Cisco CCNA Security all exams
CiQu
1. Wor
2. W
3. Us
apdis
4. W
5. W
isco Cuestions
What are the der?
paralyze
probe, ppenetratpersist,
Which two arThey alwa
They attemThey are dThey are c
Examples
sers report tppearing on splaying the
An
A A Th
What are thre
buffer oping sw
port red
trust export scaInternet
What occurs d
One devicLarge amounavailablImproperlsystem to A programmalicious
CCNAand an
basic phase
e, probe, pepenetrate, pete, persist, ppropagate,
re characterays precede mpt to compdifficult to ccommonly linclude sm
to the helpdtheir compuese random n access attavirus has inDoS attack
he computer
ee types of aoverflow
weep direction xploitation an t informatio
during a spoce falsifies dounts of netle to intendely formattedcrash.
m writes datcode.
A Secunswers 1
es of attack
enetrate, perersist, propapropagate, pparalyze, pr
istics of Doaccess atta
promise theconduct andlaunched wi
murf attacks
desk that icouter screensgraphics?
ack has occnfected the ck has been lars are subjec
access attack
on query
oofing attacdata to gain twork trafficed users.
d packets ar
ta beyond th
rity, c100% c
that can be
rsist, and pragate, and pparalyze, anrobe, and pe
oS attacks? (acks. e availabilityd are initiateith a tool caand ping of
ons usually ss. What cou
curred. computers.aunched agact to a recon
ks? (Choose
ck? access to p
c are sent to
e forwarded
he allocated
chaptecorrect.
used by a v
opagate paralyze nd probe enetrate
(Choose tw
y of a netwoed only by valled L0phtCf death attac
seen on the uld be a reas
ainst the netnnaissance
e three.)
rivileged ino a target de
d to a target
d memory to
er 1 E
virus or wor
o.)
ork, host, orvery skilled Crack. cks.
menu bar ason that com
twork. attack.
nformation. evice to mak
t device to c
o enable the
Exam.
rm in sequen
r applicationattackers.
are randomlmputers are
ke resources
cause the tar
e execution
.
ntial
n.
ly
s
rget
of
6. W
7. W
thetar
8. W
9. W
10. W
p
11. A
u
What is a cha
A Trojan HA proxy TAn FTP TA Trojan Hlaunched i
Which phase e network torgeting and
Which two st
A virus tyA virus haA virus reA virus pr
A virus ca
What is a ping
A ping swrange of IPA ping swpackets seA ping swnumbers oA ping swdomain, in
Which type program to e
A disgruntleusernames a
aracteristic oHorse can b
Trojan HorsTrojan HorseHorse can bit closes.
of worm mo slow dowinfecting ot
atements arypically requas an enablieplicates itserovides the aan be dorma
g sweep? weep is a net
P addressesweep is a sofent across a
weep is a scaon a host to
weep is a quencluding the
of security execute a spvirus worm proxy TrojaDenial of S
ed employeeand passwor
D
of a Trojan be carried ine opens pore stops anti-be hard to d
mitigation reqwn or stop th
ther systemcontaiinoculquarantreatm
re characteriuires end-usng vulnerabelf by indepattacker witant and then
twork scanns. ftware appliLAN.
anning techndetect listenery and respe addresses
threat can bpecific unwa
an horse Service Troj
e is using Wrds. What tyDenial of S
Horse? n a virus or rt 21 on the -virus progretect becau
quires comphe worm and
ms? inment phaslation phasentine phase
ment phase
istics of a vser activatiobility, a proppendently exth sensitive
n activate at
ning techniq
ication that
nique that ening serviceponse protoassigned to
be describedanted functi
jan horse
Wireshark toype of netwoervice
worm. target syste
rams or firewse it closes
partmentalizd prevent cu
se e
virus? (Chooon. pagation mexploiting vudata, such aa specific t
que that indi
enables the
examines a res.
ocol that ideo that domai
d as softwarion?
o discover adork attack d
em. walls from when the ap
zation and surrently infe
ose two.)
echanism, aulnerabilitieas passwordtime or date
icates the li
e capture of
range of TC
ntifies inforin.
re that attach
dministrativdoes this des
functioningpplication th
segmentatioected hosts
and a payloas in networkds. e.
ive hosts in
all network
CP or UDP p
rmation abo
hes to anoth
ve Telnet scribe?
g. hat
on of from
ad.ks.
a
k
port
out a
her
12. W
13. W
14. A
n
15. W
16. H
What occursidentifica
modificarunning transfer oextension
What are the
enabinfe
paypenprob
prop
A network anetwork. Wh
An A rA dCis
What are thrdisable
determ
identifyidentify
identifydiscove
How is a Smby sendinof the tarby sendinof 65,535
by sendinfrom a spby sendinspoofed s
prt
s during theation of vulnation of syst
of exploit con of the atta
e three majobling vulne
ecting vulneyload netration mebing mechapagation me
administratohat could beFTP Trojaneconnaissan
denial of serco Security
ree goals ofe used ports ine potentiay active servy peripheraly operating er system pa
murf attack cng a large nrget device ng an echo 5 bytes ng a large npoofed sourng a large nsource addr
port redirecreconnaissatrust exploit
e persist phanerable targtem files and
ode throughack to vulne
or componerability
erability
echanism anism echanism
or detects une causing thn Horse is ence attack isrvice attack y Agent is te
f a port scanand service
al vulnerabivices l configuratsystems asswords
conducted?number of p
request in a
number of ICrce address number of Tress
ction ance tation
ase of a worgets d registry se
h an attack verable neigh
ents of a wor
nknown seshis security bexecuting. s occurring.is occurring
esting the ne
n attack? (Ches ilities
tions
ackets, over
an IP packet
CMP requeson the same
TCP SYN pa
rm attack?
ettings to en
vector hboring targ
rm attack? (
sions involvbreach?
. g. etwork.
hoose three
rflowing th
t larger than
sts to directe network ackets to a t
nsure that th
ets
(Choose thr
ving port 21
e.)
e allocated
n the maxim
ted broadcas
target devic
he attack co
ree.)
1 on the
buffer mem
mum packet
st addresses
ce from a
ode is
mory
size
s
17. W
s
18 W
tw
19. W
mv
20. W
s
21. W
Which accesystem passw
Which two nwo.)
virudata
anti
intruapp
Which phasemodified filevulnerability
Which charapecified by
the integan inventhe restridata
the procestandard
Which statemA hackerdialup acA hacker
A hackeranalog teA hackerlocal areafax mach
ss attack meword by usi
buffer oport redDenial obrute-foIP spoofpacket s
network secu
us scanning a encryptioni-spoofing teusion proteclying user a
e of worm mes or systemy that the w
acteristic bey the ISO/IEgration of sentory and claiction of acc
ess of ensurs, and regul
ment descrir uses passwccount. r gains unaur mimics a telephone ner uses a proga, dialing eahines.
ethod involving an elect
overflow attdirection attaof Service aorce attack fing attacksniffer attac
urity solutio
n echnologiesction systemauthenticatio
mitigation inm settings thorm used to
est describesEC? ecurity into assification cess rights t
ring conformlations
ibes phone fword-crackin
uthorized actone using aetwork. gram that auach one in s
ves a softwaronic dictioack ack attack
k
ons can be u
s ms on
nvolves termhat the wormo exploit the
coninoquatre
s the networ
applicationscheme for
to networks
mance with
freaking? ng program
ccess to netwa whistle to
utomaticallysearch of co
are programonary?
used to miti
minating thm introducee system? ntainment oculation arantine atment
rk security
s r informatio, systems, a
security inf
ms to gain ac
works via wmake free l
y scans teleomputers, bu
m attempting
gate DoS at
e worm proed, and patch
Compliance
on assets applications
formation p
ccess to a co
wireless accelong-distanc
ephone numulletin board
g to discove
ttacks? (Cho
ocess, removhing the
e domain as
s, functions,
policies,
omputer via
ess points. ce calls on a
mbers withind systems, a
er a
oose
ving
s
, and
a a
an
n a and
22. W
Which two sPort redicapture a
PasswordHorses, o
Buffer ovoverwritePort scandetect lisTrust expcapture a
statements drection atta
all network d attacks caor packet snverflow attae valid datanning attackstening servploitation atand copy all
describe acccks use a nepackets tha
an be implemniffers. acks write da or exploit sks scan a ranvices. ttacks can ul network tr
cess attacksetwork adap
at are sent acmented usin
data beyondsystems to enge of TCP
use a laptop raffic in a pu
? (Choose tpter card in cross a LANng brute-for
the allocateexecute malor UDP po
acting as a ublic locatio
two.) promiscuou
N. ce attack m
ed buffer mlicious code
ort numbers
rogue acceon on a wire
us mode to
methods, Tro
memory to e. on a host to
ss point to eless hotspo
ojan
o
ot.
CiQu 1.
Regen
2. By
wh
3.
Recoinfde
4. W
isco Cuestions
efer to the exnerated mes
This mesThis mesinvestigaThis mesaction.
This mesThis mes
y default, hohen the logi
efer to the eonfigured asformation cetail comma
Bo
RoRo
ThTh
What are two
CCNAand an
xhibit. Whassage? (Chossage is a lessage appeaation. ssage appea
ssage indicassage indica
ow many sein block-for
exhibit. Rous the NTP mcan be obtainand on R2? oth routers aouter R1 is touter R2 is the IP addreshe IP addres
o characteris
A Secunswers 1
at two pieceoose two.) evel five notared because
ared because
ates that serates that enh
econds of der command
uters R1 andmaster, and t
ned from th(Choose tw
are configurthe master, athe master, ass of R1 is 1ss of R2 is 1
stics of the S
rity, c100% c
es of inform
tification me a minor er
e a major er
rvice timestahanced secu
elay betweed is configur
d R2 are conthe other is he partial ouwo.) red to use Nand R2 is thand R1 is th
192.168.1.2.192.168.1.2.
SDM Secur
chaptecorrect.
ation can be
message. rror occurre
rror occurre
amps have burity was co
en virtual lored?
one two three four five
nnected via an NTP clie
utput of the
NTPv2. he client. he client. . .
rity Audit w
er 2 E
e gathered f
ed requiring
ed requiring
been globalonfigured on
gin attempt
a serial linkent. Which show ntp a
wizard? (Cho
Exam.
from the
g further
g immediate
lly enabled.n the vty po
ts is invoked
k. One routetwo pieces
associations
oose two.)
.
e
orts.
d
er is of s
5. If
wi
6.
Re
7. W
recEX
It uses inteIt automatsecurity co
It displayssecurity-re
It requiresnetwork aIt is initiatfunctions
AAA is alreith a specifi
assign a
assign cassign uassociatcreate a
create a
efer to the eJR-Admin
JR-AdminJR-AdminJR-AdminJR-Adminone of tho
Which recomcovery on aXEC mode?
Keep a as a bacDisable router cConfigupersonn
Locate tpersonnProvisio
eractive diatically enabonfigurations a screen welated confis users to firand which coted from CLand forward
eady enableic view? (Cha secret passcommands tusers who cte the view
a superviewa view using
exhibit. Whin can issue sn can issue pn can issue on can issue dn cannot issuose defined.
mmended seca Cisco IOS? secure copy
