Cisco.Pass4sure.210-260.v2017-09-25.by.Marley · 210-260 Implementing Cisco Network Security

http://www.gratisexam.com/

210-260.exam
Number: 210-260
Passing Score: 800
Time Limit: 120 min
File Version: 1.0

Cisco 210-260 Implementing Cisco Network Security, Version 1.0

Upload: vuongkhanh

Post on 07-Jun-2018



Exam A

QUESTION 1
Which of the following are not default values in an IKE policy on an ASA running software version 8.4 or higher? (Select 2 choices.)

A. PSK-based authentication method

B. 168-bit DES encryption algorithm

C. 1024-bit DH group

D. MD5 hash algorithm

E. 14,400-second lifetime

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Message Digest 5 (MD5) algorithm and a 14,400-second lifetime are not default values in an Internet Key Exchange (IKE) policy on a Cisco Adaptive Security Appliance (ASA) running software version 8.2. Virtual private network (VPN) peers establish a connection through a series of negotiations and authentications. Initially, the VPN peers negotiate an IKE security association (SA) and establish a tunnel for key management and authentication. This initial phase is referred to as IKE phase 1. The key management tunnel is used to protect the subsequent negotiation of IP Security (IPSec) SAs. This secondary negotiation phase is referred to as IKE phase 2.

Each VPN peer defines a collection of security parameters in an IKE policy. These parameters are used to negotiate the creation of the key management tunnel in IKE phase 1. There are six required parameters in an IKE policy:
- Policy priority - specifies the order in which policies are negotiated with a peer
- Authentication method - indicates whether a preshared key (PSK) or an RSA digital certificate is used to verify the identity of an IKE peer
- Encryption algorithm - indicates the data protection method used to secure IKE traffic
- Hash-based Message Authentication Code (HMAC) algorithm - indicates the data integrity method used to verify the integrity of IKE traffic
- Diffie-Hellman (DH) group - specifies how keying material is generated between IKE peers
- Lifetime - specifies the length of time that a key is considered valid; the default is 86,400 seconds, or 24 hours

If an IKE policy does not specify a parameter and its associated value, the ASA will use the default value. The default IKE policy settings are shown below:

The default IKE policy settings are combined with the configuration parameters specified in the running configuration. For example, because the following block of commands does not specify an HMAC algorithm, an ASA running software revision 8.4 or higher would use the default value, which is SHA-1:

ASA(config)#crypto ikev1 policy 1
ASA(config-ikev1-policy)#authentication rsa-sig
ASA(config-ikev1-policy)#encryption aes-192
ASA(config-ikev1-policy)#group 1
ASA(config-ikev1-policy)#lifetime 14400

In order for VPN peers to successfully negotiate a key management tunnel during IKE phase 1, the peers must agree on security parameters. For example, when ASA1 sends an IKE policy proposal to ASA2, the IKE policy is compared with the IKE policies defined on ASA2. The proposed policy must be an exact match to one of ASA2's locally defined policies; otherwise, it will be rejected. The one exception to this rule is the value of the IKE lifetime parameter. An IKE lifetime is considered a match if the value specified by the remote peer is less than or equal to the IKE lifetime defined in the local policy. If the IKE lifetime value is less than that of the local policy, the ASA will use the lesser of the two values.

Reference:
Cisco: Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2: ISAKMP Overview
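As an added example (not from the practice exam or from Cisco), the following Python model reproduces the two behaviours the explanation describes: a policy block that omits parameters takes the ASA defaults, and a proposal matches a local policy only on an exact match, except for the lifetime, where the remote value must not exceed the local one and the lesser value is used. The IkePolicy class and the function names are assumptions; the default values are the ones the explanation gives for software 8.4 and later.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Default IKEv1 phase 1 policy values on an ASA running 8.4 or later, as the
# explanation above lists them: PSK authentication, 168-bit 3DES, SHA-1,
# 1024-bit DH group 2, and an 86,400-second lifetime.
DEFAULTS = {
    "authentication": "pre-share",
    "encryption": "3des",
    "hash": "sha",
    "group": 2,
    "lifetime": 86400,
}


@dataclass(frozen=True)
class IkePolicy:
    """One 'crypto ikev1 policy <priority>' entry with all six parameters."""
    priority: int
    authentication: str
    encryption: str
    hash: str
    group: int
    lifetime: int


def build_policy(priority: int, **explicit) -> IkePolicy:
    """Merge the explicitly configured parameters with the defaults, the way
    the ASA combines a partial policy block with its default settings."""
    unknown = set(explicit) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown IKE policy parameter(s): {sorted(unknown)}")
    values = {**DEFAULTS, **explicit}
    return IkePolicy(priority=priority, **values)


def non_default_parameters(policy: IkePolicy) -> List[str]:
    """Names of the parameters whose value differs from the ASA default."""
    return [name for name, default in DEFAULTS.items()
            if getattr(policy, name) != default]


def negotiate(proposal: IkePolicy,
              local_policies: Iterable[IkePolicy]) -> Optional[Tuple[int, int]]:
    """Return (priority of the matching local policy, negotiated lifetime),
    or None when the proposal is rejected.

    Local policies are tried in priority order. Authentication, encryption,
    hash and DH group must match exactly; the lifetime matches when the
    remote value is less than or equal to the local one, and the lesser of
    the two values is the one the ASA uses."""
    for local in sorted(local_policies, key=lambda p: p.priority):
        exact = all(getattr(proposal, name) == getattr(local, name)
                    for name in ("authentication", "encryption", "hash", "group"))
        if exact and proposal.lifetime <= local.lifetime:
            return local.priority, min(proposal.lifetime, local.lifetime)
    return None


if __name__ == "__main__":
    # The policy block from the explanation: hash is left at the default.
    policy1 = build_policy(1, authentication="rsa-sig", encryption="aes-192",
                           group=1, lifetime=14400)
    print(policy1)
    print("non-default:", non_default_parameters(policy1))
    print("all-default proposal, 3600 s:",
          negotiate(build_policy(1, lifetime=3600), [policy1, build_policy(10)]))
```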

QUESTION 2
Which of the following is specifically filtered by a URL filtering subscription service on a Cisco router? (Select the best answer.)

A. traffic sent from specific domains

B. traffic that contains specific keywords

C. traffic that contains malicious software

D. traffic that matches predefined categories

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
On a Cisco router, traffic that matches predefined categories is filtered by a Uniform Resource Locator (URL) filtering subscription service. URL filtering inspects Hypertext Transfer Protocol (HTTP) requests and blocks access to websites that match certain criteria. Subscription-based URL filtering services, which are offered by Trend Micro, Websense, and Secure Computing, assign websites to categories, which are used by administrators to limit or block access to these sites. URL filtering is commonly configured on perimeter routers to prevent users from inadvertently accessing URLs that have been deemed inappropriate or identified as containing malware.

Although a URL filtering subscription service does not specifically filter traffic that contains malicious software as a payload, you can configure the local URL filtering service so that access to websites known to distribute malicious software is filtered. For example, if a particular URL is known to harbor malware, you could filter that specific URL or the entire domain. However, to filter traffic that contains malicious software as a payload, you should install an Intrusion Prevention System (IPS).

Reference:
Cisco: Subscription-based Cisco IOS Content Filtering
Cisco: Cisco IOS Content Filtering Configuration Guide

QUESTION 3
Which of the following actions could you take to mitigate VLAN hopping attacks? (Select the best answer.)

A. Implement sticky MAC addresses.

B. Change the native VLAN on trunk ports to an unused VLAN.

C. Implement DAI.

D. Limit the number of MAC addresses permitted on a port.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should change the native virtual LAN (VLAN) on trunk ports to an unused VLAN to mitigate VLAN hopping attacks. In a VLAN hopping attack, an attacker sends double-tagged 802.1Q frames over a trunk link. A double-tagged frame is an Ethernet frame containing two distinct 802.1Q headers. Although double-tagging can be used as a legitimate way to tunnel traffic through a network and is commonly used by service providers, it can also be used by an attacker to circumvent security controls on an access switch. In a VLAN hopping attack, the attacker attempts to inject packets into other VLANs by accessing the native VLAN on a trunk and sending double-tagged 802.1Q frames to the switch. The switch strips the outer 802.1Q header from the received frame and then forwards the frame, which still includes an 802.1Q header, across a trunk port to the VLAN of the target host. A successful VLAN hopping attack enables an attacker to send unidirectional traffic to other VLANs without the use of a router.

Implementing sticky secure Media Access Control (MAC) addresses can help mitigate MAC spoofing attacks. In a MAC spoofing attack, an attacker uses the MAC address of another known host on the network in order to bypass port security measures. MAC spoofing can also be used to impersonate another host on the network.

Limiting the number of MAC addresses permitted on a port can help mitigate MAC flooding attacks. In a MAC flooding attack, an attacker generates thousands of forged frames every minute with the intention of overwhelming the switch's MAC address table. Once this table is flooded, the switch can no longer make intelligent forwarding decisions and all traffic is flooded. This allows the attacker to view all data sent through the switch because all traffic will be sent out each port. A MAC flooding attack is also known as a content addressable memory (CAM) table overflow attack.

Implementing Dynamic ARP Inspection (DAI) can help mitigate Address Resolution Protocol (ARP) poisoning attacks. In an ARP poisoning attack, which is also known as an ARP spoofing attack, the attacker sends a gratuitous ARP (GARP) message to a host. The GARP message associates the attacker's MAC address with the IP address of a valid host on the network. Subsequently, traffic sent to the valid host address will go through the attacker's computer rather than directly to the intended recipient.

Reference:
Cisco: Implementation of Security: VLAN Hopping

QUESTION 4
Which of the following devices typically sits inline? (Select the best answer.)

A. a HIDS

B. a HIPS

C. a NIDS

D. a NIPS

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Network-based Intrusion Prevention System (NIPS) typically sits inline, which means that all traffic from the external network must flow through and be analyzed by the NIPS before the traffic can enter the internal network. Therefore, a NIPS can detect and drop malicious traffic, which prevents malicious traffic from infiltrating the internal network. A NIPS can work in conjunction with a network firewall; however, Cisco recommends deploying a NIPS on the inside interface of the firewall in order to prevent the NIPS from wasting resources by analyzing traffic that will ultimately be blocked by the firewall. This enables the NIPS to efficiently analyze the traffic that the firewall permits onto the network, rather than processing every inbound packet.

A Host-based Intrusion Prevention System (HIPS) is software that is installed on a host device and analyzes traffic that enters the host. Any traffic that is suspected to be malicious is blocked before it can affect the host device. Many modern, host-based firewall applications include components that provide HIPS functionality.

A Network-based Intrusion Detection System (NIDS) typically does not sit inline in the flow of traffic. Instead, a NIDS merely sniffs the network traffic by using a promiscuous network interface. Because network traffic does not flow through a NIDS, the NIDS can detect malicious traffic but cannot prevent it from infiltrating the network. When a NIDS detects malicious traffic, it can alert other network devices in the traffic path so that further traffic can be blocked. In addition, a NIDS can be configured to send a Transmission Control Protocol (TCP) reset notification or an Internet Control Message Protocol (ICMP) unreachable message to the source and destination addresses.

A Host-based Intrusion Detection System (HIDS) is software that is installed on a host device and analyzes changes made to the device. The primary difference between a HIDS and a HIPS is that a HIPS can detect and block malicious traffic before the traffic can affect the host; a HIDS can detect a threat only after it has already affected the host. Two examples of HIDS applications are Tripwire and OSSEC. Tripwire monitors the integrity of critical files and sends alerts if changes are made to them. OSSEC is an open-source application that monitors logs, registries, and critical files. In addition, OSSEC can detect rootkits, which are malware processes that actively hide their presence from the host operating system.

Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 17, Difference Between IPS and IDS, pp. 460-462
Cisco: Cisco IPS Mitigation Capabilities

QUESTION 5
Which of the following statements is true regarding a stateless packet-filtering firewall? (Select the best answer.)

A. It can operate at Layer 4 of the OSI model.

B. It is more secure than a stateful packet-filtering firewall.

C. It tracks packets as a part of a stream.

D. It is not susceptible to IP spoofing attacks.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A stateless packet-filtering firewall can operate at Layer 4 of the Open Systems Interconnection (OSI) model. A stateless packet-filtering firewall, which is also referred to as a static packet-filtering firewall, evaluates and either blocks or allows individual packets based on the Layer 3 and Layer 4 information in the packet header. Specifically, stateless packet-filtering firewalls can use the source and destination IP addresses, source and destination port numbers, and protocol type listed in the packet header; these values are commonly known as the 5-tuple. Because a stateless packet-filtering firewall allows all traffic from an approved IP address, stateless packet-filtering firewalls are susceptible to IP spoofing attacks; an IP spoofing attack is a type of attack wherein an attacker uses the source IP address of a trusted host to send messages to other computers. This allows the attacker to send messages that appear to come from legitimate hosts on the network. In addition, because a stateless packet-filtering firewall evaluates packets individually, it cannot evaluate data streams or track connections.

By contrast, stateful packet-filtering firewalls traditionally operate at Layers 3, 4, and 5 of the OSI model. Stateful packet-filtering firewalls are more secure than stateless packet-filtering firewalls and are commonly used because of their versatility and ability to dynamically monitor and filter packets. Session information is maintained and tracked by stateful packet-filtering firewalls in order to determine whether packets should be permitted or blocked. For example, when monitoring Transmission Control Protocol (TCP) traffic, the stateful packet filter adds an entry to the state table when a TCP session is permitted. Subsequent packets are verified against the state table to ensure that the packets are in the expected sequence. If the TCP packet sequence numbers are not in the expected range, the packets are dropped.

Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 14, Static Packet Filtering, p. 362

QUESTION 6
An SNMP read-only community named READONLY is configured on a Cisco router. Which of the following fields in the output of the show snmp command on the router will increment if an NMS makes a set request to the READONLY community? (Select the best answer.)

A. Unknown community name

B. Illegal operation for community name supplied

C. Input queue packet drops

D. No such name errors

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the Illegal operation for community name supplied field in the output of the show snmp command on the router will increment if a network management station (NMS) makes a Simple Network Management Protocol (SNMP) set request to the READONLY community. SNMP communities can be configured to be either read-only or read-write. Read-only communities enable an NMS to retrieve Management Information Base (MIB) data from a community, whereas read-write communities enable an NMS to modify and retrieve MIB data. The show snmp command displays accumulated SNMP statistics, as shown in the following sample output:

Chassis: 4279256517
1230 SNMP packets input
    2 Bad SNMP version errors
    5 Unknown community name
    4 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    680 Get-request PDUs
    479 Get-next PDUs
    60 Set-request PDUs
    0 Input queue packet drops (Maximum queue size 1000)
1230 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    No such name errors
    Bad values errors
    0 General errors
    762 Response PDUs
    0 Trap PDUs
SNMP logging: disabled

The Illegal operation for community name supplied field in the sample output indicates that four SNMP packets requested an operation that was not allowed for the associated community, such as a set request for a community that permits only get requests. The Unknown community name field indicates that five SNMP packets were received with unknown community strings. The Input queue packet drops field indicates that no packets were dropped because the input queue had reached its maximum size. The No such name errors field indicates that five SNMP packets were received for MIBs that did not exist on the router. The sample output also indicates the number of get, getNext, and set requests that have been received by the router as well as statistics on the number of various types of SNMP packets the router has sent in response to NMS queries.

Reference:
Cisco: Cisco IOS SNMP Support Command Reference: show snmp

QUESTION 7
Which of the following statements is true of all firewalls? (Select the best answer.)

A. They maintain a state table.

B. They hide the source of network connections.

C. They operate at Layer 7 of the OSI model.

D. They are multihomed devices.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
All firewalls are multihomed devices. A multihomed device is a device that connects to more than one network segment. The purpose of a firewall is to block undesired network traffic and to allow desired network traffic to pass from one network interface to another.

Some firewalls, such as proxy firewalls, can be configured to hide the source of network connections. However, stateful firewalls and packet filtering firewalls are not typically configured to hide the source of network connections. A proxy firewall terminates the connection with the source device and initiates a new connection with the destination device, thereby hiding the true source of the traffic. When the reply comes from the destination device, the proxy firewall forwards the reply to the original source device. Network Address Translation (NAT) and Port Address Translation (PAT) can also be used to hide the source of network connections.

Some firewalls, such as stateful firewalls, maintain a state table. However, other firewalls, such as packet filtering firewalls, do not. A stateful firewall makes filtering decisions based on the state of each session. When an outbound session is initiated, the stateful firewall will create an entry in the firewall's state table and dynamically allow the return traffic in the inbound direction. Inbound traffic from other sources will be blocked unless there is a corresponding outbound session listed in the state table. A packet filtering firewall makes simple filtering decisions based on each individual packet. As a result, packet filtering firewalls are not particularly flexible. For example, if you want to configure traffic on a port to flow inbound as well as outbound, you must open up the port in both directions. However, doing so might expose the internal network to undesirable inbound traffic on that port. Therefore, stateful firewalls are more secure than packet filtering firewalls.

Some firewalls, such as application-level proxy firewalls, operate at Layer 7 of the Open Systems Interconnection (OSI) model, which is called the Application layer. However, stateful firewalls and packet filtering firewalls operate at the Network and Transport layers. An application-level proxy firewall can make filtering decisions based on Application layer data. However, to do so, the firewall must be able to understand the corresponding Application layer protocol. As a result, application-level proxy firewalls are often designed to filter data for a particular Application layer protocol, such as Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP). For example, an HTTP proxy can block malicious or otherwise undesirable web traffic, but it might not be able to block malicious FTP traffic.

Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 14, Firewall Technologies, p. 358
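The stateless-versus-stateful contrast drawn in Questions 5 and 7 (a static filter judges each packet on its 5-tuple, a stateful filter records outbound sessions and admits only their return traffic) is shown below in an added Python example that is not part of the exam material. The class names, the rule format and the sample addresses are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

FiveTuple = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Packet:
    """The Layer 3/4 header fields a packet filter examines (the 5-tuple),
    plus the direction in which the packet crosses the firewall."""
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int
    inbound: bool

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.protocol, self.src_port, self.dst_port)

    def reverse_tuple(self) -> FiveTuple:
        """The 5-tuple that a reply to this packet would carry."""
        return (self.dst_ip, self.src_ip, self.protocol, self.dst_port, self.src_port)


@dataclass(frozen=True)
class Rule:
    """A static permit rule; a field left as None is a wildcard."""
    inbound: bool
    protocol: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.inbound == pkt.inbound
                and (self.protocol is None or self.protocol == pkt.protocol)
                and (self.src_port is None or self.src_port == pkt.src_port)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


class StatelessFilter:
    """Static packet filter: every packet is judged on its own header fields,
    with no memory of earlier packets. To let replies back in, an inbound rule
    must open the port, and that rule admits unsolicited packets as well."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules: List[Rule] = list(rules)

    def permit(self, pkt: Packet) -> bool:
        return any(rule.matches(pkt) for rule in self.rules)


class StatefulFilter:
    """Stateful packet filter: static rules govern only outbound session
    initiation. A permitted outbound packet adds its 5-tuple to the state
    table; an inbound packet is permitted only if it is the reverse of a
    tracked session, so inbound traffic from other sources is blocked."""

    def __init__(self, outbound_rules: Iterable[Rule]) -> None:
        self.rules: List[Rule] = [r for r in outbound_rules if not r.inbound]
        self.state_table: Set[FiveTuple] = set()

    def permit(self, pkt: Packet) -> bool:
        if pkt.inbound:
            return pkt.reverse_tuple() in self.state_table
        if any(rule.matches(pkt) for rule in self.rules):
            self.state_table.add(pkt.five_tuple())
            return True
        return False


# Constructed sample traffic: 10.0.0.5 is an inside client, 203.0.113.10 an
# outside web server, and 203.0.113.66 an outside host that was never contacted.
REQUEST = Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 80, inbound=False)
REPLY = Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 51000, inbound=True)
UNSOLICITED = Packet("203.0.113.66", "10.0.0.5", "tcp", 80, 51000, inbound=True)

OUTBOUND_WEB = Rule(inbound=False, protocol="tcp", dst_port=80)
# What a stateless filter needs so web replies get back in: port 80 opened inbound too.
INBOUND_WEB = Rule(inbound=True, protocol="tcp", src_port=80)


def compare_filters() -> Dict[str, Tuple[bool, bool]]:
    """Run the same three packets, in order, through both filter types and
    return (stateless verdict, stateful verdict) for each, which makes the
    exposure created by the inbound rule visible."""
    stateless = StatelessFilter([OUTBOUND_WEB, INBOUND_WEB])
    stateful = StatefulFilter([OUTBOUND_WEB])
    verdicts: Dict[str, Tuple[bool, bool]] = {}
    for name, pkt in (("request", REQUEST), ("reply", REPLY), ("unsolicited", UNSOLICITED)):
        verdicts[name] = (stateless.permit(pkt), stateful.permit(pkt))
    return verdicts


if __name__ == "__main__":
    for name, (stateless_ok, stateful_ok) in compare_filters().items():
        print(f"{name:12s} stateless={stateless_ok}  stateful={stateful_ok}")
```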

QUESTION 8
You issue the following block of commands on a Cisco router:

RouterA(config)#privilege exec level 10 show users
RouterA(config)#username boson password cisco
RouterA(config)#username boson privilege 15
RouterA(config)#username boson autocommand show users
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
RouterA(config-line)#privilege level 7

Which of the following statements accurately describes what happens when the user boson successfully initiates a Telnet session to RouterA? (Select the best answer.)

A. The autocommand command fails, and the user is disconnected.

B. The autocommand command fails, and the user is not disconnected.

C. The autocommand command succeeds, and the user is disconnected.

D. The autocommand command succeeds, and the user is not disconnected.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When the user boson successfully initiates a Telnet session to RouterA in this scenario, the autocommand command succeeds and the user is disconnected from the router. When issued with the username command, the autocommand keyword can execute a specific command immediately after a user successfully logs in to a Cisco router. In this scenario, the autocommand specifies that the show users command should execute immediately after the user logs in. The command output is displayed to the user terminal, and then the user's session is terminated. You can prevent the user session from being terminated either by using the nohangup keyword or by issuing the no username username autocommand command to remove the autocommand keyword. However, the no username username autocommand command will delete both the autocommand keyword and the specified user name from the local database; therefore, you will need to issue the username username password password command again to recreate the user entry. By contrast, the nohangup keyword does not affect the autocommand keyword but instead changes the default behavior so that the user session is not disconnected.

The privilege exec level 10 show users command in this scenario changes the required privilege level of the show users command to level 10. The default EXEC privilege level is level 1; therefore, this command removes the show users command from the EXEC shells of all users with privilege levels less than 10. The default enable privilege level is level 15; therefore, any user could enter privileged EXEC mode and execute the command. The username boson privilege 15 command in this scenario configures the user boson with a privilege level of 15. Because the user's base privilege level is already 15, the user is not required to issue the enable command to enter privileged EXEC mode.

The following block of commands configures the four default virtual terminal (VTY) interfaces on RouterA to use the local database for authentication and to assign user sessions a default privilege level of 7:

RouterA(config)#line vty 0 4
RouterA(config-line)#login local
RouterA(config-line)#privilege level 7

Although Telnet users are assigned a default privilege level of 7 in this scenario, per-user privileges override the privileges configured for the VTY line. Therefore, the user boson will be granted privilege level 15 when connected to a VTY line through a Telnet session. By contrast, a user without a specified privilege level will be granted privilege level 7 in this scenario. Because the show users command has been assigned a required privilege level of 10, the boson user will be able to execute the command, whereas a Telnet user with the default privilege level would be unable to execute the command without first issuing the enable command to enter privileged EXEC mode.

If the boson user was assigned a privilege level that was insufficient to execute the show users command, the autocommand keyword would still attempt to execute the command. The autocommand keyword does not verify that a user has sufficient privileges to execute the specified command. However, the command would cause the router to display an error message instead of the expected command output. The user session would be disconnected after the error message was displayed.

In no case would the user session remain connected. The nohangup keyword must be used with the username command to change the default behavior so that a user session is not disconnected after the command specified by the autocommand command is executed.

Reference:
Cisco: Role-Based CLI Access: username

QUESTION 9
You administer the network shown above. SwitchE is the root bridge for the network. You connect SwitchF to a port on SwitchB. SwitchF has a priority value of 0 and the MAC address 0000.0c42.0729. Which statement is most accurate regarding root bridge selection after SwitchF is connected to SwitchB? (Select the best answer.)

A. SwitchB will immediately become the root bridge.

B. SwitchE will remain the root bridge.

C. SwitchF will immediately become the root bridge.

D. SwitchE will remain the root bridge until it is powered down, and then SwitchF will become the root bridge.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
After you connect SwitchF to a port on SwitchB, SwitchF will become the root bridge because it has the lowest possible priority value and it has a lower Media Access Control (MAC) address than any of the other switches with a priority value of 0. The root bridge is the switch with the lowest bridge ID (BID), which is composed of a 2-byte bridge priority and a 6-byte MAC address. The bridge priority is considered first in the determination of the lowest BID. When two or more switches have the lowest priority, the switch with the lowest MAC address will become the root bridge. Because SwitchF has a lower MAC address than SwitchE, SwitchF will become the root bridge.

SwitchE will not remain the root bridge, because SwitchF has the same priority and a lower MAC address. When a switch is powered on, it sends out bridge protocol data units (BPDUs) that contain the switch's BID. As soon as a switch receives a BPDU with a lower BID than the current root switch BID, the switch will consider that BPDU to be superior, replace the root switch BID with the BID from the BPDU, and recalculate the root port and port costs. This can have an undesired effect on how packets are sent through a switched network. Therefore, when connecting a switch to a switched network, you must ensure that the switch has a higher priority value than the root bridge, unless you want the switch to assume the root bridge role. This is especially true if the switch is older or contains inferior technology, such as ports that are capable of only 10-megabits-per-second (Mbps) transmission or half-duplex operation. Alternatively, you can issue the spanning-tree guard root command to enable the root guard feature. The root guard feature, when enabled on a port, prevents superior BPDUs received on a neighbor switch connected to that port from becoming the root bridge. If superior BPDUs are received on a port enabled with root guard, the port enters the root-inconsistent state and the port is blocked until the port stops receiving superior BPDUs.

SwitchB will not become the root bridge. SwitchB has a priority value of 65535, which is the highest possible priority value. The root bridge is the switch with the lowest priority value. You can set the bridge priority by issuing the spanning-tree priority value command, where value is a number from 0 through 65535; the default priority is 32768.

SwitchE will not remain the root bridge until it is powered down; SwitchF will immediately replace SwitchE as the root bridge. Root bridges do not behave the same as Open Shortest Path First (OSPF) designated routers (DRs) and backup DRs (BDRs) do. A DR is not replaced by another DR even if a router with a higher OSPF priority is introduced. A DR remains the DR until it fails or is powered down; then the BDR becomes the DR and a new BDR is selected.

Reference:
Cisco: Understanding and Configuring Spanning Tree Protocol (STP) on Catalyst Switches
Cisco: Spanning Tree Protocol Root Guard Enhancement
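The BID comparison and the root guard behaviour described above, as an added Python example that is not from the exam or from Cisco. SwitchF's priority and MAC address and SwitchB's priority come from the question; SwitchE's and SwitchB's MAC addresses, the Switch class and the function names are assumptions made up for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

DEFAULT_PRIORITY = 32768   # default bridge priority, as the explanation states
MAX_PRIORITY = 65535       # highest value the spanning-tree priority command accepts


def parse_mac(mac: str) -> int:
    """Convert a MAC address in Cisco dotted notation (0000.0c42.0729), or in
    colon or hyphen notation, to an integer so that addresses compare numerically."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self) -> Tuple[int, int]:
        """The BID as a (priority, MAC) pair: Python compares tuples element by
        element, so priority decides first and the MAC address breaks ties,
        which is the order STP uses."""
        if not 0 <= self.priority <= MAX_PRIORITY:
            raise ValueError(f"{self.name}: priority {self.priority} out of range")
        return (self.priority, parse_mac(self.mac))


def elect_root(switches: Iterable[Switch]) -> Switch:
    """The root bridge is the switch with the numerically lowest BID."""
    return min(switches, key=lambda s: s.bridge_id())


def receive_bpdu(current_root: Switch, advertised: Switch,
                 root_guard: bool) -> Tuple[Switch, str]:
    """Process a BPDU that advertises `advertised` as root on one port.

    A BPDU with a lower BID than the current root is superior and replaces
    the root. With root guard enabled on the ingress port the root is kept and
    the port is put into the root-inconsistent (blocked) state instead."""
    if advertised.bridge_id() < current_root.bridge_id():
        if root_guard:
            return current_root, "root-inconsistent"
        return advertised, "new-root"
    return current_root, "no-change"


# Constructed topology for the question above. SwitchF's values and SwitchB's
# priority are from the question; the two other MAC addresses are made up.
SWITCH_E = Switch("SwitchE", "0000.0c9f.1a2b", priority=0)
SWITCH_B = Switch("SwitchB", "0000.0c11.2233", priority=MAX_PRIORITY)
SWITCH_F = Switch("SwitchF", "0000.0c42.0729", priority=0)

if __name__ == "__main__":
    print("root before SwitchF:", elect_root([SWITCH_E, SWITCH_B]).name)
    print("root after SwitchF: ", elect_root([SWITCH_E, SWITCH_B, SWITCH_F]).name)
    print("SwitchB port without root guard:", receive_bpdu(SWITCH_E, SWITCH_F, False)[1])
    print("SwitchB port with root guard:   ", receive_bpdu(SWITCH_E, SWITCH_F, True)[1])
```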

QUESTION 10
Which of the following statements is true regarding the outbreak control feature of AMP for Endpoints? (Select the best answer.)

A. It cannot block polymorphic malware.

B. It must wait for a content update before blocking specific files.

C. It cannot whitelist specific applications.

D. It can use application blocking lists to contain compromised applications.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The outbreak control feature of Cisco Advanced Malware Protection (AMP) for Endpoints can use application blocking lists to contain compromised applications. AMP for Endpoints is a host-based malware detection and prevention platform that runs on Microsoft Windows, Mac OS X, Linux, and Google Android. Like many other antimalware packages, AMP for Endpoints monitors network traffic and application behavior to protect a host from malicious traffic. However, unlike many of its competitors, AMP for Endpoints continues its analysis after a disposition has been assigned to a file or traffic flow. When malware is detected, the outbreak control feature of AMP for Endpoints can use application blocking to ensure that a compromised application is contained and that it does not spread the infection. Outbreak control provides for granular control over which applications are blocked and can use whitelists to ensure that mission-critical software continues to run even during an outbreak. The outbreak feature works in conjunction with the continuous analysis, continuous detection, and retrospective security features of AMP for Endpoints to quickly contain and control the spread of malware. Once a file or application has been detected as malicious, the outbreak control feature can use custom detection rules to quickly block the specific file or application without waiting for a signature file content update. In addition, custom signatures can be created to detect polymorphic malware, which is malicious software that can evolve its code or behavior as it propagates.

Reference:
Cisco: Cisco Advanced Malware Protection Solution Overview
Cisco: Cisco Advanced Malware Protection for Endpoints Data Sheet

QUESTION 11
You want to use ASDM to create an inspection rule that will drop and log SHOUTcast media streams. Which of the following inspection rules should you configure to achieve your goal? (Select the best answer.)

A. H.323 H.225

B. H.323 RAS

C. HTTP

D. RTSP

E. IM

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should configure a Hypertext Transfer Protocol (HTTP) inspection rule to drop and log SHOUTcast media streams on a Cisco Adaptive Security Appliance (ASA). When HTTP inspection is enabled in a service policy, such as the global service policy, you can opt to use the default inspection rules or you can customize the inspection rules by applying an HTTP inspect map. You can select a custom HTTP inspect map from the Select HTTP Inspect Map dialog box, as shown below:

You can modify the configuration of an HTTP inspect map from the Configuration > Firewall > Objects > Inspect Maps > HTTP pane of Cisco Adaptive Security Device Manager (ASDM). This pane enables you to add, delete, and modify HTTP inspect maps. To modify an existing map, you should first click the Customize button, which opens the Edit HTTP Inspect Map dialog box, as shown in the following exhibit:

You can reset the inspection map to its default security level by clicking the Default Level button, or you can slide the Security Level slider to select a predefined setting. Alternatively, you can click the Details button to expand the Edit HTTP Inspect Map dialog box into a larger window with more options, as shown below:

You can use the Parameters tab of the expanded Edit HTTP Inspect Map dialog box to enable protocol violation checks and to select the actions that the ASA should take if protocol violations are found. You can also use the tab to configure server string spoofing and the maximum body length for HTTP request and response searches. The Inspections tab of the expanded Edit HTTP Inspect Map dialog box displays the details of the inspection map, as shown in the exhibit below:

The Inspections tab displays the inspection rules that apply to the current inspect map. The Match Type column indicates whether traffic must match or not match the criterion specified in the remaining columns. The Criterion column specifies what type of inspection is being performed. If the traffic is being inspected for a value, that value is indicated in the Value column. The Action column indicates what action will be applied to sessions that meet the rule's requirements, and the Log column indicates whether the action triggers a system log (syslog) message. If you wanted to add an inspection rule that dropped and logged SHOUTcast media streams, you could click the Add button to open the Add HTTP Inspect dialog box and then select the _default_shoutcast-tunneling-protocol item from the HTTP Traffic Class drop-down list box, as shown in the following exhibit:

The items listed in the drop-down list are class maps that have been defined on the ASA. Names that begin with _default are predefined in the system default configuration and can be referenced directly from ASDM or by the class command in a policy map. The _default_shoutcast-tunneling-protocol class map is a predefined class map that can identify SHOUTcast media streams by their HTTP metadata, as shown in the following exhibit:

You cannot configure H.323 H.225; H.323 Registration, Admission, and Status (RAS); Instant Messaging (IM); or Real-Time Streaming Protocol (RTSP) inspection rules to drop and log SHOUTcast media streams on an ASA. SHOUTcast media streams use HTTP, not H.323 or H.225. H.323 H.225 and H.323 RAS inspection rules provide support for International Telecommunication Union (ITU) H.323-compliant applications such as Cisco CallManager. IM inspection rules provide the ASA with the ability to enforce security policies for a variety of mainstream IM applications. RTSP inspection rules enable an ASA to process media streams that are commonly produced by RealAudio, Apple QuickTime, and Cisco IP television (IPTV) connections.
Reference:
Cisco: Configuring Application Layer Protocol Inspection: HTTP Class Map
Cisco: Configuring Inspection of Basic Internet Protocols: Configuring an HTTP Inspection Policy Map for Additional Inspection Control
Cisco: Configuring Application Layer Protocol Inspection: Add/Edit HTTP Map

QUESTION 12
On which of the following screens in ASDM can you enable users to select which connection profile they will use when they establish a clientless SSL VPN connection? (Select the best answer.)

A. the Edit User Account dialog box for each user who should be able to select a connection profile

B. the Edit Internal Group Policy dialog box for each group policy that is associated with the clientless SSL VPN connection profiles

C. the main Connection Profiles pane

D. the main Group Policies pane

E. the main Local Users pane


Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can enable users to select which connection profile they will use on the portal login page on the main Connection Profiles pane for clientless Secure Sockets Layer (SSL) virtual private network (VPN) connections in Cisco Adaptive Security Device Manager (ASDM). When you configure a clientless SSL VPN connection, you can require that a user use a specific connection profile or you can allow users to select the connection profile to use on the login page of the clientless SSL VPN portal. You can select the Allow user to select connection profile, identified by its alias, on the login page option on the Connection Profiles pane in ASDM to allow users to select which connection profile they will use. This option is shown in the following exhibit:

When this option is selected, a drop-down list will be displayed on the login page of the clientless SSL VPN portal. The drop-down list will contain a list of the connection profiles from which the user can select.
You cannot configure the main Group Policies pane or the main Local Users pane to enable users to select connection profiles on the clientless SSL VPN portal. On these panes, you can view a basic summary of information for any configured group policies or user accounts, respectively. To configure group policy or user account information, you must select a group policy or a user account and click the Edit button to configure them. The resulting configuration dialog boxes (Edit User Account for users and Edit Internal Group Policy for group policies) enable you to make configuration changes, but neither of these dialog boxes contains an option for enabling users to select the connection profile on the clientless SSL VPN portal.
Reference:
Cisco: General VPN Setup: About Connection Profiles

QUESTION 13
Which of the following can be configured on the General screen of the Add Internal Group Policy dialog box in ASDM when creating a group policy for clientless SSL VPN users? (Select 3 choices.)

A. a banner message for VPN clients

B. the bookmark list to apply to VPN clients

C. the tunneling protocols that clients can use to establish a VPN connection

D. the name of the group policy

E. a group URL that VPN users can access

F. the portal customization object to apply to VPN connections

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices available, you can configure a banner message for virtual private network (VPN) clients, the tunneling protocols that clients can use to establish VPN connections, and the name of the group policy on the General screen of the Add Internal Group Policy dialog box in Cisco Adaptive Security Device Manager (ASDM) when creating a group policy for clientless Secure Sockets Layer (SSL) VPN users. You can create a group policy on a Cisco Adaptive Security Appliance (ASA) to specify security policies and network settings that are used when remote VPN users log in to the ASA. To create a group policy for clientless SSL VPN users in ASDM, you should click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, and click Group Policies. You can then create a new group policy by clicking Add, which will open the Add Internal Group Policy dialog box. The dialog box opens to the General screen, on which you can configure general properties for the group policy, including the name of the group policy, a banner message to be displayed to VPN users, the tunneling protocols that clients can use to establish a VPN connection, the VPN access hours, a web access control list (ACL), the number of simultaneous logins, a virtual LAN (VLAN) restriction, the connection profile to use for the connection, the maximum connect time, and the idle timeout time. The General screen of the Add Internal Group Policy dialog box, with the name, banner message, and tunneling protocols configured, is shown in the following exhibit:

The bookmark list to apply to VPN clients is not configured on the General screen of the Add Internal Group Policy dialog box. You can specify the bookmark list on the Portal screen of the Add Internal Group Policy dialog box.
The portal customization object to apply to VPN clients is not configured on the General screen of the Add Internal Group Policy dialog box. You can specify the portal customization object on the Customization screen of the Add Internal Group Policy dialog box.
A group Uniform Resource Locator (URL) that VPN users can access is not configured on the General screen of the Add Internal Group Policy dialog box. You configure a group URL in a connection profile, not in a group policy. To configure a group URL, you should access the SSL VPN screen of the Add SSL VPN Connection Profile dialog box in ASDM.
Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 14
Which of the following show clock command output symbols indicates that time reported by the software clock is authoritative but not synchronized with the configured time source? (Select the best answer.)

A. #

B. *

C. ~

D. .

E. +


Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The period (.) is the show clock command output symbol that indicates that time reported by the software clock is authoritative but not synchronized with the configured time source. The show clock command displays the current time as reported by the system software clock. The time can be configured manually or derived from an external time source, such as a Network Time Protocol (NTP) server. If the software clock is configured to use an external time source and that source becomes unreachable, the time might become unsynchronized due to clock drift. When this happens, the show clock command uses the . symbol to indicate that the time is still considered authoritative but is no longer guaranteed to be synchronized with the external time source. The following command output indicates that the software clock is authoritative but not synchronized with its time source:

.10:06:40.603 UTC Tue Jan 13 2015

The asterisk (*) is displayed in the output of the show clock command to indicate that time reported by the software clock is not authoritative. If the software clock is not set by a timing source, the system will flag the time as not authoritative and the output of the show clock command will indicate the flag with the * symbol, as shown in the following command output:

*10:06:40.603 UTC Tue Jan 13 2015

By contrast, if the time is set by a timing source and is synchronized with that source, the time is considered authoritative and the output of the show clock command will not display any additional symbols. For example, the absence of additional symbols in the following command output indicates that the software clock is authoritative and synchronized with its time source:

10:06:40.603 UTC Tue Jan 13 2015

The pound sign (#), tilde (~), and plus sign (+) are displayed in the output of the show ntp associations command, not the show clock command. The output of the show ntp associations command shows the IP addresses of configured NTP servers and their respective clock sources, strata, and reachability statistics. For example, in the following command output, the NTP server at IP address 128.227.205.3 is a stratum 1 server that uses a global positioning system (GPS) time source as its time source:

  address         ref clock       st   when   poll reach  delay  offset   disp
*~128.227.205.3   .GPS.            1     17     64   377  0.000   0.000  0.230
 ~71.40.128.157   204.9.54.119     2     18     64   377  0.000     321  1.816
 ~184.22.97.162   132.163.4.101    2      5     64   377  0.000     314  1.134
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

The * next to the IP address in the command output indicates that this server is an NTP master time source to which the Cisco device is synched. A # next to the IP address indicates that the server is an NTP master time source to which the Cisco device is not yet synched. A + next to the IP address indicates that the server is an NTP master time source that is selected for synchronization but the synchronization process has not yet begun. A ~ next to an IP address indicates that the address was manually configured.
Reference:
Cisco: Cisco IOS Basic System Management Command Reference: show clock
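The show clock and show ntp associations checks above, as an added example that is not part of the exam dump and not Cisco code: a Python parser that reads the status symbols from both commands and answers the question an investigator asks before trusting a device's log timestamps. The sample outputs are constructed from the lines quoted in the explanation; the function names, the NtpPeer record and the rule that a reliable time source needs an unflagged clock plus a sys.peer with reach 377 are this example's own assumptions.

```python
"""Decide whether a Cisco IOS device's clock can be trusted, from the
status symbols in 'show clock' and 'show ntp associations' output.

Added example, not part of the exam dump and not Cisco code. The sample
outputs are constructed to match the symbols described in the explanation."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Leading symbol of 'show clock' output and what it means.
CLOCK_FLAGS = {
    "*": "not authoritative",
    ".": "authoritative but not synchronized",
}

# Peer-status legend printed at the bottom of 'show ntp associations'.
NTP_STATUS = {
    "*": "sys.peer",
    "#": "selected",
    "+": "candidate",
    "-": "outlyer",
    "x": "falseticker",
}

# Constructed samples: 'show clock' in the three states discussed above.
SAMPLE_CLOCK_UNSYNCED = ".10:06:40.603 UTC Tue Jan 13 2015"
SAMPLE_CLOCK_NOT_AUTH = "*10:06:40.603 UTC Tue Jan 13 2015"
SAMPLE_CLOCK_SYNCED = "10:06:40.603 UTC Tue Jan 13 2015"

# Constructed sample of 'show ntp associations' (same peers as the explanation).
SAMPLE_NTP = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~128.227.205.3   .GPS.            1     17     64   377  0.000   0.000  0.230
 ~71.40.128.157   204.9.54.119     2     18     64   377  0.000 321.000  1.816
 ~184.22.97.162   132.163.4.101    2      5     64   377  0.000 314.000  1.134
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""


def parse_show_clock(line: str) -> Dict[str, object]:
    """Split a 'show clock' line into its status flag meaning and timestamp text."""
    line = line.strip()
    flag = line[0] if line and line[0] in CLOCK_FLAGS else ""
    return {
        "status": CLOCK_FLAGS.get(flag, "authoritative and synchronized"),
        "timestamp": line[len(flag):],
        # Only an unflagged time is both authoritative and in sync.
        "trustworthy": flag == "",
    }


@dataclass
class NtpPeer:
    address: str
    ref_clock: str
    stratum: int
    reach: int          # octal shift register of the last eight polls
    status: str         # sys.peer, selected, candidate, outlyer, falseticker or none
    configured: bool    # '~' means the peer was configured manually


# Column 1: status symbol or blank; column 2: '~' or blank; then the table fields.
PEER_RE = re.compile(
    r"^(?P<status>[*#+x\- ])(?P<cfg>[~ ])(?P<addr>\S+)\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+\S+\s+\d+\s+(?P<reach>[0-7]+)"
)


def parse_ntp_associations(text: str) -> List[NtpPeer]:
    """Return one NtpPeer per data row; the header and legend rows do not match."""
    peers: List[NtpPeer] = []
    for raw in text.splitlines():
        m = PEER_RE.match(raw.rstrip())
        if not m:
            continue
        peers.append(NtpPeer(
            address=m["addr"],
            ref_clock=m["ref"],
            stratum=int(m["st"]),
            reach=int(m["reach"], 8),
            status=NTP_STATUS.get(m["status"], "none"),
            configured=m["cfg"] == "~",
        ))
    return peers


def assess_time_source(clock_line: str, ntp_output: str) -> Dict[str, object]:
    """Combine both commands: time is reliable only if the clock carries no
    flag and the sys.peer answered all of the last eight polls (reach 377)."""
    clock = parse_show_clock(clock_line)
    peers = parse_ntp_associations(ntp_output)
    sys_peers = [p for p in peers if p.status == "sys.peer" and p.reach == 0o377]
    return {
        "clock_status": clock["status"],
        "sys_peer": sys_peers[0].address if sys_peers else None,
        "reliable": bool(clock["trustworthy"]) and bool(sys_peers),
    }


if __name__ == "__main__":
    for line in (SAMPLE_CLOCK_SYNCED, SAMPLE_CLOCK_UNSYNCED, SAMPLE_CLOCK_NOT_AUTH):
        print(line, "->", assess_time_source(line, SAMPLE_NTP))
```

Running the block prints one assessment per sample clock line; only the unflagged line combined with the reach-377 sys.peer is reported as reliable, which is the condition under which the timestamps of that device's syslog messages can be correlated with other sources.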

QUESTION 15
Which of the following statements are true regarding policies in Cisco Security Manager? (Select 2 choices.)

A. Rule-based policies can contain hundreds of rules containing values for the same set of parameters.

B. Settings-based policies can define only one set of parameters for each settings-based policy defined on a device.


C. Local policies are well-suited to smaller networks and to devices requiring standard configurations.

D. Any changes that you make to a shared policy are not automatically applied to all the devices to which it is assigned.

E. The Default section of a shared policy contains rules that cannot be overridden by local rules.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In Cisco Security Manager (CSM), rule-based policies can contain hundreds of rules containing values for the same set of parameters, and settings-based policies can define only one set of parameters for each settings-based policy defined on a device. CSM is a graphics-based management application that can be used to configure a wide variety of Cisco devices, such as routers, switches, firewall appliances, Intrusion Prevention System (IPS) appliances, and Catalyst service modules. One of the advantages of CSM is its ability to centralize the administration of security policies across a large number of Cisco devices. CSM categorizes policies into two general types: rule-based policies and settings-based policies. Rule-based policies, such as access control lists (ACLs) and inspection rules, are stored in a tabular fashion and can contain many different values for the same set of parameters. These policies are processed in order and the first matching table entry will be applied, even if there are other matching table entries farther down the table. Because of the nature in which rule-based policies are processed, they can contain hundreds of rules with values for the same set of parameters. By contrast, settings-based policies can define only a single set of parameters for each settings-based policy defined on a device. Settings-based policies, such as Quality of Service (QoS) policies and IP Security (IPSec) policies, contain a set of parameters that, as a whole, define a particular hardware or security configuration feature.
CSM policies can be either local or shared. A local policy is specific to a particular device, and any changes affect only its associated device. By contrast, a shared policy is applicable to a group of devices and any changes are automatically applied to all of its associated devices. Because local policies are specific to individual devices, it can become cumbersome to manage the policies in a network with a large number of devices; therefore, local policies are better suited to smaller networks and shared policies are better suited to larger networks.
Shared policies use an inheritance hierarchy to determine which policy rules are implemented on a particular device. There are two kinds of shared policy rules: mandatory and default. Mandatory rules cannot be overridden by either child policy rules or local rules. By contrast, default rules can be overridden by both child policy rules and local rules. Inheritance enables you to nest multiple shared rules and ensure that certain policies cannot be overridden while still maintaining the flexibility to override some default settings.
Reference:
Cisco: Managing Policies: Understanding Policies

QUESTION 16
Which of the following authentication methods are supported by both RADIUS and TACACS+ server groups on a Cisco ASA firewall? (Select 3 choices.)

A. ASCII

B. CHAP

C. MS-CHAPv1

D. MS-CHAPv2

E. PAP


Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) server groups on a Cisco Adaptive Security Appliance (ASA) support Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP version 1 (MS-CHAPv1), and Password Authentication Protocol (PAP). A Cisco ASA supports a number of different Authentication, Authorization, and Accounting (AAA) server types, such as RADIUS, TACACS+, Lightweight Directory Access Protocol (LDAP), Kerberos, and RSA Security Dynamics, Inc. (SDI) servers.
When authenticating with a TACACS+ server, a Cisco ASA can use the following authentication protocols:
- ASCII
- PAP
- CHAP
- MS-CHAPv1
When authenticating with a RADIUS server, a Cisco ASA can use the following authentication protocols:
- PAP
- CHAP
- MS-CHAPv1
- MS-CHAPv2
- Authentication Proxy Mode (for example, RADIUS to RSA/SDI, RADIUS to Active Directory, and others)
Reference:
Cisco: Configuring AAA Servers and the Local Database: RADIUS Server Support
Cisco: Configuring AAA Servers and the Local Database: TACACS+ Server Support

QUESTION 17
Which of the following statements is true regarding ZFW traffic action characteristics? (Select the best answer.)

A. The pass action is bidirectional and automatically permits return traffic.

B. The inspect action is unidirectional and can be used to maintain state information.

C. The drop action silently discards packets and does not generate ICMP host unreachable messages.

D. The pass action can provide an audit trail including session start, stop, and duration values.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The drop action in a zone-based policy firewall (ZFW) configuration silently discards packets and does not generate Internet Control Message Protocol (ICMP) host unreachable messages. ZFWs include many of the features of previous firewall versions, including stateful packet inspection and Uniform Resource Locator (URL) filtering. However, several new firewall features are also included, such as the ability to create security zones to which security policies can be applied. With ZFWs, policies are applied to a security zone pair rather than to an interface. This provides for more granular implementation of firewall policies; different policies can be applied to hosts connected to the same interface. Before a policy can be applied to an interface, the interface must be added to a zone. To permit traffic from one zone to another, you must create a zone pair between the zones. Once you have configured zones and zone pairs, you can apply one of three actions, pass, drop, or inspect, to the traffic between the zones.
The drop action is the default action that is applied to traffic sent from one zone to another on a router that is configured with a ZFW. Unless a policy has been configured to allow traffic to be sent between two zones, the traffic will be dropped.
The pass action can be applied to permit traffic from one zone to another. However, because the pass action is unidirectional, no return traffic will be allowed by the pass action. Another policy would need to be applied in the destination zone to allow return traffic to the originating zone.
The inspect action can be used to maintain state information for a connection sent through a ZFW. Consequently, unlike the pass action, the inspect action is bidirectional and will allow return traffic to the zone from the destination. For example, if a ZFW is used in between an internal network and the Internet, the inspect action can be used to allow the internal hosts to retrieve information from the Internet. That is, data from the Internet will be permitted by the inspect action. In addition, the inspect action can provide an audit trail including session start time, stop time, duration, quantity of data transferred, and source and destination IP addresses.
Reference:
Cisco: Zone-Based Policy Firewall Design and Application Guide: Configuring Zone-Based Policy Firewall Policy Maps
Category: Cisco Firewall Technologies

QUESTION 18
You have configured an ASA to accept SSL VPN connections. DTLS and DPD are configured on the ASA. Which of the following is most likely to occur if a Cisco AnyConnect client that is not configured for DTLS attempts to connect to the ASA? (Select the best answer.)

A. The client will be unable to establish a connection to the ASA.

B. The client will still be able to connect by using DTLS and will be able to communicate on the remote network.

C. The client will be able to connect by using TLS and will be able to communicate on the remote network.

D. The client will be able to establish a connection to the ASA but will be unable to communicate on the remote network.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The client will be able to connect by using Transport Layer Security (TLS) and will be able to communicate on the remote network. Datagram TLS (DTLS) is the default transport method for Secure Sockets Layer (SSL) virtual private network (VPN) connections on Cisco Adaptive Security Appliance (ASA) devices. However, if DTLS is not enabled on the VPN client, TLS can be used as a fallback method for data transport. In such a scenario, the client will establish a TLS connection and will be able to communicate on the remote network, provided that the user has access to the client network. In order for an ASA to fall back to TLS, Dead Peer Detection (DPD) must be enabled on the ASA. DPD is a feature that can determine whether the other end of a link is not responding and the connection has failed. If DPD determines that the client is not responding, the connection will revert to using TLS as the transport method.
Reference:
Cisco: Configuring AnyConnect VPN Client Connections: Configuring DTLS

QUESTION 19
Refer to the exhibit.

You want to use network object NAT to configure the ASA to perform PAT on traffic that originates from the 192.168.13.0/24 network attached to the INSIDE interface and that is destined to any networks connected to the OUTSIDE interface. Which of the following blocks of commands should you issue to achieve your goal? (Select the best answer.)

A. asa(config)#object network INSIDENetwork
   asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
   asa(config-network-object)#nat (INSIDE,OUTSIDE) dynamic interface

B. asa(config)#object network OUTSIDENetwork
   asa(config-network-object)#subnet 198.51.100.0 255.255.255.0
   asa(config-network-object)#nat (any,INSIDE) dynamic interface

C. asa(config)#object network INSIDENetwork
   asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
   asa(config-network-object)#nat (OUTSIDE,INSIDE) dynamic interface

D. asa(config)#object network INSIDENetwork
   asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
   asa(config-network-object)#nat (any,OUTSIDE) dynamic interface

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should issue the following block of commands to achieve your goal in this scenario:

asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (INSIDE,OUTSIDE) dynamic interface

When the nat command is issued from network object configuration mode, it is referred to as the nat (object) command and it can be used to configure network object Network Address Translation (NAT) on the Cisco Adaptive Security Appliance (ASA). Network object NAT enables you to easily specify a mapping for the source address in a packet. The command block in this scenario configures a network object named INSIDENetwork, defines a subnet IP address and network mask for the INSIDENetwork object, and specifies that the real source IP address of packets from the INSIDE interface should be dynamically translated to the mapped IP address corresponding to the IP address assigned to the OUTSIDE interface. The effect of the translation on matching packets is illustrated by the following graphic:

The nat (object) command can be used to create a dynamic NAT rule which translates traffic for a particular network object. The abbreviated syntax to create a dynamic NAT rule with the nat (object) command is nat (real_interface,mapped_interface) dynamic {mapped_object | mapped_host_IP | interface} [fallthrough_interface], where real_interface represents the source interface of the original packet and mapped_interface represents the source interface of the translated packet. The source IP address of the original packet is based on the definition of the network object; in this scenario, the network object is a network subnet. The dynamic keyword is used to specify a dynamic NAT rule and the interface parameter is used to specify a Port Address Translation (PAT) rule. An optional fallthrough interface can be specified if dynamic NAT is configured to use a pool of addresses to ensure that translation continues even if every IP address in the pool has been assigned a translation.
Alternatively, you could use Adaptive Security Device Manager (ASDM) instead of the command line to configure the network object NAT rule in this scenario. You can create a network object rule in ASDM by accessing the Configuration > Firewall > NAT Rules pane, clicking the Add drop-down list, and selecting the Add “Network Object” NAT rule option to open the Add Network Object dialog box. The following sample Add Network Object dialog box corresponds to the block of commands in this scenario:

You should not issue the following block of commands to achieve your goal in this scenario:

asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (any,OUTSIDE) dynamic interface

The nat (any,OUTSIDE) dynamic interface command in this block of commands maps the source IP address of traffic that originates from the 192.168.13.0/24 subnet, from any interface, to the IP address assigned to the OUTSIDE interface. Although this block of commands would configure the ASA to perform the required translation for traffic originating from the INSIDE interface, it would also perform the translation for any traffic from the 192.168.13.0/24 subnet originating from any other interface. Because the scenario requires the translation to occur only for traffic originating from the INSIDE interface, you should not issue this block of commands.
You should not issue the following block of commands to achieve your goal in this scenario:

asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (OUTSIDE,INSIDE) dynamic interface

The nat (OUTSIDE,INSIDE) dynamic interface command maps the source IP address of traffic that originates from the 192.168.13.0/24 subnet, from only the OUTSIDE interface, to the IP address assigned to the INSIDE interface. Because the 192.168.13.0/24 network is directly connected to the INSIDE interface and not the OUTSIDE interface, this translation rule would not achieve the requirements of the scenario.
You should not issue the following block of commands to achieve your goal in this scenario:

asa(config)#object network OUTSIDENetwork
asa(config-network-object)#subnet 198.51.100.0 255.255.255.0
asa(config-network-object)#nat (any,INSIDE) dynamic interface

This block of commands creates a network object that corresponds to the network directly connected to the OUTSIDE interface. The nat (any,INSIDE) dynamic interface command maps the source IP address of traffic that originates from the 198.51.100.0/24 subnet, from any interface, to the IP address assigned to the INSIDE interface.
Reference:
Cisco: Configuring Network Object NAT: Configuring Dynamic PAT (Hide)
Cisco: Cisco ASA Series Command Reference: nat (object)

QUESTION 20
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:


When a user logs in to the clientless SSL VPN portal by using the extranet tunnel group, which of the following statements is true regarding the appearance of the portal? (Select the best answer.)

A. No text will be displayed in the title portion of the portal screen.

B. The text “SSL VPN Service” will be displayed in the title portion of the portal screen.

C. The text “Boson Extranet” will be displayed in the title portion of the portal screen.

D. The text “Boson SSL VPN Service” will be displayed in the title portion of the portal screen.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When a user logs in to the clientless Secure Sockets Layer (SSL) virtual private network (VPN) portal by using the extranet tunnel group, the text “Boson Extranet” will be displayed in the title portion of the portal screen. When users log in to a clientless SSL VPN session, the users are presented with a portal screen that contains information and links to resources to which the user has access. You can customize the appearance of the portal by modifying the DfltCustomization customization object or by creating a new customization object and linking it to the appropriate tunnel group(s). You can then link a customization object to a specific tunnel group, which is also known as a connection profile.

To determine which customization object has been applied to a tunnel group, you should click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, click Connection Profiles, and then select the appropriate connection profile from the list. For this scenario, you want to determine the customization object that will be applied to the extranet tunnel group, so you should double-click extranet in the list of connection profiles, expand Advanced, and click Clientless SSL VPN. The Portal Page Customization entry indicates that this connection profile uses the extranet_customization customization object, as shown in the following exhibit:


To view the details of a customization object in Cisco Adaptive Security Device Manager (ASDM), you should click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, expand Portal, and click Customization, which will display the Customization Objects pane. In this scenario, two customization objects have been created: boson_customization and extranet_customization. To view the details of a customization object, you should double-click the customization object, which will open the SSL VPN Customization Editor in a browser window. To determine the text that will be displayed in the title portion of the portal screen, you should navigate to the Portal area of the SSL VPN Customization Editor by clicking the Portal tab and then click Title Panel, as shown in the following exhibit:


The text that will be displayed in the title portion of the portal is displayed in the Text entry of the Title Panel pane; the Text entry contains the text “Boson Extranet”, which is the text that will be displayed in the title portion of the portal when users establish a VPN connection, as shown in the following exhibit.

The text “SSL VPN Service” is the default text that will be displayed if you do not customize the Text entry of the Title Panel. In this scenario, the text has been customized, so the text “SSL VPN Service” will not be displayed.
The text “Boson SSL VPN Service” will be displayed only for tunnel groups that use the boson_customization customization object. This text will not be displayed for the extranet tunnel group.
Reference:
Cisco: Customizing Clientless SSL VPN: Customizing the External Portal Page

QUESTION 21
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:


Which of the following statements is true regarding how the on-screen keyboard will be displayed when a user establishes a clientless SSL VPN session by using the boson connection profile? (Select the best answer.)

A. The on-screen keyboard will not be displayed on any pages.

B. The on-screen keyboard will be displayed only on the login page.

C. The on-screen keyboard will be displayed on any portal page that requires authentication.

D. The on-screen keyboard will be displayed on every portal page.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the on-screen keyboard will be displayed only on the login page when a user establishes a clientless Secure Sockets Layer (SSL) virtual private network (VPN) session by using the boson connection profile. When users log in to a clientless SSL VPN session, you can configure an on-screen keyboard to be displayed in certain areas of the portal. The on-screen keyboard enables users to enter information, such as passwords, by using the on-screen keyboard instead of a physical keyboard. For example, you can configure the on-screen keyboard to be displayed on the login page, and users can use this keyboard to enter their login information. By default, the on-screen keyboard is disabled. To enable the on-screen keyboard, you should click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, expand Portal, and click Customization, which will display the Customization Objects pane. This pane contains an OnScreen Keyboard area that provides several options for configuring the on-screen keyboard. You can select from the following on-screen keyboard options:
- Do not show OnScreen keyboard - This option disables the on-screen keyboard.
- Show only for the login page - This option enables the on-screen keyboard for the login page.
- Show for all portal pages requiring authentication - This option enables the on-screen keyboard for any page that requires that the user be authenticated.
In this scenario, the Show only for the login page option is selected, as shown in the following exhibit:


This setting will apply to any customization object that you create. Therefore, selecting the Show only for the login page option will configure the on-screen keyboard to be displayed on the login page for all customization objects and for any connection profiles associated with those customization objects.
Reference:
CCNP Security VPN 210260 Quick Reference, Chapter 4, Deploying Basic Navigation Customization, pp. 153-154

QUESTION 22
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:


Which of the following statements are true regarding the extranet connection profile? (Select three.)

A. It will use the boson_grp group policy.

B. It will use the DfltGrpPolicy group policy.

C. It will use the local AAA database for authentication.

D. It will use digital certificates for authentication.

E. It will use the DfltCustomization customization object.

F. It will use the boson_customization customization object.

G. It will use the extranet_customization customization object.

Correct Answer: BCG
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The extranet connection profile will use the DfltGrpPolicy group policy, the local Authentication, Authorization, and Accounting (AAA) database for authentication, and the extranet_customization customization object. When creating a connection profile in Cisco Adaptive Security Device Manager (ASDM), you can specify a number of parameters. For example, you can specify the type of authentication to use and the default group policy to use for VPN connections made by using the connection profile. This information can be configured or modified on the Add or Edit Clientless SSL VPN Connection Profile dialog box in ASDM. To access this dialog box in ASDM, you should click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, and click Connection Profiles. You can then double-click a connection profile to open the Edit Clientless SSL VPN Connection Profile dialog box for the selected connection profile. The Edit Clientless SSL VPN Connection Profile dialog box for the extranet tunnel group is shown in the following exhibit:


The Authentication section of the Basic screen of the Edit Clientless SSL VPN Connection Profile dialog box indicates that the tunnel group will use the local AAA database for user authentication. Thus any VPN connections made by using this tunnel group will be authenticated against the AAA database.
The Default Group Policy section indicates that the DfltGrpPolicy group policy will be applied to this connection profile. That is, the settings in the DfltGrpPolicy group policy will apply to VPN users who connect by using the extranet tunnel group.
The Clientless SSL VPN screen of the Edit Clientless SSL VPN Connection Profile dialog box indicates that the extranet connection profile will use the extranet_customization customization object. This screen is shown in the following exhibit:


Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles

QUESTION 23
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:


Which of the following statements is true regarding the display of a banner message when users establish a clientless SSL VPN session by using the extranet connection profile? (Select the best answer.)

A. No banner message will be displayed.

B. A generic banner message will be displayed that states “Welcome to SSL VPN Service.”

C. A custom banner message will be displayed that states “Welcome to Boson Software!”

D. For each user, a custom banner message will be displayed for each user that states “Welcome user-name.”

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
No banner message will be displayed when users establish a clientless Secure Sockets Layer (SSL) virtual private network (VPN) session by using the extranet connection profile. You can configure a banner message to be displayed when users establish a clientless SSL VPN connection. This information is configured in the group policy that is associated with the connection profile used to create the connection.
In this scenario, you want to determine whether a banner message will be displayed when the extranet connection profile is used. The extranet connection profile uses the DfltGrpPolicy group policy, so you should view the details of that group policy. To view the details of the DfltGrpPolicy group policy, you should click Configuration, expand Clientless SSL VPN Access, and click Group Policies. You can then double-click DfltGrpPolicy (System Default), which will open the Edit Internal Group Policy dialog box, which is shown in the following exhibit:

The Banner entry contains no value. As a result, clientless SSL VPN connections made by using connection profiles that use the DfltGrpPolicy group policy will not display a banner to users when they establish a connection.


VPN connections made by using the boson connection profile will display the message “Welcome to Boson Software!” This message will not be displayed for connections made by using the extranet connection profile.
No group policy has been configured with a banner of “Welcome to SSL VPN Service.” In addition, no group policy has been configured with a banner of “Welcome user-name.” Thus no VPN connections in this scenario will display either of these banner messages.
Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 24
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:


A. No bookmarks will be displayed.

B. The boson.com and files.boson.com bookmarks will be displayed.

C. The extranet.boson.com and projects.boson.com bookmarks will be displayed.

D. The boson.com, files.boson.com, extranet.boson.com, and projects.boson.com bookmarks will be displayed.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The extranet.boson.com and projects.boson.com bookmarks will be displayed to users who establish a clientless Secure Sockets Layer (SSL) virtual private network (VPN) session by using the extranet connection profile. You can create a bookmark list to specify a list of Uniform Resource Locators (URLs) that will be displayed to users when they establish a clientless SSL VPN connection. To configure a bookmark list, you should access the Bookmarks pane of Cisco Adaptive Security Device Manager (ASDM) by clicking Configuration, clicking the Remote Access VPN button, expanding Clientless SSL VPN Access, expanding Portal, and clicking Bookmarks. In this scenario, two bookmark lists have been created: URLs and Extranet. The URLs bookmark list contains two URLs, which are boson.com and files.boson.com. The Extranet bookmark list also contains two URLs, which are extranet.boson.com and projects.boson.com.
The bookmark list that will be applied to a tunnel group is specified in the group policy that is associated with the tunnel group. In this scenario, the extranet tunnel group is linked to the DfltGrpPolicy group policy. Thus you should view the details of this group policy to determine which links will be displayed. This is accomplished by clicking Configuration, clicking the Remote Access VPN button, expanding Clientless SSL VPN Access, selecting Group Policies, and double-clicking DfltGrpPolicy (System Default). You should then click Portal, which will display the Portal pane of the Edit Internal Group Policy dialog box, as shown in the following exhibit:


The Bookmark List entry indicates that the Extranet bookmark list is associated with the DfltGrpPolicy group policy. Because this list contains the extranet.boson.com and projects.boson.com URLs, you can conclude that these URLs will be displayed to users who connect by using the extranet tunnel group.
Reference:
Cisco: Configuring Clientless SSL VPN: Configuring Bookmarks

QUESTION 25
Which of the following are in-band management tools that do not use encryption? (Select 3 choices.)

A. SNMPv1


B. SNMPv2

C. SNMPv3


D. Telnet

E. SSH

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, Simple Network Management Protocol version 1 (SNMPv1), SNMP version 2 (SNMPv2), and Telnet are all in-band management tools that do not use encryption. Encryption is a method of encoding network traffic so that it cannot be read in transit. Thus encryption can be used to defeat eavesdropping attacks.
Simple Network Management Protocol (SNMP) is used to remotely monitor and manage network devices. Telnet is used to create a terminal connection to remote devices. When a Cisco device is operating in its normal state, another device can connect to it by using in-band methods, such as virtual terminal (VTY) application protocols.
Three versions of SNMP currently exist. SNMPv1 and SNMPv2 do not provide encryption; password information, known as community strings, is sent as plain text with messages. SNMPv3 improves upon SNMPv1 and SNMPv2 by providing encryption, authentication, and message integrity to ensure that the messages are not tampered with during transmission.
Secure Shell (SSH) is a VTY protocol that can be used to securely replace Telnet. Telnet is considered to be an insecure method of remote connection because it sends credentials over the network in clear text. Therefore, you should replace Telnet with an encrypted application, such as SSH, where possible.
Reference:
Cisco: SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches): Versions of SNMP
Cisco: Cisco Guide to Hardening IOS Devices: Use Secure Protocols When Possible

QUESTION 26
Your company’s Cisco ISE device and all of its supplicants support EAP-FASTv2. A user’s authentication fails. However, the user’s device attempts to authenticate and succeeds.
Which of the following is true? (Select the best answer.)

A. The user will have no access.

B. The user will have restricted access.

C. The user will have full access.

D. The device will have full access but the user will have no access.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The user will have restricted access if user authentication to the Cisco Identity Services Engine (ISE) fails but the user’s device authentication succeeds. Extensible Authentication Protocol (EAP)-Flexible Authentication via Secure Tunneling (FAST) with EAP chaining, which is also sometimes called EAP-FAST version 2 (EAP-FASTv2), enables the validation of both user and device credentials in a single EAP transaction. EAP chaining enables a Cisco security device to validate authentication credentials for both a user and the user’s device. In order to enable EAP chaining, both the Cisco security device and the supplicant device must support EAP chaining. The Cisco ISE will assign a different level of authorization access depending on one of four success and failure possibilities, as shown in the following table:

EAP-FAST is an authentication protocol that can be used for point-to-point connections and for both wired and wireless links. The EAP-FAST authentication process consists of three phases. The first phase, which is optional and is considered phase 0, consists of provisioning a client with a PAC, which is a digital credential that is used for authentication. A PAC can be manually configured on a client, in which case phase 0 is not required. The second phase, which is referred to as phase 1, involves creating a secure tunnel between the client and the server. The final phase, which is referred to as phase 2, involves authenticating the client. If the client is authenticated, the client will be able to access the network.
Reference:
Cisco: Cisco Identity Services Engine Administrator Guide, Release 1.3: Simple Authentication Policy Configuration Settings

QUESTION 27Which of the following features prevent attacks that consume CPU and memory resources? (Select 2 choices.)

A. CoPP

B. CPPr

C. CPU Threshold Notifications

D. Memory Threshold Notifications

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Control Plane Policing (CoPP) and Control Plane Protection (CPPr) prevent attacks that consume CPU and memory resources. Both CoPP and CPPr use class maps to filter and rate-limit traffic. However, CPPr separates control plane traffic into three subinterfaces: the host subinterface, the transit subinterface, and the Cisco Express Forwarding (CEF)-exception subinterface. For this reason, Cisco recommends that you use CPPr instead of CoPP whenever possible. To configure CPPr, you must perform the following steps:
- Create access control lists (ACLs) to identify traffic.
- Create a traffic class.
- Create a traffic policy, and associate the traffic class to the policy.
- Apply the policy to the specific control plane subinterface.

CoPP is similar to CPPr, except CoPP does not separate control plane traffic into three subinterfaces. To configure CoPP, you must perform the following steps:
- Create ACLs to identify traffic.
- Create a traffic class.
- Create a traffic policy, and associate the traffic class to the policy.
- Apply the policy to the control plane interface.

The host subinterface contains control plane IP traffic that is destined for a router interface, including traffic from the following sources and protocols:
- Terminating tunnels
- Secure Shell (SSH)
- Simple Network Management Protocol (SNMP)
- Internal Border Gateway Protocol (iBGP)
- Enhanced Interior Gateway Routing Protocol (EIGRP)

The transit subinterface contains control plane IP traffic that is traversing the router, including the following traffic:
- Nonterminating tunnel traffic
- Traffic that is software-switched by the route processor

The CEF-exception subinterface contains control plane traffic redirected by CEF for process switching, including traffic from the following sources and protocols:
- Non-IP hosts
- Address Resolution Protocol (ARP)
- External BGP (eBGP)
- Open Shortest Path First (OSPF)
- Label Distribution Protocol (LDP)
- Layer 2 keepalives

CPU Threshold Notifications and Memory Threshold Notifications do not prevent attacks that consume CPU and memory resources. However, these features can automatically send notifications if excessive CPU or memory consumption is detected. Excessive resource consumption could occur if CoPP or CPPr protection features have been circumvented or are misconfigured. Notifications are typically sent as SNMP trap messages.
Reference:
Cisco: Control Plane Protection
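The four CPPr steps above, carried through as an added Cisco IOS configuration example (this is not from the source or from any Cisco document). The ACL, class and policy names, the police rates and the 10.0.0.0/24 management subnet are all assumed.

```cisco
! Added example: CPPr for the host subinterface on Cisco IOS.
! Names, rates and the 10.0.0.0/24 management subnet are assumed.
!
! Step 1: ACLs that identify traffic destined to the router itself.
ip access-list extended CPPR-HOST-MGMT-ACL
 remark SSH and SNMP, accepted only from the management subnet
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
ip access-list extended CPPR-HOST-ROUTING-ACL
 remark EIGRP and iBGP sessions that terminate on this router
 permit eigrp any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
! Step 2: traffic classes built from the ACLs.
class-map match-any CPPR-HOST-ROUTING
 match access-group name CPPR-HOST-ROUTING-ACL
class-map match-any CPPR-HOST-MGMT
 match access-group name CPPR-HOST-MGMT-ACL
!
! Step 3: a policy that rate-limits each class. Anything else aimed at
! the router (class-default) gets a small allowance so a flood of
! unexpected packets cannot starve the route processor. Put any other
! legitimate host-bound protocol (NTP, DHCP, ...) in its own class
! before class-default, or it will share this small bucket.
policy-map CPPR-HOST-POLICY
 class CPPR-HOST-ROUTING
  police 512000 8000 conform-action transmit exceed-action drop
 class CPPR-HOST-MGMT
  police 128000 4000 conform-action transmit exceed-action drop
 class class-default
  police 32000 1500 conform-action transmit exceed-action drop
!
! Step 4: apply the policy to the host control-plane subinterface.
control-plane host
 service-policy input CPPR-HOST-POLICY
!
! CoPP variant (no subinterface split): the same policy applied to the
! aggregate control plane instead of the host subinterface.
! control-plane
!  service-policy input CPPR-HOST-POLICY
!
! Verification: the per-class conform/exceed counters show whether the
! rates fit real traffic; a rising exceed count in CPPR-HOST-ROUTING
! means the policy itself is dropping adjacency traffic.
! show policy-map control-plane host
! show policy-map control-plane
```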

QUESTION 28Which of the following can be detected by the Cisco ESA CASE? (Select 2 choices.)

A. snowshoe spam

B. phishing attacks

C. DDoS attacks

D. MAC spoofing attacks

E. DNS poisoning attacks

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Cisco Email Security Appliance (ESA) is designed to protect against email threats, such as malware attachments, phishing scams, and spam. The Cisco Context Adaptive Scanning Engine (CASE) on an ESA is a contextual analysis technology that is intended to detect email threats as they are received. CASE checks the reputation of email senders, scans the content of email messages, and analyzes the construction of email messages. As part of this process, CASE submits the email sender to the Cisco SenderBase Network, which contains data on hundreds of thousands of email networks. The sender is assigned a score based on this information. The content of the email message is scanned because it could contain language, links, or a call to action that is indicative of a phishing scam.
Snowshoe spammers establish many false company names and identities, often with unique post office addresses and telephone numbers, so that reputation filters do not perceive the source of the spam as a threat. In addition, the spam output is spread across multiple IP addresses and domain names in order to defeat blacklists.
Phishing is a social engineering technique in which a malicious person uses a seemingly legitimate electronic communication, such as email or a webpage, in an attempt to dupe a user into submitting personal information, such as a Social Security number (SSN), account login information, or financial information. To mitigate the effects of a phishing attack, users should use email clients and web browsers that provide phishing filters. In addition, users should also be wary of any unsolicited email or web content that requests personal information. The CASE on a Cisco ESA appliance is capable of detecting phishing scams.
The Cisco ESA CASE does not protect against Distributed Denial of Service (DDoS) attacks. A DDoS attack is a coordinated Denial of Service (DoS) attack that uses multiple attackers to target a single host. For example, a large number of zombie hosts in a botnet could flood a target device with packets.
The Cisco ESA CASE does not protect against Media Access Control (MAC) spoofing attacks. A MAC spoofing attack uses the MAC address of another host on the network in order to bypass port security measures.
The Cisco ESA CASE does not protect against Domain Name System (DNS) poisoning attacks. DNS poisoning is an attack that modifies the DNS cache by providing invalid information. In a DNS poisoning attack, a malicious user attempts to exploit a DNS server by replacing the IP addresses of legitimate hosts with the IP address of one or more malicious hosts.
Reference:
Cisco: Cisco Email Security Appliance Data Sheet
Spamhaus: Frequently Asked Questions (FAQ): Snowshoe Spamming

QUESTION 29
You are configuring dynamic PAT on a Cisco ASA 5500 using the CLI. The ASA is running software version 8.3.
Which of the following IP addresses must be configured within a network object or object group? (Select the best answer.)

A. inside global

B. outside global

C. inside local

D. outside local

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available options, an inside local address must be configured within a network object or object group if you are configuring dynamic Port Address Translation (PAT) on a Cisco Adaptive Security Appliance (ASA) 5500 using the command-line interface (CLI) if the ASA is running software version 8.3. A local address is a source or destination IP address as seen from the perspective of a host on the inside network.
On a Cisco ASA, a network object is a data structure that is used in place of inline IP information. You might use a network object in place of configuring IP addresses, subnet masks, protocols, and port numbers if you must configure that same information in multiple places. If the information you configure within the object ever changes, you then need only modify the single object instead of locating and modifying each instance of the inline IP information.
An object group is simply a group of network objects. By grouping network objects, you can enable the use of a single application control engine (ACE) to make requests of multiple devices.
An inside local address is an IP address that represents an internal host to the inside network. Inside local addresses are typically private IP addresses defined by Request for Comments (RFC) 1918. When a NAT router receives a packet from a local host destined for the Internet, the router changes the inside local address to an inside global address and forwards the packet to its destination.
You can configure an inside global address inline or as part of a network object or object group on an ASA running software version 8.3. An inside global address is an IP address that represents an internal host to the outside network. Inside global addresses are typically public IP addresses assigned by the administrator of the outside network.
You would not configure an outside global address in this scenario. An outside global address is an IP address that represents an external host to the outside network. Outside global addresses are typically public IP addresses assigned to an Internet host by the host’s operator. The outside global address is usually the address registered with the Domain Name System (DNS) server that maps a host’s public IP address to a friendly name, such as www.example.com.
You are not likely to configure an outside local address in this scenario. An outside local address is an IP address that represents an external host to the inside network. The outside local address is often the same as the outside global address, particularly when inside hosts attempt to access resources on the Internet. However, in some configurations, it is necessary to configure a NAT translation that allows a local address on the internal network to identify an outside host.
Reference:
Cisco: Cisco ASA 5500 Series Configuration Guide Using the CLI, 8.3: Configuring Dynamic PAT (Hide)
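The address roles described above, carried into an added ASA 8.3+ configuration example that also serves the object NAT discussion in QUESTION 19 (this is added here; it is not the source's or Cisco's own text). The INSIDE/OUTSIDE interface names and 192.168.13.0/24 follow that earlier scenario; 192.168.14.0/24, 203.0.113.10 and the object names are assumed.

```cisco
! Added example: dynamic PAT on an ASA running 8.3 or later.
! Interface names and all addresses are assumed.
!
! The inside local addresses, the ones the rule matches on, are what
! must be defined in a network object; the nat statement is attached
! to that same object. The real interface is INSIDE, not "any", so
! traffic from any other interface is left untranslated.
object network INSIDE-LOCAL
 subnet 192.168.13.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface
!
! The inside global address does not need an object: it can be the
! OUTSIDE interface address (above), a single host given inline ...
object network INSIDE-LOCAL-ALT
 subnet 192.168.14.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic 203.0.113.10
!
! ... or a network object that holds that single host address. A host
! object as the mapped address means PAT; a subnet or range object
! would mean dynamic NAT instead.
object network PAT-GLOBAL
 host 203.0.113.11
object network INSIDE-LOCAL-ALT2
 subnet 192.168.15.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic PAT-GLOBAL
!
! Verification: each object yields one rule, with translate_hits
! counting matched flows; xlate entries show inside local ->
! inside global:port.
! show nat detail
! show xlate
```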

QUESTION 30
Which of the following phishing techniques is most likely to occur as a result of DNS poisoning? (Select the best answer.)

A. vishing

B. pharming

C. whaling

D. dumpster diving

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Pharming is the phishing technique that is most likely to occur as a result of Domain Name System (DNS) poisoning. Phishing is a social engineering technique in which a malicious person uses a seemingly legitimate electronic communication, such as email or a webpage, in an attempt to dupe a user into submitting personal information, such as a Social Security number (SSN), account login information, or financial information. Pharming is used to retrieve sensitive information by directing users to fake websites. Malicious users can direct users to fake websites through DNS poisoning or hosts file manipulation. Both DNS and the local hosts file are used to map the host names in Uniform Resource Locators (URLs) to IP addresses. When a user specifies a URL, either a DNS server or the local hosts file resolves its host name to an IP address so that requests can be forwarded to the correct location. Both a DNS server and a hosts file can be altered so that users are directed to websites that appear authentic but are instead used for malicious information gathering. These phony websites often ask users for passwords or other sensitive information. A pharming attack is not effective unless a user voluntarily provides information to the website. Because the user typed the correct URL, the usual advice to check the address bar does not help against pharming; a browser certificate warning, or the absence of the expected HTTPS padlock on a site that normally has one, is often the only visible sign.

Whaling is a type of spear phishing attack used to retrieve sensitive information from high-ranking executives of a corporation. Spear phishing is a form of phishing that targets specific individuals. Spear phishing is considered whaling when it specifically targets high-ranking executives of a corporation, such as chief executive officers (CEOs) or chief financial officers (CFOs). To mitigate the effects of a phishing attack, users should use email clients and web browsers that provide phishing filters. In addition, users should also be wary of any unsolicited email or web content that requests personal information.

Like whaling and pharming, vishing is another form of phishing that is used to obtain sensitive information. Vishing accomplishes its goal through the use of voice communication networks. Perpetrators of vishing attacks use a variety of methods to retrieve information. For example, an attacker might spoof the phone numbers of legitimate businesses in order to deceive a victim. An attacker might also use a misleading voice or email message that instructs the potential victim to contact a phony call center that is masked as a legitimate business. After telephone communications are established, the perpetrators will attempt to coax sensitive information from users, such as credit card or bank account numbers.

Dumpster diving is an attack in which malicious users obtain information that has been thrown in the trash. Dumpster divers seek to recover discarded documents that might contain sensitive information such as account login credentials, passwords, or bank account numbers. To prevent unauthorized users from obtaining information from discarded documents, individuals and companies should shred documents containing confidential data before disposing of such documents.

Reference:
Cisco: Protect Against Social Engineering: Security Awareness Is a Vital Defense

QUESTION 31
The Serial 0/0 interfaces on Router1 and Router2 are directly connected on the 192.168.51.48/30 network. You issue the following commands on Router1:

interface serial 0/0
 ip ospf message-digest-key 1 md5 b0s0n
router ospf 1
 router-id 1.1.1.1
 network 10.10.10.0 0.0.0.255 area 1
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication

You issue the following commands on Router2:

interface serial 0/0
 ip ospf authentication-key b0s0n
router ospf 2
 router-id 2.2.2.2
 network 10.10.20.0 0.0.0.255 area 2
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication

Router1 and Router2 do not form an OSPF adjacency.

Which of the following is most likely the problem? (Select the best answer.)

A. an OSPF area mismatch

B. an OSPF authentication mismatch

C. an OSPF process ID mismatch

D. an OSPF router ID mismatch

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, a mismatched authentication type is most likely to be the cause of the problem in this scenario. A mismatched authentication key or a mismatched authentication type could cause two Open Shortest Path First (OSPF) routers to not form an adjacency. In this scenario, the Serial 0/0 interface on Router1 is configured with a Message Digest 5 (MD5) authentication key of b0s0n. The Serial 0/0 interface on Router2, on the other hand, is configured with a plain-text authentication key of b0s0n. If the same authentication type were configured on both Serial 0/0 interfaces, OSPF authentication would succeed and an adjacency would be formed. Note that the area 0 authentication command enables simple-password (type 1) authentication for the area; MD5 (type 2) authentication for the area is enabled with the area 0 authentication message-digest command, or on a single interface with the ip ospf authentication message-digest command. As typed, Router1 therefore sends type 1 authentication with no plain-text key while Router2 uses the plain-text key b0s0n, so the routers still disagree on authentication. The debug ip ospf adj command confirms the cause by reporting a mismatched authentication type or key for the Hello packets received on the interface.

A mismatched process ID will not prevent an OSPF router from establishing an adjacency with a neighbor. An OSPF process ID is used to identify the OSPF process only to the local router. In this scenario, the router ospf 1 command has been issued on Router1, which configures Router1 with an OSPF process ID of 1. The router ospf 2 command has been issued on Router2, which configures Router2 with an OSPF process ID of 2.

An OSPF area mismatch is not the reason that Router1 and Router2 do not form an adjacency in this scenario. In order to establish an adjacency, OSPF routers must be configured with the same area ID, Hello timer value, Dead timer value, and authentication type and key. In this scenario, the Serial 0/0 interface on Router1 has been configured to operate in area 0, which is also known as the backbone area. Similarly, the Serial 0/0 interface on Router2 has been configured to operate in area 0.

OSPF router IDs should never match between routers. A router ID is a unique 32-bit identifier that resembles an IP address. A duplicate router ID could cause routers to not form an adjacency. If you do not manually configure a router ID on an OSPF router, then the router ID is the highest IP address configured among loopback interfaces on the router, even if a physical interface is configured with a higher IP address; if no loopback interface exists, the highest IP address on an active physical interface is used. Cisco recommends using a loopback interface instead of a physical interface for the router ID; a loopback interface is never in the down state, so OSPF is considered more stable when the router ID is taken from a loopback interface. In this scenario, the router IDs on Router1 and Router2 have been manually configured by using the router-id ip-address command.

Reference:
Cisco: Sample Configuration for Authentication in OSPF: Configurations for Plain Text Authentication
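
The check below is an added example and is not part of the exam explanation or of any Cisco tool. It parses the two routers' OSPF configurations from the question (reconstructed as constructed text with the IOS hyphens restored), works out the effective authentication type and key on the shared interface the way IOS does (an interface-level ip ospf authentication command overrides the area setting, and a key of the wrong kind for the enabled type counts as no key), and reports why the adjacency fails. It goes slightly beyond the question by also flagging a duplicate router ID and by showing the MD5 variant of Router1's area command. The function and variable names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed from the commands in the question (IOS hyphens restored).
ROUTER1_CONFIG = """\
interface serial 0/0
 ip ospf message-digest-key 1 md5 b0s0n
router ospf 1
 router-id 1.1.1.1
 network 10.10.10.0 0.0.0.255 area 1
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication
"""

ROUTER2_CONFIG = """\
interface serial 0/0
 ip ospf authentication-key b0s0n
router ospf 2
 router-id 2.2.2.2
 network 10.10.20.0 0.0.0.255 area 2
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication
"""

# What Router1 would need for MD5 to actually be enabled on area 0.
ROUTER1_MD5_CONFIG = ROUTER1_CONFIG.replace(
    "area 0 authentication", "area 0 authentication message-digest")


@dataclass
class OspfAuthConfig:
    router_id: str = ""
    area_auth: dict = field(default_factory=dict)   # area -> "null" | "simple" | "md5"
    iface_auth: dict = field(default_factory=dict)  # interface -> explicit type
    iface_keys: dict = field(default_factory=dict)  # interface -> (key type, key)


def parse_ospf_auth(config: str) -> OspfAuthConfig:
    """Extract the authentication-relevant lines from an IOS configuration."""
    cfg = OspfAuthConfig()
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif m := re.match(r"ip ospf message-digest-key \d+ md5 (\S+)$", line):
            cfg.iface_keys[iface] = ("md5", m.group(1))
        elif m := re.match(r"ip ospf authentication-key (\S+)$", line):
            cfg.iface_keys[iface] = ("simple", m.group(1))
        elif m := re.match(r"ip ospf authentication( message-digest| null)?$", line):
            cfg.iface_auth[iface] = {None: "simple", " message-digest": "md5",
                                     " null": "null"}[m.group(1)]
        elif m := re.match(r"router-id (\S+)$", line):
            cfg.router_id = m.group(1)
        elif m := re.match(r"area (\S+) authentication( message-digest)?$", line):
            cfg.area_auth[m.group(1)] = "md5" if m.group(2) else "simple"
    return cfg


def effective_auth(cfg: OspfAuthConfig, iface: str, area: str):
    """Authentication type and key IOS will put in Hellos sent on iface.

    The interface-level setting wins over the area setting; with neither, the
    type is null. A key of the wrong kind for the enabled type is ignored, so
    IOS sends an empty key."""
    auth_type = cfg.iface_auth.get(iface) or cfg.area_auth.get(area, "null")
    if auth_type == "null":
        return "null", None
    key_type, key = cfg.iface_keys.get(iface, (None, None))
    return auth_type, key if key_type == auth_type else ""


def adjacency_problems(config_a: str, config_b: str,
                       iface: str = "serial 0/0", area: str = "0") -> list:
    """Reasons the two routers will not form an adjacency on the shared link."""
    a, b = parse_ospf_auth(config_a), parse_ospf_auth(config_b)
    problems = []
    if a.router_id and a.router_id == b.router_id:
        problems.append(f"duplicate router ID {a.router_id}")
    type_a, key_a = effective_auth(a, iface, area)
    type_b, key_b = effective_auth(b, iface, area)
    if type_a != type_b:
        problems.append(f"authentication type mismatch: {type_a} vs {type_b}")
    elif key_a != key_b:
        problems.append("authentication key mismatch")
    return problems


if __name__ == "__main__":
    print(adjacency_problems(ROUTER1_CONFIG, ROUTER2_CONFIG))
    print(adjacency_problems(ROUTER1_MD5_CONFIG, ROUTER2_CONFIG))
```

Run as-is, the checker reports a key mismatch for the commands exactly as typed (Router1 has no plain-text key for the simple-password authentication its area command enables) and a type mismatch once Router1's area uses message-digest; both are the authentication mismatch the question asks about.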

QUESTION 32
In which of the following authentication protocols is support for TLS 1.2 specifically required? (Select the best answer.)

A. EAP-FASTv1

B. EAP-FASTv2

C. EAP-MD5

D. EAP-TLS

E. EAP-PEAP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, only Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling Version 2 (EAP-FASTv2) specifically requires support for Transport Layer Security (TLS) 1.2. EAP-FAST is an authentication protocol that can be used for point-to-point connections and for both wired and wireless links. EAP-FAST Version 1 (EAP-FASTv1) supported TLS 1.0 and higher. EAP-FASTv2, however, made support for TLS 1.2 mandatory, which gives EAP-FASTv2 access to stronger cipher suites and hash functions than EAP-FASTv1.

EAP-Transport Layer Security (EAP-TLS) does not specifically require support for TLS 1.2, although EAP-TLS is designed to support TLS 1.0 and higher. EAP-TLS is an Internet Engineering Task Force (IETF) standard that is defined in Request for Comments (RFC) 5216.

Protected EAP (PEAP) does not specifically require support for TLS 1.2. PEAP is an open standard developed by Cisco, Microsoft, and RSA. PEAP and other later variants of EAP, such as EAP-TLS and EAP-Tunneled TLS (EAP-TTLS), are replacing Lightweight EAP (LEAP). PEAP supports TLS 1.0 and higher.

EAP Message Digest 5 (EAP-MD5) does not specifically require support for TLS 1.2; it does not use TLS at all. EAP-MD5 uses an MD5 challenge-response to authenticate the client only, provides no server authentication and no protected tunnel, and is therefore considered weak when compared to later methods. EAP itself is an IETF standard that was originally defined in RFC 2284 (since obsoleted by RFC 3748).

Reference:
IETF: Flexible Authentication via Secure Tunneling Extensible Authentication Protocol (EAP-FAST) Version 2: 1.2. Major Differences from Version 1

QUESTION 33
Router2 is configured to obtain time from three different NTP servers. You want to determine from which of the three servers Router2 is currently synchronizing time.

Which of the following commands would not achieve your goal? (Select the best answer.)

A. show clock detail

B. show ntp associations

C. show ntp associations detail

D. show ntp status

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, only the show clock detail command would not enable you to determine from which of the three Network Time Protocol (NTP) servers Router2 is synchronizing time. The show clock detail command displays the date and time as configured on the device and general information about the source of that time. However, this command does not reveal the IP address or NTP peer status of an NTP source. The following is sample output from the show clock detail command:

Router2#show clock detail
09:12:20.299 UTC Sat Jul 4 2015
Time source is NTP

The show ntp associations command and the show ntp associations detail command would both enable you to determine from which of the three NTP servers Router2 is synchronizing time. The show ntp associations command displays both the address of each NTP server from which the client obtains its time and the address of the reference clock to which that server is synchronized. When issued with the detail keyword, you can additionally determine the IP address of the NTP peer from which time was synchronized, the NTP source authentication status, the NTP hierarchical status of the server from which time was obtained, whether the NTP peer passes basic sanity checks, whether NTP believes the time is valid, and the stratum of the NTP peer.

[Sample output of show ntp associations and show ntp associations detail not reproduced on this page.]

The presence of our_master in the output of the show ntp associations detail command indicates the status of the device at the NTP peer IP address of 203.0.113.1. Similarly, the asterisk (*) in the output of the show ntp associations command indicates that Router2's NTP master is the device with the IP address of 203.0.113.1.

The show ntp status command would also enable you to determine from which of the three NTP servers Router2 is synchronizing time. The show ntp status command displays no information when NTP is not running on a device. When NTP is running, the show ntp status command provides information about whether the local clock is synchronized, the local clock's stratum level, and the IP address of the NTP peer that the local device is using as a reference clock.

[Sample output of show ntp status not reproduced on this page.]

Reference:
Cisco: Cisco IOS Basic System Management Command Reference: show clock
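
The parser below is an added example, not part of the exam page or of any Cisco tool. It reads the output of show ntp associations (a constructed sample with the legend as printed by classic IOS, since the page's own output is not reproduced), returns the peer marked with the asterisk as the synchronization source, and also lists configured servers that are unreachable or unsynchronized, which is what you check next when no asterisk appears. The reach column is interpreted as the octal shift register it is. All names are this example's own.

```python
import re

# Constructed sample of `show ntp associations` from Router2; the three
# servers are the question's, the values are made up for the example.
SHOW_NTP_ASSOCIATIONS = """\
      address         ref clock       st   when   poll reach  delay  offset    disp
*~203.0.113.1       .GPS.            1     25     64   377    1.23    0.45     0.9
+~203.0.113.2       203.0.113.1      2     40     64   377    2.31    1.02     1.3
 ~203.0.113.3       .INIT.          16      -     64     0    0.00    0.00  15937.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# Leading status flag as printed by IOS (see the legend in the output).
STATUS_FLAGS = {"*": "master (synced)", "#": "master (unsynced)",
                "+": "selected", "-": "candidate", " ": "none"}

PEER_LINE = re.compile(
    r"^([*#+\- ])([~ ])(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+([0-7]+)")


def parse_ntp_associations(output: str) -> list:
    """Turn each peer row into a dict; the header and legend rows do not match."""
    peers = []
    for line in output.splitlines():
        m = PEER_LINE.match(line)
        if not m:
            continue
        flag, configured, addr, refclock, stratum, _when, _poll, reach = m.groups()
        reach_bits = int(reach, 8)          # reach is an octal shift register
        peers.append({
            "address": addr,
            "refclock": refclock,
            "stratum": int(stratum),
            "configured": configured == "~",
            "status": STATUS_FLAGS[flag],
            "reach": reach_bits,
            # how many of the last eight polls were answered
            "reach_count": bin(reach_bits).count("1"),
        })
    return peers


def sync_source(output: str):
    """Address of the peer Router2 is actually synchronized to (the '*' row)."""
    for peer in parse_ntp_associations(output):
        if peer["status"] == "master (synced)":
            return peer["address"]
    return None


def unhealthy_peers(output: str) -> list:
    """Configured servers that are unreachable or report stratum 16 (unsynced)."""
    return [p["address"] for p in parse_ntp_associations(output)
            if p["reach"] == 0 or p["stratum"] == 16]


if __name__ == "__main__":
    print("synchronized to:", sync_source(SHOW_NTP_ASSOCIATIONS))
    print("unhealthy:", unhealthy_peers(SHOW_NTP_ASSOCIATIONS))
```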

QUESTION 34
Which of the following indicates that aggressive mode ISAKMP peers have created SAs? (Select the best answer.)

A. AG_NO_STATE

B. MM_NO_STATE

C. AG_AUTH

D. MM_KEY_AUTH

E. QM_IDLE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, the AG_NO_STATE state indicates that aggressive mode Internet Security Association and Key Management Protocol (ISAKMP) peers have created security associations (SAs). The show crypto isakmp sa command displays the status of current Internet Key Exchange (IKE) SAs on the router. The following states are used during aggressive mode:
- AG_NO_STATE - The peers have created the SA, but nothing else has happened yet.
- AG_INIT_EXCH - The peers have negotiated SA parameters and exchanged keys, but the SA has not yet been authenticated.
- AG_AUTH - The peers have authenticated the SA; IKE phase 1 is complete.

The MM_NO_STATE state is the first state to occur when setting up IKE SAs in main mode. MM_NO_STATE indicates that the ISAKMP peers have created their SAs. However, an exchange that does not move past this stage indicates that main mode has failed; an SA that remains in MM_NO_STATE, or that is displayed as MM_NO_STATE with a status of ACTIVE (deleted), typically points to a peer that is unreachable, that has no matching IKE policy, or that is behind a device blocking UDP port 500. The following states are used during main mode:
- MM_NO_STATE - The peers have created the SA, but nothing else has happened yet.
- MM_SA_SETUP - The peers have negotiated SA parameters.
- MM_KEY_EXCH - The peers have exchanged Diffie-Hellman (DH) keys and have generated a shared secret, but the SA has not yet been authenticated.
- MM_KEY_AUTH - The peers have authenticated the SA; IKE phase 1 is complete.

Quick mode is used during IKE phase 2. The only state in quick mode is QM_IDLE, which indicates that IKE phase 1 has completed successfully and that there is an active IKE SA between the peers; the SA is idle and can be used to negotiate IPsec SAs. QM_IDLE is reached by both main mode and aggressive mode peers, so it does not by itself tell you which phase 1 mode was used.

Reference:
Cisco: Most Common DMVPN Troubleshooting Solutions
Cisco: Cisco IOS Security Command Reference: show crypto isakmp sa
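
The classifier below is an added example, not part of the exam page or of any Cisco tool. It parses a constructed sample of show crypto isakmp sa output, maps each state listed above to its phase 1 mode and to whether phase 1 has completed, lists the peers whose negotiation stalled (including the ACTIVE (deleted) case), and separately lists peers that negotiated in aggressive mode, which is worth knowing because aggressive mode exposes the identity payload and, with pre-shared keys, a hash that can be attacked offline. Addresses come from documentation ranges; all names are this example's own.

```python
import re

# Constructed sample of `show crypto isakmp sa`; not real device output.
SHOW_CRYPTO_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE
198.51.100.7    203.0.113.1     MM_NO_STATE       1002 ACTIVE (deleted)
192.0.2.9       203.0.113.1     AG_INIT_EXCH      1003 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# state -> (phase 1 mode, phase 1 complete?, meaning)
ISAKMP_STATES = {
    "MM_NO_STATE":  ("main", False, "SA created, nothing else has happened yet"),
    "MM_SA_SETUP":  ("main", False, "SA parameters agreed"),
    "MM_KEY_EXCH":  ("main", False, "DH keys exchanged and shared secret generated, not yet authenticated"),
    "MM_KEY_AUTH":  ("main", True, "SA authenticated"),
    "AG_NO_STATE":  ("aggressive", False, "SA created, nothing else has happened yet"),
    "AG_INIT_EXCH": ("aggressive", False, "SA parameters negotiated and keys exchanged, not yet authenticated"),
    "AG_AUTH":      ("aggressive", True, "SA authenticated"),
    "QM_IDLE":      ("either", True, "phase 1 complete, SA idle and usable for phase 2"),
}

SA_LINE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+([A-Z_]+)\s+(\d+)\s+(.+?)\s*$")


def parse_isakmp_sa(output: str) -> list:
    """One dict per SA row; banner and header rows do not match the pattern."""
    sas = []
    for line in output.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue
        dst, src, state, conn_id, status = m.groups()
        mode, complete, meaning = ISAKMP_STATES.get(
            state, ("unknown", False, "unrecognised state"))
        sas.append({"dst": dst, "src": src, "state": state, "conn_id": int(conn_id),
                    "status": status, "mode": mode, "phase1_complete": complete,
                    "meaning": meaning})
    return sas


def stalled_peers(output: str) -> list:
    """Peers whose phase 1 has not completed, as (dst, state, status).

    A '(deleted)' status means the attempt was torn down; together with
    MM_NO_STATE it usually means the remote peer never answered or no IKE
    policy matched."""
    return [(sa["dst"], sa["state"], sa["status"])
            for sa in parse_isakmp_sa(output) if not sa["phase1_complete"]]


def aggressive_mode_peers(output: str) -> list:
    """Peers currently negotiating in aggressive mode."""
    return [sa["dst"] for sa in parse_isakmp_sa(output) if sa["mode"] == "aggressive"]


if __name__ == "__main__":
    for sa in parse_isakmp_sa(SHOW_CRYPTO_ISAKMP_SA):
        print(sa["dst"], sa["state"], "->", sa["meaning"])
    print("stalled:", stalled_peers(SHOW_CRYPTO_ISAKMP_SA))
```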

QUESTION 35
Which of the following is least likely to be considered an advanced persistent threat? (Select the best answer.)

A. Operation Aurora

B. Heartbleed

C. the 2011 RSA breach

D. Stuxnet

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available options, Heartbleed is least likely to be considered an advanced persistent threat. An advanced persistent threat (APT) is an intrusion in which the attacker has advanced knowledge of intrusion tools and techniques, is fully intent on using the intrusion to achieve a specific mission or goals, and has organizational backing, funding, and motivation. For example, an attacker who obtains access to an organization's network and remains there for an extended period of time to collect data that can then be used to the attacker's advantage can be considered an advanced persistent threat.

Heartbleed is a vulnerability, not an advanced persistent threat. Heartbleed (CVE-2014-0160) is the OpenSSL vulnerability that allows an attacker to read up to approximately 64 kilobytes (KB) of a server's process memory with each malformed Transport Layer Security (TLS) heartbeat request; because the request can be repeated indefinitely and leaves no trace in application logs, an attacker can harvest memory continuously. The bug, disclosed in April 2014, was a missing bounds check on the heartbeat payload length that was present in OpenSSL from version 1.0.1 through version 1.0.1f. OpenSSL 1.0.1g was the first version to fix the bug. By exploiting this vulnerability, an attacker can obtain a server's private key, session cookies, and user credentials, which could in turn allow the attacker to decrypt captured communications with the server or perform man-in-the-middle attacks against the server. Upgrading OpenSSL is therefore only the first step in remediation: because the private key may already have been read, the server certificate should be revoked and reissued with a newly generated key, and passwords and sessions that passed through the server should be treated as compromised. Although Heartbleed could be used as a component of an attack in an advanced persistent threat, it is not itself an advanced persistent threat.

Operation Aurora could be considered an advanced persistent threat. Operation Aurora was a months-long attack in 2009 that was carried out against multiple companies, including Google and Adobe; it began with a targeted email spear phishing attack. The email delivered malware that was capable of exploiting an Internet Explorer vulnerability to obtain access to the contents of partially freed memory. After compromising company workstations, the attackers used those workstations to obtain access to other company resources and information, which eventually resulted in the loss of intellectual property. The attack was eventually traced to two Chinese education facilities that were thought to have ties to a Google competitor in China.

The 2011 RSA breach could be considered an advanced persistent threat. The RSA breach was an attack against RSA's SecurID two-factor authentication system. Similar to Operation Aurora, the 2011 RSA breach began with a targeted phishing email that contained a Microsoft Excel attachment. The Excel attachment contained a zero-day exploit that was able to install a back door on a user's workstation. From there, the attacker compromised other workstations in what appeared to be an effort to retrieve information related to SecurID, such as source code or customer information.

Stuxnet is more likely than Heartbleed to be considered an advanced persistent threat. Stuxnet was used in an act of cyber warfare against Iranian industrial control systems (ICSs). It was written to target specific ICSs by modifying code on programmable logic controllers (PLCs). Stuxnet exploited vulnerabilities in both the Windows Print Spooler service (MS10-061) and the way that Windows processes shortcut (.lnk) files (MS10-046), in addition to other propagation methods. Research from Symantec published in 2011 indicated that at the time, over 60 percent of the Stuxnet-affected hosts had been in Iran. Symantec analyzed Stuxnet and its variants and discovered that five organizations were the primary targets of infection and that further infections were likely collateral damage from the aggressive manner in which the worm spreads throughout a network. Given the considerable cost in resources and man-hours that would have been required to craft the Stuxnet worm, it was theorized that it was likely intended to sabotage high-value targets such as nuclear materials refinement facilities.

Reference:
SANS: Assessing Outbound Traffic to Uncover Advanced Persistent Threat (PDF)
Security Tracker: Cisco Unified Communications Manager OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
National Vulnerability Database: Vulnerability Summary for CVE-2014-0160
Common Vulnerabilities and Exposures: CVE-2014-0160

QUESTION 36
Which of the following best describes the purpose of SNMP? (Select the best answer.)

A. to manage network devices

B. to send email

C. to create VPNs

D. to transfer files

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Simple Network Management Protocol (SNMP) is used to manage network devices. SNMP can be used to remotely monitor and configure a wide variety of network devices, such as routers, switches, and network printers. SNMP version 1 (SNMPv1) and SNMPv2c use community strings to provide authentication. However, neither SNMPv1 nor SNMPv2c uses encryption; all data and community strings are sent in clear text. A malicious user can sniff an SNMP community string and use it to read information from network devices and, with a read-write (RW) community, modify their configuration. SNMPv3 is an enhancement to the SNMP protocol that adds per-user authentication and message integrity (HMAC-MD5 or HMAC-SHA) and encryption (DES, 3DES, or AES) of the SNMP payload. Only the SNMPv3 authPriv security level provides confidentiality, integrity, and authentication together; the noAuthNoPriv and authNoPriv levels leave the payload readable on the wire. In addition to preferring SNMPv3 authPriv, you should restrict which hosts may poll the device with an access control list (ACL) on the community or group, and avoid well-known community strings such as public and private.

SNMP is not used to send email. Simple Mail Transfer Protocol (SMTP) is used to send email. Post Office Protocol 3 (POP3) and Internet Message Access Protocol 4 (IMAP4) are used to receive email.

SNMP is not used to create virtual private networks (VPNs). To create a VPN, you would typically use a protocol that can encrypt the data on the virtual network, such as IP Security (IPSec). A VPN is often used when it is necessary to connect two locations that are separated by a public network, such as the Internet.

SNMP is not used to transfer files. To transfer files between computers, you would use File Transfer Protocol (FTP), Trivial FTP (TFTP), Secure Copy (SCP), or SSH File Transfer Protocol (SFTP).

Reference:
Cisco: Simple Network Management Protocol: Versions of SNMP
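
The audit below is an added example, not part of the exam page or of any Cisco tool. It scans an IOS configuration fragment (constructed for the example, with one insecure and one hardened SNMP setup side by side) for the weaknesses described above: SNMPv1/v2c communities sent in clear text, well-known community names, communities and SNMPv3 groups with no access-list, SNMPv3 groups below the priv level, and SNMPv3 users with MD5 authentication or weak or missing privacy. The severities and all names are this example's own.

```python
import re

# Constructed IOS configuration fragment: an insecure v2c setup next to a
# hardened SNMPv3 authPriv setup. Not taken from any real device.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server group NMS-RO v3 priv read NMS-VIEW access 10
snmp-server group LEGACY v3 noauth
snmp-server user nms-user NMS-RO v3 auth sha Auth-Pass-1 priv aes 128 Priv-Pass-1
access-list 10 permit 10.1.1.5
"""

COMMUNITY = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$")
V3_GROUP = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(.*)$")
V3_USER = re.compile(
    r"^snmp-server user (\S+) (\S+) v3 auth (md5|sha) \S+(?: priv (des|3des|aes \d+) \S+)?")

DEFAULT_COMMUNITIES = {"public", "private"}


def audit_snmp(config: str) -> list:
    """Return (severity, message) findings for the SNMP lines in an IOS config."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if m := COMMUNITY.match(line):
            community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
            sev = "high" if mode == "RW" else "medium"
            findings.append((sev, f"SNMPv1/v2c community '{community}' ({mode}) is sent in clear text"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"community '{community}' is a well-known default"))
            if acl is None:
                findings.append(("medium", f"community '{community}' has no access-list restricting pollers"))
        elif m := V3_GROUP.match(line):
            group, level, rest = m.groups()
            if level != "priv":
                findings.append(("medium", f"SNMPv3 group '{group}' uses {level}: payload not encrypted"))
            if "access" not in rest:
                findings.append(("low", f"SNMPv3 group '{group}' has no access-list"))
        elif m := V3_USER.match(line):
            user, _group, auth, priv = m.groups()
            if auth == "md5":
                findings.append(("low", f"SNMPv3 user '{user}' authenticates with MD5"))
            if priv is None or priv.startswith("des"):
                findings.append(("medium", f"SNMPv3 user '{user}' has weak or no privacy ({priv or 'none'})"))
    return findings


def worst_severity(findings: list) -> str:
    """Highest severity present, or 'none' when the config is clean."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for severity, message in audit_snmp(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

The hardened lines (group NMS-RO with priv and an access-list, user nms-user with SHA authentication and AES privacy) produce no findings; every finding comes from the v2c communities and the noauth group.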

QUESTION 37
You create a static point-to-point VTI tunnel on RouterA. Afterward, you issue the show running-config command and receive the following output:

Which of the following is the authentication transform that will be used by the static VTI tunnel? (Select the best answer.)

A. ESP with 128-bit AES

B. ESP with 256-bit AES

C. ESP with 56-bit DES

D. ESP with 168-bit 3DES

E. ESP with MD5

F. ESP with SHA

G. AH with MD5

H. AH with SHA

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The static virtual tunnel interface (VTI) tunnel will use Encapsulating Security Payload (ESP) with Secure Hash Algorithm (SHA) as the authentication transform, as indicated by the crypto ipsec transform-set command in the running configuration. The syntax of the crypto ipsec transform-set command is crypto ipsec transform-set transform-name transform1 [transform2] [transform3] [transform4]. Up to four transforms can be specified in an IP Security (IPSec) transform set, at most one from each category: one ESP authentication transform, one Authentication Header (AH) transform, one ESP encryption transform, and one IP compression transform.

ESP can use the Message Digest 5 (MD5) and SHA algorithms for authentication. The following keywords can be used to specify the ESP authentication transform:
- esp-md5-hmac - uses ESP with MD5 (HMAC-MD5-96)
- esp-sha-hmac - uses ESP with SHA-1 (HMAC-SHA-1-96)
Newer IOS releases also accept esp-sha256-hmac, esp-sha384-hmac, and esp-sha512-hmac; where the platform and the peer support them, prefer a SHA-2 variant over MD5 or SHA-1.

AH can also use the MD5 and SHA algorithms for authentication. The following keywords can be used to specify the AH transform:
- ah-md5-hmac - uses AH with MD5
- ah-sha-hmac - uses AH with SHA

ESP can use the following encryption methods:
- 128-bit, 192-bit, and 256-bit Advanced Encryption Standard (AES)
- 56-bit Data Encryption Standard (DES)
- 168-bit Triple DES (3DES)
- 160-bit Software-optimized Encryption ALgorithm (SEAL)
- null encryption

The following keywords can be used to specify the ESP encryption transform:
- esp-aes - uses 128-bit AES
- esp-aes 192 - uses 192-bit AES
- esp-aes 256 - uses 256-bit AES
- esp-des
- esp-3des
- esp-seal
- esp-null
DES, 3DES, and esp-null should not be used for new deployments; esp-null provides authentication only and leaves the payload readable.

The Lempel-Ziv-Stac (LZS) algorithm is the only IP compression method that can be used in an IPSec transform set. To configure a transform set to use LZS IP compression, you should use the comp-lzs keyword.

Reference:
Cisco: Cisco IOS Security Command Reference: crypto ipsec transform-set
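
The parser below is an added example, not part of the exam page or of any Cisco tool. It takes a crypto ipsec transform-set command line, assigns each keyword to one of the four categories described above, enforces the one-per-category rule the way IOS does (rejecting a second ESP authentication transform, for instance), reports the authentication transform in the wording of the answer choices, and flags legacy choices a reviewer would question. The constructed command for the VTI set, the SHA-2 keywords listed for newer IOS releases, and all function names are this example's own.

```python
# Keyword -> category. The SHA-2 ESP keywords exist on newer IOS releases.
TRANSFORMS = {
    "esp-md5-hmac": "esp_auth", "esp-sha-hmac": "esp_auth",
    "esp-sha256-hmac": "esp_auth", "esp-sha384-hmac": "esp_auth", "esp-sha512-hmac": "esp_auth",
    "ah-md5-hmac": "ah", "ah-sha-hmac": "ah",
    "esp-aes": "esp_encryption", "esp-des": "esp_encryption", "esp-3des": "esp_encryption",
    "esp-seal": "esp_encryption", "esp-null": "esp_encryption",
    "comp-lzs": "compression",
}

# Choices a reviewer should flag, with the reason.
WEAK = {
    "esp-des": "56-bit DES", "esp-3des": "168-bit 3DES (Sweet32, 64-bit block)",
    "esp-null": "no encryption", "esp-md5-hmac": "HMAC-MD5",
    "ah-md5-hmac": "HMAC-MD5", "esp-sha-hmac": "HMAC-SHA-1", "ah-sha-hmac": "HMAC-SHA-1",
}

# Constructed: the transform set assumed for the VTI in the question.
VTI_TRANSFORM_SET = "crypto ipsec transform-set VTI-SET esp-aes 256 esp-sha-hmac"


def parse_transform_set(command: str) -> dict:
    """Parse `crypto ipsec transform-set NAME t1 [t2] [t3] [t4]`.

    Returns {'name': ...} plus one entry per category present
    ('esp_auth', 'ah', 'esp_encryption', 'compression'). Raises ValueError on
    an unknown keyword or a second transform in the same category, which is
    what IOS rejects too."""
    tokens = command.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"] or len(tokens) < 5:
        raise ValueError("not a crypto ipsec transform-set command")
    result = {"name": tokens[3]}
    i = 4
    while i < len(tokens):
        keyword = tokens[i]
        if keyword not in TRANSFORMS:
            raise ValueError(f"unknown transform {keyword}")
        # esp-aes takes an optional key size (192 or 256); 128 is the default.
        if keyword == "esp-aes" and i + 1 < len(tokens) and tokens[i + 1] in ("192", "256"):
            keyword = f"esp-aes {tokens[i + 1]}"
            i += 1
        category = TRANSFORMS[keyword.split()[0]]
        if category in result:
            raise ValueError(
                f"only one {category} transform allowed, got {keyword} after {result[category]}")
        result[category] = keyword
        i += 1
    return result


def authentication_transform(command: str) -> str:
    """The authentication transform(s) in the wording of the answer choices."""
    ts = parse_transform_set(command)
    names = {"esp-md5-hmac": "ESP with MD5", "esp-sha-hmac": "ESP with SHA",
             "ah-md5-hmac": "AH with MD5", "ah-sha-hmac": "AH with SHA"}
    parts = [names.get(ts[c], ts[c]) for c in ("esp_auth", "ah") if c in ts]
    return " + ".join(parts) if parts else "none"


def weak_choices(command: str) -> list:
    """Legacy transforms in the set, with the reason each is flagged."""
    ts = parse_transform_set(command)
    return [f"{v}: {WEAK[v.split()[0]]}" for k, v in ts.items()
            if k != "name" and v.split()[0] in WEAK]


if __name__ == "__main__":
    print(parse_transform_set(VTI_TRANSFORM_SET))
    print(authentication_transform(VTI_TRANSFORM_SET))
    print(weak_choices(VTI_TRANSFORM_SET))
```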

QUESTION 38
To ease administrative overhead, you want to add a third-party feed to a Security Intelligence device so that the IP addresses of known malicious hosts are automatically blacklisted. However, you have not determined whether the feed is valid.

Which of the following are you most likely to do? (Select the best answer.)

A. Implement the feed, and add IP addresses to a custom whitelist as necessary.

B. Enforce Security Intelligence filtering by Security Zone.

C. Configure the monitor-only setting, and examine the logs.

D. Configure a custom blacklist that contains only malicious IP addresses.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Most likely, you will configure the monitor-only setting and examine the logs if you want to add a third-party feed to a Security Intelligence device but you have not determined whether the feed is valid. Security Intelligence devices, such as a Cisco Sourcefire (now FirePOWER) Intrusion Prevention System (IPS), are capable of accepting manually imported lists of network addresses or feeds from third parties. Such devices can block IP addresses or networks based on their reputation, which avoids the device overhead of having to analyze traffic from those networks.

The monitor-only setting allows traffic from networks that are listed within a given feed to pass through to the Security Intelligence device's normal analysis but also logs the fact that the given network matches the third-party feed. This enables an administrator to review the logs and the analysis of traffic from networks on the feed to determine the validity of the feed before any blocking takes place.

Although you could implement the feed and add IP addresses to a custom whitelist as necessary, doing so might increase administrative overhead if the feed turns out to be invalid, and every false positive would cause an outage until it is whitelisted. On Security Intelligence devices, whitelists can be used to override blacklisted IP addresses. Whitelists can thus be used to enable communication with legitimate IP addresses that are listed on third-party feeds or other blacklists that might be too broadly defined. From an administrative overhead standpoint, you are more likely to validate the feed, then implement the feed, and finally add IP addresses or networks to the whitelist as necessary.

You are less likely to enforce Security Intelligence filtering by Security Zone than to configure the monitor-only setting in this scenario, because doing so would neither validate nor invalidate the IP addresses that are contained on the third-party feed. Enforcing blacklisting by Security Zone can be used to enhance the performance of a Security Intelligence device by limiting the blacklisting to the specific Security Zones that process the given traffic. For example, the blacklisting of IP addresses that send email traffic could be restricted to a Security Zone that handles only email traffic.

You are not likely to configure a custom blacklist that contains only malicious IP addresses, because doing so defeats the purpose of easing administrative overhead in this scenario. Security Intelligence devices allow the creation of custom blacklists so that you can manually block specific IP addresses or networks. However, compiling and validating such a list would require more administrative overhead in this scenario than simply validating a third-party feed prior to implementing it.

Reference:
Cisco: Blacklisting Using Security Intelligence IP Address Reputation: Choosing a Security Intelligence Strategy

QUESTION 39
Which of the following is primarily true of SEM systems? (Select the best answer.)

A. They perform real-time analysis and detection.

B. They focus on policy and standards compliance.

C. They consolidate logs to a central server.

D. They analyze log data and report findings.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Security Event Management (SEM) systems perform real-time analysis and detection. SEM systems typically analyze log data from a number of sources as it arrives, correlate events across those sources, and raise alerts. Some systems also incorporate incident handling tools that enable administrators to more effectively mitigate threats when they occur.

Security Information Management (SIM) systems, on the other hand, are focused more on the collection, retention, and analysis of logs in a non-real-time fashion. For example, a SIM system might centralize logging on a single device for review, long-term storage, compliance reporting, and forensic analysis. Some SIM systems also provide assessment tools that can flag potentially threatening events.

A Security Information and Event Management (SIEM) system combines both the real-time aspects of a SEM system and the in-depth analysis and timeline generation of a SIM system. Therefore, a SIEM system is a hybrid of a SIM system and a SEM system.

Reference:
SANS: IDFAQ: What is The Role of a SIEM in Detecting Events of Interest?
Search Security: Tech Target: security information and event management (SIEM)

QUESTION 40
You want to configure Cisco ISE as a SCEP proxy to a Microsoft Windows Server 2008 R2 root CA. Which of the following also needs to be configured? (Select the best answer.)

A. AD on the CA

B. a root CA on the Cisco ISE

C. a manually installed certificate on the connecting BYOD device

D. NDES on a CA or domain member server

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Microsoft Network Device Enrollment Service (NDES) on a certificate authority (CA) or domain member server also needs to be configured if you want to configure Cisco Identity Services Engine (ISE) as a Simple Certificate Enrollment Protocol (SCEP) proxy to a Microsoft Windows Server 2008 R2 root CA. NDES is Microsoft's SCEP implementation; it accepts SCEP enrollment requests and passes them to the CA, so until it is installed there is no SCEP endpoint for ISE to proxy to. Implementing ISE as a SCEP proxy enables bring your own device (BYOD) users to register their devices on their own, without administrative overhead from the IT department.

You are not required to configure a root CA on the Cisco ISE. Configuring ISE as a SCEP proxy means that ISE communicates with the CA on behalf of its client devices. However, ISE does need to be configured with a SCEP CA profile that points at the NDES enrollment URL. When configured with a SCEP CA profile, ISE will hold the NDES registration authority (RA) certificate in its Certificate Store. RAs verify requests for certificates and enable the CA to issue them.

You are not required to configure Active Directory (AD) on the CA. AD is typically configured on domain controllers, although member servers and workstations can join the AD domain.

You are not required to manually install a certificate on the connecting BYOD device. Manually installing a client certificate on the BYOD device would defeat the purpose of configuring ISE as a SCEP proxy, because administrative intervention would be required.

Reference:
Cisco: ISE SCEP Support for BYOD Configuration Example: Background Information

QUESTION 41
You issue the following commands on a Cisco router:

tacacs-server host ts1 single-connection timeout 20
tacacs-server timeout 30

Which of the following are true about how the Cisco router communicates with the TACACS+ server? (Select 2 choices.)

A. The router will maintain an open TCP connection.

B. The router will maintain an open TCP connection for no more than 20 seconds.

C. The router will maintain an open TCP connection for no more than 30 seconds.

D. The router will wait 20 seconds for the server to reply before declaring an error.

E. The router will wait 30 seconds for the server to reply before declaring an error.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The router will maintain an open Transmission Control Protocol (TCP) connection. In addition, the router will wait 20 seconds for the server to reply before declaring an error. The tacacs-server host ts1 single-connection timeout 20 command in this scenario configures the router to connect to a Terminal Access Controller Access-Control System Plus (TACACS+) server named ts1. The single-connection keyword configures the router to maintain an open connection to the TACACS+ server. The timeout 20 keyword configures the router to wait 20 seconds for the TACACS+ server to reply before declaring an error with the connection.

The router will not wait 30 seconds for the server to reply before declaring an error. The tacacs-server host ts1 single-connection timeout 20 command in this scenario configures the router to wait only 20 seconds for the server to reply before declaring an error. If the timeout 20 keyword had not been specified in this scenario, the tacacs-server timeout 30 command would have configured the router to wait 30 seconds for the server to reply before declaring an error. A per-host timeout always overrides the global value assigned by the tacacs-server timeout command.

The router will maintain an open connection for an indeterminate amount of time, not for a 20-second or 30-second interval. When the single-connection keyword is not configured, a Cisco router will open and close a TCP connection (to port 49) to the TACACS+ server each time it needs to perform an operation. When the single-connection keyword is configured, the router connects to the TACACS+ server and maintains that connection even when it is not performing an operation. This setting enhances the efficiency of the communications between the router and the TACACS+ server because the router is not constantly closing and opening connections; the TACACS+ server must support single-connection mode for the setting to take effect. Newer IOS releases deprecate the tacacs-server host command in favor of a named server definition (tacacs server name, with address ipv4, single-connection, and timeout entered as subcommands), but the precedence of the per-server timeout over the global one is the same.

Reference:
Cisco: Configuring TACACS+: Identifying the TACACS+ Server Host

QUESTION 42
You want to implement a VPN with an always-on fail close policy for Cisco AnyConnect clients.
Which of the following does Cisco recommend that you do? (Select the best answer.)

A. Start with a fail open policy, and implement fail close in phases.

B. Start with the fail close policy, and implement fail open as necessary.

C. Implement always-on, and leave the failure policy at the default setting.

D. Implement always-on with a fail open policy, and enable the Disconnect button.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Cisco recommends that you start with a fail open policy and implement fail close in phases if you want to implement a virtual private network (VPN) with an always-on fail close policy. The always-on feature causes Cisco AnyConnect clients to establish a VPN session automatically whenever the client detects that the host is connected to an untrusted network. For example, a laptop that is used both on the corporate LAN and for remote work might be configured to connect to the corporate VPN automatically whenever it is not directly connected to the corporate LAN. However, any number of problems (an unreachable head end, a captive portal, a DNS failure) could prevent the client from actually establishing the VPN session, and the connect failure policy decides what the client does then.

There are two connect failure policies that you can configure for always-on AnyConnect clients. The fail open policy allows the client to keep using the local network for access to the Internet or local resources. However, because no VPN session has been established, the AnyConnect host is exposed to the untrusted network and its traffic is not protected.

The fail close policy, on the other hand, blocks all network access from the AnyConnect host except to local devices and to destinations that are permitted by split tunneling. This extra layer of security could prevent the user from accessing the Internet at all, which hurts productivity if the user relies on Internet access to complete work-related tasks; it also means the user cannot complete a hotel or airport captive portal login unless captive portal remediation is explicitly allowed in the client profile. Because the fail close policy is so restrictive, Cisco recommends a phased approach: implement fail open first, survey user activity for AnyConnect issues that prevent seamless connections, fix them, and only then switch to fail close.

There is no need to enable the Disconnect button, because the button is enabled by default when the always-on feature is enabled. The Disconnect button enables users to manually disconnect from a VPN session that has been automatically established by the AnyConnect client. The Disconnect button can be disabled by an administrator.

Cisco does not recommend leaving the failure policy at the default setting if you want to implement a fail close policy. The fail close policy is already the default failure policy when connect failure policies are enabled, so leaving the default in place skips the phased rollout that Cisco recommends.

Reference:
Cisco: Configuring VPN Access: Connect Failure Policy for Always-on VPN
Category: VPN

QUESTION 43
Your company is using a shopping cart web application that is known to be vulnerable to a code injection attack. Your company has no support agreement for the application, and the application is no longer updated by its author. Modifying the code would require the hiring of additional help and an extensive interview process.
Which of the following should your company do in the meantime to most quickly mitigate the threat? (Select the best answer.)

A. Use the grep command to examine web logs for evidence of an attack.

B. Shut down the site.

C. Replace the shopping cart application with a different one.

D. Implement a WAF.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Your company should implement a web application firewall (WAF) to mitigate the threat to the shopping cart web application. A WAF sits between the web application and the end user and inspects requests in order to block malicious input and exploitation of known vulnerabilities. By deploying a WAF (often called virtual patching), you can protect a vulnerable web application without modifying the application code. Keep in mind that a WAF is a compensating control, not a fix: the code injection flaw still exists, a rule set can be bypassed by an attacker who finds an encoding the rules do not cover, and new rules should be run in a detection-only mode before they are set to block so that legitimate checkout traffic is not dropped.

Although you should use the grep command to examine web application logs for evidence of an attack, doing so would not quickly mitigate the threat posed by the unpatched vulnerability. Searching for evidence of an attack takes time, and even if evidence were found in the log, discovering that evidence does not mitigate the threat.

Although you should consider replacing the shopping cart application with a different one that is supported and regularly updated, doing so would not be the quickest way to mitigate the threat. Depending on the complexity of the data and the availability of conversion tools, it could take many weeks or months to migrate a shopping cart from one web application to another.

You should not shut down the site. Shutting down the site would cause a severe business interruption because users would no longer be able to purchase products by using the shopping cart.

Reference:
OWASP: Category: OWASP Best Practices: Use of Web Application Firewalls

QUESTION 44Which of the following is a Cisco IPS appliance feature that analyzes normal network activity to detect hosts that are infected with worms? (Select the best answer.)

A. anomaly detection

B. global correlation

C. reputation filtering

D. a signature definition

E. a threat rating

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Anomaly detection is a Cisco Intrusion Prevention System (IPS) appliance feature that analyzes normal network activity to detect hosts that are infected with worms. The anomaly detection feature first learns what type of network activity is normal for the protected network (the learning period); after that baseline is established, it compares current scanning activity against it. If a network starts to become congested by traffic that is generated by a worm, or if a host that is infected with a worm connects to the network and attempts to infect other hosts, the anomaly detection feature can trigger a specific response, such as denying traffic from the infected host or alerting an administrator. Because the baseline is learned, anomaly detection should be re-tuned (or the learning period restarted) after major changes to the network; otherwise normal activity will be flagged.

Signature definitions do not analyze normal network activity to detect hosts that are infected with worms. A signature definition is a set of rules against which a Cisco IPS appliance compares network traffic to determine whether an attack is occurring. If the network activity matches a signature definition, IPS can trigger a specific response from the defined event action rule sets, such as denying traffic from a host or alerting an administrator. IPS administrators can manually configure signature definitions in Cisco IPS Device Manager (IDM) or use the Signature Wizard to create custom signature definitions.

Global correlation does not analyze normal network activity to detect hosts that are infected with worms. Global correlation enables IPS sensors to allow or deny traffic based on the reputation of the sending device. When you enable global correlation, IPS devices periodically receive updates about known malicious devices on the Internet from the Cisco SensorBase Network. In addition, global correlation sends statistical information about attacks against your company's network to the Cisco SensorBase Network, which Cisco uses to detect threat patterns on the Internet (check what level of participation your organization is comfortable with before enabling that upload).

Reputation filtering does not analyze normal network activity to detect hosts that are infected with worms. Reputation filtering denies packets from hosts that are considered to have a malicious reputation based on the global correlation information that is available from the Cisco SensorBase Network. Reputation filtering differs from global correlation inspection in that it denies traffic before the traffic is compared to any signature definitions. In addition, reputation filtering does not generate alerts.

Threat ratings do not analyze normal network activity to detect hosts that are infected with worms. A threat rating is the risk rating of an event minus an adjustment for the actions IPS has already taken in response to it; in other words, it reflects the risk that remains. A risk rating is a numerical representation, from 0 through 100, of the risk that a specific attack presents to the network. Depending on the actions IPS has taken in response to an event, IPS subtracts a value from the risk rating to produce the threat rating. For example, if IPS responds to a specific event by issuing a request to block the attacking host, a value of 20 is subtracted.

Reference:
Cisco: Configuring Anomaly Detection: Understanding Anomaly Detection

QUESTION 45Which of the following can be used to encrypt email messages, files, and disk drives? (Select the best answer.)

A. L2TP

B. PEM

C. PGP

D. S/MIME

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Pretty Good Privacy (PGP) is software that can be used to encrypt email messages, files, and disk drives. PGP can provide confidentiality, integrity, and nonrepudiation. PGP uses hybrid encryption: the data is encrypted with a randomly generated symmetric session key, and that session key is encrypted with the recipient's public key. To encrypt a file or a message for someone, you therefore use the recipient's public key; the recipient then uses his or her private key to recover the session key and decrypt the file or message. Signing works the other way around, with the sender's private key. Because anyone can publish a PGP public key under any name, the fingerprint of a key should be verified out of band before the key is trusted. Many modern operating systems (OSs) offer their own built-in support for file-level and disk-level encryption (BitLocker, FileVault, LUKS), so third-party software is often no longer necessary for encrypting files or drives.

Privacy Enhanced Mail (PEM) and Secure/Multipurpose Internet Mail Extensions (S/MIME) can be used to encrypt email messages, but they cannot be used to encrypt files or disk drives. PEM is defined in Requests for Comments (RFCs) 1421 through 1424 but was never widely used. S/MIME, which was created by RSA Data Security, is now an RFC standard defined in RFCs 3369, 3370, 3850, and 3851. Unlike PGP's web of trust, S/MIME relies on X.509 certificates issued by a certificate authority (CA).

Although Layer 2 Tunneling Protocol (L2TP) can be combined with an encryption protocol such as IPsec so that files and email messages are encrypted while they cross a virtual private network (VPN), that encryption applies only to the traffic in transit; L2TP is not used to encrypt disk drives or stored data. L2TP does not offer any security on its own but provides the tunnel through which IP packets encapsulated in User Datagram Protocol (UDP) packets travel.

Reference:
Search Security: TechTarget: Pretty Good Privacy (PGP)
Microsoft TechNet: Understanding S/MIME

QUESTION 46Refer to the exhibit:

You have created a network object NAT rule in ASDM to translate the real IP address of a DMZ web server, DMZWWWINT, to an IP address in the OUTSIDE network, DMZWWWEXT. The DMZ interface has a security level of 50, and the OUTSIDE interface has a security level of 0. In addition, the ASA is running system software version 8.4.
Which of the following statements are true regarding the ACL that will be required to enable hosts in the OUTSIDE network to communicate with the DMZ web server? (Select 2 choices.)

A. The ACL should be applied to the OUTSIDE interface.

B. The ACL should be applied to the DMZ interface.

C. The ACL should reference the DMZWWWEXT object as its source address.

D. The ACL should reference the DMZWWWINT object as its source address.

E. The ACL should reference the DMZWWWEXT object as its destination address.

F. The ACL should reference the DMZWWWINT object as its destination address.

Correct Answer: AF
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the access control list (ACL) should be applied to the OUTSIDE interface and should reference the DMZWWWINT object as its destination address. The Network Address Translation (NAT) rule in this scenario creates a static mapping between the address of the web server in the DMZ network, which has been defined as an object named DMZWWWINT, and an address in the OUTSIDE network, which has been defined as an object named DMZWWWEXT. This static mapping enables hosts on the outside network to reach the DMZ web server by using the DMZWWWEXT address. However, the Cisco Adaptive Security Appliance (ASA) denies inbound traffic on the OUTSIDE interface by default unless it is return traffic from an existing connection or an ACL explicitly permits it.

You can view, edit, and add ACLs from the Configuration > Firewall > Access Rules pane in Adaptive Security Device Manager (ASDM). By default, the Access Rules pane contains implicit rules that permit traffic from higher security interfaces to lower security interfaces and that deny all traffic that has not been otherwise permitted, as shown in the following exhibit:

You can click the Add button in the Access Rules pane to create a new ACL. When you click the Add button, ASDM displays the Add Access Rule dialog box, as shown in the following exhibit:

In the Add Access Rule dialog box, you should click the Interface drop-down and select the OUTSIDE interface if it is not already selected. The ACL should be applied to the OUTSIDE interface; otherwise, the traffic from the OUTSIDE network would be denied before reaching any of the other ASA interfaces. You should ensure that the Permit radio button is selected in order to permit the traffic specified by the ACL. The Source Criteria section of the Add Access Rule dialog box can keep its default values because traffic from any source and user should be permitted to access the DMZ web server. The network object corresponding to the DMZ web server should be specified in the Destination field of the Destination Criteria section. Because the ASA is running system software version 8.3 or later, the ACL required for this scenario must use the object named DMZWWWINT (the real address) as its destination and not the object named DMZWWWEXT (the mapped address), as would have been the case for versions earlier than 8.3. Finally, the Service field should be used to specify the protocols that will be permitted by the ACL. By default, all IP traffic is permitted; however, as this rule applies to a web server, it is more secure to limit the permitted protocols to Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS). You can either type the protocol object names into the field or click the browse button to select protocols from a list. By default, the Add Access Rule dialog box enables the rule in the inbound direction, which is precisely what is needed in this scenario. The following exhibit shows the Add Access Rule dialog box with sample values that would be suitable for this scenario:

When you click the OK button, the Access Rules pane automatically updates to display the newly created ACL, as shown in the following exhibit:

You would not apply an ACL to the DMZ interface. Although you could apply a similar ACL to the DMZ interface in the outbound direction, traffic from the OUTSIDE interface would already have been dropped by the implicit deny on the OUTSIDE interface before it had a chance to reach the DMZ interface. There is no need to apply an ACL to the DMZ interface in the inbound direction, because traffic from higher security interfaces is permitted to lower security interfaces by default. You would not need to supply a source address to the ACL in this scenario, because all traffic passing through the OUTSIDE interface in the inbound direction is specified instead. Although you could specify individual hosts or subnets in a similar ACL, it is significantly more efficient to specify any source on the OUTSIDE interface for a public web server. Typically, the OUTSIDE interface of an ASA connects to the greatest number of additional networks, such as the Internet, and it would quickly become impractical to specify all permitted hosts or subnets.

Reference:
Cisco: Configuring Access Rules: Configuring Access Rules
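The same configuration entered at the ASA 8.4 command line, as an added example that is not part of the dump or of Cisco's documentation; the real and mapped addresses and the ACL name are assumptions. It shows the one point the ASDM walk-through is about: on 8.3 and later the access rule is written against the real object, DMZWWWINT, even though the packet arrives addressed to the mapped address.

```cisco
! Added example (ASA 8.4 CLI); addresses and the ACL name are assumptions.
object network DMZWWWEXT
 host 203.0.113.80
 description Mapped address on the OUTSIDE network
!
! Network object NAT: static one-to-one, real (DMZ) -> mapped (OUTSIDE).
! The nat statement lives inside the object that holds the REAL address.
object network DMZWWWINT
 host 10.20.0.80
 description Real address of the web server on the DMZ
 nat (DMZ,OUTSIDE) static DMZWWWEXT
!
! 8.3 and later: the ACL is evaluated against the real address, so the
! destination is DMZWWWINT, not DMZWWWEXT. Only HTTP and HTTPS are opened.
access-list OUTSIDE_IN remark Public web server, HTTP and HTTPS only
access-list OUTSIDE_IN extended permit tcp any object DMZWWWINT eq www
access-list OUTSIDE_IN extended permit tcp any object DMZWWWINT eq https
! Explicit deny so that dropped inbound attempts are logged
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface OUTSIDE
!
! Checks. packet-tracer is given the address as it appears on the wire (the
! mapped one); the trace should show an UN-NAT phase, then an ACCESS-LIST
! phase that hits the permit line, and a final result of ALLOW.
! packet-tracer input OUTSIDE tcp 198.51.100.7 40000 203.0.113.80 80
! show nat detail
! show access-list OUTSIDE_IN
```

If the access rule were written against DMZWWWEXT instead, the packet-tracer run above would still show a correct UN-NAT phase but would end at the ACCESS-LIST phase with a DROP, which is the most common mistake when configurations are migrated from releases earlier than 8.3.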

QUESTION 47
According to the branch location ACL design guidelines in the Cisco BYOD Design Guide, which protocols should not be permitted by the default ACL that is applied to the access ports of a Layer 2 switch? (Select 2 choices.)

A. BOOTP

B. DNS

C. HTTP

D. HTTPS

E. ICMP

F. TFTP

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
According to the branch location access control list (ACL) design guidelines in the Cisco Bring Your Own Device (BYOD) Design Guide, Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS) should not be permitted by the default ACL that is applied to the access ports of a Layer 2 switch. In a BYOD environment, 802.1X, Web Authentication (WebAuth), or Media Access Control (MAC) Authentication Bypass (MAB) is used to authenticate and authorize the user and the user's associated device for network access. Once a wired device authenticates with the Cisco Identity Services Engine (ISE), a downloadable ACL (dACL) is typically applied to the access port on the Layer 2 switch to which the device is attached. HTTP and HTTPS traffic should instead be matched by a separate redirect ACL that sends web traffic to the ISE for browser-based authentication when 802.1X or MAB authentication is unavailable. In a redirect ACL, a deny entry means "do not redirect"; Cisco recommends denying Domain Name System (DNS) traffic and traffic destined to the IP address of the ISE itself so that those flows are not redirected, which would otherwise cause redirection loops. For example, the following ACL excludes DNS from redirection and redirects HTTP and HTTPS traffic to the ISE (a deny entry for the ISE address would normally be added as well):

switch(config)#ip access-list extended REDIRECT-ACL
switch(config-ext-nacl)#deny udp any any eq domain
switch(config-ext-nacl)#permit tcp any any eq www
switch(config-ext-nacl)#permit tcp any any eq 443

Cisco recommends applying a default ACL to the access ports of Layer 2 switches to mitigate situations in which a configuration error prevents a dACL from being applied to the access port during the authentication and authorization process. The default ACL should permit Bootstrap Protocol (BOOTP, that is, DHCP), DNS, Trivial File Transfer Protocol (TFTP), and Internet Control Message Protocol (ICMP), which is just enough for an endpoint to obtain an address and reach the authentication flow, and nothing more. In addition, the default ACL should explicitly deny and log all other IP traffic, so that an endpoint that never received a dACL shows up in the switch logs. For example, the following ACL complies with Cisco's best common practices (BCP) as outlined in the BYOD Design Guide:

switch(config)#ip access-list extended DEFAULT-ACL
switch(config-ext-nacl)#permit icmp any any
switch(config-ext-nacl)#permit udp any eq bootpc any eq bootps
switch(config-ext-nacl)#permit udp any any eq domain
switch(config-ext-nacl)#permit udp any any eq tftp
switch(config-ext-nacl)#deny ip any any log

Reference:
Cisco: Cisco Bring Your Own Device (BYOD) CVD: ACL Design at Branch Location

QUESTION 48
You have issued the following commands to modify the 802.1X configuration on a switch port:

switch(config-if)#authentication order mab dot1x
switch(config-if)#authentication priority dot1x mab
switch(config-if)#authentication event fail action next-method
switch(config-if)#authentication event no-response action authorize vlan 1313

A new host is attached to the switch port. The host's MAC address is in the authentication database, but the host's certificate for 802.1X authentication has expired.
Which of the following statements is true regarding the host in this scenario? (Select the best answer.)

A. MAB will authorize the host for network access, and the switch port will ignore the host’s 802.1X authentication attempts.

B. MAB will authorize the host for network access; however, the host will lose network access when it attempts to authenticate with 802.1X.

C. The host will fail 802.1X authentication and will be assigned to VLAN 1313.

D. The host will fail 802.1X authentication, and the switch will place the port into an unauthorized state.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, Media Access Control (MAC) Authentication Bypass (MAB) will authorize the host for network access; however, the host will lose network access when it attempts to authenticate with 802.1X. A switch port can be configured to use 802.1X, MAB, or Web Authentication (WebAuth) to authenticate clients. The authentication order command specifies the order in which the switch attempts the configured authentication methods. By default, a switch attempts 802.1X authentication before other methods. The authentication order mab dot1x command configures the switch to first use MAB to authenticate a client based on its MAC address. If the client's MAC address is not in the authentication database, the switch then attempts to authenticate the client with 802.1X. In this scenario, the client's MAC address is in the authentication database, so MAB authorizes the client for network access.

Normally, the configured authentication order is mirrored by the priority of each authentication method; however, you can use the authentication priority command to change the priority. If the priority mirrored the authentication order in this scenario, the switch would ignore Extensible Authentication Protocol over LAN (EAPoL) messages after the client had been authenticated by MAB, and the client would keep its authorized access. However, the authentication priority dot1x mab command changes that default behavior and gives 802.1X a higher priority than MAB. This lets a client that has already been authenticated by MAB go on to use 802.1X authentication, and the 802.1X result then takes precedence over the MAB result. Unfortunately, the client in this scenario loses network access when it attempts 802.1X authentication, because its certificate has expired and the 802.1X attempt fails. (This is by design: MAB on its own is a weak control, since a MAC address can be spoofed, which is exactly why a higher-priority 802.1X result is allowed to override it.)

The authentication event fail action command specifies how the switch should react if an 802.1X client is detected and the client fails to authenticate. There are two configurable parameters: next-method and authorize vlan vlan-id. The authorize vlan vlan-id parameter places the port in a specific restricted virtual LAN (VLAN). The next-method parameter configures the switch to attempt authentication by using the next method specified in the authentication order command. If next-method is configured, the switch cycles through the authentication methods indefinitely unless WebAuth is configured. If WebAuth is configured, the authentication process does not loop back to other methods, and the switch ignores EAPoL messages on the port.

The authentication event no-response action authorize vlan 1313 command specifies the VLAN into which the switch places a port if it receives no response to the EAPoL messages it sends on that port. This enables devices that do not support 802.1X to be assigned to a guest VLAN. When a guest VLAN is configured, the switch grants clients that are not 802.1X-capable access to the guest VLAN; however, if an 802.1X-capable device is detected on the port, the switch places the port into an unauthorized state and denies access to all devices on the port.

Reference:
Cisco: Flexible Authentication Order, Priority, and Failed Authentication: Case 2: Order MAB Dot1x and Priority Dot1x MAB
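A complete access-port configuration that puts the Q47 default ACL and the Q48 authentication commands together with the RADIUS plumbing they depend on, as an added example that is not taken from the dump, the design guide or Cisco's documentation. The interface name, VLAN numbers, the ISE address and the RADIUS key are assumptions.

```cisco
! Added example. Interface, VLANs, ISE address and key are assumptions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE
 address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
 key ExampleRadiusKey
!
! Needed so ISE can push dACLs and issue change-of-authorization (CoA)
radius-server vsa send authentication
aaa server radius dynamic-author
 client 10.1.1.50 server-key ExampleRadiusKey
!
dot1x system-auth-control
!
! Fallback ACL from the BYOD design: DHCP, DNS, TFTP and ICMP only, until a
! dACL arrives; everything else is denied and logged
ip access-list extended DEFAULT-ACL
 permit icmp any any
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 deny ip any any log
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 ip access-group DEFAULT-ACL in
 authentication host-mode multi-auth
 authentication port-control auto
! Q48: try MAB first, but let a supplicant's 802.1X result override MAB
 authentication order mab dot1x
 authentication priority dot1x mab
! After a failed 802.1X attempt, move to the next method in the order
 authentication event fail action next-method
! Endpoints that never answer EAPoL land in the guest VLAN
 authentication event no-response action authorize vlan 1313
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Checks
! show authentication sessions interface GigabitEthernet1/0/10 details
! show ip access-lists interface GigabitEthernet1/0/10
```

The details view shows which method (mab or dot1x) authorized the session and the ACL ISE returned; show ip access-lists interface lists the ACLs actually applied to the port, so a dACL entry beside DEFAULT-ACL means authorization worked, while DEFAULT-ACL alone means the endpoint is running on the static fallback and should be investigated.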

QUESTION 49Which of the following are symmetric encryption algorithms? (Select 3 choices.)

A. AES

B. RC4

C. 3DES

D. ECC

E. DH

F. DSA

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Advanced Encryption Standard (AES), RC4, and Triple Data Encryption Standard (3DES) are symmetric encryption algorithms. When a symmetric algorithm is used, the same key encrypts and decrypts the data, which means the key has to be shared securely between the parties beforehand. Because symmetric algorithms use much simpler mathematics than asymmetric algorithms, they are far faster and are the algorithms used for bulk data encryption.

Two types of symmetric algorithm exist: block ciphers and stream ciphers. Block ciphers derive their name from the fact that they encrypt fixed-length blocks of data; AES, for example, encrypts 128-bit blocks, so data must be padded to a block boundary and a mode of operation (CBC, GCM, and so on) is needed to chain blocks together. Stream ciphers instead generate a keystream and combine it with the plaintext one bit or byte at a time, so they need no padding, can process data of any length as it arrives, and are often faster in software. RC4, a stream cipher, accepts keys of 40 through 2,048 bits and produces a byte-oriented keystream. Two caveats matter in practice: encrypting two messages under the same RC4 key (or any stream cipher with a reused keystream) leaks the XOR of the two plaintexts, and RC4 itself has known keystream biases and is prohibited in TLS (RFC 7465). 3DES is likewise deprecated by NIST because of its 64-bit block size. Of the three correct answers, only AES belongs in a new design. Other examples of symmetric algorithms include International Data Encryption Algorithm (IDEA), Skipjack, and Blowfish.

Diffie-Hellman (DH), Digital Signature Algorithm (DSA), and Elliptic Curve Cryptography (ECC) are asymmetric algorithms. DH is a key agreement method that lets two parties derive a shared secret over an untrusted channel; DSA is a signature-only algorithm; and ECC is a family of public-key techniques (ECDH, ECDSA) rather than a single cipher. None of them encrypts bulk data, which is why, in practice, asymmetric algorithms are used to exchange or protect a symmetric session key that then encrypts the data. Asymmetric encryption, also known as public key encryption, uses a public key to encrypt data and a different, yet mathematically related, private key to decrypt it. Public key infrastructure (PKI) uses a certificate authority (CA) to bind a public key to an identity, so that a party that uses the key can trust whose key it is. Other examples of asymmetric algorithms include RSA and ElGamal.

Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 5, Symmetric and Asymmetric Algorithms, pp. 92-94

QUESTION 50Which of the following statements is correct regarding the traffic types that can be matched in a class map on a Cisco ASA? (Select the best answer.)

A. A class map can match traffic by TCP port number but not by UDP port number.

B. A class map can match traffic by UDP port number but not by IP precedence.

C. A class map can match traffic by TCP port number but not by IP precedence.

D. A class map can match traffic by UDP port number but not by TCP port number.

E. A class map can match traffic by TCP port number, by UDP port number, and by IP precedence.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A class map can match traffic by Transmission Control Protocol (TCP) port number, by User Datagram Protocol (UDP) port number, and by IP precedence on a Cisco Adaptive Security Appliance (ASA). A class map is one of the three basic components of the Modular Policy Framework (MPF); policy maps and service policies are the other two. MPF is a Cisco ASA feature that provides a flexible method of applying security policies on an interface. A class map identifies a specific flow of traffic, a policy map determines the action that will be performed on the traffic, and a service policy ties the policy map to a specific interface or to the whole appliance. Generally, each class map can contain only a single match statement, and a packet can match only a single class map within the policy map for a particular feature type. For example, if a packet matched a class map for File Transfer Protocol (FTP) inspection and a class map for traffic policing, the ASA would apply both actions to the packet because they belong to different feature types. However, if a packet matched a class map for FTP inspection and a second, different class map that also applied FTP inspection, the ASA would apply only the action of the first matching class.

You can use the match command from class map configuration mode to identify traffic based on specified characteristics. The keywords you can use to identify traffic in a class map are closely tied to their respective characteristics. The match command supports the following keywords: access-list, port, default-inspection-traffic, dscp, precedence, rtp, tunnel-group, and any. For example, you could issue the following commands to create a class map named CLASSMAP that identifies traffic using TCP port 80:

asa(config)#class-map CLASSMAP
asa(config-cmap)#match port tcp eq 80

Once traffic has been identified by a class map, the associated policy map can act on that traffic. A policy map typically contains references to one or more class maps and defines the actions to be performed on traffic matched by each of them. If traffic matches multiple class maps for different actions within a policy map (for instance, a class map for application inspection and a class map for priority queuing), the actions of both class maps are applied to the traffic. To continue the example, you could issue the following commands to configure a policy map named POLICYMAP that takes the traffic identified by CLASSMAP and processes it with the Hypertext Transfer Protocol (HTTP) inspection engine:

asa(config)#policy-map POLICYMAP
asa(config-pmap)#class CLASSMAP
asa(config-pmap-c)#inspect http

A policy map does not act on traffic until it has been applied by a service policy. A service policy can be applied globally to all interfaces, in which case application inspection is applied only to traffic entering each interface; alternatively, a service policy can be applied to a single interface, in which case application inspection is applied to traffic entering and exiting that interface. Only one global policy and one policy per interface are allowed, and an interface service policy overrides the global service policy: if traffic matches both an interface policy and the global policy for the same feature, only the interface policy is applied to that traffic flow. To complete the example, you could issue the following command to apply POLICYMAP to the inside interface:

asa(config)#service-policy POLICYMAP interface inside

Reference:
Cisco: Service Policy Using the Modular Policy Framework: Feature Matching Within a Service Policy
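A fuller MPF policy that exercises the match keywords beyond port (access-list and dscp) and combines actions from several feature types in one policy map, as an added example that is not part of the dump or of Cisco's documentation; the server address, the object and map names and the limits are assumptions.

```cisco
! Added example (ASA 8.4 CLI); names, address and limits are assumptions.
! Match by ACL rather than by port: HTTP to one DMZ web server only
access-list WEB_SERVER extended permit tcp any host 10.20.0.80 eq www
class-map WEB_CLASS
 description HTTP to the DMZ web server
 match access-list WEB_SERVER
!
! A second class in the same policy map, matched by DSCP this time
class-map VOICE_CLASS
 match dscp ef
!
! One class may carry actions from several feature types (inspection,
! connection limits, QoS); within a single feature type a flow is served by
! the first class it matches
policy-map OUTSIDE_POLICY
 class WEB_CLASS
  inspect http
! Cap half-open TCP connections to the server; above the limit the ASA
! completes the handshake itself (SYN cookies) before passing the connection
  set connection embryonic-conn-max 1000 per-client-embryonic-max 50
  set connection timeout idle 0:10:00
 class VOICE_CLASS
  priority
!
! The priority action requires a priority queue on the egress interface
priority-queue OUTSIDE
!
! Interface policy: inspection is applied to traffic entering and exiting
! OUTSIDE, and for the features it defines it takes precedence over the
! default global_policy on that interface
service-policy OUTSIDE_POLICY interface OUTSIDE
!
! Checks: per-class packet counters, current embryonic counts and drops
! show service-policy interface OUTSIDE
! show service-policy global
```

Check show service-policy global as well after adding an interface policy: the default global_policy still inspects the other interfaces and, for feature types that OUTSIDE_POLICY does not define, still applies to OUTSIDE.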

QUESTION 51Which of the following EAP authentication protocols requires both a client and a server digital certificate? (Select the best answer.)

A. LEAP

B. PEAP

C. EAP-FAST

D. EAP-TLS

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) requires both a client and a server digital certificate. EAP-TLS is an authentication protocol that can be used for point-to-point connections and for both wired and wireless links. EAP-TLS performs mutual authentication: the client validates the server's certificate and the server validates the client's, so neither side ever sends a password. When EAP-TLS is used, a digital certificate must be installed on the authentication server and on each client that must authenticate with the server. Each certificate must chain to a certificate authority (CA) that the other side trusts; in an enterprise deployment this is usually the same internal CA, and the server should also check revocation so that the certificate of a lost or stolen device can be invalidated.

Protected EAP (PEAP) does not require that clients be configured with digital certificates. When PEAP is used, only the server is required to have a certificate; it is used to build a TLS tunnel inside which the client authenticates with an inner method such as MS-CHAPv2 or a one-time password (OTP). Clients must still be configured to validate the server certificate, or an attacker running a rogue access point can harvest the inner credentials.

Lightweight EAP (LEAP) does not require either the server or the client to have a digital certificate. When LEAP is used, the client initiates an authentication attempt with a Remote Authentication Dial-In User Service (RADIUS) server, and the server responds with a challenge. If the challenge/response exchange succeeds, the client then validates that the RADIUS server is correct for the network, and if the RADIUS server is validated, the client connects to the network. Because the LEAP challenge/response is MS-CHAP based and is not protected by a tunnel, captured exchanges are subject to offline dictionary attacks, and Cisco has long recommended migrating away from LEAP.

Similar to LEAP, EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) does not require either the server or the client to have a digital certificate. When EAP-FAST is used, Protected Access Credentials (PACs) are used to authenticate users. The EAP-FAST authentication process consists of three phases. The first phase, which is optional and is considered phase 0, consists of provisioning a client with a PAC, which is a digital credential that is used for authentication. A PAC can be manually configured on a client, in which case phase 0 is not required. (Anonymous in-band provisioning is exposed to a man-in-the-middle during phase 0; authenticated provisioning, which does use a server certificate, avoids this.) The second phase, which is referred to as phase 1, involves creating a secure tunnel between the client and the server by using the PAC. The final phase, which is referred to as phase 2, involves authenticating the client inside the tunnel. If the client is authenticated, the client is able to access the network.

Reference:
Cisco: EAP-TLS Deployment Guide for Wireless LAN Networks: 5.2 Certificate Requirements

QUESTION 52
The system software on a Cisco Catalyst 3750 series switch was corrupted during a failed upgrade, and now the switch no longer passes the POST on restart. You want to use the Xmodem Protocol to recover the system software. To which of the following ports on the switch could you connect? (Select the best answer.)

A. an Ethernet port in the management VLAN

B. the auxiliary port

C. the console port

D. the highest numbered Ethernet port on the switch

E. the lowest numbered Ethernet port on the switch

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should connect to the console port of a Cisco Catalyst 3750 series switch to use the Xmodem Protocol for system software recovery. Xmodem is a simple, error-correcting transfer protocol that can be used to transfer an IOS software image from a PC to a Cisco switch or router through its console port. When the system software image on a switch or router becomes corrupted, the system will fail the power-on self-test (POST) when it reloads and it will typically halt in an administrative mode, which is commonly called read-only memory (ROM) monitor (ROMmon) mode. You can identify this mode on a switch or router by the command prompt that is displayed at the console: switch: on a switch and rommon 1 > on a router. When in ROMmon mode, a switch or router will no longer forward packets and thus can no longer be reached through traditional in-band management methods, such as through a management virtual LAN (VLAN) or an active network interface. Instead, you must use an out-of-band management method to access a switch or router in ROMmon mode. The only out-of-band access method available on a Cisco 3750 series switch that supports Xmodem for system software recovery is the console port.
On a Cisco router, you could use either the console port or the auxiliary (AUX) port for out-of-band access if the router is in ROMmon mode. The AUX port on a Cisco router is typically capable of supporting most of the features available on a console port. Cisco switches either do not have AUX ports or do not support certain features, such as system recovery, on their AUX ports if they have them.
Reference:
Cisco: Recovering Catalyst Fixed Configuration Switches from a Corrupted or Missing Image

QUESTION 53
Which of the following security functions is associated with the control plane? (Select the best answer.)

A. device configuration protection

B. device resource protection

C. traffic accounting

D. traffic filtering

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Device resource protection is a security function that is associated with the control plane. Cisco devices are generally divided into three planes: the control plane, the management plane, and the data plane. Each plane is responsible for different operations, and each plane can be secured by implementing various security methods.
The control plane is responsible for the creation and maintenance of structures related to routing and forwarding. These functions are heavily dependent on the CPU and memory availability. Therefore, control plane security methods protect against unauthorized traffic destined for the router, which can modify route paths and consume excessive resources. Path modification can be caused by manipulating the traffic generated by routing protocols, VLAN Trunking Protocol (VTP), and Spanning Tree Protocol (STP). Path modification attacks can be mitigated by implementing routing protocol authentication and filtering, VTP authentication, and STP protection features. In addition, excessive CPU and memory consumption can be caused by control plane flooding. Resource consumption attacks can be mitigated by implementing control plane filtering and rate limiting with Control Plane Policing (CoPP) and Control Plane Protection (CPPr).
Traffic accounting and traffic filtering are security features that are associated with the data plane. The data plane is responsible for traffic passing through the router, which is referred to as transit traffic. Therefore, data plane security protects against unauthorized packet transmission and interception. Threats such as IP spoofing, Media Access Control (MAC) address spoofing, Address Resolution Protocol (ARP) spoofing, Dynamic Host Configuration Protocol (DHCP) spoofing, unauthorized traffic interception, and unauthorized network access can be mitigated and monitored by implementing features such as the following:
- ARP inspection
- Antispoofing access control lists (ACLs)
- DHCP snooping
- Port ACLs (PACLs)
- Private virtual LANs (VLANs)
- Unicast Reverse Path Forwarding (uRPF)
- VLAN ACLs (VACLs)


Device configuration protection is associated with the management plane. Management plane security protects against unauthorized device access and configuration. Unauthorized access can be mitigated by implementing a strong Authentication, Authorization, and Accounting (AAA) solution and by implementing Management Plane Protection (MPP), which creates protected management channels over which administrators must connect in order to access device administration features. Management traffic can be encrypted by implementing Secure Shell (SSH). You can mitigate unauthorized configuration of a device by implementing Role-Based Access Control (RBAC), whereby administrators are limited to using only the features they need to accomplish their jobs. Detection and logging of management plane access can be performed by implementing Simple Network Management Protocol version 3 (SNMPv3) and Syslog servers.
Reference:
Cisco: Cisco Guide to Harden Cisco IOS Devices

QUESTION 54
Which of the following statements are true regarding IDS devices? (Select 2 choices.)

A. They can send alerts.

B. They do not sit inline with the flow of network traffic.

C. They can directly block a virus before it infiltrates the network.

D. They can detect malicious traffic only by signature matching.

E. They function identically to IPS devices.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Intrusion Detection System (IDS) devices can send alerts and do not sit inline with the flow of network traffic. An IDS is a network monitoring device that passively monitors network traffic and actively sends alerts to a management station when it detects malicious traffic. An IDS typically has one promiscuous network interface attached to each monitored network. Because traffic does not flow through the IDS, the IDS is unable to directly block malicious traffic; however, an IDS can do any of the following:
- Request that another device block a connection
- Request that another device block a particular host
- Reset TCP connections

An IDS can prevent further instances of previously detected malicious traffic from passing onto the network by creating access control lists (ACLs) on routers in the traffic path or by configuring other security devices that reside in the flow of traffic. Although signature-based pattern matching is the primary method used by an IDS to detect malicious traffic, an IDS can also consider policy definitions and historical traffic behavior when analyzing network packets.
By contrast, an Intrusion Prevention System (IPS) typically sits inline with the flow of traffic and can therefore block malicious traffic before it passes onto the network. An inline IPS can perform the following actions:
- Block traffic from a particular host
- Block a particular connection
- Modify traffic
- Reset TCP connections
However, if an IPS sits inline with traffic, a failed IPS device can cause all traffic to be dropped. Analyzing all of the traffic that passes through the IPS can cause latency and jitter. Alternatively, an IPS can be configured to operate in promiscuous mode, which would make it functionally similar to an IDS. Typically, an IPS is configured to use signature-based pattern matching to block traffic that has been definitively marked as malicious. Traffic that is suspect but has not been confirmed as malicious is referred to as gray area traffic and is not discarded by an IPS. If an IDS is used in conjunction with an IPS, the IDS can be configured to monitor the gray area traffic in greater detail without affecting the flow of traffic through the IPS.

Reference:
Cisco: Managed Security Services Partnering for Network Security: Managed Intrusion Detection and Prevention Systems

QUESTION 55
Which of the following statements are true regarding TACACS+? (Select 2 choices.)

A. It encrypts the entire body of a packet.

B. It combines authorization and authentication functions.

C. It provides router command authorization capabilities.

D. It uses UDP for packet delivery.

E. It was developed as an IETF standard protocol.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Terminal Access Controller Access Control System Plus (TACACS+) encrypts the entire body of a packet and provides router command authorization capabilities. TACACS+ is a Cisco-proprietary protocol that uses Transmission Control Protocol (TCP) for transport during Authentication, Authorization, and Accounting (AAA) operations. TACACS+ provides more security and flexibility than other authentication protocols, such as Remote Authentication Dial-In User Service (RADIUS), which is an open standard protocol commonly used as an alternative to TACACS+. Because TACACS+ can be used to encrypt the entire body of a packet, users who intercept the encrypted packet cannot view the user name or contents of the packet. In addition, TACACS+ provides flexibility by separating the authentication, authorization, and accounting functions of AAA. This enables granular control of access to resources. For example, TACACS+ gives administrators control over access to configuration commands; users can be permitted or denied access to specific configuration commands. Because of this flexibility, TACACS+ is used with Cisco Secure Access Control Server (ACS), which is a software tool that is used to manage user authorization for router access.
RADIUS, not TACACS+, was developed as an Internet Engineering Task Force (IETF) standard protocol. Like TACACS+, RADIUS is a protocol used with AAA operations. However, RADIUS uses User Datagram Protocol (UDP) for packet delivery and is less secure and less flexible than TACACS+. RADIUS encrypts only the password of a packet; the rest of the packet would be viewable if the packet were intercepted by a malicious user. With RADIUS, the authentication and authorization functions of AAA are combined into a single function, which limits the flexibility that administrators have when configuring these functions. Furthermore, RADIUS does not provide router command authorization capabilities.
Reference:
Cisco: TACACS+ and RADIUS Comparison: Compare TACACS+ and RADIUS
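The claim above that RADIUS hides only the password, leaving the user name and the rest of the packet readable, can be seen directly from the User-Password hiding scheme that RFC 2865 specifies. The following Python is an added example, not code from the exam dump or from Cisco; it implements the RFC 2865 section 5.2 hiding and un-hiding steps and encodes the two attributes of an Access-Request so a reader can compare what a passive observer without the shared secret sees. The shared secret, Request Authenticator, user name and password are constructed sample values.

```python
"""RADIUS User-Password hiding (RFC 2865, section 5.2) next to what stays in the clear.

Added example; it is not code from the exam dump or from Cisco. The shared
secret, user name, password and Request Authenticator below are constructed
sample values.
"""
import hashlib
from typing import Dict

SECRET = b"constructed-shared-secret"          # constructed sample value
AUTHENTICATOR = bytes(range(16))                # constructed 16-byte Request Authenticator


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as RFC 2865 describes: pad to 16-byte blocks, then
    XOR each block with MD5(secret + previous block); the 'previous block' for
    the first round is the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does); zero padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request_attrs(username: bytes, password: bytes,
                               secret: bytes, authenticator: bytes) -> bytes:
    """Encode the User-Name (type 1) and User-Password (type 2) attributes of an
    Access-Request in RADIUS type/length/value form. Only the password is hidden."""
    hidden = hide_password(password, secret, authenticator)
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden)]) + hidden)


def fields_visible_without_secret(attrs: bytes) -> Dict[str, str]:
    """Walk the TLV attributes the way an observer on the wire would: the user
    name is readable directly, the password is only an opaque hex string."""
    fields: Dict[str, str] = {}
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2:
            break                      # malformed length; stop rather than loop forever
        value = attrs[i + 2:i + alen]
        if atype == 1:
            fields["User-Name"] = value.decode("ascii")
        elif atype == 2:
            fields["User-Password"] = value.hex()
        i += alen
    return fields


if __name__ == "__main__":
    attrs = build_access_request_attrs(b"alice", b"Passw0rd!", SECRET, AUTHENTICATOR)
    print(fields_visible_without_secret(attrs))
```

Running the block prints the user name in clear text beside a hidden password; everything else in a RADIUS packet (NAS identifiers, port, vendor attributes) is likewise sent unobscured, which is the contrast with TACACS+ that the question is testing.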


QUESTION 56
Which of the following protocols can IPSec use to provide the integrity component of the CIA triad? (Select 2 choices.)

A. GRE

B. AH

C. AES

D. ESP

E. DES

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
IP Security (IPSec) can use either Authentication Header (AH) or Encapsulating Security Payload (ESP) to provide the integrity component of the confidentiality, integrity, and availability (CIA) triad. The integrity component of the CIA triad ensures that data is not modified in transit by unauthorized parties. AH and ESP are integral parts of the IPSec protocol suite and can be used to ensure the integrity of a packet. Data integrity is provided by using checksums on each end of the connection. If the data generates the same checksum value on each end of the connection, the data was not modified in transit. In addition, AH and ESP can authenticate the origin of transmitted data. Data authentication is provided through various methods, including user name/password combinations, pre-shared keys (PSKs), digital certificates, and one-time passwords (OTPs). Although AH and ESP perform similar functions, ESP provides additional security by encrypting the contents of the packet. AH does not encrypt the contents of the packet.
In addition to data authentication and data integrity, IPSec can provide confidentiality, which is another component of the CIA triad. IPSec uses encryption protocols, such as Advanced Encryption Standard (AES) or Data Encryption Standard (DES), to provide data confidentiality. Because the data is encrypted, an attacker cannot read the data if he or she intercepts the data before it reaches the destination. IPSec does not use either AES or DES for data authentication or data integrity.
Generic Routing Encapsulation (GRE) is a protocol designed to tunnel any Layer 3 protocol through an IP transport network. Because the focus of GRE is to transport many different protocols, it has very limited security features. By contrast, IPSec has strong data confidentiality and data integrity features, but it can transport only IP traffic. GRE over IPSec combines the best features of both protocols to securely transport any protocol over an IP network. However, GRE itself does not provide data integrity or data authentication.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 1, Confidentiality, Integrity, and Availability, pp. 14-15
IETF: RFC 4301: Security Architecture for the Internet Protocol: 3.2. How IPsec Works

QUESTION 57
RouterA is configured to establish an IKE tunnel with RouterB. You issue the show crypto isakmp sa command on RouterA and receive the following output:

dst             src             state          conn-id slot
10.1.2.3        10.1.2.4        MM_SA_SETUP    1       0

Which of the following statements is true? (Select the best answer.)


A. RouterA has negotiated ISAKMP SA parameters with RouterB.

B. RouterA has exchanged keys with RouterB.

C. RouterA has generated a shared secret.

D. RouterA uses three transactions to negotiate an ISAKMP SA.

E. RouterA has established an active IKE SA.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
RouterA has negotiated Internet Security Association and Key Management Protocol (ISAKMP) security association (SA) parameters with RouterB. The show crypto isakmp sa command displays the status of current Internet Key Exchange (IKE) SAs on the router. The MM_SA_SETUP state indicates that the IKE peers are using main mode for phase 1 negotiations and that they have successfully negotiated security parameters. IKE has two modes for phase 1 security negotiation: main mode and aggressive mode. The following states are used during main mode:
- MM_NO_STATE - The peers have created the SA.
- MM_SA_SETUP - The peers have negotiated SA parameters.
- MM_KEY_EXCH - The peers have exchanged Diffie-Hellman (DH) keys and have generated a shared secret.
- MM_KEY_AUTH - The peers have authenticated the SA.
The following states are used during aggressive mode:
- AG_NO_STATE - The peers have created the SA.
- AG_INIT_EXCH - The peers have negotiated SA parameters and exchanged keys.
- AG_AUTH - The peers have authenticated the SA.

Quick mode is used during IKE phase 2. The only state in quick mode is QM_IDLE, which indicates that IKE phase 1 has completed successfully and that there is an active IKE SA between peers.
Because RouterA is using main mode, RouterA requires six transactions, not three, to negotiate an ISAKMP SA. Main mode requires six transactions for IKE peers to negotiate security parameters, generate a shared secret, and mutually authenticate. Aggressive mode requires only three transactions to negotiate security parameters, establish a key management tunnel, and mutually authenticate.
RouterA has not yet exchanged keys with RouterB or generated a shared secret. Key exchange and shared secret generation occurs during the MM_KEY_EXCH state.
Reference:
Cisco: Cisco IOS Security Command Reference: show crypto isakmp sa
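The state table above is exactly what an operator applies when reading show crypto isakmp sa during VPN triage. The Python below is an added example, not from the exam dump or from Cisco IOS: it parses the command's tabular output, maps each state name to the phase-1 mode and to which negotiation steps have completed, and flags SAs that are not yet active. The first line of SAMPLE_OUTPUT is the output shown in the question; the second line is a constructed QM_IDLE entry added for contrast, and the column names conn-id and slot follow the question's header.

```python
"""Parse 'show crypto isakmp sa' output and classify each IKE SA by its state.

Added example; it is not from the exam dump or from Cisco IOS. The state table
encodes the main-mode, aggressive-mode and quick-mode states listed in the
explanation above. The first line of SAMPLE_OUTPUT is the one from the
question; the second line is a constructed entry added for contrast.
"""
from dataclasses import dataclass
from typing import List, Optional

# state -> (phase-1 mode, SA parameters negotiated, keys exchanged, peers authenticated)
ISAKMP_STATES = {
    "MM_NO_STATE":  ("main", False, False, False),
    "MM_SA_SETUP":  ("main", True,  False, False),
    "MM_KEY_EXCH":  ("main", True,  True,  False),
    "MM_KEY_AUTH":  ("main", True,  True,  True),
    "AG_NO_STATE":  ("aggressive", False, False, False),
    "AG_INIT_EXCH": ("aggressive", True,  True,  False),
    "AG_AUTH":      ("aggressive", True,  True,  True),
    "QM_IDLE":      ("quick", True, True, True),   # phase 1 done, SA is active
}

SAMPLE_OUTPUT = """\
dst             src             state          conn-id slot
10.1.2.3        10.1.2.4        MM_SA_SETUP    1       0
192.0.2.1       192.0.2.2       QM_IDLE        2       0
"""


@dataclass
class IkeSa:
    dst: str
    src: str
    state: str
    conn_id: int
    status: str          # 'slot' column on older IOS, 'status' column on newer IOS

    def _flags(self):
        return ISAKMP_STATES.get(self.state, ("unknown", False, False, False))

    @property
    def mode(self) -> str:
        return self._flags()[0]

    @property
    def parameters_negotiated(self) -> bool:
        return self._flags()[1]

    @property
    def keys_exchanged(self) -> bool:
        return self._flags()[2]

    @property
    def authenticated(self) -> bool:
        return self._flags()[3]

    @property
    def active(self) -> bool:
        """Only QM_IDLE means phase 1 completed and the IKE SA is usable."""
        return self.state == "QM_IDLE"

    @property
    def expected_phase1_exchanges(self) -> Optional[int]:
        """Main mode needs six messages, aggressive mode three (as the text above says)."""
        return {"main": 6, "aggressive": 3}.get(self.mode)


def parse_show_crypto_isakmp_sa(text: str) -> List[IkeSa]:
    """Parse the whitespace-separated table; header, banner and blank lines are skipped."""
    sas: List[IkeSa] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "dst":
            continue
        try:
            sas.append(IkeSa(parts[0], parts[1], parts[2], int(parts[3]), parts[4]))
        except ValueError:
            continue   # a line whose fourth column is not a conn-id is not an SA row
    return sas


def incomplete_sas(sas: List[IkeSa]) -> List[IkeSa]:
    """SAs still in a phase-1 state; a peer stuck here is the first thing to check in triage."""
    return [sa for sa in sas if not sa.active]


if __name__ == "__main__":
    for sa in parse_show_crypto_isakmp_sa(SAMPLE_OUTPUT):
        print(sa.conn_id, sa.state, sa.mode, "active" if sa.active else "phase 1 in progress")
```

For the question's own row the parser reports main mode with parameters negotiated but no key exchange or authentication yet, which is answer A; a peer that stays in MM_SA_SETUP or MM_KEY_EXCH for long is the usual sign of a Diffie-Hellman group or pre-shared key mismatch to investigate next.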

QUESTION 58
Which of the following worms was used in an act of cyber warfare against Iranian ICSs? (Select the best answer.)

A. Blaster

B. Nachi

C. Stuxnet


D. Welchia

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Stuxnet worm was used in an act of cyber warfare against Iranian industrial control systems (ICSs). Stuxnet is a Microsoft Windows worm that was discovered in the wild as early as 2008. It was written to target specific ICSs by modifying code on programmable logic controllers (PLCs). Stuxnet initially exploited vulnerabilities in the printer spooler service; however, later variants exploited a vulnerability in the way that Windows processes shortcuts. Research from Symantec published in 2011 indicated that at the time, more than 60 percent of the Stuxnet-affected hosts had been in Iran. Symantec analyzed Stuxnet and its variants and discovered that five organizations were the primary targets of infection and that further infections were likely collateral damage from the aggressive manner in which the worm spreads throughout the network. Given the considerable cost in resources and man-hours that would have been required to craft the Stuxnet worm, it was theorized that it was likely intended to sabotage high-value targets such as nuclear materials refinement facilities.
Blaster is a worm that targeted a vulnerability in the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) service on Microsoft Windows hosts. The worm carried a destructive payload that configured the target host to engage in Denial of Service (DoS) attacks on Microsoft update servers.
Like Blaster, Welchia is a worm that targeted a vulnerability in the DCOM RPC service. In fact, Welchia exploited the exact same vulnerability as the Blaster worm. Welchia was developed to scan the network for vulnerable machines, infect them, and then remove the Blaster worm if present. It was even designed to download and install the appropriate patch from Microsoft to fix the vulnerability that it and Blaster initially exploited to infect the target machine. However, despite the good-natured design intentions of the Welchia worm, its network-scanning component inadvertently caused DoS attacks on several large networks, including those of the United States armed forces. Welchia was also referred to by the name Nachi.
Reference:
Cisco: Protecting Industrial Control Systems with Cisco IPS Industrial Signatures
Symantec: Security Response: W32.Stuxnet Dossier (PDF)

QUESTION 59
Which of the following statements is true regarding the Cisco IOS Resilient Configuration feature? (Select the best answer.)

A. Extra space is not required to secure the primary IOS image file.

B. Image or configuration mismatches are not automatically detected.

C. Only remote storage can be used for securing configuration files.

D. The feature can be disabled remotely.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Extra space is not required to secure the primary IOS image file with the Cisco IOS Resilient Configuration feature. The Resilient Configuration feature is designed to protect system and configuration files from tampering and accidental deletion. You can issue the following block of commands to enable the Resilient Configuration feature:

Router#configure terminal
Router(config)#secure boot-image
Router(config)#secure boot-config

When the feature is enabled, the primary system image file and associated running configuration are securely archived in local persistent storage; you cannot select a remote storage location. The secure boot-image command enables the image resilience component of the Resilient Configuration feature and effectively hides the system image from the directory structure. This means that the system image will no longer be displayed when the dir command is issued from the command prompt of an EXEC shell; you can issue the show secure bootset command to verify that the system image has been archived. In addition, because the system image file is not copied to a secure location, extra storage is not required to secure it. By contrast, the secure boot-config command creates a hidden copy of the running configuration file. The secured versions of the system image and running configuration are referred to as the primary bootset.
You can restore either or both components of the primary bootset at any time. The system image can be restored from read-only memory (ROM) monitor (ROMmon) mode and the running configuration can be restored from the global configuration mode by using the restore parameter of the secure boot-config command. Once the system image and running configuration have been secured, the router will track version mismatches and produce a console message if the system image or running configuration have mismatched versions. Once the Resilient Configuration feature is enabled, it can only be disabled from the console.
Reference:
Cisco: Cisco IOS Resilient Configuration: Feature Design of Cisco IOS Resilient Configuration

QUESTION 60
Which of the following can be installed on a host to analyze and prevent malicious traffic on that host? (Select the best answer.)

A. antivirus software

B. a HIPS

C. a personal firewall

D. a proxy server

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Host-based Intrusion Prevention System (HIPS) can be installed on a host to analyze and prevent malicious traffic on that host. An Intrusion Prevention System (IPS) can be used to actively monitor, analyze, and block malicious traffic before it infects devices. HIPS software can be installed on a host computer to protect that computer against malicious traffic. By contrast, a Network-based IPS (NIPS) is an independent operating platform, often a standalone appliance or a hardware module installed in a chassis. A NIPS device can be installed inline on a network to monitor and prevent malicious traffic from being sent to other devices on the network. One advantage of using a NIPS over a HIPS is that a NIPS can detect low-level network events, such as the scanning of random hosts on the network; a HIPS can only detect scans for which it is the target. A HIPS and a NIPS can be used together to provide an additional layer of protection.
Although you could install a personal firewall to protect a host from malicious traffic, a personal firewall does not perform traffic analysis. However, a personal firewall can work in conjunction with other software, such as a HIPS or a NIPS, to protect a host from a wider array of malicious activities. For example, Cisco Advanced Malware Protection (AMP) for Endpoints can work in conjunction with a personal firewall to provide threat protection and advanced analytics.
You could not install antivirus software to analyze and prevent malicious traffic on that host. Antivirus software monitors the file system and memory space on a host for malicious code. Although the antivirus software might protect the host from malicious file execution, it would be unable to protect the host from malicious traffic. Some antivirus vendors offer integrated security suites, which feature personal firewall, HIPS, antivirus, and antimalware components.
You could not install a proxy server on a host to analyze and prevent malicious traffic on that host. A proxy server is typically an application layer gateway that provides resource caching and traffic filtering for a particular class of traffic, such as web content. Although you could install a proxy server locally on a host, it would not have a significant effect on malicious traffic directed at the host nor would it be able to analyze its content.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 19, Mitigation Technologies for Endpoint Threats, pp. 498-499

QUESTION 61
Which of the following traffic types can be detected by the FirePOWER rate-based prevention preprocessor engine? (Select the best answer.)

A. Back Orifice traffic

B. distributed port scan traffic

C. port sweep traffic

D. SYN flood traffic

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The FirePOWER rate-based prevention preprocessor engine can detect SYN flood traffic. A FirePOWER Intrusion Prevention System (IPS) has several predefined preprocessor engines that can be used in network policies to detect specific threats; the preprocessors focus on detecting Back Orifice attacks, detecting port scan attacks, preventing rate-based attacks, and detecting sensitive data. The rate-based prevention preprocessor detects traffic abnormalities based on the frequency of certain types of traffic. The following traffic patterns can trigger rate-based attack prevention:

- Traffic containing excessive incomplete Transmission Control Protocol (TCP) connections
- Traffic containing excessive complete TCP connections
- Excessive rule matches for a particular IP address or range of IP addresses
- Excessive rule matches for one particular rule regardless of IP address

Distributed port scan traffic and port sweep traffic can be detected by the portscan detection preprocessor. Port scanning traffic can be an indicator that an attacker is conducting network reconnaissance prior to an attack. Although legitimate port scanning traffic can periodically exist on a network, the portscan detection preprocessor can distinguish between legitimate scanning and potentially malicious traffic based on the activity patterns found in the analysis of port scanning traffic.
The FirePOWER IPS has a preprocessor dedicated to Back Orifice traffic. Back Orifice and its variants exploit a vulnerability in Microsoft Windows hosts to gain complete administrative control of the host. Back Orifice traffic can be identified by the presence of a specific token, known as a magic cookie, in the first eight bytes of a User Datagram Protocol (UDP) packet.
Reference:
Cisco: Detecting Specific Threats: Understanding Rate-Based Attack Prevention
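The first two patterns in the list above (excessive incomplete and excessive complete TCP connections) are both sliding-window counts per source, which is what makes a SYN flood visible to a rate-based engine: many SYNs whose handshakes never finish. The Python below is an added example, not FirePOWER code; it replays a constructed flow log, tracks which SYNs are completed by the client's handshake ACK, and raises an alert for any source whose half-open or completed connection count exceeds a threshold inside a window. The flow-record layout, window lengths and thresholds are simplifying assumptions chosen for illustration.

```python
"""Toy rate-based detector for the first two patterns listed above: excessive
incomplete TCP connections (half-open handshakes) and excessive complete TCP
connections from one source.

Added example; it is not FirePOWER code. The flow records, window sizes and
thresholds are constructed, simplified assumptions for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (timestamp_seconds, src_ip, dst_ip, dst_port, flag) where flag is "S" for a
# client SYN and "A" for the client's final handshake ACK.  Constructed sample.
Flow = Tuple[float, str, str, int, str]

SAMPLE_FLOWS: List[Flow] = (
    # a normal client: ten handshakes, each SYN followed 50 ms later by its ACK
    [(float(t), "192.0.2.10", "198.51.100.5", 443, "S") for t in range(10)]
    + [(t + 0.05, "192.0.2.10", "198.51.100.5", 443, "A") for t in range(10)]
    # a flooding source: 120 SYNs in 1.2 seconds, none ever completed
    + [(5.0 + i * 0.01, "203.0.113.7", "198.51.100.5", 443, "S") for i in range(120)]
)


def max_in_window(times: List[float], window: float) -> int:
    """Largest number of events falling in any sliding window of 'window' seconds."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def _replay(flows: List[Flow]):
    """Replay flows in time order; return per-source timestamps of SYNs that were
    never completed and of handshakes that did complete."""
    pending: Dict[Tuple[str, str, int], List[float]] = defaultdict(list)
    completed: Dict[str, List[float]] = defaultdict(list)
    for ts, src, dst, port, flag in sorted(flows, key=lambda f: f[0]):
        key = (src, dst, port)
        if flag == "S":
            pending[key].append(ts)
        elif flag == "A" and pending[key]:
            pending[key].pop(0)          # the ACK completes the oldest open SYN
            completed[src].append(ts)
    half_open: Dict[str, List[float]] = defaultdict(list)
    for (src, _, _), times in pending.items():
        half_open[src].extend(times)
    return half_open, completed


def _sources_over_threshold(per_source: Dict[str, List[float]],
                            window: float, threshold: int) -> List[Tuple[str, int]]:
    alerts = []
    for src, times in per_source.items():
        n = max_in_window(times, window)
        if n >= threshold:
            alerts.append((src, n))
    return sorted(alerts)


def find_half_open_floods(flows: List[Flow], window: float = 2.0,
                          threshold: int = 50) -> List[Tuple[str, int]]:
    """Sources with at least 'threshold' never-completed SYNs inside one window (SYN flood)."""
    half_open, _ = _replay(flows)
    return _sources_over_threshold(half_open, window, threshold)


def find_complete_connection_floods(flows: List[Flow], window: float = 20.0,
                                    threshold: int = 5) -> List[Tuple[str, int]]:
    """Sources with at least 'threshold' completed handshakes inside one window."""
    _, completed = _replay(flows)
    return _sources_over_threshold(completed, window, threshold)


if __name__ == "__main__":
    print("half-open floods:", find_half_open_floods(SAMPLE_FLOWS))
    print("connection-rate floods:", find_complete_connection_floods(SAMPLE_FLOWS))
```

The normal client never appears in the half-open list because each of its SYNs is matched by an ACK, while the flooding source trips the threshold immediately; a real engine adds a timeout so that a SYN without an ACK is counted as half-open while the flood is in progress rather than only at the end of the replay.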

QUESTION 62
Which of the following commands should you issue to allow a packet to exit an ASA through the same interface through which it entered the ASA? (Select the best answer.)

A. same-security-traffic permit inter-interface

B. same-security-traffic permit intra-interface

C. security-level 0

D. security-level 100

E. established

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
To allow a packet to exit a Cisco Adaptive Security Appliance (ASA) through the same interface through which it entered, which is also known as hairpinning, you should issue the same-security-traffic permit intra-interface command. By default, an ASA does not allow packets to enter and exit through the same physical interface. However, because multiple logical virtual LANs (VLANs) can be assigned to the same physical interface, it is sometimes necessary to allow a packet to enter and exit through the same interface. The same-security-traffic permit intra-interface command allows packets to be sent and received from the same interface even if the traffic is protected by IP Security (IPSec) security policies. Another scenario for which you would need to use the same-security-traffic permit intra-interface command is if multiple users need to connect via virtual private network (VPN) through the same physical interface. These users will not be able to communicate with one another unless the same-security-traffic permit intra-interface command has been issued from global configuration mode.
You should not issue the same-security-traffic permit inter-interface command to allow a packet to exit through the same interface through which it entered. The same-security-traffic permit inter-interface command is used to allow communication between different interfaces that share the same security level. Typically, interfaces with the same security level are not allowed to communicate with each other.
You should not issue either the security-level 0 command or the security-level 100 command to allow a packet to exit through the same interface through which it entered. The security-level command is used to set the security level on a physical interface. Security level 0 should be used to achieve the lowest security level possible, whereas security level 100 should be used to achieve the highest security level available.
You should not issue the established command to allow a packet to exit through the same interface through which it entered. The established command is used to allow inbound traffic on any interface that has already established an outbound connection with the ASA. For example, you could issue the established tcp 4567 0 command to configure the ASA to allow an external host to initiate a connection through the ASA to an internal host after the internal host has first established a Transmission Control Protocol (TCP) connection to port 4567 on the external host. The established command is often used to support protocols such as streaming media protocols that negotiate the ports for return traffic.
Reference:
Cisco: Configuring Interfaces: Allowing Same Security Level Communication

QUESTION 63
Which of the following devices requires that a physical interface be in promiscuous mode in order to monitor network traffic? (Select the best answer.)


A. an IPS

B. a firewall

C. a router

D. an IDS

E. an ASA

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
An Intrusion Detection System (IDS) requires that a physical interface be in promiscuous mode in order to monitor network traffic. An IDS is a network monitoring device that does not sit inline with the flow of network traffic; an IDS passively monitors a copy of network traffic, not the actual packet. Typically, an IDS has one promiscuous network interface attached to each monitored network. A promiscuous device listens to all data flowing past it regardless of the destination. Because traffic does not flow through the IDS, the IDS cannot mitigate single-packet attacks and is unable to directly block malicious traffic, like a virus, before it passes onto the network. However, an IDS can actively send alerts to a management station when it detects malicious traffic.
An Intrusion Prevention System (IPS) sits inline with the flow of traffic, thus actively monitoring network traffic and blocking malicious traffic, such as an atomic or single-packet attack, before it passes onto the network. Blocking an attack inline can prevent the attack from spreading further into the network. An IPS requires at least two interfaces for each monitored network: one interface listens to traffic entering the IPS, and the other listens to traffic leaving the IPS. In addition, an IPS acts similarly to a Layer 2 bridge in that it passes traffic through to destinations on the same subnet; an IPS cannot route to destinations on a different subnet. An interface of an IPS can be put in promiscuous mode; when this happens, the device operates as an IDS on that interface. However, an IPS does not require that a physical interface be in promiscuous mode in order to monitor network traffic.
A firewall is a network security device that protects a trusted network from an untrusted network, such as the Internet. Firewalls can operate in either routed mode or transparent mode. In routed mode, the firewall acts as a Layer 3 device that can perform Network Address Translation (NAT) and route traffic between virtual LANs (VLANs) on different subnets. In transparent mode, the firewall acts as a Layer 2 bridge in that it can pass traffic through to destinations on the same subnet but cannot route to destinations on a different subnet. Although a firewall is a security appliance that permits or denies traffic on a network, a firewall does not require that a physical interface be in promiscuous mode in order to monitor network traffic.
A router is a device that connects multiple subnets of the same or different networks and passes information between them. The functionality of a router can vary depending on the size of the network on which it is deployed. For example, a Cisco IPS Advanced Integration Module (AIM) can be installed in a router to integrate IPS functionality at the hardware level. Alternatively, an IOS feature set with IPS capabilities can be installed to provide IPS functionality at the software level. A router operating as an IPS or IDS can serve as a part of the network security structure as well as a bridge between two segments of the network. Although a router can function as an IPS or IDS, a router does not require that a physical interface be in promiscuous mode in order to monitor network traffic.
The Cisco Adaptive Security Appliance (ASA) is a multifunction appliance that can provide firewall, virtual private network (VPN), intrusion prevention, and content security services. The Cisco ASA is based on the framework of the Private Internet Exchange (PIX) firewall appliance. If used as an IPS device in IDS mode, or promiscuous mode, the Cisco ASA can have a physical interface in promiscuous mode; however, the Cisco ASA does not require that a physical interface be in promiscuous mode in order to monitor network traffic.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 17, Difference Between IPS and IDS, pp. 460-462
Cisco: Cisco IPS Mitigation Capabilities


QUESTION 64
Which of the following is typically implemented in a cluster configuration? (Select the best answer.)

A. ACS

B. CSA

C. CTA

D. SSC

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Cisco Secure Access Control System (ACS) is typically implemented in a cluster configuration. ACS is an Authentication, Authorization, and Accounting (AAA) server that uses Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) to provide AAA services for users, hosts, and network infrastructure devices such as switches and routers. An ACS deployment typically consists of a primary server responsible for configuration, authentication, and policy enforcement and one or more secondary servers serving as a backup in case the primary server fails. In large-scale deployments, the primary server's function is typically relegated to configuration and synchronization services, whereas the secondary servers provide AAA services to the network clients.

Cisco Trust Agent (CTA) is responsible for ascertaining the status of security applications and management tools that are installed on a client. As client software, CTA communicates host posture information back to a network access device on a Cisco Network Admission Control (NAC) framework. NAC is a Cisco feature that prevents hosts from accessing the network if they do not comply with organizational requirements, such as containing an updated antivirus definition file. When NAC is configured on an access device, such as a router or switch, the NAC device intercepts connections from hosts that are not yet registered on the network. When a host attempts to connect to the network, the access device queries the CTA running on the host for the host's security status. The access device then sends this information to the ACS, which determines whether the host is in compliance with organizational security policies. If the host is in compliance, it is allowed to access the network; if the host is not in compliance, it can be denied access, quarantined, or allowed limited network access.

Cisco Secure Services Client (SSC) is client security software that facilitates the use of one authentication framework for connecting to both wired and wireless devices on a Cisco Unified Wireless Network. SSC makes use of the Extensible Authentication Protocol (EAP), Wi-Fi Protected Access (WPA), and WPA2 standards to control network access and enforce security policies for clients using Microsoft Windows platforms. Cisco SSC is not typically implemented in a cluster configuration.

Cisco Security Agent (CSA) is a Host-based Intrusion Prevention System (HIPS) that can be installed on host computers, servers, and point-of-sale (POS) computers. CSA can help protect these devices from malicious network traffic, such as zero-day attacks. In addition, CSA can provide local firewall services, antivirus services, and security policy enforcement. CSA is not typically implemented in a cluster configuration.

Reference:
Cisco: Understanding the ACS Server Deployment (PDF)

QUESTION 65
Which of the following traffic types are blocked by default in a zone-based policy firewall configuration? (Select 2 choices.)

A. traffic to or from the self zone

B. traffic between interfaces in the same zone

C. traffic between interfaces in a zone and interfaces not assigned to any zone

D. traffic between interfaces in different zones

E. traffic directly to or received from the router

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In a zone-based policy firewall (ZFW) configuration, all traffic between interfaces in different zones is blocked by default. In addition, all traffic between interfaces that have been assigned to a zone and interfaces that are not assigned to any zone is blocked by default. ZFW is the latest iteration of Cisco's stateful firewall implementation, which was formerly called Context-Based Access Control (CBAC). With ZFW, virtual security zones are specified and then interfaces are assigned to the appropriate zone. By default, all traffic is implicitly permitted to flow between interfaces that have been assigned to the same zone; however, all traffic between zones is blocked. In addition, all traffic to and from an interface is implicitly blocked by default when the interface is assigned to a zone, but there are a few exceptions. Traffic to or from other interfaces in the same zone is permitted, as is traffic to or from the router itself. When ZFW is configured, a special zone called the self zone is automatically created and contains the IP addresses of all the router interfaces. By default, all traffic to or from the self zone is implicitly permitted; this implicit permission ensures that management access to the router is not lost when ZFW is configured.

In order for traffic to flow between user-configured zones, stateful packet inspection policies must be configured to explicitly permit traffic between the zones. The basic process is as follows:
1. Define the required zones.
2. Create zone-pairs for zones that will pass traffic between themselves.
3. Define class maps to match the appropriate traffic for each zone-pair.
4. Define policy maps to specify the actions that should be performed on matching traffic.
5. Apply the policy maps to the zone-pairs.
6. Assign interfaces to their appropriate zones.

Although inspection rules can be created for a large number of traffic types, stateful inspection of multicast traffic is not supported by ZFW and must be handled by other security features, such as Control Plane Policing (CoPP).

Reference:
Cisco: Zone-Based Policy Firewall Design and Application Guide: Rules For Applying Zone-Based Policy Firewall
Category: Cisco Firewall Technologies
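The six steps above, carried through as one complete IOS configuration. This is an added example, not configuration from the exam guide or from Cisco's design guide; the zone, class-map and policy-map names, the interface numbers and the choice of inspected protocols are assumptions. Only one zone-pair is created, so the default deny between zones still applies to anything the OUTSIDE side tries to initiate.

```cisco
! Added example (not from the original page): a two-zone ZFW that statefully
! inspects web and DNS traffic from INSIDE to OUTSIDE. Zone, class-map,
! policy-map names and interface numbers are assumptions.

! Step 1: define the zones
zone security INSIDE
 description Trusted user LAN
zone security OUTSIDE
 description Untrusted Internet-facing segment

! Step 2: one zone-pair for the only direction allowed to open connections.
! No OUTSIDE->INSIDE pair is defined, so unsolicited inbound traffic keeps
! the default deny between zones.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE

! Step 3: class map matching the traffic to be inspected
class-map type inspect match-any CM-WEB-DNS
 match protocol http
 match protocol https
 match protocol dns

! Step 4: policy map with the actions. 'inspect' creates the state entries
! that let return traffic back in; everything else in this direction is
! dropped and logged.
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-WEB-DNS
  inspect
 class class-default
  drop log

! Step 5: apply the policy map to the zone-pair
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT

! Step 6: assign the interfaces. From this point, traffic from either
! interface to an interface that is still in no zone is dropped, while
! traffic to the router's own addresses (self zone) remains permitted.
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

After the configuration is applied, show zone-pair security confirms which policy map is bound to which pair, and show policy-map type inspect zone-pair sessions lists the state entries that the inspect action created; an inbound flow that has no matching entry there is being dropped by the default inter-zone deny, not by any class map.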

QUESTION 66
An inside host has initiated a TCP connection through a Cisco ASA to an outside server. The outside server has responded with a SYN/ACK segment; however, the inside host has not yet responded with an ACK segment.


Which of the following lines of output from the show conn command best represents the state of the connection in this scenario? (Select the best answer.)

A. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB

B. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA

C. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB

D. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A

E. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U

F. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The following line of output from the show conn command on a Cisco Adaptive Security Appliance (ASA) best represents the state of a connection that is waiting on only the ACK segment from an inside host:

TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A

The output of the show conn command uses connection flags to indicate the status of each entry in the ASA connection database. The connection database is used by the stateful firewall feature of the ASA to track the state of each network connection that passes through it. The flags that an ASA uses to track a connection entry are dependent on the interface that initiated the connection. Typically, each connection entry has corresponding inside and outside interfaces. In terms of the connection database, the inside interface for the entry is the interface with the higher security level, whereas the outside interface for the entry is the interface with the lower security level. In addition, a data flow from the inside interface to the outside interface is considered to be moving in the outbound direction, and a data flow from the outside interface to the inside interface is considered to be moving in the inbound direction.

When an ASA receives the first packet from a Transmission Control Protocol (TCP) connection, it creates an entry in the connection database. The ASA immediately adds the B flag to the entry if the connection was initiated from the outside. The ASA then uses various flags to indicate the progress of the TCP three-way handshake. For example, if a connection is initiated from the inside, the ASA will add the saA flags to the entry, as shown in the following command output:

TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA

The s flag indicates that the ASA is awaiting a SYN segment from the outside host, and the a flag indicates that the ASA is waiting for an ACK response segment to the SYN that was initiated from the inside host. When the corresponding SYN/ACK segment is received from the outside host, it will satisfy both of these flags and the ASA will clear the flags from the entry, as shown in the following command output:

TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A

The remaining A flag indicates that the ASA is awaiting an ACK segment from the inside host. When the host on the inside responds to the SYN/ACK segment with the corresponding ACK segment, the ASA will clear the A flag and will mark the connection with the U flag, as shown in the following command output:

TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U

The U flag indicates that the three-way handshake is complete and that the TCP session is established. Once the TCP session is established, the host can begin to exchange data. In this example, the inside host has established a Secure Shell (SSH) session to an outside server. When the outside server sends data to the inside host, the ASA will add the I flag to the entry to indicate that data has passed through the session in the inbound direction. Likewise, the ASA will add the O flag to the entry to indicate that data has passed through the session in the outbound direction. Thus a normal TCP session should have flags similar to those shown in the following command output:

TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO

By contrast, if the connection were initiated from the outside, the ASA would have added the SaAB flags to the entry, as shown in the following command output:

TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB

The S flag indicates that the ASA is awaiting a SYN segment from the inside host, and the A flag indicates that the ASA is waiting for an ACK response segment to the SYN that was initiated from the outside host. When the corresponding SYN/ACK segment is received from the inside host, it will satisfy both of these flags and the ASA will clear the flags from the entry, as shown in the following command output:

TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB

The remaining a flag indicates that the ASA is awaiting an ACK segment from the outside host. When the host on the outside responds to the SYN/ACK segment with the

QUESTION 67
Which of the following is an IOS privilege level that provides the highest level of access on a Cisco router? (Select the best answer.)

A. 0

B. 1

C. 15

D. 16

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The highest level of access on a Cisco router is provided by IOS privilege level 15. Privilege levels can be used to limit the IOS commands that a user can access. However, you are limited to 16 privilege levels, some of which are used by default by the IOS. For example, privilege levels 1 and 15 are default IOS privilege levels. Privilege level 1 allows a user to issue any command that is available at the user EXEC > prompt. Privilege level 15 allows a user to issue any command that is available at the privileged EXEC # prompt.

Each privilege level is associated with a list of commands that are available at that level. Users assigned to a privilege level have access to all of the commands at that privilege level and all lower privilege levels. Changing the commands that are available to a privilege level might provide access to a user who should not be allowed access to the command, or it might restrict access to another user who should be allowed access to the command.

Because the default privilege level for a newly created local user account is 1, a newly created user will always have access to the disable, enable, exit, help, and logout commands; these commands are associated with privilege level 0. However, per-user privilege levels can sometimes conflict with the privilege levels set for virtual terminal (VTY) lines. In the event of a conflict, per-user privileges override the privileges configured for the VTY line causing the conflict.

Although there are 16 distinct privilege levels that can be assigned on a Cisco router, 16 is not a valid value for a privilege level. Valid values for user-assigned privilege levels are whole numbers ranging from 0 through 15.


Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 11, Custom Privilege Levels, p. 287
Cisco: IOS Privilege Levels Cannot See Complete Running Configuration: Privilege Levels
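A custom level between the two defaults, as an added example of the mechanism the explanation describes (not configuration from the exam guide or from Cisco's documentation). The username, the secrets, the command set chosen for level 5 and the vty line numbers are assumptions; the point is that every command moved down to level 5 becomes available to every user at level 5 and above, so the set should stay as small as the operator's job allows.

```cisco
! Added example (not from the original page): a custom privilege level 5 for a
! first-line operator. Username, secrets and the command set are assumptions.

! Move selected commands from level 15 down to level 5. A user at level 5
! also inherits everything at levels 0 through 4.
privilege exec level 5 show running-config
privilege exec level 5 show ip interface brief
privilege exec level 5 show ip route
privilege exec level 5 show logging
privilege exec level 5 clear counters

! A local account that lands directly at level 5 after login, and an enable
! secret for users at a lower level who escalate with 'enable 5'
username netops privilege 5 secret EXAMPLE-user-secret
enable secret level 5 EXAMPLE-level5-secret

! Authenticate the vty lines against the local database so that the
! per-user level (which overrides the line's level) takes effect
line vty 0 4
 login local
 transport input ssh
```

After logging in, the operator sees the # prompt and show privilege reports level 5, but configure terminal is still rejected because it was left at level 15. Note also what the second reference in the list above is about: show running-config at level 5 displays only the commands the user is allowed to issue, so this account cannot read the complete configuration even though the command itself is permitted.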

QUESTION 68
Which of the following statements is true regarding LDAP attribute maps on an ASA? (Select the best answer.)

A. There is a defined limit on the number of LDAP attribute maps you can configure.

B. There is a defined limit on the number of attributes that can be mapped in each LDAP attribute map.

C. There is a defined limit on the number of LDAP servers to which an LDAP attribute map can be applied.

D. There is a defined limit on the number of AD multivalued attributes matched by an LDAP attribute map.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When using Lightweight Directory Access Protocol (LDAP) attribute maps on a Cisco Adaptive Security Appliance (ASA), there is a limit on the number of Active Directory (AD) multivalued attributes matched by an LDAP attribute map. LDAP attribute maps are used to authorize virtual private network (VPN) users based on specified AD attributes, such as group membership or department name. If an LDAP query returns a multivalued attribute, such as the list of groups of which a user is a member, the ASA will match only one of the returned values to the appropriate group policy. The ASA will select the matching group policy with the least number of characters in the name and that starts with the lowest alphanumeric character.

There is no defined limit on the number of LDAP attribute maps you can configure on an ASA. Because LDAP attribute maps are dynamically allocated as they are needed, configuring a large number of attribute maps does not unnecessarily burden the ASA during normal operations. Likewise, there is no defined limit on the number of attributes that can be mapped in each LDAP attribute map.

There is no defined limit on the number of LDAP servers to which an LDAP attribute map can be applied. When an LDAP attribute map is applied to a server, the ASA only verifies that the specified attribute map exists. The same LDAP attribute map can be applied to multiple, different servers.

Reference:
Cisco: ASA Use of LDAP Attribute Maps Configuration Example: FAQ

QUESTION 69


Which of the following can be determined from the Route Details tab of the VPN Client Statistics dialog box shown above? (Select the best answer.)

A. The VPN client cannot access devices on the local LAN.

B. The VPN client is configured to use split tunneling.

C. The VPN client is configured to use transparent tunneling.

D. The VPN client cannot access devices on the 172.16.20.0/24 network.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Route Details tab of the VPN Client Statistics dialog box displayed below indicates that the virtual private network (VPN) client is configured to use split tunneling:


By default, all traffic from a VPN client is passed through an encrypted tunnel to the VPN server. However, with split tunneling, only traffic destined for a protected subnet is passed through the encrypted tunnel; all other traffic is processed normally. You can define protected subnets on the VPN server by entering the network address of each protected subnet on the Split Tunneling tab of the Group Policy window or by specifying an access control list (ACL) that includes each protected subnet. When a client establishes a VPN session, the list of protected subnets is passed from the VPN server to the VPN client as part of the session configuration parameters.

Alternatively, the VPN client can be configured to pass all nonlocal traffic through an encrypted tunnel to the VPN server. If the group policy on the VPN server permits local LAN access and the VPN client is configured to allow local LAN access, all traffic that is not destined to the local LAN is sent through the encrypted tunnel. For example, if the VPN client had a locally configured route to the 192.168.13.0/24 network, packets destined for that network would be processed normally. However, any packets destined for a network not in the VPN client's routing table, such as the Internet, would pass through the encrypted tunnel to the VPN server. This configuration is represented on the Route Details tab of the VPN Client Statistics dialog box shown below:


The VPN Client Statistics dialog box does not indicate that the client cannot access devices on the 172.16.20.0/24 network. Because the 172.16.20.0/24 network is listed in the Secured Routes pane, traffic destined for the 172.16.20.0/24 network will pass through the encrypted tunnel to the VPN server. However, traffic destined for a network not in the Secured Routes pane, such as the Internet or the local LAN, will not pass through the tunnel and will be processed normally.

Likewise, the VPN Client Statistics dialog box does not indicate that the client cannot access devices on the local LAN. Because the router is configured for split tunneling, only traffic destined for a network in the Secured Routes pane is passed through an encrypted tunnel to the VPN server. All other traffic, including local LAN traffic, is processed normally.

You cannot determine from the Route Details tab of the VPN Client Statistics dialog box whether the client is configured to use transparent tunneling. The Tunnel Details tab of the VPN Client Statistics dialog box indicates whether the client is configured to use transparent tunneling. Transparent tunneling facilitates the creation of IP Security (IPSec) tunnels through a firewall or Network Address Translation (NAT) device. When transparent tunneling is enabled on the client, encrypted packets are encapsulated in Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets prior to transmission through the firewall or NAT device.

Reference:
Cisco: ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example: Connect with the VPN Client
CCNA Security 210-260 Official Cert Guide, Chapter 8, Split Tunneling, pp. 227-228
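The two behaviours the explanation contrasts (protected subnets only, or everything except the local LAN) as ASA group-policy configuration. This is an added example, not configuration from the exam guide or from the Cisco document cited; the ACL, group-policy and tunnel-group names and the 172.16.30.0/24 subnet are assumptions (172.16.20.0/24 is the network from the question). The server side alone does not enable local LAN access: the client must also be set to allow it, as the explanation states.

```cisco
! Added example (not from the original page): split tunneling on an ASA.
! ACL, group-policy and tunnel-group names and 172.16.30.0/24 are assumptions.

! Variant 1: tunnel only the protected subnets. These are the networks the
! client shows in its Secured Routes pane; everything else is routed normally.
access-list SPLIT-PROTECTED standard permit 172.16.20.0 255.255.255.0
access-list SPLIT-PROTECTED standard permit 172.16.30.0 255.255.255.0
group-policy GP-SPLIT internal
group-policy GP-SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-PROTECTED

! Variant 2: tunnel everything except the client's local LAN. The 0.0.0.0
! host entry is the ASA's way of saying "the client's directly connected
! subnet"; the client's own "Allow Local LAN Access" setting must also be on.
access-list LOCAL-LAN standard permit host 0.0.0.0
group-policy GP-LOCAL-LAN internal
group-policy GP-LOCAL-LAN attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL-LAN

! Bind one of the two policies to the remote-access tunnel group
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 default-group-policy GP-SPLIT
```

With either variant, traffic that is not tunnelled never reaches the ASA, so any inspection or filtering the ASA applies to VPN users covers only the tunnelled flows; the client's own host firewall is what protects the rest.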

QUESTION 70
Which of the following IPS detection methods is a string pattern-based detection method? (Select the best answer.)

A. anomaly-based detection

B. profile-based detection

C. signature-based detection

D. policy-based detection


Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Signature-based detection is a string pattern-based detection method. Pattern-based detection methods use specific strings of text to detect malicious traffic. Many signature-based detection methods can also use protocols and port numbers to further specify malicious traffic patterns. The benefit of signature-based detection methods is that the number of false positives generated is typically low. However, the drawback is that a modified attack cannot be detected by an old signature; the modified attack will not be detected until a new signature is added for the modified attack. Therefore, Cisco recommends updating signature files, including antivirus signatures, every time a new update is available.

Anomaly-based detection methods and profile-based detection methods detect abnormal behavior on a network. Traffic is classified as normal or abnormal based on information that is dynamically learned or manually programmed. The benefit of anomaly-based detection is that anything that is not specified as normal is classified as abnormal; therefore, anomaly-based detection can typically detect a wide range of threats. One drawback of anomaly-based detection is that new traffic patterns are required on a regular basis on all but the smallest of networks, which leads to a lot of false positives. Another drawback is the memory and processing power required to handle profiles for each user.

Policy-based detection methods use algorithms to detect patterns in network traffic. The benefit of policy-based detection methods is that they can often detect when a coordinated attack, such as a Distributed Denial of Service (DDoS) attack, is happening, whereas a signature-based detection method might detect only a collection of individual Denial of Service (DoS) attacks.

Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 17, Signature-Based IPS/IDS, p. 464
Symantec: Network Intrusion Detection Signatures, Part One

QUESTION 71
You have been asked to add a key to an existing key chain. You issue the following commands to enter key chain key configuration mode:
RouterA(config)#key chain chain1
RouterA(config-keychain)#key 2
RouterA(config-keychain-key)#key-string key2

The new key should be valid for three hours, and the router should begin sending the key at 9 a.m. on January 13, 2015.
Which of the following commands should you issue next to achieve your goal? (Select the best answer.)

A. accept-lifetime 09:00:00 Jan 13 2015 duration 3

B. accept-lifetime 09:00:00 Jan 13 2015 duration 180

C. send-lifetime 09:00:00 Jan 13 2015 duration 180

D. send-lifetime 09:00:00 Jan 13 2015 duration 10800

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:


Explanation:
You should issue the send-lifetime 09:00:00 Jan 13 2015 duration 10800 command to specify that the key in this scenario should be valid for three hours and that the router should begin sending the key at 9 a.m. on January 13, 2015. The send-lifetime command is used to specify the period of time during which a key should be sent by a router for authentication. The syntax for this command is send-lifetime start-time {infinite | end-time | duration seconds}, where start-time specifies the date and time that the key should start being sent. By default, keys are valid indefinitely; however, you can use the duration keyword to specify a duration value between 1 and 2,147,483,646 seconds. In this scenario, the duration is 10800 seconds, which is three hours, and the start time is 09:00:00 Jan 13 2015, which corresponds to 9 a.m. on January 13, 2015.

You should not issue the send-lifetime 09:00:00 Jan 13 2015 duration 180 command, because the key duration is incorrectly specified as 180 seconds, which is three minutes, instead of 10,800 seconds, or three hours.

You should not issue the accept-lifetime 09:00:00 Jan 13 2015 duration 3 command or the accept-lifetime 09:00:00 Jan 13 2015 duration 180 command. The accept-lifetime command specifies the time period during which a received key is considered valid. By default, received keys are valid indefinitely. If no send-lifetime command has been issued, the accept-lifetime command will limit the period of time in which the received key is valid, but it will have no effect on the period of time during which the router sends the key for authentication.

Reference:
Cisco: IP Routing Protocol-Independent Commands: send-lifetime
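The scenario's key 2, placed in a chain alongside the key it replaces, as an added example of how send-lifetime and accept-lifetime are used together (not configuration from the exam guide or from Cisco's command reference). The key strings, the lifetime of key 1 and the 30-minute overlap are assumptions; the 09:00:00 Jan 13 2015 start and the 10800-second send duration are the values from the question.

```cisco
! Added example (not from the original page): rolling from key 1 to key 2 at
! 09:00 on 13 Jan 2015. Key strings and the overlap windows are assumptions.
key chain chain1
 key 1
  key-string EXAMPLE-key1
  ! key 1 stops being sent the moment key 2 takes over (end-time form) ...
  send-lifetime 00:00:00 Jan 1 2015 09:00:00 Jan 13 2015
  ! ... but is still accepted for 30 minutes afterwards, so a peer whose
  ! clock runs slightly behind is not rejected during the changeover
  accept-lifetime 00:00:00 Jan 1 2015 09:30:00 Jan 13 2015
 key 2
  key-string EXAMPLE-key2
  ! the value asked for in the question: sent for three hours (10800 s)
  send-lifetime 09:00:00 Jan 13 2015 duration 10800
  ! accepted from 30 minutes before the send window until 30 minutes after
  ! it: 08:30 plus 14400 s (four hours) ends at 12:30
  accept-lifetime 08:30:00 Jan 13 2015 duration 14400
```

Because both commands are evaluated against the router's clock, the chain only behaves as intended on routers whose time is synchronised (for example by NTP); show key chain chain1 displays each key's computed send and accept windows so the overlap can be checked before the rollover time arrives. A key whose accept-lifetime is narrower than the peer's send-lifetime produces authentication failures at the edges of the window, which is why the accept window here is the wider of the two.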

QUESTION 72
Which of the following can be mitigated by installing a personal firewall on a laptop? (Select the best answer.)

A. a SYN flood attack

B. a cross-site scripting attack

C. a port-scanning attack

D. a session-hijacking attack

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Installing a personal firewall on a laptop can mitigate a port-scanning attack. In a port-scanning attack, an attacker uses a port-scanning application to probe a computer to determine which ports are open and vulnerable to an attack. After determining which ports are open, the attacker can attempt to access the computer through an open port. With a personal firewall, you can protect a host from malicious traffic by permitting or denying specific applications or network ports access to the host or its network interface. Typically, a personal firewall provides sufficient granularity to specify the direction of a particular flow of traffic. For example, you could permit outbound web traffic but deny all inbound traffic that does not correspond to established outbound connections.

Installing a personal firewall on a laptop would not mitigate a session-hijacking attack. A session-hijacking attack requires that the attacker determine the Initial Sequence Number (ISN) for a new Transmission Control Protocol (TCP) session. The ISN is used during the TCP three-way handshake to synchronize the states of the sending and receiving hosts. If an attacker can guess the ISN or any subsequent sequence number for a connection, the attacker can hijack the session. Typically, an attacker will disrupt the connection by forcing one of the hosts to become unsynchronized and will then assume the identity of the unsynchronized host by spoofing its IP address. Session hijacking relies on the attacker being able to determine the correct sequence number for any given segment in a TCP session. Because some hosts use incremental ISNs and random sequence numbers, an attacker can determine the ISN for a new connection on a vulnerable host by first initiating a connection to the host and determining the current ISN.

Installing a personal firewall on a laptop would not mitigate a cross-site scripting (XSS) attack. An XSS attack takes advantage of weaknesses within a web application to insert malicious code into input fields on a web form. If the attack is successful, the attacker might be able to inject code into the webpage, which could allow the attacker to perform a variety of malicious tasks, such as redirecting visitors to another website or harvesting cookies from the victim's computer. Server-side input validation can be used to mitigate XSS attacks performed on web forms. However, other types of XSS attacks, such as a link in an email to lure victims to a webpage containing malicious script, are not mitigated by input validation.

Installing a personal firewall on a laptop would not mitigate a SYN flood attack. A SYN flood attack sends a large volume of SYN segments to a target host in an attempt to saturate the target's TCP connection table. The SYN flood attack exploits the TCP three-way handshake by sending TCP SYN segments from spoofed IP addresses. When the target host replies to the spoofed IP addresses, the target's packets are ignored because the spoofed hosts do not have corresponding entries in their TCP connection tables. The target host will continue to wait for responses from the spoofed hosts until the TCP handshake times out. With a sufficient number of SYN requests, the target's TCP connection table can become full. Once the TCP connection table is full, the target host will be unable to accept new TCP connections.

Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 19, Personal Firewalls and Host Intrusion Prevention Systems, pp. 498-499

QUESTION 73
When a switch is configured with private VLANs, which of the following ports can an isolated port communicate with? (Select the best answer.)

A. ports within the same community

B. ports within a different community

C. other isolated ports

D. promiscuous ports

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
An isolated port can communicate with promiscuous ports when a switch is configured with private virtual LANs (VLANs). Private VLANs can be configured on a switch to help isolate traffic within a VLAN. Private VLANs can provide Layer 2 separation between ports that belong to the same VLAN. Because the separation exists at Layer 2, the hosts can exist on the same IP subnet. The VLAN to which the hosts belong is called the primary VLAN. To create a private VLAN, you must create secondary VLANs and associate them with the primary VLAN. There are two types of secondary VLANs: community VLANs and isolated VLANs. Ports that belong to a community VLAN can communicate with promiscuous ports and with other ports that belong to the same community. However, they cannot communicate with isolated ports or with ports that belong to other communities. Ports that belong to an isolated VLAN can communicate only with promiscuous ports.

After configuring the private VLAN, you can configure ports to participate in the private VLAN. When configuring a port to participate in a private VLAN, you must configure the port by issuing the switchport mode private-vlan {promiscuous | host} command. The promiscuous keyword configures the port to communicate with any secondary VLAN. Consequently, devices that should be reachable from any secondary VLAN should be connected to promiscuous ports. For example, a router, a firewall, or a gateway that any host should be able to reach should be connected to a promiscuous port. By contrast, devices connected to isolated or community VLANs should be connected to host ports, which are configured by using the host keyword.


Reference:
Cisco: Configuring Private VLANs: Understanding Private VLANs
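The reachability rules above (promiscuous reaches everything, community reaches its own community plus promiscuous, isolated reaches only promiscuous) can be checked on a planned port layout before it is applied. The following Python is an added example, not code from the exam dump or from Cisco; interface names and VLAN ids are hypothetical, and the mapping/host-association commands it emits alongside the switchport mode private-vlan command are Catalyst commands not quoted on this page.

```python
"""Private VLAN (PVLAN) port-plan checker (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ROLES = ("promiscuous", "community", "isolated")


@dataclass(frozen=True)
class PvlanPort:
    name: str                        # interface name, e.g. "Gi0/1" (hypothetical)
    role: str                        # one of ROLES
    community: Optional[int] = None  # secondary VLAN id, community ports only

    def __post_init__(self) -> None:
        if self.role not in ROLES:
            raise ValueError(f"{self.name}: unknown PVLAN role {self.role!r}")
        # A community id is required for community ports and forbidden otherwise.
        if (self.role == "community") != (self.community is not None):
            raise ValueError(f"{self.name}: community VLAN id only for community ports")


def can_communicate(a: PvlanPort, b: PvlanPort) -> bool:
    """True if Layer 2 traffic may pass between ports a and b."""
    if a.name == b.name:
        return True
    # A promiscuous port (router, firewall, gateway) reaches every secondary VLAN.
    if a.role == "promiscuous" or b.role == "promiscuous":
        return True
    # Two community ports reach each other only inside the same community.
    if a.role == "community" and b.role == "community":
        return a.community == b.community
    # Every remaining pairing involves an isolated port with no promiscuous
    # peer, including isolated-to-isolated, and is blocked.
    return False


def reachability(ports: List[PvlanPort]) -> Dict[str, List[str]]:
    """For each port, the sorted names of the other ports it can reach."""
    return {p.name: sorted(q.name for q in ports
                           if q.name != p.name and can_communicate(p, q))
            for p in ports}


def ios_config(port: PvlanPort, primary: int, isolated_vlan: int,
               community_vlans: List[int]) -> List[str]:
    """Interface commands for one port: 'switchport mode private-vlan
    {promiscuous | host}' from the explanation plus the matching mapping or
    host-association command. primary and isolated_vlan are assumed ids."""
    lines = [f"interface {port.name}"]
    if port.role == "promiscuous":
        secondaries = sorted(set(community_vlans) | {isolated_vlan})
        lines.append(" switchport mode private-vlan promiscuous")
        lines.append(" switchport private-vlan mapping "
                     f"{primary} {','.join(str(v) for v in secondaries)}")
    else:
        secondary = port.community if port.role == "community" else isolated_vlan
        lines.append(" switchport mode private-vlan host")
        lines.append(f" switchport private-vlan host-association {primary} {secondary}")
    return lines


if __name__ == "__main__":
    # Constructed plan: a gateway, two communities and two isolated hosts.
    plan = [
        PvlanPort("Gi0/1", "promiscuous"),
        PvlanPort("Gi0/2", "community", 101),
        PvlanPort("Gi0/3", "community", 101),
        PvlanPort("Gi0/4", "community", 102),
        PvlanPort("Gi0/5", "isolated"),
        PvlanPort("Gi0/6", "isolated"),
    ]
    for name, peers in reachability(plan).items():
        print(f"{name} -> {', '.join(peers) or '(none)'}")
    communities = [p.community for p in plan if p.community is not None]
    for p in plan:
        print("\n".join(ios_config(p, 100, 200, communities)))
```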

QUESTION 74
Which of the following statements is not true regarding the IaaS service model? (Select the best answer.)

A. The consumer has control over the configuration of the OS running on the physical infrastructure in the cloud.

B. The consumer has control over the physical infrastructure in the cloud.

C. The consumer has control over the allocation of processing, memory, storage, and network resources within the cloud.

D. The consumer has control over development tools or APIs in the cloud running on the physical infrastructure in the cloud.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In the Infrastructure as a Service (IaaS) service model, the consumer does not have control over the physical infrastructure in the cloud. The National Institute of Standards and Technology (NIST) defines three service models in its definition of cloud computing: Software as a Service (SaaS), IaaS, and Platform as a Service (PaaS).

The SaaS service model enables its consumer to access applications running in the cloud infrastructure but does not enable the consumer to manage the cloud infrastructure or the configuration of the provided applications. A company that licenses a service provider’s office suite and email service that is delivered to end users through a web browser is using SaaS. SaaS providers use an Internet-enabled licensing function, a streaming service, or a web application to provide end users with software that they might otherwise install and activate locally. Web-based email clients, such as Gmail and Outlook.com, are examples of SaaS.

The PaaS service model provides its consumer with a bit more freedom than the SaaS model by enabling the consumer to install and possibly configure provider-supported applications in the cloud infrastructure. A company that uses a service provider’s infrastructure, programming tools, and programming languages to develop and serve cloud-based applications is using PaaS. PaaS enables a consumer to use the service provider’s development tools or Application Programmer Interface (API) to develop and deploy specific cloud-based applications or services. Another example of PaaS might be using a third party’s MySQL database and Apache services to build a cloud-based customer relationship management (CRM) platform.

The IaaS service model provides the greatest degree of freedom by enabling its consumer to provision processing, memory, storage, and network resources within the cloud infrastructure. The IaaS service model also enables its consumer to install applications, including operating systems (OSs) and custom applications. However, with IaaS, the cloud infrastructure remains in control of the service provider. A company that hires a service provider to deliver cloud-based processing and storage that will house multiple physical or virtual hosts configured in a variety of ways is using IaaS. For example, a company that wanted to establish a web server farm by configuring multiple Linux Apache MySQL PHP (LAMP) servers could save hardware costs by virtualizing the farm and using a provider’s cloud service to deliver the physical infrastructure and bandwidth for the virtual farm. Control over the OS, software, and server configuration would remain the responsibility of the organization, whereas the physical infrastructure and bandwidth would be the responsibility of the service provider.

Reference:
NIST: Special Publication 800-145: The NIST Definition of Cloud Computing (PDF)

QUESTION 75
Which of the following email-related FirePOWER preprocessors can extract and decode attachments in client-to-server traffic? (Select the best answer.)


A. only the IMAP preprocessor

B. only the POP3 preprocessor

C. only the SMTP preprocessor

D. only the POP3 and SMTP preprocessors

E. only the IMAP and SMTP preprocessors

F. the IMAP, POP3, and SMTP preprocessors

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:
Explanation:
On a Cisco FirePOWER Intrusion Prevention System (IPS), the Internet Message Access Protocol (IMAP), Post Office Protocol version 3 (POP3), and Simple Mail Transfer Protocol (SMTP) preprocessors can extract and decode attachments in client-to-server traffic. The FirePOWER IMAP, POP3, and SMTP preprocessors are Application layer inspection engines with the capability to decode email traffic and to normalize the resulting data prior to forwarding the traffic to the intrusion rules engine for analysis.

In addition to generating an event when they observe anomalous traffic, the FirePOWER email-related preprocessor engines can inspect the commands that pass between a client and a server to ensure that they are compliant with the relevant Request for Comments (RFC). For example, the IMAP preprocessor can generate an event when either a client command or a server response does not comply with RFC 3501, which is the RFC that defines the IMAP protocol, and the POP3 preprocessor can do the same for commands that do not comply with RFC 1939, which is the RFC that defines the POP3 protocol. By contrast, the SMTP preprocessor provides the ability to normalize all, none, or a specific set of SMTP commands, although a base set of commands will always be considered as part of the custom valid set if normalization is enabled.

Reference:
Cisco: Application Layer Preprocessors: The IMAP Preprocessor
Cisco: Application Layer Preprocessors: The POP Preprocessor
Cisco: Application Layer Preprocessors: The SMTP Preprocessor

QUESTION 76
Which of the following authentication methods is not used with OSPFv3? (Select the best answer.)

A. plaintext

B. MD5

C. SHA1

D. IPv6 IPSec

Correct Answer: A
Section: (none)
Explanation


Explanation/Reference:
Explanation:
Plaintext authentication is not used with Open Shortest Path First version 3 (OSPFv3), which is also called OSPF for IP version 6 (IPv6). OSPFv3 uses IPv6 IP Security (IPSec) authentication, which in turn uses either Message Digest 5 (MD5) or the Secure Hash Algorithm 1 (SHA1). Although plaintext authentication is not used by OSPFv3, you can configure OSPFv3 either to encrypt the MD5 or SHA1 hash that is used by IPv6 IPSec or to leave the hash unencrypted. Encrypting the hash provides an extra layer of security but requires additional processing that could introduce latency. You can issue either the ospfv3 authentication command or the ipv6 ospf authentication command to configure authentication for OSPFv3 on an interface.

MD5 and plaintext authentication are supported by OSPF version 2 (OSPFv2), which is the IPv4 version of OSPF. By default, no authentication method is used with OSPFv2. To configure a router for MD5 authentication, you should first configure the authentication password by issuing the ip ospf authentication-key password command in interface configuration mode. Then you should configure MD5 authentication for an OSPF interface by issuing the ip ospf authentication message-digest command in interface configuration mode. Because plaintext authentication is notoriously insecure, Cisco recommends using MD5 authentication for OSPFv2 instead of plaintext authentication.

Reference:
Cisco: IPv6 Routing: OSPFv3 Authentication Support with IPsec: How to Configure IPv6 Routing: OSPFv3 Authentication Support with IPsec

QUESTION 77
You have configured a Cisco Catalyst switch to store its binding table on a local TFTP server. Which of the following commands can you issue to verify the URL that the agent will use to store the binding table on the TFTP server? (Select the best answer.)

A. show ip dhcp snooping

B. show ip dhcp snooping database

C. show ip dhcp snooping binding

D. show ip dhcp snooping statistics

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can issue the show ip dhcp snooping database command to verify the Uniform Resource Locator (URL) that the agent will use to store the binding table when Dynamic Host Configuration Protocol (DHCP) snooping is configured on a Cisco Catalyst switch to store the binding table on a local Trivial File Transfer Protocol (TFTP) server. DHCP snooping ensures that DHCP servers reside on trusted switch interfaces and that all DHCP traffic from untrusted interfaces is verified before being forwarded. When a switch is configured to use DHCP snooping, the switch tracks client Media Access Control (MAC) addresses and their associated DHCP client hardware addresses in the DHCP snooping binding database, which is also known as the binding table. If the switch receives DHCP packets that do not match entries in the binding table, the switch drops the packets. The binding table can be stored locally or it can be stored on a remote server.

The show ip dhcp snooping database command can be used to display the status of the DHCP snooping binding table agent and statistics regarding the status of the binding table, such as the URL where the binding table can be found and how many successful writes have been committed to the table. For example, the following sample output indicates that the binding table is stored in a file named bindingtable on the TFTP server with an IP address of 1.2.3.4:


The show ip dhcp snooping command displays general information regarding the DHCP snooping configuration on a switch, such as the virtual LANs (VLANs) for which DHCP snooping is enabled and the trusted state of each interface. For example, the following sample output indicates that DHCP snooping is enabled for VLANs 101, 201, and 301:

The show ip dhcp snooping binding command displays the dynamic entries in the binding table. You must use the show ip source binding command to view both static and dynamic binding table entries. For example, the following sample output from the show ip dhcp snooping binding command indicates that two DHCP clients from VLAN 101 have entries in the binding table:

The show ip dhcp snooping statistics command displays statistical information regarding the number of frames that have been forwarded or dropped by the DHCP snooping configuration on a switch. You can use the detail keyword to display expanded statistics, which include the number of packets dropped for each denial category, such as binding mismatches or exceeded rate limits. For example, the following sample output from the show ip dhcp snooping statistics command indicates that 1,450 packets were forwarded and 105 packets were dropped from untrusted ports:

Packets Forwarded = 1450


Packets Dropped = 118
Packets Dropped From untrusted ports = 105

Reference:
Cisco: Cisco IOS IP Addressing Services Command Reference: show ip dhcp snooping database

QUESTION 78
You have configured a CoPP policy to mitigate the effects of DoS attacks on the router. Which of the following packet types does the CoPP policy affect? (Select the best answer.)

A. packets originating from the control plane

B. packets destined to the control plane

C. packets originating from the data plane

D. packets destined to the data plane

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Control Plane Policing (CoPP) policy in this scenario affects packets that are destined to the control plane of a router. Packets destined to the control plane are typically packets intended to create or perform network operations on a router, such as packets from dynamic routing protocols or Address Resolution Protocol (ARP) packets. These packets cannot be handled by Cisco’s normal fast-path switching mechanisms, such as Cisco Express Forwarding (CEF), because they require special handling by the router's CPU, which is also known as the route processor. CoPP is a Cisco IOS feature that protects the route processor of a router or switch from malicious traffic, such as Denial of Service (DoS) attacks.

The control plane is one of the four logical components that collectively define a router; the remaining components are the data plane, the management plane, and the services plane. The control plane is the home of the route processor and is essential to the forwarding of packets because routing protocol operation, network management, and process-based switching all involve the control plane. CoPP filters the types of packets that enter or exit the control plane and controls the rate at which permitted packets enter or exit the control plane. Because traffic must pass through the control plane to reach the management plane, CoPP protects the management plane as well.

The CoPP policy in this scenario does not affect packets that originate from the control plane of a router. DoS attacks that target a router use packets that are either destined to the router itself or that require special handling by the router's route processor. Because packets originating from the control plane have already passed through the route processor, a CoPP policy that affects packets exiting the control plane would not mitigate the effects of a DoS attack.

Cisco considers all packets that pass through a router without any interaction from the route processor as data plane traffic, which is also known as transit traffic. Because DoS attacks on a router target the route processor, a CoPP policy that protects a router from DoS attacks would not affect packets originating from or destined to the data plane.

Reference:
Cisco: Control Plane Policing: Benefits of Control Plane Policing

QUESTION 79
Which of the following is the most likely reason for an organization to implement an extranet? (Select the best answer.)

A. to provide customers with large-scale computer services

B. to provide internal departments with independent security policies

C. to provide internal users with a customized website

D. to provide customers with access to the company’s internal network

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A company can implement an extranet to provide customers with access to the company’s internal network. An extranet is a portion of a company’s internal network that is accessible to specific people outside of the company, such as business partners, suppliers, or customers. By creating an extranet, a company can provide a location for sharing information with external users. For example, a consulting company could create an extranet for external customers to view and comment on the consulting company’s progress on various projects. In many extranet implementations, the external customer network shares a bilateral connection with the company’s internal network. This bilateral connection not only enables the external customer to access portions of the company’s internal network, but it also enables portions of the company’s internal network to access portions of the external customer’s network.

An extranet is not implemented to provide customers with large-scale computer services. A company could implement a cloud computing infrastructure to provide large-scale computer services over a vast network, such as the Internet. Cloud computing allows for access to applications, storage space, and other services on demand without requiring that the services be installed locally. Cloud computing can be used to replace or supplement highly utilized local systems. The use of cloud-based services can simplify IT management by reducing or eliminating the amount of time needed to install, upgrade, and manage services.

An extranet is not implemented to provide internal departments with independent security policies. A company could implement security contexts on a firewall, such as the Cisco Adaptive Security Appliance (ASA), to provide internal departments with independent security policies. Security contexts divide a single ASA into multiple virtual devices with unique policies that can be managed by separate administrative domains. This division enables a single physical ASA to provide security services for different departments while keeping the departments logically separated.

An extranet is not implemented to provide internal users with a customized website. Instead, an intranet can be created to provide internal users with their own website. An intranet provides a location for sharing information among members of the company. Unlike an extranet, an intranet is typically available only to internal users.

Reference:
SANS: SANS Institute InfoSec Reading Room: Security Considerations for Extranets (PDF)
Category: Security Concepts

QUESTION 80
Which of the following is the default connection profile that is applied to clientless SSL VPN connections? (Select the best answer.)


A. DefaultRAGroup

B. DefaultWEBVPNGroup

C. DefaultSSLVPNGroup

D. DefaultL2LGroup

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The DefaultWEBVPNGroup connection profile is the default connection profile that is applied to clientless Secure Sockets Layer (SSL) virtual private network (VPN) connections. Connection profiles are used to separate remote VPN users into groups. For example, you can use one connection profile for contractors and another connection profile for managers, with each profile providing access to different resources. If no connection profile is associated with a particular user or if the user did not select a connection profile when the user initiated the VPN connection, the default connection profile will be used. For SSL VPN connections, the default connection profile is the DefaultWEBVPNGroup profile. You can edit the default connection profiles, but you cannot delete them.

The DefaultRAGroup connection profile is not the default connection profile for clientless SSL VPN connections. This profile is the default profile used for full-tunneling IP Security (IPSec) VPN connections.

The DefaultL2LGroup connection profile is not the default connection profile for clientless SSL VPN connections. This profile is the default profile used for IPSec LAN-to-LAN VPN connections.

The DefaultSSLVPNGroup connection profile is not the default connection profile for clientless SSL VPN connections. This is not a default profile that is provided by Cisco. You can create a connection profile named DefaultSSLVPNGroup, but it will not be used by default for clientless SSL VPN connections.

Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles

QUESTION 81
You are configuring a connection profile for Cisco AnyConnect SSL VPN users. You have accessed the Add SSL VPN Connection Profile dialog box in ASDM. You want to configure a group URL for the connection profile. On which of the following screens of this dialog box will you be able to accomplish your goal? (Select the best answer.)

A. the Basic screen

B. the General screen

C. the Authorization screen

D. the SSL VPN screen

Correct Answer: D
Section: (none)
Explanation


Explanation/Reference:
Explanation:
You can configure a group Uniform Resource Locator (URL) for the connection profile that you are configuring for Cisco AnyConnect Secure Sockets Layer (SSL) virtual private network (VPN) users on the SSL VPN screen of the Add SSL VPN Connection Profile dialog box in Cisco Adaptive Security Device Manager (ASDM). If you configure a group URL for SSL VPN users, the users can connect to the group URL and will not be required to select a tunnel group when they establish a connection. In such a scenario, the user is presented with only user name and password fields on the login screen. The Cisco Adaptive Security Appliance (ASA) examines the URL from which the user is connecting and automatically applies the connection profile associated with the URL. Configuring a group URL can help improve security because the user is not presented with a list of available connection profiles.

To configure a group URL for a new SSL VPN connection profile in ASDM, you should click Configuration, expand Network (Client) Access, click AnyConnect Connection Profiles, and click Add under Connection Profiles, which will open the Add SSL VPN Connection Profile dialog box. In the Add SSL VPN Connection Profile dialog box, expand Advanced and click SSL VPN to open the SSL VPN screen, which is shown in the following exhibit:

You cannot configure a group URL on the Basic screen of the Add SSL VPN Connection Profile dialog box in ASDM. On the Basic screen, you can configure the connection profile name, the Authentication, Authorization, and Accounting (AAA) server group, the default group policy, and client addressing information, such as Dynamic Host Configuration Protocol (DHCP) servers and IP address pools.

You cannot configure a group URL on the General screen of the Add SSL VPN Connection Profile dialog box in ASDM. On the General screen, you can enable password management and configure password expiration notification options.


You cannot configure a group URL on the Authorization screen of the Add SSL VPN Connection Profile dialog box in ASDM. On the Authorization screen, you can configure an authorization server group and user name certificate mapping.

Reference:
Cisco: General VPN Setup: Add or Edit SSL VPN Connections > Advanced > SSL VPN

QUESTION 82
You are configuring a connection profile for clientless SSL VPN connections. You have accessed the Add Clientless SSL VPN Connection Profile dialog box in ASDM. Which of the following authentication methods can you configure in this dialog box? (Select the best answer.)

A. only AAA

B. only OTP

C. only digital certificates

D. both AAA and OTP

E. both AAA and digital certificates

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can configure Authentication, Authorization, and Accounting (AAA) and digital certificate authentication on the Add Clientless SSL VPN Connection Profile dialog box in Cisco Adaptive Security Device Manager (ASDM). Connection profiles are used to separate remote virtual private network (VPN) users into groups. For example, you can use one connection profile for contractors and another connection profile for managers, with each profile providing access to different resources.

You can configure a new connection profile by using ASDM. To configure a new connection profile for clientless Secure Sockets Layer (SSL) VPN connections by using ASDM, you should click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, and click Connection Profiles, which will open the Connection Profiles configuration pane. From this pane, you can view a list of existing connection profiles and you can create new connection profiles. You should click the Add button under Connection Profiles in the Connection Profiles screen to create a new connection profile and to open the Add Clientless SSL VPN Connection Profile dialog box, which is shown in the following exhibit:


In this dialog box, you can configure the connection profile details, including the authentication method to use, the Domain Name System (DNS) server to use, and the group policy to apply to the connection profile. There are two authentication methods that are supported: AAA and Certificate. You can configure the connection profile to use either or both of the methods.

You cannot configure one-time passwords (OTPs) as an authentication method for connection profiles on the Add Clientless SSL VPN Connection Profile dialog box in ASDM. OTP is a two-factor user authentication method that typically uses a personal identification number (PIN) in conjunction with a code generated by a hardware or software token. The token is synchronized with a central server and periodically generates a code. The code is only valid until the next code is generated, which typically occurs in less than 60 seconds.

Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profile Connection Parameters for SSL VPN Sessions

QUESTION 83
Which of the following can you mitigate by implementing DAI? (Select the best answer.)

A. ARP poisoning attacks

B. MAC spoofing attacks

C. MAC flooding attacks


D. VLAN hopping attacks

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Implementing Dynamic ARP Inspection (DAI) can help mitigate Address Resolution Protocol (ARP) poisoning attacks. In an ARP poisoning attack, which is also known as an ARP spoofing attack, the attacker sends a gratuitous ARP (GARP) message to a host. The GARP message associates the attacker’s Media Access Control (MAC) address with the IP address of a valid host on the network. Subsequently, traffic sent to the valid host address will go through the attacker’s computer rather than directly to the intended recipient.

You should change the native virtual LAN (VLAN) on trunk ports to an unused VLAN to mitigate VLAN hopping attacks. In a VLAN hopping attack, the attacker sends double-tagged 802.1Q frames over a trunk link. A double-tagged frame is an Ethernet frame containing two distinct 802.1Q headers. Although double-tagging can be used as a legitimate way to tunnel traffic through a network and is commonly used by service providers, it can also be used by an attacker to circumvent security controls on an access switch. In a VLAN hopping attack, the attacker attempts to inject packets into other VLANs by accessing the native VLAN on a trunk and sending double-tagged 802.1Q frames to the switch. The switch strips the outer 802.1Q header from the received frame and then forwards the frame, which still includes an 802.1Q header, across a trunk port to the VLAN of the target host. A successful VLAN hopping attack enables an attacker to send unidirectional traffic to other VLANs without the use of a router.

Implementing sticky secure MAC addresses can help mitigate MAC spoofing attacks. In a MAC spoofing attack, an attacker uses the MAC address of another known host on the network in order to bypass port security measures. MAC spoofing can also be used to impersonate another host on the network.

Limiting the number of MAC addresses permitted on a port can help mitigate MAC flooding attacks. In a MAC flooding attack, an attacker generates thousands of forged frames every minute with the intention of overwhelming the switch’s MAC address table. Once this table is flooded, the switch can no longer make intelligent forwarding decisions and all traffic is flooded. This allows the attacker to view all data sent through the switch because all traffic will be sent out each port. A MAC flooding attack is also known as a content addressable memory (CAM) table overflow attack.

Reference:
Cisco: Implementation of Security: ARP Spoofing Attack
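The DAI check described here is driven by the DHCP snooping binding table from QUESTION 77: an ARP message on an untrusted port is forwarded only if its sender MAC/IP pair matches a binding, which is what stops the gratuitous ARP in the poisoning scenario above. The following Python is an added example, not code from the exam dump or from Cisco; the binding output, interface names and addresses are constructed, the static gateway entry stands in for an ARP ACL, and the optional header check mirrors the Catalyst ip arp inspection validate src-mac option.

```python
"""Dynamic ARP Inspection (DAI) decision model (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

# Constructed sample modelled on 'show ip dhcp snooping binding' output.
SAMPLE_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.1.101.10      86250       dhcp-snooping  101   GigabitEthernet0/2
00:11:22:33:44:66   10.1.101.11      85990       dhcp-snooping  101   GigabitEthernet0/3
"""

BindingTable = Dict[Tuple[int, str], str]  # (vlan, ip) -> mac


def parse_binding_table(text: str) -> BindingTable:
    """Turn the data rows of the binding output into a (vlan, ip) -> mac map."""
    table: BindingTable = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows have six columns and start with a colon-separated MAC;
        # the header and the dashed separator line are skipped.
        if len(parts) != 6 or parts[0].count(":") != 5:
            continue
        mac, ip, _lease, _type, vlan, _iface = parts
        table[(int(vlan), ip)] = mac.lower()
    return table


def add_static_binding(table: BindingTable, vlan: int, ip: str, mac: str) -> None:
    """Stand-in for a static entry (e.g. an ARP ACL) for a host that does not
    use DHCP, such as the default gateway."""
    table[(vlan, ip)] = mac.lower()


@dataclass(frozen=True)
class ArpMessage:
    ingress: str      # interface the message arrived on
    vlan: int
    eth_src_mac: str  # source MAC in the Ethernet header
    sender_mac: str   # sender hardware address inside the ARP body
    sender_ip: str
    target_ip: str

    @property
    def gratuitous(self) -> bool:
        return self.sender_ip == self.target_ip


def inspect(msg: ArpMessage, table: BindingTable, trusted: Set[str],
            validate_src_mac: bool = True) -> Tuple[str, str]:
    """Return ('forward' | 'drop', reason) for one ARP message."""
    if msg.ingress in trusted:
        return "forward", "trusted port, not inspected"
    # Optional header consistency check (ip arp inspection validate src-mac).
    if validate_src_mac and msg.eth_src_mac.lower() != msg.sender_mac.lower():
        return "drop", "Ethernet source MAC differs from ARP sender MAC"
    bound_mac = table.get((msg.vlan, msg.sender_ip))
    if bound_mac is None:
        return "drop", f"no binding for {msg.sender_ip} in VLAN {msg.vlan}"
    if bound_mac != msg.sender_mac.lower():
        kind = "gratuitous ARP" if msg.gratuitous else "ARP"
        return "drop", (f"{kind} claims {msg.sender_ip} is {msg.sender_mac}; "
                        f"binding table says {bound_mac}")
    return "forward", "sender MAC/IP pair matches the binding table"


def inspect_all(messages: Iterable[ArpMessage], table: BindingTable,
                trusted: Set[str]) -> Dict[str, int]:
    """Forwarded/dropped counters in the spirit of the snooping statistics."""
    counts = {"forward": 0, "drop": 0}
    for msg in messages:
        counts[inspect(msg, table, trusted)[0]] += 1
    return counts


def sample_scenario():
    """Constructed traffic: a legitimate request, a GARP claiming the gateway
    address, an unknown host, a frame on the trusted uplink, and a frame whose
    Ethernet header and ARP body disagree."""
    table = parse_binding_table(SAMPLE_BINDING_OUTPUT)
    add_static_binding(table, 101, "10.1.101.1", "00:11:22:33:44:01")
    trusted = {"GigabitEthernet0/1"}  # uplink towards gateway and DHCP server
    msgs = [
        ArpMessage("GigabitEthernet0/2", 101, "00:11:22:33:44:55",
                   "00:11:22:33:44:55", "10.1.101.10", "10.1.101.1"),
        ArpMessage("GigabitEthernet0/3", 101, "00:11:22:33:44:66",
                   "00:11:22:33:44:66", "10.1.101.1", "10.1.101.1"),
        ArpMessage("GigabitEthernet0/4", 101, "aa:bb:cc:dd:ee:ff",
                   "aa:bb:cc:dd:ee:ff", "10.1.101.50", "10.1.101.1"),
        ArpMessage("GigabitEthernet0/1", 101, "00:11:22:33:44:01",
                   "00:11:22:33:44:01", "10.1.101.1", "10.1.101.10"),
        ArpMessage("GigabitEthernet0/3", 101, "00:11:22:33:44:66",
                   "00:11:22:33:44:55", "10.1.101.10", "10.1.101.1"),
    ]
    return table, trusted, msgs


if __name__ == "__main__":
    table, trusted, msgs = sample_scenario()
    for m in msgs:
        verdict, reason = inspect(m, table, trusted)
        print(f"{m.ingress:20} {verdict:8} {reason}")
    print(inspect_all(msgs, table, trusted))
```

The last message shows why the src-mac option matters: its ARP body matches a valid binding, so without the header check the model forwards it.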

QUESTION 84
You have configured a lawful intercept view, five CLI views, and two superviews on a Cisco router. How many additional CLI views can you create? (Select the best answer.)

A. one

B. two

C. six

D. seven

Correct Answer: D
Section: (none)
Explanation


Explanation/Reference:
Explanation:
You can create seven additional command-line interface (CLI) views on a Cisco router if you have already configured a lawful intercept view, five CLI views, and two superviews. A CLI view enables an administrator to provide granular access to IOS commands and interfaces to a specific user or group of users. CLI views can be grouped under a superview to provide access to all of the commands within each view. On hardware platforms that support it, a single lawful intercept view can be created to provide secure access to a specific set of commands pertaining to voice calls and their associated Simple Network Management Protocol (SNMP) data.

The maximum number of CLI views you can create on a Cisco router is 15. This includes one lawful intercept view and any combination of CLI views and superviews; however, this does not include the root view, which is created by default and does not count against the number of available views. In this scenario, you have created eight views: one lawful intercept view, five CLI views, and two superviews. Because you can configure a maximum of 15 views, you can create only seven more views. Each of the newly created views could be a CLI view or a superview but could not be a lawful intercept view, because one has already been created.

Reference:
Cisco: Role-Based CLI Access: Restrictions for Role-Based CLI Access

QUESTION 85
Which of the following statements is true regarding the aaa new-model command? (Select the best answer.)

A. The aaa new-model command must be issued prior to enabling AAA accounting on a router.

B. The aaa new-model command must be issued after enabling AAA authentication on a router.

C. The aaa new-model command configures AAA to work only with RADIUS servers.

D. The aaa new-model command configures AAA to work only with TACACS+ servers.

E. The aaa new-model command has been deprecated in Cisco IOS versions 12.3 and later.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The aaa new-model command must be issued prior to enabling Authentication, Authorization, and Accounting (AAA) accounting on a router. AAA can be used to control access to a router or switch. Before configuring authentication, authorization, or accounting using AAA, you must first issue the aaa new-model command to enable AAA on the device; the aaa authentication, aaa authorization, and aaa accounting commands cannot be issued until the aaa new-model command is issued. When the aaa new-model command is issued, local authentication is applied immediately to all router lines and interfaces; any existing authentication methods are superseded by the aaa new-model command. All future connection attempts will be authenticated using the method defined in the aaa authentication command.
When implementing AAA, you can configure users to be authenticated against a local database, against a Remote Authentication Dial-In User Service (RADIUS) server, or against a Terminal Access Controller Access Control System Plus (TACACS+) server. You are not limited to a single type of authentication with AAA.

The aaa new-model command has not been deprecated in Cisco IOS versions 12.3 and later. This command is required in these versions of Cisco IOS in order to implement AAA on a router or a switch.
Reference:

Cisco: Configuring Basic AAA on an Access Server: Enabling AAA
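The ordering rule explained above (aaa new-model must be in effect before any aaa authentication, aaa authorization or aaa accounting command) is easy to check before a configuration template is pushed to a device. The following Python script is an added example, not part of the original exam material and not a Cisco tool: it flags AAA commands that appear before aaa new-model, or that have no aaa new-model at all, and produces a reordered copy. The configuration lines it audits are constructed for illustration, and the username line carries a placeholder secret.

```python
import re

# Commands that, per the explanation above, cannot be issued until "aaa new-model" is in effect.
AAA_DEPENDENT = re.compile(r"^\s*aaa\s+(authentication|authorization|accounting)\b")
AAA_NEW_MODEL = re.compile(r"^\s*aaa\s+new-model\s*$")


def find_aaa_issues(config_lines):
    """Audit a list of IOS configuration lines for AAA ordering problems.

    Returns a list of (line_number, line_text, reason) tuples with 1-based line
    numbers; the list is empty when the ordering is correct.
    """
    dependents = [(i, line.strip()) for i, line in enumerate(config_lines, start=1)
                  if AAA_DEPENDENT.match(line)]
    new_model_at = next((i for i, line in enumerate(config_lines, start=1)
                         if AAA_NEW_MODEL.match(line)), None)
    if not dependents:
        return []                                   # nothing depends on aaa new-model
    if new_model_at is None:
        return [(i, text, "no 'aaa new-model' anywhere in the configuration")
                for i, text in dependents]
    return [(i, text, f"precedes 'aaa new-model' on line {new_model_at}")
            for i, text in dependents if i < new_model_at]


def reorder_aaa(config_lines):
    """Return a copy of the configuration with a single 'aaa new-model' placed
    immediately before the first AAA command that depends on it."""
    lines = [line for line in config_lines if not AAA_NEW_MODEL.match(line)]
    first = next((i for i, line in enumerate(lines) if AAA_DEPENDENT.match(line)), None)
    if first is None:
        return list(config_lines)                   # no dependent commands: leave untouched
    lines.insert(first, "aaa new-model")
    return lines


# Constructed sample: a template written with the AAA commands in the wrong order.
BAD_CONFIG = [
    "hostname R1",
    "username admin privilege 15 secret EXAMPLE-ONLY",   # placeholder secret
    "aaa authentication login default local",
    "aaa accounting exec default start-stop group tacacs+",
    "aaa new-model",
    "line vty 0 4",
    " transport input ssh",
]

# The same template with the dependency satisfied (what reorder_aaa should produce).
GOOD_CONFIG = [
    "hostname R1",
    "username admin privilege 15 secret EXAMPLE-ONLY",
    "aaa new-model",
    "aaa authentication login default local",
    "aaa accounting exec default start-stop group tacacs+",
    "line vty 0 4",
    " transport input ssh",
]

if __name__ == "__main__":
    for lineno, text, reason in find_aaa_issues(BAD_CONFIG):
        print(f"line {lineno}: {text!r}: {reason}")
    print("after reorder:", find_aaa_issues(reorder_aaa(BAD_CONFIG)) or "no issues")
```

Run stand-alone, the script lists the two AAA lines that precede aaa new-model in the constructed template and confirms that the reordered copy is clean. Because aaa new-model applies local authentication to all lines the moment it is entered, the reordered template still defines a local user ahead of it; keeping an existing session open while the change is applied is the usual practice.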

QUESTION 86
Which of the following signature microengines typically has the greatest effect on Cisco IOS IPS performance? (Select the best answer.)

A. atomic-ip

B. normalizer

C. service-http

D. service-smb-advanced

E. string-tcp

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices provided, the string-tcp signature microengine (SME) typically has the greatest effect on Cisco IOS Intrusion Prevention System (IPS) performance. An SME compiles a specific category of signatures and loads them into the IPS regular expression table. Within each category is a number of signatures that can analyze a packet or stream of packets for a particular pattern. For example, the atomic-ip SME contains signatures that can recognize a pattern in a single packet, whereas the service-http SME contains signatures that can recognize a pattern in a stream of Hypertext Transfer Protocol (HTTP) packets. In general, the more of a packet or stream of packets that an SME needs to analyze, the greater its impact on the available memory and CPU of the router. The string-tcp SME can analyze one or more Transmission Control Protocol (TCP) packets and search for a particular string of text.
The atomic-ip SME can analyze the Layer 3 and Layer 4 header fields of a single packet. Because the atomic-ip SME signatures operate on a single packet, they cannot preserve state information between packets. However, atomic-ip SME signatures do not consume large amounts of memory or CPU resources like string-based SMEs can consume.
The service-http and service-smb-advanced SMEs can analyze Layer 5 through 7 information for HTTP and Server Message Block (SMB) network services, respectively. Service SMEs are typically the most complicated SMEs because they understand and implement a significant portion of the network services for which they are designed. For example, the service-http SME can effectively mimic the characteristics of a web server in order to analyze the HTTP payload between a web server and its client. Because service SMEs have a deep knowledge of their underlying protocols, they can be optimized to decode only particular portions of a data stream, thereby reducing their impact on memory and CPU utilization.
The normalizer SME is targeted at fragmented IP datagrams. The normalizer SME reassembles the fragmented IP datagrams and then analyzes the completed datagram before deciding whether the datagram should be forwarded or discarded. If the normalizer SME decides that a datagram should be forwarded but the datagram is too large to transmit, it will refragment the datagram prior to forwarding it. If the normalizer SME had to analyze fragmented datagrams based on the many different ways that destination devices might reassemble them, it could consume a significant amount of memory and CPU resources; however, because the normalizer SME reassembles datagrams without regard to how the target device will receive them, the process can be optimized with regard to memory and CPU utilization.
Reference:
Cisco: Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 5.1: Example String TCP Signature

QUESTION 87

You have configured the password management feature for a tunnel group on an ASA. The ASA is using a Cisco Secure ACS RADIUS server for AAA authentication. Which of the following actions will occur after a remote user with an expired password attempts to establish a VPN connection? (Select the best answer.)

A. The AnyConnect client will display an authentication failed dialog box and will not permit the user to establish the VPN connection until an admin unlocks the user’s account.

B. The AnyConnect client will display a dialog box that prompts the user for a new password.

C. The AnyConnect client will display a dialog box that prompts the user for both their old password and a new password.

D. The AnyConnect client will display a dialog box notifying the user that their password has expired but will permit the user to establish the VPN connection with the expired password.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the Cisco AnyConnect virtual private network (VPN) client will display a dialog box that prompts the user for a new password after a remote user with an expired password attempts to establish a VPN connection. When a Cisco Adaptive Security Appliance (ASA) is configured to use the password management feature for a particular tunnel group, the ASA will use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) rather than Password Authentication Protocol (PAP) when communicating with the Remote Authentication Dial-In User Service (RADIUS) server and the AnyConnect client. MS-CHAPv2 supports password expiry and password change capabilities that are not inherently supported by PAP or RADIUS. This enables the ASA to understand Radius-Reject messages with password expiry information instead of simply treating the messages as authentication failure messages. When the ASA receives the Radius-Reject message with password expiry information, it sends a MODE_CFG message to the AnyConnect VPN client, causing it to display a dialog box that prompts the user for a new password. The ASA then forwards the new password to the RADIUS server, and if the new password meets the configured password requirements, the user is authenticated and the ASA can finish establishing the VPN connection.
The AnyConnect client will not prevent the user from establishing a VPN connection until an administrator unlocks the user’s account. Because the password management feature is enabled on the ASA, it has the capability to prompt the user to update their expired password. However, if the password management feature was not enabled on the ASA in this scenario, then Radius-Reject messages received from the RADIUS server would be interpreted as authentication failure messages and users with expired passwords would be unable to establish VPN connections.
The AnyConnect client will not prompt the user for both their old password and a new password, nor will it permit the user to establish the VPN connection with an expired password.
Reference:
Cisco: ASA Remote Access VPN IKE/SSL Password Expiry and Change for RADIUS, TACACS, and LDAP Configuration Example: ASA with ACS via RADIUS

QUESTION 88
You want to issue the following block of commands on a Cisco ASA:
ASA(config)#nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT
You do not have CLI access to the ASA and must use ASDM instead. Which of the following samples of the Add NAT Rule dialog box corresponds to the configuration needed to achieve your goal? (Select the best answer.)

A. Option A

B. Option B

C. Option C

D. Option D

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The following sample of the Add NAT Rule dialog box corresponds to the Cisco Adaptive Security Appliance (ASA) configuration needed to achieve your goal using Cisco Adaptive Security Device Manager (ASDM):

In the exhibit shown above, the Match Criteria: Original Packet section of the Add NAT Rule dialog box contains fields that correspond to the interface and IP address information in a matching packet prior to translation. The Source Interface field specifies the real source interface, the Source Address field specifies the real source IP address, the Destination Interface field specifies the real destination interface, the Destination Address field specifies the real destination IP address, and the Service: field specifies the real protocol port numbers for the original packet. By contrast, the Action: Translated Packet section of the Add NAT Rule dialog box contains fields that correspond to the mapped interface and IP address information in a matching packet after translation. The Source NAT Type field specifies the type of Network Address Translation (NAT), the Source Address field specifies the mapped source IP address, the Destination Address: field specifies the mapped destination IP address, and the Service: field specifies the mapped protocol numbers for the translated packet.
The sample Add NAT Rule dialog box configures the ASA to map the real source IP address of traffic from any network attached to the DMZ network to the IP address assigned to the INSIDE interface. In addition, the mapped destination IP address defined in the INSIDESQLEXT object is mapped to the real destination IP address defined in the INSIDESQLINT object. The following diagram depicts the translation of the addresses within matching packets where INSIDESQLEXT has an IP address of 192.168.15.2 and INSIDESQLINT has an IP address of 192.168.13.2:

You could use the nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT command from global configuration mode to configure the same dynamic NAT rule as shown in the sample Add NAT Rule dialog box. When the nat command is issued from global configuration mode, it is referred to as the nat (global) command and it can be used to configure twice NAT on the ASA. Twice NAT enables you to specify a mapping for both the source address and destination address in a packet. The nat (global) command in this scenario can be used to create a dynamic NAT rule which translates traffic between the DMZ and INSIDE interfaces of the ASA. The abbreviated syntax to create a dynamic NAT rule with the nat (global) command is nat (real_interface,mapped_interface) source dynamic {real_object | any} {mapped_object | interface} destination static {mapped_object | interface} {real_object | any}.
The following sample of the Add NAT Rule dialog box corresponds to the nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLINT INSIDESQLEXT command:

The following sample of the Add NAT Rule dialog box corresponds to the nat (INSIDE, DMZ) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT command:

The following sample of the Add NAT Rule dialog box corresponds to the nat (INSIDE, DMZ) source dynamic any interface destination static INSIDESQLINT INSIDESQLEXT command:

Reference:
Cisco: Configuring Twice NAT: Configuring Dynamic PAT (Hide)
Cisco: Cisco ASA Series Command Reference: nat (global)
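To make the correspondence between the nat (global) syntax quoted above and the Add NAT Rule fields concrete, the following Python code is an added example; it is not ASA or ASDM code and not part of the original exam material. It parses the command from the question into its real and mapped parts, renders the dialog-box fields the explanation describes, and traces one constructed packet through both the correct rule and the distractor with the destination objects swapped. The object addresses 192.168.15.2 and 192.168.13.2 come from the diagram above; the INSIDE interface address 192.168.13.1 and the DMZ host 10.0.0.5 are constructed placeholders, and objects are modelled as single hosts.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DynamicTwiceNat:
    """One rule in the abbreviated form quoted in the explanation:
    nat (real_interface,mapped_interface) source dynamic {real_object | any}
        {mapped_object | interface} destination static {mapped_object | interface}
        {real_object | any}
    """
    real_ifc: str     # interface on which the untranslated packet arrives
    mapped_ifc: str   # interface out of which the translated packet leaves
    real_src: str     # real source object, or "any"
    mapped_src: str   # mapped source object, or "interface" (PAT to the egress address)
    mapped_dst: str   # destination as the sender addresses it (the mapped object)
    real_dst: str     # destination the packet is rewritten to (the real object)

    def to_cli(self):
        """Render the rule as the nat (global) command."""
        return (f"nat ({self.real_ifc},{self.mapped_ifc}) source dynamic "
                f"{self.real_src} {self.mapped_src} destination static "
                f"{self.mapped_dst} {self.real_dst}")

    def asdm_fields(self):
        """The Add NAT Rule fields that carry the same information."""
        return {
            "Original Packet: Source Interface": self.real_ifc,
            "Original Packet: Source Address": self.real_src,
            "Original Packet: Destination Interface": self.mapped_ifc,
            "Original Packet: Destination Address": self.mapped_dst,
            "Translated Packet: Source NAT Type": "Dynamic PAT (Hide)",
            "Translated Packet: Source Address": self.mapped_src,
            "Translated Packet: Destination Address": self.real_dst,
        }


NAT_RE = re.compile(
    r"^(?:\S+\(config\)#\s*)?"                        # optional "ASA(config)#" prompt
    r"nat \(\s*(?P<real_ifc>[^,\s]+)\s*,\s*(?P<mapped_ifc>[^)\s]+)\s*\) "
    r"source dynamic (?P<real_src>\S+) (?P<mapped_src>\S+) "
    r"destination static (?P<mapped_dst>\S+) (?P<real_dst>\S+)$")


def parse_nat(command):
    """Parse a dynamic twice-NAT command, with or without the CLI prompt."""
    m = NAT_RE.match(command.strip())
    if not m:
        raise ValueError(f"not a dynamic twice-NAT command: {command!r}")
    return DynamicTwiceNat(**m.groupdict())


def translate(rule, packet, objects, interface_addrs):
    """Apply one rule to one packet given as (ingress_ifc, src_ip, dst_ip).

    Returns (new_src, new_dst) when the packet matches the rule's original-packet
    criteria, or None when it does not.
    """
    ingress, src, dst = packet
    if ingress != rule.real_ifc:
        return None
    if rule.real_src != "any" and objects[rule.real_src] != src:
        return None
    if objects[rule.mapped_dst] != dst:
        return None
    if rule.mapped_src == "interface":
        new_src = interface_addrs[rule.mapped_ifc]   # PAT behind the egress interface
    else:
        new_src = objects[rule.mapped_src]
    return new_src, objects[rule.real_dst]


# Object addresses from the explanation's diagram; the INSIDE interface address
# and the DMZ host are constructed placeholders.
OBJECTS = {"INSIDESQLEXT": "192.168.15.2", "INSIDESQLINT": "192.168.13.2"}
INTERFACE_ADDRS = {"INSIDE": "192.168.13.1"}
DMZ_PACKET = ("DMZ", "10.0.0.5", "192.168.15.2")

PAGE_COMMAND = ("ASA(config)#nat (DMZ, INSIDE) source dynamic any interface "
                "destination static INSIDESQLEXT INSIDESQLINT")
RULE = parse_nat(PAGE_COMMAND)
# The distractor with the destination objects swapped matches packets addressed
# to INSIDESQLINT, not INSIDESQLEXT, so the DMZ packet above is left untranslated.
SWAPPED_RULE = parse_nat("nat (DMZ,INSIDE) source dynamic any interface "
                         "destination static INSIDESQLINT INSIDESQLEXT")

if __name__ == "__main__":
    for field, value in RULE.asdm_fields().items():
        print(f"{field}: {value}")
    print(RULE.to_cli(), "->", translate(RULE, DMZ_PACKET, OBJECTS, INTERFACE_ADDRS))
    print(SWAPPED_RULE.to_cli(), "->", translate(SWAPPED_RULE, DMZ_PACKET, OBJECTS, INTERFACE_ADDRS))
```

The point the trace makes is the one the distractors test: on the destination side of the command the mapped object comes first, so swapping INSIDESQLEXT and INSIDESQLINT changes which packets the rule matches rather than merely reversing the labels.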

QUESTION 89
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:

Which of the following tunneling protocols are supported by the boson group policy? (Select the best answer.)

A. only clientless SSL VPN

B. only SSL VPN Client

C. only IPSec

D. both clientless SSL VPN and SSL VPN Client

E. both clientless SSL VPN and IPSec

F. clientless SSL VPN, SSL VPN Client, and IPSec

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The boson group policy supports only IP Security (IPSec) as a tunneling protocol. You can specify the tunneling protocols that can be used to establish a connection to a tunnel group, which is also known as a connection profile, either in a group policy or within a user account, depending on whether the tunneling protocol configuration should be applied to a group or to a single user. When you configure a tunneling protocol, you can specify one or more of the following four options: Clientless SSL VPN, SSL VPN Client, IPSec, or L2TP/IPSec.
In this scenario, you can view the tunneling protocols that are configured for the boson group policy by accessing the group policy information in Cisco Adaptive Security Device Manager (ASDM) by clicking Configuration, clicking the Remote Access VPN button, expanding Network (Client) Access, clicking Group Policies, and double-clicking the boson group policy, which will open the Edit Internal Group Policy dialog box. The More Options section on the General pane displays the Tunneling Protocols entry. This entry for the boson group policy is configured with the IPsec option, which means that the boson group policy supports only IPSec connections. The following exhibit displays the General pane of the Edit Internal Group Policy dialog box for the boson group policy:

Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 90
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:

Which of the following IP address ranges will be used to assign addresses to VPN clients who connect by using the boson connection profile? (Select the best answer.)

A. 10.1.1.50 through 10.1.1.75

B. 10.1.10.50 through 10.1.10.75

C. 192.168.0.100 through 192.168.0.125

D. 192.168.10.100 through 192.168.10.125

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Virtual private network (VPN) clients who connect by using the boson connection profile will be assigned an IP address in the range from 10.1.1.50 through 10.1.1.75. You can create a local IP address pool on a Cisco Adaptive Security Appliance (ASA) to deploy IP addresses to remote VPN clients. The IP address pool can then be applied to Cisco AnyConnect or IP Security (IPSec) connection profiles. To view the IP address pool that is associated with the boson connection profile in Cisco Adaptive Security Device Manager (ASDM), you should click Configuration, click the Remote Access VPN button, expand Network (Client) Access, click IPsec Connection Profiles, and then double-click boson, which will open the Edit IPsec Remote Access Connection Profile dialog box, as shown in the following exhibit:

The Client Address Pools entry indicates that the boson_remote address pool has been configured for this connection profile. To view the IP addresses associated with this address pool, you should expand Address Assignment under Network (Client) Access and then click Address Pools, which will display the Address Pools pane, as shown in the following exhibit:

On this pane, you can determine that the boson_remote address pool will distribute IP addresses in the range from 10.1.1.50 through 10.1.1.75.
The boson_internal address pool will distribute IP addresses in the range from 10.1.10.50 through 10.1.10.75. The boson_extranet address pool will distribute IP addresses in the range from 192.168.0.100 through 192.168.0.125. The temporary address pool will distribute IP addresses in the range from 192.168.10.100 through 192.168.10.125. The boson_remote address pool will not distribute IP addresses in any of these ranges.
Reference:
Cisco: Deploying the AnyConnect Cisco Mobility Client: Configure a method of address assignment

QUESTION 91
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:

Which of the following group policies will be used when a user establishes a VPN connection by using the boson connection profile? (Select the best answer.)

A. internal

B. temporary

C. DfltGrpPolicy

D. boson

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The boson connection profile will use the boson group policy. When creating an IP Security (IPSec) connection profile in Cisco Adaptive Security Device Manager (ASDM), you can specify a number of parameters. For example, you can specify the type of authentication to use and the default group policy to use for VPN connections made by using the connection profile. This information can be configured or modified on the Add or Edit IPsec Remote Access Connection Profile dialog box in ASDM. To access this dialog box in ASDM, you should click Configuration, click the Remote Access VPN button, expand Network (Client) Access, click IPsec Connection Profiles, and then double-click the connection profile that you want to view. The Edit IPsec Remote Access Connection Profile dialog box for the boson connection profile is shown in the following exhibit:

On the Basic pane, you can determine that the Group Policy setting is configured to use the boson group policy. Thus the boson connection profile will not use the DfltGrpPolicy, the internal, or the temporary group policies.
Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles

QUESTION 92
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA. Please click exhibit to answer the following questions.

Exhibit:

Which of the following will occur when a user attempts to establish a VPN connection to the ASA by using the boson connection profile and the boson user account? (Select the best answer.)

A. The user will be unable to establish a VPN connection.

B. A banner will be displayed that states “Welcome to Boson Software!”

C. The internal group policy will be applied to the connection.

D. The VPN traffic will be sent by using only VLAN 2.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices available, a banner will be displayed that states “Welcome to Boson Software!” when a user attempts to establish a virtual private network (VPN) connection to the Cisco Adaptive Security Appliance (ASA) by using the boson connection profile and the boson user account. You can configure a banner message to be displayed when users establish a VPN connection. This information is configured in the group policy that is associated with the connection profile used to create the connection.
In this scenario, the boson connection profile is associated with the boson group policy. The boson group policy is configured to inherit the banner settings from the default group policy, DfltGrpPolicy. You can view the banner settings by clicking Configuration, clicking the Remote Access VPN button, expanding Network (Client) Access, clicking Group Policies, and double-clicking the boson group policy, which will open the Edit Internal Group Policy dialog box, as shown in the following exhibit:

Therefore, to determine whether a banner message will be displayed, you should view the details of the DfltGrpPolicy group policy. By viewing the details of the default group policy, you can determine that a banner message has been configured that states “Welcome to Boson Software!” The following exhibit displays the details of the DfltGrpPolicy group policy:

Because the boson group policy inherits the Banner setting, VPN connections made by using connection profiles that use the boson group policy will display the “Welcome to Boson Software!” banner message.
The boson user will be able to establish a VPN connection. There is nothing in the boson user’s profile settings that would prevent the user from making a VPN connection. Moreover, the user will also be able to establish a management session with the ASA, because the boson user has been granted administrative access to the device.
The internal group policy will not apply to a VPN connection made by using the boson connection profile and the boson user account. The boson connection profile is associated with the boson group policy, not the internal group policy.
The VPN traffic will not be sent by using only virtual LAN (VLAN) 2 when a user makes a VPN connection by using the boson connection profile and the boson user account. Although you can configure VLAN restrictions for a group policy, none have been configured in this scenario.
Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attribute

QUESTION 93
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA. Please click exhibit to answer the following questions.
Exhibit:

Which of the following users have been assigned to use the boson group policy? (Select the best answer.)

A. only jane

B. only john

C. only boson

D. both john and jane

E. john, jane, and boson

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Both the john and jane user accounts have been configured to use the boson group policy. When configuring a user account, you can specify the group policy to associate with the user account. This is configured on the VPN Policy pane of the Add or Edit User Account dialog box. You can access the Add or Edit User Account dialog box in Cisco Adaptive Security Device Manager (ASDM) by clicking Configuration, clicking the Remote Access VPN button, expanding AAA/Local Users, clicking Local Users, double-clicking the user, and clicking VPN Policy, as shown in the following exhibit:

For both the john and jane user accounts, the Group Policy setting is configured to use the boson group policy. You can also view the group policy configuration for all users on the Local Users pane in ASDM. For example, in the following exhibit, the VPN Group Policy column indicates that only the john and jane user accounts are configured to use the boson group policy:

Reference:
Cisco: Configuring AAA Servers and the Local Database: Configuring VPN Policy Attributes for a User

QUESTION 94
You manage your company’s Cisco devices by using Telnet. Your supervisor is concerned about eavesdropping over in-band device management and has asked you to recommend a solution that would allow you to disable the Telnet servers on each device. Which of the following are you most likely to recommend as a replacement? (Select the best answer.)

A. SNMPv3

B. SSH

C. SFTP

D. SCP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Most likely, you will recommend Secure Shell (SSH) as a replacement for Telnet as a method of in-band management on your company’s Cisco devices. SSH is a virtual terminal (VTY) protocol that can be used to securely replace Telnet. Telnet is considered to be an insecure method of remote connection because it sends credentials over the network in clear text. Therefore, you should replace Telnet with an encrypted application, such as SSH, where possible. Encryption is a method of encoding network traffic so that it cannot be read in transit. Thus encryption can be used to defeat eavesdropping attacks.
You are not likely to recommend any version of Simple Network Management Protocol (SNMP) as a replacement for Telnet. However, if your company were using SNMP version 1 (SNMPv1) or SNMPv2 as a means of in-band management, you might recommend that your company use SNMPv3 instead. Three versions of SNMP currently exist. SNMPv1 and SNMPv2 do not provide encryption; password information, known as community strings, is sent as plain text with messages. SNMPv3 improves upon SNMPv1 and SNMPv2 by providing encryption, authentication, and message integrity to ensure that the messages are not tampered with during transmission.
You are not likely to recommend either Secure File Transfer Protocol (SFTP) or Secure Copy (SCP) as a replacement for Telnet. However, either of those applications could replace File Transfer Protocol (FTP), which is a protocol that is used to exchange files between devices. FTP transmits all data as clear text. Both SFTP and SCP transmit information in an encrypted format.
Reference:
Cisco: Cisco Guide to Hardening IOS Devices: Use Secure Protocols When Possible
Cisco: SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches): Versions of SNMP

QUESTION 95
Which of the following commands should you issue when troubleshooting basic IKE peering to determine whether PSKs are present and matching on both peers? (Select the best answer.)

A. ping

B. traceroute

C. show crypto isakmp policy

D. debug crypto isakmp

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should issue the debug crypto isakmp command to determine whether preshared keys (PSKs) are present and matching on both peers. If there is a PSK mismatch between the peers, you will see the 1d00h:%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 failed its sanity check or is malformed debug error message. If a PSK is missing on one of the peers, you will see the 1d00h:%CRYPTO-4-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 10.11.12.13 is missing debug error message. To create a PSK, issue the crypto isakmp key key {address | ip-address [mask] | hostname name} [no-xauth] command.
When troubleshooting basic Internet Key Exchange (IKE) peering, you should perform the following steps:
1. Verify that the peers can reach each other.
2. Verify that the IKE policies match on both peers.
3. Verify that the peers successfully authenticate each other.

To verify that the peers can reach each other, you can issue the ping command. A successful ping indicates that connectivity between the peers exists. If the ping is not successful, you can issue the traceroute command to see where the fault is occurring along the path between the two peers.

To verify that the IKE policies match on both peers, you can issue the show crypto isakmp policy command to display the IKE phase 1 policy settings that are configured on the router, including the encryption algorithm, hash algorithm, authentication method, Diffie-Hellman (DH) group, and security association (SA) lifetime. The following displays sample output from the show crypto isakmp policy command:

RouterA#show crypto isakmp policy
Global IKE policy
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               3600 seconds, no volume limit

To configure IKE phase 1 policy parameters, issue the crypto isakmp policy priority command to enter ISAKMP policy configuration mode, where you can issue the following commands:
- authentication
- encryption
- group
- hash
- lifetime

You can issue the debug crypto isakmp command to determine whether an IKE phase 1 policy mismatch is occurring. The debug error message 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0 will appear when there is a phase 1 policy mismatch between the peers.

To verify that the peers successfully authenticate each other, you should issue the debug crypto isakmp command. If the PSKs are present and matching on both peers, the IKE SA should be established successfully and communication between the sites should occur.

Reference:
Cisco: IPsec Troubleshooting: Understanding and Using debug Commands: debug crypto isakmp
Cisco: Configuring Internet Key Exchange Version 2 (IKEv2): Example How a Policy Is Matched
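The three debug messages quoted above map directly onto steps 2 and 3 of the troubleshooting procedure, so they can be triaged mechanically. The following is an added example, not part of the original exam explanation or any Cisco tool: a small Python classifier that scans a debug crypto isakmp capture and reports which step each failure points at. The sample capture is constructed for the example, reusing the hypothetical peer address 10.11.12.13 from the explanation; the IKMP_BAD_MESSAGE line is treated as a probable PSK mismatch, which is the usual cause but not the only one.

```python
import re

# Constructed sample of debug crypto isakmp output, modelled on the messages
# quoted in the explanation; 10.11.12.13 is the hypothetical peer address.
SAMPLE_DEBUG = """\
1d00h: ISAKMP (0:1): processing SA payload. message ID = 0
1d00h: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 failed its sanity check or is malformed
1d00h: %CRYPTO-4-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 10.11.12.13 is missing
"""

# Each entry: regex, short diagnosis code, and the troubleshooting step it points to.
SIGNATURES = [
    (re.compile(r"IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at (\S+) is missing"),
     "psk_missing",
     "step 3: no crypto isakmp key is configured for this peer on the local router"),
    (re.compile(r"IKMP_BAD_MESSAGE: IKE message from (\S+) failed its sanity check"),
     "psk_mismatch",
     "step 3: the pre-shared keys on the two peers most likely differ"),
    (re.compile(r"ISAKMP \(\d+:\d+\): atts are not acceptable"),
     "policy_mismatch",
     "step 2: no IKE phase 1 policy matches; compare show crypto isakmp policy on both peers"),
]


def classify_line(line):
    """Return a finding dict for a known failure message, or None for noise."""
    for pattern, code, advice in SIGNATURES:
        match = pattern.search(line)
        if match:
            # Only the two %CRYPTO-4 messages carry a peer address.
            peer = match.group(1) if match.groups() else None
            return {"code": code, "peer": peer, "advice": advice}
    return None


def triage(debug_text):
    """Scan a debug capture and return findings in the order they appear."""
    findings = []
    for line in debug_text.splitlines():
        finding = classify_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DEBUG):
        print(f"{f['code']:<16} peer={f['peer']}  {f['advice']}")
```

Run it against a pasted capture from a lab router; a policy_mismatch finding means the peers never reach authentication, so the PSK checks in step 3 are not yet relevant.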

QUESTION 96
Your company has installed and configured a Sourcefire device. You want to reduce false positives from a trusted source.

Which of the following could you do? (Select 2 choices.)

A. Configure an Allow action with an Intrusion Policy.

B. Configure a Block action with an Intrusion Policy.

C. Configure a Trust action.

D. Configure an Allow action without an Intrusion Policy.

E. Configure a Block action without an Intrusion Policy.

F. Configure a Monitor action.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You could configure a Sourcefire Allow action without an Intrusion Policy to reduce false positives from a trusted source. Alternatively, you could configure a Trust action. A false positive occurs when an intrusion detection system (IDS) or intrusion prevention system (IPS) identifies nonmalicious traffic as malicious. Sourcefire devices are commercial Cisco IDS/IPS appliances based on the open-source detection engine known as Snort.

A Sourcefire device can match traffic based on a number of conditions, including security zones, networks, virtual LAN (VLAN) tags, source or destination ports, applications, Uniform Resource Locators (URLs), or users. The Sourcefire is also capable of handling traffic matching a given condition by applying an action, or rule, to the traffic. The actions that are supported by a Sourcefire include all of the following:
- Monitor
- Trust
- Block
- Interactive Block
- Allow

Configuring actions is a step in configuring granular access control rules, which in turn is part of developing an Access Control Policy.

A Sourcefire can inspect and log traffic that is passed by the Allow action. Intrusion inspection occurs when an Intrusion Policy is applied to this action. Applying an Allow action without an Intrusion Policy performs the action when traffic matches a condition but does not inspect the traffic. Therefore, you could apply an Allow action without an Intrusion Policy to allow all traffic matching a given condition and prevent that traffic from generating a false positive. Conversely, you might apply an Allow action with an Intrusion Policy to permit all but malicious traffic that matches a given condition.

The Trust action allows traffic to pass without any further inspection. Therefore, the Trust action can never prevent malicious traffic from passing through the Sourcefire and will never generate false positives. Because both Trust and Allow without an Intrusion Policy remove IPS coverage for whatever they match, scope such rules to the narrowest source, destination, and port conditions that describe the trusted traffic; a rule that trusts an entire subnet blinds the sensor to everything in it.

You cannot configure a Block action with an Intrusion Policy. In addition, you should not configure a Block action to prevent false positives in this scenario. The Block action blocks traffic and does not perform any type of inspection.

You do not need to configure a Monitor action. The Monitor action does not determine whether traffic is blocked or allowed based on a matching condition; its purpose is to track traffic on the network. This action is primarily used to log traffic that matches the rule, after which the traffic continues to be evaluated against the remaining rules. The Monitor action will log the traffic even if it does not match any other rule and is not allowed to pass, so it neither prevents inspection nor prevents false positives.

Reference:
Cisco: Options to Reduce False Positive Intrusion Events: 2. Trust or Allow Rule
Cisco: FireSIGHT System User Guide Version 5.4.1: Using Rule Actions to Determine Traffic Handling and Inspection

QUESTION 97
Which of the following is a reason to use the round-robin assignment feature of dynamic PAT addresses? (Select the best answer.)

A. You want to send traffic to more than one remote device.

B. You want to map a single internal IP address to a single routable IP address.

C. You want to prevent the misinterpretation of traffic as a DoS attack.

D. You want to use a single mapped routable address.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You would use the round-robin assignment feature of dynamic Port Address Translation (PAT) addresses if you want to prevent the misinterpretation of traffic as a Denial of Service (DoS) attack. Dynamic PAT is a form of Network Address Translation (NAT) that translates many unique inside source addresses, each combined with a source port, to a single routable address or to an address drawn from a pool of routable addresses. NAT is most often used to conserve routable IP addresses on the public side of a NAT router. When PAT is configured, an inside local address, along with a port number, is typically mapped to a single inside global address. The NAT router uses port numbers to keep track of which packets belong to each host.

Dynamic PAT is capable of mapping internal source addresses to more than one routable IP address. By default, however, all ports on one mapped address are allocated before the next address in the pool is used, so a burst of connections can appear to originate from a single routable address, and some security appliances could mistake a large number of packets from a single IP address for a DoS attack attempt. Therefore, dynamic PAT supports round-robin assignment, which cycles through the pool so that internal IP source addresses map to more than just one routable IP source address. By using dynamic PAT's round-robin assignment of IP addresses, the risk of large amounts of traffic being misidentified as a DoS attack can be mitigated.

You could use PAT if you wanted to translate many internal addresses to a single routable IP address. However, you would not need to use the dynamic PAT round-robin feature to achieve this task. Round-robin is used to cycle through a pool of routable IP addresses instead of translating to a single routable IP address.

You would use static NAT to map a single internal IP address to a single routable IP address. Static NAT translates a single inside local IP address to a single inside global IP address; the static mapping is permanently present in the NAT translation table. It is therefore possible for someone on an outside network to access a device on an inside network by using its inside global IP address.

You would not need to use dynamic PAT if you want to send traffic to more than one remote device. PAT neither specifically enables nor specifically prevents the sending of traffic from one device to multiple remote devices.

Reference:
Cisco: Information About NAT: Dynamic PAT: Dynamic PAT Disadvantages and Advantages
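The difference between the default allocation order and round-robin is easiest to see by simulating it. The following is an added example, not Cisco code and not the ASA's actual allocator: a toy Python model of a dynamic PAT pool with two hypothetical mapped addresses (203.0.113.10 and 203.0.113.11, documentation space) and a deliberately tiny port range per address, so that the default "fill one address before touching the next" behaviour and the round-robin spread are both visible after four connections. The inside hosts and ports are constructed sample data.

```python
from collections import Counter
from itertools import cycle


class DynamicPatPool:
    """Toy model of dynamic PAT allocation over a pool of mapped (routable) addresses.

    Constructed for illustration only. With round_robin=False every port on the
    first mapped address is consumed before the next address is touched. With
    round_robin=True each new connection goes to the next address in the pool.
    """

    def __init__(self, pool, round_robin=False, ports_per_address=3):
        self.pool = list(pool)
        self.round_robin = round_robin
        # Hypothetical small port range so exhaustion of one address is easy to see.
        self.free_ports = {ip: list(range(1024, 1024 + ports_per_address)) for ip in self.pool}
        self._next = cycle(self.pool)
        self.xlate = {}  # (real_ip, real_port) -> (mapped_ip, mapped_port)

    def _candidate_order(self):
        if not self.round_robin:
            return self.pool
        # Start at the next address in the cycle, fall back to the rest if it is full.
        start = self.pool.index(next(self._next))
        return self.pool[start:] + self.pool[:start]

    def translate(self, real_ip, real_port):
        """Return the mapped (ip, port) for a flow, allocating one if it is new."""
        key = (real_ip, real_port)
        if key in self.xlate:
            return self.xlate[key]
        for mapped_ip in self._candidate_order():
            if self.free_ports[mapped_ip]:
                mapped = (mapped_ip, self.free_ports[mapped_ip].pop(0))
                self.xlate[key] = mapped
                return mapped
        raise RuntimeError("PAT pool exhausted: no free mapped address/port")


# Hypothetical mapped-address pool (documentation range).
POOL = ["203.0.113.10", "203.0.113.11"]

# Constructed sample: four inside hosts each opening one connection.
SAMPLE_FLOWS = [("10.1.1.1", 40000), ("10.1.1.2", 40001), ("10.1.1.3", 40002), ("10.1.1.4", 40003)]


def mapped_address_usage(round_robin, flows):
    """Translate each flow and count how many land on each mapped address."""
    pat = DynamicPatPool(POOL, round_robin=round_robin)
    return dict(Counter(pat.translate(ip, port)[0] for ip, port in flows))


if __name__ == "__main__":
    print("default    :", mapped_address_usage(False, SAMPLE_FLOWS))
    print("round-robin:", mapped_address_usage(True, SAMPLE_FLOWS))
```

In the default mode three of the four connections leave from 203.0.113.10, which is the concentration of traffic on one address that a downstream rate limiter can misread as a flood; in round-robin mode the same four connections are spread evenly across the pool.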

QUESTION 98
You are configuring manual NAT on a Cisco Firepower device. Which of the following best describes the order in which the NAT rules will be processed? (Select the best answer.)

A. on a firstmatch basis in the order that they appear in the configuration

B. the most general rules first followed by the most specific rules

C. static rules first followed by dynamic rules

D. shortest prefix first followed by longer prefixes

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Firepower device will process the Network Address Translation (NAT) rules on a first-match basis in the order that they appear in the configuration if you are configuring manual NAT. There are two methods of implementing NAT on a Cisco Firepower device: manual NAT and auto NAT. Of the two methods, auto NAT is the simplest to configure because NAT rules are configured as components of a network object; an auto NAT rule translates only the address defined by that object and cannot match on the destination of the packet. Manual NAT, on the other hand, enables you to specify both the source address and the destination address of a mapping in a single rule. Therefore, you can configure more granular mapping rules by using manual NAT.

Both manual NAT rules and auto NAT rules are stored in the same translation table. The table is divided into three sections. Section 1 and Section 3 contain manual NAT rules, with Section 1 containing the most specific manual NAT rules and Section 3 containing the most general NAT rules. Section 2 contains auto NAT rules.

When the Firepower device matches traffic to the NAT translation table, manual NAT rules in Section 1 are processed first and in the order in which they were configured. Manual NAT rules are added to Section 1 by default. If a match is found, rules in Section 2 and Section 3 are ignored. If the traffic does not match any of the manual NAT rules in Section 1, the auto NAT rules in Section 2 are processed.

Auto NAT rules are automatically ordered by the device. Regardless of the order in which you configured the rules in the network objects, auto NAT will always attempt to match static rules before dynamic rules. Within each of those two groups, auto NAT will attempt to match the rule that contains the smallest quantity of real IP addresses first, which is the rule with the longest prefix. Because rule type is compared before prefix length, a static NAT mapping that matches 10.10.10.0/24 will be processed before a dynamic NAT mapping that matches 10.10.10.10/32, even though the 10.10.10.10/32 address has a longer prefix. If the traffic matches one of the auto NAT rules, rules in Section 3 are ignored. If the traffic does not match any of the auto NAT rules, the device will next attempt to match the traffic to the Section 3 manual NAT rules.

Similar to Section 1, the manual NAT rules in Section 3 are processed in the order that they appear in the configuration. However, you must specifically place manual NAT rules in this section because the device will not automatically place manual NAT rules there. Cisco recommends that the most general manual NAT rules be placed in this section, with the most specific of those general rules configured first.

Reference:
Cisco: Firepower Management Center Configuration Guide, Version 6.0.1: NAT Rule Order
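The ordering rules above are simple enough to implement, and doing so makes the surprising case (a static /24 beating a dynamic /32) concrete. The following is an added example, not Firepower code and not a reproduction of its implementation: a Python model that assembles the three-section table, re-sorts the auto NAT rules by type and then by number of real addresses, and performs a first-match lookup. All rule names, networks, and the packet addresses are constructed for the example; a rule without a "dst" key is a manual rule that matches any destination.

```python
import ipaddress


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def auto_nat_order_key(rule):
    """Auto NAT ordering as described above: static before dynamic, then fewest real addresses."""
    return (0 if rule["type"] == "static" else 1, _net(rule["real"]).num_addresses)


def build_nat_table(section1, auto_rules, section3):
    """Manual rules keep configured order; auto rules are re-sorted by the device."""
    return (
        [dict(r, section=1) for r in section1]
        + [dict(r, section=2) for r in sorted(auto_rules, key=auto_nat_order_key)]
        + [dict(r, section=3) for r in section3]
    )


def rule_matches(rule, src, dst):
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if rule["section"] == 2:
        # Auto NAT only knows the real address in its object, never the destination.
        return src_ip in _net(rule["real"])
    if src_ip not in _net(rule["src"]):
        return False
    return "dst" not in rule or dst_ip in _net(rule["dst"])


def lookup(table, src, dst):
    """First-match walk over the assembled table; returns the matching rule or None."""
    for rule in table:
        if rule_matches(rule, src, dst):
            return rule
    return None


# Constructed rule set with hypothetical names and addresses.
SECTION1 = [
    {"name": "twice-vpn-exempt", "type": "static", "src": "10.10.10.0/24", "dst": "192.168.50.0/24"},
]
AUTO = [
    # Configured /32 first, but the device will still evaluate the static /24 before it.
    {"name": "host-dyn", "type": "dynamic", "real": "10.10.10.10/32"},
    {"name": "lan-static", "type": "static", "real": "10.10.10.0/24"},
]
SECTION3 = [
    {"name": "catch-all-pat", "type": "dynamic", "src": "0.0.0.0/0"},
]

TABLE = build_nat_table(SECTION1, AUTO, SECTION3)

if __name__ == "__main__":
    for r in TABLE:
        print(f"section {r['section']}: {r['name']}")
    print("10.10.10.10 -> 198.51.100.5 hits", lookup(TABLE, "10.10.10.10", "198.51.100.5")["name"])
```

The lookup of 10.10.10.10 toward an arbitrary destination hits lan-static, not host-dyn, exactly as the explanation states; the same source toward 192.168.50.0/24 is caught earlier by the Section 1 manual rule. When a real deployment translates the wrong address, reproducing the rule set in a model like this is a quick way to confirm which section and ordering step is responsible.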

QUESTION 99
Which of the following is least likely to be considered a form of malware? (Select the best answer.)

A. bots

B. DDoS

C. Trojan horses

D. viruses

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, a Distributed Denial of Service (DDoS) attack is least likely to be considered a form of malware. Malware, which is a term formed from the combination of the words malicious and software, is unwanted software that is specifically designed to be malicious. Malware can damage or disrupt systems, steal information from a user, or perform other unwanted and malicious actions. A DDoS attack is a coordinated Denial of Service (DoS) attack that uses multiple attacking hosts to target a single victim. For example, a large number of zombie hosts in a botnet could flood a target device with packets. Because the flood of packets originates from multiple hosts and typically targets public services, such as a web service, the target device might not detect the attack. If enough packets are sent to the target device within a short period of time, the target will be unable to respond to legitimate packets because its resources are consumed by the requests originated by the attacker.

Bots are forms of malware. A bot is a type of automated software that can be used as a remote command and control tool to exploit a compromised system for malicious purposes. For example, a botnet is a network of bots on compromised systems that can be used to carry out coordinated attacks, such as a DDoS attack.

Viruses are forms of malware. A virus is a type of software that can make copies of itself and inject them into other software. Viruses can therefore spread across systems and networks. The level of damage that can be inflicted by a virus ranges from annoyances to destruction of data.

Trojan horses are forms of malware. A Trojan horse is a malicious program that entices the user to execute it by appearing to be a legitimate application. Trojan horses can be used to annoy users, steal information, destroy data, or install back doors.

Reference:
Cisco: What Is the Difference: Viruses, Worms, Trojans, and Bots?

QUESTION 100
Which of the following occurs when an IDS or IPS does not identify malicious traffic that enters the network? (Select the best answer.)

A. a false positive

B. a false negative

C. a true positive

D. a true negative

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A false negative occurs when an intrusion detection system (IDS) or intrusion prevention system (IPS) does not identify malicious traffic that enters the network. False negatives can lead to serious network security problems, because the attack proceeds without any alert. To properly secure a network, you should reduce the number of false negatives as much as possible by fine-tuning IDS and IPS rules, even if more false positives are reported. Penetration testing can help determine when an IDS or IPS is not detecting a genuine attack.

A false positive occurs when an IDS or IPS identifies nonmalicious traffic as malicious. Tuning must be performed to minimize the number of false positives while eliminating false negatives. Not only can too many false positives overburden the sensor, they can also overburden a network administrator, because false positives must usually be verified as harmless.

A true positive occurs when an IDS or IPS correctly identifies malicious traffic as malicious. For instance, a true positive occurs when a virus or an attack is identified and the appropriate action is taken.

A true negative occurs when an IDS or IPS correctly identifies harmless traffic as harmless. For example, a true negative occurs when an administrator correctly enters a password or when ordinary Hypertext Transfer Protocol (HTTP) traffic is sent to a web server and no alert is raised.

Reference:
Cisco: Cisco Secure IPS Excluding False Positive Alarms: False Positive and False Negative Alarms

QUESTION 101
Which of the following lost or stolen device options are available to employees when MDM is integrated with ISE? (Select 3 choices.)

A. report device as lost or stolen

B. initiate a PIN lock

C. initiate a full or corporate wipe

D. quarantine the device

E. revoke the device’s digital certificate

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When Mobile Device Management (MDM) platforms are integrated with Cisco Identity Services Engine (ISE), employees have the ability to report a device as lost or stolen, initiate a personal identification number (PIN) lock, or initiate a full or corporate wipe. A corporate wipe, which is also known as a selective wipe, removes only corporate data and applications from the device. A full wipe, which is also known as a factory reset, removes all data from the device. An employee is also capable of reinstating a device to regain access without having to re-register the device with ISE. Each of these options is available to the employee through ISE's My Devices portal.

ISE is a next-generation Authentication, Authorization, and Accounting (AAA) platform with integrated posture assessment, network access control, and client provisioning. ISE integrates with a number of MDM frameworks, such as MobileIron and AirWatch. From ISE, you can provision endpoints with native supplicants available for Microsoft Windows, Mac OS X, Apple iOS, and Google Android. The MDM agent on the endpoint, not the 802.1X supplicant, is what lets the MDM server perform actions on the device, such as installing software or locking the screen with a PIN lock.

Only ISE administrators can quarantine a device and revoke the device's digital certificate. However, administrators are also capable of performing wipes and PIN locks without user notification or intervention. Unlike employees, who initiate full wipes or corporate wipes by using the My Devices portal, an administrator initiates a wipe or a PIN lock by using the ISE Endpoints screen. Whether an administrator can initiate a full wipe or a corporate wipe depends on the MDM server policies and configuration. In a Bring Your Own Device (BYOD) environment, administrators will most likely be able to perform only a corporate wipe or a PIN lock on a device. If the device is a corporate device that an employee is simply allowed to use, an administrator might be able to perform a full wipe from the Endpoints screen by selecting Full Wipe from the MDM Access drop-down menu. Administrators can additionally force connected devices off the network, add devices to the Blacklist Identity Group, and disable the device's RSA SecurID token.

Reference:
Cisco: Managing a Lost or Stolen Device (PDF)
Cisco: Managing Network Devices: Wiping or Locking a Device
Category: Secure Access

QUESTION 102
Which of the following private VLAN port types communicate only with promiscuous ports? (Select the best answer.)

A. community ports

B. isolated ports

C. SPAN ports

D. promiscuous ports

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Isolated private virtual LAN (VLAN) ports can communicate only with promiscuous ports. Private VLANs can be configured on a switch to help isolate traffic within a VLAN. Private VLANs provide Layer 2 separation between ports that belong to the same VLAN. Because the separation exists at Layer 2, the hosts can remain on the same IP subnet. The VLAN to which the hosts belong is called the primary VLAN. To create a private VLAN, you must create secondary VLANs (isolated or community) and associate them with the primary VLAN.

Community private VLAN ports can communicate with promiscuous ports and with other ports that belong to the same community. However, they cannot communicate with isolated ports or with ports that belong to other communities. Promiscuous ports, which typically connect to the default gateway, can communicate with all other private VLAN port types. Because the isolation is only at Layer 2, a router on the promiscuous port can still forward traffic between two isolated hosts on the same subnet unless an ACL on the router (or a VLAN ACL on the switch) prevents it.

Switch Port Analyzer (SPAN) ports are not a private VLAN port type. SPAN is a means of monitoring traffic on a switch by copying packets from a source port or VLAN to a destination port where a monitoring device is attached.

Reference:
Cisco: Configuring Isolated Private VLANs on Catalyst Switches: Background Theory

QUESTION 103
On which of the following layers of the hierarchical network design model should you implement PortFast, BPDU guard, and root guard? (Select the best answer.)

A. only on core layer ports

B. only on distribution layer ports

C. only on access layer ports

D. only on core and distribution layer ports

E. on core, distribution, and access layer ports

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should implement PortFast, BPDU guard, and root guard only on access layer ports. PortFast, BPDU guard, and root guard are enhancements to Spanning Tree Protocol (STP). The access layer is the network hierarchical layer where end-user devices connect to the network. The distribution layer is used to connect the devices at the access layer to those in the core layer. The core layer, which is also referred to as the backbone, is used to provide connectivity to devices connected through the distribution layer.

PortFast reduces convergence time by immediately placing user access ports into a forwarding state. PortFast is recommended only for ports that connect to end-user devices, such as desktop computers. Therefore, you would not enable PortFast on ports that connect to other switches, including distribution layer ports and core layer ports. To enable PortFast, issue the spanning-tree portfast command from interface configuration mode.

BPDU guard disables ports that erroneously receive bridge protocol data units (BPDUs). User access ports should never receive BPDUs, because user access ports should be connected only to end-user devices, not to other switches. When BPDU guard is applied, the receipt of a BPDU on a port with BPDU guard enabled will result in the port being placed into the error-disabled state, which prevents loops from occurring. To enable BPDU guard, issue the spanning-tree bpduguard enable command from interface configuration mode.

Root guard is used to prevent newly introduced switches from being elected as the root. The device with the lowest bridge ID (bridge priority, then MAC address) is elected the root. If an additional device is added to the network with a lower priority than the current root, it will become the new root. However, this could cause the network to reconfigure in unintended ways, particularly if an access layer switch were to become the root. To prevent this, root guard can be applied to ports that connect to other switches in order to maintain control over which switch is the root. If a superior BPDU arrives on a root guard port, the port is placed into the root-inconsistent state and recovers on its own once the superior BPDUs stop. Root guard is applied on a per-port basis with the spanning-tree guard root command.

Reference:
Cisco: Campus Network for High Availability Design Guide: Spanning Tree Protocol Versions
Cisco: Campus Network for High Availability Design Guide: Best Practices for Optimal Convergence
Category: Security Concepts

QUESTION 104
Which of the following is the man-in-the-middle attack that is most likely to be used to cause a workstation to send traffic to a false gateway IP address? (Select the best answer.)

A. ARP spoofing

B. DHCP spoofing

C. MAC spoofing

D. switch spoofing

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Dynamic Host Configuration Protocol (DHCP) spoofing is the man-in-the-middle attack that is most likely to be used to cause a workstation to send traffic to a false gateway IP address. In a DHCP spoofing attack, a rogue DHCP server is attached to the network in an attempt to answer DHCP requests before the legitimate server does. The rogue DHCP server can then respond to the DHCP requests with its own IP address as the default gateway address so that all traffic leaving the subnet is routed through the rogue DHCP server. DHCP snooping is a security technique that can be used to mitigate DHCP spoofing: the switch drops DHCP server messages that arrive on untrusted ports.

In an Address Resolution Protocol (ARP) poisoning attack, which is also known as an ARP spoofing attack, the attacker sends a gratuitous ARP (GARP) message to a host. The GARP message associates the attacker's Media Access Control (MAC) address with the IP address of a valid host on the network. Subsequently, traffic sent to the valid host's address will go to the attacker's computer rather than to the intended recipient. ARP spoofing can also divert gateway-bound traffic, but it does so by poisoning the MAC address that the workstation holds for the real gateway IP address, not by handing the workstation a false gateway IP address.

MAC spoofing makes network traffic from a device look as if it is coming from a different device. MAC spoofing is often implemented to bypass port security by making a device appear as if it were an authorized device. Malicious users can also use MAC spoofing to intercept network traffic that should be destined for a different device. ARP cache poisoning, content addressable memory (CAM) table flooding, and Denial of Service (DoS) attacks can all be performed by MAC spoofing.

Switch spoofing is a virtual LAN (VLAN) hopping attack that is characterized by using Dynamic Trunking Protocol (DTP) to negotiate a trunk link with a switch port in order to capture all traffic that is allowed on the trunk. In a switch spoofing attack, the attacking system is configured to act like a switch with a trunk port. This enables the attacking system to become a member of all VLANs, which enables the attacker to send and receive traffic among the other VLANs.

Reference:
Cisco: DHCP Snooping: Overview of DHCP Snooping
Juniper Networks: Preventing DHCP Spoofing

QUESTION 105
On a Cisco ASA, which of the following RADIUS authentication protocols are not supported? (Select 2 choices.)

A. CHAP

B. EAP-MD5

C. PAP

D. PEAP

E. MS-CHAPv1

F. MS-CHAPv2

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Neither Extensible Authentication Protocol (EAP)-Message Digest 5 (MD5) nor Protected EAP (PEAP) is supported by a Cisco Adaptive Security Appliance (ASA) when it authenticates users against a Remote Authentication Dial-In User Service (RADIUS) server. RADIUS is an Authentication, Authorization, and Accounting (AAA) protocol that uses User Datagram Protocol (UDP) for packet delivery.

RADIUS and Terminal Access Controller Access Control System Plus (TACACS+) server groups on a Cisco ASA support Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP version 1 (MS-CHAPv1), and Password Authentication Protocol (PAP). A Cisco ASA supports a number of different AAA server types, such as RADIUS, TACACS+, Lightweight Directory Access Protocol (LDAP), Kerberos, and RSA Security Dynamics, Inc. (SDI) servers.

When authenticating with a TACACS+ server, a Cisco ASA can use the following authentication protocols:
- ASCII
- PAP
- CHAP
- MS-CHAPv1

When authenticating with a RADIUS server, a Cisco ASA can use the following authentication protocols:
- PAP
- CHAP
- MS-CHAPv1
- MS-CHAP version 2 (MS-CHAPv2)
- Authentication Proxy Mode (for example, RADIUS to RSA/SDI, RADIUS to Active Directory, and others)

Reference:
Cisco: Configuring AAA Servers and the Local Database: RADIUS Server Support
Cisco: Configuring AAA Servers and the Local Database: TACACS+ Server Support
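PAP and CHAP are the two oldest entries in the lists above, and the difference between them is worth seeing in code: PAP puts the password itself on the wire, whereas CHAP sends only an MD5 hash over the identifier, the shared secret and a server-chosen challenge (RFC 1994), so a sniffed exchange cannot be replayed against a fresh challenge. The following is an added example, not Cisco code and not tied to the ASA's RADIUS implementation: a Python model of both exchanges with a server-side verifier. The usernames, secrets and the fixed identifier are constructed values. Note the caveat CHAP carries with it: the server must store the reversible secret, and MD5 offers no protection against an offline dictionary attack on a captured challenge/response pair.

```python
import hashlib
import hmac
import os


def pap_on_the_wire(username, password):
    """PAP: the client sends the credential itself; anyone sniffing the link sees it."""
    return {"user": username, "password": password}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_client(identifier, challenge, secret):
    """What the client returns: the identifier and the hashed response, never the secret."""
    return {"id": identifier, "response": chap_response(identifier, secret, challenge)}


def chap_server_verify(challenge, stored_secret, message):
    """The server recomputes the hash from its copy of the secret and compares in constant time."""
    expected = chap_response(message["id"], stored_secret, challenge)
    return hmac.compare_digest(expected, message["response"])


def chap_round_trip(client_secret, server_secret, identifier=0x2A, challenge=None):
    """Run one challenge/response exchange; returns True if the server accepts it."""
    # A fresh random challenge per attempt is what makes a captured response useless later.
    challenge = challenge if challenge is not None else os.urandom(16)
    message = chap_client(identifier, challenge, client_secret)
    return chap_server_verify(challenge, server_secret, message)


if __name__ == "__main__":
    # Constructed credentials for the demonstration.
    print("PAP wire data   :", pap_on_the_wire("alice", "s3cret"))
    print("CHAP accepted   :", chap_round_trip(b"s3cret", b"s3cret"))
    print("CHAP wrong secret:", chap_round_trip(b"s3cret", b"other"))
```

The same structure extends to MS-CHAPv1/v2, which replace the MD5 step with DES-based or SHA-1/MD4-based computations over an NT password hash; the protocol shape, a server challenge answered with a keyed transform rather than the password, is the same.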

QUESTION 106
Which of the following is the best reason to enforce blacklisting by security zone on a Cisco device that uses the Security Intelligence IP Address Reputation feature? (Select the best answer.)

A. to streamline performance of the IPS device

B. to ensure that local hosts can communicate with a given IP address

C. to validate a blacklist feed that has been obtained from a third party

D. to manually control which networks are blocked by the IPS

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Most likely, you would enforce blacklisting by security zone to streamline performance of the intrusion prevention system (IPS) device. Enforcing blacklisting by security zone can enhance the performance of a Security Intelligence device by limiting the blacklisting to the specific security zones that process the given traffic. For example, the blacklisting of IP addresses that send email traffic could be restricted to a security zone that handles only email traffic.

You would configure the monitor-only setting if you wanted to validate a blacklist feed that has been obtained from a third party. Security Intelligence devices, such as a Cisco Sourcefire IPS, are capable of accepting manually imported lists of network addresses or feeds from third parties. Such devices can block IP addresses or networks based on their reputation, which avoids the device overhead of analyzing traffic from those networks. The monitor-only setting allows traffic from networks that are listed within a given feed to be analyzed by the Security Intelligence device, but also logs the fact that the given network matches the third-party feed. This enables an administrator to review the logs and the analysis of traffic from networks on the feed to determine the validity of the feed.

You would add IP addresses to a custom whitelist to ensure that local hosts can communicate with a given IP address. On Security Intelligence devices, whitelists override blacklisted IP addresses. Whitelists can thus be used to enable communication with legitimate IP addresses that are listed on third-party feeds or other blacklists that might be too broadly defined. From an administrative overhead standpoint, you should first validate the feed, then implement the feed, and finally add IP addresses or networks to the whitelist as necessary.

You would configure a custom blacklist to manually control which networks are blocked by the IPS. Security Intelligence devices allow the creation of custom blacklists so that you can manually block specific IP addresses or networks.

Reference:
Cisco: Blacklisting Using Security Intelligence IP Address Reputation: Choosing a Security Intelligence Strategy
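The explanation describes a precedence order (whitelist first, then zone-scoped blacklist entries, with monitor-only feeds logged rather than enforced) that is easy to get wrong when several feeds and zones overlap. The following is an added example, not Cisco code and not the FireSIGHT implementation: a Python function that applies that precedence to a connection and returns the verdict with its reason. The policy, zone names, feed names and addresses (documentation ranges) are constructed for the example.

```python
import ipaddress

# Constructed policy: hypothetical feeds, zones and addresses.
POLICY = {
    # Blacklist entries: the zones they are enforced in (None means every zone) and their source.
    "blacklist": [
        {"net": "198.51.100.0/24", "zones": {"dmz-mail"}, "source": "third-party-feed"},
        {"net": "203.0.113.0/24", "zones": None, "source": "custom-blacklist"},
    ],
    # Feeds still being validated are logged but not enforced.
    "monitor_only_sources": {"third-party-feed"},
    # A custom whitelist overrides any blacklist entry.
    "whitelist": ["198.51.100.77/32"],
}


def _contains(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def security_intelligence_decision(policy, ip, zone):
    """Return (verdict, reason) for a connection from ip observed in zone.

    verdict is one of 'allow', 'monitor' or 'block'. 'monitor' means the match is
    logged and the connection continues on to normal access control inspection.
    """
    for entry in policy["whitelist"]:
        if _contains(entry, ip):
            return "allow", f"whitelisted by {entry}"
    for entry in policy["blacklist"]:
        if not _contains(entry["net"], ip):
            continue
        if entry["zones"] is not None and zone not in entry["zones"]:
            continue  # this blacklist is only enforced in the listed zones
        if entry["source"] in policy["monitor_only_sources"]:
            return "monitor", f"{entry['source']} match on {entry['net']}, monitor-only"
        return "block", f"{entry['source']} match on {entry['net']}"
    return "allow", "no Security Intelligence match"


if __name__ == "__main__":
    # Constructed sample connections.
    for ip, zone in [("198.51.100.5", "dmz-mail"), ("198.51.100.5", "inside"),
                     ("198.51.100.77", "dmz-mail"), ("203.0.113.9", "inside"), ("192.0.2.1", "inside")]:
        print(f"{ip:<14} {zone:<9} -> {security_intelligence_decision(POLICY, ip, zone)}")
```

The two 198.51.100.5 cases show the zone scoping from the question: the feed is consulted only in dmz-mail, and even there it is in monitor-only mode, so nothing is blocked until the feed has been promoted after review.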

QUESTION 107
Which of the following is not true of SIM systems? (Select the best answer.)

A. They perform realtime threat detection.

B. They focus on policy and standards compliance.

C. They consolidate logs to a central server.

D. They analyze log data and report findings.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Security Information Management (SIM) systems do not perform real-time analysis and detection. SIM systems are focused more on the collection and analysis of logs in a non-real-time fashion. For example, a SIM system might centralize logging on a single device for review and analysis. Some SIM systems also provide assessment tools that can flag potentially threatening events.

Security Event Management (SEM) systems perform real-time analysis and detection. SEM systems typically analyze log data from a number of sources. Some systems also incorporate incident handling tools that enable administrators to more effectively mitigate threats when they occur.

A Security Information and Event Management (SIEM) system combines both the real-time aspects of a SEM system and the in-depth analysis and timeline generation of a SIM system. Therefore, a SIEM system is a hybrid of a SIM system and a SEM system.

Reference:
SANS: IDFAQ: What is The Role of a SIEM in Detecting Events of Interest?
SearchSecurity: TechTarget: security information and event management (SIEM)

QUESTION 108
In the Cisco ISE GUI, you click Administration > Certificates > Certificate Store and notice that a SCEP NDES server RA certificate is installed on the ISE node. Which of the following best describes the reason the certificate is there? (Select the best answer.)

A. The ISE is a SCEP proxy for a Windows CA.

B. The ISE is a CA for the Windows AD domain.

C. The ISE has been compromised, and the CA chain has been altered.

D. The ISE requires the CA in order to mitigate a Windows Server SCEP bug.

Correct Answer: A
Section: (none)
Explanation


Explanation/Reference:
Explanation:
If a Simple Certificate Enrollment Protocol (SCEP) Network Device Enrollment Service (NDES) server registration authority (RA) certificate is installed in the Certificate Store of a Cisco Identity Services Engine (ISE), the ISE is acting as a SCEP proxy for a Windows certificate authority (CA). Implementing ISE as a SCEP proxy enables bring your own device (BYOD) users to register their devices on their own, without administrative overhead from the IT department.

The ISE is not a CA for the Windows Active Directory (AD) domain. When configured with a SCEP CA profile, the ISE will contain a SCEP NDES server RA certificate in the Certificate Store. RAs verify requests for certificates and enable the CA to issue them.

The ISE does not require the CA in order to mitigate a Windows Server SCEP bug. However, configuring ISE as a SCEP proxy to a Microsoft Windows 2008 R2 Server does require the installation of some Microsoft SCEP implementation hotfixes.

There is nothing in this scenario to indicate that the ISE has been compromised. In addition, there is no reason to suspect that the CA chain has been altered.

Reference:
Cisco: ISE SCEP Support for BYOD Configuration Example: Configure ISE as a SCEP proxy

QUESTION 109
You issue the following commands on a Cisco router:

tacacs-server host ts1 timeout 30
tacacs-server timeout 20

Which of the following is true about how the Cisco router communicates with the TACACS+ server? (Select the best answer.)

A. The router will maintain an open TCP connection.

B. The router will maintain an open TCP connection for no more than 20 seconds.

C. The router will wait 20 seconds for the server to reply before declaring an error.

D. The router will wait 30 seconds for the server to reply before declaring an error.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The router will wait 30 seconds for the server to reply before declaring an error. The tacacs-server host ts1 timeout 30 command in this scenario configures a router to connect to a Terminal Access Controller Access Control System Plus (TACACS+) server named ts1. The timeout 30 keyword in this command configures the router to wait 30 seconds for the server to reply before declaring an error.

The router will wait 30 seconds, not 20 seconds, for the server to reply before declaring an error. If the timeout 30 keyword had not been specified in this scenario, the tacacs-server timeout 20 command would have configured the router to wait 20 seconds for the server to reply before declaring an error. The timeout 30 keyword in this scenario overrides the value assigned by the tacacs-server timeout command.

The router will not maintain an open Transmission Control Protocol (TCP) connection, because the single-connection keyword has not been issued in this scenario. The single-connection keyword configures the router to maintain an open connection to the TACACS+ server. When the single-connection keyword is not configured, a Cisco router will open and close a TCP connection to the TACACS+ server each time it needs to perform an operation. When the single-connection keyword is configured, the router connects to the TACACS+ server and maintains that connection even when it is not performing an operation. This setting enhances the efficiency of the communications between the router and the TACACS+ server because the router does not have to constantly close and open connections.


Reference:
Cisco: Configuring TACACS+: Identifying the TACACS+ Server Host

QUESTION 110
You are configuring VPN access for Cisco AnyConnect clients. You finish the configuration by establishing a fail open policy. Which of the following is true of AnyConnect clients that fail to establish a VPN session? (Select the best answer.)


A. They are granted full access to the local network, but without security.

B. They are granted full access to the local network, including security.

C. They are denied full network access, except for local resources.

D. They are denied full network access, including local resources.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Cisco AnyConnect clients that fail to establish a virtual private network (VPN) session under a fail open policy are granted full access to the local network, but without the security provided by the Cisco AnyConnect VPN service.

Connect failure policies are typically applied when the Cisco AnyConnect always-on feature is configured. The always-on feature enables Cisco AnyConnect clients to establish a VPN session automatically whenever the client detects that the host is connected to an untrusted network. For example, a laptop that is used both on a corporate LAN and for remote work might be configured to automatically connect to the corporate VPN whenever the laptop is not directly connected to the corporate LAN. However, any number of problems could prevent the client from actually establishing a connection to the VPN.

There are two types of connect failure policies that you can enable for Cisco AnyConnect always-on clients. The fail open policy allows the client to complete a connection to the local network for access to the Internet or local resources. However, because a VPN session has not been established, the security of the AnyConnect device that is connected to the remote network could be compromised.

The fail closed policy, on the other hand, prevents all network access from the Cisco AnyConnect client except to local devices and devices that are available by using split tunneling. This extra layer of security could prevent the user from accessing the Internet and thus could compromise productivity if the user relies on Internet access to complete work-related tasks. Because the fail closed policy is so restrictive, Cisco recommends implementing it by using a phased approach that includes initially implementing fail open and surveying user activity for AnyConnect issues that might prevent seamless connections.

Reference:
Cisco: Configuring VPN Access: Connect Failure Policy for Always-on VPN

QUESTION 111
Which of the following web application threats is not typically mitigated by installing a WAF? (Select the best answer.)

A. exploits related to uncloaked error messages

B. exploits against known vulnerabilities

C. exploits related to directory traversal vulnerabilities

D. exploits against unknown vulnerabilities

E. exploits related to viruses in file uploads

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, exploits related to unknown vulnerabilities are not typically mitigated by installing a web application firewall (WAF). A WAF sits between a web application and the end user in order to protect the application from malicious activity and known vulnerabilities. Therefore, by installing a WAF, it is possible to protect a vulnerable web application without modifying the application code.

WAFs are not typically capable of protecting a web application against unknown vulnerabilities. WAFs can protect against known or common unpatched web application vulnerabilities by using techniques such as cloaking to protect against information leakage related to uncloaked error messages, encrypting Uniform Resource Locators (URLs) to protect against exploits related to directory traversal, and checking file uploads for viruses.

Reference:
OWASP: Category:OWASP Best Practices: Use of Web Application Firewalls

QUESTION 112
Which of the following is a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring? (Select the best answer.)

A. anomaly detection

B. global correlation

C. reputation filtering

D. a signature definition

E. a threat rating

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A signature definition is a set of rules to which a Cisco Intrusion Prevention System (IPS) appliance can compare network traffic to determine whether an attack is occurring. If the network activity matches a signature definition, IPS can trigger a specific response from other defined event action rule sets, such as denying traffic from a host or alerting an administrator. IPS administrators can manually configure signature definitions in Cisco IPS Device Manager (IDM) or use the Signature Wizard to create custom signature definitions.

Global correlation is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring. Global correlation enables IPS sensors to allow or deny traffic based on the reputation of the sending device. When you enable global correlation, IPS devices will periodically receive updates that include information about known malicious devices on the Internet from the Cisco SensorBase Network. In addition, global correlation will send statistical information about attacks against your company's network to the Cisco SensorBase Network. Cisco uses that information to detect threat patterns on the Internet.

Reputation filtering is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring. Reputation filtering denies packets from hosts that are considered to have a malicious reputation based on the global correlation information that is available from the Cisco SensorBase Network. Reputation filtering is different from global correlation inspection in that reputation filtering denies traffic before the traffic is compared to any signature definitions. In addition, reputation filtering does not generate alerts.

Anomaly detection is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring. Anomaly detection enables IPS to learn what type of network activity is normal activity for the network that is being protected. If a network starts to become congested by traffic that is generated by a worm or if a host that is infected with a worm connects to the network and attempts to infect other hosts, the anomaly detection feature can trigger a specific response, such as denying traffic from the infected host or alerting an administrator.

A threat rating is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring. A threat rating is an event action risk rating that has been lowered because of a specific action taken by IPS. A risk rating is a numerical representation of the risk presented to a network by a specific attack. Risk ratings can range from 0 through 100. Depending on the actions IPS has taken in response to an event, IPS will subtract a value from the threat rating of the event. For example, if IPS responds to a specific event by issuing a request to block the attacking host, a value of 20 will be subtracted from the threat rating.

Reference:
Cisco: Defining Signatures: Understanding Signatures

QUESTION 113
Which of the following describes the primary difference between PGP and S/MIME? (Select the best answer.)

A. PGP can be used to encrypt disk drives, but S/MIME cannot.

B. PGP can use SHA-1 for data integrity, but S/MIME cannot.

C. S/MIME can be used to encrypt email messages, but PGP cannot.

D. S/MIME can use RSA for digital signatures, but PGP cannot.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The primary difference between Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME) is that PGP can be used to encrypt not only email messages, but also files and entire disk drives. PGP is software that uses an asymmetric encryption method to encrypt information. To encrypt a file or a message by using PGP, you must use the recipient's public key. The recipient will then use his or her private key to decrypt the file or message.

Although PGP is an application and S/MIME is a standards-based protocol, both can be used to provide confidentiality, integrity, and nonrepudiation for email messages. Confidentiality is provided by an encryption method, such as Triple Data Encryption Standard (3DES or TDES). Integrity is provided by a hashing algorithm, such as Secure Hash Algorithm 1 (SHA-1). Nonrepudiation is provided by creating digital signatures with an asymmetric encryption method, such as RSA.

Many modern operating systems (OSs) offer their own built-in support for file-level and disk-level encryption. Therefore, third-party software is often no longer necessary for encrypting files.

Reference:
Search Security: Tech Target: Pretty Good Privacy (PGP)
Microsoft TechNet: Understanding S/MIME

QUESTION 114
Which of the following failover link configurations can leave an ASA vulnerable to replay attacks? (Select the best answer.)

A. connecting the active and standby units directly with a crossover cable

B. connecting the active and standby units to a dedicated VLAN on a switch

C. sharing a regular data interface with the stateful failover link

D. sharing the LAN failover link with the stateful failover link

E. using a dedicated Ethernet interface as the stateful failover link

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Sharing a regular data interface with the stateful failover link on a Cisco Adaptive Security Appliance (ASA) can leave the ASA vulnerable to replay attacks. A replay attack is a type of man-in-the-middle attack in which the attacker uses a packet sniffer to capture legitimate network data, such as authentication tokens and preshared keys, and then replays the data to a target. In addition, the attacker might delay or modify the captured data before directing it to the target. On an ASA, all LAN failover and stateful failover information is transmitted as clear text by default. Therefore, sharing the stateful failover link with a regular data interface can unnecessarily expose virtual private network (VPN) configuration information, such as user names, passwords, and preshared keys (PSKs), to malicious users on the shared network segment. You can mitigate this risk by configuring a failover key on both the active unit and the standby unit to protect failover information. Cisco strongly recommends using a dedicated Ethernet interface or sharing a LAN failover link instead of sharing the stateful failover link with a regular data interface.

ASAs can be configured to participate in either a stateless or a stateful failover implementation. In a stateless failover implementation, the active unit and standby unit use a dedicated LAN link, known as a LAN failover link, for failover traffic. The LAN failover link can use any unnamed Ethernet interface and can connect the failover pair directly, with either a straight-through or crossover Ethernet cable, or through a switch, with no other devices on the same network segment or virtual LAN (VLAN) as the failover pair. Although all failover traffic is sent as clear text by default, a LAN failover link does not leave an ASA vulnerable to replay attacks because the failover pair are either directly connected or connected through a dedicated VLAN.

By contrast, the failover link between two ASAs in a stateful failover implementation can use a dedicated Ethernet link, a shared LAN failover link, or a shared regular data interface. If a dedicated Ethernet link is used for stateful failover, it must follow the same connectivity guidelines as a LAN failover link: it can be either a direct connection or a dedicated VLAN on a switch. Like a LAN failover link, a stateful failover link using either a dedicated Ethernet link or a shared LAN failover link does not leave an ASA vulnerable to replay attacks because the failover pair are either directly connected or connected through a dedicated VLAN.

Reference:
Cisco: Information About High Availability: Stateful Failover Link
Category: Cisco Firewall Technologies

QUESTION 115
Which of the following fields make up the header of an ESP packet? (Select 2 choices.)

A. Next Header

B. Pad Length

C. Padding

D. Security Parameter Index

E. Sequence Number

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Security Parameter Index (SPI) and Sequence Number fields make up the header of an Encapsulating Security Payload (ESP) packet. ESP is an IP Security (IPSec) protocol that provides data integrity and confidentiality for IP traffic. The ESP header is always part of the authenticated data in an ESP packet, but the ESP header itself is never encrypted. By contrast, the ESP trailer, which is made up of the Padding, Pad Length, and Next Header fields, is always part of the authenticated data and is always encrypted. The following diagram illustrates the ESP packet format:

ESP can operate in transport mode or tunnel mode. In transport mode, ESP encrypts only the original payload data and the resultant ESP trailer, leaving the original IP header unencrypted. The following diagram illustrates the components of an ESP packet in transport mode:

In tunnel mode, ESP encrypts the entire packet, including the original IP header, the original payload data, and the resultant ESP trailer. The following diagram illustrates the components of an ESP packet in tunnel mode:

Reference:
IETF: RFC 4303: IP Encapsulating Security Payload (ESP): 2. Encapsulating Security Payload Packet Format
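The header/trailer split described above, worked through in code as an added example (not from the study guide): a Python builder and parser for an ESP packet that uses NULL encryption (RFC 2410), so the Padding, Pad Length and Next Header trailer is visible without a cipher. The 12-byte ICV length, the SPI values and the TCP-segment payload are constructed assumptions for the example.

```python
import struct
from dataclasses import dataclass

ESP_HEADER_LEN = 8      # SPI (4 bytes) + Sequence Number (4 bytes); never encrypted
ICV_LEN = 12            # assumption: HMAC-SHA1-96 truncates the ICV to 96 bits
BLOCK_ALIGN = 4         # NULL cipher: RFC 4303 still requires the Pad Length and
                        # Next Header bytes to end on a 4-byte boundary
NEXT_HEADER_IPV4 = 4    # payload is an inner IPv4 packet: tunnel mode
NEXT_HEADER_IPV6 = 41   # payload is an inner IPv6 packet: tunnel mode
NEXT_HEADER_TCP = 6     # payload is a TCP segment: transport mode

# Constructed sample payload: a 20-byte TCP header (src port 50000, dst port 80)
# followed by a short HTTP request; 36 bytes in total.
TCP_SEGMENT = b"\xc3\x50\x00\x50" + b"\x00" * 16 + b"GET / HTTP/1.0\r\n"


@dataclass
class EspPacket:
    spi: int
    seq: int
    payload: bytes
    padding: bytes
    pad_len: int
    next_header: int
    icv: bytes


def default_padding(pad_len: int) -> bytes:
    """RFC 4303 default padding: the bytes 1, 2, 3, ... up to pad_len."""
    return bytes(range(1, pad_len + 1))


def build_esp(spi: int, seq: int, payload: bytes, next_header: int, icv: bytes) -> bytes:
    """Assemble header | payload | Padding | Pad Length | Next Header | ICV."""
    # Smallest padding that makes payload + padding + the 2 trailer bytes
    # a multiple of BLOCK_ALIGN.
    pad_len = (-(len(payload) + 2)) % BLOCK_ALIGN
    header = struct.pack("!II", spi, seq)
    trailer = default_padding(pad_len) + struct.pack("!BB", pad_len, next_header)
    return header + payload + trailer + icv


def parse_esp(raw: bytes, icv_len: int = ICV_LEN) -> EspPacket:
    """Split a NULL-encrypted ESP packet into header, payload, trailer and ICV.

    With a real cipher everything between the header and the ICV would first
    have to be decrypted; the trailer is only readable after that step.
    """
    if len(raw) < ESP_HEADER_LEN + 2 + icv_len:
        raise ValueError("packet too short for an ESP header, trailer and ICV")
    spi, seq = struct.unpack("!II", raw[:ESP_HEADER_LEN])
    if spi == 0:
        raise ValueError("SPI 0 is reserved for local use and must not be sent")
    icv = raw[len(raw) - icv_len:]
    body = raw[ESP_HEADER_LEN:len(raw) - icv_len]
    # The last two bytes of the (decrypted) body are Pad Length and Next Header.
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    if pad_len > len(body) - 2:
        raise ValueError("Pad Length exceeds the ESP body")
    payload_end = len(body) - 2 - pad_len
    padding = body[payload_end:len(body) - 2]
    if padding != default_padding(pad_len):
        raise ValueError("padding does not match the RFC 4303 default pattern")
    return EspPacket(spi, seq, body[:payload_end], padding, pad_len, next_header, icv)


def esp_mode(pkt: EspPacket) -> str:
    """Next Header reveals the mode: an inner IP packet means tunnel mode,
    any other protocol (TCP, UDP, ...) means transport mode."""
    if pkt.next_header in (NEXT_HEADER_IPV4, NEXT_HEADER_IPV6):
        return "tunnel"
    return "transport"


if __name__ == "__main__":
    pkt = build_esp(0x00ABCDEF, 1, TCP_SEGMENT, NEXT_HEADER_TCP, b"\xaa" * ICV_LEN)
    parsed = parse_esp(pkt)
    print(f"SPI={parsed.spi:#010x} seq={parsed.seq} pad_len={parsed.pad_len} "
          f"next_header={parsed.next_header} mode={esp_mode(parsed)}")
```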

QUESTION 116
You want to use the authentication event no-response action authorize vlan 101 command to ensure that network devices incapable of using 802.1X authentication are automatically placed into VLAN 101, which is the guest VLAN. Which of the following VLAN types can you specify as an 802.1X guest VLAN? (Select the best answer.)

A. a primary private VLAN

B. a secondary private VLAN

C. a voice VLAN

D. an RSPAN VLAN

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices available, you can configure a secondary private virtual LAN (VLAN) as an 802.1X guest VLAN with the authentication event no-response action authorize vlan 101 command. The authentication event no-response action authorize vlan command specifies the VLAN into which a switch should place a port if it does not receive a response to the 802.1X Extensible Authentication Protocol over LAN (EAPoL) messages it sends on that port. The VLAN ID must be a number from 1 through 4094. The VLAN ID can specify any active VLAN except for a Remote Switch Port Analyzer (RSPAN) VLAN, a primary private VLAN, or a voice VLAN. In addition, a guest VLAN can be configured on only access ports, not on routed ports or trunk ports.

When a guest VLAN is configured, the switch will grant non-802.1X-capable clients access to the guest VLAN; however, if an 802.1X-capable device is detected, the switch will place the port into an unauthorized state and will deny access to all devices on the port. You can use the authentication event fail action command to specify how the switch should react if an 802.1X client is detected and the client fails to authenticate. There are two configurable parameters: next-method and authorize vlan-id. The authorize vlan-id parameter configures a restricted VLAN, which is functionally similar to the guest VLAN. The next-method parameter configures the switch to attempt authentication by using the next authentication method specified in the authentication order command. For example, if the authentication order 802.1X mab webauth command has been configured and 802.1X authentication fails, the switch will attempt to use Media Access Control (MAC) Authentication Bypass (MAB) to authenticate the client based on its MAC address; if MAB fails, the switch will attempt web-based authentication. If the next-method parameter is configured, the switch will indefinitely cycle through authentication methods unless Web Authentication (WebAuth) is configured. If WebAuth is configured, the authentication process will not loop back to other authentication methods and the switch will ignore EAPoL messages on the port.

Reference:
Cisco: Configuring IEEE 802.1x Port-Based Authentication: Configuring a Guest VLAN

QUESTION 117
Which of the following statements is true about network traffic event logging in Cisco FireSIGHT Management Center? (Select the best answer.)

A. Beginning-of-connection events contain less information than end-of-connection events.

B. Performance is optimized by logging both beginning-of-connection events and end-of-connection events.

C. You can log only beginning-of-connection events for encrypted connections handled by an SSL policy.

D. You can log only end-of-connection events for blocked traffic.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In Cisco FireSIGHT Management Center, beginning-of-connection events contain less information than end-of-connection events. Cisco FireSIGHT Management Center, which was formerly called Sourcefire Defense Center, can log beginning-of-connection and end-of-connection events for various types of network traffic. Although most network traffic will generate both kinds of events, blocked or blacklisted traffic is typically denied without further processing and therefore only generates beginning-of-connection events. Beginning-of-connection events contain a limited amount of information because they are generated based on the information contained in the first few packets of a connection.

By contrast, end-of-connection events are generated when a connection closes, times out, or can no longer be tracked because of memory constraints. End-of-connection events contain significantly more information than beginning-of-connection events because they can draw upon data collected throughout the course of a connection. This additional information can be used to create traffic profiles, generate connection summaries, or graphically represent connection data. In addition, the data can be used for detailed analysis or to trigger correlation rules based on session data. End-of-connection events are also required to log encrypted connections that are handled by a Secure Sockets Layer (SSL) policy because there is not enough information in the first few packets to indicate that a connection is encrypted.

Reference:
Cisco: Logging Connections in Network Traffic: Logging the Beginning or End of Connections

QUESTION 118
Which of the following are asymmetric algorithms? (Select 3 choices.)

A. DH


B. AES

C. 3DES

D. ECC

E. RC4

F. RSA

Correct Answer: ADF
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Diffie-Hellman (DH), Elliptic Curve Cryptography (ECC), and RSA are asymmetric algorithms. DH is an asymmetric key exchange method. RSA and ECC are asymmetric encryption algorithms. Asymmetric encryption, also known as public key encryption, uses a public key to encrypt data and a different, yet mathematically related, private key to decrypt data. Public key infrastructure (PKI) uses a certificate authority (CA) to tie a public key to a user ID to further ensure the confidentiality of data. Asymmetric encryption algorithms use more complex mathematical functions than symmetric encryption algorithms. As a result, asymmetric encryption algorithms take longer to encrypt and decrypt data than symmetric encryption algorithms. Other examples of asymmetric encryption algorithms include Digital Signature Algorithm (DSA) and ElGamal.

Advanced Encryption Standard (AES), RC4, and Triple Data Encryption Standard (3DES) are examples of symmetric encryption algorithms. When symmetric encryption algorithms are used, the same encryption key is used to encrypt and decrypt data. Two types of symmetric algorithms exist: block ciphers and stream ciphers. Block ciphers derive their name from the fact that they encrypt blocks of data. For example, AES encrypts 128-bit blocks of data. By contrast, stream ciphers are typically faster than block ciphers because stream ciphers encrypt text of variable length depending on the size of the frame to be encrypted; stream ciphers are not limited to specific block sizes. For example, RC4, a stream cipher, can encrypt data in streams of 8 through 2,048 bits. Other examples of symmetric encryption algorithms include International Data Encryption Algorithm (IDEA), Skipjack, and Blowfish.

Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 5, Symmetric and Asymmetric Algorithms, pp. 92-94

QUESTION 119
Which of the following statements are true regarding class maps on a Cisco ASA? (Select 2 choices.)

A. QoS traffic shaping is not available for all class maps.

B. Class maps apply specific security measures on a per-session basis.

C. By default, no class maps are defined on an ASA.

D. Class maps must use an ACL to match traffic.

E. Class maps can match traffic based on application protocols.

F. Class maps identify the interface to which a policy map is applied.

Correct Answer: AE
Section: (none)
Explanation


Explanation/Reference:
Explanation:
Class maps can match traffic based on application protocols, and Quality of Service (QoS) traffic shaping is not available for all class maps on a Cisco Adaptive Security Appliance (ASA). A class map is one of the three basic components of Modular Policy Framework (MPF); policy maps and service policies are the other two components. MPF is a Cisco ASA feature that provides a flexible method of enabling security policies on an interface. A class map identifies a specific flow of traffic, a policy map determines the action that will be performed on the traffic, and a service policy ties this action to a specific interface. Generally, each class map can contain only a single match statement, and a packet can match only a single class map within the policy map of a particular feature type. For example, if a packet matched a class map for File Transfer Protocol (FTP) inspection and a class map for traffic policing, the ASA would apply both policy map actions to the packet. However, if a packet matched a class map for FTP inspection and a second, different class map that included FTP inspection, the ASA would apply only the actions of the first matching policy map. By default, two class maps are defined on an ASA; the class-default and inspection_default class maps are part of the default configuration of an ASA.

You can use the match command from class map configuration mode to identify traffic based on specified characteristics. The keywords you can use to identify traffic in a class map are closely tied to their respective characteristics. The match command supports the following keywords: access-list, port, default-inspection-traffic, dscp, precedence, rtp, tunnel-group, and any. For example, you could issue the following commands to create a class map named CLASSMAP that identifies traffic using Transmission Control Protocol (TCP) port 8080:

asa(config)#class-map CLASSMAP
asa(config-cmap)#match port tcp eq 8080

Once traffic has been identified by a class map, the associated policy map can take action on that traffic. A policy map typically contains references to one or more class maps and defines actions that should be performed on traffic matched by the specified class maps. If traffic matches multiple class maps for different actions within a policy map (for instance, if traffic matches a class map for application inspection as well as a class map for priority queuing), the actions of both class maps will be applied to the traffic. To continue the example from above, you could issue the following commands to configure a policy map named POLICYMAP that matches traffic specified by the class map named CLASSMAP and then processes the traffic with the Hypertext Transfer Protocol (HTTP) inspection engine:

asa(config)#policy-map POLICYMAP
asa(config-pmap)#class CLASSMAP
asa(config-pmap-c)#inspect http

A policy map does not act on traffic until the map has been applied to an interface by a service policy. A service policy identifies the interface to which a policy map is applied; a service policy can be applied globally to all interfaces, which will apply application inspection to only traffic entering the appliance. Alternatively, a service policy can be applied to a single interface, which will apply application inspection to traffic entering and exiting the interface. An interface service policy overrides a global service policy: if traffic matches both an interface policy and a global policy, only the interface policy will be applied to that particular traffic flow. To complete the example, you could issue the following command to apply the POLICYMAP policy map to the inside interface:

asa(config)#service-policy POLICYMAP interface inside

QoS traffic shaping is available for only the class-default class map.

Class maps do not apply specific security measures on a per-session basis; dynamic access policies (DAPs) can apply specific security measures on a per-session basis. Configuring a DAP allows you to resolve complications presented by the frequently inconsistent nature of a virtual private network (VPN). For example, users might access your network from different remote locations, with each location having a different configuration, thus presenting a variety of security issues for each individual situation. With a DAP, you can apply specific security measures for each specific situation on a per-session basis. Depending on the circumstances of the next connection from a remote location, a different DAP may be applied if the variables have changed.

Reference:
Cisco: Service Policy Using the Modular Policy Framework: Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping
Cisco: Service Policy Using the Modular Policy Framework: Creating a Layer 3/4 Class Map for Through Traffic

QUESTION 120
Which of the following is true regarding the EAP-FAST authentication process? (Select the best answer.)

A. A digital certificate is required only on the client.

B. A digital certificate is required only on the server.

C. Digital certificates are required on both the client and the server.

D. Digital certificates are not required on the client or the server.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Digital certificates are not required on the client or the server during the Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) authentication process; instead, EAP-FAST uses Protected Access Credentials (PACs). EAP-FAST is an authentication protocol that can be used for point-to-point connections and for both wired and wireless links. The EAP-FAST authentication process consists of three phases. The first phase, which is optional and is referred to as phase 0, provisions the client with a PAC, a shared secret generated by the server that is later used to establish the tunnel. A PAC can instead be distributed manually (out of band), in which case phase 0 is not required. Phase 1 uses the PAC to build a TLS tunnel between the client and the server. Phase 2 authenticates the client inside that tunnel. If the client is authenticated, the client will be able to access the network. Note that anonymous in-band PAC provisioning (phase 0 without a server certificate) gives the client no way to verify the server, so a rogue access point can hand out a PAC; where possible, use authenticated provisioning or manual PAC distribution.
Other EAP methods exist that do rely on digital certificates for authentication. For example, EAP-Transport Layer Security (TLS) requires both a client and a server digital certificate, whereas Protected EAP (PEAP) requires only the server to be configured with a digital certificate. With PEAP, clients can use alternative authentication methods inside the protected tunnel, such as MS-CHAPv2 or one-time passwords (OTPs).
Similar to EAP-FAST, Lightweight EAP (LEAP) does not require either the server or the client to be configured with a digital certificate. When LEAP is used, the client initiates an authentication attempt with a Remote Authentication Dial-In User Service (RADIUS) server. The RADIUS server responds with a challenge, and the client returns a response derived from the user's password. If that exchange is successful, the client in turn challenges the RADIUS server to confirm that the server is legitimate for the network. If the RADIUS server is validated, the client will connect to the network. LEAP's challenge/response is based on MS-CHAP and is vulnerable to offline dictionary attacks, so Cisco recommends migrating from LEAP to EAP-FAST or another tunneled method.
Reference:
Cisco: EAP Methods Summary
Cisco: Configuring EAP-FAST: Table 3-1 Connection Settings (PDF)

QUESTION 121
Which of the following security functions is associated with the data plane? (Select 2 choices.)


A. device configuration protection

B. signaling protection

C. traffic conditioning

D. traffic filtering

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Traffic conditioning and traffic filtering are security functions associated with the data plane. The functions of a Cisco device are generally divided into three planes: the control plane, the management plane, and the data plane. Each plane is responsible for different operations, and each plane can be secured by implementing various security methods.
The data plane is responsible for traffic passing through the device, which is referred to as transit traffic. Therefore, data plane security protects against unauthorized packet transmission and interception. Threats such as IP spoofing, Media Access Control (MAC) address spoofing, Address Resolution Protocol (ARP) spoofing, Dynamic Host Configuration Protocol (DHCP) spoofing, unauthorized traffic interception, and unauthorized network access can be mitigated and monitored by implementing features such as the following:
- Dynamic ARP Inspection (DAI)
- Antispoofing access control lists (ACLs)
- DHCP snooping
- Port ACLs (PACLs)
- Private virtual LANs (VLANs)
- Unicast Reverse Path Forwarding (uRPF)
- VLAN ACLs (VACLs)

The control plane is responsible for the creation and maintenance of structures related to routing and forwarding. These functions are heavily dependent on CPU and memory availability. Therefore, control plane security methods protect against unauthorized traffic destined for the device itself, which can modify routing paths and consume excessive resources. Path modification can be caused by manipulating the traffic generated by routing protocols, VLAN Trunking Protocol (VTP), and Spanning Tree Protocol (STP). Path modification attacks can be mitigated by implementing routing protocol authentication and filtering, VTP authentication, and STP protection features such as BPDU Guard and Root Guard. In addition, excessive CPU and memory consumption can be caused by control plane flooding. Resource consumption attacks can be mitigated by implementing control plane filtering and rate limiting with Control Plane Policing (CoPP) and Control Plane Protection (CPPr).
Device configuration protection is associated with the management plane. Management plane security protects against unauthorized device access and configuration. Unauthorized access can be mitigated by implementing a strong Authentication, Authorization, and Accounting (AAA) solution and by implementing Management Plane Protection (MPP), which restricts management protocols to designated interfaces over which administrators must connect in order to access device administration features. Management traffic can be encrypted by implementing Secure Shell (SSH) in place of Telnet. You can mitigate unauthorized configuration of a device by implementing Role-Based Access Control (RBAC) with privilege levels or CLI views, whereby administrators are limited to using only the features they need to accomplish their jobs. Detection and logging of management plane access can be performed by implementing Simple Network Management Protocol version 3 (SNMPv3) and Syslog servers.
Reference:
Cisco: Cisco Guide to Harden Cisco IOS Devices
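The following is an added example, not configuration from the original page or from the Cisco hardening guide it references, that applies one or more of the controls named for each plane in IOS. The interface names, VLAN numbers, addresses, ACL and class names, and the placeholder key strings in angle brackets are assumptions; the switching commands (DHCP snooping, DAI) apply to Catalyst platforms and the rest to an IOS router.

```cisco
! Added example (not from the original page). Interfaces, addresses, names
! and <placeholders> are assumptions.
!
! ---- Data plane: transit traffic ----
! Strict unicast RPF on the edge link: drop packets whose source address is
! not reachable back through the interface they arrived on.
interface GigabitEthernet0/0
 description Internet uplink
 ip verify unicast source reachable-via rx
!
! Antispoofing ACL: never accept packets claiming an internal or loopback
! source address from the outside.
ip access-list extended ANTISPOOF_IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
interface GigabitEthernet0/0
 ip access-group ANTISPOOF_IN in
!
! DHCP snooping and Dynamic ARP Inspection (switch): only the uplink is
! trusted, so rogue DHCP offers and spoofed ARP replies on access ports
! are discarded.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
interface GigabitEthernet1/0/24
 description uplink to distribution
 ip dhcp snooping trust
 ip arp inspection trust
!
! ---- Control plane: traffic destined to the device itself ----
! Authenticate OSPF neighbors so a rogue router cannot inject routes.
interface GigabitEthernet0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <ospf-key>
!
! CoPP: rate-limit ICMP punted to the CPU; other traffic keeps default
! handling. Measure real rates before choosing the policer value.
ip access-list extended COPP_ICMP
 permit icmp any any
class-map match-all COPP_ICMP_CLASS
 match access-group name COPP_ICMP
policy-map COPP
 class COPP_ICMP_CLASS
  police 64000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
!
! ---- Management plane: administrative access ----
hostname R1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
aaa new-model
aaa authentication login default group tacacs+ local
line vty 0 4
 transport input ssh
!
! MPP: management protocols are accepted only on the designated interface.
control-plane host
 management-interface GigabitEthernet0/1 allow ssh snmp
!
! SNMPv3 with authentication and privacy, plus remote syslog.
snmp-server group ADMINS v3 priv
snmp-server user monitor ADMINS v3 auth sha <auth-pass> priv aes 128 <priv-pass>
logging host 10.1.1.50
```

After applying the control plane policy, show policy-map control-plane reports the conform and exceed counters per class; a non-zero exceed count under normal operation means the policer is set too low and will start dropping legitimate management or routing traffic.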


QUESTION 122
Which of the following capabilities do an IDS and an IPS have in common? (Select the best answer.)

A. blocking a particular connection

B. blocking traffic from a particular host

C. modifying traffic

D. resetting TCP connections

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
An Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) can both reset Transmission Control Protocol (TCP) connections. An IDS is a network monitoring device that passively monitors network traffic and actively sends alerts to a management station when it detects malicious traffic. An IDS typically has one promiscuous network interface attached to each monitored network, fed by a SPAN session or a network tap. Because traffic does not flow through the IDS, the IDS is unable to directly block malicious traffic; however, an IDS can do any of the following:
- Request that another device block a connection
- Request that another device block a particular host
- Reset TCP connections, by injecting forged TCP RST segments toward one or both endpoints (this works only for TCP, and only if the RST arrives before the malicious exchange completes)

An IDS can prevent further instances of previously detected malicious traffic from passing onto the network by creating access control lists (ACLs) on routers in the traffic path or by configuring other security devices that reside in the flow of traffic; on Cisco sensors this is called blocking or shunning.
By contrast, an IPS typically sits inline with the flow of traffic and can therefore block malicious traffic before it passes onto the network. An inline IPS can perform the following actions:
- Block traffic from a particular host
- Block a particular connection
- Modify traffic
- Reset TCP connections

However, if an IPS sits inline with traffic, a failed IPS device can cause all traffic to be dropped unless the device or its interface pair is configured to fail open (hardware bypass); failing open preserves availability at the cost of unprotected traffic during the outage, so the choice should be deliberate. Analyzing all of the traffic that passes through the IPS can also add latency and jitter. Alternatively, an IPS can be configured to operate in promiscuous mode, which would make it functionally similar to an IDS.
Reference:
Cisco: Managed Security Services Partnering for Network Security: Managed Intrusion Detection and Prevention Systems

QUESTION 123
Which of the following statements are true regarding RADIUS? (Select 2 choices.)

A. It encrypts only the password in Access-Request packets.

B. It combines authorization and authentication functions.


C. It provides more flexible security options than TACACS+.

D. It uses TCP port 49.

E. It is a Cisco-proprietary standard protocol.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Remote Authentication Dial-In User Service (RADIUS) combines authentication and authorization into a single function and encrypts only the password in Access-Request packets. RADIUS is an Internet Engineering Task Force (IETF) standard protocol (RFC 2865) for Authentication, Authorization, and Accounting (AAA) operations. RADIUS uses User Datagram Protocol (UDP) for packet delivery, on port 1812 for authentication and port 1813 for accounting (or the legacy ports 1645 and 1646); TCP port 49 is used by TACACS+, not RADIUS. Because RADIUS obscures only the User-Password attribute (by XORing it with an MD5 digest of the shared secret and the Request Authenticator), the rest of the packet, including the user name and the attributes returned in the Access-Accept, would be readable if the packet were intercepted by a malicious user; where that matters, carry RADIUS inside an IPsec tunnel or use RADIUS over TLS (RadSec, RFC 6614). RADIUS offers less flexible security options than Terminal Access Controller Access Control System Plus (TACACS+), because RADIUS combines the authentication and authorization functions of AAA into a single exchange and does not provide per-command router authorization.
By contrast, TACACS+ is a Cisco-proprietary protocol that uses Transmission Control Protocol (TCP) port 49 for transport during AAA operations. TACACS+ provides more security and flexibility than RADIUS because TACACS+ encrypts the entire body of a packet (with a keystream derived from the shared secret) and separates the authentication, authorization, and accounting functions of AAA. This separation enables granular control of access to resources. For example, TACACS+ gives administrators control over access to configuration commands; users can be permitted or denied access to specific configuration commands. Because of this flexibility, TACACS+ is commonly used with Cisco Secure Access Control Server (ACS), which is a software tool that is used to manage user authorization for router access.
Reference:
Cisco: TACACS+ and RADIUS Comparison: Compare TACACS+ and RADIUS
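The following is an added example, not configuration from the original page, that puts the two protocols side by side on one IOS device: RADIUS for network access (802.1X), where authentication and authorization come back together in a single Access-Accept, and TACACS+ for device administration with per-command authorization, which RADIUS cannot provide. The server names, addresses and the placeholder secrets in angle brackets are assumptions.

```cisco
! Added example (not from the original page). Server names, addresses and
! <secrets> are assumptions.
aaa new-model
!
! RADIUS server (UDP 1812/1813). The key is the shared secret used to hide
! the User-Password attribute and to authenticate server responses.
radius server ISE
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
!
! TACACS+ server (TCP 49); the whole packet body is obscured with the key.
tacacs server ACS
 address ipv4 10.1.1.11
 key <tacacs-shared-secret>
!
! Network access: 802.1X supplicants are authenticated by RADIUS, and the
! VLAN/ACL authorization arrives in the same Access-Accept.
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! Device administration: log in against TACACS+, fall back to the local
! database only when the server is unreachable, and have the server approve
! each privilege-level 15 command before it executes.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
!
! Command authorization is not applied to the console unless requested;
! enable it only once a working fallback account exists.
aaa authorization console
username fallback-admin privilege 15 secret <strong-password>
```

Before enabling command authorization on a production device, keep a second session open and verify with test aaa group tacacs+ that the server answers; a typo in the shared secret combined with the local fallback not yet configured is the usual way administrators lock themselves out.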

QUESTION 124
Which of the following protocols can IPSec use to provide the confidentiality component of the CIA triad? (Select 2 choices.)

A. AES

B. AH

C. DES

D. MD5

E. SHA

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices available, IP Security (IPSec) can use either Advanced Encryption Standard (AES) or Data Encryption Standard (DES) to provide the confidentiality component of the confidentiality, integrity, and availability (CIA) triad. The confidentiality component of the CIA triad ensures that transmitted data cannot be read by an unauthorized party if the data is intercepted before it reaches its destination. Depending on the amount of confidentiality desired, IPSec can use AES or DES with Encapsulating Security Payload (ESP) in either transport mode or tunnel mode. DES, with its 56-bit key, is no longer considered secure; AES should be used in practice. In transport mode, ESP uses AES or DES to encrypt only the original payload data and the resultant ESP trailer, leaving the original IP header and the ESP header unencrypted. The components of an ESP packet in transport mode are:

[original IP header] [ESP header] [original transport header + data] [ESP trailer] [ESP ICV]
                                  |<------------- encrypted ------------->|
                     |<---------------- covered by the ICV ---------------->|

In tunnel mode, ESP uses AES or DES to encrypt the entire original packet, including the original IP header, the original payload data, and the resultant ESP trailer, and prepends a new outer IP header addressed to the tunnel endpoint. The components of an ESP packet in tunnel mode are:

[new IP header] [ESP header] [original IP header] [original transport header + data] [ESP trailer] [ESP ICV]
                             |<----------------------- encrypted ----------------------->|
                |<-------------------------- covered by the ICV --------------------------->|

IPSec can use Authentication Header (AH) and ESP to provide the integrity component of the CIA triad, not the confidentiality component. The integrity component of the CIA triad ensures that unauthorized parties have not modified data as it was transmitted over the network. Data integrity is provided by using a keyed hash (HMAC) built on an algorithm such as Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) to produce an integrity check value (ICV) on each end of the connection. If the data generates the same value on each end of the connection, the data was not modified in transit. Because the HMAC key is known only to the two peers, AH and ESP also authenticate the origin of each packet. This per-packet data origin authentication is distinct from peer authentication, which happens once during Internet Key Exchange (IKE) negotiation using methods such as pre-shared keys (PSKs), RSA signatures with digital certificates, or, for remote-access users, user name/password combinations and one-time passwords (OTPs). AH also covers the outer IP header, which is why AH does not survive Network Address Translation (NAT) whereas ESP does.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 1, Confidentiality, Integrity, and Availability, pp. 14-15
IETF: RFC 4301: Security Architecture for the Internet Protocol: 3.2. How IPsec Works
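The following is an added example, not configuration from the original page, showing an IOS site-to-site IPsec configuration in which the confidentiality decision is made explicit: an ESP transform set with AES provides encryption, while an AH-only transform set (shown for contrast) provides integrity and origin authentication but leaves the payload in cleartext. The peer address, ACL, names and the placeholder key are assumptions.

```cisco
! Added example (not from the original page). Peer address, names, the
! protected subnets and <pre-shared-key> are assumptions.
!
! IKEv1 phase 1: peer authentication (PSK here) and key agreement.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address 203.0.113.2
!
! ESP with AES provides confidentiality; the SHA-256 HMAC provides
! integrity and data origin authentication for every packet.
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! AH alone provides integrity only: the payload crosses the network in
! cleartext, and AH breaks behind NAT. Defined here only to show the
! contrast; do not bind it where confidentiality is required.
crypto ipsec transform-set AH-ONLY ah-sha-hmac
 mode transport
!
! Traffic to protect and the crypto map that binds the encrypting
! transform set to the peer.
ip access-list extended VPN_TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-AES256-SHA256
 match address VPN_TRAFFIC
interface GigabitEthernet0/0
 crypto map VPN
!
! Verify: the negotiated SA must list the ESP-AES transform; an SA showing
! only "ah" (or "esp-null") means the tunnel carries no encryption.
show crypto ipsec sa
show crypto isakmp sa
```

When reviewing an existing device, check the transform set actually bound by set transform-set rather than the ones merely defined; a leftover esp-des or esp-null transform in the list does no harm until a crypto map references it.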

QUESTION 125You issue the following commands on a Cisco ASA with no other configured interfaces:

asa(config)#interface gigabitethernet 0/1
asa(config-if)#speed 1000
asa(config-if)#duplex full
asa(config-if)#nameif inside
asa(config-if)#ip address 10.1.1.1 255.255.255.0
asa(config-if)#no shutdown
asa(config-if)#exit
asa(config)#telnet 10.1.1.0 255.255.255.0 inside
asa(config)#telnet timeout 30

Which of the following statements is true regarding the resulting configuration? (Select the best answer.)

A. Telnet sessions will time out after 30 seconds of inactivity.

B. The ASA will assign the interface a security level of 0.

C. The ASA will assign the interface a security level of 100.

D. Telnet sessions will be denied until a security level is manually assigned.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the Cisco Adaptive Security Appliance (ASA) will assign the GigabitEthernet 0/1 interface a security level of 100. The block of commands in this scenario configures the GigabitEthernet 0/1 interface to operate in full-duplex mode at a speed of 1,000 megabits per second (Mbps), names the interface "inside", and assigns the IP address 10.1.1.1 with a network mask of 255.255.255.0. In addition, the no shutdown command enables the interface. The telnet commands define a network range that is permitted to Telnet to the inside interface and configure a Telnet idle-timeout value. Because no security level is manually assigned to the interface, the ASA assigns one automatically. The default security level on an ASA is 0; however, an interface named "inside" is an exception to this rule because it is automatically assigned a security level of 100 if a security level is not explicitly configured. An interface can be assigned any integer security level from 0 through 100, and you can confirm the assigned value with the show nameif command.
Telnet sessions will not be denied to the GigabitEthernet 0/1 interface until a security level is manually assigned. Normally, Telnet traffic is not permitted to the interface with the lowest security level. However, if there is only one configured interface and it has a security level of 100, Telnet traffic is permitted even though the interface simultaneously has the highest and the lowest security level. Because the ASA automatically assigns a security level of 100 to the inside interface, Telnet sessions will be able to access the interface. If there were other active interfaces on the ASA, a Telnet session would be permitted to the interface with the lowest security level only if that session was protected by a virtual private network (VPN) tunnel terminating on the interface.
Although there are several methods for working around the Telnet access restrictions of the ASA, Cisco recommends disabling Telnet, which sends credentials and session contents in cleartext, and using more secure methods for management access, such as Secure Shell (SSH) or Hypertext Transfer Protocol Secure (HTTPS) instead; neither HTTPS nor SSH is restricted by the security level of an interface.
Telnet sessions will not time out after 30 seconds of inactivity. The telnet timeout 30 command specifies an inactivity timeout of 30 minutes, not 30 seconds. The telnet timeout command accepts an integer value from 1 through 1440 to specify the number of minutes a Telnet session can remain idle before the ASA closes the connection; the default is 5 minutes.
Reference:
Cisco: Cisco ASA 5500 Series Command Reference: security-level
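The following is an added example, not configuration from the original page, that replaces the Telnet access in the question with SSH and HTTPS on the same inside interface, as the explanation recommends. The hostname, domain name, local account and the placeholder password are assumptions; the management subnet is the one from the question.

```cisco
! Added example (not from the original page). Hostname, domain, account
! name and <strong-password> are assumptions.
!
! Remove the cleartext management path from the question.
no telnet 10.1.1.0 255.255.255.0 inside
no telnet timeout 30
!
! SSH needs a hostname and domain name before the RSA key pair is generated.
hostname asa
domain-name example.net
crypto key generate rsa modulus 2048
ssh version 2
!
! Permit SSH from the management subnet on the inside interface only, and
! close idle sessions after 10 minutes (default is 5; range 1-60).
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 10
!
! ASDM/HTTPS management from the same subnet.
http server enable
http 10.1.1.0 255.255.255.0 inside
!
! Local account used for SSH and HTTPS logins (or as fallback when an AAA
! server is configured and unreachable).
username admin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
!
! Verify that no telnet lines remain and that SSH sessions are accepted.
show running-config telnet
show running-config ssh
show ssh sessions
```

Unlike Telnet, SSH and HTTPS are permitted to any interface regardless of its security level, so the "lowest security interface" restriction discussed above never forces an administrator back to Telnet; if SSH is needed on the outside interface, add an ssh line for a narrowly scoped source range rather than re-enabling Telnet.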

QUESTION 126
Which of the following vulnerabilities did the Blaster worm exploit on target hosts? (Select the best answer.)


A. a buffer overflow vulnerability in the DCOM RPC service

B. a buffer overflow vulnerability in IIS software

C. a buffer overflow vulnerability in Microsoft SQL Server

D. a remote code execution vulnerability in the printer spooler service

E. a remote code execution vulnerability in the processing of .lnk files

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Blaster worm exploited a buffer overflow vulnerability in the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) service on Microsoft Windows hosts, reachable over TCP port 135. The worm carried a destructive payload that configured the target host to engage in Denial of Service (DoS) attacks on Microsoft's update servers. Microsoft had released a patch (security bulletin MS03-026) several weeks before Blaster appeared, but enough hosts remained unpatched that several other worms exploited the same vulnerability. For example, the Welchia worm targeted the same vulnerability. Welchia was developed to scan the network for vulnerable machines, infect them, and then remove the Blaster worm if present. It was even designed to download and install the appropriate patch from Microsoft to fix the vulnerability that it and Blaster initially exploited to infect the target machine. However, despite the good-natured design intentions of the Welchia worm, its network-scanning component inadvertently caused DoS conditions on several large networks, including those of the United States armed forces.
Stuxnet is an example of a worm that exploited vulnerabilities in both the print spooler service and the processing of .lnk files. Stuxnet was used in an act of cyber warfare against Iranian industrial control systems (ICSs). It was written to target specific ICSs by modifying code on programmable logic controllers (PLCs). Stuxnet spread across networks through the print spooler vulnerability and through removable media by exploiting a vulnerability in the way that Windows processes shortcuts (.lnk files). Research from Symantec published in 2011 indicated that at the time, over 60 percent of the Stuxnet-affected hosts had been in Iran. Symantec analyzed Stuxnet and its variants and discovered that five organizations were the primary targets of infection and that further infections were likely collateral damage from the aggressive manner in which the worm spreads throughout a network.
Given the considerable cost in resources and man-hours that would have been required to craft the Stuxnet worm, it was theorized that it was likely intended to sabotage high-value targets such as nuclear materials refinement facilities.
SQL Slammer is an example of a worm that exploited a buffer overflow vulnerability in Microsoft Structured Query Language (SQL) Server software. SQL Slammer fit in a single 376-byte UDP datagram, spread at a tremendous rate, and was reported to have infected as many as 12,000 servers per minute. Its high scanning rate generated enough traffic on many networks to effectively produce DoS effects as collateral damage to the infection.
Code Red is an example of a worm that exploited a buffer overflow vulnerability in Microsoft Internet Information Server (IIS) software. Although not as efficient as SQL Slammer, Code Red still managed to infect as many as 2,000 hosts per minute. The initial Code Red variant failed to infect more than a single set of IP addresses because it seeded its random address generator with a fixed value, so every infected host scanned the same list; a later variant was reported to have affected over 350,000 hosts within the first 14 hours of its release into the wild.
Reference:
Cisco: The Internet Protocol Journal: Trends in Viruses and Worms

QUESTION 127
Which of the following statements is true regarding the primary bootset when the Cisco IOS Resilient Configuration feature is enabled? (Select the best answer.)

A. The configuration file can be secured on a TFTP server, but the system image must be secured on local storage.

B. The system image can be secured on a TFTP server, but the configuration file must be secured on local storage.

C. The configuration file and the system image must both be secured on local storage.


D. The configuration file and the system image must both be secured on remote storage.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The configuration file and the system image must both be secured on local storage when the Cisco IOS Resilient Configuration feature is enabled. The Resilient Configuration feature is designed to protect the system image and configuration files from tampering and accidental deletion, so that a router whose files have been erased by an attacker can be recovered on site without a replacement image or configuration being shipped in. You can issue the following block of commands to enable the Resilient Configuration feature:

Router#configure terminal
Router(config)#secure boot-image
Router(config)#secure boot-config

When the feature is enabled, the primary system image file and the associated running configuration are securely archived in local persistent storage; you cannot select a remote storage location. The secure boot-image command enables the image resilience component of the Resilient Configuration feature and effectively hides the system image from the directory structure. This means that the system image will no longer be displayed when the dir command is issued from the command prompt of an EXEC shell. In addition, because the system image file is not copied to a secure location but merely hidden in place, extra storage is not required to secure it. By contrast, the secure boot-config command creates a hidden copy of the running configuration file. The secured versions of the system image and running configuration are referred to as the primary bootset, and you can verify both with the show secure bootset command.
You can restore either or both components of the primary bootset at any time. The system image can be restored from read-only memory (ROM) monitor (ROMmon) mode, and the running configuration can be restored from global configuration mode by using the restore parameter of the secure boot-config command. Once the system image and running configuration have been secured, the router will track version mismatches and produce a console message if the system image or running configuration have mismatched versions. Once the Resilient Configuration feature is enabled, it can only be disabled from the console, which prevents an attacker with remote access from turning it off; note that the feature protects against tampering through the IOS file system and not against physical removal of the flash media.
Reference:
Cisco: Cisco IOS Resilient Configuration: Feature Design of Cisco IOS Resilient Configuration
Category: Secure Routing and Switching
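The following is an added example, not configuration from the original page, showing the full lifecycle of the primary bootset: enabling the feature, verifying it, restoring the configuration from the hidden archive, recovering the image from ROMmon, and the console-only disable. The flash filesystem name, the rescue filename and the image name in angle brackets are assumptions.

```cisco
! Added example (not from the original page). Filesystem, rescue filename
! and <secured-image-name> are assumptions.
!
! Enable both halves of the feature and verify the primary bootset.
Router#configure terminal
Router(config)#secure boot-image
Router(config)#secure boot-config
Router(config)#end
Router#show secure bootset
!
! The secured image is hidden from the IOS file system: a normal listing
! no longer shows it, which is also how you spot a router where the
! feature is silently enabled.
Router#dir flash:
!
! Recover a tampered or deleted configuration: write the archived copy to
! a file, then load it and save it as the startup configuration.
Router#configure terminal
Router(config)#secure boot-config restore flash:rescue-cfg
Router(config)#end
Router#copy flash:rescue-cfg running-config
Router#copy running-config startup-config
!
! Recover a deleted image from ROMmon: the secured image is visible to the
! ROMmon dir command even though IOS hides it. Boot it, then set the boot
! variable so the router starts from it automatically.
rommon 1 > dir flash:
rommon 2 > boot flash:<secured-image-name>
Router(config)#boot system flash:<secured-image-name>
!
! Disabling is accepted only on a console session; the same commands are
! rejected over SSH or Telnet.
Router(config)#no secure boot-image
Router(config)#no secure boot-config
```

After every IOS upgrade, re-run secure boot-image so the archive tracks the new image; otherwise show secure bootset reports a version mismatch and the ROMmon recovery path would boot the old image.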

QUESTION 128
Which of the following can be installed on a host to ensure that only specified inbound and outbound connections are permitted? (Select the best answer.)


A. antivirus software

B. a HIPS

C. a personal firewall


D. a proxy server

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A personal firewall can be installed on a host to ensure that only specified inbound and outbound connections are permitted. A personal firewall can protect a host from malicious traffic by permitting or denying specific applications or network ports access to the host or its network interface. Typically, a personal firewall provides sufficient granularity to specify the direction of a particular flow of traffic. For example, you could permit outbound web traffic but deny inbound Internet Control Message Protocol (ICMP) messages.
A Host-based Intrusion Prevention System (HIPS) can be installed on a host to analyze and prevent malicious traffic on that host. An Intrusion Prevention System (IPS) can be used to actively monitor, analyze, and block malicious traffic before it infects devices. HIPS software can be installed on a host computer to protect that computer against malicious traffic. By contrast, a Network-based IPS (NIPS) is an independent operating platform, often a standalone appliance or a hardware module installed in a chassis. A NIPS device can be installed inline on a network to monitor and prevent malicious traffic from being sent to other devices on the network. One advantage of using a NIPS over a HIPS is that a NIPS can detect low-level network events, such as the scanning of random hosts on the network; a HIPS can only detect scans for which it is the target. A HIPS and a NIPS can be used together to provide an additional layer of protection.
You could not install antivirus software to ensure that only specified inbound and outbound connections are permitted. Antivirus software monitors the file system and memory space on a host for malicious code. Although the antivirus software might protect the host from malicious file execution, it would be unable to protect the host from malicious traffic. Some antivirus vendors offer integrated security suites, which feature personal firewall, HIPS, antivirus, and antimalware components.
You could not install a proxy server on a host to ensure that only specified inbound and outbound connections are permitted. A proxy server is typically an application layer gateway that provides resource caching and traffic filtering for a particular class of traffic, such as web content. Although you could install a proxy server locally on a host and use it to process specified outbound connections, it would not be able to restrict outbound connections that were not configured to use the proxy, nor would it be able to restrict inbound connections.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 19, Mitigation Technologies for Endpoint Threats, pp. 498-499
Category: Cisco Firewall Technologies

QUESTION 129
Which of the following statements are true regarding the FirePOWER inline normalization preprocessor engine? (Select 2 choices.)

A. Inline normalization can process IPv4 and ICMPv4 traffic but not IPv6 traffic.

B. Inline normalization can process IPv4 and IPv6 traffic but not ICMPv4 traffic.

C. Inline normalization cannot detect TCP SYN flood attacks.

D. Inline normalization cannot detect TCP session hijacking attacks.

E. Inline normalization takes place immediately before decoding by the packet decoder.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The FirePOWER inline normalization preprocessor engine cannot detect Transmission Control Protocol (TCP) SYN flood attacks or session hijacking attacks. The inline normalization preprocessor can be used by a FirePOWER Intrusion Prevention System (IPS) that is deployed in an inline configuration. Packet normalization reduces the chances of malicious traffic evading detection through ambiguous encodings, for example overlapping IP fragments or TCP segments that different host operating systems reassemble differently. The inline normalization process takes place immediately after the IPS packet decoder decodes the packet and before any other preprocessor runs, which ensures that the packets being analyzed by the IPS are identical to the packets that will be reassembled by the target host. The inline normalization preprocessor can perform normalizations on various components of Internet Control Message Protocol version 4 (ICMPv4), ICMPv6, IP version 4 (IPv4), IPv6, and TCP packets. For example, it can reset the time-to-live (TTL) value on a packet if it detects a TTL value outside of a user-defined range, which defeats evasion techniques that rely on low-TTL packets expiring before they reach the target but after they have been seen by the sensor.
The FirePOWER rate-based prevention preprocessor engine, not the inline normalization preprocessor engine, can detect SYN flood traffic. The rate-based prevention preprocessor engine detects traffic abnormalities based on the frequency of certain types of traffic. The following traffic patterns can trigger rate-based attack prevention:
- Traffic containing excessive incomplete TCP connections
- Traffic containing excessive complete TCP connections
- Excessive rule matches for a particular IP address or range of IP addresses
- Excessive rule matches for one particular rule regardless of IP address

The FirePOWER TCP stream preprocessor engine, not the inline normalization preprocessor, can detect session hijacking attacks. The stream preprocessor reassembles the packets of a TCP data stream into a single comprehensive unit for scanning. Because the TCP stream preprocessor has access to multiple packets in a data stream, it can track state information, analyze payload anomalies, and identify stream-based attacks that cannot be identified by single-packet analysis.
Reference:
Cisco: Configuring Transport & Network Layer Preprocessing: Normalizing Inline Traffic

QUESTION 130
What is the effect of the same-security-traffic permit intra-interface command on a Cisco ASA? (Select the best answer.)

A. It allows communication between different interfaces that share the same security level.

B. It allows traffic to exit the same interface through which it entered.

C. It allows outbound traffic and the corresponding return traffic to pass through different ASAs.

D. It allows traffic destined to unprotected subnets to bypass a VPN tunnel.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
On a Cisco Adaptive Security Appliance (ASA), the same-security-traffic permit intra-interface command allows traffic to exit the same interface through which it entered, which is also known as hairpinning or U-turn traffic. By default, an ASA does not allow packets to enter and exit through the same physical interface. However, because multiple logical virtual LANs (VLANs) can be assigned to the same physical interface, it is sometimes necessary to allow a packet to enter and exit through the same interface. The same-security-traffic permit intra-interface command allows packets to be sent and received on the same interface even if the traffic is protected by IP Security (IPSec) security policies. Another scenario for which you would need to use the same-security-traffic permit intra-interface command is when multiple users connect via virtual private network (VPN) through the same physical interface. These users will not be able to communicate with one another unless the same-security-traffic permit intra-interface command has been issued from global configuration mode. Hairpinned traffic is still subject to the interface access list and to NAT, so both must also permit the flow.
The same-security-traffic permit inter-interface command, not the same-security-traffic permit intra-interface command, allows communication between different interfaces that share the same security level. By default, interfaces with the same security level are not allowed to communicate with each other.
A split tunneling policy, not the same-security-traffic permit intra-interface command, allows traffic destined to unprotected subnets to bypass an encrypted tunnel. With split tunneling, only traffic destined to protected subnets is routed through the appropriate VPN tunnel. Traffic destined to unprotected subnets, such as the Internet, can bypass the tunnel and be routed normally; the trade-off is that the remote host then sits on both the Internet and the protected network at once, so endpoint controls become more important. You can issue the split-tunnel-policy and split-tunnel-network-list commands in group-policy attributes mode to configure a split tunneling policy.
TCP state bypass, not the same-security-traffic permit intra-interface command, allows outbound traffic and the corresponding return traffic to pass through different ASAs. With TCP state bypass, an ASA will allow a specific class of traffic to pass through the ASA without the traffic class having an entry in the ASA's state table. TCP state bypass is disabled by default. You can issue the set connection advanced-options tcp-state-bypass command in policy-map class configuration mode to enable the TCP state bypass feature for that class; because bypassed traffic receives no stateful inspection, limit the class to the asymmetric flows that need it.
Reference:
Cisco: Configuring Interfaces: Allowing Same Security Level Communication
Category: VPN
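The following is an added example, not configuration from the original page, that places the four features contrasted in the explanation side by side on one ASA so their scopes are visible: hairpinning, equal-security inter-interface traffic, a split tunneling policy, and a narrowly scoped TCP state bypass policy. The interface names, address ranges, ACL names and the group policy name are assumptions.

```cisco
! Added example (not from the original page). Interface names, addresses,
! ACL and group-policy names are assumptions.
!
! 1. Hairpinning: traffic may leave through the interface it arrived on.
!    Needed for VPN client-to-client traffic and for routing a client's
!    traffic back out the outside interface. Interface ACLs and NAT rules
!    still apply to the hairpinned flow.
same-security-traffic permit intra-interface
!
! 2. Two interfaces at the same security level (dmz1 and dmz2, both 50)
!    may exchange traffic. Without this, equal-security traffic is denied
!    regardless of any ACL.
interface GigabitEthernet0/2
 nameif dmz1
 security-level 50
interface GigabitEthernet0/3
 nameif dmz2
 security-level 50
same-security-traffic permit inter-interface
!
! 3. Split tunneling: only 10.1.0.0/16 is sent through the remote-access
!    tunnel; the client's Internet traffic bypasses it.
access-list SPLIT standard permit 10.1.0.0 255.255.0.0
group-policy RA_USERS internal
group-policy RA_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
!
! 4. TCP state bypass for one asymmetric path, via the Modular Policy
!    Framework. Bypassed flows get no stateful inspection, so the ACL is
!    restricted to the subnet whose replies return through another ASA.
access-list TCP_BYPASS extended permit tcp 10.1.5.0 255.255.255.0 any
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
service-policy TCP_BYPASS_POLICY interface inside
!
! Verify the same-security settings and that the bypass class is matching.
show running-config same-security-traffic
show service-policy interface inside
```

When hairpinned VPN traffic still fails after the intra-interface command is enabled, the next thing to check is NAT: the ASA must have a rule that exempts or correctly translates the client-to-client flow on the outside interface, and the client address pool must be routable back through the tunnel.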
