CISCO CCNA Security Test

Approved & Edited by ProProfs Editorial Team
The editorial team at ProProfs Quizzes consists of a select group of subject experts, trivia writers, and quiz masters who have authored over 10,000 quizzes taken by more than 100 million users. This team includes our in-house seasoned quiz moderators and subject matter experts. Our editorial experts, spread across the world, are rigorously trained using our comprehensive guidelines to ensure that you receive the highest quality quizzes.
Learn about Our Editorial Process
| By Achmad Sagaf
A
Achmad Sagaf
Community Contributor
Quizzes Created: 3 | Total Attempts: 18,585
Questions: 50 | Attempts: 2,564

SettingsSettingsSettings
CISCO CCNA Security Test - Quiz

.


Questions and Answers
  • 1. 

    Which VPN component ensures that data cannot be read while in transit?Select one:

    • A.

      Key exchange

    • B.

      Authentication

    • C.

      Encryption

    • D.

      Data integrity

    Correct Answer
    C. Encryption
    Explanation
    The correct answer is: encryption

    Rate this question:

  • 2. 

    Which two places are valid logging destinations?Select one:

    • A.

      Syslog Server, NVRAM

    • B.

      Syslog Server, FTP Server

    • C.

      NVRAM, FTP Server

    • D.

      Secure Web Server, FTP Server

    Correct Answer
    A. Syslog Server, NVRAM
    Explanation
    The correct answer is: Syslog Server, NVRAM

    Rate this question:

  • 3. 

    Review the following code snippet:      aaa new-model      aaa authentication login default group tacacs+ enable      tacacs-server host 192.168.1.20      tacacs-server key T@C@c$P@ssW0rd!What is the password the TACACS server must use to establish a valid connection to the router?Select one:

    • A.

      Not enough information is provided.

    • B.

      The password is - T@C@c$P@ssW0rd!

    • C.

      No password is required with TACACS

    • D.

      The password is configured using the username command and is not shown in this configuration.

    Correct Answer
    B. The password is - T@C@c$P@ssW0rd!
    Explanation
    The correct answer is: The password is - T@C@c$P@ssW0rd!

    Rate this question:

  • 4. 

    Which plane is used to access, configure and manage a router?Select one:

    • A.

      Data plane

    • B.

      Network plane

    • C.

      Management plane

    • D.

      Control plane

    Correct Answer
    C. Management plane
    Explanation
    The correct answer is: Management plane

    Rate this question:

  • 5. 

    Which option will disable the Daytime service on a Cisco router?Select one:

    • A.

      R1>no service daytime

    • B.

      R1(config)#no service udp-small-servers

    • C.

      R1(config)#no service daytime

    • D.

      R1(config)#no service tcp-small-servers

    Correct Answer
    D. R1(config)#no service tcp-small-servers
    Explanation
    The correct answer is: R1(config)#no service tcp-small-servers

    Rate this question:

  • 6. 

    Which of the following IP addresses are considered private?  Choose all correct answers.Select one or more:

    • A.

      10.10.30.1

    • B.

      203.193.193.222

    • C.

      172.32.254.1

    • D.

      192.167.23.11

    Correct Answer
    A. 10.10.30.1
    Explanation
    The correct answer is: 10.10.30.1

    Rate this question:

  • 7. 

    Which of the following is NOT considered best security practice when hardening Cisco IOS devices?Select one:

    • A.

      Use SSH only for remote management

    • B.

      Use SNMP v1 for management

    • C.

      Shutdown unused ports

    • D.

      Disable CDP

    Correct Answer
    B. Use SNMP v1 for management
    Explanation
    The correct answer is: Use SNMP v1 for management

    Rate this question:

  • 8. 

    In a security context what does CIA stand for?Select one:

    • A.

      Central Intelligence Agency

    • B.

      Confidentiality, Integrity, Avoidance

    • C.

      Confidentiality, Integrity, Availability

    • D.

      Contextual Internet Availability

    Correct Answer
    C. Confidentiality, Integrity, Availability
    Explanation
    The correct answer is: Confidentiality, Integrity, Availabilit

    Rate this question:

  • 9. 

    What would be the end result if the management plane of your router was compromised?Select one:

    • A.

      SNMP traps would not be received by the syslog server.

    • B.

      All management access to the router would be lost.

    • C.

      Packets would be dropped at increasing rates until the memory buffers overflowed.

    • D.

      CPU cycles would be wasted.

    Correct Answer
    B. All management access to the router would be lost.
    Explanation
    The correct answer is: All management access to the router would be lost.

    Rate this question:

  • 10. 

    Review the following code snippet and answer the statement at the bottom:            line aux 0             transport input none             transport output none             no exec            exec-timeout 0 1            no passwordThis code will result in the console port being disabled.Select one:

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    This code will disabled the AUX port not the console port
    The correct answer is 'False'.

    Rate this question:

  • 11. 

    Consider the following code and answer the question below:interface ethernet 0ip access-group no_web outip access-list extended no_webdeny host 172.20.3.85 any eq httpdeny host 172.20.3.13 any eq httppermit 172.20.0.0 0.0.255.255 any eq httpIn what direction is the access-list applied?Select one:

    • A.

      Inbound on ethernet 0

    • B.

      Outbound on ethernet 0

    • C.

      Outbound on ethernet 1

    • D.

      Direction is not specified

    Correct Answer
    B. Outbound on ethernet 0
    Explanation
    The correct answer is: Outbound on ethernet 0

    Rate this question:

  • 12. 

    Consider the following code and answer the question below:ip access-list extended no_webdeny host 172.20.3.85 any eq httpdeny host 172.20.3.13 any eq httppermit 172.20.0.0 0.0.255.255 any eq httpHow would you modify the bolded code to deny all hosts on the subnet 172.20.4.0 from accessing via secure web?Select one:

    • A.

      Deny 172.20.4.0 0.0.0.255 any eq http

    • B.

      Deny 172.20.4.0 0.0.0.255 any eq secure

    • C.

      Deny 172.20.4.0 0.0.0.255 any eq https

    • D.

      Deny 172.20.4.0 0.0.0.255 any eq ssh

    Correct Answer
    C. Deny 172.20.4.0 0.0.0.255 any eq https
    Explanation
    The correct answer is: deny 172.20.4.0 0.0.0.255 any eq https

    Rate this question:

  • 13. 

    Which one of the following wildcard masks will match exactly all hosts on the 172.16.0.0/24 and 172.16.1.0/24 subnets?Select one:

    • A.

      0.0.0.255

    • B.

      0.0.3.255

    • C.

      0.0.1.255

    • D.

      0.0.16.255

    Correct Answer
    C. 0.0.1.255
    Explanation
    The correct answer is: 0.0.1.255

    Rate this question:

  • 14. 

    What type of access list allows IP packets to be filtered based on upper-layer session information?Select one:

    • A.

      Standard

    • B.

      Extended

    • C.

      Reflexive

    • D.

      Dynamic

    Correct Answer
    C. Reflexive
    Explanation
    The correct answer is: Reflexive

    Rate this question:

  • 15. 

    What is another name for Lock & Key access lists?Select one:

    • A.

      Dynamic Access List

    • B.

      Standard Access List

    • C.

      Reflexive Access List

    • D.

      Time-Based Access List

    Correct Answer
    A. Dynamic Access List
    Explanation
    The correct answer is: Dynamic Access List

    Rate this question:

  • 16. 

    Which of the following answers describes CBAC?Select one:

    • A.

      A feature of firewall software which intelligently filters TCP and UDP packets based on application layer protocol session information.

    • B.

      A feature of router software that detects abnormal traffic patterns.

    • C.

      A feature of router software that controls authentication processes on the local router.

    • D.

      A feature of router software that blocks traffic based on specific patterns of behavior.

    Correct Answer
    A. A feature of firewall software which intelligently filters TCP and UDP packets based on application layer protocol session information.
    Explanation
    The correct answer is: A feature of firewall software which intelligently filters TCP and UDP packets based on application layer protocol session information.

    Rate this question:

  • 17. 

    Which item represents the standard IP ACL?Select one:

    • A.

      Access-list 50 deny 192.168.1.1 0.0.0.255

    • B.

      Access-list 110 permit ip any any

    • C.

      Access-list 2500 deny tcp any host 192.168.1.1 eq 22

    • D.

