CCNA SECURITY 3
Test title: CCNA SECURITY 3. Description: CCNA security




Which countermeasures can mitigate ARP spoofing attacks? (Choose two.)
- Port security
- DHCP snooping
- IP source guard
- Dynamic ARP inspection

Which of the following statements about access lists are true? (Choose three.)
- Extended access lists should be placed as near as possible to the destination
- Extended access lists should be placed as near as possible to the source
- Standard access lists should be placed as near as possible to the destination
- Standard access lists should be placed as near as possible to the source
- Standard access lists filter on the source address
- Standard access lists filter on the destination address

In which stage of an attack does the attacker discover devices on a target network?
- Reconnaissance
- Covering tracks
- Gaining access
- Maintaining access

Which type of security control is defense in depth?
- Threat mitigation
- Risk analysis
- Botnet mitigation
- Overt and covert channels

On which Cisco Configuration Professional screen do you enable AAA?
- AAA Summary
- AAA Servers and Groups
- Authentication Policies
- Authorization Policies

Which configuration mode do you use for the command ip ospf authentication-key c1$c0?
- global
- privileged
- in-line
- interface

What are two uses of SIEM software? (Choose two.)
- performing automatic network audits
- configuring firewall and IDS devices
- alerting administrators to security events in real time
- scanning emails for suspicious attachments
- collecting and archiving syslog data

If a packet matches more than one class map in an individual feature type's policy map, how does the ASA handle the packet?
- The ASA will apply the actions from only the last matching class map it finds for the feature type
- The ASA will apply the actions from all matching class maps it finds for the feature type
- The ASA will apply the actions from only the most specific matching class map it finds for the feature type
- The ASA will apply the actions from only the first matching class map it finds for the feature type

What statement provides the best definition of malware?
- Malware is tools and applications that remove unwanted programs
- Malware is software used by nation states to commit cyber-crimes
- Malware is unwanted software that is harmful or destructive
- Malware is a collection of worms, viruses and Trojan horses that is distributed as a single.....

Which sensor mode can deny attackers inline?
- IPS
- fail-close
- IDS
- fail-open

What command can you use to verify the binding table status?
- show ip dhcp snooping statistics
- show ip dhcp snooping database
- show ip dhcp snooping binding
- show ip dhcp pool
- show ip dhcp snooping
- show ip dhcp source binding

Your security team has discovered a malicious program that has been harvesting the CEO's email messages and the company's user database for the last 6 months. What are two possible types of attacks your team discovered?
- social activism
- advanced persistent threat
- drive-by spyware
- targeted malware

Which FirePOWER preprocessor engine is used to prevent SYN attacks?
- Anomaly
- Rate-Based Prevention
- Portscan Detection
- Inline Normalization

What is the only permitted operation for processing multicast traffic on zone-based firewalls?
- Stateful inspection of multicast traffic is supported only for the self-zone
- Stateful inspection of multicast traffic is supported only between the self-zone and the internal zone
- Only control plane policing can protect the control plane against multicast traffic
- Stateful inspection of multicast traffic is supported only for the internal zone

Which type of encryption technology has the broadest platform support to protect operating systems?
- Middleware
- Hardware
- software
- file-level

Which feature of the Cisco Email Security Appliance can mitigate the impact of snowshoe spam and sophisticated phishing attacks?
- holistic understanding of threats
- graymail management and filtering
- signature-based IPS
- contextual analysis

Which Sourcefire secure action should you choose if you want to block only malicious traffic from a particular end-user?
- Trust
- Block
- Allow without inspection
- Monitor
- Allow with inspection

Which two next-generation encryption algorithms does Cisco recommend? (Choose two.)
- SHA-384
- MD5
- DH-1024
- DES
- AES
- 3DES

When an administrator initiates a device wipe command from the ISE, what is the immediate effect?
- It requests the administrator to choose between erasing all device data or only managed corporate data
- It requests the administrator to enter the device PIN or password before proceeding with the operation
- It immediately erases all data on the device
- It notifies the device user and proceeds with the erase operation

