CCNA Security v2 Certification Practice Exam Answers
1. During the AAA process, when will authorization be implemented?
immediately after an AAA client sends authentication information to a centralized server
immediately after the determination of which resources a user can access
immediately after successful authentication against an AAA data source*
immediately after AAA accounting and auditing receives detailed reports
2. What is the primary function of the Diffie-Hellman algorithm?
to provide data integrity
to prevent man-in-the-middle attacks
to generate and share public keys
to exchange shared secret keys over untrusted networks*
3. When configuring SSH on a router to implement secure network management, a network engineer has issued the login local and transport input ssh line vty commands. What three additional configuration actions have to be performed to complete the SSH configuration? (Choose three.)
Configure role-based CLI access.
Create a valid local username and password database.*
Configure the correct IP domain name.*
Manually enable SSH after the RSA keys are generated.
Set the user privilege levels.
Generate the asymmetric RSA keys.*
4. Which functionality does the TACACS single-connection keyword provide to AAA services?
maintains a single UDP connection for the life of the session
enhances the performance of the TCP connection*
encrypts the data transfer between the TACACS+ server and the AAA client
allows the use of differing keys between the TACACS+ server and the AAA client
5. In what situation would a network administrator most likely implement root guard?
on all switch ports (used or unused)
on all switch ports that connect to a Layer 3 device
on all switch ports that connect to another switch that is not the root bridge*
on all switch ports that connect to another switch
on all switch ports that connect to host devices
6. What type of algorithms require sender and receiver to exchange a secret key that is used to ensure the confidentiality of messages?
public key algorithms
7. A network administrator is configuring an AAA server to manage TACACS+ authentication. What are two attributes of TACACS+ authentication? (Choose two.)
encryption for only the password of a user
encryption for all communication*
separate processes for authentication and authorization*
single process for authentication and authorization
UDP port 1645
TCP port 40
8. What is a characteristic of a role-based CLI view of router configuration?
A CLI view has a command hierarchy, with higher and lower views.
When a superview is deleted, the associated CLI views are deleted.
A single CLI view can be shared within multiple superviews.*
Only a superview user can configure a new view and add or remove commands from the existing views.
9. What service or protocol does the Secure Copy Protocol rely on to ensure that secure copy transfers are from authorized users?
10. Which three functions are provided under Cisco NAC framework solution? (Choose three.)
secure connection to servers
remediation for noncompliant devices*
scanning for policy compliance*
11. A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two.)
encryption for all communication
encryption for only the data
separate processes for authentication and authorization
hidden passwords during transmission*
single process for authentication and authorization*
12. What is the next step in the establishment of an IPsec VPN after IKE Phase 1 is complete?
negotiation of the ISAKMP policy
detection of interesting traffic
authentication of peers
negotiation of the IPsec SA policy*
13. A security technician uses an asymmetric algorithm to encrypt messages with a private key and then forwards that data to another technician. What key must be used to decrypt this data?
The public key of the receiver.
The private key of the sender.
The public key of the sender.*
The private key of the receiver.
14. Which IPS signature trigger type is based on a defined profile of normal network activity?
15. Which condition describes a true positive IPS signature alarm?
when an alarm is not generated in response to a known attack
when an alarm is not generated by normal traffic
when an alarm is generated in response to a known attack*
when an alarm is generated by normal traffic
16. In the implementation of secure network management, what are two services or functions of the management plane of a Cisco router that should be configured? (Choose two.)
secure logins and passwords*
secure SSH access*
Cisco Express Forwarding
traffic filtering with ACLs
Cisco IOS firewall inspection
17. Which two characteristics describe a virus? (Choose two.)
Malicious code that can remain dormant before executing an unwanted action.*
A self-replicating attack that is independently launched.
Malware that relies on the action of a user or a program to activate.*
Malware that executes arbitrary code and installs copies of itself in memory.
Program code specifically designed to corrupt memory in network devices.
18. Which network attack is mitigated by enabling BPDU guard?
MAC address spoofing
rogue switches on a network*
CAM table overflow attacks
rogue DHCP servers on a network
19. When is a security association (SA) created if an IPsec VPN tunnel is used to connect between two sites?
during both Phase 1 and 2*
after the tunnel is created, but before traffic is sent
only during Phase 2
only during Phase 1
20. How is asymmetric encryption used to provide confidentiality for VPN traffic?
A sender encrypts traffic with the public key of the receiver and the receiver decrypts the data using the private key of the receiver.*
A sender encrypts traffic with the private key of the receiver and the receiver decrypts the data using the private key of the sender.
