In which three ways does the RADIUS protocol differ from TACACS? (choose two)
RADIUS uses UDP to communicate with the NAS
RADIUS encrypts only the password field in an authentication packet
RADIUS authenticates and authorizes simultaneously, causing fewer packets to be transmitted
RADIUS uses TCP to communicate with the NAS
RADIUS can encrypt the entire packet that is sent to the NAS
RADIUS supports per-command authorization
Which countermeasures can mitigate ARP spoofing attacks? (Choose two)
Dynamic ARP inspection
IP Source Guard
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations? (Choose three)
When matching ACL entries are configures
When the firewall requires strict HTTP inspection
When matching NAT entries are configured
When the firewall receives a SYN packet
When the firewall receives a SYN-ACK packet
When the firewall requires HTTP inspection
In which two situations should you use in-band management? (Choose two)
When management applications need concurrent access to the devices
When you require administartor access from multiple locations
When you require ROMMON access
When a network device fails to forward packets
When the control plane fails to respond.
Which components does HMAC use to determine the authenticity and integrity of a message? (Choose two)
The transform set
Which security measures can protect the control plane of a Cisco router? (Choose two)
Access control lists
Which RADIUS server authentication protocols are suported on Cisco ASA firewalls? (Choose three)
Which TACACS+ server authentication protocols are supported on Cisco ASA firewalls? (Choose three)
Which statement about reflexive access lists are true? (Choose three)
Reflexive access lists can be attached to extended named IP ACLs
Reflexive access lists support TCP sessions
Reflexive access lists approximate the session filtering using the established keyword
Reflexive access lists create a permanent ACE
Reflexive access lists can be attached to standard named IP ACLs
Reflexive access lists support UDP sessions
According to Cisco best practices, which three protocols should the default ACL allow on an access port to enable wired BYOD devices to supply valid credentials and connect to the network? (Choose three)
Which two next-generation encryption algorithms does Cisco recommend? (Choose two)
Which three statements describe DHCP spoofing attacks? (Choose three)
They are used to perform man-in-the-middle attacks
They can physically modify the network gateway
They can access most network devices
They use ARP poisoning
They protect the identity of the attacker by masking the DHCP address
They can modify traffic in transit
Which three ESP fields can be encrypted during transmission? (Choose three)
Security Parameter Index
In which three ways does the TACACS protocol differ from RADIUS? (Choose three)
TACACS uses UDP to communicate with the NAS
TACACS suports per-command authorization
TACACS can encrypt the entire packet that is sent to the NAS
TACACS encrypts only the password field in an authentication packet
TACACS uses TCP to communicate with the NAS
TACACS authenticates and authorizes simultaneously, causing fewer packets to be transmitted.
Which accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose two)
Which options are filtering options used to display SDEE message types? (Choose two)
Which protocols use encryption to protect the confidentiality of data transmitted between two parties? (Choose two)
What are two uses of SIEM software? (Choose two)
Performing automatic network audits
Collecting and archiving syslog data
Scanning email for suspicious attachments
Configuring firewall and IDS devices
Alerting administrators to security events in real time
You want to allow all of your company's users to access the Internet without allowing other web servers to collect the IP Addresses of individual users. What two solutions can you use? (Choose two)
Configure a firewall to use Port Address Translation
Configure a proxy server to hide users' local IP Addresses
Install a Web content filter to hide users' local IP Addresses
Assign the same IP address to all users
Assign unique IP addresses to all users
A data breach has occurred and your company database has been copied. Which security principle has been violated?
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?
How can you detect a false negative on an IPS?
Review the IPS log
Review the IPS console
Use a third-party to audit the next-generation firewall rules
Use a third-party system to perform penetration testing
View the alert on the IPS
Which statement provides the best definition of malware?
Malware is tools and applications that remove unwanted programs
Malware is software used by nation states to commit cyber crimes
Malware is unwanted software that is harmful or destructive
Malware is a collection of worms, viruses, and Trojan horses that is distributed as a single package
How can FirePOWER block malicious email attachments?
It forwards email requrests to an external signature engine.
It scans inbound email messages for known bad URLs
It send an alert to the administrator to verify suspicious email messages
It send the traffic through a file policy
A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for Remote Desktop Protocol on the portal web page. Which action should you take to begin troubleshooting?
Instruct the user to reconnect to the VPN gateway
Ensure that the RDP plug-in is installed on the VPN gateway
Reboot the VPN gateway
Ensure that the RDP2 plug-in is installed on the VPN gateway
Refer to the following commands:
crypto map mymap match address 201
access-list 201 permit ip 10.10.10.0 255.255.255.0 10.100.100.0 255.255.255.0
What is the effect of the given command sequence?
It defines IKE policy for traffic sourced from the 10.100.100.0/24 with a destination of 10.10.10.0/24
It defines IPsec policy for traffic sourced from the 10.100.100.0/24 with a destination of 10.10.10.0/24
It defines IPsec policy for traffic sourced from the 10.10.10.0/24 with a destination of 10.100.100.0/24
It defines IKE policy for traffic sourced from the 10.10.10.0/24 with a destination of 10.100.100.0/24
Which Cisco Security Manager application collects information about the device status and uses it to generate notifications and alerts?
Health and Performance monitor
You have been tasked with blocking user access to websites that violate company policy, but the sites use dynamic IP addresses. What is the best practice for URL filtering to solve the problem?
Enable URL filtering and create a whitelist to block websites that violate company policy.
Enable URL filtering and use URL categorization to block the websites that violate company policy.
Enable URL filtering and use URL categorization to allow only the websites that company policy allows users to access
Enable URL filtering and create a blacklist to block the websites that violate company policy
Enable URL filtering and create a whitelist to allow only the websites that company policy allows users to access
Which Sourcefire event action should you choose if you want to block only malicious traffic from a particular end user?
Allow with inspection
Allow without inspection
You have implemented a Sourcefire IPS and configured it to block certain addresses utilizing Security intelligence iP Address Reputation. A user calls and is not able to access a certain IP Address. What action can you take to allow the user access to the IP address?
Create a user based access control rule to allow the traffic
Create a custom blacklist to allow the traffic
Create a whitelist and add the appropriate IP address to allow the traffic
Create a network based access control rule to allow the traffic
Create a rule to bypass inspection to allow the traffic
Refer to the following commands:
authentication event fail action next-method
authentication event no-response action authorize vlan 101
authentication order mab dot1x webauth
authentication priority dot1x mab
authentication port-control auto
dot1x pae authenticator
If a supplicant supplies incorrect credentials for all authentication methods configured on the switch, how will the switch respond?
The authentication attempt will time out and the switch will place the port into unauthorized state.
The switch will cycle through the configured authentication methods indefinitely.
The authentication attempt will time out and the switch will place the port into VLAN 101.
The supplicant will fail to advance beyond the webauth method
In which stage on an attack does the attacker discover devices on a target network?
Which statement about personal firewalls is true?
They can protect a system by denying probing requests.
They can protect the network against attacks.
They can protect email messages and private documents in a similar way to a VPN.
They are resilient against kernel attacks.
What is a possible reason for the error message:
% Unrecognized command
The router is already running the latest operating system
The command is invalid on the target device
The router is a new device on which the aaa new-model command must be applied before continuing
The command syntax requires a space after the word "server"
Which command is needed to enable SSH support on a Cisco Router?
crypto key unlock rsa
crypto key lock rsa
crypto key generate rsa
crypto key zeorize rsa
What is the transition order of STP in states on a Layer 2 switch interface?