Security in Design
Here you will find answers to Security in Design Questions
Which Cisco security solution offers protection against “day zero” attacks?
A. Cisco Adaptive Security Appliance
B. Cisco Security Agent
C. Cisco IOS Firewall
D. Cisco IOS IPS
E. Cisco Traffic Anomaly Detector
The Cisco Security Agent (CSA) software protects server and desktop endpoints from the latest threats caused by malicious network attacks. CSA can identify and prevent network attacks that are considered unknown or “Day Zero”-type threats. CSAs are packed with many features, including firewall capabilities, intrusion prevention, malicious mobile code protection, operating-system integrity assurance, and audit log consolidation.
Which two solutions are parts of the Cisco Security Management Suite? (Choose two)
B. Cisco Security Agent
C. NAC Appliance
F. Cisco Security MARS
Answer: D F
Solutions of the Cisco Security Management Suite are:
+ Cisco Security Manager (CSM) is an integrated solution for configuration management of firewall, VPN, router, switch module, and IPS devices.
+ Cisco Secure Access Control Server (ACS) provides centralized control for administrative access to Cisco devices and security applications.
+ Cisco Security Monitoring, Analysis, and Response System (MARS) is an appliance-based solution for network security administrators to monitor, identify, isolate, and respond to security threats.
+ Management Center for CSA (CSA MC) is an SSL web-based tool for managing Cisco Security Agent configurations.
+ Cisco Router and Security Device Manager (SDM) is a web-based tool for routers and supports a wide range of IOS software.
+ Cisco Adaptive Security Device Manager (ASDM) is a web-based tool for managing Cisco ASA 5500 series appliances, PIX 500 series appliances (version 7.0 or higher), and Cisco Catalyst 6500 Firewall Services Modules (FWSM version 3.1 or higher).
+ Cisco Intrusion Prevention System Device Manager (IDM) is a web-based application that configures and manages IPS sensors.
(Reference: CCDA Official Exam Certification Guide 3rd)
A manufacturing company has decided to add a website to enhance sales. The web servers in the E-Commerce module must be accessible without compromising network security. Which two design recommendations can be made to meet these requirements? (Choose two)
A. Use private and public key encryption.
B. Move the E-Commerce servers to the WAN module.
C. Use intrusion detection on the E-Commerce server farm.
D. Limit the number of incoming connections to the E-Commerce module.
E. Place E-Commerce servers and application servers on isolated LANs (DMZs).
Answer: C E
Which Cisco security solution can quarantine and prevent non-compliant end stations from accessing the network until they achieve security policy compliance?
A. Cisco Secure Connectivity
B. Adaptive Security Appliance
C. Access Control Server
D. Network Admission Control
E. Network Intrusion Prevention System
F. Cisco Security Monitoring, Analysis, and Response System
Network Admission Control protects the network from threats by enforcing security compliance on all devices attempting to access the network. It allows access to endpoints only after they have passed authentication based on security policies.
A Cisco Self-Defending Network has been installed, but DoS attacks are still being directed at e-commerce hosts. The connection rate at the Internet firewall was limited, but the problem persists. What more can be done?
A. Move the servers to the DMZ.
B. Install all relevant operating system patches.
C. Block the servers’ TCP traffic at the Internet firewall.
D. Block the servers’ UDP traffic at the Internet firewall.
Which three security measures can be used to mitigate DoS attacks that are directed at exposed hosts within the E-Commerce module? (Choose three)
A. Partition the exposed hosts into a separate LAN or VLAN.
B. Use firewalls to block all unnecessary connections to the exposed hosts.
C. Use a VPN concentrator (IPSec) to protect and verify each connection to the exposed host or hosts.
D. Use LAN switch VTP pruning to separate hosts on the same segment.
E. Use NIDSs and HIPSs to detect signs of attack and to identify potentially successful breaches.
Answer: A B E
Which Cisco security management solution provides the means to identify, isolate, and counter security threats to the network?
A. Adaptive Security Device Manager
B. Intrusion Prevention Device Manager
C. Security Device Manager
D. Cisco Security Manager
E. Cisco Security Monitoring, Analysis, and Response System
Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) is an appliance-based solution for network security administrators to monitor, identify, isolate, and respond to security threats. MARS understands the network topology and device configurations from routers, switches, firewalls, and IPS devices. MARS also can model packet flows on the network.
A large enterprise requires sensitive information be transmitted over a public infrastructure. It requires confidentiality, integrity, and authenticity. Which security solution best meets these requirements?
A. Cisco IOS Firewall
B. Intrusion Prevention
C. Secure Connectivity
E. Traffic Guard Protector
Which technology can ensure data confidentiality, data integrity, and authentication across a public IP network?
For which technology is IPsec required for a site-to-site enterprise WAN/MAN architecture?
B. ISP Service
C. Frame Relay
D. SP MPLS VPN
E. self-deployed MPLS
A Cisco security mechanism has the following attributes:
it is a sensor appliance
it searches for potential attacks by capturing and analyzing traffic
it is a “purpose-built device”
it is installed passively
it introduces no delay or overhead
Which Cisco security mechanism is this?
Which of these domain-of-trust security statements is correct?
A. Segments within a network should have the same trust models.
B. An administrator should apply consistent security controls between segments.
C. Communication between trusted entities needs to be carefully managed and controlled.
D. Segment security policy decisions are based on trust.