
江浙沪招生考试网


Cisco Certification: Cisco 642-552 Question Bank

Date: 2015/9/2 16:43:13  Source: original content of this site

  1. Referring to the Cisco SDM Security Audit Wizard screen shown, what will happen if you check the Fix it box for Firewall is not enabled in all the outside interfaces and then click the Next button?

  A. All outside access through the outside interfaces will immediately be blocked by an ACL.

  B. SDM will prompt you to configure an ACL to block access through the outside interfaces.

  C. SDM will take you to the Advanced Firewall Wizard.

  D. SDM will perform a one-step lockdown to lock down the outside interfaces.

  E. SDM will take you to the Edit Firewall Policy/ACL screen where you can configure an ACL to block access through the outside interfaces.

  Answer: C

  2. Which of these two ways does Cisco recommend that you use to mitigate maintenance-related threats? (Choose two.)

  A. Maintain a stock of critical spares for emergency use.

  B. Ensure that all cabling is Category 6.

  C. Always follow electrostatic discharge procedures when replacing or working with internal router and switch device components.

  TestInside 642-552

  D. Always wear an electrostatic wrist band when handling cabling, including fiber-optic cabling.

  E. Always employ certified maintenance technicians to maintain mission-critical equipment and cabling.

  Answer: AC

  3. Which method of mitigating packet-sniffer attacks is the most effective?

  A. implement two-factor authentication

  B. deploy a switched Ethernet network infrastructure

  C. use software and hardware to detect the use of sniffers

  D. deploy network-level cryptography using IPsec, secure services, and secure protocols

  Answer: D

  4. A malicious program is disguised as another useful program; consequently, when the user executes the program, files get erased and then the malicious program spreads itself using emails as the delivery mechanism. Which type of attack best describes how this scenario got started?

  A. DoS

  B. worm

  C. virus

  D. trojan horse

  E. DDoS

  Answer: D

  5. What is the key function of a comprehensive security policy?

  A. informing staff of their obligatory requirements for protecting technology and information assets

  B. detailing the way security needs will be met at corporate and department levels

  C. recommending that Cisco IPS sensors be implemented at the network edge

  D. detailing how to block malicious network attacks

  Answer: A

  6. Which building blocks make up the Adaptive Threat Defense phase of Cisco SDN strategy?

  A. VoIP services, NAC services, Cisco IBNS

  B. network foundation protection, NIDS services, adaptive threat mitigation services

  C. firewall services, intrusion prevention, secure connectivity

  D. firewall services, IPS and network antivirus services, network intelligence

  E. Anti-X defense, NAC services, network foundation protection

  Answer: D

  7. Why is TACACS+ the preferred AAA protocol to use with Cisco device authentication?

  A. TACACS+ encryption algorithm is more recent than other AAA protocols

  B. TACACS+ has a more robust programming interface than other AAA protocols

  C. TACACS+ was initially developed as open-source software

  D. TACACS+ provides true AAA functional separation and encrypts the entire body of the packet

  E. TACACS+ maintains authentication information in the local database of each Cisco IOS router

  F. TACACS+ combines authentication and authorization to provide more robust functionalities

  Answer: D

  8. Which method does a Cisco router use for protocol type IP packet filtering?

  A. inspection rules

  B. standard ACLs

  C. security policies

  D. extended ACLs

  Answer: D

  9. Referring to the network diagram shown, which ACL entry will block any Telnet Client traffic from the Corporate LAN to any Telnet Servers on the Remote Access LAN?

  A. access-list 190 deny tcp any eq 23 16.2.1.0 0.0.0.255

  B. access-list 190 deny tcp 16.1.1.0 0.0.0.255 eq 23 16.2.1.0 0.0.0.255 eq 23

  C. access-list 190 deny tcp any 16.1.1.0 0.0.0.255 eq 23

  D. access-list 190 deny tcp any 16.2.1.0 0.0.0.255 eq 23

  E. access-list 190 deny tcp 16.2.1.0 0.0.0.255 eq 23 16.1.1.0 0.0.0.255 eq 23

  Answer: D

  10. What two tasks should be done before configuring SSH server operations on Cisco routers? (Choose two.)

  A. Upgrade routers to run a Cisco IOS Release 12.1(1)P image.

  B. Upgrade routers to run a Cisco IOS Release 12.1(3)T image or later with the IPsec feature set.

  C. Ensure routers are configured for external ODBC authentication.

  D. Ensure routers are configured for local authentication or AAA for username and password authentication.

  E. Upgrade routers to run a Cisco IOS Release 11.1(3)T image or later with the IPsec feature set.

  Answer: BD

  11. The figure contains a sample configuration using Cisco IOS commands. Which Cisco IOS command or setting does the configuration need to get SSH to work?

