CCIE Security Qualification Exam
Exam : Cisco 350-018
Title : CCIE Security Qualification Exam
1. Which two of the following statements describe why TACACS+ is more desirable from a security standpoint than RADIUS? (Choose two.)
A. It uses UDP as its transport.
B. It uses TCP as its transport.
C. It encrypts the password field with a unique key between server and requester.
D. Encrypting the whole data payload is optional.
E. Authentication and authorization are combined into a single query for robustness.
Answer: BD
2. A firewall administrator received this syslog message from his adaptive security appliance. What can the firewall administrator infer from the message?
A. The server at 209.165.201.10 is under a smurf attack.
B. The server at 10.1.1.20 is under a SYN attack.
C. The client at 209.165.201.10 has been infected with a virus.
D. The server at 10.1.1.20 is under a smurf attack.
Answer: B
3. With regard to private address space, which three of the following statements are true? (Choose three.)
A. Private address space is defined in RFC 1918.
B. These IP addresses are considered private:
   10.0.0.0
   172.15.0.0
   192.168.0.0
C. Private address space is not supposed to be routed over the Internet.
D. 127.0.0.1 is also considered part of private address space, according to the RFC.
E. Using only private address space and NAT to the Internet is not considered as secure as having a stateful firewall.
Answer: ACE
4. When using Cisco SDM to manage a Cisco IOS device, what configuration statements are necessary to be able to use Cisco SDM?
A. ip http server
B. ip http secure-server
C. ip http server
   sdm location X.X.X.X
D. ip http secure-server
   sdm location X.X.X.X
E. ip http server
   ip http secure-server
Answer: A
5. Which three of these statements describe how DNSSEC prevents DNS cache poisoning attacks from succeeding? (Choose three.)
A. DNSSEC encrypts all records with domain-specific keys.
B. DNSSEC eliminates caching and forces all answers to be authoritative.
C. DNSSEC introduces KEY records that hold domain-specific public keys.
D. DNSSEC deprecates CNAME records and replaces them with DS records.
E. DNSSEC utilizes DS records to establish a trusted hierarchy of zones.
F. DNSSEC signs all records with domain-specific keys.
Answer: CEF
6. Which three of the following are attributes of the RADIUS protocol? (Choose three.)
A. encrypts the password
B. hashes the password
C. uses UDP as the transport
D. uses TCP as the transport
E. combines authentication and authorization in a single request
F. commonly used to implement command authorization
Answer: BCE
7. Which two of the following statements are attributed to stateless filtering? (Choose two.)
A. The first TCP packet in a flow must be a SYN packet.
B. It must process every packet against the inbound ACL filter.
C. It can look at sequence numbers to validate packets in flow.
D. It must implement an idle timeout.
E. It can be used in asymmetrical traffic flows.
Answer: BE
8. When initiating a new SSL/TLS session, the client receives the server SSL certificate and validates it. What does the client use the certificate for after validating it?
A. The client and server use the key in the certificate to encrypt all data in the following SSL session.
B. The server creates a separate session key and sends it to the client. The client has to decrypt the session key using the server public key from the certificate.
C. The client creates a separate session key and encrypts it with the server public key from the certificate before sending it to the server.
D. Nothing, the client and server switch to symmetric encryption using IKE to exchange keys.
E. The client generates a random string, encrypts it with the server public key from the certificate, and sends it to the server. Both the client and server derive the session key from the random data sent by the client.
Answer: E