CCNA Security Final Exam Quiz

Approved & Edited by ProProfs Editorial Team | By Pepsisnus (Community Contributor)
Questions: 81 | Attempts: 661


It’s quite possibly the most important thing you could know about when studying the topic of networking – security is vital for any network that’s passing information and data from one location to another, to make sure it reaches its destination untouched by any outside source. What can you tell us about it in this final exam?


Questions and Answers
  • 1. 

    1. Which statement is true about the One-Step lockdown feature of the CCP Security Audit wizard?

    • A.

      It sets an access class ACL on VTY lines.

    • B.

      It enables TCP intercepts.

    • C.

      It provides an option for configuring SNMPv3 on all routers.

    • D.

      It enables the Secure Copy Protocol (SCP).

    • E.

      It supports AAA configuration.

    Correct Answer
    A. It sets an access class ACL on VTY lines.
    Explanation
    The One-Step lockdown feature of the CCP Security Audit wizard sets an access class ACL on VTY lines. This means that it allows the administrator to configure an access control list (ACL) on virtual terminal (VTY) lines, which control remote access to the device. By setting an access class ACL on VTY lines, the feature helps to enhance the security of the device by controlling who can access it remotely.

  • 2. 

    2. With the Cisco AnyConnect VPN wizard, which two protocols can be used for tunnel group configuration? (Choose two.)

    • A.

      MPLS

    • B.

      SSH

    • C.

      PPTP

    • D.

      ESP

    • E.

      IPsec

    Correct Answer(s)
    B. SSH
    E. IPsec
    Explanation
    The Cisco AnyConnect VPN wizard allows the use of SSH and IPsec protocols for tunnel group configuration. SSH (Secure Shell) provides a secure remote login and command execution, making it suitable for secure access to network devices. IPsec (Internet Protocol Security) is a suite of protocols that provide secure communication over IP networks, ensuring confidentiality, integrity, and authentication of data. These protocols are commonly used in VPN configurations to establish secure connections between remote users and the network.

  • 3. 

    3. What are two disadvantages of using network IPS? (Choose two.)

    • A.

      Network IPS is operating system-dependent and must be customized for each platform.

    • B.

      Network IPS is incapable of examining encrypted traffic.

    • C.

      Network IPS is unable to provide a clear indication of the extent to which the network is being attacked.

    • D.

      Network IPS sensors are difficult to deploy when new networks are added.

    • E.

      Network IPS has a difficult time reconstructing fragmented traffic to determine if an attack was successful.

    Correct Answer(s)
    B. Network IPS is incapable of examining encrypted traffic.
    E. Network IPS has a difficult time reconstructing fragmented traffic to determine if an attack was successful.
    Explanation
    Network IPS cannot examine encrypted traffic, so it cannot detect or prevent attacks that are hidden inside encrypted data. In addition, network IPS may have difficulty reconstructing fragmented traffic, which makes it hard to determine whether an attack was successful. These two disadvantages highlight limitations in the effectiveness of network IPS in certain situations.

  • 4. 

    Refer to the exhibit. An administrator is implementing VPN support on an ASA 5505. What type of VPN support is being implemented?

    • A.

      Client-based IPsec VPN using AnyConnect

    • B.

      Client-based IPsec VPN using Cisco VPN Client

    • C.

      Clientless SSL VPN

    • D.

      Site-to-site IPsec VPN

    • E.

      Client-based SSL VPN using AnyConnect

    • F.

      Clientless IPsec VPN

    Correct Answer
    C. Clientless SSL VPN
    Explanation
    The correct answer is clientless SSL VPN. This is because a clientless SSL VPN allows users to remotely access a network resource using a web browser without the need to install any additional software. It provides secure access to web-based applications and resources. In this scenario, the administrator is implementing VPN support on an ASA 5505, and the fact that it is clientless means that users will be able to connect to the VPN using a web browser rather than a dedicated VPN client.

  • 5. 

    5. What are two benefits of an SSL VPN? (Choose two.)

    • A.

      The thin client mode functions without requiring any downloads or software.

    • B.

      It supports all client/server applications.

    • C.

      It is compatible with DMVPNs, Cisco IOS Firewall, IPsec, IPS, Cisco Easy VPN, and NAT.

    • D.

      It has the option of only requiring an SSL-enabled web browser.

    • E.

      It supports the same level of cryptographic security as an IPsec VPN.

    Correct Answer(s)
    C. It is compatible with DMVPNs, Cisco IOS Firewall, IPsec, IPS, Cisco Easy VPN, and NAT.
    D. It has the option of only requiring an SSL-enabled web browser.
    Explanation
    An SSL VPN offers two main benefits. First, it is compatible with various network technologies such as DMVPNs, Cisco IOS Firewall, IPsec, IPS, Cisco Easy VPN, and NAT. This compatibility allows for seamless integration and connectivity with different network infrastructures. Second, an SSL VPN has the option of only requiring an SSL-enabled web browser. This means that users can access the VPN securely without the need for additional downloads or software installations, making it more convenient and user-friendly.

  • 6. 

    6. When configuring router security, which statement describes the most effective way to use ACLs to control Telnet traffic that is destined to the router itself?

    • A.

      Apply the ACL to the vty lines without the in or out option required when applying ACLs to interfaces.

    • B.

      The ACL is applied to the Telnet port with the ip access-group command.

    • C.

      The ACL must be applied to each vty line individually.

    • D.

      The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.

