642-504 - Securing Networks with Cisco Routers and Switches
Go back to Cisco
For the following Cisco IOS Firewall features, which one allows the firewall to function as a Layer 2 bridge on the network?
You are the Cisco Configuration Assistant in your company. Which TCP port would you use to access the Cisco ACS web interface?
What command configures the amount of time CBAC will wait for a TCP session to become established before dropping the connection in the state table?
ip inspect tcp synwait-time (seconds)
You are configuring the authentication feature on a new Company router. Which of the following correctly sets the IOS Firewall authentication-proxy idle timer to 20 minutes?
ip auth-proxy auth-cache-time 20
While using 5.x signatures to enable Cisco IOS IPS, which required option, could be downloaded from Cisco.com?
Which two technologies can secure the control plane of the Cisco router? (Choose two.)
routing protocol authentication
Which two features are included in Cisco IOS SSL VPN thin-client mode? (Choose two.)
uses a Java applet
provides TCP port forwarding capabilities
Cisco Secure Access Control Server (ACS) is a highly scalable, high-performance access control server that provides a comprehensive identity networking solution. Which of these statements is correct regarding user setup on ACS 4.0?
Users are assigned to the default group.
Which two category types are associated with 5.x signature use in Cisco IOS IPS? (Choose two.)
Which of the following IOS commands will you advise the Company trainee technician to use when setting the timeout for router terminal line?
exec-timeout minute [seconds]
Which three statements accurately describe DMVPN configuration? (Choose three)
If running EIGRP over DMVPN the hub router tunnel interface must have split horizon disabled: no ip split-horizon eigrp AS-Number
At the spoke routers, static NHRP mapping to the hub router is required: ip nhrp map hub- tunnel-ip-address hub-physical-ip-address
The GRE tunnel must be associated with an IPsec profile: tunnel protection ipsec profile profile-name
When configuring FPM, which is the next step after loading the PHDFs?
Define a stack of protocol headers.
Select two issues that you should consider when implementing IOS Firewall IDS. (Choose two)
The memory usage
The signature coverage
Which statement best describes Cisco IOS Firewall URL-filtering services on Cisco IOS Release 12.4(15)T and later?
The services support Secure Computing server or Websense server and the local URL list.
While deploying EIGRP dynamic routing over DMVPN, which three configuration tasks are needed at the hub router tunnel interface? (Choose three.)
disabling EIGRP ip next-hop-self
disabling EIGRP ip split-horizon
enabling multipoint GRE
You are a network administrator for the CK Company. You are asked to configure a Cisco router to enroll with a certificate authority. Before configuring enrollment parameters, what is a recommended best practice to perform?
Configure Network Time Protocol.
You are the Cisco Configuration Assistant in your company, When you configure a site-to-site IPsec VPN tunnel, which configuration must be the exact reverse of the other IPsec peer?
You are the network consultant from your company. Cisco IOS Zone-Based Firewall uses which of the following to identify a service or application from traffic flowing through the firewall?
You are in change of Securing Networks Cisco Routers and Switches in your company when troubleshooting site-to-site IPsec VPN, you see this console message: %CRYPT0-6-IKMP_SA_N0T_0FFERED: Remote peer %15i responded with attribute [chars] not offered or changed. Which configuration should you verify?
the ISAKMP policies
During which phase does Cisco Easy VPN Server push parameters such as the client internal IP address, DHCP server IP address, and WINS server IP address to the Cisco Easy VPN Remote client?
IKE mode configuration
You have been tasked with setting up a new Company router with CBAC. How do you set the threshold of half-open sessions CBAC will allow per minute before deleting them?
ip inspect one-minute high (number)
You are configuring the authentication feature on a new Company router. Which of the following configures an authentication proxy rule for the IOS Firewall?
ip auth-proxy name proxyname http
You want to increase the security levels at layer 2 within the Company switched LAN. Which three are typical Layer 2 attack mitigation techniques? (Select three)
Which three features are supported by Cisco IOS Firewall? (Choose three.)
DoS attacks protection
When you implement Cisco IOS WebVPN on a Cisco router using a self-signed certificate, you notice that the router is not generating a self-signed certificate, What should you check to troubleshootthis issue?
Verify that the WebVPN gateway is inservice.
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection feature that effectively mitigates a wide range of network attacks. When verifying Cisco IOS IPS operations, when should you expect Cisco IOS IPS to start loading the signatures?
when the first Cisco IOS IPS rule is enabled
Which two options are possible for authenticating the clients that do not have an 802.1X supplicant while deploying 802.1X authentication on Cisco Catalyst switches? (Choose two.)
MAC Authentication Bypass
Which best practice is recommended while configuring the Auto Update feature for Cisco IOS IPS?
Synchronize the router's clock to the PC before configuring Auto Update,
Which two are typical Layer 2 attacks? (Choose two.)
CAM table overflow
You are the Cisco Configuration Assistant in your company. After you enable all the authentication protocols under the Global Authentication Setup in Cisco ACS, how can you select a specific EAP type to use for 802.1X authentication?
Specify the particular EAP type to use when you configure the NAP authentication policy
You are in change of Securing Networks Cisco Routers and Switches in your company. Why is the Cisco IOS Firewall authentication proxy not working based on the following configuration? aaa new model aaa authentication login default group tacacs aaa authentication auth-proxy default group tacacs+ aaa accounting auth-proxy default start-stop group tacacs+ enable password TeSt_123 ip auto-proxy name pxy http ip auto-proxy auth-proxy-banner interface Ethernet0/1 ip address 192.168.1.1 255.255.255.0 ip auto-proxy pxy no ip http server tacacs-server host 192.168.123.14 tacacs-server key Cisco [Output omitted]
You forgot to enable HTTP server and AAA authentication
The Company network is using an 802.1X implementation. In an 802.1X implementation the supplicant directly connects to, and obtains network access permission through which device?
The Easy VPN Server feature allows Cisco IOS routers, Cisco Adaptive Security Appliances (ASA), and Cisco PIX Security Appliances to act as head-end devices in site-to-site or remote- access VPNs The feature pushes security policies defined at the central site to the remote device during which of these phases?
IKE mode configuration
The Company network is implementing IBNS. In a Cisco Identity-Based Networking Service (IBNS) implementation, the endpoint that is seeking network access is known as what?
The authentication proxy feature has been configured on one of the Company routers. What does authentication proxy on the Cisco IOS Firewall do?
Creates specific security policies for each user with Cisco Secure ACS, dynamic, per-user authentication and authorization
Which item is true about the zone-based firewall policy while configuring the zone-based firewall feature on a Cisco router?
The policy is applied unidirectionally between two security zones.
You are the network administrator for your company When you implement IBNS, what is defined using the Tunnel-Private-Group-ID RADIUS attribute?
The VLAN name
A new Company router is being configured for IDS services. Choose the two types of signature implementations that the IOS Firewall IDS can detect. (Choose two.)
Refer to the output of a "sh ip auth-proxy cache" command issued on a Company router below. Which port is being used by the client? R2 # sh ip auth-proxy cache Authentication Proxy Cache Client Name aaauser, Client IP 10.0.2.12, Port 2636, timeout 5, Time Remaining 3, state ESTAB Based on this information, which port is being used by the client?
John and Kathy are working on configuring the IOS firewall together. They are figuring out what CBAC uses for inspection rules to configure on a per-application protocol basis. Which one of these is the correct one?
Alerts and audit trails
CBAC has been configured on router CK1 to increase the security of the Company network. CBAC intelligently filters TCP and UDP packets based on which protocol-session information?
You are the Cisco Configuration Assistant in your company. When you implement 802.1X authentication, which other ACS component will refer the RACs configured under the Shared Profile Components in the ACS?
NAP authorization policy
You wish to configure 802.1X port control on your switch. Which three keywords are used with the dotlx port-control command? (Choose three.)
You are the Cisco Configuration Assistant in your company, what additional configuration is required for the Cisco IOS Firewall to reset the TCP connection if any peer-to-peer, tunneling, or instant messaging traffic is detected over HTTP based on the following configuration? appfw policy-name my policy application http strict-http action reset alarm content-length maximum 1 action reset alarm content-type-verification match-req-rsp action reset alarm max-header-length request 1 response 1 action reset alarm max-url-length 1 action reset alarm request-method rfc put action reset alarm transfer-encoding type default reset alarm ! ip inspect name firewall appfw mypolicy ip inspect name firewall http ! Interface FastEthernet0/0 ip inspect firewall in !
the port-misuse default action reset alarm command in the HTTP application firewall policy configuration
When you enter the CK-S(config)#aaa authentication dotlx default group radius command on a Cisco Catalyst switch, the Cisco IOS parser returns with the "invalid input detected" error message. What can be the cause of this error?
You must enter the aaa new-model command first.
What is the objective of the Cisco SDM IPS migration tool?
to migrate from Cisco IOS IPS version 4.0 to Cisco IOS IPS version 5.0
Which of the following represents the behavior of the CBAC aggressive mode in a Cisco IOS firewall?
Delete half-open session as needed to accommodate new connection requests
You are the Cisco Configuration Assistant in your company.Which two commands would you use to only allow SSH traffic to the router Eth0 interface and deny other management traffic (BEEP, FTP, HTTP, HTTPS, SNMP, Telnet, TFTP) to the router interfaces? (Choose two.)
management-interface Eth0 allow ssh
Which three descriptions are true about the GET VPN policy management? (Choose three,)
A local policy is defined on each group member.
A global policy is defined on the key server, and it is distributed to the group members.
The group member appends the global policy to its local policy.
Which two capabilities are of the Cisco IOS Firewall Feature Set? (Choose two,)
protects against worms, malicious users, and denial of service
interoperates with Network Address Translation to conserve and simplify network address use