
Document: Cisco Secure PIX Firewall Advanced - Version 4.0 pptx


DOCUMENT INFORMATION

Basic information

Format
Pages: 103
Size: 1.13 MB

Contents

9E0-111 (CSPFA) Cisco Secure PIX Firewall Advanced Version 4.0

9E0 - 111 Leading the way in IT testing and certification tools, www.testking.com - 2 -

Important Note, Please Read Carefully

Study Tips
This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Further Material
For this test TestKing also provides:
* Interactive Test Engine Examinator. Check out an Examinator Demo at http://www.testking.com/index.cfm?pageid=724

Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check your member zone at TestKing for an update 3-4 days before the scheduled exam date. Here is the procedure to get the latest version:
1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click the links.
For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

Feedback
Feedback on specific questions should be sent to feedback@testking.com. You should state: exam number and version, question number, and login ID. Our experts will answer your mail promptly.

Explanations
Currently this product does not include explanations. If you are interested in providing TestKing with explanations contact feedback@testking.com. Include the following information: exam, your background regarding this exam in particular, and what you consider a reasonable compensation for the work.

Copyright
Each pdf file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular pdf file is being distributed by you, TestKing reserves the right to take legal action against you according to the International Copyright Laws.

Note: Section A contains 100 questions. Section B contains 57 questions. Section C contains 170 questions. The total number of questions is 327.

Section A

QUESTION NO: 1
You are the network security administrator for an enterprise network with a complex security policy. Which PIX Firewall feature should you configure to minimize the number of ACLs needed to implement your policy?
A. ASA
B. Packet capture
C. Turbo ACLs
D. IP helper
E. Object grouping
Answer: E

QUESTION NO: 2
IPSec works with which switching paths:
A. Process switching
B. Optimum switching
C. Fast switching
D. Flow switching
Answer: A

QUESTION NO: 3
Speaking of Security Association requirements, which of the following statements is true?
A. A set of SAs are needed, one per direction, per protected data pipe.
B. A set of SAs are needed, one per direction, per protocol, per protected data pipe.
C. A set of SAs are needed, one per protocol only.
D. A set of SAs are needed, per protocol, per protected data pipe.
Answer: B

QUESTION NO: 4
The graphic shows the output from the show failover command. This unit is active and the other unit is Standby. For an unknown reason, the failover is triggered and this unit has become Standby. We enter the command "show failover" again. What shall we see as the IP address of the [active-interface-inside]?
A. 172.29.1.2
B. 192.168.89.1
C. 0.0.0.0
D. 172.29.1.1
Answer: D

QUESTION NO: 5
Which of the following statements is not true regarding the DNS Guard?
A. If disabled, can be enabled by the command: fixed protocol dns 53
B. The default UDP time expires in two minutes.
C. Immediately tears down the UDP conduit on the PIX Firewall as soon as the DNS response is received.
D. Prevents against UDP session hijacking and denial of service attacks.
Answer: A

QUESTION NO: 6
In helping the user to choose the right IPSec transform combinations, the following rules apply: (Choose all that apply)
A. To provide authentication services for the transform set, include an AH transform.
B. For authentication services include an ESP authentication transform.
C. To provide data authentication for the data and the outer IP header, include an AH transform.
D. For data confidentiality include an ESP encryption transform.
E. MD5 is stronger than SHA.
Answer: A, B, C, D

QUESTION NO: 7
What is the command that enables IPSec traffic to bypass the check of conduit or access-group command statements?
A. conduit permit ip any any all
B. access-list acl_out permit tcp any any all / access-group acl_out interface outside
C. sysopt connection permit-ipsec
D. conduit permit tcp any any all
Answer: C

QUESTION NO: 8
All of the following statements are true, except:
A. Use the nat command to let users on the respective interfaces start outbound connections. Associate the nat id with the global-id in the global command.
B. An interface is always outside when compared to another interface that has a higher security level.
C. Use a single default route statement to the outside interface only. Set the default route with the ip route command.
D. To permit access to servers on protected networks, use the static and conduit commands.
E. Packets can not flow between interfaces that have the same security level.
Answer: C

QUESTION NO: 9
Which of the following statements are not true: (Choose all that apply)
A. DMZ interface can be considered an inside, or outside interface.
B. DMZ interface is always considered inside.
C. Traffic originating from the inside interface to the outside interface of the PIX Firewall will be allowed to flow unless restricted by access lists.
D. Traffic originating from the outside interface to the inside interface of the PIX Firewall will be dropped unless specifically allowed.
E. DMZ interface is always considered outside.
Answer: B, E

QUESTION NO: 10
Adaptive Security Algorithm (ASA) is the heart of the PIX Firewall. Choose the strict rules that ASA follows: (Choose all that apply)
A. The highest security interface is the inside interface.
B. The highest security interface is the outside interface.
C. No outbound packet can exit the PIX Firewall without a connection and state.
D. No packet, regardless of its direction, can traverse the PIX Firewall without a connection or state.
E. No inbound packet can enter the PIX Firewall without a connection and state.
Answer: A, D

