No User Avatar
Register
20 Jan 2010 @ 10:22AM

Updated: 20 Jan 2010 @ 10:22AM
Display Tests
Comments (0)
Test 1
  1. Which three of these are common causes of persistent vulnerabilities in networks? (Choose three.)
    • new exploits in existing software
    • misconfigured hardware or software
    • poor network design
    • changes in the TCP/IP protocol
    • changes in the core routers on the Internet
    • end-user carelessness
  2. A company deployed a web server on the company DMZ to provide external web services. While reviewing firewall log files, the administrator discovered that a connection was made to the internal e-mail server from the web server in DMZ. After reviewing the e-mail server logs, the administrator discovered that an unauthorized account was created. What type of attack was successfully carried out?
    • phishing
    • port redirection
    • trust exploitation
    • man-in-the-middle
  3. A large investment firm has been attacked by a worm. In which order should the network support team perform the steps to mitigate the attack?

    A. inoculation
    B. treatment
    C. containment
    D. quarantine
    • C,A,D,B
    • A,B,C,D
    • A,C,B,D
    • D,A,C,B
    • C,B,A,D
  4. Which type of action does the "ping sweep" pose to an organization?
    • eavesdropping
    • reconnaissance
    • denial of service
    • unauthorized access
  5. At XYZ Company, the policy for network use requires that employees log in to a Windows domain controller when they power on their work computers. Although XYZ does not implement all possible security measures, outgoing traffic is filtered using a firewall. Which security model is the company using?
    • open access
    • closed access
    • hybrid access
    • restrictive access
  6. An employee of ABC Company receives an e-mail from a co-worker with an attachment. The employee opens the attachment and receives a call from the network administrator a few minutes later, stating that the employee's machine has been attacked and is sending SMTP messages. Which category of attack is this?
    • denial of service
    • trojan horse
    • port scanning
    • password attack
    • social engineering
  7. Which two of these are examples of DDoS network attacks? (Choose two.)
    • smurf attack
    • Tribal Flood Network (TFN)
    • teardrop.c
    • man-in-the-middle attack
    • port redirection
    • social engineering
  8. Which two are examples of Distributed Denial of Service attacks? (Choose two.)
    • SYN Flood
    • Stacheldraht
    • Ping of Death
    • Smurf
    • WinNuke
    • Targa.c
  9. Which type of attack prevents a user from accessing the targeted file server?
    • Reconnaissance attack
    • Denial of service attack
    • Prevention of entry attack
    • Disruption of structure attack
  10. A new network administrator is assigned the task of conducting a risk assessment of the company's network. The administrator immediately conducts a vulnerability assessment. Which important task should the administrator have completed first?
    • threat identification
    • security level application
    • patch and update deployment
    • asset identification
    • perimeter security upgrade
  11. Users are unable to access a company server. The system logs show that the server is operating slowly because it is receiving a high level of fake requests for service. Which type of attack is occurring?
    • reconnaissance
    • access
    • DoS
    • worms, viruses, and Trojan horses
  12. In which type of attack does the potential intruder attempt to discover and map out systems, services, and vulnerabilities?
    • stake out
    • reconnaissance
    • tapping
    • sniffing
  13. What is a major characteristic of a Worm?
    • malicious software that copies itself into other executable programs
    • tricks users into running the infected software
    • a set of computer instructions that lies dormant until triggered by a specific event
    • exploits vulnerabilities with the intent of propagating itself across a network
  14. Which tool is used to test security by rapidly performing a port scan of a single host or a range of hosts?
    • Cisco Router Audit Tool (RAT)
    • Microsoft Baseline Security Analyzer
    • Network Mapper (Nmap)
    • Cisco AutoSecure
  15. Which two are technological weaknesses that can lead to a breach in an organization's security? (Choose two.)
    • software compatibility weakness
    • DHCP security weakness
    • TCP/IP protocol weakness
    • operating system weakness
    • LDAP weakness
  16. Which Cisco tool can be used to convert Cisco PIX Security Appliance conduit statements to equivalent access-list statements?
    • Cisco AutoSecure
    • Output Interpreter
    • Cisco Router Audit Tool
    • Microsoft Baseline Security Analyzer
    • PIX Outbound/Conduit Conversion Tool
Comments (0)
Test 2
  1. On a Monday morning, network engineers notice that the log files on the central server are larger than normal. Examining the log reveals that the majority of the entries are from sensors deployed on the perimeter of the network. The logs reveal that a worm attack was successfully stopped by the perimeter devices. Based on this information, which of these technologies is this company using?
    • NIDS using passive technology
    • NIDS using active technology
    • HIDS using passive technology
    • HIPS using active technology
  2. Which router command will result in the router only accepting passwords of 16 characters or more?
    • service password-encryption
    • enable secret min-length 16
    • security passwords min-length 16
    • security passwords max-length 16
  3. Why does SSH provide better security than Telnet?
    • SSH compresses data while Telnet does not compress data.
    • SSH encrypts data with private key while Telnet uses public key.
    • SSH encrypts data while Telnet uses clear text in transmitting data.
    • SSH encrypts data with public key while Telnet uses hashing algorithm.
  4. A security team is charged with hardening network devices. What must be accomplished first before deciding how to configure security on any device?
    • Audit all relevant network devices.
    • Document all router configurations.
    • Create or update security policies.
    • Complete a vulnerability assessment.
  5. What is the effect of applying this command to a Cisco router?

