
Exam Title: Nortel 920-449: NNCSE Contivity Security

Version: R6.1

www.prepking.com


1. A Contivity configuration has two private interfaces (LAN 0 and LAN 1) and one public interface (LAN 3) with Application servers residing on LAN 0. An administrator needs to create a default rule in order to allow users from LAN 1 and tunneled users from LAN 3 to access the application servers in LAN 0. What would be the most secure interface classification for the source interface?

A. Any
B. Trusted
C. Tunnel: Any
D. LAN 1 and LAN 3

Answer: B

2. A technician is setting up a rule base for a Contivity Stateful Firewall configuration. The technician plans to enable a Lockdown rule. What will be the impact of this rule?

A. non-tunneled traffic will be blocked
B. access to the firewall will be blocked
C. outgoing traffic through the firewall will be blocked
D. incoming traffic through the firewall will be blocked

Answer: B

3. A company has a main office and three branch offices. Each branch office has a branch office tunnel (BOT) connection to the main office. The following conditions exist:

- Contivity firewall is disabled but each BOT has a default setting of "permit all" tunnel filter configured under the group profile.
- The company has their own internal/private DNS server which resides in the main office.
- Contivity from each branch office is acting as DNS proxy.
- Workstations from the branch offices are pointing to their local Contivity as the default gateway and DNS server.

All workstations from the branch offices can reach all devices in the main office via IP address but cannot reach them through DNS names. What is the most likely cause of the problem?

A. The access control of "permit all" given to the BOT group is enough to allow DNS to pass through the tunnel so the DNS server could be down.
B. DNS server is up but main office's Contivity has DNS setting unchecked under the allow management traffic for remote servers portion of the permit all rule.
C. DNS server is up but branch offices' Contivity has DNS setting unchecked under the allow management traffic for remote servers portion of the permit all rule.
D. Main office's Contivity has DNS setting checked under the allow management traffic for remote servers portion of the permit all rule but DNS server could be down.

Answer: C

4. Contivity Stateful Firewall has been enabled on a customer's Contivity system. The customer wants to extend user authentication on traffic between branch office connections in their VPN environment and a technician has set up Firewall User Authentication (FWUA). How will this affect system users?

A. Users will now have transparent access to the Contivity Stateful Firewall.
B. Users will be automatically authenticated for internal authorization services such as LDAP.
C. Users will be automatically authenticated for external authorization services such as RADIUS.
D. Users will be required to log into the Contivity Stateful Firewall before they are granted network access.

Answer: D

5. A Contivity has two private interfaces (LAN and DMZ) and one public interface (INT). Workstation1 with an IP address of 10.10.10.1/24 is in the network that is directly attached to the private interface LAN. Workstation2 with an IP address of 20.20.20.1/24 is in the network that is directly attached to private interface DMZ. The requirement is to block only traffic from workstation1 to workstation2 using interface filters to be applied to the private interface DMZ. Select the most appropriate filter action, direction, and address for the access control filter.

A. Filter action = Deny; Direction = Inbound; Address = 20.20.20.1
B. Filter action = Deny; Direction = Inbound; Address = 10.10.10.1
C. Filter action = Deny; Direction = Outbound; Address = 10.10.10.1
D. Filter action = Deny; Direction = Outbound; Address = 20.20.20.1

Answer: C

6. Company A and Company B established a branch office tunnel connection using Contivity v4.8 with the following setup:

- Company A - private interface (LAN A) has an IP address of 192.168.3.1/24
- Company A FTP server with IP address 192.168.3.3/24 which resides in LAN A
- Company B - private interface (LAN B) has an IP address of 192.168.30.2/24

The security policy allows users from LAN B to access Company A's FTP server to download files with no other access to the rest of Company A's network. In Company A's Contivity Stateful Firewall configuration, what would be the most likely default rule?

A. Source interface = LAN B; Destination Interface = LAN A; Source = 192.168.30.0/24; Destination = 192.168.3.3/24; Service = FTP; Action = Allow
B. Source interface = LAN B; Destination Interface = Trusted; Source = 192.168.30.0/24; Destination = 192.168.3.3/24; Service = FTP; Action = Allow
C. Source interface = Tunnel: Any; Destination Interface = LAN A; Source = 192.168.30.0/24; Destination = 192.168.3.3/24; Service = FTP; Action = Allow
D. Source interface = Branch Tunnel: Any; Destination Interface = Trusted; Source = 192.168.30.0/24; Destination = 192.168.3.3/24; Service = FTP; Action = Allow

Answer: D

7. A Contivity has a private interface (LAN) and a public interface (DMZ). Workstation1 with an IP address of 10.10.10.1/24 is in the network that is directly attached to the private interface LAN. Workstation2 with an IP address of 20.20.20.1/24 is in the network that is directly attached to public interface DMZ. The requirement is to block only traffic from workstation1 to workstation2 using interface filters applied to the private interface LAN. Select the most appropriate filter action, direction, and address for the access control filter.

A. Filter action = Deny; Direction = Inbound; Address = 20.20.20.1
B. Filter action = Deny; Direction = Inbound; Address = 10.10.10.1
C. Filter action = Deny; Direction = Outbound; Address = 20.20.20.1
D. Filter action = Deny; Direction = Outbound; Address = 10.10.10.1

Answer: A

8. A technician is debugging a problem on a Contivity system and has input Override rules to be in effect during this time. Which statement best describes how the Override rules will function?

A. will be processed first
B. will override all rules in the policy
C. will override the rest of the rules described later in the policy
D. will apply only to the specific interface identified in the override rule

Answer: C

9. A customer's Contivity system is currently supporting a network of tunneled and non-tunneled traffic. Assume Contivity Stateful Firewall has just been enabled but no specific rules have been configured. How will the tunneled and non-tunneled traffic be handled?

A. Tunneled and non-tunneled traffic is allowed until rules restricting specific traffic are established.
B. Tunneled traffic is allowed but non-tunneled traffic is disallowed until rules allowing for specific traffic are established.
C. Non-tunneled traffic is allowed but tunneled traffic is disallowed until rules allowing for specific traffic are established.
D. Tunnels can be established, but all data traffic is disallowed from passing through the CES until rules allowing for specific traffic are established.

Answer: D

10. A company has a Contivity v4.8 configured with branch office tunnel connections under /Base/Partners group for all of its business partners. User tunnel access is also provided for all employees and partners. The Contivity has two private interfaces (LAN and DMZ) and one public interface. Application servers reside in the DMZ. The following rules are in effect:

- Interface specific rule 1: Source interface rule = LAN; Source interface = LAN; Destination interface = DMZ; Source = Any; Destination = Any; Service = Any; Action = Allow
- Default rule 1: Source interface = Trusted; Destination Interface = Trusted; Source = Any; Destination = Any; Service = Any; Action = Allow

The company's security policy dictates that only local users and remote users through a branch office tunnel can access application servers in the DMZ. However, even users via user tunnel connection also appear to have access to the application servers in the DMZ. How can the rules be changed to resolve the problem?

A. Interface specific rule 1 is correct but the source interface for default rule 1 is wrong and should be changed to Branch Tunnel: Any.
B. Default rule 1 is correct but the source interface for interface specific rule 1 is wrong and should be changed to Branch Tunnel: Any.
C. Interface specific rule 1 is correct but the source interface for default rule 1 is wrong and should be changed to Branch Tunnel:/Base/Partners.
D. Default rule 1 is correct but the source interface for interface specific rule 1 is wrong and should be changed to Branch Tunnel:/Base/Partners.

Answer: A

11. A Contivity has been set up to classify packets by the interface on which they arrive at the gateway. The policy rules have been constructed to ignore this classification. How did the rule designate the interface in order to ignore the classification?

A. designated as Any
B. designated as Ignore
C. designated as Trusted
D. designated as Untrusted

Answer: A

12. A Contivity customer is using certificate authentication for user and branch office tunnels. A supervisor has suggested configuring CMP (Certificate Management Protocol) on the Contivity switches company wide in order to reduce the administrator's workload. In what way would the configuration of CMP benefit the administrator?

A. CMP automates the processes of CRL updates and CRL distributions to all Contivity switches.
B. CMP allows the Contivity switch to act as a CA (Certification Authority) for other Contivity switches on the network.
C. CMP automates the process of client certificate distribution so the clients don't have to generate a certificate request.
D. CMP offers management of the entire certificate and key life cycle for the Contivity switch's server and CA certificates.

Answer: D

13. You have a CES2700 in your central office with about 1700 CES1100's at remote branch offices. All of the CES1100's have a nailed-up Peer-to-Peer branch office tunnel to the central office. You are using AES with Group 8 on the tunnels for security and the re-key timer is set to 1 hour. As more and more tunnels are activated, you noticed that CPU utilization increases significantly and network performance has begun to slightly degrade. What is the best initial step in trying to increase network performance and reduce the load on the CPU without making a significant sacrifice in security?

A. Increase the re-key timer to 8 hours.
B. Upgrade the CES2700 to a CES5000.
C. Deploy a second CES2700 and move half of the tunnels to the second switch.
D. Change the level of security used on the tunnels to 3DES with Group 7 (ECC 163-bit field).

Answer: A

14. A large banking company wants to deploy several hundred Contivity 1100's at remote branch offices. Each branch will have a primary Peer-to-Peer branch office tunnel to a CES5000 at the corporate headquarters and a backup Peer-to-Peer tunnel to a secondary CES5000. The bank has stated that the encryption algorithm used on the tunnels should be the most secure and fastest encryption available on the switch. Which encryption algorithm will best meet these needs?

A. 3DES with Group 2 (1024-bit prime)
B. AES with Group 8 (ECC 283-bit field)
C. 3DES with Group 7 (ECC 163-bit field)
D. AES-128 with Group 5 (1536-bit prime)

Answer: B

15. The new Director of IT at your company has informed you that the use of PFS (Perfect Forward Secrecy) will be a security requirement on all of the company's branch office tunnel configurations. What added security benefit does PFS offer to branch office tunnels?

A. The Contivity switch will encrypt the IKE phase I negotiations.
B. The session key will automatically be renegotiated between every packet.
C. The Contivity switch will place an outer encrypted header around the original encrypted header.
D. The compromise of one or both of the session keys will not allow previous session keys to be broken.

Answer: D

16. A customer's Contivity switch is configured to authenticate users by their user certificates. Each user is placed into a default group upon successful authentication. Since the customer's user base is growing rapidly, they would like to create a user group for each department within the company and have each user be placed into respective groups upon successful authentication. Which approach will support this solution?

A. Configure a 'User Access Policy' from the user's group IPsec configuration screen.
B. Configure a 'User Access Policy' in the CA certificate details section to determine group membership.
C. Use a separate Certification Authority (CA) for each group, and set each group as the 'Default Group' for its respective CA certificate.
D. Configure 'Group Access Control' in the CA certificate details section to use the Subject DN of the user certificate to determine group membership.

Answer: D

17. The following message has been displayed on a Contivity switch: "Warning: System CA certificates may have been tampered with, please reinstall!" What step should be taken to verify whether a certificate has, or has not been, tampered with?

A. Recover the certificate and verify that the fingerprint identifier matches the previous identifier.
B. Reinstall the certificate and verify that the new fingerprint identifier matches the previous identifier.
C. Verify the certificate's fingerprint identifier matches with the fingerprint supplied directly by the certificate's issuer.
D. Verify the certificate's issuer and the certificate issuer's serial number is that of the configured Certification Authority (CA).

Answer: C

18. A customer has eight Contivity 5000 Extranet switches that share an external LDAP server. Users are authenticated by the switch, which requires a valid user certificate and a user account in the LDAP database. The customer complains that when the eight switches update their CRL, the LDAP server that publishes the CRL seems to be overloaded. The CRL is updated every four hours. How could you effectively reduce the load on the LDAP server during the CRL updates?

A. Reduce the 'CRL Update Frequency' on the Contivity switches to every twelve hours.
B. Disable 'CRL Retrieval' on the Contivity switches and disable 'CRL Checking Mandatory'.
C. Add a second LDAP server that publishes the CRL, and have four of the eight switches use the second LDAP server.
D. Set the 'CRL Update Frequency' on six of the Contivity switches to zero, and have only two switches perform the update.

