1. What method can be used to mitigate ping sweeps?
using encrypted or hashed authentication protocols
installing antivirus software on hosts
deploying antisniffer software on all network devices
blocking ICMP echo and echo-replies at the network edge*
6. What are the three major components of a worm attack? (Choose three.)
a penetration mechanism
an infecting vulnerability
a payload*
an enabling vulnerability*
a probing mechanism
a propagation mechanism*
14. Which statement accurately characterizes the evolution of threats to network security?
Internal threats can cause even greater damage than external threats.*
Threats have become less sophisticated while the technical knowledge needed by an attacker has grown.
Early Internet users often engaged in activities that would harm other users.
Internet architects planned for network security from the beginning.
4. What causes a buffer overflow?
launching a security countermeasure to mitigate a Trojan horse
sending repeated connections such as Telnet to a particular device, thus denying other data sources.
downloading and installing too many software updates at one time
attempting to write more data to a memory location than that location can hold*
sending too much information to two or more interfaces of the same device, thereby causing dropped packets
5. What commonly motivates cybercriminals to attack networks as compared to hacktivists or state-sponsored hackers?
status among peers
fame seeking
financial gain*
political reasons
6. Which two network security solutions can be used to mitigate DoS attacks? (Choose two.)
virus scanning
intrusion protection systems*
applying user authentication
antispoofing technologies*
data encryption
7. Which two statements characterize DoS attacks? (Choose two.)
They are difficult to conduct and are initiated only by very skilled attackers.
They are commonly launched with a tool called L0phtCrack.
Examples include smurf attacks and ping of death attacks.*
They attempt to compromise the availability of a network, host, or application.*
They always precede access attacks.
8. An attacker is using a laptop as a rogue access point to capture all network traffic from a targeted user. Which type of attack is this?
trust exploitation
buffer overflow
man in the middle*
port redirection
9. What functional area of the Cisco Network Foundation Protection framework is responsible for device-generated packets required for network operation, such as ARP message exchanges and routing advertisements?
data plane
control plane*
management plane
forwarding plane
10. What are the three components of information security ensured by cryptography? (Choose three.)
threat prevention
authorization
confidentiality*
countermeasures
integrity*
availability*
11. What is the primary method for mitigating malware?
using encrypted or hashed authentication protocols
installing antivirus software on all hosts*
blocking ICMP echo and echo-replies at the network edge
deploying intrusion prevention systems throughout the network
12. What is an objective of a state-sponsored attack?
to gain financial prosperity
to sell operating system vulnerabilities to other hackers
to gain attention
to right a perceived wrong*
13. What role does the Security Intelligence Operations (SIO) play in the Cisco SecureX architecture?
identifying and stopping malicious traffic*
authenticating users
enforcing policy
identifying applications
14. What worm mitigation phase involves actively disinfecting infected systems?
Treatment*
containment
inoculation
quarantine
15. How is a smurf attack conducted?
by sending a large number of packets to overflow the allocated buffer memory of the target device
by sending a large number of ICMP requests to directed broadcast addresses from a spoofed source address on the same network*
by sending a large number of TCP SYN packets to a target device from a spoofed source address
by sending an echo request in an IP packet larger than the maximum packet size of 65,535 bytes
16. What is a characteristic of a Trojan horse as it relates to network security?
Malware is contained in a seemingly legitimate executable program.*
Extreme quantities of data are sent to a particular network device interface.
An electronic dictionary is used to obtain a password to be used to infiltrate a key network device.
Too much information is destined for a particular memory block causing additional memory areas to be affected.
17. What is the first step in the risk management process specified by the ISO/IEC?
Create a security policy.
Conduct a risk assessment.*
Inventory and classify IT assets.
Create a security governance model.
18. What is the significant characteristic of worm malware?
A worm can execute independently*
A worm must be triggered by an event on the host system.
Worm malware disguises itself as legitimate software
Once installed on a host system, a worm does not replicate itself.
19. Which condition describes the potential threat created by Instant On in a data center?
when the primary firewall in the data center crashes
when an attacker hijacks a VM hypervisor and then launches attacks against other devices in the data center
when the primary IPS appliance is malfunctioning
when a VM that may have outdated security policies is brought online after a long period of inactivity.*
20. What are the three core components of the Cisco Secure Data Center solution? (Choose three.)
mesh network
secure segmentation*
visibility*
threat defense*
servers
infrastructure
21. A disgruntled employee is using Wireshark to discover administrative Telnet usernames and passwords. What type of network attack does this describe?
trust exploitation
denial of service
reconnaissance*
port redirection
22. Which two statements describe access attacks? (Choose two.)
Trust exploitation attacks often involve the use of a laptop to act as a rogue access point to capture and copy all network traffic in a public location, such as a wireless hotspot.
To detect listening services, port scanning attacks scan a range of TCP or UDP port numbers on a host.
Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or to exploit systems to execute malicious code.*
Password attacks can be implemented by the use of brute-force attack methods, Trojan horses, or packet sniffers.*
Port redirection attacks use a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.
23. What is a ping sweep?
a scanning technique that examines a range of TCP or UDP port numbers on a host to detect listening services.
a software application that enables the capture of all network packets that are sent across a LAN.
a query and response protocol that identifies information about a domain, including the addresses that are assigned to that domain
a network scanning technique that indicates the live hosts in a range of IP addresses.*
24. As a dedicated network security tool, an intrusion __prevention__ system can provide detection and blocking of attacks in real time.
1. An administrator defined a local user account with a secret password on router R1 for use with SSH. Which three additional steps are required to configure R1 to accept only encrypted SSH connections? (Choose three.)
Enable inbound vty SSH sessions.*
Generate two-way pre-shared keys.
Configure DNS on the router.
Configure the IP domain name on the router.*
Enable inbound vty Telnet sessions.
Generate the SSH keys.*
2. Which set of commands is required to create a username of admin, hash the password using MD5, and force the router to access the internal username database when a user attempts to access the console?
R1(config)# username admin password Admin01pa55
R1(config)# line con 0
R1(config-line)# login local
R1(config)# username admin secret Admin01pa55
R1(config)# line con 0
R1(config-line)# login local*
R1(config)# username admin Admin01pa55 encr md5
R1(config)# line con 0
R1(config-line)# login local
R1(config)# username admin password Admin01pa55
R1(config)# line con 0
R1(config-line)# login
R1(config)# username admin secret Admin01pa55
R1(config)# line con 0
R1(config-line)# login
3. Refer to the exhibit.
[Exhibit: CCNA Security v2.0 Chapter 2 Exam Answers p3]
Which statement about the JR-Admin account is true?
JR-Admin can issue only ping commands.
JR-Admin can issue show, ping, and reload commands.
JR-Admin cannot issue any command because the privilege level does not match one of those defined.
JR-Admin can issue debug and reload commands.
JR-Admin can issue ping and reload commands*
4. Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.)
remote access security
zone isolation
router hardening*
operating system security*
flash security
physical security*
5. Which recommended security practice prevents attackers from performing password recovery on a Cisco IOS router for the purpose of gaining access to the privileged EXEC mode?
Locate the router in a secure locked room that is accessible only to authorized personnel.*
Configure secure administrative control to ensure that only authorized personnel can access the router.
Keep a secure copy of the router Cisco IOS image and router configuration file as a backup.
Provision the router with the maximum amount of memory possible.
Disable all unused ports and interfaces to reduce the number of ways that the router can be accessed.
6. Refer to the exhibit.
[Exhibit: CCNA Security v2.0 Chapter 2 Exam Answers p6]
Based on the output of the show running-config command, which type of view is SUPPORT?
CLI view, containing SHOWVIEW and VERIFYVIEW commands
superview, containing SHOWVIEW and VERIFYVIEW views*
secret view, with a level 5 encrypted password
root view, with a level 5 encrypted secret password
7. Which two characteristics apply to role-based CLI access superviews? (Choose two.)
A specific superview cannot have commands added to it directly.*
CLI views have passwords, but superviews do not have passwords.
A single superview can be shared among multiple CLI views.
Deleting a superview deletes all associated CLI views.
Users logged in to a superview can access all commands specified within the associated CLI views.*
8. Which three types of views are available when configuring the role-based CLI access feature? (Choose three.)
superview*
admin view
root view*
superuser view
CLI view*
config view
9. If AAA is already enabled, which three CLI steps are required to configure a router with a specific view? (Choose three.)
Create a superview using the parser view view-name command.
Associate the view with the root view.
Assign users who can use the view.
Create a view using the parser view view-name command.*
Assign a secret password to the view.*
Assign commands to the view.*
10. What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?
The keys must be zeroized to reset Secure Shell before configuring other parameters.
All vty ports are automatically configured for SSH to provide secure management.
The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys modulus command.
The generated keys can be used by SSH.*
11. Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
Creating a user account that needs access to most but not all commands can be a tedious process.*
Views are required to define the CLI commands that each user can access.
Commands set on a higher privilege level are not available for lower privilege users.*
It is required that all 16 privilege levels be defined, whether they are used or not.
There is no access control to specific interfaces on a router.*
The root user must be assigned to each privilege level that is defined.
12. What command must be issued to enable login enhancements on a Cisco router?
privilege exec level
login delay
login block-for*
banner motd
13. What is the default privilege level of user accounts created on Cisco routers?
0
1*
15
16
14. A network administrator notices that unsuccessful login attempts have caused a router to enter quiet mode. How can the administrator maintain remote access to the networks even during quiet mode?
Quiet mode behavior can be enabled via an ip access-group command on a physical interface.
Quiet mode behavior will only prevent specific user accounts from attempting to authenticate.
Quiet mode behavior can be overridden for specific networks by using an ACL.*
Quiet mode behavior can be disabled by an administrator by using SSH to connect.
15. What is a characteristic of the Cisco IOS Resilient Configuration feature?
It maintains a secure working copy of the bootstrap startup program.
Once issued, the secure boot-config command automatically upgrades the configuration archive to a newer version after new configuration commands have been entered.
A snapshot of the router running configuration can be taken and securely archived in persistent storage.*
The secure boot-image command works properly when the system is configured to run an image from a TFTP server.
16. What is a requirement to use the Secure Copy Protocol feature?
At least one user with privilege level 1 has to be configured for local authentication.
A command must be issued to enable the SCP server side functionality.*
A transfer can only originate from SCP clients that are routers.
The Telnet protocol has to be configured on the SCP server side.
17. What is a characteristic of the MIB?
The OIDs are organized in a hierarchical structure.*
Information in the MIB cannot be changed.
A separate MIB tree exists for any given device in the network.
Information is organized in a flat manner so that SNMP can access it quickly.
18. Which three items are prompted for a user response during interactive AutoSecure setup? (Choose three.)
IP addresses of interfaces
content of a security banner*
enable secret password*
services to disable
enable password*
interfaces to enable
19. A network engineer is implementing security on all company routers. Which two commands must be issued to force authentication via the password 1A2b3C for all OSPF-enabled interfaces in the backbone area of the company network? (Choose two.)
area 0 authentication message-digest*
ip ospf message-digest-key 1 md5 1A2b3C*
username OSPF password 1A2b3C
enable password 1A2b3C
area 1 authentication message-digest
20. What is the purpose of using the ip ospf message-digest-key key md5 password command and the area area-id authentication message-digest command on a router?
to configure OSPF MD5 authentication globally on the router*
to enable OSPF MD5 authentication on a per-interface basis
to facilitate the establishment of neighbor adjacencies
to encrypt OSPF routing updates
21. What are two reasons to enable OSPF routing protocol authentication on a network? (Choose two.)
to provide data security through encryption
to ensure faster network convergence
to ensure more efficient routing
to prevent data traffic from being redirected and then discarded*
to prevent redirection of data traffic to an insecure link*
22. Which two options can be configured by Cisco AutoSecure? (Choose two.)
enable secret password*
interface IP address
SNMP
security banner*
syslog
23. Which three functions are provided by the syslog logging service? (Choose three.)
setting the size of the logging buffer
specifying where captured information is stored*
gathering logging information*
authenticating and encrypting data sent over the network
distinguishing between information to be captured and information to be ignored*
retaining captured messages on the router when a router is rebooted
24. What is the Control Plane Policing (CoPP) feature designed to accomplish?
disable control plane services to reduce overall traffic
prevent unnecessary traffic from overwhelming the route processor*
direct all excess traffic away from the route process
manage services provided by the control plane
25. Which three actions are produced by adding Cisco IOS login enhancements to the router login process? (Choose three.)
permit only secure console access
create password authentication
automatically provide AAA authentication
create syslog messages*
slow down an active attack*
disable logins from specified hosts*
1. Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?
accounting
accessibility
auditing
authorization*
authentication
2. Why is authentication with AAA preferred over a local database method?
It provides a fallback authentication method if the administrator forgets the username or password.*
It uses less network bandwidth.
It specifies a different password for each line or port.
It requires a login and password combination on the console, vty lines, and aux ports.
3. Which authentication method stores usernames and passwords in the router and is ideal for small networks?
local AAA over TACACS+
server-based AAA over TACACS+
local AAA*
local AAA over RADIUS
server-based AAA over RADIUS
server-based AAA
4. Which component of AAA allows an administrator to track individuals who access network resources and any changes that are made to those resources?
accounting*
accessibility
authentication
authorization
5. Refer to the exhibit.
[Exhibit: CCNA Security v2.0 Chapter 3 Exam Answers p5]
Router R1 has been configured as shown, with the resulting log message. On the basis of the information that is presented, which two statements describe the result of AAA authentication operation? (Choose two.)
The locked-out user stays locked out until the clear aaa local user lockout username Admin command is issued.*
The locked-out user stays locked out until the interface is shut down then re-enabled.
The locked-out user is locked out for 10 minutes by default.
The locked-out user should have used the username admin and password Str0ngPa55w0rd.
The locked-out user failed authentication.*
6. A user complains about being locked out of a device after too many unsuccessful AAA login attempts. What could be used by the network administrator to provide a secure authentication access method without locking a user out of a device?
Use the login delay command for authentication attempts.*
Use the login local command for authenticating user access.
Use the aaa local authentication attempts max-fail global configuration mode command with a higher number of acceptable failures.
Use the none keyword when configuring the authentication method list.
7. A user complains about not being able to gain access to a network device configured with AAA. How would the network administrator determine if login access for the user account is disabled?
Use the show aaa local user lockout command.*
Use the show running-configuration command.
Use the show aaa sessions command.
Use the show aaa user command.
8. When a method list for AAA authentication is being configured, what is the effect of the keyword local?
The login succeeds, even if all methods return an error.
It uses the enable password for authentication.
It accepts a locally configured username, regardless of case.*
It defaults to the vty line password for authentication.
9. Which solution supports AAA for both RADIUS and TACACS+ servers?
Implement Cisco Secure Access Control System (ACS) only.*
RADIUS and TACACS+ servers cannot be supported by a single solution.
Implement a local database.
Implement both a local database and Cisco Secure Access Control System (ACS).
10. What difference exists when using Windows Server as an AAA server, rather than Cisco Secure ACS?
Windows Server requires more Cisco IOS commands to configure.
Windows Server only supports AAA using TACACS.
Windows Server uses its own Active Directory (AD) controller for authentication and authorization.*
Windows Server cannot be used as an AAA server.
11. What is a characteristic of TACACS+?
TACACS+ uses UDP port 1645 or 1812 for authentication, and UDP port 1646 or 1813 for accounting.
TACACS+ is backward compatible with TACACS and XTACACS.
TACACS+ is an open IETF standard.
TACACS+ provides authorization of router commands on a per-user or per-group basis.*
12. Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)
802.1X support
separate authentication and authorization processes
SIP support
password encryption*
utilization of transport layer protocols*
13. Which server-based authentication protocol would be best for an organization that wants to apply authorization policies on a per-group basis?
SSH
RADIUS
ACS
TACACS+*
14. Refer to the exhibit.
[Exhibit: CCNA Security v2.0 Chapter 3 Exam Answers p14]
Which statement describes the configuration of the ports for Server1?
The configuration uses the default ports for a Cisco router.
The configuration of the ports requires 1812 be used for the authentication and the authorization ports.
The configuration will not be active until it is saved and Rtr1 is rebooted.
The ports configured for Server1 on the router must be identical to those configured on the RADIUS server.*
15. True or False?
The single-connection keyword prevents the configuration of multiple TACACS+ servers on an AAA-enabled router.
false*
true
16. Why would a network administrator include a local username configuration, when the AAA-enabled router is also configured to authenticate using several ACS servers?
Because ACS servers only support remote user access, local users can only authenticate using a local username database.
A local username database is required when configuring authentication using ACS servers.
The local username database will provide a backup for authentication in the event the ACS servers become unreachable.*
Without a local username database, the router will require successful authentication with each ACS server.
17. Which debug command is used to focus on the status of a TCP connection when using TACACS+ for authentication?
debug tacacs events*
debug tacacs
debug tacacs accounting
debug aaa authentication
18. Which characteristic is an important aspect of authorization in an AAA-enabled network device?
The authorization feature enhances network performance.
User access is restricted to certain services.*
User actions are recorded for use in audits and troubleshooting events.
A user must be identified before network access is granted.
19. What is the result of entering the aaa accounting network command on a router?
The router collects and reports usage data related to network-related service requests.*
The router outputs accounting data for all EXEC shell sessions.
The router provides data for only internal service requests.
The router outputs accounting data for all outbound connections such as SSH and Telnet.
20. What is a characteristic of AAA accounting?
Possible triggers for the aaa accounting exec default command include start-stop and stop-only.*
Accounting can only be enabled for network connections.
Accounting is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network.
Users are not required to be authenticated before AAA accounting logs their activities on the network.
21. When using 802.1X authentication, what device controls physical access to the network, based on the authentication status of the client?
the router that is serving as the default gateway
the authentication server
the switch that the client is connected to*
the supplicant
22. What device is considered a supplicant during the 802.1X authentication process?
the client that is requesting authentication*
the switch that is controlling network access
the router that is serving as the default gateway
the authentication server that is performing client authentication
23. What protocol is used to encapsulate the EAP data between the authenticator and authentication server performing 802.1X authentication?
SSH
MD5
TACACS+
RADIUS*
1. Refer to the exhibit.
[Exhibit: CCNA Security v2.0 Chapter 4 Exam Answers p1]
If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?
The initial packet is dropped, but subsequent packets are forwarded.
The packet is forwarded, and an alert is generated.
The packet is forwarded, and no alert is generated.
The packet is dropped.*
2. To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?
echo request
time-stamp request
echo reply*
time-stamp reply
router advertisement
3. Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?
ipv6 access-class ENG_ACL in
ipv6 traffic-filter ENG_ACL out
ipv6 traffic-filter ENG_ACL in*
ipv6 access-class ENG_ACL out
4. Which statement describes a typical security policy for a DMZ firewall configuration?
Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface.
Traffic that originates from the DMZ interface is selectively permitted to the outside interface.*
Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with few or no restrictions.
Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface.
Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface.
5. Refer to the exhibit.
[Exhibit: CCNA Security v2.0 Chapter 4 Exam Answers p5]
Which statement describes the function of the ACEs?
These ACEs allow for IPv6 neighbor discovery traffic.*
These ACEs automatically appear at the end of every IPv6 ACL to allow IPv6 routing to occur.
These are optional ACEs that can be added to the end of an IPv6 ACL to allow ICMP messages that are defined in object groups named nd-na and nd-ns.
These ACEs must be manually added to the end of every IPv6 ACL to allow IPv6 routing to occur.
6. When an inbound Internet-traffic ACL is being implemented, what should be included to prevent the spoofing of internal networks?
ACEs to prevent traffic from private address spaces*
ACEs to prevent broadcast address traffic
ACEs to prevent ICMP traffic
ACEs to prevent HTTP traffic
ACEs to prevent SNMP traffic
7. In addition to the criteria used by extended ACLs, what conditions are used by a classic firewall to filter traffic?
TCP/UDP source and destination port numbers
TCP/IP protocol numbers
IP source and destination addresses
application layer protocol session information*
8. A router has been configured as a classic firewall and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?
When traffic returns from its destination, it is reinspected, and a new entry is added to the state table.
The internal interface ACL is reconfigured to allow the host IP address access to the Internet.
The entry remains in the state table after the session is terminated so that it can be reused by the host.
A dynamic ACL entry is added to the external interface in the inbound direction.*
9. If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?
permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap*
deny udp any host 172.16.1.5 eq snmptrap
deny tcp any any eq telnet
permit ip any any
permit udp any any range 10000 20000
permit tcp 172.16.0.0 0.0.3.255 any established
10. A company is deploying a new network design in which the border router has three interfaces. Interface Serial0/0/0 connects to the ISP, GigabitEthernet0/0 connects to the DMZ, and GigabitEthernet0/1 connects to the internal private network. Which type of traffic would receive the least amount of inspection (have the most freedom of travel)?
traffic that is going from the private network to the DMZ*
traffic that is returning from the DMZ after originating from the private network
traffic that originates from the public network and that is destined for the DMZ
traffic that is returning from the public network after originating from the private network
11. Refer to the exhibit.
[Exhibit: CCNA Security v2.0 Chapter 4 Exam Answers p11]
The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.)
SSH connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.
Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.
Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.*
SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.*
SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.
