★ Pass on Your First TRY ★ 100% Money Back Guarantee ★ Realistic Practice Exam Questions
Free Instant Download NEW 640-554 Exam Dumps (PDF & VCE):
Available on:
https://www.certleader.com/640-554-dumps.html
Proper study guides for Up to the minute Cisco Implementing Cisco IOS Network Security (IINS v2.0) certified begins with Cisco 640-554 preparation products which designed to deliver the Guaranteed 640-554 questions by making you pass the 640-554 test at your first time. Try the free 640-554 demo right now.
2021 Aug cbt nuggets ccna security 640-554 download:
Q21. - (Topic 9)
Which description of the Diffie-Hellman protocol is true?
A. It uses symmetrical encryption to provide data confidentiality over an unsecured communications channel.
B. It uses asymmetrical encryption to provide authentication over an unsecured communications channel.
C. It is used within the IKE Phase 1 exchange to provide peer authentication.
D. It provides a way for two peers to establish a shared-secret key, which only they will know, even though they are communicating over an unsecured channel.
E. It is a data integrity algorithm that is used within the IKE exchanges to guarantee the integrity of the message of the IKE exchanges.
Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/ security_manager/4.1/user/guide/vpipsec.html
Modulus Group The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Options are:
.1—Diffie-Hellman Group 1 (768-bit modulus).
.2—Diffie-Hellman Group 2 (1024-bit modulus).
.5—Diffie-Hellman Group 5 (1536-bit modulus, considered good protection for 128-bit keys, but group 14 is better). If you are using AES encryption, use this group (or higher). The ASA supports this group as the highest group.
.7—Diffie-Hellman Group 7 (163-bit elliptical curve field size).
.14—Diffie-Hellman Group 14 (2048-bit modulus, considered good protection for 128-bit keys).
.15—Diffie-Hellman Group 15 (3072-bit modulus, considered good protection for 192-bit keys).
.16—Diffie-Hellman Group 16 (4096-bitmodulus, considered good protection for 256-bit keys).
Q22. - (Topic 1)
Which statement is true about vishing?
A. Influencing users to forward a call to a toll number (for example, along distance or international number)
B. Influencing users to provide personal information over a web page
C. Using an inside facilitator to intentionally forward a call to a toll number (for example, a long distance or international number)
D. Influencing users to provide personal information over the phone
Answer: D
Explanation: Explanation:
Vishing (voice phishing) uses telephony to glean information, such as account details, directly from users. Because many users tend to trust the security of a telephone versus the security of the web, some users are more likely to provide condential information over the telephone. User education is the most effective method to combat vishing attacks.
Q23. - (Topic 4)
Which three statements about applying access control lists to a Cisco router are true? (Choose three.)
A. Place more specific ACL entries at the top of the ACL.
B. Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce “noise” on the network.
C. ACLs always search for the most specific entry before taking any filtering action.
D. Router-generated packets cannot be filtered by ACLs on the router.
E. If an access list is applied but it is not configured, all traffic passes.
Answer: A,D,E
Explanation: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-acl-ov-gdl.html
TheOrder in Which You Enter Criteria Statements Note that each additional criteria statement that you enter is appended to the end of the access list statements.
Also note that you cannot delete individual statements after they have been created. You can only delete an entire access list. The order of access list statements is important! When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order in which the statements were created. After a match is found, no more criteria statements are checked.
If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete theaccess list and retype it with the new entries.
Apply an Access Control List to an Interface With some protocols, you can apply up to two access lists to an interfacE. one inbound access list and one outbound access list. With other protocols, you applyonly one access list that checks both inbound and outbound packets. If the access list is inbound, when a device receives a packet, Cisco software checks the access list's criteria statements for a match. If the packet is permitted, the software continuesto process the packet. If the packet is denied, the software discards the packet. If the access list is outbound, after receiving and routing a packet to the outbound interface, Cisco software checks the access list's criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.
Note Access lists that are applied to interfaces on a device do not filter traffic that originates from that device. The access list checkis bypassed for locally generated packets, which are always outbound. By default, an access list that is applied to an outbound interface for matching locally generated traffic will bypass the outbound access list check; but transit traffic is subjected to the outbound access list check.
Q24. - (Topic 2)
Scenario:
You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question.
What is included in the Network Object Group INSIDE? (Choose two)
A. Network 192.168.1.0/24
B. Network 175.25.133.0/24
C. Network 10.0.10.0/24
D. Network 10.0.0.0/8
E. Network 192.168.1.0/8
Answer: B,C
Q25. - (Topic 2)
Scenario:
You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question.
Which Class Map is used by the INBOUND Rule?
A. SERVICE_IN
B. Class-map-ccp-cls-2
C. Ccp-cts-2
D. Class-map SERVICE_IN
Answer: C
Renew ccna security 640-554 official cert guide:
Q26. - (Topic 10)
Which action can you take to add bandwidth to a trunk between twoswitches and end up with only one logical interface?
A. Configure another trunk link.
B. Configure EtherChannel.
C. Configure an access port.
D. Connect a hub between the two switches.
Answer: B
Q27. - (Topic 10)
What must be configured before Secure Copy can be enabled?
A. SSH
B. AAA
C. TFTP
D. FTP
Answer: B
Q28. - (Topic 10)
In which two situations should you use out-of-band management? (Choose two.)
A. when a network device fails to forward packets
B. when you require ROMMON access
C. when management applications need concurrent access to the device
D. when you require administrator access from multiple locations
E. when the control plane fails to respond
Answer: A,B
Q29. - (Topic 2)
Scenario:
You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question.
What NAT address will be assigned by ACL 1?
A. 192.168.1.0/25
B. GlobalEthernet0/0 interface address.
C. 172.25.223.0/24
D. 10.0.10.0/24
Answer: C
Q30. - (Topic 9)
Refer to the exhibit.
Which three statements about these three show outputs are true? (Choose three.)
A. Traffic matched by ACL 110 is encrypted.
B. The IPsec transform set uses SHA for data confidentiality.
C. The crypto map shown is for an IPsec site-to-site VPN tunnel.
D. The default ISAKMP policy uses a digital certificate to authenticate the IPsec peer.
E. The IPsec transform set specifies the use of GRE over IPsec tunnel mode.
F. The default ISAKMP policy has higher priority than the other two ISAKMP policies with a priority of 1 and 2
Answer: A,C,D
Explanation:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s3.html
Show crypto map Field Descriptions
Peer
Possible peers that are configured for this crypto map entry.
Extended IP access list Access list that is used to define the data packets that need to be encrypted. Packets that are denied by this access list are forwarded but not encrypted. The "reverse" of this access list is used to check the inbound return packets, which are also encrypted. Packets that are denied by the "reverse" access list are dropped because they should have been encrypted but were not.
Extended IP access check
Access lists that are used to more finely control which data packets are allowedinto or out of the IPsec tunnel.
Packets that are allowed by the "Extended IP access list" ACL but denied by the "Extended IP access list check" ACL are dropped.
Current peer Current peer that is being used for this crypto map entry.
Security associationlifetime
Number of bytes that are allowed to be encrypted or decrypted or the age of the security
association before new encryption keys must be negotiated.
PFS
(Perfect Forward Secrecy) If the field is marked as `Yes', the Internet Security Association and Key Management Protocol (ISAKMP) SKEYID-d key is renegotiated each time security association (SA) encryption keys are renegotiated (requires another Diffie-Hillman calculation). If the field is marked as `No', the same ISAKMP SKEYID-d key is used when renegotiating SA encryption keys. ISAKMP keys are renegotiated on a separate schedule, with a default time of 24 hours.
Transform sets
List of transform sets (encryption, authentication, and compression algorithms) that can be used with this crypto map.
Interfaces using crypto map test Interfaces to which this crypto map is applied. Packets that are leaving from this interface are subject to the rules of this crypto map for encryption.
Encrypted packets may enter the router on any interface, and they are decrypted.
Nonencrypted packets that are entering the router through this interface are subject to the "reverse" crypto access list check.