| Question 1 | Which of the following are primary threats to network security? (Choose all that apply.) A. Unstructured threat B. Structured threat C. External threat D. Internal threat E. Non-filterable threat
|
| Question 2 | A _________ is classified as unauthorized discovery and mapping of systems, services, or vulnerabilities on a network. |
| Question 3 | Which of the following VPN network types is targeted toward mobile users and home telecommuters? A. Remote Access VPN B. Site-to-Site VPN C. Firewall-based VPNs D. Stateful VPNs
|
| Question 4 | Out of the box, which of the following VPN Concentrator models only support software encryption? (Choose all that apply.) A. 3005 B. 3015 C. 3030 D. 3060 E. 3080
|
| Question 5 | Which of the following models of VPN Concentrator support a maximum of 100 simultaneous sessions? (Choose all that apply.) A. 3005 B. 3015 C. 3030 D. 3060 E. 3080
|
| Question 6 | You have a 3005 VPN Concentrator running in an environment that supports both site-to-site VPNs as well as remote access VPNs. You have 36 branch offices that have site-to-site tunnels established to the Head Office 3005 Concentrator. What is the maximum number of remote access VPN tunnels that can now be established with this VPN 3005 Concentrator? A. 100 B. 73 C. 64 D. 93 E. 50
|
| Question 7 | To establish a site-to-site VPN tunnel between a PIX firewall and the VPN Concentrator you are required to be running release ___ software on the VPN concentrator and release ____ software on the PIX firewall. A. 2.5(2), 5.2 B. 3.0, 5,2 C. 2.5(2), 12.1 D. 5.2, 2.5(2)
|
| Question 8 | Which of the following statements are true about IPSec? (Choose all that apply.) A. IPSec operates at the transport layer. B. It can be used to authenticates IP packets. C. Provides data confidentiality. D. Data integrity. E. Origin authentication.
|
| Question 9 | Which key encryption methodology has each peer utilize the same key to encrypt and decrypt the data? A. Analog B. Symmetric C. Asymmetric D. Digital
|
| Question 10 | When utilizing RSA encryption, the remote tunnel endpoint decrypts data using its own _______ key. A. Public B. Private C. Authentication Header D. DES
|
| Question 11 | Which of the following Diffie-Hellman key exchange algorithms uses a key size of 1024 bits? A. Group 1 B. Group 2 C. Group 5 D. Group 7
|
| Question 12 | Which of the following Hashed Message Authentication Code (HMAC) algorithms use a 128-bit secret key? A. DES B. HMAC-MD5 C. 3DES D. HMAC-SHA-1
|
| Question 13 | Authentication Header (AH) provides which of the following benefits? (Choose all that apply.) A. Guarantees data integrity B. Provides origin authentication C. Provides data encryption D. Uses hashing algorithm E. Provides anti-replay mechanism
|
| Question 14 | Which of the following statements about ESP in tunnel mode are true? (Choose all that apply.) A. Original packet is protected. B. Original packet is not protected. C. ESP header and trailers are added to the encrypted payload. D. New IP header is appended to the front of the authenticated payload. E. New IP header is appended to the end of the authenticated payload.
|
| Question 15 | The purpose of the IKE phase 1 process is to negotiate IKE policy sets and it can be done in two different modes. Which of the following are the two modes of IKE phase 1 negotiation? A. Passive mode B. Aggressive mode C. Quick mode D. Main mode E. Primary mode
|
| Question 16 | Which of the following modes negotiate a shared IPSec transform set, establishes security associations, and derives shared secret keying material that is used for the IPSec security algorithms? A. Aggressive mode B. Main mode C. Quick mode D. Passive mode
|
| Question 17 | Which of the following parameters constitute the IPSec Security Association (SA)? (Choose all that apply.) |
| Question 18 | On a Cisco VPN Concentrator, VRRP (Virtual Router Redundancy Protocol) and load balancing can be performed at the same time. |
| Question 19 | How does a Cisco VPN Concentrator calculate load when load balancing is implemented? A. As an average of current active and inactive sessions divided by the maximum allowed connections B. As a percentage of current active sessions divided by the minimum allowed connections C. As a total of current inactive sessions divided by the maximum allowed connections D. As a percentage of current active sessions divided by the configured maximum allowed connections E. As a total of current active and inactive sessions divided by the maximum allowed connections
|
| Question 20 | The Cisco VPN Windows client offers support for firewall features that can be used to enhance security for Windows-based PCs running Cisco IPSec client release 3.5. What are the different modes that can be configured to provide firewall capability for a Cisco IPSec Client for Windows? (Choose all that apply.) |
| Question 21 | Which of the following features verify the presence of a firewall and report that information back to the Concentrator? |
| Question 22 | 
The Cisco VPN Concentrator can be configured via a CLI and a GUI. When you use the CLI to configure the VPN Concentrator, the terminal emulation software should be configured for which of the following settings? (Choose all that apply.) A. Data bits = 8 B. Speed = 11250 C. Stop Bits = 1 D. Parity = N E. Speed = 9600
|
| Question 23 | Which statement about Quick Configuration on a Cisco VPN Concentrator is not true? (Choose all that apply.) A. Quick configuration enables you to configure minimal parameters. B. Quick configuration can be run only once. C. Quick configuration can be run anytime by clicking on the Configuration | Quick Configuration submenu. D. You must reboot the VPN Concentrator to the factory default configuration to run Quick configuration again.
|
| Question 24 | 
When in Quick Configuration mode, which of the following parameters enable you to obtain the virtual IP address under the Configuration | Quick | Address Management window? (Choose all that apply.) A. Client Specified B. Per User C. DHCP D. Configured Pool
|
| Question 25 | When configuring external authentication using an NT domain, what required NT parameter has to be configured in the Domain Controller Name field under the Configuration | Quick | Authentication window? A. Fully qualified domain name B. IP Address of the domain controller C. Computer name D. Administrator password
|
| Question 26 | Which of the following attributes can be configured under the General tab in the Configuration | User Management | Groups | Modify Group window? |
| Question 27 | 
A Group Name password can range from a minimum of ___ characters to a maximum of ___ characters. A. 4, 32 B. 2, 24 C. 3, 16 D. 5, 8
|
| Question 28 | Which of the following fields under the General tab in the Configuration | User Management | Groups | Modify Group window determines the termination of a VPN connection if there is a configured period of connect time for the link? A. Access Hours B. Maximum Connect Time C. Maximum Login Field D. Idle Timeout
|
| Question 29 | 
Which of the following tabs under the Configuration | User Management | Groups | Modify Group | window enables you to configure specific Cisco clients and Microsoft clients, as well as the Common Client parameters? A. Identity B. General C. IPSec D. Client Config E. Client FW
|
| Question 30 | What are the various split tunneling parameters that can be configured under the Client Config tab of the Configuration | User Management | Groups | Modify Group window? (Choose all that apply.) A. Tunnel Everything B. Allow Networks in the List to Bypass the Network C. Do Not Tunnel Anything D. Only Tunnel Networks in List
|
| Question 31 | 
The Concentrator has been configured to tunnel everything except local LAN traffic, and the default VPN Client Local LAN network list has been applied to the SALES group. Which of the following statements hold true when members of the SALES group residing on the 172.31.100.x/24 connect to the VPN Concentrator residing on a 30.10.0.x/24 network by using the Software Client? (Choose all that apply.) A. The concentrator pushes down the network list to the Software Client. B. The network list that is pushed down is 0.0.0.0/0.0.0.0. C. The network list that is pushed down is 0.0.0.0/255.255.255.0. D. Local traffic is routed in clear text. E. Local traffic is encrypted and then routed through the concentrator.
|
| Question 32 | Which of the following features governs how a VPN software client resolves whether a DNS query packet has to be sent in clear text or encrypted and sent over the tunnel? A. Dynamic DNS B. Tunneled DNS C. Virtual DNS D. Split DNS
|
| Question 33 | Which of the following statements are true regarding Dynamic DNS? (Choose all that apply.) A. DDNS was supported prior to Release 3.6 software version. B. DDNS is supported from Release 3.6 software version. C. DDNS applies to software client connections when a DHCP server assigns an IP address to the software client. D. DDNS applies to software client connections when a local pool is used to assign IP addresses to the software client.
|
| Question 34 | Which of the following options under the Configuration | Interfaces | Ethernet2 | Public Interface IPSec Fragmentation Policy allows the Concentrator to encapsulate and then fragment packets that exceed the MTU setting before pushing them through the public interface? A. Do Not Fragment Prior to IPSec Encapsulation; Fragment Prior to Interface Transmission B. Fragment Prior to IPSec Encapsulation with Path MTU Discovery C. Fragment Prior to IPSec Encapsulation Without Path MTU Discovery D. Fragment Prior to IPSec Encapsulation; Fragment Prior to Interface Transmission
|
| Question 35 | 
Which of the statements are true regarding the Group Access Information found on the Authentication tab of the Software VPN Client? (Choose all that apply.) A. The group name should be the same as the group name configured on the Concentrator. B. The group name and password are case-sensitive. C. The group name is not case-sensitive but the password is case-sensitive. D. The password is the preshared key used in IKE Phase 1 negotiation.
|
| Question 36 | Which of the following files is used to create connection entries within the Cisco VPN Client VPN Dialer application? A. oem.ini B. vpnclient.ini C. vpnbuild.ini D. .pcf E. profile.ini
|
| Question 37 | Which of the following sections under the Monitor |Sessions window displays statistics on all users connecting to the VPN Concentrator using Cisco VPN Software Client? |
| Question 38 | Which of the following statements are true regarding digital signatures? (Choose all that apply.) A. They tie a message to sender's public key. B. They tie a message to sender's private key. C. The hash can be decrypted by sender's private key. D. The hash can be decrypted by sender's public key.
|
| Question 39 | Which of the following certificates is installed first on the VPN Concentrator? A. Identity certificate B. PKCS#7 C. PKCS#10 D. Root certificate
|
| Question 40 | Which of the following is not true about a hierarchical PKI model? A. Single root CA signs all certificates. B. Works well in large enterprise networks. C. Uses a tiered approach. D. Uses subordinate CA. E. Root CA is at the top of the hierarchy.
|
| Question 41 | 
Which of the following fields does the concentrator use as the group name when it uses PKCS#10 to create a certificate request message? |
| Question 42 | After the certificate is revoked or breached, which of the following fields on the X.509 certificate specifies the certificate number that is listed on the CRL? |
| Question 43 | Which of the following is not true about digital certificate validation? (Choose all that apply.) A. Based upon trust relationship. B. If A trusts B and B trusts C, then A should trust C. C. If A trusts B and B trusts C, then A should not trust C. D. Not based upon trust relationship.
|
| Question 44 | For the concentrator to participate in certificate exchange, a certificate needs to be loaded on the concentrator. Which of the following processes enable you to enroll with a CA by manually creating a PKCS#10 request file? |
| Question 45 | After CRL checking is enabled, in which phase of tunnel establishment does the concentrator verify the revocation status of the peer certificate? A. During IKE phase 1 B. During IKE phase 2 C. After IKE phase 2 D. Before IKE phase 1
|
| Question 46 | Which of the following protocols can be configured on the concentrator to retrieve the CRL if the primary CRL-DP is unavailable? (Choose all that apply.) A. HTTP B. LAPB C. LDAP D. LABPD E. FTP
|
| Question 47 | 
When configuring the Cisco VPN Unity Client for digital certificates in Certificate Manager, which of the following fields in the Enrollment Form must match the group name configured on the concentrator? A. Common Name B. Department C. Company D. IP Address E. Domain
|
| Question 48 | When configuring the network-based enrollment process on the Cisco VPN Client, which of the following steps should be followed when configuring the CA's network address? (Choose all that apply.) A. Configure the URL or network address of the CA server. B. Choose from pre-existing CA Server. C. Configure FQDN of the CA server. D. Configure IKE proposal on the CA server. E. Configure password if required.
|
| Question 49 | On a Cisco VPN Concentrator, which of the following firewall features can be used to enhance security on a Windows-based PC running the Cisco VPN Software Client? (Choose all that apply.) |
| Question 50 | Which firewall feature verifies whether a specific firewall is operational on the client PC after tunnel establishment? A. AYT B. Stateful Firewall C. CPP D. CIC
|
| Question 51 | After you have navigated to the Configuration | User Management | Groups | Modify window, under which tab do you configure the AYT, CIC, and CPP features? A. General B. HW Client C. Client FW D. PPTP/L2TP E. Client Config
|
| Question 52 | Which of the following statements are true when the default stateful firewall policy is loaded on CIC firewall? (Choose all that apply.) A. All outbound traffic that is not related to the inbound session is blocked. B. Allows DHCP traffic to pass through where inbound packets are allowed through specific holes in the stateful firewall. C. Allows ARP traffic to pass through where outbound packets are allowed through specific holes in the stateful firewall. D. Allows ARP traffic to pass through where inbound packets are allowed through specific holes in the stateful firewall. E. All inbound traffic that is not related to the outbound session is blocked.
|
| Question 53 | Which of the following are the steps required to build a custom CPP policy on a Cisco VPN Concentrator? (Choose all that apply.) A. Create rules to restrict traffic B. Define a new policy C. Assign the new rule to the new policy D. Assign the new policy to CPP E. Assign the new policy to the CIC
|
| Question 54 | In vpnclient.ini file, which of the following parameters is used to enable Auto-initiation? |
| Question 55 | Which of the following is true about the Management Sessions section in the Monitoring | Sessions window? A. Shows parameters and statistics for all active, remote access sessions. B. Shows parameters and statistics for all active, IPSec LAN-to-LAN sessions. C. Shows parameters and statistics for all active, administrator management sessions. D. Shows summary total for LAN-to-LAN, remote access, and management sessions.
