CCNA Security Final Exam v2

Last Updated on March 15, 2020 by Admin

CCNA Security Final Exam v2 Final Exam Answers 2019 Full 100%

1. Which security measure is best used to limit the success of a reconnaissance attack from within a campus area network?

   • Implement access lists on the border router.
   • Implement encryption for sensitive traffic.
   • Implement a firewall at the edge of the network.
   • Implement restrictions on the use of ICMP echo-reply messages.​
     

     Explanation: The implementation of an access list may provide extra security by permitting denying a flow of traffic, but it will not provide a direct response to limit the success of the attack. The implementation of a firewall on the network edge may prevent reconnaissance attacks from the Internet, but attacks within the local network are not prevented. By implementing restrictions on the sending of ICMP echo-reply messages within a local network, devices may not respond to ping messages, but port scans are not prevented and clear-text data sent on the network are still vulnerable. The best security measure is to encrypt as much network traffic as possible, both user data and network management traffic.

2. Which security implementation will provide control plane protection for a network device?

   • routing protocol authentication
   • encryption for remote access connections
   • NTP for consistent timestamps on logging messages​
   • AAA for authenticating management access
     

     Explanation: Control plane traffic such as ARP messages or routing protocol advertisements are generated by a network device in order to support network operations. Routing protocol authentication provides an extra measure of security to authenticate the source of routing updates. Encrypting remote access connections, utilizing the NTP protocol, and using AAA, are all measures implemented to secure management plane traffic.

3. Which two practices are associated with securing the features and performance of router operating systems? (Choose two.)

   • Install a UPS.
   • Keep a secure copy of router operating system images.
   • Disable default router services that are not necessary.
   • Reduce the number of ports that can be used to access the router.
   • Configure the router with the maximum amount of memory possible.
     

     Explanation: Configuring a router with maximum available memory allows support for the widest range of security services and can help to protect against certain DoS attacks. Secure copies of router operating system images and configuration files provide backups needed for device recovery. Installing a UPS device provides physical security for networking devices but does not affect the security of their operating systems. Disabling unnecessary ports and services is part of the process of router hardening, and does not specifically involve the router operating system.

4. Refer to the exhibit. An administrator issues these IOS login enhancement commands to increase the security for login connections. What can be concluded about them?​

   

   Implementing Network Security (Version 2.0) – CCNAS Final Exam Answers 2019 08

   • Because the login delay command was not used, a one-minute delay between login attempts is assumed.​
   • These enhancements apply to all types of login connections.
   • The hosts that are identified in the ACL will have access to the device.
   • The login block-for command permits the attacker to try 150 attempts before being stopped to try again.​
     

     Explanation: When the login block-for command is implemented, it automatically invokes a one-second delay between login attempts. The login block-for command that is presented means that login will be disabled for 150 seconds, if more than 5 login failures occur within 60 seconds. These enhancements do not apply to console connections. When quiet mode is enabled, all login attempts are denied except for the hosts permitted in the ACL.

5. What is a characteristic of a role-based CLI view of router configuration?

   • A CLI view has a command hierarchy, with higher and lower views.
   • When a superview is deleted, the associated CLI views are deleted.​
   • Only a superview user can configure a new view and add or remove commands from the existing views.​
   • A single CLI view can be shared within multiple superviews.
     

     Explanation: A CLI view has no command hierarchy, and therefore, no higher or lower views. Deleting a superview does not delete the associated CLI views. Only a root view user can configure a new view and add or remove commands from the existing views.​

6. What is a result of securing the Cisco IOS image using the Cisco IOS Resilient Configuration feature?

   • The Cisco IOS image file is not visible in the output of the show flash command.
   • The Cisco IOS image is encrypted and then automatically backed up to a TFTP server.
   • The Cisco IOS image is encrypted and then automatically backed up to the NVRAM.
   • When the router boots up, the Cisco IOS image is loaded from a secured FTP location.
     

     Explanation: When using the Cisco IOS Resilient Configuration feature, a secure copy of the IOS image is stored in flash and is hidden from view and and not included in any directory listings.

7. Refer to the exhibit. What two pieces of information can be gathered from the generated message? (Choose two.)

   

   Implementing Network Security (Version 2.0) – CCNAS Final Exam Answers 2019 11

   • This message is a level five notification message.
   • This message appeared because a minor error occurred that requires further investigation.
   • This message appeared because a major error occurred that requires immediate action.
   • This message indicates that service timestamps have been globally enabled.
   • This message indicates that enhanced security was configured on the vty ports.
     

     Explanation: A Cisco router log message consists for three parts: 1) the timestamp 2) the log message and severity level 3) the message text

8. What represents a best practice concerning discovery protocols such as CDP and LLDP on network devices?

   • Use the open standard LLDP rather than CDP.
   • Disable both protocols on all interfaces where they are not required.
   • Use the default router settings for CDP and LLDP.
   • Enable CDP on edge devices, and enable LLDP on interior devices.
     

     Explanation: Both discovery protocols can provide hackers with sensitive network information. They should not be enabled on edge devices, and should be disabled globally or on a per-interface basis if not required. CDP is enabled by default.​

9. What is the one major difference between local AAA authentication and using the login local command when configuring device access authentication?

   • Local AAA authentication allows more than one user account to be configured, but login local does not.
   • The login local command uses local usernames and passwords stored on the router, but local AAA authentication does not.
   • Local AAA authentication provides a way to configure backup methods of authentication, but login local does not.
   • The login local command requires the administrator to manually configure the usernames and passwords, but local AAA authentication does not.
     

     Explanation: Local AAA authentication works very similar to the login local command, except that it allows you to specify backup authentication methods as well. Both methods require that local usernames and passwords be manually configured on the router.

10. Refer to the exhibit. A network administrator configures AAA authentication on router R1. The ACS servers are configured and running. The administrator tests the configuration by telneting to R1. What will happen if the administrator attempts to authenticate through the RADIUS server using incorrect credentials?

    

    Implementing Network Security (Version 2.0) – CCNAS Final Exam Answers 2019 04

    • The authentication process stops.
    • The enable secret password could be used in the next login attempt.
    • The enable secret password and a random username could be used in the next login attempt.
    • The username and password of the local user database could be used in the next login attempt.
      

      Explanation: The authentication for Telnet connections is defined by AAA method list AUTHEN. The AUTHEN list defines that the first authentication method is through an ACS server using the RADIUS protocol (or RADIUS server), the second authentication method is to use the local user database, and the third method is to use the enable password. In this scenario, however, because the administrator fails to pass the authentication by the first method, the authentication process stops and no other authentication methods are allowed.

11. Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router by using the password cisco123. What is a possible cause of the problem?

    

    Implementing Network Security (Version 2.0) – CCNAS Final Exam Answers 2019 03

    • The wrong vty lines are configured.
    • The administrator has used the wrong password.
    • AAA authorization is not configured.
    • The administrator does not have enough rights on the PC that is being used.
      

      Explanation: To authenticate and log in using a Telnet vty line, the network administrator is required to use the local username and password that has been configured on the local router. This is evidenced by the application of the aaa authentication login telnet local-case command. The administrator must use a capital C in Cisco123 to match the applied configuration.

12. What is a feature of the TACACS+ protocol?

    • It combines authentication and authorization as one process.
    • It encrypts the entire body of the packet for more secure communications.
    • It utilizes UDP to provide more efficient packet transfer.
    • It hides passwords during transmission using PAP and sends the rest of the packet in plaintext.
      

      Explanation: TACACS+ has the following features:separates authentication and authorization encrypts all communication uses TCP port 49

13. In an AAA-enabled network, a user issues the configure terminal command from the privileged executive mode of operation. What AAA function is at work if this command is rejected?

    • authentication
    • authorization
    • accounting
    • auditing
      

      Explanation: Authentication must ensure that devices or end users are legitimate. Authorization is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network. The configure terminal command is rejected because the user is not authorized to execute the command.

14. A network administrator enters the single-connection command. What effect does this command have on AAA operation?

    • allows the device to establish only a single connection with the AAA-enabled server
    • authorizes connections based on a list of IP addresses configured in an ACL on a Cisco ACS server
    • allows a Cisco ACS server to minimize delay by establishing persistent TCP connections
    • allows a new TCP session to be established for every authorization request
      

      Explanation: By default, TACACS+ establishes a new TCP session for every authorization request. This can lead to delays.To improve performance, Cisco Secure ACS supports persistent TCP sessions configured with the single-connection command.

