Download - CCNA Security 640-554 QA
-
7/25/2019 CCNA Security 640-554 QA
1/50
QUESTION 1
Which two features are supported by Cisco IronPort Security Gateway? (Choose two.)
A. spam protection
B. outbreak intelligence
C. HTTP and HTTPS scanning
D. email encryption
E. DDoS protection
Correct Answer: AD
QUESTION 2
Which option is a feature of Cisco ScanSafe technology?
A. spam protection
B. consistent cloud-based policy
C. DDoS protection
D. RSA Email DLP
Correct Answer: B
QUESTION 3
Which two characteristics represent a blended threat? (Choose two.)
A. man-in-the-middle attack
B. trojan horse attack
C. pharming attack
D. denial of service attack
E. day zero attack
Correct Answer: BE
QUESTION 4
Under which higher-level policy is a VPN security policy categorized?
A. application policy
B. DLP policy
C. remote access policy
D. compliance policy
E. corporate WAN policy
Correct Answer: C
QUESTION 5
Refer to the exhibit. What does the option secret 5 in the username global configuration mode command indicate about the user password?
A. It is hashed using SHA.
B. It is encrypted using DH group
C. It is hashed using MD5.
D. It is encrypted using the service password-encryption command.
E. It is hashed using a proprietary Cisco hashing algorithm.
F. It is encrypted using a proprietary Cisco encryption algorithm.
Correct Answer: C
QUESTION 6
What does level 5 in this enable secret global configuration mode command indicate?
A. router#enable secret level 5 password
B. The enable secret password is hashed using MD5.
C. The enable secret password is hashed using SHA.
D. The enable secret password is encrypted using Cisco proprietary level 5 encryption.
E. Set the enable secret command to privilege level 5.
F. The enable secret password is for accessing exec privilege level 5.
Correct Answer: E
QUESTION 7
Which Cisco management tool provides the ability to centrally provision all aspects of device configuration across the Cisco family of security products?
A. Cisco Configuration Professional
B. Security Device Manager
C. Cisco Security Manager
D. Cisco Secure Management Server
Correct Answer: C
QUESTION 8
Which option is the correct representation of the IPv6 address 2001:0000:150C:0000:0000:41B1:45A3:041D?
A. 2001::150c::41b1:45a3:041d
B. 2001:0:150c:0::41b1:45a3:04d1
C. 2001:150c::41b1:45a3::41d
D. 2001:0:150c::41b1:45a3:41d
Correct Answer: D
QUESTION 9
Which three options are common examples of AAA implementation on Cisco routers? (Choose three.)
A. authenticating remote users who are accessing the corporate LAN through IPsec VPN connections
B. authenticating administrator access to the router console port, auxiliary port, and vty ports
C. implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates
D. tracking Cisco NetFlow accounting statistics
E. securing the router by locking down all unused services
F. performing router commands authorization using TACACS+
Correct Answer: ABF
QUESTION 10
When AAA login authentication is configured on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)
A. group RADIUS
B. group TACACS+
C. local
D. krb5
E. enable
F. if-authenticated
Correct Answer: CE
QUESTION 11
Which two characteristics of the TACACS+ protocol are true? (Choose two.)
A. uses UDP ports 1645 or 1812
B. separates AAA functions
C. encrypts the body of every packet
D. offers extensive accounting capabilities
E. is an open RFC standard protocol
Correct Answer: BC
QUESTION 12
Refer to the exhibit. Which statement about this output is true?
A. The user logged into the router with the incorrect username and password.
B. The login failed because there was no default enable password.
C. The login failed because the password entered was incorrect.
D. The user logged in and was given privilege level 15.
Correct Answer: C
QUESTION 13
Refer to the exhibit. Which traffic is permitted by this ACL?
A. TCP traffic sourced from any host in the [email protected] subnet on any port to host 192.168.1.2 port 80 or 443
B. TCP traffic sourced from host [email protected] on port 80 or 443 to host 192.168.1.2 on any port
C. any TCP traffic sourced from host [email protected].30 destined to host 192.168.1.1
D. any TCP traffic sourced from host [email protected] to host 192.168.1.2
Correct Answer: C
QUESTION 14
Refer to the exhibit. Which statement about this partial CLI configuration of an access control list is true?
A. The access list accepts all traffic on the 10.0.0.0 subnets.
B. All traffic from the 10.10.0.0 subnets is denied.
C. Only traffic from 10.10.0.10 is allowed.
D. This configuration is invalid. It should be configured as an extended ACL to permit the associated wildcard mask.
E. From the 10.10.0.0 subnet, only traffic sourced from 10.10.0.10 is allowed; traffic sourced from the other 10.0.0.0 subnets also is allowed.
F. The access list permits traffic destined to the 10.10.0.10 host on FastEthernet0/0 from any source.
Correct Answer: E
QUESTION 15
Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement?
A. nested object-class
B. class-map
C. extended wildcard matching
D. object groups
Correct Answer: D
QUESTION 16
Which statement about an access control list that is applied to a router interface is true?
A. It only filters traffic that passes through the router.
B. It filters pass-through and router-generated traffic.
C. An empty ACL blocks all traffic.
D. It filters traffic in the inbound and outbound directions.
Correct Answer: A
QUESTION 17
You have been tasked by your manager to implement syslog in your network. Which option is an important factor to consider in your implementation?
A. Use SSH to access your syslog information.
B. Enable the highest level of syslog function available to ensure that all possible event messages are logged.
C. Log all messages to the system buffer so that they can be displayed when accessing the router.
D. Synchronize clocks on the network with a protocol such as Network Time Protocol.
Correct Answer: D
QUESTION 18
Which protocol secures router management session traffic?
A. SSTP
B. POP
C. Telnet
D. SSH
Correct Answer: D
QUESTION 19
Which two considerations about secure network management are important? (Choose two.)
A. log tampering
B. encryption algorithm strength
C. accurate time stamping
D. off-site storage
E. Use RADIUS for router commands authorization.
F. Do not use a loopback interface for device management access.
Correct Answer: AC
QUESTION 20
Which command enables Cisco IOS image resilience?
A. secure boot-<IOS image filename>
B. secure boot-running-config
C. secure boot-start
D. secure boot-image
Correct Answer: D
QUESTION 21
Which router management feature provides for the ability to configure multiple administrative views?
A. role-based CLI
B. virtual routing and forwarding
C. secure config privilege {level}
D. parser view view name
Correct Answer: A
QUESTION 22
You suspect that an attacker in your network has configured a rogue Layer 2 device to intercept traffic from multiple VLANs, which allows the attacker to capture potentially sensitive data. Which two methods will help to mitigate this type of activity? (Choose two.)
A. Turn off all trunk ports and manually configure each VLAN as required on each port.
B. Place unused active ports in an unused VLAN.
C. Secure the native VLAN, VLAN 1, with encryption.
D. Set the native VLAN on the trunk ports to an unused VLAN.
E. Disable DTP on ports that require trunking.
Correct Answer: DE
QUESTION 23
Which statement describes a best practice when configuring trunking on a switch port?
A. Disable double tagging by enabling DTP on the trunk port.
B. Enable encryption on the trunk port.
C. Enable authentication and encryption on the trunk port.
D. Limit the allowed VLAN(s) on the trunk to the native VLAN only.
E. Configure an unused VLAN as the native VLAN.
Correct Answer: E
QUESTION 24
Which type of Layer 2 attack causes a switch to flood all incoming traffic to all ports?
A. MAC spoofing attack
B. CAM overflow attack
C. VLAN hopping attack
D. STP attack
Correct Answer: B
QUESTION 25
What is the best way to prevent a VLAN hopping attack?
A. Encapsulate trunk ports with IEEE 802.1Q.
B. Physically secure data closets.
C. Disable DTP negotiations.
D. Enable BPDU guard.
Correct Answer: C
QUESTION 26
Which statement about PVLAN Edge is true?
A. PVLAN Edge can be configured to restrict the number of MAC addresses that appear on a single port.
B. The switch does not forward any traffic from one protected port to any other protected port.
C. By default, when a port policy error occurs, the switchport shuts down.
D. The switch only forwards traffic to ports within the same VLAN Edge.
Correct Answer: B
QUESTION 27
If you are implementing VLAN trunking, which additional configuration parameter should be added to the trunking configuration?
