Practice Exam 2

Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Practice Exam 2

Hints and Pointers

If you are preparing for the CCNA Security exam, you already have your CCNA certification, which means you are already an expert at Cisco exams, right? Possibly, but don’t be overconfident. The CCNA Security is most definitely a big step, and although it leverages your basic network knowledge of the CCNA certification, it also introduces new ways of looking at topics that just may force you to go back and re-study large sections of the prerequisite CCNA material. That is why I have included tips throughout the book of CCNA areas that are particularly important to brush up on.

These practice exam questions have been created by the author and reviewed by Cisco technical experts. They are representative of (and possibly a little bit harder than) the questions that you will see in the real exam.

The following are general tips for using the two practice exams in this book:

Time yourself: Each sample exam is 50 questions. Try to stay within a 60- minute time limit for each exam.
Find a quiet place: You need a place free of distractions to attempt the sample exams. I find a public library is often the best place. Equip yourself with only a notepad and pen, just like the real exam. Oh, and turn off your personal communication device when you’re taking the exam!
Practice data dumping: The Cram Sheet at the beginning of this Exam Cram is meant to represent the kind of arcane but important information that is hard to retain. Practice dumping this information from your brain onto the aforementioned notepad just before you sit down to attempt the practice exam.
Don’t get beached on a single question: If you don’t know the answer for a question, then choose an answer anyway, recognizing that you don’t get marked down for a wrong answer and that you get no points at all for one that you do not attempt. Take note of the question that stumped you and be prepared to drill down on that topic area later.
Don’t be overconfident: If you take the practice exam and ace it, you’re probably ready for the real thing. That said, although these practice exam questions are meant to represent the real exam to the best of this author’s knowledge, you owe it to yourself to at least read every chapter in its entirety to obtain the complete context for every topic area. Use the exams to identify topics you struggle with consistently and brush up on them.
Practice, practice, practice: Keep on taking the practice exams until you obtain a perfect score on both of them. Book your exam appointment. You’re ready!

So in the end, I have these pieces of advice: Study hard and practice, practice, practice!

I wish you good luck, too. But remember, sometimes you have to be good to be lucky.

—Eric Stewart

Practice Exam #2

Implementing network security is often described as a balancing act between three competing needs. Choose these needs from the following:

	A.	Evolving business requirements
	B.	Freedom of information initiatives
	C.	Personal safety
	D.	Physical plant security
	E.	Protection of data

Fill in the blank. A disturbing recent trend has been what Cisco calls ______ threats, which focus on the application layer of the OSI model.

	A.	External
	B.	Internal
	C.	Custom
	D.	Hacker
	E.	None of the above.

What are the three broad categories of security controls?

	A.	User education
	B.	Firewalls
	C.	Administrative
	D.	Physical
	E.	Technical

True or false. Hackers are known for thinking “inside the box” because their integral understanding of a system’s inner workings make them uniquely able to exploit weaknesses in design.

Which of the following are not considered attacks against availability? (Choose all that apply.)

	A.	SYN floods
	B.	MAC flooding
	C.	Social engineering
	D.	Dumpster diving
	E.	DoS

Fill in the blanks in the quantitative risk analysis formula with the missing variables. (Choose two; the order makes no difference.)

ALE = (AV * EF) * ARO

	A.	Asset Value (AV)
	B.	Exposure Factor (EF)
	C.	Single Loss Expectancy (SLE)
	D.	Rate of Functional Loss (ROFL)
	E.	Return on Investment (ROI)

Network security testing is considered an important part of assessing a network’s resilience against attacks and establishing the requirement for security controls (physical, administrative, and technical). Which of the following is not a goal of network security testing?

	A.	Create a baseline for corrective action.
	B.	Define ways to mitigate discovered vulnerabilities.
	C.	Create a baseline of an organization’s current security measures.
	D.	Measure an organization’s progress in fulfilling security policy.
	E.	Analyze the relative cost vs. benefit of security improvements.
	F.	None of the above.

Some of the items in the following list represent categories of disruption. Identify the three correct categories of disruption by putting them in order from least disruptive to most disruptive:

	A.	Catastrophe
	B.	Disaster
	C.	Nondisaster
	D.	Cataclysm
	E.	Armageddon

What are the three main groups of stakeholders in a security policy?

	A.	Senior management, security staff, end users
	B.	Senior management, law enforcement agencies, IT staff
	C.	Law enforcement agencies, customers, security staff
	D.	Senior management, security staff, the public
	E.	None of the above.

10.

Which of the following Cisco products cannot be managed by the Cisco Security Manager?

	A.	ASA 5500 Series Adaptive Security Appliances
	B.	Catalyst 6500 Series switches
	C.	PIX 500 series Security Appliances
	D.	Cisco 4200 Series Sensors
	E.	None of the above.

11.

In the following figure, what do scenarios 1, 2, and 3 represent, respectively?

	A.	Two perimeters, single perimeter, screened subnet
	B.	Screened subnet, single perimeter, two perimeters
	C.	Single perimeter, two perimeters, screened subnet
	D.	Single DMZ, double DMZ, triple DMZ
	E.	None of the above.

12.

True or false. The service password-encryption command encrypts all the passwords on the device with the exception of the enable secret, which uses a hash.

13.

Views are very useful in creating role-based rules as to which commands are authorized for execution. Examine the sequence of commands and choose all the correct statements from the list that follows them.

CiscoISR(config)#aaa new-model
CiscoISR#enable view
Password: enablesecretpassword
CiscoISR#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
CiscoISR(config)#parser view ISP
CiscoISR(config-view)#secret 0 hardtoguess
CiscoISR(config-view)#commands exec include ping
CiscoISR(config-view)#commands exec include all configure

	A.	The aaa new-model command is required before a view can be created.
	B.	The user who accesses the ISP view will require the password *hardtoguess*.
	C.	The user who accesses the ISP view will be authorized to use the ping command.
	D.	The user who accesses the ISP view will not be authorized to use the copy running-config startup-config command.
	E.	None of the above.

14.

With respect to AAA, access to the router is called remote ________ access and access through the router is called remote ________ access. (Pick the answer that fills in the blanks in the correct order.)

	A.	Network, administrative
	B.	Vty, packet
	C.	Administrative, network
	D.	Proxy, cut-through
	E.	None of the above.

15.

What are the three main task areas for setting up external AAA? Choose from the following list:

	A.	Set up users (server).
	B.	Configure the AAA network (client and server).
	C.	Install AAA 802.1X supplicant support in SDM (client).
	D.	Identify traffic to which AAA will be applied (client).
	E.	Choose digital certificates to authenticate the AAA server to the client (and vice versa).

16.

With respect to secure management and reporting, traffic can flow either ________, meaning that it is separate from the production network, or ________, meaning that the traffic flows across the production network. (Pick the answer that fills in the blanks in the correct order.)

	A.	Extranet, intranet
	B.	Intranet, extranet
	C.	Internet, intranet
	D.	Out-of-band, in-band
	E.	In-band, out-of-band

17.

For the following names of Cisco log severity levels, fill in their level:

Names:

Errors __

Informational __

Alerts __

Emergencies __

Debugging __

Warnings __

Notifications __

Critical __

18.

Choose the statement that best describes what is being represented in the following figure.

	A.	SSH is enabled system wide on the router, and a user should now be able to SSH to any interface.
	B.	SSH is enabled on the router, but has to be separately enabled on the vty lines.
	C.	SSH is not enabled on the router until the Save button is pressed.
	D.	SSH is not enabled on the router until the Refresh button is pressed.
	E.	SSH is enabled on the router, but has to be separately enabled on the physical interfaces (Ethernet, serial, and so on).
	F.	None of the above.

19.

What are the Cisco AutoSecure features that SDM Security Audit does not implement? (Choose all that apply.)

	A.	Disabling NTP
	B.	Configuring AAA
	C.	Setting Selective Packet Discard (SPD) values
	D.	Enabling TCP intercepts
	E.	Configuring anti-spoofing ACLs on outside-facing interfaces
	F.	All of the above.

20.

What are the two parameters that have to be configured before RSA keys can be generated to support SSH on the router?

	A.	Hostname, domain name
	B.	Enable secret, SSH transport on the vtys
	C.	Enable password, SSH transport on physical interfaces
	D.	Hostname, default gateway
	E.	Encryption key protocol, hashing method

21.

Which of the following is Cisco’s definition of a firewall?

	A.	A firewall is a system or a group of systems that enforce an access control policy between two networks.
	B.	A firewall is a stateful device that analyzes the state of a connection built across it and opens and closes ports in support of secure communication.
	C.	A firewall is a device that filters packets, both in the ingress and egress direction, based on static packet header content.
	D.	A firewall is software deployed on an end system to protect a specific application.
	E.	None of the above.

22.

Match the following firewall types with the letter corresponding to the layers of the TCP/IP protocol stack at which they operate:

Firewall Types

1. Static packet-filtering firewall	__
2. Application layer gateway	__
3. Dynamic (or stateful) packet-filtering firewall	__
4. Application inspection firewall	__
5. Transparent firewall	__

TCP/IP Layers

A. 1 to 4

B. 1 to 5

C. 1 to 2

23.

True or false. Assuming that the IOS router is also the VPN endpoint, encrypted packets are tested on an inbound ACL twice.

24.

Fill in the blanks. Interface ACLs are still relevant and can be used to complement Zone-Based Policy Firewall (ZPF) policies. Inbound ACLs are applied ________ ZPF policies and outbound ACLs are applied ________ ZPF policies.

25.

Examine the figure and answer the subsequent question.

True or false. The traffic from Vlan 2 to FastEthernet4 (Fa 4) will be forwarded.

26.

What is the area of the largest vulnerability in modern cryptosystems?

	A.	Ciphers
	B.	Hashes
	C.	VPN endpoints
	D.	Users
	E.	Encryption keys

27.

Fill in the blank. You are asked to implement a new cryptosystem that uses ciphers to provide for confidentiality of data transmitted. Researching industry data, you decide to use 3DES and not AES because 3DES ________.

	A.	Is cryptographically stronger.
	B.	Uses longer keys.
	C.	Is more trusted.
	D.	Is less computationally intensive.
	E.	None of the above.

28.

True or false. Modern SSL VPNs use Transmission Level Security (TLS) instead of Secure Sockets Layer (SSL) because it is a newer, standards-based replacement for SSL.

29.

In a typical asymmetric key cryptosystem, node A will encrypt messages with the node B’s ________ and will decrypt messages from node B using node A’s own ________. Safeguarding the ________ is essential. (Pick the answers that fill in the blanks in the correct order; choices can be reused.)

	A.	Private key
	B.	Public key

30.

Which of the following represent common Cisco applications of certificate-based authentication?

	A.	SSL VPN servers
	B.	TN3270 over SSL
	C.	802.1X using EAP-TLS
	D.	IPsec VPNs
	E.	None of the above.

31.

What are the two main categories of VPN?

	A.	Dynamic multipoint (DMVPN)
	B.	Client-Server
	C.	Site-to-site
	D.	Remote-access
	E.	Full mesh

32.

True or false. In IPsec VPNs, Internet Key Exchange (IKE) Phase I carries data, and IKE Phase II exists only to negotiate and authenticate, but does not carry data.

33.

Fill in the blanks in the following description of IKE Phase I negotiations.

The separate elements of IKE Phase I negotiation are grouped in a ________. During IKE Phase I, either main mode or ________ may be chosen to perform negotiations. When this negotiation is complete, some vendors use their own proprietary negotiation protocol to negotiate additional parameters. Cisco’s proprietary protocol for remote-access IPsec VPNs is called ________. After Phase I is complete, ________ negotiates the IKE Phase II parameters.

Choices:

	A.	Policy set
	B.	Transform set
	C.	Aggressive mode
	D.	Mode configuration
	E.	Quick mode
	F.	Active mode

34.

Examine the following commands:

CiscoISR-A(config)#crypto isakmp policy 99
CiscoISR-A(config-isakmp)#hash sha
CiscoISR-A(config-isakmp)#authentication pre-share
CiscoISR-A(config-isakmp)#group 5
CiscoISR-A(config-isakmp)#lifetime 86400
CiscoISR-A(config-isakmp)#encryption aes
CiscoISR-A(config-isakmp)#

Which statements are correct with respect to these commands? (Choose all that apply.)

	A.	A site-to-site tunnel group, number 5, is being created.
	B.	The VPN peers will authenticate using a pre-shared key (PSK).
	C.	The separate policy elements are being grouped as policy set 99.
	D.	The Advanced Enterprise Security (AES) encryption algorithm is specified.
	E.	128-bit Advanced Encryption Standard (AES) encryption algorithm is specified.

35.

Examine the figure. It is a screenshot showing the summary of a VPN created with the Cisco SDM Site-to-Site VPN Wizard.

Which statements are correct with respect to the figure? (Choose all that apply.)

	A.	PSKs are used for authentication.
	B.	One IKE Phase I policy indicates SHA-HMAC with DH group 2, and 3DES for the cipher.
	C.	One IKE Phase II policy indicates SHA-HMAC with DH group 2, and 3DES for the cipher.
	D.	One IKE Phase I transform set indicates that ESP will be used with an AES 128-bit cipher and integrity uses SHA-HMAC.
	E.	All the traffic between 192.168.0.0/24 to 10.0.20.0/24 will be protected by the IPsec tunnel.

36.

Which of the following are examples of Cisco IDS or IPS solutions? (Choose all that apply.)

	A.	AIP-SSM module for ASA 5500 Series security appliances
	B.	IOS IPS
	C.	HIPS
	D.	4200 Series sensors
	E.	IPS AIM

37.

Match the types of IPS alarms below with their descriptions:

IPS Alarms:

1.	False positive	__
2.	False negative	__
3.	True positive	__
4.	True negative	__

Descriptions:

	A.	Normal traffic or a non-malicious action causes the signature to fire.
	B.	An attack is properly detected by the IPS.
	C.	An attack is not detected by the IPS.
	D.	The signature doesn’t fire on traffic that it’s not supposed to.

38.

What are the three main detection technologies that the Cisco IOS IPS employs?

	A.	Protocol analysis-based
	B.	Signature-based
	C.	Predictive algorithm protocol (PAP)-based
	D.	Stochastic interpolation statistical anomaly
	E.	Profile-based

39.

True or false. Cisco recommends that the alert level of any signature should be set to the severity level of the signature, both for the included signature as well as for created signatures.

40.

Which CLI command verifies all Cisco IOS IPS settings?

	A.	show ip ips configuration all
	B.	show ip ips all
	C.	show ips all
	D.	show ips configuration all
	E.	None of the above.

41.

What are the three prongs of Cisco’s Host Security Strategy?

	A.	Perimeter security
	B.	End-user security
	C.	Endpoint protection
	D.	Cisco Network Admission Control (NAC)
	E.	Network infection containment

42.

What is Cisco’s solution for preventing a buffer overflow attack?

	A.	Storm control
	B.	IOS IPS
	C.	Network Admission Control (NAC)
	D.	Cisco Security Agent (CSA)
	E.	Trend Micro attack signatures

43.

Match the following interceptors that CSA employs with their definitions:

Terms:

1.	Network interceptor	__
2.	Execution space interceptor	__
3.	File system interceptor	__
4.	Configuration interceptor	__

Definitions:

A. All file read/write requests are intercepted and permitted or denied based on the security policy.

B. Stymies DoS attacks by limiting the number of connections that can be made in a specified period.

C. Examines read/write requests to system configuration files.

D. Ensures that each application is only allowed write access to memory that it owns.

44.

What is the main strategy for securing access to SANs?

	A.	VLANs
	B.	VSANs
	C.	Zoning
	D.	ZPF
	E.	Physical security

45.

Which of the following Cisco Unified Communications Manager (UCM) features can protect the VoIP network against fraud? (Choose all that apply.)

	A.	Partitioning
	B.	Dial Plans
	C.	Forced Authorization Codes (FACs)
	D.	VVLANs (Voice VLANs)
	E.	Anti-Vishing Agent (AVA)

46.

What statement best describes a VLAN hopping attack in general terms?

	A.	An attacker tricks a switch into routing traffic to a different IP subnet than the subnet to which the VLAN 1 interface is assigned in the management domain.
	B.	An attacker tricks a switch into allowing traffic to hop to a different VLAN than the VLAN that is assigned to the port to which they are connected.
	C.	An attacker tricks the switch into allowing an attack to propagate to the Internet VLAN.
	D.	An attacker tricks the switch into dynamically assigning the attacker a VLAN ID to which they are not entitled via VTP (VLAN Trunking Protocol) and turn off trunking between all switches.
	E.	An attacker tricks the switch into turning off traffic to the Internet VLAN, thus creating a DoS for all users whose traffic is destined to the Internet.

47.

True or false. The best way to prevent a double-tagging VLAN hopping attack is to make sure that the native VLAN of the trunked ports is different than any of the users’ ports.

48.

Examine the following commands and answer the subsequent question.

Catalyst1(config-if)#switchport mode access
Catalyst1(config-if)#switchport port-security
Catalyst1(config-if)#switchport port-security maximum 30
Catalyst1(config-if)#switchport port-security violation shutdown vlan 5

Which of the following statements about this series of commands is correct? (Choose all that apply.)

	A.	Port security will be performed for a maximum of 30 learned MAC addresses; thereafter, it will be disabled.
	B.	Port security will be enabled for a maximum of 30 seconds on any one MAC address.
	C.	Only the first 30 MAC addresses in VLAN 5 learned on this switch port will be able to use the port.
	D.	When the 31^st MAC address in VLAN 5 tries to use this port, the switch port will be administratively disabled.
	E.	None of the above.

49.

Which commands do you use to verify that port security is configured and operational on an interface? (Choose two.)

	A.	show interface port-security address
	B.	*show port-security interface interface-id* address**
	C.	show port-security address
	D.	show interface
	E.	show mac-address-table interface interface-id

50.

Which of the following interface configuration commands set the native VLAN of a trunk to 10?

	A.	switchport native vlan 10 trunkport
	B.	switchport trunk mode native vlan 10
	C.	switchport trunk native vlan 10
	D.	switchport-native trunk 10
	E.	switchport-trunk native 10

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Practice Exam 2

Create new playlist

Sign In

Sign Up

Practice Exam 2

Hints and Pointers

Practice Exam #2

Table of Contents for
Practice Exam 2