15. Refer to the exhibit. In the network that is shown, which AAA command logs the use of EXEC session commands?

    

    Implementing Network Security (Version 2.0) – CCNAS Final Exam Answers 2019 01

    • aaa accounting connection start-stop group radius
    • aaa accounting connection start-stop group tacacs+
    • aaa accounting exec start-stop group radius
    • aaa accounting exec start-stop group tacacs+
    • aaa accounting network start-stop group radius
    • aaa accounting network start-stop group tacacs+
      

      Explanation: The aaa accounting exec start-stop group tacacs+ command is used to configure the router to log the use of EXEC commands.

16. What is an advantage in using a packet filtering firewall versus a high-end firewall appliance?

    • Packet filters perform almost all the tasks of a high-end firewall at a fraction of the cost.
    • Packet filters represent a complete firewall solution.
    • Packet filters are not susceptible to IP spoofing.
    • Packet filters provide an initial degree of security at the data-link and network layer.
      

      Explanation: There are several advantages of using a packet filtering firewall: – ​allows for implementing simple permit or deny rule sets. – has a low impact on network performance – is easy to implement, and is supported by most routers – provides an initial degree of security at the network layer – performs almost all the tasks of a high-end firewall at a much lower cost

17. What is a benefit of using a next-generation firewall rather than a stateful firewall?

    • support for logging
    • support of TCP-based packet filtering
    • reactive protection against Internet attacks
    • granularity control within applications
      

      Explanation: Stateful and next-generation firewalls provide better log information than packet filtering firewalls​. Both stateful and next-generation firewalls defend against spoofing by filtering unwanted traffic. However, next-generation firewalls provide the following benefits over stateful firewalls:Granularity control within applications Website and application traffic filtering based on site reputation Proactive rather than reactive protection from Internet threat Enforcement of security policies based on multiple criteria Improved performance with NAT, VPN, and stateful inspections Integrated IPS

18. What are two characteristics of a stateful firewall? (Choose two.)

    • uses static packet filtering techniques
    • uses connection information maintained in a state table
    • analyzes traffic at Layers 3, 4 and 5 of the OSI model
    • uses complex ACLs which can be difficult to configure
    • prevents Layer 7 attacks
      

      Explanation: Stateful firewalls are the most versatile and the most common firewall technologies in use. Stateful firewalls provide stateful packet filtering by using connection information maintained in a state table. Stateful filtering is a firewall architecture that is classified at the network layer. It also analyzes traffic at OSI Layers 4 and 5.​ Stateful firewalls cannot prevent application layer attacks because they do not examine the actual contents of an HTTP connection.

19. What are two benefits of using a ZPF rather than a Classic Firewall? (Choose two.)

    • The ZPF is not dependent on ACLs.
    • With ZPF, the router will allow packets unless they are explicitly blocked.
    • ZPF policies are easy to read and troubleshoot.
    • Multiple inspection actions are used with ZPF.
    • ZPF allows interfaces to be placed into zones for IP inspection.
      

      Explanation: There are several benefits of a ZPF: · It is not dependent on ACLs. · The router security posture is to block unless explicitly allowed. · Policies are easy to read and troubleshoot with C3PL. · One policy affects any given traffic, instead of needing multiple ACLs and inspection actions. ​In addition, an interface cannot be simultaneously configured as a security zone member and for IP inspection.​

20. What is a feature of a Cisco IOS Zone-Based Policy Firewall?

    • Router management interfaces must be manually assigned to the self zone.
    • Service policies are applied in interface configuration mode.
    • A router interface can belong to only one zone at a time.
    • The pass action works in multiple directions.
      

      Explanation: The pass action allows traffic in only one direction. Interfaces automatically become members of the self zone. Interfaces are assigned to a zone in interface configuration mode, but most configuration takes place in global configuration mode and associated submodes. An interface can belong to only one zone at a time.

21. Which IDS/IPS signature alarm will look for packets that are destined to or from a particular port?

    • signature-based
    • policy-based
    • anomaly-based
    • honey pot-based
      

      Explanation: Cisco IDS and IPS sensors can use four types of signature alarms or triggers: Pattern-based detection – also known as signature-based detection, searches for a specific and pre-defined pattern. In most cases, the pattern is matched to the signature only if the suspect packet is associated with a particular service or destined to or from particular ports. Anomaly-based detection – also known as profile-based detection, involves first defining a profile of what is considered normal for the network or host. After defining normal activity, the signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile. Policy-based detection – also known as behavior-based detection, is similar to pattern-based detection, but instead of trying to define specific patterns, the administrator defines behaviors that are suspicious based on historical analysis. Honey pot-based detection – uses a dummy server to attract attacks.

