Question 1 | Which of the following are primary threats to network security? (Choose all that apply.) -
A. Unstructured threat -
B. Structured threat -
C. External threat -
D. Internal threat -
E. Nonfilterable threat |
Question 2 | The need for network security is becoming more important due to which of the following reasons? (Choose all that apply.) -
A. The need for sending private data over public networks has become a norm. -
B. The need for secure communications between end-to-end networks is becoming important. -
C. The implementation of network security policy is becoming critical to implement secure infrastructures. |
Question 3 | Which of the following is true about IP spoofing? (Choose all that apply.) -
A. IP spoofing deals with the injection of malicious data. -
B. IP spoofing is implemented by changing routing tables. -
C. IP spoofing is used to disable accounts after unsuccessful logins. -
D. IP spoofing is implemented by using strong password policy. |
Question 4 | In which of the following ways can you mitigate the man-in-the-middle attack? -
A. Password policy -
B. Encryption -
C. OTP -
D. RFC 2827 filtering |
Question 5 | In which of the following ways can you mitigate application layer attacks? (Choose all that apply.) |
Question 6 | Which of the following mitigation techniques can you use against unauthorized access attacks? (Choose all that apply.) |
Question 7 | Which of the following are components of security policy? (Choose all that apply.) |
Question 8 | Which command can you use to ensure that all administrative interfaces stay active for a period of 5 minutes and 45 seconds only after the last session activity? -
A. Central(config-line)#timeout 5 45 -
B. Central(config-line)#exec-timeout 5 45 -
C. Central(config)#exec-timeout 5 45 -
D. Central#exec-timeout 5 45 |
Question 9 | Which of the following protocols can you use to communicate between the AAA security servers and an NAS? (Choose all that apply.) -
A. PPTP -
B. TACACS+ -
C. RADIUS -
D. EIGRP -
E. OSPF |
Question 10 | Which of the following statements is not true about PPP CHAP? (Choose all that apply.) -
A. Cleartext authentication. -
B. Challenges are repeated periodically. -
C. Strong against sniffing and replay attacks. -
D. Subject to eavesdropping. -
E. Uses MD5 hash. |
Question 11 | Which of the following commands enables AAA globally on the perimeter router? -
A. aaa new model -
B. aaa new-model -
C. enable aaa -
D. enable new-model |
Question 12 | Which of the following commands would you use if you want to authenticate to the AAA server simply to access resources on the IP network? (Choose all that apply.) -
A. aaa authentication arap -
B. aaa authentication enable -
C. aaa authentication login -
D. aaa authentication ppp -
E. aaa authentication nasi |
Question 13 | The debug aaa authorization command was issued and the following code segment was the output. What service is this user attempting to access?
    11:11:11: AAA/AUTHOR (0): user='examcramuser'
    11:11:11: AAA/AUTHOR (0): send AV service=shell
    11:11:11: AAA/AUTHOR (0): send AV cmd*
    11:11:11: AAA/AUTHOR (125485216): Method=RADIUS
    11:11:11: AAA/AUTHOR/TAC+ ((125485216): user= examcramuser
    11:11:11: AAA/AUTHOR/TAC+ ((125485216): send AV service=shell
    11:11:11: AAA/AUTHOR/TAC+ ((125485216): send AV cmd*
    11:11:12: AAA/AUTHOR ((125485216): Post authorization status = PASS -
A. ARAP -
B. ATALK -
C. LCP -
D. EXEC -
E. IPX |
Question 14 | CiscoSecure Access Control Server supports which of the following authentication protocols? (Choose all that apply.) -
A. PAP -
B. CHAP -
C. MS-CHAP -
D. LEAP -
E. EAP-CHAP -
F. EAP-TLS |
Question 15 | Which of the following CSACS services is the database manager that stores all database backups periodically? -
A. CSAdmin -
B. CSAuth -
C. CSTacacs -
D. CSLog -
E. CSDBSynch -
F. CSMonitor |
Question 16 | Which of the following commands allows you to access the CSACS server on a Windows 2000 machine? -
A. http://train.darktech.org:2000 -
B. http://train.darktech.org:2001 -
C. http://train.darktech.org:2002 -
D. http://train.darktech.org:2003 |
Question 17 | Which of the following is true about the following command?
    aaa new-model
    aaa authentication login default group tacacs+ enable
    aaa authentication login no_tacacs enable
    . . .
    line con 0
    login authentication no_tacacs -
A. no_tacacs is a method list. -
B. Console access will use the enable password as the password. -
C. Console access will use the enable password only when AAA is offline. -
D. no_tacacs is an access list. |
Question 18 | What is the correct command to configure an AAA authentication method list on a line? -
A. login aaa authentication QUE -
B. authentication login QUE -
C. aaa authentication login QUE -
D. authentication QUE -
E. login authentication QUE |
Question 19 | Which of the following commands on a Cisco router can you use to prevent a hacker from finding out which users are logged in to the network device? (Choose all that apply.) -
A. show cdp entry -
B. ip finger -
C. no ip finger -
D. no service finger |
Question 20 | Which of the following commands tells a router to respond to ICMP mask requests by sending ICMP mask replies containing the IP address of the interface? -
A. ip classless -
B. ip redirects -
C. ip mask reply -
D. ip source routing |
Question 21 | Which of the following commands allows you to mitigate common Smurf attacks? |
Question 22 | Which of the following commands would force the router to override all previously configured authentication methods on the VTY and CTY lines? -
A. aaa new-model -
B. aaa authentication login -
C. aaa authentication enable -
D. aaa authorization -
E. login authentication local |
Question 23 | The Kerberos protocol is based on the concept of a trusted third party to perform secure verification. What is this trusted third party called? -
A. Kerberos Certificate Agency -
B. Key Distribution Center -
C. Kerberos Certificate Center -
D. Kerberos Distribution Authority -
E. Key Distribution Authority |
Question 24 | Which of the following statements regarding Turbo ACLs is true? -
A. CPU load is fixed regardless of ACL size. -
B. Turbo ACLs compile ACLs into a set of lookup tables. -
C. Turbo ACLs are best used if ACL has more than 85 entries. -
D. The time that the router takes to match a packet is less with Turbo ACLs but depends upon the number of ACL entries. |
Question 25 | You want to configure your syslog server to log all debug messages. Which logging severity level must you enable to accomplish this task? |
Question 26 | Which of the following statements are true regarding CBAC? -
A. CBAC inspects packets entering the router. -
B. A state table is not maintained with session information. -
C. ACLs are dynamically created or deleted as needed. -
D. Unauthorized Layer 2 addresses are rejected by CBAC. -
E. CBAC filters TCP and UDP packets based on application layer protocol session information. |
Question 27 | You have configured CBAC and specified a block time of 0 using the ip inspect tcp max-incomplete command. Which of the following statements are true? -
A. The oldest existing half-open session for every new connection request is deleted. -
B. The newest existing half-open session for every new connection request is deleted. -
C. CBAC allows you to customize TCP and UDP port numbers. -
D. It is a default value. |
Question 28 | Which of the following commands defines a nonstandard port for CBAC inspection? -
A. R1(config)#ip-inspect ftp 8080 -
B. R1(config-if)#ip port-map tftp port 6969 -
C. R1(config)#ip inspect http port 8080 -
D. R1(config)#ip port-map http port 8080 |
Question 29 | Which of the following protocols does authentication proxy use? -
A. SMTP -
B. SNMP -
C. SSH -
D. HTTP -
E. FTP |
Question 30 | Which of the following statements is true regarding configuring ACLs in a user profile on a CSACS server when implementing authentication proxy? (Choose all that apply.) -
A. ACLs must use permit entries only. -
B. ACLs can use deny entries as exceptions. -
C. The source address must always be any. -
D. A priv-lvl of 16 must be set for all users. |
Question 31 | Which of the following commands can you use to verify whether a user was authenticated successfully through authentication proxy? -
A. clear ip auth proxy -
B. show ip auth-proxy cache -
C. show ip auth-proxy users -
D. show ip user auth-proxy |
Question 32 | Once IDS is configured on the Cisco router, what does Cisco recommend you do to terminate an attack? -
A. Drop and reset -
B. Reset and alarm -
C. Drop and alarm -
D. Alarm only -
E. Drop only |
Question 33 | Which of the following commands disables IDS on a Cisco 3600 series router? |
Question 34 | Which of the following statements are true about ESP? (Choose all that apply.) -
A. Provides data encryption -
B. Provides authentication -
C. Does not work with NAT -
D. Provides header authentication only |
Question 35 | Which of the following hash algorithms can you use to authenticate packet data? (Choose all that apply.) -
A. DES -
B. 3DES -
C. SHA-1 -
D. MD5 |
Question 36 | Which of the following commands changes the default UDP idle timeout settings to 60 seconds? -
A. ip inspect dns-timeout 60 -
B. ip inspect max-incomplete low 60 -
C. ip inspect udp idle-timeout 60 -
D. ip inspect max-incomplete high 60 |
Question 37 | What does the following command do? crypto isakmp key examcramrocks! address 10.1.1.1 -
A. Configures an IKE Phase 2 key for the router -
B. Defines the CA certificate to be used by the 10.1.1.1 peer -
C. Configures IPSec in manual mode -
D. Configures the preshared authentication key for 10.1.1.1 |
Question 38 | Analyze the following ip inspect statement:
    ip inspect name examcram http java-list 15
Which access list line permits Java applets from the IP address 30.10.0.1? -
A. access-list 15 permit host 30.10.0.1 -
B. access-list 15 permit udp host 10.16.2.2 any -
C. access-list 15 permit ip 30.10.0.0 0.0.0.255 any eq www -
D. access-list 15 permit 30.10.0.1 0.0.0.255 any eq http |
Question 39 | Which of the following protocols would you use to securely derive the shared secret between two peers? -
A. D-H -
B. DES -
C. AH -
D. ESP |
Question 40 | Which of the following commands do you use to apply an IPSec policy to the fa0/0 interface of the router? |
Question 41 | Which of the following RADIUS servers supports authentication proxy? (Choose all that apply.) -
A. CSACS for NT/2000 -
B. CSACS for UNIX -
C. Lucent -
D. TACACS+ |
Question 42 | Which of the following statements is true about crypto ipsec transform-set EXAMCRAM ah-md5-hmac? -
A. AH will be used with MD5 authentication. -
B. AH will be used with SHA-1 authentication. -
C. AH will be used with MD5 encryption. -
D. Only AH will be used. |
Question 43 | What is the significance of the command tacacs-server key examcramrocks!!? -
A. Enables local login on the router -
B. Enables EXEC login on the router -
C. Used for IPSec -
D. Used as a shared key between the NAS and AAA server |
Question 44 | Java inspection is configured correctly to allow only applets from a trusted WWW server. How will the Java inspection rule react if the applet is downloaded from an untrusted source via FTP? -
A. User authentication will be initiated. -
B. The applet will not be downloaded because it is not from a trusted source. -
C. The applet will be downloaded successfully. -
D. CBAC will terminate the FTP session and log the incident. |
Question 45 | Which of the following statements is true about IPSec security associations? -
A. SAs are required one per direction, per protected data pipe. -
B. SAs are required one per direction, per protocol, per protected data pipe. -
C. SAs are required one per protocol only. -
D. SAs are not required per protocol, per protected data pipe. |
Question 46 | What are some of the issues you can face when dealing with UDP? (Choose all that apply.) -
A. Guaranteed delivery makes UDP processor-intensive. -
B. No handshaking or sequencing allows for easy spoofing. -
C. UDP does not provide congestion management and avoidance. -
D. The UDP connection slot is never deleted from the connection table. -
E. The current state of the connection cannot be determined because there is no state machine. |
Question 47 | Which of the following thresholds does CBAC provide against denial-of-service attacks? (Choose all that apply.) -
A. The number of half-open sessions based on time -
B. The total number of half-open TCP or UDP sessions -
C. The number of fully open sessions based on time and session -
D. The number of half-open TCP-only sessions per host -
E. The total number of fully open UDP sessions only -
F. The number of fully open TCP sessions per host only |
Question 48 | What does deny mean in regard to crypto access lists on the Cisco IOS Firewall? -
A. Deny in a crypto ACL means drop packet. -
B. Deny in a crypto ACL means drop and reset packet. -
C. Deny in a crypto ACL means encrypt packet. -
D. Deny in a crypto ACL means do not encrypt packet. |
Question 49 | Which of the following are considered asymmetric algorithms? (Choose all that apply.) -
A. RSA -
B. DES -
C. SHA-1 -
D. Diffie-Hellman |
Question 50 | Which steps do you need to configure IKE parameters using preshared keys? (Choose all that apply.) |
Question 51 | The Diffie-Hellman algorithm occurs during which phase of an IPSec session? |
Question 52 | What does PAM stand for? -
A. Port-address mapping -
B. Port-allocation manipulation -
C. Port-to-application management -
D. Port-to-address mapping |
Question 53 | What is the intention of inspection rules in CBAC? -
A. Define what IP traffic is dropped -
B. Define what application layer protocols will be inspected using authentication proxy -
C. Define what IP traffic is permitted -
D. Define what application layer protocols will be inspected using CBAC |
Question 54 | Which of the following commands applies authentication proxy rules on your Cisco 3600 series router? -
A. R1(conf)#ip authentication-proxy AUTH-RULE -
B. R1#ip authentication-proxy MYAUTH -
C. R1(conf-auth)#enable ip authentication proxy -
D. R1(conf-if)#ip authentication-proxy auth-proxy |
Question 55 | What is true about authorization with AAA? -
A. Authorization is not supported on Cisco routers. -
B. Used to authenticate users. -
C. Used to track services users are accessing. -
D. Used to limit services available to users. |
Question 56 | What is antireplay? -
A. The receiver can authenticate the source of IPSec packets. -
B. The receiver authenticates packets to ensure that no alterations have been made. -
C. IPSec can detect and reject duplicate packets. -
D. The receiver can authenticate the source of the packet, guaranteeing the source of information. |
Question 57 | What is the minimum IOS version required for the Easy VPN Server features? -
A. 12.2(6)AY -
B. 12.1(4)T -
C. 12.1(4)AJ -
D. 12.2(8)T -
E. 12.2(8)AJ |
Question 58 | How do you edit a system-defined PAM mapping? |
Question 59 | What is true about Authentication Header? (Choose all that apply.) |
Question 60 | By default, how long will the IOS Firewall's authentication proxy service maintain dynamic ACL entries for an idle user? -
A. 90 seconds -
B. 8 minutes -
C. 15 minutes -
D. 45 minutes -
E. 60 minutes |
Question 61 | How are dynamic access-list entries saved in CBAC? -
A. They are not saved. -
B. copy run star -
C. copy dyna-acl start -
D. copy dyna-acl run |
Question 62 | Choose the correct combination of transforms that you can use in a transform set. (Choose all that apply.) -
A. Up to one ESP transform -
B. Up to two ESP transforms -
C. Up to one AH transform -
D. Up to two AH transforms -
E. Any combination of transforms is acceptable. |
Question 63 | What is true about XAUTH? -
A. Authentication of multiple IPSec peers with one command -
B. Autonegotiation of IPSec security associations with multiple peers -
C. User authentication using AAA -
D. Used to facilitate Reverse Route Injection |
Question 64 | A PAM table provides which of the following entries? (Choose all that apply.) -
A. User-defined -
B. Destination-specific -
C. Host-specific -
D. System-defined |
Question 65 | Which of the following features of Cisco Easy VPN enables Cisco devices to act as VPN headend devices in site-to-site or remote-access VPN environments where remote-office devices are using Easy VPN Remote implementation? -
A. Easy VPN Server-Client -
B. Easy VPN Client-Server -
C. Easy VPN Remote -
D. Easy VPN Server -
E. Easy VPN Management Station |
Question 66 | Which of the following commands would enable the Cisco IOS VPN gateway to send Dead Peer Detection packets? -
A. crypto keepalive isakmp -
B. crypto isakmp keepalive -
C. crypto ipsec dpd-keepalives -
D. crypto map dpd -
E. crypto ipsec transform-set dpd |
Question 67 | Router MC supports which of the following tunneling technologies? (Choose all that apply.) |
Question 68 | Which of the following is part of the default IKE policy on the Router MC? (Choose all that apply.) -
A. DES -
B. SHA-1 -
C. Preshared key -
D. D-H 1 -
E. RSA signatures |