CCNA Security V2.0 Final Exam

By Jokinen

Questions and Answers
  • 1. 

    Which security implementation will provide control plane protection for a network device?

    • A.

      Encryption for remote access connections

    • B.

      AAA for authenticating management access

    • C.

      Routing protocol authentication

    • D.

      NTP for consistent timestamps on logging messages

    Correct Answer
    C. Routing protocol authentication
    Explanation
    Routing protocol authentication is a security implementation that provides control plane protection for a network device. It ensures that only authorized routers can participate in the routing process by verifying the authenticity of routing updates. This prevents unauthorized devices from injecting false routing information and helps in protecting the network against attacks such as route poisoning or route hijacking. By authenticating the routing protocol, the control plane of the network device is protected, enhancing the overall security of the network.

  • 2. 

    What is the one major difference between local AAA authentication and using the login local command when configuring device access authentication?

    • A.

      Local AAA authentication provides a way to configure backup methods of authentication, but login local does not

    • B.

      The login local command requires the administrator to manually configure the usernames and passwords, but local AAA authentication does not

    • C.

      Local AAA authentication allows more than one user account to be configured, but login local does not.

    • D.

      The login local command uses local usernames and passwords stored on the router, but local AAA authentication does not.

    Correct Answer
    A. Local AAA authentication provides a way to configure backup methods of authentication, but login local does not
    Explanation
    Local AAA authentication provides a way to configure backup methods of authentication, which means that if the primary authentication method fails, the device can fall back to a secondary method for authentication. On the other hand, the login local command does not provide this capability. It simply requires the administrator to manually configure the usernames and passwords on the device. Therefore, the major difference between local AAA authentication and using the login local command is that local AAA authentication allows for backup authentication methods, while login local does not.

  • 3. 

    Refer to the exhibit. A network administrator configures AAA authentication on R1. The administrator then tests the configuration by telnetting to R1. The ACS servers are configured and running. What will happen if the authentication fails?

    • A.

      The enable secret password could be used in the next login attempt.

    • B.

      The authentication process stops.

    • C.

      The username and password of the local user database could be used in the next login attempt.

    • D.

      The enable secret password and a random username could be used in the next login attempt.

    Correct Answer
    B. The authentication process stops.
    Explanation
    If the authentication fails, the authentication process will stop. This means that the user will not be able to access the device or perform any further actions until a successful authentication is completed. The enable secret password or any other credentials will not be used in the next login attempt.

  • 4. 

    What are two tasks that can be accomplished with the Nmap and Zenmap network tools? (Choose two.)

    • A.

      Password recovery

    • B.

      Password auditing

    • C.

      Identification of Layer 3 protocol support on hosts

    • D.

      TCP and UDP port scanning

    • E.

      Validation of IT system configuration

    Correct Answer(s)
    C. Identification of Layer 3 protocol support on hosts
    D. TCP and UDP port scanning
    Explanation
    Nmap and Zenmap are network tools that can be used for identifying Layer 3 protocol support on hosts. This means that they can help in determining which network protocols are supported by different hosts on a network. Additionally, these tools can also perform TCP and UDP port scanning, which involves checking open ports on a network host to identify potential vulnerabilities or services running on those ports. These tasks are important for network administrators to assess network security and ensure proper configuration.

  • 5. 

    Which Cisco IOS subcommand is used to compile an IPS signature into memory?

    • A.

      retired true

    • B.

      event-action produce-alert

    • C.

      retired false

    • D.

      event-action deny-attacker-inline

    Correct Answer
    C. retired false
  • 6. 

    Why are DES keys considered weak keys?

    • A.

      They are more resource intensive.

    • B.

      DES weak keys use very long key sizes.

    • C.

      They produce identical subkeys.

    • D.

      DES weak keys are difficult to manage.

    Correct Answer
    C. They produce identical subkeys.
    Explanation
    The reason DES keys are considered weak keys is because they produce identical subkeys. This means that certain keys in the DES algorithm result in the same subkeys being generated, which can lead to vulnerabilities and make it easier for attackers to exploit the encryption. Identical subkeys reduce the effective key length and weaken the overall security of the encryption algorithm.

  • 7. 

    What is a benefit of using a next-generation firewall rather than a stateful firewall?

    • A.

      Reactive protection against Internet attacks

    • B.

      Granularity control within applications

    • C.

      Support of TCP-based packet filtering

    • D.

      Support for logging

    Correct Answer
    B. Granularity control within applications
    Explanation
    A benefit of using a next-generation firewall rather than a stateful firewall is the granularity control within applications. Next-generation firewalls have the ability to inspect and control traffic at the application level, allowing for more specific and fine-tuned control over the applications being used. This can help prevent unauthorized access or usage of specific applications, providing a higher level of security and control compared to stateful firewalls which primarily focus on network-level filtering.

  • 8. 