A. no switchport mode access
B. no switchport trunk native VLAN 1
C. switchport mode DTP
D. switchport nonnegotiate
Correct Answer: D
QUESTION 28
When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a traffic class? (Choose three.)
A. pass
B. queue
C. shape
D. police
E. drop
F. inspect
Correct Answer: AEF
QUESTION 29
With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router when some of the router interfaces are assigned to a zone? (Choose three.)
A. traffic flowing between a zone member interface and any interface that is not a zone member
B. traffic flowing to and from the router interfaces (the self zone)
C. traffic flowing among the interfaces that are members of the same zone
D. traffic flowing among the interfaces that are not assigned to any zone
E. traffic flowing between a zone member interface and another interface that belongs in a different zone
F. traffic flowing to the zone member interface that is returned traffic
Correct Answer: BCD
QUESTION 30
Which option is a key difference between Cisco IOS interface ACL configurations and Cisco ASA appliance interface ACL configurations?
A. The Cisco IOS interface ACL has an implicit permit-all rule at the end of each interface ACL.
B. Cisco IOS supports interface ACL and also global ACL. Global ACL is applied to all interfaces.
C. The Cisco ASA appliance interface ACL configurations use netmasks instead of wildcard masks.
D. The Cisco ASA appliance interface ACL also applies to traffic directed to the IP addresses of the Cisco ASA appliance interfaces.
E. The Cisco ASA appliance does not support standard ACL. The Cisco ASA appliance only supports extended ACL.
Correct Answer: C
QUESTION 31
Which two options are advantages of an application layer firewall? (Choose two.)
A. provides high-performance filtering
B. makes DoS attacks difficult
C. supports a large number of applications
D. authenticates devices
E. authenticates individuals
Correct Answer: BE
QUESTION 32
Refer to the exhibit. Using a stateful packet firewall and given an inside ACL entry of permit ip 192.168.1.0 0.0.0.255 any, what would be the resulting dynamically configured ACL for the return traffic on the outside ACL?
A. permit tcp host [email protected] eq 80 host 192.168.1.11 eq 2300
B. permit ip [email protected] eq 80 192.168.1.0 0.0.0.255 eq 2300
C. permit tcp any eq 80 host 192.168.1.11 eq 2300
D. permit ip host [email protected] eq 80 host 192.168.1.0 0.0.0.255 eq 2300
Correct Answer: A
QUESTION 33
Which option is the resulting action in a zone-based policy firewall configuration with these conditions?
Source: Zone 1
Destination: Zone 2
Zone pair exists?: Yes
Policy exists?: No
A. no impact to zoning or policy
B. no policy lookup (pass)
C. drop
D. apply default policy
Correct Answer: C
QUESTION 34
A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a security level of 100. The second interface is the DMZ interface with a security level of 50. The third interface is the outside interface with a security level of 0. By default, without any access list configured
C. aaa accounting exec start-stop tacacs+
D. aaa accounting connection start-stop tacacs+
E. aaa accounting commands 15 start-stop tacacs+
Correct Answer: C
QUESTION 54
Which access list permits HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10?
A. access-list 101 permit tcp any eq 3030
B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
C. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
D. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
E. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
F. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80
Correct Answer: B
QUESTION 55
Which location is recommended for extended or extended named ACLs?
A. an intermediate location to filter as much traffic as possible
B. a location as close to the destination traffic as possible
C. when using the established keyword, a location close to the destination point to ensure that return traffic is allowed
D. a location as close to the source traffic as possible
Correct Answer: D
QUESTION 56
Which statement about asymmetric encryption algorithms is true?
A. They use the same key for encryption and decryption of data.
B. They use the same key for decryption but different keys for encryption of data.
C. They use different keys for encryption and decryption of data.
D. They use different keys for decryption but the same key for encryption of data.
Correct Answer: C
QUESTION 57
Which option can be used to authenticate the IPsec peers during IKE Phase 1?
A. Diffie-Hellman Nonce
B. pre-shared key
C. XAUTH
D. integrity check value
E. ACS
F. AH
Correct Answer: B
QUESTION 58
Which single Cisco IOS ACL entry permits IP addresses from [email protected] to [email protected][email protected]?
