A. Use SSH to access your Syslog information.
B. Enable the highest level of Syslogging available to ensure you log all possible event messages.
C. Log all messages to the system buffer so that they can be displayed when accessing the router.
D. Syncronize clocks on the network with a protocol such as Network Time Protocol.
Answer: D Question: 2
Which statement is true when you have generated RSA keys on your Cisco router to prepare for secure device management?

A. You must then zeroize the keys to reset secure shell before configuring other parameters. B. The SSH protocol is automatically enabled.
C. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command.
D. All vty ports are automatically enabled for SSH to provide secure management.
Answer: B Question: 3
What does level 5 in the following enable secret global configuration mode command indicate?
router# enable secret level 5 password

A. The enable secret password is hashed using MD5. B. The enable secret password is hashed using SHA.
C. The enable secret password is encrypted using Cisco proprietary level 5 encryption. D. Set the enable secret command to privilege level 5.
E. The enable secret password is for accessing exec privilege level 5.

Answer: E Question: 4 Drop

Answer:

Page 1 of 43

Exam Name: IINS Implementing Cisco IOS Network Security
Exam Type: Cisco Case Studies: 2
Exam Code: 640-553 Total Questions: 134

Question: 5 Drop

Answer:

Question: 6
Which of these correctly matches the CLI command(s) to the equivalent SDM wizard that performs similar configuration functions?

A. Cisco Common Classification Policy Language configuration commands and the SDM Site-to- Site VPNn wizard
B. Auto secure exec command and the SDM One-Step Lockdown wizard
C. Setup exec command and the SDM Security Audit wizard

Page 2 of 43

Exam Name: IINS Implementing Cisco IOS Network Security
Exam Type: Cisco Case Studies: 2
Exam Code: 640-553 Total Questions: 134

D. Class-maps, policy-maps, and service-policy configuration commands and the SDM IPS
wizard
E. Aaa configuration commands and the SDM Basic Firewall wizard
Answer: B Question: 7
What is the key difference between host-based and network-based intrusion prevention?

A. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.
B. Network-based IPS provides better protection against OS kernel-level attacks against hosts and servers.
C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers.
D. Host-based IPS can work in promiscuous mode or inline mode.
E. Host-based IPS is more scalable then network-based IPS.
F. Host-based IPS deployment requires less planning than network-based IPS.
Answer: C Question: 8
Refer to the exhibit.
You are a network manager for your organization. You are looking at your Syslog server reports. Based on the Syslog message shown, which two statements are true? (Choose two.)

A. Service timestamps have been globally enabled.
B. This is a normal system-generated information message and does not require further investigation.
C. This message is unimportant and can be ignored. D. This message is a level 5 notification message.
Answer: A, D Question: 9
You suspect an attacker in your network has configured a rogue layer 2 device to intercept traffic
from multiple VLANS, thereby allowing the attacker to capture potentially sensitive data. Which two methods will help to mitigate this type of activity? (Choose two.)

A. Turn off all trunk ports and manually configure each VLAN as required on each port
B. Disable DTP on ports that require trunking
C. Secure the native VLAN, VLAN 1 with encryption
D. Set the native VLAN on the trunk ports to an unused VLAN E. Place unused active ports in an unused VLAN
Answer: B, D Question: 10
Which three statements about SSL-based VPNs are true? (Choose three.)

A. Asymmetric algorithms are used for authentication and key exchange.
B. SSL VPNs and IPsec VPNs cannot be configured concurrently on the same router. C. Symmetric algorithms are used for bulk encryption.

Page 3 of 43

Exam Name: IINS Implementing Cisco IOS Network Security
Exam Type: Cisco Case Studies: 2
Exam Code: 640-553 Total Questions: 134

D. The authentication process uses hashing technologies.
E. SSL VPNs require special-purpose client software to be installed on the client machine.
F. You can also use the application programming interface to extensively modify the SSL client software for use in special applications.
Answer: A, C, D Question: 11
When configuring AAA login authentication on Cisco routers, which two authentication methods
should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)

A. Group RADIUS
B. Group TACACS+ C. Local
D. Krb5
E. Enable
F. If-authenticated
Answer: C, E Question: 12
What is a result of securing the Cisco IOS image using the Cisco IOS image resilience feature?

A. The show version command will not show the Cisco IOS image file location.
B. The Cisco IOS image file will not be visible in the output from the show flash command.
C. When the router boots up, the Cisco IOS image will be loaded from a secured FTP location.
D. The running Cisco IOS image will be encrypted and then automatically backed up to the
NVRAM.
E. The running Cisco IOS image will be encrypted and then automatically backed up to a TFTP
server.
Answer: B

Below is the rapidshare link and is limited to 10 downloads. Some one can mirror it on a permanent server.