    router(config)# no service finger
    • UNIX commands are disabled on the router.
    • All TCP/IP services are disabled.
    • PING usage is disabled.
    • Users logged into the router remotely will not be able to see if other users are logged into the router.
  6. The Security Wheel promotes a continuous process to retest and reapply updated security measures. What is the core or %u201Chub%u201D component of the Security Wheel?
    • testing policy
    • monitor
    • improve
    • security policy
  7. Which command will encrypt all passwords in the router configuration file?
    • enable secret
    • password encrypt all
    • enable password-encryption
    • service password-encryption
    • no clear-text password
  8. Which two objectives must a security policy accomplish? (Choose two.)
    • provide a checklist for the installation of secure servers
    • describe how the firewall must be configured
    • document the resources to be protected
    • identify the security objectives of the organization
    • identify the specific tasks involved in hardening a router
  9. Which encryption type uses the MD5 hash algorithm?
    • Type 0
    • Type 1
    • Type 5
    • Type 7
  10. Real-time intrusion detection occurs at which stage of the Security Wheel?
    • securing stage
    • monitoring stage
    • testing stage
    • improvement stage
    • reconnaissance stage
  11. Which command sets the inactivity timer, for a particular line or group of lines, to four minutes and fifteen seconds?
    • router(config)# line-timeout 4 15
    • router(config-line)# line-timeout 4 15
    • router(config-line)# exec-timeout 255
    • router(config-line)# timeout 255
    • router(config-line)# exec-timeout 4 15
    • router(config-line)# line-timeout 255
  12. Which configuration will allow an administrator to access the console port using a password of password?
    • router(config)# line aux 0
      router(config-line)# login
      router(config-line)# password password
    • router(config)# line console 0
      router(config-line)# login
      router(config-line)# password password
    • router(config)# line console 0
      router(config-line)# password password
    • router(config)# line console 0
      router(config-line)# access
      router(config-line)# password password
    • router(config)# line vty 0
      router(config-line)# password password
    • router(config)# line vty 0
      router(config-line)# access
      router(config-line)# password password
  13. Which two steps are necessary to ensure that your HIDS and HIPS do not miss any exploits? (Choose two.)
    • upgrade the HIDS and HIPS software as new versions are released
    • perform periodic vulnerability assessment
    • monitor alerts and logs
    • update signatures on a regular basis
    • ensure that all security patches are loaded on the host machine
  14. After providing for all operational requirements of the network, the network support team has determined that the servers should be hardened against security threats so that the network can operate at full potential. At which stage of the network life cycle does server hardening occur?
    • planning
    • design
    • implementation
    • operation
    • optimization
  15. XYZ Company recently adopted software for installation on critical servers that will detect malicious attacks as they occur. In addition, the software will stop the execution of the attacks and send an alarm to the network administrator. Which technology does this software utilize?
    • host-based intrusion detection
    • host-based intrusion protection
    • host-based intrusion prevention
    • host-based intrusion notification
  16. A network administrator installs a new stateful firewall. Which type of security solution is this?
    • secure connectivity
    • threat defense
    • policy enforcement
    • trust and identity
    • authentication
  17. Which privilege level has the most access to the Cisco IOS?
    • level 0
    • level 1
    • level 7
    • level 15
    • level 16
    • level 20
  18. A network administrator has just completed security training and has decided to change from HIDS to HIPS to protect hosts. Which of these would be a major advantage gained from the change?
    • HIPS does not require host-based client software.
    • HIPS would prevent the need to update signature files as often.
    • HIPS would be able to prevent intrusions.
    • HIPS would consume fewer system resources.
  19. The network administrator of company XYZ likes to secure routers by disabling the password recovery procedure for anyone who gains physical access to the router. Which command would be used to achieve this goal?
    • router(config)# no rommon-mode
    • router(config)# no password-recovery
    • router(config)# no service password-recovery
    • router(config)# no rommon-password recovery
  20. MD5 can be used for authenticating routing protocol updates for which three protocols? (Choose three.)
    • RIPv1
    • RIPv2
    • IGRP
    • EIGRP
    • BGP
  21. A partial router configuration is shown in the graphic. The network administrator adds the following command at the router prompt.

    router(config)# security passwords min-length 10

    Which of the following is correct?
    • The current password will continue to be used as a valid password until changed.
    • No password is required.
    • The current password is invalid and will not allow a login.
    • A password that is at least ten characters long must immediately be implemented for a successful login.
  22. What are three major functions performed by the security management subsystem, CiscoWorks VMS? (Choose three.)
    • to manage access control lists for Cisco PIX Security Appliances
    • to enforce access control policies between two processes running on a server
    • to capture and analyze network traffic, and respond to network intrusions
    • to identify sensitive network resources
    • to respond to first-stage denial of service network attacks
    • to monitor and log access to network resources
Comments (0)
Test 3
20 Jan 2010 @ 10:48AM
by Satis

