
Author: Bill Buchanan. Work Schedule Author: Bill Buchanan

E-Security
CO73046 Network Security

Prof. Bill Buchanan
Contact: [email protected]
Room: C.63
Telephone: X2759
MSN Messenger: [email protected]
WWW: http://www.dcs.napier.ac.uk/~bill
http://buchananweb.co.uk

Work Schedule

| Week | Date | Academic | Assessment | Lab/Tutorial |
|------|------|----------|------------|--------------|
| 1 | 4 Feb | 1: Introduction; 2: Security Fundamentals | | |
| 2 | 11 Feb | 3: IDS | | Lab 1: Packet Capture; Lab 2: Packet Capture (Filter) |
| 3 | 18 Feb | 4: Encryption | | Lab 3: Packet Capture (IDS); Lab 4: Packet Capture (ARP) |
| 4 | 25 Feb | 5: Authentication (Part 1) | | Lab 5: IDS Snort 1 |
| 5 | 3 Mar | 5: Authentication (Part 2) | | Lab 6: IDS Snort 2 |
| 6 | 10 Mar | 6: Software Security | | Lab 7: Private-key encryption |
| 7 | 17 Mar | 7: Network Security; 8: Secure Protocols | | Lab 8: Public-key encryption |
| 8 | 7 Apr | | MCQ Test [40%] Friday, 11 Apr 2008 | |
| 9 | 14 Apr | Security Specialisation (.NET Security or Network Security) | | |
| 10 | 21 Apr | Security Specialisation (.NET Security or Network Security) | | Specialisation Lab |
| 11 | 28 Apr | Security Specialisation (.NET Security or Network Security) | | Specialisation Lab |
| 12 | 5 May | Security Specialisation (.NET Security or Network Security) | C/W hand-in (IDS) [50%]; MCQ Test [10%] | |

• Academic Element: On-line test: 40%
• .NET Security: On-line test: 10%
• Cisco Academy NS 1: On-line test: 10%
• Coursework: Agent-based IDS: Web-CT submission: 50%

[Figure labels: Week 1-8; Week 8-13; MCQ Test; Web-CT submission; On-line test]

PIX Certification Questions

• The Cisco Secure PIX Firewall Advanced exam (CSPFA 642-521) is one of the exams associated with the Cisco Certified Security Professional and the Cisco Firewall Specialist certifications. Candidates can prepare for this exam by taking the CSPFA v3.2 course. This exam includes simulations and tests a candidate's knowledge and ability to describe, configure, verify and manage the PIX Firewall product family. CCNA or CCDA recertification candidates who pass the 642-521 CSPFA exam will be considered recertified at the CCNA or CCDA level.

1. What is CA?

A. Configured applications B. Cisco authentication C. Certificate authority D. Command approval

2. How many interfaces does the PIX 506 support?

A. 4 B. 2 C. 6 D. 3

3. How do you change the activation key on the PIX?

A. Reset the PIX B. With the checksum command C. Copy a PIX image to the flash D. The activation key cannot be changed

4. When configuring ACL to identify traffic that requires encryption, two entries are needed. One for inbound traffic and one for outbound traffic.

A. True B. False

5. What is different about the PIX privileged access mode as opposed to the privileged access mode of a Cisco IOS router?

A. The "?" command does not work on the PIX B. No difference C. Each configuration command is automatically saved to flash D. The ability to view the running configuration from the configuration mode

7. What are some application layer protocols that CBAC can inspect? (choose all that apply)

A. TFTP B. TCP C. SMTP D. UDP E. HTTP F. FTP

8. What two commands are needed for inbound access? (choose two)

A. Static B. Access-list C. PAT D. NAT

9. In CBAC, what is a state table?

A. A table containing access-list information B. A table containing information about the state of CBAC C. A table containing information about the state of the packet's connection D. A table containing routing information

10. What is required for stateful failover on the PIX 515? (choose all that apply)

A. Unrestricted software license B. Cisco failover cable C. Cisco IOS failover feature set D. 2 Ethernet interfaces interconnected

11. What is the purpose of a syslog server?

A. To host websites B. To collect system messages C. To maintain current backup configurations D. To maintain URL filtering information

12. Default "fixup protocol" commands cannot be disabled.

A. True B. False

13. What command deletes all authentication proxy entries?

A. Clear ip authentication-proxy cache B. Clear ip authentication-proxy cache all C. Clear ip authentication-proxy cache D. Clear authentication-proxy all entries

14. At what frequency does the PIX send hello packets to the failover unit?

A. 15 seconds B. 60 seconds C. 6 seconds D. 20 seconds

15. In AAA, what does the method keyword "local" mean?

A. That the AAA server is local B. Deny if login request is local C. Use the local database for authentication D. Authenticate if login request is local

16. What three types of entries does the PAM table provide? (choose 3)

A. User defined B. Internet specific C. Host specific D. System defined.

17. During IPSec security associations negotiation, if there are multiple transform sets, which one is used?

A. It does not matter B. The first common one C. The first one D. The last one

18. CBAC inspection can only be configured in one direction.

A. False B. True

19. How do you identify a syslog server on the PIX?

A. logging host 10.1.1.1 B. TFTP server 10.1.1.1 C. syslog-server 10.1.1.1 D. syslog server 10.1.1.1

20. In CBAC, where are dynamic access entries added?

A. A new access-list is configured for each access entry B. At the beginning of the access-list C. A separate access-list is created for access entries D. At the end of the access-list

21. You establish an IPSec tunnel with a remote peer. You verify by viewing the security associations. You view the security associations two days later and find they are not there. What is the problem?

A. This would not happen B. You have used an incorrect command to view the security associations C. Your PIX is not powered up. D. No traffic was identified to be encrypted.

22. What is the purpose of the "route 0 0" command?

A. To configure a static route B. To enable routing on the PIX C. To configure a default route D. To route between 2 interfaces

23. What does DDOS stand for?

A. Distributed denial of service B. Dedicated Department of Security C. Dead, Denied, Out of Service D. Demand denial of service

24. In CBAC, how are half-open sessions measured?

A. Both TCP & UDP half-open sessions are calculated B. Only UDP half-open sessions are calculated C. CBAC does not calculate half-open sessions D. Only TCP half-open sessions are calculated

25. AAA stands for authentication, authorization, &______________.

A. application B. accounting C. access control D. authenticity

26. A transform set is a combination of ________ _______ & ____________. (choose all that apply)

A. access-list B. crypto maps C. security protocols D. algorithms

27. At what layer of the OSI model does IPSec provide security?

A. 4 B. 7 C. 8 D. 3

28. What is the purpose of the "clear access-list" command?

A. Remove an access-list from an interface B. To clear all access-lists from the PIX C. To clear all access-list counters D. Invalid command

29. What are the two licenses supported on the PIX515?

A. Unrestricted B. Limited C. Restricted D. Unlimited

30. How are transform sets selected in manually established security associations?

A. Transform sets are not used in manually established security associations B. Manually established security associations only have one transform set C. The first transform set is always used D. The first common transform set is used

31. Access-lists are supported with Radius authorization.

A. True B. False

32. How do you view active NAT translations?

A. show nat-translations B. show ip-nat translations C. show xlate D. show translations

33. What does IKE Extended authentication provide?

A. Authentication of multiple IPSec peers B. Auto-negotiation of IPSec security associations C. User authentication using Radius/TACACS+

34. What are two purposes of NAT? (choose 2)

A. To build routing tables B. To expedite packet inspection C. To connect two separate interfaces D. To conserve non-RFC1918 addresses E. To hide internal servers' and workstations' real IP addresses from the Internet

35. Only one IPSec tunnel can exist between two peers.

A. False B. True

36. How many hello packets must be missed before the failover unit will become active?

A. 2 B. 3 C. 1 D. 5

37. What are the two transport layer protocols? (choose 2)

A. TCP B. IP C. ICMP D. UDP

38. How do you configure a PAT address?

A. Nat (Outside) 1 1.1.1.1 1.1.1.1 255.255.255.255 B. IP PAT (Outside) 1 1.1.1.1 255.255.255.255 C. PAT (Outside) 1 1.1.1.1 255.255.255.255 D. Global (Outside) 1 1.1.1.1 1.1.1.1 255.255.255.255

39. How many interfaces does the PIX 515R support?

A. 3 B. 4 C. 2 D. 6

40. What are some advantages of using the PIX firewall over other firewalls such as Microsoft Proxy? (choose all that apply)

A. No security problems from running on top of other operating systems B. PIX firewall is plug and play, no configuration required C. PIX inspects on lower layer protocols D. PIX does stateful packet inspections E. One box solution

41. You decide you need more interfaces for your PIX 515 and you already have the unrestricted license installed. The PIX firewall only shipped with 2 Ethernet interfaces. You install a new Ethernet interface that you ordered from Cisco. After you power the PIX on, you assign an IP address to the interface and configure a NAT & global statement for the new network. But users on the new network are unable to browse the Internet. What else do you need to do?

A. Enable the new interface in the configuration B. Add the "conduit permit any any" statement to your configuration C. Nothing. The problem is probably with the clients' workstations, not the PIX. D. Add the Cisco client proxy software to each workstation on the new network.

42. What two concepts are included in data authentication? (choose all that apply)

A. Anti replay B. Data origin authentication C. Data integrity. D. Data confidentiality

43. What is the layer-4 difference between Radius and TACACS+?

A. Radius uses TCP & TACACS+ uses UDP B. Radius uses UDP & TACACS+ uses TCP C. TACACS+ uses FTP & Radius uses TFTP D. There is no layer-4 difference between Radius & TACACS+

44. "Logging timestamp" specifies that syslog messages sent to the syslog server should have a time stamp value on each message.

