Saturday, 22 February 2014

CCIE Pre-Qualification Test for Security Version 3.1 document

350 - 018

Leading the way in IT testing and certification tools, www.testking.com

- 5 -


QUESTION NO: 4
A Network Administrator is trying to configure IPSec with a remote system. When a tunnel is initiated
from the remote end, the security associations (SAs) come up without errors. However, encrypted traffic
is never sent successfully between the two endpoints.
What is a possible cause?

A. NAT could be running between the two IPSec endpoints.
B. NAT overload could be running between the two IPSec endpoints.
C. The transform set could be mismatched between the two IPSec endpoints.
D. The IPSec proxy could be mismatched between the two IPSec endpoints.


Answer: B
Explanation: This configuration will not work with port address translation (PAT). Note: NAT is a one-to-one
address translation, not to be confused with PAT, which is a many (inside the firewall)-to-one translation. IPSec
with PAT may not work properly because the outside tunnel endpoint device cannot handle multiple tunnels
from one IP address. You will need to contact your vendor to determine whether the tunnel endpoint devices will
work with PAT.

Question: What is PAT, or NAT overloading?
Answer: PAT, or NAT overloading, is a feature of Cisco IOS NAT and can be used to translate internal (inside
local) private addresses to one or more outside (inside global, usually registered) IP addresses. Unique source
port numbers on each translation are used to distinguish between the conversations. With NAT overload, a
translation table entry containing full address and source port information is created.



QUESTION NO: 5
Which are the principles of a one way hash function? (Multiple answer)

A. A hash function takes a variable length input and creates a fixed length output.
B. A hash function is typically used in IPSec to provide a fingerprint for a packet.
C. A hash function cannot be random and the receiver cannot decode the hash.
D. A hash function must be easily decipherable by anyone who is listening to the exchange.


Answer: A, B
Explanation: Developers use a hash function on their code to compute a digest, which is also known as a
one-way hash. The hash function securely compresses code of arbitrary length into a fixed-length digest result.



QUESTION NO: 6
Exhibit:



What is the expected behavior of IP traffic from the clients attached to the two Ethernet subnets?

A. Traffic will successfully access the Internet, but will not flow encrypted between the router’s Ethernet
subnets.
B. Traffic between the Ethernet subnets on both routers will not be encrypted.
C. Traffic will be translated by NAT between the Ethernet subnets on both routers.
D. Traffic will successfully access the Internet fully encrypted.
E. Traffic bound for the Internet will not be routed because the source IP addresses are private.


Answer: A
Explanation:
NOT ENOUGH OF THE EXHIBIT TO MAKE A REAL CHOICE. THE EXHIBIT IS ONE OF
IPSEC; TAKE YOUR BEST SHOT.




QUESTION NO: 7
A ping of death is when:

A. An IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the “type”
field in the ICMP header is set to 18 (Address Mask Reply).

B. An IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP), the Last Fragment
bit is set, and (IP offset * 8) + (IP data length) > 65535.
In other words, the IP offset (which represents the starting position of this fragment in the original
packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an
IP packet.
C. An IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the source
equal to destination address.
D. The IP header is set to 1 (ICMP) and the “type” field in the ICMP header is set to 5 (Redirect).


Answer: B
Explanation: "A hacker can send an IP packet to a vulnerable machine such that the last fragment contains an
offset where (IP offset * 8) + (IP data length) > 65535. This means that when the packet is reassembled, its total
length is larger than the legal limit, causing buffer overruns in the machine's OS (because the buffer sizes are
defined only to accommodate the maximum allowed size of the packet based on RFC 791). IDS can generally
recognize such attacks by looking for packet fragments that have the IP header's protocol field set to 1 (ICMP),
the last bit set, and (IP offset * 8) + (IP data length) > 65535." (CCIE Professional Development: Network
Security Principles and Practices by Saadat Malik, p. 414)
"Ping of Death" attacks cause systems to react in an unpredictable fashion when receiving oversized IP
packets. TCP/IP allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a
minimum of 20 octets of IP header information and zero or more octets of optional information, with the rest of
the packet being data. Ping of Death attacks can cause crashing, freezing, and rebooting.
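The detection rule quoted above (protocol 1, last fragment, (IP offset * 8) + (IP data length) > 65535) implemented as an IDS-style check over constructed IPv4 headers. This is an added example, not code from the original document; the header builder is a hypothetical helper that produces minimal 20-byte headers without a checksum.

```python
import struct

IP_MAX_LEN = 65535        # maximum IPv4 datagram length (RFC 791)
IPPROTO_ICMP = 1
MF_FLAG = 0x2000          # "More Fragments" bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF      # 13-bit fragment offset, counted in 8-byte units
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4_header(total_len, offset_units, more_fragments, proto=IPPROTO_ICMP):
    """Constructed test input: a minimal IPv4 header (checksum left as 0)."""
    ver_ihl = (4 << 4) | 5                      # version 4, IHL 5 words = 20 bytes
    flags_off = (MF_FLAG if more_fragments else 0) | (offset_units & OFFSET_MASK)
    return struct.pack(IPV4_FMT, ver_ihl, 0, total_len, 0x1234, flags_off,
                       64, proto, 0, bytes([10, 1, 5, 10]), bytes([10, 1, 1, 1]))


def parse_ipv4(header):
    """Extract the fields the ping-of-death rule needs from a raw IPv4 header."""
    ver_ihl, _, total_len, _, flags_off, _, proto, _, _, _ = struct.unpack(IPV4_FMT, header[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "data_len": total_len - ihl,            # "IP data length" in the rule
        "offset": flags_off & OFFSET_MASK,      # fragment offset in 8-byte units
        "more_fragments": bool(flags_off & MF_FLAG),
    }


def is_ping_of_death(header):
    """True when this ICMP last fragment would reassemble past 65535 bytes."""
    h = parse_ipv4(header)
    if h["proto"] != IPPROTO_ICMP or h["more_fragments"]:
        return False                            # rule only fires on an ICMP last fragment
    return h["offset"] * 8 + h["data_len"] > IP_MAX_LEN


# Constructed samples: a normal last fragment and an oversized one.
NORMAL_LAST_FRAG = build_ipv4_header(total_len=100, offset_units=1000, more_fragments=False)
OVERSIZED_LAST_FRAG = build_ipv4_header(total_len=60, offset_units=8189, more_fragments=False)
```

A real sensor would apply the same check to the header of every fragment it sees; the middle fragments of the same datagram (MF set) never trigger it, which is why the rule keys on the last fragment.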



QUESTION NO: 8
Why would a Network Administrator want to use Certificate Revocation Lists (CRLs) in their IPSec
implementations?

A. They allow the ability to do “on the fly” authentication of revoked certificates.
B. They help to keep a record of valid certificates that have been issued in their network.
C. They allow them to deny devices with certain certificates from being authenticated to their network.
D. Wildcard keys are much more efficient and secure.
CRLs should only be used as a last resort.


Answer: C
Explanation: A CRL is a method of certificate revocation. It is a time-stamped list identifying revoked
certificates, which is signed by a CA and made available to the participating IPSec peers on a regular periodic
basis (for example, hourly, daily, or weekly). Each revoked certificate is identified in a CRL by its certificate
serial number. When a participating peer device uses a certificate, that system not only checks the certificate
signature and validity but also acquires the most recently issued CRL and checks that the certificate serial
number is not on that CRL.




QUESTION NO: 9
A SYN flood attack is when:

A. A target machine is flooded with TCP connection requests with randomized source address & ports for
the TCP ports.
B. A target machine is sent a TCP SYN packet (a connection initiation), giving the target host’s address as
both source and destination, and is using the same port on the target host as both source and destination.
C. A TCP packet is received with the FIN bit set but with no ACK bit set in the flags field.
D. A TCP packet is received with both the SYN and the FIN bits set in the flags field.


Answer: A
Explanation: to a server that requires an exchange of a sequence of messages. The client system begins by
sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK
message to the client. The client then finishes establishing the connection by responding with an ACK
message, and then data can be exchanged. At the point where the server system has sent an acknowledgment
(SYN-ACK) back to the client but has not yet received the ACK message, there is a half-open connection. A data
structure describing all pending connections is kept in the server's memory and can be made to overflow by
intentionally creating too many partially open connections. Another common attack is the SYN flood, in which
a target machine is flooded with TCP connection requests. The source addresses and source TCP ports of the
connection request packets are randomized; the purpose is to force the target host to maintain state information
for many connections that will never be completed. SYN flood attacks are usually noticed because the target
host (frequently an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. It is also possible for the
traffic returned from the target host to cause trouble on routers; because this return traffic goes to the
randomized source addresses of the original packets, it lacks the locality properties of "real" IP traffic, and may
overflow route caches. On Cisco routers, this problem often manifests itself in the router running out of memory.



QUESTION NO: 10
What kind of interface is not available on the Cisco Secure Intrusion Detection System sensor?

A. Ethernet
B. Serial
C. Token Ring
D. FDDI


Answer: B
Explanation: Sensors are optimized for specific data rates and are packaged in Ethernet, Fast Ethernet
(100BaseT), Token Ring, and FDDI configurations.




QUESTION NO: 11
Exhibit:


Given the configuration shown, what is the expected behavior of IP traffic travelling from the attached
clients to the two Ethernet subnets? (Multiple answer)

A. Traffic bound for the Internet will be translated by NAT and will not be encrypted.
B. Traffic between the Ethernet subnets on both routers will be encrypted.
C. Traffic bound for the Internet will not be routed because the source IP addresses are private.
D. Traffic will not successfully access the Internet or the subnets of the remote router’s Ethernet interface.
E. Traffic will be translated by NAT between the Ethernet subnets on both routers.


Answer: B
Explanation:



QUESTION NO: 12
How is data between a router and a TACACS+ server encrypted?

A. CHAP Challenge responses
B. DES encryption, if defined

C. MD5 hash using secret matching keys
D. PGP with public keys


Answer: C
Explanation: "The hash used in TACACS+ is MD5." (CCIE Professional Development: Network Security
Principles and Practices by Saadat Malik, p. 497)



QUESTION NO: 13
A gratuitous ARP is used to: (Multiple answer)

A. Refresh other devices’ ARP caches after reboot.
B. Look for duplicate IP addresses.
C. Refresh the originating server’s cache every 20 minutes.
D. Identify stations without MAC addresses.
E. Prevent proxy ARP from becoming promiscuous.


Answer: A, B
Explanation: NOT SURE ABOUT THIS QUESTION - "Refresh the originating server's cache every 20
minutes" could be an answer, but the test wants only 2.

Gratuitous ARP [23] is an ARP packet sent by a node in order to spontaneously cause other nodes to update an
entry in their ARP cache. A gratuitous ARP MAY use either an ARP Request or an ARP Reply packet. In
either case, the ARP Sender Protocol Address and ARP Target Protocol Address are both set to the IP address
of the cache entry to be updated, and the ARP Sender Hardware Address is set to the link-layer address to
which this cache entry should be updated. When using an ARP Reply packet, the Target Hardware Address is
also set to the link-layer address to which this cache entry should be updated (this field is not used in an ARP
Request packet).

Most hosts on a network will send out a Gratuitous ARP when they are initialising their IP stack. This
Gratuitous ARP is an ARP request for their own IP address and is used to check for a duplicate IP address. If
there is a duplicate address then the stack does not complete initialisation.



QUESTION NO: 14
Within OSPF, what functionality best defines the use of a ‘stub’ area?

A. It appears only on remote areas to provide connectivity to the OSPF backbone.
B. It is used to inject the default route for OSPF.

C. It uses the no-summary keyword to explicitly block external routes, defines the non-transit area, and
uses the default route to reach external networks.
D. To reach networks external to the sub area.


Answer: B
Explanation: These areas do not accept routes belonging to external autonomous systems (AS); however,
these areas have inter-area and intra-area routes. In order to reach the outside networks, the routers in the stub
area use a default route which is injected into the area by the Area Border Router (ABR). A stub area is
typically configured in situations where the branch office need not know about all the routes to every other
office; instead, it can use a default route to the central office and get to other places from there.
Hence the memory requirements of the leaf node routers are reduced, and so is the size of the OSPF database.



QUESTION NO: 15
What is the best explanation for the command aaa authentication ppp default if-needed tacacs+?

A. If authentication has been enabled on an interface, use TACACS+ to perform authentication.
B. If the user requests authentication, use TACACS+ to perform authentication.
C. If the user has already been authenticated by some other method, do not run PPP authentication.
D. If the user is not configured to run PPP authentication, do not run PPP authentication.
E. If the user knows the enable password, do not run PPP authentication.


Answer: C
Explanation: if-needed (Optional) Used with TACACS and extended TACACS. Does not perform
CHAP or PAP authentication if the user has already provided authentication. This option is available only on
asynchronous interfaces.



QUESTION NO: 16
To restrict SNMP access to a router, what configuration command could be used?

A. snmp-server community
B. snmp-server public
C. snmp-server password
D. snmp-server host


Answer: A

Explanation: Configure the community string with snmp-server community. (Optional) For access-list-number,
enter an IP standard access list numbered from 1 to 99 or 1300 to 1999; only hosts permitted by that access
list may use the community string.



QUESTION NO: 17
TFTP security is controlled by: (Multiple answer)

A. A username/password.
B. A default TFTP directory.
C. A TFTP file.
D. A pre-existing file on the server before it will accept a put.
E. File privileges.


Answer: B, D, E
Explanation: A username/password is for FTP, not TFTP. A default TFTP directory has to exist on your TFTP
server, and its location is listed in the tftp command.
When uploading code you need to have a pre-existing file on the server, but some programs like SolarWinds
will download the running config via TFTP and create the file.



QUESTION NO: 18
Which statements are true about RIP v1? (Multiple answer)

A. RIP v1 is a classful routing protocol.
B. RIP v1 does not carry subnet information in its routing updates.
C. RIP v1 does not support Variable Length Subnet Masks (VLSM).
D. RIP v1 can support discontiguous networks.


Answer: A, B, C
Explanation: RIP and IGRP are classful protocols.
See also: "Why Doesn't RIP or IGRP Support Discontiguous Networks?"



QUESTION NO: 19
In the IOS Firewall Feature Set, what kind of traffic is NOT subject to inspection?

A. FTP
B. TFTP
C. ICMP

D. SMTP


Answer: C
Explanation: CBAC-Supported applications (Deployable on a modular basis):



QUESTION NO: 20
Exhibit:
S* 0.0.0.0/0 [1/0] via 172.31.116.65
D 172.16.0.0/24 [90/48609] via 10.1.1.1
R 172.16.0.0/16 [120/4] via 192.168.1.4

A router has the above routes listed in its routing table and receives a packet destined for 172.16.0.45.
What will happen?

A. The router will not forward this packet, since it is destined for the 0 subnet.
B. The router will forward the packet though 172.31.116.65, since it has the lowest metric.
C. The router will forward the packet through 10.1.1.1.
D. The router will forward the packet through 172.31.116.65, since it has the lowest administrative
distance.
E. The router will forward the packet through 192.168.1.4.


Answer: C
Explanation: D = EIGRP, which has the lowest metric of the routing protocols shown. R = RIP, AD of 120.
S* = the default route: 0.0.0.0/0 matches packets that do not match any other route and forwards them to
172.31.116.65. The destination 172.16.0.45 falls inside both 172.16.0.0/24 and 172.16.0.0/16; the more
specific /24 route is chosen (longest prefix match), so the packet is forwarded through 10.1.1.1.
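Route selection over the exhibit's three entries, written as an added example (not code from the original document): longest prefix match decides first, and administrative distance and then metric only break ties between routes to the same prefix. The table values are copied from the exhibit; the lookup function itself is a hypothetical helper.

```python
import ipaddress

# Routes from the exhibit: (code, prefix, administrative distance, metric, next hop)
ROUTING_TABLE = [
    ("S*", "0.0.0.0/0",     1,   0,     "172.31.116.65"),
    ("D",  "172.16.0.0/24", 90,  48609, "10.1.1.1"),
    ("R",  "172.16.0.0/16", 120, 4,     "192.168.1.4"),
]


def lookup(destination, table=ROUTING_TABLE):
    """Return (code, prefix, next_hop) for the route that forwards `destination`, or None."""
    dst = ipaddress.ip_address(destination)
    candidates = []
    for code, prefix, ad, metric, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            # Sort key: longest prefix first, then lowest AD, then lowest metric.
            # The metric is never compared across routes to different prefixes.
            candidates.append((-net.prefixlen, ad, metric, code, prefix, next_hop))
    if not candidates:
        return None
    _, _, _, code, prefix, next_hop = min(candidates)
    return code, prefix, next_hop


def explain(destination, table=ROUTING_TABLE):
    """Human-readable trace of which prefixes matched and which one won."""
    dst = ipaddress.ip_address(destination)
    matched = [p for _, p, *_ in table if dst in ipaddress.ip_network(p)]
    chosen = lookup(destination, table)
    return f"{destination}: matched {matched}; forwarded via {chosen[2]} ({chosen[1]})"
```

Constructed usage: lookup("172.16.0.45") picks the /24 EIGRP route even though the RIP /16 has the smaller metric, while 172.16.5.1 matches only the /16 and any non-172.16 address falls to the default route.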



QUESTION NO: 21
In the Cisco Secure Intrusion Detection System/HP OpenView interface, a “yellow” sensor icon would
mean:

A. A sensor daemon had logged a level 3 alarm.
B. A sensor daemon had logged a level 4 or 5 alarm.
C. The director that the sensor reports to is operating in degraded mode.
D. The device that the sensor detected being attacked is inoperative as a result of the attack.


Answer: A

Explanation: Alarm levels 3 and 4 are medium. Medium severity is displayed in yellow, so the icon for medium
severity is a yellow flag. By default, events at levels 1 and 2 are low, events at levels 3 and 4 are medium, and
events at level 5 and higher are high.
Cisco Secure Intrusion Detection System by Earl Carter, pp. 148, 213, 214



QUESTION NO: 22
Symptoms:
- Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
- Console logging: level warning, 0 messages logged
- Monitor logging: level informational, 0 messages logged
- Buffer logging: level informational, 0 message lines logged

Note: Router 1’s CPU is normally above 25% busy switching packets

Scenario:
Host A cannot reach the FTP Server, but can reach Host B. The network administrator suspects that
packets are travelling from network 10.1.5.0 to the FTP Server, but packets are not returning. The
administrator logs into the console port of Router 1. When Host A sends a ping to the FTP Server, the
administrator executes a “debug ip packet” command on the router.
Exhibit:


The administrator does not see any output. What additional commands could be used to see the packets
flowing from Ethernet 0 to Ethernet 1?

A. terminal monitor
B. configure terminal
logging console debug
interface ethernet1
no ip route-cache
C. configure terminal
logging console debug
D. configure terminal
no logging buffered
E. configure terminal
