Security in Design
Question 1
Which Cisco security solution offers protection against “day zero” attacks?
A. Cisco Adaptive Security Appliance
B. Cisco Security Agent
C. Cisco IOS Firewall
D. Cisco IOS IPS
E. Cisco Traffic Anomaly Detector
Answer: B
Explanation
The Cisco Security Agent (CSA) software protects server and desktop
endpoints from the latest threats caused by malicious network attacks.
CSA can identify and prevent network attacks that are considered unknown
or “Day Zero”-type threats. CSAs are packed with many features,
including firewall capabilities, intrusion prevention, malicious mobile
code protection, operating-system integrity assurance, and audit log
consolidation.
(Reference: CCDA Official Exam Certification Guide 3rd)
Question 2
Which two solutions are parts of the Cisco Security Management Suite? (Choose two)
A. ASA
B. Cisco Security Agent
C. NAC Appliance
D. CSM
E. PIX
F. Cisco Security MARS
Answer: D F
Explanation
Solutions of the Cisco Security Management Suite are:
+ Cisco Security Manager (CSM) is an integrated solution for configuration management of firewall, VPN, router, switch module, and IPS devices.
+ Cisco Secure Access Control Server (ACS) provides centralized control for administrative access to Cisco devices and security applications.
+ Cisco Security Monitoring, Analysis, and Response System (MARS) is an appliance-based solution for network security administrators to monitor, identify, isolate, and respond to security threats.
+ Management Center for CSA (CSA MC) is an SSL web-based tool for managing Cisco Security Agent configurations.
+ Cisco Router and Security Device Manager (SDM) is a web-based tool for routers and supports a wide range of IOS software.
+ Cisco Adaptive Security Device Manager (ASDM) is a web-based tool for managing Cisco ASA 5500 series appliances, PIX 500 series appliances (version 7.0 or higher), and Cisco Catalyst 6500 Firewall Services Modules (FWSM version 3.1 or higher).
+ Cisco Intrusion Prevention System Device Manager (IDM) is a web-based application that configures and manages IPS sensors.
(Reference: CCDA Official Exam Certification Guide 3rd)
Question 3
A manufacturing company has decided to add a website to enhance
sales. The web servers in the E-Commerce module must be accessible
without compromising network security. Which two design recommendations
can be made to meet these requirements? (Choose two)
A. Use private and public key encryption.
B. Move the E-Commerce servers to the WAN module.
C. Use intrusion detection on the E-Commerce server farm.
D. Limit the number of incoming connections to the E-Commerce module.
E. Place E-Commerce servers and application servers on isolated LANs (DMZs).
Answer: C E
Question 4
Which Cisco security solution can quarantine and prevent
non-compliant end stations from accessing the network until they achieve
security policy compliance?
A. Cisco Secure Connectivity
B. Adaptive Security Appliance
C. Access Control Server
D. Network Admission Control
E. Network Intrusion Prevention System
F. Cisco Security Monitoring, Analysis, and Response System
Answer: D
Explanation
Network Admission Control protects the network from threats by
enforcing security compliance on all devices attempting to access the
network. It allows access to endpoints only after they have passed
authentication based on security policies.
Question 5
A Cisco Self-Defending Network has been installed, but DoS attacks
are still being directed at e-commerce hosts. The connection rate at the
Internet firewall was limited, but the problem persists. What more can
be done?
A. Move the servers to the DMZ.
B. Install all relevant operating system patches.
C. Block the servers’ TCP traffic at the Internet firewall.
D. Block the servers’ UDP traffic at the Internet firewall.
Answer: B
Question 6
Which three security measures can be used to mitigate DoS attacks
that are directed at exposed hosts within the E-Commerce module? (Choose
three)
A. Partition the exposed hosts into a separate LAN or VLAN.
B. Use firewalls to block all unnecessary connections to the exposed hosts.
C. Use a VPN concentrator (IPSec) to protect and verify each connection to the exposed host or hosts.
D. Use LAN switch VTP pruning to separate hosts on the same segment.
E. Use NIDSs and HIPSs to detect signs of attack and to identify potentially successful breaches.
Answer: A B E
Question 7
Which Cisco security management solution provides the means to identify, isolate, and counter security threats to the network?
A. Adaptive Security Device Manager
B. Intrusion Prevention Device Manager
C. Security Device Manager
D. Cisco Security Manager
E. Cisco Security Monitoring, Analysis, and Response System
Answer: E
Explanation
Cisco Security Monitoring, Analysis, and Response System (Cisco
Security MARS) is an appliance-based solution for network security
administrators to monitor, identify, isolate, and respond to security
threats. MARS understands the network topology and device configurations
from routers, switches, firewalls, and IPS devices. MARS also can model packet flows on the network.
Question 8
A large enterprise requires sensitive information be transmitted over
a public infrastructure. It requires confidentiality, integrity, and
authenticity. Which security solution best meets these requirements?
A. Cisco IOS Firewall
B. Intrusion Prevention
C. Secure Connectivity
D. AAA
E. Traffic Guard Protector
Answer: C
Question 9
Which technology can ensure data confidentiality, data integrity, and authentication across a public IP network?
A. GRE
B. IPsec
C. VLANs
D. VSANs
E. VPDNs
Answer: B
Question 10
For which technology is IPsec required for a site-to-site enterprise WAN/MAN architecture?
A. ATM
B. ISP Service
C. Frame Relay
D. SP MPLS VPN
E. self-deployed MPLS
Answer: B
Question 11
A Cisco security mechanism has the following attributes:
+ it is a sensor appliance
+ it searches for potential attacks by capturing and analyzing traffic
+ it is a “purpose-built device”
+ it is installed passively
+ it introduces no delay or overhead
Which Cisco security mechanism is this?
A. IKE
B. PIX
C. HIPS
D. NIDS
E. HMAC
Answer: D
Question 12
Which of these domain-of-trust security statements is correct?
A. Segments within a network should have the same trust models.
B. An administrator should apply consistent security controls between segments.
C. Communication between trusted entities needs to be carefully managed and controlled.
D. Segment security policy decisions are based on trust.
Answer: D