CCNP/CCIE Security SCOR Cisco Network Engineer Question Bank 2

Q1. What can be integrated with Cisco Threat Intelligence Director to provide information about security threats, which allows the SOC to proactively automate responses to those threats?
A. Cisco Umbrella
B. External Threat Feeds
C. Cisco Threat Grid
D. Cisco Stealthwatch
Answer: C
Explanation: Cisco Threat Intelligence Director (CTID) can be integrated with existing Threat Intelligence Platforms deployed by your organization to ingest threat intelligence automatically.
Reference:

Q2. Which solution combines Cisco IOS and IOS XE components to enable administrators to recognize applications, collect and send network metrics to Cisco Prime and other third-party management tools, and prioritize application traffic?
A. Cisco Security Intelligence
B. Cisco Application Visibility and Control
C. Cisco Model Driven Telemetry
D. Cisco DNA Center
Answer: B
Explanation: The Cisco Application Visibility and Control (AVC) solution leverages multiple technologies to recognize, analyze, and control over 1000 applications, including voice and video, email, file sharing, gaming, peer-to-peer (P2P), and cloud-based applications. AVC combines several Cisco IOS/IOS XE components, as well as communicating with external tools, to integrate the following functions into a powerful solution.
Reference: guide/avc_tech_overview.html

Q3. Which two activities can be done using Cisco DNA Center? (Choose two)
A. DHCP
B. Design
C. Accounting
D. DNS
E. Provision
Answer: BE
Explanation: Cisco DNA Center has four general sections aligned to IT workflows:
Design: Design your network for consistent configurations by device and by site. Physical maps and logical topologies help provide quick visual reference. The direct import feature brings in existing maps, images, and topologies directly from Cisco Prime Infrastructure and the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM), making upgrades easy and quick. Device configurations by site can be consolidated in a golden image that can be used to automatically provision new network devices. These new devices can either be pre-staged by associating the device details and mapping to a site. Or they can be claimed upon connection and mapped to the site.
Policy: Translate business intent into network policies and apply those policies, such as access control, traffic routing, and quality of service, consistently over the entire wired and wireless infrastructure. Policy-based access control and network segmentation is a critical function of the Cisco Software-Defined Access (SD-Access) solution built from Cisco DNA Center and Cisco Identity Services Engine (ISE). Cisco AI Network Analytics and Cisco Group-Based Policy Analytics running in the Cisco DNA Center identify endpoints, group similar endpoints, and determine group communication behavior. Cisco DNA Center then facilitates creating policies that determine the form of communication allowed between and within members of each group. ISE then activates the underlying infrastructure and segments the network creating a virtual overlay to follow these policies consistently. Such segmenting implements zero-trust security in the workplace, reduces risk, contains threats, and helps verify regulatory compliance by giving endpoints just the right level of access they need.
Provision: Once you have created policies in Cisco DNA Center, provisioning is a simple drag-and-drop task. The profiles (called scalable group tags or SGTs) in the Cisco DNA Center inventory list are assigned a policy, and this policy will always follow the identity. The process is completely automated and zero-touch. New devices added to the network are assigned to an SGT based on identity, greatly facilitating remote office setups.
Assurance: Cisco DNA Assurance, using AI/ML, enables every point on the network to become a sensor, sending continuous streaming telemetry on application performance and user connectivity in real time. The clean and simple dashboard shows detailed network health and flags issues. Then, guided remediation automates resolution to keep your network performing at its optimal with less mundane troubleshooting work. The outcome is a consistent experience and proactive optimization of your network, with less time spent on troubleshooting tasks.
Reference: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-center-so-cte-en.html

Q4. What must be used to share data between multiple security products?
A. Cisco Rapid Threat Containment
B. Cisco Platform Exchange Grid
C. Cisco Advanced Malware Protection
D. Cisco Stealthwatch Cloud
Answer: B

Q5. Which Cisco product is open, scalable, and built on IETF standards to allow multiple security products from Cisco and other vendors to share data and interoperate with each other?
A. Advanced Malware Protection
B. Platform Exchange Grid
C. Multifactor Platform Integration
D. Firepower Threat Defense
Answer: B
Explanation: With Cisco pxGrid (Platform Exchange Grid), your multiple security products can now share data and work together. This open, scalable, and IETF standards-driven platform helps you automate security to get answers and contain threats faster.

Q6. What is a feature of the open platform capabilities of Cisco DNA Center?
A. intent-based APIs
B. automation adapters
C. domain integration
D. application adapters
Answer: A

Q7. What is the function of the Context Directory Agent?
A. maintains users' group memberships
B. relays user authentication requests from Web Security Appliance to Active Directory
C. reads the Active Directory logs to map IP addresses to usernames
D. accepts user authentication requests on behalf of Web Security Appliance for user identification
Answer: C
Explanation: Cisco Context Directory Agent (CDA) is a mechanism that maps IP Addresses to usernames in order to allow security gateways to understand which user is using which IP Address in the network, so those security gateways can now make decisions based on those users (or the groups to which the users belong). CDA runs on a Cisco Linux machine; monitors in real time a collection of Active Directory domain controller (DC) machines for authentication-related events that generally indicate user logins; learns, analyzes, and caches mappings of IP Addresses and user identities in its database; and makes the latest mappings available to its consumer devices.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_oveviw.html

Q8. What is a characteristic of a bridge group in ASA Firewall transparent mode?
A. It includes multiple interfaces and access rules between interfaces are customizable
B. It is a Layer 3 segment and includes one port and customizable access rules
C. It allows ARP traffic with a single access rule
D. It has an IP address on its BVI interface and is used for management traffic
Answer: A
Explanation: A bridge group is a group of interfaces that the ASA bridges instead of routes. Bridge groups are only supported in Transparent Firewall Mode. Like any other firewall interfaces, access control between interfaces is controlled, and all of the usual firewall checks are in place. Each bridge group includes a Bridge Virtual Interface (BVI). The ASA uses the BVI IP address as the source address for packets originating from the bridge group. The BVI IP address must be on the same subnet as the bridge group member interfaces. The BVI does not support traffic on secondary networks; only traffic on the same network as the BVI IP address is supported. You can include multiple interfaces per bridge group. If you use more than 2 interfaces per bridge group, you can control communication between multiple segments on the same network, and not just between inside and outside. For example, if you have three inside segments that you do not want to communicate with each other, you can put each segment on a separate interface, and only allow them to communicate with the outside interface. Or you can customize the access rules between interfaces to allow only as much access as desired.
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/intro-fw.html
Note: The BVI interface is not used for management purposes. But we can add a separate Management slot/port interface that is not part of any bridge group, and that allows only management traffic to the ASA.

Q9. When Cisco and other industry organizations publish and inform users of known security findings and vulnerabilities, which name is used?
A. Common Security Exploits
B. Common Vulnerabilities and Exposures
C. Common Exploits and Vulnerabilities
D. Common Vulnerabilities, Exploits and Threats
Answer: B
Explanation: Vendors, security researchers, and vulnerability coordination centers typically assign vulnerabilities an identifier that's disclosed to the public. This identifier is known as the Common Vulnerabilities and Exposures (CVE). CVE is an industry-wide standard. CVE is sponsored by US-CERT, the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. The goal of CVE is to make it easier to share data across tools, vulnerability repositories, and security services.
Reference:

Q10. Which two fields are defined in the NetFlow flow? (Choose two)
A. type of service byte
B. class of service bits
C. Layer 4 protocol type
D. destination port
E. output logical interface
Answer: AD
Explanation: Cisco standard NetFlow version 5 defines a flow as a unidirectional sequence of packets that all share seven values which define a unique key for the flow:
+ Ingress interface (SNMP ifIndex)
+ Source IP address
+ Destination IP address
+ IP protocol
+ Source port for UDP or TCP, 0 for other protocols
+ Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols
+ IP Type of Service
Note: A flow is a unidirectional series of packets between a given source and destination.

Q11. What provides the ability to program and monitor networks from somewhere other than the DNAC GUI?
A. NetFlow
B. desktop client
C. ASDM
D. API
Answer: D

Q12. An organization has two machines hosting web applications. Machine 1 is vulnerable to SQL injection while machine 2 is vulnerable to buffer overflows. What action would allow the attacker to gain access to machine 1 but not machine 2?
A. sniffing the packets between the two hosts
B. sending continuous pings
C. overflowing the buffer's memory
D. inserting malicious commands into the database
Answer: D

Q13. An organization is trying to improve their Defense in Depth by blocking malicious destinations prior to a connection being established. The solution must be able to block certain applications from being used within the network. Which product should be used to accomplish this goal?
A. Cisco Firepower
B. Cisco Umbrella
C. ISE
D. AMP
Answer: B
Explanation: Cisco Umbrella protects users from accessing malicious domains by proactively analyzing and blocking unsafe destinations before a connection is ever made. Thus it can protect from phishing attacks by blocking suspicious domains when users click on the given links that an attacker sent.

Q14. A company is experiencing exfiltration of credit card numbers that are not being stored on-premise. The company needs to be able to protect sensitive data throughout the full environment. Which tool should be used to accomplish this goal?
A. Security Manager
B. Cloudlock
C. Web Security Appliance
D. Cisco ISE
Answer: B
Explanation: Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cisco Cloudlock provides visibility and compliance checks, protects data against misuse and exfiltration, and provides threat protections against malware like ransomware.

Q15. An engineer is trying to securely connect to a router and wants to prevent insecure algorithms from being used. However, the connection is failing. Which action should be taken to accomplish this goal?
A. Disable telnet using the no ip telnet command.
B. Enable the SSH server using the ip ssh server command.
C. Configure the port using the ip ssh port 22 command.
D. Generate the RSA key using the crypto key generate rsa command.
Answer: D
Explanation: In this question, the engineer was trying to secure the connection so maybe he was trying to allow SSH to the device. But maybe something went wrong so the connection was failing (the connection used to be good). So maybe he was missing the crypto key generate rsa command.

Q16. A network administrator is using the Cisco ESA with AMP to upload files to the cloud for analysis. The network is congested and is affecting communication. How will the Cisco ESA handle any files which need analysis?
A. AMP calculates the SHA-256 fingerprint, caches it, and periodically attempts the upload.
B. The file is queued for upload when connectivity is restored.
C. The file upload is abandoned.
D. The ESA immediately makes another attempt to upload the file.
Answer: C
Explanation: The appliance will try once to upload the file; if upload is not successful, for example because of connectivity problems, the file may not be uploaded. If the failure was because the file analysis server was overloaded, the upload will be attempted once more.
Reference: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118796-technote-esa-00.html
In this question, it stated the network is congested (not the file analysis server was overloaded) so the appliance will not try to upload the file again.

Q17. Which type of algorithm provides the highest level of protection against brute-force attacks?
A. PFS
B. HMAC
C. MD5
D. SHA
Answer: D

Q18. What must be configured in Cisco ISE to enforce reauthentication of an endpoint session when an endpoint is deleted from an identity group?
A. posture assessment
B. CoA
C. external identity source
D. SNMP probe
Answer: B
Explanation: Cisco ISE allows a global configuration to issue a Change of Authorization (CoA) in the Profiler Configuration page that enables the profiling service with more control over endpoints that are already authenticated. One of the settings to configure the CoA type is Reauth. This option is used to enforce reauthentication of an already authenticated endpoint when it is profiled.
Reference: httpscenustddocssecurityisel-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010101.htm

Q19. A network administrator is configuring a rule in an access control policy to block certain URLs and selects the Chat and Instant Messaging category. Which reputation score should be selected to accomplish this goal?
A. 1
B. 3
C. 5
D. 10
Answer: D
Explanation: We choose Chat and Instant Messaging category in URL Category:
[Screenshot: content filter dialog showing the URL Category condition and the Available Categories list]
To block certain URLs we need to choose URL Reputation from 6 to 10.
[Screenshot: Edit Condition dialog, URL Reputation condition. URL Reputation is: Malicious (-10.0 to -6.0), Suspect (-5.9 to 5.9), Clean (6.0 to 10.0), Custom Range (min to max), No Score. Use a URL whitelist: None]

Q20. Which group within Cisco writes and publishes a weekly newsletter to help cybersecurity professionals remain aware of the ongoing and most