Updated: 20 Jan 2010 @ 12:48PM
  1. Which command will produce output, similar to that shown in the graphic, to verify the installation of a FWSM on a router?
    • show port
    • show module
    • show firewall
    • show interface
  2. The Cisco Security Device Manager (SDM) allows administrators to securely configure supported routers by using which security protocol in Microsoft Internet Explorer?
    • IPSec
    • SSL
    • SSH
    • L2TP
    • PPTP
  3. The configuration in the graphic has been entered into a PIX Security Appliance with three interfaces. The interfaces are inside, outside, and DMZ. What source address range will the traffic from inside devices use when they access devices in the DMZ?
    • 10.0.0.1 to 10.0.0.254
    • 172.16.0.20 to 172.16.0.254
    • 172.16.0.1 to 172.16.0.254
    • 192.168.0.20 to 192.168.0.254
    • 10.0.0.1 to 10.255.255.254
  4. A network team is configuring a Cisco PIX Security Appliance for NAT so that local addresses are translated. The team is creating a global address pool using a subnet of network 192.168.5.0 with a 27-bit mask. What is the proper syntax to set up this global address pool?
    • pix1(config)# global (inside) 1 192.168.5.33-192.168.5.62
    • pix1(config)# global (outside) 1 192.168.5.33-192.168.5.62
    • pix1(config)# global (inside) 1 192.168.5.65-192.168.5.95
    • pix1(config)# global (outside) 1 192.168.5.65-192.168.5.95
    • pix1(config)# global (inside) 1 192.168.5.64-192.168.5.127
    • pix1(config)# global (outside) 1 192.168.5.65-192.168.5.127
  5. The network administrator for a small technology firm needs to implement security on the network. The administrator needs a PIX Security Appliance that will handle three Ethernet interfaces. Which PIX model would be the best choice for the company?
    • 506E
    • 515E
    • 525
    • 535
  6. Which command would configure a PIX Security Appliance to send syslog messages from its inside interface to a syslog server with the IP address of 10.0.0.3?
    • pixfirewall(config)# syslog inside 10.0.0.3
    • pixfirewall(config)# logging inside 10.0.0.3
    • pixfirewall(config)# syslog host inside 10.0.0.3
    • pixfirewall(config)# logging host inside 10.0.0.3
  7. What source IP address will the traffic from devices in the 10.0.2.0 network have when they leave the trusted network?
    • 192.168.0.8 always
    • 192.168.0.9 always
    • 192.168.0.8 if ports are available, or 192.168.0.9 if 192.168.0.8's ports are exhausted
    • 192.168.0.9 if ports are available, or 192.168.0.8 if 192.168.0.9's ports are exhausted
  8. Which protocol provides time synchronization?
    • STP
    • TSP
    • NTP
    • SMTP
    • L2TP
  9. The commands in the graphic have been entered into a PIX Security Appliance. Which two statements are accurate descriptions of what will happen to outgoing traffic when it leaves the trusted network? (Choose two.)
    • The source IP address will be from a pool of addresses in the 192.168.0.3 to 192.168.0.254 range.
    • The source port will be a random port above port 1023.
    • The source IP address will be 192.168.0.2 for all outgoing traffic.
    • The source port will be port 1024.
    • The source IP address will be in the range 10.0.0.1 to 10.0.255.254.
  10. A network administrator has configured an access control list on the Cisco PIX Security Appliance that allows inside hosts to ping outside hosts for troubleshooting. Which debug command can be used to troubleshoot if pings between hosts are not successful?
    • debug icmp inside outside
    • debug ping
    • debug icmp trace
    • debug trace icmp
  11. Which command displays the value of the activation key?
    • write net
    • show version
    • show terminal
    • show configure
  12. What is the maximum number of licensed users supported by the Cisco 501 Security Appliance?
    • 25
    • 100
    • 250
    • 1000
    • 2500
    • unlimited
  13. Once the SDM startup wizard has been completed for the first time, which two are required on a host PC for connection to the Cisco router via HTTP or HTTPS using SDM? (Choose two.)
    • IP address from 10.10.10.2 to 10.10.10.254
    • IP address from 10.0.0.2 to 10.0.0.254
    • IP address from 10.10.10.1 to 10.10.10.254
    • SSL capability
    • Java and JavaScript enabled on the browser
    • VPN connection
  14. A network administrator has received a Cisco PIX Security Appliance from another division within the company. The existing configuration has IP addresses that will cause problems on the network. What command sequence will successfully clear all the existing IP addresses and configure a new IP address on ethernet0?
    • pix1(config)# clear ip all
      pix1(config)# interface ethernet0
      pix1(config-if)# ip address 192.168.1.2
    • ix1(config)# clear ip
      pix1(config)# interface ethernet0
      pix1(config-if)# ip address 192.168.1.2 255.255.255.0
    • pix1(config)# no ip address
      pix1(config)# interface ethernet0
      pix1(config-if)# ip address 192.168.1.2 255.255.255.0
    • pix1(config)# clear ip
      pix1(config)# interface ethernet0
      pix1(config-if)# ip address 192.168.1.2 0.0.0.255
  15. Which algorithm implements stateful connection control through the PIX Security Appliance?
    • Network Address Translation Algorithm
    • Access Control Security Algorithm
    • Adaptive Security Algorithm
    • Spanning Tree Protocol Algorithm
  16. Which three are requested by the Cisco PIX Security Appliance setup dialog? (Choose three.)
    • domain name
    • outside IP address
    • inside IP address
    • hostname
    • date and time
  17. Which two commands will configure a static default route on the PIX Security Appliance in the network shown in the graphic? (Choose two.)
    • route inside outside 0.0.0.0 0.0.0.0 172.16.0.2 1
    • route outside 0.0.0.0 0.0.0.0 172.16.0.2 1
    • ip route inside outside 0 0 192.168.0.2 1
    • route outside 0 0 172.16.0.2 1
    • ip route inside outside 0 0 172.16.0.2 1
    • route outside 0 0 192.168.0.2 1
  18. Interface Ethernet3 on a PIX Security Appliance has been configured with three subinterfaces to pass tagged traffic from three different VLANs. What protocol will be used to tag the VLAN traffic?
    • ISL
    • 802.1x
    • VTP
    • 802.1q
Comments (0)
Test 4
  1. How are transactions between a RADIUS client and a RADIUS server authenticated?
    • by using a shared secret which is never sent over the network
    • by hashing the secret using MD5 and then sending it over the network
    • by hashing the secret using MD4 and then sending it over the network
    • by using a clear-text password and then sending it over the network
  2. The S/KEY system involves three main components. There is a client and a host. What is the third component?
    • a plain text password
    • a password calculator
    • a public and private key
    • biometric authentication
  3. RADIUS uses which transport layer protocol?
    • IP
    • TCP
    • UDP
    • ICMP
    • DLC
  4. Which authentication method is susceptible to playback attacks?
    • passwords using S/KEY
    • passwords using token card
    • passwords requiring periodic change
    • passwords using one-time password technology
  5. A network administrator wishes to use port-level authentication technology to determine network access and assign IP addresses from different DHCP pools to authenticated and unauthenticated users. What standardized framework supports this objective?
    • IEEE 802.1x
    • IEEE 802.11af
    • IEEE 802.1q
    • IEEE 802.1p
  6. After a security audit, network managers realized that the authentication method used by their telecommuting employees needed to be improved. They set up a server and installed client software on the employee laptops of their remote users. They also provided a device for each remote user that generated a password every time they needed to make a remote network connection. Which authentication technology does this process describe?
    • authentication with S/KEY
    • authentication with token card
    • authentication with encrypted password
    • authentication with compressed password
  7. What function does a digital certificate offer to information security?
    • authorization
    • accounting
    • nonrepudiation
    • intrusion prevention
  8. Bookline Inc., an online bookstore, recently installed a web server running Microsoft Windows 2003 Server. Where should the company obtain a digital signature for the web server in order to assure customers that they are connecting to Bookline's server and not an impersonating web server?
    • a digital signature generated by the CA in Microsoft's corporate headquarters
    • a digital signature generated by the CA from a trusted third party
    • a digital signature generated by the CA from a government agency
    • a digital signature generated by any CA that establishes a secure connection
  9. A large law firm wishes to secure dialup access to its corporate network for employees working at home. Since much of the data to be transmitted is highly confidential, the firm requires a high level of encryption and also prefers that each component of AAA be provided separately. Which security protocol best meets these requirements?
    • TACACS
    • XTACACS
    • TACACS+
    • RADIUS
  10. Which two statements are true of Cisco Identity Based Networking Services (IBNS)? (Choose two.)
    • Cisco IBNS uses Cisco-proprietary protocols.
    • Cisco IBNS is a standards-based solution.
    • Cisco IBNS associates users with physical ports.
    • Cisco IBNS associates policies with physical ports.
    • Cisco IBNS associates policies with users.
  11. The administration manager has decided to implement Network Admission Control (NAC) on the corporate network. The Cisco Trust Agent software and NAC-compliant routers and switches have been installed. Which two additional NAC components are required to implement the NAC solution? (Choose two.)
    • access control policy server
    • TACACS+ server
    • NAC cosponsor application server
    • VPN systems
    • remote access server
    • posture validation management system
  12. What are three reasons TACACS+ is preferred over RADIUS for authentication services? (Choose three.)
    • RADIUS has limited name space for attributes.
    • RADIUS is not an industry supported standard.
    • TACACS+ encrypts the entire TACACS+ packet.
    • TACACS+ authentication is included with more recent Windows Server versions.
    • TACACS+ separates authentication and authorization.
    • RADIUS uses TCP as a transport protocol creating additional overhead.
  13. A static username/password authentication method is susceptible to which three types of attacks? (Choose three.)
    • playback
    • theft
    • teardrop
    • syn flood
    • eavesdropping
  14. Company security policy requires the use of a centralized AAA server for network access authentication. Which two protocols are supported by the AAA server? (Choose two.)
    • IPSec
    • SSL
    • RADIUS
    • TACACS+
    • SSH
  15. Which three are functions of AAA? (Choose three.)
    • accounting
    • availability
    • authentication
    • architecture
    • authorization
    • accessibility
  16. Which authentication method sends passwords over the network in clear text yet protects against eavesdropping and password cracking attacks?
    • authentication with FTP
    • authentication with Telnet
    • authentication with S/KEY
    • authentication in POP3 e-mail
Comments (0)
Test 5
  1. What will be the result of executing the command in the graphic?
    • The default login method will use TACACS+ only.
    • TACACS+ accounting will be enabled at login.
    • The enable password will be used if a TACACS+ server is not available.
    • The default TACACS+ user shell will be enabled.
  2. Which two actions are available when using the Cisco Secure ACS
    database replication features? (Choose two.)
    • update of configuration items from a late release to an earlier release of Cisco Secure ACS
    • bidirectional database replication between a primary and a secondary Cisco Secure ACS
    • scheduled replication of part of the database from a primary to a secondary Cisco Secure ACS
    • export of configuration items from a primary to a secondary Cisco Secure ACS
  3. Which AAA service reduces IT operating costs by providing detailed reporting and monitoring of network user behavior, and also by keeping a record of every access connection and device configuration change across the network?
    • authentication
    • accreditation
    • accounting
    • authorization
  4. After Cisco Secure ACS is implemented, users report that they are restricted from accessing the network. The Cisco Secure ACS switches and routers are communicating properly. What is the first step for troubleshooting the problem?
    • Execute debug commands on the router.
    • Check the available logs in CSACS Reports and Activity for abnormalities.
    • Verify that the administrator has an account allowing remote access to the CSACS.
    • Verify that the CSACS user database is enabled.
  5. Refer to the exhibit. Which two services can the network access server use to direct requests from the remote user to the Cisco Secure ACS authentication service? (Choose two.)
    • CSAuth
    • CSUtil
    • RADIUS
    • RDBMS
    • TACACS+
  6. Which tool is used to set up CSACS for Windows Server after the initial installation is completed?
    • web browser
    • telnet session
    • command line interface on the Windows server
    • router configured as an AAA client
  7. What tool should you use to add a single user account to the Cisco Secure ACS for Windows user database?
    • database replication
    • Unknown User Policy
    • RDBMS Synchronization
    • Cisco Secure ACS HTML interface
  8. Cisco Secure ACS can use a number of databases for username and password authentication. Which three databases does Cisco Secure ACS support? (Choose three.)
    • Windows 2000 server user database
    • NDS database
    • Windows 2000 server authentication database
    • Microsoft Access database
    • Cisco Secure ACS user database
  9. Which basic user-network security protocol is supported by Cisco Secure ACS and requires a single log in by users?
    • CHAP
    • IPSec
    • RADIUS
    • PAP
  10. RTA(config)# aaa new-model

