Taking the Test


Relax. Once you're sitting in front of the testing computer, there's nothing more you can do to increase your knowledge or preparation. Take a deep breath, stretch, and start reading that first question.

You don't need to rush, either. You have plenty of time to complete each question. Remember, in Cisco exams, you'll have to guess and move on. Both easy and difficult questions are intermixed throughout the test in random order. Don't spend too much time on a single question; if it takes you that long to get nowhere, it's time to guess and move on.

On an adaptive test, set a maximum time limit for questions, and watch your time on long or complex questions. If you hit your limit, it's time to guess and move on. Don't deprive yourself of the opportunity to see more questions by taking too long to puzzle over questions, unless you think you can figure out the answer. Otherwise, you're limiting your opportunities to pass.

That's it for pointers. Here are some questions for you to practice. Good luck!

Question 1

Which of the following are primary threats to network security? (Choose all that apply.)

  • A. Unstructured threat

  • B. Structured threat

  • C. External threat

  • D. Internal threat

  • E. Nonfilterable threat

Question 2

The need for network security is becoming more important due to which of the following reasons? (Choose all that apply.)

  • A. The need for sending private data over public networks has become a norm.

  • B. The need for secure communications between end-to-end networks is becoming important.

  • C. The implementation of network security policy is becoming critical to implement secure infrastructures.

Question 3

Which of the following is true about IP spoofing? (Choose all that apply.)

  • A. IP spoofing deals with the injection of malicious data.

  • B. IP spoofing is implemented by changing routing tables.

  • C. IP spoofing is used to disable accounts after unsuccessful logins.

  • D. IP spoofing is implemented by using strong password policy.

Question 4

In which of the following ways can you mitigate the man-in-the-middle attack?

  • A. Password policy

  • B. Encryption

  • C. OTP

  • D. RFC 2827 filtering

Question 5

Which of the following ways can you mitigate application layer attacks? (Choose all that apply.)

  • A. Vulnerability patching

  • B. Access control

  • C. Encryption

  • D. IDS

Question 6

Which of the following mitigation techniques can you use against unauthorized access attacks? (Choose all that apply.)

  • A. Prevent unauthorized attacks to pass through the firewall

  • B. Strict access control on network traffic

  • C. IDS

  • D. Encryption

Question 7

Which of the following are components of security policy? (Choose all that apply.)

  • A. Campus access policy

  • B. Remote access policy

  • C. Authentication policy

  • D. Internet access policy

Question 8

Which command can you use to ensure that all administrative interfaces stay active for a period of 5 minutes and 45 seconds only after the last session activity?

  • A. Central(config-line)#timeout 5 45

  • B. Central(config-line)#exec-timeout 5 45

  • C. Central(config)#exec-timeout 5 45

  • D. Central#exec-timeout 5 45

Question 9

Which of the following protocols can you use to communicate between the AAA security servers and an NAS? (Choose all that apply.)

  • A. PPTP

  • B. TACACS+

  • C. RADIUS

  • D. EIGRP

  • E. OSPF

Question 10

Which of the following statements is not true about PPP CHAP? (Choose all that apply.)

  • A. Cleartext authentication.

  • B. Challenges are repeated periodically.

  • C. Strong against sniffing and replay attacks.

  • D. Subject to eavesdropping.

  • E. Uses MD5 hash.

Question 11

Which of the following commands enables AAA globally on the perimeter router?

  • A. aaa new model

  • B. aaa new-model

  • C. enable aaa

  • D. enable new-model

Question 12

Which of the following commands would you use if you want to authenticate to the AAA server simply to access resources on the IP network? (Choose all that apply.)

  • A. aaa authentication arap

  • B. aaa authentication enable

  • C. aaa authentication login

  • D. aaa authentication ppp

  • E. aaa authentication nasi

Question 13

The debug aaa authorization command was issued and the following code segment was the output. What service is this user attempting to access?