A. permit [email protected] 0.0.3.255
B. permit [email protected] [email protected]
C. permit [email protected] 0.0.248.255
D. permit [email protected] 255.255.252.0
E. permit [email protected] 255.255.248.0
F. permit [email protected] 255.255.240.0
Correct Answer: B
QUESTION 59
You want to use the Cisco Configuration Professional site-to-site VPN wizard to implement a site-to-site IPsec VPN using pre-shared key. Which four configurations are required (with no defaults)? (Choose four.)
A. the interface for the VPN connection
B. the VPN peer IP address
C. the IPsec transform-set
D. the interesting traffic (the traffic to be protected)
E. the pre-shared key
F. the IKE policy
Correct Answer: ABDE
QUESTION 60
Which two options represent a threat to the physical installation of an enterprise network? (Choose two.)
A. surveillance camera
B. security guards
C. electrical power
D. computer room access
E. change control
Correct Answer: CD
QUESTION 61
Which option represents a step that should be taken when a security policy is developed?
A. Perform penetration testing.
B. Determine device risk scores.
C. Implement a security monitoring system.
D. Perform quantitative risk analysis.
Correct Answer: D
QUESTION 62
Which type of network masking is used when Cisco IOS access control lists are configured?
A. extended subnet masking
B. standard subnet masking
C. priority masking
D. wildcard masking
Correct Answer: D
QUESTION 63
How are Cisco IOS access control lists processed?
A. Standard ACLs are processed first.
B. The best match ACL is matched first.
C. Permit ACL entries are matched first before the deny ACL entries.
D. ACLs are matched from top down.
E. The global ACL is matched first before the interface ACL.
Correct Answer: D
QUESTION 64
Which type of management reporting is defined by separating management traffic from production traffic?
A. IPsec encrypted
B. in-band
C. out-of-band
D. SSH
Correct Answer: C
QUESTION 65
Which syslog level is associated with LOG_WARNING?
A. 1
B. 2
C. 3
D. 4
E. 5
F. 6
Correct Answer: D
QUESTION 66
In which type of Layer 2 attack does an attacker broadcast BPDUs with a lower switch priority?
A. MAC spoofing attack
B. CAM overflow attack
C. VLAN hopping attack
D. STP attack
Correct Answer: D
QUESTION 67
Which security measure must you take for native VLANs on a trunk port?
A. Native VLANs for trunk ports should never be used anywhere else on the switch.
B. The native VLAN for trunk ports should be VLAN 1.
C. Native VLANs for trunk ports should match access VLANs to ensure that cross-VLAN traffic from multiple switches can be delivered to physically disparate switches.
D. Native VLANs for trunk ports should be tagged with 802.1Q.
Correct Answer: A
QUESTION 68
Refer to the exhibit. Which switch is designated as the root bridge in this topology?
A. It depends on which switch came on line first.
B. Neither switch would assume the role of root bridge because they have the same default priority.
C. switch X
D. switch Y
Correct Answer: C
QUESTION 69
Which type of firewall technology is considered the versatile and commonly used firewall technology?
A. static packet filter firewall
B. application layer firewall
C. stateful packet filter firewall
D. proxy firewall
E. adaptive layer firewall
Correct Answer: C
QUESTION 70
Which type of NAT is used where you translate multiple internal IP addresses to a single global, routable IP address?
A. policy NAT
B. dynamic PAT
C. static NAT
D. dynamic NAT
E. policy PAT
Correct Answer: B
QUESTION 71
Which Cisco IPS product offers an inline, deep-packet inspection feature that is available in integrated services routers?
A. Cisco iSDM
B. Cisco AIM
C. Cisco IOS IPS
D. Cisco AIP-SSM
Correct Answer: C
QUESTION 72
Which three modes of access can be delivered by SSL VPN? (Choose three.)
A. full tunnel client
B. IPsec SSL
C. TLS transport mode
D. thin client
E. clientless
F. TLS tunnel mode
Correct Answer: ADE
QUESTION 73
During role-based CLI configuration, what must be enabled before any user views can be created?
A. multiple privilege levels
B. usernames and passwords
C. aaa new-model command
D. secret password for the root user
E. HTTP and/or HTTPS server
F. TACACS server group
Correct Answer: C
QUESTION 74
Which three statements about applying access control lists to a Cisco router are true? (Choose three.)
