Network Security Practice Final Flashcards

(64 cards)

1
Q

Which two statements are true about ASA standard ACLs? (Choose two.)

a) They identify only the destination IP address.

b) They are the most common type of ACL.

c) They are applied to interfaces to control traffic.

d) They specify both the source and destination MAC address.

e) They are typically only used for OSPF routes.

A

Answer:
a) They identify only the destination IP address.
e) They are typically only used for OSPF routes.

Explanation:
ASA standard ACLs match on destination IP (unlike IOS standard ACLs, which match source). They’re mainly used for OSPF.

Cisco Explanation:
ASA standard ACLs are used to identify the destination IP addresses, unlike IOS ACLs where a standard ACL identifies the source host/network. They are typically only used for OSPF routes and can be used in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic.

2
Q

When dynamic NAT on an ASA is being configured, what two parameters must be specified by network objects? (Choose two.)

a) The inside NAT interface

b) The interface security level

c) The outside NAT interface

d) A range of private addresses that will be translated

e) The pool of public global addresses

A

Answer:
d) A range of private addresses that will be translated
e) The pool of public global addresses

Explanation:
Dynamic NAT needs an inside local range and a global address pool, both defined via network objects.

Cisco Explanation:
On an ASA, both the pool used as inside global and the internal private addresses to translate are configured through network objects.

3
Q

Which protocol uses X.509 certificates to support mail protection performed by mail agents?

a) IPsec

b) SSL

c) S/MIME

d) EAP-TLS

A

Answer:
c) S/MIME

Explanation:
S/MIME uses X.509 certificates for email signing/encryption.

Cisco Explanation:
User email agents use S/MIME to support email protection. S/MIME uses X.509 certificates.

4
Q

What are two security features commonly found in a WAN design? (Choose two.)

a) WPA2 for data encryption of all data between sites

b) Firewalls protecting the main and remote sites

c) Outside perimeter security including continuous video surveillance

d) Port security on all user-facing ports

e) VPNs used by mobile workers between sites

A

Answer:
b) Firewalls protecting the main and remote sites
e) VPNs used by mobile workers between sites

Explanation:
Typical WAN security: perimeter firewalls and VPNs for remote/mobile users.

Cisco Explanation:
WANs commonly include firewalls at each site and VPNs used by remote workers between sites.

5
Q

What is an appropriate use for class 5 digital certificates?

a) Used for online business transactions between companies

b) Used for private organizations or government security

c) Used by organizations for which proof of identity is required

d) Used for testing in situations in which no checks have been performed

A

Answer:
b) Used for private organizations or government security

Explanation:
Higher class → more trust. Class 5 is the most trusted (gov/private org security).

Cisco Explanation:
Class numbers range 0–5. Class 5 is the most trusted and used for private organizations or governmental security.

6
Q

Which two statements are characteristics of a virus? (Choose two.)

a) A virus typically requires end-user activation.

b) A virus has an enabling vulnerability, a propagation mechanism, and a payload.

c) A virus replicates itself by independently exploiting vulnerabilities in networks.

d) A virus provides the attacker with sensitive data, such as passwords.

e) A virus can be dormant and then activate at a specific time or date.

A

Answer:
a) A virus typically requires end-user activation.
e) A virus can be dormant and then activate at a specific time or date.

Explanation:
Viruses need user action (e.g., open file) and can have time-based triggers.

Cisco Explanation:
End-user interaction (opening an app/web page or powering on) typically launches a virus. Once activated, it may infect other files locally or on the LAN.

7
Q

Match the information security component with the description.

A

Answer:

Confidentiality — Only authorized individuals, entities or processes can access sensitive information.

Integrity — Data is protected from unauthorized alteration.

Availability — Authorized users must have uninterrupted access to important resources and data.

Explanation:
CIA triad: Confidentiality, Integrity, Availability.

Cisco Explanation:
(As taught) Confidentiality prevents disclosure, integrity prevents unauthorized modification, availability ensures timely access.

8
Q

Match the security policy with the description. (Not all options are used.)

A

Answer:

Identifies network applications/uses acceptable to the org — Acceptable Use Policy (AUP)

Identifies how remote users access the network — Remote Access Policy

Specifies who is authorized and identity verification — Identification and Authentication Policy

Specifies OS/app update procedures — Network Maintenance Policy

Explanation:
Each policy governs a specific control domain (use, remote access, identity, maintenance).

