Document: Cisco Secure VPN Version 5.1 (pptx)

9E0-121 (CSVPN)

Cisco Secure VPN



Version 5.1

9E0 - 121
Leading the way in IT testing and certification tools, www.testking.com


- 2 -
Important Note, Please Read Carefully

Study Tips
This product will provide you with questions and answers, along with detailed explanations,
carefully compiled and written by our experts. Try to understand the concepts behind the
questions instead of cramming the questions. Go through the entire document at least twice so
that you make sure that you are not missing anything.

Further Material
For this test TestKing also provides:
* Interactive Test Engine Examinator. Check out an Examinator Demo at
http://www.testking.com/index.cfm?pageid=724




Latest Version
We are constantly reviewing our products. New material is added and old material is revised.
Free updates are available for 90 days after the purchase. You should check your member
zone at TestKing for an update 3-4 days before the scheduled exam date.

Here is the procedure to get the latest version:

1. Go to www.testking.com

2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click
the links.

For most updates, it is enough just to print the new questions at the end of the new version,
not the whole document.

Feedback
Feedback on specific questions should be sent to feedback@testking.com. You should state:
Exam number and version, question number, and login ID.

Our experts will answer your mail promptly.


Copyright
Each pdf file contains a unique serial number associated with your particular name and
contact information for security purposes. So if we find out that a particular pdf file is being
distributed by you, TestKing reserves the right to take legal action against you according to
the International Copyright Laws.
Note 1:
Section A contains 93 questions
Section B contains 126 questions.
Section C contains 171 questions.
The total number of questions is 390.

Note 2: First customer, if any, to beat TestKing in providing answers to the unanswered
questions will receive a free TestKing product. Send answers to feedback@testking.com.


Section A
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/csvpnsg/icpdf.pdf

QUESTION NO: 1
If the central Concentrator is configured for interactive unit authentication, a VPN 3002
will prompt for a username/password before establishing a tunnel.
In how many ways can you make a VPN 3002 prompt for the username/password?

A. 1
B. 5
C. 4
D. 2
E. 3


Answer: A
Explanation:
You access the interactive hardware client authentication and individual user authentication
login screens from the VPN 3002 Hardware Client Manager login screen.
Note: You cannot use the command-line interface to log in if user authentication is enabled.
You must use a browser.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a008015d019.html#1006934



QUESTION NO: 2
Performing Quick Configuration on a VPN 3002 Hardware Client, under “Private Interface”
what options are available to the administrator? (Choose all that apply)

A. Do not use the DHCP server to provide address.
B. Do you want to use DHCP server on Interface 1 to provide addresses for the local
LAN?
C. Do not use DHCP client to request address.
D. Do you want to use DHCP client to request addresses for the local LAN?


Answer: A, B
Explanation:
Choose one of the menu options listed.
• If you want to disable the DHCP server, at the prompt enter 1 Disable DHCP Server, and
continue with quick configuration.
• If you want to enable and configure the DHCP server, at the prompt enter 2 Enable and
Configure DHCP Server, and follow Steps 6 through 9 below.
• If you want to enable the DHCP server with existing parameters, at the prompt enter 3.

Reference: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/4_0/gs/3002gs.pdf




QUESTION NO: 3
A VPN 3000 Concentrator is configured for Optional as Firewall Setting and the
expected Firewall is set to ICE BlackICE Defender. A client connects without any
Firewall.
Which of the following will happen?

A. The tunnel will establish as normal.
B. There is no optional firewall setting in the AYT configuration on a Cisco 3000
Concentrator.
C. All answers are incorrect.
D. The tunnel will establish, AYT will fail, the tunnel will be removed and the client will
get disconnected.
E. The Tunnel will establish, but the administrator will receive a notification message
that the client did not match any of the Concentrator’s configured firewalls.


Answer: C
Explanation:
Network ICE's BlackICE Defender is a traffic monitoring security product. If you properly
configure it, BlackICE Defender can work with the VPN Client. You must configure
BlackICE Defender for Trusting, Nervous, or Cautious mode. If you use Nervous or Cautious
mode, add the public IP address of the VPN Concentrator to the list of trusted addresses. You
can now configure the VPN Client to work with BlackICE Defender configured for Paranoid
mode when in Tunnel-everything mode. Split Tunneling requires BlackICE to be in Trusting,
Nervous, or Cautious mode.

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_release_note09186a008015ee05.html


QUESTION NO: 4
Trojan horses fall into which of the following methods?

A. Denial of Service Methods
B. Reconnaissance Methods
C. Stealth Methods
D. Access Methods


Answer: D
Explanation:
The primary vulnerabilities for end-user workstations are viruses and Trojan horse attacks.
Viruses refer to malicious software that is attached to another program to execute a particular
unwanted function on a user's workstation. An example of a virus is a program that is attached
to command.com (the primary interpreter for windows systems), which deletes certain files
and infects any other versions of command.com that it can find. A Trojan horse is different
only in that the entire application was written to look like something else, when in fact it is an
attack tool. An example of a Trojan horse is a software application that runs a simple game on
the user’s workstation. While the user is occupied with the game, the Trojan horse mails a
copy of itself to every user in the user’s address book. Then other users get the game and play
it, thus spreading the Trojan horse.

Reference: Safe White papers; Page 70
SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks





QUESTION NO: 5
What are the two purposes of X.509 certificate serial numbers?

A. It is a unique certificate numerical identifier in the certificate authority domain.
B. It identifies the certificate authority public key and hashing algorithm.
C. Includes subject’s public key and hashing algorithm.
D. It is the number used to identify certificates in CRLs.
E. It specifies start and expiration dates on the certificate.


Answer: A, D
Explanation:
A certificate is normally expected to be valid for its entire validity period. However, if a
certificate becomes invalid due to such things as a name change, change of association
between the subject and the CA, and security compromise, the CA revokes the certificate.
Under X.509, CAs revoke certificates by periodically issuing a signed CRL, where each
revoked certificate is identified by its serial number. Enabling CRL checking means that every
time the VPN Concentrator uses the certificate for authentication, it also checks the CRL to
ensure that the certificate being verified has not been revoked.

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800d658e.shtml




QUESTION NO: 6
Which of the following statements is true in defining RSA signature system?

A. An RSA signature is formed when data is encrypted with a user’s private key and the
receiver verifies the signature by decrypting the message with the sender’s private key.
B. An RSA signature is formed when data is encrypted with a user’s public key and the
receiver verifies the signature by decrypting the message with the sender’s private key,
C. An RSA signature is formed when data is encrypted with a user’s private key and the
receiver verifies the signature by decrypting the message with the sender’s public key.
D. An RSA signature is formed when data is encrypted with a user’s public key and the
receiver verifies the signature by decrypting the message with the sender’s public key.


Answer: D
Explanation:
With a CA, a peer authenticates itself to the remote peer by sending a certificate to the remote
peer and performing some public key cryptography. Each peer must send its own unique
certificate which was issued and validated by the CA. This process works because each peer's
certificate encapsulates the peer's public key, each certificate is authenticated by the CA, and
all participating peers recognize the CA as an authenticating authority. This is called IKE with
an RSA signature.

Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080106f63.html



QUESTION NO: 7
Which model of the VPN 3000 Concentrator matches the following descriptions:
- 256 MB of SRAM
- Hardware Based Encryption
- Programmable DSP-based security accelerator
- Supports up to 5000 simultaneous remote connections

A. Model 3080
B. Model 3015
C. Model 3060
D. Model 3030


Answer: C
Explanation:
VPN 3060
• Appropriate for a large central site
• Supports up to 5000 simultaneous sessions
• Supports two SEP2 hardware modules-up to 5000 sessions
• Upgradeable
• Memory – 256 MB SRAM standard
• Encryption – Hardware-based SEP2 - Programmable DSP-based security accelerator

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 55 + 57


QUESTION NO: 8
Each IPSec peer has how many keys?

A. 3
B. It depends
C. 4
D. 2


Answer: B
Explanation:
Without a CA, if you want to enable IPSec services (such as encryption) between two peers,
you must first ensure that each peer has the other's key (such as an RSA public key or a pre-
shared key).
If you have multiple Cisco peers in a mesh topology, and wish to exchange IPSec traffic
passing between all of the peers, you must first configure shared keys or RSA public keys
between all of the peers.
Every time a new peer is added to the IPSec network, you must configure keys between the
new peer and each of the existing peers.

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080089901.html




QUESTION NO: 9
VPN is the most cost-effective method of establishing a point-to-point connection
between remote users and the enterprise network. Cisco categorizes VPN in three types:
(Choose three)

A. Hybrid VPN
B. Access VPN
C. Extranet VPN
D. Direct VPN
E. Intranet VPN


Answer: B, C, E
Explanation:
Virtual private network (VPN) routers are secure, scalable VPN platforms that provide enterprise
customers with a comprehensive solution for cost-effective remote access, intranet and
extranet connectivity using public data services.

Reference: http://newsroom.cisco.com/dlls/fspnisapi7399-2.html




QUESTION NO: 10
To troubleshoot SCEP enrollment, the administrator should scrutinize what event class
in the event log?

A. IKE
B. IPSec
C. SCEP
D. Cert


Answer: D
Explanation:
The goal of SCEP is to support the secure issuance of certificates to network devices in a
scalable manner, using existing technology whenever possible. The protocol supports the
following operations:
• CA and RA public key distribution
• Certificate enrollment
• Certificate revocation
• Certificate query
• CRL query

Reference: http://www.cisco.com/warp/public/cc/pd/sqsw/tech/scep_wp.htm





QUESTION NO: 11
If the LAN-to-LAN tunnel is not established, which three IPSec LAN-to-LAN
configuration parameters should the administrator verify at both ends of the tunnel?
(Choose three)

A. Name
B. Pre-shared key
C. Authentication
D. Routing
E. Local network IP address
F. Remote network IP address


Answer: C, E, F
Explanation:
A continuation of step 2 includes going to Configuration | System | Tunneling Protocols |
IPSec LAN-to-LAN and clicking Add to configure the IPSec parameters as follows:

Step 1 Enter the name for the LAN-to-LAN connection.

Step 2 Set the peer value to be the IP address assigned to the outside interface of the remote
PIX Firewall.

Step 3 Enter an alphanumeric string value for the preshared key to match that of the peer, or
select a digital certificate.

Step 4 Select the authentication and encryption values to match the IPSec policy. Select the
IKE policy configured in Step 1.

Step 5 Set the local network to be the network address that the private interface is on.

Step 6 Set the destination network to be a network on the peer’s network.
Set the wildcard mask to be the network’s subnet mask.

Step 7 Click Add.

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 324
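A cross-check of the parameters the steps above have you enter on each end, written as an added example (not Cisco's code and not part of this study guide): it takes the values configured on both Concentrators and reports which of peer, pre-shared key, authentication, encryption, local network and remote network fail to mirror each other. The class, field and function names and the sample addresses are this example's own.

```python
"""Consistency check for the two ends of an IPSec LAN-to-LAN tunnel.

Added example (not Cisco's code and not part of the original study guide).
It models the values the steps above have you enter on each Concentrator
(name, peer, pre-shared key, authentication, encryption, local network and
remote network) and lists every mismatch that would stop the tunnel from
coming up. Class and field names are this example's own; the addresses and
networks below are constructed sample values.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List


@dataclass(frozen=True)
class LanToLanEnd:
    name: str
    public_ip: str        # address of this end's public interface
    peer: str             # peer value entered on this end (the other end's public_ip)
    preshared_key: str
    authentication: str   # IPSec SA authentication, e.g. "ESP/MD5/HMAC-128"
    encryption: str       # IPSec SA encryption, e.g. "3DES-168"
    local_network: str    # network behind this end's private interface (CIDR)
    remote_network: str   # network behind the peer's private interface (CIDR)


def _net(cidr: str):
    # strict=False tolerates host bits being set, as happens when an
    # address/wildcard pair is transcribed into CIDR form by hand.
    return ip_network(cidr, strict=False)


def check_lan_to_lan(a: LanToLanEnd, b: LanToLanEnd) -> List[str]:
    """Return the mismatches between the two ends; an empty list means they mirror."""
    problems: List[str] = []
    # Step 2: each end's peer value must be the other end's public address.
    for me, other in ((a, b), (b, a)):
        if me.peer != other.public_ip:
            problems.append(f"{me.name}: peer {me.peer} is not {other.name}'s "
                            f"public interface {other.public_ip}")
    # Step 3: the pre-shared key must be identical (only the fact is reported,
    # never the key material itself).
    if a.preshared_key != b.preshared_key:
        problems.append("pre-shared key differs between the two ends")
    # Step 4: authentication and encryption must come from the same IPSec policy.
    if a.authentication != b.authentication:
        problems.append(f"authentication differs: {a.authentication} vs {b.authentication}")
    if a.encryption != b.encryption:
        problems.append(f"encryption differs: {a.encryption} vs {b.encryption}")
    # Steps 5 and 6: one end's local network is the other end's remote network.
    for me, other in ((a, b), (b, a)):
        if _net(me.local_network) != _net(other.remote_network):
            problems.append(f"{me.name} local {me.local_network} is not "
                            f"{other.name} remote {other.remote_network}")
    return problems


def sample_pair():
    """A correctly mirrored pair (constructed sample values)."""
    hq = LanToLanEnd("HQ", "203.0.113.10", "198.51.100.20", "example-psk",
                     "ESP/MD5/HMAC-128", "3DES-168", "10.1.0.0/24", "10.2.0.0/24")
    branch = LanToLanEnd("Branch", "198.51.100.20", "203.0.113.10", "example-psk",
                         "ESP/MD5/HMAC-128", "3DES-168", "10.2.0.0/24", "10.1.0.0/24")
    return hq, branch


def sample_broken_pair():
    """The same pair with two typical mistakes made on the branch end."""
    hq, branch = sample_pair()
    branch = replace(branch, preshared_key="example-psk-typo", remote_network="10.1.0.0/16")
    return hq, branch


if __name__ == "__main__":
    for label, pair in (("mirrored", sample_pair()), ("broken", sample_broken_pair())):
        print(label, check_lan_to_lan(*pair) or "OK")
```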



QUESTION NO: 12
Which statement about the Cisco VPN client software update is true?

A. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the remote
Cisco VPN Client automatically downloads a new version of code from a configured
web site.
B. As remote Cisco VPN Client connects to the Cisco VPN Concentrator, the remote
Cisco VPN Client automatically downloads a new version of code from a TFTP
server.
C. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the Cisco
VPN Concentrator automatically downloads a new version of the software.
D. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the Cisco
VPN Concentrator only sends an update notification to the remote Cisco VPN Client.


Answer: D
Explanation:
When you enable client update, upon connection the central-site VPN Concentrator sends an
IKE packet that contains an encrypted message that notifies VPN Client users about
acceptable versions of executable system software. The message includes a location that
contains the new version of software for the VPN Client to download. The administrator for
that VPN Client can then retrieve the new software version, and update the VPN Client
software.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00800dc6fe.html




QUESTION NO: 13
To clear the ARP cache on a Cisco VPN Concentrator, which status screen should the
administrator access?

A. Monitor | Routing Table
B. Monitor | ARP cache
C. Monitor | Statistics | MIB-II
D. Monitor | System Statistics


Answer: C
Explanation:
Monitoring | Statistics | MIB-II | ARP Table
This screen shows entries in the Address Resolution Protocol mapping table since the VPN
3002 was last booted or reset. ARP matches IP addresses with physical MAC addresses, so
the system can forward traffic to computers on its network. RFC 2011 defines MIB entries in
the ARP table.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00800bcd4e.html#1889235




QUESTION NO: 14
When first installing the Cisco VPN Concentrator, why should you use CLI?

A. To configure the Cisco VPN Concentrator.
B. To configure the private LAN port.
C. To connect to the Internet.
D. To configure serial ports.


Answer: B
Explanation:
The private LAN on the Cisco VPN 3000 Concentrator series initially must be configured
with the CLI. Once the private interface is configured, you can use the browser management
interface.

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 235



QUESTION NO: 15
Choose the two ways an administrator can set up user authentication and IP address
assignment. (Choose two)


A. Per user
B. Per domain
C. Per Cisco VPN Concentrator (globally)
D. Per group
E. Per network
F. Per server


Answer: A, F
Explanation:
Configuring Address Assignment
You can select prioritized methods for assigning IP addresses to clients as a tunnel is
established. The methods are tried in the order listed. You must select at least one method.
You can select any and all methods:
• Client Specific
• Per User
• DHCP
• Configured Pool

Configuring Authentication
You can choose how to authenticate users. You can select the VPN Concentrator internal
server or one of three external server types. You must select one server type. You can
configure additional authentication servers on the Configuration | System | Servers |
Authentication screen using regular system configuration.

Reference:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/gs/gs.pdf




QUESTION NO: 16
Which three are Cisco VPN Client firewall features? (Choose three)

A. Are you there
B. Authentication proxy
C. Stateful firewall (always on)
D. Content filtering
E. Central protection policy
F. Stateful failover


Answer: A, C, E
Explanation:

Firewall Feature
• Support for firewalls
• Centralized Protection Policy
• Stateful Firewall
• ICMP permission

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_chapter09186a008015e26e.html




QUESTION NO: 17
How can you monitor IPSec sessions on the Cisco VPN Client?

A. Monitor-Screen | Encryption
B. Cisco VPN Client Connection Status window
C. Monitor-Sessions screen
D. Monitor-Routing table


Answer: B
Explanation:
Sample VPN Client Window


Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_chapter09186a008015cffc.html




QUESTION NO: 18
For the Cisco VPN Concentrator, what are the two types of certificate enrollment?
(Choose two)

A. File-based enrollment process
B. SCEP
C. PKCS#15 enrollment process
D. Automated enrollment process
E. Out-of-band enrollment process
F. Certified enrollment process


Answer: A, B
Explanation:
Cisco Secure VPN Client interoperates with Cisco networking devices using digital
certificates in certification authority (CA) and Registration Authority (RA) modes with
file-based enrollment and Simple Certificate Enrollment Protocol (SCEP).

Reference: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/csvpnsg/icpdf.pdf





QUESTION NO: 19
When the IPSec client-to-LAN applications are changed from pre-shared keys to digital
certificates, what is true about the IPSec SA?

A. SA IKE authentication method should be changed.
B. SAP IPSec authentication method should be changed.
C. When the digital certificate is validated, the IPSec SA template automatically is
updated.
D. When the digital certificate is activated, the IPSec SA template is automatically
updated.


Answer: A
Explanation:
Using digital certificates, clients establish a secure tunnel over the Internet to the enterprise. A
certification authority (CA) issues a digital certificate to each client for device authentication.
VPN Clients may either use static IP addressing with manual configuration or dynamic IP
addressing with IKE Mode Configuration. The CA server checks the identity of remote users,
then authorizes remote users to access information relevant to their function. Extranet VPNs
with the Cisco Secure VPN Client are addressed in "Configuring Digital Certification." Static
and dynamic IP addressing is addressed in "Configuring Dynamic IP Addressing."


Reference:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/csvpnsg/icdcs.htm#18263





QUESTION NO: 20
How did Cisco solve the PAT translation issue?

A. Wrap a standard IKE packet with a UDP port number.
B. Wrap a standard IPSec packet with a UDP port number.
C. Change the IKE TCP port number from a well known to a dynamically assigned port
number.
D. Change the IPSec TCP port number from a well known to a dynamically assigned port
number.


Answer: B


QUESTION NO: 21
How is user authentication enabled on the Cisco VPN 3002?

A. Checked on the Cisco VPN Concentrator and pushed down to the Cisco VPN 3002.
B. Unchecked on the Cisco VPN Concentrator and pushed down to the Cisco VPN 3002.
C. Checked on the Cisco VPN 3002.
D. Unchecked on the Cisco VPN 3002.


Answer: A
Explanation:
You configure individual user authentication on the VPN Concentrator, which pushes the
policy to the VPN 3002.

Reference:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/4_0/index.htm




QUESTION NO: 22
What are the three steps in the auto-update configuration process? (Choose three)

A. Enable the client update functionality in the Cisco VPN 3002.
B. Enable the client update functionality in the Cisco VPN Concentrator.
C. Modify the group-client, auto-update parameter.
D. Configure the IKE auto-update message parameters.
E. Send an update message.
F. Configure the IPSec auto-update message parameters.


Answer: B, C, E
Explanation:
This process uploads the executable system software to the VPN Concentrator, which then verifies the
integrity of the software image.
The new image file must be accessible by the workstation you are using to manage the VPN
Concentrator. Software image files ship on the Cisco VPN 3000 Concentrator CD-ROM. Updated or
patched versions are available from the Cisco website, www.cisco.com, under Service & Support >
Software Center.
It takes a few minutes to upload and verify the software, and the system displays the progress. Please
wait for the operation to finish.
To run the new software image, you must reboot the VPN Concentrator. The system prompts you to
reboot when the update is finished.

Reference: VPN 3000 Concentrator Ref Vol 2. Config 4.0.pdf



QUESTION NO: 23
When two adjacent Cisco VPN Concentrators are configured for VRRP and the master
Cisco VPN Concentrator fails, which statement is true?

A. All sessions are lost.
B. Only remote access users need to re-establish their tunnels.
C. No sessions are lost.
D. Only site-to-site users need to re-establish their tunnels.


Answer: B
Explanation:
These functions apply only to installations where two or more VPN Concentrators are in
parallel. One VPN Concentrator is the master system, and the other(s) are backup systems. A
backup system acts as a virtual master system when a switchover occurs.

Reference:
VPN 3000 Concentrator Ref Volume 1. Configuration 4.0.pdf



QUESTION NO: 24
Which Cisco IOS VPN feature allows the sender to encrypt packets before transmitting
them across a network?

A. Anti-replay
B. Data confidentiality
C. Data integrity
D. Data origin authentication


Answer: B
Explanation:
IP ESP seeks to provide confidentiality and integrity by encrypting data to be protected and
placing the encrypted data in the data portion of the IP ESP. Depending on the user's security
requirements, this mechanism can be used to encrypt either a transport-layer segment (such as
TCP, UDP, ICMP, IGMP) or an entire IP datagram. Encapsulating the protected data is
necessary to provide confidentiality for the entire original datagram. Use of this specification
will increase the IP protocol processing costs in participating systems and will also increase
the communications latency. The increased latency is primarily due to the encryption and
decryption required for each IP datagram containing an ESP.

Reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094628.shtml




QUESTION NO: 25
How is data authentication achieved?

A. Using DES
B. Using ESP
C. Using MD5
D. Using 3DES


Answer: C
Explanation:
Message Digest 5 (MD5) is a hash algorithm used to authenticate packet data. Cisco routers
and the PIX Firewall use the MD5 hashed message authentication code (HMAC) variant that
provides an additional level of hashing.

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 55 + 57



QUESTION NO: 26
What is the name of the application that must be added to the Concentrator to perform
load balancing?

A. Virtual Termination Point (VTP)
B. Virtual Designated Concentrator (VDC)
C. Virtual Cluster Agent (VCA)
D. Virtual Access Point (VAP)


Answer: C
Explanation:
Before you can configure load balancing on a VPN Concentrator, you must do the following:
• Configure the private and public interfaces.
• Configure the filters for the private and public interfaces to allow the Virtual Cluster Agent
(VCA) load balancing protocol.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce26.html




QUESTION NO: 27
On a VPN 3002 hardware, what are the three levels of GUI Access rights? (Choose
three)

A. Admin
B. Config
C. Monitor
D. Power on /Shut down
E. Power
F. Test


Answer: A, B, C
Explanation:
Access Rights

The Access Rights determine access to and rights in VPN Concentrator Manager functional
areas (Authentication or General), or via SNMP. Click the Access Rights drop-down menu
button and choose the access rights:
• None = No access or rights.
• Stats Only = Access to only the Monitoring section of the VPN Concentrator Manager. No
rights to change parameters.
• View Config = Access to permitted functional areas of the VPN Concentrator Manager, but
no rights to change parameters.
• Modify Config = Access to permitted functional areas of the VPN Concentrator Manager,
and rights to change parameters.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_administration_guide_chapter09186a008015c519.html




QUESTION NO: 28
Configuring a firewall policy:

A. New filters are added to rules.
B. Unlike ACLs, which have an implicit deny all at the end of their statements, filters do not
have an implicit deny all.
C. New rules are added to filters.
D. Like ACLs that have an implicit deny all at the end of it statements, Filters also have
an implicit deny all.


Answer: B, C
Explanation:
When you want the VPN Concentrator to push the firewall policy to the VPN Client, you
must first define the policy on the VPN Concentrator. To do this you need to create a filter
and add rules to the filter on the public network. The VPN 3000 Concentrator provides a
default filter you can use for CPP by selecting it from the menu. The name of this filter is
“Firewall Filter for VPN Client (Default)”. This filter allows all outbound traffic and drops
all inbound traffic. Firewall filters are session filters, rather than packet filters. This
means that for an “allow all outbound/drop all inbound” rule, the CPP policy lets inbound
responses come from outbound sessions only from IP protocols TCP, UDP, and ICMP. These
protocols are the only protocols that are “stateful.”
Most administrators will want to use a rule that blocks all inbound traffic and either permits
all outbound traffic or limits outbound traffic to specific TCP and UDP ports. For complete
information on creating filters and adding rules in general, see VPN 3000 Series Concentrator

Reference: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/csvpnsg/icpdf.pdf
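The session-filter behaviour described above, as an added example (not Cisco's code and not part of this study guide): a small model of the default "allow all outbound / drop all inbound" CPP filter that forwards an inbound packet only when it replies to an outbound TCP, UDP or ICMP session. The class names and the sample packets are constructed for this example.

```python
"""Session-filter semantics of the default CPP firewall filter.

Added example (not Cisco's code and not part of the original study guide).
It models the "allow all outbound / drop all inbound" rule the text
describes the way the text says the VPN Client applies it: outbound
packets are forwarded and, for TCP, UDP and ICMP, recorded as sessions;
an inbound packet is forwarded only when it is the reply to a recorded
session, and every other inbound packet is dropped. Class names and the
sample packets below are constructed for this example.
"""
from typing import List, NamedTuple, Set, Tuple

# The text names these as the only protocols the filter tracks statefully.
STATEFUL_PROTOCOLS = {"tcp", "udp", "icmp"}

SessionKey = Tuple[str, str, int, str, int]


class Packet(NamedTuple):
    direction: str  # "out" = sent by the VPN Client, "in" = sent towards it
    proto: str      # "tcp", "udp", "icmp", or anything else (e.g. "gre")
    src: str
    sport: int      # for ICMP echo: the identifier, carried in both port fields
    dst: str
    dport: int


class SessionFilter:
    """Default filter: forward outbound, drop inbound except session replies."""

    def __init__(self) -> None:
        self._sessions: Set[SessionKey] = set()

    def apply(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Everything outbound is allowed; only stateful protocols open a session.
            if pkt.proto in STATEFUL_PROTOCOLS:
                self._sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"
        # Inbound: the reply to an outbound session carries the tuple reversed.
        reverse: SessionKey = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.proto in STATEFUL_PROTOCOLS and reverse in self._sessions:
            return "forward"
        return "drop"


def run_trace(packets: List[Packet]) -> List[str]:
    """Apply the filter to the packets in order and return each decision."""
    flt = SessionFilter()
    return [flt.apply(p) for p in packets]


# Constructed sample traffic, seen from the VPN Client at 10.0.0.5.
SAMPLE_TRACE = [
    Packet("out", "tcp", "10.0.0.5", 40000, "192.0.2.80", 80),   # client opens HTTP
    Packet("in", "tcp", "192.0.2.80", 80, "10.0.0.5", 40000),    # server reply
    Packet("in", "tcp", "192.0.2.80", 80, "10.0.0.5", 40001),    # wrong port: unsolicited
    Packet("out", "icmp", "10.0.0.5", 7, "192.0.2.1", 7),        # echo request, id 7
    Packet("in", "icmp", "192.0.2.1", 7, "10.0.0.5", 7),         # echo reply, id 7
    Packet("in", "udp", "192.0.2.53", 53, "10.0.0.5", 5353),     # no outbound query first
    Packet("out", "gre", "10.0.0.5", 0, "192.0.2.9", 0),         # allowed out, not tracked
    Packet("in", "gre", "192.0.2.9", 0, "10.0.0.5", 0),          # GRE is not stateful
]

# Decisions the filter makes for SAMPLE_TRACE, in order.
EXPECTED = ["forward", "forward", "drop", "forward", "forward", "drop", "forward", "drop"]

if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{pkt.direction:>3} {pkt.proto:<4} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport}  {decision}")
```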





QUESTION NO: 29
An intruder ping sweeps a network and notes the responding nodes. Cisco classifies this
type of attack as:

A. Reconnaissance
B. Access
C. Malicious ping
D. Scooping
E. Denial of Service


Answer: A
Explanation:
Network reconnaissance refers to the overall act of learning information about a target
network by using publicly available information and applications. When hackers attempt to
penetrate a particular network, they often need to learn as much information as possible about
the network before launching attacks. This can take the form of Domain Name System (DNS)
queries, ping sweeps, and port scans.

Reference:
SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User
Networks



QUESTION NO: 30
After you issue the “crypto ca enroll”, you are prompted to create a challenge password.
Why should you remember this password?

A. Because it is required if you intend to generate multiple certificates.
B. Because if you ever try to reboot, you will be prompted for this password.
C. Because it is required to generate RSA key pairs.
D. You must supply this challenge password if you ever ask the CA to revoke your
certificate.


Answer: C
Explanation:
This command (crypto ca enroll) requests certificates from the CA for all of your router’s
RSA key pairs. This task is also known as enrolling with the CA.
During the enrollment process, you are prompted for a challenge password, which can be used
by the CA administrator to validate your identity.

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 124



QUESTION NO: 31
You have received a brand new VPN 3030 Concentrator from Cisco. You power it on,
console to it from your laptop and configure the Private LAN port with your network's
IP address as 172.29.10.44.
Later, you ping the Concentrator and you get a successful response. You make sure that
your system administration tasks and network permit a clear text connection between
the VPN Concentrator and your browser.
Then you inform your infamous MIS Director and give him the IP address, the Login
name as “admin” and the password as “admin”.
The Director points his browser to http://www.172.29.10.44
What will happen next?

A. The browser will open but the log in it will fail because of wrong password.
B. The browser will open with the “VPN 3000 Concentrator Series Manager” GUI and
ask for the username and password.
C. The browser will fail and say “The page can not be displayed”.
D. The browser will open but the log in will fail because of wrong Login.


Answer: C
Explanation:
The MIS Director will not be able to connect using “http://www.172.29.10.44” in the address
bar of the browser; the browser will instead show “This page cannot be displayed”.
The correct syntax is “http://172.29.10.44”.




QUESTION NO: 32
IKE protocol supports multiple authentication methods during the phase one exchange.
The two entities must agree on a common authentication protocol through a negotiation
process.
In how many ways can IKE phase one authenticate IPSec peers?

A. 2
B. 3
C. 4
D. It varies


Answer: B
Explanation:
Determine the authentication method: choose the authentication method based on the key
distribution method. Cisco IOS software supports preshared keys, RSA encrypted
nonces, or RSA signatures to authenticate IPSec peers.

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 69



QUESTION NO: 33
At what layer of the OSI model does the IPSec work?

A. Layer 2
B. Transport
C. Session
D. Application
E. Network


Answer: E
Explanation:
IPSec protects sensitive data that travels across unprotected networks. IPSec security services
are provided at the network layer, so you do not have to configure individual workstations,
PCs, or applications.

Reference:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/cfencov.htm





QUESTION NO: 34
In the top section of the IPSec LAN-to-LAN screen, what is the peer value?

A. System name of the remote Cisco VPN Concentrator.
B. Internal IP address of the remote Cisco VPN Concentrator.
C. Public Interface IP address of the remote peer.
D. Private interface IP address of the remote peer.


Answer: C
Explanation:
The Peer field holds the IP address of the remote peer VPN Concentrator or other secure gateway that terminates this LAN-to-LAN connection. It is the address the local Concentrator sends IKE and IPSec traffic to across the untrusted network, so it must be the remote gateway's public (outside) interface address, not its private interface address or its system name.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_administration_guide_chapter09186a008015c5a0.html#1415548




QUESTION NO: 35
What are three steps in the file-based certificate enrollment process? (Choose three)

A. The identity certificate is loaded into the Cisco VPN Concentrator first.
B. The CA generates the root and identity certificates.
C. The root certificate is loaded into the Cisco VPN Concentrator second.
D. The root certificate is loaded into the Cisco VPN Concentrator first.
E. Cisco VPN Concentrator generates a PKCS#7.
F. The Cisco VPN Concentrator generates a PKCS#10.


Answer: B, D, F



QUESTION NO: 36
Exhibit:

For connection 3 of the firewall policy chart, choose the action and IP addresses.

A. action drop, destination address, any
B. action forward, destination address, any
C. action forward, destination address, www.cisco.com
D. action drop, destination address, www.cisco.com


Answer: B
Explanation:
A firewall rule includes the following fields:

• Action—The action taken if the data traffic matches the rule:
o Drop = Discard the session.
o Forward = Allow the session to go through.

• Direction—The direction of traffic to be affected by the firewall:
o Inbound = traffic coming into the PC, also called local machine.
o Outbound = traffic going out from the PC to all networks while the VPN Client
is connected to a secure gateway.
• Source Address—The address of the traffic that this rule affects:
o Any = all traffic; for example, drop any inbound traffic.
o This field can also contain a specific IP address and subnet mask.
o Local = the local machine; if the direction is Outbound then the Source
Address is local.
• Destination Address—The packet's destination address that this rule checks (the
address of the recipient).
o Any = all traffic; for example, forward any outbound traffic.
o Local = The local machine; if the direction is Inbound, the Destination Address
is local.
• Protocol—The Internet Assigned Numbers Authority (IANA) number of the protocol
that this rule concerns (6 for TCP; 17 for UDP and so on).
• Source Port—Source port used by TCP or UDP.
• Destination Port—Destination port used by TCP or UDP.

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_chapter09186a008015ce7d.html#1122639
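Worked example, added here and not code from Cisco or the VPN Client: a small Python evaluator for rules in the format listed above, applied first-match to a few constructed packets. The PC address 10.0.0.5, the corporate subnet 192.168.100.0/24, the sample traffic and the drop-if-nothing-matches fallback are assumptions for the illustration; the real client's default behaviour depends on its configuration.

```python
"""First-match evaluator for VPN Client (CPP) style firewall rules.

Added example, not code from Cisco or the VPN Client. It models the rule
fields described above: Action, Direction, Source/Destination Address
("any", "local", or IP/prefix), Protocol (IANA number), Source/Destination
Port. Addresses, sample traffic and the default-drop fallback are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed address of the PC running the VPN Client ("local" in the rules).
LOCAL_IP = ipaddress.ip_address("10.0.0.5")


@dataclass(frozen=True)
class Packet:
    direction: str            # "inbound" (to the PC) or "outbound" (from the PC)
    src: str                  # source IPv4 address
    dst: str                  # destination IPv4 address
    protocol: int             # IANA protocol number: 6 TCP, 17 UDP, 1 ICMP
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str               # "drop" or "forward"
    direction: str            # "inbound" or "outbound"
    src: str = "any"          # "any", "local" or "a.b.c.d/prefix"
    dst: str = "any"
    protocol: Optional[int] = None   # None matches any protocol
    sport: Optional[int] = None      # None matches any port
    dport: Optional[int] = None


def _addr_match(spec: str, addr: str) -> bool:
    """Match one address against an "any" / "local" / network specification."""
    if spec == "any":
        return True
    if spec == "local":
        return ipaddress.ip_address(addr) == LOCAL_IP
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: Optional[int], port: Optional[int]) -> bool:
    return spec is None or spec == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule accepts the packet."""
    return (rule.direction == pkt.direction
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.protocol is None or rule.protocol == pkt.protocol)
            and _port_match(rule.sport, pkt.sport)
            and _port_match(rule.dport, pkt.dport))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Index of the first rule that matches, or None if nothing does."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return i
    return None


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Action applied to the packet; unmatched traffic is dropped (assumed)."""
    i = first_match(rules, pkt)
    return rules[i].action if i is not None else "drop"


# Constructed policy. Order matters: the specific permit must come before the
# "drop any inbound" rule from the documentation example, or it never fires.
CPP_POLICY = [
    Rule("forward", "inbound", src="192.168.100.0/24", dst="local", protocol=6),  # TCP from corporate LAN (assumed)
    Rule("drop", "inbound", src="any", dst="local"),                              # doc example: drop any inbound
    Rule("forward", "outbound", src="local", dst="any"),                          # connection 3: forward outbound to any
]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("outbound", "10.0.0.5", "198.51.100.10", 6, 51515, 443),   # web session from the PC
    Packet("inbound", "192.168.100.7", "10.0.0.5", 6, 445, 49200),    # TCP from the corporate LAN
    Packet("inbound", "203.0.113.9", "10.0.0.5", 17, 137, 137),       # NetBIOS probe from the Internet
    Packet("outbound", "10.0.0.9", "198.51.100.10", 6, 40000, 80),    # spoofed source: not "local"
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.direction:8} {pkt.src:>15} -> {pkt.dst:<15} proto {pkt.protocol:2}: "
              f"{evaluate(CPP_POLICY, pkt)} (rule {first_match(CPP_POLICY, pkt)})")
```

The point to take from running it is the ordering: swapping the first two rules makes the corporate-LAN permit unreachable because "drop any inbound" matches first, which is exactly the mistake a CPP policy with an early catch-all rule makes.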

QUESTION NO: 37
Which of the firewalls supports Cisco Central Policy Protection?

A. Symantec
B. Zone Labs
C. Cyberguard
D. Network Ice BlackICE defender


Answer: B
Explanation:
The VPN Client on the Windows platform includes a stateful firewall that incorporates Zone
Labs technology. This firewall is used for both the Stateful Firewall (Always On) feature and
the Centralized Protection Policy (see “Centralized Protection Policy (CPP)”).

Reference:
VPN Client Administrator Guide 4.0




QUESTION NO: 38
What are two types of certificates in a central CA environment? (Choose two)

A. Public key certificate
B. Root certificate
C. Private key certificate
D. Certificate of authority
E. Identity certificate
F. Signature certificate


Answer: B, E
Explanation:
On the VPN Concentrator the certificate hierarchy forms a chain:

• Root certificate
• CA certificate (an intermediate CA, when one sits between the root and the identity certificate)
• Identity certificate
Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_chapter09186a008015e271.html




QUESTION NO: 39
When should you change the administration password?

A. Immediately upon installation.
B. At least weekly.
C. When the system crashes.
D. Every time someone leaves the company.


Answer: A
Explanation:
You can change the password for the admin administrator user. For ease of use during
startup, the default admin password supplied with the VPN 3002 is also admin. Since the
admin user has full access to all management and administration functions on the device, we
strongly recommend you change this password to improve device security. You can further
configure all administrators with the regular Administration menus.

Reference:
VPN 3002 Hardware Client Getting Started, Release 4.0




QUESTION NO: 40
When a VPN 3002 is configured to establish a tunnel to a load balancing cluster, what IP
address should the administrator put in the VPN 3002 remote server field?

A. Cluster’s virtual IP address.
B. Master the Cisco VPN Concentrator’s public interface IP address.
C. Master the Cisco VPN Concentrator’s private interface IP address.
D. Load balancing server’s virtual IP address.


Answer: A
Explanation:
Remote Server

Enter the IP address or hostname of the remote server. For a single Concentrator this is the IP address or hostname of its public interface; use dotted decimal notation, for example 192.168.34.56, and configure a DNS server before entering a hostname. When the Concentrator belongs to a load-balancing cluster, enter the cluster's virtual IP address instead: the cluster master answers on the virtual address and redirects the VPN 3002 to the least-loaded member. Entering the master's own public interface address ties the VPN 3002 to one device and bypasses load balancing.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter0916a00800ebfdf.html#xtocid3





QUESTION NO: 41
Which VCA filter statement is true?

A. VCA filter must be enabled on the Cisco VPN Concentrator’s private interface.
B. VCA filter must be enabled on the Cisco VPN Concentrator public interface.
C. VCA filter must be enabled on both Cisco VPN Concentrator interfaces.
D. VCA filter is optional.


Answer: C
Explanation:
Configure Filters

Complete the following steps to configure the filters on both the private and the public interfaces so that they permit the VCA load-balancing protocol; the filter is required on both interfaces, not optional.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce26.html




QUESTION NO: 42
For the Cisco VPN Client to interoperate with the Cisco VPN 3000, what is the
minimum version of the Cisco VPN 3000?

A. 2.5
B. 2.6
C. 3.0
D. 3.1


Answer: C
Explanation:
To interoperate with a VPN 3002, the VPN 3000 Series Concentrator to which it
connects must:
• Be running software version 3.0 or later.
• Configure IPSec group and user names and passwords for this VPN 3002.
• For a VPN 3002 running in PAT mode, enable a method of address assignment: DHCP,
address pools, per user, or authentication server address.
• For a VPN 3002 running in Network Extension mode, configure either a default gateway or
a static route to the private network of the VPN 3002.

Reference:
Release Notes for Cisco VPN 3002 Hardware Client Release 3.1




QUESTION NO: 43
If the VPN is owned and managed by the corporate security, which product would you
choose?

A. PIX Firewall 515
B. 2900
C. 3030
D. 3660


Answer: A
Explanation:
Cisco positions its VPN platforms by which group owns and operates the VPN: when the corporate security organization owns and manages it, the firewall-based solution (PIX Firewall) is the recommended platform; VPN-enabled routers (2900 and 3660 series) are positioned for VPNs run by the network organization, and the VPN 3030 Concentrator for large remote-access deployments.



QUESTION NO: 44
How many simultaneous session can a Cisco VPN 3030 support?

A. 100
B. 1000
C. 1500
D. 5000


Answer: C
Explanation:
VPN 3030
• Height – 2U
• Memory – 128 MB SRAM standard
• Encryption – Hardware-based SEP2 - Programmable DSP-based security accelerator
• Appropriate for a large central site
• Supports two SEP2 hardware modules - up to 1500 simultaneous sessions
• Upgradeable

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 56
