CCIE Security Exam (v4.1)
Question No: 181 – (Topic 2)
Refer to the exhibit.
Against which type of attack does the given configuration protect?
a botnet attack
DNS cache poisoning
Question No: 182 – (Topic 2)
Which two statements about ASA transparent mode are true? (Choose two.)
It drops ARP traffic unless it is permitted.
It does not support NAT.
It requires the inside and outside interface to be in different subnets.
It can pass IPv6 traffic.
It cannot pass multicast traffic.
It supports ARP inspection.
Even though the transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with an extended access list. The only traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP inspection.
These features are not supported in transparent mode:
->NAT
NAT is performed on the upstream router.
->Dynamic routing protocols (such as RIP, EIGRP, OSPF)
You can add static routes for traffic that originates on the security appliance. You can also allow dynamic routing protocols through the security appliance with an extended access list.
Note: IS-IS is IP protocol 124 (IS-IS over IPv4). IS-IS transit packets can be allowed through the transparent firewall with an ACL that permits protocol 124. The transparent mode supports all 255 IP protocols.
->DHCP relay
The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands. DHCP relay is not required because you can allow DHCP traffic to pass through with an extended access list.
->Quality of Service (QoS)
->Multicast
You can allow multicast traffic through the security appliance if you permit it in an extended access list. In a transparent firewall, access lists are required to pass multicast traffic from higher to lower as well as from lower to higher security levels. In routed mode, no access list is required for traffic from a higher to a lower security level.
->VPN termination for through traffic
The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the security appliance. You can pass VPN traffic through the security appliance with an extended access list, but it does not terminate non-management connections.
Reference: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html
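The access-list and ARP-inspection behaviour described above, as an added ASA configuration example (not from the page or the Cisco document it cites). It assumes interfaces already named "outside" (security-level 0) and "inside" (security-level 100); the ACL names, the 192.0.2.x addresses and the MAC address are placeholders.

```cisco
! Added example: ASA transparent mode.  Changing the firewall mode clears the
! running configuration, so do this before anything else is configured.
firewall transparent
!
! Layer 3 traffic is dropped unless an extended ACL permits it; only ARP
! passes without one.  Let the routing protocols the document lists through.
access-list OUTSIDE_IN extended permit ospf any any
access-list OUTSIDE_IN extended permit eigrp any any
! IS-IS over IPv4 has no protocol keyword; use IP protocol number 124
access-list OUTSIDE_IN extended permit 124 any any
! DHCP relay is not supported in transparent mode, so permit the DHCP
! server's replies (bootps -> bootpc) coming back in instead
access-list OUTSIDE_IN extended permit udp any eq bootps any eq bootpc
! Multicast needs an explicit permit in BOTH directions in transparent mode
access-list OUTSIDE_IN extended permit ip any 224.0.0.0 240.0.0.0
access-group OUTSIDE_IN in interface outside
!
! Inside (higher security): multicast still needs a permit here; unicast is
! limited to the protocols the inside subnet actually uses
access-list INSIDE_IN extended permit ip any 224.0.0.0 240.0.0.0
access-list INSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 any
access-list INSIDE_IN extended permit udp 192.0.2.0 255.255.255.0 any
access-list INSIDE_IN extended permit icmp 192.0.2.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! ARP inspection: pin the upstream router's binding, then drop any ARP on
! "outside" whose IP/MAC pair does not match a static entry (no-flood)
arp outside 192.0.2.1 0011.2233.4455
arp-inspection outside enable no-flood
!
! Verify
show access-list OUTSIDE_IN
show arp-inspection
```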
Question No: 183 – (Topic 2)
Of which IPS application is Event Action Rule a component?
Reference: http://manualmachine.com/cisco-systems/ips4510k9/1024953-user-manual/page:67/
Question No: 184 – (Topic 2)
Refer to the exhibit.
After setting the replay window size on your Cisco router, you received the given system message. What is the reason for the message?
The replay window size is set too low for the number of packets received.
The IPSec anti-replay feature is enabled, but the window size feature is disabled.
The IPSec anti-replay feature is disabled.
The replay window size is set too high for the number of packets received.
Answer: A Explanation:
If your replay window size has not been set to a number that is high enough for the number of packets received, you will receive a system message such as the following:
*Nov 17 19:27:32.279: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
The above message is generated when a received packet is judged to be outside the anti-replay window.
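Widening the window so that legitimately reordered packets are no longer rejected, as an added IOS/IOS XE configuration example (not from the page). The crypto map name VPNMAP and sequence 10 are assumed.

```cisco
! Added example: tuning the IPsec anti-replay window.
!
! The default window is 64 packets.  When QoS queuing or ECMP reorders
! packets by more than that, late packets fail the replay check and
! %CRYPTO-4-PKT_REPLAY_ERR is logged.  Widen the window instead of
! disabling replay detection, which would remove the protection entirely.
crypto ipsec security-association replay window-size 1024
!
! Per-peer override: a crypto map entry can carry its own window size for
! a path that is reordered more (or less) than the rest
crypto map VPNMAP 10 ipsec-isakmp
 set security-association replay window-size 512
!
! The new size applies to SAs built after the change; existing SAs keep
! the old window until they are re-established
clear crypto sa
!
! Verify: the per-SA detail shows whether replay detection is on and the
! "replay failed (rcv)" counter, which should stop increasing afterwards
show crypto ipsec sa detail | include replay
```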
Question No: 185 – (Topic 2)
What are two advantages of SNMPv3 over SNMPv2c? (Choose two.)
integrity, to ensure that data has not been tampered with in transit
no source authentication mechanism for faster response time
Packet replay protection mechanism removed for efficiency
GetBulkRequest capability, to retrieve large amounts of data in a single request
confidentiality via encryption of packets, to prevent man-in-the-middle attacks
Answer: A,E Explanation:
SNMPv3 contains all the functionality of SNMPv1 and SNMPv2, but SNMPv3 has significant enhancements to administration and security. SNMPv3 is an interoperable standards-based protocol. SNMPv3 provides secure access to devices by authenticating and encrypting packets over the network.
The security features provided in SNMPv3 are as follows:
Message integrity: ensuring that a packet has not been tampered with in transit
Authentication: determining that the message is from a valid source
Encryption: scrambling the contents of a packet to prevent it from being seen by an unauthorized source
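The difference between a community-string deployment and an SNMPv3 user with authentication and privacy, as an added IOS/IOS XE configuration example (not from the page). The view, group and user names, the ACL number and the manager address are assumed; the passphrases are placeholders.

```cisco
! Added example: SNMPv2c versus SNMPv3 authPriv on IOS.
!
! Weak: a community string is sent in cleartext and gives no message
! integrity and no source authentication
snmp-server community public RO
!
! Corrected: remove the community, then build an SNMPv3 group that
! requires "priv" (authentication AND encryption) and restrict the source
no snmp-server community public
snmp-server view MGMT-VIEW iso included
access-list 10 permit host 192.0.2.50
snmp-server group NMS-GROUP v3 priv read MGMT-VIEW access 10
!
! HMAC-SHA gives integrity and authentication; AES-128 gives confidentiality
snmp-server user nms-poller NMS-GROUP v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>
!
! Verify.  The user does not appear in the running configuration (its keys
! are stored localized), so use the show commands instead
show snmp user
show snmp group
```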
Question No: 186 – (Topic 2)
What is the purpose of enabling the IP options selective drop feature on your network routers?
To protect the internal network from IP spoofing attacks
To drop IP fragmented packets
To drop packets with a TTL value of zero
To protect the network from DoS attacks
Question No: 187 – (Topic 2)
Which three statements about VRF-Aware Firewall are true? (Choose three)
It can run as more than one instance.
It enables service providers to implement firewall on PE devices.
It can generate syslog messages that are visible only to individual VPNs.
It can support VPN networks with overlapping address ranges without NAT.
It supports both global and per-VRF commands and DoS parameters.
It enables service providers to deploy firewall on customer devices.
Question No: 188 – (Topic 2)
Which three fields are part of the AH header? (Choose three.)
SPI identifying SA
Answer: D,E,F Explanation:
The following AH packet diagram shows how an AH packet is constructed and interpreted:
Authentication Header format (32-bit words, in transmission order):
Next Header (8 bits) | Payload Len (8 bits) | Reserved (16 bits)
Security Parameters Index (SPI) (32 bits)
Sequence Number (32 bits)
Integrity Check Value (ICV) (variable length, a multiple of 32 bits)…
Question No: 189 – (Topic 2)
What are two authentication algorithms supported with SNMPv3 on an ASA? (Choose two.)
Question No: 190 – (Topic 2)
For which reason would an RSA key pair need to be removed?
The CA is under DoS attack
The CA has suffered a power outage
The existing CA is replaced, and the new CA requires newly generated keys
PKI architecture would never allow the RSA key pair removal
Answer: C Explanation:
An RSA key pair may need to be removed for one of the following reasons:
->During manual PKI operations and maintenance, old RSA keys can be removed and replaced with new keys.
->An existing CA is replaced and the new CA requires newly generated keys; for example, the required key size might have changed in an organization, so you would have to delete the old 1024-bit keys and generate new 2048-bit keys.
->The peer router's public keys can be deleted in order to help debug signature verification problems in IKEv1 and IKEv2. Keys are cached by default with the lifetime of the certificate revocation list (CRL) associated with the trustpoint.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-deploy-rsa-pki.html
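The second reason above (new CA, larger key size) carried through as an added IOS/IOS XE procedure (not from the page or the referenced guide). The key labels OLD-KEY and NEW-KEY, the trustpoint name NEW-CA and the enrollment URL are placeholders.

```cisco
! Added example: replacing a 1024-bit RSA pair with 2048-bit keys for a new CA.
!
! 1. See which key pairs exist and which trustpoints reference them
show crypto key mypubkey rsa
show crypto pki trustpoints
!
! 2. Remove the old pair.  Any trustpoint, SSH server or IKE identity bound
!    to it stops working immediately, so do this in a maintenance window.
crypto key zeroize rsa OLD-KEY
!
! 3. Generate the replacement pair and bind the new CA's trustpoint to it
crypto key generate rsa label NEW-KEY modulus 2048
crypto pki trustpoint NEW-CA
 enrollment url http://<new-ca-host>:80
 rsakeypair NEW-KEY
 revocation-check crl
!
! 4. Import the CA certificate (compare its fingerprint out of band before
!    accepting it), then request the router certificate
crypto pki authenticate NEW-CA
crypto pki enroll NEW-CA
!
! 5. Confirm the new certificate chain is in place
show crypto pki certificates NEW-CA
```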