Network Security (Version 1.0) - Final Exam Answers Full 20/12/2023, 3:13 AM

Network Security (Version 1.0) – Final Exam Answers Full
May 20, 2021 | Last Updated: Oct 17, 2023 | Network Security 1.0 | 58 Comments

https://itexamanswers.net/network-security-version1-0-final-exam-answers-full.html Page 1 of 105



How to find: Press "Ctrl + F" in the browser and type any wording from the question to jump to that question and its answer. If the question is not here, look for it in the Questions Bank.

NOTE: If you meet a new question on this test, please post the question and its multiple-choice list in the comment form below this article. We will add the answer as quickly as we can. Thank you! We truly value your contribution to the website.
Network Security (Version 1) – Network Security 1.0 Final Exam Answers
1. Match the type of ASA ACLs to the description. (Not all options are used.)
2. Which statement describes a difference between the Cisco ASA IOS CLI feature and the router IOS CLI feature?

ASA uses the ? command whereas a router uses the help command to receive help on a brief description and the syntax of a command.
To use a show command in a general configuration mode, ASA can use the command directly whereas a router will need to enter the do command before issuing the show command.
To complete a partially typed command, ASA uses the Ctrl+Tab key combination whereas a router uses the Tab key.
To indicate the CLI EXEC mode, ASA uses the % symbol whereas a router uses the # symbol.

Explanation: The ASA CLI is a proprietary OS which has a similar look and feel to the Cisco router IOS. Although it shares some common features with the router IOS, it has its unique features. For example, an ASA CLI command can be executed regardless of the current configuration mode prompt. The IOS do command is not required or recognized. Both the ASA CLI and the router CLI use the # symbol to indicate the EXEC mode. Both CLIs use the Tab key to complete a partially typed command. Different from the router IOS, the ASA provides a help command that provides a brief command description and syntax for certain commands.

3. Refer to the exhibit. A network administrator is configuring AAA implementation on an ASA device. What does the option link3 indicate?

the network name where the AAA server resides
the specific AAA server name
the sequence of servers in the AAA server group
the interface name

4. What provides both secure segmentation and threat defense in a Secure Data Center solution?

Cisco Security Manager software
AAA server
Adaptive Security Appliance
intrusion prevention system

5. What are the three core components of the Cisco Secure Data Center solution? (Choose three.)

mesh network
secure segmentation
visibility
threat defense
servers
infrastructure

Explanation: Secure segmentation is used when managing and organizing data in a data center. Threat defense includes a firewall and intrusion prevention system (IPS). Data center visibility is designed to simplify operations and compliance reporting by providing consistent security policy enforcement.

6. What are three characteristics of ASA transparent mode? (Choose three.)

This mode does not support VPNs, QoS, or DHCP Relay.
It is the traditional firewall deployment mode.
This mode is referred to as a "bump in the wire."
NAT can be implemented between connected networks.
In this mode the ASA is invisible to an attacker.
The interfaces of the ASA separate Layer 3 networks and require IP addresses in different subnets.

7. What is needed to allow specific traffic that is sourced on the outside network of an ASA firewall to reach an internal network?

ACL
NAT
dynamic routing protocols
outside security zone level 0

Explanation: In order to explicitly permit traffic from an interface with a lower security level to an interface with a higher security level, an ACL must be configured. By default, traffic will only flow from a higher security level to a lower one.

8. What will be the result of failed login attempts if the following command is entered into a router?

login block-for 150 attempts 4 within 90

All login attempts will be blocked for 150 seconds if there are 4 failed attempts within 90 seconds.
All login attempts will be blocked for 90 seconds if there are 4 failed attempts within 150 seconds.
All login attempts will be blocked for 1.5 hours if there are 4 failed attempts within 150 seconds.
All login attempts will be blocked for 4 hours if there are 90 failed attempts within 150 seconds.

Explanation: The components of the login block-for 150 attempts 4 within 90 command are as follows:
The expression block-for 150 is the time in seconds that logins will be blocked.
The expression attempts 4 is the number of failed attempts that will trigger the blocking of login requests.
The expression within 90 is the time in seconds in which the 4 failed attempts must occur.
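As an added example (written for this page, not Cisco code), the following Python simulation models the quiet-mode logic that the command above enables: a sliding window of failed attempts, a quiet period during which every login, correct password or not, is refused, and the difference between a burst of failures and failures spread out in time. The timings and both scenarios are constructed.

```python
from collections import deque


class LoginBlocker:
    """Model of the IOS 'login block-for <secs> attempts <n> within <window>' logic.

    Added example written for this page; it is a simulation, not Cisco code.
    Time is passed in as seconds by the caller so the behaviour is deterministic.
    """

    def __init__(self, block_for, attempts, within):
        self.block_for = block_for    # seconds that all logins are refused (quiet mode)
        self.attempts = attempts      # failed attempts that trigger quiet mode
        self.within = within          # sliding window, in seconds, for counting failures
        self.failures = deque()       # timestamps of recent failed attempts
        self.quiet_until = None       # end of the current quiet period, or None

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now, success):
        """Process one login attempt at time `now`; return 'blocked', 'ok' or 'failed'."""
        if self.in_quiet_mode(now):
            return "blocked"          # even a correct password is refused in quiet mode
        if success:
            self.failures.clear()
            return "ok"
        self.failures.append(now)
        # forget failures that fell outside the 'within' window
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
        return "failed"


def simulate(events, block_for=150, attempts=4, within=90):
    """Run (time_in_seconds, success) events through the command from the question."""
    blocker = LoginBlocker(block_for, attempts, within)
    return [blocker.attempt(t, ok) for t, ok in events]


# Constructed scenarios (not from the page).
BURST = [
    (0, False), (20, False), (40, False), (60, False),  # 4 failures inside 90 s -> quiet mode
    (100, True),    # correct password, but quiet mode lasts until 60 + 150 = 210
    (209, True),    # still blocked one second before quiet mode ends
    (210, True),    # quiet mode over, login succeeds
]
SLOW = [
    (0, False), (50, False), (100, False), (150, False),  # never 4 failures inside one 90 s window
    (160, True),
]

if __name__ == "__main__":
    print(simulate(BURST))   # ['failed', 'failed', 'failed', 'failed', 'blocked', 'blocked', 'ok']
    print(simulate(SLOW))    # ['failed', 'failed', 'failed', 'failed', 'ok']
```

Two practical points follow from the simulation. First, quiet mode refuses everyone, so an attacker who can keep triggering four bad logins every 90 seconds locks administrators out as well; IOS mitigates this with login quiet-mode access-class, which names an ACL of hosts that are still allowed in during quiet mode. Second, pair the command with login on-failure log so that the failures that triggered quiet mode are visible in syslog.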

9. Which two tasks are associated with router hardening? (Choose two.)

placing the router in a secure room
disabling unused ports and interfaces
installing the maximum amount of memory possible
securing administrative access
using uninterruptible power supplies

10. Which threat protection capability is provided by Cisco ESA?

web filtering
cloud access security
spam protection
Layer 4 traffic monitoring

Explanation: Email is a top attack vector for security breaches. Cisco ESA includes many threat protection capabilities for email such as spam protection, forged email detection, and Cisco advanced phishing protection.

11. What are two security measures used to protect endpoints in the borderless network? (Choose two.)

denylisting
Snort IPS
DLP
DMZ
rootkit

Explanation:

Measure                      Purpose
antimalware software         Protect endpoints from malware.
spam filtering               Prevent spam emails from reaching endpoints.
blocklisting                 Prevent endpoints from connecting to websites with bad reputations by immediately blocking connections based on the latest reputation intelligence.
data loss prevention (DLP)   Prevent sensitive information from being lost or stolen.

12. Which three types of traffic are allowed when the authentication port-control auto command has been issued and the client has not yet been authenticated? (Choose three.)

CDP
802.1Q
IPsec
TACACS+
STP
EAPOL

Explanation: Until the workstation is authenticated, 802.1X access control enables only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.

13. Which statement describes a characteristic of the IKE protocol?

It uses UDP port 500 to exchange IKE information between the security gateways.
IKE Phase 1 can be implemented in three different modes: main, aggressive, or quick.
It allows for the transmission of keys directly across a network.
The purpose of IKE Phase 2 is to negotiate a security association between two IKE peers.

14. Which action do IPsec peers take during the IKE Phase 2 exchange?

exchange of DH keys
negotiation of IPsec policy
negotiation of IKE policy sets
verification of peer identity

Explanation: The IKE protocol executes in two phases. During Phase 1 the two sides negotiate IKE policy sets, authenticate each other, and set up a secure channel. During the second phase IKE negotiates security associations between the peers.

15. What are two hashing algorithms used with IPsec AH to guarantee authenticity? (Choose two.)

SHA
RSA
DH
MD5
AES

Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two popular algorithms used to ensure that data is not intercepted and modified (data integrity and authenticity) are MD5 and SHA. AH applies them as keyed HMACs (HMAC-MD5, HMAC-SHA) rather than as bare hashes, because a bare hash could simply be recomputed by whoever altered the packet. MD5 is deprecated; where both peers support it, prefer a SHA-2 based HMAC.
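The following Python block is an added example (not from the page or from any IPsec implementation) showing what the AH integrity check value actually is: a keyed HMAC over the authenticated bytes, truncated to 96 bits as RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96) specify, and verified in constant time. The key and the sample packet bytes are constructed; a real AH implementation also zeroes the mutable IP header fields (TTL, checksum) before hashing, which is omitted here.

```python
import hashlib
import hmac

ICV_BYTES = 12   # AH carries a 96-bit truncated HMAC (RFC 2403 HMAC-MD5-96, RFC 2404 HMAC-SHA-1-96)


def ah_icv(key: bytes, authenticated_data: bytes, algorithm: str = "sha1") -> bytes:
    """Compute the Integrity Check Value the way AH does: keyed HMAC, truncated to 96 bits."""
    digest = hmac.new(key, authenticated_data, getattr(hashlib, algorithm)).digest()
    return digest[:ICV_BYTES]


def ah_verify(key: bytes, authenticated_data: bytes, icv: bytes, algorithm: str = "sha1") -> bool:
    """Constant-time comparison of a received ICV against a freshly computed one."""
    return hmac.compare_digest(ah_icv(key, authenticated_data, algorithm), icv)


def unkeyed_digest(authenticated_data: bytes) -> bytes:
    """A plain hash with no key: anyone who modifies the data can recompute this themselves."""
    return hashlib.sha1(authenticated_data).digest()[:ICV_BYTES]


# Constructed sample values (hypothetical SA key and packet, not from the page).
SA_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")   # 160-bit HMAC-SHA1 key
PACKET = (b"\x45\x00\x00\x3c" + b"\x00" * 8          # minimal IPv4 header, mutable fields zeroed
          + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2])   # src 10.0.0.1, dst 10.0.0.2
          + b"payload")


def demo():
    icv = ah_icv(SA_KEY, PACKET)
    # an on-path attacker rewrites the destination address and keeps the old ICV
    tampered = PACKET.replace(bytes([10, 0, 0, 2]), bytes([10, 0, 0, 99]))
    return {
        "genuine_verifies": ah_verify(SA_KEY, PACKET, icv),
        "tampered_verifies": ah_verify(SA_KEY, tampered, icv),
        "wrong_key_verifies": ah_verify(b"x" * 20, PACKET, icv),
        # with an unkeyed hash the attacker just recomputes it, and the receiver cannot tell
        "plain_hash_accepts_forgery": unkeyed_digest(tampered) == unkeyed_digest(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The comparison to make in your own code is the last two dictionary entries: integrity without a shared key is not authenticity, and the ICV must be checked with hmac.compare_digest rather than == so that the comparison time does not leak how many leading bytes matched.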

16. Which command raises the privilege level of the ping command to 7?

user exec ping level 7
authorization exec ping level 7
accounting exec level 7 ping
privilege exec level 7 ping

17. What is a characteristic of a role-based CLI view of router configuration?

A CLI view has a command hierarchy, with higher and lower views.
When a superview is deleted, the associated CLI views are deleted.
A single CLI view can be shared within multiple superviews.
Only a superview user can configure a new view and add or remove commands from the existing views.

Explanation: A CLI view has no command hierarchy, and therefore, no higher or lower views. Deleting a superview does not delete the associated CLI views. Only a root view user can configure a new view and add or remove commands from the existing views.

18. What is a limitation to using OOB management on a large enterprise network?

Production traffic shares the network with management traffic.
Terminal servers can have direct console connections to user devices needing management.
OOB management requires the creation of VPNs.
All devices appear to be attached to a single management network.

Explanation: OOB management provides a dedicated management network without production traffic. Devices within that network, such as terminal servers, have direct console access for management purposes. Because in-band management runs over the production network, secure tunnels or VPNs may be needed. Failures on the production network may not be communicated to the OOB network administrator because the OOB management network may not be affected.

19. Refer to the exhibit. A corporate network is using NTP to synchronize the time across devices. What can be determined from the displayed output?

Router03 is a stratum 2 device that can provide NTP service to other devices in the network.
The time on Router03 may not be reliable because it is offset by more than 7 seconds to the time server.
The interface on Router03 that connects to the time server has the IPv4 address 209.165.200.225.
Router03 time is synchronized to a stratum 2 time server.

20. Refer to the exhibit. Which two conclusions can be drawn from the syslog message that was generated by the router? (Choose two.)

This message resulted from an unusual error requiring reconfiguration of the interface.
This message indicates that service timestamps have been configured.
This message indicates that the interface changed state five times.
This message is a level 5 notification message.
This message indicates that the interface should be replaced.

Explanation: The message is a level 5 notification message as shown in the %LINEPROTO-5 section of the output. Messages reporting the link status are common and do not require replacing the interface or reconfiguring the interface. The date and time displayed at the beginning of the message indicates that service timestamps have been configured on the router.
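As an added example (not part of the page, whose exhibit is not reproduced here), this Python parser pulls the fields the explanation relies on out of Cisco IOS system messages: the optional sequence number and timestamp, the facility, the severity digit between the hyphens, and the mnemonic. The sample log lines are constructed for the example.

```python
import re

# Cisco IOS system message layout: [seq:] [timestamp:] %FACILITY-SEVERITY-MNEMONIC: text
# The timestamp is only present when 'service timestamps log datetime' is configured.
IOS_MSG = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<stamp>\*?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:\s+[A-Z]{3,4})?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}


def parse_ios_syslog(line):
    """Return a dict of message fields, or None if the line is not an IOS system message."""
    m = IOS_MSG.match(line.strip())
    if not m:
        return None
    severity = int(m.group("severity"))
    return {
        "sequence": int(m.group("seq")) if m.group("seq") else None,
        "timestamp": m.group("stamp"),
        "timestamps_configured": m.group("stamp") is not None,
        "facility": m.group("facility"),
        "severity": severity,                 # the digit is a severity, never an event count
        "severity_name": SEVERITY_NAMES[severity],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def triage(lines, worst_acceptable=5):
    """Keep messages more severe than `worst_acceptable` (lower number = more severe)."""
    hits = []
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg and msg["severity"] < worst_acceptable:
            hits.append((msg["severity"], msg["facility"], msg["mnemonic"]))
    return hits


# Constructed sample log lines (not from the page's exhibit).
SAMPLE_LOG = [
    "*Mar  1 00:03:27.419: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.10)",
    "000123: Oct 17 14:22:01.511 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]",
    "Router#show clock",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_ios_syslog(line))
    print(triage(SAMPLE_LOG))   # [(4, 'SEC_LOGIN', 'LOGIN_FAILED')]
```

Two things the parser makes explicit: the "5" in %LINEPROTO-5-UPDOWN is the severity level, so counting interface flaps means counting UPDOWN messages per interface, not reading the digit; and a message with no leading timestamp (the second sample) is exactly what a router produces before service timestamps is configured, which is why that option in the question can be decided from the exhibit alone.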

21. Which two types of hackers are typically classified as grey hat hackers? (Choose two.)

hacktivists
cyber criminals
vulnerability brokers
script kiddies
state-sponsored hackers

Explanation: Grey hat hackers may do unethical or illegal things, but not for personal gain or to cause damage. Hacktivists use their hacking as a form of political or social protest, and vulnerability brokers hack to uncover weaknesses and report them to vendors. Depending on the perspective one possesses, state-sponsored hackers are either white hat or black hat operators. Script kiddies run existing scripts, tools, and exploits written by others to cause damage or disruption. Cyber criminals use hacking to obtain financial gain by illegal means.

22. When describing malware, what is a difference between a virus and a worm?

A virus focuses on gaining privileged access to a device, whereas a worm does not.
A virus replicates itself by attaching to another file, whereas a worm can replicate itself independently.
A virus can be used to launch a DoS attack (but not a DDoS), but a worm can be used to launch both DoS and DDoS attacks.
A virus can be used to deliver advertisements without user consent, whereas a worm cannot.

Explanation: Malware can be classified as follows:
Virus (self-replicates by attaching to another program or file)
Worm (replicates independently of another program)
Trojan horse (masquerades as a legitimate file or program)
Rootkit (gains privileged access to a machine while concealing itself)
Spyware (collects information from a target system)
Adware (delivers advertisements with or without consent)
Bot (waits for commands from the hacker)
Ransomware (holds a computer system or data captive until payment is received)

23. Which type of packet is unable to be filtered by an outbound ACL?

multicast packet
ICMP packet
broadcast packet
router-generated packet

Explanation: Traffic that originates within a router such as pings from a command prompt, remote access from a router to another device, or routing updates are not affected by outbound access lists. The traffic must flow through the router in order for the router to apply the ACEs.

24. Consider the access list command applied outbound on a router serial interface.

access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo-reply

What is the effect of applying this access list command?

The only traffic denied is echo-replies sourced from the 192.168.10.0/24 network. All other traffic is allowed.
The only traffic denied is ICMP-based traffic. All other traffic is allowed.
No traffic will be allowed outbound on the serial interface.
Users on the 192.168.10.0/24 network are not allowed to transmit traffic to any other destination.
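The point of the question is the implicit deny any at the end of every IOS ACL. As an added example (not Cisco code and not from the page), the Python evaluator below parses the subset of numbered extended ACL syntax used above, matches packets with Cisco wildcard-mask semantics, and falls through to the implicit deny; it then shows the same ACL with the permit ip any any that the first option assumes. The sample packets are constructed.

```python
def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(address, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(address) & care) == (ip_to_int(base) & care)


def _parse_address(tokens, i):
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line):
    """Parse the subset 'access-list N {permit|deny} PROTO SRC [WC] DST [WC] [icmp-type]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("unsupported ACE: " + line)
    src, src_wc, i = _parse_address(t, 4)
    dst, dst_wc, i = _parse_address(t, i)
    return {
        "number": int(t[1]), "action": t[2], "proto": t[3],
        "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc,
        "icmp_type": t[i] if i < len(t) else None,
    }


def evaluate(acl, packet):
    """Top-down first match; returns (action, index).  No match -> implicit ('deny', None)."""
    for idx, ace in enumerate(acl):
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], ace["src"], ace["src_wc"]):
            continue
        if not wildcard_match(packet["dst"], ace["dst"], ace["dst_wc"]):
            continue
        if ace["icmp_type"] and ace["icmp_type"] != packet.get("icmp_type"):
            continue
        return ace["action"], idx
    return "deny", None        # the implicit 'deny any any' at the end of every IOS ACL


ACL_FROM_QUESTION = [parse_ace("access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo-reply")]
ACL_INTENDED = ACL_FROM_QUESTION + [parse_ace("access-list 100 permit ip any any")]

# Constructed transit packets (not from the page).
ECHO_REPLY = {"proto": "icmp", "src": "192.168.10.5", "dst": "10.0.0.1", "icmp_type": "echo-reply"}
ECHO_REQUEST = {"proto": "icmp", "src": "192.168.10.5", "dst": "10.0.0.1", "icmp_type": "echo"}
WEB = {"proto": "tcp", "src": "192.168.10.5", "dst": "10.0.0.1"}
OTHER_NET_REPLY = {"proto": "icmp", "src": "172.16.0.9", "dst": "10.0.0.1", "icmp_type": "echo-reply"}

if __name__ == "__main__":
    for name, pkt in [("echo-reply", ECHO_REPLY), ("echo", ECHO_REQUEST), ("web", WEB)]:
        print(name, evaluate(ACL_FROM_QUESTION, pkt), evaluate(ACL_INTENDED, pkt))
```

With the single deny line every packet falls through to the implicit deny, so nothing leaves the serial interface; with permit ip any any appended only the echo replies from 192.168.10.0/24 are dropped. The evaluator only models transit traffic, which matches the previous question: packets the router itself generates never pass through an outbound ACL.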

25. Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?

ipv6 access-class ENG_ACL in
ipv6 traffic-filter ENG_ACL out
ipv6 traffic-filter ENG_ACL in
ipv6 access-class ENG_ACL out

Explanation: For the purpose of applying an access list to a particular interface, the ipv6 traffic-filter IPv6 command is equivalent to the access-group IPv4 command. The direction in which the traffic is examined (in or out) is also required.

26. What technology has a function of using trusted third-party protocols to issue credentials that are accepted as an authoritative identity?

digital signatures
hashing algorithms
PKI certificates
symmetric keys

Explanation: Digital signatures are used to prove the authenticity and integrity of PKI certificates, but a PKI Certificate Authority is the trusted third-party entity that issues PKI certificates. PKI certificates are public information and are used to provide authenticity, confidentiality, integrity, and nonrepudiation services that can scale to large requirements.

27. What are two methods to maintain certificate revocation status? (Choose two.)

subordinate CA
OCSP
DNS
LDAP
CRL

Explanation: A digital certificate might need to be revoked if its key is compromised or it is no longer needed. The certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP) are two common methods to check a certificate revocation status.

28. Which protocol is an IETF standard that defines the PKI digital certificate format?

SSL/TLS
X.500
LDAP
X.509

Explanation: To address the interoperability of different PKI vendors, IETF published the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527). The format of the X.509 certificate itself, and of the CRL, is profiled for Internet use in RFC 5280.

29. A network administrator is configuring DAI on a switch. Which command should be used on the uplink interface that connects to a router?

ip arp inspection trust
ip dhcp snooping
ip arp inspection vlan
spanning-tree portfast

Explanation: In general, a router serves as the default gateway for the LAN or VLAN on the switch. Therefore, the uplink interface that connects to a router should be a trusted port for forwarding ARP requests.

30. What is the best way to prevent a VLAN hopping attack?

Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.
Disable STP on all nontrunk ports.
Use VLAN 1 as the native VLAN on trunk ports.
Use ISL encapsulation on all trunk links.

Explanation: VLAN hopping attacks rely on the attacker being able to create a trunk link with a switch. Disabling DTP and configuring user-facing ports as static access ports can help prevent these types of attacks. Disabling the Spanning Tree Protocol (STP) will not eliminate VLAN hopping attacks.

31. What would be the primary reason an attacker would launch a MAC address overflow attack?

so that the switch stops forwarding traffic
so that legitimate hosts cannot obtain a MAC address
so that the attacker can see frames that are destined for other hosts
so that the attacker can execute arbitrary code on the switch

32. What is the main difference between the implementation of IDS and IPS devices?

An IDS can negatively impact the packet flow, whereas an IPS can not.
An IDS needs to be deployed together with a firewall device, whereas an IPS can replace a firewall.
An IDS would allow malicious traffic to pass before it is addressed, whereas an IPS stops it immediately.
An IDS uses signature-based technology to detect malicious packets, whereas an IPS uses profile-based technology.

Explanation: An IPS is deployed in inline mode and will not allow malicious traffic to enter the internal network without first analyzing it. An advantage of this is that it can stop an attack immediately. An IDS is deployed in promiscuous mode. It copies the traffic patterns and analyzes them offline, thus it cannot stop the attack immediately and it relies on another device to take further actions once it detects an attack. Being deployed in inline mode, an IPS can negatively impact the traffic flow. Both IDS and IPS can use signature-based technology to detect malicious packets. An IPS cannot replace other security devices, such as firewalls, because they perform different tasks.

33. Which attack is defined as an attempt to exploit software vulnerabilities that are unknown or undisclosed by the vendor?

zero-day
Trojan horse
brute-force
man-in-the-middle

34. Match the network monitoring technology with the description.

35. What are the three signature levels provided by Snort IPS on the 4000 Series ISR? (Choose three.)

security
drop
reject
connectivity
inspect
balanced

36. What are three attributes of IPS signatures? (Choose three.)

action
length
trigger
type
depth
function

Explanation: IPS signatures have three distinctive attributes:
type
trigger (alarm)
action

37. Match each IPS signature trigger category with the description.

Other case:

pattern-based detection: simplest triggering mechanism which searches for a specific and pre-defined atomic or composite pattern
anomaly-based detection: involves first defining a profile of what is considered normal network or host activity
honey pot-based detection: uses a decoy server to divert attacks away from production devices

38. Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)

SIP support
password encryption
802.1X support
separate authentication and authorization processes
utilization of transport layer protocols

Explanation: Both TACACS+ and RADIUS support password encryption (TACACS+ encrypts all communication) and use Layer 4 protocols (TACACS+ uses TCP and RADIUS uses UDP). TACACS+ supports separation of authentication and authorization processes, while RADIUS combines authentication and authorization as one process. RADIUS supports remote access technology, such as 802.1X and SIP; TACACS+ does not.

39. What function is provided by the RADIUS protocol?

RADIUS provides encryption of the complete packet during transfer.
RADIUS provides separate AAA services.
RADIUS provides separate ports for authorization and accounting.
RADIUS provides secure communication using TCP port 49.

Explanation: When an AAA user is authenticated, RADIUS uses UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting. TACACS+ provides separate authorization and accounting services. When a RADIUS client is authenticated, it is also authorized. TACACS+ provides secure connectivity using TCP port 49. RADIUS hides passwords during transmission and does not encrypt the complete packet.

40. What are three characteristics of the RADIUS protocol? (Choose three.)

utilizes TCP port 49
uses UDP ports for authentication and accounting
supports 802.1X and SIP
separates the authentication and authorization processes
encrypts the entire body of the packet
is an open RFC standard AAA protocol

Explanation: RADIUS is an open-standard AAA protocol using UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting. It combines authentication and authorization into one process. Only the user password is hidden for transmission (obfuscated with MD5 and the shared secret); the rest of the packet is sent in plain text. RADIUS offers the expedited service and more comprehensive accounting desired by remote-access providers but provides lower security and less potential for customization than TACACS+.
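To make "hides the password but not the packet" concrete for the two questions above, here is an added Python example (not from the page and not any vendor's RADIUS code) of the User-Password hiding from RFC 2865 section 5.2: the password is padded to 16-byte blocks and each block is XORed with MD5(shared secret + previous block), the first block using the Request Authenticator. A minimal Access-Request is then built so that the User-Name can be seen in clear in the same datagram. The secret, authenticator, user name and password are constructed values.

```python
import hashlib
import struct


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, then chain MD5(secret + previous) XOR block."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password is 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += c
        prev = c                      # the next block is keyed with this ciphertext block
    return bytes(out)


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        b = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, b))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, request_authenticator: bytes,
                         username: bytes, password: bytes, shared_secret: bytes) -> bytes:
    """Minimal Access-Request: 20-byte header + User-Name(1) + User-Password(2) attributes."""
    hidden = hide_user_password(password, shared_secret, request_authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_authenticator + attrs


def parse_attributes(pkt: bytes) -> dict:
    """Walk the type/length/value attributes that follow the header."""
    attrs, i = {}, 20
    while i < len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        attrs[atype] = pkt[i + 2:i + alen]
        i += alen
    return attrs


# Constructed demo values; a real client draws the authenticator from os.urandom(16).
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))
USERNAME = b"alice"
PASSWORD = b"correct horse battery"


def demo():
    pkt = build_access_request(7, AUTHENTICATOR, USERNAME, PASSWORD, SECRET)
    attrs = parse_attributes(pkt)
    return {
        "username_in_clear": USERNAME in pkt,        # True: everything but the password is plaintext
        "password_in_clear": PASSWORD in pkt,        # False: only this attribute is hidden
        "server_recovers": reveal_user_password(attrs[2], SECRET, AUTHENTICATOR),
    }


if __name__ == "__main__":
    print(demo())
```

Because the hiding depends only on MD5, the shared secret and a 16-byte authenticator that travels in the same datagram, a passive observer who can guess the shared secret recovers every password, and nothing in the packet is integrity-protected. That is the practical reason to carry RADIUS inside TLS (RadSec, RFC 6614) or an IPsec tunnel rather than on the bare network, and to use long random shared secrets.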

41. Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router?

local zone
inside zone
self zone
system zone
outside zone

Explanation: Zone-based policy firewalls typically have the private (internal or trusted) zone, the public (external or untrusted) zone, and the default self zone, which does not require any interfaces. The private or internal zone is commonly used for internal LANs. The public zone would include the interfaces that connect to an external (outside the business) interface.

42. What are two benefits of using a ZPF rather than a Classic Firewall? (Choose two.)

ZPF allows interfaces to be placed into zones for IP inspection.
The ZPF is not dependent on ACLs.
Multiple inspection actions are used with ZPF.
ZPF policies are easy to read and troubleshoot.
With ZPF, the router will allow packets unless they are explicitly blocked.

Explanation: There are several benefits of a ZPF:
– It is not dependent on ACLs.
– The router security posture is to block unless explicitly allowed.
– Policies are easy to read and troubleshoot with C3PL.
– One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.

In addition, an interface cannot be simultaneously configured as a security zone member and for IP inspection.

43. Place the steps for configuring zone-based policy (ZPF) firewalls in order from first to last. (Not all options are used.)

44. How does a firewall handle traffic when it is originating from the private network and traveling to the DMZ network?

The traffic is selectively denied based on service requirements.
The traffic is usually permitted with little or no restrictions.
The traffic is selectively permitted and inspected.
The traffic is usually blocked.

Explanation: Traffic originating from the private network is inspected as it travels toward the public or DMZ network. This traffic is permitted with little or no restriction. Inspected traffic returning from the DMZ or public network to the private network is permitted.

45. Which two protocols generate connection information within a state table and are supported for stateful filtering? (Choose two.)

ICMP
UDP
DHCP
TCP
HTTP

46. Which type of firewall is supported by most routers and is the easiest to implement?

next generation firewall
stateless firewall
stateful firewall
proxy firewall

Explanation: A packet filtering (stateless) firewall uses a simple policy table look-up that filters traffic based on specific criteria and is considered the easiest firewall to implement.

47. What network testing tool would an administrator use to assess and validate system configurations against security policies and compliance standards?

Tripwire
L0phtcrack
Nessus
Metasploit

Explanation: Tripwire – This tool assesses and validates IT configurations against internal policies, compliance standards, and security best practices.

48. What type of network security test can detect and report changes made to network systems?

vulnerability scanning
network scanning
integrity checking
penetration testing

Explanation: Integrity checking is used to detect and report changes made to systems. Vulnerability scanning is used to find weaknesses and misconfigurations on network systems. Network scanning is used to discover available resources on the network.

49. What network security testing tool has the ability to provide details on the source of suspicious network activity?

SIEM
SuperScan
Zenmap
Tripwire

Explanation: There are various network security tools available for network security testing and evaluation. SuperScan is a Microsoft Windows port scanning tool that detects open TCP and UDP ports on systems. Nmap and Zenmap are low-level network scanners available to the public. Tripwire is used to assess if network devices are compliant with network security policies. SIEM is used to provide real-time reporting of security events on the network.

50. How do modern cryptographers defend against brute-force attacks?

Use statistical analysis to eliminate the most common encryption keys.
Use a keyspace large enough that it takes too much money and too much time to conduct a successful attack.
Use an algorithm that requires the attacker to have both ciphertext and plaintext to conduct a successful attack.
Use frequency analysis to ensure that the most popular letters used in the language are not used in the cipher message.

Explanation: In a brute-force attack, an attacker tries every possible key with the decryption algorithm, knowing that eventually one of them will work. To defend against brute-force attacks, modern cryptographers aim to have a keyspace (the set of all possible keys) large enough that it takes too much money and too much time to accomplish a brute-force attack. A security policy requiring passwords to be changed at a predefined interval further defends against brute-force attacks: the idea is that passwords will have been changed before an attacker exhausts the keyspace.

51. How does a Caesar cipher work on a message?

Letters of the message are replaced by another letter that is a set number of places away in the alphabet.
Letters of the message are rearranged randomly.
Letters of the message are rearranged based on a predetermined pattern.
Words of the message are substituted based on a predetermined pattern.
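
As an added illustration (not part of the original exam material), the following Python implements the Caesar shift described in question 51 and then runs the exhaustive key search from question 50 over its keyspace. The word list and the sample message are constructed for the example; the point is that a keyspace of 25 shifts is exhausted instantly, which is exactly what a large modern keyspace is meant to prevent.

```python
"""Caesar cipher and brute-force key search (added example, not exam material)."""
from typing import Tuple

ALPHABET_SIZE = 26


def caesar_shift(text: str, key: int) -> str:
    """Replace each letter by the letter `key` places further along the alphabet.

    Case is preserved and non-letters (spaces, punctuation) pass through
    unchanged, so the ciphertext keeps the word structure of the plaintext.
    """
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % ALPHABET_SIZE + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    # Decryption is the same substitution run in the opposite direction.
    return caesar_shift(ciphertext, -key)


# Constructed mini dictionary used to recognise plausible English plaintext.
COMMON_WORDS = {"THE", "AND", "ATTACK", "AT", "DAWN", "MEET", "ME", "IS", "TO"}


def english_score(text: str) -> int:
    """Count how many words of `text` appear in the constructed dictionary."""
    words = (w.strip(".,!?") for w in text.upper().split())
    return sum(1 for w in words if w in COMMON_WORDS)


def brute_force(ciphertext: str) -> Tuple[int, str]:
    """Try every non-trivial key (1..25) and return (key, plaintext) for the
    candidate that looks most like English. The loop IS the brute-force
    attack from question 50: the keyspace is so small that trying all of it
    costs nothing, which is why modern algorithms use keyspaces of 2**128
    keys and more.
    """
    best_key, best_text, best_score = 0, ciphertext, english_score(ciphertext)
    for key in range(1, ALPHABET_SIZE):
        candidate = caesar_decrypt(ciphertext, key)
        score = english_score(candidate)
        if score > best_score:
            best_key, best_text, best_score = key, candidate, score
    return best_key, best_text


def caesar_keyspace() -> int:
    """Number of distinct non-trivial Caesar keys: one per shift 1..25."""
    return ALPHABET_SIZE - 1


if __name__ == "__main__":
    message = "Attack at dawn!"  # constructed sample plaintext
    ct = caesar_encrypt(message, 3)
    print("ciphertext:", ct)
    key, pt = brute_force(ct)
    print(f"recovered key {key} after at most {caesar_keyspace()} trials: {pt}")
    print("AES-128 keyspace is", 2 ** 128 // caesar_keyspace(), "times larger")
```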

52. What is the main factor that ensures the security of encryption of modern algorithms?

complexity of the hashing algorithm
the use of 3DES over AES
secrecy of the keys
secrecy of the algorithm

Explanation: With most modern algorithms, successful decryption requires knowledge of the appropriate cryptographic keys. This means that the security of encryption lies in the secrecy of the keys, not the algorithm.

53. What is the next step in the establishment of an IPsec VPN after IKE Phase 1 is complete?

negotiation of the ISAKMP policy
negotiation of the IPsec SA policy
detection of interesting traffic
authentication of peers

Explanation: Establishing an IPsec tunnel involves five steps:
1) detection of interesting traffic defined by an ACL
2) IKE Phase 1, in which peers negotiate the ISAKMP SA policy
3) IKE Phase 2, in which peers negotiate the IPsec SA policy
4) creation of the IPsec tunnel
5) termination of the IPsec tunnel

54. Refer to the exhibit. What algorithm will be used for providing confidentiality?

RSA
Diffie-Hellman
DES
AES

Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two popular algorithms that are used to ensure that data is not intercepted and modified (data integrity) are MD5 and SHA. AES is an encryption protocol and provides data confidentiality. DH (Diffie-Hellman) is an algorithm that is used for key exchange. RSA is an algorithm used for authentication.

55. After issuing a show run command, an analyst notices the following command:

crypto ipsec transform-set MYSET esp-aes 256 esp-md5-hmac

What is the purpose of this command?

It establishes the set of encryption and hashing algorithms used to secure the data sent through an IPsec tunnel.
It defines the default ISAKMP policy list used to establish the IKE Phase 1 tunnel.
It establishes the criteria to force the IKE Phase 1 negotiations to begin.
It indicates that IKE will be used to establish the IPsec tunnel for protecting the traffic.

56. Which algorithm can ensure data integrity?

RSA
AES
MD5
PKI

Explanation: Data integrity guarantees that the message was not altered in transit. Integrity is ensured by implementing either of the Secure Hash Algorithms (SHA-2 or SHA-3). The MD5 message digest algorithm is still widely in use.

57. A company implements a security policy that ensures that a file sent from the headquarters office to the branch office can only be opened with a predetermined code. This code is changed every day. Which two algorithms can be used to achieve this task? (Choose two.)

HMAC
MD5
3DES
SHA-1
AES

Explanation: The task of ensuring that only authorized personnel can open a file is data confidentiality, which can be implemented with encryption. AES and 3DES are two encryption algorithms. HMAC can be used for ensuring origin authentication. MD5 and SHA-1 can be used to ensure data integrity.

58. A network technician has been asked to design a virtual private network between two branch routers. Which type of cryptographic key should be used in this scenario?

hash key
symmetric key
asymmetric key
digital signature

Explanation: A symmetric key requires that both routers have access to the secret key that is used to encrypt and decrypt exchanged data.

59. Which two options can limit the information discovered from port scanning? (Choose two.)

intrusion prevention system
firewall
authentication
passwords
encryption

Explanation: Using an intrusion prevention system (IPS) and firewall can limit the information that can be discovered with a port scanner. Authentication, encryption, and passwords provide no protection from loss of information from port scanning.

60. An administrator discovers that a user is accessing a newly established website that may be detrimental to company security. What action should the administrator take first in terms of the security policy?

Ask the user to stop immediately and inform the user that this constitutes grounds for dismissal.
Create a firewall rule blocking the respective website.
Revise the AUP immediately and get all users to sign the updated AUP.
Immediately suspend the network privileges of the user.

61. If AAA is already enabled, which three CLI steps are required to configure a router with a specific view? (Choose three.)

Create a superview using the parser view view-name command.
Associate the view with the root view.
Assign users who can use the view.
Create a view using the parser view view-name command.
Assign a secret password to the view.
Assign commands to the view.

Explanation: There are five steps involved to create a view on a Cisco router.
1) AAA must be enabled.
2) The view must be created.
3) A secret password must be assigned to the view.
4) Commands must be assigned to the view.
5) View configuration mode must be exited.

62. Refer to the exhibit. A network administrator configures a named ACL on the router. Why is there no output displayed when the show command is issued?

Exhibit: A network administrator configures a named ACL on the router.

The ACL is not activated.
The ACL name is case sensitive.
The ACL has not been applied to an interface.
No packets have matched the ACL statements yet.

63. ACLs are used primarily to filter traffic. What are two additional uses of ACLs? (Choose two.)

specifying internal hosts for NAT
identifying traffic for QoS
specifying source addresses for authentication
reorganizing traffic into VLANs
filtering VTP packets

Explanation: ACLs are used to filter traffic to determine which packets will be permitted or denied through the router and which packets will be subject to policy-based routing. ACLs can also be used to identify traffic that requires NAT and QoS services. Prefix lists are used to control which routes will be redistributed or advertised to other routers.

64. What two features are added in SNMPv3 to address the weaknesses of previous versions of SNMP? (Choose two.)

authentication
authorization with community string priority
bulk MIB objects retrieval
ACL management filtering
encryption

65. What network testing tool is used for password auditing and recovery?

Nessus
Metasploit
L0phtcrack
SuperScan

Explanation: The Nessus tool provides remote vulnerability scanning that focuses on remote access, password misconfiguration, and DoS against the TCP/IP stack. L0phtcrack provides password auditing and recovery. Metasploit provides information about vulnerabilities and aids in penetration testing and IDS signature development.

66. Which type of firewall makes use of a server to connect to destination devices on behalf of clients?

packet filtering firewall
proxy firewall
stateless firewall
stateful firewall

Explanation: An application gateway firewall, also called a proxy firewall, filters information at Layers 3, 4, 5, and 7 of the OSI model. It uses a proxy server to connect to remote servers on behalf of clients. Remote servers will see only a connection from the proxy server, not from the individual clients.

67. Refer to the exhibit. What will be displayed in the output of the show running-config object command after the exhibited configuration commands are entered on an ASA 5506-X?

host 192.168.1.4
range 192.168.1.10 192.168.1.20
host 192.168.1.3, host 192.168.1.4, and range 192.168.1.10 192.168.1.20
host 192.168.1.3
host 192.168.1.3 and host 192.168.1.4
host 192.168.1.4 and range 192.168.1.10 192.168.1.20

Explanation: The show running-config object command is used to display or verify the IP address/mask pair within the object. There can only be one statement in the network object. Entering a second IP address/mask pair will replace the existing configuration.

68. Refer to the exhibit. According to the command output, which three statements are true about the DHCP options entered on the ASA? (Choose three.)

The dhcpd address [ start-of-pool ]-[ end-of-pool ] inside command was issued to enable the DHCP server.
The dhcpd address [ start-of-pool ]-[ end-of-pool ] inside command was issued to enable the DHCP client.
The dhcpd enable inside command was issued to enable the DHCP server.
The dhcpd auto-config outside command was issued to enable the DHCP client.
The dhcpd auto-config outside command was issued to enable the DHCP server.
The dhcpd enable inside command was issued to enable the DHCP client.

69. Which two statements describe the characteristics of symmetric algorithms? (Choose two.)

They are commonly used with VPN traffic.
They use a pair of a public key and a private key.
They are commonly implemented in the SSL and SSH protocols.
They provide confidentiality, integrity, and availability.
They are referred to as a pre-shared key or secret key.

Explanation: Symmetric encryption algorithms use the same key (also called a shared secret) to encrypt and decrypt the data. In contrast, asymmetric encryption algorithms use a pair of keys, one for encryption and another for decryption.

70. A web server administrator is configuring access settings to require users to authenticate first before accessing certain web pages. Which requirement of information security is addressed through the configuration?

availability
integrity
scalability
confidentiality

Explanation: Confidentiality ensures that data is accessed only by authorized individuals. Authentication will help verify the identity of the individuals.

71. The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?

authentication
nonrepudiation
integrity
Diffie-Hellman
confidentiality

Explanation: The IPsec framework consists of five building blocks. Each building block performs a specific security function via specific protocols. The function of providing confidentiality is provided by protocols such as DES, 3DES, and AES.

72. What function is provided by Snort as part of the Security Onion?

to generate network intrusion alerts by the use of rules and signatures
to normalize logs from various NSM data logs so they can be represented, stored, and accessed through a common schema
to display full-packet captures for analysis
to view pcap transcripts generated by intrusion detection tools

Explanation: Snort is a NIDS integrated into Security Onion. It is an important source of the alert data that is indexed in the Sguil analysis tool. Snort uses rules and signatures to generate alerts.

73. What are two drawbacks to using HIPS? (Choose two.)

With HIPS, the success or failure of an attack cannot be readily determined.
With HIPS, the network administrator must verify support for all the different operating systems used in the network.
HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network.
If the network traffic stream is encrypted, HIPS is unable to access unencrypted forms of the traffic.
HIPS installations are vulnerable to fragmentation attacks or variable TTL attacks.

Explanation: Two disadvantages of deploying HIPS are (1) that it cannot create a complete view of the network or have knowledge of events that might be occurring beyond an individual host and (2) every host operating system within the organization must be supported. However, an advantage of using HIPS is that it can monitor and protect the operating system as well as critical system processes on each network host.

74. In an AAA-enabled network, a user issues the configure terminal command from the privileged executive mode of operation. What AAA function is at work if this command is rejected?

authorization
authentication
auditing
accounting

Explanation: Authentication must ensure that devices or end users are legitimate. Authorization is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network. The configure terminal command is rejected because the user is not authorized to execute the command.

75. A company has a file server that shares a folder named Public. The network security policy specifies that the Public folder is assigned Read-Only rights to anyone who can log into the server while the Edit rights are assigned only to the network admin group. Which component is addressed in the AAA network service framework?

automation
accounting
authentication
authorization

Explanation: After a user is successfully authenticated (logged into the server), authorization is the process of determining what network resources the user can access and what operations (such as read or edit) the user can perform.

76. What is a characteristic of a DMZ zone?

Traffic originating from the inside network going to the DMZ network is not permitted.
Traffic originating from the outside network going to the DMZ network is selectively permitted.
Traffic originating from the DMZ network going to the inside network is permitted.
Traffic originating from the inside network going to the DMZ network is selectively permitted.

Explanation: The characteristics of a DMZ zone are as follows:
Traffic originating from the inside network going to the DMZ network is permitted.
Traffic originating from the outside network going to the DMZ network is selectively permitted.
Traffic originating from the DMZ network going to the inside network is denied.

77. Which measure can a security analyst take to perform effective security monitoring against network traffic encrypted by SSL technology?

Use a Syslog server to capture network traffic.
Deploy a Cisco SSL Appliance.
Require remote access connections through IPsec VPN.
Deploy a Cisco ASA.

Explanation: Deploy a Cisco SSL Appliance to decrypt SSL traffic and send it to intrusion prevention system (IPS) appliances to identify risks normally hidden by SSL.

78. Refer to the exhibit. Port security has been configured on the Fa 0/12 interface of switch S1. What action will occur when PC1 is attached to switch S1 with the applied configuration?

Frames from PC1 will be forwarded since the switchport port-security violation command is missing.
Frames from PC1 will be forwarded to its destination, and a log entry will be created.
Frames from PC1 will be forwarded to its destination, but a log entry will not be created.
Frames from PC1 will cause the interface to shut down immediately, and a log entry will be made.
Frames from PC1 will be dropped, and there will be no log of the violation.
Frames from PC1 will be dropped, and a log message will be created.

Explanation: Manual configuration of the single allowed MAC address has been entered for port fa0/12. PC1 has a different MAC address and when attached will cause the port to shut down (the default action), a log message to be automatically created, and the violation counter to increment. The default action of shutdown is recommended because the restrict option might fail if an attack is underway.

79. What security countermeasure is effective for preventing CAM table overflow attacks?

DHCP snooping
Dynamic ARP Inspection
IP source guard
port security

Explanation: Port security is the most effective method for preventing CAM table overflow attacks. Port security gives an administrator the ability to manually specify what MAC addresses should be seen on given switch ports. It provides a method for limiting the number of MAC addresses that can be dynamically learned over a switch port.

80. What are two examples of DoS attacks? (Choose two.)

port scanning
SQL injection
ping of death
phishing
buffer overflow

Explanation: The buffer overflow and ping of death DoS attacks exploit system memory-related flaws on a server by sending an unexpected amount of data or malformed data to the server.

81. Which method is used to identify interesting traffic needed to create an IKE phase 1 tunnel?

transform sets
a permit access list entry
hashing algorithms
a security association

82. When the CLI is used to configure an ISR for a site-to-site VPN connection, which two items must be specified to enable a crypto map policy? (Choose two.)

the hash
the peer
encryption
the ISAKMP policy
a valid access list
IP addresses on all active interfaces
the IKE Phase 1 policy

Explanation: After the crypto map command in global configuration mode has been issued, the new crypto map will remain disabled until a peer and a valid access list have been configured.

83. How does a firewall handle traffic when it is originating from the public network and traveling to the DMZ network?

Traffic that is originating from the public network is inspected and selectively permitted when traveling to the DMZ network.
Traffic that is originating from the public network is usually permitted with little or no restriction when traveling to the DMZ network.
Traffic that is originating from the public network is usually forwarded without inspection when traveling to the DMZ network.
Traffic that is originating from the public network is usually blocked when traveling to the DMZ network.

Explanation: Traffic originating from the public network and traveling toward the DMZ is selectively permitted and inspected. This type of traffic is typically email, DNS, HTTP, or HTTPS traffic. Return traffic from the DMZ to the public network is dynamically permitted.

84. A client connects to a Web server. Which component of this HTTP connection is not examined by a stateful firewall?

the source IP address of the client traffic
the destination port number of the client traffic
the actual contents of the HTTP connection
the source port number of the client traffic

Explanation: Stateful firewalls cannot prevent application layer attacks because they do not examine the actual contents of the HTTP connection.

85. Which network monitoring technology uses VLANs to monitor traffic on remote switches?

IPS
IDS
TAP
RSPAN

Explanation: Remote SPAN (RSPAN) enables a network administrator to use the flexibility of VLANs to monitor traffic on remote switches.

86. Which rule action will cause Snort IPS to block and log a packet?

log
drop
alert
Sdrop

Explanation: Snort IPS mode can perform all the IDS actions plus the following:
– Drop – Block and log the packet.
– Reject – Block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
– Sdrop – Block the packet but do not log it.

87. What is typically used to create a security trap in the data center facility?

IDs, biometrics, and two access doors
high resolution monitors
redundant authentication servers
a server without all security patches applied

Explanation: Security traps provide access to the data halls where data center data is stored. As shown in the figure below, a security trap is similar to an air lock. A person must first enter the security trap using their badge ID proximity card. After the person is inside the security trap, facial recognition, fingerprints, or other biometric verifications are used to open the second door. The user must repeat the process to exit the data hall.

88. A company is concerned with leaked and stolen corporate data on hard copies. Which data loss mitigation technique could help with this situation?

strong PC security settings
strong passwords
shredding
encryption

Explanation: Confidential data should be shredded when no longer required. Otherwise, a thief could retrieve discarded reports and gain valuable information.

89. Upon completion of a network security course, a student decides to pursue a career in cryptanalysis. What job would the student be doing as a cryptanalyst?

cracking code without access to the shared secret key
creating hashing codes to authenticate data
making and breaking secret codes
creating transposition and substitution ciphers

Explanation: Cryptanalysis is the practice and study of determining the meaning of encrypted information (cracking the code) without access to the shared secret key. This is also known as codebreaking.

90. What command is used on a switch to set the port access entity type so the interface acts only as an authenticator and will not respond to any messages meant for a supplicant?

dot1x pae authenticator
authentication port-control auto
aaa authentication dot1x default group radius
dot1x system-auth-control

Explanation: Sets the Port Access Entity (PAE) type.
dot1x pae [supplicant | authenticator | both]
supplicant—The interface acts only as a supplicant and does not respond to messages that are meant for an authenticator.
authenticator—The interface acts only as an authenticator and does not respond to any messages meant for a supplicant.
both—The interface behaves both as a supplicant and as an authenticator and thus does respond to all dot1x messages.

91. What are two disadvantages of using an IDS? (Choose two.)

The IDS does not stop malicious traffic.
The IDS works offline using copies of network traffic.
The IDS has no impact on traffic.
The IDS analyzes actual forwarded packets.
The IDS requires other devices to respond to attacks.

Explanation: The disadvantage of operating with mirrored traffic is that the IDS cannot stop malicious single-packet attacks from reaching the target before responding to the attack. Also, an IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack. An advantage of an IDS is that by working offline using mirrored traffic, it has no impact on traffic flow.

92. Refer to the exhibit. The ip verify source command is applied on untrusted interfaces. Which type of attack is mitigated by using this configuration?

DHCP spoofing
DHCP starvation
STP manipulation
MAC and IP address spoofing

Explanation: To protect against MAC and IP address spoofing, apply the IP Source Guard security feature, using the ip verify source command, on untrusted ports.

93. What ports can receive forwarded traffic from an isolated port that is part of a PVLAN?

other isolated ports and community ports
only promiscuous ports
all other ports within the same community
only isolated ports

Explanation: PVLANs are used to provide Layer 2 isolation between ports within the same broadcast domain. The level of isolation can be specified with three types of PVLAN ports:
– Promiscuous ports that can forward traffic to all other ports
– Isolated ports that can only forward traffic to promiscuous ports
– Community ports that can forward traffic to other community ports and promiscuous ports

94. A user complains about being locked out of a device after too many unsuccessful AAA login attempts. What could be used by the network administrator to provide a secure authentication access method without locking a user out of a device?

Use the login delay command for authentication attempts.
Use the login local command for authenticating user access.
Use the aaa local authentication attempts max-fail global configuration mode command with a higher number of acceptable failures.
Use the none keyword when configuring the authentication method list.

Explanation: The login delay command introduces a delay between failed login attempts without locking the account. This provides a user with unlimited attempts at accessing a device without causing the user account to become locked and thus requiring administrator intervention.

95. What are two drawbacks in assigning user privilege levels on a Cisco router? (Choose two.)

Only a root user can add or remove commands.
Privilege levels must be set to permit access control to specific device interfaces, ports, or slots.
Assigning a command with multiple keywords allows access to all commands using those keywords.
Commands from a lower level are always executable at a higher level.
AAA must be enabled.

Explanation: Privilege levels may not provide the desired flexibility and specificity because higher levels always inherit commands from lower levels, and commands with multiple keywords give the user access to all commands available for each keyword. Privilege levels cannot specify access control to interfaces, ports, or slots. AAA is not required to set privilege levels, but is required in order to create role-based views. The role of root user does not exist in privilege levels.

96. Refer to the exhibit. Which conclusion can be made from the show crypto map command output that is shown on R1?

The crypto map has not yet been applied to an interface.
The current peer IP address should be 172.30.2.1.
There is a mismatch between the transform sets.
The tunnel configuration was established and can be tested with extended pings.

Explanation: According to the show crypto map command output, all required SAs are in place, but no interface is currently using the crypto map. To complete the tunnel configuration, the crypto map has to be applied to the outbound interface of each router.

97. What are two reasons to enable OSPF routing protocol authentication on a network? (Choose two.)

to prevent data traffic from being redirected and then discarded
to ensure faster network convergence
to provide data security through encryption
to prevent redirection of data traffic to an insecure link
to ensure more efficient routing

Explanation: The reason to configure OSPF authentication is to mitigate against routing protocol attacks like redirection of data traffic to an insecure link, and redirection of data traffic to discard it. OSPF authentication does not provide faster network convergence, more efficient routing, or encryption of data traffic.

98. Which three functions are provided by the syslog

https://itexamanswers.net/network-security-version1-0-final-exam-answers-full.html Page 52 of 105


Network Security (Version1.0) - Final Exam Answers Full 20/12/2023, 3:13 AM

logging service? (Choose three.)

gathering logging information


authenticating and encrypting data sent over the network
retaining captured messages on the router when a router
is rebooted
specifying where captured information is stored
distinguishing between information to be captured
and information to be ignored
setting the size of the logging buffer

Explanation: Syslog operations include gathering information, selecting which type of information to capture, and directing the captured information to a storage location. The logging service stores messages in a logging buffer that is time-limited and cannot retain the information when a router is rebooted. Syslog does not authenticate or encrypt messages.
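The three syslog functions in this answer, written out as a small collector. This is an added example, not code from the original page: it gathers messages, keeps only those at or above a severity threshold (the way IOS `logging trap <level>` does), and files the kept ones by facility. The IOS-style log lines are constructed for illustration, and the per-source login failure count shows one thing a collector is used for.

```python
"""Added example: gather, filter, and route syslog messages.
Sample lines are constructed in the IOS '%FACILITY-SEVERITY-MNEMONIC:' style;
they were not captured from a real device."""
import re
from collections import defaultdict

# Syslog severity levels as used by Cisco IOS (0 is most severe).
SEVERITIES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
              4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample lines (assumption: realistic but invented content).
SAMPLE_LOG = [
    "*Mar  1 00:12:41.091: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)",
    "*Mar  1 00:13:02.507: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:13:03.011: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:14:10.333: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:14:11.020: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.5] [localport: 22]",
    "*Mar  1 00:15:00.000: %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 3",
    "*Mar  1 00:15:30.000: %PARSER-7-DEBUG_CMD: some debug noise",
]

MSG_RE = re.compile(
    r"^(?P<ts>\*?\S+\s+\d+\s+[\d:.]+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")


def parse(line):
    """Gather: turn one raw line into a structured record (None if malformed)."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def collect(lines, trap_level=6):
    """Filter and route: keep messages whose severity number is <= trap_level
    (like 'logging trap informational') and file each under a per-facility
    destination, as a collector writing to separate files or indexes would."""
    destinations = defaultdict(list)
    dropped = 0
    for line in lines:
        rec = parse(line)
        if rec is None or rec["sev"] > trap_level:
            dropped += 1
            continue
        destinations[rec["facility"]].append(rec)
    return dict(destinations), dropped


def failed_logins_by_source(destinations):
    """One detection use of the gathered data: SEC_LOGIN failures per source IP."""
    counts = defaultdict(int)
    for rec in destinations.get("SEC_LOGIN", []):
        if rec["mnemonic"] == "LOGIN_FAILED":
            m = re.search(r"\[Source: ([\d.]+)\]", rec["text"])
            if m:
                counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    dests, dropped = collect(SAMPLE_LOG, trap_level=6)
    print(f"kept facilities: {sorted(dests)}, dropped: {dropped}")
    print("failed logins:", failed_logins_by_source(dests))
```

Because nothing in the transport protects these lines, a collector should accept them only over a trusted path (a management VLAN, or TLS syslog where the device supports it); the parser itself cannot tell a forged line from a genuine one.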

99. What two ICMPv6 message types must be permitted through IPv6 access control lists to allow resolution of Layer 3 addresses to Layer 2 MAC addresses? (Choose two.)

neighbor solicitations
echo requests
neighbor advertisements
echo replies
router solicitations
router advertisements

Explanation: IPv6 has no ARP. The Neighbor Discovery Protocol resolves an IPv6 address to a MAC address with ICMPv6 neighbor solicitation (type 135) and neighbor advertisement (type 136) messages, so an IPv6 ACL that blocks ICMPv6 wholesale breaks address resolution. This is why Cisco IOS IPv6 ACLs carry implicit permit icmp any any nd-na and permit icmp any any nd-ns entries ahead of the implicit deny. Echo requests and replies are used by ping, and router solicitations and advertisements are used for router and prefix discovery, not for MAC resolution.

100. Which three services are provided through digital signatures? (Choose three.)

accounting
authenticity
compression
nonrepudiation
integrity
encryption

Explanation: Digital signatures use a mathematical technique to provide three basic security services: integrity, authenticity, and nonrepudiation.

101. A technician is to document the current configurations of all network devices in a college, including those in off-site buildings. Which protocol would be best to use to securely access the network devices?

FTP
HTTP
SSH
Telnet

Explanation: Telnet sends passwords and other information in clear text, while SSH encrypts its data. FTP and HTTP do not provide remote device access for configuration purposes.

102. An administrator is trying to develop a BYOD security policy for employees that are bringing a wide range of devices to connect to the company network. Which three objectives must the BYOD security policy address? (Choose three.)

All devices must be insured against liability if used to compromise the corporate network.
All devices must have open authentication with the corporate network.
Rights and activities permitted on the corporate network must be defined.
Safeguards must be put in place for any personal
device being compromised.
The level of access of employees when connecting to
the corporate network must be defined.
All devices should be allowed to attach to the corporate
network flawlessly.

103. What is the function of the pass action on a Cisco IOS Zone-Based Policy Firewall?

logging of rejected or dropped packets
inspecting traffic between zones for traffic control
tracking the state of connections between zones
forwarding traffic from one zone to another

Explanation: The pass action performed by Cisco IOS ZPF permits forwarding of traffic in a manner similar to the permit statement in an access control list. Unlike inspect, it does not track the connection, so return traffic needs its own policy.

104. Refer to the exhibit. Based on the security levels of the interfaces on ASA1, what traffic will be allowed on the interfaces?

Traffic from the Internet and DMZ can access the LAN.
Traffic from the Internet and LAN can access the DMZ.
Traffic from the Internet can access both the DMZ and
the LAN.
Traffic from the LAN and DMZ can access the
Internet.

Explanation: Each ASA interface carries a security level (0 to 100) that is separate from any configured ACL. By default, traffic from a more secure interface (higher security level, such as 100) is allowed to reach a less secure interface (lower security level, such as 0), and traffic from a less secure interface is blocked from reaching a more secure interface unless an ACL explicitly permits it.

105. What network testing tool can be used to identify network layer protocols running on a host?

SIEM
Nmap
L0phtcrack
Tripwire

106. In the implementation of security on multiple devices, how do ASA ACLs differ from Cisco IOS ACLs?

Cisco IOS routers utilize both named and numbered ACLs and Cisco ASA devices utilize only numbered ACLs.
Cisco IOS ACLs are configured with a wildcard mask
and Cisco ASA ACLs are configured with a subnet
mask.
Cisco IOS ACLs are processed sequentially from the top down and Cisco ASA ACLs are not processed sequentially.
Cisco IOS ACLs utilize an implicit deny all and Cisco ASA ACLs end with an implicit permit all.

Explanation: Cisco IOS ACLs are configured with a wildcard mask and Cisco ASA ACLs are configured with a subnet mask. Both devices use an implicit deny, top-down sequential processing, and named or numbered ACLs.

107. Which statement describes an important characteristic of a site-to-site VPN?

It must be statically set up.
It is ideally suited for use by mobile workers.
It requires using a VPN client on the host PC.
After the initial connection is established, it can
dynamically change connection information.
It is commonly implemented over dialup and cable
modem networks.

Explanation: A site-to-site VPN is created between the network devices of two separate networks. The VPN is static and stays established. The internal hosts of the two networks have no knowledge of the VPN.

108. Which two options are security best practices that help mitigate BYOD risks? (Choose two.)

Use paint that reflects wireless signals and glass that prevents the signals from going outside the building.
Keep the device OS and software updated.
Only allow devices that have been approved by the corporate IT team.
Only turn on Wi-Fi when using the wireless network.
Decrease the wireless antenna gain level.
Use wireless MAC address filtering.

Explanation: Many companies now support employees and visitors attaching and using wireless devices that connect to and use the corporate wireless network. This practice is known as a bring-your-own-device (BYOD) policy. Commonly, BYOD security practices are included in the security policy. Some best practices that mitigate BYOD risks include the following:
Use unique passwords for each device and account.
Turn off Wi-Fi and Bluetooth connectivity when not being used. Only connect to trusted networks.
Keep the device OS and other software updated.
Back up any data stored on the device.
Subscribe to a device locator service with a remote wipe feature.
Provide antivirus software for approved BYODs.
Use Mobile Device Management (MDM) software that allows IT teams to track the device and implement security settings and software controls.

109. Refer to the exhibit. A network administrator configures AAA authentication on R1. Which statement describes the effect of the keyword single-connection in the configuration?

R1 will open a separate connection to the TACACS+ server for each user authentication session.
The authentication performance is enhanced by
keeping the connection to the TACACS+ server open.
The TACACS+ server only accepts one successful try for
a user to authenticate with it.
R1 will open a separate connection to the TACACS
server on a per source IP address basis for each
authentication session.

Explanation: The single-connection keyword enhances TCP performance with TACACS+ by maintaining a single TCP connection for the life of the session. Without the single-connection keyword, a TCP connection is opened and closed per session.

110. A recently created ACL is not working as expected. The admin determined that the ACL had been applied inbound on the interface and that was the incorrect direction. How should the admin fix this issue?

Delete the original ACL and create a new ACL, applying it outbound on the interface.
Add an association of the ACL outbound on the same
interface.
Fix the ACE statements so that it works as desired
inbound on the interface.
Remove the inbound association of the ACL on the
interface and reapply it outbound.

111. What characteristic of the Snort term-based subscriptions is true for both the community and the subscriber rule sets?

Both have a 30-day delayed access to updated signatures.
Both use Cisco Talos to provide coverage in advance of exploits.
Both are fully supported by Cisco and include Cisco customer support.
Both offer threat protection against security threats.

Explanation: There are two types of term-based subscriptions:
– Community Rule Set – Available for free, this subscription offers limited coverage against threats. The community rule set focuses on reactive response to security threats versus proactive research work. There is also a 30-day delayed access to updated signatures, meaning that the newest rule will be a minimum of 30 days old. In addition, there is no Cisco customer support available.
– Subscriber Rule Set – Available for a fee, this service provides the best protection against threats. It includes coverage of advance exploits by using the research work of the Cisco Talos security experts. The Subscriber Rule Set also provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a new threat. This subscription is fully supported by Cisco.

112. A security analyst is configuring Snort IPS. The analyst has just downloaded and installed the Snort OVA file. What is the next step?

Verify Snort IPS.
Configure Virtual Port Group interfaces.
Enable IPS globally or on desired interfaces.
Activate the virtual services.

Explanation: To deploy Snort IPS on supported devices, perform the following steps:
– Step 1. Download the Snort OVA file.
– Step 2. Install the OVA file.
– Step 3. Configure Virtual Port Group interfaces.
– Step 4. Activate the virtual services.
– Step 5. Configure Snort specifics.
– Step 6. Enable IPS globally or on desired interfaces.
– Step 7. Verify Snort IPS.

113. The security policy in a company specifies that employee workstations can initiate HTTP and HTTPS connections to outside websites and the return traffic is allowed. However, connections initiated from outside hosts are not allowed. Which parameter can be used in extended ACLs to meet this requirement?

dscp
precedence
eq
established

Explanation: The established keyword matches only TCP segments that have the ACK or RST bit set, that is, segments belonging to a session already opened from the inside. A SYN from an outside host trying to open a new connection does not match and falls through to the implicit deny. The keyword provides no real state tracking (a crafted packet with ACK set still matches), which is why a stateful firewall is preferred where one is available.

114. A researcher is comparing the differences between a stateless firewall and a proxy firewall. Which two additional layers of the OSI model are inspected by a proxy firewall? (Choose two.)

Layer 3
Layer 4
Layer 5
Layer 6
Layer 7

Explanation: Packet filtering firewalls are usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information. An application gateway firewall (proxy firewall) filters information at Layers 3, 4, 5, and 7 of the OSI reference model.

115. Refer to the exhibit. A network administrator is configuring a VPN between routers R1 and R2. Which commands would correctly configure a pre-shared key for the two routers?

R1(config)# username R2 password 5tayout!
R2(config)# username R1 password 5tayout!

R1(config)# crypto isakmp key 5tayout! address 64.100.0.2
R2(config)# crypto isakmp key 5tayout! address 64.100.0.1

R1(config)# crypto isakmp key 5tayout! hostname R1
R2(config)# crypto isakmp key 5tayout! hostname R2

R1(config-if)# ppp pap sent-username R1 password 5tayout!
R2(config-if)# ppp pap sent-username R2 password 5tayout!

Explanation: The crypto isakmp key command stores the pre-shared key together with the identity (address or hostname) of the remote peer, so each router must reference the other router, not itself. The username and ppp pap commands configure local login and PPP authentication, not IKE.

116. Refer to the exhibit. Which statement is true about the effect of this Cisco IOS zone-based policy firewall configuration?

The firewall will automatically drop all HTTP, HTTPS, and FTP traffic.
The firewall will automatically allow HTTP, HTTPS, and
FTP traffic from s0/0/0 to g0/0 and will track the
connections. Tracking the connection allows only return
traffic to be permitted through the firewall in the opposite
direction.
The firewall will automatically allow HTTP, HTTPS, and
FTP traffic from s0/0/0 to g0/0, but will not track the state
of connections. A corresponding policy must be applied
to allow return traffic to be permitted through the firewall
in the opposite direction.
The firewall will automatically allow HTTP, HTTPS, and FTP traffic from g0/0 to s0/0/0 and will track the connections. Tracking the connection allows only return traffic to be permitted through the firewall in the opposite direction.
The firewall will automatically allow HTTP, HTTPS, and FTP traffic from g0/0 to s0/0/0, but will not track the state of connections. A corresponding policy must be applied to allow return traffic to be permitted through the firewall in the opposite direction.

117. Which privilege level has the most access to the Cisco IOS?

level 0
level 15
level 7
level 16
level 1

118. Refer to the exhibit. A network administrator has configured NAT on an ASA device. What type of NAT is used?

inside NAT
static NAT
bidirectional NAT
outside NAT

Explanation: NAT can be deployed on an ASA using one of these methods:
inside NAT – when a host from a higher-security interface has traffic destined for a lower-security interface and the ASA translates the internal host address to a global address
outside NAT – when traffic from a lower-security interface destined for a host on the higher-security interface is translated
bidirectional NAT – when both inside NAT and outside NAT are used together

Because the nat command is applied so that the inside interface is mapped to the outside interface, the NAT type is inside. Also, the dynamic keyword in the nat command indicates that it is a dynamic mapping.

119. A network analyst is configuring a site-to-site IPsec VPN. The analyst has configured both the ISAKMP and IPsec policies. What is the next step?

Configure the hash as SHA and the authentication as pre-shared.
Apply the crypto map to the appropriate outbound
interfaces.
Issue the show crypto ipsec sa command to verify the
tunnel.
Verify that the security feature is enabled in the IOS.

120. When an inbound Internet-traffic ACL is being implemented, what should be included to prevent the spoofing of internal networks?

ACEs to prevent traffic from private address spaces
ACEs to prevent broadcast address traffic
ACEs to prevent ICMP traffic
ACEs to prevent HTTP traffic
ACEs to prevent SNMP traffic

Explanation: Common ACEs to assist with antispoofing include blocking packets that have a source address in the 127.0.0.0/8 range, any private address, or any multicast address. Furthermore, the administrator should not allow any outbound packets with a source address other than a valid address that is used in the internal networks of the organization.
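The inbound Internet-facing ACL described above, and the established keyword from question 113, evaluated in code. This is an added example and not from the original page: it checks a packet's source against the loopback, private, multicast and reserved ranges and against the organization's own prefix (so nothing from outside can claim an inside address), then lets return TCP traffic through on the ACK/RST test that established uses. The internal prefix 203.0.113.0/24, the public web server at 203.0.113.10 and the test packets are constructed assumptions.

```python
"""Added example: an inbound Internet ACL with antispoofing ACEs and 'established'.
All prefixes, host roles and packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Assumption: the organization's public block, which should never appear as a
# source on the Internet-facing interface.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Sources that cannot legitimately arrive from the Internet.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)] + INTERNAL_NETS


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    ack: bool = False     # TCP ACK flag
    rst: bool = False     # TCP RST flag


def is_spoofed(pkt):
    """True when the source cannot have come from the Internet side."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in BOGON_SOURCES)


def is_established(pkt):
    """IOS 'established' semantics: a TCP segment with ACK or RST set.
    A bare SYN (new connection from outside) does not match."""
    return pkt.proto == "tcp" and (pkt.ack or pkt.rst)


def inbound_acl(pkt):
    """Evaluate ACEs top-down like IOS; return (action, matching ACE)."""
    if is_spoofed(pkt):
        return "deny", "antispoof"
    dst = ipaddress.ip_address(pkt.dst)
    if not any(dst in net for net in INTERNAL_NETS):
        return "deny", "not-our-prefix"
    if is_established(pkt):
        return "permit", "established"
    # Assumption: one published web server reachable from the Internet.
    if pkt.proto == "tcp" and pkt.dport in (80, 443) and pkt.dst == "203.0.113.10":
        return "permit", "public-web"
    return "deny", "implicit"


if __name__ == "__main__":
    for p in (Packet("192.168.1.5", "203.0.113.10", "tcp", 80),
              Packet("203.0.113.20", "203.0.113.10", "tcp", 80),
              Packet("198.51.100.9", "203.0.113.50", "tcp", 51000, ack=True),
              Packet("198.51.100.9", "203.0.113.50", "tcp", 22)):
        print(p.src, "->", p.dst, inbound_acl(p))
```

The second sample packet is the case the question is about: a packet arriving from the Internet with an inside source address is dropped by the antispoofing ACE before anything else is considered.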

121. Match the security term to the appropriate description. (Not all options are used.)

122. Which two types of attacks are examples of reconnaissance attacks? (Choose two.)

brute force
port scan
ping sweep
man-in-the-middle
SYN flood

Explanation: Reconnaissance attacks attempt to gather information about the targets. Ping sweeps will indicate which hosts are up and responding to pings, whereas port scans will indicate on which TCP and UDP ports the target is listening for incoming connections. Man-in-the-middle and brute force attacks are both examples of access attacks, and a SYN flood is an example of a denial of service (DoS) attack.

123. Which Cisco solution helps prevent ARP spoofing and ARP poisoning attacks?

Dynamic ARP Inspection
IP Source Guard
DHCP Snooping
Port Security
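The check that Dynamic ARP Inspection performs, written out as an added example (not code from the page or from Cisco). DAI validates the sender IP and MAC in every ARP packet received on an untrusted port against the DHCP snooping binding table and drops mismatches; the binding table, port roles and ARP packets below are constructed. The example also requires the binding's port to match, which is an assumption made here to show a poisoning attempt from the wrong port being caught.

```python
"""Added example: the validation Dynamic ARP Inspection applies to ARP packets
on untrusted ports. Bindings, ports and packets are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


# Constructed DHCP snooping bindings (what 'show ip dhcp snooping binding' lists).
BINDINGS = {
    Binding("10.1.10.11", "0011.2233.4455", 10, "Gi0/1"),
    Binding("10.1.10.12", "0011.2233.4456", 10, "Gi0/2"),
}
# Assumption: the uplink toward the DHCP server and other switches is trusted.
TRUSTED_PORTS = {"Gi0/24"}


@dataclass
class Arp:
    sender_ip: str
    sender_mac: str
    vlan: int
    ingress_port: str
    op: str = "reply"     # "request" or "reply"; both are validated


def dai_check(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return ('forward', reason) or ('drop', reason) for one ARP packet."""
    if pkt.ingress_port in trusted:
        return "forward", "trusted-port"
    for b in bindings:
        if b.vlan == pkt.vlan and b.ip == pkt.sender_ip:
            if b.mac == pkt.sender_mac and b.port == pkt.ingress_port:
                return "forward", "binding-match"
            return "drop", f"{pkt.sender_ip} is bound to {b.mac} on {b.port}"
    return "drop", "no-binding"


def filter_arp(packets):
    """Apply DAI to a batch and return only the packets that would be forwarded."""
    return [p for p in packets if dai_check(p)[0] == "forward"]


if __name__ == "__main__":
    legit = Arp("10.1.10.11", "0011.2233.4455", 10, "Gi0/1")
    # Attacker on Gi0/3 claims the address of the host on Gi0/1 (ARP poisoning).
    poison = Arp("10.1.10.11", "deadbeef0001", 10, "Gi0/3")
    for p in (legit, poison):
        print(p.ingress_port, dai_check(p))
```

DAI depends on the binding table being accurate, so DHCP snooping must already be running on the VLAN, and hosts with static addresses need an ARP ACL entry or they are dropped as "no-binding".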

124. When the Cisco NAC appliance evaluates an incoming connection from a remote device against the defined network policies, what feature is being used?

posture assessment
remediation of noncompliant systems
authentication and authorization
quarantining of noncompliant systems

125. Which two steps are required before SSH can be enabled on a Cisco router? (Choose two.)

Give the router a host name and domain name.
Create a banner that will be displayed to users when they connect.
Generate a set of secret keys to be used for encryption and decryption.
Set up an authentication server to handle incoming connection requests.
Enable SSH on the physical interfaces where the incoming connection requests will be received.

Explanation: There are four steps to configure SSH on a Cisco router. First, set the host name and domain name. Second, generate a set of RSA keys to be used for encrypting and decrypting the traffic. Third, create the user IDs and passwords of the users who will be connecting. Lastly, enable SSH on the vty lines on the router. SSH does not need to be set up on any physical interfaces, nor does an external authentication server need to be used. While it is a good idea to configure a banner to display legal information for connecting users, it is not required to enable SSH.

126. The network administrator for an e-commerce website requires a service that prevents customers from claiming that legitimate orders are fake. What service provides this type of guarantee?

confidentiality
authentication
integrity
nonrepudiation

127. Match the security technology with the description.

128. What functionality is provided by Cisco SPAN in a switched network?

It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.
It prevents traffic on a LAN from being disrupted by a
broadcast storm.
It protects the switched network from receiving BPDUs
on ports that should not be receiving them.
It copies traffic that passes through a switch interface and
sends the data directly to a syslog or SNMP server for
analysis.
It inspects voice protocols to ensure that SIP, SCCP,
H.323, and MGCP requests conform to voice standards.
It mitigates MAC address overflow attacks.

Explanation: SPAN is a Cisco technology used by network administrators to monitor suspicious traffic or to capture traffic to be analyzed.

129. Which three statements are generally considered to be best practices in the placement of ACLs? (Choose three.)

Filter unwanted traffic before it travels onto a low-bandwidth link.
Place standard ACLs close to the destination IP address
of the traffic.
Place standard ACLs close to the source IP address of
the traffic.
Place extended ACLs close to the destination IP address
of the traffic.
Place extended ACLs close to the source IP address of
the traffic.
For every inbound ACL placed on an interface, there
should be a matching outbound ACL.

Explanation: Extended ACLs should be placed as close as possible to the source IP address, so that traffic that needs to be filtered does not cross the network and use network resources. Because standard ACLs do not specify a destination address, they should be placed as close to the destination as possible. Placing a standard ACL close to the source may have the effect of filtering all traffic, and limiting services to other hosts. Filtering unwanted traffic before it enters low-bandwidth links preserves bandwidth and supports network functionality. Decisions on placing ACLs inbound or outbound are dependent on the requirements to be met.

130. What function is performed by the class maps configuration object in the Cisco modular policy framework?

identifying interesting traffic
applying a policy to an interface
applying a policy to interesting traffic
restricting traffic through an interface

Explanation: There are three configuration objects in the MPF: class maps, policy maps, and service policy. The class maps configuration object uses match criteria to identify interesting traffic.

131. In an attempt to prevent network attacks, cyber analysts share unique identifiable attributes of known attacks with colleagues. What three types of attributes or indicators of compromise are helpful to share? (Choose three.)

IP addresses of attack servers
changes made to end system software
netbios names of compromised firewalls
features of malware files
BIOS of attacking systems
system ID of compromised systems

Explanation: Many network attacks can be prevented by sharing information about indicators of compromise (IOC). Each attack has unique identifiable attributes. Indicators of compromise are the evidence that an attack has occurred. IOCs can be identifying features of malware files, IP addresses of servers that are used in the attack, filenames, and characteristic changes made to end system software.

132. What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.)

The code is authentic and is actually sourced by the publisher.
The code contains no errors.
The code has not been modified since it left the
software publisher.
The code contains no viruses.
The code was encrypted with both a private and public
key.

Explanation: Digitally signing code provides several assurances about the code:
The code is authentic and is actually sourced by the publisher.
The code has not been modified since it left the software publisher.
The publisher undeniably published the code. This provides nonrepudiation of the act of publishing.

133. Refer to the exhibit. What algorithm is being used to provide public key exchange?

SHA
RSA
Diffie-Hellman
AES

Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. DH (Diffie-Hellman) is an algorithm used for key exchange. DH is a public key exchange method and allows two IPsec peers to establish a shared secret key over an insecure channel.
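The exchange the explanation describes, carried out with the modular arithmetic written out. This is an added example, not code from the page or from any IPsec implementation: it uses the 1024-bit MODP group from RFC 2409 (IKE "group 2", generator 2), checks the modulus with Miller-Rabin before use so a transcription error would be caught rather than silently weakening the exchange, draws private exponents from the OS CSPRNG, and rejects degenerate public values before exponentiating. The peer names R1 and R2 are illustrative.

```python
"""Added example: a Diffie-Hellman exchange between two peers over an
insecure channel, using the RFC 2409 Second Oakley Group (1024-bit MODP)."""
import secrets

# RFC 2409 section 6.2, "Second Oakley Group", generator 2.
P_HEX = ("FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 "
         "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 "
         "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED "
         "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF")
P = int(P_HEX.replace(" ", ""), 16)
G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases. False means definitely composite."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_valid_public(value):
    """Reject 0, 1 and p-1, which would force a trivial shared secret."""
    return 1 < value < P - 1


class DHPeer:
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1    # x in [1, p-2], never leaves the peer
        self.pub = pow(G, self.priv, P)             # g^x mod p, sent in the clear

    def shared_secret(self, peer_pub):
        if not is_valid_public(peer_pub):
            raise ValueError("invalid DH public value from peer")
        return pow(peer_pub, self.priv, P)          # (g^y)^x mod p


def run_exchange():
    """Both peers derive the same secret; an eavesdropper sees only the two public values."""
    r1, r2 = DHPeer("R1"), DHPeer("R2")
    s1 = r1.shared_secret(r2.pub)
    s2 = r2.shared_secret(r1.pub)
    return s1 == s2, r1.pub, r2.pub


if __name__ == "__main__":
    assert is_probable_prime(P) and is_probable_prime((P - 1) // 2), "bad modulus"
    same, a, b = run_exchange()
    print("shared secrets match:", same)
    print("public values (eavesdropper's view):", hex(a)[:18] + "...", hex(b)[:18] + "...")
```

Group 2 is used here only because its modulus is short enough to reproduce; IKE deployments should prefer larger groups (14 or above, or an elliptic-curve group). DH on its own does not authenticate the peers, which is what the pre-shared key or certificates in ISAKMP are for.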

134. Which two statements describe the use of asymmetric algorithms? (Choose two.)

Public and private keys may be used interchangeably.
If a public key is used to encrypt the data, a public key must be used to decrypt the data.
If a private key is used to encrypt the data, a public key
must be used to decrypt the data.
If a public key is used to encrypt the data, a private key
must be used to decrypt the data.
If a private key is used to encrypt the data, a private key
must be used to decrypt the data.

Explanation: Asymmetric algorithms use two keys: a public key and a private key. Both keys are capable of the encryption process, but the complementary matched key is required for decryption. If a public key encrypts the data, the matching private key decrypts the data. The opposite is also true: if a private key encrypts the data, the corresponding public key decrypts the data.

135. Which statement is a feature of HMAC?

HMAC uses a secret key that is only known to the sender and defeats man-in-the-middle attacks.
HMAC uses protocols such as SSL or TLS to provide
session layer confidentiality.
HMAC uses a secret key as input to the hash
function, adding authentication to integrity
assurance.
HMAC is based on the RSA hash function.

Explanation: A keyed-hash message authentication code (HMAC or KHMAC) is a type of message authentication code (MAC). HMACs use an additional secret key as input to the hash function, adding authentication to data integrity assurance.

136. What is the purpose of the webtype ACLs in an ASA?

to inspect outbound traffic headed towards certain web sites
to restrict traffic that is destined to an ASDM
to monitor return traffic that is in response to web server
requests that are initiated from the inside interface
to filter traffic for clientless SSL VPN users

Explanation: The webtype ACLs are used in a configuration that supports filtering for clientless SSL VPN users.

137. Which two statements describe the effect of the access control list wildcard mask 0.0.0.15? (Choose two.)

The first 28 bits of a supplied IP address will be matched.
The last four bits of a supplied IP address will be
matched.
The first 28 bits of a supplied IP address will be ignored.
The last four bits of a supplied IP address will be
ignored.
The last five bits of a supplied IP address will be ignored.
The first 32 bits of a supplied IP address will be matched.

Explanation: A wildcard mask uses 0s to indicate that bits must match. The 0s in the first three octets represent 24 bits and the four leading 0s in the last octet bring the total to 28 bits that must match. The four 1s represented by the decimal value 15 are the four bits to ignore.
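The wildcard arithmetic above, in code, as an added example that is not part of the original page. It matches an address against an ACE the way IOS does (compare only the bits where the wildcard is 0), counts the matched and ignored bits for 0.0.0.15, converts a contiguous wildcard to a prefix length, and shows a non-contiguous wildcard, which has no prefix-length equivalent but is still valid in an ACL. Addresses are constructed.

```python
"""Added example: IOS wildcard-mask matching and the 0.0.0.15 case."""
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, ace_address: str, wildcard: str) -> bool:
    """An address matches when every bit where the wildcard is 0 equals the
    corresponding bit of the ACE address; bits where the wildcard is 1 are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(ace_address) & care)


def matched_bits(wildcard: str) -> tuple[int, int]:
    """(bits that must match, bits that are ignored)."""
    ignored = bin(to_int(wildcard)).count("1")
    return 32 - ignored, ignored


def is_contiguous(wildcard: str) -> bool:
    """True when the 1 bits form one run at the low end (e.g. 0.0.0.15, 0.0.255.255)."""
    w = to_int(wildcard)
    return w == (1 << w.bit_length()) - 1


def wildcard_to_prefixlen(wildcard: str):
    """0.0.0.15 -> 28. Returns None for non-contiguous wildcards such as 0.255.0.255."""
    if not is_contiguous(wildcard):
        return None
    return 32 - to_int(wildcard).bit_length()


def prefixlen_to_wildcard(prefixlen: int) -> str:
    """The inverse: /28 -> 0.0.0.15."""
    return str(ipaddress.IPv4Address((1 << (32 - prefixlen)) - 1))


if __name__ == "__main__":
    print("0.0.0.15 matches/ignores:", matched_bits("0.0.0.15"))
    for host in ("192.168.1.0", "192.168.1.14", "192.168.1.16"):
        print(host, wildcard_match(host, "192.168.1.0", "0.0.0.15"))
    # non-contiguous: match any address in 10.x.3.y (even/odd-style selection)
    print("10.5.3.7 vs 10.0.3.0 0.255.0.255:", wildcard_match("10.5.3.7", "10.0.3.0", "0.255.0.255"))
```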

138. Which type of firewall is the most common and allows or blocks traffic based on Layer 3, Layer 4, and Layer 5 information?

stateless firewall
packet filtering firewall
next generation firewall
stateful firewall

139. Which protocol or measure should be used to mitigate the vulnerability of using FTP to transfer documents between a teleworker and the company file server?

SCP
TFTP
ACLs on the file server
out-of-band communication channel

Explanation: File transfer using FTP is transmitted in plain text. The username and password would be easily captured if the data transmission is intercepted. Secure Copy Protocol (SCP) conducts the authentication and file transfer under SSH, so the communication is encrypted. Like FTP, TFTP transfers files unencrypted. ACLs provide network traffic filtering but not encryption. Using an out-of-band communication channel (OOB) either requires physical access to the file server or, if done through the internet, does not necessarily encrypt the communication.

140. Refer to the exhibit. The IPv6 access list LIMITED_ACCESS is applied on the S0/0/0 interface of R1 in the inbound direction. Which IPv6 packets from the ISP will be dropped by the ACL on R1?

HTTPS packets to PC1
ICMPv6 packets that are destined to PC1
packets that are destined to PC1 on port 80
neighbor advertisements that are received from the ISP
router

Explanation: The access list LIMITED_ACCESS will block ICMPv6 packets from the ISP. Both port 80 (HTTP) traffic and port 443 (HTTPS) traffic are explicitly permitted by the ACL. The neighbor advertisements from the ISP router are implicitly permitted by the implicit permit icmp any any nd-na statement at the end of all IPv6 ACLs.

141. What tool is available through the Cisco IOS CLI to initiate security audits and to make recommended configuration changes with or without administrator input?

Control Plane Policing
Cisco AutoSecure
Cisco ACS
Simple Network Management Protocol

142. Refer to the exhibit. Which pair of crypto isakmp key commands would correctly configure PSK on the two routers?

R1(config)# crypto isakmp key cisco123 address 209.165.200.227
R2(config)# crypto isakmp key cisco123 address
209.165.200.226
R1(config)# crypto isakmp key cisco123 address
209.165.200.226
R2(config)# crypto isakmp key cisco123 address
209.165.200.227
R1(config)# crypto isakmp key cisco123 hostname R1
R2(config)# crypto isakmp key cisco123 hostname R2
R1(config)# crypto isakmp key cisco123 address
209.165.200.226
R2(config)# crypto isakmp key secure address
209.165.200.227

Explanation: The correct syntax of the crypto isakmp key command is as follows:
crypto isakmp key keystring address peer-address
or
crypto isakmp key keystring hostname peer-hostname
The keystring must be identical on both routers, and each router names the other router as the peer. So, the correct answer would be the following:
R1(config)# crypto isakmp key cisco123 address 209.165.200.227
R2(config)# crypto isakmp key cisco123 address 209.165.200.226

143. Which two technologies provide enterprise-managed VPN solutions? (Choose two.)

Layer 3 MPLS VPN
Frame Relay
site-to-site VPN
Layer 2 MPLS VPN
remote access VPN

144. What are the three components of an STP bridge ID? (Choose three.)

the date and time that the switch was brought online
the hostname of the switch
the MAC address of the switch
the extended system ID
the bridge priority value
the IP address of the management VLAN
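The three components named in the answer, assembled into the 8-byte bridge ID and used for a root election, as an added example that is not code from the page. The upper 16 bits hold the 4-bit priority (a multiple of 4096) plus the 12-bit extended system ID (the VLAN number), followed by the 48-bit MAC address; the switch with the numerically lowest bridge ID becomes root. The switch names and MAC addresses are constructed.

```python
"""Added example: composing an STP bridge ID and electing the root bridge."""


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """priority: multiple of 4096 in 0..61440 (4 bits); vlan: extended system ID (12 bits);
    mac: 48-bit address in 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff' form."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= vlan < 4096:
        raise ValueError("VLAN must fit in the 12-bit extended system ID")
    mac_int = int(mac.replace(":", "").replace(".", ""), 16)
    if mac_int >= 1 << 48:
        raise ValueError("MAC must be 48 bits")
    upper = priority + vlan            # what 'show spanning-tree' prints as 32769 for VLAN 1
    return (upper << 48) | mac_int


def describe(bid: int) -> str:
    """Render as '<priority+sysid>.<mac>' the way show spanning-tree does."""
    upper, mac = bid >> 48, bid & ((1 << 48) - 1)
    return f"{upper}.{mac:012x}"


def elect_root(switches):
    """switches: iterable of (name, priority, vlan, mac). Lowest bridge ID wins."""
    return min(switches, key=lambda s: bridge_id(*s[1:]))[0]


if __name__ == "__main__":
    # Constructed topology: two switches at the default priority, plus one an
    # attacker-controlled host could imitate by sending BPDUs with priority 0.
    lan = [("SW1", 32768, 1, "0011.2233.4455"),
           ("SW2", 32768, 1, "0000.0c12.3456"),
           ("ROGUE", 0, 1, "ffff.ffff.fffe")]
    for name, *rest in lan:
        print(name, describe(bridge_id(*rest)))
    print("root:", elect_root(lan))
```

With equal priorities the lower MAC wins (SW2 over SW1 above), and a device that advertises priority 0 takes the root role regardless of its MAC. That is the case root guard and BPDU guard exist for: they keep a port from accepting a superior BPDU rather than relying on the election.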

145. What are two differences between stateful and packet filtering firewalls? (Choose two.)

A packet filtering firewall will prevent spoofing by determining whether packets belong to an existing connection while a stateful firewall follows pre-configured rule sets.
A stateful firewall provides more stringent control
over security than a packet filtering firewall.
A packet filtering firewall is able to filter sessions that use
dynamic port negotiations while a stateful firewall cannot.
A stateful firewall will provide more logging
information than a packet filtering firewall.
A statefull firewall will examine each packet individually
while a packet filtering firewall observes the state of a
connection.

Explanation: There are many differences between a stateless and stateful firewall.
Stateless firewalls (packet filtering firewalls):
– are susceptible to IP spoofing
– do not reliably filter fragmented packets
– use complex ACLs, which can be difficult to implement and maintain
– cannot dynamically filter certain services
– examine each packet individually rather than in the context of the state of a connection
Stateful firewalls:
– are often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic
– strengthen packet filtering by providing more stringent control over security
– improve performance over packet filters or proxy servers
– defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source
– provide more log information than a packet filtering firewall

146. Which portion of the Snort IPS rule header identifies the destination port?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS

any
$HTTP_PORTS
$HOME_NET
tcp

147. Match each SNMP operation to the corresponding description. (Not all options are used.)

148. What port state is used by 802.1X if a workstation fails authorization?

disabled
down
unauthorized
blocking

149. Match the ASA special hardware modules to the description.

Explanation: The advanced threat control and containment services of an ASA firewall are provided by integrating special hardware modules with the ASA architecture. These special modules include:
– Advanced Inspection and Prevention (AIP) module – supports advanced IPS capability.
– Content Security and Control (CSC) module – supports antimalware capabilities.
– Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM) and Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC) – support protection against tens of thousands of known exploits.

150. Refer to the exhibit. Which two ACLs, if applied to the G0/1 interface of R2, would permit only the two LAN networks attached to R1 to access the network that connects to the R2 G0/1 interface? (Choose two.)

access-list 3 permit 192.168.10.128 0.0.0.63

access-list 1 permit 192.168.10.0 0.0.0.127

access-list 4 permit 192.168.10.0 0.0.0.255

access-list 2 permit host 192.168.10.9
access-list 2 permit host 192.168.10.69

access-list 5 permit 192.168.10.0 0.0.0.63
access-list 5 permit 192.168.10.64 0.0.0.63

Explanation: The permit 192.168.10.0 0.0.0.127 command ignores bit positions 1 through 7, which means that addresses 192.168.10.0 through 192.168.10.127 are allowed through. The two ACEs of permit 192.168.10.0 0.0.0.63 and permit 192.168.10.64 0.0.0.63 allow the same address range through the router.
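To make the wildcard arithmetic concrete, here is an added example (not part of the original page) that evaluates the five ACLs from the question above against every host in 192.168.10.0/24 and confirms that ACL 1 and ACL 5 permit exactly the same addresses while ACL 4 permits a superset; the ACL numbers and ACEs come from the question, the function names and the /24 test network are assumptions of this example.

```python
"""Standard IPv4 ACL wildcard-mask evaluation (added example, not from the page)."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# An ACE is (address, wildcard). Bits set to 1 in the wildcard are "don't care";
# bits set to 0 must match the ACE address exactly. A host entry is wildcard 0.0.0.0.
Ace = Tuple[str, str]


def ace_matches(ace: Ace, ip: str) -> bool:
    """True if ip falls inside the address set described by (address, wildcard)."""
    addr = int(ipaddress.IPv4Address(ace[0]))
    wild = int(ipaddress.IPv4Address(ace[1]))
    target = int(ipaddress.IPv4Address(ip))
    care = ~wild & 0xFFFFFFFF          # bits the router actually compares
    return (addr & care) == (target & care)


def ace_range(ace: Ace) -> Tuple[str, str]:
    """Lowest and highest address matched by a contiguous wildcard mask."""
    addr = int(ipaddress.IPv4Address(ace[0]))
    wild = int(ipaddress.IPv4Address(ace[1]))
    low = addr & ~wild & 0xFFFFFFFF    # clear the don't-care bits
    high = low | wild                  # set them all
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def acl_permits(acl: Iterable[Ace], ip: str) -> bool:
    """Standard ACL containing only permit ACEs, followed by the implicit deny any."""
    return any(ace_matches(ace, ip) for ace in acl)


def matched_hosts(acl: Iterable[Ace], candidates: Iterable[str]) -> List[str]:
    """Return the candidates that the ACL would permit, in order."""
    acl = list(acl)
    return [ip for ip in candidates if acl_permits(acl, ip)]


def same_coverage(acl_a: Iterable[Ace], acl_b: Iterable[Ace],
                  network: str = "192.168.10.0/24") -> bool:
    """True if two ACLs permit exactly the same hosts within the test network."""
    hosts = [str(h) for h in ipaddress.ip_network(network)]
    return matched_hosts(acl_a, hosts) == matched_hosts(acl_b, hosts)


# The five candidate ACLs from question 150, as (address, wildcard) pairs.
ACLS: Dict[int, List[Ace]] = {
    1: [("192.168.10.0", "0.0.0.127")],
    2: [("192.168.10.9", "0.0.0.0"), ("192.168.10.69", "0.0.0.0")],  # host entries
    3: [("192.168.10.128", "0.0.0.63")],
    4: [("192.168.10.0", "0.0.0.255")],
    5: [("192.168.10.0", "0.0.0.63"), ("192.168.10.64", "0.0.0.63")],
}


if __name__ == "__main__":
    for number, acl in ACLS.items():
        print(f"access-list {number}:", [ace_range(ace) for ace in acl])
    print("ACL 1 and ACL 5 cover the same hosts:", same_coverage(ACLS[1], ACLS[5]))
    print("ACL 1 and ACL 4 cover the same hosts:", same_coverage(ACLS[1], ACLS[4]))
```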

151. Which two characteristics apply to role-based CLI access superviews? (Choose two.)

A specific superview cannot have commands added to it directly.
CLI views have passwords, but superviews do not have passwords.
A single superview can be shared among multiple CLI views.
Deleting a superview deletes all associated CLI views.
Users logged in to a superview can access all commands specified within the associated CLI views.

Explanation: By using a superview an administrator can assign users or groups of users to CLI views which contain a specific set of commands those users can access. Commands cannot be added directly to a superview but rather must be added to a CLI view and the CLI view added to the superview.

152. Match the IPS alarm type to the description.
153. What are two security features commonly found in a WAN design? (Choose two.)

WPA2 for data encryption of all data between sites
firewalls protecting the main and remote sites
outside perimeter security including continuous video surveillance
port security on all user-facing ports
VPNs used by mobile workers between sites

Explanation: WANs span a wide area and commonly have connections from a main site to remote sites including a branch office, regional site, SOHO sites, and mobile workers. WANs typically connect over a public internet connection. Each site commonly has a firewall and VPNs used by remote workers between sites.

58 COMMENTS

Big FOOT (1 month ago)
These answers still valid?

K-min (1 year ago)
What are two security features commonly found in a WAN design? (Choose two.)
outside perimeter security including continuous video surveillance
port security on all user-facing ports
VPNs used by mobile workers between sites
WPA2 for data encryption of all data between sites
firewalls protecting the main and remote sites
I think a new question was added. Help me.

gemechu (1 year ago)
list parameters included in ip security database?

VitalyES (1 year ago)
Match the IPS alarm type to the description.
verified attack traffic is generating an alarm – True positive
normal user traffic is not generating an alarm – True negative
attack traffic is not generating an alarm – False negative
normal user traffic is generating an alarm – False positive

guest (1 year ago)
138. Which type of firewall is the most common and allows or blocks traffic based on Layer 3, Layer 4, and Layer 5 information?
stateless firewall
packet filtering firewall
next generation firewall
stateful firewall
packet filtering == stateless firewall == 3 and 4 layer

Attia (2 years ago)
Match the IPS alarm type to the description

Erick (2 years ago)
Hi everyone! new attached question

Dina (2 years ago)
Match the ASA special hardware modules to the description.

Austin Graves (2 years ago)
Match the security management function with the description.

Artur (2 years ago)
Which two technologies provide enterprise-managed VPN solutions? (Choose two.)
Layer 3 MPLS VPN
Frame Relay
site-to-site VPN * correct
Layer 2 MPLS VPN
remote access VPN * (correct)
Last edited 2 years ago by Artur

Koma (2 years ago)
46. What are the three components of an STP bridge ID? (Choose three.)
the date and time that the switch was brought online
the hostname of the switch
the MAC address of the switch
the extended system ID
the bridge priority value
the IP address of the management VLAN

Koma (2 years ago)
What are the three components of an STP bridge ID? (Choose three.)

Koma (2 years ago)
33. What are two differences between stateful and packet filtering firewalls? (Choose two.)
A packet filtering firewall will prevent spoofing by determining whether packets belong to an existing connection while a stateful firewall follows pre-configured rule sets.
A stateful firewall provides more stringent control over security than a packet filtering firewall.
A packet filtering firewall is able to filter sessions that use dynamic port negotiations while a stateful firewall cannot.
A stateful firewall will provide more logging information than a packet filtering firewall.
A stateful firewall will examine each packet individually while a packet filtering firewall observes the state of a connection.
Last edited 2 years ago by lucas sanju

billionaries_killer (2 years ago)
Match each SNMP operation to the corresponding description. (Not all options are used.)

billionaries_killer (2 years ago)
Which two technologies provide enterprise-managed VPN solutions? (Choose two.)
* remote access VPN
Layer 3 MPLS VPN
* site-to-site VPN
Layer 2 MPLS VPN
Frame Relay

billionaries_killer (2 years ago)
What are the three components of an STP bridge ID? (Choose three.)
the date and time that the switch was brought online
* the MAC address of the switch
the IP address of the management VLAN
the hostname of the switch
* the bridge priority value
* the extended system ID

billionaries_killer (2 years ago)
Which portion of the Snort IPS rule header identifies the destination port? alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
any
* $HTTP_PORTS
$HOME_NET
tcp

billionaries_killer (2 years ago)
What are two differences between stateful and packet filtering firewalls? (Choose two.)
A stateful firewall will examine each packet individually while a packet filtering firewall observes the state of a connection.
A stateful firewall provides more stringent control over security than a packet filtering firewall.
A packet filtering firewall will prevent spoofing by determining whether packets belong to an existing connection while a stateful firewall follows pre-configured rule sets.
A packet filtering firewall is able to filter sessions that use dynamic port negotiations while a stateful firewall cannot.
A stateful firewall will provide more logging information than a packet filtering firewall.

joseph climber (2 years ago)
true positive true negative false positive false negative
verified attack traffic is generating an alarm
normal user traffic is not generating an alarm
attack traffic is not generating an alarm
normal user traffic is generating an alarm

efbium (2 years ago)
Which two technologies provide enterprise-managed VPN solutions? (Choose two.)
Frame Relay
remote access VPN
Layer 3 MPLS VPN
Layer 2 MPLS VPN
site-to-site VPN

Anon (2 years ago)
Refer to the exhibit. Which pair of crypto isakmp key commands would correctly configure PSK on the two routers?

R1(config)# crypto isakmp key cisco123 address 209.165.200.226
R2(config)# crypto isakmp key secure address 209.165.200.227

R1(config)# crypto isakmp key cisco123 address 209.165.200.226
R2(config)# crypto isakmp key cisco123 address 209.165.200.227

R1(config)# crypto isakmp key cisco123 address 209.165.200.227
R2(config)# crypto isakmp key cisco123 address 209.165.200.226

R1(config)# crypto isakmp key cisco123 hostname R1
R2(config)# crypto isakmp key cisco123 hostname R2

Anon (2 years ago)
What tool is available through the Cisco IOS CLI to initiate security audits and to make recommended configuration changes with or without administrator input?
Control Plane Policing
Cisco AutoSecure
Cisco ACS
Simple Network Management Protocol

Anon (2 years ago)
Which two statements describe the effect of the access control list wildcard mask 0.0.0.15? (Choose two.)
The first 32 bits of a supplied IP address will be matched.
The first 28 bits of a supplied IP address will be ignored.
The last four bits of a supplied IP address will be ignored.
The first 28 bits of a supplied IP address will be matched.
The last four bits of a supplied IP address will be matched.
The last five bits of a supplied IP address will be ignored.

Anon (2 years ago)
Refer to the exhibit. The IPv6 access list LIMITED_ACCESS is applied on the S0/0/0 interface of R1 in the inbound direction. Which IPv6 packets from the ISP will be dropped by the ACL on R1?
HTTPS packets to PC1
packets that are destined to PC1 on port 80
ICMPv6 packets that are destined to PC1
neighbor advertisements that are received from the ISP router

Blindvision (2 years ago)
Thanks for the material of study.
Below are some new questions to be added.

Which two statements describe the use of asymmetric algorithms?
If a public key is used to encrypt the data, a private key must be used to decrypt the data.
If a private key is used to encrypt the data, a private key must be used to decrypt the data.
If a public key is used to encrypt the data, a public key must be used to decrypt the data.
Public and private keys may be used interchangeably.
If a private key is used to encrypt the data, a public key must be used to decrypt the data.
////////////////////////////////////////////////////////////
Which statement is a feature of HMAC?
HMAC uses a secret key as input to the hash function, adding authentication to integrity assurance.
HMAC uses a secret key that is only known to the sender and defeats man-in-the-middle attacks.
HMAC uses protocols such as SSL or TLS to provide session layer confidentiality.
HMAC is based on the RSA hash function.
////////////////////////////////////////////////////////////
What is the purpose of the webtype ACLs in an ASA?
to monitor return traffic that is in response to web server requests that are initiated from the inside interface
to inspect outbound traffic headed towards certain web sites
to filter traffic for clientless SSL VPN users (Correct Answer)
to restrict traffic that is destined to an ASDM
////////////////////////////////////////////////////////////
Which two statements describe the effect of the access control list wildcard mask 0.0.0.15? (Choose two.)
The first 32 bits of a supplied IP address will be matched.
The last four bits of a supplied IP address will be ignored.
The last five bits of a supplied IP address will be ignored.
The first 28 bits of a supplied IP address will be matched.
The first 28 bits of a supplied IP address will be ignored.
The last four bits of a supplied IP address will be matched.
////////////////////////////////////////////////////////////
Which type of firewall is the most common and allows or blocks traffic based on Layer 3, Layer 4, and Layer 5 information?
stateless firewall
packet filtering firewall
next generation firewall
stateful firewall
////////////////////////////////////////////////////////////
Which protocol or measure should be used to mitigate the vulnerability of using FTP to transfer documents between a teleworker and the company file server?
SCP
out-of-band communication channel
ACLs on the file server
TFTP
////////////////////////////////////////////////////////////

3r!v@s (2 years ago)
Question

3r!v@s (2 years ago)
What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.)
The code has not been modified since it left the software publisher.
The code is authentic and is actually sourced by the publisher.
The code was encrypted with both a private and public key.
The code contains no viruses.
The code contains no errors.

3r!v@s (2 years ago)
In an attempt to prevent network attacks, cyber analysts share unique identifiable attributes of known attacks with colleagues. What three types of attributes or indicators of compromise are helpful to share? (Choose three.)
IP addresses of attack servers
features of malware files
changes made to end system software
BIOS of attacking systems
system ID of compromised systems
netbios names of compromised firewalls

3r!v@s (2 years ago)
What function is performed by the class maps configuration object in the Cisco modular policy framework?
applying a policy to interesting traffic
restricting traffic through an interface
identifying interesting traffic
applying a policy to an interface

3r!v@s (2 years ago)
Which three statements are generally considered to be best practices in the placement of ACLs? (Choose three.)
Filter unwanted traffic before it travels onto a low-bandwidth link.
Place standard ACLs close to the destination IP address of the traffic.
Place extended ACLs close to the source IP address of the traffic.
Place extended ACLs close to the destination IP address of the traffic.
Place standard ACLs close to the source IP address of the traffic.
For every inbound ACL placed on an interface, there should be a matching outbound ACL.

3r!v@s (2 years ago)
What functionality is provided by Cisco SPAN in a switched network?
It prevents traffic on a LAN from being disrupted by a broadcast storm.
It mitigates MAC address overflow attacks.
It protects the switched network from receiving BPDUs on ports that should not be receiving them.
It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.
It copies traffic that passes through a switch interface and sends the data directly to a syslog or SNMP server for analysis.
It inspects voice protocols to ensure that SIP, SCCP, H.323, and MGCP requests conform to voice standards.

3r!v@s (2 years ago)
Question DRAG-AND-DROP

Max (2 years ago)
When an inbound Internet-traffic ACL is being implemented, what should be included to prevent the spoofing of internal networks?
ACEs to prevent broadcast address traffic
ACEs to prevent SNMP traffic
ACEs to prevent traffic from private address spaces
ACEs to prevent ICMP traffic
ACEs to prevent HTTP traffic

Max (2 years ago)
more

Max (2 years ago)
Which two types of attacks are examples of reconnaissance attacks? (Choose two.)
ping sweep
port scan
man-in-the-middle
brute force
SYN flood

Max (2 years ago)
Which Cisco solution helps prevent ARP spoofing and ARP poisoning attacks?
DHCP Snooping
Port Security
Dynamic ARP Inspection
IP Source Guard

Max (2 years ago)
When the Cisco NAC appliance evaluates an incoming connection from a remote device against the defined network policies, what feature is being used?
posture assessment
remediation of noncompliant systems
authentication and authorization
quarantining of noncompliant systems

Max (2 years ago)
Which two steps are required before SSH can be enabled on a Cisco router? (Choose two.)
Enable SSH on the physical interfaces where the incoming connection requests will be received.
Create a banner that will be displayed to users when they connect.
Give the router a host name and domain name.
Set up an authentication server to handle incoming connection requests.
Generate a set of secret keys to be used for encryption and decryption.

Max (2 years ago)
The network administrator for an e-commerce website requires a service that prevents customers from claiming that legitimate orders are fake. What service provides this type of guarantee?
confidentiality
authentication
integrity
nonrepudiation

Max (2 years ago)
Match the security technology with the description.

Alex43 (2 years ago)
Thanks so much, how many questions are in this exam?

Ahuys (2 years ago)
Passed, good site, many thanks

Network Security (Version 1.0) - Practice Final Exam Answers 20/12/2023, 3:12 AM

Network Security (Version 1.0) – Practice Final Exam Answers
May 20, 2021 | Last Updated: Nov 6, 2023 | Network Security 1.0 | No Comments

Network Security (Version 1.0) Practice Final Answers
1. Which two statements are true about ASA standard ACLs? (Choose two.)

They identify only the destination IP address.
They are the most common type of ACL.
They are applied to interfaces to control traffic.
They specify both the source and destination MAC address.
They are typically only used for OSPF routes.

Explanation: ASA standard ACLs are used to identify the destination IP addresses, unlike IOS ACLs where a standard ACL identifies the source host/network. They are typically only used for OSPF routes and can be used in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic.

2. When dynamic NAT on an ASA is being configured, what two parameters must be specified by network objects? (Choose two.)

the inside NAT interface
the interface security level
the outside NAT interface
a range of private addresses that will be translated
the pool of public global addresses

Explanation: On an ASA, both the pool of addresses that will be used as inside global address and the range of internal private addresses that should be translated are configured through network objects.

3. Which protocol uses X.509 certificates to support mail protection performed by mail agents?

IPsec
SSL
S/MIME
EAP-TLS

Explanation: Many applications use the X.509 standard format of digital certificates to authenticate websites, public key distribution, and end devices connected to switch ports. User email agents use the S/MIME protocol to support email protection. S/MIME uses X.509 certificates.

4. What are two security features commonly found in a WAN design? (Choose two.)

WPA2 for data encryption of all data between sites
firewalls protecting the main and remote sites
outside perimeter security including continuous video surveillance
port security on all user-facing ports
VPNs used by mobile workers between sites

Explanation: WANs span a wide area and commonly have connections from a main site to remote sites including a branch office, regional site, SOHO sites, and mobile workers. WANs typically connect over a public internet connection. Each site commonly has a firewall and VPNs used by remote workers between sites.

5. What is an appropriate use for class 5 digital certificates?

used for online business transactions between companies
used for private organizations or government security
used by organizations for which proof of identity is required
used for testing in situations in which no checks have been performed

Explanation: The CA class number determines how rigorous the procedure was that verified the identity of the holder when the certificate was issued. The higher the class number, the more trusted the certificate. Class numbers range from 0 to 5. A class 5 certificate is the most trusted, and class 0 the least trusted. Class 5 is used for private organizations or government security.
6. Which two statements are characteristics of a virus? (Choose two.)

A virus typically requires end-user activation.
A virus has an enabling vulnerability, a propagation mechanism, and a payload.
A virus replicates itself by independently exploiting vulnerabilities in networks.
A virus provides the attacker with sensitive data, such as passwords.
A virus can be dormant and then activate at a specific time or date.

Explanation: The type of end user interaction required to launch a virus is typically opening an application, opening a web page, or powering on the computer. Once activated, a virus may infect other files located on the computer or other computers on the same network.

7. Match the information security component with the description.

8. Match the security policy with the description. (Not all options are used.)

identifies network applications and uses that are acceptable to the organization – acceptable use policy (AUP)
identifies how remote users can access a network and what is accessible via remote connectivity – remote access policy
specifies authorized persons that can have access to network resources and identity verification procedures – identification and authentication policy
specifies network device operating systems and end user application update procedures – network maintenance policy

9. How does the service password-encryption command enhance password security on Cisco routers and switches?

It encrypts passwords as they are sent across the network.
It encrypts passwords that are stored in router or switch configuration files.
It requires that a user type encrypted passwords to gain console access to a router or switch.
It requires encrypted passwords to be used when connecting remotely to a router or switch with Telnet.

Explanation: The service password-encryption command encrypts plaintext passwords in the configuration file so that they cannot be viewed by unauthorized users.

10. Which benefit does SSH offer over Telnet for remotely managing a router?

encryption
TCP usage
authorization
connections via multiple VTY lines

Explanation: SSH provides secure access to a network device for remote management. It uses a stronger password authorization than Telnet does and encrypts any data that is transported during the session.

11. Refer to the exhibit. Which statement about the JR-Admin account is true?

JR-Admin can issue show, ping, and reload commands.
JR-Admin can issue ping and reload commands.
JR-Admin can issue only ping commands.
JR-Admin can issue debug and reload commands.
JR-Admin cannot issue any command because the privilege level does not match one of those defined.

Explanation: When the username name privilege 10 command is issued, access to commands with a privilege level of 10 or less (0-10) is permitted to the user.

12. What protocol is used by SCP for secure transport?

IPSec
HTTPS
SSH
Telnet
TFTP

Explanation: The Secure Copy (SCP) feature provides a secure and authenticated method for copying and saving router configuration files by using SSH.

13. Refer to the exhibit. What type of syslog message is displayed?

warning
notification
informational
debugging

Explanation: The severity level is used to provide an explanation for the event or error that is occurring within the Cisco IOS. The smaller the number of the severity level, the more critical the event. A Syslog message with a level 5 is considered a notification message.

14. What command must be issued on a Cisco router that will serve as an authoritative NTP server?

ntp master 1
ntp server 172.16.0.1
ntp broadcast client
clock set 11:00:00 DEC 20 2010

Explanation: Routers that will serve as NTP masters must be configured with the ntp master command. A client is configured with the ntp server command so that the client can locate the NTP master. The ntp broadcast client command allows NTP to use broadcast messages. The clock set command is used to set the time on a router.

15. A server log includes this entry: User student accessed host server ABC using Telnet yesterday for 10 minutes. What type of log entry is this?

authentication
authorization
accounting
accessing

Explanation: Accounting records what users do and when they do it, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used.

16. Which three types of views are available when configuring the role-based CLI access feature? (Choose three.)

superuser view
root view
superview
CLI view
admin view
config view

Explanation: There are three types of Role-based CLI views:
1) root view
2) CLI view
3) superview

17. What is the purpose of using the ip ospf message-digest-key key md5 password command and the area area-id authentication message-digest command on a router?

to encrypt OSPF routing updates
to enable OSPF MD5 authentication on a per-interface basis
to configure OSPF MD5 authentication globally on the router
to facilitate the establishment of neighbor adjacencies
to facilitate the establishment of neighbor adjacencies

Explanation: To configure OSPF MD5 authentication globally, the ip ospf message-digest-key key md5 password interface configuration command and the area area-id authentication message-digest router configuration command are issued. To configure OSPF MD5 authentication per interface, the ip ospf message-digest-key key md5 password interface configuration command and the ip ospf authentication message-digest interface configuration command are issued. Authentication does not encrypt OSPF routing updates. The requirements to establish OSPF router neighbor adjacencies are separate from authentication.

18. What is indicated by the use of the local-case keyword in a local AAA authentication configuration command sequence?

that user access is limited to vty terminal lines
that passwords and usernames are case-sensitive
that AAA is enabled globally on the router
that a default local database AAA authentication is applied to all lines

Explanation: The use of the local-case keyword means that the authentication is case-sensitive. It does not enable or apply the AAA configuration to router interfaces or lines.

19. A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two.)

encryption for all communication
hidden passwords during transmission
single process for authentication and authorization
separate processes for authentication and authorization
encryption for only the data

Explanation: RADIUS authentication supports the following features:
– RADIUS authentication and authorization as one process
– Encrypts only the password
– Utilizes UDP
– Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)

20. A network administrator is explaining to a junior colleague the use of the lt and gt keywords when filtering packets using an extended ACL. Where would the lt or gt keywords be used?

in an IPv6 extended ACL that stops packets going to one specific destination VLAN
in an IPv4 named standard ACL that has specific UDP protocols that are allowed to be used on a specific server
in an IPv6 named ACL that permits FTP traffic from one particular LAN getting to another LAN
in an IPv4 extended ACL that allows packets from a range of TCP ports destined for a specific network device

Explanation: The lt and gt keywords are used for defining a range of port numbers that are less than a particular port number or greater than a particular port number.

21. Which feature is unique to IPv6 ACLs when compared to those of IPv4 ACLs?

the use of wildcard masks
an implicit deny any any statement
the use of named ACL statements
an implicit permit of neighbor discovery packets

Explanation: One of the major differences between IPv6 and IPv4 ACLs is the two implicit permit statements at the end of any IPv6 ACL. These two permit statements allow neighbor discovery operations to function on the router interface.

22. Refer to the exhibit. An extended access list has been created to prevent human resource users from gaining access to the accounting server. All other network traffic is to be permitted. When following the ACL configuration guidelines, on which router, interface, and direction should the access list be applied?

router R1, interface S0/1/0, outbound
router R2, interface Gi0/0/1, outbound
router R2, interface Gi0/0/1, inbound
router R1, interface Gi0/0/0, inbound
router R2, interface S0/1/1, inbound
router R1, interface Gi0/0/0, outbound

Explanation: The ACL configuration guidelines recommend placing extended access control lists as close to the source of network traffic as possible and placing standard access control lists as close to the destination of network traffic as possible.

23. Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model?

Both stateful and packet-filtering firewalls can filter at the application layer.
A stateful firewall can filter application layer information, whereas a packet-filtering firewall cannot filter beyond the network layer.
A packet-filtering firewall typically can filter up to the transport layer, whereas a stateful firewall can filter up to the session layer.
A packet-filtering firewall uses session layer information to track the state of a connection, whereas a stateful firewall uses application layer information to track the state of a connection.

Explanation: Packet filtering firewalls can always filter Layer 3 content and sometimes TCP and UDP-based content. Stateful firewalls monitor connections and thus have to be able to support up to the session layer of the OSI model.

24. Which special hardware module, when integrated into ASA, provides advanced IPS features?

Content Security and Control (CSC)
Advanced Inspection and Prevention (AIP)
Advanced Inspection and Prevention Security Services Card (AIP-SSC)
Advanced Inspection and Prevention Security Services Module (AIP-SSM)

Explanation: The advanced threat control and containment services of an ASA firewall are provided by integrating special hardware modules with the ASA architecture. These special modules include:
Advanced Inspection and Prevention (AIP) module – supports advanced IPS capability.
Content Security and Control (CSC) module – supports antimalware capabilities.
Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM) and Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC) – support protection against tens of thousands of known exploits.

25. Refer to the exhibit. A network administrator is configuring the security level for the ASA. What is a best practice for assigning the security level on the three interfaces?

Outside 0, Inside 35, DMZ 90
Outside 40, Inside 100, DMZ 0
Outside 0, Inside 100, DMZ 50
Outside 100, Inside 10, DMZ 40

Explanation: The Cisco ASA assigns security levels to distinguish among the different networks it connects. Security levels define the level of trustworthiness of an interface. The higher the level, the more trusted the interface. The security level numbers range from 0 (untrustworthy) to 100 (very trustworthy). Therefore, the interface connecting to the Internet should be assigned the lowest level. The interface connecting to the internal network should be assigned the highest level. The interface connecting to the DMZ network should be assigned a level between them.

26. What is an advantage in using a packet filtering firewall versus a high-end firewall appliance?

Packet filters perform almost all the tasks of a high-end firewall at a fraction of the cost.
Packet filters represent a complete firewall solution.
Packet filters are not susceptible to IP spoofing.
Packet filters provide an initial degree of security at the data-link and network layer.

Explanation: There are several advantages of using a packet filtering firewall:
– allows for implementing simple permit or deny rule sets
– has a low impact on network performance
– is easy to implement, and is supported by most routers
– provides an initial degree of security at the network layer
– performs almost all the tasks of a high-end firewall at a much lower cost

27. Which type of firewall is commonly part of a router firewall and allows or blocks traffic based on Layer 3 and Layer 4 information?

stateless firewall
stateful firewall
proxy firewall
application gateway firewall

Explanation: A stateless firewall uses a simple policy table look-up that filters traffic based on specific criteria. These firewalls are usually part of a router firewall. They permit or deny traffic based on Layer 3 and Layer 4 information.

28. A company is deploying a new network design in which the border router has three interfaces. Interface Serial0/0/0 connects to the ISP, GigabitEthernet0/0 connects to the DMZ, and GigabitEthernet0/1 connects to the internal private network. Which type of traffic would receive the least amount of inspection (have the most freedom of travel)?

traffic that is going from the private network to the DMZ
traffic that originates from the public network and that is destined for the DMZ
traffic that is returning from the DMZ after originating from the private network
traffic that is returning from the public network after originating from the private network

Explanation: Most traffic within an organization originates from a private IP address. The amount of inspection done to that traffic depends on its destination or whether traffic that is going to that private IP address originated the connection. The demilitarized zone typically holds servers. Traffic that is destined to those servers is filtered based on what services are being provided by the server (HTTP, HTTPS, DNS, etc.).

29. What are two benefits offered by a zone-based policy firewall on a Cisco router? (Choose two.)

Policies are defined exclusively with ACLs.
Policies are applied to unidirectional traffic between zones.
Policies provide scalability because they are easy to read and troubleshoot.
Any interface can be configured with both a ZPF and an IOS Classic Firewall.
Virtual and physical interfaces are put in different zones to enhance security.

Explanation: There are several benefits of a ZPF:
It is not dependent on ACLs.
The router security posture is to block unless explicitly allowed.
Policies are easy to read and troubleshoot. This provides scalability because one policy affects any given traffic, instead of needing multiple ACLs and inspection actions for different types of traffic.
Virtual and physical interfaces can be grouped into zones.
Policies are applied to unidirectional traffic between zones.
Both IOS Classic Firewalls and ZPFs can be enabled concurrently on a Cisco router. However, the models cannot be combined on a single interface.

30. When a Cisco IOS Zone-Based Policy Firewall is being configured via CLI, which step must be taken after zones have been created?

Design the physical infrastructure.
Establish policies between zones.
Identify subsets within zones.
Assign interfaces to zones.

Explanation: The steps for configuring zones in a Zone-Based Policy Firewall are as follows:
– Step 1. Determine the zones.
– Step 2. Establish policies between zones.
– Step 3. Design the physical infrastructure.
– Step 4. Identify subsets within zones and merge traffic requirements.

31. What are two shared characteristics of the IDS and the IPS? (Choose two.)

Both are deployed as sensors.
Both analyze copies of network traffic.
Both use signatures to detect malicious traffic.
Both have minimal impact on network performance.
Both rely on an additional network device to respond to malicious traffic.

Explanation: Both the IDS and the IPS are deployed as sensors and use signatures to detect malicious traffic. The IDS analyzes copies of network traffic, which results in minimal impact on network performance. The IDS also relies on an IPS to stop malicious traffic.

32. When a Cisco IOS Zone-Based Policy Firewall is being configured, which two actions can be applied to a traffic class? (Choose two.)

log
hold
drop
inspect
copy
forward

Explanation: The three actions that can be applied are inspect, drop, and pass.
Inspect – This action offers state-based traffic control.
Drop – This is the default action for all traffic. Similar to the implicit deny any at the end of every ACL, there is an explicit drop applied by the IOS to the end of every policy map.
Pass – This action allows the router to forward traffic from one zone to another.

33. Match the network security device type with the description.

34. What is a characteristic of an IPS atomic signature?

it can be slow and inefficient to analyze traffic
it requires several pieces of data to match an attack
it is a stateful signature
it is the simplest type of signature

Explanation: There are two types of IPS signatures:
Atomic – This is the simplest type of signature because it does not require the IPS to maintain state information and it can identify an attack with a single packet, activity, or event.
Composite – This is a stateful type of signature. It requires that the IPS maintain state information to match an attack signature.

35. Match each IPS signature trigger category with the description.

36. A company is concerned about data theft if any of the corporate laptops are stolen. Which Windows tool would the company use to protect the data on the laptops?

AMP
802.1X
RADIUS
BitLocker

Explanation: Storage devices can be encrypted to protect data from unauthorized access. Windows BitLocker provides drive encryption.

37. What protocol is used to encapsulate the EAP data between the authenticator and authentication server performing 802.1X authentication?

RADIUS
TACACS+
SSH
MD5

Explanation: Encapsulation of EAP data between the authenticator and the authentication server is performed using RADIUS.

38. A company requires the use of 802.1X security. What type of traffic can be sent if the authentication port-control auto command is configured, but the client has not yet been authenticated?

SNMP
EAPOL
broadcasts such as ARP
any data encrypted with 3DES or AES

Explanation: 802.1X prevents unauthorized devices from gaining access to the network. The authentication port-control auto command turns on 802.1X access control. Until the client is authenticated, 802.1X only allows Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic to pass through the port. EAPOL messages are sent between the client and the authenticator such as a switch. If authentication is successful, normal traffic can be sent and received through the port.

39. Which two security features can cause a switch port to become error-disabled? (Choose two.)

root guard
PortFast with BPDU guard enabled
protected ports
storm control with the trap option
port security with the shutdown violation mode

Explanation: Error-disabled mode is a way for a switch to automatically shut down a port that is causing problems, and usually requires manual intervention from an administrator to restore the port. When port security is configured to use the shutdown violation mode, it will put the port into the error-disabled mode when the maximum number of MAC addresses is exceeded. Likewise, BPDU guard will put the port into error-disabled mode if a BPDU arrives on a PortFast enabled interface. Storm control will only put the port into the error-disabled mode when configured with the shutdown option. The trap option will simply create an SNMP log message.

40. What are three techniques for mitigating VLAN hopping attacks? (Choose three.)

Disable DTP.
Enable trunking manually.
Set the native VLAN to an unused VLAN.
Enable BPDU guard.
Enable Source Guard.
Use private VLANs.

Explanation: Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP), manually setting ports to trunking mode, and by setting the native VLAN of trunk links to VLANs not in use.

41. Refer to the exhibit. A network administrator is configuring DAI on switch SW1. What is the result of entering the exhibited commands?

DAI will validate both source and destination MAC addresses as well as the IP addresses in the order specified. If all parameters are valid then the ARP packet is allowed to pass.
DAI will validate both source and destination MAC addresses as well as the IP addresses in the order specified. When one set of parameters is valid, the ARP packet is allowed to pass.
DAI will validate only the destination MAC addresses.
DAI will validate only the IP addresses.

Explanation: DAI can be configured to check for destination MAC, source MAC, and IP addresses. However, only one ip arp inspection validate command can be configured. Entering multiple ip arp inspection validate commands overwrites the previous command.

42. During a recent pandemic, employees from ABC company were allowed to work from home. What security technology should be implemented to ensure that data communications between the employees and the ABC Head Office network remain confidential?

a symmetric or asymmetric encryption algorithm such as AES or PKI
a hashing algorithm such as MD5
a hash message authentication code such as HMAC
a hash-generating algorithm such as SHA

Explanation: MD5 and SHA are hash-generating algorithms that guarantee that no one intercepted the message and altered it. Advanced Encryption Standard (AES) is a popular symmetric encryption algorithm where each communicating party needs to know the pre-shared key. Public key infrastructure (PKI) is an asymmetric encryption algorithm based on the assumption that the two communicating parties have not previously shared a secret key. HMAC is a hash message authentication code that guarantees that the message is not a forgery and actually comes from the authentic source.

43. Which cipher played a significant role in World War II?

RC4
Caesar
Enigma
One-time pad

Explanation: The Enigma machine was an electromechanical encryption device that created the Enigma cipher and was developed during World War II. The device depended on the distribution of pre-shared keys that were used to encrypt and decrypt messages.

44. One method used by cryptanalysts to crack codes is based on the fact that some letters of the English language are used more often than others. Which term is used to describe this method?

cybertext
meet-in-the-middle
frequency analysis
known-plaintext

Explanation: Frequency analysis uses the fact that some characters in the English alphabet are used more often than others. The letters E, T, and A are the most popular letters and J, Q, X, and Z are the least popular.

45. Why are DES keys considered weak keys?

They are more resource intensive.
DES weak keys are difficult to manage.
They produce identical subkeys.
DES weak keys use very long key sizes.

Explanation: Weak keys, whether part of an existing encryption algorithm or manually generated, reveal regularities in encryption. This creates a shortcut by which a hacker can break the encryption. DES has four keys for which encryption is identical to decryption.

46. Refer to the exhibit. A network administrator is configuring an object group on an ASA device. Which configuration keyword should be used after the object group name SERVICE1?

ip
tcp
udp
icmp

Explanation: Because this is a service object group, the keyword should indicate which protocol is used. The options are tcp, udp, tcp-udp, icmp, and icmpv6. The subsequent commands indicate that the services in the group are WWW, FTP, and SMTP. Because all of these protocols use TCP, the keyword in the service object group should be tcp.

47. In the implementation of network security, how does the deployment of a Cisco ASA firewall differ from a Cisco IOS router?

ASA devices use ACLs that are always numbered.
ASA devices do not support an implicit deny within ACLs.
ASA devices support interface security levels.
ASA devices use ACLs configured with a wildcard mask.

Explanation: The differences between ASA devices and Cisco IOS routers include the following:
An ASA device configured with ACLs is configured with a subnet mask.
An ASA device supports interface security levels.
An ASA device configured with an ACL is always named.
ASA devices and Cisco IOS routers are similar in that they both support an implicit deny within an ACL.

48. Refer to the exhibit. A network administrator is configuring PAT on an ASA device to enable internal workstations to access the Internet. Which configuration command should be used next?

nat (inside,outside) dynamic NET1
nat (outside,inside) dynamic NET1
nat (inside,outside) dynamic interface
nat (outside,inside) dynamic interface

Explanation: The nat (inside,outside) dynamic interface command indicates that inside hosts are overloading the outside address of the mapped interface.

49. What type of network security test uses simulated attacks to determine the feasibility of an attack as well as the possible consequences if the attack occurs?

penetration testing
network scanning
integrity checking
vulnerability scanning

Explanation: There are many tests that are used by security specialists to assess the status of a system. They include the following:
penetration testing to determine the feasibility of attacks
network scanning to scan for and identify open TCP ports
integrity checking to check for changes that have occurred in the system
vulnerability scanning to detect potential weaknesses in systems

50. What three tasks can a network administrator accomplish with the Nmap and Zenmap security testing tools? (Choose three.)

operating system fingerprinting
assessment of Layer 3 protocol support on hosts
open UDP and TCP port detection
security event analysis and reporting
password recovery
development of IDS signatures

Explanation: Nmap is a low-level network scanner that is available to the public and that has the ability to perform port scanning, to identify open TCP and UDP ports, and which can also perform system identification. It can also be used to identify Layer 3 protocols that are running on a system. Zenmap is the GUI version of Nmap.

51. Match the network security testing tool with the correct function. (Not all options are used.)

52. Which two means can be used to try to bypass the management of mobile devices? (Choose two.)

using a fuzzer
rooting
jailbreaking
packet sniffing
using a Trojan Horse

Explanation: Jailbreaking is a term used when breaking into an Apple iOS device, whereas rooting is the term used for doing the same to an Android device. Both must be concerns in the corporate environment where so many people bring their own devices and access the corporate networks.

53. Match the type of cyberattackers to the description. (Not all options are used.)

54. What is a benefit of having users or remote employees use a VPN to connect to the existing network rather than growing the network infrastructure?

security
scalability
cost savings
compatibility

Explanation: A benefit of VPNs is scalability because organizations can use the Internet and easily add new users without adding significant infrastructure. Security is provided by using encryption and authentication protocols to protect data. Another benefit is compatibility because VPNs can be implemented across a wide variety of WAN connections. Organizations also benefit from cost savings because VPNs reduce connectivity costs while simultaneously increasing remote connection bandwidth.

55. What is a difference between symmetric and asymmetric encryption algorithms?

Symmetric algorithms are typically hundreds to thousands of times slower than asymmetric algorithms.
Symmetric encryption algorithms are used to authenticate secure communications. Asymmetric encryption algorithms are used to repudiate messages.
Symmetric encryption algorithms are used to encrypt data. Asymmetric encryption algorithms are used to decrypt data.
Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption algorithms use different keys to encrypt and decrypt data.

Explanation: Asymmetric algorithms can use very long key lengths in order to avoid being hacked. This results in the use of significantly increased resources and time compared to symmetric algorithms.

56. What technology allows users to verify the identity of a website and to trust code that is downloaded from the Internet?

asymmetric key algorithm
digital signature
encryption
hash algorithm

Explanation: Digital signatures provide assurance of the authenticity and integrity of software code. They provide the ability to trust code that is downloaded from the Internet.

57. Which two statements correctly describe certificate classes used in the PKI? (Choose two.)

A class 0 certificate is for testing purposes.
A class 0 certificate is more trusted than a class 1 certificate.
The lower the class number, the more trusted the certificate.
A class 5 certificate is for users with a focus on verification of email.
A class 4 certificate is for online business transactions between companies.

Explanation: A digital certificate class is identified by a number. The higher the number, the more trusted the certificate. The classes include the following:
Class 0 is for testing purposes in which no checks have been performed.
Class 1 is for individuals with a focus on verification of email.
Class 2 is for organizations for which proof of identity is required.
Class 3 is for servers and software signing for which independent verification and checking of identity and authority is done by the issuing certificate authority.
Class 4 is for online business transactions between companies.
Class 5 is for private organizations or governmental security.

58. What is the standard for a public key infrastructure to manage digital certificates?

PKI
NIST-SP800
x.503
x.509

Explanation: The x.509 standard is for a PKI infrastructure and x.500 is for directory structures.

59. Which two statements describe remote access VPNs? (Choose two.)

Remote access VPNs are used to connect entire networks, such as a branch office to headquarters.
End users are not aware that VPNs exist.
A leased line is required to implement remote access VPNs.
Client software is usually required to be able to access the network.
Remote access VPNs support the needs of telecommuters and mobile users.

Explanation: Remote access VPNs are designed to provide for the needs of telecommuters and mobile users through the use of software that is installed on the client to encrypt and encapsulate the data. Remote access VPNs can be used across a variety of WAN connections. Users must access the client software to initiate the VPN connection.

60. What are two hashing algorithms used with IPsec AH to guarantee authenticity? (Choose two.)

MD5
SHA
AES
DH
RSA

Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two popular algorithms used to ensure that data is not intercepted and modified (data integrity and authenticity) are MD5 and SHA.

61. What is the purpose of configuring multiple crypto ACLs when building a VPN connection between remote sites?

By applying the ACL on a public interface, multiple crypto ACLs can be built to prevent public users from connecting to the VPN-enabled router.
Multiple crypto ACLs can be configured to deny specific network traffic from crossing a VPN.
When multiple combinations of IPsec protection are being chosen, multiple crypto ACLs can define different traffic types.
Multiple crypto ACLs can define multiple remote peers for connecting with a VPN-enabled router across the Internet or network.

Explanation: A crypto ACL can define “interesting traffic” that is used to build a VPN, and forward that “interesting traffic” across the VPN to another VPN-enabled router. Multiple crypto ACLs are used to define multiple different types of traffic and utilize different IPsec protection corresponding to the different types of traffic.

62. Refer to the exhibit. An administrator creates three zones (A, B, and C) in an ASA that filters traffic. Traffic originating from Zone A going to Zone C is denied, and traffic originating from Zone B going to Zone C is denied. What is a possible scenario for Zones A, B, and C?

A – DMZ, B – Inside, C – Outside
A – Inside, B – DMZ, C – Outside
A – Outside, B – Inside, C – DMZ
A – DMZ, B – Outside, C – Inside

Explanation: The ASA protects Network/Zone C (Inside) from unauthorized access by users on Network/Zone B (Outside). It also denies traffic from Network/Zone A (DMZ) from accessing Network/Zone C (Inside).

63. What are two monitoring tools that capture network traffic and forward it to network monitoring devices? (Choose two.)

SIEM
Wireshark
SNMP
SPAN
network tap

Explanation: A network tap is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network and forwards all traffic, including physical layer errors, to an analysis device. SPAN is a port mirroring technology supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device.

64. What is the IPS detection engine that is included in the SEC license for 4000 Series ISRs?

Security Onion
Snort
ASDM
AMP

Explanation: Snort is the IPS detection and enforcement engine that is included in the SEC license for 4000 Series ISRs.

CCNA Security v2.0 Final Exam Answers 100% 20/12/2023, 7:45 AM

CCNA Security v2.0 Final Exam Answers 100%
Feb 9, 2016 | Last Updated: Oct 3, 2023 | CCNA Security v2.0 Answers | 16 Comments

Implementing Network Security (Version 2.0) – CCNAS Final Exam Answers Full 100% Scored

1. Which security implementation will provide control plane protection for a network device?

encryption for remote access connections
AAA for authenticating management access
routing protocol authentication
NTP for consistent timestamps on logging messages

Explanation: Control plane traffic, such as ARP messages or routing protocol advertisements, is generated by a network device in order to support network operations. Routing protocol authentication provides an extra measure of security to authenticate the source of routing updates. Encrypting remote access connections, utilizing the NTP protocol, and using AAA are all measures implemented to secure management plane traffic.

2. What is the one major difference between local AAA authentication and using the login local command when configuring device access authentication?

Local AAA authentication provides a way to configure backup methods of authentication, but login local does not.
The login local command requires the administrator to manually configure the usernames and passwords, but local AAA authentication does not.
Local AAA authentication allows more than one user account to be configured, but login local does not.
The login local command uses local usernames and passwords stored on the router, but local AAA authentication does not.

Explanation: Local AAA authentication works very similarly to the login local command, except that it allows you to specify backup authentication methods as well. Both methods require that local usernames and passwords be manually configured on the router.

3. Refer to the exhibit. A network administrator configures AAA authentication on R1. The administrator then tests the configuration by telneting to R1. The ACS servers are configured and running. What will happen if the authentication fails?

The enable secret password could be used in the next login attempt.
The authentication process stops.
The username and password of the local user database could be used in the next login attempt.
The enable secret password and a random username could be used in the next login attempt.

4. What are two tasks that can be accomplished with the Nmap and Zenmap network tools? (Choose two.)

password recovery
password auditing
identification of Layer 3 protocol support on hosts
TCP and UDP port scanning
validation of IT system configuration

Explanation: Nmap is a low-level network scanner that is available to the public and which has the ability to perform port scanning, to identify open TCP and UDP ports, and to perform system identification. It can also be used to identify Layer 3 protocols that are running on a system.

5. Which Cisco IOS subcommand is used to compile an IPS signature into memory?

retired true
event-action produce-alert
retired false
event-action deny-attacker-inline

Explanation: The Cisco IOS subcommand retired can be used to retire (not to compile into memory) or unretire (compile into memory) individual signatures or a group of signatures that belong to a signature category. The command retired false instructs IOS to compile an IPS signature into memory. The command retired true instructs IOS not to compile an IPS signature into memory. The commands event-action produce-alert and event-action deny-attacker-inline define the action when an enabled signature is matched.

6. Why are DES keys considered weak keys?

They are more resource intensive.
DES weak keys use very long key sizes.
They produce identical subkeys.
DES weak keys are difficult to manage.

Explanation: Weak keys, whether part of an existing encryption algorithm or manually generated, reveal regularities in encryption. This creates a shortcut by which a hacker can break the encryption. DES has four keys for which encryption is identical to decryption.

7. What is a benefit of using a next-generation firewall rather than a stateful firewall?

reactive protection against Internet attacks
granularity control within applications
support of TCP-based packet filtering
support for logging

Explanation: Stateful and next-generation firewalls provide better log information than packet filtering firewalls. Both stateful and next-generation firewalls defend against spoofing by filtering unwanted traffic. However, next-generation firewalls provide the following benefits over stateful firewalls:
– Granularity control within applications
– Website and application traffic filtering based on site reputation
– Proactive rather than reactive protection from Internet threats
– Enforcement of security policies based on multiple criteria
– Improved performance with NAT, VPN, and stateful inspections
– Integrated IPS

8. What is a result of securing the Cisco IOS image using the Cisco IOS Resilient Configuration feature?

When the router boots up, the Cisco IOS image is loaded
from a secured FTP location.
The Cisco IOS image file is not visible in the output
of the show flash command.
The Cisco IOS image is encrypted and then automatically
backed up to the NVRAM.
The Cisco IOS image is encrypted and then automatically
backed up to a TFTP server.

Explanation: When using the Cisco IOS Resilient Configuration feature, a secure copy of the IOS image is stored in flash and is hidden from view and not included in any directory listings.

9. The corporate security policy dictates that the traffic from the remote-access VPN clients must be separated between trusted traffic that is destined for the corporate subnets and untrusted traffic destined for the public Internet. Which VPN solution should be implemented to ensure compliance with the corporate policy?

MPLS
hairpinning
GRE
split tunneling

Explanation: Hairpinning allows VPN traffic that is received on a single interface to be routed back out that same interface. Split tunneling allows traffic that originates from a remote-access client to be split according to whether the traffic must cross a VPN or the traffic is destined for the public Internet. MPLS and GRE are two types of Layer 3 VPNs.

10. Which two conditions must be met in order for a network administrator to be able to remotely manage multiple ASAs with Cisco ASDM? (Choose two.)

The ASAs must all be running the same ASDM version.
Each ASA must have the same enable secret password.
Each ASA must have the same master passphrase enabled.
The ASAs must be connected to each other through at least one inside interface.
ASDM must be run as a local application.

Explanation: Cisco ASDM is a Java-based GUI tool that makes ASA configuration easier. In order to remotely manage multiple ASAs with Cisco ASDM, each ASA must have the same ASDM version. When ASDM is run as a local application, no browser is required and several ASA devices can be managed.

11. What is negotiated in the establishment of an IPsec tunnel between two IPsec hosts during IKE Phase 1?

ISAKMP SA policy
DH groups
interesting traffic
transform sets

Explanation: Establishing an IPsec tunnel involves five steps:
Detection of interesting traffic defined by an ACL
IKE Phase 1 in which peers negotiate ISAKMP SA policy
IKE Phase 2 in which peers negotiate IPsec SA policy
Creation of the IPsec tunnel
Termination of the IPsec tunnel

12. What are two benefits of using a ZPF rather than a Classic Firewall? (Choose two.)

ZPF allows interfaces to be placed into zones for IP inspection.
The ZPF is not dependent on ACLs.
Multiple inspection actions are used with ZPF.
ZPF policies are easy to read and troubleshoot.
With ZPF, the router will allow packets unless they are explicitly blocked.

Explanation: There are several benefits of a ZPF:
– It is not dependent on ACLs.
– The router security posture is to block unless explicitly allowed.
– Policies are easy to read and troubleshoot with C3PL.
– One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.
In addition, an interface cannot be simultaneously configured as a security zone member and for IP inspection.

13. Which security policy characteristic defines the purpose of standards?

step-by-step details regarding methods to deploy company switches
recommended best practices for placement of all company switches
required steps to ensure consistent configuration of all company switches
list of suggestions regarding how to quickly configure all company switches

Explanation: Standards help IT staff maintain consistency in the operations of the network. Guidelines are a list of suggestions on how to do things more efficiently and securely. They are similar to standards, but are more flexible and are not usually mandatory. Procedure documents are longer and more detailed than standards and guidelines. Procedure documents include implementation details that usually contain step-by-step instructions and graphics.

14. What algorithm is used to provide data integrity of a message through the use of a calculated hash value?

RSA
DH
AES
HMAC

Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. To ensure that data is not intercepted and modified (data integrity), Hashed Message Authentication Code (HMAC) is used. AES is an encryption protocol and provides data confidentiality. DH (Diffie-Hellman) is an algorithm that is used for key exchange. RSA is an algorithm that is used for authentication.

15. On which port should Dynamic ARP Inspection (DAI) be configured on a switch?

an uplink port to another switch
on any port where DHCP snooping is disabled
any untrusted port
access ports only

Explanation: DHCP snooping must be enabled on a port where DAI is configured, because DAI requires the DHCP snooping table to operate. Only a trusted interface, such as an uplink port between switches, is configured to implement DAI. All access ports are untrusted.

16. What is a feature of a Cisco IOS Zone-Based Policy Firewall?

A router interface can belong to only one zone at a time.
Service policies are applied in interface configuration mode.
Router management interfaces must be manually assigned to the self zone.
The pass action works in multiple directions.

Explanation: The pass action allows traffic in only one direction. Interfaces automatically become members of the self zone. Interfaces are assigned to a zone in interface configuration mode, but most configuration takes place in global configuration mode and associated submodes. An interface can belong to only one zone at a time.

17. Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router by using the password cisco123. What is a possible cause of the problem?

The Telnet connection between RouterA and RouterB is not working correctly.
The password cisco123 is wrong.
The administrator does not have enough rights on the PC that is being used.
The enable password and the Telnet password need to be the same.

Other case:

AAA authorization is not configured.
The administrator does not have enough rights on the PC that is being used.
The administrator has used the wrong password.
The wrong vty lines are configured.

Explanation: To authenticate and log in using a Telnet vty line, the network administrator is required to use the local username and password that has been configured on the local router. This is evidenced by the application of the aaa authentication login telnet local-case command. The administrator must use a capital C in Cisco123 to match the applied configuration.

18. Refer to the exhibit. The ip verify source command is applied on untrusted interfaces. Which type of attack is mitigated by using this configuration?

DHCP spoofing
DHCP starvation
STP manipulation
MAC and IP address spoofing

Explanation: To protect against MAC and IP address spoofing, apply the IP Source Guard security feature, using the ip verify source command, on untrusted ports.

19. Refer to the exhibit. Which conclusion can be made from the show crypto map command output that is shown on R1?

The crypto map has not yet been applied to an interface.
The current peer IP address should be 172.30.2.1.
There is a mismatch between the transform sets.
The tunnel configuration was established and can be tested with extended pings.

Explanation: According to the show crypto map command output, all required SAs are in place, but no interface is currently using the crypto map. To complete the tunnel configuration, the crypto map has to be applied to the outbound interface of each router.

20. What type of algorithms require sender and receiver to exchange a secret key that is used to ensure the confidentiality of messages?

symmetric algorithms
hashing algorithms
asymmetric algorithms
public key algorithms

Explanation: Symmetric algorithms use the same key, a secret key, to encrypt and decrypt data. This key must be pre-shared before communication can occur. Asymmetric algorithms require more processing power and overhead on the communicating devices because these keys can be long in order to avoid being hacked.

21. What is an advantage in using a packet filtering firewall versus a high-end firewall appliance?

Packet filters perform almost all the tasks of a high-end firewall at a fraction of the cost.
Packet filters provide an initial degree of security at the data-link and network layer.
Packet filters represent a complete firewall solution.
Packet filters are not susceptible to IP spoofing.

Explanation: There are several advantages of using a packet filtering firewall:
– allows for implementing simple permit or deny rule sets
– has a low impact on network performance
– is easy to implement, and is supported by most routers
– provides an initial degree of security at the network layer
– performs almost all the tasks of a high-end firewall at a much lower cost

22. Refer to the exhibit. In the network that is shown, which AAA command logs the use of EXEC session commands?

aaa accounting network start-stop group tacacs+
aaa accounting network start-stop group radius
aaa accounting connection start-stop group radius
aaa accounting exec start-stop group radius
aaa accounting connection start-stop group tacacs+
aaa accounting exec start-stop group tacacs+

Explanation: The aaa accounting exec start-stop group tacacs+ command is used to configure the router to log the use of EXEC commands.

23. A network administrator enters the single-connection command. What effect does this command have on AAA operation?

allows a new TCP session to be established for every authorization request
authorizes connections based on a list of IP addresses configured in an ACL on a Cisco ACS server
allows a Cisco ACS server to minimize delay by establishing persistent TCP connections
allows the device to establish only a single connection with the AAA-enabled server

Explanation: By default, TACACS+ establishes a new TCP session for every authorization request. This can lead to delays. To improve performance, Cisco Secure ACS supports persistent TCP sessions configured with the single-connection command.

24. Which two practices are associated with securing the features and performance of router operating systems? (Choose two.)

Install a UPS.
Keep a secure copy of router operating system images.
Configure the router with the maximum amount of memory possible.
Disable default router services that are not necessary.
Reduce the number of ports that can be used to access the router.

Explanation: Configuring a router with maximum available memory allows support for the widest range of security services and can help to protect against certain DoS attacks. Secure copies of router operating system images and configuration files provide backups needed for device recovery. Installing a UPS device provides physical security for networking devices but does not affect the security of their operating systems. Disabling unnecessary ports and services is part of the process of router hardening, and does not specifically involve the router operating system.

25. Which statement describes a characteristic of the IKE protocol?

It uses UDP port 500 to exchange IKE information between the security gateways.
IKE Phase 1 can be implemented in three different modes: main, aggressive, or quick.
It allows for the transmission of keys directly across a network.
The purpose of IKE Phase 2 is to negotiate a security association between two IKE peers.

26. Refer to the exhibit. If a network administrator is using ASDM to configure a site-to-site VPN between the CCNAS-ASA and R3, which IP address would the administrator use for the peer IP address textbox on the ASA if data traffic is to be encrypted between the two remote LANs?

209.165.201.1
192.168.1.3
172.16.3.1
172.16.3.3
192.168.1.1

Explanation: When ASDM is used to configure an ASA, the peer address is the IP address of the other site for the VPN. In this instance R3 has the outside IP address of 209.165.201.1, so that must be the peer IP address for the ASA. Conversely, R3 will have to be configured with a peer IP address of 209.165.200.226.

27. Refer to the exhibit. Based on the security levels of the interfaces on the ASA, what statement correctly describes the flow of traffic allowed on the interfaces?

Traffic that is sent from the LAN and the Internet to the DMZ is considered inbound.
Traffic that is sent from the DMZ and the Internet to the LAN is considered outbound.
Traffic that is sent from the LAN to the DMZ is considered inbound.
Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.

Explanation: When traffic moves from an interface with a higher security level to an interface with a lower security level, it is considered outbound traffic. Conversely, traffic that moves from an interface with a lower security level to an interface with a higher security level is considered inbound traffic.

28. What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.)

The code contains no errors.
The code contains no viruses.
The code has not been modified since it left the software publisher.
The code is authentic and is actually sourced by the publisher.
The code was encrypted with both a private and public key.

Explanation: Digitally signing code provides several assurances about the code:
The code is authentic and is actually sourced by the publisher.
The code has not been modified since it left the software publisher.
The publisher undeniably published the code. This provides nonrepudiation of the act of publishing.

29. Which interface option could be set through ASDM for a Cisco ASA?

default route
access list
VLAN ID
NAT/PAT

Explanation: To assign a VLAN number to an interface, choose Configuration > Device Setup > Interfaces and add or select an interface. Choose the Advanced tab to assign a VLAN. Other options that can be assigned to an interface include an IP address, mask, and security level.

30. What are two characteristics of a stateful firewall? (Choose two.)

uses connection information maintained in a state table
uses static packet filtering techniques
analyzes traffic at Layers 3, 4 and 5 of the OSI model
uses complex ACLs which can be difficult to configure
prevents Layer 7 attacks

Explanation: Stateful firewalls are the most versatile and the most common firewall technologies in use. Stateful firewalls provide stateful packet filtering by using connection information maintained in a state table. Stateful filtering is a firewall architecture that is classified at the network layer. It also analyzes traffic at OSI Layers 4 and 5. Stateful firewalls cannot prevent application layer attacks because they do not examine the actual contents of an HTTP connection.

31. What are three characteristics of SIEM? (Choose three.)

can be implemented as software or as a service
Microsoft port scanning tool designed for Windows
examines logs and events from systems and applications to detect security threats
consolidates duplicate event data to minimize the volume of gathered data
uses penetration testing to determine most network vulnerabilities
provides real-time reporting for short-term security event analysis

Explanation: Security Information and Event Management (SIEM) is a technology that provides real-time reporting and long-term analysis of security events. SIEM provides the ability to search logs and events from disparate systems or applications to detect threats. SIEM aggregates duplicate events to reduce the volume of event data. SIEM can be implemented as software or as a managed service. SuperScan is a Microsoft Windows port scanning tool that runs on most versions of Windows. Tools such as Nmap and SuperScan can provide effective penetration testing on a network and determine network vulnerabilities while helping to anticipate possible attack mechanisms.

32. Which type of traffic is subject to filtering on an ASA 5505 device?

public Internet to inside
public Internet to DMZ
inside to DMZ
DMZ to inside

Explanation: Filtering only applies to traffic traveling in the direction from a higher security level to a lower security level.

33. Which IDS/IPS signature alarm will look for packets that are destined to or from a particular port?

honey pot-based
anomaly-based
signature-based
policy-based

Explanation: Cisco IDS and IPS sensors can use four types of signature alarms or triggers:
– Pattern-based detection – also known as signature-based detection, searches for a specific and pre-defined pattern. In most cases, the pattern is matched to the signature only if the suspect packet is associated with a particular service or destined to or from particular ports.
– Anomaly-based detection – also known as profile-based detection, involves first defining a profile of what is considered normal for the network or host. After defining normal activity, the signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile.
– Policy-based detection – also known as behavior-based detection, is similar to pattern-based detection, but instead of trying to define specific patterns, the administrator defines behaviors that are suspicious based on historical analysis.
– Honey pot-based detection – uses a dummy server to attract attacks.

34. Which three actions can the Cisco IOS Firewall IPS feature be configured to take when an intrusion activity is detected? (Choose three.)

reset UDP connection
reset TCP connection
alert
isolate
inoculate
drop

Explanation: In an IPS implementation, when a signature detects a matching activity, the signature triggers one or more of these actions:
– Generates an alert
– Logs the activity
– Drops or prevents the activity
– Resets a TCP connection
– Blocks future activity
– Allows the activity

35. Which two protocols can be selected using the Cisco AnyConnect VPN Wizard to protect the traffic inside a VPN tunnel? (Choose two.)

Telnet
SSH
SSL
ESP
IPsec

Explanation: When a full tunnel is created using the Cisco AnyConnect VPN Wizard, the VPN protocols should be selected to protect the traffic inside the tunnel. The VPN protocol choices are SSL and/or IPsec. Otherwise, a third-party certificate can be configured. Initially SSL and IPsec are selected.

36. What is a characteristic of a role-based CLI view of router configuration?

When a superview is deleted, the associated CLI views are deleted.
A single CLI view can be shared within multiple superviews.
A CLI view has a command hierarchy, with higher and lower views.
Only a superview user can configure a new view and add or remove commands from the existing views.

Explanation: A CLI view has no command hierarchy, and therefore, no higher or lower views. Deleting a superview does not delete the associated CLI views. Only a root view user can configure a new view and add or remove commands from the existing views.

37. Match the network security testing technique with how it is used to test network security. (Not all options are used.)

Penetration testing = used to determine the possible consequences of successful attacks on the network.
Vulnerability scanning = used to find weaknesses and misconfigurations on network systems.
Network scanning = used to discover available resources on the network.

Explanation: Network scanning tools are used to probe network devices, servers and hosts for open TCP or UDP ports. Vulnerability scanning tools are used to discover security weaknesses in a network or computer system. Penetration testing tools are used to determine the possible outcome of a successful attack on a network or computer system.

38. Which statement describes the use of certificate classes in the PKI?

A class 5 certificate is more trustworthy than a class 4 certificate.
Email security is provided by the vendor, not by a certificate.
The lower the class number, the more trusted the certificate.
A vendor must issue only one class of certificates when acting as a CA.

Explanation: The higher the certificate class number, the more trustworthy the certificate. Class 1 certificates are for individuals, with a focus on email verification. An enterprise can act as its own CA and implement PKI for internal use. In that situation, the vendor can issue certificates as needed for various purposes.

https://itexamanswers.net/ccna-security-v2-0-final-exam-answers.html Page 25 of 61
CCNA Security v2.0 Final Exam Answers 100% 20/12/2023, 7:45 AM

39. Refer to the exhibit. An administrator issues these IOS login enhancement commands to increase the security for login connections. What can be concluded about them?

Because the login delay command was not used, a one-minute delay between login attempts is assumed.
The hosts that are identified in the ACL will have access to the device.
The login block-for command permits the attacker to try 150 attempts before being stopped to try again.
These enhancements apply to all types of login connections.

Explanation: When the login block-for command is implemented, it automatically invokes a one-second delay between login attempts. The login block-for command that is presented means that login will be disabled for 150 seconds, if more than 5 login failures occur within 60 seconds. These enhancements do not apply to console connections. When quiet mode is enabled, all login attempts are denied except for the hosts permitted in the ACL.

40. A company deploys a Cisco ASA with the Cisco CWS connector enabled as the firewall on the border of the corporate network. An employee on the internal network is accessing a public website. What should the employee do in order to make sure the web traffic is protected by the Cisco CWS?

Register the destination website on the Cisco ASA.
Use the Cisco AnyConnect Secure Mobility Client first.
Use a web browser to visit the destination website.
First visit a website that is located on a web server in the Cisco CWS infrastructure.

Explanation: Once the connector is enabled on the Cisco ASA device, users on the internal network connect to the Cisco CWS transparently when they access external websites. The Cisco CWS serves as a proxy for the web access to scan traffic for malware and policy enforcement. Users visit external websites by accessing the URLs directly in their web browsers.

41. Refer to the exhibit. A network administrator configures AAA authentication on router R1. The ACS servers are configured and running. The administrator tests the configuration by telnetting to R1. What will happen if the administrator attempts to authenticate through the RADIUS server using incorrect credentials?

The authentication process stops.
The enable secret password could be used in the next login attempt.
The enable secret password and a random username could be used in the next login attempt.
The username and password of the local user database could be used in the next login attempt.

Explanation: The authentication for Telnet connections is defined by the AAA method list AUTHEN. The AUTHEN list defines that the first authentication method is through an ACS server using the RADIUS protocol (or RADIUS server), the second authentication method is to use the local user database, and the third method is to use the enable password. In this scenario, however, because the administrator fails to pass the authentication by the first method, the authentication process stops and no other authentication methods are allowed.

42. What mechanism is used by an ASA 5505 device to allow inspected outbound traffic to return to the originating sender who is on an inside network?

Network Address Translation
access control lists
security zones
stateful packet inspection

Explanation: Stateful packet inspection allows return traffic that is sourced on the outside network to be received by the originating sender on the internal network.

43. Which two endpoints can be on the other side of an ASA site-to-site VPN configured using ASDM? (Choose two.)

DSL switch
Frame Relay switch
ISR router
another ASA
multilayer switch

Explanation: ASDM supports creating an ASA site-to-site VPN between two ASAs or between an ASA and an ISR router.

44. What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?

DHCP spoofing
ARP spoofing
VLAN hopping
ARP poisoning

Explanation: Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP) and by setting the native VLAN of trunk links to VLANs not in use.

45. In an AAA-enabled network, a user issues the configure terminal command from the privileged EXEC mode of operation. What AAA function is at work if this command is rejected?

authorization
authentication
auditing
accounting

Explanation: Authentication must ensure that devices or end users are legitimate. Authorization is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network. The configure terminal command is rejected because the user is not authorized to execute the command.

46. An organization has configured an IPS solution to use atomic alerts. What type of response will occur when a signature is detected?

A counter starts and a summary alert is issued when the count reaches a preconfigured number.
The TCP connection is reset.
An alert is triggered each time a signature is detected.
The interface that triggered the alert is shut down.

Explanation: Atomic alerts are generated every time a signature triggers. A summary alert is a single alert that indicates multiple occurrences of the same signature from the same source address or port. Deny packet and deny flow actions do not automatically cause TCP reset actions to occur. Atomic alerts do not shut down interfaces.

47. What two algorithms can be part of an IPsec policy to provide encryption and hashing to protect interesting traffic? (Choose two.)

PSK
DH
RSA
AES
SHA

Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two algorithms that can be used within an IPsec policy to protect interesting traffic are AES, which is an encryption algorithm, and SHA, which is a hashing algorithm.

48. Fill in the blank.

A stateful signature is also known as a composite signature.

49. Why is hashing cryptographically stronger compared to a cyclic redundancy check (CRC)?

Hashes are never sent in plain text.
It is easy to generate data with the same CRC.
It is difficult to generate data with the same CRC.
It is virtually impossible for two different sets of data to calculate the same hash output.
Hashing always uses a 128-bit digest, whereas a CRC can be variable length.

Explanation: When assuring integrity with CRC values, it is easy to generate data with the same CRC. With hash functions, it is computationally infeasible for two different sets of data to come up with the same hash output. Hashing can use many bit values depending on the algorithm. These characteristics make hashing much stronger cryptographically.

50. A network analyst wants to monitor the activity of all new interns. Which type of security testing would track when the interns sign on and sign off the network?

vulnerability scanning
password cracking
network scanning
integrity checker

Explanation: An integrity checking system can report login and logout activities. Network scanning can detect user names, groups, and shared resources by scanning listening TCP ports. Password cracking is used to test and detect weak passwords. Vulnerability scanning can detect potential weaknesses in a system, such as misconfigurations, default passwords, or DoS attack targets.

51. Refer to the exhibit. What two pieces of information can be gathered from the generated message? (Choose two.)

This message is a level five notification message.
This message indicates that service timestamps have been globally enabled.
This message indicates that enhanced security was configured on the vty ports.
This message appeared because a major error occurred that requires immediate action.
This message appeared because a minor error occurred that requires further investigation.

Explanation: A Cisco router log message consists of three parts:
1) the timestamp
2) the log message and severity level
3) the message text

52. What is required for auto detection and negotiation of NAT when establishing a VPN link?

Both VPN end devices must be configured for NAT.
No ACLs can be applied on either VPN end device.
Both VPN end devices must be NAT-T capable.
Both VPN end devices must be using IPv6.

Explanation: Establishing a VPN between two sites has been a challenge when NAT is involved at either end of the tunnel. The enhanced version of the original IKE, IKE version 2, now supports NAT Traversal (NAT-T). NAT-T has the ability to encapsulate ESP packets inside UDP. During IKE version 2 Phase 1, the VPN end devices can detect whether the other device is NAT-T capable and whether either device is connecting through a NAT-enabled device in order to establish the tunnel.

53. Refer to the exhibit. The network administrator is configuring the port security feature on switch SWC. The administrator issued the command show port-security interface fa 0/2 to verify the configuration. What can be concluded from the output that is shown? (Choose three.)

Three security violations have been detected on this interface.
This port is currently up.
The port is configured as a trunk link.
Security violations will cause this port to shut down immediately.
There is no device currently connected to this port.
The switch port mode for this interface is access mode.

Explanation: Because the security violation count is at 0, no violation has occurred. The system shows that 3 MAC addresses are allowed on port fa0/2, but only one has been configured and no sticky MAC addresses have been learned. The port is up because of the port status of secure-up. The violation mode is what happens when an unauthorized device is attached to the port. A port must be in access mode in order to activate and use port security.

54. In which two instances will traffic be denied as it crosses the ASA 5505 device? (Choose two.)

traffic originating from the inside network going to the DMZ network
traffic originating from the inside network going to the outside network
traffic originating from the outside network going to the DMZ network
traffic originating from the DMZ network going to the inside network
traffic originating from the outside network going to the inside network

Explanation: When an ASA 5505 device is being utilized, traffic is denied as it travels from a lower security zone to a higher security zone. The highest security zone is the internal network, the DMZ is usually the next highest, and the outside network is the lowest. Traffic is only allowed to move from a lower security level to a higher one if it is in response to originating traffic within the higher security zone.

55. Refer to the exhibit. Based on the configuration that is shown, which statement is true about the IPS signature category?

Only signatures in the ios_ips advanced category will be compiled into memory for scanning.
All signature categories will be compiled into memory for scanning, but only those signatures within the ios_ips advanced category will be used for scanning purposes.
All signature categories will be compiled into memory for scanning, but only those signatures in the ios_ips basic category will be used for scanning purposes.
Only signatures in the ios_ips basic category will be compiled into memory for scanning.

Explanation: When a signature category is marked as retired by using the command retired true, then the IPS does not compile signatures that are part of that category into memory for inspection (scanning). The retired false command does the opposite. This command instructs the IPS to include those signatures that are part of that category into memory for scanning.

56. Which two ports can send and receive Layer 2 traffic from a community port on a PVLAN? (Choose two.)

community ports belonging to other communities
promiscuous ports
isolated ports within the same community
PVLAN edge protected ports
community ports belonging to the same community

Explanation: Community ports can send and receive information with ports within the same community, or with a promiscuous port. Isolated ports can only communicate with promiscuous ports. Promiscuous ports can talk to all interfaces. PVLAN edge protected ports only forward traffic through a Layer 3 device to other protected ports.

57. What is a feature of the TACACS+ protocol?

It utilizes UDP to provide more efficient packet transfer.
It combines authentication and authorization as one process.
It encrypts the entire body of the packet for more secure communications.
It hides passwords during transmission using PAP and sends the rest of the packet in plaintext.

Explanation: TACACS+ has the following features:
– separates authentication and authorization
– encrypts all communication
– uses TCP port 49

58. Which security measure is best used to limit the success of a reconnaissance attack from within a campus area network?

Implement restrictions on the use of ICMP echo-reply messages.
Implement a firewall at the edge of the network.
Implement access lists on the border router.
Implement encryption for sensitive traffic.

Explanation: The implementation of an access list may provide extra security by permitting or denying a flow of traffic, but it will not provide a direct response to limit the success of the attack. The implementation of a firewall on the network edge may prevent reconnaissance attacks from the Internet, but attacks within the local network are not prevented. By implementing restrictions on the sending of ICMP echo-reply messages within a local network, devices may not respond to ping messages, but port scans are not prevented and clear-text data sent on the network is still vulnerable. The best security measure is to encrypt as much network traffic as possible, both user data and network management traffic.

59. What is the benefit of the network-based IPS (NIPS) over host-based IPS (HIPS) deployment models?

NIPS provides individual host protection.
NIPS relies on centrally managed software agents.
NIPS monitors network segments.
NIPS monitors all operations within an operating system.

Explanation: The network-based IPS (NIPS) is deployed in a network to monitor traffic in the network. Different from the host-based IPS (HIPS), NIPS does not provide protection to specific individual hosts. The operation of NIPS does not rely on the operating system of individual hosts nor on centrally managed software agents.

60. What represents a best practice concerning discovery protocols such as CDP and LLDP on network devices?

Enable CDP on edge devices, and enable LLDP on interior devices.
Use the default router settings for CDP and LLDP.
Use the open standard LLDP rather than CDP.
Disable both protocols on all interfaces where they are not required.

Explanation: Both discovery protocols can provide hackers with sensitive network information. They should not be enabled on edge devices, and should be disabled globally or on a per-interface basis if not required. CDP is enabled by default.

61. What function is provided by the Tripwire network security tool?

password recovery
security policy compliance
IDS signature development
logging of security events

Explanation: Tripwire is a network security testing tool that can be used by administrators to assess if network devices are compliant with company network security policies.

https://itexamanswers.net/ccna-security-v2-0-final-exam-answers.html Page 38 of 61
CCNA Security v2.0 Final Exam Answers 100% 20/12/2023, 7:45 AM

62. What is the function of a policy map configuration when an ASA firewall is being configured?

binding class maps with actions
identifying interesting traffic
binding a service policy to an interface
using ACLs to match traffic

Explanation: Policy maps are used to bind class maps with actions. Class maps are configured to identify Layer 3 and 4 traffic. Service policies are configured to attach the policy map to an interface.

63. If a network administrator wants to track the usage of FTP services, which keyword or keywords should be added to the aaa accounting command?

exec default
connection
exec
network

64. What is indicated by the use of the local-case keyword in a local AAA authentication configuration command sequence?

that user access is limited to vty terminal lines
that passwords and usernames are case-sensitive
that AAA is enabled globally on the router
that a default local database AAA authentication is applied to all lines

Explanation: The use of the local-case keyword means that the authentication is case-sensitive. It does not enable or apply the AAA configuration to router interfaces or lines.

65. What is the purpose of a local username database if multiple ACS servers are configured to provide authentication services?

Clients using Internet services are authenticated by ACS servers, whereas local clients are authenticated through a local username database.
Each ACS server must be configured with a local username database in order to provide authentication services.
A local username database is required when creating a method list for the default login.
A local username database provides redundancy if ACS servers become unreachable.

66. Refer to the exhibit. Based on the security levels of the interfaces on ASA1, what traffic will be allowed on the interfaces?

Traffic from the Internet and LAN can access the DMZ.
Traffic from the Internet and DMZ can access the LAN.
Traffic from the Internet can access both the DMZ and the LAN.
Traffic from the LAN and DMZ can access the Internet.

Explanation: ASA devices have security levels assigned to each interface that are not part of a configured ACL. These security levels allow traffic from more secure interfaces, such as security level 100, to access less secure interfaces, such as level 0. By default, they allow traffic from more secure interfaces (higher security level) to access less secure interfaces (lower security level). Traffic from the less secure interfaces is blocked from accessing more secure interfaces.

67. What are two reasons to enable OSPF routing protocol authentication on a network? (Choose two.)

to ensure more efficient routing
to prevent data traffic from being redirected and then discarded
to ensure faster network convergence
to prevent redirection of data traffic to an insecure link
to provide data security through encryption

Explanation: The reason to configure OSPF authentication is to mitigate against routing protocol attacks like redirection of data traffic to an insecure link, and redirection of data traffic to discard it. OSPF authentication does not provide faster network convergence, more efficient routing, or encryption of data traffic.

68. A security awareness session is best suited for which topic?

required steps when reporting a breach of security
the primary purpose and use of password policies
steps used to configure automatic Windows updates
how to install and maintain virus protection

69. What provides both secure segmentation and threat defense in a Secure Data Center solution?

Cisco Security Manager software
AAA server
Adaptive Security Appliance
intrusion prevention system

70. Which two features should be configured on end-user ports in order to prevent STP manipulation attacks? (Choose two.)

root guard
UDLD
BPDU guard
loop guard
PortFast

71. What is a characteristic of most modern viruses?

They are usually found attached to online games.
Email viruses are the most common type of them.
They replicate themselves and locate new targets.
They are responsible for some of the most destructive Internet attacks.

72. Which statement describes a characteristic of the Security Device Event Exchange (SDEE) feature supported by the Cisco IOS IPS?

SDEE notification is disabled by default. It does not receive and process events from the Cisco IOS IPS unless SDEE notification is enabled.
SDEE notification is enabled by default. It receives and processes events from the Cisco IOS IPS and sends them to a syslog server.
SDEE notification is enabled by default. It receives and processes events from the Cisco IOS IPS and stores them in a buffer.
SDEE notification is disabled by default. It starts receiving and processing events from the Cisco IOS IPS as soon as an attack signature is detected.

73. Which network security tool allows an administrator to test and detect weak passwords?

L0phtcrack
Tripwire
Nessus
Metasploit

Explanation: L0phtcrack can be used to perform password auditing and recovery. Nessus can scan systems for software vulnerabilities. Metasploit is used for penetration testing and IDS signature development. Tripwire is used to assess if network devices are compliant with network security policies.

74. What is an advantage of logging packets that are seen by an IPS device?

Packets from the IP address that triggered the logging are denied once logging begins.
Administrators can decide what actions can be taken in the future.
Administrators can use the brief summary that is generated to quickly determine how to handle the packets.
Attacker packets can be stopped immediately.

75. Which procedure is recommended to mitigate the chances of ARP spoofing?

Enable DHCP snooping on selected VLANs.
Enable IP Source Guard on trusted ports.
Enable DAI on the management VLAN.
Enable port security globally.

Explanation: To mitigate the chances of ARP spoofing, these procedures are recommended:
– Implement protection against DHCP spoofing by enabling DHCP snooping globally.
– Enable DHCP snooping on selected VLANs.
– Enable DAI on selected VLANs.
– Configure trusted interfaces for DHCP snooping and ARP inspection. Untrusted ports are configured by default.

76. In a server-based AAA implementation, which protocol will allow the router to successfully communicate with the AAA server?

RADIUS
802.1x
SSH
TACACS

Explanation: With a server-based method, the router accesses a central AAA server using either the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS+) protocol. SSH is a protocol used for remote login. 802.1x is a protocol used in port-based authentication. TACACS is a legacy protocol and is no longer used.

77. A network technician is attempting to resolve problems with the NAT configuration on an ASA. The technician generates a ping from an inside host to an outside host. Which command verifies that addresses are being translated on the ASA?

show ip nat translation
show running-config
show xlate
show ip address

78. What are three components of a technical security policy? (Choose three.)

human resource policy
acceptable use policy
remote access policy
identity policy
network access policy
end user policy

79. Which security policy outlines the overall security goals for managers and technical personnel within an organization and includes the consequences of noncompliance with the policy?

end-user policy
application policy
governing policy
technical policy

80. What is a secure configuration option for remote access to a network device?

Configure 802.1x.
Configure Telnet.
Configure SSH.
Configure an ACL and apply it to the VTY lines.

81. On what switch ports should BPDU guard be enabled to enhance STP stability?

only ports that attach to a neighboring switch
all PortFast-enabled ports
all trunk ports that are not root ports
only ports that are elected as designated ports

Explanation: End-user ports should connect only to end-user devices and not to other switches. To prevent a switch from being added to the network on an end-user port, BPDU guard will immediately put the port into the error-disabled state if a BPDU is received on that port. However, if PortFast is not configured on an end-user port, BPDU guard is not activated on that port.

82. Which feature is specific to the Security Plus upgrade license of an ASA 5505 and provides increased availability?

redundant ISP connections
routed mode
transparent mode
stateful packet inspection

83. A company deploys a hub-and-spoke VPN topology where the security appliance is the hub and the remote VPN networks are the spokes. Which VPN method should be used in order for one spoke to communicate with another spoke through the single public interface of the security appliance?

split tunneling
MPLS
GRE
Hairpinning

84. What are two drawbacks in assigning user privilege levels on a Cisco router? (Choose two.)

Privilege levels must be set to permit access control to specific device interfaces, ports, or slots.
Assigning a command with multiple keywords allows access to all commands using those keywords.
Only a root user can add or remove commands.
Commands from a lower level are always executable at a higher level.
AAA must be enabled.

Explanation: Privilege levels may not provide desired flexibility and specificity because higher levels always inherit commands from lower levels, and commands with multiple keywords give the user access to all commands available for each keyword. Privilege levels cannot specify access control to interfaces, ports, or slots. AAA is not required to set privilege levels, but is required in order to create role-based views. The role of root user does not exist in privilege levels.

85. Which two types of hackers are typically classified as grey hat hackers? (Choose two.)

script kiddies
vulnerability brokers
cyber criminals
state-sponsored hackers
hacktivists

Explanation: Grey hat hackers may do unethical or illegal things, but not for personal gain or to cause damage. Hacktivists use their hacking as a form of political or social protest, and vulnerability brokers hack to uncover weaknesses and report them to vendors. Depending on the perspective one possesses, state-sponsored hackers are either white hat or black hat operators. Script kiddies create hacking scripts to cause damage or disruption. Cyber criminals use hacking to obtain financial gain by illegal means.

86. What is the default preconfigured interface for the outside network on a Cisco ASA 5505?

VLAN 2
Ethernet 0/2
Ethernet 0/1
VLAN 1

87. A user successfully logs in to a corporate network via a VPN connection. Which part of the AAA process records that a certain user performed a specific operation at a particular date and time?

authentication
accounting
access
authorization

Explanation: The three parts of the AAA process are authentication, authorization, and accounting. The accounting function records information such as who logged in, when the user logged in and out, and what the user did with network resources.

88. What determines which switch becomes the STP root bridge for a given VLAN?

the lowest bridge ID
the highest MAC address
the highest priority
the lowest IP address

Explanation: STP uses a root bridge as a central point for all spanning tree calculations. To select a root bridge, STP conducts an election process. All switches in the broadcast domain participate in the election process. The switch with the lowest bridge ID, or BID, is elected as the root bridge. The BID is made up of a priority value, an extended system ID, and the MAC address of the switch.

89. What is a function of the GRE protocol?

to configure the set of encryption and hashing algorithms that will be used to transform the data sent through the IPsec tunnel
to provide encryption through the IPsec tunnel
to configure the IPsec tunnel lifetime
to encapsulate multiple OSI Layer 3 protocol packet types inside an IP tunnel

Explanation: The transform set is the set of encryption and hashing algorithms that will be used to transform the data sent through the IPsec tunnel. GRE supports multiprotocol tunneling. It can encapsulate multiple OSI Layer 3 protocol packet types inside an IP tunnel. Routing protocols that are used across the tunnel enable dynamic exchange of routing information in the virtual network. GRE does not provide encryption.

90. What is used to determine the root bridge when the priority of the switches is the same?

the MAC address with the highest hexadecimal value
the lowest IP address
the Layer 2 address with the lowest hexadecimal value
the highest BID

91. What algorithm type is used to protect data in transit?

Hashing algorithm

92. What type of ACL is designed for use in the configuration of an ASA to support filtering for clientless SSL VPNs?

Webtype
Standard
Ethertype
Extended

Explanation: Webtype access lists are used in ASA configurations to support filtering for clientless SSL VPNs. Standard ACLs used in ASA configurations typically identify destination IPs in OSPF routes. Extended ACLs are the most common type of ACL, and are not specifically designed for use with clientless SSL VPNs. Ethertype ACLs can only be configured if the ASA is running in transparent mode.

93. The following authentication configuration is applied to a router.
aaa authentication login default tacacs+ local enable none
Several days later the TACACS+ server goes off-line. Which method will be used to authenticate users?

none
manually configured vty line password
local username/password database
default

94. A security technician is evaluating a new operations security proposal designed to limit access to all servers. What is an advantage of using network security testing to evaluate the new proposal?

Network security testing proactively evaluates the effectiveness of the proposal before any real threat occurs.
Network security testing is most effective when deploying new security proposals.
Network security testing is specifically designed to evaluate administrative tasks involving server and workstation access.
Network security testing is simple because it requires just one test to evaluate the new proposal.

Explanation: Network security testing can evaluate the effectiveness of an operations security solution without having to wait for a real threat to take place. However, this type of testing should be conducted periodically, versus just once. It is effective to evaluate many different tasks when it is conducted during both the implementation and operational stages.

95. Which security implementation will provide management plane protection for a network device?

role-based access control
antispoofing
routing protocol authentication
access control lists

Explanation: Management plane processes typically use protocols such as Telnet and SSH. Role-based access control ensures that only authorized users have management privileges. ACLs perform packet filtering and antispoofing functions on the data plane to secure packets generated by users. Routing protocol authentication on the control plane ensures that a router does not accept false routing updates from neighbor routers.

96. What two new features are offered by Cisco ASA 5500-X with FirePOWER service when compared with the original ASA 5500 series? (Choose two.)

IPsec VPN
advanced malware protection
security level settings
stateful firewall
application control and URL filtering

Explanation: The Cisco ASA 5500-X series with FirePOWER service merges the ASA 5500 series appliances with some new features such as advanced malware protection as well as application control and URL filtering. The stateful firewall, IPsec VPN, and security level settings are functions common to both ASA 5500 and ASA 5500-X series devices.

97. Which two statements describe the 8 Ethernet ports in the backplane of a Cisco ASA 5506-X device? (Choose two.)

These ports all require IP addresses.
They all can be configured as routed ports or switch ports.
They are all routed ports.
Port 1 is a routed port and the rest are switch ports.
Three of them are routed ports and 5 of them are switch ports.

Explanation: Unlike the ASA 5505, the ASA 5506-X does not use switch ports. All Ethernet ports in the backplane are routed and require IP addresses.

98. An administrator assigned a level of router access to the user ADMIN using the commands below.

Router(config)# privilege exec level 14 show ip route
Router(config)# enable algorithm-type scrypt secret level 14 cisco-level
Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret

Which two actions are permitted to the user ADMIN? (Choose two.)

The user can only execute the subcommands under the show ip route command.
The user can execute all subcommands under the show ip interfaces command.
The user can issue all commands because this privilege level can execute all Cisco IOS commands.
The user can issue the ip route command.
The user can issue the show version command.

Explanation: Assigning a command such as show ip route to a specific privilege level automatically assigns all commands associated with the first few keywords to the specified privilege level. So, the show and the show ip commands are automatically set to the privilege level where show ip route is set, which is necessary because the show ip route command cannot be executed without access to the show and show ip commands. Assigning the show ip route command allows the user to issue all show commands, such as show version.

99. Refer to the exhibit. The administrator wants to enable port security on an interface on switch S1, but the command was rejected. Which conclusion can be drawn?

The interface must be initially configured with the switchport mode trunk command.
The interface needs to be configured initially with an IP address.
The interface needs to be previously configured with the no shutdown command.
The interface must be initially configured with the switchport mode access command.

Explanation: To enable port security, use the switchport port-security interface configuration command on an access port. By default, Layer 2 switch ports are set to dynamic auto (trunking on); therefore, the port must be initially configured as an access port before port security can be enabled.


16 COMMENTS

almaw, 3 years ago

An administrator assigned a level of router access to the user ADMIN using the commands below.
Router(config)# privilege exec level 14 show ip route
Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10
Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10
Which two actions are permitted to the user ADMIN? (Choose two.)

The user can only execute the subcommands under the show ip route command.
The user can execute all subcommands under the show ip interfaces command.
The user can issue all commands because this privilege level can execute all Cisco IOS commands.
The user can issue the ip route command.
The user can issue the show version command.

Assigning a command such as show ip route to a specific privilege level automatically assigns all commands associated with the first few keywords to the specified privilege level. So, the show and the show ip commands are automatically set to the privilege level where show ip route is set, which is necessary because the show ip route command cannot be executed without access to the show and show ip commands. Assigning the show ip route command allows the user to issue all show commands, such as show version.

swefd, 3 years ago

A network administrator enters the single-connection command. What effect does this command have on AAA operation?

allows a new TCP session to be established for every authorization request
authorizes connections based on a list of IP addresses configured in an ACL on a Cisco ACS server
allows a Cisco ACS server to minimize delay by establishing persistent TCP connections
allows the device to establish only a single connection with the AAA-enabled server

Omar, 3 years ago

Hi there, please tell me the exam has been updated for 2020, I've got an exam today.

Jon Smith, 4 years ago

What two new features are offered by Cisco ASA 5500-X with FirePOWER service when compared with the original ASA 5500 series? (Choose two.)
IPsec VPN
advanced malware protection
security level settings
stateful firewall
application control and URL filtering

Jon Smith, 4 years ago

The graphic shows configuration commands on R1:
R1(config)# enable secret level 15 LetMeIn2
R1(config)# username ADMIN secret 1sThePassWd
R1(config)# aaa new-model
R1(config)# tacacs server SVR-T
R1(config-server-tacacs)# address ipv4 192.168.100.250
R1(config-server-tacacs)# single-connection
R1(config-server-tacacs)# key T-Pa55w0rd
R1(config-server-tacacs)# exit
R1(config)# radius server SVR-R
R1(config-radius-server)# address ipv4 192.168.100.252 auth-port 1812 acct-port 1813
R1(config-radius-server)# key R-Pa55w0rd
R1(config-radius-server)# exit
R1(config)# aaa authentication login default group tacacs enable
R1(config)# aaa authentication login AUTHEN group radius local enable
R1(config)# line vty 0 15
R1(config-line)# login authentication AUTHEN
R1(config-line)# line console 0
R1(config-line)# login authentication default
R1(config-line)# end
Refer to the exhibit. A network administrator configures AAA authentication on router R1. The ACS servers are configured and running. The administrator tests the configuration by telneting to R1. What will happen if the administrator attempts to authenticate through the RADIUS server using incorrect credentials?
The username and password of the local user database could be used in the next login attempt.
The authentication process stops.
The enable secret password and a random username could be used in the next login attempt.
The enable secret password could be used in the next login attempt.

Jon Smith, 4 years ago

An administrator workstation connects to a switch that connects to the Fa0/0 port of RouterA. RouterA connects to RouterB through serial interfaces labeled S0/0/1 on both routers. The following configuration is applied to RouterB.
RouterB(config)# enable secret class123
RouterB(config)# username admin secret Cisco123
RouterB(config)# aaa new-model
RouterB(config)# aaa authentication login default local-case line enable none
RouterB(config)# aaa authentication login telnet local-case
RouterB(config)# line vty 0 4
RouterB(config)# login authentication telnet
Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router by using the password cisco123. What is a possible cause of the problem?
The wrong vty lines are configured.
AAA authorization is not configured.
The administrator has used the wrong password.
The administrator does not have enough rights on the PC that is being used.

Jon Smith, 4 years ago

Which two statements describe the 8 Ethernet ports in the backplane of a Cisco ASA 5506-X device? (Choose two.)
These ports all require IP addresses.
They all can be configured as routed ports or switch ports.
They are all routed ports.
Port 1 is a routed port and the rest are switch ports.
Three of them are routed ports and 5 of them are switch ports.

korean, 6 years ago

There is a wrong answer for question 10. It needs two answers, but there is only one answer. Thank you.

Adriano, 7 years ago

Could you please update the final exam security version 2 answers to this month, September 2016?

Fernando, 7 years ago

Are all these questions and answers correct?

Josepht, 7 years ago

Do you have practical questions for Cisco CCNA Security?

ITExamAnswers.net Copyright © 2023.
CCNA Security v2.0 Final Answers - Implementing Network Security 20/12/2023, 7:43 AM

CCNA Security V2.0 Final Answers – Implementing Network Security
Last updated Feb 18, 2019

CCNA Security Final Exam Answers


1. Why are DES keys considered weak keys?
They are more resource intensive.
DES weak keys use very long key sizes.
They produce identical subkeys.*
DES weak keys are difficult to manage.

2. What is a benefit of using a next-generation firewall rather than a stateful firewall?
reactive protection against Internet attacks
granularity control within applications*
support of TCP-based packet filtering
support for logging

3. A network administrator enters the single-connection command. What effect does this command have on AAA operation?
allows a new TCP session to be established for every authorization request
authorizes connections based on a list of IP addresses configured in an ACL on a Cisco ACS server
allows a Cisco ACS server to minimize delay by establishing persistent TCP connections*
allows the device to establish only a single connection with the AAA-enabled server

4. Which two practices are associated with securing the features and
performance of router operating systems? (Choose two.)
Install a UPS.
Keep a secure copy of router operating system images.*
Configure the router with the maximum amount of memory
possible.*
Disable default router services that are not necessary.
Reduce the number of ports that can be used to access the router.

https://ccnasec.com/ccna-security-v2-0-final-answers-implementing-network-security.html Page 1 of 16

5. Which statement describes a characteristic of the IKE protocol?
It uses UDP port 500 to exchange IKE information between the security gateways.*
IKE Phase 1 can be implemented in three different modes: main, aggressive, or quick.
It allows for the transmission of keys directly across a network.
The purpose of IKE Phase 2 is to negotiate a security association between two IKE peers.

6. Refer to the exhibit. If a network administrator is using ASDM to configure a site-to-site VPN between the CCNAS-ASA and R3, which IP address would the administrator use for the peer IP address textbox on the ASA if data traffic is to be encrypted between the two remote LANs?

209.165.201.1*
192.168.1.3
172.16.3.1
172.16.3.3
192.168.1.1

7. Refer to the exhibit. Based on the security levels of the interfaces on the ASA, what statement correctly describes the flow of traffic allowed on the interfaces?

Traffic that is sent from the LAN and the Internet to the DMZ is considered inbound.
Traffic that is sent from the DMZ and the Internet to the LAN is considered outbound.
Traffic that is sent from the LAN to the DMZ is considered inbound.
Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.*

8. What two assurances does digital signing provide about code that is
downloaded from the Internet? (Choose two.)
The code contains no errors.
The code contains no viruses.
The code has not been modified since it left the software
publisher.*
The code is authentic and is actually sourced by the publisher.*
The code was encrypted with both a private and public key.

9. What is a result of securing the Cisco IOS image using the Cisco IOS
Resilient Configuration feature?
When the router boots up, the Cisco IOS image is loaded from a secured
FTP location.
The Cisco IOS image file is not visible in the output of the show
flash command.*
The Cisco IOS image is encrypted and then automatically backed up to
the NVRAM.
The Cisco IOS image is encrypted and then automatically backed up to a
TFTP server.

10. The corporate security policy dictates that the traffic from the remote-access VPN clients must be separated between trusted traffic that is destined for the corporate subnets and untrusted traffic destined for the public Internet. Which VPN solution should be implemented to ensure compliance with the corporate policy?
MPLS
hairpinning
GRE
split tunneling*

11. Which two conditions must be met in order for a network administrator to be able to remotely manage multiple ASAs with Cisco ASDM? (Choose two.)
The ASAs must all be running the same ASDM version.*
Each ASA must have the same enable secret password.
Each ASA must have the same master passphrase enabled.
The ASAs must be connected to each other through at least one inside interface.
ASDM must be run as a local application.*

12. What is negotiated in the establishment of an IPsec tunnel between two IPsec hosts during IKE Phase 1?
ISAKMP SA policy*
DH groups
interesting traffic
transform sets

13. What are two benefits of using a ZPF rather than a Classic Firewall?
(Choose two.)
ZPF allows interfaces to be placed into zones for IP inspection.
The ZPF is not dependent on ACLs.*
Multiple inspection actions are used with ZPF.
ZPF policies are easy to read and troubleshoot.*
With ZPF, the router will allow packets unless they are explicitly blocked.

14. Which security policy characteristic defines the purpose of standards?
step-by-step details regarding methods to deploy company switches
recommended best practices for placement of all company switches
required steps to ensure consistent configuration of all company switches*
list of suggestions regarding how to quickly configure all company switches

15. What algorithm is used to provide data integrity of a message through the use of a calculated hash value?
RSA
DH
AES
HMAC*

16. On which port should Dynamic ARP Inspection (DAI) be configured on a switch?
an uplink port to another switch*
on any port where DHCP snooping is disabled
any untrusted port
access ports only

17. What is a feature of a Cisco IOS Zone-Based Policy Firewall?
A router interface can belong to only one zone at a time.*
Service policies are applied in interface configuration mode.
Router management interfaces must be manually assigned to the self zone.
The pass action works in multiple directions.

18. Which security implementation will provide control plane protection for a network device?
encryption for remote access connections
AAA for authenticating management access
routing protocol authentication*
NTP for consistent timestamps on logging messages

19. What is the one major difference between local AAA authentication
and using the login local command when configuring device access
authentication?
Local AAA authentication provides a way to configure backup
methods of authentication, but login local does not.*
The login local command requires the administrator to manually
configure the usernames and passwords, but local AAA authentication
does not.
Local AAA authentication allows more than one user account to be
configured, but login local does not.
The login local command uses local usernames and passwords stored
on the router, but local AAA authentication does not.

20. Refer to the exhibit. A network administrator configures AAA authentication on R1. The administrator then tests the configuration by telneting to R1. The ACS servers are configured and running. What will happen if the authentication fails?

The enable secret password could be used in the next login attempt.
The authentication process stops.*
The username and password of the local user database could be used in the next login attempt.
The enable secret password and a random username could be used in the next login attempt.

21. What are two tasks that can be accomplished with the Nmap and
Zenmap network tools? (Choose two.)
password recovery
password auditing
identification of Layer 3 protocol support on hosts*
TCP and UDP port scanning*
validation of IT system configuration


22. Which Cisco IOS subcommand is used to compile an IPS signature into memory?
retired true
event-action produce-alert
retired false*
event-action deny-attacker-inline

23. Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router by using the password cisco123. What is a possible cause of the problem?

The Telnet connection between RouterA and RouterB is not working correctly.
The password cisco123 is wrong.*
The administrator does not have enough rights on the PC that is being used.
The enable password and the Telnet password need to be the same.

24. Refer to the exhibit. The ip verify source command is applied on untrusted interfaces. Which type of attack is mitigated by using this configuration?

DHCP spoofing
DHCP starvation
STP manipulation
MAC and IP address spoofing*

25. Refer to the exhibit. Which conclusion can be made from the show crypto map command output that is shown on R1?

The crypto map has not yet been applied to an interface.*
The current peer IP address should be 172.30.2.1.
There is a mismatch between the transform sets.
The tunnel configuration was established and can be tested with extended pings.

26. What type of algorithms require sender and receiver to exchange a secret key that is used to ensure the confidentiality of messages?
symmetric algorithms*
hashing algorithms
asymmetric algorithms
public key algorithms

27. What is an advantage in using a packet filtering firewall versus a high-end firewall appliance?
Packet filters perform almost all the tasks of a high-end firewall at a fraction of the cost.*
Packet filters provide an initial degree of security at the data-link and network layer.
Packet filters represent a complete firewall solution.
Packet filters are not susceptible to IP spoofing.

28. Refer to the exhibit. In the network that is shown, which AAA command logs the use of EXEC session commands?

aaa accounting network start-stop group tacacs+
aaa accounting network start-stop group radius
aaa accounting connection start-stop group radius
aaa accounting exec start-stop group radius
aaa accounting connection start-stop group tacacs+
aaa accounting exec start-stop group tacacs+*

29. Which interface option could be set through ASDM for a Cisco ASA?
default route
access list
VLAN ID*
NAT/PAT

30. What are two characteristics of a stateful firewall? (Choose two.)
uses connection information maintained in a state table*
uses static packet filtering techniques
analyzes traffic at Layers 3, 4 and 5 of the OSI model*
uses complex ACLs which can be difficult to configure
prevents Layer 7 attacks

31. What are three characteristics of SIEM? (Choose three.)
can be implemented as software or as a service*
Microsoft port scanning tool designed for Windows
examines logs and events from systems and applications to
detect security threats*
consolidates duplicate event data to minimize the volume of
gathered data*
uses penetration testing to determine most network vulnerabilities
provides real-time reporting for short-term security event analysis

32. Which type of traffic is subject to filtering on an ASA 5505 device?
public Internet to inside
public Internet to DMZ
inside to DMZ*
DMZ to inside

33. Which IDS/IPS signature alarm will look for packets that are destined
to or from a particular port?
honey pot-based
anomaly-based
signature-based*
policy-based

34. Which three actions can the Cisco IOS Firewall IPS feature be
configured to take when an intrusion activity is detected? (Choose
three.)
reset UDP connection
reset TCP connection*
alert*
isolate
inoculate
drop*

35. Which two protocols can be selected using the Cisco AnyConnect VPN
Wizard to protect the traffic inside a VPN tunnel? (Choose two.)
Telnet
SSH
SSL*
ESP
IPsec*

36. What is a characteristic of a role-based CLI view of router configuration?
When a superview is deleted, the associated CLI views are deleted.
A single CLI view can be shared within multiple superviews.*
A CLI view has a command hierarchy, with higher and lower views.
Only a superview user can configure a new view and add or remove
commands from the existing views.

37. Match the network security testing technique with how it is used to test network security. (Not all options are used.)
Penetration testing = used to determine the possible consequences of successful attacks on the network.*
Vulnerability scanning = used to find weaknesses and misconfigurations on network systems.*
Network scanning = used to discover available resources on the network.*

38. Which statement describes the use of certificate classes in the PKI?
A class 5 certificate is more trustworthy than a class 4
certificate.*
Email security is provided by the vendor, not by a certificate.
The lower the class number, the more trusted the certificate.
A vendor must issue only one class of certificates when acting as a CA.

39. Refer to the exhibit. An administrator issues these IOS login enhancement commands to increase the security for login connections. What can be concluded about them?

Because the login delay command was not used, a one-minute delay
between login attempts is assumed.
The hosts that are identified in the ACL will have access to the
device.*
The login block-for command permits the attacker to try 150 attempts
before being stopped to try again.
These enhancements apply to all types of login connections.

40. A company deploys a Cisco ASA with the Cisco CWS connector
enabled as the firewall on the border of corporate network. An
employee on the internal network is accessing a public website. What
should the employee do in order to make sure the web traffic is
protected by the Cisco CWS?
Register the destination website on the Cisco ASA.
Use the Cisco AnyConnect Secure Mobility Client first.
Use a web browser to visit the destination website.*
First visit a website that is located on a web server in the Cisco CWS
infrastructure.

41. An administrator assigned a level of router access to the user ADMIN using the commands below.
Router(config)# privilege exec level 14 show ip route
Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10
Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10
Which two actions are permitted to the user ADMIN? (Choose two.)

The user can execute all subcommands under the show ip interfaces command.*
The user can issue the show version command.*
The user can only execute the subcommands under the show ip route command.
The user can issue all commands because this privilege level can execute all Cisco IOS commands.
The user can issue the ip route command.

42. What mechanism is used by an ASA 5505 device to allow inspected outbound traffic to return to the originating sender who is on an inside network?
Network Address Translation
access control lists
security zones
stateful packet inspection*

43. Which two end points can be on the other side of an ASA site-to-site
VPN configured using ASDM? (Choose two.)
DSL switch
Frame Relay switch
ISR router*
another ASA*
multilayer switch

44. What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?
DHCP spoofing
ARP spoofing
VLAN hopping*
ARP poisoning

45. In an AAA-enabled network, a user issues the configure terminal command from the privileged executive mode of operation. What AAA function is at work if this command is rejected?
authorization*
authentication
auditing
accounting

46. An organization has configured an IPS solution to use atomic alerts. What type of response will occur when a signature is detected?
A counter starts and a summary alert is issued when the count reaches
a preconfigured number.
The TCP connection is reset.
An alert is triggered each time a signature is detected.*
The interface that triggered the alert is shutdown.

47. What two algorithms can be part of an IPsec policy to provide encryption and hashing to protect interesting traffic? (Choose two.)
PSK
DH
RSA
AES*
SHA*

48. Fill in the blank.
A stateful signature is also known as a composite* signature.

49. Why is hashing cryptographically stronger compared to a cyclical
redundancy check (CRC)?
Hashes are never sent in plain text.
It is easy to generate data with the same CRC.
It is virtually impossible for two different sets of data to calculate
the same hash output.*
Hashing always uses a 128-bit digest, whereas a CRC can be variable
length.
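
Added example, not from the original page: the distractor "It is easy to generate data with the same CRC" is in fact true, and this Python script shows why the correct answer rests on the hash and not on the checksum. CRC-32 is linear, so four bytes appended to a tampered message can force its checksum to equal the original's, while the SHA-256 digests of the two messages still differ. The messages are constructed for the example and `crc32_patch` is written here; it is not a library function.

```python
import hashlib
import zlib

# Constructed sample messages (not taken from the page).
ORIGINAL = b"transfer 100.00 to account 1234"
TAMPERED = b"transfer 999.00 to account 9999"


def _crc32_table():
    """Standard reflected CRC-32 lookup table (polynomial 0xEDB88320), as used by zlib."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc32_table()


def crc32_patch(prefix: bytes, target: int) -> bytes:
    """Return four bytes that, appended to prefix, make zlib.crc32(prefix + patch) == target.

    CRC-32 is linear: after four more input bytes the register depends only on
    which table rows those bytes selected, not on the register before them.
    Walk backwards from the wanted register to pick the rows, then forwards
    from the real register to pick the bytes that select those rows.
    """
    want = target ^ 0xFFFFFFFF            # zlib inverts the register on output
    rows = []
    cur = want
    for _ in range(4):
        # the high bytes of the 256 table rows are all distinct, so the row is unique
        row = next(i for i in range(256) if _TABLE[i] >> 24 == cur >> 24)
        rows.append(row)
        cur = ((cur ^ _TABLE[row]) << 8) & 0xFFFFFFFF
    rows.reverse()

    state = zlib.crc32(prefix) ^ 0xFFFFFFFF   # register after the prefix
    patch = bytearray()
    for row in rows:
        byte = (state ^ row) & 0xFF           # byte that selects this row
        patch.append(byte)
        state = _TABLE[row] ^ (state >> 8)    # the CRC update step
    return bytes(patch)


def forge_same_crc(original: bytes, tampered: bytes) -> bytes:
    """Tampered message plus a 4-byte suffix that gives it original's CRC-32."""
    return tampered + crc32_patch(tampered, zlib.crc32(original))


def compare(original: bytes, forged: bytes) -> dict:
    """Which integrity checks the forged message passes."""
    return {
        "crc32_match": zlib.crc32(original) == zlib.crc32(forged),
        "sha256_match": hashlib.sha256(original).digest() == hashlib.sha256(forged).digest(),
    }


if __name__ == "__main__":
    forged = forge_same_crc(ORIGINAL, TAMPERED)
    print(forged, compare(ORIGINAL, forged))
```

The four patch bytes land at the end of the message, which is why a CRC is fine for detecting accidental corruption but useless against a deliberate change; a cryptographic hash (and, for an active attacker, an HMAC with a secret key) is what a VPN or file-integrity tool has to use.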

50. A network analyst wants to monitor the activity of all new interns.
Which type of security testing would track when the interns sign on
and sign off the network?
vulnerability scanning
password cracking
network scanning
integrity checker*

51. Refer to the exhibit. What two pieces of information can be gathered
from the generated message? (Choose two.)

This message is a level five notification message.*
This message indicates that service timestamps have been globally enabled.*
This message indicates that enhanced security was configured on the
vty ports.
This message appeared because a major error occurred that requires
immediate action.
This message appeared because a minor error occurred that requires
further investigation.
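
Added example, not from the original page: a small Python parser for Cisco IOS syslog lines that extracts the facility, severity and mnemonic from the %FACILITY-SEVERITY-MNEMONIC header and reports whether the line carries a timestamp (present only once `service timestamps log datetime` is configured) and a sequence number (`service sequence-numbers`). The sample lines are constructed, only datetime-style timestamps are handled, and the `needs_attention` threshold is a choice made here, not a Cisco default. Severity 5 is notification; severities 0 to 2 are the ones that call for immediate action.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

# [seq: ][timestamp: ]%FACILITY-SEVERITY-MNEMONIC: text
# The sequence number and timestamp appear only when `service sequence-numbers`
# and `service timestamps log datetime [msec] [localtime|show-timezone]` are set.
_LINE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}"
    r"(?:\.\d{3})?(?: [A-Z]{3,4})?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)


@dataclass
class IosSyslog:
    sequence: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def timestamped(self) -> bool:
        return self.timestamp is not None

    @property
    def clock_authoritative(self) -> Optional[bool]:
        """IOS prefixes the time with '*' (clock never set) or '.' (NTP sync lost)."""
        if self.timestamp is None:
            return None
        return self.timestamp[0] not in "*."


def parse_ios_syslog(line: str) -> Optional[IosSyslog]:
    """Parse one IOS log line; return None for lines that are not syslog messages."""
    m = _LINE.match(line.strip())
    if m is None:
        return None
    return IosSyslog(
        sequence=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
    )


def needs_attention(lines: List[str], max_severity: int = 4) -> List[IosSyslog]:
    """Events at warning (4) or worse; lower numbers are more severe."""
    parsed = (parse_ios_syslog(line) for line in lines)
    return [e for e in parsed if e is not None and e.severity <= max_severity]


# Constructed sample lines (not from the page's exhibit).
SAMPLE_LINES = [
    "*Mar  1 00:04:13.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.10)",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "000045: Jan 12 2023 10:22:01.555 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    "[user: bob] [Source: 10.1.1.5] [localport: 22] [Reason: Login Authentication Failed]",
    "Router#show logging",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        event = parse_ios_syslog(line)
        if event is None:
            print("not a syslog line:", line)
            continue
        print(f"{event.facility}-{event.severity}-{event.mnemonic}: {event.severity_name}, "
              f"timestamped={event.timestamped}, clock ok={event.clock_authoritative}")
```

The `*` on the first sample line is worth noticing in real logs: the message is timestamped, so `service timestamps` is on, but the router's clock was never set, so the time cannot be correlated with other devices until NTP is configured.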

52. What is required for auto detection and negotiation of NAT when
establishing a VPN link?
Both VPN end devices must be configured for NAT.
No ACLs can be applied on either VPN end device.
Both VPN end devices must be NAT-T capable.*
Both VPN end devices must be using IPv6.

53. Refer to the exhibit. The network administrator is configuring the port
security feature on switch SWC. The administrator issued the
command show port-security interface fa 0/2 to verify the
configuration. What can be concluded from the output that is shown?
(Choose three.)

Three security violations have been detected on this interface.
This port is currently up.*
The port is configured as a trunk link.
Security violations will cause this port to shut down immediately.*
There is no device currently connected to this port.*
The switch port mode for this interface is access mode.

54. In which two instances will traffic be denied as it crosses the ASA
5505 device? (Choose two.)
traffic originating from the inside network going to the DMZ network
traffic originating from the inside network going to the outside network
traffic originating from the outside network going to the DMZ network
traffic originating from the DMZ network going to the inside
network*
traffic originating from the outside network going to the inside
network*

55. Refer to the exhibit. Based on the configuration that is shown, which
statement is true about the IPS signature category?

Only signatures in the ios_ips advanced category will be compiled into memory for scanning.
All signature categories will be compiled into memory for scanning, but only those signatures within the ios_ips advanced category will be used for scanning purposes.
All signature categories will be compiled into memory for scanning, but
only those signatures in the ios_ips basic category will be used for
scanning purposes.
Only signatures in the ios_ips basic category will be compiled
into memory for scanning.*

56. Which two ports can send and receive Layer 2 traffic from a
community port on a PVLAN? (Choose two.)
community ports belonging to other communities
promiscuous ports*
isolated ports within the same community
PVLAN edge protected ports
community ports belonging to the same community*

57. What is a feature of the TACACS+ protocol?
It utilizes UDP to provide more efficient packet transfer.
It combines authentication and authorization as one process.
It encrypts the entire body of the packet for more secure
communications.*
It hides passwords during transmission using PAP and sends the rest of
the packet in plaintext.

58. Which security measure is best used to limit the success of a reconnaissance attack from within a campus area network?
Implement restrictions on the use of ICMP echo-reply messages.
Implement a firewall at the edge of the network.
Implement access lists on the border router.
Implement encryption for sensitive traffic.*

59. What is the benefit of the network-based IPS (NIPS) over host-based
IPS (HIPS) deployment models?
NIPS provides individual host protection.
NIPS relies on centrally managed software agents.
NIPS monitors all operations within an operating system.
NIPS monitors network segments.*

60. What represents a best practice concerning discovery protocols such as CDP and LLDP on network devices?
Enable CDP on edge devices, and enable LLDP on interior devices.
Use the default router settings for CDP and LLDP.
Use the open standard LLDP rather than CDP.
Disable both protocols on all interfaces where they are not
required.*

61. What function is provided by the Tripwire network security tool?
password recovery
security policy compliance*
IDS signature development
logging of security events

62. What is the function of a policy map configuration when an ASA firewall is being configured?
binding class maps with actions*
identifying interesting traffic
binding a service policy to an interface
using ACLs to match traffic

63. If a network administrator wants to track the usage of FTP services, which keyword or keywords should be added to the aaa accounting command?
exec default
connection
exec*
network

64. What is indicated by the use of the local-case keyword in a local AAA
authentication configuration command sequence?
That AAA is enabled globally on the router.
That passwords and usernames are case-sensitive.*
That a default local database AAA authentication is applied to all lines.
That user access is limited to vty terminal lines.

65. What is the purpose of a local username database if multiple ACS servers are configured to provide authentication services?
Clients using internet services are authenticated by ACS servers,
whereas local clients are authenticated through a local username
database.
Each ACS server must be configured with a local username database in
order to provide authentication services.
A local username database is required when creating a method list for
the default login.
A local username database provides redundancy if ACS servers become unreachable.*

66. Refer to the exhibit. Based on the security levels of the interfaces on
ASA1, what traffic will be allowed on the interfaces?

Traffic from the Internet and LAN can access the DMZ.
Traffic from the Internet and DMZ can access the LAN.
Traffic from the Internet can access both the DMZ and the LAN.
Traffic from the LAN and DMZ can access the Internet.*

67. What are two reasons to enable OSPF routing protocol authentication on a network? (Choose two.)
to ensure more efficient routing
to prevent data traffic from being redirected and then discarded*
to ensure faster network convergence
to prevent redirection of data traffic to an insecure link*
to provide data security through encryption

68. A security awareness session is best suited for which topic?
required steps when reporting a breach of security
the primary purpose and use of password policies
steps used to configure automatic Windows updates
how to install and maintain virus protection*

69. What provides both secure segmentation and threat defense in a Secure Data Center solution?
Cisco Security Manager software
AAA server
Adaptive Security Appliance*
intrusion prevention system

70. Which two features should be configured on end-user ports in order to prevent STP manipulation attacks? (Choose two.)
root guard
UDLD
BPDU guard*
loop guard
PortFast*

71. What is a characteristic of most modern viruses?
They are usually found attached to online games.
Email viruses are the most common type of them.*
They replicate themselves and locate new targets.
They are responsible for some of the most destructive internet attacks.

72. Which statement describes a characteristic of the Security Device Event Exchange (SDEE) feature supported by the Cisco IOS IPS?
SDEE notification is disabled by default. It does not receive and
process events from the Cisco IOS IPS unless SDEE notification is
enabled.*
SDEE notification is enabled by default. It receives and processes events
from the Cisco IOS IPS and sends them to a syslog server.
SDEE notification is enabled by default. It receives and processes events
from the Cisco IOS IPS and stores them in a buffer.
SDEE notification is disabled by default. It starts receiving and processing
events from the Cisco IOS IPS as soon as an attack signature is detected.

73. Which network security tool allows an administrator to test and detect weak passwords?
L0phtcrack*
Tripwire
Nessus
Metasploit

74. What is an advantage of logging packets that are seen by an IPS device?
Packets from the IP address that triggered the logging are denied once logging begins.
Administrators can decide what actions can be taken in the
future.*
Administrators can use the brief summary that is generated to quickly
determine how to handle the packets.
Attacker packets can be stopped immediately.

75. Which procedure is recommended to mitigate the chances of ARP spoofing?
Enable DHCP snooping on selected VLANs.
Enable IP Source Guard on trusted ports.
Enable DAI on the management VLAN.*
Enable port security globally.
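
Added example covering questions 24 and 75, not from the original page: a Python model of how a switch uses the DHCP snooping binding table for Dynamic ARP Inspection and for IP Source Guard (`ip verify source port-security`). The topology, bindings, MAC addresses and port names are constructed. The model leaves out rate limiting, ARP ACLs and static bindings; here DAI checks an ARP packet's sender IP/MAC against the binding for that VLAN, while IPSG checks an IP packet's source against the binding on the ingress port, which is what stops a host that spoofs both a neighbour's MAC and IP.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table (MAC, IP, VLAN, port)."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Switch:
    trusted_ports: Set[str]      # uplinks toward the DHCP server / other switches
    bindings: List[Binding]      # learned by DHCP snooping on untrusted ports

    def _binding_for_ip(self, ip: str, vlan: int) -> Optional[Binding]:
        return next((b for b in self.bindings if b.ip == ip and b.vlan == vlan), None)

    def dai_check(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> Tuple[bool, str]:
        """Dynamic ARP Inspection: validate an ARP packet's sender MAC/IP against the table.

        Only untrusted ports are inspected; a sender with no lease, or one that claims
        another host's IP, is dropped before it can poison anyone's ARP cache."""
        if port in self.trusted_ports:
            return True, "trusted port: ARP not inspected"
        binding = self._binding_for_ip(sender_ip, vlan)
        if binding is None:
            return False, f"no binding for {sender_ip} in VLAN {vlan}"
        if binding.mac != sender_mac:
            return False, f"{sender_ip} is bound to {binding.mac}, not {sender_mac}"
        return True, "sender matches binding"

    def ipsg_check(self, port: str, vlan: int, src_mac: str, src_ip: str,
                   port_security: bool = True) -> Tuple[bool, str]:
        """IP Source Guard (`ip verify source [port-security]`): on an untrusted port only
        the IP bound to that port, and with port-security also its MAC, may send."""
        if port in self.trusted_ports:
            return True, "trusted port: source not verified"
        for b in self.bindings:
            if b.port == port and b.vlan == vlan and b.ip == src_ip:
                if port_security and b.mac != src_mac:
                    return False, f"{src_ip} on {port} is bound to {b.mac}, not {src_mac}"
                return True, "source matches binding on this port"
        return False, f"{src_ip} is not bound to {port}"


# Constructed topology: two access hosts with DHCP leases and one trusted uplink.
SWITCH = Switch(
    trusted_ports={"Gi0/1"},
    bindings=[
        Binding("00:11:22:33:44:55", "10.1.1.10", 10, "Fa0/2"),   # victim
        Binding("00:11:22:33:44:66", "10.1.1.11", 10, "Fa0/3"),   # attacker's own lease
    ],
)


def demo() -> dict:
    """Replay a few packets; keys name the scenario, values are (permitted, reason)."""
    s = SWITCH
    return {
        "legit_arp": s.dai_check("Fa0/2", 10, "00:11:22:33:44:55", "10.1.1.10"),
        "arp_claim_gateway": s.dai_check("Fa0/3", 10, "00:11:22:33:44:66", "10.1.1.1"),
        "arp_claim_victim_ip": s.dai_check("Fa0/3", 10, "00:11:22:33:44:66", "10.1.1.10"),
        "arp_on_uplink": s.dai_check("Gi0/1", 10, "aa:bb:cc:dd:ee:ff", "10.1.1.1"),
        "ip_spoof_victim_mac_and_ip": s.ipsg_check("Fa0/3", 10, "00:11:22:33:44:55", "10.1.1.10"),
        "ip_spoof_ip_only": s.ipsg_check("Fa0/3", 10, "00:11:22:33:44:66", "10.1.1.10"),
        "ip_legit": s.ipsg_check("Fa0/2", 10, "00:11:22:33:44:55", "10.1.1.10"),
    }


if __name__ == "__main__":
    for name, (permitted, reason) in demo().items():
        print(f"{name:30} {'PERMIT' if permitted else 'DROP  '} {reason}")
```

Both features depend on the binding table being complete, which is why DHCP snooping has to be enabled on the VLAN first and why the port toward the legitimate DHCP server must be trusted; a host with a static address needs a static binding or it will be dropped along with the attacker.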

76. In a server-based AAA implementation, which protocol will allow the router to successfully communicate with the AAA server?
RADIUS*
802.1x
SSH
TACACS

77. A network technician is attempting to resolve problems with the NAT configuration on an ASA. The technician generates a ping from an inside host to an outside host. Which command verifies that addresses are being translated on the ASA?
show ip nat translation
show running-config
show xlate*
show ip address

78. What are three components of a technical security policy? (Choose three.)
human resource policy
acceptable use policy*
remote access policy*
identity policy
network access policy*
end user policy

79. Which security policy outlines the overall security goals for managers
and technical personnel within an organization and includes the
consequences of noncompliance with the policy?
end-user policy
application policy
governing policy*
technical policy

80. What is a secure configuration option for remote access to a network device?
Configure 802.1x.
Configure Telnet.
Configure SSH.*
Configure an ACL and apply it to the VTY lines.

81. On what switch ports should BPDU guard be enabled to enhance STP
stability?
only ports that attach to a neighboring switch
all PortFast-enabled ports*
all trunk ports that are not root ports
only ports that are elected as designated ports

82. Which feature is specific to the Security Plus upgrade license of an ASA 5505 and provides increased availability?
redundant ISP connections*
routed mode
transparent mode
stateful packet inspection

83. A company deploys a hub-and-spoke VPN topology where the security appliance is the hub and the remote VPN networks are the spokes. Which VPN method should be used in order for one spoke to communicate with another spoke through the single public interface of the security appliance?
split tunneling
MPLS
GRE
Hairpinning*

84. What are two drawbacks in assigning user privilege levels on a Cisco
router? (Choose two.)
Privilege levels must be set to permit access control to specific device
interfaces, ports, or slots.
Assigning a command with multiple keywords allows access to
all commands using those keywords.*
Only a root user can add or remove commands.
Commands from a lower level are always executable at a higher
level.*
AAA must be enabled.
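
Added example for questions 41 and 84, not from the original page: a Python model of IOS privilege levels that replays the question 41 commands and then shows both drawbacks from question 84. It assumes a small default level table for the commands it uses and that a level placed on a keyword prefix such as `show ip` applies to every command beneath it; it is a model of the rule the questions test, not a reproduction of every IOS nuance.

```python
from typing import Dict

# Default EXEC levels for the commands used below (a small assumed subset of IOS).
DEFAULT_LEVELS: Dict[str, int] = {
    "show version": 1,
    "show ip interface": 1,
    "show ip route": 1,
    "ping": 1,
    "show running-config": 15,
    "configure terminal": 15,
}


class PrivilegeModel:
    """Keyword-prefix model of `privilege exec level` and `username ... privilege`."""

    def __init__(self) -> None:
        self.levels: Dict[str, int] = dict(DEFAULT_LEVELS)
        self.users: Dict[str, int] = {}

    def privilege_exec(self, level: int, command: str) -> None:
        """Router(config)# privilege exec level <level> <command>"""
        self.levels[command] = level

    def username(self, name: str, level: int) -> None:
        """Router(config)# username <name> privilege <level> ..."""
        self.users[name] = level

    def required_level(self, command: str) -> int:
        """Highest level set on any keyword prefix of the command: a level placed on
        `show ip` therefore covers every `show ip ...` command (question 84)."""
        words = command.split()
        prefixes = (" ".join(words[:n]) for n in range(1, len(words) + 1))
        found = [self.levels[p] for p in prefixes if p in self.levels]
        return max(found) if found else 15        # unknown commands: privileged (assumption)

    def can_run(self, user: str, command: str) -> bool:
        """A user may run anything at or below their level (question 84's other drawback)."""
        return self.users[user] >= self.required_level(command)


def demo() -> Dict[str, bool]:
    """Question 41's configuration, then the question 84 multi-keyword pitfall."""
    ios = PrivilegeModel()
    ios.privilege_exec(14, "show ip route")   # privilege exec level 14 show ip route
    ios.username("ADMIN", 14)                 # username ADMIN privilege 14 ...
    ios.username("guest", 1)
    out = {
        "ADMIN show version": ios.can_run("ADMIN", "show version"),
        "ADMIN show ip route": ios.can_run("ADMIN", "show ip route"),
        "ADMIN show ip interface brief": ios.can_run("ADMIN", "show ip interface brief"),
        "ADMIN configure terminal": ios.can_run("ADMIN", "configure terminal"),
        "guest show ip route": ios.can_run("guest", "show ip route"),
        "guest show ip interface brief": ios.can_run("guest", "show ip interface brief"),
    }
    ios.privilege_exec(14, "show ip")         # multi-keyword assignment: every show ip command moves
    out["guest show ip interface brief, after show ip moved"] = ios.can_run("guest", "show ip interface brief")
    out["guest ping, after show ip moved"] = ios.can_run("guest", "ping 10.0.0.1")
    return out


if __name__ == "__main__":
    for check, permitted in demo().items():
        print(f"{'yes' if permitted else 'no ':3} {check}")
```

The second half is the reason the curriculum steers toward role-based CLI views: with levels alone there is no way to give ADMIN `show ip route` without also giving ADMIN every level 1 command, and no way to lift `show ip` to level 14 without taking `show ip interface` away from level 1 users.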

85. Which two types of hackers are typically classified as grey hat
hackers? (Choose two.)
script kiddies
vulnerability brokers*
cyber criminals
state-sponsored hackers
hacktivists*

86. What is the default preconfigured interface for the outside network on
a Cisco ASA 5505?
VLAN 2*
Ethernet 0/2
Ethernet 0/1
VLAN 1

87. A user successfully logs in to a corporate network via a VPN connection. Which part of the AAA process records that a certain user performed a specific operation at a particular date and time?
authentication
accounting*
access
authorization

88. What determines which switch becomes the STP root bridge for a given VLAN?
the lowest bridge ID*
the highest MAC address
the highest priority
the lowest IP address

89. What is a function of the GRE protocol?
to configure the set of encryption and hashing algorithms that will be used to transform the data sent through the IPsec tunnel
used to transform the data sent through the IPsec tunnel
to provide encryption through the IPsec tunnel
to configure the IPsec tunnel lifetime
to encapsulate multiple OSI Layer 3 protocol packet types inside
an IP tunnel*

90. What is used to determine the root bridge when the priority of the
switches are the same?
the MAC address with the highest hexadecimal value
the lowest ip address
the layer 2 address with the lowest hexadecimal value*
the highest BID

91. Which type of algorithm is used to protect the integrity of data in transit?
Hashing algorithm*

92. What type of ACL is designed for use in the configuration of an ASA to
support filtering for clientless SSL VPN’s?
Webtype*
Standard
Ethertype
Extended

93. The following authentication configuration is applied to a router.
aaa authentication login default tacacs+ local enable none
Several days later the TACACS+ server goes off-line. Which method will be used to authenticate users?

none
manually configured vty line password
local username/password database*
default
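
Added example, not from the original page: a Python model of the IOS login method list from question 93. The rule that decides the answer is that the list advances to the next method only when a method returns an error (server unreachable, no database to consult), never when it returns a reject, so with the TACACS+ server off-line the `local` database answers, and `enable` and `none` are reached only if every method before them is unavailable. Server names, usernames and passwords are constructed; the method is spelled `tacacs+` as the page has it, although current IOS writes it `group tacacs+`.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Outcome(Enum):
    PASS = "pass"     # credentials accepted
    FAIL = "fail"     # credentials rejected: stop here, do not try the next method
    ERROR = "error"   # method unavailable (server unreachable, empty db): try the next method


@dataclass
class TacacsServer:
    name: str
    users: Dict[str, str]
    reachable: bool = True


@dataclass
class AaaRouter:
    """Model of `aaa authentication login default <m1> <m2> ...`: methods are tried in
    order, and the list only advances on ERROR, never on FAIL."""
    method_list: List[str]
    tacacs: List[TacacsServer] = field(default_factory=list)
    local_users: Dict[str, str] = field(default_factory=dict)
    enable_secret: str = ""

    def _tacacs(self, user: str, pw: str) -> Outcome:
        for srv in self.tacacs:
            if srv.reachable:
                return Outcome.PASS if srv.users.get(user) == pw else Outcome.FAIL
        return Outcome.ERROR                      # every server timed out

    def _local(self, user: str, pw: str) -> Outcome:
        if not self.local_users:
            return Outcome.ERROR                  # assumption: an empty local db counts as unavailable
        return Outcome.PASS if self.local_users.get(user) == pw else Outcome.FAIL

    def _enable(self, user: str, pw: str) -> Outcome:
        if not self.enable_secret:
            return Outcome.ERROR
        return Outcome.PASS if pw == self.enable_secret else Outcome.FAIL

    @staticmethod
    def _none(user: str, pw: str) -> Outcome:
        return Outcome.PASS                       # no authentication at all

    def login(self, user: str, pw: str) -> Tuple[bool, str]:
        """Return (granted, method that made the decision)."""
        handlers = {"tacacs+": self._tacacs, "group tacacs+": self._tacacs,
                    "local": self._local, "enable": self._enable, "none": self._none}
        for method in self.method_list:
            outcome = handlers[method](user, pw)
            if outcome is Outcome.ERROR:
                continue                          # fall through to the next method
            return outcome is Outcome.PASS, method
        return False, "no method available"       # every method errored: deny


def scenario() -> Dict[str, Tuple[bool, str]]:
    """Question 93's list with the TACACS+ server up, then off-line."""
    acs = TacacsServer("acs1", users={"alice": "T@c4cs"})
    r = AaaRouter(["tacacs+", "local", "enable", "none"], tacacs=[acs],
                  local_users={"alice": "L0cal!"}, enable_secret="En@ble")
    out = {}
    out["server up, tacacs password"] = r.login("alice", "T@c4cs")
    out["server up, local password"] = r.login("alice", "L0cal!")    # rejected: no fallback on FAIL
    acs.reachable = False
    out["server down, local password"] = r.login("alice", "L0cal!")  # ERROR, so local decides
    out["server down, wrong password"] = r.login("alice", "nope")    # local FAIL: enable/none never reached
    weak = AaaRouter(["tacacs+", "none"], tacacs=[acs])
    out["server down, 'none' next"] = weak.login("mallory", "anything")  # why 'none' is dangerous
    return out


if __name__ == "__main__":
    for case, (granted, method) in scenario().items():
        print(f"{case:32} {'granted' if granted else 'denied '} by {method}")
```

The last case is the practical warning behind the question: `none` at the end of a list is not a harmless default, it is an open door whenever every server and database before it is unreachable, which is exactly the condition an attacker who can disrupt the path to the AAA server can create.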

94. A security technician is evaluating a new operations security proposal designed to limit access to all servers. What is an advantage of using network security testing to evaluate the new proposal?
Network security testing proactively evaluates the effectiveness
of the proposal before any real threat occurs.*
Network security testing is most effective when deploying new security
proposals.
Network security testing is specifically designed to evaluate
administrative tasks involving server and workstation access.
Network security testing is simple because it requires just one test to
evaluate the new proposal.

95. Which security implementation will provide management plane protection for a network device?
role-based access control*
antispoofing
routing protocol authentication
access control lists

© 2023 - CCNASec. All Rights Reserved. Website Design: BetterStudio