Telnet connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.
12. Consider the following access list.
access-list 100 permit ip host 192.168.10.1 any
access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo
access-list 100 permit ip any any
Which two actions are taken if the access list is placed inbound on a router Gigabit Ethernet port that has the IP address 192.168.10.254 assigned? (Choose two.)
Only the network device assigned the IP address 192.168.10.1 is allowed to access the router.
Devices on the 192.168.10.0/24 network are not allowed to reply to any ping requests.
Only Layer 3 connections are allowed to be made from the router to any other network device.
Devices on the 192.168.10.0/24 network are not allowed to ping other devices on the 192.168.11.0 network.*
A Telnet or SSH session is allowed from any device on the 192.168.10.0 into the router with this access list assigned.*
13. What is one benefit of using a stateful firewall instead of a proxy server?
ability to perform user authentication
better performance*
ability to perform packet filtering
prevention of Layer 7 attacks
14. What is one limitation of a stateful firewall?
weak user authentication
cannot filter unnecessary traffic
not as effective with UDP- or ICMP-based traffic*
poor log information
15. When a Cisco IOS Zone-Based Policy Firewall is being configured via CLI, which step must be taken after zones have been created?
Assign interfaces to zones.
Establish policies between zones.*
Identify subsets within zones.
Design the physical infrastructure.
16. A network administrator is implementing a Classic Firewall and a Zone-Based Firewall concurrently on a router. Which statement best describes this implementation?
An interface must be assigned to a security zone before IP inspection can occur.
Both models must be implemented on all interfaces.
The two models cannot be implemented on a single interface.*
A Classic Firewall and Zone-Based Firewall cannot be used concurrently.
17. Which two rules about interfaces are valid when implementing a Zone-Based Policy Firewall? (Choose two.)
If one interface is a zone member, but the other is not, all traffic will be passed.
If neither interface is a zone member, then the action is to pass traffic.*
If both interfaces are members of the same zone, all traffic will be passed.*
If one interface is a zone member and a zone-pair exists, all traffic will be passed.
If both interfaces belong to the same zone-pair and a policy exists, all traffic will be passed.
18. Which command will verify a Zone-Based Policy Firewall configuration?
show interfaces
show zones
show running-config*
show protocols
19. Refer to the exhibit.
[Exhibit: CCNA Security v2.0 Chapter 4 Exam Answers p19]
The network “A” contains multiple corporate servers that are accessed by hosts from the Internet for information about the corporation. What term is used to describe the network marked as “A”?
internal network
untrusted network
perimeter security boundary
DMZ*
20. Which type of packet is unable to be filtered by an outbound
ACL?
multicast packet
ICMP packet
broadcast packet
router-generated packet*
21. When a Cisco IOS Zone-Based Policy Firewall is being
configured, which two actions can be applied to a traffic class?
(Choose two.)
drop*
log
forward
hold
inspect*
copy
22. Fill in the blank.
A __stateful__ firewall monitors the state of connections as network
traffic flows into and out of the organization.
23. Fill in the blank.
The __pass__ action in a Cisco IOS Zone-Based Policy Firewall is
similar to a permit statement in an ACL.
1. What information must an IPS track in order to detect attacks
matching a composite signature?
the total number of packets in the attack
the attacking period used by the attacker
the network bandwidth consumed by all packets
the state of packets related to the attack*
2. What is a disadvantage of a pattern-based detection mechanism?
The normal network traffic pattern must be profiled first.
It cannot detect unknown attacks.*
It is difficult to deploy in a large network.
Its configuration is complex.
3. What is the purpose in configuring an IOS IPS crypto key when
enabling IOS IPS on a Cisco router?
to secure the IOS image in flash
to enable Cisco Configuration Professional to be launched securely
to encrypt the master signature file
to verify the digital signature for the master signature file*
4. Refer to the exhibit.
CCNA Security v2.0 Chapter 5 Exam Answers p4
What is the result of issuing the Cisco IOS IPS commands on router
R1?
All traffic that is permitted by the ACL is subject to inspection by the IPS.*
A named ACL determines the traffic to be inspected.
All traffic that is denied by the ACL is subject to inspection by the IPS.
A numbered ACL is applied to S0/0/0 in the outbound direction.
5. Which two benefits does the IPS version 5.x signature format
provide over the version 4.x signature format? (Choose two.)
support for IPX and AppleTalk protocols
addition of signature micro engines
support for comma-delimited data import
support for encrypted signature parameters*
addition of a signature risk rating*
6. Which type of IPS signature detection is used to distract and
confuse attackers?
honeypot-based detection*
policy-based detection
pattern-based detection
anomaly-based detection
7. Which statement is true about an atomic alert that is generated by
an IPS?
It is an alert that is used only when a logging attack has begun.
It is a single alert sent for multiple occurrences of the same signature.
It is an alert that is generated every time a specific signature has been found.*
It is both a normal alarm and a summary alarm being sent simultaneously at set intervals.
8. A system analyst is configuring and tuning a recently deployed IPS
appliance. By examining the IPS alarm log, the analyst notices that
the IPS does not generate alarms for a few known attack packets.
Which term describes the lack of alarms by the IPS?
true negative
false positive
false negative*
true positive
9. A security specialist configures an IPS so that it will generate an
alert when an attack is first detected. Alerts for the subsequent
detection of the same attack are suppressed for a pre-defined period
of time. Another alert will be generated at the end of the period
indicating the number of the attack detected. Which IPS alert
monitoring mechanism is configured?
composite alert
atomic alert
correlation alert
summary alert*
10. In configuring a Cisco router to prepare for IPS and VPN
features, a network administrator opens the file realm-
cisco.pub.key.txt, and copies and pastes the contents to the router at
the global configuration prompt. What is the result after this
configuration step?
The router is authenticated with the Cisco secure IPS resource web server.
A pair of public/secret keys is created for IPsec VPN operation.
A crypto key is created for IOS IPS to verify the master signature file.*
A pair of public/secret keys is created for the router to serve as an SSH server.
11. Refer to the exhibit.
CCNA Security v2.0 Chapter 5 Exam Answers p11
Based on the configuration, which traffic will be examined by the IPS
that is configured on router R1?
traffic that is destined to LAN 1 and LAN 2
return traffic from the web server
traffic that is initiated from LAN 1 and LAN 2
no traffic will be inspected*
http traffic that is initiated from LAN 1
12. Refer to the exhibit.
CCNA Security v2.0 Chapter 5 Exam Answers p12
Based on the IPS configuration provided, which conclusion can be
drawn?
The signatures in all categories will be compiled into memory and used by the IPS.
The signatures in all categories will be retired and not be used by the IPS.
Only the signatures in the ios_ips basic category will be compiled into memory and used
by the IPS.*
The signatures in the ios_ips basic category will be retired and the remaining signatures will
be compiled into memory and used by the IPS.
13. A network administrator is configuring an IOS IPS with the
command
R1(config)# ip ips signature-definition
Which configuration task can be achieved with this command?
Retire or unretire the ios_ips basic signature category.
Retire or unretire an individual signature.*
Retire or unretire the all signature category.
Retire or unretire the all atomic signatures category.
14. What are two disadvantages of using an IDS? (Choose two.)
The IDS analyzes actual forwarded packets.
The IDS does not stop malicious traffic.*
The IDS has no impact on traffic.
The IDS works offline using copies of network traffic.
The IDS requires other devices to respond to attacks.*
15. What are two shared characteristics of the IDS and the IPS?
(Choose two.)
Both use signatures to detect malicious traffic.*
Both analyze copies of network traffic.
Both have minimal impact on network performance.
Both rely on an additional network device to respond to malicious traffic.
Both are deployed as sensors.*
16. Refer to the exhibit.
CCNA Security v2.0 Chapter 5 Exam Answers p16
A network administrator enters the command on a Cisco IOS IPS
router. What is the effect?
Alert messages are sent in syslog format.*
Alert messages are sent in trace file format.
Alert messages are sent in Security Device Event Exchange (SDEE) format.
Alert messages are sent in event log format.
17. A network administrator suspects the default setting of the ip ips
notify sdee command has caused performance degradation on the
Cisco IOS IPS router. The network administrator enters the ip sdee
events 50 command in an attempt to remedy the performance issues.
What is the immediate effect of this command?
All events that were stored in the original buffer are saved, while a new buffer is created to
store new events.
All events that were stored in the previous buffer are lost.*
The newest 50 events from the original buffer are saved and all others are deleted.
The oldest 50 events of the original buffer are deleted.
18. True or False?
A Cisco IDS does not affect the flow of traffic when it operates in
promiscuous mode.
true*
false
19. What is a required condition to enable IPS activity reporting using
the SDEE format?
Create an IOS IPS configuration directory in flash.
Enable an HTTP or HTTPS service on the router.*
Configure the signature category.
Issue the ip ips notify log command.
20. Refer to the exhibit.
CCNA Security v2.0 Chapter 5 Exam Answers p20
Which statement best describes how incoming traffic on serial 0/0 is
handled?
Traffic that is coming from any source other than 172.31.235.0/24 will be scanned and
reported.
Traffic not matching ACL 100 will be dropped.
Traffic not matching ACL 100 will be scanned and reported.
Traffic that is sourced from 172.31.235.0/24 will be sent directly to its destination without
being scanned or reported.
Traffic matching ACL 100 will be scanned and reported.*
Traffic that is sourced from 172.31.235.0/24 will be scanned and reported.
21. What is a disadvantage of network-based IPS as compared to
host-based IPS?
Network-based IPS is less cost-effective.
Network-based IPS should not be used with multiple operating systems.
Network-based IPS cannot examine encrypted traffic.*
Network-based IPS does not detect lower level network events.
22. An IPS sensor has detected the string confidential across multiple
packets in a TCP session. Which type of signature trigger and
signature type does this describe?
Trigger: Policy-based detection
Type: Atomic signature
Trigger: Policy-based detection
Type: Composite signature
Trigger: Anomaly-based detection
Type: Atomic signature
Trigger: Anomaly-based detection
Type: Composite signature
Trigger: Pattern-based detection
Type: Atomic signature
Trigger: Pattern-based detection
Type: Composite signature*
23. What are two drawbacks to using HIPS? (Choose two.)
With HIPS, the success or failure of an attack cannot be readily determined.
With HIPS, the network administrator must verify support for all the different
operating systems used in the network.*
HIPS has difficulty constructing an accurate network picture or coordinating events
that occur across the entire network.*
If the network traffic stream is encrypted, HIPS is unable to access unencrypted forms of the
traffic.
HIPS installations are vulnerable to fragmentation attacks or variable TTL attacks.