    What is a result of securing the Cisco IOS image using the Cisco IOS Resilient Configuration feature?

    • A.

      When the router boots up, the Cisco IOS image is loaded from a secured FTP location.

    • B.

      The Cisco IOS image file is not visible in the output of the show flash command.

    • C.

      The Cisco IOS image is encrypted and then automatically backed up to the NVRAM.

    • D.

      The Cisco IOS image is encrypted and then automatically backed up to a TFTP server.

    Correct Answer
    B. The Cisco IOS image file is not visible in the output of the show flash command.
    Explanation
    The Cisco IOS Resilient Configuration feature ensures that the Cisco IOS image file is not visible in the output of the show flash command. This means that even if someone gains access to the router's flash memory, they will not be able to see the IOS image file. This adds an extra layer of security to the device, as it prevents potential attackers from easily identifying and analyzing the IOS image.

  • 9. 

    The corporate security policy dictates that the traffic from the remote-access VPN clients must be separated between trusted traffic that is destined for the corporate subnets and untrusted traffic destined for the public Internet. Which VPN solution should be implemented to ensure compliance with the corporate policy?

    • A.

      MPLS

    • B.

      Hairpinning

    • C.

      GRE

    • D.

      Split tunneling

    Correct Answer
    D. Split tunneling
    Explanation
    Split tunneling should be implemented to ensure compliance with the corporate policy. Split tunneling allows remote-access VPN clients to access both the corporate subnets and the public Internet simultaneously. This means that the client's traffic can be separated, with trusted traffic being directed to the corporate subnets and untrusted traffic being directed to the public Internet. By implementing split tunneling, the corporate security policy regarding traffic separation can be enforced.

  • 10. 

    Which two conditions must be met in order for a network administrator to be able to remotely manage multiple ASAs with Cisco ASDM? (Choose two.)

    • A.

      The ASAs must all be running the same ASDM version.

    • B.

      Each ASA must have the same enable secret password.

    • C.

      Each ASA must have the same master passphrase enabled.

    • D.

      The ASAs must be connected to each other through at least one inside interface.

    • E.

      ASDM must be run as a local application.

    Correct Answer(s)
    A. The ASAs must all be running the same ASDM version.
    E. ASDM must be run as a local application.
    Explanation
    To remotely manage multiple ASAs with Cisco ASDM, two conditions must be met. First, all ASAs must be running the same version of ASDM. This ensures compatibility and allows for seamless management across the network. Second, ASDM must be run as a local application, meaning it should be installed and accessed from the administrator's local machine. This allows for remote access and control of the ASAs without physically being present at each device.

  • 11. 

    What is negotiated in the establishment of an IPsec tunnel between two IPsec hosts during IKE Phase 1?

    • A.

      ISAKMP SA policy

    • B.

      DH groups

    • C.

      Interesting traffic

    • D.

      Transform sets

    Correct Answer
    A. ISAKMP SA policy
    Explanation
    During IKE Phase 1, the ISAKMP SA (Internet Security Association and Key Management Protocol Security Association) policy is negotiated in the establishment of an IPsec tunnel between two IPsec hosts. The ISAKMP SA policy defines the parameters and settings for the secure communication between the hosts, including authentication methods, encryption algorithms, and key exchange protocols. This negotiation ensures that both hosts agree on the security parameters before establishing the IPsec tunnel for secure communication.

  • 12. 

    What are two benefits of using a ZPF rather than a Classic Firewall? (Choose two.)

    • A.

      ZPF allows interfaces to be placed into zones for IP inspection.

    • B.

      The ZPF is not dependent on ACLs.

    • C.

      Multiple inspection actions are used with ZPF.

    • D.

      ZPF policies are easy to read and troubleshoot.

    • E.

      With ZPF, the router will allow packets unless they are explicitly blocked.

    Correct Answer(s)
    B. The ZPF is not dependent on ACLs.
    D. ZPF policies are easy to read and troubleshoot.
    Explanation
    ZPF allows interfaces to be placed into zones for IP inspection, which provides better control and visibility over network traffic. The ZPF is not dependent on ACLs, eliminating the need for complex access control configurations and simplifying the firewall setup. ZPF policies are easy to read and troubleshoot, making it easier for administrators to understand and maintain the firewall rules.

  • 13. 

    Which security policy characteristic defines the purpose of standards?

    • A.

      Step-by-step details regarding methods to deploy company switches

    • B.

      Recommended best practices for placement of all company switches

    • C.

      Required steps to ensure consistent configuration of all company switches

    • D.

      List of suggestions regarding how to quickly configure all company switches

    Correct Answer
    C. Required steps to ensure consistent configuration of all company switches
    Explanation
    The security policy characteristic that defines the purpose of standards is the required steps to ensure consistent configuration of all company switches. Standards provide a set of guidelines and procedures that must be followed in order to achieve a consistent and secure configuration across all switches. By enforcing these required steps, organizations can ensure that all switches are configured in a uniform and secure manner, reducing the risk of vulnerabilities and ensuring compliance with security policies.

  • 14. 

    What algorithm is used to provide data integrity of a message through the use of a calculated hash value?

    • A.

      RSA

    • B.

      DH

    • C.

      AES

    • D.

      HMAC

    Correct Answer
    D. HMAC
    Explanation
    HMAC (Hash-based Message Authentication Code) is the algorithm used to provide data integrity of a message through the use of a calculated hash value. It involves a cryptographic hash function along with a secret key, which is used to generate the hash value. This hash value is then appended to the message, allowing the recipient to verify the integrity of the message by recalculating the hash value using the same key and comparing it to the received hash value.

  • 15. 

    On which port should Dynamic ARP Inspection (DAI) be configured on a switch?

    • A.

      An uplink port to another switch

    • B.

      On any port where DHCP snooping is disabled

    • C.

      Any untrusted port

    • D.

      Access ports only

    Correct Answer
    A. An uplink port to another switch
    Explanation
    Dynamic ARP Inspection (DAI) should be configured on an uplink port to another switch. This is because DAI is a security feature that validates ARP packets and prevents ARP spoofing attacks. By configuring DAI on the uplink port, the switch can inspect and verify ARP packets coming from other switches before forwarding them to the network. This helps ensure the integrity of the ARP process and protects against malicious activities. Configuring DAI on other types of ports, such as access ports or untrusted ports, may not provide the same level of protection.

  • 16. 

    What is a feature of a Cisco IOS Zone-Based Policy Firewall?

    • A.

      A router interface can belong to only one zone at a time.

    • B.

      Service policies are applied in interface configuration mode.

    • C.

      Router management interfaces must be manually assigned to the self zone.

    • D.

      The pass action works in multiple directions.

    Correct Answer
    A. A router interface can belong to only one zone at a time.
    Explanation
    A feature of a Cisco IOS Zone-Based Policy Firewall is that a router interface can belong to only one zone at a time. This means that each interface on the router can be assigned to a specific zone, and traffic between zones can be controlled and monitored based on the policies defined for each zone. This helps in enhancing network security by allowing administrators to enforce different security policies for different zones.

  • 17. 

    Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router by using the password cisco123. What is a possible cause of the problem?

    • A.

      The Telnet connection between RouterA and RouterB is not working correctly.

    • B.

      The password cisco123 is wrong.

    • C.

      The administrator does not have enough rights on the PC that is being used.

    • D.

      The enable password and the Telnet password need to be the same.

    Correct Answer
    B. The password cisco123 is wrong.
    Explanation
    The possible cause of the problem is that the password "cisco123" is wrong. This means that the administrator is entering an incorrect password when trying to gain Telnet access to RouterB.

  • 18. 

    Refer to the exhibit. The ip verify source command is applied on untrusted interfaces. Which type of attack is mitigated by using this configuration?

    • A.

      DHCP spoofing

    • B.

      DHCP starvation

    • C.

      STP manipulation

    • D.

      MAC and IP address spoofing

    Correct Answer
    D. MAC and IP address spoofing
    Explanation
    The "ip verify source" command is used to mitigate MAC and IP address spoofing attacks. MAC spoofing involves changing the Media Access Control (MAC) address of a device to impersonate another device on the network, while IP address spoofing involves forging the source IP address in network packets. By applying the "ip verify source" command on untrusted interfaces, the network can verify the source MAC and IP addresses of incoming packets, helping to prevent spoofing attacks.

  • 19. 

    Refer to the exhibit. Which conclusion can be made from the show crypto map command output that is shown on R1?

    • A.

      The crypto map has not yet been applied to an interface.

    • B.

      The current peer IP address should be 172.30.2.1.

    • C.

      There is a mismatch between the transform sets.

    • D.

      The tunnel configuration was established and can be tested with extended pings.

    Correct Answer
    A. The crypto map has not yet been applied to an interface.
    Explanation
    The exhibit shows the output of the "show crypto map" command on R1. Based on this output, it can be concluded that the crypto map has not yet been applied to an interface. This means that the VPN configuration has been created but has not been activated on any specific interface for the traffic to be encrypted or decrypted.

  • 20. 

    What type of algorithms require sender and receiver to exchange a secret key that is used to ensure the confidentiality of messages?

    • A.

      Symmetric algorithms

    • B.

      Hashing algorithms

    • C.

      Asymmetric algorithms

    • D.

      Public key algorithms

    Correct Answer
    A. Symmetric algorithms
    Explanation
    Symmetric algorithms require the sender and receiver to exchange a secret key that is used to ensure the confidentiality of messages. In symmetric encryption, the same key is used for both encryption and decryption. This means that both the sender and receiver need to have the same key in order to encrypt and decrypt the messages. By exchanging the secret key, the sender and receiver can securely communicate and ensure that only they can understand the encrypted messages.

