Practice Exam 2

Question 1

James downloads sophisticated hacking software from the Internet. He is a disgruntled employee and tries to hack into his company's Web server. John is a highly motivated and technically competent individual. What type of network threat is James? (Choose all that apply.)

  • A. Unstructured threat

  • B. Structured threat

  • C. External threat

  • D. Internal threat

Question 2

A hacker attacks your network in a way that damages and corrupts your computer systems and denies intended users access to a Web server. The attack also denies all authorized users access to the network and services. How would you classify this network attack?

  • A. Reconnaissance attack

  • B. Access attack

  • C. Denial of Service attack

Question 3

Which of the following products is the best choice if the primary role of the equipment is to perform site-to-site VPN with a few remote access connections?

  • A. VPN-enabled router

  • B. VPN 3000 Concentrator

  • C. PIX Firewall

Question 4

Out of the box, which of the following models of VPN Concentrator support hardware encryption? (Choose all that apply.)

  • A. 3005

  • B. 3015

  • C. 3030

  • D. 3060

  • E. 3080

Question 5

You are designing a VPN solution for your enterprise network. The requirement is for 180 site-to-site tunnels. Money is an important factor that needs to be considered when implementing this solution. Which of the following models of VPN Concentrator fits the requirement?

  • A. 3005

  • B. 3015

  • C. 3030

  • D. 3060

Question 6

You have a 3080 VPN Concentrator running in an environment that supports both site-to-site VPN tunnels and remote access VPN tunnels. You have 728 branch offices that have site-to-site tunnels established to the Head Office 3080 Concentrator. What is the maximum number of remote access VPN tunnels that can now be established to this VPN 3080 Concentrator?

  • A. 10000

  • B. 9271

  • C. 9722

  • D. 5000

  • E. 9272

Question 7

To establish a site-to-site VPN tunnel between a VPN Concentrator and an IOS router you are required to be running release ___ software on the VPN concentrator and release ____ software on the IOS router.

  • A. 2.5(2), 5.2

  • B. 3.0, 5.2

  • C. 2.5(2), 12.1

  • D. 5.2, 2.5(2)

Question 8

Which feature of IPSec ensures that each packet is unique and not duplicated?

  • A. Confidentiality

  • B. Data integrity

  • C. Origin authentication

  • D. Anti-replay

Question 9

In which key encryption methodology do source and destination tunnel endpoints use one key to encrypt and another key to decrypt the traffic?

  • A. Analog

  • B. Symmetric

  • C. Asymmetric

  • D. Auto-configurable

Question 10

When utilizing RSA encryption, the remote tunnel endpoint decrypts data using the sender's _______ key.

  • A. Public

  • B. Private

  • C. Preshared

  • D. Diffie-Hellman

Question 11

Which of the following Diffie-Hellman key exchange algorithms use a key size of 1536 bits?

  • A. Group 1

  • B. Group 2

  • C. Group 5

  • D. Group 7

Question 12

In which of the following methods can you perform peer authentication? (Choose all that apply.)

  • A. Preshared key

  • B. RSA encrypted nonces

  • C. RSA signatures

  • D. DES

  • E. 3DES

Question 13

IPSec is a framework of open standards. Which of the following protocols falls under the IPSec framework?

  • A. Authentication Header

  • B. Encryption Header

  • C. Encrypting Security Payload

  • D. Encapsulating Security Payload

Question 14

In which steps of IPSec are the basic set of security services negotiated and agreed upon? (Choose two.)

  • A. Step 1: Interesting traffic

  • B. Step 2: IKE phase 1

  • C. Step 3: IKE phase 2

  • D. Step 4: Data Transfer

  • E. Step 5: IPSec tunnel termination

Question 15

When peers agree upon security services, each VPN peer device enters information in a security policy database. The information in the security policy database is known as an ____.

  • A. SPI

  • B. SA

  • C. SAD

  • D. IKE phase 2 database

Question 16

A cluster is defined as a group of concentrators working together as a single entity. To the outside client space, this cluster is known by what IP address?

  • A. IP address of the public interface

  • B. IP address of the private interface

  • C. Virtual IP address

  • D. IP address of the external interface

Question 17

When implementing load balancing, load is calculated as a percentage of current active sessions divided by the configured maximum allowed connections. A virtual cluster master maintains load information from which of the following VPN Concentrators?

