Document: Cisco Secure PIX Firewall Advanced (CSPFA) - Version 3.0 pptx

DOCUMENT INFORMATION

Basic information

Title: Cisco Secure PIX Firewall Advanced (CSPFA) - Version 3.0
School: TestKing
Subject: IT Testing and Certification Tools
Type: pptx
Pages: 68
Size: 834.79 KB

9E0-571

Cisco Secure PIX Firewall

Advanced (CSPFA)

Version 3.0

Latest Version

We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check the products page on the TestKing web site for an update 3-4 days before the scheduled exam date.

Here is the procedure to get the latest version:

1. Go to www.testking.com

2. Click on Login (upper right corner)

3. Enter e-mail and password

4. The latest versions of all purchased products are downloadable from here. Just click the links.

For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

Feedback

Feedback on specific questions should be sent to feedback@testking.com. You should state:

1. Exam number and version

2. Question number

3. Order number and login ID

Our experts will answer your mail promptly.

Copyright

Each pdf file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular pdf file is being distributed by you, TestKing reserves the right to take legal action against you according to the International Copyright Laws.

Note: Section A contains 59 questions and Section B contains 170 The total numbers of

Which two AAA protocols and servers does the PIX Firewall support? (Choose two)

A Access control list

B Synchronous Communication Server

C Remote Authentication Dial-In User Service

D Terminal Access Controller Access Control System Plus

What does the nat command allow you to do on the PIX Firewall? (Choose two)

A Enable address translation for internal addresses

B Enable address translation for external addresses

C Disable address translation for internal addresses

D Disable address translation for external addresses

E Enable address translation for both external and internal addresses

F Disable address translation for both external and internal addresses

D Configure the PIX Firewall

E Configure the IKE parameters

F Configure the IPSec parameters

G Prepare for configuring VPN support

H Test and verify the VPN configuration

What should you do to prepare for configuring VPN support on the PIX Firewall?

A Plan in advance

B Minimize mis-configuration

C Configure IPSec encryption correctly the first time

D Define the overall security needs and strategy based on the overall company security policy

QUESTION NO: 10

What are packets inspected for on the PIX firewall?

A For invalid users

B For mis-configuration

C For incorrect addresses

D For malicious application misuse

B Network address translation

C Protocol address translation

D Content-Based Access Control

Answer: B, D

QUESTION NO: 12

Which three thresholds does CBAC on the Cisco IOS Firewall provide against DoS attacks? (Choose Three)

A The number of half-open sessions based upon time

B The total number of half open TCP or UDP sessions

C The number of fully-open sessions based upon time

D The number of half-open TCP-only sessions per host

E The total number of fully-open TCP or UDP sessions

F The number of fully-open TCP-only sessions per host

Answer: A, B, D

QUESTION NO: 13

What does CBAC on the Cisco IOS Firewall do?

A Creates specific security policies for each user

B Protects the network from internal attacks and threats

C Provides additional visibility at intranet, extranet and Internet perimeters

D Provides secure, per-application access control across network perimeters

Answer: D

QUESTION NO: 14

What are three methods for configuring basic router security on the Cisco IOS Firewall? (Choose three)

A Turn off services

B Set global timeouts

C Set global thresholds

D Use password encryption

E Define inspection rules

F Set console and VTY access

Answer: B, C, E

QUESTION NO: 15

Why does the aaa command reference the group tag on the PIX Firewall?

A To direct the interface name to the AAA server

B To direct the IP address to the appropriate AAA server

C To direct authentication, authorization or accounting traffic to the appropriate AAA server

D To direct authentication, authorization or accounting traffic to the appropriate PIX Firewall

Answer: C

Enter the command that enables failover between two PIX Firewalls

Answer: Failover active

What does deny mean in regards to crypto access lists on the PIX firewall?

