2015-11-13

Understanding Network and Information Security Basics
1. Which security term refers to a person, property, or data of value to a company?
a. Risk
b. Asset
c. Threat prevention
d. Mitigation technique

2. Which asset characteristic refers to risk that results from a threat and lack of a countermeasure?
a. High availability
b. Liability
c. Threat prevention
d. Vulnerability

3. Which three items are the primary network security objectives for a company?
a. Revenue generation
b. Confidentiality
c. Integrity
d. Availability

4. Which data classification label is usually not found in a government organization?
a. Unclassified
b. Classified but not important
c. Sensitive but unclassified
d. For official use only
e. Secret

5. Which of the following represents a physical control?
a. Change control policy
b. Background checks
c. Electronic lock
d. Access lists

6. What is the primary motivation for most attacks against networks today?
a. Political
b. Financial
c. Theological
d. Curiosity

7. Which type of an attack involves lying about the source address of a frame or packet?
a. Man-in-the-middle attack
b. Denial-of-service attack
c. Reconnaissance attack
d. Spoofing attack

8. Which two approaches to security provide the most secure results on day one?
a. Role based
b. Defense in depth
c. Authentication
d. Least privilege

9. Which of the following might you find in a network that is based on a defense-indepth
security implementation? (Choose all that apply.)
a. Firewall
b. IPS
c. Access lists
d. Current patches on servers

10. In relation to production networks, which of the following are viable options when
dealing with risk? (Choose all that apply.)
a. Ignore it
b. Transfer it
c. Mitigate it
d. Remove it

Network Security Threat Landscape
1. Which of the following is not a motivation of malicious actors?
a. Disruption
b. Bug bounty awards
c. Financial
d. Geopolitical

2. Which of the following is not considered a type of DDoS attack?
a. Directed
b. Cached
c. Reflected
d. Amplified

3. Why is UDP the “protocol of choice” for reflected DDoS attacks?
a. There are more application choices when using UDP.
b. UDP requires a three-way handshake to establish a connection.
c. UDP is much more easily spoofed.
d. TCP cannot be used in DDoS attacks.

4. Which of the following is leveraged in social engineering?
a. Software vulnerabilities
b. Human nature
c. Protocol violations
d. Application issues

5. Which of the following is not a form of social engineering?
a. Phone scams
b. Phishing
c. Denial of service (DoS)
d. Malvertising

6. Which of the following is not a valid defense against social engineering?
a. Two-factor authentication
b. Information classification
c. Infrastructure hardening
d. Physical security

7. Which tool provides the most granular information to help in the identification of
malware?
a. NetFlow
b. Syslog
c. Packet capture
d. Server logs

8. NetFlow provides which of the following?
a. Detailed data about each packet on the network
b. Troubleshooting messages about the network devices
c. Information on the types of traffic traversing the network
d. Network names of routers, end hosts, servers

9. Which of the following is not used for identification of malware on the network?
a. NetFlow
b. IPS events
c. Routing Information Base (RIB)
d. Packet captures

10. Which type of data is not often attractive to malicious actors?
a. Personally identifiable information (PII)
b. Training schedules
c. Credit and debit card data
d. Intellectual property (IP)

Cisco Secure ACS, RADIUS, and TACACS
1. Which of the following are most likely to be used for authentication of a network
administrator accessing the CLI of a Cisco router? (Choose all that apply.)
a. TACACS+
b. Diameter
c. RADIUS
d. ACS

2. Which of the following allows for granular control related to authorization of specific
Cisco IOS commands that are being attempted by an authenticated and authorized
Cisco router administrator?
a. RADIUS
b. Diameter
c. TACACS+
d. ISE

3. Which devices or users would be clients of an ACS server? (Choose all that apply.)
a. Routers
b. Switches
c. VPN users
d. Administrators

4. On the router, what should be created and applied to a vty line to enforce a specific
set of methods for identifying who a user is?
a. RADIUS server
b. TACACS+ server
c. Authorization method list
d. Authentication method list

5. What is the minimum size for an effective TACACS+ group of servers?
a. 1
b. 2
c. 5
d. 6

6. With what can you configure AAA on the router? (Choose all that apply.)
a. ACS
b. CCP
c. CLI
d. TACACS+

7. Which statement is true for ACS 5.x and later?
a. User groups are nested in network device groups.
b. Authorization policies can be associated with user groups that are accessing specific
network device groups.
c. There must be at least one user in a user group.
d. User groups can be used instead of device groups for simplicity.

8. Where in the ACS do you go to create a new group of administrators?
a. Users and Identity Stores > Identity Groups
b. Identity Stores > Identity Groups
c. Identity Stores and Groups > Identity Groups
d. Users and Groups > Identity Groups

9. From the router, which method tests the most about the ACS configuration, without
forcing you to log in again at the router?
a. ping
b. traceroute
c. test aaa
d. telnet

10. Which of the following could likely cause an ACS authentication failure, even when
the user is using the correct credentials? (Choose all that apply.)
a. Incorrect secret on the ACS
b. Incorrect IP address of the ACS configured on the router
c. Incorrect routing
d. Incorrect filtering between the ACS and the router

Bring Your Own Device Fundamentals
1. Which of the following is not a business driver for a BYOD solution?
a. Need for employees to work anywhere and anytime
b. Increase in the type of devices needed and used by employees to connect to the
corporate network
c. The lack of IPv4 address space
d. Fluidity of today’s work schedules

2. Which component provides Wi-Fi access for employees in home offices, branch
offices, and on the corporate campus?
a. WLAN controllers (WLC)
b. Cisco AnyConnect Client
c. Wireless access points (AP)
d. Identity Services Engine (ISE)

3. The Identity Services Engine (ISE) provides which of the following?
a. Access, authentication, accounting
b. Authentication, authorization, accounting
c. Access, authorization, accounting
d. Authentication, authorization, access

4. Which of the following is not enabled through the use of the Cisco AnyConnect Client?
a. 802.1X
b. VPN
c. AAA
d. Posture checking

5. The purpose of the RSA SecurID server/application is to provide what?
a. Authentication, authorization, accounting (AAA) functions
b. One-time password (OTP) capabilities
c. 802.1X enforcement
d. VPN access

6. The purpose of the certificate authority (CA) is to ensure what?
a. BYOD endpoints are posture checked
b. BYOD endpoints belong to the organization
c. BYOD endpoints have no malware installed
d. BYOD users exist in the corporate LDAP directory

7. What is the primary purpose of the Integrated Services Routers (ISR) in the BYOD
solution?
a. Provide connectivity in the home office environment back to the corporate campus
b. Provide WAN and Internet access for users on the corporate campus
c. Enforce firewall-type filtering in the data center
d. Provide connectivity for the mobile phone environment back to the corporate
campus

8. Which is not a function of mobile device management (MDM)?
a. Enforce strong passwords on BYOD devices
b. Deploy software updates to BYOD devices
c. Remotely wipe data from BYOD devices
d. Enforce data encryption requirements on BYOD devices

9. Which is not an advantage of an On-Premise MDM solution?
a. Higher level of control over the BYOD solution
b. Ease of deployment and operation of the BYOD solution
c. Ability to meet regulatory requirements
d. Security of the overall BYOD solution

10. Which is not an advantage of a cloud-based MDM solution?
a. Scalability of the MDM solution
b. Security of the overall MDM solution
c. Flexibility in deploying the MDM solution
d. Speed of deployment of MDM solution

Fundamentals of VPN Technology and Cryptography
1. What algorithms in a VPN provide the confidentiality? (Choose all that apply.)
a. MD5
b. SHA-1
c. AES
d. 3DES

2. A remote user needs to access the corporate network from a hotel room from a laptop.
What type of VPN is used for this?
a. Site-to-site VPN
b. Dial-up VPN
c. PPP VPN
d. Remote-access VPN

3. Which type of VPN technology is likely to be used in a site-to-site VPN?
a. SSL
b. TLS
c. HTTPS
d. IPsec

4. Which two of the following are benefits of VPNs?
a. Hashing
b. Confidentiality
c. Diffie-Hellman
d. Data integrity

5. Which of the following are symmetrical encryption ciphers? (Choose all that apply.)
a. SHA1
b. AES
c. RSA
d. 3DES

6. What is the primary difference between a hash and Hashed Message Authentication
Code (HMAC)?
a. Keys
b. MD5
c. SHA1
d. AES

7. What is used to encrypt the hash in a digital signature?
a. Sender’s public key
b. Sender’s private key
c. Receiver’s public key
d. Receiver’s private key

8. What are valid options to protect data in motion with or without a full VPN? (Choose
all that apply.)
a. TLS
b. SSL
c. HTTPS
d. IPsec

9. Why is the public key in a typical public-private key pair referred to as public?
a. Because the public already has it.
b. Because it is shared publicly.
c. Because it is a well-known algorithm that is published.
d. The last name of the creator was publica, which is Latin for public.

10. What is the key component used to create a digital signature?
a. Ink
b. Public key
c. Private key
d. AES

11. What is the key component used to verify a digital signature?
a. Sender’s public key
b. Receiver’s public key
c. AES
d. One-time PAD

12. What is another name for a hash that has been encrypted with a private key?
a. MD5
b. SHA-1
c. AES
d. Digital signature

13. What are the primary responsibilities for a certificate authority (CA)? (Choose all that
apply.)
a. Verification of certificates
b. Issuing identity certificates
c. Maintaining client’s private keys
d. Tracking identity certificates

14. Which of the following is not a way for a client to check to see whether a certificate
has been revoked?
a. Look at the lifetime of the certificate itself
b. CRL
c. OSCP
d. LDAP

15. Which of the following could be found in a typical identity certificate? (Choose all
that apply.)
a. CRL locations
b. Validity date
c. Public key of the certificate owner
d. Serial number

16. Which standard format is used to request a digital certificate from a CA?
a. PKCS#7
b. PKCS#10
c. LDAP
d. TLS/SSL/HTTPS

17. When obtaining the initial root certificate, what method should be used for validation
of the certificate?
a. Sender’s public key
b. Telephone
c. HTTPS/TLS/SSL
d. Receiver’s private key

18. Which method, when supported by both the client and the CA, is the simplest to use
when implementing identity certificates on the client?
a. PKCS#7
b. PKCS#10
c. SCEP
d. LDAP

Fundamentals of IP Security
1. Which technology is a primary method that IPsec uses to implement data integrity?
a. MD5
b. AES
c. RSA
d. DH

