★ Pass on Your First TRY ★ 100% Money Back Guarantee ★ Realistic Practice Exam Questions

Free Instant Download NEW 640-554 Exam Dumps (PDF & VCE):
Available on: https://www.certleader.com/640-554-dumps.html


Exam Code: 640-554 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Implementing Cisco IOS Network Security (IINS v2.0)
Certification Provider: Cisco
Free Today! Guaranteed Training- Pass 640-554 Exam.

2021 Nov ccna security 640-554 portable command guide pdf:

Q131. - (Topic 10) 

Which Cisco Security Manager feature enables the configuration of unsupported device features? 

A. Deployment Manager 

B. FlexConfig 

C. Policy Object Manager 

D. Configuration Manager 

Answer:


Q132. - (Topic 10) 

Which command will configure AAA accounting using the list of all RADIUS serverson a device to generate a reload event message when the device reloads? 

A. aaa accounting network default start-stop group radius 

B. aaa accounting auth-proxy default start-stop group radius 

C. aaa accounting system default start-stop group radius 

D. aaaaccounting exec default start-stop group radius 

Answer:


Q133. - (Topic 6) 

Which two countermeasures can mitigate STP root bridge attacks? (Choose two.) 

A. root guard 

B. BPDU filtering 

C. Layer 2 PDU rate limiter 

D. BPDU guard 

Answer: A,D 


Q134. - (Topic 1) 

Which two characteristics represent a blended threat? (Choose two.) 

A. man-in-the-middle attack 

B. trojan horse attack 

C. pharming attack D. denial of service attack 

E. day zero attack 

Answer: B,E 

Explanation: 

http://www.cisco.com/web/IN/about/network/threat_defense.html 

Rogue developers create such threats by using worms, viruses, or application-embedded attacks. Botnets can be used to seed an attack, for example, rogue developers can use worms or application-embedded attacks, that is an attackthat is hidden within application traffic such as web traffic or peer-to-peer shared files, to deposit "Trojans". This combination of attack techniques - a virus or worm used to deposit a Trojan, for example-is relatively new and is known as a blended attack. A blended attack can also occur in phases: an initial attack of a virus with a Trojan that might open up an unsecured port on a computer, disable an access control list (ACL), or disarm antivirus software, with the goal of a more devastating attack tofollow soon after. Host Firewall on servers and desktops/laptops, day zero protection & intelligent behavioral based protection from application vulnerability and related flaws (within or inserted by virus, worms or Trojans) provided great level of confidence on what is happening within an organization on a normal day and when there is a attack situation, which segment and what has gone wrong and gives flexibility and control to stop such situations by having linkages of such devices with monitoring, log-analysis and event co-relation system. 


Q135. - (Topic 6) 

In which type of Layer 2 attack does an attackerbroadcast BDPUs with a lower switch priority? 

A. MAC spoofing attack 

B. CAM overflow attack 

C. VLAN hopping attack 

D. STP attack 

Answer:

Explanation: 

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_6059 72.html 

Introduction The purpose of this paper is to identify how easily the Spanning-Tree Protocol (STP) can be compromised to allow eavesdropping in a switched corporate environment and how to mitigate this vulnerability using L2 security features that are available on the Cisco. Catalyst. 6500. The Spanning Tree Protocol (STP) Man in The Middle (MiTM) attack compromises the STP "Root Bridge" election process and allows a hacker to use their PC to masquerade as a "Root Bridge," thus controlling the flow of L2 traffic. In order to understand the attack, the reader must have a basic understanding of the "Root Bridge" Election process and the initial STP operations that build the loop free topology. Therefore, the first section of this document, Overview of the STP Root Bridge Election Process, will be devoted to providing a simplified explanation of 802.1d STP operations as it pertains to understanding the STP MiTM attack. If you require a more comprehensive overview of STP, please review the LAN Switching Chapter of the Cisco Catalyst 6500 Configuration Guide on Cisco.com. 


Refresh ccna security cbt nuggets 640-554:

Q136. - (Topic 10) 

What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connection? 

A. split tunneling 

B. hairpinning 

C. tunnel mode 

D. transparent mode 

Answer:


Q137. - (Topic 2) 

What will be disabled as a result of the no service password-recovery command? 

A. changes to the config-register setting 

B. ROMMON 

C. password encryption service 

D. aaa new-model global configuration command 

E. the xmodem privilege EXEC mode command to recover the Cisco IOS image 

Answer:

Explanation: 

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09 186a00801d8113.shtml 

Background ROMMON security is designed not to allow a person with physical access tothe router view the configuration file. ROMMON security disables access to the ROMMON, so that a person cannot set the configuration register to ignore the start-up configuration. ROMMON security is enabled when the router is configured with the no servicepassword-recovery command. Caution: Because password recovery that uses ROMMON security destroys the configuration, it is recommended that you save the router configuration somewhere off the router, such as on a TFTP server. 

Risks If a router is configured with the no service password-recovery command, this disables all access to the ROMMON. If there is no valid Cisco IOS software image in the Flash memory of the router, the user is not able to use the ROMMON XMODEM command in order to load a new Flash image. In order to fix the router, you must get a new Cisco IOS software image on a Flash SIMM, or on a PCMCIA card, for example on the 3600 Series Routers. In order to minimize this risk, a customer who uses ROMMON security must also use dual Flash bank memory and put a backup Cisco IOS software image in a separate partition. 


Q138. HOTSPOT - (Topic 2) 

Answer: 


Q139. - (Topic 10) 

Which two countermeasures can mitigate ARP spoofing attacks? (Choose two.) 

A. port security 

B. DHCP snooping 

C. IP source guard 

D. dynamic ARP inspection 

Answer: B,D 


Q140. - (Topic 3) 

Refer to the exhibit. 

Which statement about the aaa configurations istrue? 

A. The authentication method list used by the console port is named test. 

B. The authentication method list used by the vty port is named test. 

C. If the TACACS+ AAA server is not available, no users will be able to establish a Telnet session with the router. 

D. If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database. 

E. The local database is checked first when authenticating console and vty access to the router. 

Answer:

Explanation: 

http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_configuration_example 

09186a0080204528.shtml 

Configure AAA Authentication for Login 

To enable authentication, authorization, and accounting (AAA) authentication for logins, 

use the login authentication command in line configuration mode. AAA services must also 

be configured. 

Configuration Procedure 

Inthis example, the router is configured to retrieve users' passwords from a TACACS+ 

server when users attempt to connect to the router. 

From the privileged EXEC (or "enable") prompt, enter configuration mode and enter the commands to configure the routerto use AAA services for authentication: router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. router(config)#aaa new-model router(config)#aaa authentication login my-auth-list tacacs+ router(config)#tacacs-server host 192.168.1.101 router(config)#tacacs-server key letmein Switch to line configuration mode using the following commands. Notice that the prompt changes to reflect the current mode. router(config)#line 1 8 router(config-line)# Configure password checking at login. router(config-line)#login authentication my-auth-list Exit configuration mode. router(config-line)#end router# %SYS-5-CONFIG_I: Configured from console by console