A. Place more specific ACL entries at the top of the ACL.
B. Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce "noise" on the network.
C. ACLs always search for the most specific entry before taking any filtering action.
D. Router-generated packets cannot be filtered by ACLs on the router.
E. If an access list is applied but it is not configured, all traffic passes.
Correct Answer: ADE
QUESTION 75
When port security is enabled on a Cisco Catalyst switch, what is the default action when the configured maximum number of allowed MAC addresses value is exceeded?
A. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out.
B. The port is shut down.
C. The MAC address table is cleared and the new MAC address is entered into the table.
D. The violation mode of the port is set to restrict.
Correct Answer: B
QUESTION 76
Which three statements about the Cisco ASA appliance are true? (Choose three.)
A. The DMZ interface(s) on the Cisco ASA appliance most typically use a security level between 1 and 99.
B. The Cisco ASA appliance supports Active/Active or Active/Standby failover.
C. The Cisco ASA appliance has no default MPF configurations.
D. The Cisco ASA appliance uses security contexts to virtually partition the ASA into multiple virtual firewalls.
E. The Cisco ASA appliance supports user-based access control using 802.1x.
F. An SSM is required on the Cisco ASA appliance to support Botnet Traffic Filtering.
Correct Answer: ABD
QUESTION 77
Refer to the exhibit. This Cisco IOS access list has been configured on the FA0/0 interface in the inbound direction. Which four TCP packets sourced from 10.1.1.1 port 1030 and routed to the FA0/0 interface are permitted? (Choose four.)
A. destination ip address: 192.168.15.37 destination port: 22
B. destination ip address: 192.168.15.80 destination port: 23
C. destination ip address: 192.168.15.66 destination port: 8080
D. destination ip address: 192.168.15.36 destination port: 80
E. destination ip address: 192.168.15.63 destination port: 80
F. destination ip address: 192.168.15.40 destination port: 21
Correct Answer: BCDE
QUESTION 78
You use Cisco Configuration Professional to enable Cisco IOS IPS. Which state must a signature be in before any actions can be taken when an attack matches that signature?
A. enabled
B. unretired
C. successfully compiled
D. successfully compiled and unretired
E. successfully compiled and enabled
F. unretired and enabled
G. enabled, unretired, and successfully compiled
Correct Answer: G
QUESTION 79
Which statement describes how the sender of the message is verified when asymmetric encryption is used?
A. The sender encrypts the message using the sender's public key, and the receiver decrypts the message using the sender's private key.
B. The sender encrypts the message using the sender's private key, and the receiver decrypts the message using the sender's public key.
C. The sender encrypts the message using the receiver's public key, and the receiver decrypts the message using the receiver's private key.
D. The sender encrypts the message using the receiver's private key, and the receiver decrypts the message using the receiver's public key.
E. The sender encrypts the message using the receiver's public key, and the receiver decrypts the message using the sender's public key.
Correct Answer: B
QUESTION 80
Refer to the exhibit. Which three statements about these three show outputs are true? (Choose three.)
A. Traffic matched by ACL 110 is encrypted.
B. The IPsec transform set uses SHA for data confidentiality.
C. The crypto map shown is for an IPsec site-to-site VPN tunnel.
D. The default ISAKMP policy uses a digital certificate to authenticate the IPsec peer.
E. The IPsec transform set specifies the use of GRE over IPsec tunnel mode.
F. The default ISAKMP policy has higher priority than the other two ISAKMP policies with a priority of 1 and 2
Correct Answer: ACD
QUESTION 81
Which type of security control is defense in depth?
A. threat mitigation
B. risk analysis
C. botnet mitigation
D. overt and covert channels
Correct Answer: A
QUESTION 82
Which two options are two of the built-in features of IPv6? (Choose two.)
A. VLSM
B. native IPsec
C. controlled broadcasts
D. mobile IP
E. NAT
Correct Answer: BD
QUESTION 83
Which option is a characteristic of the RADIUS protocol?
A. uses TCP
B. offers multiprotocol support
C. combines authentication and authorization in one process
D. supports bi-directional challenge
Correct Answer: C
QUESTION 84
Refer to the below. Which statement about this debug output is true?
