Cisco CCN A S e cu r it y P r a ct ice E x a m

Q u e st ion s

Implementing Cisco IOS Network Security (IINS) v1.0

Th e follow ing Cisco CCNA S ecurity practice ex am q uestions are based on th e course I m p l e m e n t i n g C i s c o
I O S N e t w o r k S e c u r i t y ( I I N S ) v 1 . 0 . Th e answ er k ey is on th e last pag e of th is d ocum ent.

1. W h at is th e g oal of an ov erall security ch alleng e w h en planning a security strateg y ?

A )
B )
C)
D )

to h ard en all ex terior-facing netw ork com ponents

to install firew alls at all critical points in th e netw ork
to find a balance betw een th e need to open netw ork s to support ev olv ing business req uirem ents
and th e need to inform
to ed ucate em ploy ees to be on th e look out for suspicious beh av ior

2. W h ich th reats are th e m ost serious?

A )
B )
C)
D )

insid e th reats
outsid e th reats
unk now n th reats
reconnaissance th reats

3. Netw ork security aim s to prov id e w h ich th ree k ey serv ices? ( Ch oose th ree.)
A )
B )
C)
D )
E )
F )

d ata integ rity

d ata strateg y
d ata and sy stem av ailability
d ata m ining
d ata storag e
d ata confid entiality

4. W h ich option is th e term

A )
B )
C)
D )

for a w eak ness in a sy stem

or its d esig n th at can be ex ploited by a th reat?

a v ulnerability
a risk
an ex ploit
an attack

C is c o C C N A S e c u r it y P r a c t ic e E x a m

Q u e s tio n s

20 0 9 C i s c o S y s t e m s , I n c .

5. W h ich option is th e term for th e lik elih ood th at a particular th reat using a specific attack w ill ex ploit a
particular v ulnerability of a sy stem th at results in an und esirable conseq uence?
A )
B )
C)
D )

a v ulnerability
a risk
an ex ploit
an attack

6. W h ich option is th e term for w h at h appens w h en com puter cod e is d ev eloped to tak e ad v antag e of a
v ulnerability ? F or ex am ple, suppose th at a v ulnerability ex ists in a piece of softw are, but nobod y k now s
about th is v ulnerability .
A )
B )
C)
D )

a v ulnerability
a risk
an ex ploit
an attack

7. W h at is th e first step y ou sh ould tak e w h en consid ering securing y our netw ork ?
A )
B )
C)
D )

I nstall a firew all.

I nstall an intrusion prev ention sy stem .
U pd ate serv ers and user PCs w ith th e latest patch es.
D ev elop a security policy .

8. W h ich option is a k ey principle of th e Cisco S elf-D efend ing Netw ork strateg y ?
A )
B )
C)
D )

S ecurity is static and sh ould prev ent m ost k now n attack s on th e netw ork .
Th e self-d efend ing netw ork sh ould be th e k ey point of y our security policy .
I nteg rate security th roug h out th e ex isting infrastructure.
U pper m anag em ent is ultim ately responsible for policy im plem entation.

9. W h ich th ree options are areas of router security ? ( Ch oose th ree.)

A )
B )
C)
D )
E )
F )

ph y sical security
access control list security
zone-based firew all security
operating sy stem security
router h ard ening
Cisco I O S -I PS security

C is c o C C N A S e c u r it y P r a c t ic e E x a m

Q u e s tio n s

20 0 9 C i s c o S y s t e m s , I n c .

10 . Y ou h av e sev eral operating g roups in y our enterprise th at req uire d iffering access restrictions to th e
routers to perform th eir j ob roles. Th ese g roups rang e from H elp D esk personnel to ad v anced
troublesh ooters. W h at is one m eth od olog y for controlling access rig h ts to th e routers in th ese situations?
A )
B )
C)
D )

config ure A CL s to control access for th e d ifferent g roups

config ure m ultiple priv ileg e lev el access
im plem ent sy slog g ing to m onitor th e activ ities of th e g roups
config ure TA CA CS + to perform scalable auth entication

11. W h ich of th ese options is a G U I tool for perform ing security config urations on Cisco routers?
A )
B )
C)
D )

S ecurity A ppliance D ev ice M anag er

Cisco CL I Config uration M anag em ent Tool
Cisco S ecurity D ev ice M anag er
Cisco S ecurity M anag er

12. W h en im plem enting netw ork security , w h at is an im portant config uration task th at y ou sh ould perform
to assist in correlating netw ork and security ev ents?
A )
B )
C)
D )

Config
Config
Config
Config

ure Netw ork Tim e Protocol.

ure sy nch ronized sy slog reporting .
ure a com m on repository of all netw ork ev ents for ease of m onitoring .
ure an autom ated netw ork m onitoring sy stem for ev ent correlation.

