QUESTION 1
John is the security administrator at Cisco Sources Inc. and his job is to view event logs. Which statement about the live event log is true?
A. With the event log, the administrator can pause, and then filter the live event log.
B. The live event log can filter events by various criteria.
C. As events occur, the live event log automatically updates.
D. The live event log automatically updates the display every six seconds.
Answer: C
Explanation: Monitoring | Live Event Log
Pause Display/Resume Display: To pause the display, click Pause Display. While paused, the screen does not display new events, the button changes to Resume Display, and the timer counts down to 0 and stops. You can still scroll through the event log. Click the button to resume the display of new events and restart the timer.
Clear Display: To clear the event display, click Clear Display. This action does not clear the event log, only the display of events on this screen.
Restart: To clear the event display and reload the entire event log in the display, click Restart.
Timer: The timer counts 5 - 4 - 3 - 2 - 1 to show where it is in the 5-second refresh cycle. A momentary Rx indicates receipt of new events. A steady 0 indicates the display has been paused. The screen always displays the most recent event at the bottom. Use the scroll bar to view earlier events.
To filter and display events by various criteria, see the Monitoring | Filterable Event Log section above.
Reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00800bcd4e.html#xtocid6
QUESTION 2
Kathy, the security administrator at Cisco Sources Inc., wants to know more about authentication. One of the first things she has to do is learn how user authentication is enabled on the Cisco VPN 3002. (Choose two)
A. Pushed down to the Cisco VPN 3002.
B. Pushed down to the Cisco VPN Concentrator.
C. Checked on the Cisco VPN Concentrator.
D. Unchecked on the Cisco VPN 3002.
Answer: A C
Explanation: You configure individual user authentication on the VPN Concentrator, which pushes the policy to the VPN 3002.
Reference: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/4_0/index.htm
QUESTION 3
Jason from the security department was given the assignment to match the Cisco VPN key with its description.
Answer:
Explanation: The Diffie-Hellman (D-H) key agreement is a public key encryption method that provides a way for two IPSec peers to establish a shared secret key that only they know, although they are communicating over an insecure channel. With D-H, each peer generates a public and private key pair. The private key generated by each peer is kept secret and never shared. The public key is calculated from the private key by each peer and is exchanged over the insecure channel. Each peer combines the other's public key with its own private key and computes the same shared secret key number; only the public keys were exchanged over the insecure channel.
Reference: Cisco Secure Virtual Private Network (Cisco Press), pages 18-20
QUESTION 4
Jason, the security administrator at Cisco Sources Inc., was given the assignment to match the following exchanges in order. In IPSec main mode, match the two-way exchanges between the initiator and receiver with their descriptions.
Answer:
Explanation: Main Mode. Main mode provides a way to establish the first phase of an IKE SA, which is then used to negotiate future communications. The first step, securing an IKE SA, occurs in three two-way exchanges between the sender and the receiver. In the first exchange, the sender and receiver agree on basic algorithms and hashes. In the second exchange, public keys are sent for a Diffie-Hellman exchange. Nonces (random numbers each party must sign and return to prove their identities) are then exchanged. In the third exchange, identities are verified, and each party is assured that the exchange has been completed.
Reference: Cisco Secure Virtual Private Network (Cisco Press), page 27
QUESTION 5
Kathy and Jason, the security department heads, are in charge of configuring a bandwidth policy. They know that configuring a bandwidth policing policy is a two-step process: configuring, then applying the policy. Where are configured bandwidth policies applied on the VPN Concentrator? (Choose two)
A. It must be applied to an interface.
B. It can optionally be applied to an interface.
C. The bandwidth policy must be applied to a group.
D. It can be optionally applied to a group.
E. It must be applied to a LAN-to-LAN tunnel.
F. It can be optionally applied to a LAN-to-LAN tunnel.
Answer: C E
Explanation: The bandwidth policy is applied to each group, and users within a group share the service policy applied to the group. The sample configuration uses the service policy on the outbound of the interface.
Reference:
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns109/networking_solutions_white_paper09186a0080187151.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml
QUESTION 6
James, the security administrator for Cisco Sources Inc., is working with IKE. His job is to know what the three functions of IKE Phase 2 are. (Choose three)
A. IKE uses aggressive mode.
B. IKE can optionally perform an additional DH exchange.
C. IKE periodically renegotiates IPSec SAs to ensure security.
D. IKE negotiates IPSec SA parameters protected by an existing IKE SA.
E. IKE verifies the other side's identity.
F. IKE uses main mode.
Answer: B C D
Explanation: Step 2, Determine IPSec (IKE Phase Two) Policy:
- Negotiates IPSec SA parameters protected by an existing IKE SA
- Establishes IPSec security associations
- Periodically renegotiates IPSec SAs to ensure security
- Optionally performs an additional Diffie-Hellman exchange
Reference: Cisco Secure Virtual Private Networks (Cisco Press), page 28
QUESTION 7
James, the security administrator for Cisco Sources Inc., is working on VPNs. If the VPN is owned and managed by the Cisco Sources Inc. corporate security department, which product would he choose?
A. 2900
B. 3030
C. 3660
D. PIX Firewall 500
E. PIX Firewall 515
Answer: E
Explanation: This is a tough question; the best choice would be A because of the additional security features of the firewall. Use your best judgment.
QUESTION 8
Kathy is the security administrator at Cisco Sources Inc. and is working with the Cisco VPN Client. Her job today is to know which firewall is supported by the Cisco VPN Client Are You There feature.
A. Supported by Zone Labs
B. Supported by Cisco Integrated Client firewall
C. Supported by Cyber guard
D. Supported by Symantec
Answer: A
Explanation: The VPN Client on the Windows platform includes a stateful firewall that incorporates Zone Labs technology. This firewall is used for both the Stateful Firewall (Always On) feature and the Centralized Protection Policy (see "Centralized Protection Policy (CPP)").
Reference: VPN Client Administrator Guide 4.0
QUESTION 9
John, the Jr. security administrator at Cisco Sources Inc., does not understand how Cisco solved the PAT translation issue. Which statement describes the solution?
A. They wrap a standard IKE packet with a UDP port number.
B. They changed the IKE TCP port number from a well known to a dynamically assigned port number.
C. They changed the IPSec TCP port number from a well known to a dynamically assigned port number.
D. They wrap a standard IPSec packet with a UDP port number.
Answer: D
Explanation: NAT-T (NAT Traversal) lets IPSec peers establish a LAN-to-LAN connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary.
Reference: VPN 3000 Series Concentrator Reference Volume I: Configuration
QUESTION 10
When configuring CPP, which statement is true?
A. CPP is enabled in both the Cisco VPN Client and Cisco VPN Concentrator.
B. CPP is enabled in the Cisco VPN Client, Cisco VPN Concentrator, and firewall.
C. CPP is enabled on the Cisco VPN Concentrator only.
D. CPP is enabled in the Cisco VPN Concentrator and firewall.
Answer: C
Explanation: Centralized Protection Policy (CPP). Centralized Protection Policy (CPP), also known as firewall push policy, lets a network administrator define a set of rules for allowing or dropping Internet traffic while the VPN Client is tunneled in to the VPN Concentrator. A network administrator defines this policy on the VPN Concentrator, and the policy is sent to the VPN Client during connection negotiation. The VPN Client passes the policy to the Cisco Integrated Client, which then enforces the policy. If the client user has already selected the "Always On" option, any more restrictive rules are enforced for Internet traffic while the tunnel is established. Since CIC includes a stateful firewall module, most configurations block all inbound traffic and permit either all outbound traffic or traffic through specific TCP and UDP ports outbound. Cisco Integrated Client, Zone Alarm, and Zone Alarm Pro firewalls can assign firewall rules. CPP rules are in effect during split tunneling and help protect the VPN Client PC from Internet attacks by preventing servers from running and by blocking any inbound connections unless they are associated with outbound connections. CPP provides more flexibility than the Stateful Firewall (Always On) feature, since with CPP you can refine the ports and protocols that you want to permit.
Reference: VPN Client Administrator Guide 4.0