Cisco CCNA 640-802 Dumps|Just another WordPress weblog

QUESTION 616
Part of the Certifyme network is shown below:
You work as a network technician at Certifyme. Certifyme is concerned about unauthorized access to the
CertifymeE server. The Certifyme1, Certifyme4, Certifyme6 and Certifyme7 PCs should be the only computers
with access to the CertifymeE server. What two technologies should be implemented to help prevent
unauthorized access to this server? (Choose two)
A. Encrypted router passwords
B. VLANs
C. STP
D. VTP
E. Access lists
F. Wireless LANs
G. Switches

Answer: BE

Section: IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED
ENTERPRISE BRANCH NETWORK
Explanation/Reference:

QUESTION 617
The Certifyme worldwide WAN is shown in the exhibit below:
On the Hong Kong router an access list is needed that will accomplish the following:
1. Allow a Telnet connection to the HR Server through the Internet 2. Allow internet HTTP traffic to access the
webserver 3. Block any other traffic from the internet to everything else
Which of the following access list statements are capable of accomplishing these three goals? (Select all that
apply)
A. access-list 101 permit tcp any 172.17.18.252 0.0.0.0 eq 80
B. access-list 1 permit tcp any 172.17.17.252 0.0.0.0 eq 23
C. access-list 101 permit tcp 172.17.17.252 0.0.0.0 any eq 23
D. access-list 101 deny tcp any 172.17.17.252 0.0.0.0 eq 23
E. access-list 101 deny tcp any 172.17.18.252 0.0.0.0 eq 80
F. access-list 101 permit tcp any 172.17.17.252 0.0.0.0 eq 23

Answer: AF

Section: IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED
ENTERPRISE BRANCH NETWORK
Explanation/Reference:
Explanation:
Because of the implicit deny rule at the end of every access list, only two choices need to be made, as the final
requirement is automatic.
A. This is correct as we need to allow the access list to allow port 80 connections (port 80 = HTTP) from
anywhere, to the web server’s IP address.
F. This will fulfill the first requirement, as it allows port 23 (Telnet) traffic from anywhere.
Incorrect Answers:
B. The answer asks you to create an access list, a single one. The answer choices require you to choose two
answers. For two statements to be on the same list, you need them to have the same number. So answer
choice B can be ruled out by process of elimination. In addition to this, access list 1 is an illegal number, since
we need an extended access list to use source and destination information, and extended access lists are in
the 100-199 range.
C. This is incorrect as it allows telnet traffic from the HR server to the Internet, but we need it to be the other
way around.
D, E: Because of the implicit deny any rule; we need to only be concerned with the access rules that permit
traffic.

QUESTION 618
The Certifyme WAN is displayed below:
An access list needs to be implemented that will block users from the Graphics Department from telnetting to
the HR server; and this list is to be implemented on the Ethernet 0 interface of the Westfield router for the
inbound direction. All other office communications should be allowed. Which of the following answer choices
would accomplish this?
A. deny tcp 192.168.16.0 0.0.0.255 192.168.17.252 0.0.0.0 eq 23 permit ip any any
B. permit ip any any deny tcp 192.168.16.0 0.0.0.255 192.172.252 0.0.0.0 eq 23
C. permit ip any any
deny tcp 192.168.17.252 0.0.0.0 192.168.0 0.0.0.255 eq 23
D. deny tcp 192.168.18.262 0.0.0.0 192.168.16.0 0.0.0.255 eq 23 permit ip any any
E. None of the above

Answer: A

Section: IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED
ENTERPRISE BRANCH NETWORK
Explanation/Reference:
Explanation:
The syntax for an access list is the source address first then the destination address. In this case the source
address is 192.168.16.0/24 and the destination address 192.168.17.252.
The “permit ip any any” statement is required because of the implicit deny all at the end of every access list.
Generally speaking, all access lists require at least one permit statement, otherwise all traffic will be denied
through the interface.