2. What are the source and destination addresses used for an encrypted IPsec packet?
a. Original sender and receiver IP addresses
b. Original sender’s and outbound VPN gateway’s addresses
c. Sending and receiving VPN gateways
d. Sending VPN gateway and original destination address in the packet

3. Which phase is used for private management traffic between the two VPN peers?
a. IPsec
b. IKE Phase 1
c. IKE Phase 2
d. IKE Phase 3

4. Which of the following are negotiated during IKE Phase 1?
a. Hashing
b. DH group
c. Encryption
d. Authentication method

5. What method is used to allow two VPN peers to establish shared secret keys and to
establish those keys over an untrusted network?
a. AES
b. SHA
c. RSA
d. DH

6. Which of the following is not part of the IKE Phase 1 process?
a. Negotiation of the IKE Phase 1 protocols
b. Running DH
c. Authenticating the peer
d. Negotiating the transform set to use

7. How is the negotiation of the IPsec (IKE Phase 2) tunnel done securely?
a. Uses the IKE Phase 1 tunnel
b. Uses the IPsec tunnel
c. Uses the IKE Phase 2 tunnel
d. Uses RSA

8. What are the two main methods for authenticating a peer as the last step of IKE Phase
1? (Choose all that apply.)
a. RSA signatures, using digital certificates to exchange public keys
b. PSK (pre-shared key)
c. DH Group 2
d. TCP three-way handshake

9. Which component acts as an if-then statement, looking for packets that should be
encrypted before they leave the interface?
a. crypto isakmp policy
b. crypto map
c. crypto ipsec transform-set
d. crypto access-list (access list used for cryptography)

10. What is true about symmetrical algorithms and symmetrical crypto access lists used
on VPN peers?
a. Symmetrical algorithms use the same secret (key) to lock and unlock the data.
Symmetrical ACLs between two VPN peers should symmetrically swap the
source and destination portions of the ACL.
b. Symmetrical algorithms like RSA use the same secret (key) to lock and unlock the
data. Symmetrical ACLs between two VPN peers should symmetrically swap the
source and destination portions of the ACL.
c. Symmetrical algorithms use the same secret (key) to lock and unlock the data.
Symmetrical ACLs between two VPN peers should be identical.
d. Symmetrical algorithms use the same secret (key) to lock and unlock the data.
Symmetrical ACLs between two VPN peers require that only symmetrical algorithms
be used for all aspects of IPsec.

11. Which one of the following commands reveal the ACLs, transform sets, and peer
information and indicate which interface is being used to connect to the remote IPsec
VPN peer?
a. show crypto map
b. show crypto isakmp policy
c. show crypto config
d. show crypto ipsec sa

Implementing IPsec Site-to-Site VPNs
1. Which of the following could be part of both an IKEv1 Phase 1 and IKEv1 Phase 2
policy? (Choose all that apply.)
a. MD5
b. AES
c. RSA
d. DH

2. How is it possible that a packet with a private Layer 3 destination address is forwarded
over the Internet?
a. It is encapsulated into another packet, and the Internet only sees the outside valid
IP destination address.
b. It cannot be sent. It will always be dropped.
c. The Internet does not filter private addresses, only some public addresses, based
on policy.
d. NAT is used to change the destination IP address before the packet is sent.

3. What is the method for specifying the IKEv1 Phase 2 encryption method?
a. Crypto ACLs
b. crypto isakmp policy
c. crypto ipsec transform-set
d. RSA signatures

4. Which of the following potentially could be negotiated during IKEv1 Phase 2?
(Choose all that apply.)
a. Hashing
b. DH group
c. Encryption
d. Authentication method

5. Which of the DH groups is the most prudent to use when security is of the utmost
importance?
a. 1
b. 2
c. 5
d. 6

6. Which of the following is never part of an IKEv1 Phase 2 process?
a. Main mode
b. Specifying a hash (HMAC)
c. Running DH (PFS)
d. Negotiating the transform set to use

7. Which encryption method will be used to protect the negotiation of the IPsec (IKEv1
Phase 2) tunnel?
a. The one negotiated in the transform set.
b. The one negotiated for the IKEv1 Phase 2 tunnel.
c. The one negotiated in the ISAKMP policy.
d. There is no encryption during this time; that is why DH is used.

8. Which is the most secure method for authentication of IKEv1 Phase 1?
a. RSA signatures, using digital certificates to exchange public keys
b. PSK
c. DH group 5
d. Symmetrical AES-256

9. Which component is not placed directly in a crypto map?
a. Authentication policy
b. ACL
c. Transform set
d. PFS

10. Which of the following would cause a VPN tunnel using IPsec to never initialize or
work correctly? (Choose all that apply.)
a. Incompatible IKEv1 Phase 2 transform sets
b. Incorrect pre-shared keys or missing digital certificates
c. Lack of interesting traffic
d. Incorrect routing

11. Which of the following IKE versions are supported by the Cisco ASA? (Choose all
that apply.)
a. IKEv1
b. IKEv2
c. IKEv3
d. IKEv4

12. What is the purpose of NAT exemption?
a. To bypass NAT in the remote peer
b. To bypass NAT for all traffic not sent over the IPsec tunnel
c. To bypass NAT for traffic in the VPN tunnel
d. To never bypass NAT in the local or remote peer

13. Which of the following commands are useful when troubleshooting VPN problems in
the Cisco ASA? (Choose all that apply.)
a. show isakmp sa detail
b. debug crypto ikev1 | ikev2
c. show crypto ipsec sa detail
d. show vpn-sessiondb

14. (True or False) The Cisco ASA cannot be configured with more than one IKEv1 or
IKEv2 policy.
a. True
b. False

Implementing SSL VPNs Using Cisco ASA
1. Which SSL solution is most appropriate for a remote user who is at a borrowed computer
and needs access to a single server at the central office?
a. SSL thin client
b. SSL clientless VPN
c. Cisco AnyConnect Secure Mobility Client SSL VPN client
d. IPsec VPN client

2. Which of the following solutions assigns a virtual IP address to the remote user to use
for traffic sent over the SSL VPN to the server?
a. SSL thin client
b. SSL clientless VPN
c. Cisco AnyConnect Secure Mobility Client
d. IPsec VPN client

3. What is the immediate cost savings when implementing SSL VPNs?
a. No licensing is required on the server.
b. No licensing is required on the clients.
c. Easy deployment.
d. SSL VPN licenses are significantly less expensive on the server than IPsec
licenses.

4. How does an SSL client send the desired shared secret to the server?
a. AES.
b. Encrypts it with the server’s public key.
c. Encrypts it with the sender’s public key.
d. They use DH to negotiate the shared secret.

5. Which of the following is not part of configuring the clientless SSL VPN on the ASA?
a. Launching the wizard
b. Specifying the URL
c. Configuring bookmarks
d. Configuring a pool of IP addresses for the remote users to use

6. What may be the potential problem when enabling SSL VPNs on an interface on the
ASA?
a. ASDM is now disabled on that interface.
b. ASDM must be additionally configured with a custom port.
c. ASDM must be used with a different URL.
d. ASDM is not affected because it does not connect on port TCP:443.

7. Which of the following steps is configured when setting up Cisco AnyConnect Secure
Mobility Client on the ASA that would not be configured for clientless SSL VPN?
(Choose all that apply.)
a. NAT exemption
b. Pool of addresses
c. Connection profile
d. Authentication method

8. Where does the ASA keep the copy of the Cisco AnyConnect Secure Mobility Client
that may be deployed down to the client?
a. On an HTTPS server only
b. On flash
c. On an SFTP server only
d. On NVRAM

9. Which of the following are common issues that users experience when they cannot
send or receive IP traffic over an SSL VPN tunnel? (Choose all that apply).
a. Routing issues behind the ASA
b. Access control lists blocking traffic
c. Too much traffic for the VPN tunnel size
d. Network Address Translation not being bypassed for VPN traffic

Securing Layer 2 Technologies
1. Which is the primary Layer 2 mechanism that allows multiple devices in the same
VLAN to communicate with each other even though those devices are physically connected
to different switches?
a. IP address
b. Default gateway
c. Trunk
d. 802.1D

2. How does a switch know about parallel Layer 2 paths?
a. 802.1Q
b. BPDU
c. CDP
d. NTP

3. When implemented, which of the following helps prevent CAM table overflows?
a. 802.1w
b. BPDU Guard
c. Root Guard
d. Port security

4. Which of the following is not a best practice for security?
a. Leaving the native VLAN as VLAN 1
b. Shutting down all unused ports and placing them in an unused VLAN
c. Limiting the number of MAC addresses learned on a specific port
d. Disabling negotiation of switch port mode

5. What is the default number of MAC addresses allowed on a switch port that is configured
with port security?
a. 1
b. 5
c. 15
d. Depends on the switch model

6. Which two items normally have a one-to-one correlation?
a. VLANs
b. Classful IP networks
c. IP subnetworks
d. Number of switches
e. Number of routers

7. What is a typical method used by a device in one VLAN to reach another device in a
second VLAN?
a. ARP for the remote device’s MAC address
b. Use a remote default gateway
c. Use a local default gateway
d. Use trunking on the PC

8. Which two configuration changes prevent users from jumping onto any VLAN they
choose to join?
a. Disabling negotiation of trunk ports
b. Using something else other than VLAN 1 as the “native” VLAN
c. Configuring the port connecting to the client as a trunk
d. Configuring the port connecting to the client as an access port

9. If you limit the number of MAC addresses learned on a port to five, what benefits do
you get from the port security feature? (Choose all that apply.)
a. Protection for DHCP servers against starvation attacks
b. Protection against IP spoofing
c. Protection against VLAN hopping
d. Protection against MAC address spoofing
e. Protection against CAM table overflow attacks

10. Why should you implement Root Guard on a switch?
a. To prevent the switch from becoming the root
b. To prevent the switch from having any root ports
c. To prevent the switch from having specific root ports
d. To protect the switch against MAC address table overflows

11. Why should CDP be disabled on ports that face untrusted networks?
a. CDP can be used as a DDoS vector.
b. CDP can be used as a reconnaissance tool to determine information about the
device.
c. Disabling CDP will prevent the device from participating in spanning tree with
untrusted devices.
d. CDP can conflict with LLDP on ports facing untrusted networks.

12. Which of the following is not a true statement for DHCP snooping?
a. DHCP snooping validates DHCP messages received from untrusted sources and
filters out invalid messages
b. DHCP snooping information is stored in a binding database.
c. DHCP snooping is enabled by default on all VLANs.
d. DHCP snooping rate-limits DHCP traffic from trusted and untrusted sources.

13. Which of the following is not a true statement regarding dynamic ARP inspection (DAI)?
a. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address
bindings.
b. DAI helps to mitigate MITM attacks.
c. DAI determines validity of ARP packets based on IP-to-MAC address bindings
found in the DHCP snooping database.
d. DAI is enabled on a per-interface basis.

Network Foundation Protection
1. Which of the following is not a core element addressed by NFP (Network Foundation
Protection)?
a. Management plane
b. Control plane
c. Data plane
d. Executive plane

2. If you add authentication to your routing protocol so that only trusted authorized
routers share information, which plane in the NFP are you securing?
a. Management plane
b. Control plane
c. Data plane
d. Executive plane

3. If you use authentication and authorization services to control which administrators
can access which networked devices and control what they are allowed to do, which
primary plane of NFP are you protecting?
a. Management plane
b. Control plane
c. Data plane
d. Executive plane

4. Which of the following is not a best practice to protect the management plane?
(Choose all that apply.)
a. HTTP
b. Telnet
c. HTTPS
d. SSH

5. Which of the following is a way to implement role-based access control related to the
management plane? (Choose all that apply.)
a. Views
b. AAA services
c. Access lists
d. IPS

6. What do CoPP and CPPr have in common? (Choose all that apply.)
a. They both focus on data plane protection.
b. They both focus on management plane protection.
c. They both focus on control plane protection.
d. They both can identify traffic destined for the router that will likely require direct
CPU resources to be used by the router.

7. Which type of attack can you mitigate by authenticating a routing protocol? (Choose
all that apply.)
a. Man-in-the-middle attack
b. Denial-of-service attack
c. Reconnaissance attack
d. Spoofing attack

8. What is a significant difference between CoPP and CPPr?
a. One works at Layer 3, and the other works at Layer 2.
b. CPPr can classify and act on more-specific traffic than CoPP.
c. CoPP can classify and act on more-specific traffic than CPPr.
d. One protects the data plane, and the other protects the management plane.

9. Which of the following enables you to protect the data plane?
a. IOS zone-based firewall
b. IPS
c. Access lists
d. Port security

10. DHCP snooping protects which component of NFP?
a. Management plane
b. Control plane
c. Data plane
d. Executive plane

Securing the Management Plane on Cisco IOS Devices
1. Which one of the following follows best practices for a secure password?
a. ABC123!
b. SlE3peR1#
c. tough-passfraze
d. InterEstIng-PaSsWoRd

2. When you connect for the first time to the console port on a new router, which privilege
level are you using initially when presented with the command-line interface?
a. 0
b. 1
c. 15
d. 16

3. Which of the following is not impacted by a default login authentication method list?
a. AUX line
b. HDLC interface
c. Vty line
d. Console line

4. You are trying to configure a method list, and your syntax is correct, but the command
is not being accepted. Which of the following might cause this failure? (Choose
all that apply.)
a. Incorrect privilege level
b. AAA not enabled
c. Wrong mode
d. Not allowed by the view

5. Cisco recommends which version of Simple Network Management Protocol (SNMP)
on your network if you need it?
a. Version 1
b. Version 2
c. Version 3
d. Version 4

6. How can you implement role-based access control (RBAC)? (Choose all that apply.)
a. Provide the password for a custom privilege level to users in a given role
b. Associate user accounts with specific views
c. Use access lists to specify which devices can connect remotely
d. Use AAA to authorize specific users for specific sets of permissions

7. Which of the following indirectly requires the administrator to configure a hostname?
a. Telnet
b. HTTP
c. HTTPS
d. SSH

8. What are the two primary benefits of using NTP along with a syslog server? (Choose
all that apply.)
a. Correlation of syslog messages from multiple different devices
b. Grouping of syslog messages into summary messages
c. Synchronization in the sending of syslog messages to avoid congestion
d. Accurate accounting of when a syslog message occurred

9. Which of the following commands result in a secure bootset? (Choose all that apply.)
a. secure boot-set
b. secure boot-config
c. secure boot-files
d. secure boot-image

10. What is a difference between a default and named method list?
a. A default method list can contain up to four methods.
b. A named method list can contain up to four methods.
c. A default method list must be assigned to an interface or line.
d. A named method list must be assigned to an interface or line.

Securing the Data Plane in IPv6
1. Which of the following are the valid first four characters of a globally routable IPv6
address? (Choose all that apply.)
a. 1234
b. 2345
c. 3456
d. 4567

2. Which of the following are the valid first four characters of a link-local address?
a. FE80
b. FF02
c. 2000
d. 3000

3. What is the default method for determining the interface ID for a link-local address on
Ethernet?
a. EUI-64
b. MAC address with FFFE at the end
c. MAC address with FFFE at the beginning
d. Depends on the network address being connected to

4. How many groups of four hexadecimal characters does an IPv6 address contain?
a. 4
b. 8
c. 16
d. 32

5. Which of the following routing protocols have both an IPv4 and IPv6 version?
(Choose all that apply.)
a. Routing Information Protocol
b. Enhanced Interior Gateway Routing Protocol
c. Open Shortest Path First
d. Interior Gateway Routing Protocol

6. Which best practices apply to networks that run both IPv4 and IPv6? (Choose all that
apply.)
a. Physical security
b. Routing protocol authentication
c. Authorization of administrators
d. Written security policy

7. Which of protocols, if abused, could impair an IPv6 network, but not IPv4? (Choose
all that apply.)
a. ARP
b. NDP
c. Broadcast addresses
d. Solicited node multicast addresses

8. If a rogue IPv6 router is allowed on the network, which information could be incorrectly
delivered to the clients on that network? (Choose all that apply.)
a. IPv6 default gateway
b. IPv6 DNS server
c. IPv6 network address
d. IPv6 ARP mappings

9. Why is tunneling any protocol (including IPv6) through another protocol a security
risk?
a. The innermost contents of the original packets may be hidden from normal security
filters.
b. The tunnels, if they extend beyond the network perimeter, may allow undesired
traffic through the tunnel.
c. Functionality might need to be sacrificed when going through a tunnel.
d. Quality of service, for the underlying protocol, might be compromised.

10. What is one method to protect against a rogue IPv6 router?
a. Port security
b. Static ARP entries
c. DHCPv6
d. RA guard

Securing Routing Protocols and the Control Plane
1. Control plane packets are handled by which of the following?
a. Ingress Interface
b. CPU
c. Management Interface
d. SNMP Interface

2. Which of the following functions is not handled by the control plane?
a. BGP
b. RSVP
c. SSH
d. ICMP

3. Which command provides information on receive adjacency traffic?
a. show ip bgp
b. show processes cpu
c. show interfaces summary
d. show ip cef

4. Control plane policing helps to protect the CPU by doing what?
a. Diverting all control plane traffic to the data and management planes
b. Filtering and rate-limiting traffic destined to the control plane
c. Rate-limiting SNMP traffic to reduce the impact on the CPU
d. Throttling all traffic ingressing the device during heavy traffic periods until the
CPU performance has improved

5. In the following CoPP access control list example, which traffic is being prevented
from reaching the control plane?
Extended IP access list 123
10 deny tcp 192.168.1.0 0.0.0.255 any eq telnet
20 deny udp 192.168.1.0 0.0.0.255 any eq domain
30 permit tcp any any eq telnet
40 permit udp any any eq domain
50 deny ip any any
a. Telnet traffic from the 192.168.1.0/24
b. Telnet and DNS traffic from outside the 192.168.1.0./24 subnet
c. Telnet and DNS traffic from the 192.168.1.0/24 subnet
d. DNS traffic from the 192.168.1.0/24 subnet

6. Which of the following is not a subinterface that can be leveraged as part of control
plane protection?
a. Host subinterface
b. Frame Relay subinterface
c. CEF-Exception subinterface
d. Transit subinterface

7. Which line in the following OSPF configuration will not be required for MD5 authentication
to work?
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CCNA
!
router ospf 65000
router-id 192.168.10.1
area 20 authentication message-digest
network 10.1.1.0 0.0.0.255 area 10
network 192.168.10.0 0.0.0.255 area 0
!
a. ip ospf authentication message-digest
b. network 192.168.10.0 0.0.0.255 area 0
c. area 20 authentication message-digest
d. ip ospf message-digest-key 1 md5 CCNA

8. Which of the following pairs of statements is true in terms of configuring MD authentication?
a. Interface statements (OSPF, EIGRP) must be configured; use of key chain in OSPF
b. Router process (OSPF, EIGRP) must be configured; key chain in EIGRP
c. Router process (only for OSPF) must be configured; key chain in EIGRP
d. Router process (only for OSPF) must be configured; key chain in OSPF

9. Which of the following statements is true?
a. RIPv1 supports cleartext authentication, and RIPv2 supports MD5 authentication.
b. RIPv2 and OSPF make use of a key chain for authentication.
c. RIPv2 and EIGRP both require router process configuration for authentication.
d. RIPv2 and EIGRP both make use of a key chain for authentication.

10. What is needed to implement MD5 authentication for BGP?
a. Interface and router process configuration
b. Interface and key chain configuration
c. Router process configuration
d. Router process and key chain configuration

Understanding Firewall Fundamentals
1. Which firewall methodology requires the administrator to know and configure all the
specific ports, IPs, and protocols required for the firewall?
a. AGL
b. Packet filtering
c. Stateful filtering
d. Proxy server

2. Which technology dynamically builds a table for the purpose of permitting the return
traffic from an outside server, back to the client, in spite of a default security policy
that says no traffic is allowed to initiate from the outside networks?
a. Proxy
b. NAT
c. Packet filtering
d. Stateful filtering

3. What does application layer inspection provide?
a. Packet filtering at Layer 5 and higher
b. Enables a firewall to listen in on a client/server communication, looking for information
regarding communication channels
c. Proxy server functionality
d. Application layer gateway functionality

4. Which one of the following is true about a transparent firewall?
a. Implemented at Layer 1
b. Implemented at Layer 2
c. Implemented at Layer 3
d. Implemented at Layer 4 and higher

5. What is the specific term for performing Network Address Translation for multiple
inside devices but optimizing the number of global addresses required?
a. NAT-T
b. NAT
c. PAT
d. PAT-T

6. What term refers to the internal IP address of a client using NAT as seen from other
devices on the same internal network as the client?
a. Inside local
b. Inside global
c. Outside local
d. Outside global

7. Which of the following describes a rule on the firewall which will never be matched
because of where the firewall is in the network?
a. Orphaned rule
b. Redundant rule
c. Shadowed rule
d. Promiscuous rule

8. What is the long-term impact of providing a promiscuous rule as a short-term test in
an attempt to get a network application working?
a. The promiscuous rule may be left in place, leaving a security hole.
b. The rule cannot be changed later to more accurately filter based on the business
requirement.
c. It should be a shadowed rule.
d. Change control documentation may not be completed for this test.

Implementing Cisco IOS Zone-Based Firewalls
1. Which zone is implied by default and does not need to be manually created?
a. Inside
b. Outside
c. DMZ
d. Self

2. If interface number 1 is in zone A, and interface number 2 is in zone B, and there are
no policy or service commands applied yet to the configuration, what is the status of
transit traffic that is being routed between these two interfaces?
a. Denied
b. Permitted
c. Inspected
d. Logged

3. When creating a specific zone pair and applying a policy to it, policy is being implemented
on initial traffic in how many directions?
a. 1
b. 2
c. 3
d. Depends on the policy

4. What is the default policy between an administratively created zone and the self zone?
a. Deny
b. Permit
c. Inspect
d. Log

5. What is one of the added configuration elements that the Advanced security setting
has in the ZBF Wizard that is not included in the Low security setting?
a. Generic TCP inspection
b. Generic UDP inspection
c. Filtering of peer-to-peer networking applications
d. NAT

6. Why is it that the return traffic, from previously inspected sessions, is allowed back to
the user, in spite of not having a zone pair explicitly configured that matches on the
return traffic?
a. Stateful entries (from the initial flow) are matched, which dynamically allows
return traffic.
b. Return traffic is not allowed because it is a firewall.
c. Explicit ACL rules need to be placed on the return path to allow the return traffic.
d. A zone pair in the opposite direction of the initial zone pair (including an applied
policy) must be applied for return traffic to be allowed.

7. What doe the keyword overload imply in a NAT configuration?
a. NAT is willing to take up to 100 percent of available CPU.
b. PAT is being used.
c. NAT will provide “best effort” but not guaranteed service, due to an overload.
d. Static NAT is being used.

8. Which of the following commands shows the current NAT translations on the router?
a. show translations
b. show nat translations
c. show ip nat translations
d. show ip nat translations *

Configuring Basic Firewall Policies on Cisco ASA
1. Which of the following features does the Cisco ASA provide? (Choose all that apply.)
a. Simple packet filtering using standard or extended access lists
b. Layer 2 transparent implementation
c. Support for remote-access SSL VPN connections
d. Support for site-to-site SSL VPN connections

2. Which of the following Cisco ASA models are designed for small and branch offices?
(Choose all that apply.)
a. 5505
b. 5512-X
c. 5555-X
d. 5585-X with SSP10

3. When used in an access policy, which component could identify multiple servers?
a. Stateful filtering
b. Application awareness
c. Object groups
d. DHCP services

4. Which of the following is an accurate description of the word inbound as it relates to
an ASA? (Choose all that apply.)
a. Traffic from a device that is located on a high-security interface
b. Traffic from a device that is located on a low-security interface
c. Traffic that is entering any interface
d. Traffic that is exiting any interface

5. When is traffic allowed to be routed and forwarded if the source of the traffic is from
a device located off of a low-security interface if the destination device is located off
of a high-security interface? (Choose all that apply.)
a. This traffic is never allowed.
b. This traffic is allowed if the initial traffic was inspected and this traffic is the
return traffic.
c. If there is an access list that is permitting this traffic.
d. This traffic is always allowed by default.

6. Which of the following tools could be used to configure or manage an ASA? (Choose
all that apply.)
a. Cisco Security Manager (CSM)
b. ASA Security Device Manager (ASDM)
c. Cisco Configuration Professional (CCP)
d. The command-line interface (CLI)

7. Which of the following elements, which are part of the Modular Policy Framework on
the ASA, are used to classify traffic?
a. Class maps
b. Policy maps
c. Service policies
d. Stateful filtering

8. When you configure the ASA as a DHCP server for a small office, what default gateway
will be assigned for the DHCP clients to use?
a. The service provider’s next-hop IP address.
b. The ASA’s outside IP address.
c. The ASA’s inside IP address.
d. Clients need to locally configure a default gateway value.

9. When you configure network address translation for a small office, devices on the
Internet will see the ASA inside users as coming from which IP address?
a. The inside address of the ASA.
b. The outside address of the ASA.
c. The DMZ address of the ASA.
d. Clients will each be assigned a unique global address, one for each user.

10. You are interested in verifying whether the security policy you implemented is having
the desired effect. How can you verify this policy without involving end users or their
computers?
a. Run the policy check tool, which is built in to the ASA.
b. The ASA automatically verifies that policy matches intended rules.
c. Use the Packet Tracer tool.
d. You must manually generate the traffic from an end-user device to verify that the
firewall will forward it or deny it based on policy.

Cisco IDS/IPS Fundamentals
1. Which method should you implement when it is not acceptable for an attack to reach
its intended victim?
a. IDS
b. IPS
c. Out of band
d. Hardware appliance

2. A company has hired you to determine whether attacks are happening against the
server farm, and it does not want any additional delay added to the network. Which
deployment method should be used?
a. Appliance-based inline
b. IOS software-based inline
c. Appliance-based IPS
d. IDS

3. Why does IPS have the ability to prevent an ICMP-based attack from reaching the
intended victim?
a. Policy-based routing.
b. TCP resets are used.
c. The IPS is inline with the traffic.
d. The IPS is in promiscuous mode.

