PrepKing
Number: 642-566
Passing Score: 800
Time Limit: 120 min
File Version: 9.8
http://www.gratisexam.com/
PrepKing 642-566
Exam A
QUESTION 1
You are the network consultant from your company. Please point out two requirements that call for the deployment of 802.1X.
A. Authenticate users on switch or wireless ports
B. Grant or deny network access at the port level, based on configured authorization policies
C. Allow network access during the quiet period
D. Verify security posture using TACACS+
Correct Answer: AB
QUESTION 2
Open Shortest Path First (OSPF) is a dynamic routing protocol for use in Internet Protocol (IP) networks. An OSPF router on the network is running at an abnormally high CPU rate. Using different OSPF debug commands on the router, the network administrator determines that the router is receiving many OSPF link state packets from an unknown OSPF neighbor, thus forcing many OSPF path recalculations and affecting the router's CPU usage. Which OSPF configuration should the administrator enable to prevent this kind of attack on the router?
A. Multi-Area OSPF
B. OSPF stub Area
C. OSPF MD5 Authentication
D. OSPF not-so-stubby Area
Correct Answer: C
QUESTION 3
Which one of the following Cisco Security Management products is able to perform (syslog) events normalization?
A. Cisco IME
B. Cisco Security Manager
C. Cisco ASDM
D. Cisco Security MARS
Correct Answer: D
QUESTION 4
Which one of the following platforms has the highest IPSec throughput and can support the highest number of tunnels?
A. Cisco 6500/7600 + VPN SPA
B. Cisco ASR 1000-5G
C. Cisco 7200 NPE-GE+VSA
D. Cisco 7200 NPE-GE+VAM2+
Correct Answer: A
QUESTION 5
Which two methods can be used to perform IPSec peer authentication? (Choose two.)
A. One-time Password
B. AAA
C. Pre-shared key
D. Digital Certificate
Correct Answer: CD
QUESTION 6
Cisco Security Agent is the first endpoint security solution that combines zero-update attack protection, data loss prevention, and signature-based antivirus in a single agent. This unique blend of capabilities defends servers and desktops against sophisticated day-zero attacks and enforces acceptable-use and compliance policies within a simple management infrastructure. What are three functions of CSA in helping to secure customer environments?
A. Control of executable content
B. Identification of vulnerabilities
C. Application Control
D. System hardening
Correct Answer: ACD
QUESTION 7
Cisco Secure Access Control Server (ACS) is an access policy control platform that helps you comply with growing regulatory and corporate requirements. Which three of these items are features of the Cisco Secure Access Control Server?
A. NDS
B. RSA Certificates
C. LDAP
D. Kerberos
Correct Answer: ABC
QUESTION 8
Which one of the following protocols is used to allow the utilization of Cisco Wide Area Application Engines or Cisco IronPort S-Series web security appliances to localize web traffic patterns in the network and to enable the local fulfillment of content requests?
A. TLS
B. DTLS
C. WCCP
D. HTTPS
Correct Answer: C
QUESTION 9
Which one is not a factor that can affect the risk rating of an IPS alert?
A. Relevance
B. Attacker location
C. Event severity
D. Signature fidelity
Correct Answer: B
QUESTION 10
Which two of the following are differences between symmetric and asymmetric encryption algorithms? (Choose two.)
A. Asymmetric encryption is slower than symmetric encryption
B. Asymmetric encryption is more suitable than symmetric encryption for real-time bulk encryption
C. Symmetric encryption is used in digital signatures and asymmetric encryption is used in HMACs
D. Asymmetric encryption requires a much larger key size to achieve the same level of protection as symmetric encryption
Correct Answer: AD
QUESTION 11
Deploying the NAC appliance in in-band mode is better than out-of-band mode. Why?
A. Nessus scanning
B. Higher number of users per NAC Appliance
C. Bandwidth enforcement policy
D. NAC Appliance Agent deployment
Correct Answer: C
QUESTION 12
In what respects are IPSec-based site-to-site VPNs better than traditional WAN networks?
A. Delay guarantees, span, performance, security and low cost
B. Bandwidth guarantees, support for non-IP protocols, scalability and modular design guidelines
C. Bandwidth guarantees, flexibility, security and low cost
D. Span, flexibility, security and low cost
Correct Answer: D
QUESTION 13
Which VPN technology cannot be used over the Internet?
A. VTI
B. GRE over IPsec
C. IPsec direct encapsulation
D. GET VPN
Correct Answer: D
QUESTION 14
DRAG AND DROP
Match each IKE component to its supported option:
Select and Place:
Correct Answer:
QUESTION 15
DRAG AND DROP
Which item is correct about the relationship between the VPN types and their descriptions?
Select and Place:
Correct Answer:
QUESTION 16
DRAG AND DROP
Select the best security control to minimize the WAN security threats. Not all the security controls are required.
Select and Place:
Correct Answer:
QUESTION 17
Which is the primary benefit that DTLS offers over TLS?
A. Both the application and TLS can retransmit lost packets
B. Improves security
C. Provides low latency for real-time applications
D. Uses TCP instead of UDP to provide a reliable transport mechanism
Correct Answer: C
QUESTION 18
DRAG DROP
Which option is correct about the relationship between the terms and their description?
Select and Place:
Correct Answer:
QUESTION 19
Cisco AutoSecure is a new Cisco IOS Security Command Line Interface (CLI) command. Which two statements are true regarding Cisco AutoSecure? (Choose two.)
A. Enables tcp-keepalives-in and tcp-keepalives-out
B. Disables tcp-keepalives-in and tcp-keepalives-out
C. Enables log messages to include sequence numbers and time stamps
D. Blocks all IANA-reserved IP address blocks
Correct Answer: CD
QUESTION 20
Exhibit:
In order to support IPSec VPN, which three traffic types should ACL1 permit on the firewall in front of the IPSec VPN gateway? (Choose three.)
A. IP Protocol 50
B. UDP port 4500
C. UDP Port 10000
D. UDP Port 5000
Correct Answer: ABD
QUESTION 21
Which of these items is a feature of a system-level approach to security management?
A. Multiple cross-vendor management platforms
B. Complex Operations
C. Responsibility sharing
D. Single-element management
E. High Availability
Correct Answer: E
QUESTION 22
Which typical design choices should be taken into consideration while designing Cisco solution-based enterprise remote-access solutions?
A. Authentication: one-time passwords, digital certificates
B. Endpoint security: managed endpoints versus unmanaged endpoints protection (Cisco Security Agent, Cisco NAC Agent, Cisco Secure Desktop)
C. Traffic protection: IPSec versus SSL
D. Central site aggregation device: ISR versus Cisco ASA, high-availability options
Correct Answer: ABCD
QUESTION 23
What can be used to enable IPSec usage across Port Address Translation (PAT) devices?
A. Port Forwarding
B. IPSec Tunnel Mode
C. PRI
D. NAT-T
Correct Answer: D
QUESTION 24
Cisco NAC Appliance, formerly Cisco Clean Access (CCA), is a network access control solution developed by Cisco Systems that helps ensure a secure and clean network environment. Which Cisco NAC Appliance design is the most scalable architecture for campus LANs because it offers high performance after posture verification?
A. In-band real-ip gateway
B. Layer 2 out-of-band
C. In-band virtual gateway
D. Layer 3 central deployment
Correct Answer: B
QUESTION 25
Which functionality can be used by the Cisco Security MARS security appliance to achieve events aggregation?
