Braindumps of 640-554
Implementing Cisco IOS Network Security (IINS v2.0)

 

Exam Questions, Answers, Braindumps (640-554)

Many thanks to www.examcheats.net and www.exams.ws for providing help

 

QUESTION NO: 1

Which two features are supported by Cisco IronPort Security Gateway? (Choose two.)

A. Spam protection

B. Outbreak intelligence

C. HTTP and HTTPS scanning

D. Email encryption

E. DDoS protection

Answer: A,D

Explanation: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10154/data-sheetc78-729751.html

Product Overview

Over the past 20 years, email has evolved from a tool used primarily by technical and research professionals to become the backbone of corporate communications. Each day, more than 100 billion corporate email messages are exchanged. As the level of use rises, security becomes a greater priority. Mass spam campaigns are no longer the only concern. Today, spam and malware are just part of a complex picture that includes inbound threats and outbound risks.

Cisco® Email Security solutions defend mission-critical email systems with appliance, virtual, cloud, and hybrid solutions. The industry leader in email security solutions, Cisco delivers:

QUESTION NO: 2

In an IPsec VPN, what determination does the access list make about VPN traffic?

A. whether the traffic should be blocked

B. whether the traffic should be permitted

C. whether the traffic should be encrypted

D. the peer to which traffic should be sent

Answer: C

QUESTION NO: 3

Which two characteristics represent a blended threat? (Choose two.)

A. man-in-the-middle attack

B. trojan horse attack

C. pharming attack

D. denial of service attack

E. day zero attack

Answer: B,E

Explanation:

http://www.cisco.com/web/IN/about/network/threat_defense.html

Rogue developers create such threats by using worms, viruses, or application-embedded attacks.

Botnets can be used to seed an attack. For example, rogue developers can use worms or application-embedded attacks (attacks hidden within application traffic such as web traffic or peer-to-peer shared files) to deposit Trojans. This combination of attack techniques, a virus or worm used to deposit a Trojan, for example, is relatively new and is known as a blended attack. A blended attack can also occur in phases: an initial attack of a virus with a Trojan that might open up an unsecured port on a computer, disable an access control list (ACL), or disarm antivirus software, with the goal of a more devastating attack to follow soon after. Host firewalls on servers and desktops/laptops, day-zero protection, and intelligent behavior-based protection against application vulnerabilities and related flaws (present in, or inserted by, viruses, worms, or Trojans) provide a high level of confidence about what is happening within an organization on a normal day and, in an attack situation, which segment is affected and what has gone wrong; linking such devices with monitoring, log-analysis, and event-correlation systems gives the flexibility and control to stop such situations.

QUESTION NO: 4

Under which higher-level policy is a VPN security policy categorized?

A. application policy

B. DLP policy

C. remote access policy

D. compliance policy

E. corporate WAN policy

Answer: C

Explanation:

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ravpnpag.html

Remote Access VPN Policy Reference

The Remote Access VPN policy pages are used to configure remote access VPNs on Cisco IOS security routers, PIX Firewalls, Catalyst 6500 /7600 devices, and Adaptive Security Appliance (ASA) devices.

QUESTION NO: 5

You are troubleshooting a Cisco AnyConnect VPN on a firewall and issue the command show webvpn anyconnect. The output shows the message "SSL VPN is not enabled" instead of showing the AnyConnect package. Which action can you take to resolve the problem?

A. Issue the enable outside command.

B. Issue the anyconnect enable command.

C. Issue the enable inside command.

D. Reinstall the AnyConnect image.

Answer: B

QUESTION NO: 6

What does level 5 in this enable secret global configuration mode command indicate? router#enable secret level 5 password

A. The enable secret password is hashed using MD5.

B. The enable secret password is hashed using SHA.

C. The enable secret password is encrypted using Cisco proprietary level 5 encryption.

D. Set the enable secret command to privilege level 5.

E. The enable secret password is for accessing exec privilege level 5.

Answer: D

Explanation:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html

To configure the router to require an enable password, use either of the following commands in global configuration mode:

Router(config)# enable password [level level] {password | encryption-type encrypted-password}

Establishes a password for a privilege command mode.

Router(config)# enable secret [level level] {password | encryption-type encrypted-password}

Specifies a secret password, saved using a non-reversible encryption method. (If enable password and enable secret are both set, users must enter the enable secret password.)

Use either of these commands with the level option to define a password for a specific privilege level.

After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level configuration command to specify commands accessible at various levels.

QUESTION NO: 7

Which Cisco management tool provides the ability to centrally provision all aspects of device configuration across the Cisco family of security products?

A. Cisco Configuration Professional

B. Security Device Manager

C. Cisco Security Manager

D. Cisco Secure Management Server

Answer: C

Explanation:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6498/data_sheet_c78-27090.html

Cisco Security Manager 4.4 Data Sheet

Cisco® Security Manager is a comprehensive management solution that enables advanced management and rapid troubleshooting of multiple security devices. Cisco Security Manager provides scalable, centralized management from which administrators can efficiently manage a wide range of Cisco security devices, gain visibility across the network deployment, and securely share information with other essential network services such as compliance systems and advanced security analysis systems. Designed to maximize operational efficiency, Cisco Security Manager also includes a powerful suite of automated capabilities, such as health and performance monitoring, software image management, auto-conflict detection, and integration with ticketing systems.

QUESTION NO: 8

Which option is the correct representation of the IPv6 address 2001:0000:150C:0000:0000:41B1:45A3:041D?

A. 2001::150c::41b1:45a3:041d

B. 2001:0:150c:0::41b1:45a3:04d1

C. 2001:150c::41b1:45a3::41d

D. 2001:0:150c::41b1:45a3:41d

Answer: D

Explanation:

http://www.cisco.com/web/strategy/docs/gov/IPv6_WP.pdf

Address Representation

The first area to address is how to represent these 128 bits. Due to the size of the numbering space, hexadecimal numbers and colons were chosen to represent IPv6 addresses. An example IPv6 address is:

2001:0DB8:130F:0000:0000:7000:0000:140B

Note the following:

•There is no case sensitivity. Lower case “a” means the same as capital “A”.

•There are 16 bits in each grouping between the colons.

– 8 fields * 16 bits/field = 128 bits

There are some accepted ways to shorten the representation of the above address:

•Leading zeroes can be omitted, so a field of zeroes can be represented by a single 0.

•Trailing zeroes must be represented.

•Successive fields of zeroes can be shortened down to “::”. This shorthand representation can only occur once in the address.

Taking these rules into account, the address shown above can be shortened to:

2001:0DB8:130F:0000:0000:7000:0000:140B

2001:DB8:130F:0:0:7000:0:140B (Leading zeroes)

2001:DB8:130F:0:0:7000:0:140B (Trailing zeroes)

2001:DB8:130F::7000:0:140B (Successive field of zeroes)

QUESTION NO: 9

Which three options are common examples of AAA implementation on Cisco routers? (Choose three.)

A. authenticating remote users who are accessing the corporate LAN through IPsec VPN connections

B. authenticating administrator access to the router console port, auxiliary port, and vty ports

C. implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates

D. tracking Cisco NetFlow accounting statistics

E. securing the router by locking down all unused services

F. performing router commands authorization using TACACS+

Answer: A,B,F

Explanation:

http://www.cisco.com/en/US/products/ps6638/products_data_sheet09186a00804fe332.html

Need for AAA Services

Security for user access to the network and the ability to dynamically define a user's profile to gain access to network resources has a legacy dating back to asynchronous dial access. AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers, which is usually the function of a router or access server.

Authentication identifies a user; authorization determines what that user can do; and accounting monitors the network usage time for billing purposes.

AAA information is typically stored in an external database or remote server such as RADIUS or TACACS+.

The information can also be stored locally on the access server or router. Remote security servers, such as RADIUS and TACACS+, assign users specific privileges by associating attribute-value (AV) pairs, which define the access rights, with the appropriate user. All authorization methods must be defined through AAA.

QUESTION NO: 10

When AAA login authentication is configured on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)

A. group RADIUS

B. group TACACS+

C. local

D. krb5

E. enable

F. if-authenticated

Answer: C,E

Explanation:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html

TACACS+ Authentication Examples

The following example shows how to configure TACACS+ as the security protocol for PPP authentication:

aaa new-model

aaa authentication ppp test group tacacs+ local

tacacs-server host 10.1.2.3

tacacs-server key goaway

interface serial 0

ppp authentication chap pap test

The lines in the preceding sample configuration are defined as follows:

•The aaa new-model command enables the AAA security services.

•The aaa authentication command defines a method list, "test," to be used on serial interfaces running PPP.

The keyword group tacacs+ means that authentication will be done through TACACS+. If TACACS+ returns an ERROR of some sort during authentication, the keyword local indicates that authentication will be attempted using the local database on the network access server.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml

Authentication

Start to configure TAC+ on the router.

Enter enable mode and type configure terminal before the command set. This command syntax ensures that you are not locked out of the router initially, providing the tac_plus_executable is not running:

!--- Turn on TAC+.

aaa new-model

enable password whatever

!--- These are lists of authentication methods.

!--- "linmethod", "vtymethod", "conmethod", and

!--- so on are names of lists, and the methods

!--- listed on the same lines are the methods

!--- in the order to be tried. As used here, if

!--- authentication fails due to the

!--- tac_plus_executable not being started, the

!--- enable password is accepted because

!--- it is in each list.

!

aaa authentication login linmethod tacacs+ enable

aaa authentication login vtymethod tacacs+ enable

aaa authentication login conmethod tacacs+ enable

QUESTION NO: 11

Which two characteristics of the TACACS+ protocol are true? (Choose two.)

A. uses UDP ports 1645 or 1812

B. separates AAA functions

C. encrypts the body of every packet

D. offers extensive accounting capabilities

E. is an open RFC standard protocol

Answer: B,C

Explanation:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

Packet Encryption

RADIUS encrypts only the password in the access-request packet, from the client to the server.

The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.

TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.

Authentication and Authorization

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.

TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.

During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.

QUESTION NO: 12

On which protocol number does the authentication header operate?

A. 06

B. 47

C. 50

D. 51

Answer: D

QUESTION NO: 13

Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement?

A. nested object-class

B. class-map

C. extended wildcard matching

D. object groups

Answer: D

Explanation:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/objectgroups.html

Information About Object Groups

By grouping like objects together, you can use the object group in an ACE instead of having to enter an ACE for each object separately. You can create the following types of object groups:

•Protocol

•Network

•Service

•ICMP type

For example, consider the following three object groups:

•MyServices—Includes the TCP and UDP port numbers of the service requests that are allowed access to the internal network.

•TrustedHosts—Includes the host and network addresses allowed access to the greatest range of services and servers.

•PublicServers—Includes the host addresses of servers to which the greatest access is provided.

After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers.

You can also nest object groups in other object groups.
