QUESTION: 1
Which consideration is important when implementing Syslogging in your network?
Answer: D
QUESTION: 2
Which statement is true when you have generated RSA keys on your Cisco router to prepare
for secure device management?
A. You must then zeroize the keys to reset secure shell before configuring other parameters.
B. The SSH protocol is automatically enabled.
C. You must then specify the general-purpose key size used for authentication with the
crypto key generate rsa general-keys modulus command.
D. All vty ports are automatically enabled for SSH to provide secure management.
Answer: B
QUESTION: 3
What does level 5 in the following enable secret global configuration mode command
indicate?
router# enable secret level 5 password
2 http://www.hotcerts.com
640-553
Answer: E
QUESTION: 4
Drop
Answer:
QUESTION: 5
Drop
Answer:
QUESTION: 6
Which of these correctly matches the CLI command(s) to the equivalent SDM wizard that
performs similar configuration functions?
A. Cisco Common Classification Policy Language configuration commands and the SDM
Site-to-Site VPN wizard
B. Auto secure exec command and the SDM One-Step Lockdown wizard
C. Setup exec command and the SDM Security Audit wizard
D. Class-maps, policy-maps, and service-policy configuration commands and the SDM IPS
Wizard
E. Aaa configuration commands and the SDM Basic Firewall wizard
Answer: B
QUESTION: 7
What is the key difference between host-based and network-based intrusion prevention?
A. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.
B. Network-based IPS provides better protection against OS kernel-level attacks against
hosts and servers.
C. Network-based IPS can provide protection to desktops and servers without the need of
installing specialized software on the end hosts and servers.
D. Host-based IPS can work in promiscuous mode or inline mode.
E. Host-based IPS is more scalable than network-based IPS.
F. Host-based IPS deployment requires less planning than network-based IPS.
Answer: C
QUESTION: 8
Refer to the exhibit.
You are a network manager for your organization. You are looking at your Syslog server
reports. Based on the Syslog message shown, which two statements are true? (Choose two.)
Answer: A, D
QUESTION: 9
You suspect an attacker in your network has configured a rogue layer 2 device to intercept
traffic from multiple VLANs, thereby allowing the attacker to capture potentially sensitive
data. Which two methods will help to mitigate this type of activity? (Choose two.)
A. Turn off all trunk ports and manually configure each VLAN as required on each port
B. Disable DTP on ports that require trunking
C. Secure the native VLAN, VLAN 1 with encryption
D. Set the native VLAN on the trunk ports to an unused VLAN
E. Place unused active ports in an unused VLAN
Answer: B, D
QUESTION: 10
Which three statements about SSL-based VPNs are true? (Choose three.)
Answer: A, C, D
QUESTION: 11
When configuring AAA login authentication on Cisco routers, which two authentication
methods should be used as the final method to ensure that the administrator can still log in to
the router in case the external AAA server fails? (Choose two.)
A. Group RADIUS
B. Group TACACS+
C. Local
D. Krb5
E. Enable
F. If-authenticated
Answer: C, E
QUESTION: 12
What is a result of securing the Cisco IOS image using the Cisco IOS image resilience
feature?
A. The show version command will not show the Cisco IOS image file location.
B. The Cisco IOS image file will not be visible in the output from the show flash command.
C. When the router boots up, the Cisco IOS image will be loaded from a secured FTP
location.
D. The running Cisco IOS image will be encrypted and then automatically backed up to the
NVRAM.
E. The running Cisco IOS image will be encrypted and then automatically backed up to a
TFTP server.
Answer: B
QUESTION: 13
Which two protocols enable Cisco SDM to pull IPS alerts from a Cisco ISR router?
(Choose two.)
A. HTTPS
B. SDEE
C. FTP
D. TFTP
E. SSH
F. Syslog
Answer: B, F
QUESTION: 14
What are three common examples of AAA implementation on Cisco routers? (Choose three.)
A. Authenticating remote users who are accessing the corporate LAN through IPSec VPN
Connections
B. Authenticating administrator access to the router console port, auxiliary port, and vty ports
C. Implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates
D. Tracking Cisco Netflow accounting statistics
E. Securing the router by locking down all unused services
F. Performing router commands authorization using TACACS+
Answer: A, B, F
QUESTION: 15
Refer to the exhibit.
Which statement is correct based on the show login command output shown?
A. When the router goes into quiet mode, any host is permitted to access the router via
Telnet, SSH, and HTTP, since the quiet-mode access list has not been configured.
B. The login block-for command is configured to block login hosts for 93 seconds.
C. All logins from any sources are blocked for another 193 seconds.
D. Three or more login requests have failed within the last 100 seconds.
Answer: D
QUESTION: 16
Drop
Answer:
QUESTION: 17
Which two statements about configuring the Cisco ACS server to perform router command
authorization are true? (Choose two.)
A. When adding the router as an AAA client on the Cisco ACS server, choose the
Answer: A, C
QUESTION: 18
Which four methods are used by hackers? (Choose four.)
Answer: A, B, E, F
QUESTION: 19
When port security is enabled on a Cisco Catalyst switch, what is the default action when the
configured maximum of allowed MAC addresses value is exceeded?
Answer: A
QUESTION: 20
LAB
Answer:
Switch1>enable
Switch1#config t
Switch1(config)#interface fa0/12
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport port-security maximum 2
Switch1(config-if)#switchport port-security violation shutdown
Switch1(config-if)#no shut
Switch1(config-if)#end
Switch1#copy run start
QUESTION: 21
Which statement about Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later is true?
Answer: A
QUESTION: 22
Which characteristic is the foundation of Cisco Self-Defending Network technology?
A. Secure connectivity
B. Threat control and containment
C. Policy management
D. Secure network platform
Answer: D
QUESTION: 23
Which kind of table do most firewalls use today to keep track of the connections through
the firewall?
A. Dynamic ACL
B. Reflexive ACL
C. Netflow
D. Queuing
E. State
F. Express forwarding
Answer: E
QUESTION: 24
Drop
Answer:
QUESTION: 25
Which Cisco IOS command is used to verify that either the Cisco IOS image, the
configuration files, or both have been properly backed up and secured?
A. Show archive
B. Show secure bootset
C. Show flash
D. Show file systems
E. Dir
F. Dir archive
Answer: B
QUESTION: 26
What is the primary type of intrusion prevention technology used by the Cisco IPS security
appliances?
A. Profile-based
B. Rule-based
C. Signature-based
D. Protocol analysis-based
E. Netflow anomaly-based
Answer: C
QUESTION: 27
What does the secure boot-config global configuration command accomplish?
Answer: C
QUESTION: 28
What are two characteristics of the SDM Security Audit wizard? (Choose two.)
A. Displays a screen with Fix-it check boxes to let you choose which potential security-
related configuration changes to implement
B. Has two modes of operation: interactive and non-interactive
C. Automatically enables Cisco IOS firewall and Cisco IOS IPS to secure the router
D. Uses interactive dialogs and prompts to implement role-based CLI
E. Requires users to first identify which router interfaces connect to the inside network and
which connect to the outside network
Answer: A, E
QUESTION: 29
Refer to the exhibit.
What does the option secret 5 in the username global configuration mode command indicate?
Answer: C
QUESTION: 30
Refer to the exhibit.
Based on the show policy-map type inspect zone-pair session command output shown, what
can be determined about this Cisco IOS zone based firewall policy?
A. All packets will be dropped since the class-default traffic class is matching all traffic.
B. This is an inbound policy (applied to traffic sourced from the less secured zone destined
to the more secured zone).
C. This is an outbound policy (applied to traffic sourced from the more secured zone destined
to the less secured zone).
D. Stateful packet inspection will be applied only to HTTP packets that also match ACL 110.
E. All non-HTTP traffic will be permitted to pass as long as it matches ACL 110.
F. All non-HTTP traffic will be inspected.
Answer: D
QUESTION: 31
During role-based CLI configuration, what must be enabled before any user views can be
created?
Answer: C
QUESTION: 32
With Cisco IOS Zone-Based Policy Firewall, by default, which three types of traffic are
permitted by the router when some of the router interfaces are assigned to a zone? (Choose
three.)
A. Traffic flowing between a zone member interface and any interface that is not a zone
member
B. Traffic flowing to and from the router interfaces (the self zone)
C. Traffic flowing among the interfaces that are members of the same zone
D. Traffic flowing among the interfaces that are not assigned to any zone
E. Traffic flowing between a zone member interface and another interface that belongs in a
different zone
F. Traffic flowing to the zone member interface that is returned traffic
Answer: B, C, D
QUESTION: 33
Which statement about Cisco IOS Zone-Based Policy Firewall is true?
E. Policy maps are used to classify traffic into different traffic classes, and class maps are
used to assign action to the traffic classes.
F. Service policies are applied in the interface configuration mode.
Answer: B
QUESTION: 34
When configuring Cisco IOS Zone-Based Policy Firewall, what are the three actions that
can be applied to a traffic class? (Choose three.)
A. Pass
B. Police
C. Inspect
D. Drop
E. Queue
F. Shape
Answer: A, C, D
QUESTION: 35
Refer to the exhibit.
Based on the rules shown, which access control list would prevent IP address spoofing of
these internal networks?
A. SDM_Default_196
B. SDM_Default_197
C. SDM_Default_198
D. SDM_Default_199
Answer: C
QUESTION: 36
Drop
Drag each AAA function on the left to the protocol that it corresponds to.
Answer:
QUESTION: 37
Refer to the exhibit.
Based on the VPN connection shown, which statement is true?
IPsec policy.
D. The tunnel is down because the transform set needs to include the Authentication Header
parameter.
Answer: A
QUESTION: 38
When using a stateful firewall, which information is stored in the stateful session flow table?
Answer: B
QUESTION: 39
With Cisco IOS Zone-Based Policy Firewall, where is the inspection policy applied?
A. To the zone
B. To the zone-pair
C. To the interface
D. To the global service policy
Answer: B
QUESTION: 40
Which statement is true about configuring access control lists to control Telnet traffic
destined to the router itself?
A. The ACL is applied to the Telnet port with the ip access-group command.
B. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user
from connecting to an unsecured port.
C. The ACL applied to the vty lines has no in or out option like ACL being applied to an
interface.
D. The ACL must be applied to each vty line individually.
Answer: B
QUESTION: 41
When configuring role-based CLI on a Cisco router, which step is performed first?
Answer: D
QUESTION: 42
Refer to the exhibit.
Which statement about the aaa configurations is true?
A. The authentication method list used by the console port is named test.
B. The authentication method list used by the vty port is named test.
C. If the TACACS+ AAA server is not available, no users will be able to establish a Telnet
session with the router.
D. If the TACACS+ AAA server is not available, console access to the router can be
authenticated using the local database.
E. The local database is checked first when authenticating console and vty access to the
router.
Answer: B
QUESTION: 43
Which characteristic is a potential security weakness of a traditional stateful firewall?
Answer: B
QUESTION: 44
What is the purpose of Diffie-Hellman?
A. Used between the initiator and the responder to establish a basic security policy
B. Used to verify the identity of the peer
C. Used for asymmetric public key encryption
D. Used to establish a symmetric shared key via a public key exchange process
Answer: D
QUESTION: 45
Which statement is true about asymmetric encryption algorithms?
A. They use the same key for encryption and decryption of data.
B. They use the same key for decryption but different keys for encryption of data.
C. They use different keys for encryption and decryption of data.
D. They use different keys for decryption but the same key for encryption of data.
Answer: C
QUESTION: 46
Which aaa accounting command is used to enable logging of both the start and stop records
for user terminal sessions on the router?
Answer: C
QUESTION: 47
Refer to the exhibit and partial configuration. Which statement is true?
A. All traffic destined for network 172.16.150.0 will be denied due to the implicit deny all.
B. All traffic from network 10.0.0.0 will be permitted.
C. Access-list 101 will prevent address spoofing from interface E0.
D. This is a misconfigured ACL resulting in traffic not being allowed into the router in
interface S0.
E. This ACL will prevent any host on the Internet from spoofing the inside network address
as the source address for packets coming into the router from the Internet.
Answer: C
QUESTION: 48
Which of these can be used to authenticate the IPsec peers during IKE Phase 1?
A. Diffie-Hellman Nonce
B. pre-shared key
C. XAUTH
D. Integrity check value
E. ACS
F. AH
Answer: B
QUESTION: 49
What will be disabled as a result of the no service password-recovery command?
Answer: B
QUESTION: 50
Which three statements about applying access control lists to a Cisco router are true?
(Choose three.)
Answer: A, C, E
QUESTION: 51
What does the MD5 algorithm do?
A. Takes a message less than 2^64 bits as input and produces a 160-bit message digest
B. Takes a variable-length message and produces a 168-bit message digest
C. Takes a variable-length message and produces a 128-bit message digest
D. Takes a fixed-length message and produces a 128-bit message digest
Answer: C
QUESTION: 52
Which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030
destined to host 192.168.1.10?
Answer: B
QUESTION: 53
You have configured a standard access control list on a router and applied it to interface
Serial 0 in an outbound direction. No ACL is applied to Interface Serial 1 on the same
router. What happens when traffic being filtered by the access list does not match the
configured ACL statements for Serial 0?
Answer: D
QUESTION: 54
Drop
Match the descriptions on the left with the IKE phases on the right.
Answer:
QUESTION: 55
Which of these is the strongest symmetrical encryption algorithm?
A. DES
B. 3DES
C. AES
D. RSA
E. SHA
F. Diffie-Hellman
Answer: C
QUESTION: 56
Which location is recommended for extended or extended named ACLs?
Answer: D
QUESTION: 57
Which two functions are required for IPsec operation? (Choose two.)
Answer: C, E
QUESTION: 58
Which three statements about the IPsec protocol are true? (Choose three.)
Answer: A, C, D
QUESTION: 59
Which classes does the U.S. government place classified data into? (Choose three.)
A. SBU
B. Confidential
C. Secret
D. Top-secret
Answer: B, C, D
QUESTION: 60
Which method of gaining access to a system bypasses normal security measures?
Answer: A
QUESTION: 61
Which statement is true about a Smurf attack?
A. It sends ping requests to a subnet, requesting that devices on that subnet send ping replies
to a target system.
B. It intercepts the third step in a TCP three-way handshake to hijack a session.
C. It uses Trojan horse applications to create a distributed collection of "zombie" computers,
which can be used to launch a coordinated DDoS attack.
D. It sends ping requests in segments of an invalid size.
Answer: A
QUESTION: 62
Please choose the correct description about Cisco Self-Defending Network characteristics.
A. INTEGRATED - HC1
COLLABORATIVE - HC2
ADAPTIVE - HC3
B. INTEGRATED - HC2
COLLABORATIVE - HC1
ADAPTIVE - HC3
C. INTEGRATED - HC2
COLLABORATIVE - HC3
ADAPTIVE - HC1
D. INTEGRATED - HC3
COLLABORATIVE - HC2
ADAPTIVE - HC1
Answer: B
QUESTION: 63
Which three items are Cisco best-practice recommendations for securing a network?
(Choose three.)
Answer: B, C, D
QUESTION: 64
As networks continue to grow, various network attacks appear. Which statement best
describes the relationship between each attack method and its result?
Answer: B
QUESTION: 65
Which of the following is intended to ensure that no one employee becomes a pervasive
security threat, that data can be recovered from backups, and that information system
changes do not compromise a system's security?
A. Disaster recovery
B. Strategic security planning
C. Implementation security
D. Operations security
Answer: D
QUESTION: 66
Which three options are network evaluation techniques? (Choose three.)
A. Scanning a network for active IP addresses and open ports on those IP addresses
B. Using password-cracking utilities
C. Performing end-user training on the use of antispyware software
D. Performing virus scans
Answer: A, B, D
QUESTION: 67
Of the following common elements of a network design, which one is the most important?
A. Business needs
B. Best practices
C. Risk analysis
D. Security policy
Answer: A
QUESTION: 68
Which of the following items offers a variety of security solutions, including firewall, IPS,
VPN, antispyware, antivirus, and antiphishing features?
Answer: B
QUESTION: 69
The enable secret password appears as an MD5 hash in a router's configuration file, whereas
the enable password is not hashed (or encrypted, if the password-encryption service is not
enabled). What is the reason that Cisco still supports the use of both enable secret and enable
passwords in a router's configuration?
A. The enable password is used for IKE Phase I, whereas the enable secret password is used
for IKE Phase II.
B. The enable password is considered to be a router's public key, whereas the enable secret
password is considered to be a router's private key.
C. Because the enable secret password is a hash, it cannot be decrypted. Therefore, the
enable password is used to match the password that was entered, and the enable secret is
used to verify that the enable password has not been modified since the hash was generated.
D. The enable password is present for backward compatibility.
Answer: D
QUESTION: 70
How does CLI view differ from a privilege level?
A. A CLI view supports only commands configured for that specific view, whereas a
privilege level supports commands available to that level and all the lower levels.
B. A CLI view supports only monitoring commands, whereas a privilege level allows a user
to make changes to an IOS configuration.
C. A CLI view and a privilege level perform the same function. However, a CLI view is used
on a Catalyst switch, whereas a privilege level is used on an IOS router.
D. A CLI view can function without a AAA configuration, whereas a privilege level requires
AAA to be configured.
Answer: A
QUESTION: 71
When configuring Cisco IOS login enhancements for virtual connections, what is the "quiet
period"?
Answer: C
QUESTION: 72
Which three statements are valid SDM configuration wizards? (Choose three.)
A. Security Audit
B. VPN
C. STP
D. NAT
Answer: A, B, D
QUESTION: 73
How do you define the authentication method that will be used with AAA?
Answer: A
QUESTION: 74
What is the objective of the aaa authentication login console-in local command?
A. It specifies the login authorization method list named console-in using the local RADIUS
username-password database.
B. It specifies the login authorization method list named console-in using the local
username-password database on the router.
C. It specifies the login authentication method list named console-in using the local user
database on the router.
D. It specifies the login authentication list named console-in using the local username-
password database on the router.
Answer: C
QUESTION: 75
Which one of the following commands can be used to enable AAA authentication to
determine if a user can access the privilege command level?
Answer: D
QUESTION: 76
Please choose the correct matching relationships between the cryptography algorithms and
the type of algorithm.
Answer: B
QUESTION: 77
Which two ports are used with RADIUS authentication and authorization? (Choose two.)
Answer: C, D
QUESTION: 78
Which management topology keeps management traffic isolated from production traffic?
A. OOB
B. SAFE
C. MARS
D. OTP
Answer: A
QUESTION: 79
Information about a managed device's resources and activity is defined by a series of
objects. What defines the structure of these management objects?
A. FIB
B. LDAP
C. CEF
D. MIB
Answer: D
QUESTION: 80
When configuring SSH, which is the Cisco minimum recommended modulus value?
A. 2048 bits
B. 256 bits
C. 1024 bits
D. 512 bits
Answer: C
QUESTION: 81
When using the Cisco SDM Quick Setup Site-to-Site VPN wizard, which three parameters do
you configure? (Choose three.)
Answer: A, B, D
QUESTION: 82
If you click the Configure button along the top of Cisco SDM's graphical interface, which
Tasks button permits you to configure such features as SSH, NTP, SNMP, and syslog?
A. Additional Tasks
B. Security Audit
C. Intrusion Prevention
D. Interfaces and Connections
Answer: A
QUESTION: 83
Which Spanning Tree Protocol (STP) protection mechanism
disables a switch port if the port receives a Bridge Protocol Data Unit (BPDU)?
A. PortFast
B. BPDU Guard
C. UplinkFast
D. Root Guard
Answer: B
QUESTION: 84
If a switch is working in the fail-open mode, what will happen when the switch's CAM table
fills to capacity and a new frame arrives?
A. The switch sends a NACK segment to the frame's source MAC address.
B. A copy of the frame is forwarded out all switch ports other than the port the frame was
received on.
C. The frame is dropped.
D. The frame is transmitted on the native VLAN.
Answer: B
QUESTION: 85
Which type of MAC address is dynamically learned by a switch port and then added to the
switch's running configuration?
Answer: C
QUESTION: 86
In an IEEE 802.1x deployment, between which two devices are EAPOL messages typically
sent?
Answer: D
QUESTION: 87
What is enabled by the Dynamic Vector Streaming (DVS) scanning technology?
Answer: C
QUESTION: 88
Which Cisco Security Agent interceptor is in charge of intercepting all read/write requests to
the rc files in UNIX?
A. Network interceptor
B. Configuration interceptor
C. Execution space interceptor
D. File system interceptor
Answer: B
QUESTION: 89
What is the name of the e-mail traffic monitoring service that underlies the architecture of
IronPort?
A. IronPort M-Series
B. E-Base
C. TrafMon
D. SenderBase
Answer: D
QUESTION: 90
Which statement is not a reason for an organization to incorporate a SAN in its enterprise
infrastructure?
Answer: B
QUESTION: 91
Which protocol uses a LUN to differentiate the individual disk drives that comprise a target
device?
A. iSCSI
B. ATA
C. SCSI
D. HBA
Answer: C
QUESTION: 92
For the following statements, which one is perceived as a drawback of implementing Fibre
Answer: C
QUESTION: 93
Which two primary port authentication protocols are used with VSANs? (Choose two.)
A. ESP
B. CHAP
C. DHCHAP
D. SPAP
Answer: B, C
QUESTION: 94
Which VoIP component can permit or deny a call attempt on the basis of a network's
available bandwidth?
A. MCU
B. Gatekeeper
C. Application server
D. Gateway
Answer: B
QUESTION: 95
Which statement is true about vishing?
A. Influencing users to forward a call to a toll number (for example, a long distance or
international number)
B. Influencing users to provide personal information over the phone
C. Using an inside facilitator to intentionally forward a call to a toll number (for example, a
long distance or international number)
D. Influencing users to provide personal information over a web page
Answer: B
QUESTION: 96
An IPsec tunnel is negotiated within the protection of which type of tunnel?
A. GRE tunnel
B. L2TP tunnel
C. L2F tunnel
D. ISAKMP tunnel
Answer: D
QUESTION: 97
Which type of firewall is needed to open appropriate UDP ports required for RTP streams?
A. Proxy firewall
B. Packet filtering firewall
C. Stateful firewall
D. Stateless firewall
Answer: C
QUESTION: 98
Which two statements are correct regarding a Cisco IP phone's web access feature?
(Choose two.)
A. It is enabled by default.
B. It uses HTTPS.
C. It can provide IP address information about other servers in the network.
D. It requires login credentials, based on the UCM user database.
Answer: A, C
QUESTION: 99
Which option ensures that data is not modified in transit?
A. Authentication
B. Integrity
C. Authorization
D. Confidentiality
Answer: B
QUESTION: 100
What is a static packet-filtering firewall used for?
Answer: A
QUESTION: 101
Which firewall best practices can help mitigate worm and other automated attacks?
Answer: D
QUESTION: 102
Which statement best describes the Turbo ACL feature? (Choose all that apply.)
A. The Turbo ACL feature processes ACLs into lookup tables for greater efficiency.
B. The Turbo ACL feature leads to increased latency, because the time it takes to match the
packet is variable.
C. The Turbo ACL feature leads to reduced latency, because the time it takes to match the
packet is fixed and consistent.
D. Turbo ACLs increase the CPU load by matching the packet to a predetermined list.
Answer: A, C
QUESTION: 103
Which key method is used to detect and prevent attacks by use of IDS and/or IPS
technologies?
A. Signature-based detection
B. Anomaly-based detection
C. Honey pot detection
D. Policy-based detection
Answer: A
QUESTION: 104
Which two types of interfaces are found on all network-based IPS sensors? (Choose two.)
A. Loopback interface
B. Monitoring interface
C. Command and control interface
D. Management interface
Answer: B, C
QUESTION: 105
With which three tasks does the IPS Policies Wizard help you? (Choose three.)
Answer: A, B, D
QUESTION: 106
When editing global IPS settings, which option determines whether the IOS-based IPS
feature will drop or permit traffic for a particular IPS signature engine while a new signature
for that engine is being compiled?
Answer: A
QUESTION: 107
Regarding constructing a good encryption algorithm, what does creating an avalanche effect
indicate?
A. Changing only a few bits of a plain-text message causes the ciphertext to be completely
different.
B. Changing only a few bits of a ciphertext message causes the plain text to be completely
different.
C. Altering the key length causes the plain text to be completely different.
D. Altering the key length causes the ciphertext to be completely different.
Answer: A
QUESTION: 108
Stream ciphers run on which of the following?
A. Individual blocks, one at a time, with the transformations varying during the encryption
B. Individual digits, one at a time, with the transformations varying during the encryption
C. Fixed-length groups of digits called blocks
D. Fixed-length groups of bits called blocks
Answer: B
QUESTION: 109
Which description is true about ECB mode?
A. ECB mode uses the same 64-bit key to serially encrypt each 56-bit plain-text block.
B. In ECB mode, each 56-bit plain-text block is exclusive ORed (XORed) bitwise with the
previous ciphertext block.
C. ECB mode uses the same 56-bit key to serially encrypt each 64-bit plain-text block.
D. In ECB mode, each 64-bit plain-text block is exclusive ORed (XORed) bitwise with the
previous ciphertext block.
Answer: C
QUESTION: 110
In a brute-force attack, what percentage of the keyspace must an attacker generally search
through until he or she finds the key that decrypts the data?
A. Roughly 66 percent
B. Roughly 10 percent
C. Roughly 75 percent
D. Roughly 50 percent
Answer: D
QUESTION: 111
Which example is of a function intended for cryptographic hashing?
A. SHA-135
B. MD65
C. XR12
D. MD5
Answer: D
QUESTION: 112
Which one of the following items may be added to a password stored in MD5 to make it
more secure?
A. Rainbow table
B. Cryptotext
C. Ciphertext
D. Salt
Answer: D
QUESTION: 113
Which algorithm was the first to be found suitable for both digital signing and encryption?
A. SHA-1
B. MD5
C. HMAC
D. RSA
Answer: D
QUESTION: 114
Which two attacks focus on RSA? (Choose all that apply.)
A. DDoS attack
B. BPA attack
C. Adaptive chosen ciphertext attack
D. Man-in-the-middle attack
Answer: B, C
QUESTION: 115
Before a Diffie-Hellman exchange may begin, the two parties involved must agree on what?
Answer: D
QUESTION: 116
Which item shows the correct matching relationships associated with the IKE phases?
Answer: B
QUESTION: 117
Which three are distinctions between asymmetric and symmetric algorithms? (Choose all
that apply.)
Answer: A, C, D
QUESTION: 118
Which of the following is the strongest symmetrical encryption algorithm?
A. 3DES
B. DES
C. AES
D. Diffie-Hellman
Answer: C
QUESTION: 119
Which statement is true about a certificate authority (CA)?
A. A trusted third party responsible for signing the private keys of entities in a PKI-based
system
B. A trusted third party responsible for signing the public keys of entities in a PKI-based
system
C. An entity responsible for registering the private key encryption used in a PKI
D. An agency responsible for granting and revoking public-private key pairs
Answer: B
QUESTION: 120
Which Public Key Cryptographic Standards (PKCS) defines the syntax for encrypted
messages and messages with digital signatures?
A. PKCS #12
B. PKCS #10
C. PKCS #8
D. PKCS #7
Answer: D
QUESTION: 121
Which of the following items acts as a VPN termination device and is located at a primary
network location?
Answer: A
QUESTION: 122
Which of these are best practices for attack mitigation?
Answer: B
QUESTION: 123
Which category accounts for the great majority of software vulnerabilities that have been discovered?
A. Stack vulnerabilities
B. Software overflows
C. Heap overflows
D. Buffer overflows
Answer: D
QUESTION: 124
Which two actions can be configured to allow traffic to traverse an interface when zone-based security is being employed? (Choose two.)
A. Flow
B. Inspect
C. Pass
D. Allow
Answer: B, C
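Worked example (added here; not part of the original question set, and not Cisco IOS code): a small Python model of how a zone-based firewall evaluates traffic, written to make the difference between the two allowing actions concrete. "inspect" is stateful, so the reply to an inspected flow is admitted without any policy on the reverse zone pair; "pass" is stateless, so the reply needs its own policy. The zone names, class names and ports are constructed for the example. In IOS the same structure is expressed with class-map type inspect, policy-map type inspect, zone-pair security and service-policy type inspect.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

INSPECT, PASS, DROP = "inspect", "pass", "drop"   # the three ZBF policy actions


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    port: int            # server-side port, so a reply carries the same value

    def reverse(self) -> "Flow":
        return Flow(self.dst_zone, self.src_zone, self.proto, self.port)


# A class-map is a name plus a match predicate; a policy-map is an ordered list
# of (class-map, action). Anything no class matches falls to class-default.
ClassMap = Tuple[str, Callable[[Flow], bool]]
PolicyMap = List[Tuple[ClassMap, str]]


class ZoneBasedFirewall:
    def __init__(self) -> None:
        self.zone_pairs: Dict[Tuple[str, str], PolicyMap] = {}
        self.sessions: set = set()      # flows admitted by an 'inspect' action

    def add_zone_pair(self, src: str, dst: str, policy: PolicyMap) -> None:
        """Model of 'zone-pair security' carrying a 'service-policy type inspect'."""
        self.zone_pairs[(src, dst)] = policy

    def forward(self, flow: Flow) -> str:
        # 1. Packets of an inspected session, in either direction, need no policy.
        if flow in self.sessions or flow.reverse() in self.sessions:
            return "session"
        # 2. Traffic that stays inside one zone is permitted.
        if flow.src_zone == flow.dst_zone:
            return "intra-zone"
        policy = self.zone_pairs.get((flow.src_zone, flow.dst_zone))
        if policy is None:
            # 3. Without a zone pair, traffic to or from the router's self zone is
            #    allowed by default; traffic between any other two zones is dropped.
            return "self-default" if "self" in (flow.src_zone, flow.dst_zone) else DROP
        # 4. First matching class wins; class-default drops.
        for (_name, match), action in policy:
            if match(flow):
                if action == INSPECT:
                    self.sessions.add(flow)   # stateful: the reply will be allowed
                return action
        return DROP


def tcp(*ports: int) -> Callable[[Flow], bool]:
    return lambda f: f.proto == "tcp" and f.port in ports


def udp(*ports: int) -> Callable[[Flow], bool]:
    return lambda f: f.proto == "udp" and f.port in ports


def build_example_firewall() -> ZoneBasedFirewall:
    """Constructed three-zone policy (in-zone, out-zone, self); all names assumed."""
    fw = ZoneBasedFirewall()
    fw.add_zone_pair("in-zone", "out-zone", [
        (("cls-insp-web-ftp", tcp(80, 443, 21)), INSPECT),   # stateful
        (("cls-pass-dns", udp(53)), PASS),                   # stateless
    ])
    fw.add_zone_pair("out-zone", "self", [
        (("cls-ike", udp(500, 4500)), PASS),                 # let IKE reach the router
    ])
    return fw


if __name__ == "__main__":
    fw = build_example_firewall()
    for f in (Flow("in-zone", "out-zone", "tcp", 443), Flow("out-zone", "in-zone", "tcp", 443),
              Flow("in-zone", "out-zone", "udp", 53), Flow("out-zone", "in-zone", "udp", 53),
              Flow("in-zone", "out-zone", "tcp", 22), Flow("out-zone", "self", "udp", 500),
              Flow("self", "out-zone", "tcp", 22)):
        print(f"{f.src_zone:>8} -> {f.dst_zone:<8} {f.proto}/{f.port:<5} {fw.forward(f)}")
```

Two consequences worth noting when reading the SDM-generated policies in the following questions: a class matched with "pass" in one direction needs a matching "pass" on the reverse zone pair or its replies are dropped, and the implicit class-default of every policy map drops, which is why traffic that no class matches never gets through.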
QUESTION: 125
Which two options correctly identify the associated interface with the correct security zone?
(Choose two.)
Answer: A, B
QUESTION: 126
Which statement is correct regarding the "sdm-permit" policy map?
A. Traffic not matched by any of the class maps within that policy map will be inspected.
B. Traffic matching the "sdm-access" traffic class will be inspected.
C. Traffic matching the "SDM_CA_SERVER" traffic class will be dropped.
D. That policy map is applied to traffic sourced from the "self" zone and destined to the "out-zone" zone.
E. That policy map is applied to traffic sourced from the "out-zone" zone and destined to the "in-zone" zone.
Answer: C
QUESTION: 127
Within the "sdm-inspect" policy map, what is the action assigned to the traffic class "sdm-invalid-src", and which traffic is matched by the traffic class "sdm-invalid-src"? (Choose two.)
A. drop/log
B. Inspect
C. inspect/log
D. traffic matched by ACL 104
E. traffic matched by ACL 105
F. traffic matched by the nested "sdm-cls-insp-traffic" class map
G. any traffic
Answer: E, F
QUESTION: 128
Which three protocols are matched by the "sdm-cls-insp-traffic" class map? (Choose three)
A. Sql-net
B. Pop3
C. L2tp
D. Ftp
E. Citrix
F. SNMP
Answer: A, B, D
QUESTION: 129
Within the "sdm-permit" policy map, what is the action assigned to the traffic class "class-default"?
A. Inspect
B. Pass
C. Drop
D. Police
E. Log
Answer: C
QUESTION: 130
Which policy map is associated with the "sdm-zp-in-out" security zone pair?
A. sdm-permit-icmpreply
B. sdm-permit
C. sdm-inspect
D. sdm-insp-traffic
E. sdm-access
Answer: B
Topology:
QUESTION: 131
Which one of these statements is correct in regards to the Next Gen University IPsec tunnel between its Santa Cruz main campus and its PHX remote campus?
A. It is using IPsec tunnel mode, AES encryption and SHA HMAC integrity check.
B. It is using IPsec tunnel mode, 3DES encryption and SHA HMAC integrity check.
C. It is using IPsec tunnel mode to protect the traffic between the 10.10.10.0/24 and the 10.2.53.0/24 subnets.
D. It is using digital certificates to authenticate between the IPsec peers and DH group 2.
E. It is using a pre-shared key to authenticate between the IPsec peers and DH group 5.
F. The Santa Cruz main campus is the Easy VPN server and the PHX remote campus is the Easy VPN remote.
Answer: C
QUESTION: 132
Which of these is used to define which traffic will be protected by IPsec between the Next
Gen University Santa Cruz main campus and its SAC remote campus?
A. ACL 174
B. ACL 168
C. ACL 151
D. ESP-3DES-SHA1 transform set
E. ESP-3DES-SHA2 transform set
F. IKE Phase
Answer: A
QUESTION: 133
The IPsec tunnel to the SAC remote campus terminates at which IP address, and what is the
protected subnet behind the SAC remote campus router? (Choose two.)
A. 192.168.2.88
B. 192.168.5.28
C. 192.168.8.97
D. 10.2.53.0/24
E. 10.5.64.0/24
F. 10.8.74.0/24
Answer: C, F
QUESTION: 134
Which one of these statements is correct in regards to Next Gen University IPsec tunnel
between its Santa Cruz main campus and its SAC remote campus?
A. The SAC remote campus router is using a dynamic IP address; therefore, the Santa Cruz router is using a dynamic crypto map.
C. Dead Peer Detection (DPD) is used to monitor the IPsec tunnel, so if there is no traffic traversing between the two sites, the IPsec tunnel will disconnect.
D. Tunnel mode is used; therefore, a GRE tunnel interface will be configured.
Answer: D
QUESTION: 135
DRAG DROP Drag three correct statements about the IPsec protocol from the list above to the list below.
Answer:
QUESTION: 136
DRAG DROP Based on the description of SSL-based VPN, place the correct descriptions in the proper locations.
Answer:
QUESTION: 137
DRAG DROP By default, which three zone types does the Cisco IOS Zone-Based Policy Firewall use?
Drag three correct characterizations from the list above to the list below.
Answer:
QUESTION: 138
DRAG DROP Drag two characteristics of the SDM Security Audit wizard from the list above to the list below.
Answer:
QUESTION: 139
HOTSPOT
Answer: C, E
QUESTION: 140
DRAG DROP Which three are common examples of AAA implementation on Cisco routers? Place the correct descriptions in the proper locations.
Answer: