SWITCH Chapter 6 CCNP 6.0 2012 100% Take Assessment – SWITCH Chapter 6 – CCNP SWITCH: Implementing Cisco IP Switching (Version 6.0) – Answers – 2011 – 2012

1. Which statement is true about a local SPAN configuration? 

A port can act as the destination port for all SPAN sessions configured on the switch.
A port can be configured to act as a source and destination port for a single SPAN session.
Both Layer 2 and Layer 3 switched ports can be configured as source or destination ports for a single SPAN session.
Port channel interfaces (EtherChannel) can be configured as source and destination ports for a single SPAN session.

2.
Refer to the exhibit. Which statement is true about the local SPAN configuration on switch SW1?
The SPAN session transmits to a device on port Fa3/21 a copy of all traffic that is monitored on port Fa3/1.
The SPAN session transmits to a device on port Fa3/21 a copy of all traffic that is monitored on port Fa3/1, but only if port Fa3/1 is configured in VLAN 10.
The SPAN session transmits to a device on port Fa3/21 a copy of all traffic that is monitored on port Fa3/1, but only if port Fa3/1 is configured as trunk.
The SPAN session transmits to a device on port Fa3/21 only a copy of unicast traffic that is monitored on port Fa3/1. All multicast and BPDU frames will be excluded from the monitoring process.

3.
Refer to the exhibit. Which statement is true about the VSPAN configuration on switch SW1?
The VSPAN session that is configured on port Fa3/4 can monitor only the ingress traffic for any of the VLANs.
The VSPAN session that is configured on port Fa3/4 can monitor only the egress traffic for any of the VLANs.
Port Fa3/4 must be associated with VLAN 10 or VLAN 20 in order to monitor the traffic for any of the VLANs.
The VSPAN session transmits a copy of the ingress traffic for VLAN 10 and the egress traffic for VLAN 20 out interface Fa3/4.

4. Which configuration guideline applies to using the capture option in VACL?
Capture ports transmit traffic that belongs to all VLANs.
The capture port captures all packets that are received on the port.
The switch has a restriction on the number of capture ports.
The capture port needs to be in the spanning-tree forwarding state for the VLAN.

5. All access ports on a switch are configured with the administrative mode of dynamic auto. An attacker, connected to one of the ports, sends a malicious DTP frame. What is the intent of the attacker?
VLAN hopping
DHCP spoofing attack
MAC flooding attack
ARP poisoning attack

6.
Refer to the exhibit. A network engineer is securing a network against DHCP spoofing attacks. On all switches, the engineer applied the ip dhcp snooping command and enabled DHCP snooping on all VLANs with the ip dhcp snooping vlan command. What additional step should be taken to configure the security required on the network?
Issue the ip dhcp snooping trust command on all uplink interfaces on SW1, SW2 and SW3.
Issue the ip dhcp snooping trust command on all interfaces on SW2 and SW3.
Issue the ip dhcp snooping trust command on all interfaces on SW1, SW2, and SW3.
Issue the ip dhcp snooping trust command on all interfaces on SW1, SW2, and SW3 except interface Fa0/1 on SW1.

7. Which countermeasure can be implemented to determine the validity of an ARP packet, based on the valid MAC-address-to-IP address bindings stored in a DHCP snooping database?
DHCP spoofing
dynamic ARP inspection
CAM table inspection

8. MAC snooping How should unused ports on a switch be configured in order to prevent VLAN hopping attacks?
Configure them with the UDLD feature.
Configure them with the PAgP protocol.
Configure them as trunk ports for the native VLAN 1.
Configure them as access ports and associate them with an unused VLAN.

9.
Refer to the exhibit. Given the configuration on the ALSwitch, what is the end result?
forces all hosts that are attached to a port to authenticate before being allowed access to the network
disables 802.1x port-based authentication and causes the port to allow normal traffic without authenticating the client
enables 802.1x authentication on the port
globally disables 802.1x authentication

10.
Refer to the exhibit. Network policy dictates that security functions should be administered using AAA. Which configuration would create a default login authentication list that uses RADIUS as the first authentication method, the enable password as the second method, and the local database as the final method?
SW-1(config)# aaa new-model
SW-1(config)# radius-server host 10.10.10.12 key secret
SW-1(config)# aaa authentication default group-radius local

SW-1(config)# aaa new-model
SW-1(config)# radius-server host 10.10.10.12 key secret
SW-1(config)# aaa authentication default group-radius enable local

SW-1(config)# aaa new-model
SW-1(config)# radius-server host 10.10.10.12 key secret
SW-1(config)# aaa authentication login default group radius enable local

SW-1(config)# aaa new-model
SW-1(config)# radius server host 10.10.10.12 key secret
SW-1(config)# aaa authentication login default group radius enable local none

SW-1(config)# aaa new-model
SW-1(config)# radius server host 10.10.10.12 key secret
SW-1(config)# aaa authentication login default group-radius enable local none

11.
Refer to the exhibit. A switch is being configured to support AAA authentication on the console connection. Given the information in the exhibit, which three statements are correct? (Choose three.)
The authentication login admin line console command is required.
The login authentication admin line console command is required.
The configuration creates an authentication list that uses a named access list called group as the first authentication method, a TACACS+ server as the second method, the local username database as the third method, the enable password as the fourth method, and none as the last method.
The configuration creates an authentication list that uses a TACACS+ server as the first authentication method, the local username database as the second method, the enable password as the third method, and none as the last method.
The none keyword enables any user logging in to successfully authenticate if all other methods return an error.
The none keyword specifies that a user cannot log in if all other methods have failed.

12. What is one way to mitigate spanning-tree compromises?
Statically configure the primary and backup root bridge.
Implement private VLANs.
Place all unused ports into a common VLAN (not VLAN 1).
Configure MAC address VLAN access maps.

13. What is one way to mitigate ARP spoofing?
Enable dynamic ARP inspection.
Configure MAC address VLAN access maps.
Enable root guard.
Implement private VLANs. Bottom of Form

14. What are two purposes for an attacker launching a MAC table flood? (Choose two.)
to initiate a man-in-the-middle attack
to initiate a denial of service (DoS) attack
to capture data from the network
to gather network topology information
to exhaust the address space available to the DHCP

15.
Refer to the exhibit. After the configuration has been applied to ACSw22, frames that are bound for the node on port FastEthernet 0/1 are periodically being dropped. What should be done to correct the issue?
Add the switchport port-security mac-address sticky command to the interface configuration.
Change the port speed to speed auto with the interface configuration mode.
Use the switchport mode trunk command in the interface configuration.
Remove the switchport command from the interface configuration.

16.
Refer to the exhibit. What is the state of the monitoring session?
This is a remote monitored session.
No data is being sent from the session.
SPAN session number 2 is being used.
The session is only monitoring data sent out Fa0/1.

17. What is the function of the 6500 Network Analysis Module?
monitors traffic on ingress ports
sends TCP resets to an attacker TCP session
gathers multilayer information from data flows that pass through the switch
provides remote monitoring of multiple switches across a switched network

18. What technology can be used to help mitigate MAC address flooding attacks?
root guard
Private VLANs
DHCP snooping
VLAN access maps
Dynamic ARP Inspection

19. What advantage for monitoring traffic flows does using VACLs with the capture option offer over using SPAN?
VLAN ACLs can be used to capture denied traffic.
VLAN ACLs can be used to capture traffic on a spanning-tree blocked port.
VLAN ACLs can be used to capture traffic based on Layer 2, 3, or 4 information.
VLAN ACLs can be used to capture traffic to the CPU separate from the traffic that is hardware switched.

