640-554 - Implementing Cisco IOS Network Security
In the Cisco IOS Zone-Based Policy Firewall, where is the inspection policy applied?
to the zone-pair
Which three statements about applying access control lists to a Cisco router are true? (Choose three.)
Place more specific ACL entries at the top of the ACL.
Router-generated packets cannot be filtered by ACLs on the router.
If an access list is applied but it is not configured, all traffic passes.
On Cisco ISR routers, for what purpose is the realm-cisco.pub public encryption key used?
used to verify the digital signature of the IPS signature file
Which router management feature provides for the ability to configure multiple administrative views?
Which option is a feature of Cisco ScanSafe technology?
consistent cloud-based policy
Which type of management reporting is defined by separating management traffic from production traffic?
Which location is recommended for extended or extended named ACLs?
a location as close to the source traffic as possible
Which type of firewall technology is considered the most versatile and commonly used firewall technology?
stateful packet filter firewall
Which type of security control is defense in depth?
When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL?
Which statement is true about configuring access control lists to control Telnet traffic destined to the router itself?
The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
When a network transitions from IPv4 to IPv6, how many bits does the address expand to?
How many crypto map sets can you apply to a router interface?
What does the secure boot-config global configuration accomplish?
takes a snapshot of the router running configuration and securely archives it in persistent storage
Which statement about asymmetric encryption algorithms is true?
They use different keys for encryption and decryption of data.
Which network security framework is used to set up access control on Cisco Appliances?
You are troubleshooting a Cisco AnyConnect VPN on a firewall and issue the command show webvpn anyconnect. The output shows the message "SSL VPN is not enabled" instead of showing the AnyConnect package. Which action can you take to resolve the problem?
Issue the anyconnect enable command.
When port security is enabled on a Cisco Catalyst switch, what is the default action when the configured maximum number of allowed MAC addresses value is exceeded?
The port is shut down.
When configuring a site-to-site IPsec VPN using the CLI, the authentication pre-share command is configured in the ISAKMP policy. Which additional peer authentication configuration is required?
Configure a PSK with the crypto isakmp key global configuration command.
Which option is the correct representation of the IPv6 address 2001:0000:150C:0000:0000:41B1:45A3:041D?
Which command will configure AAA accounting using the list of all RADIUS servers on a device to generate a reload event message when the device reloads?
aaa accounting system default start-stop group radius
Which type of NAT would you configure if a host on the external network required access to an internal host?
Which two protocols are used in a server-based AAA deployment? (Choose two.)
Which two statements about SSL-based VPNs are true? (Choose two.)
Asymmetric algorithms are used for authentication and key exchange.
The authentication process uses hashing technologies.
Which type of Layer 2 attack causes a switch to flood all incoming traffic to all ports?
CAM overflow attack
How are Cisco IOS access control lists processed?
ACLs are matched from top down.
Which two options are for securing NTP? (Choose two.)
Which two countermeasures can mitigate MAC spoofing attacks? (Choose two.)
IP source guard
Which type of encryption algorithm uses public and private keys to provide authentication, integrity, and confidentiality?
In an IPsec VPN, what determination does the access list make about VPN traffic?
whether the traffic should be encrypted
Which option describes a function of a virtual VLAN?
A virtual VLAN creates a logically partitioned LAN to place switch ports in a separate broadcast domain.
Which statement describes how the sender of the message is verified when asymmetric encryption is used?
The sender encrypts the message using the receiver's public key, and the receiver decrypts the message using the receiver's private key.
What is the best way to prevent a VLAN hopping attack?
Disable DTP negotiations.
Which type of network masking is used when Cisco IOS access control lists are configured?
Which statement describes a best practice when configuring trunking on a switch port?
Configure an unused VLAN as the native VLAN.
What is the purpose of a trunk port?
A trunk port carries traffic for multiple VLANs.
The host A Layer 2 port is configured in VLAN 5 on switch 1, and the host B Layer 2 port is configured in VLAN 10 on switch 1. Which two actions can you take to enable the two hosts to communicate with each other? (Choose two.)
Configure inter-VLAN routing.
Configure switched virtual interfaces.
Which aaa accounting command is used to enable logging of the start and stop records for user terminal sessions on the router?
aaa accounting exec start-stop tacacs+
What are two disadvantages of using network IPS? (Choose two.)
Network IPS has a difficult time reconstructing fragmented traffic to determine if an attack was successful.
Network IPS is incapable of examining encrypted traffic.
On which protocol number does the authentication header operate?
Which statement about disabled signatures when using Cisco IOS IPS is true?
They still consume router resources.
Which two options are characteristics of the Cisco Configuration Professional Security Audit wizard? (Choose two.)
displays a screen with fix-it check boxes to let you choose which potential security-related configuration changes to implement
requires users to first identify which router interfaces connect to the inside network and which connect to the outside network
Which statement about Control Plane Policing is true?
Control Plane Policing allows QoS filtering to protect the control plane against DoS attacks.
Which step is important to take when implementing secure network management?
Synchronize clocks on hosts and devices.
Under which higher-level policy is a VPN security policy categorized?
remote access policy.
Which protocol provides security to Secure Copy?
When port security is enabled on a Cisco Catalyst switch, what is the default action when the maximum number of allowed MAC addresses is exceeded?
The port is shut down.
Which Cisco management tool provides the ability to centrally provision all aspects of device configuration across the Cisco family of security products?
Cisco Security Manager
Which option is a key difference between Cisco IOS interface ACL configurations and Cisco ASA appliance interface ACL configurations?
The Cisco ASA appliance interface ACL configurations use netmasks instead of wildcard masks.
Which authentication method is available when specifying a method list for group policy lookup using the CCP Easy VPN Server wizard?