

Proper study guides for the Cisco Implementing Cisco IOS Network Security (IINS v2.0) certification begin with Cisco 640-554 preparation products designed to deliver the guaranteed 640-554 questions and get you through the 640-554 test on your first attempt. Try the free 640-554 demo right now.

2021 Aug CCNA Security 640-554 practice test:

Q141. - (Topic 8) 

Which Cisco IPS product offers an inline, deep-packet inspection feature that is available in integrated services routers? 

A. Cisco iSDM 

B. Cisco AIM 

C. Cisco IOS IPS 

D. Cisco AIP-SSM 

Answer: C 

Explanation: 

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/product_data_sheet0900aecd803137cf.html 

Product Overview

In today's business environment, network intruders and attackers can come from outside or inside the network. They can launch distributed denial-of-service attacks, they can attack Internet connections, and they can exploit network and host vulnerabilities. At the same time, Internet worms and viruses can spread across the world in a matter of minutes. There is often no time to wait for human intervention: the network itself must possess the intelligence to recognize and mitigate these attacks, threats, exploits, worms and viruses. 

Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based solution that enables Cisco IOS Software to effectively mitigate a wide range of network attacks. While it is common practice to defend against attacks by inspecting traffic at data centers and corporate headquarters, distributing the network level defense to stop malicious traffic close to its entry point at branch or telecommuter offices is also critical. 

Cisco IOS IPS: Major Use Cases and Key Benefits

IOS IPS helps to protect your network in 5 ways: 

Key Benefits 

- Provides network-wide, distributed protection from many attacks, exploits, worms and viruses exploiting vulnerabilities in operating systems and applications 
- Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as small and medium-sized business networks 
- Unique, risk rating based signature event action processor dramatically improves the ease of management of IPS policies 
- Offers field-customizable worm and attack signature set and event actions 
- Offers inline inspection of traffic passing through any combination of router LAN and WAN interfaces in both directions 
- Works with Cisco IOS Firewall, control-plane policing, and other Cisco IOS Software security features to protect the router and networks behind the router 
- Supports more than 3700 signatures from the same signature database available for Cisco Intrusion Prevention System (IPS) appliances 


Q142. - (Topic 7) 

Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement? 

A. nested object-class 

B. class-map 

C. extended wildcard matching 

D. object groups 

Answer: D 

Explanation: 

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/objectgroups.html 

Information About Object Groups

By grouping like objects together, you can use the object group in an ACE instead of having to enter an ACE for each object separately. You can create the following types of object groups: 

- Protocol 
- Network 
- Service 
- ICMP type 

For example, consider the following three object groups: 

- MyServices: Includes the TCP and UDP port numbers of the service requests that are allowed access to the internal network. 
- TrustedHosts: Includes the host and network addresses allowed access to the greatest range of services and servers. 
- PublicServers: Includes the host addresses of servers to which the greatest access is provided. 

After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers. 

You can also nest object groups in other object groups. 


Q143. - (Topic 10) 

Which two accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose two.) 

A. start-stop 

B. stop-record 

C. stop-only 

D. stop 

Answer: A,C 


Q144. - (Topic 10) 

Which two options are advantages of a network-based Cisco IPS? (Choose two.) 

A. It can examine encrypted traffic. 

B. It can protect the host after decryption. 

C. It is an independent operating platform. 

D. It can observe bottom-level network events. 

E. It can block traffic 

Answer: C,D 


Q145. - (Topic 10) 

Refer to the exhibit. 

What is the effect of the given command sequence? 

A. It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24. 

B. It defines IPSec policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24. 

C. It defines IKE policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24. 

D. It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24. 

Answer: A 



CCNA Security 640-554 practice test (continued):

Q146. - (Topic 7) 

Which option is the resulting action in a zone-based policy firewall configuration with these conditions? 

A. no impact to zoning or policy 

B. no policy lookup (pass) 

C. drop 

D. apply default policy 

Answer: C 

Explanation: 

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-zone-pol-fw.html 

Zone Pairs

A zone pair allows you to specify a unidirectional firewall policy between two security zones. To define a zone pair, use the zone-pair security command. The direction of the traffic is specified by source and destination zones. The source and destination zones of a zone pair must be security zones. 

You can select the default or self zone as either the source or the destination zone. The self zone is a system-defined zone which does not have any interfaces as members. A zone pair that includes the self zone, along with the associated policy, applies to traffic directed to the device or traffic generated by the device. It does not apply to traffic through the device. 

The most common usage of a firewall is to apply it to traffic through a device, so you need at least two zones (that is, you cannot use the self zone). 

To permit traffic between zone-member interfaces, you must configure a policy permitting (or inspecting) traffic between that zone and another zone. To attach a firewall policy map to the target zone pair, use the service-policy type inspect command. 

The figure below shows the application of a firewall policy to traffic flowing from zone Z1 to zone Z2, which means that the ingress interface for the traffic is a member of zone Z1 and the egress interface is a member of zone Z2. 

Figure 2. Zone Pairs 

If there are two zones and you require policies for traffic going in both directions (from Z1 to Z2 and Z2 to Z1), you must configure two zone pairs (one for each direction). 

If a policy is not configured between zone pairs, traffic is dropped. However, it is not necessary to configure a zone pair and a service policy solely for the return traffic. By default, return traffic is not allowed. If a service policy inspects the traffic in the forward direction and there is no zone pair and service policy for the return traffic, the return traffic is inspected. If a service policy passes the traffic in the forward direction and there is no zone pair and service policy for the return traffic, the return traffic is dropped. In both these cases, you need to configure a zone pair and a service policy to allow the return traffic. In the above figure, it is not mandatory that you configure a zone pair source and destination for allowing return traffic from Z2 to Z1. The service policy on the Z1 to Z2 zone pair takes care of it. 


Q147. - (Topic 10) 

Which two features do CoPP and CPPr use to protect the control plane? (Choose two.) 

A. QoS 

B. traffic classification 

C. access lists 

D. policy maps 

E. class maps 

F. Cisco Express Forwarding 

Answer: A,B 


Q148. - (Topic 3) 

When AAA login authentication is configured on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.) 

A. group RADIUS 

B. group TACACS+ 

C. local 

D. krb5 

E. enable 

F. if-authenticated 

Answer: C,E 

Explanation: 

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html 

TACACS+ Authentication Examples

The following example shows how to configure TACACS+ as the security protocol for PPP authentication: 

    aaa new-model
    aaa authentication ppp test group tacacs+ local
    tacacs-server host 10.1.2.3
    tacacs-server key goaway
    interface serial 0
    ppp authentication chap pap test

The lines in the preceding sample configuration are defined as follows: 

- The aaa new-model command enables the AAA security services. 
- The aaa authentication command defines a method list, "test," to be used on serial interfaces running PPP. The keyword group tacacs+ means that authentication will be done through TACACS+. If TACACS+ returns an ERROR of some sort during authentication, the keyword local indicates that authentication will be attempted using the local database on the network access server. 

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml 

Authentication

Start to configure TAC+ on the router. Enter enable mode and type configure terminal before the command set. This command syntax ensures that you are not locked out of the router initially, providing the tac_plus_executable is not running: 

    !--- Turn on TAC+.
    aaa new-model
    enable password whatever
    !--- These are lists of authentication methods.
    !--- "linmethod", "vtymethod", "conmethod", and
    !--- so on are names of lists, and the methods
    !--- listed on the same lines are the methods
    !--- in the order to be tried. As used here, if
    !--- authentication fails due to the
    !--- tac_plus_executable not being started, the
    !--- enable password is accepted because
    !--- it is in each list.
    !
    aaa authentication login linmethod tacacs+ enable
    aaa authentication login vtymethod tacacs+ enable
    aaa authentication login conmethod tacacs+ enable


Q149. - (Topic 3) 

On which Cisco Configuration Professional screen do you enable AAA? 

A. AAA Summary 

B. AAA Servers and Groups 

C. Authentication Policies 

D. Authorization Policies 

Answer: A 


Q150. - (Topic 5) 

Refer to the exhibit. 

You are a network manager for your organization. You are looking at your Syslog server reports. Based on the Syslog message shown, which two statements are true? (Choose two.) 

A. Service timestamps have been globally enabled. 

B. This is a normal system-generated information message and does not require further investigation. 

C. This message is unimportant and can be ignored. 

D. This message is a level 5 notification message. 

Answer: A,D 

Explanation: 

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swlog.html 

System Log Message Format

System log messages can contain up to 80 characters and a percent sign (%), which follows the optional sequence number or time-stamp information, if configured. Messages appear in this format: 

    seq no:timestamp: %facility-severity-MNEMONIC:description (hostname-n)

The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command. 

- seq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the "Enabling and Disabling Sequence Numbers in Log Messages" section. 
- timestamp formats: mm/dd hh:mm:ss or hh:mm:ss (short uptime) or d h (long uptime). Date and time of the message or event. This information appears only if the service timestamps log [datetime | log] global configuration command is configured. For more information, see the "Enabling and Disabling Time Stamps on Log Messages" section. 
- facility: The facility to which the message refers (for example, SNMP, SYS, and so forth). For a list of supported facilities, see Table 29-4. 
- severity: Single-digit code from 0 to 7 that is the severity of the message. For a description of the severity levels, see Table 29-3. 
- MNEMONIC: Text string that uniquely describes the message. 
- description: Text string containing detailed information about the event being reported. 

This example shows part of a logging display with the service timestamps log datetime global configuration command enabled: 

    *Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) (Switch-2)
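As an added illustration (not part of the original page or of Cisco's documentation), here is a Python parser for the message format quoted above, run against the exhibit's message. It handles the optional sequence-number and timestamp prefixes, records the '*' marker that IOS places before a timestamp when its clock is not authoritative, and applies a simple review rule that separates "level 5 notification" from "safe to ignore"; the review rule and the second sample line in the test are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Severity codes 0-7 of IOS system messages (Table 29-3 of the guide quoted above).
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
# %facility-severity-MNEMONIC:description, optionally followed by " (hostname-n)".
_BODY_RE = re.compile(
    r"^%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<desc>.*?)(?:\s+\((?P<host>[^()]+)\))?\s*$")

@dataclass
class IosLogMessage:
    seq: Optional[str]
    timestamp: Optional[str]
    clock_not_authoritative: bool   # True when IOS prefixed the timestamp with '*' (clock unset)
    facility: str
    severity: int
    mnemonic: str
    description: str
    hostname: Optional[str]

def parse_ios_log(line: str) -> IosLogMessage:
    """Parse one IOS/Catalyst system log line; ValueError if the %facility header is missing."""
    pct = line.find("%")
    body = _BODY_RE.match(line[pct:]) if pct >= 0 else None
    if body is None:
        raise ValueError(f"not an IOS system message: {line!r}")
    # Everything before '%' is the optional "seq no:" and/or "timestamp:" prefix.
    prefix = line[:pct].strip().rstrip(":")
    seq = ts = None
    if prefix.isdigit():                    # sequence number only, no timestamp
        seq = prefix
    elif prefix:                            # "seq: timestamp" or just "timestamp"
        m = re.match(r"^(\d+):\s+(.+)$", prefix)
        seq, ts = (m.group(1), m.group(2)) if m else (None, prefix)
    unset_clock = ts is not None and ts.startswith("*")
    return IosLogMessage(seq, ts.lstrip("*.") if ts else None, unset_clock, body["facility"],
                         int(body["sev"]), body["mnemonic"], body["desc"], body["host"])

def review_reason(msg: IosLogMessage) -> Optional[str]:
    """Why an operator should look at this message, or None. A level-5 notification is routine
    on its own, but a configuration change made over a vty (remote) line still deserves a look."""
    if msg.severity <= 4:
        return f"severity {msg.severity} ({SEVERITY_NAMES[msg.severity]})"
    if msg.facility == "SYS" and msg.mnemonic == "CONFIG_I" and "vty" in msg.description:
        return "configuration changed over a remote (vty) session"
    return None
# The exhibit's message exactly as quoted above.
SAMPLE = "*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) (Switch-2)"
```

For the exhibit, parse_ios_log(SAMPLE) yields severity 5 ("notifications") with the clock flagged as not authoritative, and review_reason still returns a reason because the change came in over vty2.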