20. What Cisco tool can be used to monitor events happening in the switch?
Embedded Event Manager
Intrusion Prevention System
Network Analysis module
Switched Port Analyzer

21. Which two statements are true about the interface fa0/0.10 command? (Choose two.)
The command applies VLAN 10 to router interface fa0/0.
The command is used in the configuration of router-on-a-stick inter-VLAN routing.
The command configures a subinterface.
The command configures interface fa0/0 as a trunk link.
Because the IP address is applied to the physical interface, the command does not include an IP address.

22. Which three elements must be used when configuring a router interface for VLAN trunking? (Choose three.)
one subinterface per VLAN
one physical interface for each subinterface
one IP network or subnetwork for each subinterface
one trunked link per VLAN
a management domain for each subinterface
a compatible trunking protocol encapsulation for each subinterface

23. Which statement is true about ARP when inter-VLAN routing is being used on the network?
When router-on-a-stick inter-VLAN routing is in use, each subinterface has a separate MAC address to send in response to ARP requests.
When VLANs are in use, the switch responds to ARP requests with the MAC address of the port to which the PC is connected.
When router-on-a-stick inter-VLAN routing is in use, the router returns the MAC address of the physical interface in response to ARP requests.
When traditional inter-VLAN routing is in use, devices on all VLANs use the same physical router interface as their source of proxy ARP responses.

24.
Refer to the exhibit. The commands for a router to connect to a trunked uplink are shown in the exhibit. A packet is received from IP address 192.168.1.54. The packet destination address is 192.168.1.120. What will the router do with this packet?
The router will forward the packet out interface FastEthernet 0/1.1 tagged for VLAN 10.
The router will forward the packet out interface FastEthernet 0/1.2 tagged for VLAN 60.
The router will forward the packet out interface FastEthernet 0/1.3 tagged for VLAN 120.
The router will not process the packet since the source and destination are on the same subnet.
The router will drop the packet since no network that includes the source address is attached to the router.

25.
Refer to the exhibit. R1 is routing between networks 192.168.10.0/28 and 192.168.30.0/28. PC1 can ping R1 interface F0/1, but cannot ping PC3. What is causing this failure?
PC1 and PC3 are not in the same VLAN.
The PC3 network address configuration is incorrect.
The S1 interface F0/11 should be assigned to VLAN30.
The F0/0 and F0/1 interfaces on R1 must be configured as trunks.

26.
Refer to the exhibit. PC1 has attempted to ping PC2 but has been unsuccessful. What could account for this failure?
PC1 and R1 interface F0/0.1 are on different subnets.
The encapsulation is missing on the R1 interface F0/0.
An IP address has not been assigned to the R1 physical interface.
The encapsulation command on the R1 F0/0.3 interface is incorrect.

27. What is important to consider while configuring the subinterfaces of a router when implementing inter-VLAN routing?
The physical interface must have an IP address configured.
The subinterface numbers must match the VLAN ID number.
The no shutdown command must be given on each subinterface.
The IP address of each subinterface must be the default gateway address for each VLAN subnet.

28. A router has two FastEthernet interfaces and needs to connect to four VLANs in the local network. How can this be accomplished using the fewest number of physical interfaces without unnecessarily decreasing network performance?
Implement a router-on-a-stick configuration.
Add a second router to handle the inter-VLAN traffic.
Use a hub to connect the four VLANS with a FastEthernet interface on the router.
Interconnect the VLANs via the two additional FastEthernet interfaces.

29.
Refer to the exhibit. Which two statements are true about the operation of the subinterfaces? (Choose two.)
Incoming traffic that has a VLAN ID of 2 is processed by subinterface fa0/0.2.
Incoming traffic with VLAN ID 0 is processed by interface fa0/0.
Subinterfaces use unique MAC addresses by adding the 802.1Q VLAN ID to the hardware address.
Traffic inbound on this router is processed by different subinterfaces, depending on the VLAN from which the traffic originated.
Reliability of both subinterfaces is poor because ARP is timing out.
Both subinterfaces remain up with line protocol up, even if fa0/0 line protocol is down.

30.
Refer to the exhibit. Port Fa0/0 on router R1 is connected to port Fa0/1 on switch S1. After the commands shown are entered on both devices, the network administrator determines that the devices on VLAN 2 are unable to ping the devices on VLAN 1. What is the likely problem?
R1 is configured for router-on-a-stick, but S1 is not configured for trunking.
R1 does not have the VLANs entered in the VLAN database.
Spanning Tree Protocol is blocking port Fa0/0 on R1.
The subinterfaces on R1 have not been brought up with the no shutdown command yet.

31.
Refer to the exhibit. The network administrator correctly configures RTA to perform inter-VLAN routing. The administrator connects RTA to port 0/4 on SW2, but inter-VLAN routing does not work. What could be the possible cause of the problem with the SW2 configuration?
Port 0/4 is not active.
Port 0/4 is not a member of VLAN1.
Port 0/4 is configured in access mode.
Port 0/4 is using the wrong trunking protocol.

32. What distinguishes traditional routing from router-on-a-stick?
Traditional routing is only able to use a single switch interface. Router-on-a-stick can use multiple switch interfaces.
Traditional routing requires a routing protocol. Router-on-a-stick only needs to route directly connected networks.
Traditional routing uses one port per logical network. Router-on-a-stick uses subinterfaces to connect multiple logical networks to a single router port.
Traditional routing uses multiple paths to the router and therefore requires STP. Router-on-a-stick does not provide multiple connections and therefore eliminates the need for STP.

33.
Refer to the exhibit. Which three statements describe the network design shown in the exhibit? (Choose three.)
This design will not scale easily.
The router merges the VLANs into a single broadcast domain.
This design uses more switch and router ports than are necessary.
This design exceeds the maximum number of VLANs that can be attached to a switch.
This design requires the use of the ISL or 802.1q protocol on the links between the switch and the router.
If the physical interfaces between the switch and router are operational, the devices on the different VLANs can communicate through the router.

34.
Refer to the exhibit. Switch1 is correctly configured for the VLANs that are displayed in the graphic. The configuration that is shown was applied to RTA to allow for interVLAN connectivity between hosts attached to Switch1. After testing the network, the administrator logged the following report:

Hosts within each VLAN can communicate with each other. 
Hosts in VLAN5 and VLAN33 are able to communicate with each other. 
Hosts connected to Fa0/1 through Fa0/5 do not have connectivity to host in other VLANs.

Why are hosts connected to Fa0/1 through Fa0/5 unable to communicate with hosts in different VLANs?
The router interface is shut down.
The VLAN IDs do not match the subinterface numbers.
All of the subinterface addresses on the router are in the same subnet.
The router was not configured to forward traffic for VLAN2.
The physical interface, FastEthernet0/0, was not configured with an IP address.

