Syngress Managing Cisco Network Security (SMCNS)

Shared by: Thu Xuan | Date: | File type: PDF | Pages: 29




Text content: Syngress Managing Cisco Network Security (SMCNS)

CISCO: Managing Cisco Network Security (MCNS) 640-100
Version 6.0
Jun. 17th, 2003
21certify.com
Study Tips

This product will provide you with questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Latest Version

We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 365 days after the purchase. You should check the products page on the www.21certify.com web site for an update 3-4 days before the scheduled exam date.

Important Note: Please Read Carefully

This 21certify Exam has been carefully written and compiled by 21certify Exams experts. It is designed to help you learn the concepts behind the questions rather than be a strict memorization tool. Repeated readings will increase your comprehension. We continually add to and update our 21certify Exams with new questions, so check that you have the latest version of this 21certify Exam right before you take your exam.

For security purposes, each PDF file is encrypted with a unique serial number associated with your 21certify Exams account information. In accordance with International Copyright Law, 21certify Exams reserves the right to take legal action against you should we find that copies of this PDF file have been distributed to other parties.

Please tell us what you think of this 21certify Exam. We appreciate both positive and critical comments as your feedback helps us improve future versions. We thank you for buying our 21certify Exams and look forward to supplying you with all your Certification training needs.

Good studying!
21certify Exams Technical and Support Team
Q1. By default, Cisco Secure ACS for Windows Web server (CSAdmin) listens on which port?
A. tcp 80
B. tcp 2002
C. tcp 5050
D. tcp 8080
Answer: B.

Q2. Which three statements about AH are true? (Choose three)
A. AH provides protection against replay.
B. AH encrypts the payload for data confidentiality.
C. AH provides connectionless integrity for the IP datagrams.
D. AH provides data origin authentication for the IP datagrams.
E. AH encapsulates the data.
F. AH uses symmetric secret key algorithms.
Answer: A, C, D.

Q3. Snooping and packet sniffing are examples of what type of threat?
A. Repudiation
B. Masquerade threats
C. Eavesdropping
D. DoS
Answer: C.

Q4. What is the default idle time of an enabled IOS Firewall authentication proxy?
A. 5 seconds
B. 60 seconds
C. 5 minutes
D. 60 minutes
Answer: D.

Q5. Which set specifies DH Group 1 or Group 2?
A. Peer
B. Transform-set
C. Pfs
D. Security-association
Answer: C.

Q6. What does authentication proxy on the Cisco IOS Firewall do?
A. Creates specific authorization policies for each user with Cisco Secure ACS, dynamic, per-user security and authorization.
B. Provides additional visibility at intranet, extranet, and Internet perimeters.
C. Creates specific security policies for each user with Cisco Secure ACS, dynamic, per-user authentication and authorization.
D. Provides secure, per-application access control across network perimeters.
Answer: C.

Q7. When a remote user attempts to dial in to the network, the network access server (NAS) first queries the TACACS+ server for authentication information. What is the difference between an ERROR and a FAIL response? (Choose two)
A. A FAIL response means that the user has not met the criteria to be successfully authenticated.
B. An ERROR means that the ACS server has not responded to an authentication query.
C. A FAIL means that the ACS server has not responded to an authentication query.
D. An ERROR means that the user has not met the criteria to be successfully authenticated.
Answer: A, B.

Q8. You are creating more than one crypto map for a given interface using the sequence number of each map entry to rank the map entries. What does the lower number indicate?
A. Lower priority
B. Higher priority
C. Number of interfaces
D. Number of map entries
Answer: B.

Q9. Which module is audited first when packets enter an IOS Firewall IDS and match a specific audit rule?
A. TCP
B. ICMP
C. IP
D. Application level
E. UDP
Answer: C.

Q10. The strength of the RSA encryption algorithm stems from:
A. Keeping details of the algorithms secret.
B. The processing power needed based on the formula e=mc**2.
C. The difficulty of factoring very large prime numbers.
D. Keeping the shared decryption key secret.
Answer: C.

Q11. Which command prevents the perimeter router from divulging topology information by telling external hosts which subnets are not configured?
A. no source-route
B. no ip unreachables
C. no ip route-cache
D. no service udp-small-servers
Answer: B.

Q12. What kind of signature triggers on a single packet?
A. Regenerative
B. Cyclic
C. Atomic
D. Dynamic
E. Compound
Answer: C.

Q13. What is a configuration weakness?
A. Outdated software
B. No written security policy
C. Unsecured user accounts
D. No monitoring or auditing of the security logs.
Answer: C.

Q14. Which of the following statements best describes a digital certificate:
A. A digital certificate is issued by the trusted certificate authority to the requesting peer for authentication.
B. A digital certificate gives you the authority to telnet to a perimeter router running IPSec and change its configuration.
C. A digital certificate allows its holder to access the campus network.
D. A digital certificate is issued by a certificate authority to authorize an electronic transaction.
Answer: D

Q15. Which two commands prevent a Chargen attack? (Choose two)
A. no ip redirects
B. no tcp-small-servers
C. no ip-source route
D. no chargen enable
E. no udp-small-servers
F. no service finger
Answer: B, E.

Q16. Choose the three actions that the IOS Firewall IDS router may perform when a packet, or a number of packets in a session, match a signature. (Choose three)
A. Forward packet to the Cisco IDS Host Sensor for further analysis.
B. Send alarm to the Cisco IDS Director or Syslog server.
C. Send an alarm to Cisco Secure ACS.
D. Set the packet reset flag and forward the packet through.
E. Drop the packet immediately.
F. Return the packet to the sender.
Answer: B, D, E.

Q17. Given the following configuration statement, which three statements are true? (Choose three)
Router(config)#aaa account network wait-start radius
A. The accounting records are stored on a TACACS+ server.
B. Stop-accounting records for network service requests are sent to the TACACS+ server.
C. The accounting records are stored on a RADIUS server.
D. Start-accounting records for network service requests are sent to the local database.
E. Stop-accounting records for network service requests are sent to the RADIUS server.
F. The requested service cannot start until the acknowledgement has been received from the RADIUS server.
Answer: C, E, F.

Q18. What is the purpose of the following commands:
Router(config)#line con 0
Router(config-line)#login authentication no_tacacs
A. Specifies that for authentication, any other method except tacacs, is permitted (Radius for example).
B. Specifies that the AAA authentication is not necessary when using console.
C. Specifies that the AAA authentication list called no_tacacs is to be used on the console.
D. Specifies that tacacs+ has been configured with no shared key, so no authentication is necessary.
Answer: C.

Q19. Which of the following is the correct command to create a dynamic crypto map entry?
A. router(config-if)#crypto dynamic map mydyn 15
B. router(config)#crypto dynamic-map mydyn 15
C. router(config)#crypto map dynamic mydyn 15
D. router(config)#crypto dynamic-map mydyn 15 enable
Answer: B.

Q20. What is the more secure approach for pre-shared keys between peers?
A. Specify the same key to share with multiple remote peers.
B. Specify different keys to share with multiple remote peers.
C. Specify the same key to share between different pairs of peers.
D. Specify different keys to share between different pairs of peers.
Answer: D.

Q21. What is the purpose of the ip host global configuration command?
A. Associates an IP address.
B. Removes name-to-address mapping.
C. Binds eight addresses to a hostname.
D. Defines a static host name-to-address mapping in the host cache.
Answer: D

Q22. To verify the operation of IPSec, we need to view all security association settings. What is the exec command to accomplish this?
A. show crypto ipsec assoc
B. show crypto ipsec sa
C. show crypto isakmp sa
D. show crypto ipsec security
Answer: B.

Q23. Which two demonstrate a security policy weakness? (Choose two)
A. Improper change protocol
B. Ping of death
C. DoS
D. Misconfigured network equipment
E. Consistent security policy
F. No disaster recovery plan
Answer: A, F.

Q24. Which command disables finger replies on a perimeter router?
A. no finger
B. no finger reply
C. no service finger
D. disable finger
Answer: C.

Q25. Given the following debug output, which two statements are true? (Choose two)
13:53:38: TAC+: Receiving TCP/IP packet number 416942312-5 from
13:53:38 TAC+: (416942312): received authen response status = FAIL
15.53:38: TAC+: Closing TCP/IP connection to 10.1.1.4/49
A. The request used the RADIUS protocol.
B. Authentication is complete.
C. The authentication failed.
D. The request used the TACACS+ protocol.
E. The address of the NAS was 10.1.1.4.
F. The debug command used was debug tacacs.
Answer: C, D.

Q26. To prevent Internet users from pinging the PIX, which ACL statement should be configured on the external interface of the perimeter router?
A. access-list 102 deny icmp any 182.16.1.1 0.0.0.0 echo
B. access-list 102 deny tcp any 182.16.1.1 0.0.0.0
C. access-list 102 permit tcp any 182.16.1.1 0.0.0.0 echo
D. access-list 102 deny icmp any 182.16.1.1 0.0.0.0 echo-reply
Answer: A.

Q27. Which three tools counter an unauthorized access attempt? (Choose three)
A. Encryption
B. Cisco IOS Lock and Key feature
C. Password decryption
D. TACACS
E. IKE
F. CHAP authentication
Answer: B, D, F.

Q28. Which error message indicates that ISAKMP peers failed protection suite negotiation for ISAKMP?
A. %CRYPTO-6-IKMP_SA_AUTH: Can accept Quick Mode exchange from % 15i if SA is authenticated!
B. %CRYPTO-6-IKMP_SA_OFFERED: Remote peer % 15i responded with attribute [chars] offered and changed.
C. %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer % 15i responded with attribute [chars] not offered or changed.
D. %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from % 15i if SA is not authenticated.
Answer: C.

Q29. What does a half-open TCP session on the Cisco IOS Firewall mean?
A. Session was denied.
B. Firewall detected return traffic.
C. Session has not reached the established state.
D. Three-way handshake has been completed.
Answer: C.

Q30. IPSec is a set of security protocols and algorithms used to secure data at the network layer. IPSec consists of two protocols and two protection modes. Choose these two protocols: (Choose two)
A. ESP
B. SHA1
C. AH
D. DSA
E. MD5
Answer: A, C.

Q31. Which three tasks are needed to configure IPSec encryption? (Choose three)
A. Configure IPSec.
B. Configure transform sets.
C. Configure the encryption algorithm.
D. Test and verify IPSec.
E. Prepare for IKE and IPSec.
F. Create crypto ACLs.
Answer: A, D, E.

Q32. How many kilobytes of memory are consumed by each alarm stored in a router queue?
A. 5
B. 10
C. 16
D. 32
E. 64
Answer: D.

Q33. What three typical security weaknesses exist in any implementation? (Choose three)
A. Policy weakness
B. Technology weakness
C. Hardware weakness
D. Encryption weakness
E. Configuration weakness
F. UDP protocol weakness
Answer: A, B, E.

Q34. What is the maximum number of "transforms" in the command:
router(config)#crypto ipsec transform-set Tsname transform1
A. 4
B. 3
C. 2
D. Unlimited
Answer: B.

Q35. Choose the two DH groups supported by Cisco Easy VPN. (Choose two)
A. DH 1
B. DH 2
C. DH 3
D. DH 4
E. DH 5
F. DH 6
Answer: B, E.

Q36. What Cisco Secure ACS service processes the ODBC import tables and updates local and remote Cisco Secure ACS installations?
A. CSAdmin
B. CSAimporter
C. CSAccupdate
D. CSACSupdate
Answer: C.

Q37. What is the default length of time, in seconds, that a DNS name lookup session will still be managed after no activity is registered on the Cisco IOS Firewall?
A. 4
B. 30
C. 60
D. 3,600
Answer: A.

Q38. Which three statements about ESP are true? (Choose three)
A. ESP encapsulates the data.
B. ESP uses symmetric secret key algorithms.
C. ESP provides protection to the outer headers.
D. ESP encrypts the payload for data confidentiality.
E. ESP verifies the integrity of the ESP datagram.
F. ESP uses asymmetric secret key algorithms.
Answer: A, B, D.

Q39. If you don't want IKE to be used with your IPSec implementation, you can disable it at all IPSec peers. What are the concessions that you have to make at the peers?
A. You will not have any control over the IPSec security associations in the crypto maps.
B. Certification Authority (CA) support cannot be used.
C. Anti-replay services will not be available.
D. The peer's IPSec security associations will never time out for a given IPSec session.
Answer: B, C, D.

Q40. If no valid authentication entry exists in the authentication proxy, how does the proxy respond to the HTTP connection request?
A. Prompting the user for a username.
B. Prompting the user for a password.
C. Prompting the user for a username and password.
D. Sending an alert to the Cisco Secure ACS server.
Answer: C.

Q41. In a rerouting attack, which router table is modified or prevented from updating?
A. ARP
B. Address
C. Routing
D. Bridge
Answer: C.

Q42. Identify two packet mode access methods. (Choose two)
A. BRI
B. Async
C. Sync
D. Group-sync
E. Telnet
F. Tty
Answer: A, B.

Q43. In preparing for IPSec, which command ensures that basic connectivity has been achieved between IPSec peers before configuring IPSec?
A. ping
B. write term
C. show crypto map
D. show access-list
Answer: A.

Q44. Given the following configuration statement, which two statements are true? (Choose two)
router(config)#aaa authentication login default tacacs+ none
A. No authentication is required to login.
B. TACACS is the default login method for all authentication.
C. If the TACACS process is unavailable, no access is permitted.
D. RADIUS is the default login method for all authentication.
E. If the TACACS process is unavailable, no login is required.
F. If the RADIUS process is unavailable, no login is required.
Answer: B, E.

Q45. What type of Access List are we talking about when we say: It creates temporary openings in access lists at firewall interfaces. These openings occur when specified traffic exits the internal network through the firewall. It allows the traffic back through the firewall only if it is part of the same session as the original traffic that triggered it when exiting the firewall.
A. Dynamic (Lock & Key)
B. CBAC
C. Reflexive Access List
D. Time-of-Day Access List
Answer: B.

Q46. Select the two issues to consider when implementing IOS Firewall IDS. (Choose two)
A. Memory usage
B. Number of DMZs
C. Signature coverage
D. Number of router interfaces
Answer: A, C.

Q47. Which protocol gives intruders the best information regarding your network?
A. Sendmail
B. POP3
C. SMTP
D. LDAP
E. SNMP
Answer: E.

Q48. The 3 primary reasons for security issues are technology, configuration and policy weaknesses. Which of the following fall under policy weaknesses? (Choose all that apply)
A. Software/Hardware installation by users without going through an appropriate channel.
B. Lack of disaster recovery plan.
C. Lack of written security policy.
D. Business lacks continuity.
E. Allowing system accounts with easily guessed passwords.
F. Lack of security administration.
Answer: A, B, C, D, F.

Q49. When implementing an authentication proxy, which two tasks are necessary to complete the configuration? (Choose two)
A. Verify configuration of both the router and AAA server.
B. Configure AAA accounting on the router.
C. Configure AAA accounting on the server.
D. Configure the AAA server.
E. Configure AAA authorization on the router.
F. Configure AAA authorization on the server.
Answer: A, D.

Q50. What three main security issues face organizations today? (Choose three)
A. Security is not just a technology problem.
B. Too many employees wish to work off campus.
C. Service providers are slow to react to security issues.
D. Vast quantities of security technologies exist.
E. Adopting the latest security methods can be costly.
F. Many organizations lack a single network-wide security policy.
Answer: A, D, F.

Q51. What are the minimum hardware requirements of the server running Cisco Secure ACS 3.0 for Windows 2000/NT? (Choose two)
A. Pentium III processor, 550 MHz or faster.
B. 256 RAM and 320 MB of HD.
C. Pentium U processor, 400 MHz or faster.
D. 256 RAM and 250 MB of HD.
E. 32-bit Sound Card and a Joystick.
Answer: A, D.

Q52. Select the three operating systems supported by the Cisco VPN Software Client 3.x. (Choose three)
A. HP-UX
B. IBM-AIX
C. Microsoft Windows
D. Linux (Intel)
E. Palm-OS
F. Apple MAC OS
Answer: C, D, F.

Q53. Given the following configuration statement:
NAS(config)# aaa account network wait-start radius
Which three statements are true? (Choose three)
A. Start accounting records for network service requests are sent to the local database server.
B. The request server cannot start service until the acknowledgement is received from the radius server.
C. The accounting records are stored on a remote access dial-in user server.
D. The request server must start service immediately.
E. Stop accounting records for network service requests are sent to the radius server.
Answer: A, B, E.

Q54. Which ACL statement protects against address spoofing when applied inbound on the external interface of the perimeter router?
A. access-list 101 deny IP 182.16.1.0 255.255.255.0 0.0.0.0 255.255.255.255
B. access-list 101 permit IP 182.16.1.0 255.255.0.0 0.0.0.0 255.255.255.255
C. access-list 101 deny IP 182.16.1.0 0.0.0.255 0.0.0.255 255.255.255
D. access-list 101 deny UDP 182.16.1.0 255.255.0.0 0.0.0.0 255.255.255.255
Answer: C.

Q55. Which three external databases are supported by Cisco Secure ACS for Windows? (Choose three)
A. Netware NDS
B. Oracle
C. Windows-NT/2000
D. Token Server
E. SQL-Linux
F. AAA
Answer: A, C, D.

Q56. In a masquerade attack, what does an attacker steal when pretending to come from a trusted host?
A. Account identification
B. User group
C. IP address
D. CHAP password
Answer: C.

Q57. Which of the following statements are true? (Choose all that apply)
A. CBAC is only available as part of CSIS.
B. CBAC creates permanent openings in access lists at firewall interfaces.
C. The primary component of the Firewall Feature Set is CBAC.
D. CBAC will not work with IPSec unless it is on the IPSec endpoint routers.
Answer: A, C, D.

Q58. Which services are common to AH and ESP?
A. Confidentiality, connectionless integrity, and anti-replay service.
B. Data origin authentication, confidentiality, and anti-replay service.
C. Connectionless integrity, data origin authentication, and anti-replay service.
D. Confidentiality, connectionless integrity, and data origin authentication.
Answer: C.

Q59. Given the following debug output, which two statements are true? (Choose two)
1d16h: %LINK-3-UPDOWN: Interface Serial3/0, changed state to up
*Mar 2 16:52:15.297: Se3/0 PPP: Treating connection as a dedicated line
*Mar 2 16:52:15.441: Se3/0 PPP: Phase is AUTHENTICATION, by this end
*Mar 2 16:52:15.445: Se3/0 CHAP: O CHALLENGE id 7 len 29 from "NASx"
A. The user identity is NASx.
B. This is a connection attempt to an async port.
C. The connection is established on serial interface 3/0.
D. The client is attempting to set up a Serial Line Internet Protocol connection.
E. The user is authenticating using CHAP.
F. The DHCP server sends a getpass request to prompt for the password.
Answer: C, E.

Q60. When used with the IOS Firewall, what does CBAC use for inspection rules to configure on a per-application protocol basis?
A. Alerts and audit trails
B. ODBC filtering
C. Tunnel, transport modes, or both
D. Stateful failover
Answer: A.

Q61. Select the three types of IPSec encryption algorithms supported by Cisco Easy VPN. (Choose three)
A. DES
B. ESP
C. IPCOMP-LZS
D. HMAC-MD5
E. 3DES
F. NULL
Answer: A, E, F.

Q62. You should pay particular attention to detail when entering peer RSA public keys. Why?
A. Public keys are used to create the private keys.
B. Mistakes made when entering the keys will cause them not to work.
C. Changes cannot be made after the keys are entered.
D. Changes are complex to make after the keys are entered.
Answer: B.

Q63. Select the three RADIUS servers supported by the Cisco IOS Firewall authentication proxy. (Choose three)
A. Cisco Secure ACS for Windows NT/2000.
B. Oracle
C. DB2
D. Cisco Secure ACS for UNIX.
E. TACACS+
F. Lucent
Answer: A, D, F.

Q64. TCP intercept protects against what type of attacks?
A. Rerouting
B. SYN-flooding
C. Eavesdropping
D. Unauthorized access