13. W h ich of th ese options is a Cisco I O S feature th at lets y ou m ore easily config ure security features on
y our router?
A )
B )
C)
D )

Cisco S
im plem
th e a u t
perform

elf-D efend ing Netw ork

enting A A A com m and auth orization
o s e c u r e CL I com m and
ing a security aud it v ia S D M

14. W h ich th ree of th ese options are som e of th e best practices w h en y ou im plem ent an effectiv e firew all
security policy ? ( Ch oose th ree.)
A )
B )
C)
D )
E )

Position firew alls at strateg ic insid e locations to h elp m itig ate insid e nontech nical attack s.
Config ure log g ing to capture all ev ents for forensic purposes.
U se firew alls as a prim ary security d efense; oth er security m easures and d ev ices sh ould be
im plem ented to enh ance y our netw ork security .
Position firew alls at k ey security bound aries.
D eny all traffic by d efault and perm it only necessary serv ices.

C is c o C C N A S e c u r it y P r a c t ic e E x a m

Q u e s tio n s

20 0 9 C i s c o S y s t e m s , I n c .

15. W h ich statem ent is true w h en config uring access control lists ( A CL s) on a Cisco router?
A )
B )
C)
D )

A CL s filter all traffic th roug h and sourced from th e router.

A pply th e A CL to th e interface prior to config uring access control entries to ensure th at controls are
applied im m ed iately upon config uration.
A n im plicit d eny is applied to th e start of th e A CL entry by d efault.
O nly one A CL per protocol, per d irection, and per interface is allow ed .

16. W h ich option correctly d efines asy m m etric encry ption?

A )
B )
C)
D )

uses th e sam e k ey s to encry pt and d ecry pt d ata

uses M D 5 h ash ing alg orith m s for d ig ital sig nag e encry ption
uses d ifferent k ey s to encry pt and d ecry pt d ata
uses S H A -1 h ash ing alg orith m s for d ig ital sig nag e encry ption

17. W h ich option is a d esirable feature of using sy m m etric encry ption alg orith m s?
A )
B )
C)
D )

Th
Th
Th
Th

ey
ey
ey
ey

are often used for w ire-speed encry ption in d ata netw ork s.
are based on com plex m ath em atical operations and can easily be accelerated by h ard w are.
offer sim ple k ey m anag em ent properties.
are best used for one-tim e encry ption need s.

18. W h ich option is true of using cry ptog raph ic h ash es?
A )
B )
C)
D )

Th
Th
Th
Th

ey
ey
ey
ey

are easily rev ersed to d eciph er th e m essag e contex t.

conv ert arbitrary d ata into a fix ed -leng th d ig est.
are based on a tw o-w ay m ath em atical function.
are used for encry pting bulk d ata com m unications.

19. W h ich option is true of intrusion prev ention sy stem s?

A )
B )
C)
D )

Th
Th
Th
Th

ey
ey
ey
ey

operate in prom iscuous m od e.

operate in inline m od e.
h av e no potential im pact on th e d ata seg m ent being m onitored .
are m ore v ulnerable to ev asion tech niq ues th an I D S .

20 . W h ich statem ent is true w h en using zone-based firew alls on a Cisco router?
A )
B )
C)
D )

Policies are applied to traffic m ov ing betw een zones, not betw een interfaces.
Th e firew alls can be config ured sim ultaneously on th e sam e interface as classic CB A C using th e i p
i n s p e c t CL I com m and .
I nterface A CL s are applied before zone-based policy firew alls w h en th ey are applied outbound .
W h en config ured w ith th e PA S S action, stateful inspection is applied to all traffic passing betw een
th e config ured zones.

C is c o C C N A S e c u r it y P r a c t ic e E x a m

Q u e s tio n s

20 0 9 C i s c o S y s t e m s , I n c .

C C N A S e c u r ity P r a c tic e Q u e s tio n s A n s w e r K e y

1. C
2. A
3. A , C, F
4. A
5. B
6. C
7. D
8. C
9. A , D , E
10 . B
11. C
12. A
13. C
14. C, D , E
15. D
16. C
17. A
18. B
19. B
20 . A

C is c o C C N A S e c u r it y P r a c t ic e E x a m

Q u e s tio n s

20 0 9 C i s c o S y s t e m s , I n c .