ckup. all unused an be acces
ure secure anel can accethe router in
nel. on the route
alogs and prles Cisco IOns to secure
with Fix-it chiguration chrst identify wonnect to thLI and execuding plane s
ed, which thhoose threesword to theto the view
can use the vwith the roo
w using the pg the parser
ich statemenshow, ping,ping and reonly ping cdebug and rue any com
curity practi router for t
y of the rout
ports and inssed. dministrativss the routen a secure lo
er with the m
rompts to imOS firewall e the router.heck boxes
hanges to imwhich route
he outside nutes a scriptservices are
hree CLI ste.) e view
view ot view
parser viewr viewview-
nt regarding, and reload
eload commommands.reload com
mmand becau
ice preventsthe purpose
ter Cisco IO
nterfaces to
ve control toer. ocked room
maximum am
mplement Aand implem
to let you cmplement. er interfaces
network. t in which t
e tested agai
eps are requ
w view-name-name comm
g the JR-Add command
mands.
mmands. use the priv
s attackers fof gaining
OS image an
reduce the
o ensure tha
m that is acce
mount of m
AAA. ments Cisco
choose whic
s connect to
the managminst known v
uired to conf
e command mand
dmin accounds.
vilege level
from performaccess to th
nd router co
number of
at only auth
essible only
memory poss
o IOS IPS
ch potential
o the inside
ment plane vulnerabilit
figure a rou
nt is true?
does not ma
ming passwhe privilege
onfiguration
ways that th
horized
y to authoriz
sible.
ties.
uter
atch
word d
n file
he
zed
8. W
9.
Rewh
10. W
(
11. A
foa
12. W
Which three o
CBASNMsyslsecuinter
enab
efer to the ehich type of
secret viroot view
supervieCLI view
Which threeChoose thre
SNMTCP
SSHCisc
pas
fire
An administfor use with accept only
Which statem
options can AC MP og
urity bannerrface IP addble secret pa
exhibit. Basef view is SUiew, with a w, with a leew, containiw, containin
e services onee.) MP P interceptsH access to co Discoversword encrywall on all
trator defineSSH. Whicencrypted S
configurenable ingenerate configurenable ingenerate
ment descri
be configur
r dress assword
ed on the ouUPPORT? level 5 encr
evel 5 encrying SHOWVng SHOWV
n a router do
s the router ry Protocolyption servioutside inte
ed a local usch three addSSH connece the IP dom
nbound vty the SSH ke
e DNS on thnbound vty
two-way p
ibes the ope
red by Cisc
utput of the
rypted passwypted secret VIEW and V
VIEW and V
oes Cisco S
ice erfaces
ser account ditional stepctions? (Chomain name Telnet sessieys he router SSH sessiore-shared k
eration of th
o AutoSecu
show runn
word password VERIFYVI
VERIFYVIE
SDM One-S
with a secrps are requiroose three.)on the routeions
ns keys
he Cisco SD
ure? (Choos
ning-config
IEW views EW comma
tep Lockdo
ret passwordred to config
er
DM Security
se three.)
g command,
ands
own enable?
d on router Rgure R1 to
y Audit wiza
?
R1
ard?
13. A
pc
14. W
th
15. W
in
16. W
(
17. W
s
The wiza
The wizaThe wizatraffic. The wizacomparis
An administprivileged Ecustom acco
Which threehe network
Which servinformation
Which two oChoose two
Choose Apply t
Deliver ComparSelect th
Which statemimilar confi
aaa conf
ard configurard compareard monitor
ard logs the sons.
trator needsEXEC commount?
pripripripri
e areas of roperimeter? physical sflash secuoperating remote acrouter harzone isola
ce is enableabout the ro
operations ao.) the One-St
the documenthe configu
re the routerhe Firewall
ment matchfiguration fufiguration c
res a router es a router cs network d
effectivene
to create a mands. Whic
ivilege execivilege execivilege execivilege exec
outer securit(Choose th
security urity
system secucess securit
rdening ation
ed on a Ciscouter and po
are required
tep Lockdownted networuration chanr configurat and ACL t
hes the CLI unctions? ommands a
to prevent uconfiguratiodata and log
ess of netwo
user accounch privilege
c level 0c level 1c level 2c level 15
ty must be mhree.)
urity ty
co router byotentially m
d to impleme
wn feature.rk policies.nges to the rtion againstask on the S
commands
and the SDM
unauthorizeon against regs possible u
ork security
nt with custe command
maintained t
y default thamake it more
HTTPCDPFTPNTPTFTP
ent Cisco S
router. t recommenSDM Confi
to the SDM
M Basic Fire
ed access. ecommendeunauthorize
y measures f
tom access td is used to c
to secure an
at can reveale vulnerableP
P
DM One-St
nded settingsguration scr
M wizard tha
ewall wizar
ed settings. d or malicio
for baseline
to most create this
n edge route
l significante to attack?
tep Lockdow
s. reen.
at performs
rd
ous
er at
t
wn?
18.
R
19. W
a
20. W
pw
auto secwizard class-maSDM IPsetup pr
Refer to the The ADMThe ADMcomman
The ADMThe ADM
Which threearchive on a
Restart tIOS imaRestart tCisco IO
Boot thefilenameCopy theimage flRestore comman
Restore filename
Which set ofpassword uswhen a user
RRRRRRRRR
RR
cure privileg
aps, policy-S wizard
rivileged EX
exhibit. WhMIN passwoMIN passwod. MIN passwoMIN passwo
e commandsa router on wthe router inage name usthe router, eOS image nae secure booe. e secure boolash commathe secure c
nd. the secure c
e command.
f commandsing MD5, aattempts to
R1(config)# R1(config)# R1(config-linR1(config)# R1(config)# R1(config-linR1(config)# R1(config)# R1(config-linR1(config)# R1(config)#
ged EXEC
-maps, and
XEC comma
hat is the sigord is encryord is encry
ord is hasheord is hashe
s are requirewhich Ciscon ROM monsing the direnter privileame using thotset Cisco I
otset Cisco and. configuratio
configuratio.
s are requirand force tho access the
username line con 0ne)# login lusername line con 0ne)# login iusername line con 0ne)# login lusername line con 0
command a
service-po
and and the
gnificance oypted using ypted via the
ed using MDed using SH
ed to restoreo IOS resilienitor mode acommand.
eged EXEC he show flaIOS image u
IOS image
on file using
on file using
red to createhe router to a
console? admin pas
local admin pas
internal admin Adm
local admin secr
and the SDM
licy configu
e SDM Secu
of secret 5 iDH group 5e service pa
D5. HA.
e a primary ence is enaband display
mode, and ash commanusing the bo
to flash usi
g the copy c
g the secure
e a usernamaccess the in
ssword Adm
ssword Adm
min01pa55
ret Admin0
M One-Step
uration com
urity Audit w
in the gener5. assword-en
bootset frombled? (Choo
the secure
display the nd. oot comman
ing the copy
config-back
e boot-conf
e of admin,nternal user
min01pa55
min01pa55
5 encr md5
01pa55
p Lockdown
mmands and
wizard
rated output
ncryption
m a secure ose three.) bootset Cis
secure boo
nd with the
y IOS-back
kup flash
fig restore
hash the rname datab
n
the
t?
co
tset
kup-
base
21.
R(
22. W
RRRR
Refer to the Choose two
BufferedBufferedmessageAll mess
All messThe rout192.168
The sysl
What are twA vulnercommunCommonSNMP. If the mainformati
SNMP reSNMP-e
SNMP reSNMP-e
R1(config-linR1(config)# R1(config)# R1(config-lin
exhibit. Who.) d logging wd logging wes. sages with asages with ater interface.1.3. log server IP
wo characterrability of Snity strings inly known c
anager sendion and set ead-only co
enabled deviead-write co
enabled devi
ne)# login lusername line con 0ne)# login i
hich two sta
will be enablwill be enabl
a trap level a trap level e IP address
P address is
istics of SNNMPv1, SNin plaintext.community
s one of theinformation
ommunity stice. ommunity sice.
local admin secr
internal
atements de
ed on the roed on the sy
of 4 and higof 4 and low
s that is conn
s 192.168.1.
NMP commuNMPv2, and strings shou
e correct rean in an agentrings can b
strings can b
ret Admin0
escribe the c
outer for Loyslog server
gher (less crwer (more cnected to th
.3.
unity stringd SNMPv3
uld be used
ad-only comnt. e used to ge
be used to s
01pa55
current SDM
ogging Lever for Loggin
ritical) will critical) willhe syslog ser
s? (Choose is that they
when confi
mmunity stri
et informati
et informati
M logging se
el 7 messageng Level 7
be logged. l be logged.rver is
two.) y send the
figuring secu
ings, it can
ion from an
ion on an
etup?
es.
.
ure
get
23. W
w
24. W
tw
25.
Rtw
26. W
d
What is the mwith SSH?
Which two cwo.)
CLI view
Users logassociateA single
CommanDeleting
Refer to the wo.)
The CiscoROMmoncommandThe CiscoThe CiscomismatchThe Cisco
What are thrdevice confi
naa
e
cI
minimum re
characteristi
ws have pasgged in to aed CLI viewsuperview
nds cannot ba superview
exhibit. Wh
o IOS imagn mode willd. o IOS Resilo IOS Resilh. o IOS confi
ree requiremigurations vnetwork deva separate nat least one encryption oconnection Internet
ecommende
ics apply to
swords, buta superview ws.
can be sharbe configurew deletes al
hat two fact
ge and confil be inacces
lient Configlient Config
iguration fil
ments that mvia secure invices config
network segrouter actinof all remotto network
ed modulus
256 512 768 1024 2048
o Role-Base
t superviewcan access
red among med for a spell associated
ts can be det
guration filssible upon
guration featguration feat
les have bee
must be met n-band managured to accment conneng as a termte access madevices thr
key length
d CLI Acce
s do not havall comman
multiple CLecific supervd CLI views
termined fro
es have beeentering the
ture is enabture has det
en erased.
if an adminagement? (Ccommodate ecting all ma
minal serveranagement rough a prod
for keys ge
ess supervie
ve passwordnds specifie
LI views. view. s.
om the outp
en properly e privileged
bled. tected an im
nistrator waChoose threSSH anagement
traffic duction netw
enerated to u
ews? (Choo
ds. ed within th
put? (Choos
secured. d EXEC relo
mage version
ants to mainee.)
devices
work or the
use
se
e
se
oad
n
ntain
CiQu
1. W
2. W
3. Du
W
4. W
d
isco Cuestions
Why is local dIt specifie
It providesIt requiresIt is more device.
What is a cha
AuthorizaAccountinAccountinoperationsAuthorizaof time the
ue to implemWhich AAA
Which two ACharacter requires uCharacter requires u
Character requires uPacket morequires u
Packet mouse of dialPacket morequires u
direct acces
CCNAand an
database aus a differens for authens a login andefficient fo
aracteristic oation can onng services ang services ds the user isation recordse resource i
mented secucomponent
acacauauau
AAA access mode prov
use of the comode prov
use of dialupmode prov
use of the coode provideuse of dialupode providelup or VPNode provideuse of the co
ss to the con
A Secunswers 1
uthenticationnt password ntication andd password
or users who
of AAA? ly be impleare implemdetermine w allowed to s what the uis accessed,
urity controaccomplish
