Assessment System
Below you will find the assessment items as presented on the exam as well as the scoring rules associated with the item.
Use of the exam information in the Exam Viewer is subject to the terms of the Academy Connection Website Usage Agreement between you and Cisco.
The purpose of the Exam Viewer is to support instruction while not compromising exam security for other Cisco Networking Academies or students. This material should not be distributed outside a proctored and controlled setting. If misuse is found, action will be taken to limit access to assessment content.
Please remember to logout and close your browser window after using the Exam Viewer.
Max Value = 2
Network Security 2
2 A network administrator needs to secure a corporate network made up of Cisco routers and switches against intrusion. Due to budget constraints, the administrator is unable to purchase additional devices or hardware modules. Which Cisco product provides an effective solution?
Cisco IDS Network Module
Cisco IPS 4240
Cisco IDSM-2
Cisco IOS IPS
Max Value = 2
Network Security 2
3 Which method of detecting anomalies is used by the Cisco PIX IDS feature?
signature
heuristic
artificial intelligence
deterministic
Max Value = 2
Network Security 2
4 During some testing, the PIX Security Appliance IDS was configured to exclude the ICMP Echo Reply signature. The Echo Reply Message Number is 400010 and its Signature ID is 2000. Which command should be executed to include the Echo Reply signature again?
pixfirewall(config)# ip audit signature 400010 enable
pixfirewall(config)# ip audit signature 2000 enable
pixfirewall(config)# no ip audit signature 2000 disable
pixfirewall(config)# no ip audit signature 400010 disable
Max Value = 2
Network Security 2
5 Which feature was introduced in Cisco PIX Firewall Software Version 6.2 to reduce CPU utilization while verifying the validity of incoming TCP sessions?
TCP SYN attack
TCP Intercept
SYN cookies
AAA Flood Guard
Max Value = 2
Network Security 2
6 What is the function of the DNS Guard feature of the Cisco PIX Security Appliance?
It ensures that the full UDP timeout period is available for each DNS query.
It tears down the UDP conduit as soon as the first DNS response is received.
It drops attempted connections to internal DNS servers after a configured maximum is reached.
It allows port 53 UDP connections only to specifically configured DNS servers.
Max Value = 2
Network Security 2
7 A host IP address has been shunned by the PIX Security Appliance. Which would apply to traffic originating from that IP address?
All packets would be blocked until the default blocking time had expired.
All packets would be blocked unless they entered the PIX Security Appliance from a trusted network.
All packets would be blocked regardless of the PIX Security Appliance interface that they arrived on.
All packets would be blocked unless an ACL specifically allowed the packets.
Max Value = 2
Network Security 2
8 Which two statements correctly describe the FragGuard and Virtual Reassembly features of a PIX Security Appliance? (Choose two.)
Full assembly is performed on ICMP error messages and the buffer space that must be reserved is minimized.
Full assembly is performed on all IP fragments, except ICMP error messages, and the buffer space that must be reserved is maximized.
Virtual assembly is performed on all IP fragments, except ICMP error messages, and the buffer space that must be reserved is minimized.
Virtual assembly is performed on ICMP error messages and the buffer space that must be reserved is maximized.
Max Value = 2
Network Security 2
9 What is the name of an encryption system which uses the same key to encrypt and decrypt a message?
Diffie-Hellman
asymmetric encryption
symmetric encryption
MD5
SHA
Max Value = 2
Network Security 2
10 The originator of a message derives a hash and encrypts it with its private key. The encrypted hash is attached to the message and forwarded to the remote end. At the remote end, the encrypted hash is decrypted using the originator's public key. If the decrypted hash matches the re-computed hash, the message is genuine. What is being described?
the incorrect use of a hash
the use of a digital signature for origin authentication
symmetric encryption for enhanced secrecy of data
public key encryption for the secure encryption of data
the use of a digital signature for data encryption
Max Value = 2
Network Security 2
11 What is the role of a crypto extended ACL that is applied to an outbound interface?
It permits or denies all traffic based on a protocol or an IP address.
It denies traffic based on a protocol and an encryption algorithm.