A. Sessionalization
B. Events action filters
C. Summarization
D. Cisco Security Manager policy correlations
Correct Answer: A
QUESTION 26
Which one of the following elements is essential to perform events analysis and correlation?
A. Implementation of a centralized provisioning system, such as Cisco Security Manager
B. Elimination of all the true positive events
C. Implementation of different security controls and platforms when using the defense-in-depth approach
D. Time synchronization between all the devices
Correct Answer: D
QUESTION 27
You are a network engineer at your company. Please point out two functions of Cisco Security Agent.
A. Spam filtering
B. Authentication
C. Resource Protection
D. Control of executable content
Correct Answer: CD
QUESTION 28
DRAG DROP
Which option is correct about the relationship between the malware type and its description? Make the appropriate matches.
Select and Place:
Correct Answer:
QUESTION 29
Which one of the following platforms could support the highest number of SSL sessions?
A. Cisco 7200 NPE-GE+VAM2+
B. Cisco ASA 5580
C. Cisco 6500/7600 + VPN SPA
D. Cisco ASR 1000-5G
Correct Answer: B
QUESTION 30
What will happen if a preconfigured usage threshold is exceeded while using the Cisco IOS Network Foundation Protection (NFP) Memory Thresholding Notification and CPU Thresholding Notification features?
A. The router will send an SNMP trap to a management station
B. The router will reboot
C. The router will switch from process switching to Cisco Express Forwarding switching
D. The router will switch from Cisco Express Forwarding switching to process switching
Correct Answer: A
QUESTION 31
Select the advantage of the Cisco ASA phone proxy feature:
A. Enables advanced H.323 inspection services that support H.323 versions 1 along with Direct Call Signaling (DCS) and Gatekeeper-Routed Call Signaling (GKRCS) to provide flexible security integration in a variety of H.323-driven VoIP environments
B. Enables inspection of the RTSP protocols that are used to control communications between the client and server for streaming applications
C. Allows telecommuters to connect their IP phones to the corporate IP telephony network securely over the Internet, without the need to connect over a VPN tunnel
D. Allows businesses to configure granular policies for SCCP traffic, such as enforcing only registered phone calls to send traffic through the Cisco ASA security appliance and filtering to message IDs to allow or disallow specific messages
Correct Answer: C
QUESTION 32
Which two Cisco products/features provide the best security controls for a web server having applications running on it that perform inadequate input data validation? (Choose two.)
A. Cisco Application Velocity System (AVS)
B. Cisco IOS Flexible Packet Matching (FPM)
C. Cisco Security Agent data access controls
D. Cisco ACE XML Gateway
Correct Answer: CD
QUESTION 33
Which two protocols can perform high-availability IPS design by use of the Cisco IPS 4200 Series Sensor appliance? (Choose two.)
A. HSRP
B. Spanning Tree
C. EtherChannel load balancing
D. SDEE
Correct Answer: BC
QUESTION 34
______________ are needed for a device to join a certificate-authenticated network?
A. The certificates of the certificate authority and the peer
B. The certificates of the device and its peer
C. The certificates of the certificate authority, the device and the peer
D. The certificates of the certificate authority and the device
Correct Answer: D
QUESTION 35
An incident in MARS is _______________.
A. A series of raw messages sent to the MARS via syslog, SNMP
B. A series of events that is correlated to represent a single occurrence using related information within a given timeframe
C. A series of events that triggered a defined rule in the system
D. A series of behaviors in a session that describe an anomaly, worm or virus
Correct Answer: C
QUESTION 36
You are working as a Network Engineer at your company. Please suggest one encryption protocol to your customer from an enterprise with standard security requirements.
A. WEP
B. DES EAP-TLS bidirectional authentication
C. MD5
D. AES-128
Correct Answer: D
QUESTION 37
Which item can authenticate remote IPSec VPN users?
A. PFS
B. Pre-shared Key
C. Diffie-Hellman (DH)
D. XAUTH
Correct Answer: D
QUESTION 38
Which is the best countermeasure to protect against rogue access points that are outside the enterprise physical perimeter and that attempt to attract legitimate clients?
A. Wireless IDS/IPS
B. EAP-TLS bidirectional authentication
C. Personal firewall
D. Management Frame Protection
Correct Answer: B
QUESTION 39
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection feature that effectively mitigates a wide range of network attacks. A component of the Cisco IOS Integrated Threat Control Framework and complemented by Cisco IOS Flexible Packet Matching feature, Cisco IOS IPS provides your network with the intelligence to accurately identify, classify and stop or block malicious traffic in real time. Which statement is true regarding Cisco IOS IPS performance and capabilities?
A. It offers a wider signature coverage than the IDSM-2 Module
B. It uses a parallel signature-scanning engine to scan for multiple patterns within a signature micro-engine at any given time
C. It has a minimal impact on router memory
D. It should be enabled to maximize the coverage, except for false-positives reduction
Correct Answer: B
QUESTION 40
Which one can be used to provide logical separation between the voice and data traffic at the access layer?
A. Protected Ports
B. Firewall
C. Port Security
D. Auxiliary VLAN
Correct Answer: D
QUESTION 41
Which type of native encryption is supported by the LWAPP protocol?
A. RC5
B. AES
C. ECC
D. IDEA
Correct Answer: B
QUESTION 42
Which three descriptions are true with regard to the perimeter-endpoint security architecture? (Choose three.)
A. The architecture is easy to operate and to maintain and is flexible for adding new services
B. The network is partitioned into security domains
C. The architecture uses a restrictive access model
D. The architecture offers integration of network and endpoint security
Correct Answer: BCD
QUESTION 43
Which Cisco product can provide endpoint-based trusted-traffic marking while implementing QoS?
A. Cisco Trust Agent
B. Cisco Secure Services Client
C. Cisco Secure Desktop
D. Cisco Security Agent
Correct Answer: D
QUESTION 44
What will the NAC Appliance Agent check on the client machine? (Choose three.)
A. IP Address
B. Presence of Cisco Security Agent
C. Registry Keys
D. Microsoft hotfixes
Correct Answer: BCD
QUESTION 45
In reconnaissance attacks, which two attack methods are typically used? (Choose two.)
A. Operating system and application fingerprinting
B. Buffer overflows
C. TCP/UDP port scanning and sweeping
D. ARP spoofing
Correct Answer: AC
QUESTION 46
Which functions can be provided by Cisco SSL VPN solution by use of the Cisco Secure Desktop? (Select all that apply.)
A. Secure Vault
B. Cache Cleaner
C. Pre-login assessment
D. Advanced Endpoint Assessment
Correct Answer: ABCD
QUESTION 47
Which description is true about the hybrid user authentication model for remote-access IPSec VPNs?
A. VPN servers and users authenticate by using digital certificates
B. VPN servers authenticate by using digital certificates and users authenticate by using pre-shared keys
C. VPN servers and users authenticate by using pre-shared keys
D. VPN servers authenticate by using digital certificates and users authenticate by using usernames and passwords
Correct Answer: D
QUESTION 48
Which two of the following settings can be monitored by the Cisco Security Agent (release 5.2 and later) to control a user's wireless access? (Choose two.)
A. Antivirus Version
B. Protection types such as WEP, TKIP
C. Wireless card type (802.11a, b or g)
D. SSIDs
Correct Answer: BD
QUESTION 49
What should be taken into consideration while performing Cisco NAC Appliance design? Select all that apply.