  • 21. 

    What is an advantage in using a packet filtering firewall versus a high-end firewall appliance?

    • A.

      Packet filters perform almost all the tasks of a high-end firewall at a fraction of the cost.

    • B.

      Packet filters provide an initial degree of security at the data-link and network layer.

    • C.

      Packet filters represent a complete firewall solution.

    • D.

      Packet filters are not susceptible to IP spoofing.

    Correct Answer
    A. Packet filters perform almost all the tasks of a high-end firewall at a fraction of the cost.
    Explanation
    An advantage of using a packet filtering firewall versus a high-end firewall appliance is that packet filters can perform most of the tasks of a high-end firewall but at a much lower cost. This means that organizations can achieve a high level of security without having to invest in expensive hardware or software. Packet filters are a cost-effective solution for providing an initial degree of security at the data-link and network layer, making them a favorable option for many businesses.

  • 22. 

    Refer to the exhibit. In the network that is shown, which AAA command logs the use of EXEC session commands?

    • A.

      aaa accounting network start-stop group tacacs+

    • B.

      aaa accounting network start-stop group radius

    • C.

      aaa accounting connection start-stop group radius

    • D.

      aaa accounting exec start-stop group radius

    • E.

      aaa accounting connection start-stop group tacacs+

    • F.

      aaa accounting exec start-stop group tacacs+

    Correct Answer
    F. aaa accounting exec start-stop group tacacs+
    Explanation
    The correct answer is "aaa accounting exec start-stop group tacacs+". This command enables accounting for EXEC session commands and logs their use. The "start-stop" option ensures that the start and stop times of each session are recorded. The "group tacacs+" specifies that the accounting information should be sent to a TACACS+ server for centralized logging and auditing.

  • 23. 

    A network administrator enters the single-connection command. What effect does this command have on AAA operation?

    • A.

      Allows a new TCP session to be established for every authorization request

    • B.

      Authorizes connections based on a list of IP addresses configured in an ACL on a Cisco ACS server

    • C.

      Allows a Cisco ACS server to minimize delay by establishing persistent TCP connections

    • D.

      Allows the device to establish only a single connection with the AAA-enabled server

    Correct Answer
    C. Allows a Cisco ACS server to minimize delay by establishing persistent TCP connections
    Explanation
    The correct answer states that the "single-connection" command allows a Cisco ACS server to minimize delay by establishing persistent TCP connections. This means that instead of establishing a new TCP session for every authorization request, the server maintains a single connection, reducing the overhead and delay associated with establishing multiple connections. This can improve the efficiency and performance of the AAA operation.

  • 24. 

    Which two practices are associated with securing the features and performance of router operating systems? (Choose two.)

    • A.

      Install a UPS.

    • B.

      Keep a secure copy of router operating system images.

    • C.

      Configure the router with the maximum amount of memory possible.

    • D.

      Disable default router services that are not necessary.

    • E.

      Reduce the number of ports that can be used to access the router.

    Correct Answer(s)
    B. Keep a secure copy of router operating system images.
    C. Configure the router with the maximum amount of memory possible.
    Explanation
    The two practices associated with securing the features and performance of router operating systems are keeping a secure copy of router operating system images and configuring the router with the maximum amount of memory possible. Keeping a secure copy of the operating system images ensures that in case of any issues or attacks, the router can be restored to a known, secure state. Configuring the router with maximum memory allows it to handle larger workloads and prevents performance degradation.

  • 25. 

    Which statement describes a characteristic of the IKE protocol?

    • A.

      It uses UDP port 500 to exchange IKE information between the security gateways.

    • B.

      IKE Phase 1 can be implemented in three different modes: main, aggressive, or quick.

    • C.

      It allows for the transmission of keys directly across a network.

    • D.

      The purpose of IKE Phase 2 is to negotiate a security association between two IKE peers.

    Correct Answer
    A. It uses UDP port 500 to exchange IKE information between the security gateways.
    Explanation
    IKE (Internet Key Exchange) is the protocol used to establish a secure communication channel between two security gateways. One characteristic of IKE is that it uses UDP port 500 to exchange IKE messages between the gateways. UDP (User Datagram Protocol) is a connectionless transport that allows for fast and efficient communication. The fixed, well-known port lets the peers reach each other's IKE service and carry out the negotiation that sets up the secure tunnel.

  • 26. 

    Refer to the exhibit. If a network administrator is using ASDM to configure a site-to-site VPN between the CCNAS-ASA and R3, which IP address would the administrator use for the peer IP address textbox on the ASA if data traffic is to be encrypted between the two remote LANs?

    • A.

      209.165.201.1

    • B.

      192.168.1.3

    • C.

      172.16.3.1

    • D.

      172.16.3.3

    • E.

      192.168.1.1

    Correct Answer
    A. 209.165.201.1
    Explanation
    The correct answer is 209.165.201.1. This is the address of the remote IPsec peer (R3) that terminates the site-to-site tunnel, so it is the value entered in the peer IP address textbox on the ASA; it is not an address within the two remote LANs whose traffic is being encrypted.

  • 27. 

    Refer to the exhibit. Based on the security levels of the interfaces on the ASA, what statement correctly describes the flow of traffic allowed on the interfaces?

    • A.

      Traffic that is sent from the LAN and the Internet to the DMZ is considered inbound.

    • B.

      Traffic that is sent from the DMZ and the Internet to the LAN is considered outbound.

    • C.

      Traffic that is sent from the LAN to the DMZ is considered inbound.

    • D.

      Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.

    Correct Answer
    D. Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.
    Explanation
    The security levels of the interfaces on the ASA determine the flow of traffic. In this scenario, the LAN and DMZ have higher security levels compared to the Internet. According to the answer, traffic sent from the DMZ and the LAN to the Internet is considered outbound. This means that traffic originating from the protected networks (LAN and DMZ) and going towards the less secure network (Internet) is allowed.

  • 28. 

    What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.)

    • A.

      The code contains no errors.

    • B.

      The code contains no viruses.

    • C.

      The code has not been modified since it left the software publisher.

    • D.

      The code is authentic and is actually sourced by the publisher.

    • E.

      The code was encrypted with both a private and public key.

    Correct Answer(s)
    C. The code has not been modified since it left the software publisher.
    D. The code is authentic and is actually sourced by the publisher.
    Explanation
    Digital signing provides two assurances about code downloaded from the internet: the code has not been modified since it left the software publisher, and the code is authentic and actually sourced by the publisher. Digital signing uses cryptographic techniques to create a unique signature for the code, which can be verified by the recipient. This ensures that the code has not been tampered with and that it originates from the trusted publisher. It does not guarantee that the code is error-free or virus-free, nor does it involve encryption with private and public keys.

  • 29. 

    Which interface option could be set through ASDM for a Cisco ASA?

    • A.

      Default route

    • B.

      Access list

    • C.

      VLAN ID

    • D.

      NAT/PAT

    Correct Answer
    C. VLAN ID
    Explanation
    VLAN ID is an interface option that can be set through ASDM for a Cisco ASA. VLANs (Virtual Local Area Networks) are used to logically divide a network into smaller segments, allowing for better network management and security. By setting the VLAN ID through ASDM, administrators can assign specific VLANs to different interfaces on the Cisco ASA, ensuring that traffic is properly segregated and controlled within the network.

  • 30. 

    What are two characteristics of a stateful firewall? (Choose two.)

    • A.

      Uses connection information maintained in a state table

    • B.

      Uses static packet filtering techniques

    • C.

      Analyzes traffic at Layers 3, 4 and 5 of the OSI model

    • D.

      Uses complex ACLs which can be difficult to configure

    • E.

      Prevents Layer 7 attacks

    Correct Answer(s)
    A. Uses connection information maintained in a state table
    C. Analyzes traffic at Layers 3, 4 and 5 of the OSI model
    Explanation
    A stateful firewall uses connection information maintained in a state table to keep track of the state of network connections. This allows the firewall to make more informed decisions about allowing or blocking traffic. Additionally, a stateful firewall analyzes traffic at Layers 3, 4, and 5 of the OSI model, which includes the network, transport, and session layers. By inspecting traffic at these layers, the firewall can gain a deeper understanding of the data being transmitted and make more accurate decisions about whether to allow or block it.

  • 31. 

    What are three characteristics of SIEM? (Choose three.)

    • A.

      Can be implemented as software or as a service

    • B.

      Microsoft port scanning tool designed for Windows

    • C.

      Examines logs and events from systems and applications to detect security threats

    • D.

      Consolidates duplicate event data to minimize the volume of gathered data

    • E.

      Uses penetration testing to determine most network vulnerabilities

    • F.

      Provides real-time reporting for short-term security event analysis

    Correct Answer(s)
    A. Can be implemented as software or as a service
    C. Examines logs and events from systems and applications to detect security threats
    D. Consolidates duplicate event data to minimize the volume of gathered data
    Explanation
    SIEM can be implemented as software or as a service, allowing organizations to choose the deployment method that best suits their needs and infrastructure. It examines logs and events from systems and applications to detect security threats, helping to identify and respond to potential attacks. Additionally, SIEM consolidates duplicate event data to minimize the volume of gathered data, making it easier for security teams to analyze and prioritize security events.

  • 32. 

    Which type of traffic is subject to filtering on an ASA 5505 device?

    • A.

      Public Internet to inside

    • B.

      Public Internet to DMZ

    • C.

      Inside to DMZ

    • D.

      DMZ to inside

    Correct Answer
    C. Inside to DMZ
    Explanation
    On an ASA 5505 device, the traffic that is subject to filtering is "inside to DMZ". This means that any traffic originating from the internal network (inside) and going towards the demilitarized zone (DMZ) will be filtered and inspected by the ASA 5505 device. This allows for greater control and security measures to be applied to the traffic flowing between these two zones, ensuring that any potential threats or unauthorized access attempts are detected and blocked.

  • 33. 

    Which IDS/IPS signature alarm will look for packets that are destined to or from a particular port?

    • A.

      Honey pot-based

    • B.

      Anomaly-based

    • C.

      Signature-based

    • D.

      Policy-based

    Correct Answer
    C. Signature-based
    Explanation
    Signature-based IDS/IPS alarms are designed to detect specific patterns or signatures in network traffic. In this case, the alarm will look for packets that are destined to or from a particular port. It will compare the network traffic against a database of known signatures or patterns associated with malicious activity, and if a match is found, it will trigger an alarm. This method is effective for detecting known threats and attacks, but it may not be as effective against new or unknown threats.

  • 34. 

    Which three actions can the Cisco IOS Firewall IPS feature be configured to take when an intrusion activity is detected? (Choose three.)

    • A.

      Reset UDP connection

    • B.

      Reset TCP connection

    • C.

      Alert

    • D.

      Isolate

    • E.

      Inoculate

    • F.

      Drop

    Correct Answer(s)
    B. Reset TCP connection
    C. Alert
    F. Drop
    Explanation
    The Cisco IOS Firewall IPS feature can be configured to take three actions when an intrusion activity is detected: reset TCP connection, alert, and drop. When a TCP connection is reset, the firewall terminates the connection to prevent any further communication. Alerts are generated to notify administrators about the detected intrusion activity. The drop action discards the packets associated with the intrusion, effectively blocking them from reaching their destination.

  • 35. 

    Which two protocols can be selected using the Cisco AnyConnect VPN Wizard to protect the traffic inside a VPN tunnel? (Choose two.)

    • A.

      Telnet

    • B.

      SSH

    • C.

      SSL

    • D.

      ESP

    • E.

      IPsec

    Correct Answer(s)
    C. SSL
    E. IPsec
    Explanation
    The Cisco AnyConnect VPN Wizard allows users to select SSL and IPsec protocols to protect the traffic inside a VPN tunnel. SSL (Secure Sockets Layer) is a widely used protocol that provides secure communication over the internet, ensuring confidentiality and integrity of data. IPsec (Internet Protocol Security) is a suite of protocols that authenticates and encrypts IP packets, providing secure communication between network devices. Both SSL and IPsec protocols are commonly used in VPNs to ensure secure and private communication between remote users and the corporate network.

  • 36. 

    What is a characteristic of a role-based CLI view of router configuration?

    • A.

      When a superview is deleted, the associated CLI views are deleted.

    • B.

      A single CLI view can be shared within multiple superviews.

    • C.

      A CLI view has a command hierarchy, with higher and lower views.

    • D.

      Only a superview user can configure a new view and add or remove commands from the existing views.

    Correct Answer
    B. A single CLI view can be shared within multiple superviews.
    Explanation
    In a role-based CLI view of router configuration, a single CLI view can be shared within multiple superviews. This means that multiple users with different roles or privileges can have access to the same CLI view and make configuration changes accordingly. This allows for better collaboration and flexibility in managing the router configuration.

  • 37. 

    Which statement describes the use of certificate classes in the PKI?

    • A.

      A class 5 certificate is more trustworthy than a class 4 certificate.

    • B.

      Email security is provided by the vendor, not by a certificate.

    • C.

      The lower the class number, the more trusted the certificate.

    • D.

      A vendor must issue only one class of certificates when acting as a CA.

    Correct Answer
    A. A class 5 certificate is more trustworthy than a class 4 certificate.
    Explanation
    Certificate classes in a Public Key Infrastructure (PKI) are used to indicate the level of trust and assurance associated with a certificate. In this context, the statement "A class 5 certificate is more trustworthy than a class 4 certificate" correctly describes the use of certificate classes. The higher the class number, the greater the level of trust and assurance provided by the certificate. Therefore, a class 5 certificate is considered more trustworthy than a class 4 certificate in the PKI.

  • 38. 

    Refer to the exhibit. An administrator issues these IOS login enhancement commands to increase the security for login connections. What can be concluded about them?

    • A.

      Because the login delay command was not used, a one-minute delay between login attempts is assumed.

    • B.

      The hosts that are identified in the ACL will have access to the device.

    • C.

      The login block-for command permits the attacker to try 150 attempts before being stopped to try again.

    • D.

      These enhancements apply to all types of login connections.

    Correct Answer
    B. The hosts that are identified in the ACL will have access to the device.
    Explanation
    The given commands indicate that the hosts identified in the ACL will have access to the device. These commands are used to increase the security for login connections, but they do not provide any information about a login delay or the number of login attempts permitted before being stopped. Additionally, it is not mentioned whether these enhancements apply to all types of login connections or not.

  • 39. 

    A company deploys a Cisco ASA with the Cisco CWS connector enabled as the firewall on the border of the corporate network. An employee on the internal network is accessing a public website. What should the employee do in order to make sure the web traffic is protected by the Cisco CWS?

    • A.

      Register the destination website on the Cisco ASA.

    • B.

      Use the Cisco AnyConnect Secure Mobility Client first.

    • C.

      Use a web browser to visit the destination website.

    • D.

      First visit a website that is located on a web server in the Cisco CWS infrastructure.

    Correct Answer
    C. Use a web browser to visit the destination website.
    Explanation
    The employee should use a web browser to visit the destination website. This is because the Cisco ASA with the Cisco CWS connector enabled acts as the firewall on the corporate network's border. By using a web browser to visit the destination website, the web traffic will pass through the Cisco ASA and be protected by the Cisco CWS.

  • 40. 

    An administrator assigned a level of router access to the user ADMIN using the commands below.

    Router(config)# privilege exec level 14 show ip route
    Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10
    Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10

    Which two actions are permitted to the user ADMIN? (Choose two.)

    • A.

      The user can execute all subcommands under the show ip interfaces command.

    • B.

      The user can issue the show version command.

    • C.

      The user can only execute the subcommands under the show ip route command.

    • D.

      The user can issue all commands because this privilege level can execute all Cisco IOS commands.

    • E.

      The user can issue the ip route command.

    Correct Answer(s)
    B. The user can issue the show version command.
    C. The user can only execute the subcommands under the show ip route command.
    Explanation
    The user ADMIN is assigned privilege level 14, which allows them to issue the show version command. Additionally, the user can only execute the subcommands under the show ip route command. This means they have restricted access and can only view specific information related to routing.

  • 41. 

    What mechanism is used by an ASA 5505 device to allow inspected outbound traffic to return to the originating sender who is on an inside network?

    • A.

      Network Address Translation

    • B.

      Access control lists

    • C.

      Security zones

    • D.

      Stateful packet inspection

    Correct Answer
    D. Stateful packet inspection
    Explanation
    Stateful packet inspection is the mechanism used by an ASA 5505 device to allow inspected outbound traffic to return to the originating sender who is on an inside network. This mechanism keeps track of the state of network connections and ensures that only legitimate traffic is allowed back in. It examines the complete context of each packet, including the source and destination IP addresses, ports, and sequence numbers. By maintaining this state information, the ASA device can accurately determine which inbound packets are part of established connections and allow them to pass through while blocking unauthorized traffic.

  • 42. 

    Which two end points can be on the other side of an ASA site-to-site VPN configured using ASDM? (Choose two.)

    • A.

      DSL switch

    • B.

      Frame Relay switch

    • C.

      ISR router

    • D.

      Another ASA

    • E.

      Multilayer switch

    Correct Answer(s)
    C. ISR router
    D. Another ASA
    Explanation
    An ASA site-to-site VPN can be configured using ASDM to connect two different networks securely. The VPN can be established between two ASA devices or between an ASA device and an ISR router. Therefore, the two end points that can be on the other side of an ASA site-to-site VPN configured using ASDM are an ISR router and another ASA device.

  • 43. 

    What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?

    • A.

      DHCP spoofing

    • B.

      ARP spoofing

    • C.

      VLAN hopping

    • D.

      ARP poisoning

    Correct Answer
    C. VLAN hopping
    Explanation
    Disabling Dynamic Trunking Protocol (DTP) helps mitigate VLAN hopping. VLAN hopping is a Layer 2 attack where an attacker gains unauthorized access to different VLANs on a network by exploiting the trunking features of switches. By disabling DTP, which is used to negotiate trunking between switches, the attacker's ability to manipulate VLANs and gain unauthorized access is significantly reduced.

  • 44. 

    In an AAA-enabled network, a user issues the configure terminal command from the privileged executive mode of operation. What AAA function is at work if this command is rejected?

    • A.

      Authorization

    • B.

      Authentication

    • C.

      Auditing

    • D.

      Accounting

    Correct Answer
    A. Authorization
    Explanation
    If the "configure terminal" command is rejected in an AAA-enabled network, the AAA function at work is authorization. Authorization determines whether a user has the necessary privileges to perform a specific action or access certain resources. In this case, the rejection of the command indicates that the user does not have the authorization to enter the configuration mode.

  • 45. 

    An organization has configured an IPS solution to use atomic alerts. What type of response will occur when a signature is detected?

    • A.

      A counter starts and a summary alert is issued when the count reaches a preconfigured number.

    • B.

      The TCP connection is reset.

    • C.

      An alert is triggered each time a signature is detected.

    • D.

      The interface that triggered the alert is shutdown.

    Correct Answer
    C. An alert is triggered each time a signature is detected.
    Explanation
    When an organization configures an IPS solution to use atomic alerts, an alert will be triggered each time a signature is detected. This means that whenever the IPS system identifies a specific pattern or behavior that matches a known threat, it will immediately generate an alert to notify the administrators or security personnel. This allows for a real-time response to potential security incidents, enabling prompt investigation and mitigation actions to be taken.

  • 46. 

    What two algorithms can be part of an IPsec policy to provide encryption and hashing to protect interesting traffic? (Choose two.)

    • A.

      PSK

    • B.

      DH

    • C.

      RSA

    • D.

      AES

    • E.

      SHA

    Correct Answer(s)
    D. AES
    E. SHA
    Explanation
    The two algorithms that can be part of an IPsec policy to provide encryption and hashing to protect interesting traffic are AES and SHA. AES (Advanced Encryption Standard) is a symmetric encryption algorithm that provides strong encryption for data confidentiality. SHA (Secure Hash Algorithm) is a hashing algorithm that ensures data integrity by generating a unique hash value for the transmitted data. Both AES and SHA are commonly used in IPsec to secure network communications.

  • 47. 

    Why is hashing cryptographically stronger compared to a cyclical redundancy check (CRC)?

    • A.

      Hashes are never sent in plain text.

    • B.

      It is easy to generate data with the same CRC.

    • C.

      It is virtually impossible for two different sets of data to calculate the same hash output.

    • D.

      Hashing always uses a 128-bit digest, whereas a CRC can be variable length.

    Correct Answer
    C. It is virtually impossible for two different sets of data to calculate the same hash output.
    Explanation
    Hashing is cryptographically stronger compared to a cyclical redundancy check (CRC) because it is virtually impossible for two different sets of data to calculate the same hash output. This property is known as collision resistance and ensures that even a small change in the input data will produce a completely different hash value. In contrast, with a CRC, it is relatively easy to generate data with the same CRC, making it less secure for cryptographic purposes. Additionally, hashing always uses a fixed-length digest (such as 128-bit), while a CRC can have variable length, further enhancing the strength of hashing.

  • 48. 

    A network analyst wants to monitor the activity of all new interns. Which type of security testing would track when the interns sign on and sign off the network?

    • A.

      Vulnerability scanning

    • B.

      Password cracking

    • C.

      Network scanning

    • D.

      Integrity checker

    Correct Answer
    D. Integrity checker
    Explanation
    An integrity checker is a type of security testing that would track when the interns sign on and sign off the network. It is designed to monitor and verify the integrity of system files and configurations. By comparing the current state of the system with a known baseline, an integrity checker can detect any unauthorized changes or modifications, including login and logout activities. This would allow the network analyst to monitor the activity of the new interns and ensure the security and integrity of the network.

  • 49. 

    Refer to the exhibit. What two pieces of information can be gathered from the generated message? (Choose two.)

    • A.

      This message is a level five notification message.

    • B.

      This message indicates that service timestamps have been globally enabled.

    • C.

      This message indicates that enhanced security was configured on the vty ports.

    • D.

      This message appeared because a major error occurred that requires immediate action.

    • E.

      This message appeared because a minor error occurred that requires further investigation.

    Correct Answer(s)
    A. This message is a level five notification message.
    B. This message indicates that service timestamps have been globally enabled.
    Explanation
    The two pieces of information that can be gathered from the generated message are:
    1. This message is a level five notification message - This indicates the severity or importance level of the message. Level five typically represents a notification or informational message.
    2. This message indicates that service timestamps have been globally enabled - This suggests that a feature called "service timestamps" has been enabled on a global scale, possibly for logging or troubleshooting purposes.

  • 50. 

    What is required for auto detection and negotiation of NAT when establishing a VPN link?

    • A.

      Both VPN end devices must be configured for NAT.

    • B.

      No ACLs can be applied on either VPN end device.

    • C.

      Both VPN end devices must be NAT-T capable.

    • D.

      Both VPN end devices must be using IPv6.

    Correct Answer
    C. Both VPN end devices must be NAT-T capable.
    Explanation
    For auto detection and negotiation of NAT when establishing a VPN link, both VPN end devices must be NAT-T (Network Address Translation - Traversal) capable. NAT-T is a mechanism that allows VPN traffic to pass through NAT devices, which are commonly used in many networks. It encapsulates the VPN traffic within UDP packets, enabling it to traverse NAT devices without being blocked. Therefore, for successful VPN connection establishment, both VPN end devices must support NAT-T to ensure seamless communication across NAT boundaries.

Quiz Review Timeline

  • Current Version
  • Sep 04, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • Apr 23, 2020
    Quiz Created by
    Jokinen