    Correct Answer
    D. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
    Explanation
    The most effective way to use ACLs to control Telnet traffic that is destined to the router itself is to apply the ACL to all vty lines in the in direction. This prevents unwanted users from connecting to an unsecured port and ensures that only authorized users can access the router through Telnet. Applying the ACL to the vty lines without the in or out option, as mentioned in the first option, is incorrect because it does not specify the direction of traffic. Applying the ACL to the Telnet port with the ip access-group command, as mentioned in the second option, is also incorrect because the ACL needs to be applied to the vty lines, not the specific port. Applying the ACL to each vty line individually, as mentioned in the third option, is not necessary because applying it to all vty lines in the in direction achieves the desired control.

  • 7. 

    Refer to the exhibit. A network administrator is configuring the security level for the ASA. Which statement describes the default result if the administrator tries to assign the Inside interface with the same security level as the DMZ interface?

    • A.

      The ASA console will display an error message.

    • B.

      The ASA will not allow traffic in either direction between the Inside interface and the DMZ.

    • C.

      The ASA allows traffic from the Inside to the DMZ, but blocks traffic initiated on the DMZ to the Inside interface.

    • D.

      The ASA allows inbound traffic initiated on the Internet to the DMZ, but not to the Inside interface.

    Correct Answer
    B. The ASA will not allow traffic in either direction between the Inside interface and the DMZ.
    Explanation
    If the network administrator tries to assign the Inside interface with the same security level as the DMZ interface, the ASA will not allow traffic in either direction between the Inside interface and the DMZ. This is because when two interfaces have the same security level, the ASA considers them to be in the same security zone and applies stricter security policies, effectively blocking all traffic between them.

  • 8. 

    8. A network technician is configuring SNMPv3 and has set a security level of auth. What is the effect of this setting?

    • A.

      Authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet with either the DES, 3DES or AES algorithms

    • B.

      Authenticates a packet by using the SHA algorithm only

    • C.

      Authenticates a packet by using either the HMAC with MD5 method or the SHA method

    • D.

      Authenticates a packet by a string match of the username or community string

    Correct Answer
    C. Authenticates a packet by using either the HMAC with MD5 method or the SHA method
    Explanation
    Setting the security level of auth in SNMPv3 means that the packet will be authenticated using either the HMAC with MD5 method or the SHA method. This ensures that the packet's integrity and authenticity are verified before it is processed. The packet is not encrypted with this setting, as encryption is not included in the auth security level.

  • 9. 

    9. What is an advantage of using SSL VPNs compared to IPsec VPNs on an ASA?

    • A.

      SSL VPNs provide support for more applications.

    • B.

      SSL VPNs do not require any pre-installed client software.

    • C.

      SSL VPNs provide superior authentication.

    • D.

      SSL VPNs provide stronger encryption as a remote-access solution.

    Correct Answer
    B. SSL VPNs do not require any pre-installed client software.
    Explanation
    SSL VPNs do not require any pre-installed client software, which is an advantage compared to IPsec VPNs on an ASA. This means that users can access the VPN without having to install any additional software on their devices, making it more convenient and user-friendly. It also reduces the complexity and potential compatibility issues that may arise from requiring client software installations.

  • 10. 

    Refer to the exhibit. Which interface configuration completes the classic firewall configuration on the firewall?

    • A.

      FW(config)# interface g0/1 FW(config-if)# ip inspect OUTBOUND in FW(config-if)# ip access-group INSIDE out

    • B.

      FW(config)# interface g0/1 FW(config-if)# ip inspect OUTBOUND in FW(config-if)# ip access-group INSIDE in

    • C.

      FW(config)# interface g0/0 FW(config-if)# ip inspect OUTBOUND in FW(config-if)# ip access-group INSIDE in

    • D.

      FW(config)# interface g0/0 FW(config-if)# ip inspect INSIDE in FW(config-if)# ip access-group OUTBOUND in

    Correct Answer
    B. FW(config)# interface g0/1 FW(config-if)# ip inspect OUTBOUND in FW(config-if)# ip access-group INSIDE in
    Explanation
    The correct answer is FW(config)# interface g0/1. This completes the classic firewall configuration by configuring the interface g0/1 with the "ip inspect OUTBOUND in" command to enable outbound traffic inspection and the "ip access-group INSIDE in" command to apply the access group INSIDE to inbound traffic on the interface. This ensures that outbound traffic is inspected and inbound traffic is filtered according to the rules defined in the access group.

  • 11. 

    11. What is a type of SSL VPN that provides access to a network without requiring VPN software or a Java applet on the client?

    • A.

      Clientless mode

    • B.

      Cisco VPN client mode

    • C.

      Full client mode

    • D.

      Thin client mode

    Correct Answer
    A. Clientless mode
    Explanation
    Clientless mode is a type of SSL VPN that allows users to access a network without the need for VPN software or a Java applet on the client device. In this mode, users can connect to the network using only a web browser, eliminating the need for additional software installations. This provides a convenient and streamlined approach to VPN access, as users can securely connect to the network from any device with a web browser, without the need for specific VPN client software.

  • 12. 

    12. What are two reasons for a company to migrate from a classic firewall to the ZPF model? (Choose two.)

    • A.

      The classic firewall will perform the same inspection on all traffic that goes through a specific interface.

    • B.

      The classic firewall can only have one policy that affects any given traffic.

    • C.

      The classic firewall security posture is to block unless explicitly allowed.

    • D.

      The classic firewall is limited to two interfaces.

    • E.

      The classic firewall relies heavily on ACLs.