QUESTION NO: 11
Which statements about the PIX Firewall in VoIP environments are true? (Choose two)
A. The PIX Firewall does not support the popular call setup protocol SIP because TCP can be used for call setup.
B. The PIX Firewall allows SCCP signaling and media packets to traverse the PIX Firewall and interoperate with H.323 terminals.
C. The PIX Firewall supports the Skinny Client Control Protocol, which allows you to place IP phones and Call Manager on separate sides of the PIX Firewall.
D. Users behind the PIX Firewall can place outbound calls with IP phones because they use HTTP tunneling to route packets through port 80, making them appear as web traffic.
Answer: B, C

QUESTION NO: 12
Your organization's web traffic has come to a halt because your PIX Firewall is dropping all new connection attempts. Why?
A. You are running a software version older than 5.2, and the embryonic threshold you set in the static command was reached.
B. The shun feature of the PIX Firewall has taken effect because the embryonic threshold you set in the nat command was reached.
C. The TCP Intercept feature of the PIX Firewall has taken effect because the embryonic threshold you set in the static command was reached.
D. The intrusion detection feature of the PIX Firewall has taken effect because the embryonic threshold you set in the conduit command was reached.
Answer: A

QUESTION NO: 13
Which tasks can be performed from the Access Rules tab? (Choose three)
A. Configure translation rules.
B. Configure Cisco Secure ACS.
C. Configure access rules.
D. Define Java and ActiveX filtering rules.
E. Configure command authorization.
F. Create service groups and apply them to ACLs.
Answer: C, D, F

QUESTION NO: 14
Where in PDM do you go to add, delete, or view global pools of addresses to be used by NAT?
A. Global Pools tab
B. System Properties tab
C. Manage Pools button on the Translation Rules tab
D. IP Address Pools button on the VPN tab
Answer: C

QUESTION NO: 15
Which step is optional when creating a crypto map on the PIX Firewall?
A. Create a crypto map entry identifying the crypto map with a unique crypto map name and sequence number.
B. Specify which transform sets are allowed for this crypto map entry.
C. Specify a dynamic crypto map to act as a policy template where the missing parameters are later dynamically configured to match a peer's requirements.
D. Assign an ACL to the crypto map entry.
E. Specify the peer to which IPSec-protected traffic can be forwarded.
Answer: C

QUESTION NO: 16
Which type of downloadable ACLs are best when there are frequent requests for downloading a large ACL?
A. Named ACLs
B. Unnamed ACLs
C. Dynamic ACLs
D. Static ACLs
Answer: A

QUESTION NO: 17
Why is the group tag in the aaa-server command important?
A. The aaa command references the group tag to know where to direct authentication, authorization, or accounting traffic.
B. The group tag identifies which users require authorization to use certain services.
C. The group tag identifies which user groups must authenticate.
D. The group tag enables or disables user authentication services.
Answer: A

QUESTION NO: 18
You have already created an ACL named ACLIN to permit traffic from certain Internet hosts to the web server on your DMZ. How do you make the ACL work for you? (Choose two)
A. Bind the ACL to the DMZ interface.
B. Bind the ACL to the inside interface.
C. Bind the ACL to the outside interface.
D. Create a static mapping for the DMZ server.
E. Create a static mapping for the web server.
F. Create a conduit mapping for the web server.
Answer: C, E

QUESTION NO: 19
Cisco PDM consists of five major configuration areas. Choose these areas.
A. Monitoring
B. Hosts or networks
C. Access rules
D. System properties
E. Preferences
F. Translation rules
Answer: A, B, C, D, F

QUESTION NO: 20
How does the PIX Firewall know where to get the addresses to use for any NAT configuration?
A. From the nat_id in the static command.
B. You can have only one global pool of addresses, so the PIX Firewall knows that NAT uses the addresses in the global pool established by the global command.
C. From the nat_id in the nat command.
D. From the nat_id in the dhcp address command.
Answer: C

QUESTION NO: 21
What is the purpose of the access-group command?
A. Bind an ACL to an interface.
B. Create an object group.
C. Create an access group.
D. Unbind the acl_ID from the interface interface_name
Answer: A

QUESTION NO: 22
Which statements about security level 100 are true? (Choose two)
A. It is the lowest security level.
B. It is the highest security level.
C. It is the least-trusted security level.
D. By default it is designated for the inside interface of the PIX Firewall.
E. It is not currently a configurable security level. It is reserved for future use.
F. By default, it is designated for the outside interface of the PIX Firewall.
Answer: B, D

QUESTION NO: 23
Which statements about the PIX Firewall's DHCP capabilities are true? (Choose two)
A. It can be a DHCP server.
B. It cannot be a DHCP client.
C. You must remove a configured domain name.
D. It can be a DHCP server and client simultaneously.
E. It cannot pass configuration parameters it receives from another DHCP server to its own DHCP clients.
F. The PIX Firewall's DHCP server can be configured to distribute the IP address of up to four DNS servers to its clients.
Answer: A, D

