Exam Prep Questions

Question 1

Which of the following is not a benefit of a layered approach to security?

  • A. It simplifies configuration issues by placing a technology in several places; configuration files can be mostly copied from one location to another.

  • B. It protects against threats originating inside the network as well as those of external origin.

  • C. It complicates penetration efforts by requiring them to defeat multiple technologies.

  • D. It protects against external threats that get past an initial layer of defense.

A1:

Answer A is correct. A layered approach to security enables the network to use multiple technologies so that one technology protects the network from any vulnerabilities or weaknesses in another. In fact, because there are different technologies, there can be many different configurations; also, a given device can be configured quite differently, depending on where it is placed and what it protects. Configurations are thus not likely to be very repeatable. Layering also protects against threats that originate inside the outer layer (answer B), forces an intruder to defeat several technologies rather than one (answer C), and protects against external threats that penetrate an outer layer (answer D).

Question 2

Which of these is a benefit of taking a modular approach to security?

  • A. It minimizes the cost of implementation.

  • B. It maximizes the opportunity to phase in the best technology.

  • C. It allows the architecture to focus on the security relationships between modules.

  • D. It allows the architecture to focus on the security relationships within the modules.

A2:

Answer C is correct. The two principal advantages of taking a modular approach to network security are the capability to focus on the security relationships between the modules (answer C) and the capability to implement security on a module-by-module basis (to optimize one module at a time). By working one module at a time, you can space out security purchases, which could prevent you from getting quantity discounts (eliminating answer A). Depending on the technologies chosen, what is already present, and what your new devices must interwork with, you might or might not be able to phase in the best technology (eliminating answer B). Finally, answer D misstates the relationships advantage as well as the internal optimization advantage (it takes part of one and part of the other to make a new and incorrect whole).

Question 3

Which of these is not one of the design objectives of the Enterprise SAFE Blueprint?

  • A. Use out-of-band (OOB) management only

  • B. Require AAA for access to network devices

  • C. Make security cost-effective

  • D. Implement security throughout the infrastructure

A3:

Answer A is correct. Although there are significant advantages to OOB network management, it is not always practical, and the SAFE Blueprint is about practical network security. The design objectives for the SAFE Blueprint are as follows:

  • Security and attack mitigation based on policy

  • Security implementation through the infrastructure (not just on specialized security devices)

  • Cost-effective deployment

  • Secure management and reporting

  • Authentication and authorization of users and administrators to critical network resources

  • Intrusion detection for critical resources and subnets

Question 4

In addition to the design objectives, what is a strong design goal of the Enterprise SAFE Blueprint? (Choose two.)

  • A. Repeatability

  • B. Resiliency

  • C. Scalability

  • D. Modularity

  • E. Multihoming

A4:

Answers B and C are correct. The Enterprise SAFE Blueprint is designed with high availability (resiliency) and scalability in mind. All servers and networking devices are redundant, and multiple data paths are available. Scalability is reflected in the enterprise campus separation of the Management module from the building Access-Distribution-Core design; thus, management traffic can fan out to wherever it is needed. Repeatability (answer A) is not the same as scalability; there need not be repeated instances of any of the edge modules or most of the campus modules (except for the Building Access and Building Distribution modules). Although modularity (answer D) is the approach used, it is not a design goal; it is a design technique. Finally, multihoming (answer E) is a technique used to increase resiliency, but it is only a technique, and one of many, at that.

Question 5

What does Cisco recommend as the first basis for a choice between a multifunction device and a dedicated device?

  • A. Cost-effectiveness of the initial acquisition (capital expenditure).

  • B. Life-cycle cost-effectiveness.

  • C. Operating cost because that dwarfs acquisition costs after a short time.

  • D. None of these is correct.

A5:

Answer D is correct. Cisco says nothing about cost as the primary factor in choosing between a multifunction device and a dedicated device (such as the choice between a router with an IOS firewall and a PIX firewall). That eliminates all three available answers, leaving only answer D. In fact, after you have decided on a technology, Cisco's recommendation is that your choice be based on performance: your requirements versus what the different devices can deliver. When you are satisfied that both the multifunction device and the dedicated device meet performance needs, cost (capital, operational, and/or life cycle, depending on your organization's policies) can become a factor.

Question 6

Which of the following is not one of the SAFE axioms?

  • A. Routers are targets.

  • B. Hosts are sometimes targets.

  • C. Switches are targets.

  • D. Networks are targets.

  • E. Applications are targets.

A6:

Answer B is correct. The SAFE Blueprint axioms are as follows:

  • Routers are targets.

  • Switches are targets.

  • Hosts are targets.

  • Networks are targets.

  • Applications are targets.

  • Secure management and reporting.

Nothing in the axioms mentions that targeting is anything but all the time, nor can you afford to assume that it might be. All targets in a network are targets of opportunity: if they are vulnerable, they likely will be attacked. Therefore, answer B, with its "some of the time" qualifier, is not true.

Question 7

Why is "secure management and reporting" a SAFE axiom?

  • A. Because logs must be accurate.

  • B. Because configurations must be carefully controlled.

  • C. Because hackers will target the management network.

  • D. All of these are correct.

A7:

Answer D is correct. Because the networking devices control traffic on the network (both access and routing once in), these devices are a high-value target for hackers. The network managing these devices must therefore be secured to protect them (answer C). Hackers will seek to create the conditions that allow them to enter at will, meaning that they will try to alter networking device configurations. Protecting against that (answer B) is important. Finally, when you are attacked, you must be able to determine what happened, where, and when; the information stored in logs must be reliable and truthful (answer A). All of these are reasons to secure the management network.

Question 8

What "band" is meant by in-band versus out-of-band?

  • A. The production network.

  • B. The Layer 3 network is in-band, and the Layer 2 network is out-of-band.

  • C. The Layer 2 network is in-band, and the Layer 3 network is out-of-band.

  • D. None of these is correct.

A8:

Answer A is correct. In-band refers to using the same connections (the same ports, circuits, addresses, and so on) as the production traffic (and production traffic is the business's ordinary network traffic, such as email, database requests, DNS requests, and so on). Out-of-band refers to a separate physical and logical network for the network-management traffic versus the production traffic; the two are not commingled. They belong to different VLANs (if VLANs are used on this device), belong to different address blocks, and enter/exit networking devices on different ports (meaning different physical connections). The OSI model layer is not relevant, making the distinction between Layer 2 and Layer 3 meaningless in the context of this question (whether phrased as in answer B or answer C).
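The answer lists three concrete separations that make management traffic out-of-band: a different VLAN, a different address block, and a different physical port. The following is an added example (not from the book or from Cisco) of a small audit that checks an inventory of a device's interfaces against those three criteria. The `Interface` dataclass, the constructed sample inventories, and the `oob_findings` / `is_out_of_band` helpers are all assumptions made for this illustration.

```python
"""Check whether a device's management path is really out-of-band.

Added illustration, not part of the book. Given a constructed inventory of
a device's interfaces tagged as "production" or "management", report every
way in which the management path is commingled with production traffic:
same physical port, same VLAN, or overlapping address blocks.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str      # physical port the interface lives on (hypothetical naming)
    vlan: int      # VLAN the interface belongs to
    network: str   # subnet of the interface in CIDR notation
    role: str      # "production" or "management"


def oob_findings(interfaces):
    """Return a list of findings; an empty list means management is out-of-band."""
    prod = [i for i in interfaces if i.role == "production"]
    mgmt = [i for i in interfaces if i.role == "management"]
    if not mgmt:
        # No dedicated management path at all: management rides on production.
        return ["no management interface defined; management is in-band by default"]

    findings = []
    for m in mgmt:
        m_net = ipaddress.ip_network(m.network, strict=False)
        for p in prod:
            p_net = ipaddress.ip_network(p.network, strict=False)
            # Separation 1: different physical connection.
            if m.name == p.name:
                findings.append(f"{m.name}: management shares a physical port with production")
            # Separation 2: different VLAN.
            if m.vlan == p.vlan:
                findings.append(f"{m.name}: management VLAN {m.vlan} is also used by production on {p.name}")
            # Separation 3: different (non-overlapping) address block.
            if m_net.overlaps(p_net):
                findings.append(f"{m.name}: management block {m_net} overlaps production block {p_net} on {p.name}")
    return findings


def is_out_of_band(interfaces):
    """True only when none of the three separations is violated."""
    return not oob_findings(interfaces)


# Constructed sample inventories (not real devices).
OOB_DEVICE = [
    Interface("Gi0/1", 10, "10.1.10.0/24", "production"),
    Interface("Gi0/2", 20, "10.1.20.0/24", "production"),
    Interface("Fa0/0", 900, "192.168.254.0/24", "management"),
]

# Management configured on the very same port, VLAN and subnet as production.
INBAND_DEVICE = [
    Interface("Gi0/1", 10, "10.1.10.0/24", "production"),
    Interface("Gi0/1", 10, "10.1.10.0/24", "management"),
]

# Separate port and VLAN, but a management block that swallows production space.
OVERLAP_DEVICE = [
    Interface("Gi0/1", 10, "10.1.10.0/24", "production"),
    Interface("Gi0/2", 20, "10.1.20.0/24", "production"),
    Interface("Fa0/0", 900, "10.1.0.0/16", "management"),
]


if __name__ == "__main__":
    for label, inv in [("oob", OOB_DEVICE), ("inband", INBAND_DEVICE), ("overlap", OVERLAP_DEVICE)]:
        print(label, "out-of-band" if is_out_of_band(inv) else "IN-BAND")
        for f in oob_findings(inv):
            print("  -", f)
```

Run as a script it prints one verdict per constructed device with the specific separation each one violates; in practice you would build the `Interface` list from your own inventory or configuration export rather than from literals.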

Question 9

The enterprise edge is composed of which major modules?

  • A. E-Commerce, Corporate Management, VPN/Remote Access, and WAN

  • B. E-Commerce, Corporate Internet, VPN/Remote Control, and WAN

  • C. E-Business, Corporate Internet, VPN/Remote Access, and WAN

  • D. E-Commerce, Corporate Internet, VPN/Remote Access, and WAN

A9:

Answer D is correct. This is another example of the need to read the answers as closely as you read the questions. The four major modules in the enterprise edge are as follows:

  • E-Commerce (not E-Business)

  • Corporate Internet (not Corporate Management)

  • VPN/Remote Access (not VPN/Remote Control)

  • WAN

They access the outside world via redundant ISPs (the two ISP modules), the PSTN (via the PSTN module), and the Frame/ATM network (via the Frame/ATM module). They access the campus via the Edge Distribution module, which is part of the enterprise campus, not the enterprise edge.

Question 10

Which of the following modules is not a part of the enterprise campus?

  • A. Server module

  • B. Management module

  • C. Headquarters module

  • D. Enterprise Distribution module

  • E. Building Access module

  • F. Building Distribution module

  • G. Core module

A10:

Answer C is correct. The modules in the enterprise campus are as follows:

  • Management module

  • Server module (for corporate and departmental servers)

  • Building Access module (users)

  • Building Distribution module

  • Core module

  • Enterprise Distribution module

There is no such entity in the SAFE Blueprint as a Headquarters module.

Question 11

The E-Commerce module is protected in which ways? (Choose two.)

  • A. Private VLANs

  • B. One-way routing

  • C. OOB server management

  • D. Multiple layers of firewalling

A11:

Answers A and D are correct. The E-Commerce module consists of several sets of servers, all of which are networked via Layer 2 switches using private VLANs (answer A) to prevent port redirection. There are firewalls on ingress from the Internet and before egress to the Edge Distribution module (answer D). Furthermore, a design alternative is to segregate the server sets even more with stateful firewalls between them. Although OOB management is recommended, it is recommended throughout the enterprise, not just in the E-Commerce module, and it is not limited to the servers (answer C); OOB is recommended for networking devices, especially in high-risk areas such as the E-Commerce module. One-way routing (answer B) is a throw-away (and Cisco does sometimes have throw-away answers; under exam stress, you just might bite on one). Traffic must be exchanged: that means bidirectional traffic, and routing must have a path back for the reply, or it does no good to have a server there to answer the request.


CCSP CSI Exam Cram 2 (Exam Cram 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines