CCIE Security Written Exam (v5.0)
Question No: 131 – (Topic 2)
According to OWASP guidelines, what is the recommended method to prevent cross-site request forgery?
Allow only POST requests.
Mark all cookies as HTTP only.
Use per-session challenge tokens in links within your web application.
Always use the "secure" attribute for cookies.
Require strong passwords.
Question No: 132 DRAG DROP – (Topic 2)
Drag each Management Frame Protection feature on the left to the function it performs on the right.
Explanation:
Client MFP: Enables access points to drop spoofed management frames.
Event reporting: Enables the WLC to aggregate anomaly reports.
Infrastructure Frame validation: Enables and disables MFP protection and validation on a selective basis.
Management frame protection: Enables an access point to report management frames with invalid MICs to the WLC.
Management frame validation: Enables an access point to verify that management frames from other access points include a valid MIC IE from the sending access point's BSSID.
Question No: 133 – (Topic 2)
Which two statements about the DH group are true? (Choose two.)
The DH group is used to provide data authentication.
The DH group is negotiated in IPsec phase-1.
The DH group is used to provide data confidentiality.
The DH group is used to establish a shared key over an unsecured medium.
The DH group is negotiated in IPsec phase-2.
Question No: 134 – (Topic 2)
A server with IP address 22.214.171.124 is protected behind the inside interface of a Cisco ASA or PIX security appliance, with the Internet on the outside interface. Users on the Internet need to access the server at any time, but the firewall administrator does not want to apply NAT to the address of the server because it is currently a public address. Which three of the following commands can be used to accomplish this? (Choose three.)
A. static (inside,outside) 126.96.36.199 188.8.131.52 netmask 255.255.255.2quot;
B. nat (inside) 1 184.108.40.206 255.255.255.255
C. no nat-control
D. nat (inside) 0 209.165.202.150 255.255.255.255
E. static (outside,inside) 220.127.116.11 18.104.22.168 netmask 255.255.255.255
F. access-list no-nat permit ip host 22.214.171.124 any nat (inside) 0 access-list no-nat
Question No: 135 – (Topic 2)
Which category-to-protocol mapping for NBAR is correct?
Category: Network management; Protocol: ICMP, SNMP, SSH, Telnet
Category: Network mail services; Protocol: MAPI, POP3, SMTP
Category: Enterprise applications; Protocol: Citrix ICA, PCAnywhere, SAP, IMAP
Question No: 136 – (Topic 2)
Refer to the exhibit.
Routers R1, R2, and R3 have IPv6 reachability, and R1 and R3 are able to ping each other with the IPv6 global unicast address. However, R1 and R3 are unable to ping each other with their link-local addresses. What is a possible reason for the problem?
Link-local addresses can communicate with neighboring interfaces.
Link-local addresses are forwarded by IPv6 routers using loopback interfaces.
Link-local addresses can be used only with a physical interface's local network.
Multicast must be enabled to allow link-local addresses to traverse multiple hops.
Question No: 137 – (Topic 2)
The computer at 10.10.10.4 on your network has been infected by a botnet that directs traffic to a malware site at 126.96.36.199. Assuming that filtering will be performed on a Cisco ASA, what command can you use to block all current and future connections from the infected host?
A. ip access-list extended BLOCK_BOT_OUT deny ip any host 10.10.10.4
B. shun 10.10.10.4 188.8.131.52 6000 80
C. ip access-list extended BLOCK_BOT_OUT deny ip host 10.10.10.4 host 184.108.40.206
D. ip access-list extended BLOCK_BOT_OUT deny ip host 220.127.116.11 host 10.10.10.4
E. shun 18.104.22.168 10.10.10.4 6000 80
Question No: 138 – (Topic 2)
Refer to the exhibit. Which two statements about the given configuration are true? (Choose two.)
It is an inbound policy.
It will allow 22.214.171.124 to connect to 126.96.36.199 on an IMAP port.
It will allow 188.8.131.52 to connect to 184.108.40.206 on an RDP port.
It will allow 220.127.116.11 to connect to 18.104.22.168 on an RDP port.
It will allow 22.214.171.124 to connect to 126.96.36.199 on a VNC port.
It is an outbound policy.
Question No: 139 – (Topic 2)
Which two U.S. government entities are authorized to execute and enforce the penalties for violations of the
Federal Trade Commission (FTC)
Internal Revenue Service (IRS)
Office of Civil Rights (OCR)
Federal Reserve Board
Securities and Exchange Commission (SEC)
United States Citizenship and Immigration Services (USCIS)
Question No: 140 – (Topic 2)
Which two statements about role-based access control are true? (Choose two.)
Server profile administrators have read and write access to all system logs by default.
If the same user name is used for a local user account and a remote user account, the roles defined in the remote user account override the local user account.
A view is created on the Cisco IOS device to leverage role-based access controls.
Network administrators have read and write access to all system logs by default.
The user profile on an AAA server is configured with the roles that grant user privileges.