[Free] Download New Updated (December) Cisco 640-554 Exam Questions 171-180

By | December 12, 2015

Ensurepass

QUESTION 171

You want to use the Cisco Configuration Professional site-to-site VPN wizard to implement a site-to-site IPsec VPN using a pre-shared key. Which four configurations are required (with no defaults)? (Choose four.)

 

A.

the interface for the VPN connection

B.

the VPN peer IP address

C.

the IPsec transform-set

D.

the IKE policy

E.

the interesting traffic (the traffic to be protected)

F.

the pre-shared key

 

Correct Answer: ABEF

Explanation:

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml

 

3. In the next window, provide the VPN Connection Information in the respective spaces. Choose the interface of the VPN Tunnel from the drop-down menu. Here, FastEthernet0 is chosen. In the Peer Identity section, choose Peer with static IP address and provide the remote peer IP address. Then, provide the Pre-shared Keys (cisco123 in this example) in the Authentication section. Lastly, click Next.

 

clip_image002

 

10. In the following window, provide the details about the Traffic to be protected through the VPN Tunnel.

Provide the Source and Destination Networks of the traffic to be protected so that the traffic between the specified source and destination networks is protected. In this example, the Source network is 10.10.10.0 and the Destination network is 10.20.10.0. Click Next.

 

clip_image004

 

 

QUESTION 172

Which three modes of access can be delivered by SSL VPN? (Choose three.)

 

A.

full tunnel client

B.

IPsec SSL

C.

TLS transport mode

D.

thin client

E.

clientless

F.

TLS tunnel mode

 

Correct Answer: ADE

Explanation:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html

 

SSL VPN

The SSL VPN feature (also known as WebVPN) provides support, in Cisco IOS software, for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a Secure Sockets Layer (SSL)-enabled SSL VPN gateway. The SSL VPN gateway allows remote users to establish a secure Virtual Private Network (VPN) tunnel using a web browser. This feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTP over SSL (HTTPS) browser support. SSL VPN delivers three modes of SSL VPN access: clientless, thin-client, and full-tunnel client support.

 

QUESTION 173

Which statement describes how the sender of the message is verified when asymmetric encryption is used?

 

A.

The sender encrypts the message using the sender’s public key, and the receiver decrypts the message using the sender’s private key.

B.

The sender encrypts the message using the sender’s private key, and the receiver decrypts the message using the sender’s public key.

C.

The sender encrypts the message using the receiver’s public key, and the receiver decrypts the message using the receiver’s private key.

D.

The sender encrypts the message using the receiver’s private key, and the receiver decrypts the message using the receiver’s public key.

E.

The sender encrypts the message using the receiver’s public key, and the receiver decrypts the message using the sender’s public key.

 

Correct Answer: B

Explanation:

Verifying the sender is the digital-signature use of an asymmetric key pair: the sender encrypts (signs) with its own private key, and the receiver decrypts with the sender's public key. Only the holder of that private key could have produced a value that the matching public key turns back into the message, so a successful decryption verifies the sender. Option C describes the other use of asymmetric encryption, confidentiality: anyone holding the receiver's public key can produce such a ciphertext, so it proves nothing about who sent it. The Cisco passage quoted below explains that confidentiality case.

http://www.cisco.com/en/US/tech/tk1132/technologies_white_paper09186a00800e79cb.shtml

 

Public-Key Cryptography and Asymmetric Encryption

In asymmetric encryption, two different keys are used to render data illegible to anyone who may be eavesdropping on a conversation. The certificates contain the two components of asymmetric encryption: public key and private key.

Data that is encrypted with the public key can be decrypted with the private key, and vice versa. However, data encrypted with the public key cannot be decrypted with the public key. The parties who need to encrypt their communications will exchange their public keys (contained in the certificate), but will not disclose their private keys. The sending party will use the public key of the receiving party to encrypt message data and forward the cipher text (encrypted data) to the other party. The receiving party will then decrypt the cipher text with their private key.

Data encrypted with the public key cannot be decrypted with the public key. This prevents someone from compromising the cipher text after acquiring both public keys by eavesdropping on the certificate exchange.
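The two key roles side by side, as an added example that is not part of the original page or the cited Cisco paper. It is textbook RSA with tiny made-up primes and no padding, so it is only a model of which key does what, never something to protect real traffic with. The primes, the message value 65 and the party names are assumptions for the walk-through.

```python
"""Which key does what in asymmetric cryptography: a toy RSA walk-through.

Added example for this page, not from the Cisco paper it cites. Textbook RSA
with tiny made-up primes and no padding: enough to show the key roles, never
usable for real traffic.
"""
from math import gcd


def keygen(p, q, e=17):
    """Build (public, private) = ((e, n), (d, n)) from two primes. Toy sizes only."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key, x):
    """Raw RSA: x^k mod n. Same operation whichever key is used; the *role* differs."""
    k, n = key
    return pow(x, k, n)


# Confidentiality: only the receiver's private key undoes the receiver's public key.
def encrypt_for(receiver_pub, m):
    return apply_key(receiver_pub, m)


def decrypt(receiver_priv, c):
    return apply_key(receiver_priv, c)


# Sender verification: only the sender's private key produces a value that the
# sender's public key turns back into m. That is a digital signature.
def sign(sender_priv, m):
    return apply_key(sender_priv, m)


def verify(sender_pub, m, sig):
    return apply_key(sender_pub, sig) == m


def demo(m=65):
    """Run both use cases between two parties and return the observable outcomes."""
    sender_pub, sender_priv = keygen(61, 53)       # classic textbook pair: n = 3233
    receiver_pub, receiver_priv = keygen(47, 59)   # n = 2773; m must be < both moduli
    c = encrypt_for(receiver_pub, m)
    sig = sign(sender_priv, m)
    return {
        # confidentiality (what option C describes)
        "receiver_decrypts": decrypt(receiver_priv, c) == m,
        "eavesdropper_with_public_keys_decrypts": apply_key(receiver_pub, c) == m,
        # sender verification (what option B describes)
        "verifies_with_sender_public_key": verify(sender_pub, m, sig),
        "verifies_with_receiver_public_key": verify(receiver_pub, m, sig),
        "receiver_can_forge_sender": verify(sender_pub, m, sign(receiver_priv, m)),
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The point the outcomes make: the same modular exponentiation gives confidentiality when driven by the receiver's key pair and sender verification when driven by the sender's key pair. Holding both public keys, as an eavesdropper on the certificate exchange would, lets you neither read the ciphertext nor produce a value that verifies under the sender's public key.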

 

 


QUESTION 174

Refer to the exhibit. Which three statements about these three show outputs are true? (Choose three.)

 

clip_image006

 

A.

Traffic matched by ACL 110 is encrypted.

B.

The IPsec transform set uses SHA for data confidentiality.

C.

The crypto map shown is for an IPsec site-to-site VPN tunnel.

D.

The default ISAKMP policy uses a digital certificate to authenticate the IPsec peer.

E.

The IPsec transform set specifies the use of GRE over IPsec tunnel mode.

F.

The default ISAKMP policy has higher priority than the other two ISAKMP policies with a priority of 1 and 2.

 

Correct Answer: ACD

Explanation:


http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s3.html

 

Show crypto map Field Descriptions

 

Peer

Possible peers that are configured for this crypto map entry.

Extended IP access list

Access list that is used to define the data packets that need to be encrypted. Packets that are denied by this access list are forwarded but not encrypted. The "reverse" of this access list is used to check the inbound return packets, which are also encrypted. Packets that are denied by the "reverse" access list are dropped because they should have been encrypted but were not.

Extended IP access check

Access lists that are used to more finely control which data packets are allowed into or out of the IPsec tunnel. Packets that are allowed by the "Extended IP access list" ACL but denied by the "Extended IP access list check" ACL are dropped.

Current peer

Current peer that is being used for this crypto map entry.

Security association lifetime

Number of bytes that are allowed to be encrypted or decrypted, or the age of the security association, before new encryption keys must be negotiated.

PFS

(Perfect Forward Secrecy) If the field is marked as "Yes", the Internet Security Association and Key Management Protocol (ISAKMP) SKEYID-d key is renegotiated each time security association (SA) encryption keys are renegotiated (requires another Diffie-Hellman calculation). If the field is marked as "No", the same ISAKMP SKEYID-d key is used when renegotiating SA encryption keys. ISAKMP keys are renegotiated on a separate schedule, with a default time of 24 hours.

Transform sets

List of transform sets (encryption, authentication, and compression algorithms) that can be used with this crypto map.

Interfaces using crypto map test

Interfaces to which this crypto map is applied. Packets that are leaving from this interface are subject to the rules of this crypto map for encryption. Encrypted packets may enter the router on any interface, and they are decrypted. Nonencrypted packets that are entering the router through this interface are subject to the "reverse" crypto access list check.
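Options D and F turn on how IOS orders ISAKMP policies: the router evaluates them from the lowest priority number upward, and the default protection suite (priority 65535, RSA-signature authentication) is compared last. Option B fails because the hash algorithm in a transform set or IKE policy provides integrity, not confidentiality. The following parser makes both points on a `show crypto isakmp policy` transcript. It is an added example, not Cisco code; the transcript is constructed in the shape IOS prints (the field names are the real ones, the algorithm choices are made up for illustration), and the exhibit for this question is not reproduced on the page.

```python
"""Parse `show crypto isakmp policy` output and reason about negotiation order.

Added example for this page, not Cisco code. SAMPLE_OUTPUT is a constructed
transcript in the shape IOS prints; the algorithm choices are illustrative.
"""
import re

DEFAULT_PRIORITY = 65535   # IOS evaluates policies lowest number first; the default suite is last

SAMPLE_OUTPUT = """\
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 2
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

# The security service each IKE policy field delivers: a hash gives integrity,
# never confidentiality, which is why "SHA for data confidentiality" is wrong.
SERVICE_OF_FIELD = {
    "encryption algorithm": "confidentiality",
    "hash algorithm": "integrity",
    "authentication method": "peer authentication",
    "Diffie-Hellman group": "key exchange strength",
}

_SUITE_RE = re.compile(r"^Protection suite of priority (\d+)$")
_FIELD_RE = re.compile(r"^\s+([^:]+):\s+(.*)$")


def parse_isakmp_policies(text):
    """Return one dict per protection suite, sorted into IOS evaluation order."""
    policies, current = [], None
    for line in text.splitlines():
        m = _SUITE_RE.match(line)
        if m:
            current = {"priority": int(m.group(1)), "default": False}
            policies.append(current)
            continue
        if line.strip() == "Default protection suite":
            current = {"priority": DEFAULT_PRIORITY, "default": True}
            policies.append(current)
            continue
        m = _FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return sorted(policies, key=lambda p: p["priority"])


def negotiation_order(policies):
    """Priorities in the order the router compares them: lowest number wins."""
    return [p["priority"] for p in policies]


def uses_certificates(policy):
    """True when the suite authenticates the peer with a digital signature (certificate)."""
    return "Signature" in policy.get("authentication method", "")


def services_of(policy):
    """Map each algorithm field of the suite to (configured value, service provided)."""
    return {field: (policy.get(field), service) for field, service in SERVICE_OF_FIELD.items()}


if __name__ == "__main__":
    pols = parse_isakmp_policies(SAMPLE_OUTPUT)
    print("evaluation order:", negotiation_order(pols))
    for p in pols:
        label = "default" if p["default"] else f"priority {p['priority']}"
        print(label, "| certificates:", uses_certificates(p), "|", services_of(p)["hash algorithm"])
```

Read the order list from left to right: a peer that matches policy 1 never reaches the default suite, so the default suite has the lowest precedence, not the highest. The default suite is the only one here that authenticates with RSA signatures, which requires the router to be enrolled with a CA.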

 

 

QUESTION 175

Which two services are provided by IPsec? (Choose two.)

 

A.

Confidentiality

B.

Encapsulating Security Payload

C.

Data Integrity

D.

Authentication Header

E.

Internet Key Exchange

 

Correct Answer: AC

Explanation:

http://www.cisco.com/en/US/docs/net_mgmt/vpn_solutions_center/2.0/ip_security/provisioning/guide/IPsecPG1.html

 

IPsec Overview

A secure network starts with a strong security policy that defines the freedom of access to information and dictates the deployment of security in the network. Cisco Systems offers many technology solutions for building a custom security solution for Internet, extranet, intranet, and remote access networks. These scalable solutions seamlessly interoperate to deploy enterprise-wide network security. Cisco Systems' IPsec delivers a key technology component for providing a total security solution. Cisco's IPsec offering provides privacy, integrity, and authenticity for transmitting sensitive information over the Internet.

 

Cisco's end-to-end offering allows customers to implement IPsec transparently into the network infrastructure without affecting individual workstations or PCs. Cisco IPsec technology is available across the entire range of computing infrastructure: Windows 95, Windows NT 4.0, and Cisco IOS software.

 

IPsec is a framework of open standards for ensuring secure private communications over the Internet. Based on standards developed by the Internet Engineering Task Force (IETF), IPsec ensures confidentiality, integrity, and authenticity of data communications across a public network. IPsec provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy.

 

 

QUESTION 176

DRAG DROP

Drag from Left to Right in Correct Area.

 

clip_image008

 

Correct Answer:

clip_image010

 

 


QUESTION 177

DRAG DROP

clip_image012

 

Correct Answer:

clip_image014

 

 


QUESTION 178

DRAG DROP

clip_image016

 

Correct Answer:

clip_image018

 

 

QUESTION 179

Which two options are symmetric-key algorithms that are recommended by Cisco? (Choose two.)

 

A.

Twofish

B.

Advanced Encryption Standard

C.

Blowfish

D.

Triple Data Encryption Standard

 

Correct Answer: BD

Explanation:

Recommendations for Cryptographic Algorithms

Algorithm   Operation    Status   Alternative
DES         Encryption   Avoid    AES
3DES        Encryption   Legacy   AES

Symmetric key algorithms use the same key for encryption and decryption. Examples include 3DES and AES. 3DES, which consists of three sequential Data Encryption Standard (DES) encryption-decryptions, is a legacy algorithm. This designation means 3DES provides a marginal but acceptable security level, but its keys should be renewed relatively often. Because of its small key size, DES is no longer secure and should be avoided. RC4 should be avoided as well. AES with 128-bit keys provides adequate protection for sensitive information. AES with 256-bit keys is required to protect classified information of higher importance.

Reference: http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

 

 

QUESTION 180

Which technology provides an automated digital certificate management system for use with IPsec?

 

A.

ISAKMP

B.

public key infrastructure

C.

Digital Signature Algorithm

D.

Internet Key Exchange

 

Correct Answer: B

Explanation:

A PKI is composed of the following entities:

Peers communicating on a secure network

At least one certification authority (CA) that grants and maintains certificates

Digital certificates, which contain information such as the certificate validity period, peer identity information, encryption keys that are used for secure communication, and the signature of the issuing CA

An optional registration authority (RA) to offload the CA by processing enrollment requests

A distribution mechanism (such as Lightweight Directory Access Protocol [LDAP] or HTTP) for certificate revocation lists (CRLs)

PKI provides customers with a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network. Each entity (router or PC) participating in the secure communication is enrolled, a process by which the entity generates a Rivest, Shamir, and Adleman (RSA) key pair (one private key and one public key) and has its identity validated by a trusted entity (also known as a CA).

After each entity enrolls in a PKI, every peer (also known as an end host) in a PKI is granted a digital certificate that has been issued by a CA. When peers must negotiate a secured communication session, they exchange their digital certificates. Using the information in the certificate, a peer can validate the identity of another peer and establish an encrypted session with the public keys contained in the certificate.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layered-perimeter-security-managed-services/prod_white_paper0900aecd805249e3.html
