1. What should be the first step in migrating a network to a secure infrastructure?
A. developing a security policy
B. securing the perimeter
C. implementing antivirus protection
D. securing the DMZ
Answer:A
2. What is a reconnaissance attack?
A. when an intruder attacks networks or systems to retrieve data, gain access, or escalate access privileges
B. when an intruder attempts to discover and map systems, services, and vulnerabilities
C. when malicious software is inserted onto a host in order to damage a system, corrupt a system, replicate itself,
or deny services or access to networks, systems, or services
D. when an intruder attacks your network in a way that damages or corrupts your computer system, or denies
you and others access to your networks, systems, or services
E. when an intruder attempts to learn user IDs and passwords that can later be used in identity theft
Answer:B
3. What is a DoS attack?
A. when an intruder attacks networks or systems to retrieve data, gain access, or escalate access privileges
B. when an intruder attempts to discover and map systems, services, and vulnerabilities
C. when malicious software is inserted onto a host in order to damage a system, corrupt a system, replicate itself,
or deny services or access to networks, systems, or services
D. when an intruder attacks your network in a way that damages or corrupts your computer system, or denies
you and others access to your networks, systems, or services
Answer:D
4. Select two ways to secure hardware from threats. (Choose two.)
A. The room must have steel walls and doors.
B. The room must be static free.
C. The room must be locked, with only authorized people allowed access.
D. The room should not be accessible via a dropped ceiling, raised floor, window, ductwork, or point of entry other than the secured access point.
Answer:CD
TestInside 642-551
5. Cisco routers, such as the ISRs, are best suited for deploying which type of IPSec VPN?
A. remote-access VPN
B. overlay VPN
C. WAN-to-WAN VPN
D. site-to-site VPN
E. SSL VPN
Answer:D
6. Packet sniffers work by using a network interface card in which mode?
A. inline
B. cut-through
C. promiscuous
D. Ethernet
E. passive
Answer:C
7. Which method of mitigating packet-sniffer attacks is most effective?
A. authentication
B. switched infrastructure
C. antisniffer tools
D. cryptography
Answer:D
8. Which management protocol is used to synchronize the clocks across a network?
A. SNMP
B. syslog
C. NTP
D. TFTP
Answer:C
9. In which Cisco Catalyst Series switches can the Firewall Services Modules be installed?
A. Catalyst 2900 and 3500 XL Series
B. Catalyst 1900 and 2000 Series
C. Catalyst 4200 and 4500 Series
D. Catalyst 6500 and 7600 Series
Answer:D
10. Where is the Cisco Security Agent installed?
A. on a router
B. on a switch
C. on a host
D. on a hub
Answer:C
11. Which component within the Cisco Network Admission Control architecture acts as the policy server for
evaluating the endpoint security information that is relayed from network devices, and for determining the
appropriate access policy to apply?
A. CiscoWorks
B. CiscoWorks VMS
C. Cisco Secure ACS
D. Cisco Trust Agent
E. Cisco Security Agent
Answer:C
12. Which command sets the minimum length of all Cisco IOS passwords?
A. password min-length length
B. min-length security length
C. enable secret min-length
D. security passwords min-length length
Answer:D
13. Which command is used to encrypt passwords in the router configuration file?
A. service password-encryption
B. password-encryption
C. enable password encryption
D. encrypt password
Answer:A
14. Which method of authentication is considered the strongest?
A. S/Key (OTP for terminal login)
B. username and password (aging)
C. token cards or SofTokens using OTP
D. username and password (static)
Answer:C
15. Which Cisco IOS command enables the AAA access-control commands and functions on the router, and
overrides the older TACACS and extended TACACS commands?
A. no aaa authentication login default enable
B. aaa authentication login default local
C. aaa new-model
D. login authentication default
E. no login authentication default
Answer:C
16. Which two protocols does Cisco Secure ACS use for AAA services? (Choose two.)
A. TACACS+
B. Telnet
C. SSH
D. RADIUS
E. SSL
F. SNMP
Answer:AD
17. Which authentication method is based on the 802.1x authentication framework, and mitigates several of the
weaknesses by using dynamic WEP and sophisticated key management on a per-packet basis?
A. PAP
B. CHAP
C. LEAP
D. ARAP
Answer:C
18. Which command globally disables CDP?
A. no cdp
B. cdp disable
C. no cdp enable
D. no cdp run
Answer:D
19. Which protocol does the Cisco Web VPN solution use?
A. SSH
B. Telnet
C. SSL
D. IPSec
E. XML
Answer:C
20. Which type of access control list can secure multichannel operations that are based on upper-layer
information?
A. dynamic
B. CBAC
C. reflexive
D. time-based
Answer:B
21. To which router platform can Turbo ACLs be applied?
A. Cisco 800 Router
B. Cisco 2600 Series Router
C. Cisco 3500
D. Cisco 7200 Router
Answer:D
22. At which location in an access control list is it recommended that you place the more specific entries?
A. in the middle of the access control list
B. higher in the access control list
C. lower in the access control list
D. at the bottom of the access control list
Answer:B
23. In which version did NTP begin to support cryptographic authentication?
A. version 5
B. version 4
C. version 3
D. version 2
Answer:C
24. When Cisco routers are configured for SSH, how do they act?
A. as SSH servers
B. as SSH clients
C. as SSH and SSL servers
D. as SSH and SSL clients
E. as SSH accelerators
F. as SSH proxies
Answer:A
25. Which command is used to configure syslog on a Cisco router?
A. syslog
B. logging
C. logging-host
D. syslog-host
Answer:B
26. What is considered the main administrative vulnerability of Cisco Catalyst switches?
A. SNMP
B. Telnet
C. poor passwords
D. poor encryption
Answer:C
27. When port security is enabled on a Cisco Catalyst switch, what is the default action when the configured
maximum of allowed MAC addresses value is exceeded?
A. The port is shut down.
B. The port is enabled and the maximum number automatically increases.
C. The MAC address table is cleared and the new MAC address is entered into the table.
D. The MAC address table is shut down.
Answer:A
28. What are the three types of private VLAN ports? (Choose three.)
A. typical
B. isolated
C. nonisolated
D. promiscuous
E. community
F. bridging
Answer:BDE
29. What is a description of a promiscuous PVLAN port?
A. It has a complete Layer 2 separation from the other ports within the same PVLAN.
B. It can only communicate with other promiscuous ports.
C. It can communicate with all interfaces within a PVLAN.
D. It cannot communicate with any other ports.
Answer:C
30. Which method does a Cisco firewall use for packet filtering?
A. inspection rules
B. ACLs
C. security policies
D. VACLs
Answer:B
31. At which layer of the OSI model does a proxy server work?
A. data link
B. physical
C. application
D. network
E. transport
Answer:C
32. Which connections does stateful packet filtering handle?
A. TCP and UDP
B. packet
C. TCP only
D. ICMP
Answer:A
33. Which browser-based configuration device can be used to monitor and manage multiple Cisco PIX Security
Appliances?
A. Cisco PIX Device Manager
B. Cisco ASA Device Manager
C. Firewall Management Center
D. PIX Management Center
Answer:C
34. Which administrative access mode for the Cisco PIX Security Appliance allows you to change the current
settings?
A. unprivileged mode
B. privileged mode
C. configuration mode
D. monitor mode
Answer:B
35. Which administrative access mode for the Cisco PIX Security Appliance allows you to view a restricted and
limited view of current settings?
A. unprivileged mode
B. privileged mode
C. configuration mode
D. monitor mode
Answer:A
36. Which type of VPN is considered an extension of a classic WAN?
A. remote-access VPN
B. site-to-site VPN
C. GRE VPN
D. L2TP VPN
Answer:B
37. The DH exchange used to generate the shared secret keys occurs in which IKE and exchange phase?
A. first exchange
B. second exchange
C. third exchange
D. fourth exchange
Answer:B
38. Which command on the Cisco PIX Security Appliance is used to write the current running config to the Flash
memory startup config?
A. write terminal
B. write config
C. write memory
D. write startup config
Answer:C
39. Which command is used to reboot the Cisco PIX Security Appliance?
A. reboot
B. restart
C. boot
D. reload
Answer:D
40. What is the default security-level definition setting for the outside interface for the Cisco PIX Security
Appliance?
A. 0
B. 100
C. 50
D. 25
Answer:A
41. What is the purpose of the global command on the Cisco PIX Security Appliance?
A. to set up the IP addresses on an interface
B. to enable global configuration mode
C. to create a pool of one or more IP addresses for use in NAT and PAT
D. to enable global NAT
Answer:C
42. What would the following command indicate if it were used on the Cisco PIX Security Appliance?
nameif ethernet2 dmz security50
A. The administrator is naming an Ethernet interface only.
B. The administrator is assigning a security level only.
C. The administrator is removing a named interface.
D. The administrator is naming an interface and assigning a security level to it.
Answer:D
43. Which command would be used on the Cisco PIX Security Appliance to show the pool of addresses to be
translated?
A. show nat
B. show xlate
C. show global
D. show conn
Answer:C
44. With IPSec operation, what happens when a basic set of security services are negotiated and agreed upon
between peers?
A. data transfer
B. IKE Phase 1
C. IPSec tunnel termination
D. IKE Phase 2
Answer:B
45. Which encryption method uses a 56-bit key to ensure high-performance encryption?
A. 3DES
B. AES
C. RSA
D. DES
Answer:D
46. What are the four critical services of IPSec functions? (Choose four.)
A. replay protection
B. confidentiality
C. data integrity
D. data mining
E. origin authentication
F. anti-replay protection
Answer:BCEF
47. What is a set of conditions that, when met, indicates that an intrusion is occurring or has occurred?
A. rules
B. state tables
C. signatures
D. master parameters
Answer:C
48. Which CSA object contains associations with policies and can accept hosts as members?
A. Groups
B. Policies
C. Variables
D. Agent Kits
Answer:A
49. Which communication protocol is used by the administrator workstation to communicate with the CSA MC?
A. SSH
B. Telnet
C. HTTPS
D. SSL
Answer:D
50. During which phase of an attack does the attacker attempt to identify targets?
A. penetrate
B. propagate
C. persist
D. probe
E. paralyze
Answer:D