QUESTION 613
What are the general recommendations regarding the placement of access control lists? (Choose two)
A. Standard ACLs should be placed as close as possible to the source of traffic to be denied.
B. Extended ACLs should be placed as close as possible to the source of traffic to be denied .
C. Standard ACLs should be placed as close as possible to the destination of traffic to be denied .
D. Extended ACLs should be placed as close as possible to the destination of traffic to be denied .

Answer: BC

Section: IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED
ENTERPRISE BRANCH NETWORK
Explanation/Reference:
Explanation:
Standard Access Lists:
l Access-list list# {permit/deny} source IP [wildcard mask] l interface [router port] l ip access-group [list#] in|out
(out is the default) l If a match is made, the action defined in this access list statement is performed.
l If no match is made with an entry in the access list, the deny action is performed (implicit deny) l Should be
put close to the destination address because you can not specify the destination address, only the source
information is looked at.
Extended Access List:
l Access-list list# {permit/deny} protocol source [source mask] destination [destination mask] operator [port] l
Should be put close to the source l Since extended ACLs have destination information, you want to place it as
close to the source as possible.
l Place an extended ACL on the first router interface the packet enters and specify inbound in the access-group
command.
Section 2: Configure and apply ACLs based on network filtering
requirements. (including: CLI/SDM) (24 questions)

QUESTION 614
Part of the Certifyme network is shown in the following topology exhibit:
In this network, an access list has been designed to prevent HTTP traffic from the accounting department from
reaching the CertifymeI server attached to the Certifyme2 router. Which of the following access lists will
accomplish this task when grouped with the e0 interface on the Certifyme router?
A. permit ip any any deny tcp 172.17.17.252 0.0.0.0 172.16.16.0 0.0.0.255 eq 80
B. deny tcp 172.17.17.252 0.0.0.0 172.16.16.0 0.0.0.255 eq 80 permit ip any any
C. deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80 permit ip any any
D. permit ip any nay deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80
E. None of the above

Answer: C

Section: IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED
ENTERPRISE BRANCH NETWORK
Explanation/Reference:

QUESTION 615
For security reasons, the Certifyme network administrator needs to prevent pings into the corporate networks
from hosts outside the internetwork. Using access control lists, which protocol should be blocked?
A. IP
B. UDP
C. TCP
D. ICMP
E. None of the above

Answer: D

Section: IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED
ENTERPRISE BRANCH NETWORK
Explanation/Reference:
Explanation:
A ping is a computer network tool used to test whether a particular host is reachable across an IP network. It
works by sending ICMP “echo request” packets to the target host and listening for ICMP “echo response”
replies. ping estimates the round-trip time, generally in milliseconds, and records any packet loss, and prints a
statistical summary when finished.

QUESTION 610
A standard IP access list is applied to an Ethernet interface of router CM1. What does this standard access list
filter on?
A. The source and destination addresses
B. The destination port number
C. The destination address
D. The source address
E. All of the above

Answer: D

Section: IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED
ENTERPRISE BRANCH NETWORK
Explanation/Reference:
Explanation:
The standard IP access-list will only filter on the source address contained in the packet.
Extended access lists can filter on the source and destination address and port information.

QUESTION 611
What are two reasons that the Certifyme network administrator would use access lists on a router? (Choose
two.)
A. To filter traffic as it passes through a router
B. To filter traffic that originates from the router
C. To replace passwords as a line of defense against security incursions
D. To control vty access into a router
E. To control broadcast traffic through a router

Answer: AD

Section: IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED
ENTERPRISE BRANCH NETWORK
Explanation/Reference:
Explanation:
Access lists are used to process data received by a router can be divided into two broad categories:
1. traffic that passes through the router via the forwarding path (choice A) 2. traffic destined for the router via
the receive path for route processor handling, such as
ssh/telnet vty access (Choice D) In normal operations, the vast majority of traffic simply flows through a router
en route to its ultimate destination.
Incorrect Answers:
B: Traffic originated by the router will bypass the access list.
C: Access lists can be used to permit or deny access, but it can not be used to replace the need for passwords
for authorizing users into the system.
E: Routers do not forward broadcast traffic by default, and this is true regardless if access lists are configured
or are not.

