CCNA Security v2.0 Practice Final Exam Answers 2017 (100%)

CCNA Security Practice Final Exam Answers

  1. What is the function of the Hashed Message Authentication Code (HMAC) algorithm in setting up an IPsec VPN?

    authenticates the IPsec peers

    guarantees message integrity*

    protects IPsec keys during session negotiation

    creates a secure channel for key negotiation

  2. What ports can receive forwarded traffic from an isolated port that is part of a PVLAN?

    other isolated ports and community ports

    only promiscuous ports*

    all other ports within the same community

    only isolated ports

  3. What is the next step in the establishment of an IPsec VPN after IKE Phase 1 is complete?

    negotiation of the ISAKMP policy

    negotiation of the IPsec SA policy*

    detection of interesting traffic

    authentication of peers

  4. Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.)

    physical security*

    flash security

    remote access security

    operating system security*

    zone isolation

    router hardening*

  5. What is the purpose of AAA accounting?

    to prove users are who they say they are

    to determine which operations the user can perform

    to determine which resources the user can access

    to collect and report data usage*

  6. Refer to the exhibit. Based on the output generated by the show monitor session 1 command, how will SPAN operate on the switch?

    All traffic received on VLAN 10 or transmitted from VLAN 20 is forwarded to FastEthernet 0/1.*

    Native VLAN traffic transmitted from VLAN 10 or received on VLAN 20 is forwarded to FastEthernet 0/1.

    All traffic transmitted from VLAN 10 or received on VLAN 20 is forwarded to FastEthernet 0/1.

    Native VLAN traffic received on VLAN 10 or transmitted from VLAN 20 is forwarded to FastEthernet 0/1.

  7. Refer to the exhibit. The ISAKMP policy for the IKE Phase 1 tunnel was configured, but the tunnel does not yet exist. Which action should be taken next before IKE Phase 1 negotiations can begin?

    Configure the set of encryption and hashing algorithms that will be used to transform the data sent through the IPsec tunnel.

    Bind the transform set with the rest of the IPsec policy in a crypto map​.

    Configure the IPsec tunnel lifetime​.

    Configure an ACL to define interesting traffic.*

  8. On what switch ports should PortFast be enabled to enhance STP stability?

    only ports that are elected as designated ports

    only ports that attach to a neighboring switch

    all trunk ports that are not root ports

    all end-user ports*

  9. What service or protocol does the Secure Copy Protocol rely on to ensure that secure copy transfers are from authorized users?





  10. Which statement accurately describes Cisco IOS Zone-Based Policy Firewall operation?

    The pass action works in only one direction.

    Service policies are applied in interface configuration mode.

    A router interface can belong to multiple zones.

    Router management interfaces must be manually assigned to the self zone.

  11. Which two statements describe the use of asymmetric algorithms? (Choose two.)

    Public and private keys may be used interchangeably.

    If a public key is used to encrypt the data, a public key must be used to decrypt the data.

    If a private key is used to encrypt the data, a public key must be used to decrypt the data.*

    If a public key is used to encrypt the data, a private key must be used to decrypt the data.*

    If a private key is used to encrypt the data, a private key must be used to decrypt the data.

  12. Which interface setting can be configured in ASDM through the Device Setup tab?




    security level*

  13. A security technician uses an asymmetric algorithm to encrypt messages with a private key and then forwards that data to another technician. What key must be used to decrypt this data?

    The public key of the receiver.

    The public key of the sender.*

    The private key of the receiver.

    The private key of the sender.

  14. A network administrator is configuring an AAA server to manage TACACS+ authentication. What are two attributes of TACACS+ authentication? (Choose two.)

    UDP port 1645

    encryption for only the password of a user

    encryption for all communication*

    TCP port 40

    single process for authentication and authorization

    separate processes for authentication and authorization*

  15. What are three characteristics of the RADIUS protocol? (Choose three.)

    utilizes TCP port 49

    is an open IETF standard AAA protocol*

    uses UDP ports for authentication and accounting*

    is widely used in VOIP and 802.1X implementations*

    separates authentication and authorization processes

    encrypts the entire body of the packet

  16. What algorithm is used with IPsec to provide data confidentiality?






  17. When configuring SSH on a router to implement secure network management, a network engineer has issued the login local and transport input ssh line vty commands. What three additional configuration actions have to be performed to complete the SSH configuration? (Choose three.)

    Create a valid local username and password database.*

    Generate the asymmetric RSA keys.*

    Set the user privilege levels.

    Configure role-based CLI access.

    Configure the correct IP domain name.*

    Manually enable SSH after the RSA keys are generated.

  18. What is an advantage of HIPS that is not provided by IDS?

    HIPS protects critical system resources and monitors operating system processes.*

    HIPS deploys sensors at network entry points and protects critical network segments.

    HIPS provides quick analysis of events through detailed logging.

    HIPS monitors network processes and protects critical files.

  19. What technology is used to separate physical interfaces on the ASA 5505 device into different security zones?

    Network Address Translation

    quality of service

    virtual local-area networks*

    access control lists

  20. How are Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) components used conjunctively?

    The IDS blocks offending traffic and the IPS verifies that offending traffic was blocked.

    The IPS will send alert messages when the IDS sends traffic through that is marked as malicious.

    The IPS will block all traffic that the IDS does not mark as legitimate.

    The IDS will send alert messages about “gray area” traffic while the IPS will block malicious traffic.*

  21. What is the result of a DHCP starvation attack?

    Legitimate clients are unable to lease IP addresses.*

    The IP addresses assigned to legitimate clients are hijacked.

    The attacker provides incorrect DNS and default gateway information to clients.

    Clients receive IP address assignments from a rogue DHCP server.

  22. Which router component determines the number of signatures and engines that can be supported in an IPS implementation?

    USB availability

    available memory*

    number of interfaces

    CPU speed

  23. What can be used as an alternative to HMAC?



    symmetric encryption algorithms

    digital signatures*

  24. How can DHCP spoofing attacks be mitigated?

    by disabling DTP negotiations on nontrunking ports

    by implementing port security

    by the application of the ip verify source command to untrusted ports​

    by implementing DHCP snooping on trusted ports*

  25. A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two.)

    single process for authentication and authorization*

    hidden passwords during transmission*

    encryption for only the data

    encryption for all communication

    separate processes for authentication and authorization

  26. A syslog server has received the message shown.

    *Mar 1 00:07:18.783: %SYS-5-CONFIG_I: Configured from console by vty0 (

    What can be determined from the syslog message?

    The message is a normal notification and should not be reviewed.

    The message informs the administrator that a user with an IP address of configured this device remotely.*

    The message is a Log_Alert notification message.

    The message description displays that the console line was accessed locally.

  27. What is the default preconfigured security level for the outside network interface on a Cisco ASA 5505?





  28. What term describes a set of rules used by an IDS or IPS to detect typical intrusion activity?




    event file

  29. Which type of VLAN-hopping attack may be prevented by designating an unused VLAN as the native VLAN?

    VLAN double-tagging*

    DHCP starvation

    DHCP spoofing

    DTP spoofing

  30. Which statement describes the Cisco Cloud Web Security?

    It is a secure web server specifically designed for cloud computing.

    It is a cloud-based security service to scan traffic for malware and policy enforcement.*

    It is an advanced firewall solution to guard web servers against security threats.

    It is a security appliance that provides an all-in-one solution for securing and controlling web traffic.

  31. Why is Diffie-Hellman algorithm typically avoided for encrypting data?

    DH runs too quickly to be implemented with a high level of security.

    Most data traffic is encrypted using asymmetrical algorithms.

    The large numbers used by DH make it too slow for bulk data transfers.*

    DH requires a shared key which is easily exchanged between sender and receiver.

  32. What information does the SIEM network security management tool provide to network administrators?

    real time reporting and analysis of security events*

    assessment of system security configurations

    a map of network systems and services

    detection of open TCP and UDP ports

  33. What can be configured as part of a network object?

    interface type

    IP address and mask*

    upper layer protocol

    source and destination MAC address

  34. A user complains about not being able to gain access to the network. What command would be used by the network administrator to determine which AAA method list is being used for this particular user as the user logs on?

    debug aaa accounting

    debug aaa authorization

    debug aaa authentication*

    debug aaa protocol

  35. What is a limitation to using OOB management on a large enterprise network?

    Production traffic shares the network with management traffic.

    Terminal servers can have direct console connections to user devices needing management.

    OOB management requires the creation of VPNs.

    All devices appear to be attached to a single management network.*

  36. A company deploys a network-based IPS. Which statement describes a false negative alarm that is issued by the IPS sensor?

    A normal user packet passes and no alarm is generated.

    A normal user packet passes and an alarm is generated.

    An attack packet passes and an alarm is generated.

    An attack packet passes and no alarm is generated.*

  37. What type of ACL offers greater flexibility and control over network access?


    named standard


    numbered standard

  38. Which security document includes implementation details, usually with step-by-step instructions and graphics?

    overview document

    procedure document*

    guideline document

    standard document

  39. What is a characteristic of a DMZ zone?

    Traffic originating from the inside network going to the DMZ network is not permitted.

    Traffic originating from the outside network going to the DMZ network is selectively permitted.*

    Traffic originating from the DMZ network going to the inside network is permitted.

    Traffic originating from the inside network going to the DMZ network is selectively permitted.

  40. Which type of ASDM connection would provide secure remote access for remote users into corporate networks?

    ASDM Launcher

    AnyConnect SSL VPN*

    site-to-site VPN

    Java Web Start VPN

  41. Which three forwarding plane services and functions are enabled by the Cisco AutoSecure feature?

    ​ (Choose three.)

    secure SSH access

    Cisco IOS firewall inspection*

    Cisco Express Forwarding (CEF)*

    traffic filtering with ACLs*

    secure password and login functions

    legal notification using a banner

  42. Which feature of the Cisco Network Foundation Protection framework prevents a route processor from being overwhelmed by unnecessary traffic?

    Control Plane Policing*

    IP Source Guard

    port security

    access control lists

  43. What three tasks can a network administrator accomplish with the Nmap and Zenmap security testing tools? (Choose three.)

    open UDP and TCP port detection*

    operating system fingerprinting*

    password recovery

    security event analysis and reporting

    assessment of Layer 3 protocol support on hosts*

    development of IDS signatures

  44. What is a characteristic of an ASA site-to-site VPN?

    ASA site-to-site VPNs create a secure single-user-to-LAN connection.

    The IPsec protocol protects the data transmitted through the site-to-site tunnel.*

    ASA site-to-site VPNs can only be established between ASA devices.​

    The first echo request packet sent to test the establishment of the tunnel always succeeds.

  45. What is a result of enabling the Cisco IOS image resilience feature?

    Secured files can be viewed in the output of a CLI-issued command.

    Multiple primary bootset files can be accessed.

    The feature can only be disabled through a console session.*

    Images on a TFTP server can be secured.

  46. What does the keyword default specify when used with the aaa authentication login command?

    Authentication must be specifically set for all lines, otherwise access is denied and no authentication is performed.

    Authentication is automatically enabled for the vty lines utilizing the enable password.

    The local username/password database is accessed for authentication.

    Authentication is automatically applied to the con 0, aux, and vty lines.*

  47. What are two protocols that are used by AAA to authenticate users against a central database of usernames and password? (Choose two.)







  48. Which service should be disabled on a router to prevent a malicious host from falsely responding to ARP requests with the intent to redirect the Ethernet frames?


    reverse ARP

    proxy ARP*


  49. What is a characteristic of asymmetric algorithms?

    Key management is more difficult with asymmetric algorithms than it is with symmetric algorithms.

    Very long key lengths are used.*

    Both the sender and the receiver know the key before communication is shared.

    Asymmetric algorithms are easier for hardware to accelerate.

  50. What are two drawbacks in assigning user privilege levels on a Cisco router? (Choose two.)

    Only a root user can add or remove commands.

    Privilege levels must be set to permit access control to specific device interfaces, ports, or slots.

    Assigning a command with multiple keywords allows access to all commands using those keywords.*

    Commands from a lower level are always executable at a higher level.*

    AAA must be enabled.

Notify of

Inline Feedbacks
View all comments