A. True B. False

45. What does the "crypto access-list" command accomplish?

A. There is no such access list B. They block non-encrypted traffic C. They identify crypto map statements D. Identifies which traffic is to be encrypted

46. What is the purpose of the outbound access-list for a CBAC solution?

A. To block all traffic, CBAC will then inspect the traffic and allow legitimate traffic out B. Packets you want inspected by CBAC C. There is no need for an outbound access-list in a CBAC solution D. To identify legitimate inbound traffic from the Internet

47. How do you delete the following PAM entry? IP port-map http port 81

A. clear IP port-map http port 81 B. This is a system-defined entry and cannot be deleted C. no IP port-map http port 81 D. delete IP port-map http port 81

48. What is the first step in configuring IPSec without CA?

A. Crypto B. ISAKMP C. IKE D. IPSEC

49. In what version of IOS was the "ip port-map" command introduced?

A. 13.(1) B. 12.1 C. 11.0(1) D. 12.05(t)

50. What is the purpose of the "fixup protocol" commands?

A. To identify what protocols are permitted through the PIX B. Change PIX firewall application protocol feature C. To identify what protocols are to be blocked by the PIX D. To map a protocol to a TCP or UDP port

51. Without stateful failover, how are active connections handled?

A. Connections are maintained between the PIX and the failover unit B. Dropped C. UDP connections are maintained D. TCP connections are maintained

52. How many default routes can be assigned to the PIX firewall?

A. 1 per network B. 1. C. As many as required D. 1 per interface E. 1 for the primary PIX and 1 for the standby PIX

53. You have a PIX firewall and you are only given one public IP address from your ISP to use on the PIX. You do not have any type of servers that need to be accessed from the Internet. What is a valid quick solution to your problem?

A. Get a new ISP B. PAT C. Request additional IP addresses from your ISP D. NAT

54. What three purposes does the failover cable serve? (choose all that apply)

A. Power status of the other unit B. Communication link C. Unit identification of both units D. Stateful information

55. To which PIX interface(s) do you apply the crypto map statements?

A. To the outside interface B. To the inside interface C. To any interfaces that IPSec packets will traverse D. All PIX interfaces

56. What is the purpose of authentication proxy?

A. Proxy of user logins B. To enable AAA C. Policies on per user basis D. For user accounting

57. You are required to have two crypto access-lists for IPSec. One is to identify outbound traffic to be encrypted, and the other is to identify inbound traffic that should be encrypted.

A. False B. True

58. PAT is not supported with the "fixup protocol rtsp" command.

A. True B. False


59. How do you configure a pool of public IP addresses?

A. Global command B. Pool command C. NAT command. D. Static command


60. What is the purpose of the "logging trap" command?

A. Enables syslog traps B. This is not a valid PIX command C. Sends logs to a host named trap D. Enables SMTP traps


61. The inbound access-list or conduit statements must include permit statements for all IPSec traffic.

A. False B. True


62. What is one difference between conduit statements and access-list?

A. Conduit statements can only contain permit statements B. Conduit statements list the destination address before the source address and access- C. Conduit statements do not contain the implicit deny any at the end D. Access-list cannot be applied to the interfaces of the PIX


63. How do you configure a Web sense server on the PIX?

A. server 10.1.1.1 B. websense-server 10.1.1.1 C. url-server 10.1.1.1 D. websense 10.1.1.1


64. How many hosts will PAT support?

A. 1024 B. unlimited C. 64000 D. 1


65. When configuring a security association in IPSec, the global lifetime default (the time when the security association is renegotiated) is 28,800 seconds.

A. True B. False


66. What is the goal of a DDOS attack?

A. To use the network to attack another network B. To steal vital information C. To take control of the network D. To stop the network from working


67. What is required for stateful failover? (choose all that apply)

A. FDDI interface B. 1 interface interconnected C. PIX failover cable. D. 3 interfaces interconnected


68. What does ACS stand for?

A. Another Cisco Server B. Authentication, Control, Secure C. Access Control Server D. Access, Control, Security


69. With the PIX Firewall, you can configure:

A. Separate groups of TACACS+ or RADIUS servers for specifying different types of B. None of the above. PIX does not support TACACS+ or RADIUS. C. Only TACACS+ for inbound & outbound connections D. Only RADIUS for inbound & outbound connections


70. What command applies CBAC to an interface?

A. router# ip inspect NAME in interface outside B. router(conf)#ip inspect NAME in C. router(conf-if)#ip inspect NAME in D. router(conf)#ip inspect NAME out


71. In CBAC, where does the router get the state table information?

A. By inspecting the packet B. From a PIX firewall C. From routing tables D. Configured by administrator


72. For which three protocols does the PIX provide credential prompts, with the proper configuration of an AAA server? (choose 3)

A. HTTP B. TFTP C. FTP D. HTTPS E. Telnet F. SSL


73. What command is required to save the configuration to a remote device?

A. radius-server B. Copy C. Save D. write


74. Authentication proxy only works with TACACS+.

A. False B. True


75. What is a dynamic crypto map?

A. There is no such thing as a dynamic crypto map B. When the PIX gets the entire crypto map configuration from a CA C. A crypto map created solely by the PIX upon negotiation with an IPSec peer D. A crypto map without all the parameters configured


76. What command displays the authentication proxy configuration?

A. Show version proxy-authentication B. Show proxy-authentication C. Show all proxy-authentication D. Show ip proxy-authentication


77. What is a false-positive alarm?

A. Alarms that do not reach their intended destination B. Legitimate alarms that are not triggered C. Alarms caused by legitimate traffic D. Alarms that an administrator ignores


78. What is data confidentiality?

A. IPSec receiver can detect & reject replayed packets B. Receiver authenticates packets to ensure no alterations have been made C. Packets are encrypted before they are transmitted across a network D. Receiver can authenticate source of IPSec packets


79. You can configure conduit statements on a PIX Firewall, but not access-list.

A. False B. True


80. How is inbound access controlled? (choose all that apply)

A. Global B. Access-list C. Static D. NAT


81. How is outbound access enabled? (choose all that apply)

A. Global B. Static C. NAT D. Access-list


82. In CBAC, how are dynamic access-list entries saved?

A. They are not saved B. Write memory C. Write tftp D. Save access-list


83. The PIX is a single point of failure and has no solution for redundancy. Cisco is working on a solution for this right now.

A. True B. False


84. A crypto map statement can contain multiple access-lists.

A. False B. True


85. How do you apply conduit statements to the outside interface?

A. With the use of the conduit-outside statement B. With the use of the conduit-group statement C. No configuration required D. Conduit statements cannot be applied to the outside interface


86. What does the "clear filter" command accomplish?

A. Clears all filter counters displayed by the show filters command B. Resets all filters to their original state C. Invalid PIX command D. Removes all filters from the PIX configuration


87. What two commands are needed for outbound access? (choose 2)

A. PAT B. Access list C. NAT D. Global


88. How does CBAC handle ICMP?

A. Only ICMP echo packets are inspected B. All ICMP traffic is inspected by CBAC C. ICMP traffic is not inspected by CBAC D. ICMP traffic is denied by CBAC


89. What two commands enable viewing the url filtering information? (choose 2)

A. show url-cache stats B. show url-filtering C. show filter-url D. show perfmon


90. What are the two types of global timeouts for IPSec on the PIX? (choose 2)

A. bandwidth B. uptime C. number of PPTP connections D. time


91. What command is utilized to upgrade the IOS version of the PIX?

A. Copy tftp flash B. Copy flash tftp C. Write tftp flash D. Save tftp flash


92. What is the command to assign an IP address to an interface?

A. nameif inside IP address 10.1.1.1 255.255.255.0 B. ip address inside 10.1.1.1 255.255.255.0 C. inside address 10.1.1.1 255.255.255.0 D. inside ip address 10.1.1.1 255.255.255.0


93. How do you reset a security association with an IPSec peer?

A. Clear ipsec sa <peer name> B. Disconnect the PIX from the network C. Delete security-association D. You must delete all IPSec configurations and reconfigure


94. How is URL filtering accomplished?

A. With a Web sense server B. With a Cisco IDS C. With a PIX failover unit D. URL filtering is not supported


95. What is the default time-out for authentication proxy?

A. 60 seconds B. 6 minutes C. 60 minutes D. 360 seconds


96. What traffic is identified in the inbound access-list on a CBAC router?

A. Permitting traffic to be inspected by CBAC B. FTP C. Denying traffic to be inspected by CBAC D. HTTP


97. How do you map a port to a specific host?

A. You cannot map to a specific host B. IP port-map http port 81 host 10.1.1.1 C. An access-list permitting the host is required D. IP port-map http port 81 10.1.1.1


98. What command displays all security associations?

A. show ipsec security-associations B. show ipsec security-associations C. show ip security-associations D. show ipsec security-associations all


99. When do you need an access-list applied inbound to the inside interface?

A. When you want to block all outbound traffic B. When you want to control the outbound traffic C. Access-list cannot be applied to the inside interface D. When you want to control inbound public traffic


100. What does CBAC stand for?

A. Control Based on Access list B. Cisco Based Accounting Control. C. Context Based Access Control D. Cisco Based Access Control


101. How does the PIX initiate new IPSec security associations using dynamic crypto maps?

A. By sending its public key to the remote peer B. By sending an IKE key to the remote peer C. By sending security association request to the remote peer D. The PIX cannot initiate an IPSec sa using dynamic crypto maps


102. What is the purpose of a Web sense server?

A. To host our website B. It is a syslog server for the PIX C. URL filtering D. To monitor the state of your Internet connection


103. How are outbound UDP sessions handled?

A. A connection state is maintained on the PIX. B. All UDP traffic is permitted inbound unless blocked with an access-list C. The PIX does not recognize UDP sessions D. All UDP traffic is blocked outbound unless permitted with an access-list


104. How does a user receive a login screen through authentication proxy?

A. Clicking on the authentication proxy icon on the desktop B. They do not, as authentication proxy uses their NT login C. By opening an Internet browser D. From a command prompt


105. What command enables AAA on a Cisco router?

A. aaa radius B. aaa enable C. enable aaa D. aaa new-model


106. What does the "conduit" command do?

A. Nothing, the conduit is not a valid command on the PIX B. Enables the conduit interface on the PIX. C. Permits/denies traffic if the specified conditions are met. D. Maps a local address to a global address.


