Dumps4cert.com : Latest Dumps with PDF and VCE Files
2018 Mar Cisco Official New Released 350-018
http://www.Dumps4cert.com/350-018.html

CCIE Security Exam (v4.1)

Question No: 181 – (Topic 2)

Refer to the exhibit.


Against which type of attack does the given configuration protect?

  1. pharming

  2. a botnet attack

  3. phishing

  4. DNS hijacking

  5. DNS cache poisoning

Answer: B

Reference: https://supportforums.cisco.com/document/33011/asa-botnet-configuration

Question No: 182 – (Topic 2)

Which two statements about ASA transparent mode are true? (Choose two.)

  1. It drops ARP traffic unless it is permitted.

  2. It does not support NAT.

  3. It requires the inside and outside interface to be in different subnets.

  4. It can pass IPv6 traffic.

  5. It cannot pass multicast traffic.

  6. It supports ARP inspection.

Answer: B,F

Explanation:

Even though the transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with an extended access list. The only traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP inspection.

These features are not supported in transparent mode:

->NAT /PAT

NAT is performed on the upstream router.

->Dynamic routing protocols (such as RIP, EIGRP, OSPF)

You can add static routes for traffic that originates on the security appliance. You can also allow dynamic routing protocols through the security appliance with an extended access list.

Note: IS-IS is IP protocol 124 (IS-IS over IPv4). IS-IS packets crossing the transparent firewall can be permitted with an ACL entry that allows protocol 124; transparent mode supports all 255 IP protocol numbers.

->IPv6

->DHCP relay

The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands. DHCP relay is not required because you can allow DHCP traffic to pass through with an extended access list.

->Quality of Service (QOS)

->Multicast

You can allow multicast traffic through the security appliance if you permit it in an extended access list. In a transparent firewall, access lists are required to pass multicast traffic from a higher to a lower security level as well as from a lower to a higher security level. In routed mode, no access list is required for traffic from a higher to a lower security level.

->VPN termination for through traffic

The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the security appliance. You can pass VPN traffic through the security appliance with an extended access list, but it does not terminate non-management connections.

Reference: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html

Question No: 183 – (Topic 2)

Of which IPS application is Event Action Rule a component?

  1. NotificationApp

  2. InterfaceApp

  3. SensorApp

  4. SensorDefinition

  5. MainApp

  6. AuthenticationApp

Answer: C

Reference: http://manualmachine.com/cisco-systems/ips4510k9/1024953-user-manual/page:67/

Question No: 184 – (Topic 2)

Refer to the exhibit.


After setting the replay window size on your Cisco router, you received the given system message. What is the reason for the message?

  1. The replay window size is set too low for the number of packets received.

  2. The IPSec anti-replay feature is enabled, but the window size feature is disabled.

  3. The IPSec anti-replay feature is disabled.

  4. The replay window size is set too high for the number of packets received.

Answer: A

Explanation:

If your replay window size has not been set to a number that is high enough for the number of packets received, you will receive a system message such as the following:

*Nov 17 19:27:32.279: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1

The above message is generated when a received packet is judged to be outside the anti-replay window.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/12-4t/sec-ipsec-data-plane-12-4t-book/sec-ipsec-antireplay.html

Question No: 185 – (Topic 2)

What are two advantages of SNMPv3 over SNMPv2c? (Choose two.)

  1. integrity, to ensure that data has not been tampered with in transit

  2. no source authentication mechanism for faster response time

  3. Packet replay protection mechanism removed for efficiency

  4. GetBulkRequest capability, to retrieve large amounts of data in a single request

  5. confidentiality via encryption of packets, to prevent man-in-the-middle attacks

Answer: A,E

Explanation:

SNMPv3 contains all the functionality of SNMPv1 and SNMPv2, but SNMPv3 has significant enhancements to administration and security. SNMPv3 is an interoperable standards-based protocol. SNMPv3 provides secure access to devices by authenticating and encrypting packets over the network.

The security features provided in SNMPv3 are as follows:

  • Message integrity - ensuring that a packet has not been tampered with in transit

  • Authentication - determining that the message is from a valid source

  • Encryption - scrambling the contents of a packet to prevent it from being seen by an unauthorized source

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/snmp.pdf

Question No: 186 – (Topic 2)

What is the purpose of enabling the IP options selective drop feature on your network routers?

  1. To protect the internal network from IP spoofing attacks

  2. To drop IP fragmented packets

  3. To drop packets with a TTL value of zero

  4. To protect the network from DoS attacks

Answer: D

Question No: 187 – (Topic 2)

Which three statements about VRF-Aware Firewall are true? (Choose three.)

  1. It can run as more than one instance.

  2. It enables service providers to implement a firewall on PE devices.

  3. It can generate syslog messages that are visible only to individual VPNs.

  4. It can support VPN networks with overlapping address ranges without NAT.

  5. It supports both global and per-VRF commands and DoS parameters.

  6. It enables service providers to deploy a firewall on the customer device.

Answer: A,B,C

Question No: 188 – (Topic 2)

Which three fields are part of the AH header? (Choose three.)

  1. Destination Address

  2. Source Address

  3. Protocol ID

  4. Next Header

  5. Packet ICV

  6. SPI identifying SA

  7. Application Port

Answer: D,E,F

Explanation:

The following AH packet diagram shows how an AH packet is constructed and interpreted:

Authentication Header format

Octet offset (hex) | Bit offset (dec) | Bits 0-7    | Bits 8-15   | Bits 16-31
-------------------|------------------|-------------|-------------|-----------
0                  | 0                | Next Header | Payload Len | Reserved
4                  | 32               | Security Parameters Index (SPI)
8                  | 64               | Sequence Number
C                  | 96               | Integrity Check Value (ICV)

Reference: https://en.wikipedia.org/wiki/IPsec

Question No: 189 – (Topic 2)

What are two authentication algorithms supported with SNMPv3 on an ASA? (Choose two.)

  1. 3DES

  2. DES

  3. SHA

  4. RC4

  5. MD5

  6. RC5

Answer: C,E

Reference: http://www.lightchange.com/configuring-snmp-v3-on-cisco-asa-and-ios/

Question No: 190 – (Topic 2)

For which reason would an RSA key pair need to be removed?

  1. The CA is under DoS attack

  2. The CA has suffered a power outage

  3. The existing CA is replaced, and the new CA requires newly generated keys

  4. PKI architecture would never allow the RSA key pair removal

Answer: C

Explanation:

An RSA key pair may need to be removed for one of the following reasons:

->During manual PKI operations and maintenance, old RSA keys can be removed and replaced with new keys.

->An existing CA is replaced and the new CA requires newly generated keys; for example, the required key size might have changed in an organization, so you would have to delete the old 1024-bit keys and generate new 2048-bit keys.

->The peer router's public keys can be deleted in order to help debug signature verification problems in IKEv1 and IKEv2. Keys are cached by default with the lifetime of the certificate revocation list (CRL) associated with the trustpoint.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-deploy-rsa-pki.html
