CCNA Security Final Exam Quiz

81 Questions | Total Attempts: 512


Security is quite possibly the most important thing to know about when studying networking: it is vital for any network that passes information and data from one location to another, so that the data reaches its destination untouched by any outside source. What can you tell us about it in this final exam?


Questions and Answers
  • 1. 
    2. With the Cisco AnyConnect VPN wizard, which two protocols can be used for tunnel group configuration? (Choose two.)
    • A. 

      MPLS

    • B. 

      SSH

    • C. 

      PPTP

    • D. 

      ESP

    • E. 

      IPsec

  • 2. 
    6. When configuring router security, which statement describes the most effective way to use ACLs to control Telnet traffic that is destined to the router itself?
    • A. 

      Apply the ACL to the vty lines without the in or out option required when applying ACLs to interfaces.

    • B. 

      The ACL is applied to the Telnet port with the ip access-group command.

    • C. 

      The ACL must be applied to each vty line individually.

    • D. 

      The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.

  • 3. 
    Refer to the exhibit. Which interface configuration completes the classic firewall configuration on the firewall?
    • A. 

      FW(config)# interface g0/1
      FW(config-if)# ip inspect OUTBOUND in
      FW(config-if)# ip access-group INSIDE out

    • B. 

      FW(config)# interface g0/1
      FW(config-if)# ip inspect OUTBOUND in
      FW(config-if)# ip access-group INSIDE in

    • C. 

      FW(config)# interface g0/0
      FW(config-if)# ip inspect OUTBOUND in
      FW(config-if)# ip access-group INSIDE in

    • D. 

      FW(config)# interface g0/0
      FW(config-if)# ip inspect INSIDE in
      FW(config-if)# ip access-group OUTBOUND in

  • 4. 
    9. What is an advantage of using SSL VPNs compared to IPsec VPNs on an ASA?
    • A. 

      SSL VPNs provide support for more applications.

    • B. 

      SSL VPNs do not require any pre-installed client software.

    • C. 

      SSL VPNs provide superior authentication.

    • D. 

      SSL VPNs provide stronger encryption as a remote-access solution.

  • 5. 
    3. What are two disadvantages of using network IPS? (Choose two.)
    • A. 

      Network IPS is operating system-dependent and must be customized for each platform.

    • B. 

      Network IPS is incapable of examining encrypted traffic.

    • C. 

      Network IPS is unable to provide a clear indication of the extent to which the network is being attacked.

    • D. 

      Network IPS sensors are difficult to deploy when new networks are added.

    • E. 

      Network IPS has a difficult time reconstructing fragmented traffic to determine if an attack was successful.

  • 6. 
    19. Why have corporations been shifting remote access security policies to include support for ASA SSL VPNs?
    • A. 

      To have stronger encryption options

    • B. 

      To support secure access for users on a multitude of devices

    • C. 

      To have stronger authentication options

    • D. 

      To provide stronger overall security

  • 7. 
    11. What is a type of SSL VPN that provides access to a network without requiring VPN software or a Java applet on the client?
    • A. 

      Clientless mode

    • B. 

      Cisco VPN client mode

    • C. 

      Full client mode

    • D. 

      Thin client mode

  • 8. 
    1. Which statement is true about the One-Step lockdown feature of the CCP Security Audit wizard?
    • A. 

      It sets an access class ACL on VTY lines.

    • B. 

      It enables TCP intercepts.

    • C. 

      It provides an option for configuring SNMPv3 on all routers.

    • D. 

      It enables the Secure Copy Protocol (SCP).

    • E. 

      It supports AAA configuration.

  • 9. 
    13. What is the main difference between the implementation of IDS and IPS devices?
    • A. 

      An IDS uses signature-based technology to detect malicious packets, whereas an IPS uses profile-based technology.

    • B. 

      An IDS would allow malicious traffic to pass before it is addressed, whereas an IPS stops it immediately.

    • C. 

      An IDS can negatively impact the packet flow, whereas an IPS cannot.

    • D. 

      An IDS needs to be deployed together with a firewall device, whereas an IPS can replace a firewall.

  • 10. 
    18. What is the best way to prevent a VLAN hopping attack?
    • A. 

      Use ISL encapsulation on all trunk links.

    • B. 

      Disable STP on all nontrunk ports.

    • C. 

      Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.

    • D. 

      Use VLAN 1 as the native VLAN on trunk ports.

  • 11. 
    16. Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model?
    • A. 

      A packet-filtering firewall typically can filter up to the transport layer, whereas a stateful firewall can filter up to the session layer.

    • B. 

      Both stateful and packet-filtering firewalls can filter at the application layer.

    • C. 

      A packet-filtering firewall uses session layer information to track the state of a connection, whereas a stateful firewall uses application layer information to track the state of a connection.

    • D. 

      A stateful firewall can filter application layer information, whereas a packet-filtering firewall cannot filter beyond the network layer.

  • 12. 
    27. What will be disabled as a result of the no service password-recovery command?
    • A. 

      aaa new-model global configuration command

    • B. 

      Changes to the configuration register

    • C. 

      Ability to access ROMMON

    • D. 

      Password encryption service

  • 13. 
    49. Which two commands are needed on every IPv6 ACL to allow IPv6 neighbor discovery? (Choose two.)
    • A. 

      permit ipv6 any any fragments

    • B. 

      permit icmp any any nd-ns

    • C. 

      permit icmp any any echo-reply

    • D. 

      permit icmp any any nd-na

    • E. 

      permit tcp any any ack

    • F. 

      permit ipv6 any any routing

  • 14. 
    29. What is one benefit of implementing a secure email service by using the Cisco Email Security Appliance (ESA)?
    • A. 

      ESA provides isolation between processes.

    • B. 

      It obtains real-time updates from the Cisco SIO.

    • C. 

      It uses the network infrastructure to enforce security policy compliance.

    • D. 

      It combines advanced threat defense and secure mobility for email.

  • 15. 
    Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router by using the password cisco123. What is a possible cause of the problem?
    • A. 

      The Telnet connection between RouterA and RouterB is not working correctly.

    • B. 

      The enable password and the Telnet password need to be the same.

    • C. 

      The password cisco123 is wrong.

    • D. 

      The administrator does not have enough rights on the PC that is being used.

  • 16. 
    23. Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
    • A. 

      The root user must be assigned to each privilege level that is defined.

    • B. 

      It is required that all 16 privilege levels be defined, whether they are used or not.

    • C. 

      Views are required to define the CLI commands that each user can access.

    • D. 

      There is no access control to specific interfaces on a router.

    • E. 

      Creating a user account that needs access to most but not all commands can be a tedious process.

    • F. 

      Commands set on a higher privilege level are not available for lower privilege users.

  • 17. 
    31. A network administrator configures the alert generation of an IPS device in such a way that when multiple attack packets that match the same signature are detected, a single alert for the first packet is generated and the remaining duplicate alarms are counted, but not sent, for a specific time period. When the specified time period is reached, an alert is sent that indicates the number of alarms that occurred during the time interval. What kind of alert generation pattern is configured?
    • A. 

      Composite alerts

    • B. 

      Composite alerts

    • C. 

      Summary alerts

    • D. 

      Advanced alerts

  • 18. 
    35. What is the basic method used by 3DES to encrypt plaintext?
    • A. 

      The data is divided into three blocks of equal length for encryption.

    • B. 

      The data is encrypted using a key length that is three times longer than the key used for DES.

    • C. 

      The data is encrypted three times with three different keys.

    • D. 

      The data is encrypted, decrypted, and encrypted using three different keys.

  • 19. 
    37. Which two security features can cause a switch port to become error-disabled? (Choose two.)
    • A. 

      Storm control with the trap option

    • B. 

      PortFast with BPDU guard enabled

    • C. 

      Port security with the shutdown violation mode

    • D. 

      Root guard

    • E. 

      Protected ports

  • 20. 
    24. Which algorithm is used to automatically generate a shared secret for two systems to use in establishing an IPsec VPN?
    • A. 

      DES

    • B. 

      DH

    • C. 

      3DES

    • D. 

      ESP

    • E. 

      AH

    • F. 

      SSL

  • 21. 
    54. Which statement accurately describes Cisco IOS zone-based policy firewall operation?
    • A. 

      Router management interfaces must be manually assigned to the self zone.

    • B. 

      A router interface can belong to multiple zones.

    • C. 

      The pass action works in only one direction.

    • D. 

      Service policies are applied in interface configuration mode.

  • 22. 
    48. Which security feature would be commonly implemented as part of a large enterprise wireless policy but would not typically be used in a small office/home office network?
    • A. 

      Not broadcasting the SSID

    • B. 

      Using WPA2

    • C. 

      Not allowing personal wireless devices

    • D. 

      Using an authentication server

  • 23. 
    26. What is one advantage of using a Cisco ASA for remote networking VPN deployment compared to a Cisco ISR?
    • A. 

      Support for SSL VPNs

    • B. 

      Support for more concurrent user sessions

    • C. 

      Support for IPsec VPNs

    • D. 

      Support for AAA external authentication

  • 24. 
    28. In what two phases of the system development life cycle does risk assessment take place? (Choose two.)
    • A. 

      Operation and maintenance

    • B. 

      Disposition

    • C. 

      Implementation

    • D. 

      Initiation

    • E. 

      Acquisition and development

  • 25. 
    32. Which STP port type is permitted to forward traffic, but is not the port closest to the root bridge?
    • A. 

      Root port

    • B. 

      Designated port

    • C. 

      Backup port

    • D. 

      Alternate port
