
Cisco 640-553
Number: 000-000
Passing Score: 800
Time Limit: 120 min
File Version: 1.0

QUESTION 1
As a network engineer at Cisco.com, you are responsible for the Cisco network. Which of the following must be taken into consideration when implementing Syslogging in your network?
A. Log all messages to the system buffer so that they can be displayed when accessing the router.
B. Use SSH to access your Syslog information.
C. Enable the highest level of Syslogging available to ensure you log all possible event messages.
D. Synchronize clocks on the network with a protocol such as Network Time Protocol.

Answer: D

QUESTION 2
Which classes does the U.S. government place classified data into? (Choose three.)
A. SBU
B. Confidential
C. Secret
D. Top-secret

Answer: BCD

QUESTION 3
You are a network technician at Cisco.com. Which description is correct when you have generated RSA keys on your Cisco router to prepare for secure device management?
A. All vty ports are automatically enabled for SSH to provide secure management.
B. The SSH protocol is automatically enabled.
C. You must then zeroize the keys to reset secure shell before configuring other parameters.
D. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command.

Answer: B

QUESTION 4
Which method of gaining access to a system bypasses normal security measures?
A. Creating a back door
B. Starting a Smurf attack
C. Conducting social engineering
D. Launching a DoS attack

Answer: A

-Make You Succeed To Pass IT Exams 640-553

QUESTION 5
As a candidate for the CCNA examination, when you are familiar with the basic commands, if you input the command "enable secret level 5 password" in global configuration mode, what does it indicate?
A. Set the enable secret command to privilege level 5.
B. The enable secret password is hashed using SHA.
C. The enable secret password is hashed using MD5.
D. The enable secret password is encrypted using Cisco proprietary level 5 encryption.
E. The enable secret password is for accessing exec privilege level 5.

Answer: E

QUESTION 6
Which statement is true about a Smurf attack?
A. It sends ping requests to a subnet, requesting that devices on that subnet send ping replies to a target system.
B. It intercepts the third step in a TCP three-way handshake to hijack a session.
C. It uses Trojan horse applications to create a distributed collection of "zombie" computers, which can be used to launch a coordinated DDoS attack.
D. It sends ping requests in segments of an invalid size.

Answer: A

QUESTION 7
Please choose the correct description about Cisco Self-Defending Network characteristics.
A. INTEGRATED - PG1, COLLABORATIVE - PG2, ADAPTIVE - PG3
B. INTEGRATED - PG2, COLLABORATIVE - PG1, ADAPTIVE - PG3
C. INTEGRATED - PG2, COLLABORATIVE - PG3, ADAPTIVE - PG1
D. INTEGRATED - PG3, COLLABORATIVE - PG2, ADAPTIVE - PG1

Answer: B


QUESTION 8
Which three items are Cisco best-practice recommendations for securing a network? (Choose three.)
A. Deploy HIPS software on all end-user workstations.
B. Routinely apply patches to operating systems and applications.
C. Disable unneeded services and ports on hosts.
D. Require strong passwords, and enable password expiration.

Answer: BCD

QUESTION 9
As networks develop, various network attacks appear. Which statement best describes the relationships between the attack method and the result?
A. Ping Sweep - PG1 and PG3; Port Scan - PG2, PG4 and PG5
B. Ping Sweep - PG2 and PG4; Port Scan - PG1, PG3 and PG5
C. Ping Sweep - PG1 and PG5; Port Scan - PG2, PG3 and PG4
D. Ping Sweep - PG2 and PG3; Port Scan - PG1, PG4 and PG5

Answer: B

QUESTION 10
Which of the following is intended to ensure that no one employee becomes a pervasive security threat, that data can be recovered from backups, and that information system changes do not compromise a system's security?
A. Disaster recovery
B. Strategic security planning
C. Implementation security
D. Operations security

Answer: D

QUESTION 11
Which of the following options accurately matches the CLI command(s) to the equivalent SDM wizard that performs similar configuration functions?
A. setup exec command and the SDM Security Audit wizard
B. auto secure exec command and the SDM One-Step Lockdown wizard
C. aaa configuration commands and the SDM Basic Firewall wizard
D. Cisco Common Classification Policy Language configuration commands and the SDM Site-to-Site VPN wizard

Answer: B

QUESTION 12
Which three options are network evaluation techniques? (Choose three.)
A. Scanning a network for active IP addresses and open ports on those IP addresses
B. Using password-cracking utilities
C. Performing end-user training on the use of antispyware software
D. Performing virus scans

Answer: ABD

QUESTION 13
Which is the main difference between host-based and network-based intrusion prevention?
A. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.
B. Host-based IPS can work in promiscuous mode or inline mode.
C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers.
D. Host-based IPS deployment requires less planning than network-based IPS.

Answer: C

QUESTION 14
Which of the following common elements of a network design is the most important?
A. Business needs
B. Best practices
C. Risk analysis
D. Security policy

Answer: A


QUESTION 15
Given the exhibit below. You are a network manager of your company. You are reading your Syslog server reports. On the basis of the Syslog message shown, which two descriptions are correct? (Choose two.)
A. This message is a level 5 notification message.
B. This message is unimportant and can be ignored.
C. This is a normal system-generated information message and does not require further investigation.
D. Service timestamps have been globally enabled.

Answer: AD

QUESTION 16
Which of the following offers a variety of security solutions, including firewall, IPS, VPN, antispyware, antivirus, and antiphishing features?
A. Cisco 4200 series IPS appliance
B. Cisco ASA 5500 series security appliance
C. Cisco IOS router
D. Cisco PIX 500 series security appliance

Answer: B

QUESTION 17
The enable secret password appears as an MD5 hash in a router's configuration file, whereas the enable password is not hashed (or encrypted, if the password-encryption service is not enabled). What is the reason that Cisco still supports the use of both enable secret and enable passwords in a router's configuration?
A. The enable password is used for IKE Phase I, whereas the enable secret password is used for IKE Phase II.
B. The enable password is considered to be a router's public key, whereas the enable secret password is considered to be a router's private key.
C. Because the enable secret password is a hash, it cannot be decrypted. Therefore, the enable password is used to match the password that was entered, and the enable secret is used to verify that the enable password has not been modified since the hash was generated.
D. The enable password is present for backward compatibility.

Answer: D

QUESTION 18
How does a CLI view differ from a privilege level?
A. A CLI view supports only commands configured for that specific view, whereas a privilege level supports commands available to that level and all the lower levels.
B. A CLI view supports only monitoring commands, whereas a privilege level allows a user to make changes to an IOS configuration.
C. A CLI view and a privilege level perform the same function. However, a CLI view is used on a Catalyst switch, whereas a privilege level is used on an IOS router.
D. A CLI view can function without a AAA configuration, whereas a privilege level requires AAA to be configured.