    RTA(config)# aaa authentication login default group tacacs+ enable

    After entering the configuration shown, the administrator loses the connection to the router before having the chance to create a new TACACS+ account. What is the easiest way for the administrator to regain administrative access to router RTA?
    • Connect to the router, and use the default TACACS+ username and password.
    • Erase NVRAM, and redo the configuration from scratch.
    • Connect to the router, and supply the enable password.
    • Perform a password recovery procedure on the router.
  11. Which two user databases does Cisco Secure ACS for Windows use to authenticate users? (Choose two.)
    • external user database with appropriate API
    • RADIUS user database
    • TACACS+ user database
    • Windows 2000 Server user database
    • Windows XP user database
  12. An information technology organization uses Cisco Secure ACS for Windows Server version 3.2. The system administrators want to provide a method for users to change their own passwords without intervention from the IT organization. What is required to allow users to change passwords with a web-based utility?
    • Enable UCP on Windows 2000 Server.
    • Configure a Microsoft IIS 4.0 or later.
    • Enable UCP on Cisco Secure ACS for Windows.
    • Configure IIS logging with the user Secure ACS password.
  13. RTA(config)# tacacs-server key 2bor!2b@?
    RTA(config)# tacacs-server host 10.1.2.4
    RTA(config)# tacacs-server host 10.1.2.5

    What will be the effect of these commands on router RTA?
    • The TACACS+ server is now authenticating for the hosts 10.1.2.4 and 10.1.2.5.
    • The TACACS+ server key has been exported to the hosts 10.1.2.4 and 10.1.2.5.
    • The TACACS+ servers 10.1.2.4 and 10.1.2.5 and the router have been set to share the same authentication key.
    • The TACACS+ servers are 10.1.2.4 and 10.1.2.5 and the configuration adds router RTA as a third TACACS+ server.
  14. A network administrator is setting up a computer to run Cisco Secure ACS to support a Cisco VPN 3000 concentrator. Which protocol does the administrator need to enable on CSACS?
    • MD5 HMAC
    • RADIUS
    • TACACS+
    • IEEE 802.1X
  15. In the Cisco Secure ACS Windows architecture CSRadius provides communication between RADIUS AAA clients and which service?
    • CSAdmin
    • CSAuth
    • CSLog
    • CSMon
  16. There are five ways to create user accounts in the Cisco Secure ACS for Windows 2000 Servers. Which two support importing user accounts from external sources? (Choose two.)
    • Cisco Secure ACS HTML interface
    • Unknown User Policy
    • RDBMS Synchronization
    • CSUtil.exe
    • Database Replication
Comments (0)
Test 6
  1. Which command displays the current authenticated users, the host IP to which they are bound, and any cached IP and port authorization information on a Cisco PIX Security Appliance configured for AAA?
    • pixfirewall(config)# show aaa all
    • pixfirewall(config)# show uauth
    • pixfirewall(config)# show aaa statistics
    • pixfirewall(config)# show aaa-server
  2. Which type of authentication is being used when authentication is required via the PIX Security Appliance before direct traffic flow is allowed between users and the company web server?
    • access authentication
    • console access authentication
    • cut-through proxy authentication
    • tunnel access authentication
  3. What will be the effect in the router after these configuration commands are entered?

    Router(config)# ip auth-proxy name aprule http
    Router(config)# interface ethernet0
    Router(config-if)# ip auth-proxy aprule
    • An authentication proxy rule called aprule is created making all authentication proxy services available only through the ethernet0 interface.
    • An authentication proxy rule called aprule has been created for the HTTP protocol and is associated with the ethernet0 interface.
    • An authentication proxy rule called aprule has been created for all protocols except the HTTP protocol and is associated with the ethernet0 interface.
    • An authentication proxy rule called aprule has been created for the HTTP server running internally to the router and is associated with anyone attempting to access the web server from the ethernet0 interface.
  4. Which two are functions of accounting on the PIX Security Appliance? (Choose two.)
    • to track user activities on the PIX.
    • to control administration of the PIX.
    • to control user access to the PIX.
    • to create records that are stored on a designated AAA server.
    • to build and maintain tunnel sessions with the PIX.
  5. Which configuration command defines the association of initiating HTTP protocol traffic with an authentication proxy name MYPROXY?
    • Router(config)# ip auth-proxy MYPROXY http
    • Router(config)# auth-proxy MYPROXY ip http
    • Router(config)# ip auth-proxy name MYPROXY http
    • Router(config)# auth-proxy name MYPROXY ip http
  6. Which command will enable AAA services on a router?
    • Router(config)# aaa enable
    • Router(config)# aaa new-model
    • Router(config)# aaa set enable
    • Router(config)# aaa new-model enable
  7. The lead network administrator notices that unknown users have made router configuration changes. These changes are adversely affecting the network. Which command can be entered on the router to help identify future configuration changes and who made these changes?
    • aaa accounting
    • show uauth
    • aaa accounting console
    • aaa accounting match
  8. The network administrator configured the aaa authorization command below on the PIX Security Appliance. What is the effect of this command?