107. What are the two ways security associations can be established? (choose 2)

A. Manual B. CRYPTO C. ISAKMP D. IKE.


108. How do you determine the amount of memory and flash installed in the PIX?

A. show flash B. show dram C. show version D. show memory


109. What is the purpose of PAM?

A. To identify users via port mapping B. To create address pools for NAT C. There is no such feature D. To customize TCP & UDP port numbers


110. Which interfaces does the PIX send "hello" packets out of for failover?

A. Only interfaces directly connected to each other B. Inside C. All including the failover cable D. None, just over the failover cable


111. What is the purpose of the xlate command?

A. To configure translations B. To configure PIX global timeouts C. Xlate is not a valid command D. To view and clear translations


112. How do you clear the logging buffer?

A. clear buffer B. delete log C. clear logging D. delete log


113. What command saves the CA settings & policies?

A. ca save all B. save ca C. Write memory D. They cannot be saved


114. How is the configuration maintained between the primary PIX and the standby unit?

A. Standby is configured and configuration is replicated to primary B. Primary is configured and configuration is replicated to standby C. Both must be configured separately D. The standby does not maintain a current configuration until failover occurs


115. How does CBAC allow traffic through the router?

A. All traffic is blocked by the router B. Traffic must be permitted in the pre-configured access-list C. All traffic is allowed through D. Using access-list entries


116. In the following command, what does the keyword "http" represent?

Ip port-map http port 81

A. It identifies the table for the port-mapping to reference B. Nothing, the command is invalid C. it identifies the application name D. it redirects all http traffic from port 80


117. What is the purpose of the "nameif" command?

A. To shutdown an interface on the PIX B. To enable an interface on the PIX C. The nameif is not a valid PIX command. D. To assign a security level and name to an interface.


118. How do you view the running configuration?

A. write terminal B. show running-configuration C. show all-configuration D. show configuration


119. What platforms support CBAC? (choose all that apply)

A. PIX 515 B. 1600 C. PIX 506 D. 2500


120. By default what are the two interface names on the PIX Firewall? (choose 2)

A. Ethernet B. DMZ C. Serial D. 100Mb E. Inside F. Outside


121. What command clears the IPSec security associations?

A. clear ipsec sa B. clear security-associations C. clear ipsec D. clear sa


122. How does activex blocking affect activex traffic to servers identified by an alias command?

A. Allows activex traffic to the server B. Inspects the activex applet from the servers C. Does not block activex traffic from the server D. Blocks all activex traffic from the server

Test 1

Author: Prof Bill Buchanan

1. In which type of attack does the potential intruder attempt to discover and map out systems, services, and vulnerabilities?

A stake out

B reconnaissance

C tapping

D sniffing

2. Which type of attack prevents a user from accessing the targeted file server?

A Reconnaissance attack

B Denial of service attack

C Prevention of entry attack

D Disruption of structure attack

3. Which type of action does the "ping sweep" pose to an organization?

A eavesdropping

B reconnaissance

C denial of service

D unauthorized access

4. An employee of ABC Company receives an e-mail from a co-worker with an attachment. The employee opens the attachment and receives a call from the network administrator a few minutes later, stating that the employee's machine has been attacked and is sending SMTP messages. Which category of attack is this?

A denial of service

B trojan horse

C port scanning

D password attack

E social engineering

5. What is a major characteristic of a Worm?

A malicious software that copies itself into other executable programs

B tricks users into running the infected software

C a set of computer instructions that lies dormant until triggered by a specific event

D exploits vulnerabilities with the intent of propagating itself across a network

6. A large investment firm has been attacked by a worm. In which order should the network support team perform the steps to mitigate the attack?

A. inoculation

B. treatment

C. containment

D. quarantine

A C,A,D,B

B A,B,C,D

C A,C,B,D

D D,A,C,B

E C,B,A,D

7. At XYZ Company, the policy for network use requires that employees log in to a Windows domain controller when they power on their work computers. Although XYZ does not implement all possible security measures, outgoing traffic is filtered using a firewall. Which security model is the company using?

A open access

B closed access

C hybrid access

D restrictive access

8. Which three of these are common causes of persistent vulnerabilities in networks? (Choose three.)

A new exploits in existing software

B misconfigured hardware or software

C poor network design

D changes in the TCP/IP protocol

E changes in the core routers on the Internet

F end-user carelessness

9. A new network administrator is assigned the task of conducting a risk assessment of the company's network. The administrator immediately conducts a vulnerability assessment. Which important task should the administrator have completed first?

A threat identification

B security level application

C patch and update deployment

D asset identification

E perimeter security upgrade

10. A company deployed a web server on the company DMZ to provide external web services. While reviewing firewall log files, the administrator discovered that a connection was made to the internal e-mail server from the web server in the DMZ. After reviewing the e-mail server logs, the administrator discovered that an unauthorized account was created. What type of attack was successfully carried out?

A phishing

B port redirection

C trust exploitation

D man-in-the-middle

11. Users are unable to access a company server. The system logs show that the server is operating slowly because it is receiving a high level of fake requests for service. Which type of attack is occurring?

A reconnaissance

B access

C DoS

D worms, viruses, and Trojan horses

12. Which two are examples of Distributed Denial of Service attacks? (Choose two.)

A SYN Flood

B Stacheldraht

C Ping of Death

D Smurf

E WinNuke

F Targa.c

13. Which two of these are examples of DDoS network attacks? (Choose two.)

A smurf attack

B Tribe Flood Network (TFN)

C teardrop.c

D man-in-the-middle attack

E port redirection

F social engineering

14. Which Cisco tool can be used to convert Cisco PIX Security Appliance conduit statements to equivalent access-list statements?

A Cisco AutoSecure

B Output Interpreter

C Cisco Router Audit Tool

D Microsoft Baseline Security Analyzer

E PIX Outbound/Conduit Conversion Tool

15. Which tool is used to test security by rapidly performing a port scan of a single host or a range of hosts?

A Cisco Router Audit Tool (RAT)

B Microsoft Baseline Security Analyzer

C Network Mapper (Nmap)

D Cisco AutoSecure

16. Which two are technological weaknesses that can lead to a breach in an organization's security? (Choose two.)

A software compatibility weakness

B DHCP security weakness

C TCP/IP protocol weakness

D operating system weakness

E LDAP weakness

Test 2

Author: Prof Bill Buchanan

1 What is the effect of applying this command to a Cisco router?

router(config)# no service finger

A UNIX commands are disabled on the router.

B All TCP/IP services are disabled.

C PING usage is disabled.

D Users logged into the router remotely will not be able to see if other users are logged into the router.

2 Why does SSH provide better security than Telnet?

A SSH compresses data while Telnet does not compress data.

B SSH encrypts data with private key while Telnet uses public key.

C SSH encrypts data while Telnet uses clear text in transmitting data.

D SSH encrypts data with public key while Telnet uses hashing algorithm.

3 The network administrator of company XYZ likes to secure routers by disabling the password recovery procedure for anyone who gains physical access to the router. Which command would be used to achieve this goal?

A router(config)# no rommon-mode

B router(config)# no password-recovery

C router(config)# no service password-recovery

D router(config)# no rommon-password recovery

4 A partial router configuration is shown in the graphic. The network administrator adds the following command at the router prompt.

router(config)# security passwords min-length 10

Which of the following is correct?

A The current password will continue to be used as a valid password until changed.

B No password is required.

C The current password is invalid and will not allow a login.

D A password that is at least ten characters long must immediately be implemented for a successful login.

version 12.3
hostname router
line con 0
line aux 0
line vty 0 4
 login
 password cisco

5 Which two steps are necessary to ensure that your HIDS and HIPS do not miss any exploits? (Choose two.)

A upgrade the HIDS and HIPS software as new versions are released

B perform periodic vulnerability assessment

C monitor alerts and logs

D update signatures on a regular basis

E ensure that all security patches are loaded on the host machine

6 The Security Wheel promotes a continuous process to retest and reapply updated security measures. What is the core or “hub” component of the Security Wheel?

A testing policy

B monitor

C improve

D security policy

7 After providing for all operational requirements of the network, the network support team has determined that the servers should be hardened against security threats so that the network can operate at full potential. At which stage of the network life cycle does server hardening occur?

A planning

B design

C implementation

D operation

E optimization

8 What are three major functions performed by the security management subsystem, CiscoWorks VMS? (Choose three.)

A to manage access control lists for Cisco PIX Security Appliances

B to enforce access control policies between two processes running on a server

C to capture and analyze network traffic, and respond to network intrusions

D to identify sensitive network resources

E to respond to first-stage denial of service network attacks

F to monitor and log access to network resources

9 A network administrator has just completed security training and has decided to change from HIDS to HIPS to protect hosts. Which of these would be a major advantage gained from the change?

A HIPS does not require host-based client software.

B HIPS would prevent the need to update signature files as often.

C HIPS would be able to prevent intrusions.

D HIPS would consume fewer system resources.

10 A network administrator installs a new stateful firewall. Which type of security solution is this?

A secure connectivity

B threat defense

C policy enforcement

D trust and identity

E authentication

11 XYZ Company recently adopted software for installation on critical servers that will detect malicious attacks as they occur. In addition, the software will stop the execution of the attacks and send an alarm to the network administrator. Which technology does this software utilize?

A host-based intrusion detection

B host-based intrusion protection

C host-based intrusion prevention

D host-based intrusion notification

12 A security team is charged with hardening network devices. What must be accomplished first before deciding how to configure security on any device?

A Audit all relevant network devices.

B Document all router configurations.

C Create or update security policies.

D Complete a vulnerability assessment.

13 On a Monday morning, network engineers notice that the log files on the central server are larger than normal. Examining the log reveals that the majority of the entries are from sensors deployed on the perimeter of the network. The logs reveal that a worm attack was successfully stopped by the perimeter devices. Based on this information, which of these technologies is this company using?

A NIDS using passive technology

B HIPS using passive technology

C NIDS using active technology

D HIDS using passive technology

E HIPS using active technology

14 Which two objectives must a security policy accomplish? (Choose two.)

A provide a checklist for the installation of secure servers

B describe how the firewall must be configured

C document the resources to be protected

D identify the security objectives of the organization

E identify the specific tasks involved in hardening a router

15 Which router command will result in the router only accepting passwords of 16 characters or more?

A service password-encryption

B enable secret min-length 16

C security passwords min-length 16

D security passwords max-length 16

16 Which command will encrypt all passwords in the router configuration file?

A enable secret

B password encrypt all

C enable password-encryption

D service password-encryption

E no clear-text password

17 MD5 can be used for authenticating routing protocol updates for which three protocols? (Choose three.)

A RIPv1

B RIPv2

C IGRP

D EIGRP

E BGP

18 Which configuration will allow an administrator to access the console port using a password of password?

A router(config)# line aux 0
  router(config-line)# login
  router(config-line)# password password

B router(config)# line console 0
  router(config-line)# login
  router(config-line)# password password

C router(config)# line console 0
  router(config-line)# password password

D router(config)# line console 0
  router(config-line)# access
  router(config-line)# password password

E router(config)# line vty 0
  router(config-line)# password password

F router(config)# line vty 0
  router(config-line)# access
  router(config-line)# password password

19 Which command sets the inactivity timer, for a particular line or group of lines, to four minutes and fifteen seconds?

A router(config)# line-timeout 4 15

B router(config-line)# line-timeout 4 15

C router(config-line)# exec-timeout 255

D router(config-line)# timeout 255

E router(config-line)# exec-timeout 4 15

F router(config-line)# line-timeout 255


20 Which encryption type uses the MD5 hash algorithm?

A Type 0

B Type 1

C Type 5

D Type 7


21 Real-time intrusion detection occurs at which stage of the Security Wheel?

A securing stage

B monitoring stage

C testing stage

D improvement stage

E reconnaissance stage


22 Which privilege level has the most access to the Cisco IOS?

A level 0

B level 1

C level 7

D level 15

E level 16

F level 20


1 Which algorithm implements stateful connection control through the PIX Security Appliance?

A Network Address Translation

B Algorithm Access Control

C Security Algorithm Adaptive

D Security Algorithm

E Spanning Tree Protocol Algorithm


2 Once the SDM startup wizard has been completed for the first time, which two are required on a host PC for connection to the Cisco router via HTTP or HTTPS using SDM? (Choose two.)

A IP address from 10.10.10.2 to 10.10.10.254

B IP address from 10.0.0.2 to 10.0.0.254

C IP address from 10.10.10.1 to 10.10.10.254

D SSL capability

E Java and JavaScript enabled on the browser

F VPN connection


3 The Cisco Security Device Manager (SDM) allows administrators to securely configure supported routers by using which security protocol in Microsoft Internet Explorer?

A IPSec

B SSL

C SSH

D L2TP

E PPTP


4 The network administrator for a small technology firm needs to implement security on the network. The administrator needs a PIX Security Appliance that will handle three Ethernet interfaces. Which PIX model would be the best choice for the company?

A 506E

B 515E

C 525

D 535


5 What is the maximum number of licensed users supported by the Cisco 501 Security Appliance?

A 25

B 100

C 250

D 1000

E 2500

F unlimited


6 A network administrator has received a Cisco PIX Security Appliance from another division within the company. The existing configuration has IP addresses that will cause problems on the network. What command sequence will successfully clear all the existing IP addresses and configure a new IP address on ethernet0?

A pix1(config)# clear ip all
pix1(config)# interface ethernet0
pix1(config-if)# ip address 192.168.1.2

B pix1(config)# clear ip
pix1(config)# interface ethernet0
pix1(config-if)# ip address 192.168.1.2 255.255.255.0

C pix1(config)# no ip address
pix1(config)# interface ethernet0
pix1(config-if)# ip address 192.168.1.2 255.255.255.0

D pix1(config)# clear ip
pix1(config)# interface ethernet0
pix1(config-if)# ip address 192.168.1.2 0.0.0.255


7 A network team is configuring a Cisco PIX Security Appliance for NAT so that local addresses are translated. The team is creating a global address pool using a subnet of network 192.168.5.0 with a 27-bit mask. What is the proper syntax to set up this global address pool?

A pix1(config)# global (inside) 1 192.168.5.33-192.168.5.62

B pix1(config)# global (outside) 1 192.168.5.33-192.168.5.62

C pix1(config)# global (inside) 1 192.168.5.65-192.168.5.95

D pix1(config)# global (outside) 1 192.168.5.65-192.168.5.95

E pix1(config)# global (inside) 1 192.168.5.64-192.168.5.127

F pix1(config)# global (outside) 1 192.168.5.65-192.168.5.127


8 Which command displays the value of the activation key?

A write net

B show version

C show terminal

D show configure


9 A network administrator has configured an access control list on the Cisco PIX Security Appliance that allows inside hosts to ping outside hosts for troubleshooting. Which debug command can be used to troubleshoot if pings between hosts are not successful?

A debug icmp inside outside

B debug ping

C debug icmp trace

D debug trace icmp


10 Which protocol provides time synchronization?

A STP

B TSP

C NTP

D SMTP

E L2TP


11 Which command would configure a PIX Security Appliance to send syslog messages from its inside interface to a syslog server with the IP address of 10.0.0.3?

A pixfirewall(config)# syslog inside 10.0.0.3

B pixfirewall(config)# logging inside 10.0.0.3

C pixfirewall(config)# syslog host inside 10.0.0.3

D pixfirewall(config)# logging host inside 10.0.0.3


12 The configuration in the graphic has been entered into a PIX Security Appliance with three interfaces. The interfaces are inside, outside, and DMZ. What source address range will the traffic from inside devices use when they access devices in the DMZ?

A 10.0.0.1 to 10.0.0.254

B 172.16.0.20 to 172.16.0.254

C 172.16.0.1 to 172.16.0.254

D 192.168.0.20 to 192.168.0.254

E 10.0.0.1 to 10.255.255.254


13 What source IP address will the traffic from devices in the 10.0.2.0 network have when they leave the trusted network?

A 192.168.0.8 always

B 192.168.0.9 always

C 192.168.0.8 if ports are available, or 192.168.0.9 if 192.168.0.8's ports are exhausted

D 192.168.0.9 if ports are available, or 192.168.0.8 if 192.168.0.9's ports are exhausted


14 The commands in the graphic have been entered into a PIX Security Appliance. Which two statements are accurate descriptions of what will happen to outgoing traffic when it leaves the trusted network? (Choose two.)

A The source IP address will be from a pool of addresses in the 192.168.0.3 to 192.168.0.254 range.

B The source port will be a random port above port 1023.

C The source IP address will be 192.168.0.2 for all outgoing traffic.

D The source port will be port 1024.

E The source IP address will be in the range 10.0.0.1 to 10.0.255.254.


15 Which three are requested by the Cisco PIX Security Appliance setup dialog? (Choose three.)

A domain name

B outside IP address

C inside IP address

D hostname

E date and time


16 Interface Ethernet3 on a PIX Security Appliance has been configured with three subinterfaces to pass tagged traffic from three different VLANs. What protocol will be used to tag the VLAN traffic?

A ISL

B 802.1x

C VTP

D 802.1q


17 Which two commands will configure a static default route on the PIX Security Appliance in the network shown in the graphic? (Choose two.)

A route inside outside 0.0.0.0 0.0.0.0 172.16.0.2 1

B route outside 0.0.0.0 0.0.0.0 172.16.0.2 1

C ip route inside outside 0 0 192.168.0.2 1

D route outside 0 0 172.16.0.2 1

E ip route inside outside 0 0 172.16.0.2 1

F route outside 0 0 192.168.0.2 1


18 Which command will produce output, similar to that shown in the graphic, to verify the installation of a FWSM on a router?

A show port

B show module

C show firewall

D show interface


Test 4


1 How are transactions between a RADIUS client and a RADIUS server authenticated?

A by using a shared secret which is never sent over the network

B by hashing the secret using MD5 and then sending it over the network

C by hashing the secret using MD4 and then sending it over the network

D by using a clear-text password and then sending it over the network


2 The S/KEY system involves three main components. There is a client and a host. What is the third component?

A a plain text password

B a password calculator

C a public and private key

D biometric authentication

Client, host, password calculator


3 RADIUS uses which transport layer protocol?

A IP

B TCP

C UDP

D ICMP

E DLC


4 Which authentication method is susceptible to playback attacks?

A passwords using S/KEY

B passwords using token card

C passwords requiring periodic change

D passwords using one-time password technology


5 Which authentication method sends passwords over the network in clear text yet protects against eavesdropping and password cracking attacks?

A authentication with FTP

B authentication with Telnet

C authentication with S/KEY

D authentication in POP3 e-mail


6 After a security audit, network managers realized that the authentication method used by their telecommuting employees needed to be improved. They set up a server and installed client software on the employee laptops of their remote users. They also provided a device for each remote user that generated a password every time they needed to make a remote network connection. Which authentication technology does this process describe?

A authentication with S/KEY

B authentication with token card

C authentication with encrypted password

D authentication with compressed password


7 What function does a digital certificate offer to information security?

A authorization

B accounting

C nonrepudiation

D intrusion prevention


8 Bookline Inc., an online bookstore, recently installed a web server running Microsoft Windows 2003 Server. Where should the company obtain a digital signature for the web server in order to assure customers that they are connecting to Bookline's server and not an impersonating web server?

A a digital signature generated by the CA in Microsoft's corporate headquarters

B a digital signature generated by the CA from a trusted third party

C a digital signature generated by the CA from a government agency

D a digital signature generated by any CA that establishes a secure connection


9 A large law firm wishes to secure dialup access to its corporate network for employees working at home. Since much of the data to be transmitted is highly confidential, the firm requires a high level of encryption and also prefers that each component of AAA be provided separately. Which security protocol best meets these requirements?

A TACACS

B XTACACS

C TACACS+

D RADIUS


10 Which two statements are true of Cisco Identity Based Networking Services (IBNS)? (Choose two.)

A Cisco IBNS uses Cisco-proprietary protocols.

B Cisco IBNS is a standards-based solution.

C Cisco IBNS associates users with physical ports.

D Cisco IBNS associates policies with physical ports.

E Cisco IBNS associates policies with users.


11 The administration manager has decided to implement Network Admission Control (NAC) on the corporate network. The Cisco Trust Agent software and NAC-compliant routers and switches have been installed. Which two additional NAC components are required to implement the NAC solution? (Choose two.)

A access control policy server

B TACACS+ server

C NAC cosponsor application server

D VPN systems

E remote access server

F posture validation management system


12 What are three reasons TACACS+ is preferred over RADIUS for authentication services? (Choose three.)

A RADIUS has limited name space for attributes.

B RADIUS is not an industry supported standard.

C TACACS+ encrypts the entire TACACS+ packet.

D TACACS+ authentication is included with more recent Windows Server versions.

E TACACS+ separates authentication and authorization.

F RADIUS uses TCP as a transport protocol creating additional overhead.


13 A static username/password authentication method is susceptible to which three types of attacks? (Choose three.)

A playback

B theft

C teardrop

D syn flood

E eavesdropping


14 Company security policy requires the use of a centralized AAA server for network access authentication. Which two protocols are supported by the AAA server? (Choose two.)

A IPSec

B SSL

C RADIUS

D TACACS+

E SSH


15 Which three are functions of AAA? (Choose three.)

A accounting

B availability

C authentication

D architecture

E authorization

F accessibility


16 A network administrator wishes to use port-level authentication technology to determine network access and assign IP addresses from different DHCP pools to authenticated and unauthenticated users. What standardized framework supports this objective?

A IEEE 802.1x

B IEEE 802.11af

C IEEE 802.1q

D IEEE 802.1p


Test 5


1 What will be the result of executing the command in the graphic?

A The default login method will use TACACS+ only.

B TACACS+ accounting will be enabled at login.

C The enable password will be used if a TACACS+ server is not available.

D The default TACACS+ user shell will be enabled.


2 A network administrator is setting up a computer to run Cisco Secure ACS to support a Cisco VPN 3000 concentrator. Which protocol does the administrator need to enable on CSACS?

A MD5

B HMAC

C RADIUS

D TACACS+

E IEEE 802.1X


3 Which AAA service reduces IT operating costs by providing detailed reporting and monitoring of network user behavior, and also by keeping a record of every access connection and device configuration change across the network?

A authentication

B accreditation

C accounting

D authorization


4 Cisco Secure ACS can use a number of databases for username and password authentication. Which three databases does Cisco Secure ACS support? (Choose three.)

A Windows 2000 server user database

B NDS database

C Windows 2000 server authentication database

D Microsoft Access database

E Cisco Secure ACS user database


5 After Cisco Secure ACS is implemented, users report that they are restricted from accessing the network. The Cisco Secure ACS switches and routers are communicating properly. What is the first step for troubleshooting the problem?

A Execute debug commands on the router.

B Check the available logs in CSACS Reports and Activity for abnormalities.

C Verify that the administrator has an account allowing remote access to the CSACS.

D Verify that the CSACS user database is enabled.


6 What tool should you use to add a single user account to the Cisco Secure ACS for Windows user database?

A database replication

B Unknown User Policy

C RDBMS Synchronization

D Cisco Secure ACS HTML interface


7 Which two actions are available when using the Cisco Secure ACS database replication features? (Choose two.)

A update of configuration items from a late release to an earlier release of Cisco Secure ACS

B bidirectional database replication between a primary and a secondary Cisco Secure ACS

C scheduled replication of part of the database from a primary to a secondary Cisco Secure ACS

D export of configuration items from a primary to a secondary Cisco Secure ACS


8 Refer to the exhibit. Which two services can the network access server use to direct requests from the remote user to the Cisco Secure ACS authentication service? (Choose two.)

A CSAuth

B CSUtil

C RADIUS

D RDBMS

E TACACS+


9

RTA(config)# tacacs-server key 2bor!2b@?
RTA(config)# tacacs-server host 10.1.2.4
RTA(config)# tacacs-server host 10.1.2.5

What will be the effect of these commands on router RTA?

A The TACACS+ server is now authenticating for the hosts 10.1.2.4 and 10.1.2.5.

B The TACACS+ server key has been exported to the hosts 10.1.2.4 and 10.1.2.5.

C The TACACS+ servers 10.1.2.4 and 10.1.2.5 and the router have been set to share the same authentication key.

D The TACACS+ servers are 10.1.2.4 and 10.1.2.5 and the configuration adds router RTA as a third TACACS+ server


10

RTA(config)# aaa new-model
RTA(config)# aaa authentication login default group tacacs+ enable

After entering the configuration shown, the administrator loses the connection to the router before having the chance to create a new TACACS+ account. What is the easiest way for the administrator to regain administrative access to router RTA?

A Connect to the router, and use the default TACACS+ username and password.

B Erase NVRAM, and redo the configuration from scratch.

C Connect to the router, and supply the enable password.

D Perform a password recovery procedure on the router.


11 Which two user databases does Cisco Secure ACS for Windows use to authenticate users? (Choose two.)

A external user database with appropriate API

B RADIUS user database

C TACACS+ user database

D Windows 2000 Server user database

E Windows XP user database


12 An information technology organization uses Cisco Secure ACS for Windows Server version 3.2. The system administrators want to provide a method for users to change their own passwords without intervention from the IT organization. What is required to allow users to change passwords with a web-based utility?

A Enable UCP on Windows 2000 Server.

B Configure a Microsoft IIS 4.0 or later.

C Enable UCP on Cisco Secure ACS for Windows.

D Configure IIS logging with the user Secure ACS password.


13 Which tool is used to set up CSACS for Windows Server after the initial installation is completed?

A web browser

B telnet session

C command line interface on the Windows server

D router configured as an AAA client


14 Which basic user-network security protocol is supported by Cisco Secure ACS and requires a single log in by users?

A CHAP

B IPSec

C RADIUS

D PAP


15 In the Cisco Secure ACS Windows architecture CSRadius provides communication between RADIUS AAA clients and which service?

A CSAdmin

B CSAuth

C CSLog

D CSMon


16 There are five ways to create user accounts in the Cisco Secure ACS for Windows 2000 Servers. Which two support importing user accounts from external sources? (Choose two.)

A Cisco Secure ACS HTML interface

B Unknown User Policy

C RDBMS Synchronization

D CSUtil.exe

E Database Replication


Test 6


1 Which command associates the group MYGROUP with the AAA server using the TACACS+ protocol?

A Pixfirewall(config)# aaa-server MYGROUP tacacs+ protocol

B Pixfirewall(config)# aaa-server protocol tacacs+ MYGROUP

C Pixfirewall(config)# aaa-server tacacs+ protocol MYGROUP

D Pixfirewall(config)# aaa-server MYGROUP protocol tacacs+


2 Which configuration command defines the association of initiating HTTP protocol traffic with an authentication proxy name MYPROXY?

A Router(config)# ip auth-proxy MYPROXY http

B Router(config)# auth-proxy MYPROXY ip http

C Router(config)# ip auth-proxy name MYPROXY http

D Router(config)# auth-proxy name MYPROXY ip http


3 With the following configuration command, how long does the PIX Security Appliance try to access the AAA server 10.0.1.10 before choosing the next AAA server if there is no response from 10.0.1.10?

aaa-server MYTACACS (inside) host 10.0.1.10 secretkey

A 12 seconds

B 15 seconds

C 20 seconds

D 30 seconds


4 Which command will enable AAA services on a router?

A Router(config)# aaa enable

B Router(config)# aaa new-model

C Router(config)# aaa set enable

D Router(config)# aaa new-model enable


5 What is the default timeout in minutes for the inactivity-timer parameter of the ip auth-proxy command?

A 15

B 30

C 45

D 60

E 90


6 The network administrator configured the aaa authorization command below on the PIX Security Appliance. What is the effect of this command?

pix(config)# aaa authorization include tcp/22 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 auth1

A FTP traffic from outside is subject to authorization by the AAA server.

B SSH traffic from outside is subject to authorization by the AAA server.

C HTTP traffic from outside is subject to authorization by the AAA server.

D SMTP traffic from outside is subject to authorization by the AAA server.


7 Which type of authentication is being used when authentication is required via the PIX Security Appliance before direct traffic flow is allowed between users and the company web server?

A access authentication

B console access authentication

C cut-through proxy authentication

D tunnel access authentication


8 What will be the effect in the router after these configuration commands are entered?

Router(config)# ip auth-proxy name aprule http
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule

A An authentication proxy rule called aprule is created making all authentication proxy services available only through the ethernet0 interface.

B An authentication proxy rule called aprule has been created for the HTTP protocol and is associated with the ethernet0 interface.

C An authentication proxy rule called aprule has been created for all protocols except the HTTP protocol and is associated with the ethernet0 interface.

D An authentication proxy rule called aprule has been created for the HTTP server running internally to the router and is associated with anyone attempting to access the web server from the ethernet0 interface.


9 When Cisco IOS Firewall authentication proxy is enabled, a user sends HTTP traffic which will trigger the authentication proxy. What is the first action taken by the proxy?

A The user will be asked to supply a valid username and password.

B The TACACS+ server will be contacted to see if the user is a valid user.

C The authentication proxy will check to see if the user has already been authenticated.

D If the authentication proxy has no user account for the user, it will check to see if a default guest user has been defined.


10 A TACACS+ server is configured to provide authentication, authorization, and accounting. The IP address of the server is 192.168.50.1, and the AAA authentication encryption key is S3crtK3y. Which command sequence will configure a Cisco router to communicate with the TACACS+ server?

A Router(config)# aaa new-model
Router(config)# aaa authentication default group tacacs+
Router(config)# aaa authorization auth-proxy default group tacacs+
Router(config)# aaa tacacs-server host 192.168.50.1
Router(config)# aaa tacacs-server key S3crtK3y

B Router(config)# aaa enable
Router(config)# aaa authentication default group tacacs+
Router(config)# aaa authorization auth-proxy default group tacacs+
Router(config)# tacacs-server host 192.168.50.1
Router(config)# tacacs-server key S3crtK3y

C Router(config)# aaa enable
Router(config)# aaa authentication login default group tacacs+
Router(config)# aaa authorization auth-proxy default group tacacs+
Router(config)# aaa tacacs-server host 192.168.50.1
Router(config)# aaa tacacs-server key S3crtK3y

D Router(config)# aaa new-model
Router(config)# aaa authentication login default group tacacs+
Router(config)# aaa authorization auth-proxy default group tacacs+
Router(config)# tacacs-server host 192.168.50.1
Router(config)# tacacs-server key S3crtK3y


11 The lead network administrator notices that unknown users have made router configuration changes. These changes are adversely affecting the network. Which command can be entered on the router to help identify future configuration changes and who made these changes?

A aaa accounting

B show uauth

C aaa accounting console

D aaa accounting match


12 Refer to the exhibit. Since ABC, Inc. is strengthening security, a PIX Security Appliance firewall must be configured with AAA services. Accounting should be provided for all FTP and HTTP traffic from any host to the WWW server at 192.168.2.10.

Which command sequence would successfully process the desired traffic to the NY_ACS accounting server?

A pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
  pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http
  pixfirewall(config)# aaa accounting match 110 outside NY_ACS

B pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
  pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http
  pixfirewall(config)# aaa accounting access-list 110 outside 10.0.0.2

C pixfirewall(config)# access-list 110 permit tcp any host 10.0.0.2 eq ftp
  pixfirewall(config)# access-list 110 permit tcp any host 10.0.0.2 eq http
  pixfirewall(config)# aaa accounting match 110 outside NY_ACS

D pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
  pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http
  pixfirewall(config)# aaa accounting match 110 outside 10.0.0.2


13 Which command displays the current authenticated users, the host IP to which they are bound, and any cached IP and port authorization information on a Cisco PIX Security Appliance configured for AAA?

A pixfirewall(config)# show aaa all

B pixfirewall(config)# show uauth

C pixfirewall(config)# show aaa statistics

D pixfirewall(config)# show aaa-server


14 Which two are functions of accounting on the PIX Security Appliance? (Choose two.)

A to track user activities on the PIX.

B to control administration of the PIX.

C to control user access to the PIX.

D to create records that are stored on a designated AAA server.

E to build and maintain tunnel sessions with the PIX.


15 Refer to the exhibit. An administrator enters the following configuration to collect accounting statistics for all HTTP traffic to the web server through a PIX Security Appliance.

fwl(config)# access-list 110 permit tcp any host 192.168.0.2 eq www
fwl(config)# aaa accounting match 110 outside Web_Server

The statistics are to be logged to an accounting server as shown in the exhibit. However, after starting the accounting, no data is being logged to the NY_ACS server.

What changes to the configuration must the administrator make to correct the problem?

A Change “192.168.0.2” to “10.0.0.2” in the access-list configuration line.

B Change “host 192.168.0.2” to “any” in the access-list configuration line.

C Change “Web_Server” to “NY_ACS” in the aaa-accounting configuration line.

D Change “outside” to “inside” in the aaa-accounting configuration line.


16 A user has initiated an HTTP session through a firewall and has been authenticated by an authentication proxy. They have not generated any traffic in a while and the idle timer has expired for that user. What will the user have to do to allow them to go through the firewall again?

A The user can manually restart the idle timer.

B The user can simply TFTP their user profile to the proxy.

C The user must wait two minutes before initiating another session.

D The user can re-authenticate and initiate another HTTP session through the firewall.


Test 7


1 IEEE 802.1x can be used to authenticate users for wireless access to network resources. Which protocol has Cisco incorporated into its Wireless Security Suite to provide mutual authentication between the client and the authentication server?

A CHAP

B EAP

C PAP

D WEP


2 Which two sections of Cisco Secure ACS can be used to configure RADIUS profiles? (Choose two.)

A Interface Setup

B Server Setup

C Group Setup

D Network Setup

E User Setup


3 A network team has been tasked to develop a Cisco Secure ACS solution for port-based authentication. The network operation center for all three regions is located at Region 1. What is the best solution to ensure availability to a Cisco Secure ACS for port-based authentication?

A Install a centralized primary and secondary authentication server at Region 1, which Region 2 and 3 will use for authentication.

B Install a primary authentication server at each region and use one of the authentication servers from another region for redundancy.

C Install a primary authentication server at Region 1 for Region 2 and 3 to authenticate, and install a secondary authentication server at Region 2 and 3 for redundancy.

D Install a primary authentication server at each region and a secondary authentication server at Region 1 for the network operation center clients only.


4 Port-based authentication is implemented as shown in the graphic. What protocol will be required for the client-to-switch connection and the switch-to-Cisco Secure ACS communications?

A ISL; RADIUS

B 802.1x; RADIUS

C 802.1q; TACACS+

D L2TP; TACACS+


5 In configuring 802.1x authentication method with the aaa authentication dot1x command, at least one of which two possible options must be entered to create a default list when a named list is not specified on a Catalyst switch? (Choose two.)

A group tacacs+

B group radius

C local

D none


6 A network administrator wants to configure a Catalyst switch to use a RADIUS server at 172.16.23.31 or a backup RADIUS server at 172.16.23.32 if the first server is unavailable. The administrator wants to use the default RADIUS UDP port and a shared key of Rad4Me. Which configuration will accomplish this goal?

A Switch(config)# radius-server auth-port 1812 key Rad4Me host 172.16.23.31
  Switch(config)# radius-server auth-port 1812 key Rad4Me host 172.16.23.32

B Switch(config)# radius-server host 172.16.23.31 auth-port 1812 key Rad4Me
  Switch(config)# radius-server host 172.16.23.32 auth-port 1812 key Rad4Me

C Switch(config)# radius-server host 172.16.23.31 172.16.23.32 key Rad4Me auth-port 1812

D Switch(config)# radius-server host 172.16.23.31 key Rad4Me auth-port 1812
  Switch(config)# radius-server host 172.16.23.32 key Rad4Me auth-port 1812


7 The dot1x port-control auto interface configuration command has been configured on the Catalyst 2950 shown in the graphic. What is the effect of this command when the link between the switch and the end user becomes active?

A The end user initiates authentication by sending an EAPOL-start frame once it receives an EAP request from the switch.

B The authentication server initiates authentication after being notified that the link is active.

C The switch initiates authentication with the end user.

D The switch automatically places the connected port in an authorized state.


8 Refer to the graphic. A small company purchased a Cisco Aironet access point to provide wireless connectivity to staff members. Since other companies in the office complex use wireless, the network support staff wants to be certain that only authorized users access the company network through the new access point. For simplicity, they also want a protocol that is used by Aironet wireless access points, requires no certificates, and supports mutual authentication using the logon password for each user. Which protocol should be used?

A EAP-MD5

B EAP-TLS

C LEAP

D PEAP


9 What are three characteristics of PEAP? (Choose three.)

A authored by Cisco Systems, Microsoft, and RSA Security

B relies on a shared secret for authentication

C requires digital certificates for authentication of servers and users

D supports mutual authentication

E transports authentication messages through an encrypted tunnel

F uses a one-way hash of passwords


10 If an administrator attempts to configure a switch with 802.1x port-based authentication, which three port types will display an error message? (Choose three.)

A static access ports

B trunk ports

C dynamic ports

D ports on the same VLAN

E secure ports

F ports on different VLANs


11 Refer to the graphic. During 802.1x port-based authentication, each frame exchanged between the end user and the Catalyst 2950 is encapsulated with a frame header. For what protocol are these frames encapsulated?

A Ethernet

B RADIUS

C EAP

D PPP

E IP


12 Which three conclusions can be made based on the configuration below? (Choose three.)

Switch# configure terminal
Switch(config)# interface fastethernet0/12
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x re-authentication
Switch(config-if)# dot1x timeout re-authperiod 180

A Users connected to the switch will need to be reauthenticated after three hours.

B Users connected to the switch will need to be reauthenticated after three minutes.

C The switch has been configured for 802.1x authentication.

D Port 12 of the switch is not a trunk port.

E Port 12 of the switch is not a static port.

F Port 12 of the switch is a dynamic-access port.


Test 8


1 Which command will turn off CBAC alert messages to the console?

A router(config)# ip inspect alert-off

B router(config)# no ip inspect alert

C router(config)# no ip inspect alert-off

D router(config)# ip inspect alert log-only


2 The timeout value in the ip inspect name command is configured in which units?

A seconds

B milliseconds

C microseconds

D minutes


3 What does CBAC look for when inspecting TCP sequence numbers?

A CBAC uses the sequence numbers to defragment the full packet.

B CBAC checks that the sequence numbers are within an expected range.

C CBAC rejects packets that arrive at an unusually high sequence rate.

D CBAC matches the source sequence numbers to the destination sequence numbers.


4 Which statement is correct concerning CBAC inspection rules?

A Alert, audit-trail, and timeout are configurable per protocol and override corresponding global settings.

B Alert, audit-trail, and timeout are only globally configurable.

C Alert, audit-trail, and timeout are not configurable globally.

D Alert, audit-trail, and timeout are configurable only for TCP.


5 Which statement is true concerning CBAC and fragmentation inspection rules?

A An inspection rule instructing the router to fragment packets should always be utilized.

B A fragmentation rule forces fragments to be buffered until the corresponding initial fragment is received.

C A fragmentation rule forces non-initial fragments to be discarded unless the initial fragment was allowed to pass.

D A fragmentation rule should not be used on exterior gateways.


6 A network administrator needs to configure the router to redirect incoming HTTP requests to a web server at port 8020. Which command should be used?

A Router(config)# ip port-map http eq 8020

B Router(config)# ip port-map http port 8020

C Router(config)# ip port-map port 8020 http

D Router(config)# ip port-map port 8020 eq http


7 The IT department has decided to offer web and FTP services using TCP port 8000. The web server IP address is 192.168.3.4 and the FTP server IP address is 192.168.5.6. What commands are required to configure the perimeter router to redirect the web and FTP traffic?

A Router(config)# access-list 10 permit 192.168.5.6
  Router(config)# access-list 20 permit 192.168.3.4
  Router(config)# ip port-map http port 8000 list 10
  Router(config)# ip port-map ftp port 8000 list 20

B Router(config)# access-list 10 permit 192.168.3.4
  Router(config)# access-list 20 permit 192.168.5.6
  Router(config)# ip port-map ftp port 8000 list 10
  Router(config)# ip port-map http port 8000 list 20

C Router(config)# access-list 10 permit 192.168.3.4
  Router(config)# access-list 20 permit 192.168.5.6
  Router(config)# ip port-map http port 8000 list 10
  Router(config)# ip port-map ftp port 8000 list 20

D Router(config)# access-list 10 permit 192.168.3.4
  Router(config)# access-list 20 permit 192.168.5.6
  Router(config)# ip port-map http list 10 port 8000
  Router(config)# ip port-map ftp list 20 port 8000


8 The graphic shows a client opening a Telnet session to a remote host. Which ACL entry will be created by CBAC to allow traffic to return to complete a successful Telnet connection?

A access-list 110 permit udp host 10.0.0.5 eq 23 host 192.168.2.50 eq 2447

B access-list 110 permit tcp host 10.0.0.5 eq 23 host 192.168.2.50 eq 2447

C access-list 110 permit tcp host 192.168.2.50 eq 23 host 10.0.0.5 eq 2447

D access-list 110 permit tcp host 10.0.0.5 eq 2447 host 192.168.2.50 eq 23


9 CBAC is configured on the router shown in the graphic, the statement shown in the graphic is included in access control list 101, and the access control list is applied to interface s0/0 as shown. Single-channel TCP inspection is not included in the CBAC inspection rule. What will happen if the workstation tries to send a Telnet packet to the Internet?

A The packet will be forwarded by the router as soon as it matches the ACL statement.

B The packet will be dropped by the router when no match is found in CBAC.

C The packet will be forwarded by the router, but return Telnet traffic will not be allowed.

D The packet will be forwarded after CBAC inspection determines that Telnet is an allowed protocol.


10 Which filtering technology maintains complete connection information for each TCP or UDP connection and logs the information in a session flow table?

A packet filtering

B stateful filtering

C ACL directional filtering

D URL filtering


11 Which filtering technology is often effective but can be circumvented using packet fragmentation?

A packet filtering

B stateful filtering

C URL filtering

D ACL directional filtering


12 What is the result of the command shown below?

Router(config)# ip inspect name tester icmp alert on audit-trail on timeout 30

A inspects ICMP traffic and sends any alert and audit messages to the log file on tester

B inspects IP traffic and sends an ICMP alert and audit message to tester if an outgoing IP packet is not acknowledged within 30 seconds

C inspects ICMP traffic and maintains state information on common types of ICMP traffic

D inspects ICMP traffic and maintains state information according to the tester rule set


13 Refer to the graphic. If the complete CBAC configuration on CorpFW is correctly entered, which two statements describe the outcome of the completed configuration? (Choose two.)

A CBAC will delete all half-open connections necessary to accommodate new connections after 300 users have accessed the servers within the last six minutes.

B CBAC will delete all half-open connections necessary to accommodate new connections after 150 users have accessed the FTP servers within the last six minutes.

C CBAC will delete all half-open connections necessary to accommodate new connections after more than 300 users have half-open attempts to reach the corporate web server within the last minute.

D CBAC will delete all half-open connections necessary to accommodate new connections after 150 users have accessed the network within the last minute.

E CBAC will stop deleting half-open connections after fewer than 150 users have accessed the network within the last minute.


14 Which two configurations will protect the FTP server in the DMZ from DoS attacks? (Choose two.)

A CorpFW(config)# max-incomplete host 142.22.2.10
  CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time 0

B CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time 0
  CorpFW(config)# ip inspect name Protect ftp timeout 3600

C CorpFW(config)# interface FastEthernet 0/0
  CorpFW(config-if)# max incomplete host 142.22.2.10

D CorpFW(config)# ip inspect max-incomplete high 400
  CorpFW(config)# ip inspect max-incomplete low 200

E CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time 0
  CorpFW(config)# ip inspect udp max-incomplete host 60 block-time 0


15 The administrator has two goals. First, the administrator plans to use CBAC to block encapsulated Java applets from IP address 172.16.16.1. Then, the administrator plans to use CBAC to block DoS attacks such as the ping-of-death from the external network. Which goals are accomplished when the three commands below are entered?

router(config)# ip access-list 1 deny 172.16.16.1 0.0.0.0
router(config)# ip inspect name FWALL http java-list 1 timeout 120
router(config)# ip inspect name FWALL icmp timeout 50

A The first goal is not accomplished because CBAC cannot block encapsulated Java applets. The second goal is accomplished.

B The first goal is not accomplished because a subnet mask, not a wild card mask, must be used. The second goal is accomplished.

C The first goal is accomplished. The second goal is not accomplished because CBAC provides limited stateful inspection for ICMP.

D Both goals are accomplished.


16 Which two are types of port mapping supported by PAM? (Choose two.)

A host

B reverse

C dynamic

D DNS

E subnet-specific


17 What is the effect after these two commands are configured on a router?

router(config)# ip inspect max-incomplete high 300
router(config)# ip inspect max-incomplete low 100

A When the combination of half-open TCP and UDP sessions reaches 300, CBAC begins deleting them. When the number falls to 100, CBAC stops deleting them.

B When the number of half-open sessions per minute reaches 300, CBAC begins deleting them. When the number falls to 100 per minute, CBAC stops deleting them.

C When the number of half-open sessions reaches 100, CBAC begins deleting them. When the number of cleared sessions equals 300, CBAC stops deleting them.

D When the number of half-open TCP sessions reaches 300, CBAC begins deleting them. When the number falls to 100, CBAC stops deleting them.


18 What is indicated if two endpoints in a connection receive reset packets from CBAC?

A A session has ended by CBAC's proxy fin method.

B A DoS attack has been halted by CBAC's threshold method.

C Sequence checking has occurred using CBAC's state table method.

D Spoofing has been prevented using CBAC's session checking method.


19 What happens when the following commands are executed?

router(config)# no ip inspect udp idle-time 45
router(config)# ip inspect dns-timeout 10

A The router will not manage any inactive UDP connections.

B The only UDP connections that the router will manage are DNS connections.

C The router proxies DNS requests and manages them for 10 seconds.

D The router will manage UDP connections for 30 seconds and DNS connections for 10.


Test 9


1 Which three statements describe the use of ACLs on a Cisco PIX Security Appliance? (Choose three.)

A ACLs are used to restrict outbound traffic flowing from a lower to a higher security level interface.

B ACLs are used to restrict outbound traffic flowing from a higher to a lower security level interface.

C If no ACL is attached to an interface, inbound traffic is permitted by default unless explicitly denied.

D If no ACL is attached to an interface, outbound traffic is permitted by default unless explicitly denied.

E Cisco PIX Security Appliance ACLs use a wildcard mask like Cisco IOS ACLs.

F Cisco PIX Security Appliance ACLs use a regular subnet mask unlike Cisco IOS ACLs.


2 The Cisco PIX Security Appliance allows the use of network, protocol, service and ICMP-type object grouping with ACLs. Which statement describes the service object group?

A It is used to group client hosts, server hosts, or subnets.

B It is used to group protocols, such as IP, TCP, and UDP.

C It is used to group TCP or UDP port numbers.

D It is used to group ICMP message types.


3 Which three channels are used by RTSP applications in standard RTP mode? (Choose three.)

A master control channel

B RTP data channel

C TCP control channel

D RDT data channel

E RTP resend channel

F RTCP reports


4 What is the effect when the command shown in the graphic is configured on a Cisco PIX Security Appliance?

A ActiveX objects are allowed to local host 192.168.2.5 only.

B ActiveX objects are sent to a filtering server at 192.168.2.5.

C ActiveX objects are blocked on all inbound connections to local host 192.168.2.5.

D ActiveX objects are blocked from local host 192.168.2.5 to all outbound connections.


5 A network administrator is considering a URL-filtering application server to work with the Cisco PIX Security Appliance running OS version 6.2. Which application would support the filtering of URL strings longer than 1159 bytes?

A N2H2

B Websense

C either Websense or N2H2

D any URL-based filtering application


6 What is the function of the service-policy command within the Modular Policy Framework?

A defines a set of services set by policies

B enables a set of policies on an interface

C identifies traffic flows according to services

D groups a set of policies according to services


7 Which two commands are used to deny a specific SNMP version and then enable SNMP application inspection on a Cisco PIX Security Appliance? (Choose two.)

A snmp-map

B snmp inspect

C inspect snmp

D inspect snmp-map

E snmp-map inspect


8 The Cisco PIX Security Appliance with software version 6.2 or higher has eliminated the need for the alias command when configuring NAT translation of IP addresses imbedded in DNS messages. Which two commands can now support NAT translation of DNS messages, so that the alias command is no longer required? (Choose two.)

A dns-route

B nat

C route-map

D static

E dns


9 A network administrator configured a Cisco PIX Security Appliance to limit connections to the application server at 192.168.10.5. Which configuration identifies traffic flows for the application server?

A PIX(config)# access-list 125 permit tcp any host 192.168.10.5
  PIX(config)# class-map APP_Server
  PIX(config-cmap)# match any

B PIX(config)# access-list 125 permit tcp any host 192.168.10.5
  PIX(config)# service-policy APP_Server
  PIX(config-smap)# match access-group 125

C PIX(config)# access-list 125 permit tcp any host 192.168.10.5
  PIX(config)# policy-map APP_Server
  PIX(config-pmap)# match access-list 125

D PIX(config)# access-list 125 permit tcp any host 192.168.10.5
  PIX(config)# class-map APP_Server
  PIX(config-cmap)# match access-list 125


10 A network administrator wants to configure an object group to permit hosts 10.1.1.1, 10.1.1.2, and 10.1.1.3 access to network servers. Which commands must be entered to correctly configure an object group for the three hosts?

A object-group host 3HOSTS
  network-object host 10.1.1.1
  network-object host 10.1.1.2
  network-object host 10.1.1.3

B object-group network 3HOSTS
  network-object host 10.1.1.1
  network-object host 10.1.1.2
  network-object host 10.1.1.3

C object-group network 3HOSTS
  host-object host 10.1.1.1
  host-object host 10.1.1.2
  host-object host 10.1.1.3

D object-group host 3HOSTS
  host-object host 10.1.1.1
  host-object host 10.1.1.2
  host-object host 10.1.1.3


11 A network administrator has created the object group 10HOSTS to allow ten hosts access to specific network services. Which command does an administrator use to verify that the object group has been configured successfully?

A show access-list

B show host-group

C show 10HOSTS

D show object-group


12 Which two statements describe the object-group and group-object commands? (Choose two.)

A The object-group command is a subcommand of the group-object command.

B The object-group command defines which type of object group will be created.

C The object-group command can contain other group objects.

D The group-object command can contain object groups of different types.

E The group-object command enables the construction of hierarchical, or nested, object groups.


13 Which command is used to enable a Turbo ACL after it has been configured in global configuration mode?

A pixfirewall(config)# access-list compiled

B pixfirewall(config)# ip access-list compiled

C pixfirewall(config)# access-group ACL_ID turbo

D pixfirewall(config)# access-list compiled ACL_ID

Test 9


14 Refer to the graphic. What is the result when the network administrator enters the command shown?

fw1(config)# access-list aclout line 4 permit tcp any host 192.168.0.9 eq www

A It will replace the existing line 4 in the ACL.

B It will push the current ACL line 4 and all of the lines that follow down one line.

C It will require the ACL to be deleted and rewritten because it cannot be inserted as line 4.

D It will be appended to the end of the ACL, and the current line 4 will be deleted.

Test 9


15 Refer to the configuration shown in the graphic. Both commands have been entered into the Cisco PIX Security Appliance. Why might the administrator have chosen to allow ICMP unreachable traffic to be permitted at the outside interface?

A Denying ICMP unreachable traffic will disable routing updates.

B ICMP unreachable traffic is required by web browsers.

C Denying ICMP unreachable traffic can halt PPTP and IPSec traffic.

D ICMP unreachable traffic is required for ACLs to work properly.

Test 9


16 Which two URL-filtering applications can be used with the PIX Security Appliance? (Choose two.)

A IIS

B Websense

C NetSensor

D N2H2

Test 9


17 Why would Service object groups be placed in an access list?

A A Service object group is used to indicate either the source or the destination port in an access list.

B A Service object group is used in place of the keyword ip, tcp, udp or icmp.

C A Service object group is used in place of source or destination server address.

D A Service object group is used in place of listing individual servers that offer the same service.

Test 9


1 A network administrator wants to configure an access switch to protect it from being exploited by attackers sending BPDUs through PortFast-enabled ports. Which command implements this security option by putting any attacked port in an error-disabled state?

A Switch(config)# spanning-tree portfast bpdudisable default

B Switch(config)# spanning-tree portfast bpduerror default

C Switch(config)# spanning-tree portfast bpdufilter default

D Switch(config)# spanning-tree portfast bpduguard default

Test 10


2 As shown in the graphic, an intruder has connected to ports on two different access switches and wishes to spoof as the root bridge. What would the attacker send in the indicated direction to complete this exploit?

A BPDUs with a lower bridge priority

B BPDUs with a higher bridge priority

C VTP frames with a lower VLAN identity

D VTP frames with a higher VLAN identity

Test 10


3 A Cisco Catalyst switch is configured as shown in the graphic. Which type of attack is the network administrator trying to prevent?

A ping flood

B CAM table overflow

C MAC spoofing

D DHCP starvation

Test 10


4 Which three statements describe a CAM table overflow attack? (Choose three.)

A The limitations of the switch software image are exploited via flooding of frames.

B The limitations of the fixed hardware of the CAM table are exploited via flooding of MAC addresses.

C The limitations of the switch memory cause the switch to operate like a hub in response to overflowing traffic.

D The configuration of VLANs on the switch minimizes the exploit by containing the flood of traffic to the VLAN supporting the attacker.

E The impact of the CAM table overflow attack can be lessened with the implementation of macof.

F The limitation of CAM table size causes the switch to flood traffic to all VLANs under CAM table overflow attack.

Test 10


5 Which two commands can be used to verify port security configuration? (Choose two.)

A Switch# show cam

B Switch# show buffer

C Switch# show port-security interface interface_id

D Switch# show vlan vlan_id port-security

E Switch# show port-security vlan vlan_id

Test 10


6 Which type of attack involves an attacking system becoming a member of all VLANs?

A switch spoofing

B double tagging

C private proxy

D trunk spoofing

Test 10


7 The hosts shown in the graphic and all other hosts in the same IP network are members of private VLAN 3 and, by design, should be unable to communicate at Layer 2. What ACL can be configured on the gateway router and applied to interface Fa0/1 to ensure that hosts on the private VLAN are unable to communicate with each other at Layer 3 but are still able to communicate with other networks?

A Router(config)# access-list 135 deny ip any 192.168.20.0 0.0.0.255
  Router(config)# access-list 135 permit ip any any
  Router(config)# interface fastethernet 0/1
  Router(config-if)# ip access-group 135 out

B Router(config)# access-list 135 deny ip 192.168.20.0 0.0.0.255 any
  Router(config)# access-list 135 permit ip any any
  Router(config)# interface fastethernet 0/1
  Router(config-if)# ip access-group 135 in

C Router(config)# access-list 135 deny ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
  Router(config)# access-list 135 permit ip any any
  Router(config)# interface fastethernet 0/1
  Router(config-if)# ip access-group 135 out

D Router(config)# access-list 135 deny ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
  Router(config)# access-list 135 permit ip any any
  Router(config)# interface fastethernet 0/1
  Router(config-if)# ip access-group 135 in

Test 10


8 Which statement describes the purpose of the configuration shown below?

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 3
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit rate 30

A It is meant to disable any hosts that are attached to VLAN 3 and are configured for DHCP configuration rather than static IP addresses.

B It is meant to disable any rogue DHCP servers that are attached to VLAN 3.

C It is meant to monitor VLAN 3 for DHCP attacks that will deplete the DHCP pool.

D It is meant to monitor VLAN 3 and disable any hosts that are using static IP addresses rather than DHCP addresses.

Test 10


9 Which type of output would be produced on a switch after entering the command?

Switch# show ip dhcp snooping binding

A DHCP servers on the snooped network

B DHCP clients on all DHCP snooped switches on the network

C DHCP clients connected to DHCP snooped ports on the switch

D all active protocols on all DHCP clients connected to DHCP snooped ports on the switch

Test 10