|
| Question 56 | Which parameter under Configuration | System | Events | General window enables you to select the range of severity value to enter on the log? A. Severity to Console option B. Severity to Syslog option C. Severity to Log option D. Severity to Email option
|
| Question 57 | Which Concentrator window enables you to view the event log in real time? A. Monitoring | Statistics | NAT B. Monitoring | Statistics | Live Log C. Monitoring | Live Event Log D. Monitoring | Filterable Event Log
|
| Question 58 | Which of the following options can be used in the Monitoring | Filterable Event Log to filter and display the event log? (Choose all that apply.) A. Event Class option B. Severity option C. Client IP option D. Events/Page option
|
| Question 59 | Which administrator account on the VPN concentrator has view and read privileges only? A. admin B. config C. isp D. mis E. user
|
| Question 60 | When configuring a TACACS+ server for AAA authentication, what value would you put in the server port field if you want to use the default port number? |
| Question 61 | Which option would you choose if you want to reset a production VPN Concentrator back to the factory default? A. Reboot B. Save Active Configuration at the Time of Reboot C. Reboot Without Saving Active Configuration D. Reboot Ignoring the Configuration File
|
| Question 62 | To set up the client update feature on the Cisco VPN Concentrator, which of the following parameters need to be configured? (Choose all that apply.) A. Enable Client update B. Client Type C. Feature Set D. URL E. Version F. Revisions
|
| Question 63 | You have a speed of 1.544Mbps configured on your public interface of the Concentrator. The reserved bandwidth has been set to 64Kbps per connection. Which statements are true regarding bandwidth management? (Choose all that apply.) A. The first 24 connections are allocated a bandwidth of 64Kbps per connection. B. The 25th connection is allocated bandwidth from the remaining available bandwidth. C. The concentrator denies the 25th connection. D. The first connection reserves the 64Kbps bandwidth, plus the remainder of the bandwidth.
|
| Question 64 | Which of the following statements is true about configuring network extension mode on a Cisco 3002 HW Client? (Choose three.) A. Enable network extension mode on the concentrator B. Enable network extension mode on the HW Client C. Change IP address on the private interface of the HW Client to any address other than 192.168.10.1 D. Change IP address on the private interface of the HW Client to 192.168.10.1 E. By default, network extension mode is enabled on the HW Client
|
| Question 65 | 
Which of the following statements are true regarding Interactive unit authentication? (Choose all that apply.) A. Select or deselect Require Interactive Hardware Client Authentication to enable or disable interactive unit authentication. B. If selected, the HW Client does not save user password. C. If deselected, the HW Client supplies the username and password from memory. D. If deselected, the HW Client does not save the user password. E. If selected, the HW Client supplies the username and password from memory.
|
| Question 66 | Which tab enables you to configure Individual user authentication on the concentrator? A. Configuration | User Management | Groups | General tab B. Configuration | User Management |Groups | PPTP/L2TP tab C. Configuration | User Management |Groups | HW Client tab D. Configuration | User Management | Groups | Client Config tab
|
| Question 67 | Which of the following backup server options are offered to the HW and Unity Clients from the VPN 3000 Concentrator? (Choose all that apply.) |
| Question 68 | Which of the following steps are needed to configure load balancing on the VPN Concentrator? (Choose all that apply.) A. Add Virtual Cluster Agent capability on public interface B. Add Virtual Cluster Agent capability on private interface C. Configure concentrators in the cluster for load balancing D. Configure clients with virtual IP address of the cluster
|
| Question 69 | Which feature enables the concentrator to advertise the IP address of the VPN Client out to its private interface? A. Reverse Path Tunneling B. Interactive Unit Authentication C. Individual User Authentication D. Reverse Route Injection
|
| Question 70 | In which mode are the network routes advertised through the private interface, provided OSPF or outbound RIP is enabled on the private interface? |
| Question 71 | If you want to view update-specific information in the Monitoring | Filterable Event Log window on the Cisco HW Client, which event class would you choose? A. AUTH B. AUTHDBG C. AUTOUPDATE D. AUTHDECODE E. UPDATECLIENT
|
| Question 72 | Which of the following are true about configuring IPSec over UDP on a VPN Concentrator? (Choose all that apply.) A. IPSec over UDP is enabled by default. B. Enable IPSec over UDP by navigating to a specific group under Configuration | User Management | Groups window. C. Within the Client Config tab, select the IPSec over UDP check box. D. Choose default port number of 12000 for IPSec over UDP. E. Define a specific port number between 4001 to 49151.
|
| Question 73 | Which of the following are not true about an IPSec over TCP application? (Choose two.) A. IPSec over TCP must be enabled on both client and the concentrator. B. IPSec over TCP is a group parameter. C. IPSec over TCP is a global parameter. D. You can supply up to 10 comma-delimited port addresses in IPSec over TCP. E. You can supply up to 20 comma-delimited port addresses in IPSec over TCP.
|
| Question 74 | Which of the following ESP encryption options does the concentrator support? (Choose all that apply.) |
| Question 75 | Which of the following features dynamically discovers and continuously updates the private network addresses on each side of a LAN-to-LAN connection? |