  • A. All other cluster masters

  • B. All active sessions

  • C. All other non-masters

  • D. All inbound connections

Question 18

Which of the following VPN clients and tunneling protocols does a Cisco VPN Concentrator support? (Choose all that apply.)

  • A. L2TP

  • B. Linux

  • C. Mac

  • D. Certicom

  • E. IPsec

Question 19

When enabled, in which mode does the default firewall filter block all traffic inbound that is not related to the outbound session?

  • A. Stateful Firewall (always on)

  • B. Are You There

  • C. Cisco Pushed Policy

  • D. Cisco VRRP Firewall

Question 20

By default, which of the following ports can be used to configure the Cisco VPN 3002 Hardware client? (Choose all that apply.)

  • A. 1 Private port

  • B. 1 Public port

  • C. 1 Console port

  • D. 1 VTY port

Question 21

A Cisco VPN Concentrator can be configured via a CLI and a GUI interface. In what ways can you configure the VPN Concentrator via the GUI interface? (Choose all that apply.)

  • A. Setup mode

  • B. Quick Configuration

  • C. Concentrator Manager

  • D. Privilege mode


Question 22

Which of the following parameters can be configured under the Configuration | Quick | Protocols window? (Choose all that apply.)

  • A. L2TP

  • B. RIP

  • C. PPTP

  • D. OSPF

  • E. IPSec

Question 23


You have an internal authentication server that assigns IP addresses to the remote VPN sessions based upon their credentials. Which parameter would you select under the Configuration | Quick | Address Management window to assign IP addresses retrieved from an authentication server on a per-user basis?

  • A. Client Specified

  • B. Per User

  • C. DHCP

  • D. Configured Pool

Question 24

Which of the following options are available under the Server Type field in the Configuration | Quick | Authentication window? (Choose all that apply.)

  • A. RADIUS

  • B. SOLARIS

  • C. NT Domain

  • D. Security Dynamics (SDI)

  • E. Internal Server

Question 25

Which of the following are valid group categories defined under the User Management configuration tree? (Choose all that apply.)

  • A. Default Group

  • B. Groups

  • C. Authenticated Users

  • D. Users

Question 26

Which of the following fields under the Configuration | User Management | Groups | Modify Group | General window determines the termination of a VPN connection if there is a configured period of inactivity on the link?

  • A. Access Hours

  • B. Maximum Connect Time

  • C. Inactivity Timeout

  • D. Idle Timeout

Question 27

Which of the following types of VPN authentication is also referred to as XAUTH?

  • A. Concentrator authentication

  • B. Network authentication

  • C. Local authentication

  • D. Database authentication

Question 28


To configure split tunneling on the Cisco 3005 VPN Concentrator, which tab under the Configuration | User Management | Groups | Modify Group window would you select to accomplish this task?

  • A. IPSec

  • B. HW Client

  • C. Client FW

  • D. Client Config

Question 29

Which of the following options allows a remote user to send clear text messages to a printer, download images from a Web site, and send encrypted messages to the head office, all at the same time?

  • A. Split tunneling

  • B. Tunnel everything except local LAN traffic

  • C. Tunnel everything

  • D. One-way tunneling

Question 30

Which of the following are mandatory steps in implementing split tunneling on a Cisco VPN Concentrator? (Choose all that apply.)

  • A. Select Only Tunnel Networks in the list option

  • B. Select the Tunnel Everything option

  • C. Choose appropriate list from the Split Tunneling Network list

  • D. Select Allow the Networks in List to Bypass the Tunnel option

Question 31

Which of the following steps are required to set up Split DNS? (Choose all that apply.)

  • A. Identify list of secure networks

  • B. Configure split tunneling

  • C. Assign network list to split tunneling parameters

  • D. Define names of all DNS servers, both corporate and ISP

  • E. Define names of only corporate DNS servers

  • F. Define primary and secondary DNS servers to resolve encrypted DNS queries

Question 32

Which of the following parameters on a Cisco VPN Concentrator specifies how to handle a packet that exceeds the MTU setting when tunneling through the public interface?

  • A. TCP fragmentation

  • B. IPSec fragmentation

  • C. IP fragmentation

  • D. UDP fragmentation

Question 33

When configuring a Cisco VPN Client, which of the following options on the General tab enables a user to disable local LAN access when using an insecure local LAN?

  • A. Allow IPSec over UDP (NAT/PAT)

  • B. Use IPSec over TCP (NAT/PAT/Firewall)

  • C. Allow Local LAN access

  • D. Peer Response Timeout

Question 34

You have been assigned the task of preconfiguring 150 Cisco VPN Clients. Which of the following files can be used as a global profile to set standards for all Cisco VPN Client profiles?

  • A. oem.ini

  • B. vpnclient.ini

  • C. vpnbuild.ini

  • D. .pcf

  • E. profile.ini

  • F. Global.ini

Question 35

Which of the following sections under the Monitor | Sessions window gives you an overview of all the sessions, as well as the total active, peak concurrent, and total concurrent sessions?

  • A. Session Summary

  • B. LAN-to-LAN Sessions

  • C. Remote Access Sessions

  • D. Management Sessions

Question 36

Which of the following windows displays more in-depth statistics about the remote access sessions?

  • A. Monitoring | Remote Access | Detail

  • B. Monitoring | Remote Access

  • C. Monitoring | Detail | Remote Access

  • D. Monitoring | Sessions

  • E. Monitoring | Sessions | Details

Question 37

Digital signatures are used to link data with the owner of a specific private key. Which of the following holds true about digital signatures? (Choose all that apply.)

  • A. Sender's private key is used to encrypt the hash.

  • B. The original message is run through a hashing algorithm.

  • C. Hash that was appended to the original message is decrypted using the sender's public key at the remote end.

  • D. Hash values are matched.

  • E. Matching hash values indicate that the message was signed by the sender's private key.

Question 38

Which of the following defines a set of procedures needed to create, manage, store, revoke, and distribute digital certificates?

  • A. Private key infrastructure

  • B. Public key infrastructure

  • C. Digital key infrastructure

  • D. Analog key infrastructure

Question 39

Which of the following steps are required for the end-user to obtain a digital certificate? (Choose all that apply.)

  • A. User generates private and public key pair.

  • B. User generates certificate request.

  • C. User sends the request to the CA.

  • D. User installs root certificate after installing identity certificate.

  • E. User installs root certificate before installing identity certificate.

Question 40

When creating a certificate request message, which of the following fields must match the attribute data based on the concentrator to establish a secure VPN tunnel successfully?

  • A. Organization (O)

  • B. Subject Alternative Name

  • C. Organizational Unit (OU)

  • D. Key Size

  • E. Common Name (CN)

Question 41

Which of the following parameters does the concentrator check before installing the identity certificate? (Choose all that apply.)

  • A. Is the identity certificate verified with the CA's public key?

  • B. Has the identity certificate been revoked?

  • C. Has the CA server used the PKCS#10 request?

  • D. Has the identity certificate expired?

Question 42

Which of the following is NOT true about the Certificate Revocation List (CRL)?

  • A. CRL checking is the last validation step.

  • B. The CRL is issued by the CA.

  • C. The CRL contains a list of certificates that have been newly issued.

  • D. The CRL contains a list of certificates that are invalid.

  • E. The CRL is signed by the CA and released periodically.

Question 43

Which of the following protocols enable you to connect directly to the CA and use the network-based enrollment?

  • A. DES

  • B. SCEP

  • C. Diffie-Hellman

  • D. MD5

Question 44

When configuring the CRL Retrieval Policy, which option enables the concentrator to retrieve up to 5 CRL-DPs from the CRL-DP extension of the certificate being verified?

  • A. Use CRL-DPs from the Certificate being checked

  • B. Use Static CRL-DPs

  • C. Use CRL-DPs from the Certificate being checked, or else use Static DPs

  • D. No CRL checking

Question 45


Which of the following statements are true about the IKE proposal? (Choose all that apply.)

  • A. IKE proposal uses preshared key with extended authentication.

  • B. IKE proposal uses digital certificates with extended authentication.

  • C. IKE proposal uses MD5 as the encryption algorithm.

  • D. IKE proposal uses MD5 as the authentication algorithm.

  • E. DH group 2 is used to derive the shared secret.

  • F. Lifetime is based upon the data flow.

Question 46

You want to download an identity certificate from a Microsoft CA by using the file enrollment process. Which of the following actions must be considered on the Cisco VPN Client when you want to implement the cut-and-paste transfer? (Choose all that apply.)

  • A. Use binary encoded PKCS#10 (.p10).

  • B. Use base 64 encoded PKCS#10 (.req).

  • C. Department and group name must be identical.

  • D. Department and group name don't have to be identical.

Question 47

Which of the following are the correct steps involved in the SCEP process?

  • A. CA returns a CA or RA certificate; user sends the CA or RA certificate request to the CA; Certificate Manager verifies the CA or RA, generates keys and certificate request, and sends certificate request to CA; CA generates identity certificate and returns it to Certificate Manager.

  • B. CA generates identity certificate and returns it to Certificate Manager; user sends the CA or RA certificate request to the CA; CA returns a CA or RA certificate; Certificate Manager verifies the CA or RA, generates keys and certificate request, and sends certificate request to CA.

  • C. User sends the CA or RA certificate request to the CA; Certificate Manager verifies the CA or RA, generates keys and certificate request, and sends certificate request to CA; CA returns a CA or RA certificate; CA generates identity certificate and returns it to Certificate Manager.

  • D. User sends the CA or RA certificate request to the CA; CA returns a CA or RA certificate; Certificate Manager verifies the CA or RA, generates keys and certificate request, and sends certificate request to CA; CA generates identity certificate and returns it to Certificate Manager.

Question 48

Which firewall feature allows network administrators to centrally define firewall policies for the connected VPN clients?

  • A. AYT

  • B. Stateful Firewall

  • C. CPP

  • D. CIC

Question 49

When configuring the AYT feature on the concentrator, in what different ways can you configure the firewall settings under the Client FW tab of the Configuration | User Management | Groups | Modify page? (Choose all that apply.)

  • A. Firewall Optional/Required

  • B. No Firewall

  • C. Firewall Required

  • D. Firewall Optional

Question 50

Which firewall is not supported by the CPP?

  • A. CIC

  • B. Network ICE BlackICE Defender

  • C. ZoneAlarm

  • D. ZoneAlarm Pro

Question 51

Which of the following steps are needed to configure Cisco Pushed Policy (CPP)? (Choose all that apply.)

  • A. Under the Firewall Policy section, select Policy from Server.

  • B. Select the Firewall Required or Firewall Optional parameter.

  • C. Select NetworkICE as the firewall.

  • D. Under the Firewall Policy section, select Policy Pushed.

  • E. Select CIC or Zone Labs as the firewall.

Question 52

Which feature provides a secure connection within an on-site wireless LAN environment through a VPN Concentrator?

  • A. Tunnel establishment

  • B. Automatic VPN initiation

  • C. IPSec VPN initiation

  • D. Administrative VPN initiation

Question 53

Which of the following are the predefined administrators on a VPN Concentrator? (Choose all that apply.)

  • A. admin

  • B. config

  • C. isp

  • D. mis

  • E. user

Question 54

Which of the following is true about the Session Summary table in the Monitoring | Sessions window?

  • A. Shows parameters and statistics for all active remote access sessions

  • B. Shows summary total for LAN-to-LAN, remote access, and management sessions

  • C. Shows parameters and statistics for all active administrator management sessions

  • D. Shows summary total for only LAN-to-LAN sessions

Question 55

Which window displays the statistics for all IPSec activity and the active tunnels currently established to the concentrator?

  • A. Monitoring | Statistics | NAT

  • B. Monitoring | Statistics | Protocols | IPSec

  • C. Monitoring | Sessions

  • D. Monitoring | Statistics | L2TP

  • E. Monitoring | Statistics | IPSec

Question 56

Which concentrator window enables you to display the events in the current event log and lets you filter, display, and manage events by various criteria?

  • A. Monitoring | Statistics | NAT

  • B. Monitoring | Statistics | Live Log

  • C. Monitoring | Live Event Log

  • D. Monitoring | Filterable Event Log

Question 57

Which of the following tasks need to be completed when configuring a new event class under the Configuration | System | Events | Classes | Add window? (Choose all that apply.)

  • A. Select the type of event class.

  • B. Enable or disable special handling of this event.

  • C. Select the range of severity level.

  • D. Select the IKE parameters.

  • E. Select the level of administrator privileges.

Question 58

Which administrator accounts on the VPN concentrator have all rights of the admin account except SNMP access? (Choose two.)

  • A. admin

  • B. config

  • C. isp

  • D. mis

  • E. user

Question 59

What must be done to make the boot configuration file the active configuration file?

  • A. Copy current configuration to an FTP server

  • B. Delete the config.bak file

  • C. Swap the load file from TFTP server

  • D. Reboot the Concentrator

Question 60

Which window enables you to implement a software update on the Cisco VPN Concentrator?

  • A. Administration | Software Update | Client

  • B. Administration | Software Update | Concentrator

  • C. Configuration | Software Update | Concentrator

  • D. Configuration | Software Update | Client

Question 61

What would be the normal burst size if you want to limit remote access users to 200Kbps of bandwidth on the concentrator by using bandwidth management policies?

  • A. 35000 bytes

  • B. 37500 bytes

  • C. 40000 bytes

  • D. 42750 bytes

Question 62

Which of the following modes should be used if there is no need to see the devices behind the VPN 3002 Hardware Client?

  • A. Network PAT mode

  • B. Client Extension mode

  • C. Client mode

  • D. Network Extension mode

Question 63

Which of the following is the default authentication option on the Cisco 3002 HW Client?

  • A. Per-connection authentication

  • B. Interactive unit authentication

  • C. User authentication

  • D. Unit authentication

Question 64

In which of the following ways can the end user gain access to the username password prompt when individual user authentication is enabled? (Choose all that apply.)

  • A. Via the Hardware Client Manager

  • B. Via the Connection Status window

  • C. Via the System Status window

  • D. Via a redirect message when trying to access a Web page on the VPN Concentrator's network

Question 65

You have configured backup servers on the Cisco HW Client. Which of the following is true about accessing backup servers on the HW Client? (Choose all that apply.)

  • A. HW Client attempts to contact both primary and backup peers instantaneously.

  • B. HW Client attempts to contact primary peers.

  • C. If the primary peer is down, the HW Client declares the packet lost.

  • D. HW Client attempts connection with the backup server.

Question 66

Which of the following VPN Client versions support load balancing? (Choose all that apply.)

  • A. Cisco VPN Software Client release 2

  • B. HW Client release 2.0

  • C. Cisco VPN Software Client release 3 and above

  • D. HW Client release 3.5 and above

Question 67

Which of the following is the default port used by the VPN Virtual Cluster? (Choose all that apply.)

  • A. UDP 9000

  • B. UDP 9023

  • C. TCP 9023

  • D. TCP 9000

Question 68

When enabled, which of the following features applies to all VPN Software and HW Clients using PAT mode?

  • A. Client Network Extension

  • B. Network Extension RRI

  • C. Client PAT Extension

  • D. Client RRI

Question 69

Which of the following statements are true about the Cisco VPN HW Client software update feature? (Choose all that apply.)

  • A. Client update feature has to be enabled.

  • B. Client update feature is enabled by default.

  • C. Client Type parameter is case- and space-sensitive.

  • D. Client Type parameter is not case- and space-sensitive.

  • E. Revision Group Update parameter is not case-sensitive.

Question 70

Which of the following are IPSec through NAT applications? (Choose all that apply.)

  • A. IPSec over UDP (proprietary)

  • B. NAT-T

  • C. IPSec over TCP (proprietary)

  • D. ISAKMP over UDP

Question 71

Which window allows you to enable NAT-T on a concentrator?

  • A. Configuration | System | Tunneling Protocols

  • B. Configuration | System | Tunneling Protocols | IPSec | NAT Transparency

  • C. Configuration | System | Tunneling Protocols | NAT Transparency

  • D. Configuration | System | Tunneling Protocols | IPSec | IPSec LAN-to-LAN

Question 72

When configuring IPSec LAN-to-LAN tunnels, which of the following ESP options are supported by the concentrator? (Choose all that apply.)

  • A. HMAC-MD5-128-bit

  • B. HMAC-SHA-1-160-bit

  • C. DES-56-bit

  • D. 3DES-168-bit

  • E. AES-128-, 196-, and 256-bit

Question 73

Which of the following tables does the LAN-to-LAN wizard automatically configure? (Choose all that apply.)

  • A. Group Name

  • B. Connection Name

  • C. SA Name

  • D. Filter Name

Question 74

Which of the following statements are true regarding creation of static LAN-to-LAN NAT translation rules? (Choose all that apply.)

  • A. Specified local network address must be the same class as the mapped address.

  • B. Packets are translated based on static rules.

  • C. Port mapping is never performed.

  • D. Static rules are bi-directional.

Question 75

Which of the following statements are true about installing an identity certificate via SCEP? (Choose all that apply.)

  • A. Concentrator generates a RSA key pair.

  • B. Concentrator creates a PKCS#10 request and sends it to CA.

  • C. CA approves the request and sends the certificate back.

  • D. CA approval process can be either automatic or manual.




CSVPN Exam Cram 2 (Exam 642-511)
CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185
