Cisco CCNA Security Test

1. In a security context what does CIA stand for? Select one:

Central Intelligence Agency

Confidentiality, Integrity, Avoidance

Confidentiality, Integrity, Availability

Contextual Internet Availability

The correct answer is: Confidentiality, Integrity, Availabilit

Explanation

The correct answer is: Confidentiality, Integrity, Availabilit

2. What is the term for tricking a user into revealing sensitive or confidential information, including information about user credentials? Select one:

Eavesdropping

Cross-site scripting

Denial of service

Social engineering

The correct answer is: Social engineering

Explanation

The correct answer is: Social engineering

3. Which one of the following follows best practices for a secure password? Select one:

AbC123!

SlE3peR1#

Tough-passfraze

NterEstIng-PaSsW0Rd

The correct answer is: SlE3peR1#

Explanation

The correct answer is: SlE3peR1#

4. Which type of VPN technology is likely to be used in a site-to-site VPN? Select one:

SSL

TLS

HTTPS

IPsec

The correct answer is: IPsec

Explanation

The correct answer is: IPsec

5. Which device can analyze network traffic in real time, generate alerts, and even prevent the first malicious packet from entering the network? Select one:

IPS

CSM

IDS

CCP

The correct answer is: IPS

Explanation

The correct answer is: IPS

6. Which method should you implement when it is not acceptable for an attack to reach its intended victim? Select one:

IDS

IPS

Out of band

Hardware appliance

The correct answer is: IPS

Explanation

The correct answer is: IPS

7. Review the following code snippet: aaa new-model aaa authentication login default group tacacs+ enable tacacs-server host 192.168.1.20 tacacs-server key T@C@c$P@ssW0rd! What is the password the TACACS server must use to establish a valid connection to the router? Select one:

Not enough information is provided.

The password is - T@C@c$P@ssW0rd!

No password is required with TACACS

The password is configured using the username command and is not shown in this configuration.

The correct answer is: The password is - T@C@c$P@ssW0rd!

Explanation

The correct answer is: The password is - T@C@c$P@ssW0rd!

8. Which VPN component ensures that data cannot be read while in transit?Select one:

Key exchange

Authentication

Encryption

Data integrity

The correct answer is: encryption

Explanation

The correct answer is: encryption

9. Which of the following IP addresses are considered private? Choose all correct answers. Select one or more:

10.10.30.1

203.193.193.222

172.32.254.1

192.167.23.11

The correct answer is: 10.10.30.1

Explanation

The correct answer is: 10.10.30.1

10. Why is the public key in a typical public-private key pair referred to as public? Select one:

Because the public already has it.

Because it is shared publicly.

Because it is a well-known algorithm that is published.

The last name of the creator was publica, which is Latin for public.

The correct answer is: Because it is shared publicly.

Explanation

The correct answer is: Because it is shared publicly.

11. Which plane is used to access, configure and manage a router? Select one:

Data plane

Network plane

Management plane

Control plane

The correct answer is: Management plane

Explanation

The correct answer is: Management plane

12. What element in a VPN provides the Privacy? Select one:

Data integrity

Confidentiality

Antireplay

Authentication

The correct answer is: Confidentiality

Explanation

The correct answer is: Confidentiality

13. What term refers to the internal IP address of a client using NAT as seen from other devices on the same internal network as the client? Select one:

Inside local

Inside global

Outside local

Outside global

The correct answer is: Inside local

Explanation

The correct answer is: Inside local

14. Why is it that the return traffic, from previously inspected sessions, is allowed back to the user, in spite of not having a zone pair explicitly configured that matches on the return traffic? Select one:

Stateful entries (from the initial flow) are matched, which dynamically allows return traffic.

Return traffic is not allowed because it is a firewall.

Explicit ACL rules need to be placed on the return path to allow the return traffic.

A zone pair in the opposite direction of the initial zone pair

The correct answer is: Stateful entries (from the initial flow) are matched, which dynamically allows return traffic.

Explanation

The correct answer is: Stateful entries (from the initial flow) are matched, which dynamically allows return traffic.

15. Which of the following is NOT considered best security practice when hardening Cisco IOS devices? Select one:

Use SSH only for remote management

Use SNMP v1 for management

Shutdown unused ports

Disable CDP

The correct answer is: Use SNMP v1 for management

Explanation

The correct answer is: Use SNMP v1 for management

16. Which of the following answers describes CBAC? Select one:

A feature of firewall software which intelligently filters TCP and UDP packets based on application layer protocol session information.

A feature of router software that detects abnormal traffic patterns.

A feature of router software that controls authentication processes on the local router.

A feature of router software that blocks traffic based on specific patterns of behavior.

The correct answer is: A feature of firewall software which intelligently filters TCP and UDP packets based on application layer protocol session information.

Explanation

The correct answer is: A feature of firewall software which intelligently filters TCP and UDP packets based on application layer protocol session information.

17. Which item represents the standard IP ACL? Select one:

Access-list 50 deny 192.168.1.1 0.0.0.255

Access-list 110 permit ip any any

Access-list 2500 deny tcp any host 192.168.1.1 eq 22

Access-list 101 deny tcp any host 192.168.1.1

The correct answer is: access-list 50 deny 192.168.1.1 0.0.0.255

Explanation

The correct answer is: access-list 50 deny 192.168.1.1 0.0.0.255

18. Which of the following is enabled when RSA keys are generated? Select one:

The password encryptions service

Telnet access with the password "password

SSL

SSH

The correct answer is: SSH

Explanation

The correct answer is: SSH

19. What would be the end result if the management plane of your router was compromised? Select one:

SNMP traps would not be received by the syslog server.

All management access to the router would be lost.

Packets would be dropped at increasing rates until the memory buffers overflowed.

CPU cycles would be wasted.

The correct answer is: All management access to the router would be lost.

Explanation

The correct answer is: All management access to the router would be lost.

20. Review the following code snippet and answer the statement at the bottom: line aux 0 transport input none transport output none no exec exec-timeout 0 1 no password This code will result in the console port being disabled. Select one:

True

False

This code will disabled the AUX port not the console port
The correct answer is 'False'.

Explanation

This code will disabled the AUX port not the console port
The correct answer is 'False'.

21. What happens when an access list has 100 lines and a match occurs on line 14? Select one:

Lines 15 through 100 are parsed as a group object.

The ACL acts on the packet, and no further list processing is done for that packet.

There cannot be a line 14 because the only lines permitted start with 10 and increment by 10.

The correct answer is: The ACL acts on the packet, and no further list processing is done for that packet.

Explanation

The correct answer is: The ACL acts on the packet, and no further list processing is done for that packet.

22. Consider the following code and answer the question below: ip access-list extended no_webdeny host 172.20.3.85 any eq httpdeny host 172.20.3.13 any eq httppermit 172.20.0.0 0.0.255.255 any eq http How would you modify the bolded code to deny all hosts on the subnet 172.20.4.0 from accessing via secure web? Select one:

Deny 172.20.4.0 0.0.0.255 any eq http

Deny 172.20.4.0 0.0.0.255 any eq secure

Deny 172.20.4.0 0.0.0.255 any eq https

Deny 172.20.4.0 0.0.0.255 any eq ssh

The correct answer is: deny 172.20.4.0 0.0.0.255 any eq https

Explanation

The correct answer is: deny 172.20.4.0 0.0.0.255 any eq https

23. Which method of IPS uses a baseline of normal network behaviour and looks for deviations from that baseline? Select one:

Reputation-based IPS

Policy-based IPS

Signature-based IPS

Anomaly-based IPS

The correct answer is: Anomaly-based IPS

Explanation

The correct answer is: Anomaly-based IPS

24. Which of the following is not a best practice to protect the management plane? (Choose all that apply.) Select one or more:

