Cisco Network Engineer Question Bank 4.docx
Cisco Network Engineer Question Bank 201-327

Q201. An organization is implementing URL blocking using Cisco Umbrella. The users are able to go to some sites but other sites are not accessible due to an error. Why is the error occurring?
A. Client computers do not have the Cisco Umbrella Root CA certificate installed.
B. IP-Layer Enforcement is not configured.
C. Client computers do not have an SSL certificate deployed from an internal CA server.
D. Intelligent proxy and SSL decryption is disabled in the policy.
Answer: A
Explanation: Other features are dependent on SSL Decryption functionality, which requires the Cisco Umbrella root certificate. Having the SSL Decryption feature improves: Custom URL Blocking - Required to block the HTTPS version of a URL. Umbrella's Block Page and Block Page Bypass features present an SSL certificate to browsers that make connections to HTTPS sites. This SSL certificate matches the requested site but will be signed by the Cisco Umbrella certificate authority (CA). If the CA is not trusted by your browser, an error page may be displayed. Typical errors include "The security certificate presented by this website was not issued by a trusted certificate authority" (Internet Explorer), "The site's security certificate is not trusted!" (Google Chrome) or "This Connection is Untrusted" (Mozilla Firefox). Although the error page is expected, the message displayed can be confusing and you may wish to prevent it from appearing. To avoid these error pages, install the Cisco Umbrella root certificate into your browser, or into the browsers of your users if you're a network admin.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/rebrand-cisco-certificate-import-information

Q202. Which two aspects of the cloud PaaS model are managed by the customer but not the provider? (Choose two)
A. virtualization
B. middleware
C. operating systems
D. applications
E. data
Answer: DE
Explanation: [Figure: PaaS responsibility diagram; labels: Service provider manages, Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking]

Q203. What is an attribute of the DevSecOps process?
A. mandated security controls and checklists
B. security scanning and theoretical vulnerabilities
C. development security
D. isolated security team
Answer: C
Explanation: DevSecOps (development, security, and operations) is a concept used in recent years to describe how to move security activities to the start of the development life cycle and have built-in security practices in the continuous integration/continuous deployment (CI/CD) pipeline, thus minimizing vulnerabilities and bringing security closer to IT and business objectives. Three key things make a real DevSecOps environment:
+ Security testing is done by the development team.
+ Issues found during that testing are managed by the development team.
+ Fixing those issues stays within the development team.

Q204. An engineer notices traffic interruption on the network. Upon further investigation, it is learned that broadcast packets have been flooding the network. What must be configured, based on a predefined threshold, to address this issue?
A. Bridge Protocol Data Unit guard
B. embedded event monitoring
C. storm control
D. access control lists
Answer: C
Explanation: Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in network configurations, or users issuing a denial-of-service attack can cause a storm. By using the "storm-control broadcast level falling-threshold" we can limit the broadcast traffic on the switch.

Q205. Which two cryptographic algorithms are used with IPsec? (Choose two)
A. AES-BAC
B. AES-ABC
C. HMAC-SHA1/SHA2
D. Triple AMC-CBC
E. AES-CBC
Answer: CE
Explanation: Cryptographic algorithms defined for use with IPsec include:
+ HMAC-SHA1/SHA2 for integrity protection and authenticity.
+ TripleDES-CBC for confidentiality.
+ AES-CBC and AES-CTR for confidentiality.
+ AES-GCM and ChaCha20-Poly1305 providing confidentiality and authentication together efficiently.

Q206. In which type of attack does the attacker insert their machine between two hosts that are communicating with each other?
A. LDAP injection
B. man-in-the-middle
C. cross-site scripting
D. insecure API
Answer: B
Explanation:

New Questions (added on 2nd-Jan-2021)

Q207. Which DoS attack uses fragmented packets to crash a target machine?
A. smurf
B. MITM
C. teardrop
D. LAND
Answer: C
Explanation: A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a target machine. Since the machine receiving such packets cannot reassemble them due to a bug in TCP/IP fragmentation reassembly, the packets overlap one another, crashing the target network device. This generally happens on older operating systems such as Windows 3.1x, Windows 95, Windows NT and versions of the Linux kernel prior to 2.1.63.

Q208. Why is it important to have logical security controls on endpoints even though the users are trained to spot security threats and the network devices already help prevent them?
A. to prevent theft of the endpoints
B. because defense-in-depth stops at the network
C. to expose the endpoint to more threats
D. because human error or insider threats will still exist
Answer: D

Q209. Which type of API is being used when a security application notifies a controller within a software-defined network architecture about a specific security threat? (Choose two)
A. westbound API
B. southbound API
C. northbound API
D. eastbound API
Answer: BC

Q210. When planning a VPN deployment, for which reason does an engineer opt for an active/active FlexVPN configuration as opposed to DMVPN?
A. Multiple routers or VRFs are required.
B. Traffic is distributed statically by default.
C. Floating static routes are required.
D. HSRP is used for failover.
Answer: B

Q211. Which algorithm provides asymmetric encryption?
A. RC4
B. AES
C. RSA
D. 3DES
Answer: C

Q212. What are two functions of secret key cryptography? (Choose two)
A. key selection without integer factorization
B. utilization of different keys for encryption and decryption
C. utilization of large prime number iterations
D. provides the capability to only know the key on one side
E. utilization of less memory
Answer: BD

Q213. For Cisco IOS PKI, which two types of servers are used as a distribution point for CRLs? (Choose two)
A. SDP
B. LDAP
C. subordinate CA
D. SCP
E. HTTP
Answer: BE
Explanation: Cisco IOS public key infrastructure (PKI) provides certificate management to support security protocols such as IP Security (IPSec), secure shell (SSH), and secure socket layer (SSL). This module identifies and describes concepts that are needed to understand, plan for, and implement a PKI. A PKI is composed of the following entities: A distribution mechanism (such as Lightweight Directory Access Protocol [LDAP] or HTTP) for certificate revocation lists (CRLs)
Reference:

Q214. Which attack type attempts to shut down a machine or network so that users are not able to access it?
A. smurf
B. bluesnarfing
C. MAC spoofing
D. IP spoofing
Answer: A
Explanation: Denial-of-service (DDoS) aims at shutting down a network or service, causing it to be inaccessible to its intended users. The Smurf attack is a DDoS attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.

Q215. What is a difference between DMVPN and sVTI?
A. DMVPN supports tunnel encryption, whereas sVTI does not.
B. DMVPN supports dynamic tunnel establishment, whereas sVTI does not.
C. DMVPN supports static tunnel establishment, whereas sVTI does not.
D. DMVPN provides interoperability with other vendors, whereas sVTI does not.
Answer: B

Q216. What features does Cisco FTDv provide over ASAv?
A. Cisco FTDv runs on VMWare while ASAv does not
B. Cisco FTDv provides 1GB of firewall throughput while Cisco ASAv does not
C. Cisco FTDv runs on AWS while ASAv does not
D. Cisco FTDv supports URL filtering while ASAv does not
Answer: D

Q217. In which situation should an Endpoint Detection and Response solution be chosen versus an Endpoint Protection Platform?
A. when there is a need for traditional anti-malware detection
B. when there is no need to have the solution centrally managed
C. when there is no firewall on the network
D. when there is a need to have more advanced detection capabilities
Answer: D
Explanation: Endpoint protection platforms (EPP) prevent endpoint security threats like known and unknown malware. Endpoint detection and response (EDR) solutions can detect and respond to threats that your EPP and other security tools did not catch. EDR and EPP have similar goals but are designed to fulfill different purposes. EPP is designed to provide device-level protection by identifying malicious files, detecting potentially malicious activity, and providing tools for incident investigation and response. The preventative nature of EPP complements proactive EDR. EPP acts as the first line of defense, filtering out attacks that can be detected by the organization's deployed security solutions. EDR acts as a second layer of protection, enabling security analysts to perform threat hunting and identify more subtle threats to the endpoint. Effective endpoint defense requires a solution that integrates the capabilities of both EDR and EPP to provide protection against cyber threats without overwhelming an organization's security team.

Q218. Which type of API is being used when a controller within a software-defined network architecture dynamically makes configuration changes on switches within the network?
A. westbound API
B. southbound API
C. northbound API
D. eastbound API
Answer: B
Explanation: Southbound APIs enable SDN controllers to dynamically make changes based on real-time demands and scalability needs.
[Figure: SDN Applications, Northbound API, Controllers, Southbound API, Network Elements]

Q219. An organization has two systems in their DMZ that have an unencrypted link between them for communication. The organization does not have a defined password policy and uses several default accounts on the systems. The application used on those systems also has not gone through stringent code reviews. Which vulnerability would help an attacker brute force their way into the systems?
A. weak passwords
B. lack of input validation
C. missing encryption
D. lack of file permission
Answer: A

Q220. What is the purpose of a NetFlow version 9 template record?
A. It specifies the data format of NetFlow processes.
B. It provides a standardized set of information about an IP flow.
C. It defines the format of data records.
D. It serves as a unique identification number to distinguish individual data records
Answer: C
Explanation: The version 9 export format uses templates to provide access to observations of IP packet flows in a flexible and extensible manner. A template defines a collection of fields, with corresponding descriptions of structure and semantics.
Reference: https://tools.ietf.org/html/rfc3954

Q221. What is provided by the Secure Hash Algorithm in a VPN?
A. integrity
B. key exchange
C. encryption
D. authentication
Answer: A
Explanation: The HMAC-SHA-1-96 (also known as HMAC-SHA-1) encryption technique is used by IPSec to ensure that a message has not been altered (therefore the answer "integrity" is the best choice). HMAC-SHA-1 uses the SHA-1 specified in FIPS-190-1, combined with HMAC (as per RFC 2104), and is described in RFC 2404.
Reference:

Q222. A network engineer is deciding whether to use stateful or stateless failover when configuring two ASAs for high availability. What is the connection status in both cases?
A. need to be reestablished with stateful failover and preserved with stateless failover
B. preserved with stateful failover and need to be reestablished with stateless failover
C. preserved with both stateful and stateless failover
D. need to be reestablished with both stateful and stateless failover
Answer: B

Q223. Which type of protection encrypts RSA keys when they are exported and imported?
A. file
B. passphrase
C. NGE
D. nonexportable
Answer: B

Q224. Drag and drop the capabilities of Cisco Firepower versus Cisco AMP from the left into the appropriate category on the right.
+ provides the ability to perform network discovery
+ provides detection, blocking, tracking, analysis and remediation to protect against targeted persistent malware attacks
+ provides intrusion prevention before malware compromises the host
+ provides superior threat prevention and mitigation for known and unknown threats
+ provides the root cause of a threat based on the indicators of compromise seen
+ provides outbreak control through custom detections
Answer: [Figure: the six capabilities above placed under the two categories, Cisco Firepower and Cisco AMP]
Explanation: The Firepower System uses network discovery and identity policies to collect host, application, and user data for traffic on your network. You can use certain types of discovery and identity data to build a comprehensive map of your network assets, perform forensic analysis, behavioral profiling, access control, and mitigate and respond to the vulnerabilities and exploits to which your organization is susceptible. The Cisco Advanced Malware Protection (AMP) solution enables you to detect and block malware, continuously analyze for malware, and get retrospective alerts. AMP for Networks delivers network-based advanced malware protection that goes beyond point-in-time detection to protect your organization across the entire attack continuum before, during, and after an attack. Designed for Cisco Firepower network threat appliances, AMP for Networks detects, blocks, tracks, and contains malware threats across multiple threat vectors within a single system. It also provides the visibility and control necessary to protect your organization against highly sophisticated, targeted, zero-day, and persistent advanced malware threats.

Q225. Drag and drop the suspicious patterns for the Cisco Tetration platform from the left onto the correct definitions on the right.
Patterns:
+ interesting file access
+ file access from a different user
+ user login suspicious behavior
+ privilege escalation
Definitions:
1. Cisco Tetration platform can be armed to look at sensitive files
2. Watches for privilege changes from a lower privilege to a higher privilege in the process lineage tree
3. Cisco Tetration platform watches user login failures and user login methods
4. Cisco Tetration platform learns the normal behavior of which file is accessed by which user
Answer (in the order of the definitions):
1. interesting file access
2. privilege escalation
3. user login suspicious behavior
4. file access from a different user
Explanation: Cisco Tetration platform studies the behavior of the various processes and applications in the workload, measuring them against known bad behavior sequences. It also factors in the process hashes it collects. By studying various sets of malware, the Tetration Analytics engineering team deconstructed it back into its basic building blocks. Therefore, the platform understands clear and crisp definitions of these building blocks and watches for them. The various suspicious patterns for which the Cisco Tetration platform looks in the current release are:
+ Shell code execution: Looks for the patterns used by shell code.
+ Privilege escalation: Watches for privilege changes fro