QUESTION 612
Which of the following are characteristics of named access lists? (Choose three)
A. Individual statements in a named access list may be deleted.
B. They require a numbered range from 1000 to 1099.
C. When created, they must be specified as standard or extended.
D. They are created with the ip access-list command.
E. The entire access list must be deleted before editing.
F. They are applied with the ip name-group command.

Answer: ACD

Section: IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED
ENTERPRISE BRANCH NETWORK
Explanation/Reference:
Explanation:
You can identify IP access lists with an alphanumeric string (a name) rather than a number. Named access
lists allow you to configure more IP access lists in a router than if you were to use numbered access lists. If
you identify your access list with a name rather than a number, the mode and command syntax are slightly
different. Currently, only packet and route filters can use a named list.
Consider the following guidelines before configuring named access lists:
Access lists specified by name are not compatible with Cisco IOS Releases prior to 11.2.
Not all access lists that accept a number will accept a name. Access lists for packet filters and route filters on
interfaces can use a name.
A standard access list and an extended access list cannot have the same name.
To configure a named access list (standard and extended):
Reference:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080430e5b.html

QUESTION 607
Router CM1 is configured with an inbound ACL. When are packets processed in this inbound access list?
A. Before they are routed to an outbound interface.
B. After they are routed for outbound traffic.
C. After they are routed to an outbound interface while queuing.
D. Before and after they are routed to an outbound interface.
E. Depends on the configuration of the interface
F. None of the above

Answer: A

Section: IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED
ENTERPRISE BRANCH NETWORK
Explanation/Reference:
Explanation:
When a packet is received on an interface with an inbound access list configured, the packets are matched
against the access list to determine if they should be permitted or denied. After this check, the packets are
processed by the routing function. The access list check is always done first.
Incorrect Answers:
B, C. The packets are always processed by the inbound access list prior to being routed.
D. All packets are always checked against a specific access list only once. While packets traversing through a
router may be checked against different access lists for each interface and in each direction (inbound and
outbound), each access list is always only consulted once.

QUESTION 608
Many Certifyme routers are configured using access lists. Which of the following are benefits provided with
access control lists (ACLs)? (Select all that apply)
A. ACLs monitor the number of bytes and packets.
B. Virus detection.
C. ACLs identify interesting traffic for DDR.
D. ACLs provide IP route filtering.
E. ACLs provide high network availability.
F. ACLs classify and organize network traffic.

Answer: CD

Section: IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED
ENTERPRISE BRANCH NETWORK
Explanation/Reference:
Explanation:
IP access control lists allow a router to discard some packets based on criteria defined by the network
engineer. The goal of these filters is to prevent unwanted traffic in the network – whether to prevent hackers
from penetrating the network or just to prevent employees from using systems they should not be using.
IP access lists can also be used to filter routing updates, to match packets for prioritization, to match packets
for prioritization, to match packets for VPN tunneling, and to match packets for implementing quality of service
features. It is also used to specify the interesting traffic, which is used to trigger ISDN and Dial on Demand
Routing (DDR) calls.
Reference:
CCNA Self-Study CCNA ICND exam certification Guide (Cisco Press, ISBN 1-58720X) Page 427 Incorrect
Answers:
A, F: ACLs do not provide for management and traffic analysis functions such as the monitoring and
organization of network packets.
B. While ACLs can be used to filter out some unwanted traffic; they can not be used to routinely provide for
virus detection and removal.
E. ACLs alone do not provide for any additional level of network availability.

QUESTION 609
Router CM1 is configured using a named ACL. Which of the following answer choices are correct
characteristics of named access list? (Select all that apply)
A. You can delete individual statements in a named access list
B. Named access lists require a numbered range from 1000 to 1099.
C. Named access lists must be specified as standard or extended.
D. You can use the ip access-list command to create named access lists.
E. You cannot delete individual statements in a named access list.
F. You can use the ip name-group command to apply named access lists.

Answer: ACD

Section: IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED
ENTERPRISE BRANCH NETWORK
Explanation/Reference:
Explanation:
Named access lists have two advantages over numbered access lists: the first one being that a name is easier
to remember and the second being the fact that you can delete individual statements in a named access list.
That makes A correct.
When you create a named access list you use the ip access-list command, and you have to specify whether
it’s standard or extended (since there are no numbers). So C and D are both correct. An example from the
textbook is the command, “ip access-list extended Barney” Incorrect Answers:
B. Named access lists don’t require a number range from 1000 to 1099 so B is incorrect.
E. Answer choice E is not true.
F. This is incorrect because the command ip name-group is absolutely unnecessary.

QUESTION 604
Refer to the Certifyme network shown below:
For security reasons, information about Certifyme1, including platform and IP addresses, should not be
accessible from the Internet. This information should, however, be accessible to devices on the internal
networks of Certifyme1. Which command or series of commands will accomplish these objectives?
A. Certifyme1(config)#no cdp enable
B. Certifyme1(config)#no cdp run
C. Certifyme1(config)#interface s0/0 Certifyme1(config-if)#no cdp run
D. Certifyme1(config)#interface s0/0 Certifyme1(config-if)#no cdp enable
E. None of the above

Answer: D

Section: IDENTIFY SECURITY THREATS TO A NETWORK AND DESCRIBE GENERAL METHODS TO
MITIGATE THOSE THREATS
Explanation/Reference:
Explanation:
CDP is a proprietary protocol designed by Cisco to help administrators collect information about both locally
attached and remote devices. By using CDP, you can gather hardware and protocol information about
neighbor devices which is useful info for troubleshooting and documenting
the network.
To disable the CDP on particular interface use the “no cdp enable” command. To disable CDP on the entire
router use the “no cdp run” in global configuration mode.
Topic 7, IMPLEMENT, VERIFY, AND
TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED ENTERPRISE BRANCH NETWORK.
(79 questions)
Section 1: Describe the purpose and types of ACLs (9 questions)
Exam G

QUESTION 605
An extended access list needs to be applied to a Certifyme router. What three pieces of information can be
used in an extended access list to filter traffic? (Choose three)
A. Source IP Address and destination IP address
B. Source MAC address and destination MAC address
C. Source switch port number
D. VLAN number
E. Protocol
F. TCP or UDP port numbers

Answer: AEF

Section: IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED
ENTERPRISE BRANCH NETWORK
Explanation/Reference:

QUESTION 606
The Certifyme administrator is implementing access control lists in the Certifyme network. What are two reasons
that the Certifyme network administrator would use access lists? (Choose two.)
A. To filter traffic as it passes through a router
B. To filter traffic that originates from the router
C. To replace passwords as a line of defense against security incursions
D. To control broadcast traffic through a router
E. To control VTY access into a router
F. To encrypt traffic

Answer: AE

Section: IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED
ENTERPRISE BRANCH NETWORK
Explanation/Reference:

QUESTION 601
Certifyme University has a small campus where 25 faculty members are located. The faculty offices and student
computers are currently on the same network. The faculty is concerned about students being able to capture
packets going across the network and obtain sensitive material. What could a network administrator do to
protect faculty network traffic from student connections?
A. Install anti-virus software on the student computers.
B. Put the faculty computers in a separate VLAN.
C. Power down the switches that connect to faculty computers when they are not in use.
D. Remove the student computers from the network and put them on a peer-to-peer
network.
E. Create an access list that blocks the students from the Internet where the hacking tolls are located.
F. None of the above

Answer: B

Section: IDENTIFY SECURITY THREATS TO A NETWORK AND DESCRIBE GENERAL METHODS TO
MITIGATE THOSE THREATS
Explanation/Reference:
Explanation:
Main Functions of a VLAN:
1.
The VLAN can group several broadcast domains into multiple logical subnets.
You can accomplish network additions, moves, and changes by configuring a port into the 2.
appropriate VLAN.
1.You can place a group of users who need high security into a VLAN so that no users outside f the VLAN can
communicate with them.
As a logical grouping of users by function, VLANs can be considered independent from heir 2.
physical or geographic locations.
VLANs can enhance network security.
3.
VLANs increase the number of broadcast domains while decreasing their size.
4.