ccessibilityccounting uditing uthenticationuthorization
method statides remote
onsole, vty, ides remote
p or VPN. ides users w
onsole, vty, s users with
p or VPN. s remote us
N. s users with
onsole, vty,
nsole ports o
rity, c100% c
n preferred for each lind accountabcombinatio
o only need
mented afteented prior
which resouperform.
user does, inand any ch
ols, a user cahes this?
n
tements aree users withor tty ports
e users with
with adminior tty ports
h administra
sers with acc
h administraor tty ports
of all netwo
chaptecorrect.
over a passne or port. bility. on on consoto enter a p
er a user is ato authentic
urces the use
ncluding whhanges that w
an only acce
e true? (Cho access to n. access to n
strative priv. ative privile
cess to netw
ative privile.
ork devices
er 3 E
word-only l
le, vty linespassword to
authenticatecating a useer can acces
hat is accesswere made.
ess a server
oose two.) network reso
network reso
vilege EXE
ege EXEC a
work resourc
ege EXEC a
Exam.
login?
s, and aux pgain entry t
ed. er. ss and which
sed, the amo
r with FTP.
ources and
ources and
C access an
access and
ces and requ
access and
.
ports.to a
h
ount
nd
uires
5. W
6. W
au
7.
Remesta
Which two st
Server-basLocal AAof the rout
Server-bascommunicServer-basuses the loLocal AACisco Sec
What is a diffuthentication
Local AA
Local AAlocal doesA method optional wThe login authentica
efer to the exessage. On tatements areThe lockedThe lockedThe lockedPa55w0rd.The lockedStr0ngPa5The lockedusername A
atements desed AAA auA is ideal foter for authesed AAA aucate betweesed AAA auocal databasA authenticure ACS fo
ference betwn for authenA authenticA provides
s not. d list must bewhen using l
local commation succee
xhibit. Routthe basis of e true? (Chod-out user fad-out user is d-out user sh.
d-out user sh5w0rd.
d-out user stAdmin com
escribe AAAuthenticatio
for large comentication.uthentication the routeruthenticatiose of the roucation requiror Windows
ween using nticating admcation suppoa way to co
e configurelocal AAA mand suppoeds, even if
ter R1 has bthe informa
oose two.) ailed authen
locked out hould have u
hould have u
ays locked mmand is is
A authenticon is more smplex netwo
on can use thr and a AAAon is ideal fouter for authres the serv Server.
the login loministrator orts encryptonfigure bac
d when usinauthenticati
orts the keywall methods
been configuation presen
ntication. for 10 minu
used the use
used the use
out until thesued.
ation? (Chocalable thanorks becaus
he RADIUSA server. or large comhentication.vices of an e
ocal commaaccess? ted passworckup metho
ng the loginion. word none, s return an e
ured as shownted, which
utes by defaername Adm
ername adm
e clear aaa
oose two.) n local AAAse it uses the
S or TACAC
mplex netwo
external serv
and and usin
rds; login loods of authe
n local comm
which ensuerror.
wn, with thtwo AAA a
ault. min and pas
min and pas
local user
A authenticae local data
CS+ protoc
orks becaus
ver, such as
ng local AA
ocal does nontication; lo
mand, but i
ures that
e resulting lauthenticati
ssword
ssword
lockout
ation.abase
ols to
se it
the
AA
ot. ogin
s
log ion
8.
Reatt10
9. W
ke
10. W
11. W
efer to the etempts to us0.10.10.1. H
The R1 10The vty lincommandThe aaa lohigher.
The adminStr0ngPa
When configueyword loca
It acceptIt defaulThe logiIt uses th
What is a chTACACSTACACS
TACACSgroup baTACACSor 1813 f
Which statem
exhibit. Rouse Telnet fro
However, Te0.10.10.1 rones must be. ocal authen
nistrative us55w0rd.
uring a methal? ts a locally clts to the vtyin succeeds,he enable pa
haracteristicS+ is an opeS+ is backwS+ provides
asis. S+ uses UDfor accounti
ment identif
uter R1 is coom router Relnet access outer interfae configured
ntication at
ser should u
hod list for
configured y line passw, even if all assword for
c of TACACen IETF sta
ward compas authorizat
DP port 1645ing
fies an impo
onfigured asR2 to router
is denied. Wce must be
d with the lo
ttempts ma
use the usern
AAA authe
username, rword for auth
methods rer authenticat
CS+? andard. atible with Ttion of route
5 or 1812 fo
ortant differ
s shown. AnR1 using th
Which optioenabled.
ogin authen
ax-fail comm
name Admi
entication, w
regardless ohentication
eturn an errotion.
TACACS aner command
or authentic
rence betwe
n administrahe interfaceon corrects t
ntication de
mand must b
in and passw
what is the e
of case. . or.
nd XTACAds on a per-u
cation, and U
een TACAC
ative user IP address this problem
efault
be set to 2 o
word
effect of the
CS. user or per-
UDP port 1
CS+ and
m?
or
e
-
646
R
12. In
13. W
p
14. W
15. W
d
16. A
li
RADIUS? TACACSRADIUSThe RAD
The TACauthorizaRADIUSauthoriza
n regards toa web serthe compnetwork
a router,
What is the rprior to crea
The admThe admThe admThe admto apply
When config
A Web bThe CiscTelnet caconfiguraThe Ciscsoftware
Which AAAdetailed acco
TACACaccounti
RADIUSusers TACACper-userRADIUSuser or p
After accounist applied?
S+ providesS. DIUS protocCACS+ protation. S can cause ation reques
o Cisco Securver, email
puter used busers who mswitch, fire
result if an ating a user wministrator iministrator iministrator iministrator iy changes.
guring a Cisbrowser is uco Secure Aan be used tation is com
co Secure Aon the adm
A protocol aounting for
CS+ becauseing S because it
CS+ becauser or per-grouS because itper-group ba
nting is enab
s extensive
col encryptstocol allows
delays by est.
ure ACS, wserver, or F
by a networkmust accessewall, or VP
administratwith full acis immediatis denied allis allowed fuis allowed fu
sco Secure Aused to confiACS can be ato configuremplete. ACS can be aministrator w
and feature bcustomer in
e it combine
t supports d
e it requires up basis t requires seasis
bled on an I
accounting
s the entire s for separa
establishing
what is a clieFTP serverk administras privileged PN concentr
tor configurccess rights?ely locked ol access excfull access ufull access u
ACS, how ifigure a Ciscaccessed froe a Cisco Se
accessed remworkstation.
best supportnvoicing? es authentic
detailed acco
select auth
elect author
IOS device,
capabilities
packet tranation of auth
a new TCP
ent device?
ator EXEC com
rator
res the aaa a? out of the sy
cept to aaa ausing the enuntil a router
is the configco Secure Aom the routecure ACS s
motely after
t a large ISP
ation and au
ounting that
orization po
rization poli
, how is a d
s when com
nsmission. hentication f
P session for
mmands
authorizati
ystem. authorizatiable secretr reboot, wh
guration intACS. er console. server after
r installing
P that needs
uthorization
t is required
olicies to be
icies to be a
default accou
mpared to
from
r each
ion comman
ion commant password. hich is requ
erface acce
an initial
ACS client
s to implem
n, but separa
d for billing
e applied on
applied on a
unting meth
nd
nds.
uired
ssed?
t
ment
ates
n a
a per-
hod
17.
RE
18. H
a
AccountiA nameddesired inAccountiadded to
The defaexcept th
Refer to the EXEC sessio
aaa aaaa aaaa a
aaa aaaa aaaa a
How does a authorization
reduces o
reduces dreduces bcredentiareduces nwith auth
ing method d accountingnterfaces. ing method the server g
ault accounthose with na
exhibit. In ton commanaccountingaccountingaccountingaccountingaccountingaccounting
Cisco Secun process? overhead bydelays in thbandwidth uals number of ahentication
lists are apg method lis
lists are nogroup. ing methodamed accou
the networknds? g connectiong connectiong exec start-g exec start-g network sg network s
ure ACS imp
y using UDPe authorizatutilization o
authorizatio
plied only tst must be e
ot applied to
d list is automunting metho
k shown, wh
n start-stopn start-stop-stop group-stop grouptart-stop gtart-stop g
prove perfo
P for authortion queriesof the author
on queries by
to the VTY explicitly de
o any interfa
matically apod lists.
hich AAA c
p group radp group tacp radiusp tacacs+roup radiuroup tacac
ormance of t
rization ques by using prization que
y combinin
interfaces. efined and a
aces until an
pplied to all
command lo
diuscacs+
uscs+
the TACAC
eries persistent TCeries by allo
g the author
applied to
n interface i
l interfaces,
ogs the use o
CS+
CP sessionsowing cache
rization pro
s
of
ed
ocess
19.
Ra
20. W
Refer to the address and
What is an e
AuthentiUser accCharacteAll autho
exhibit. Whsecure pass
User SeGroup SNetworkSystem InterfacAdmini
effect if AAicated users ess to speci
er mode authorization req
hich Cisco Ssword of an etup Setup k ConfiguraConfiguratie Configurastration Con
AA authorizaare granted
ific serviceshorization iquests to the
Secure ACSAAA clien
ation ion ation ntrol
ation on a dd full accesss is determins limited, ane TACACS
S menu is rent?
device is nots rights. ned by the and packet m
S server rece
equired to c
t configured
authenticatimode denieseive a REJE
configure th
d?
on process.s all requestECT respons
e IP
s. se.
CiQu
1. Wop
2. W
3. W
ap
4.
Rezo
isco Cuestions
Which statemperation?
The pass aA router iService poRouter ma
Which locatioa location
a location a location traffic as pif using threturn traf
When using Cpplied?
a gana z
a z
efer to the eone-based fi
CCNAand an
ment accurat
action workinterface canolicies are aanagement
on is recommas close to as close to centered be
possible he establishffic is allow
Cisco IOS z
global servin interface zone zone pair
exhibit. Baserewall com
A Secunswers 9
tely describe
ks in only onn belong to applied in ininterfaces m
mended forthe destinatthe source
etween traff
ed keywordwed
zone-based p
ice policy
ed on the SDmponent bein
rity, c95.8% c
es Cisco IO
ne directionmultiple zo
nterface conmust be man
r extended ntion of traffof traffic asfic destinati
d, a location
policy firew
DM screen ng configure
chaptecorrect.
OS zone-bas
n. ones. nfiguration mnually assig
numbered orfic as possibs possible ions and sou
n close to th
wall, where
shown, whied?
er 4 E.
ed policy fi
mode. gned to the s
r extended nble
urces to filte
he destinatio
is the inspe
ich statemen
Exam.
irewall
self zone.
named ACL
er as much
on to ensure
ction policy
nt describes
.
Ls?
e that
y
s the
a class map that inspects all traffic that uses the HTTP, IM, P2P, and email protocols
a class map that prioritizes traffic that uses HTTP first, followed by SMTP, and then DNS
a class map that denies all traffic that uses the HTTP, SMTP, and DNS protocols
a class map that inspects all traffic that uses the HTTP, SMTP, and DNS protocols
a class map that inspects all traffic, except traffic that uses the HTTP, SMTP, and DNS protocols

