| Question: | When the concentrator recieves an identity certificate from an IKE peer it will validate the certificate by checking which of the following actions?[select 2]
A. check to see if the certificate has all fields completed
B. check to see if the certificate is the answer to a PCKS#10
C. check to see if the certificate has not expired
D. check to see if the certificate has been signed by a trusted CA
|
| Answer: | C. check to see if the certificate has not expired
D. check to see if the certificate has been signed by a trusted CA
|
| Explanation: | When the concentrator recieves an identity certificate from an IKE peer it will validate the certificate by checking the following:
- has the certificate been signed by a trusted CA
- has the certiciate expired
- has the certificate been revoked |
|
| Question: | What is the default VPN virtual cluster UDP port?
A. 10000
B. 5487
C. 9023
D. 3000
|
| Answer: | C. 9023
|
| Explanation: | The default VPN virtual cluster UDP port is 9023. |
|
| Question: | What is the priority of a 3030 concentrator for the election of a cluster master?
A. 3
B. 5
C. 7
D. 9
|
| Answer: | B. 5
|
| Explanation: | The default master election priorities for the concentrators are:
- 3005 1
- 3015 3
- 3030 5
- 3060 7
- 3080 9 |
|
| Question: | What is the name of the process in which a VPN concentrator advertises the IP Address of the VPN Client through its private interface?
A. Reverse Route Injection
B. Are You There
C. Client Advertising feature
D. Client Awareness feature
|
| Answer: | A. Reverse Route Injection
|
| Explanation: | When a VPN concentrator advertises the IP Address of the VPN Client through its private interface it is called Reverse Route Injection |
|
| Question: | When using RRI what type of route is entered in the routing table?
A. summary route
B. normal route
C. host route
D. null0 route
|
| Answer: | C. host route
|
| Explanation: | Using RRI, the concentrator will add a host route to the routing table. |
|
| Question: | When using NAT-T what type of packets are sent during IKE phase 1?
A. NAT-T
B. NAT-T VID
C. NAT-D
D. NAT-T DIS
|
| Answer: | B. NAT-T VID
|
| Explanation: | During IKE phase 1 the client and IPSec gateway exchange NAT-T VID, NAT-T vendor identification packets. |
|
| Question: | When there is NAT device on the path between source and destination IPSec packets will be wrapped in UDP port __________ packets.
A. 500
B. 10000
C. 514
D. 4500
|
| Answer: | D. 4500
|
| Explanation: | When there is NAT device on the path between source and destination IPSec packets will be wrapped in UDP, port 4500, packets. |
|
| Question: | On which tab do we configure IPSec over UDP on the concentrator?
A. IPSec
B. PPTP/L2TP
C. General
D. Client config
|
| Answer: | D. Client config
|
| Explanation: | We configure IPSec over UDP on the Configuration > User Management > Groups > Modify > Client config tab. |
|
| Question: | What is the minimum software version of the VPN Software Client and concentrator to support IPSec over TCP?
A. 3.6
B. 4.0
C. 3.5
D. 3.3
|
| Answer: | C. 3.5
|
| Explanation: | To support IPSec over TCP the VPN software client and concentrator must be running verion 3.5 or later. |
|
| Question: | HMAC is the abbreviation of?
A. Host-Based Message Authentication Code
B. Host-Based Message Authentication Cipher
C. Hash-Based Message Authentication Code
D. High-Level Message Authentication Cipher
|
| Answer: | C. Hash-Based Message Authentication Code
|
| Explanation: | HMAC or Hash-Based Message Authentication Code. |
|
| Question: | What do we have to select on the Configuration > System > Tunneling Protocols > IPSec > LAN-to-LAN window to allow connections to multiple peers?
A. Connection Type: Originate-Only
B. Connection Type: Multi-directional
C. Connection Type: Peer network
D. Connection Type: Multi-drop
|
| Answer: | A. Connection Type: Originate-Only
|
| Explanation: | The Connection Type: Originate-only on the Configuration > System > Tunneling Protocols > IPSec > LAN-to-LAN window allows connections to multiple peers (upto 10). |
|
| Question: | What is the default IP address for the IKE peer in SAs used for remote VPNs?