Download 640-553 exam
Code:

http://rapidshare.com/files/303507478/Pass4Sure.CISCO.640-553.By.exms.rar.html

[offer]P4S 640-553 Latest version (18-aug-2009) CRACKED
To Download the latest version of pass4sure 640-553 (18-aug-2009) v.4.38
138 questions

follow the below links

megaupload

http://www.megaupload.com/?d=1IVX4HB7

rapidshare

http://rapidshare.com/files/276313602/p4s_640-553.exe

ziddu.com

http://www.ziddu.com/download/6380841/p4s640-553.exe.html

Product 640-553 Description
640-553 pdf vce

Exam Number:640-553
Exam Name:Cisco Certified – IINS Implementing Cisco IOS Network Security
Market Price:$125.99
Member Price:$99.99
Where can you buy the 640-553 exam online?
We recommend Pass4sure 640-553 Testing Engine which will help you pass the 640-553 exam.

ActualtestsDemo 640-553 Exam Details

Comprehensive questions with complete details about Actualtests 640-553 exam
Tested by many real exams before publishing
Verified Actualtests 640-553 Answers Researched by Industry Experts
Actualtests 640-553 exam questions accompanied by exhibits
Drag and Drop questions as experienced in the Real Actualtests 640-553 Exams
How to prepare for 640-553 exam?

We designed Actualtests 640-553 Simulation kit to help you get certified effortlessly. Now you don’t need to spend your time and money searching for Actualtests 640-553 certification materials, books, etc., Actualtests 640-553 exam simulation contains everything you need to get certified. Just follow the instructions, focus on the study material and getting certified will be easy.

Free down:pass4sure 640-553
Free down:testking 640-553

more info:www.ciscoexams.org

CCNA Security Q&A

a) RADIUS does not allow users to control which commands can be executed on a router and which cannot; therefore, it is not as useful for router management or as flexible for terminal services.

b) RADIUS allows users to control which commands can be executed on a router, once
properly authenticated, and as permitted in the authorization reply
c) RADIUS, using TCP, secures the authorization and accounting processes by transmitting sensitive information in a secure tunnel once the connection is properly authenticated.
d) RADIUS provides for flexible user and device authentication and access authorization management

Answer: A

Questions & Answers from The Bryant Advantage

1-Question: In terms of their position in the flow of traffic, what’s the major difference between an
IPS and an IDS?
Answer: An IDS is not in the direct flow of network traffic. Instead, the traffic flows are mirrored to the IDS. When infected traffic does hit the network, the IDS will see this and take appropriate
action.
In contrast, the Intrusion Prevention System (IPS) does sit in the middle of the traffic flow – in this case, the IPS will actually be our Cisco router. When the IPS detects a problem, the IPS itself can prevent the traffic from entering the network

2-Question: What is SDEE, and what do we use it for?

Answer:

3-Question: What is the highest stratum level in the NTP hierarchy? Can a Cisco router serve at that level?
Answer: Stratum-0, and no. Typically that role is held by an atomic clock. Cisco routers are good,
but not atomic

4-Question: What benefit does “GRE over IPSec” offer than IPSec by itself does not?

Answer: By combining GRE and IPSec, each protocol helps to compensate for the other’s limitation:

IPSec adds data integrity and confidentiality that GRE does not offer

GRE offers the ability to carry routing protocol traffic, which IPSec does not offer

Why call it “GRE over IPSec” rather than “IPSec over GRE”? Because the GRE
encapsulation happens first, and then that encapsulation is encapsulated again, by IPSec.
In effect, we have a GRE tunnel inside an IPSec tunnel.

5-Question: You’re editing an ACL in SDM and notice some asterisks under source and
destination. What do those asterisks indicate?

Answer: In SDM, asterisks indicate the ACL keyword any.

6-Question: What is “3704 filtering”, and what does it have to do with network security?

Answer: RFC 3704 (an updated version of RFC 2827) recommends that packets from the following network ranges be prohibited from entering your network:

0.0.0.0 /8

10.0.0.0 /8 (RFC 1918 Class A private range)

127.0.0.0 /8 (loopback address range)

172.16.0.0 /12 (RFC 1918 Class B private range)

192.168.0.0 /16 (RFC 1918 Class C private range)

224.0.0.0 /4 (reserved for IP multicasts)

240.0.0.0 /4 (RFC 1918 Class E private range)

Blocking these address ranges for incoming traffic on your network’s perimeter routers is
sometimes called “2827 filtering” or “3704 filtering”, referring to the original and updated RFCs that discuss this topic in a great deal of detail.

7-Question: The following three timers sound a great deal alike, but they have very different functions. What purpose do each of these timers fill?

ip inspect finwait-time

ip inspect tcp synwait-time ip inspect tcp idle-time Answers:
ip inspect finwait-time defines the amount of time between one of the two endpoints of an established TCP session starts to end the connection and the time that entry is removed from the state table. Default is 5 seconds.

ip inspect tcp idle-time defines just what you think it would – the amount of time an idle TCP
connection is kept in the state table. Default is 3600 seconds.

ip inspect tcp synwait-time defines the time allowed for a TCP three-way handshake to reach the Established stage. Default is 30 seconds. If this timer expires, the connection is terminated and the entry removed from the router’s state table.

8-Question: In regards to the IOS Firewall set, what is generic inspection? What’s so “generic”
about it?

Answer; I’m not going to show you the entire IOS Help readout for the following command, but believe me – it’s a long, long list. On this particular router, I had over 150 options.

R1(config)#ip inspect name CCNP ?

802-11-iapp IEEE 802.11 WLANs WG IAPP
ace-svr ACE Server/Propagation appfw Application Firewall appleqtc Apple QuickTime
bgp Border Gateway Protocol biff Bliff mail notification
bootpc Bootstrap Protocol Client

If you want to inspect all TCP and/or UDP connections, you can specify TCP and/or UDP as the inspected protocol, rather than a more-specific entry. This is generic inspection and is configured by entering tcp or udp at that same point in the ip inspect command.

tcp Transmission Control Protocol

udp User Datagram Protocol

This will inspect any TCP and/or UDP protocol traffic, even if the specific application isn’t named in the inspection rule. Generic inspection is designed to allow return traffic for all TCP and/or UDP connections that are initiated on the inside network.

So why don’t we just configure all TCP and UDP traffic to be inspected generically and leave it at that?

Application-specific commands are not interpreted by generic inspection, and that means that the return packets may not be allowed to enter the inside network. If the return traffic is using a different port number than the original traffic, generic inspection may not allow that return traffic to enter the network.

9-Question: What exactly is fail closed? Is it enabled or disabled by default?
Answer: The following illustration from my CCNP ISCW and CCNA Security study guides explains
it! The default settings are shown – note that Fail Closed is off by default.

10-Question: You’re in SDM and want to perform a one-step router lockdown. Take a look at the following screen shot and tell me where you should click next.

Answer: Click the Security Audit button. You’ll see the following screen at that point – note the mention of one-step lockdown.

11-Question: When you’re configuring SDM, you have two options for the location of
SDF files. What are they?

Answer: You can specify a URL or Flash, as demonstrated by this screen shot from my picture

12-Question: What’s the difference between symmetric and asymmetric encryption?
Answer: Symmetric encryption is an algorithm where the key that is used for encryption is also
used for decryption. The drawback to symmetric encryption is that the key is used for two purposes, making it that much easier for an intruder to discover the key.

In contrast, asymmetric encryption involves two keys for both the sender and receiver. This public key encryption scheme involves a public and private key for each user. Before starting the actual encryption process, the public key should be certified by a third party called a Certificate Authority
(CA).

13-Question: What is the purpose of the 256MB.sdf file? What does the “256″ refer to?

Answer: This is one of three preconfigured Signature Definition Files. Cisco’s website recommends running the Intruder Prevention System (IPS) with the preconfigured files – attack-drop.sdf,
128MB.sdf, and 256MB.sdf. The “128MB” and “256MB” refer to the amount of memory necessary
to use these particular files.

14-Question: Which of the following does not use encryption? A. SSH
B. SSL

C. NTP v 3

D. Telnet

E. SMTP v 3

Answer: D. The other four all use encryption in some form.

15-Question: How can you configure SDM to preview the commands before delivering them to the router, and also give you a confirmation prompt when you leave SDM?
Answer: I personally check Preferences in SDM every time I use it, and I recommend you do the
same. Before proceeding to the Configuration section, go to the upper-left corner of the initial SDM
window and select Preferences, as shown here:

Then you can edit these three prefs to your heart’s delight! (The following illustration was trimmed to
fit Blogger.)

16-Question: What is the anomaly method?

Answer: “This is the IPS method of identifying malicious traffic where differences from normal traffic patterns are sought and detected.”

17-Question: What’s the purpose of the attack-drop.sdf file?
Answer: The attack-drop.sdf file is a Signature Definition File that contains the latest and greatest IPS signatures.

18-Question: There are three basic methods IPS uses to identify potentially malicious traffic. Name all three and give a brief definition of each.
Answer: Both the IPS and IDS can base their identification of dangerous and malicious
traffic on the following:

Policy, where a configured policy may ban particular IP addresses, ports, or even websites

Signature, where byte patterns are considered along with other values.

Anomaly, where differences from normal traffic patterns are sought and detected.

19-Question: In SDM, you might see a green square next to a signature. What does that symbol indicate?