5. Refer to the exhibit. Based on the SDM screen shown, which two statements describe the effect this zone-based policy firewall has on traffic? (Choose two.)
HTTP traffic from the in-zone to the out-zone is inspected.
Unmatched traffic to the router from the out-zone is permitted.
ICMP replies from the router to the out-zone are denied.
Traffic from the in-zone to the out-zone is denied if the source address is in the 127.0.0.0/8 range.
Traffic from the in-zone to the out-zone is denied if the destination address is in the 10.1.1.0/29 range.

6. Which type of packet is unable to be filtered by an outbound ACL?
ICMP packet
broadcast packet
multicast packet
router-generated packet

7. Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?
The packet is forwarded, and an alert is generated.
The packet is forwarded, and no alert is generated.
The initial packet is dropped, but subsequent packets are forwarded.
The packet is dropped.

8. Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router?
self zone
system zone
local zone
inside zone
outside zone

9. Which statement correctly describes a type of filtering firewall?
A transparent firewall is typically implemented on a PC or server with firewall software running on it.
A packet-filtering firewall expands the number of IP addresses available and hides network addressing design.
An application gateway firewall (proxy firewall) is typically implemented on a router to filter Layer 3 and Layer 4 information.
A stateful firewall monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.

10. In addition to the criteria used by extended ACLs, what conditions are used by CBAC to filter traffic?
TCP/IP protocol numbers
IP source and destination addresses
application layer protocol session information
TCP/UDP source and destination port numbers

11. Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model?
Both stateful and packet-filtering firewalls can filter at the application layer.
A stateful firewall can filter application layer information, while a packet-filtering firewall cannot filter beyond the network layer.
A packet-filtering firewall typically can filter up to the transport layer, while a stateful firewall can filter up to the session layer.
A packet-filtering firewall uses session layer information to track the state of a connection, while a stateful firewall uses application layer information to track the state of a connection.

12. Refer to the exhibit. What is represented by the area marked as “A”?
DMZ
internal network
perimeter security boundary
trusted network
untrusted network

13. Which three actions can a Cisco IOS zone-based policy firewall take if configured with Cisco SDM? (Choose three.)
inspect
evaluate
drop
analyze
pass
forward

14. A router has CBAC configured and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?
A dynamic ACL entry is added to the external interface in the inbound direction.
The internal interface ACL is reconfigured to allow the host IP address access to the Internet.
The entry remains in the state table after the session is terminated so that it can be reused by the host.
When traffic returns from its destination, it is reinspected, and a new entry is added to the state table.

15. For a stateful firewall, which information is stored in the stateful session flow table?
TCP control header and trailer information associated with a particular session
TCP SYN packets and the associated return ACK packets
inside private IP address and the translated inside global IP address
outbound and inbound access rules (ACL entries)
source and destination IP addresses, and port numbers and sequencing information associated with a particular session

16. Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.)
SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.
Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.
SSH connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.
Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.
SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.
Telnet connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.

17. When configuring a Cisco IOS zone-based policy firewall, which three actions can be applied to a traffic class? (Choose three.)
drop
inspect
pass
reroute
queue
shape

18. Refer to the exhibit. In a two-interface CBAC implementation, where should ACLs be applied?
inside interface
outside interface
inside and outside interfaces
no interfaces

19. Which two parameters are tracked by CBAC for TCP traffic but not for UDP traffic? (Choose two.)
source port
protocol ID
sequence number
destination port
SYN and ACK flags

20. What is the first step in configuring a Cisco IOS zone-based policy firewall using the CLI?
Create zones.
Define traffic classes.
Define firewall policies.
Assign policy maps to zone pairs.
Assign router interfaces to zones.

21. Which two are characteristics of ACLs? (Choose two.)
Extended ACLs can filter on destination TCP and UDP ports.
Extended ACLs can filter on source and destination IP addresses.
Extended ACLs can filter on source and destination IP addresses.
Standard ACLs can filter on source and destination IP addresses.
Standard ACLs can filter on source and destination TCP and UDP ports.

22. Which type of packets exiting the network of an organization should be blocked by an ACL?
packets that are not encrypted
packets that are not translated with NAT
packets with source IP addresses outside of the organization's network address space
packets with destination IP addresses outside of the organization's network address space

23. When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL?
topology-based switching
autonomous switching
process switching
optimum switching
Cisco CCNA Security, chapter 5 Exam.
Questions and answers 100% correct.

1. An IPS sensor has detected the string confidential across multiple packets in a TCP session. Which type of signature trigger and signature type does this describe?
Trigger: Anomaly-based detection, Type: Atomic signature
Trigger: Anomaly-based detection, Type: Composite signature
Trigger: Pattern-based detection, Type: Atomic signature
Trigger: Pattern-based detection, Type: Composite signature
Trigger: Policy-based detection, Type: Atomic signature
Trigger: Policy-based detection, Type: Composite signature

2. A network administrator tunes a signature to detect abnormal activity that might be malicious and likely to be an immediate threat. What is the perceived severity of the signature?
high
medium
low
informational

3. What are two major drawbacks to using HIPS? (Choose two.)
HIPS has difficulty constructing an accurate network picture or coordinating the events happening across the entire network.
HIPS installations are vulnerable to fragmentation attacks or variable TTL attacks.
With HIPS, the network administrator must verify support for all the different operating systems used in the network.
If the network traffic stream is encrypted, HIPS is unable to access unencrypted forms of the traffic.
With HIPS, the success or failure of an attack cannot be readily determined.

4. Which type of intrusion detection triggers an action if excessive activity occurs beyond a specified threshold of normal activity?
pattern-based detection
anomaly-based detection
policy-based detection
honey pot-based detection

5. Which two statements characterize a network-based IPS implementation? (Choose two.)
It makes hosts visible to attackers.
It is unable to examine encrypted traffic.
It monitors to see if an attack was successful.
It provides application-level encryption protection.
It is independent of the operating system on hosts.

6. What information is provided by the show ip ips configuration configuration command?
detailed IPS signatures
alarms that were sent since the last reset
the number of packets that are audited
the default actions for attack signatures

7. When editing IPS signatures with SDM, which action drops all future packets from a TCP flow?
Deny Packet Inline
Deny TCP Connection
Deny Attacker Inline
Deny Connection Inline

8. Refer to the exhibit. A user was installing a Flash Player upgrade when the CSA displayed the dialog box shown. Which default action is taken by CSA if the user does not respond within 4 minutes and 20 seconds?
The action is allowed, and a log entry is recorded.
The action is allowed, and CSA does not prompt the user again.
The action is denied, and a log entry is recorded.
The action is denied, and the FlashPlayerUpdate.exe application is terminated.

9. Refer to the exhibit. When modifying an IPS signature action, which two check boxes should be selected to create an ACL that denies all traffic from the IP address that is considered the source of the attack and drops the packet and all future packets from the TCP flow? (Choose two.)
Deny Attacker Inline
Deny Connection Inline
Deny Packet Inline
Produce Alert
Reset TCP Connection

10. Refer to the exhibit. What is the significance of the number 10 in the signature 6130 10 command?
It is the alert severity.
It is the signature number.
It is the signature version.
It is the subsignature ID.
It is the signature fidelity rating.

11. What is a disadvantage of network-based IPS as compared to host-based IPS?
Network-based IPS is less cost-effective.
Network-based IPS cannot examine encrypted traffic.
Network-based IPS does not detect lower level network events.
Network-based IPS should not be used with multiple operating systems.

12. Which two files could be used to implement Cisco IOS IPS with version 5.x format signatures? (Choose two.)
IOS-Sxxx-CLI.bin
IOS-Sxxx-CLI.pkg
IOS-Sxxx-CLI.sdf
realm-cisco.priv.key.txt
realm-cisco.pub.key.txt

13. Why is a network that deploys only IDS particularly vulnerable to an atomic attack?
The IDS must track the three-way handshake of established TCP connections.
The IDS must track the three-way handshake of established UDP connections.
The IDS permits malicious single packets into the network.
The IDS requires significant router resources to maintain the event horizon.
The stateful properties of atomic attacks usually require the IDS to have several pieces of data to match an attack signature.

14. Refer to the exhibit. Based on the SDM screen shown, which two actions will the signature take if an attack is detected? (Choose two.)
Reset the TCP connection to terminate the TCP flow.
Drop the packet and all future packets from this TCP flow.
Generate an alarm message that can be sent to a syslog server.
Drop the packet and permit remaining packets from this TCP flow.
Create an ACL that denies traffic from the attacker IP address.

15. Which two Cisco IOS commands are required to enable IPS SDEE message logging? (Choose two.)
logging on
ip ips notify log
ip http server
ip ips notify sdee
ip sdee events 500

16. Refer to the exhibit. Which option tab on the SDM IPS screen is used to view the Top Threats table and deploy signatures associated with those threats?
Create IPS
Edit IPS
Security Dashboard
IPS Migration

17. Which Cisco IOS configuration option instructs the IPS to compile a signature category named ios_ips into memory and use it to scan traffic?
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired false

R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false

R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# enabled true

R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# enabled true

18. Refer to the exhibit. What is the result of issuing the Cisco IOS IPS commands on router R1?
A named ACL determines the traffic to be inspected.
A numbered ACL is applied to S0/0/0 in the outbound direction.
All traffic that is denied by the ACL is subject to inspection by the IPS.
All traffic that is permitted by the ACL is subject to inspection by the IPS.

19. What are two IPS configuration best practices that can help improve IPS efficiency in a network? (Choose two.)
Configure all sensors to check the server for new signature packs at the same time to ensure that they are all synchronized.
Configure the sensors to simultaneously check the FTP server for new signature packs.
Ensure that signature levels that are supported on the management console are synchronized with the signature packs on the sensors.
Update signature packs manually rather than automatically to maintain close control when setting up a large deployment of sensors.
Place signature packs on a dedicated FTP server within the management network.

20. Refer to the exhibit. What is the significance of the small red flag waving in the Windows system tray?
Cisco Security Agent is installed but inactive.
Network-based IPS is active and has detected a potential security problem.
Cisco Security Agent is active and has detected a potential security problem.
A network-based IPS sensor has pushed an alert to a host running Cisco Security Agent.

21. Which two benefits does the IPS version 5.x signature format provide over the version 4.x signature format? (Choose two.)
addition of signature micro engines
support for IPX and AppleTalk protocols
addition of a signature risk rating
support for comma-delimited data import
support for encrypted signature parameters
Cisco CCNA Security, chapter 6 Exam.
Questions and answers 100% correct.

1. Which two measures are recommended to mitigate VLAN hopping attacks? (Choose two.)
Use a dedicated native VLAN for all trunk ports.
Place all unused ports in a separate guest VLAN.
Disable trunk negotiation on all ports connecting to workstations.
Enable DTP on all trunk ports.
Ensure that the native VLAN is used for management traffic.

2. As a recommended practice for Layer 2 security, how should VLAN 1 be treated?
All access ports should be assigned to VLAN 1.
All trunk ports should be assigned to VLAN 1.
VLAN 1 should be used for management traffic.
VLAN 1 should not be used.

3. How is a reflector port used in an RSPAN configuration?
It provides a dedicated connection for the IDS device.
It allows an RSPAN session to be backward compatible with a SPAN session.
It acts like a loopback interface in that it reflects the captured traffic to the RSPAN VLAN.
It allows an IDS device to direct malicious traffic to it, isolating that traffic from other areas of the network.

4. Which attack is mitigated by using port security?
LAN storm
VLAN hopping
STP manipulation
MAC address table overflow

5. Which technology is used to protect the switched infrastructure from problems caused by receiving BPDUs on ports that should not be receiving them?
RSPAN
PortFast
Root guard
Loop guard
BPDU guard

6. Which three switch security commands are required to enable port security on a port so that it will dynamically learn a single MAC address and disable the port if a host with any other MAC address is connected? (Choose three.)
switchport mode access
switchport mode trunk
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address mac-address

7. When configuring a switch port for port security, what is the default violation mode?
protect
reset
restrict
shutdown

8. Which three statements are true regarding SPAN and RSPAN? (Choose three.)
SPAN can send a copy of traffic to a port on another switch.
RSPAN is required for syslog and SNMP implementation.
SPAN can be configured to send a copy of traffic to a destination port on the same switch.
SPAN can copy traffic on a source port or source VLAN to a destination port on the same switch.
RSPAN is required to copy traffic on a source VLAN to a destination port on the same switch.
RSPAN can be used to forward traffic to reach an IDS that is analyzing traffic for malicious behavior.

9. Which Cisco endpoint security product helps maintain network stability by providing posture assessment, quarantining of noncompliant systems, and remediation of noncompliant systems?
Cisco Access Control Server
Cisco Security Agent workstation
Cisco Intrusion Prevention System router
Cisco Network Admission Control appliance

10. Which attack relies on the default automatic trunking configuration on most Cisco switches?
LAN storm attack
VLAN hopping attack
STP manipulation attack
MAC address spoofing attack

11. With IP voice systems on data networks, which two types of attacks target VoIP specifically? (Choose two.)
CoWPAtty
Kismet
SPIT
virus
vishing

12. Which two elements are part of the Cisco strategy for addressing endpoint security? (Choose two.)
policy compliance using products such as Cisco NAC
network infection monitoring using products such as Cisco Secure ACS
threat protection using products such as Cisco Security Agent
attack detection using products such as Cisco NAC
risk assessment compliance using products such as Cisco Security Agent

13. Which frames are spoofed in STP manipulation attacks?
BPDU
DTP
ISL
802.1q

14. Which option best describes a MAC address spoofing attack?
An attacker gains access to another host and masquerades as the rightful user of that device.
An attacker alters the MAC address of his host to match another known MAC address of a target host.
An attacker alters the MAC address of the switch to gain access to the network device from a rogue host device.
An attacker floods the MAC address table of a switch so that the switch can no longer filter network access based on MAC addresses.

15. What happens when the MAC address notification feature is enabled on a switch?
An SDEE alert is generated, and the switch resets the interface when an invalid MAC address is detected.
An STP multicast notification packet is forwarded to all switches any time a change in the network topology is detected.
A port violation occurs when a MAC address outside of the range of allowed addresses transmits traffic over a secure port.
An SNMP trap is sent to the network management system whenever a new MAC address is added to or an old address is deleted from the forwarding tables.

16. Which device supports the use of SPAN to enable monitoring of malicious activity?
Cisco NAC
Cisco IronPort
Cisco Security Agent
Cisco Catalyst switch

17. An administrator wants to prevent a rogue Layer 2 device from intercepting traffic from multiple VLANs on a network. Which two actions help mitigate this type of activity? (Choose two.)
Disable DTP on ports that require trunking.
Place unused active ports in an unused VLAN.
Secure the native VLAN, VLAN 1, with encryption.
Set the native VLAN on the trunk ports to an unused VLAN.
Turn off trunking on all trunk ports and manually configure each VLAN as required on each port.

18. Refer to the exhibit. Based on the output generated by the show monitor session 1 command, how will SPAN operate on the switch?
All traffic transmitted from VLAN 10 or received on VLAN 20 is forwarded to FastEthernet 0/1.
All traffic received on VLAN 10 or transmitted from VLAN 20 is forwarded to FastEthernet 0/1.
Native VLAN traffic received on VLAN 10 or transmitted from VLAN 20 is forwarded to FastEthernet 0/1.
Native VLAN traffic transmitted from VLAN 10 or received on VLAN 20 is forwarded to FastEthernet 0/1.

19. How many Cisco Security Agent clients can one Management Center for CSA console support?
1,000
10,000
100,000
1,000,000

20. Which three are SAN transport technologies? (Choose three.)
Fibre Channel
SATA
iSCSI
IP PBX
FCIP
IDE

21. If a switch is configured with the storm-control command and the action shutdown and action trap parameters, which two actions does the switch take when a storm occurs on a port? (Choose two.)
The port is disabled.
The switch is rebooted.
An SNMP log message is sent.
The port is placed in a blocking state.
The switch forwards control traffic only.
Cisco CCNA Security, chapter 7 Exam.
Questions and answers 100% correct.

1. Which symmetrical encryption algorithm is the most difficult to crack?
3DES
AES
DES
RSA
SHA

2. What is the basic method used by 3DES to encrypt plaintext?
The data is encrypted three times with three different keys.
The data is encrypted, decrypted, and encrypted using three different keys.
The data is divided into three blocks of equal length for encryption.
The data is encrypted using a key length that is three times longer than the key used for DES.

3. What does it mean when a hashing algorithm is collision resistant?
Exclusive ORs are performed on input data and produce a digest.
It is not feasible to compute the hash given the input data.
It uses a two-way function that computes a hash from the input and output data.
Two messages with the same hash are unlikely to occur.

4. Which three primary functions are required to secure communication across network links? (Choose three.)
accounting
anti-replay protection
authentication
authorization
confidentiality
integrity

5. Which two encryption algorithms are commonly used to encrypt the contents of a message? (Choose two.)
3DES
AES
IPsec
PKI
SHA

6. Which statement describes asymmetric encryption algorithms?
They include DES, 3DES, and AES.
They have key lengths ranging from 80 to 256 bits.
They are also called shared-secret key algorithms.
They are relatively slow because they are based on difficult computational algorithms.

7. Which statement describes the use of keys for encryption?
The sender and receiver must use the same key when using symmetric encryption.
The sender and receiver must use the same key when using asymmetric encryption.
The sender and receiver must use the same keys for both symmetric and asymmetric encryption.
The sender and receiver must use two keys: one for symmetric encryption and another for asymmetric encryption.

8. How do modern cryptographers defend against brute-force attacks?
Use statistical analysis to eliminate the most common encryption keys.
Use an algorithm that requires the attacker to have both ciphertext and plaintext to conduct a successful attack.
Use a keyspace large enough that it takes too much money and too much time to conduct a successful attack.
Use frequency analysis to ensure that the most popular letters used in the language are not used in the cipher message.

9. Refer to the exhibit. Which type of cipher method is depicted?
Caesar cipher
stream cipher
substitution cipher
transposition cipher

10. Which statement describes a cryptographic hash function?
A one-way cryptographic hash function is hard to invert.
The output of a cryptographic hash function can be any length.
The input of a cryptographic hash function has a fixed length.
A cryptographic hash function is used to provide confidentiality.

11. A customer purchases an item from an e-commerce site. The e-commerce site must maintain proof that the data exchange took place between the site and the customer. Which feature of digital signatures is required?
authenticity of digitally signed data
integrity of digitally signed data
nonrepudiation of the transaction
confidentiality of the public key

12. Which encryption protocol provides network layer confidentiality?
IPsec protocol suite
Keyed MD5
Message Digest 5
Secure Sockets Layer
Secure Hash Algorithm 1
Transport Layer Security

13. Which statement is a feature of HMAC?
HMAC is based on the RSA hash function.
HMAC uses a secret key that is only known to the sender and defeats man-in-the-middle attacks.
HMAC uses a secret key as input to the hash function, adding authentication to integrity assurance.
HMAC uses protocols such as SSL or TLS to provide session layer confidentiality.

14. The network administrator for an e-commerce website requires a service that prevents customers from claiming that legitimate orders are fake. What service provides this type of guarantee?
authentication
confidentiality
integrity
nonrepudiation

15. What is a characteristic of the RSA algorithm?
RSA is much faster than DES.
RSA is a common symmetric algorithm.
RSA is used to protect corporate data in high-throughput, low-latency environments.
RSA keys of 512 bits can be used for faster processing, while keys of 2048 bits can be used for increased security.

16. Refer to the exhibit. Which encryption algorithm is described in the exhibit?
3DES
AES
DES
RC4
SEAL

17. An administrator requires a PKI that supports a longer lifetime for keys used for digital signing operations than for keys used for encrypting data. Which feature should the PKI support?
certificate keys
nonrepudiation keys
usage keys
variable keys

18. Which two statements correctly describe certificate classes used in the PKI? (Choose two.)
A class 0 certificate is for testing purposes.
A class 0 certificate is more trusted than a class 1 certificate.
The lower the class number, the more trusted the certificate.
A class 5 certificate is for users with a focus on verification of email.
A class 4 certificate is for online business transactions between companies.

19. Two users must authenticate each other using digital certificates and a CA. Which option describes the CA authentication procedure?
The CA is always required, even after user verification is complete.
The users must obtain the certificate of the CA and then their own certificate.
After user verification is complete, the CA is no longer required, even if one of the involved certificates expires.
CA certificates are retrieved out-of-band using the PSTN, and the authentication is done in-band over a network.

20. Why is RSA typically used to protect only small amounts of data?
The keys must be a fixed length.
The public keys must be kept secret.
The algorithms used to encrypt data are slow.
The signature keys must be changed frequently.

