[Free] 2018(July) Dumps4cert Microsoft 77-427 Dumps with VCE and PDF Download 101-110

Dumps4cert.com : Latest Dumps with PDF and VCE Files
2018 July Microsoft Official New Released 77-427
100% Free Download! 100% Pass Guaranteed!

CCIE Security Exam (v4.1)

Question No: 101 – (Topic 1)

What is the most commonly used technology to establish an encrypted HTTP connection?

1. The HTTP/1.0 Upgrade header

2. HTTPS

3. Secure Hyper Transfer Protocol

4. The HTTP/1.1 Upgrade header

Answer: B

Question No: 102 – (Topic 1)

What is an example of a stream cipher?

1. RC4

2. DE5

3. Blowfish D. RC5

Answer: A

Topic 2, Exam Set A

Question No: 103 DRAG DROP – (Topic 2)

Drag the elements on the left to their corresponding functionality on the right.

Answer:

Explanation:

Cisco TrustSec SGT Exchange Protocol – Control protocol for propagating IP-to-SGT binding information across network device

SGACL – Associates SGT with a policy

Cisco Trustsec – Build secure networks by establishing domains of trusted network devices

Question No: 104 – (Topic 2)

Refer to the exhibit.

Which statement about the configuration commands is true?

1. These are valid configuration commands and the switch accepts them.

2. These commands return an error because of a mismatch between the Dot1x order and priority.

3. Changing the default order of authentication does not introduce additional authentication traffic in the network.

4. By default, the switch attempts MAB and then Dot1x.

Answer: A

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity- based-networking-service/application_note_c27-573287.html

Question No: 105 – (Topic 2)

What are two limitations of the Atomic IP Advanced Engine? (Choose two.)

1. It has limited ability to check the fragmentation header.

2. It is unable to fire high-severity alerts for known vulnerabilities.

3. It is unable to detect IP address anomalies, including IP spoofing

4. It is unable to inspect a packet’s length fields for bad information.

5. It is unable to detect Layer 4 attacks if the packets were fragmented by IPv6.

Answer: A,E Explanation:

The Atomic IP Advanced engine contains the following restrictions:

• Cannot detect the Layer 4 field of the packets if the packets are fragmented so that the Layer 4 identifier does not appear in the first packet.

• Cannot detect Layer 4 attacks in flows with packets that are fragmented by IPv6 because there is no fragment reassembly.

• Cannot detect attacks with tunneled flows.

• Limited checks are provided for the fragmentation header.

• There is no support for IPv6 on the management (command and control) interface. With ASA 8.2(1), the ASA 5500 AIP SSM support IPv6 features.

• If there are illegal duplicate headers, a signature fires, but the individual headers cannot be separately inspected.

• Anomaly detection does not support IPv6 traffic; only IPv4 traffic is directed to the anomaly detection processor.

• Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried out.

  Reference: http://www.cisco.com/c/en/us/td/docs/security/ips/7-

  1/configuration/guide/ime/imeguide71/ime_signature_engines.pdf

  Question No: 106 – (Topic 2)

  What is Cisco CKM (Centralized Key Management) used for?

  1. to allow an access point to act as a TACACS server to authenticate the client

  2. to avoid configuring PSKs (Pre-Shared Key) locally on network access devices and to configure a PSK once on a RADIUS server

  3. to provide switch port security

  4. to allow authenticated client devices to roam from one access point to another without any perceptible delay during re-association

  Answer: D Explanation:

  Using Cisco Centralized Key Management (CCKM), an access point configured to provide Wireless Domain Services (WDS) takes the place of the RADIUS server and authenticates the client so quickly that there is no perceptible delay in voice or other time-sensitive applications

  Reference: http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-

  2_13_JA/configuration/guide/s12213sc/s13roamg.html

  Question No: 107 – (Topic 2)

  Refer to the exhibit.

  

  Which two statements about the given configuration are true? (Choose two)

  1. It will allow 202.165.200.225 to connect to 209.165.202.129 on a VNC port.

  2. It will allow 209.165.202.129 to connect to 202.165.200.225 on a IMAP port

  3. It will allow 209.165.202.129 to connect to 202.165.200.225 on a RDP port

  4. It is an inbound policy

  5. It is an outbound policy

  6. It will allow 202.165.200.225 to connect to 209.165.202.129 on a RDP port

  Answer: C,D

  Question No: 108 – (Topic 2)

  Which statement is true regarding the packet flow on Cisco ASA firewall running version 8.2?

