Managing Cisco Network Security (MCNS)

Shared by: Thu Xuan | Date: | File type: PDF | Pages: 32



Document description

If a Security Association (SA) was previously established with Internet Key Exchange (IKE), what will the following command do on the router? A. It clears the SA symmetric key. B. It clears the SA authentication key. C. It deletes SA from the SA database. D. It re-initializes every peer’s secret key.


Text content: Managing Cisco Network Security (MCNS)

CISCO: Managing Cisco Network Security (MCNS) 640-442
Version 6.0, Jun. 17th, 2003
21certify.com
Study Tips

This product will provide you with questions and answers along with detailed explanations, carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice to make sure that you are not missing anything.

Latest Version

We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 365 days after the purchase. You should check the products page on the www.21certify.com web site for an update 3-4 days before the scheduled exam date.

Important Note: Please Read Carefully

This 21certify Exam has been carefully written and compiled by 21certify Exams experts. It is designed to help you learn the concepts behind the questions rather than be a strict memorization tool. Repeated readings will increase your comprehension. We continually add to and update our 21certify Exams with new questions, so check that you have the latest version of this 21certify Exam right before you take your exam.

For security purposes, each PDF file is encrypted with a unique serial number associated with your 21certify Exams account information. In accordance with International Copyright Law, 21certify Exams reserves the right to take legal action against you should we find that copies of this PDF file have been distributed to other parties.

Please tell us what you think of this 21certify Exam. We appreciate both positive and critical comments, as your feedback helps us improve future versions. We thank you for buying our 21certify Exams and look forward to supplying you with all your Certification training needs.

Good studying!
21certify Exams Technical and Support Team
Q.1 What are three commands that can be used in enabling NAT? (Choose three)
A. nat
B. static
C. global
D. conduit
E. xlate enable
Answer: A, B, C

Q.2 Which three databases are supported by the Cisco Secure ACS for UNIX? (Choose three)
A. Oracle
B. Sybase
C. NDS (Novell)
D. SQL Anywhere
E. Windows NT user database
Answer: A, B, D

Q.3 Given the following debug output:
1d16h: %UPLINK-3-UPDOWN: Interface Serial3/0, changed state to up
*Mar 2 16:52:297: Se3/0 PPP: Treating connection as a dedicated line
*Mar 2 16:52:441: Se3/0 PPP: Phase is AUTHENTICATING, by this end
*Mar 2 16:52:445: Se3/0 CHAP: O CHALLENGE id 7 len 29 from "NASx
Which two statements are true? (Choose two)
A. The user ID is NASx.
B. This is a connection attempt to an async port.
C. The connection is established on serial interface 3/0.
D. The user is authenticating using Challenge Handshake Authentication Protocol (CHAP).
E. The client is attempting to set up a Serial Line Internet Protocol (SLIP) connection.
Answer: C, D

Q.4 To ensure compatibility with IPSec when using Internet Key Exchange (IKE), what must be allowed through an access list (ACL)?
A. IP protocol 50 and TCP port 500
B. IP protocol 50 and UDP port 51
C. IP protocol 51, TCP port 500 and UDP port 50
D. IP protocol 50, IP protocol 51 and UDP port 500
Answer: D

Q.5 Java inspection was properly configured with Context Based Access Control (CBAC) to allow only applets from a trusted Web server. What happens when a user attempts to download an applet from an untrusted server using FTP (assuming that FTP is allowed between the two by CBAC)?
A. CBAC requests user authentication.
B. The applet is downloaded successfully.
C. The FTP session is terminated by CBAC.
D. The packets containing the applet are dropped by CBAC.
Answer: B

Q.6 Which Cisco IOS feature should be used when hiding multiple hosts behind a single IP address?
A. PAT
B. ACL
C. DHCP
D. CBAC
Answer: A

Q.7 Which encryption algorithms are supported by the Cisco Secure VPN Client?
A. Null, CAST-128 and DES
B. DES, Triple-DES and Null
C. DES, CAST-128 and Blowfish
D. DES, Blowfish and Diffie-Hellman
Answer: B

Q.8 Given the following output:
Crypto Map: "s1first" idb: Serial0 local address: 172.16.254.201
Crypto Map "s1first" 20 ipsec-isakmp
Peer = 172.16.254.212
Extended IP access list 101
access-list 101 permit ip
source: addr = 172.16.152.0/0.0.0.255
dest: addr 0.0.0.0/255.255.255.255
Current peer: 172.16.254.212
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets=(secure1, )
Which command was used to generate this display?
A. show crypto ip map
B. show crypto ipsec sa
C. show crypto map
D. show crypto ipsec transform set
Answer: C

Q.9 The PIX firewall operates with three rules that govern how to use the security level field. What are these three rules? (Choose three)
A. Security level 0 is the least secure.
B. Security level 100 is the most secure.
C. The lowest security level is for the inside interface.
D. The highest security level is for the outside interface.
E. Conduit and static commands are required to enable traffic that originates from outside and has an inside destination.
Answer: A, B, E

Q.10 Which statement about the PIX password recovery procedure is true?
A. The password recovery of the PIX 515 requires an FTP server.
B. The PIX firewall needs to be reloaded during password recovery.
C. Password recovery can only be done on a PIX firewall with a floppy drive.
D. The config-register has to be set to 0x2142 before password recovery.
Answer: C

Q.11 Which three statements apply to AAA on a PIX firewall? (Choose three)
A. Only inbound connections can be authenticated by AAA.
B. FTP, HTTP and Telnet can be authenticated using AAA.
C. The PIX can authenticate Enable mode access using AAA.
D. The PIX can authenticate serial console access using AAA.
Answer: A, B, C

Q.12 Exhibit:
Which PIX command statically translates the IP address of the Mail server to 182.16.1.4?
A. static (dmz, outside) 172.16.2.4 182.16.1.4
B. static (outside, dmz) 182.16.1.4 172.16.2.4
C. static (dmz, outside) 182.16.1.4 172.16.2.4
D. static (inside, outside) 182.16.1.4 172.16.2.4
Answer: B

Q.13 Which statement best describes the Encapsulating Security Payload (ESP) header?
A. It is inserted before an encapsulated IP header in Tunnel mode.
B. It is inserted before an encapsulated IP header in Transparent mode.
C. It is inserted after the IP header and before the upper layer protocol header in Tunnel mode.
D. It is inserted after the IP header and after the upper layer protocol header in Transport mode.
Answer: A

Q.14 Which two protocols are known to pose security threats? (Choose two)
A. SNMP
B. NNTP
C. SMTP
D. CHAP
E. Frame Relay
Answer: A, C

Q.15 If a Security Association (SA) was previously established with Internet Key Exchange (IKE), what will the following command do on the router?
A. It clears the SA symmetric key.
B. It clears the SA authentication key.
C. It deletes the SA from the SA database.
D. It re-initializes every peer's secret key.
Answer: C

Q.16 After the installation of Cisco Secure VPN Client is complete, you need either __________ for authentication.
A. A user ID or a password.
B. An error-correcting code (ECC) key or a pre-shared key.
C. An ECC key or a digital certificate.
D. A pre-shared key or a digital certificate.
Answer: A

Q.17 Which two statements are true? (Choose two)
A. There are few good security products.
B. A lack of a consistent security policy is a security risk.
C. Security should only be implemented on the perimeter devices.
D. Individual products must be integrated from a complete network solution.
Answer: B, C

Q.18 A masquerade attack occurs when an attacker pretends to come from a trusted host by stealing its _____________
A. User group
B. IP address
C. Account ID
D. Challenge Handshake Authentication Protocol (CHAP) password
Answer: B

Q.19 Which command is most useful to troubleshoot a Challenge Handshake Authentication Protocol (CHAP) authentication attempt?
Answer: D

Q.20 When the nat (inside) 0 command is configured on a PIX firewall, ________ IP addresses are translated.
A. DMZ
B. No inside
C. Only private
D. Global outside
Answer: B

Q.21 Which two commands prevent a chargen attack? (Choose two)
A. no ip redirects
B. no service finger
C. no chargen enable
D. no tcp-small-servers
E. no udp-small-servers
Answer: D

Q.22 Which three services can be authenticated using AAA on a PIX firewall? (Choose three)
A. FTP
B. POP
C. HTTP
D. SMTP
E. TFTP
F. TELNET
Answer: A, C, F

Q.23 Which three external databases are supported by CSNT? (Choose three)
A. NDS
B. Oracle
C. Windows NT
D. Token server
Answer: A, C, D

Q.24 You generate general purpose RSA keys. The router will have one _____________
A. RSA key pair
B. RSA key pair per peer
C. RSA key pair and one certificate per peer
D. RSA key pair per peer and one certificate per peer
Answer: A