A sender encrypts traffic with the private key of the receiver and the receiver decrypts the data using the public key of the sender.
A sender encrypts traffic with the public key of the receiver and the receiver decrypts the data using the public key of the sender.
21. Which AAA component can be established using token cards?
22. In the implementation of network security, how does the deployment of a Cisco ASA firewall differ from a Cisco IOS router?
ASA devices do not support an implicit deny within ACLs.
ASA devices use ACLs configured with a wildcard mask.
ASA devices support interface security levels.*
ASA devices use ACLs that are always numbered.
23. What function is performed by the class maps configuration object in the Cisco modular policy framework?
restricting traffic through an interface
identifying interesting traffic*
applying a policy to an interface
applying a policy to interesting traffic
24. In the implementation of security on multiple devices, how do ASA ACLs differ from Cisco IOS ACLs?
Cisco IOS routers utilize both named and numbered ACLs and Cisco ASA devices utilize only numbered ACLs.
Cisco IOS ACLs are configured with a wildcard mask and Cisco ASA ACLs are configured with a subnet mask.*
Cisco IOS ACLs are processed sequentially from the top down and Cisco ASA ACLs are not processed sequentially.
Cisco IOS ACLs utilize an implicit deny all and Cisco ASA ACLs end with an implicit permit all.
25. In configuring a Cisco router to prepare for IPS and VPN features, a network administrator opens the file realm-cisco.pub.key.txt, and copies and pastes the contents to the router at the global configuration prompt. What is the result after this configuration step?
The router is authenticated with the Cisco secure IPS resource web server.
A pair of public/secret keys is created for the router to serve as an SSH server.
A crypto key is created for IOS IPS to verify the master signature file.*
A pair of public/secret keys is created for IPsec VPN operation.
26. When dynamic NAT on an ASA is being configured, what two parameters must be specified by network objects? (Choose two.)
the outside NAT interface
the interface security level
a range of private addresses that will be translated*
the inside NAT interface
the pool of public global addresses*
27. A system analyst is configuring and tuning a recently deployed IPS appliance. By examining the IPS alarm log, the analyst notices that the IPS does not generate alarms for a few known attack packets. Which term describes the lack of alarms by the IPS?
28. An administrator is comparing multiple implementations of AAA. Which AAA method is server-based and considered the most secure?
29. What can be implemented to help mitigate the threat of a rogue switch becoming the root bridge in an STP domain?
30. Consider the following configuration on a Cisco ASA:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
What is the purpose of this command?
to define the ISAKMP parameters that are used to establish the tunnel
to define the encryption and integrity algorithms that are used to build the IPsec tunnel*
to define what traffic is allowed through and protected by the tunnel
to define only the allowed encryption algorithms
31. What is negotiated in the establishment of an IPsec tunnel between two IPsec hosts during IKE Phase 1?
ISAKMP SA policy*
32. Which type of IPS signature alarm occurs from normal traffic that should not have triggered an alarm?
33. Which two options provide secure remote access to a router? (Choose two.)
34. What action can a network administrator take to help mitigate the threat of VLAN hopping attacks?
Disable automatic trunking negotiation.*
Enable PortFast on all switch ports.
Configure all switch ports to be members of VLAN 1.
35. What type of data does the DLP feature of Cisco Email Security Appliance scan in order to prevent customer data from being leaked outside of the company?
messages stored on a client device
messages stored on the email server
36. A security specialist configures an IPS so that it will generate an alert when an attack is first detected. Alerts for the subsequent detection of the same attack are suppressed for a pre-defined period of time. Another alert will be generated at the end of the period indicating the number of times the attack was detected. Which IPS alert monitoring mechanism is configured?
37. Which transform set provides the best protection?
crypto ipsec transform-set ESP-DES-SHA esp-aes esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-aes-256 esp-sha-hmac*
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
38. A syslog server has received the message shown.
*Mar 1 00:07:18.783: %SYS-5-CONFIG_I: Configured from console by vty0 (172.16.45.1)
What can be determined from the syslog message?
The message is a normal notification and should not be reviewed.
The message is a Log_Alert notification message.
The message informs the administrator that a user with an IP address of 172.16.45.1 configured this device remotely.*
The message description displays that the console line was accessed locally.
39. What are three attributes of IPS signatures? (Choose three.)
40. What mitigation plan is best for thwarting a DoS attack that is creating a switch buffer overflow?
Enable port security.*
Place unused ports in an unused VLAN.
41. What mitigation method is effective against CAM table overflow attacks?
Dynamic ARP Inspection
42. An administrator assigned a level of router access to the user ADMIN using the commands below.
Router(config)# privilege exec level 14 show ip route
Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10
Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10
Which two actions are permitted to the user ADMIN? (Choose two.)
The user can issue all commands because this privilege level can execute all Cisco IOS commands.
The user can only execute the subcommands under the show ip route command.
The user can issue the show version command.*
The user can execute all subcommands under the show ip interfaces command.*
The user can issue the ip route command.
43. What is an effective deployment of IPS and IDS appliances in a corporate network?
Place an IPS between the border router and the internal network and an IDS in the same LAN.*
Place an IPS between the border router and the internal network and an IDS between the border router and the ISP.
Place both an IPS and an IDS inside the DMZ network.
Place an IDS between the border router and the internal network and an IPS inside the DMZ network.
44. Which antispoofing technology is used to mitigate DoS attacks?
45. A network administrator notices that unsuccessful login attempts have caused a router to enter quiet mode. How can the administrator maintain remote access to the networks even during quiet mode?
Quiet mode behavior will only prevent specific user accounts from attempting to authenticate.
Quiet mode behavior can be enabled via an ip access-group command on a physical interface.
Quiet mode behavior can be disabled by an administrator by using SSH to connect.
Quiet mode behavior can be overridden for specific networks by using an ACL.*
46. Which statement describes the function of the SPAN tool used in a Cisco switch?
It provides interconnection between VLANs over multiple switches.
It is a secure channel for a switch to send logging to a syslog server.
It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device.*
It supports the SNMP trap operation on a switch.
47. What function is provided by the Cisco IOS Resilient Configuration feature?
It locks down the management plane and the forwarding plane services and functions of a router.
It allows administrators to create different views of router configurations for different users.
It maintains a secure copy of the IOS image and running configuration that can be used for fast recovery if flash or NVRAM is erased.*
It identifies attacks and security policy violations that are occurring on the network.
48. What does the TACACS+ protocol provide in an AAA deployment?
compatibility with previous TACACS protocols
password encryption without encrypting the packet
AAA connectivity via UDP
authorization on a per-user or per-group basis*
49. Which two UDP port numbers may be used for server-based AAA RADIUS authentication? (Choose two.)
50. Which two options can limit the information discovered from port scanning? (Choose two.)
intrusion prevention system*
51. What function is provided by the RADIUS protocol?
RADIUS provides encryption of the complete packet during transfer.
RADIUS provides separate AAA services.
RADIUS provides separate ports for authorization and accounting.*
RADIUS provides secure communication using TCP port 49.
52. What is the role of the Cisco NAC Agent in implementing a secure networking infrastructure?
to provide the ability for company employees to create guest accounts
to perform deep inspection of device security profiles*
to provide post-connection monitoring of all endpoint devices
to assess and enforce security policy compliance in the NAC environment
to define role-based user access and endpoint security policies
53. What level of syslog is associated with Log_Alert?
54. Refer to the exhibit.
Based on the security levels of the interfaces on ASA1, what traffic will be allowed on the interfaces?
Traffic from the LAN and DMZ can access the Internet.*
Traffic from the Internet and LAN can access the DMZ.
Traffic from the Internet can access both the DMZ and the LAN.
Traffic from the Internet and DMZ can access the LAN.
55. Refer to the exhibit.
An administrator issues these IOS login enhancement commands to increase the security for login connections. What can be concluded about them?
These enhancements apply to all types of login connections.
The hosts that are identified in the ACL will have access to the device.*
The login block-for command permits the attacker to try 150 attempts before being stopped to try again.
Because the login delay command was not used, a one-minute delay between login attempts is assumed.