QUESTION 1 John is the security administrator at Cisco Highway Inc. and his job is to view event logs. Which statement about the live event log is true?
A. With the event log, the administrator can pause, and then filter the live event log.
B. The live event log can filter events by various criteria.
C. As events occur, the live event log automatically updates.
D. The live event log automatically updates the display every six seconds.
Answer: C
Explanation: Monitoring | Live Event Log
Pause Display/Resume Display: To pause the display, click Pause Display. While paused, the screen does not display new events, the button changes to Resume Display, and the timer counts down to 0 and stops. You can still scroll through the event log. Click the button to resume the display of new events and restart the timer.
Clear Display: To clear the event display, click Clear Display. This action does not clear the event log, only the display of events on this screen.
Restart: To clear the event display and reload the entire event log in the display, click Restart.
Timer: The timer counts 5 - 4 - 3 - 2 - 1 to show where it is in the 5-second refresh cycle. A momentary Rx indicates receipt of new events. A steady 0 indicates the display has been paused.
The screen always displays the most recent event at the bottom. Use the scroll bar to view earlier events. To filter and display events by various criteria, see the Monitoring | Filterable Event Log section above.
Reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00800bcd4e.html#xtocid6
QUESTION 2 Kathy, the security administrator at Cisco Highway Inc., wants to know more about authentication. One of the first things she has to do is learn how user authentication is enabled on the Cisco VPN 3002. How is it enabled? (Choose two)
A. Pushed down to the Cisco VPN 3002.
B. Pushed down to the Cisco VPN Concentrator.
C. Checked on the Cisco VPN Concentrator
D. Unchecked on the Cisco VPN 3002.
Answer: A C
Explanation: You configure individual user authentication on the VPN Concentrator, which pushes the policy to the VPN 3002.
Reference: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/4_0/index.htm
QUESTION 3 Jason from the security department was given the assignment to match the Cisco VPN key with its description.
Answer:
Explanation: The Diffie-Hellman (D-H) key agreement is a public key encryption method that provides a way for two IPSec peers to establish a shared secret key that only they know, although they are communicating over an insecure channel. With D-H, each peer generates a public and private key pair. The private key generated by each peer is kept secret and never shared. The public key is calculated from the private key by each peer and is exchanged over the insecure channel. Each peer combines the other's public key with its own private key and computes the same shared secret number, from which the shared secret key is derived. The shared secret key itself is never exchanged over the insecure channel.
Reference: Cisco Secure Virtual Private Network (Cisco Press) pages 18-20
QUESTION 4 Jason, the security administrator at Cisco Highway Inc., was given the assignment to match the following order. In IPSec main mode, match the two-way exchanges between the initiator and receiver with their descriptions.
Answer:
Explanation: Main Mode
Main mode provides a way to establish the first phase of an IKE SA, which is then used to negotiate future communications. The first step, securing an IKE SA, occurs in three two-way exchanges between the sender and the receiver. In the first exchange, the sender and receiver agree on basic algorithms and hashes. In the second exchange, public keys are sent for a Diffie-Hellman exchange. Nonces (random numbers each party must sign and return to prove their identities) are then exchanged. In the third exchange, identities are verified, and each party is assured that the exchange has been completed.
Reference: Cisco Secure Virtual Private Network (Cisco Press) page 27
QUESTION 5 Kathy and Jason, the security department heads, are in charge of configuring a bandwidth policy. They know that configuring a bandwidth policing policy is a two-step process: configuring, then applying the policy. Where are the configured bandwidth policies applied on the VPN Concentrator? (Choose two)
A. It must be applied to an interface.
B. It can optionally be applied to an interface.
C. The bandwidth policy must be applied to a group.
D. It can be optionally applied to a group.
E. It must be applied to a LAN-to-LAN tunnel.
F. It can be optionally applied to a LAN-to-LAN tunnel.
Answer: C E
Explanation: The bandwidth policy is applied to each group, and users within a group share the service policy applied to the group. The sample configuration uses the service policy on the outbound of the interface.
Reference: http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns109/networking_solutions_white_paper09186a0080187151.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml
QUESTION 6 James, the security administrator for Cisco Highway Inc., is working with IKE. His job is to know what the three functions of IKE Phase 2 are. (Choose three)
A. IKE uses aggressive mode.
B. IKE can optionally perform an additional DH exchange.
C. IKE periodically renegotiates IPSec SAs to ensure security.
D. IKE negotiates IPSec SA parameters protected by an existing IKE SA.
E. IKE verifies the other side's identity.
F. IKE uses main mode.
Answer: B C D
Explanation: Step 2 Determine IPSec (IKE Phase Two) Policy
- Negotiates IPSec SA parameters protected by an existing IKE SA
- Establishes IPSec security associations
- Periodically renegotiates IPSec SAs to ensure security
- Optionally performs an additional Diffie-Hellman exchange
Reference: Cisco Secure Virtual Private Networks (Cisco Press) page 28
QUESTION 7 James, the security administrator for Cisco Highway Inc., is working on VPNs. If the VPN is owned and managed by Cisco Highway Inc. corporate security, which product would he choose?
A. 2900
B. 3030
C. 3660
D. PIX Firewall 500
E. PIX Firewall 515
Answer: E
Explanation: This is a tough question; the best choice would be A because of the additional security features of the firewall. Use your best judgment.
QUESTION 8 Kathy is the security administrator at Cisco Highway Inc. and is working with the Cisco VPN Client. Her job today is to know which firewall is supported by the Cisco VPN Client "Are You There" feature.
A. Supported by Zone Labs
B. Supported by Cisco Integrated Client firewall
C. Supported by CyberGuard
D. Supported by Symantec
Answer: A
Explanation: The VPN Client on the Windows platform includes a stateful firewall that incorporates Zone Labs technology. This firewall is used for both the Stateful Firewall (Always On) feature and the Centralized Protection Policy (see "Centralized Protection Policy (CPP)").
Reference: VPN Client Administrator Guide 4.0
QUESTION 9 John, the Jr. security administrator at Cisco Highway Inc., does not understand how Cisco solved the PAT translation issue. How was it solved?
A. They wrap a standard IKE packet with a UDP port number.
B. They changed the IKE TCP port number from a well known to a dynamically assigned port number.
C. They changed the IPSec TCP port number from a well known to a dynamically assigned port number.
D. They wrap a standard IPSec packet with a UDP port number.
Answer: D
Explanation: NAT-T (NAT Traversal) lets IPSec peers establish a LAN-to-LAN connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary.
Reference: VPN 3000 Series Concentrator Reference Volume I: Configuration
QUESTION 10 When configuring CPP, which statement is true?
A. CPP is enabled in both the Cisco VPN Client and Cisco VPN Concentrator.
B. CPP is enabled in the Cisco VPN Client, Cisco VPN Concentrator, and firewall.
C. CPP is enabled on the Cisco VPN Concentrator only.
D. CPP is enabled in the Cisco VPN Concentrator and firewall.
Answer: C
Explanation: Centralized Protection Policy (CPP)
Centralized Protection Policy (CPP), also known as firewall push policy, lets a network administrator define a set of rules for allowing or dropping Internet traffic while the VPN Client is tunneled in to the VPN Concentrator. A network administrator defines this policy on the VPN Concentrator, and the policy is sent to the VPN Client during connection negotiation. The VPN Client passes the policy to the Cisco Integrated Client, which then enforces the policy. If the client user has already selected the "Always On" option, any more restrictive rules are enforced for Internet traffic while the tunnel is established. Since CIC includes a stateful firewall module, most configurations block all inbound traffic and permit either all outbound traffic or traffic through specific TCP and UDP ports outbound. Cisco Integrated Client, Zone Alarm, and Zone Alarm Pro firewalls can assign firewall rules. CPP rules are in effect during split tunneling and help protect the VPN Client PC from Internet attacks by preventing servers from running and by blocking any inbound connections unless they are associated with outbound connections. CPP provides more flexibility than the Stateful Firewall (Always On) feature, since with CPP you can refine the ports and protocols that you want to permit.
Reference: VPN Client Administrator Guide 4.0