      Access-list 101 deny tcp any host 192.168.1.1

    Correct Answer
    A. Access-list 50 deny 192.168.1.1 0.0.0.255
    Explanation
    The correct answer is: access-list 50 deny 192.168.1.1 0.0.0.255

    Rate this question:

  • 18. 

    A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 172.17.146.0, 172.17.147.0, 172.17.148.0, and 172.17.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two)

    • A.

      Access-list 10 permit ip 172.17.146.0 0.0.1.255

    • B.

      Access-list 10 permit ip 172.17.147.0 0.0.255.255

    • C.

      Access-list 10 permit ip 172.17.148.0 0.0.1.255

    • D.

      Access-list 10 permit ip 172.17.149.0 0.0.255.255

    • E.

      Access-list 10 permit ip 172.17.146.0 0.0.0.255

    • F.

      Access-list 10 permit ip 172.17.146.0 255.255.255.0

    Correct Answer(s)
    A. Access-list 10 permit ip 172.17.146.0 0.0.1.255
    C. Access-list 10 permit ip 172.17.148.0 0.0.1.255
    Explanation
    To accomplish the task of allowing traffic from hosts on networks 172.17.146.0, 172.17.147.0, 172.17.148.0, and 172.17.149.0 only, we need to use two ACL statements that cover all these networks while denying all other traffic.
    The correct ACL statements to accomplish this task are:
    access-list 10 permit ip 172.17.146.0 0.0.1.255
    This statement permits traffic from the network 172.17.146.0 with a wildcard mask of 0.0.1.255, covering both the 172.17.146.0 and 172.17.147.0 networks.
    access-list 10 permit ip 172.17.148.0 0.0.1.255
    This statement permits traffic from the network 172.17.148.0 with a wildcard mask of 0.0.1.255, covering both the 172.17.148.0 and 172.17.149.0 networks.
    Combining these two ACL statements will allow traffic from all specified networks while denying traffic from any other networks. Therefore, the correct options are:
    access-list 10 permit ip 172.17.146.0 0.0.1.255
    access-list 10 permit ip 172.17.148.0 0.0.1.255

    Rate this question:

  • 19. 

    Which statement about access lists that are applied to an interface is true?Select one:

    • A.

      You can apply only one access list on any interface

    • B.

      You can configure one access list, per direction, per layer 3 protocol

    • C.

      You can place as many access lists as you want on any interface

    • D.

      You can configure one access list, per direction, per layer 2 protocol

    Correct Answer
    B. You can configure one access list, per direction, per layer 3 protocol
    Explanation
    The correct answer is: you can configure one access list, per direction, per layer 3 protocol

    Rate this question:

  • 20. 

    You want to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the internet. Which ACL can be used?Select one:

    • A.

      Reflexive

    • B.

      Extended

    • C.

      Standard

    • D.

      Dynamic

    Correct Answer
    D. Dynamic
    Explanation
    The correct answer is: dynamic

    Rate this question:

  • 21. 

    What is the first step you should take when trying to secure your network?Select one:

    • A.

      Install a firewall

    • B.

      Install an IPS

    • C.

      Update servers and PCs with the latest patches & AV signatures

    • D.

      Develop a security policy

    Correct Answer
    D. Develop a security policy
    Explanation
    The correct answer is: Develop a security policy

    Rate this question:

  • 22. 

    Which of the following is enabled when RSA keys are generated? Select one:

    • A.

      The password encryptions service

    • B.

      Telnet access with the password "password

    • C.

      SSL

    • D.

      SSH

    Correct Answer
    D. SSH
    Explanation
    The correct answer is: SSH

    Rate this question:

  • 23. 

    If you're using an extended ACL to block traffic to a server located on the remote side of your WAN, where should you place the ACL?  Choose the two best answers.Select one or more:

    • A.

      Remote side of the WAN

    • B.

      As close to the source as possible

    • C.

      On the local side of the WAN

    • D.

      As close to the destination as possible

    Correct Answer(s)
    B. As close to the source as possible
    C. On the local side of the WAN
    Explanation
    The correct answer is: As close to the source as possible, On the local side of the WAN

    Rate this question:

  • 24. 

    Which technology dynamically builds a table for the purpose of permitting thereturn traffic from an outside server, back to the client, in spite of a default securitypolicy that says no traffic is allowed to initiate from the outside networks?Select one:

    • A.

      Proxy

    • B.

      NAT

    • C.

      Packet filtering

    • D.

      Stateful filtering

    Correct Answer
    D. Stateful filtering
    Explanation
    The correct answer is: Stateful filtering

    Rate this question:

  • 25. 

    What term refers to the internal IP address of a client using NAT as seen from other devices on the same internal network as the client?Select one:

    • A.

      Inside local

    • B.

      Inside global

    • C.

      Outside local

    • D.

      Outside global

    Correct Answer
    A. Inside local
    Explanation
    The correct answer is: Inside local

    Rate this question:

  • 26. 

    If interface number 1 is in zone A, and interface number 2 is in zone B, and there is no policy or service commands applied yet to the configuration, what is the status of transit traffic that is being routed between these two interfaces?Select one:

    • A.

      Denied

    • B.

      Permitted

    • C.

      Inspected

    • D.

      Logged

    Correct Answer
    A. Denied
    Explanation
    The correct answer is: Denied

    Rate this question:

  • 27. 

    What is the default policy between an administratively created zone and the self zone?Select one:

    • A.

      Deny

    • B.

      Permit

    • C.

      Inspect

    • D.

      Log

    Correct Answer
    B. Permit
    Explanation
    The correct answer is: Permit

    Rate this question:

  • 28. 

    Why is it that the return traffic, from previously inspected sessions, is allowed back to the user, in spite of not having a zone pair explicitly configured that matches on the return traffic?Select one:

    • A.

      Stateful entries (from the initial flow) are matched, which dynamically allows return traffic.

    • B.

      Return traffic is not allowed because it is a firewall.

    • C.

      Explicit ACL rules need to be placed on the return path to allow the return traffic.

    • D.

      A zone pair in the opposite direction of the initial zone pair

    Correct Answer
    A. Stateful entries (from the initial flow) are matched, which dynamically allows return traffic.
    Explanation
    The correct answer is: Stateful entries (from the initial flow) are matched, which dynamically allows return traffic.

    Rate this question:

  • 29. 

    How does IPS have the ability to prevent an ICMP-based attack from reaching the intended victim?Select one:

    • A.

      Policy-based routing

    • B.

      TCP resets are used.

    • C.

      The IPS is inline with the traffic.

    • D.

      The IPS is in promiscuous mode

    Correct Answer
    C. The IPS is inline with the traffic.
    Explanation
    The correct answer is: The IPS is inline with the traffic.

    Rate this question:

  • 30. 

    Which method should you implement when it is not acceptable for an attack to reach its intended victim?Select one:

    • A.

      IDS

    • B.

      IPS

    • C.

      Out of band

    • D.

      Hardware appliance

    Correct Answer
    B. IPS
    Explanation
    The correct answer is: IPS

    Rate this question:

  • 31. 

    Which method of IPS uses a baseline of normal network behaviour and looks for deviations from that baseline?Select one:

    • A.

      Reputation-based IPS

    • B.

      Policy-based IPS

    • C.

      Signature-based IPS

    • D.

      Anomaly-based IPS

    Correct Answer
    D. Anomaly-based IPS
    Explanation
    The correct answer is: Anomaly-based IPS

    Rate this question:

  • 32. 

    Because of how a router operates, which IPS/IDS mode does it operate in?Select one:

    • A.

      Promiscuous

    • B.

      Out-of-band

    • C.

      IPS

    • D.

      IDS

    Correct Answer
    C. IPS
    Explanation
    The correct answer is: IPS

    Rate this question:

  • 33. 

    Which of the following are examples of tuning a signature? (Choose all that apply.)Select one or more:

    • A.

      Changing the default severity level

    • B.

      Changing password by own

    • C.

      Disabling it if it was enabled by default

    • D.

      Changing the default action

    Correct Answer(s)
    A. Changing the default severity level
    C. Disabling it if it was enabled by default
    D. Changing the default action
    Explanation
    The correct answer is: Changing the default severity level, Disabling it if it was enabled by default, Changing the default action

    Rate this question:

  • 34. 

    Why is it considered a best practice to avoid compiling, enabling, and running all available signatures? (Choose all that apply.)Select one or more:

    • A.

      CPU utilization

    • B.

      Memory utilization

    • C.

      The size of NVRAM

    • D.

      Not a best practice

    Correct Answer(s)
    A. CPU utilization
    B. Memory utilization
    Explanation
    The correct answer is: CPU utilization, Memory utilization

    Rate this question:

  • 35. 

    What element in a VPN provides the Privacy?Select one:

    • A.

      Data integrity

    • B.

      Confidentiality

    • C.

      Antireplay

    • D.

      Authentication

    Correct Answer
    B. Confidentiality
    Explanation
    The correct answer is: Confidentiality

    Rate this question:

  • 36. 

    What algorithms in a VPN provide the confidentiality? (Choose all that apply.)Select one or more:

    • A.

      MD5

    • B.

      SHA-1

    • C.

      AES

    • D.

      3DES

    Correct Answer(s)
    C. AES
    D. 3DES
    Explanation
    The correct answer is: AES, 3DES

    Rate this question:

  • 37. 

    Which type of VPN technology is likely to be used in a site-to-site VPN?Select one:

    • A.

      SSL

    • B.

      TLS

    • C.

      HTTPS

    • D.

      IPsec

    Correct Answer
    D. IPsec
    Explanation
    The correct answer is: IPsec

    Rate this question:

  • 38. 

    Why is the public key in a typical public-private key pair referred to as public?Select one:

    • A.

      Because the public already has it.

    • B.

      Because it is shared publicly.

    • C.

      Because it is a well-known algorithm that is published.

    • D.

      The last name of the creator was publica, which is Latin for public.

    Correct Answer
    B. Because it is shared publicly.
    Explanation
    The correct answer is: Because it is shared publicly.

    Rate this question:

  • 39. 

    Which of the following are negotiated during IKE Phase 1? (Choose all that apply.)Select one or more:

    • A.

      Hashing

    • B.

      DH group

    • C.

      Hex Encryption

    • D.

      Authentication method

    Correct Answer(s)
    A. Hashing
    B. DH group
    D. Authentication method
    Explanation
    The correct answer is: Hashing, DH group, Authentication method

    Rate this question:

  • 40. 

    How is the negotiation of the IPsec (IKE Phase 2) tunnel done securely?Select one:

    • A.

      Uses the IKE Phase 1 tunnel

    • B.

      Uses the IPsec tunnel

    • C.

      Uses the IKE Phase 2 tunnel

    • D.

      Uses RSA

    Correct Answer
    A. Uses the IKE Phase 1 tunnel
    Explanation
    The correct answer is: Uses the IKE Phase 1 tunnel

    Rate this question:

  • 41. 

    How is it possible that a packet with a private Layer 3 destination address is forwarded over the Internet?Select one:

    • A.

      It is encapsulated into another packet, and the Internet only sees the outside valid IP destination address.

    • B.

      It cannot be sent. It will always be dropped.

    • C.

      The Internet does not filter private addresses, only some public addresses, based on policy.

    • D.

      NAT is used to change the destination IP address before the packet is sent.

    Correct Answer
    C. The Internet does not filter private addresses, only some public addresses, based on policy.
    Explanation
    The correct answer is: The Internet does not filter private addresses, only some public addresses, based on policy.

    Rate this question:

  • 42. 

    Which of the following would cause a VPN tunnel using IPsec to never initialize or work correctly? (Choose all that apply.)Select one or more:

    • A.

      Incompatible IKE Phase 2 transform sets

    • B.

      Incorrect pre-shared keys or missing digital certificates

    • C.

      Incorrect dns

    • D.

      Incorrect routing

    Correct Answer(s)
    A. Incompatible IKE Phase 2 transform sets
    B. Incorrect pre-shared keys or missing digital certificates
    D. Incorrect routing
    Explanation
    The correct answer is: Incompatible IKE Phase 2 transform sets, Incorrect pre-shared keys or missing digital certificates, Incorrect routing

    Rate this question:

  • 43. 

    Which of the following are defense-in-depth approaches? (Choose all that apply.)Select one or more:

    • A.

      Performing filtering at the router and the firewall

    • B.

