Question 1 | A security policy addresses which of these problems? -
A. Management indifference. -
B. Contractor use. -
C. User software additions. -
D. Plans for a security incident. -
E. All of these are correct. |
Question 2 | Information assets include which of the following? (Choose two.) |
Question 3 | A security policy includes all of the following except |
Question 4 | Most threats are which of the following in origin? -
A. Remote -
B. External -
C. Local -
D. Internal |
Question 5 | Information assets are devices and their contents that are -
A. Organizational property in its control. -
B. Organizational property, including some of which is not in the organization's control. -
C. Small devices that interact with organizational property. -
D. Organizational property that interacts with outside devices. -
E. All of these are correct. |
Question 6 | Packet sniffers operate by -
A. Placing the NIC in promiscuous mode -
B. Placing the host in promiscuous mode -
C. Directing the nearest switch to enter promiscuous mode -
D. Copying all traffic from the nearest router or other Layer 3 device |
Question 7 | Data manipulation includes all but which of these? -
A. IP spoofing -
B. Repudiation -
C. Rerouting -
D. Replay -
E. Port redirection |
Question 8 | Cisco Discovery Protocol (CDP) operates at which layer? -
A. Layer 7 -
B. Layer 4 -
C. Layer 3 -
D. Layer 2 |
Question 9 | The default community string for a read-only (ro) SNMP community is what? -
A. admin -
B. cisco -
C. public -
D. private -
E. ietf |
Question 10 | Why is it important to use NTPv3? -
A. It encrypts the time message exchange. -
B. It authenticates the time message exchange. -
C. It authenticates and encrypts the time message exchange. -
D. It is more efficient. |
Question 11 | Which of these is a design objective or fundamental of the SAFE SMR Blueprint? -
A. Redundant security systems. -
B. All applications run with least privilege. -
C. Cost-effective deployment. -
D. Vendor consistency for interoperability. -
E. None of these is correct. |
Question 12 | Which of these is a design objective or fundamental of the SAFE SMR Blueprint? -
A. Maintain a balance between usability and security -
B. Intrusion detection for critical resources and subnets -
C. AAA must reside on a secured server -
D. Secured accounting of the use of all critical network resources |
Question 13 | Which of these is a design objective or fundamental of the SAFE SMR Blueprint? -
A. AAA must be performed by a secured server. -
B. Management protocols should always use the latest available fully tested version. -
C. Authentication and authorization of users and administrators to critical network resources. -
D. Network management must be secured at least as well as the critical server resources it protects. |
Question 14 | What is one reason why the SAFE Blueprints take a modular approach? -
A. To facilitate product consistency -
B. To facilitate application consistency -
C. To enable focus on correct product placement -
D. To enable focus on the security relationship between modules |
Question 15 | Which of these is a SAFE axiom? |
Question 16 | Which of these is a SAFE axiom? -
A. Hosts are the most likely source of infection. -
B. Users are the most likely source of infection. -
C. Network infections must be contained. -
D. Hosts are targets. |
Question 17 | Which of these is a SAFE axiom? -
A. Applications should always be fully patched. -
B. Application patches should be fully tested for interaction with other software known to be present in the system. -
C. Applications are targets. -
D. Application vulnerabilities are always serious. |
Question 18 | Which of these releases of the PIX software will support the VPN Accelerator Card? -
A. PIX OS v5.2(1) or later (with DES or 3DES license) -
B. PIX OS v5.3(1) or later (with DES or 3DES license) -
C. PIX OS v5.4(1) or later (with DES or 3DES license) -
D. PIX OS v6.0(1) or later (with DES or 3DES license) -
E. PIX OS v6.2(1) or later (with DES or 3DES license) |
Question 19 | The VPN hardware client is generally recommended when the number of tunnels to be terminated exceeds what value? |
Question 20 | A router terminating VPN tunnels performs at what level compared to a PIX firewall? -
A. About the same. -
B. Faster because the Firewall Feature Set is optimized for throughput. -
C. Slower because the router processes in software while the PIX processes in hardware. -
D. It depends on the QoS configuration. |
Question 21 | The NIDS classifies attacks according to which categories? (Choose two.) |
Question 22 | The Cisco Security Agent is managed via what system? -