A. The private IP address of the remote VPN peer
B. 255.255.255.255
C. The public IP address of the remote VPN peer
D. 0.0.0.0
|
| Answer: | D. 0.0.0.0
|
| Explanation: | The default IP address of an IKE peer in SAa used for remote access is 0.0.0.0 This is because they can connect from any source address so we do not know their address. |
|
| Question: | When monitoring LAN-to-LAN VPN tunnels we can see which of the following information? [Select 2]
A. User name
B. Public IP address of the remote concentrator
C. Public IP address of the local concentrator
D. Encryption
E. Active management sessions
|
| Answer: | B. Public IP address of the remote concentrator
D. Encryption
|
| Explanation: | In the Administration > administer session window we can view the following information about LAN-to-LAN sessions:
- Connection name
- IP address, public IP address of the remote concentrator
- Protocol
- Encryption
- Login time
- Duration
- Bytes Tx and Rx
- Actions |
|
| Question: | Using LAN-to-LAN VPNs how do we enter the networks in the network list if we are dealing with multiple subnets? [e.g. 172.16.0.0/16]
A. 172.16.0.0/255.255.0.0
B. 172.16.0.0 255.255.0.0
C. 172.16.0.0/16
D. 172.16.0.0/0.0.255.255
|
| Answer: | D. 172.16.0.0/0.0.255.255
|
| Explanation: | We entering networks in the network list we use the network/wildcard_mask notation to enter them in the list. |
|
| Question: | Which protocol will build the local network list automatically when using LAN-to-LAN VPNs?
A. EIGRP
B. RIP
C. static
D. OSPF
|
| Answer: | B. RIP
|
| Explanation: | The local network list is build automatically using RIP. |
|
| Question: | What is the function of NAD when using LAN-to-LAN VPNs?
A. Enables the use of NAT on each side of the LAN-to-LAN tunnel.
B. Dynamically adjusts the NAT settings using discovery packets on each side of the LAN-to-LAN tunnel.
C. Dynamically discovers and updates the private addresses on each side of the LAN-to-LAN tunnel.
D. Dynamically adjusts the IPSec settings on each side of the LAN-to-LAN tunnel.
|
| Answer: | C. Dynamically discovers and updates the private addresses on each side of the LAN-to-LAN tunnel.
|
| Explanation: | Network AutoDiscovery or NAD, dynamically discovers and updates the private addresses on each side of the LAN-to-LAN tunnel. |
|
| Question: | On which monitoring tab would we find information about ICMP and ARP?
A. Dynamic filters
B. System status
C. General statistics
D. Sessions
|
| Answer: | C. General statistics
|
| Explanation: | On the monitoring > General Statistics we can find the following information:
- PPTP
- L2TP
- IPSec
- HTTP
- ICMP
- ARP
- TCP/UDP
- and more |
|
| Question: | The Filterable Event log can hold up to ________ events?
A. 4096
B. 8192
C. 2048
D. depending on memory of the concentrator
|
| Answer: | C. 2048
|
| Explanation: | The Filterable Event log can hold up to 2048 events and wraps when full. |
|
| Question: | When looking at the Monitoring > System Status > LED status we see our ethernet is blinking green. What does this indicate?
A. The ethernet is connected to a network and traffic is passing.
B. The ethernet is connected to a network but has duplex/speed mismatch.
C. The ethernet is connected to a network, configured but disabled.
D. The ethernet is connected to a network but not configured.
|
| Answer: | C. The ethernet is connected to a network, configured but disabled.
|
| Explanation: | When looking at the Monitoring > System Status > LED status we see our ethernet is blinking green this indicates that the ethernet is connected to a network, configured but disabled. |
|
| Question: | How can we restore the concentrator to factory defaults using the web browser?
A. Administration > System Reboot
Configuration, select reboot ignoring the configuration file
B. Administration > System Reboot
Click on restore to factory default
C. Administration > System Reboot
Configuration, select reboot without saving the active configuration
D. Administration > System Reboot
Action, select restore to factory defaults
|
| Answer: | A. Administration > System Reboot
Configuration, select reboot ignoring the configuration file
|
| Explanation: | If we want to restore the concentrator back to factory defaults using the web interface we go to Administration > System Reboot and in the configuration field select reboot ignoring the configuration file |
|
| Question: | What is the default monitoring refresh rate of the statistics window?
A. 30 seconds
B. 60 seconds
C. 5 seconds
D. 10 seconds
|
| Answer: | A. 30 seconds
|
| Explanation: | The default monitoring refresh rate of the statistics window is 30 seconds. |
|
| Question: | What is the recommended formula to calculate the burst size when using bandwidth policing on the concentrator?
A. policing_rate/users
B. max bandwidth/users
C. (policing_rate/8)* 1.5
D. (policing_rate/users)* 1.5
|
| Answer: | C. (policing_rate/8)* 1.5
|
| Explanation: | To calculate the burst size when using bandwidth policing on the concentrator we use the following formula (policing_rate/8)* 1.5. For example, the max bandwidth per user is 125Kbps, so the burst size is (125000/8)*1.5 = 23437 bps. |
|
| Question: | What is the default burst size when using bandwidth policing on the concentrator?