      Requiring authentication for the administrator to connect

    • C.

      Implementing multiple security features on the firewall only, because of the dedicated appliance having the CPU and resources to implement all of them

    • D.

      Don't use proxy

    Correct Answer(s)
    A. Performing filtering at the router and the firewall
    B. Requiring authentication for the administrator to connect
    C. Implementing multiple security features on the firewall only, because of the dedicated appliance having the CPU and resources to implement all of them
    Explanation
    The correct answer is: Performing filtering at the router and the firewall, Requiring authentication for the administrator to connect

    Rate this question:

  • 44. 

    What is the term for tricking a user into revealing sensitive or confidential information, including information about user credentials?Select one:

    • A.

      Eavesdropping

    • B.

      Cross-site scripting

    • C.

      Denial of service

    • D.

      Social engineering

    Correct Answer
    D. Social engineering
    Explanation
    The correct answer is: Social engineering

    Rate this question:

  • 45. 

    Which device can analyze network traffic in real time, generate alerts, and even prevent the first malicious packet from entering the network?Select one:

    • A.

      IPS

    • B.

      CSM

    • C.

      IDS

    • D.

      CCP

    Correct Answer
    A. IPS
    Explanation
    The correct answer is: IPS

    Rate this question:

  • 46. 

    What happens when an access list has 100 lines and a match occurs on line 14?Select one:

    • A.

      Lines 15 through 100 are parsed as a group object.

    • B.

      The ACL acts on the packet, and no further list processing is done for that packet.

    • C.

      The ACL is processed all the way through line 100, to see whether there is a more strict policy that should be applied

    • D.

      There cannot be a line 14 because the only lines permitted start with 10 and increment by 10.

    Correct Answer
    B. The ACL acts on the packet, and no further list processing is done for that packet.
    Explanation
    The correct answer is: The ACL acts on the packet, and no further list processing is done for that packet.

    Rate this question:

  • 47. 

    Which of the following is not a best practice to protect the management plane?(Choose all that apply.)Select one or more:

    • A.

      HTTP

    • B.

      Telnet

    • C.

      HTTPS

    • D.

      SSH

    Correct Answer(s)
    A. HTTP
    B. Telnet
    Explanation
    The correct answer is: HTTP, Telnet

    Rate this question:

  • 48. 

    Which one of the following follows best practices for a secure password? Select one:

    • A.

      AbC123!

    • B.

      SlE3peR1#

    • C.

      Tough-passfraze

    • D.

      NterEstIng-PaSsW0Rd

    Correct Answer
    B. SlE3peR1#
    Explanation
    The correct answer is: SlE3peR1#

    Rate this question:

  • 49. 

    How can you implement role-based access control (RBAC)? (Choose all that apply.)Select one or more:

    • A.

      Provide the password for a custom privilege level to users in a given role

    • B.

      Associate user accounts with specific views

    • C.

      Use access lists to specify which devices can connect remotely

    • D.

      Use AAA to authorize specific users for specific sets of permissions

    Correct Answer(s)
    A. Provide the password for a custom privilege level to users in a given role
    B. Associate user accounts with specific views
    D. Use AAA to authorize specific users for specific sets of permissions
    Explanation
    The correct answer is: Provide the password for a custom privilege level to users in a given role, Associate user accounts with specific views,

    Use AAA to authorize specific users for specific sets of permissions

    Rate this question:

  • 50. 

    Which of the following enables you to protect the data plane? (Choose all that apply.)Select one or more:

    • A.

      IOS Zone-Based Firewall

    • B.

      Port Security

    • C.

      Proxy

    • D.

      IPS

    Correct Answer(s)
    A. IOS Zone-Based Firewall
    B. Port Security
    D. IPS
    Explanation
    You have correctly selected 1.
    The correct answer is: IOS Zone-Based Firewall, IPS, Port security

    Rate this question:

Quiz Review Timeline +

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

  • Current Version
  • Feb 13, 2024
    Quiz Edited by
    ProProfs Editorial Team
  • Dec 13, 2014
    Quiz Created by
    Achmad Sagaf
Back to Top Back to top
Advertisement
×

Wait!
Here's an interesting quiz for you.

We have other quizzes matching your interest.