cap-25-26

Which place in the network (PIN) is considered to be the highest-risk, as it is the ingress and egress point for internet traffic?. cloud. data center. WAN. edge.

What threat protection actions are involved in the “before” phase of the attack continuum?. defining the abilities and actions that are required when an attack gets through. establishing policies and implementing prevention measures to reduce risks. detecting, containing, and remediating attacks. conducting threat analysis and incident response.

Question as presented: Match the Cisco Safe security concepts to the description. (Not all options are used.). management. security intelligence. segmentation.

Question as presented: Match the Cisco SAFE component with the description. (Not all options are used.). cisco talos. cisco umbrella. cisco stealth whatch.

Which solution provides comprehensive network and data protection for organizations before, during, and after a malware attack?. Cisco Umbrella. Cisco ISE. Cisco AMP. Cisco Stealthwatch.

Which solution provides VPN access for clients and performs an assessment of the VPN client security posture compliance?. Cisco Umbrella. Cisco AMP. Cisco Talos. Cisco AnyConnect.

What security capability is provided by applying Cisco WSA web reputation filters before an attack?. prevents client devices from accessing dangerous websites containing malware or phishing links. uses URL filtering to shut down access to websites known to host malware. provides administrators with granular control over web and mobile application usage behavior. inspects the network continuously for instances of undetected malware and breaches.

Which security appliance passively monitors and analyzes network traffic for potential network intrusion attacks and logs the attacks for analysis?. next-generation firewall. web security appliance. intrusion detection system. intrusion prevention system.

According to Gartner, Inc. what three capabilities must a next-generation firewall (NGFW) provide in addition to standard firewall features? (Choose three.). the ability to perform application-level inspection. real-time contextual awareness. incident response and forensics. the ability to leverage external security intelligence. an integrated IPS. the ability to identify users who click malicious URLs.

Question as presented: Match the security platform to the description. (Not all options are used.). cisco firepower-management center. cisco stealthwatch. cisco identity services engine.

Which secure access solution can be implemented to authenticate endpoints that do not support 802.1x or MAB?. Cisco TrustSec. Cisco Identity-Based Network Services. web authentication. Enhanced Flexible Authentication.

Which EAP method makes use of the Protected Extensible Authentication Protocol (PEAP)?. EAP challenge-based authentication method. EAP tunnelled TLS authentication method. EAP TLS authentication method. EAP inner authentication method.

What message is sent every 30 seconds by the 802.1x authenticator to an endpoint to initiate the MAB authentication process?. RADIUS access-accept. EAPoL identity request. RADIUS access-request. EAPoL start.

What are the three phases of TrustSec configuration? (Choose three.). access-request. start. ingress classification. propagation. access-accept. egress enforcement.

Which set of access control entries would allow all users on the 192.168.10.0/24 network to access a web server that is located at 172.17.80.1, but would not allow them to use Telnet?. access-list 103 permit tcp 192.168.10.0 0.0.0.255 host 172.17.80.1 eq 80 access-list 103 deny tcp ​192.168.10.0 0.0.0.255 any eq 23. access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80 access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq 23. access-list 103 deny tcp host 192.168.10.0 any eq 23 access-list 103 permit tcp host 192.168.10.1 eq 80. access-list 103 permit 192.168.10.0 0.0.0.255 host 172.17.80.1 access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq telnet​​.

Which three statements describe ACL processing of packets? (Choose three.). A packet that has been denied by one ACE can be permitted by a subsequent ACE. An implicit deny any rejects any packet that does not match any ACE. A packet that does not match the conditions of any ACE will be forwarded by default. Each statement is checked only until a match is detected or until the end of the ACE list. Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made. A packet can either be rejected or forwarded as directed by the ACE that is matched.

Refer to the exhibit. An ACL was configured on R1 with the intention of denying traffic from subnet 172.16.4.0/24 into subnet 172.16.3.0/24. All other traffic into subnet 172.16.3.0/24 should be permitted. This standard ACL was then applied outbound on interface G0/0/0. Which conclusion can be drawn from this configuration?​. An extended ACL must be used in this situation. Only traffic from the 172.16.4.0/24 subnet is blocked, and all other traffic is allowed.​. The ACL should be applied outbound on all interfaces of R1. All traffic will be blocked, not just traffic from the 172.16.4.0/24 subnet. The ACL should be applied to the GigabitEthernet 0/0/0 interface of R1 inbound to accomplish the requirements.