A. 10000 bytes
B. 46875 bytes
C. 10500 bytes
D. administrator defined
|
| Answer: | C. 10500 bytes
|
| Explanation: | The default burst size is 10500 bytes when using bandwidth policing on the concentrator |
|
| Question: | When is the config.bak file created?
A. Every 5 minutes when logged on to the concentrator
B. Every time you click the save button
C. When clicking backup configuration
D. When rebooting the concentrator
|
| Answer: | B. Every time you click the save button
|
| Explanation: | The config.bak file is created every time the save button is clicked, it contains the last configuration before the changes were saved. |
|
| Question: | Which protocol is used when uploading a file from Administration > File Management > File Upload?
A. HTTP
B. FTP
C. TFTP
D. LDAP
|
| Answer: | A. HTTP
|
| Explanation: | When uploading a file from Administration > File Management > File Upload screen the HTTP protocol is used to upload that file. |
|
| Question: | Which of the following is not a predefined user on a Cisco VPN concentrator?
A. admin
B. config
C. mis
D. default
|
| Answer: | D. default
|
| Explanation: | By default the following are predefined on a Cisco VPN concentrator:
- admin
- config
- isp
- mis
- user |
|
| Question: | What is the minimum level of access to configure SNMP on a VPN concentrator?
A. admin
B. config
C. mis
D. isp
|
| Answer: | A. admin
|
| Explanation: | In order to configure SNMP on a concentrator you need admin level access, config level access does not allow SNMP configuration. |
|
| Question: | How can we sort our top ten sessions? [Select 2]
A. by username
B. by throughput
C. by IP Address
D. by duration
E. by protocol
|
| Answer: | B. by throughput
D. by duration
|
| Explanation: | We can sort our sessions by the following:
- Data
- Duration
- Throughput |
|
| Question: | The Live Event Log updates the display every ________ seconds?
A. 60
B. 10
C. 30
D. 5
|
| Answer: | D. 5
|
| Explanation: | The Live Event Log updates the display every 5 seconds. |
|
| Question: | What does a PKCS#7 allows us to do?
A. Allows us to send multiple certificates to be envelopped within one message.
B. Allows us to send the PKCS#10 encrypted to the CA.
C. Allows us to send PKCS#10 to different CAs.
D. Allows us to send multiple certificates using different file encodings.
|
| Answer: | A. Allows us to send multiple certificates to be envelopped within one message.
|
| Explanation: | PKCS#7 is a message syntax that allows multiple certificates to be envelopped within one message (same as zipping multiple files using PKZIP). |
|
| Question: | Which two fields do we find on the certificate revocation list tab? [Select 2]
A. Date&time of next publication
B. Issuer
C. Name of the CA
D. Revocation date&time
E. Serial number
|
| Answer: | D. Revocation date&time
E. Serial number
|
| Explanation: | On the revocation list tab we find the following fields:
- Serial number
- Revocation date&time |
|
| Question: | Which protocol is used for network-based CA enrollment?
A. SCEP
B. PCKS#10
C. PCKS#7
D. X.509
|
| Answer: | A. SCEP
|
| Explanation: | SCEP or Simple Certificate Enrollment Protocol is used when using network-based CA enrollment. |
|
| Question: | By default the concentrator uses which field from the certificate when using group matching?
A. OU
B. L
C. O
D. FQDN
|
| Answer: | A. OU
|
| Explanation: | The OU field is used by default by the concentrator when using group matching. |
|
| Question: | How can we view the installed root certificate?
A. Configuration > certificate management > view
B. Administration > certificate management > root > view
C. Administration > certificate management > view
D. Administration > certificate management
E. Configuration > certificate management > root > view
|
| Answer: | C. Administration > certificate management > view
|
| Explanation: | The Administration > certificate management > view window will display the installed root certificate. |
|
| Question: | Which of the following fields is not on the Identity certificate section?
A. Expiration
B. Actions
C. Subject
D. Issuer
E. SCEP Issuer
|
| Answer: | E. SCEP Issuer
|
| Explanation: | The Identity Certificate section contains the following fields:
- Subject
- Issuer
- Expiration
- Actions |
|
| Question: | Which 2 protocols can we use for CRL distribution points? [Select 2]
A. HTTPS
B. TFTP
C. FTP
D. HTTP
E. LDAP
|
| Answer: | D. HTTP
E. LDAP
|
| Explanation: | We can use HTTP or LDAP as our CRL distribution point protocol. |
|
| Question: | When using file-based enrollment on the VPN client we can use which of the following file encodings? [Select 2]
A. SHA-1
B. Base 64
C. 3DES-168
D. DER
E. MD5
|
| Answer: | B. Base 64
D. DER
|
| Explanation: | With file-enrollment we can select Base-64 or DER (Distinguished Encoding Rules) as our file encoding type. |
|
| Question: | If we want to import a certificate that is resident in Internet Explorer, what will be the file extension?