Answer: A

QUESTION 19
When configuring Cisco IOS login enhancements for virtual connections, what is the "quiet period"?
A. A period of time when no one is attempting to log in
B. The period of time in which virtual logins are blocked as security services fully initialize
C. The period of time in which virtual login attempts are blocked, following repeated failed login attempts
D. The period of time between successive login attempts

Answer: C

QUESTION 20
What is the result of securing the Cisco IOS image by use of the Cisco IOS image resilience feature?
A. When the router boots up, the Cisco IOS image will be loaded from a secured FTP location.
B. The Cisco IOS image file will not be visible in the output from the show flash command.
C. The show version command will not show the Cisco IOS image file location.
D. The running Cisco IOS image will be encrypted and then automatically backed up to a TFTP server.

Answer: B

QUESTION 21
Which three statements are valid SDM configuration wizards? (Choose three.)
A. Security Audit
B. VPN
C. STP
D. NAT

Answer: ABD

QUESTION 22
How do you define the authentication method that will be used with AAA?
A. With a method list
B. With the method command
C. With the method aaa command
D. With a method statement

Answer: A

QUESTION 23
What is the objective of the aaa authentication login console-in local command?
A. It specifies the login authorization method list named console-in using the local RADIUS username-password database.
B. It specifies the login authorization method list named console-in using the local username-password database on the router.
C. It specifies the login authentication method list named console-in using the local user database on the router.
D. It specifies the login authentication list named console-in using the local username-password database on the router.

Answer: C

QUESTION 24
Which description is true about the show login command output displayed in the exhibit?
A. All logins from any sources are blocked for another 193 seconds.
B. The login block-for command is configured to block login hosts for 93 seconds.
C. When the router goes into quiet mode, any host is permitted to access the router via Telnet, SSH, and HTTP, since the quiet-mode access list has not been configured.
D. Three or more login requests have failed within the last 100 seconds.

Answer: D

QUESTION 25
Which one of the following commands can be used to enable AAA authentication to determine if a user can access the privilege command level?
A. aaa authentication enable default local
B. aaa authentication enable level
C. aaa authentication enable method default
D. aaa authentication enable default

Answer: D

QUESTION 26
Please choose the correct matching relationships between the cryptography algorithms and the type of algorithm.
A. Symmetric - PG1, PG2 and PG3; Asymmetric - PG4, PG5 and PG6
B. Symmetric - PG1, PG4 and PG5; Asymmetric - PG2, PG3 and PG6
C. Symmetric - PG2, PG4 and PG5; Asymmetric - PG1, PG3 and PG6
D. Symmetric - PG2, PG5 and PG6; Asymmetric - PG1, PG3 and PG4

Answer: B

QUESTION 27
Which two ports are used with RADIUS authentication and authorization? (Choose two.)
A. TCP port 2002
B. UDP port 2000
C. UDP port 1645
D. UDP port 1812

Answer: CD

QUESTION 28
For the following items, which management topology keeps management traffic isolated from production traffic?
A. OOB
B. SAFE
C. MARS
D. OTP

Answer: A

QUESTION 29
What are four methods used by hackers? (Choose four.)
A. social engineering attack
B. Trojan horse attack
C. front door attacks
D. buffer Unicode attack
E. privilege escalation attack
F. footprint analysis attack

Answer: ABEF

QUESTION 30
Information about a managed device's resources and activity is defined by a series of objects. What defines the structure of these management objects?
A. FIB
B. LDAP
C. CEF
D. MIB

Answer: D

QUESTION 31
After enabling port security on a Cisco Catalyst switch, what is the default action when the configured maximum of allowed MAC addresses value is exceeded?
A. The port is shut down.
B. The port's violation mode is set to restrict.
C. The MAC address table is cleared and the new MAC address is entered into the table.
D. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out.

Answer: A

QUESTION 32
When configuring SSH, which is the Cisco minimum recommended modulus value?
A. 2048 bits
B. 256 bits
C. 1024 bits
D. 512 bits

Answer: C

QUESTION 33
When using the Cisco SDM Quick Setup Site-to-Site VPN wizard, which three parameters do you configure? (Choose three.)
A. Interface for the VPN connection
B. IP address for the remote peer
C. Transform set for the IPsec tunnel
D. Source interface where encrypted traffic originates

Answer: ABD

QUESTION 34
If you click the Configure button along the top of Cisco SDM's graphical interface, which Tasks button permits you to configure such features as SSH, NTP, SNMP, and syslog?
A. Additional Tasks
B. Security Audit
C. Intrusion Prevention
D. Interfaces and Connections

Answer: A

QUESTION 35
Which item is correct regarding Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later?
A. uses Cisco IPS 5.x signature format
B. supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts
C. requires the Basic or Advanced Signature Definition File
D. uses the built-in signatures that come with the Cisco IOS image as backup

Answer: A

QUESTION 36
Which Spanning Tree Protocol (STP) protection mechanism disables a switch port if the port receives a Bridge Protocol Data Unit (BPDU)?
A. PortFast
B. BPDU Guard
C. UplinkFast
D. Root Guard

Answer: B

QUESTION 37
For the following options, which feature is the foundation of Cisco Self-Defending Network technology?
A. policy management
B. secure connectivity
C. threat control and containment
D. secure network platform

Answer: D

QUESTION 38
If a switch is working in the fail-open mode, what will happen when the switch's CAM table fills to capacity and a new frame arrives?
A. The switch sends a NACK segment to the frame's source MAC address.
B. A copy of the frame is forwarded out all switch ports other than the port the frame was received on.
C. The frame is dropped.
D. The frame is transmitted on the native VLAN.

Answer: B

QUESTION 39
Which kind of table will be used by most firewalls today to keep track of the connections through the firewall?
A. queuing
B. netflow
C. dynamic ACL
D. reflexive ACL
E. state

Answer: E

QUESTION 40
Which type of MAC address is dynamically learned by a switch port and then added to the switch's running configuration?
A. Pervasive secure MAC address
B. Static secure MAC address
C. Sticky secure MAC address
D. Dynamic secure MAC address

Answer: C

QUESTION 41
Which are the best practices for attack mitigations?
A. PG1, PG2, PG3 and PG5
B. PG2, PG5, PG6 and PG8
C. PG2, PG5, PG6 and PG7
D. PG2, PG3, PG6 and PG8
E. PG3, PG4, PG6 and PG7

Answer: B

QUESTION 42
In an IEEE 802.1x deployment, between which two devices are EAPOL messages typically sent?
A. Between the RADIUS server and the authenticator
B. Between the authenticator and the authentication server
C. Between the supplicant and the authentication server
D. Between the supplicant and the authenticator

