TestKing 640-100 Edt7 pdf document


640-100 (MCNS) Managing Cisco Network Security
Version 7.0

640 - 100 Leading the way in IT testing and certification tools, www.testking.com - 2 -

Important Note, Please Read Carefully

Study Tips
This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Further Material
For this test TestKing also provides:
* Interactive Test Engine Examinator. Check out an Examinator Demo at http://www.testking.com/index.cfm?pageid=724

Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check your member zone at TestKing for an update 3-4 days before the scheduled exam date. Here is the procedure to get the latest version:
1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click the links.
For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

Feedback
Feedback on specific questions should be sent to feedback@testking.com. You should state: exam number and version, question number, and login ID. Our experts will answer your mail promptly.

Explanations
Currently this product does not include explanations. If you are interested in providing TestKing with explanations, contact feedback@testking.com. Include the following information: exam, your background regarding this exam in particular, and what you consider a reasonable compensation for the work.

Copyright
Each pdf file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular pdf file is being distributed by you, TestKing reserves the right to take legal action against you according to the International Copyright Laws.

Section A contains 82 questions. Section B contains 113 questions. The total number of questions is 195.

Section A

QUESTION NO: 1
Which of the following is the correct command to create a dynamic crypto map entry?
A. router(config-if)#crypto dynamic map mydyn 15
B. router(config)#crypto dynamic-map mydyn 15
C. router(config)#crypto map dynamic mydyn 15
D. router(config)#crypto dynamic-map mydyn 15 enable
Answer: B
Explanation:
To create a dynamic crypto map entry and enter the crypto map configuration command mode, use the crypto dynamic-map command in global configuration mode.
Reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_c2g.htm#1069489

QUESTION NO: 2
What is the maximum number of "transforms" in the command:
router(config)#crypto ipsec transform-set Tsname transform1
A. 4
B. 3
C. 2
D. Unlimited
Answer: B
Explanation:
Up to three transforms can be in a set. Sets are limited to up to one AH and one or two ESP transforms.
Reference: Cisco Secure PIX Firewalls (Ciscopress) Page 212

QUESTION NO: 3
Which of the following statements are true? (Choose all that apply)
A. A message encrypted using Bob's public key can only be decrypted using Alice's public key.
B. A message encrypted using Bob's public key can only be decrypted by using Bob's private key.
C. A message encrypted using Bob's private key can only be decrypted using Alice's private key.
D. A message encrypted using Bob's private key can only be decrypted by using Bob's public key.
Answer: B, D
Explanation:
Public and private keys are the ciphers used to encrypt and decrypt information. While the public key is shared quite freely, the private key is never given out. Each public-private key pair works together: data encrypted with the public key can only be decrypted with the private key.
Reference: CiscoWorks Common Services Software - Understanding CiscoWorks Security
http://www.cisco.com/en/US/products/sw/cscowork/ps3996/products_user_guide_chapter09186a008017b74d.html

QUESTION NO: 4
What type of Access List are we talking about when we say: It creates temporary openings in access lists at firewall interfaces. These openings occur when specified traffic exits the internal network through the firewall. It allows the traffic back through the firewall only if it is part of the same session as the original traffic that triggered it when exiting the firewall.
A. Dynamic (Lock & Key)
B. CBAC
C. Reflexive Access List
D. Time-of-Day Access List
Answer: B
Explanation:
Context-based Access Control (CBAC) examines not only network layer and transport layer information, but also examines the application-layer protocol information (such as FTP information) to learn about the state of TCP and UDP connections. CBAC maintains connection state information for individual connections. This state information is used to make intelligent decisions about whether packets should be permitted or denied, and dynamically creates and deletes temporary openings in the firewall.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d9815.html

QUESTION NO: 5
What is the purpose of the following commands:
Router(config)#line con 0
Router(config-line)#login authentication no_tacacs
A. Specifies that for authentication, any other method except tacacs is permitted (Radius for example).
B. Specifies that the AAA authentication is not necessary when using console.
C. Specifies that the AAA authentication list called no_tacacs is to be used on the console.
D. Specifies that tacacs+ has been configured with no shared key, so no authentication is necessary.
Answer: C
Explanation:
To enable authentication, authorization, and accounting (AAA) authentication for logins, use the login authentication command in line configuration mode.
Reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_i2g.htm#1072266

QUESTION NO: 6
In a masquerade attack, what does an attacker steal when pretending to come from a trusted host?
A. Account identification
B. User group
C. IP address
D. CHAP password
Answer: C
Explanation:
IP spoofing
An IP spoofing attack occurs when an attacker outside your network pretends to be a trusted user either by using an IP address that is within the range of IP addresses for your network or by using an authorized external IP address that you trust and to which you wish to provide access to specified resources on your network. Should an attacker get access to your IPSec security parameters, that attacker can masquerade as the remote user authorized to connect to the corporate network.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a008007fee4.html

QUESTION NO: 7
What three typical security weaknesses exist in any implementation? (Choose three)
A. Policy weakness
B. Technology weakness
C. Hardware weakness
D. Encryption weakness
E. Configuration weakness
F. UDP protocol weakness
Answer: A, B, E
Explanation:
There are at least three primary reasons for network security:
• Technology weaknesses – Each network and computing technology has inherent security problems.
• Configuration weaknesses – Even the most secure technology can be misconfigured or misused, exposing security problems.
• Policy weakness – A poorly defined or improperly implemented and managed security policy can make the best security and network technology ripe for security abuse.
Reference: Managing Cisco Network Security (Ciscopress) page 6

QUESTION NO: 8
Select the three RADIUS servers supported by the Cisco IOS Firewall authentication proxy. (Choose three)
A. Cisco Secure ACS for Windows NT/2000.
B. Oracle
C. DB2
D. Cisco Secure ACS for UNIX.
E. TACACS+
F. Lucent
Answer: A, D, F
Explanation:
The supported AAA servers are CiscoSecure ACS 2.3 for Windows NT, CiscoSecure ACS 2.3 for UNIX, TACACS+ server (vF4.02.alpha), Ascend RADIUS server - radius-980618 (required avpair patch), and Livingston (now Lucent) RADIUS server (v1.16).
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide_chapter09186a00800a17ec.html

QUESTION NO: 9
Given the following configuration statement, which three statements are true? (Choose three)
Router(config)#aaa accounting network wait-start radius
A. The accounting records are stored on a TACACS+ server.
B. Stop-accounting records for network service requests are sent to the TACACS+ server.
C. The accounting records are stored on a RADIUS server.
D. Start-accounting records for network service requests are sent to the local database.
E. Stop-accounting records for network service requests are sent to the RADIUS server.
F. The requested service cannot start until the acknowledgement has been received from the RADIUS server.
Answer: C, E, F
Explanation:
Router(config)#aaa accounting network wait-start radius
aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} tacacs+
• Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.
• Network - Enables accounting for all network-related requests, including SLIP, PPP, PPP network control protocols, and ARAP.
• wait-start - This keyword causes both a start and stop accounting record to be sent to the accounting server. However, the requested user service does not begin until the start accounting record is acknowledged. A stop accounting record is also sent.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_chapter09186a00800eb6e4.html

QUESTION NO: 10
Which three external databases are supported by Cisco Secure ACS for Windows? (Choose three)
A. Netware NDS
B. Oracle
C. Windows-NT/2000
D. Token Server
E. SQL-Linux
F. AAA
Answer: A, C, D
Explanation:
You can select the CiscoSecure user database or configure an external user database such as Windows NT/2000, Open Database Connectivity (ODBC), generic Lightweight Directory Access Protocol (LDAP), Microsoft Commercial Internet System (MCIS), Novell NetWare Directory Services (NDS), or a token-card database to authenticate usernames and passwords according to your network requirements. This chapter discusses the advantages and limitations of each option.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6bb.html

QUESTION NO: 11
Given the following configuration statement, which two statements are true? (Choose two)
router(config)#aaa authentication login default tacacs+ none
A. No authentication is required to login.
B. TACACS is the default login method for all authentication.
C. If TACACS process is unavailable, no access is permitted.
D. RADIUS is the default login method for all authentication.
E. If the TACACS process is unavailable, no login is required.
F. If the RADIUS process is unavailable, no login is required.
Answer: B, E
Explanation:
Use TACACS+ authentication; if a CiscoSecure ACS is not available, use the NAS's local user database password. However, all other users can only use TACACS+: none – no authorization is performed.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_chapter09186a008015c5c3.html

QUESTION NO: 12
How many kilobytes of memory are consumed by each alarm stored in a router queue?
A. 5
B. 10
C. 16
D. 32
E. 64
Answer: D
Explanation:
With the option buffersize kilobytes, the size of the buffer used for crashinfo files can be changed. The default size is 32 KB (maximum is 100 KB, configured using exception crashinfo buffer 100).
Reference: http://www.cisco.com/en/US/products/hw/routers/ps167/products_tech_note09186a0080093e29.shtml

QUESTION NO: 13
Choose the three actions that the IOS Firewall IDS router may perform when a packet, or a number of packets in a session, match a signature. (Choose three)
A. Forward packet to the Cisco IDS Host Sensor for further analysis.
B. Send alarm to the Cisco IDS Director or Syslog server.
C. Send an alarm to Cisco Secure ACS.
D. Set the packet reset flag and forward the packet through.
E. Drop the packet immediately.
F. Return the packet to the sender.
Answer: B, D, E
Explanation:
The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog or the Cisco Secure Intrusion Detection System (Cisco Secure IDS, formerly known as NetRanger) Post Office Protocol. The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to take these actions:
• Send an alarm to a syslog server or a Cisco Secure IDS Director (centralized management interface)
• Drop the packet
• Reset the TCP connection
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d9819.html

QUESTION NO: 14
Exhibit:
In order to prevent external (internet) users from pinging the PIX, which access list (ACL) statement should be configured on the external interface of the perimeter router?
A. Access-list 102 deny tcp any 182.16.1.1 0.0.0.0
B. Access-list 102 deny icmp any 182.16.1.1 0.0.0.0 echo
C. Access-list 102 permit tcp any 182.16.1.1 0.0.0.0 echo
D. Access-list 102 deny icmp any 182.16.1.1 0.0.0.0 echo-reply
Answer: D
Explanation:
Echo-reply added to the end of the command implies no ping responses to the PIX.
Reference: Managing Cisco Network Security (Ciscopress) page 728

QUESTION NO: 15
Which protocol is used by Cisco IOS Cryptosystem to securely exchange encryption keys for IPSec?
A. DH
B. DES
C. Digital Signature Standard
D. ESP
Answer: A
Explanation:
[...]

... UDP 182.16.1.0 255.255.0.0 0.0.0.0 255.255.255.255
Answer: C
Explanation:
access-list 101 deny IP 182.16.1.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list command – command to deny access to the 182.16.1.0 0.0.0.255 addresses from any address (0.0.0.0 255.255.255.255)
Reference: Managing Cisco Network Security (Ciscopress)...

... crypto ACLs
Answer: A, D, E
Explanation:
Four key tasks are involved in configuring IPSec encryption using preshared keys on the PIX Firewall:
Task 1: Prepare for IPSec
Task 2: Configure IKE for preshared keys
Task 3: Configure IPSec
Task 4: Test and verify the overall IPSec configuration
Reference: Managing Cisco...

... pretending to be the sender
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080106f63.html

QUESTION NO: 21
Which of the following statements best describes a digital certificate:
A. A digital certificate is issued by the trusted certificate authority to the requesting...

... algorithms used to secure data at the network layer. IPSec consists of two protocols and two protection modes. Choose these two protocols: (Choose two)
A. ESP
B. SHA1
C. AH
D. DSA
E. MD5
Answer: A, C
Explanation:
IPSec provides authentication and encryption services to protect unauthorized viewing or modification of data within...

... per-interface basis
• Network - Enables accounting for all network-related requests, including SLIP, PPP, PPP network control protocols, and ARAP
• wait-start - This keyword causes both a start and stop accounting record to be sent to the accounting server. However, the requested user service does not begin until the start...

... ISDN lines, or Primary Rate Interface (PRI) ISDN interfaces on Cisco routers
Reference: Managing Cisco Network Security (Ciscopress) page 114

QUESTION NO: 27
Which configuration command causes a start-accounting record for a Point-to-Point session to be sent to a TACACS+ server?
A. aaa authentication...
B. aaa ...
C. aaa ...
D. aaa ...
E. aaa ...

... that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_command_reference_chapter09186a00800d9806.html

QUESTION NO: 29
What kind of signature trigger on...

... (Choose three)
A. DES
B. ESP
C. IPCOMP-LZS
D. HMAC-MD5
E. 3DES
F. NULL
Answer: A, E, F
Explanation:
Encryption Algorithms (IPSec)
• DES
• 3DES
• NULL
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087d1e.html

QUESTION NO: 31
Select the three operating systems supported...

... router from divulging topology information by telling external hosts which subnets are not configured?
A. no source-route
B. no ip unreachables
C. no ip route-cache
D. no service udp-small-servers
Answer: B
Explanation:
To enable the generation of Internet Control Message Protocol (ICMP) unreachable messages, use the...

... of network security
B. It provides a process to audit existing network security
C. It defines how to track down and prosecute policy offenders
D. It defines which behavior is and is not allowed
E. It helps determine which vendor security equipment or software is better than others
F. It clears the general security framework

Posted: 24/01/2014, 10:20