    Correct Answer(s)
    A. The classic firewall will perform the same inspection on all traffic that goes through a specific interface.
    E. The classic firewall relies heavily on ACLs.
    Explanation
    The ZPF model allows for more granular inspection of traffic, allowing the company to have different inspection policies for different types of traffic. This can improve security by allowing for more targeted and specific inspection. Additionally, the ZPF model reduces reliance on ACLs, which can be complex and difficult to manage. This can simplify firewall management and improve overall efficiency.

  • 13. 

    13. What is the main difference between the implementation of IDS and IPS devices?

    • A.

      An IDS uses signature-based technology to detect malicious packets, whereas an IPS uses profile-based technology.

    • B.

      An IDS would allow malicious traffic to pass before it is addressed, whereas an IPS stops it immediately.

    • C.

      An IDS can negatively impact the packet flow, whereas an IPS can not.

    • D.

      An IDS needs to be deployed together with a firewall device, whereas an IPS can replace a firewall.

    Correct Answer
    B. An IDS would allow malicious traffic to pass before it is addressed, whereas an IPS stops it immediately.
    Explanation
    The main difference between the implementation of IDS and IPS devices is that an IDS would allow malicious traffic to pass before it is addressed, whereas an IPS stops it immediately. This means that an IDS is more passive in nature, detecting and alerting about malicious activity but not taking immediate action to prevent it. On the other hand, an IPS actively blocks and prevents malicious traffic from entering the network, providing a higher level of security.

  • 14. 

    14. What information must an IPS track in order to detect attacks matching a composite signature?

    • A.

      The state of packets related to the attack

    • B.

      The total number of packets in the attack

    • C.

      The network bandwidth consumed by all packets

    • D.

      The attacking period used by the attacker

    Correct Answer
    A. The state of packets related to the attack
    Explanation
    An Intrusion Prevention System (IPS) must track the state of packets related to the attack in order to detect attacks matching a composite signature. By monitoring the state of packets, the IPS can analyze the behavior and characteristics of the attack. This includes tracking the sequence of packets, their source and destination, payload content, and any anomalies or patterns that indicate a potential attack. By understanding the state of packets, the IPS can effectively detect and prevent attacks that match a composite signature.

  • 15. 

    15. What method is used to authenticate SNMPv2 messages between the manager and the agent?

    • A.

      RSA keys

    • B.

      Trusted keys

    • C.

      Encrypted passwords

    • D.

      Community strings

    Correct Answer
    D. Community strings
    Explanation
    Community strings are used to authenticate SNMPv2 messages between the manager and the agent. SNMP (Simple Network Management Protocol) is a widely used protocol for managing and monitoring network devices. The community string acts as a password or shared secret between the manager and the agent. When a manager sends a request to an agent, it includes the community string. The agent checks if the received community string matches the one configured on its side. If there is a match, the agent accepts the request and responds accordingly. This helps ensure that only authorized managers can access and control the SNMP agent.

  • 16. 

    16. Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model?

    • A.

      A packet-filtering firewall typically can filter up to the transport layer, whereas a stateful firewall can filter up to the session layer.

    • B.

      Both stateful and packet-filtering firewalls can filter at the application layer.

    • C.

      A packet-filtering firewall uses session layer information to track the state of a connection, whereas a stateful firewall uses application layer information to track the state of a connection.

    • D.

      A stateful firewall can filter application layer information, whereas a packet-filtering firewall cannot filter beyond the network layer.

    Correct Answer
    A. A packet-filtering firewall typically can filter up to the transport layer, whereas a stateful firewall can filter up to the session layer.
    Explanation
    Packet-filtering firewalls typically operate at the network layer of the OSI model, allowing them to filter based on IP addresses, ports, and protocols. They can examine individual packets and make decisions based on this information. On the other hand, stateful firewalls operate at a higher layer, typically the session layer. They can keep track of the state of connections and make decisions based on the context of the entire session. This allows stateful firewalls to have more advanced filtering capabilities compared to packet-filtering firewalls.

  • 17. 

    17. What is a difference between ASA IPv4 ACLs and IOS IPv4 ACLs?

    • A.

      ASA ACLs use the subnet mask in defining a network, whereas IOS ACLs use the wildcard mask.

    • B.

      ASA ACLs do not have an implicit deny all at the end, whereas IOS ACLs do.

    • C.

      ASA ACLs use forward and drop ACEs, whereas IOS ACLs use permit and deny ACEs.

    • D.

      Multiple ASA ACLs can be applied on an interface in the ingress direction, whereas only one IOS ACL can be applied.

    • E.

      ASA ACLs are always named, whereas IOS ACLs can be named or numbered.

    Correct Answer
    A. ASA ACLs use the subnet mask in defining a network, whereas IOS ACLs use the wildcard mask.
    Explanation
    ASA ACLs use the subnet mask in defining a network, whereas IOS ACLs use the wildcard mask. Subnet masks are used to determine the network portion of an IP address, while wildcard masks are used to specify which bits in the IP address should be matched. This means that ASA ACLs are more specific in defining the network, as they require an exact match of the subnet mask. On the other hand, IOS ACLs provide more flexibility by allowing the use of wildcard masks, which can match multiple subnets or ranges of IP addresses.

  • 18. 

    18. What is the best way to prevent a VLAN hopping attack?

    • A.

      Use ISL encapsulation on all trunk links.

    • B.

      Disable STP on all nontrunk ports.

    • C.

      Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.

    • D.

      Use VLAN 1 as the native VLAN on trunk ports.

