Cisco CCNP Security 350-701 Questions & Answers

• Question 511:

  What is a characteristic of a bridge group in ASA Firewall transparent mode?

  A. It includes multiple interfaces and access rules between interfaces are customizable

  B. It is a Layer 3 segment and includes one port and customizable access rules

  C. It allows ARP traffic with a single access rule

  D. It has an IP address on its BVI interface and is used for management traffic

  Correct Answer: A

  Reference:

  https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95- generalconfig/intro-fw.html

  Note: BVI interface is not used for management purpose. But we can add a separate Management slot/port interface that is not part of any bridge group, and that allows only management traffic to the ASA.

• Question 512:

  Refer to the exhibit.

  

  A network administrator configures command authorization for the admin5 user. What is the admin5 user able to do on HQ_Router after this configuration?

  A. set the IP address of an interface

  B. complete no configurations

  C. complete all configurations

  D. add subinterfaces

  Correct Answer: B

  The user "admin5" was configured with privilege level 5. In order to allow configuration (enter globalconfiguration mode), we must type this command:(config)#privilege exec level 5 configure terminalWithout this command, this user cannot do any configuration.Note: Cisco IOS supports privilege levels from 0 to 15, but the privilege levels which are used by default are privilege level 1 (user EXEC) and level privilege 15 (privilege EXEC)

• Question 513:

  Which two behavioral patterns characterize a ping of death attack? (Choose two)

  A. The attack is fragmented into groups of 16 octets before transmission.

  B. The attack is fragmented into groups of 8 octets before transmission.

  C. Short synchronized bursts of traffic are used to disrupt TCP connections.

  D. Malformed packets are used to crash systems.

  E. Publicly accessible DNS servers are typically used to execute the attack.

  Correct Answer: BD

  Ping of Death (PoD) is a type of Denial of Service (DoS) attack in which an attacker attempts to crash,destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command.A correctly- formed ping packet is typically 56 bytes in size, or 64 bytes when the ICMP header is considered,and 84 including Internet Protocol version 4 header. However, any IPv4 packet (including pings) may be as large as 65,535 bytes. Some computer systems were never designed to properly handle a ping packet larger than the maximum packet size because it violates the Internet Protocol documentedLike other large but well-formed packets, a ping of death is fragmented into groups of 8 octets beforetransmission. However, when the target computer reassembles the malformed packet, a buffer overflow can occur, causing a system crash and potentially allowing the injection of malicious code.

• Question 514:

  What does the Cloudlock Apps Firewall do to mitigate security concerns from an application perspective?

  A. It allows the administrator to quarantine malicious files so that the application can function, just not maliciously.

  B. It discovers and controls cloud apps that are connected to a company's corporate environment.

  C. It deletes any application that does not belong in the network.

  D. It sends the application information to an administrator to act on.

  Correct Answer: B

• Question 515:

  Which capability is exclusive to a Cisco AMP public cloud instance as compared to a private cloud instance?

  A. RBAC

  B. ETHOS detection engine

  C. SPERO detection engine

  D. TETRA detection engine

  Correct Answer: B

• Question 516:

  Which RADIUS attribute can you use to filter MAB requests in an 802.1 x deployment?

  A. 1

  B. 2

  C. 6

  D. 31

  Correct Answer: C

  Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity- based-networkingservices/config_guide_c17-663759.html

• Question 517:

  Which algorithm provides encryption and authentication for data plane communication?

  A. AES-GCM

  B. SHA-96

  C. AES-256

  D. SHA-384

  Correct Answer: A

  Reference:

  https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/vedge/security- book/ security-overview.html

• Question 518:

  An organization has two machines hosting web applications. Machine 1 is vulnerable to SQL injection while machine 2 is vulnerable to buffer overflows. What action would allow the attacker to gain access to machine 1 but not machine 2?

  A. sniffing the packets between the two hosts

  B. sending continuous pings

  C. overflowing the buffer's memory

  D. inserting malicious commands into the database

  Correct Answer: D

• Question 519:

  What is a commonality between DMVPN and FlexVPN technologies?

  A. FlexVPN and DMVPN use IS-IS routing protocol to communicate with spokes

  B. FlexVPN and DMVPN use the new key management protocol

  C. FlexVPN and DMVPN use the same hashing algorithms

  D. IOS routers run the same NHRP code for DMVPN and FlexVPN

  Correct Answer: D

  Reference: https://packetpushers.net/cisco-flexvpn-dmvpn-high-level-design/

• Question 520:

  Which two conditions are prerequisites for stateful failover for IPsec? (Choose two)

  A. Only the IKE configuration that is set up on the active device must be duplicated on the standby device; the IPsec configuration is copied automatically

  B. The active and standby devices can run different versions of the Cisco IOS software but must be the same type of device.

  C. The IPsec configuration that is set up on the active device must be duplicated on the standby device

  D. Only the IPsec configuration that is set up on the active device must be duplicated on the standby device; the IKE configuration is copied automatically.

  E. The active and standby devices must run the same version of the Cisco IOS software and must be the same type of device

  Correct Answer: CE

  Stateful failover for IP Security (IPsec) enables a router to continue processing and forwarding IPsec packetsafter a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automaticallytakes over the tasks of the active (primary) router if the active router loses connectivity for any reason. Thisfailover process is transparent to users and does not require adjustment or reconfiguration of any remote peer.Stateful failover for IPsec requires that your network contains two identical routers that are available to be eitherthe primary or secondary device. Both routers should be the same type of device, have the same CPU andmemory, and have either no encryption accelerator or identical encryption accelerators.Prerequisites for Stateful Failover for IPsec Reference: https://www.cisco.com/c/en/us/td/docs/ios- xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpnavailability-15-mt-book/sec-state-fail- ipsec.htmlAlthough the prerequisites only stated that "Both routers should be the same type of device" but in the"Restrictions for Stateful Failover for IPsec" section of the link above, it requires "Both the active and standby devices must run the identical version of the Cisco IOS software" so answer E is better than answer B.