A. Edge deployment versus central deployment
B. In-band versus out-of-band
C. Real-IP Gateway versus virtual gateway
D. Layer 2 versus Layer 3
E. None of the other alternatives apply.
Correct Answer: ABCD
QUESTION 50
You are the network consultant from your company. Please point out two technologies that address ISO 17799 requirements for detecting, preventing and responding to attacks and intrusions.
A. Cisco Security Agent
B. 802.1X
C. Cisco Security MARS
D. Cisco Secure Access Control Server
Correct Answer: AC
QUESTION 51
In today's typical single-tier firewall system, which three security components can be found? (Choose three.)
A. Network Admission Control
B. IPS
C. Stateful Packet filtering with Application Inspection and Control
D. Application Proxy
Correct Answer: BCD
QUESTION 52
Before damage can occur to the network, Cisco Security Agent blocks malicious behavior through ___________
A. Firewall
B. Interception of operating system calls
C. User query and response
D. Third-party anti-virus software
Correct Answer: B
QUESTION 53
Cisco IOS Control Plane Protection is able to be used to protect traffic to which three router control plane subinterfaces? (Choose three.)
A. transit
B. cpu
C. host
D. CEF-exception
Correct Answer: ACD
QUESTION 54
Which item will be performed on Cisco IP Phones so that they can authenticate before obtaining network access?
A. Cisco Security Agent
B. One-time Password
C. IEEE 802.1X Supplicant
D. AAA Client
Correct Answer: C
QUESTION 55
Which authentication protocol can provide single sign-on (SSO) services?
A. EAP
B. TACACS+
C. RADIUS
D. Kerberos
Correct Answer: D
QUESTION 56
Why is GET VPN not deployed over the public Internet?
A. Because the GET VPN group members use multicast to register with the key servers
B. Because the GET VPN key servers and group members require a secure path to exchange the Key Encryption Key (KEK) and the Traffic Encryption Key (TEK)
C. Because the GET VPN uses IPSec transport mode, which would expose the IP addresses to the public if using the Internet
D. Because the GET VPN preserves the original source and destination IP addresses, which may be private addresses that are not routable over the Internet
Correct Answer: D
QUESTION 57
The Cisco IOS Resilient Configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash). What is the objective of the Cisco IOS resilient configuration?
A. Improve the speed of Cisco IOS image or configuration recovery process
B. Allow a compromise of the router
C. Enable primary and backup operations of two Cisco IOS routers
D. Enable redundant Cisco IOS images for fault tolerance router operations
Correct Answer: A
QUESTION 58
While implementing a proxy component within a firewall system, which method will be used?
A. In-band or out-of-band
B. Layer 2 or Layer 3
C. Transparent or non-transparent
D. Routed or bridged
Correct Answer: C
QUESTION 59
The Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS) is an appliance-based, all-inclusive solution that provides unmatched insight and control of your existing security deployment. Which is not an advantage of Cisco Security MARS?
A. Contains scalable, distributed event and analysis architecture
B. Is network topology aware
C. Performs automatic mitigation on Layer 2 devices
D. Provides rapid profile-based provisioning capabilities
Correct Answer: D
QUESTION 60
Adaptive Threat Defense or ATD encompasses three areas: Anti-X defense, application security and network control and containment. Identify three components of the anti-X defense pillar.
A. URL filtering
B. Application-level role-based access control
C. Distributed denial of service mitigation
D. Anomaly detection
Correct Answer: ACD
QUESTION 61
Which one of the following EAP authentication methods needs both a client and a server digital certificate?
A. EAP-FAST
B. PEAP-GTC
C. EAP-TLS
D. EAP-MS-CHAP
Correct Answer: C
QUESTION 62
Cisco NAC Appliance (formerly Cisco Clean Access) is an easily deployed Network Admission Control (NAC) product that allows network administrators to authenticate, authorize, evaluate and remediate wired, wireless and remote users and their machines prior to allowing users onto the network. It identifies whether networked devices such as laptops, desktops and other corporate assets are compliant with a network's security policies and it repairs any vulnerabilities before permitting access to the network. Which two of these statements describe features of the NAC Appliance architecture? (Choose two.)
A. NAC Appliance Client evaluates the endpoint security information
B. NAC Appliance Manager acts as an authentication proxy for external authentication servers
C. NAC Appliance Server acts as an authentication proxy for internal user authentication
D. NAC Appliance Manager determines the appropriate access policy
Correct Answer: BD
QUESTION 63
Which two of the following Cisco products are best positioned for data loss prevention? (Choose two.)
A. Cisco Security Agent 6.0
B. Cisco IPS 6.0
C. Cisco NAC Appliance
D. Cisco IronPort C-Series Appliances
Correct Answer: AD
QUESTION 64
_______________ is a valid method to verify a network security design?
A. Network Audit
B. Computer Simulation
C. Pilot or prototype network
D. Network Security
Correct Answer: C
QUESTION 65
Cisco NAC Appliance (formerly Cisco Clean Access) is an easily deployed Network Admission Control (NAC) product that allows network administrators to authenticate, authorize, evaluate and remediate wired, wireless and remote users and their machines prior to allowing users onto the network. It identifies whether networked devices such as laptops, desktops and other corporate assets are compliant with a network's security policies and it repairs any vulnerabilities before permitting access to the network. In which way do components of the NAC Appliance architecture communicate?
A. Sending check-up instructions to the NAC Appliance Server
B. Sending remediation instructions to the NAC Appliance Agent
C. Sending procedure instructions to the NAC Appliance Server
D. Sending block instructions to the NAC Appliance Agent
Correct Answer: B
QUESTION 66
You are the network engineer at your company. Which component should not be included in a security policy?
A. Identification and authentication policy
B. Incident handling procedure
C. Security best practice
D. Statement of authority and scope
Correct Answer: C
QUESTION 67
While using the Gateway Load Balancing Protocol to enable high-availability Cisco IOS Firewalls, what should be configured to maintain symmetric flow of traffic?
A. Static Routing
B. CEF
C. Dynamic Routing
D. Network Address Translation (NAT)
Correct Answer: D
QUESTION 68
You are the network engineer at your company. Please point out two components included in a detailed design document for a security solution.
A. Proof of Concept
B. IDS
C. Existing Network Infrastructure
D. WEP
Correct Answer: AC
QUESTION 69
IPS platform ________ can operate in inline mode only.
A. Cisco IOS IPS
B. Cisco IPS 4200 Series Sensor
C. IDSM-2
D. Cisco ASA AIP SSM
Correct Answer: A
QUESTION 70
You are the network consultant from your company. Please point out two key features of the collaborative security approach.
A. Network Admission Control
B. Automated event and action filters
C. Coordinated defense of potential entry points
D. Integration of security features in network equipment
Correct Answer: AC
QUESTION 71
The Cisco IOS Resilient Configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and Flash). What is the objective of the Cisco IOS resilient configuration?
A. Improve the speed of Cisco IOS image or configuration recovery process
B. Enable primary and backup operations of two Cisco IOS routers
C. Allow a compromise of the router
D. Enable redundant Cisco IOS images for fault tolerance router operations
Correct Answer: A
QUESTION 72
Which three functions can be provided by the Cisco ACE 4710 Appliance in the enterprise data center? (Choose three.)
