640 - 100
Leading the way in IT testing and certification tools, www.testking.com
- 5 -
What is the purpose of the following commands:
Router(config)#line con 0
Router(config-line)#login authentication no_tacacs
A. Specifies that for authentication, any other method except tacacs, is permitted (Radius
for example).
B. Specifies that the AAA authentication is not necessary when using console.
C. Specifies that the AAA authentication list called no tacacs is to be used on the console.
D. Specifies that tacacs+ has been configured with no shared key, so no authentication is
necessary.
Answer: C
Explanation:
To enable authentication, authorization, and accounting (AAA) authentication for logins, use
the login authentication command in line configuration mode.
Reference:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_i2g.htm#1072266
QUESTION NO: 6
In a masquerade attack, what does an attacker steal when pretending to come from a
trusted host?
A. Account identification
B. User group
C. IP address
D. CHAP password
Answer: C
Explanation:
IP spoofing: An IP spoofing attack occurs when an attacker outside your network pretends
to be a trusted user, either by using an IP address that is within the range of IP addresses for
your network or by using an authorized external IP address that you trust and to which you
wish to provide access to specified resources on your network. Should an attacker get access
to your IPSec security parameters, that attacker can masquerade as the remote user authorized
to connect to the corporate network.
Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a008007fee4.html
QUESTION NO: 7
What three typical security weaknesses exist in any implementation? (Choose three)
A. Policy weakness
B. Technology weakness
C. Hardware weakness
D. Encryption weakness
E. Configuration weakness
F. UDP protocol weakness
Answer: A, B, E
Explanation:
There are at least three primary categories of network security weakness:
Technology weaknesses – Each network and computing technology has inherent
security problems.
Configuration weaknesses – Even the most secure technology can be misconfigured
or misused, exposing security problems.
Policy weaknesses – A poorly defined or improperly implemented and managed
security policy can make the best security and network technology ripe for security
abuse.
Reference: Managing Cisco Network Security (Ciscopress) page 6
QUESTION NO: 8
Select the three RADIUS servers supported by the Cisco IOS Firewall authentication
proxy. (Choose three)
A. Cisco Secure ACS for Windows NT/2000.
B. Oracle
C. DB2
D. Cisco Secure ACS for UNIX.
E. TACACS+
F. Lucent
Answer: A, D, F
Explanation:
The supported AAA servers are CiscoSecure ACS 2.3 for Windows NT, CiscoSecure ACS
2.3 for UNIX, TACACS+ server (vF4.02.alpha), Ascend RADIUS server - radius-980618
(required avpair patch), and Livingston (now Lucent), RADIUS server (v1.16).
Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide_chapter09186a00800a17ec.html
QUESTION NO: 9
Given the following configuration statement, which three statements are true? (Choose
three)
Router(config)#aaa accounting network wait-start radius
A. The accounting records are stored on a TACACS+ server.
B. Stop-accounting records for network service requests are sent to the TACACS+ server.
C. The accounting records are stored on a RADIUS server.
D. Start-accounting records for network service requests are sent to the local database.
E. Stop-accounting records for network service requests are sent to the RADIUS server.
F. The requested service cannot start until the acknowledgement has been received from
the RADIUS server.
Answer: C, E, F
Explanation:
Router(config)#aaa accounting network wait-start radius
aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} tacacs+
Use the aaa accounting command to enable accounting and to create named method
lists that define specific accounting methods on a per-line or per-interface basis.
network – Enables accounting for all network-related requests, including SLIP,
PPP, PPP network control protocols, and ARAP.
wait-start – This keyword causes both a start and a stop accounting record to be sent
to the accounting server. However, the requested user service does not begin until
the start accounting record is acknowledged.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_chapter09186a00800eb6e4.html
QUESTION NO: 10
Which three external databases are supported by Cisco Secure ACS for Windows?
(Choose three)
A. Netware NDS
B. Oracle
C. Windows-NT/2000
D. Token Server
E. SQL-Linux
F. AAA
Answer: A, C, D
Explanation:
You can select the CiscoSecure user database or configure an external user database such as
Windows NT/2000, Open Database Connectivity (ODBC), generic Lightweight Directory
Access Protocol (LDAP), Microsoft Commercial Internet System (MCIS), Novell NetWare
Directory Services (NDS), or a token-card database to authenticate usernames and
passwords according to your network requirements. This chapter discusses the advantages and
limitations of each option.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6bb.html
QUESTION NO: 11
Given the following configuration statement, which two statements are true? (Choose
two)
router(config)#aaa authentication login default tacacs+ none
A. No authentication is required to login.
B. TACACS is the default login method for all authentication.
C. If TACACS process is unavailable, no access is permitted.
D. RADIUS is the default login method for all authentication.
E. If the TACACS process is unavailable, no login is required.
F. If the RADIUS process is unavailable, no login is required.
Answer: B, E
Explanation:
Use TACACS+ authentication; if a CiscoSecure ACS is not available, use the NAS's local user
database password. However, all other users can only use TACACS+.
none – no authentication is performed.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_chapter09186a008015c5c3.html
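The method-list behaviour behind question 5 (a named list applied to the console with login authentication) and question 11 (tacacs+ followed by none) can be made concrete with a small simulation. The following is an added example written for this page, not Cisco IOS code or text from the cited reference; the TacacsServer and LocalDatabase classes, the users, passwords and line names are all constructed for the illustration.

```python
"""Added example: simulating Cisco IOS AAA login method-list fallback.

Models the behaviour the page describes for
    aaa authentication login default tacacs+ none
    aaa authentication login no_tacacs local
    line con 0 / login authentication no_tacacs
Methods are tried in the order listed. The next method is consulted only when
the previous one returns ERROR (server unreachable); a FAIL (server reachable,
credentials rejected) ends the attempt. All servers and users are constructed
for this illustration; nothing here is IOS code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Method = Callable[[str, str], str]


@dataclass
class TacacsServer:
    """Constructed stand-in for a TACACS+ server such as Cisco Secure ACS."""
    users: Dict[str, str]
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR  # no reply: IOS moves on to the next method
        return PASS if self.users.get(user) == password else FAIL


@dataclass
class LocalDatabase:
    """Constructed stand-in for the router's local username database."""
    users: Dict[str, str]

    def authenticate(self, user: str, password: str) -> str:
        return PASS if self.users.get(user) == password else FAIL


def none_method(user: str, password: str) -> str:
    """The `none` keyword: no authentication is performed, always PASS."""
    return PASS


def run_method_list(methods: List[Method], user: str, password: str) -> str:
    """Apply the IOS rule: stop at the first PASS or FAIL; ERROR falls through.
    If every method errors (or the list is empty) the login is refused."""
    for method in methods:
        result = method(user, password)
        if result != ERROR:
            return result
    return FAIL


def build_router(tacacs_reachable: bool) -> Dict[str, List[Method]]:
    """Constructed configuration: named method lists and the line each applies to."""
    tacacs = TacacsServer({"alice": "tacacs-pw"}, reachable=tacacs_reachable)
    local = LocalDatabase({"admin": "local-pw"})
    method_lists = {
        # aaa authentication login default tacacs+ none   (question 11)
        "default": [tacacs.authenticate, none_method],
        # aaa authentication login no_tacacs local         (question 5)
        "no_tacacs": [local.authenticate],
    }
    line_to_list = {"con 0": "no_tacacs", "vty 0 4": "default"}
    return {line: method_lists[name] for line, name in line_to_list.items()}


def login(line: str, user: str, password: str, tacacs_reachable: bool = True) -> str:
    """Outcome of a login attempt on the given line under the constructed config."""
    router = build_router(tacacs_reachable)
    return run_method_list(router[line], user, password)


if __name__ == "__main__":
    # Question 11, answer B: TACACS+ is the default method on the vty lines.
    print(login("vty 0 4", "alice", "tacacs-pw"))          # PASS
    print(login("vty 0 4", "alice", "wrong"))              # FAIL (none is not consulted)
    # Question 11, answer E: TACACS+ unavailable, so no login is required.
    print(login("vty 0 4", "anyone", "anything", False))   # PASS
    # Question 5: the console uses the named list no_tacacs, i.e. the local database.
    print(login("con 0", "admin", "local-pw"))             # PASS
    print(login("con 0", "alice", "tacacs-pw"))            # FAIL
```

The point a defender should take from the tacacs+ none list is the one answer E states: the none method is reached whenever the TACACS+ server cannot be contacted, so a server outage or a blocked path to it leaves the vty lines open to anyone. A list ending in local still demands a local password in that situation, and a console-only named list keeps a recovery path that never depends on the server.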
QUESTION NO: 12
How many kilobytes of memory are consumed by each alarm stored in a router queue?
A. 5
B. 10
C. 16
D. 32
E. 64
Answer: D
Explanation:
The buffersize kilobytes option changes the size of the buffer used for crashinfo files. The
default size is 32 KB (the maximum is 100 KB, configured with exception crashinfo buffer
100).
Reference:
http://www.cisco.com/en/US/products/hw/routers/ps167/products_tech_note09186a0080093e29.shtml
QUESTION NO: 13
Choose the three actions that the IOS Firewall IDS router may perform when a packet,
or a number of packets in a session, match a signature. (Choose three)
A. Forward packet to the Cisco IDS Host Sensor for further analysis.
B. Send alarm to the Cisco IDS Director of Syslog server.
C. Send an alarm to Cisco Secure ACS.
D. Set the packet reset flag and forward the packet through.
E. Drop the packet immediately.
F. Return the packet to the sender.
Answer: B, D, E
Explanation:
The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets
and sessions as they flow through the router and scanning each to match any of the IDS
signatures. When it detects suspicious activity, it responds before network security can be
compromised and logs the event through Cisco IOS syslog or the Cisco Secure Intrusion
Detection System (Cisco Secure IDS, formerly known as NetRanger) Post Office Protocol.
The network administrator can configure the IDS system to choose the appropriate response
to various threats. When packets in a session match a signature, the IDS system can be
configured to take these actions:
Send an alarm to a syslog server or a Cisco Secure IDS Director (centralized
management interface)
Drop the packet
Reset the TCP connection
Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d9819.html
QUESTION NO: 14
Exhibit:
In order to prevent external (internet) users from pinging the PIX, which access list
(ACL) statement should be configured on the external interface of the perimeter router?
A. Access-list 102 deny tcp any 182.16.1.1 0.0.0.0
B. Access-list 102 deny icmp any 182.16.1.1 0.0.0.0 echo
C. Access-list 102 permit tcp any 182.16.1.1 0.0.0.0 echo
D. Access-list 102 deny icmp any 182.16.1.1 0.0.0.0 echo-reply
Answer: D
Explanation:
Echo-reply added to the end of the command implies no ping responses to the PIX.
Reference: Managing Cisco Network Security (Ciscopress) page 728
QUESTION NO: 15
Which protocol is used by Cisco IOS Cryptosystem to securely exchange encryption keys
for IPSec?
A. DH
B. DES
C. Digital Signature Standard
D. ESP
Answer: A
Explanation:
Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a
shared secret over an insecure communications channel. IKE uses Diffie-Hellman to establish
session keys. VPN Solutions Center supports four Diffie-Hellman groups:
Group 1—a MODP group with a 768-bit modulus.
Group 2—a MODP group with a 1024-bit modulus.
Group 5—Specifies the 1536-bit Diffie-Hellman group. Group 5 works like Groups
1 and 2, but it provides a higher level of security and requires more processing time
than Groups 1 and 2. Cisco IOS supports Diffie-Hellman Group 5.
Group 7—Uses a combination of Diffie-Hellman and a 163-bit Elliptic Curve
Cryptosystem (ECC) algorithm. ECC provides superior encryption, and it is quickly
generated on a hand-held device. VPN 3000 devices support Diffie-Hellman Group
7.
Reference:
http://www.cisco.com/en/US/products/sw/netmgtsw/ps2327/products_user_guide_chapter09186a00800876f5.html
QUESTION NO: 16
Exhibit:
Which ACL statement protects against address spoofing when applied inbound on the
external interface of the perimeter router?
A. access-list 101 deny IP 182.16.1.0 255.255.255.0 0.0.0.0 255.255.255.255
B. access-list 101 permit IP 182.16.1.0 255.255.0.0 0.0.0.0 255.255.255.255
C. access-list 101 deny IP 182.16.1.0 0.0.0.255 0.0.0.0 255.255.255.255
D. access-list 101 deny UDP 182.16.1.0 255.255.0.0 0.0.0.0 255.255.255.255
Answer: C
Explanation:
access-list 101 deny IP 182.16.1.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list command – denies IP packets whose source matches the 182.16.1.0 0.0.0.255
addresses (the internal network) and whose destination is any address (0.0.0.0 255.255.255.255)
Reference: Managing Cisco Network Security (Ciscopress), Appendix C
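The wildcard-mask semantics that decide questions 14 and 16 are easy to get backwards, so here is an added example (written for this page, not IOS code) that parses extended ACL entries in the form used above and evaluates constructed packets against them. The parse_entry and evaluate helpers, the Packet type, the sample packets and every address other than 182.16.1.0/24 and 182.16.1.1 are assumptions made for the illustration.

```python
"""Added example: evaluating Cisco IOS extended ACL entries with wildcard masks.

Demonstrates the anti-spoofing entry from question 16 and the echo-reply entry
from question 14. The parser, the Packet type and the sample packets are
constructed for this illustration; this is not IOS code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care',
    a 0 bit means that address bit must equal the corresponding base bit."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class AclEntry:
    action: str                 # permit / deny
    protocol: str               # ip / icmp / tcp / udp
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    icmp_type: Optional[str]    # e.g. echo, echo-reply (icmp entries only)


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    icmp_type: Optional[str] = None


def _take_address(fields: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = fields[i].lower()
    if tok == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok == "host":
        return fields[i + 1], "0.0.0.0", i + 2
    return fields[i], fields[i + 1], i + 2


def parse_entry(line: str) -> AclEntry:
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [icmp-type]'."""
    f = line.split()
    if len(f) < 6 or f[0].lower() != "access-list":
        raise ValueError(f"unsupported entry: {line}")
    action, proto = f[2].lower(), f[3].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    src, src_wc, i = _take_address(f, 4)
    dst, dst_wc, i = _take_address(f, i)
    icmp_type = f[i].lower() if i < len(f) else None
    return AclEntry(action, proto, src, src_wc, dst, dst_wc, icmp_type)


def entry_matches(e: AclEntry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if e.icmp_type is not None and e.icmp_type != p.icmp_type:
        return False
    return (wildcard_match(p.src, e.src, e.src_wc)
            and wildcard_match(p.dst, e.dst, e.dst_wc))


def evaluate(acl: List[AclEntry], p: Packet) -> str:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


# Constructed inbound ACL for the perimeter router's external interface:
# the question 16 anti-spoofing entry, the question 14 echo-reply entry,
# then an explicit permit so legitimate traffic escapes the implicit deny.
ACL_101 = [parse_entry(line) for line in (
    "access-list 101 deny ip 182.16.1.0 0.0.0.255 0.0.0.0 255.255.255.255",
    "access-list 101 deny icmp any 182.16.1.1 0.0.0.0 echo-reply",
    "access-list 101 permit ip any any",
)]


if __name__ == "__main__":
    spoofed = Packet("tcp", "182.16.1.77", "10.0.0.5")   # internal source arriving from outside
    legit = Packet("tcp", "203.0.113.9", "182.16.1.1")
    reply = Packet("icmp", "203.0.113.9", "182.16.1.1", "echo-reply")
    print(evaluate(ACL_101, spoofed))   # deny
    print(evaluate(ACL_101, legit))     # permit
    print(evaluate(ACL_101, reply))     # deny
    # Why option A of question 16 (wildcard 255.255.255.0) is wrong:
    # only the last octet is compared, so the /24 is not what gets matched.
    print(wildcard_match("182.16.1.77", "182.16.1.0", "255.255.255.0"))  # False
    print(wildcard_match("10.9.8.0", "182.16.1.0", "255.255.255.0"))     # True
```

Running it shows why option A of question 16 is wrong: with 255.255.255.0 as the wildcard the router ignores the first three octets and compares only the last one, so the entry would match 10.9.8.0 but not 182.16.1.77. It also shows the implicit deny at the end of every list, which is why a deny entry for spoofed sources has to be followed by explicit permits for the traffic you do want.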
QUESTION NO: 17
Which two commands prevent a Chargen attack? (Choose two)
A. no ip redirects
B. no service tcp-small-servers
C. no ip-source route
D. no chargen enable
E. no service udp-small-servers
F. no service finger
Answer: B, E
Explanation:
By default, the Cisco router has a series of diagnostic ports enabled for certain UDP and TCP
services, including echo, chargen, and discard. When a host attaches to those ports, a small
amount of CPU capacity is consumed to service these requests.
Any network device that has UDP and TCP diagnostic services should be protected by a
firewall or have the services disabled. For a Cisco router, this can be accomplished by using
these global configuration commands:
no service udp-small-servers
no service tcp-small-servers
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a008017690e.shtml
QUESTION NO: 18
Which three tasks are needed to configure IPSec encryption? (Choose three)
A. Configure IPSec.
B. Configure transform sets.
C. Configure the encryption algorithm.
D. Test and verify IPSec.
E. Prepare for IKE and IPSec.
F. Create crypto ACLs.
Answer: A, D, E
Explanation:
Four key tasks are involved in configuring IPSec encryption using preshared keys on the PIX
Firewall:
Task 1: Prepare for IPSec
Task 2: Configure IKE for preshared keys
Task 3: Configure IPSec
Task 4: Test and verify the overall IPSec configuration.
Reference: Managing Cisco Network Security (Ciscopress) page 612
QUESTION NO: 19
In preparing for IPSec, which command ensures that basic connectivity has been
achieved between IPSec peers before configuring IPSec?
A. ping
B. write term
C. show crypto map
D. show access-list
Answer: A
Explanation:
Task 1: Prepare for IPSec
Step 4 of 4. Ensure that the network works without encryption to eliminate basic routing
problems using the ping command and by running test traffic before encryption.
Reference: Managing Cisco Network Security (Ciscopress) page 612
QUESTION NO: 20
You should pay particular attention to detail when entering peer RSA public keys.
Why?
A. Public keys are used to create the private keys.
B. Mistakes made when entering the keys will cause them not to work.
C. Changes cannot be made after the keys are entered.
D. Changes are complex to make after the keys are entered.
Answer: B
Explanation:
The fact that the message could be decrypted using the sender's public key indicates that the
holder of the private key, the sender, must have created the message. This process relies on
the receiver having a copy of the sender's public key and knowing with a high degree of
certainty that it really does belong to the sender, and not to someone pretending to be the
sender.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080106f63.html
QUESTION NO: 21
Which of the following statements best describes a digital certificate?
A. A digital certificate is issued by the trusted certificate authority to the requesting peer
for authentication.
B. A digital certificate gives you the authority to telnet to a perimeter router running IPSec
and change its configuration.
C. A digital certificate allows its holder to access the campus network.
D. A digital certificate is issued by a certificate authority to authorize an electronic
transaction.
Answer: D
Explanation:
Certification authorities (CAs) are responsible for managing certificate requests and issuing
digital certificates. A digital certificate contains information that identifies a user or device,
such as a name, serial number, company, department, or IP address. A digital certificate also
contains a copy of the entity's public key. A CA can be a trusted third party, such as VeriSign,
or a private (in-house) CA that you establish within your organization.
Reference:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/ipsecint.htm
QUESTION NO: 22
What are the three ISAKMP authentication modes? (Choose three)
A. Main
B. Aggressive
C. Quick
D. Active
E. Passive
Answer: A, B, C
Explanation:
An IKE peer is an IPsec-compliant node capable of establishing IKE channels and negotiating
SAs. IKE provides three modes for the exchange of keying information and setting up IKE
security associations: Main mode, Aggressive mode, and Quick mode.
Reference:
http://www.cisco.com/en/US/products/sw/netmgtsw/ps2327/products_user_guide_chapter09186a0080087696.html#xtocid2073219
QUESTION NO: 23
IPSec is a set of security protocols and algorithms used to secure data at the network
layer. IPSec consists of two protocols and two protection modes. Choose these two
protocols: (Choose two)