QUESTION 602
What are three valid reasons to assign ports on VLANs on a new Certifyme LAN switch? (Choose three)
A. To make VTP easier to implement
B. To isolate broadcast traffic
C. To increase the size of the collision domain
D. To allow more devices to connect to the network
E. To logically group hosts according to function
F. To increase network security

Answer: BEF

Section: IDENTIFY SECURITY THREATS TO A NETWORK AND DESCRIBE GENERAL METHODS TO
MITIGATE THOSE THREATS
Explanation/Reference:
Explanation:
Main Functions of a VLAN (see previous question):
1.
The VLAN can group several broadcast domains into multiple logical subnets.
2.You can accomplish network additions, moves, and changes by configuring a port into the appropriate VLAN.
You can place a group of users who need high security into a VLAN so that no users outside f 1.
the VLAN can communicate with them.
As a logical grouping of users by function, VLANs can be considered independent from heir 2.
physical or geographic locations.
3.VLANs can enhance network security.
4.VLANs increase the number of broadcast domains while decreasing their size.

QUESTION 603
What set of router configuration commands causes the message shown in the exhibit below?
A. Certifyme1(config)# line console 0
Certifyme1(config-line)# service password-encryption Certifyme1(config-line)# login
B. Certifyme1(config)# line console 0
Certifyme1(config-line)# enable password cisco
Certifyme1(config-line)# login
C. Certifyme1(config)# line console 0
Certifyme1(config-line)# enable password cisco
Certifyme1(config-line)# logging synchronous
D. Certifyme1(config)# line console 0
Certifyme1(config-line)# enable secret cisco
Certifyme1(config-line)# login
E. Certifyme1(config)# line console 0
Certifyme1(config-line)# password cisco
Certifyme1(config-line)# login
F. None of the above

Answer: E

Section: IDENTIFY SECURITY THREATS TO A NETWORK AND DESCRIBE GENERAL METHODS TO
MITIGATE THOSE THREATS
Explanation/Reference:
Explanation:
Use the line con 0 command to configure the console line. Use the login and password commands to configure
the console for login with a password. Here is an example using the Battle Creek router:
Battle>enable Password:*******
CM1#conf term
CM1(config)#line con 0
CM1(config-line)#login
CM1(config-line)#password oatmeal
CM1(config-line)#^Z
The “login” command is needed to enforce users to log in to the router using the console connection.

QUESTION 598
The Certifyme administrator is concerned with enhancing network security. To do this, what are two
recommended ways of protecting network device configuration files from outside security threats on the
network? (Choose two)
A. Use a firewall to restrict access from the outside to the network devices
B. Allow unrestricted access to the console or VTY ports
C. Prevent the loss of passwords by disabling encryption
D. Always use Telnet to access the device command line because its data is automatically encrypted
E. Use SSH or another encrypted and authenticated transport to access device configurations
F. Use easy to remember passwords so that they are not forgotten

Answer: AE

Section: IDENTIFY SECURITY THREATS TO A NETWORK AND DESCRIBE GENERAL METHODS TO
MITIGATE THOSE THREATS
Explanation/Reference:
Explanation:
Whenever the trusted (inside) part of the network connects to an untrusted (outside, or internet) network, the
use of a firewall should be implemented to ensure only legitimate traffic is allowed within the enterprise. SSH is
a secure alternative to telnet that encrypts the traffic so that data carried within can not be “sniffed.” It is always
recommended to use SSH over telnet whenever possible.

QUESTION 599
You want to enable telnet access to a Certifyme router as securely as possible. Which of the following
commands would you execute if you wanted to enable others to establish a telnet session on a Cisco router?
A. Certifyme1(config)# line console 0 Certifyme1(config-if)# enable password Certifyme
B. Certifyme1(config)# line vty 0 Certifyme1(config-line)#enable password Certifyme
C. Certifyme1(config)# line vty 0 Certifyme1(config-line)#enable secret Certifyme
Certifyme1(config-line)# login
D. Certifyme1(config)# line console 0 Certifyme1(config-line)#enable secret Certifyme Certifyme1(config-line)#login
E. Certifyme1(config)#line console 0 Certifyme1(config-line)# password Certifyme Certifyme1(config-line)#login
F. Certifyme1(config)#line vty 0 Certifyme1(config-line)#password Certifyme Certifyme1(config-line)#login

Answer: F

Section: IDENTIFY SECURITY THREATS TO A NETWORK AND DESCRIBE GENERAL METHODS TO
MITIGATE THOSE THREATS
Explanation/Reference:
Explanation:
Telnet sessions use virtual terminal sessions, which are configured under the “line vty” portion of the
configuration. There are 5 total vty sessions that can be configured, numbered 0-4. In order to be prompted for
a password, one must be configured. Choice F gives the 3 commands needed to allow a single telnet session.
Incorrect Answers:
A, B, C, D. The telnet password needs to be configured in addition to the enable password. Without the initial
password configured, users that try to telnet to the router will receive a “password required, but none set”
message.
D, E. Telnet uses VTY ports, not the console port.
Section 3: Describe the functions of common security appliances
and applications (1 question)

QUESTION 600
You want to increase the security in the Certifyme network. What are the two security appliances that can be
installed in this network? (Choose two)
A. SDM
B. ATM
C. IDS
D. IOX
E. IPS
F. IOS
G. FR

Answer: CE

Section: IDENTIFY SECURITY THREATS TO A NETWORK AND DESCRIBE GENERAL METHODS TO
MITIGATE THOSE THREATS
Explanation/Reference:
Section 4: Describe security recommended practices including initial steps to secure network devices (4
questions)

QUESTION 595
You need to troubleshoot an interference issue with the Certifyme wireless LAN.
Which two devices can interfere with the operation of this network because they operate on similar
frequencies? (Choose two)
A. Microwave oven
B. AM radio
C. Toaster
D. Copier
E. Cordless phone
F. IP phone
G. I-pod

Answer: AE

Section: EXPLAIN AND SELECT THE APPROPRIATE ADMINISTRATIVE TASKS REQUIRED FOR A WLAN
Explanation/Reference:
Topic 6, IDENTIFY SECURITY THREATS TO A
NETWORK AND DESCRIBE GENERAL METHODS TO MITIGATE THOSE THREATS (9 questions)
Section 1: Describe today’s increasing network security threats and explain the need to implement a
comprehensive security policy to mitigate the threats (2 questions)
Exam F

QUESTION 596
You need to create a security plan for the Certifyme network. What should be part of a comprehensive network
security plan?
A. Delay deployment of software patches and updates until their effect on end-user equipment is well known
and widely reported
B. Minimize network overhead by deactivating automatic antivirus client updates
C. Encourage users to use personal information in their passwords to minimize the likelihood of passwords
being forgotten
D. Physically secure network equipment from potential access by unauthorized individuals
E. Allow users to develop their own approach to network security
F. None of the above

Answer: D

Section: IDENTIFY SECURITY THREATS TO A NETWORK AND DESCRIBE GENERAL METHODS TO
MITIGATE THOSE THREATS
Explanation/Reference:
Explanation:
Computer systems and networks are vulnerable to physical attack; therefore, procedures should be
implemented to ensure that systems and networks are physically secure.
Physical access to a system or network provides the opportunity for an intruder to damage, steal, or corrupt
computer equipment, software, and information. When computer systems are networked with other
departments or agencies for the purpose of sharing information, it is critical that each party to the network take
appropriate measures to ensure that its system will not be physically breached, thereby compromising the
entire network. Physical security procedures may be the least expensive to implement but can also be the
most costly if not implemented. The most expensive and sophisticated computer protection software can be
overcome once an intruder obtains physical access to the network.