  1. For the packet that has been received on the ingress interface, ACL is only checked if the connection entry exists for the packet flow.

  2. For the packet that has been received on the ingress interface, transaction rule is checked before the ACL if the connection entry for the packet flow does not exist.

  3. For the packet that has been received on the egress interface, transaction rule is checked before the ACL if the connection entry does not exist for the packet flow.

  4. For the packet that has been received on the ingress interface, ACL is only checked if the connection entry does not exist for the packet flow.

  Answer: D Explanation:

  Here is a diagram of how the Cisco ASA processes the packet that it receives:

  

  Here are the individual steps in detail:

  ->The packet is reached at the ingress interface.

  ->Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.

  ->Cisco ASA first looks at its internal connection table details in order to verify if this is a current connection. If the packet flow matches a current connection, then the Access Control List (ACL) check is bypassed and the packet is moved forward.

  If packet flow does not match a current connection, then the TCP state is verified. If it is a SYN packet or UDP (User Datagram Protocol) packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged.

  ->The packet is processed as per the interface ACLs. It is verified in sequential order

  of the ACL entries and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped and the information is logged. The ACL hit count is incremented by one when the packet matches the ACL entry.

  ->The packet is verified for the translation rules. If a packet passes through this

  check, then a connection entry is created for this flow and the packet moves forward. Otherwise, the packet is dropped and the information is logged.

  ->The packet is subjected to an Inspection Check. This inspection verifies whether or

  not this specific packet flow is in compliance with the protocol. Cisco ASA has a built-in inspection engine that inspects each connection as per its pre-defined set of application-level functionality. If it passed the inspection, it is moved forward.

  Otherwise, the packet is dropped and the information is logged.

  Additional security checks will be implemented if a Content Security (CSC) module is involved.

  ->The IP header information is translated as per the Network Address Translation/

  Port Address Translation (NAT/PAT) rule and checksums are updated accordingly. The packet is forwarded to Advanced Inspection and Prevention Security Services Module (AIP-SSM) for IPS related security checks when the AIP module is involved.

  ->The packet is forwarded to the egress interface based on the translation rules. If

  no egress interface is specified in the translation rule, then the destination interface is decided based on the global route lookup.

  ->On the egress interface, the interface route lookup is performed. Remember, the

  egress interface is determined by the translation rule that takes the priority.

  ->Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. The Layer 2 rewrite of the MAC header happens at this stage.

  ->The packet is transmitted on the wire, and interface counters increment on the egress interface

  Reference: “ASA 8.2: Packet Flow through an ASA Firewall” http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation- firewalls/113396-asa-packet-flow-00.html

  Question No: 109 – (Topic 2)

  Attacks can originate from multicast receivers. Any receiver that sends an IGMP or MLD report typically creates state on which router?

  1. customer

  2. first-hop

  3. source

  4. RP

  Answer: B Explanation:

  Attacks can originate from multicast receivers. Any receiver sending an IGMP/MLD report will typically create state on the first-hop router. There is no equivalent mechanism in unicast.

  Reference: http://www.cisco.com/web/about/security/intelligence/multicast_toolkit.html

  Question No: 110 – (Topic 2)

  What are three protocols that support Layer 7 class maps and policy maps for zone-based firewalls? (Choose three)

  1. MIME

  2. ICQ

  3. POP3

  4. IMAP

  5. RDP

  6. IKE

  Answer: B,C,D

  100% Dumps4cert Free Download!
  –Download Free Demo:77-427 Demo PDF
  100% Dumps4cert Pass Guaranteed!
  –77-427 Dumps

  	Dumps4cert	ExamCollection	Testking
  Lowest Price Guarantee	Yes	No	No
  Up-to-Dated	Yes	No	No
  Real Questions	Yes	No	No
  Explanation	Yes	No	No
  PDF VCE	Yes	No	No
  Free VCE Simulator	Yes	No	No
  Instant Download	Yes	No	No