| Question 1 | When receiving an attack, which command provides a blocking function? -
A. access-list -
B. shun -
C. conduit -
D. shutdown |
| A1: | Answer B is correct. When an attack occurs, the shun command provides blocking for the PIX firewall. Answers A and C are incorrect because access-list and conduit commands are not used to block when attacks occur; they are manually set ahead of time. Answer D is incorrect because the shutdown command disables an interface permanently. |
| Question 2 | Which function does the DNS Guard perform? (Select two.) -
A. It prevents denial -of-service attacks and UDP session hijacking. -
B. It blocks DNS transfers. -
C. It tears down the connection after the first DNS response is received. -
D. It allows DNS requests to enter the PIX only from the inside interface. |
| A2: | Answers A and C are correct. The DNS Guard prevents DoS attacks and UDP session hijacking by closing down the connection after the first DNS response is received. Answer B is incorrect because it does not block DNS transfers. Answer D is incorrect because it doesn't allow DNS requests from the inside. This can only be controlled by using access lists. |
| Question 3 | Which command applies an IP audit policy to an interface? |
| A3: | Answer B is correct. The ip audit interface <if_name> < name > command applies an audit policy to an interface. Audits are used to define what to do with traffic that matches informational or attack signature types. Answers A, C, and D are incorrect because these commands do not exist. |
| Question 4 | What is the default action of an audit policy when it is first created and applied to an interface? -
A. All signature classes are enabled. -
B. Only informational signature classes are enabled. -
C. Only attack signature classes are enabled. -
D. All signature classes are disabled. |
| A4: | Answer A is correct. By default, when a policy is created, all signature classes are enabled. They must be manually disabled if required. Therefore, answers B, C, and D are incorrect. |
| Question 5 | What are false positive alarms in an IDS? -
A. Alarms caused by legitimate traffic -
B. Alarms caused by direct information or attacks on the system -
C. Alarms that can be ignored -
D. Alarms that need to be set by the administrator |
| A5: | Answer A is correct. False positives are alarms triggered by legitimate traffic that matches a pattern of a monitored signature. Answer B is incorrect because it indicates what should happen when malicious traffic matching an audited signature, not a false positive, is detected . Answer C is incorrect because not all false positives should be ignored; therefore answer A is more correct. Answer D is incorrect because the administrator can only disable alarms, not set them. |
| Question 6 | Which command uses the embryonic parameter? (Select two.) -
A. access-list -
B. nat -
C. conduit -
D. static |
| A6: | Answers B and D are correct. The embryonic parameter is used by the nat and static commands. The PIX monitors half- open connections and allows up to the value set by the embryonic parameter. Then TCP intercept is performed on behalf of the client, ensuring that only good, valid TCP connections are made with the client. Answers A and C do not use the embryonic connection parameter and are therefore incorrect. |
| Question 7 | Which function does Mail Guard perform? -
A. It blocks POP3 mail requests. -
B. It prevents illegal mail commands from passing. -
C. It blocks all SMTP traffic. -
D. It allows all SMTP mail commands except the seven insecure commands. |
| A7: | Answer B is correct. Mail Guard is implemented using a fixup protocol command and allows only seven safe email commands through the PIX: DATA , HELO , MAIL , NOOP , QUIT , RCPT , and RSET . All other commands are considered illegal. Therefore, answers A, C, and D are incorrect. |
| Question 8 | After the embryonic connection limit is reached, what does the PIX do? -
A. It blocks all traffic to the specific internal host. -
B. It drops all new connections to the host. -
C. It sends TCP FIN requests to the incoming request. -
D. It performs TCP intercept for the host. |
| A8: | Answer D is correct. The embryonic limit setting is used to calculate the number of half-open connections to a host. When this limit is reached, the PIX performs a function called TCP intercept, in which the PIX attempts to complete the three-way handshake for any new requests to that host. If the handshake is valid, the connection is passed on to the host; otherwise , it is dropped. Therefore, answers A, B, and C are incorrect. |
| Question 9 | Which command enables fragmented packet protection? |
| A9: | Answer C is correct. The sysopt security fragguard command enables protection against receiving too many fragmented packets. Answers A, B, and D contain invalid commands and are therefore incorrect. |
| Question 10 | What does the Floodguard feature do? -
A. It prevents fragments from entering the PIX. -
B. It reclaims resources to handle more requests. -
C. It drops port flood requests. -
D. It prevents traffic from going too fast. |
| A10: | Answer B is correct. The AAA Floodguard reclaims resources from other services when too many requests are coming in for AAA services. Therefore, answers A, C, and D are incorrect. |
