Free Cisco Certification

350-018 : CCIE Pre-Qualification Test for Security

QUESTION 61 Which well-known ports are used for DNS when taking RFC 1700 into account?

A. TCP and UDP 23.

B. UDP 53 only.

C. TCP and UDP 53.

D. UDP and TCP 69.

Answer: C

Explanation: DNS is an application-layer name-space translation protocol. RFC 1700 (Assigned Numbers) lists port 53 for the DNS server on both TCP and UDP: UDP carries ordinary queries, while TCP is used for zone transfers and for responses too large to fit in a single UDP datagram.

QUESTION 62 The newly appointed Cisco Highway trainee technician wants to know what the purpose of Lock & Key is. What will your reply be?

A. Lock & Key secures the console port of the router so that even users with physical access to the router cannot gain access without entering the proper sequence.

B. Lock & Key permits Telnet to the router and has temporary access lists applied after issuance of the access-enable command.

C. Lock & Key requires additional authentication for traffic travelling through the PIX for TTAP compliance.

D. Lock & Key is to prevent users from getting into enable mode.

Answer: B

Explanation: Lock-and-key access lets you set up dynamic access lists that grant a specific user access to a specific source/destination host through a user authentication process, so you can allow user access through a firewall dynamically without compromising the security restrictions. The operation is as follows: a user opens a Telnet session to a border router configured for lock-and-key access; the Cisco IOS software receives the Telnet packet and performs a user authentication process, which the user must pass before access is allowed; the authentication can be done by the router itself or by a central access server such as a TACACS+ or RADIUS server. Once the user is authenticated, the access-enable command (run automatically through autocommand, or typed by the user) creates the temporary entry in the dynamic access list, and that entry is removed again when its idle or absolute timeout expires.

QUESTION 63 Besides Kerberos port traffic, what additional service do the router and the Kerberos server use in implementing Kerberos authentication on the router?

A. TCP

B. Telnet

C. DNS

D. FTP

E. ICMP

F. None of the above.

Answer: B

Explanation: The network services supported by the Kerberos authentication capabilities in Cisco IOS software are Telnet, rlogin, rsh and rcp. Of the options listed, Telnet is the service that accompanies the Kerberos (port 88) traffic between the router and the KDC.

QUESTION 64 What is the default port used for web-based SSL (Secure Sockets Layer) communication?

A. TCP and UDP 1025.

B. TCP and UDP 443.

C. TCP 80.

D. TCP and UDP 1353.

Answer: B

Explanation: Secure Sockets Layer (SSL) is an application-level protocol that enables secure transactions of data through privacy, authentication and data integrity. It relies upon certificates, public keys and private keys. Port 443 is the assigned port for HTTPS; the assigned-numbers registry lists it for both TCP and UDP, although SSL itself runs over TCP. When a device terminates SSL in front of a web server there are two common arrangements. First: use 443 (generally used for SSL transactions) as the SSL TCP service port and also 443 as the clear-text port, and configure the server not to use SSL and to listen on port 443; requests to TCP service port 80 are serviced normally. Second: use 443 as the SSL TCP service port and 81 (or another unused port) as the clear-text port, and configure the server to listen on port 81; requests to TCP service port 80 are again serviced normally.

QUESTION 65 What is the sequence number in the TACACS+ protocol? (Choose all that apply.)

A. It is an identical number contained in every packet.

B. The sequence number is a number that must start with 1 (for the first packet in the session) and increment each time a request or response is sent.

C. The sequence number is always an odd number when sent by the client.

D. The sequence number is always an even number when sent by the client and odd when sent by the daemon.

Answer: B, C

Explanation: seq_no is the sequence number of the current packet for the current session. The first TACACS+ packet in a session must have the sequence number 1, and each subsequent packet increments the sequence number by 1. Thus clients (such as the NAS) send only packets containing odd sequence numbers, and TACACS+ daemons send only packets containing even sequence numbers. The sequence number must never wrap: if the sequence number 2^8-1 is ever reached, that session must terminate and be restarted with a sequence number of 1. (CCIE Professional Development: Network Security Principles and Practices, Saadat Malik, p. 496)
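The header layout and the seq_no rules above are easy to state and easy to get wrong in a packet parser. The following Python is an added example (not code from the page or from any Cisco product) that decodes the fixed 12-byte TACACS+ header and then enforces the rules on a whole session: start at 1, increment by 1, odd from the client, even from the daemon, constant session_id, and no wrap past 255. The packets it checks are constructed test data with empty bodies; the helper names (build_header, SeqTracker, audit_session) are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed 12-byte TACACS+ header, big-endian:
#   version(1) type(1) seq_no(1) flags(1) session_id(4) length(4)
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 12
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01                            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01                  # body is clear text (lab use only)
MAX_SEQ = 2 ** 8 - 1                              # 255: the counter must never wrap


@dataclass
class TacacsHeader:
    major: int
    minor: int
    pkt_type: int
    seq_no: int
    flags: int
    session_id: int
    length: int


def parse_header(data: bytes) -> TacacsHeader:
    """Decode the header; the version byte packs major (high nibble) and minor (low nibble)."""
    if len(data) < HEADER_LEN:
        raise ValueError("short packet: %d bytes, need %d" % (len(data), HEADER_LEN))
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("unsupported major version 0x%x" % (version >> 4))
    return TacacsHeader(version >> 4, version & 0xF, pkt_type, seq_no, flags, session_id, length)


def build_header(seq_no: int, session_id: int = 0x1234ABCD, body_len: int = 0) -> bytes:
    """Constructed test data: an authentication header with an empty, unencrypted body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0x0
    return struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no & 0xFF,
                       TAC_PLUS_UNENCRYPTED_FLAG, session_id, body_len)


class SeqTracker:
    """Enforce the seq_no rules for one session: the first packet carries 1, each
    packet increments by 1, odd numbers come from the client (NAS), even numbers
    from the daemon, the session_id stays constant, and the counter never wraps."""

    def __init__(self) -> None:
        self.expected = 1
        self.session_id: Optional[int] = None
        self.exhausted = False

    def check(self, hdr: TacacsHeader, from_client: bool) -> str:
        if self.exhausted:
            return "session reached seq_no %d; must restart with seq_no 1" % MAX_SEQ
        if self.session_id is None:
            self.session_id = hdr.session_id
        elif hdr.session_id != self.session_id:
            return "session_id changed mid-session: 0x%08x" % hdr.session_id
        if hdr.seq_no != self.expected:
            return "out of order: got %d, expected %d" % (hdr.seq_no, self.expected)
        if from_client and hdr.seq_no % 2 == 0:
            return "client packet with even seq_no %d" % hdr.seq_no
        if not from_client and hdr.seq_no % 2 == 1:
            return "daemon packet with odd seq_no %d" % hdr.seq_no
        self.expected += 1
        if hdr.seq_no == MAX_SEQ:
            self.exhausted = True          # next packet must belong to a new session
        return "ok"


def audit_session(packets: List[Tuple[bytes, bool]]) -> List[str]:
    """Run every (raw_packet, from_client) pair of one session through the tracker."""
    tracker = SeqTracker()
    return [tracker.check(parse_header(raw), from_client) for raw, from_client in packets]


if __name__ == "__main__":
    # Constructed exchange: START (NAS), REPLY (daemon), CONTINUE (NAS).
    good = [(build_header(1), True), (build_header(2), False), (build_header(3), True)]
    print(audit_session(good))           # ['ok', 'ok', 'ok']
    # Daemon reply skips a number, then a client packet arrives with an even seq_no.
    bad = [(build_header(1), True), (build_header(3), False), (build_header(2), True)]
    print(audit_session(bad))
```

The tracker deliberately does not advance on a rejected packet, so a daemon that skips a number is reported once and the client's next correctly numbered packet is still judged against the original expectation. The wrap rule is modelled by marking the session exhausted after seq_no 255 rather than by resetting the counter, which is what the specification requires of a real implementation.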

QUESTION 66 The Cisco Highway network administrator is troubleshooting a problem with FTP services. What will the administrator encounter if a device blocks the data connection?

A. The administrator will experience very slow connect times.

B. Incomplete execution, when issuing commands like "pwd" or "cd".

C. User login problems will occur.

D. Failure when listing a directory.

E. No problems at all.

Answer: D

Explanation: FTP uses two TCP connections. Login and commands such as pwd and cd are completed entirely on the control connection, so they keep working; directory listings and file transfers are carried on a separate data connection, so they are what fails when a device blocks it. The following is drawn from a CERT advisory on FTP. In PASV mode the client makes a control connection to the FTP server (typically port 21/tcp) and requests a passive data connection; the server responds by listening for the client's connection on a port number that it supplies to the client over the control connection. In active mode, by contrast, the server performs the active open from its port 20 to the client. The original specification had the client do a passive open on the same port it used for the control connection, but for better or worse most current FTP clients do not behave that way; they announce a fresh port with the PORT command instead.
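To see which commands survive a blocked data channel, and what a stateful firewall or FTP inspection engine has to learn from the control channel to permit that data connection, here is an added Python example (not from the page or from any vendor code). It parses the server's 227 PASV reply and the client's PORT command into the endpoints they announce, replays a constructed control-channel transcript, and reports for each command whether it needs a data connection and which (source, destination) pair that connection uses. The transcript, addresses and helper names (walk_session, parse_pasv, parse_port) are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Commands answered entirely on the control connection (server port 21/tcp).
CONTROL_ONLY = {"USER", "PASS", "SYST", "PWD", "CWD", "CDUP", "TYPE", "PASV", "PORT", "QUIT"}
# Commands whose payload (listing or file) travels on a separate data connection.
NEEDS_DATA = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE"}

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the server says where the client must connect.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "PORT h1,h2,h3,h4,p1,p2": the client says where the server must connect from port 20.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)

Flow = Tuple[str, object, str, int]   # (src_ip, src_port or "ephemeral", dst_ip, dst_port)


def _endpoint(groups) -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % (groups,))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv(reply: str) -> Tuple[str, int]:
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return _endpoint(m.groups())


def parse_port(command: str) -> Tuple[str, int]:
    m = PORT_RE.match(command)
    if not m:
        raise ValueError("not a PORT command: %r" % command)
    return _endpoint(m.groups())


def walk_session(transcript, client_ip: str, server_ip: str, data_blocked: bool = False):
    """Replay (command, reply) pairs of one control session. For each command return
    (command, outcome, flow): flow is the data connection a firewall must permit for
    it, or None when the command lives on the control connection alone."""
    results: List[Tuple[str, str, Optional[Flow]]] = []
    pending: Optional[Flow] = None
    for command, reply in transcript:
        verb = command.split()[0].upper()
        if verb == "PASV":
            host, port = parse_pasv(reply)
            if host != server_ip:          # a server announcing some other host is suspect
                results.append((command, "warning: PASV host %s is not the server" % host, None))
                continue
            pending = (client_ip, "ephemeral", host, port)     # client connects out
        elif verb == "PORT":
            host, port = parse_port(command)
            pending = (server_ip, 20, host, port)              # server connects in from port 20
        if verb in NEEDS_DATA:
            if pending is None:
                results.append((command, "error: no PASV or PORT before data command", None))
                continue
            flow, pending = pending, None
            outcome = "fails: data connection blocked" if data_blocked else "ok"
            results.append((command, outcome, flow))
        else:
            results.append((command, "ok", None))
    return results


# Constructed transcript of a passive-mode session (replies abbreviated).
SESSION = [
    ("USER alice", "331 Password required"),
    ("PASS s3cret", "230 Logged in"),
    ("PWD", '257 "/" is current directory'),
    ("CWD /pub", "250 Directory changed"),
    ("PASV", "227 Entering Passive Mode (192,0,2,10,195,89)"),
    ("LIST", "150 Opening data connection"),
]

if __name__ == "__main__":
    for cmd, outcome, flow in walk_session(SESSION, "198.51.100.7", "192.0.2.10", data_blocked=True):
        print("%-12s %-32s %s" % (cmd, outcome, flow or ""))
```

Run as-is, login, pwd and cd all report ok and only LIST fails, which is exactly the symptom in the question. The same walk shows why a packet filter without FTP inspection has to open either the server's ephemeral PASV ports inbound or port 20 outbound, and why an FTP engine should refuse a 227 reply that names a host other than the server it is talking to.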

QUESTION 67 Which of the following describes the principle on which a Denial of Service (DoS) attack works?

A. MS-DOS and PC-DOS operating systems using a weak security protocol.

B. Overloaded buffer systems can easily address error conditions and respond appropriately.

C. Host systems are incapable of responding to real traffic if they have an overwhelming number of incomplete connections (SYN_RCVD state).

D. All CLIENT systems have TCP/IP stack compromisable implementation weaknesses and permit them to launch an attack easily.

E. A server ceases accepting connections from certain networks as soon as they become flooded.

Answer: C

Explanation: Denial-of-service (DoS) attacks attempt to starve a host of the resources it needs to function correctly (Network Intrusion Detection, 3rd edition, Stephen Northcutt and Judy Novak, p. 93). Option C describes exactly that principle: a SYN flood fills the target's table of half-open connections in the SYN_RCVD state, so it can no longer answer legitimate traffic. Option A is meaningless, B and D are false (an overloaded buffer does not "easily" handle errors, and not all client stacks are exploitable), and E describes a possible symptom, not the principle of the attack.

QUESTION 68 The newly appointed Cisco Highway trainee technician wants to know what classification of attack global deployment of RFC 2827 (ingress and egress filtering) would help mitigate. What will your reply be?

A. Sniffing attack

B. Denial of service attack

C. Spoofing attack

D. Reconnaissance attack

E. Port Scan attack

F. All of the above.

Answer: C

Explanation: RFC 2827 is titled "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing". It asks every network to drop packets entering from (ingress) or leaving toward (egress) a neighbour when the source address is one that neighbour could not legitimately hold. Deployed globally, that removes the attacker's ability to spoof source addresses, which is the classification the filtering targets; it does not stop sniffing, reconnaissance or port scans, and it does not stop a DoS launched with genuine addresses.
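The filter RFC 2827 describes is a plain source-prefix check, but the decision differs by interface: on the customer-facing interface only the customer's delegated block may appear as a source, while on the Internet-facing interface our own space must never appear as a source. The Python below is an added example (not from the page, the RFC or any Cisco product) of both checks, going one step beyond the RFC by also rejecting private and reserved (bogon) sources on the upstream side, and it renders the customer-facing rule as the equivalent Cisco IOS extended ACL. The prefixes (RFC 5737 documentation ranges), the class name Bcp38Filter and the ACL name BCP38-IN are this example's own assumptions.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Address space with no business appearing as a source on an Internet-facing interface
# (RFC 1918, loopback, link-local, "this" network, multicast). Not part of RFC 2827
# itself; added here as the usual companion to its delegated-prefix check.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def _networks(prefixes: Iterable[str]):
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def _contains(nets, addr) -> bool:
    return any(addr in n for n in nets)


class Bcp38Filter:
    """Source-address filter for a provider edge router (RFC 2827 / BCP 38).

    customer_prefixes: the address block(s) delegated to the downstream network;
    own_prefixes:      everything the provider itself originates (customers included).
    """

    def __init__(self, customer_prefixes: Iterable[str], own_prefixes: Iterable[str]) -> None:
        self.customer = _networks(customer_prefixes)
        self.own = _networks(own_prefixes)

    def check(self, ingress_from: str, src: str) -> Tuple[str, str]:
        """Return ("permit"|"deny", reason) for a packet with source `src` arriving on
        the 'customer' interface or on the 'upstream' (Internet-facing) interface."""
        addr = ipaddress.ip_address(src)
        if ingress_from == "customer":
            # Ingress filtering proper: the customer may only originate from its delegated block.
            if _contains(self.customer, addr):
                return "permit", "source inside delegated prefix"
            return "deny", "source %s not delegated to this customer (spoofed)" % src
        if ingress_from == "upstream":
            # Anti-spoof inbound: nobody outside may claim an address we own, or a bogon.
            if _contains(self.own, addr):
                return "deny", "source %s claims an address inside our own space" % src
            if _contains(BOGONS, addr):
                return "deny", "source %s is a bogon/private address" % src
            return "permit", "source is a plausible external address"
        raise ValueError("unknown interface role %r" % ingress_from)

    def ios_acl(self, name: str = "BCP38-IN") -> List[str]:
        """Render the customer-facing ingress check as a Cisco IOS extended ACL
        (IOS wildcard masks are the inverse of the subnet mask, i.e. the host mask)."""
        lines = ["ip access-list extended %s" % name]
        for net in self.customer:
            lines.append(" permit ip %s %s any" % (net.network_address, net.hostmask))
        lines.append(" deny ip any any log")
        return lines


if __name__ == "__main__":
    # Constructed example: the customer holds 203.0.113.0/24; the provider also owns 198.51.100.0/24.
    f = Bcp38Filter(["203.0.113.0/24"], ["198.51.100.0/24", "203.0.113.0/24"])
    for role, src in [("customer", "203.0.113.7"), ("customer", "192.0.2.9"),
                      ("upstream", "203.0.113.7"), ("upstream", "10.1.1.1"), ("upstream", "192.0.2.9")]:
        print("%-9s %-14s %s" % (role, src, f.check(role, src)))
    print("\n".join(f.ios_acl()))
```

The generated ACL is applied inbound on the customer-facing interface (`ip access-group BCP38-IN in`); the "deny ... log" line is what lets you find the hosts that are spoofing. Note that the upstream-side check only catches packets claiming your own or a bogon address: a packet spoofed with some third party's address is indistinguishable to you, which is why the RFC's benefit depends on global deployment.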

QUESTION 69 The CEO of Cisco Highway wants to know which security programs can effectively protect your network against password sniffer programs. (Choose all that apply.)

A. IPSec, due to it encrypting data.

B. RLOGIN, because of its incapacity to send passwords.

C. Kerberos, due to its ability to encrypt passwords.

D. One-time passwords, because the passwords always change.

E. Use of POP e-mail, because it is better than using SMTP.

Answer: A, D

Explanation: A sniffer only helps an attacker if it captures something reusable. IPsec encrypts the traffic, so the captured bytes are ciphertext; a one-time password is worthless once used, even if captured in the clear. rlogin sends credentials in the clear (or trusts .rhosts), and POP transmits the password in clear text by default.

QUESTION 70 Exhibit: Host 1 and Host 2 are on Ethernet LANs in different buildings. A serial line is installed between two Cisco routers using Cisco HDLC serial line encapsulation. Routers A and B are configured to route IP traffic. Host 1 sends a packet to Host 2. A line hit on the serial line causes an error in the packet. How is a retransmission sent when this specific error is detected?

A. Host 1

B. Host 2

C. Router A

D. Router B

E. Protocol analyzer

Answer: A

Explanation: Cisco HDLC frames carry a frame check sequence but the encapsulation has no acknowledgement or retransmission mechanism (unlike LAPB or X.25). Router B detects the CRC error and silently discards the damaged frame; Router A is never told and keeps no copy to resend. Recovery is left to the end-to-end transport protocol: if Host 1 is using TCP, its retransmission timer (or duplicate ACKs from Host 2) causes Host 1 to resend the segment. A protocol analyzer only observes the line and retransmits nothing.
