
Monday, 7 May 2012

CCSP Security Question






(Q) Which types of digital certificate enrollment are available for the Cisco ASA 5500 series appliance? (Choose two.)
1. SCEP
2. SFTP
3. Manual
4. HTTPS
The answers are 1 and 3.
The types of digital certificate enrollments available for the Cisco ASA 5500 series are Simple Certificate Enrollment Protocol (SCEP) and Manual.


(Q) What is another name for application layer gateway?
1. IPS
2. Proxy
3. Dynamic firewall
4. Stateful firewall


The answer is 2.
An application layer gateway (ALG) is commonly called an (application) proxy. It is a piece of software that is designed to act as an intermediary and relay application layer requests and responses between clients and servers.


(Q) On which operating systems is ASDM supported? (Choose three.)
1. Windows
2. Linux
3. Mac OS X
4. Solaris


The answers are 1, 2, and 3.
ASDM is supported on Windows, Linux and Mac OS X.


(Q) Which ASA feature can be used to automatically prevent the spoofing of internal source addresses from outside networks?
1. ACLs
2. uRPF
3. AIP-SSM
4. Shunning


The answer is 2.
Specifying per-interface access rules on the Cisco ASA adaptive security appliance to protect against source-spoofed packets can be a labor-intensive task. Because the adaptive security appliance can refer to its routing table to determine which networks are reachable through which interface, it can also use its routing table to validate the source addresses of incoming packets. The technique is called Unicast Reverse Path Forwarding (uRPF), and the Cisco ASA adaptive security appliance supports strict uRPF, where packets must arrive over the correct interface in order to be accepted.


(Q) How many data interfaces are supported by a security appliance running in transparent mode with ASA version 8.2?
1. 1
2. 2
3. 4
4. 10


The correct answer is 2.
The transparent adaptive security appliance supports only two traffic-passing interfaces. If the adaptive security appliance platform supports a dedicated management interface, you can also enable the management interface for management traffic only.


(Q) Which command can be used on the standby firewall to force control back, making that firewall become active?
1. failover preempt
2. reset failover
3. failover primary
4. failover active


The correct answer is 4.
Use the failover active command when you need to force the current unit into the active state. This need can occur in a situation such as when you want to switch control back from a unit after you have fixed a problem and want to restore service to the current standby unit.

(Q) True or False — The AIP-SSM supports hot swap capabilities.

The answer is False.
The Cisco ASA AIP-SSM does not support hot swap capabilities. To install the module, you must first shut down the Cisco ASA adaptive security appliance. You then power on the appliance after the module has been installed.


(Q) When setting the name of an interface from the command line, what is the default security level on any interface with a name other than inside?
1. 0
2. 50
3. 100
4. none


The correct answer is 1.
When working from the command line (CLI), all interfaces other than the inside interface get a default security level of 0 (most untrusted).


(Q) By which of the following methods can a VPN user be automatically associated with a connection profile?
1. Certificate mapping
2. Group alias
3. Group URL
4. Cannot be done


The correct answers are 1 and 2.
Every VPN user needs to be associated with a connection profile in order for the ASA to determine which set of policies to apply to the connection. If certificate-based authentication is in use, then a certificate-to-connection-profile mapping can be used. Otherwise, an alias can be displayed to the user at logon to allow for selection of the appropriate profile.