Answer: D

QUESTION 43
Which one of the Cisco IOS commands can be used to verify that either the Cisco IOS image, the configuration files, or both have been properly backed up and secured?
A. show flash
B. show secure bootset
C. show archive
D. show file systems

Answer: B

QUESTION 44
Which item accounts for the great majority of software vulnerabilities that have been discovered?
A. Stack vulnerabilities
B. Software overflows
C. Heap overflows
D. Buffer overflows

Answer: D

QUESTION 45
Which type of intrusion prevention technology is primarily used by the Cisco IPS security appliances?
A. rule-based
B. protocol analysis-based
C. signature-based
D. profile-based

Answer: C

QUESTION 46
What is enabled by the Dynamic Vector Streaming (DVS) scanning technology?
A. Firmware-level virus detection
B. Layer 4 virus detection
C. Signature-based spyware filtering
D. Signature-based virus filtering

Answer: C

QUESTION 47
What is the purpose of the secure boot-config global configuration command?
A. backs up the Cisco IOS image from flash to a TFTP server
B. enables Cisco IOS image resilience
C. takes a snapshot of the router running configuration and securely archives it in persistent storage
D. stores a secured copy of the Cisco IOS image in its persistent storage

Answer: C

QUESTION 48
Which Cisco Security Agent interceptor is responsible for intercepting all read/write requests to the rc files in UNIX?
A. Network interceptor
B. Configuration interceptor
C. Execution space interceptor
D. File system interceptor

Answer: B

QUESTION 49
What is the name of the e-mail traffic monitoring service that underlies the architecture of IronPort?
A. IronPort M-Series
B. E-Base
C. TrafMon
D. SenderBase

Answer: D

QUESTION 50
Based on the username global configuration mode command displayed in the exhibit, what does the option secret 5 indicate about the enable secret password?
A. It is encrypted using DH group 5.
B. It is hashed using SHA.
C. It is hashed using MD5.
D. It is encrypted using a proprietary Cisco encryption algorithm.

Answer: C

QUESTION 51
Which statement is not a reason for an organization to incorporate a SAN in its enterprise infrastructure?
A. To increase the performance of long-distance replication, backup, and recovery
B. To decrease the threat of viruses and worm attacks against data storage devices
C. To decrease both capital and operating expenses associated with data storage
D. To meet changing business priorities, applications, and revenue growth

Answer: B

QUESTION 52
On the basis of the show policy-map type inspect zone-pair session command output provided in the exhibit, what can be determined about this Cisco IOS zone-based firewall policy?
A. This is an outbound policy (applied to traffic sourced from the more secured zone destined to the less secured zone).
B. All packets will be dropped since the class-default traffic class is matching all traffic.
C. This is an inbound policy (applied to traffic sourced from the less secured zone destined to the more secured zone).
D. Stateful packet inspection will be applied only to HTTP packets that also match ACL 110.

Answer: D

QUESTION 53
Which protocol will use a LUN as a way to differentiate the individual disk drives that comprise a target device?
A. iSCSI
B. ATA
C. SCSI
D. HBA

Answer: C

QUESTION 54
What should be enabled before any user views can be created during role-based CLI configuration?
A. usernames and passwords
B. secret password for the root user
C. aaa new-model command
D. multiple privilege levels

Answer: C

QUESTION 55
For the following statements, which one is perceived as a drawback of implementing Fibre Channel Authentication Protocol (FCAP)?
A. It is restricted in size to only three segments.
B. It requires the implementation of IKE.
C. It relies on an underlying Public Key Infrastructure (PKI).
D. It requires the use of netBT as the network protocol.

Answer: C

QUESTION 56
Which two primary port authentication protocols are used with VSANs? (Choose two.)
A. ESP
B. CHAP
C. DHCHAP
D. SPAP

Answer: BC

QUESTION 57
Which statement best describes Cisco IOS Zone-Based Policy Firewall?
A. A router interface can belong to multiple zones.
B. The pass action works in only one direction.
C. Policy maps are used to classify traffic into different traffic classes, and class maps are used to assign action to the traffic classes.
D. A zone-pair is bidirectional because it specifies traffic flowing among the interfaces within the zone-pair in both directions.

Answer: B

QUESTION 58
Which VoIP components can permit or deny a call attempt on the basis of a network's available bandwidth?
A. MCU
B. Gatekeeper
C. Application server
D. Gateway

Answer: B

QUESTION 59
Which statement is true about vishing?
A. Influencing users to forward a call to a toll number (for example, a long distance or international number)
B. Influencing users to provide personal information over the phone
C. Using an inside facilitator to intentionally forward a call to a toll number (for example, a long distance or international number)
D. Influencing users to provide personal information over a web page

Answer: B

QUESTION 60
You work as a network engineer. An IPsec tunnel is negotiated within the protection of which type of tunnel?
A. GRE tunnel
B. L2TP tunnel
C. L2F tunnel
D. ISAKMP tunnel

Answer: D

QUESTION 61
Which type of firewall is needed to open appropriate UDP ports required for RTP streams?
A. Proxy firewall
B. Packet filtering firewall
C. Stateful firewall
D. Stateless firewall

Answer: C

QUESTION 62
Which statement best describes the relationships between AAA function and TACACS+, RADIUS based on the exhibit shown?
A. TACACS+ - PG1 and PG3; RADIUS - PG2 and PG4
B. TACACS+ - PG2 and PG4; RADIUS - PG1 and PG3
C. TACACS+ - PG1 and PG4; RADIUS - PG2 and PG3
D. TACACS+ - PG2 and PG3; RADIUS - PG1 and PG4

Answer: B

QUESTION 63
Which two statements are correct regarding a Cisco IP phone's web access feature? (Choose two.)
A. It is enabled by default.
B. It uses HTTPS.
C. It can provide IP address information about other servers in the network.
D. It requires login credentials, based on the UCM user database.

Answer: AC

QUESTION 64
Which option ensures that data is not modified in transit?
A. Authentication
B. Integrity
C. Authorization
D. Confidentiality

Answer: B

QUESTION 65
What is a static packet-filtering firewall used for?
A. It analyzes network traffic at the network and transport protocol layers.
B. It validates the fact that a packet is either a connection request or a data packet belonging to a connection.
C. It keeps track of the actual communication process through the use of a state table.
D. It evaluates network packets for valid data at the application layer before allowing connections.

