350-018 - CCIE Security Written Exam
Go back to
Cisco
Example Questions
Which two of the following provide protect against man-in-the-middle attacks? (Choose two.)
IPsec VPNs
Secure Sockets Layer
What is the default username and password set for Cisco Security Device Manager (SDM)?
cisco/cisco
Which protocol does 802.1X use between the supplicant and the authenticator to authenticate users who wish to access the network?
EAP over LAN
error: % Invalid input detected at '^' marker. Above error is received when generating RSA keys for SSH access on a router using the crypto key generate rsa command. What are the reasons for this error? (Choose two.)
The image that is used on the router does not support the crypto key generate rsa command.
The command has been used with incorrect syntax.
Which of the following types of traffic is NOT subject to inspection in the 105 Firewall Feature Set?
ICMP
Which of the following is true with respect to active/active failover on the adaptive security appliance? Select the best response.
available only for systems running in multiple context mode
Which IPv6 Interior Gateway Protocol (IGP) relies entirely on IPsec to secure communications between neighbors?
OSPFv3
Which of these communications mechanisms can be used between Cisco Security Device Manager (SDM) and a Cisco router in addition to HTTP or HTTPS to read and write the router configurations?
Telnet/SSH
To prevent a potential attack on a Cisco IOS router with the echo service enabled, what action should you take?
Disable tcp-small-servers.
The communication between Cisco Configuration Professional and a Cisco router is secured using which of these?
SSL
Which option on the Cisco ASA appliance must be enabled when implementing botnet traffic filtering?
DNS inspection and DNS snooping
Which multicast capability is not supported by the Cisco ASA appliance?
sending multicast traffic across a VPN tunnel
An attacker configures an access point to broadcast the same SSID that is used at a public hot-spot, and launches a deauthentication attack against the clients that are connected to the hot-spot, with the hope that the clients will then associate to the AP of the attacker. In addition to the deauthentication attack, what attack has been launched?
man-in-the-middle
What is the main reason for using the ip ips deny-action ips-interface Cisco IOS command?
to support load-balancing configurations in which traffic can arrive via multiple interfaces
Why would a Network Administrator want to use Certificate Revocation Lists (CRLs) in their IPSec implementations?
They allow them to deny devices with certain certificates from being authenticated to their network.
Which three statements are true about the Cisco NAC Appliance solution? (Choose three.)
In a Layer 3 OOB ACL deployment of the Cisco NAC Appliance, the discovery host must be configured as the untrusted IP address of the Cisco NAC Appliance Server.
In a VRF-style OOB deployment of the Cisco NAC Appliance, the discovery host may be the IP address that is on the trusted side of the Cisco NAC Appliance Server.
In a Layer 3 IB deployment of the Cisco NAC Appliance, the discovery host may be configured as the IP address of the Cisco NAC Appliance Manager.
What is Chain of Evidence in the context of security forensics?
The concept that evidence is controlled and accounted for as to not disrupt its authenticity and integrity.
Routers running OSPF and sharing a common segment become neighbors on that segment. What statement regarding OSPF neighbors is FALSE?
The Primary and Secondary addresses on an interface allow the router to belong to different areas at the same time.
What would be the best reason for selecting L2TP as a tunnel protocol for a VPN Client?
L2TP uses PPP so address allocation and authentication is built into the protocol instead of relying on IPSec extended functions, like mode config and a-auth.
Which three of these are performed by both RADIUS and TACACS+ servers?(choose three)
Login authentication
EXEC authorization
EXEC accounting
Which three statements are true regarding the EIGRP update message? (Choose three.)
Updates require an acknowledgement with an ACK message.
Updates can be sent to the multicast address 224.0.0.10.
Updates are sent as unicasts when they are retransmitted.
An attacker is attempting to Telnet a specific host secured behind a firewall rule that only allows inbound connections on TCP port 25. What aspect of RFC 791 (Internet Protocol) can the attacker exploit to perform this attack?
Send two packets, the first packet with the DF bit clear and the MF bit set, and the second packet with a fragmentation offset of 1 and a destination port of TCP 23
Which would be the best method to deploy on a Cisco ASA to detect and prevent viruses and worms?
content security via the Control Security Services Module
The following is an example of an IPSec error message: IPSEC(validat_proposal): invalid local address 192.1.1.1 ISAKMP (0:3): atts not acceptable. Next payload is 0 ISAKMP (0:3): SA not acceptable! What is the most common problem that this message can be attributed to?
Crypto map is applied to the wrong interface or is not applied at all.
A security System Administrator is reviewing the network system log files. The administrator notes that: - Network log files are at 5 MB at 12:00 noon. - At 14:00 hours, the log files at 3 MB. What should the System Administrator assume has happened and what should they do?
Log the event as suspicious activity, continue to investigate, and take further steps according to site security policy.
What new features were added to the PIX in version 7.0? (Choose 3)
Support for multiple virtual firewalls
Rate-Limiting
Transparent firewall
Which of the following statements is true regarding SSL?
Encryption is used after a simple handshake is completed.
How can Netflow be used to help identify a day-zero scanning worm?
Netflow statistics can show a huge increase in traffic on a specific day.
Which additional configuration component is required to implement a MACSec Key Agreement policy on user-facing Cisco Catalyst switch ports?
802.1x
What is the recommended network MACSec policy mode for high security deployments?
should-secure
What does qos pre-classify provides in regard to implementing QoS over GRE/IPSec VPN tunnels?
enables IOS to make a copy of the inner (original) IP header and to run a QoS classification before encryption, based on fields in the inner IP header.
What two things must you do on the router before generating an SSH key with the "crypto key generate rsa "IOS command ?
Configure the default IP domain name that the router will use
Configure the host name of the router
Which of these statements best describes the advantage of using cisco secure desktop which is part of the cisco ASA VPN solution?
Secure desktop will create a completely separate computing environment that will be deleted when you are done. This ensures that no confidential data has been left on the shared/public computer.
Which of the following are valid choices for ESP cipher algorithms in a Cisco IOS IPsec transform set? Select 2 response(s).
esp-null, esp-seal
esp-aes 192, esp-des, esp-3des
Which three of these situations warrant engagement of a Security Incident Response team? (Choose three.)
loss of data confidentiality/integrity
damage to computer/network resources
computer or network misuse/abuse
When configuring a Cisco adaptive security appliance in multiple context mode, which one of these capabilities is supported?
static routes
How are the username and password transmitted if a basic HTTP authentication is used?
Base64 encoded username and password
Which two statements are correct regarding the AES encryption algorithm? (Choose two.)
It is a FIPS-approved symmetric block cipher.
It supports a cipher key size of 128, 192, or 256 bits.
Which IPS appliance signature engine inspects IPv6 Layer 3 traffic?
Atomic IP Advanced
Which two of the following can you configure an IPS sensor with three sniffing interfaces as? (Choose two.)
three promiscuous sensors
one inline sensor, one promiscuous sensor
If the result of an attack left an ARP table in the state below, what address would you suspect of launching the attack? Internet 171.16.1.100 - 000c.5a35.3c77 ARPA FastEthernet0/0 Internet 171.16.1.111 0 00bc.d1f5.f769 ARPA FastEthernet0/0 Internet 171.16.1.112 0 00bc.d1f5.f769 ARPA FastEthernet0/0 Internet 171.16.1.113 3 00bc.d1f5.f769 ARPA FastEthernet0/0 Internet 171.16.1.114 0 00bc.d1f5.f769 ARPA FastEthernet0/0
171.16.1.113
What service SHOULD be enabled on ISO firewall devices?
Password-encryption.
Which three packet types will be used by TACACS+ authentication? (Choose three.)
START
CONTINUE
REPLY
Which IOS QoS mechanism is used strictly to rate limit traffic destined to the router itself?
Control Plane Policing
Event Store is a component of which IPS application?
MainApp
In IPSec, what encapsulation protocol only encrypts the data and not the IP header?
ESP
When configuring a multipoint GRE tunnel interface, which one of the following is not a valid configuration option? Select the best response.
tunnel destination
Which algorithms did TKIP add to the 802.11 specification? (Choose 3)
key mixing
message integrity check
anti-replay sequence counter
Which statement below is true about the command "nat control" on the ASA?
It requires traffic originating from the inside interface to match a NAT translation rule to pass through the firewall on the outside interface.
What is the best way to mitigate Browser Helper Objects (BHO) from being installed on your system?
A BHO installation can be stopped using CSA rules.
Study Guides