  A. add the transport input telnet ssh Cisco IOS command after the line vty 0 4 Cisco IOS command

  B. add the transport output ssh Cisco IOS command after the line vty 0 4 Cisco IOS command

  C. set the SSH timeout value using the ip ssh timeout 60 Cisco IOS command

  D. add the crypto key generate rsa general-keys modulus 1024 Cisco IOS command

  E. set the SSH retries value using the ip ssh authentication-retries 3 Cisco IOS command

  Answer: D

  12. Network administrators have just configured SSH on their target router and have now discovered that an intruder has been using this router to perform a variety of malicious attacks. What have they most likely forgotten to do, and which Cisco IOS commands do they need to use to fix this problem on their target router?

  A. forgot to reset the encryption keys using the crypto key zeroize rsa Cisco IOS global configuration command

  B. forgot to close port 23 and they need to issue the no transport input telnet Cisco IOS global configuration command

  C. forgot to disable vty inbound Telnet sessions and they need to issue the line vty 0 4 and the no transport input telnet Cisco IOS line configuration commands

  D. forgot to restrict access to the Telnet service on port 23 using ACLs and they need to issue the access-list 90 deny any log Cisco IOS global configuration command, and the line vty 0 4 and access-class 90 in Cisco IOS line configuration commands

  Answer: C

  13. Which security log messaging method is the most common message logging facility and why?

  A. SNMP traps, because the router can act as an SNMP agent and forward SNMP traps to an external SNMP server

  B. buffered logging, because log messages are stored in router memory and events are cleared whenever the router is rebooted

  C. console logging, because security messages are not stored and do not take up valuable storage space on network servers

  D. syslog, because this method is capable of providing long-term log storage capabilities and supporting a central location for all router messages

  E. logging all events to the Cisco Incident Control System to correlate events and provide recommended mitigation actions

  Answer: D

  14. What is a syslog configuration oversight that makes system event logs hard to interpret, and what can be done to fix this oversight?

  A. The system time does not get set on the router, making it difficult to know when events occurred. Recommend that an NTP facility be used to ensure that all the routers operate at the correct time.

  B. Third-party flash memory gets installed and doesn't provide easily understandable error or failure codes. Only Cisco-authorized memory modules should be installed in Cisco devices.

  C. The syslog message stream does not get encrypted and invalid syslog messages get sent to the syslog server. Encrypt the syslog messages.

  D. The syslog messages filter rules did not get configured on the router, resulting in too many unimportant messages. Configure syslog messages filter rules so that low-severity messages are blocked from being sent to the syslog server and are logged locally on the router.

  Answer: A

  15. What are two security risks on 802.11 WLANs that implement WEP using a static 40-bit key with open authentication? (Choose two.)

  A. The IV is transmitted as plaintext, and an attacker can sniff the WLAN to see the IV.

  B. The challenge packet sent by the wireless AP is sent unencrypted.

  C. The response packet sent by the wireless client is sent unencrypted.

  D. WEP uses a weak-block cipher such as the Data Encryption Algorithm.

  E. One-way authentication only where the wireless client does not authenticate the wireless-access point.

  Answer: AE

  16. Using 802.1x authentication on a WLAN offers which advantage?

  A. enforces a set of the policy statements that regulate which resource to protect and which activities are forbidden

  B. allows inbound and outbound packet filter rules to be established at the interface level of a device

  C. limits access to network resources based on user login identity; especially suited for large mobile user populations

  D. enforces security policy compliance on all devices seeking to access network computing resources

  Answer: C

  17. How does an application-layer firewall work?

  A. examines the data in all network packets at the application layer and maintains complete connection state and sequencing information

  B. operates at Layers 3, 4 and 5, and keeps track of the actual application communication process by using an application table

  C. determines whether the connection between two applications is valid according to configurable rules

  D. allows an application on your private network that does not have a valid registered IP address to communicate with other applications through the Internet

  Answer: A

  18. Using a stateful firewall, which information is stored in the stateful session flow table?

  A. the outbound and inbound access rules (ACL entries)

  B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session

  C. all TCP and UDP header information only

  D. all TCP SYN packets and the associated return ACK packets only

  E. the inside private IP address and the translated global IP address

  Answer: B

  19. What is a potential security weakness of a traditional stateful firewall?

  A. cannot support non-TCP flows

  B. retains the state of user data packet and dynamically assigned ports in the state table

  C. cannot track the state of each connection setup to ensure that each connection follows a legitimate TCP three-way handshake

  D. cannot detect application-layer attacks

  Answer: D

  20. A client wants their web server on the DMZ to use a private IP address and to be reachable over the Internet with a fixed outside public IP address. Which type of technology will be effective in this scenario?

  A. PAT

  B. Dynamic NAT

  C. Cut-Through Proxy

  D. Application inspection

  E. Static NAT

  Answer: E

  21. A mission critical server application embeds a private IP address and port number in the payload of packets that is used by the client to reply to the server. Why is implementing NAT over the Internet supporting this type of application an issue?

  A. Embedded IP addresses cause NAT to do extensive packet manipulation. This process is very time intensive and the added delay causes the connection in these types of applications to time out and fail.

  B. When the client attempts to reply to the server using the embedded private IP address instead of the public IP address mapped by NAT, the embedded private IP address will not be routable over the Internet.

  C. NAT traversal can't be used for embedded IP addresses. Mission critical applications typically use NAT traversal to ensure stable timely connections, but not when embedded IP addresses and ports are used.

  D. Using NAT makes troubleshooting difficult. You must know the IP address assigned to a device on its NIC and its translated address; it takes too long to determine the source and destination of an embedded IP address, and this delay is not appropriate for mission critical applications.

  Answer: B

  22. Which feature is available only in the Cisco SDM Advanced Firewall Wizard?

  A. configure a router interface connected to a WLAN

  B. create a firewall policy to block SDM access to the router from the outside interface

  C. specify the router outside interface to use for remote management access

  D. choose physical and logical interfaces connected to a WLAN

  E. configure DMZ interfaces with access and inspection rules

  Answer: E

  23. What is the primary type of intrusion prevention technology used by Cisco IPS security appliances?

  A. profile-based

  B. rule-based

  C. signature-based

  D. protocol analysis-based

  Answer: C

  24. What is the difference between the attack-drop.sdf file and the 128MB.sdf and the 256MB.sdf files?

  A. attack-drop.sdf has fewer signatures

  B. attack-drop.sdf takes up more router memory space

  C. attack-drop.sdf signatures cannot be tuned

  D. attack-drop.sdf only contains the Atomic signatures

  E. attack-drop.sdf only contains the String signatures

  Answer: A

  25. By default, what will a router do with incoming network traffic when the Cisco IOS IPS software fails to build a SME?

  A. scan traffic using the most recently installed SME

  B. drop all packets destined for that SME

  C. print a syslog message indicating the failure of the SME build

  D. pass traffic packets destined for that SME without scanning them

  Answer: D

  26. Which three ways can AAA services be implemented for Cisco routers? (Choose three.)

  A. self-contained AAA services in the router itself

  B. Cisco Secure ACS Network Module

  C. Cisco Secure ACS Solution Engine

  D. Cisco Security Manager AAA Service Module

  E. Cisco Secure ACS for Windows Servers

  F. Cisco Security Manager ACS Service Module

  Answer: ACE

  27. What is a secure way of providing clock synchronization between network routers?

  A. sync each router acting as an NTPv2 client to the UTC via the Internet

  B. implement an NTPv3 server synchronized to the UTC via an external clock source like a radio or atomic clock, then configure the other routers as NTPv3 clients

  C. use CDPv2 and NTPv3 to pass and sync the clocking information between the adjacent routers in the network

  D. implement in-band management to sync the clock between the routers using a peer-to-peer architecture using NTPv4 or higher

  Answer: B

  28. What are two ways of preventing VLAN hopping attacks? (Choose two.)

  A. Disable DTP on all the trunk ports.

  B. Enable VTP pruning on all trunk ports to limit the VLAN broadcast.

  C. Set the native VLAN on all the trunk ports to an unused VLAN.

  D. Using port security, set the maximum number of secure MAC addresses to 1 on all trunk and access ports.

  E. Disable portfast on all access ports.

  Answer: AC

  29. Which IKE function is optional?

  A. authentication during SA negotiation

  B. XAUTH protocol for user authentication

  C. Quick Mode for IKE Phase 2

  D. IKE SA establishment

  Answer: B

  30. Which of these is true regarding IKE Phase 2?

  A. The SAs used by IPsec are unidirectional, so a separate key exchange is required for each data flow.

  B. Either main or aggressive mode can be used to establish the SAs.

  C. Quick mode is used to establish the unidirectional IKE SA and the bidirectional IPsec SAs.

  D. XAUTH can be optionally used to reauthenticate the IPsec peers.

  E. The Diffie-Hellman protocol is used to exchange the public and private keys between the two IPsec peers.

  Answer: A

  31. Router A cannot establish a standard IPsec VPN tunnel with router B. An analysis reveals one or more NAT points in the delivery path of each IPsec packet being sent to router B. What is the problem and what is the solution?

  A. IPsec encrypts Layer 4 port information and IKE NAT traversal needs to be configured on this network.

  B. The port number information in the ESP header is encrypted. Use ESP tunnel mode instead of transport mode.

  C. Router A needs to decrypt the Layer 4 port information. Configure ESP protocol on router A.

  D. NAT changes the source IP address of the packets so the IPsec ESP integrity check will fail. Use PAT instead of NAT.

  Answer: A

  32. Which of these two functions are required for IPsec operation? (Choose two.)

  A. using SHA for encryption

  B. using PKI for shared-key authentication

  C. using IKE to negotiate the SA

  D. using AH protocols for encryption and authentication

  E. using Diffie-Hellman to establish a shared-secret key

  Answer: CE

  33. What does the MD5 algorithm do?

  A. takes a message less than 2^64 bits as input and produces a 160-bit message digest

  B. creates a variable-length message and produces a 168-bit message digest

  C. takes a variable-length message and produces a 128-bit message digest

  D. takes a fixed-length message and produces a 128-bit message digest

  Answer: C

  34. Which of these is the strongest symmetrical encryption algorithm?

  A. DES

  B. 3DES

  C. AES

  D. RSA

  E. SHA

  F. Diffie-Hellman

  Answer: C

  35. Which two encryption algorithms are commonly used to encrypt the contents of a message? (Choose two.)

  A. DH

  B. AES

  C. SHA1

  D. 3DES

  E. PKI

  Answer: BD

  36. Why was the Diffie-Hellman key agreement protocol created?

  A. to eliminate the possibility of man-in-the-middle attacks, replacing the RSA method, which is susceptible to this type of attack

  B. a practical method for establishing a shared secret over an unprotected communications channel was needed

  C. an iterated HMAC function to generate pseudorandom data streams was needed

  D. to provide a scalable and secure mechanism for distributing, managing, and revoking encryption and identity information

  Answer: B

  37. Which IPsec protocol is the most popular and why?

  A. AH, because it provides encryption and authentication

  B. AH, because it supports tunnel mode

  C. AH, because it works with PAT

  D. ESP, because it provides encryption and authentication

  E. ESP, because it supports tunnel mode

  F. ESP, because it works with PAT

  Answer: D

  38. Which of these can be used to authenticate the IPsec peers during IKE Phase 1?

  A. Diffie-Hellman Nonce

  B. Pre-Shared Key

  C. XAUTH

  D. ICV

  E. ACS

  F. AH

  Answer: B

  39. Which three components are used in the PKI environment? (Choose three.)

  A. a CA to grant and maintain private shared keys

  B. a CA to grant and maintain digital certificates

  C. an RA to offload the CA by processing enrollment requests

  D. a distribution mechanism for public key revocation lists

  E. a distribution mechanism for certification revocation lists

  F. an eToken key on the router to store the CA private key

  Answer: BCE

  40. Remote users are having a problem using their Cisco VPN Client software to connect to a Cisco Easy VPN Server. Which of the following could be causing the problem?

  A. The Cisco Easy VPN Server is configured with more than one ISAKMP policy.

  B. The Cisco Easy VPN Server is configured with only one ISAKMP policy specifying Diffie-Hellman Group 5.

  C. The Cisco Easy VPN Server transform set configuration includes both encryption and authentication.

  D. The Cisco Easy VPN Server is configured with more than one transform set using ESP.

  E. The Cisco VPN Client software does not support ESP, so the Cisco VPN Server transform set needs to use AH instead.

  Answer: B

  41. Why does PAT fail with ESP packets?

  A. because ESP is a portless protocol riding directly over IP, ESP prevents the PAT from creating IP address and port mappings

  B. because using tunnel mode, ESP includes the outer IP header in computing the ICV, thus if PAT modifies the outer IP header, the ICV will fail

  C. because ESP does not support tunnel mode

  D. because the ESP header is encrypted

  E. because ESP uses dynamic port number

  Answer: A

  42. On Cisco routers, which two methods can be used to secure privileged mode access? (Choose two.)

  A. use the enable secret command to secure the enable password using MD5 encrypted hash

  B. use the service password-encryption command to secure the enable password using the SHA1

  C. use the privilege exec command to enable Role-Based CLI access

  D. use an external Cisco ACS server to authenticate privilege mode access

  E. use an external AAA server to encrypt and decrypt the enable password

  Answer: AD

  43. How can you recover a Cisco IOS image from a router whose password you have lost and on which the no service password-recovery Cisco IOS command has been configured?

  A. You cannot recover the router.

  B. Use the service password-recovery Cisco IOS command in ROMMON.

  C. Obtain a new Cisco IOS image on a FLASH SIMM or on a PCMCIA card.

  D. Use the service password Cisco IOS recovery command.

  E. Use the tftpdnld Cisco IOS command in ROMMON to use the TFTP facility to copy a new image to the router Flash memory.

  Answer: C

  44. Referring to the partial router configuration shown, which can represent the highest security risk?

  A. AAA login authentication is not enabled for console access

  B. SSH is not enabled for console access

  C. using the default exec-timeout, which is too long

  D. using the local router database for console login authentication

  E. not using the Cisco proprietary cipher to protect the user password

  Answer: C

  45. What is the first step you need to perform on a router when configuring role-based CLI?

  A. place the router in global configuration mode

  B. create a parser view called root view

  C. enable role-based CLI globally on the router using the privilege exec level Cisco IOS command.

  D. enable the root view on the router

  E. log in to the router as the "root" user

  Answer: D

  46. To verify role-based CLI configurations, which Cisco IOS CLI commands do you need to use to verify a view?

  A. parser view view-name, then use the ? to verify the available commands

  B. enable view view-name, then use the ? to verify the available commands

  C. enable view, then use the parser view view-name to verify the available commands

  D. show view view-name to verify the available commands

  Answer: B

  47. What does the secure boot-config global configuration accomplish?

  A. enables Cisco IOS image resilience

  B. backs up the Cisco IOS image from flash to a TFTP server

  C. takes a snapshot of the router running configuration and securely archives it in persistent storage

  D. backs up the router running configuration to a TFTP server

  E. stores a secured copy of the Cisco IOS image in its persistent storage

  Answer: C

  48. Which SDM feature(s) can be used to audit and secure a Cisco router?

  A. AutoSecure and AAA Wizards

  B. AutoSecure or SDM Express Wizards

  C. Security Audit Wizard or One-Step Lockdown

  D. AAA or SDM Express Wizard

  E. IPS Wizard

  Answer: C

  49. Which two Cisco AutoSecure features are not supported in the One-Step Lockdown feature found in Cisco SDM Version 2.2a? (Choose two.)

  A. disable IP gratuitous ARPs

  B. disabling NTP

  C. set minimum password length to less than 6 characters

  D. configure antispoofing ACLs on outside interfaces

  E. disable CDP

  F. enable SSH for access to the router

  Answer: BD

  50. In the Cisco SDM Security Audit Wizard screen shown in the figure, which Fix it action should be selected to prevent smurf denial of service attacks?

  A. IP Mask Reply is enabled

  B. IP Unreachables is enabled

  C. IP Directed Broadcast is enabled

  D. IP Redirects is enabled

  E. IP Proxy ARP is enabled

  F. Access class is not set on vty lines

  Answer: C


Copyright ©2013-2015 江浙沪招生考试网 All Rights Reserved.