CCNA Security Exam

1. Which of the following concepts deals with making sure that data is not altered, whether in transit or in storage?
   - Authentication
   - Confidentiality
   - Integrity
   - Availability

2. Which of the following make up the CIA triad? Choose three.
   - Authentication
   - Confidentiality
   - Integrity
   - Availability

3. Security controls can be classified as physical controls, logical controls and administrative controls. A firewall is an example of a physical control. True or false?
   - True
   - False

4. A Denial of Service (DoS) attack is an attack against which goal of security?
   - Confidentiality
   - Availability
   - Non-repudiation
   - Integrity

5. The Advanced Encryption Standard (AES) is an example of a/an _________________.
   - Asymmetric encryption algorithm
   - Hashing algorithm
   - Stream cipher
   - Block cipher

6. Which of the following are true about SHA-1? Choose two.
   - It takes variable-length data and transforms it into a fixed-length digest
   - It takes fixed-length data and transforms it into a variable-length digest
   - It produces a 160-bit hash value
   - It produces a 256-bit hash value

7. When asymmetric key cryptography is used for secure communication exchange, which of the following is true?
   - The sender encrypts the message with the receiver’s public key while the receiver decrypts the message with the receiver’s private key
   - The sender encrypts the message with the receiver’s private key while the receiver decrypts the message with the receiver’s public key
   - The sender encrypts the message with the sender’s private key while the receiver decrypts the message with the sender’s public key
   - The sender encrypts the message with the sender’s public key while the receiver decrypts the message with the receiver’s private key

8. Looking at the command output below, what algorithm is being used to encrypt/hash the password of the user?
   - Vigenere cipher
   - MD5
   - SHA
   - AES

9. Looking at the configuration snippet below, which of the following is/are true for users who connect via Telnet? Select all that apply.
   - Users connecting via Telnet will be required to log in using the line password “cisco123”
   - No authentication will be required
   - Users connecting via Telnet will be required to log in using a username/password combination
   - Users will not be able to log in via Telnet because of the “no login” command under the VTY lines
   - Users will be placed at privilege level 15 upon connection via Telnet

10. When the aaa new-model command is issued on a Cisco router, which of the following is true?
   - Local authentication is applied on the console line but not the VTY lines
   - Local authentication is automatically applied on the VTY lines and also the console line
   - Nothing happens until an AAA method list is configured under a line
   - Local authentication is automatically applied to all lines on the router except the console line

11. How many privilege levels are available on the Cisco IOS?
   - 1
   - 2
   - 15
   - 16

12. Which of the following are external identity sources supported by Cisco Secure ACS 5.x? Select two.
   - LDAP
   - Active Directory
   - TACACS+ Identity Server
   - MySQL Database

13. Which of the following is NOT true about the RADIUS protocol?
   - It uses TCP port 49
   - It uses UDP
   - It is an industry standard
   - It encrypts only the password in the Access-Request packet

14. You have enabled 802.1X on your network so that users trying to connect through the LAN ports on your Cisco switches are authenticated and authorized by your Cisco Secure ACS. Which of the following terms describes the role of the Cisco switches in 802.1X?
   - Supplicant
   - Authenticator
   - Authentication Server
   - Authentication gateway

15. Looking at the configuration snippet on a Cisco IOS router below, what will happen if the TACACS+ server responds with a FAIL for a user who tries to connect via Telnet?
   - The router will try to authenticate the user using the next method in the method list, i.e. RADIUS
   - The router will try to authenticate the user using the last method in the method list, i.e. the local database
   - The router does not try to use other methods in the method list to authenticate the user
   - None of the above

16. You have configured the IP address and key of a TACACS+ server on a Cisco router. Which of the following options will let you verify that the Cisco router can successfully communicate with the TACACS+ server and authenticate users against that server?
   - Ping
   - Traceroute
   - Use the “test aaa” command from the router
   - Log in to the TACACS+ server from the router

17. Which of the following are true about Internet Key Exchange version 1 (IKEv1)? Select four.
   - IKE Phase 1 can be either Main mode or Aggressive mode
   - IKE Phase 1 can be either Main mode or Quick mode
   - IKE Phase 1 establishes 2 bidirectional SAs
   - IKE Phase 2 establishes 2 unidirectional SAs
   - 6 messages in total are exchanged during IKE Main mode
   - 3 messages in total are exchanged during IKE Quick mode

18. Study the diagram and the two configuration snippets below. The network administrator is trying to configure a site-to-site VPN tunnel between a Cisco router and a Cisco ASA, but the tunnel is not coming up. What is the problem?
   - IKE Phase 1 policy does not match
   - IKE transform set does not match
   - Incorrect ACLs
   - You cannot create a VPN tunnel between a Cisco router and a Cisco ASA

19. When NAT Traversal is being used between two VPN peers, the packets used to encapsulate IPsec traffic use what protocol/port?
   - UDP port 500
   - TCP port 500
   - UDP port 4500
   - TCP port 4500

20. ESP, an IPsec protocol, stands for?
   - Encryption Standard Protocol
   - Encryption Standard Payload
   - Encapsulating Security Protocol
   - Encapsulating Security Payload

21. Which of the Cisco SSL VPN modes requires you to configure an IP address pool from which remote users will be assigned IP addresses?
   - Clientless SSL VPN
   - Thin-client SSL VPN
   - SSL VPN Client
   - All of the above

22. What feature will you configure on a Cisco ASA to allow only certain traffic to be tunneled through the VPN tunnel while allowing all other traffic to flow unencrypted?
   - Hairpinning
   - Split tunneling
   - NAT Traversal
   - Always-on

23. What effect will the “no sysopt connection permit-vpn” command have on the Cisco ASA?
   - VPN traffic will be subject to interface ACLs
   - VPN traffic will not be subject to interface ACLs
   - That command allows VPN tunnels to be terminated on the Cisco ASA
   - It restricts the number of VPN tunnels that can be terminated on the Cisco ASA

24. Take a look at the diagram below. Assuming all other VPN-related configuration is correct, will the VPN tunnel between the routers come up?
   - No, because the IKE policies do not have the same number
   - No, because the lifetimes in the IKE policies do not match
   - Yes, the lower lifetime in the IKE policies will be used
   - Yes, the higher lifetime in the IKE policies will be used

25. Which of the following are true about the SSH protocol? Choose three.
   - It uses TCP port 22 by default
   - It uses TCP port 23 by default
   - It is more secure than the Telnet protocol
   - It is less secure than the Telnet protocol
   - On a Cisco router, generating RSA keys automatically enables SSH
   - On a Cisco router, you need to manually enable SSH using the enable ssh command

26. Looking at the configuration snippet below, when user “helpdesk” logs in via the VTY line, what privilege level will that user be placed in?
   - 0
   - 1
   - 2
   - 15

27. Which of the following is/are required to configure role-based CLI access on a Cisco IOS router? Choose all that apply.
   - AAA must be enabled
   - Enable password/secret must be configured
   - A privilege 15 user must be used to configure views
   - The system must be in Root view to configure views

28. Enabling routing protocol authentication is a protection feature for which plane on a Cisco IOS device?
   - Management plane
   - Control plane
   - Data plane
   - Synchronous plane

29. Which of the following options is/are layer 2 security best practices? Choose all that apply.
   - Change the Native VLAN from the default VLAN
   - Shut down unused ports
   - Enable DTP as it is more secure than static trunking
   - Configure unused ports as trunk ports

30. Which of the following is NOT true about DHCP snooping?
   - It is a layer 2 security feature that can be used to protect against rogue DHCP servers
   - To enable DHCP snooping on a Cisco IOS switch, you must enable it globally and also per VLAN
   - It maintains a DHCP snooping binding database that contains information about both trusted and untrusted hosts
   - It discards invalid DHCP messages received on untrusted ports

31. Which of the following is/are true about Dynamic ARP Inspection (DAI)? Select two.
   - It can use information provided by the DHCP snooping binding database
   - DHCP snooping must be configured for Dynamic ARP Inspection to work
   - To enable Dynamic ARP Inspection on a Cisco IOS switch, you must enable it globally and also per VLAN
   - It validates ARP packets received on untrusted ports

32. What is the default maximum number of secure MAC addresses allowed on a switchport configured with port security?
   - One
   - Two
   - Three
   - Five

33. Which port security violation mode permits traffic from known MAC addresses to continue to be forwarded, restricts data from the violating MAC address, but does not provide notification that a violation has occurred?
   - Pass
   - Restrict
   - Shutdown
   - Protect

34. Choose two correct options below.
   - BPDU Guard will allow BPDU packets to be received on a port as long as the device sending the BPDU packets is not trying to become root
   - Root Guard will allow BPDU packets to be received on a port as long as the device sending the BPDU packets is not trying to become root
   - BPDU Guard will disable a PortFast-enabled port if any BPDU packet is received on that port
   - Root Guard will disable a PortFast-enabled port if any BPDU packet is received on that port

35. For Active/Active failover to be configured on the Cisco ASA, what mode must the ASAs be in?
   - Transparent mode
   - Single context mode
   - Multiple context mode
   - Failover mode

36. Network Object NAT rules are placed in what section of the Cisco ASA NAT table?
   - Section 1
   - Section 2
   - Section 3
   - Section 4

37. Looking at the following NAT rules configured on a Cisco ASA, traffic from source IP address 10.0.0.100 on the inside will be seen as coming from what IP address in the DMZ?
   - 172.16.10.100
   - The DMZ interface IP address of the ASA
   - 172.16.1.254
   - 172.16.1.10

38. Looking at the diagrams below, choose the correct option for translating the 10.0.0.0/24 network to 192.168.0.0/24 when going to the destination network 10.1.1.0/24 (which is really 192.168.1.0/24). The NAT configuration will be done on the Cisco ASA.
   - Create two Network Object NAT rules, one for the source NAT and one for the destination NAT
   - Create a single Network Object NAT rule specifying both the source and destination NAT
   - Create two Twice NAT rules, one for the source NAT and one for the destination NAT
   - Create a single Twice NAT rule specifying both the source and destination NAT

39. In the diagram below, assume that there is IP routing among the different zones, no ACLs have been configured and the default MPF policy has not been edited. Which of the following is/are true? Select all that apply.
   - HOST1 will be able to open a TCP connection to HOST2
   - HOST2 will be able to open an HTTP connection to HOST3
   - HOST1 will be able to successfully ping HOST3 and get a reply
   - HOST3 will be able to open an FTP connection to HOST2

40. Which of the following is/are correct about the Cisco IOS zone-based policy firewall? Select all that apply.
   - Traffic will flow between an interface that is in a zone and an interface that is not in any zone
   - Traffic between zones is not permitted by default unless a policy is configured
   - Traffic to the self zone from any other zone, and vice versa, is denied
   - Traffic between hosts in the same zone is permitted by default

41. What type of NAT will you configure to allow access to a web server located in the DMZ from the Internet?
   - Static NAT
   - PAT
   - Dynamic NAT
   - NAT Overload

42. Look at the diagram below and study the configuration. Assume that there is proper IP routing between the zones. Which of the following is NOT true?
   - A host in the outside zone will be able to successfully ping a host in the inside zone
   - A host in the inside zone will be able to successfully ping a host in the outside zone
   - A host in the outside zone will not be able to make any connection to the inside zone
   - A host in the outside zone will be able to successfully ping the router’s inside interface IP address, i.e. 10.0.0.1

43. When a malicious packet passes through an Intrusion Prevention System and the IPS does not raise any alarm, what is this called?
   - False negative
   - False positive
   - True positive
   - True negative

44. Which IPS/IDS detection technology works by detecting malicious traffic by comparing such traffic to a generally accepted baseline?
   - Signature-based
   - Policy-based
   - Reputation-based
   - Anomaly-based

45. One of the advantages of an IPS operating in inline mode versus one operating in promiscuous mode is that:
   - It does not introduce latency to the traffic flow
   - Traffic flow will not be disrupted if the IPS goes down as long as it is configured to fail closed
   - It can better stop malicious traffic from entering the network
   - All of the above

46. Which of the following products can be used for centralized management of Cisco FirePOWER services and appliances?
   - Cisco Configuration Professional
   - Cisco Security Device Manager
   - Cisco FireSIGHT Management Center
   - Cisco Adaptive Security Device Manager

47. OpenPGP is a protocol that can be used for email encryption. What does PGP stand for?
   - Protected Group Protocol
   - Pretty Good Protocol
   - Pretty Good Privacy
   - Protected Group Privacy

48. Sam is the CEO of an organization that deals in trading diamonds. Early one morning, he receives an email from one of their suppliers, addressed to him and informing him of an outstanding payment for a shipment that Sam thought he had already paid for. The email includes a link for Sam to log into the supplier’s portal. Fearing the email may be malicious, Sam gets on the phone with the supplier, who tells him they didn’t send any email and that his shipment is already on its way. What kind of email attack did Sam almost fall for?
   - Phishing
   - Pharming
   - Spear phishing
   - Vishing

49. In what two modes can the Cisco Web Security Appliance (WSA) be configured to operate?
   - Explicit mode
   - Whitelist mode
   - Routed mode
   - Transparent mode

50. A type of malware that disguises itself as a legitimate program but is in fact malicious is known as a?
   - Virus
   - Worm
   - Trojan horse
   - Logic bomb
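Question 8 asks you to recognise an IOS password storage type from a configuration line. The following is an added example, not part of the quiz, that audits constructed IOS credential lines by their documented type digit (0 plaintext, 7 reversible Vigenere-style obfuscation, 5 salted MD5, 4 unsalted SHA-256, 8 PBKDF2-SHA256, 9 scrypt) and reverses a type-7 string so the weakness is concrete. The sample configuration, usernames and hash values are constructed for the demo; the type-7 key is Cisco's widely published constant.

```python
"""Audit how a Cisco IOS configuration stores credentials (added example).

Type digits and their meaning follow Cisco's documented scheme. The
configuration lines below are constructed; the type-5 and type-9 hash
values are placeholders shaped like real ones and are never verified here.
"""
import re

# Cisco's fixed type-7 XOR key. Type 7 is obfuscation, not encryption:
# anyone holding the config can reverse it with this constant.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

PASSWORD_TYPES = {
    "0": ("plaintext", "weak"),
    "4": ("SHA-256, unsalted (deprecated)", "weak"),
    "5": ("MD5-crypt, salted", "legacy"),
    "7": ("Vigenere-style obfuscation (reversible)", "weak"),
    "8": ("PBKDF2-SHA256", "strong"),
    "9": ("scrypt", "strong"),
}

# Matches "username NAME [privilege N] secret|password [TYPE] VALUE"
# and "enable secret|password [TYPE] VALUE". No type digit means type 0.
CRED_RE = re.compile(
    r"^(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?|enable)\s+"
    r"(?P<kind>secret|password)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)$"
)

# Constructed sample configuration (not from any real device).
SAMPLE_CONFIG = """
hostname R1
service password-encryption
username admin privilege 15 secret 5 $1$XnQ7$Q4jfL2c0u0UyS1hKnq0wb1
username helpdesk privilege 2 password 7 094F471A1A0A
username guest password 0 guest123
enable secret 9 $9$constructedsalt$constructedscrypthashvalueAAAAAAAAAAAAAAAA
"""


def decode_type7(encoded):
    """Reverse a type-7 string: two-digit key offset, then hex bytes XORed
    with successive key bytes starting at that offset."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(
        chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(body)
    )


def audit_config(config):
    """Return one finding per credential line: principal, type, algorithm,
    verdict, and the recovered plaintext when the line is type 7."""
    findings = []
    for raw in config.splitlines():
        m = CRED_RE.match(raw.strip())
        if not m:
            continue
        ptype = m.group("type") or "0"
        algorithm, verdict = PASSWORD_TYPES.get(ptype, ("unknown", "review"))
        finding = {
            "principal": m.group("user") or "enable",
            "keyword": m.group("kind"),
            "type": ptype,
            "algorithm": algorithm,
            "verdict": verdict,
        }
        if ptype == "7":
            finding["recovered"] = decode_type7(m.group("value"))
        findings.append(finding)
    return findings


def weak_principals(config):
    """Principals whose stored secret an attacker with the config can use directly."""
    return [f["principal"] for f in audit_config(config) if f["verdict"] == "weak"]


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f)
    print("weak:", weak_principals(SAMPLE_CONFIG))
```

The regex keys on the type digit that IOS writes after `secret` or `password`, which is what the quiz's missing output would show. A `password` line with no digit is plaintext, and `service password-encryption` only upgrades such lines to type 7; the audit treats both as weak, since the type-7 reversal shows why.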
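Questions 15 and 16 turn on how IOS walks an AAA login method list: a later method is consulted only when the previous one returns an error (server unreachable, no reply), never when it returns an explicit FAIL. The following added example, not part of the quiz, models that rule for a method list equivalent to `aaa authentication login default group tacacs+ group radius local`. The credential stores and the reachable/unreachable flags are constructed stubs; the treatment of an unknown local user as an error (so the next method is tried) follows observed IOS behaviour and should be verified on your own platform.

```python
"""Walk an IOS AAA login method list the way the router does (added example).

Rule modelled: PASS authenticates, FAIL rejects and stops, ERROR falls
through to the next method; if every method errors, the login is denied.
All servers and users below are constructed for the demo.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # the server or database answered and rejected them
    ERROR = "error"  # no usable answer (server unreachable, unknown local user)


# Constructed stand-ins for the TACACS+ server, the RADIUS server and the
# router's local username database.
TACACS_USERS = {"bob": "bobpass"}
RADIUS_USERS = {"bob": "bobpass"}
LOCAL_USERS = {"admin": "adminpass"}


def server_method(users, reachable):
    """Model 'group tacacs+' / 'group radius': unreachable -> ERROR,
    otherwise PASS or FAIL from the server's own decision."""
    def authenticate(user, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return authenticate


def local_method(users):
    """Model 'local': unknown user -> ERROR (next method is consulted),
    known user with wrong password -> FAIL (assumed IOS behaviour)."""
    def authenticate(user, password):
        if user not in users:
            return Result.ERROR
        return Result.PASS if users[user] == password else Result.FAIL
    return authenticate


def build_method_list(tacacs_up=True, radius_up=True):
    """Equivalent of: aaa authentication login default group tacacs+ group radius local"""
    return [
        ("group tacacs+", server_method(TACACS_USERS, tacacs_up)),
        ("group radius", server_method(RADIUS_USERS, radius_up)),
        ("local", local_method(LOCAL_USERS)),
    ]


def run_method_list(methods, user, password):
    """Return (authenticated, trace) where trace lists each method consulted
    and its result, in order."""
    trace = []
    for name, method in methods:
        result = method(user, password)
        trace.append((name, result))
        if result is Result.PASS:
            return True, trace
        if result is Result.FAIL:
            # Explicit reject: IOS does NOT move on to RADIUS or local here.
            return False, trace
        # Result.ERROR: this method could not decide, try the next one.
    return False, trace  # every method errored


if __name__ == "__main__":
    # Question 15: TACACS+ answers FAIL, so nothing else is tried.
    print(run_method_list(build_method_list(), "bob", "wrong"))
    # TACACS+ unreachable: ERROR, then RADIUS accepts.
    print(run_method_list(build_method_list(tacacs_up=False), "bob", "bobpass"))
    # Both servers down: only then does the local database decide.
    print(run_method_list(build_method_list(False, False), "admin", "adminpass"))
```

This is also why `test aaa` (question 16) is the right check: ping and traceroute prove only reachability, whereas a FAIL from a reachable server with a mismatched key or unknown user is a normal, complete answer that still ends the attempt.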