
640 - 442

Leading the way in IT testing and certification tools, www.testking.com


- 1 -
640-442
Managing Cisco Network
Security (MCNS)





Version 1.0





Important Note
Please Read Carefully

Study Tips
This product will provide you questions and answers along with detailed explanations
carefully compiled and written by our experts. Try to understand the concepts behind the
questions instead of cramming the questions. Go through the entire document at least twice so
that you make sure that you are not missing anything.

Latest Version
We are constantly reviewing our products. New material is added and old material is revised.
Free updates are available for 90 days after the purchase. You should check the products page
on the TestKing web site for an update 3-4 days before the scheduled exam date.


Here is the procedure to get the latest version:

1. Go to www.testking.com
2. Click on Login (upper right corner)
3. Enter e-mail and password
4. The latest versions of all purchased products are downloadable from here. Just click the links.


For most updates, it is enough just to print the new questions at the end of the new version,
not the whole document.

Feedback
Feedback on specific questions should be sent to You should state:


1. Exam number and version.
2. Question number.
3. Order number and login ID.

Our experts will answer your mail promptly.

Copyright
Each pdf file contains a unique serial number associated with your particular name and
contact information for security purposes. So if we find out that a particular pdf file is being
distributed by you, TestKing reserves the right to take legal action against you according to
the International Copyright Laws.



QUESTION NO: 1
What are three commands that can be used in enabling NAT? (Choose three)

A. nat
B. static
C. global
D. conduit
E. xlate enable



Answer: A, B, C



QUESTION NO: 2
Which three databases are supported by the Cisco Secure ACS for UNIX? (Choose three)

A. Oracle
B. Sybase
C. NDS (Novell)
D. SQL Anywhere
E. Windows NT user database


Answer: A, B, D



QUESTION NO: 3
Given the following debug output:
1d16h: %UPLINK-3-UPDOWN: Interface Serial3/0, changed state to up
*Mar 2 16:52:297: Se3/0 PPP: Treating connection as a dedicated line
*Mar 2 16:52:441: Se3/0 PPP: Phase is AUTHENTICATING, by this end
*Mar 2 16:52:445: Se3/0 CHAP: O CHALLENGE id 7 len 29 from "NASx


Which two statements are true? (Choose two)

A. The user ID is NASx.
B. This is a connection attempt to an async port.
C. The connection is established on serial interface 3/0.
D. The user is authenticating using Challenge Handshake Authentication Protocol (CHAP).
E. The client is attempting to set up a Serial Line Internet Protocol (SLIP) connection.


Answer: C, D



QUESTION NO: 4
To ensure compatibility with IPSec when using Internet Key Exchange (IKE), what must be allowed through an access list (ACL)?

A. IP protocol 50 and TCP port 500
B. IP protocol 50 and UDP port 51
C. IP protocol 51, TCP port 500 and UDP port 50
D. IP protocol 50, IP Protocol 51 and UDP port 500



Answer: D



QUESTION NO: 5
Java inspection was properly configured with Context Based Access Control (CBAC) to allow only applets from a trusted Web server. What happens when a user attempts to download an applet from an untrusted server using FTP (assuming that FTP is allowed between the two by CBAC)?

A. CBAC requests user authentication.
B. The applet is downloaded successfully.
C. The FTP session is terminated by CBAC.
D. The packets containing the applet are dropped by CBAC.


Answer: B



QUESTION NO: 6
Which Cisco IOS feature should be used when hiding multiple hosts behind a single IP address?

A. PAT
B. ACL
C. DHCP
D. CBAC



Answer: A



QUESTION NO: 7
Which encryption algorithms are supported by the Cisco Secure VPN Client?

A. Null, CAST-128 and DES
B. DES, Triple-DES and Null
C. DES, CAST-128 and Blowfish
D. DES, Blowfish and Diffie-Hellman


Answer: B



QUESTION NO: 8
Given the following output:
Crypto Map: "s1first" idb: Serial0 local address: 172.16.254.201
Crypto Map "s1first" 20 ipsec-isakmp
        Peer = 172.16.254.212
        Extended IP access list 101
            access-list 101 permit ip
                source: addr = 172.16.152.0/0.0.0.255
                dest: addr 0.0.0.0/255.255.255.255
        Current peer: 172.16.254.212
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets=(secure1, )

Which command was used to generate this display?

A. show crypto ip map
B. show crypto ipsec sa
C. show crypto map
D. show crypto ipsec transform set


Answer: C



QUESTION NO: 9
The PIX firewall operates with three rules that govern how to use the security level field. What are these three rules? (Choose three)

A. Security level 0 is the least secure.
B. Security level 100 is the most secure.
C. The lowest security level is for the inside interface.
D. The highest security level is for the outside interface.
E. Conduit and static commands are required to enable traffic that originates from outside and has an inside destination.



Answer: A, B, E



QUESTION NO: 10
Which statement about the PIX password recovery procedure is true?

A. The password recovery of the PIX 515 requires an FTP server.
B. The PIX firewall needs to be reloaded during password recovery.
C. Password recovery can only be done on a PIX firewall with a floppy drive.
D. The config-register has to be set to 0x2142 before password recovery.


Answer: C



QUESTION NO: 11
Which three statements apply to AAA on a PIX firewall? (Choose three)

A. Only inbound connections can be authenticated by AAA.
B. FTP, HTTP and Telnet can be authenticated using AAA.

C. The PIX can authenticate Enable mode access using AAA.
D. The PIX can authenticate serial console access using AAA.


Answer: A, B, C



QUESTION NO: 12
Exhibit:


Which PIX command statically translates the IP address of the Mail server to 182.16.1.4?

A. static(dmz, outside) 172.16.2.4 182.16.1.4
B. static(outside,dmz ) 182.16.1.4 172.16.2.4
C. static(dmz, outside) 182.16.1.4 172.16.2.4
D. static(inside, outside) 182.16.1.4 172.16.2.4


Answer: B




QUESTION NO: 13
Which statement best describes the Encapsulation Security Payload (ESP) header?

A. It is inserted before an encapsulated IP header in Tunnel mode.
B. It is inserted before an encapsulated IP header in Transparent mode.
C. It is inserted after the IP header and before the upper layer protocol header in Tunnel mode.
D. It is inserted after the IP header and after the upper layer protocol header in Transport mode.


Answer: A



QUESTION NO: 14
Which two protocols are known to pose security threats? (Choose two)

A. SNMP
B. NNTP
C. SMTP
D. CHAP
E. Frame Relay


Answer: A, C




QUESTION NO: 15
If a Security Association (SA) was previously established with Internet Key Exchange (IKE), what will the following command do on the router?

A. It clears the SA symmetric key.
B. It clears the SA authentication key.
C. It deletes SA from the SA database.
D. It re-initializes every peer’s secret key.


Answer: C



QUESTION NO: 16
After the installation of Cisco Secure VPN Client is complete, you need either __________ for authentication.

A. A user ID or a password.
B. An error-correcting code (ECC) key or a pre-shared key.
C. An ECC key or a digital certificate.
D. A pre-shared key or a digital certificate.



Answer: A



QUESTION NO: 17
Which two statements are true? (Choose two)

A. There are few good security products.
B. A lack of a consistent security policy is a security risk.
C. Security should only be implemented on the perimeter devices.
D. Individual products must be integrated to form a complete network solution.


Answer: B, C



QUESTION NO: 18
A masquerade attack occurs when an attacker pretends to come from a trusted host by stealing its _____________

A. User group
B. IP address
C. Account ID
D. Challenge handshake authentication protocol (CHAP) password


Answer: B




QUESTION NO: 19
Which command is most useful to troubleshoot a Challenge Handshake Authentication Protocol (CHAP) authentication attempt?

A. Show user
B. Debug aaa accounting
C. Debug aaa authorization
D. Debug ppp authentication


Answer: D



QUESTION NO: 20
When the nat (inside) 0 command is configured on a PIX firewall, ________ IP addresses are translated.

A. DMZ
B. No inside
C. Only private
D. Global outside



Answer: B



QUESTION NO: 21
Which two commands prevent a chargen attack? (Choose two)

A. no ip redirects
B. no service finger
C. no chargen enable
D. no tcp-small-servers
E. no udp-small-servers


Answer: D



QUESTION NO: 22
Which three services can be authenticated using AAA on a PIX firewall? (Choose three)

A. FTP
B. POP
C. HTTP
D. SMTP
E. TFTP
F. TELNET



Answer: A, C, F



QUESTION NO: 23
Which three external databases are supported by CSNT? (Choose three)

A. NDS
B. Oracle
C. Windows NT
D. Token server


Answer: A, C, D



QUESTION NO: 24
You generate general purpose RSA keys. The router will have one _____________

A. RSA key pair
B. RSA key pair per peer
C. RSA key pair and one certificate per peer
D. RSA key pair per peer and one certificate per peer



Answer: A



QUESTION NO: 25
Which three statements about Encapsulation Security Payload are true? (Choose three)

A. It encapsulates the data.
B. It uses symmetric secret key algorithms.
C. It provides protection to the outer headers.
D. It encrypts the payload for data confidentiality.


Answer: A, B, D



QUESTION NO: 26
Exhibit:


Which command do you use to ping the NAS from the PIX firewall?


A. Ping 10.1.1.1
B. Ping –s 10.1.1.1
C. Ping –t 10.1.1.1
D. Ping inside 10.1.1.1
E. Ping outside 10.1.1.1


Answer: D



QUESTION NO: 27
Which PIX firewall command denies any internal hosts from downloading Java applets?

A. outbound 14 deny 0.0.0.0 255.255.255.255 java
apply (inside) 14 outgoing_src
B. outbound 14 deny 0.0.0.0 0.0.0.0 java
apply(inside) 14 outgoing_src
C. outbound 14 deny 0.0.0.0 0.0.0.0 java
apply (outside) 14 outgoing_dst
D. outbound 14 deny 0.0.0.0 0.0.0.0 java
apply(outside) 14 outgoing_src


Answer: A




QUESTION NO: 28
Which command allows you to view the PIX firewall software version?

A. Show os
B. Show pix
C. Show version
D. Debug version
E. Show software


Answer: C



QUESTION NO: 29
With TCP inspection, which three parameters are used by Context Based Access Control (CBAC) to permit a packet received on the external interface? (Choose three)

A. A Source IP address
B. Source port number
C. TCP sequence number
D. Destination port number
E. Destination MAC address



Answer: A, B, D



QUESTION NO: 30
Which three statements about PIX firewall multimedia support are true? (Choose three)

A. It supports multimedia with or without NAT.
B. It reserves all available UDP and TCP ports.
C. Using PAT with multimedia can create port conflict.
D. It statically opens/closes UDP ports for multimedia connections.


Answer: A, B, C



QUESTION NO: 31
Given the following configuration command:
Router(config)#aaa authorization network abc tacacs local

Assuming all interfaces are configured to use default authentication, which statement is true?

A. The NAS will use the enable password by default.
B. If the TACACS server is unreachable, the local database will be used.
C. If the TACACS server is unreachable, the NAS access will be enabled by default.
D. If the Terminal Access Controller Access Control System (TACACS) server is unreachable, no access will be permitted.


Answer: B



QUESTION NO: 32
Which authentication method is the most secure?

A. S/KEY
B. username/password
C. one-time passwords
D. token cards/soft tokens


Answer: D



QUESTION NO: 33
Given the following interface configuration:
interface serial 0
 ip address 172.16.1.1 255.255.255.0
 ip access-group 101 in

Which access list (ACL) line allows Internet Security Association and Key Management Protocol (ISAKMP) from router 172.16.1.2?

A. access-list 101 permit ahp host 172.16.1.2 host 172.16.1.1
B. access-list 101 permit isakmp host 172.16.1.2 host 172.16.1.1
C. access-list 101 permit udp host 172.16.1.2 host 172.16.1.1 eq isakmp
D. access-list 101 permit tcp host 172.16.1.2 host 172.16.1.1 eq isakmp


Answer: C



QUESTION NO: 34
Context Based Access Control (CBAC) allows replies for sessions originating from the ______ hosts.

A. WAN
B. internal
C. external
D. destination


Answer: B



QUESTION NO: 35
Which IOS feature best prevents eavesdropping?

A. IPSec
B. CBAC
C. Lock and Key
D. TCP intercepts


Answer: A



QUESTION NO: 36
What does the following command do?
crypto map map-name local-address interface-id

A. It applies a crypto map to an interface.
B. It defines a crypto map set to be used by multiple interfaces.
C. It allows the router to add a dynamic crypto map set to a static crypto map set on multiple interfaces.
D. It allows the router to have a single ID with the crypto map configured on more than one interface.


Answer: A



QUESTION NO: 37
Which four interfaces are supported by the PIX firewall? (Choose four)

A. ATM
B. FDDI
C. Serial
D. 10BaseT
E. 100BaseT
F. Token Ring


Answer: A, C, ?, ?



QUESTION NO: 38
Which PIX firewall command initiates a failover switch from the standby unit?

A. standby active
B. failover active
C. failover switch
D. no failover passive


Answer: B



QUESTION NO: 39
Which server is typically not in a DMZ?

A. FTP Server
B. DNS Server
C. Web server
D. Mail server
E. Enterprise server


Answer: E



QUESTION NO: 40
Which three tools are used to counter an unauthorized access attempt? (Choose three)

A. Encryption
B. Cisco IOS Lock and Key feature
C. Terminal Access Controller Access Control System (TACACS)
D. Challenge Handshake Authentication Protocol (CHAP) authentication


Answer: B, C, D



QUESTION NO: 41
Exhibit:


The crypto map is implemented on the serial interface of the remote router. Which access list (ACL) line configured on the remote router enables encryption of traffic from workstation B to workstation A?

A. Access-list 101 permit ip host 192.168.255.2 host 10.34.2.3
B. Access-list 101 permit ip host 192.168.255.2 host 172.34.2.1
C. Access-list 101 permit ip host 10.34.2.3 172.16.1.0 0.0.0.255
D. Access-list 101 permit ip 172.16.1.0 0.0.0.255 10.34.2.0 0.0.0.255


Answer: A




QUESTION NO: 42
The client’s public/private key pair is generated by ____________

A. The client.
B. The certificate authority (CA).
C. The peer during the security association (SA) establishment.
D. Both peers during the SA establishment.


Answer: A



QUESTION NO: 43
Which two demonstrate a security policy weakness? (Choose two)

A. ping of death
B. denial of service
C. improper change control
D. no disaster recovery plan
E. misconfigured network equipment


Answer: C, D




QUESTION NO: 44
Which command demonstrates a successful login for a specific user?

A. show all
B. show user
C. show interface
D. show aaa accounting
