思科网络工程师题库2.docx

CCNP/CCIESecuritySCOR思科网络工程师题库2Ql.WhatcanbeintegratedwithCiscoThreatIntelligenceDirectortoprovideinformationaboutsecuritythreats,whichallowstheSOCtoproactivelyautomateresponsestothosethreats?A. CiscoUmbrellaB. ExternalThreatFeedsC. CiscoThreatGridD. CiscoStealthwatchAnswer:CExplanation:CiscoThreatIntelligenceDirector(CTID)canbeintegratedwithexistingThreatIntelligencePlatformsdeployedbyyourorganizationtoingestthreatintelligenceautomatically.Reference:Q2.WhichsolutioncombinesCiscoIOSandIOSXEcomponentstoenableadministratorstorecognizeapplications,collectandsendnetworkmetricstoCiscoPrimeandotherthird-partymanagementtools,andprioritizeapplicationtraffic?A. CiscoSecurityIntelligenceB. CiscoApplicationVisibilityandControlC. CiscoModelDrivenTelemetryD. CiscoDNACenterAnswer:BExplanation:TheCiscoApplicationVisibilityandControl(AVC)solutionleveragesmultipletechnologiestorecognize,analyze,andcontrolover100Oapplications,includingvoiceandvideo,email,filesharing,gaming,peer-to-peer(P2P),andcloud-basedapplications.AVCcombinesseveralCiscoIOSIOSXEcomponents,aswellascommunicatingwithexternaltools,tointegratethefollowingfunctionsintoapowerfulsolution.Reference:guide/avc_tech_overview.htmlQ3.WhichtwoactivitiescanbedoneusingCiscoDNACenter?(Choosetwo)A. DHCPB. DesignC. AccountingD. DNSE. ProvisionAnswer:BEExplanation:CiscoDNACenterhasfourgeneralsectionsalignedtoITworkflows:Design:Designyournetworkforconsistentconfigurationsbydeviceandbysite.Physicalmapsandlogicaltopologieshelpprovidequickvisualreference.Thedirectimportfeaturebringsinexistingmaps,images,andtopologiesdirectlyfromCiscoPrimeInfrastructureandtheCiscoApplicationPolicyInfrastructureControllerEnterpriseModule(APIC-EM),makingupgradeseasyandquick.Deviceconfigurationsbysitecanbeconsolidatedina"goldenimage"thatcanbeusedtoautomaticallyprovisionnewnetworkdevices.Thesenewdevicescaneitherbepre-stagedbyassociatingthedevicedetailsandmappingtoasite.Ortheycanbeclaimeduponconnectionandmappedtothesite.Policy:Translatebusinessintentintonetworkpoliciesandapplythosepolicies,suchasaccesscontrol,trafficrouting,andqualityofservice,consistentlyovertheentirewiredandwirelessinfrastructure.Policy-basedaccesscontrolandnetworksegmentationisacriticalfunctionoftheCiscoSoftware-DefinedAccess(SD-Access)solutionbuiltfromCiscoDNACenterandCiscoIdentityServicesEngine(ISE).CiscoAlNetworkAnalyticsandCiscoGroup-BasedPolicyAnalyticsrunningintheCiscoDNACenteridentifyendpoints,groupsimilarendpoints,anddeterminegroupcommunicationbehavior.CiscoDNACenterthenfacilitatescreatingpoliciesthatdeterminetheformofcommunicationallowedbetweenandwithinmembersofeachgroup.ISEthenactivatestheunderlyinginfrastructureandsegmentsthenetworkcreatingavirtualoverlaytofollowthesepoliciesconsistently.Suchsegmentingimplementszero-trustsecurityintheworkplace,reducesrisk,containsthreats,andhelpsverifyregulatorycompliancebygivingendpointsjusttherightlevelofaccesstheyneed.Provision:OnceyouhavecreatedpoliciesinCiscoDNACenter,provisioningisasimpledrag-and-droptask.Theprofiles(calledscalablegrouptagsor"SGTs")intheCiscoDNACenterinventorylistareassignedapolicy,andthispolicywillalwaysfollowtheidentity.Theprocessiscompletelyautomatedandzero-touch.NewdevicesaddedtothenetworkareassignedtoanSGTbasedonidentity-greatlyfacilitatingremoteofficesetups.Assurance:CiscoDNAAssurance,usingAIML,enableseverypointonthenetworktobecomeasensor,sendingcontinuousstreamingtelemetryonapplicationperformanceanduserconnectivityinrealtime.Thecleanandsimpledashboardshowsdetailednetworkhealthandflagsissues.Then,guidedremediationautomatesresolutiontokeepyournetworkperformingatitsoptimalwithlessmundanetroubleshootingwork.Theoutcomeisaconsistentexperienceandproactiveoptimizationofyournetwork,withlesstimespentontroubleshootingtasks.Reference:https:/www.cisco.eom/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-center-so-cte-en.htmlQ4.Whatmustbeusedtosharedatabetweenmultiplesecurityproducts?A. CiscoRapidThreatContainmentB. CiscoPlatformExchangeGridC. CiscoAdvancedMalwareProtectionD. CiscoStealthwatchCloudAnSWe匚BQ5.WhichCiscoproductisopen,scalable,andbuiltonIETFstandardstoallowmultiplesecurityproductsfromCiscoandothervendorstosharedataandinteroperatewitheachother?A. AdvancedMalwareProtectionB. PlatformExchangeGridC. MultifactorPlatformIntegrationD. FirepowerThreatDefenseAnswer:BExplanation:WithCiscopxGrid(PlatformExchangeGrid),yourmultiplesecurityproductscannowsharedataandworktogether.Thisopen,scalable,andIETFstandards-drivenplatformhelpsyouautomatesecuritytogetanswersandcontainthreatsfaster.Q6.WhatisafeatureoftheopenplatformcapabilitiesofCiscoDNACenter?A. intent-basedAPIsB. automationadaptersC.domainintegrationD.applicationadaptersAnswer:AQ7.WhatisthefunctionoftheContextDirectoryAgent?A. maintainsusers'groupmembershipsB. relaysuserauthenticationrequestsfromWebSecurityAppliancetoActiveDirectoryC. readstheActiveDirectorylogstomapIPaddressestousernamesD. acceptsuserauthenticationrequestsonbehalfofWebSecurityApplianceforuseridentificationAnswer:CExplanation:CiscoContextDirectoryAgent(CDA)isamechanismthatmapsIPAddressestousernamesinordertoallowsecuritygatewaystounderstandwhichuserisusingwhichIPAddressinthenetwork,sothosesecuritygatewayscannowmakedecisionsbasedonthoseusers(orthegroupstowhichtheusersbelongto).CDArunsonaCiscoLinuxmachine;monitorsinrealtimeacollectionofActiveDirectorydomaincontroller(DC)machinesforauthentication-relatedeventsthatgenerallyindicateuserlogins;learns,analyzes,andcachesmappingsofIPAddressesanduseridentitiesinitsdatabase;andmakesthelatestmappingsavailabletoitsconsumerdevices.Reference:https:/www.cisco.eom/c/en/us/td/docs/security/ibf/cda_10/lnstall_Config_guide/cdal0/cda_oveviw.htmlQ8.WhatisacharacteristicofabridgegroupinASAFirewalltransparentmode?A. ItincludesmultipleinterfacesandaccessrulesbetweeninterfacesarecustomizableB. ItisaLayer3segmentandincludesoneportandcustomizableaccessrulesC. ItallowsARPtrafficwithasingleaccessruleD. IthasanIPaddressonitsBVIinterfaceandisusedformanagementtrafficAnswer:AExplanation:AbridgegroupisagroupofinterfacesthattheASAbridgesinsteadofroutes.BridgegroupsareonlysupportedinTransparentFirewallMode.Likeanyotherfirewallinterfaces,accesscontrolbetweeninterfacesiscontrolled,andalloftheusualfirewallchecksareinplace.EachbridgegroupincludesaBridgeVirtualInterface(BVI).TheASAusestheBVIIPaddressasthesourceaddressforpacketsoriginatingfromthebridgegroup.TheBVIIPaddressmustbeonthesamesubnetasthebridgegroupmemberinterfaces.TheBVIdoesnotsupporttrafficonsecondarynetworks;onlytrafficonthesamenetworkastheBVIIPaddressissupported.Youcanincludemultipleinterfacesperbridgegroup.Ifyouusemorethan2interfacesperbridgegroup,youcancontrolcommunicationbetweenmultiplesegmentsonthesamenetwork,andnotjustbetweeninsideandoutside.Forexample,ifyouhavethreeinsidesegmentsthatyoudonotwanttocommunicatewitheachother,youcanputeachsegmentonaseparateinterface,andonlyallowthemtocommunicatewiththeoutsideinterface.Oryoucancustomizetheaccessrulesbetweeninterfacestoallowonlyasmuchaccessasdesired.Reference:https:/www.cisco.eom/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/intro-fw.htmlNote:BVIinterfaceisnotusedformanagementpurpose.ButwecanaddaseparateManagementslot/portinterfacethatisnotpartofanybridgegroup,andthatallowsonlymanagementtraffictotheASA.Q9.WhenCiscoandotherindustryorganizationspublishandinformusersofknownsecurityfindingsandvulnerabilities,whichnameisused?A. CommonSecurityExploitsB. CommonVulnerabilitiesandExposuresC. CommonExploitsandVulnerabilitiesD. CommonVulnerabilities,ExploitsandThreatsAnswer:BExplanation:Vendors,securityresearchers,andvulnerabilitycoordinationcenterstypicallyassignvulnerabilitiesanidentifierthat'sdisclosedtothepublic.ThisidentifierisknownastheCommonVulnerabilitiesandExposures(CVE),CVEisanindustry-widestandard.CVEissponsoredbyUS-CERT1theofficeofCybersecurityandCommunicationsattheU.S.DepartmentofHomelandSecurity.ThegoalofCVEistomakeit'seasiertosharedataacrosstools,vulnerabilityrepositories,andsecurityservices.Reference:QlO.WhichtwofieldsaredefinedintheNetFIowflow?(Choosetwo)A. typeofservicebyteB. classofservicebitsC. Layer4protocoltypeD. destinationportE. outputlogicalinterfaceAnswer:ADExplanation:CiscostandardNetFIowversion5definesaflowasaunidirectionalsequenceofpacketsthatallsharesevenvalueswhichdefineauniquekeyfortheflow:+Ingressinterface(SNMPiflndex)+SourceIPaddress+DestinationIPaddress+IPprotocol+SourceportforUDPorTCP,Oforotherprotocols+DestinationportforUDPorTCP,typeandcodeforICMP1orOforotherprotocols+IPTypeofServiceNote:Aflowisaunidirectionalseriesofpacketsbetweenagivensourceanddestination.Qll.WhatprovidestheabilitytoprogramandmonitornetworksfromsomewhereotherthantheDNACGUI?A. NetFIowB. desktopclientC. ASDMD. APIAnswer:DQ12.Anorganizationhastwomachineshostingwebapplications.Machine1isvulnerabletoSQLinjectionwhilemachine2isvulnerabletobufferoverflows.Whatactionwouldallowtheattackertogainaccesstomachine1butnotmachine2?A. sniffingthepacketsbetweenthetwohostsB. sendingcontinuouspingsC. overflowingthebuffer'smemoryD. insertingmaliciouscommandsintothedatabaseAnswer:DQ13.AnorganizationistryingtoimprovetheirDefenseinDepthbyblockingmaliciousdestinationspriortoaconnectionbeingestablished.Thesolutionmustbeabletoblockcertainapplicationsfrombeingusedwithinthenetwork.Whichproductshouldbeusedtoaccomplishthisgoal?A. CiscoFirepowerB. CiscoUmbrellaC. ISED. AMPAnswer:BExplanation:CiscoUmbrellaprotectsusersfromaccessingmaliciousdomainsbyproactivelyanalyzingandblockingunsafedestinationsbeforeaconnectionisevermade.Thusitcanprotectfromphishingattacksbyblockingsuspiciousdomainswhenusersclickonthegivenlinksthatanattackersent.Q14.Acompanyisexperiencingexfiltrationofcreditcardnumbersthatarenotbeingstoredon-premise.Thecompanyneedstobeabletoprotectsensitivedatathroughoutthefullenvironment.Whichtoolshouldbeusedtoaccomplishthisgoal?A. SecurityManagerB. CloudlockC. WebSecurityApplianceD. CiscoISEAnswer:BExplanation:CiscoCloudlockisacloud-nativecloudaccesssecuritybroker(CASB)thathelpsyoumovetothecloudsafely.Itprotectsyourcloudusers,data,andapps.CiscoCloudlockprovidesvisibilityandcompliancechecks,protectsdataagainstmisuseandexfiltration,andprovidesthreatprotectionsagainstmalwarelikeransomware.Q15.Anengineeristryingtosecurelyconnecttoarouterandwantstopreventinsecurealgorithmsfrombeingused.However,theconnectionisfailing.Whichactionshouldbetakentoaccomplishthisgoal?A. Disabletelnetusingthenoiptelnetcommand.B. EnabletheSSHserverusingtheipsshservercommand.C. Configuretheportusingtheipsshport22command.D. GeneratetheRSAkeyusingthecryptokeygeneratersacommand.Answer:DExplanation:Inthisquestion,theengineerwastryingtosecuretheconnectionsomaybehewastryingtoallowSSHtothedevice.Butmaybesomethingwentwrongsotheconnectionwasfailing(theconnectionusedtobegood).Somaybehewasmissingthe"cryptokeygeneratersa"command.Q16.AnetworkadministratorisusingtheCiscoESAwithAMPtouploadfilestothecloudforanalysis.Thenetworkiscongestedandisaffectingcommunication.HowwilltheCiscoESAhandleanyfileswhichneedanalysis?A. AMPcalculatestheSHA-256fingerprint,cachesit,andperiodicallyattemptstheupload.B. Thefileisqueuedforuploadwhenconnectivityisrestored.C. Thefileuploadisabandoned.D. TheESAimmediatelymakesanotherattempttouploadthefile.Answer:CExplanation:Theappliancewilltryoncetouploadthefile;ifuploadisnotsuccessful,forexamplebecauseofconnectivityproblems,thefilemaynotbeuploaded.Ifthefailurewasbecausethefileanalysisserverwasoverloaded,theuploadwillbeattemptedoncemore.Reference:https:/www.cisco.eom/c/en/us/support/docs/security/email-security-appliance118796-technote-esa-OO.htmlInthisquestion,itstated"thenetworkiscongested"(notthefileanalysisserverwasoverloaded)sotheappliancewillnottrytouploadthefileagain.Q17.Whichtypeofalgorithmprovidesthehighestlevelofprotectionagainstbrute-forceattacks?A. PFSB. HMACC. MD5D. SHAAnswer:DQ18.WhatmustbeconfiguredinCiscoISEtoenforcereauthenticationofanendpointsessionwhenanendpointisdeletedfromanidentitygroup?A. postureassessmentB. CoAC. externalidentitysourceD. SNMPprobeAnswer:BExplanation:CiscoISEallowsaglobalconfigurationtoissueaChangeofAuthorization(CoA)intheProfilerConfigurationpagethatenablestheprofilingservicewithmorecontroloverendpointsthatarealreadyauthenticated.OneofthesettingstoconfiguretheCoAtypeis"Reauth".Thisoptionisusedtoenforcereauthenticationofanalreadyauthenticatedendpointwhenitisprofiled.Reference:httpscenustddocssecurityisel-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010101.htmQ19.AnetworkadministratorisconfiguringaruleinanaccesscontrolpolicytoblockcertainURLsandselectsthe"ChatandInstantMessaging"category.Whichreputationscoreshouldbeselectedtoaccomplishthisgoal?A. 1B. 3C. 5D. 10Answer:DExplanation:Wechoose"ChatandInstantMessaging"categoryin"URLCategory":QuarantineEncrypt on DeHveryStrip Attachment by Content Strip Attachment by Ale Info I URL JtegOryURL ReputationAdd DiscIeimer TextBypass Outbreak Filter Sosnnirvg Bypass DKlM Signing Send Copy (Bee:) NotJfyChange Recipient toSend to Alternate Destination Host Deliver from IP InterfaceStrip HeaderAdd/Edit HeaderAdd Message Tag Add Log Entry S/MIME SigrVEncrypt on Delivery Encrypt end Deliver Now (Final Action)S/MIME SigrI/Eccrypt (Final Action) BoUnCe (Final Action) Skip Remaining Content Filters (Final Action) Drop (Final Action)URL CategoryDoes any URL In the message body tbe selected categories?Add » I< RjenovAvailable Categories:Advertisements AJcohoiArtsAstroiOQy Auctions Busirms and Industry 6At ard InStanC MeSSaQT Cheetiog and PIaQtorfm Computer SCu rtty Computers rtd InternetUse a URL vw ritehst: ZonCAction on URl.: Defang URL Redirect to CiSCO Security ProxyReplace URL with text messagePerform Actiori for:-All messagesUnsigned messagesToblockcertainURLsweneedtochooseURLReputationfrom6to10.EditConditionMessage Body or Attachment Message Body URL Category IIJRL RBPUtatioCMessage Size Attachment Content Attachment File Info Attachment Protection Subject Header Other Header Envelope Sender Envelope Recipient Receiving Listener Remote IP/Hostname Reputation ScoreURLReputationWhatisthereputationofURL'sinttevaluatesURL'susingtheirWebBa:URLReputationis:Malicious(-10.0to-6.0)Suspect(-S.9to5.9)Clean(6.0to10.0)CustomRange(mintomax)I-1-NoScoreUseaURLwhitelist：None：Q20.WhichgroupwithinCiscowritesandpublishesaweeklynewslettertohelpcybersecurityprofessionalsremainawareoftheongoingandmost