14:00:09: TAC+: Opening TCP/IP connection to 192.168.60.15 using source 10.116.0.79
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 192.168.60.15 (AUTHEN/START)
14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 192.168.60.15
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+: send AUTHEN/CONT packet
14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 192.168.60.15 (AUTHEN/CONT)
14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 192.168.60.15
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+: send AUTHEN/CONT packet
14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 192.168.60.15 (AUTHEN/CONT)
14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 192.168.60.15
14:00:14: TAC+ (383258052): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to 192.168.60.15
A. The requesting authentication request came from username GETUSER.
B. The TACACS+ authentication request came from a valid user.
C. The TACACS+ authentication request passed, but for some reason the user's connection was closed immediately.
D. The initiating connection request was being spoofed by a different source address.
Correct Answer: B
QUESTION 85
Which type of Cisco IOS access control list is identified by 100 to 199 and 2000 to 2699?
A. standard
B. extended
C. named
D. IPv4 for 100 to 199 and IPv6 for 2000 to 2699
Correct Answer: B
QUESTION 86
Which priority is most important when you plan out access control lists?
A. Build ACLs based upon your security policy.
B. Always put the ACL closest to the source of origination.
C. Place deny statements near the top of the ACL to prevent unwanted traffic from passing through the router.
D. Always test ACLs in a small, controlled production environment before you roll it out into the larger production network.
Correct Answer: A
QUESTION 87
Which step is important to take when implementing secure network management?
A. Implement in-band management whenever possible.
B. Implement telnet for encrypted device management access.
C. Implement SNMP with read/write access for troubleshooting purposes.
D. Synchronize clocks on hosts and devices.
E. Implement management plane protection using routing protocol authentication.
Correct Answer: D
QUESTION 88
Which statement best represents the characteristics of a VLAN?
A. Ports in a VLAN will not share broadcasts amongst physically separate switches.
B. A VLAN can only connect across a LAN within the same building.
C. A VLAN is a logical broadcast domain that can span multiple physical LAN segments.
D. A VLAN provides individual port security.
Correct Answer: C
QUESTION 89
Which Layer 2 protocol provides loop resolution by managing the physical paths to given network segments?
A. root guard
B. port fast
C. HSRP
D. STP
Correct Answer: D
QUESTION 90
When STP mitigation features are configured, where should the root guard feature be deployed?
A. toward ports that connect to switches that should not be the root bridge
B. on all switch ports
C. toward user-facing ports
D. Root guard should be configured globally on the switch.
Correct Answer: A
QUESTION 91
Which option is a characteristic of a stateful firewall?
A. can analyze traffic at the application layer
B. allows modification of security rule sets in real time to allow return traffic
C. will allow outbound communication, but return traffic must be explicitly permitted
D. supports user authentication
Correct Answer: B
QUESTION 92
Which type of NAT would you configure if a host on the external network required access to an internal host?
A. outside global NAT
B. NAT overload
C. dynamic outside NAT
D. static NAT
Correct Answer: D
QUESTION 93
Which statement about disabled signatures when using Cisco IOS IPS is true?
A. They do not take any actions, but do produce alerts.
B. They are not scanned or processed.
C. They still consume router resources.
D. They are considered to be "retired" signatures.
Correct Answer: C
QUESTION 94
Which type of intrusion prevention technology is the primary type used by the Cisco IPS security appliances?
A. profile-based
B. rule-based
C. protocol analysis-based
D. signature-based
E. NetFlow anomaly-based
Correct Answer: D
QUESTION 95
Which two services are provided by IPsec? (Choose two.)
A. Confidentiality
B. Encapsulating Security Payload
C. Data Integrity
D. Authentication Header
E. Internet Key Exchange
Correct Answer: AC
QUESTION 96
DRAG AND DROP
Select and Place:
Correct Answer:
QUESTION 97
DRAG AND DROP
Select and Place:
Correct Answer:
QUESTION 98
DRAG DROP
Select and Place:
Correct Answer:
QUESTION 99
DRAG DROP
Select and Place:
Correct Answer:
QUESTION 100
DRAG AND DROP
Select and Place:
Correct Answer: