640-553 - IINS Implementing Cisco IOS Network Security
Go back to Cisco
Which one of the following commands can be used to enable AAA authentication to determine if a user can access the privilege command level?
aaa authentication enable default
Which location will be recommended for extended or extended named ACLs?
a location as close to the source traffic as possible
Which option is a desirable feature of using symmetric encryption algorithms?
they are often used for wire-speed encryption in data networks
Before a Diffie-Hellman exchange may begin, the two parties involved must agree on what?
Two nonsecret numbers
When configuring AAA login authentication on CISCO routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two)
Examine the following options, which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10?
access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
Which option is the term for the likelihood that a particular threat using a specific attack will exploit particular vulnerability of a system that results in an undesirable consequence?
Which three are distinctions between asymmetric and symmetric algorithms? (Choose all that apply.)
Asymmetric algorithms are based on more complex mathematical computations.
Only asymmetric algorithms have a key exchange technology built in. 28
Asymmetric algorithms are used quite often as key exchange protocols for symmetric algorithms.
Which type of firewall is needed to open appropriate UDP ports required for RTP streams?
Which one of the following items may be added to a password stored in MD5 to make it more secure?
Which two ports are used with RADIUS authentication and authorization?(Choose two.)
UDP port 1645
UDP port 1812
As a candidate for CCNA examination, when you are familiar with the basic commands, if you input the command "enable secret level 5 password" in the global mode , what does it indicate?
The enable secret password is for accessing exec privilege level 5.
Stream ciphers run on which of the following?
Individual digits, one at a time, with the transformations varying during the encryption
DES typically operates in block mode, where it encrypts data in what size blocks?
Which one is the most important based on the following common elements of a network design?
You have several operating groups in your enterprise that require different access restrictions to the routers to perform their jobs roles. These groups range from Help Desk personnel to advanced troubleshooters. 33 What is one methodology for controlling access rights to the router in these situation?
configure multiple privilege level access
You are a network technician at Cisco.com. Which description is correct when you have generated RSA keys on your Cisco router to prepare for secure device management?
The SSH protocol is automatically enabled.
Which option is true of using cryptographic hashes?
they convert arbitrary data into fixed length digits
In an IEEE 802.1x deployment, between which two devices EAPOL messages typically are sent?
Between the supplicant and the authenticator
The enable secret password appears as an MD5 hash in a router's configuration file, whereas the enable password is not hashed (or encrypted, if the password-encryption service is not enabled). What is the reason that Cisco still support the use of both enable secret and enable passwords in a router's configuration?
The enable password is present for backward compatibility.
What will be disabled as a result of the no service password-recovery command?
Which statement is true about configuring access control lists to control Telnet traffic destined to the router itself?
The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
Which option ensures that data is not modified in transit?
Which option is the term for a weakness in a system or its design that can be exploited by a threat
Examine the following items, which one offers a variety of security solutions, including firewall, IPS, VPN, antispyware, antivirus, and antiphishing features?
Cisco ASA 5500 series security appliance
Which statement about disabled signatures when using Cisco IOS IPS is true?
They still consume router resources.
Which threat are the most serious?
Which type of MAC address is dynamically learned by a switch port and then added to the switch's running configuration?
Sticky secure MAC address
Which statement is true about a certificate authority (CA)?
A trusted third party responsible for signing the public keys of entities in a PKIbased system
What is a static packet-filtering firewall used for?
It analyzes network traffic at the network and transport protocol layers.
Refer to Cisco IOS Zone-Based Policy Firewall, where will the inspection policy be applied?
to the zone-pair
Which Public Key Cryptographic Standards (PKCS) defines the syntax for encrypted messages and messages with digital signatures?
Which option correctly defines asymmetric encryption?
uses different keys to encrypt and decrypt data
You work as a network engineer, do you know an IPsec tunnel is negotiated within the protection of which type of tunnel?
What is the purpose of Diffie-Hellman?
used to establish a symmetric shared key via a public key exchange process
Which protocol will use a LUN as a way to differentiate the individual disk drives that comprise a target device?
Which two functions are required for IPsec operation? (Choose two.)
using Diffie-Hellman to establish a shared-secret key
using IKE to negotiate the SA
When configuring Cisco IOS login enhancements for virtual connections, what is the "quiet period"?
The period of time in which virtual login attempts are blocked, following repeated failed login attempts
Which option is true of intrusion prevention systems?
they operate in inline mode
Examine the following options ,when editing global IPS settings, which one determines if the IOS-based IPS feature will drop or permit traffic for a particular IPS signature engine while a new signature for that engine is being compiled?
Enable Engine Fail Closed
Which statement is true about vishing?
Influencing users to provide personal information over the phone
Which of these options is a Cisco IOS feature that lets you more easily configure security features on your router?
the auto secure CLI command
Regarding constructing a good encryption algorithm, what does creating an avalanche effect indicate?
Changing only a few bits of a plain-text message causes the ciphertext to be completely different.
Which of the following are techniques used by symmetric encryption cryptography? (Choose all that apply.)
Message Authentication Codes (MAC)
If you click the Configure button along the top of Cisco SDM's graphical interface,which Tasks button permits you to configure such features as SSH, NTP, SNMP, and syslog?
How does CLI view differ from a privilege level?
A CLI view supports only commands configured for that specific view, whereas a privilege level supports commands available to that level and all the lower levels.
Which description is true about ECB mode?
ECB mode uses the same 56-bit key to serially encrypt each 64-bit plain-text block.
Which is the main difference between host-based and network-based intrusion prevention?
Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers.
Which VoIP components can permit or deny a call attempt on the basis of a network's available bandwidth?
When configuring SSH, which is the Cisco minimum recommended modulus value?