CCNP2 V5.0 QUIZ6
QUIZ6_CCNP2_V5.0, 2011-05-26

1. What is the benefit of the network-based IPS (NIPS) over host-based IPS (HIPS) deployment models?
   a. NIPS provides individual host protection.
   b. NIPS relies on centrally managed software agents.
   c. NIPS monitors all operations within an operating system.
   d. NIPS monitors network segments.

2. What are the two main improvements stateful firewalls have over packet filters? (Choose two.)
   a. Stateful firewalls maintain a session table.
   b. Stateful firewalls recognize dynamic applications.
   c. Stateful firewalls operate only at the session layer.
   d. Stateful firewalls intercept and establish connections on behalf of the client.
   e. Stateful firewalls understand TCP flags such as established.
   f. Stateful firewalls can filter ICMP based on types and codes.

3. Which two statements are true when SDM is used to configure the Cisco IOS Firewall features? (Choose two.)
   a. In the Create Firewall tab there are two wizards to choose from.
   b. The Basic Firewall wizard applies either predefined rules or individually customized rules depending on the security level requested.
   c. The workstation that is running SDM must be communicating through the DMZ defined port on the router.
   d. A trusted interface is an interface that does not trust traffic from other interfaces on the router.
   e. SDM applies access rules to selected inside (trusted) and outside (untrusted) interfaces.

4. Which three statements about the Cisco IOS Firewall feature set are true? (Choose three.)
   a. The Cisco IOS Authentication Proxy feature can retrieve user profiles from a Cisco Secure Access Control Server (ACS), RADIUS, or TACACS+ authentication server.
   b. The Cisco IOS Authentication Proxy feature is not compatible with Network Address Translation (NAT).
   c. The Cisco IOS Firewall feature specifically filters TCP and UDP packets based on application layer protocol session information.
   d. The Cisco IOS Firewall feature generates an alert that can be logged to the logging destinations or via Security Device Event Exchange (SDEE).
   e. The Cisco IOS IPS feature acts as an offline intrusion prevention sensor.
   f. The Cisco IOS IPS feature can detect an attack and send an alarm, drop the packet, send TCP resets, or block an IP address.


5. Refer to the exhibit. On the basis of the information that is provided, which statement is true?
   a. If the router is unable to find the 128MB.sdf file, it will load the default.sdf file from NVRAM.
   b. In the next screen, the Select Interfaces screen will be displayed.
   c. IPS is already enabled on this router.
   d. The 128MB.sdf SDF is the backup IPS signature file.
   e. The 128MB.sdf SDF requires 128 MB of flash to operate.
   f. When applying the 128MB.sdf SDF, it could take several minutes to deliver the configuration to the router.

6. Refer to the exhibit. On the basis of the information that is provided, which statement is true?
   a. Event notification will be forwarded to the Security Device Event Exchange (SDEE) only if the syslog server is unavailable.
   b. The IPS fail closed function should be enabled.
   c. Router RTA successfully loaded the IPS signatures from the 128MB.sdf file.
   d. Router RTA successfully loaded the IPS signatures from the 128MB.sdf and the default.sdf file.
   e. The default.sdf file contains the built-in IPS signatures.
   f. Traffic that is exiting the Fa0/0 and Fa0/1 interfaces will be inspected.

7. Which statement is true about stateful inspection of UDP packets?
   a. Sequence numbers are checked to ensure that the expected packet is being forwarded.
   b. All packets matching the flow are permitted until an idle timer expires.
   c. A channel on a well-known port is opened and then additional channels are negotiated through the initial session.
   d. UDP packets are not usually tracked through stateful inspection.

8. What deletes half-open, idle, and half-closed TCP sessions from the state table?
   a. Time-outs result in the deletion of those sessions.
   b. The administrator must flush them out manually.
   c. They are automatically flushed out every 24 hours.
   d. They are removed when the table becomes too large.
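The two questions above (UDP stateful inspection, and what removes half-open, idle and half-closed TCP sessions from the state table) map directly onto the global timers of the Cisco IOS Firewall inspection engine (CBAC). The configuration below is an added example written for this page, not part of the quiz or its exhibits. The rule name FW-INSPECT is an assumption; the numeric values are the IOS defaults for each timer, written out so that the behaviour is visible in the configuration.

```cisco
! Added example, not from the quiz: the CBAC timers that decide when an entry
! leaves the state table. Rule name FW-INSPECT is assumed; values are IOS defaults.
!
! Per-protocol inspection rules. A per-rule timeout overrides the global one.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT http
ip inspect name FW-INSPECT udp timeout 15
!
! Half-open TCP sessions: a SYN was seen but the three-way handshake has not
! completed. The entry is deleted when synwait-time expires.
ip inspect tcp synwait-time 30
!
! Half-closed TCP sessions: a FIN exchange has started. The entry lingers only
! for finwait-time so the final ACKs can pass, then it is deleted.
ip inspect tcp finwait-time 5
!
! Idle sessions: no packet in either direction for idle-time. TCP defaults to
! one hour. UDP has no handshake or FIN, so the idle timer is the only thing
! that ever closes a UDP entry; every packet matching the flow refreshes it.
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
!
! SYN-flood protection. Above the high water mark CBAC deletes the oldest
! half-open entries until the count (or the one-minute rate of new half-open
! sessions) drops under the low water mark. A per-destination-host limit can
! additionally block new attempts to one host for block-time minutes.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! Log session creation and deletion so the timer behaviour can be observed.
ip inspect audit-trail
```

Nothing in this block has to be flushed by hand: every entry leaves the table because a timer expired or a half-open threshold was crossed. `show ip inspect config` displays the effective timers and `show ip inspect sessions detail` shows the live entries with their remaining time.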

9. Which statement is true about Cisco IDS?
   a. It is an active device in the traffic path.
   b. It listens to only select traffic to determine if it is malicious or not.
   c. It is not able to send a TCP reset to the end host.
   d. When malicious traffic is detected, the subsequent traffic is blocked but the initial packets are transmitted.

10. Of the four approaches to identify malicious traffic, which approach will look for packets that are destined to or from a particular port?
   a. signature-based
   b. policy-based
   c. anomaly-based
   d. honeypot

11. How are anomaly-based approaches detected when using an IPS and IDS?
   a. IPS and IDS monitor the network for an increase of unusual events in a certain type of traffic.
   b. Alarms are sent when traffic violates a listing of rules and regulations for the network.
   c. Packet headers or data payloads are matched against a sequence or a string of bytes in a certain context.
   d. IPS and IDS are used to lure an attacker either to leave the real targets alone or to give the administrator the time to tighten the network defense.


12. Refer to the exhibit. Based on the IOS firewall configuration, which three statements are true? (Choose three.)
   a. Host 10.7.7.7 will not be able to communicate with hosts on the inside network.
   b. Via the use of TCP with source port 80, host 10.7.7.7 will be able to reply to hosts on the outside network.
   c. All IP traffic that originates from the inside to the DMZ or outside will create inspection state table entries.
   d. An extended IP access-list is required on interface FastEthernet0/0 to allow the firewall inspection engine to track IP traffic that originates from the inside network.
   e. TCP traffic that is destined for port 80 on host 10.7.7.7 from the outside will be allowed without a match in the inspection state table. All remaining incoming traffic from the outside must have a match.
   f. Because of improper configuration, hosts on the outside will be able to originate TCP traffic if the traffic is destined for the inside hosts.
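The exhibit for the question above is not reproduced in this transcript, but the options describe a recognisable design: inspection applied to traffic arriving from the inside, a DMZ host 10.7.7.7 that outside clients may reach on TCP port 80 through a static permit, and every other inbound packet from the outside needing a matching state-table entry. The configuration below is an added example built from that description; it is not the quiz exhibit. The interface names, the inside (10.1.1.0/24) and outside addresses, and the rule and ACL names are assumptions; only 10.7.7.7 and port 80 come from the question.

```cisco
! Added example, not the quiz exhibit: a three-interface Cisco IOS Firewall
! (CBAC) deployment. Interface names, 10.1.1.0/24, the outside address and the
! names INSIDE-OUT / OUTSIDE-IN / DMZ-IN are assumptions for illustration.
!
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
ip inspect name INSIDE-OUT http
!
! Inside (trusted). Inspecting inbound here means every session that originates
! on the LAN gets a state-table entry, and CBAC inserts a temporary permit at the
! top of the ACLs on the other interfaces for that session's return traffic.
! No inbound ACL is needed on this interface for inspection to work; if one is
! present it must permit the traffic that is to be inspected.
interface FastEthernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip inspect INSIDE-OUT in
!
! DMZ: the web server 10.7.7.7 lives here.
interface FastEthernet0/1
 description dmz
 ip address 10.7.7.1 255.255.255.0
 ip access-group DMZ-IN in
!
! Outside (untrusted): a static ACL admits only the published service.
interface Serial0/0
 description outside
 ip address 192.0.2.1 255.255.255.252
 ip access-group OUTSIDE-IN in
!
ip access-list extended OUTSIDE-IN
 ! Static permit: new connections to the DMZ web server need no state entry.
 permit tcp any host 10.7.7.7 eq 80
 ! Everything else from the outside must match a dynamic entry that CBAC
 ! created for a session originated on the inside; otherwise it is dropped.
 deny ip any any log
!
ip access-list extended DMZ-IN
 ! The server answers from source port 80 with ACK/RST set (established), to
 ! outside clients and to inside clients alike, but it may not originate
 ! sessions toward the inside network.
 permit tcp host 10.7.7.7 eq 80 any established
 deny ip any 10.1.1.0 0.0.0.255 log
 permit ip any any
```

The point to notice is where the state comes from: connections from the inside are tracked because they are inspected on FastEthernet0/0, whereas connections from the outside to 10.7.7.7 are never inspected and rely entirely on the two static ACL lines (the permit on OUTSIDE-IN and the established permit on DMZ-IN). Verify with `show ip inspect sessions` after opening a connection from an inside host, and with `show ip access-lists` to see the dynamic entries CBAC added.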

13. Which two statements about the Cisco IOS Firewall feature set are true? (Choose two.)
   a. The Cisco IOS Firewall feature set is only supported on Cisco ISR routers.
   b. The Cisco IOS Firewall feature set is installed by default on all newer Cisco IOS images.
   c. The Cisco IOS Firewall feature set is an option available for Cisco IOS images.
   d. The Cisco IOS Firewall feature set is the new name for what was previously known as CBAC.
   e. The Cisco IOS Firewall feature set is only supported on Cisco 2600 routers or higher.
   f. The Cisco IOS Firewall feature set includes the Cisco IOS Firewall, which was previously known as CBAC.

14. Which feature of the Cisco IOS Firewall feature set helps identify packets and flows that appear to be malicious network activity?
   a. authentication proxy
   b. packet filtering
   c. CBAC
   d. intrusion prevention system
   e. Cisco IOS Firewall Authentication Proxy

15. Which statement about accessibility to the SDM is true?
   a. The SDM can never be accessed from an untrusted domain.
   b. With the use of either HTTP or HTTPS, the SDM can be accessed from a trusted or untrusted domain.
   c. With the use of HTTPS, the SDM can be accessed from an untrusted domain.
   d. With the use of HTTP, the SDM can be accessed from an untrusted domain if the Allow Untrusted HTTP access box is checked in the Advanced Firewall Configuration menu.

16. Which two Cisco IOS Firewall configuration statements are true? (Choose two.)
   a. The Cisco IOS Firewall can be configured in two directions on one or more interfaces.
   b. The Cisco IOS Firewall can be configured in only one direction using one interface.
   c. The Cisco IOS Firewall is typically configured on an internal or external router interface.
   d. By default, the Cisco IOS Firewall will be configured on the outside interface if nothing is selected.


17. Which three actions can the Cisco IOS Firewall IPS feature be configured to take when an intrusion signature is detected? (Choose three.)
   a. alarm
   b. drop
   c. inoculate
   d. isolate
   e. reset TCP connection
   f. reset UDP connection

18. What is being configured when the command ip inspect is issued on a Cisco router?
   a. application layer gateway inspection
   b. Cisco IOS Intrusion Detection System
   c. Cisco IOS Intrusion Prevention System
   d. Cisco IOS Firewall
   e. packet filtering

19. Refer to the exhibit. Which statement best describes how incoming traffic on serial 0/0 is handled?
   a. Traffic that is coming from any source other than 172.31.235.0/24 will be scanned and reported.
   b. Traffic that is sourced from 172.31.235.0/24 will be scanned and reported.
   c. Traffic that is sourced from 172.31.235.0/24 will be sent directly to its destination without being scanned or reported.
   d. Traffic not matching ACL 100 will be dropped.
   e. Traffic matching ACL 100 will be scanned and reported.
   f. Traffic not matching ACL 100 will be scanned and reported.
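The IOS IPS questions on this page (the 128MB.sdf and default.sdf exhibits, the SDEE and fail-closed options, the signature actions, and the ACL 100 exhibit above) all concern the SDF-based IOS IPS of IOS 12.3(8)T through 12.4(10), before the signature format changed in 12.4(11)T. The configuration below is an added example, not any of the quiz exhibits. The rule name IOSIPS, the interface, the signature chosen for the override and the SDEE buffer size are assumptions; the network 172.31.235.0/24 and ACL number 100 are taken from the question above.

```cisco
! Added example, not the quiz exhibit: SDF-based Cisco IOS IPS on the outside
! interface. IOSIPS, Serial0/0, signature 2004 and the SDEE buffer size are
! assumptions; 172.31.235.0/24 and ACL 100 come from the quiz question.
!
! Signature definition file. 128MB.sdf is the Cisco-supplied SDF sized for
! routers with 128 MB of DRAM (the number refers to memory, not to flash).
! If no SDF is configured or the file cannot be loaded, the router uses the
! built-in signatures compiled into the IOS image, not a file in NVRAM.
ip ips sdf location flash://128MB.sdf
!
! Fail closed: drop packets on IPS interfaces whenever the signature engine is
! not ready to scan (still compiling, or the build failed). Default is fail open.
ip ips fail closed
!
! Alerts go both to syslog and to SDEE. SDEE is polled over HTTP(S) by a
! management station such as SDM, so the HTTP server must be running; the
! event buffer holds events until they are collected.
ip ips notify log
ip ips notify SDEE
ip http secure-server
ip sdee events 200
!
! The ACL selects what is examined: packets PERMITTED by it are scanned and
! reported, packets DENIED by it bypass IPS entirely (they are forwarded, not
! dropped). Here 172.31.235.0/24 is exempted, e.g. a trusted scanner network.
access-list 100 deny ip 172.31.235.0 0.0.0.255 any
access-list 100 permit ip any any
ip ips name IOSIPS list 100
!
! The action a signature takes when it fires (alarm, drop the packet, or reset
! the TCP connection) is a property of the signature in the SDF. From the CLI a
! signature can only be disabled, deleted, or restricted to traffic that matches
! an ACL. Signature 2004 (ICMP echo request) is disabled here to stop the noise.
ip ips signature 2004 0 disable
!
! Apply the rule to traffic entering the untrusted interface.
interface Serial0/0
 description outside
 ip ips IOSIPS in
```

The easy mistake is reading ACL 100 as a filter: a deny in the list attached with `ip ips name ... list` does not drop anything, it only excludes that traffic from inspection, and a permit does not admit anything, it only marks the traffic for scanning. `show ip ips configuration` confirms which SDF loaded and whether fail closed is active, `show ip ips signatures` lists the active signatures with their actions, and `show ip sdee events` shows what has been queued for SDEE subscribers.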

20. Refer to the exhibit. On the basis of the information in the exhibit, which statement is true?
   a. Checking the Allow Secure SDM Access From Outside Interfaces checkbox will display a screen to specify a host IP address or a network address.
   b. Clicking the Next button will display the Firewall ACL Configuration screen.
   c. Leaving the Allow Secure SDM Access From Outside Interfaces checkbox unchecked and clicking Next will display a Warning screen stating that SDM cannot be launched by interface Fa0/1.
   d. Once the Firewall Wizard has delivered the configuration to the router, the interface IP addresses must be assigned.
   e. Valid choices for the outside (untrusted) interfaces include FastEthernet and serial interfaces.
