QUESTION 1 You are the administrator for Cisco Sources, Inc. Your job today is to configure
a start accounting record for a Point-to-Point session
to be sent to a TACACS+ server. Which configuration
command will do this?
A. aaa accounting network default start-stop tacacs+
B. aaa authentication ppp start tacacs+
C. aaa authorization exec default tacacs+
D. aaa authorization network default tacacs+
E. aaa accounting network default stop-only tacacs+
Answer: A
Explanation:
aaa accounting {system | network | exec | command level} {start-stop | wait-start | stop-only} {tacacs+ | radius}
no aaa accounting {system | network | exec | command level}
network - Runs accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.
start-stop - Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background; the requested user process begins regardless of whether or not the start accounting notice was received by the accounting server.
tacacs+ - Enables TACACS-style accounting.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1826/products_command_summary_chapter09186a00800d9c0e.html
QUESTION 2 John at Cisco Sources Inc. just finished configuring multiple transform
sets. Where does he have to specify the transform
sets?
A. router interface
B. crypto map entry
C. ACL
D. ISAKMP policy
Answer: B
Explanation: The crypto map set transform-set command specifies which transform sets can be used with the crypto map entry. List multiple transform sets in order of priority, with the highest-priority transform set first.
Reference: Cisco Secure PIX Firewall (Cisco Press) page 217
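The configuration below is an added example, not part of the original question set, showing where transform sets are referenced: they are defined globally but only selected inside the crypto map entry, and the order in which they are listed there is the proposal order. The peer address, ACL number, interface and the names STRONG, LEGACY and VPNMAP are assumed placeholders.

```ios
! Added example: two transform sets referenced from one crypto map entry
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PRESHARED-KEY address 192.0.2.2
!
! Transform sets are defined globally ...
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
crypto ipsec transform-set LEGACY esp-3des esp-sha-hmac
!
! ... but are only selected here, in the crypto map entry.
! Order is priority: STRONG is proposed first; LEGACY is used only if the
! peer rejects STRONG, so listing a weaker set widens interoperability at the
! cost of allowing a downgrade to that weaker set.
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set STRONG LEGACY
 match address 110
!
! The crypto map, not the transform set, is what is applied to the interface.
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPNMAP
```

Removing a transform set from the crypto map entry (or reordering the list) changes what the router will negotiate without touching the transform-set definitions themselves, which is the point the question is testing.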
QUESTION 3 Exhibit:
You are the administrator
at Cisco Sources Inc. and you need to add an ACL statement
to protect against address spoofing when applied
inbound on the external interface of the perimeter
router. Which one of these commands is correct?
A. access-list 101 deny IP 162.16.1.0 0.0.0.255 0.0.0.0 255.255.255.255
B. access-list 101 deny UDP 162.16.1.0 255.255.0.0 0.0.0.0 255.255.255.255
C. access-list 101 deny IP 162.16.1.0 255.255.255.0 0.0.0.0 255.255.255.255
D. access list 101 permit IP 162.16.1.0 255.255.0.0 0.0.0.0 255.255.255.255
Answer: A
Explanation: access-list 101 deny IP 162.16.1.0 0.0.0.255 0.0.0.0 255.255.255.255
This access-list command denies packets whose source address is in the 162.16.1.0 0.0.0.255 range, to any destination (0.0.0.0 255.255.255.255). Applied inbound on the external interface, it drops packets arriving from outside that claim an internal source address.
Reference: Managing Cisco Network Security (Cisco Press) Appendix C
QUESTION 4 Jacob at Cisco Sources Inc. was given the assignment to secure the network
from giving out unauthorized information. His first
step is to prevent the perimeter router from divulging
topology information by telling external hosts which
subnets are not configured. Which command fits this
objective?
A. no source-route
B. no ip route-cache
C. no service udp-small-servers
D. no ip unreachable
Answer: D
Explanation: To enable the generation of Internet Control Message Protocol (ICMP) unreachable messages, use the ip unreachable command in interface configuration mode. To disable this function, use the no form of this command.
Reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipras_r/ip1_i2g.htm#1082329
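As an added example covering Questions 3 and 4 together (it is not part of the original question set), the configuration below puts the anti-spoofing filter and the ICMP unreachable suppression on the same external interface of the perimeter router. The 162.16.1.0/24 block is the one from Question 3; the interface name, its address and the extra private-range entries are assumptions, and those extra entries generalise beyond the single statement the question asks for.

```ios
! Added example: ingress anti-spoofing ACL plus ICMP unreachable suppression
! on the perimeter router's external interface (interface and addresses assumed).
!
! An extended ACL line reads: <source> <wildcard> <destination> <wildcard>.
! A wildcard mask is the inverse of a subnet mask: 0 bits must match, 1 bits
! are ignored. 0.0.0.255 therefore means "any host in 162.16.1.0/24". Writing
! a subnet mask (255.255.255.0) in the wildcard position ignores the first
! three octets instead, which is why the other options in Question 3 are wrong.
! "any" is shorthand for 0.0.0.0 255.255.255.255.
access-list 101 remark Drop packets arriving from outside that claim an inside source
access-list 101 deny   ip 162.16.1.0 0.0.0.255 any log
!
! Beyond the question: other source ranges that should never arrive from the
! Internet side (RFC 1918 private space and the loopback network).
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 remark Placeholder for the remainder of the perimeter policy
access-list 101 permit ip any any
!
interface Serial0/0
 description External (untrusted) interface
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
 ! Question 4: the IOS keyword is spelled in the plural. Suppressing ICMP
 ! unreachables stops the router from telling outside hosts which prefixes
 ! behind it are not configured.
 no ip unreachables
```

The log keyword on the deny lines is what makes the filter useful operationally: a steady stream of matches on the first line is a direct indicator of spoofing attempts against the protected network.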
QUESTION 5 Exhibit:
service password-encryption
!
aaa new-model
aaa authentication login default line
aaa authentication login nologin name
aaa authentication login admin tacacs+ enable
aaa authentication ppp default tacacs+
!
enable secret 5 $1$WogB$7.0FLEFgB8Wp.C9eqNX9L/
!
!
interface Group-Async
 ip unnumbered Loopback0
 ip tcp header-compression passive
 encapsulation ppp
 async mode interactive
John at Cisco Sources Inc. is looking at this configuration
to figure out what method authenticates through
the vty port. Which method is correct?
A. no access permitted
B. line password
C. no authentication required
D. default authentication used
Answer: B
Explanation: Enabling Authentication for Login
Using the aaa authentication login command and the following keywords, you create one or more lists of authentication methods that are tried at login. The lists are used with the login authentication line configuration command. Enter the following command in global configuration mode to enable authentication for login:
Switch# aaa authentication login {default | list-name} method1 [...[method3]]
The keyword list-name is any character string used to name the list you are creating. The method keyword refers to the actual method the authentication algorithm tries, in the sequence entered. You can enter up to three methods:
Keyword - Description
line - Uses the line password for authentication.
local - Uses the local username database for authentication.
tacacs+ - Uses TACACS+ authentication.
Reference: http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007f032.php#35679
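The following is an added example, not from the original question set, showing how the exhibit's method lists reach the vty lines and why the answer is the line password. The TACACS+ server address, the vty password and the line ranges are assumed placeholders; the SSH transport line assumes SSH has already been enabled on the router.

```ios
! Added example: binding named and default login method lists to vty lines
aaa new-model
aaa authentication login default line
aaa authentication login admin tacacs+ enable
tacacs-server host 10.10.1.2 key PLACEHOLDER-KEY
!
! A line with no "login authentication" command uses the list named
! "default". In the exhibit default = line, so a vty session on these
! lines is checked against the line password, hence Question 5's answer B.
line vty 0 4
 password PLACEHOLDER-VTY-PASSWORD
 transport input ssh
!
! Binding a named list changes the behaviour for just that line range.
! With "tacacs+ enable", IOS moves on to the enable secret only when no
! TACACS+ server answers (an error), never when a server rejects the
! credentials (a failure): a rejected login is not retried against the
! next method in the list.
line vty 5 15
 login authentication admin
 transport input ssh
```

The error-versus-failure distinction is the one to check before relying on a fallback method: a fallback such as enable or local only helps when the server is unreachable, and the fallback's password strength then becomes the effective security of the line.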
QUESTION 6 You are the administrator in charge of the Management Center for VPN
routers and are having problems communicating with other VPN routers. Which protocol does the Management
Center for VPN Routers use to communicate with VPN
routers?
A. SNMP
B. HTTPS
C. HTTP
D. IPSec
E. SSH
F. AES
Answer: E
Explanation: Prerequisites for Working with Router MC
Following are some prerequisites for working with Router MC:
- SSH must be enabled on your devices if you want to import or deploy to live devices.
Reference: Using Management Center for VPN Routers 1.2
QUESTION 7 Kathy is the administrator who is configuring IOS firewall IDS. She has
two issues to consider when implementing IOS Firewall
IDS. Which of these will she select? (Choose two)
A. Signature length
B. Memory usage
C. Number of router interfaces
D. Signature coverage
E. Number of DMZs
Answer: B D
Explanation: Memory and Performance Impact
The performance impact of intrusion detection will depend on the configuration of the signatures, the level of traffic on the router, the router platform, and other individual features enabled on the router such as encryption, source route bridging, and so on. Enabling or disabling individual signatures will not alter performance significantly; however, signatures that are configured to use Access Control Lists will have a significant performance impact.
Because this router is being used as a security device, no packet will be allowed to bypass the security mechanisms. The IDS process in the Cisco IOS Firewall router sits directly in the packet path and thus will search each packet for signature matches. In some cases, the entire packet will need to be searched, and state information and even application state and awareness must be maintained by the router.
For auditing atomic signatures, there is no traffic-dependent memory requirement. For auditing compound signatures, CBAC allocates memory to maintain the state of each session for each connection. Memory is also allocated for the configuration database and for internal caching.
Cisco IOS Firewall IDS Signature List
The following is a complete list of Cisco IOS Firewall IDS signatures. A signature detects patterns of misuse in network traffic. In Cisco IOS Firewall IDS, signatures are categorized into four types:
- Info Atomic
- Info Compound
- Attack Atomic
- Attack Compound
An info signature detects information-gathering activity, such as a port sweep. An attack signature detects attacks attempted into the protected network, such as denial-of-service attempts or the execution of illegal commands during an FTP session. Info and attack signatures can be either atomic or compound signatures. Atomic signatures can detect patterns as simple as an attempt to access a specific port on a specific host. Compound signatures can detect complex patterns, such as a sequence of operations distributed across multiple hosts over an arbitrary period of time. The intrusion-detection signatures included in the Cisco IOS Firewall were chosen from a broad cross-section of intrusion-detection signatures as representative of the most common network attacks and information-gathering scans that are not commonly found in an operational network. The following signatures are listed in numerical order by their signature number in the Cisco Secure IDS Network Security Database. After each signature's name is an indication of the type of signature (info or attack, atomic or compound).
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c6.php#1000971
QUESTION 8 James the administrator on Cisco Sources is trying to figure out which router
table is modified or prevented from updating, if a rerouting attack occurs. (Choose one)
A. ARP
B. address
C. bridging
D. routing
Answer: D
Explanation: Route filters can be set up on any interface to prevent learning or propagating routing information inappropriately. Some routing protocols (such as EIGRP) allow you to insert a filter on the routes being advertised so that certain routes are not advertised in some parts of the network.
Reference: Managing Cisco Network Security (Cisco Press) page 233
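As an added example (not part of the original question set) of the route filters the explanation describes, the configuration below limits both what an EIGRP neighbour can put into the routing table and what the router advertises outward, so that a rerouting attack on the outside segment cannot overwrite internal routes. The autonomous-system number, prefixes, ACL numbers and interface names are assumed placeholders; the passive-interface line goes beyond what the page mentions.

```ios
! Added example: inbound and outbound route filtering with EIGRP
!
! The only prefixes the outside neighbour is allowed to tell us about.
! Anything else, including an attacker's bogus advertisement of our own
! internal networks, is discarded before it can touch the routing table.
access-list 10 permit 172.20.0.0 0.0.255.255
access-list 10 deny   any
!
! What we are willing to advertise outward: the management block is withheld
! so outside routers never learn it exists.
access-list 20 deny   10.99.0.0 0.0.255.255
access-list 20 permit any
!
router eigrp 100
 network 10.0.0.0
 network 172.20.0.0
 ! Inbound filter on the untrusted link: learning is restricted.
 distribute-list 10 in Serial0/0
 ! Outbound filter on the same link: propagation is restricted.
 distribute-list 20 out Serial0/0
 ! No routing adjacency at all on a segment that has no legitimate neighbours.
 passive-interface FastEthernet0/1
```

With the inbound filter in place, an unexpected route for an internal prefix showing up from the outside neighbour is dropped rather than installed, and a sudden change in the count of filtered updates is a useful signal that something on that segment is trying to reroute traffic.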
QUESTION 9 John and Kathy are working on configuring the IOS firewall together.
They are figuring out what CBAC uses for inspection
rules to configure on a per-application protocol
basis. Which one of these is the correct one?
A. ODBC filtering
B. Tunnel, transport models, or both
C. Alerts and audit trails
D. Stateful failover
Answer: C
Explanation: CBAC also generates real-time alerts and audit trails. Enhanced audit trail features use SYSLOG to track all network transactions. Real-time alerts send SYSLOG error messages to central management consoles upon detecting suspicious activity. Using CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c1.html
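The configuration below is an added example serving both Question 7 (IOS Firewall IDS, where signature coverage is traded against router memory) and Question 9 (CBAC inspection rules with alerts and audit trails set per application protocol). It is not from the original question set; the audit and inspection names, the syslog host, the interface and the disabled signature number are assumed placeholders.

```ios
! Added example: IOS Firewall IDS audit rules and CBAC per-protocol auditing
logging on
logging 10.10.1.50
!
! --- IOS Firewall IDS (Question 7) ---
ip audit notify log
! Coverage versus memory: compound signatures keep per-session state, so
! each enabled one costs router memory under load. A signature that is not
! relevant to the protected network can be switched off by number
! (the number below is a placeholder, not a real signature id).
ip audit signature 0000 disable
ip audit name PERIMETER info action alarm
ip audit name PERIMETER attack action alarm drop reset
!
! --- CBAC (Question 9) ---
! Global defaults: alerts are on, the audit trail is off. This turns the
! audit trail on for every inspected protocol ...
ip inspect audit-trail
! ... and the per-protocol keywords then override the globals individually:
! HTTP gets alerts plus an audit trail, FTP an audit trail but no alerts,
! SMTP neither.
ip inspect name FWRULE http alert on audit-trail on timeout 3600
ip inspect name FWRULE ftp alert off audit-trail on
ip inspect name FWRULE smtp alert off audit-trail off
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
!
interface Serial0/0
 description External interface
 ! Audit arriving traffic; inspect outbound sessions so that only their
 ! return traffic is opened through the inbound filter.
 ip audit PERIMETER in
 ip inspect FWRULE out
```

The audit trail produces one syslog line per session (source, destination, byte counts), which is what a central console needs to reconstruct activity after the fact; alerts are the real-time signal. Enabling both on every protocol is the most visible but also the most expensive setting, which ties back to the memory-and-performance point in Question 7.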
QUESTION 10 You are the network security administrator for Cisco Sources.com. Cisco Sources has just added TACACS+ AAA authentication to their remote access topology, requiring you to add two TACACS+ servers to the Cisco SourcesPR perimeter router configuration. First, enable the router's AAA access control model and then add the two TACACS+ servers and their respective keys. Use the following values as necessary:
Parameter: Value
TACACS+ Server Cisco Sources1 - IP address: 10.10.1.2
TACACS+ Server Cisco Sources1 - Key: Cisco Sources1
TACACS+ Server Cisco Sources2 - IP address: 10.10.1.3
TACACS+ Server Cisco Sources2 - Key: Cisco Sources2
Enable secret password is "Cisco Sources"
Perimeter Router:
Name: Cisco SourcesPR
FA0/0: 192.168.10.1
FA0/1: 10.10.1.1
Secret password: Cisco Sources
To configure the router, click on the host icon that is connected to a router by a serial cable.
Answer:
Config t
Tacacs-server host 10.10.1.2 key Cisco Sources1
Tacacs-server host 10.10.1.3 key Cisco Sources2
Note: On the actual test you are unable to enter the command.
Reference: http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007f032.php#xtocid238207
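As an added example (not part of the original question set) that ties Question 10 and Question 1 together, the configuration below is the complete AAA set-up the scenario describes: the AAA model enabled, the two TACACS+ servers with the keys given in Question 10, and the start-stop network accounting from Question 1. The server addresses and keys are the page's values; the hostname spelling, the interface, the local fallback user and the CHAP line are assumptions. Releases of IOS newer than the ones this question set targets write the method as "group tacacs+" rather than "tacacs+".

```ios
! Added example: AAA with two TACACS+ servers and PPP start-stop accounting
hostname CiscoSourcesPR
enable secret Cisco Sources
!
! 1. Enable the AAA access-control model. The answer key leaves this out,
!    but none of the aaa commands below are accepted without it.
aaa new-model
!
! 2. Define both servers. On tacacs-server host the key is the rest of the
!    line, so keys containing a space work as written.
tacacs-server host 10.10.1.2 key Cisco Sources1
tacacs-server host 10.10.1.3 key Cisco Sources2
!
! 3. Authentication: TACACS+ is asked first; the local database is consulted
!    only if neither server answers (an error), not if one rejects the user.
username localadmin secret PLACEHOLDER-PASSWORD
aaa authentication ppp default tacacs+ local
aaa authentication login default tacacs+ local
!
! 4. Accounting (Question 1): start-stop sends a record when a PPP session
!    comes up and another when it ends, so the server sees session duration.
!    stop-only would record only the end of the session.
aaa accounting network default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
!
interface Group-Async1
 ip unnumbered Loopback0
 encapsulation ppp
 async mode interactive
 ppp authentication chap
```

Listing two servers gives availability, not independent trust: both keys must be protected equally, and the router tries the second server only when the first does not respond.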