Cisco 640-553 IINS Implementing Cisco IOS Network Security 10 Q&A
Version 3.0
http://www.selfexamprep.com/640-553.htm
Important Note, Please Read Carefully

Other 640-553 products
A) Offline Testing engine: use the offline Testing engine product to practice the questions in an exam environment. Build a foundation of knowledge which will also be useful after passing the exam.

Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check your member zone at 640-553 and update 3-4 days before the scheduled exam date. Here is the procedure to get the latest version:
1. Go to www.640-553.com
2. Click on Log in
3. The latest versions of all purchased products are downloadable from here. Just click the links.
For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

Feedback
If you spot a possible improvement then please let us know. We are always interested in improving product quality. Feedback should be sent to feedback@640-553.com. You should include the following: exam number, version, page number, question number, and your login email. Our experts will answer your mail promptly.

Copyright
Each iPAD file is a green exe file. If we find out that a particular iPAD Viewer file is being distributed by you, 640-553 reserves the right to take legal action against you according to the International Copyright Laws.

Explanations
This product does not include explanations at the moment. If you are interested in providing explanations for this exam, please contact feedback@640-553.com.
Leading the way in IT testing and certification tools, www.SelfExamPrep.com
Q: 1 Exam Description and Topics

Exam Description
The 640-553 Implementing Cisco IOS Network Security (IINS) exam is associated with the CCNA Security certification. This exam tests a candidate's knowledge of securing Cisco routers and switches and their associated networks. It leads to validated skills for installation, troubleshooting and monitoring of network devices to maintain integrity, confidentiality and availability of data and devices, and develops competency in the technologies that Cisco uses in its security infrastructure.

Exam Topics
The following topics are general guidelines for the content likely to be included on the Implementing Cisco IOS Network Security (IINS) exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.
Topic-1 Describe the security threats facing modern network infrastructures. (15 Questions)
- Describe and list mitigation methods for common network attacks
- Describe and list mitigation methods for Worm, Virus, and Trojan Horse attacks
- Describe the Cisco Self Defending Network architecture
Topic-2 Secure Cisco routers. (24 Questions)
- Secure Cisco routers using the SDM Security Audit feature
- Use the One-Step Lockdown feature in SDM to secure a Cisco router
- Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements
- Secure administrative access to Cisco routers by configuring multiple privilege levels
- Secure administrative access to Cisco routers by configuring role based CLI
- Secure the Cisco IOS image and configuration file
Topic-3 Implement AAA on Cisco routers using local router database and external ACS. (12 Questions)
- Explain the functions and importance of AAA
- Describe the features of TACACS+ and RADIUS AAA protocols
- Configure AAA authentication
- Configure AAA authorization
- Configure AAA accounting
Topic-4 Mitigate threats to Cisco routers and networks using ACLs. (11 Questions)
- Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets
- Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI
- Configure IP ACLs to prevent IP address spoofing using CLI
- Discuss the caveats to be considered when building ACLs
Topic-5 Implement secure network management and reporting. (4 Questions)
- Use CLI and SDM to configure SSH on Cisco routers to enable secured management access
- Use CLI and SDM to configure Cisco routers to send Syslog messages to a Syslog server
Topic-6 Mitigate common Layer 2 attacks. (7 Questions)
- Describe how to prevent Layer 2 attacks by configuring basic Catalyst switch security features
Topic-7 Implement the Cisco IOS firewall feature set using SDM. (11 Questions)
- Describe the operational strengths and weaknesses of the different firewall technologies
- Explain stateful firewall operations and the function of the state table
- Implement Zone Based Firewall using SDM
Topic-8 Implement the Cisco IOS IPS feature set using SDM. (8 Questions)
- Define network based vs. host based intrusion detection and prevention
- Explain IPS technologies, attack responses, and monitoring options
- Enable and verify Cisco IOS IPS operations using SDM
Topic-9 Implement site-to-site VPNs on Cisco Routers using SDM. (36 Questions)
- Explain the different methods used in cryptography
- Explain IKE protocol functionality and phases
- Describe the building blocks of IPSec and the security functions it provides
- Configure and verify an IPSec site-to-site VPN with pre-shared key authentication using SDM

