Exam : Nortel 920-449 Title : NNCSE Contivity Security Version : R6.1 www.prepking.com

Prepking - King of Computer Certification

Important Information, Please Read Carefully

Other Prepking products

A) Offline Testing engine: Use the offline Testing engine product to practice the questions in an exam environment.

B) Study Guide (not available for all exams): Build a foundation of knowledge which will be useful also after passing the exam.

Latest Version

We are constantly reviewing our products. New material is added and old material is updated. Free updates are available for 90 days after the purchase. You should check your member zone at Prepking and update 3-4 days before the scheduled exam date. Here is the procedure to get the latest version:

1. Go to www.Prepking.com
2. Click on Member zone/Log in (right side)
3. Then click My Account
4. The latest versions of all purchased products are downloadable from here. Just click the links.

For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

Feedback

If you spot a possible improvement then please let us know. We are always interested in improving product quality. Feedback should be sent to feedback@Prepking.com. You should include the following: Exam number, version, page number, question number, and your login ID. Our experts will answer your mail promptly.

Copyright

Each PDF file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular PDF file is being distributed by you, Prepking reserves the right to take legal action against you according to the International Copyright Laws.

Explanations

This product does not include explanations at the moment. If you are interested in providing explanations for this exam, please contact feedback@Prepking.com

1. A Contivity configuration has two private interfaces (LAN 0 and LAN 1) and one public interface (LAN 3) with Application servers residing on LAN 0. An administrator needs to create a default rule in order to allow users from LAN 1 and tunneled users from LAN 3 to access the application servers in LAN 0. What would be the most secure interface classification for the source interface?

A. Any

B. Trusted

C. Tunnel: Any

D. LAN 1 and LAN 3

Answer: B

2. A technician is setting up a rule base for a Contivity Stateful Firewall configuration. The technician plans to enable a Lockdown rule. What will be the impact of this rule?

A. non-tunneled traffic will be blocked

B. access to the firewall will be blocked

C. outgoing traffic through the firewall will be blocked

D. incoming traffic through the firewall will be blocked

Answer: B

3. A company has a main office and three branch offices. Each branch office has a branch office tunnel (BOT) connection to the main office. The following conditions exist:

- Contivity firewall is disabled but each BOT has a default setting of "permit all" tunnel filter configured under the group profile.
- The company has their own internal/private DNS server which resides in the main office.
- Contivity from each branch office is acting as DNS proxy.
- Workstations from the branch offices are pointing to their local Contivity as the default gateway and DNS server.

All workstations from the branch offices can reach all devices in the main office via IP address but cannot reach them through DNS names. What is the most likely cause of the problem?

A. The access control of "permit all" given to the BOT group is enough to allow DNS to pass through the tunnel so the DNS server could be down.

B. DNS server is up but main office's Contivity has DNS setting unchecked under the allow management traffic for remote servers portion of the permit all rule.

C. DNS server is up but branch offices' Contivity has DNS setting unchecked under the allow management traffic for remote servers portion of the permit all rule.

D. Main office's Contivity has DNS setting checked under the allow management traffic for remote servers portion of the permit all rule but DNS server could be down.

Answer: C

4. Contivity Stateful Firewall has been enabled on a customer's Contivity system. The customer wants to extend user authentication on traffic between branch office connections in their VPN environment and a technician has set up Firewall User Authentication (FWUA). How will this affect system users?

A. Users will now have transparent access to the Contivity Stateful Firewall.

B. Users will be automatically authenticated for internal authorization services such as LDAP.

C. Users will be automatically authenticated for external authorization services such as RADIUS.

D. Users will be required to log into the Contivity Stateful Firewall before they are granted network access.

Answer: D

5. A Contivity has two private interfaces (LAN and DMZ) and one public interface (INT). Workstation1 with an IP address of 10.10.10.1/24 is in the network that is directly attached to the private interface LAN. Workstation2 with an IP address of 20.20.20.1/24 is in the network that is directly attached to private interface DMZ. The requirement is to block only traffic from workstation1 to workstation2 using interface filters to be applied to the private interface DMZ. Select the most appropriate filter action, direction, and address for the access control filter.

A. Filter action = Deny ; Direction = Inbound ; Address = 20.20.20.1

B. Filter action = Deny ; Direction = Inbound ; Address = 10.10.10.1

C. Filter action = Deny ; Direction = Outbound ; Address = 10.10.10.1

D. Filter action = Deny ; Direction = Outbound ; Address = 20.20.20.1

Answer: C

6. Company A and Company B established a branch office tunnel connection using Contivity v4.8 with the following setup:

- Company A - private interface (LAN A) has an IP address of 192.168.3.1/24
- Company A - FTP server with IP address 192.168.3.3/24 which resides in LAN A
- Company B - private interface (LAN B) has an IP address of 192.168.30.2/24

The security policy allows users from LAN B to access Company A's FTP server to download files with no other access to the rest of Company A's network. In Company A's Contivity Stateful Firewall configuration, what would be the most likely default rule?

A. Source interface = LAN B ; Destination Interface = LAN A ; Source = 192.168.30.0/24 ; Destination = 192.168.3.3/24 ; Service = FTP ; Action = Allow

B. Source interface = LAN B ; Destination Interface = Trusted ; Source = 192.168.30.0/24 ; Destination = 192.168.3.3/24 ; Service = FTP ; Action = Allow

C. Source interface = Tunnel: Any ; Destination Interface = LAN A ; Source = 192.168.30.0/24 ; Destination = 192.168.3.3/24 ; Service = FTP ; Action = Allow

D. Source interface = Branch Tunnel: Any ; Destination Interface = Trusted ; Source = 192.168.30.0/24 ; Destination = 192.168.3.3/24 ; Service = FTP ; Action = Allow

Answer: D

7. A Contivity has a private interface (LAN) and a public interface (DMZ). Workstation1 with an IP address of 10.10.10.1/24 is in the network that is directly attached to the private interface LAN. Workstation2 with an IP address of 20.20.20.1/24 is in the network that is directly attached to public interface DMZ. The requirement is to block only traffic from workstation1 to workstation2 using interface filters applied to the private interface LAN. Select the most appropriate filter action, direction, and address for the access control filter.

A. Filter action = Deny ; Direction = Inbound ; Address = 20.20.20.1

B. Filter action = Deny ; Direction = Inbound ; Address = 10.10.10.1

C. Filter action = Deny ; Direction = Outbound ; Address = 20.20.20.1

D. Filter action = Deny ; Direction = Outbound ; Address = 10.10.10.1

Answer: A

8. A technician is debugging a problem on a Contivity system and has input Override rules to be in effect during this time. Which statement best describes how the Override rules will function?

A. will be processed first

B. will override all rules in the policy

C. will override the rest of the rules described later in the policy

D. will apply only to the specific interface identified in the override rule

Answer: C

9. A customer's Contivity system is currently supporting a network of tunneled and non-tunneled traffic. Assume Contivity Stateful Firewall has just been enabled but no specific rules have been configured. How will the tunneled and non-tunneled traffic be handled?

A. Tunneled and non-tunneled traffic is allowed until rules restricting specific traffic are established.

B. Tunneled traffic is allowed but non-tunneled traffic is disallowed until rules allowing for specific traffic are established.

C. Non-tunneled traffic is allowed but tunneled traffic is disallowed until rules allowing for specific traffic are established.

D. Tunnels can be established, but all data traffic is disallowed from passing through the CES until rules allowing for specific traffic are established.

Answer: D

10. A company has a Contivity v4.8 configured with branch office tunnel connections under /Base/Partners group for all of its business partners. User tunnel access is also provided for all employees and partners. The Contivity has two private interfaces (LAN and DMZ) and one public interface. Application servers reside in the DMZ. The following rules are in effect:

Interface specific rule 1 : Source interface rule = LAN ; Source interface = LAN ; Destination interface = DMZ ; Source = Any ; Destination = Any ; Service = Any ; Action = Allow

Default rule 1 : Source interface = Trusted ; Destination Interface = Trusted ; Source = Any ; Destination = Any ; Service = Any ; Action = Allow

The company's security policy dictates that only local users and remote users through a branch office tunnel can access application servers in the DMZ. However, even users via user tunnel connection also appear to have access to the application servers in the DMZ. How can the rules be changed to resolve the problem?

A. Interface specific rule 1 is correct but the source interface for default rule 1 is wrong and should be changed to Branch Tunnel: Any.

B. Default rule 1 is correct but the source interface for interface specific rule 1 is wrong and should be changed to Branch Tunnel: Any.

C. Interface specific rule 1 is correct but the source interface for default rule 1 is wrong and should be changed to Branch Tunnel:/Base/Partners.

D. Default rule 1 is correct but the source interface for interface specific rule 1 is wrong and should be changed to Branch Tunnel:/Base/Partners.

Answer: A

11. A Contivity has been set up to classify packets by the interface on which they arrive at the gateway. The policy rules have been constructed to ignore this classification. How did the rule designate the interface in order to ignore the classification?

A. designated as Any

B. designated as Ignore

C. designated as Trusted

D. designated as Untrusted

Answer: A

12. A Contivity customer is using certificate authentication for user and branch office tunnels. A supervisor has suggested configuring CMP (Certificate Management Protocol) on the Contivity switches company wide in order to reduce the administrator's workload. In what way would the configuration of CMP benefit the administrator?

A. CMP automates the processes of CRL updates and CRL distributions to all Contivity switches.

B. CMP allows the Contivity switch to act as a CA (Certification Authority) for other Contivity switches on the network.

C. CMP automates the process of client certificate distribution so the clients don't have to generate a certificate request.

D. CMP offers management of the entire certificate and key life cycle for the Contivity switch's server and CA certificates.

Answer: D

13. You have a CES2700 in your central office with about 1700 CES1100's at remote branch offices. All of the CES1100's have a nailed-up Peer-to-Peer branch office tunnel to the central office. You are using AES with Group 8 on the tunnels for security and the re-key timer is set to 1 hour. As more and more tunnels are activated, you noticed that CPU utilization increases significantly and network performance has begun to slightly degrade. What is the best initial step in trying to increase network performance and reduce the load on the CPU without making a significant sacrifice in security?

A. Increase the re-key timer to 8 hours.

B. Upgrade the CES2700 to a CES5000.

C. Deploy a second CES2700 and move half of the tunnels to the second switch.

D. Change the level of security used on the tunnels to 3DES with Group 7 (ECC 163-bit field).

Answer: A

14. A large banking company wants to deploy several hundred Contivity 1100's at remote branch offices. Each branch will have a primary Peer-to-Peer branch office tunnel to a CES5000 at the corporate headquarters and a backup Peer-to-Peer tunnel to a secondary CES5000. The bank has stated that the encryption algorithm used on the tunnels should be the most secure and fastest encryption available on the switch. Which encryption algorithm will best meet these needs?

A. 3DES with Group 2 (1024-bit prime)

B. AES with Group 8 (ECC 283-bit field)

C. 3DES with Group 7 (ECC 163-bit field)

D. AES-128 with Group 5 (1536-bit prime)

Answer: B

15. The new Director of IT at your company has informed you that the use of PFS (Perfect Forward Secrecy) will be a security requirement on all of the company's branch office tunnel configurations. What added security benefit does PFS offer to branch office tunnels?

A. The Contivity switch will encrypt the IKE phase I negotiations.

B. The session key will automatically be renegotiated between every packet.

C. The Contivity switch will place an outer encrypted header around the original encrypted header.

D. The compromise of one or both of the session keys will not allow previous session keys to be broken.

Answer: D

16. A customer's Contivity switch is configured to authenticate users by their user certificates. Each user is placed into a default group upon successful authentication. Since the customer's user base is growing rapidly, they would like to create a user group for each department within the company and have each user be placed into respective groups upon successful authentication. Which approach will support this solution?

A. Configure a 'User Access Policy' from the user's group IPsec configuration screen.

B. Configure a 'User Access Policy' in the CA certificate details section to determine group membership.

C. Use a separate Certification Authority (CA) for each group, and set each group as the 'Default Group' for its respective CA certificate.

D. Configure 'Group Access Control' in the CA certificate details section to use the Subject DN of the user certificate to determine group membership.

Answer: D

17. The following message has been displayed on a Contivity switch: "Warning: System CA certificates may have been tampered with, please reinstall!" What step should be taken to verify whether a certificate has, or has not been, tampered with?

A. Recover the certificate and verify that the fingerprint identifier matches the previous identifier.

B. Reinstall the certificate and verify that the new fingerprint identifier matches the previous identifier.

C. Verify the certificate's fingerprint identifier matches with the fingerprint supplied directly by the certificate's issuer.

D. Verify the certificate's issuer and the certificate issuer's serial number is that of the configured Certification Authority (CA).

Answer: C

18. A customer has eight Contivity 5000 Extranet switches that share an external LDAP server. Users are authenticated by the switch, which requires a valid user certificate and a user account in the LDAP database. The customer complains that when the eight switches update their CRL, the LDAP server that publishes the CRL seems to be overloaded. The CRL is updated every four hours. How could you effectively reduce the load on the LDAP server during the CRL updates?

A. Reduce the 'CRL Update Frequency' on the Contivity switches to every twelve hours.

B. Disable 'CRL Retrieval' on the Contivity switches and disable 'CRL Checking Mandatory'.

C. Add a second LDAP server that publishes the CRL, and have four of the eight switches use the second LDAP server.

D. Set the 'CRL Update Frequency' on six of the Contivity switches to zero, and have only two switches perform the update.

Answer: D

19. You are tasked with configuring a Contivity 4600 to connect to a frame relay gateway. You want the gateway type to be user configurable, with the gateway type determining both the LMI format and the FECN/BECN processing. When configuring the frame relay interface, how must the connection type be set?

A. direct

B. looped

C. switched

D. non-switched

Answer: C

20. The load balance and fail over features available for user tunnels apply to clients connecting through which method?

A. SSL

B. Private interface

C. Nortel Networks Contivity VPN client

D. Microsoft dial-up networking PPTP client

Answer: C

21. You are attempting to establish a VPN user tunnel to a Contivity 1700 using the Contivity VPN Client. When trying to login, a popup window appears with the following message: "Login Failure due to: Remote host not responding" What are two probable causes for this Login Failure? (Choose two.)

A. The user password is not correct.

B. The Contivity 1700 is not accessible.

C. User Datagram Protocol (UDP) port 500 is blocked.

D. The Group Security Authorization is mis-configured.

Answer: BC

22. You are tasked with configuring a Branch Office Tunnel on a Contivity 2700. If the two devices establishing the tunnel have different encryption settings (due to either export laws or administrative configuration), how will the two devices react?

A. They will default to DES with SHA1 Integrity.

B. They will negotiate upward until each has a compatible encryption capability.

C. They will negotiate downward until each has a compatible encryption capability.

D. They will negotiate upward until each has a compatible encryption capability

Answer: C

23. You are tasked with configuring a new Point-to-Point Protocol over Ethernet (PPPoE) connection on the public interface of a Contivity 1100. Which PPPoE usage restriction do you NOT need to consider?

A. PPPoE changes are dynamically applied.

B. You must set the appropriate filter (deny all by default).

C. Cannot use dynamic routing on PPPoE interfaces (unless tunneling).

D. PPPoE has a Maximum Transmission Unit (MTU) limitation of 1492 bytes.

Answer: A

24. For planning purposes, bandwidth often equals the expected or current use plus a growth potential of:

A. 0%

B. 50%

C. 100%

D. 10-20%

Answer: D

25. You have configured an IPsec peer to peer branch office tunnel between a Contivity 4600 and a Contivity 1700. When the tunnel tries to initiate, you receive the following message in the Contivity 4600's event log: ISAKMP [13] No proposal chosen in message from X.X.X.X Which condition will generate this message?

A. A remote branch office gateway rejected your gateway's attempt to authenticate.

B. The encryption types proposed by the remote branch office do not match the encryption types configured locally.

C. One side of the connection is configured to support dynamic routing while the other side is configured for static routing.

D. The proposal made by the local gateway has been rejected by a remote branch office gateway, or by an IPsec implementation from another vendor.

Answer: B

26. Which Branch Office network design provides redundancy with the lowest system overhead?

A. Full Mesh

B. Hub and Spoke

C. Redundant full mesh

D. Redundant hub and spoke

Answer: D

27. Users at a remote location cannot access their local mail server or print locally when they are tunneled into their corporate LAN via a gateway Contivity 1700. The elements have the following addresses:

- mail server (10.23.23.5)
- print locally (10.23.23.6)
- corporate LAN (192.168.1.0)

To allow access to the local servers and remain tunneled into the corporate LAN, which accessible address(es) should be used if split tunneling is configured?

A. 10.23.23.0

B. 192.168.1.0

C. 192.168.1.255

D. 10.23.23.5 and 10.23.23.6

Answer: B

28. Your customer has asked for your assistance in configuring a PPPoE interface on a Contivity 1050. You have researched PPPoE specifications and determined that PPPoE enforces an MTU size of 1492 bytes. For this reason, all PC's that connect to the Contivity also need to enforce an MTU of 1492 bytes, instead of 1500 bytes. What are two ways to set the parameters on the Contivity to address this need? (Choose two.)

A. Use the "ppoe ip tcp adjust-mss enable" command in the CLI.

100% Pass Guaranteed or Full Refund Word to Word Real Exam Questions from Real Test Buy full version of exam from this link below

http://www.prepking.com/920-449.htm