Which two options are advantages of an application layer firewall? (Choose two.)
A. provides high-performance filtering
B. makes DoS attacks difficult
C. supports a large number of applications
D. authenticates devices
E. authenticates individuals
Correct Answer: BE
Refer to the exhibit. Using a stateful packet firewall and given an inside ACL entry of permit ip
126.96.36.199 0.0.0.255 any, what would be the resulting dynamically configured ACL for the return
traffic on the outside ACL?
A. permit tcp host 172.16.16.10 eq 80 host 192.168.1.11 eq 2300
B. permit ip 172.16.16.10 eq 80 192.168.1.0 0.0.0.255 eq 2300
C. permit tcp any eq 80 host 192.168.1.11 eq 2300
D. permit ip host 172.16.16.10 eq 80 host 192.168.1.0 0.0.0.255 eq 2300
Correct Answer: A
Which option is the resulting action in a zone-based policy firewall configuration with these
A. no impact to zoning or policy
B. no policy lookup (pass)
D. apply default policy
Correct Answer: C
A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface
with a security level of 100. The second interface is the DMZ interface with a security level of 50.
The third interface is the outside interface with a security level of 0. By default, without any
access list configured, which five types of traffic are permitted? (Choose five.)
A. outbound traffic initiated from the inside to the DMZ
B. outbound traffic initiated from the DMZ to the outside
C. outbound traffic initiated from the inside to the outside
D. inbound traffic initiated from the outside to the DMZ
E. inbound traffic initiated from the outside to the inside
F. inbound traffic initiated from the DMZ to the inside
G. HTTP return traffic originating from the inside network and returning via the outside
H. HTTP return traffic originating from the inside network and returning via the DMZ interface
I. HTTP return traffic originating from the DMZ network and returning via the inside interface
J. HTTP return traffic originating from the outside network and returning via the inside
Correct Answer: ABCGH
Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR
router? (Choose two.)
Correct Answer: BF
Which two functions are required for IPsec operation? (Choose two.)
A. using SHA for encryption
B. using PKI for pre-shared key authentication
C. using IKE to negotiate the SA
D. using AH protocols for encryption and authentication
E. using Diffie-Hellman to establish a shared-secret key
Correct Answer: CE
On Cisco ISR routers, for what purpose is the realm-cisco.pub public encryption key used?
A. used for SSH server/client authentication and encryption
B. used to verify the digital signature of the IPS signature file
C. used to generate a persistent self-signed identity certificate for the ISR so administrators can
authenticate the ISR when accessing it using Cisco Configuration Professional
D. used to enable asymmetric encryption on IPsec and SSL VPNs
E. used during the DH exchanges on IPsec VPNs
Correct Answer: B
Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration
Professional IPS wizard? (Choose four.)
A. Select the interface(s) to apply the IPS rule.
B. Select the traffic flow direction that should be applied by the IPS rule.
C. Add or remove IPS alerts actions based on the risk rating.
D. Specify the signature file and the Cisco public key.
E. Select the IPS bypass mode (fail-open or fail-close).
F. Specify the configuration location and select the category of signatures to be applied to the
Correct Answer: ABDF
Which statement is a benefit of using Cisco IOS IPS?
A. It uses the underlying routing infrastructure to provide an additional layer of security.
B. It works in passive mode so as not to impact traffic flow.
C. It supports the complete signature database as a Cisco IPS sensor appliance.
D. The signature database is tied closely with the Cisco IOS image.
Correct Answer: A
You are the security administrator for a large enterprise network with many remote locations.
You have been given the assignment to deploy a Cisco IPS solution. Where in the network would
be the best place to deploy Cisco IOS IPS?
A. inside the firewall of the corporate headquarters Internet connection
B. at the entry point into the data center
C. outside the firewall of the corporate headquarters Internet connection
D. at remote branch offices
Correct Answer: D