Document: Managing Cisco Network pdf


640-442 Managing Cisco Network Security (MCNS)
Version 1.0
Leading the way in IT testing and certification tools, www.testking.com

Important Note
Please Read Carefully

Study Tips
This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check the products page on the TestKing web site for an update 3-4 days before the scheduled exam date.
Here is the procedure to get the latest version:
1. Go to www.testking.com
2. Click on Login (upper right corner)
3. Enter e-mail and password
4. The latest versions of all purchased products are downloadable from here. Just click the links.
For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

Feedback
Feedback on specific questions should be sent to feedback@testking.com. You should state
1. Exam number and version.
2. Question number.
3. Order number and login ID.
Our experts will answer your mail promptly.

Copyright
Each pdf file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular pdf file is being distributed by you, TestKing reserves the right to take legal action against you according to the International Copyright Laws.

QUESTION NO: 1
What are three commands that can be used in enabling NAT? (Choose three)
A. nat
B. static
C. global
D. conduit
E. xlate enable
Answer: A, B, C

QUESTION NO: 2
Which three databases are supported by the Cisco Secure ACS for UNIX? (Choose three)
A. Oracle
B. Sybase
C. NDS (Novell)
D. SQL Anywhere
E. Windows NT user database
Answer: A, B, D

QUESTION NO: 3
Given the following debug output:
    1d16h: %UPLINK-3-UPDOWN: Interface Serial3/0, changed state to up
    *Mar 2 16:52:297: Se3/0 PPP: Treating connection as a dedicated line
    *Mar 2 16:52:441: Se3/0 PPP: Phase is AUTHENTICATING, by this end
    *Mar 2 16:52:445: Se3/0 CHAP: O CHALLENGE id 7 len 29 from "NASx
Which two statements are true? (Choose two)
A. The user ID is NASx.
B. This is a connection attempt to an async port.
C. The connection is established on serial interface 3/0.
D. The user is authenticating using Challenge Handshake Authentication Protocol (CHAP).
E. The client is attempting to setup a Serial Internet Protocol (SLIP) connection.
Answer: C, D

QUESTION NO: 4
To ensure compatibility with IPSec when using Internet Key Exchange (IKE), what must be allowed through an access list (ACL)?
A. IP protocol 50 and TCP port 500
B. IP protocol 50 and UDP port 51
C. IP protocol 51, TCP port 500 and UDP port 50
D. IP protocol 50, IP Protocol 51 and UDP port 500
Answer: D

QUESTION NO: 5
Java inspection was properly configured with Context based Access Control (CBAC) to allow only applets from a trusted Web server. What happens when a user attempts to download an applet from an untrusted server using FTP (assuming that FTP is allowed between the two by CBAC)?
A. CBAC requests user authentication.
B. The applet is downloaded successfully.
C. The FTP session is terminated by CBAC.
D. The packets containing the applet are dropped by CBAC.
Answer: B

QUESTION NO: 6
Which Cisco IOS feature should be used when hiding multiple hosts behind a single IP address?
A. PAT
B. ACL
C. DHCP
D. CBAC
Answer: A

QUESTION NO: 7
Which encryption algorithms are supported by the Cisco Secure VPN Client?
A. Null, CAST-128 and DES
B. DES, Triple-DES and Null
C. DES, CAST-128 and Blowfish
D. DES, Blowfish and Diffie-Hellman
Answer: B

QUESTION NO: 8
Given the following output:
    Crypto Map: "s1first" idb: Serial0 local address: 172.16.254.201
    Crypto Map "s1first" 20 ipsec-isakmp
        Peer = 172.16.254.212
        Extended IP access list 101
            access-list 101 permit ip
                source: addr = 172.16.152.0/0.0.0.255
                dest: addr 0.0.0.0/255.255.255.255
        Current peer: 172.16.254.212
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PP3 (Y/N): N
        Transform sets=(secure1, )
Which command was used to generate this display?
A. show crypto ip map
B. show crypto ipsec sa
C. show crypto map
D. show crypto ipsec transform set
Answer: C

QUESTION NO: 9
The PIX firewall operates with three rules that govern how to use the security level field. What are these three rules? (Choose three)
A. Security level 0 is the least secure.
B. Security level 100 is the most secure.
C. The lowest security level is for the inside interface.
D. The highest security level is for the outside interface.
E. Conduit and static commands are required to enable traffic that originates from outside and has an inside destination.
Answer: A, B, E

QUESTION NO: 10
Which statement about the PIX password recovery procedure is true?
A. The password recovery of the PIX 515 requires an FTP server.
B. The PIX firewall needs to be reloaded during password recovery.
C. Password recovery can only be done on PIX firewall with floppy drive.
D. The config-register has to be set to 0x2142 before password recovery.
Answer: C

QUESTION NO: 11
Which three statements apply to AAA on a PIX firewall? (Choose three)
A. Only inbound connections can be authenticated by AAA.
B. FTP, HTTP and Telnet can be authenticated using AAA.
C. The PIX can authenticate Enable mode access using AAA.
D. The PIX can authenticate serial console access using AAA.
Answer: A, B, C

QUESTION NO: 12
Exhibit:
Which PIX command statically translates the IP address of the Mail server to 182.16.1.4?
A. static(dmz, outside) 172.16.2.4 182.16.1.4
B. static(outside,dmz ) 182.16.1.4 172.16.2.4
C. static(dmz, outside) 182.16.1.4 172.16.2.4
D. static(inside, outside) 182.16.1.4 172.16.2.4
Answer: B

QUESTION NO: 13
Which statement best describes the Encapsulation Security Payload (ESP) header?
A. It is inserted before an encapsulated IP header in Tunnel mode.
B. It is inserted before an encapsulated IP header in Transparent mode.
C. It is inserted after the IP header and before the upper layer protocol header in Tunnel mode.
D. It is inserted after the IP header and after the upper layer protocol header in Transport mode.
Answer: A

QUESTION NO: 14
Which two protocols are known to pose security threats? (Choose two)
A. SNMP
B. NNTP
C. SMTP
D. CHAP
E. Frame Relay
Answer: A, C

QUESTION NO: 15
If a Security Association (SA) was previously established with Internet Key Exchange (IKE), what will the following command do on the router?
A. It clears the SA symmetric key.
B. It clears the SA authentication key.
C. It deletes SA from the SA database.
D. It re-initializes every peer's secret key.
Answer: C

QUESTION NO: 16
After the installation of Cisco Secure VPN Client is complete, you need either __________ for authentication
A. A user ID or a password.
B. An error-correcting code (ECC) key or a pre-shared key.
C. An ECC key or a digital certificate.
D. A pre-shared key or a digital certificate.
Answer: A

QUESTION NO: 17
Which two statements are true (Choose two)
A. There are few good security products.
B. A lack of a consistent security policy is a security risk.
C. Security should only be implemented on the perimeter devices.
D. Individual products must be integrate from a complete network solution.
Answer: B, C

QUESTION NO: 18
A masquerade attack occurs when an attacker pretends to come from a trusted host by stealing its _____________
A. User group
B. IP address
C. Account ID
D. Challenge handshake authentication protocol (CHAP) password
Answer: B

QUESTION NO: 19
Which command is most useful to troubleshoot a Challenge Handshake Authentication Protocol (CHAP) authentication attempt?
A. Show user
B. Debug aaa accounting
C. Debug aaa authorization
D. Debug ppp authentication
Answer: D

QUESTION NO: 20
When the nat (inside) 0 command is configured on a PIX firewall, ________ IP address are translated
A. DMZ
B. No inside
C. Only private
D. Global outside
Answer: B

QUESTION NO: 21
Which two commands prevent a chargen attack? (Choose two)
A. no ip redirects
B. no service finger
C. no chargen enable
D. no tcp-small-servers
E. no udp-small-servers
Answer: D

QUESTION NO: 22
Which 3 services can be authenticated using AAA on a PIX firewall? (Choose three)
A. FTP
B. POP
C. HTTP
D. SMTP
E. TFTP
F. TELNET
Answer: A, C, F

QUESTION NO: 23
Which three external databases are supported by CSNT (Choose three)
A. NDS
B. Oracle
C. Windows NT
D. Token server
Answer: A, C, D

QUESTION NO: 24
You generate general purpose RSA keys. The router will have one _____________
A. RSA key pair
B. RSA key pair per peer
C. RSA key pair and one certificate per peer
D. RSA key pair per peer and one certificate per peer
Answer: A

QUESTION NO: 25
Which three statements about Encapsulation Security Payload are true? (Choose three)
A. It encapsulates the data.
B. It uses symmetric secret key algorithms.
C. It provides protection to the outer headers.
D. It encrypts the payload for data confidentiality.
Answer: A, B, D

QUESTION NO: 26
Exhibit: [...]...

... NAS can access multiple Cisco secure ACS for NT servers
Cisco Secure ACS for NT servers can only log on to external servers
The Cisco secure ACS for NT server supports both TACACS+ and RADIUS
Database replication is supported by the Cisco secure ACS for NT servers
The service used for authentication and authorization on a Cisco secure ACS for NT server is called CSAdmin
F. The Cisco Secure ACS for NT...

... following configuration statement:
    Router(config)# aaa account network wait-start radius
Which three statements are true? (Choose three)
A. The accounting records are stored on a Remote Access Dial-In User Service (RADIUS) Server
B. Stop-accounting records for network service requests are sent to the RADIUS server
C. Start-accounting records for network service requests are sent to the local database
D. The...

... Answer: B, D

QUESTION NO: 67
Which three databases are supported by the Cisco Secure ACS for UNIX (Choose three)
A. Oracle
B. Sybase
C. NDS (Novell)
D. SQL Anywhere
E. Windows NT user database
Answer: A, B, D

QUESTION NO: 68
To enable Network address translation on the PIX firewall for all internal hosts, which two commands need to be used? (Choose two)
A...

... disaster recovery plan misconfigured network equipment
Answer: C, D

QUESTION NO: 44
Which command demonstrates a successful login for a specific user?
A B C D show show show show all user interface aaa accounting
Answer: D

QUESTION NO: 45
What are three benefits delivered by the PIX Network address translation (Choose...

... AuthRADIUS (inside) host 10.1.1.1 ciscomcns timeout 20
    aaa-server AuthRADIUS (inside) host 10.1.1.2 mcns timeout 5
    aaa-authentication ftp outbound 0 0 AuthRADIUS
Which three statements are TRUE? (Choose three)
A. Host 10.1.1.1 is an AAA server
B. RADIUS protocol is used for authentication
C. All outbound FTP connections will be prompted for username and password by the PIX
D. The key "ciscomcns" is used between...

... address translation (Choose three)
A. It hides the MAC address
B. It automates IP renumbering of internal hosts
C. It hides internal networks addressing scheme to the outside world
D. It enables Internet access from the hosts with unregistered IP addresses
E. It enables a network connected to the Internet to be independent of Internet address limitation
Answer: B, C, D

QUESTION NO: 46
TCP intercept is used...

... B, E

QUESTION NO: 69
Which firewall command manually saves the configuration of the active failover unit to the standby failover unit from the RAM in the active to the RAM in the standby?
A. Write network
B. Write standby
C. Write failover
D. Write secondary
Answer: B

QUESTION NO: 70
Given the inspect statement ip inspect...

... C D E FTP Server DNS Server Web server Mail server Enterprise server
Answer: E

QUESTION NO: 40
Which three tools are used to counter an unauthorized access attempt? (Choose three)
A. Encryption
B. Cisco IOS Lock and Key feature
C. Terminal Access Controller Control System (TACACS)
D. Challenge Handshake Authentication Protocol (CHAP) authentication
Answer: B, C, D

QUESTION NO: 41
Exhibit: ...

... another interface that has a higher security level
D. To permit access to the servers on the DMZ segment from outside hosts, a conduit command is required
Answer: D

QUESTION NO: 81
Which protocol is used by Cisco IOS Cryptosystem to securely exchange encryption keys for IPSEC?
A. Diffie-Hellman
B. Data Encryption Standard (DES)
C. Digital Signature Standard (DSS)
D. Encapsulation Security Payload (ESP)
Answer:...

... allows you to specify _
A. Whether inside users can create inbound connections
B. Whether inside users can access specific outside servers
C. Whether outbound connections can execute ActiveX on the inside network
D. What services outside users can use for inbound connections and for accessing inside servers
Answer: B

Date posted: 21/12/2013, 06:19