A. NetRanger (NR). -
B. CiscoWorks VPN/Security Management Solution (VMS). -
C. CiscoSecure Control Console (CSCC). -
D. None of these is correct. |
Question 23 | Which module of the SAFE SMR Blueprint includes a Layer 3 switch? -
A. Medium Corporate Internet -
B. Small and medium Corporate Internet -
C. Medium Campus -
D. Small and medium Campus |
Question 24 | When the VPN software client is being used, split tunneling should be |
Question 25 | In the medium Corporate Internet module, the VPN concentrator is placed where? -
A. Between the firewall and the switch leading to the DMZ -
B. Between the firewall and the switch leading to the Campus module -
C. Between the firewall and the first NIDS -
D. Between the ingress router and the firewall |
Question 26 | Which of these is a design alternative in the small network Corporate Internet module? -
A. Adding a NIDS in front of the firewall at ingress. -
B. Adding a VPN concentrator. -
C. Adding a perimeter router in front of the firewall. -
D. All of these are correct. |
Question 27 | Which of these is a design alternative in the medium network's WAN module? -
A. Adding a firewall on ingress. -
B. Adding a VPN concentrator on ingress. -
C. Connecting the WAN ingress to the existing VPN concentrator in the Corporate Internet module. -
D. None of these is correct. |
Question 28 | Which of these is a design alternative in the medium network's Corporate Internet module? (Choose two.) -
A. Add a stateful firewall to the perimeter router's software image -
B. Add a HIDS monitor to the perimeter router -
C. Add a NIDS in front of the perimeter router -
D. Eliminate the perimeter router |
Question 29 | Which of these is a design alternative in the remote-user model? -
A. Use both a router and a stateful firewall for a small branch network. -
B. Add NIDS software to the software VPN client option. -
C. Enable split tunneling with the software VPN client option. -
D. All of these are correct. -
E. None of these is correct. |
Question 30 | What is a difference between the small network as a branch and the small network as a standalone network? |
Question 31 | What is a difference between the medium network as a branch and the medium network as a headend? (Choose two.) -
A. If a WAN link is used, the Corporate Internet module can be eliminated. -
B. If a WAN link is used, QoS and multiprotocol support are possible. -
C. If a WAN link is used, costs will be minimized. -
D. If a WAN link is used, local Internet access cannot be enabled. |
Question 32 | What is a difference between the medium network as a branch and the medium network as a headend? -
A. WAN link management is cheaper than that required for an IPSec tunnel. -
B. IPSec tunnels are subject to more attacks over the Internet portion of the data path. -
C. The easier management of a WAN link offsets its higher operating cost. -
D. The tunnel-termination device must be managed by a separate connection (not from the main tunnel). -
E. All of these are correct. |
Question 33 | URPF refers to what protective measure? -
A. Universal Remote Protective Function -
B. Unlimited Remote Protective Function -
C. Universal Reverse Path Forwarding -
D. Unicast Reverse Path Forwarding |
Question 34 | In Figure 13.1, to configure the perimeter router for NAT, which of these commands is not used (>> indicates a return, leading to the next prompt)? -
A. ip nat pool exam_1 192.168.12.3 192.168.12.3 255.255.255.0 -
B. ip nat inside source list 110 pool exam_1 -
C. interface s0 >> ip address 192.168.12.1 255.255.255.0 >> ip nat outside -
D. interface e0 >> ip address 172.18.24.1 255.255.255.0 >> ip nat inside -
E. ip nat inside source list 110 pool exam_1 overload |
Figure 13.1. Router-to-PIX tunnel with NAT on each end.
Question 35 | To configure a router for IPSec, using group 2, MD5, and preshared keys, which of the following commands is unnecessary? -
A. crypto isakmp policy 13 -
B. hash md5 -
C. group 2 -
D. authentication pre-share -
E. crypto isakmp key nitT4agM#0C2%5 address 192.168.47.2 -
F. None of these is correct. |
Question 36 | Which of these commands would correctly allow traffic from the router's inside network in Figure 13.2 to be encrypted for transit to the other network? -
A. access-list 113 permit 172.18.28.0 0.0.0.255 172.20.32.0 0.0.0.255 -
B. access-list 113 permit 172.18.24.0 0.0.0.255 172.20.42.0 0.0.0.255 -
C. access-list 13 permit 172.18.24.0 0.0.0.255 172.20.32.0 0.0.0.255 -
D. access-list 113 permit 172.18.24.0 0.0.0.255 172.20.32.0 0.0.0.255 -
E. None of these is correct. |
Figure 13.2. Router-to-PIX tunnel with NAT on each end.