A. .cer
B. .pfx
C. .p7b
D. .cec
|
| Answer: | B. .pfx
|
| Explanation: | Microsoft Personal Exchange Files, .pfx are certificates resident in Internet Explorer which we can import. |
|
| Question: | Which of the following are PKI models? [Select 2]
A. Central
B. Custom
C. Hierarchical
D. Independant
E. Cascaded
|
| Answer: | A. Central
C. Hierarchical
|
| Explanation: | A PKI can be either central or hierarchical. |
|
| Question: | Which Cisco VPN client feature verifies that a specific firewall is installed on a client PC?
A. Are you there
B. Statefull firewall
C. Central policy protection
D. Cisco intergrated client
|
| Answer: | A. Are you there
|
| Explanation: | The AYT, are you there, Cisco VPN client feature verifies that a specific firewall is installed on a client PC. |
|
| Question: | Which of the following firewalls are supported in the AYT feature? [Select 2]
A. Checkpoint
B. Microsoft XP SP2 integrated firewall
C. Netscreen
D. ZoneAlarm
E. BlackIce Defender
|
| Answer: | D. ZoneAlarm
E. BlackIce Defender
|
| Explanation: | The AYT feature supports the following firewalls:
- Cisco Integrated Client Firewall
- BlackIce Defender
- ZoneAlarm
- Sygate Personal Firewall
- Cisco Intrusion Prevention Security Agent |
|
| Question: | What is the poll interval when Firewall require setting is turned on?
A. 30 seconds
B. 10 seconds
C. 20 seconds
D. 60 seconds
|
| Answer: | A. 30 seconds
|
| Explanation: | With the Firewall required setting turned on the software client polls the firewall every 30 seconds. |
|
| Question: | Which firewalls support the CPP feature? [Select 2]
A. ZoneLabs
B. Cisco Integrated Client
C. BlackIce Defender
D. Sygate Personal Firewall
|
| Answer: | A. ZoneLabs
B. Cisco Integrated Client
|
| Explanation: | The CPP, Central Policy Protection feature is supported on the following firewalls:
- Cisco Integrated Client
- ZoneLabs |
|
| Question: | Which protocol is not on the list of the protocol drop-down menu when creating a customized firewall policy? [Select 2]
A. EIGRP
B. OSPF
C. IP
D. TCP
E. IGMP
F. IGP
|
| Answer: | A. EIGRP
C. IP
|
| Explanation: | The following protocols are listed in the drop-down menu when creating a customized firewall policy:
- any
- ICMP
- TCP
- EGP
- IGP
- UDP
- ESP
- AH
- GRE
- RSVP
- IGMP
- OSPF |
|
| Question: | When creating a customized firewall policy on the concentrator what is the default wildcard mask for the souce address?
A. 255.255.255.0 if the IP address is a class C
B. 255.255.0.0 if the IP address is a class B
C. 255.0.0.0 if the IP address is a class A
D. 255.255.255.255 regardless of the IP address class
|
| Answer: | D. 255.255.255.255 regardless of the IP address class
|
| Explanation: | The default wildcard mask for the source address is 255.255.255.255 when creating a customized firewall policy. |
|
| Question: | On which tab do we assign the customized firewall policy to the CPP?
A. Configuration > User Management > Groups > Client FW
B. Configuration > User Management > Groups > Client Config
C. Configuration > User Management > Groups > General
D. Configuration > User Management > Groups > Security
|
| Answer: | A. Configuration > User Management > Groups > Client FW
|
| Explanation: | We assign the customized firewall policy to the CCP on the configuration > User Management > Groups > Client FW tab. |
|
| Question: | In client mode what is used to hide the private network?
A. Static NAT
B. IPSec
C. PAT
D. Dynamic NAT
|
| Answer: | C. PAT
|
| Explanation: | The Hardware VPN client uses PAT to hide the private networks from the public network. |
|
| Question: | What is the default, private, IP address of the Cisco VPN hardware client?
A. 192.168.1.1
B. 172.16.1.1
C. 192.168.1.10
D. 10.10.10.1
E. 192.168.10.1
F. 10.1.1.1
|
| Answer: | E. 192.168.10.1
|
| Explanation: | The default IP address for the Cisco Hardware VPN client is 192.168.10.1 |
|
| Question: | What are the options to configure the public IP address on a Hardware VPN client? [Select 2]
A. PPPoA
B. PPPoE
C. RARP
D. DHCP
|
| Answer: | B. PPPoE
D. DHCP
|
| Explanation: | You can configure the public IP address on a Hardware VPN client using the following:
- DHCP
- Static
- PPPoE |
|
| Question: | How many DNS servers can we configure on VPN Hardware client?
