
Cisco Certification: Cisco 642-566 Question Bank

Date: 2015/9/3 9:38:37  Source: site original
1. What is the primary reason that GET VPN is not deployed over the public Internet?
A. because GET VPN supports re-keying using multicast only
B. because GET VPN preserves the original source and destination IP addresses, which may be private addresses
that are not routable over the Internet
C. because GET VPN uses IPsec transport mode, which would expose the IP addresses to the public if using the
Internet
D. because the GET VPN group members use multicast to register with the key servers
E. because the GET VPN key servers and group members requires a secure path to exchange the Key Encryption
Key (KEK) and the Traffic Encryption Key (TEK)
Answer: B 
2. Which is used to authenticate remote IPsec VPN users?
A. PFS
B. XAUTH
C. mode configuration
D. single sign-on (SSO)
E. Diffie-Hellman (DH)
F. pre-shared key
Answer: B 
3. Which three security components can be found in today's typical single-tier firewall system? (Choose three.)
A. Stateful Packet Filtering with Application Inspection and Control
B. IPS
C. Network Admission Control
D. application proxy
E. Cache engine
F. server load balancing
Answer: ABD 
4. When implementing point-to-point secure WAN solutions over the Internet, which alternative Cisco IOS
method is available if GRE-over-IPsec tunnels cannot be used?
TestInside  Cisco  642-566
A. Virtual Routing and Forwarding (VRF)
B. Virtual Tunnel Interfaces (VTIs)
C. dynamic crypto maps
D. GET VPN
Answer: B 
5. Which three are correct guidelines when using separation to secure the enterprise data center? (Choose three.)
A. Separate exposed services' resources into security domains, as granularly as possible.
B. Use DMZ to host exposed services.
C. Always prefer logical separation to physical separation.
D. Use multiple firewall tiers for defense in depth
E. Use IDS instead of IPS for better performance.
Answer: ABD 
6. What is used to enable IPsec usage across Port Address Translation (PAT) devices?
A. port forwarding
B. static NAT/PAT
C. NAT-T
D. IPsec tunnel mode
E. RRI
Answer: C 
7. Which algorithm is recommended for implementing automatic symmetric key exchange over an unsecured
channel?
A. public key infrastructure (PKI)
B. Diffie-Hellman (DH)
C. RSA
D. EAP
E. SHA-512
F. AES
Answer: B
8. Which Cisco software agent uses content scanning to identify sensitive content and controls the transfer of
sensitive content off the local endpoint over removable storage, locally or network-attached hardware, or network
applications?
A. Cisco Trust Agent 2.0
B. Cisco NAC Appliance Agent 4.1.3
C. Cisco NAC Appliance Web Agent 1.0
D. Cisco Security Agent 6.0
E. Cisco IronPort Agent 3.0
Answer: D 
9. The LWAPP protocol supports which type of native encryption?
A. DES
B. 3DES
C. RC5
E. ECC
F. AES
Answer: F 
10. Which three benefits does DMVPN offer? (Choose three.)
A. supports spokes that use dynamic IP addresses
B. supports IP unicast and multicast traffic
C. supports native routing protocols over the tunnels
D. is available on Cisco IOS routers and on Cisco ASA security appliances
E. provides tunnel-less any-to-any connectivity
F. has less overhead than GRE over IPsec
Answer: ABC 
11. Pharming attacks, which are used to fool users into submitting sensitive information to malicious servers,
typically involve which attack method?
A. ARP poisoning
B. DNS cache poisoning
C. DHCP exhaustion
D. DHCP server spoofing
E. IP spoofing
Answer: B 
12. Which statement regarding the hybrid user authentication model for remote-access IPsec VPNs is correct?
A. VPN servers authenticate by using pre-shared keys, and users authenticate by using usernames and passwords.
B. VPN servers authenticate by using digital certificates, and users authenticate by using usernames and
passwords.
C. VPN servers authenticate by using digital certificates, and users authenticate by using pre-shared keys.
D. VPN servers and users authenticate by using digital certificates.
E. VPN servers and users authenticate by using pre-shared keys.
Answer: B 
13. Which protocol is used to allow the utilization of Cisco Wide Area Application Engines or Cisco IronPort
S-Series web security appliances to localize web traffic patterns in the network and to enable the local fulfillment
of content requests?
A. SOAP
B. XML
C. WCCP
D. HTTPS
E. DTLS
F. TLS
Answer: C 
14. What is implemented on Cisco IP Phones so that they can authenticate themselves before gaining network access?
A. Cisco Secure Services Client
B. Cisco NAC Appliance Agent (NAA)
C. IEEE 802.1X supplicant
D. AAA client
E. Cisco Security Agent
F. one-time password
Answer: C 
15. What is the difference between hashing and Hashed Message Authentication Code (HMAC) algorithms?
A. HMAC provides non-repudiation service.
B. Hashing protects against man-in-the-middle attacks.
C. With hashing, the original data can be recovered, given only its digest.
D. HMAC uses an asymmetric key; hashing uses a symmetric key.
E. HMAC uses an additional secret key as the input to the hash function.
Answer: E 
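The point behind question 15, shown in working code. This is an added example, not part of the original question bank or any Cisco material: a receiver that checks only SHA-256(message) accepts a message an attacker has rewritten and re-hashed, while a receiver that checks HMAC-SHA256 under a shared key rejects it. The message text, the key and the attacker's guessed key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: a message one peer sends with an integrity tag attached,
# and the version a man-in-the-middle would like to substitute.
MESSAGE = b"policy: permit 10.1.1.0/24 -> 10.2.2.0/24 esp"
TAMPERED = b"policy: permit 0.0.0.0/0 -> 10.2.2.0/24 esp"
KEY = b"k3y-shared-out-of-band"  # hypothetical secret known only to the two peers


def sha256_tag(message: bytes) -> bytes:
    """Plain hash of the message. Anyone, including the attacker, can compute it."""
    return hashlib.sha256(message).digest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 (RFC 2104): the same hash function, but keyed with a secret."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hash_only(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sha256_tag(message), tag)


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so a remote attacker cannot learn
    # how many leading bytes of a guessed tag were correct.
    return hmac.compare_digest(hmac_tag(key, message), tag)


def mitm_against_plain_hash() -> bool:
    """Sender transmits (MESSAGE, SHA256(MESSAGE)); the attacker swaps in TAMPERED
    and simply recomputes the digest. Returns True if the receiver accepts the forgery."""
    forged_tag = sha256_tag(TAMPERED)
    return verify_hash_only(TAMPERED, forged_tag)


def mitm_against_hmac() -> bool:
    """Sender transmits (MESSAGE, HMAC(KEY, MESSAGE)); the attacker does not know KEY,
    so the best it can do is tag the forgery under a guessed key."""
    forged_tag = hmac_tag(b"attacker-guess", TAMPERED)
    return verify_hmac(KEY, TAMPERED, forged_tag)


def legitimate_hmac_roundtrip() -> bool:
    """The genuine peer, holding KEY, still verifies its own message."""
    return verify_hmac(KEY, MESSAGE, hmac_tag(KEY, MESSAGE))


if __name__ == "__main__":
    print("plain hash accepts forgery:", mitm_against_plain_hash())  # True
    print("HMAC accepts forgery:      ", mitm_against_hmac())        # False
    print("HMAC accepts genuine:      ", legitimate_hmac_roundtrip())  # True
```

Two caveats worth keeping in mind when reading the answer choices: HMAC is not a naive H(key || message) (that construction is open to length-extension attacks on Merkle-Damgard hashes such as SHA-256; HMAC's nested inner/outer keyed hashes avoid it), and because both peers hold the same key, HMAC proves origin only to the other peer. It does not give non-repudiation, which is why option A is wrong and why question 41 reserves that property for digital signatures.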
16. Refer to the exhibit. Which three Cisco IOS features can be used on the VPN gateways (Cisco IOS routers) to
implement high availability for remote-access IPsec VPN? (Choose three.)
A. VPN clustering
B. Reverse Route Injection (RRI)
C. VPN clustering
D. Dead Peer Detection (DPD)
E. cooperative key servers
F. virtual contexts
Answer: ABD 
17. Cisco Security MARS and Cisco Security Manager can work together to perform which two functions?
(Choose two.)
A. centralized management of attack-mitigation commands
B. centralized syslog storage and management
C. correlation of firewall events with Cisco Security MARS events
D. correlation of IPS events with Cisco Security MARS events
E. false-positive tuning
F. incident-vector analysis
Answer: CD
18. Which platform has the highest IPsec throughput and can support the highest number of tunnels?
A. Cisco 3845 with AIM-VPN/SSL-3
B. Cisco 7200 NPE-GE+VSA
C. Cisco 7200 NPE-GE+VAM2+
D. Cisco ASR 1000-5G
E. Cisco 6500/7600 + VPN SPA
F. Cisco ASA 5580
Answer: E 
19. Which two Cisco IOS features can be used to enable a router's command authorization? (Choose two.)
A. command privilege levels
B. auto secure
C. CLI views
D. management plane protection (MPP)
E. one-step lockdown
Answer: AC 
20. Which two logical controls are available on Cisco IOS routers to limit the damage of physical intrusions?
(Choose two.)
A. USB smart token key storage
B. security stickers
C. disabling of password recovery
D. digitally signed Cisco IOS image
E. port security
Answer: AC
21. Which additional security control can be used in multi-tier applications and multi-tier firewall designs to force
an attacker to compromise the exposed server before the attacker can attempt to penetrate the more protected
domains?
A. Use a different firewall platform at each tier.
B. Make exposed servers in the DMZs dual homed.
C. At each tier, implement a transparent proxy component within the firewall system.
D. Implement host IPS on the exposed servers in the DMZs.
E. Implement in-band network admission control at the first tier.
F. Use zone-based firewalling and assign each exposed server in the DMZs to a unique security zone.
Answer: B 
22. Which two settings can the Cisco Security Agent (release 5.2 and later) monitor to control a user's wireless
access? (Choose two.)
A. protection types such as WEP, TKIP
B. wireless card type (802.11a, b, or g)
C. SSIDs
D. antivirus version
E. lightweight versus autonomous mode
Answer: AC 
23. When SSL uses TCP encapsulation on Cisco SSL VPNs, the user's TCP session is transported over another
TCP session, thus making flow control inefficient if a packet is lost. Which solution solves this problem?
A. smart tunnel
B. application plug-ins
C. DTLS
D. Cisco Secure Desktop
E. DAP
Answer: C 
24. Using Cisco ASA active/active stateful failover, what happens if the return packet of an existing connection is
not found in the local Cisco ASA connection table?
A. The local Cisco ASA will drop the packet.
B. If the local Cisco ASA is the active Cisco ASA, then it will forward the packet.
C. The local Cisco ASA will forward the packet if it is permitted by the inbound ACL.
D. The local Cisco ASA will perform a reverse path forwarding check to determine whether to forward or drop the packet.
E. The local Cisco ASA will determine, based on its routing table, whether to forward or drop the packet.
F. The local Cisco ASA will examine the copy of the other Cisco ASA's connection table and, if a match is found,
will forward the packet to the other Cisco ASA.
Answer: F 
25. Which Cisco ASA SSL VPN feature requires a special license?
A. prelogin assessment
B. Basic Host Scan
C. smart tunnels
D. Advanced Endpoint Assessment
E. client plug-ins
F. Cisco AnyConnect VPN Client
Answer: D 
26. Which Cisco IOS feature can be used to prevent IP address spoofing?
A. Dynamic ARP Inspection (DAI)
B. reflexive Access Control List (ACL)
C. unicast Reverse Path Forwarding (uRPF)
D. Flexible Packet Matching (FPM)
E. 802.1X authentication
Answer: C 
27. Refer to the exhibit. Which statement correctly describes this security architecture, which is used to protect the
multi-tiered web application?
A. This architecture supports application tiers that are dual homed.
B. All the servers are protected by the dual-tier firewall systems and do not require additional endpoint security
controls.
C. The firewall systems in the first and second tiers should be implemented with identical security controls to
provide defense in depth.
D. The second-tier Cisco ASA AIP-SSM should be tuned for inspecting Oracle attack signatures.
Answer: D 
28. When using QoS mechanisms to protect the network links against DoS attacks, classification and marking of
traffic is most commonly performed at which layer(s)?
A. core
B. distribution
C. access
D. core and access
E. core, distribution, and access
Answer: C 
29. Dynamic ARP Inspection (DAI) uses the MAC-to-IP address mapping learned through which other Cisco
Catalyst switch Layer 2 security feature?
A. IP source guard
B. port security
C. DHCP snooping
D. VACL
E. BPDU guard
Answer: C 
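The relationship asked about in question 29, and the ARP poisoning named in question 11, as an added simulation. This is example code written for this page, not Cisco software or anything from the original dump: a toy switch that builds a DHCP snooping binding table from server replies seen on trusted ports, rejects DHCP server replies arriving on untrusted (host-facing) ports, and then applies DAI by checking each ARP packet's sender MAC/IP pair and ingress port against that table. Port names, MAC addresses and IP addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Binding table entry: (client IP, port the client was learned on), keyed by (VLAN, MAC).
Binding = Tuple[str, str]


@dataclass
class Switch:
    """Toy Catalyst: per-port trust state, a DHCP snooping binding table, and DAI."""
    trusted_ports: Dict[str, bool]
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def dhcp_server_reply(self, ingress: str, vlan: int, client_mac: str,
                          client_ip: str, client_port: str) -> bool:
        """DHCP snooping: OFFER/ACK are accepted only from trusted ports (the uplink
        toward the real server); a rogue server on an access port is dropped.
        An accepted ACK records which MAC received which IP on which port."""
        if not self.trusted_ports[ingress]:
            self.log.append(f"DHCP snooping: dropped server reply on untrusted {ingress}")
            return False
        self.bindings[(vlan, client_mac)] = (client_ip, client_port)
        return True

    def arp(self, ingress: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """DAI: on untrusted ports the ARP sender MAC/IP pair, and the port it arrives on,
        must match a DHCP snooping binding. Trusted ports are not inspected."""
        if self.trusted_ports[ingress]:
            return True
        bound = self.bindings.get((vlan, sender_mac))
        if bound is None or bound != (sender_ip, ingress):
            self.log.append(
                f"DAI: dropped ARP '{sender_ip} is-at {sender_mac}' on {ingress} (no binding)")
            return False
        return True


def build_demo_switch() -> Switch:
    """Constructed topology: Gi1/0/1 is the uplink toward the DHCP server (trusted),
    Gi1/0/2 is a victim host and Gi1/0/3 is the attacker. Everything is in VLAN 10."""
    sw = Switch(trusted_ports={"Gi1/0/1": True, "Gi1/0/2": False, "Gi1/0/3": False})
    # DHCPACKs relayed through the trusted uplink populate the binding table.
    sw.dhcp_server_reply("Gi1/0/1", 10, "00:11:22:33:44:55", "10.0.10.20", "Gi1/0/2")
    sw.dhcp_server_reply("Gi1/0/1", 10, "66:77:88:99:aa:bb", "10.0.10.30", "Gi1/0/3")
    return sw


def run_scenarios() -> Dict[str, bool]:
    """True means the switch forwarded the packet, False means it was dropped."""
    sw = build_demo_switch()
    return {
        # attacker answers DHCP itself (DHCP server spoofing): dropped by snooping
        "rogue_dhcp_offer": sw.dhcp_server_reply("Gi1/0/3", 10, "00:11:22:33:44:55",
                                                 "10.0.10.20", "Gi1/0/2"),
        # the victim's own ARP reply matches its binding: forwarded
        "victim_arp": sw.arp("Gi1/0/2", 10, "00:11:22:33:44:55", "10.0.10.20"),
        # attacker claims to be the gateway 10.0.10.1 (classic ARP poisoning): dropped
        "gateway_poison": sw.arp("Gi1/0/3", 10, "66:77:88:99:aa:bb", "10.0.10.1"),
        # attacker spoofs the victim's MAC/IP pair from the wrong port: dropped
        "mac_spoof": sw.arp("Gi1/0/3", 10, "00:11:22:33:44:55", "10.0.10.20"),
        # the real gateway's ARP arrives on the trusted uplink: not inspected
        "uplink_arp": sw.arp("Gi1/0/1", 10, "de:ad:be:ef:00:01", "10.0.10.1"),
    }
```

The dependency the question tests is visible in `arp()`: with an empty binding table, DAI drops every ARP packet on an untrusted port, which is exactly what happens on a real Catalyst when DAI is enabled before DHCP snooping. Hosts with static addresses have no binding and need an ARP ACL or a trusted port, a caveat the simulation shares with the real feature.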
30. If the primary firewall fails when using the Cisco IOS Release 12.4(6)T stateful firewall failover configuration,
which two categories of state-tracking information will be lost? (Choose two.)
A. TCP connections
B. UDP connections
C. ICMP sessions
D. NAT translations
E. Layer 7 inspection sessions
Answer: CE 
31. IPsec peer authentication is typically implemented through which two methods? (Choose two.)
A. pre-shared key
B. Diffie-Hellman (DH)
C. unencrypted nonce
D. digital certificate
E. AAA
F. one-time password
Answer: AD 
32. Which authentication protocol can provide single sign-on (SSO) services?
A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos
E. EAP
Answer: D 
33. What are the four main deployment options to consider when implementing Cisco NAC Appliance design?
(Choose four.)
A. in-band versus out-of-band
B. edge deployment versus central deployment
C. system authentication versus user authentication
D. Real-IP Gateway versus virtual gateway
E. Layer 2 versus Layer 3
Answer: ABDE 
34. Which countermeasure is best used to protect against rogue access points that are outside the enterprise
physical perimeter and that attempt to attract legitimate clients?
A. dedicated rogue detector access points with active and passive RLDP and radio containment
B. personal firewall
C. Management Frame Protection
D. wireless IDS/IPS
E. EAP-TLS bidirectional authentication
Answer: E 
35. Cisco SSL VPN solution uses the Cisco Secure Desktop to provide which four functionalities? (Choose four.)
A. pre-login assessment
B. application plug-ins
C. secure vault
D. Cache Cleaner
E. Advanced Endpoint Assessment
F. smart tunnel
Answer: ACDE 
36. Which two administrative controls can be used as preventive controls against insider attacks? (Choose two.)
A. two-factor authentication
B. separation of duty
C. mandatory holidays
D. biometric access control system
E. audit logs
F. Network Admission Control (NAC)
Answer: BC 
37. The Cisco ASA can use which three network controls or technologies to filter network traffic? (Choose three.)
A. stateful packet filters with Application Inspection and Control
B. network IPS with the AIP-SSM
C. adaptive control protocol
D. zone-based policy firewall
E. XML firewalling
F. proxy services with the CSC-SSM
Answer: ABF 
38. Deploying logical security controls such as firewall and IPS appliances is an example of which kind of
risk-management option?
A. risk avoidance
B. risk transfer
C. risk retention
D. risk reduction
E. risk removal
Answer: D 
39. What can be used to implement automatic learning and application sandboxing creation for host endpoint
protection?
A. Cisco NAC Appliance Agent (Cisco NAA)
B. Cisco Security Agent
C. Cisco Trust Agent
D. Cisco Secure Services Client
E. Cisco Secure Desktop
Answer: B  
40. Which Cisco ASA configuration is required to implement active/active failover?
A. transparent firewall
B. modular policy framework (MPF)
C. virtual contexts
D. policy-based routing
E. redundant interfaces
F. VLANs
Answer: C  
41. Digital signatures can be used to provide which three security controls? (Choose three.)
A. confidentiality
B. integrity
C. anti-replay
D. nonrepudiation
E. authenticity
F. availability
Answer: BDE 
42. Which statement regarding the Cisco ASA encrypted voice inspection capability is correct?
A. The Cisco ASA decrypts, inspects, then re-encrypts voice-signaling traffic; all of the existing VoIP inspection
functions for SCCP and SIP protocols are preserved.
B. The Cisco ASA acts as a non-transparent TLS proxy between the Cisco IP Phone and Cisco Unified
Communications Manager.
C. TLS proxy applies to the encryption layer and is configured by using a Layer 3/4 inspection policy on the Cisco
ASA.
D. The Cisco ASA does not support PAT and NAT for SCCP inspection.
E. The Cisco ASA serves as a proxy for both client and server, with the Cisco IP Phone and the Session Border
Controller.
Answer: A 
43. Which series of steps illustrates how a challenge-and-response authentication protocol functions?
A. to E. (the five answer choices were supplied as diagrams and are not reproduced on this page)
Answer: A 
44. Which three statements regarding Virtual Tunnel Interface (VTI) are correct? (Choose three.)
A. There are two types of VTIs: Static and Dynamic.
B. VTIs are supported on Cisco IOS routers and on Cisco ASA security appliances.
C. VTIs have more encapsulation overhead than GRE tunnels do.
D. QoS services can be deployed on VTIs.
E. Traffic that requires protection is routed to VTIs by using static routing or routing protocols.
Answer: ADE 
45. MPLS VPN does not provide or support which of the following?
A. customer isolation
B. the use of private IP addresses
C. confidentiality
D. any-to-any connectivity
E. customer IGP routing
Answer: C 
46. Refer to the exhibit. A distributed DoS attack has been detected. The attack appears to have sources from
many hosts in network X/24. An operator in the network operation center is notified of this attack and must take
preventive action. To block all offending traffic, the network operator announces a BGP route, with the next-hop
attribute of 172.31.1.1, for the X/24 network of the attacker.
Which two methods do the routers at the regional office, branch office, and telecommuter location use to prevent
traffic going to and from the attacker? (Choose two.)
A. A dynamic ACL entry to block any traffic that is sourced from the X/24 network
B. a static route to 172.31.1.1/32, which points to a null interface
C. a prefix list to block routing updates about the X/24 network
D. strict uRPF
E. community attribute
Answer: BD 
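Why options B and D of question 46 work together, and the uRPF spoofing check of question 26, as an added simulation. This is example code written for this page, not Cisco IOS behaviour reproduced from documentation: a toy FIB with longest-prefix match and recursive next-hop resolution, a strict uRPF check on ingress, and a branch router before and after the NOC announces X/24 with next hop 172.31.1.1. The branch addressing and the choice of 198.51.100.0/24 for the attacker's X/24 are constructed; the model assumes a default route is allowed to satisfy uRPF (a single-homed branch).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

NULL0 = "Null0"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None for connected and null routes
    interface: Optional[str]                   # known for connected/null routes, else resolved


class Fib:
    def __init__(self, routes: List[Route]):
        # longest prefix first, so the first hit in lookup() is the most specific route
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: ipaddress.IPv4Address) -> Optional[Route]:
        return next((r for r in self.routes if addr in r.prefix), None)

    def egress(self, addr: ipaddress.IPv4Address, depth: int = 0) -> Optional[str]:
        """Interface a packet to addr would leave on, resolving BGP next hops recursively."""
        r = self.lookup(addr)
        if r is None or depth > 8:
            return None
        if r.interface is not None:
            return r.interface
        return self.egress(r.next_hop, depth + 1) if r.next_hop is not None else None


def forward(fib: Fib, src: str, dst: str, ingress: str) -> str:
    """Strict uRPF on the source, then a normal FIB lookup on the destination.
    Models 'ip verify unicast source reachable-via rx allow-default' semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if fib.egress(s) != ingress:       # no route, Null0, or the wrong interface
        return "drop-urpf"
    out = fib.egress(d)
    if out is None:
        return "drop-no-route"
    if out == NULL0:
        return "drop-null0"
    return f"forward:{out}"


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def ip(s: str) -> ipaddress.IPv4Address:
    return ipaddress.ip_address(s)


def build_branch_fib(blackhole_announced: bool) -> Fib:
    """Constructed branch router: LAN 10.10.0.0/24 on Gi0/1, WAN /30 on Gi0/0 with a
    default route via 203.0.113.1. The attacking network X/24 is 198.51.100.0/24."""
    routes = [
        Route(net("10.10.0.0/24"), None, "Gi0/1"),
        Route(net("203.0.113.0/30"), None, "Gi0/0"),
        Route(net("0.0.0.0/0"), ip("203.0.113.1"), None),
        # Pre-provisioned on every edge router: the RTBH next hop points at Null0.
        Route(net("172.31.1.1/32"), None, NULL0),
    ]
    if blackhole_announced:
        # The route the NOC injects via BGP: X/24 with next hop 172.31.1.1.
        routes.append(Route(net("198.51.100.0/24"), ip("172.31.1.1"), None))
    return Fib(routes)


if __name__ == "__main__":
    before, after = build_branch_fib(False), build_branch_fib(True)
    print(forward(before, "198.51.100.7", "10.10.0.5", "Gi0/0"))  # forward:Gi0/1
    print(forward(after, "198.51.100.7", "10.10.0.5", "Gi0/0"))   # drop-urpf
    print(forward(after, "10.10.0.5", "198.51.100.7", "Gi0/1"))   # drop-null0
```

The two halves map onto the two correct answers: the static route to 172.31.1.1/32 via Null0 (`ip route 172.31.1.1 255.255.255.255 Null0` on IOS) makes traffic *to* X/24 resolve to Null0, and strict uRPF (`ip verify unicast source reachable-via rx`) makes traffic *from* X/24 fail because the reverse path for the source now also resolves to Null0. A community attribute (option E) is what the trigger router typically attaches to keep the announcement inside the AS; it is not what the edge routers use to drop packets.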
47. Cisco SSL VPN solution uses which method to provide connections between a Winsock 2, TCP-based
application and a private site without requiring administrative privileges?
A. application plug-ins
B. port forwarding
C. Cisco AnyConnect VPN Client
D. smart tunnels
E. Cisco Secure Desktop
Answer: D 
48. Which function can the Cisco Security Agent data access control feature perform?
A. detects changes to system files by examining the file signature
B. detects attempts to modify the file registry
C. detects rootkit by examining attempts to modify the kernel functionality
D. detects malformed HTTP requests by examining the URI in the HTTP request
E. enables trusted QoS marking at the end host
F. subset of configuration actions on the management console
Answer: D 
49. What is the benefit of the Cisco ASA phone proxy feature?
A. allows businesses to securely connect their Cisco Unified Presence clients back to their enterprise networks or
to share presence information between Cisco Unified Presence servers in different enterprises
B. allows telecommuters to connect their IP phones to the corporate IP telephony network securely over the
Internet, without the need to connect over a VPN tunnel
C. allows businesses to configure granular policies for SCCP traffic, such as enforcing only registered phone calls
to send traffic through the Cisco ASA security appliance and filtering on message IDs to allow or disallow specific
messages
D. enables deep inspection services for SIP traffic for both User Datagram Protocol (UDP) and TCP-based SIP
environments, thus providing granular control for protection against unified communications attacks
E. enables inspection of the RTSP protocols that are used to control communications between the client and server
for streaming applications
F. 14 along with Direct Call Signaling (DCS) and Gatekeeper-Routed Call Signaling (GKRCS) to provide flexible
security integration in a variety of H.323-driven VoIP environments
Answer: B 
50. Refer to the exhibit. To support IPsec VPN, which three traffic types should ACL1 permit on the firewall in
front of the IPsec VPN gateway? (Choose three.)
A. IP protocol 50
B. TCP port 50
C. IP protocol 10000
D. UDP port 10000
E. UDP port 500
F. UDP port 4500
Answer: AEF 
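The three traffic types of question 50, and the NAT-T mechanism of question 6, as an added example. This is code written for this page, not from the original dump or from Cisco: it models ACL1 as a permit list and classifies what arrives at the gateway, including the UDP/4500 demultiplexing that NAT-T relies on (RFC 3948: a four-byte all-zero non-ESP marker means IKE, anything else is an ESP header whose SPI is never zero, and a single 0xFF byte is a NAT keepalive). The sample packets are constructed; the ESP "ciphertext" is filler and the IKE header is a hand-built IKEv2 IKE_SA_INIT header.

```python
import struct
from typing import List, Optional, Tuple

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
PORT_IKE, PORT_NAT_T = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s2.2: precedes IKE carried on UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s2.3: one-byte keepalive

# ACL1 from the question as (IP protocol, destination port); None means any port.
ACL1: List[Tuple[int, Optional[int]]] = [
    (PROTO_ESP, None),        # permit esp any host <gateway>
    (PROTO_UDP, PORT_IKE),    # permit udp any host <gateway> eq isakmp
    (PROTO_UDP, PORT_NAT_T),  # permit udp any host <gateway> eq non500-isakmp
]


def acl_permits(proto: int, dst_port: Optional[int]) -> bool:
    """True if ACL1 has a matching permit line; everything else hits the implicit deny."""
    return any(p == proto and (port is None or port == dst_port) for p, port in ACL1)


def classify(proto: int, dst_port: Optional[int], payload: bytes) -> str:
    """Identify an IPsec-related datagram. Raw ESP is its own IP protocol (50), not a
    TCP or UDP port. On UDP/4500 the first four bytes disambiguate IKE from ESP."""
    if proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        return f"esp spi=0x{spi:08x} seq={seq}"
    if proto != PROTO_UDP:
        return "not-ipsec"
    if dst_port == PORT_IKE:
        return "ike"
    if dst_port == PORT_NAT_T:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive"
        if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
            return "ike-udp-encapsulated"
        if len(payload) >= 8:
            spi, seq = struct.unpack("!II", payload[:8])
            return f"esp-udp-encapsulated spi=0x{spi:08x} seq={seq}"
        return "malformed"
    return "not-ipsec"


# Constructed packets: payload only, with the outer IP/UDP headers represented by the
# proto/port arguments. ESP: SPI 0xABCD, sequence 7, 16 bytes of filler "ciphertext".
ESP_PAYLOAD = struct.pack("!II", 0x0000ABCD, 7) + b"\x00" * 16
# IKEv2 header: initiator SPI, responder SPI (zero), next payload 33 (SA), version 2.0,
# exchange 34 (IKE_SA_INIT), flags 0x08 (initiator), message ID 0, length 28.
IKE_HDR = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, 28)
SAMPLES = [
    (PROTO_ESP, None, ESP_PAYLOAD),
    (PROTO_UDP, PORT_IKE, IKE_HDR),
    (PROTO_UDP, PORT_NAT_T, NON_ESP_MARKER + IKE_HDR),
    (PROTO_UDP, PORT_NAT_T, ESP_PAYLOAD),
    (PROTO_UDP, PORT_NAT_T, NAT_KEEPALIVE),
    (PROTO_TCP, 50, b"GET / HTTP/1.0\r\n"),   # option B's "TCP port 50" is not ESP
    (PROTO_UDP, 10000, b"\x00" * 8),          # option D's UDP 10000 is not in ACL1
]


def evaluate() -> List[Tuple[str, bool]]:
    """(classification, permitted-by-ACL1) for each constructed sample."""
    return [(classify(p, port, data), acl_permits(p, port)) for p, port, data in SAMPLES]
```

The practitioner's caveat: ESP has no ports, so a stateless ACL can only permit protocol 50 wholesale, and a stateful firewall cannot build a return-flow entry for it the way it does for UDP/4500. That is also why, once a PAT device sits between the peers, the traffic switches to UDP-encapsulated ESP on 4500 at all (question 6): PAT needs a port to rewrite, and raw ESP has none.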
51. Which Cisco NAC Appliance design is the most scalable architecture for campus LANs because it provides
high performance after posture verification?
A. Layer 2 out-of-band
B. Layer 2 edge deployment
C. Layer 3 in-band
D. Layer 3 central deployment
E. in-band real-IP gateway
F. in-band virtual gateway
Answer: A