurs in less than 60 seconds.
Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profile Connection Parameters for SSL VPN Sessions
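
The three preceding questions describe the same objects in ASDM terms. The CLI equivalent below is an added example, not taken from the original page, and makes the relationships explicit: a connection profile (tunnel-group) selected by group URL, AAA plus certificate authentication, and a DefaultWEBVPNGroup that denies access so that a session matching no profile cannot log in. The host name vpn.example.com, the interface names, the AnyConnect package file name, the address pool, and the local user are assumptions, as is an identity certificate already bound to the outside interface.

```cisco
! Added example (not from the original page). Assumes "ssl trust-point"
! already binds a certificate to the outside interface.
ip local pool CONTRACTOR-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
username contractor1 password Contr4ct0r!
!
! tunnel-group-list is deliberately left disabled: with no drop-down list,
! the only way to reach the CONTRACTORS profile is its group URL.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.10.00093-webdeploy-k9.pkg 1
 anyconnect enable
!
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 vpn-simultaneous-logins 1
!
! "Deny" policy: zero simultaneous logins rejects every session that lands
! here, even with valid credentials.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Sessions that present no group (no alias chosen, no group URL matched)
! fall into DefaultWEBVPNGroup. It cannot be deleted, so point it at NOACCESS.
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy NOACCESS
!
! Connection profile for contractors. general-attributes corresponds to the
! Basic/General screens in ASDM; webvpn-attributes to the SSL VPN screen.
tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 authentication-server-group LOCAL
 default-group-policy CONTRACTORS
 address-pool CONTRACTOR-POOL
tunnel-group CONTRACTORS webvpn-attributes
 authentication aaa certificate
 group-url https://vpn.example.com/contractors enable
!
! Verification
show running-config tunnel-group CONTRACTORS
show vpn-sessiondb anyconnect
show vpn-sessiondb webvpn
```

Because authentication aaa certificate requires both factors, a user who reaches the group URL without a client certificate is refused before the password is ever checked; check show vpn-sessiondb to confirm which tunnel group an established session actually landed in.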

QUESTION 83
Which of the following can you mitigate by implementing DAI? (Select the best answer.)

A. ARP poisoning attacks
B. MAC spoofing attacks
C. MAC flooding attacks
D. VLAN hopping attacks

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Implementing Dynamic ARP Inspection (DAI) can help mitigate Address Resolution Protocol (ARP) poisoning attacks. In an ARP poisoning attack, which is also
known as an ARP spoofing attack, the attacker sends a gratuitous ARP (GARP) message to a host. The GARP message associates the attacker’s Media Access
Control (MAC) address with the IP address of a valid host on the network, typically the default gateway. Subsequently, traffic sent to the valid host address will go
through the attacker’s computer rather than directly to the intended recipient. DAI intercepts ARP requests and replies on untrusted ports and checks the sender
IP-to-MAC pair against the DHCP snooping binding table (or against an ARP access list for hosts with static addresses); ARP packets that do not match a valid
binding are dropped and logged. DAI therefore depends on DHCP snooping being enabled for the same VLANs, and ports facing other switches must be marked
trusted so that legitimate ARP traffic is neither rate-limited nor dropped.
You should change the native virtual LAN (VLAN) on trunk ports to an unused VLAN to mitigate VLAN hopping attacks. In a VLAN hopping attack, the attacker
sends double-tagged 802.1Q frames over a trunk link. A double-tagged frame is an Ethernet frame containing two distinct 802.1Q headers. Although double tagging
can be used as a legitimate way to tunnel traffic through a network and is commonly used by service providers, it can also be used by an attacker to circumvent
security controls on an access switch. In a VLAN hopping attack, the attacker attempts to inject packets into other VLANs by accessing the native VLAN on a trunk
and sending double-tagged 802.1Q frames to the switch. The switch strips the outer 802.1Q header from the received frame and then forwards the frame, which still
includes an 802.1Q header, across a trunk port to the VLAN of the target host. A successful VLAN hopping attack enables an attacker to send unidirectional traffic
to other VLANs without the use of a router. Disabling Dynamic Trunking Protocol (DTP) on access ports (switchport mode access together with switchport
nonegotiate) closes the related switch-spoofing variant, in which the attacker's port negotiates itself into a trunk.
Implementing sticky secure MAC addresses can help mitigate MAC spoofing attacks. In a MAC spoofing attack, an attacker uses the MAC address of another
known host on the network in order to bypass port security measures. MAC spoofing can also be used to impersonate another host on the network.
Limiting the number of MAC addresses permitted on a port can help mitigate MAC flooding attacks. In a MAC flooding attack, an attacker generates thousands of
forged frames every minute with the intention of overwhelming the switch’s MAC address table. Once this table is flooded, the switch can no longer make intelligent
forwarding decisions and all traffic is flooded. This allows the attacker to view all data sent through the switch because all traffic will be sent out each port. A MAC
flooding attack is also known as a content addressable memory (CAM) table overflow attack.
Reference:
Cisco: Implementation of Security: ARP Spoofing Attack
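
The four mitigations named in the explanation are usually deployed together on an access switch. The following is an added example, not configuration from the original page; the interface numbers, VLAN 999 as the unused native VLAN, the statically addressed host, and the port-security limits are assumptions.

```cisco
! Added example (not from the original page). DAI checks ARP packets on
! untrusted ports against the DHCP snooping binding table, so snooping must
! already run on the same VLAN.
vlan 999
 name NATIVE-UNUSED
ip dhcp snooping
ip dhcp snooping vlan 101
ip arp inspection vlan 101
! Also require the MAC/IP inside the ARP body to agree with the Ethernet
! header and reject 0.0.0.0, multicast and broadcast sender addresses.
ip arp inspection validate src-mac dst-mac ip
!
! Hosts with static addresses have no DHCP binding; cover them with an ARP
! access list (assumed host), which DAI consults before the binding table.
arp access-list STATIC-HOSTS
 permit ip host 10.1.101.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 101
!
! Ports err-disabled by DAI recover on their own after the interval.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Uplink: trusted for DHCP and ARP. The native VLAN is an unused VLAN that
! is not in the allowed list, so a double-tagged frame from an access port
! is not accepted as native traffic and cannot hop into VLAN 101.
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 101,201,301
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports: no DTP (blocks trunk negotiation by a host), ARP rate
! limited, and port security with sticky MACs against MAC spoofing and CAM
! table flooding. "restrict" drops and logs offending frames without
! shutting the port; use "shutdown" where an err-disabled port is acceptable.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 101
 switchport nonegotiate
 ip arp inspection limit rate 15
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Verification: DAI state per VLAN and interface, drop counters, and the
! learned sticky addresses with their violation count.
show ip arp inspection vlan 101
show ip arp inspection interfaces
show ip arp inspection statistics vlan 101
show port-security interface GigabitEthernet1/0/1
```

The rate of 15 packets per second is the default for untrusted ports; a host that exceeds it is err-disabled, so raise the limit on ports that legitimately front many addresses (a hypervisor host, for example) rather than marking them trusted.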

QUESTION 84
You have configured a lawful intercept view, five CLI views, and two superviews on a Cisco router. How many additional CLI views can you create? (Select the best
answer.)

A. one
B. two
C. six
D. seven

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can create seven additional command-line interface (CLI) views on a Cisco router if you have already configured a lawful intercept view, five CLI views, and two
superviews. A CLI view enables an administrator to provide granular access to IOS commands and interfaces to a specific user or group of users. CLI views can be
grouped under a superview to provide access to all of the commands within each view. On hardware platforms that support it, a single lawful intercept view can be
created to provide secure access to a specific set of commands pertaining to voice calls and their associated Simple Network Management Protocol (SNMP) data.
The maximum number of CLI views you can create on a Cisco router is 15. This includes one lawful intercept view and any combination of CLI views and
superviews; however, this does not include the root view, which is created by default and does not count against the number of available views. In this scenario,
you have created eight views: one lawful intercept view, five CLI views, and two superviews. Because you can configure a maximum of 15 views, you can create
only seven more views. Each of the newly created views could be a CLI view or a superview but could not be a lawful intercept view, because one has already been
created.
Reference:
Cisco: RoleBased CLI Access: Restrictions for RoleBased CLI Access

QUESTION 85
Which of the following statements is true regarding the aaa new-model command? (Select the best answer.)

A. The aaa new-model command must be issued prior to enabling AAA accounting on a router.
B. The aaa new-model command must be issued after enabling AAA authentication on a router.
C. The aaa new-model command configures AAA to work only with RADIUS servers.
D. The aaa new-model command configures AAA to work only with TACACS+ servers.
E. The aaa new-model command has been deprecated in Cisco IOS versions 12.3 and later.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The aaa new-model command must be issued prior to enabling Authentication, Authorization, and Accounting (AAA) accounting on a router. AAA can be used to
control access to a router or switch. Before configuring authentication, authorization, or accounting using AAA, you must first issue the aaa new-model command to
enable AAA on the device; the aaa authentication, aaa authorization, and aaa accounting commands cannot be issued until the aaa new-model command is
issued. When the aaa new-model command is issued, local authentication is applied immediately to all router lines and interfaces; any existing line passwords
and login methods are superseded by the aaa new-model command. All future connection attempts will be authenticated using the method defined in the aaa
authentication command. Because the vty lines switch to local authentication the moment the command is entered, configure at least one local username (and
the enable secret) before issuing aaa new-model, and keep the current session open until a new login succeeds; otherwise you can lock yourself out of remote
access.
When implementing AAA, you can configure users to be authenticated against a local database, against a Remote Authentication Dial-In User Service (RADIUS)
server, or against a Terminal Access Controller Access Control System Plus (TACACS+) server. You are not limited to a single type of authentication with AAA; a
method list can name several methods, which are tried in order until one responds.
The aaa new-model command has not been deprecated in Cisco IOS versions 12.3 and later. This command is required in these versions of Cisco IOS in order to
implement AAA on a router or a switch.
Reference:
Cisco: Configuring Basic AAA on an Access Server: Enabling AAA
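
The ordering described in this question and the CLI views of the previous one depend on each other (parser views require aaa new-model), so the following added example covers both. It is not configuration from the original page; the server address 10.0.0.5, the keys and secrets, the view names, and the command sets granted to each view are assumptions.

```cisco
! Added example (not from the original page). Create a local administrator
! BEFORE aaa new-model: the command immediately switches every line to local
! authentication, and a device with no local user cannot be reached over SSH.
username admin privilege 15 secret 0 Adm1n-S3cret!
enable secret 0 En4ble-S3cret!
!
aaa new-model
!
tacacs server ACS1
 address ipv4 10.0.0.5
 key 0 T4cacs-K3y!
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
! Method lists are tried in order: TACACS+ first, the local database only
! when no server answers (a reject from the server is final).
aaa authentication login default group ACS-GROUP local
aaa authentication enable default group ACS-GROUP enable
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! The console uses a local-only list so an unreachable server never locks
! out physical access; vty lines use the default list and accept SSH only.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
!
! Role-based CLI views. They require aaa new-model and the root view, which
! is entered once from exec mode with "enable view" (enable secret prompt).
parser view HELPDESK
 secret 0 H3lpd3sk!
 commands exec include show ip interface brief
 commands exec include show ip route
 commands exec include ping
parser view NETOPS
 secret 0 N3t0ps!
 commands exec include all show
 commands exec include configure terminal
 commands configure include all interface
! A superview grants the union of its member views' commands and has no
! command list of its own.
parser view OPS-SUPER superview
 secret 0 Sup3rv13w!
 view HELPDESK
 view NETOPS
!
! Bind a local user to a view; a TACACS+ server can do the same by returning
! the cli-view-name attribute in the exec authorization reply.
username helpdesk1 view HELPDESK secret 0 H3lpd3sk-Us3r!
!
show parser view all
```

With this in place the eight views in the question's scenario would leave room for seven more parser view entries; show parser view all lists every view that currently counts toward the limit of 15.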

QUESTION 86
Which of the following signature microengines typically has the greatest effect on Cisco IOS IPS performance? (Select the best answer.)

A. atomic-ip
B. normalizer
C. service-http
D. service-smb-advanced
E. string-tcp

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices provided, the string-tcp signature microengine (SME) typically has the greatest effect on Cisco IOS Intrusion Prevention System (IPS) performance.
An SME compiles a specific category of signatures and loads them into the IPS regular expression table. Within each category is a number of signatures that can
analyze a packet or stream of packets for a particular pattern. For example, the atomic-ip SME contains signatures that can recognize a pattern in a single packet,
whereas the service-http SME contains signatures that can recognize a pattern in a stream of Hypertext Transfer Protocol (HTTP) packets. In general, the more of
a packet or stream of packets that an SME needs to analyze, the greater its impact on the available memory and CPU of the router. The string-tcp SME can analyze
one or more Transmission Control Protocol (TCP) packets, reassembled in order, and search the whole stream for a regular expression.
The atomic-ip SME can analyze the Layer 3 and Layer 4 header fields of a single packet. Because the atomic-ip SME signatures operate on a single packet, they
cannot preserve state information between packets. However, atomic-ip SME signatures do not consume large amounts of memory or CPU resources like
string-based SMEs can consume.
The service-http and service-smb-advanced SMEs can analyze Layer 5 through 7 information for HTTP and Server Message Block (SMB) network services,
respectively. Service SMEs are typically the most complicated SMEs because they understand and implement a significant portion of the network services for which
they are designed. For example, the service-http SME can effectively mimic the characteristics of a web server in order to analyze the HTTP payload between a web
server and its client. Because service SMEs have a deep knowledge of their underlying protocols, they can be optimized to decode only particular portions of a data
stream, thereby reducing their impact on memory and CPU utilization.
The normalizer SME is targeted at fragmented IP datagrams. The normalizer SME reassembles the fragmented IP datagrams and then analyzes the completed
datagram before deciding whether the datagram should be forwarded or discarded. If the normalizer SME decides that a datagram should be forwarded but the
datagram is too large to transmit, it will re-fragment the datagram prior to forwarding it. If the normalizer SME had to analyze fragmented datagrams based on the
many different ways that destination devices might reassemble them, it could consume a significant amount of memory and CPU resources; however, because the
normalizer SME reassembles datagrams without regard to how the target device will receive them, the process can be optimized with regard to memory and CPU
utilization.
Reference:
Cisco: Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 5.1: Example String TCP Signature
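
The practical consequence of the SME discussion is signature tuning: retired signatures are never compiled into the regular expression tables, so they cost no memory or CPU. The following is an added example, not taken from the original page, of an IOS IPS 5.x deployment that retires everything and then re-enables only the basic category plus one signature. The interface, the storage directory, and the chosen signature (2004/0, ICMP echo request, used purely as an illustration) are assumptions; loading the signature package and Cisco's public key is a separate step that is not shown.

```cisco
! Added example (not from the original page). Compiled signatures are kept
! in flash:ips; the directory must already exist (mkdir flash:ips in exec).
ip ips config location flash:ips
ip ips name IOSIPS
ip ips notify sdee
!
! Start from nothing, then un-retire the basic category, which is sized for
! routers with limited memory. Only un-retired, enabled signatures are
! compiled, so this bounds what the string and service engines have to scan.
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! Selectively bring back one signature and make it produce alerts.
ip ips signature-definition
 signature 2004 0
  status
   enabled true
   retired false
!
interface GigabitEthernet0/0
 ip ips IOSIPS in
!
! Verification: how many signatures each engine compiled and the memory
! each engine consumes; watch the string-tcp figures when memory is tight.
show ip ips signatures count
show ip ips statistics
show ip ips configuration
```

If show ip ips signatures count reports that a category failed to compile, the router ran out of memory during compilation; retire more of the string-based signatures before adding service categories.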

QUESTION 87

You have configured the password management feature for a tunnel group on an ASA. The ASA is using a Cisco Secure ACS RADIUS server for AAA authentication.
Which of the following actions will occur after a remote user with an expired password attempts to establish a VPN connection? (Select the best answer.)

A. The AnyConnect client will display an authentication failed dialog box and will not permit the user to establish the VPN connection until an admin unlocks the
user’s account.
B. The AnyConnect client will display a dialog box that prompts the user for a new password.
C. The AnyConnect client will display a dialog box that prompts the user for both their old password and a new password.
D. The AnyConnect client will display a dialog box notifying the user that their password has expired but will permit the user to establish the VPN connection with
the expired password.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the Cisco AnyConnect virtual private network (VPN) client will display a dialog box that prompts the user for a new password after a remote user
with an expired password attempts to establish a VPN connection. When a Cisco Adaptive Security Appliance (ASA) is configured to use the password
management feature for a particular tunnel group, the ASA will use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) rather than
Password Authentication Protocol (PAP) when communicating with the Remote Authentication Dial-In User Service (RADIUS) server and the AnyConnect client.
MS-CHAPv2 supports password expiry and password change capabilities that are not inherently supported by PAP or RADIUS. This enables the ASA to
understand a RADIUS Access-Reject message that carries MS-CHAPv2 password-expiry information instead of simply treating the message as an authentication
failure. When the ASA receives such a message, it sends a MODE_CFG message to the AnyConnect VPN client, causing it to display a dialog box that prompts the
user for a new password. The ASA then forwards the new password to the RADIUS server, and if the new password meets the configured password requirements,
the user is authenticated and the ASA can finish establishing the VPN connection. Two conditions must hold for this to work: the RADIUS server must accept
MS-CHAPv2 from the ASA, and MS-CHAPv2 must not have been disabled on the ASA's server entry (the mschapv2-capable setting, which is on by default).
The AnyConnect client will not prevent the user from establishing a VPN connection until an administrator unlocks the user’s account. Because the password
management feature is enabled on the ASA, it has the capability to prompt the user to update their expired password. However, if the password management
feature was not enabled on the ASA in this scenario, then Access-Reject messages received from the RADIUS server would be interpreted as authentication
failures and users with expired passwords would be unable to establish VPN connections.
The AnyConnect client will not prompt the user for both their old password and a new password, nor will it permit the user to establish the VPN connection with an
expired password.
Reference:
Cisco: ASA Remote Access VPN IKE/SSL Password Expiry and Change for RADIUS, TACACS, and LDAP Configuration Example: ASA with ACS via RADIUS
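
The server group and tunnel-group settings that produce the behaviour described above, as an added example that is not from the original page. The server address 10.0.0.5, the shared key, the address pool, the group policy, and the test user are assumptions.

```cisco
! Added example (not from the original page). RADIUS server group for the
! ACS. mschapv2-capable is the default and is shown only because password
! management depends on it: with "no mschapv2-capable" the ASA uses PAP and
! an expired password is indistinguishable from a bad one.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.0.0.5
 key R4dius-K3y!
 mschapv2-capable
!
group-policy EMPLOYEES internal
group-policy EMPLOYEES attributes
 vpn-tunnel-protocol ssl-client
!
ip local pool EMPLOYEE-POOL 10.20.20.1-10.20.20.100 mask 255.255.255.0
!
! password-management is the "Enable password management" box on the
! General screen in ASDM. The optional password-expire-in-days argument
! only applies to LDAP; with RADIUS the expiry comes from the server.
tunnel-group EMPLOYEES type remote-access
tunnel-group EMPLOYEES general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy EMPLOYEES
 address-pool EMPLOYEE-POOL
 password-management
tunnel-group EMPLOYEES webvpn-attributes
 group-alias employees enable
!
! Verification: confirm the ASA reaches the server, then watch the RADIUS
! exchange while a user whose password has expired logs in.
test aaa-server authentication ACS-RADIUS host 10.0.0.5 username alice password Old-Pa55
debug radius
debug webvpn 255
```

In the debug output the expired user's first attempt ends in an Access-Reject that carries an MS-CHAP-Error attribute; the ASA then prompts for the new password and a second Access-Request follows, which is the exchange the explanation describes.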

QUESTION 88
You want to issue the following block of commands on a Cisco ASA:
ASA(config)# nat (DMZ,INSIDE) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT
You do not have CLI access to the ASA and must use ASDM instead.
Which of the following samples of the Add NAT Rule dialog box corresponds to the configuration needed to achieve your goal? (Select the best answer.)

A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The following sample of the Add NAT Rule dialog box corresponds to the Cisco Adaptive Security Appliance (ASA) configuration needed to achieve your goal using
Cisco Adaptive Security Device Manager (ASDM):

In the exhibit shown above, the Match Criteria: Original Packet section of the Add NAT Rule dialog box contains fields that correspond to the interface and IP
address information in a matching packet prior to translation. The Source Interface field specifies the real source interface, the Source Address field specifies the
real source IP address, the Destination Interface field specifies the real destination interface, the Destination Address field specifies the real destination IP address,
and the Service: field specifies the real protocol port numbers for the original packet. By contrast, the Action: Translated Packet section of the Add NAT Rule dialog
box contains fields that correspond to the mapped interface and IP address information in a matching packet after translation. The Source NAT Type field specifies
the type of Network Address Translation (NAT), the Source Address field specifies the mapped source IP address, the Destination Address: field specifies the
mapped destination IP address, and the Service: field specifies the mapped protocol numbers for the translated packet.
The sample Add NAT Rule dialog box configures the ASA to map the real source IP address traffic from any network attached to the DMZ network to the IP
address assigned to the INSIDE interface. In addition, the mapped destination IP address defined in the INSIDESQLEXT object is mapped to the real destination IP
address defined in the INSIDESQLINT object. The following diagram depicts the translation of the addresses within matching packets where INSIDESQLEXT has
an IP address of 192.168.15.2 and INSIDESQLINT has an IP address of 192.168.13.2:

You could use the nat (DMZ,INSIDE) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT command from global configuration mode to
configure the same dynamic NAT rule as shown in the sample Add NAT Rule dialog box. When the nat command is issued from global configuration mode, it is
referred to as the nat (global) command and it can be used to configure twice NAT on the ASA. Twice NAT enables you to specify a mapping for both the source
address and destination address in a packet. The nat (global) command in this scenario can be used to create a dynamic NAT rule which translates traffic between
the DMZ and INSIDE interfaces of the ASA. The abbreviated syntax to create a dynamic NAT rule with the nat (global) command is nat
(real_interface,mapped_interface) source dynamic {real_object | any} {mapped_object | interface} destination static {mapped_object | interface} {real_object |
any}. Note that on the destination side the mapped object is listed first and the real object second, the reverse of the source side; swapping the two destination
objects (as in the next sample) produces a rule that is accepted but never matches the intended traffic.
The following sample of the Add NAT Rule dialog box corresponds to the nat (DMZ,INSIDE) source dynamic any interface destination static INSIDESQLINT
INSIDESQLEXT command:

The following sample of the Add NAT Rule dialog box corresponds to the nat (INSIDE,DMZ) source dynamic any interface destination static INSIDESQLEXT
INSIDESQLINT command:

The following sample of the Add NAT Rule dialog box corresponds to the nat (INSIDE,DMZ) source dynamic any interface destination static INSIDESQLINT
INSIDESQLEXT command:

Reference:
Cisco: Configuring Twice NAT: Configuring Dynamic PAT (Hide)
Cisco: Cisco ASA Series Command Reference: nat (global)
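
The complete CLI configuration behind the correct answer, as an added example that is not from the original page. The two object addresses are the ones used in the explanation; the DMZ test host 172.16.1.10, the access-list name, and the SQL port are assumptions.

```cisco
! Added example (not from the original page). Objects for the real and
! mapped addresses of the SQL server.
object network INSIDESQLINT
 host 192.168.13.2
 description real address of the SQL server on INSIDE
object network INSIDESQLEXT
 host 192.168.15.2
 description address DMZ hosts use to reach the SQL server
!
! Twice NAT (manual NAT, section 1). For a packet from any DMZ host to
! 192.168.15.2: the source is PATed to the INSIDE interface address and the
! destination becomes 192.168.13.2. The ASA derives the reverse translation
! itself, so return traffic needs no second rule. "any" as the real source
! also matches hosts behind other interfaces that route through DMZ; use an
! object for the DMZ subnet if that must be excluded.
nat (DMZ,INSIDE) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT
!
! Since ASA 8.3 interface ACLs reference REAL (untranslated) addresses, so
! the inbound DMZ ACL permits the real server address, not INSIDESQLEXT.
access-list DMZ_IN extended permit tcp any object INSIDESQLINT eq 1433
access-group DMZ_IN in interface DMZ
!
! Verification: the rule with its hit count, live translations, and a
! simulated packet through NAT, ACL and routing (assumed DMZ host).
show nat detail
show xlate
packet-tracer input DMZ tcp 172.16.1.10 40000 192.168.15.2 1433
```

In the packet-tracer output the NAT phase should show the destination rewritten to 192.168.13.2 and the source to the INSIDE interface address; if the ACCESS-LIST phase drops the packet, the ACL was written against the mapped address instead of the real one.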

QUESTION 89
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:

Which of the following tunneling protocols are supported by the boson group policy? (Select the best answer.)

A. only clientless SSL VPN
B. only SSL VPN Client
C. only IPSec
D. both clientless SSL VPN and SSL VPN Client
E. both clientless SSL VPN and IPSec
F. clientless SSL VPN, SSL VPN Client, and IPSec

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The boson group policy supports only IP Security (IPSec) as a tunneling protocol. You can specify the tunneling protocols that can be used to establish a
connection to a tunnel group, which is also known as a connection profile, either in a group policy or within a user account, depending on whether the tunneling
protocol configuration should be applied to a group or to a single user; user attributes take precedence over the group policy. When you configure a tunneling
protocol, you can specify one or more of the following four options: Clientless SSL VPN, SSL VPN Client, IPSec, or L2TP/IPSec (on ASA 8.4 and later, IPSec is split
into IKEv1 and IKEv2).
In this scenario, you can view the tunneling protocols that are configured for the boson group policy by accessing the group policy information in Cisco
Adaptive Security Device Manager (ASDM) by clicking Configuration, clicking the Remote Access VPN button, expanding Network (Client) Access, clicking Group
Policies, and double-clicking the boson group policy, which will open the Edit Internal Group Policy dialog box. The More Options section on the General pane
displays the Tunneling Protocols entry. This entry for the boson group policy is configured with the IPsec option, which means that the boson group policy supports
only IPSec connections. The following exhibit displays the General pane of the Edit Internal Group Policy dialog box for the boson group policy:

Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 90
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:

Which of the following IP address ranges will be used to assign addresses to VPN clients who connect by using the boson connection profile? (Select the best answer.)

A. 10.1.1.50 through 10.1.1.75
B. 10.1.10.50 through 10.1.10.75
C. 192.168.0.100 through 192.168.0.125
D. 192.168.10.100 through 192.168.10.125

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Virtual private network (VPN) clients who connect by using the boson connection profile will be assigned an IP address in the range from 10.1.1.50 through
10.1.1.75. You can create a local IP address pool on a Cisco Adaptive Security Appliance (ASA) to deploy IP addresses to remote VPN clients. The IP address pool
can then be applied to Cisco AnyConnect or IP Security (IPSec) connection profiles. To view the IP address pool that is associated with the boson connection
profile in Cisco Adaptive Security Device Manager (ASDM), you should click Configuration, click the Remote Access VPN button, expand Network (Client) Access,
click IPsec Connection Profiles, and then double-click boson, which will open the Edit IPsec Remote Access Connection Profile dialog box, as shown in the
following exhibit:

The Client Address Pools entry indicates that the boson_remote address pool has been configured for this connection profile. To view the IP addresses associated
with this address pool, you should expand Address Assignment under Network (Client) Access and then click Address Pools, which will display the Address Pools
pane, as shown in the following exhibit:

On this pane, you can determine that the boson_remote address pool will distribute IP addresses in the range from 10.1.1.50 through 10.1.1.75.
The boson_internal address pool will distribute IP addresses in the range from 10.1.10.50 through 10.1.10.75. The boson_extranet address pool will distribute IP
addresses in the range from 192.168.0.100 through 192.168.0.125. The temporary address pool will distribute IP addresses in the range from 192.168.10.100
through 192.168.10.125. The boson_remote address pool will not distribute IP addresses in any of those other ranges.
Reference:
Cisco: Deploying the AnyConnect Cisco Mobility Client: Configure a method of address assignment

QUESTION 91
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA.
Please click exhibit to answer the following questions.

Exhibit:

Which of the following group policies will be used when a user establishes a VPN connection by using the boson connection profile? (Select the best answer.)

A. internal
B. temporary
C. DfltGrpPolicy
D. boson

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The boson connection profile will use the boson group policy. When creating an IP Security (IPSec) connection profile in Cisco Adaptive Security Device Manager
(ASDM), you can specify a number of parameters. For example, you can specify the type of authentication to use and the default group policy to use for VPN
connections made by using the connection profile. This information can be configured or modified on the Add or Edit IPsec Remote Access Connection Profile
dialog box in ASDM. To access this dialog box in ASDM, you should click Configuration, click the Remote Access VPN button, expand Network (Client) Access,
click IPsec Connection Profiles, and then double-click the connection profile that you want to view. The Edit IPsec Remote Access Connection Profile dialog box for
the boson connection profile is shown in the following exhibit:

On the Basic pane, you can determine that the Group Policy setting is configured to use the boson group policy. Thus the boson connection profile will not use the
DfltGrpPolicy, the internal, or the temporary group policies.
Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles

QUESTION 92
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:

Which of the following will occur when a user attempts to establish a VPN connection to the ASA by using the boson connection profile and the boson user
account? (Select the best answer.)

A. The user will be unable to establish a VPN connection.
B. A banner will be displayed that states “Welcome to Boson Software!”
C. The internal group policy will be applied to the connection.
D. The VPN traffic will be sent by using only VLAN 2.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices available, a banner will be displayed that states “Welcome to Boson Software!” when a user attempts to establish a virtual private network (VPN)
connection to the Cisco Adaptive Security Appliance (ASA) by using the boson connection profile and the boson user account. You can configure a banner
message to be displayed when users establish a VPN connection. This information is configured in the group policy that is associated with the connection profile
used to create the connection.
In this scenario, the boson connection profile is associated with the boson group policy. The boson group policy is configured to inherit the banner settings from the
default group policy, DfltGrpPolicy. You can view the banner settings by clicking Configuration, clicking the Remote Access VPN button, expanding Network (Client)
Access, clicking Group Policies, and double-clicking the boson group policy, which will open the Edit Internal Group Policy dialog box, as shown in the following
exhibit:

Therefore, to determine whether a banner message will be displayed, you should view the details of the DfltGrpPolicy group policy. By viewing the details of the
default group policy, you can determine that a banner message has been configured that states “Welcome to Boson Software!” The following exhibit displays the
details of the DfltGrpPolicy group policy:

Because the boson group policy inherits the Banner setting, VPN connections made by using connection profiles that use the boson group policy will display the
“Welcome to Boson Software!” banner message.
The boson user will be able to establish a VPN connection. There is nothing in the boson user’s profile settings that would prevent the user from making a VPN
connection. Moreover, the user will also be able to establish a management session with the ASA, because the boson user has been granted administrative access
to the device.
The internal group policy will not apply to a VPN connection made by using the boson connection profile and the boson user account. The boson connection profile
is associated with the boson group policy, not the internal group policy.
The VPN traffic will not be sent by using only virtual LAN (VLAN) 2 when a user makes a VPN connection by using the boson connection profile and the boson user
account. Although you can configure VLAN restrictions for a group policy, none have been configured in this scenario.
Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attribute

QUESTION 93
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA.
Please click exhibit to answer the following questions.
Exhibit:

Which of the following users have been assigned to use the boson group policy? (Select the best answer.)

A. only jane
B. only john
C. only boson
D. both john and jane
E. john, jane, and boson

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Both the john and jane user accounts have been configured to use the boson group policy. When configuring a user account, you can specify the group policy to
associate with the user account. This is configured on the VPN Policy pane of the Add or Edit User Account dialog box. You can access the Add or Edit User
Account dialog box in Cisco Adaptive Security Device Manager (ASDM) by clicking Configuration, clicking the Remote Access VPN button, expanding AAA/Local
Users, clicking Local Users, double-clicking the user, and clicking VPN Policy, as shown in the following exhibit:

For both the john and jane user accounts, the Group Policy setting is configured to use the boson group policy. You can also view the group policy configuration for
all users on the Local Users pane in ASDM. For example, in the following exhibit, the VPN Group Policy column indicates that only the john and jane user accounts
are configured to use the boson group policy:

Reference:
Cisco: Configuring AAA Servers and the Local Database: Configuring VPN Policy Attributes for a User

QUESTION 94
You manage your company’s Cisco devices by using Telnet. Your supervisor is concerned about eavesdropping over in-band device management and has asked
you to recommend a solution that would allow you to disable the Telnet servers on each device.
Which of the following are you most likely to recommend as a replacement? (Select the best answer.)

A. SNMPv3
B. SSH
C. SFTP
D. SCP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Most likely, you will recommend Secure Shell (SSH) as a replacement for Telnet as a method of in-band management on your company’s Cisco devices. SSH is a
virtual terminal (VTY) protocol that can be used to securely replace Telnet. Telnet is considered to be an insecure method of remote connection because it sends
credentials over the network in clear text. Therefore, you should replace Telnet with an encrypted application, such as SSH, where possible. Encryption is a method
of encoding network traffic so that it cannot be read in transit. Thus encryption can be used to defeat eavesdropping attacks.
You are not likely to recommend any version of Simple Network Management Protocol (SNMP) as a replacement for Telnet. However, if your company were using
SNMP version 1 (SNMPv1) or SNMPv2 as a means of in-band management, you might recommend that your company use SNMPv3 instead. Three versions of
SNMP currently exist. SNMPv1 and SNMPv2 do not provide encryption; password information, known as community strings, is sent as plain text with messages.
SNMPv3 improves upon SNMPv1 and SNMPv2 by providing encryption, authentication, and message integrity to ensure that the messages are not tampered with
during transmission.
You are not likely to recommend either Secure File Transfer Protocol (SFTP) or Secure Copy (SCP) as a replacement for Telnet. However, either of those
applications could replace File Transfer Protocol (FTP), which is a protocol that is used to exchange files between devices. FTP transmits all data as clear text.
Both SFTP and SCP transmit information in an encrypted format.
Reference:
Cisco: Cisco Guide to Hardening IOS Devices: Use Secure Protocols When Possible
Cisco: SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches): Versions of SNMP

QUESTION 95
Which of the following commands should you issue when troubleshooting basic IKE peering to determine whether PSKs are present and matching on both peers?
(Select the best answer.)

A. ping
B. traceroute
C. show crypto isakmp policy
D. debug crypto isakmp

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should issue the debug crypto isakmp command to determine whether preshared keys (PSKs) are present and matching on both peers. If there is a PSK
mismatch between the peers, you will see the 1d00h: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 failed its sanity check or is malformed
debug error message. If a PSK is missing on one of the peers, you will see the 1d00h: %CRYPTO-4-IKMP_NO_PRESHARED_KEY: Preshared key for remote peer
at 10.11.12.13 is missing debug error message. To create a PSK, issue the crypto isakmp key key {address ip-address [mask] | hostname name} [no-xauth]
command.
When troubleshooting basic Internet Key Exchange (IKE) peering, you should perform the following steps:
1. Verify that the peers can reach each other.
2. Verify that the IKE policies match on both peers.
3. Verify that the peers successfully authenticate each other.

To verify that the peers can reach each other, you can issue the ping command. A successful ping indicates that connectivity between the peers exists. If the ping is
not successful, you can issue the traceroute command to see where the fault is occurring along the path between the two peers.
To verify that the IKE policies match on both peers, you can issue the show crypto isakmp policy command to display the IKE phase 1 policy settings that are
configured on the router, including the encryption algorithm, hash algorithm, authentication method, Diffie-Hellman (DH) key exchange mechanism, and security
association (SA) lifetime. The following displays sample output from the show crypto isakmp policy command:

RouterA#show crypto isakmp policy

Global IKE policy
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               3600 seconds, no volume limit

To configure IKE phase 1 policy parameters, issue the crypto isakmp policy priority command to enter ISAKMP policy configuration mode, where you can issue the
following commands:
- authentication
- encryption
- group
- hash
- lifetime
You can issue the debug crypto isakmp command to determine whether an IKE phase 1 policy mismatch is occurring. The debug error message 1d00h: ISAKMP
(0:1): atts are not acceptable. Next payload is 0 will appear when there is a phase 1 policy mismatch between the peers.

To verify that the peers successfully authenticate each other, you should issue the debug crypto isakmp command. If the PSKs are present and matching on both
peers, the IKE SA should establish successfully and communication between the sites should occur.
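The following Python helper is an added example, not part of the question bank or of any Cisco tool: it parses show crypto isakmp policy output from two peers in the layout shown above and reports which suites can match (step 2), and it maps the debug crypto isakmp messages quoted above to the troubleshooting step they point at (step 3). The show output and debug lines are constructed samples, and the lifetime handling (shorter value negotiated) follows the behaviour Cisco documents for IKEv1.

```python
"""Helpers for the three IKE phase 1 troubleshooting steps above."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed "show crypto isakmp policy" output for two peers (not captured from
# a real router). Only A's priority 20 and B's priority 15 agree on all attributes.
PEER_A_OUTPUT = """\
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               3600 seconds, no volume limit
"""
PEER_B_OUTPUT = """\
Protection suite of priority 5
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 15
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
"""

SUITE_RE = re.compile(r"Protection suite of priority (\d+)")
ATTR_RE = re.compile(r"^\s*(encryption|hash|authentication|Diffie-Hellman|lifetime)"
                     r"[^:]*:\s*(.*?)\.?\s*$")
# Attributes that must be identical on both peers; the lifetime is negotiated down instead.
MATCH_KEYS = ("encryption", "hash", "authentication", "diffie-hellman")


def parse_isakmp_policies(output: str) -> List[Dict[str, object]]:
    """Turn show output into one dict per protection suite, sorted by priority (lowest first)."""
    suites: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = SUITE_RE.search(line)
        if m:
            suites.append({"priority": int(m.group(1))})
            continue
        m = ATTR_RE.match(line)
        if m and suites:
            name, value = m.group(1).lower(), m.group(2)
            suites[-1][name] = int(value.split()[0]) if name == "lifetime" else value
    return sorted(suites, key=lambda s: s["priority"])


def find_matching_policy(initiator, responder) -> Optional[Tuple[int, int, int]]:
    """Mimic the responder's search: walk its own suites by priority and compare each
    against everything the initiator offered. Returns (initiator priority, responder
    priority, negotiated lifetime), or None when no suite matches (step 2 failure)."""
    for local in responder:
        for offered in initiator:
            if all(offered.get(k) == local.get(k) for k in MATCH_KEYS):
                return (offered["priority"], local["priority"],
                        min(offered["lifetime"], local["lifetime"]))
    return None


# debug crypto isakmp messages quoted in the explanation, mapped to the step they belong to.
DEBUG_SIGNATURES = (
    (re.compile(r"IKMP_NO_PRESHARED_KEY"), "step 3: no PSK configured for this peer"),
    (re.compile(r"IKMP_BAD_MESSAGE"), "step 3: PSK mismatch between the peers"),
    (re.compile(r"atts are not acceptable"), "step 2: no IKE phase 1 policy matches"),
)


def classify_debug_line(line: str) -> str:
    """Map one debug line to the troubleshooting step it points at."""
    for pattern, diagnosis in DEBUG_SIGNATURES:
        if pattern.search(line):
            return diagnosis
    return "unclassified"


if __name__ == "__main__":
    a, b = parse_isakmp_policies(PEER_A_OUTPUT), parse_isakmp_policies(PEER_B_OUTPUT)
    print("policy match (initiator prio, responder prio, lifetime):", find_matching_policy(a, b))
    # Constructed debug line in the format quoted in the explanation.
    print(classify_debug_line("1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0"))
```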
Reference:
Cisco: IPsec Troubleshooting: Understanding and Using debug Commands: debug crypto isakmp
Cisco: Configuring Internet Key Exchange Version 2 (IKEv2): Example How a Policy Is Matched

QUESTION 96
Your company has installed and configured a Sourcefire device. You want to reduce false positives from a trusted source.

Which of the following could you do? (Select 2 choices.)

A. Configure an Allow action with an Intrusion Policy.
B. Configure a Block action with an Intrusion Policy.
C. Configure a Trust action.

D. Configure an Allow action without an Intrusion Policy.
E. Configure a Block action without an Intrusion Policy.
F. Configure a Monitor action.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You could configure a Sourcefire Allow action without an Intrusion Policy to reduce false positives from a trusted source. Alternatively, you could configure a Trust
action. A false positive occurs when an intrusion detection system (IDS) or intrusion prevention system (IPS) identifies non-malicious traffic as malicious. Sourcefire
devices are commercial Cisco IDSs based on the open-source IDS known as Snort.
A Sourcefire device can match traffic based on a number of conditions, including security zones, networks, virtual LAN (VLAN) tags, source or destination ports,
applications, Uniform Resource Locators (URLs), or users. The Sourcefire is also capable of handling traffic matching a given condition by applying an action, or
rule, to the traffic. The actions that are supported by a Sourcefire include all of the following:
- Monitor
- Trust
- Block
- Interactive Block
- Allow
Configuring actions is a step in configuring granular access control rules, which in turn is part of developing an Access Control Policy.
A Sourcefire can inspect and log traffic that is passed by the Allow action. Sourcefire inspection occurs when an Intrusion Policy is applied to this action. Applying
an action without an Intrusion Policy performs the given action when traffic matches a condition but does not inspect the traffic. Therefore, you could apply an Allow
action without an Intrusion Policy to allow all traffic matching a given condition and prevent that traffic from generating a false positive. Conversely, you might apply
an Allow action with an Intrusion Policy to permit all but malicious traffic that matches a given condition.
The Trust action allows traffic to pass uninspected and not logged. Therefore, the Trust action can never prevent malicious traffic from passing through the
Sourcefire and will never generate false positives. You cannot configure a Block action with an Intrusion Policy. In addition, you should not configure a Block action
to prevent false positives in this scenario. The Block action blocks traffic and does not perform any type of inspection.
You do not need to configure a Monitor action. The Monitor action does not determine whether traffic is blocked or allowed based on a matching condition; its
purpose is to track traffic from the network. This action is primarily used to log all traffic that connects to the Sourcefire. The Monitor action will log the traffic even if
it does not match any other condition and is not allowed to pass.
Reference:
Cisco: Options to Reduce False Positive Intrusion Events: 2. Trust or Allow Rule
Cisco: FireSIGHT System User Guide Version 5.4.1: Using Rule Actions to Determine Traffic Handling and Inspection

QUESTION 97
Which of the following is a reason to use the round-robin assignment feature of dynamic PAT addresses? (Select the best answer.)

A. You want to send traffic to more than one remote device.
B. You want to map a single internal IP address to a single routable IP address.
C. You want to prevent the misinterpretation of traffic as a DoS attack.
D. You want to use a single mapped routable address.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You would use the round-robin assignment feature of dynamic Port Address Translation (PAT) addresses if you want to prevent the misinterpretation of traffic as a
Denial of Service (DoS) attack. Dynamic PAT is a form of Network Address Translation (NAT) that enables IP source addresses to be translated from many unique
IP addresses to one of a pool of routable IP addresses. NAT is most often used to conserve routable IP addresses on the public side of a NAT router. When PAT is
configured, an inside local address, along with a port number, is typically mapped to a single inside global address. The NAT router uses port numbers to keep
track of which packets belong to each host.
Dynamic PAT is capable of mapping internal source addresses to more than one routable IP address. Some security appliances could mistake a large number of
packets from a single IP address as a DoS attack attempt. Therefore, dynamic PAT supports the use of round-robin to enable internal IP source addresses to map
to more than just one routable IP source address. By using dynamic PAT’s round-robin assignment of IP addresses, the risk of misidentification of large amounts of
traffic as a DoS attack can be mitigated.
You could use PAT if you wanted to translate many internal addresses to a single routable IP address. However, you would not need to use the dynamic PAT
round-robin feature to achieve this task. Round-robin is used to cycle through a pool of routable IP addresses instead of translating to a single routable IP address.
You would use static NAT to map a single internal IP address to a single routable IP address. Static NAT translates a single inside local IP address to a single
inside global IP address; the static mapping is permanently present in the NAT translation table. It is therefore possible for someone on an outside network to
access a device on an inside network by using its inside global IP address.
You would not need to use dynamic PAT if you want to send traffic to more than one remote device. PAT neither specifically enables nor specifically prevents the
sending of traffic from one device to multiple remote devices.
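The following Python simulation is an added example, not Cisco code: it models a dynamic PAT pool as a list of mapped addresses and allocates one (mapped address, mapped port) pair per new connection, once with the pool consumed address by address and once with round-robin, so the spread of inside hosts across the mapped addresses can be compared. The pool addresses, inside hosts and the small port count per address are constructed values.

```python
"""Simulation of dynamic PAT mapped-address selection, with and without round-robin."""
from collections import Counter
from typing import Dict, List, Optional, Tuple


class DynamicPat:
    """Allocates (mapped address, mapped port) pairs from a PAT pool.

    Without round-robin, every new connection uses the first mapped address until
    its ports run out. With round-robin, consecutive connections rotate through the
    pool, so the inside hosts show up behind several addresses instead of one.
    ports_per_address is a constructed small value so exhaustion stays visible."""

    def __init__(self, pool: List[str], round_robin: bool = False, ports_per_address: int = 4):
        self.pool = list(pool)
        self.round_robin = round_robin
        self.ports_per_address = ports_per_address
        self.used: Dict[str, int] = {ip: 0 for ip in self.pool}  # ports consumed per address
        self._cursor = 0                                         # next round-robin candidate
        self.table: List[Tuple[str, int, str, int]] = []          # xlate entries

    def _pick_address(self) -> Optional[str]:
        n = len(self.pool)
        start = self._cursor if self.round_robin else 0
        for step in range(n):
            i = (start + step) % n
            ip = self.pool[i]
            if self.used[ip] < self.ports_per_address:
                if self.round_robin:
                    self._cursor = (i + 1) % n
                return ip
        return None  # pool exhausted: the device would drop the new connection

    def translate(self, real_src: str, real_port: int) -> Optional[Tuple[str, int, str, int]]:
        """Create an xlate for a new connection; None when no mapped port is left."""
        ip = self._pick_address()
        if ip is None:
            return None
        mapped_port = 1024 + self.used[ip]  # constructed port numbering
        self.used[ip] += 1
        entry = (real_src, real_port, ip, mapped_port)
        self.table.append(entry)
        return entry

    def usage(self) -> Dict[str, int]:
        """How many translations landed on each mapped address."""
        return dict(Counter(entry[2] for entry in self.table))


def simulate(round_robin: bool, flows: int = 6) -> Dict[str, int]:
    """Run `flows` new connections from distinct inside hosts through a 3-address pool."""
    pat = DynamicPat(["203.0.113.1", "203.0.113.2", "203.0.113.3"], round_robin=round_robin)
    for i in range(flows):
        pat.translate(f"10.0.0.{i + 1}", 40000 + i)
    return pat.usage()


if __name__ == "__main__":
    print("sequential :", simulate(round_robin=False))
    print("round-robin:", simulate(round_robin=True))
```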
Reference:
Cisco: Information About NAT: Dynamic PAT: Dynamic PAT Disadvantages and Advantages

QUESTION 98
You are configuring manual NAT on a Cisco Firepower device.
Which of the following best describes the order in which the NAT rules will be processed? (Select the best answer.)

A. on a first-match basis in the order that they appear in the configuration
B. the most general rules first followed by the most specific rules
C. static rules first followed by dynamic rules

D. shortest prefix first followed by longer prefixes

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Firepower will process the Network Address Translation (NAT) rules on a first-match basis in the order that they appear in the configuration if you are
configuring manual NAT. There are two methods of implementing NAT on a Cisco Firepower device: manual NAT and auto NAT. Of the two methods, auto NAT is
the simplest to configure because NAT rules are configured as components of a network object. Both source and destination addresses are compared to the rules
within the object. Manual NAT, on the other hand, enables you to specify both the source address and the destination address of a mapping in a single rule.
Therefore, you can configure more granular mapping rules by using manual NAT.
Both manual NAT rules and auto NAT rules are stored in the same translation table. The table is divided into three sections. Section 1 and Section 3 contain
manual NAT rules, with Section 1 containing the most specific manual NAT rules and Section 3 containing the most general NAT rules. Section 2 contains auto
NAT rules.
When the Firepower matches traffic to the NAT translation table, manual NAT rules in Section 1 are processed first and in the order in which they were configured.
Manual NAT rules are added to Section 1 by default. If a match is found, rules in Section 2 and Section 3 are ignored. If the traffic does not match any of the
manual NAT rules in Section 1, the auto NAT rules in Section 2 are processed.
Auto NAT rules are automatically ordered by the device. Regardless of the order in which you configured the rules in the network object, auto NAT will always
attempt to match static rules before dynamic rules. In addition, auto NAT will always attempt to match the longest address prefix first, meaning that the rule that
contains the smallest quantity of real IP addresses will be processed before rules containing a larger quantity of real IP addresses. Therefore, a static NAT mapping
that matches 10.10.10.0/24 will be processed before a dynamic NAT mapping that matches 10.10.10.10/32, even though the 10.10.10.10/32 address has a longer
prefix. If the traffic matches one of the auto NAT rules, rules in Section 3 are ignored. If the traffic does not match any of the auto NAT rules, the device will next
attempt to match the traffic to the Section 3 manual NAT rules.
Similar to Section 1, the manual NAT rules in Section 3 are processed in the order that they appear in the configuration. However, you must specifically place
manual NAT rules in this section because the device will not automatically place manual NAT rules there. Cisco recommends that the most general manual NAT
rules be placed in this section, with the most specific of those general rules configured first.
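The following Python model is an added example, not Cisco code: it builds the three-section NAT table from a constructed rule set and performs the first-match lookup described above, including the case from the explanation where a static /24 auto NAT rule is consulted before a dynamic /32 rule that was configured earlier. Using configuration order as the last tie-breaker inside Section 2 is an assumption made for this example.

```python
"""Model of the three-section NAT rule order explained above."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatRule:
    name: str
    real: str          # real (pre-translation) addresses as CIDR
    kind: str          # "static" or "dynamic"
    section: int       # 1 or 3 = manual NAT, 2 = auto NAT
    config_order: int  # position of the rule in the configuration

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.real, strict=False)


def auto_nat_key(rule: NatRule):
    """Section 2 order: static before dynamic, then the rule with the fewest real
    addresses (longest prefix) first. Config order as the final tie-breaker is an
    assumption made for this example."""
    return (0 if rule.kind == "static" else 1, rule.network.num_addresses, rule.config_order)


def evaluation_order(rules: List[NatRule]) -> List[NatRule]:
    """Return the rules in the order the device consults them."""
    section1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.config_order)
    section2 = sorted((r for r in rules if r.section == 2), key=auto_nat_key)
    section3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.config_order)
    return section1 + section2 + section3


def first_match(rules: List[NatRule], real_src: str) -> Optional[NatRule]:
    """First-match lookup of a packet's real source address; later rules are ignored."""
    addr = ipaddress.ip_address(real_src)
    for rule in evaluation_order(rules):
        if addr in rule.network:
            return rule
    return None


# Constructed rule set mirroring the explanation: the /32 dynamic auto NAT rule is
# configured before the /24 static one, yet the static rule is consulted first.
SAMPLE_RULES = [
    NatRule("host-dynamic", "10.10.10.10/32", "dynamic", 2, config_order=1),
    NatRule("subnet-static", "10.10.10.0/24", "static", 2, config_order=2),
    NatRule("web-static", "10.10.10.20/32", "static", 2, config_order=3),
    NatRule("sql-manual", "10.10.10.5/32", "static", 1, config_order=4),
    NatRule("catch-all-pat", "0.0.0.0/0", "dynamic", 3, config_order=5),
]


def match_name(real_src: str) -> Optional[str]:
    """Name of the rule that translates real_src under SAMPLE_RULES, or None."""
    rule = first_match(SAMPLE_RULES, real_src)
    return rule.name if rule else None


if __name__ == "__main__":
    print([r.name for r in evaluation_order(SAMPLE_RULES)])
    for src in ("10.10.10.5", "10.10.10.10", "10.10.10.20", "192.168.1.1"):
        print(src, "->", match_name(src))
```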
Reference:
Cisco: Firepower Management Center Configuration Guide, Version 6.0.1: NAT Rule Order

QUESTION 99
Which of the following is least likely to be considered a form of malware? (Select the best answer.)

A. bots
B. DDoS
C. Trojan horses
D. viruses

Correct Answer: B
Section: (none)

Explanation

Explanation/Reference:
Explanation:
Of the available choices, a Distributed Denial of Service (DDoS) attack is least likely to be considered a form of malware. Malware, which is a term formed from the
combination of the words malicious and software, is unwanted software that is specifically designed to be malicious. Malware can damage or disrupt systems, steal
information from a user, or perform other unwanted and malicious actions.
A DDoS attack is a coordinated Denial of Service (DoS) attack that uses multiple attackers to target a single host. For example, a large number of zombie hosts in
a botnet could flood a target device with packets. Because the flood of packets originates from multiple hosts and typically targets public services, such as the web
service, the target device might not detect the attack. If enough packets are sent to the target device within a short period of time, the target will be unable to
respond to legitimate packets because it is waiting for a response to each of the requests originated by the attacker.
Bots are forms of malware. A bot is a type of automated software that can be used as a remote command and control tool to exploit a compromised system for
malicious purposes. For example, a botnet is a network of bots on compromised systems that can be used to carry out coordinated attacks, such as a DDoS
attack.
Viruses are forms of malware. A virus is a type of software that can make copies of itself and inject them into other software. Viruses can therefore spread across
systems and networks. The level of damage that can be inflicted by a virus ranges from annoyances to destruction of data.
Trojan horses are forms of malware. A Trojan horse is a malicious program that entices the user to execute it by appearing to be a legitimate application. Trojan
horses can be used to annoy users, steal information, destroy data, or install back doors.
Reference:
Cisco: What Is the Difference: Viruses, Worms, Trojans, and Bots?

QUESTION 100
Which of the following occurs when an IDS or IPS does not identify malicious traffic that enters the network? (Select the best answer.)

A. a false positive
B. a false negative
C. a true positive
D. a true negative

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A false negative occurs when an intrusion detection system (IDS) or intrusion prevention system (IPS) does not identify malicious traffic that enters the network.
False negatives can often lead to disastrous network security problems. To properly secure a network, you should reduce the number of false negatives as much
as possible by fine-tuning IDS and IPS rules, even if more false positives are reported. Penetration testing can help determine when an IDS or IPS is not detecting a
genuine attack.
A false positive occurs when an IDS or IPS identifies nonmalicious traffic as malicious. Tuning must be performed to minimize the number of false positives while
eliminating false negatives. Not only can too many false positives overburden a router, they can also overburden a network administrator because false positives
must usually be verified as harmless.
A true positive occurs when an IDS or IPS correctly identifies malicious traffic as malicious. For instance, a true positive occurs when a virus or an attack is
identified and the appropriate action is taken.
A true negative occurs when an IDS or IPS correctly identifies harmless traffic as harmless. For example, a true negative occurs when an administrator correctly
enters a password or when Hypertext Transfer Protocol (HTTP) traffic is sent to a web server.
Reference:
Cisco: Cisco Secure IPS Excluding False Positive Alarms: False Positive and False Negative Alarms

QUESTION 101
Which of the following lost or stolen device options are available to employees when MDM is integrated with ISE? (Select 3 choices.)

A. report device as lost or stolen
B. initiate a PIN lock
C. initiate a full or corporate wipe
D. quarantine the device
E. revoke the device’s digital certificate

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When Mobile Device Management (MDM) platforms are integrated with Cisco Identity Services Engine (ISE), employees have the ability to report a device as lost or
stolen, initiate a personal identification number (PIN) lock, or initiate a full or corporate wipe. A corporate wipe, which is also known as a selective wipe, removes
only corporate data and applications from the device. A full wipe, which is also known as a factory reset, removes all data from the device. An employee is also
capable of reinstating a device to gain access without having to re-register the device with ISE. Each of these options is available to the employee by using ISE’s
My Devices portal.
ISE is a next-generation Authentication, Authorization, and Accounting (AAA) platform with integrated
posture assessment, network access control, and client provisioning. ISE integrates with a number of MDM frameworks, such as MobileIron and AirWatch. From
ISE, you can easily provision network devices with native supplicants available for Microsoft Windows, Mac OS X, Apple iOS, and Google Android. The supplicants
act as agents that enable you to perform various functions on the network device, such as installing software or locking the screen with a PIN lock.
Only ISE administrators can quarantine a device and revoke the device’s digital certificate. However, administrators are also capable of performing wipes and PIN
locks without user notification or intervention. Unlike employees, who initiate full wipes or corporate wipes by using the My Devices portal, an administrator initiates
a wipe or a PIN lock by using the ISE Endpoints screen. Whether an administrator can initiate a full wipe or a corporate wipe depends on the MDM server policies
and configuration. In a Bring Your Own Device (BYOD) environment, administrators will most likely be able to perform only a corporate wipe or a PIN lock on a
device. If the device is a corporate device that an employee is simply allowed to use, an administrator might be able to perform a full wipe from the Endpoints
screen by selecting Full Wipe from the MDM Access drop-down menu. Administrators can additionally force connected devices off the network, add devices to the
Blacklist Identity Group, and disable the device’s RSA SecurID token.
Reference:
Cisco: Managing a Lost or Stolen Device (PDF)

Cisco: Managing Network Devices: Wiping or Locking a Device

QUESTION 102
Which of the following private VLAN port types communicate only with promiscuous ports? (Select the best answer.)

A. community ports
B. isolated ports
C. SPAN ports
D. promiscuous ports

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Isolated private virtual LAN (VLAN) ports can communicate only with promiscuous ports. Private VLANs can be configured on a switch to help isolate traffic within a
VLAN. Private VLANs can provide Layer 2 separation between ports that belong to the same VLAN. Because the separation exists at Layer 2, the hosts can exist
on the same IP subnet. The VLAN to which the hosts belong is called the primary VLAN. To create a private VLAN, you must create secondary VLANs and
associate them with the primary VLAN.
Community private VLAN ports can communicate with promiscuous ports and with other ports that belong to the same community. However, they cannot
communicate with isolated ports or with ports that belong to other communities. Promiscuous ports can communicate with all other private VLAN port types.
Switch Port Analyzer (SPAN) ports are not a private VLAN port type. SPAN is a means of monitoring traffic on a switch by copying packets from a source port to a
monitored port or mirrored port.
Reference:
Cisco: Configuring Isolated Private VLANs on Catalyst Switches: Background Theory

QUESTION 103
On which of the following layers of the hierarchical network design model should you implement PortFast, BPDU guard, and root guard? (Select the best answer.)

A. only on core layer ports
B. only on distribution layer ports
C. only on access layer ports
D. only on core and distribution layer ports
E. on core, distribution, and access layer ports

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should implement PortFast, BPDU guard, and root guard only on access layer ports. PortFast, BPDU guard, and root guard are enhancements to Spanning
Tree Protocol (STP). The access layer is the network hierarchical layer where end-user devices connect to the network. The distribution layer is used to connect the
devices at the access layer to those in the core layer. The core layer, which is also referred to as the backbone, is used to provide connectivity to devices connected
through the distribution layer.
PortFast reduces convergence time by immediately placing user access ports into a forwarding state.
PortFast is recommended only for ports that connect to end-user devices, such as desktop computers. Therefore, you would not enable PortFast on ports that
connect to other switches, including distribution layer ports and core layer ports. To enable PortFast, issue the spanning-tree portfast command from interface
configuration mode.
BPDU guard disables ports that erroneously receive bridge protocol data units (BPDUs). User access ports should never receive BPDUs, because user access
ports should be connected only to end-user devices, not to other switches. When BPDU guard is applied, the receipt of a BPDU on a port with BPDU guard enabled
will result in the port being placed into a disabled state, which prevents loops from occurring. To enable BPDU guard, issue the spanning-tree bpduguard enable
command from interface configuration mode.
Root guard is used to prevent newly introduced switches from being elected as the root. The device with the lowest bridge priority is elected the root. If an additional
device is added to the network with a lower priority than the current root, it will become the new root. However, this could cause the network to reconfigure in
unintended ways, particularly if an access layer switch were to become the root. To prevent this, root guard can be applied to ports that connect to other switches in
order to maintain control over which switch is the root. Root guard is applied on a per-port basis with the spanning-tree guard root command.
Reference:
Cisco: Campus Network for High Availability Design Guide: Spanning Tree Protocol Versions
Cisco: Campus Network for High Availability Design Guide: Best Practices for Optimal Convergence
Category: Security Concepts

QUESTION 104
Which of the following is the man-in-the-middle attack that is most likely to be used to cause a workstation to send traffic to a false gateway IP address? (Select the
best answer.)

A. ARP spoofing
B. DHCP spoofing
C. MAC spoofing
D. switch spoofing

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Dynamic Host Configuration Protocol (DHCP) spoofing is the man-in-the-middle attack that is most likely to be used to cause a workstation to send traffic to a false
gateway IP address. In a DHCP spoofing attack, a rogue DHCP server is attached to the network in an attempt to intercept DHCP requests. The rogue DHCP
server can then respond to the DHCP requests with its own IP address as the default gateway address so that all traffic is routed through the rogue DHCP server.
DHCP snooping is a security technique that can be used to mitigate DHCP spoofing.
In an Address Resolution Protocol (ARP) poisoning attack, which is also known as an ARP spoofing attack, the attacker sends a gratuitous ARP (GARP) message
to a host. The GARP message associates the attacker's Media Access Control (MAC) address with the IP address of a valid host on the network. Subsequently,
traffic sent to the valid host address will go to the attacker's computer rather than to the intended recipient.
MAC spoofing makes network traffic from a device look as if it is coming from a different device. MAC spoofing is often implemented to bypass port security by
making a device appear as if it were an authorized device. Malicious users can also use MAC spoofing to intercept network traffic that should be destined for a
different device. ARP cache poisoning, content addressable memory (CAM) table flooding, and Denial of Service (DoS) attacks can all be performed by MAC
spoofing.
Switch spoofing is a virtual LAN (VLAN) hopping attack that is characterized by using Dynamic Trunking Protocol (DTP) to negotiate a trunk link with a switch port in
order to capture all traffic that is allowed on the trunk. In a switch spoofing attack, the attacking system is configured to act like a switch with a trunk port. This
enables the attacking system to become a member of all VLANs, which enables the attacker to send and receive traffic among the other VLANs.
Reference:
Cisco: DHCP Snooping: Overview of DHCP Snooping
Juniper Networks: Preventing DHCP Spoofing
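The rogue-server scenario above can be detected from the wire: a monitoring host that sees a DHCP OFFER or ACK whose server identifier (option 54) or offered default gateway (option 3) is not an approved address has found a spoofing attempt. The following Python script is an added example, not part of the exam material or any Cisco tool; the DHCP messages it inspects, the server addresses, and the allow-lists are all constructed inline.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = bytes.fromhex("63825363")   # separates the BOOTP header from DHCP options
BOOTP_HEADER_LEN = 236
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
MSG_NAMES = {DISCOVER: "DISCOVER", OFFER: "OFFER", REQUEST: "REQUEST", ACK: "ACK"}


def packed(addr: str) -> bytes:
    """Dotted-quad string to the 4-byte network form used inside DHCP."""
    return IPv4Address(addr).packed


def build_dhcp_message(op: int, xid: int, yiaddr: str, options: dict) -> bytes:
    """Build a minimal BOOTP/DHCP message; used here only to construct the sample capture."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0,                        # op, htype=Ethernet, hlen, hops, xid, secs, flags
        bytes(4), packed(yiaddr), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr, giaddr
        bytes(16), bytes(64), bytes(128),              # chaddr, sname, file
    )
    body = b"".join(bytes([code, len(value)]) + value for code, value in options.items())
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(data: bytes) -> dict:
    """Parse op, xid, yiaddr and the TLV options; reject anything without the magic cookie."""
    cookie_end = BOOTP_HEADER_LEN + len(MAGIC_COOKIE)
    if len(data) < cookie_end or data[BOOTP_HEADER_LEN:cookie_end] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options = {}
    i = cookie_end
    while i < len(data) and data[i] != OPT_END:
        code = data[i]
        if code == OPT_PAD:                   # single-byte option with no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"op": data[0], "xid": struct.unpack("!I", data[4:8])[0],
            "yiaddr": IPv4Address(data[16:20]), "options": options}


def find_rogue_dhcp(captures, authorized_servers, expected_gateways) -> list:
    """Flag OFFER/ACK replies whose server identifier or offered gateway is off the allow-list."""
    servers = {IPv4Address(a) for a in authorized_servers}
    gateways = {IPv4Address(g) for g in expected_gateways}
    alerts = []
    for raw in captures:
        msg = parse_dhcp(raw)
        opts = msg["options"]
        msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
        if msg["op"] != BOOTREPLY or msg_type not in (OFFER, ACK):
            continue                           # only server replies can hand a client a gateway
        server = IPv4Address(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
        router = IPv4Address(opts[OPT_ROUTER]) if OPT_ROUTER in opts else None
        reasons = []
        if server not in servers:
            reasons.append(f"server identifier {server} is not an authorized DHCP server")
        if router is not None and router not in gateways:
            reasons.append(f"offered default gateway {router} is not an expected gateway")
        if reasons:
            alerts.append({"xid": msg["xid"], "type": MSG_NAMES[msg_type],
                           "server": server, "router": router, "reasons": reasons})
    return alerts


# Constructed sample capture: a client DISCOVER, the legitimate OFFER from 10.0.0.1, and a
# competing OFFER from a rogue server at 10.0.0.66 that names itself as the default gateway.
AUTHORIZED_SERVERS = ["10.0.0.1"]
EXPECTED_GATEWAYS = ["10.0.0.1"]
XID = 0x3903F326
SAMPLE_CAPTURES = [
    build_dhcp_message(BOOTREQUEST, XID, "0.0.0.0", {OPT_MSG_TYPE: bytes([DISCOVER])}),
    build_dhcp_message(BOOTREPLY, XID, "10.0.0.50", {OPT_MSG_TYPE: bytes([OFFER]),
                       OPT_SERVER_ID: packed("10.0.0.1"), OPT_ROUTER: packed("10.0.0.1")}),
    build_dhcp_message(BOOTREPLY, XID, "10.0.0.51", {OPT_MSG_TYPE: bytes([OFFER]),
                       OPT_SERVER_ID: packed("10.0.0.66"), OPT_ROUTER: packed("10.0.0.66")}),
]

if __name__ == "__main__":
    for alert in find_rogue_dhcp(SAMPLE_CAPTURES, AUTHORIZED_SERVERS, EXPECTED_GATEWAYS):
        print(f"xid {alert['xid']:#x} {alert['type']} from {alert['server']}: "
              + "; ".join(alert["reasons"]))
```

DHCP snooping does the equivalent on the switch by dropping server replies that arrive on untrusted ports; this script is the passive, host-side view of the same event.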

QUESTION 105
On a Cisco ASA, which of the following RADIUS authentication protocols are not supported? (Select 2 choices.)

A. CHAP
B. EAP-MD5
C. PAP
D. PEAP
E. MSCHAPv1
F. MSCHAPv2

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Neither Extensible Authentication Protocol (EAP)-Message Digest 5 (MD5) nor Protected EAP (PEAP) is supported by the Remote Authentication Dial-In User
Service (RADIUS) server on a Cisco Adaptive Security Appliance (ASA). RADIUS is an Authentication, Authorization, and Accounting (AAA) server that uses User
Datagram Protocol (UDP) for packet delivery.
RADIUS and Terminal Access Controller Access Control System Plus (TACACS+) server groups on a Cisco ASA support Challenge Handshake Authentication
Protocol (CHAP), Microsoft CHAP version 1 (MSCHAPv1), and Password Authentication Protocol (PAP).
A Cisco ASA supports a number of different AAA server types, such as RADIUS, TACACS+, Lightweight Directory Access Protocol (LDAP), Kerberos, and RSA
Security Dynamics, Inc. (SDI) servers.
When authenticating with a TACACS+ server, a Cisco ASA can use the following authentication protocols:
- ASCII
- PAP
- CHAP
- MSCHAPv1
When authenticating with a RADIUS server, a Cisco ASA can use the following authentication protocols:
- PAP
- CHAP
- MSCHAPv1
- MSCHAP version 2 (MSCHAPv2)
- Authentication Proxy Mode (for example, RADIUS to RSA/SDI, RADIUS to Active Directory, and others)
Reference:
Cisco: Configuring AAA Servers and the Local Database: RADIUS Server Support
Cisco: Configuring AAA Servers and the Local Database: TACACS+ Server Support

QUESTION 106
Which of the following is the best reason to enforce blacklisting by security zone on a Cisco device that uses the Security Intelligence IP Address Reputation
feature? (Select the best answer.)

A. to streamline performance of the IPS device
B. to ensure that local hosts can communicate with a given IP address
C. to validate a blacklist feed that has been obtained from a third party
D. to manually control which networks are blocked by the IPS

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Most likely, you would enforce blacklisting by security zone to streamline performance of the intrusion prevention system (IPS) device. Enforcing blacklisting by
security zone can be used to enhance the performance of a Security Intelligence device by limiting the blacklisting to the specific security zones that process the
given traffic. For example, the blacklisting of IP addresses that send email traffic could be restricted to a Security Zone that handles only email traffic.
You would configure the monitor-only setting if you wanted to validate a blacklist feed that has been obtained from a third party. Security Intelligence devices, such
as a Cisco Sourcefire IPS, are capable of accepting manually imported lists of network addresses or feeds from third parties. Such devices can block IP addresses
or networks based on their reputation, which mitigates device overhead that comes from having to analyze traffic from those networks. The monitor-only setting
enables traffic from networks that are listed within a given feed to be analyzed by the Security Intelligence device, but also logs the fact that the given network
matches the third-party feed. This enables an administrator to review the logs and the analysis of traffic from networks on the feed to determine the validity of the
feed.
You would add IP addresses to a custom whitelist to ensure that local hosts can communicate with a given IP address. On Security Intelligence devices, whitelists
can be used to override blacklisted IP addresses. Whitelists can thus be used to enable communication with legitimate IP addresses that are listed on third-party
feeds or other blacklists that might be too broadly defined. From an administrative overhead standpoint, you should first validate the feed, then implement the feed,
and finally add IP addresses or networks to the whitelist as necessary.
You would configure a custom blacklist to manually control which networks are blocked by the IPS. Security Intelligence devices allow the creation of custom
blacklists so that you can manually block specific IP addresses or networks.
Reference:
Cisco: Blacklisting Using Security Intelligence IP Address Reputation: Choosing a Security Intelligence Strategy

QUESTION 107
Which of the following is not true of SIM systems? (Select the best answer.)

A. They perform real-time threat detection.
B. They focus on policy and standards compliance.
C. They consolidate logs to a central server.
D. They analyze log data and report findings.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Security Information Management (SIM) systems do not perform real-time analysis and detection. SIM systems are focused more on the collection and analysis of
logs in a non-real-time fashion. For example, a SIM system might centralize logging on a single device for review and analysis. Some SIM systems also provide
assessment tools that can flag potentially threatening events.
Security Event Management (SEM) systems perform real-time analysis and detection. SEM systems typically analyze log data from a number of sources. Some
systems also incorporate incident handling tools that enable administrators to more effectively mitigate threats when they occur.
A Security Information and Event Management (SIEM) system combines both the real-time aspects of a SEM system and the in-depth analysis and timeline
generation of a SIM system. Therefore, a SIEM system is a hybrid of a SIM system and a SEM system.
Reference:
SANS: IDFAQ: What is The Role of a SIEM in Detecting Events of Interest?
Search Security: Tech Target: security information and event management (SIEM)

QUESTION 108
In the Cisco ISE GUI, you click Administration > Certificates > Certificate Store and notice that a SCEP NDES server RA certificate is installed on the ISE node.
Which of the following best describes the reason the certificate is there? (Select the best answer.)

A. The ISE is a SCEP proxy for a Windows CA.
B. The ISE is a CA for the Windows AD domain.
C. The ISE has been compromised, and the CA chain has been altered.
D. The ISE requires the CA in order to mitigate a Windows Server SCEP bug.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Cisco Identity Services Engine (ISE) is a Simple Certificate Enrollment Protocol (SCEP) proxy for a Windows certificate authority (CA) if you notice that a SCEP
Network Device Enrollment Service (NDES) server registration authority (RA) certificate is installed in the ISE's Certificate Store. Implementing ISE as a SCEP
proxy enables bring your own device (BYOD) users to register their devices on their own, without administrative overhead from the IT department.
The ISE is not a CA for the Windows Active Directory (AD) domain. When configured with a SCEP CA profile, the ISE will contain a SCEP NDES server RA
certificate in the Certificate Store. RAs verify requests for certificates and enable the CA to issue them.
The ISE does not require the CA in order to mitigate a Windows Server SCEP bug. However, configuring ISE as a SCEP proxy to a Microsoft Windows 2008 R2
Server does require the installation of some Microsoft SCEP implementation hotfixes.
There is nothing in this scenario to indicate that the ISE has been compromised. In addition, there is no reason to suspect that the CA chain has been altered.
Reference:
Cisco: ISE SCEP Support for BYOD Configuration Example: Configure ISE as a SCEP proxy

QUESTION 109
You issue the following commands on a Cisco router:
tacacs-server host ts1 timeout 30
tacacs-server timeout 20
Which of the following is true about how the Cisco router communicates with the TACACS+ server? (Select the best answer.)

A. The router will maintain an open TCP connection.
B. The router will maintain an open TCP connection for no more than 20 seconds.
C. The router will wait 20 seconds for the server to reply before declaring an error.
D. The router will wait 30 seconds for the server to reply before declaring an error.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The router will wait 30 seconds for the server to reply before declaring an error. The tacacs-server host ts1 timeout 30 command in this scenario configures a router
to connect to a Terminal Access Controller Access Control System Plus (TACACS+) server named ts1. The timeout 30 keyword in this command configures the
router to wait 30 seconds for the server to reply before declaring an error.
The router will wait 30 seconds, not 20 seconds, for the server to reply before declaring an error. If the timeout 30 keyword had not been specified in this scenario,
the tacacs-server timeout 20 command would have configured the router to wait 20 seconds for the server to reply before declaring an error. The timeout 30
keyword in this scenario overrides the value assigned by the tacacs-server timeout command.
The router will not maintain an open Transmission Control Protocol (TCP) connection, because the single-connection keyword has not been issued in this scenario.
The single-connection keyword configures the router to maintain an open connection to the TACACS+ server. When the single-connection keyword is not configured,
a Cisco router will open and close a TCP connection to the TACACS+ server each time it needs to perform an operation. When the single-connection keyword is
configured, the router connects to the TACACS+ server and maintains that connection even when it is not performing an operation. This setting enhances the
efficiency of the communications between the router and the TACACS+ server because the router does not have to constantly close and open connections.
Reference:
Cisco: Configuring TACACS+: Identifying the TACACS+ Server Host

QUESTION 110
You are configuring VPN access for Cisco AnyConnect clients. You finish the configuration by establishing a fail open policy.
Which of the following is true of AnyConnect clients that fail to establish a VPN session? (Select the best answer.)

A. They are granted full access to the local network, but without security.
B. They are granted full access to the local network, including security.
C. They are denied full network access, except for local resources.
D. They are denied full network access, including local resources.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Cisco AnyConnect clients that fail to establish a virtual private network (VPN) session under a fail open policy are granted full access to the local network, but
without the security provided by the Cisco AnyConnect VPN service. Connect failure policies are typically applied when the Cisco AnyConnect always-on feature is
configured. The always-on feature enables Cisco AnyConnect clients to establish a VPN session automatically whenever the client detects that the host is connected
to an untrusted network. For example, a laptop that is used both on a corporate LAN and for remote work might be configured to automatically connect to the
corporate VPN whenever the laptop is not directly connected to the corporate LAN. However, any number of problems could prevent the client from actually
establishing a connection to the VPN.
There are two types of connect failure policies that you can enable for Cisco AnyConnect always-on clients. The fail open policy allows the client to complete a
connection to the local network for access to the Internet or local resources. However, because a VPN session has not been established, the security of the
AnyConnect device that is connected to the remote network could be compromised.
The fail closed policy, on the other hand, prevents all network access from the Cisco AnyConnect client except to local devices and devices that are available by
using split tunneling. This extra layer of security could prevent the user from accessing the Internet and thus could compromise productivity if the user relies on
Internet access to complete work-related tasks. Because the fail closed policy is so restrictive, Cisco recommends implementing it by using a phased approach that
includes initially implementing fail open and surveying user activity for AnyConnect issues that might prevent seamless connections.
Reference:
Cisco: Configuring VPN Access: Connect Failure Policy for Always-on VPN

QUESTION 111
Which of the following web application threats is not typically mitigated by installing a WAF? (Select the best answer.)

A. exploits related to uncloaked error messages
B. exploits against known vulnerabilities
C. exploits related to directory traversal vulnerabilities
D. exploits against unknown vulnerabilities
E. exploits related to viruses in file uploads

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, exploits related to unknown vulnerabilities are not typically mitigated by installing a web application firewall (WAF). A WAF sits between a
web application and the end user in order to protect the application from malicious activity and known vulnerabilities. Therefore, by installing a WAF, it is possible to
protect a vulnerable web application without modifying the application code.
WAFs are not typically capable of protecting a web application against unknown vulnerabilities. WAFs can protect against known or common unpatched web
application vulnerabilities by using techniques such as cloaking to protect against information leakage related to uncloaked error messages, encrypting Uniform
Resource Locators (URLs) to protect against exploits related to directory traversal, and checking file uploads for viruses.
Reference:
OWASP: Category:OWASP Best Practices: Use of Web Application Firewalls

QUESTION 112
Which of the following is a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring? (Select the best
answer.)

A. anomaly detection
B. global correlation
C. reputation filtering
D. a signature definition
E. a threat rating

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A signature definition is a set of rules to which a Cisco Intrusion Prevention System (IPS) appliance can compare network traffic to determine whether an attack is
occurring. If the network activity matches a signature definition, IPS can trigger a specific response from other defined event action rule sets, such as denying traffic
from a host or alerting an administrator. IPS administrators can manually configure signature definitions in Cisco IPS Device Manager (IDM) or use the Signature
Wizard to create custom signature definitions.
Global correlation is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring. Global correlation
enables IPS sensors to allow or deny traffic based on the reputation of the sending device. When you enable global correlation, IPS devices will periodically receive
updates that include information about known malicious devices on the Internet from the Cisco SensorBase Network. In addition, global correlation will send
statistical information about attacks against your company's network to the Cisco SensorBase Network. Cisco uses that information to detect threat patterns on the
Internet.
Reputation filtering is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring. Reputation filtering
denies packets from hosts that are considered to have a malicious reputation based on the global correlation information that is available from the Cisco
SensorBase Network. Reputation filtering is different from global correlation inspection in that reputation filtering denies traffic before the traffic is compared to any
signature definitions. In addition, reputation filtering does not generate alerts.
Anomaly detection is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring. Anomaly detection
enables IPS to learn what type of network activity is normal activity for the network that is being protected. If a network starts to become congested by traffic that is
generated by a worm or if a host that is infected with a worm connects to the network and attempts to infect other hosts, the anomaly detection feature can trigger a
specific response, such as denying traffic from the infected host or alerting an administrator.
A threat rating is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring. A threat rating is an
event action risk rating that has been lowered because of a specific action taken by IPS. A risk rating is a numerical representation of the risk presented to a
network by a specific attack. Risk ratings can range from 0 through 100. Depending on the actions IPS has taken in response to an event, IPS will subtract a value
from the threat rating of the event. For example, if IPS responds to a specific event by issuing a request to block the attacking host, a value of 20 will be subtracted
from the threat rating.
Reference:
Cisco: Defining Signatures: Understanding Signatures

QUESTION 113
Which of the following describes the primary difference between PGP and S/MIME? (Select the best answer.)

A. PGP can be used to encrypt disk drives, but S/MIME cannot.
B. PGP can use SHA1 for data integrity, but S/MIME cannot.
C. S/MIME can be used to encrypt email messages, but PGP cannot.
D. S/MIME can use RSA for digital signatures, but PGP cannot.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The primary difference between Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME) is that PGP can be used to encrypt not
only email messages, but also files and entire disk drives. PGP is software that uses an asymmetric encryption method to encrypt information. To encrypt a file or a
message by using PGP, you must use the recipient's public key. The recipient will then use his or her private key to decrypt the file or message.
Although PGP is an application and S/MIME is a standards-based protocol, both can be used to provide confidentiality, integrity, and nonrepudiation for email
messages. Confidentiality is provided by an encryption method, such as Triple Data Encryption Standard (3DES or TDES). Integrity is provided by a hashing
algorithm, such as Secure Hash Algorithm 1 (SHA1). Nonrepudiation is provided by creating digital signatures with an asymmetric encryption method, such as RSA.
Many modern operating systems (OSs) offer their own built-in support for file-level and disk-level encryption. Therefore, third-party software is often no longer
necessary for encrypting files.
Reference:
Search Security: Tech Target: Pretty Good Privacy (PGP)
Microsoft TechNet: Understanding S/MIME

QUESTION 114
Which of the following failover link configurations can leave an ASA vulnerable to replay attacks? (Select the best answer.)

A. connecting the active and standby units directly with a crossover cable
B. connecting the active and standby units to a dedicated VLAN on a switch
C. sharing a regular data interface with the stateful failover link
D. sharing the LAN failover link with the stateful failover link
E. using a dedicated Ethernet interface as the stateful failover link

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Sharing a regular data interface with the stateful failover link on a Cisco Adaptive Security Appliance (ASA) can leave the ASA vulnerable to replay attacks. A replay
attack is a type of man-in-the-middle attack in which the attacker uses a packet sniffer to capture legitimate network data, such as authentication tokens and
preshared keys, and then replays the data to a target. In addition, the attacker might delay or modify the captured data before directing it to the target. On an ASA,
all LAN failover and stateful failover information is transmitted as clear text by default. Therefore, sharing the stateful failover link with a regular data interface can
unnecessarily expose virtual private network (VPN) configuration information, such as user names, passwords, and preshared keys (PSKs) to malicious users on
the shared network segment. You can mitigate this risk by configuring a failover key on both the active unit and the standby unit to protect failover information.
Cisco strongly recommends using a dedicated Ethernet interface or sharing a LAN failover link instead of sharing the stateful failover link with a regular data
interface.
ASAs can be configured to participate in either a stateless or a stateful failover implementation. In a stateless failover implementation, the active unit and standby
unit use a dedicated LAN link, known as a LAN failover link, for failover traffic. The LAN failover link can use any unnamed Ethernet interface and can connect the
failover pair directly, with either a straight-through or crossover Ethernet cable, or through a switch, with no other devices on the same network segment or virtual
LAN (VLAN) as the failover pair. Although all failover traffic is sent as clear text by default, a LAN failover link does not leave an ASA vulnerable to replay attacks
because the failover pair are either directly connected or connected through a dedicated VLAN.
By contrast, the failover link between two ASAs in a stateful failover implementation can use a dedicated Ethernet link, a shared LAN failover link, or a shared
regular data interface. If a dedicated Ethernet link is used for stateful failover, it must follow the same connectivity guidelines as a LAN failover link: it can be either a
direct connection or a dedicated VLAN on a switch. Like a LAN failover link, a stateful failover link using either a dedicated Ethernet link or a shared LAN failover
link does not leave an ASA vulnerable to replay attacks because the failover pair are either directly connected or connected through a dedicated VLAN.
Reference:
Cisco: Information About High Availability: Stateful Failover Link
Category: Cisco Firewall Technologies

QUESTION 115
Which of the following fields make up the header of an ESP packet? (Select 2 choices.)

A. Next Header
B. Pad Length
C. Padding
D. Security Parameter Index
E. Sequence Number

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Security Parameter Index (SPI) and Sequence Number fields make up the header of an Encapsulating Security Payload (ESP) packet. ESP is an IP Security
(IPSec) protocol that provides data integrity and confidentiality for IP traffic. The ESP header is always part of the authenticated data in an ESP packet, but the ESP
header itself is never encrypted. By contrast, the ESP trailer, which is made up of the Padding, Pad Length, and Next Header fields, is always part of the
authenticated data and is always encrypted. The following diagram illustrates the ESP packet format:

ESP can operate in transport mode or tunnel mode. In transport mode, ESP encrypts only the original payload data and the resultant ESP trailer, leaving the original
IP header unencrypted. The following diagram illustrates the components of an ESP packet in transport mode:

In tunnel mode, ESP encrypts the entire packet, including the original IP header, the original payload data, and the resultant ESP trailer. The following diagram
illustrates the components of an ESP packet in tunnel mode:

Reference:
IETF: RFC 4303: IP Encapsulating Security Payload (ESP): 2. Encapsulating Security Payload Packet Format
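To make the header/trailer split above concrete, the following Python code is an added example (not from RFC 4303 or the exam material) that builds and parses an ESP packet with NULL encryption, so the SPI and Sequence Number header, the Padding, Pad Length and Next Header trailer, and the trailing ICV are all visible; it also implements the anti-replay window that consumes the Sequence Number field. The key, SPI and payload are constructed, and HMAC-SHA1-96 stands in for whatever integrity algorithm the SA would negotiate.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

ESP_HEADER_LEN = 8         # Security Parameter Index (4 bytes) + Sequence Number (4 bytes)
ESP_TRAILER_FIXED_LEN = 2  # Pad Length (1 byte) + Next Header (1 byte); Padding precedes them
ICV_LEN = 12               # HMAC-SHA1-96: the ICV is the first 96 bits of the HMAC-SHA1 tag

# IP protocol numbers carried in Next Header; 4 and 41 mean an inner IP packet (tunnel mode)
PROTO_IPV4, PROTO_TCP, PROTO_UDP, PROTO_IPV6 = 4, 6, 17, 41


@dataclass
class EspPacket:
    spi: int
    seq: int
    payload: bytes
    pad_length: int
    next_header: int


def _icv(key: bytes, authenticated: bytes) -> bytes:
    """Integrity Check Value over header + payload + trailer (never over the ICV itself)."""
    return hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(spi: int, seq: int, payload: bytes, next_header: int, key: bytes,
              align: int = 4) -> bytes:
    """Assemble header | payload | padding | trailer | ICV using NULL encryption."""
    pad_len = (-(len(payload) + ESP_TRAILER_FIXED_LEN)) % align
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default pattern 1, 2, 3, ...
    header = struct.pack("!II", spi, seq)         # sent in the clear, but authenticated
    trailer = bytes([pad_len, next_header])       # would be ciphertext with a real cipher
    authenticated = header + payload + padding + trailer
    return authenticated + _icv(key, authenticated)


def parse_esp(packet: bytes, key: bytes) -> EspPacket:
    """Verify the ICV, then split the packet into header fields, payload and trailer fields."""
    if len(packet) < ESP_HEADER_LEN + ESP_TRAILER_FIXED_LEN + ICV_LEN:
        raise ValueError("too short to be an ESP packet")
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Integrity first: a modified SPI, sequence number, payload or trailer all fail here.
    if not hmac.compare_digest(icv, _icv(key, authenticated)):
        raise ValueError("ICV mismatch: packet was modified or the key is wrong")
    spi, seq = struct.unpack("!II", authenticated[:ESP_HEADER_LEN])
    body = authenticated[ESP_HEADER_LEN:]         # a real receiver decrypts this part
    pad_len, next_header = body[-2], body[-1]     # the trailer sits at the very end of the body
    data = body[:-ESP_TRAILER_FIXED_LEN]
    if pad_len > len(data):
        raise ValueError("Pad Length exceeds the payload")
    payload, padding = data[:len(data) - pad_len], data[len(data) - pad_len:]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding does not follow the default RFC 4303 pattern")
    return EspPacket(spi, seq, payload, pad_len, next_header)


def verify_esp(packet: bytes, key: bytes) -> bool:
    """True when the packet parses and its ICV checks out."""
    try:
        parse_esp(packet, key)
        return True
    except ValueError:
        return False


def esp_mode(next_header: int) -> str:
    """Tunnel mode carries a whole IP packet; transport mode carries a transport-layer payload."""
    return "tunnel" if next_header in (PROTO_IPV4, PROTO_IPV6) else "transport"


class AntiReplayWindow:
    """Sliding window over received Sequence Numbers (RFC 4303 section 3.4.3)."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bit i set means sequence number (highest - i) was received

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                     # sequence numbers start at 1
        if seq > self.highest:               # window advances; the newest packet is bit 0
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size or (self.seen >> offset) & 1:
            return False                     # too old, or a replay of a packet already seen
        self.seen |= 1 << offset
        return True
```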

QUESTION 116
You want to use the authentication event no-response action authorize vlan 101 command to ensure that network devices incapable of using 802.1X authentication
are automatically placed into VLAN 101, which is the guest VLAN.
Which of the following VLAN types can you specify as an 802.1X guest VLAN? (Select the best answer.)

A. a primary private VLAN
B. a secondary private VLAN
C. a voice VLAN
D. an RSPAN VLAN

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices available, you can configure a secondary private virtual LAN (VLAN) as an 802.1X guest VLAN with the authentication event no-response action
authorize vlan 101 command. The authentication event no-response action authorize vlan command specifies the VLAN into which a switch should place a port if it
does not receive a response to the 802.1X Extensible Authentication Protocol over LAN (EAPoL) messages it sends on that port. The VLAN ID must be a number
from 1 through 4094. The VLAN ID can specify any active VLAN except for a Remote Switch Port Analyzer (RSPAN) VLAN, a primary private VLAN, or a voice
VLAN. In addition, a guest VLAN can be configured on only access ports, not on routed ports or trunk ports.
When a guest VLAN is configured, the switch will grant non-802.1X-capable clients access to the guest VLAN; however, if an 802.1X-capable device is detected, the
switch will place the port into an unauthorized state and will deny access to all devices on the port. You can use the authentication event fail action command to
specify how the switch should react if an 802.1X client is detected and the client fails to authenticate. There are two configurable parameters: next-method and
authorize vlan-id. The authorize vlan-id parameter configures a restricted VLAN, which is functionally similar to the guest VLAN. The next-method parameter
configures the switch to attempt authentication by using the next authentication method specified in the authentication order command. For example, if the
authentication order 802.1X mab webauth command has been configured and 802.1X authentication fails, the switch will attempt to use Media Access Control
(MAC) Authentication Bypass (MAB) to authenticate the client based on its MAC address; if MAB fails, the switch will attempt web-based authentication. If the
next-method parameter is configured, the switch will indefinitely cycle through authentication methods unless Web Authentication (WebAuth) is configured. If
WebAuth is configured, the authentication process will not loop back to other authentication methods and the switch will ignore EAPoL messages on the port.
Reference:
Cisco: Configuring IEEE 802.1x PortBased Authentication: Configuring a Guest VLAN

QUESTION 117
Which of the following statements is true about network traffic event logging in Cisco FireSIGHT Management Center? (Select the best answer.)

A. Beginning-of-connection events contain less information than end-of-connection events.
B. Performance is optimized by logging both beginning-of-connection events and end-of-connection events.
C. You can log only beginning-of-connection events for encrypted connections handled by an SSL policy.
D. You can log only end-of-connection events for blocked traffic.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In Cisco FireSIGHT Management Center, beginning-of-connection events contain less information than end-of-connection events. Cisco FireSIGHT Management
Center, which was formerly called Sourcefire Defense Center, can log beginning-of-connection and end-of-connection events for various types of network traffic.
Although most network traffic will generate both kinds of events, blocked or blacklisted traffic is typically denied without further processing and therefore only
generates beginning-of-connection events. Beginning-of-connection events contain a limited amount of information because they are generated based on the
information contained in the first few packets of a connection.
By contrast, end-of-connection events are generated when a connection closes, times out, or can no longer be tracked because of memory constraints.
End-of-connection events contain significantly more information than beginning-of-connection events because they can draw upon data collected throughout the
course of a connection. This additional information can be used to create traffic profiles, generate connection summaries, or graphically represent connection data.
In addition, the data can be used for detailed analysis or to trigger correlation rules based on session data. End-of-connection events are also required to log
encrypted connections that are handled by a Secure Sockets Layer (SSL) policy because there is not enough information in the first few packets to indicate that a
connection is encrypted.
Reference:
Cisco: Logging Connections in Network Traffic: Logging the Beginning or End of Connections

QUESTION 118
Which of the following are asymmetric algorithms? (Select 3 choices.)

A. DH
B. AES
C. 3DES
D. ECC
E. RC4
F. RSA

Correct Answer: ADF
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Diffie-Hellman (DH), Elliptic Curve Cryptography (ECC), and RSA are asymmetric algorithms. DH is an asymmetric key exchange method. RSA and ECC are
asymmetric encryption algorithms. Asymmetric encryption, also known as public key encryption, uses a public key to encrypt data and a different, yet
mathematically related, private key to decrypt data. Public key infrastructure (PKI) uses a certificate authority (CA) to tie a public key to a user ID to further ensure
the confidentiality of data. Asymmetric encryption algorithms use more complex mathematical functions than symmetric encryption algorithms. As a result,
asymmetric encryption algorithms take longer to encrypt and decrypt data than symmetric encryption algorithms. Other examples of asymmetric encryption
algorithms include Digital Signature Algorithm (DSA) and ElGamal.
Advanced Encryption Standard (AES), RC4, and Triple Data Encryption Standard (3DES) are examples of symmetric encryption algorithms. When symmetric
encryption algorithms are used, the same encryption key is used to encrypt and decrypt data. Two types of symmetric algorithms exist: block ciphers and stream
ciphers. Block ciphers derive their name from the fact that they encrypt blocks of data. For example, AES encrypts 128-bit blocks of data. By contrast, stream
ciphers are typically faster than block ciphers because stream ciphers encrypt text of variable length depending on the size of the frame to be encrypted; stream
ciphers are not limited to specific block sizes. For example, RC4, a stream cipher, can encrypt data in streams of 8 through 2,048 bits. Other examples of
symmetric encryption algorithms include International Data Encryption Algorithm (IDEA), Skipjack, and Blowfish.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 5, Symmetric and Asymmetric Algorithms, pp. 92-94

QUESTION 119
Which of the following statements are true regarding class maps on a Cisco ASA? (Select 2 choices.)

A. QoS traffic shaping is not available for all class maps.
B. Class maps apply specific security measures on a per-session basis.
C. By default, no class maps are defined on an ASA.
D. Class maps must use an ACL to match traffic.
E. Class maps can match traffic based on application protocols.
F. Class maps identify the interface to which a policy map is applied.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Class maps can match traffic based on application protocols, and Quality of Service (QoS) traffic shaping is not available for all class maps on a Cisco Adaptive
Security Appliance (ASA). A class map is one of the three basic components of Modular Policy Framework (MPF); policy maps and service policies are the other
two components. MPF is a Cisco ASA feature that provides a flexible method of enabling security policies on an interface. A class map identifies a specific flow of
traffic, a policy map determines the action that will be performed on the traffic, and a service policy ties this action to a specific interface. Generally, each class map
can contain only a single match statement, and a packet can match only a single class map within the policy map of a particular feature type. For example, if a
packet matched a class map for File Transfer Protocol (FTP) inspection and a class map for traffic policing, the ASA would apply both policy map actions to the
packet. However, if a packet matched a class map for FTP inspection and a second, different class map that included FTP inspection, the ASA would apply only
the actions of the first matching policy map. By default, two class maps are defined on an ASA; the class-default and inspection_default class maps are part of the
default configuration of an ASA.
You can use the match command from class map configuration mode to identify traffic based on specified
characteristics. The keywords you can use to identify traffic in a class map are closely tied to their respective characteristics. The match command supports the
following keywords: access-list, port, default-inspection-traffic, dscp, precedence, rtp, tunnel-group, and any.
For example, you could issue the following commands to create a class map named CLASSMAP that identifies traffic using Transmission Control Protocol (TCP)
port 8080:

asa(config)#class-map CLASSMAP
asa(config-cmap)#match port tcp eq 8080

Once traffic has been identified by a class map, the associated policy map can take action on that traffic. A policy map typically contains references to one or more
class maps and defines actions that should be performed on traffic matched by the specified class maps. If traffic matches multiple class maps for different actions
within a policy map (for instance, if traffic matches a class map for application inspection as well as a class map for priority queuing), the actions of both class maps
will be applied to the traffic. To continue the example from above, you could issue the following commands to configure a policy map named POLICYMAP that
matches traffic specified by the class map named CLASSMAP and then processes the traffic with the Hypertext Transfer Protocol (HTTP) inspection engine:

asa(config)#policy-map POLICYMAP
asa(config-pmap)#class CLASSMAP
asa(config-pmap-c)#inspect http

A policy map does not act on traffic until the map has been applied to an interface by a service policy. A service policy identifies the interface to which a policy map
is applied; a service policy can be applied globally to all interfaces, which will apply application inspection to only traffic entering the appliance. Alternatively, a
service policy can be applied to a single interface, which will apply application inspection to traffic entering and exiting the interface. An interface service policy
overrides a global service policy: if traffic matches both an interface policy and a global policy, only the interface policy will be applied to that particular traffic flow.
To complete the example, you could issue the following commands to apply the POLICYMAP policy map to the inside interface:

asa(config)#service-policy POLICYMAP interface inside

QoS traffic shaping is available for only the class-default class map.

Class maps do not apply specific security measures on a per-session basis; dynamic access policies (DAPs) can apply specific security measures on a per-session
basis. Configuring a DAP allows you to resolve complications presented by the frequently inconsistent nature of a virtual private network (VPN). For example, users
might access your network from different remote locations, with each location having a different configuration, thus presenting a variety of security issues for each
individual situation. With a DAP, you can apply specific security measures for each specific situation on a per-session basis. Depending on the circumstances of the
next connection from a remote location, a different DAP may be applied if the variables have changed.
Reference:
Cisco: Service Policy Using the Modular Policy Framework: Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping
Cisco: Service Policy Using the Modular Policy Framework: Creating a Layer 3/4 Class Map for Through Traffic

QUESTION 120
Which of the following is true regarding the EAP-FAST authentication process? (Select the best answer.)

A. A digital certificate is required only on the client.
B. A digital certificate is required only on the server.
C. Digital certificates are required on both the client and the server.
D. Digital certificates are not required on the client or the server.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Digital certificates are not required on the client or the server during the Extensible Authentication Protocol (EAP)-Flexible Authentication via Secure Tunneling
(FAST) authentication process; instead, EAP-FAST uses Protected Access Credentials (PACs). EAP-FAST is an authentication protocol that can be used for
point-to-point connections and for both wired and wireless links. The EAP-FAST authentication process consists of three phases. The first phase, which is optional
and is considered phase 0, consists of provisioning a client with a PAC, which is a digital credential that is used for authentication. A PAC can be manually
configured on a client, in which case phase 0 is not required. The second phase, which is referred to as phase 1, involves creating a secure tunnel between the
client and the server. The final phase, which is referred to as phase 2, involves authenticating the client. If the client is authenticated, the client will be able to
access the network.
Other EAP methods exist that do rely on digital certificates for authentication. For example, EAP-Transport Layer Security (TLS) requires both a client and a server
digital certificate, whereas Protected EAP (PEAP) requires only servers to be configured with digital certificates. With PEAP, clients can use alternative
authentication methods, such as one-time passwords (OTPs).
Similar to EAP-FAST, Lightweight EAP (LEAP) does not require either the server or the client to be configured with a digital certificate. When LEAP is used, the
client initiates an authentication attempt with a Remote Authentication Dial-In User Service (RADIUS) server. The RADIUS server responds with a challenge
response. If the challenge/response process is successful, the client then validates that the RADIUS server is correct for the network. If the RADIUS server is
validated, the client will connect to the network.
Reference:
Cisco: EAP Methods Summary
Cisco: Configuring EAP-FAST: Table 3-1 Connection Settings (PDF)

QUESTION 121
Which of the following security functions is associated with the data plane? (Select 2 choices.)

A. device configuration protection
B. signaling protection
C. traffic conditioning
D. traffic filtering

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Traffic conditioning and traffic filtering are security features that are associated with the data plane. Cisco devices are generally divided into three planes: the control
plane, the management plane, and the data plane. Each plane is responsible for different operations, and each plane can be secured by implementing various
security methods.
The data plane is responsible for traffic passing through the router, which is referred to as transit traffic. Therefore, data plane security protects against
unauthorized packet transmission and interception. Threats such as IP spoofing, Media Access Control (MAC) address spoofing, Address Resolution Protocol
(ARP) spoofing, Dynamic Host Configuration Protocol (DHCP) spoofing, unauthorized traffic interception, and unauthorized network access can be mitigated and
monitored by implementing features such as the following:
- ARP inspection
- Anti-spoofing access control lists (ACLs)
- DHCP snooping
- Port ACLs (PACLs)
- Private virtual LANs (VLANs)
- Unicast Reverse Path Forwarding (uRPF)
- VLAN ACLs (VACLs)

The control plane is responsible for the creation and maintenance of structures related to routing and forwarding. These functions are heavily dependent on the
CPU and memory availability. Therefore, control plane security methods protect against unauthorized traffic destined for the router, which can modify route paths
and consume excessive resources. Path modification can be caused by manipulating the traffic generated by routing protocols, VLAN Trunking Protocol (VTP), and
Spanning Tree Protocol (STP). Path modification attacks can be mitigated by implementing routing protocol authentication and filtering, VTP authentication, and
STP protection features. In addition, excessive CPU and memory consumption can be caused by control plane flooding. Resource consumption attacks can be
mitigated by implementing control plane filtering and rate limiting with Control Plane Policing (CoPP) and Control Plane Protection (CPPr).
Device configuration protection is associated with the management plane. Management plane security protects against unauthorized device access and
configuration. Unauthorized access can be mitigated by implementing a strong Authentication, Authorization, and Accounting (AAA) solution and by implementing
Management Plane Protection (MPP), which creates protected management channels over which administrators must connect in order to access device
administration features. Management traffic can be encrypted by implementing Secure Shell (SSH). You can mitigate unauthorized configuration of a device by
implementing Role-Based Access Control (RBAC), whereby administrators are limited to using only the features they need to accomplish their jobs. Detection and
logging of management plane access can be performed by implementing Simple Network Management Protocol version 3 (SNMPv3) and Syslog servers.
Reference:
Cisco: Cisco Guide to Harden Cisco IOS Devices

QUESTION 122
Which of following capabilities do an IDS and IPS have in common? (Select the best answer.)

A. blocking a particular connection
B. blocking traffic from a particular host
C. modifying traffic
D. resetting TCP connections

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
An Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) can both reset Transmission Control Protocol (TCP) connections. An IDS is a
network monitoring device that passively monitors network traffic and actively sends alerts to a management station when it detects malicious traffic. An IDS
typically has one promiscuous network interface attached to each monitored network. Because traffic does not flow through the IDS, the IDS is unable to directly
block malicious traffic; however, an IDS can do any of the following:
- Request that another device block a connection
- Request that another device block a particular host
- Reset TCP connections

An IDS can prevent further instances of previously detected malicious traffic from passing onto the network by creating access control lists (ACLs) on routers in the
traffic path or by configuring other security devices that reside in the flow of traffic.
By contrast, an IPS typically sits inline with the flow of traffic and can therefore block malicious traffic before it passes onto the network. An inline IPS can perform
the following actions:
- Block traffic from a particular host
- Block a particular connection
- Modify traffic
- Reset TCP connections

However, if an IPS sits inline with traffic, a failed IPS device can cause all traffic to be dropped. Analyzing all of the traffic that passes through the IPS can cause
latency and jitter. Alternatively, an IPS can be configured to operate in promiscuous mode, which would make it functionally similar to an IDS.
Reference:
Cisco: Managed Security Services Partnering for Network Security: Managed Intrusion Detection and Prevention Systems

QUESTION 123
Which of the following statements are true regarding RADIUS? (Select 2 choices.)

A. It encrypts only the password in Access-Request packets.
B. It combines authorization and authentication functions.
C. It provides more flexible security options than TACACS+.
D. It uses TCP port 49.
E. It is a Cisco-proprietary standard protocol.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Remote Authentication Dial-In User Service (RADIUS) combines authentication and authorization into a single function and encrypts only the password in
Access-Request packets. RADIUS is an Internet Engineering Task Force (IETF) standard protocol for Authentication, Authorization, and Accounting (AAA)
operations. RADIUS uses User Datagram Protocol (UDP) for packet delivery. Because RADIUS encrypts only the password of a packet, the rest of the packet
would be viewable if the packet were intercepted by a malicious user. RADIUS has fewer flexible security options than Terminal Access Controller Access Control
System Plus (TACACS+), because RADIUS combines the authentication and authorization functions of AAA into a single function and does not provide router
command authorization capabilities.
By contrast, TACACS+ is a Cisco-proprietary protocol that uses Transmission Control Protocol (TCP) for transport during AAA operations. TACACS+ provides more
security and flexibility than RADIUS because TACACS+ encrypts the entire body of a packet and separates the authentication, authorization, and accounting
functions of AAA. This separation enables granular control of access to resources. For example, TACACS+ gives administrators control over access to
configuration commands; users can be permitted or denied access to specific configuration commands. Because of this flexibility, TACACS+ is used with Cisco
Secure Access Control Server (ACS), which is a software tool that is used to manage user authorization for router access.
Reference:
Cisco: TACACS+ and RADIUS Comparison: Compare TACACS+ and RADIUS
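To see what "encrypts only the password" means on the wire, here is an added Python example (written for this explanation, not Cisco's or any vendor's code) that builds a RADIUS Access-Request, hides the User-Password attribute the way RFC 2865 section 5.2 specifies (MD5 of the shared secret and Request Authenticator, XORed with the password in 16-octet chunks), and lets you verify that the User-Name and every other field stay in cleartext. The shared secret, user name and password are constructed sample values.

```python
"""RADIUS Access-Request: only User-Password is hidden (RFC 2865 5.2).

Constructed example, not from the page or any vendor. Builds a packet
with User-Name and User-Password, applies the RFC 2865 password hiding
(MD5 of shared secret + Request Authenticator, XORed chunk by chunk),
and lets a reader check which bytes a sniffer would still see.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16, then
    c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ..."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        hidden += c
        prev = c
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same MD5 chain, then strip the NUL padding."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ k for x, k in zip(c, b))
        prev = c
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type(1), length(1, includes these 2 octets), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """Return the wire-format Access-Request. The Request Authenticator is a
    fresh random 16-octet value unless one is supplied (as in a test)."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLVs after the 20-octet header; returns {type: raw value}."""
    attrs, pos = {}, HEADER_LEN
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def request_authenticator(packet: bytes) -> bytes:
    """The 16 octets following code, identifier and length."""
    return packet[4:HEADER_LEN]


if __name__ == "__main__":
    secret = b"testing123"                              # constructed shared secret
    pkt = build_access_request(7, b"alice", b"Passw0rd!", secret)
    attrs = parse_attributes(pkt)
    print("User-Name on the wire :", attrs[ATTR_USER_NAME])     # readable by a sniffer
    print("User-Password on wire :", attrs[ATTR_USER_PASSWORD].hex())
    print("recovered with secret :",
          unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_authenticator(pkt)))
```

Note that the hiding depends only on MD5 and the shared secret; it is obfuscation of a single attribute, not transport encryption, which is why the rest of the packet is readable by anyone on the path.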

QUESTION 124
Which of the following protocols can IPSec use to provide the confidentiality component of the CIA triad? (Select 2 choices.)

A. AES
B. AH
C. DES
D. MD5
E. SHA

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices available, IP Security (IPSec) can use either Advanced Encryption Standard (AES) or Data Encryption Standard (DES) to provide the confidentiality
component of the confidentiality, integrity, and availability (CIA) triad. The confidentiality component of the CIA triad ensures that transmitted data cannot be read by
an unauthorized party if the data is intercepted before it reaches its destination. Depending on the amount of confidentiality desired, IPSec can use AES or DES
with Encapsulating Security Payload (ESP) in either transport mode or tunnel mode. In transport mode, ESP uses AES or DES to encrypt only the original payload
data and the resultant ESP trailer, leaving the original IP header unencrypted. The following diagram illustrates the components of an ESP packet in transport
mode:

In tunnel mode, ESP uses AES or DES to encrypt the entire packet, including the original IP header, the original payload data, and the resultant ESP trailer. The
following diagram illustrates the components of an ESP packet in tunnel mode:

IPSec can use Authentication Header (AH) and ESP to provide the integrity component of the CIA triad, not the confidentiality component. The integrity component
of the CIA triad ensures that unauthorized parties have not modified data as it was transmitted over the network. Data integrity is provided by using algorithms such
as Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) to produce checksums on each end of the connection. If the data generates the same checksum
value on each end of the connection, the data was not modified in transit. In addition, AH and ESP can authenticate the origin of transmitted data. Data
authentication is provided through various methods, including user name/password combinations, pre-shared keys (PSKs), digital certificates, and one-time
passwords (OTPs).
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 1, Confidentiality, Integrity, and Availability, pp. 14-15
IETF: RFC 4301: Security Architecture for the Internet Protocol: 3.2. How IPsec Works
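The transport-mode and tunnel-mode layouts described above, as an added Python example (written for this explanation, not from the original page or any IPsec implementation): it builds an ESP packet per RFC 4303 (SPI, sequence number, encrypted payload plus trailer, HMAC-SHA1-96 ICV) and shows that transport mode leaves the original IP header readable while tunnel mode hides it behind a new outer header. Because the standard library has no AES or DES, the encryption is a clearly labelled SHA-256 counter-mode keystream stand-in; the addresses, keys and TCP segment are constructed sample values.

```python
"""ESP (RFC 4303) layout in transport vs tunnel mode.

Constructed example, not from the page. AES/DES are replaced by a
SHA-256 counter-mode keystream so the block runs with the standard
library only; the integrity check is a real HMAC-SHA1-96 ICV over the
SPI, sequence number and ciphertext, as RFC 4303 specifies.
"""
import hashlib
import hmac
import struct

PROTO_IPIP = 4    # Next Header for an encapsulated IPv4 packet (tunnel mode)
PROTO_TCP = 6
PROTO_ESP = 50
BLOCK = 16        # pad the trailer to a cipher block size, like AES would
ICV_LEN = 12      # HMAC-SHA1-96 truncates the tag to 96 bits


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left 0; enough to show layout)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, src_b, dst_b)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for the AES/DES transform: SHA-256 in counter mode, keyed
    per packet by SPI+sequence number. Not a real IPsec cipher suite."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack("!I", ctr)).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(inner: bytes, next_header: int, spi: int, seq: int,
                    enc_key: bytes, auth_key: bytes) -> bytes:
    """SPI | Seq | {inner | padding | pad len | next header}_enc | ICV."""
    pad_len = (-(len(inner) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default padding
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    hdr = struct.pack("!II", spi, seq)              # cleartext, but authenticated
    ct = xor(inner + trailer, keystream(enc_key, hdr, len(inner) + len(trailer)))
    icv = hmac.new(auth_key, hdr + ct, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + ct + icv


def esp_icv_ok(esp: bytes, auth_key: bytes) -> bool:
    """Verify the ICV; it covers everything except the ICV itself."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def esp_decapsulate(esp: bytes, enc_key: bytes, auth_key: bytes):
    """Return (inner bytes, next header); raise if the packet was modified."""
    if not esp_icv_ok(esp, auth_key):
        raise ValueError("ESP ICV mismatch: packet modified in transit")
    hdr, ct = esp[:8], esp[8:-ICV_LEN]
    plain = xor(ct, keystream(enc_key, hdr, len(ct)))
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:len(plain) - 2 - pad_len], next_header


def transport_mode(src, dst, tcp_segment, spi, seq, enc_key, auth_key) -> bytes:
    """Original IP header stays in the clear; only payload + trailer is encrypted."""
    esp = esp_encapsulate(tcp_segment, PROTO_TCP, spi, seq, enc_key, auth_key)
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, original_packet, spi, seq, enc_key, auth_key) -> bytes:
    """Whole original packet, header included, is encrypted; the new outer
    header carries only the tunnel endpoints (for example two VPN gateways)."""
    esp = esp_encapsulate(original_packet, PROTO_IPIP, spi, seq, enc_key, auth_key)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp


if __name__ == "__main__":
    enc_key, auth_key = b"k" * 16, b"a" * 20          # constructed sample keys
    seg = b"\x04\xd2\x00\x50" + b"hello over tcp"      # constructed TCP segment
    original = ipv4_header("10.1.1.1", "10.2.2.2", PROTO_TCP, len(seg)) + seg
    t = transport_mode("10.1.1.1", "10.2.2.2", seg, 0x1000, 1, enc_key, auth_key)
    u = tunnel_mode("203.0.113.1", "198.51.100.1", original, 0x1000, 1, enc_key, auth_key)
    print("transport outer dst:", t[16:20].hex(), "payload visible:", b"hello" in t)
    print("tunnel outer dst:   ", u[16:20].hex(), "inner header visible:", original[:20] in u)
```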

QUESTION 125
You issue the following commands on a Cisco ASA with no other configured interfaces:

asa(config)#interface gigabitethernet 0/1
asa(config-if)#speed 1000
asa(config-if)#duplex full
asa(config-if)#nameif inside
asa(config-if)#ip address 10.1.1.1 255.255.255.0
asa(config-if)#no shutdown
asa(config-if)#exit
asa(config)#telnet 10.1.1.0 255.255.255.0 inside
asa(config)#telnet timeout 30

Which of the following statements is true regarding the resulting configuration? (Select the best answer.)

A. Telnet sessions will time out after 30 seconds of inactivity.
B. The ASA will assign the interface a security level of 0.
C. The ASA will assign the interface a security level of 100.
D. Telnet sessions will be denied until a security level is manually assigned.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the Cisco Adaptive Security Appliance (ASA) will assign the GigabitEthernet 0/1 interface a security level of 100. The block of commands in this
scenario configures the GigabitEthernet 0/1 interface to operate in full-duplex mode at a speed of 1,000 megabits per second (Mbps), names the interface "inside",
and assigns an IP address 10.1.1.1 with a network mask of 255.255.255.0. In addition, the no shutdown command enables the interface. The telnet commands
define a network range that is permitted to Telnet to the inside interface and configure a Telnet idle-timeout value. Because no security level is manually assigned to
the interface, the ASA will automatically assign the interface a security level. The default security level on an ASA is 0; however, the inside interface is an exception
to this rule because it is automatically assigned a security level of 100 if a security level is not explicitly configured. An interface can be assigned any integer-valued
security level from 0 through 100.
Telnet sessions will not be denied to the GigabitEthernet 0/1 interface until a security level is manually assigned. Normally, Telnet traffic is not permitted to the
interface with the lowest security. However, if there is only one configured interface and it has been configured with a security level of 100, Telnet traffic is permitted
even though the interface simultaneously has the highest security and the lowest security. Because the ASA automatically assigns a security level of 100 to the
inside interface, Telnet sessions will be able to access the interface. If there were other active interfaces on the ASA, a Telnet session would be permitted to the
interface with the lowest security only if that session was protected by a virtual private network (VPN) tunnel terminating on the interface. Although there are several
methods for working around Telnet access restrictions of the ASA, Cisco recommends disabling Telnet and using more secure methods for management access,
such as Secure Shell (SSH) or Secure Hypertext Transfer Protocol (HTTPS) instead; neither HTTPS nor SSH is restricted by the security level of an interface.
Telnet sessions will not time out after 30 seconds of inactivity. The telnet timeout 30 command specifies an inactivity timeout length of 30 minutes, not 30 seconds.
The telnet timeout command accepts an integer value from 1 through 1440 to specify the number of minutes a Telnet session can remain idle before the ASA
closes the connection.
Reference:
Cisco: Cisco ASA 5500 Series Command Reference: security-level

QUESTION 126
Which of the following vulnerabilities did the Blaster worm exploit on target hosts? (Select the best answer.)

A. a buffer overflow vulnerability in the DCOM RPC service
B. a buffer overflow vulnerability in IIS software
C. a buffer overflow vulnerability in Microsoft SQL Server
D. a remote code execution vulnerability in the printer spooler service
E. a remote code execution vulnerability in the processing of .lnk files

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Blaster worm exploited a buffer overflow vulnerability in the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) service on Microsoft
Windows hosts. The worm carried a destructive payload that configured the target host to engage in Denial of Service (DoS) attacks on Microsoft update servers.
Before Microsoft released a patch, several other worms exploited the vulnerability. For example, the Welchia worm targeted the same vulnerability. Welchia was
developed to scan the network for vulnerable machines, infect them, and then remove the Blaster worm if present. It was even designed to download and install the
appropriate patch from Microsoft to fix the vulnerability that it and Blaster initially exploited to infect the target machine. However, despite the good-natured design
intentions of the Welchia worm, its network-scanning component inadvertently caused DoS attacks on several large networks, including those of the United States
armed forces.
Stuxnet is an example of a worm that exploited vulnerabilities in both the printer spooler service and the processing of .lnk files. Stuxnet was used in an act of cyber
warfare against Iranian industrial control systems (ICSs). It was written to target specific ICSs by modifying code on programmable logic controllers (PLCs). Stuxnet
initially exploited vulnerabilities in the printer spooler service; however, later variants exploited a vulnerability in the way that Windows processes shortcuts (.lnk
files). Research from Symantec published in 2011 indicated that at the time, over 60 percent of the Stuxnet-affected hosts had been in Iran. Symantec analyzed
Stuxnet and its variants and discovered that five organizations were the primary targets of infection and that further infections were likely collateral damage from the
aggressive manner in which the worm spreads throughout the network. Given the considerable cost in resources and man-hours that would have been required to
craft the Stuxnet worm, it was theorized that it was likely intended to sabotage high value targets such as nuclear materials refinement facilities.
SQL Slammer is an example of a worm that exploited a buffer overflow vulnerability in Microsoft Structured Query Language (SQL) server software. SQL Slammer
spread at a tremendous rate and was reported to have infected as many as 12,000 servers per minute. Its high scanning rate generated enough traffic on many
networks to effectively produce DoS effects as collateral damage to the infection.
Code Red is an example of a worm that exploited a buffer overflow vulnerability in Microsoft Internet Information Server (IIS) software. Although not as efficient as
SQL Slammer, Code Red still managed to infect as many as 2,000 hosts per minute. The initial Code Red variant failed to infect more than a single set of IP
addresses? however, a later variant was reported to have affected over 350,000 hosts within the first 14 hours of its release into the wild.
Reference:
Cisco: The Internet Protocol Journal: Trends in Viruses and Worms

QUESTION 127
Which of the following statements is true regarding the primary bootset when the Cisco IOS Resilient Configuration feature is enabled? (Select the best answer.)

A. The configuration file can be secured on a TFTP server, but the system image must be secured on local storage.
B. The system image can be secured on a TFTP server, but the configuration file must be secured on local storage.
C. The configuration file and the system image must both be secured on local storage.
D. The configuration file and the system image must both be secured on remote storage.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The configuration file and the system image must both be secured on local storage when the Cisco IOS Resilient Configuration feature is enabled. The Resilient
Configuration feature is designed to protect system and configuration files from tampering and accidental deletion. You can issue the following block of commands
to enable the Resilient Configuration feature:

Router#configure terminal
Router(config)#secure bootimage
Router(config)#secure bootconfig

When the feature is enabled, the primary system image file and associated running configuration are securely archived in local persistent storage; you cannot
select a remote storage location. The secure boot-image command enables the image resilience component of the Resilient Configuration feature and effectively
hides the system image from the directory structure. This means that the system image will no longer be displayed when the dir command is issued from the
command prompt of an EXEC shell. In addition, because the system image file is not copied to a secure location, extra storage is not required to secure it. By
contrast, the secure boot-config command creates a hidden copy of the running configuration file. The secured versions of the system image and running
configuration are referred to as the primary bootset.
You can restore either or both components of the primary bootset at any time. The system image can be restored from read-only memory (ROM) monitor
(ROMmon) mode, and the running configuration can be restored from global configuration mode by using the restore parameter of the secure boot-config
command. Once the system image and running configuration have been secured, the router will track version mismatches and produce a console message if the
system image or running configuration have mismatched versions. Once the Resilient Configuration feature is enabled, it can only be disabled from the console.
Reference:
Cisco: Cisco IOS Resilient Configuration: Feature Design of Cisco IOS Resilient Configuration
Category: Secure Routing and Switching

QUESTION 128
Which of the following can be installed on a host to ensure that only specified inbound and outbound connections are permitted? (Select the best answer.)

A. antivirus software
B. a HIPS
C. a personal firewall

D. a proxy server

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A personal firewall can be installed on a host to ensure that only specified inbound and outbound connections are permitted. A personal firewall can protect a host
from malicious traffic by permitting or denying specific applications or network ports access to the host or its network interface. Typically, a personal firewall
provides sufficient granularity to specify the direction of a particular flow of traffic. For example, you could permit outbound web traffic but deny inbound Internet
Control Message Protocol (ICMP) messages.
A Host-based Intrusion Prevention System (HIPS) can be installed on a host to analyze and prevent malicious traffic on that host. An Intrusion Prevention System
(IPS) can be used to actively monitor, analyze, and block malicious traffic before it infects devices. HIPS software can be installed on a host computer to protect
that computer against malicious traffic. By contrast, a Network-based IPS (NIPS) is an independent operating platform, often a standalone appliance or a hardware
module installed in a chassis. A NIPS device can be installed inline on a network to monitor and prevent malicious traffic from being sent to other devices on the
network. One advantage of using a NIPS over a HIPS is that a NIPS can detect low-level network events, such as the scanning of random hosts on the network; a
HIPS can only detect scans for which it is the target. A HIPS and a NIPS can be used together to provide an additional layer of protection.
You could not install antivirus software to ensure that only specified inbound and outbound connections are permitted. Antivirus software monitors the file system
and memory space on a host for malicious code. Although the antivirus software might protect the host from malicious file execution, it would be unable to protect
the host from malicious traffic. Some antivirus vendors offer integrated security suites, which feature personal firewall, HIPS, antivirus, and antimalware
components.
You could not install a proxy server on a host to ensure that only specified inbound and outbound connections are permitted. A proxy server is typically an
application layer gateway that provides resource caching and traffic filtering for a particular class of traffic, such as web content. Although you could install a proxy
server locally on a host and use it to process specified outbound connections, it would not be able to restrict outbound connections that were not configured to use
the proxy nor would it be able to restrict inbound connections.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 19, Mitigation Technologies for Endpoint Threats, pp. 498-499
Category: Cisco Firewall Technologies

QUESTION 129
Which of the following statements are true regarding the FirePOWER inline normalization preprocessor engine? (Select 2 choices.)

A. Inline normalization can process IPv4 and ICMPv4 traffic but not IPv6 traffic.
B. Inline normalization can process IPv4 and IPv6 traffic but not ICMPv4 traffic.
C. Inline normalization cannot detect TCP SYN flood attacks.
D. Inline normalization cannot detect TCP session hijacking attacks.
E. Inline normalization takes place immediately before decoding by the packet decoder.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The FirePOWER inline normalization preprocessor engine cannot detect Transmission Control Protocol (TCP) SYN flood attacks or session hijacking attacks. The
inline normalization preprocessor can be used by a FirePOWER Intrusion Prevention System (IPS) that is deployed in an inline configuration. Packet normalization
can reduce the chances of malicious traffic evading detection. The inline normalization process takes place immediately after the IPS packet decoder decodes the
packet, which ensures that packets being analyzed by the IPS are identical to the packets that will be assembled by the target host. The inline normalization
preprocessor can perform normalizations on various components of Internet Control Message Protocol version 4 (ICMPv4), IP version 4 (IPv4), IPv6, and TCP
packets. For example, it can reset the time-to-live (TTL) value on a packet if it detects a TTL value outside of a user-defined range.
The FirePOWER rate-based prevention preprocessor engine, not the inline normalization preprocessor engine, can detect SYN flood traffic. The
rate-based prevention preprocessor engine detects traffic abnormalities based on the frequency of certain types of traffic. The following traffic patterns can trigger
rate-based attack prevention:
- Traffic containing excessive incomplete TCP connections
- Traffic containing excessive complete TCP connections
- Excessive rule matches for a particular IP address or range of IP addresses
- Excessive rule matches for one particular rule regardless of IP address

The FirePOWER TCP stream preprocessor engine, not the inline normalization detection preprocessor, can detect session hijacking attacks. The stream
preprocessor assembles the packets of a TCP data stream into a single comprehensive unit for scanning. Because the TCP stream preprocessor has access to
multiple packets in a data stream, it can analyze state information, analyze payload anomalies, and identify stream-based attacks that are not possible to identify
based on single-packet analysis.
Reference:
Cisco: Configuring Transport & Network Layer Preprocessing: Normalizing Inline Traffic

QUESTION 130
What is the effect of the same-security-traffic permit intra-interface command on a Cisco ASA? (Select the best answer.)

A. It allows communication between different interfaces that share the same security level.
B. It allows traffic to exit the same interface through which it entered.
C. It allows outbound traffic and the corresponding return traffic to pass through different ASAs.
D. It allows traffic destined to unprotected subnets to bypass a VPN tunnel.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
On a Cisco Adaptive Security Appliance (ASA), the same-security-traffic permit intra-interface command allows traffic to exit the same interface through which it
entered, which is also known as hairpinning. By default, an ASA does not allow packets to enter and exit through the same physical interface. However, because
multiple logical virtual LANs (VLANs) can be assigned to the same physical interface, it is sometimes necessary to allow a packet to enter and exit through the
same interface. The same-security-traffic permit intra-interface command allows packets to be sent and received from the same interface even if the traffic is
protected by IP Security (IPSec) security policies. Another scenario for which you would need to use the same-security-traffic permit intra-interface command is if
multiple users need to connect via virtual private network (VPN) through the same physical interface. These users will not be able to communicate with one another
unless the same-security-traffic permit intra-interface command has been issued from global configuration mode.
The same-security-traffic permit inter-interface command, not the same-security-traffic permit intra-interface command, allows communication between different
interfaces that share the same security level. By default, interfaces with the same security level are not allowed to communicate with each other.
A split tunneling policy, not the same-security-traffic permit intra-interface command, allows traffic destined to unprotected subnets to bypass an encrypted tunnel.
With split tunneling, only traffic destined to protected subnets is routed through the appropriate VPN tunnel. Traffic destined to unprotected subnets, such as the
Internet, can bypass the tunnel and be routed normally. You can issue the split-tunnel-policy and split-tunnel-network-list commands to configure a split tunneling policy.
Transmission Control Protocol (TCP) state bypass, not the same-security-traffic permit intra-interface command, allows outbound traffic and the corresponding return traffic
to pass through different ASAs. With TCP state bypass, an ASA will allow a specific class of traffic to pass through the ASA without the traffic class having an entry
in the ASA's state table. TCP state bypass is disabled by default. You can issue the set connection advanced-options tcp-state-bypass command to enable the TCP
state bypass feature.
Reference:
Cisco: Configuring Interfaces: Allowing Same Security Level Communication
Category: VPN