Answer: D

19. You are tasked with configuring a Contivity 4600 to connect to a frame relay gateway. You want the gateway type to be user configurable, with the gateway type determining both the LMI format and the FECN/BECN processing. When configuring the frame relay interface, how must the connection type be set?

A. direct
B. looped
C. switched
D. non-switched

Answer: C

20. The load balance and fail over features available for user tunnels apply to clients connecting through which method?

A. SSL
B. Private interface
C. Nortel Networks Contivity VPN client
D. Microsoft dial-up networking PPTP client

Answer: C

21. You are attempting to establish a VPN user tunnel to a Contivity 1700 using the Contivity VPN Client. When trying to login, a popup window appears with the following message: "Login Failure due to: Remote host not responding". What are two probable causes for this Login Failure? (Choose two.)

A. The user password is not correct.
B. The Contivity 1700 is not accessible.
C. User Datagram Protocol (UDP) port 500 is blocked.
D. The Group Security Authorization is mis-configured.

Answer: BC

22. You are tasked with configuring a Branch Office Tunnel on a Contivity 2700. If the two devices establishing the tunnel have different encryption settings (due to either export laws or administrative configuration), how will the two devices react?

A. They will default to DES with SHA1 Integrity.
B. They will negotiate upward until each has a compatible encryption capability.
C. They will negotiate downward until each has a compatible encryption capability.
D. They will negotiate upward until each has a compatible encryption capability.

Answer: C

23. You are tasked with configuring a new Point-to-Point Protocol over Ethernet (PPPoE) connection on the public interface of a Contivity 1100. Which PPPoE usage restriction do you NOT need to consider?

A. PPPoE changes are dynamically applied.
B. You must set the appropriate filter (deny all by default).
C. Cannot use dynamic routing on PPPoE interfaces (unless tunneling).
D. PPPoE has a Maximum Transmission Unit (MTU) limitation of 1492 bytes.

Answer: A

24. For planning purposes, bandwidth often equals the expected or current use plus a growth potential of:

A. 0%
B. 50%
C. 100%
D. 10-20%

Answer: D

25. You have configured an IPsec peer to peer branch office tunnel between a Contivity 4600 and a Contivity 1700. When the tunnel tries to initiate, you receive the following message in the Contivity 4600's event log:

ISAKMP [13] No proposal chosen in message from X.X.X.X

Which condition will generate this message?

A. A remote branch office gateway rejected your gateway's attempt to authenticate.
B. The encryption types proposed by the remote branch office do not match the encryption types configured locally.
C. One side of the connection is configured to support dynamic routing while the other side is configured for static routing.
D. The proposal made by the local gateway has been rejected by a remote branch office gateway, or by an IPsec implementation from another vendor.

Answer: B

26. Which Branch Office network design provides redundancy with the lowest system overhead?

A. Full Mesh
B. Hub and Spoke
C. Redundant full mesh
D. Redundant hub and spoke

Answer: D

27. Users at a remote location can not access their local mail server or print locally when they are tunneled into their corporate LAN via a gateway Contivity 1700. The elements have the following addresses:

- mail server (10.23.23.5)
- print locally (10.23.23.6)
- corporate LAN (192.168.1.0)

To allow access to the local servers and remain tunneled into the corporate LAN, which accessible address(es) should be used if split tunneling is configured?

A. 10.23.23.0
B. 192.168.1.0
C. 192.168.1.255
D. 10.23.23.5 and 10.23.23.6

Answer: B

28. Your customer has asked for your assistance in configuring a PPPoE interface on a Contivity 1050. You have researched PPPoE specifications and determined that PPPoE enforces an MTU size of 1492 bytes. For this reason, all PC's that connect to the Contivity also need to enforce an MTU of 1492 bytes, instead of 1500 bytes. What are two ways to set the parameters on the Contivity to address this need? (Choose two.)

A. Use the "ppoe ip tcp adjust-mss enable" command in the CLI.