CCNA Sec V2 MID2
Question | Answer |
---|---|
Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.) | SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed. Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked. |
Which two are characteristics of ACLs? (Choose two.) | Extended ACLs can filter on destination TCP and UDP ports. Extended ACLs can filter on source and destination IP addresses. |
Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router? | self zone |
Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet? | The packet is dropped. |
Which two parameters are tracked by CBAC for TCP traffic but not for UDP traffic? (Choose two.) | sequence number SYN and ACK flags |
What is the first step in configuring a Cisco IOS zone-based policy firewall using the CLI? | Create zones. |
Class maps identify traffic and traffic parameters for policy application based on which three criteria? (Choose three.) | access group protocol subordinate class map |
Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model? | A packet-filtering firewall typically can filter up to the transport layer, while a stateful firewall can filter up to the session layer. |
For a stateful firewall, which information is stored in the stateful session flow table? | source and destination IP addresses, and port numbers and sequencing information associated with a particular session |
What is a limitation of using object groups within an access control entry? | It is not possible to delete an object group or make an object group empty if the object group is already applied to an ACE. |
When using CCP to apply an ACL, the administrator received an informational message indicating that a rule was already associated with the designated interface in the designated | A new combined access rule was created using the new access rule number. Duplicate ACEs were removed. |
Which statement correctly describes how an ACL can be used with the access-class command to filter vty access to a router? | An extended ACL can be used to restrict vty access based on specific source addresses and protocol but the destination can only specify the keyword any. |
To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface? | echo reply |
Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table? | ipv6 traffic-filter ENG_ACL in |
Which statement describes a typical security policy for a DMZ firewall configuration? | Traffic that originates from the DMZ interface is selectively permitted to the outside interface. OR Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface. |
When configuring a Cisco IOS zone-based policy firewall, which two actions can be applied to a traffic class? (Choose two.) | drop inspect |
Refer to the exhibit. Which statement describes the function of the ACEs? | These ACEs allow for IPv6 neighbor discovery traffic. |
When implementing an inbound Internet traffic ACL, what should be included to prevent the spoofing of internal networks? | ACEs to prevent traffic from private address spaces |
Which statement describes one of the rules governing interface behavior in the context of implementing a zone-based policy firewall configuration? | By default, traffic is allowed to flow among interfaces that are members of the same zone. |
Refer to the exhibit. Which statement is true about the effect of this Cisco IOS zone-based policy firewall configuration? | The firewall will automatically allow HTTP, HTTPS, and FTP traffic from fa0/0 to s0/0 and will track the connections. Tracking the connection allows only return traffic to be permitted through the firewall in the opposite direction. |
In addition to the criteria used by extended ACLs, what conditions are used by a classic firewall to filter traffic? | Application layer protocol session information |
Refer to the exhibit. Which Cisco IOS security feature is implemented on router FW? | classic firewall |
Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.) | Pass, inspect, and drop options can only be applied between two zones If traffic is to flow between all interfaces in a router, each interface must be a member of a zone. To permit traffic to and from a zone member interface, a policy all |
When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL? | process switching |
When a Cisco IOS zone-based policy firewall is being configured, which two actions can be applied to a traffic class? (Choose two.) | inspect drop |
A router has been configured as a classic firewall and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table? | A dynamic ACL entry is added to the external interface in the inbound direction. |
Refer to the exhibit. What is represented by the area marked as “A”? | DMZ |
Which type of packet is unable to be filtered by an outbound ACL? | router-generated packet |
Which two parameters are tracked by a classic firewall for TCP traffic but not for UDP traffic? (Choose two.) | sequence number SYN and ACK flags |
Refer to the exhibit. When modifying an IPS signature action, which two check boxes should be selected to create an ACL that denies all traffic from the IP address that is considered the source of the attack and drops the packet and all future pac | Deny Attacker Inline Deny Connection Inline |
Why is a network that deploys only IDS particularly vulnerable to an atomic attack? | The IDS permits malicious single packets into the network. |
Refer to the exhibit. What is the result of issuing the Cisco IOS IPS commands on router R1? | All traffic that is permitted by the ACL is subject to inspection by the IPS |
Which two files could be used to implement Cisco IOS IPS with version 5.x format signatures? (Choose two.) | IOS-Sxxx-CLI.pkg realm-cisco.pub.key.txt |
A network administrator tunes a signature to detect abnormal activity that might be malicious and likely to be an immediate threat. What is the perceived severity of the signature? | medium |
Which two benefits does the IPS version 5.x signature format provide over the version 4.x signature format? (Choose two.) | addition of a signature risk rating support for encrypted signature parameters |
Which two Cisco IOS commands are required to enable IPS SDEE message logging? (Choose two.) | ip server ip ips notify sdee |
Refer to the exhibit. What is the significance of the number 10 in the signature 6130 10 command? | It is the subsignature ID. |
What is a disadvantage of network-based IPS as compared to host-based IPS? | Network-based IPS cannot examine encrypted traffic. |
What information is provided by the show ip ips configuration configuration command? | the default actions for attack signatures |
Which statement is true about an atomic alert that is generated by an IPS? | It is an alert that is generated every time a specific signature has been found. |
Which Cisco IPS feature allows for regular threat updates from the Cisco SensorBase Network database? | global correlation |
Which protocol is used when an IPS sends signature alarm messages? | SDEE |
Refer to the exhibit. Based on the configuration that is shown, which statement is true about the IPS signature category? | Only signatures in the ios_ips basic category will be compiled into memory for scanning. |
A network security administrator would like to check the number of packets that have been audited by the IPS. What command should the administrator use? | show ip ips statistics |
Refer to the exhibit. Based on the configuration commands that are shown, how will IPS event notifications be sent? | syslog format |
Refer to the exhibit. What action will be taken if a signature match occurs? | The packet will be allowed, and an alert will be generated. |
An administrator is using CCP to modify a signature action so that if a match occurs, the packet and all future packets from the TCP flow are dropped. What action should the administrator select? | deny-connection-inline |
Refer to the exhibit. Based on the configuration, what traffic is inspected by the IPS? | all traffic entering the s0/0/1 interface and all traffic entering and leaving the fa0/1 interface |
Refer to the exhibit. As an administrator is configuring an IPS, the error message that is shown appears. What does this error message indicate? | The public crypto key is invalid or entered incorrectly. |
Refer to the exhibit. An administrator has configured router R1 as indicated. However, SDEE messages fail to log. Which solution corrects this problem? | Issue the ip ips notify sdee command in global configuration. |
What is a zero-day attack? | an attack that targets software vulnerabilities unknown or unpatched by the software vendor |
What is a disadvantage of a pattern-based detection mechanism? | It cannot detect unknown attacks. |
Refer to the exhibit. Which option tab on the CCP screen is used to view the Top Threats table and deploy signatures associated with those threats? | Security Dashboard |
As a recommended practice for Layer 2 security, how should VLAN 1 be treated? | VLAN 1 should not be used. |
With IP voice systems on data networks, which two types of attacks target VoIP specifically? (Choose two.) | SPIT vishing |
The network administrator for an e-commerce website requires a service that prevents customers from claiming that legitimate orders are fake. What service provides this type of guarantee? | nonrepudiation |
How do modern cryptographers defend against brute-force attacks? | Use a keyspace large enough that it takes too much money and too much time to conduct a successful attack. |
What is the basic method used by 3DES to encrypt plaintext? | The data is encrypted, decrypted, and encrypted using three different keys. |
A customer purchases an item from an e-commerce site. The e-commerce site must maintain proof that the data exchange took place between the site and the customer. Which feature of digital signatures is required? | nonrepudiation of the transaction |
Why is RSA typically used to protect only small amounts of data? | The algorithms used to encrypt data are slow. |
An administrator requires a PKI that supports a longer lifetime for keys used for digital signing operations than for keys used for encrypting data. Which feature should the PKI support? | usage keys |
What is one benefit of using a next-generation firewall rather than a stateful firewall? | integrated use of an intrusion prevention system (IPS) |
What is one advantage of using a next-generation firewall rather than a stateful firewall? | proactive rather than reactive protection from Internet threats |
The inspect action in a Cisco IOS Zone-Based Policy Firewall configures Cisco IOS | stateful |
Consider the access list command applied outbound on a router serial interface. What is the effect of applying this access list command? | No traffic will be allowed outbound on the serial interface. |
Where is the firewall policy applied when using Classic Firewall? | interfaces |
Consider the configured access list. R1# show access-lists extended IP access list 100 deny tcp host 10.1.1.2 host 10.1.1.1 eq telnet deny tcp host 10.1.2.2 host 10.1.2.1 eq telnet permit ip any any (15 matches) | The access list has been applied to an interface. |
Which ICMP message type should be stopped inbound? | echo |
What is the result in the self zone if a router is the source or destination of traffic? | All traffic is permitted. |
action in a Cisco IOS Zone-Based Policy Firewall is similar to a deny statement in an ACL. | drop |
What are two characteristics of ACLs? (Choose two.) | Extended ACLs can filter on destination TCP and UDP ports. Extended ACLs can filter on source and destination IP addresses. |
Which two types of addresses should be denied inbound on a router interface that attaches to the Internet? (Choose two.) | private IP addresses any IP address that starts with the number 127 |
Which statement is a characteristic of a packet filtering firewall? | They are susceptible to IP spoofing. |
Where would the following ACE be placed? | on an IPv6-enabled router interface that connects to another router |
Which statement describes a stateful firewall? | It can determine if the connection is in the initiation, data transfer, or termination phase. |
A network administrator was testing an IPS device by releasing multiple packets into the network. The administrator examined the log and noticed that a group of alarms were generated by the IPS that identified normal user traffic. | false positive |
A network administrator configures the alert generation of an IPS device in such a way that when multiple attack packets that match the same signature are detected, a single alert for the first pack | summary alerts |
What is a disadvantage of network-based IPS devices? | They cannot detect attacks that are launched using encrypted packets. |
Which command helps verify the Cisco IOS IPS configuration? | show ip ips configuration |
What is a zero-day attack? | It is a computer attack that exploits unreported software vulnerabilities. |
What is an IPS signature? | It is a set of rules used to detect typical intrusive activity. |
What are two actions that an IPS can perform whenever a signature detects the activity for which it is configured? (Choose two.) | allow the activity drop or prevent the activity |
Refer to the exhibit. A network administrator is configuring an IOS IPS. Which statement describes the IPS signatures that are enabled? | These signatures detect attacks within a single packet |
A network administrator is configuring the action type for a specific IPS signature that identifies an attack that contains a specific series of TCP packets. Once detected, the action to be taken is to terminate the current packet and future pack | R1(config-sigdef-sig)# event-action deny-connection-inline |
Which Cisco feature sends copies of frames entering one port to a different port on the same switch in order to perform traffic analysis? | SPAN |
Which command releases the dynamic resources associated with the Cisco IOS IPS on a Cisco router? | Router# clear ip ips configuration |
Which set of Cisco IOS commands instructs the IPS to compile a signature category named ios_ips into memory and use it to scan traffic? | R1(config)# ip ips signature-category R1(config-ips-category)# category ios_ips basic R1(config-ips-category-action)# retired false |
Refer to the exhibit. As an administrator is configuring an IPS, the error message that is shown appears. What does this error message indicate? | The public crypto key is invalid or entered incorrectly. |
triggering mechanism for the network-based IPS by defining a pattern of web surfing activities. The signature is applied across the corporate campus regardless of the type of web browser used. What type of triggering mechanism is being implemented? | policy-based |
What is involved in an IP address spoofing attack? | A legitimate network IP address is hijacked by a rogue node. |
Why are traditional network security perimeters not suitable for the latest consumer-based network endpoint devices? | These devices are more varied in type and are portable. |
Which two Cisco products are equipped with the integrated connector to the Cisco CWS service? (Choose two.) | Cisco WSA Cisco ASA |
The STP Guard feature provides protection against Layer 2 loops by recognizing unidirectional links and moving them to the blocking state. | loop guard |
Which security solution provides continuous visibility and control before, during, and after an attack to defeat malware across the extended network of an organization? | AMP |
What is the only type of traffic that is forwarded by a PVLAN protected port to other protected ports? | control |
Enabling traffic from one VLAN to be seen by another VLAN is the goal of a VLAN attack. | vlan hopping |
Which two devices are examples of endpoints susceptible to malware-related attacks? (Choose two.) | server desktop |
Which three Cisco products focus on endpoint security solutions? (Choose three.) | Web Security Appliance Email Security Appliance NAC Appliance |
What would be the primary reason an attacker would launch a MAC address overflow attack? | so that the attacker can see frames that are destined for other hosts |
What mitigation plan is best for thwarting a DoS attack that is creating a switch buffer overflow? | Enable port security. |
What two components of traditional web security appliances are examples of functions integrated into a Cisco Web Security Appliance? (Choose two.) | web reporting URL filtering |
At which layer of the OSI model does Spanning Tree Protocol operate? | Layer 2 |
What is the best way to prevent a VLAN hopping attack? | Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports. |
What are the three components of an STP bridge ID? (Choose three.) | the bridge priority value the extended system ID the MAC address of the switch |
What is a recommended best practice when dealing with the native VLAN? | Assign it to an unused VLAN. |
What is the purpose of the DH algorithm? | to generate a shared secret between two hosts that have not communicated before |
A customer purchases an item from an e-commerce site. The e-commerce site must maintain proof that the data exchange took place between the site and the customer. Which feature of digital signatures is required? | nonrepudiation of the transaction |
During which part of establishing an IPsec VPN tunnel between two sites would NAT-T detection occur? | IKE Phase 1 |
Which protocol creates a virtual point-to-point connection to tunnel unencrypted traffic between Cisco routers from a variety of protocols? | GRE |
Which are the five security associations to configure in ISAKMP policy configuration mode? | Hash, Authentication, Group, Lifetime, Encryption |
What is defined by an ISAKMP policy? | the security associations that IPsec peers are willing to use |
The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks? | confidentiality |
Which statement describes the operation of the IKE protocol? | It calculates shared keys based on the exchange of a series of data packets. |
Which IPsec security function provides assurance that the data received via a VPN has not been modified in transit? | integrity |
Which method is used to identify interesting traffic needed to create an IKE phase 1 tunnel? | a permit access list entry |
Which VPN implementation allows traffic that originates from a remote-access client to be separated into trusted VPN traffic and untrusted traffic destined for the public Internet? | split tunneling |
To configure an IKE phase 1 tunnel to identify interesting traffic, each IPsec peer router is configured with an to permit traffic. | ACL |
Refer to the exhibit. What algorithm is being used to provide public key exchange? | Diffie-Hellman |
Which IPsec framework protocol provides data integrity and data authentication, but does not provide data confidentiality? | AH |
What takes place during IKE Phase 2 when establishing an IPsec VPN? | IPsec security associations are exchanged. |
The ISAKMP policy lists the associations that a router is willing to use to establish a tunnel for IKE. | security |
What is the first step in establishing an IPsec VPN? | detection of interesting traffic |
What is a benefit of having users or remote employees use a VPN to connect to the existing network rather than growing the network infrastructure? | scalability |