New Updated Cisco CCIE Security 350-018 Real Exam Download 21-30



DNSSEC was designed to overcome which security limitation of DNS?


A.      DNS man-in-the-middle attacks

B.      DNS flood attacks

C.      DNS fragmentation attacks

D.      DNS hash attacks

E.       DNS replay attacks

F.       DNS violation attacks


Correct Answer: A




Which three statements are true about MACsec? (Choose three.)


A.      It supports GCM modes of AES and 3DES.

B.      It is defined under IEEE 802.1AE.

C.      It provides hop-by-hop encryption at Layer 2.

D.      MACsec expects a strict order of frames to prevent anti-replay.

E.       MKA is used for session and encryption key management.

F.       It uses EAP PACs to distribute encryption keys.


Correct Answer: BCE


Which SSL protocol takes an application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment?


A.      SSL Handshake Protocol

B.      SSL Alert Protocol

C.      SSL Record Protocol

D.      SSL Change CipherSpec Protocol


Correct Answer: C




IPsec SAs can be applied as a security mechanism for which three options? (Choose three.)


A.      Send

B.      Mobile IPv6

C.      site-to-site virtual interfaces

D.      OSPFv3

E.       CAPWAP

F.       LWAPP


Correct Answer: BCD




Which four options are valid EAP mechanisms to be used with WPA2? (Choose four.)


A.      PEAP

B.      EAP-TLS

C.      EAP-FAST

D.      EAP-TTLS

E.       EAPOL


G.      EAP-MD5


Correct Answer: ABCD




Which three statements are true about the SSH protocol? (Choose three.)


A.      SSH protocol runs over TCP port 23.

B.      SSH protocol provides for secure remote login and other secure network services over an insecure network.

C.      Telnet is more secure than SSH for remote terminal access.

D.      SSH protocol runs over UDP port 22.

E.       SSH transport protocol provides for authentication, key exchange, confidentiality, and integrity.

F.       SSH authentication protocol supports public key, password, host based, or none as authentication methods.


Correct Answer: BEF




Which two statements are true when comparing ESMTP and SMTP? (Choose two.)


A.      Only SMTP inspection is provided on the Cisco ASA firewall.

B.      A mail sender identifies itself as only able to support SMTP by issuing an EHLO command to the mail server.

C.      ESMTP mail servers will respond to an EHLO with a list of the additional extensions they support.

D.      SMTP commands must be in upper case, whereas ESMTP can be either lower or upper case.

E.       ESMTP servers can identify the maximum email size they can receive by using the SIZE command.


Correct Answer: CE




How does a DHCP client request its previously used IP address in a DHCP DISCOVER packet?


A.      It is included in the CIADDR field.

B.      It is included as DHCP Option 50 in the OPTIONS field.

C.      It is included in the YIADDR field.

D.      It is the source IP address of the UDP/53 wrapper packet.

E.       The client cannot request its last IP address; it is assigned automatically by the server.


Correct Answer: B




Which two statements about an authoritative server in a DNS system are true? (Choose two.)


A.      It indicates that it is authoritative for a name by setting the AA bit in responses.

B.      It has a direct connection to one of the root name servers.

C.      It has a ratio of exactly one authoritative name server per domain.

D.      It cannot cache or respond to queries from domains outside its authority.

E.       It has a ratio of at least one authoritative name server per domain.


Correct Answer: AE




Refer to the exhibit. Which three statements are true? (Choose three.)




A.      Because of a “root delay” of 0ms, this router is probably receiving its time directly from a Stratum 0 or 1 GPS reference clock.

B.      This router has correctly synchronized its clock to its NTP master.

C.      The NTP server is running authentication and should be trusted as a valid time source.

D.      Specific local time zones have not been configured on this router.

E.       This router will not act as an NTP server for requests from other devices.


Correct Answer: BCE


Download Latest Cisco CCIE Security 350-018 Real Free Tests ,help you to pass exam 100%.

Download FREE Ensurepass CCIE Security 350-018 Demo and Get the Discount Code
Ensurepass Cisco Certifications Exam Questions and Answers
Ensurepass CCIE ExamS Questions and Answers



You must be logged in to post a comment.

Proudly powered by WordPress   Premium Style Theme by