 
 11:11:11: AAA/AUTHOR (0): user='examcramuser'
 11:11:11: AAA/AUTHOR (0): send AV service=shell
 11:11:11: AAA/AUTHOR (0): send AV cmd*
 11:11:11: AAA/AUTHOR (125485216): Method=RADIUS
 11:11:11: AAA/AUTHOR/TAC+ ((125485216): user= examcramuser
 11:11:11: AAA/AUTHOR/TAC+ ((125485216): send AV service=shell
 11:11:11: AAA/AUTHOR/TAC+ ((125485216): send AV cmd*
 11:11:12: AAA/AUTHOR ((125485216): Post authorization status = PASS

  • A. ARAP

  • B. ATALK

  • C. LCP

  • D. EXEC

  • E. IPX

Question 14

CiscoSecure Access Control Server supports which of the following authentication protocols? (Choose all that apply.)

  • A. PAP

  • B. CHAP

  • C. MS-CHAP

  • D. LEAP

  • E. EAP-CHAP

  • F. EAP-TLS

Question 15

Which of the following CSACS services is the database manager that stores all database backups periodically?

  • A. CSAdmin

  • B. CSAuth

  • C. CSTacacs

  • D. CSLog

  • E. CSDBSynch

  • F. CSMonitor

Question 16

Which of the following commands allows you to access the CSACS server on a Windows 2000 machine?

  • A. http://train.darktech.org:2000

  • B. http://train.darktech.org:2001

  • C. http://train.darktech.org:2002

  • D. http://train.darktech.org:2003

Question 17

Which of the following is true about the following command?

 
 aaa new-model
 aaa authentication login default group tacacs+ enable
 aaa authentication login no_tacacs enable
 . . .
 line con 0
 login authentication no_tacacs

  • A. no_tacacs is a method list.

  • B. Console access will use the enable password as the password.

  • C. Console access will use the enable password only when AAA is offline.

  • D. no_tacacs is an access list.

Question 18

What is the correct command to configure an AAA authentication method list on a line?

  • A. login aaa authentication QUE

  • B. authentication login QUE

  • C. aaa authentication login QUE

  • D. authentication QUE

  • E. login authentication QUE

Question 19

Which of the following commands on a Cisco router can you use to prevent a hacker from finding out which users are logged in to the network device? (Choose all that apply.)

  • A. show cdp entry

  • B. ip finger

  • C. no ip finger

  • D. no service finger

Question 20

Which of the following commands tells a router to respond to ICMP mask request by sending the ICMP mask replies containing the IP address of the interface?

  • A. ip classless

  • B. ip redirects

  • C. ip mask reply

  • D. ip source routing

Question 21

Which of the following commands allows you to mitigate common Smurf attacks?

  • A. no ip classless

  • B. no ip redirects

  • C. no ip directed-broadcast

  • D. no ip source routing

Question 22

Which of the following commands would force the router to override all previously configured authentication methods on the VTY and CTY lines?

  • A. aaa new-model

  • B. aaa authentication login

  • C. aaa authentication enable

  • D. aaa authorization

  • E. login authentication local

Question 23

The Kerberos protocol is based on the concept of a trusted third party to perform secure verification. What is this trusted third party called?

  • A. Kerberos Certificate Agency

  • B. Key Distribution Center

  • C. Kerberos Certificate Center

  • D. Kerberos Distribution Authority

  • E. Key Distribution Authority

Question 24

Which of the following statements regarding Turbo ACLs is true?

  • A. CPU load is fixed regardless of ACL size.

  • B. Turbo ACLs compile ACLs into a set of lookup tables.

  • C. Turbo ACLs are best used if ACL has more than 85 entries.

  • D. The time that the router takes to match a packet is less with Turbo ACLs but depends upon the number of ACL entries.

Question 25

You want to configure your syslog server to log all debug messages. Which logging severity level must you enable to accomplish this task?

  • A. 3

  • B. 4

  • C. 5

  • D. 6

  • E. 7

Question 26

Which of the following statements are true regarding CBAC?

  • A. CBAC inspects packets entering the router.

  • B. A state table is not maintained with session information.

  • C. ACLs are dynamically created or deleted as needed.

  • D. Unauthorized Layer 2 addresses are rejected by CBAC.

  • E. CBAC filters TCP and UDP packets based on application layer protocol session information.

Question 27

You have configured CBAC and specified a block time of 0 using the ip inspect tcp max-incomplete command. Which of the following statements are true?

  • A. The oldest existing half-open session for every new connection request is deleted.

  • B. The newest existing half-open session for every new connection request is deleted.

  • C. CBAC allows you to customize TCP and UDP port numbers.

  • D. It is a default value.

Question 28

Which of the following commands defines a nonstandard port for CBAC inspection?

  • A. R1(config)#ip-inspect ftp 8080

  • B. R1(config-if)#ip port-map tftp port 6969

  • C. R1(config)#ip inspect http port 8080

  • D. R1(config)#ip port-map http port 8080

Question 29

Which of the following protocols does authentication proxy use?

  • A. SMTP

  • B. SNMP

  • C. SSH

  • D. HTTP

  • E. FTP

Question 30

Which of the following statements is true regarding configuring ACLs in a user profile on a CSACS server when implementing authentication proxy? (Choose all that apply.)

  • A. ACLs must use permit entries only.

  • B. ACLs can use deny entries as exceptions.

  • C. The source address must always be any.

  • D. A priv-lvl of 16 must be set for all users.

Question 31

Which of the following commands can you use to verify whether a user was authenticated successfully through authentication proxy?

  • A. clear ip auth proxy

  • B. show ip auth-proxy cache

  • C. show ip auth-proxy users

  • D. show ip user auth-proxy

Question 32

Once IDS is configured on the Cisco router, what does Cisco recommend you do to terminate an attack?

  • A. Drop and reset

  • B. Reset and alarm

  • C. Drop and alarm

  • D. Alarm only

  • E. Drop only

Question 33

Which of the following commands disables IDS on a Cisco 3600 series router?

  • A. no ip audit

  • B. no ip audit all

  • C. no ip ids config

  • D. no ids run

  • E. clear ip audit configuration

Question 34

Which of the following statements are true about ESP? (Choose all that apply.)

  • A. Provides data encryption

  • B. Provides authentication

  • C. Does not work with NAT

  • D. Provides header authentication only

Question 35

Which of the following hash algorithms can you use to authenticate packet data? (Choose all that apply.)

  • A. DES

  • B. 3DES

  • C. SHA-1

  • D. MD5

Question 36

Which of the following commands changes the default UDP idle timeout settings to 60 seconds?

  • A. ip inspect dns-timeout 60

  • B. ip inspect max-incomplete low 60

  • C. ip inspect udp idle-timeout 60

  • D. ip inspect max-incomplete high 60

Question 37

What does the following command do?

 
 crypto isakmp key examcramrocks! address 10.1.1.1 
  • A. Configures an IKE Phase 2 key for the router

  • B. Defines the CA certificate to be used by the 10.1.1.1 peer

  • C. Configures IPSec in manual mode

  • D. Configures the preshared authentication key for 10.1.1.1

Question 38

Analyze the following ip inspect statement:

 
 ip inspect name examcram http java-list 15 

Which access list line permits Java applets from the IP address 30.10.0.1?

  • A. access-list 15 permit host 30.10.0.1

  • B. access-list 15 permit udp host 10.16.2.2 any

  • C. access-list 15 permit ip 30.10.0.0 0.0.0.255 any eq www

  • D. access-list 15 permit 30.10.0.1 0.0.0.255 any eq http

Question 39

Which of the following protocols would you use to securely derive the shared secret between two peers?

  • A. D-H

  • B. DES

  • C. AH

  • D. ESP

Question 40

Which of the following commands do you use to apply an IPSec policy to the fa0/0 interface of the router?

  • A. crypto map

  • B. prefix-list

  • C. ip access-group

  • D. crypto ipsec transform-set

Question 41

Which of the following RADIUS servers supports authentication proxy? (Choose all that apply.)

  • A. CSACS for NT/2000

  • B. CSACS for UNIX

  • C. Lucent

  • D. TACACS+

Question 42

Which of the following statements is true about crypto ipsec transform-set EXAMCRAM ah-md5-hmac ?

  • A. AH will be used with MD5 authentication.

  • B. AH will be used with SHA-1 authentication.

  • C. AH will be used with MD5 encryption.

  • D. Only AH will be used.

Question 43

What is the significance of the command tacacs-server key examcramrocks!! ?

  • A. Enables local login on the router

  • B. Enables EXEC login on the router

  • C. Used for IPSec

  • D. Used as a shared key between the NAS and AAA server

Question 44

Java inspection is configured correctly to allow only applets from a trusted WWW server. How will the Java inspection rule react if the applet is downloaded from an untrusted source via FTP?

  • A. User authentication will be initiated.

  • B. The applet will not be downloaded because it is not from a trusted source.

  • C. The applet will be downloaded successfully.

  • D. CBAC will terminate the FTP session and log the incident.

Question 45

Which of the following statements is true about IPSec security associations?

  • A. SAs are required one per direction, per protected data pipe.

  • B. SAs are required one per direction, per protocol, per protected data pipe.

  • C. SAs are required one per protocol only.

  • D. SAs are not required per protocol, per protected data pipe.

Question 46

What are some of the issues you can face when dealing with UDP? (Choose all that apply.)

  • A. Guaranteed delivery makes UDP processor-intensive.

  • B. No handshaking or sequencing allows for easy spoofing.

  • C. UDP does not provide congestion management and avoidance.

  • D. The UDP connection slot is never deleted from the connection table.

  • E. The current state of the connection cannot be determined because there is no state machine.

Question 47

Which of the following thresholds does CBAC provide against denial-of-service attacks? (Choose all that apply.)

  • A. The number of half-open sessions based on time

  • B. The total number of half-open TCP or UDP sessions

  • C. The number of fully open sessions based on time and session

  • D. The number of half-open TCP-only sessions per host

  • E. The total number of fully open UDP sessions only

  • F. The number of fully open TCP sessions per host only

Question 48

What does deny mean in regard to crypto access lists on the Cisco IOS Firewall?

  • A. Deny in a crypto ACL means drop packet.

  • B. Deny in a crypto ACL means drop and reset packet.

  • C. Deny in a crypto ACL means encrypt packet.

  • D. Deny in a crypto ACL means do not encrypt packet.

Question 49

Which of the following are considered asymmetric algorithms? (Choose all that apply.)

  • A. RSA

  • B. DES

  • C. SHA-1

  • D. Diffie-Hellman

Question 50

Which steps do you need to configure IKE parameters using preshared keys? (Choose all that apply.)

  • A. Test the VPN.

  • B. Apply a crypto map.

  • C. Enable IKE.

  • D. Verify IKE Phase 1.

  • E. Configure IKE policy.

  • F. Configure the preshared key.

Question 51

The Diffie-Hellman algorithm occurs during which phase of an IPSec session?

  • A. IKE Phase 1

  • B. IKE Phase 2

  • C. After IKE Phase 1 and before IKE Phase 2

  • D. Before IKE Phase 1

Question 52

What does PAM stand for?

  • A. Port-address mapping

  • B. Port-allocation manipulation

  • C. Port-to-application management

  • D. Port-to-address mapping

Question 53

What is the intention of inspection rules in CBAC?

  • A. Define what IP traffic is dropped

  • B. Define what application layer protocols will be inspected using authentication proxy

  • C. Define what IP traffic is permitted

  • D. Define what application layer protocols will be inspected using CBAC

Question 54

Which of the following commands applies authentication proxy rules on your Cisco 3600 series router?

  • A. R1(conf)#ip authentication-proxy AUTH-RULE

  • B. R1#ip authentication-proxy MYAUTH

  • C. R1(conf-auth)#enable ip authentication proxy

  • D. R1(conf-if)#ip authentication-proxy auth-proxy

Question 55

What is true about authorization with AAA?

  • A. Authorization is not supported on Cisco routers.

  • B. Used to authenticate users.

  • C. Used to track services users are accessing.

  • D. Used to limit services available to users.

Question 56

What is antireplay?

  • A. The receiver can authenticate the source of IPSec packets.

  • B. The receiver authenticates packets to ensure that no alterations have been made.

  • C. IPSec can detect and reject duplicate packets.

  • D. The receiver can authenticate the source of the packet, guaranteeing the source of information.

Question 57

What is the minimum IOS version required for the Easy VPN Server features?

  • A. 12.2(6)AY

  • B. 12.1(4)T

  • C. 12.1(4)AJ

  • D. 12.2(8)T

  • E. 12.2(8)AJ

Question 58

How do you edit a system-defined PAM mapping?

  • A. ip pam 80

  • B. System-defined mappings cannot be changed.

  • C. ip port-map 21

  • D. ip port-map port 69

Question 59

What is true about Authentication Header? (Choose all that apply.)

  • A. Encrypts data payload

  • B. Authenticates data

  • C. Provides integrity of IP packets

  • D. Provides antireplay protection

Question 60

By default, how long will the IOS Firewall's authentication proxy service maintain dynamic ACL entries for an idle user?

  • A. 90 seconds

  • B. 8 minutes

  • C. 15 minutes

  • D. 45 minutes

  • E. 60 minutes

Question 61

How are dynamic access-list entries saved in CBAC?

  • A. They are not saved.

  • B. copy run star

  • C. copy dyna-acl start

  • D. copy dyna-acl run

Question 62

Choose the correct combination of transforms that you can use in a transform set. (Choose all that apply.)

  • A. Up to one ESP transform

  • B. Up to two ESP transforms

  • C. Up to one AH transform

  • D. Up to two AH transforms

  • E. Any combination of transforms is acceptable.

Question 63

What is true about XAUTH?

  • A. Authentication of multiple IPSec peers with one command

  • B. Autonegotiation of IPSec security associations with multiple peers

  • C. User authentication using AAA

  • D. Used to facilitate Reverse Route Injection

Question 64

A PAM table provides which of the following entries? (Choose all that apply.)

  • A. User-defined

  • B. Destination-specific

  • C. Host-specific

  • D. System-defined

Question 65

Which of the following features of Cisco Easy VPN enables Cisco devices to act as VPN headend devices in site-to-site or remote-access VPN environments where remote-office devices are using Easy VPN Remote implementation?

  • A. Easy VPN Server-Client

  • B. Easy VPN Client-Server

  • C. Easy VPN Remote

  • D. Easy VPN Server

  • E. Easy VPN Management Station

Question 66

Which of the following commands would enable the Cisco IOS VPN gateway to send Dead Peer Detection packets?

  • A. crypto keepalive isakmp

  • B. crypto isakmp keepalive

  • C. crypto ipsec dpd-keepalives

  • D. crypto map dpd

  • E. crypto ipsec transform-set dpd

Question 67

Router MC supports which of the following tunneling technologies? (Choose all that apply.)

  • A. IPSec

  • B. L2TP over IPSec

  • C. IPSec with GRE

  • D. IPSec with GRE over Frame Relay

  • E. PPTP over GRE

Question 68

Which of the following is part of the default IKE policy on the Router MC? (Choose all that apply.)

  • A. DES

  • B. SHA-1

  • C. Preshared key

  • D. D-H 1

  • E. RSA signatures




CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud