TestKing 640-100 Edt7

Shared by: Ba Trinh | Date: | File type: PDF | Pages: 87







640-100 (MCNS) Managing Cisco Network Security Version 7.0
640 - 100

Important Note, Please Read Carefully

Study Tips
This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Further Material
For this test TestKing also provides:
* Interactive Test Engine Examinator. Check out an Examinator Demo at http://www.testking.com/index.cfm?pageid=724

Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check your member zone at TestKing for an update 3-4 days before the scheduled exam date. Here is the procedure to get the latest version:
1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click the links.
For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

Feedback
Feedback on specific questions should be sent to feedback@testking.com. You should state: exam number and version, question number, and login ID. Our experts will answer your mail promptly.

Explanations
Currently this product does not include explanations. If you are interested in providing TestKing with explanations contact feedback@testking.com. Include the following information: exam, your background regarding this exam in particular, and what you consider a reasonable compensation for the work.

Copyright
Each pdf file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular pdf file is being distributed by you, TestKing reserves the right to take legal action against you according to the International Copyright Laws.
Leading the way in IT testing and certification tools, www.testking.com - 2-
Section A contains 82 questions. Section B contains 113 questions. The total number of questions is 195.

Section A

QUESTION NO: 1
Which of the following is the correct command to create a dynamic crypto map entry?
A. router(config-if)#crypto dynamic map mydyn 15
B. router(config)#crypto dynamic-map mydyn 15
C. router(config)#crypto map dynamic mydyn 15
D. router(config)#crypto dynamic-map mydyn 15 enable
Answer: B
Explanation: To create a dynamic crypto map entry and enter crypto map configuration mode, use the crypto dynamic-map command in global configuration mode. A dynamic crypto map is a template whose peer address is left unspecified; it is referenced from a static crypto map (crypto map <name> <seq> ipsec-isakmp dynamic <dyn-name>) and is used for peers whose address is not known in advance, such as remote-access clients.
Reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_c2g.htm#1069489

QUESTION NO: 2
What is the maximum number of "transforms" in the command:
router(config)#crypto ipsec transform-set Tsname transform1
A. 4
B. 3
C. 2
D. Unlimited
Answer: B
Explanation: Up to three transforms can be in a set: at most one AH transform and one or two ESP transforms (one ESP encryption transform and one ESP authentication transform).
Reference: Cisco Secure PIX Firewalls (Ciscopress) Page 212

QUESTION NO: 3
Which of the following statements are true? (Choose all that apply)
A. A message encrypted using Bob's public key can only be decrypted using Alice's public key.
B. A message encrypted using Bob's public key can only be decrypted by using Bob's private key.
C. A message encrypted using Bob's private key can only be decrypted using Alice's private key.
D. A message encrypted using Bob's private key can only be decrypted by using Bob's public key.
Answer: B, D
Explanation: The public and private keys are the two halves of one asymmetric key pair. The public key is shared freely; the private key is never given out. The two halves work only with each other: data encrypted with the public key can be decrypted only with the matching private key, and data transformed with the private key can be verified only with the matching public key, which is what a digital signature relies on. Alice's keys play no part in decrypting anything encrypted for or by Bob, so A and C are false.
Reference: CiscoWorks Common Services Software - Understanding CiscoWorks Security http://www.cisco.com/en/US/products/sw/cscowork/ps3996/products_user_guide_chapter09186a008017b74d.html

QUESTION NO: 4
What type of access list are we talking about when we say: It creates temporary openings in access lists at firewall interfaces. These openings occur when specified traffic exits the internal network through the firewall. It allows the traffic back through the firewall only if it is part of the same session as the original traffic that triggered it when exiting the firewall.
A. Dynamic (Lock & Key)
B. CBAC
C. Reflexive Access List
D. Time-of-Day Access List
Answer: B
Explanation: Context-based Access Control (CBAC) examines not only network layer and transport layer information but also application-layer protocol information (such as FTP commands) to learn about the state of TCP and UDP connections. CBAC maintains connection state information for individual connections, uses it to decide whether packets should be permitted or denied, and dynamically creates and deletes temporary openings in the firewall. Note that Cisco describes reflexive access lists (option C) in almost the same words; what sets CBAC apart is the application-layer inspection, which also lets it open the additional data channels that a protocol such as FTP negotiates, something a reflexive access list cannot do.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d9815.html

QUESTION NO: 5
What is the purpose of the following commands:
Router(config)#line con 0
Router(config-line)#login authentication no_tacacs
A. Specifies that for authentication, any other method except tacacs is permitted (Radius for example).
B. Specifies that AAA authentication is not necessary when using the console.
C. Specifies that the AAA authentication list called no_tacacs is to be used on the console.
D. Specifies that tacacs+ has been configured with no shared key, so no authentication is necessary.
Answer: C
Explanation: To enable authentication, authorization, and accounting (AAA) authentication for logins, use the login authentication command in line configuration mode. Its argument is the name of a method list defined with aaa authentication login; the name no_tacacs has no meaning to IOS beyond identifying that list.
Reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_i2g.htm#1072266

QUESTION NO: 6
In a masquerade attack, what does an attacker steal when pretending to come from a trusted host?
A. Account identification
B. User group
C. IP address
D. CHAP password
Answer: C
Explanation: IP spoofing: an IP spoofing attack occurs when an attacker outside your network pretends to be a trusted user, either by using an IP address that is within the range of IP addresses for your network or by using an authorized external IP address that you trust and to which you wish to provide access to specified resources on your network. Should an attacker get access to your IPSec security parameters, that attacker can masquerade as the remote user authorized to connect to the corporate network.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a008007fee4.html

QUESTION NO: 7
What three typical security weaknesses exist in any implementation? (Choose three)
A. Policy weakness
B. Technology weakness
C. Hardware weakness
D. Encryption weakness
E. Configuration weakness
F. UDP protocol weakness
Answer: A, B, E
Explanation: Security weaknesses fall into three primary classes:
Technology weaknesses: each network and computing technology has inherent security problems.
Configuration weaknesses: even the most secure technology can be misconfigured or misused, exposing security problems.
Policy weaknesses: a poorly defined or improperly implemented and managed security policy can make the best security and network technology ripe for security abuse.
Reference: Managing Cisco Network Security (Ciscopress) page 6

QUESTION NO: 8
Select the three RADIUS servers supported by the Cisco IOS Firewall authentication proxy. (Choose three)
A. Cisco Secure ACS for Windows NT/2000.
B. Oracle
C. DB2
D. Cisco Secure ACS for UNIX.
E. TACACS+
F. Lucent
Answer: A, D, F
Explanation: The supported AAA servers are CiscoSecure ACS 2.3 for Windows NT, CiscoSecure ACS 2.3 for UNIX, TACACS+ server (vF4.02.alpha), Ascend RADIUS server radius-980618 (requires the avpair patch), and the Livingston (now Lucent) RADIUS server (v1.16).
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide_chapter09186a00800a17ec.html

QUESTION NO: 9
Given the following configuration statement, which three statements are true? (Choose three)
Router(config)#aaa accounting network wait-start radius
A. The accounting records are stored on a TACACS+ server.
B. Stop-accounting records for network service requests are sent to the TACACS+ server.
C. The accounting records are stored on a RADIUS server.
D. Start-accounting records for network service requests are sent to the local database.
E. Stop-accounting records for network service requests are sent to the RADIUS server.
F. The requested service cannot start until the acknowledgement has been received from the RADIUS server.
Answer: C, E, F
Explanation: Router(config)#aaa accounting network wait-start radius
aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} {tacacs+ | radius}
Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.
network: enables accounting for all network-related requests, including SLIP, PPP, PPP network control protocols, and ARAP.
wait-start: causes both a start and a stop accounting record to be sent to the accounting server, but the requested user service does not begin until the start accounting record is acknowledged. This makes the accounting server a hard dependency for session setup: if no acknowledgement arrives, the session never starts.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_chapter09186a00800eb6e4.html

QUESTION NO: 10
Which three external databases are supported by Cisco Secure ACS for Windows? (Choose three)
A. Netware NDS
B. Oracle
C. Windows-NT/2000
D. Token Server
E. SQL-Linux
F. AAA
Answer: A, C, D
Explanation: You can select the CiscoSecure user database or configure an external user database such as Windows NT/2000, Open Database Connectivity (ODBC), generic Lightweight Directory Access Protocol (LDAP), Microsoft Commercial Internet System (MCIS), Novell NetWare Directory Services (NDS), or a token-card database to authenticate usernames and passwords according to your network requirements. The referenced chapter discusses the advantages and limitations of each option.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6bb.html

QUESTION NO: 11
Given the following configuration statement, which two statements are true? (Choose two)
router(config)#aaa authentication login default tacacs+ none
A. No authentication is required to login.
B. TACACS is the default login method for all authentication.
C. If TACACS process is unavailable, no access is permitted.
D. RADIUS is the default login method for all authentication.
E. If the TACACS process is unavailable, no login is required.
F. If the RADIUS process is unavailable, no login is required.
Answer: B, E
Explanation: The methods in a method list are tried in order. tacacs+ is the first method, so TACACS+ is the default login method; none means that no authentication is performed. IOS moves on to the next method only when the current one returns an error (no TACACS+ server could be reached), never when a server answers and rejects the credentials. The consequence of this particular list is that a loss of connectivity to the TACACS+ servers lets anyone log in. For production routers the usual fallback is local (in current syntax aaa authentication login default group tacacs+ local, with a username configured), so that an AAA server outage degrades to the router's local user database rather than to unauthenticated access.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_chapter09186a008015c5c3.html

QUESTION NO: 12
How many kilobytes of memory are consumed by each alarm stored in a router queue?
A. 5
B. 10
C. 16
D. 32
E. 64
Answer: D
Explanation: This refers to the Cisco IOS Firewall IDS event queue, whose size is set with the ip audit po max-events command (default 100 events). Each event held in the queue consumes 32 KB of router memory, so raising the maximum increases memory use and can affect performance.
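The fallback behaviour of the method list in question 11 above, as an added example written for this page (it is not code from the TestKing document or from Cisco IOS; the TACACS+ server model, the user database, the scenario names and the credentials are constructed):

```python
"""Method-list fallback for `aaa authentication login default tacacs+ none`.

Added example (not from the TestKing document or from Cisco): a model of how
Cisco IOS walks an AAA method list. The point that matters for security is that
IOS moves on to the next method only when the current one returns ERROR (the
server could not be reached), never when it returns FAIL (the server answered
and rejected the credentials). The server, user database and scenarios below
are constructed for the example.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"      # method authenticated the user
    FAIL = "fail"      # method reached a decision: reject
    ERROR = "error"    # method could not be evaluated (server unreachable)


class TacacsServer:
    """Constructed TACACS+ server: a user database plus a reachability flag."""

    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


LOCAL_USERS = {"admin": "local-secret"}   # constructed `username admin ...` entry


def method_tacacs(server):
    """Bind the `tacacs+` method to a particular server."""
    return lambda user, password: server.authenticate(user, password)


def method_local(user, password):
    """The `local` method: check the router's own username database."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


def method_none(user, password):
    """The `none` method: no authentication is performed, everyone passes."""
    return Result.PASS


def login(method_list, user, password):
    """Walk the method list as IOS does: fall through only on ERROR."""
    for method in method_list:
        result = method(user, password)
        if result is Result.PASS:
            return True
        if result is Result.FAIL:
            return False       # authoritative reject: later methods are not tried
        # Result.ERROR: try the next method
    return False               # every method errored and nothing granted access


def scenarios():
    """`tacacs+ none` versus `tacacs+ local` in the cases that matter."""
    up = TacacsServer({"alice": "correct-horse"}, reachable=True)
    down = TacacsServer({"alice": "correct-horse"}, reachable=False)
    return {
        # Server up and rejecting: both lists deny, `none` is never consulted.
        "tacacs+ none, server up, wrong password":
            login([method_tacacs(up), method_none], "alice", "guess"),
        # Server unreachable: `none` admits anyone with any password.
        "tacacs+ none, server down, unknown user":
            login([method_tacacs(down), method_none], "mallory", "anything"),
        # Server unreachable: `local` still demands a valid local credential.
        "tacacs+ local, server down, unknown user":
            login([method_tacacs(down), method_local], "mallory", "anything"),
        "tacacs+ local, server down, local admin":
            login([method_tacacs(down), method_local], "admin", "local-secret"),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:44s} -> {'ACCESS' if allowed else 'denied'}")
```

The model deliberately distinguishes FAIL from ERROR: with the server up, a wrong password is rejected by both lists, and the difference only appears when the server cannot be reached, which is exactly the condition an attacker who can disrupt the path to the AAA server would try to create.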
QUESTION NO: 13
Choose the three actions that the IOS Firewall IDS router may perform when a packet, or a number of packets in a session, match a signature. (Choose three)
A. Forward packet to the Cisco IDS Host Sensor for further analysis.
B. Send alarm to the Cisco IDS Director or Syslog server.
C. Send an alarm to Cisco Secure ACS.
D. Set the packet reset flag and forward the packet through.
E. Drop the packet immediately.
F. Return the packet to the sender.
Answer: B, D, E
Explanation: The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog or the Cisco Secure Intrusion Detection System (Cisco Secure IDS, formerly known as NetRanger) Post Office Protocol. The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to take these actions:
• Send an alarm to a syslog server or a Cisco Secure IDS Director (centralized management interface)
• Drop the packet
• Reset the TCP connection
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d9819.html

QUESTION NO: 14
Exhibit:
In order to prevent external (Internet) users from pinging the PIX, which access list (ACL) statement should be configured on the external interface of the perimeter router?
A. Access-list 102 deny tcp any 182.16.1.1 0.0.0.0
B. Access-list 102 deny icmp any 182.16.1.1 0.0.0.0 echo
C. Access-list 102 permit tcp any 182.16.1.1 0.0.0.0 echo
D. Access-list 102 deny icmp any 182.16.1.1 0.0.0.0 echo-reply
Answer: D
Explanation: The answer key gives D, but check the ICMP semantics before relying on it. A ping sends an ICMP echo (type 8) and the target answers with an echo-reply (type 0). To stop hosts on the Internet from pinging the PIX, the entry applied inbound on the external interface must drop echo requests addressed to the PIX outside address, which is what option B does. Option D drops echo-replies addressed to the PIX, which blocks the answers to pings the PIX itself originates and does not stop an external host's echo requests from reaching it. The exhibit is not reproduced here, so the interface and direction in the original question cannot be confirmed; in a lab, verify with the hit counts of show access-lists after pinging from the outside.
Reference: Managing Cisco Network Security (Ciscopress) page 728

QUESTION NO: 15
Which protocol is used by the Cisco IOS Cryptosystem to securely exchange encryption keys for IPSec?
A. DH
B. DES
C. Digital Signature Standard
D. ESP
Answer: A
Explanation:
Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an insecure communications channel. IKE uses Diffie-Hellman to establish session keys. VPN Solutions Center supports four Diffie-Hellman groups:
Group 1: a MODP group with a 768-bit modulus.
Group 2: a MODP group with a 1024-bit modulus.
Group 5: specifies the 1536-bit Diffie-Hellman group. Group 5 works like Groups 1 and 2 but provides a higher level of security and requires more processing time than Groups 1 and 2. Cisco IOS supports Diffie-Hellman Group 5. (By current standards the 768-bit and 1024-bit groups are too small to rely on.)
Group 7: uses a combination of Diffie-Hellman and a 163-bit Elliptic Curve Cryptosystem (ECC) algorithm. ECC gives comparable strength with much smaller keys, so the exchange is quick to compute on a hand-held device. VPN 3000 devices support Diffie-Hellman Group 7.
Reference: http://www.cisco.com/en/US/products/sw/netmgtsw/ps2327/products_user_guide_chapter09186a00800876f5.html

QUESTION NO: 16
Exhibit:
Which ACL statement protects against address spoofing when applied inbound on the external interface of the perimeter router?
A. access-list 101 deny IP 182.16.1.0 255.255.255.0 0.0.0.0 255.255.255.255
B. access-list 101 permit IP 182.16.1.0 255.255.0.0 0.0.0.0 255.255.255.255
C. access-list 101 deny IP 182.16.1.0 0.0.0.255 0.0.0.0 255.255.255.255
D. access-list 101 deny UDP 182.16.1.0 255.255.0.0 0.0.0.0 255.255.255.255
Answer: C
Explanation: access-list 101 deny ip 182.16.1.0 0.0.0.255 0.0.0.0 255.255.255.255
In an extended ACL the source address and wildcard come first, then the destination. This entry denies any IP packet whose source falls in 182.16.1.0/24 (wildcard 0.0.0.255), whatever the destination (0.0.0.0 255.255.255.255 is the same as any). Applied inbound on the external interface, it drops packets arriving from the Internet that claim an internal source address, which is what an anti-spoofing filter has to do. Options A, B and D use subnet masks (255.255.255.0, 255.255.0.0) where IOS expects a wildcard mask; a wildcard of 255.255.255.0 treats the first three octets as don't-care and would match every address ending in .0, not the 182.16.1.0 network. A complete inbound filter also denies other sources that can never legitimately arrive from the Internet, such as RFC 1918 and loopback addresses.
Reference: Managing Cisco Network Security (Ciscopress) Appendix C

QUESTION NO: 17
Which two commands prevent a Chargen attack? (Choose two)
A. no ip redirects
B. no service tcp-small-servers
C. no ip source-route
D. no chargen enable
E. no service udp-small-servers
F. no service finger
Answer: B, E
Explanation: By default, Cisco routers running IOS releases before 12.0 have a series of diagnostic ports enabled for certain UDP and TCP services including echo, chargen, and discard. When a host attaches to those ports, a small amount of CPU capacity is consumed to service these requests, and with spoofed packets the echo and chargen services can be made to flood each other. Any network device that has UDP and TCP diagnostic services should be protected by a firewall or have the services disabled. For a Cisco router, this is accomplished with these global configuration commands:
no service udp-small-servers
no service tcp-small-servers
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a008017690e.shtml

QUESTION NO: 18
Which three tasks are needed to configure IPSec encryption? (Choose three)
A. Configure IPSec.
B. Configure transform sets.
C. Configure the encryption algorithm.
D. Test and verify IPSec.
E. Prepare for IKE and IPSec.
F. Create crypto ACLs.
Answer: A, D, E
Explanation: Four key tasks are involved in configuring IPSec encryption using preshared keys on the PIX Firewall:
Task 1: Prepare for IPSec
Task 2: Configure IKE for preshared keys
Task 3: Configure IPSec
Task 4: Test and verify the overall IPSec configuration
Reference: Managing Cisco Network Security (Ciscopress) page 612

QUESTION NO: 19
In preparing for IPSec, which command ensures that basic connectivity has been achieved between IPSec peers before configuring IPSec?
A. ping
B. write term
C. show crypto map
D. show access-list
Answer: A
Explanation: Task 1: Prepare for IPSec, step 4 of 4: ensure that the network works without encryption, to eliminate basic routing problems, using the ping command and by running test traffic before encryption.
Reference: Managing Cisco Network Security (Ciscopress) page 612

QUESTION NO: 20
You should pay particular attention to detail when entering peer RSA public keys. Why?
A. Public keys are used to create the private keys.
B. Mistakes made when entering the keys will cause them not to work.
C. Changes cannot be made after the keys are entered.
D. Changes are complex to make after the keys are entered.
Answer: B
Explanation: With RSA-encrypted nonces, each peer's public key is typed into the router by hand under crypto key pubkey-chain rsa. A single wrong character produces a different key, so IKE authentication with that peer fails; compare what you entered against the peer's own show crypto key mypubkey rsa output. The security reason is the one that underlies signatures: the fact that a message can be decrypted using the sender's public key indicates that the holder of the private key, the sender, must have created it. This relies on the receiver having a copy of the sender's public key and knowing with a high degree of certainty that it really belongs to the sender and not to someone pretending to be the sender.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080106f63.html
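The ACL entries from questions 14 and 16 above, evaluated by an added example written for this page (it is not code from the TestKing document or from Cisco IOS; the ACL text, the packets, the inside hosts 182.16.1.10 and 182.16.1.50 and the Internet host 203.0.113.5 are constructed). It models the three things the questions turn on: wildcard masks, first-match ordering with an implicit deny, and the difference between ICMP echo and echo-reply:

```python
"""Evaluating the inbound ACL entries from questions 14 and 16.

Added example (not from the TestKing document or from Cisco IOS): a small
interpreter for extended numbered access-list entries that models how IOS
applies wildcard masks, first-match ordering and the implicit deny, run against
constructed packets. The ACL text and the packets are constructed for the
example; 182.16.1.0/24 is the inside network of the questions, 203.0.113.5 a
made-up Internet host.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "ip", "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: str = ""   # "echo", "echo-reply", ... for ICMP packets


def _addr(a):
    return int(ipaddress.IPv4Address(a))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit means 'don't care'. The address
    matches when every bit that is 0 in the wildcard equals the base."""
    care = ~_addr(wildcard) & 0xFFFFFFFF
    return (_addr(addr) & care) == (_addr(base) & care)


_ENTRY = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>any|\S+\s+\S+)\s+(?P<dst>any|\S+\s+\S+)(?:\s+(?P<qual>\S+))?$",
    re.IGNORECASE,
)


def _parse_addr(field):
    if field.lower() == "any":
        return ("0.0.0.0", "255.255.255.255")   # `any` is shorthand for this
    base, wildcard = field.split()
    return (base, wildcard)


def parse_acl(text):
    """Parse `access-list N {permit|deny} proto src wc dst wc [icmp-type]`."""
    entries = []
    for line in text.strip().splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"cannot parse ACL line: {line!r}")
        entries.append({
            "action": m["action"].lower(),
            "proto": m["proto"].lower(),
            "src": _parse_addr(m["src"]),
            "dst": _parse_addr(m["dst"]),
            "qual": (m["qual"] or "").lower(),   # ICMP message type, if any
        })
    return entries


def evaluate(entries, pkt):
    """First matching entry wins; no match is the implicit deny."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *e["src"]) and wildcard_match(pkt.dst, *e["dst"])):
            continue
        if e["proto"] == "icmp" and e["qual"] and e["qual"] != pkt.icmp_type:
            continue
        return e["action"]
    return "deny"


def check_packets(acl_text, packets):
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, pkt) for name, pkt in packets.items()}


# Option C of question 16 followed by option B of question 14 (deny echo).
ACL_DENY_ECHO = """
access-list 101 deny ip 182.16.1.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 101 deny icmp any 182.16.1.1 0.0.0.0 echo
access-list 101 permit ip any any
"""

# The same list with option D of question 14 (deny echo-reply) instead.
ACL_DENY_ECHO_REPLY = ACL_DENY_ECHO.replace(" echo\n", " echo-reply\n")

# Constructed packets arriving inbound on the perimeter router's external interface.
PACKETS = {
    "spoofed inside source": Packet("tcp", "182.16.1.50", "182.16.1.10"),
    "external ping to PIX": Packet("icmp", "203.0.113.5", "182.16.1.1", "echo"),
    "reply to the PIX's own ping": Packet("icmp", "203.0.113.5", "182.16.1.1", "echo-reply"),
    "external web client": Packet("tcp", "203.0.113.5", "182.16.1.10"),
}

if __name__ == "__main__":
    for title, acl in (("deny echo", ACL_DENY_ECHO), ("deny echo-reply", ACL_DENY_ECHO_REPLY)):
        print(title)
        for name, verdict in check_packets(acl, PACKETS).items():
            print(f"  {name:30s} {verdict}")
    # Why a subnet mask in the wildcard field is wrong (option A of question 16):
    print(wildcard_match("182.16.1.50", "182.16.1.0", "0.0.0.255"))      # True
    print(wildcard_match("182.16.1.50", "182.16.1.0", "255.255.255.0"))  # False
    print(wildcard_match("10.9.8.0", "182.16.1.0", "255.255.255.0"))     # True
```

Running it shows the spoofed packet denied by the first entry under both lists, the external ping denied only under the deny-echo list, and the reply to the PIX's own outbound ping denied only under the deny-echo-reply list; the last three calls show that 255.255.255.0 as a wildcard matches 10.9.8.0 but not a host inside 182.16.1.0/24.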
QUESTION NO: 21
Which of the following statements best describes a digital certificate?
A. A digital certificate is issued by the trusted certificate authority to the requesting peer for authentication.
B. A digital certificate gives you the authority to telnet to a perimeter router running IPSec and change its configuration.
C. A digital certificate allows its holder to access the campus network.
D. A digital certificate is issued by a certificate authority to authorize an electronic transaction.
Answer: D
Explanation: Certification authorities (CAs) are responsible for managing certificate requests and issuing digital certificates. A digital certificate contains information that identifies a user or device, such as a name, serial number, company, department, or IP address. A digital certificate also contains a copy of the entity's public key. A CA can be a trusted third party, such as VeriSign, or a private (in-house) CA that you establish within your organization. Note that this explanation describes authentication (binding an identity to a public key), which is what option A says; a certificate by itself authorizes nothing, so treat D as the key this document gives rather than as the technically strongest statement.
Reference: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/ipsecint.htm

QUESTION NO: 22
What are the three ISAKMP authentication modes? (Choose three)
A. Main
B. Aggressive
C. Quick
D. Active
E. Passive
Answer: A, B, C
Explanation: An IKE peer is an IPsec-compliant node capable of establishing IKE channels and negotiating SAs. IKE provides three modes for the exchange of keying information and setting up IKE security associations: Main mode and Aggressive mode (the phase 1 exchanges that authenticate the peers and set up the ISAKMP SA) and Quick mode (the phase 2 exchange that negotiates the IPsec SAs). Aggressive mode uses fewer messages but sends the identities in the clear, and with pre-shared keys it exposes a hash that can be attacked offline, so Main mode is preferred where both peers support it.
Reference: http://www.cisco.com/en/US/products/sw/netmgtsw/ps2327/products_user_guide_chapter09186a0080087696.html#xtocid2073219

QUESTION NO: 23
IPSec is a set of security protocols and algorithms used to secure data at the network layer. IPSec consists of two protocols and two protection modes. Choose these two protocols: (Choose two)
A. ESP
B. SHA1
C. AH
D. DSA
E. MD5
Answer: A, C
Explanation: IPSec provides authentication and encryption services to protect against unauthorized viewing or modification of data within your network or as it is transferred over an unprotected network, such as the public Internet. Two different security protocols are included within the IPSec standard, each usable in transport or tunnel mode:
• Encapsulating Security Payload (ESP): provides authentication, encryption, and anti-replay services.
• Authentication Header (AH): provides authentication and anti-replay services.
SHA1, MD5 and DSA are algorithms used by these protocols and by IKE, not IPSec protocols themselves.
Reference: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/ipsecint.htm#1028818

QUESTION NO: 24
Given the following configuration statement:
NAS(config)# aaa accounting network wait-start radius
Which three statements are true? (Choose three)
A. Start accounting records for network service requests are sent to the local database server.
B. The requested service cannot start until the acknowledgement is received from the RADIUS server.
C. The accounting records are stored on a remote authentication dial-in user service (RADIUS) server.
D. The requested service must start immediately.
E. Stop accounting records for network service requests are sent to the RADIUS server.
Answer: B, C, E
Explanation: This is the same command as in question 9. Router(config)#aaa accounting network wait-start radius
aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} {tacacs+ | radius}
Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.
network: enables accounting for all network-related requests, including SLIP, PPP, PPP network control protocols, and ARAP.
wait-start: causes both a start and a stop accounting record to be sent to the accounting server, but the requested user service does not begin until the start accounting record is acknowledged.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_chapter09186a00800eb6e4.html

QUESTION NO: 25
What is a configuration weakness?
A. Outdated software
B. No written security policy
C. Unsecured user accounts
D. No monitoring or auditing of the security logs.
Answer: C
Explanation: Examples of configuration weaknesses:
• Insecure default settings within products
• Misconfigured network equipment
• Insecure user accounts
• System accounts with easily guessed passwords
• Misconfigured Internet services
A missing written policy and lax monitoring and auditing are policy weaknesses, not configuration weaknesses.
Reference: Managing Cisco Network Security (Ciscopress) pages 9, 10

QUESTION NO: 26
Identify two packet mode access methods. (Choose two)
A. BRI
B. Async
C. Sync
D. Group-sync
E. Telnet
F. Tty
Answer: A, B
Explanation: AAA technologies can also protect dialup access in packet (interface) mode via async, group-async, Basic Rate Interface (BRI) ISDN lines, or Primary Rate Interface (PRI) ISDN interfaces on Cisco routers. Character (line) mode access, by contrast, is via the tty, vty, aux and console lines.
Reference: Managing Cisco Network Security (Ciscopress) page 114
QUESTION NO: 27
Which configuration command causes a start-accounting record for a Point-to-Point session to be sent to a TACACS+ server?
A. aaa authentication ppp start tacacs+
B. aaa authorization exec default tacacs+
C. aaa authorization network default tacacs+
D. aaa accounting network default stop-only tacacs+
E. aaa accounting network default start-stop tacacs+
Answer: E
Explanation: aaa accounting {system | network | exec | command level} {start-stop | wait-start | stop-only} {tacacs+ | radius}
no aaa accounting {system | network | exec | command level}
network: runs accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.
start-stop: sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background; the requested user process begins regardless of whether or not the start accounting notice was received by the accounting server.
tacacs+: enables TACACS+ accounting.
Option D (stop-only) produces no start record, and the authentication and authorization commands in A, B and C produce no accounting records at all.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1826/products_command_summary_chapter09186a00800d9c0e.html

QUESTION NO: 28
What does a half-open TCP session on the Cisco IOS Firewall mean?
A. Session was denied.
B. Firewall detected return traffic.
C. Session has not reached the established state.
D. Three-way handshake has been completed.
Answer: C
Explanation: An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state, i.e. the three-way handshake has not completed. For UDP, "half-open" means that the firewall has detected traffic from one direction only. CBAC compares both measures against configurable thresholds (ip inspect max-incomplete high and low for the absolute count, ip inspect one-minute high and low for the rate, and ip inspect tcp max-incomplete host per destination host) and starts deleting half-open sessions once a high-water mark is exceeded.
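The half-open count and the per-minute rate from question 28, computed over packet records by an added example written for this page (it is not code from the TestKing document or from Cisco; the threshold values, the addresses, the TCP flag strings and the timestamps are constructed, and the thresholds are set far below anything a real router would use so that the small sample trips them):

```python
"""Counting half-open TCP sessions the way CBAC's thresholds do.

Added example (not from the TestKing document or from Cisco): a minimal
connection-state tracker run over constructed packet records. A TCP session is
half-open until the three-way handshake (SYN, SYN/ACK, ACK) completes. CBAC
compares the number of half-open sessions and the number of new ones per
minute against `ip inspect max-incomplete high|low` and `ip inspect one-minute
high|low`; the threshold values, addresses, flags and timestamps below are
constructed for the example and set far lower than any real deployment.
"""

MAX_INCOMPLETE_HIGH = 4   # constructed stand-in for `ip inspect max-incomplete high`
ONE_MINUTE_HIGH = 5       # constructed stand-in for `ip inspect one-minute high`


class SessionTracker:
    def __init__(self):
        self.state = {}              # (client, server) -> "half-open" | "established"
        self.half_open_started = []  # timestamps at which sessions became half-open

    def observe(self, ts, src, dst, flags):
        """Feed one packet (flags is a string such as "S", "SA" or "A").
        Returns the state of the session the packet belongs to."""
        if "S" in flags and "A" not in flags:
            key = (src, dst)                 # client SYN opens a half-open session
            if key not in self.state:
                self.state[key] = "half-open"
                self.half_open_started.append(ts)
        elif "S" in flags and "A" in flags:
            key = (dst, src)                 # SYN/ACK travels server -> client
        elif "A" in flags:
            key = (src, dst) if (src, dst) in self.state else (dst, src)
            if self.state.get(key) == "half-open":
                self.state[key] = "established"   # handshake complete
        else:
            key = (src, dst)
        return self.state.get(key, "unknown")

    def half_open_count(self):
        return sum(1 for s in self.state.values() if s == "half-open")

    def new_half_open_last_minute(self, now):
        return sum(1 for t in self.half_open_started if now - 60 < t <= now)

    def alarms(self, now):
        """Which CBAC-style high-water marks are exceeded at time `now`."""
        out = []
        if self.half_open_count() > MAX_INCOMPLETE_HIGH:
            out.append("max-incomplete high exceeded")
        if self.new_half_open_last_minute(now) > ONE_MINUTE_HIGH:
            out.append("one-minute high exceeded")
        return out


# Constructed packet records: (seconds, src, dst, TCP flags). One completed
# handshake from 203.0.113.5, then a burst of SYNs that are never completed.
PACKETS = [
    (0, "203.0.113.5", "182.16.1.10", "S"),
    (0, "182.16.1.10", "203.0.113.5", "SA"),
    (1, "203.0.113.5", "182.16.1.10", "A"),
    (10, "198.51.100.7", "182.16.1.10", "S"),
    (11, "198.51.100.8", "182.16.1.10", "S"),
    (12, "198.51.100.9", "182.16.1.10", "S"),
    (13, "198.51.100.10", "182.16.1.10", "S"),
    (14, "198.51.100.11", "182.16.1.10", "S"),
    (15, "198.51.100.12", "182.16.1.10", "S"),
]


def run(packets=PACKETS, now=20):
    """Replay the records and report the two measures CBAC thresholds use."""
    tracker = SessionTracker()
    for ts, src, dst, flags in packets:
        tracker.observe(ts, src, dst, flags)
    return {
        "established": sum(1 for s in tracker.state.values() if s == "established"),
        "half_open": tracker.half_open_count(),
        "new_half_open_last_minute": tracker.new_half_open_last_minute(now),
        "alarms": tracker.alarms(now),
    }


if __name__ == "__main__":
    print(run())
```

The rate counter includes the session that later completed, because the one-minute measure counts connection attempts, while the absolute counter only includes sessions still waiting for their handshake; on the sample this gives six half-open sessions and seven new attempts in the last minute, both above the constructed thresholds.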
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_command_reference_chapter09186a00800d9806.html

QUESTION NO: 29
What kind of signature triggers on a single packet?
A. Regenerative
B. Cyclic
C. Atomic
D. Dynamic
E. Compound
Answer: C
Explanation: Signature structure defines how many packets it takes for the sensor to positively identify an alarm condition on the network. There are two types:
• Atomic signature: requires only one packet to be inspected to identify an alarm condition.
• Composite (compound) signature: requires multiple packets to be inspected to identify an alarm condition.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_guide_chapter09186a008007eafe.html

QUESTION NO: 30
Select the three types of IPSec encryption algorithms supported by Cisco Easy VPN. (Choose three)
A. DES
B. ESP
C. IPCOMP-LZS
D. HMAC-MD5
E. 3DES
F. NULL
Answer: A, E, F
Explanation: Encryption algorithms (IPSec):
• DES
• 3DES
• NULL
ESP is a protocol, HMAC-MD5 an authentication algorithm and IPCOMP-LZS a compression transform, so none of them is an encryption algorithm. NULL encryption gives authentication without confidentiality, and single DES is no longer considered strong enough to protect data.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087d1e.html

QUESTION NO: 31
Select the three operating systems supported by the Cisco VPN Software Client 3.x. (Choose three)
A. HP-UX
B. IBM-AIX
C. Microsoft Windows
D. Linux (Intel)
E. Palm-OS
F. Apple MAC OS
Answer: C, D, F
Explanation: The client is available for Windows, Mac OS, Linux and Solaris.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps3872/products_data_sheet09186a00801089cf.html

QUESTION NO: 32
In a rerouting attack, which router table is modified or prevented from updating?
A. ARP
B. Address
C. Routing
D. Bridge
Answer: C
Explanation: Route filters can be set up on any interface to prevent learning or propagating routing information inappropriately. Some routing protocols (such as EIGRP) allow you to insert a filter on the routes being advertised so that certain routes are not advertised in some parts of the network. Routing-protocol neighbor authentication (keyed MD5) additionally stops the router from accepting updates from a peer that cannot prove it holds the shared key.
Reference: Managing Cisco Network Security (Ciscopress) page 233

QUESTION NO: 33
Which command prevents the perimeter router from divulging topology information by telling external hosts which subnets are not configured?
A. no source-route
B. no ip unreachables
C. no ip route-cache
D. no service udp-small-servers
Answer: B
Explanation: To enable the generation of Internet Control Message Protocol (ICMP) unreachable messages, use the ip unreachables command in interface configuration mode. To disable this function, use the no form of this command. ICMP unreachables tell the sender which destinations the router has no route to, which a scanner can use to map the address space; no ip unreachables on the external interface silences them. Be aware that it also suppresses the fragmentation-needed unreachable on which path MTU discovery depends.
Reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipras_r/ip1_i2g.htm#1082329

QUESTION NO: 34
Which error message indicates that ISAKMP peers failed protection suite negotiation for ISAKMP?
A. %CRYPTO-6-IKMP_SA_AUTH: Can accept Quick Mode exchange from %15i if SA is authenticated!
B. %CRYPTO-6-IKMP_SA_OFFERED: Remote peer %15i responded with attribute [chars] offered and changed.
C. %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed.
D. %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated.
Answer: C
Explanation: ISAKMP peers negotiate policy by the initiator offering a list of possible protection suites (its ISAKMP policies); the responder must select one of them unchanged. %CRYPTO-6-IKMP_SA_NOT_OFFERED means the responder replied with an attribute the initiator did not offer, so no protection suite was agreed and phase 1 fails. Option D, %CRYPTO-6-IKMP_SA_NOT_AUTH, is a different condition: the IKE security association with the remote peer was not yet authenticated when the peer attempted to begin a Quick Mode exchange, which must only be done over an authenticated security association.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1826/products_system_message_guide09186a0080087bdf.html

QUESTION NO: 35
Which two statements about the creation of a security policy are true? (Choose two)
A. It helps Chief Information Officers determine the return on investment of network security.
B. It provides a process to audit existing network security.
C. It defines how to track down and prosecute policy offenders.