Free Cheat-test Samples and Demo Questions Download

Cisco 642-552 Exam

Free 642-552 Sample Questions:

1. What are two ways of preventing VLAN hopping attacks? (Choose two.)
A. Disable DTP on all the trunk ports.
B. Enable VTP pruning on all trunk ports to limit the VLAN broadcast.
C. Set the native VLAN on all the trunk ports to an unused VLAN.
D. Using port security, set the maximum number of secure MAC addresses to 1 on all trunk and access ports.
E. Disable portfast on all access ports.
Answer: A, C

2. Which of these two ways does Cisco recommend that you use to mitigate maintenance-related threats? (Choose two.)
A. Maintain a stock of critical spares for emergency use.
B. Ensure that all cabling is Category 6.
C. Always follow electrostatic discharge procedures when replacing or working with internal router and switch device components.
D. Always wear an electrostatic wrist band when handling cabling, including fiber-optic cabling.
E. Always employ certified maintenance technicians to maintain mission-critical equipment and cabling.
Answer: A, C

3. Which method of mitigating packet-sniffer attacks is the most effective?
A. implement two-factor authentication
B. deploy a switched Ethernet network infrastructure
C. use software and hardware to detect the use of sniffers
D. deploy network-level cryptography using IPsec, secure services, and secure protocols
Answer: D

4. A malicious program is disguised as another useful program; consequently, when the user executes the program, files get erased and then the malicious program spreads itself using emails as the delivery mechanism. Which type of attack best describes how this scenario got started?
A. DoS
B. worm
C. virus
D. trojan horse
Answer: D

5. What is the key function of a comprehensive security policy?
A. informing staff of their obligatory requirements for protecting technology and information assets
B. detailing the way security needs will be met at corporate and department levels
C. recommending that Cisco IPS sensors be implemented at the network edge
D. detailing how to block malicious network attacks
Answer: A

6. Which building blocks make up the Adaptive Threat Defense phase of Cisco SDN strategy?
A. VoIP services, NAC services, Cisco IBNS
B. network foundation protection, NIDS services, adaptive threat mitigation services
C. firewall services, intrusion prevention, secure connectivity
D. firewall services, IPS and network antivirus services, network intelligence
E. Anti-X defense, NAC services, network foundation protection
Answer: D

7. Why is TACACS+ the preferred AAA protocol to use with Cisco device authentication?
A. TACACS+ encryption algorithm is more recent than other AAA protocols
B. TACACS+ has a more robust programming interface than other AAA protocols
C. TACACS+ was initially developed as open-source software
D. TACACS+ provides true AAA functional separation and encrypts the entire body of the packet
E. TACACS+ maintains authentication information in the local database of each Cisco IOS router
F. TACACS+ combines authentication and authorization to provide more robust functionalities
Answer: D

8. Which method does a Cisco router use for protocol type IP packet filtering?
A. inspection rules
B. standard ACLs
C. security policies
D. extended ACLs
Answer: D

9. Which IKE function is optional?
A. authentication during SA negotiation
B. XAUTH protocol for user authentication
C. Quick Mode for IKE Phase 2
D. IKE SA establishment
Answer: B

10. What two tasks should be done before configuring SSH server operations on Cisco routers? (Choose two.)
A. Upgrade routers to run a Cisco IOS Release 12.1(1)P image.
B. Upgrade routers to run a Cisco IOS Release 12.1(3)T image or later with the IPsec feature set.
C. Ensure routers are configured for external ODBC authentication.
D. Ensure routers are configured for local authentication or AAA for username and password authentication.
E. Upgrade routers to run a Cisco IOS Release 11.1(3)T image or later with the IPsec feature set.
Answer: B, D

11. Which of these is true regarding IKE Phase 2?
A. The SAs used by IPsec are unidirectional, so a separate key exchange is required for each data flow.
B. Either main or aggressive mode can be used to establish the SAs.
C. Quick mode is used to establish the unidirectional IKE SA and the bidirectional IPsec SAs.
D. XAUTH can be optionally used to reauthenticate the IPsec peers.
E. The Diffie-Hellman protocol is used to exchange the public and private keys between the two IPsec peers.
Answer: A

12. Network administrators have just configured SSH on their target router and have now discovered that an intruder has been using this router to perform a variety of malicious attacks. What have they most likely forgotten to do and which Cisco IOS commands do they need to use to fix this problem on their target router?
A. forgot to reset the encryption keys using the crypto key zeroize rsa Cisco IOS global configuration command
B. forgot to close port 23 and they need to issue the no transport input telnet Cisco IOS global configuration command
C. forgot to disable vty inbound Telnet sessions and they need to issue the line vty 0 4 and the no transport input telnet Cisco IOS line configuration commands
D. forgot to restrict access to the Telnet service on port 23 using ACLs and they need to issue the access-list 90 deny any log Cisco IOS global configuration command, and the line vty 0 4 and access-class 90 in Cisco IOS line configuration commands
Answer: C

13. Which security log messaging method is the most common message logging facility and why?
A. SNMP traps, because the router can act as an SNMP agent and forward SNMP traps to an external SNMP server
B. buffered logging, because log messages are stored in router memory and events are cleared whenever the router is rebooted
C. console logging, because security messages are not stored and do not take up valuable storage space on network servers
D. syslog, because this method is capable of providing long-term log storage capabilities and supporting a central location for all router messages
E. logging all events to the Cisco Incident Control System to correlate events and provide recommended mitigation actions
Answer: D