How does a device on a network using ISE receive its digital certificate during the new-device registration process?
- ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA server
- The device requests a new certificate directly from a central CA
- ISE issues a pre-defined certificate from a local database
- ISE issues a certificate from its internal CA server

How can you detect a false negative on an IPS?
- View the alert on the IPS
- Use a third party to audit the next-generation firewall rules
- Review the IPS console
- Review the IPS log
- Use a third-party system to perform penetration testing

Which two statements about stateless firewalls are true? (Choose two.)
- The Cisco ASA is implicitly stateless because it blocks all traffic by default
- They compare the 5-tuple of each incoming packet against configurable rules
- They cannot track connections
- They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS
- Cisco IOS cannot implement them because the platform is stateful by nature

Which three ESP fields can be encrypted during transmission? (Choose three.)
- Next Header
- MAC Address
- Padding
- Pad Length
- Sequence Number
- Security Parameter Index

Which type of PVLAN port allows hosts in the same VLAN to communicate directly with each other?
- promiscuous for hosts in the PVLAN
- span for hosts in the PVLAN
- Community for hosts in the PVLAN
- isolated for hosts in the PVLAN

Refer to the exhibit. While troubleshooting a site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
- IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2
- IKE Phase 1 main mode has successfully negotiated between 10.1.1.5 and 10.10.10.2
- IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2
- IKE Phase 1 aggressive mode was create on 10.1.1.5, but it failed to negotiate with 10.10.10.2

Refer to the exhibit. While troubleshooting a site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
- IPSec Phase 2 established between 10.10.10.2 and 10.1.1.5
- IPSec Phase 1 established between 10.10.10.2 and 10.1.1.5
- IPSec Phase 2 is down due to a QM_IDLE state
- IPSec Phase 1 is down due to a QM_IDLE state

Refer to the exhibit. You have configured R1 and R2 as shown, but the routers are unable to establish a site-to-site VPN tunnel. What action can you take to correct the problem?
- Edit the crypto keys on R1 and R2 to match
- Edit the crypto isakmp key command on each router with the address value of its own interface
- Edit the ISAKMP policy sequence numbers on R1 and R2 to match
- Set a valid value for the crypto key lifetime on each router

Refer to the exhibit. Which statement about the given configuration is true?
- The timeout command causes the device to move to the next server after 20 seconds of TACACS inactivity
- The single-connection command causes the device to process one TACACS request and then move to the next server
- The single-connection command causes the device to establish one connection for all TACACS transactions
- The router communicates with the NAS on the default port, TCP 1645

Refer to the exhibit. What is the effect of the given command?
- It configures the network to use a different transform set between peers
- It merges authentication and encryption methods to protect traffic that matches an ACL
- It configures encryption for MD5 HMAC
- It configures authentication as AES 256

What is a valid implicit permit rule for traffic that is traversing the ASA firewall?
- Unicast IPv6 traffic from a higher security interface to a lower security interface is permitted in transparent mode only
- Only BPDUs from a higher security interface to a lower security interface are permitted in routed mode
- ARPs in both directions are permitted in transparent mode only
- Unicast IPv4 traffic from a higher security interface to a lower security interface is permitted in routed mode only
- Only BPDUs from a higher security interface to a lower security interface are permitted in transparent mode

You have been tasked with blocking user access to websites that violate company policy, but the sites use dynamic IP addresses. What is the best practice for URL filtering to solve the problem?
- Enable URL filtering and create a blacklist to block the websites that violate company policy
- Enable URL filtering and create a whitelist to allow only the websites the company policy allows users to access
- Enable URL filtering and use URL categorization to allow only the websites the company policy allows users to access
- Enable URL filtering and create a whitelist to block the websites that violate company policy
- Enable URL filtering and use URL categorization to block the websites that violate company policy

What is the potential drawback to leaving VLAN 1 as the native VLAN?
- Gratuitous ARPs might be able to conduct a man-in-the-middle attack
- The CAM might be overloaded, effectively turning the switch into a hub
- VLAN 1 might be vulnerable to IP address spoofing
- It may be susceptible to a VLAN hopping attack