QUESTION 597
As the Certifyme network security administrator, you are concerned with the various possible network attacks.
Which type of attack is characterized by a flood of packets that are requesting a TCP connection to a server?
A. Trojan Horse
B. Reconnaissance
C. Denial of Service
D. Brute Force
E. Virus
F. Worm

Answer: C

Section: IDENTIFY SECURITY THREATS TO A NETWORK AND DESCRIBE GENERAL METHODS TO
MITIGATE THOSE THREATS
Explanation/Reference:
Explanation:
A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended
users. Although the means to, motives for and targets of a DoS attack may vary, it generally comprises the
concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning
efficiently or at all, temporarily or indefinitely. Among these are Network connectivity attacks.
These attacks overload the victim with TCP packets so that its TCP/IP stack is not able to handle any further
connections, and processing queues are completely full with nonsense malicious packets. As a consequence
of this attack, legitimate connections are denied.
One classic example of a network connectivity attack is a SYN Flood
Section 2: Explain general methods to mitigate common security
threats to network devices, hosts, and applications (2 questions)

QUESTION 592
You need to determine the proper security settings on a new Certifyme WLAN-capable office. Which encryption
type would WPA2 use in this office?
A. PSK
B. AES-CCMP
C. PPK via IV
D. CMIP/MIC
E. None of the above

Answer: B

Section: EXPLAIN AND SELECT THE APPROPRIATE ADMINISTRATIVE TASKS REQUIRED FOR A WLAN
Explanation/Reference:
Explanation:
In 2004, the IEEE 802.11i task group responsible for Wi-Fi security for the WLAN provided a series of
recommendations to fix known problems with Wireless Equivalent Privacy (WEP). Its recommendations
included using encryption techniques known as Advanced Encryption Standard Counter-Mode Cipher Block
Chaining (AES-CCMP) or AES for short.
AES is not the end of the story, as the industry had a problem when it moved from WEP to AES. What could be
done, for example, about legacy devices that could not support the upgrade to AES? The IEEE 802.11i task
group recommended using the Temporal Key Integrity Protocol (CMIP). As a patch, CMIP is not as secure as
AES, but it protects against all currently known attacks.
The urgent need to fix WEP caused the Wi-Fi Alliance to develop security patch recommendations for Wi-Fi
Protected Access (WPA) before the IEEE finalized standards. WPA was drawn from an early draft of the IEEE
802.11i standard, and there are significant differences between WPA and CMIP. What is similar is that neither
the WPA patch for WEP nor the CMIP patch is as secure as AES.
The Wi-Fi Alliance later came out with a new security recommendation-WPA, version 2 (WPA2)-to make WPA
consistent with IEEE 802.11i standards. One improvement to WPA2 was the recommendation to use AESCCMP
encryption mode. WPA2 has thus become synonymous with AES.
The table below summarizes the different encryption algorithms used for WLAN privacy.
Reference: http://www.convergedigest.com/bp-bbw/bp1.asp?ID=465&ctgy=Mesh
Section 5: Identify common issues with implementing wireless
networks. (Including: Interface, missconfiguration) (3 questions)

QUESTION 593
You need to add a wireless access point to a new Certifyme office. Which additional configuration step is
necessary in order to connect to an access point that has SSID broadcasting disabled?
A. Configure open authentication on the AP and the client
B. Set the SSID value in the client software to public
C. Set the SSID value on the client to the SSID configured on the AP
D. Configure MAC address filtering to permit the client to connect to the AP
E. None of the above

Answer: C

Section: EXPLAIN AND SELECT THE APPROPRIATE ADMINISTRATIVE TASKS REQUIRED FOR A WLAN
Explanation/Reference:

QUESTION 594
Which of the following data network would you implement if you wanted a wireless network that had a relatively
high data rate, but was limited to very short distances?
A. Broadband personal comm. Service (PCS)
B. Broadband circuit
C. Infrared
D. Spread spectrum
E. Cable

Answer: C

Section: EXPLAIN AND SELECT THE APPROPRIATE ADMINISTRATIVE TASKS REQUIRED FOR A WLAN
Explanation/Reference:
Explanation:
A good example of the range of an infrared is a television remote control or a garage door opener. Infrared
networks are capable of high data rates, but they are limited in the distance between the infrared points, and
also by the fact that a line of sight between the nodes is usually required.
Incorrect Answers:
A, D: Although these are both wireless methods, the data rate capabilities are somewhat limited, especially
when compared to infrared links.
B, E: Although these are both capable of relatively high data rates, they do not use wireless technology.

QUESTION 589
You are responsible for securing the Certifyme Wireless LAN using WPA. Which two statements best describe
the wireless security standard that is defined by WPA? (Choose two)
A. It requires use of an open authentication method
B. It specifies the use of a dynamic encryption keys that change each time a client establishes a connection
C. It includes authentication by PSK
D. It specifies use of a static encryption key that must be changed frequently to enhance security

Answer: BC

Section: EXPLAIN AND SELECT THE APPROPRIATE ADMINISTRATIVE TASKS REQUIRED FOR A WLAN
Explanation/Reference:
Explanation:
WPA is a more powerful security technology for Wi-Fi networks than WEP. It provides strong data protection
by using encryption as well as strong access controls and user authentication. WPA utilizes 128-bit encryption
keys and dynamic session keys to ensure your wireless network’s privacy and enterprise security.
There are two basic forms of WPA:
Either can use CMIP or AES for encryption. Not all WPA hardware supports AES.
WPA-PSK is basically an authentication mechanism in which users provide some form of credentials to verify
that they should be allowed access to a network. This requires a single password entered into each WLAN
node (Access Points, Wireless Routers, client adapters, bridges). As long as the passwords match, a client will
be granted access to a WLAN.
Encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is in
WPA-PSK, authentication is reduced to a simple common password, instead of user-specific credentials.
The Pre-Shared Key (PSK) mode of WPA is considered vulnerable to the same risks as any other shared
password system – dictionary attacks for example. Another issue may be key management difficulties such as
removing a user once access has been granted where the key is shared among multiple users, not likely in a
home environment.
Reference: http://www.dslreports.com/faq/wifisecurity/2.2_WPA

QUESTION 590
In an effort to increase security within the Certifyme wireless network, WPA is being utilized. Which two
statements shown below best describe the wireless security standard that is defined by WPA? (Choose two)
A. It requires use of an open authentication method
B. It specifies use of a static encryption key that must be changed frequently to enhance security
C. It includes authentication by PSK
D. It specifies the use of dynamic encryption keys that change each time a client establishes a connection
E. It requires that all access points and wireless devices use the same encryption key
F. WPA works only with Cisco access points

Answer: CD

Section: EXPLAIN AND SELECT THE APPROPRIATE ADMINISTRATIVE TASKS REQUIRED FOR A WLAN
Explanation/Reference:

QUESTION 591
Certifyme has chosen WPA over WEP in their wireless network. What is one reason why WPA encryption is
preferred over WEP in this network?
A. The WPA key values remain the same until the client configuration is changed.
B. The values of WPA keys can change dynamically while the system is used.
C. The access point and the client are manually configured with different WPA key values.
D. A WPA key is longer and requires more special characters than the WEP key.
E. None of the above

Answer: B

Section: EXPLAIN AND SELECT THE APPROPRIATE ADMINISTRATIVE TASKS REQUIRED FOR A WLAN
Explanation/Reference: