640-100 (MCNS)

Managing Cisco Network Security


Version 7.0
640 - 100

Leading the way in IT testing and certification tools, www.testking.com


Important Note, Please Read Carefully

Study Tips
This product will provide you questions and answers along with detailed explanations
carefully compiled and written by our experts. Try to understand the concepts behind the
questions instead of cramming the questions. Go through the entire document at least twice so
that you make sure that you are not missing anything.

Further Material
For this test TestKing also provides:
* Interactive Test Engine Examinator. Check out an Examinator Demo at
/>


Latest Version
We are constantly reviewing our products. New material is added and old material is revised.
Free updates are available for 90 days after the purchase. You should check your member
zone at TestKing for an update 3-4 days before the scheduled exam date.

Here is the procedure to get the latest version:

1. Go to www.testking.com

2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click
the links.

For most updates, it is enough just to print the new questions at the end of the new version,
not the whole document.

Feedback
Feedback on specific questions should be sent to You should state:
Exam number and version, question number, and login ID.

Our experts will answer your mail promptly.

Explanations
Currently this product does not include explanations. If you are interested in providing
TestKing with explanations contact
. Include the following
information: exam, your background regarding this exam in particular, and what you consider
a reasonable compensation for the work.


Copyright
Each pdf file contains a unique serial number associated with your particular name and
contact information for security purposes. So if we find out that a particular pdf file is being
distributed by you, TestKing reserves the right to take legal action against you according to
the International Copyright Laws.

Section A contains 82 questions.
Section B contains 113 questions.
The total number of questions is 195.


Section A

QUESTION NO: 1
Which of the following is the correct command to create a dynamic crypto map entry?

A. router(config-if)#crypto dynamic map mydyn 15
B. router(config)#crypto dynamic-map mydyn 15
C. router(config)#crypto map dynamic mydyn 15
D. router(config)#crypto dynamic-map mydyn 15 enable

Answer: B
Explanation:
To create a dynamic crypto map entry and enter the crypto map configuration command
mode, use the crypto dynamic-map command in global configuration mode.

Reference:
/>m#1069489


QUESTION NO: 2
What is the maximum number of “transforms” in the command:
router(config)#crypto ipsec transform-set Tsname transform1

A. 4
B. 3
C. 2
D. Unlimited


Answer: B
Explanation:
Up to three transforms can be in a set. Sets are limited to up to one AH and one or two ESP
transforms.

Reference:
Cisco Secure PIX Firewalls (Ciscopress) Page 212


QUESTION NO: 3
Which of the following statements are true? (Choose all that apply)

A. A message encrypted using Bob’s public key can only be decrypted using Alice’s
public key.

B. A message encrypted using Bob’s public key can only be decrypted by using Bob’s
private key.
C. A message encrypted using Bob’s private key can only be decrypted using Alice’s
private key.
D. A message encrypted using Bob’s private key can only be decrypted by using Bob’s
public key.


Answer: B, D
Explanation:
Public and private keys are the ciphers used to encrypt and decrypt information. While the
public key is shared quite freely, the private key is never given out. Each public-private key
pair works together: data encrypted with the public key can only be decrypted with the private
key.

Reference: CiscoWorks Common Services Software - Understanding
CiscoWorks Security
/>86a008017b74d.html


QUESTION NO: 4
What type of Access List are we talking about when we say:
It creates temporary openings in access lists at firewall interfaces. These openings occur
when specified traffic exits the internal network through the firewall. It allows the traffic
back through the firewall only if it is part of the same session as the original traffic that
triggered it when exiting the firewall.

A. Dynamic (Lock & Key)
B. CBAC
C. Reflexive Access List
D. Time-of-Day Access List


Answer: B
Explanation:
Context-based Access Control (CBAC) examines not only network layer and transport layer
information, but also examines the application-layer protocol information (such as FTP
information) to learn about the state of TCP and UDP connections. CBAC maintains
connection state information for individual connections. This state information is used to
make intelligent decisions about whether packets should be permitted or denied, and
dynamically creates and deletes temporary openings in the firewall.

Reference:
/>pter09186a00800d9815.html



QUESTION NO: 5

What is the purpose of the following commands:
Router(config)#line con 0
Router(config-line)#login authentication no_tacacs

A. Specifies that for authentication, any other method except tacacs, is permitted (Radius
for example).
B. Specifies that the AAA authentication is not necessary when using console.
C. Specifies that the AAA authentication list called no tacacs is to be used on the console.
D. Specifies that tacacs+ has been configured with no shared key, so no authentication is
necessary.


Answer: C
Explanation:
To enable authentication, authorization, and accounting (AAA) authentication for logins, use
the login authentication command in line configuration mode.

Reference:
/>m#1072266


QUESTION NO: 6
In a masquerade attack, what does an attacker steal when pretending to come from a
trusted host?

A. Account identification
B. User group
C. IP address
D. CHAP password



Answer: C
Explanation:
IP spoofing: An IP spoofing attack occurs when an attacker outside your network pretends
to be a trusted user, either by using an IP address that is within the range of IP addresses for
your network or by using an authorized external IP address that you trust and to which you
wish to provide access to specified resources on your network. Should an attacker get access
to your IPSec security parameters, that attacker can masquerade as the remote user authorized
to connect to the corporate network.

Reference:
/>007fee4.html


QUESTION NO: 7
What three typical security weaknesses exist in any implementation? (Choose three)

A. Policy weakness
B. Technology weakness
C. Hardware weakness
D. Encryption weakness
E. Configuration weakness
F. UDP protocol weakness



Answer: A, B, E
Explanation:
There are at least three primary sources of network security weakness:
• Technology weaknesses – Each network and computing technology has inherent
security problems.
• Configuration weaknesses – Even the most secure technology can be misconfigured
or misused, exposing security problems.
• Policy weaknesses – A poorly defined or improperly implemented and managed
security policy can make the best security and network technology ripe for security
abuse.
Reference: Managing Cisco Network Security (Ciscopress) page 6


QUESTION NO: 8
Select the three RADIUS servers supported by the Cisco IOS Firewall authentication
proxy. (Choose three)

A. Cisco Secure ACS for Windows NT/2000.
B. Oracle
C. DB2
D. Cisco Secure ACS for UNIX.
E. TACACS+
F. Lucent


Answer: A, D, F
Explanation:
The supported AAA servers are CiscoSecure ACS 2.3 for Windows NT, CiscoSecure ACS
2.3 for UNIX, TACACS+ server (vF4.02.alpha), Ascend RADIUS server radius-980618
(requires the avpair patch), and Livingston (now Lucent) RADIUS server (v1.16).
Reference:
/>186a00800a17ec.html



QUESTION NO: 9
Given the following configuration statement, which three statements are true? (Choose
three)
Router(config)#aaa accounting network wait-start radius

A. The accounting records are stored on a TACACS+ server.
B. Stop-accounting records for network service requests are sent to the TACACS+ server.
C. The accounting records are stored on a RADIUS server.
D. Start-accounting records for network service requests are sent to the local database.
E. Stop-accounting records for network service requests are sent to the RADIUS server.
F. The requested service cannot start until the acknowledgement has been received from
the RADIUS server.


Answer: C, E, F
Explanation:
Router(config)#aaa accounting network wait-start radius

aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} tacacs+

• Use the aaa accounting command to enable accounting and to create named method
lists that define specific accounting methods on a per-line or per-interface basis.
• network – Enables accounting for all network-related requests, including SLIP,
PPP, PPP network control protocols, and ARAP.
• wait-start – This keyword causes both a start and stop accounting record to be sent
to the accounting server. However, the requested user service does not begin until
the start accounting record is acknowledged. A stop accounting record is also sent.

Reference:
/>6a00800eb6e4.html


QUESTION NO: 10
Which three external databases are supported by Cisco Secure ACS for Windows?
(Choose three)

A. Netware NDS
B. Oracle
C. Windows-NT/2000
D. Token Server
E. SQL-Linux
F. AAA


Answer: A, C, D
Explanation:
You can select the CiscoSecure user database or configure an external user database such as
Windows NT/2000, Open Database Connectivity (ODBC), generic Lightweight Directory
Access Protocol (LDAP), Microsoft Commercial Internet System (MCIS), Novell NetWare
Directory Services (NDS), or a token-card database to authenticate usernames and
passwords according to your network requirements. This chapter discusses the advantages and
limitations of each option.

Reference:
/>6a008007e6bb.html


QUESTION NO: 11
Given the following configuration statement, which two statements are true? (Choose
two)
router(config)#aaa authentication login default tacacs+ none

A. No authentication is required to login.
B. TACACS is the default login method for all authentication.
C. If TACACS process is unavailable, no access is permitted.
D. RADIUS is the default login method for all authentication.
E. If the TACACS process is unavailable, no login is required.
F. If the RADIUS process is unavailable, no login is required.


Answer: B, E

Explanation:
The methods in the list are tried in order: use TACACS+ authentication first; if the TACACS+
server is not available, fall back to the next method in the list.
none – no authentication is performed.

Reference:
/>6a008015c5c3.html



QUESTION NO: 12
How many kilobytes of memory are consumed by each alarm stored in a router queue?

A. 5
B. 10
C. 16
D. 32
E. 64


Answer: D
Explanation:
With the buffersize kilobytes option, the size of the buffer used for crashinfo files can be
changed. The default size is 32 KB (maximum is 100 KB, configured using exception
crashinfo buffer 100).
Reference:
/>29.shtml



QUESTION NO: 13
Choose the three actions that the IOS Firewall IDS router may perform when a packet,
or a number of packets in a session, match a signature. (Choose three)

A. Forward packet to the Cisco IDS Host Sensor for further analysis.
B. Send alarm to the Cisco IDS Director of Syslog server.
C. Send an alarm to Cisco Secure ACS.
D. Set the packet reset flag and forward the packet through.
E. Drop the packet immediately.
F. Return the packet to the sender.


Answer: B, D, E
Explanation:
The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets
and sessions as they flow through the router, scanning each to match any of the IDS
signatures. When it detects suspicious activity, it responds before network security can be
compromised and logs the event through Cisco IOS syslog or the Cisco Secure Intrusion
Detection System (Cisco Secure IDS, formerly known as NetRanger) Post Office Protocol.
The network administrator can configure the IDS system to choose the appropriate response
to various threats. When packets in a session match a signature, the IDS system can be
configured to take these actions:
• Send an alarm to a syslog server or a Cisco Secure IDS Director (centralized
management interface)
• Drop the packet
• Reset the TCP connection

Reference:
/>pter09186a00800d9819.html


QUESTION NO: 14
Exhibit:


In order to prevent external (internet) users from pinging the PIX, which access list
(ACL) statement should be configured on the external interface of the perimeter router?

A. Access-list 102 deny tcp any 182.16.1.1 0.0.0.0
B. Access-list 102 deny icmp any 182.16.1.1 0.0.0.0 echo
C. Access-list 102 permit tcp any 182.16.1.1 0.0.0.0 echo
D. Access-list 102 deny icmp any 182.16.1.1 0.0.0.0 echo-
reply


Answer: D
Explanation:
Echo-reply added to the end of the command implies no ping responses to the PIX.

Reference: Managing Cisco Network Security (Ciscopress) page 728



QUESTION NO: 15
Which protocol is used by Cisco IOS Cryptosystem to securely exchange encryption keys
for IPSec?

A. DH
B. DES
C. Digital Signature Standard
D. ESP


Answer: A
Explanation:
Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a
shared secret over an unsecure communications channel. IKE uses Diffie-Hellman to establish
session keys. VPN Solutions Center supports four Diffie-Hellman groups:
• Group 1—a MODP group with a 768-bit modulus.
• Group 2—a MODP group with a 1024-bit modulus.
• Group 5—Specifies the 1536-bit Diffie-Hellman group. Group 5 works like Groups
1 and 2, but it provides a higher level of security and requires more processing time
than Groups 1 and 2. Cisco IOS supports Diffie-Hellman Group 5.
• Group 7—Uses a combination of Diffie-Hellman and a 163-bit Elliptic Curve
Cryptosystem (ECC) algorithm. ECC provides superior encryption, and it is quickly
generated on a hand-held device. VPN 3000 devices support Diffie-Hellman Group 7.
Reference:
/>86a00800876f5.html
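As an added illustration (not part of the TestKing material or of any Cisco code), the exchange the explanation describes, written out in Python so both sides' messages are visible. The modulus is a constructed toy parameter (the 127-bit Mersenne prime 2**127 - 1) and the generator 3 is likewise an arbitrary choice; the real IKE groups use the 768-, 1024- and 1536-bit MODP primes from RFC 2409 and RFC 3526 with g = 2, which are not reproduced here. Deriving the session key with a plain SHA-256 over the shared secret is also a simplification of the IKE SKEYID derivation, which mixes in nonces through a PRF.

```python
# Added example (not from the TestKing document): a Diffie-Hellman exchange
# with toy parameters.  P and G are constructed for illustration; the real
# IKE groups use the RFC 2409 / RFC 3526 MODP primes with g = 2.
import secrets
from hashlib import sha256

P = 2**127 - 1      # toy prime modulus (real groups: 768-, 1024-, 1536-bit MODP)
G = 3               # toy generator


class Peer:
    """One IKE endpoint's half of the exchange."""

    def __init__(self, name, p=P, g=G):
        self.name, self.p, self.g = name, p, g
        self.private = secrets.randbelow(p - 2) + 2    # x: never leaves this peer
        self.public = pow(g, self.private, p)          # g^x mod p: sent in the clear

    def shared_secret(self, peer_public):
        # Reject degenerate public values (0, 1, p-1) before using them: a peer
        # that sends them forces the shared secret into a handful of values.
        if peer_public in (0, 1, self.p - 1) or not 0 < peer_public < self.p:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, self.p)  # (g^y)^x = g^(xy) mod p

    def session_key(self, peer_public):
        secret = self.shared_secret(peer_public)
        # Stand-in for the IKE PRF-based SKEYID derivation (assumption for this demo).
        width = self.p.bit_length() // 8 + 1
        return sha256(secret.to_bytes(width, "big")).digest()


def run_exchange():
    """Simulate both sides; only the two public values cross the wire."""
    alice, bob = Peer("alice"), Peer("bob")
    wire = {"alice_to_bob": alice.public, "bob_to_alice": bob.public}
    k_alice = alice.session_key(wire["bob_to_alice"])
    k_bob = bob.session_key(wire["alice_to_bob"])
    return k_alice, k_bob, wire


if __name__ == "__main__":
    ka, kb, wire = run_exchange()
    print("public values on the wire:", wire)
    print("both sides derived the same key:", ka == kb)
```

An observer of `wire` sees only g^x and g^y; recovering g^(xy) from them is the discrete-logarithm problem whose hardness grows with the modulus size, which is why Group 5 costs more CPU than Groups 1 and 2 but is preferred.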


QUESTION NO: 16
Exhibit:


Which ACL statement protects against address spoofing when applied inbound on the
external interface of the perimeter router?

A. access-list 101 deny IP 182.16.1.0 255.255.255.0 0.0.0.0 255.255.255.255
B. access-list 101 permit IP 182.16.1.0 255.255.0.0 0.0.0.0 255.255.255.255
C. access-list 101 deny IP 182.16.1.0 0.0.0.255 0.0.0.0 255.255.255.255
D. access-list 101 deny UDP 182.16.1.0 255.255.0.0 0.0.0.0 255.255.255.255


Answer: C
Explanation:
access-list 101 deny IP 182.16.1.0 0.0.0.255 0.0.0.0 255.255.255.255

The access-list command denies IP traffic whose source is in 182.16.1.0 0.0.0.255 (the
internal range, which cannot legitimately arrive inbound on the external interface) bound for
any destination (0.0.0.0 255.255.255.255).


Reference: Managing Cisco Network Security (Ciscopress) page Appendix C
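As an added illustration (not part of the TestKing material or of Cisco IOS), a small evaluator for IOS-style numbered extended ACL entries, written for this page to show what the wildcard mask in the Q16 entry actually matches. It parses the answer lines of Q14 and Q16 plus a constructed final `permit ip any any`, applies Cisco wildcard semantics (a 0 bit must match, a 1 bit is ignored, so a /24 is written 0.0.0.255, the inverse of the subnet mask), and classifies constructed packets arriving inbound on the external interface. The packet addresses and the final permit line are assumptions for the illustration; the parser understands only the keyword forms used here.

```python
# Added example (not from the TestKing document): minimal IOS-style extended
# ACL evaluator.  ACL text, packets and the closing permit are constructed.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the "any" keyword expands to this pair


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bit = must match, 1 bit = don't care.
    This is the inverse of a subnet mask: /24 is 0.0.0.255, not 255.255.255.0."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_ace(line):
    """access-list <n> <permit|deny> <proto> <src> <src-wc> <dst> <dst-wc> [icmp-type]"""
    tok = line.split()
    if len(tok) < 4 or tok[0].lower() != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    ace = {"list": tok[1], "action": tok[2].lower(), "proto": tok[3].lower()}
    i = 4
    for side in ("src", "dst"):
        if tok[i].lower() == "any":
            ace[side], ace[side + "_wc"] = ANY
            i += 1
        else:
            ace[side], ace[side + "_wc"] = tok[i], tok[i + 1]
            i += 2
    ace["qualifier"] = tok[i].lower() if i < len(tok) else None   # e.g. echo-reply
    return ace


def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], ace["src"], ace["src_wc"]):
            continue
        if not wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"]):
            continue
        if ace["qualifier"] and ace["qualifier"] != pkt.get("icmp_type"):
            continue
        return ace["action"]
    return "deny"


# Constructed ACL for the perimeter router's external interface, applied inbound.
# Lines 1-2 are the answers given for Q16 and Q14; line 3 is added only so the
# permitted cases are visible (a real perimeter ACL would be far more restrictive).
ACL_TEXT = """
access-list 101 deny ip 182.16.1.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 101 deny icmp any 182.16.1.1 0.0.0.0 echo-reply
access-list 101 permit ip any any
"""
ACL = [parse_ace(line) for line in ACL_TEXT.strip().splitlines()]

# Constructed packets as seen arriving from the Internet side.
PACKETS = {
    "spoofed_internal_source": {"src": "182.16.1.25", "dst": "182.16.1.1", "proto": "tcp"},
    "external_web_client": {"src": "203.0.113.9", "dst": "182.16.1.1", "proto": "tcp"},
    "echo_reply_to_pix": {"src": "203.0.113.9", "dst": "182.16.1.1",
                          "proto": "icmp", "icmp_type": "echo-reply"},
}


def classify_all(acl=ACL, packets=PACKETS):
    """Return {packet name: 'permit' | 'deny'} for the constructed traffic."""
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:25s} -> {verdict}")
```

Running `wildcard_match("182.16.1.25", "182.16.1.0", "255.255.255.0")` returns False: with that mask only the last octet is compared, so option A's entry would not catch a spoofed 182.16.1.x source at all, while `0.0.0.255` compares exactly the three network octets.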


QUESTION NO: 17
Which two commands prevent a Chargen attack? (Choose two)

A. no ip redirects
B. no service
tcp-small-servers
C. no ip-source route
D. no chargen enable
E. no service
udp-small-servers
F. no service finger


Answer: B, E
Explanation:
By default, the Cisco router has a series of diagnostic ports enabled for certain UDP and TCP
services including echo, chargen, and discard. When a host attaches to those ports, a small
amount of CPU capacity is consumed to service these requests.

Any network device that has UDP and TCP diagnostic services should be protected by a
firewall or have the services disabled. For a Cisco router, this can be accomplished by using
these global configuration commands:
no service udp-small-servers
no service tcp-small-servers

Reference:
/>690e.shtml


QUESTION NO: 18
Which three tasks are needed to configure IPSec encryption? (Choose three)

A. Configure IPSec.
B. Configure transform sets.
C. Configure the encryption algorithm.
D. Test and verify IPSec.
E. Prepare for IKE and IPSec.
F. Create crypto ACLs.


Answer: A, D, E
Explanation:
Four key tasks are involved in configuring IPSec encryption using preshared keys on the PIX
Firewall:
• Task 1: Prepare for IPSec
• Task 2: Configure IKE for preshared keys
• Task 3: Configure IPSec
• Task 4: Test and verify the overall IPSec configuration.
Reference: Managing Cisco Network Security (Ciscopress) page 612



QUESTION NO: 19
In preparing for IPSec, which command ensures that basic connectivity has been
achieved between IPSec peers before configuring IPSec?

A. ping
B. write term
C. show crypto map
D. show access-list


Answer: A
Explanation:
Task 1: Prepare for IPSec
Step 4 of 4. Ensure that the network works without encryption to eliminate basic routing
problems using the ping command and by running test traffic before encryption.

Reference: Managing Cisco Network Security (Ciscopress) page 612


QUESTION NO: 20
You should pay particular attention to detail when entering peer RSA public keys.
Why?


A. Public keys are used to create the private keys.
B. Mistakes made when entering the keys will cause them not to work.
C. Changes cannot be made after the keys are entered.
D. Changes are complex to make after the keys are entered.


Answer: B
Explanation:
The fact that the message could be decrypted using the sender's public key indicates that the
holder of the private key, the sender, must have created the message. This process relies on
the receiver having a copy of the sender's public key and knowing with a high degree of
certainty that it really does belong to the sender, and not to someone pretending to be the
sender.

Reference:
/>6a0080106f63.html
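As an added illustration (not part of the TestKing material), the key-pair behaviour behind Q3 and the reason for Q20's care when typing a peer's RSA public key, shown with textbook RSA in Python. The primes are tiny constructed toy values (61 and 53 for Bob, 101 and 113 for Alice) and the "signature" operates on a bare integer; real RSA uses 2048-bit or larger moduli and pads a hash of the message (OAEP for encryption, PSS or PKCS#1 v1.5 for signing), so this code is for understanding which key undoes which operation, not for use.

```python
# Added example (not from the TestKing document): textbook RSA with constructed
# toy primes.  NOT secure; it only shows which key undoes which operation.
from math import gcd


def keygen(p, q, e):
    """Build an RSA key pair from two (toy) primes and a public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)                     # private exponent: e*d == 1 (mod phi)
    return {"n": n, "e": e}, {"n": n, "d": d}


def encrypt(m, pub):
    """Confidentiality: anyone may encrypt with the recipient's public key."""
    return pow(m, pub["e"], pub["n"])


def decrypt(c, priv):
    """Only the matching private key recovers the plaintext."""
    return pow(c, priv["d"], priv["n"])


def sign(m, priv):
    """Authentication: transform with the private key (real schemes sign a padded hash)."""
    return pow(m, priv["d"], priv["n"])


def verify(m, sig, pub):
    """Anyone holding the signer's public key can check the signature."""
    return pow(sig, pub["e"], pub["n"]) == m


# Constructed key pairs: Bob's are the classic textbook values (n = 3233).
BOB_PUB, BOB_PRIV = keygen(61, 53, 17)
ALICE_PUB, ALICE_PRIV = keygen(101, 113, 3)   # n = 11413


def demo():
    """Exercise each Q3 statement plus a mistyped peer key; returns the outcomes."""
    m = 65                                   # toy message, must be smaller than n
    c = encrypt(m, BOB_PUB)                  # "encrypted using Bob's public key"
    sig = sign(m, BOB_PRIV)                  # "encrypted using Bob's private key"
    # Q20: one wrong digit when entering the peer's public key (e = 16 instead of 17)
    mistyped_pub = {"n": BOB_PUB["n"], "e": BOB_PUB["e"] - 1}
    return {
        "ciphertext": c,
        "bob_private_decrypts": decrypt(c, BOB_PRIV) == m,            # statement B: true
        "alice_private_decrypts": decrypt(c, ALICE_PRIV) == m,        # wrong key: false
        "bob_public_decrypts":
            decrypt(c, {"n": BOB_PUB["n"], "d": BOB_PUB["e"]}) == m,  # false
        "verifies_with_bob_public": verify(m, sig, BOB_PUB),          # statement D: true
        "verifies_with_mistyped_key": verify(m, sig, mistyped_pub),   # false
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:28s} {outcome}")
```

The last result is the practical point of Q20: a peer key that differs by a single digit is simply a different key, so every IKE authentication against it fails and nothing in the output says why. Copying the key from `show crypto key mypubkey rsa` output rather than retyping it avoids that class of failure.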



QUESTION NO: 21
Which of the following statements best describes a digital certificate:

A. A digital certificate is issued by the trusted certificate authority to the requesting peer
for authentication.

B. A digital certificate gives you the authority to telnet to a perimeter router running IPSec
and change its configuration.
C. A digital certificate allows its holder to access the campus network.
D. A digital certificate is issued by a certificate authority to authorize an electronic
transaction.

Answer: D
Explanation:
Certification authorities (CAs) are responsible for managing certificate requests and issuing
digital certificates. A digital certificate contains information that identifies a user or device,
such as a name, serial number, company, department, or IP address. A digital certificate also
contains a copy of the entity's public key. A CA can be a trusted third party, such as VeriSign,
or a private (in-house) CA that you establish within your organization.

Reference:
/>



QUESTION NO: 22
What are the three ISAKMP authentications modes? (Choose three)

A. Main
B. Aggressive
C. Quick
D. Active
E. Passive


Answer: A, B, C

Explanation:
An IKE peer is an IPsec-compliant node capable of establishing IKE channels and negotiating
SAs. IKE provides three modes for the exchange of keying information and setting up IKE
security associations: Main mode, Aggressive mode, and Quick mode.

Reference:

/>86a0080087696.html#xtocid2073219


QUESTION NO: 23
IPSec is a set of security protocols and algorithms used to secure data at the network
layer. IPSec consists of two protocols and two protection modes. Choose these two
protocols: (Choose two)

A. ESP
B. SHA1
C. AH
D. DSA
E. MD5


Answer: A, C
Explanation:

IPSec provides authentication and encryption services to protect against unauthorized viewing
or modification of data within your network or as it is transferred over an unprotected network,
such as the public Internet. IPSec is generally implemented in two types of configurations:
Two different security protocols are included within the IPSec standard:
• Encapsulating Security Payload (ESP)—Provides authentication, encryption, and anti-
replay services.
• Authentication Header (AH)—Provides authentication and anti-replay services.

Reference:
/>#1028818



QUESTION NO: 24
Given the following configuration statement:
NAS(config)# aaa accounting network wait-start radius

Which three statements are true? (Choose three)

A. Start accounting records for network service requests are sent to the local database
server.
B. The request server cannot start service until the acknowledgement is received from the
radius server.
C. The accounting records are stored on a remote access dial-in user server.
D. The request server must start service immediately.
E. Stop accounting records for network service requests are sent to radius server.


Answer: B, C, E
Explanation:

Router(config)#aaa accounting network wait-start radius

aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} tacacs+

• Use the aaa accounting command to enable accounting and to create named method
lists that define specific accounting methods on a per-line or per-interface basis.
• network – Enables accounting for all network-related requests, including SLIP,
PPP, PPP network control protocols, and ARAP.
• wait-start – This keyword causes both a start and stop accounting record to be sent
to the accounting server. However, the requested user service does not begin until
the start accounting record is acknowledged. A stop accounting record is also sent.

Reference:
/>6a00800eb6e4.html


QUESTION NO: 25
What is a configuration weakness?

A. Outdated software
B. No written security policy
C. Unsecured user accounts
D. No monitoring or auditing of the security logs.



Answer: C
Explanation:
Configuration weaknesses examples:
• Insecure default settings within products
• Misconfigured network equipment
• Insecure user accounts
• System accounts with easily guessed passwords
• Misconfigured Internet Services

Reference: Managing Cisco Network Security (Ciscopress) pages 9, 10



QUESTION NO: 26
Identify two packet mode access methods. (Choose two)

A. BRI
B. Async
C. Sync
D. Group-sync
E. Telnet
F. Tty


Answer: A, B
Explanation:
AAA technologies can also protect dialup access in the packet or interface mode via async,
group-async, Basic Rate Interface (BRI) ISDN lines, or Primary Rate Interface (PRI) ISDN
interfaces on Cisco routers.

Reference: Managing Cisco Network Security (Ciscopress) page 114


QUESTION NO: 27
Which configuration command causes a start-accounting record for a Point-to-Point
session to be sent to a TACACS+ server?

A. aaa authentication ppp start tacacs+
B. aaa authorization exec default tacacs+
C. aaa authorization network default tacacs+
D. aaa accounting network default stop-only tacacs+
E. aaa accounting network default start-stop tacacs+


Answer: E
Explanation:

aaa accounting {system | network | exec | command level} {start-stop |
wait-start | stop-only} {tacacs+ | radius}
no aaa accounting {system | network | exec | command level}

network Runs accounting for all network-related service requests, including SLIP, PPP, PPP
NCPs, and ARAP.

start-stop Sends a start accounting notice at the beginning of a process and a stop accounting
notice at the end of a process. The start accounting record is sent in the background. The
requested user process begins regardless of whether or not the start accounting notice was
received by the accounting server.

tacacs+ Enables the TACACS-style accounting.

Reference:
/>pter09186a00800d9c0e.html

QUESTION NO: 28
What does a half-open TCP session on the Cisco IOS Firewall mean?

A. Session was denied.
B. Firewall detected return traffic.
C. Session has not reached the established state.
D. Three-way handshake has been completed.


Answer: C
Explanation:
An unusually high number of half-open sessions (either absolute or measured as the arrival
rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means
that the session has not reached the established state. For UDP, "half-open" means that the
firewall has detected traffic from one direction only.

Reference:
/>pter09186a00800d9806.html
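As an added illustration (not part of the TestKing material or of Cisco IOS), a simplified model of how a stateful inspection engine such as CBAC counts half-open sessions, run over a constructed segment trace. It applies the two definitions from the explanation: a TCP session stays half-open until the third step of the handshake is seen, and a UDP session stays half-open until traffic is seen in the reverse direction. IOS exposes the corresponding thresholds as `ip inspect max-incomplete high` and `ip inspect max-incomplete low`; the threshold value, the addresses and the trace below are all made up for the demonstration.

```python
# Added example (not from the TestKing document): a toy model of CBAC
# half-open session accounting.  The trace, addresses and threshold are constructed.

HIGH_WATER = 4   # constructed stand-in for `ip inspect max-incomplete high`


def track_sessions(trace, high_water=HIGH_WATER):
    """Replay (proto, src, sport, dst, dport, flags) tuples in order.

    Returns the half-open count after each segment, the final session table
    and whether the half-open count ever reached the high-water mark."""
    state = {}          # (proto, client, cport, server, sport) -> "half-open" | "established"
    history = []
    alarmed = False
    for proto, src, sport, dst, dport, flags in trace:
        fwd = (proto, src, sport, dst, dport)      # key as the initiator sees it
        rev = (proto, dst, dport, src, sport)      # same session, reply direction
        if proto == "tcp":
            if flags == "S" and fwd not in state:
                state[fwd] = "half-open"           # SYN: handshake started
            elif flags == "SA":
                pass                               # server's SYN/ACK: still incomplete
            elif flags == "A" and state.get(fwd) == "half-open":
                state[fwd] = "established"         # third step completes the handshake
            elif flags in ("R", "F"):
                state.pop(fwd, None)               # teardown from either side
                state.pop(rev, None)
        elif proto == "udp":
            if fwd in state:
                pass                               # more traffic in the same direction
            elif rev in state:
                state[rev] = "established"         # reply seen: both directions observed
            else:
                state[fwd] = "half-open"           # one direction only so far
        half_open = sum(1 for s in state.values() if s == "half-open")
        history.append(half_open)
        if half_open >= high_water:
            alarmed = True                         # where IOS would start aggressive timeouts
    return history, state, alarmed


# Constructed trace: one completed web connection, one DNS query/reply,
# one unanswered UDP datagram, then a burst of SYNs that never complete.
TRACE = [
    ("tcp", "198.51.100.7", 40001, "182.16.1.10", 80, "S"),
    ("tcp", "182.16.1.10", 80, "198.51.100.7", 40001, "SA"),
    ("tcp", "198.51.100.7", 40001, "182.16.1.10", 80, "A"),
    ("udp", "198.51.100.7", 53001, "182.16.1.53", 53, ""),
    ("udp", "182.16.1.53", 53, "198.51.100.7", 53001, ""),
    ("udp", "203.0.113.4", 5000, "182.16.1.53", 53, ""),
    ("tcp", "203.0.113.11", 1025, "182.16.1.10", 80, "S"),
    ("tcp", "203.0.113.12", 1026, "182.16.1.10", 80, "S"),
    ("tcp", "203.0.113.13", 1027, "182.16.1.10", 80, "S"),
    ("tcp", "203.0.113.14", 1028, "182.16.1.10", 80, "S"),
]


def established_count(state):
    return sum(1 for s in state.values() if s == "established")


if __name__ == "__main__":
    history, state, alarmed = track_sessions(TRACE)
    print("half-open after each segment:", history)
    print("established sessions:", established_count(state))
    print("high-water mark reached:", alarmed)
```

The count drops back to zero as soon as a handshake completes or a UDP reply arrives, which is why a steadily climbing half-open count (rather than a momentary spike) is the signal the explanation associates with a denial-of-service attempt.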


QUESTION NO: 29
What kind of signature triggers on a single packet?

A. Regenerative
B. Cyclic
C. Atomic
D. Dynamic
E. Compound


Answer: C
Explanation:
Signature Structure—Defines how many packets it takes for the Sensor to positively identify
an alarm condition on the network. There are two types:
• Atomic signature—Requires only one packet to be inspected to identify an alarm
condition.
• Composite signature—Requires multiple packets to be inspected to identify an alarm
condition.

Reference:
/>pter09186a008007eafe.html



QUESTION NO: 30
Select the three types of IPSec encryption algorithms supported by Cisco Easy VPN.
(Choose three)

A. DES
B. ESP
C. IPCOMP-LZS
D. HMAC-MD5
E. 3DES
F. NULL


Answer: A, E, F
Explanation:
Encryption Algorithms (IPSec)
• DES
• 3DES
• NULL

Reference:
/>0087d1e.html



QUESTION NO: 31
Select the three operating systems supported by the Cisco VPN Software Client 3.x.
(Choose three)

A. HP-UX
B. IBM-AIX
C. Microsoft Windows
D. Linux (Intel)
E. Palm-OS
F. Apple MAC OS


Answer: C, D, F
Explanation:
Works with any operating system, such as Windows, MAC, Linux, Solaris, and more.
Reference:
/>89cf.html


QUESTION NO: 32
In a rerouting attack, which router table is modified or prevented from updating?

A. ARP
B. Address
C. Routing
D. Bridge


Answer: C
Explanation:

Route filters can be set up on any interface to prevent learning or propagating routing
information inappropriately. Some routing protocols (such as EIGRP) allow you to insert a
filter on the routes being advertised so that certain routes are not advertised in some parts of
the network.

Reference: Managing Cisco Network Security (Ciscopress) page 233


QUESTION NO: 33
Which command prevents the perimeter router from divulging topology information by
telling external hosts which subnets are not configured?

A. no source-route
B. no ip unreachables
C. no ip route-cache
D. no service udp-small-servers


Answer: B
Explanation:
To enable the generation of Internet Control Message Protocol (ICMP) unreachable messages,
use the ip unreachables command in interface configuration mode. To disable this function,
use the no form of this command.


Reference:
/>m#1082329


QUESTION NO: 34
Which error message indicates that ISAKMP peers failed protection suite negotiation
for ISAKMP?

A. %CRYPTO-6-IKMP_SA_AUTH: Can accept Quick Mode exchange from % 15i if
SA is authenticated!
B. %CRYPTO-6-IKMP_SA_OFFERED: Remote peer % 15i responded with attribute
[chars] offered and changed.
C. %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer % 15i responded with
attribute [chars] not offered or changed.
D. %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from
% 15i if SA is not authenticated.


Answer: C
Explanation:
Error Message: %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from [chars] if
SA is not authenticated!
Explanation: The IKE security association with the remote peer was not authenticated, yet
the peer attempted to begin a Quick Mode exchange. This exchange must only be done with
an authenticated security association.

Reference:
/>9186a0080087bdf.html



QUESTION NO: 35
Which two statements about the creation of a security policy are true? (Choose two)

A. It helps Chief Information Officers determine the return on investment of network
security.
B. It provides a process to audit existing network security.
C. It defines how to track down and prosecute policy offenders.
D. It defines which behavior is and is not allowed.
E. It helps determine which vendor security equipment or software is better than others.
F. It clears the general security framework so you can implement network security.


Answer: B, D
Explanation:
Reasons to create a network security policy:
• Provides a process to audit existing network security
• Provides a general security framework for implementing network security
• Defines which behavior is and is not allowed
• Often helps determine which tools and procedures are needed for the organization
• Helps communicate consensus among a group of key decision-makers and defines
responsibilities of users and administrators
• Defines a process for handling network security incidents
• Enables global security implementation and enforcement

• Creates a basis for legal action if necessary

Reference: Managing Cisco Network Security (Ciscopress) page 43


QUESTION NO: 36
In Cisco’s terminology, what is the definition of Perimeter Security Solution?

A. A Perimeter Security Solution is the deployment of networking technology to secure
the internal hosts from the outside intruders.
B. A Perimeter Security Solution is the deployment of networking technology to secure
the Perimeter router from the possible intruders.
C. A Perimeter Security Solution is the deployment of networking technology to secure
the edges of the network from possible intruders.
D. A Perimeter Security Solution is the deployment of networking technology to secure
The Firewall from the possible intruders.


Answer: C
Explanation:
Perimeter security is the intelligent selection and deployment of networking technologies to
secure the edge of a network from intruders. Perimeter security typically is used to secure the
internet connection to the corporate network, although the same technologies and techniques
can be used to secure one part of a network from another.

Reference: Managing Cisco Network Security (Ciscopress) page 223


QUESTION NO: 37
The strength of the RSA encryption algorithm stems from:


A. Keeping details of the algorithms secret.
B. The processing power needed based on the formula e=mc**2.
C. The difficulty of factoring very large prime numbers.
D. Keeping the shared decryption key secret.


Answer: D
Explanation:
RSA-encrypted nonces – Public key cryptography requires that each party generate a
pseudorandom number (a nonce) and encrypt it in the other party’s RSA public key.
Authentication occurs when each party decrypts the other party’s nonce with a local private
key and then uses the decrypted nonce to compute a keyed hash.

Reference: Managing Cisco Network Security (Ciscopress) page 539



QUESTION NO: 38
What are the minimum hardware requirements of the server running Cisco Secure ACS
3.0 for Windows 2000/NT? (Choose two)

A. Pentium III processor, 550 MHz or faster.
B. 256 MB of RAM and 320 MB of HD.
C. Pentium U processor, 400 MHz or faster.
D. 256 MB of RAM and 250 MB of HD.
E. 32-bit Sound Card and a Joystick.


Answer: A, D
Explanation:
Your Cisco Secure ACS server must meet the following minimum hardware requirements:
• Pentium III processor, 550 MHz or faster
• 256 MB of RAM
• At least 250 MB of free disk space. If you are running your database on the same
machine, more disk space is required.
• Minimum graphics resolution of 256 colors at 800 x 600 lines

Reference:
/>6a008007deb4.html


QUESTION NO: 39
Which three tools counter an unauthorized access attempt? (Choose three)

A. Encryption
B. Cisco IOS Lock and Key feature
C. Password decryption
D. TACACS
E. IKE
F. CHAP authentication


Answer: B, D, F
Explanation:
To prevent unauthorized access through a networking device into a network, you should
configure one or more of these security features:
• Traffic Filtering
Cisco uses access lists to filter traffic at networking devices. Basic access lists allow only
specified traffic through the device; other traffic is simply dropped. You can specify
individual hosts or subnets that should be allowed into the network, and you can specify
what type of traffic should be allowed into the network. Basic access lists generally filter
traffic based on source and destination addresses, and protocol type of each packet.
Advanced traffic filtering is also available, providing additional filtering capabilities; for
example, the Lock-and-Key Security feature requires each user to be authenticated via a
username/password before that user's traffic is allowed onto the network.
All the Cisco IOS traffic filtering capabilities are described in the chapters in the "Traffic
Filtering and Firewalls" part of this document.
• Authentication
You can require users to be authenticated before they gain access into a network. When
users attempt to access a service or host (such as a web site or file server) within the
protected network, they must first enter certain data such as a username and password, and
possibly additional information such as their date of birth or mother's maiden name. After
successful authentication (depending on the method of authentication), users will be
assigned specific privileges, allowing them to access specific network assets. In most
cases, this type of authentication would be facilitated by using CHAP or PAP over a serial
PPP connection in conjunction with a specific security protocol, such as TACACS+ or
RADIUS.


Reference:
/>pter09186a00800a17ef.html


QUESTION NO: 40
If no valid authentication entry exists in the authentication proxy, how does the proxy
respond to the HTTP connection request?

A. Prompting the user for a username.
B. Prompting the user for a password.
C. Prompting the user for a username and password.
D. Sending an alert to the Cisco Secure ACS server.


Answer: C
Explanation:
How the Authentication Proxy Works
When a user initiates an HTTP session through the firewall, the authentication proxy is
triggered. The authentication proxy first checks to see if the user has been authenticated. If a
valid authentication entry exists for the user, the connection is completed with no further
intervention by the authentication proxy. If no entry exists, the authentication proxy responds
to the HTTP connection request by prompting the user for a username and password.


Reference:
/>pter09186a00800d981d.html


QUESTION NO: 41
Which module is audited first when packets enter an IOS Firewall IDS and match a
specific audit rule?

A. TCP
B. ICMP
C. IP
D. Application level
E. UDP


Answer: C
Explanation:
5. Packets going through the interface that match the audit rule are audited by a series of
modules, starting with IP; then either ICMP, TCP, or UDP (as appropriate); and finally, the
Application level.
Reference:
/>186a00800881c0.html


QUESTION NO: 42
When used with the IOS Firewall, what does CBAC use inspection rules to configure
on a per-application protocol basis?

A. Alerts and audit trails
B. ODBC filtering
C. Tunnel, transport modes, or both
D. Stateful failover


Answer: A
Explanation:
CBAC also generates real-time alerts and audit trails. Enhanced audit trail features use
SYSLOG to track all network transactions. Real-time alerts send SYSLOG error messages to
central management consoles upon detecting suspicious activity. Using CBAC inspection
rules, you can configure alerts and audit trail information on a per-application protocol basis.

Reference:
/>pter09186a00800ca7c1.html


QUESTION NO: 43
L2TP is 100% backwards-compatible with what tunneling protocol?

A. PPTP
B. GRE
C. IPSec
D. L2F



Answer: D
Explanation:
L2TP/IPSec - Commonly called L2TP over IPSec, this provides the security of the IPSec
protocol over the tunneling of Layer 2 Tunneling Protocol (L2TP). L2TP is the product of a
partnership between the members of the PPTP forum, Cisco, and the Internet Engineering
Task Force (IETF). Primarily used for remote-access VPNs with Windows 2000 operating
systems, since Windows 2000 provides a native IPSec and L2TP client. Internet Service
Providers can also provide L2TP connections for dial-in users, and then encrypt that traffic
with IPSec between their access-point and the remote office network server.
Reference:
/>ml



QUESTION NO: 44
At which OSI layer does IPSec provide security services?

A. session
B. network
C. transport
D. presentation


Answer: B
Explanation:
IPSec uses a type of encryption known as packet encryption. It is referred to as packet
encryption because it takes place at the network layer, or layer 3 in the OSI reference model.
Because this encryption takes place above the data link layer (layer 2), communication takes
place in the form of distinct packets or datagrams, depending on which protocol controls the
session (TCP or UDP). Packet encryption is often called end-to-end encryption because the
encryption process takes place only at the source and destination endpoints.

Reference:
/>6a00800e9586.html


QUESTION NO: 45
You are creating more than one crypto map for a given interface using the sequence
number of each map entry to rank the map entries.