It permits only encrypted traffic.
It selects outbound traffic to be encrypted.
Max Value = 2
Network Security 2
12 What is the purpose of the security parameter index (SPI) within the IPSec framework?
It identifies the encryption algorithm being used.
It identifies each established SA.
It identifies the IPSec mode being used.
It identifies the hash algorithm being used.
Max Value = 2
Network Security 2
13 How will the IPSec process be initiated when IPSec is configured on a router?
IPSec actively monitors all traffic and discards it if it is not in an IPSec policy.
IPSec is initiated to establish a connection or discard traffic that is specifically denied by an ACL.
IPSec is initiated to establish a connection or discard traffic that fails to match any ACL.
IPSec is initiated when a packet triggers an ACL that defines traffic to be protected.
Max Value = 2
Network Security 2
14 A remote user launches a web browser to establish a secure tunnel connection across a public network to corporate headquarters. This is an example of which type of VPN connection?
NAS-initiated remote-access VPN
router-initiated site-to-site VPN
client-initiated remote-access VPN
router-initiated site-to-site VPN
Max Value = 2
Network Security 2
Max Value = 2
Network Security 2
● 3.2.1 Hashing
Max Value = 2
Network Security 2
● 3.6.1 Overview
Max Value = 3
Network Security 2
18 Which IPSec protocol provides encryption protection for the data in a packet, but does not protect the outer headers in the transport mode?
AH
MD5
ESP
GRE
CET
Max Value = 2
Network Security 2
Max Value = 2
Network Security 2
20 When creating more than one crypto map entry for a given interface, an administrator can assign a sequence number for each map entry. Which statement is true about the sequence number for crypto map entries?
The lower the sequence number, the higher the priority.
The higher the sequence number, the higher the priority.
The priority is based on the IP address of the IPSec peer.
The priority is in the order of the entries of configuration commands entered.
Max Value = 2
Network Security 2
21 Which statement accurately describes a site-to-site VPN using pre-shared keys for the authentication of IPSec sessions?
It is relatively simple to configure, and it scales well for large numbers of IPSec clients.
It is relatively simple to configure, but it does not scale well for large numbers of IPSec clients.
It is relatively complex to configure, but it scales well for large numbers of IPSec clients.
It is relatively complex to configure, and it does not scale well for large numbers of IPSec clients.
Max Value = 2
Network Security 2
22 For each unidirectional security association (SA) during IKE phase two, how many transform proposals are agreed upon by IPSec peers?
1
2
4
8
16
Max Value = 2
Network Security 2
23 Which Cisco IOS command generated the output shown in the graphic?
debug crypto ipsec
debug crypto isakmp
debug crypto socket
debug ip peer
show crypto isakmp policy
Max Value = 2
Network Security 2
24 Which three steps should be accomplished when preparing to configure IPSec with digital certificates for authentication? (Choose three.)
Plan for CA support.
Ensure that ACLs are compatible with the transform set.
Determine the ISAKMP policy.
Ensure that ACLs are compatible with IPSec.
Determine the RSA policy.
Plan the shared secrets between peers.
Max Value = 3
Network Security 2
25 RSA key pairs are used to sign and encrypt IKE key management messages and are required before obtaining a certificate for the router. Which statement is true regarding special-usage keys?
Special-usage keys use a maximum of 1024 bits instead of the 2048 bits that are used with general-purpose keys.
Special-usage keys are used only for digital signatures.
Special-usage keys are more secure than general-purpose keys because two sets of keys are generated.
Special-usage keys are not universally accepted because these keys use a proprietary algorithm.
Max Value = 2
Network Security 2
26 There are two possible modes for a PIX Security Appliance that is set up as an Easy VPN Remote. The two modes are client and network extension. Which of the following statements is true if client mode is used?
The PIX Security Appliance does not use PAT to translate IPs of clients connected to the inside interface.
The PIX Security Appliance applies PAT to all clients connected to the inside interface.
The PIX Security Appliance applies reverse NAT to all clients connected to the inside interface.
The PIX Security Appliance applies outbound filtering to all clients connected to the inside interface.
Max Value = 2
Network Security 2
● 6.6.3 Easy VPN Client device mode and enabling Easy VPN Remote clients
Max Value = 2
Network Security 2
28 How does an anomaly-based intrusion detection system detect previously unpublished attacks?
by recognizing signatures
by recognizing behavioral deviation from the security policy
by recognizing behavioral deviation from normal user activities
by recognizing behavioral deviation from device security settings
Max Value = 2
Network Security 2
29 The network administrator wants to decrease the size of the event buffer for SDEE. What effect will this have on events already in the buffer?
All events will be lost.
The oldest events will be lost.
No stored events will be lost.
All events will be sent to the syslog server, then deleted.
Max Value = 2
Network Security 2
30 How many parameters are defined either explicitly or by default for each IKE policy before an IKE security association is established?
three
five
seven
nine
Max Value = 2
Network Security 2
31 WebVPN Content Filtering lets the administrator block or remove the parts of websites that do which three things? (Choose three.)
display images
use obscene terms
deliver cookies
scripting
contain pornography
generate popups
Max Value = 3
Network Security 2
32 The network administrator for ABC Company is configuring an Adaptive Security Appliance to properly handle e-mail communications for WebVPN users. The only remaining task is to define e-mail and authentication servers. Given the information in the graphic, which commands will accomplish this task?

ciscoasa(config-pop3s)# server 10.0.1.0
ciscoasa(config-pop3s)# authentication-server AUTHSERVER
ciscoasa(config-pop3s)# authentication type piggyback

ciscoasa(config-pop3s)# server 10.0.1.10
ciscoasa(config-pop3s)# authentication-server-group AUTHSERVER
ciscoasa(config-pop3s)# authentication piggyback

ciscoasa(config-pop3s)# server 10.0.1.10
ciscoasa(config-pop3s)# authentication-server AUTHSERVER
ciscoasa(config-pop3s)# authentication piggyback

ciscoasa(config-pop3s)# server 10.0.1.10
ciscoasa(config-pop3s)# authentication-server-group AUTHSERVER
ciscoasa(config-pop3s)# authentication type piggyback
Max Value = 2
Network Security 2
33 The network administrator of a large corporate network needs to use IKE authentication with an easily scalable solution for generation and distribution of public and private keys. Which method should be used?
CA server
pre-shared keys
PGP server
secured HTTP
Max Value = 2
Network Security 2
34 When the Cisco Easy VPN Client initiates the IKE Phase I process, there are two ways to perform authentication. Which two statements correctly pair the authentication method with the correct IKE Phase I mode? (Choose two.)
pre-shared key authentication, initiate aggressive mode (AM)
pre-shared key authentication, initiate main mode (MM)
digital certificate authentication, initiate aggressive mode (AM)
digital certificate authentication, initiate main mode (MM)
Max Value = 2
Network Security 2
35 An administrator has entered the crypto key zeroize rsa command in global configuration mode. What effect will this command have?
It will reset the counter for the number of times the key has been used.
It will delete all RSA keys on the local and peer routers.
It will delete the RSA keys from the router.
It will reset the timeout countdown timer for RSA key negotiation.
Max Value = 2
Network Security 2
36 The router VPNGATE serves as a Cisco Easy VPN Server. The network administrator entered the following command. What is the result of the configuration command?
Max Value = 2
Network Security 2
37 When configuring a Cisco PIX Security Appliance as a Cisco Easy VPN Server, what are three possible uses of dynamic crypto maps? (Choose three.)
initiate new IPSec security associations with remote peers
initiate new IPSec security associations from remote peers with the PIX Security Appliance
evaluate traffic
define interesting traffic
complete all missing configuration parameters on the remote peer
complete any missing configuration parameters necessary for IPSec traffic
Max Value = 3
Network Security 2
38 The Router MC requires that one of two components be in place before the installation can be accomplished. Which two components will meet this requirement? (Choose two.)