4. Which method of IPS uses a baseline of normal network behavior and looks for deviations
from that baseline?
a. Reputation-based IPS
b. Policy-based IPS
c. Signature-based IPS
d. Anomaly-based IPS

5. Which type of implementation requires custom signatures to be created by the administrator?
a. Reputation-based IPS
b. Policy-based IPS
c. Engine-based IPS
d. Anomaly-based IPS

6. Which method requires participation in global correlation involving groups outside
your own enterprise?
a. Reputation-based IPS
b. Policy-based IPS
c. Signature-based IPS
d. Anomaly-based IPS

7. Which of the micro-engines contains signatures that can only match on a single
packet, as opposed to a flow of packets?
a. Atomic
b. String
c. Flood
d. Other

8. Which of the following are properties directly associated with a signature? (Choose all
that apply.)
a. ASR
b. SFR
c. TVR
d. RR

9. Which of the following is not a best practice?
a. Assign aggressive IPS responses to specific signatures
b. Assign aggressive IPS responses based on the resulting risk rating generated by
the attack
c. Tune the IPS and revisit the tuning process periodically
d. Use correlation within the enterprise and globally for an improved security
posture

10. What is the name of Cisco cloud-based services for IPS correlation?
a. SIO
b. EBAY
c. ISO
d. OSI

11. Which of the following is not a Next-Generation IPS (NGIPS) solution?
a. NGIPSv
b. ASA with FirePOWER
c. SIO IPS
d. FirePOWER 8000 series appliances

Mitigation Technologies for E-mail- Based and Web-Based Threats
1. Which of the following features does the Cisco ESA provide? (Choose all that apply.)
a. Network antivirus capabilities
b. E-mail encryption
c. Threat outbreak prevention
d. Support for remote access SSL VPN connections

2. Which of the following Cisco ESA models are designed for mid-sized organizations?
(Choose all that apply.)
a. Cisco C380
b. Cisco C670
c. Cisco C680
d. Cisco X1070

3. What is a spear phishing attack?
a. Unsolicited e-mails sent to an attacker.
b. A denial-of-service (DoS) attack against an e-mail server.
c. E-mails that are directed to specific individuals or organizations. An attacker may
obtain information about the targeted individual or organization from social media
sites and other sources.
d. Spam e-mails sent to numerous victims with the purpose of making money.

4. Which of the following e-mail authentication mechanisms are supported by the Cisco
ESA? (Choose all that apply.)
a. Sender Policy Framework (SPF)
b. Sender ID Framework (SIDF)
c. DomainKeys Identified Mail (DKIM)
d. DomainKeys Mail Protection (DMP)

5. Which of the following is the operating system used by the Cisco WSA ?
a. Cisco AsyncOS operating system
b. Cisco IOS-XR Software
c. Cisco IOS-XE Software
d. Cisco IOS Software
e. Cisco ASA Software

6. Which of the following connectors are supported by the Cisco CWS service? (Choose
all that apply.)
a. Cisco Security Manager (CSM)
b. Cisco ASA
c. Cisco ISR G2 routers
d. Cisco AnyConnect Secure Mobility Client
e. Cisco WSA

7. Which of the following features are supported by the Cisco WSA? (Choose all that apply.)
a. File reputation
b. File sandboxing
c. Layer 4 traffic monitor
d. Real-time e-mail scanning
e. Third-party DLP integration

8. Cisco WSA can be deployed using the Web Cache Communication Protocol (WCCP)
configured in which of the following modes? (Choose all that apply.)
a. Multiple context mode
b. Explicit proxy mode
c. Transparent proxy mode
d. Virtualized mode

Mitigation Technologies for Endpoint Threats
1. Which of the following are examples of the most common types of malware? (Choose
all that apply.)
a. viruses
b. worms
c. file encryption software
d. Trojan horses

2. Which of the following are open source antivirus software? (Choose all that apply.)
a. ClamAV
b. Immunet
c. ImuniSec
d. ClamSoft

3. Which of the following statements is correct about back doors?
a. Back doors are created when a buffer overflow is exploited.
b. Back doors can open a network port on the affected system so that the attacker
can connect and control such system.
c. Back doors can open a network firewall port in the network.
d. Back doors are used to legitimately configure system configurations.

4. Cisco AMP for Endpoints provides advanced malware protection for which of the following
operating systems? (Choose all that apply.)
a. Windows
b. MAC OS X
c. Android
d. Solaris
e. HP-UX

5. Which of the following are examples of e-mail encryption solutions? (Choose all that
apply.)
a. Secure/Multipurpose Internet Mail Extensions (S/MIME )
b. VPNs
c. Pretty Good Privacy (PGP)
d. GNU Privacy Guard (GnuPG)
e. Web-based encryption e-mail service like Sendinc or JumbleMe

6. Which of the following file types are supported by Cisco AMP for Endpoints?
(Choose all that apply.)
a. PDF
b. ASC
c. MSCAB
d. ZIP
e. MACHO

7. Which of the following are examples of full disk encryption legitimate software?
(Choose all that apply.)
a. FileVault
b. Cisco FileEncryptor
c. BitLocker
d. CryptoWall
e. CryptoLocker

8. VPN implementations can be categorized into which of the following two distinct
groups?
a. Site-to-site VPNs
b. Free VPNs
c. Commercial VPNs
d. Remote-access VPNs

Show more