思科网络工程师题库2.docx

《思科网络工程师题库2.docx》由会员分享，可在线阅读，更多相关《思科网络工程师题库2.docx（110页珍藏版）》请在课桌文档上搜索。

1、CCNP/CCIESecuritySCOR思科网络工程师题库2Ql.WhatcanbeintegratedwithCiscoThreatIntelligenceDirectortoprovideinformationaboutsecuritythreats,whichallowstheSOCtoproactivelyautomateresponsestothosethreats?A. CiscoUmbrellaB. ExternalThreatFeedsC. CiscoThreatGridD. CiscoStealthwatchAnswer:CExplanation:CiscoThreatIn

2、telligenceDirector(CTID)canbeintegratedwithexistingThreatIntelligencePlatformsdeployedbyyourorganizationtoingestthreatintelligenceautomatically.Reference:Q2.WhichsolutioncombinesCiscoIOSandIOSXEcomponentstoenableadministratorstorecognizeapplications,collectandsendnetworkmetricstoCiscoPrimeandotherth

3、ird-partymanagementtools,andprioritizeapplicationtraffic?A. CiscoSecurityIntelligenceB. CiscoApplicationVisibilityandControlC. CiscoModelDrivenTelemetryD. CiscoDNACenterAnswer:BExplanation:TheCiscoApplicationVisibilityandControl(AVC)solutionleveragesmultipletechnologiestorecognize,analyze,andcontrol

4、over100Oapplications,includingvoiceandvideo,email,filesharing,gaming,peer-to-peer(P2P),andcloud-basedapplications.AVCcombinesseveralCiscoIOSIOSXEcomponents,aswellascommunicatingwithexternaltools,tointegratethefollowingfunctionsintoapowerfulsolution.Reference:guide/avc_tech_overview.htmlQ3.Whichtwoac

5、tivitiescanbedoneusingCiscoDNACenter?(Choosetwo)A. DHCPB. DesignC. AccountingD. DNSE. ProvisionAnswer:BEExplanation:CiscoDNACenterhasfourgeneralsectionsalignedtoITworkflows:Design:Designyournetworkforconsistentconfigurationsbydeviceandbysite.Physicalmapsandlogicaltopologieshelpprovidequickvisualrefe

6、rence.Thedirectimportfeaturebringsinexistingmaps,images,andtopologiesdirectlyfromCiscoPrimeInfrastructureandtheCiscoApplicationPolicyInfrastructureControllerEnterpriseModule(APIC-EM),makingupgradeseasyandquick.Deviceconfigurationsbysitecanbeconsolidatedinagoldenimagethatcanbeusedtoautomaticallyprovi

7、sionnewnetworkdevices.Thesenewdevicescaneitherbepre-stagedbyassociatingthedevicedetailsandmappingtoasite.Ortheycanbeclaimeduponconnectionandmappedtothesite.Policy:Translatebusinessintentintonetworkpoliciesandapplythosepolicies,suchasaccesscontrol,trafficrouting,andqualityofservice,consistentlyoverth

8、eentirewiredandwirelessinfrastructure.Policy-basedaccesscontrolandnetworksegmentationisacriticalfunctionoftheCiscoSoftware-DefinedAccess(SD-Access)solutionbuiltfromCiscoDNACenterandCiscoIdentityServicesEngine(ISE).CiscoAlNetworkAnalyticsandCiscoGroup-BasedPolicyAnalyticsrunningintheCiscoDNACenteride

9、ntifyendpoints,groupsimilarendpoints,anddeterminegroupcommunicationbehavior.CiscoDNACenterthenfacilitatescreatingpoliciesthatdeterminetheformofcommunicationallowedbetweenandwithinmembersofeachgroup.ISEthenactivatestheunderlyinginfrastructureandsegmentsthenetworkcreatingavirtualoverlaytofollowthesepo

10、liciesconsistently.Suchsegmentingimplementszero-trustsecurityintheworkplace,reducesrisk,containsthreats,andhelpsverifyregulatorycompliancebygivingendpointsjusttherightlevelofaccesstheyneed.Provision:OnceyouhavecreatedpoliciesinCiscoDNACenter,provisioningisasimpledrag-and-droptask.Theprofiles(calleds

11、calablegrouptagsorSGTs)intheCiscoDNACenterinventorylistareassignedapolicy,andthispolicywillalwaysfollowtheidentity.Theprocessiscompletelyautomatedandzero-touch.NewdevicesaddedtothenetworkareassignedtoanSGTbasedonidentity-greatlyfacilitatingremoteofficesetups.Assurance:CiscoDNAAssurance,usingAIML,ena

12、bleseverypointonthenetworktobecomeasensor,sendingcontinuousstreamingtelemetryonapplicationperformanceanduserconnectivityinrealtime.Thecleanandsimpledashboardshowsdetailednetworkhealthandflagsissues.Then,guidedremediationautomatesresolutiontokeepyournetworkperformingatitsoptimalwithlessmundanetrouble

13、shootingwork.Theoutcomeisaconsistentexperienceandproactiveoptimizationofyournetwork,withlesstimespentontroubleshootingtasks.Reference:https:/www.cisco.eom/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-center-so-cte-en.htmlQ4.Whatmustbeusedtosharedatabetweenmultiplesecurit

14、yproducts?A. CiscoRapidThreatContainmentB. CiscoPlatformExchangeGridC. CiscoAdvancedMalwareProtectionD. CiscoStealthwatchCloudAnSWe匚BQ5.WhichCiscoproductisopen,scalable,andbuiltonIETFstandardstoallowmultiplesecurityproductsfromCiscoandothervendorstosharedataandinteroperatewitheachother?A. AdvancedMa

15、lwareProtectionB. PlatformExchangeGridC. MultifactorPlatformIntegrationD. FirepowerThreatDefenseAnswer:BExplanation:WithCiscopxGrid(PlatformExchangeGrid),yourmultiplesecurityproductscannowsharedataandworktogether.Thisopen,scalable,andIETFstandards-drivenplatformhelpsyouautomatesecuritytogetanswersan

16、dcontainthreatsfaster.Q6.WhatisafeatureoftheopenplatformcapabilitiesofCiscoDNACenter?A. intent-basedAPIsB. automationadaptersC.domainintegrationD.applicationadaptersAnswer:AQ7.WhatisthefunctionoftheContextDirectoryAgent?A. maintainsusersgroupmembershipsB. relaysuserauthenticationrequestsfromWebSecur

17、ityAppliancetoActiveDirectoryC. readstheActiveDirectorylogstomapIPaddressestousernamesD. acceptsuserauthenticationrequestsonbehalfofWebSecurityApplianceforuseridentificationAnswer:CExplanation:CiscoContextDirectoryAgent(CDA)isamechanismthatmapsIPAddressestousernamesinordertoallowsecuritygatewaystoun

18、derstandwhichuserisusingwhichIPAddressinthenetwork,sothosesecuritygatewayscannowmakedecisionsbasedonthoseusers(orthegroupstowhichtheusersbelongto).CDArunsonaCiscoLinuxmachine;monitorsinrealtimeacollectionofActiveDirectorydomaincontroller(DC)machinesforauthentication-relatedeventsthatgenerallyindicat

19、euserlogins;learns,analyzes,andcachesmappingsofIPAddressesanduseridentitiesinitsdatabase;andmakesthelatestmappingsavailabletoitsconsumerdevices.Reference:https:/www.cisco.eom/c/en/us/td/docs/security/ibf/cda_10/lnstall_Config_guide/cdal0/cda_oveviw.htmlQ8.WhatisacharacteristicofabridgegroupinASAFire

20、walltransparentmode?A. ItincludesmultipleinterfacesandaccessrulesbetweeninterfacesarecustomizableB. ItisaLayer3segmentandincludesoneportandcustomizableaccessrulesC. ItallowsARPtrafficwithasingleaccessruleD. IthasanIPaddressonitsBVIinterfaceandisusedformanagementtrafficAnswer:AExplanation:Abridgegrou

21、pisagroupofinterfacesthattheASAbridgesinsteadofroutes.BridgegroupsareonlysupportedinTransparentFirewallMode.Likeanyotherfirewallinterfaces,accesscontrolbetweeninterfacesiscontrolled,andalloftheusualfirewallchecksareinplace.EachbridgegroupincludesaBridgeVirtualInterface(BVI).TheASAusestheBVIIPaddress

22、asthesourceaddressforpacketsoriginatingfromthebridgegroup.TheBVIIPaddressmustbeonthesamesubnetasthebridgegroupmemberinterfaces.TheBVIdoesnotsupporttrafficonsecondarynetworks;onlytrafficonthesamenetworkastheBVIIPaddressissupported.Youcanincludemultipleinterfacesperbridgegroup.Ifyouusemorethan2interfa

23、cesperbridgegroup,youcancontrolcommunicationbetweenmultiplesegmentsonthesamenetwork,andnotjustbetweeninsideandoutside.Forexample,ifyouhavethreeinsidesegmentsthatyoudonotwanttocommunicatewitheachother,youcanputeachsegmentonaseparateinterface,andonlyallowthemtocommunicatewiththeoutsideinterface.Oryouc

24、ancustomizetheaccessrulesbetweeninterfacestoallowonlyasmuchaccessasdesired.Reference:https:/www.cisco.eom/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/intro-fw.htmlNote:BVIinterfaceisnotusedformanagementpurpose.ButwecanaddaseparateManagementslot/portinterfacethatisn

25、otpartofanybridgegroup,andthatallowsonlymanagementtraffictotheASA.Q9.WhenCiscoandotherindustryorganizationspublishandinformusersofknownsecurityfindingsandvulnerabilities,whichnameisused?A. CommonSecurityExploitsB. CommonVulnerabilitiesandExposuresC. CommonExploitsandVulnerabilitiesD. CommonVulnerabi

26、lities,ExploitsandThreatsAnswer:BExplanation:Vendors,securityresearchers,andvulnerabilitycoordinationcenterstypicallyassignvulnerabilitiesanidentifierthatsdisclosedtothepublic.ThisidentifierisknownastheCommonVulnerabilitiesandExposures(CVE),CVEisanindustry-widestandard.CVEissponsoredbyUS-CERT1theoff

27、iceofCybersecurityandCommunicationsattheU.S.DepartmentofHomelandSecurity.ThegoalofCVEistomakeitseasiertosharedataacrosstools,vulnerabilityrepositories,andsecurityservices.Reference:QlO.WhichtwofieldsaredefinedintheNetFIowflow?(Choosetwo)A. typeofservicebyteB. classofservicebitsC. Layer4protocoltypeD

28、. destinationportE. outputlogicalinterfaceAnswer:ADExplanation:CiscostandardNetFIowversion5definesaflowasaunidirectionalsequenceofpacketsthatallsharesevenvalueswhichdefineauniquekeyfortheflow:+Ingressinterface(SNMPiflndex)+SourceIPaddress+DestinationIPaddress+IPprotocol+SourceportforUDPorTCP,Oforoth

29、erprotocols+DestinationportforUDPorTCP,typeandcodeforICMP1orOforotherprotocols+IPTypeofServiceNote:Aflowisaunidirectionalseriesofpacketsbetweenagivensourceanddestination.Qll.WhatprovidestheabilitytoprogramandmonitornetworksfromsomewhereotherthantheDNACGUI?A. NetFIowB. desktopclientC. ASDMD. APIAnswe

30、r:DQ12.Anorganizationhastwomachineshostingwebapplications.Machine1isvulnerabletoSQLinjectionwhilemachine2isvulnerabletobufferoverflows.Whatactionwouldallowtheattackertogainaccesstomachine1butnotmachine2?A. sniffingthepacketsbetweenthetwohostsB. sendingcontinuouspingsC. overflowingthebuffersmemoryD.

31、insertingmaliciouscommandsintothedatabaseAnswer:DQ13.AnorganizationistryingtoimprovetheirDefenseinDepthbyblockingmaliciousdestinationspriortoaconnectionbeingestablished.Thesolutionmustbeabletoblockcertainapplicationsfrombeingusedwithinthenetwork.Whichproductshouldbeusedtoaccomplishthisgoal?A. CiscoF

32、irepowerB. CiscoUmbrellaC. ISED. AMPAnswer:BExplanation:CiscoUmbrellaprotectsusersfromaccessingmaliciousdomainsbyproactivelyanalyzingandblockingunsafedestinationsbeforeaconnectionisevermade.Thusitcanprotectfromphishingattacksbyblockingsuspiciousdomainswhenusersclickonthegivenlinksthatanattackersent.

33、Q14.Acompanyisexperiencingexfiltrationofcreditcardnumbersthatarenotbeingstoredon-premise.Thecompanyneedstobeabletoprotectsensitivedatathroughoutthefullenvironment.Whichtoolshouldbeusedtoaccomplishthisgoal?A. SecurityManagerB. CloudlockC. WebSecurityApplianceD. CiscoISEAnswer:BExplanation:CiscoCloudl

34、ockisacloud-nativecloudaccesssecuritybroker(CASB)thathelpsyoumovetothecloudsafely.Itprotectsyourcloudusers,data,andapps.CiscoCloudlockprovidesvisibilityandcompliancechecks,protectsdataagainstmisuseandexfiltration,andprovidesthreatprotectionsagainstmalwarelikeransomware.Q15.Anengineeristryingtosecure

35、lyconnecttoarouterandwantstopreventinsecurealgorithmsfrombeingused.However,theconnectionisfailing.Whichactionshouldbetakentoaccomplishthisgoal?A. Disabletelnetusingthenoiptelnetcommand.B. EnabletheSSHserverusingtheipsshservercommand.C. Configuretheportusingtheipsshport22command.D. GeneratetheRSAkeyu

36、singthecryptokeygeneratersacommand.Answer:DExplanation:Inthisquestion,theengineerwastryingtosecuretheconnectionsomaybehewastryingtoallowSSHtothedevice.Butmaybesomethingwentwrongsotheconnectionwasfailing(theconnectionusedtobegood).Somaybehewasmissingthecryptokeygeneratersacommand.Q16.Anetworkadminist

37、ratorisusingtheCiscoESAwithAMPtouploadfilestothecloudforanalysis.Thenetworkiscongestedandisaffectingcommunication.HowwilltheCiscoESAhandleanyfileswhichneedanalysis?A. AMPcalculatestheSHA-256fingerprint,cachesit,andperiodicallyattemptstheupload.B. Thefileisqueuedforuploadwhenconnectivityisrestored.C.

38、 Thefileuploadisabandoned.D. TheESAimmediatelymakesanotherattempttouploadthefile.Answer:CExplanation:Theappliancewilltryoncetouploadthefile;ifuploadisnotsuccessful,forexamplebecauseofconnectivityproblems,thefilemaynotbeuploaded.Ifthefailurewasbecausethefileanalysisserverwasoverloaded,theuploadwillbe

39、attemptedoncemore.Reference:https:/www.cisco.eom/c/en/us/support/docs/security/email-security-appliance118796-technote-esa-OO.htmlInthisquestion,itstatedthenetworkiscongested(notthefileanalysisserverwasoverloaded)sotheappliancewillnottrytouploadthefileagain.Q17.Whichtypeofalgorithmprovidesthehighest

40、levelofprotectionagainstbrute-forceattacks?A. PFSB. HMACC. MD5D. SHAAnswer:DQ18.WhatmustbeconfiguredinCiscoISEtoenforcereauthenticationofanendpointsessionwhenanendpointisdeletedfromanidentitygroup?A. postureassessmentB. CoAC. externalidentitysourceD. SNMPprobeAnswer:BExplanation:CiscoISEallowsagloba

41、lconfigurationtoissueaChangeofAuthorization(CoA)intheProfilerConfigurationpagethatenablestheprofilingservicewithmorecontroloverendpointsthatarealreadyauthenticated.OneofthesettingstoconfiguretheCoAtypeisReauth.Thisoptionisusedtoenforcereauthenticationofanalreadyauthenticatedendpointwhenitisprofiled.

42、Reference:httpscenustddocssecurityisel-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010101.htmQ19.AnetworkadministratorisconfiguringaruleinanaccesscontrolpolicytoblockcertainURLsandselectstheChatandInstantMessagingcategory.Whichreputationscoreshouldbeselectedtoaccomplishthisgo

43、al?A. 1B. 3C. 5D. 10Answer:DExplanation:WechooseChatandInstantMessagingcategoryinURLCategory:QuarantineEncrypt on DeHveryStrip Attachment by Content Strip Attachment by Ale Info I URL JtegOryURL ReputationAdd DiscIeimer TextBypass Outbreak Filter Sosnnirvg Bypass DKlM Signing Send Copy (Bee:) NotJfy

44、Change Recipient toSend to Alternate Destination Host Deliver from IP InterfaceStrip HeaderAdd/Edit HeaderAdd Message Tag Add Log Entry S/MIME SigrVEncrypt on Delivery Encrypt end Deliver Now (Final Action)S/MIME SigrI/Eccrypt (Final Action) BoUnCe (Final Action) Skip Remaining Content Filters (Fina

45、l Action) Drop (Final Action)URL CategoryDoes any URL In the message body tbe selected categories?Add I RjenovAvailable Categories:Advertisements AJcohoiArtsAstroiOQy Auctions Busirms and Industry 6At ard InStanC MeSSaQT Cheetiog and PIaQtorfm Computer SCu rtty Computers rtd InternetUse a URL vw rit

46、ehst: ZonCAction on URl.: Defang URL Redirect to CiSCO Security ProxyReplace URL with text messagePerform Actiori for:-All messagesUnsigned messagesToblockcertainURLsweneedtochooseURLReputationfrom6to10.EditConditionMessage Body or Attachment Message Body URL Category IIJRL RBPUtatioCMessage Size At

47、tachment Content Attachment File Info Attachment Protection Subject Header Other Header Envelope Sender Envelope Recipient Receiving Listener Remote IP/Hostname Reputation ScoreURLReputationWhatisthereputationofURLsinttevaluatesURLsusingtheirWebBa:URLReputationis:Malicious(-10.0to-6.0)Suspect(-S.9to5.9)Clean(6.0to10.0)CustomRange(mintomax)I-1-NoScoreUseaURLwhitelist：None：Q20.WhichgroupwithinCiscowritesandpublishesaweeklynewslettertohelpcybersecurityprofessionalsremainawareoftheongoingandmost