A It specifies that no packets are encrypted

B It specifies that matching packets must be encrypted

C It specifies that mismatched packets must be encrypted

D It specifies that matching packets need not be encrypted

C To identify IPSec peer router Internet Protocol addresses and host names

D To determine key distribution methods based on the numbers and locations of IPSec peers

Answer: B

QUESTION NO: 22

Which three problems can ActiveX cause for network clients using the PIX Firewall? (Choose three)

A It can attack servers

B It can block HTML commands

C It can block HTML comments

D It can download Java applets

E It can cause workstations to fail

F It can introduce network security problems

Answer: A, ?, ?

QUESTION NO: 23

How does passive mode FTP on the PIX firewall support inside clients without exposing them to attack?

A There is no data connection

B Port 20 remains open from outside to inside

C Port 21 remains open from inside to outside

D The client initiates both the command and data connections

Answer: D

Why does failover begin a series of interface tests on the PIX Firewall?

A To check the failover cable

B To clear the received packets

C To determine which PIX Firewall has failed

D To determine which interface has the failover packet

Answer: C

A It routes traffic in the clear

B It configures the transform set

C It encrypts Internet Protocol packets

D It causes all Internet protocol traffic to be protected by crypto

C It causes UDP session hijacking and denial-of-service attacks

D It prevents UDP session hijacking and denial-of-service attacks

E It automatically creates a UDP conduit as soon as the DNS response is received

F It automatically tears down a UDP conduit as soon as the DNS response is received

Answer: C

QUESTION NO: 34

What does the authentication proxy feature of the Cisco IOS Firewall allow network administrators to do?

A Tailor access privileges on an individual basis

B Use a general policy applied across multiple users

C Use a single security policy that is applied to an entire user group or subnet

D Keep user policies active even when there is no active traffic from the authenticated users

Answer: A

QUESTION NO: 35

What happens when you see the "Authentication Successful" message during the virtual Telnet authentication of the PIX Firewall?

A The user is automatically logged out

B All entries in the uauth cache are cleared

C The user must provide a username and password

D Authentication credentials are cached in the PIX Firewall for the duration of the uauth timeout

Answer: D

QUESTION NO: 36

What happens at the end of each test during failover interface testing on the PIX firewall?

A Network traffic is generated

B The PIX Firewall receives traffic for a test

C Each PIX Firewall looks to see if it has received any traffic

D Each PIX Firewall clears its received packet count for its interface

Answer: C

QUESTION NO: 37

Enter the command that assigns a name and a security level to each interface of the PIX

Answer: nameif ethernet0 perimeter1 security100

C Apply crypto map

D Configure crypto map

E Enable or disable IKE

F Verify IKE phase 1 details

G Configure phase 1 policy

H Configure IKE pre-shared key

Answer:

QUESTION NO: 40

Which four items does the outbound command let you specify on the PIX Firewall? (Choose four)

A Whether inside users can access outside servers

B Whether outside users can access outside servers

C Whether inside users can use outbound connections

D Whether outside users can use inbound connections

E Whether outbound connections can execute Java applets on the inside network

F Whether inbound connections can execute Java applets on the outside network

G Which services outside users can use for inbound connections and for accessing inside servers

H Which services inside users can use for outbound connections and for accessing outside servers

Answer: A, C, E, H

QUESTION NO: 41

How does the user trigger the authentication proxy after the idle timer expires?

A By authenticating the user

B By initiating another HTTP session

C By entering a new user name and password

D By entering a valid user name and password

Answer: D

E Intrusion detection systems

F Content based access control

Which addresses does the primary PIX Firewall use when in active mode?

A Media access control addresses only

B System Internet Protocol addresses and media access control addresses

C Failover Internet Protocol addresses and media access control addresses

D System Internet Protocol addresses and failover Internet Protocol addresses

Answer: B

QUESTION NO: 45

What is the purpose of verifying the IKE Phase 1 policy with the PIX Firewall?

A To specify the hash algorithm

B To configure the IPSec parameters

C To specify the authentication method

D To display configured and default IKE policies

Answer: D

QUESTION NO: 46

What is the purpose of WebSENSE with the PIX Firewall?

A To control or monitor e-mail activity

B To control or monitor Internet activity

C To control or monitor inside client activity

D To control or monitor outside client activity

C The connection request is dropped

D The connection request is completed

A It monitors return packets to assure validity

B It allows two-way connections on all systems

C It allows one-way connection with an explicit configuration on each internal system

D It allows one-way connection with an explicit configuration on each external system

E It allows one-way connection without an explicit configuration on each internal system

F It randomizes the TCP sequence number, which minimizes the risk of attack

Answer: A, C, F

QUESTION NO: 50

How do you choose the specific values for each IKE parameter when using the PIX Firewall?

A Using host names

B Using the remote level you desire and the host peer you will connect to

C Using the remote level you desire and the destination peer you will connect to

D Using the security level you desire and the type of IPSec peer you will connect to

Answer: B

QUESTION NO: 51

What is the purpose of UDP resend on the PIX Firewall when using Real Networks' RDT mode?

A It connects the client to the server

B It connects the outside client to the inside client

C The client requests that the server try to resend lost data packets

D Media delivery uses the standard UDP packet format to go from the server to the client

Answer: C

QUESTION NO: 52

What happens in the aggressive mode of the CBAC on the Cisco IOS Firewall?

A CBAC deletes all half-open sessions

B CBAC re-initiates half-open sessions

C CBAC completes all half-open sessions, making them fully-open sessions

D CBAC deletes half-open sessions as required to accommodate new connection requests

What does permit mean in regards to crypto access lists on the PIX Firewall?

A It specifies that no packets are encrypted

B It specifies that matching packets must be encrypted

C It specifies that mismatched packets must be encrypted

D It specifies that matching packets need not be encrypted

Answer: B

QUESTION NO: 56

How does the PIX firewall provide secure connections for Real Audio and CUSeeME?

A It statically opens UDP ports

B It statically closes UDP ports

C It statically opens and closes UDP ports

D It dynamically opens and closes UDP ports

Answer: D

QUESTION NO: 57

What does a half-open TCP session on the Cisco IOS Firewall mean?

A The session was denied

B The firewall detected return traffic

C A three-way handshake has been completed

D The session has not reached the established state

Answer: D

QUESTION NO: 58

Why do the connections remain with stateful failover on the PIX Firewall?

A Stateful failover passes per-connection stateful information to the active PIX Firewall

B Stateful failover passes per-connection stateful information to the standby PIX

B Default hostname of the Cisco PIX

C Network access translations

D IP addressing translating

Answer: D

QUESTION NO: 3

What does PAM stand for?

A Port address mapping

B Port allocation mapping

C Port to application mapping

D Port address management

How do you save the PAM mappings?

A Copy pam-mappings flash

B They are automatically saved

C Save pam-mappings

D Copy run start

Answer: D

QUESTION NO: 7

What command enables the failover feature on the PIX506?

A Failover is not supported on the PIX506

What needs to be done to the clients in case of a PIX stateful failover situation?

A A router is required to redirect to the PIX in case of failover

B The arp table must be cleared on all client computers

C All clients must have the default gateway changed to the now active PIX

D Nothing

Answer: D

Actually, nothing needs to be done if two PIXs are hooked up and failover is active, and the Primary fails. With stateful failover, all the actual connection states that are created in the Primary PIX are replicated to the standby PIX. In the event of a failover, the XLATE table is the same on the standby unit, so when it becomes the Primary, nothing needs to be done. It is transparent to all the hosts on the network.

QUESTION NO: 9

What three commands are required for stateful failover?

A failover ip address inside 10.1.1.2

What is a limitation of PAT?

A Very processor intensive

B Supports very few clients

C Only supported on Cisco IOS routers

D Does not support multi-media protocols

QUESTION NO: 12

How are outbound TCP sessions handled?

A TCP sessions are allowed inbound unless blocked by an access list

B PIX does not inspect TCP traffic

C TCP sessions are maintained in a state table

D TCP sessions are authorized inbound and outbound by default

What would be the purpose of multiple interfaces?

A For redundant Internet connections

B To create separate secure networks

QUESTION NO: 16

What are some limitations of authentication proxy?

A Client browsers must have JavaScript enabled for secure authentication

B Does not support AAA

C HTTP must be running on the standard port

D HTTP is the only triggering protocol

Answer: A, B, C, D

QUESTION NO: 17

What are TCP half open sessions?

A TCP sessions that span several ports

B One way TCP sessions

C TCP sessions that have not completed the 3-way handshake

D TCP sessions initiated from inside the PIX

Answer: C

QUESTION NO: 18

What is the purpose of inspection rules in CBAC configurations?

A Defines what IP traffic is denied

B Defines what application layer protocols will be denied

C Defines what IP traffic will be permitted

D Defines what application layer protocols will be inspected

Answer: A, B, C, D

QUESTION NO: 20

By default, how are outbound connections handled by the PIX?

A All outbound connections are allowed, except those specifically denied by access control lists

B All ports on the PIX are open by default until you lock them down. Therefore all connections are allowed until access control lists are implemented

C Depends upon the user

D All outbound connections are denied, except those specifically allowed

What command enables authentication proxy?

A router(conf)#ip authentication-proxy <name>

B router#ip authentication-proxy <name>

C router(conf-if)#ip authentication-proxy <name>

D router#enable ip authentication proxy

Answer: C

QUESTION NO: 23

What command enables ActiveX blocking?

How do you view all active static translations?

A show static translations

B show all static translations

C show xlate state static

D show translations state static

What command is used to disable NAT?

What is the purpose of authorization with AAA?

A Authorization is not supported on the PIX

B To determine who has authorized access

C To determine what services a user is authorized to utilize

D To determine which PIX is authorized to allow traffic to pass

Answer: C

What is data integrity?

A IPSec receiver can detect & reject replayed packets

B Packets are authenticated by receiver to ensure no alterations have been made

C Packets are encrypted before transmitting them across a network

D Receiver can authenticate source of IPSec packets

Answer: B

QUESTION NO: 33

What is anti-replay?

A Receiver can authenticate source of IPSec packets

B Receiver authenticates packets to ensure no alterations have been made

C IPSec receiver can detect & reject replayed packets

D IPSec sender can encrypt packets before transmitting them across a network

Answer: C

QUESTION NO: 34

How do you display dynamic ACL entries on an authentication proxy router?

A Show access-list authentication proxy

B Show dynamic-entries access-list

C Show access-list

D Show authentication-proxy access-list entries

Answer: C

QUESTION NO: 35

What happens if the global timeouts are different on two IPSec peers?

A Nothing

B The highest value is used

C The lowest value is used

D The PIX default timeout is used

Answer: C

QUESTION NO: 36

What is the purpose of the alias command?

A To allow internal users to use the FQDN that is registered on an external DNS server

B To assign a name to an IP host

C To hide inside addresses from the Internet

D To assign a name to the PIX firewall

Answer: A

QUESTION NO: 37

What three things does IKE provide?

A Security payload encapsulation

B IPSec peer authentication

C IPSec SA negotiations

D IPSec key establishment

Answer: B, C, D

QUESTION NO: 38

What is required to perform a password recovery on the PIX520?

A Change to the boot sequence

B Change to the registry

C Pix Password Lockout Utility

D Reboot

Answer: C, D

QUESTION NO: 39

How do you edit a system defined PAM mapping?

A ip pam <port number>

B System defined mappings cannot be changed

C ip port-map <port number>

D ip port-map port <port number>

Answer: B

QUESTION NO: 40

What is data origin authentication?

A Receiver authenticates packets to ensure no alterations have been made

B IPSec receiver can detect & reject replayed packets

C IPSec sender can encrypt packets before transmitting them across a network

D Receiver can authenticate source of IPSec packets

Answer: D

QUESTION NO: 41

What does CBAC offer?

A Application layer examination

A The activation key cannot be changed

B Enable DES

C Upgrade IOS version

D Install new memory

Answer: B

QUESTION NO: 43

What does the AH security protocol provide?

A encrypted data routing

C It allows HTTP & FTP traffic to port 21

D It allows FTP traffic to port 80 and HTTP traffic to port 21

Answer: B

Date posted: 24/01/2014, 10:20
