思科网络工程师题库4.docx

《思科网络工程师题库4.docx》由会员分享，可在线阅读，更多相关《思科网络工程师题库4.docx（80页珍藏版）》请在课桌文档上搜索。

1、思科网络工程师题库201-327Q201.AnorganizationisimplementingURLblockingusingCiscoUmbreIIA.Theusersareabletogotosomesitesbutothersitesarenotaccessibleduetoanerror.Whyistheerroroccurring?A. ClientcomputersdonothavetheCiscoUmbrellaRootCAcertificateinstalled.B. IP-LayerEnforcementisnotconfigured.C. Clientcomputers

2、donothaveanSSLcertificatedeployedfromaninternalCAserver.D. IntelligentproxyandSSLdecryptionisdisabledinthepolicy.Answer:AExplanation:OtherfeaturesaredependentonSSLDecryptionfunctionality,whichrequirestheCiscoUmbrellarootcertificate.HavingtheSSLDecryptionfeatureimproves:CustomURLBlocking-Requiredtobl

3、ocktheHTTPSversionofaURL.UmbrellasBlockPageandBlockPageBypassfeaturespresentanSSLcertificatetobrowsersthatmakeconnectionstoHTTPSsites.ThisSSLcertificatematchestherequestedsitebutwillbesignedbytheCiscoUmbrellacertificateauthority(CA).IftheCAisnottrustedbyyourbrowser,anerrorpagemaybedisplayed.Typicale

4、rrorsincludeThesecuritycertificatepresentedbythiswebsitewasnotissuedbyatrustedcertificateauthority(InternetExplorer),Thesitessecuritycertificateisnottrusted!(GoogleChrome)orThisConnectionisUntrusted(MozillaFirefox).Althoughtheerrorpageisexpected,themessagedisplayedcanbeconfusingandyoumaywishtopreven

5、titfromappearing.Toavoidtheseerrorpages,installtheCiscoUmbrellarootcertificateintoyourbrowserorthebrowsersofyourusers-ifyoureanetworkadmin.Reference:httpsdocs.umbrellA.com/deployment-umbrella/docs/rebrand-cisco-certificate-import-informationQ202.WhichtwoaspectsofthecloudPaaSmodelaremanagedbythecusto

6、merbutnottheprovider?(Choosetwo)A. virtualizationB. middlewareC. operatingsystemsD.applicationsE.dataServiceprovidermanagesApplicatiRuntiMiddlewVirtualizaServeStoragNetworkAnswer:DEExplanation:PaaSDataO/SQ203.WhatisanattributeoftheDevSecOpsprocess?A. mandatedsecuritycontrolsandchecklistsB. securitys

7、canningandtheoreticalvulnerabilitiesC. developmentsecurityD. isolatedsecurityteamAnswer:CExplanation:DevSecOps(development,security,andoperations)isaconceptusedinrecentyearstodescribehowtomovesecurityactivitiestothestartofthedevelopmentlifecycleandhavebuilt-insecuritypracticesinthecontinuousintegrat

8、ion/continuousdeployment(CICD)pipeline.ThusminimizingvulnerabilitiesandbringingsecurityclosertoITandbusinessobjectives.ThreekeythingsmakearealDevSecOpsenvironment:+Securitytestingisdonebythedevelopmentteam.+Issuesfoundduringthattestingismanagedbythedevelopmentteam.+Fixingthoseissuesstayswithinthedev

9、elopmentteam.Q204.Anengineernoticestrafficinterruptiononthenetwork.Uponfurtherinvestigation,itislearnedthatbroadcastpacketshavebeenfloodingthenetwork.Whatmustbeconfigured,basedonapredefinedthreshold,toaddressthisissue?A. BridgeProtocolDataUnitguardB. embeddedeventmonitoringC. stormcontrolD. accessco

10、ntrollistsAnswer:CExplanation:StormcontrolpreventstrafficonaLANfrombeingdisruptedbyabroadcast,multicast,orunicaststormononeofthephysicalinterfaces.ALANstormoccurswhenpacketsfloodtheLAN,creatingexcessivetrafficanddegradingnetworkperformance.Errorsintheprotocol-stackimplementation,mistakesinnetworkcon

11、figurations,orusersissuingadenial-of-serviceattackcancauseastorm.Byusingthestorm-controlbroadcastlevelfalling-thresholdwecanlimitthebroadcasttrafficontheswitch.Q205.WhichtwocryptographicalgorithmsareusedwithIPsec?(Choosetwo)A. AES-BACB. AES-ABCC. HMAC-SHA1SHA2D. TripleAMC-CBCE. AES-CBCAnswer:CEExpla

12、nation:CryptographicalgorithmsdefinedforusewithIPsecinclude:+HMAC-SHA1SHA2forintegrityprotectionandauthenticity.+TripIeDES-CBCforconfidentiality+AES-CBCandAES-CTRforconfidentiality.+AES-GCMandChaCha20-Polyl305providingconfidentialityandauthenticationtogetherefficiently.Q206.lnwhichtypeofattackdoesth

13、eattackerinserttheirmachinebetweentwohoststhatarecommunicatingwitheachother?A. LDAPinjectionB. ma-i-the-middleC. cross-sitescriptingD. insecureAPIAnswer:BExplanation:NewQuestions(addedon2nd-Jan-2021)Q207.WhichDosattackusesfragmentedpacketstocrashatargetmachine?A. smurfB. MITMC. teardropD. LANDAnswer

14、:CExplanation:Ateardropattackisadenial-of-service(DoS)attackthatinvolvessendingfragmentedpacketstoatargetmachine.SincethemachinereceivingsuchpacketscannotreassemblethemduetoabuginTCP/IPfragmentationreassembly,thepacketsoverlaponeanother,crashingthetargetnetworkdevice.Thisgenerallyhappensonolderopera

15、tingsystemssuchasWindows3.lx,Windows95,WindowsNTandversionsoftheLinuxkernelpriorto2.1.63.Q208.Whyisitimportanttohavelogicalsecuritycontrolsonendpointseventhoughtheusersaretrainedtospotsecuritythreatsandthenetworkdevicesalreadyhelppreventthem?A.topreventtheftoftheendpointsB. becausedefense-in-depthst

16、opsatthenetworkC. toexposetheendpointtomorethreatsD. becausehumanerrororinsiderthreatswillstillexistAnswer:DQ209.WhichtypeofAPIisbeingusedwhenasecurityapplicationnotifiesacontrollerwithinasoftware-definednetworkarchitectureaboutaspecificsecuritythreat?(Choosetwo)A. westboundAPB. southboundAPIC. nort

17、hboundAPID. eastboundAPIAnswer:BCQ210.WhenplanningaVPNdeployment,forwhichreasondoesanengineeroptforanactive/activeFIexVPNconfigurationasopposedtoDMVPN?A. MultipleroutersorVRFsarerequired.B. Trafficisdistributedstaticallybydefault.C. Floatingstaticroutesarerequired.D. HSRPisusedforfailover.Answer:BQ2

18、11.Whichalgorithmprovidesasymmetricencryption?A. RC4B. AESC. RSAD. 3DESAnswer:CQ212.Whataretwofunctionsofsecretkeycryptography?(Choosetwo)A. keyselectionwithoutintegerfactorizationB. utilizationofdifferentkeysforencryptionanddecryptionC. utilizationoflargeprimenumberiterationsD. providesthecapabilit

19、ytoonlyknowthekeyononesideE. utilizationoflessmemoryAnswer:BDQ213.ForCiscoIOSPKI1whichtwotypesofServersareusedasadistributionpointforCRLs?(Choosetwo)A. SDPB. LDAPC. subordinateCAD. SCPE. HTTPAnswer:BEExplanation:CiscoIOSpublickeyinfrastructure(PKI)providescertificatemanagementtosupportsecurityprotoc

20、olssuchasIPSecurity(IPSec)1secureshell(SSH),andsecuresocketlayer(SSL).Thismoduleidentifiesanddescribesconceptsthatareneededtounderstand,planfor,andimplementaPKI.APKIiscomposedofthefollowingentities:Adistributionmechanism(suchasLightweightDirectoryAccessProtocolLDAPorHTTP)forcertificaterevocationlist

21、s(CRLs)Reference:Q214.Whichattacktypeattemptstoshutdownamachineornetworksothatusersarenotabletoaccessit?A. smurfB. bluesnarfingC. MACspoofingD. IPspoofingAnswer:AExplanation:Denial-of-service(DDoS)aimsatshuttingdownanetworkorservice,causingittobeinaccessibletoitsintendedusers.TheSmurfattackisaDDoSat

22、tackinwhichlargenumbersofInternetControlMessageProtocol(ICMP)packetswiththeintendedvictimsspoofedsourceIParebroadcasttoacomputernetworkusinganIPbroadcastaddress.Q215.WhatisadifferencebetweenDMVPNandsVTI?A. DMVPNsupportstunnelencryption,whereassVTIdoesnot.B. DMVPNsupportsdynamictunnelestablishment,wh

23、ereassVTIdoesnot.C. DMVPNsupportsstatictunnelestablishment,whereassVTIdoesnot.D. DMVPNprovidesinteroperabilitywithothervendors,whereassVTIdoesnot.Answer:BQ216.WhatfeaturesdoesCiscoFTDvprovideoverASAv?A. Cisco11DvrunsonVMWarewhileASAvdoesnotB. CiscoFTDvprovidesIGBoffirewallthroughputwhileCiscoASAvdoe

24、snotC. Cisco11DvrunsonAWSwhileASAvdoesnotD. CiscoFTDvsupportsURLfilteringwhileASAvdoesnotAnswer:DQ217.lnwhichsituationshouldanEndpointDetectionandResponsesolutionbechosenversusanEndpointProtectionPlatform?A. whenthereisaneedfortraditionalanti-malwaredetectionB. whenthereisnoneedtohavethesolutioncent

25、rallymanagedC. whenthereisnofirewallonthenetworkD. whenthereisaneedtohavemoreadvanceddetectioncapabilitiesAnswer:DExplanation:Endpointprotectionplatforms(EPP)preventendpointsecuritythreatslikeknownandunknownmalware.Endpointdetectionandresponse(EDR)solutionscandetectandrespondtothreatsthatyourEPPando

26、thersecuritytoolsdidnotcatch.EDRandEPPhavesimilargoalsbutaredesignedtofulfilldifferentpurposes.EPPisdesignedtoprovidedevice-levelprotectionbyidentifyingmaliciousfiles,detectingpotentiallymaliciousactivity,andprovidingtoolsforincidentinvestigationandresponse.ThepreventativenatureofEPPcomplementsproac

27、tiveEDR.EPPactsasthefirstlineofdefense,filteringoutattacksthatcanbedetectedbytheorganizationsdeployedsecuritysolutions.EDRactsasasecondlayerofprotection,enablingsecurityanalyststoperformthreathuntingandidentifymoresubtlethreatstotheendpoint.Effectiveendpointdefenserequiresasolutionthatintegratesthec

28、apabilitiesofbothEDRandEPPtoprovideprotectionagainstcyberthreatswithoutoverwhelminganorganizationssecurityteam.Q218.WhichtypeofAPIisbeingusedwhenacontrollerwithinasoftware-definednetworkarchitecturedynamicallymakesconfigurationchangesonswitcheswithinthenetwork?A. westboundAPB. southboundAPIC. northb

29、oundAPID. eastboundAPIAnswer:BExplanation:SouthboundAPIsenableSDNcontrollerstodynamicallymakechangesbasedonreal-timedemandsandscalabilityneeds.SDNApplicationsNorthboundAPIControllersSouthboundAPINetworkElementsQ219.AnorganizationhastwosystemsintheirDMZthathaveanunencryptedlinkbetweenthemforcommunica

30、tion.Theorganizationdoesnothaveadefinedpasswordpolicyandusesseveraldefaultaccountsonthesystems.Theapplicationusedonthosesystemsalsohavenotgonethroughstringentcodereviews.Whichvulnerabilitywouldhelpanattackerbruteforcetheirwayintothesystems?A. weakpasswordsB. lackofinputvalidationC. missingencryption

31、D. lackoffilepermissionAnswer:AQ220.WhatisthepurposeofaNetflowversion9templaterecord?A. ItspecifiesthedataformatofNetFIowprocesses.B. ItprovidesastandardizedsetofinformationaboutanIPflow.C. Itdefinestheformatofdatarecords.D. ItservesasauniqueidentificationnumbertodistinguishindividualdatarecordsAnsw

32、er:CExplanation:Theversion9exportformatusestemplatestoprovideaccesstoobservationsofIPpacketflowsinaflexibleandextensiblemanner.Atemplatedefinesacollectionoffields,withcorrespondingdescriptionsofstructureandsemantics.Reference:https:/tools.ietf.org/html/rfc3954Q221.WhatisprovidedbytheSecureHashAlgori

33、thminaVPN?A. integrityB. keyexchangeC. encryptionD.authenticationAnswer:AExplanation:TheHMAC-SHA-1-96(alsoknownasHMAC-SHA-1)encryptiontechniqueisusedbyIPSectoensurethatamessagehasnotbeenaltered.(-Thereforeanswerintegrityisthebestchoice),HMAC-SHA-IusestheSHA-IspecifiedinFIPS-190-l1combinedwithHMAC(as

34、perRFC2104),andisdescribedinRFC2404.Reference:Q222.AnetworkengineerisdecidingwhethertousestatefulorstatelessfailoverwhenconfiguringtwoASAsforhighavailability.Whatistheconnectionstatusinbothcases?A. needtobereestablishedwithstatefulfailoverandpreservedwithstatelessfailoverB. preservedwithstatefulfail

35、overandneedtobereestablishedwithstatelessfailoverC. preservedwithbothstatefulandstatelessfailoverD. needtobereestablishedwithbothstatefulandstatelessfailoverAnswer:BQ223.WhichtypeofprotectionencryptsRSAkeyswhentheyareexportedandimported?A. fileB. passphraseC. NGED. nonexportableAnswer:BQ224.Dragandd

36、ropthecapabilitiesofCiscoFirepowerversusCiscoAMPfromtheleftintotheappropriatecategoryontheright.providestheabilitytoperformnetworkdiscoveryprovidesdetection,blocking,tracking,analyseandremediationtoprotectagainsttargetedpersistentmalwareattacksprovidesintrusionpreventionbeforemalwarecomprisesthehost

37、providessuperiorthreatpreventionandmitigationforknownandunknownthreatsprovidesthertcauseofathreatbasedontheindicatorsofcompromiseseenprovidesoutbreakcontrolthroughcustomdetectionsAnswer:provides the ability to performnetwork discoveryprovides detection, blocking, tracking, analyseand remediation to

38、protect against targetedpersistent malware attacksprovides intrusion prevention beforemalware comprises the hostCisco Firepowerprovides superior threat prevention andmitigation for known and unknown threatsprovides the root cause of a threat basedon the indicators of compromise seenprovides outbreak

39、 control throughcustom detectionsprovides the ability to performnetwork disveryprovides detection, blocking, tracking, analyseand remediation to protect against targetedpersistent malware attacksprovides superior threat prevention andmitigation for known and unknown threatsCisco AMPprovides intrusio

40、n prevention beforemalware comprises the hostprovides the root cause of a threat basedon the indicators of compromise seenprovides outbreak control throughcustom detectionsExplanation:TheFirepowerSystemusesnetworkdiscoveryandidentitypoliciestocollecthost,application,anduserdatafortrafficonyournetwor

41、k.Youcanusecertaintypesofdiscoveryandidentitydatatobuildacomprehensivemapofyournetworkassets,performforensicanalysis,behavioralprofiling,accesscontrol,andmitigateandrespondtothevulnerabilitiesandexploitstowhichyourorganizationissusceptible.TheCiscoAdvancedMalwareProtection(AMP)solutionenablesyoutode

42、tectandblockmalware,continuouslyanalyzeformalware,andgetretrospectivealerts.AMPforNetworksdeliversnetwork-basedadvancedmalwareprotectionthatgoesbeyondpoint-in-timedetectiontoprotectyourorganizationacrosstheentireattackcontinuumbefore,during,andafteranattack.DesignedforCiscoFirepowernetworkthreatappl

43、iances,AMPforNetworksdetects,blocks,tracks,andcontainsmalwarethreatsacrossmultiplethreatvectorswithinasinglesystem.Italsoprovidesthevisibilityandcontrolnecessarytoprotectyourorganizationagainsthighlysophisticated,targeted,zero-day,andpersistentadvancedmalwarethreats.Q225.Draganddropthesuspiciouspatt

44、ernsfortheCiscoTetrationplatformfromtheleftontothecorrectdefinitionsontheright.interestingfileaccessCiscoTetrationplatformcanbearmedtoIoOkatsensitivefilesfileaccessfromadifferentuserWatchesforprivilegechangesfromalowerprivilegetoahigherprivilegeintheprocesslineagetreeuserloginsuspiciousbehaviorCisco

45、TetrationplatformwatchesuserloginfailuresanduserloginmethodsprivilegeescalationCiscoTetrationplatformlearnsthenormalbehaviorofwhichfileisaccessedbywhichuserAnswer:interestingfileaccessinterestingfileaccessfileaccessfromadifferentuserprivilegeescalationuserloginsuspiciousbehavioruserloginsuspiciousbe

46、haviorprivilegeescalationfileaccessfromadifferentuserExplanation:CiscoTetrationplatformstudiesthebehaviorofthevariousprocessesandapplicationsintheworkload,measuringthemagainstknownbadbehaviorsequences.Italsofactorsintheprocesshashesitcollects.Bystudyingvarioussetsofmalwares,theTetrationAnalyticsengi

47、neeringteamdeconstructeditbackintoitsbasicbuildingblocks.Therefore,theplatformunderstandsclearandcrispdefinitionsofthesebuildingblocksandwatchesforthem.ThevarioussuspiciouspatternsforwhichtheCiscoTetrationplatformlooksinthecurrentreleaseare:+Shellcodeexecution:Looksforthepatternsusedbyshellcode.+Privilegeescalation:Watchesforprivilegechangesfro