New Updated Cisco CCNA Security 640-554 Real Exam Download 31-40

Ensurepass

QUESTION 31

Which two options are advantages of an application layer firewall? (Choose two.)

 

A.      provides high-performance filtering

B.      makes DoS attacks difficult

C.      supports a large number of applications

D.      authenticates devices

E.       authenticates individuals

 

Correct Answer: BE

 

 

QUESTION 32

Refer to the exhibit. Using a stateful packet firewall and given an inside ACL entry of permit ip 192.16.1.0 0.0.0.255 any, what would be the resulting dynamically configured ACL for the return traffic on the outside ACL?

 

[Exhibit not available]

 

A.      permit tcp host 172.16.16.10 eq 80 host 192.168.1.11 eq 2300

B.      permit ip 172.16.16.10 eq 80 192.168.1.0 0.0.0.255 eq 2300

C.      permit tcp any eq 80 host 192.168.1.11 eq 2300

D.      permit ip host 172.16.16.10 eq 80 host 192.168.1.0 0.0.0.255 eq 2300

 

Correct Answer: A

 

 

QUESTION 33

Which option is the resulting action in a zone-based policy firewall configuration with these conditions?

 

[Exhibit not available]

 

A.      no impact to zoning or policy

B.      no policy lookup (pass)

C.      drop

D.      apply default policy

 

Correct Answer: C

 

 

QUESTION 34

A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a security level of 100. The second interface is the DMZ interface with a security level of 50. The third interface is the outside interface with a security level of 0. By default, without any access list configured, which five types of traffic are permitted? (Choose five.)

 

A.      outbound traffic initiated from the inside to the DMZ

B.      outbound traffic initiated from the DMZ to the outside

C.      outbound traffic initiated from the inside to the outside

D.      inbound traffic initiated from the outside to the DMZ

E.       inbound traffic initiated from the outside to the inside

F.       inbound traffic initiated from the DMZ to the inside

G.      HTTP return traffic originating from the inside network and returning via the outside interface

H.      HTTP return traffic originating from the inside network and returning via the DMZ interface

I.        HTTP return traffic originating from the DMZ network and returning via the inside interface

J.        HTTP return traffic originating from the outside network and returning via the inside interface

 

Correct Answer: ABCGH

 

 

QUESTION 35

Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR router? (Choose two.)

 

A.      syslog

B.      SDEE

C.      FTP

D.      TFTP

E.       SSH

F.       HTTPS

 

Correct Answer: BF

 

 

QUESTION 36

Which two functions are required for IPsec operation? (Choose two.)

 

A.      using SHA for encryption

B.      using PKI for pre-shared key authentication

C.      using IKE to negotiate the SA

D.      using AH protocols for encryption and authentication

E.       using Diffie-Hellman to establish a shared-secret key

 

Correct Answer: CE

 

 

QUESTION 37

On Cisco ISR routers, for what purpose is the realm-cisco.pub public encryption key used?

 

A.      used for SSH server/client authentication and encryption

B.      used to verify the digital signature of the IPS signature file

C.      used to generate a persistent self-signed identity certificate for the ISR so administrators can authenticate the ISR when accessing it using Cisco Configuration Professional

D.      used to enable asymmetric encryption on IPsec and SSL VPNs

E.       used during the DH exchanges on IPsec VPNs

 

Correct Answer: B

 

 

QUESTION 38

Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration Professional IPS wizard? (Choose four.)

 

A.      Select the interface(s) to apply the IPS rule.

B.      Select the traffic flow direction that should be applied by the IPS rule.

C.      Add or remove IPS alerts actions based on the risk rating.

D.      Specify the signature file and the Cisco public key.

E.       Select the IPS bypass mode (fail-open or fail-close).

F.       Specify the configuration location and select the category of signatures to be applied to the selected interface(s).

 

Correct Answer: ABDF

 

 

QUESTION 39

Which statement is a benefit of using Cisco IOS IPS?

 

A.      It uses the underlying routing infrastructure to provide an additional layer of security.

B.      It works in passive mode so as not to impact traffic flow.

C.      It supports the complete signature database as a Cisco IPS sensor appliance.

D.      The signature database is tied closely with the Cisco IOS image.

 

Correct Answer: A

 

 

QUESTION 40

You are the security administrator for a large enterprise network with many remote locations. You have been given the assignment to deploy a Cisco IPS solution. Where in the network would be the best place to deploy Cisco IOS IPS?

 

A.      inside the firewall of the corporate headquarters Internet connection

B.      at the entry point into the data center

C.      outside the firewall of the corporate headquarters Internet connection

D.      at remote branch offices

 

Correct Answer: D

 