    Correct Answer
    C. Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.
    Explanation
    The best way to prevent a VLAN hopping attack is to disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports. By doing this, the network administrator can ensure that only authorized devices can access the VLANs. Trunk negotiation should be disabled to prevent unauthorized devices from negotiating a trunk connection and gaining access to multiple VLANs. Statically setting nontrunk ports as access ports ensures that these ports can only access a single VLAN, further preventing unauthorized access.

  • 19. 

    19. Why have corporations been shifting remote access security policies to include support for ASA SSL VPNs?

    • A.

      To have stronger encryption options

    • B.

      To support secure access for users on a multitude of devices

    • C.

      To have stronger authentication options

    • D.

      To provide stronger overall security

    Correct Answer
    B. To support secure access for users on a multitude of devices
    Explanation
    Corporations have been shifting remote access security policies to include support for ASA SSL VPNs in order to support secure access for users on a multitude of devices. This is because ASA SSL VPNs provide a secure and encrypted connection for users accessing the corporate network remotely, regardless of the device they are using. By implementing ASA SSL VPNs, corporations can ensure that employees can securely access company resources from various devices, such as laptops, smartphones, and tablets, without compromising the security of the network.

  • 20. 

    Refer to the exhibit. What is the purpose of the object group-based ACL?

    • A.

      It allows users on the 10.5.0.0/24 network access via HTTPS to remote devices on the 10.7.150.0/28, 10.7.151.0/28, 10.7.160.0/28, and 10.7.161.0/28 networks.

    • B.

      It allows devices on the 10.7.150.0/28, 10.7.151.0/28, 10.7.160.0/28, 10.7.161.0/28 networks to receive TCP-based broadcasts.

    • C.

      It allows any TCP traffic with port 443 from the 10.7.150.0/28, 10.7.151.0/28, 10.7.160.0/28, and 10.7.161.0/28 networks access to the 10.5.0.0/24 network.

    • D.

      It allows devices on the 10.5.0.0/24 network to have telnet and web access to the 10.7.150.0/28, 10.7.151.0/28, 10.7.160.0/28, and 10.7.161.0/28 networks.

    Correct Answer
    A. It allows users on the 10.5.0.0/24 network access via HTTPS to remote devices on the 10.7.150.0/28, 10.7.151.0/28, 10.7.160.0/28, and 10.7.161.0/28 networks.
    Explanation
    The purpose of the object group-based ACL is to allow users on the 10.5.0.0/24 network to access remote devices on the 10.7.150.0/28, 10.7.151.0/28, 10.7.160.0/28, and 10.7.161.0/28 networks specifically through HTTPS. This means that only HTTPS traffic from the 10.5.0.0/24 network is permitted to reach the specified remote devices on the mentioned networks.

  • 21. 

    Refer to the exhibit. Based on the output from the show secure bootset command on router R1, which three conclusions can be drawn about Cisco IOS Resilience? (Choose three.)

    • A.

      A copy of the router configuration file has been made.

    • B.

      The Cisco IOS image file is hidden and cannot be copied, modified, or deleted.

    • C.

      The Cisco IOS image filename will be listed when the show flash command is issued on R1.

    • D.

      A copy of the Cisco IOS image file has been made.

    • E.

      The secure boot-config command was issued on R1.

    • F.

      The copy tftp flash command was issued on R1.

    Correct Answer(s)
    A. A copy of the router configuration file has been made.
    B. The Cisco IOS image file is hidden and cannot be copied, modified, or deleted.
    E. The secure boot-config command was issued on R1.
    Explanation
    Based on the output from the "show secure bootset" command on router R1, three conclusions can be drawn about Cisco IOS Resilience. Firstly, a copy of the router configuration file has been made. Secondly, the Cisco IOS image file is hidden and cannot be copied, modified, or deleted. Lastly, the secure boot-config command was issued on R1.

  • 22. 

    22. How would a network security professional mitigate a DoS attack?

    • A.

      Implement a strong password policy.

    • B.

      Deploy antisniffer software.

    • C.

      Include a firewall and IPS in the network security design.

    • D.

      Design the network by using the principle of minimum trust.

    Correct Answer
    C. Include a firewall and IPS in the network security design.
    Explanation
    A network security professional would mitigate a DoS (Denial of Service) attack by including a firewall and IPS (Intrusion Prevention System) in the network security design. A firewall acts as a barrier between the internal network and external threats, filtering and blocking unauthorized access. An IPS monitors network traffic and detects and prevents malicious activity, including DoS attacks. By implementing these measures, the network security professional can effectively prevent and mitigate the impact of a DoS attack on the network.

  • 23. 

    23. Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)

    • A.

      The root user must be assigned to each privilege level that is defined.

    • B.

      It is required that all 16 privilege levels be defined, whether they are used or not.

    • C.

      Views are required to define the CLI commands that each user can access.

    • D.

      There is no access control to specific interfaces on a router.

    • E.

      Creating a user account that needs access to most but not all commands can be a tedious process.

    • F.

      Commands set on a higher privilege level are not available for lower privilege users.

    Correct Answer(s)
    D. There is no access control to specific interfaces on a router.
    E. Creating a user account that needs access to most but not all commands can be a tedious process.
    F. Commands set on a higher privilege level are not available for lower privilege users.
    Explanation
    The first statement is incorrect because privilege levels do not require the root user to be assigned to each level. The second statement is incorrect because it is not necessary to define all 16 privilege levels. The third statement is incorrect because views are not required to define CLI commands for each user. The fourth statement is correct because privilege levels do not provide access control to specific interfaces on a router. The fifth statement is correct because creating a user account with specific command access can be a tedious process. The sixth statement is correct because commands set at a higher privilege level are not available to lower privilege users.

