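"Cisco Network Engineer Question Bank 4.docx" was shared by a member and can be read online. For more content related to "Cisco Network Engineer Question Bank 4.docx" (80 pages), search on 课桌文档.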
Cisco Network Engineer Question Bank 201-327

Q201. An organization is implementing URL blocking using Cisco Umbrella. The users are able to go to some sites but other sites are not accessible due to an error. Why is the error occurring?
A. Client computers do not have the Cisco Umbrella Root CA certificate installed.
B. IP-Layer Enforcement is not configured.
C. Client computers do not have an SSL certificate deployed from an internal CA server.
D. Intelligent proxy and SSL decryption is disabled in the policy.
Answer: A
Explanation: Other features are dependent on SSL Decryption functionality, which requires the Cisco Umbrella root certificate. Having the SSL Decryption feature improves: Custom URL Blocking - Required to block the HTTPS version of a URL. Umbrella's Block Page and Block Page Bypass features present an SSL certificate to browsers that make connections to HTTPS sites. This SSL certificate matches the requested site but will be signed by the Cisco Umbrella certificate authority (CA). If the CA is not trusted by your browser, an error page may be displayed. Typical errors include "The security certificate presented by this website was not issued by a trusted certificate authority" (Internet Explorer), "The site's security certificate is not trusted!" (Google Chrome) or "This Connection is Untrusted" (Mozilla Firefox). Although the error page is expected, the message displayed can be confusing and you may wish to prevent it from appearing. To avoid these error pages, install the Cisco Umbrella root certificate into your browser or the browsers of your users - if you're a network admin.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/rebrand-cisco-certificate-import-information

Q202. Which two aspects of the cloud PaaS model are managed by the customer but not the provider? (Choose two)
A. virtualization
B. middleware
C. operating systems
D. applications
E. data
Answer: DE
Explanation: [Figure: PaaS service model stack (applications, data, runtime, middleware, O/S, virtualization, servers, storage, network) marking the layers the service provider manages]

Q203. What is an attribute of the DevSecOps process?
A. mandated security controls and checklists
B. security scanning and theoretical vulnerabilities
C. development security
D. isolated security team
Answer: C
Explanation: DevSecOps (development, security, and operations) is a concept used in recent years to describe how to move security activities to the start of the development life cycle and have built-in security practices in the continuous integration/continuous deployment (CI/CD) pipeline, thus minimizing vulnerabilities and bringing security closer to IT and business objectives. Three key things make a real DevSecOps environment:
+ Security testing is done by the development team.
+ Issues found during that testing are managed by the development team.
+ Fixing those issues stays within the development team.

Q204. An engineer notices traffic interruption on the network. Upon further investigation, it is learned that broadcast packets have been flooding the network. What must be configured, based on a predefined threshold, to address this issue?
A. Bridge Protocol Data Unit guard
B. embedded event monitoring
C. storm control
D. access control lists
Answer: C
Explanation: Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in network configurations, or users issuing a denial-of-service attack can cause a storm. By using the storm-control broadcast level falling-threshold we can limit the broadcast traffic on the switch.

Q205. Which two cryptographic algorithms are used with IPsec? (Choose two)
A. AES-BAC
B. AES-ABC
C. HMAC-SHA1/SHA2
D. Triple AMC-CBC
E. AES-CBC
Answer: CE
Explanation: Cryptographic algorithms defined for use with IPsec include:
+ HMAC-SHA1/SHA2 for integrity protection and authenticity.
+ TripleDES-CBC for confidentiality.
+ AES-CBC and AES-CTR for confidentiality.
+ AES-GCM and ChaCha20-Poly1305 providing confidentiality and authentication together efficiently.

Q206. In which type of attack does the attacker insert their machine between two hosts that are communicating with each other?
A. LDAP injection
B. man-in-the-middle
C. cross-site scripting
D. insecure API
Answer: B

New Questions (added on 2nd-Jan-2021)

Q207. Which DoS attack uses fragmented packets to crash a target machine?
A. smurf
B. MITM
C. teardrop
D. LAND
Answer: C
Explanation: A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a target machine. Since the machine receiving such packets cannot reassemble them due to a bug in TCP/IP fragmentation reassembly, the packets overlap one another, crashing the target network device. This generally happens on older operating systems such as Windows 3.1x, Windows 95, Windows NT and versions of the Linux kernel prior to 2.1.63.

Q208. Why is it important to have logical security controls on endpoints even though the users are trained to spot security threats and the network devices already help prevent them?
A. to prevent theft of the endpoints
B. because defense-in-depth stops at the network
C. to expose the endpoint to more threats
D. because human error or insider threats will still exist
Answer: D

Q209. Which type of API is being used when a security application notifies a controller within a software-defined network architecture about a specific security threat? (Choose two)
A. westbound API
B. southbound API
C. northbound API
D. eastbound API
Answer: BC

Q210. When planning a VPN deployment, for which reason does an engineer opt for an active/active FlexVPN configuration as opposed to DMVPN?
A. Multiple routers or VRFs are required.
B. Traffic is distributed statically by default.
C. Floating static routes are required.
D. HSRP is used for failover.
Answer: B

Q211. Which algorithm provides asymmetric encryption?
A. RC4
B. AES
C. RSA
D. 3DES
Answer: C

Q212. What are two functions of secret key cryptography? (Choose two)
A. key selection without integer factorization
B. utilization of different keys for encryption and decryption
C. utilization of large prime number iterations
D. provides the capability to only know the key on one side
E. utilization of less memory
Answer: BD

Q213. For Cisco IOS PKI, which two types of Servers are used as a distribution point for CRLs? (Choose two)
A. SDP
B. LDAP
C. subordinate CA
D. SCP
E. HTTP
Answer: BE
Explanation: Cisco IOS public key infrastructure (PKI) provides certificate management to support security protocols such as IP Security (IPSec), secure shell (SSH), and secure socket layer (SSL). This module identifies and describes concepts that are needed to understand, plan for, and implement a PKI. A PKI is composed of the following entities: A distribution mechanism (such as Lightweight Directory Access Protocol [LDAP] or HTTP) for certificate revocation lists (CRLs).

Q214. Which attack type attempts to shut down a machine or network so that users are not able to access it?
A. smurf
B. bluesnarfing
C. MAC spoofing
D. IP spoofing
Answer: A
Explanation: Denial-of-service (DDoS) aims at shutting down a network or service, causing it to be inaccessible to its intended users. The Smurf attack is a DDoS attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.

Q215. What is a difference between DMVPN and sVTI?
A. DMVPN supports tunnel encryption, whereas sVTI does not.
B. DMVPN supports dynamic tunnel establishment, whereas sVTI does not.
C. DMVPN supports static tunnel establishment, whereas sVTI does not.
D. DMVPN provides interoperability with other vendors, whereas sVTI does not.
Answer: B

Q216. What features does Cisco FTDv provide over ASAv?
A. Cisco FTDv runs on VMWare while ASAv does not
B. Cisco FTDv provides 1GB of firewall throughput while Cisco ASAv does not
C. Cisco FTDv runs on AWS while ASAv does not
D. Cisco FTDv supports URL filtering while ASAv does not
Answer: D

Q217. In which situation should an Endpoint Detection and Response solution be chosen versus an Endpoint Protection Platform?
A. when there is a need for traditional anti-malware detection
B. when there is no need to have the solution centrally managed
C. when there is no firewall on the network
D. when there is a need to have more advanced detection capabilities
Answer: D
Explanation: Endpoint protection platforms (EPP) prevent endpoint security threats like known and unknown malware. Endpoint detection and response (EDR) solutions can detect and respond to threats that your EPP and other security tools did not catch. EDR and EPP have similar goals but are designed to fulfill different purposes. EPP is designed to provide device-level protection by identifying malicious files, detecting potentially malicious activity, and providing tools for incident investigation and response. The preventative nature of EPP complements proactive EDR. EPP acts as the first line of defense, filtering out attacks that can be detected by the organization's deployed security solutions. EDR acts as a second layer of protection, enabling security analysts to perform threat hunting and identify more subtle threats to the endpoint. Effective endpoint defense requires a solution that integrates the capabilities of both EDR and EPP to provide protection against cyber threats without overwhelming an organization's security team.

Q218. Which type of API is being used when a controller within a software-defined network architecture dynamically makes configuration changes on switches within the network?
A. westbound API
B. southbound API
C. northbound API
D. eastbound API
Answer: B
Explanation: Southbound APIs enable SDN controllers to dynamically make changes based on real-time demands and scalability needs.
[Figure: SDN layers: SDN Applications, Northbound API, Controllers, Southbound API, Network Elements]

Q219. An organization has two systems in their DMZ that have an unencrypted link between them for communication. The organization does not have a defined password policy and uses several default accounts on the systems. The application used on those systems also has not gone through stringent code reviews. Which vulnerability would help an attacker brute force their way into the systems?
A. weak passwords
B. lack of input validation
C. missing encryption
D. lack of file permission
Answer: A

Q220. What is the purpose of a NetFlow version 9 template record?
A. It specifies the data format of NetFlow processes.
B. It provides a standardized set of information about an IP flow.
C. It defines the format of data records.
D. It serves as a unique identification number to distinguish individual data records
Answer: C
Explanation: The version 9 export format uses templates to provide access to observations of IP packet flows in a flexible and extensible manner. A template defines a collection of fields, with corresponding descriptions of structure and semantics.
Reference: https://tools.ietf.org/html/rfc3954

Q221. What is provided by the Secure Hash Algorithm in a VPN?
A. integrity
B. key exchange
C. encryption
D. authentication
Answer: A
Explanation: The HMAC-SHA-1-96 (also known as HMAC-SHA-1) encryption technique is used by IPSec to ensure that a message has not been altered. (-> Therefore answer "integrity" is the best choice.) HMAC-SHA-1 uses the SHA-1 specified in FIPS-190-1, combined with HMAC (as per RFC 2104), and is described in RFC 2404.

Q222. A network engineer is deciding whether to use stateful or stateless failover when configuring two ASAs for high availability. What is the connection status in both cases?
A. need to be reestablished with stateful failover and preserved with stateless failover
B. preserved with stateful failover and need to be reestablished with stateless failover
C. preserved with both stateful and stateless failover
D. need to be reestablished with both stateful and stateless failover
Answer: B

Q223. Which type of protection encrypts RSA keys when they are exported and imported?
A. file
B. passphrase
C. NGE
D. nonexportable
Answer: B

Q224. Drag and drop the capabilities of Cisco Firepower versus Cisco AMP from the left into the appropriate category on the right.
provides the ability to perform network discovery
provides detection, blocking, tracking, analyse and remediation to protect against targeted persistent malware attacks
provides intrusion prevention before malware comprises the host
provides superior threat prevention and mitigation for known and unknown threats
provides the root cause of a threat based on the indicators of compromise seen
provides outbreak control through custom detections
Answer:
provides the ability to perform network discovery
provides detection, blocking, tracking, analyse and remediation to protect against targeted persistent malware attacks
provides intrusion prevention before malware comprises the host
Cisco Firepower
provides superior threat prevention and mitigation for known and unknown threats
provides the root cause of a threat based on the indicators of compromise seen
provides outbreak control through custom detections
provides the ability to perform network discovery
provides detection, blocking, tracking, analyse and remediation to protect against targeted persistent malware attacks
provides superior threat prevention and mitigation for known and unknown threats
Cisco AMP
provides intrusion prevention before malware comprises the host
provides the root cause of a threat based on the indicators of compromise seen
provides outbreak control through custom detections
Explanation: The Firepower System uses network discovery and identity policies to collect host, application, and user data for traffic on your network. You can use certain types of discovery and identity data to build a comprehensive map of your network assets, perform forensic analysis, behavioral profiling, access control, and mitigate and respond to the vulnerabilities and exploits to which your organization is susceptible. The Cisco Advanced Malware Protection (AMP) solution enables you to detect and block malware, continuously analyze for malware, and get retrospective alerts. AMP for Networks delivers network-based advanced malware protection that goes beyond point-in-time detection to protect your organization across the entire attack continuum: before, during, and after an attack. Designed for Cisco Firepower network threat appliances, AMP for Networks detects, blocks, tracks, and contains malware threats across multiple threat vectors within a single system. It also provides the visibility and control necessary to protect your organization against highly sophisticated, targeted, zero-day, and persistent advanced malware threats.

Q225. Drag and drop the suspicious patterns for the Cisco Tetration platform from the left onto the correct definitions on the right.
interesting file access
Cisco Tetration platform can be armed to look at sensitive files
file access from a different user
Watches for privilege changes from a lower privilege to a higher privilege in the process lineage tree
user login suspicious behavior
Cisco Tetration platform watches user login failures and user login methods
privilege escalation
Cisco Tetration platform learns the normal behavior of which file is accessed by which user
Answer:
interesting file access
interesting file access
file access from a different user
privilege escalation
user login suspicious behavior
user login suspicious behavior
privilege escalation
file access from a different user
Explanation: Cisco Tetration platform studies the behavior of the various processes and applications in the workload, measuring them against known bad behavior sequences. It also factors in the process hashes it collects. By studying various sets of malwares, the Tetration Analytics engineering team deconstructed it back into its basic building blocks. Therefore, the platform understands clear and crisp definitions of these building blocks and watches for them. The various suspicious patterns for which the Cisco Tetration platform looks in the current release are:
+ Shell code execution: Looks for the patterns used by shell code.
+ Privilege escalation: Watches for privilege changes fro