35. Devices on the network are connected to a 24-port Layer 2 switch that is configured with VLANs. Switch ports 0/2 to 0/4 are assigned to VLAN 10. Ports 0/5 to 0/8 are assigned to VLAN 20, and ports 0/9 to 0/12 are assigned to VLAN 30. All other ports are assigned to the default VLAN. Which solution allows all VLANs to communicate between each other while minimizing the number of ports necessary to connect the VLANs?
Configure ports 0/13 to 0/16 with the appropriate IP addresses to perform routing between VLANs.
Add a router to the topology and configure one FastEthernet interface on the router with multiple subinterfaces for VLANs 1, 10, 20, and 30.
Obtain a router with multiple LAN interfaces and configure each interface for a separate subnet, thereby allowing communication between VLANs.
Obtain a Layer 3 switch and configure a trunk link between the switch and router, and configure the router physical interface with an IP address on the native VLAN.

36.
Refer to the exhibit. What two conclusions can be drawn from the output that is shown? (Choose two.)
The no shutdown command has not been issued on the FastEthernet 0/0 interface.
Both of the directly connected routes that are shown will share the same physical interface of the router.
A routing protocol must be configured on the network in order for the inter-VLAN routing to be successful.
Inter-VLAN routing between hosts on the 172.17.10.0/24 and 172.17.30.0/24 networks is successful on this network.
Hosts in this network must be configured with the IP address that is assigned to the router physical interface as their default gateway.

37.
Refer to the exhibit. All devices are configured as shown in the exhibit. PC2 can successfully ping the F0/0 interface on R1. PC2 cannot ping PC1. What might be the reason for this failure?
R1 interface F0/1 has not been configured for subinterface operation.
S1 interface F0/6 needs to be configured for operation in VLAN10.
S1 interface F0/8 is in the wrong VLAN.
S1 port F0/6 is not in VLAN10.

38. What are the steps which must be completed in order to enable inter-VLAN routing using router-on-a-stick?
Configure the physical interfaces on the router and enable a routing protocol.
Create the VLANs on the router and define the port membership assignments on the switch.
Create the VLANs on the switch to include port membership assignment and enable a routing protocol on the router.
Create the VLANs on the switch to include port membership assignment and configure subinterfaces on the router matching the VLANs.

39. In which situation could individual router physical interfaces be used for InterVLAN routing, instead of a router-on-a-stick configuration?
a network with more than 100 subnetworks
a network with a limited number of VLANs
a network with experienced support personnel
a network using a router with one LAN interface

40. What two statements are true regarding the use of subinterfaces for inter-VLAN routing? (Choose two.)
subinterfaces have no contention for bandwidth
more switch ports required than in traditional inter-VLAN routing
fewer router ports required than in traditional inter-VLAN routing
simpler Layer 3 troubleshooting than with traditional inter-VLAN routing
less complex physical connection than in traditional inter-VLAN routing

Read more ...

CCNAS Final Exam CCNA Security 1.0 2012 100%-CCNAS Final Exam – CCNA Security: Implementing Network Security (Version 1.0) – Answers – 2011 – 2012

1. What will be disabled as a result of the no service password-recovery command ?

aaa new-model global configuration command.
change to the configuration register.
password encryption service.
ability to access ROMmon.
2. What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?
All vty ports are automatically configured for SSH to provide secure management.
The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys mo command.
The keys must be zeroized to reset secure shell before configuring other parameters.
The generated keys can be used by SSH.

3. Which action best describe a MAC address spoofing attack?
altering the MAC address of an attacking host to match that of a legitimate host.
bombarding a switch with fake source MAC addresses.
forcing the election of a rogue root bridge
flooding the LAN with excessive traffic

4. What functionality is provided by Cisco SPAN in a switched network?
It mitigates MAC address overflow attacks.
It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.
It protects the switched network from receiving BPDUs on ports that should not be receiving them.
It inspects voice protocols to ensure that SIP, SCCP, H.323, and MGCP requests conform to voice standards.
It copies traffic that passes through a switch interface and sends the data directly to a syslog or SNMP server for analysis.

5. What precaution should be considered when the no service password–recovery command has been issued on an IOS device?
The passwords in the configuration files are in clear text.
IOS recovery requires a new system flash with the IOS image.
When the password is lost, access to the device will be terminated.
The device must use simple password authentication and cannot have user authentication.

6. A network technician is configuring SNMPv3 and has set a security level of auth. What is the effect of this setting?
Authenticates a packet using the SHA algorithm only.
Authenticates a packet by a string match of the username or community string.
Authenticates a packet by using either the HMAC with MD5 method or the SHA method.
Authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using either the DES, 3DES or AES algorithms.

7.
Refer to the exhibit. Which type of VPN is implemented?
remote-access GRE VPN
remote-access IPsec VPN
remote-access SSL VPN
site-to-site GRE VPN
site-to-site IPsec VPN
site-to-site SSL VPN

8. Router(config)# ntp authenticate
Router(config)# ntp authentication-key 42 md5 aNiceKey
Router(config)# ntp trusted-key 2
Refer to the exhibit. What will be the effect of the commands that are shown on R1?
Authentication with the NTP master will be successful, and R1 will get the time from the NTP master.
Authentication with the NTP master will be successful, but R1 will not get the time from the NTP master.
Authentication with the NTP master will fail, and R1 will get the time from the NTP master.
Authentication with the NTP master will fail, and R1 will not get the time from the NTP master.

9. What login enhancement configuration command helps successive login DoS attacks?
exec-timeout
login block-for
privilege exec level
service password-encryption

10. What are access attacks?
attacks that prevent users from accessing network services
attacks that modify or corrupt traffic as that traffic travels across the network
attacks that exploit vulnerabilities to gain access to sensitive information
attacks that involve the unauthorized discovery and mapping of systems, services, and vulnerability

11. Nov 30 11:00:24 EST: %SYS-5-CONFIG-I: Configured from console by vty0 (10.64.2.2)
Refer to the exhibit. An administrator is examining the message in a syslog server. What can be determined from the message?
This is a notification message for a normal but significant condition
This is an alert message for which immediate action is needed
This is an error message for which warning conditions exist.
This is an error message indicating the system is unusable

12. Which three major subpolicies should comprise a comprehensive security policy that meets the security needs of a typical enterprise? (Choose three)
end-user policies
departmental policies
governing policies
human resource policies
organizational policies
technical policies

13. R1(config)# logging host 10.1.1.17
R1(config)# logging trap errors
R1(config)# logging source-interface loopback 0
R1(config)# logging on
Refer to the exhibit. An administrator has entered the commands that are shown on router R1. At what trap level is the logging function set?
2
3
5
6

14. Which mitigation technique can help prevent MAC table overflow attacks?
root guard
BPDU guard
storm control
switchport security

15. An organization requires that individual users be authorized to issue specific Cisco IOS commands. Which AAA protocols support this requirement?
TACACS+ because it separates authentication and authorization, allowing for more customization.
RADIUS because it supports multiple protocols, including ARA and NetBEUI.
TACACS+ because it supports extensive accounting on a per-user or per-group basis.
RADIUS because it implements authentication and authorization as one process.

16.
Refer to the exhibit. Based on the IPS configuration that is provided, which statement is true?
The signatures in all categories will be retired and not be used by the IPS.
The signatures in all categories will be compiled into memory and used by the IPS.
Only the signatures in the ios_ips basic category will be compiled into memory and used by the IPS.
The signatures in the ios_ips basic category will be retired and the remaining signatures will be compiled into memory and used by the IPS.