  • 24. 

    24. Which algorithm is used to automatically generate a shared secret for two systems to use in establishing an IPsec VPN?

    • A.

      DES

    • B.

      DH

    • C.

      3DES

    • D.

      ESP

    • E.

      AH

    • F.

      SSL

    Correct Answer
    B. DH
    Explanation
    DH (Diffie-Hellman) algorithm is used to automatically generate a shared secret for two systems to use in establishing an IPsec VPN. DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), ESP (Encapsulating Security Payload), AH (Authentication Header), and SSL (Secure Sockets Layer) are all encryption protocols or algorithms, but they are not specifically used for generating shared secrets in IPsec VPNs.

  • 25. 

    25. What type of security key is generated by the local user software when a user is connecting to a Cisco ASA through a remote-access SSL VPN?

    • A.

      Asymmetric key

    • B.

      Digitally signed private key

    • C.

      Shared-secret key

    • D.

      Digitally signed public key

    Correct Answer
    C. Shared-secret key
    Explanation
    When a user is connecting to a Cisco ASA through a remote-access SSL VPN, the local user software generates a shared-secret key. This key is used for authentication and encryption purposes between the user's device and the Cisco ASA. It is called a shared-secret key because it is shared between the user's software and the ASA, allowing them to establish a secure connection.

  • 26. 

    26. What is one advantage of using a Cisco ASA for remote networking VPN deployment compared to a Cisco ISR?

    • A.

      Support for SSL VPNs

    • B.

      Support for more concurrent user sessions

    • C.

      Support for IPsec VPNs

    • D.

      Support for AAA external authentication

    Correct Answer
    B. Support for more concurrent user sessions
    Explanation
    One advantage of using a Cisco ASA for remote networking VPN deployment compared to a Cisco ISR is its support for more concurrent user sessions. This means that the Cisco ASA can handle a larger number of simultaneous VPN connections, allowing for greater scalability and accommodating more users at the same time. This can be particularly beneficial in scenarios where there is a high demand for VPN access or when the network needs to support a large number of remote users.

  • 27. 

    27. What will be disabled as a result of the no service password-recovery command?

    • A.

      aaa new-model global configuration command

    • B.

      Changes to the configuration register

    • C.

      Ability to access ROMMON

    • D.

      Password encryption service

    Correct Answer
    C. Ability to access ROMMON
    Explanation
    The "no service password-recovery" command disables the ability to access ROMMON. ROMMON (ROM Monitor) is a low-level software that runs on Cisco devices, allowing users to recover passwords or perform other troubleshooting tasks. By disabling this command, users will no longer be able to access ROMMON, limiting their ability to recover passwords or perform any other actions that require ROMMON access.

  • 28. 

    28. In what two phases of the system development life cycle does risk assessment take place? (Choose two.)

    • A.

      Operation and maintenance

    • B.

      Disposition

    • C.

      Implementation

    • D.

      Initiation

    • E.

      Acquisition and development

    Correct Answer(s)
    D. Initiation
    E. Acquisition and development
    Explanation
    Risk assessment takes place in the initiation phase of the system development life cycle to identify potential risks and determine their impact on the project. It also takes place in the acquisition and development phase to assess risks associated with acquiring and developing the system, such as technical risks, resource risks, and schedule risks.

  • 29. 

    29. What is one benefit of implementing a secure email service by using the Cisco Email Security Appliance (ESA)?

    • A.

      ESA provides isolation between processes.

    • B.

      It obtains real-time updates from the Cisco SIO.

    • C.

      It uses the network infrastructure to enforce security policy compliance.

    • D.

      It combines advanced threat defense and secure mobility for email.

    Correct Answer
    B. It obtains real-time updates from the Cisco SIO.
    Explanation
    By implementing a secure email service using the Cisco Email Security Appliance (ESA), one benefit is that it obtains real-time updates from the Cisco SIO. This means that the ESA can stay up to date with the latest information and intelligence about potential threats and vulnerabilities. This allows the ESA to effectively protect against new and emerging threats, ensuring that the email service remains secure and protected.

  • 30. 

    Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router by using the password cisco123. What is a possible cause of the problem?

    • A.

      The Telnet connection between RouterA and RouterB is not working correctly.

    • B.

      The enable password and the Telnet password need to be the same.

    • C.

      The password cisco123 is wrong.

    • D.

      The administrator does not have enough rights on the PC that is being used.

    Correct Answer
    C. The password cisco123 is wrong.
    Explanation
    The possible cause of the problem is that the password cisco123 is wrong. This means that the administrator is using an incorrect password to gain Telnet access to RouterB.

  • 31. 

    31. A network administrator configures the alert generation of an IPS device in such a way that when multiple attack packets that match the same signature are detected, a single alert for the first packet is generated and the remaining duplicate alarms are counted, but not sent, for a specific time period. When the specified time period is reached, an alert is sent that indicates the number of alarms that occurred during the time interval. What kind of alert generation pattern is configured?

    • A.

      Composite alerts

    • B.

      Composite alerts

    • C.

      Summary alerts

    • D.

      Advanced alerts

    Correct Answer
    C. Summary alerts
    Explanation
    The network administrator has configured the alert generation of the IPS device to generate a single alert for the first packet that matches a specific signature. Any subsequent packets that match the same signature are not sent as individual alerts, but are instead counted. After a specified time period, an alert is sent indicating the number of alarms that occurred during that time interval. This configuration is known as "summary alerts," where multiple alarms are summarized and reported as a single alert.

  • 32. 

    32. Which STP port type is permitted to forward traffic, but is not the port closest to the root bridge?

    • A.

      Root port

    • B.

      Designated port

    • C.

      Backup port

    • D.

      Alternate port

    Correct Answer
    B. Designated port
    Explanation
    A designated port is a port on a non-root bridge that is selected to forward traffic towards the root bridge. While the root port is the port on a non-root bridge that is closest to the root bridge and is responsible for forwarding traffic towards it, the designated port is also permitted to forward traffic but may not be the closest port to the root bridge. Therefore, the designated port is the correct answer.

  • 33. 

    Refer to the exhibit. What is the purpose of the ACLs?

    • A.

      To deny inbound IPv6 and SSH traffic unless it originates from within the organization

    • B.

      To allow inbound traffic from only designated sources

    • C.

      To allow SSH connections initiated from the Internet to enter the network

    • D.

      To deny all inbound traffic and log TCP and UDP transmissions

    Correct Answer
    A. To deny inbound IPv6 and SSH traffic unless it originates from within the organization
    Explanation
    The purpose of the ACLs in this scenario is to restrict inbound IPv6 and SSH traffic, allowing it only if it originates from within the organization. This means that any external sources attempting to access the network via IPv6 or SSH will be denied, while internal sources will be allowed. This helps to enhance security by only permitting trusted connections from within the organization.

  • 34. 

    Refer to the exhibit. An administrator is examining the message in a syslog server. What can be determined from the message?

    • A.

      This is a notification message for a normal but significant condition.

    • B.

      This is an alert message for which immediate action is needed.

    • C.

      This is an error message that indicates the system is unusable.

    • D.

      This is an error message for which warning conditions exist.

    Correct Answer
    A. This is a notification message for a normal but significant condition.
    Explanation
    The message in the syslog server indicates a normal but significant condition. It is not an alert message that requires immediate action, nor is it an error message indicating that the system is unusable. Additionally, there is no mention of warning conditions. Therefore, the correct answer is that this is a notification message for a normal but significant condition.

  • 35. 

    35. What is the basic method used by 3DES to encrypt plaintext?

    • A.

      The data is divided into three blocks of equal length for encryption.

    • B.

      The data is encrypted using a key length that is three times longer than the key used for DES.

    • C.

      The data is encrypted three times with three different keys.

    • D.

      The data is encrypted, decrypted, and encrypted using three different keys.

    Correct Answer
    D. The data is encrypted, decrypted, and encrypted using three different keys.
    Explanation
    3DES, also known as Triple Data Encryption Standard, uses the method of encrypting the data, then decrypting it, and finally encrypting it again using three different keys. This process provides a higher level of security compared to regular DES encryption. By applying multiple rounds of encryption and decryption, 3DES enhances the confidentiality and integrity of the data being transmitted or stored.

  • 36. 

    Refer to the exhibit. A network administrator configures AAA authentication on R1. The administrator then tests the configuration by telnetting to R1. The ACS servers are configured and running. What will happen if the authentication fails?

    • A.

      The enable secret password could be used in the next login attempt.

    • B.

      The authentication process stops.

    • C.

      The enable secret password and a random username could be used in the next login attempt.

    • D.

      The username and password of the local user database could be used in the next login attempt.

    Correct Answer
    D. The username and password of the local user database could be used in the next login attempt.
    Explanation
    If the authentication fails, the router will fall back to using the username and password of the local user database for the next login attempt. This means that the router will check its own local user database for a valid username and password combination to authenticate the user. This is the default behavior when AAA authentication fails.

  • 37. 

    37. Which two security features can cause a switch port to become error-disabled? (Choose two.)

    • A.

      Storm control with the trap option

    • B.

      PortFast with BPDU guard enabled

    • C.

      Port security with the shutdown violation mode

    • D.

      Root guard

    • E.

      Protected ports

    Correct Answer(s)
    B. PortFast with BPDU guard enabled
    C. Port security with the shutdown violation mode
    Explanation
    PortFast with BPDU guard enabled can cause a switch port to become error-disabled because it detects the presence of a BPDU (Bridge Protocol Data Unit) on a PortFast enabled port, which indicates the connection of a switch or bridge. This is a security feature that prevents loops in the network.

    Port security with the shutdown violation mode can also cause a switch port to become error-disabled. This feature is used to restrict the number of MAC addresses allowed on a port and if a violation occurs (e.g., when a new MAC address is detected), the port will be shut down to prevent unauthorized access.

  • 38. 

    38. What are three goals of a port scan attack? (Choose three.)

    • A.

      To identify peripheral configurations

    • B.

      To determine potential vulnerabilities

    • C.

      To disable used ports and services

    • D.

      To identify operating systems

    • E.

      To identify active services

    Correct Answer(s)
    B. To determine potential vulnerabilities
    D. To identify operating systems
    E. To identify active services
    Explanation
    A port scan attack aims to achieve three goals. First, it is used to determine potential vulnerabilities in a system by identifying open ports that could be exploited. Second, it helps in identifying the operating system running on the target system, which can provide valuable information for further attacks. Lastly, a port scan is used to identify active services running on the target system, which can help an attacker understand the network infrastructure and potential entry points.

  • 39. 

    39. Which security policy component would contain procedures for handling an issue where someone followed a network administrator into the server room without the administrator noticing and the person removed some storage drives?

    • A.

      Information preservation policy

    • B.

      Security policy

    • C.

      Operations and maintenance document

    • D.

      Security initiation document

    Correct Answer
    B. Security policy
    Explanation
    The correct answer is security policy. A security policy is a document that outlines the guidelines and procedures for ensuring the security of an organization's assets, including physical security. It would contain procedures for handling security incidents such as unauthorized access to the server room and the removal of storage drives. This policy would help establish protocols for preventing and responding to such incidents to protect sensitive information and maintain the integrity of the network.

  • 40. 

    40. What question is answered by the risk analysis component of security policy development?

    • A.

      What is the cost versus benefit analysis of implementing various security technologies?

    • B.

      What are the reliable, well-understood, and recommended security practices that similar organizations currently employ?

    • C.

      What are the current procedures for incident response, monitoring, maintenance, and auditing of the system for compliance?

    • D.

      What are the most likely types of threats given the purpose of the organization?

    Correct Answer
    A. What is the cost versus benefit analysis of implementing various security technologies?
    Explanation
    The risk analysis component of security policy development answers the question of what is the cost versus benefit analysis of implementing various security technologies. This component evaluates the potential risks and threats faced by the organization and assesses the effectiveness and cost-effectiveness of different security technologies in mitigating those risks. It helps in determining the appropriate allocation of resources and investment in security measures based on the potential benefits and costs associated with each technology.

  • 41. 

    41. What are two characteristics of an acceptable use policy? (Choose two.)

    • A.

      It should be as explicit as possible to avoid misunderstanding.

    • B.

      It should specify who is authorized to access network resources.

    • C.

      It should identify how remote users will access the network.

    • D.

      It should identify what network applications and usages are acceptable.

    • E.

      It should enforce minimum password requirements for users.

    • F.

      It should be vague to allow maximum user flexibility.

    Correct Answer(s)
    A. It should be as explicit as possible to avoid misunderstanding.
    D. It should identify what network applications and usages are acceptable.
    Explanation
    An acceptable use policy should be as explicit as possible to avoid any misunderstandings or confusion regarding the rules and guidelines for network usage. This ensures that all users are aware of what is expected of them and what actions are prohibited. Additionally, the policy should clearly identify what network applications and usages are considered acceptable, helping to establish a standard for appropriate use of network resources. By specifying these two characteristics, the policy can effectively guide users in their behavior and protect the integrity and security of the network.

  • 42. 

    Refer to the exhibit. Which pair of crypto isakmp key commands would correctly configure PSK on the two routers?

    • A.

      R1# crypto isakmp key ciscopass address 209.165.200.226 R2# crypto isakmp key secure address 209.165.200.227

    • B.

      R1# crypto isakmp key ciscopass address 209.165.200.227 R2# crypto isakmp key ciscopass address 209.165.200.226

    • C.

      R1# crypto isakmp key ciscopass hostname R1 R2# crypto isakmp key ciscopass hostname R2

    • D.

      R1# crypto isakmp key ciscopass address 209.165.200.226 R2# crypto isakmp key ciscopass address 209.165.200.227

    Correct Answer
    B. R1# crypto isakmp key ciscopass address 209.165.200.227 R2# crypto isakmp key ciscopass address 209.165.200.226
    Explanation
    The correct answer is the pair of commands:

    R1# crypto isakmp key ciscopass address 209.165.200.227
    R2# crypto isakmp key ciscopass address 209.165.200.226

    This is because the "crypto isakmp key" command is used to configure a pre-shared key (PSK) for IPsec VPN authentication. In this case, the PSK is "ciscopass". The first command configures the PSK on R1 with the IP address of R2 (209.165.200.227), and the second command configures the PSK on R2 with the IP address of R1 (209.165.200.226). This ensures that both routers have the correct PSK configured for authentication when establishing an IPsec VPN tunnel.

  • 43. 

    43. What are two features of Cisco Easy VPN Server? (Choose two.)

    • A.

      It requires Cisco routers to act as remote VPN clients.

    • B.

      It enables complete access to the corporate network over an SSL VPN tunnel.

    • C.

      It enables an ASA firewall to act as the VPN head-end device in remote-access VPNs.

    • D.

      It requires remote access to the corporate network via a web browser and SSL.

    • E.

      Cisco Easy VPN Server enables VPN client remote access to a company intranet through creation of secure IPsec tunnels.

    Correct Answer(s)
    C. It enables an ASA firewall to act as the VPN head-end device in remote-access VPNs.
    E. Cisco Easy VPN Server enables VPN client remote access to a company intranet through creation of secure IPsec tunnels.
    Explanation
    The first feature of Cisco Easy VPN Server is that it enables an ASA firewall to act as the VPN head-end device in remote-access VPNs. This means that the ASA firewall can serve as the central point for establishing and managing VPN connections for remote users.

    The second feature is that Cisco Easy VPN Server enables VPN client remote access to a company intranet through the creation of secure IPsec tunnels. This means that remote users can securely access the company's internal network using VPN client software and establish encrypted tunnels for data transmission.

  • 44. 

    Refer to the exhibit. A network administrator is troubleshooting a GRE VPN tunnel between R1 and R2. Assuming the R2 GRE configuration is correct and based on the running configuration of R1, what must the administrator do to fix the problem?

    • A.

      Change the tunnel IP address to 209.165.201.1.

    • B.

      Change the tunnel destination to 192.168.5.1.

    • C.

      Change the tunnel IP address to 192.168.3.1.

    • D.

      Change the tunnel source interface to Fa0/0.

    • E.

      Change the tunnel destination to 209.165.200.225.

    Correct Answer
    E. Change the tunnel destination to 209.165.200.225.
    Explanation
    Based on the running configuration of R1, the tunnel destination is currently set to 192.168.5.1. However, the correct tunnel destination should be 209.165.200.225. Therefore, the network administrator needs to change the tunnel destination to 209.165.200.225 in order to fix the problem with the GRE VPN tunnel between R1 and R2.

  • 45. 

    45. Which spanning-tree enhancement prevents the spanning-tree topology from changing by blocking a port that receives a superior BPDU?

    • A.

      PortFast

    • B.

      BPDU guard

    • C.

      Root guard

    • D.

      BPDU filter

    Correct Answer
    C. Root guard
    Explanation
    Root guard is a spanning-tree enhancement that prevents the spanning-tree topology from changing by blocking a port that receives a superior BPDU. When root guard is enabled on a port, it ensures that the port does not become a root port or an alternate port, even if it receives superior BPDUs. This feature is useful in preventing unauthorized switches from becoming the root bridge and disrupting the network's stability. By blocking the port that receives a superior BPDU, root guard helps maintain the integrity and stability of the spanning-tree topology.

  • 46. 

    46. In deploying an IPS in a corporate network, system operators first create a profile of normal network operation by monitoring network activities in normal network uses. After the profile is incorporated into the IPS triggering mechanism, alarms will be generated when the IPS detects excessive activity that is beyond the scope of the profile. Which signature detection mechanism is deployed?

    • A.

      Pattern-based detection

    • B.

      Policy-based detection

    • C.

      Honey pot-based detection

    • D.

      Anomaly-based detection

    Correct Answer
    D. Anomaly-based detection
    Explanation
    In this scenario, the correct answer is anomaly-based detection. Anomaly-based detection involves creating a profile of normal network behavior by monitoring network activities during typical network usage. This profile is then used by the IPS triggering mechanism to identify any excessive activity that deviates from the normal pattern. When such activity is detected, alarms are generated to alert the system operators. This approach is effective in identifying unknown or new types of attacks that may not have a specific signature or pattern associated with them.

  • 47. 

    47. Why does a worm pose a greater threat than a virus poses?

    • A.

      Worms are not detected by antivirus programs.

    • B.

      Worms run within a host program.

    • C.

      Worms are more network-based than viruses are.

    • D.

      Worms directly attack the network devices.

    Correct Answer
    C. Worms are more network-based than viruses are.
    Explanation
    Worms are more network-based than viruses because they are designed to spread quickly across computer networks, infecting multiple devices and systems. Unlike viruses, which typically require user interaction or the execution of a program to spread, worms can self-replicate and spread automatically without any user intervention. This makes worms a greater threat as they can rapidly infect a large number of devices and cause widespread damage to network infrastructure.

  • 48. 

    48. Which security feature would be commonly implemented as part of a large enterprise wireless policy but would not typically be used in a small office/home office network?

    • A.

      Not broadcasting the SSID

    • B.

      Using WPA2

    • C.

      Not allowing personal wireless devices

    • D.

      Using an authentication server

    Correct Answer
    D. Using an authentication server
    Explanation
    Using an authentication server would be commonly implemented as part of a large enterprise wireless policy but would not typically be used in a small office/home office network. An authentication server is used to centrally manage and control user access to the wireless network, providing a higher level of security and control. In a large enterprise, where there are multiple users and devices accessing the network, it is important to have a centralized authentication mechanism. However, in a small office/home office network, where the number of users and devices is limited, using an authentication server may not be necessary or cost-effective.

  • 49. 

    49. Which two commands are needed on every IPv6 ACL to allow IPv6 neighbor discovery? (Choose two.)

    • A.

      Permit ipv6 any any fragments

    • B.

      Permit icmp any any nd-ns

    • C.

      Permit icmp any any echo-reply

    • D.

      Permit icmp any any nd-na

    • E.

      Permit tcp any any ack

    • F.

      Permit ipv6 any any routing

    Correct Answer(s)
    B. Permit icmp any any nd-ns
    D. Permit icmp any any nd-na
    Explanation
    The correct answer is "permit icmp any any nd-ns" and "permit icmp any any nd-na". These two commands allow ICMP Neighbor Discovery Neighbor Solicitation (nd-ns) and Neighbor Advertisement (nd-na) messages to pass through the IPv6 ACL. Neighbor Discovery is an essential protocol in IPv6 that allows devices to discover and communicate with other devices on the same network. By permitting these ICMP messages, the ACL ensures that neighbor discovery functions properly in the IPv6 network.

  • 50. 

    50. A network technician has been asked to design a virtual private network between two branch routers. Which type of cryptographic key should be used in this scenario?

    • A.

      Asymmetric key

    • B.

      Hash key

    • C.

      Symmetric key

    • D.

      Digital signature

    Correct Answer
    C. Symmetric key
    Explanation
    In this scenario, a symmetric key should be used to design a virtual private network between two branch routers. A symmetric key is a single shared key that is used for both encryption and decryption of data. Since the two routers are within the same network, using a symmetric key will provide a more efficient and faster encryption process compared to asymmetric keys. Asymmetric keys involve a pair of keys, one for encryption and another for decryption, which can be more complex and resource-intensive. Therefore, a symmetric key is the most suitable choice for this scenario.

Quiz Review Timeline

  • Current Version
  • Mar 22, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • Oct 08, 2015
    Quiz Created by
    Pepsisnus