A. 1
B. 2
C. 3
D. 5
|
| Answer: | C. 3
|
| Explanation: | We can configure up to 3 DNS servers on Hardware VPN client. |
|
| Question: | What is the default IPSec over TCP port number on a 3002 VPN concentrator?
A. 500
B. 50
C. random port number
D. 10000
|
| Answer: | D. 10000
|
| Explanation: | The default IPSec over TCP port number on a 3002 VPN concentrator is 10000. |
|
| Question: | On which tab of a 3002 concentrator can we view if a tunnel is established?
A. Monitoring > tunnel
B. Monitoring > system status
C. Monitoring > user status
D. Monitoring > routing table
|
| Answer: | B. Monitoring > system status
|
| Explanation: | We can view if a tunnel is established on the monitoring > system status tab of a 3002 concentrator. If not we can click on the connect now button to establish the tunnel. |
|
| Question: | How do we enable network extension mode on a 3002 concentrator?
A. By checking the network extension mode box on Configuration > System > Tunneling protocols
And allowing Network Extentions mode on the HW Client tab
B. By disabling PAT on Configuration > Policy Management > Traffic Management > PAT > Enable
And allowing Network Extentions mode on the HW Client tab
C. By checking the network extension mode box on Configuration > Policy Management > Traffic Management
And allowing Network Extentions mode on the HW Client tab
D. By checking the network extension mode box on Configuration > System > General
And allowing Network Extentions mode on the HW Client tab
|
| Answer: | B. By disabling PAT on Configuration > Policy Management > Traffic Management > PAT > Enable
And allowing Network Extentions mode on the HW Client tab
|
| Explanation: | We enable Network Extension mode by disabling PAT on Configuration > Policy Management > Traffic Management > PAT > Enable. We also need to do an additional step by allowing Network Extentions mode on the HW Client tab. |
|
| Question: | How can we verify that we are working in Network Extension mode on a 3002 VPN concentrator?
A. On the Monitoring > System status tab it will display Network Extension mode in the VPN Client type.
B. The client does not have an assigned IP address on the Monitoring > System status tab
C. The client has an assigned IP address on the Monitoring > System status tab
D. On the Monitoring > System status tab it will display Network Extension mode in the tunnel type.
|
| Answer: | B. The client does not have an assigned IP address on the Monitoring > System status tab
|
| Explanation: | In Network Extension mode the client does not have an assigned IP address on the Monitoring > System status tab. |
|
| Question: | What protocol is used to update the client using the Auto-Update feature?
A. FTP
B. HTTP
C. LDAP
D. TFTP
|
| Answer: | D. TFTP
|
| Explanation: | The Auto-Update feature uses TFTP to update the software to the clients. |
|
| Question: | Which of the following are authentication options for the Hardware client? [Select 2]
A. User authentication
B. No authentication
C. Unit authentication
D. Group authentication
|
| Answer: | A. User authentication
C. Unit authentication
|
| Explanation: | The three authentication options for the Hardware client are as follows:
- Unit authentication
- Interactive unit authentication
- User authentication |
|
| Question: | Which of the following are methods to access the username/password prompt on a 3002 concentrator? [Select 2]
A. Connect via Hardware Client Manager
B. Connect via Monitoring > Sessions > HW Client window
C. Connect via Monitoring > System Status window
D. Connect via Monitoring > Sessions window
|
| Answer: | A. Connect via Hardware Client Manager
C. Connect via Monitoring > System Status window
|
| Explanation: | The following methods can be used to access the username/password prompt:
- Connect via the Hardware Client Manager
- Connect via the Systems Status window
- Connect via the redirect message |
|
| Question: | On which tab do we enable Individual User Authentication?
A. Client FW
B. General
C. HW Client
D. Identity
|
| Answer: | C. HW Client
|
| Explanation: | We configure Individual User Authentication on the HW Client tab of Configuration > User Management > Groups > Modify screen. |
|
| Question: | When looking at the individual users statistics in the Monitoring > User Status window, which of the following statistics can we view? [Select 2]
A. Amount of traffic sent/received
B. Logout function
C. IP addresses of resources accessed
D. IP address
E. Users group membership
|
| Answer: | B. Logout function
D. IP address
|
| Explanation: | When viewing the individual user statistics we can observe the following:
- IP address
- MAC address
- Username
- Login time and duration
- Logout function |
|
| Question: | What is the time that a Hardware Client waits for an IKE reply packet from a primary concentrator before declaring the packet lost?