QUESTION NO: 24
The LAN-based failover you configured does not work. Why? (Choose two)
A. You used a hub for failover operation.
B. You used a switch for failover operation.
C. You used a dedicated VLAN for failover operation.
D. You did not set a failover IP address.
E. You did not use a crossover Ethernet cable between the two PIX Firewalls.
F. You used a crossover Ethernet cable between the two PIX Firewalls.
Answer: D, F
Explanation: LAN-Based Failover. It is recommended that you connect the Primary and Secondary PIXes with a dedicated switch. Do not use crossover cables. In the diagram above, a Cisco Catalyst 3500 switch connects the Primary and Secondary PIXes. The LAN failover and stateful failover links are in different VLANs, VLAN 10 and VLAN 20, respectively. The inside-router and outside-router are used only for the sake of testing connectivity.

QUESTION NO: 25
How are LAN-based failover and serial failover alike?
A. Both require that all configuration is performed on the primary PIX Firewall.
B. Both require the use of a special serial cable.
C. They are configured with the same command set.
[...]
Preview fragments from later in the document (truncated in the source and shown in source order; "..." marks where the source cuts off):

QUESTION NO: 79
What PIX Firewall feature do you need when you have NIC-registered IP addresses on your inside network that you want to be accessible on the outside network?
A. NAT
B. PAT
C. NAT+
D. PPPoE
Answer: C

QUESTION NO: 80
Which statement about installing the PIX-4FE and PIX-VPN-ACCEL cards in a PIX Firewall 535 model...

...PIX Firewall is ready
Monitoring the other PIX Firewall's network interface has not yet started
The active PIX Firewall is waiting for configuration replication to be completed
The primary PIX Firewall has finished testing the standby PIX Firewall's interfaces and the standby PIX Firewall is waiting to take control
Answer: B

QUESTION NO: 46
Your new network administrator has recently modified your PIX...

...must configure the primary and secondary PIX Firewalls exactly the same
B. Configuration can be modified on either the primary or secondary PIX Firewalls with the same result
C. Configuration replication is automatic from the active PIX Firewall to the standby PIX Firewall
D. The active PIX Firewall replicates only the failover configuration to the standby PIX Firewall
Answer: C

QUESTION NO: 73 ...

QUESTION NO: 41
Why create Turbo ACLs only on high-end PIX Firewall models, such as the PIX Firewall 525 or 535?
A. They are not supported in any of the low-end models, such as the 506
B. Turbo ACLs require significant amounts of memory
C. Turbo ACLs are processor-intensive
D. Although turbo ACLs improve ACL search time with any PIX Firewall model, they are complicated...

Your primary PIX Firewall is currently the active unit in your failover topology. What will happen to the current IP addresses on the primary PIX Firewall if it fails?
A. They become those of the standby PIX Firewall
B. The ones on the primary PIX Firewall remain the same, but the current IP addresses of the secondary...

...The PIX-VPN-ACCEL card must be installed in the 64-bit/22 MHz bus, and the PIX-4FE card must be installed in the 32-bit/33 MHz bus
B. They can be installed in either the 64-bit/66 MHz bus or the 32-bit/33 MHz bus; however, installing them in the 64-bit/66 MHz bus achieves the best possible system performance
C. They can be installed only in the 32-bit/33 MHz bus and must never be installed in a 64-bit/66...

...the group name differs from the VPN group name on the PIX Firewall
F. Ensure that the group name on the VPN Client matches the vpngroup name on the PIX Firewall
Answer: D, F

QUESTION NO: 68
Which statement about the PIX Firewall and virtual HTTP is true?
A. The PIX Firewall enables web browsers to work correctly with its HTTP authentication. The PIX Firewall redirects the web browser's initial connection...

QUESTION NO: 70
Which object group types can be created in the PIX Firewall? (Choose three)
A. Icmp-type
B. Service
C. Server host
D. ACL out
E. DHCP
F. Protocol
Answer: A, B, F

QUESTION NO: 71
Why is the ASA important for the PIX Firewall? (Choose three)
A. It monitors return packets to assure validity
B. It allows two-way connections on all systems
C. It allows one-way connection...

...closes UDP ports for secure multimedia connections
It opens a large range of ports for these applications if you configure the PIX Firewall to support multimedia
Answer: C, E

QUESTION NO: 54
Which command sets the Telnet password to cisco?
A. enable telnet password cisco
B. telnet password cisco
C. password cisco
D. passwd cisco
Answer: D

QUESTION NO: 55
Which commands configure the PIX Firewall's PPPoE client?...

...the sanity check of PIX Firewall's failover feature? (Choose all that apply)
A. Both PIX Firewalls exchange failover HELLO packets over failover cable every 15 seconds
B. With Network Activity test, the PIX Firewall counts all received packets for up to 5 seconds. If no traffic is received, the PIX is declared nonoperational.

Posted: 24/01/2014, 10:20