TestKing 350-018

TestKing Cisco 350-018 Exam Questions & Answers

TK's CCIE Pre-Qualification Test for Security

Exam number/code: 350-018
Exam name: TK's CCIE Pre-Qualification Test for Security
Questions & Answers: 824 Q&A
Related Certifications: CCIE

Hundreds of people each day pass their IT certification exams with Testking
guaranteed certification resources and training kits.

Use the Cisco 350-018 questions and answers to practice for your next Cisco certification
exam. If you don't pass – you don't pay! Testking has the first and only 100% product
satisfaction and exam passing guarantee. Advanced practice questions and answers help
drive the information into your routine thinking and surpass 350-018 brain dumps in retention
and skill building.

Cisco 350-018 exam answers and practice questions can be used at home or office,
installable on up to two PCs, or print the questions and answers to take with you and train
on-the-go! Cisco 350-018 preparation tools are the perfect fit for any Cisco certification
candidate with 350-018 training materials for every level of entry.

Exam Engine Features
Control your IT training process by customizing your practice certification questions and
answers. The fastest and best way to train.

   *   Truly interactive practice tests
   *   Create and take notes on any question
   *   Retake tests until you're satisfied
   *   YOU select the areas of the exam to cover
   *   Filter questions for a new practice test experience each time
   *   Re-visit difficult questions

  Exam: 350-018 Certification Questions & Answers

Question 1:

Why is NTP an important component when implementing IPSec VPN in a PKI environment?

A. To ensure the router has the correct time when checking certificate validity from the
remote peers.
B. To ensure the router has the correct time when generating its private/public key pairs.
C. To ensure the router time is synchronized with the remote peers during the DH exchange.
D. To ensure the router time is synchronized with the remote peers when generating the
cookies during IKE phase 1.
E. To ensure the router time is synchronized with the remote peers for encryption key
generation.

Answer: A

Question 2:

CS-MARS works with which IOS feature to accomplish anomaly detection?

A. Netflow
B. Autosecure
C. IOS Network Foundation Protection (NFP)
D. IOS Firewall

Answer: A

Question 3:

aaa new-model
aaa authentication login default radius local
aaa authorization exec default radius
enable password cisco
radius-server key password
username root privilege 15 password 0 router
line con 0
login authentication default

Look at the attached configuration. If the RADIUS server is unavailable, what will happen
when the root user tries to log in?

A. He will be authenticated locally.
B. Login will succeed through RADIUS.
C. Login will fail.
D. Router will crash.

Answer: A

If there is no response from the RADIUS server, then according to the command
'aaa authentication login default radius local' the router falls back to its local user
database, and because the entry 'username root xxxx' is present there, the root user will be
authenticated successfully.
So, the answer is A.

Question 4:

What would be the consequence that all the other nodes would experience when a jam
signal causes a collision on an Ethernet LAN?

A. All other nodes will recognize the collision and all nodes should stop sending new data.
B. All other nodes will compute part of a hash algorithm to determine the random amount of
time the nodes should back off before retransmitting.
C. A signal was generated to help the network administrators isolate the fault domain
between two Ethernet nodes.
D. A faulty transceiver is locked in the transmit state, causing it to violate CSMA/CD rules.
E. A high-rate of collisions was caused by a missing or faulty terminator on a coaxial
Ethernet network.

Answer: A

When a collision is detected the device will "transmit a jam signal". This informs all the
devices on the network that there has been a collision and hence stops them initiating the
transmission of new data. This "jam signal" is a sequence of 32 bits that can have any value
as long as it does not equal the CRC value in the damaged frame's FCS field. The jam
signal is normally 32 1's, as this leaves only a 1 in 2^32 chance that the CRC is correct by
chance. Because the CRC value is incorrect, all devices listening on the network will detect
that a collision has occurred and hence will not create further collisions by transmitting
immediately.

"Part of a hash algorithm was computed, to determine the random amount of time the nodes
should back off before retransmitting." WOULD SEEM CORRECT BUT IT IS

After transmitting the jam signal, the two nodes involved in the collision use an algorithm
called "truncated BEB" (truncated binary exponential back-off) to determine when they will
next retransmit. The algorithm works as follows. Each device waits a multiple of 51.2 us
(the minimum time required for a signal to traverse the network) before retransmitting;
51.2 us is known as a "slot". The device waits a certain number of these time slots before
attempting to retransmit. The number of time slots is chosen at random from the set
{0, ..., 2^k - 1}, where k is the number of collisions so far. k is initialized to 1, so on the
first retransmission attempt the number of slots is chosen at random from the set {0, 1};
on the second attempt the set is {0, 1, 2, 3}, and so on. k stays at the value 10 for the 11th,
12th, 13th, 14th, 15th and 16th attempts, but on the 17th attempt the MAC unit stops trying
to transmit and reports an error to the layer above.
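The truncated BEB rule above, written out as a small Python model. This is an added example, not part of the TestKing material; the constant names, the 51.2 us slot time taken from the explanation, and the seed parameter used to make a simulated run reproducible are choices made here.

```python
import random

SLOT_TIME_US = 51.2     # one slot time, as stated above: the minimum signal transit time
MAX_EXPONENT = 10       # k stops growing at 10 (attempts 11 through 16 keep using 2^10 slots)
MAX_COLLISIONS = 16     # after the 16th collision there is no 17th attempt: report an error

def backoff_range(collisions):
    """Smallest and largest slot count the MAC may pick after `collisions` collisions."""
    k = min(collisions, MAX_EXPONENT)
    return 0, 2 ** k - 1

def backoff_slots(collisions, rng=None):
    """Draw the random slot count for the next retransmission attempt.
    Valid after collisions 1..15; after the 16th collision the frame is dropped instead."""
    if collisions < 1:
        raise ValueError("backoff is only computed after a collision")
    if collisions >= MAX_COLLISIONS:
        raise RuntimeError("excessive collisions: frame discarded, error reported upward")
    low, high = backoff_range(collisions)
    return (rng or random).randint(low, high)

def simulate_transmission(collision_probability, seed=0):
    """Send one frame on a shared segment where each attempt independently collides with
    probability `collision_probability`. Returns (delivered, collisions, total_backoff_us).
    The seed is a constructed convenience for reproducible runs, not a MAC-layer feature."""
    rng = random.Random(seed)
    collisions = 0
    total_backoff_us = 0.0
    while True:
        if rng.random() >= collision_probability:      # attempt went through
            return True, collisions, total_backoff_us
        collisions += 1                                 # collision: jam sent, now back off
        if collisions >= MAX_COLLISIONS:
            return False, collisions, total_backoff_us  # MAC gives up after 16 collisions
        total_backoff_us += backoff_slots(collisions, rng) * SLOT_TIME_US

if __name__ == "__main__":
    for c in (1, 2, 3, 10, 15):
        print(f"after collision {c:2d}: slots drawn from {backoff_range(c)}")
    delivered, n, wait = simulate_transmission(0.5, seed=42)
    print(f"delivered={delivered} collisions={n} backoff={wait:.1f} us")
```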

Question 5:

If you had to choose one command in global-config mode to disable CDP on interface e0/0,
which would it be? Choose the best answer.

A. no cdp run
B. no cdp enable
C. no cdp
D. no ip cdp

Answer: A

VERY TRICKY! Notice it says global config (router-config)# not (router-config-if)#.
Normally you would use cdp enable / no cdp enable to control CDP on an interface, but the
question calls for a global command. The normal global command is cdp run.
cdp run -- To enable Cisco Discovery Protocol (CDP), use the cdp run global configuration
command. To disable CDP, use the no form of this command.
cdp enable -- To enable Cisco Discovery Protocol (CDP) on an interface, use the cdp enable
interface configuration command. To disable CDP on an interface, use the no form of this
command.

Question 6:

In Unix, where are failed super-user level access attempts stored?

A. /var/adm/sulog
B. /var/adm/wtmp
C. /etc/adm/sulog
D. /etc/wtmp
E. /etc/shadow

Answer: A

This file contains a history of su(1M) command usage. As a security measure, this file
should not be readable by others. Truncate the /var/adm/sulog file periodically to keep the
size of the file within a reasonable limit. The /usr/sbin/cron, the /sbin/rc0, or the /sbin/rc2
command can be used to clean up the sulog file. You can add the appropriate commands to
the /var/spool/cron/crontabs/root file or add shell commands to directories such as /etc/rc2.d,
/etc/rc3.d, and so on. The following two line script truncates the log file and saves only its
last 100 lines:

Question 7:

What is a benefit of implementing RFC 2827?

A. Prevents DoS from legitimate, non-hostile end systems
B. Prevents disruption of special services such as Mobile IP
C. Defeats DoS attacks which employ IP Source Address Spoofing
D. Restricts directed broadcasts at the ingress router
E. Allows DHCP or BOOTP packets to reach the relay agents as appropriate

Answer: C

RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP
Source Address Spoofing

Recent occurrences of various Denial of Service (DoS) attacks which have employed forged
source addresses have proven to be a troublesome issue for Internet Service Providers and
the Internet community overall. This paper discusses a simple, effective, and straightforward
method for using ingress traffic filtering to prohibit DoS attacks which use forged IP
addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation

While the filtering method discussed in this document does absolutely nothing to protect
against flooding attacks which originate from valid prefixes (IP addresses), it will prohibit an
attacker within the originating network from launching an attack of this nature using forged
source addresses that do not conform to ingress filtering rules. All providers of Internet
connectivity are urged to implement filtering described in this document to prohibit attackers
from using forged source addresses which do not reside within a range of legitimately
advertised prefixes. In other words, if an ISP is aggregating routing announcements for
multiple downstream networks, strict traffic filtering should be used to prohibit traffic which
claims to have originated from outside of these aggregated announcements.
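The strict ingress filtering rule described above, as an added Python illustration that is not from the RFC or this guide: a packet is forwarded only when its source address lies within a prefix the provider advertises for that interface. The prefixes and packets are constructed sample values using documentation ranges.

```python
import ipaddress

# Constructed sample: prefixes the ISP legitimately advertises for the customer
# network behind one ingress interface (documentation ranges, not real allocations).
ADVERTISED_PREFIXES = ["192.0.2.0/24", "2001:db8:100::/48"]

# Constructed sample traffic arriving on that interface, as (source, destination).
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.5"),           # genuine customer host
    ("10.0.0.7", "203.0.113.5"),             # forged: private source
    ("198.51.100.99", "203.0.113.5"),        # forged: another provider's prefix
    ("2001:db8:100::1", "2001:db8:200::1"),  # genuine IPv6 customer host
    ("2001:db8:999::1", "2001:db8:200::1"),  # forged IPv6 source
]

def build_ingress_filter(prefixes):
    """Return a predicate implementing RFC 2827 strict ingress filtering: a packet is
    permitted only if its source lies inside a prefix advertised for this interface."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    def permit(src):
        addr = ipaddress.ip_address(src)
        # ip_network membership already returns False when IP versions differ.
        return any(addr in n for n in nets)
    return permit

def apply_ingress_filter(prefixes, packets):
    """Split packets into (forwarded, dropped) by source-address validity.
    The RFC's stated limit applies: a forged source that still falls inside the
    customer's own prefix is indistinguishable here and is forwarded."""
    permit = build_ingress_filter(prefixes)
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if permit(src) else dropped).append((src, dst))
    return forwarded, dropped

if __name__ == "__main__":
    fwd, drop = apply_ingress_filter(ADVERTISED_PREFIXES, SAMPLE_PACKETS)
    for src, dst in fwd:
        print(f"permit {src:>16} -> {dst}")
    for src, dst in drop:
        print(f"deny   {src:>16} -> {dst}  (source outside advertised prefixes)")
```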

Question 8:

If an administrator is unable to connect to a Cisco ASA or PIX security appliance via Cisco
which four of the following items should be checked? (Choose four.)
A. The HTTPS server is enabled.
B. The user IP address is permitted in the interface ACL.
C. The user IP address is permitted in the HTTP statement.
D. The asdm image command exists in the configuration.
E. The HTTP server is enabled.
F. The ASDM file resides in flash memory.

Answer: C,D,E,F

Question 9:

A Kerberos user defined in the Kerberos database is called a:

A. Principal
B. Kerberos user
C. User
D. Authenticator
E. Accessor

Answer: A

Question 10:

To encrypt passwords stored on your Cisco router, what command must you run?

A. service password-encryption
B. service encryption-password
C. password-encryption
D. encrypt service-passwords
E. password hash
F. no service password-cleartext

Answer: A

To encrypt passwords, use the service password-encryption global configuration command.
Use the no form of this command to disable this service.

Question 11:

IKE provides which of the following benefits? (Select all that apply)

A. Allow encryption keys to change during IPSec sessions.
B. Anti-replay.
C. Enables you to specify a lifetime for security associations.
D. Enable you to have certification authority (CA) support.
E. Data integrity.
F. Provides data integrity.

Answer: A,B,C,D

Specifically, IKE provides these benefits:
Eliminates the need to manually specify all the IPSec security parameters in the crypto maps
at both peers.
Allows you to specify a lifetime for the IPSec security association.
Allows encryption keys to change during IPSec sessions.
Allows IPSec to provide anti-replay services.
Permits CA support for a manageable, scalable IPSec implementation.
Allows dynamic authentication of peers

Question 12:

What command is this output from?
nameif ethernet0 outside security0
nameif ethernet1 inside security100

A. show nameif
B. show name
C. show interfaces
D. show ip int brief
E. show run

Answer: A

Question 13:

What does split horizon do?

A. Keeps the router from sending routes out the same interface they came in.
B. Sends a "route delete" back down the same interface that the route came in.
C. Ignores routing updates.
D. Waits for the next update to come in before declaring the route unreachable.

Answer: A

"Split horizon" is a scheme for avoiding problems caused by including routes in updates sent
to the gateway from which they were learned. The "simple split horizon" scheme omits
routes learned from one neighbor in updates sent to that neighbor. "Split horizon with
poisoned reverse" includes such routes in updates, but sets their metrics to infinity.

Question 14:

What is the main difficulty facing exploit software when trying to hijack a TCP session?

A. Spoofing a source address.
B. Hopping a VLAN to get in-line with the connection.
C. Calculating the sequence number.
D. Injecting their IP address as a default gateway.
E. Converting the TCP packet to UDP for easier injection.

Answer: C


Question 15:

What functionality best defines the use of a 'stub' area within an OSPF environment?

A. A stub area appears only on remote areas to provide connectivity to the OSPF backbone.
B. A stub area is used to inject the default route for OSPF.
C. A stub area uses the no-summary keyword to explicitly block external routes, defines the
non-transit area, and uses the default route to reach external networks.
D. A stub area is used to reach networks external to the sub area.

Answer: B

These areas do not accept routes belonging to external autonomous systems (AS);
however, these areas have inter-area and intra-area routes. In order to reach the outside
networks, the routers in the stub area use a default route which is injected into the area by
the Area Border Router (ABR). A stub area is typically configured in situations where the
branch office need not know about all the routes to every other office; instead it can use a
default route to the central office and get to other places from there.
Hence the memory requirements of the leaf node routers are reduced, and so is the size of
the OSPF database.