A. 4 seconds
B. 6 seconds
C. 8 seconds
D. 10 seconds
|
| Answer: | C. 8 seconds
|
| Explanation: | A Hardware Client will wait for 8 seconds for an IKE reply packet from a primary concentrator before declaring the packet lost. |
|
| Question: | How many IPSec backup servers can be configured on Hardware Client?
A. 16
B. 5
C. 10
D. 8
|
| Answer: | C. 10
|
| Explanation: | Up to 10 IPSec backup servers can be configured on a Hardware Client. |
|
| Question: | Which concentrator services the virtual IP address when load balancing?
A. primary cluster manager
B. virtual cluster agent
C. virtual cluster manager
D. virtual cluster master
|
| Answer: | D. virtual cluster master
|
| Explanation: | The virtual cluster master will service the IP address when load balancing. |
|
| Question: | What method is used when using load-balancing on VPN concentrators?
A. round robin
B. by load
C. by source
D. by destination
|
| Answer: | B. by load
|
| Explanation: | Connections to the load-balancing cluster are based on the load. |
|
| Question: | Which of the following are functions of the VCA?
A. calculating the load
B. authenticate the clients
C. joining and exiting the virtual cluster
D. re-directing clients to least-congested concentrator
E. assigning IP addresses to the clients
|
| Answer: | A. calculating the load
C. joining and exiting the virtual cluster
|
| Explanation: | The functions of the VCA, virtual cluster agent are:
- joining and exiting the virtual cluster
- establishing IPSec connections between peers in the cluster
- calculating the load - sending periodic load and health check information to the cluster master
- determining a failed cluster master
- particioating in a virtual master election process |
|
| Question: | Which of the following are considered primary threats to network security? [select 2]
A. external
B. structured
C. distributed
D. exterior
E. organised
|
| Answer: | A. external
B. structured
|
| Explanation: | The four primary threats againsts network security are:
- unstructured threats
- structured threats
- external threats
- internal threats |
|
| Question: | What type of attack is described by the following:
It will try to do unauthorized data manipulation or privilege escalation
A. Reconnaissance attack
B. DoS attack
C. Access attack
D. DDos attack
|
| Answer: | C. Access attack
|
| Explanation: | Access attacks refers to unauthorized data manipulation, system access and privilege escalation. |
|
| Question: | An attack coming from a highly motivated and technical individual is called a(n) ____________ attack.
A. unstructured
B. external
C. structured
D. internal
|
| Answer: | C. structured
|
| Explanation: | An attack coming from a highly motivated and technical individual is called a structured attack. |
|
| Question: | What is the correct order for the security wheel?
A. step 1,step 2,step 3,step 4
B. Secure,Monitor,Test,Improve
|
| Answer: | B. Secure,Monitor,Test,Improve
|
| Explanation: | The security wheel uses the following order:
- Secure
- Monitor
- Test
- Improve |
|
| Question: | In Ciscos AVVID model, which are part of the Internet Middleware layer? [select 2]
A. Accounting
B. Security
C. Caching
D. Collaboration
E. Switches and routers
|
| Answer: | B. Security
D. Collaboration
|
| Explanation: | Messaging, contact center, multimedia, voice call processing, collaboration, video on demand, personal productivity, policy management, security, content distribution, SLA management and address management can all be found at the Internet Middleware layer of Ciscos AVVID model. |
|
| Question: | Which of the following is not a layer of the SAFE blueprint incorporated in AVVID? [select 2]
A. Infrastructure
B. Enterprise
C. Service Control
D. Security
|
| Answer: | B. Enterprise
D. Security
|
| Explanation: | The SAFE layers incorporated in AVVID are:
- Infrastructure layer
- Appliances layer
- Service control layer
- Applications layer |
|
| Question: | Which of the following are VPN implementation scenarios? [select 2]
A. Firewall based
B. Site-to-site
C. Server based
D. Client access
|
| Answer: | A. Firewall based
B. Site-to-site
|
| Explanation: | The following scenarios exist for VPN implementation:
- Remote-access
- Site-to-site
- Firewall-based |
|
| Question: | DH group 2 has wich key size?
A. 512 bit
B. 768 bit
C. 2048 bit
D. 1024 bit
|
| Answer: | D. 1024 bit
|
| Explanation: | Diffie-Hellman group 2 has a key size of 1024 bits. |
|
| Question: | Which of the following protocols can we use for data integrity when using IPSec?
A. DH5
B. SHA-1
C. DES
D. 3DES
|
| Answer: | B. SHA-1
|
| Explanation: | MD5 and SHA-1 are used to provide us data integrity when using IPSec. |
|
| Question: | Which of the following are provided by IPSec? [select 2]
A. compression
B. quality of service
C. origin authentication
D. anti-replay protection
|
| Answer: | C. origin authentication
D. anti-replay protection
|
| Explanation: | IPSec provides the following functions:
- confidentiality
- data integrity
- origin authentication
- anti-replay protection |
|
| Question: | Which of the following can be used for peer authentication? [select 2]
A. 3DES
B. RSA encrypted nonces
C. DH 2
D. AES
E. Preshared keys
|
| Answer: | B. RSA encrypted nonces
E. Preshared keys
|
| Explanation: | Peer authentication can use one of the following:
- Preshared keys
- RSA signatures
- RSA encrypted nonces |
|
| Question: | Which of the following are provide both by AH and ESP? [select 2]
A. Data origin
B. Compression
C. Anti-replay protection
D. Data confidentiality
|
| Answer: | A. Data origin
C. Anti-replay protection
|
| Explanation: | AH and ESP both provide anti-replay protection, data origin and data integrity (for ESP MD5 or SHA-1 has to be turned on in the transform set). |
|
| Question: | AH uses which protocol number?
A. 50
B. 500
C. 514
D. 51
|
| Answer: | D. 51
|
| Explanation: | AH is IP Protocol 51. |
|
| Question: | ESP can operate in which of the following modes? [select 2]
A. Tunnel
B. Site-to-site
C. Transport
D. Secure
|
| Answer: | A. Tunnel
C. Transport
|
| Explanation: | ESP can operate either in transport mode or tunnel mode. |
|
| Question: | In what order does IPSec works?
A. step 1,step 2,step 3,step 4,step 5
B. define interesting traffic,IKE phase 1,IKE phase 2,data transfer, IPSec tunnel termination
|
| Answer: | B. define interesting traffic,IKE phase 1,IKE phase 2,data transfer, IPSec tunnel termination
|
| Explanation: | IPSec works like this:
- step 1: define interesting traffic
- step 2: IKE Phase 1
- step 3: IKE Phase 2
- step 4: Data transfer
- step 5: IPSec tunnel termination |
|
| Question: | During which part of IPSec are SAs established?
A. IKE Phase 1
B. Defined together with interesting traffic
C. IKE Phase 2
D. During data transfer
|
| Answer: | C. IKE Phase 2
|
| Explanation: | SAs or Security Associations are established during IKE Phase 2. |
|
| Question: | IKE Phase operates in which of the following modes? [Select 2]
A. main
B. secure
C. aggressive
D. tunnel
|
| Answer: | A. main
C. aggressive
|
| Explanation: | IKE Phase 1 operates either in main mode or aggressive mode. |
|
| Question: | Which of the following is not a VPN Concentrator?
A. 3005
B. 3030
C. 3010
D. 3080
|
| Answer: | C. 3010
|
| Explanation: | The VPN concentrator comes in the following models:
- 3005
- 3015
- 3020
- 3030
- 3060
- 3080 |
|
| Question: | How many simultaneous users can a 3080 accomodate?
A. 10000
B. 1000
C. 5000
D. 100000
|
| Answer: | A. 10000
|
| Explanation: | A 3080 can have 10000 simultaneous users. |
|
| Question: | Which of the following clients can only connect via ethernet?
A. Solaris Client
B. Mac OS Client
C. Windows Client
D. Linux Client
|
| Answer: | B. Mac OS Client
|
| Explanation: | The MAC OS client can only connect via ethernet not ppp as the others. |
|
| Question: | What two modes of operation has the Cisco VPN Hardware client? [select 2]
A. tunnel mode
B. transport mode
C. main mode
D. client mode
E. network extension mode
|
| Answer: | D. client mode
E. network extension mode
|
| Explanation: | The Cisco hardware VPN client can work in client mode or network extension. |
|
| Question: | Which two routing protocols are supported on the VPN concentrators? [Select 2]
A. IGRP
B. RIP
C. BGP
D. EIGRP
E. OSPF
|
| Answer: | B. RIP
E. OSPF
|
| Explanation: | The VPN concentrator supports RIP and OSPF. |
|
| Question: | Which of the following can you not configure in Quick Configuration mode?
A. IP interfaces
B. Admin password
C. User
D. IPSec group
|
| Answer: | C. User
|
| Explanation: | In Quick Configuration you can set the following:
- IP interfaces
- System information
- Protocols
- Address assignment
- Authentication
- IPSec group
- Admin password |
|
| Question: | On which Quick Configuration tab do we set our default gateway?
