
350-018 Passing Guarantee Exam

Author: Monika Bergmann
Posted: Oct 15, 2016

Question: 1

Which statement is valid regarding SGACL?

A. SGACL mapping and policies can only be manually configured.

B. Dynamically downloaded SGACL does not override manually configured conflicting policies.

C. SGACL is access-list bound with a range of SGTs and DGTs.

D. SGACL is not a role-based access list.

Answer: C

Explanation:

A role-based access control list bound to a range of SGTs and DGTs forms an SGACL.

Reference:

http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sgacl_config.html

Question: 2

Of which IPS application is Event Store a component?

A. InterfaceApp

B. AuthenticationApp

C. SensorApp

D. NotificationApp

E. MainApp

Answer: E

Explanation:

Cisco IPS software includes the following applications:

  • MainApp—Initializes the system, starts and stops the other applications, configures the OS, and performs upgrades. It contains the following components:
      • ctlTransSource (Control Transaction server)—Allows sensors to send control transactions. This is used to enable the master blocking sensor capability of Attack Response Controller (formerly known as Network Access Controller).
      • Event Store—An indexed store used to store IPS events (error, status, and alert system messages) that is accessible through the CLI, IDM, IME, ASDM, or SDEE.

Reference:

http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/cli_system_architecture.html#wp1009053

Question: 3

Refer to the exhibit.

Which two statements about this debug output are true? (Choose two.)

A. The request is from NHC to NHS.

B. The request is from NHS to NNC.

C. 192.168.10.2 is the remote NBMA address.

D. 192.168.10.1 is the local VPN address.

E. 69.1.1.2 is the local non-routable address.

F. This debug output represents a failed NHRP request.

Answer: A, D

Question: 4

Which statement describes RA?

A. The RA is not responsible for verifying users' requests for digital certificates.

B. The RA is part of private key infrastructure.

C. The RA has the power to accept registration requests and to issue certificates.

D. The RA only forwards the requests to the CA to issue certificates.

Answer: D

Question: 5

Refer to the exhibit.

Against which type of attack does the given configuration protect?

A. pharming

B. a botnet attack

C. phishing

D. DNS hijacking

E. DNS cache poisoning

Answer: B

Reference:

https://supportforums.cisco.com/document/33011/asa-botnet-configuration

Question: 6

DRAG DROP

Drag and drop the description on the left onto the associated items on the right.

Answer:

Collection of similar programs that work together to execute specific tasks – botnet

Independent malicious program copies itself from one host to another host over a network and carries other programs – Viruses

Programs that appear to have one function but actually perform a different function – Trojan horse

Programs that modify other programs and that attach themselves to other programs on execution – Worms

Reference:

http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html

Question: 7

Refer to the exhibit.

Which option describes the behavior of this configuration?

A. The switch initiates the authentication.

B. The client initiates the authentication.

C. The device performs subsequent IEEE 802.1X authentication if it passed MAB authentication. If the device fails IEEE 802.1X, it will start MAB again.

D. Devices that perform IEEE 802.1X should be in the MAC address database for successful authentication.

E. IEEE 802.1X devices must first authenticate via MAB to perform subsequent IEEE 802.1X authentication. If 802.1X fails, the device is assigned to the default guest VLAN.

Answer: C

Reference:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html

Question: 8

Which two statements about the RC4 algorithm are true? (Choose two.)

A. The RC4 algorithm is an asymmetric key algorithm.

B. In the RC4 algorithm, the 40-bit key represents four characters of ASCII code.

C. The RC4 algorithm is faster in computation than DES.

D. The RC4 algorithm uses variable-length keys.

E. The RC4 algorithm cannot be used with wireless encryption protocols.

Answer: C, D

Question: 9

Refer to the exhibit.

After setting the replay window size on your Cisco router, you received the given system message. What is the reason for the message?

A. The replay window size is set too low for the number of packets received.

B. The IPSec anti-replay feature is enabled, but the window size feature is disabled.

C. The IPSec anti-replay feature is disabled.

D. The replay window size is set too high for the number of packets received.

Answer: A

Explanation:

If your replay window size has not been set to a number that is high enough for the number of packets received, you will receive a system message such as the following:

*Nov 17 19:27:32.279: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1

The above message is generated when a received packet is judged to be outside the anti-replay window.

Reference:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/12-4t/sec-ipsec-data-plane-12-4t-book/sec-ipsec-antireplay.html

Question: 10

Which two statements about IPv6 path MTU discovery are true? (Choose two.)

A. If the destination host receives an ICMPv6 Packet Too Big message from a router, it reduces its path MTU.

B. It can allow fragmentation when the minimum MTU is below a configured value.

C. The discovery packets are dropped if there is congestion on the link.

D. If the source host receives an ICMPv6 Packet Too Big message from a router, it reduces its path MTU.

E. During the discovery process, the DF bit is set to 1.

F. The initial path MTU is the same as the MTU of the original node’s link layer interface.

Answer: D, F

Explanation:

IPv6 routers do not support fragmentation or the Don't Fragment option. For IPv6, Path MTU Discovery works by initially assuming the path MTU is the same as the MTU on the link layer interface where the traffic originates. Then, similar to IPv4, any device along the path whose MTU is smaller than the packet will drop the packet and send back an ICMPv6 Packet Too Big (Type 2) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation.

Reference:

https://en.wikipedia.org/wiki/Path_MTU_Discovery

Question: 11

An RSA key pair consists of a public key and a private key and is used to set up PKI. Which statement applies to RSA and PKI?

A. The public key must be included in the certificate enrollment request.

B. The RSA key-pair is a symmetric cryptography.

C. It is possible to determine the RSA key-pair private key from its corresponding public key.

D. When a router that does not have an RSA key pair requests a certificate, the certificate request is sent, but a warning is shown to generate the RSA key pair before a CA signed certificate is received.

Answer: A

Explanation:

An RSA key pair consists of a public key and a private key. When setting up your PKI, you must include the public key in the certificate enrollment request. After the certificate has been granted, the public key will be included in the certificate so that peers can use it to encrypt data that is sent to the router. The private key is kept on the router and used both to decrypt the data sent by peers and to digitally sign transactions when negotiating with peers.

Reference:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-pki-overview.html

Question: 12

For what reason has the IPv6 Type 0 Routing Header been recommended for deprecation?

A. When Type 0 traffic is blocked by a firewall policy, all other traffic with routing headers is dropped automatically.

B. It can conflict with ingress filtering.

C. It can create a black hole when used in combination with other routing headers.

D. Attackers can exploit its functionality to generate DoS attacks.

Answer: D

Explanation:

The functionality provided by IPv6's Type 0 Routing Header can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic. This document updates the IPv6 specification to deprecate the use of IPv6 Type 0 Routing Headers, in light of this security concern.

Reference:

https://tools.ietf.org/html/rfc5095

Question: 13

Refer to the exhibit.

Which option is the reason for the failure of the DMVPN session between R1 and R2?

A. incorrect tunnel source interface on R1

B. IPsec phase-1 policy mismatch

C. tunnel mode mismatch

D. IPsec phase-2 policy mismatch

E. IPsec phase-1 configuration missing peer address on R2

Answer: B

Question: 14

For which reason would an RSA key pair need to be removed?

A. The CA is under DoS attack

B. The CA has suffered a power outage

C. The existing CA is replaced, and the new CA requires newly generated keys

D. PKI architecture would never allow the RSA key pair removal

Answer: C

Explanation:

An RSA key pair may need to be removed for one of the following reasons:

  • During manual PKI operations and maintenance, old RSA keys can be removed and replaced with new keys.
  • An existing CA is replaced and the new CA requires newly generated keys; for example, the required key size might have changed in an organization so you would have to delete the old 1024-bit keys and generate new 2048-bit keys.
  • The peer router's public keys can be deleted in order to help debug signature verification problems in IKEv1 and IKEv2. Keys are cached by default with the lifetime of the certificate revocation list (CRL) associated with the trustpoint.

Reference:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-deploy-rsa-pki.html

Question: 15

Which encapsulation technique does VXLAN use?

A. MAC in TCP

B. MAC in MAC

C. MAC in UDP

D. MAC in GRE

Answer: C

Explanation:

VXLAN is a MAC in IP/UDP (MAC-in-UDP) encapsulation technique with a 24-bit segment identifier in the form of a VXLAN ID.

Reference:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nx-os/vxlan/configuration/guide/b_NX-OS_VXLAN_Configuration_Guide/overview.pdf

Question: 16

What are two limitations of the Atomic IP Advanced Engine? (Choose two.)

A. It has limited ability to check the fragmentation header.

B. It is unable to fire high-severity alerts for known vulnerabilities.

C. It is unable to detect IP address anomalies, including IP spoofing

D. It is unable to inspect a packet’s length fields for bad information.

E. It is unable to detect Layer 4 attacks if the packets were fragmented by IPv6.

Answer: A, E

Explanation:

The Atomic IP Advanced engine contains the following restrictions:

  • Cannot detect the Layer 4 field of the packets if the packets are fragmented so that the Layer 4 identifier does not appear in the first packet.
  • Cannot detect Layer 4 attacks in flows with packets that are fragmented by IPv6 because there is no fragment reassembly.
  • Cannot detect attacks with tunneled flows.
  • Limited checks are provided for the fragmentation header.
  • There is no support for IPv6 on the management (command and control) interface. With ASA 8.2(1), the ASA 5500 AIP SSM supports IPv6 features.
  • If there are illegal duplicate headers, a signature fires, but the individual headers cannot be separately inspected.
  • Anomaly detection does not support IPv6 traffic; only IPv4 traffic is directed to the anomaly detection processor.
  • Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried out.

Reference:

http://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/ime/imeguide71/ime_signature_engines.pdf

Question: 17

What are two advantages of SNMPv3 over SNMPv2c? (Choose two.)

A. integrity, to ensure that data has not been tampered with in transit

B. no source authentication mechanism for faster response time

C. Packet replay protection mechanism removed for efficiency

D. GetBulkRequest capability, to retrieve large amounts of data in a single request

E. confidentiality via encryption of packets, to prevent man-in-the-middle attacks

Answer: A, E

Explanation:

SNMPv3 contains all the functionality of SNMPv1 and SNMPv2, but SNMPv3 has significant enhancements to administration and security. SNMPv3 is an interoperable standards-based protocol. SNMPv3 provides secure access to devices by authenticating and encrypting packets over the network.

The security features provided in SNMPv3 are as follows:

  • Message integrity—Ensuring that a packet has not been tampered with in transit
  • Authentication—Determining that the message is from a valid source
  • Encryption—Scrambling contents of a packet to prevent it from being seen by an unauthorized source

Reference:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/snmp.pdf

Question: 18

Refer to the exhibit.

Which two statements correctly describe the debug output?

A. The remote VPN address is 180.10.10.1

B. The message is observed on the NHS

C. The message is observed on the NHC.

D. The remote routable address is 91.91.91.1.

E. The local non-routable address is 20.10.10.3.

F. The NHRP hold time is 3 hours.

Answer: A, C
