Pass4sure Cisco CCSP Exam 642-552 v2.93

Securing Cisco Networking Devices (SND) : 642-552 Exam
Exam Number/Code: 642-552
Exam Name: Securing Cisco Networking Devices (SND)
VUE Code: 642-552
Questions Type: Single choice
Exam: Cisco 642-552
Title: Cisco® Securing Cisco Network Devices Exam
Update: Demo
1. Referring to the Cisco SDM Security Audit Wizard screen shown, what will happen if you check the Fix it box for "Firewall is not enabled in all the outside interfaces" and then click the Next button?
A. All outside access through the outside interfaces will immediately be blocked by an ACL.
B. SDM will prompt you to configure an ACL to block access through the outside interfaces.
C. SDM will take you to the Advanced Firewall Wizard.
D. SDM will perform a one-step lockdown to lock down the outside interfaces.
E. SDM will take you to the Edit Firewall Policy/ACL screen where you can configure an ACL to block access through the outside interfaces.
Answer: C
2. Which of these two ways does Cisco recommend that you use to mitigate maintenance-related threats? (Choose two.)
A. Maintain a stock of critical spares for emergency use.
B. Ensure that all cabling is Category 6.
C. Always follow electrostatic discharge procedures when replacing or working with internal router and switch device components.
D. Always wear an electrostatic wrist band when handling cabling, including fiber-optic cabling.
E. Always employ certified maintenance technicians to maintain mission-critical equipment and cabling.
Answer: AC
3. Which method of mitigating packet-sniffer attacks is the most effective?
A. implement two-factor authentication
B. deploy a switched Ethernet network infrastructure
C. use software and hardware to detect the use of sniffers
D. deploy network-level cryptography using IPsec, secure services, and secure protocols
Answer: D
4. A malicious program is disguised as another useful program; consequently, when the user executes the program, files get erased and then the malicious program spreads itself using emails as the delivery mechanism. Which type of attack best describes how this scenario got started?
A. DoS
B. worm
C. virus
D. trojan horse
E. DDoS
Answer: D
5. What is the key function of a comprehensive security policy?
A. informing staff of their obligatory requirements for protecting technology and information assets
B. detailing the way security needs will be met at corporate and department levels
C. recommending that Cisco IPS sensors be implemented at the network edge
D. detailing how to block malicious network attacks
Answer: A
6. Which building blocks make up the Adaptive Threat Defense phase of Cisco SDN strategy?
A. VoIP services, NAC services, Cisco IBNS
B. network foundation protection, NIDS services, adaptive threat mitigation services
C. firewall services, intrusion prevention, secure connectivity
D. firewall services, IPS and network antivirus services, network intelligence
E. Anti-X defense, NAC services, network foundation protection
Answer: D
7. Why is TACACS+ the preferred AAA protocol to use with Cisco device authentication?
A. TACACS+ encryption algorithm is more recent than other AAA protocols
B. TACACS+ has a more robust programming interface than other AAA protocols
C. TACACS+ was initially developed as open-source software
D. TACACS+ provides true AAA functional separation and encrypts the entire body of the packet
E. TACACS+ maintains authentication information in the local database of each Cisco IOS router
F. TACACS+ combines authentication and authorization to provide more robust functionalities
Answer: D
8. Which method does a Cisco router use for protocol type IP packet filtering?
A. inspection rules
B. standard ACLs
C. security policies
D. extended ACLs
Answer: D
9. Referring to the network diagram shown, which ACL entry will block any Telnet Client traffic from the Corporate LAN to any Telnet Servers on the Remote Access LAN?
A. access-list 190 deny tcp any eq 23 16.2.1.0 0.0.0.255
B. access-list 190 deny tcp 16.1.1.0 0.0.0.255 eq 23 16.2.1.0 0.0.0.255 eq 23
C. access-list 190 deny tcp any 16.1.1.0 0.0.0.255 eq 23
D. access-list 190 deny tcp any 16.2.1.0 0.0.0.255 eq 23
E. access-list 190 deny tcp 16.2.1.0 0.0.0.255 eq 23 16.1.1.0 0.0.0.255 eq 23
Answer: D
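The point behind answer D is where the port qualifier sits: a Telnet client uses an ephemeral source port and connects to destination port 23, so `eq 23` must follow the destination network. Choices B and E would only match traffic sourced from port 23, which a client never sends. The configuration below is an added example, not part of the original dump, showing how that entry is applied and verified; it assumes the Remote Access LAN is 16.2.1.0/24 (as in the answer choices), that the ACL is applied inbound on the interface facing the Corporate LAN, and that the interface is FastEthernet0/0, since the diagram is not reproduced here.

```cisco
! Extended ACL 190: block Telnet (TCP/23) toward the Remote Access LAN servers.
! 0.0.0.255 is a wildcard mask: 0 bits must match, 1 bits are "don't care",
! so 16.2.1.0 0.0.0.255 covers 16.2.1.0 - 16.2.1.255.
! The "eq 23" follows the DESTINATION address: the server listens on 23,
! the client's source port is ephemeral.
access-list 190 remark Block Telnet clients from reaching Remote Access LAN servers
access-list 190 deny   tcp any 16.2.1.0 0.0.0.255 eq 23 log
!
! ACLs are evaluated top-down and end in an implicit "deny any"; permit
! everything else so the Telnet deny is this list's only effect.
access-list 190 permit ip any any
!
! Apply inbound on the interface that receives Corporate LAN traffic
! (interface name is an assumption for this example).
interface FastEthernet0/0
 description Corporate LAN
 ip access-group 190 in
!
! Verify after a Telnet attempt: the deny line's match counter increments.
! show access-lists 190
```

Two caveats a practitioner would check: the source `any` also blocks Telnet clients on any other network that enters through this interface, which is what you want on a single-LAN interface but not on a shared one (use `16.1.1.0 0.0.0.255` as the source if only the Corporate LAN should be affected); and the `log` keyword sends a message per matching packet, so on a busy link use it only while confirming the rule works.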
10. What two tasks should be done before configuring SSH server operations on Cisco routers? (Choose two.)
A. Upgrade routers to run a Cisco IOS Release 12.1(1)P image.
B. Upgrade routers to run a Cisco IOS Release 12.1(3)T image or later with the IPsec feature set.
C. Ensure routers are configured for external ODBC authentication.
D. Ensure routers are configured for local authentication or AAA for username and password authentication.
E. Upgrade routers to run a Cisco IOS Release 11.1(3)T image or later with the IPsec feature set.
Answer: BD
11. The figure contains a sample configuration using Cisco IOS commands. Which Cisco IOS command or setting does the configuration need to get SSH to work?
A. add the transport input telnet ssh Cisco IOS command after the line vty 0 4 Cisco IOS command
B. add the transport output ssh Cisco IOS command after the line vty 0 4 Cisco IOS command
C. set the SSH timeout value using the ip ssh timeout 60 Cisco IOS command
D. add the crypto key generate rsa general-keys modulus 1024 Cisco IOS command
E. set the SSH retries value using the ip ssh authentication-retries 3 Cisco IOS command
Answer: D
12. Network administrators have just configured SSH on their target router and have now discovered that an intruder has been using this router to perform a variety of malicious attacks. What have they most likely forgotten to do and which Cisco IOS commands do they need to use to fix this problem on their target router?
A. forgot to reset the encryption keys using the crypto key zeroize rsa Cisco IOS global configuration command
B. forgot to close port 23 and they need to issue the no transport input telnet Cisco IOS global configuration command
C. forgot to disable vty inbound Telnet sessions and they need to issue the line vty 0 4 and the no transport input telnet Cisco IOS line configuration commands
D. forgot to restrict access to the Telnet service on port 23 using ACLs and they need to issue the access-list 90 deny any log Cisco IOS global configuration command, and the line vty 0 4 and access-class 90 in Cisco IOS line configuration commands
Answer: C
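Questions 10 to 12 are three pieces of one procedure: prerequisites (crypto-capable image, local or AAA login), the RSA key pair that actually starts the SSH server, and then removing Telnet from the vty lines so the new SSH access is not undermined by the old cleartext one. The configuration below is an added example, not the figure referenced in question 11 and not part of the original dump; the hostname, domain name, username, management subnet 10.0.0.0/24 and timer values are assumptions. Note that the real IOS keyword is `ip ssh time-out` (hyphenated), not `ip ssh timeout` as printed in the question.

```cisco
! Q10 prerequisites: the router needs a hostname and domain name before
! the RSA key can be generated, and a login database for the vty lines.
hostname R1
ip domain-name example.com
!
! Local login database. "secret" stores a hash; "password" would be the
! reversible type 7 form. Privilege 15 is an assumption for this example.
username admin privilege 15 secret S3cr3tPassw0rd!
!
! Q11: generating the RSA key pair is what enables the SSH server.
! Re-running this after a compromise replaces the old host key
! (or clear it first with "crypto key zeroize rsa").
crypto key generate rsa general-keys modulus 2048
!
! SSHv2 only; short negotiation timeout and few authentication retries.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Q12: restrict which hosts may even reach the vty lines, and make SSH
! the only accepted transport. "transport input ssh" replaces the whole
! input list, so Telnet (port 23) is no longer offered.
access-list 90 remark Management hosts allowed to open vty sessions
access-list 90 permit 10.0.0.0 0.0.0.255
access-list 90 deny   any log
!
line vty 0 4
 login local
 access-class 90 in
 transport input ssh
 exec-timeout 5 0
!
! Verify: "show ip ssh" reports SSH Enabled - version 2.0,
! "show users" shows only vty sessions of type ssh,
! "show access-lists 90" shows denied (logged) attempts from other hosts.
```

Order matters: `ip ssh version 2` is rejected until the RSA key exists, and applying `transport input ssh` over a Telnet session drops that session, so make the change from the console or from an SSH session that is already working.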
13. Which security log messaging method is the most common message logging facility and why?
A. SNMP traps, because the router can act as an SNMP agent and forward SNMP traps to an external SNMP server
B. buffered logging, because log messages are stored in router memory and events are cleared whenever the router is rebooted
C. console logging, because security messages are not stored and do not take up valuable storage space on network servers
D. syslog, because this method is capable of providing long-term log storage capabilities and supporting a central location for all router messages
E. logging all events to the Cisco Incident Control System to correlate events and provide recommended mitigation actions
Answer: D
14. What is a syslog configuration oversight that makes system event logs hard to interpret and what can be done to fix this oversight?
A. The system time does not get set on the router, making it difficult to know when events occurred. Recommend that an NTP facility be used to ensure that all the routers operate at the correct time.
B. Third-party flash memory gets installed and doesn't provide easily understandable error or failure codes. Only Cisco-authorized memory modules should be installed in Cisco devices.
C. The syslog message stream does not get encrypted and invalid syslog messages get sent to the syslog server. Encrypt the syslog messages.
D. The syslog messages filter rules did not get configured on the router, resulting in too many unimportant messages. Configure syslog messages filter rules so that low-severity messages are blocked from being sent to the syslog server and are logged locally on the router.
Answer: A
15. What are two security risks on 802.11 WLANs that implement WEP using a static 40-bit key with open authentication? (Choose two.)
A. The IV is transmitted as plaintext, and an attacker can sniff the WLAN to see the IV.
B. The challenge packet sent by the wireless AP is sent unencrypted.
C. The response packet sent by the wireless client is sent unencrypted.
D. WEP uses a weak block cipher such as the Data Encryption Algorithm.
E. One-way authentication only, where the wireless client does not authenticate the wireless access point.
Answer: AE
16. Using 802.1x authentication on a WLAN offers which advantage?
A. enforces a set of the policy statements that regulate which resource to protect and which activities are forbidden
B. allows inbound and outbound packet filter rules to be established at the interface level of a device
C. limits access to network resources based on user login identity; especially suited for large mobile user populations
D. enforces security policy compliance on all devices seeking to access network computing resources
Answer: C
17. How does an application-layer firewall work?
A. examines the data in all network packets at the application layer and maintains complete connection state and sequencing information
B. operates at Layers 3, 4 and 5, and keeps track of the actual application communication process by using an application table
C. determines whether the connection between two applications is valid according to configurable rules
D. allows an application on your private network that does not have a valid registered IP address to communicate with other applications through the Internet
Answer: A
18. Using a stateful firewall, which information is stored in the stateful session flow table?
A. the outbound and inbound access rules (ACL entries)
B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session
C. all TCP and UDP header information only
D. all TCP SYN packets and the associated return ACK packets only
E. the inside private IP address and the translated global IP address
Answer: B
19. What is a potential security weakness of traditional stateful firewall?
A. cannot support non-TCP flows
B. retains the state of user data packet and dynamically assigned ports in the state table
C. cannot track the state of each connection setup to ensure that each connection follows a legitimate TCP three-way handshake
D. cannot detect application-layer attacks
Answer: D
20. A client wants their web server on the DMZ to use a private IP address and to be reachable over the Internet with a fixed outside public IP address. Which type of technology will be effective in this scenario?
A. PAT
B. Dynamic NAT
C. Cut-Through Proxy
D. Application inspection
E. Static NAT
Answer: E
21. A mission-critical server application embeds a private IP address and port number in the payload of its packets, and the client uses that embedded address to reply to the server. Why is implementing NAT over the Internet an issue for this type of application?
A. Embedded IP addresses cause NAT to do extensive packet manipulation. This process is very time intensive and the added delay causes the connection in these types of applications to time out and fail.
B. When the client attempts to reply to the server using the embedded private IP address instead of the public IP address mapped by NAT, the embedded private IP address will not be routable over the Internet.
C. NAT traversal can't be used for embedded IP addresses. Mission-critical applications typically use NAT traversal to ensure stable, timely connections, but not when embedded IP addresses and ports are used.
D. Using NAT makes troubleshooting difficult. You must know the IP address assigned to a device on its NIC and its translated address; it takes too long to determine the source and destination of an embedded IP address, and this delay is not appropriate for mission-critical applications.
Answer: B
22. Which feature is available only in the Cisco SDM Advanced Firewall Wizard?
A. configure a router interface connected to a WLAN
B. create a firewall policy to block SDM access to the router from the outside interface
C. specify the router outside interface to use for remote management access
D. choose physical and logical interfaces connected to a WLAN
E. configure DMZ interfaces with access and inspection rules
Answer: E
23. What is the primary type of intrusion prevention technology used by Cisco IPS security appliances?
A. profile-based
B. rule-based
C. signature-based
D. protocol analysis-based
Answer: C
24. What is the difference between the attack-drop.sdf file and the 128MB.sdf and the 256MB.sdf files?
A. attack-drop.sdf has fewer signatures
B. attack-drop.sdf takes up more router memory space
C. attack-drop.sdf signatures cannot be tuned
D. attack-drop.sdf only contains the Atomic signatures
E. attack-drop.sdf only contains the String signatures
Answer: A
25. By default, what will a router do with incoming network traffic when the Cisco IOS IPS software fails to build a SME?
A. scan traffic using the most recently installed SME
B. drop all packets destined for that SME
C. print a syslog message indicating the failure of the SME build
D. pass traffic packets destined for that SME without scanning them
Answer: D
26. Which three ways can AAA services be implemented for Cisco routers? (Choose three.)
A. self-contained AAA services in the router itself
B. Cisco Secure ACS Network Module
C. Cisco Secure ACS Solution Engine
D. Cisco Security Manager AAA Service Module
E. Cisco Secure ACS for Windows Servers
F. Cisco Security Manager ACS Service Module
Answer: ACE
27. What is a secure way of providing clock synchronization between network routers?
A. sync each router acting as an NTPv2 client to the UTC via the Internet
B. implement an NTPv3 server synchronized to the UTC via an external clock source like a radio or atomic clock, then configure the other routers as NTPv3 clients
C. use CDPv2 and NTPv3 to pass and sync the clocking information between the adjacent routers in the network
D. implement in-band management to sync the clock between the routers using a peer-to-peer architecture using NTPv4 or higher
Answer: B
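Questions 13, 14 and 27 fit together: syslog to a central collector is only useful if every router stamps its messages with the same trusted time, and NTPv3 with authentication is what keeps a rogue time source from skewing those stamps. The configuration below is an added example, not part of the original dump. It assumes a dedicated reference-clock appliance (GPS or radio) at 10.0.0.5 that supports NTP authentication, a router R1 at 10.0.0.1 that relays time to the rest of the network, a management subnet 10.0.0.0/24, and a syslog collector at 10.0.0.20; the key value is a placeholder.

```cisco
! --- R1, the internal NTP server (Q27). It takes time only from the
! external reference clock and answers other routers' requests.
ntp authenticate
ntp authentication-key 1 md5 NtpSharedSecret
ntp trusted-key 1
ntp server 10.0.0.5 key 1
! Answer time requests only from the management network, and do not
! accept time or control queries from anyone else.
access-list 10 permit 10.0.0.0 0.0.0.255
ntp access-group serve-only 10
!
! --- Every other router (Q14): an authenticated NTPv3 client of R1.
! Without a trusted key a host on the LAN could answer as R1 and shift
! the clock, making log correlation meaningless.
ntp authenticate
ntp authentication-key 1 md5 NtpSharedSecret
ntp trusted-key 1
ntp server 10.0.0.1 key 1
clock timezone UTC 0
!
! --- Syslog (Q13) on every router: timestamp with millisecond precision
! and time zone, number messages so drops are detectable, keep a local
! buffer, and ship informational and above to the collector.
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
logging buffered 16384 informational
logging host 10.0.0.20
logging trap informational
no logging console
!
! Verify: "show ntp status" reports "Clock is synchronized";
! "show ntp associations" marks the server with "*" (selected, authenticated);
! "show logging" lists the host and how many messages were sent.
```

`logging trap informational` is the threshold the answer to question 14's distractor D is about: raising it to `warnings` hides the `%SEC-6-IPACCESSLOGP` ACL hits that are the main reason to send security logs off-box, so filter on the collector rather than on the router where possible. Syslog over UDP/514 is unauthenticated and unencrypted, so the collector should sit on the management network and the router should reach it over the management interface, not the Internet-facing one.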
28. What are two ways of preventing VLAN hopping attacks? (Choose two.)
A. Disable DTP on all the trunk ports.
B. Enable VTP pruning on all trunk ports to limit the VLAN broadcast.
C. Set the native VLAN on all the trunk ports to an unused VLAN.
D. Using port security, set the maximum number of secure MAC addresses to 1 on all trunk and access ports.
E. Disable PortFast on all access ports.
Answer: AC
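The two correct answers address the two VLAN hopping variants: switch spoofing (a host negotiates a trunk through DTP) and double tagging (a frame whose outer tag is the native VLAN is stripped on the first trunk and forwarded with its inner tag on the next). The configuration below is an added example, not part of the original dump; the VLAN numbers, interface names and the choice of VLAN 999 as the unused native VLAN are assumptions, and `switchport trunk encapsulation dot1q` is only accepted on platforms that also support ISL.

```cisco
! Reserve an unused VLAN to serve as the native VLAN on every trunk.
vlan 999
 name UNUSED-NATIVE
!
! Trunk toward the next switch (answers A and C).
interface GigabitEthernet1/1
 description Trunk to Distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Optionally tag the native VLAN too: untagged frames arriving on the
! trunk are then dropped instead of being placed in the native VLAN.
vlan dot1q tag native
!
! Access ports: static access mode plus nonegotiate means the port never
! offers a trunk to whatever is plugged in. PortFast (answer E) is about
! spanning tree convergence, not VLAN hopping, and stays on real access
! ports; BPDU guard shuts the port if a switch is attached anyway.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verify: "show interfaces trunk" lists 999 as the native VLAN and only
! 10,20,30 as allowed; "show interfaces GigabitEthernet1/1 switchport"
! shows "Negotiation of Trunking: Off".
```

Disabling DTP on only one side is not enough: `switchport nonegotiate` must be set on both ends of every trunk, and the native VLAN value must match on both ends or the switch will log a native VLAN mismatch and CDP will flag it. Answer B (VTP pruning) and D (port security) are useful for other reasons but neither stops a trunk from being negotiated or a double-tagged frame from crossing it.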
29. Which IKE function is optional?
A. authentication during SA negotiation
B. XAUTH protocol for user authentication
C. Quick Mode for IKE Phase 2
D. IKE SA establishment
Answer: B
30. Which of these is true regarding IKE Phase 2?
A. The SAs used by IPsec are unidirectional, so a separate key exchange is required for each data flow.
B. Either main or aggressive mode can be used to establish the SAs.
C. Quick mode is used to establish the unidirectional IKE SA and the bidirectional IPsec SAs.
D. XAUTH can be optionally used to reauthenticate the IPsec peers.
E. The Diffie-Hellman protocol is used to exchange the public and private keys between the two IPsec peers.
Answer: A
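Questions 29 and 30 map directly onto the two halves of an IOS site-to-site IPsec configuration: the ISAKMP policy is IKE Phase 1 (one bidirectional IKE SA, main mode by default), and the transform set plus crypto map are IKE Phase 2 (quick mode, producing a pair of unidirectional IPsec SAs per protected flow). The configuration below is an added example for one side of the tunnel, not part of the original dump; the peer address 203.0.113.2, the protected networks 10.1.1.0/24 and 10.2.2.0/24, the interface name and the pre-shared key are assumptions, and DH group 14 with AES-256 requires an image that offers them (older images may only provide group 2 or 5).

```cisco
! IKE Phase 1: parameters for the single, bidirectional IKE SA.
! Peer authentication here is mandatory; XAUTH (Q29) would be an
! optional extra step to authenticate a USER on top of this.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key Strong-PSK-Change-Me address 203.0.113.2
!
! IKE Phase 2 (quick mode): how the data will be protected. IPsec SAs
! are unidirectional, so one inbound and one outbound SA are negotiated
! for each flow the crypto ACL matches (Q30, answer A).
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Interesting traffic: only these flows are encrypted.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! PFS forces a fresh Diffie-Hellman exchange for the Phase 2 keys, so a
! compromised Phase 1 secret does not expose past IPsec sessions.
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA
 set pfs group14
 match address VPN-TRAFFIC
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map SITE2SITE
!
! Verify: "show crypto isakmp sa" shows one QM_IDLE entry (Phase 1 up);
! "show crypto ipsec sa" shows separate inbound and outbound SPIs for
! the same flow (the two unidirectional Phase 2 SAs).
```

The mirror image of the crypto ACL and an identical policy, transform set and key must exist on the peer. Question 30's distractor E describes Diffie-Hellman wrongly: the exchange derives a shared secret from public values, and neither side's private value is ever sent.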
“Securing Cisco Networking Devices (SND)”, also known as 642-552 exam, is a Cisco certification.
Questions and Answers : 60 Q&A
Updated: April 3rd , 2008
The Securing Cisco Network Devices 642-552 SND exam is associated with the Cisco Certified Security Professional, Cisco Firewall Specialist, Cisco IPS Specialist, and Cisco VPN Specialist certifications. Candidates can prepare for this exam by taking the Securing Cisco Network Devices v2.0 (SND) course. This exam tests a candidate's knowledge of securing Cisco routers and switches and their associated networks. Topics covered include: security threats facing modern network infrastructures, securing Cisco routers, implementing basic AAA, using ACLs to mitigate router and network threats, implementing secure management and reporting, mitigating common Layer 2 attacks, and implementing Cisco IOS Firewall features, Cisco IOS IPS features, and IPsec VPN features using Cisco Security Device Manager.