22. Which three actions can the Cisco IOS Firewall IPS feature be configured to take when an intrusion activity is detected? (Choose three.)

    • alert
    • drop
    • inoculate
    • isolate
    • reset TCP connection
    • reset UDP connection
      

      Explanation: In IPS implementation, when a signature detects a matching activity, the signature triggers one or more of these actions:Generates an alert Logs the activity Drops or prevent the activity Resets a TCP connection Blocks future activity Allows the activity

23. An organization has configured an IPS solution to use atomic alerts. What type of response will occur when a signature is detected?

    • The TCP connection is reset.
    • An alert is triggered each time a signature is detected.
    • A counter starts and a summary alert is issued when the count reaches a preconfigured number.
    • The interface that triggered the alert is shutdown.
      

      Explanation: Atomic alerts are generated every time a signature triggers. A summary alert is a single alert that indicates multiple occurrences of the same signature from the same source address or port. Deny packet and deny flow actions do not automatically cause TCP reset actions to occur. Atomic alerts do not shut down interfaces.

24. Which Cisco IOS subcommand is used to compile an IPS signature into memory?

    • retired true
    • retired false
    • event-action produce-alert
    • event-action deny-attacker-inline
      

      Explanation: The Cisco IOS subcommand retired can be used to retire (not to compile into memory) or unretire (compile into memory) individual signatures or a group of signatures that belong to a signature category. The command retired false instructs IOS to compile an IPS signature into memory. The command retired true instructs IOS not to compile an IPS signature into memory. The commands event-action produce-alert and event-action deny-attacker-inline define the action when an enabled signature is matched.

25. Refer to the exhibit. Based on the configuration that is shown, which statement is true about the IPS signature category?

    

    Implementing Network Security (Version 2.0) – CCNAS Final Exam Answers 2019 10

    • Only signatures in the ios_ips basic category will be compiled into memory for scanning.
    • Only signatures in the ios_ips advanced category will be compiled into memory for scanning.
    • All signature categories will be compiled into memory for scanning, but only those signatures in the ios_ips basic category will be used for scanning purposes.
    • All signatures categories will be compiled into memory for scanning, but only those signatures within the ios_ips advanced category will be used for scanning purposes.
      

      Explanation: When a signature category is marked as retired by using the command retired true, then the IPS does not compile signatures that are part of that category into memory for inspection (scanning). The retired false command does the opposite. This command instructs the IPS to include those signatures that are part of that category into memory for scanning.

26. Refer to the exhibit. The network administrator is configuring the port security feature on switch SWC. The administrator issued the command show port-security interface fa 0/2 to verify the configuration. What can be concluded from the output that is shown? (Choose three.)

    

    Implementing Network Security (Version 2.0) – CCNAS Final Exam Answers 2019 09

    • This port is currently up.
    • The port is configured as a trunk link.
    • There is no device currently connected to this port.
    • Three security violations have been detected on this interface.
    • The switch port mode for this interface is access mode.
    • Security violations will cause this port to shut down immediately.
      

      Explanation: Because the security violation count is at 0, no violation has occurred. The system shows that 3 MAC addresses are allowed on port fa0/2, but only one has been configured and no sticky MAC addresses have been learned. The port is up because of the port status of secure-up. The violation mode is what happens when an unauthorized device is attached to the port. A port must be in access mode in order to activate and use port security.

27. Which two ports can send and receive Layer 2 traffic from a community port on a PVLAN? (Choose two.)

    • community ports belonging to other communities
    • promiscuous ports
    • isolated ports within the same community
    • community ports belonging to the same community
    • PVLAN edge protected ports
      

      Explanation: Community ports can send and receive information with ports within the same community, or with a promiscuous port. Isolated ports can only communicate with promiscuous ports. Promiscuous ports can talk to all interfaces. PVLAN edge protected ports only forward traffic through a Layer 3 device to other protected ports.​

28. What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?

    • VLAN hopping
    • DHCP spoofing
    • ARP poisoning
    • ARP spoofing
      

      Explanation: Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP) and by setting the native VLAN of trunk links to VLANs not in use.

29. On which port should Dynamic ARP Inspection (DAI) be configured on a switch?

    • an uplink port to another switch
    • any untrusted port
    • access ports only
    • on any port where DHCP snooping is disabled
      

      Explanation: DHCP snooping must be enabled on a port where DAI is configured, because DAI requires the DHCP snooping table to operate. Only a trusted interface, such as an uplink port between switches, is configured to implement DAI. All access ports are untrusted.

30. Refer to the exhibit. The ip verify source command is applied on untrusted interfaces. Which type of attack is mitigated by using this configuration?

    

    Implementing Network Security (Version 2.0) – CCNAS Final Exam Answers 2019 05

    • ​MAC and IP address spoofing
    • STP manipulation
    • DHCP starvation​
    • DHCP spoofing
      

      Explanation: To protect against MAC and IP address spoofing, apply the IP Source Guard security feature, using the ip verify source command, on untrusted ports.​

31. Why is hashing cryptographically stronger compared to a cyclical redundancy check (CRC)?​

    • It is difficult to generate data with the same CRC.​
    • It is virtually impossible for two different sets of data to calculate the same hash output.
    • Hashing always uses a 128-bit digest, whereas a CRC can be variable length.
    • Hashes are never sent in plain text.
      

      Explanation: When assuring integrity with CRC values, it is easy to generate data with the same CRC. With hash functions, it is computationally infeasible for two different sets of data to come up with the same hash output. Hashing can use many bit values depending on the algorithm. ​These characteristics make hashing much stronger cryptographically.​

32. Why are DES keys considered weak keys?

    • They are more resource intensive.
    • DES weak keys are difficult to manage.
    • They produce identical subkeys.
    • DES weak keys use very long key sizes.
      

      Explanation: Weak keys, whether part of an existing encryption algorithm or manually generated, reveal regularities in encryption. This creates a shortcut by which a hacker can break the encryption. DES has four keys for which encryption is identical to decryption.

33. What type of algorithms require sender and receiver to exchange a secret key that is used to ensure the confidentiality of messages?

    • hashing algorithms
    • public key algorithms
    • symmetric algorithms
    • asymmetric algorithms
      

      Explanation: Symmetric algorithms use the same key, a secret key, to encrypt and decrypt data. This key must be pre-shared before communication can occur. Asymmetric algorithms require more processing power and overhead on the communicating devices because these keys can be long in order to avoid being hacked.

34. What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.)

    • The code is authentic and is actually sourced by the publisher.
    • The code contains no errors.
    • The code was encrypted with both a private and public key.
    • The code has not been modified since it left the software publisher.
    • The code contains no viruses.
      

      Explanation: Digitally signing code provides several assurances about the code: The code is authentic and is actually sourced by the publisher. The code has not been modified since it left the software publisher. The publisher undeniably published the code. This provides nonrepudiation of the act of publishing.

35. Which statement describes the use of certificate classes in the PKI?

    • The lower the class number, the more trusted the certificate.
    • A vendor must issue only one class of certificates when acting as a CA.
    • A class 5 certificate is more trustworthy than a class 4 certificate.
    • Email security is provided by the vendor, not by a certificate.
      

      Explanation: The higher the certificate number, the more trustworthy the certificate. Class 1 certificates are for individuals, with a focus on email verification. An enterprise can act as its own CA and implement PKI for internal use. In that situation, the vendor can issue certificates as needed for various purposes.​

36. What two algorithms can be part of an IPsec policy to provide encryption and hashing to protect interesting traffic? (Choose two.)

    • AES
    • SHA
    • DH
    • RSA
    • PSK
      

      Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two algorithms that can be used within an IPsec policy to protect interesting traffic are AES, which is an encryption protocol, and SHA, which is a hashing algorithm.

37. What algorithm is used to provide data integrity of a message through the use of a calculated hash value?

    • HMAC
    • DH
    • RSA
    • AES
      

      Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. To ensure that data is not intercepted and modified (data integrity), Hashed Message Authentication Code (HMAC) is used. AES is an encryption protocol and provides data confidentiality. DH (Diffie-Hellman) is an algorithm that is used for key exchange. RSA is an algorithm that is used for authentication.

38. What is negotiated in the establishment of an IPsec tunnel between two IPsec hosts during IKE Phase 1?

    • ISAKMP SA policy
    • transform sets
    • interesting traffic
    • DH groups
      

      Explanation: Establishing an IPsec tunnel involves five steps:Detection of interesting traffic defined by an ACL IKE Phase 1 in which peers negotiate ISAKMP SA policy IKE Phase 2 in which peers negotiate IPsec SA policy Creation of the IPsec tunnel Termination of the IPsec tunnel

39. Refer to the exhibit. Which conclusion can be made from the show crypto map command output that is shown on R1?

    

    Implementing Network Security (Version 2.0) – CCNAS Final Exam Answers 2019 06

    • There is a mismatch between the transform sets.
    • The tunnel configuration was established and can be tested with extended pings.
    • The crypto map has not yet been applied to an interface.
    • The current peer IP address should be 172.30.2.1.
      

      Explanation: According to the show crypto map command output, all required SAs are in place, but no interface is currently using the crypto map. To complete the tunnel configuration, the crypto map has to be applied to the outbound interface of each router.

40. In which two instances will traffic be denied as it crosses the ASA 5505 device? (Choose two.)

    • traffic originating from the inside network going to the outside network
    • traffic originating from the inside network going to the DMZ network
    • traffic originating from the outside network going to the inside network
    • traffic originating from the outside network going to the DMZ network
    • traffic originating from the DMZ network going to the inside network 
      

      Explanation: When an ASA 5505 device is being utilized, traffic is denied as it travels from a lower security zone to a higher security zone. The highest security zone is the internal network, the DMZ is usually the next highest, and the outside network is the lowest. Traffic is only allowed to move from a lower security level to a higher if it is in response to originating traffic within the higher security zone.

41. What mechanism is used by an ASA 5505 device to allow inspected outbound traffic to return to the originating sender who is on an inside network?

    • stateful packet inspection
    • security zones
    • access control lists
    • Network Address Translation
      

      Explanation: Stateful packet inspection allows return traffic that is sourced on the outside network to be received by the originating sender on the internal network.

42. Which type of traffic is subject to filtering on an ASA 5505 device?

    • public Internet to inside
    • DMZ to inside
    • inside to DMZ
    • public Internet to DMZ
      

      Explanation: Filtering only applies to traffic traveling in the direction from a higher security level to a lower security level.

43. Refer to the exhibit. Based on the security levels of the interfaces on the ASA, what statement correctly describes the flow of traffic allowed on the interfaces?

    

    Implementing Network Security (Version 2.0) – CCNAS Final Exam Answers 2019 02

    • Traffic that is sent from the DMZ and the Internet to the LAN is considered outbound.
    • Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.
    • Traffic that is sent from the LAN and the Internet to the DMZ is considered inbound.
    • Traffic that is sent from the LAN to the DMZ is considered inbound.
      

      Explanation: When traffic moves from an interface with a higher security level to an interface with a lower security level, it is considered outbound traffic. Conversely, traffic that moves from an interface with a lower security level to an interface with a higher security level is considered inbound traffic.

44. Which two conditions must be met in order for a network administrator to be able to remotely manage multiple ASAs with Cisco ASDM? (Choose two.)

    • ASDM must be run as a local application.
    • Each ASA must have the same enable secret password.
    • The ASAs must all be running the same ASDM version.
    • Each ASA must have the same master passphrase enabled.
    • The ASAs must be connected to each other through at least one inside interface.
      

      Explanation: Cisco ASDM is a Java-based GUI tool that makes ASA configuration easier. In order to remotely manage multiple ASAs with Cisco ASDM, each ASA must have the same ASDM version. When ASDM is run as a local application, no browser is required and several ASA devices can be managed.

45. Which interface option could be set through ASDM for a Cisco ASA?

    • access list
    • NAT/PAT
    • VLAN ID
    • default route
      

      Explanation: To assign a VLAN number to an interface, choose Configuration > Device Setup > Interfaces and add or select an interface. Choose the Advanced tab to assign a VLAN. Other options that can be assigned to an interface include an IP address, mask, and security level.

46. Refer to the exhibit. If a network administrator is using ASDM to configure a site-to-site VPN between the CCNAS-ASA and R3, which IP address would the administrator use for the peer IP address textbox on the ASA if data traffic is to be encrypted between the two remote LANs?

    

    Implementing Network Security (Version 2.0) – CCNAS Final Exam Answers 2019 07

    • 172.16.3.1
    • 172.16.3.3
    • 192.168.1.1
    • 192.168.1.3
    • 209.165.201.1
      

      Explanation: When ASDM is used to configure an ASA, the peer address is the IP address of the other site for the VPN. In this instance R3 has the outside IP address of 209.165.201.1, so that must be the peer IP address for the ASA. Conversely, R3 will have to be configured with a peer IP address of 209.165.200.226.

47. Which two end points can be on the other side of an ASA site-to-site VPN configured using ASDM? (Choose two.)

    • DSL switch
    • ISR router
    • another ASA
    • multilayer switch
    • Frame Relay switch
      

      Explanation: ASDM supports creating an ASA site-to-site VPN between two ASAs or between an ASA and an ISR router.

48. An administrator assigned a level of router access to the user ADMIN using the commands below.

    Router(config)# privilege exec level 14 show ip route
    Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10
    Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10

    Which two actions are permitted to the user ADMIN? (Choose two.)​

    • The user can execute all subcommands under the show ip interfaces command.
    • The user can issue the ip route command.​
    • The user can issue all commands because this privilege level can execute all Cisco IOS commands.​
    • The user can issue the show version command.
    • The user can only execute the subcommands under the show ip route command.​
      

      Explanation: Assigning a command such as show ip route to a specific privilege level automatically assigns all commands associated with the first few keywords to the specified privilege level. So, the show and the show ip commands are automatically set to the privilege level where show ip route is set, which is necessary because the show ip route command cannot be executed without access to the show and show ip commands. Assigning the show ip route command allows the user to issue all show commands, such as show version.​

49. Which two protocols can be selected using the Cisco AnyConnect VPN Wizard to protect the traffic inside a VPN tunnel? (Choose two.)​

    • SSH
    • IPsec
    • Telnet
    • ESP
    • SSL
      

      Explanation: When a full tunnel is creating using the Cisco AnyConnect VPN Wizard, the VPN protocols should be selected to protect the traffic inside the tunnel. The VPN protocol choices are SSL and/or IPsec. Otherwise, a third-party certificate can be configured. Initially SSL and IPsec are selected.

50. A network analyst wants to monitor the activity of all new interns. Which type of security testing would track when the interns sign on and sign off the network?

    • integrity checker
    • network scanning
    • password cracking
    • vulnerability scanning
      

      Explanation: An integrity checking system can report login and logout activities. Network scanning can detect user names, groups, and shared resources by scanning listening TCP ports. Password cracking is used to test and detect weak passwords. Vulnerability scanning can detect potential weaknesses in a system, such as misconfigurations, default passwords, or DoS attack targets.

51. What are three characteristics of SIEM? (Choose three.)

    • examines logs and events from systems and applications to detect security threats
    • Microsoft port scanning tool designed for Windows
    • uses penetration testing to determine most network vulnerabilities
    • consolidates duplicate event data to minimize the volume of gathered data
    • provides real-time reporting for short-term security event analysis
    • can be implemented as software or as a service
      

      Explanation: Security Information Event Management (SIEM) is a technology that provides real-time reporting and long-term analysis of security events. SIEM provides the ability to search logs and events from disparate systems or applications to detect threats. SIEM aggregates duplicate events to reduce the volume of event data. SIEM can be implemented as software or as a managed.service. SuperScan is a Microsoft Windows port scanning tool that runs on most versions of Windows.Tools, such as Nmap and SuperScan, can provide effective penetration testing on a network and determine network vulnerabilities while helping to anticipate possible attack mechanisms.

52. What are two tasks that can be accomplished with the Nmap and Zenmap network tools? (Choose two.)

    • TCP and UDP port scanning
    • identification of Layer 3 protocol support on hosts
    • password auditing
    • password recovery
    • validation of IT system configuration
      

      Explanation: Nmap is a low-level network scanner that is available to the public and which has the ability to perform port scanning, to identify open TCP and UDP ports, and perform system identification. It can also be used to identify Layer 3 protocols that are running on a system.

53. A company deploys a Cisco ASA with the Cisco CWS connector enabled as the firewall on the border of corporate network. An employee on the internal network is accessing a public website. What should the employee do in order to make sure the web traffic is protected by the Cisco CWS?

    • Register the destination website on the Cisco ASA.
    • Use a web browser to visit the destination website.
    • Use the Cisco AnyConnect Secure Mobility Client first.
    • First visit a website that is located on a web server in the Cisco CWS infrastructure.
      

      Explanation: Once the connector is enabled on the Cisco ASA device, users on the internal network can connect to the Cisco CWS transparently when they access external websites. The Cisco CWS serves as a proxy for the web access to scan traffic for malware and policy enforcement. Users visit external websites by accessing the URLs directly on the web browsers.

54. The corporate security policy dictates that the traffic from the remote-access VPN clients must be separated between trusted traffic that is destined for the corporate subnets and untrusted traffic destined for the public Internet. Which VPN solution should be implemented to ensure compliance with the corporate policy?

    • GRE
    • MPLS
    • hairpinning
    • split tunneling
      

      Explanation: Hairpinning allows VPN traffic that is received on a single interface to be routed back out that same interface. Split tunneling allows traffic that originates from a remote-access client to be split according to whether the traffic must cross a VPN or the traffic is destined for the public Internet. MPLS and GRE are two types of Layer 3 VPNs.

55. What is required for auto detection and negotiation of NAT when establishing a VPN link?

    • No ACLs can be applied on either VPN end device.
    • Both VPN end devices must be using IPv6.
    • Both VPN end devices must be NAT-T capable.
    • Both VPN end devices must be configured for NAT.
      

      Explanation: Establishing a VPN between two sites has been a challenge when NAT is involved at either end of the tunnel. The enhanced version of original IKE, IKE version 2, now supports NAT Traversal (NAT-T). NAT-T has the ability to encapsulate ESP packets inside UDP. During IKE version 2 Phase 1, the VPN end devices can detect whether the other device is NAT-T capable and whether either device is connecting through a NAT-enabled device in order to establish the tunnel.

56. What is the benefit of the network-based IPS (NIPS) over host-based IPS (HIPS) deployment models?

    • NIPS provides individual host protection.
    • NIPS relies on centrally managed software agents.
    • NIPS monitors all operations within an operating system.
    • NIPS monitors network segments.
      

      Explanation: The network-based IPS (NIPS) is deployed in a network to monitor traffic in the network. Different from the host-based IPS (HIPS), NIPS does not provides protection to specific individual hosts. The operation of NIPS does not rely on the operating system of individual hosts nor centrally managed software agents.

57. Which security policy characteristic defines the purpose of standards?

    • list of suggestions regarding how to quickly configure all company switches
    • required steps to ensure consistent configuration of all company switches
    • step-by-step details regarding methods to deploy company switches
    • recommended best practices for placement of all company switches
      

      Explanation: Standards help IT staff maintain consistency in the operations of the network. Guidelines are a list of suggestions on how to do things more efficiently and securely. They are similar to standards, but are more flexible and are not usually mandatory. Procedure documents are longer and more detailed than standards and guidelines. Procedure documents include implementation details that usually contain step-by-step instructions and graphics.

58. What two new features are offered by Cisco ASA 5500-X with FirePOWER service when compared with the original ASA 5500 series? (Choose two.)

    • IPsec VPN
    • stateful firewall
    • security level settings
    • advanced malware protection
    • application control and URL filtering
      

      Explanation: The Cisco ASA 5500-X series with FirePOWER service merges the ASA 5500 series appliances with some new features such as advanced malware protection as well as application control and URL filtering. The stateful firewall, IPsec VPN, and security level settings are functions common to both ASA 5500 and ASA 5500-X series devices.

59. Which two statements describe the 8 Ethernet ports in the backplane of a Cisco ASA 5506-X device? (Choose two.)

    • They are all routed ports.
    • Port 1 is a routed port and the rest are switch ports.
    • They all can be configured as routed ports or switch ports.
    • Three of them are routed ports and 5 of them are switch ports.
    • These ports all require IP addresses.
      

      Explanation: Unlike the ASA 5505, the ASA 5506-X does not use switch ports. All Ethernet ports in the backplane are routed and require IP addresses.

60. Match the network security testing technique with how it is used to test network security. (Not all options are used.)

    

    Implementing Network Security (Version 2.0) – CCNAS Final Exam Answers 2019 001

    Explanation: Network scanning tools are used to probe network devices, servers and hosts for open TCP or UDP ports. Vulnerability scanning tools are used to discover security weaknesses in a network or computer system. Penetration testing tools are used to determine the possible outcome of a successful attack on a network or computer system.