Cisco Router Security Audit
Cisco Network Analysis Module
CiscoWorks 2000
Cisco Intrusion Detection System
CiscoWorks VMS 2.1 Common Services
Max Value = 2
Network Security 2
39 A network administrator has entered the commands shown in the graphic for a router that will communicate with the Router MC server. What is the result of this configuration?
The router will be configured to use IPSec to communicate with the MC server.
The router will be configured to use RSA pre-shared keys to communicate with the MC server.
The router will be configured to use SSH to communicate with the MC server.
The router will be configured to use SSL to communicate with the MC server.
Max Value = 2
Network Security 2
Max Value = 3
Network Security 2
41 Refer to the graphic. The network shown requires high availability as well as the need to trunk information between switches. Which two measures can be used to mitigate CAM table vulnerability and prevent unauthorized access to the security zone? (Choose two.)
port security
CAM table locking
DHCP snooping
802.1x authentication
Max Value = 2
Network Security 2
● 7.1.5 Single security zone, multiple user groups, multiple physical switches
42 In which two situations should multiple security contexts be considered using a single Cisco PIX Security Appliance? (Choose two.)
any network that wants to deploy only one physical firewall
a large enterprise that wants to keep all departments separate
an enterprise that wants to apply a uniform security policy to all departments
a service provider that wants to sell firewall services to customers
Max Value = 2
Network Security 2
43 When changing a Cisco PIX Security Appliance to multiple mode, the PIX Security Appliance converts the running configuration into which two new files? (Choose two.)
system config
user config
running config
admin config
Max Value = 2
Network Security 2
44 When ARP inspection is enabled on a Cisco PIX Security Appliance, which two statements are correct? (Choose two.)
If the logical address, physical address, and destination interface match an entry in the ARP table, the packet is passed through.
If there is a mismatch between the physical address and the logical address of the source interface, the PIX Security Appliance will flood the packet through all interfaces.
If the logical address, physical address, and source interface match an entry in the ARP table, the packet is passed through.
If the ARP packet does not match any entries in the static ARP table, the PIX Security Appliance can be set to flood the packet out all interfaces.
Max Value = 2
Network Security 2
45 Which Cisco SDM mode presents a list of possible security problems so that administrators can pick and choose which vulnerabilities should be locked down?
Management Console
Monitor
One-Step Lockdown
Security Audit
Max Value = 2
Network Security 2
46 Which two statements are true regarding Secure Shell (SSH) for remote management of the Cisco PIX Security Appliance? (Choose two.)
The PIX Security Appliance functions as both an SSH client and an SSH server.
Only the remote host initiating an SSH connection is required to be authenticated by the PIX Security Appliance.
The PIX Security Appliance supports SSHv2 in version 7.0 of the software.
The PIX Security Appliance uses AES or DES for symmetric key encryption.
The PIX Security Appliance allows up to five SSH clients to simultaneously access the console.
Max Value = 2
Network Security 2
47 Which two types of hardware failover are available for the Cisco PIX Security Appliance and Cisco Adaptive Security Appliance? (Choose two.)
master/slave
active/active
primary/secondary
master/master
active/standby
primary/primary
Max Value = 2
Network Security 2
48 Which two licenses can be used for active/active failover on a secondary Cisco PIX Security Appliance? (Choose two.)
failover (FO)
restricted (R)
unrestricted (UR)
failover-active/active (FO-A/A)
failover-active/standby (FO-A/S)
Max Value = 2
Network Security 2
49 A network administrator enters the command shown in the graphic on an Adaptive Security Appliance. Which task is being performed?
file directory management
password recovery
IOS image upgrade
configuration file upload
Max Value = 2
Network Security 2
50 The graphic shows the display on a Cisco PIX Security Appliance after the network administrator issues the show run crypto isakmp command. What can be determined from the information shown?
The 768-bit Diffie-Hellman group is specified in the IKE policy.
The encryption algorithm used in the IKE policy is 56-bit DES.
Each security association should last one day before expiring as specified in the IKE policy.
The ISAKMP policy uses IKE group 2 and all other groups below.
Max Value = 2
Network Security 2
All content copyright 1992-2007 Cisco Systems, Inc. Privacy Statement and Trademarks.