Answer: The green square indicates the signature is at its default setting. Here are the two possibilities, as shown in this image from my CCNA Security Study Package. (Click the
image for a larger view.)

20-Question: You’re working in SDM to configure an Easy VPN Server. You’ll have three options
for authenticating your Easy VPN Clients. What are they?

Answer: The choices are Pre-shared key, Digital Certificates, and Both, as shown here in this screen shot from my CCNA Security Study Package. (Click the image for a larger view.)

1-Question:Define the term “DMZ” as it pertains to network security, and name three different common network devices that are typically found there.

Answer: It’s easy to think of your network as the “inside”, and everything else as “outside”. However, we’ve got a third area when it comes to firewalls – the DMZ.

From an IT standpoint, the DMZ is the part of our network that is exposed to outside networks. It’s common to find the following devices in a DMZ:

• FTP server
• Email server
• E-commerce server
• DNS servers
• Web servers

2-Question: Identify the true statements.

A. Stateless packet filtering considers the TCP connection state. B. Stateful packet filtering considers the TCP connection state.
C. Neither stateless nor stateful packet filtering monitor the TCP connection state.

D. Both stateless and stateful packet filtering monitor the TCP connection state, and keep a state table containing that information.

Answer: (B.) Stateful packet filtering does monitor the connection state, and that’s particularly important when it comes to preventing TCP attacks. A stateful firewall will not only monitor the state of the TCP connection, but also the sequence numbers. Stateful firewalls accomplish this by keeping a session table, or state table.

3-Question:Does the Cisco IOS Firewall feature set act as a stateful or stateless packet filter?

Answer:The Cisco IOS Firewall is a stateful filter.

4-Question: Which of the following are considered parts of the IOS Firewall feature set? A. IOS Firewall
B. Intrusion Prevention System

C. RADIUS

D. Authentication Proxy

E. Password Encryption

Source: www.thebryantadvantage.com/

CCNA Security Q&A ——-by Nar(Naresnet@gmail.com)

Answer:(A, B, D.) There are three major components to the IOS Firewall feature set – the IOS
Firewall, the Intrusion Prevention System (IPS), and the Authentication Proxy.

5-Question:Identify the true statements regarding the Authentication Proxy. A. It’s part of the IOS Firewall Feature Set.
B. It allows creation of per-user security profiles, rather than more general profiles.

C. It allows creation of general security profiles, but not per-user profiles. D. Profiles can be stored locally, but not remotely.
E. Profiles can be stored on a RADIUS server.

F. Profiles can be stored on a TACACS+ server.

Answer: (A, B, E, F. T he Authentication Proxy allows us to create security profiles that will be applied on a per-user basis, rather than a per-subnet or per-address basis. These profiles can be kept
on either of the following:

• RADIUS server
• TACACS+ server

Upon successful authentication, that particular user’s security policy is downloaded from the
RADIUS or TACACS+ server and applied by the IOS Firewall router.

6-Question:Configuring ACLs is an important part of working with the IOS Firewall. What wildcard masks are replaced in ACLs by the words host and any?

Answer: We have the option of using the word host to represent a wildcard mask of 0.0.0.0.
Consider a configuration where only packets from IP source 10.1.1.1 should be allowed and all other packets denied. The following ACLs both do that.

R3#conf t
R3(config)#access-list 6 permit 10.1.1.1 0.0.0.0
R3(config)#conf t
R3(config)#access-list 7 permit host 10.1.1.1

The keyword any can be used to represent a wildcard mask of 255.255.255.255. Both of the following lines permit all traffic.

R3(config)#access-list 15 permit any

R3(config)#access-list 15 permit 0.0.0.0 255.255.255.255

There’s no “right” or “wrong” decision to make when you’re configuring ACLs in the real world. For your exam, though, I’d be very familiar with the proper use of host and any.

Source: www.thebryantadvantage.com/

CCNA Security Q&A ——-by Nar(Naresnet@gmail.com)

7-Question:What does the dollar sign in the following ACL line indicate?

R1(config)#$ 150 deny ip 172.50.50.0 0.0.0.255 172.50.100.0 0.0.0.255

Answer: The dollar sign simply indicates that part of the command you’re entering or viewing can’t
be shown because the entry is so long. It does not mean the command is illegal.

8-Question:Basically, how does an IOS Firewall prevent a TCP SYN attack?

Answer: The IOS Firewall can use any or all of the following values to detect when a TCP SYN
attack is underway

Overall total of incomplete TCP sessions
Number of incomplete TCP sessions in a certain amount of time
Number of incomplete TCP sessions on a per-host basis

When any of these thresholds are reached, either of the following actions can be taken: Block all incoming SYN packets for a certain period of time
Transmit a RST to both parties in the oldest incomplete session

9-Question:What does the term “punch a hole in the firewall” refer to? (Logically, that is, not physically.)

Answer: That term simply refers to configuring the firewall to open a port that was previously closed. Don’t forget to close it when you no longer need it to be open!

10-Question:What exactly does the router-traffic option in the following configuration do?

R4(config)#ip inspect name PASSCCNASECURITY tcp router-traffic R4(config)#ip inspect name PASSCCNASECURITY udp router-traffic R4(config)#ip inspect name PASSCCNASECURITY icmp router-traffic

Answer: If you’re going to inspect traffic that is actually generated on the router, you need to include the router-traffic option at the end of that particular ip inspect statement

Questions On NTP, SSH, Telnet, And More

11-Question: We’ll start with a question you learned the answer to in your CCNA studies. When you have an enable secret and an enable password set, which takes precedence over the other?

A. The enable secret takes precedence.

B. The enable password takes precedence.

C. You cannot set both an enable secret and an enable password.

D. You can set them both, but since they must be set to the same value, there is no question of precedence.

Source: www.thebryantadvantage.com/

CCNA Security Q&A ——-by Nar(Naresnet@gmail.com)

Answer: A. The enable secret always takes precedence over the enable password

12-Question: What device and stratum level are found at the top of the NTP hierarchy? A. Atomic clocks, stratum 1
B. Atomic clocks, stratum 0

C. NTP Masters, stratum 1

D. NTP Masters, stratum 0

E. NTP Primary, stratum 0

F. NTP Primary, stratum 1

Answer: B. Atomic clocks are at the top of the NTP hierarchy, and that top level is Stratum 0. Cisco routers cannot get their time directly from a Stratum 0 device.

13-Question: What port does NTP use?

Answer: NTP uses UDP port 123. Remember that when you’re configuring your ACLs!

14-Question: What are the options for NTP authentication? A. MD5
B. Bellman-Ford

C. clear text

D. CHAP E. PAP
Answer: A. As IOS Help illustrates, the only option here is MD5. You still have to specify that option, though.

R1(config)#ntp authentication-key 1 ?
md5 MD5 authentication

15-Question: What command resulted in the following output?

R2#
Clock is synchronized, stratum 10, reference is 172.12.23.3
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**19
reference time is CBB9CEC8.17FBD1B8 (15:05:44.093 UTC Wed Apr 23
2008)

Source: www.thebryantadvantage.com/

CCNA Security Q&A ——-by Nar(Naresnet@gmail.com)

clock offset is -0.6214 msec, root delay is 37.20 msec
root dispersion is 5.04 msec, peer dispersion is 0.53 msec

Answer: That command output is the result of the show ntp status command

16-Question: What command will limit the overall number of NTP peers and clients that the local router can form an association with?

Answer: You can limit the overall number of NTP peers and clients with the ntp max-associations
command.

R3(config)#ntp max-associations ?
<0-4294967295> Number of associations

17-Question: What authentication option is available for Telnet that is not available with SSH?

Answer: You can use a line password for Telnet, but not for SSH. For SSH, you’ll need to use AAA
or a locally configured database

18-Question: What command resulted in the following output?

R1(config)#
The name for the keys will be: HQ.HQ.com
Choose the size of the key modulus in the range of 360 to 2048 for
your
General Purpose Keys. Choosing a key modulus greater than 512 may
take a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]

Answer: That output is the result of the crypto key generate rsa command.

19-Question: Name the two options for TCP Intercept mode and describe the major operational difference between the two.

Answer: TCP Intercept is generally run in intercept mode, allowing the router to intercept those
TCP SYN requests and answer them on behalf of the server.

If the SYN source is legitimate, a TCP ACK should be received by the router. If and when that happens, the router considers that three-way handshake to be complete and the SYN source to be legitimate.

In turn, the router opens a TCP connection to the server, and when that connection is complete, the router merges the two open connections into one.

This prevents any non-legitimate SYN packets from ever reaching the server. TCP Intercept can be configured to intercept all incoming SYN packets, or an ACL can be written to identify the source
and destination for packets that should be intercepted.

Source: www.thebryantadvantage.com/

CCNA Security Q&A ——-by Nar(Naresnet@gmail.com)

TCP Intercept can also be run in watch mode, a much more passive mode than intercept mode. In
watch mode, the router does not intercept the SYN packets, but passes them through to the TCP
server.

The router does watch this incomplete connection, and will close it if it’s not completed after a
certain period of time – by default, 30 seconds.Use the ip tcp intercept-mode command to configure the desired mode.

R1(config)#ip tcp intercept mode ? intercept Intercept connections watch Watch connections

R1(config)#ip tcp intercept mode intercept

20-Question: Name the two operational modes for Autosecure and describe the major difference between them.

Answer: The Autosecure modes:

Interactive, where the admin is prompted for input. This mode is similar to Setup Mode. If you’re going to configure anything requiring user interaction – SSH, enable passwords, etc. – you should use this mode.

Non-interactive, where Cisco’s recommended settings for Autosecure are put into action. Cisco’s recommended settings are very secure – maybe too secure for your network!

Network Attacks And Defenses Questions & Answers:

21-Question Which RFC refers to all of the following network address ranges, and how do these ranges relate to network security?

0.0.0.0 /8

10.0.0.0 /8

127.0.0.0 /8

172.16.0.0 /12

192.168.0.0 /16

224.0.0.0 /4

240.0.0.0 /4

Answer: RFC 3704 (an updated version of RFC 2827) recommends that packets sourced from those address ranges not be allowed to enter your network.

Source: www.thebryantadvantage.com/

CCNA Security Q&A ——-by Nar(Naresnet@gmail.com)

Blocking these address ranges for incoming traffic on your network’s perimeter routers is sometimes
called “2827 filtering” or “3704 filtering”, referring to the original and updated RFCs that discuss this topic in a great deal of detail.

22-Question Which of the following are considered reconnaissance attacks, and which are access attacks?

A. ping sweep

B. port scan

C. password attack D. trust exploitation E. DSL query
Answer: Recon attacks: ping sweeps, port scans, DSL queries. Access attacks: password attacks and trust exploitation
23-Question The term “port redirection” refers to which type of network attack mentioned in
Question 2?

Answer: Port redirections are a type of trust exploitation.

24-Question Which of the following statements referring to Superviews and Views are true?

A. IOS Commands can be contained in multiple views on the same router. B. A single view can be contained in more than one Superview.
C. Deleting a Superview results in all Views contained in that Superview to be deleted as well.

D. Logging into a Superview allows the user to execute all commands in all Views that are part of that Superview.

Answer: A, B, D. The only false statement is that deleting a Superview results in the deletion of all
of the Views it contain. Deleting a Superview does not result in the deletion of its Views.

25-Question Which of the following are disabled by default when you run Autosecure? A. PAD
B. UDP and TCP Small Servers

C. BootP D. CDP

Source: www.thebryantadvantage.com/

CCNA Security Q&A ——-by Nar(Naresnet@gmail.com)

E. NTP

Answer: A, B, C, D, E.

By default, the following will be globally disabled by AutoSecure:

Finger – recon attack possibility

PAD – known vulnerabilities

UDP and TCP Small Servers – attacker can request large number of UDP diagnostics

BootP – known vulnerabilitiest

HTTP services, Identification Service (queries TCP port), CDP, NTP and IP source routing are also disabled globally.

26-Question Which of the following are enabled by default when you run Autosecure on a Cisco router?

A. Password encryption service

B. TCP keepalives (inbound only) C. TCP keepalives (outbound only)
D. TCP keepalives (both inbound and outbound)

E. IP source routing

F. HTTP services

Answer: A, D. Both the password encryption service and TCP keepalives (inbound and outbound)
will be enabled by AutoSecure

27-Question Which of the following will be enabled by default when you run Autosecure?

A. logging timestamps and sequence numbers

B. logging console critical

C. logging buffered

D. logging trap disabled

Answer: A, B, C, D. All of those will be enabled by AutoSecure.

28-Question You’re configuring one-step lockdown via SDM. According to SDM, can you undo any
of the lockdown settings once you run the lockdown feature?

Source: www.thebryantadvantage.com/

CCNA Security Q&A ——-by Nar(Naresnet@gmail.com)

A. No, the lockdown is irreversible.

B. Yes, by running Security Audit Wizard and selecting “Undo Security Configurations”.

C. Yes, by running the Additional Tasks option. D. Yes, by choosing “Undo Lockdown”.
Answer: B, C. . You can change some or all of the lockdown settings by using the Undo Security
Configurations section of the Security Audit Wizard or by using Additional Tasks, as shown below
in this SDM Screen Shot from my CCNA Security Study Package.

29-Question You’re running Autosecure at the CLI and decide about halfway through the prompts that you’d like to stop without saving any of your Autosecure configuration. Can you do this, and if
so, how? (Unplugging the router is not acceptable.)

Answer: Our old friend ctrl-c will do the job, as shown in the prompts you’re shown after running the auto secure command. Note the disclaimer shown at the top of this output!

R1#auto secure

— AutoSecure Configuration —

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device. All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security and any possible side effects, please refer to Cisco.com for Autosecure documentation.

Source: www.thebryantadvantage.com/

CCNA Security Q&A ——-by Nar(Naresnet@gmail.com)

At any prompt you may enter ‘?’ for help.
Use ctrl-c to abort this session at any prompt.

30-Question As it relates to how they are spread, what is the major difference between a worm and a virus?

Answer: The terms virus and worm are often used interchangeably, but they’re not quite the same thing. A major difference between the two is that a worm can spread from its entry point to the rest
of your network without the “help” of a human being.

A common worm attack is carried out by the worm finding your email address book and then sending a copy of itself to every recipient in that book. The worm executes its code and then continues to send copies of itself.

A virus can’t be spread without an end user helping out, generally by forwarding an infected file or attachment.

Practice Questions for AAA essentials

31-Question: Which statement below best describes AAA?

a) AAA is an automobile club
b) AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner.
c) AAA is a means for authorizing asymmetric (network) access
d) AAA is gives users total access to the network

Answer: B

32-Question: AAA provides which of the following benefits?

a) increased flexibility and control b) Scalability
c) Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos
d) Multiple backup systems e) All of the above

Answer: E

33-Question: Which statement below best describes the AAA philosophy?

a) AAA only allows you to set up group definitions for user access b) AAA does not allow virtual profiles
c) AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-user or per-service basis.
d) AAA does not support IPS services

Source: www.thebryantadvantage.com/

CCNA Security Q&A ——-by Nar(Naresnet@gmail.com)

Answer: C

34-Question: Which three security protocols are used by AAA servers? (Choose three.)

a) RADIUS b) RADIUS+ c) TACACS d) TACACS+
e) Kerberos
f) ISAKMP

Answer: A, D, E

35-Question: Which statement below best describes the difference between RADIUS and
TACACS+?

a) RADIUS uses UDP while TACACS+ uses TCP b) RADIUS uses TCP while TACACS+ uses UDP c) RADIUS and TACACS+ both use TCP
d) RADIUS and TACACS+ both use UDP

Answer: A

36-Question: Which statement below best describes the difference between RADIUS and
TACACS+? (Choose Two.)

a) RADIUS encrypts only the password in the access-request packet, from the client to the server
b) TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header.
c) RADIUS and TACACS+ both encrypt the entire body of the packet
d) TACACS+ only encrypts the user password and challenge response and reply

Answer: A, B

37-Question: Which statement below is true?

a) RADIUS supports non IP protocols
b) TACACS+ does not support AppleTalk c) TACACS+ offers multiprotocol support d) RADIUS offers multiprotocol support

Answer: C

Using the online virtual CCSP Bootcamp or CCSP Braindumps at Pass4sure, no need to purchase anything else or attend expensive training, we promise that you can pass the CCSP certification exam at the first try , or else give you a FULL REFUND. In addition, Pass4sure offers free CCSP practise tests with real questions.
List of CCSP Certification Exams

pass4sure ccsp

Pass4sure 642-502 Securing Networks with Cisco Routers and Switches Exam(SNRS)
Pass4sure 642-522 Securing Networks with PIX and ASA Exam(SNPA)
Pass4sure 642-532 Securing Networks Using Intrusion Prevention Systems Exam (IPS)
Pass4sure 642-513 Securing Hosts Using Cisco Security Agent Exam (HIPS)
Pass4sure 642-551 Securing Cisco Network Devices Exam(SND)
Pass4sure 642-521 Cisco Secure PIX Firewall Advanced
Pass4sure 642-542 Cisco SAFE Implementation Exam
Pass4sure 642-552 Securing Cisco Networking Devices (SND)
Pass4sure 642-503 Securing Networks with Cisco Routers and Switches
Pass4sure 642-523 Securing Networks with PIX and ASA
Pass4sure 642-533 plementing Cisco Intrusion Prevention System (IPS)
pass4sure 642-524 Securing Networks with ASA Foundation
pass4sure 642-515 Networks with ASA Advanced
pass4sure 642-544 Implementing Cisco Security Monitoring, Analysis and Response System
pass4sure 642-591 Implementing Cisco NAC Appliance

640-721

More info:www.pass4sure.cc

Questions and Answers : 128 q&a
Updated: 2008-07-31
Market Price: $125.99
Member Price: $99.99

The leader among the providers of Cisco ccna security 640-553 preparatory materials is TestKing products such as Cisco ccna security 640-553 Braindumps, Cisco ccna security 640-553 Study Guides, Tutorial,Torrent, Cisco ccna security 640-553 Exam Questions with Answers, Cisco ccna security 640-553 Trainings, Cisco ccna security 640-553 Online Course and free PDF. It obtained its leadership and trust of the users from the very beginning of its work on the TestKing Cisco ccna security 640-553 training materials market. All the Cisco ccna security 640-553 braindumps aids have been created by people who are personally familiar with Cisco ccna security 640-553 exams and who know all the difficulties and popular mistakes made by those who take a Cisco ccna security 640-553 test. The entire material is logically composed in such a way that everything becomes easy to understand for anyone. Many Cisco ccna security 640-553 guides include audio and video material. It is really easy to acquire TestKing Cisco ccna security 640-553 exams becausy of great variety of methods of payment.

