Network Security (Version 1) - Network Security 1.0 Practice Final Answers - InfraExam 2022

Online Test
1. What are two security features commonly found in a WAN design? (Choose two.)
port security on all user-facing ports
firewalls protecting the main and remote sites
VPNs used by mobile workers between sites
WPA2 for data encryption of all data between sites
outside perimeter security including continuous video surveillance
 Answers Explanation & Hints:
WANs span a wide area and commonly have connections from a main site to remote sites
including a branch office, regional site, SOHO sites, and mobile workers. WANs typically
connect over a public internet connection. Each site commonly has a firewall and VPNs used
by remote workers between sites.
2. Which two means can be used to try to bypass the management of mobile devices?
(Choose two.)
using a fuzzer
rooting
jailbreaking
packet sniffing
using a Trojan Horse
 Answers Explanation & Hints:
Jailbreaking is a term used when breaking into an Apple iOS device, whereas rooting is the
term used for doing the same to an Android device. Both must be concerns in the corporate
environment where so many people bring their own devices and access the corporate
networks.
3. Match the type of cyberattackers to the description. (Not all options are used.)
Network Security (Version 1) – Network Security 1.0 Practice Final Answers 001
4. Which two statements are characteristics of a virus? (Choose two.)
A virus typically requires end-user activation.
A virus has an enabling vulnerability, a propagation mechanism, and a payload.
A virus replicates itself by independently exploiting vulnerabilities in networks.
A virus provides the attacker with sensitive data, such as passwords.
A virus can be dormant and then activate at a specific time or date.
 Answers Explanation & Hints:
The type of end user interaction required to launch a virus is typically opening an application,
opening a web page, or powering on the computer. Once activated, a virus may infect other
files located on the computer or other computers on the same network.
5. Match the information security component with the description.
Network Security (Version 1) – Network Security 1.0 Practice Final Answers 002
6. Match the security policy with the description. (Not all options are used.)
Network Security (Version 1) – Network Security 1.0 Practice Final Answers 003
7. How does the service password-encryption command enhance password security
on Cisco routers and switches?
It encrypts passwords as they are sent across the network.
It encrypts passwords that are stored in router or switch configuration files.
It requires that a user type encrypted passwords to gain console access to a router or switch.
It requires encrypted passwords to be used when connecting remotely to a router or switch with Telnet.
 Answers Explanation & Hints:
The service password-encryption command encrypts plaintext passwords in the configuration
file so that they cannot be viewed by unauthorized users.
8. Which benefit does SSH offer over Telnet for remotely managing a router?
encryption
TCP usage
authorization
connections via multiple VTY lines
 Answers Explanation & Hints:
SSH provides secure access to a network device for remote management. It uses a stronger
password authorization than Telnet does and encrypts any data that is transported during the
session.
9. Refer to the exhibit. Which statement about the JR-Admin account is true?
Network Security (Version 1) – Network Security 1.0 Practice Final Answers 01
JR-Admin can issue show, ping, and reload commands.
JR-Admin can issue ping and reload commands.
JR-Admin can issue only ping commands.
JR-Admin can issue debug and reload commands.
JR-Admin cannot issue any command because the privilege level does not match one of those defined.
Answers Explanation & Hints:
When the username name privilege 10 command is issued, access to commands with a
privilege level of 10 or less (0-10) is permitted to the user.
10. What protocol is used by SCP for secure transport?
IPSec
HTTPS
SSH
Telnet
TFTP
 Answers Explanation & Hints:
The Secure Copy (SCP) feature provides a secure and authenticated method for copying and
saving router configuration files by using SSH.
11. Which three types of views are available when configuring the role-based CLI
access feature? (Choose three.)
superuser view
root view
superview
CLI view
admin view
config view
 Answers Explanation & Hints:
There are three types of Role-based CLI views:
1) root view
 2) CLI view
 3) superview
12. What is the purpose of using the ip ospf message-digest-key key md5 password
command and the area area-id authentication message-digest command on a
router? 
to encrypt OSPF routing updates 
to enable OSPF MD5 authentication on a per-interface basis 
to configure OSPF MD5 authentication globally on the router 
to facilitate the establishment of neighbor adjacencies
Answers Explanation & Hints:
To configure OSPF MD5 authentication globally, the ip ospf message-digest-key key md5
password interface configuration command and the area area-id authentication message-
digest router configuration command are issued. To configure OSPF MD5 authentication per
interface, the ip ospf message-digest-key key md5 password interface configuration
command and the ip ospf authentication message-digest interface configuration command
are issued. Authentication does not encrypt OSPF routing updates. The requirements to
establish OSPF router neighbor adjacencies are separate from authentication. 
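The two configuration forms described in the explanation above, as an added example and not part of the original answer key. The OSPF process ID, area, interface names, key ID and key string are assumed placeholders; both OSPF neighbors on a link must use the same key ID and key string or the adjacency will not form.

```cisco
! Added example (not from the original answer key): OSPF MD5 authentication
! on a Cisco IOS router. Process ID, area, interfaces and key are assumed.
!
! --- Form 1: enable MD5 authentication globally for area 0 ---
! The key is still defined per interface; the area command turns
! authentication on for every interface in that area.
router ospf 1
 area 0 authentication message-digest
!
interface GigabitEthernet0/0
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY-STRING
!
! --- Form 2: enable MD5 authentication on one interface only ---
! Both commands are interface-level; other interfaces are unaffected.
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY-STRING
 ip ospf authentication message-digest
end
!
! Verification: the interface should report that message digest
! authentication is enabled, and the neighbor should reach FULL state.
show ip ospf interface GigabitEthernet0/1
show ip ospf neighbor
```

MD5 authentication only authenticates the routing updates; the LSA contents still travel in cleartext, which is the point made in the explanation. A key mismatch shows up as a neighbor that never appears in `show ip ospf neighbor` rather than as an error in the running configuration.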
13. Refer to the exhibit. What type of syslog message is displayed?
Network Security (Version 1) – Network Security 1.0 Practice Final Answers 06
warning
notification
informational
debugging
 Answers Explanation & Hints:
The severity level is used to provide an explanation for the event or error that is occurring
within the Cisco IOS. The smaller the number of the severity level, the more critical the event.
A Syslog message with a level 5 is considered a notification message.
14. What command must be issued on a Cisco router that will serve as an authoritative
NTP server?
ntp master 1
ntp server 172.16.0.1
ntp broadcast client
clock set 11:00:00 DEC 20 2010
 Answers Explanation & Hints:
Routers that will serve as NTP masters must be configured with the ntp master command. A
client is configured with the ntp server command so that the client can locate the NTP master.
The ntp broadcast client command configures the device to receive NTP broadcast messages. The clock set
command is used to set the time on a router.
15. A server log includes this entry: User student accessed host server ABC using
Telnet yesterday for 10 minutes. What type of log entry is this?
authentication
authorization
accounting
accessing
 
Answers Explanation & Hints:
Accounting records what users do and when they do it, including what is accessed, the
amount of time the resource is accessed, and any changes that were made. Accounting
keeps track of how network resources are used.
16. What is indicated by the use of the local-case keyword in a local AAA authentication
configuration command sequence?
that user access is limited to vty terminal lines
that passwords and usernames are case-sensitive
that AAA is enabled globally on the router
that a default local database AAA authentication is applied to all lines
 Answers Explanation & Hints:
The use of the local-case keyword means that the authentication is case-sensitive. It does
not enable or apply the AAA configuration to router interfaces or lines. 
17. A network administrator is configuring an AAA server to manage RADIUS
authentication. Which two features are included in RADIUS authentication? (Choose
two.)
encryption for all communication
hidden passwords during transmission
single process for authentication and authorization
separate processes for authentication and authorization
encryption for only the data
 Answers Explanation & Hints:
RADIUS authentication supports the following features:
 – RADIUS authentication and authorization as one process
 – Encrypts only the password
 – Utilizes UDP
 – Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)
18. A network administrator is explaining to a junior colleague the use of the lt and gt
keywords when filtering packets using an extended ACL. Where would the lt or gt
keywords be used?
in an IPv6 extended ACL that stops packets going to one specific destination VLAN
in an IPv4 named standard ACL that has specific UDP protocols that are allowed to be used on a specific server
in an IPv6 named ACL that permits FTP traffic from one particular LAN getting to another LAN
in an IPv4 extended ACL that allows packets from a range of TCP ports destined for a specific network device
 Answers Explanation & Hints:
The lt and gt keywords are used for defining a range of port numbers that are less than a
particular port number or greater than a particular port number.
19. Which feature is unique to IPv6 ACLs when compared to those of IPv4 ACLs?
the use of wildcard masks
an implicit deny any any statement
the use of named ACL statements
an implicit permit of neighbor discovery packets
Answers Explanation & Hints:
One of the major differences between IPv6 and IPv4 ACLs is the two implicit permit statements
at the end of any IPv6 ACL. These two permit statements allow neighbor discovery
operations to function on the router interface.
20. Refer to the exhibit. An extended access list has been created to prevent human
resource users from gaining access to the accounting server. All other network
traffic is to be permitted. When following the ACL configuration guidelines, on
which router, interface, and direction should the access list be applied?
Network Security (Version 1) – Network Security 1.0 Practice Final Answers 07
router R1, interface S0/1/0, outbound
router R1, interface Gi0/0/0, inbound
router R1, interface Gi0/0/0, outbound
router R2, interface S0/1/1, inbound
router R2, interface Gi0/0/1, inbound
router R2, interface Gi0/0/1, outbound
 Answers Explanation & Hints:
The ACL configuration guidelines recommend placing extended access control lists as close
to the source of network traffic as possible and placing standard access control lists as close
to the destination of network traffic as possible.
21. Which statement describes the characteristics of packet-filtering and stateful
firewalls as they relate to the OSI model?
Both stateful and packet-filtering firewalls can filter at the application layer.
A stateful firewall can filter application layer information, whereas a packet-filtering firewall cannot filter beyond
the network layer.
A packet-filtering firewall typically can filter up to the transport layer, whereas a stateful firewall can filter up to
the session layer.
A packet-filtering firewall uses session layer information to track the state of a connection, whereas a stateful
firewall uses application layer information to track the state of a connection.
 
Answers Explanation & Hints:
Packet filtering firewalls can always filter Layer 3 content and sometimes TCP and UDP-
based content. Stateful firewalls monitor connections and thus have to be able to support up
to the session layer of the OSI model.
22. What is an advantage in using a packet filtering firewall versus a high-end firewall
appliance?
Packet filters perform almost all the tasks of a high-end firewall at a fraction of the cost.
Packet filters represent a complete firewall solution.
Packet filters are not susceptible to IP spoofing.
Packet filters provide an initial degree of security at the data-link and network layer.
 Answers Explanation & Hints:
There are several advantages of using a packet filtering firewall:
 – allows for implementing simple permit or deny rule sets.
 – has a low impact on network performance
 – is easy to implement, and is supported by most routers
 – provides an initial degree of security at the network layer
 – performs almost all the tasks of a high-end firewall at a much lower cost
23. Which type of firewall is commonly part of a router firewall and allows or blocks
traffic based on Layer 3 and Layer 4 information?
stateless firewall
stateful firewall
proxy firewall
application gateway firewall
 Answers Explanation & Hints:
A stateless firewall uses a simple policy table look-up that filters traffic based on specific
criteria. These firewalls are usually part of a router firewall. They permit or deny traffic based
on Layer 3 and Layer 4 information.
24. A company is deploying a new network design in which the border router has three
interfaces. Interface Serial0/0/0 connects to the ISP, GigabitEthernet0/0 connects to
the DMZ, and GigabitEthernet0/1 connects to the internal private network. Which
type of traffic would receive the least amount of inspection (have the most freedom
of travel)?
traffic that is going from the private network to the DMZ
traffic that originates from the public network and that is destined for the DMZ
traffic that is returning from the DMZ after originating from the private network
traffic that is returning from the public network after originating from the private network
 
Answers Explanation & Hints:
Most traffic within an organization originates from a private IP address. The amount of
inspection done to that traffic depends on its destination or whether traffic that is going to that
private IP address originated the connection. The demilitarized zone typically holds servers.
Traffic that is destined to those servers is filtered based on what services are being provided
by the server (HTTP, HTTPS, DNS, etc.).
25. What are two benefits offered by a zone-based policy firewall on a Cisco router?
(Choose two.)
Policies are defined exclusively with ACLs.
Policies are applied to unidirectional traffic between zones.
Policies provide scalability because they are easy to read and troubleshoot.
Any interface can be configured with both a ZPF and an IOS Classic Firewall.
Virtual and physical interfaces are put in different zones to enhance security.
 Answers Explanation & Hints:
There are several benefits of a ZPF:
 It is not dependent on ACLs.
 The router security posture is to block unless explicitly allowed.
 Policies are easy to read and troubleshoot. This provides scalability because one policy
affects any given traffic, instead of needing multiple ACLs and inspection actions for different
types of traffic.
 Virtual and physical interfaces can be grouped into zones.
 Policies are applied to unidirectional traffic between zones.
 Both IOS Classic Firewalls and ZPFs can be enabled concurrently on a Cisco router.
However, the models cannot be combined on a single interface.
26. When a Cisco IOS Zone-Based Policy Firewall is being configured via CLI, which
step must be taken after zones have been created?
Design the physical infrastructure.
Establish policies between zones.
Identify subsets within zones.
Assign interfaces to zones.
 Answers Explanation & Hints:
The steps for configuring zones in a Zone-Based Policy Firewall are as follows:
 Step 1. Determine the zones.
 Step 2. Establish policies between zones.
 Step 3. Design the physical infrastructure.
 Step 4. Identify subsets within zones and merge traffic requirements.
27. What are two shared characteristics of the IDS and the IPS? (Choose two.)
Both are deployed as sensors.
Both analyze copies of network traffic.
Both use signatures to detect malicious traffic.
Both have minimal impact on network performance. 
Both rely on an additional network device to respond to malicious traffic.
 
Answers Explanation & Hints:
Both the IDS and the IPS are deployed as sensors and use signatures to detect malicious
traffic. The IDS analyzes copies of network traffic, which results in minimal impact on network
performance. The IDS also relies on an IPS to stop malicious traffic. 
28. When a Cisco IOS Zone-Based Policy Firewall is being configured, which two
actions can be applied to a traffic class? (Choose two.)
log
hold
drop
inspect
copy
forward
 Answers Explanation & Hints:
The three actions that can be applied are inspect, drop, and pass.
 Inspect – This action offers state-based traffic control.
 Drop – This is the default action for all traffic. Similar to the implicit deny any at the end of
every ACL, there is an explicit drop applied by the IOS to the end of every policy map.
 Pass – This action allows the router to forward traffic from one zone to another.
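A minimal zone-based policy firewall that ties together the configuration steps of question 26 and the inspect/drop/pass actions of question 28, as an added example that is not part of the original answer key. Zone names, interface names, the class map and the protocols matched are assumed; the structure (zones, interface membership, class map, policy map, zone pair) is the standard IOS ZPF configuration order.

```cisco
! Added example (not from the original answer key): two-zone ZPF on Cisco IOS.
! Zone names, interfaces and matched protocols are assumed.
!
! Step 1: determine the zones and create them
zone security INSIDE
zone security OUTSIDE
!
! Assign interfaces to zones (an interface in no zone cannot talk to a zoned one)
interface GigabitEthernet0/1
 zone-member security INSIDE
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
! Step 2: establish policies between zones
! Classify the traffic inside hosts are allowed to initiate toward the outside
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
!
! "inspect" keeps state so the return traffic is admitted automatically;
! "pass" would forward statelessly; everything else falls into
! class-default, where the explicit drop mirrors the implicit drop
! the IOS appends to every policy map
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Policies are unidirectional: this pair covers INSIDE -> OUTSIDE only.
! Return traffic is admitted by the inspect state, not by a reverse pair.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
end
!
! Verification
show zone-pair security
show policy-map type inspect zone-pair sessions
```

Because no OUTSIDE to INSIDE zone pair exists, unsolicited traffic from the outside is dropped by default, which is the "block unless explicitly allowed" posture the explanation for question 25 describes; the `drop log` on class-default makes those denials visible in syslog for monitoring.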
29. Match the network security device type with the description.
Network Security (Version 1) – Network Security 1.0 Practice Final Answers 004
30. What are two monitoring tools that capture network traffic and forward it to network
monitoring devices? (Choose two.)
SIEM
Wireshark
SNMP
SPAN
network tap
 
Answers Explanation & Hints:
A network tap is used to capture traffic for monitoring the network. The tap is typically a
passive splitting device implemented inline on the network and forwards all traffic including
physical layer errors to an analysis device. SPAN is a port mirroring technology supported on
Cisco switches that enables the switch to copy frames and forward them to an analysis
device.
31. What is a characteristic of an IPS atomic signature?
it can be slow and inefficient to analyze traffic
it requires several pieces of data to match an attack
it is a stateful signature
it is the simplest type of signature
 Answers Explanation & Hints:
There are two types of IPS signatures:
 Atomic – This is the simplest type of signature because it does not require the IPS to
maintain state information and it can identify an attack with a single packet, activity, or event.
 Composite – This is a stateful type of signature. It requires that the IPS maintain state
information to match an attack signature.
32. Match each IPS signature trigger category with the description.
Network Security (Version 1) – Network Security 1.0 Practice Final Answers 005
33. What is the IPS detection engine that is included in the SEC license for 4000 Series
ISRs?
Security Onion
Snort
ASDM
AMP
 Answers Explanation & Hints:
Snort is the IPS detection and enforcement engine that is included in the SEC license for
4000 Series ISRs.
34. A company is concerned about data theft if any of the corporate laptops are stolen.
Which Windows tool would the company use to protect the data on the laptops?
AMP
802.1X
RADIUS
BitLocker
 Answers Explanation & Hints:
Storage devices can be encrypted to protect data from unauthorized access. Windows
BitLocker provides drive encryption.
35. What protocol is used to encapsulate the EAP data between the authenticator and
authentication server performing 802.1X authentication?
RADIUS
TACACS+
SSH
MD5
 Answers Explanation & Hints:
Encapsulation of EAP data between the authenticator and the authentication server is
performed using RADIUS.
36. A company requires the use of 802.1X security. What type of traffic can be sent if
the authentication port-control auto command is configured, but the client has not
yet been authenticated?
SNMP
EAPOL
broadcasts such as ARP
any data encrypted with 3DES or AES
 Answers Explanation & Hints:
802.1X prevents unauthorized devices from gaining access to the network. The
authentication port-control auto command turns on 802.1X access control. Until the client is
authenticated, 802.1X only allows Extensible Authentication Protocol over LAN (EAPOL),
Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic to pass through
the port. EAPOL messages are sent between the client and the authenticator such as a
switch. If authentication is successful, normal traffic can be sent and received through the
port.
37. Which two security features can cause a switch port to become error-disabled?
(Choose two.)
root guard
PortFast with BPDU guard enabled
protected ports
storm control with the trap option
port security with the shutdown violation mode
 
Answers Explanation & Hints:
Error-disabled mode is a way for a switch to automatically shut down a port that is causing
problems, and usually requires manual intervention from an administrator to restore the port.
When port security is configured to use the shutdown violation mode, it will put the port into
the error-disabled mode when the maximum number of MAC addresses is exceeded.
Likewise, BPDU guard will put the port into error-disabled mode if a BPDU arrives on a
PortFast enabled interface. Storm control will only put the port into the error-disabled mode
when configured with the shutdown option. The trap option will simply create an SNMP log
message.
38. What are three techniques for mitigating VLAN hopping attacks? (Choose three.)
Disable DTP.
Enable trunking manually.
Set the native VLAN to an unused VLAN.
Enable BPDU guard.
Enable Source Guard.
Use private VLANs.
 Answers Explanation & Hints:
Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol
(DTP), manually setting ports to trunking mode, and by setting the native VLAN of trunk links
to VLANs not in use.
39. Refer to the exhibit. A network administrator is configuring DAI on switch SW1.
What is the result of entering the exhibited commands?
Network Security (Version 1) – Network Security 1.0 Practice Final Answers 08
DAI will validate only the IP addresses.
DAI will validate only the destination MAC addresses.
DAI will validate both source and destination MAC addresses as well as the IP addresses in the order specified.
When one set of parameters are valid, the ARP packet is allowed to pass.
DAI will validate both source and destination MAC addresses as well as the IP addresses in the order specified.
If all parameters are valid then the ARP packet is allowed to pass.
 Answers Explanation & Hints:
DAI can be configured to check for destination MAC, source MAC, and IP addresses.
However, only one ip arp inspection validate command can be configured. Entering multiple
ip arp inspection validate commands overwrites the previous command.
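A DAI configuration that illustrates the "last validate command wins" behaviour described above, as an added example rather than the commands shown in the exhibit. The VLAN number and interface names are assumed; DAI uses the DHCP snooping binding table to decide which IP-to-MAC pairs are legitimate, so snooping is enabled first.

```cisco
! Added example (not from the original answer key): Dynamic ARP Inspection
! on a Cisco IOS switch. VLAN and interfaces are assumed.
!
! DAI checks ARP packets against the DHCP snooping binding table
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Enable DAI for the VLAN
ip arp inspection vlan 10
!
! Additional validation: only ONE "validate" command is kept, so list every
! check in a single command. Issuing "validate src-mac" and then
! "validate ip" as separate commands would leave only the "ip" check active.
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward the DHCP server / other trusted switch: not inspected
interface GigabitEthernet1/0/1
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports stay untrusted (the default), so their ARP traffic is checked
interface GigabitEthernet1/0/2
 switchport access vlan 10
end
!
! Verification: confirms which validations are active and counts dropped ARPs
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

The `show ip arp inspection vlan 10` output lists the active validation checks, which is the quickest way to confirm that all three options survived rather than only the last one entered.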
40. During a recent pandemic, employees from ABC company were allowed to work
from home. What security technology should be implemented to ensure that data
communications between the employees and the ABC Head Office network remain
confidential?
a symmetric or asymmetric encryption algorithm such as AES or PKI
a hashing algorithm such as MD5
a hash message authentication code such as HMAC
a hash-generating algorithm such as SHA
Answers Explanation & Hints:
MD5 and SHA are hash-generating algorithms that guarantee that no one intercepted the
message and altered it. Advanced Encryption Standard (AES) is a popular symmetric
encryption algorithm where each communicating party needs to know the pre-shared key.
Public key infrastructure (PKI) is an asymmetric encryption algorithm based on the
assumption that the two communicating parties have not previously shared a secret key.
HMAC is a hash message authentication code that guarantees that the message is not a
forgery and actually comes from the authentic source.
41. Which cipher played a significant role in World War II?
RC4
Caesar
Enigma
One-time pad
 Answers Explanation & Hints:
The Enigma machine was an electromechanical encryption device that created the Enigma
cipher and was developed during World War II. The device depended on the distribution of
pre-shared keys that were used to encrypt and decrypt messages.
42. One method used by Cryptanalysts to crack codes is based on the fact that some
letters of the English language are used more often than others. Which term is used
to describe this method?
cybertext
meet-in-the-middle
frequency analysis
known-plaintext
 Answers Explanation & Hints:
Frequency analysis uses the fact that some characters in the English alphabet are used more
often than others. The letters E, T, and A are the most popular letters and J, Q, X, and Z are
the least popular.
43. Why are DES keys considered weak keys?
They are more resource intensive.
DES weak keys are difficult to manage.
They produce identical subkeys.
DES weak keys use very long key sizes.
 Answers Explanation & Hints:
Weak keys, whether part of an existing encryption algorithm or manually generated, reveal
regularities in encryption. This creates a shortcut by which a hacker can break the encryption.
DES has four keys for which encryption is identical to decryption.
44. What is a difference between symmetric and asymmetric encryption algorithms?
Symmetric algorithms are typically hundreds to thousands of times slower than asymmetric algorithms.
Symmetric encryption algorithms are used to authenticate secure communications. Asymmetric encryption
algorithms are used to repudiate messages.
Symmetric encryption algorithms are used to encrypt data. Asymmetric encryption algorithms are used to
decrypt data.
Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption algorithms use different keys to
encrypt and decrypt data.
 Answers Explanation & Hints:
Asymmetric algorithms can use very long key lengths in order to avoid being hacked. This
results in the use of significantly increased resources and time compared to symmetric
algorithms.
45. What technology allows users to verify the identity of a website and to trust code
that is downloaded from the Internet?
asymmetric key algorithm
digital signature
encryption
hash algorithm
 Answers Explanation & Hints:
Digital signatures provide assurance of the authenticity and integrity of software codes. They
provide the ability to trust code that is downloaded from the Internet.
46. Which two statements correctly describe certificate classes used in the PKI?
(Choose two.)
A class 0 certificate is for testing purposes.
A class 0 certificate is more trusted than a class 1 certificate.
The lower the class number, the more trusted the certificate.
A class 5 certificate is for users with a focus on verification of email.
A class 4 certificate is for online business transactions between companies.
 Answers Explanation & Hints:
A digital certificate class is identified by a number. The higher the number, the more trusted
the certificate. The classes include the following:
 – Class 0 is for testing purposes in which no checks have been performed.
 – Class 1 is for individuals with a focus on verification of email.
 – Class 2 is for organizations for which proof of identity is required.
 – Class 3 is for servers and software signing for which independent verification and checking of
identity and authority is done by the issuing certificate authority.
 – Class 4 is for online business transactions between companies.
 – Class 5 is for private organizations or governmental security.
47. What is the standard for a public key infrastructure to manage digital certificates?
PKI
NIST-SP800
x.503
x.509
 
Answers Explanation & Hints:
The x.509 standard is for a PKI infrastructure and x.500 is for directory structures.
48. What is a benefit of having users or remote employees use a VPN to connect to the
existing network rather than growing the network infrastructure?
security
scalability
cost savings
compatibility
 Answers Explanation & Hints:
A benefit of VPNs is scalability because organizations can use the Internet and easily add
new users without adding significant infrastructure. Security is provided by using encryption
and authentication protocols to protect data. Another benefit is compatibility because VPNs
can be implemented across a wide variety of WAN connections. Organizations also benefit
from cost savings because VPNs reduce connectivity costs while simultaneously increasing
remote connection bandwidth.
49. Which two statements describe remote access VPNs? (Choose two.)
Remote access VPNs are used to connect entire networks, such as a branch office to headquarters.
End users are not aware that VPNs exist.
A leased line is required to implement remote access VPNs.
Client software is usually required to be able to access the network.
Remote access VPNs support the needs of telecommuters and mobile users.
 Answers Explanation & Hints:
Remote access VPNs are designed to provide for the needs of telecommuters and mobile
users through the use of software that is installed on the client to encrypt and encapsulate the
data. Remote access VPNs can be used across a variety of WAN connections. Users must
access the client software to initiate the VPN connection.
50. What are two hashing algorithms used with IPsec AH to guarantee authenticity?
(Choose two.)
MD5
SHA
AES
DH
RSA
 Answers Explanation & Hints:
The IPsec framework uses various protocols and algorithms to provide data confidentiality,
data integrity, authentication, and secure key exchange. Two popular algorithms used to
ensure that data is not intercepted and modified (data integrity and authenticity) are MD5 and
SHA.
51. What is the purpose of configuring multiple crypto ACLs when building a VPN
connection between remote sites?
By applying the ACL on a public interface, multiple crypto ACLs can be built to prevent public users from
connecting to the VPN-enabled router.
Multiple crypto ACLs can be configured to deny specific network traffic from crossing a VPN.
When multiple combinations of IPsec protection are being chosen, multiple crypto ACLs can define different
traffic types.
Multiple crypto ACLs can define multiple remote peers for connecting with a VPN-enabled router across the
Internet or network.
Answers Explanation & Hints:
A crypto ACL can define “interesting traffic” that is used to build a VPN, and forward that
“interesting traffic” across the VPN to another VPN-enabled router. Multiple crypto ACLs are
used to define multiple different types of traffic and utilize different IPsec protection
corresponding to the different types of traffic.
52. Refer to the exhibit. An administrator creates three zones (A, B, and C) in an ASA
that filters traffic. Traffic originating from Zone A going to Zone C is denied, and
traffic originating from Zone B going to Zone C is denied. What is a possible
scenario for Zones A, B, and C?
[Exhibit image not reproduced: Network Security (Version 1) – Network Security 1.0 Practice Final Answers 02]
A – DMZ, B – Inside, C – Outside
A – Inside, B – DMZ, C – Outside
A – DMZ, B – Outside, C – Inside
A – Outside, B – Inside, C – DMZ
Answers Explanation & Hints:
ASA protects Network/Zone C (Inside) from unauthorized access by users on a
Network/Zone B (Outside). It also denies traffic from Network/Zone A (DMZ) to access the
Network/Zone C (Inside).
53. Which special hardware module, when integrated into ASA, provides advanced IPS
features?
Content Security and Control (CSC)
Advanced Inspection and Prevention (AIP)
Advanced Inspection and Prevention Security Services Card (AIP-SSC)
Advanced Inspection and Prevention Security Services Module (AIP-SSM)
Answers Explanation & Hints:
The advanced threat control and containment services of an ASA firewall are provided by
integrating special hardware modules with the ASA architecture. These special modules
include:
Advanced Inspection and Prevention (AIP) module – supports advanced IPS capability.
Content Security and Control (CSC) module – supports antimalware capabilities.
Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM) and Cisco
Advanced Inspection and Prevention Security Services Card (AIP-SSC) – support protection
against tens of thousands of known exploits.
54. Refer to the exhibit. A network administrator is configuring the security level for the
ASA. What is a best practice for assigning the security level on the three
interfaces?
[Exhibit image not reproduced: Network Security (Version 1) – Network Security 1.0 Practice Final Answers 03]
Outside 0, Inside 35, DMZ 90
Outside 40, Inside 100, DMZ 0
Outside 0, Inside 100, DMZ 50
Outside 100, Inside 10, DMZ 40
Answers Explanation & Hints:
The Cisco ASA assigns security levels to distinguish among the different networks it connects.
Security levels define the trustworthiness of an interface: the higher the level, the more
trusted the interface. Security levels range from 0 (untrustworthy) to 100 (very
trustworthy). Therefore, the interface connecting to the Internet should be assigned the
lowest level, the interface connecting to the internal network the highest level, and the
interface connecting to the DMZ network a level between them.
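The zone scenario in question 52 and the level assignment in question 54 follow from one rule: by default an ASA permits new connections from a higher security level to a lower one and denies them from lower to higher (and between equal levels) unless an ACL or `same-security-traffic permit` allows them. The following is an added example (not code from the exam page or from Cisco) that models that rule and checks each answer option against it; the levels 0/50/100 for outside/DMZ/inside are the conventional assignment, and the ACL-permit set is a constructed assumption.

```python
"""Model of the Cisco ASA default security-level policy (questions 52 and 54).

Added example, not from the exam page. Each interface has a security level
from 0 to 100; traffic is permitted by default from a higher level to a lower
one and denied from lower to higher (or between equal levels) unless an ACL
entry or same-security-traffic permit allows it. The zone mappings and level
triples tested below are the answer options from the page.
"""
from dataclasses import dataclass, field


@dataclass
class AsaPolicy:
    levels: dict[str, int]                                   # interface name -> security level
    acl_permits: set[tuple[str, str]] = field(default_factory=set)  # (src_if, dst_if) permitted by ACL
    same_security_inter_interface: bool = False              # same-security-traffic permit inter-interface

    def __post_init__(self) -> None:
        for name, level in self.levels.items():
            if not 0 <= level <= 100:
                raise ValueError(f"{name}: security level {level} is outside 0-100")

    def allows(self, src: str, dst: str) -> bool:
        """Would a new connection entering on src and leaving on dst be permitted?"""
        if src == dst:
            raise ValueError("traffic re-entering the same interface is not modelled here")
        if (src, dst) in self.acl_permits:      # an explicit ACL permit overrides the default
            return True
        s, d = self.levels[src], self.levels[dst]
        if s > d:                               # higher -> lower: permitted by default
            return True
        if s == d:                              # equal levels: only with same-security-traffic permit
            return self.same_security_inter_interface
        return False                            # lower -> higher: denied by default


def follows_best_practice(outside: int, inside: int, dmz: int) -> bool:
    """Question 54: outside at the lowest level, inside at the highest, DMZ between."""
    return outside < dmz < inside


def zone_mapping_consistent(mapping: dict[str, str]) -> bool:
    """Question 52: is 'A->C denied and B->C denied' true under the default levels?"""
    policy = AsaPolicy({"outside": 0, "dmz": 50, "inside": 100})
    a, b, c = mapping["A"], mapping["B"], mapping["C"]
    return not policy.allows(a, c) and not policy.allows(b, c)


if __name__ == "__main__":
    for levels in [(0, 35, 90), (40, 100, 0), (0, 100, 50), (100, 10, 40)]:
        print("levels outside/inside/dmz", levels, follows_best_practice(*levels))
    for m in [
        {"A": "dmz", "B": "inside", "C": "outside"},
        {"A": "inside", "B": "dmz", "C": "outside"},
        {"A": "dmz", "B": "outside", "C": "inside"},
        {"A": "outside", "B": "inside", "C": "dmz"},
    ]:
        print(m, zone_mapping_consistent(m))
```

Running it shows that only `Outside 0, Inside 100, DMZ 50` satisfies the ordering and that only `A – DMZ, B – Outside, C – Inside` denies both A→C and B→C by default, which is the reasoning the two explanations give. The model deliberately stops at the default policy: on a real ASA, an ACL applied inbound on the lower-security interface is what opens DMZ services to outside users, and that is exactly the kind of exception the `acl_permits` set represents.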
55. Refer to the exhibit. A network administrator is configuring an object group on an
ASA device. Which configuration keyword should be used after the object group
name SERVICE1?
[Exhibit image not reproduced: Network Security (Version 1) – Network Security 1.0 Practice Final Answers 05]
ip
tcp
udp
icmp
Answers Explanation & Hints:
Because this is a service object group, the keyword should indicate which protocol is used.
The options are tcp, udp, tcp-udp, icmp, and icmpv6. The subsequent commands indicate
that the services in the group are WWW, FTP, and SMTP. Because all of these protocols use
TCP, the keyword in the service object group should be tcp.
56. In the implementation of network security, how does the deployment of a Cisco ASA
firewall differ from a Cisco IOS router?
ASA devices use ACLs that are always numbered.
ASA devices do not support an implicit deny within ACLs.
ASA devices support interface security levels.
ASA devices use ACLs configured with a wildcard mask.
Answers Explanation & Hints:
The differences between ASA devices and Cisco IOS routers include the following:
- An ASA device configured with ACLs is configured with a subnet mask.
- An ASA device supports interface security levels.
- An ASA device configured with an ACL is always named.
ASA devices and Cisco IOS routers are similar in that they both support an implicit deny
within an ACL.
57. Refer to the exhibit. A network administrator is configuring PAT on an ASA device
to enable internal workstations to access the Internet. Which configuration
command should be used next?
[Exhibit image not reproduced: Network Security (Version 1) – Network Security 1.0 Modules 20-22 ASA Group Exam Answers 03]
nat (inside,outside) dynamic NET1
nat (outside,inside) dynamic NET1
nat (inside,outside) dynamic interface
nat (outside,inside) dynamic interface
Answers Explanation & Hints:
The nat (inside,outside) dynamic interface command indicates that inside hosts are
overloading the outside address of the mapped interface.
58. What type of network security test uses simulated attacks to determine the
feasibility of an attack as well as the possible consequences if the attack occurs?
penetration testing
network scanning
integrity checking
vulnerability scanning
Answers Explanation & Hints:
There are many tests that are used by security specialists to assess the status of a system.
They include the following:
- penetration testing to determine the feasibility of attacks
- network scanning to scan for and identify open TCP ports
- integrity checking to check for changes that have occurred in the system
- vulnerability scanning to detect potential weaknesses in systems
59. What three tasks can a network administrator accomplish with the Nmap and
Zenmap security testing tools? (Choose three.)
operating system fingerprinting
assessment of Layer 3 protocol support on hosts
open UDP and TCP port detection
security event analysis and reporting
password recovery
development of IDS signatures
Answers Explanation & Hints:
Nmap is a low-level network scanner that is available to the public and that has the ability to
perform port scanning, to identify open TCP and UDP ports, and which can also perform
system identification. It can also be used to identify Layer 3 protocols that are running on a
system. Zenmap is the GUI version of Nmap.
60. Match the network security testing tool with the correct function. (Not all options
are used.)
[Exhibit image not reproduced: Network Security (Version 1) – Network Security 1.0 Practice Final Answers 006]