Cisco Secure PIX Firewall Advanced Version 7.0


DOCUMENT INFORMATION

Title: Cisco Secure PIX Firewall Advanced Version 7.0
Publisher: TestKing
Subject: IT Testing and Certification
Year listed: 2025
Pages: 122
Size: 1.27 MB



9E0-111 (CSPFA) Cisco Secure PIX Firewall Advanced

Version 7.0


Leading the way in IT testing and certification tools, www.testking.com

Important Note, Please Read Carefully

Study Tips

This product will provide you with questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Further Material

For this test TestKing also provides:

* Interactive Test Engine Examinator. Check out an Examinator Demo at http://www.testking.com/index.cfm?pageid=724

Latest Version

We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check your member zone at TestKing for an update 3-4 days before the scheduled exam date.

Here is the procedure to get the latest version:

1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click the links.

For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

Currently this product does not include explanations. If you are interested in providing TestKing with explanations, contact feedback@testking.com. Include the following information: exam, your background regarding this exam in particular, and what you consider a reasonable compensation for the work.

Copyright

Each PDF file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular PDF file is being distributed by you, TestKing reserves the right to take legal action against you according to the International Copyright Laws.


Note:

Section A contains 106 questions

Section B contains 57 questions

Section C contains 170 questions

The total number of questions is 333.

To simplify your configuration, object grouping is supported in Cisco PIX Device Manager Version 2.0. Object grouping enables you to define groups of objects such as hosts, IP addresses, or network services. You can use these groups, for example, when you create and apply access rules. When you include a Cisco PIX Firewall object group in a PIX Firewall command, it is the equivalent of applying every element of the object group to the PIX Firewall command.

Reference: Cisco PIX Device Manager Version 2.0

Supported Switching Paths

IPSec works with process switching, fast switching, and Cisco Express Forwarding (CEF). IPSec does not work with optimum or flow switching.


Reference: Configuring IPSec Network Security

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt4/scdipsec.pdf

QUESTION NO: 3

Speaking of Security Association requirements, which of the following statements is true?

A. A set of SAs are needed, one per direction, per protected data pipe.
B. A set of SAs are needed, one per direction, per protocol, per protected data pipe.
C. A set of SAs are needed, one per protocol only.
D. A set of SAs are needed, per protocol, per protected data pipe.

Answer: B

Explanation:

A set of SAs are needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports ESP between peers, one ESP SA is required for each direction. SAs are uniquely identified by destination (IPSec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).

Reference: Configuring IKE Shared Secret Using AAA Server
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/ikessaaa.pdf

QUESTION NO: 4

The graphic shows the output from the show failover command.

** Graphic output missing ***

This unit is active and the other unit is Standby. For an unknown reason, the failover is triggered and this unit has become Standby.

We enter the command “show failover” again.

What shall we see as the IP address of the [active-interface-inside]?

Note: The graphic is missing so it's hard to choose the correct answer.


Reference: Cisco Secure PIX Firewalls (Ciscopress) page 176

QUESTION NO: 5

Which of the following statements is not true regarding the DNS Guard?

A. If disabled, it can be enabled by the command: fixup protocol dns 53
B. The default UDP timer expires in two minutes.
C. Immediately tears down the UDP conduit on the PIX Firewall as soon as the DNS response is received.
D. Protects against UDP session hijacking and denial of service attacks.

Answer: A

Explanation:

The DNS Guard performs the following actions:

• Automatically tears down the UDP conduit on the PIX Firewall as soon as the DNS response is received. It doesn't wait for the default UDP timer to close the session. The default UDP session timeout is two minutes.
• Protects against UDP session hijacking and DoS attacks.

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 166

QUESTION NO: 6

In helping the user to choose the right IPSec transform combinations, the following rules apply: (Choose all that apply)

A. To provide authentication services for the transform set, include an AH transform.
B. For authentication services, include an ESP authentication transform.
C. To provide data authentication for the data and the outer IP header, include an AH transform.
D. For data confidentiality, include an ESP encryption transform.
E. MD5 is stronger than SHA.

Answer: A, B, C, D

Explanation:

Choosing an IPSec transform combination can be complex. The following tips may help you select transforms that are appropriate for your situation:

• To provide data confidentiality, include an ESP encryption transform. Also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.
• To ensure data authentication for the outer IP header as well as the data, include an AH transform.
• To ensure data authentication (using either ESP or AH) you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5, but it is slower.

Reference: Cisco Secure PIX Firewalls (Ciscopress) pages 212-213

QUESTION NO: 7

What is the command that enables IPSec traffic to bypass the check of conduit or access-group command statements?

A. conduit permit ip any any all
B. access-list acl_out permit tcp any any all; access-group acl_out interface outside
C. sysopt connection permit-ipsec
D. conduit permit tcp any any all

QUESTION NO: 8

All of the following statements are true, except:

A. Use the nat command to let users on the respective interfaces start outbound connections. Associate the nat_id with the global_id in the global command.
B. An interface is always outside when compared to another interface that has a higher security level.
C. Use a single default route statement to the outside interface only. Set the default route with the ip route command.
D. To permit access to servers on protected networks, use the static and conduit commands.
E. Packets cannot flow between interfaces that have the same security level.

Answer: C

Explanation:

The route command defines a static route for an interface. The route statement may have a specific destination, or a default static route may be created.

The ip route command is used in Cisco IOS. To establish static routes, use the ip route command in global configuration mode.

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 61
Cisco IOS Master Commands List, Release 12.3(1)


QUESTION NO: 9

Which of the following statements are not true? (Choose all that apply)

A. A DMZ interface can be considered an inside or outside interface.
B. A DMZ interface is always considered inside.
C. Traffic originating from the inside interface to the outside interface of the PIX Firewall will be allowed to flow unless restricted by access lists.
D. Traffic originating from the outside interface to the inside interface of the PIX Firewall will be dropped unless specifically allowed.
E. A DMZ interface is always considered outside.

Global and NAT are typically configured to enable sessions originated from the inside interface to the DMZ interface. Another option is the static command, to ensure the internal host has the same source address all the time.

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 55

QUESTION NO: 10

The Adaptive Security Algorithm (ASA) is the heart of the PIX Firewall. Choose the strict rules that ASA follows: (Choose all that apply)

A. The highest security interface is the inside interface.
B. The highest security interface is the outside interface.
C. No outbound packet can exit the PIX Firewall without a connection and state.
D. No packet, regardless of its direction, can traverse the PIX Firewall without a connection or state.
E. No inbound packet can enter the PIX Firewall without a connection and state.

Answer: A, D

Explanation:

A. The inside interface security level is 100 and is the default setting for the PIX Firewall. It cannot be changed, because 100 is the most trusted interface security level; the organization's network should be set up behind that interface.

D. ASA allows data packets to flow through the PIX Firewall only if an appropriate connection exists to validate their passage.

Reference: Cisco Secure PIX Firewalls (Ciscopress) pages 20, 53


QUESTION NO: 11

Which statements about the PIX Firewall in VoIP environments are true? (Choose two)

A. The PIX Firewall does not support the popular call setup protocol SIP because TCP can be used for call setup.
B. The PIX Firewall allows SCCP signaling and media packets to traverse the PIX Firewall and interoperate with H.323 terminals.
C. The PIX Firewall supports the Skinny Client Control Protocol, which allows you to place IP phones and Call Manager on separate sides of the PIX Firewall.
D. Users behind the PIX Firewall can place outbound calls with IP phones because they use HTTP tunneling to route packets through port 80, making them appear as web traffic.

Answer: B, C

Explanation:

Cisco Secure PIX Firewall application handling has been enhanced to support the Skinny Client Control Protocol (SCCP), used by Cisco IP phones for VoIP call signaling. This capability dynamically opens pinholes for media sessions and Network Address Translation (NAT)-embedded IP addresses. SCCP supports IP telephony and can coexist in an H.323 environment. An application layer ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals.

Reference: Cisco PIX Firewall Version 6.0
http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pix60_ds.pdf

QUESTION NO: 12

Your organization's web traffic has come to a halt because your PIX Firewall is dropping all new connection attempts. Why?

A. You are running a software version older than 5.2, and the embryonic threshold you set in the static command was reached.
B. The shun feature of the PIX Firewall has taken effect because the embryonic threshold you set in the nat command was reached.
C. The TCP Intercept feature of the PIX Firewall has taken effect because the embryonic threshold you set in the static command was reached.
D. The intrusion detection feature of the PIX Firewall has taken effect because the embryonic threshold you set in the conduit command was reached.

Answer: A

Explanation:

Prior to version 5.2, the PIX Firewall offered no mechanism to protect systems reachable via a static and TCP conduit from TCP SYN segment attacks. With the new TCP Intercept feature, once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN segment bound for the affected server is intercepted.

This feature requires no change to the PIX Firewall command set, only that the embryonic connection limit on the static command now has a new behavior.

Reference: Release Notes for the Cisco Secure PIX Firewall Version 5.2(1)
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/relnotes/pixrn521.pdf

QUESTION NO: 13

Which tasks can be performed from the Access Rules tab? (Choose three)

A. Configure translation rules
B. Configure Cisco Secure ACS
C. Configure access rules
D. Define Java and ActiveX filtering rules
E. Configure command authorization
F. Create service groups and apply them to ACLs

Answer: B, C, D

Explanation:

Each interface on the PIX Firewall is associated with a list of Access Control Entries (ACEs), called an Access Control List (ACL). An ACL is an ordered list of rules that describe how an entire subnet or specific network host interacts with another to permit or deny a specific service, protocol, or both. You can also define authentication, authorization, and accounting (AAA) rules, and filter rules for ActiveX and Java.

Reference: Configuring Settings, Rules, and Building Blocks
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/pix/use_man/px_cnfig.pdf

QUESTION NO: 14

Where in PDM do you go to add, delete, or view global pools of addresses to be used by NAT?

A. Global Pools tab
B. System Properties tab
C. Manage Pools button on the Translation Rules tab
D. IP Address Pools button on the VPN tab

Answer: C

Explanation:

The Translation Rules feature allows you to view all address translation rules applied to your network. Address translation means that when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses. Network Address Translation (NAT) allows your network to have any IP addressing scheme, and the PIX Firewall protects these addresses from visibility on the external network. You access this feature by selecting Configure > Translation Rules.

Reference: Configuring Settings, Rules, and Building Blocks
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/pix/use_man/px_cnfig.pdf

QUESTION NO: 15

Which step is optional when creating a crypto map on the PIX Firewall?

A. Create a crypto map entry identifying the crypto map with a unique crypto map name and sequence number.
B. Specify which transform sets are allowed for this crypto map entry.
C. Specify a dynamic crypto map to act as a policy template where the missing parameters are later dynamically configured to match a peer's requirements.
D. Assign an ACL to the crypto map entry.
E. Specify the peer to which IPSec-protected traffic can be forwarded.

Answer: C

Explanation:

If you are not sure how to configure each crypto map parameter to guarantee compatibility with other peers, you might consider configuring dynamic crypto maps as described in the section "Dynamic Crypto Maps." Dynamic crypto maps are useful when the establishment of the IPSec tunnels is initiated by the peer. They are not useful if the establishment of the IPSec tunnels is locally initiated, because the dynamic crypto maps are policy templates, not complete statements of policy. (Although the access lists in any referenced dynamic crypto map entry are used for crypto packet filtering.)

Reference: About IPSec
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/ipsec/ipsec.pdf

QUESTION NO: 16

Which type of downloadable ACLs are best when there are frequent requests for downloading a large ACL?

• Downloading an access list without a name—Configure a user authentication profile on an AAA server to include the PIX Firewall access list to be downloaded. This method should be used when there are no frequent requests for the same access list.

Reference: Controlling Network Access and Use
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/mngacl.pdf


QUESTION NO: 17

Why is the group tag in the aaa-server command important?

A. The aaa command references the group tag to know where to direct authentication, authorization, or accounting traffic.
B. The group tag identifies which users require authorization to use certain services.
C. The group tag identifies which user groups must authenticate.
D. The group tag enables or disables user authentication services.

Answer: A

Explanation:

group_tag specifies the AAA server. Enter LOCAL for the group tag value for local AAA services such as local command authorization using privilege levels, or use the AAA server group tag as defined by the aaa-server command.

Reference: PIX Firewall Software Version 6.3 Commands

QUESTION NO: 18

How do you make the ACL work for you? (Choose two)

A. Bind the ACL to the DMZ interface.
B. Bind the ACL to the inside interface.
C. Bind the ACL to the outside interface.
D. Create a static mapping for the DMZ server.
E. Create a static mapping for the web server.
F. Create a conduit mapping for the web server.

Answer: C, E

Explanation:

Static address translation creates a permanent, one-to-one mapping between an address on an internal network (a higher security level interface) and a perimeter or external network (lower security level interface). For example, to share a web server on a perimeter interface with users on the public Internet, use static address translation to map the server's actual address to a registered IP address. Static address translation hides the actual address of the server from users on the less secure interface, making casual access by unauthorized users less likely. Unlike NAT or PAT, it requires a dedicated address on the outside network for each host, so it does not save registered IP addresses.

If you use a static command to allow inbound connections to a fixed IP address, use the access-list and access-group commands to create an access list and to bind it to the appropriate interface. For more information, refer to "Allowing Inbound Connections."

Reference: Managing Network Access and Use
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_61/config/mngacl.pdf

A. From the nat_id in the static command
B. You can have only one global pool of addresses, so the PIX Firewall knows that NAT uses the addresses in the global pool established by the global command.
C. From the nat_id in the nat command
D. From the nat_id in the dhcp address command

Answer: C

Explanation:

A nat_id, a number from 1 to 2147483647, specifies the inside hosts for dynamic address translation. The dynamic addresses are chosen from a global address pool created with the global command, so the nat_id number must match the global_id number of the global address pool you want to use for dynamic address translation.

Reference: PIX Firewall Software Version 6.3 Commands
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/qref.htm

QUESTION NO: 21

What is the purpose of the access-group command?

A. Bind an ACL to an interface
B. Create an object group
C. Create an access group
D. Unbind the acl_ID from the interface interface_name

Answer: A

Explanation:

The access-group command binds an access list to an interface. The access list is applied to traffic inbound to an interface. If you enter the permit option in an access-list command statement, the PIX Firewall continues to process the packet. If you enter the deny option in an access-list command statement, the PIX Firewall discards the packet and generates the following
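
As an added example (not part of the TestKing document or any Cisco reference), the following PIX 6.x configuration fragment ties together the nat/global pairing, the static command with its embryonic limit, object groups, and the access-list/access-group binding discussed in Questions 8, 12, 18 through 21 and 27. Lines beginning with "!" are annotations for the reader; every interface name, address, object name and limit is a constructed placeholder.

```cisco
! --- Outbound: the nat_id (1) on the inside must match the global_id (1)
!     of the pool on the outside, or no dynamic translation takes place
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 192.0.2.20-192.0.2.254 netmask 255.255.255.0
!
! --- Inbound: publish a DMZ web server at a fixed registered address.
!     Trailing "0 100" = max_conns unlimited, embryonic limit 100. Once
!     100 half-open connections exist, TCP Intercept answers each new SYN
!     on the server's behalf until the count drops below the limit.
static (dmz,outside) 192.0.2.10 172.16.1.10 netmask 255.255.255.255 0 100
!
! --- Object groups: one ACE can then cover several servers and ports
object-group network dmz_web_servers
  network-object host 192.0.2.10
object-group service web_ports tcp
  port-object eq www
  port-object eq https
!
! --- The ACL names the translated (global) address, as PIX 6.x requires,
!     and permits only web traffic; anything else arriving on the outside
!     interface falls through to the implicit deny at the end of the list
access-list acl_out permit tcp any object-group dmz_web_servers object-group web_ports
!
! --- Bind the ACL to traffic entering the outside interface
access-group acl_out in interface outside
!
! --- Verification
!   show xlate         translation slots (default idle timeout 180 minutes)
!   show access-list   per-ACE hit counts, useful when a permit is never hit
!   show static        confirms the mapping and the embryonic limit
!
! --- To remove every previously defined object group at once:
! clear object-group
```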

QUESTION NO: 22

Which statements about security level 100 are true? (Choose two)

A. It is the lowest security level.
B. It is the highest security level.
C. It is the least-trusted security level.
D. By default it is designated for the inside interface of the PIX Firewall.
E. It is not currently a configurable security level. It is reserved for future use.
F. By default, it is designated for the outside interface of the PIX Firewall.

Answer: B, D

Explanation:

The inside interface security level is 100 and is the default setting for the PIX Firewall. It cannot be changed, because 100 is the most trusted interface security level; the organization's network should be set up behind that interface.

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 53

QUESTION NO: 23

Which statements about the PIX Firewall's DHCP capabilities are true? (Choose two)

A. It can be a DHCP server.
B. It cannot be a DHCP client.
C. You must remove a configured domain name.
D. It can be a DHCP server and client simultaneously.
E. It cannot pass configuration parameters it receives from another DHCP server to its own DHCP clients.
F. The PIX Firewall's DHCP server can be configured to distribute the IP addresses of up to four DNS servers to its clients.

Answer: A, D

Explanation:

The PIX Firewall supports Dynamic Host Configuration Protocol (DHCP) servers and DHCP clients. DHCP is a protocol that supplies automatic configuration parameters to Internet hosts. This protocol has two components:

• A protocol for delivering host-specific configuration parameters from a DHCP server to a host (DHCP client)
• A mechanism for allocating network addresses to hosts

A DHCP server is simply a computer that provides configuration parameters to a DHCP client, and a DHCP client is a computer or network device that uses DHCP to obtain network configuration parameters.

Reference: Using PIX Firewall in SOHO Networks
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/pixclnt.pdf

QUESTION NO: 24

The LAN-based failover you configured does not work. Why? (Choose two)

A. You used a hub for failover operation.
B. You used a switch for failover operation.
C. You used a dedicated VLAN for failover operation.
D. You did not set a failover IP address.
E. You did not use a crossover Ethernet cable between the two PIX Firewalls.
F. You used a crossover Ethernet cable between the two PIX Firewalls.

Answer: D, F

Explanation:

You must set a failover IP address for LAN-based failover.

Ethernet connection (“LAN-based failover”)—You can use any unused Ethernet interface on the device. If the units are further than six feet apart, use this method. We recommend that you connect this link through a dedicated switch. You cannot use a crossover Ethernet cable to link the units directly.

Reference: Using PIX Firewall Failover
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/failover.pdf

QUESTION NO: 25

How are LAN-based failover and serial failover alike?

A. Both require that all configuration is performed on the primary PIX Firewall.
B. Both require the use of a special serial cable.
C. They are configured with the same command set.
D. Both require two dedicated interfaces: one for configuration replication and another for stateful failover.
E. Both provide stateful failover.

Answer: E

Explanation:

For Stateful Failover, you must use an Ethernet link to pass state information. The PIX Firewall supports the following Ethernet interface settings for the state link:

• Fast Ethernet (100BASE-T) full duplex
• Gigabit Ethernet (GE) (1000BASE-T) full duplex

We recommend that you use a crossover cable to directly connect the units. You can also use a switch between the units. No hosts or routers should be on this link.

If the two units are more than six feet apart, you can use the same Ethernet state link as the failover link, but we recommend that you use a separate Ethernet link if available. If they are closer than six feet, we recommend that you use the serial failover cable as the failover link.

Reference: Using PIX Firewall Failover
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/failover.pdf

QUESTION NO: 26

Choose the correct statements regarding ACLs and conduits:

A. A conduit creates a rule on the PIX Firewall Adaptive Security Algorithm by denying connections from one interface to access hosts on another.
B. An ACL applies to a single interface, affecting all traffic entering that interface regardless of its security level.
C. An ACL applies to a single interface, affecting all traffic entering that interface based on its security level.
D. A conduit creates an exception to the PIX Firewall Adaptive Security Algorithm by permitting connections from one interface to access hosts on another.

Answer: B, D

Explanation:

The conduit statement creates an exception to the PIX Firewall ASA by permitting connections from one PIX Firewall network interface to access hosts on another.

The access-list command lets you specify if an IP address is permitted or denied access to a port or protocol. In this document, one or more access-list command statements with the same access list name are referred to as an "access list." Access lists associated with IPSec are known as "crypto access lists."

Reference: PIX Firewall Software Version 6.3 Commands
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/qref.htm

QUESTION NO: 27

What is the command to remove a group of previously defined object-group commands?

A. Both answers are correct

QUESTION NO: 28

A. The peer's IPSec SA will never time out for a given IPSec session.
B. CA cannot be used.
C. The command to disable IKE is: no crypto isakmp
D. The user must manually define all the IPSec security associations in the crypto maps at all peers.

Answer: A, B, D

Explanation: Disabling IKE

To disable IKE, you will have to make these concessions at the peers:

• You must manually specify all the IPSec security associations in the crypto maps at all peers.
• IPSec security associations will never time out for a given IPSec session.
• The encryption keys never change during IPSec sessions between peers.
• Anti-replay services will not be available between the peers.
• CA support cannot be used.

To disable IKE, use the following command: no crypto isakmp enable interface-name

Reference: IPSec - Overview
http://www.cisco.com/en/US/tech/tk583/tk372/tech_overview.html

QUESTION NO: 29

This security protocol provides data confidentiality and protection with optional authentication and replay-detection services.

Answer: A

Explanation:

Encapsulating Security Protocol (ESP): a security protocol that provides data confidentiality and protection with optional authentication and replay-detection services. The PIX Firewall uses ESP to encrypt the data payload of IP packets. ESP can be used either by itself or in conjunction with AH. ESP was assigned IP protocol number 50.

Reference: Cisco Secure PIX Firewall (Ciscopress) page 198

QUESTION NO: 30

The fixup protocol rtsp command lets the PIX Firewall pass Real Time Streaming Protocol (RTSP) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections.

Reference: PIX Firewall Software Version 6.3 Commands
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/qref.htm

QUESTION NO: 31

H.323 is more complicated than other traditional protocols because:

A. It requires a high amount of bandwidth
B. It uses more than one TCP port

QUESTION NO: 32

Speaking of the translation table of a PIX Firewall: by default, if there are no translated packets for a particular IP address, the entry times out and is removed from the table. This timeout period is:

A. User-configurable and by default is 5 minutes
B. User-configurable and by default is 60 minutes
C. User-configurable and by default is 180 minutes
D. Not user-configurable and by default is 5 minutes
E. Not user-configurable and by default is 2 minutes
F. Not user-configurable and by default is 60 minutes

Answer: C

Explanation:

Translation slot: the default value for this timeout setting is 180 minutes.

Reference: Cisco Secure Policy Manager - Configuring the Global Policy Override Settings for Policy Enforcement Points
http://www.cisco.com/en/US/products/sw/secursw/ps2133/products_user_guide_chapter09186a00800d9cf9.html

QUESTION NO: 33

Firewall operations are based on one of the following technologies:

- Packet filtering
- Proxy server
- Stateful packet filtering

Which is the method used by the PIX Firewall?

A. Packet filtering
B. Stateful packet filtering
C. All answers are incorrect
D. Proxy server

Answer: B

Explanation:

The third type of firewall combines the best of packet filtering and proxy technologies. A stateful packet filter keeps complete session state information for each connection built through the firewall. Each time an IP connection is established for an inbound or outbound connection, the information is logged in a stateful session flow table. Stateful packet filtering is the method used by the Cisco PIX Firewall.

Reference: Cisco Secure PIX Firewall (Ciscopress) page 18

QUESTION NO: 34

Which statements about intrusion detection in the PIX Firewall are true? (Choose two)

A. When a policy for a given signature class is created and applied to an interface, all supported signatures of that class are monitored unless you disable them.
B. Only the signatures you enable will be monitored.
C. The PIX Firewall supports only inbound auditing.
D. IP audit policies must be applied to an interface with the ip audit interface command.
E. When a policy for a given signature class is created and applied to an interface, all supported signatures of that class are monitored and cannot be disabled until you remove the policy from the interface.
F. IP audit policies must be applied to an interface with the ip audit signature command.

Answer: A, D

Explanation:

Developed with flexibility in mind, PIX IDS allows a signature to be acted upon differently depending on the interface on which it was detected. PIX also allows signatures to be individually disabled in the event that recurring false positives are detected.

The ip audit interface if_name audit_name command applies an audit specification or policy (created via the ip audit name command) to an interface. The no ip audit interface [if_name] command removes a policy from an interface.

Reference: Cisco PIX 500 Series Firewalls - Cisco PIX Firewall Software v5.2
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b32.html
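
As an added example (not part of the TestKing document or any Cisco reference), this PIX 6.x fragment shows the ip audit workflow the explanation above describes: define policies per signature class, apply them per interface, and disable a single signature that keeps producing false positives. Lines beginning with "!" are annotations for the reader; the policy names, interface and the signature number 2000 are constructed for illustration.

```cisco
! --- One policy per signature class. Informational signatures only
!     alarm (syslog); attack signatures also drop the packet and reset TCP.
ip audit name info_pol info action alarm
ip audit name attack_pol attack action alarm drop reset
!
! --- Apply both policies to the untrusted interface. Applying a policy
!     monitors every supported signature of that class (Question 34, A).
ip audit interface outside info_pol
ip audit interface outside attack_pol
!
! --- Disable one noisy signature globally instead of removing the policy;
!     take the number from the signature ID reported in the IDS syslog
!     message. 2000 is used here only as a placeholder.
ip audit signature 2000 disable
!
! --- Detach a policy from the interface while keeping its definition
!     (the command form named in the explanation above):
! no ip audit interface outside info_pol
!
! --- Verification
!   show ip audit interface    which policy is bound where
!   show ip audit name         policy definitions and actions
!   show ip audit signature    signatures currently disabled
```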

QUESTION NO: 35

Why are packets inspected on the PIX Firewall?

A. For valid users
B. For misconfiguration
C. For incorrect address
D. For malicious application misuse

QUESTION NO: 36

D. curpriv

Answer: A

Explanation:

The privilege command sets user-defined privilege levels for PIX Firewall commands. This is especially useful for setting different privilege levels for related configuration, show, and clear commands. However, be sure to verify privilege level changes in your commands with your security policies before implementing the new privilege levels.

Reference: PIX Firewall Software Version 6.3 Commands
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/qref.htm

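An added example of the privilege-level configuration described above (not the TestKing text's own material and not copied from Cisco documentation). The level number, usernames, passwords and the particular commands granted are assumptions chosen to show a read-mostly operator role.

```cisco
! Enable secret for level 5 and the commands that level may run (PIX 6.2+)
enable password Oper5Pass level 5
privilege show level 5 command access-list
privilege show level 5 command conn
privilege show level 5 command xlate
! clear xlate tears down every active translation, so grant it deliberately
privilege clear level 5 command xlate

! Tie levels to named users so the audit trail shows who did what
username oper password Oper5Pw privilege 5
username admin password Adm1nPw privilege 15
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL

! Verify from the operator's session: current level, then the level assigned
! to every command. A configure-mode command should now be refused at level 5.
show curpriv
show privilege all
```

Check the result from a level-5 session before relying on it: without aaa authorization command LOCAL the privilege statements are recorded but not enforced on commands, and a user who knows the level-15 enable password still bypasses the scheme.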
QUESTION NO: 37

Which command enables IKE on the outside interface?

A ike enable outside

B ipsec enable outside

C isakmp enable outside

D ike enable (outbound)

Answer: C

Explanation:

The isakmp enable command is used to enable ISAKMP negotiation on the interface on which the IPSec peer will communicate with the PIX Firewall. ISAKMP is enabled by default. Use the no isakmp enable command to disable IKE.

Reference: PIX Firewall Software Version 6.3 Commands

A ESP provides anti-replay and AH does not

B ESP provides data integrity and AH does not

C ESP provides data confidentiality and AH does not

D ESP provides data origin authentication and AH does not

B You have not enabled HTTP authorization, which is required for HTTP authentication

C HTTP authentication is not supported

D Re-authentication may be taking place, with the web browser sending the cached username and password back to the PIX Firewall

Answer: D

Explanation:

HTTP - A window is displayed in the browser requesting username and password. If authentication (and authorization) is successful, the user arrives at the destination web site beyond. Keep in mind that browsers cache usernames and passwords! If it appears that the PIX should be timing out an HTTP connection but is not doing so, it is likely that re-authentication is actually taking place, with the browser "shooting" the cached username and password to the PIX, which then forwards this to the authentication server. PIX syslog and/or server debug will show this phenomenon. If Telnet and FTP seem to work "normally" but HTTP connections do not, this is why.

Reference: Cisco PIX 500 Series Firewalls - Performing Authentication, Authorization, and Accounting of Users Through PIX Versions 5.2 and Later

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea9.shtml

QUESTION NO: 40

Which are functions of the object-group command? (Choose two)

A Defines members of an object group

B Names an object group

C Enables sub-command mode

D Inserts an object group in an ACL

E Displays a list of the current configured object groups of the specified type

F Describes the object group

Answer: B, C

Explanation:

To simplify your configuration, object grouping is supported in Cisco PIX Device Manager Version 2.0. Object grouping enables you to define groups of objects such as hosts, IP addresses, or network services. You can use these groups, for example, when you create and apply access rules. When you include a Cisco PIX Firewall object group in a PIX Firewall command, it is the equivalent of applying every element of the object group to the PIX Firewall command.

Reference: Cisco PIX Device Manager Version 2.0

http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pixge_ds.pdf

QUESTION NO: 41

Why create Turbo ACLs only on high-end PIX Firewall models, such as the PIX Firewall 525 or 535?

A They are not supported in any of the low-end models, such as the 506

B Turbo ACLs require significant amounts of memory

C Turbo ACLs are processor-intensive

D Although turbo ACLs improve ACL search time with any PIX Firewall model, they are complicated and rather difficult to configure. It is unlikely that environments using low-end models have personnel properly trained to configure turbo ACLs

Answer: B

Explanation:

The TurboACL feature requires significant amounts of memory and is most appropriate for high-end PIX Firewall models, such as the PIX 525 or PIX 535. The minimum memory required for TurboACL is 2.1 MB, and approximately 1 MB of memory is required for every 2000 ACL elements.

Reference: Controlling Network Access and Use

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/mngacl.pdf

QUESTION NO: 42

When are duplicate objects allowed in object groups?

A When they are due to the inclusion of group objects

B When a group object is included, which causes the group hierarchy to become circular

- MyServices—Includes the TCP/UDP port numbers of the service requests that are allowed access to the internal network

- TrustedHosts—Includes the host and network addresses allowed access to the greatest range of services and servers

- PublicServers—Includes the host addresses of servers to which the greatest access is provided

After creating these groups, you could use a single access rule to allow trusted hosts to make specific service requests to a group of public servers Object groups can also contain other object groups or be contained by other object groups

Reference: Cisco PIX Firewall Software - Controlling Network Access and Use

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb721.html

QUESTION NO: 43

Which statement about the configuration mode for the PIX Firewall is true?

A Privileged mode commands, unprivileged mode commands, and configuration mode commands all work in configuration mode

B Only configuration mode commands work in configuration mode

C Unprivileged mode commands and configuration mode commands work in configuration mode, but you must exit the configuration mode in order to execute privileged mode commands

D Privileged mode commands and configuration mode commands work in configuration mode, but you must exit both these modes in order to execute unprivileged mode commands

Answer: A

Explanation:

Configuration Mode – This mode displays the (config)# prompt and enables you to change system configurations. All privileged, unprivileged, and configuration commands work in this mode.

Reference: Cisco Secure PIX Firewall (Ciscopress) page 32

QUESTION NO: 44

Which statement about the PIX Firewall Syslog is true?

A Syslog messages can be used to create log files, and can be displayed on the console of a designated Syslog host, but they cannot be used to create e-mail alerts

B If all Syslog servers are offline, the PIX Firewall stores up to 100 messages in its memory and then deletes the messages in its memory to make room for subsequent messages

C The PIX Firewall sends Syslog messages to document such events as denied TCP connections, translation slot depletion, console logins and bytes transferred for each connection

D All Syslog messages are denied unless explicitly permitted

Answer: C

Explanation:

PIX Firewall sends SYSLOG messages to document the following events:

- Security—Dropped UDP packets and denied TCP connections

- Resources—Notification of 80% and 100% connection and translation slot depletion, and translation and connection counts every 10 minutes

- System—Console and Telnet logins and logouts and PIX Firewall reboots

- Accounting—Bytes transferred per connection

Reference: Cisco PIX Firewall Software - Configuring by Feature

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00801162ec.html

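An added logging configuration that turns the event classes listed above into messages a syslog host actually receives; it is an example written for this page, not part of the TestKing material or Cisco's documentation. The syslog host addresses, the message ID suppressed and the queue size are assumptions.

```cisco
! Turn logging on and timestamp every message (PIX 6.x syntax)
logging on
logging timestamp

! Two syslog hosts on the inside for resilience (addresses assumed);
! informational includes connection build/teardown, which carries the
! bytes-transferred accounting records
logging host inside 10.1.1.10
logging host inside 10.1.1.11
logging trap informational
logging facility 20

! Local buffer so warnings and above survive a syslog-host outage, and a
! larger host queue than the default 512 for bursts of denied connections
logging buffered warnings
logging queue 1024

! Console logging at errors only: console output slows the unit down
logging console errors

! Suppress one message that is pure noise here rather than lowering the
! trap level for everything (305012, dynamic translation teardown, is an
! assumed example)
no logging message 305012

! In a failover pair let the standby unit send its own messages
logging standby

show logging
show logging queue
```

After a change, generate a denied connection and confirm it arrives at the host; if show logging queue reports discarded messages, the host or the queue size is the bottleneck, not the trap level.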
QUESTION NO: 45

In the output of the show failover command, what does cable status waiting mean?

A The active PIX Firewall is working and the standby PIX Firewall is ready

B Monitoring the other PIX Firewall’s network interface has not yet started

C The active PIX Firewall is waiting for configuration replication to be completed

D The primary PIX Firewall has finished testing the standby PIX Firewall’s interfaces and the standby PIX Firewall is waiting to take control

Answer: B

Explanation:

The Cable Status that displays with the show failover command has these values:

(a) Normal—Indicates that the Active unit is working and that the Standby unit is ready

(b) Waiting—Indicates that monitoring of the other unit's network interfaces has not yet started

(c) Failed—Indicates that the PIX Firewall has failed

Reference: Cisco PIX Firewall Software - Advanced Configurations

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008996b.html

QUESTION NO: 46

Your new network administrator has recently modified your PIX Firewall's configuration. You are suddenly experiencing security breaches involving Internet mail. What change did the administrator make?

A He disabled the PIX Firewall's mailport fixup

B He disabled the PIX Firewall’s smtp fixup

C He enabled the Pix Firewall’s ils fixup on port 25

D He defined the port on which to activate Mail Guard

Answer: B

Explanation:

The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1, commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.

Reference: PIX Firewall Software Version 6.3 Commands

clear crypto sa - Clears existing IPSec security associations so that any changes to a transform set take effect on subsequently established security associations (SAs). (Manually established SAs are reestablished immediately.)

Reference: Configuring the SA-VAM2

http://www.cisco.com/univercd/cc/td/doc/product/core/7200vx/portadpt/sa-vam2/vam2cf.pdf

QUESTION NO: 48

You have configured your router with the following command:

crypto ipsec transform-set goodform ah-sha-hmac esp-des esp-sha-hmac

A The peer does not have to have a matching transform set; parameters will be dynamically negotiated

B The peer must also have the same transform set parameters specified

C The peer must also have the same transform set name specified

D The peer must also have the same transform set name and parameters specified

Answer: B

Explanation:

To define a transform set—an acceptable combination of security protocols and algorithms—use the crypto ipsec transform-set command in global configuration mode. To delete a transform set, use the no form of this command.

To define a transform set, you specify one to four "transforms"—each transform represents an IPSec security protocol (AH or ESP) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec SAs, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.

Reference: PIX Firewall Software Version 6.3 Commands

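A complete site-to-site configuration built around the transform set from this question, added as an example for the isakmp enable, clear crypto sa and transform-set explanations above; it is not part of the TestKing text or Cisco's documentation. The peer addresses, protected subnets, pre-shared key and map names are assumed. It shows both peers so the matching rule is concrete: the parameters must agree, the set names need not.

```cisco
! PIX-A, outside 203.0.113.1; peer PIX-B is 203.0.113.2 (addresses assumed)
! Phase 1: IKE on the outside interface, pre-shared key scoped to one peer
isakmp enable outside
isakmp key Sh4redS3cret address 203.0.113.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2: interesting traffic, exempted from NAT, and the transform set
access-list VPN-TRAFFIC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list VPN-TRAFFIC
crypto ipsec transform-set goodform ah-sha-hmac esp-des esp-sha-hmac
crypto map PEERMAP 10 ipsec-isakmp
crypto map PEERMAP 10 match address VPN-TRAFFIC
crypto map PEERMAP 10 set peer 203.0.113.2
crypto map PEERMAP 10 set transform-set goodform
crypto map PEERMAP interface outside
sysopt connection permit-ipsec

! PIX-B: same parameters under a different set name; only the lines that
! differ from PIX-A are listed
!   isakmp key Sh4redS3cret address 203.0.113.1 netmask 255.255.255.255
!   access-list VPN-TRAFFIC permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
!   crypto ipsec transform-set peerform ah-sha-hmac esp-des esp-sha-hmac
!   crypto map PEERMAP 10 set peer 203.0.113.1
!   crypto map PEERMAP 10 set transform-set peerform

! After changing a transform set, clear the SAs so the next negotiation
! uses the new parameters, then verify both phases
clear crypto sa
show crypto isakmp sa
show crypto ipsec sa
show crypto map
```

Single DES appears only because the question uses it; for a real tunnel use esp-3des (or esp-aes on 6.3 and later) and keep the IKE policy at least as strong as the IPSec transforms. A "no matching transform set" failure in debug crypto ipsec on either side usually means one parameter differs, not the name.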
A Both PIX Firewalls exchange failover HELLO packets over failover cable every 15 seconds

B With the Network Activity test, the PIX Firewall counts all received packets for up to 5 seconds. If no traffic is received, the PIX is declared nonoperational and the standby takes over

C Both PIX Firewalls exchange failover HELLO packets over all network interfaces

D PIX Firewall performs a broadcast and checks the responses

Answer: A, C, D

Explanation:

For power loss or reload using cable-based failover, the standby unit learns almost immediately if the active unit loses power or is reset. The other conditions listed previously are sensed when a given interface does not receive hello packets for two consecutive poll intervals. The poll interval is user configurable. The interface is then tested to determine which unit is at fault. The default for sending hello packets is every 15 seconds.

The ping test consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops.

Reference: Cisco PIX Firewall Software - Using PIX Firewall Failover

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html

The aaa authentication command is not intended to mandate your security policy. The authentication servers determine whether a user can or cannot access the system, what services can be accessed, and what IP addresses the user can access. The PIX Firewall interacts with FTP, HTTP (Web access), and Telnet to display the credentials prompts for logging in to the network or logging in to exit the network. You can specify that only a single service be authenticated, but this must agree with the authentication server to ensure that both the firewall and server agree.

The PIX Firewall supports authentication usernames up to 127 characters and passwords of up to 16 characters (some AAA servers accept passwords up to 32 characters). A password or username may not contain an "@" character as part of the password or username string, with a few exceptions.

Reference: PIX Firewall Software Version 6.3 Commands

QUESTION NO: 51

Which of the following statements is correct?

A Installing an additional interface card on a PIX Firewall is as simple as adding a NIC to a PC, but you must have a license for it from Cisco

B Installing an additional interface card on a PIX Firewall is as simple as adding a NIC to a PC

Answer: A

Explanation:

Restricted—PIX Firewall platforms in a Restricted (R) license mode limit the number of interfaces supported and the amount of RAM available within the system. A restricted license provides a cost-optimized firewall solution for simplified network connectivity requirements, or where lower than the maximum number of user connections are acceptable. A Restricted licensed firewall does not support a redundant system for fail-over configurations.

Reference: Cisco PIX 500 Series Firewalls - Cisco PIX Firewall Licensing

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a00800b0d85.html

QUESTION NO: 52

On a PIX Firewall, as a general rule:

A There is no general rule. The software configuration decides which one is the outside and which one is the inside interface

B Ethernet 0 is always the outside network connection and Ethernet 1 is always the inside network connection

C Ethernet 0 is always the inside network connection and Ethernet 1 is always the outside network connection

D There is no general rule. The priority command applied to the interface decides which interface is the outside and which interface is the inside

Answer: B

Explanation:

The command nameif assigns a name to each interface on the PIX Firewall and specifies its security level (except for the inside and outside PIX Firewall interfaces, which are named by default).

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 56

QUESTION NO: 53

How does the PIX Firewall handle multimedia applications? (Choose two)

A It supports multimedia only with NAT

B It supports multimedia only without NAT

C It supports multimedia with or without NAT

D Multimedia applications are not allowed because they pose a security risk

E It dynamically opens and closes UDP ports for secure multimedia connections

F It opens a large range of ports for these applications if you configure the PIX Firewall to support multimedia

Answer: C, E

Explanation:

The Cisco Secure PIX Firewall dynamically opens and closes UDP ports for secure multimedia connections. This significantly reduces the security risk posed by opening a large range of ports and mitigates the need to reconfigure application clients.

Also, the PIX Firewall supports multimedia with or without NAT. Firewalls that cannot support multimedia with NAT limit multimedia usage to registered users only or require exposing inside IP addresses to the Internet.

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 159

QUESTION NO: 54

Which command sets the Telnet password to cisco?

A enable telnet password cisco

B telnet password cisco

Reference: PIX Firewall Software Version 6.3 Commands

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/qref.htm

QUESTION NO: 55

Which commands configure the PIX Firewall’s PPPoE client?

A Only vpdn group, vpdn username, and ip address pppoe

B Only vpngroup and vpnusername

C Only vpdn group and interface pppoe

D Only vpngroup and ip address pppoe

Answer: A

Explanation:

- To define a VPDN group to be used for PPPoE, use the vpdn group group_name request dialout pppoe command.

- Use the vpdn username username password pass command to create a username and password pair for the PPPoE connection. The username must be a username that is already associated with the VPDN group specified for PPPoE.

- The ip address pppoe command enables the PPPoE client feature within the PIX Firewall. (You can also use this command to clear and restart a PPPoE session; the current session shuts down and a new one restarts after entering this command.)

You must enter the PPPoE configuration using the vpdn commands before enabling PPPoE with the ip address pppoe command.

Reference: PIX Firewall Software Version 6.3 Commands

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/qref.htm

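The three steps above carried through in order as one added example (written for this page, not taken from TestKing or from Cisco's documentation). The group name ISP, the username, the password and the use of PAP are assumptions; the ISP dictates the authentication method and the credentials.

```cisco
! Step 1: the VPDN group that will dial out over PPPoE
vpdn group ISP request dialout pppoe
vpdn group ISP localname pixuser
vpdn group ISP ppp authentication pap

! Step 2: the credential pair; localname above ties it to the group
vpdn username pixuser password S3cretPw

! Step 3, last: enable the client. setroute installs the ISP-supplied
! default route, so remove any static "route outside 0 0 ..." first.
ip address outside pppoe setroute

! Verify the session came up and which address and route were learned
show vpdn session pppoe
show ip address outside pppoe
show route
```

Re-entering ip address outside pppoe setroute is also the quickest way to restart a stuck session, since the command tears the current one down and renegotiates.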
QUESTION NO: 56

Which statement about AAA and the PIX Firewall is true?

A Authorization is valid without authentication, but authentication is never valid without authorization

B Authorization is valid without authentication, and authentication is valid without authorization

C Authentication is valid without authorization, but authorization is never valid without authentication

D Authentication and authorization are never valid without accounting

Answer: C

Explanation:

Authentication determines a user’s identity and verifies the information

Once a user has authenticated, the authentication server may be configured to allow specific authorization, based upon user ID and password

Authorization defines what the user can do

Accounting is the action of keeping track of what the user does

Authentication is valid without authorization

Authorization is never valid without authentication

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 111

QUESTION NO: 57

Which three problems can ActiveX cause for network clients using the PIX Firewall? (Choose three)

A It can attack servers

B It can block HTML commands

C It can block HTML comments

D It can download Java applets

E It can cause workstations to fail

F It can introduce network security problems

Answer: A, E, F

Explanation:

ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. These controls cause potential problems for the network clients, such as causing workstations to fail, introducing network security problems, or being used to attack servers.

This feature blocks HTML <object> tags and comments them out within the HTML web page. This functionality has been added to the filter command with the activex option.

Reference: Cisco PIX Firewall Release Notes, Version 4.4(1)

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/relnotes/pixrn44.pdf

QUESTION NO: 58

Which statement about the PIX Firewall is true?

A The PIX Firewall passes RIP updates between interfaces

B You cannot configure the PIX Firewall to learn routes dynamically from RIP version 1 or RIP version 2 broadcast

C The PIX Firewall uses the dynamically learned routes to forward traffic to the appropriate destinations but does not propagate learned routes to other devices

D The PIX Firewall uses dynamically learned routes to forward traffic to the appropriate destinations, passes RIP updates between its interfaces, and propagates learned routes to other devices

Answer: C

QUESTION NO: 59

You primary PIX Firewall is currently the active unit in your failover topology

What will happen to the current IP addresses on the primary PIX Firewall if it fails?

A They become those of the standby PIX Firewall

B The ones on the primary PIX Firewall remain the same, but the current IP addresses of the secondary become the virtual IP addresses you configured

C They are deleted

D The ones on both the primary and secondary PIX Firewalls are deleted and both assume the failover IP addresses you configured

Answer: A

Explanation:

The failover feature allows you to use a standby PIX Firewall to take over the functionality of a failed PIX Firewall. When the active unit fails, it changes to the standby state, while the standby unit changes to the active state. The unit that becomes active takes over the active unit's IP addresses and MAC addresses, and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses.

Reference: Cisco PIX Firewall Software - Using PIX Firewall Failover

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html

of the OSI model

Reference: Configuring IPSec Network Security

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt4/scdipsec.pdf

Every time a new peer is added to the IPSec network, you must configure keys between the new peer and each of the existing peers

Reference: Cisco PIX Firewall Software - About CA

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080089901.html

QUESTION NO: 62

The hardware requirements of the Stateful Failover are: (Choose all that apply)

A Two identical PIX Firewall units (PIX 520 or later model is recommended by Cisco)

B The LAN ports for Stateful Failover on both PIX Firewall units should be connected with a crossover cable or through a hub or switch

C A failover cable with the correct terminals

D Dedicated 10BaseT Ethernet ports on both PIX Firewall units must be connected and fully functional in full Duplex mode

Answer: A, B

Explanation:

For Stateful Failover, you must use an Ethernet link to pass state information. The PIX Firewall supports the following Ethernet interface settings for the state link:

- Fast Ethernet (100BASE-T) full duplex

- Gigabit Ethernet (GE) (1000BASE-T) full duplex

We recommend that you use a crossover cable to directly connect the units. You can also use a switch between the units. No hosts or routers should be on this link.

If the two units are more than six feet apart, you can use the same Ethernet state link as the failover link, but we recommend that you use a separate Ethernet link if available. If they are closer than six feet, we recommend that you use the serial failover cable as the failover link. Both units must be identical PIX Firewall hardware running identical software versions.

Reference: Cisco PIX Firewall Software - Using PIX Firewall Failover

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html

QUESTION NO: 63

Preparation to configure VPN support has several steps The first two steps are:

- plan for IKE

- plan for IPSec

The goal of this advance planning is:

A To investigate whether the budget allocated for the project will suffice

B To minimize misconfiguration

C To locate and remove bottleneck before the production phase

D To evaluate IPSEC and IKE parameter for optimal security and performance

Answer: B

Explanation:

IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard

Reference: Cisco PIX Firewall Software - Configuring IKE

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a00800898df.html

Use the show ip command to view which addresses are assigned to the network interfaces. If you make a mistake while entering this command, reenter the command with the correct information.

Reference: PIX Firewall Software Version 6.3 Commands

In a recent survey conducted by the Computer Security Institute, 70 percent of the organizations polled stated that their network security defenses had been breached, and that 60 percent of the incidents came from within the organizations themselves.

A Only when an unconfigured PIX Firewall starts up

B Each time your PIX Firewall reloads

C When you enter the startup command at the configuration prompt

D When an unconfigured PIX Firewall boots up or when you enter the setup command at the configuration mode prompt

Answer: D

Explanation:

A PIX Firewall requires some initial configuration before PDM can connect to it The setup dialog appears, via the console, at boot time if there is no configuration in the Flash memory

You can also access the setup command by typing setup from the Config mode

The dialog asks for the inside IP address, network mask, host name, domain name and PDM host The host and domain names are used to generate the default certificate for the SSL connection The interface type is determined from the hardware

Reference: Cisco PIX Firewall Software - Release Notes for the Cisco Secure PIX Firewall Version 6.0(1)

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a008008c3ce.html

QUESTION NO: 67

If you configure a VPN between a Cisco VPN Client and the PIX Firewall using shared keys for authentication, which should you do? (Choose two)

A Use pre-shared keys for authentication

B Use digital certificates for authentication instead of pre-shared keys

C Do not use digital certificates for authentication

D Ensure that the password on the VPN client matches the vpngroup password on the PIX Firewall

E Ensure that the group name differs from the VPN group name on the PIX Firewall

F Ensure that the group name on the VPN Client matches the vpngroup name on the PIX Firewall

Answer: D, F

Explanation:

The vpngroup command set lets you configure Cisco VPN 3000 Client policy attributes to be associated with a VPN group name and downloaded to the Cisco VPN 3000 Client(s) that are part of the given group. The same VPN group name is configured in the Cisco VPN 3000 Client to ensure the matching of VPN client or Easy VPN Remote policy.

Configure a VPN group name of "default" to create a VPN group policy that matches any group name. The PIX Firewall selects the VPN group name "default" if there is no other policy match.

Configure the VPN group's pre-shared key employing the vpngroup password command to be used during IKE authentication. This pre-shared key is equivalent to the password that you enter within the Group Password box of the Cisco VPN 3000 Client while configuring your group access information for a connection entry.

The PIX Firewall configured password displays in asterisks within the file configuration.

Reference: PIX Firewall Software Version 6.3 Commands

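An added remote-access (Easy VPN Server) configuration showing where the group name and group password that the VPN Client must match are defined; it is an example for this page, not TestKing or Cisco material. The pool, group name "engineering", DNS server, domain, passwords and the optional TACACS+ server tag MYTAC are assumptions.

```cisco
! Addresses handed to clients (assumed pool)
ip local pool VPNPOOL 10.10.10.1-10.10.10.50

! IKE for clients: pre-shared (group) key, 3DES/SHA, DH group 2
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2

! Dynamic crypto map: clients arrive from unknown addresses
crypto ipsec transform-set CLIENTSET esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set CLIENTSET
crypto map CLIENTMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map CLIENTMAP client configuration address initiate
crypto map CLIENTMAP interface outside
sysopt connection permit-ipsec

! Group policy. The client's Group Name must equal "engineering" and its
! Group Password must equal the vpngroup password, which is the IKE pre-shared key.
vpngroup engineering address-pool VPNPOOL
vpngroup engineering dns-server 10.1.1.5
vpngroup engineering default-domain example.com
vpngroup engineering idle-time 1800
vpngroup engineering password Gr0upS3cret

! Recommended: per-user XAUTH on top of the shared group key, against a
! TACACS+ server group already defined under the tag MYTAC (assumed)
crypto map CLIENTMAP client authentication MYTAC

show vpngroup
show crypto isakmp sa
```

Treat the group password as a shared secret with the lifetime of the weakest laptop it is installed on: a leaked group key alone lets an attacker complete IKE phase 1, so the per-user XAUTH line is what keeps group membership from being the only credential.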
QUESTION NO: 68

Which statement about the PIX Firewall and virtual HTTP is true?

A The PIX Firewall enables web browsers to work correctly with its HTTP authentication. The PIX Firewall redirects the web browser's initial connection to an IP address which resides on it, authenticates the user, and then redirects the browser back to the URL the user originally requested

B The PIX Firewall supports virtual Telnet, but not virtual HTTP

C The PIX Firewall enables RADIUS authorization by redirecting the web browser's initial connection to an IP address which resides on a web server you specify, authorizing the user, and then redirecting the browser back to the URL the user

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 129

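An added cut-through proxy configuration covering the AAA points raised in the HTTP re-authentication, aaa authentication, authentication-versus-authorization and virtual HTTP questions above. It is an example written for this page, not TestKing or Cisco text. The TACACS+ server address and key, the virtual addresses and the timeouts are assumptions, and the interface-name form of aaa authentication is the 6.2 and later syntax (earlier releases take inbound or outbound in that position).

```cisco
! TACACS+ server group (address and key assumed)
aaa-server MYTAC protocol tacacs+
aaa-server MYTAC (inside) host 10.1.1.20 T4cK3y timeout 10

! Authenticate outbound HTTP, FTP and Telnet from every inside host
aaa authentication include http inside 0 0 0 0 MYTAC
aaa authentication include ftp inside 0 0 0 0 MYTAC
aaa authentication include telnet inside 0 0 0 0 MYTAC
! Authorization and accounting ride on the authenticated session; they are
! meaningless without the authentication lines above
aaa authorization include any inside 0 0 0 0 MYTAC
aaa accounting include any inside 0 0 0 0 MYTAC

! Virtual HTTP: the browser's first request is redirected to an unused address
! on the PIX, the user authenticates there, then is redirected to the original URL
virtual http 10.1.1.254
! Virtual Telnet for services that have no login prompt of their own
virtual telnet 10.1.1.253

! Session limits: the absolute timer ends a uauth entry no matter how busy the
! user is; the inactivity timer ends idle ones sooner
timeout uauth 0:05:00 absolute uauth 0:01:00 inactivity

! Who is currently authenticated, and how to force everyone to re-authenticate
show uauth
clear uauth
```

When an HTTP session seems never to expire, compare show uauth over time with the syslog host at informational level: a browser replaying cached credentials shows up as a fresh authentication success each time the uauth entry lapses, which is the behaviour described in the HTTP authentication question above, not a timeout that failed to fire.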
QUESTION NO: 69

Which statement about object groups is true?

A Duplicate objects are allowed in object groups unless they are due to the inclusion of group objects

B An object group cannot be a member of another object group

C An object group can be a member of another object group

D Duplicate objects are not allowed in object groups

Answer: C

Explanation:

Object Grouping provides a way to group objects of a similar type into a group so that a single access rule can apply to all the objects in the group For example, consider the following three object groups:

- MyServices—Includes the TCP/UDP port numbers of the service requests that are allowed access to the internal network

- TrustedHosts—Includes the host and network addresses allowed access to the greatest range of services and servers

- PublicServers—Includes the host addresses of servers to which the greatest access is provided

After creating these groups, you could use a single access rule to allow trusted hosts to make specific service requests to a group of public servers. Object groups can also contain other object groups or be contained by other object groups.

Reference: Cisco PIX Firewall Software - Controlling Network Access and Use

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb721.html

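The MyServices, TrustedHosts and PublicServers groups described above (in this question and in the earlier object-group and duplicate-object questions), built out as one added example; it is not code from TestKing or from Cisco documentation. All addresses and ports are assumed, as is the single rule they feed, and the closing Turbo ACL line relates to the memory point from the Turbo ACL question.

```cisco
! Service group: the TCP ports trusted hosts may request (6.2+ syntax)
object-group service MyServices tcp
  port-object eq www
  port-object eq https
  port-object eq smtp

! Network groups (addresses assumed). 172.16.9.9 appears both directly in
! TrustedHosts and inside the nested PartnerNets group: a duplicate that
! comes from a group-object is permitted, a second literal line for the
! same host is not.
object-group network PartnerNets
  network-object 172.16.0.0 255.255.0.0
object-group network TrustedHosts
  network-object 198.51.100.0 255.255.255.0
  network-object host 172.16.9.9
  group-object PartnerNets

! Public (translated) addresses of the servers; an ACL on outside matches the
! global address, so each needs a static to its real inside address
object-group network PublicServers
  network-object host 203.0.113.10
  network-object host 203.0.113.11

! One rule in place of every source x destination x port combination
access-list OUTSIDE-IN permit tcp object-group TrustedHosts object-group PublicServers object-group MyServices
access-group OUTSIDE-IN in interface outside

! Turbo ACL compiles the EXPANDED entries (about 1 MB per 2000 elements
! beyond the 2.1 MB base), so check the expansion before enabling it on a
! small-memory model
show object-group
show access-list OUTSIDE-IN
access-list compiled
```

show access-list lists every expanded ACE with its own hit counter, which is also the quickest way to confirm that a nested group-object really contributed the members you expected.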
- Client host—Makes HTTP, Telnet, FTP, Voice over IP, and other service requests

- Server host—Responds to service requests

- Service type—Services are assigned to well-known, dynamically assigned, or secondary channel TCP or UDP ports

- Subnet—The network address of internal or external subnetworks where server or client hosts are located

- ICMP types—Such as ECHO-REPLY

Reference: Cisco PIX Firewall Software - Controlling Network Access and Use

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb721.html

QUESTION NO: 71

Why is the ASA important for the PIX Firewall? (Choose three)

A It monitors return packets to assure validity

B It allows two-way connections on all systems

C It allows one-way connection with an explicit configuration on each internal system

D It allows one-way connection with an explicit configuration on each external system

E It allows one-way connection without an explicit configuration for each internal system

F It randomizes the TCP sequence number, which minimizes the risk of attack

QUESTION NO: 72

Which statement about failover is true?

A When configuring the PIX Firewall for failover, you must configure the primary and secondary PIX Firewalls exactly the same

B Configuration can be modified on either the primary or secondary PIX Firewalls with the same result

C Configuration replication is automatic from the active PIX Firewall to the standby PIX Firewall

D The active PIX Firewall replicates only the failover configuration to the standby PIX Firewall

Answer: A

Explanation:

The two PIX Firewall units must be configured exactly the same and running the same software release. Configuration replication occurs over the failover cable from the Active unit to the Standby unit in three ways:

- When the Standby unit completes its initial bootup, the Active unit replicates its entire configuration to the Standby unit

- As commands are entered on the Active unit they are sent across the Failover Cable to the Standby unit

- By entering the write standby command on the Active unit, which forces the entire configuration in memory to be sent to the Standby unit

Reference: Cisco PIX Firewall Software - Advanced Configurations

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008996b.html

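An added example of the primary unit's failover configuration for a cable-based pair with a dedicated stateful link, tying together the replication, cable status, address takeover and stateful-link questions above; it is not taken from TestKing or Cisco documentation. Interface names, addresses and the use of ethernet2 as the state link are assumptions.

```cisco
! Dedicated state link must run full duplex (100BASE-T here)
interface ethernet2 100full
nameif ethernet2 stateful security10

! Active-side addresses stay with whichever unit is active
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address stateful 192.168.254.1 255.255.255.0

! Standby-side addresses: on failover the units swap both sets
failover ip address outside 203.0.113.2
failover ip address inside 10.1.1.2
failover ip address stateful 192.168.254.2

! Enable failover, name the state link, and keep the default 15 s hello interval
failover
failover link stateful
failover poll 15

! Enter configuration on the active unit only. Saving and pushing it makes the
! standby identical; anything typed on the standby is overwritten.
write memory
write standby

! Cable status should read Normal once interface monitoring has started;
! Waiting means it has not yet begun, Failed means the unit failed the tests
show failover
```

Check show failover on both units after write standby; a standby whose interfaces sit in Waiting long after boot usually points at a cabling or duplex mismatch on the monitored interfaces rather than at the failover cable itself.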
QUESTION NO: 73

Cisco PDM supports:

A Both answers are correct

B VPN commands

C IPSec commands

D Both answers are incorrect

Answer: A

Explanation: Answer should be either A or B. You can use the VPN tab on the PDM to configure VPN connections, which would include IPSec. You can also use the CLI from inside PDM to configure IPSec.

Reference: Cisco Secure PIX Firewall Advanced Exam Certification Guide p 115

Note: Cisco PIX Device Manager (PDM) is the graphical user interface (GUI) for configuring and monitoring your Cisco PIX Firewall or Firewall Services Module (FWSM) on a Catalyst

- Sends firewall command-line interface (CLI) commands to the firewall unit for you

- Enables you to visually monitor your firewall system, connections, IDS, and traffic on the interfaces

- Can create new firewall configurations or modify existing configurations that were originally implemented using the firewall CLI or Cisco Secure Policy Manager (CSPM)

- Monitors and configures one firewall unit at a time, but you can point your browser to more than one firewall unit and administer several from a single workstation

- Runs on platforms that support Java and does not require a separate plug-in (The PDM applet uploads to your workstation when you point your browser at the


A pix(config)#outbound 1 deny 0 0 eq jave pix(config)#apply (inside) 1 outgoing_src

B pix(config)#outbound 1 deny 0.0.0.0 0.0.0.0 java pix(config)#apply (inside) 1

outbound list_ID permit | deny ip_address [netmask [port[-port]]] [protocol]

B is correct because the netmask 0.0.0.0 indicates that any subnet mask (that is, any address) matches.

Reference: PIX Firewall Software Version 6.3 Commands

1-secure

2-monitor

3-test

4-improve

Choose the correct statements: (Choose all that apply)

A To make sure that your network security system works, you must test and validate it with a product such as Cisco Secure Scanner

B Monitoring of the network should be done with a real-time intrusion detection device such as Cisco Secure Intrusion Detection System

C To make sure that your network security system works, you must test and validate it with a product such as Cisco Secure Intrusion Detection System

D Monitoring of the network should be done with a real-time intrusion detection device such as Cisco Secure Scanner

Answer: A, B


Explanation:

A. Test the effectiveness of the security safeguards in place. Validation is a necessity. You may have a very sophisticated network security system, but if it is not configured or working properly, your network can be compromised. One tool that may be used to identify the security posture of the network is Cisco Secure Scanner.

B. Monitor the network for violations and attacks against the corporate policy. Violations can occur within the secured perimeter of the network from a disgruntled employee, or from outside the network from a hacker. A real-time intrusion detection system, such as the Cisco Secure Intrusion Detection System, can discover and prevent unauthorized entry.

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 11, 12

QUESTION NO: 77

What username and password establish an SSH connection to your PIX Firewall?

A username pixfirewall, password aaapass

B username pix, current enable password

C username pixfirewall, password attack

D username pix, current Telnet password

Answer: D

Explanation:

Connecting to the PIX Firewall with an SSH Client

To gain access to the PIX Firewall console using SSH, at the SSH client, enter the username pix and enter the Telnet password.

Reference: Accessing and Monitoring PIX Firewall

Posted: 22/10/2013, 16:15