HTTP

Telnet

HTTPS

SSH

The correct answer is: HTTP, Telnet

Explanation

The correct answer is: HTTP, Telnet

Submit

25. Consider the following code and answer the question below: interface ethernet 0ip access-group no_web outip access-list extended no_webdeny host 172.20.3.85 any eq httpdeny host 172.20.3.13 any eq httppermit 172.20.0.0 0.0.255.255 any eq http In what direction is the access-list applied? Select one:

Inbound on ethernet 0

Outbound on ethernet 0

Outbound on ethernet 1

Direction is not specified

The correct answer is: Outbound on ethernet 0

Explanation

The correct answer is: Outbound on ethernet 0

26. Which one of the following wildcard masks will match exactly all hosts on the 172.16.0.0/24 and 172.16.1.0/24 subnets? Select one:

0.0.0.255

0.0.3.255

0.0.1.255

0.0.16.255

The correct answer is: 0.0.1.255

Explanation

The correct answer is: 0.0.1.255

27. Which statement about access lists that are applied to an interface is true? Select one:

You can apply only one access list on any interface

You can configure one access list, per direction, per layer 3 protocol

You can place as many access lists as you want on any interface

You can configure one access list, per direction, per layer 2 protocol

The correct answer is: you can configure one access list, per direction, per layer 3 protocol

Explanation

The correct answer is: you can configure one access list, per direction, per layer 3 protocol

28. If interface number 1 is in zone A, and interface number 2 is in zone B, and there is no policy or service commands applied yet to the configuration, what is the status of transit traffic that is being routed between these two interfaces? Select one:

Denied

Permitted

Inspected

Logged

The correct answer is: Denied

Explanation

The correct answer is: Denied

29. What is the default policy between an administratively created zone and the self zone? Select one:

Deny

Permit

Inspect

Log

The correct answer is: Permit

Explanation

The correct answer is: Permit

30. How does IPS have the ability to prevent an ICMP-based attack from reaching the intended victim? Select one:

Policy-based routing

TCP resets are used.

The IPS is inline with the traffic.

The IPS is in promiscuous mode

The correct answer is: The IPS is inline with the traffic.

Explanation

The correct answer is: The IPS is inline with the traffic.

31. You want to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the internet. Which ACL can be used? Select one:

Reflexive

Extended

Standard

Dynamic

The correct answer is: dynamic

Explanation

The correct answer is: dynamic

32. What is the first step you should take when trying to secure your network? Select one:

Install a firewall

Install an IPS

Update servers and PCs with the latest patches & AV signatures

Develop a security policy

The correct answer is: Develop a security policy

Explanation

The correct answer is: Develop a security policy

33. Which two places are valid logging destinations?Select one:

Syslog Server, NVRAM

Syslog Server, FTP Server

NVRAM, FTP Server

Secure Web Server, FTP Server

The correct answer is: Syslog Server, NVRAM

Explanation

The correct answer is: Syslog Server, NVRAM

34. Because of how a router operates, which IPS/IDS mode does it operate in? Select one:

Promiscuous

Out-of-band

IPS

IDS

The correct answer is: IPS

Explanation

The correct answer is: IPS

35. Which of the following are defense-in-depth approaches? (Choose all that apply.) Select one or more:

Performing filtering at the router and the firewall

Requiring authentication for the administrator to connect

Don't use proxy

The correct answer is: Performing filtering at the router and the firewall, Requiring authentication for the administrator to connect

Explanation

The correct answer is: Performing filtering at the router and the firewall, Requiring authentication for the administrator to connect

Submit

36. Which technology dynamically builds a table for the purpose of permitting the return traffic from an outside server, back to the client, in spite of a default security policy that says no traffic is allowed to initiate from the outside networks? Select one:

Proxy

NAT

Packet filtering

Stateful filtering

The correct answer is: Stateful filtering

Explanation

The correct answer is: Stateful filtering

37. How is the negotiation of the IPsec (IKE Phase 2) tunnel done securely? Select one:

Uses the IKE Phase 1 tunnel

Uses the IPsec tunnel

Uses the IKE Phase 2 tunnel

Uses RSA

The correct answer is: Uses the IKE Phase 1 tunnel

Explanation

The correct answer is: Uses the IKE Phase 1 tunnel

38. What is another name for Lock & Key access lists? Select one:

Dynamic Access List

Standard Access List

Reflexive Access List

Time-Based Access List

The correct answer is: Dynamic Access List

Explanation

The correct answer is: Dynamic Access List

39. What type of access list allows IP packets to be filtered based on upper-layer session information? Select one:

Standard

Extended

Reflexive

Dynamic

The correct answer is: Reflexive

Explanation

The correct answer is: Reflexive

40. Which option will disable the Daytime service on a Cisco router? Select one:

R1>no service daytime

R1(config)#no service udp-small-servers

R1(config)#no service daytime

R1(config)#no service tcp-small-servers

The correct answer is: R1(config)#no service tcp-small-servers

Explanation

The correct answer is: R1(config)#no service tcp-small-servers

41. Why is it considered a best practice to avoid compiling, enabling, and running all available signatures? (Choose all that apply.) Select one or more:

CPU utilization

Memory utilization

The size of NVRAM

Not a best practice

The correct answer is: CPU utilization, Memory utilization

Explanation

The correct answer is: CPU utilization, Memory utilization

Submit

42. What algorithms in a VPN provide the confidentiality? (Choose all that apply.) Select one or more:

MD5

SHA-1

AES

3DES

The correct answer is: AES, 3DES

Explanation

The correct answer is: AES, 3DES

Submit

43. Which of the following would cause a VPN tunnel using IPsec to never initialize or work correctly? (Choose all that apply.) Select one or more:

Incompatible IKE Phase 2 transform sets

Incorrect pre-shared keys or missing digital certificates

Incorrect dns

Incorrect routing

The correct answer is: Incompatible IKE Phase 2 transform sets, Incorrect pre-shared keys or missing digital certificates, Incorrect routing

Explanation

The correct answer is: Incompatible IKE Phase 2 transform sets, Incorrect pre-shared keys or missing digital certificates, Incorrect routing

Submit

44. Which of the following is NOT a core security principle?

Confidentiality

Integrity

Availability

Obscurity

The three core security principles are confidentiality, integrity, and availability (often referred to as the CIA triad). Confidentiality ensures that information is accessible only to authorized individuals. Integrity ensures that information remains accurate and unaltered. Availability ensures that information and resources are accessible to authorized users when needed. Obscurity, while sometimes considered a security measure, is not a core principle and can create a false sense of security.

Explanation

The three core security principles are confidentiality, integrity, and availability (often referred to as the CIA triad). Confidentiality ensures that information is accessible only to authorized individuals. Integrity ensures that information remains accurate and unaltered. Availability ensures that information and resources are accessible to authorized users when needed. Obscurity, while sometimes considered a security measure, is not a core principle and can create a false sense of security.

45. How is it possible that a packet with a private Layer 3 destination address is forwarded over the Internet? Select one:

It is encapsulated into another packet, and the Internet only sees the outside valid IP destination address.

It cannot be sent. It will always be dropped.

The Internet does not filter private addresses, only some public addresses, based on policy.

NAT is used to change the destination IP address before the packet is sent.

The correct answer is: The Internet does not filter private addresses, only some public addresses, based on policy.

Explanation

The correct answer is: The Internet does not filter private addresses, only some public addresses, based on policy.

46. A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 172.17.146.0, 172.17.147.0, 172.17.148.0, and 172.17.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two)

Access-list 10 permit ip 172.17.146.0 0.0.1.255

Access-list 10 permit ip 172.17.147.0 0.0.255.255

Access-list 10 permit ip 172.17.148.0 0.0.1.255

Access-list 10 permit ip 172.17.149.0 0.0.255.255

Access-list 10 permit ip 172.17.146.0 0.0.0.255

Access-list 10 permit ip 172.17.146.0 255.255.255.0

To accomplish the task of allowing traffic from hosts on networks 172.17.146.0, 172.17.147.0, 172.17.148.0, and 172.17.149.0 only, we need to use two ACL statements that cover all these networks while denying all other traffic.

The correct ACL statements to accomplish this task are:

access-list 10 permit ip 172.17.146.0 0.0.1.255

This statement permits traffic from the network 172.17.146.0 with a wildcard mask of 0.0.1.255, covering both the 172.17.146.0 and 172.17.147.0 networks.

access-list 10 permit ip 172.17.148.0 0.0.1.255

This statement permits traffic from the network 172.17.148.0 with a wildcard mask of 0.0.1.255, covering both the 172.17.148.0 and 172.17.149.0 networks.

Combining these two ACL statements will allow traffic from all specified networks while denying traffic from any other networks. Therefore, the correct options are:

access-list 10 permit ip 172.17.146.0 0.0.1.255

access-list 10 permit ip 172.17.148.0 0.0.1.255

Explanation

To accomplish the task of allowing traffic from hosts on networks 172.17.146.0, 172.17.147.0, 172.17.148.0, and 172.17.149.0 only, we need to use two ACL statements that cover all these networks while denying all other traffic.

The correct ACL statements to accomplish this task are:

access-list 10 permit ip 172.17.146.0 0.0.1.255

This statement permits traffic from the network 172.17.146.0 with a wildcard mask of 0.0.1.255, covering both the 172.17.146.0 and 172.17.147.0 networks.

access-list 10 permit ip 172.17.148.0 0.0.1.255

This statement permits traffic from the network 172.17.148.0 with a wildcard mask of 0.0.1.255, covering both the 172.17.148.0 and 172.17.149.0 networks.

Combining these two ACL statements will allow traffic from all specified networks while denying traffic from any other networks. Therefore, the correct options are:

access-list 10 permit ip 172.17.146.0 0.0.1.255

access-list 10 permit ip 172.17.148.0 0.0.1.255

Submit

47. Which of the following are examples of tuning a signature? (Choose all that apply.) Select one or more:

Changing the default severity level

Changing password by own

Disabling it if it was enabled by default

Changing the default action

The correct answer is: Changing the default severity level, Disabling it if it was enabled by default, Changing the default action

Explanation

The correct answer is: Changing the default severity level, Disabling it if it was enabled by default, Changing the default action

Submit

48. How can you implement role-based access control (RBAC)? (Choose all that apply.) Select one or more:

Provide the password for a custom privilege level to users in a given role

Associate user accounts with specific views

Use access lists to specify which devices can connect remotely

Use AAA to authorize specific users for specific sets of permissions

The correct answer is: Provide the password for a custom privilege level to users in a given role, Associate user accounts with specific views,

Use AAA to authorize specific users for specific sets of permissions

Explanation

The correct answer is: Provide the password for a custom privilege level to users in a given role, Associate user accounts with specific views,

Use AAA to authorize specific users for specific sets of permissions

Submit

49. Which of the following are negotiated during IKE Phase 1? (Choose all that apply.) Select one or more:

Hashing

DH group

Hex Encryption

Authentication method

The correct answer is: Hashing, DH group, Authentication method

Explanation

The correct answer is: Hashing, DH group, Authentication method

Submit

50. If you're using an extended ACL to block traffic to a server located on the remote side of your WAN, where should you place the ACL? Choose the two best answers. Select one or more:

Remote side of the WAN

As close to the source as possible

On the local side of the WAN

As close to the destination as possible

The correct answer is: As close to the source as possible, On the local side of the WAN

Explanation

The correct answer is: As close to the source as possible, On the local side of the WAN

Submit

CISCO CCNA Security Test