A. Protocols
B. IP interfaces
C. System information
D. Address assignment
|
| Answer: | C. System information
|
| Explanation: | We can set the default gateway on the system information tab in Quick Configuration. |
|
| Question: | What is the default username/password on a VPN concentrator?
A. cisco/cisco
B. Cisco/Cisco
C. admin/blank_password
D. admin/admin
|
| Answer: | D. admin/admin
|
| Explanation: | The default username/password on a VPN concentrator is admin/admin. |
|
| Question: | If we are using a Certicom client we need to use a IKE proposal that will end in __________ on the VPN concentrator?
A. DH7
B. MD5
C. SHA
D. DH1
|
| Answer: | A. DH7
|
| Explanation: | When using the Certicom client make sure the IKE proposal ends with DH7. |
|
| Question: | On wich tab of the VPN concentrator configuration can we set the access hours?
A. Configuration - User management - Groups - Modify - HW client
B. Configuration - User management - Groups - Modify - General
C. Configuration - User management - Groups - Modify - Client config
D. Configuration - User management - Groups - Modify - Identity
|
| Answer: | B. Configuration - User management - Groups - Modify - General
|
| Explanation: | We can set the access hours on the Configuration - User management - Groups - Modify - General tab. |
|
| Question: | Which of the following is not a tunnel option?
A. split tunneling
B. tunnel everything
C. tunnel everything except local LAN traffic
D. tunnel everything except internet traffic
|
| Answer: | D. tunnel everything except internet traffic
|
| Explanation: | There are three tunnel options:
- tunnel everything
- tunnel everything except local LAN traffic
- split tunneling |
|
| Question: | On the Windows software VPN client, which tab enables IPSec through NAT?
A. Transport
B. Authentication
C. Backup servers
D. Dial-up
|
| Answer: | A. Transport
|
| Explanation: | The transport tab is where we can enable IPSec through NAT |
|
| Question: | Which file contains all the Software Client configuration parameters?
A. .ini file
B. .txt file
C. .exe file
D. .pcf file
|
| Answer: | D. .pcf file
|
| Explanation: | The .pcf file contains all the Software Client configuration parameters. |
|
| Question: | If we dont want the system to reboot after installing the software client, which settings do we need to set in the oem.ini file?
A. silent mode 1
reboot 1
B. silent mode 1
reboot 0
C. silent mode 0
reboot 0
D. silent mode 1
reboot 2
|
| Answer: | D. silent mode 1
reboot 2
|
| Explanation: | Setting silent mode to 1 and reboot to 2 will not reboot the system after the installation. |
|
| Question: | Which of the following CAs are supported on the VPN concentrator?[Select 2]
A. Baltimore
B. Thawte
C. Microsoft
D. Security Keon
|
| Answer: | A. Baltimore
C. Microsoft
|
| Explanation: | The following CAs are supported on the VPN concentrator:
- Entrust
- RSA Security
- Network Associates PGP
- Baltimore
- Microsoft
- Verisign |
|
| Question: | What is not a function of a PKI?
A. Maintain CRLs
B. Generate keys
C. Software updates
D. Distribute certificates
|
| Answer: | C. Software updates
|
| Explanation: | A PKI is responsible for generating and distributing keys, associated certificates and maintain certificate revocation lists (CRLs). |
|
| Question: | Which of the following fields can we find on a PKCS #10? [Select 2]
A. Common Name
B. Country Field
C. Certificate Authoritys name
D. City Field
E. Telephone Number Field
|
| Answer: | A. Common Name
B. Country Field
|
| Explanation: | On the PKCS#10 for we fiend the following fields:
- Common name, CN
- Organizational Unit, OU
- Organization, O
- Locality, L
- State/Province, SP
- Country
- Subject Alternative Name, FQDN
- Subject Alternative Name, E-mail address
- Key-size |
|
| Question: | A PCKS#10 is sent to the CA in which format?
A. X.509
B. PKZIP
C. ASN.1
D. MIME
|
| Answer: | C. ASN.1
|
| Explanation: | A PCKS#10 is sent to the CA in ASN.1 (Abstract Syntax Notation 1) format. |
|
| Question: | Which of the following fields are part of the X.509 certificate? [Select 2]
A. Country Field
B. Organization
C. Subject alternative name
D. Certificate serial number
E. Extensions
|
| Answer: | D. Certificate serial number
E. Extensions
|
| Explanation: | The X.509 digital certificate has the following fields:
- Certificate format version
- Certificate serial number
- Signature algorithm
- Issuer
- Validity period
- Subject X.500 name
- Subject public key information
- Extensions
- CRL-DPs (distribution points)
- CA signature |
|