Answer: Check 640-553 eEngine, Download from Member Center

Q: 2 Which item accounts for the great majority of software vulnerabilities that have been discovered?
A. Stack vulnerabilities
B. Software overflows
C. Heap overflows
D. Buffer overflows
Answer: D

Q: 3 With which three tasks does the IPS Policies Wizard help you? (Choose three.)
A. Selecting the interface to which the IPS rule will be applied
B. Selecting the direction of traffic that will be inspected
C. Selecting the inspection policy that will be applied to the interface
D. Selecting the Signature Definition File (SDF) that the router will use
Answer: A, B, D
Q: 4 When editing global IPS settings, which of the following options determines whether the IOS-based IPS feature will drop or permit traffic for a particular IPS signature engine while a new signature for that engine is being compiled?
A. Enable Engine Fail Closed
B. Enable Fail Opened
C. Enable Signature Default
D. Enable Default IOS Signature
Answer: A

Q: 5 Topic-9 Implement site-to-site VPNs on Cisco Routers using SDM. (36 Questions)
- Explain the different methods used in cryptography
- Explain IKE protocol functionality and phases
- Describe the building blocks of IPSec and the security functions it provides
- Configure and verify an IPSec site-to-site VPN with pre-shared key authentication using SDM
Answer: Check 640-553 eEngine, Download from Member Center

Q: 6 Which three options are network evaluation techniques? (Choose three.)
A. Scanning a network for active IP addresses and open ports on those IP addresses
B. Using password-cracking utilities
C. Performing end-user training on the use of antispyware software
D. Performing virus scans
Answer: A, B, D

Q: 7 The enable secret password appears as an MD5 hash in a router's configuration file, whereas the enable password is not hashed (or encrypted, if the password-encryption service is not enabled). What is the reason that Cisco still supports the use of both enable secret and enable passwords in a router's configuration?
A. The enable password is used for IKE Phase I, whereas the enable secret password is used for IKE Phase II.
B. The enable password is considered to be a router's public key, whereas the enable secret password is considered to be a router's private key.
C. Because the enable secret password is a hash, it cannot be decrypted. Therefore, the enable password is used to match the password that was entered, and the enable secret is used to verify that the enable password has not been modified since the hash was generated.
D. The enable password is present for backward compatibility.
Answer: D

Q: 8 On the basis of the description of SSL-based VPN, place the correct descriptions in the proper locations.
This question examines knowledge related to SSL VPN.
SSL VPN uses RSA or DH technologies rather than hash algorithms (SHA-1, MD5) for authentication and key exchange. Asymmetric algorithms are used for authentication and key exchange in SSL VPN, while symmetric algorithms (such as DES, 3DES, AES, RC4, etc.) are applied to encryption. Unlike IPSec VPN, SSL VPN provides an easier way to establish a remote connection and can be used from any machine with a browser installed.
Answer: Check 640-553 eEngine, Download from Member Center

Q: 9 Choose the correct matching relationships between the cryptography algorithms and the type of algorithm.
A. Symmetric - P4S1, P4S2 and P4S3; Asymmetric - P4S4, P4S5 and P4S6
B. Symmetric - P4S1, P4S4 and P4S5; Asymmetric - P4S2, P4S3 and P4S6
C. Symmetric - P4S2, P4S4 and P4S5; Asymmetric - P4S1, P4S3 and P4S6
D. Symmetric - P4S2, P4S5 and P4S6; Asymmetric - P4S1, P4S3 and P4S4
Answer: B

Q: 10 When using the Cisco SDM Quick Setup Site-to-Site VPN wizard, which three parameters do you configure? (Choose three.)
A. Interface for the VPN connection
B. IP address for the remote peer
C. Transform set for the IPsec tunnel
D. Source interface where encrypted traffic originates
Answer: A, B, D