17.
Refer to the exhibit. Based on the provided configuration, which traffic will be examined by the IPS that is configured on router R1?
Traffic that is initiated from LAN 1 and LAN 2
http traffic that is initiated from LAN 1
return traffic from the web server
traffic that is destined to LAN 1 and LAN 2
no traffic will be inspected

18.
Refer to the exhibit. An administrator is configuring ZPF using the SDM Basic Firewall Configuration wizard. Which command is generated after the administrator selects the Finish button?
zone security Out-zone on interface Fa0/0
zone security Out-zone on interface S0/0/0
zone member security Out-zone on interface Fa0/0
zone member security Out-zone on interface s0/0/0

19. Which two statements describe appropriate general guidelines for configuring and applying ACLs? (Choose two)
Multiple ACLs per protocol and per direction can be applied to an interface.
If an ACL contains no permit statements, all traffic is denied by default.
The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.
Standard ACLs are placed closest to the source, whereas Extended ACLs are placed closest to the destination.
If a single ACL is to be applied to multiple interfaces, it must be configured with a unique number for each interface.

20. Which three statements are characteristics of the IPsec protocol? (Choose three)
IPsec is a framework of open standards.
IPsec is implemented at Layer 4 of the OSI model.
IPsec ensures data integrity by using a hash algorithm.
IPsec uses digital certificates to guarantee confidentiality
IPsec is bound to specific encryption algorithms, such as 3DES and AES.
IPsec authenticates users and devices that communicate independently.

21. Which three additional precautions should be taken when remote access is required in addition to local access of networking devices? (Choose three)
A legal notice should not be displayed when access is obtained.
All activity to the specified ports that are required for access should be unrestricted.
All configuration activities should required the use of SSH or HTTPS.
All administrative traffic should be dedicated to the management network.
The number of failed login attempts should not be limited, but the time between attempts should.
Packet filtering should be required so that only identified administration hosts and protocols can gain access.

22. Which statement describes a factor to be considered when configuring a zone-based policy firewall?
An interface can belong to multiple zones.
The router always filters the traffic between interfaces in the same zone.
The CBAC ip inspect command can coexist with ZPF as long as it is used on interfaces that are in the same security zones.
A zone must be configured with the zone security global command before it can be used in the zone-member security command.

23. What is a result of securing the Cisco IOS image using the Cisco IOS Resilient Configuration feature?
The Cisco IOS image file is not visible in the output of the show flash command.
The Cisco IOS image is encrypted and then automatically backed up to a TFTP server.
The Cisco IOS image is encrypted and then automatically backed up to the NVRAM.
When the router boots up, the Cisco IOS image is loaded from a secure FTP location

24. What are three common examples of AAA implementation on Cisco routers? (Choose three)
Authenticating administrator access to the router console port, and vty ports
Authenticating remote users who are accessing the corporate LAN through IPsec VPN connections
Implementing public key infrastructure to authenticate and authorize IPsec VPN peers using digital certificates
Implementing command authorization with TACACS+
Securing the router by locking down all unused services
Tracking Cisco Netflow accounting statistics

25. When port security is enabled on a Cisco Catalyst switch, what is the default action when the maximum number of allowed MAC addresses is exceeded?
The violation mode for the port is set to restrict.
The MAC address table is cleared, and the new MAC address is entered into the table.
The port remains enabled, but the bandwidth is throttled until the old MAC addresses are aged out.
The port is shut down.

27. Which three statements describe the IPsec protocol framework? (Choose three)
AH uses IP protocol 51.
AH provides encryption and integrity.
AH provides integrity and authentication.
ESP uses UDP protocol 50.
ESP requires both authentication and encryption.
ESP provides encryption, authentication, and integrity.

28. Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
There is no access control to specific interfaces on a router.
The root user must be assigned to each privilege level defined.
Commands set on a higher privilege level are not available for lower privileged users
Views are required to define the CLI commands that each user can access.
Creating a user account that needs access to most but not all commands can be a tedious process
It is required that all 16 privilege levels be defined, whether they are used

29. Which Cisco IOS configuration option instructs the IPS to compile a signature category named ios_ips into memory and use it to scan traffic?
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired false

R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false

R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# enabled true

R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# enabled true

30.
Refer to the exhibit. An administrator has configured router R1 as indicated. However, SDEE messages fail to log. Which solution corrects this problem?
Issue the logging on command in global configuration.
Issue the ip ips notify sdee command in global configuration.
Issue the ip audit notify log command in global configuration.
Issue the clear ip ips sdee events command to clear the SDEE buffer.

31. Which three principles are enabled by a Cisco Self-Defending Network? (Choose three.)
adaptability
collaboration
insulation
integration
mitigation
scalability

32. What are two disadvantages of using network IPS?(Choose two.)
Network IPS has a difficult time reconstructing fragmented traffic to determine if an attack was successful.
Network IPS is incapable of examining encrypted traffic.
Network IPS is operating system-dependent and must be customized for each platform.
Network IPS is unable to provide a clear indication of the extent to which the network is being attacked.
Network IPS sensors are difficult to deploy whennew networks are added.

33. Which access list statement permits HTTP traffic that is sourced from host 10.1.129.100 port 4300 and destined to host 192.168.30.10?
access-list 101 permit tcp any eq 4300
access-list 101 permit tcp 192.168.30.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.30.10 0.0.0.0 eq www
access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www
access-list 101 permit tcp host 192.168.30.10 eq 80 10.1.0.0 0.0.255.255 eq 4300

34. Which type of SDM rule is created to govern the traffic that can enter and leave the network based on protocol and port number?
NAC rule
NAT rule
IPsec rule
access rule

35.
Refer to the exhibit. When configuring SSH on a router using SDM from the Configure menu, which two steps are required? (Choose two.)
Choose Additional Tasks > Router Access > SSH to generate the RSA keys.
Choose Additional Tasks > Router Access > VTY to specify SSH as the input and output protocol.
Choose Additional Tasks > Router Properties > Netflow to generate the RSA keys.
Choose Additional Tasks > Router Properties > Logging to specify SSH as the input and output protocol.
Choose Additional Tasks > Router Access > AAA to generate the RSA keys.
Choose Additional Tasks > Router Access > Management Access to specify SSH as the input and output protocol

36.
Refer to the exhibit. Which two statements are correct regarding the configuration on switch S1? (Choose two.)
Port Fa0/5 storm control for broadcasts will be activated if traffic exceeds 80.1 percent of the total bandwidth.
Port Fa0/6 storm control for multicasts and broadcasts will be activated if traffic exceeds 2,000,000 packets per second.
Port Fa0/6 storm control for multicasts will be activated if traffic exceeds 2,000,000 packets per second.
Port Fa0/5 storm control for multicasts will be activated if traffic exceeds 80.1 percent of the total bandwidth.
Port Fa0/5 storm control for broadcasts and multicasts will be activated if traffic exceeds 80.1 percent of 2,000,000 packets per second.

37.
Refer to the exhibit. Which three things occur if a user attempts to log in four times within 10 seconds using an incorrect password? (Choose three.)
Subsequent virtual login attempts from the user are blocked for 60 seconds.
During the quiet mode, an administrator can virtually log in from any host on network 172.16.1.0/24.
Subsequent console login attempts are blocked for 60 seconds.
A message is generated indicating the username and source IP address of the user.
During the quiet mode, an administrator can log in from host 172.16.1.2.
No user can log in virtually from any host for 60 seconds.

38. Which type of Layer 2 attack makes a host appear as the root bridge for a LAN?
LAN storm
MAC address spoofing
MAC address table overflow
STP manipulation
VLAN attack

39. What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?
All vty ports are automatically configured for SSH to provide secure management.
The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys mo command.
The keys m
ust be zeroized to reset secure shell before configuring other parameters.
The generated keys can be used by SSH.

40. An organization has mobile workers who usecorporate-owned laptops at customer sites to view inventory and place orders.Which type of VPN allows these workers to securely access all of theclient/server applications of the organization?
clientless SSL VPN
remote-access IPsec VPN
site-to-site IPsec VPN
HTTPS-enabled SSL VPN

41. Which two guidelines relate to in-band networkmanagement? (Choose two.)
Apply in-band management only to devices that must be managed on the production network.
Implement separate network segments for the production network and the management network.
Attach all network devices to the same management network.
Use IPSec, SSH,or SSL

42. Which three commands are required to configure SSH ona Cisco router? (Choose three.)
ip domain-name name in global configuration mode
transport input ssh on a vty line
no ip domain-lookup in global configuration mode
passwordpassword on a vty line
service password-encryption in global configuration mode
crypto keygenerate rsa in global configuration mode

43. Anadministrator needs to create a user account with custom access to most privileged EXEC commands. Which privilege command is used to create this custom account?
privilege exec level 0
privilege exec level 1
privilege exec level 2
privilege exec level 15

44.
Refer to the exhibit. An administrator has configureda standard ACL on R1 and applied it to interface serial 0/0/0 in the outbounddirection. What happens to traffic leaving interface serial 0/0/0 that does notmatch the configured ACL statements?
The resulting action is determined by the destination IP address.
The resulting action is determined by the destination IP address and portnumber.
The source IP address is checked and, if a match is not found, traffic isrouted out interface serial 0/0/1.
The traffic is dropped

45. Which statement describes configuring ACLs to controlTelnet traffic destined to the router itself?
The ACL must be applied to each vty line individually.
The ACL is applied to the Telnet port with the ip access-group command.
Apply the ACL to the vty lines without thein orout option required when applying ACLs to interfaces.
The ACL should be applied to all vty lines in thein direction to prevent anunwanted user from connecting to an unsecured port.

46. Which three statements describe SSL-based VPNs? (Choose three.)
A symmetric algorithms are used for authentication and key exchange.
It is impossible to configure SSL and IPsec VPNs concurrently on the samerouter.
Special-purpose client software is required on the client machine.
Symmetric algorithms are used for bulk encryption.
The authentication process uses hashing technologies.
The application programming interface is used to extensively modify the SSLclient software.
The primary restriction of SSL VPNs is that they are currently supported onlyin hardware.

47.
Refer to the exhibit. What information can be obtained from the AAAconfiguration statements?
The authentication method list used for Telnet is named ACCESS.
The authentication method list used by the consoleport is named ACCESS.
The local database is checked first whenauthenticating console and Telnet access to the router.
If the TACACS+ AAA server is not available, nousers can establish a Telnet session with the router.
If the TACACS+ AAA server is not available, consoleaccess to the router can be authenticated using the local database.

48. Which two Cisco IPSmanagement and monitoring tools are examples of GUI-based, centrally managedIPS solutions? (Choose two.)
Cisco Adaptive Security Device Manager
Cisco IPS Device Manager
Cisco Router and Security Device Manager
Cisco Security Manager
Cisco Security Monitoring, Analysis, and Response System.

49.
Refer to the exhibit.Which AAA function and protocol is in use in the network?
The client is authorizing commands using the TACACS+protocol.
The client is authorizing commands using the RADIUS protocol.
The client is authenticating using the RADIUS protocol.
The client is authenticating using the TACACS+protocol

50. Which three OSI layers can be filtered by a stateful firewall? (Choose three.)
Layer 2
Layer 3
Layer 4
Layer 5
Layer 6
Layer 7

51.
Refer to the exhibit. Based on the SDM screenshown, which two actions will the signature take if an attack is detected?(Choose two.)
Reset the TCP connection to terminate the TCP flow.
Drop the packet and all future packets from thisTCP flow.
Generatean alarm message that can be sent to a syslog server.
Drop the packet and permit remaining packets from this TCP flow.
Create an ACL that denies traffic from the attacker IP address.

52. Which three switch security commands are required to enable port security on a portso that it will dynamically learn a single MAC address and disable the port if a host with any other MAC address is connected? (Choose three.)
switchport mode access
switchport mode trunk
switchportport-security
switchport port-security maximum 2
switchportport-security mac-address sticky
switchport port-security mac-addressmac-address

53. Whichstatement describes the SDM Security Audit wizard?
After the wizard identifies the vulnerabilities, theSDM One-Step Lockdown feature must be used to make all security-relatedconfiguration changes.
After the wizardidentifies the vulnerabilities, it automatically makes all security-relatedconfiguration changes.
The wizard autosenses the inside trusted and outside untrusted interfaces todetermine possible security problems that might exist.
The wizard is based on the Cisco IOS AutoSecure feature.
The wizard is enabled using the Intrusion Prevention task.

54. Which component of AAA is used to determine which resources a user canaccess and which operations the user is allowed to perform?
Auditing
accounting
authorization
authentication

55. Which two protocols allow SDM to gather IPS alertsfrom a Cisco ISR router? (Choose two.)
FTP
HTTPS
SDEE
SSH
Syslog
TFTP

56.
Refer to the exhibit. Which AAA command logs the activity of a PPP session?
aaa accounting connection start-stop group radius
aaa accounting connection start-stop group tacacs+
aaa accounting exec start-stop group radius
aaa accounting exec start-stop group tacacs+
aaa accounting network start-stop group radius
aaa accounting network start-stop group tacacs+

57.What is a feature of the TACACS+ protocol?
It combines authentication and authorization as oneprocess.
It encrypts theentire body of the packet for more secure communications.
It utilizes UDP to provide more efficient packet transfer.
It hides passwords during transmission using PAP and sends the rest of thepacket in plain text.

58.
Refer to the exhibit. Which interface configuration completes the CBACconfiguration on router R1?
R1(config)# interface fa0/0
R1(config-if)# ip inspect INSIDE in
R1(config-if)# ip access-group OUTBOUND in

R1(config)# interface fa0/1
R1(config-if)# ip inspect INSIDE in
R1(config-if)# ip access-group OUTBOUND in

R1(config)# interface fa0/1
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)# ip access-group INSIDE out

R1(config)# interface fa0/0
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)# ip access-group INSIDE in

R1(config)#interface fa0/1
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)#ip access-group INSIDE in

59.
Refer to the exhibit. Which Cisco IOS security feature is implemented onrouter R2?
CBAC firewall
reflexive ACL firewall
zone-based policy firewall
AAA access control firewall

60.Which Cisco IOS privileged EXEC command can be used to verify that theCisco IOS image and configuration files have been properly backed up and secured?
Router# dir
Router# show archive
Router# show secure bootset
Router# show flash

61.Which device supports the use of SPAN to enable monitoring of malicious activity?
Cisco NAC
Cisco IronPort
Cisco Security Agent
Cisco Catalyst switch

62.Which three statements describe zone-based policyfirewall rules that govern interface behavior and the traffic moving betweenzone member interfaces? (Choose three.)
An interface can be assigned to multiple securityzones.
Interfaces can be assigned to a zone before the zone is created.
Pass, inspect,and drop options can only be applied between two zones.
If traffic is to flow between all interfaces in arouter, each interface must be a member of a zone.
Traffic is implicitly prevented from flowing by default among interfaces thatare members of the same zone.
To permit traffic to and from a zone member interface, a policy allowing orinspecting traffic must be configured between that zone and any other zone.

63.
Refer to the exhibit. Based on the SDM screen shown, which twoconclusions can be drawn about the IKE policy being configured? (Choose two.)
It will use digital certificates for authentication.
It will use apredefined key for authentication.
It will use a very strong encryption algorithm.
It will be the default policy with the highest priority.

64.The use of 3DES within the IPsec framework is anexample of which of the five IPsec building blocks?
authentication
confidentiality
Diffie-Hellman
integrity
nonrepudiation

65.Which statement describes the operation of the IKE protocol?
It uses IPsec to establish the key exchange process.
It uses sophisticated hashing algorithms to transmit keys directly across a network.
It calculates shared keys based on the exchange of a series of data packets.
It uses TCP port 50 to exchange IKE information between the security gateways

66.Which three types of views are available when configuring the Role-BasedCLI Access feature? (Choose three.)
superuser view
root view
superview
CLI view
admin view
config view

67.Which statement describes a MAC address table overflow attack?
An attacker alters the MAC address in a frame to matchthe address of a target host.
Frames flood the LAN, creating excessive traffic and degrading network performance.
The attacking host broadcasts STP configuration and topology change BPDUs to force spanning-tree recalculations.
A software tool floods a switch with frames containing randomly generated sourceand destination MAC and IP addresses.

68.When configuring a class map for zone-based policy firewall, how are thematch criteria applied when using the match-all parameter?
Traffic must match all of the match criteria specified in the statement.
Traffic must match the first criteria in the statement.
Traffic must match at least one of the match criteria statements.
Traffic must match according to an exclusive disjunction criteria.

69.Which three statements describe limitations in using privilege levelsfor assigning command authorization? (Choose three.)
There is no access control to specific interfaces on a router.
The root user must be assigned to each privilege level defined.
Commands set on a higher privilege level are not available for lower privileged users.
Views are required to define the CLI commands that each user can access.
Creating a user account that needs access to most but not all commands can be a tediousprocess.
It is required that all 16 privilege levels be defined, whether they are usedor not.

70.What is an important difference between network-based and host-basedintrusion prevention?
Host-based IPS is more scalable than network-basedIPS.
Host-based IPS can work in promiscuous mode or inline mode.
Network-based IPS is better suited for inspection of SSL and TLS encrypted dataflows.
Network-based IPS provides better protection against OS kernel-level attacks onhosts and servers.
Network-basedIPS can provide protection to hosts without the need of installing specializedsoftware on each one.

71.
Refer to the exhibit. Based on the output from the show secure bootset command on router R1, which three conclusions can be drawn regarding Cisco IOS Resilience? (Choose three.)
A copy of the Cisco IOS image file has been made.
A copy of the router configuration file has been made.
The Cisco IOS image file is hidden and cannot be copied, modified, or deleted.
The Cisco IOS image filename will be listed when the show flash command isissued on R1.
The copy tftp flash command was issued on R1.
The secure boot-config command was issued on R1.

72.Which element ofthe Cisco Threat Control and Containment solution defends against attempts toattack servers by exploiting application and operating system vulnerabilities?
threat control for email
threat control for endpoints
threat controlfor infrastructure
threat control for systems

73.
Refer to the exhibit. Based on the SDM NTP Server Details screen, which two conclusions can be drawn from the information entered and check boxes checked? (Choose two.)
NTPv1 is being configured.
The IP address of the NTP server is 10.1.1.2.
The IP address of the NTP client is 10.1.1.2.
NTP messages will be sent and received on interface Serial0/0/0 for this router.
NTP routing updates will be sent and received on interface Serial0/0/0 of the NTP server.

74.Which two statements match a type of attack with an appropriate example?(Choose two.)
To conduct an access attack, an attacker uses L0phtCrack to obtain a Windows server password.
To conduct an access attack, an attacker uses Wireshark to capture interesting network traffic.
To conduct a reconnaissance attack, an attacker initiates a ping of death attack to a targeted server.
To conduct a DoS attack, an attacker uses handler systems and zombies to obtain a Windows server password.
To conducta DoS attack, an attacker initiates a smurf attack by sending a large number ofICMP requests to directed broadcast addresses.
To conduct a reconnaissance attack, an attacker creates a TCP SYN flood causing the server to spawn many half-open connections and become unresponsive.

75.The use of which two options are required for IPsec operation? (Choosetwo.)
AH protocols for encryption and authentication
Diffie-Hellmanto establish a shared-secret key
IKE to negotiate the SA
PKI for pre-shared-key authentication
SHA for encryption

76.Which three security services are provided by digital signatures? (Choose three.)
authenticatesthe source
authenticates the destination
guarantees data has not changed in transit
provides nonrepudiation of transactions
provides nonrepudiation using HMAC functions
provides confidentiality of digitally signed data

77.Which three statements should be considered when applying ACLs to aCisco router? (Choose three.)
Place generic ACL entries at the top of the ACL.
Place more specific ACL entries at the top of the ACL.
Router-generated packets pass through ACLs on the router without filtering.
ACLs always search for the most specific entry before taking any filtering action.
A maximum of three IP access lists can be assigned to an interface perdirection (in or out).
An access list applied to any interface without a configured ACL allows all traffic to pass.

78.Which consideration is important when implementing syslog in a network?
Enable the highest level of syslog available to ensurelogging of all possible event messages.
Log all messages to the system buffer so that they can be displayed whenaccessing the router.
Synchronizeclocks on all network devices with a protocol such as Network Time Protocol.
UseSSH to access syslog information.

Read more ...

CCNAS Chapter 9 CCNA Security 1.0 2012 100%-CCNAS Chapter 9 – CCNA Security: Implementing Network Security (Version 1.0) – Answers – 2011 – 2012

1. Which three statements describe ethics in network security? (Choose three.)

principles put into action in place of laws
foundations for current laws
set of moral principles that govern civil behavior
standard that is higher than the law
set of regulations established by the judiciary system
set of legal standards that specify enforceable actions when the law is broken

2. Which component of the security policy lists specific websites, newsgroups, or bandwidth-intensive applications that are not allowed on the company network?
remote access policies
acceptable use policies
incident handling procedures
identification and authentication policies

3. What are the two components in the Cisco Security Management Suite? (Choose two.)
Cisco Intrusion Prevention
Cisco Network Admission Control
Cisco Security Agent
Cisco Security Manager
Cisco Security MARS

4. Which statement could be expected to be included in a Code of Ethics that is related to IT and network security?
Employees breaching the Code of Ethics will be prosecuted to the full extent of the law.
Application of the Code of Ethics to use of the network is at the discretion of the employee.
Employees with greater than 5 years of service can claim exemption from provisions of the Code of Ethics.
The network is to be used by employees to provide diligent and competent services to the organization.

5. Which two Cisco Threat Control and Containment technologies address endpoint security? (Choose two.)
Cisco Application Control Engine
Cisco Network Admission Control
Cisco Security Agent
Cisco Security Monitoring, Analysis, and Response System
virtual private network

6. What are three key principles of a Cisco Self-Defending Network? (Choose three.)
adaptability
authentication
collaboration
confidentiality
integration
integrity

7. Which security services, available through the Cisco Self-Defending Network, include VPN access?
secure communications
threat control and containment
operational control and policy management
application control for infrastructure

8. What three areas should be considered when designing a network security policy? (Choose three.)
remote access
network maintenance
service level agreement
network quality of service
network equipment provider
identification and authentication

9. What are the two major elements of the Cisco Secure Communications solution? (Choose two.)
secure communications for extranets
secure communications for intranets
secure communications for management
secure communications for remote access
secure communications for site-to-site connections

10. Which term describes a completely redundant backup facility, with almost identical equipment to the operational facility, that is maintained in the event of a disaster?
backup site
cold site
hot site
reserve site

11. Which three detailed documents are used by security staff for an organization to implement the security policies? (Choose three.)
asset inventory
best practices
guidelines
procedures
risk assessment
standards

12. What is a feature of an effective network security training program?
Participation in the network security training is voluntary.
Employee groups are identified and the training is customized to their needs.
All employees become trained in the design and implementation of secure networks.
Training for all employees covers the full scope of security issues related to the organization.

13. What is a design feature of a secure network life cycle management process?
Security is considered once the network is fully operational.
Security is purposefully included in every phase of the system development life cycle.
Security requirements are assessed and fully implemented in the initiation phase of the system development life cycle.
Security cost and reporting considerations are determined in the operations and maintenance phase of the system development life cycle.

14. What are the two major components of a security awareness program? (Choose two.)
awareness campaign
security policy development
security solution development
self-defending network implementation
training and education

15. Which three documents comprise the hierarchical structure of a comprehensive security policy for an organization? (Choose three.)
backup policy
backup policy
server policy
incident policy
governing policy
end-user policy
technical policy

16. When an organization implements the two-person control principle, how are tasks handled?
A task requires two individuals who review and approve the work of each other.
A task is broken down into two parts, and each part is assigned to a different individual.
A task must be completed twice by two operators who must achieve the same results.
A task is rotated among individuals within a team, each completing the entire task for a specific amount of time.

17. Which network security test requires a network administrator to launch an attack within the network?
network scan
password crack
penetration test
vulnerability scan

18. Which principle of the Cisco Self-Defending Network emphasizes that security should be built in?
adapt
collaborate
integrate
simplify

19.
Refer to the exhibit. When implementing the Cisco Self-Defending Network, which two technologies ensure confidentiality when referring to secure communications? (Choose two.)
Cisco NAC appliances and Cisco Security Agent
Cisco Security Manager
Cisco Security Monitoring, Analysis, and Response System
Intrusion Prevention System
IPsec VPN
SSL VPN

20. Which security document includes implementation details, usually with step-by-step instructions and graphics?
guideline document
standard document
procedure document
overview document

21. What is the primary focus of network operations security?
to design and develop secure application code
to support deployment and periodic maintenance of secure systems
to conduct regular employee background checks
to reprimand personnel who do not adhere to security policies

22. Which type of analysis uses a mathematical model that assigns a monetary figure to the value of assets, the cost of threats being realized, and the cost of security implementations?
Qualitative Risk Analysis
Quantitative Risk Analysis
Qualitative Asset Analysis
Quantitative Continuity Analysis

Read more ...

CCNAS Chapter 7 CCNA Security 1.0 2012 100%-CCNAS Chapter 7 – CCNA Security: Implementing Network Security (Version 1.0) – Answers – 2011 – 2012

1. Which symmetrical encryption algorithm is the most difficult to crack?

3DES
AES
DES
RSA
SHA

2. What is the basic method used by 3DES to encrypt plaintext?
The data is encrypted three times with three different keys.
The data is encrypted, decrypted, and encrypted using three different keys.
The data is divided into three blocks of equal length for encryption.
The data is encrypted using a key length that is three times longer than the key used for DES.

3. What does it mean when a hashing algorithm is collision resistant?
Exclusive ORs are performed on input data and produce a digest.
It is not feasible to compute the hash given the input data.
It uses a two-way function that computes a hash from the input and output data.
Two messages with the same hash are unlikely to occur.

4. Which three primary functions are required to secure communication across network links? (Choose three.)
accounting
anti-replay protection
authentication
authorization
confidentiality
integrity

5. Which two encryption algorithms are commonly used to encrypt the contents of a message? (Choose two.)
3DES
AES
IPsec
PKI
SHA

6. Which statement describes asymmetric encryption algorithms?
They include DES, 3DES, and AES.
They have key lengths ranging from 80 to 256 bits.
They are also called shared-secret key algorithms.
They are relatively slow because they are based on difficult computational algorithms.

7. Which statement describes the use of keys for encryption?
The sender and receiver must use the same key when using symmetric encryption.
The sender and receiver must use the same key when using asymmetric encryption.
The sender and receiver must use the same keys for both symmetric and asymmetric encryption.
The sender and receiver must use two keys: one for symmetric encryption and another for asymmetric encryption.

8. How do modern cryptographers defend against brute-force attacks?
Use statistical analysis to eliminate the most common encryption keys.
Use an algorithm that requires the attacker to have both ciphertext and plaintext to conduct a successful attack.
Use a keyspace large enough that it takes too much money and too much time to conduct a successful attack.
Use frequency analysis to ensure that the most popular letters used in the language are not used in the cipher message.

9.
Refer to the exhibit. Which type of cipher method is depicted?
Caesar cipher
stream cipher
substitution cipher
transposition cipher

10. Which statement describes a cryptographic hash function?
A one-way cryptographic hash function is hard to invert.
The output of a cryptographic hash function can be any length.
The input of a cryptographic hash function has a fixed length.
A cryptographic hash function is used to provide confidentiality.

11. A customer purchases an item from an e-commerce site. The e-commerce site must maintain proof that the data exchange took place between the site and the customer. Which feature of digital signatures is required?
authenticity of digitally signed data
integrity of digitally signed data
nonrepudiation of the transaction
confidentiality of the public key

12. Which encryption protocol provides network layer confidentiality?
IPsec protocol suite
Keyed MD5
Message Digest 5
Secure Sockets Layer
Secure Hash Algorithm 1
Transport Layer Security

13. Which statement is a feature of HMAC?
HMAC is based on the RSA hash function.
HMAC uses a secret key that is only known to the sender and defeats man-in-the-middle attacks.
HMAC uses a secret key as input to the hash function, adding authentication to integrity assurance.
HMAC uses protocols such as SSL or TLS to provide session layer confidentiality.

14. The network administrator for an e-commerce website requires a service that prevents customers from claiming that legitimate orders are fake. What service provides this type of guarantee?
authentication
confidentiality
integrity
nonrepudiation

15. What is a characteristic of the RSA algorithm?
RSA is much faster than DES.
RSA is a common symmetric algorithm.
RSA is used to protect corporate data in high-throughput, low-latency environments.
RSA keys of 512 bits can be used for faster processing, while keys of 2048 bits can be used for increased securit

16.
Refer to the exhibit. Which encryption algorithm is described in the exhibit?
3DES
AES
DES
RC4
SEAL

17. An administrator requires a PKI that supports a longer lifetime for keys used for digital signing operations than for keys used for encrypting data. Which feature should the PKI support?
certificate keys
nonrepudiation keys
usage keys
variable keys

18. Which two statements correctly describe certificate classes used in the PKI? (Choose two.)
A class 0 certificate is for testing purposes.
A class 0 certificate is more trusted than a class 1 certificate.
The lower the class number, the more trusted the certificate.
A class 5 certificate is for users with a focus on verification of email.
A class 4 certificate is for online business transactions between companies.

19. Two users must authenticate each other using digital certificates and a CA. Which option describes the CA authentication procedure?
The CA is always required, even after user verification is complete.
The users must obtain the certificate of the CA and then their own certificate.
After user verification is complete, the CA is no longer required, even if one of the involved certificates expires.
CA certificates are retrieved out-of-band using the PSTN, and the authentication is done in-band over a network.

20. Why is RSA typically used to protect only small amounts of data?
The keys must be a fixed length.
The public keys must be kept secret.
The algorithms used to encrypt data are slow.
The signature keys must be changed frequently.

21. Which algorithm would provide the best integrity check for data that is sent over the Internet?
MD5
SHA-1
SHA-2
3DES

22. Which characteristic of security key management is responsible for making certain that weak cryptographic keys are not used?
verification
exchange
generation
revocation and destruction

Read more ...

CCNAS Chapter 8 CCNA Security 1.0 2012 100%-CCNAS Chapter 8 – CCNA Security: Implementing Network Security (Version 1.0) – Answers – 2011 – 2012

1. Which IPsec protocol should be selected when confidentiality is required?

tunnel mode
transport mode
authentication header
encapsulating security payload
generic routing encapsulation

2. When using ESP tunnel mode, which portion of the packet is not authenticated?
ESP header
ESP trailer
new IP header
original IP header.

3. When configuring an IPsec VPN, what is used to define the traffic that is sent through the IPsec tunnel and protected by the IPsec process?
crypto map
crypto ACL
ISAKMP policy
IPsec transform set.

4.
Refer to the exhibit. Which two IPsec framework components are valid options when configuring an IPsec VPN on a Cisco ISR router? (Choose two.)
Integrity options include MD5 and RSA.
IPsec protocol options include GRE and AH.
Confidentiality options include DES, 3DES, and AES.
Authentication options include pre-shared key and SHA.
Diffie-Hellman options include DH1, DH2, and DH5..

5.
Refer to the exhibit. Based on the SDM screen, which Easy VPN Server component is being configured?
group policy
transform set
IKE proposal
user authentication.

6.
Refer to the exhibit. Under the ACL Editor, which option is used to specify the traffic to be encrypted on a secure connection?
Access Rules
IPsec Rules
Firewall Rules
SDM Default Rules.

7. What are two authentication methods that can be configured using the SDM Site-to-Site VPN Wizard? 
(Choose two.)
MD5
SHA
pre-shared keys
encrypted nonces
digital certificates.

8.
Refer to the exhibit. A site-to-site VPN is required from R1 to R3. The administrator is using the SDM Site-to-Site VPN Wizard on R1. Which IP address should the administrator enter in the highlighted field?
10.1.1.1
10.1.1.2
10.2.2.1
10.2.2.2
192.168.1.1
192.168.3.1.

9. What is required for a host to use an SSL VPN?
VPN client software must be installed.
A site-to-site VPN must be preconfigured.
The host must be in a stationary location.
A web browser must be installed on the host.

10. Which two statements accurately describe characteristics of IPsec? (Choose two.)
IPsec works at the application layer and protects all application data.
IPsec works at the transport layer and protects data at the network layer.
IPsec works at the network layer and operates over all Layer 2 protocols.
IPsec is a framework of proprietary standards that depend on Cisco specific algorithms.
IPsec is a framework of standards developed by Cisco that relies on OSI algorithms.
IPsec is a framework of open standards that relies on existing algorithms..

11. When configuring a site-to-site IPsec VPN using the CLI, the authentication pre-share command is configured in the ISAKMP policy. Which additional peer authentication configuration is required?
Configure the message encryption algorithm with the encryptiontype ISAKMP policy configuration command.
Configure the DH group identifier with the groupnumber ISAKMP policy configuration command.
Configure a hostname with the crypto isakmp identity hostname global configuration command.
Configure a PSK with the crypto isakmp key global configuration command..

12. Which action do IPsec peers take during the IKE Phase 2 exchange?
exchange of DH keys
negotiation of IPsec policy
verification of peer identity
negotiation of IKE policy sets.

13.
Refer to the exhibit. A network administrator is troubleshooting a GRE VPN tunnel between R1 and R2. Assuming the R2 GRE configuration is correct and based on the running configuration of R1, what must the administrator do to fix the problem?
change the tunnel source interface to Fa0/0
change the tunnel destination to 192.168.5.1
change the tunnel IP address to 192.168.3.1
change the tunnel destination to 209.165.200.225
change the tunnel IP address to 209.165.201.1.

14. When verifying IPsec configurations, which show command displays the encryption algorithm, hash algorithm, authentication method, and Diffie-Hellman group configured, as well as default settings?
show crypto map
show crypto ipsec sa
show crypto isakmp policy
show crypto ipsec transform-set.

15. With the Cisco Easy VPN feature, which process ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client?
Cisco Express Forwarding
Network Access Control
On-Demand Routing
Reverse Path Forwarding
Reverse Route Injection.

16. Which statement describes an important characteristic of a site-to-site VPN?
It must be statically set up.
It is ideally suited for use by mobile workers.
It requires using a VPN client on the host PC.
It is commonly implemented over dialup and cable modem networks.
After the initial connection is established, it can dynamically change connection information..

17. What is the default IKE policy value for authentication?
MD5
SHA
RSA signatures
pre-shared keys
RSA encrypted sconces.

18. Which requirement necessitates using the Step-by-Step option of the SDM Site-to-Site VPN wizard instead of the Quick Setup option?
AES encryption is required.
3DES encryption is required.
Pre-shared keys are to be used.
The remote peer is a Cisco router.
The remote peer IP address is unknown..

19. How many bytes of overhead are added to each IP packet while it is transported through a GRE tunnel?
8
16
24
32.

20. What are two benefits of an SSL VPN? (Choose two.)
It supports all client/server applications.
It supports the same level of cryptographic security as an IPsec VPN.
It has the option of only requiring an SSL-enabled web browser.
The thin client mode functions without requiring any downloads or software.
It is compatible with DMVPNs, Cisco IOS Firewall, IPsec, IPS, Cisco Easy VPN, and NAT..

21. Which UDP port must be permitted on any IP interface used to exchange IKE information between security gateways?
400
500
600
700

22. A network administrator is planning to implement centralized management of Cisco VPN devices to simplify VPN deployment for remote offices and teleworkers. Which Cisco IOS feature would provide this solution?
Cisco Easy VPN
Cisco VPN Client
Cisco IOS SSL VPN
Dynamic Multipoint VPN

23. A user launches Cisco VPN Client software to connect remotely to a VPN service. What does the user select before entering the username and password?
the SSL connection type
the IKE negotiation process
the desired preconfigured VPN server site
the Cisco Encryption Technology to be applied

Read more ...