Question 1 | James downloads sophisticated hacking software from the Internet. He is a disgruntled employee and tries to hack into his company's Web server. John is a highly motivated and technically competent individual. What type of network threat is James? (Choose all that apply.) A. Unstructured threat B. Structured threat C. External threat D. Internal threat
|
Question 2 | A hacker attacks your network in such a way that damages and corrupts your computer systems and denies intended users' access to a Web server. The attack also denies all authorized users access to the network and services. How would you classify this network attack? |
Question 3 | Which of the following products is the best choice if the primary role of the equipment is to perform site-to-site VPN with a few remote access connections? A. VPN-enabled router B. VPN 3000 Concentrator C. PIX Firewall
|
Question 4 | Out of the box, which of the following models of VPN Concentrator support hardware encryption? (Choose all that apply.) A. 3005 B. 3015 C. 3030 D. 3060 E. 3080
|
Question 5 | You are designing a VPN solution for your enterprise network. The requirement is for 180 site-to-site tunnels. Money is an important factor that needs to be considered when implementing this solution. Which of the following models of VPN Concentrator fits the requirement? A. 3005 B. 3015 C. 3030 D. 3060
|
Question 6 | You have a 3080 VPN Concentrator running in an environment that supports both site-to-site VPN tunnels as well as remote access VPN tunnels. You have 728 branch offices that have site-to-site tunnels established to the Head Office 3080 Concentrator. What is the maximum number of remote access VPN tunnels that can now be established to this VPN 3080 Concentrator? A. 10000 B. 9271 C. 9722 D. 5000 E. 9272
|
Question 7 | To establish a site-to-site VPN tunnel between a VPN Concentrator and an IOS router you are required to be running release ___ software on the VPN concentrator and release ____ software on the IOS router. A. 2.5(2), 5.2 B. 3.0, 5.2 C. 2.5(2), 12.1 D. 5.2, 2.5(2)
|
Question 8 | Which feature of IPSec ensures that each packet is unique and not duplicated? A. Confidentiality B. Data integrity C. Origin authentication D. Anti-replay
|
Question 9 | In which key encryption methodology do source and destination tunnel endpoints use one key to encrypt and another key to decrypt the traffic? A. Analog B. Symmetric C. Asymmetric D. Auto-configurable
|
Question 10 | When utilizing RSA encryption, the remote tunnel endpoint decrypts data using sender's _______ key. A. Public B. Private C. Preshared D. Diffie-Hellman
|
Question 11 | Which of the following Diffie-Hellman key exchange algorithms use a key size of 1536 bits? A. Group 1 B. Group 2 C. Group 5 D. Group 7
|
Question 12 | In which of the following methods can you perform peer authentication? (Choose all that apply.) A. Preshared key B. RSA encrypted nonces C. RSA signatures D. DES E. 3DES
|
Question 13 | IPSec is a framework of open standards. Which of the following protocols falls under the IPSec framework? |
Question 14 | In which steps of IPSec are the basic set of security services negotiated and agreed upon? (Choose two.) |
Question 15 | When peers agree upon security services, each VPN peer device enters information in a security policy database. The information in the security policy database is known as an ____. A. SPI B. SA C. SAD D. IKE phase 2 database
|
Question 16 | A cluster is defined as a group of concentrators working together as a single entity. To the outside client space, this cluster is known by what IP address? A. IP address of the public interface B. IP address of the private interface C. Virtual IP address D. IP address of the external interface
|
Question 17 | When implementing load balancing, load is calculated as a percentage of current active sessions divided by the configured maximum allowed connections. A virtual cluster master maintains load information from which of the following VPN Concentrators? |
Question 18 | Which of the following VPN clients and tunneling protocols does a Cisco VPN Concentrator support? (Choose all that apply.) A. L2TP B. Linux C. Mac D. Certicom E. IPsec
|
Question 19 | When enabled, in which mode does the default firewall filter block all traffic inbound that is not related to the outbound session? |
Question 20 | By default, which of the following ports can be used to configure the Cisco VPN 3002 Hardware client? (Choose all that apply.) A. 1 Private port B. 1 Public port C. 1 Console port D. 1 VTY port
|
Question 21 | A Cisco VPN Concentrator can be configured via a CLI and a GUI interface. In what ways can you configure the VPN Concentrator via the GUI interface? (Choose all that apply.) A. Setup mode B. Quick Configuration C. Concentrator Manager D. Privilege mode |
Question 22 | Which of the following parameters can be configured under the Configuration | Quick | Protocols window? (Choose all that apply.) A. L2TP B. RIP C. PPTP D. OSPF E. IPSec
|
Question 23 | You have an internal authentication server that assigns IP addresses to the remote VPN sessions based upon their credentials. Which parameter would you select under the Configuration | Quick | Address Management window to assign IP addresses retrieved from an authentication server on a per-user basis? A. Client Specified B. Per User C. DHCP D. Configured Pool
|
Question 24 | Which of the following options are available under the Server Type field in the Configuration | Quick | Authentication window? (Choose all that apply.) |
Question 25 | Which of the following are valid group categories defined under the User Management configuration tree? (Choose all that apply.) A. Default Group B. Groups C. Authenticated Users D. Users
|
Question 26 | Which of the following fields under the Configuration | User Management | Groups | Modify Group | General window determines the termination of a VPN connection if there is a configured period of inactivity on the link? A. Access Hours B. Maximum Connect Time C. Inactivity Timeout D. Idle Timeout
|
Question 27 | Which of the following types of VPN authentication is also referred to as XAUTH? A. Concentrator authentication B. Network authentication C. Local authentication D. Database authentication
|
Question 28 | To configure split tunneling on the Cisco 3005 VPN Concentrator, which tab under the Configuration | User Management | Groups | Modify Group window would you select to accomplish this task? A. IPSec B. HW Client C. Client FW D. Client Config
|
Question 29 | Which of the following options allows a remote user to send clear text messages to a printer, download images from a Web site, and send encrypted messages to the head office, all at the same time? |
Question 30 | Which of the following are mandatory steps in implementing split tunneling on a Cisco VPN Concentrator? (Choose all that apply.) A. Select Only Tunnel Networks in the list option B. Select the Tunnel Everything option C. Choose appropriate list from the Split Tunneling Network list D. Select Allow the Networks in List to Bypass the Tunnel option
|
Question 31 | Which of the following steps are required to set up Split DNS? (Choose all that apply.) A. Identify list of secure networks B. Configure split tunneling C. Assign network list to split tunneling parameters D. Define names of all DNS servers, both corporate and ISP E. Define names of only corporate DNS servers F. Define primary and secondary DNS servers to resolve encrypted DNS queries
|
Question 32 | Which of the following parameters on a Cisco VPN Concentrator specifies how to handle a packet that exceeds the MTU setting when tunneling through the public interface? A. TCP fragmentation B. IPSec fragmentation C. IP fragmentation D. UDP fragmentation
|
Question 33 | When configuring a Cisco VPN Client, which of the following options on the General tab enables a user to disable local LAN access when using an insecure local LAN? A. Allow IPSec over UDP (NAT/PAT) B. Use IPSec over TCP (NAT/PAT/Firewall) C. Allow Local LAN access D. Peer Response Timeout
|
Question 34 | You have been assigned the task of preconfiguring 150 Cisco VPN Clients. Which of the following files can be used as a global profile to set standards for all Cisco VPN Client profiles? A. oem.ini B. vpnclient.ini C. vpnbuild.ini D. .pcf E. profile.ini F. Global.ini
|
Question 35 | Which of the following sections under the Monitor | Sessions window gives you an overview of all the sessions, as well as the total active, peak concurrent, and total concurrent sessions? |
Question 36 | Which of the following windows displays more in-depth statistics about the remote access sessions? A. Monitoring | Remote Access | Detail B. Monitoring | Remote Access C. Monitoring | Detail | Remote Access D. Monitoring | Sessions E. Monitoring | Sessions | Details
|
Question 37 | Digital signatures are used to link data with the owner of a specific private key. Which of the following holds true about digital signatures? (Choose all that apply.) A. Sender's private key is used to encrypt the hash. B. The original message is run through a hashing algorithm. C. Hash that was appended to the original message is decrypted using the sender's public key at the remote end. D. Hash values are matched. E. Matching hash values indicate that the message was signed by the sender's private key.
|
Question 38 | Which of the following defines a set of procedures needed to create, manage, store, revoke, and distribute digital certificates? A. Private key infrastructure B. Public key infrastructure C. Digital key infrastructure D. Analog key infrastructure
|
Question 39 | Which of the following steps are required for the end-user to obtain a digital certificate? (Choose all that apply.) A. User generates private and public key pair. B. User generates certificate request. C. User sends the request to the CA. D. User installs root certificate after installing identity certificate. E. User installs root certificate before installing identity certificate.
|
Question 40 | When creating a certificate request message, which of the following fields must match the attribute data based on the concentrator to establish a secure VPN tunnel successfully? |
Question 41 | Which of the following parameters does the concentrator check before installing the identity certificate? (Choose all that apply.) A. Is the identity certificate verified with the CA's public key? B. Has the identity certificate been revoked? C. Has the CA server used the PKCS#10 request? D. Has the identity certificate expired?
|
Question 42 | Which of the following is NOT true about the Certificate Revocation List (CRL)? A. CRL checking is the last validation step. B. The CRL is issued by the CA. C. The CRL contains a list of certificates that have been newly issued. D. The CRL contains a list of certificates that are invalid. E. The CRL is signed by the CA and released periodically.
|
Question 43 | Which of the following protocols enable you to connect directly to the CA and use the network-based enrollment? A. DES B. SCEP C. Diffie-Hellman D. MD5
|
Question 44 | When configuring the CRL Retrieval Policy, which option enables the concentrator to retrieve up to 5 CRL-DPs from the CRL-DP extension of the certificate being verified? A. Use CRL-DPs from the Certificate being checked B. Use Static CRL-DPs C. Use CRL-DPs from the Certificate being checked, or else use Static DPs D. No CRL checking
|
Question 45 | Which of the following statements are true about the IKE proposal? (Choose all that apply.) A. IKE proposal uses preshared key with extended authentication. B. IKE proposal uses digital certificates with extended authentication. C. IKE proposal uses MD5 as the encryption algorithm. D. IKE proposal uses MD5 as the authentication algorithm. E. DH group 2 is used to derive the shared secret. F. Lifetime is based upon the data flow.
|
Question 46 | You want to download an identity certificate from a Microsoft CA by using the file enrollment process. Which of the following actions must be considered on the Cisco VPN Client when you want to implement the cut-and-paste transfer? (Choose all that apply.) A. Use binary encoded PKCS#10 (.p10). B. Use base 64 encoded PKCS#10 (.req). C. Department and group name must be identical. D. Department and group name don't have to be identical.
|
Question 47 | Which of the following are the correct steps involved in the SCEP process? A. CA returns a CA or RA certificate; user sends the CA or RA certificate request to the CA; Certificate Manager verifies the CA or RA, generates keys and certificate request, and sends certificate request to CA; CA generates identity certificate and returns it to Certificate Manager. B. CA generates identity certificate and returns it to Certificate Manager; user sends the CA or RA certificate request to the CA; CA returns a CA or RA certificate; Certificate Manager verifies the CA or RA, generates keys and certificate request, and sends certificate request to CA. C. User sends the CA or RA certificate request to the CA; Certificate Manager verifies the CA or RA, generates keys and certificate request, and sends certificate request to CA; CA returns a CA or RA certificate; CA generates identity certificate and returns it to Certificate Manager. D. User sends the CA or RA certificate request to the CA; CA returns a CA or RA certificate; Certificate Manager verifies the CA or RA, generates keys and certificate request, and sends certificate request to CA; CA generates identity certificate and returns it to Certificate Manager
|
Question 48 | Which firewall feature allows network administrators to centrally define firewall policies for the connected VPN clients? A. AYT B. Stateful Firewall C. CPP D. CIC
|
Question 49 | When configuring the AYT feature on the concentrator, in what different ways can you configure the firewall settings under the Client FW tab of the Configuration | User Management | Groups | Modify page? (Choose all that apply.) |
Question 50 | Which firewall is not supported by the CPP? |
Question 51 | Which of the following steps are needed to configure Cisco Pushed Policy (CPP)? (Choose all that apply.) A. Under the Firewall Policy section, select Policy from Server. B. Select the Firewall Required or Firewall Optional parameter. C. Select NetworkICE as the firewall. D. Under the Firewall Policy section, select Policy Pushed. E. Select CIC or Zone Labs as the firewall.
|
Question 52 | Which feature provides a secure connection within an on-site wireless LAN environment through a VPN Concentrator? |
Question 53 | Which of the following are the predefined administrators on a VPN Concentrator? (Choose all that apply.) A. admin B. config C. isp D. mis E. user
|
Question 54 | Which of the following is true about the Session Summary table in the Monitoring | Sessions window? A. Shows parameters and statistics for all active remote access sessions B. Shows summary total for LAN-to-LAN, remote access, and management sessions C. Shows parameters and statistics for all active administrator management sessions D. Shows summary total for only LAN-to-LAN sessions
|
Question 55 | Which window displays the statistics for all IPSec activity and the active tunnels currently established to the concentrator? A. Monitoring | Statistics | NAT B. Monitoring | Statistics | Protocols | IPSec C. Monitoring | Sessions D. Monitoring | Statistics | L2TP E. Monitoring | Statistics | IPSec
|
Question 56 | Which concentrator window enables you to display the events in the current event log and lets you filter, display, and manage events by various criteria? A. Monitoring | Statistics | NAT B. Monitoring | Statistics | Live Log C. Monitoring | Live Event Log D. Monitoring | Filterable Event Log
|
Question 57 | Which of the following tasks need to be completed when configuring a new event class under the Configuration | System | Events | Classes | Add window? (Choose all that apply.) A. Select the type of event class. B. Enable or disable special handling of this event. C. Select the range of severity level. D. Select the IKE parameters. E. Select the level of administrator privileges.