    pix(config)# aaa authorization include tcp/22 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 auth1
    • FTP traffic from outside is subject to authorization by the AAA server.
    • SSH traffic from outside is subject to authorization by the AAA server.
    • HTTP traffic from outside is subject to authorization by the AAA server.
    • SMTP traffic from outside is subject to authorization by the AAA server.
  9. A TACACS+ server is configured to provide authentication, authorization, and accounting. The IP address of the server is 192.168.50.1, and the AAA authentication encryption key is S3crtK3y. Which command sequence will configure a Cisco router to communicate with the TACACS+ server?
    • Router(config)# aaa new-model
      Router(config)# aaa authentication default group tacacs+
      Router(config)# aaa authorization auth-proxy default group tacacs+
      Router(config)# aaa tacacs-server host 192.168.50.1
      Router(config)# aaa tacacs-server key S3crtK3y
    • Router(config)# aaa enable
      Router(config)# aaa authentication default group tacacs+
      Router(config)# aaa authorization auth-proxy default group tacacs+
      Router(config)# tacacs-server host 192.168.50.1
      Router(config)# tacacs-server key S3crtK3y
    • Router(config)# aaa enable
      Router(config)# aaa authentication login default group tacacs+
      Router(config)# aaa authorization auth-proxy default group tacacs+
      Router(config)# aaa tacacs-server host 192.168.50.1
      Router(config)# aaa tacacs-server key S3crtK3y
    • Router(config)# aaa new-model
      Router(config)# aaa authentication login default group tacacs+
      Router(config)# aaa authorization auth-proxy default group tacacs+
      Router(config)# tacacs-server host 192.168.50.1
      Router(config)# tacacs-server key S3crtK3y
  10. Which command associates the group MYGROUP with the AAA server using the TACACS+ protocol?
    • Pixfirewall(config)# aaa-server MYGROUP tacacs+ protocol
    • Pixfirewall(config)# aaa-server protocol tacacs+ MYGROUP
    • Pixfirewall(config)# aaa-server tacacs+ protocol MYGROUP
    • Pixfirewall(config)# aaa-server MYGROUP protocol tacacs+
  11. With the following configuration command, how long does the PIX Security Appliance try to access the AAA server 10.0.1.10 before choosing the next AAA server if there is no response from 10.0.1.10?

    aaa-server MYTACACS (inside) host 10.0.1.10 secretkey
    • 12 seconds
    • 15 seconds
    • 20 seconds
    • 30 seconds
  12. A user has initiated an HTTP session through a firewall and has been authenticated by an authentication proxy. They have not generated any traffic in a while and the idle timer has expired for that user. What will the user have to do to allow them to go through the firewall again?
    • The user can manually restart the idle timer.
    • The user can simply TFTP their user profile to the proxy.
    • The user must wait two minutes before initiating another session.
    • The user can re-authenticate and initiate another HTTP session through the firewall.
  13. Refer to the exhibit. An administrator enters the following configuration to collect accounting statistics for all HTTP traffic to the web server through a PIX Security Appliance.

    fwl(config)# access-list 110 permit tcp any host 192.168.0.2 eq www
    fwl(config)# aaa accounting match 110 outside Web_Server

    The statistics are to be logged to an accounting server as shown in the exhibit. However, after starting the accounting, no data is being logged to the NY_ACS server.

    What changes to the configuration must the administrator make to correct the problem
    • Change %u201C192.168.0.2%u201D to %u201C10.0.0.2%u201D in the access-list configuration line.
    • Change %u201Chost 192.168.0.2%u201D to %u201Cany%u201D in the access-list configuration line.
    • Change %u201CWeb_Server%u201D to %u201CNY_ACS%u201D in the aaa-accounting configuration line.
    • Change %u201Coutside%u201D to %u201Cinside%u201D in the aaa-accounting configuration line.
  14. What is the default timeout in minutes for the inactivity-timer parameter of the ip auth-proxy command?
    • 15
    • 30
    • 45
    • 60
    • 90
  15. When Cisco IOS Firewall authentication proxy is enabled, a user sends HTTP traffic which will trigger the authentication proxy. What is the first action taken by the proxy?

    • The user will be asked to supply a valid username and password.
    • The TACACS+ server will be contacted to see if the user is a valid user.
    • The authentication proxy will check to see if the user has already been authenticated.
    • If the authentication proxy has no user account for the user, it will check to see if a default guest user has been defined.
  16. Refer to the exhibit. Since ABC, Inc. is strengthening security, a PIX Security Appliance firewall must be configured with AAA services. Accounting should be provided for all FTP and HTTP traffic from any host to the WWW server at 192.168.2.10.
    • pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
      pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http
      pixfirewall(config)# aaa accounting match 110 outside NY_ACS
    • pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
      pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http
      pixfirewall(config)# aaa accounting access-list 110 outside 10.0.0.2
    • pixfirewall(config)# access-list 110 permit tcp any host 10.0.0.2 eq ftp
      pixfirewall(config)# access-list 110 permit tcp any host 10.0.0.2 eq http
      pixfirewall(config)# aaa accounting match 110 outside NY_ACS
    • pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
      pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http
      pixfirewall(config)# aaa accounting match 110 outside 10.0.0.2
Comments (0)
Test 7
  1. Which three conclusions can be made based on the configuration below? (Choose three.)

    Switch# configure terminal
    Switch(config)# interface fastethernet0/12
    Switch(config-if)# dot1x port-control auto
    Switch(config-if)# dot1x re-authentication
    Switch(config-if)# dot1x timeout re-authperiod 180
    • Users connected to the switch will need to be reauthenticated after three hours.
    • Users connected to the switch will need to be reauthenticated after three minutes.
    • The switch has been configured for 802.1x authentication.
    • Port 12 of the switch is not a trunk port.
    • Port 12 of the switch is not a static port.
    • Port 12 of the switch is a dynamic-access port.
  2. If an administrator attempts to configure a switch with 802.1x port-based authentication, which three port types will display an error message? (Choose three.)
    • static access ports
    • trunk ports
    • dynamic ports
    • ports on the same VLAN
    • secure ports
    • ports on different VLANs
  3. IEEE 802.1x can be used to authenticate users for wireless access to network resources. Which protocol has Cisco incorporated into its Wireless Security Suite to provide mutual authentication between the client and the authentication server?
    • CHAP
    • EAP
    • PAP
    • WEP
  4. What are three characteristics of PEAP? (Choose three.)
    • authored by Cisco Systems, Microsoft, and RSA Security
    • relies on a shared secret for authentication
    • requires digital certificates for authentication of servers and users
    • supports mutual authentication
    • transports authentication messages through an encrypted tunnel
    • uses a one-way hash of passwords
  5. Port-based authentication is implemented as shown in the graphic. What protocol will be required for the client-to-switch connection and the switch-to-Cisco Secure ACS communications?
    • ISL; RADIUS
    • 802.1x; RADIUS
    • 802.1q; TACACS+
    • L2TP; TACACS+
  6. Refer to the graphic. During 802.1x port-based authentication, each frame exchanged between the end user and the Catalyst 2950 is encapsulated with a frame header. For what protocol are these frames encapsulated?
    • Ethernet
    • RADIUS
    • EAP
    • PPP
    • IP
  7. Which two sections of Cisco Secure ACS can be used to configure RADIUS profiles? (Choose two.)
    • Interface Setup
    • Server Setup
    • Group Setup
    • Network Setup
    • User Setup
  8. A network administrator wants to configure a Catalyst switch to use a RADIUS server at 172.16.23.31 or a backup RADIUS server at 172.16.23.32 if the first server is unavailable. The administrator wants to use the default RADIUS UDP port and a shared key of Rad4Me. Which configuration will accomplish this goal?
    • Switch(config)# radius-server auth-port 1812 key Rad4Me host 172.16.23.31

      Switch(config)# radius-server auth-port 1812 key Rad4Me host 172.16.23.32
    • Switch(config)# radius-server host 172.16.23.31 auth-port 1812 key Rad4Me
      Switch(config)# radius-server host 172.16.23.32 auth-port 1812 key Rad4Me
    • Switch(config)# radius-server host 172.16.23.31 172.16.23.32 key Rad4Me auth-port 1812
    • Switch(config)# radius-server host 172.16.23.31 key Rad4Me auth-port 1812
      Switch(config)# radius-server host 172.16.23.32 key Rad4Me auth-port 1812
  9. In configuring 802.1x authentication method with the aaa authentication dot1x command, at least one of which two possible options must be entered to create a default list when a named list is not specified on a Catalyst switch? (Choose two.)
    • group tacacs+
    • group radius
    • local
    • none
  10. The dot1x port-control auto interface configuration command has been configured on the Catalyst 2950 shown in the graphic. What is the effect of this command when the link between the switch and the end user becomes active?
    • The end user initiates authentication by sending an EAPOL-start frame once it receives an EAP request from the switch.
    • The authentication server initiates authentication after being notified that the link is active.
    • The switch initiates authentication with the end user.
    • The switch automatically places the connected port in an authorized state.
  11. Refer to the graphic. A small company purchased a Cisco Aironet access point to provide wireless connectivity to staff members. Since other companies in the office complex use wireless, the network support staff wants to be certain that only authorized users access the company network through the new access point. For simplicity, they also want a protocol that is used by Aironet wireless access points, requires no certificates, and supports mutual authentication using the logon password for each user. Which protocol should be used?
    • EAP-MD5
    • EAP-TLS
    • LEAP
    • PEAP
  12. A network team has been tasked to develop a Cisco Secure ACS solution for port-based authentication. The network operation center for all three regions is located at Region 1. What is the best solution to ensure availability to a Cisco Secure ACS for port-based authentication?
    • Install a centralized primary and secondary authentication server at Region 1, which Region 2 and 3 will use for authentication.
    • Install a primary authentication server at each region and use one of the authentication servers from another region for redundancy.
    • Install a primary authentication server at Region 1 for Region 2 and 3 to authenticate, and install a secondary authentication server at Region 2 and 3 for redundancy.
    • Install a primary authentication server at each region and a secondary authentication server at Region 1 for the network operation center clients only.
Comments (0)
Test 8
  1. Which two are types of port mapping supported by PAM? (Choose two.)
    • host
    • reverse
    • dynamic
    • DNS
    • subnet-specific
  2. What does CBAC look for when inspecting TCP sequence numbers?
    • CBAC uses the sequence numbers to defragment the full packet.
    • CBAC checks that the sequence numbers are within an expected range.
    • CBAC rejects packets that arrive at an unusually high sequence rate.
    • CBAC matches the source sequence numbers to the destination sequence numbers.
  3. Which statement is correct concerning CBAC inspection rules?
    • Alert, audit-trail, and timeout are configurable per protocol and override corresponding global settings.
    • Alert, audit-trail, and timeout are only globally configurable.
    • Alert, audit-trail, and timeout are not configurable globally.
    • Alert, audit-trail, and timeout are configurable only for TCP.
  4. What happens when the following commands are executed?

    router(config)# no ip inspect udp idle-time 45
    router(config)# ip inspect dns-timeout 10
    • The router will not manage any inactive UDP connections.
    • The only UDP connections that the router will manage are DNS connections.
    • The router proxies DNS requests and manages them for 10 seconds.
    • The router will manage UDP connections for 30 seconds and DNS connections for 10.
  5. The IT department has decided to offer web and FTP services using TCP port 8000. The web server IP address is 192.168.3.4 and the FTP server IP address is 192.168.5.6. What commands are required to configure the perimeter router to redirect the web and FTP traffic?
    • Router(config)# access-list 10 permit 192.168.5.6
      Router(config)# access-list 20 permit 192.168.3.4
      Router(config)# ip port-map http port 8000 list 10
      Router(config)# ip port-map ftp port 8000 list 20
    • Router(config)# access-list 10 permit 192.168.3.4
      Router(config)# access-list 20 permit 192.168.5.6
      Router(config)# ip port-map ftp port 8000 list 10
      Router(config)# ip port-map http port 8000 list 20
    • Router(config)# access-list 10 permit 192.168.3.4
      Router(config)# access-list 20 permit 192.168.5.6
      Router(config)# ip port-map http port 8000 list 10
      Router(config)# ip port-map ftp port 8000 list 20
    • Router(config)# access-list 10 permit 192.168.3.4
      Router(config)# access-list 20 permit 192.168.5.6
      Router(config)# ip port-map http list 10 port 8000
      Router(config)# ip port-map ftp list 20 port 8000
  6. CBAC is configured on the router shown in the graphic, the statement shown in the graphic is included in access control list 101, and the access control list is applied to interface s0/0 as shown. Single-channel TCP inspection is not included in the CBAC inspection rule. What will happen if the workstation tries to send a Telnet packet to the Internet?
    • The packet will be forwarded by the router as soon as it matches the ACL statement.
    • The packet will be dropped by the router when no match is found in CBAC.
    • The packet will be forwarded by the router, but return Telnet traffic will not be allowed.
    • The packet will be forwarded after CBAC inspection determines that Telnet is an allowed protocol.
  7. Refer to the graphic. If the complete configuration CBAC on CorpFW is correctly entered, which two statements describe the outcome of the completed configuration? (Choose two.)
    • CBAC will delete all half-open connections necessary to accommodate new connections after 300 users have accessed the servers within the last six minutes.
    • CBAC will delete all half-open connections necessary to accommodate new connections after 150 users have accessed the FTP servers within the last six minutes.
    • CBAC will delete all half-open connections necessary to accommodate new connections after more than 300 users have half-open attempts to reach the corporate web server within the last minute.
    • CBAC will delete all half-open connections necessary to accommodate new connections after 150 users have accessed the network within the last minute.
    • CBAC will stop deleting half-open connections after fewer than 150 users have accessed the network within the last minute.
  8. The graphic shows a client opening a Telnet session to a remote host. Which ACL entry will be created by CBAC to allow traffic to return to complete a successful Telnet connection?
    • access-list 110 permit udp host 10.0.0.5 eq 23 host 192.168.2.50 eq 2447
    • access-list 110 permit tcp host 10.0.0.5 eq 23 host 192.168.2.50 eq 2447
    • access-list 110 permit tcp host 192.168.2.50 eq 23 host 10.0.0.5 eq 2447
    • access-list 110 permit tcp host 10.0.0.5 eq 2447 host 192.168.2.50 eq 23
  9. A network administrator needs to configure the router to redirect incoming HTTP requests to a web server at port 8020. Which command should be used?
    • Router(config)# ip port-map http eq 8020
    • Router(config)# ip port-map http port 8020
    • Router(config)# ip port-map port 8020 http
    • Router(config)# ip port-map port 8020 eq http
  10. Which statement is true concerning CBAC and fragmentation inspection rules?
    • An inspection rule instructing the router to fragment packets should always be utilized.
    • A fragmentation rule forces fragments to be buffered until the corresponding initial fragment is received.
    • A fragmentation rule forces non-initial fragments to be discarded unless the initial fragment was allowed to pass.
    • A fragmentation rule should not be used on exterior gateways.
  11. What is the result of the command shown below?

    Router(config)# ip inspect name tester icmp alert on audit-trail on timeout 30
    • inspects ICMP traffic and sends any alert and audit messages to the log file on tester
    • inspects IP traffic and sends an ICMP alert and audit message to tester if an outgoing IP packet is not acknowledged within 30 seconds
    • inspects ICMP traffic and maintains state information on common types of ICMP traffic
    • inspects ICMP traffic and maintains state information according to the tester rule set
  12. The administrator has two goals. First, the administrator plans to use CBAC to block encapsulated Java applets from IP address 172.16.16.1. Then, the administrator plans to use CBAC to block DoS attacks such as the ping-of-death from external network. Which goals are accomlished when the three commands below are entered?

    router(config)# ip access-list 1 deny 172.16.16.1 0.0.0.0
    router(config)# ip inspect name FWALL http java-list 1 timeout 120
    router(config)# ip inspect name FWALL icmp timeout 50

    • The first goal is not accomplished because CBAC cannot block encapsulated Java applets. The second goal is accomplished.
    • The first goal is not accomplished because a subnet mask, not a wild card mask, must be used. The second goal is accomplished.
    • The first goal is accomplished. The second goal is not accomplished because CBAC provides limited stateful inspection for ICMP.
    • Both goals are accomplished.
  13. What is the effect after these two commands are configured on a router?

    router(config)# ip inspect max-incomplete high 300
    router(config)# ip inspect max-incomplete low 100

    • When the combination of half-open TCP and UDP sessions reaches 300, CBAC begins deleting them. When the number falls to 100, CBAC stops deleting them.
    • When the number of half-open sessions per minute reaches 300, CBAC begins deleting them. When the number falls to 100 per minute, CBAC stops deleting them.
    • When the number of half-open sessions reaches 100, CBAC begins deleting them. When the number of cleared sessions equals 300, CBAC stops deleting them.
    • When the number of half-open TCP sessions reaches 300, CBAC begins deleting them. When the number falls to 100, CBAC stops deleting them.
  14. Which filtering technology is often effective but can be circumvented using packet fragmentation?
    • packet filtering
    • stateful filtering
    • URL filtering
    • ACL directional filtering
  15. Which command will turn off CBAC alert messages to the console?
    • router(config)# ip inspect alert-off
    • router(config)# no ip inspect alert
    • router(config)# no ip inspect alert-off
    • router(config)# ip inspect alert log-only
  16. Which filtering technology maintains complete connection information for each TCP or UDP connection and logs the information in a session flow table?
    • packet filtering
    • stateful filtering
    • ACL directional filtering
    • URL filtering
  17. What is indicated if two endpoints in a connection receive reset packets from CBAC?
    • A session has ended by CBAC's proxy fin method.
    • A DoS attack has been halted by CBAC's threshold method.
    • Sequence checking has occured using CBAC's state table method.
    • Spoofing has been prevented using CBAC's session checking method.
  18. Which two configurations will protect the FTP server in the DMZ from DoS attacks? (Choose two.)
    • CorpFW(config)# max-incomplete host 142.22.2.10
      CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time 0
    • CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time 0
      CorpFW(config)# ip inspect name Protect ftp timeout 36001
    • CorpFW(config)# interface FastEthernet 0/0
      CorpFW(config-if)# max incomplete host 142.22.2.10
    • CorpFW(config)# ip inspect max-incomplete high 400
      CorpFW(config)# ip inspect max-incomplete low 200
    • CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time 0
      CorpFW(config)# ip inspect udp max-incomplete host 60 block-time 0
  19. The timeout value in the ip inspect name command is configured in which units?
    • seconds
    • milliseconds
    • microseconds
    • minutes
Comments (0)
Test 9
20 Jan 2010 @ 12:39PM
by Satis

Updated: 20 Jan 2010 @ 12:39PM
  1. Which two commands are used to deny a specific SNMP version and then enable SNMP application inspection on a Cisco PIX Security Appliance? (Choose two.)
    • snmp-map
    • snmp inspect
    • inspect snmp
    • inspect snmp-map
    • snmp-map inspect
  2. The Cisco PIX Security Appliance allows the use of network, protocol, service and ICMP-type object grouping with ACLs. Which statement describes the service object group?
    • It is used to group client hosts, server hosts, or subnets.
    • It is used to group protocols, such as IP, TCP, and UDP.
    • It is used to group TCP or UDP port numbers.
    • It is used to group ICMP message types.
  3. What is the function of the service-policy command within the Modular Policy Framework?
    • defines a set of services set by policies
    • enables a set of policies on an interface
    • identifies traffic flows according to services
    • groups a set of policies according to services
  4. What is the effect when the command shown in the graphic is configured on a Cisco PIX Security Appliance?
    • ActiveX objects are allowed to local host 192.168.2.5 only.
    • ActiveX objects are sent to a filtering server at 192.168.2.5.
    • ActiveX objects are blocked on all inbound connections to local host 192.168.2.5.
    • ActiveX objects are blocked from local host 192.168.2.5 to all outbound connections.
  5. A network administrator has created the object group 10HOSTS to allow ten hosts access to specific network services. Which command does an administrator use to verify that the object group has been configured successfully?
    • show access-list
    • show host-group
    • show 10HOSTS
    • show object-group
  6. Which three statements describe the use of ACLs on a Cisco PIX Security Appliance? (Choose three.)
    • ACLs are used to restrict outbound traffic flowing from a lower to a higher security level interface.
    • ACLs are used to restrict outbound traffic flowing from a higher to a lower security level interface.
    • If no ACL is attached to an interface, inbound traffic is permitted by default unless explicitly denied.
    • If no ACL is attached to an interface, outbound traffic is permitted by default unless explicitly denied.
    • Cisco PIX Security Appliance ACLs use a wildcard mask like Cisco IOS ACLs.
    • Cisco PIX Security Appliance ACLs use a regular subnet mask unlike Cisco IOS ACLs.
  7. Which three channels are used by RTSP applications in standard RTP mode? (Choose three.)
    • master control channel
    • RTP data channel
    • TCP control channel
    • RDT data channel
    • RTP resend channel
    • RTCP reports
  8. Refer to the graphic. What is the result when the network administrator enters the command shown?

    fw1(config)# access-list aclout line 4 permit tcp any host 192.168.0.9 eq www
    • It will replace the existing line 4 in the ACL.
    • It will push the current ACL line 4 and all of the lines that follow down one line.
    • It will require the ACL to be deleted and rewritten because it cannot be inserted as line 4.
    • It will be appended to the end of the ACL, and the current line 4 will be deleted.
  9. A network administrator is considering a URL-filtering application server to work with the Cisco PIX Security Appliance running OS version 6.2. Which application would support the filtering of URL strings longer than 1159 bytes?
    • N2H2
    • Websense
    • either Websense or N2H2
    • any URL-based filtering application
  10. Refer to the configuration shown in the graphic. Both commands have been entered into the Cisco PIX Security Appliance. Why might the administrator have chosen to allow ICMP unreachable traffic to be permitted at the outside interface?
    • Denying ICMP unreachable traffic will disable routing updates.
    • ICMP unreachable traffic is required by web browsers.
    • Denying ICMP unreachable traffic can halt PPTP and IPSec traffic.
    • ICMP unreachable traffic is required for ACLs to work properly.
  11. Which two statements describe the object-group and group-object commands? (Choose two.)
    • The object-group command is a subcommand of the group-object command.
    • The object-group command defines which type of object group will be created.
    • The object-group command can contain other group objects.
    • The group-object command can contain object groups of different types.
    • The group-object command enables the construction of hierarchical, or nested, object groups.
  12. A network administrator configured a Cisco PIX Security Appliance to limit connections to the application server at 192.168.10.5. Which configuration identifies traffic flows for the application server?
    • PIX(config)# access-list 125 permit tcp any host 192.168.10.5
      PIX(config)# class-map APP_Server
      PIX(config-cmap)# match any
    • PIX(config)# access-list 125 permit tcp any host 192.168.10.5
      PIX(config)# service-policy APP_Server
      PIX(config-smap)# match access-group 125
    • PIX(config)# access-list 125 permit tcp any host 192.168.10.5
      PIX(config)# policy-map APP_Server
      PIX(config-pmap)# match access-list 125
    • PIX(config)# access-list 125 permit tcp any host 192.168.10.5
      PIX(config)# class-map APP_Server
      PIX(config-cmap)# match access-list 125
  13. Which two URL-filtering applications can be used with the PIX Security Appliance? (Choose two.)
    • IIS
    • Websense
    • NetSensor
    • N2H2
  14. A network administrator wants to configure an object group to permit hosts 10.1.1.1, 10.1.1.2, and 10.1.1.3 access to network servers. Which commands must be entered to correctly configure an object group for the three hosts?
    • object-group host 3HOSTS
      network-object host 10.1.1.1
      network-object host 10.1.1.2
      network-object host 10.1.1.3
    • object-group network 3HOSTS
      network-object host 10.1.1.1
      network-object host 10.1.1.2
      network-object host 10.1.1.3
    • object-group network 3HOSTS
      host-object host 10.1.1.1
      host-object host 10.1.1.2
      host-object host 10.1.1.3
    • object-group host 3HOSTS
      host-object host 10.1.1.1
      host-object host 10.1.1.2
      host-object host 10.1.1.3
  15. The Cisco PIX Security Appliance with software version 6.2 or higher has eliminated the need for the alias command when configuring NAT translation of IP addresses embedded in DNS messages. Which two commands can now support NAT translation of DNS messages, so that the alias command is no longer required? (Choose two.)
    • dns-route
    • nat
    • route-map
    • static
    • dns
  16. Which command is used to enable a Turbo ACL after it has been configured in global configuration mode?
    • pixfirewall(config)# access-list compiled
    • pixfirewall(config)# ip access-list compiled
    • pixfirewall(config)# access-group ACL_ID turbo
    • pixfirewall(config)# access-list compiled ACL_ID
  17. Why would Service object groups be placed in an access list?
    • A Service object group is used to indicate either the source or the destination port in an access list.
    • A Service object group is used in place of the keyword ip, tcp, udp or icmp.
    • A Service object group is used in place of source or destination server address.
    • A Service object group is used in place of listing individual servers that offer the same service.
Comments (0)
Test 10
  1. Which two commands can be used to verify port security configuration? (Choose two.)
    • Switch# show cam
    • Switch# show buffer
    • Switch# show port-security interface interface_id
    • Switch# show vlan vlan_id port-security
    • Switch# show port-security vlan vlan_id
  2. Which type of attack involves an attacking system becoming a member of all VLANs?
    • switch spoofing
    • double tagging
    • private proxy
    • trunk spoofing
  3. As shown in the graphic, an intruder has connected to ports on two different access switches and wishes to spoof as the root bridge. What would the attacker send in the indicated direction to complete this exploit?
    • BPDUs with a lower bridge priority
    • BPDUs with a higher bridge priority
    • VTP frames with a lower VLAN identity
    • VTP frames with a higher VLAN identity
  4. Which statement describes the purpose of the configuration shown below?

    Switch(config)# ip dhcp snooping
    Switch(config)# ip dhcp snooping vlan 3
    Switch(config-if)# ip dhcp snooping trust
    Switch(config-if)# ip dhcp snooping limit rate 30
    • It is meant to disable any hosts that are attached to VLAN 3 and are configured for DHCP configuration rather than static IP addresses.
    • It is meant to disable any rogue DHCP servers that are attached to VLAN 3.
    • It is meant to monitor VLAN 3 for DHCP attacks that will deplete the DHCP pool.
    • It is meant to monitor VLAN 3 and disable any hosts that are using static IP addresses rather than DHCP addresses.
  5. Which type of output would be produced on a switch after entering the command?

    Switch# show ip dhcp snooping binding
    • DHCP servers on the snooped network
    • DHCP clients on all DHCP snooped switches on the network
    • DHCP clients connected to DHCP snooped ports on the switch
    • all active protocols on all DHCP clients connected to DHCP snooped ports on the switch
  6. A network administrator wants to configure an access switch to protect it from being exploited by attackers sending BPDUs through PortFast-enabled ports. Which command implements this security option by putting any attacked port in an error-disabled state?
    • Switch(config)# spanning-tree portfast bpdudisable default
    • Switch(config)# spanning-tree portfast bpduerror default
    • Switch(config)# spanning-tree portfast bpdufilter default
    • Switch(config)# spanning-tree portfast bpduguard default
  7. A Cisco Catalyst switch is configured as shown in the graphic. Which type of attack is the network administrator trying to prevent?
    • ping flood
    • CAM table overflow
    • MAC spoofing
    • DHCP starvation
  8. The hosts shown in the graphic and all other hosts in the same IP network are members of private VLAN 3 and, by design, should be unable to communicate at Layer 2. What ACL can be configured on the gateway router and applied to interface Fa0/1 to ensure that hosts on the private VLAN are unable to communicate with each other at Layer 3 but are still able to communicate with other networks?
    • Router(config)# access-list 135 deny ip any 192.168.20.0 0.0.0.255
      Router(config)# access-list 135 permit ip any any
      Router(config)# interface fastethernet 0/1
      Router(config-if)# ip access-group 135 out
    • Router(config)# access-list 135 deny ip 192.168.20.0 0.0.0.255 any
      Router(config)# access-list 135 permit ip any any
      Router(config)# interface fastethernet 0/1
      Router(config-if)# ip access-group 135 in
    • Router(config)# access-list 135 deny ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
      Router(config)# access-list 135 permit ip any any
      Router(config)# interface fastethernet 0/1
      Router(config-if)# ip access-group 135 out
    • Router(config)# access-list 135 deny ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
      Router(config)# access-list 135 permit ip any any
      Router(config)# interface fastethernet 0/1
      Router(config-if)# ip access-group 135 in
  9. Which three statements describe a CAM table overflow attack? (Choose three.)
    • The limitations of the switch software image are exploited via flooding of frames.
    • The limitations of the fixed hardware of the CAM table are exploited via flooding of MAC addresses.
    • The limitations of the switch memory cause the switch to operate like a hub in response to overflowing traffic.
    • The configuration of VLANs on the switch minimizes the exploit by containing the flood of traffic to the VLAN supporting the attacker.
    • The impact of the CAM table overflow attack can be lessened with the implementation of macof.
    • The limitation of CAM table size causes the switch to flood traffic to all VLANs under CAM table overflow attack.
Comments (0)