640-553

IINS Implementing Cisco IOS Network Security Exam: 640-553
Demo Edition

© 2007- 2008 Test Killer, LTD All Rights Reserved
http://www.testkiller.com http://www.troytec.com


QUESTION: 1
Which consideration is important when implementing Syslogging in your network?
A. Use SSH to access your Syslog information.
B. Enable the highest level of Syslogging available to ensure you log all possible event messages.
C. Log all messages to the system buffer so that they can be displayed when accessing the router.
D. Synchronize clocks on the network with a protocol such as Network Time Protocol.
Answer: D
Without synchronized clocks the timestamps from different devices cannot be correlated on the Syslog server; logging at level 7 (debugging) on every device floods the server rather than helping.

QUESTION: 2
Which statement is true when you have generated RSA keys on your Cisco router to prepare for secure device management?
A. You must then zeroize the keys to reset secure shell before configuring other parameters.
B. The SSH protocol is automatically enabled.
C. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command.
D. All vty ports are automatically enabled for SSH to provide secure management.
Answer: B
Generating the RSA key pair is what turns on the SSH server; restricting the vty lines to SSH only (transport input ssh) is a separate step.

QUESTION: 3
What does level 5 in the following enable secret global configuration mode command indicate?
router# enable secret level 5 password
A. The enable secret password is hashed using MD5.
B. The enable secret password is hashed using SHA.
C. The enable secret password is encrypted using Cisco proprietary level 5 encryption.
D. Set the enable secret command to privilege level 5.
E. The enable secret password is for accessing exec privilege level 5.
Answer: E
The level keyword selects which exec privilege level (1 to 15) the secret unlocks; the secret itself is stored as a salted MD5 hash (type 5) whatever level is chosen.

QUESTION: 4
Drop (drag-and-drop item; the exhibit and answer are not included in this demo extract)
Answer:

QUESTION: 5
Drop (drag-and-drop item; the exhibit and answer are not included in this demo extract)
Answer:

QUESTION: 6
Which of these correctly matches the CLI command(s) to the equivalent SDM wizard that performs similar configuration functions?
A. Cisco Common Classification Policy Language configuration commands and the SDM Site-to-Site VPN wizard
B. auto secure exec command and the SDM One-Step Lockdown wizard
C. setup exec command and the SDM Security Audit wizard
D. class-map, policy-map, and service-policy configuration commands and the SDM IPS wizard
E. AAA configuration commands and the SDM Basic Firewall wizard
Answer: B

QUESTION: 7
What is the key difference between host-based and network-based intrusion prevention?
A. Network-based IPS provides better protection against OS kernel-level attacks against hosts and servers.
B. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.
C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers.
D. Host-based IPS can work in promiscuous mode or inline mode.
E. Host-based IPS is more scalable than network-based IPS.
F. Host-based IPS deployment requires less planning than network-based IPS.
Answer: C

QUESTION: 8
Refer to the exhibit. (The exhibit, a single Syslog message, is not included in this demo extract.) You are a network manager for your organization. You are looking at your Syslog server reports. Based on the Syslog message shown, which two statements are true? (Choose two.)
A. Service timestamps have been globally enabled.
B. This is a normal system-generated information message and does not require further investigation.
C. This message is unimportant and can be ignored.
D. This message is a level 5 notification message.
Answer: A, D

QUESTION: 9
You suspect an attacker in your network has configured a rogue layer 2 device to intercept traffic from multiple VLANs, thereby allowing the attacker to capture potentially sensitive data. Which two methods will help to mitigate this type of activity? (Choose two.)
A. Turn off all trunk ports and manually configure each VLAN as required on each port
B. Disable DTP on ports that require trunking
C. Secure the native VLAN, VLAN 1, with encryption
D. Set the native VLAN on the trunk ports to an unused VLAN
E. Place unused active ports in an unused VLAN
Answer: B, D
Disabling DTP stops switch spoofing (an attacker negotiating a trunk with the switch), and moving the native VLAN off VLAN 1 to an unused VLAN defeats double-tagging.

QUESTION: 10
Which three statements about SSL-based VPNs are true? (Choose three.)
A. Asymmetric algorithms are used for authentication and key exchange.
B. SSL VPNs and IPsec VPNs cannot be configured concurrently on the same router.
C. The authentication process uses hashing technologies.
D. Symmetric algorithms are used for bulk encryption.
E. SSL VPNs require special-purpose client software to be installed on the client machine.
F. You can also use the application programming interface to extensively modify the SSL client software for use in special applications.
Answer: A, C, D

QUESTION: 11
When configuring AAA login authentication on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)
A. Group RADIUS
B. Group TACACS+
C. Local
D. Krb5
E. Enable
F. If-authenticated
Answer: C, E
The local and enable methods are consulted only when every method before them returns an error (server unreachable); an explicit reject from the server ends the login attempt without falling through.

QUESTION: 12
What is a result of securing the Cisco IOS image using the Cisco IOS image resilience feature?
A. The show version command will not show the Cisco IOS image file location.
B. The Cisco IOS image file will not be visible in the output from the show flash command.
C. When the router boots up, the Cisco IOS image will be loaded from a secured FTP location.
D. The running Cisco IOS image will be encrypted and then automatically backed up to the NVRAM.
E. The running Cisco IOS image will be encrypted and then automatically backed up to a TFTP server.
Answer: B
The secured image is hidden from dir and show flash; show secure bootset is the command that lists it.

QUESTION: 13
Which two protocols enable Cisco SDM to pull IPS alerts from a Cisco ISR router? (Choose two.)
A. Syslog
B. SDEE
C. FTP
D. TFTP
E. SSH
F. HTTPS
Answer: B, F

QUESTION: 14
What are three common examples of AAA implementation on Cisco routers? (Choose three.)
A. Authenticating remote users who are accessing the corporate LAN through IPsec VPN connections
B. Authenticating administrator access to the router console port, auxiliary port, and vty ports
C. Implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates
D. Tracking Cisco NetFlow accounting statistics
E. Securing the router by locking down all unused services
F. Performing router commands authorization using TACACS+
Answer: A, B, F

QUESTION: 15
Refer to the exhibit. (The show login output is not included in this demo extract.) Which statement is correct based on the show login command output shown?
A. When the router goes into quiet mode, any host is permitted to access the router via Telnet, SSH, and HTTP, since the quiet-mode access list has not been configured.
B. The login block-for command is configured to block login hosts for 93 seconds.
C. All logins from any sources are blocked for another 193 seconds.
D. Three or more login requests have failed within the last 100 seconds.
Answer: D

QUESTION: 16
Drop (drag-and-drop item; the exhibit and answer are not included in this demo extract)
Answer:
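Added example for QUESTION 1 and QUESTION 8 (Python, written for this page; it is not part of the TestKiller dump and not Cisco code). It parses the IOS syslog line layout, an optional sequence number, an optional timestamp from service timestamps, then the %FACILITY-SEVERITY-MNEMONIC header, and applies the logging trap threshold. The four sample lines are constructed; a leading "*" or "." on the timestamp is the IOS marker for a clock that is not authoritative, which is the practical reason behind the NTP answer in QUESTION 1.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The eight IOS severity levels; 0 is the most urgent, 7 the least.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Layout of an IOS syslog line: optional sequence number ("service
# sequence-numbers"), optional timestamp ("service timestamps log datetime
# [msec] [localtime] [show-timezone] [year]"), then the message header.
_LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+\d{2}:\d{2}:\d{2}"
    r"(?:\.\d{3})?(?:\s+[A-Z]{3,4})?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)

# Constructed sample lines (not from the exam exhibit).
SAMPLE_LINES = [
    "Feb  1 10:12:08.514 PST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)",
    "*Mar  1 00:00:07.243: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4321) -> 198.51.100.5(23), 1 packet",
    "000042: Feb  1 10:12:09 PST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 10.2.2.6] [localport: 22] [Reason: Login Authentication Failed]",
]


@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    timestamp: Optional[str]   # None when service timestamps is not enabled
    sequence: Optional[int]
    clock_unsynced: bool       # timestamp prefixed with "*" or "." (clock not authoritative)

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> SyslogMessage:
    """Split one IOS syslog line into its fields; raises on non-IOS input."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Cisco IOS syslog line: {line!r}")
    ts = m.group("ts")
    return SyslogMessage(
        facility=m.group("facility"),
        severity=int(m.group("severity")),
        mnemonic=m.group("mnemonic"),
        text=m.group("text"),
        timestamp=ts,
        sequence=int(m.group("seq")) if m.group("seq") else None,
        clock_unsynced=ts is not None and ts[0] in "*.",
    )


def forward_to_server(msg: SyslogMessage, trap_level: int) -> bool:
    """Mimic 'logging trap <level>': a message reaches the syslog server only
    when its severity is at or below (more urgent than) the configured level."""
    return msg.severity <= trap_level


def triage(lines, trap_level=6):
    """Summarize each line: what it is, whether it carries a usable timestamp,
    and whether a trap level of trap_level would have exported it."""
    out = []
    for line in lines:
        msg = parse_line(line)
        out.append({
            "header": f"%{msg.facility}-{msg.severity}-{msg.mnemonic}",
            "level": msg.severity_name,
            "has_timestamp": msg.timestamp is not None,
            "clock_unsynced": msg.clock_unsynced,
            "forwarded": forward_to_server(msg, trap_level),
        })
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```

The third sample line has no timestamp at all, which on a real device means service timestamps was never enabled; the second carries a "*" because the router's clock is still at its default, so even a timestamped event cannot be correlated with other devices until NTP is configured.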
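Added example for QUESTION 11 (Python, written for this page; not part of the exam dump and not Cisco code). It models how an IOS login method list such as group tacacs+ local or group tacacs+ enable is evaluated: methods are tried in order, the next method is consulted only when the current one returns an error (server unreachable), and an explicit reject ends the attempt. The server states, usernames and passwords in run_scenarios are constructed; the local database stores salted PBKDF2 hashes only so that the example does not keep plaintext secrets.

```python
import hashlib
import hmac
import os
from enum import Enum


class Result(Enum):
    PASS = "pass"      # credentials accepted
    FAIL = "fail"      # authoritative reject: the attempt ends here
    ERROR = "error"    # method unusable (server unreachable): try the next method


class TacacsGroup:
    """Stands in for 'group tacacs+'. 'reachable' is a constructed server state."""

    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class LocalDatabase:
    """Stands in for 'local': the router's own username/secret entries."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._digest(password, salt))

    def authenticate(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return Result.FAIL
        salt, stored = rec
        ok = hmac.compare_digest(self._digest(password, salt), stored)
        return Result.PASS if ok else Result.FAIL


class EnableSecret:
    """Stands in for 'enable': any username, the enable secret as the password."""

    def __init__(self, secret):
        self._secret = secret.encode()

    def authenticate(self, user, password):
        ok = hmac.compare_digest(password.encode(), self._secret)
        return Result.PASS if ok else Result.FAIL


def aaa_login(method_list, user, password):
    """Evaluate an ordered list of (name, method) the way 'aaa authentication
    login' does. Returns (decision, name of the deciding method); (ERROR, None)
    means every method errored, which IOS treats as a denied login."""
    for name, method in method_list:
        result = method.authenticate(user, password)
        if result is Result.ERROR:
            continue            # fall through only on error
        return result, name     # PASS or FAIL is final
    return Result.ERROR, None


def run_scenarios():
    """Constructed scenarios with the TACACS+ server up and down."""
    up = TacacsGroup({"admin": "tac-pass"}, reachable=True)
    down = TacacsGroup({"admin": "tac-pass"}, reachable=False)
    local = LocalDatabase()
    local.add_user("admin", "local-pass")
    enable = EnableSecret("enable-pass")
    return {
        "server_down_local_answers":
            aaa_login([("group tacacs+", down), ("local", local)], "admin", "local-pass"),
        "server_up_reject_is_final":
            aaa_login([("group tacacs+", up), ("local", local)], "admin", "local-pass"),
        "server_up_accepts":
            aaa_login([("group tacacs+", up), ("local", local)], "admin", "tac-pass"),
        "server_down_enable_answers":
            aaa_login([("group tacacs+", down), ("enable", enable)], "operator", "enable-pass"),
        "all_methods_error":
            aaa_login([("group tacacs+", down)], "admin", "local-pass"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The server_up_reject_is_final case is the one administrators trip over: a local password that differs from the TACACS+ one does not help while the server is reachable, because the server's reject is final and the local method is never reached.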
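Added example for QUESTION 15 (Python, written for this page; not part of the exam dump and not Cisco code). It models the behaviour configured with login block-for <seconds> attempts <tries> within <seconds> and the optional login quiet-mode access-class: once the configured number of failed logins occurs inside the watch window the router enters quiet mode for the block-for period, and during quiet mode it refuses new login sessions from every source unless the quiet-mode access list permits that source. The timeline, addresses and the 10.2.2.0/24 exception network in scenario are constructed.

```python
from ipaddress import ip_address, ip_network


class LoginGuard:
    """Models 'login block-for <block_for> attempts <attempts> within <within>'
    plus an optional quiet-mode access list of permitted networks."""

    def __init__(self, block_for, attempts, within, quiet_acl=None):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.quiet_acl = [ip_network(n) for n in quiet_acl] if quiet_acl else None
        self.failures = []       # times of failures inside the current watch window
        self.quiet_until = None  # absolute time at which quiet mode ends

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def quiet_seconds_remaining(self, now):
        if not self.in_quiet_mode(now):
            return 0
        return self.quiet_until - now

    def allow_connection(self, src, now):
        """May a new login session from src be opened at time now?"""
        if not self.in_quiet_mode(now):
            return True
        if self.quiet_acl is None:
            return False                      # no ACL configured: deny every source
        addr = ip_address(src)
        return any(addr in net for net in self.quiet_acl)

    def record_failure(self, now):
        """Register a failed login; returns True if this one triggered quiet mode."""
        self.failures = [t for t in self.failures if now - t <= self.within]
        self.failures.append(now)
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures = []
            return True
        return False

    def status(self, now):
        """Simplified state summary (not the literal 'show login' output)."""
        return {
            "quiet_mode": self.in_quiet_mode(now),
            "seconds_remaining": self.quiet_seconds_remaining(now),
            "denying": "sources outside the ACL" if self.quiet_acl else "all sources",
            "recent_failures": len([t for t in self.failures if now - t <= self.within]),
        }


def scenario(quiet_acl=None):
    """Constructed timeline: three failures at t=0, 10 and 20 seconds against a
    router configured with block-for 100 attempts 3 within 100."""
    guard = LoginGuard(block_for=100, attempts=3, within=100, quiet_acl=quiet_acl)
    triggered = [guard.record_failure(t) for t in (0, 10, 20)]
    return {
        "triggered": triggered,
        "remaining_at_27": guard.quiet_seconds_remaining(27),
        "attacker_at_27": guard.allow_connection("192.0.2.9", 27),
        "admin_at_27": guard.allow_connection("10.2.2.6", 27),
        "anyone_at_120": guard.allow_connection("192.0.2.9", 120),
        "status_at_27": guard.status(27),
    }


if __name__ == "__main__":
    print(scenario())
    print(scenario(quiet_acl=["10.2.2.0/24"]))
```

Without the access list the administrator is locked out together with the attacker for the whole block-for period, which is why the quiet-mode access class is normally configured alongside login block-for.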

QUESTION: 17
Which two statements about configuring the Cisco ACS server to perform router command authorization are true? (Choose two.)
A. In the ACS User Group setup screen, use the Shell Command Authorization Set options to configure which commands and command arguments to permit or deny.
B. From the ACS Interface Configuration screen, select RADIUS (Cisco IOS/PIX 6.0), and then enable the Shell (exec) option on the RADIUS Services screen.
C. When adding the router as an AAA client on the Cisco ACS server, choose the TACACS+ (Cisco IOS) protocol.
D. Configure the Cisco ACS server to forward authentication of users to an external user database, like Windows Database.
Answer: A, C

QUESTION: 18
Which four methods are used by hackers? (Choose four.)
A. Footprint analysis attack
B. Privilege escalation attack
C. Buffer Unicode attack
D. Front door attacks
E. Social engineering attack
F. Trojan horse attack
Answer: A, B, E, F

QUESTION: 19
When port security is enabled on a Cisco Catalyst switch, what is the default action when the configured maximum of allowed MAC addresses value is exceeded?
A. The port is shut down.
B. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out.
C. The port's violation mode is set to restrict.
D. The MAC address table is cleared and the new MAC address is entered into the table.
Answer: A
In the default shutdown violation mode the port goes err-disabled and passes no traffic at all until it is recovered (shutdown followed by no shutdown, or errdisable recovery cause psecure-violation).

QUESTION: 20
Which statement about Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later is true?
A. Uses Cisco IPS 5.x signature format
B. Requires the Basic or Advanced Signature Definition File
C. Supports both inline and promiscuous mode
D. Requires IEV for monitoring Cisco IPS alerts
E. Uses the built-in signatures that come with the Cisco IOS image as backup
F. Supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts
Answer: A
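Added example for QUESTION 19 (Python, written for this page; not part of the exam dump and not Cisco code). It models one access port with switchport port-security and replays the same constructed frame sequence (legitimate host, a second MAC beyond the maximum, legitimate host again) against the three violation modes, so the consequence of the default shutdown mode is visible: the legitimate host loses service too, because the whole port goes err-disabled. The MAC addresses and the notification text are constructed.

```python
class PortSecurity:
    """Models 'switchport port-security' on one access port. Frames are
    identified by source MAC only; everything else about the frame is ignored."""

    VIOLATION_MODES = ("protect", "restrict", "shutdown")

    def __init__(self, maximum=1, violation="shutdown"):
        if violation not in self.VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.maximum = maximum          # 'switchport port-security maximum'
        self.violation = violation      # default is shutdown, as on the switch
        self.secure_macs = set()        # dynamically learned secure addresses
        self.err_disabled = False
        self.violation_count = 0
        self.notifications = []         # syslog/SNMP trap events emitted

    def receive_frame(self, src_mac):
        """Return 'forwarded' or 'dropped' for an ingress frame from src_mac."""
        if self.err_disabled:
            return "dropped"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)   # learn while under the maximum
            return "forwarded"
        # A new address beyond the maximum: this is a violation.
        if self.violation == "protect":
            return "dropped"                # silent: no counter, no notification
        self.violation_count += 1
        self.notifications.append(f"port-security violation caused by {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True        # port goes err-disabled, all traffic stops
        return "dropped"

    def errdisable_recover(self):
        """shutdown / no shutdown (or errdisable recovery) brings the port back
        and clears the dynamically learned addresses with it."""
        self.err_disabled = False
        self.secure_macs.clear()


def compare_modes():
    """Constructed traffic: the legitimate host, then a second MAC, then the
    legitimate host again, replayed against each violation mode."""
    legit, rogue = "0011.2233.4455", "66aa.bbcc.ddee"
    outcome = {}
    for mode in PortSecurity.VIOLATION_MODES:
        port = PortSecurity(maximum=1, violation=mode)
        frames = [port.receive_frame(m) for m in (legit, rogue, legit)]
        outcome[mode] = {
            "frames": frames,
            "err_disabled": port.err_disabled,
            "violations": port.violation_count,
            "notified": len(port.notifications),
        }
    return outcome


if __name__ == "__main__":
    for mode, result in compare_modes().items():
        print(mode, result)
```

Restrict is usually the operationally preferable mode on user ports: the offending address is dropped and counted, a notification is raised, and the legitimate host keeps working, whereas shutdown turns a rogue device into a denial of service for the port's real user until someone recovers it.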