Cisco Explanation:
Matches as listed in the answer above.

9
Q

How does the service password-encryption command enhance password security on Cisco routers and switches?

a) It encrypts passwords as they are sent across the network.

b) It encrypts passwords that are stored in router or switch configuration files.

c) It requires that a user type encrypted passwords for console access.

d) It requires encrypted passwords for Telnet connections.

A

Answer:
b) It encrypts passwords that are stored in router or switch configuration files.

Explanation:
It obfuscates plaintext passwords in the config (type 7).

Cisco Explanation:
The command encrypts plaintext passwords in the configuration so unauthorized users cannot view them.

10
Q

Which benefit does SSH offer over Telnet for remotely managing a router?

a) Encryption

b) TCP usage

c) Authorization

d) Connections via multiple VTY lines

A

Answer:
a) Encryption

Explanation:
SSH encrypts session data; Telnet does not.

Cisco Explanation:
SSH provides secure access, with stronger authentication and encryption for the session.

11
Q

Refer to the exhibit. Which statement about the JR-Admin account is true?

a) JR-Admin can issue show, ping, and reload commands.

b) JR-Admin can issue ping and reload commands.

c) JR-Admin can issue only ping commands.

d) JR-Admin can issue debug and reload commands.

e) JR-Admin cannot issue any command because the privilege level does not match one of those defined.

A

Answer:
b) JR-Admin can issue ping and reload commands.

Explanation:
username … privilege 10 permits commands at priv level ≤10 (commonly includes show/ping/reload depending on mapping).

Cisco Explanation:
When username name privilege 10 is issued, access to commands with privilege level 10 or less is permitted.

12
Q

What protocol is used by SCP for secure transport?

a) IPSec

b) HTTPS

c) SSH

d) Telnet

e) TFTP

A

Answer:
c) SSH

Explanation:
SCP is built on SSH for secure file copy.

Cisco Explanation:
SCP provides a secure, authenticated method of copying router configs using SSH.

13
Q

What type of syslog message is displayed with severity level 5?

a) Warning

b) Notification

c) Informational

d) Debugging

A

Answer:
b) Notification

Explanation:
Syslog level 5 = Notification, 6 = Informational, 7 = Debug.

Cisco Explanation:
The severity level is used to provide an explanation for the event or error that is occurring within the Cisco IOS.

The smaller the number of the severity level, the more critical the event. A Syslog message with a level 5 is considered a notification message.

14
Q

What command must be issued on a Cisco router that will serve as an authoritative NTP server?

a) ntp master 1

b) ntp server 172.16.0.1

c) ntp broadcast client

d) clock set 11:00:00 DEC 20 2010

A

Answer:
a) ntp master 1

Explanation:
ntp master makes the router act as an NTP master (stratum given).

Cisco Explanation:
Routers serving as NTP masters use ntp master. Clients use ntp server x.x.x.x.

15
Q

A server log entry says: User student accessed host server ABC using Telnet yesterday for 10 minutes. What type of log entry is this?

a) Authentication

b) Authorization

c) Accounting

d) Accessing

A

Answer:
c) Accounting

Explanation:
Accounting logs what/when/how long resources are used.

Cisco Explanation:
Accounting records resource usage: what was accessed, duration, and changes.

16
Q

Which three types of views are available with role-based CLI access? (Choose three.)

a) Superuser view

b) Root view

c) Superview

d) CLI view

e) Admin view

f) Config view

A

Answer:
b) Root view
c) Superview
d) CLI view

Explanation:
RBAC supports root, CLI view, and superview.

Cisco Explanation:
Three types: root view, CLI view, superview.

17
Q

Purpose of ip ospf message-digest-key key md5 password and area area-id authentication message-digest?

a) To encrypt OSPF routing updates

b) To enable OSPF MD5 authentication on a per-interface basis

c) To configure OSPF MD5 authentication globally on the router

d) To facilitate neighbor adjacencies

A

Answer:
c) To configure OSPF MD5 authentication globally on the router

Explanation:
Area-level message-digest enables MD5 auth globally for that area; interface key defines the key.

Cisco Explanation:
Global MD5 auth uses area … authentication message-digest plus ip ospf message-digest-key on interfaces. Auth doesn’t encrypt OSPF.

18
Q

What does the local-case keyword indicate in local AAA auth?

a) User access is limited to vty lines

b) Passwords and usernames are case-sensitive

c) AAA is enabled globally on the router

d) A default local database AAA auth is applied to all lines

A

Answer:
b) Passwords and usernames are case-sensitive

Explanation:
local-case forces case-sensitive matching.

Cisco Explanation:
local-case means authentication is case-sensitive; it doesn’t enable/apply AAA by itself.

19
Q

Configuring an AAA server for RADIUS authentication — which two features are included? (Choose two.)

a) Encryption for all communication

b) Hidden passwords during transmission

c) Single process for authentication and authorization

d) Separate processes for authentication and authorization

e) Encryption for only the data

A

Answer:
b) Hidden passwords during transmission
c) Single process for authentication and authorization

Explanation:
RADIUS encrypts only the password and combines auth+authz.

Cisco Explanation:
RADIUS: combines authentication and authorization; encrypts only the password; uses UDP; supports remote-access/802.1X/SIP.

20
Q

Where are lt / gt keywords used in ACLs?

a) In an IPv6 extended ACL that stops packets to one destination VLAN

b) In an IPv4 named standard ACL for specific UDP protocols on a server

c) In an IPv6 named ACL that permits FTP traffic from one LAN to another

d) In an IPv4 extended ACL that allows packets from a range of TCP ports destined for a specific device

A

Answer:
d) In an IPv4 extended ACL that allows packets from a range of TCP ports destined for a specific device

Explanation:
lt / gt specify port comparisons (less-than/greater-than) in extended ACLs.

Cisco Explanation:
Used to define port ranges as less-than or greater-than a particular port.

21
Q

Which feature is unique to IPv6 ACLs when compared to those of IPv4 ACLs?

a) The use of wildcard masks

b) An implicit deny any any statement

c) The use of named ACL statements

d) An implicit permit of neighbor discovery packets

A

Answer:
d) An implicit permit of neighbor discovery packets

Explanation:
IPv6 ACLs include implicit permits for ND (Neighbor Discovery) traffic so basic IPv6 operations function.

Cisco Explanation:
IPv6 ACLs have two implicit permit statements to allow neighbor discovery operations to function on router interfaces.

22
Q

Refer to the exhibit. An extended access list has been created to prevent human resource users from gaining access to the accounting server.

All other network traffic is to be permitted.

When following the ACL configuration guidelines, on which router, interface, and direction should the access list be applied?

a) Router R1, interface S0/1/0, outbound

b) Router R2, interface Gi0/0/1, outbound

c) Router R2, interface Gi0/0/1, inbound

d) Router R1, interface Gi0/0/0, inbound

e) Router R2, interface S0/1/1, inbound

f) Router R1, interface Gi0/0/0, outbound

A

Answer:
d) Router R1, interface Gi0/0/0, inbound

Explanation:
Extended ACLs should be placed close to the source of the traffic being filtered.

Cisco Explanation:
The ACL configuration guidelines recommend placing extended access control lists as close to the source of network traffic as possible and placing standard access control lists as close to the destination of network traffic as possible.

23
Q

Which statement describes packet-filtering vs stateful firewalls (OSI model)?

a) Both can filter at the application layer.

b) Stateful can filter application layer info; packet-filtering cannot beyond network layer.

c) Packet-filtering filters up to transport layer; stateful filters up to session layer.

d) Packet-filtering uses session layer info; stateful uses application layer info to track state.

A

Answer:
c) A packet-filtering firewall typically can filter up to the transport layer, whereas a stateful firewall can filter up to the session layer.

Explanation:
Packet filters use L3/L4 fields; stateful devices track connections (session).

Cisco Explanation:
Packet filtering firewalls handle L3 and sometimes L4; stateful firewalls monitor connections up to the session layer.

24
Q

Which special hardware module, when integrated into ASA, provides advanced IPS features?

a) Content Security and Control (CSC)

b) Advanced Inspection and Prevention (AIP)

c) Advanced Inspection and Prevention Security Services Card (AIP-SSC)

d) Advanced Inspection and Prevention Security Services Module (AIP-SSM)

A

Answer:
d) Advanced Inspection and Prevention Security Services Module (AIP-SSM)

Explanation:
AIP-SSM (and AIP-SSC) deliver enhanced IPS capabilities on ASA.

Cisco Explanation:
ASA threat services use special modules: AIP (advanced IPS), CSC (antimalware), and AIP-SSM/AIP-SSC for IPS against many known exploits.

25
Q

Refer to the exhibit. A network administrator is configuring the security level for the ASA. What is a best practice for assigning the security level on the three interfaces?

a) Outside 0, Inside 35, DMZ 90

b) Outside 40, Inside 100, DMZ 0

c) Outside 0, Inside 100, DMZ 50

d) Outside 100, Inside 10, DMZ 40

A

Answer:
c) Outside 0, Inside 100, DMZ 50

Explanation:
Outside least trusted (0), Inside most trusted (100), DMZ in between.

Cisco Explanation:
The Cisco ASA assigns security levels to distinguish among different networks it connects. Security levels define the level of trustworthiness of an interface. The higher the level, the more trusted the interface. The security level numbers range between 0 (untrustworthy) to 100 (very trustworthy). Therefore, the interface connecting to the Internet should be assigned the lowest level. The interface connecting to the internal network should be assigned the highest level. The interface connecting to the DMZ network should be assigned a level between them.
26
Q

Advantage of a packet filtering firewall vs a high-end appliance?

a) Performs almost all tasks of a high-end firewall at a fraction of the cost.

b) Represents a complete firewall solution.

c) Not susceptible to IP spoofing.

d) Provides an initial degree of security at the data-link and network layer.

A

Answer:
d) Provides an initial degree of security at the data-link and network layer.

Explanation:
Packet filters are simple, low-overhead, and provide baseline security mainly at network layer.

Cisco Explanation:
Advantages: simple permit/deny, low performance impact, easy to implement, initial network-layer security, lower cost than high-end firewalls.
27
Q

Which firewall is commonly part of a router and allows/blocks traffic based on L3/L4 info?

a) Stateless firewall

b) Stateful firewall

c) Proxy firewall

d) Application gateway firewall

A

Answer:
a) Stateless firewall

Explanation:
Router stateless ACL filtering uses packet headers (L3/L4) without state tracking.

Cisco Explanation:
A stateless firewall uses a policy table lookup on L3/L4 fields and is often part of a router firewall.
28
Q

Border router (ISP, DMZ, Inside). Which traffic receives the least inspection (most freedom)?

a) Private → DMZ

b) Public → DMZ

c) Return from DMZ after originating from private

d) Return from public after originating from private

A

Answer:
d) Traffic that is returning from the public network after originating from the private network

Explanation:
Return traffic for established private-initiated sessions typically faces minimal inspection (allowed by state).

Cisco Explanation:
Most enterprise traffic originates internally. Returning traffic for established sessions is commonly allowed with minimal checks.
29
Q

Two benefits of zone-based policy firewall (ZPF)? (Choose two.)

a) Policies are defined exclusively with ACLs.

b) Policies are applied to unidirectional traffic between zones.

c) Policies provide scalability; easy to read/troubleshoot.

d) Any interface can be configured with both ZPF and IOS Classic on same interface.

e) Virtual and physical interfaces are put in different zones to enhance security.

A

Answer:
b) Policies are applied to unidirectional traffic between zones.
c) Policies provide scalability; easy to read and troubleshoot.

Explanation:
ZPF uses zone pairs (one direction) and policy-maps; cleaner and scalable.

Cisco Explanation:
Benefits: not dependent on ACLs, default deny, easier to manage/troubleshoot (scalable), can group interfaces into zones, policies are unidirectional between zones.
30
Q

After creating zones in Cisco IOS ZPF, what is the next step?

a) Design the physical infrastructure.

b) Establish policies between zones.

c) Identify subsets within zones.

d) Assign interfaces to zones.

A

Answer:
b) Establish policies between zones.

Explanation:
ZPF steps: determine zones → policies between zones → design infra → identify subsets.

Cisco Explanation:
Configuration order: 1) determine zones, 2) establish policies, 3) design physical infra, 4) identify subsets.
31
Q

Two shared characteristics of IDS and IPS? (Choose two.)

a) Both are deployed as sensors.

b) Both analyze copies of network traffic.

c) Both use signatures to detect malicious traffic.

d) Both have minimal impact on network performance.

e) Both rely on an additional network device to respond to malicious traffic.

A

Answer:
a) Both are deployed as sensors.
c) Both use signatures to detect malicious traffic.

Explanation:
IDS/IPS both use sensors and signatures; IDS is passive (copies), IPS is inline.

Cisco Explanation:
Both are sensors and use signatures. IDS analyzes copies (minimal impact) and often relies on IPS/firewall to stop traffic.
32
Q

In Cisco IOS ZPF, which two actions can be applied to a traffic class? (Choose two.)

a) Log

b) Hold

c) Drop

d) Inspect

e) Copy

f) Forward

A

Answer:
c) Drop
d) Inspect

Explanation:
ZPF actions: inspect, drop, pass (forward).

Cisco Explanation:
Actions: Inspect (stateful), Drop (default if unmatched), Pass (forward).
33
Q

Match the network security device type with the description.
34
Q

What is a characteristic of an IPS atomic signature?

a) It can be slow and inefficient to analyze traffic.

b) It requires several pieces of data to match an attack.

c) It is a stateful signature.

d) It is the simplest type of signature.

A

Answer:
d) It is the simplest type of signature.

Explanation:
Atomic signatures match from a single packet/event and don’t require state.

Cisco Explanation:
Atomic is simplest; composite is stateful and requires multiple events.
35
Q

Match each IPS signature trigger category with the description.
36
Q

Company worries about stolen laptops: what Windows tool protects data?

a) AMP

b) 802.1X

c) RADIUS

d) BitLocker

A

Answer:
d) BitLocker

Explanation:
BitLocker provides full-disk encryption to protect data at rest.

Cisco Explanation:
Storage can be encrypted to prevent unauthorized access; Windows BitLocker does drive encryption.
37
Q

What protocol encapsulates EAP data between the authenticator and authentication server in 802.1X?

a) RADIUS

b) TACACS+

c) SSH

d) MD5

A

Answer:
a) RADIUS

Explanation:
802.1X uses EAPOL (client–switch) and RADIUS (switch–server).

Cisco Explanation:
Encapsulation of EAP between authenticator and authentication server is via RADIUS.
38
Q

With authentication port-control auto and client not yet authenticated, what traffic can pass?

a) SNMP

b) EAPOL

c) Broadcasts such as ARP

d) Any data encrypted with 3DES or AES

A

Answer:
b) EAPOL

Explanation:
Before auth, only EAPOL (and certain control like CDP/STP) is permitted.

Cisco Explanation:
802.1X prevents unauthorized devices from gaining access to the network. The authentication port-control auto command turns on 802.1X access control. Until the client is authenticated, 802.1X only allows Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic to pass through the port. EAPOL messages are sent between the client and the authenticator such as a switch. If authentication is successful, normal traffic can be sent and received through the port.
39
Q

Which two security features can cause a switch port to become error-disabled? (Choose two.)

a) Root guard

b) PortFast with BPDU guard enabled

c) Protected ports

d) Storm control with the trap option

e) Port security with the shutdown violation mode

A

Answer:
b) PortFast with BPDU guard enabled
e) Port security with the shutdown violation mode

Explanation:
BPDU Guard on PortFast and port-security (shutdown) both trigger error-disable.

Cisco Explanation:
Error-disabled mode is a way for a switch to automatically shut down a port that is causing problems, and usually requires manual intervention from an administrator to restore the port. When port security is configured to use the shutdown violation mode, it will put the port into the error-disabled mode when the maximum number of MAC addresses is exceeded. Likewise, BPDU guard will put the port into error-disabled mode if a BPDU arrives on a PortFast enabled interface. Storm control will only put the port into the error-disabled mode when configured with the shutdown option. The trap option will simply create an SNMP log message.
40
Q

Three techniques for mitigating VLAN hopping? (Choose three.)

a) Disable DTP.

b) Enable trunking manually.

c) Set the native VLAN to an unused VLAN.

d) Enable BPDU guard.

e) Enable Source Guard.

f) Use private VLANs.

A

Answer:
a) Disable DTP
b) Enable trunking manually
c) Set the native VLAN to an unused VLAN

Explanation:
Prevent dynamic trunking and native VLAN misuse to block VLAN hopping.

Cisco Explanation:
Mitigation: disable DTP, set manual trunking, set native VLAN to an unused VLAN.
41
Q

Refer to the exhibit. A network administrator is configuring DAI on switch SW1. What is the result of entering the exhibited commands?

a) DAI will validate both source and destination MAC addresses as well as the IP addresses in the order specified. If all parameters are valid then the ARP packet is allowed to pass.

b) DAI will validate both source and destination MAC addresses as well as the IP addresses in the order specified. When one set of parameters are valid, the ARP packet is allowed to pass.

c) DAI will validate only the destination MAC addresses.

d) DAI will validate only the IP addresses.

A

Answer:
c) DAI will validate only the destination MAC addresses.

Explanation:
DAI can validate IP, src-MAC, dst-MAC; typically a single ip arp inspection validate line sets checks; all specified checks must pass.

Cisco Explanation:
DAI can be configured to check for destination MAC, source MAC, and IP addresses. However, only one ip arp inspection validate command can be configured. Entering multiple ip arp inspection validate commands overwrites the previous command.
42
Q

During a pandemic, which technology ensures confidentiality for employee–HQ communications?

a) A symmetric or asymmetric encryption algorithm such as AES or PKI

b) A hashing algorithm such as MD5

c) A hash message authentication code such as HMAC

d) A hash-generating algorithm such as SHA

A

Answer:
a) A symmetric or asymmetric encryption algorithm such as AES or PKI

Explanation:
VPN encryption (e.g., AES, or PKI-based IPsec) ensures confidentiality.

Cisco Explanation:
MD5/SHA verify integrity; AES (symmetric) or PKI (asymmetric) provide confidentiality. HMAC authenticates the source/integrity.
43
Q

Which cipher played a significant role in World War II?

a) RC4

b) Caesar

c) Enigma

d) One-time pad

A

Answer:
c) Enigma

Explanation:
The Enigma machine was central to WWII cryptography.

Cisco Explanation:
Enigma was an electromechanical device producing the Enigma cipher, used widely during WWII.
44
Q

Method using the fact that some letters are used more often than others: what is it called?

a) Cybertext

b) Meet-in-the-middle

c) Frequency analysis

d) Known-plaintext

A

Answer:
c) Frequency analysis

Explanation:
Counts letter frequencies to crack substitution ciphers.

Cisco Explanation:
Frequency analysis leverages common letter frequencies (E, T, A frequent; J, Q, X, Z rare).
45
Q

Why are DES keys considered weak keys?

a) They are more resource intensive.

b) DES weak keys are difficult to manage.

c) They produce identical subkeys.

d) DES weak keys use very long key sizes.

A

Answer:
c) They produce identical subkeys.

Explanation:
DES has known weak keys where encryption ≈ decryption due to identical subkeys.

Cisco Explanation:
Weak keys reveal regularities; DES has four keys where encryption equals decryption.
46
Q

Refer to the exhibit. A network administrator is configuring an object group on an ASA device. Which configuration keyword should be used after the object group name SERVICE1?

a) ip

b) tcp

c) udp

d) icmp

A

Answer:
b) tcp

Explanation:
Service group with WWW/FTP/SMTP uses TCP.

Cisco Explanation:
Because this is a service object group, the keyword should indicate which protocol is used. The options are tcp, udp, tcp-udp, icmp, and icmpv6. The subsequent commands indicate that the services in the group are WWW, FTP, and SMTP. Because all of these protocols use TCP, the keyword in the service object group should be tcp.
47
Q

How does ASA firewall deployment differ from Cisco IOS router?

a) ASA devices use ACLs that are always numbered.

b) ASA devices do not support an implicit deny within ACLs.

c) ASA devices support interface security levels.

d) ASA devices use ACLs configured with a wildcard mask.

A

Answer:
c) ASA devices support interface security levels.

Explanation:
ASA uses security levels and named ACLs with subnet masks (not wildcards).

Cisco Explanation:
ASA vs IOS: ASA ACLs are named and use subnet masks; ASA supports interface security levels; both have implicit deny.
48
Q

Refer to the exhibit. A network administrator is configuring PAT on an ASA device to enable internal workstations to access the Internet. Which configuration command should be used next?

a) nat (inside,outside) dynamic NET1

b) nat (outside,inside) dynamic NET1

c) nat (inside,outside) dynamic interface

d) nat (outside,inside) dynamic interface

A

Answer:
c) nat (inside,outside) dynamic interface

Explanation:
Dynamic PAT overloading the outside interface address uses dynamic interface.

Cisco Explanation:
nat (inside,outside) dynamic interface overloads the mapped interface IP for inside hosts.
49
Q

Which test uses simulated attacks to assess feasibility and consequences?

a) Penetration testing

b) Network scanning

c) Integrity checking

d) Vulnerability scanning

A

Answer:
a) Penetration testing

Explanation:
Pen tests simulate real attacks to gauge impact.

Cisco Explanation:
Penetration testing determines feasibility and potential consequences; others scan/inventory/verify.
50
Q

What three tasks can Nmap/Zenmap accomplish? (Choose three.)

a) Operating system fingerprinting

b) Assessment of Layer 3 protocol support on hosts

c) Open UDP and TCP port detection

d) Security event analysis and reporting

e) Password recovery

f) Development of IDS signatures

A

Answer:
a) Operating system fingerprinting
b) Assessment of Layer 3 protocol support on hosts
c) Open UDP and TCP port detection

Explanation:
Nmap/Zenmap: port scan, OS detection, protocol/host discovery.

Cisco Explanation:
Nmap is a low-level scanner that performs port scanning (TCP/UDP), system identification, and detects L3 protocols; Zenmap is the GUI.
51
Q

Match the network security testing tool with the correct function. (Not all options are used.)
52
Q

Which two means can be used to try to bypass management of mobile devices? (Choose two.)

a) Using a fuzzer

b) Rooting

c) Jailbreaking

d) Packet sniffing

e) Using a Trojan Horse

A

Answer:
b) Rooting
c) Jailbreaking

Explanation:
Android rooting / iOS jailbreaking subvert MDM/controls.

Cisco Explanation:
Jailbreaking (iOS) and rooting (Android) are corporate security concerns for BYOD.
53
Q

Match the type of cyberattackers to the description. (Not all options are used.)
54
Q

Benefit of VPNs vs growing the physical network?

a) Security

b) Scalability

c) Cost savings

d) Compatibility

A

Answer:
b) Scalability

Explanation:
VPNs scale easily by leveraging the Internet to add users/sites.

Cisco Explanation:
A benefit of VPNs is scalability because organizations can use the Internet and easily add new users without adding significant infrastructure. Security is provided by using encryption and authentication protocols to protect data. Another benefit is compatibility because VPNs can be implemented across a wide variety of WAN connections. Organizations also benefit from cost savings because VPNs reduce connectivity costs while simultaneously increasing remote connection bandwidth.
55
Q

Difference between symmetric and asymmetric encryption algorithms?

a) Symmetric algorithms are hundreds to thousands of times slower.

b) Symmetric algorithms authenticate; asymmetric repudiate messages.

c) Symmetric encrypt; asymmetric decrypt.

d) Symmetric use pre-shared keys; asymmetric use different keys for encrypt/decrypt.

A

Answer:
d) Symmetric encryption algorithms use pre-shared keys. Asymmetric algorithms use different keys to encrypt and decrypt data.

Explanation:
Symmetric = single shared key; asymmetric = public/private pair.

Cisco Explanation:
Asymmetric algorithms use longer keys and are slower; symmetric algorithms are faster and use pre-shared keys.
56
Q

What technology allows users to verify the identity of a website and trust downloaded code?

a) Asymmetric key algorithm

b) Digital signature

c) Encryption

d) Hash algorithm

A

Answer:
b) Digital signature

Explanation:
Code signing and TLS certificates use digital signatures for authenticity/integrity.

Cisco Explanation:
Digital signatures provide assurance of authenticity and integrity of software code.
57
Q

Which two statements describe PKI certificate classes? (Choose two.)

a) A class 0 certificate is for testing purposes.

b) A class 0 certificate is more trusted than a class 1 certificate.

c) The lower the class number, the more trusted the certificate.

d) A class 5 certificate is for users with a focus on verification of email.

e) A class 4 certificate is for online business transactions between companies.

A

Answer:
a) A class 0 certificate is for testing purposes.
e) A class 4 certificate is for online business transactions between companies.

Explanation:
Higher class → more trust. Class 0 testing; 1 email; 2 org identity; 3 server/code; 4 B2B; 5 gov/private.

Cisco Explanation:
A digital certificate class is identified by a number. The higher the number, the more trusted the certificate. The classes include the following:
Class 0 is for testing purposes in which no checks have been performed.
Class 1 is for individuals with a focus on verification of email.
Class 2 is for organizations for which proof of identity is required.
Class 3 is for servers and software signing for which independent verification and checking of identity and authority is done by the issuing certificate authority.
Class 4 is for online business transactions between companies.
Class 5 is for private organizations or governmental security.
58
Q

What is the standard for a public key infrastructure to manage digital certificates?

a) PKI

b) NIST-SP800

c) x.503

d) x.509

A

Answer:
d) x.509

Explanation:
X.509 defines certificate formats/PKI.

Cisco Explanation:
x.509 is the PKI standard; x.500 is for directories.
59
Q

Which two statements describe remote access VPNs? (Choose two.)

a) Used to connect entire networks like branch-to-HQ.

b) End users are not aware that VPNs exist.

c) A leased line is required.

d) Client software is usually required to access the network.

e) Supports telecommuters and mobile users.

A

Answer:
d) Client software is usually required to access the network.
e) Remote access VPNs support the needs of telecommuters and mobile users.

Explanation:
Remote access = client-based for individuals; site-to-site connects networks.

Cisco Explanation:
Remote access VPNs are designed to provide for the needs of telecommuters and mobile users through the use of software that is installed on the client to encrypt and encapsulate the data. Remote access VPNs can be used across a variety of WAN connections. Users must access the client software to initiate the VPN connection.
60
Q

What are two hashing algorithms used with IPsec AH to guarantee authenticity? (Choose two.)

a) MD5

b) SHA

c) AES

d) DH

e) RSA

A

Answer:
a) MD5
b) SHA

Explanation:
AH provides integrity/authenticity using MD5 or SHA.

Cisco Explanation:
The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two popular algorithms used to ensure that data is not intercepted and modified (data integrity and authenticity) are MD5 and SHA.
61
Q

Purpose of configuring multiple crypto ACLs when building a VPN between remote sites?

a) Prevent public users from connecting to the VPN-enabled router.

b) Deny specific network traffic from crossing a VPN.

c) When multiple IPsec protection combinations are chosen, define different traffic types.

d) Define multiple remote peers across the Internet.

A

Answer:
c) When multiple combinations of IPsec protection are being chosen, multiple crypto ACLs can define different traffic types.

Explanation:
Separate crypto ACLs can map different traffic flows to different IPsec policies.

Cisco Explanation:
A crypto ACL defines “interesting traffic.” Multiple ACLs define multiple traffic types with different IPsec protections.
62
Q

Refer to the exhibit. An administrator creates three zones (A, B, and C) in an ASA that filters traffic. Traffic originating from Zone A going to Zone C is denied, and traffic originating from Zone B going to Zone C is denied. What is a possible scenario for Zones A, B, and C?

a) A – DMZ, B – Inside, C – Outside

b) A – Inside, B – DMZ, C – Outside

c) A – Outside, B – Inside, C – DMZ

d) A – DMZ, B – Outside, C – Inside

A

Answer:
d) A – DMZ, B – Outside, C – Inside

Explanation:
Denying DMZ→Inside and Outside→Inside matches standard policy protecting Inside.

Cisco Explanation:
ASA protects Network/Zone C (Inside) from unauthorized access by users on Network/Zone B (Outside). It also denies traffic from Network/Zone A (DMZ) to access Network/Zone C (Inside).
63
Q

Two monitoring tools that capture traffic and forward to monitoring devices? (Choose two.)

a) SIEM

b) Wireshark

c) SNMP

d) SPAN

e) Network tap

A

Answer:
d) SPAN
e) Network tap

Explanation:
SPAN mirrors switch traffic; taps split traffic inline to a monitor.

Cisco Explanation:
A network tap passively splits traffic to an analysis device; SPAN copies frames to a monitor port.
64
Q

What is the IPS detection engine included in the SEC license for 4000 Series ISRs?

a) Security Onion

b) Snort

c) ASDM

d) AMP

A

Answer:
b) Snort

Explanation:
Cisco ISR 4000 w/ SEC license uses Snort as the IPS engine.

Cisco Explanation:
Snort provides IPS detection and enforcement with SEC-licensed ISR 4000s.