Question 37 | Which of these is a valid IPSec command on the router? -
A. ipsec crypto transform-set exam esp-des esp-md5-hmac -
B. crypto ipsec transform-set exam esp-sha esp-md5-hmac -
C. crypto ipsec 113 transform-set exam esp-des esp-md5-hmac -
D. crypto ipsec transform-set exam esp-des esp-md5-hmac |
Question 38 | The VPN concentrator offers what additional encryption algorithm compared to a router or a PIX prior to PIX OS 6.3(1)? -
A. CBC -
B. CBS -
C. CEF -
D. CSP -
E. AES |
Question 39 | What is the maximum number of IKE proposals available to a VPN concentrator? -
A. 120, of which 80 can be active at any one time -
B. 128, of which 64 can be active at any one time -
C. 144, all of which can be active at any one time -
D. 150, all of which can be active at any one time -
E. 256, of which 128 can be active at any one time |
Question 40 | The VPN concentrator handles configuring many clients via the GUI using -
A. Configuration System Client Parameters Update, and click on Enable to access the check box to turn it on -
B. Configuration Client Update, and click on Enable to access the check box to turn it on -
C. Configuration System Client Update, and click on Enable to access the check box to turn it on -
D. Configuration System Client Update, and click on Force Client Update to access the check box to turn it on |
Question 41 | Which of the following will mitigate trust exploitation in the small network Corporate Internet module? -
A. Private VLANs on the DMZ servers -
B. HIDS on the DMZ servers -
C. Antivirus on the DMZ servers -
D. NIDS on the switch feeding the servers |
Question 42 | Which of the following will mitigate IP spoofing in the small network Corporate Internet module? (Choose two.) -
A. RFC 3427 filtering at the perimeter router -
B. RFC 2827 filtering at the perimeter router -
C. RFC 1918 filtering at the perimeter router -
D. RFC 3838 filtering at the ingress switch |
Question 43 | Which of the following will mitigate packet sniffing in the small network Corporate Internet module? |
Question 44 | Which of the following will mitigate application-layer attacks in the small network Corporate Internet module? -
A. Locked down systems and HIDS. -
B. Switched network architecture. -
C. Ingress filtering. -
D. None of these is correct. |
Question 45 | HIDS should be placed on which devices in the small network's Campus module? (Choose two.) |
Question 46 | A switched network architecture in the small network Campus module mitigates what threat? |
Question 47 | Port redirection can be mitigated in the medium network Corporate Internet module by which of these? |
Question 48 | Password attacks in the medium network Corporate Internet module can be mitigated by which of these methods? -
A. Switched network architecture. -
B. OS restrictions and HIDS detection. -
C. Protocol filtering. -
D. Private VLANs. -
E. None of these is correct. |
Question 49 | What security techniques mitigate network reconnaissance in the medium Corporate Internet module? (Choose two.) -
A. Switched network architecture -
B. Protocol filtering -
C. CAR at the ISP's edge router and TCP setup controls at network ingress -
D. Strong AAA controlling access -
E. NIDS |
Question 50 | RFC 2827 and RFC 1918 filtering at the medium network Corporate Internet module ingress mitigates what attack? |
Question 51 | HIDS protects against which of these attacks in the medium network Campus module? (Choose two.) |
Question 52 | The best protection against packet sniffers operating in the medium network Campus module is which of these? |
Question 53 | Antivirus software in the medium network Campus module protects against which of these? |
Question 54 | Trust exploitation in the medium network Campus module is best mitigated by which of these? |
Question 55 | The broadband access device in the remote-user model mitigates against which of these threats? -
A. Trust exploitation. -
B. Malware applications. -
C. Unauthorized access. -
D. Packet sniffers. -
E. Network reconnaissance. -
F. All of these are correct. -
G. None of these is correct. |
Question 56 | The hardware VPN client in the remote-user network performs which security functions? -
A. Tunnel termination and remote site authentication. -
B. Stateful and basic Layer 7 filtering. -
C. Host DoS mitigation. -
D. All of these are correct. -
E. None of these is correct. |
Question 57 | The router with a firewall and VPN in the remote-user network performs which security functions? -
A. Stateful packet filtering. -
B. Basic Layer 7 filtering. -
C. Host DoS mitigation. -
D. Remote site authentication. -
E. Terminate tunnels. -
F. All of these are correct. |
Question 58 | Unauthorized access in the remote-user network is mitigated by which of these? (Choose two.) |
Question 59 | Which of these mitigates IP spoofing in the remote-user network? |
Question 60 | What is the default SA lifetime on the PIX? -
A. 3,600 seconds (1 hour) -
B. 14,400 seconds (4 hours) -
C. 28,800 seconds (8 hours) -
D. 43,200 seconds (12 hours) -
E. 86,400 seconds (24 hours) |