CCNP Security Practice Test | Network Security (SENSS)

Which command set would be used to create an object group for a server running the DNS server service located on the 10.0.0.0 255.0.0.0 network?

A. object-group network DNS
network-object 10.0.0.0 255.0.0.0

B. object-group host DNS
network-object host 10.0.1.0

C. object-group protocol DNS
network-object host 10.0.1.0

D. object-group network DNS
network-object host 10.0.1.0

You have been asked to strengthen the security of each network switch. One method that needs to be employed is IP Source Guard.
Which levels of IP traffic filtering are available? (Choose two)

A. Destination MAC address filter

B. Destination IP and MAC address filter

C. Source MAC address filter

D. Source IP and MAC address filter

E. Source IP address filter

F. Destination IP address filter

A network group named blcokNY was created. It contains only IPv4 networks. An IPv6 network needs to have the same ACLs applied to it. Which option would best achieve this requirement?

A. Access protocol configuration mode for the blockNY group and add the IPv6 network with the "network-object" command.

B. Issue the "no object-group network blockNY" command and then recreate the group so it includes all required networks.

C. Access protocol configuration mode for the blockNY group and add the IPv6 network with the "object-network" command.

D. Create a new network object group named blockNY_IPv6, add the IPv6 network using the "network-object" command, and create ACLs.

Describe how dynamic protocols are supported on the ASA. (Choose three)

A. The ASA inspects all services in the default inspection class by default

B. The ASA will snoop on many dynamic protocols to automatically permit these sessions by default

C. The ASA interface ACLs only need to permit the initial, control session but all subsequent negotiated sessions will be permitted automatically

D. The ASA requires configuration in order to snoop on any port negotiations

E. The ASA has additional ports available for NAT and application layer inspection

You are in the process of configuring PVLANs on a Cisco Catalyst switch. You need to configure the port that connects to the default gateway.
What type of port should be configured?

A. Promiscuous

B. Community

C. Isolated

D. Non-promiscuous

Which SNMP version and security level needs to be specified in the "snmp-server user" command if SHA authentication and AES encryption are to be used for SNMP users? (Choose two)

A. SNMPv1

B. noauth

C. SNMPv3

D. auth

E. SNMPv2

F. priv

A network has recently configured the following L2 Data Plane control: DHCP snooping. What will configuring this accomplish for the organization? (Choose two)

A. Isolate same VLAN ports.

B. Defend against ARP spoofing.

C. Harden overall network security.

D. Prevent STP operations from being influenced.

Identify the ways in which IP spoofing is used? (Choose three)

A. Spoofing nonexistent hosts by injecting packets with a forged source address in the network avoiding detection

B. Spoofing an existing host using IP source routing exploiting IP address-based authentication between networked systems

C. Spoofing an existing host by simply injecting packets with a forged source address in the network exploiting IP address-based authentication between networked systems

D. Spoofing can be to accommodate ARP attacks in non-DHCP environments

E. Spoofing is mainly used to attack Layer 2 data plane controls using storm control mechanisms

What statements describe service placement within the network zone architecture? (Choose two)

A. A service can be accessed from other adjacent zones and not just the zone in which it resides

B. Services such as backup and auditing should be located in the Public Access Zone

C. As a best practice authentication services should be placed in the Management Restricted Zone

D. The placement of services and structure of Network Security Zones should be complimentary

Which of the following statements describe the self zone? (Choose three)

A. The self zone represents the control and management plane of the router

B. If there are no policies between a zone and the self zone, all traffic is denied

C. All IP interfaces on the router are automatically made a part of the self zone when you configure a Zone-Based Policy Firewall

D. The self zone is used to control traffic to and from the router's own IP addresses

You want to check if host 10.1.1.2 has an entry in the local host table. Which commands can you use? (Choose two)

A. show local-host 10.1.1.2

B. show conn

C. show sessions

D. show local-host

Which of the following are available firewall filtering technologies? (Choose three)

A. Stateless packet filtering

B. Reputation based filtering

C. IDS

D. Stateful packet filtering

Which SAP operational mode provides both encryption and authentication?

A. Null

B. GMAC

C. No encapsulation

D. GCM

Which type of attack can be mitigated by using BPDU guard?

A. VLAN hopping

B. STP spoofing

C. DHCP server spoofing

D. ARP spoofing

A network administrator has identified several hosts on the network that have been infected with malware. An analysis of traffic from the infected hosts identified that communication had occurred with a malware control server on the Internet. Which feature should be implemented on the Cisco ASA that is specifically designed to prevent these types of attacks?

A. Botnet Traffic Filter

B. NetFlow

C. IP Source Guard

D. HTTP Inspector

A Cisco security consultant is designing a firewall solution for a company. The company contains a single Active Directory Domain Services domain and has several remote employees. Management has given the following requirements:

- Only HR employees can access the HR department network.
- Users should not be prompted for login information.

Which firewall solution can be used?

A. Configure per-user policies using Cisco ASA cut-through proxy feature.

B. Configure the Botnet Traffic Filter.

C. Configure Cisco ASA Identity Firewall.

D. Configure a reputation-based Cisco ASA access policy.

Identify the features of the Zone-Based Policy Firewall TCP normalizer. (Choose three)

A. May interfere with some TCP stack quirks and out-of-order packet delivery

B. Provides the reassembled byte stream to upper-layer inspectors

C. It can be tuned for single flows

D. Verifies adherence to the TCP protocol and prevents evasion attacks

Which of the following describe C3PL policy map functions? (Choose three)

A. They determine the firewall policy applied to a class

B. They are evaluated in reverse order

C. They are applied to each configured zone pair

D. They can use permit, deny, log, or special actions

Firewall threat controls should be placed throughout the Cisco modular network architecture, one option for a control are stateful packet filters. Which statements are true of stateful packet filters? (Choose two)

A. They offer high performance

B. They provide application layer access control

C. They are most suited to static TCP applications

D. They offer access control on layers 3 and 4

Which option supports Cisco TrustSec NDAC SAP?

A. Virtual interfaces

B. Host facing access ports

C. SPAN destination ports

D. Trunk ports

Which statements describe the benefits of inside NAT? (Choose three)

A. It provides mutual connectivity with overlapping IP addresses

B. There is no need to readdress internal networks

C. It conserves IPv4 addresses

D. It allows for translation of embedded IP addresses

E. It works with all encryption systems

Identify the tasks involved in configuring control plane protection. (Choose four)

A. Apply the traffic policy to the virtual control plane subinterface

B. Verify the CPP configuration using the show policy-map control plane all command

C. Apply the traffic policy to the virtual data plane transit subinterface

D. Create a traffic policy ACL that describe the permitted control plane traffic

E. Create traffic classes that describe valid control plane traffic

F. Create a traffic policy that permits, denies, or rate-limits control plane traffic

How can the ASA be configured to allow the SNMP clients to poll or to receive traps from the ASA? (Choose two)

A. To allow SNMPv3 clients to poll or to receive traps from the ASA, an SNMPv3 user and credentials must be defined first

B. To allow SNMP clients to poll or to receive traps from the ASA, SNMP is selected from the Management Access option from the Device Management menu

C. The SNMPv3 user and credentials are defined in the Add SNMP Host Access Entry window

D. Four SNMPv3 groups are defined on the Cisco ASA for use in communicating between the ASA and the NMS

A network administrator has configured the DHCP snooping feature on a switch. Which command can be used to determine the interfaces that have been trusted and the rate limit configured on them?

A. show arp inspection interfaces

B. show ip dhcp snooping database

C. |b show ip dhcp snooping |p

D. |b show ip dhcp snooping binding |p

Identify statements that describe plane and management plane security controls. (Choose two)

A. Control plane security measures include secure management protocols, AAA, and MPP

B. The control plane includes a control plane protection feature that extends policing functionality by allowing finer policing granularity

C. Management plane control includes the use of management protocols with strong authentication to ensure the confidentiality of your data

D. Network management on the management plane should always be performed using Telnet or HTTP

Identify the statements that describe NAT with PAT and policy-based NAT. (Choose three)

A. Policy-based NAT can be used to implement destination-sensitive rules

B. Dynamic PAT maps a local network to another global IP address using multiplexing

C. Policy-based NAT is sensitive to all communicating endpoints

D. Static PAT maps one global IP and service port to another global IP and service port

E. Policy-based NAT is mainly used on networks with the same NAT requirements

Which protocol can be implemented to maintain accurate time synchronization on Cisco devices?

A. CDP

B. TDP

C. NTP

D. ARP

Recently, Cisco Botnet Traffic Filter was enabled. However, after traffic analysis, it is determined that data is being sent to and from a known Botnet. Which two separate configurations could be implemented to resolve this issue? (Choose two)

A. Create a static database entry.

B. Disable traffic classification.

C. Configure a domain name server.

D. Disable DNS inspection.

How will a configured Cisco ASA appliance handle a packet when there is no match in the NAT table?

A. The packet is forwarded without translation.

B. The packet is forwarded if access rules permit.

C. A static mapping is created and the packet is forwarded.

D. The packet is dropped.

Which of the following correctly describes the Cisco modular network architecture design management module?

A. Aggregates the WAN links that connect geographically distant branch offices to a central site

B. Dedicated to carrying traffic such as NTP, SSH, and SNMP

C. Provides network access to end users and devices located in the same geographical location

D. Provides connectivity to the Internet and acts as the gateway for the enterprise to the rest of the cyberspace

Which security features provided by switches can protect network devices and network endpoints against L2 attacks? (Choose two)

A. FPM

B. DHCP snooping

C. Interface ACLs

D. ARP inspection

E. uRPF

Examine the output in the exhibit. What can be concluded based upon the output?

A. The connection is blocked because Telnet has not been configured properly.

B. The connection is blocked because NAT is not configured properly.

C. There is no connectivity issue.

D. The connection is blocked by a configured interface access rule.

Which of the following options are the benefits of the Identity Internal Firewall? (Choose three)

A. Eliminates user activity monitoring

B. Simplifies the creation of security policies

C. Decouples network topology from security policies

D. Helps identify user activity on network resources

Which statements are true regarding the configuration of Zone-Based Policy Firewall zones and zone pairs? (Choose three)

A. Zones are created by tagging interfaces with a zone name.

B. It uses PAM to recognize default destination ports for known applications.

C. By default, all traffic is allowed between zones.

D. An interface can be configured to use multiple zones.

E. By default, interfaces in the same zone can communicate.

Select the statements that best a describe Zone Interface Points. (Choose two)

A. Zone Interface Points enforce zone data communication policy through perimeter security measures

B. Only secured data communication is required to travel through a Zone Interface Point

C. A Zone Interface Point can be created by using a combination of a firewall IDS and a router

D. Zone Interface Points are able to implement the security policy of connecting zones as well as their own

E. Additional security controls such an IPS may be required for any data communication that passes through a zone but not terminated in it

A network administrator is designing a firewall solution for his company. The solution includes the configuration of all Cisco routers. The solution must meet the following requirements:

- Use a restrictive approach
- Be configured using a static rulebase
- Work best with Layer 3 only filtering
- Be transparent and provide high performance

Which firewall filtering technology should be used?

A. Stateful packet filtering

B. Stateful packet filtering with AIC

C. Stateful packet filtering with AVC

D. Stateless packet filtering

Identify the statements that describe the features of Network Time Protocol, or NTP. (Choose three)

A. NTP can be used to monitor and filter traffic at all exit points

B. NTP is required for certificate validation and analyzing past log events

C. NTP is used to synchronize clocks between network devices

D. NTP synchronization uses UDP port 23 for its transport

E. NTP authentication is available for use over untrusted networks

What are the main components that make up the Cisco modular network architecture? (Choose two)

A. Design blueprints

B. Auditable Implementations

C. Security solutions

D. Service Availability and Resiliency

Which command would be issued to set the GigabitEthernet0/0 as the dedicated management interface and allow only ssh? (Choose two)

A. management-interface GigabitEthernet0/0 allow ssh

B. management-interface Gi0/0 ssh

C. |b management-interface Gi0/0 allow ssh |p

D. management-interface GigabitEthernet0/0 ssh

What are two advantages of using a next-generation, context-aware firewall over a standard firewall? (Choose two)

A. It can be used to identify users, devices, and applications

B. It can be configured as a large set of multiple devices

C. It can be used to provide reputation-based filtering

D. It can prevent a backdoor connection that could be used to bypass the firewall

E. It is resistant to attacks on the firewall itself

Identify statements that describe NAT configuration on Cisco ASA. (Choose two)

A. Implements address translation using Network Object NAT and twice NAT

B. Uses a concept of network objects to configure NAT rules

C. With Network Object NAT, each rule can only apply to the destination of a packet

D. Inside and outside NAT must be configured using separate rules

Where do you navigate to on the Firewall to configure an identity-based access rule?

A. Configuration > Firewall > Access Rules

B. Configuration > Firewall > Identity

C. Configuration > Firewall > Rules

D. Configuration > Firewall > Setup

How can you verify your object groups on the Cisco ASA? (Choose two)

A. With the show access-list command

B. From the ADSM in Configuration > Firewall > Access Rules

C. From the ADSM in Configuration > Firewall > Object Groups

D. With the show object-list command

Which two features correctly identify the DHCP snooping feature? (Choose two)

A. It can be used to provide isolation between ports within the same VLAN.

B. It can be used to monitor incoming traffic for acceptable levels.

C. It can be used to mitigate DHCP starvation to a degree.

D. It is used to prevent spoofing attacks.

E. It can be used to intercept and validate all ARP requests and responses.

Which of the following are characteristics of Cisco ASA global ACLs? (Choose three)

A. The ACEs are defined in the same manner as interface ACLs

B. A permit statement is needed in either the global ACL or an interface input ACL for any traffic to be allowed through the appliance

C. After an ACE has been added to the global ACL, all interface default policies are activated

D. Input traffic that does not match an input ACL that is configured for an interface will be compared against the global ACL

Which of the following guidelines should be followed when combining firewall filtering technologies? (Choose two)

A. Create network security zones and implement least-privilege traffic filtering between them

B. Implement a permissive or restrictive policy

C. Harden the network controls, use strong authentication and secure management protocols

D. Choose a single filtering technology

How can storm control prevent LAN traffic from being disrupted by storms? (Choose three)

A. The switch can be configured to shut down the port when the falling threshold is reached

B. It uses thresholds to block and restore the forwarding of broadcast, unicast, or multicast packets

C. The switch port can be configured with a threshold level to be used for a specific traffic type

D. Storm control can be configured to measure traffic activity by bandwidth percentage

E. Broadcast traffic activity can only be tracked by packets per second on the interface

Which statements describe characteristics of the Cisco ASA FTP inspector? (Choose three)

A. Filter specific protocol values within FTP inspector containers

B. Filter FTP access using an internal URL filtering server

C. Additional inspection criteria can be configured where granular filtering is required on the FTP protocol and its payloads

D. Can verify adherence to the FTP protocol and log any accessed object files

E. Use access lists to create custom pattern matching rules within inspector containers

Which switch security feature measures bandwidth-based or packet-based traffic activity and can shut down a port if excessive activity is reached?

A. RSPAN

B. SPAN

C. PVLAN

D. Storm control

You plan on tuning basic Cisco ASA OSI layer 3-4 inspection parameters.
Which are the correct statements about options available within the default inspection policy for tuning the basic stateful inspection functionality of the Cisco ASA? (Choose two)

A. You can configure the appliance to decrement the TTL for all traffic flows

B. You can configure DCD for hosts using slightly nonstandard TCP/IP stacks

C. You can tune the way the virtual reassembly algorithm operates

D. Session timers adjust automatically for hosts using slightly nonstandard TCP/IP stacks

The Cisco IOS Zone-Based Policy Firewall can inspect protocols such as eDonkey, FastTrack, and Gnutella v2.
What type of protocols are these?

A. Network management

B. Instant messaging

C. E-mail

D. Peer-to-peer

You are troubleshooting an SSH connectivity issue with a Cisco ASA adaptive security appliance. The host has an interface address of 10.0.0.101 using port 1024 and the Cisco ASA adaptive security appliance has an interface address of 172.16.1.2. Which CLI command will allow you to quickly pinpoint the cause of the connectivity issue?

A. ASA# packet-tracer input inside tcp 172.16.1.2 22 10.0.0.101 1024

B. ASA# packet-tracer input inside tcp 10.0.0.101 22 172.16.1.2 1024

C. ASA# |b packet-tracer input inside tcp 10.0.0.101 1024 172.16.1.2 22 |p

D. ASA(config)# |b packet-tracer input inside tcp 10.0.0.101 1024 172.16.1.2 22 |p

Which of the following best describes a parameter map?

A. Augment basic inspection with the capability to recognize and apply service-specific actions

B. A threshold setting for classifying traffic that exceeds a defined maximum threshold

C. Specifies the actions to take when traffic matches defined criteria

D. Objects that describe different classes of traffic

Where should network infrastructure protection controls be placed within the Cisco modular network architecture design?

A. Protection controls should be placed in the core; the most important part of the network

B. Protection controls only need to be placed in the data center; the most exposed part of the network

C. Protection controls implemented on all devices in the network

D. Protection controls should be placed on the least exposed parts of the network

When configuring Cisco ASA support for dynamic protocols, you will perform specific configuration tasks.
Identify the statements about configuring Cisco ASA support for dynamic protocols. (Choose two)

A. To enable support for nondefault dynamic protocol inspection, you enable additional inspectors

B. To conditionally permit traffic between hosts, you select the Established option in the ASDM

C. The permitfrom argument allows return protocol connections destined for a specified port

D. To support dynamic applications on nondefault ports, you create a new destination port based class

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?