CCNA Security
1. Which two characteristics apply to an intrusion prevention system (IPS)?
   - Cabled directly inline with the flow of the network traffic
   - Can drop traffic based on a set of rules
   Note: the dump's second answer, "runs in promiscuous mode", describes an IDS, which only sees a copy of the traffic and cannot drop packets on its own.

2. Which type of IPS can identify worms that are propagating in a network?
   - Anomaly-based IPS

3. Which statement about personal firewalls is true?
   - They can protect a system by denying probing requests.

4. While troubleshooting a site-to-site VPN, you issued the show crypto ipsec sa command. What does the given output show? (The output is not reproduced here.)
   - IPsec phase 2 is established between 10.1.1.1 and 10.1.1.5.

5. What security feature allows a private IP address to access the internet by translating it to a public address?
   - NAT

6. Which actions can a promiscuous IPS take to mitigate an attack?
   - Requesting connection blocking
   - Resetting the TCP connection
   - Requesting host blocking

7. When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops?
   - STP elects the root bridge.

8. What is the effect of the command crypto ipsec transform-set myset esp-md5-hmac esp-aes-256?
   - It merges authentication and encryption methods to protect traffic that matches an ACL.
   Note: this is the IPsec phase 2 transform set that a crypto map entry references; in IOS the AES-256 transform is written as esp-aes 256.

9. When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading?
   - Deny the connection inline.

10. Your security team has discovered a malicious program that has been harvesting the CEO's email messages and the company's user database for the last 6 months. What type of attack did your team discover?
   - Advanced persistent threat (APT)

11. Which Cisco Security Manager application collects information about device status and uses it to generate notifications and alerts?
   - Health and Performance Monitor

12. When users log in to the clientless SSL VPN using https://209.165.201.2/test, which group policy will be applied? (The referenced configuration is not reproduced here.)
   - Sales

13. Which type of PVLAN port allows hosts in the same VLAN to communicate directly with each other?
   - Community port (hosts in the same community VLAN can talk to each other and to promiscuous ports)

14. Which statement about Cisco ACS authentication and authorization is true?
   - ACS servers can be clustered to provide scalability.

15. Which option is the cloud-based security service from Cisco that provides URL filtering, web browsing content security, and roaming user protection?
   - Cloud Web Security

16. Which Firepower Management Center feature detects and blocks exploits and hack attempts?
   - Intrusion prevention
   Note: the dump lists Advanced Malware Protection, but AMP detects and blocks malware files; exploits and hack attempts are caught by the intrusion (IPS) policy.

17. Which of the following statements about access lists are true?
   - Extended access lists should be placed as near as possible to the source.
   - Standard access lists should be placed as near as possible to the destination.
   - Standard access lists filter on the source address.

18. How can you protect CDP from reconnaissance attacks?
   - Disable CDP on ports connected to endpoints.

19. Which TACACS+ server-authentication protocols are supported on Cisco ASA firewalls?
   - ASCII
   - PAP
   - MS-CHAPv1

20. What is true of an ASA in transparent mode?
   - It requires a management IP address.

21. What VPN feature allows traffic to exit the security appliance through the same interface it entered?
   - Hairpinning

22. A specific URL has been identified as containing malware. What action can you take to block users from accidentally visiting the URL and becoming infected with malware?
   - Enable URL filtering on the perimeter router and add the URLs you want to block to the router's local URL list.

23. What is a possible reason for the error message "router(config)#aaa server? % Unrecognized command"?
   - The router is a new device on which the aaa new-model command must be applied before continuing.

24. In which three ways does the RADIUS protocol differ from TACACS+?
   - RADIUS uses UDP to communicate with the NAS.
   - RADIUS encrypts only the password field in an authentication packet.
   - RADIUS authenticates and authorizes simultaneously, causing fewer packets to be transmitted.

25. What is an advantage of implementing a Trusted Platform Module for disk encryption?
   - It provides hardware authentication.

26. What mechanism does asymmetric cryptography use to secure data?
   - A public/private key pair

27. On which Cisco Configuration Professional screen do you enable AAA?
   - AAA Summary

28. Which statements about stateless firewalls are true?
   - They compare the 5-tuple of each incoming packet against configurable rules.
   - They cannot track connections.

29. Which Cisco product can help mitigate web-based attacks within a network?
   - Web Security Appliance

30. What is the purpose of a honeypot IPS?
   - To collect information about attacks

31. Which quantifiable item should you consider when your organization adopts new technology?
   - Exploits

32. Which two characteristics of symmetric encryption are true?
   - It is faster than asymmetric encryption.
   - It uses the same key to encrypt and decrypt traffic.

33. Which two characteristics of an application layer firewall are true?
   - Provides reverse proxy services
   - Provides protection for multiple applications

34. What is the transition order of STP states on a Layer 2 switch interface?
   - Blocking, listening, learning, forwarding, disabled
   Note: a port moves through blocking, then listening, then learning, then forwarding; disabled is an administrative state, not a step the port passes through.

35. How can you detect a false negative on an IPS?
   - Use a third-party system to perform penetration testing.

36. What is the effect of the given command sequence?
      crypto map mymap 20 match address 201
      access-list 201 permit ip 10.10.10.0 255.255.255.0 10.100.100.0 255.255.255.0
   - It defines IPsec policy for the traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.
   Note: IOS access lists take wildcard masks, so the working IOS form of the entry is access-list 201 permit ip 10.10.10.0 0.0.0.255 10.100.100.0 0.0.0.255; the subnet-mask form shown is what the ASA accepts.

37. How does a device on a network using ISE receive its digital certificate during the new-device registration process?
   - ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA server.

38. What is the actual IOS privilege level of user EXEC mode?
   - 1

39. Which countermeasures can mitigate ARP spoofing attacks?
   - DHCP snooping
   - Dynamic ARP Inspection

40. Which two statements about Telnet access to the ASA are true?
   - You may VPN to the lowest security interface to Telnet to an inside interface.
   - Best practice is to disable Telnet and use SSH.

41. Which wildcard mask is associated with a subnet mask of /27?
   - 0.0.0.31
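The wildcard arithmetic behind question 41, the wildcard-versus-subnet-mask point in question 36, and the stateless 5-tuple matching described in question 28 all fit in one small evaluator. The following is an added example written for this review, not code from the exam or from Cisco; the Rule and Packet model, the ACL contents and the sample packets are constructed test data, and the evaluator is a simplified model of IOS first-match behaviour.

```python
# Added example (not from the exam dump): IOS-style wildcard masks and a
# stateless, first-match 5-tuple ACL evaluator. The Rule/Packet model, the ACL
# contents and the sample packets are constructed test data.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MASK32 = 0xFFFFFFFF


def wildcard_from_prefix(prefix_len: int) -> str:
    """IOS wildcard mask for a /prefix_len network, e.g. /27 -> 0.0.0.31."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (MASK32 << (32 - prefix_len)) & MASK32
    return str(ipaddress.IPv4Address(subnet_mask ^ MASK32))


def wildcard_from_subnet_mask(mask: str) -> str:
    """The wildcard an IOS ACL expects for a dotted subnet mask (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ MASK32))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match the base address, a 1 bit is 'don't care'."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ MASK32
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an implicit deny ends the list, as in IOS.
    Stateless: every packet is judged on its own 5-tuple and nothing is remembered,
    so return traffic needs its own permit entry."""
    for r in acl:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, r.src, r.src_wc):
            continue
        if not wildcard_match(pkt.dst, r.dst, r.dst_wc):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"


# The crypto ACL from question 36, written the way IOS actually takes it
# (wildcard 0.0.0.255 rather than subnet mask 255.255.255.0).
ACL_201 = [
    Rule("permit", "ip",
         "10.10.10.0", wildcard_from_subnet_mask("255.255.255.0"),
         "10.100.100.0", wildcard_from_subnet_mask("255.255.255.0")),
]


def demo() -> dict:
    forward = Packet("tcp", "10.10.10.25", 51000, "10.100.100.7", 443)
    other_src = Packet("tcp", "10.10.11.25", 51000, "10.100.100.7", 443)
    reply = Packet("tcp", "10.100.100.7", 443, "10.10.10.25", 51000)
    return {
        "wildcard_for_/27": wildcard_from_prefix(27),
        "forward": evaluate(ACL_201, forward),      # permit
        "other_src": evaluate(ACL_201, other_src),  # deny: 10.10.11.0/24 is not in the ACL
        "reply": evaluate(ACL_201, reply),          # deny: stateless, no entry for the reverse direction
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "reply" case is the practical difference between an ACL and a stateful firewall: the ACL has no memory of the outbound connection, so the reverse direction has to be permitted explicitly (or handled by a stateful feature), which is exactly the limitation question 28 describes.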
42. Which statement correctly describes the function of a private VLAN?
   - A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains.

43. What are two ways to prevent eavesdropping when you perform device-management tasks?
   - Use an SSH connection.
   - Use SNMPv3.

44. When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops?
   - STP elects the root bridge.

45. When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading?
   - Deny the connection inline.

46. What features can protect the data plane?
   - ACLs
   - Antispoofing
   - DHCP snooping

47. Which feature filters CoPP packets?
   - Access control lists

48. Which accounting notices are used to send a failed authentication attempt record to an AAA server?
   - start-stop
   - stop-only

49. How many times was a read-only string used to attempt a write operation? (The referenced output is not reproduced here.)
   - 9

50. What is the effect of the send-lifetime local 23:59:00 31 December 2013 infinite command?
   - It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time on December 31, 2013 and to continue using the key indefinitely.
   Note: "transmitting the key" means using it to authenticate the packets the device sends; the key string itself never leaves the device, and the lifetime is only meaningful if the device clock is correct.
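To make the send-lifetime syntax of question 50 concrete, here is an added example (written for this review, not code from the exam or from Cisco) that parses the IOS lifetime forms and picks the key a router would sign with at a given time. The key IDs, key strings and dates are constructed; only the command format comes from the page, and the rule that the lowest-numbered valid key is used for sending reflects IOS key-chain behaviour.

```python
# Added example (not from the exam dump): parsing the send-lifetime syntax of
# question 50 and choosing the key a router would use at a given time. Key IDs,
# key strings and dates are constructed; only the command format is from the page.
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

TIME_FMT = "%H:%M:%S %d %B %Y"  # e.g. "23:59:00 31 December 2013"


def parse_lifetime(spec: str) -> Tuple[datetime, Optional[datetime]]:
    """Parse what follows 'send-lifetime local' (or 'accept-lifetime local'):
    <start> infinite | <start> <end> | <start> duration <seconds>.
    Returns (start, end); end is None for infinite."""
    tokens = spec.split()
    start = datetime.strptime(" ".join(tokens[:4]), TIME_FMT)
    rest = tokens[4:]
    if rest == ["infinite"]:
        return start, None
    if len(rest) == 2 and rest[0] == "duration":
        return start, start + timedelta(seconds=int(rest[1]))
    if len(rest) == 4:
        return start, datetime.strptime(" ".join(rest), TIME_FMT)
    raise ValueError(f"unrecognised lifetime: {spec!r}")


class Key:
    def __init__(self, key_id: int, key_string: str, send_lifetime: str) -> None:
        self.key_id = key_id
        self.key_string = key_string
        self.start, self.end = parse_lifetime(send_lifetime)

    def valid_for_sending(self, at: datetime) -> bool:
        return self.start <= at and (self.end is None or at < self.end)


def send_key(chain: List[Key], at: datetime) -> Optional[int]:
    """Key ID the router signs outgoing packets with: the lowest-numbered key whose
    send-lifetime covers 'at' (IOS behaviour), or None if no key is valid."""
    for key in sorted(chain, key=lambda k: k.key_id):
        if key.valid_for_sending(at):
            return key.key_id
    return None


# Constructed key chain with an overlap so the rollover from key 1 to key 2 has no gap.
CHAIN = [
    Key(1, "old-secret", "00:00:00 1 January 2013 00:00:00 7 January 2014"),
    Key(2, "new-secret", "23:59:00 31 December 2013 infinite"),
]


def demo() -> dict:
    return {
        "mid-2013": send_key(CHAIN, datetime(2013, 6, 1)),                  # 1
        "overlap (3 Jan 2014)": send_key(CHAIN, datetime(2014, 1, 3)),      # 1: lowest valid ID wins
        "after rollover": send_key(CHAIN, datetime(2014, 2, 1)),            # 2
        "clock never set (2010)": send_key(CHAIN, datetime(2010, 1, 1)),    # None: no valid key
    }


if __name__ == "__main__":
    for when, key_id in demo().items():
        print(f"{when}: key {key_id}")
```

The last case is the one that bites in practice: a router whose clock was never set (no NTP, no clock set) evaluates every lifetime against the wrong time, finds no valid key, and routing-protocol authentication fails even though the configuration is correct. On IOS, show key chain displays which keys are currently valid.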
51. Which type of social engineering attack uses normal telephone service as the attack vector?
   - Vishing

52. When a company puts a security policy in place, what is the effect on the company's business?
   - Minimizing risk

53. Which command verifies phase 1 of an IPsec VPN on a Cisco router?
   - show crypto isakmp sa

54. Which actions can a promiscuous IPS take to mitigate an attack?
   - Requesting connection blocking
   - Resetting the TCP connection
   - Requesting host blocking

55. Which of the following are features of IPsec transport mode?
   - IPsec transport mode is used between end stations.
   - IPsec transport mode supports unicast.
   - IPsec transport mode encrypts only the payload.

56. Which command should be used to enable AAA authentication to determine if a user can access the privileged command level?
   - aaa authentication enable default local

57. Which source port does IKE use when NAT has been detected between two VPN gateways?
   - UDP 4500

58. Which statement about Cisco ACS authentication and authorization is true?
   - ACS servers can be clustered to provide scalability.

59. Which statement provides the best definition of malware?
   - Malware is unwanted software that is harmful or destructive.

60. Which two events would cause the state table of a stateful firewall to be updated?
   - When a connection's timer has expired within the state table
   - When a connection is created
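Question 60 names the two events that change a stateful firewall's table, and question 69's "matching TCP connection" case later on depends on that table. The following is an added example written for this review, not code from the exam or from Cisco: a minimal connection table in which an entry is created on a new inside-to-outside connection and removed when its idle timer expires, so that reply traffic is permitted only while an entry exists. Addresses, ports and timeouts are constructed.

```python
# Added example (not from the exam dump): a minimal stateful connection table.
# It models the two update events from question 60 (entry created on a new
# connection, entry removed when its idle timer expires) and the "matching TCP
# connection" case from question 69. Addresses, ports and timeouts are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass
class Entry:
    created: float
    last_seen: float


def reverse(ft: FiveTuple) -> FiveTuple:
    """The 5-tuple of the reply direction."""
    proto, src, sport, dst, dport = ft
    return (proto, dst, dport, src, sport)


class StatefulFirewall:
    def __init__(self, idle_timeout: float = 300.0) -> None:
        self.idle_timeout = idle_timeout
        self.table: Dict[FiveTuple, Entry] = {}

    def expire(self, now: float) -> int:
        """State-table update 1: drop entries whose idle timer has expired."""
        dead = [k for k, e in self.table.items() if now - e.last_seen > self.idle_timeout]
        for k in dead:
            del self.table[k]
        return len(dead)

    def inspect(self, ft: FiveTuple, direction: str, now: float) -> str:
        """direction is 'inside' (trusted -> untrusted) or 'outside'.
        Packets that belong to a tracked connection, in either direction, are
        permitted; new connections are only accepted from the inside."""
        self.expire(now)
        for key in (ft, reverse(ft)):
            if key in self.table:
                self.table[key].last_seen = now
                return "permit (existing connection)"
        if direction == "inside":
            self.table[ft] = Entry(created=now, last_seen=now)  # update 2: connection created
            return "permit (new connection)"
        return "deny (no matching connection)"


def demo() -> List[str]:
    fw = StatefulFirewall(idle_timeout=60)
    client = ("tcp", "10.1.1.10", 40000, "203.0.113.5", 80)
    unsolicited = ("tcp", "198.51.100.9", 1234, "10.1.1.10", 40000)
    return [
        fw.inspect(client, "inside", now=0),              # creates the entry
        fw.inspect(reverse(client), "outside", now=1),    # reply matches the entry
        fw.inspect(unsolicited, "outside", now=2),        # no entry: dropped
        fw.inspect(reverse(client), "outside", now=100),  # idle > 60 s: entry expired, dropped
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

The fourth packet is the case administrators usually trip over: a reply that was legitimate a moment ago is dropped once the idle timer has removed the entry, which is why long-lived idle sessions need either keepalives or a longer timeout for that traffic class.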
61. Which address block is reserved for locally assigned unique local addresses?
   - FD00::/8

62. Which area represents the data center? (The exhibit is not included.)
   - A

63. What type of attack was the Stuxnet virus?
   - Cyber warfare

64. How does PEAP protect the EAP exchange?
   - It encrypts the exchange using the server certificate (the inner EAP method runs inside a TLS tunnel that the server's certificate authenticates).

65. In which type of attack does the attacker attempt to overload the CAM table on a switch so that the switch acts as a hub?
   - MAC flooding

66. Which sensor mode can deny attackers inline?
   - Inline IPS

67. Which option is the most effective placement of an IPS device within the infrastructure?
   - Inline, behind the internet router and firewall

68. For what reason would you configure multiple security contexts on the ASA firewall?
   - To separate different departments and business units.

69. In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations?
   - When a matching TCP connection is found
   - When matching ACL entries are configured
   - When matching NAT entries are configured

70. What is the primary purpose of a defined rule in an IPS?
   - To configure an event action that takes place when a signature is triggered

71. Which syslog severity level is level number 7?
   - Debugging

72. What is a valid implicit permit rule for traffic that is traversing the ASA firewall?
   - ARP in both directions is permitted in transparent mode only.

73. A network security administrator checks the ASA firewall NAT policy table with the show nat command. Which statement is false?
   - Translation in section 3 is used when a connection does not match any entries in the first two sections.

74. What is the Cisco preferred countermeasure to mitigate CAM overflows?
   - Dynamic port security

75. Which NAT type allows only objects or groups to reference an IP address?
   - Dynamic PAT

76. What VPN feature allows internet traffic and local LAN/WAN traffic to use the same network connection?
   - Split tunneling

77. Which two features do CoPP and CPPr use to protect the control plane?
   - QoS
   - Traffic classification
   Note: the dump says "data plane"; CoPP (Control Plane Policing) and CPPr (Control Plane Protection) police traffic destined to the control plane, which is what the two answers describe.

78. An attacker installed a rogue switch that sends superior BPDUs on your network. What is the possible result of this activity?
   - The switch could become the root bridge.
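Questions 7, 34 and 78 all come down to how the root bridge election works: the bridge with the lowest bridge ID (priority compared first, then MAC address) wins, and a "superior" BPDU is simply one advertising a lower root ID than the current one. The following is an added example written for this review, not code from the exam or from Cisco; the switch names, priorities and MAC addresses are constructed.

```python
# Added example (not from the exam dump): STP root bridge election for
# questions 7, 34 and 78. Bridge names, priorities and MAC addresses are constructed.
from dataclasses import dataclass
from typing import List, Tuple

# 802.1D port states a port passes through on its way to forwarding; "disabled"
# is an administrative state, not a step in this sequence.
STP_STATES = ("blocking", "listening", "learning", "forwarding")


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int  # 0..61440 in steps of 4096; the 802.1D default is 32768
    mac: str       # colon-separated hex

    def bridge_id(self) -> Tuple[int, int]:
        """Bridge ID as compared in BPDUs: priority first, then MAC; lower wins."""
        return (self.priority, int(self.mac.replace(":", ""), 16))


def elect_root(bridges: List[Bridge]) -> Bridge:
    """STP's first step: the bridge with the numerically lowest bridge ID becomes root."""
    if not bridges:
        raise ValueError("no bridges to elect from")
    return min(bridges, key=Bridge.bridge_id)


def is_superior(bpdu_root_id: Tuple[int, int], current_root_id: Tuple[int, int]) -> bool:
    """A BPDU advertising a lower root ID than the one currently known is 'superior'
    and causes every switch that hears it to re-run the election."""
    return bpdu_root_id < current_root_id


def demo() -> Tuple[str, str]:
    lan = [
        Bridge("SW1", 32768, "00:1a:2b:00:00:01"),
        Bridge("SW2", 32768, "00:1a:2b:00:00:02"),
        Bridge("SW3", 4096, "00:1a:2b:00:00:03"),  # the intended root: lowered priority
    ]
    root_before = elect_root(lan)
    rogue = Bridge("ROGUE", 0, "de:ad:be:ef:00:01")  # attacker advertises priority 0
    assert is_superior(rogue.bridge_id(), root_before.bridge_id())
    root_after = elect_root(lan + [rogue])
    return root_before.name, root_after.name


if __name__ == "__main__":
    before, after = demo()
    print(f"root before rogue switch: {before}; after: {after}")
```

Because priority 0 is the lowest value a bridge can advertise, lowering your own root's priority does not protect against this; the defence is to refuse superior BPDUs on ports where no switch should appear (BPDU guard on access ports, root guard on ports facing other switches), which is outside what this question set covers.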
79. What is the effect of this command sequence?
      crypto ikev1 policy 1
       encryption aes
       hash md5
       authentication pre-share
       group 2
       lifetime 14400
   - It configures IKE phase 1.

80. Which statements about smart tunnels on a Cisco firewall are true?
   - Smart tunnels can be used by clients that do not have administrator privileges.
   - Smart tunnels offer better performance than port forwarding.

81. In which three ways does the TACACS+ protocol differ from RADIUS?
   - TACACS+ uses TCP to communicate with the NAS.
   - TACACS+ can encrypt the entire packet body that is sent to the NAS.
   - TACACS+ supports per-command authorization.
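Questions 24 and 81 both turn on what each protocol hides on the wire. The following is an added example written for this review, not code from the exam, from Cisco or from any RADIUS/TACACS+ implementation: it implements the RFC 2865 User-Password hiding (only that attribute is XORed with an MD5-derived keystream; User-Name stays readable) and the RFC 8907 TACACS+ body obfuscation (the whole body after the 12-byte header is XORed with an MD5 pseudo-pad). The shared secret, user name, password, session ID and the TACACS+ body bytes are constructed test values.

```python
# Added example (not from the exam dump): the on-the-wire difference behind
# questions 24 and 81. RADIUS (RFC 2865) hides only the User-Password attribute
# with an MD5-derived keystream and leaves the rest of the packet readable;
# TACACS+ (RFC 8907) XORs the whole packet body with an MD5 pseudo-pad so that
# usernames, commands and arguments are hidden too. The shared secret, user
# name, password and session ID below are constructed test values.
import hashlib
import struct

BLOCK = 16  # MD5 digest size; RADIUS hides the password in 16-byte blocks


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def radius_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Access-Request (code 1) carrying User-Name (1, cleartext) and User-Password (2, hidden)."""
    attrs = radius_attr(1, user) + radius_attr(2, radius_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + authenticator + attrs


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_(n-1)), concatenated to the body length."""
    prefix = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the entire body with the pseudo-pad (the 12-byte header stays cleartext).
    Applying it twice restores the body. 0xC0 is major version 0xC, minor 0."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def demo() -> dict:
    secret = b"Sh@redSecret"            # constructed shared secret
    authenticator = bytes(range(16))    # a real NAS sends 16 random bytes here
    user, password = b"alice", b"Pa55w0rd!"
    pkt = build_access_request(user, password, secret, authenticator)
    # Offsets: 20-byte header, 7-byte User-Name attribute, 2-byte User-Password attribute header.
    hidden = pkt[20 + 7 + 2:]
    # Constructed stand-in for a TACACS+ authentication START body.
    tac_body = b"\x01\x00\x01\x01" + b"\x05\x06\x00\x00" + user + b"passwd"
    tac = tacacs_obfuscate(tac_body, session_id=0x12345678, key=secret)
    return {
        "radius_user_readable": user in pkt,
        "radius_password_readable": password in pkt,
        "radius_server_recovers": radius_reveal_password(hidden, secret, authenticator),
        "tacacs_user_readable": user in tac,
        "tacacs_server_recovers": tacacs_obfuscate(tac, 0x12345678, secret) == tac_body,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Neither scheme is real encryption: both are MD5 keystreams derived from a static shared secret, which is why RFC 8907 itself recommends running TACACS+ inside an encrypted transport and why RADIUS is normally carried over IPsec or RadSec (TLS) when it crosses untrusted networks. The exam distinction (password-only versus whole body, UDP/1812 versus TCP/49) is still the one to remember.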
82. Which two primary security concerns can you mitigate with a BYOD solution?
   - Compliance with applicable policies
   - Securing access to a trusted corporate network

83. Which statement about zone-based firewall configuration is true?
   - The zone must be configured before it can be assigned.

84. A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for Remote Desktop Protocol on the portal web page. Which action should you take to begin troubleshooting?
   - Ensure that the RDP plug-in is installed on the VPN gateway.

85. Which Sourcefire event action should you choose if you want to block only malicious traffic from a particular end user?
   - Allow with inspection

86. Which command is needed to enable SSH support on a Cisco router?
   - crypto key generate rsa

87. Which EAP method uses Protected Access Credentials?
   - EAP-FAST

88. What can the SMTP preprocessor in FirePOWER normalize?
   - It can extract and decode email attachments in client-to-server traffic.

89. If you change the native VLAN on the trunk port to an unused VLAN, what happens if an attacker attempts a double-tagging attack?
   - The VLAN hopping attack would be prevented.

90. Which type of address translation should be used when a Cisco ASA is in transparent mode?
   - Static NAT

91. What is a potential drawback to leaving VLAN 1 as the native VLAN?
   - It may be susceptible to a VLAN hopping attack.
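Questions 89 and 91 describe the same attack from two sides, and it is easiest to see at the byte level. The following is an added example written for this review, not code from the exam or from Cisco: it builds a double-tagged 802.1Q frame and pushes it through a simplified model of two switches joined by a trunk. MAC addresses, VLAN numbers and the payload are constructed, and the switch behaviour (an access port accepting an outer tag that equals its own VLAN, the native VLAN travelling untagged on the trunk) is the simplified model the classic attack description relies on.

```python
# Added example (not from the exam dump): a byte-level simulation of the 802.1Q
# double-tagging attack behind questions 89 and 91. Two switches connected by
# a trunk are modelled by three functions; MAC addresses, VLAN numbers and the
# payload are constructed. Native VLAN 1 lets the attacker's frame hop into VLAN
# 20; an unused native VLAN (999) keeps it in VLAN 1.
import struct
from typing import List, Optional, Tuple

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
ATTACKER_MAC = bytes.fromhex("02aaaaaaaaaa")
VICTIM_MAC = bytes.fromhex("02bbbbbbbbbb")


def build_frame(dst: bytes, src: bytes, vids: List[int], payload: bytes) -> bytes:
    """Ethernet II frame with zero or more 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ETH_P_IP) + payload


def parse_tags(frame: bytes) -> List[int]:
    """VIDs of all stacked 802.1Q tags, outermost first."""
    vids, i = [], 12
    while frame[i:i + 2] == struct.pack("!H", ETH_P_8021Q):
        vids.append(struct.unpack("!H", frame[i + 2:i + 4])[0] & 0x0FFF)
        i += 4
    return vids


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) + frame[12:]


def access_port_to_trunk(frame: bytes, access_vlan: int, native_vlan: int) -> Optional[bytes]:
    """Switch A. The frame arrives on an access port in access_vlan and is sent out
    the trunk. An outer tag equal to the access VLAN is accepted and consumed,
    which is the behaviour the attack relies on; any other tag is dropped. On
    trunk egress the native VLAN goes untagged, every other VLAN is tagged."""
    vids = parse_tags(frame)
    if vids:
        if vids[0] != access_vlan:
            return None
        frame = strip_outer_tag(frame)
    return frame if access_vlan == native_vlan else push_tag(frame, access_vlan)


def trunk_to_vlan(wire_frame: bytes, native_vlan: int) -> Tuple[int, bytes]:
    """Switch B classifies a frame received on the trunk: untagged means native
    VLAN, otherwise the outermost tag decides."""
    vids = parse_tags(wire_frame)
    if not vids:
        return native_vlan, wire_frame
    return vids[0], strip_outer_tag(wire_frame)


def run_attack(native_vlan: int, attacker_vlan: int = 1, target_vlan: int = 20) -> Optional[int]:
    """VLAN in which switch B delivers the attacker's double-tagged frame, or None if dropped."""
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [attacker_vlan, target_vlan], b"hop")
    on_wire = access_port_to_trunk(frame, access_vlan=attacker_vlan, native_vlan=native_vlan)
    if on_wire is None:
        return None
    vlan, _ = trunk_to_vlan(on_wire, native_vlan)
    return vlan


def demo() -> Tuple[Optional[int], Optional[int]]:
    return run_attack(native_vlan=1), run_attack(native_vlan=999)


if __name__ == "__main__":
    hopped, contained = demo()
    print(f"native VLAN 1: frame lands in VLAN {hopped}; native VLAN 999: frame stays in VLAN {contained}")
```

With native VLAN 1 the frame leaves switch A untagged (native), so its inner tag is the first thing switch B sees and the frame is delivered in VLAN 20. With native VLAN 999 switch A tags the frame with VLAN 1 on egress, switch B reads that tag, and the inner tag stays buried inside VLAN 1 traffic. The native VLAN must be one no access port belongs to; otherwise an attacker on a port in that VLAN can still craft the outer tag to match it.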
92. Which two commands are used to implement Resilient IOS configuration?
   - secure boot-image
   - secure boot-config
   Note: the dump writes "security boot-image"; the IOS commands are secure boot-image and secure boot-config.

93. Which feature filters CoPP packets?
   - Access control lists

94. You want to allow all of your company's users to access the Internet without allowing other web servers to collect the IP addresses of individual users. What two solutions can you use?
   - Configure a proxy server to hide users' local IP addresses.
   - Configure a firewall to use Port Address Translation.

95. What are two default Cisco IOS privilege levels?
   - 1
   - 15

96. Which statement about a PVLAN isolated port configured on a switch is true?
   - The isolated port can communicate only with promiscuous ports.

97. In which two situations should you use out-of-band management?
   - When a network device fails to forward packets
   - When you require ROMMON access

98. Referencing the CIA model, in which scenario is a hash-only function most appropriate?
   - Securing data at rest (integrity)

99. You have implemented a Sourcefire IPS and configured it to block certain addresses utilizing Security Intelligence IP address reputation. A user calls and is not able to access a certain IP address. What action can you take to allow the user access to the IP address?
   - Create a whitelist and add the appropriate IP address to allow the traffic.

100. What hash type does Cisco use to validate the integrity of downloaded images?
   - MD5

101. What is one requirement for locking a wired or wireless device from ISE?
   - The ISE agent must be installed on the device.

102. Which feature of the Cisco Email Security Appliance can mitigate the impact of snowshoe spam and sophisticated phishing attacks?
   - Contextual analysis

103. Which security zone is automatically defined by the system?
   - Self zone

104. Which three statements describe DHCP spoofing attacks?
   - They can modify traffic in transit.
   - They are used to perform man-in-the-middle attacks.
   - They use ARP poisoning.

105. Which two are valid types of VLANs using PVLANs?
   - Community VLAN
   - Isolated VLAN

106. Which tool can an attacker use to attempt a DDoS attack?
   - Botnet

107. Referencing the CIA model, in which scenario is a hash-only function most appropriate?
   - Securing data at rest (integrity)

108. What is the best way to confirm that AAA authentication is working properly?
   - Use the test aaa command.