21. Which algorithm would provide the best integrity check for data that is sent over the Internet?
MD5
SHA-1
SHA-2
3DES

22. Which characteristic of security key management is responsible for making certain that weak cryptographic keys are not used?
verification
exchange
generation
revocation and destruction
CiQu
1. W
2. W
algco
3. W
shau
4. W
5. A
VPCi
isco Cuestions
What are twoIt supportsIt supports
It has the oThe thin c
It is compand NAT.
When verifyingorithm, ha
onfigured, as
When configuhare commauthentication
Configupolicy cConfiguconfiguConfiguconfigu
Configu
Which actionexchan
negotiaverificanegotia
network adPN devices isco IOS fea
CCNAand an
o benefits ofs all client/ss the same loption of on
client mode atible with
ng IPsec cosh algorithms well as de
show crshow crshow crshow cr
uring a site-and is confign configurature the messconfiguratioure the DH guration commure a hostnauration commure a PSK w
n do IPsec penge of DH kation of IPsation of peeation of IKE
dministratorto simplify
ature wouldCCC
A Secunswers 1
f an SSL VPserver applilevel of crypnly requirinfunctions wDMVPNs,
onfigurationm, authenticefault settingrypto maprypto ipsecrypto isakmrypto ipsec
-to-site IPsegured in thetion is requisage encrypon commandgroup identmand. ame with themand.
with the cryp
eers take dukeys ec policy er identity E policy set
r is planningy VPN deplod provide thiCisco Easy VCisco VPN CCisco IOS S
rity, c100% c
PN? (Chooscations. ptographic
ng an SSL-ewithout requCisco IOS F
ns, which shcation methgs?
c samp policyc transform
ec VPN usine ISAKMP ired?
ption algoritd. tifier with th
e crypto isa
pto isakmp
uring the IK
s
g to implemoyment for ris solution?VPN Client SL VPN
chaptecorrect.
se two.)
security as nabled web
uiring any dFirewall, IP
how commaod, and Dif
m-set
ng the CLI, policy. Whi
thm with the
he groupnu
akmp ident
p key globa
KE Phase 2 e
ment centraliremote offic
er 8 E
an IPsec VPb browser. downloads oPsec, IPS, C
and displaysffie-Hellman
the authenich addition
e encryptio
umber ISAK
tity hostnam
l configurat
exchange?
ized manageces and tele
Exam.
PN.
or software. Cisco Easy V
s the encrypn group
ntication prnal peer
ontype ISAK
KMP policy
me global
tion comma
ement of Cieworkers. W
.
VPN,
ption
re-
KMP
and.
isco Which
Dynamic Multipoint VPN

6. Which two statements accurately describe characteristics of IPsec? (Choose two.)
IPsec works at the application layer and protects all application data.
IPsec works at the transport layer and protects data at the network layer.
IPsec works at the network layer and operates over all Layer 2 protocols.
IPsec is a framework of proprietary standards that depend on Cisco specific algorithms.
IPsec is a framework of standards developed by Cisco that relies on OSI algorithms.
IPsec is a framework of open standards that relies on existing algorithms.

7. Refer to the exhibit. Which two IPsec framework components are valid options when configuring an IPsec VPN on a Cisco ISR router? (Choose two.)
Integrity options include MD5 and RSA.
IPsec protocol options include GRE and AH.
Confidentiality options include DES, 3DES, and AES.
Authentication options include pre-shared key and SHA.
Diffie-Hellman options include DH1, DH2, and DH5.

8. With the Cisco Easy VPN feature, which process ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client?
Cisco Express Forwarding
Network Access Control
On-Demand Routing
Reverse Path Forwarding
Reverse Route Injection

9. Refer to the exhibit. A site-to-site VPN is required from R1 to R3. The administrator is using the SDM Site-to-Site VPN Wizard on R1. Which IP address should the administrator enter in the highlighted field?
10.1.1.1
10.1.1.2
10.2.2.1
10.2.2.2
192.168.1.1
192.168.3.1

10. What is required for a host to use an SSL VPN?
VPN client software must be installed.
A site-to-site VPN must be preconfigured.
The host must be in a stationary location.
A web browser must be installed on the host.

11. What are two authentication methods that can be configured using the SDM Site-to-Site VPN Wizard? (Choose two.)
MD5
SHA
pre-shared keys
encrypted nonces
digital certificates

12. Which UDP port must be permitted on any IP interface used to exchange IKE information between security gateways?
400
500
600
700

13. Which requirement necessitates using the Step-by-Step option of the SDM Site-to-Site VPN wizard instead of the Quick Setup option?
AES encryption is required.
3DES encryption is required.
Pre-shared keys are to be used.
The remote peer is a Cisco router.
The remote peer IP address is unknown.

14. Which IPsec protocol should be selected when confidentiality is required?
tunnel mode
transport mode
authentication header
encapsulating security payload
generic routing encapsulation

15. Which statement describes an important characteristic of a site-to-site VPN?
It must be statically set up.
It is ideally suited for use by mobile workers.
It requires using a VPN client on the host PC.
It is commonly implemented over dialup and cable modem networks.
After the initial connection is established, it can dynamically change connection information.

16. Refer to the exhibit. Based on the SDM screen, which Easy VPN Server component is being configured?
group policy
transform set
IKE proposal
user authentication

17. A user launches Cisco VPN Client software to connect remotely to a VPN service. What does the user select before entering the username and password?
the SSL connection type
the IKE negotiation process
the desired preconfigured VPN server site
the Cisco Encryption Technology to be applied

18. What is the default IKE policy value for authentication?
MD5
SHA
RSA signatures
pre-shared keys
RSA encrypted nonces

19. When using ESP tunnel mode, which portion of the packet is not authenticated?
ESP header
ESP trailer
new IP header
original IP header

20. Refer to the exhibit. Under the ACL Editor, which option is used to specify the traffic to be encrypted on a secure connection?
Access Rules
IPsec Rules
Firewall Rules
SDM Default Rules

21. Refer to the exhibit. A network administrator is troubleshooting a GRE VPN tunnel between R1 and R2. Assuming the R2 GRE configuration is correct and based on the running configuration of R1, what must the administrator do to fix the problem?
change the tunnel source interface to Fa0/0
change the tunnel destination to 192.168.5.1
change the tunnel IP address to 192.168.3.1
change the tunnel destination to 209.165.200.225
change the tunnel IP address to 209.165.201.1

22. How many bytes of overhead are added to each IP packet while it is transported through a GRE tunnel?
8
16
24
32

Cisco CCNA Security, chapter 9 Exam.
Questions and answers 90% correct.

1. Which three statements describe ethics in network security? (Choose three.)
principles put into action in place of laws
foundations for current laws
set of moral principles that govern civil behavior
standard that is higher than the law
set of regulations established by the judiciary system
set of legal standards that specify enforceable actions when the law is broken

2. Which component of the security policy lists specific websites, newsgroups, or bandwidth-intensive applications that are not allowed on the company network?
remote access policies
acceptable use policies
incident handling procedures
identification and authentication policies

3. What are the two components in the Cisco Security Management Suite? (Choose two.)
Cisco Intrusion Prevention
Cisco Network Admission Control
Cisco Security Agent
Cisco Security Manager
Cisco Security MARS

4. Which statement could be expected to be included in a Code of Ethics that is related to IT and network security?
Employees breaching the Code of Ethics will be prosecuted to the full extent of the law.
Application of the Code of Ethics to use of the network is at the discretion of the employee.
Employees with greater than 5 years of service can claim exemption from provisions of the Code of Ethics.
The network is to be used by employees to provide diligent and competent services to the organization.

5. Which two Cisco Threat Control and Containment technologies address endpoint security? (Choose two.)
Cisco Application Control Engine
Cisco Network Admission Control
Cisco Security Agent
Cisco Security Monitoring, Analysis, and Response System
virtual private network

6. What are three key principles of a Cisco Self-Defending Network? (Choose three.)
adaptability
authentication
collaboration
confidentiality
integration
integrity

7. Which security services, available through the Cisco Self-Defending Network, include VPN access?
secure communications
threat control and containment
operational control and policy management
application control for infrastructure

8. What three areas should be considered when designing a network security policy? (Choose three.)
remote access
network maintenance
service level agreement
network quality of service
network equipment provider
identification and authentication

9. What are the two major elements of the Cisco Secure Communications solution? (Choose two.)
secure communications for extranets
secure communications for intranets
secure communications for management
secure communications for remote access
secure communications for site-to-site connections

10. Which term describes a completely redundant backup facility, with almost identical equipment to the operational facility, that is maintained in the event of a disaster?
backup site
cold site
hot site
reserve site

11. Which three detailed documents are used by security staff for an organization to implement the security policies? (Choose three.)
asset inventory
best practices
guidelines
procedures
risk assessment
standards

12. What is a feature of an effective network security training program?
Participation in the network security training is voluntary.
Employee groups are identified and the training is customized to their needs.
All employees become trained in the design and implementation of secure networks.
Training for all employees covers the full scope of security issues related to the organization.

13. What is a design feature of a secure network life cycle management process?
Security is considered once the network is fully operational.
Security is purposefully included in every phase of the system development life cycle.
Security requirements are assessed and fully implemented in the initiation phase of the system development life cycle.
Security cost and reporting considerations are determined in the operations and maintenance phase of the system development life cycle.

14. What are the two major components of a security awareness program? (Choose two.)
awareness campaign
security policy development
security solution development
self-defending network implementation
training and education

15. Which three documents comprise the hierarchical structure of a comprehensive security policy for an organization? (Choose three.)
backup policy
server policy
incident policy
governing policy
end-user policy
technical policy

16. When an organization implements the two-person control principle, how are tasks handled?
A task requires two individuals who review and approve the work of each other.
A task is broken down into two parts, and each part is assigned to a different individual.
A task must be completed twice by two operators who must achieve the same results.
A task is rotated among individuals within a team, each completing the entire task for a specific amount of time.

17. Which network security test requires a network administrator to launch an attack within the network?
network scan
password crack
penetration test
vulnerability scan

18. Which principle of the Cisco Self-Defending Network emphasizes that security should be built in?
adapt
collaborate
integrate
simplify

19. Refer to the exhibit. When implementing the Cisco Self-Defending Network, which two technologies ensure confidentiality when referring to secure communications? (Choose two.)
Cisco NAC appliances and Cisco Security Agent
Cisco Security Manager
Cisco Security Monitoring, Analysis, and Response System
Intrusion Prevention System
IPsec VPN
SSL VPN

20. Which security document includes implementation details, usually with step-by-step instructions and graphics?
guideline document
standard document
procedure document
overview document

21. What is the primary focus of network operations security?
to design and develop secure application code
to support deployment and periodic maintenance of secure systems
to conduct regular employee background checks
to reprimand personnel who do not adhere to security policies

22. Which type of analysis uses a mathematical model that assigns a monetary figure to the value of assets, the cost of threats being realized, and the cost of security implementations?
Qualitative Risk Analysis
Quantitative Risk Analysis
Qualitative Asset Analysis
Quantitative Continuity Analysis

Cisco CCNA Security, final exam.

1. What will be disabled as a result of the no service password-recovery command?
aaa new-model global configuration command.
change to the configuration register.
password encryption service.
ability to access ROMmon.

2. What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?
All vty ports are automatically configured for SSH to provide secure management.
The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys modulus command.
The keys must be zeroized to reset secure shell before configuring other parameters.
The generated keys can be used by SSH.

3. Which action best describes a MAC address spoofing attack?
altering the MAC address of an attacking host to match that of a legitimate host.
bombarding a switch with fake source MAC addresses.
forcing the election of a rogue root bridge
flooding the LAN with excessive traffic

4. What functionality is provided by Cisco SPAN in a switched network?
It mitigates MAC address overflow attacks.
It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.
It protects the switched network from receiving BPDUs on ports that should not be receiving them.
It inspects voice protocols to ensure that SIP, SCCP, H.323, and MGCP requests conform to voice standards.
It copies traffic that passes through a switch interface and sends the data directly to a syslog or SNMP server for analysis.

5. What precaution should be considered when the no service password-recovery command has been issued on an IOS device?
The passwords in the configuration files are in clear text.
IOS recovery requires a new system flash with the IOS image.
When the password is lost, access to the device will be terminated.
The device must use simple password authentication and cannot have user authentication.

6. A network technician is configuring SNMPv3 and has set a security level of auth.
What is the effect of this setting?
Authenticates a packet using the SHA algorithm only.
Authenticates a packet by a string match of the username or community string.
Authenticates a packet by using either the HMAC with MD5 method or the SHA method.
Authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using either the DES, 3DES or AES algorithms.

7. Refer to the exhibit. Which type of VPN is implemented?
remote-access GRE VPN
remote-access IPsec VPN
remote-access SSL VPN
site-to-site GRE VPN
site-to-site IPsec VPN
site-to-site SSL VPN

8. Router(config)# ntp authenticate
Router(config)# ntp authentication-key 42 md5 aNiceKey
Router(config)# ntp trusted-key 2
Refer to the exhibit. What will be the effect of the commands that are shown on R1?
Authentication with the NTP master will be successful, and R1 will get the time from the NTP master.
Authentication with the NTP master will be successful, but R1 will not get the time from the NTP master.
Authentication with the NTP master will fail, and R1 will get the time from the NTP master.
Authentication with the NTP master will fail, and R1 will not get the time from the NTP master.

9. What login enhancement configuration command helps successive login DoS attacks?
exec-timeout
login block-for
privilege exec level
service password-encryption

10. What are access attacks?
attacks that prevent users from accessing network services
attacks that modify or corrupt traffic as that traffic travels across the network
attacks that exploit vulnerabilities to gain access to sensitive information
attacks that involve the unauthorized discovery and mapping of systems, services, and vulnerability

11. Nov 30 11:00:24 EST: %SYS-5-CONFIG-I: Configured from console by vty0 (10.64.2.2)
Refer to the exhibit. An administrator is examining the message in a syslog server. What can be determined from the message?
This is a notification message for a normal but significant condition
This is an alert message for which immediate action is needed
This is an error message for which warning conditions exist.
This is an error message indicating the system is unusable

12. Which three major subpolicies should comprise a comprehensive security policy that meets the security needs of a typical enterprise? (Choose three)
end-user policies
departmental policies
governing policies
human resource policies
organizational policies
technical policies

13. R1(config)# logging host 10.1.1.17
R1(config)# logging trap errors
R1(config)# logging source-interface loopback 0
R1(config)# logging on
Refer to the exhibit. An administrator has entered the commands that are shown on router R1. At what trap level is the logging function set?
2
3
5
6

14. Which mitigation technique can help prevent MAC table overflow attacks?
root guard
BPDU guard
storm control
switchport security

15. An organization requires that individual users be authorized to issue specific Cisco IOS commands. Which AAA protocols support this requirement?
TACACS+ because it separates authentication and authorization, allowing for more customization.
RADIUS because it supports multiple protocols, including ARA and NetBEUI.
TACACS+ because it supports extensive accounting on a per-user or per-group basis.
RADIUS because it implements authentication and authorization as one process.

16. Refer to the exhibit. Based on the IPS configuration that is provided, which statement is true?
The signatures in all categories will be retired and not be used by the IPS.
The signatures in all categories will be compiled into memory and used by the IPS.
Only the signatures in the ios_ips basic category will be compiled into memory and used by the IPS.
The signatures in the ios_ips basic category will be retired and the remaining signatures will be compiled into memory and used by the IPS.

17. Refer to the exhibit. Based on the provided configuration, which traffic will be examined by the IPS that is configured on router R1?
Traffic that is initiated from LAN 1 and LAN 2
http traffic that is initiated from LAN 1
return traffic from the web server
traffic that is destined to LAN 1 and LAN 2
no traffic will be inspected

18. Refer to the exhibit. An administrator is configuring ZPF using the SDM Basic Firewall Configuration wizard. Which command is generated after the administrator selects the Finish button?
zone security Out-zone on interface Fa0/0
zone security Out-zone on interface S0/0/0
zone member security Out-zone on interface Fa0/0
zone member security Out-zone on interface s0/0/0

19. Which two statements describe appropriate general guidelines for configuring and applying ACLs? (Choose two)
Multiple ACLs per protocol and per direction can be applied to an interface.
If an ACL contains no permit statements, all traffic is denied by default.
The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.
Standard ACLs are placed closest to the source, whereas Extended ACLs are placed closest to the destination.
If a single ACL is to be applied to multiple interfaces, it must be configured with a unique number for each interface.

20. Which three statements are characteristics of the IPsec protocol? (Choose three)
IPsec is a framework of open standards.
IPsec is implemented at Layer 4 of the OSI model.
IPsec ensures data integrity by using a hash algorithm.
IPsec uses digital certificates to guarantee confidentiality
IPsec is bound to specific encryption algorithms, such as 3DES and AES.
IPsec authenticates users and devices that communicate independently.

21. Which three additional precautions should be taken when remote access is required in addition to local access of networking devices? (Choose three)
A legal notice should not be displayed when access is obtained.
All activity to the specified ports that are required for access should be unrestricted.
All configuration activities should require the use of SSH or HTTPS.
All administrative traffic should be dedicated to the management network.
The number of failed login attempts should not be limited, but the time between attempts should.
Packet filtering should be required so that only identified administration hosts and protocols can gain access.

22. Which statement describes a factor to be considered when configuring a zone-based policy firewall?
An interface can belong to multiple zones.
The router always filters the traffic between interfaces in the same zone.
The CBAC ip inspect command can coexist with ZPF as long as it is used on interfaces that are in the same security zones.
A zone must be configured with the zone security global command before it can be used in the zone-member security command.

23. What is a result of securing the Cisco IOS image using the Cisco IOS Resilient Configuration feature?
The Cisco IOS image file is not visible in the output of the show flash command.
The Cisco IOS image is encrypted and then automatically backed up to a TFTP server.
The Cisco IOS image is encrypted and then automatically backed up to the NVRAM.
When the router boots up, the Cisco IOS image is loaded from a secure FTP location

24. What are three common examples of AAA implementation on Cisco routers? (Choose three)
Authenticating administrator access to the router console port, and vty ports
Authenticating remote users who are accessing the corporate LAN through IPsec VPN connections
Implementing public key infrastructure to authenticate and authorize IPsec VPN peers using digital certificates
Implementing command authorization with TACACS+
Securing the router by locking down all unused services
Tracking Cisco Netflow accounting statistics

25. When port security is enabled on a Cisco Catalyst switch, what is the default action when the maximum number of allowed MAC addresses is exceeded?
The violation mode for the port is set to restrict.
The MAC address table is cleared, and the new MAC address is entered into the table.
The port remains enabled, but the bandwidth is throttled until the old MAC addresses are aged out.
The port is shut down.

26. Which three statements describe the IPsec protocol framework? (Choose three)
AH uses IP protocol 51.
AH provides encryption and integrity.
AH provides integrity and authentication.
ESP uses UDP protocol 50.
ESP requires both authentication and encryption.
ESP provides encryption, authentication, and integrity.

27. Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
There is no access control to specific interfaces on a router.
The root user must be assigned to each privilege level defined.
Commands set on a higher privilege level are not available for lower privileged users
Views are required to define the CLI commands that each user can access.
Creating a user account that needs access to most but not all commands can be a tedious process
It is required that all 16 privilege levels be defined, whether they are used

28. Which Cisco IOS configuration option instructs the IPS to compile a signature category named ios_ips into memory and use it to scan traffic?

R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired false

R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false

R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# enabled true

R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# enabled true

29. Refer to the exhibit. An administrator has configured router R1 as indicated. However, SDEE messages fail to log. Which solution corrects this problem?
Issue the logging on command in global configuration.
Issue the ip ips notify sdee command in global configuration.
Issue the ip audit notify log command in global configuration.
Issue the clear ip ips sdee events command to clear the SDEE buffer.

30. Which three principles are enabled by a Cisco Self-Defending Network? (Choose three.)
adaptability
collaboration
insulation
integration
mitigation
scalability

31. What are two disadvantages of using network IPS? (Choose two.)
Network IPS has a difficult time reconstructing fragmented traffic to determine if an attack was successful.
Network IPS is incapable of examining encrypted traffic.
Network IPS is operating system-dependent and must be customized for each platform.
Network IPS is unable to provide a clear indication of the extent to which the network is being attacked.
Network IPS sensors are difficult to deploy when new networks are added.

32. Which access list statement permits HTTP traffic that is sourced from host 10.1.129.100 port 4300 and destined to host 192.168.30.10?
access-list 101 permit tcp any eq 4300
access-list 101 permit tcp 192.168.30.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.30.10 0.0.0.0 eq www
access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www
access-list 101 permit tcp host 192.168.30.10 eq 80 10.1.0.0 0.0.255.255 eq 4300

33. Which type of SDM rule is created to govern the traffic that can enter and leave the network based on protocol and port number?
NAC rule
NAT rule
IPsec rule
access rule

34. Refer to the exhibit. When configuring SSH on a router using SDM from the Configure menu, which two steps are required? (Choose two.)
Choose Additional Tasks > Router Access > SSH to generate the RSA keys.
Choose Additional Tasks > Router Access > VTY to specify SSH as the input and output protocol.
Choose Additional Tasks > Router Properties > Netflow to generate the RSA keys.
Choose Additional Tasks > Router Properties > Logging to specify SSH as the input and output protocol.
Choose Additional Tasks > Router Access > AAA to generate the RSA keys.
Choose Additional Tasks > Router Access > Management Access to specify SSH as the input and output protocol

35. Refer to the exhibit. Which two statements are correct regarding the configuration on switch S1? (Choose two.)
Port Fa0/5 storm control for broadcasts will be activated if traffic exceeds 80.1 percent of the total bandwidth.
Port Fa0/6 storm control for multicasts and broadcasts will be activated if traffic exceeds 2,000,000 packets per second.
Port Fa0/6 storm control for multicasts will be activated if traffic exceeds 2,000,000 packets per second.
Port Fa0/5 storm control for multicasts will be activated if traffic exceeds 80.1 percent of the total bandwidth.
Port Fa0/5 storm control for broadcasts and multicasts will be activated if traffic exceeds 80.1 percent of 2,000,000 packets per second.

36. Refer to the exhibit. Which three things occur if a user attempts to log in four times within 10 seconds using an incorrect password? (Choose three.)
Subsequent virtual login attempts from the user are blocked for 60 seconds.
During the quiet mode, an administrator can virtually log in from any host on network 172.16.1.0/24.
Subsequent console login attempts are blocked for 60 seconds.
A message is generated indicating the username and source IP address of the user.
During the quiet mode, an administrator can log in from host 172.16.1.2.
No user can log in virtually from any host for 60 seconds.

37. Which type of Layer 2 attack makes a host appear as the root bridge for a LAN?
LAN storm
MAC address spoofing
MAC address table overflow
STP manipulation
VLAN attack

38. What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?
All vty ports are automatically configured for SSH to provide secure management.
The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys modulus command.
The keys must be zeroized to reset secure shell before configuring other parameters.
The generated keys can be used by SSH.