14. What is a syslog configuration oversight that makes system event logs hard to interpret and what can be done to fix this oversight?
A. The system time does not get set on the router, making it difficult to know when events occurred. Recommend that an NTP facility be used to ensure that all the routers operate at the correct time.
B. Third-party flash memory gets installed and doesn't provide easily understandable error or failure codes. Only Cisco-authorized memory modules should be installed in Cisco devices.
C. The syslog message stream does not get encrypted and invalid syslog messages get sent to the syslog server. Encrypt the syslog messages.
D. The syslog messages filter rules did not get configured on the router, resulting in too many unimportant messages. Configure syslog messages filter rules so that low-severity messages are blocked from being sent to the syslog server and are logged locally on the router.
Answer: A

15. What are two security risks on 802.11 WLANs that implement WEP using a static 40-bit key with open authentication? (Choose two.)
A. The IV is transmitted as plaintext, and an attacker can sniff the WLAN to see the IV.
B. The challenge packet sent by the wireless AP is sent unencrypted.
C. The response packet sent by the wireless client is sent unencrypted.
D. WEP uses a weak block cipher such as the Data Encryption Algorithm.
E. One-way authentication only where the wireless client does not authenticate the wireless access point.
Answer: A, E

16. Using 802.1x authentication on a WLAN offers which advantage?
A. enforces a set of the policy statements that regulate which resource to protect and which activities are forbidden
B. allows inbound and outbound packet filter rules to be established at the interface level of a device
C. limits access to network resources based on user login identity; especially suited for large mobile user populations
D. enforces security policy compliance on all devices seeking to access network computing resources
Answer: C

17. How does an application-layer firewall work?
A. examines the data in all network packets at the application layer and maintains complete connection state and sequencing information
B. operates at Layers 3, 4 and 5, and keeps track of the actual application communication process by using an application table
C. determines whether the connection between two applications is valid according to configurable rules
D. allows an application on your private network that does not have a valid registered IP address to communicate with other applications through the Internet
Answer: A

18. Using a stateful firewall, which information is stored in the stateful session flow table?
A. the outbound and inbound access rules (ACL entries)
B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session
C. all TCP and UDP header information only
D. all TCP SYN packets and the associated return ACK packets only
E. the inside private IP address and the translated global IP address
Answer: B

19. What is a potential security weakness of traditional stateful firewall?
A. cannot support non-TCP flows
B. retains the state of user data packet and dynamically assigned ports in the state table
C. cannot track the state of each connection setup to ensure that each connection follows a legitimate TCP three-way handshake
D. cannot detect application-layer attacks
Answer: D

20. A client wants their web server on the DMZ to use a private IP address and to be reachable over the Internet with a fixed outside public IP address. Which type of technology will be effective in this scenario?
B. Dynamic NAT
C. Cut-Through Proxy
D. Application inspection
E. Static NAT
Answer: E

21. A mission critical server application embeds a private IP address and port number in the payload of packets that is used by the client to reply to the server. Why is implementing NAT over the Internet supporting this type of application an issue?
A. Embedded IP addresses causes NAT to do extensive packet manipulation. This process is very time intensive and the added delay causes the connection in these types of applications to time out and fail.
B. When the client attempts to reply to the server using the embedded private IP address instead of the public IP address mapped by NAT, the embedded private IP address will not be routable over the Internet.
C. NAT traversal can't be used for embedded IP addresses. Mission critical applications typically use NAT traversal to ensure stable timely connections, but not when embedded IP addresses and ports are used.
D. Using NAT makes troubleshooting difficult. You must know the IP address assigned to a device on its NIC and its translated address; it takes too long to determine the source and destination of an embedded IP address, and this delay is not appropriate for mission critical applications.
Answer: B

22. Which feature is available only in the Cisco SDM Advanced Firewall Wizard?
A. configure a router interface connected to a WLAN
B. create a firewall policy to block SDM access to the router from the outside interface
C. specify the router outside interface to use for remote management access
D. choose physical and logical interfaces connected to a WLAN
E. configure DMZ interfaces with access and inspection rules
Answer: E

23. What is the primary type of intrusion prevention technology used by Cisco IPS security appliances?
A. profile-based
B. rule-based
C. signature-based
D. protocol analysis-based
Answer: C

24. What is the difference between the attack-drop.sdf file and the 128MB.sdf and the 256MB.sdf files?
A. attack-drop.sdf has fewer signatures
B. attack-drop.sdf takes up more router memory space
C. attack-drop.sdf signatures cannot be tuned
D. attack-drop.sdf only contains the Atomic signatures
E. attack-drop.sdf only contains the String signatures
Answer: A

25. By default, what will a router do with incoming network traffic when the Cisco IOS IPS software fails to build a SME?
A. scan traffic using the most recently installed SME
B. drop all packets destined for that SME
C. print a syslog message indicating that failure of the SME build
D. pass traffic packets destined for that SME without scanning them
Answer: D

26. Which three ways can AAA services be implemented for Cisco routers? (Choose three.)
A. self-contained AAA services in the router itself
B. Cisco Secure ACS Network Module
C. Cisco Secure ACS Solution Engine
D. Cisco Security Manager AAA Service Module
E. Cisco Secure ACS for Windows Servers
F. Cisco Security Manager ACS Service Module
Answer: A, C, E

27. What is a secure way of providing clock synchronization between network routers?
A. sync each router acting as an NTPv2 client to the UTC via the Internet
B. implement an NTPv3 server synchronized to the UTC via an external clock source like a radio or atomic clock, then configure the other routers as NTPv3 clients
C. use CDPv2 and NTPv3 to pass and sync the clocking information between the adjacent routers in the network
D. implement in-band management to sync the clock between the routers using a peer-to-peer architecture using NTPv4 or higher
Answer: B

© 2014, All Rights Reserved