|
Question 58 | Which administrator accounts on the VPN concentrator have all rights of the admin account except SNMP access? (Choose two.) A. admin B. config C. isp D. mis E. user
|
Question 59 | What must be done to make the boot configuration file the active configuration file? A. Copy current configuration to an FTP server B. Delete the config.bak file C. Swap the load file from TFTP server D. Reboot the Concentrator
|
Question 60 | Which window enables you to implement a software update on the Cisco VPN Concentrator? A. Administration | Software Update | Client B. Administration | Software Update | Concentrator C. Configuration | Software Update | Concentrator D. Configuration | Software Update | Client
|
Question 61 | What would be the normal burst size if you want to limit remote access users to 200Kbps of bandwidth on the concentrator by using bandwidth management policies? A. 35000 bytes B. 37500 bytes C. 40000 bytes D. 42750 bytes
|
Question 62 | Which of the following modes should be used if there is no need to see the devices behind the VPN 3002 Hardware Client? |
Question 63 | Which of the following is the default authentication option on the Cisco 3002 HW Client? |
Question 64 | In which of the following ways can the end user gain access to the username password prompt when individual user authentication is enabled? (Choose all that apply.) A. Via the Hardware Client Manager B. Via the Connection Status window C. Via the System Status window D. Via a redirect message when trying to access a Web page on the VPN Concentrator's network
|
Question 65 | You have configured backup servers on the Cisco HW Client. Which of the following is true about accessing backup servers on the HW Client? (Choose all that apply.) A. HW Client attempts to contact both primary and backup peers instantaneously. B. HW Client attempts to contact primary peers. C. If the primary peer is down, the HW Client declares the packet lost. D. HW Client attempts connection with the backup server.
|
Question 66 | Which of the following VPN Client versions support load balancing? (Choose all that apply.) A. Cisco VPN Software Client release 2 B. HW Client release 2.0 C. Cisco VPN Software Client release 3 and above D. HW Client release 3.5 and above
|
Question 67 | Which of the following is the default port used by the VPN Virtual Cluster? (Choose all that apply.) A. UDP 9000 B. UDP 9023 C. TCP 9023 D. TCP 9000
|
Question 68 | When enabled, which of the following features applies to all VPN Software and HW Clients using PAT mode? |
Question 69 | Which of the following statements are true about the Cisco VPN HW Client software update feature? (Choose all that apply.) A. Client update feature has to be enabled. B. Client update feature is enabled by default. C. Client Type parameter is case- and space-sensitive. D. Client Type parameter is not case- and space-sensitive. E. Revision Group Update parameter is not case-sensitive.
|
Question 70 | Which of the following are IPSec through NAT applications? (Choose all that apply.) |
Question 71 | Which window allows you to enable NAT-T on a concentrator? A. Configuration | System | Tunneling Protocols B. Configuration | System | Tunneling Protocols | IPSec | NAT Transparency C. Configuration | System | Tunneling Protocols | NAT Transparency D. Configuration | System | Tunneling Protocols | IPSec | IPSec LAN-to-LAN
|
Question 72 | When configuring IPSec LAN-to-LAN tunnels, which of the following ESP options are supported by the concentrator? (Choose all that apply.) |
Question 73 | Which of the following tables does the LAN-to-LAN wizard automatically configure? (Choose all that apply.) A. Group Name B. Connection Name C. SA Name D. Filter Name
|
Question 74 | Which of the following statements are true regarding creation of static LAN-to-LAN NAT translation rules? (Choose all that apply.) A. Specified local network address must be the same class as the mapped address. B. Packets are translated based on static rules. C. Port mapping is never performed. D. Static rules are bi-directional.
|
Question 75 | Which of the following statements are true about installing an identity certificate via SCEP? (Choose all that apply.) A. Concentrator generates a RSA key pair. B. Concentrator creates a PKCS#10 request and sends it to CA. C. CA approves the request and sends the certificate back. D. CA approval process can be either automatic or manual.
|