Answer: A

QUESTION 66
Which information is stored in the stateful session flow table while using a stateful firewall?
A. all TCP and UDP header information only
B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session
C. the outbound and inbound access rules (ACL entries)
D. the inside private IP address and the translated inside global IP address

Answer: B

QUESTION 67
Which firewall best practice can help mitigate worm and other automated attacks?
A. Restrict access to firewalls
B. Segment security zones
C. Use logs and alerts
D. Set connection limits

Answer: D

QUESTION 68
In Cisco IOS Zone-Based Policy Firewall, where is the inspection policy applied?
A. to the interface
B. to the zone-pair
C. to the global service policy
D. to the zone

Answer: B

QUESTION 69
Which statement best describes the Turbo ACL feature? (Choose all that apply.)
A. The Turbo ACL feature processes ACLs into lookup tables for greater efficiency.
B. The Turbo ACL feature leads to increased latency, because the time it takes to match the packet is variable.
C. The Turbo ACL feature leads to reduced latency, because the time it takes to match the packet is fixed and consistent.
D. Turbo ACLs increase the CPU load by matching the packet to a predetermined list.

Answer: AC

QUESTION 70
Which statement best describes configuring access control lists to control Telnet traffic destined to the router itself?
A. The ACL must be applied to each vty line individually.
B. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
C. The ACL is applied to the Telnet port with the ip access-group command.
D. The ACL applied to the vty lines has no in or out option like an ACL being applied to an interface.

Answer: B

QUESTION 71
Which two actions can be configured to allow traffic to traverse an interface when zone-based security is being employed? (Choose two.)
A. Flow
B. Inspect
C. Pass
D. Allow

Answer: BC

QUESTION 72
When configuring role-based CLI on a Cisco router, which action will be taken first?
A. Create a parser view called "root view."
B. Log in to the router as the root user.
C. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command.
D. Enable the root view on the router.

Answer: D

QUESTION 73
Which key method is used to detect and prevent attacks by use of IDS and/or IPS technologies?
A. Signature-based detection
B. Anomaly-based detection
C. Honey pot detection
D. Policy-based detection

Answer: A

QUESTION 74
Which statement is correct regarding the aaa configurations based on the exhibit provided?
A. The authentication method list used by the console port is named test.
B. The authentication method list used by the vty port is named test.
C. If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database.
D. If the TACACS+ AAA server is not available, no users will be able to establish a Telnet session with the router.

Answer: B

QUESTION 75
Based on the following items, which two types of interfaces are found on all network-based IPS sensors? (Choose two.)
A. Loopback interface
B. Monitoring interface
C. Command and control interface
D. Management interface

Answer: BC

QUESTION 76
Which feature is a potential security weakness of a traditional stateful firewall?
A. It cannot ensure each TCP connection follows a legitimate TCP three-way handshake.
B. It cannot detect application-layer attacks.
C. It cannot support UDP flows.
D. The status of TCP sessions is retained in the state table after the sessions terminate.

Answer: B

QUESTION 77
With which three tasks does the IPS Policies Wizard help you? (Choose three.)
A. Selecting the interface to which the IPS rule will be applied
B. Selecting the direction of traffic that will be inspected
C. Selecting the inspection policy that will be applied to the interface
D. Selecting the Signature Definition File (SDF) that the router will use

Answer: ABD

QUESTION 78
What is the objective of Diffie-Hellman?
A. used for asymmetric public key encryption
B. used between the initiator and the responder to establish a basic security policy
C. used to verify the identity of the peer
D. used to establish a symmetric shared key via a public key exchange process

Answer: D

QUESTION 79
When editing global IPS settings, which option determines whether the IOS-based IPS feature will drop or permit traffic for a particular IPS signature engine while a new signature for that engine is being compiled?
A. Enable Engine Fail Closed
B. Enable Fail Opened
C. Enable Signature Default
D. Enable Default IOS Signature

Answer: A

QUESTION 80
Which description about asymmetric encryption algorithms is correct?
A. They use different keys for decryption but the same key for encryption of data.
B. They use the same key for encryption and decryption of data.
C. They use different keys for encryption and decryption of data.
D. They use the same key for decryption but different keys for encryption of data.

Answer: C

QUESTION 81
Regarding constructing a good encryption algorithm, what does creating an avalanche effect indicate?
A. Changing only a few bits of a plain-text message causes the ciphertext to be completely different.
B. Changing only a few bits of a ciphertext message causes the plain text to be completely different.
C. Altering the key length causes the plain text to be completely different.
D. Altering the key length causes the ciphertext to be completely different.

Answer: A

QUESTION 82
Which one of the aaa accounting commands can be used to enable logging of both the start and stop records for user terminal sessions on the router?
A. aaa accounting connection start-stop tacacs+
B. aaa accounting network start-stop tacacs+
C. aaa accounting exec start-stop tacacs+
D. aaa accounting system start-stop tacacs+

Answer: C

QUESTION 83
Stream ciphers run on which of the following?
A. Individual blocks, one at a time, with the transformations varying during the encryption
B. Individual digits, one at a time, with the transformations varying during the encryption
C. Fixed-length groups of digits called blocks
D. Fixed-length groups of bits called blocks

Answer: B

QUESTION 84
Which description is correct based on the exhibit and partial configuration?
A. All traffic from network 10.0.0.0 will be permitted.
B. This ACL will prevent any host on the Internet from spoofing the inside network address as the source address for packets coming into the router from the Internet.
C. Access-list 101 will prevent address spoofing from interface E0.
D. All traffic destined for network 172.16.150.0 will be denied due to the implicit deny all.

Answer: C

QUESTION 85
Which description is true about ECB mode?
A. ECB mode uses the same 64-bit key to serially encrypt each 56-bit plain-text block.
B. In ECB mode, each 56-bit plain-text block is exclusive ORed (XORed) bitwise with the previous ciphertext block.
C. ECB mode uses the same 56-bit key to serially encrypt each 64-bit plain-text block.
D. In ECB mode, each 64-bit plain-text block is exclusive ORed (XORed) bitwise with the previous ciphertext block.

Answer: C

QUESTION 86
Which of the following can be used to authenticate the IPsec peers during IKE Phase 1?
A. XAUTH
B. pre-shared key
C. integrity check value
D. Diffie-Hellman Nonce

Answer: B

QUESTION 87
In a brute-force attack, what percentage of the keyspace must an attacker generally search through until he or she finds the key that decrypts the data?
A. Roughly 66 percent
B. Roughly 10 percent
C. Roughly 75 percent
D. Roughly 50 percent

Answer: D

QUESTION 88
What will be disabled as a result of the no service password-recovery command?
A. password encryption service
B. ROMMON
C. changes to the config-register setting
D. the xmodem privilege EXEC mode command to recover the Cisco IOS image

Answer: B

QUESTION 89
Which of the following is an example of a function intended for cryptographic hashing?
A. SHA-135
B. MD65
C. XR12
D. MD5

Answer: D

QUESTION 90
Which one of the following items may be added to a password stored in MD5 to make it more secure?
A. Rainbow table
B. Cryptotext
C. Ciphertext
D. Salt

Answer: D


QUESTION 91
What is the MD5 algorithm used for?
A. takes a variable-length message and produces a 168-bit message digest
B. takes a fixed-length message and produces a 128-bit message digest
C. takes a variable-length message and produces a 128-bit message digest
D. takes a message less than 2^64 bits as input and produces a 160-bit message digest

Answer: C

QUESTION 92
Which algorithm was the first to be found suitable for both digital signing and encryption?
A. SHA-1
B. MD5
C. HMAC
D. RSA

Answer: D

QUESTION 93
Which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10?
A. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
C. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
D. access-list 101 permit tcp any eq 3030

Answer: B

QUESTION 94
Observe the following options carefully. Which two attacks focus on RSA? (Choose all that apply.)
A. DDoS attack
B. BPA attack
C. Adaptive chosen ciphertext attack
D. Man-in-the-middle attack

Answer: BC

QUESTION 95
A standard access control list has been configured on a router and applied to interface Serial 0 in an outbound direction. No ACL is applied to interface Serial 1 on the same router. What will happen when traffic being filtered by the access list does not match the configured ACL statements for Serial 0?
A. The source IP address is checked, and, if a match is not found, traffic is routed out interface Serial 1.
B. The resulting action is determined by the destination IP address.
C. The resulting action is determined by the destination IP address and port number.
D. The traffic is dropped.

Answer: D

QUESTION 96
Before a Diffie-Hellman exchange may begin, the two parties involved must agree on what?
A. Two nonsecret keys
B. Two secret numbers
C. Two secret keys
D. Two nonsecret numbers

Answer: D

QUESTION 97
Which item is the correct matching relationship associated with the IKE phases?
A. IKE Phase 1 - PG1 and PG2; IKE Phase 2 - PG3, PG4 and PG5
B. IKE Phase 1 - PG1 and PG4; IKE Phase 2 - PG2, PG3 and PG5
C. IKE Phase 1 - PG2 and PG3; IKE Phase 2 - PG1, PG4 and PG5
D. IKE Phase 1 - PG2 and PG4; IKE Phase 2 - PG1, PG3 and PG5

Answer: B


QUESTION 98
Which three are distinctions between asymmetric and symmetric algorithms? (Choose all that apply.)
A. Asymmetric algorithms are based on more complex mathematical computations.
B. Only symmetric algorithms have a key exchange technology built in.
C. Only asymmetric algorithms have a key exchange technology built in.
D. Asymmetric algorithms are used quite often as key exchange protocols for symmetric algorithms.

Answer: ACD

QUESTION 99
Of the following options, which one is the strongest symmetric encryption algorithm?
A. 3DES
B. DES
C. AES
D. Diffie-Hellman

Answer: C

QUESTION 100
Which statement is true about a certificate authority (CA)?
A. A trusted third party responsible for signing the private keys of entities in a PKI-based system
B. A trusted third party responsible for signing the public keys of entities in a PKI-based system
C. An entity responsible for registering the private key encryption used in a PKI
D. An agency responsible for granting and revoking public-private key pairs

Answer: B

QUESTION 101
Which location will be recommended for extended or extended named ACLs?
A. a location as close to the destination traffic as possible
B. an intermediate location to filter as much traffic as possible
C. when using the established keyword, a location close to the destination point to ensure that return traffic is allowed
D. a location as close to the source traffic as possible

Answer: D

QUESTION 102
Which Public Key Cryptographic Standards (PKCS) defines the syntax for encrypted messages and messages with digital signatures?
A. PKCS #12
B. PKCS #10
C. PKCS #8
D. PKCS #7

Answer: D

QUESTION 103
For the following items, which one acts as a VPN termination device and is located at a primary network location?
A. Headend VPN device
B. Tunnel
C. Broadband service
D. VPN access device

Answer: A

QUESTION 104
Refer to the exhibit. You are the network security administrator responsible for router security. Your network uses internal IP addressing according to RFC 1918 specifications. From the default rules shown, which access control list would prevent IP address spoofing of these internal networks?
A. SDM_Default_196
B. SDM_Default_197
C. SDM_Default_198
D. SDM_Default_199

Answer: C

QUESTION 105
Refer to the exhibit. Based on the VPN connection shown, which statement is true?
A. Traffic that matches access list 103 will be protected.
B. This VPN configuration will not work because the tunnel IP and peer IP are the same.
C. The tunnel is down as a result of being a static rule. It should be configured as a Dynamic IPsec policy.
D. The tunnel is down because the transform set needs to include the Authentication Header parameter.

Answer: A

QUESTION 106
Instructions
To access the Cisco Router and Security Device Manager (SDM) utility, click on the console host icon that is connected to an ISR router. You can click on the grey buttons below to view the different windows. Each of the windows can be minimized by clicking on the [-]. You can also reposition a window by dragging it by the title bar. The "Tab" key and most commands that use the "Control" or "Escape" keys are not supported and are not necessary to complete this simulation.

1. Which two options correctly identify the associated interface with the correct security zone? (Choose two.)
A: FastEthernet0/1 is associated to the "out-zone" zone.
B: FastEthernet0/0 is associated to the "in-zone" zone.
C: FastEthernet0/0 and 0/1 are associated to the "self" zone.
D: FastEthernet0/0 and 0/1 are associated to the "in-zone" zone.
E: FastEthernet0/0 and 0/1 are associated to the "out-zone" zone.
F: FastEthernet0/0 and 0/1 are not associated to any zone.
Answer:

2. Which statement is correct regarding the "sdm-permit" policy map?
A: Traffic not matched by any of the class maps within that policy map will be inspected.
B: Traffic matching the "sdm-access" traffic class will be inspected.
C: Traffic matching the "SDM_CA_SERVER" traffic class will be dropped.
D: That policy map is applied to traffic sourced from the "self" zone and destined to the "out-zone" zone.
Answer: B

3. Within the "sdm-inspect" policy map, what is the action assigned to the traffic class "sdm-invalid-src", and which traffic is matched by the traffic class "sdm-invalid-src"? (Choose two.)
A. drop/log
B. inspect
C. inspect/log
D. traffic matched by ACL 104
E. traffic matched by ACL 105
F. traffic matched by the nested "sdm-cls-insp-traffic" class map
G. any traffic
Answer: A, D

4. Which three protocols are matched by the "sdm-cls-insp-traffic" class map? (Choose three.)
A: sql-net
B: pop3
C: l2tp
D: ftp
Answer: A, B, D

5. Within the "sdm-permit" policy map, what is the action assigned to the traffic class "class-default"?
A: inspect
B: pass
C: drop
D: police
Answer: C

6. Which policy map is associated to the "adm-zp-in-out" security zone pair?
A. sdm-permit-icmpreply
B. adm-permit
C. sdm-inspect
D. sdm-insp-traffic
E. sdm-access
Answer: C

QUESTION 107
On the basis of the description of SSL-based VPN, place the correct descriptions in the proper locations.

A.

Answer: A

QUESTION 108
Which three common examples are of AAA implementation on Cisco routers? Please place the correct descriptions in the proper locations.

A.

Answer: A

QUESTION 109
Drag two characteristics of the SDM Security Audit wizard on the above to the list on the below.

A.

Answer: A

QUESTION 110
On the basis of the Cisco IOS Zone-Based Policy Firewall, by default, which three types of traffic are permitted by the router when some interfaces of the routers are assigned to a zone? Drag three proper characterizations on the above to the list on the below.

A.

Answer: A

QUESTION 111
Drag three proper statements about the IPsec protocol on the above to the list on the below.

A.

Answer: A

QUESTION 112
LAB
You are the network security administrator for Big Money BankCo. You are informed that an attacker has performed a CAM table overflow attack by sending spoofed MAC addresses on one of the switch ports. The attacker has since been identified and escorted out of the campus. You now need to take action to configure the switch port to protect against this kind of attack in the future. For purposes of this test, the attacker was connected via a hub to the Fa0/12 interface of the switch. The topology is provided for your use. The enable password of the switch is cisco. Your task is to configure the Fa0/12 interface on the switch to limit the maximum number of MAC addresses that are allowed to access the port to two and to shut down the interface when there is a violation.

A.
Switch1>enable
Switch1#config t
Switch1(config)#interface fa0/12
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport port-security maximum 2
Switch1(config-if)#switchport port-security violation shutdown
Switch1(config-if)#no shut
Switch1(config-if)#end
Switch1#copy run start

Answer: A

QUESTION 113
You suspect an attacker in your network has configured a rogue layer 2 device to intercept traffic from multiple VLANs, thereby allowing the attacker to capture potentially sensitive. Which two methods will help to mitigate this type of activity? (Choose two.)
A. Turn off all trunk ports and manually configure each VLAN as required on each port
B. Disable DTP on ports that require trunking
C. Secure the native VLAN, VLAN 1, with encryption
D. Set the native VLAN on the trunk ports to an unused VLAN
E. Place unused active ports in an unused VLAN

Answer: BD


QUESTION 114
When configuring AAA login authentication on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)
A. krb5
B. local
C. enable
D. group RADIUS
E. group TACACS+

Answer: CE

QUESTION 115
Which two protocols enable Cisco SDM to pull IPS alerts from a Cisco ISR router?
A. FTP
B. HTTPS
C. TFTP
D. SSH
E. syslog
F. SDEE

Answer: BF

QUESTION 116
Which two statements about configuring the Cisco ACS server to perform router command authorization are true? (Choose two.)
A. In the ACS User Group setup screen, use the Shell Command Authorization Set options to configure which commands and command arguments to permit or deny.
B. From the ACS Interface Configuration screen, select RADIUS (Cisco IOS/PIX 6.0), and then enable the Shell (exec) option on the RADIUS Services screen.
C. When adding the router as an AAA client on the Cisco ACS server, choose the TACACS+ (Cisco IOS) protocol.
D. Configure the Cisco ACS server to forward authentication of users to an external user database, like Windows Database.

Answer: AC

QUESTION 117
When configuring Cisco IOS Zone-Based Policy Firewall, what are the three actions that can be applied to a traffic class? (Choose three.)
A. Pass
B. Police
C. Inspect
D. Drop
E. Queue
F. Shape

Answer: ACD

QUESTION 118
Which three statements about applying access control lists to a Cisco router are true? (Choose three.)
A. Place more specific ACL entries at the top of the ACL.
B. ACLs always search for the most specific entry before taking any filtering action.
C. Router-generated packets cannot be filtered by ACLs on the router.
D. Place generic ACL entries at the top of the ACLs to filter general traffic and thereby reduce "noise" on the network.
E. If an access list is applied but is not configured, all traffic will pass.

Answer: ACE

QUESTION 119
Which two functions are required for IPsec operation? (Choose two.)
A. using AH protocols for encryption and authentication
B. using SHA for encryption
C. using Diffie-Hellman to establish a shared-secret key
D. using PKI for pre-shared-key authentication
E. using IKE to negotiate the SA

Answer: CE

QUESTION 120
Scenario: Next Gen University main campus is located in Santa Cruz. The University has recently established various remote campuses offering e-learning services. The University is using IPsec VPN connectivity between its main and remote campuses Phoenix (PHX), Newadla (ND), Sacramento (SAC). As a recent addition to the IT/Networking team, you have been tasked to document the IPsec VPN configurations to the remote campuses using the Cisco Router and SDM utility. Using the SDM output from VPN Tasks under the Configure tab, answer these questions.
Cisco SDM 5.0:

1. Which one of these statements is correct in regards to the Next Gen University IPsec tunnel between its Santa Cruz main campus and its PHX remote campus?
A: It is using IPsec tunnel mode, AES encryption and SHA HMAC Integrity Check.
B: It is using IPsec tunnel mode, 3DES encryption and SHA HMAC Integrity Check.
C: It is using IPsec tunnel mode to protect the traffic between the 10.10.10.0/24 and the 10.253.0/24 subnet.
D: It is using digital certificate to authenticate between the IPsec peers and DH group 2.
E: It is using pre-shared key to authenticate between the IPsec peers and DH group 5.
F: The Santa Cruz main campus is the Easy VPN server and the PHX remote campus is the Easy VPN remote.
Answer:

2. Which of these is used to define which traffic will be protected by IPsec between the Next Gen University Santa Cruz main campus and its SAC remote campus?
A: ACL 174
B: ACL 168
C: ACL 151
D: ESP-3DES-SHA1 transform set
E: ESP-3DES-SHA2 transform set
F: IKE Phase
Answer: A

3. The IPsec tunnel to the SAC remote campus terminates at which IP address, and what is the protected subnet behind the SAC remote campus router? (Choose two.)
A: 192,168288
B: 192.168.5.28
C: 192.168.8.97
D: 10.2.53.0/124
E: 10.5.64.0/124
F: 10.8.74.0/124
Answer: C, F

4. Which one of these statements is correct in regards to the Next Gen University IPsec tunnel between its Santa Cruz main campus and its SAC remote campus?
A: The SAC remote campus remote router is using dynamic IP address; therefore, the Santa
B: Cruz router is using a dynamic crypto map.
C: Dead Peer Detection (DPD) is used to monitor the IPsec tunnel, so if there is no traffic traversing between the two sites, the IPsec tunnel will disconnect.
D: Tunnel mode is used; therefore, a GRE tunnel interface will be configured.
E: Only the ESP protocol is being used; AH is not being used.
Answer: D

QUESTION 121
What is the goal of an overall security challenge when planning a security strategy?
A. to harden all exterior-facing network components
B. to install firewalls at all critical points in the network
C. to find a balance between the need to open networks to support evolving business requirements and the need to info
D. to educate employees to be on the lookout for suspicious behaviour

Answer: C

QUESTION 122
Which threats are the most serious?
A. inside threats
B. outside threats
C. unknown threats
D. reconnaissance threats

Answer: A

QUESTION 123
Network security aims to provide which three key services? (Choose three.)
A. data integrity
B. data strategy
C. data & system availability
D. data mining
E. data storage
F. data confidentiality

Answer: ACF

QUESTION 124
Which option is the term for a weakness in a system or its design that can be exploited by a threat?
A. a vulnerability
B. a risk
C. an exploit
D. an attack
E. a joke

Answer: A


QUESTION 125
Which option is the term for the likelihood that a particular threat using a specific attack will exploit a particular vulnerability of a system that results in an undesirable consequence?
A. a vulnerability
B. a risk
C. an exploit
D. an attack
E. a joke

Answer: B

QUESTION 126
Which option is the term for what happens when computer code is developed to take advantage of a vulnerability? For example, suppose that a vulnerability exists in a piece of software, but nobody knows about this vulnerability.
A. a vulnerability
B. a risk
C. an exploit
D. an attack
E. a joke

Answer: C

QUESTION 127
What is the first step you should take when considering securing your network?
A. install a firewall
B. install an intrusion prevention system
C. update servers and user PCs with the latest patches
D. develop a security policy
E. go drink beer and don't worry about it

Answer: D

QUESTION 128
Which option is a key principle of the Cisco Self-Defending Network strategy?
A. security is static and should prevent most known attacks on the network
B. the self-defending network should be the key point of your security policy
C. integrate security throughout the existing infrastructure
D. upper management is ultimately responsible for policy implementation

Answer: C

QUESTION 129
Which three options are areas of router security? (Choose three.)
A. physical security
B. access control list security
C. zone-based firewall security
D. operating system security
E. router hardening
F. Cisco IOS-IPS security

Answer: ADE

QUESTION 130
You have several operating groups in your enterprise that require different access restrictions to the routers to perform their job roles. These groups range from Help Desk personnel to advanced troubleshooters. What is one methodology for controlling access rights to the router in this situation?
A. configure ACLs to control access for these different groups
B. configure multiple privilege level access
C. implement syslogging to monitor the activities of these groups
D. configure TACACS+ to perform scalable authentication

Answer: B

QUESTION 131
Which of these is a GUI tool for performing security configuration on Cisco routers?
A. security appliance device manager
B. Cisco CLI configuration management tool
C. Cisco security device manager
D. Cisco security manager

Answer: C

QUESTION 132
When implementing network security, what is an important configuration task that you should perform to assist in correlating network and security events?
A. configure network time protocol
B. configure synchronized syslog reporting
C. configure a common repository of all network events for ease of monitoring
D. configure an automated network monitoring system for event correlation

Answer: A

QUESTION 133
Which of these options is a Cisco IOS feature that lets you more easily configure security features on your router?
A. Cisco self-defending network
B. implementing AAA command authorization
C. the auto secure CLI command
D. performing a security audit via SDM

Answer: C

QUESTION 134
Which three of these options are some of the best practices when you implement an effective firewall security policy? (Choose three.)
A. position firewalls at strategic inside locations to help mitigate nontechnical attacks
B. configure logging to capture all events for forensic purposes
C. use firewalls as a primary security defense; other security measures and devices should be implemented to enhance your network security
D. position firewalls at key security boundaries
E. deny all traffic by default and permit only necessary services

Answer: CDE

Drag and drop. Match the descriptions on the left with the IKE phases on the right.

A.

Answer: A

QUESTION 135
Which option correctly defines asymmetric encryption?
A. uses the same keys to encrypt and decrypt data
B. uses MD5 hashing algorithms for digital signature encryption
C. uses different keys to encrypt and decrypt data
D. uses SHA-1 hashing algorithms for digital signature encryption

Answer: C

QUESTION 136
Which option is a desirable feature of using symmetric encryption algorithms?
A. they are often used for wire-speed encryption in data networks
B. they are based on complex mathematical operations and can easily be accelerated by hardware
C. they offer simple key management properties
D. they are best used for one-time encryption needs

Answer: A

QUESTION 137
Which option is true of using cryptographic hashes?
A. they are easily reversed to decipher the message context
B. they convert arbitrary data into fixed-length digits
C. they are based on a two-way mathematical function
D. they are used for encrypting bulk data communications

Answer: B


QUESTION 138
Which option is true of intrusion prevention systems?
A. they operate in promiscuous mode
B. they operate in inline mode
C. they have no potential impact on the data segment being monitored
D. they are more vulnerable to evasion techniques than IDS

Answer: B

QUESTION 139
Which statement is true when using zone-based firewalls on a Cisco router?
A. policies are applied to traffic moving between zones, not between interfaces
B. the firewalls can be configured simultaneously on the same interface as classic CBAC using the ip inspect CLI command
C. interface ACLs are applied before zone-based policy firewalls when they are applied outbound
D. when configuring with the "PASS" action, stateful inspection is applied to all traffic passing between the configured zones

Answer: A

QUESTION 140
From what configuration mode would you enter the set peer ip-address command to specify the IP address of an IPsec peer?
A. Transform set configuration mode
B. Crypto map configuration mode
C. ISAKMP configuration mode
D. Interface configuration mode

Answer: B

QUESTION 141
What two site-to-site VPN wizards are available in the Cisco SDM interface? (Choose two.)
A. Easy VPN Setup
B. Quick Setup
C. Step-by-Step
D. DMVPN Setup

Answer: BC

QUESTION 142
What command displays all existing IPsec security associations (SA)?
A. show crypto isakmp sa
B. show crypto ipsec sa
C. show crypto ike active
D. show crypto sa active

Answer: B

QUESTION 143
Which two statements are true about the differences between IDS and IPS? (Choose two.)
A. IPS operates in promiscuous mode.
B. IPS receives a copy of the traffic to be analyzed.
C. IPS operates in inline mode.
D. IDS receives a copy of the traffic to be analyzed.

Answer: CD

QUESTION 144
What form of attack are all algorithms susceptible to?
A. Meet-in-the-middle
B. Spoofing
C. Stream cipher
D. Brute-force

Answer: D

QUESTION 145
Which type of cipher achieves security by rearranging the letters in a string of text?
A. Stream cipher
B. Transposition cipher
C. Block cipher

Answer: C

QUESTION 146
Which of the following are techniques used by symmetric encryption cryptography? (Choose all that apply.)
A. Block ciphers
B. Message Authentication Codes (MAC)
C. One-time pad
D. Stream ciphers

Answer: ABD

QUESTION 147
DES typically operates in block mode, where it encrypts data in what size blocks?
A. 56-bit blocks
B. 40-bit blocks
C. 128-bit blocks
D. 64-bit blocks

Answer: D

QUESTION 148
What method does 3DES use to encrypt plain text?
A. 3DES-EDE
B. EDE-3DES
C. 3DES-AES
D. AES-3DES

Answer: A

QUESTION 149
Which of the following is not considered a trustworthy symmetric encryption algorithm?
A. 3DES
B. IDEA
C. EDE
D. AES

Answer: C

QUESTION 150
ACE University main campus is located in Santa Cruz. The University has recently established various remote campuses offering e-learning services. The University is using IPsec VPN connectivity between its main and remote campuses San Francisco (SF), South Dakota (SD), Redwood City (RWC). As a recent addition to the IT/Networking team, you have been tasked to document the IPsec VPN configurations to the remote campuses using the Cisco Router and SDM utility. Using the SDM output from VPN Tasks under the Configure tab, answer these questions:

1. Which one of these statements is correct in regards to the ACE University IPsec tunnel between its Santa Cruz main campus and its SF remote campus?
A. It is using IPsec tunnel mode, AES encryption, and SHA HMAC Integrity Check.
B. It is using IPsec transport mode, 3DES encryption, and SHA HMAC Integrity Check.
C. It is using IPsec tunnel mode to protect the traffic between the 10.10.10.0/24 and the 10.2.58.0/24 subnet.
D. It is using digital certificate to authenticate between the IPsec peers and DH group 2.
E. It is using pre-shared key to authenticate between the IPsec peers and DH group 5.
F. The Santa Cruz main campus is the Easy VPN Server and the SF remote campus is the Easy VPN Remote.

Answer: D

2. Which of these is used to define which traffic will be protected by IPsec between the ACE University Santa Cruz main campus and its RWC remote campus?
A. ACL 171
B. ACL 167
C. ACL 153
D. ESP-3DES-SHA1 transform set
E. ESP-3DES-SHA2 transform set
F. IKE Phase 1

Answer: B

3. The IPsec tunnel to the RWC remote campus terminates at which IP address, and what is the protected subnet behind the RWC remote campus router? (Choose two.)
A. 192.168.2.79
B. 192.168.5.49
C. 192.168.8.42
D. 10.2.58.0/24
E. 10.5.67.0/24
F. 10.8.74.0/24

Answer: C,D

4. Which one of these statements is correct in regards to the ACE University IPsec tunnel between its Santa Cruz main campus and its RWC remote campus?
A. The RWC remote campus remote router is using dynamic IP address; therefore, the Santa Cruz router is using a dynamic crypto map.
B. Dead Peer Detection (DPD) is used to monitor the IPsec tunnel, so if there is no traffic traversing between the two sites, the IPsec tunnel will disconnect.
C. Tunnel mode is used; therefore, a GRE tunnel interface will be configured.
D. Only the ESP protocol is being used; AH is not being used.

Answer: D

QUESTION 151
When using a stateful firewall, which information is stored in the stateful session flow table?
A. the outbound and inbound access rules (ACL entries)
B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session
C. all TCP and UDP header information only
D. all TCP SYN packets and the associated return ACK packets only
E. the inside private IP address and the translated inside global IP address

Answer: B

QUESTION 152
Which of these can be used to authenticate the IPsec peers during IKE Phase 1?
A. Diffie-Hellman Nonce
B. pre-shared key
C. XAUTH
D. integrity check value
E. ACS
F. AH

Answer: B

QUESTION 153
What is the primary type of intrusion prevention technology used by the Cisco IPS security appliances?
A. profile-based
B. rule-based
C. signature-based
D. protocol analysis-based
E. netflow anomaly-based
F. Pending

Answer: F

QUESTION 154
When configuring AAA login authentication on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)
A. group RADIUS
B. group TACACS+
C. local
D. krb5
E. enable
F. if-authenticated
G. Pending

Answer: G

QUESTION 155
Which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10?
A. access-list 101 permit tcp any eq 303
B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
C. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
D. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
E. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
F. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80

Answer: B

QUESTION 156
Which characteristic is the foundation of Cisco Self-Defending Network technology?
A. secure connectivity
B. threat control and containment
C. policy management
D. secure network platform

Answer: D

QUESTION 157
Which Cisco IOS command is used to verify that either the Cisco IOS image, the configuration files, or both have been properly backed up?
A. show archive
B. show secure bootset
C. show flash
D. show file systems
E. dir
F. dir archive

Answer: B

QUESTION 158
Which aaa accounting command is used to enable logging of both the start and stop records for user terminal sessions on the router?
A. aaa accounting network start-stop tacacs+
B. aaa accounting system start-stop tacacs+
C. aaa accounting exec start-stop tacacs+
D. aaa accounting connection start-stop tacacs+
E. aaa accounting commands 15 start-stop tacacs+

Answer: C

QUESTION 159
What does the MD5 algorithm do?
A. takes a message less than 2^64 bits as input and produces a 160-bit message digest
B. takes a variable-length message and produces a 168-bit message digest
C. takes a variable-length message and produces a 128-bit message digest
D. takes a fixed-length message and produces a 128-bit message digest
E. Pending

Answer: E

QUESTION 160
Which statement is true about asymmetric encryption algorithms?
A. They use the same key for encryption and decryption of data.
B. They use the same key for decryption but different keys for encryption of data.
C. They use different keys for encryption and decryption of data.
D. They use different keys for decryption but the same key for encryption of data.

Answer: C


QUESTION 161
For the following options, which one accurately matches the CLI command(s) to the equivalent SDM wizard that performs similar configuration functions?
A. setup exec command and the SDM Security Audit wizard
B. auto secure exec command and the SDM One-Step Lockdown wizard
C. aaa configuration commands and the SDM Basic Firewall wizard
D. Cisco Common Classification Policy Language configuration commands and the SDM Site-to-Site VPN wizard

Answer: B

QUESTION 162
Examine the following items. Which one offers a variety of security solutions, including firewall, IPS, VPN, antispyware, antivirus, and antiphishing features?
A. Cisco 4200 series IPS appliance
B. Cisco ASA 5500 series security appliance
C. Cisco IOS router
D. Cisco PIX 500 series security appliance

Answer: B

QUESTION 163
When configuring Cisco IOS login enhancements for virtual connections, what is the "quiet period"?
A. A period of time when no one is attempting to log in
B. The period of time in which virtual logins are blocked as security services fully initialize
C. The period of time in which virtual login attempts are blocked, following repeated failed login attempts
D. The period of time between successive login attempts

Answer: C