What are two limitations of PACLs? (Choose two.). only support numbered ACLs. only support extended ACLs. can only filter Layer 2 traffic. no support of ACLs that filter IPv6 packets. no filtering of outbound traffic.

An administrator defined a local user account with a secret password on router R1 for use with SSH. Which three additional steps are required to configure R1 to accept only encrypted SSH connections? (Choose three.). Configure DNS on the router. Enable inbound vty Telnet sessions. Configure the IP domain name on the router. Configure a host name other than “Router”. Generate two-way pre-shared keys. Generate crypto keys.

Which command produces an encrypted password that is easily reversible?. username {username} secret {password}. username {username} algorithm-type sha256 {password}. enable secret {password}. service password-encryption.

Which is the preferred method for securing device terminal lines?. a password configured directly on the terminal lines. username-based authentication. AAA authentication. username-based authentication restricted with an ACL.

What protocol is used to encapsulate the EAP data between the authenticator and authentication server performing 802.1X authentication?. SSH. TACACS+. RADIUS. MD5.

Which statement describes a difference between RADIUS and TACACS+?. RADIUS separates authentication and authorization, whereas TACACS+ combines them as one process. RADIUS does not support EAP for 802.1x, whereas TACACS+ does. RADIUS encrypts only the password, whereas TACACS+ encrypts all communication. RADIUS uses TCP, whereas TACACS+ uses UDP.

What is a feature of a Cisco IOS Zone-Based Policy Firewall?. Router management interfaces must be manually assigned to the self zone. A router interface can belong to only one zone at a time. Service policies are applied in interface configuration mode. The pass action works in multiple directions.

Which statement describes Cisco IOS Zone-Based Policy Firewall operation?. The pass action works in only one direction. Router management interfaces must be manually assigned to the self zone. A router interface can belong to multiple zones. Service policies are applied in interface configuration mode.

What are two characteristics of the ZBFW default zone? (Choose two.). By default, all IP addresses on a router are included in the default zone. It is a system built zone. By default, interfaces in the default zone are permitted to communicate with interfaces in other zones. All traffic is permitted by default to and from the default zone. Interfaces that are not members of other zones are placed in this zone by default.

What is the Control Plane Policing (CoPP) feature designed to accomplish?. disable control plane services to reduce overall traffic. manage services provided by the control plane. direct all excess traffic away from the route processor. prevent unnecessary traffic from overwhelming the route processor.

Which command can be issued to protect a Cisco router from unauthorized automatic remote configuration?. no cdp enable. no service pad. no service config. no ip proxy-arp.

Which vulnerability can be mitigated by disabling CDP and LLDP on a Cisco device?. advertising detailed information about a device. automatic remote configuration. half-open or orphaned TCP connections. answering APR requests intended for other devices.

Which type of threat defense is provided by Cisco Umbrella?. blocking requests to malicious Internet destinations. monitoring and analyzing network traffic for potential network intrusion attacks. identifying and blocking zero-day threats that manage to infiltrate the network. blocking hidden malware from both suspicious and legitimate websites.

Which Cisco solution is used by Cisco Web Security Appliance to detect and correlate threats in real time?. Cisco Umbrella. Cisco Talos. Cisco Threat Grid. Cisco ISE.

Refer to the exhibit. Which two ACLs, if applied to the G0/1 interface of R2, would permit only the two LAN networks attached to R1 to access the network that connects to R2 G0/1 interface? (Choose two.). access-list 4 permit 192.168.10.0 0.0.0.255. access-list 5 permit 192.168.10.0 0.0.0.63 access-list 5 permit 192.168.10.64 0.0.0.63. access-list 3 permit 192.168.10.128 0.0.0.63. access-list 1 permit 192.168.10.0 0.0.0.127. access-list 2 permit host 192.168.10.9 access-list 2 permit host 192.168.10.69.