Module Group Exam 2 – Network Defense (NetDef) Module 4 – 8 Group Exam – Checkpoint Exam: Firewalls, Cryptography, and Cloud Security
1. Refer to the exhibit. An administrator has configured a standard ACL on R1 and applied it to interface serial 0/0/0 in the outbound direction. What happens to traffic leaving interface serial 0/0/0 that does not match the configured ACL statements?
- The resulting action is determined by the destination IP address and port number.
- The resulting action is determined by the destination IP address.
- The traffic is dropped.
- The source IP address is checked and, if a match is not found, traffic is routed out interface serial 0/0/1.
2. When an inbound Internet-traffic ACL is being implemented, what should be included to prevent the spoofing of internal networks?
- ACEs to prevent broadcast address traffic
- ACEs to prevent traffic from private address spaces
- ACEs to prevent ICMP traffic
- ACEs to prevent SNMP traffic
- ACEs to prevent HTTP traffic
3. Refer to the exhibit. What is the result of adding the established argument to the end of the ACE?
- 192.168.254.0 /23 traffic is allowed to reach any network.
- Any IP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network as long as it is in response to an originated request.
- Any traffic is allowed to reach the 192.168.254.0 255.255.254.0 network.
- Any TCP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network if it is in response to an originated request.
4. What single access list statement matches all of the following networks?
- access-list 10 permit 192.168.16.0 0.0.0.255
- access-list 10 permit 192.168.16.0 0.0.3.255
- access-list 10 permit 192.168.16.0 0.0.15.255
- access-list 10 permit 192.168.0.0 0.0.15.255
5. Refer to the exhibit. The IPv6 access list LIMITED_ACCESS is applied on the S0/0/0 interface of R1 in the inbound direction. Which IPv6 packets from the ISP will be dropped by the ACL on R1?
- neighbor advertisements that are received from the ISP router
- HTTPS packets to PC1
- ICMPv6 packets that are destined to PC1
- packets that are destined to PC1 on port 80
6. What are two characteristics of a stateful firewall? (Choose two.)
- uses static packet filtering techniques
- uses connection information maintained in a state table
- prevents Layer 7 attacks
- analyzes traffic at Layers 3, 4 and 5 of the OSI model
- uses complex ACLs which can be difficult to configure
7. How does a firewall handle traffic when it is originating from the public network and traveling to the DMZ network?
- Traffic that is originating from the public network is inspected and selectively permitted when traveling to the DMZ network.
- Traffic that is originating from the public network is usually forwarded without inspection when traveling to the DMZ network.
- Traffic that is originating from the public network is usually blocked when traveling to the DMZ network.
- Traffic that is originating from the public network is usually permitted with little or no restriction when traveling to the DMZ network.
8. Which type of firewall is commonly part of a router firewall and allows or blocks traffic based on Layer 3 and Layer 4 information?
- stateless firewall
- proxy firewall
- stateful firewall
- application gateway firewall
9. What is one limitation of a stateful firewall?
- not as effective with UDP- or ICMP-based traffic
- poor log information
- cannot filter unnecessary traffic
- weak user authentication
10. How does a firewall handle traffic when it is originating from the private network and traveling to the DMZ network?
- The traffic is selectively denied based on service requirements.
- The traffic is selectively permitted and inspected.
- The traffic is usually blocked.
- The traffic is usually permitted with little or no restrictions.
11. When a Cisco IOS zone-based policy firewall is being configured, which three actions can be applied to a traffic class? (Choose three.)
12. Which two statements describe the two configuration models for Cisco IOS firewalls? (Choose two.)
- Both IOS Classic Firewall and ZPF models require ACLs to define traffic filtering policies.
- ZPF must be enabled in the router configuration before enabling an IOS Classic Firewall.
- The IOS Classic Firewall and ZPF cannot be combined on a single interface.
- IOS Classic Firewalls and ZPF models can be enabled on a router concurrently.
- IOS Classic Firewalls must be enabled in the router configuration before enabling ZPF.
13. What are two benefits of using a ZPF rather than a Classic Firewall? (Choose two.)
- With ZPF, the router will allow packets unless they are explicitly blocked.
- ZPF policies are easy to read and troubleshoot.
- Multiple inspection actions are used with ZPF.
- The ZPF is not dependent on ACLs.
- ZPF allows interfaces to be placed into zones for IP inspection.
14. When using Cisco IOS zone-based policy firewall, where is the inspection policy applied?
- to a zone pair
- to a global service policy
- to a zone
- to an interface
15. Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router?
- inside zone
- outside zone
- system zone
- local zone
- self zone
16. Which cloud security domain covers cloud-specific aspects of infrastructure security and foundations for operating securely in the cloud?
- Application Security
- Data Security and Encryption
- Management Plane and Business Continuity
- Infrastructure Security
17. Which technique can be used to leverage virtual network topologies to run smaller and more isolated networks without incurring additional hardware costs?
- shadow IT
- fog computing
- edge computing
18. Which algorithm is used with symmetric encryption to provide confidentiality?
19. In which phase of application development is new software verified to run under the required security settings?
20. What is the description of VM sprawl?
- The demand for VMs is greater than the ability to create VMs.
- When a process breaks out of the VM and interacts with the host operating system.
- VMs are spread over too large of a geographic area.
- There are more VMs than can be effectively managed.
21. Which measure can a security analyst take to perform effective security monitoring against network traffic encrypted by SSL technology?
- Use a Syslog server to capture network traffic.
- Require remote access connections through IPsec VPN.
- Deploy a Cisco ASA.
- Deploy a Cisco SSL Appliance.
22. What technology has a function of using trusted third-party protocols to issue credentials that are accepted as an authoritative identity?
- hashing algorithms
- PKI certificates
- symmetric keys
- digital signatures
23. Match the description with the correct term.
24. Which method tries all possible passwords until a match is found?
- brute force
- rainbow tables
25. An IT enterprise is recommending the use of PKI applications to securely exchange information between employees. In which two cases might an organization use PKI applications to securely exchange information between users? (Choose two.)
- file and directory access permission
- HTTPS web service
- local NTP server
- 802.1x authentication
- FTP transfers