CCNA Security Final Exam (2nd Half)

1.

1 point

What is the purpose of a local username database if multiple ACS servers are configured to provide authentication services?

Clients using internet services are authenticated by ACS servers, whereas local clients are authenticated through a local username database.

A local username database is required when creating a method list for the default login.

Each ACS server must be configured with a local username database in order to provide authentication services.

A local username database provides redundancy if ACS servers become unreachable. [adef]

2.

1 point

What are two reasons to enable OSPF routing protocol authentication on a network? (Choose two.)

to ensure more efficient routing

to prevent redirection of data traffic to an insecure link

to prevent data traffic from being redirected and then discarded

to provide data security through encryption

to ensure faster network convergence

3.

1 point

Which two end points can be on the other side of an ASA site-to-site VPN configured using ASDM? (Choose two.)

ISR router

DSL switch

another ASA

multilayer switch

Frame Relay switch

4.

1 point

What is a feature of the TACACS+ protocol?

It combines authentication and authorization as one process.

It utilizes UDP to provide more efficient packet transfer.

It hides passwords during transmission using PAP and sends the rest of the packet in plaintext.

It encrypts the entire body of the packet for more secure communications.

5.

1 point

Which network security tool allows an administrator to test and detect weak passwords?

L0phtcrack

Metasploit

Tripwire

Nessus

6.

1 point

Which statement describes a characteristic of the Security Device Event Exchange (SDEE) feature supported by the Cisco IOS IPS?

SDEE notification is disabled by default. It starts receiving and processing events from the Cisco IOS IPS as soon as an attack signature is detected.

SDEE notification is disabled by default. It does not receive and process events from the Cisco IOS IPS unless SDEE notification is enabled.

SDEE notification is enabled by default. It receives and processes events from the Cisco IOS IPS and sends them to a syslog server.

SDEE notification is enabled by default. It receives and processes events from the Cisco IOS IPS and stores them in a buffer.

7.

1 point

Refer to the exhibit. Based on the security levels of the interfaces on ASA1, what traffic will be allowed on the interfaces?

Traffic from the Internet can access both the DMZ and the LAN.

Traffic from the LAN and DMZ can access the Internet.

Traffic from the Internet and LAN can access the DMZ.

Traffic from the Internet and DMZ can access the LAN.

8.

1 point

What represents a best practice concerning discovery protocols such as CDP and LLDP on network devices?

Use the open standard LLDP rather than CDP.

Disable both protocols on all interfaces where they are not required.

Enable CDP on edge devices, and enable LLDP on interior devices.

Use the default router settings for CDP and LLDP.

9.

1 point

What is a characteristic of most modern viruses?

They replicate themselves and locate new targets.

Email viruses are the most common type of them.

They are usually found attached to online games.

They are responsible for some of the most destructive internet attacks.

10.

1 point

If a network administrator wants to track the usage of FTP services, which keyword or keywords should be added to the aaa accounting command?

network

connection

exec default

exec

11.

1 point

In which two instances will traffic be denied as it crosses the ASA 5505 device? (Choose two.)

traffic originating from the outside network going to the DMZ network

traffic originating from the inside network going to the outside network

traffic originating from the inside network going to the DMZ network

traffic originating from the outside network going to the inside network

traffic originating from the DMZ network going to the inside network

12.

1 point

A company deploys a hub-and-spoke VPN topology where the security appliance is the hub and the remote VPN networks are the spokes. Which VPN method should be used in order for one spoke to communicate with another spoke through the single public interface of the security appliance?

split tunneling

GRE

MPLS

Hairpinning

13.

1 point

Why is hashing cryptographically stronger compared to a cyclical redundancy check (CRC)?

Hashing always uses a 128-bit digest, whereas a CRC can be variable length.

Hashes are never sent in plain text.

It is virtually impossible for two different sets of data to calculate the same hash output.

It is easy to generate data with the same CRC

14.

1 point

A network analyst wants to monitor the activity of all new interns. Which type of security testing would track when the interns sign on and sign off the network?

password cracking

vulnerability scanning

network scanning

integrity checker

15.

1 point

In an AAA-enabled network, a user issues the configure terminal command from the privileged executive mode of operation. What AAA function is at work if this command is rejected?

authorization

auditing

authentication

accounting

16.

1 point

**** New Incomplete Question ****

The following authentication configuration is applied to a router.

aaa authentication login default tacacs+ local enable none

Several days later the TACACS+ server goes off-line. Which method will be used to authenticate users?

Local

Default

17.

1 point

What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?

ARP spoofing

DHCP spoofing

ARP poisoning

VLAN hopping

18.

1 point

Which security policy outlines the overall security goals for managers and technical personnel within an organization and includes the consequences of noncompliance with the policy?

governing policy

application policy

technical policy

end-user policy

19.

1 point

What is a secure configuration option for remote access to a network device?

Configure SSH.

Configure 802.1x.

Configure Telnet.

Configure an ACL and apply it to the VTY lines.

20.

1 point

Which feature is specific to the Security Plus upgrade license of an ASA 5505 and provides increased availability?

redundant ISP connections

routed mode

transparent mode

stateful packet inspection

21.

1 point

Which security measure is best used to limit the success of a reconnaissance attack from within a campus area network?

Implement a firewall at the edge of the network.

Implement restrictions on the use of ICMP echo-reply messages.

Implement access lists on the border router.

Implement encryption for sensitive traffic.

22.

1 point

In a server-based AAA implementation, which protocol will allow the router to successfully communicate with the AAA server?

SSH

RADIUS

TACACS

802.1x

23.

1 point

What is the default preconfigured interface for the outside network on a Cisco ASA 5505?

Ethernet 0/1

VLAN 2

Ethernet 0/2

VLAN 1

24.

1 point

Which two features should be configured on end-user ports in order to prevent STP manipulation attacks? ( Choose two.)

loop guard

root guard

PortFast

BPDU guard

UDLD

25.

1 point

A network technician is attempting to resolve problems with the NAT configuration on an ASA. The technician generates a ping from an inside host to an outside host. Which command verifies that addresses are being translated on the ASA?

show running-config

show ip nat translation

show xlate

show ip address

26.

1 point

A security awareness session is best suited for which topic?

required steps when reporting a breach of security

how to install and maintain virus protection

steps used to configure automatic Windows updates

the primary purpose and use of password policies

27.

1 point

Which two types of hackers are typically classified as grey hat hackers? (Choose two.)

hacktivists

script kiddies

vulnerability brokers

state-sponsored hackers

cyber criminals

28.

1 point

Refer to the exhibit. What two pieces of information can be gathered from the generated message? (Choose two.)

This message indicates that enhanced security was configured on the vty ports.

This message is a level five notification message.

This message appeared because a major error occurred that requires immediate action.

This message appeared because a minor error occurred that requires further investigation.

This message indicates that service timestamps have been globally enabled.

29.

1 point

Which two ports can send and receive Layer 2 traffic from a community port on a PVLAN? (Choose two.)

promiscuous ports

community ports belonging to the same community

isolated ports within the same community

community ports belonging to other communities

PVLAN edge protected ports

30.

1 point

What provides both secure segmentation and threat defense in a Secure Data Center solution?

intrusion prevention system

Cisco Security Manager software

Adaptive Security Appliance

AAA server

31.

1 point

What mechanism is used by an ASA 5505 device to allow inspected outbound traffic to return to the originating sender who is on an inside network?

Network Address Translation

security zones

access control lists

stateful packet inspection

32.

1 point

An organization has configured an IPS solution to use atomic alerts. What type of response will occur when a signature is detected?

A counter starts and a summary alert is issued when the count reaches a preconfigured number.

The TCP connection is reset.

The interface that triggered the alert is shutdown.

An alert is triggered each time a signature is detected.

33.

1 point

What two algorithms can be part of an IPsec policy to provide encryption and hashing to protect interesting traffic? (Choose two.)

DH

PSK

RSA

SHA

AES

34.

1 point

Refer to the exhibit. The network administrator is configuring the port security feature on switch SWC. The administrator issued the command show port-security interface fa 0/2 to verify the configuration. What can be concluded from the output that is shown? (Choose three.)

The port is configured as a trunk link.

Security violations will cause this port to shut down immediately.

This port is currently up.

Three security violations have been detected on this interface.

There is no device currently connected to this port.

The switch port mode for this interface is access mode. [adef]

35.

1 point

What is the function of a policy map configuration when an ASA firewall is being configured?

binding class maps with actions

binding a service policy to an interface

using ACLs to match traffic

identifying interesting traffic

36.

1 point

What is the benefit of the network-based IPS (NIPS) over host-based IPS (HIPS) deployment models?

NIPS monitors network segments

NIPS provides individual host protection.

NIPS relies on centrally managed software agents.

NIPS monitors all operations within an operating system.

37.

1 point

Fill in the blank.

A stateful signature is also known as a _____________ signature.

38.

1 point

Refer to the exhibit. Based on the configuration that is shown, which statement is true about the IPS signature category?

All signature categories will be compiled into memory for scanning, but only those signatures in the ios_ips basic category will be used for scanning purposes.

Only signatures in the ios_ips basic category will be compiled into memory for scanning.

All signatures categories will be compiled into memory for scanning, but only those signatures within the ios ips advanced category will be used for scanning purposes.

Only signatures in the ios_ips advanced category will be compiled into memory for scanning.

39.

1 point

What function is provided by the Tripwire network security tool?

security policy compliance

IDS signature development

password recovery

logging of security events

40.

1 point

What is indicated by the use of the local-case keyword in a local AAA authentication configuration command sequence?

That AAA is enabled globally on the router.

That a default local database AAA authentication is applied to all lines.

That user access is limited to vty terminal lines.

That passwords and usernames are case-sensitive.

41.

1 point

An administrator assigned a level of router access to the user ADMIN using the commands below.

Router(config)# privilege exec level 14 show ip route
Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10
Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10

Which two actions are permitted to the user ADMIN? (Choose two.)

The user can issue the show version command.

The user can only execute the subcommands under the show ip route command.

The user can issue all commands because this privilege level can execute all Cisco IOS commands.

The user can issue the ip route command.

The user can execute all subcommands under the show ip interfaces command.

42.

1 point

What are two drawbacks in assigning user privilege levels on a Cisco router? (Choose two.)

Privilege levels must be set to permit access control to specific device interfaces, ports, or slots.

Commands from a lower level are always executable at a higher level.

Only a root user can add or remove commands.

AAA must be enabled.

Assigning a command with multiple keywords allows access to all commands using those keywords.

43.

1 point

What is required for auto detection and negotiation of NAT when establishing a VPN link?

Both VPN end devices must be configured for NAT.

No ACLs can be applied on either VPN end device.

Both VPN end devices must be NAT-T capable.

Both VPN end devices must be using IPv6.

44.

1 point

Which procedure is recommended to mitigate the chances of ARP spoofing?

Enable DAI on the management VLAN.

Enable port security globally.

Enable IP Source Guard on trusted ports.

Enable DHCP snooping on selected VLANs.