CCNP Security Practice Test | Network Security (SENSS)

Which of the following are features of connection table logging? (Choose three)

A. It is enabled by default

B. Records the building of local-host connections

C. Records the teardown of local-host connections

D. It is disabled by default

What statements describe characteristics of the management plane and its security controls? (Choose three)

A. The management plane runs at the memory level on the network device

B. The management plane is susceptible to session spoofing and identity theft

C. By default, has its own dedicated path to the main CPU

D. From the perspective of the network device, management plane traffic always has a transit destination IP address and can be managed by normal, destination IP address-based forwarding processes

E. Management plane traffic is created by network devices and is used to maintain the network

Which of the following are characteristics of the access rules table in the ASDM interface? (Choose three)

A. Shows the service of protocol specified for a rule

B. The columns cannot be edited

C. Rules are displayed in order of execution

D. It shows the source and destination specified for IP Addresses

Before tuning OSI layer 3-4 stateful tuning on the headquarters Cisco ASA, you want to understand problematic properties of the local network environment and the tuning options within the default inspection policy.
What statements about the default inspection policy on a Cisco ASA are correct? (Choose two)

A. An overview of IP fragmentation issues will enable you to plan for possible buffering issues

B. An overview of asymmetric IP routing enables you to plan for normalizer exceptions

C. A list of applications idle for a long period will enable you to adjust connection table timers

D. A list of problematic TCP/IP stacks will enable you to possibly bypass stateful algorithms

Identify statements that describe layer 2 data plane and layer 3 data plane security measures. (Choose two)

A. Layer 2 data plane security measures include DHCP snooping, ARP inspection, traffic storm control, PVLAN, and MACsec encryption

B. Layer 3 data planes can use ACLs to restrict user access based on the role of the user

C. Layer 3 data plane security measures include uRPF, interface ACLs, and FPM

D. The layer 2 data plane traffic storm feature prevents ARP spoofing attacks by intercepting and validating all ARP requests and responses

Select the statements that describe characteristics of control plane policing? (Choose two)

A. Configured as a service policy on a virtual data plane interface

B. A Cisco IOS feature designed to allow users to manage the flow of traffic that is managed by the route processor of their network devices

C. Less manageable than a local interface or infrastructure ACL

D. Lets users configure a QoS filter to restrict the flow of control plane packets

How should you configure Zone-Based Policy Firewall zones and zone pairs? (Choose two)

A. Create zones by tagging ACLs with a zone name

B. Create zones by tagging interfaces with a zone name

C. Separate resources into zones based on location

D. Separate resources into zones based on resource sensitivity and trustworthiness

You are configuring IP source address control using static addressing. Currently only IP Source Guard with IP address filtering is enabled. What command enables IP source guard with both IP and MAC address filtering on all DHCP-snooping-enabled ports?

A. port-security

B. errdisable recovery cause all

C. ip source binding

D. ip verify source port security

You have been assigned the task of defending the network against Layer 2 attacks.
What can you do as a best practice? (Choose two)

A. Use VLAN 1 for management.

B. Use Telnet for remote administration.

C. Use the |b switchport host |p command for ports connecting to end devices.

D. Globally enable CDP.

E. Disable unneeded services.

Identify the statements that describe NAT with PAT and policy-based NAT. (Choose three)

A. Policy-based NAT can be used to implement destination-sensitive rules

B. Dynamic PAT maps a local network to another global IP address using multiplexing

C. Policy-based NAT is sensitive to all communicating endpoints

D. Static PAT maps one global IP and service port to another global IP and service port

E. Policy-based NAT is mainly used on networks with the same NAT requirements

When configuring management plane access control, which implementation type may cause compatibility issues with some Cisco hardware platforms?

A. Service-specific ACLs

B. Management Plane Protection

C. Interface ACLs

D. Control Plane Protection

Which commands can be used to verify the identity-based firewall? (Choose two)

A. show identity user active list detail

B. show user-identity user active list detail

C. show user-identity user all list

Syslog has been enabled. However, Botnet Traffic Filter is not logging messages. What could be causing this issue?

A. A domain was not added to the blacklist.

B. Severity level was misconfigured.

C. A packet capture was not created.

D. Packet tracing was not enabled.

Which of the following two are the default behaviors when tagging interfaces into the Cisco IOS Zone-Based Policy Firewall zones? (Choose two)

A. By default, interfaces in the same zone can freely communicate

B. By default, all traffic is permitted between zones

C. By default, all traffic is denied between zones

D. By default, interfaces in the same zone cannot communicate

You have created a packet capture named "drop" to capture all packets dropped by interface access rules. What command will only display the captured packets from the drop capture?

A. show capture

B. show capture drop

You are looking at how the Cisco ASA supports application layer inspection for many other application layer protocols.
From the following, which can you configure inspection functionality for? (Choose four)

A. SIP

B. TCP

C. IM Service

D. CDP

E. DNS

You need to prevent LAN traffic from being disrupted by broadcast storms on a Catalyst 3550 switch interface. You have been notified to configure the switch to drop broadcast traffic when exceeding 70 percent of total available bandwidth. Traffic should resume automatically when approximately half the total of available bandwidth is detected.
What needs to be entered in the CLI?

A. Switch(config-if)# storm-control broadcast level 70 50

B. Switch(config-if)# storm-control broadcast level 70

C. Switch(config-if)# storm-control broadcast level bps 70
Switch(config-if)# storm-control action trap

D. Switch(config-if)# storm-control broadcast level 50 70

E. Switch(config-if)# storm-control broadcast level 70 50
Switch(config-if)# storm-control action shutdown

F. Switch(config-if)# storm-control broadcast level 70
Switch(config-if)# storm-control action shutdown

Which of the following options are the benefits of the Identity Internal Firewall? (Choose three)

A. Eliminates user activity monitoring

B. Simplifies the creation of security policies

C. Decouples network topology from security policies

D. Helps identify user activity on network resources

What are the benefits of using management plane access control features? (Choose three)

A. Control plane protection is easy to configure and can limit access to any service

B. Service-specific ACLs can limit access to any local or remote Cisco IOS management service

C. Management plane protection supports Out of Bound access

D. Control plane protection is available on all Cisco IOS hardware platforms

E. Interface ACLs can limit access to any local management service

A network has recently configured the following L2 Data Plane control: DHCP snooping. What will configuring this accomplish for the organization? (Choose two)

A. Isolate same VLAN ports.

B. Defend against ARP spoofing.

C. Harden overall network security.

D. Prevent STP operations from being influenced.

What statements describe secure management protocols? (Choose three)

A. IPSec VPN cryptographic traffic protection should be employed if using an unsecured management protocol

B. Secure management protocols are used to filter management access to devices

C. HTTPS, SSL, and SNMPv3 are examples of secure management protocols

D. A hostname and domain name are required to be configured on the device in order to create RSA keypairs used for secure management

E. The HTTPS server is enabled using the IP HTTP authentication local command

What are the benefits of Cisco ASA object groups? (Choose three)

A. Ease administrative overhead

B. Only available for ASA devices

C. Allows for grouping of hosts, resources, or services that share the same policy

D. Can optimize the effective ness of access rules

A network administrator has configured NTP with authentication on the company's Cisco IOS routers. Which command can be used to verify that NTP has been authenticated with the NTP server?

A. show ntp associations

B. show cdp neighbors

C. |b show ntp status |p

D. |b show ntp associations detail |p

DHCP does not include authentication and is therefore vulnerable to spoofing and other attacks. In which ways can you deploy DHCP control to help mitigate such attacks? (Choose four)

A. Use ARP snooping to help protect against DHCP starvation threats

B. Use static IP addresses to mitigate DHCP spoofing in smaller networks

C. Limit the maximum number of MAC addresses per port to provide defense against DHCP starvation threats

D. Use BPDU guard and root guard to prevent attacker attempts to use all available DHCP-assigned addresses in the network to deny DHCP service to legitimate users

E. Use DHCP snooping to filter untrusted DHCP messages by building and maintaining a DHCP snooping binding database

Cisco SecureX is an access control strategy that allows for more effective, higher-level policy creation and enforcement for mobile users. Identify the statements that describe components of the of the SecureX architecture. (Choose two)

A. Cisco TrustSec function offers a web-based global network of shared resources, software, and information provided to Cisco customers on demand

B. Cisco Security Intelligence Operations (SIO) extends the access control functionality end-to-end, using security group tags

C. Cisco AnyConnect client provides a consistent user interface and consolidates traditional function-specific client software products into one product

D. Context awareness allows enforcement elements to use identity and location information to define access policy

You are in the process of configuring PVLANs on a Cisco Catalyst switch. You need to configure the port that connects to the default gateway.
What type of port should be configured?

A. Promiscuous

B. Community

C. Isolated

D. Non-promiscuous

How can you verify your object groups on the Cisco ASA? (Choose two)

A. With the show access-list command

B. From the ADSM in Configuration > Firewall > Access Rules

C. From the ADSM in Configuration > Firewall > Object Groups

D. With the show object-list command

Examine the output in the exhibit. What can be concluded based upon the output?

A. The connection is blocked because Telnet has not been configured properly.

B. The connection is blocked because NAT is not configured properly.

C. There is no connectivity issue.

D. The connection is blocked by a configured interface access rule.

Which of the following commands can be used to verify the functionality of your Botnet Traffic Filter? (Choose three)

A. show dynamic-filter database

B. show dynamic-filter dns-snoop

C. show dynamic-filter statistics

D. show dynamic-filter data

Which options are recommended baseline forms of telemetry that should be used on network infrastructure devices? (Choose three)

A. Accounting

B. Time synchronization

C. ARP inspection

D. MACsec

E. SNMP

F. Interface ACLs

Class maps for OSI layers 3 and 4 identify traffic based on criteria such as protocols, ports, IP addresses, and other attributes for these layers.
Identify statements that correctly describe matching criteria. (Choose two)

A. IP DSCP allows you to match on a UDP port number within the specified range

B. IP flow represents all traffic going to a unique IP destination address

C. RTP port numbers allows you to define classes based on the differentiated services code point values defined within the ToS byte in the IP header

D. The default inspection traffic criterion will match all default TCP and User Datagram Protocol (UDP) destination ports that the security appliance inspects by default

When configuring policy-based NAT, which type of access control list should be configured to match both the source and destination IP addresses?

A. Standard ACL

B. Reflexive ACL

C. Dynamic ACL

D. Extended ACL

Which of the following can be used for URL filtering with Cisco IOS Zone-Based Policy Firewall? (Choose three)

A. Local blacklists and whitelists

B. Cloud web security

C. WSA

D. IIS

You need to implement dynamic ARP inspection on a Cisco Catalyst 6500 series switch. The switch hosts either computer systems that have been dynamically or statically assigned IP addresses.
What is the first step that you should undertake?

A. Designate all ports as untrusted.

B. Ensure all IP addresses are assigned by DHCP.

C. Verify that DHCP snooping has been enabled.

D. Configure IP Source Guard.

Which of the following correctly describes inline mode when all traffic is being inspected by AIP-SSM?

A. The original data is forwarded to the destination while a copy is sent to the AIP-SSM.

B. Original data is inspected by AIP-SSM and then forwarded to the destination.

C. The ASA will block data to the destination if the AIP-SSM is offline.

D. The ASA will forward data to the destination if the AIP-SSM is offline.

A network group named blcokNY was created. It contains only IPv4 networks. An IPv6 network needs to have the same ACLs applied to it. Which option would best achieve this requirement?

A. Access protocol configuration mode for the blockNY group and add the IPv6 network with the "network-object" command.

B. Issue the "no object-group network blockNY" command and then recreate the group so it includes all required networks.

C. Access protocol configuration mode for the blockNY group and add the IPv6 network with the "object-network" command.

D. Create a new network object group named blockNY_IPv6, add the IPv6 network using the "network-object" command, and create ACLs.

Examine the output in the exhibit. You are troubleshooting the syslog message displayed in the output. Which severity level is outlined within the syslog message?

A. Alert

B. Critical

C. Emergency

D. Warning

You are viewing the following syslog message:

Jul 23 2012 00:12:01 ASAFW : %ASA-7-111009: User "administrator" executed cmd: show interface

What does the message severity level indicate?

A. Warning

B. Critical

C. Emergency

D. Debugging

E. Alert

F. Notification

G. Error

H. Informational

Which command can you use to verify your global access rule configuration?

A. show access-rules

B. show access-list

C. show lists

D. show global-access-list

Which command can be used to verify that secure management access protocols are configured on a Cisco IOS device?

A. show management-interface

B. show ip interfaces brief

C. |b show version |p

D. |b show interfaces |p

Suppose you are viewing the partial router output displayed below. Identify the statements that best describe this configuration of Cisco IOS Secure Management Access?

crypto key generate rsa modulus 2048
!
ip ssh version 2
username admin privilege 15 secret Admin92DXBh
!
ip access-list standard 90
permit 10.10.10.0 0.0.0.255
deny any log
!
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 90
!
snmp-server community 7rNjOgmEnUMRpR0remI ro 90 (Choose three)

A. Access to the HTTPS server is allowed from authorized sources only

B. SNMP access is limited to SNMP versions 1 and 2 on the router

C. A single RSA key has been created with the crypto key generate rsa modulus 2048 command

D. show management-interface will display the configured dedicated management interfaces

E. Remote HTTPS authentication has been enabled using the ip http authentication local command

F. A local user account with a privilege level of 5 has been configured

A user has been added to a SNMPv3 management group. Which command can you use to identify the SNMPv3 group to which the user belongs?

A. show snmp

B. show snmp user

C. |b show snmp group |p

D. show snmp sessions

A Cisco security consultant is designing a firewall solution for a company. The company contains a single Active Directory Domain Services domain and has several remote employees. Management has given the following requirements:

- Only HR employees can access the HR department network.
- Users should not be prompted for login information.

Which firewall solution can be used?

A. Configure per-user policies using Cisco ASA cut-through proxy feature.

B. Configure the Botnet Traffic Filter.

C. Configure Cisco ASA Identity Firewall.

D. Configure a reputation-based Cisco ASA access policy.

Which command set would be used to create an object group for a server running the DNS server service located on the 10.0.0.0 255.0.0.0 network?

A. object-group network DNS
network-object 10.0.0.0 255.0.0.0

B. object-group host DNS
network-object host 10.0.1.0

C. object-group protocol DNS
network-object host 10.0.1.0

D. object-group network DNS
network-object host 10.0.1.0

Which command would be issued to set the GigabitEthernet0/0 as the dedicated management interface and allow only ssh? (Choose two)

A. management-interface GigabitEthernet0/0 allow ssh

B. management-interface Gi0/0 ssh

C. |b management-interface Gi0/0 allow ssh |p

D. management-interface GigabitEthernet0/0 ssh

Which of the following are features of Application layer gateways? (Choose three)

A. Use a permissive filtering only

B. Provide automatic protocol normalization

C. They provide access control from layers 3 through 7

D. Can perform content analysis and buffering

A network administrator is designing a firewall solution for his company. The solution includes the configuration of all Cisco routers. The solution must meet the following requirements:

- Use a restrictive approach
- Be configured using a static rulebase
- Work best with Layer 3 only filtering
- Be transparent and provide high performance

Which firewall filtering technology should be used?

A. Stateful packet filtering

B. Stateful packet filtering with AIC

C. Stateful packet filtering with AVC

D. Stateless packet filtering

The Cisco ASA 5500-X Series Next-Generation Firewalls provide four main remote access protocols to access the adaptive security appliance management functions. Which remote access protocol uses X.509 certificates for authentication?

A. HTTPS

B. SSH

C. SNMP

D. Telnet

Identify the statements that describe characteristics of management access AAA. (Choose four)

A. RBAC restricts user access based on task functions and permission roles

B. Management access AAA specifies what user can do on the device

C. Management access AAA specifies what a user did on the device

D. Management access AAA specifies who can access a network devices

E. AAA authentication and authorization can be checked against a local database only

F. Management access AAA provides secure management access to a network device using SNMP-based tools

Which statements describe the benefits of inside NAT? (Choose three)

A. It provides mutual connectivity with overlapping IP addresses

B. There is no need to readdress internal networks

C. It conserves IPv4 addresses

D. It allows for translation of embedded IP addresses

E. It works with all encryption systems

Identify the features of the Zone-Based Policy Firewall. (Choose three)

A. It allows you to configure access rules between each zone pair that is available on the route

B. It is a collection of networks that are reachable over one router interface or over a specific set of router interfaces

C. It is a stateless packet filter with application inspection and control abilities

D. It is a stateful packet filter with application inspection and control abilities

You are going to implement Cisco MPF to provide granularity and flexibility when implementing network policies for traffic flows.
Identify the statements that best describe how MPF works with OSI layer 3-4 traffic. (Choose two)

A. You can create class maps for OSI layers 3 and 4 that classify traffic based only on IP addresses

B. To associate an action with a specific traffic class, you create a service policy

C. Class maps for layers 3 and 4 identify what policy to apply to the traffic

D. Policy maps for layers 3 and 4 specify which traffic to apply policy to

E. Service policy specifies where to apply the policy

How can you control management access to the ASA using management access AAA? (Choose three)

A. By allowing management access to be based on the role of the user

B. By using strong authentication methods and using TACACS+ and LDAP servers

C. By not being permitted to reuse existing authentication databases

D. It allows you to implement a strong administrator auditing policy

E. AAA authorization and accounting processes do not require an existing authentication configuration

You plan on implementing TrustSec in the network infrastructure. What statement best describes its use?

A. Assists network architects and security practitioners with the appropriate placement of services

B. Provides a policy-based platform offering integrated posture, profiling and guest services to make context-aware access control decisions

C. Helps organizations accurately detect threats, provide holistic protection, and continually adapt to a rapidly evolving, constantly changing threatscape

D. Describes best practices, designs and configurations to providing the necessary information to help succeed in designing, implementing, and operating secure network infrastructures

In what ways can ACLs protect the data plane? (Choose five)

A. ACLs can be used to restrict user access based on the role of the user

B. ACLs can reduce the chance of DoS attacks

C. ACLs can be used to classify network traffic in order to protect other planes

D. ACLs can block unwanted traffic or users

E. ACLs can prevent spoofed packets

F. ACLs can provide port security to prevent MAC flooding attacks

G. ACLs can provide bandwidth control

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

Our Recommended Premium Cisco Training Resources:

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

Our Recommended Premium Cisco Training Resources:

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?