What three tasks can a network administrator accomplish with the Nmap and Zenmap security testing tools? (Choose three.)

  • operating system fingerprinting
  • assessment of Layer 3 protocol support on hosts
  • open UDP and TCP port detection
  • security event analysis and reporting
  • password recovery
  • development of IDS signatures
    Answers Explanation & Hints:

    Nmap is a publicly available low-level network scanner. It performs port scanning to identify open TCP and UDP ports, can fingerprint the operating system of a host, and can also identify which Layer 3 protocols a system supports. Zenmap is the GUI front end for Nmap.

 

What type of network security test uses simulated attacks to determine the feasibility of an attack as well as the possible consequences if the attack occurs?

  • penetration testing
  • network scanning
  • integrity checking
  • vulnerability scanning
    Answers Explanation & Hints:

    Security specialists use many tests to assess the status of a system. They include the following:
    • penetration testing to determine the feasibility of attacks
    • network scanning to scan for and identify open TCP ports
    • integrity checking to check for changes that have occurred in the system
    • vulnerability scanning to detect potential weaknesses in systems

 

Refer to the exhibit. A network administrator is configuring PAT on an ASA device to enable internal workstations to access the Internet. Which configuration command should be used next?

Network Security (Version 1) - Network Security 1.0 Modules 20-22 ASA Group Exam Answers 03

  • nat (inside,outside) dynamic NET1
  • nat (outside,inside) dynamic NET1
  • nat (inside,outside) dynamic interface
  • nat (outside,inside) dynamic interface
    Answers Explanation & Hints:

    The nat (inside,outside) dynamic interface command indicates that inside hosts are overloading the outside address of the mapped interface.

 

In the implementation of network security, how does the deployment of a Cisco ASA firewall differ from a Cisco IOS router?

  • ASA devices use ACLs that are always numbered.
  • ASA devices do not support an implicit deny within ACLs.
  • ASA devices support interface security levels.
  • ASA devices use ACLs configured with a wildcard mask.
    Answers Explanation & Hints:

    The differences between ASA devices and Cisco IOS routers include the following:
    • An ASA ACL is configured with a subnet mask, not a wildcard mask.
    • An ASA device supports interface security levels.
    • An ASA ACL is always named, not numbered.

    ASA devices and Cisco IOS routers are similar in that they both support an implicit deny within an ACL.

 

Refer to the exhibit. A network administrator is configuring an object group on an ASA device. Which configuration keyword should be used after the object group name SERVICE1?

Network Security (Version 1) - Network Security 1.0 Practice Final Answers 05

  • ip
  • tcp
  • udp
  • icmp
    Answers Explanation & Hints:

    Because this is a service object group, the keyword must indicate which protocol is used. The options are tcp, udp, tcp-udp, icmp, and icmpv6. The subsequent commands indicate that the services in the group are WWW, FTP, and SMTP. Because all of these services use TCP, the keyword in the service object group should be tcp.

 

Refer to the exhibit. A network administrator is configuring the security level for the ASA. What is a best practice for assigning the security level on the three interfaces?

Network Security (Version 1) - Network Security 1.0 Practice Final Answers 03

  • Outside 0, Inside 35, DMZ 90
  • Outside 40, Inside 100, DMZ 0
  • Outside 0, Inside 100, DMZ 50
  • Outside 100, Inside 10, DMZ 40
    Answers Explanation & Hints:

    The Cisco ASA assigns security levels to distinguish among the different networks it connects. A security level expresses how trusted an interface is: the higher the level, the more trusted the interface. Security levels range from 0 (untrusted) to 100 (fully trusted). Therefore, the interface connecting to the Internet should be assigned the lowest level, the interface connecting to the internal network should be assigned the highest level, and the interface connecting to the DMZ should be assigned a level between them.

 

Which special hardware module, when integrated into ASA, provides advanced IPS features?

  • Content Security and Control (CSC)
  • Advanced Inspection and Prevention (AIP)
  • Advanced Inspection and Prevention Security Services Card (AIP-SSC)
  • Advanced Inspection and Prevention Security Services Module (AIP-SSM)
    Answers Explanation & Hints:

    The advanced threat control and containment services of an ASA firewall are provided by integrating special hardware modules with the ASA architecture. These special modules include:
    • Advanced Inspection and Prevention (AIP) module – supports advanced IPS capability.
    • Content Security and Control (CSC) module – supports antimalware capabilities.
    • Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM) and Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC) – support protection against tens of thousands of known exploits.

 

Refer to the exhibit. An administrator creates three zones (A, B, and C) in an ASA that filters traffic. Traffic originating from Zone A going to Zone C is denied, and traffic originating from Zone B going to Zone C is denied. What is a possible scenario for Zones A, B, and C?

Network Security (Version 1) - Network Security 1.0 Practice Final Answers 02

  • A – DMZ, B – Inside, C – Outside
  • A – Inside, B – DMZ, C – Outside
  • A – DMZ, B – Outside, C – Inside
  • A – Outside, B – Inside, C – DMZ
    Answers Explanation & Hints:

    The ASA protects Network/Zone C (Inside) from unauthorized access by users on Network/Zone B (Outside). It also denies traffic originating from Network/Zone A (DMZ) that is destined for Network/Zone C (Inside).

 

What is the purpose of configuring multiple crypto ACLs when building a VPN connection between remote sites?

  • By applying the ACL on a public interface, multiple crypto ACLs can be built to prevent public users from connecting to the VPN-enabled router.
  • Multiple crypto ACLs can be configured to deny specific network traffic from crossing a VPN.
  • When multiple combinations of IPsec protection are being chosen, multiple crypto ACLs can define different traffic types.
  • Multiple crypto ACLs can define multiple remote peers for connecting with a VPN-enabled router across the Internet or network.
    Answers Explanation & Hints:

    A crypto ACL defines the “interesting traffic” that triggers the VPN to be built and that is forwarded across the VPN to the other VPN-enabled router. Multiple crypto ACLs are used to define multiple different types of traffic so that each type can be given the IPsec protection that corresponds to it.