39. An organization has mobile workers who use corporate-owned laptops at customer sites to view inventory and place orders. Which type of VPN allows these workers to securely access all of the client/server applications of the organization?
clientless SSL VPN
remote-access IPsec VPN
site-to-site IPsec VPN
HTTPS-enabled SSL VPN

40. Which two guidelines relate to in-band network management? (Choose two.)
Apply in-band management only to devices that must be managed on the production network.
Implement separate network segments for the production network and the management network.
Attach all network devices to the same management network.
Use IPSec, SSH, or SSL

41. Which three commands are required to configure SSH on a Cisco router? (Choose three.)
ip domain-name name in global configuration mode
transport input ssh on a vty line
no ip domain-lookup in global configuration mode
password password on a vty line
service password-encryption in global configuration mode
crypto key generate rsa in global configuration mode

42. An administrator needs to create a user account with custom access to most privileged EXEC commands. Which privilege command is used to create this custom account?
privilege exec level 0
privilege exec level 1
privilege exec level 2
privilege exec level 15

43. Refer to the exhibit. An administrator has configured a standard ACL on R1 and applied it to interface serial 0/0/0 in the outbound direction. What happens to traffic leaving interface serial 0/0/0 that does not match the configured ACL statements?
The resulting action is determined by the destination IP address.
The resulting action is determined by the destination IP address and port number.
The source IP address is checked and, if a match is not found, traffic is routed out interface serial 0/0/1.
The traffic is dropped

44. Which statement describes configuring ACLs to control Telnet traffic destined to the router itself?
The ACL must be applied to each vty line individually.
The ACL is applied to the Telnet port with the ip access-group command.
Apply the ACL to the vty lines without the in or out option required when applying ACLs to interfaces.
The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.

45. Which three statements describe SSL-based VPNs? (Choose three.)
Asymmetric algorithms are used for authentication and key exchange.
It is impossible to configure SSL and IPsec VPNs concurrently on the same router.
Special-purpose client software is required on the client machine.
Symmetric algorithms are used for bulk encryption.
The authentication process uses hashing technologies.
The application programming interface is used to extensively modify the SSL client software.
The primary restriction of SSL VPNs is that they are currently supported only in hardware.

46. Refer to the exhibit. What information can be obtained from the AAA configuration statements?
The authentication method list used for Telnet is named ACCESS.
The authentication method list used by the console port is named ACCESS.
The local database is checked first when authenticating console and Telnet access to the router.
If the TACACS+ AAA server is not available, no users can establish a Telnet session with the router.
If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database.

47. Which two Cisco IPS management and monitoring tools are examples of GUI-based, centrally managed IPS solutions? (Choose two.)
Cisco Adaptive Security Device Manager
Cisco IPS Device Manager
Cisco Router and Security Device Manager
Cisco Security Manager
Cisco Security Monitoring, Analysis, and Response System.

48. Refer to the exhibit. Which AAA function and protocol is in use in the network?
The client is authorizing commands using the TACACS+ protocol.
The client is authorizing commands using the RADIUS protocol.
The client is authenticating using the RADIUS protocol.
The client is authenticating using the TACACS+ protocol.

49. Which three OSI layers can be filtered by a stateful firewall? (Choose three.)
Layer 2
Layer 3
Layer 4
Layer 5
Layer 6
Layer 7

50. Refer to the exhibit. Based on the SDM screen shown, which two actions will the signature take if an attack is detected? (Choose two.)
Reset the TCP connection to terminate the TCP flow.
Drop the packet and all future packets from this TCP flow.
Generate an alarm message that can be sent to a syslog server.
Drop the packet and permit remaining packets from this TCP flow.
Create an ACL that denies traffic from the attacker IP address.

51. Which three switch security commands are required to enable port security on a port so that it will dynamically learn a single MAC address and disable the port if a host with any other MAC address is connected? (Choose three.)
switchport mode access
switchport mode trunk
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address mac-address

52. Which statement describes the SDM Security Audit wizard?
After the wizard identifies the vulnerabilities, the SDM One-Step Lockdown feature must be used to make all security-related configuration changes.
After the wizard identifies the vulnerabilities, it automatically makes all security-related configuration changes.
The wizard autosenses the inside trusted and outside untrusted interfaces to determine possible security problems that might exist.
The wizard is based on the Cisco IOS AutoSecure feature.
The wizard is enabled using the Intrusion Prevention task.

53. Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform?
Auditing
accounting
authorization
authentication

54. Which two protocols allow SDM to gather IPS alerts from a Cisco ISR router? (Choose two.)
FTP
HTTPS
SDEE
SSH
Syslog
TFTP

55. Refer to the exhibit. Which AAA command logs the activity of a PPP session?
aaa accounting connection start-stop group radius
aaa accounting connection start-stop group tacacs+
aaa accounting exec start-stop group radius
aaa accounting exec start-stop group tacacs+
aaa accounting network start-stop group radius
aaa accounting network start-stop group tacacs+

56. What is a feature of the TACACS+ protocol?
It combines authentication and authorization as one process.
It encrypts the entire body of the packet for more secure communications.
It utilizes UDP to provide more efficient packet transfer.
It hides passwords during transmission using PAP and sends the rest of the packet in plain text.

57. Refer to the exhibit. Which interface configuration completes the CBAC configuration on router R1?

R1(config)# interface fa0/0
R1(config-if)# ip inspect INSIDE in
R1(config-if)# ip access-group OUTBOUND in

R1(config)# interface fa0/1
R1(config-if)# ip inspect INSIDE in
R1(config-if)# ip access-group OUTBOUND in

R1(config)# interface fa0/1
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)# ip access-group INSIDE out

R1(config)# interface fa0/0
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)# ip access-group INSIDE in

R1(config)# interface fa0/1
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)# ip access-group INSIDE in

58. Refer to the exhibit. Which Cisco IOS security feature is implemented on router R2?
CBAC firewall
reflexive ACL firewall
zone-based policy firewall
AAA access control firewall

59. Which Cisco IOS privileged EXEC command can be used to verify that the Cisco IOS image and configuration files have been properly backed up and secured?
Router# dir
Router# show archive
Router# show secure bootset
Router# show flash

60. Which device supports the use of SPAN to enable monitoring of malicious activity?
Cisco NAC
Cisco IronPort
Cisco Security Agent
Cisco Catalyst switch

61. Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.)
An interface can be assigned to multiple security zones.
Interfaces can be assigned to a zone before the zone is created.
Pass, inspect, and drop options can only be applied between two zones.
If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone.
To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.

62. Refer to the exhibit. Based on the SDM screen shown, which two conclusions can be drawn about the IKE policy being configured? (Choose two.)
It will use digital certificates for authentication.
It will use a predefined key for authentication.
It will use a very strong encryption algorithm.
It will be the default policy with the highest priority.

63. The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?
authentication
confidentiality
Diffie-Hellman
integrity
nonrepudiation

64. Which statement describes the operation of the IKE protocol?
It uses IPsec to establish the key exchange process.
It uses sophisticated hashing algorithms to transmit keys directly across a network.
It calculates shared keys based on the exchange of a series of data packets.
It uses TCP port 50 to exchange IKE information between the security gateways.

65. Which three types of views are available when configuring the Role-Based CLI Access feature? (Choose three.)
superuser view
root view
superview
CLI view
admin view
config view

66. Which statement describes a MAC address table overflow attack?
An attacker alters the MAC address in a frame to match the address of a target host.
Frames flood the LAN, creating excessive traffic and degrading network performance.
The attacking host broadcasts STP configuration and topology change BPDUs to force spanning-tree recalculations.
A software tool floods a switch with frames containing randomly generated source and destination MAC and IP addresses.

67. When configuring a class map for zone-based policy firewall, how are the match criteria applied when using the match-all parameter?
Traffic must match all of the match criteria specified in the statement.
Traffic must match the first criteria in the statement.
Traffic must match at least one of the match criteria statements.
Traffic must match according to an exclusive disjunction criteria.

68. Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
There is no access control to specific interfaces on a router.
The root user must be assigned to each privilege level defined.
Commands set on a higher privilege level are not available for lower privileged users.
Views are required to define the CLI commands that each user can access.
Creating a user account that needs access to most but not all commands can be a tedious process.
It is required that all 16 privilege levels be defined, whether they are used or not.

69. What is an important difference between network-based and host-based intrusion prevention?
Host-based IPS is more scalable than network-based IPS.
Host-based IPS can work in promiscuous mode or inline mode.
Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.
Network-based IPS provides better protection against OS kernel-level attacks on hosts and servers.
Network-based IPS can provide protection to hosts without the need of installing specialized software on each one.

70. Refer to the exhibit. Based on the output from the show secure bootset command on router R1, which three conclusions can be drawn regarding Cisco IOS Resilience? (Choose three.)
A copy of the Cisco IOS image file has been made.
A copy of the router configuration file has been made.
The Cisco IOS image file is hidden and cannot be copied, modified, or deleted.
The Cisco IOS image filename will be listed when the show flash command is issued on R1.
The copy tftp flash command was issued on R1.
The secure boot-config command was issued on R1.

71. Which element of the Cisco Threat Control and Containment solution defends against attempts to attack servers by exploiting application and operating system vulnerabilities?
threat control for email
threat control for endpoints
threat control for infrastructure
threat control for systems

72. Refer to the exhibit. Based on the SDM NTP Server Details screen, which two conclusions can be drawn from the information entered and check boxes checked? (Choose two.)
NTPv1 is being configured.
The IP address of the NTP server is 10.1.1.2.
The IP address of the NTP client is 10.1.1.2.
NTP messages will be sent and received on interface Serial0/0/0 for this router.
NTP routing updates will be sent and received on interface Serial0/0/0 of the NTP server.

73. Which two statements match a type of attack with an appropriate example? (Choose two.)
To conduct an access attack, an attacker uses L0phtCrack to obtain a Windows server password.
To conduct an access attack, an attacker uses Wireshark to capture interesting network traffic.
To conduct a reconnaissance attack, an attacker initiates a ping of death attack to a targeted server.
To conduct a DoS attack, an attacker uses handler systems and zombies to obtain a Windows server password.
To conduct a DoS attack, an attacker initiates a smurf attack by sending a large number of ICMP requests to directed broadcast addresses.
To conduct a reconnaissance attack, an attacker creates a TCP SYN flood causing the server to spawn many half-open connections and become unresponsive.

74. The use of which two options are required for IPsec operation? (Choose two.)
AH protocols for encryption and authentication
Diffie-Hellman to establish a shared-secret key
IKE to negotiate the SA
PKI for pre-shared-key authentication
SHA for encryption

75. Which three security services are provided by digital signatures? (Choose three.)
authenticates the source
authenticates the destination
guarantees data has not changed in transit
provides nonrepudiation of transactions
provides nonrepudiation using HMAC functions
provides confidentiality of digitally signed data

76. Which three statements should be considered when applying ACLs to a Cisco router? (Choose three.)
Place generic ACL entries at the top of the ACL.
Place more specific ACL entries at the top of the ACL.
Router-generated packets pass through ACLs on the router without filtering.
ACLs always search for the most specific entry before taking any filtering action.
A maximum of three IP access lists can be assigned to an interface per direction (in or out).
An access list applied to any interface without a configured ACL allows all traffic to pass.

77. Which consideration is important when implementing syslog in a network?
Enable the highest level of syslog available to ensure logging of all possible event messages.
Log all messages to the system buffer so that they can be displayed when accessing the router.
Synchronize clocks on all network devices with a protocol such as Network Time Protocol.
Use SSH to access syslog information.