642-566 - Security Solutions for Systems Engineers
Go back to Cisco
When a FWSM is operating in transparent mode, what is true?
Each directly connected network must be on the same subnet
Which item will be performed on Cisco IP Phones so that they can authenticate it before obtaining network access?
IEEE 802.1X Supplicant
You are the network consultant from Your company. Please point out two requirements that call for the deployment of 802.1X.
Authenticate users on switch or wireless ports
Grant or Deny network access at the port level, based on configured authorization policies
Secure Sockets Layer (SSL) is a cryptographic protocol that provides security and data integrity for communications over TCP/IP networks such as the interne. When SSL uses TCP encapsulation on Cisco SSL VPNs, the user's TCP session is transported over another TCP session, thus making flow control inefficient if a packet is lost. Which is the best solution of this problem?
For the following items, which two are differences between symmetric and asymmetric encryption algorithms? (Choose two.)
Asymmetric encryption is slower than symmetric encryption
Asymmetric encryption requires a much larger key size to achieve the same level of protection as asymmetric encryption
Cisco Security MARS and Cisco Security Manager could work together to implement which two functions? (Choose two.)
Firewall events-to-Cisco Security MARS events correlations
IPS events-to-Cisco Security MARS events correlations
Which two features work together to provide anti-X defense? (Choose two.)
Enhanced Application inspection engines
Cisco IPS Sensors
How does CSA protect endpoints?
Uses file system, network, registry and execution space interceptors to stop malicious activity
Which one of the following elements is essential to perform events analysis and correlation?
Time synchronization between all the devices
Which protocol should be used to provide secure communications when performing shunning on a network device?
While performing point-to-point secure WAN solutions over the Internet, which alternative Cisco IOS method is available if GRE-over-IPsec tunnels could not be used?
Virtual Tunnel Interfaces (VTIs)
You are the network engineer at Your company. Which component should not be included in a security policy?
Security best practice
Which method can be used by Cisco SSL VPN solution to provide connections between a Winsock2, TCP-based application and a private site without requiring administrative privileges?
While using the Gateway Load Balancing Protocol to enable high-availability Cisco IOS Firewalls, what should be configured to maintain symmetric flow of traffic?
Network Address Translation (NAT)
Cisco NAC Appliance (formerly Cisco Clean Access) is an easily deployed Network Admission Control (NAC) product that allows network administrator to authenticate, authorize, evaluate and remediate wired, wireless and remote users and their machines prior to allowing users onto the network. It identifies whether networked devices such as laptops, desktops and other corporate assets are compliant with a network's security policies and it repairs any vulnerabilities before permitting access to the network. Which two of these statements describe features of the NAC Appliance Architecture? (Choose two.)
NAC Appliance Manager acts as an authentication proxy for external authentication servers
NAC Appliance Manager determines the appropriate access policy
Which of these items is a feature of a system-level approach to security management?
Which one can be used to provide logical separation between the voice and data traffic at the access layer?
Which two methods can be used to perform IPSec peer authentication? (Choose two.)
While implementing a proxy component within a firewall system, which method will be used?
Transparent or non-transparent
What should be taken into consideration while performing Cisco NAC Appliance design? Select all that apply.
edge deployment versus central deployment
in-band versus out-of-band
Real-IP Gateway versus virtual gateway
Layer 2 versus Layer 3
Which option is correct about the relationship between the malware type and its description? 1. virus 2. worms 3. botnets 4. spyware 5. Trojan horses 6. rootkits (a) collection of compromised computers under a common command-and-control infrastructure (b) typically used to monitor user actions (c) autonomously spreads to other systems without user interaction (d) malware that hides through evasion of the operating system security mechanisms (e) requires some user action to infect the system (f) malware that hides inside anoter legitimate looking application
Can you tell me which one of the following platforms has the highest IPSec throughput and can support the highest number of tunnels?
Cisco 6500/7600 + VPN SPA
You are the network consultant from Your company. Please point out two technologies that address ISO 17799 requirements to detecting, preventing and responding to attacks and intrusions.
Cisco Security Agent
Cisco Security MARS
Which series of steps correctly describes how a challenge-and-response authentication protocol functions?
1. The authenticator sends a random challenge string to the subject being authenticated. 2. The subject being authenticated hashes the challenge using a shared secret password to form a response back to the authenticator. 3. The authenticator performs the same hash method with the same shared secret password to calculate a local response and compare it with the received response. 4. If these match, the subject is authenticated.