Refer to the exhibit. Which line in this configuration prevents the HelpDesk user from modifying the interface configuration?
- Privilege exec level 9 show configure terminal
- Privilege exec level 7 show start-up
- Privilege exec level 10 interface
- Username HelpDesk privilege 6 password help

Which IPS mode provides the maximum number of actions?
- Inline
- bypass
- span
- failover
- promiscuous

Which technology can be used to rate data fidelity and to provide an authenticated hash for data?
- Network blocking
- signature updates
- file analysis
- file reputation

What configuration allows AnyConnect to authenticate and automatically establish a VPN session when a user logs in to the computer?
- proxy
- Trusted Network Detection
- transparent mode
- always-on

Which statement about the communication between interfaces on the same security level is true?
- All traffic is allowed by default between interfaces on the same security level
- Interfaces on the same security level require additional configuration to permit inter-interface communication
- Configuring interfaces on the same security level can cause asymmetric routing
- You can configure only one interface on an individual security level

You have implemented Sourcefire IPS and configured it to block certain addresses utilizing Security Intelligence IP Address Reputation. A user calls and is not able to access a certain IP address. What action can you take to allow the user access to the IP address?
- create a user-based access control rule to allow the traffic
- create a custom blacklist to allow the traffic
- create a whitelist and add the appropriate IP address to allow the traffic
- create a rule to bypass inspection to allow the traffic

Which feature filters CoPP packets?
- Policy maps
- route maps
- access control lists
- class maps

In which type of attack does an attacker send an email message that asks the recipient to click a link such as https://www.cisco.net.cc/securelogs?
- pharming
- phishing
- solicitation
- secure transaction

In the router ospf 200 command, what does the value 200 stand for?
- Administrative distance value
- process ID
- area ID
- ABR ID

Your security team has discovered a malicious program that has been harvesting the CEO's email messages and the company's user database for the last 6 months. What type of attack did your team discover? (Choose two.)
- social activism
- drive-by spyware
- targeted malware
- advanced persistent threat
- polymorphic virus

What is the best way to confirm that AAA authentication is working properly?
- use the test aaa command
- use the Cisco-recommended configuration for AAA authentication
- Log into and out of the router, and then check the NAS authentication log
- Ping the NAS to confirm connectivity

What is the benefit of a web application firewall?
- It accelerates web traffic
- It blocks known vulnerabilities without patching applications
- It supports all networking protocols
- It simplifies troubleshooting

What improvement does EAP-FASTv2 provide over EAP-FAST?
- It supports more secure encryption protocols
- It allows multiple credentials to be passed in a single EAP exchange
- It addresses security vulnerabilities found in the original protocol
- It allows faster authentication by using fewer packets

Which statement about IOS privilege levels is true?
- Each privilege level is independent of all other privilege levels
- Each privilege level supports the commands at its own level and all levels above it
- Each privilege level supports the commands at its own level and all levels below it
- Privilege-level commands are set explicitly for each user

What mechanism does asymmetric cryptography use to secure data?
- an RSA nonce
- a public/private key pair
- an MD5 hash
- shared secret keys

Which statement about application blocking is true?
- Block access to specific programs
- Block access to specific network addresses
- Block access to specific network services
- Block access to files with specific extensions

What are the three layers of a hierarchical network design? (Choose three.)
- core
- access
- server
- user
- internet
- distribution

In which type of attack does the attacker attempt to overload the CAM table on a switch so that the switch acts as a hub?
- gratuitous ARP
- MAC flooding
- MAC spoofing
- DoS

Refer to the exhibit. With which NTP server has the router synchronized?
- 192.168.10.7
- 108.61.73.243
- 209.114.111.1
- 204.2.134.164
- 132.163.4.103
- 241.199.164.101

What are two ways to protect against eavesdropping when you perform device-management tasks? (Choose two.)
- use SNMPv2
- use SSH connection
- use SNMPv3
- use in-band management
- use out-of-band management