1. Refer to the exhibit.
CCNA Security v2.0 Chapter 6 Exam Answers p1
The Fa0/2 interface on switch S1 has been configured with the
switchport port-security mac-address 0023.189d.6456 command and
a workstation has been connected. What could be the reason that the
Fa0/2 interface is shutdown?
The connection between S1 and PC1 is via a crossover cable.
The Fa0/24 interface of S1 is configured with the same MAC address as the Fa0/2 interface.
S1 has been configured with a switchport port-security aging command.
The MAC address of PC1 that connects to the Fa0/2 interface is not the configured
MAC address.*
2. Two devices that are connected to the same switch need to be totally
isolated from one another. Which Cisco switch security feature will
provide this isolation?
PVLAN Edge*
DTP
SPAN
BPDU guard
3. Which two functions are provided by Network Admission Control?
(Choose two.)
protecting a switch from MAC address table overflow attacks
enforcing network security policy for hosts that connect to the network*
ensuring that only authenticated hosts can access the network*
stopping excessive broadcasts from disrupting network traffic
limiting the number of MAC addresses that can be learned on a single switch port
4. Which spanning-tree enhancement prevents the spanning-tree
topology from changing by blocking a port that receives a superior
BPDU?
BDPU filter
PortFast
BPDU guard
root guard*
5. Which security feature should be enabled in order to prevent an
attacker from overflowing the MAC address table of a switch?
root guard
port security*
storm control
BPDU filter
6. In what situation would a network administrator most likely
implement root guard?
on all switch ports (used or unused)
on all switch ports that connect to a Layer 3 device
on all switch ports that connect to host devices
on all switch ports that connect to another switch
on all switch ports that connect to another switch that is not the root bridge*
7. What component of Cisco NAC is responsible for performing deep
inspection of device security profiles?
Cisco NAC Profiler
Cisco NAC Agent*
Cisco NAC Manager
Cisco NAC Server
8. What is the role of the Cisco NAC Manager in implementing a
secure networking infrastructure?
to define role-based user access and endpoint security policies*
to assess and enforce security policy compliance in the NAC environment
to perform deep inspection of device security profiles
to provide post-connection monitoring of all endpoint devices
9. What is the role of the Cisco NAC Server within the Cisco Secure
Borderless Network Architecture?
providing the ability for company employees to create guest accounts
providing post-connection monitoring of all endpoint devices
defining role-based user access and endpoint security policies
assessing and enforcing security policy compliance in the NAC environment*
10. What is the role of the Cisco NAC Guest Server within the Cisco
Borderless Network architecture?
It defines role-based user access and endpoint security policies.
It provides the ability for creation and reporting of guest accounts.*
It provides post-connection monitoring of all endpoint devices.
It performs deep inspection of device security profiles.
11. Which three functions are provided under Cisco NAC framework
solution? (Choose three.)
VPN connection
AAA services*
intrusion prevention
scanning for policy compliance*
secure connection to servers
remediation for noncompliant devices*
12. Which feature is part of the Antimalware Protection security
solution?
file retrospection*
user authentication and authorization
data loss prevention
spam blocking
13. What security countermeasure is effective for preventing CAM
table overflow attacks?
DHCP snooping
Dynamic ARP Inspection
IP source guard
port security*
14. What is the behavior of a switch as a result of a successful CAM
table attack?
The switch will forward all received frames to all other ports.*
The switch will drop all received frames.
The switch interfaces will transition to the error-disabled state.
The switch will shut down.
15. What additional security measure must be enabled along with IP
Source Guard to protect against address spoofing?
port security
BPDU Guard
root guard
DHCP snooping*
16. What are three techniques for mitigating VLAN hopping attacks?
(Choose three.)
Set the native VLAN to an unused VLAN.*
Disable DTP.*
Enable Source Guard.
Enable trunking manually.*
Enable BPDU guard.
Use private VLANs.
17. What two mechanisms are used by Dynamic ARP inspection to
validate ARP packets for IP addresses that are dynamically assigned
or IP addresses that are static? (Choose two.)
MAC-address-to-IP-address bindings*
RARP
ARP ACLs*
IP ACLs
Source Guard
18. What protocol should be disabled to help mitigate VLAN hopping
attacks?
STP
ARP
CDP
DTP*
19. What network attack seeks to create a DoS for clients by
preventing them from being able to obtain a DHCP lease?
DHCP spoofing
CAM table attack
IP address spoofing
DHCP starvation*
20. What is the only type of port that an isolated port can forward
traffic to on a private VLAN?
a community port
a promiscuous port*
another isolated port
any access port in the same PVLAN
21. Which STP stability mechanism is used to prevent a rogue switch
from becoming the root switch?
Source Guard
BPDU guard
root guard*
loop guard
22. How can a user connect to the Cisco Cloud Web Security service
directly?
through the connector that is integrated into any Layer 2 Cisco switch
by using a proxy autoconfiguration file in the end device*
by accessing a Cisco CWS server before visiting the destination web site
by establishing a VPN connection with the Cisco CWS
23. What security benefit is gained from enabling BPDU guard on
PortFast enabled interfaces?
enforcing the placement of root bridges
preventing buffer overflow attacks
preventing rogue switches from being added to the network*
protecting against Layer 2 loops
24. DHCP snooping is a mitigation technique to prevent rogue DHCP
servers from providing false IP configuration parameters.
1. What is the focus of cryptanalysis?
hiding secret codes
developing secret codes
breaking encrypted codes*
implementing encrypted codes
2. How many bits does the Data Encryption Standard (DES) use for
data encryption?
40 bits
56 bits*
64 bits
72 bits
3. Which statement describes the Software-Optimized Encryption
Algorithm (SEAL)?
SEAL is a stream cipher.*
It uses a 112-bit encryption key.
It is an example of an asymmetric algorithm.
It requires more CPU resources than software-based AES does.
4. Which encryption algorithm is an asymmetric algorithm?
DH*
SEAL
3DES
AES
5. An online retailer needs a service to support the nonrepudiation of
the transaction. Which component is used for this service?
the private key of the retailer
the unique shared secret known only by the retailer and the customer
the public key of the retailer
the digital signatures*
6. In which situation is an asymmetric key algorithm used?
Two Cisco routers authenticate each other with CHAP.
User data is transmitted across the network after a VPN is established.
An office manager encrypts confidential files before saving them to a removable device.
A network administrator connects to a Cisco router with SSH.*
7. What is the purpose of a nonrepudiation service in secure
communications?
to ensure that encrypted secure communications cannot be decoded
to confirm the identity of the recipient of the communications
to provide the highest encryption level possible
to ensure that the source of the communications is confirmed*
8. Which objective of secure communications is achieved by
encrypting data?
integrity
authentication
confidentiality*
availability
9. Why is the 3DES algorithm often preferred over the AES
algorithm?
3DES is more trusted because it has been proven secure for a longer period than AES.*
AES is more expensive to implement than 3DES.
3DES performs better in high-throughput, low-latency environments than AES.
Major networking equipment vendors such as Cisco have not yet adopted AES.
10. What is the most common use of the Diffie-Hellman algorithm in
communications security?
to create password hashes for secure authentication
to provide routing protocol authentication between routers
to encrypt data for secure e-commerce communications
to secure the exchange of keys used to encrypt data*
11. Which type of encryption algorithm uses public and private keys
to provide authentication, integrity, and confidentiality?
symmetric
shared secret
IPsec
asymmetric*
12. How do modern cryptographers defend against brute-force
attacks?
Use statistical analysis to eliminate the most common encryption keys.
Use a keyspace large enough that it takes too much money and too much time to conduct
a successful attack.*
Use an algorithm that requires the attacker to have both ciphertext and plaintext to conduct a
successful attack.
Use frequency analysis to ensure that the most popular letters used in the language are not
used in the cipher message.
13. Which encryption protocol provides network layer
confidentiality?
IPsec protocol suite*
Transport Layer Security
Secure Hash Algorithm 1
Secure Sockets Layer
Keyed MD5
Message Digest 5
14. Refer to the exhibit.
CCNA Security v2.0 Chapter 7 Exam Answers p14
Which encryption algorithm is described in the exhibit?
RC4
AES
3DES*
DES
SEAL
15. Which statement describes asymmetric encryption algorithms?
They have key lengths ranging from 80 to 256 bits.
They include DES, 3DES, and AES.
They are also called shared-secret key algorithms.
They are relatively slow because they are based on difficult computational algorithms.*
16. Which two non-secret numbers are initially agreed upon when the
Diffie-Hellman algorithm is used? (Choose two.)
binomial coefficient
generator*
elliptic curve invariant
prime modulus*
topological index
pseudorandom nonce
17. In what situation would an asymmetric algorithm most likely be
used?
logging onto a computer
making an online purchase*
uploading a networking book chapter using FTP
transferring a large stream of data between two corporate locations
18. Why is asymmetric algorithm key management simpler than
symmetric algorithm key management?
It uses fewer bits.
Only one key is used.
Two public keys are used for the key exchange.
One of the keys can be made public.*
19. What is the purpose of code signing?
source identity secrecy
integrity of source .EXE files*
reliable transfer of data
data encryption
20. Which algorithm can ensure data confidentiality?
MD5
PKI
RSA
AES*
21. What is the purpose of a digital certificate?
It guarantees that a website has not been hacked.
It authenticates a website and establishes a secure connection to exchange confidential
data.*
It provides proof that data has a traditional signature attached.
It ensures that the person who is gaining access to a network device is authorized.
22. Fill in the blank.
A shared secret is a key used in a symmetric encryption algorithm.
1. Refer to the exhibit.
CCNA Security v2.0 Chapter 8 Exam Answers p1
How will traffic that does not match that defined by access list 101 be
treated by the router?
It will be sent unencrypted.*
It will be sent encrypted.
It will be blocked.
It will be discarded.
2. What three protocols must be permitted through the company
firewall for establishment of IPsec site-to-site VPNs? (Choose three.)
HTTPS
SSH
AH*
ISAKMP*
NTP
ESP*
3. Which statement describes the effect of key length in deterring an
attacker from hacking through an encryption key?
The length of a key does not affect the degree of security.
The shorter the key, the harder it is to break.
The length of a key will not vary between encryption algorithms.
The longer the key, the more key possibilities exist.*
4. What is the purpose of configuring multiple crypto ACLs when
building a VPN connection between remote sites?
By applying the ACL on a public interface, multiple crypto ACLs can be built to prevent
public users from connecting to the VPN-enabled router.
Multiple crypto ACLs can define multiple remote peers for connecting with a VPN-enabled
router across the Internet or network.
Multiple crypto ACLs can be configured to deny specific network traffic from crossing a
VPN.
When multiple combinations of IPsec protection are being chosen, multiple crypto ACLs
can define different traffic types.*
5. Consider the following configuration on a Cisco ASA:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
What is the purpose of this command?
to define the ISAKMP parameters that are used to establish the tunnel
to define the encryption and integrity algorithms that are used to build the IPsec tunnel*
to define what traffic is allowed through and protected by the tunnel
to define only the allowed encryption algorithms
6. Which transform set provides the best protection?
crypto ipsec transform-set ESP-DES-SHA esp-aes-256 esp-sha-hmac*
crypto ipsec transform-set ESP-DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-aes esp-des esp-sha-hmac
7. Which three ports must be open to verify that an IPsec VPN tunnel
is operating properly? (Choose three.)
168
50*
169
501
500*
51*
8. When is a security association (SA) created if an IPsec VPN tunnel
is used to connect between two sites?
after the tunnel is created, but before traffic is sent
only during Phase 2
only during Phase 1
during both Phase 1 and 2*
9. In which situation would the Cisco Discovery Protocol be disabled?
when a Cisco VoIP phone attaches to a Cisco switch
when a Cisco switch connects to another Cisco switch
when a Cisco switch connects to a Cisco router
when a PC with Cisco IP Communicator installed connects to a Cisco switch*
10. Which two statements accurately describe characteristics of
IPsec? (Choose two.)
IPsec works at the transport layer and protects data at the network layer.
IPsec is a framework of proprietary standards that depend on Cisco specific algorithms.
IPsec is a framework of standards developed by Cisco that relies on OSI algorithms.
IPsec is a framework of open standards that relies on existing algorithms.*
IPsec works at the network layer and operates over all Layer 2 protocols.*
IPsec works at the application layer and protects all application data.
11. Which action do IPsec peers take during the IKE Phase 2
exchange?
exchange of DH keys
negotiation of IPsec policy*
negotiation of IKE policy sets
verification of peer identity
12. Which three statements describe the IPsec protocol framework?
(Choose three.)
AH provides integrity and authentication.*
ESP provides encryption, authentication, and integrity.*
AH uses IP protocol 51.*
AH provides encryption and integrity.
ESP uses UDP protocol 50.
ESP requires both authentication and encryption.
13. Which statement accurately describes a characteristic of IPsec?
IPsec works at the application layer and protects all application data.
IPsec is a framework of standards developed by Cisco that relies on OSI algorithms.
IPsec is a framework of proprietary standards that depend on Cisco specific algorithms.
IPsec works at the transport layer and protects data at the network layer.
IPsec is a framework of open standards that relies on existing algorithms.*
14. Which two IPsec protocols are used to provide data integrity?
SHA*
AES
DH
MD5*
RSA
15. What is the function of the Diffie-Hellman algorithm within the
IPsec framework?
provides authentication
allows peers to exchange shared keys*
guarantees message integrity
provides strong data encryption
16. Refer to the exhibit.
CCNA Security v2.0 Chapter 8 Exam Answers p16
What HMAC algorithm is being used to provide data integrity?
MD5
AES
SHA*
DH
17. What is needed to define interesting traffic in the creation of an
IPsec tunnel?
security associations
hashing algorithm
access list*
transform set
18. Refer to the exhibit.
CCNA Security v2.0 Chapter 8 Exam Answers p18
What algorithm will be used for providing confidentiality?
RSA
Diffie-Hellman
DES
AES*
19. Which technique is necessary to ensure a private transfer of data
using a VPN?
encryption*
authorization
virtualization
scalability
20. Which statement describes a VPN?
VPNs use open source virtualization software to create the tunnel through the Internet.
VPNs use virtual connections to create a private network through a public network.*
VPNs use dedicated physical connections to transfer data between remote users.
VPNs use logical connections to create public networks through the Internet.
21. Which protocol provides authentication, integrity, and
confidentiality services and is a type of VPN?
ESP
IPsec*
MD5
AES
22. What is the purpose of NAT-T?
enables NAT for PC-based VPN clients
permits VPN to work when NAT is being used on one or both ends of the VPN*
upgrades NAT for IPv4
allows NAT to be used for IPv6 addresses
23. Which term describes a situation where VPN traffic that is
received by an interface is routed back out that same interface?
GRE
split tunneling
MPLS
hairpinning*
24. What is an important characteristic of remote-access VPNs?
The VPN configuration is identical between the remote devices.
Internal hosts have no knowledge of the VPN.
Information required to establish the VPN must remain static.
The VPN connection is initiated by the remote user.*
25. Which type of site-to-site VPN uses trusted group members to
eliminate point-to-point IPsec tunnels between the members of a
group?
DMVPN
GRE
GETVPN*
MPLS
26. Refer to the exhibit.
CCNA Security v2.0 Chapter 8 Exam Answers p26
Which pair of crypto isakmp key commands would correctly
configure PSK on the two routers?
R1(config)# crypto isakmp key cisco123 address 209.165.200.227
R2(config)# crypto isakmp key cisco123 address 209.165.200.226*
R1(config)# crypto isakmp key cisco123 address 209.165.200.226
R2(config)# crypto isakmp key cisco123 address 209.165.200.227
R1(config)# crypto isakmp key cisco123 hostname R1
R2(config)# crypto isakmp key cisco123 hostname R2
R1(config)# crypto isakmp key cisco123 address 209.165.200.226
R2(config)# crypto isakmp key secure address 209.165.200.227
27. Which two protocols must be allowed for an IPsec VPN tunnel to
operate properly? (Choose two.)
168
50*
501
169
51*
500
1. Refer to the exhibit.
CCNA Security v2.0 Chapter 9 Exam Answers p1
An administrator creates three zones (A, B, and C) in an ASA that
filters traffic. Traffic originating from Zone A going to Zone C is
denied, and traffic originating from Zone B going to Zone C is denied.
What is a possible scenario for Zones A, B, and C?
A – DMZ, B – Inside, C – Outside
A – Inside, B – DMZ, C – Outside
A – Outside, B – Inside, C – DMZ
A – DMZ, B – Outside, C – Inside*
2. What is one of the drawbacks to using transparent mode operation
on an ASA device?
no support for IP addressing
no support for management
no support for using an ASA as a Layer 2 switch
no support for QoS*
3. What is a characteristic of ASA security levels?
An ACL needs to be configured to explicitly permit traffic from an interface with a
lower security level to an interface with a higher security level.*
Each operational interface must have a name and be assigned a security level from 0 to 200.
The lower the security level on an interface, the more trusted the interface.
Inbound traffic is identified as the traffic moving from an interface with a higher security
level to an interface with a lower security level.
4. Refer to the exhibit.
CCNA Security v2.0 Chapter 9 Exam Answers p4
Two types of VLAN interfaces were configured on an ASA 5505 with
a Base license. The administrator wants to configure a third VLAN
interface with limited functionality. Which action should be taken by
the administrator to configure the third interface?
Because the ASA 5505 does not support the configuration of a third interface, the
administrator cannot configure the third VLAN.
The administrator must enter the no forward interface vlan command before the nameif
command on the third interface.*
The administrator configures the third VLAN interface the same way the other two were
configured, because the Base license supports the proposed action.
The administrator needs to acquire the Security Plus license, because the Base license does
not support the proposed action.
5. What command defines a DHCP pool that uses the maximum
number of DHCP client addresses available on an ASA 5505 that is
using the Base license?
CCNAS-ASA(config)# dhcpd address 192.168.1.20-192.168.1.50 inside
CCNAS-ASA(config)# dhcpd address 192.168.1.10-192.168.1.100 inside
CCNAS-ASA(config)# dhcpd address 192.168.1.25-192.168.1.56 inside*
CCNAS-ASA(config)# dhcpd address 192.168.1.30-192.168.1.79 inside
6. Which two statements are true about ASA standard ACLs?
(Choose two.)
They are the most common type of ACL.
They are applied to interfaces to control traffic.
They are typically only used for OSPF routes.*
They specify both the source and destination MAC address.
They identify only the destination IP address.*
7. Refer to the exhibit.
CCNA Security v2.0 Chapter 9 Exam Answers p7
A network administrator is configuring the security level for the ASA.
What is a best practice for assigning the security level on the three
interfaces?
Outside 40, Inside 100, DMZ 0
Outside 0, Inside 35, DMZ 90
Outside 100, Inside 10, DMZ 40
Outside 0, Inside 100, DMZ 50*
8. Refer to the exhibit.
CCNA Security v2.0 Chapter 9 Exam Answers p8
A network administrator is configuring the security level for the ASA.
Which statement describes the default result if the administrator tries
to assign the Inside interface with the same security level as the DMZ
interface?
The ASA allows inbound traffic initiated on the Internet to the DMZ, but not to the Inside
interface.
The ASA console will display an error message.
The ASA will not allow traffic in either direction between the Inside interface and the
DMZ.*
The ASA allows traffic from the Inside to the DMZ, but blocks traffic initiated on the DMZ to
the Inside interface.
9. What is a difference between ASA IPv4 ACLs and IOS IPv4
ACLs?
ASA ACLs are always named, whereas IOS ACLs are always numbered.
Multiple ASA ACLs can be applied on an interface in the ingress direction, whereas only one
IOS ACL can be applied.
ASA ACLs use the subnet mask in defining a network, whereas IOS ACLs use the
wildcard mask.*
ASA ACLs do not have an implicit deny any at the end, whereas IOS ACLs do.
ASA ACLs use forward and drop ACEs, whereas IOS ACLs use permit and deny ACEs.
10. What is the purpose of the webtype ACLs in an ASA?
to inspect outbound traffic headed towards certain web sites
to restrict traffic that is destined to an ASDM
to monitor return traffic that is in response to web server requests that are initiated from the
inside interface
to filter traffic for clientless SSL VPN users*
11. Refer to the exhibit.
CCNA Security v2.0 Chapter 9 Exam Answers p11
A network administrator has configured NAT on an ASA device.
What type of NAT is used?
inside NAT*
static NAT
bidirectional NAT
outside NAT
12. Refer to the exhibit.
CCNA Security v2.0 Chapter 9 Exam Answers p12
A network administrator is configuring an object group on an ASA
device. Which configuration keyword should be used after the object
group name SERVICE1?
icmp
ip
udp
tcp*
13. When dynamic NAT on an ASA is being configured, what two
parameters must be specified by network objects? (Choose two.)
a range of private addresses that will be translated*
the interface security level
the pool of public global addresses*
the inside NAT interface
the outside NAT interface
14. What function is performed by the class maps configuration
object in the Cisco modular policy framework?
identifying interesting traffic*
applying a policy to an interface
applying a policy to interesting traffic
restricting traffic through an interface
15. Refer to the exhibit.
CCNA Security v2.0 Chapter 9 Exam Answers p15
Based on the security levels of the interfaces on ASA1, what traffic
will be allowed on the interfaces?
Traffic from the Internet and DMZ can access the LAN.
Traffic from the Internet and LAN can access the DMZ.
Traffic from the Internet can access both the DMZ and the LAN.
Traffic from the LAN and DMZ can access the Internet.*
16. What are three characteristics of the ASA routed mode? (Choose
three.)
This mode is referred to as a “bump in the wire.”
In this mode, the ASA is invisible to an attacker.
The interfaces of the ASA separate Layer 3 networks and require different IP addresses
in different subnets.*
It is the traditional firewall deployment mode.*
This mode does not support VPNs, QoS, or DHCP Relay.
NAT can be implemented between connected networks.*
17. Refer to the exhibit.
CCNA Security v2.0 Chapter 9 Exam Answers p17
An administrator has configured an ASA 5505 as indicated but is still
unable to ping the inside interface from an inside host. What is the
cause of this problem?
The no shutdown command should be entered on interface Ethernet 0/1.*
VLAN 1 should be the outside interface and VLAN 2 should be the inside interface.
VLAN 1 should be assigned to interface Ethernet 0/0 and VLAN 2 to Ethernet 0/1.
The security level of the inside interface should be 0 and the outside interface should be 100.
An IP address should be configured on the Ethernet 0/0 and 0/1 interfaces.
18. Refer to the exhibit.
CCNA Security v2.0 Chapter 9 Exam Answers p18
According to the command output, which three statements are true
about the DHCP options entered on the ASA 5505? (Choose three.)
The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the
DHCP client.
The dhcpd auto-config outside command was issued to enable the DHCP server.
The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable
the DHCP server.*
The dhcpd auto-config outside command was issued to enable the DHCP client.*
The dhcpd enable inside command was issued to enable the DHCP client.
The dhcpd enable inside command was issued to enable the DHCP server.*
19. Refer to the exhibit.
CCNA Security v2.0 Chapter 9 Exam Answers p19
What will be displayed in the output of the show running-config object command after the exhibited configuration commands are entered on an ASA 5505?
host 192.168.1.4
host 192.168.1.3, host 192.168.1.4, and range 192.168.1.10 192.168.1.20
host 192.168.1.4 and range 192.168.1.10 192.168.1.20
host 192.168.1.3 and host 192.168.1.4
range 192.168.1.10 192.168.1.20*
host 192.168.1.3
20. What must be configured on a Cisco ASA device to support local
authentication?
AAA*
the IP address of the RADIUS or TACACS+ server
encrypted passwords
SSHv2
RSA keys
21. Which statement describes a difference between the Cisco ASA
IOS CLI feature and the router IOS CLI feature?
ASA uses the ? command whereas a router uses the help command to receive help on a brief
description and the syntax of a command.
To use a show command in a general configuration mode, ASA can use the command
directly whereas a router will need to enter the do command before issuing the show
command.*
To complete a partially typed command, ASA uses the Ctrl+Tab key combination whereas a
router uses the Tab key.
To indicate the CLI EXEC mode, ASA uses the % symbol whereas a router uses the #
symbol.
22. What are two factory default configurations on an ASA 5505?
(Choose two.)
VLAN 2 is configured with the name inside.
The internal web server is disabled.
DHCP service is enabled for internal hosts to obtain an IP address and a default gateway from
the upstream device.
PAT is configured to allow internal hosts to access remote networks through an
Ethernet interface.*
VLAN 1 is assigned a security level of 100.*
23. Which type of NAT would be used on an ASA where 10.0.1.0/24
inside addresses are to be translated only if traffic from these
addresses is destined for the 198.133.219.0/24 network?
policy NAT*
dynamic NAT
static NAT
dynamic PAT
24. Which statement describes a feature of AAA in an ASA device?
Accounting can be used alone.*
Authorization is enabled by default.
If authorization is disabled, all authenticated users will have a very limited access to the
commands.
Both authorization and accounting require a user to be authenticated first.
25. A network administrator is working on the implementation of the
Cisco Modular Policy Framework on an ASA device. The
administrator issues a clear service-policy command. What is the
effect after this command is entered?
All class map configurations are removed.
All service policy statistics data are removed.*
All service policies are removed.
All policy map configurations are removed.
26. What is needed to allow specific traffic that is sourced on the
outside network of an ASA firewall to reach an internal network?
ACL*
NAT
dynamic routing protocols
outside security zone level 0
1. Which statement describes the function provided to a network administrator who uses the Cisco Adaptive Security Device Manager (ASDM) GUI that runs as a Java Web Start application?
The administrator can connect to and manage a single ASA.*
The administrator can connect to and manage multiple ASA devices.
The administrator can connect to and manage multiple ASA devices and Cisco routers.
The administrator can connect to and manage multiple ASA devices, Cisco routers, and Cisco
switches.
2. What is one benefit of using ASDM compared to using the CLI to
configure the Cisco ASA?
It does not require any initial device configuration.
It hides the complexity of security commands.*
ASDM provides increased configuration security.
It does not require a remote connection to a Cisco device.
3. Which type of security is required for initial access to the Cisco
ASDM by using the local application option?
SSL*
WPA2 corporate
biometric
AES
4. Which minimum configuration is required on most ASAs before
ASDM can be used?
SSH
a dedicated Layer 3 management interface*
a logical VLAN interface and an Ethernet port other than 0/0
Ethernet 0/0
5. What must be configured on an ASA before it can be accessed by
ASDM?
web server access*
Telnet or SSH
an Ethernet port other than 0/0
Ethernet 0/0 IP address
6. How is an ASA interface configured as an outside interface when
using ASDM?
Select a check box from the Interface Type option that shows inside, outside, and DMZ.
Select outside from the Interface Type drop-down menu.
Enter the name “outside” in the Interface Name text box.*
Drag the interface to the port labeled “outside” in the ASA drawing.
7. Refer to the exhibit.
CCNA Security v2.0 Chapter 10 Exam Answers p7
Which Device Management menu item would be used to access the ASA command line from within Cisco ASDM?
Licensing
System Image/Configuration
Management Access*
Advanced
8. Which ASDM configuration option is used to configure the ASA
enable secret password?
Device Setup*
Monitoring
Interfaces
Device Management
9. Refer to the exhibit.
CCNA Security v2.0 Chapter 10 Exam Answers p9
Which Device Setup ASDM menu option would be used to
configure the ASA for an NTP server?
Startup Wizard
Device Name/Password
Routing
Interfaces
System Time*
10. True or False?
The ASA can be configured through ASDM as a DHCP server.
false
true*
11. Which ASDM interface option would be used to configure an ASA
as a DHCP server for local corporate devices?
DMZ
outside
local
inside*
12. Which ASDM configuration option re-encrypts all shared keys
and passwords on an ASA?
security master
super encryption
master passphrase*
device protection
13. Which type of encryption is applied to shared keys and passwords
when the master passphrase option is enabled through ASDM for an
ASA?
3DES
public/private key
AES*
128-bit
14. When the CLI is used to configure an ISR for a site-to-site VPN
connection, which two items must be specified to enable a crypto map
policy? (Choose two.)
the hash
the peer*
encryption
the ISAKMP policy
a valid access list*
IP addresses on all active interfaces
15. What is the purpose of the ACL in the configuration of an ISR
site-to-site VPN connection?
to permit only secure protocols
to log denied traffic
to identify the peer
to define interesting traffic*
16. When ASDM is used to configure an ASA site-to-site VPN, what
can be customized to secure traffic?
ISAKMP
IKE
IKE and ISAKMP*
preshared key
17. Which VPN solution allows the use of a web browser to establish a
secure, remote-access VPN tunnel to the ASA?
clientless SSL*
site-to-site using an ACL
site-to-site using a preshared key
client-based SSL
18. Which remote-access VPN connection allows the user to connect
by using a web browser?
IPsec (IKEv2) VPN
site-to-site VPN
clientless SSL VPN*
IPsec (IKEv1) VPN
19. Which remote-access VPN connection allows the user to connect
using Cisco AnyConnect?
IPsec (IKEv2) VPN*
site-to-site VPN
clientless SSL VPN
IPsec (IKEv1) VPN
20. Which statement describes available user authentication methods
when using an ASA 5505 device?
The ASA 5505 can use either a AAA server or a local database.*
The ASA 5505 only uses a AAA server for authentication.
The ASA 5505 only uses a local database for authentication.
The ASA 5505 must use both a AAA server and a local database.
21. Which remote-access VPN connection needs a bookmark list?
IPsec (IKEv1) VPN
IPsec (IKEv2) VPN
site-to-site VPN
clientless SSL VPN*
22. What occurs when a user logs out of the web portal on a clientless
SSL VPN connection?
The browser cache is cleared.
Downloaded files are deleted.
The user no longer has access to the VPN.*
The web portal times out.
23. If an outside host does not have the Cisco AnyConnect client
preinstalled, how would the host gain access to the client image?
The host initiates a clientless connection to a TFTP server to download the client.
The host initiates a clientless VPN connection using a compliant web browser to
download the client.*
The Cisco AnyConnect client is installed by default on most major operating systems.
The host initiates a clientless connection to an FTP server to download the client.
24. What is an optional feature that is performed during the Cisco
AnyConnect Secure Mobility Client VPN establishment phase?
security optimization
host-based ACL installation
posture assessment*
quality of service security
25. Which item describes secure protocol support provided by Cisco
AnyConnect?
neither SSL nor IPsec
SSL only
both SSL and IPsec*
IPsec only
26. What is the purpose of configuring an IP address pool to be used
for client-based SSL VPN connections?
to assign addresses to the interfaces on the ASA
to identify which users are allowed to download the client image
to assign IP addresses to clients when they connect*
to identify which clients are allowed to connect
1. Which security test is appropriate for detecting system weaknesses
such as misconfiguration, default passwords, and potential DoS
targets?
vulnerability scanning*
network scanning
integrity checkers
penetration testing
2. How does network scanning help assess operations security?
It can simulate attacks from malicious sources.
It can log abnormal activity.
It can detect open TCP ports on network systems.*
It can detect weak or blank passwords.
3. What is the objective of the governing policy in the security policy
hierarchy structure?
It covers all rules pertaining to information security that end users should know about and
follow.
It outlines the company’s overall security goals for managers and technical staff.*
It provides general policies on how the technical staff should perform security functions.
It defines system and issue-specific policies that describe what the technical staff does.
4. Which type of security policy document includes implementation details that usually contain step-by-step instructions and graphics?
best practices document
procedure document*
standards document
guideline document
5. What is the purpose of a security awareness campaign?
to teach skills so employees can perform security tasks
to focus the attention of employees on security issues*
to provide users with a training curriculum that can ultimately lead to a formal degree
to integrate all the security skills and competencies into a single body of knowledge
6. What is the goal of network penetration testing?
detecting configuration changes on network systems
detecting potential weaknesses in systems
determining the feasibility and the potential consequences of a successful attack*
detecting weak passwords
7. What network security testing tool has the ability to provide details
on the source of suspicious network activity?
SIEM*
SuperScan
Zenmap
Tripwire
8. What network scanning tool has advanced features that allow it to use decoy hosts to mask the source of the scan?
Nessus
Metasploit
Tripwire
Nmap*
9. What network testing tool can be used to identify network layer
protocols running on a host?
SIEM
Nmap*
L0phtcrack
Tripwire
10. What type of network security test would be used by network
administrators for detection and reporting of changes to network
systems?
penetration testing
vulnerability scanning
integrity checking*
network scanning
11. What testing tool is available for network administrators who
need a GUI version of Nmap?
Nessus
SIEM
Zenmap*
SuperScan
12. Which initial step should be followed when a security breach is
found on a corporate system?
Create a drive image of the system.
Isolate the infected system.*
Establish a chain of custody.
Photograph the system.
13. What step should be taken after data is collected, but before
equipment is disconnected, if a security breach is found on a system?
Create a drive image of the system.
Isolate the infected system.
Photograph the system.*
Determine if data tampering has occurred.
14. Which security program is aimed at all levels of an organization,
including end users and executive staff?
educational degree programs
certificate programs
awareness campaigns*
firewall implementation training courses
15. What is implemented by administration to instruct end users in
how to effectively conduct business safely within an organization?
security awareness program*
governing policy
noncompliance consequences
technical policy
16. What are two major components of a security awareness
program? (Choose two.)
technical policy
procedure documents
awareness campaigns*
guideline documents
education and training*
17. Which type of document includes implementation details that usually contain step-by-step instructions and graphics?
standards documents
procedure documents*
guideline documents
end-user policy documents
18. Which type of document helps an organization establish consistency in the operations of the network by specifying criteria that must be followed?
guidelines
standards*
procedures
end user policies
19. Which policy outlines the overall security goals for managers and
technical staff within a company?
acceptable use policy
technical policy
governing policy*
end-user policy
20. Which type of security policy includes network access standards
and server security policies?
end user policy
technical policy*
governing policy
acceptable use policy
21. Which type of security policy includes acceptable encryption
methods?
governing policy
acceptable use policy
technical policy*
end-user policy
22. What is the determining factor in the content of a security policy
within an organization?
the security staff
the audience*
the chief executive officer
the best practices
23. Which executive position is ultimately responsible for the success
of an organization?
Chief Technology Officer
Chief Executive Officer*
Chief Security Officer
Chief Information Officer
24. Match the network security testing tool with the correct function.
(Not all options are used.)
Question
CCNA Security v2.0 Chapter 11 Exam Answers p24-1
Answer
CCNA Security v2.0 Chapter 11 Exam Answers p24-2
1. Refer to the exhibit.
CCNA Security v2.0 Final Exam q1
Based on the security levels of the interfaces on ASA1, what traffic will be allowed on the interfaces? [Similar to Question 27]
Traffic from the Internet and LAN can access the DMZ.
Traffic from the Internet and DMZ can access the LAN.
Traffic from the Internet can access both the DMZ and the LAN.
Traffic from the LAN and DMZ can access the Internet.*
2. What is the one major difference between local AAA authentication
and using the login local command when configuring device access
authentication?
Local AAA authentication provides a way to configure backup methods of
authentication, but login local does not.*
The login local command requires the administrator to manually configure the usernames and
passwords, but local AAA authentication does not.
Local AAA authentication allows more than one user account to be configured, but login local
does not.
The login local command uses local usernames and passwords stored on the router, but local
AAA authentication does not.
3. Refer to the exhibit.
CCNA Security v2.0 Final Exam q3
A network administrator configures AAA authentication on R1. The administrator then
tests the configuration by telneting to R1. The ACS servers are configured and running.
What will happen if the authentication fails?
The enable secret password could be used in the next login attempt.
The authentication process stops.*
The username and password of the local user database could be used in the next login attempt.
The enable secret password and a random username could be used in the next login attempt.
4. What are two tasks that can be accomplished with the Nmap and
Zenmap network tools? (Choose two.)
password recovery
password auditing
identification of Layer 3 protocol support on hosts*
TCP and UDP port scanning*
validation of IT system configuration
5. Which Cisco IOS subcommand is used to compile an IPS signature
into memory?
retired true
event-action produce-alert
retired false*
event-action deny-attacker-inline
6. Why are DES keys considered weak keys?
They are more resource intensive.
DES weak keys use very long key sizes.
They produce identical subkeys.*
DES weak keys are difficult to manage.
7. What is a benefit of using a next-generation firewall rather than a
stateful firewall?
reactive protection against Internet attacks
granularity control within applications*
support of TCP-based packet filtering
support for logging
8. What is a result of securing the Cisco IOS image using the Cisco
IOS Resilient Configuration feature?
When the router boots up, the Cisco IOS image is loaded from a secured FTP location.
The Cisco IOS image file is not visible in the output of the show flash command.*
The Cisco IOS image is encrypted and then automatically backed up to the NVRAM.
The Cisco IOS image is encrypted and then automatically backed up to a TFTP server.
9. The corporate security policy dictates that the traffic from the
remote-access VPN clients must be separated between trusted traffic
that is destined for the corporate subnets and untrusted traffic
destined for the public Internet. Which VPN solution should be
implemented to ensure compliance with the corporate policy?
MPLS
hairpinning
GRE
split tunneling*
10. Which two conditions must be met in order for a network
administrator to be able to remotely manage multiple ASAs with
Cisco ASDM? (Choose two.)
The ASAs must all be running the same ASDM version.
Each ASA must have the same enable secret password.
Each ASA must have the same master passphrase enabled.
The ASAs must be connected to each other through at least one inside interface.
ASDM must be run as a local application.*
11. What is negotiated in the establishment of an IPsec tunnel between
two IPsec hosts during IKE Phase 1?
ISAKMP SA policy*
DH groups
interesting traffic
transform sets
12. What are two benefits of using a ZPF rather than a Classic
Firewall? (Choose two.)
ZPF allows interfaces to be placed into zones for IP inspection.
The ZPF is not dependent on ACLs.*
Multiple inspection actions are used with ZPF.
ZPF policies are easy to read and troubleshoot.*
With ZPF, the router will allow packets unless they are explicitly blocked.
13. Which security policy characteristic defines the purpose of
standards?
step-by-step details regarding methods to deploy company switches
recommended best practices for placement of all company switches
required steps to ensure consistent configuration of all company switches*
list of suggestions regarding how to quickly configure all company switches
14. What algorithm is used to provide data integrity of a message
through the use of a calculated hash value?
RSA
DH
AES
HMAC*
15. On which port should Dynamic ARP Inspection (DAI) be
configured on a switch?
an uplink port to another switch*
on any port where DHCP snooping is disabled
any untrusted port
access ports only
16. What is a feature of a Cisco IOS Zone-Based Policy Firewall?
A router interface can belong to only one zone at a time.*
Service policies are applied in interface configuration mode.
Router management interfaces must be manually assigned to the self zone.
The pass action works in multiple directions.
17. Refer to the exhibit.
CCNA Security v2.0 Final Exam q17
The administrator can ping the S0/0/1 interface of RouterB but is
unable to gain Telnet access to the router by using the password
cisco123. What is a possible cause of the problem?
The Telnet connection between RouterA and RouterB is not working correctly.
The password cisco123 is wrong.*
The administrator does not have enough rights on the PC that is being used.
The enable password and the Telnet password need to be the same.
18. Refer to the exhibit.
CCNA Security v2.0 Final Exam q18
The ip verify source command is applied on untrusted interfaces.
Which type of attack is mitigated by using this configuration?
DHCP spoofing
DHCP starvation
STP manipulation
MAC and IP address spoofing*
19. Refer to the exhibit.
CCNA Security v2.0 Final Exam q19
Which conclusion can be made from the show crypto map command
output that is shown on R1?
The crypto map has not yet been applied to an interface.*
The current peer IP address should be 172.30.2.1.
There is a mismatch between the transform sets.
The tunnel configuration was established and can be tested with extended pings.
20. What type of algorithm requires sender and receiver to exchange a secret key that is used to ensure the confidentiality of messages?
symmetric algorithms*
hashing algorithms
asymmetric algorithms
public key algorithms
21. What is an advantage in using a packet filtering firewall versus a
high-end firewall appliance?
Packet filters perform almost all the tasks of a high-end firewall at a fraction of the
cost.*
Packet filters provide an initial degree of security at the data-link and network layer.
Packet filters represent a complete firewall solution.
Packet filters are not susceptible to IP spoofing.
22. Refer to the exhibit.
CCNA Security v2.0 Final Exam q22
In the network that is shown, which AAA command logs the use of
EXEC session commands?
aaa accounting network start-stop group tacacs+
aaa accounting network start-stop group radius
aaa accounting connection start-stop group radius
aaa accounting exec start-stop group radius
aaa accounting connection start-stop group tacacs+
aaa accounting exec start-stop group tacacs+*
23. A network administrator enters the single-connection command.
What effect does this command have on AAA operation?
allows a new TCP session to be established for every authorization request
authorizes connections based on a list of IP addresses configured in an ACL on a Cisco ACS
server
allows a Cisco ACS server to minimize delay by establishing persistent TCP
connections*
allows the device to establish only a single connection with the AAA-enabled server
24. Which two practices are associated with securing the features and
performance of router operating systems? (Choose two.)
Install a UPS.
Keep a secure copy of router operating system images.*
Configure the router with the maximum amount of memory possible.*
Disable default router services that are not necessary.
Reduce the number of ports that can be used to access the router.
25. Which statement describes a characteristic of the IKE protocol?
It uses UDP port 500 to exchange IKE information between the security gateways.*
IKE Phase 1 can be implemented in three different modes: main, aggressive, or quick.
It allows for the transmission of keys directly across a network.
The purpose of IKE Phase 2 is to negotiate a security association between two IKE peers.
26. Refer to the exhibit.
CCNA Security v2.0 Final Exam q26
If a network administrator is using ASDM to configure a site-to-site
VPN between the CCNAS-ASA and R3, which IP address would the
administrator use for the peer IP address textbox on the ASA if data
traffic is to be encrypted between the two remote LANs?
209.165.201.1*
192.168.1.3
172.16.3.1
172.16.3.3
192.168.1.1
27. Refer to the exhibit.
CCNA Security v2.0 Final Exam q27
Based on the security levels of the interfaces on the ASA, what
statement correctly describes the flow of traffic allowed on the
interfaces?
Traffic that is sent from the LAN and the Internet to the DMZ is considered inbound.
Traffic that is sent from the DMZ and the Internet to the LAN is considered outbound.
Traffic that is sent from the LAN to the DMZ is considered inbound.
Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.*
28. What two assurances does digital signing provide about code that
is downloaded from the Internet? (Choose two.)
The code contains no errors.
The code contains no viruses.
The code has not been modified since it left the software publisher.*
The code is authentic and is actually sourced by the publisher.*
The code was encrypted with both a private and public key.
29. Which interface option could be set through ASDM for a Cisco
ASA?
default route
access list
VLAN ID*
NAT/PAT
30. What are two characteristics of a stateful firewall? (Choose two.)
uses connection information maintained in a state table*
uses static packet filtering techniques
analyzes traffic at Layers 3, 4 and 5 of the OSI model*
uses complex ACLs which can be difficult to configure
prevents Layer 7 attacks
31. What are three characteristics of SIEM? (Choose three.)
can be implemented as software or as a service*
Microsoft port scanning tool designed for Windows
examines logs and events from systems and applications to detect security threats*
consolidates duplicate event data to minimize the volume of gathered data*
uses penetration testing to determine most network vulnerabilities
provides real-time reporting for short-term security event analysis
32. Which type of traffic is subject to filtering on an ASA 5505 device?
public Internet to inside
public Internet to DMZ
inside to DMZ*
DMZ to inside
33. Which IDS/IPS signature alarm will look for packets that are
destined to or from a particular port?
honey pot-based
anomaly-based
signature-based*
policy-based
34. Which three actions can the Cisco IOS Firewall IPS feature be
configured to take when an intrusion activity is detected? (Choose
three.)
reset UDP connection
reset TCP connection*
alert*
isolate
inoculate
drop*
35. Which two protocols can be selected using the Cisco AnyConnect
VPN Wizard to protect the traffic inside a VPN tunnel? (Choose two.)
Telnet
SSH
SSL*
ESP
IPsec*
36. What is a characteristic of a role-based CLI view of router
configuration?
When a superview is deleted, the associated CLI views are deleted.
A single CLI view can be shared within multiple superviews.*
A CLI view has a command hierarchy, with higher and lower views.
Only a superview user can configure a new view and add or remove commands from the
existing views.
37. Match the network security testing technique with how it is used to test network security. (Not all options are used.)
CCNA Security v2.0 Final Exam q37
Penetration testing = used to determine the possible consequences of successful attacks on
the network.
Vulnerability scanning = used to find weaknesses and misconfigurations on network
systems.
Network scanning = used to discover available resources on the network.
38. Which statement describes the use of certificate classes in the PKI?
A class 5 certificate is more trustworthy than a class 4 certificate.*
Email security is provided by the vendor, not by a certificate.
The lower the class number, the more trusted the certificate.
A vendor must issue only one class of certificates when acting as a CA.
39. Refer to the exhibit.
CCNA Security v2.0 Final Exam q39
An administrator issues these IOS login enhancement commands to
increase the security for login connections. What can be concluded
about them?
Because the login delay command was not used, a one-minute delay between login attempts is
assumed.
The hosts that are identified in the ACL will have access to the device.*
The login block-for command permits the attacker to try 150 attempts before being stopped to
try again.
These enhancements apply to all types of login connections.
40. A company deploys a Cisco ASA with the Cisco CWS connector enabled as the firewall on the border of the corporate network. An employee on the internal network is accessing a public website. What should the employee do in order to make sure the web traffic is protected by the Cisco CWS?
Register the destination website on the Cisco ASA.
Use the Cisco AnyConnect Secure Mobility Client first.
Use a web browser to visit the destination website.*
First visit a website that is located on a web server in the Cisco CWS infrastructure.
41. An administrator assigned a level of router access to the user
ADMIN using the commands below.
Router(config)# privilege exec level 14 show ip route
Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10
Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10
Which two actions are permitted to the user ADMIN? (Choose two.)
The user can execute all subcommands under the show ip interfaces command.
The user can issue the show version command.*
The user can only execute the subcommands under the show ip route command.*
The user can issue all commands because this privilege level can execute all Cisco IOS
commands.
The user can issue the ip route command.
42. What mechanism is used by an ASA 5505 device to allow
inspected outbound traffic to return to the originating sender who is
on an inside network?
Network Address Translation
access control lists
security zones
stateful packet inspection*
43. Which two end points can be on the other side of an ASA site-to-
site VPN configured using ASDM? (Choose two.)
DSL switch
Frame Relay switch
ISR router*
another ASA*
multilayer switch
44. What Layer 2 attack is mitigated by disabling Dynamic Trunking
Protocol?
DHCP spoofing
ARP spoofing
VLAN hopping*
ARP poisoning
45. In an AAA-enabled network, a user issues the configure terminal command from the privileged EXEC mode of operation. What AAA function is at work if this command is rejected?
authorization*
authentication
auditing
accounting
46. An organization has configured an IPS solution to use atomic alerts. What type of response will occur when a signature is detected?
A counter starts and a summary alert is issued when the count reaches a preconfigured number.
The TCP connection is reset.
An alert is triggered each time a signature is detected.*
The interface that triggered the alert is shutdown.
47. What two algorithms can be part of an IPsec policy to provide encryption and hashing to protect interesting traffic? (Choose two.)
PSK
DH
RSA
AES*
SHA*
48. Fill in the blank.
A stateful signature is also known as a signature.
49. Why is hashing cryptographically stronger compared to a cyclic redundancy check (CRC)?
Hashes are never sent in plain text.
It is easy to generate data with the same CRC.
It is virtually impossible for two different sets of data to calculate the same hash output.*
Hashing always uses a 128-bit digest, whereas a CRC can be variable length.
50. A network analyst wants to monitor the activity of all new interns. Which type of security testing would track when the interns sign on and sign off the network?
vulnerability scanning
password cracking
network scanning
integrity checker*
51. Refer to the exhibit.
CCNA Security v2.0 Final Exam q51
What two pieces of information can be gathered from the generated message? (Choose two.)
This message is a level five notification message.*
This message indicates that service timestamps have been globally enabled.*
This message indicates that enhanced security was configured on the vty ports.
This message appeared because a major error occurred that requires immediate action.
This message appeared because a minor error occurred that requires further investigation.
52. What is required for auto detection and negotiation of NAT when establishing a VPN link?
Both VPN end devices must be configured for NAT.
No ACLs can be applied on either VPN end device.
Both VPN end devices must be NAT-T capable.*
Both VPN end devices must be using IPv6.
53. Refer to the exhibit.
CCNA Security v2.0 Final Exam q53
The network administrator is configuring the port security feature on switch SWC. The administrator issued the command show port-security interface fa 0/2 to verify the configuration. What can be concluded from the output that is shown? (Choose three.)
Three security violations have been detected on this interface.
This port is currently up.*
The port is configured as a trunk link.
Security violations will cause this port to shut down immediately.*
There is no device currently connected to this port.*
The switch port mode for this interface is access mode.
54. In which two instances will traffic be denied as it crosses the ASA 5505 device? (Choose two.)
traffic originating from the inside network going to the DMZ network
traffic originating from the inside network going to the outside network
traffic originating from the outside network going to the DMZ network
traffic originating from the DMZ network going to the inside network*
traffic originating from the outside network going to the inside network*
55. Refer to the exhibit.
CCNA Security v2.0 Final Exam q55
Based on the configuration that is shown, which statement is true about the IPS signature category?
Only signatures in the ios_ips advanced category will be compiled into memory for scanning.
All signature categories will be compiled into memory for scanning, but only those signatures within the ios_ips advanced category will be used for scanning purposes.
All signature categories will be compiled into memory for scanning, but only those signatures in the ios_ips basic category will be used for scanning purposes.
Only signatures in the ios_ips basic category will be compiled into memory for scanning.*
56. Which two ports can send and receive Layer 2 traffic from a community port on a PVLAN? (Choose two.)
community ports belonging to other communities
promiscuous ports*
isolated ports within the same community
PVLAN edge protected ports
community ports belonging to the same community*
57. What is a feature of the TACACS+ protocol?
It utilizes UDP to provide more efficient packet transfer.
It combines authentication and authorization as one process.
It encrypts the entire body of the packet for more secure communications.*
It hides passwords during transmission using PAP and sends the rest of the packet in plaintext.
58. Which security measure is best used to limit the success of a reconnaissance attack from within a campus area network?
Implement restrictions on the use of ICMP echo-reply messages.
Implement a firewall at the edge of the network.
Implement access lists on the border router.
Implement encryption for sensitive traffic.*
59. What is the benefit of the network-based IPS (NIPS) over host-based IPS (HIPS) deployment models?
NIPS provides individual host protection.
NIPS relies on centrally managed software agents.
NIPS monitors all operations within an operating system.*
NIPS monitors network segments.
60. What represents a best practice concerning discovery protocols such as CDP and LLDP on network devices?
Enable CDP on edge devices, and enable LLDP on interior devices.
Use the default router settings for CDP and LLDP.
Use the open standard LLDP rather than CDP.
Disable both protocols on all interfaces where they are not required.*
61. What function is provided by the Tripwire network security tool?
password recovery
security policy compliance*
IDS signature development
logging of security events
62. What is the function of a policy map configuration when an ASA firewall is being configured?
binding class maps with actions*
identifying interesting traffic
binding a service policy to an interface
using ACLs to match traffic
63. If a network administrator wants to track the usage of FTP services, which keyword or keywords should be added to the aaa accounting command?
exec default
connection
exec*
network
64. What is indicated by the use of the local-case keyword in a local AAA authentication configuration command sequence?
That AAA is enabled globally on the router.
That passwords and usernames are case-sensitive.*
That a default local database AAA authentication is applied to all lines.
That user access is limited to vty terminal lines.
65. What is the purpose of a local username database if multiple ACS servers are configured to provide authentication services?
Clients using internet services are authenticated by ACS servers, whereas local clients are authenticated through a local username database.
Each ACS server must be configured with a local username database in order to provide authentication services.
A local username database is required when creating a method list for the default login.
A local username database provides redundancy if ACS servers become unreachable.
66. Which security implementation will provide control plane protection for a network device?
encryption for remote access connections
AAA for authenticating management access
routing protocol authentication*
NTP for consistent timestamps on logging messages
67. What are two reasons to enable OSPF routing protocol authentication on a network? (Choose two.)
to ensure more efficient routing
to prevent data traffic from being redirected and then discarded*
to ensure faster network convergence
to prevent redirection of data traffic to an insecure link*
to provide data security through encryption
68. A security awareness session is best suited for which topic?
required steps when reporting a breach of security*
the primary purpose and use of password policies
steps used to configure automatic Windows updates
how to install and maintain virus protection