Which certificates are needed for a device to join a certificate-authenticated network?
The Certificates of the certificate authority and the device
Which Cisco Catalyst Series switch feature can be used to integrate a tap-mode (promiscuous mode) IDS/IPS sensor into the network?
Switch Port ANalyzer (SPAN)
Which is the primary benefit that DTLS offers over TLS?
Provides low latency for real-time applications
Which two should be included in an analysis of a security posture assessment? (Choose two.)
Recommendations based on security best practice
Identification of critical deficiencies
In multi-tier applications and multi-tier firewall designs, which additional security control can be used to force an attacker to compromise the exposed server before the attacker attempts to penetrate the more protected domains?
Make exposed servers in the DMZs dual homed.
Which attack method is typically used by Pharming attacks that are used to fool users into submitting sensitive information to malicious servers?
DNS cache poisoning
Cisco IOS Control Plane Protection is able to be used to protect traffic to which three router control plane subinterfaces? (Choose three.)
What is the security issue in classic packet filtering of active FTP sessions?
Allowing data sessions to the clientopens up all the high ports on the client
Which two components should be included in a network design document? (Choose two.)
Complete network blueprint
Detailed part list
Which two Cisco products/feature provide the best security controls for a web server having applications running on it that perform inadequate input data validation? (Choose two.)
Cisco Security Agent data access controls
Cisco ACE XML Gateway
Match each IKE component to its supported option. 1. IKE authentication 2. IKE encryption 3. IKE data authentication/integrity 4. IKE key negotiation (a) 3DES or AES (b) MD5 or SHA-1 (c) pre-shared key or digital certificates (d) DH Group 1,2,or5
a-2, b-3, c-1, d-4
Which IPS feature models worm behavior and correlates the specific time between events, network behavior and multiple exploit behavior to more accurately identify and stop worms?
Meta Event Generator
Before damage can occur to the network, Cisco Security Agent block malicious behavior through ___________
Interception of operation system calls
In which two ways do Cisco ASA 5500 Series Adaptive Security Apliance achieve containment and control? (Choose two.)
By preventing unauthorized network access
By tracking the state of all network communications
Which three elements does the NAC Appliance Agent check on the client machine? (Choose three.)
Presence of Cisco Security Agent
IPSec-based site-to-site VPNs is better than traditional WAN networks in what?
Span, flexibility, security and low cost
Which statement best describes the Cisco ASA encrypted voice inspection capability?
The Cisco ASA decrypts, inspects, then re-encrypts voice-signaling traffic; all of the existing VoIP inspection functions for SCCP and SIP protocols are preserved.
You are working as a Network Engineer at Your company. Please suggest one encryption protocol to your customer from an enterprise with standard security requirements.
Which one of the following Cisco Security Management products is able to perform (syslog) events normalization?
Cisco Security MARS
Why GET VPN is not deployed over the public Internet?
Because the GET VPN preserves the original source and destination IP addresses, which may be private addresses that are not routable over the Internet
Which typical design choices should be taken into consideration while designing Cisco solution- based enterprise remote-access solutions?
Authentication: one-time passwords, digital certificates
EndpointSecurity : Managed endponts versus unmanaged endpoints protection (Cisco Security Agent, Cisco NAC Agent, Cisco Secure Desktop)
Traffic protection: IPSec versus SSL
Central Site aggregation device: ISR versus Cisco ASA, high-availability options
You are network engineer at Your company. Please point out two functions of Cisco Security Agent.
Control of executable content
Which function can be implemented by the Cisco Security Agent data access control feature?
Detects malformed HTTP requests by examining the URI in the HTTP request
Which one of the following platforms could support the highest number of SSL sessions?
Cisco ASA 5580
Which primary security design components should be addressed while performing Enterprise Internet Access protection? (Not all design components are required.) 1. resource separation 2. network infrastructure device hardening 3. network signaling protection 4. boundary access control 5. compliance assessment 6. endpoint protection
1, 2, 4, 6
Which option is correct about the relationship between the terms and their descriptions? Terms 1. true positives 2. false positives 3. true negatives 4. false negatives Descriptions (a) security control has not acted, even though there was malicious activity (b) security control has not acted, as there was no malicious activity (c) security control acted as a consequence of non-malicious activity (d) security control acted as a consequence of malicious activity