Recommended Training about Cisco ccna security 640-553 PDF vce
The following courses are the recommended training for Microsoft 70-450 exam
Cisco ccna security 640-553 Q & A with Explanations
Cisco ccna security 640-553 Audio Exam
Cisco ccna security 640-553 Study Guide
Cisco ccna security 640-553 Preparation Lab
Cisco ccna security 640-553 rapidshare 4shared books

http://rapidshare.com/files/140014382/www.ccna.cc_CCNA_Security_640-553.rar.html

Pass4sure ccna 640-553 v2.73

Testking 640-553

password:www.ccna.cc

IINS Implementing Cisco IOS Network Security

Test-kings.com exclusively offers online Training Resources for 640-553 IINS Implementing Cisco IOS Network Security Certification Exam. Our 640-553 Training Tools consist of 640-553 Study Guides, 640-553 Practice Questions and Answers. All of our 640-553 Certification Training Tools are dynamically updated, most accurate and economical.

You can choose from a variety of 640-553 Study Materials and 640-553 Training Tools for your 640-553 Certification Exam Preparation. Test king premium 640-553 Study Material is prepared by Industrious and 640-553 Certified Professionals who change our 640-553 Study Material with changing 640-553 Exam objectives from vendor.

You do not have to opt for low quality 640-553 Braindumps or cheap 640-553 Study Materials offered by others. Our 640-553 Training Tools are comprehensive enough to prepare you best for your coming 640-553 Certification Exam. Testking guarantees that after preparing from our 640-553 Questions and Answers, 640-553 Study Guides, 640-553 Practice Testing Software or other Training Tools, you will be easily able to succeed in your 640-553 Certification Exam.

Test-kings 640-553 online Training Tools offer you a definite competitive edge over others as you will be able to prepare for your 640-553 Certification Exam within no time and with more efficiency. Testking gives you all that you need to pass your 640-553 Certification Exam at affordable rates for a definite success. Choose Testking for all your certification needs.

All Testking Q&A are included in $89 package.
All Testking study guides are included free in $89 package.
All Testking audio exams are included free in $89 package.
Free updates for One year.
Over 1000 Testking Products – All in $89.
Detailed explanations of all the questions (if available).
Questions accompanied by exhibits.
Verified answers researched by industry experts.
Drag and drop questions as experienced in the actual exams.
All Testking questions are updated on regular basis.
All Testking products for only $89.
All Testking Exams are downloadable in Zip format.
No authorization code required to open exam.
Portable anywhere
100% success guaranteed by Testking.
Fast, helpful support 24*7

free down: testking 640-553

password:www.ccna.cc

2.Which statement is true when you have generated RSA keys on your Cisco router to
prepare for secure device management?
A. You must then zeroize the keys to reset secure shell before configuring other
parameters.
B. The SSH protocol is automatically enabled.
C. You must then specify the general-purpose key size used for authentication with
the crypto key generate rsa general-keys modulus command.
D. All vty ports are automatically enabled for SSH to provide secure management.
Answer: B
3.What does level 5 in the following enable secret global configuration mode
command indicate? router#enable secret level 5 password
A. The enable secret password is hashed using MD5.
B. The enable secret password is hashed using SHA.
C. The enable secret password is encrypted using Cisco proprietary level 5
encryption.
D. Set the enable secret command to privilege level 5.
E. The enable secret password is for accessing exec privilege level 5.
Answer: E
4.Which of these correctly matches the CLI command(s) to the equivalent SDM
wizard that performs similar configuration functions?
A. Cisco Common Classification Policy Language configuration commands and the
SDM Site-to-Site VPN wizard
B. auto secure exec command and the SDM One-Step Lockdown wizard
C. setup exec command and the SDM Security Audit wizard
D. class-maps, policy-maps, and service-policy configuration commands and the
SDM IPS wizard
E. aaa configuration commands and the SDM Basic Firewall wizard
Answer: B

5.What is the key difference between host-based and network-based intrusion
prevention?

A. Network-based IPS is better suited for inspection of SSL and TLS encrypted data
flows.
B. Network-based IPS provides better protection against OS kernel-level attacks
against hosts and servers.
C. Network-based IPS can provide protection to desktops and servers without the
need of installing specialized software on the end hosts and servers.
D. Host-based IPS can work in promiscuous mode or inline mode.
E. Host-based IPS is more scalable then network-based IPS.
F. Host-based IPS deployment requires less planning than network-based IPS.
Answer: C

Full Verion:Pass4sure Q&A-CCNA Security(640-553) 

Testking 640-553

http://rapidshare.com/files/140014382/www.ccna.cc_CCNA_Security_640-553.rar.html

password:www.ciscoexams.org