
CCNA – Security Questions

March 7th, 2011

Here you will find answers to Security Questions

Question 1

Which component of VPN technology ensures that data can be read only by its intended recipient?

A. data integrity
B. encryption
C. key exchange
D. authentication


Answer: D

Explanation

First you need to understand what these terms mean:

Data integrity: verifying that the packet was not changed as the packet transited the Internet

Encryption: conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people

Authentication: the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication can take place at both sides, the sender and the receiver.

Key exchange: any method in cryptography by which cryptographic keys are exchanged between users, allowing use of a cryptographic algorithm.

So in this question we see that only authentication involves the end user (the intended recipient), while the other three are about processing the data -> D is correct.

Question 2

What can be done to secure the virtual terminal interfaces on a router? (Choose two)

A. Administratively shut down the interface.
B. Physically secure the interface.
C. Create an access list and apply it to the virtual terminal interfaces with the access-group command.
D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.


Answer: D E

Explanation

It is a waste to administratively shut down the interface. Moreover, someone can still access the virtual terminal interfaces via other interfaces -> A is not correct.

We can not physically secure a virtual interface because it is “virtual” -> B is not correct.

To apply an access list to a virtual terminal interface we must use the “access-class” command. The “access-group” command is only used to apply an access list to a physical interface -> C is not correct; E is correct.

The simplest way to secure the virtual terminal interface is to configure a username & password to prevent unauthorized login -> D is correct.
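The two correct choices put into configuration, as an added example that is not part of the original page: the access list restricts which source addresses may open a session on the vty lines, and the login process authenticates whoever gets through. The management subnet 192.0.2.0/24, the user name admin and the ACL number 10 are assumptions.

```cisco
! Added example, not from the original page. Assumed values: management
! subnet 192.0.2.0/24, local user "admin", standard ACL 10, vty lines 0-4.
Router(config)# username admin secret <choose-a-strong-password>
!
! Standard ACL listing the only hosts allowed to reach the virtual terminal lines.
Router(config)# access-list 10 remark management hosts allowed on the vty lines
Router(config)# access-list 10 permit 192.0.2.0 0.0.0.255
Router(config)# access-list 10 deny any log
!
Router(config)# line vty 0 4
! access-class (not access-group) binds the ACL to the vty lines (choice E)
Router(config-line)# access-class 10 in
! login local = require a username/password from the local database (choice D);
! "password <pw>" followed by "login" is the line-password variant of the same idea
Router(config-line)# login local
! close idle sessions after 5 minutes
Router(config-line)# exec-timeout 5 0
Router(config-line)# end
!
! By contrast, "ip access-group 10 in" under an interface filters traffic
! crossing that interface; it does not protect the vty lines themselves.
```

The `deny any log` entry is there so that rejected connection attempts show up in the router's log, which is the quickest way to confirm the access-class is doing its job.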

Question 3

The enable secret command is used to secure access to which CLI mode?

A. user EXEC mode
B. global configuration mode
C. privileged EXEC mode
D. auxiliary setup mode


Answer: C

Question 4

Which type of attack is characterized by a flood of packets requesting a TCP connection to a server?

A. denial of service
B. brute force
C. reconnaissance
D. Trojan horse


Answer: A

Question 5

Which IPsec security protocol should be used when confidentiality is required?

A. AH
B. MD5
C. PSK
D. ESP


Answer: D

Explanation

IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH), which provide security services for IP datagrams.

ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the IP header).

AH provides authentication of the sender, integrity, and replay protection (but not confidentiality).

Question 6

Which algorithm technology must be used to ensure data integrity when the data flow goes over a VPN tunnel? (Choose two)

A. RSA
B. DH-1
C. DH-2
D. HMAC-MD5
E. HMAC-SHA1


Answer: D E

Explanation

Data integrity ensures data has not been altered in the transmission. A data-integrity algorithm adds a hash to the message to guarantee the integrity of the message.

A Hashed Message Authentication Code (HMAC) is a data-integrity algorithm that ensures the integrity of the message. Two popular algorithms a VPN gateway uses for verifying the integrity of data are HMAC-Message Digest 5 (HMAC-MD5) and HMAC-Secure Hash Algorithm 1 (HMAC-SHA1).

+ HMAC-MD5 uses a shared-secret key of any size. The variable-length message and the shared-secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and is forwarded to the remote end.

+ HMAC-SHA-1 uses a shared-secret key of any size. The variable-length message and the shared-secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and is forwarded to the remote end.

Diffie-Hellman Group 1 (DH-1) and Diffie-Hellman Group 2 (DH-2) are key-exchange groups used to negotiate the VPN's keys, not data-integrity algorithms.

RSA is also an encryption (and signature) algorithm, not a data-integrity algorithm.

(Reference: Implementing Cisco IOS Network Security IINS)

Question 7

What are two security appliances that can be installed in a network? (Choose two)

A. ATM
B. IDS
C. IOS
D. IOX
E. IPS
F. SDM


Answer: B E

Explanation

Intrusion detection system (IDS) and intrusion prevention system (IPS) solutions form an integral part of a robust network defense solution.

IDS monitors network and system activities for malicious activities or policy violations and produces reports to a Management Station.

IPS provides policies and rules for network traffic along with an intrusion detection system for alerting system or network administrators to suspicious traffic, but allows the administrator to provide the action upon being alerted.

The key to differentiating an IDS from an IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS allows malicious traffic to pass before it can respond.

(Reference: Implementing Cisco IOS Network Security IINS)

Note: Asynchronous Transfer Mode (ATM) is a Layer 2 WAN transport protocol. It encodes data into small, fixed-size cells consisting of 48 bytes of payload and 5 bytes of cell header -> A is not correct.

Cisco Router and Security Device Manager (SDM) is a web-based device-management tool that helps you configure a Cisco router via a web browser. In general it only simplifies network management and router configuration, so it is not a security appliance -> F is not correct.

Question 8

Which device might be installed at a branch office to enable and manage an IPsec site-to-site VPN?

A. Cisco IOS IPsec/SSL VPN client
B. Cisco VPN Client
C. ISDN terminal adapter
D. Cisco Adaptive Security Appliance


Answer: D

Explanation

An example of an IPsec site-to-site VPN: your corporation has departments in many countries which need to communicate with each other. A popular solution is a site-to-site (LAN-to-LAN) VPN that creates private networks through the Internet. But as we know, the Internet is not a safe environment for important data to be transferred. That is the reason why we need IPsec, a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.

Cisco Adaptive Security Appliance (ASA) supports IPsec; that’s all I can say! If you wish to learn more about the configuration, please read http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

Question 9

Refer to the exhibit. What is the result of setting the no login command?

Router#config t
Router(config)#line vty 0 4
Router(config-line)#password c1sc0
Router(config-line)#no login

A. This is a virtually limitless supply of IP addresses
B. Telnet access requires a new password at first login
C. Telnet access requires a password
D. Telnet access is denied


Answer: No correct answer

Explanation

There is a mistake in this question because “no login” disables password checking on the vty lines, so this configuration will let someone telnet to the router without a password (the line “password c1sc0” is therefore not necessary).

If we want to deny telnet we can configure like this:

Router(config)#line vty 0 4
Router(config-line)#no password (if a password was set before)
Router(config-line)#login

With this configuration, when someone tries to telnet to this router, a message “Password required, but none set” is displayed.

Question 10

What is the effect of using the service password-encryption command?

A. Only passwords configured after the command has been entered will be encrypted.
B. Only the enable password will be encrypted.
C. Only the enable secret password will be encrypted
D. It will encrypt the secret password and remove the enable secret password from the configuration.
E. It will encrypt all current and future passwords.


Answer: E

Explanation

The secret password (configured by the “enable secret” command) is always encrypted even if the “service password-encryption” command is not used. Moreover, the secret password is not removed from the configuration by this command; we still see it in encrypted form in the running-config -> D is not correct.

The “enable password” command does not encrypt the password, which can be viewed in clear text in the running-config. By using the “service password-encryption” command, that password is encrypted (both current and future passwords) -> A is not correct, E is correct.

Answer B (“Only the enable password will be encrypted”) seems correct, but it implies the secret password will not be encrypted and will stay in clear text, which is not correct.

For your information, the secret password is hashed with the MD5 one-way hash algorithm, which is harder to break than the reversible encryption algorithm used by the “service password-encryption” command.
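To see how the commands behind Questions 10 and 11 interact, here is an added example (not from the original page) that walks through a router's running-config before and after service password-encryption. The passwords are made up, and the hash and key strings are placeholders rather than real output.

```cisco
! Added example, not from the original page. Passwords are made up;
! <salt>, <md5-hash> and <type-7-string> are placeholders for real output.
Router(config)# enable secret Str0ngSecret
Router(config)# enable password WeakPassword
Router(config)# line vty 0 4
Router(config-line)# password VtyPassword
Router(config-line)# login
Router(config-line)# exit
!
! Before service password-encryption: only enable secret is protected,
! and it is protected immediately (type 5 = MD5 hash, Question 11).
Router(config)# do show running-config | include secret|password
enable secret 5 $1$<salt>$<md5-hash>
enable password WeakPassword
 password VtyPassword
!
Router(config)# service password-encryption
!
! After: the clear-text passwords become type 7 (reversible) strings; the
! enable secret line is unchanged and still present, so choice D in Q10 is wrong.
Router(config)# do show running-config | include secret|password
enable secret 5 $1$<salt>$<md5-hash>
enable password 7 <type-7-string>
 password 7 <type-7-string>
```

When both enable secret and enable password are configured, the router checks the enable secret when you type enable and ignores the enable password, which is why the secret is the one worth setting.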

Question 11

Which command sets and automatically encrypts the privileged enable mode password?

A. enable password c1sco
B. secret enable c1sco
C. password enable c1sco
D. enable secret c1sco


Answer: D

Comments (208)
  1. Anonymous
    January 11th, 2013

    Is the VTP simulation exam in choice format or ….?
    How much % of the exam is from 9tut?

  2. noor
    January 23rd, 2013

    hi friends, can someone send me the last dumps pls, i will do the exam next week. my e mail abeer-sharief@hotmail.com

  3. noor
    January 23rd, 2013

    friends i m unable to get the Visual CertExam application registration code, cos of that i m unable to work with dumps …
    can any one pls send the Visual CertExam registration code…
    pls
    my abeer-sharief@hotmail.com

  4. Ahmed Khaled
    January 24th, 2013

    VCE program with reg code

    http://www.mediafire.com/?pr1y714kup9u7so

  5. Renolph
    January 24th, 2013

    hi Ahmed, I also downloaded the above mentioned VCE but it says windows can’t open this file, what more is needed in order for me to open it? please help

  6. Ahmed Khaled
    January 24th, 2013

    It works for me, and to check I re-downloaded it again and it worked

    http://www.mediafire.com/download.php?pr1y714kup9u7so

  7. Rooki3
    January 31st, 2013

    Valid Que :D

    Q:10

  8. Xtrikerpd
    February 3rd, 2013

    Please, which statement (answer) I must select on Question 9?

    Refer to the exhibit. What is the result of setting the no login command?

    Which one is right answer on CCNA exam ?

  9. Leigh
    February 5th, 2013

    Does anyone know if there is a VPN sim in the 802 CCNA exam? I haven’t seen one mentioned on any pre-exam website.

  10. usman
    February 11th, 2013

    plz tell me which questions belong to the lab?

  12. Jumper
    February 15th, 2013

    @Xtrikerpd,

    The answer is , telnet access is denied.

  13. Anonymous
    February 17th, 2013

    Question 3
    The enable secret command is used to secure access to which CLI mode?
    A. user EXEC mode
    B. global configuration mode
    C. privileged EXEC mode
    D. auxiliary setup mode

    Why the answer is C?

    enable secret command should be in global config mode. Any one can explain this?

  14. Anonymous
    February 17th, 2013

    I understand now.
    Question 3
    The enable secret command “is used to secure access” to which CLI mode?
    A. user EXEC mode
    B. global configuration mode
    C. privileged EXEC mode
    D. auxiliary setup mode

    The correct answer is C.

  15. Jah Rastafarai
    February 27th, 2013

    Passed CCNA, questions 6 and 10 from here.

  16. shshoor
    March 1st, 2013

    ques no 9 and 11 in the exam

  17. shshoor
    March 1st, 2013

    ques no 6 from here in the exam

  18. shshoor
    March 1st, 2013

    q 10

  19. Bam
    March 19th, 2013

    my school gave me the boson one when i first started and i agree, it’s horrible. have you looked into buying used 1700s and 2600s on ebay? if you manage to grab two routers and a switch, you’re well ahead of the game for a beginning lab. I have like 3 routers, two catalysts and a pix and other than the pix, i never paid over 100 bucks after shipping.

  20. Me too
    March 21st, 2013

    Question 10 on CCNA 2nd try today

  21. Anonymous
    March 31st, 2013

    question 3 is c?

  22. Arturo Pacardo Jr.
    April 15th, 2013

    Question 3

    If you only configure Vty without “enable secret” you can only reach up to this point:

    Switch> <——- This mode is user exec mode, which is limited to some commands

    - If you want to have access to the privileged mode, you need to use "enable secret"

    Switch# <——- Privileged mode, from here you can go to Global config mode

    Switch#Configure Terminal
    Switch(config)# <——— Global config mode

    So the question "…used to secure access to which CLI mode?", the answer is:
    C. privileged EXEC mode ! :D

  23. abdel
    April 15th, 2013

    Question 9: I apply this configuration on a gns3 lab, and i access my router without any password.

  24. Big Dr.
    April 20th, 2013

    Q10 was on today’s exam

  25. armita
    April 29th, 2013

    what is the answer for number 9?

  26. Zahid Ismail
    May 5th, 2013

    q10 in today’s exam

  27. David Okeri
    May 28th, 2013

    Please, i will sit for the exam next month, can someone send me the latest dumps on email: olesimbe@yahoo.com

  28. RH
    June 1st, 2013

    @Tdy11
    What did you answer for question 9 ??
    Anyone who has got Q9 in their paper with the same choices, what was your answer ?

  29. Mohamed
    June 19th, 2013

    Hi guys, can anyone direct me to the best material for ccna security: books, pdfs and questions and answers exams

  30. samer
    June 25th, 2013

    I believe that the answer for Q1 is key exchange . Authentication ensures that the recipient of the data is known, but in case that data was intercepted, key exchange ensures that it can’t be read (deciphered) by anyone else but the intended recipient.

  31. arwyn
    July 2nd, 2013

    what do you mean by no correct answer on Q9??
    does it mean that i’ll get a point by not answering the question??

  32. Ahmad tavasoli ( CCNA . CCNP cer…)
    August 5th, 2013

    hi

    Question 9

    Refer to the exhibit. What is the result of setting the no login command?

    D correct …. D. Telnet access is denied …. Because it wants to disable Telnet …

  33. Andrius
    August 12th, 2013

    Q1 needs a better explanation.
    Encryption also prevents data from being read and understood by an unauthorised recipient in the middle of the connection.

  34. loi
    August 20th, 2013

    anybody knows the answer to question # 9? please reply thanks.

  35. lumpachi
    August 21st, 2013

    @Andrius,

    question states that :

    Which component of VPN technology ensures that data can be read ‘ONLY’ by its intended recipient?

    If userA wants to send data to userB, the data will somehow be encrypted then decrypted but ONLY userB which is the intended recipient will be the ONLY one who can receive the data fr. userA

  36. Question 9
    August 23rd, 2013

    Q9, if this question letter by letter was in Cisco CCNA exam, it proves how much they’re corrupted.

  37. Question 9
    August 23rd, 2013

    Ahmad tavasoli,
    it asked what is the ‘result’ of no login command. So you don’t have to guess what they intend to ask, the correct answer is there. Cisco doesn’t allow us to know what the correct answer for questions so you’re right, to get 1000 score, just assume whoever works in cisco making this question is retard.

  38. lily
    August 25th, 2013

    great security questions review, question 8 on the exam.

  39. ashxheat
    August 26th, 2013

    q9 just verified: telnet access will be denied when you configure no login on vty lines

  41. Question 9
    August 27th, 2013

    ashxheat, how did you set up your router, so it blocks with no login? login command is telling router to check or not to check password configured. If no login blocked telnet session, then it is not cisco router.

  42. Question 9
    August 27th, 2013

    To block telnet, you leave password empty and type ‘login’ so that router checks password to validate password, but there’s no password, so it blocks. This is the only way you block telnet unless you configure ACL on the line.

  43. Anonymous
    August 31st, 2013

    Q 9 – Answer is D – telnet will be denied. If you don’t have the login command (or in this case no login), the telnet session is denied. Try it

  44. DJF
    September 6th, 2013

    Question 6 in today’s exam

  45. anonymous
    September 6th, 2013

    Q11 in today’s exam !!

  46. Juraj
    September 10th, 2013

    Can somebody plz send me the latest dumps for CCNA.
    i have an exam on the 25th of September.
    address: moravcik.j@gmail.com
    thank you

  47. jasostrong
    September 11th, 2013

    Thanks 9tut. I made it. I passed my CCNA 200-120 today. The sim is Access-list 1 , Access-list 2 & EIGRP. A lot of new questions like Netflow, Syslog, SNMP, VRRP, and GLBP.

  48. Chompiras
    September 15th, 2013

    Q9. Just tried it in packet tracer – you can telnet without entering a password.

    So I agree with the explanation given by 9tut, none of the answers is correct.

  49. CiscoER
    September 18th, 2013

    @ Chompiras Since we have to choose an answer, I guess we just go with D – Telnet will be denied, even though 9tut explanation seems right. But there is no choice for “None of the Above”, so choose D.

  50. Alexandre Rudi
    September 21st, 2013

    Q9 is a trap, no explanation to the answer.