A. HTTPS session decryption through SSL/TLS termination
B. SYN flooding attacks protection
C. XML firewalling
D. HTTP protocol verification
Correct Answer: ABD
QUESTION 73
Secure Sockets Layer (SSL) is a cryptographic protocol that provides security and data integrity for communications over TCP/IP networks such as the Internet. When SSL uses TCP encapsulation on Cisco SSL VPNs, the user's TCP session is transported over another TCP session, thus making flow control inefficient if a packet is lost. Which is the best solution to this problem?
A. DAP
B. Cisco Secure Desktop
C. DTLS
D. SSL Traversal
Correct Answer: C
QUESTION 74
Which method can be used by Cisco SSL VPN solution to provide connections between a Winsock2, TCP-based application and a private site without requiring administrative privileges?
A. Application plug-ins
B. Port Forwarding
C. Cisco Secure Desktop
D. Smart tunnels
Correct Answer: D
QUESTION 75
Study the exhibit below carefully. Which statement is true about the security architecture used to protect the multi-tiered web application?
A. The firewall systems in the first and second tiers should be implemented with identical security controls to provide defense in depth.
B. This architecture supports application tiers that are dual homed.
C. All the servers are protected by the dual-tier firewall systems and do not require additional endpoint security controls.
D. The second-tier Cisco ASA AIP-SSM should be tuned for inspecting Oracle attack signatures
Correct Answer: D
QUESTION 76
You work as a network operator for an IT company. You have just detected a distributed DoS attack which appears to have sources from many hosts in network X/24. You must take preventive action to block all offending traffic, so you announce a BGP route, with the next-hop attribute of 172.31.1.1, for the X/24 network of the attacker. Which two methods will be adopted by the routers at the regional office, branch office, and telecommuter location to prevent traffic going to and from the attacker? (Choose two.)
A. A prefix list to block routing updates about the X/24 network
B. A static route to 172.31.1.1/32, which points to a null interface
C. A dynamic ACL entry to block any traffic that is sourced from the X/24 network
D. Strict uRPF
Correct Answer: BD
QUESTION 77
You are a network engineer of your company. Study the following exhibit carefully. Which three Cisco IOS features could be used on the VPN gateways (Cisco IOS routers) to implement high availability for remote-access IPsec VPN? (Choose three.)
A. Dynamic VTIs
B. Reverse Route Injection (RRI)
C. Cooperative key servers
D. Dead Peer Detection (DPD)
Correct Answer: ABD
QUESTION 78
Which Cisco Security product is used to perform a Security Posture Assessment of client workstations?
A. Adaptive Security Appliance
B. Cisco Security Agent
C. Cisco Security Posture Assessment Tool
D. Cisco NAS Appliance
E. Cisco ACS
Correct Answer: D
QUESTION 79
Which three policy types can be assigned to a network user role in the Cisco NAC Appliance architecture? (Choose three.)
A. Allowed IP Address ranges
B. Network Port Scanning Plug-ins
C. VPN and roaming policies
D. Inactivity period
E. Session Duration
F. Minimum Password length
Correct Answer: BCE
QUESTION 80
Which two components should be included in a network design document? (Choose two.)
A. Complete network blueprint
B. Operating Expense
C. Risk Analysis
D. Configuration for each device
E. Detailed part list
Correct Answer: AE
QUESTION 81
DRAG DROP
Look at the picture.
Select and Place:
Correct Answer:
QUESTION 82
Which statement is true about the Cisco Security MARS Global Controller?
A. Rules that are created on a Local Controller can be pushed to the Global Controller
B. Most data archiving is done by the Global Controller
C. The Global Controller receives detailed incidents information from the Local Controllers and correlates the incidents between multiple Local Controllers
D. The Global Controller centrally manages a group of Local Controllers
Correct Answer: D
QUESTION 83
Which certificates are needed for a device to join a certificate-authenticated network?
A. The certificates of the device and its peer
B. The certificates of the certificate authority, the device and the peer
C. The certificates of the certificate authority and the peer
D. The certificates of the certificate authority and the device
Correct Answer: D
QUESTION 84
Which three Cisco Security products help to prevent application misuse and abuse? (Choose three.)
A. Cisco ASA 5500 Series Adaptive Security Appliances
B. Cisco IOS FW and IPS
C. Cisco Traffic Anomaly Detector
D. Cisco Security Agent
E. Cisco Trust Agent
F. NAC Appliance (Cisco Clean Access)
Correct Answer: ABD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 85
DRAG DROP
You work as a network engineer at Your company. Your boss, , is interested in attack methodologies. Match the descriptions with the proper methodology. Use only options that apply.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 86
Which two of these features are integrated security components of the Cisco Adaptive Security Appliance? (Choose two.)
A. VRF-aware firewall
B. Cisco ASA AIP SSM
C. VTI
D. Control Plane Policing
E. Anti-X
F. DMVPN
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 87
Which two of these statements describe features of the NAC Appliance architecture? (Choose two.)
A. NAC Appliance Servers managed by the same NAC Appliance Manager can run in mixed mode (inline or out-of-band)
B. NAC Appliance Agent has the auto-upgrade feature
C. NAC Appliance High Availability uses VRRP
D. The standard NAC Appliance Manager can manage up to 40 NAC Appliance Servers failover pairs
E. The NAC Appliance Agent is bundled with the NAC Appliance Server Software
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 88
Which three of these security products complement each other to achieve a secure remote-access solution? (Choose three.)
A. Cisco GET VPN
B. Cisco Security MARS
C. URL Filtering Server
D. Cisco Secure Access Control Server
E. NAC Appliance
F. Adaptive Security Appliance
Correct Answer: DEF
Section: (none)
Explanation
Explanation/Reference:
QUESTION 89
What are two functions of Cisco Security Agent? (Choose two.)
A. Span Filtering
B. Authentication
C. Resource Protection
D. User tracking
E. Control of Executable Content
Correct Answer: CE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 90
Which two should be included in an analysis of a security posture assessment? (Choose two.)
A. Identification of bottlenecks inside the network
B. Recommendations based on security best practice
C. Identification of critical deficiencies
D. Service offer
E. Detailed action plan
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 91
Which three of these security products complement each other to achieve a secure e-banking solution? (Choose three.)
A. Cisco Trust Agent
B. CCA Agent
C. Cisco Security Agent
D. Cisco IOS DMVPN
E. Cisco Intrusion Prevention System
F. Cisco Adaptive Security Appliance
Correct Answer: CEF
Section: (none)
Explanation
Explanation/Reference:
QUESTION 92
Your company wants to implement the PCI Data Security Standard to protect sensitive cardholder information. They are planning to use RSA to ensure data privacy, integrity and origin authentication. Which two of these statements describe features of the RSA keys? (Choose two.)
A. The private key only decrypts
B. The private key both encrypts and decrypts
C. The public key only decrypts
D. The public key both encrypts and decrypts
E. The private key only encrypts
F. The public key only encrypts
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 93
Which three technologies address ISO 17799 requirements for unauthorized access prevention? (Choose three.)
A. Cisco Secure Access Control Server
B. 802.1X
C. SSL VPN
D. Network Admission Control
E. Intrusion Prevention System
F. Cisco Security MARS
Correct Answer: ABD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 94
Which two of these features are supported by Cisco Security MARS running software version 4.2.x? (Choose two.)
A. Attack capture and playback
B. Use login authentication using external AAA Server
C. Inline or promiscuous mode operation
D. NetFlow for Network profiling and anomaly detection
E. Role-based access and dashboards
F. Hierarchical Design using global and local controllers
Correct Answer: DF
Section: (none)
Explanation
Explanation/Reference:
QUESTION 95
Which of these characteristics is a feature of AES?