Q.25 Which three statements about Encapsulating Security Payload are true? (Choose three)
A. It encapsulates the data.
B. It uses symmetric secret key algorithms.
C. It provides protection to the outer headers.
D. It encrypts the payload for data confidentiality.
Answer: A, B, D

Q.26 Exhibit:
Which command do you use to ping the NAS from the PIX firewall?
A. ping 10.1.1.1
B. ping -s 10.1.1.1
C. ping -t 10.1.1.1
D. ping inside 10.1.1.1
E. ping outside 10.1.1.1
Answer: D

Q.27 Which PIX firewall command denies any internal hosts from downloading Java applets?
Answer: A

Q.28 Which command allows you to view the PIX firewall software version?
A. show os
B. show pix
C. show version
D. debug version
E. show software
Answer: C

Q.29 With TCP inspection, which three parameters are used by Context Based Access Control (CBAC) to permit a packet received on the external interface? (Choose three)
A. Source IP address
B. Source port number
C. TCP sequence number
D. Destination port number
E. Destination MAC address
Answer: A, B, D

Q.30 Which three statements about PIX firewall multimedia support are true? (Choose three)
A. It supports multimedia with or without NAT.
B. It reserves all available UDP and TCP ports.
C. Using PAT with multimedia can create port conflicts.
D. It statically opens/closes UDP ports for multimedia connections.
Answer: A, B, C

Q.31 Given the following configuration command:
Router(config)#aaa authorization network abc tacacs local
Assuming all interfaces are configured to use default authentication, which statement is true?
A. The NAS will use the enable password by default.
B. If the TACACS server is unreachable, the local database will be used.
C. If the TACACS server is unreachable, NAS access will be enabled by default.
D. If the Terminal Access Controller Access Control System (TACACS) server is unreachable, no access will be permitted.
Answer: B

Q.32 Which authentication method is the most secure?
A. S/KEY
B. username/password
C. one-time passwords
D. token cards/soft tokens
Answer: D

Q.33 Given the following interface configuration:
interface serial 0
ip address 172.16.1.1 255.255.255.0
ip access-group 101 in
Which access list (ACL) line allows Internet Security Association Key Management Protocol (ISAKMP) from router 172.16.1.2?
A. access-list 101 permit ahp host 172.16.1.2 host 172.16.1.1
B. access-list 101 permit isakmp host 172.16.1.2 host 172.16.1.1
C. access-list 101 permit udp host 172.16.1.2 host 172.16.1.1 eq isakmp
D. access-list 101 permit tcp host 172.16.1.2 host 172.16.1.1 eq isakmp
Answer: C

Q.34 Context Based Access Control (CBAC) allows replies for sessions originating from the ______ hosts.
A. WAN
B. internal
C. external
D. destination
Answer: B

Q.35 Which IOS feature best prevents eavesdropping?
A. IPSec
B. CBAC
C. Lock and Key
D. TCP intercept
Answer: A

Q.36 What does the following command do?
crypto map map-name local-address interface-id
A. It applies a crypto map to an interface.
B. It defines a crypto map set to be used by multiple interfaces.
C. It allows the router to add a dynamic crypto map set to a static crypto map set on multiple interfaces.
D. It allows the router to have a single ID with the crypto map configured on more than one interface.
Answer: A

Q.37 Which four interfaces are supported by the PIX firewall? (Choose four)
A. ATM
B. FDDI
C. Serial
D. 10BaseT
E. 100BaseT
F. Token Ring
Answer: A, C, ?, ?

Q.38 Which PIX firewall command initiates a failover switch from the standby unit?
A. standby active
B. failover active
C. failover switch
D. no failover passive
Answer: B

Q.39 Which server is typically not in a DMZ?
A. FTP server
B. DNS server
C. Web server
D. Mail server
E. Enterprise server
Answer: E

Q.40 Which three tools are used to counter an unauthorized access attempt? (Choose three)
A. Encryption
B. Cisco IOS Lock and Key feature
C. Terminal Access Controller Access Control System (TACACS)
D. Challenge Handshake Authentication Protocol (CHAP) authentication
Answer: B, C, D

Q.41 Exhibit:
The crypto map is implemented on the serial interface of the remote router. Which access list (ACL) line configured on the remote router enables encryption of traffic from workstation B to workstation A?
A. access-list 101 permit ip host 192.168.255.2 host 10.34.2.3
B. access-list 101 permit ip host 192.168.255.2 host 172.34.2.1
C. access-list 101 permit ip host 10.34.2.3 172.16.1.0 0.0.0.255
D. access-list 101 permit ip 172.16.1.0 0.0.0.255 10.34.2.0 0.0.0.255
Answer: A

Q.42 The client's public/private key pair is generated by ____________
A. The client.
B. The certificate authority (CA).
C. The peer during the security association (SA) establishment.
D. Both peers during the SA establishment.
Answer: A

Q.43 Which two demonstrate a security policy weakness? (Choose two)
A. ping of death
B. denial of service
C. improper change control
D. no disaster recovery plan
E. misconfigured network equipment
Answer: C, D

Q.44 Which command demonstrates a successful login for a specific user?
A. show all
B. show user
C. show interface
D. show aaa accounting
Answer: D

Q.45 What are three benefits delivered by PIX Network Address Translation? (Choose three)
A. It hides the MAC address.
B. It automates IP renumbering of internal hosts.
C. It hides the internal network's addressing scheme from the outside world.
D. It enables Internet access from hosts with unregistered IP addresses.
E. It enables a network connected to the Internet to be independent of Internet address limitations.
Answer: B, C, D

Q.46 TCP intercept is used to protect against which type of attack?
A. rerouting
B. SYN-flooding
C. Eavesdropping
D. Unauthorized access
Answer: B

Q.47 When a PIX firewall has three Ethernet interfaces, which three statements are true? (Choose three)
A. The security level of the Ethernet1 interface is 1.
B. The default name of the Ethernet2 interface is "dmz".
C. The default name of the Ethernet1 interface is "inside".
D. The default name of the Ethernet0 interface is "outside".
E. The security level of the Ethernet2 interface is between 1 and 99.
Answer: B, C, D

Q.48 The missing parameters of a dynamic crypto map _________
A. Are configured by the Certificate Authority (CA).
B. Can be manually configured if using IPSec manual mode.
C. Are configured as the result of IPSec negotiation initiated by a peer.
D. Are configured by the router when it initiates a new Security Association (SA) with a remote peer.
Answer: C

Q.49 Which hash algorithms are used to authenticate packet data?
A. DES and CBC
B. RSA and SHA
C. MD5 and SHA
D. Diffie-Hellman and RSA
Answer: C

Q.50 Which three statements apply to a PIX firewall? (Choose three)
A. There is no default enable password.
B. The enable password will be hashed by default.
C. The passwd command sets a password for Telnet.
D. An empty enable password is not changed into an encrypted string.
Answer: A, B, C

Q.51 When configuring Context Based Access Control (CBAC) on an external interface, inbound access lists (ACLs) ______________
A. Must be reflexive.
B. Must be standard only.
C. Must be extended only.
D. Can be standard or extended.
Answer: C

Q.52 Which Context Based Access Control (CBAC) command increases the generic UDP timeout setting to 60 seconds?
A. ip inspect one-minute low
B. ip inspect one-minute high
C. ip inspect udp idle-timeout 60
D. ip inspect max-incomplete high 60
Answer: C

Q.53 Exhibit:
Which command statically translates the IP address of the Domain Name System (DNS) server to 182.18.1.4?
A. static (inside, outside) 10.1.1.1 182.16.1.4
B. static (inside, outside) 182.16.1.4 10.1.1.1
C. static (outside, inside) 10.1.1.1 182.16.1.4
D. static (outside, inside) 182.16.1.4 10.1.1.1
Answer: D

Q.54 Which command enables AAA globally in the NAS?
A. Router(config)# aaa enable
B. Router(config)# aaa new model
C. Router(config)# aaa default enable
D. Router(config)# aaa authentication login default enable
Answer: B

Q.55 Exhibit: Given the following configuration on the perimeter router:
crypto ipsec transform-set secure esp-des esp-md5-hmac
!
crypto map secmap 20 ipsec-isakmp
set peer 172.16.1.1
set transform-set secure
match address 101
access-list 101 permit ip any 192.168.255.0 0.0.0.255
access-list 101 deny ip any host 172.16.1.2
Which command secures traffic from workstation A to workstation B?
A. interface ethernet 0
   crypto map secmap
B. interface ethernet 0
   crypto map 20
C. interface serial 0
   crypto map secmap
D. interface serial 0
   crypto map 20
Answer: unknown

Q.56 Which command is used to set the timeout value of established TCP sessions to one minute?
A. ip inspect one-minute low
B. ip inspect tcp timeout 60
C. ip inspect one-minute high
D. ip inspect tcp timeout 3600
Answer: B

Q.57 Exhibit: Given the following access list:
Which line configuration statement should be used to permit Telnet management of the perimeter router from the management station?
Answer: B

Q.58 Which statement is true?
A. The certificate authority (CA) signs the public key.
B. The client signs its public key.
C. The client signs its private key.
D. The CA generates a public/private key pair.
Answer: A

Q.59 Which command is used to display the current PIX configuration?
Answer: C

Q.60 You have saved the configuration. When adding, changing or removing a global statement, which command is required next?
A. restart
B. show nat
C. clear nat
D. clear xlate
Answer: D

Q.61 What are three typical security weaknesses in any implementation? (Choose three)
A. policy weakness
B. hardware weakness
C. technology weakness
D. configuration weakness
Answer: A, C, D

Q.62 What does the following command configure?
crypto isakmp key thisissecret hostname routerB
A. The router's hostname and secret key.
B. The RSA public key to be used by routerB.
C. The symmetric key for IPSec manual mode.
D. A pre-shared authentication key for routerB.
Answer: D

Q.63 In the Cisco Secure VPN Client, the setting for IPSec Protocols (ESP or AH) must agree with which part of the router configuration?
A. crypto map
B. crypto isakmp key
C. crypto isakmp policy
D. crypto ipsec transform-set
Answer: D

Q.64 Exhibit:
Given the configuration example in the exhibit, authentication through the vty port would use which method?
A. Line password.
B. No access permitted.
C. No authentication required.
D. Default authentication used.
Answer: D

Q.65 The _________ command shows ICMP packet information on a PIX firewall.
A. show icmp
B. debug ping
C. debug ip icmp
D. debug icmp trace
Answer: C

Q.66 Which two AAA server products are used on a PIX firewall? (Choose two)
A. AUTH
B. RADIUS
C. XTACACS
D. TACACS+
E. KERBEROS
Answer: B, D

Exhibit (partial configuration of a PIX firewall):
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 182.16.1.1 255.255.255.0
ip address inside 10.1.1.3 255.255.255.0
ip address dmz 172.16.2.1 255.255.255.0

Q.67 Which three databases are supported by the Cisco Secure ACS for UNIX? (Choose three)
A. Oracle
B. Sybase
C. NDS (Novell)
D. SQL Anywhere
E. Windows NT user database
Answer: A, B, D

Q.68 To enable Network Address Translation on the PIX firewall for all internal hosts, which two commands need to be used? (Choose two)
A. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
B. nat (inside) 3 0.0.0.0 0.0.0.0 0 0
C. nat (outside) 3 0.0.0.0 0.0.0.0 0 0
D. global (inside) 3 192.168.1.10-192.168.1.254 netmask 255.255.255.0
E. global (outside) 3 192.168.1.10-192.168.1.254 netmask 255.255.255.0
Answer: B, E

Q.69 Which firewall command manually saves the configuration of the active failover unit to the standby failover unit, from the RAM in the active unit to the RAM in the standby unit?
A. write network
B. write standby
C. write failover
D. write secondary
Answer: B

Q.70 Given the inspect statement:
ip inspect name mcns http java-list 12
If you only trust Java applets from web server 10.16.2.2, which access list line is required to permit Java applets?
A. access-list 12 permit 10.16.2.2
B. access-list 12 permit tcp host 10.16.2.2 any
C. access-list 12 permit tcp 10.16.2.2 any eq www
D. access-list 12 permit host 10.16.2.2 any eq http
Answer: A

Q.71 Given the following output of the sh xlate command:
Global 16.130.3.17 Local 16.130.3.17 static nconns 10 econns 3
Global 16.130.3.16 Local 16.130.3.16 static nconns 42 econns 2
How many embryonic connections are in the translation table?
A. 5
B. 13
C. 44
D. 52
E. 57
Answer: A

Q.72 Given the following configuration statement:
Router(config)# aaa accounting network wait-start radius
Which three statements are true? (Choose three)
A. The accounting records are stored on a Remote Authentication Dial-In User Service (RADIUS) server.
B. Stop-accounting records for network service requests are sent to the RADIUS server.
C. Start-accounting records for network service requests are sent to the local database.
D. The requested service cannot start until the acknowledgement has been received from the RADIUS server.
Answer: D

Q.73 MD5 routing authentication is used with which three protocols? (Choose three)
A. RIP
B. BGP
C. OSPF
D. IGRP
E. EIGRP