642-583
Security Solutions for Systems Engineers Exam: 642-583 Demo Edition
CERT MAGIC 1
http://www.certmagic.com
Section 1: Sec One (1 to 20)
Details: Topic 1, Main
QUESTION: 1 DRAG DROP You work as a network engineer at Certmagic.com. Your boss, Miss Certmagic, is curious about implementing secure WAN solutions. Which five security design components are required?
Answer:
QUESTION: 2 What are the advantages and disadvantages of using the "Direct to tower" or PAC file methods for redirecting traffic to ScanSafe?
A. Advantages: no browser changes required; Disadvantages: not all browsers supported
B. Advantages: ease of deployment, especially for multiple breakout points; Disadvantages: no user granularity
C. Advantages: user granularity; Disadvantages: requires additional hardware for each breakout point
Answer: A
QUESTION: 3 The Cisco IPS Manager Express (IME) can be used to manage how many IPS appliances, at a maximum?
A. 20
B. 10
C. 15
D. 3
E. 25
F. 5
Answer: F
QUESTION: 4 Which two logical controls are available on Cisco IOS routers to limit the damage of physical intrusions? (Choose two.)
A. port security
B. digitally signed Cisco IOS image
C. disabling of password recovery
D. security stickers
E. USB smart token key storage
Answer: B, D
QUESTION: 5 Which three statements correctly describe the perimeter-endpoint security architecture? (Choose three.)
A. The network is regarded as an untrusted transport mechanism.
B. The architecture is easy to operate and to maintain and is flexible for adding new services.
C. The architecture uses a restrictive access model.
D. The network is partitioned into security domains.
E. The architecture offers integration of network and endpoint security.
Answer: E, ?, ?
QUESTION: 6 What is used to enable IPsec usage across Port Address Translation (PAT) devices?
A. static NAT/PAT
B. IPsec tunnel mode
C. RRI
D. NAT-T
E. port forwarding
Answer: D
QUESTION: 7 Which authentication protocol can provide single sign-on (SSO) services?
A. RADIUS
B. Diameter
C. EAP
D. TACACS+
E. Kerberos
Answer: E
QUESTION: 8 MPLS VPN does not provide or support which of the following?
A. any-to-any connectivity
B. customer's IGP routing
C. confidentiality
D. the use of private IP addresses
E. customer's isolation
Answer: C
QUESTION: 9 Pharming attacks, which are used to fool users into submitting sensitive information to malicious servers, typically involve which attack method?
A. DHCP exhaustion
B. DHCP server spoofing
C. ARP poisoning
D. IP spoofing
E. DNS cache poisoning
Answer: E
QUESTION: 10 Refer to the exhibit. To support IPsec VPN, which three traffic types should ACL1 permit on the firewall in front of the IPsec VPN gateway? (Choose three.)
A. UDP port 4500
B. IP protocol 50
C. TCP port 50
D. UDP port 10000
E. UDP port 500
F. IP protocol 10000
Answer: A, B, E
QUESTION: 11 Which Cisco ASA SSL VPN feature requires a special license?
A. smart tunnels
B. prelogin assessment
C. Cisco AnyConnect VPN Client
D. Basic Host Scan
E. Advanced Endpoint Assessment
F. client plug-ins
Answer: A
QUESTION: 12
Exhibit: * Missing * Refer to the exhibit. Which statement correctly describes this security architecture, which is used to protect the multi-tiered web application? ***Missing Exhibit***
A. The second-tier Cisco ASA AIP-SSM should be tuned for inspecting Oracle attack signatures.
B. All the servers are protected by the dual-tier firewall systems and do not require additional endpoint security controls.
C. The firewall systems in the first and second tiers should be implemented with identical security controls to provide defense in depth.
D. This architecture supports application tiers that are dual homed.
Answer: A
QUESTION: 13 Which statement is true?
A. Three consecutive one-year commitments cost less than one three-year commitment.
B. Cisco IronPort does not sell three-year commitments.
C. Three-year commitments cost the same per year as three consecutive one-year commitments.
D. Three-year commitments cost less per year than three consecutive one-year commitments.
Answer: B
QUESTION: 14 Refer to the exhibit. A distributed DoS attack has been detected. The attack appears to have sources from many hosts in network X/24. An operator in the network operation center is notified of this attack and must take preventive action. To block all offending traffic, the network operator announces a BGP route, with the next-hop attribute of 172.31.1.1, for the X/24 network of the attacker. Which two methods do the routers at the regional office, branch office, and telecommuter location use to prevent traffic going to and from the attacker? (Choose two.)
A. a static route to 172.31.1.1/32, which points to a null interface
B. a dynamic ACL entry to block any traffic that is sourced from the X/24 network
C. a prefix list to block routing updates about the X/24 network
D. strict uRPF
E. a route map to tag all traffic from the X/24 network with the no-export community attribute
Answer: A, D
QUESTION: 15 Cisco SSL VPN solution uses which method to provide connections between a Winsock 2, TCP-based application and a private site without requiring administrative privileges?
A. Cisco Secure Desktop
B. port forwarding
C. smart tunnels
D. application plug-ins
E. Cisco AnyConnect VPN Client
Answer: C
QUESTION: 16 Cisco IOS Control Plane Protection can be used to protect traffic to which three router control plane subinterfaces? (Choose three.)
A. cpu
B. CEF-exception
C. host
D. transit
E. fast-switched
F. aggregate
Answer: B, C, D
QUESTION: 17 Which algorithm is recommended for implementing automatic symmetric key exchange over an unsecured channel?
A. public key infrastructure (PKI)
B. RSA
C. Diffie-Hellman (DH)
D. SHA-512
E. AES
F. EAP
Answer: A
QUESTION: 18 When implementing point-to-point secure WAN solutions over the Internet, which alternative Cisco IOS method is available if GRE-over-IPsec tunnels cannot be used?
A. GET VPN
B. Virtual Tunnel Interfaces (VTIs)
C. Virtual Routing Forwardings (VRFs)
D. MPLS VPN
E. dynamic crypto maps
Answer: B
QUESTION: 19 Which three security components can be found in today's typical single-tier firewall system? (Choose three.)
A. IPS
B. Network Admission Control
C. application proxy
D. Stateful Packet Filtering with Application Inspection and Control
E. server load balancing
F. cache engine
Answer: A, C, D
QUESTION: 20 Which two Cisco products can be used to provide a captive portal to authenticate wireless users? (Choose two.)
A. Cisco Secure ACS
B. WLAN Controller
C. Cisco NAC Profiler
D. Cisco ASA
E. Cisco NAC Guest Server
Answer: B, E