A. It is not supported by hardware accelerators but runs very fast in software
B. It provides strong encryption and authentication
C. It has a variable key length
D. It should be used with key lengths greater than 1024 bits
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 96
Which protocol should be used to provide secure communications when performing shunning on a network device?
A. SSH
B. Telnet
C. SNMPv2
D. SSL
E. SNMPv3
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 97
DRAG DROP
Look at the picture.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 98
How does CSA protect endpoints?
A. Uses deep-packet application inspection to control application misuse and abuse
B. Uses file system, network, registry and execution space interceptors to stop malicious activity
C. Works at the application layer to provide buffer overflow protection
D. Uses signatures to detect and stop attacks
E. Works in conjunction with antivirus software to lock down the OS
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 99
What are the advantages of IPSec-based site-to-site VPNs over traditional WAN networks?
A. Delay guarantees, span, performance, security and low cost
B. Span, flexibility, security and low cost
C. Bandwidth guarantees, support for non-IP protocols, scalability and modular design guidelines
D. Bandwidth guarantees, flexibility, security and low cost
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 100
Identify two ways to create a long-duration query on the Cisco Security MARS Appliance. (Choose two.)
A. By Modifying an existing report
B. By submitting a query inline
C. By Submitting a batch query
D. By saving a query as a rule
E. By saving a query as a report
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 101
Which two features work together to provide anti-X defense? (Choose two.)
A. Enhanced Security state assessment
B. Network Security event correlation
C. Cisco AutoSecure
D. Enhanced Application inspection engines
E. Cisco IPS Sensors
Correct Answer: DE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 102
Which IPS platform can operate in inline mode only?
A. Cisco ASA AIP SSM
B. IDSM-2
C. Cisco IPS 4200 Series Sensor
D. Cisco IOS IPS
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 103
Which three components should be included in a security policy? (Choose three.)
A. Security best practice
B. Incident handling procedure
C. Software Specifications
D. Statement of authority and scope
E. Security product recommendation
F. Identification and authentication policy
Correct Answer: BDF
Section: (none)
Explanation
Explanation/Reference:
QUESTION 104
What is the purpose of SNMP community strings when adding reporting devices into a newly installed Cisco Security MARS Appliance?
A. To pull the log information from devices
B. To reconfigure managed devices
C. To discover and display the full topology
D. To import the device configuration
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 105
What are three advantages of Cisco Security MARS? (Choose three.)
A. Fixes Vulnerable and infected devices automatically
B. Is network topology aware
C. Provides rapid profile-based provisioning capabilities
D. Contains scalable, distributed event analysis architecture
E. Performs automatic mitigation on Layer 2 devices
F. Ensures that the user device is not vulnerable
Correct Answer: BDE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 106
What is the security issue in classic packet filtering of active FTP sessions?
A. The established keyword can't be used for control or data sessions
B. Allowing control sessions to the client opens up all the high ports on the client
C. Allowing data sessions to the client opens up all the high ports on the client
D. The control session can't be adequately filtered
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 107
Which two components should be included in a detailed design document for a security solution? (Choose two.)
A. Traffic growth forecast
B. Data Source
C. Proof of concept
D. Existing Network Infrastructure
E. Weak-link description
F. Organizational Chart
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 108
Which statement is true regarding Cisco IOS IPS performance and capabilities?
A. Cisco IOS IPS signatures have a minimal impact on router memory
B. Cisco IOS IPS offers a wider signature coverage than the IDSM-2 module
C. All Cisco IOS IPS signatures should be enabled to maximize the coverage, except for false-positives reduction
D. Cisco IOS IPS uses a parallel signature-scanning engine to scan for multiple patterns within a signature micro-engine at any given time
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 109
How is Cisco IOS Control Plane Policing achieved?
A. By using AutoQoS to rate-limit Control Plane traffic
B. By adding a server-policy to virtual terminal lines and the console port
C. By Applying a QoS policy in control plane configuration mode
D. By disabling unused services
E. By Rate limiting the exchange of routing protocol updates
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 110
What are three functions of Cisco Security Agent? (Choose three.)
A. Local Shunning
B. Device-based registry scans
C. Malicious mobile code protection
D. Flexibility against new attacks through customizable signature "on the fly"
E. Spyware and adware protection
F. Protection against buffer overflows
Correct Answer: CEF
Section: (none)
Explanation
Explanation/Reference:
QUESTION 111
What are two main reasons for a customer to implement Cisco Clean Access? (Choose two.)
A. Integrated network intelligence for superior event aggregation, reduction and correlation
B. Enforcement of Security Policies by making compliance a condition of access
C. Provision of secure remote access
D. Significant cost savings by automating the process of repairing and updating user machines
E. Focus on validated incidents, not investigating isolated events
F. Implementation of NAC Phase-1
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 112
Which two statements are true about symmetric key encryption? (Choose two.)
A. RSA is an example of symmetric key encryption
B. The key exchange can take place via a nonsecure channel
C. It is typically used to encrypt the content of a message
D. It uses secret-key cryptography
E. Encryption and decryption use different keys
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 113
Which three elements does the NAC Appliance Agent check on the client machine? (Choose three.)
A. Presence of Cisco Trust Agent
B. Presence of Cisco Security Agent
C. Registry Keys
D. IP Address
E. Microsoft hotfixes
Correct Answer: BCE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 114
In which two ways do Cisco ASA 5500 Series Adaptive Security Appliances achieve containment and control? (Choose two.)
A. By probing end systems for compliance
B. By Enabling business to create secure connections
C. By preventing unauthorized network access
D. By performing traffic anomaly detection
E. By tracking the state of all network communications
Correct Answer: CE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 115
Which two statements mitigate the threat of a SYN flood attack? (Choose two.)
A. MARS flood automitigation
B. Cisco IOS IPS
C. NAC Appliance Security Posture Validation
D. ASA TCP Intercept
E. ASA Enhanced application inspection
F. Cisco IOS FPM
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 116
Which three of these features are key elements of the Adaptive Threat Defense? (Choose three.)
A. Ability of a network to identify, prevent and adapt to security threats
B. Active management and mitigation
C. Multilayer intelligence
D. Blend of IP and Security technologies
E. Dynamic adjustment of risk ratings
F. Feature consistency
Correct Answer: BCE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 117
Which two technologies can prevent the Slammer worm from compromising a host? (Choose two.)
A. NAC Appliance Security posture validation
B. ASA stateful firewall
C. Cisco IOS IPS
D. ASA enhanced application inspection
E. Cisco IOS FPM
F. Cisco Trust Agent
Correct Answer: CE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 118
Which two features work together to provide anti-X defense? (Choose two.)
A. Enhanced Application inspection engines
B. Enhanced Security state assessment
C. Cisco AutoSecure
D. Network Security event correlation
E. Cisco IPS Sensors
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 119
Which primary security design components should be addressed while implementing secure WAN solutions? (Not all design components are required.)
1. authentication and transmission protection
2. network infrastructure device hardening
3. boundary access control
4. topology
5. high availability
6. performance and scalability
7. resource separation
A. 1, 2, 4, 5, 6
B. 1, 2, 3, 4, 5
C. 1, 2, 3, 5, 6
D. 2, 3, 4, 5, 6
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 120
Which two technologies mitigate the threat of a SYN Flood attack? (Choose two.)
A. NAC Appliance Security Posture Validation
B. Cisco IOS IPS
C. ASA Enhanced Application inspection
D. Cisco IOS FPM
E. ASA TCP intercept
F. MARS Flood automitigation
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 121
Which two of these features are the most appropriate test parameters for the acceptance test plan of a secure connectivity solution? (Choose two.)
A. Certificate enrollment and revocation
B. High availability
C. Privacy of key exchange
D. Duration of the key refresh operation
E. Resistance Against brute-force attacks
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 122
Which two technologies address ISO 17799 requirements in detecting, preventing and responding to attacks and intrusion? (Choose two.)
A. Cisco Trust Agent
B. 802.1X
C. Cisco Security MARS
D. Cisco Security Agent
E. Cisco NAC Appliance
F. DMVPN
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 123
When a FWSM is operating in transparent mode, what is true?
A. The FWSM does not support multiple security contexts
B. Each directly connected network must be on the same subnet
C. The FWSM supports up to 256 VLANs
D. Each interface must be on the same LAN
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 124
Which encryption protocol is suitable for an enterprise with standard security requirements?
A. SHA-256
B. 768-bit RSA encryption
C. DES
D. MD5
E. AES-128
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
QUESTION 125
Which three factors can affect the risk of an IPS alert? (Choose three.)
A. Attacker Location
B. Relevance
C. Signature Fidelity
D. Event Severity
E. Signature Priority
F. Asset Integrity
Correct Answer: BCD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 126
Which encryption protocol is suitable for an enterprise with standard security requirements?
A. 768-bit RSA encryption
B. SHA-256
C. AES-128
D. MD5
E. DES
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 127
Which three of these items are features of the Cisco Secure Access Control Server? (Choose three.)
A. CA Database
B. LDAP
C. RSA Certificates
D. Kerberos
E. NDS
F. Local OTP
Correct Answer: BCE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 128
Which two of these characteristics apply to promiscuous IPS operation? (Choose two.)
A. Invisible to the attacker
B. Impacts connectivity in case of failure or overload
C. Increase latency
D. Can use stream normalization techniques
E. Typically used with SPAN on the Switches
F. Less vulnerable to evasion techniques than inline mode
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 129
Your company wishes to adopt the Adaptive Threat Defense Architecture in their security policy. Identify three components of the anti-X defense pillar. (Choose three.)
A. URL filtering
B. Distributed denial-of-service mitigation
C. Anomaly detection
D. Application-level role-based access control
E. Network auditing
F. Transaction privacy
Correct Answer: ABC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 130
Which three security controls can be provided by digital signatures? (Choose three.)
A. Anti-replay
B. Integrity
C. Authenticity
D. Nonrepudiation
Correct Answer: BCD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 131
What are three advantages of Cisco Security MARS? (Choose three.)
A. Performs automatic mitigation on Layer 2 devices
B. Contains scalable, distributed event analysis architecture
C. Is network topology aware
D. Fixes Vulnerable and infected devices automatically
E. Provides rapid profile-based provisioning capabilities
F. Ensures that the user device is not vulnerable
Correct Answer: ABC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 132
Which two of these statements describe features of the NAC Appliance Architecture? (Choose two.)
A. The standard NAC Appliance Manager can manage up to 40 NAC Appliance Servers failover pairs
B. The NAC Appliance Agent is bundled with the NAC Appliance Server Software
C. NAC Appliance Agent has the auto-upgrade feature
D. NAC Appliance Servers managed by the same NAC Appliance Manager can run in mixed mode (inline or out-of-band)
E. NAC Appliance high availability VRRP
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 133
Which IPS feature models worm behavior and correlates the specific time between events, network behavior and multiple exploit behavior to more accurately identify and stop worms?
A. Meta Event Generator
B. Security Device Event Exchange support
C. Risk Rating
D. Traffic normalization
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 134
Which two are main security drivers? (Choose two.)
A. Business needs
B. Optimal network operation
C. Compliance with company policy
D. Increased productivity
E. Security legislation
Correct Answer: CE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 135
What are the major characteristics for designing a VPN for existing networks?
A. Performance, topology and price
B. Topology, high availability, security, scalability, manageability and performance
C. Intended use, existing installation and desired functionality
D. Vendors and the functionality of the installed equipment
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 136
What are the advantages of IPSec-based Site-to-Site VPNs over traditional WAN networks?
A. Span, flexibility, security and low cost
B. Delay guarantees, span, performance, security and low cost
C. Bandwidth guarantees, support for non-IP Protocols, Scalability and modular design guidelines
D. Bandwidth guarantees, flexibility, security and low cost
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 137
Refer to the following Cisco products, which two can provide a captive portal to authenticate wireless users? (Choose two.)
A. Cisco NAC Profiler
B. WLAN Controller
C. Cisco NAC Guest Server
D. Cisco ASA
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 138
Which option is correct about the relationship between the terms and their descriptions?
Terms
1. true positives
2. false positives
3. true negatives
4. false negatives
Descriptions
(a) security control has not acted, even though there was malicious activity
(b) security control has not acted, as there was no malicious activity
(c) security control acted as a consequence of non-malicious activity
(d) security control acted as a consequence of malicious activity
A. a-4,b-3,c-2,d-1
B. a-4,b-3,c-1,d-2
C. a-4,b-2,c-1,d-3
D. a-4,b-2,c-3,d-1
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 139
Observe the following Cisco software agents carefully, can you tell me which one uses content scanning to identify sensitive content and controls the transfer of sensitive content off the local endpoint over removable storage, locally or network-attached hardware, or network applications?
A. Cisco IronPort Agent 3.0
B. Cisco Trust Agent 2.0
C. Cisco NAC Appliance Agent 4.1.3
D. Cisco Security Agent 6.0
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 140
Look at the following items carefully, which Cisco ASA's Unified Communications proxy feature manipulates both the signaling and the media channels?
A. CUMA Proxy
B. TLS Proxy
C. H.323 Proxy
D. Phone Proxy
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 141
Which Cisco product can provide endpoint-based trusted-traffic marking while implementing QoS?
A. Cisco Trust Agent
B. Cisco Secure Services Client
C. Cisco Secure Desktop
D. Cisco Security Agent
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 142
In multi-tier applications and multi-tier firewall designs, which additional security control can be used to force an attacker to compromise the exposed server before the attacker attempts to penetrate the more protected domains?
A. Implement host IPS on the exposed servers in the DMZs.
B. Make exposed servers in the DMZs dual homed.
C. At each tier, implement a transparent proxy component within the firewall system.
D. Implement in-band network admission control at the first tier.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 143
You are the network consultant from Company.com. Please point out three technologies that address ISO 17799 requirements for unauthorized access prevention.
A. VPN
B. Cisco Secure Access Control Server
C. 802.1X
D. Network Admission Control
Correct Answer: BCD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 144
Which Cisco Catalyst Series switch feature can be used to integrate a tap-mode (promiscuous mode) IDS/IPS sensor into the network?
A. PVLAN Trunk
B. PVLAN Edge
C. Cisco Express Forwarding Switching
D. Switch Port ANalyzer (SPAN)
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 145
Cisco Security MARS and Cisco Security Manager could work together to implement which two functions? (Choose two.)
A. False-positive tuning
B. Incident-vector analysis
C. Firewall events-to-Cisco Security MARS events correlations
D. IPS events-to-Cisco Security MARS events correlations
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 146
Which item is correct about the relationship between the VPN types and their descriptions?
1. DMVPN
2. GET VPN
3. DGVPN
4. Dynamic VTI
5. Crypto maps
(a) supported on Cisco IOS routers and ASAs
(b) provides on-demand virtual access interface cloned from a virtual template configuration
(c) combines two VPN technologies
(d) provides tunnel-less any-to-any connectivity
(e) supports routing protocol over VPN tunnels
A. a-5,b-4,c-1,d-2,e-3
B. a-5,b-4,c-3,d-1,e-2
C. a-5,b-3,c-2,d-4,e-1
D. a-5,b-4,c-3,d-2,e-1
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 147
Which Cisco ASA configuration is needed to perform active/active failover?
A. Policy-based routing
B. Redundant interfaces
C. Virtual contexts
D. VLANs
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 148
Which two key criteria will be used while sizing Cisco Security MARS model to deploy? (Choose two.)
A. Auto-mitigation requirements
B. Using a one-, two-, or three-tier Cisco Security MARS architecture
C. Events-storage requirements
D. Incoming events per second rate
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 149
By use of Cisco ASA active/active stateful failover, what happens if the return packet of an existing connection is not found in the local Cisco ASA connection table?
A. The local Cisco ASA will forward the packet if it is permitted by the inbound ACL.
B. The local Cisco ASA will perform a reverse path forwarding check to determine whether to forward or drop the packet.
C. The local Cisco ASA will determine, based on its routing table, whether to forward or drop the packet.
D. The local Cisco ASA will examine the copy of the other Cisco ASA's connection table and, if a match is found, will forward the packet to the other Cisco ASA.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 150
Which statement best describes the Cisco ASA encrypted voice inspection capability?
A. The Cisco ASA decrypts, inspects, then re-encrypts voice-signaling traffic; all of the existing VoIP inspection functions for SCCP and SIP protocols are preserved.
B. TLS proxy applies to the encryption layer and is configured by using a Layer 3/4 inspection policy on the Cisco ASA.
C. The Cisco ASA does not support PAT and NAT for SCCP inspection.
D. The Cisco ASA serves as a proxy for both client and server, with the Cisco IP Phone and the Session Border Controller.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 151
Which one of the following uRPF options allows for asymmetrical routing?
A. Dynamic uRPF
B. Strict uRPF
C. Loose uRPF
D. Unidirectional uRPF
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 152
MPLS VPN provides or supports all of the following items except which one?
A. Any-to-any connectivity
B. Customer's IGP routing
C. Confidentiality
D. Customer's isolation
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 153
Look at the following Cisco ASA SSL VPN pre-login checks carefully, which five are supported by the Cisco Secure Desktop? (Not all the checks are required.)
1. Register check
2. File check
3. Antivirus check
4. Antispam check
5. Personal firewall check
6. Certificate check
7. Windows version check
A. 1,2,3,7,5
B. 1,2,6,7,5
C. 1,2,3,4,5
D. 1,2,4,5,6
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 154
While performing point-to-point secure WAN solutions over the Internet, which alternative Cisco IOS method is available if GRE-over-IPsec tunnels could not be used?
A. Dynamic crypto maps
B. Virtual Tunnel Interfaces (VTIs)
C. GET VPN
D. MPLS VPN
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 155
Which one of the following methods can be used to scale Cisco Security MARS deployments?
A. Use the Cisco Security MARS syslog forwarding feature to offload the syslog storage requirement to an external server.
B. Migrate from the Gen1 to Gen2 Cisco Security MARS platforms.
C. Use redundant or duplicated Cisco Security MARS appliances to implement a multi-tier architecture.
D. Divide the network into multiple zones, then use the global/local controllers approach.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 156
Which functionality can be used by the Cisco Security MARS security appliance to achieve events aggregation?
A. Events action filters
B. Cisco Security Manager policy correlations
C. Summarization
D. Sessionization
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 157
Which of these items is a feature of a system-level approach to security management?
A. Multiple cross-vendor management platforms
B. Complex Operations
C. Responsibility sharing
D. Single-element management
E. High Availability
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
QUESTION 158
Which primary security design components should be addressed while performing Enterprise Internet Access protection? (Not all design components are required.)
1. resource separation
2. network infrastructure device hardening
3. network signaling protection
4. boundary access control
5. compliance assessment
6. endpoint protection
A. 1, 3, 4, 6
B. 1, 4, 5, 6
C. 1, 2, 4, 6
D. 1, 2, 3, 6
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 159
For the following items, which two are differences between symmetric and asymmetric encryption algorithms? (Choose two.)
A. Asymmetric encryption is slower than symmetric encryption
B. Asymmetric encryption is more suitable than symmetric encryption for real-time bulk encryption
C. Symmetric encryption is used in digital signatures and asymmetric encryption is used in HMACs
D. Asymmetric encryption requires a much larger key size to achieve the same level of protection as symmetric encryption
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 160
Which items are the most common methods used for managing risk?
A. Risk reduction
B. Risk avoidance
C. Risk transfer
D. Risk retention/acceptance
Correct Answer: ABCD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 161
Which option is correct about the relationship between the malware type and its description?
1. virus
2. worms
3. botnets
4. spyware
5. Trojan horses
6. rootkits
(a) collection of compromised computers under a common command-and-control infrastructure
(b) typically used to monitor user actions
(c) autonomously spreads to other systems without user interaction
(d) malware that hides through evasion of the operating system security mechanisms
(e) requires some user action to infect the system
(f) malware that hides inside another legitimate-looking application
A. a-3,b-4,c-2,d-6,e-1,f-5
B. a-3,b-2,c-1,d-4,e-6,f-5
C. a-3,b-4,c-2,d-6,e-5,f-1
D. a-3,b-4,c-6,d-2,e-1,f-5
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 162
Which item is correct about the relationship between the security risk management related term and its proper definition?
1. asset
2. threat
3. vulnerability
4. risk
(a) anything that has value to an organization
(b) A weakness in a system or its design that could be exploited
(c) The likelihood of a particular attack occurring and resulting in an undesirable consequence
(d) Any circumstance or event with the potential to cause harm to an information system
A. a-4, b-3, c-2, d-1
B. a-1, b-4, c-3, d-2
C. a-1, b-3, c-4, d-2
D. a-1, b-3, c-2, d-4
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 163
Which function can be implemented by the Cisco Security Agent data access control feature?
A. Enables trusted QoS marking at the end host
B. Detects changes to system files by examining the file signature
C. Detects attempts to modify the file registry
D. Detects malformed HTTP requests by examining the URI in the HTTP request
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 164
Which series of steps correctly describes how a challenge-and-response authentication protocol functions?
A. 1. The authenticator sends a random challenge string to the subject being authenticated.
2. The subject being authenticated hashes the challenge using a shared secret password to form a response back to the authenticator.
3. The authenticator performs the same hash method with the same shared secret password to calculate a local response and compares it with the received response.
4. If these match, the subject is authenticated.
B. 1. The subject being authenticated sends a random challenge string to the authenticator.
2. The authenticator encrypts the challenge string with a private key and sends the encrypted random challenge string back to the subject being authenticated.
3. The subject being authenticated decrypts the random challenge string with the public key and compares it to the original random challenge.
4. If these match, the subject is authenticated.
C. 1. The subject being authenticated sends a random challenge string to the authenticator.
2. The authenticator encrypts the challenge string with a shared secret password and sends the encrypted random challenge string back to the subject being authenticated.
3. The subject being authenticated decrypts the random challenge string using the same shared secret key and compares it to the original random challenge.
4. If these match, the subject is authenticated.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 165
Which is the primary benefit that DTLS offers over TLS?
A. Both the application and TLS can retransmit lost packets
B. Improves security
C. Provides low latency for real-time applications
D. Uses TCP instead of UDP to provide a reliable Transport mechanism
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 166
Which attack method is typically used by Pharming attacks that are used to fool users into submitting sensitive information to malicious servers?
A. DHCP exhaustion
B. DNS cache poisoning
C. DHCP server spoofing
D. IP spoofing
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 167
Match each IKE component to its supported option.
1. IKE authentication
2. IKE encryption
3. IKE data authentication/integrity
4. IKE key negotiation
(a) 3DES or AES
(b) MD5 or SHA-1
(c) pre-shared key or digital certificates
(d) DH Group 1, 2, or 5
A. a-1, b-2, c-3, d-4
B. a-2, b-3, c-4, d-1
C. a-2, b-1, c-3, d-4
D. a-2, b-3, c-1, d-4
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 168
Which one of the following Cisco Security Management products is able to perform (syslog) events normalization?
A. Cisco Security Manager
B. Cisco ASDM
C. Cisco Security MARS
D. Cisco IME
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 169
Which option is correct about the relationship between the malware type and its description?
1. virus
2. worms
3. botnets
4. spyware
5. Trojan horses
6. rootkits
(a) collection of compromised computers under a common command-and-control infrastructure
(b) typically used to monitor user actions
(c) autonomously spreads to other systems without user interaction
(d) malware that hides through evasion of the operating system security mechanisms
(e) requires some user action to infect the system
(f) malware that hides inside another legitimate-looking application
A. a-3,b-4,c-2,d-6,e-1,f-5
B. a-3,b-2,c-1,d-4,e-6,f-5
C. a-3,b-4,c-2,d-6,e-5,f-1
D. a-3,b-4,c-6,d-2,e-1,f-5
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 170
Which series of steps correctly describes how a challenge-and-response authentication protocol functions?
A. 1. The authenticator sends a random challenge string to the subject being authenticated.
   2. The subject being authenticated hashes the challenge using a shared secret password to form a response back to the authenticator.
   3. The authenticator performs the same hash method with the same shared secret password to calculate a local response and compare it with the received response.
   4. If these match, the subject is authenticated.
B. 1. The subject being authenticated sends a random challenge string to the authenticator.
   2. The authenticator encrypts the challenge string with a private key and sends the encrypted random challenge string back to the subject being authenticated.
   3. The subject being authenticated decrypts the random challenge string with the public key and compares it to the original random challenge.
   4. If these match, the subject is authenticated.
C. 1. The subject being authenticated sends a random challenge string to the authenticator.
   2. The authenticator encrypts the challenge string with a shared secret password and sends the encrypted random challenge string back to the subject being authenticated.
   3. The subject being authenticated decrypts the random challenge string using the same shared secret key and compares it to the original random challenge.
   4. If these match, the subject is authenticated.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 171
Which option is correct about the relationship between the malware type and its description?
1. virus
2. worms
3. botnets
4. spyware
5. Trojan horses
6. rootkits
(a) collection of compromised computers under a common command-and-control infrastructure
(b) typically used to monitor user actions
(c) autonomously spreads to other systems without user interaction
(d) malware that hides through evasion of the operating system security mechanisms
(e) requires some user action to infect the system
(f) malware that hides inside another legitimate-looking application
A. a-3,b-4,c-2,d-6,e-1,f-5
B. a-3,b-2,c-1,d-4,e-6,f-5
C. a-3,b-4,c-2,d-6,e-5,f-1
D. a-3,b-4,c-6,d-2,e-1,f-5
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 172
Which series of steps correctly describes how a challenge-and-response authentication protocol functions?
A. 1. The authenticator sends a random challenge string to the subject being authenticated.
   2. The subject being authenticated hashes the challenge using a shared secret password to form a response back to the authenticator.
   3. The authenticator performs the same hash method with the same shared secret password to calculate a local response and compare it with the received response.
   4. If these match, the subject is authenticated.
B. 1. The subject being authenticated sends a random challenge string to the authenticator.
   2. The authenticator encrypts the challenge string with a private key and sends the encrypted random challenge string back to the subject being authenticated.
   3. The subject being authenticated decrypts the random challenge string with the public key and compares it to the original random challenge.
   4. If these match, the subject is authenticated.
C. 1. The subject being authenticated sends a random challenge string to the authenticator.
   2. The authenticator encrypts the challenge string with a shared secret password and sends the encrypted random challenge string back to the subject being authenticated.
   3. The subject being authenticated decrypts the random challenge string using the same shared secret key and compares it to the original random challenge.
   4. If these match, the subject is authenticated.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 173
Can you tell me which one of the following platforms has the highest IPSec throughput and can support the highest number of tunnels?
A. Cisco 6500/7600 + VPN SPA
B. Cisco ASR 1000-5G
C. Cisco 7200 NPE-GE+VSA
D. Cisco 7200 NPE-GE+VAM2+
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 174
Which one is not a factor that can affect the risk rating of an IPS alert?
A. Relevance
B. Attacker location
C. Event severity
D. Signature fidelity
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 175
Which three of these security products complement each other to achieve a secure e-banking solution? (Choose three.)
A. Cisco Trust Agent
B. CCA Agent
C. Cisco Security Agent
D. Cisco IOS DMVPN
E. Cisco Intrusion Prevention System
F. Cisco Adaptive Security Appliance
Correct Answer: CEF
Section: (none)
Explanation
Explanation/Reference:
QUESTION 176
How does CSA protect endpoints?
A. Uses deep-packet application inspection to control application misuse and abuse
B. Uses file system, network, registry and execution space interceptors to stop malicious activity
C. Works at the application layer to provide buffer overflow protection
D. Uses signatures to detect and stop attacks
E. Works in conjunction with antivirus software to lock down the OS
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 177
Match each IKE component to its supported option.
1. IKE authentication
2. IKE encryption
3. IKE data authentication/integrity
4. IKE key negotiation
(a) 3DES or AES
(b) MD5 or SHA-1
(c) pre-shared key or digital certificates
(d) DH Group 1, 2, or 5
A. a-1, b-2, c-3, d-4
B. a-2, b-3, c-4, d-1
C. a-2, b-1, c-3, d-4
D. a-2, b-3, c-1, d-4
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 178
Cisco Security MARS and Cisco Security Manager could work together to implement which two functions? (Choose two.)
A. False-positive tuning
B. Incident-vector analysis
C. Firewall events-to-Cisco Security MARS events correlations
D. IPS events-to-Cisco Security MARS events correlations
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 179
While performing point-to-point secure WAN solutions over the Internet, which alternative Cisco IOS method is available if GRE-over-IPsec tunnels could not be used?
A. Dynamic crypto maps
B. Virtual Tunnel Interfaces (VTIs)
C. GET VPN
D. MPLS VPN
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 180
Match each IKE component to its supported option.
1. IKE authentication
2. IKE encryption
3. IKE data authentication/integrity
4. IKE key negotiation
(a) 3DES or AES
(b) MD5 or SHA-1
(c) pre-shared key or digital certificates
(d) DH Group 1, 2, or 5
A. a-1, b-2, c-3, d-4
B. a-2, b-3, c-4, d-1
C. a-2, b-1, c-3, d-4
D. a-2, b-3, c-1, d-4
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference: