All4Certs Cisco Archive, Exam Archive

Free Download the Most Updated CertBus Cisco 640-554 Brain Dumps

CCNA Security 640-554 easy pass guidance: Preparing for the Cisco CCNA Security 640-554 exam is a tough task. However, CertBus provides the most comprehensive PDFs and VCEs, covering every knowledge point required in the actual 640-554 exam.

CertBus has its own expert team. They selected and published the latest 640-554 preparation materials from the Cisco Official Exam-Center: http://www.certgod.com/640-554.html

QUESTION NO:12

Refer to the exhibit.

Which statement about this output is true?

A. The user logged into the router with the incorrect username and password.

B. The login failed because there was no default enable password.

C. The login failed because the password entered was incorrect.

D. The user logged in and was given privilege level 15.

Answer: C

Explanation:

http://www.cisco.com/en/US/docs/ios/12_2/debug/command/reference/dbfaaa.html

debug aaa authentication

To display information on AAA/Terminal Access Controller Access Control System Plus (TACACS+) authentication, use the debug aaa authentication privileged EXEC command. To disable debugging output, use the no form of the command.

debug aaa authentication
no debug aaa authentication

The following is sample output from the debug aaa authentication command. A single EXEC login that uses the "default" method list and the first method, TACACS+, is displayed. The TACACS+ server sends a GETUSER request to prompt for the username and then a GETPASS request to prompt for the password, and finally a PASS response to indicate a successful login. The number 50996740 is the session ID, which is unique for each authentication. Use this ID number to distinguish between different authentications if several are occurring concurrently.

Router# debug aaa authentication
6:50:12: AAA/AUTHEN: create_user user='' ruser='' port='tty19' rem_addr='172.31.60.15' authen_type=1 service=1 priv=1
6:50:12: AAA/AUTHEN/START (0): port='tty19' list='' action=LOGIN service=LOGIN
6:50:12: AAA/AUTHEN/START (0): using "default" list
6:50:12: AAA/AUTHEN/START (50996740): Method=TACACS+
6:50:12: TAC+ (50996740): received authen response status = GETUSER
6:50:12: AAA/AUTHEN (50996740): status = GETUSER
6:50:15: AAA/AUTHEN/CONT (50996740): continue_login
6:50:15: AAA/AUTHEN (50996740): status = GETUSER
6:50:15: AAA/AUTHEN (50996740): Method=TACACS+
6:50:15: TAC+: send AUTHEN/CONT packet
6:50:15: TAC+ (50996740): received authen response status = GETPASS
6:50:15: AAA/AUTHEN (50996740): status = GETPASS
6:50:20: AAA/AUTHEN/CONT (50996740): continue_login
6:50:20: AAA/AUTHEN (50996740): status = GETPASS
6:50:20: AAA/AUTHEN (50996740): Method=TACACS+
6:50:20: TAC+: send AUTHEN/CONT packet
6:50:20: TAC+ (50996740): received authen response status = PASS
6:50:20: AAA/AUTHEN (50996740): status = PASS
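To tell a successful login from a rejected one in this output you group the lines by session ID and look at the last status the session reports. The following parser is an added example (not from the page or from Cisco); its sample log is constructed in the format shown above, with a second session ending in FAIL so that the failed-login report has something to find.

```python
import re

# Line shapes emitted by "debug aaa authentication" (see the sample output above).
CREATE_RE = re.compile(r"AAA/AUTHEN: create_user user='[^']*' ruser='[^']*' "
                       r"port='(?P<port>[^']*)' rem_addr='(?P<addr>[^']*)'")
START_RE = re.compile(r"AAA/AUTHEN/START \((?P<sid>\d+)\): Method=(?P<method>\S+)")
STATUS_RE = re.compile(r"AAA/AUTHEN \((?P<sid>\d+)\): status = (?P<status>\w+)")

# Constructed sample (not from the page): the successful session 50996740 in the
# original format, followed by a second session that the server rejects with FAIL.
SAMPLE_DEBUG = """\
6:50:12: AAA/AUTHEN: create_user user='' ruser='' port='tty19' rem_addr='172.31.60.15' authen_type=1 service=1 priv=1
6:50:12: AAA/AUTHEN/START (0): port='tty19' list='' action=LOGIN service=LOGIN
6:50:12: AAA/AUTHEN/START (50996740): Method=TACACS+
6:50:12: AAA/AUTHEN (50996740): status = GETUSER
6:50:15: AAA/AUTHEN/CONT (50996740): continue_login
6:50:15: AAA/AUTHEN (50996740): status = GETPASS
6:50:20: AAA/AUTHEN (50996740): status = PASS
6:51:02: AAA/AUTHEN: create_user user='' ruser='' port='tty20' rem_addr='172.31.60.99' authen_type=1 service=1 priv=1
6:51:02: AAA/AUTHEN/START (50996741): Method=TACACS+
6:51:02: AAA/AUTHEN (50996741): status = GETUSER
6:51:05: AAA/AUTHEN (50996741): status = GETPASS
6:51:09: AAA/AUTHEN (50996741): status = FAIL
"""

def parse_aaa_debug(text):
    """Group the debug lines by session ID and record how each login ended."""
    sessions, pending = {}, None   # pending: create_user data seen before its ID
    for line in text.splitlines():
        m = CREATE_RE.search(line)
        if m:
            pending = {"port": m.group("port"), "rem_addr": m.group("addr")}
            continue
        m = START_RE.search(line)
        if m:
            sessions[m.group("sid")] = {"method": m.group("method"), "prompts": [],
                                        "final": None, **(pending or {})}
            pending = None
            continue
        m = STATUS_RE.search(line)
        if m and m.group("sid") in sessions:
            s, status = sessions[m.group("sid")], m.group("status")
            if status in ("GETUSER", "GETPASS"):
                if status not in s["prompts"]:   # status is repeated on continue_login
                    s["prompts"].append(status)
            else:
                s["final"] = status              # PASS, FAIL, ERROR ...
    return sessions

def failed_logins(sessions):
    """(session ID, remote address, port) for every session that did not reach PASS."""
    return [(sid, s.get("rem_addr"), s.get("port"))
            for sid, s in sessions.items() if s["final"] != "PASS"]

if __name__ == "__main__":
    for entry in failed_logins(parse_aaa_debug(SAMPLE_DEBUG)):
        print("failed login: session %s from %s on %s" % entry)
```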


QUESTION NO:1

Which two features are supported by Cisco IronPort Security Gateway? (Choose two.)

A. Spam protection

B. Outbreak intelligence

C. HTTP and HTTPS scanning

D. Email encryption

E. DDoS protection

Answer: A,D

Explanation: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10154/data-sheet-c78-729751.html

Product Overview

Over the past 20 years, email has evolved from a tool used primarily by technical and research professionals to become the backbone of corporate communications. Each day, more than 100 billion corporate email messages are exchanged. As the level of use rises, security becomes a greater priority. Mass spam campaigns are no longer the only concern. Today, spam and malware are just part of a complex picture that includes inbound threats and outbound risks.

Cisco Email Security solutions defend mission-critical email systems with appliance, virtual, cloud, and hybrid solutions. The industry leader in email security solutions, Cisco delivers:

- Fast, comprehensive email protection that can block spam and threats before they even hit your network
- Flexible cloud, virtual, and physical deployment options to meet your ever-changing business needs
- Outbound message control through on-device data-loss prevention (DLP), email encryption, and optional integration with the RSA enterprise DLP solution
- One of the lowest total cost of ownership (TCO) email security solutions available


QUESTION NO:6

What does level 5 in this enable secret global configuration mode command indicate? router#enable secret level 5 password

A. The enable secret password is hashed using MD5.

B. The enable secret password is hashed using SHA.

C. The enable secret password is encrypted using Cisco proprietary level 5 encryption.

D. Set the enable secret command to privilege level 5.

E. The enable secret password is for accessing exec privilege level 5.

Answer: D

Explanation:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html

To configure the router to require an enable password, use either of the following commands in global configuration mode:

Router(config)# enable password [level level] {password | encryption-type encrypted-password}

Establishes a password for a privilege command mode.

Router(config)# enable secret [level level] {password | encryption-type encrypted-password}

Specifies a secret password, saved using a non-reversible encryption method. (If enable password and enable secret are both set, users must enter the enable secret password.)

Use either of these commands with the level option to define a password for a specific privilege level.

After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level configuration command to specify commands accessible at various levels.


QUESTION NO:9

Which three options are common examples of AAA implementation on Cisco routers? (Choose three.)

A. authenticating remote users who are accessing the corporate LAN through IPsec VPN connections

B. authenticating administrator access to the router console port, auxiliary port, and vty ports

C. implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates

D. tracking Cisco NetFlow accounting statistics

E. securing the router by locking down all unused services

F. performing router commands authorization using TACACS+

Answer: A,B,F

Explanation:

http://www.cisco.com/en/US/products/ps6638/products_data_sheet09186a00804fe332.htm

Need for AAA Services

Security for user access to the network and the ability to dynamically define a user's profile to gain access to network resources has a legacy dating back to asynchronous dial access. AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers, which is usually the function of a router or access server.

Authentication identifies a user; authorization determines what that user can do; and accounting monitors the network usage time for billing purposes.

AAA information is typically stored in an external database or remote server such as RADIUS or TACACS+. The information can also be stored locally on the access server or router. Remote security servers, such as RADIUS and TACACS+, assign users specific privileges by associating attribute-value (AV) pairs, which define the access rights with the appropriate user. All authorization methods must be defined through AAA.


QUESTION NO:2

Which option is a feature of Cisco ScanSafe technology?

A. spam protection

B. consistent cloud-based policy

C. DDoS protection

D. RSA Email DLP

Answer: B

Explanation:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps6538/ps6540/data_sheet_c78-655324.html

Cisco Enterprise Branch Web Security

The Cisco Integrated Services Router G2 (ISR G2) Family delivers numerous security services, including firewall, intrusion prevention, and VPN. These security capabilities have been extended with Cisco ISR Web Security with Cisco ScanSafe for a simple, cost-effective, on-demand web security solution that requires no additional hardware. Organizations can deploy and enable market-leading web security quickly and easily, and can enable secure local Internet access for all sites and users, saving bandwidth, money, and resources.

[Figure 1. Typical Cisco ISR Web Security with Cisco ScanSafe Deployment]

Cisco ISR Web Security with Cisco ScanSafe enables branch offices to intelligently redirect web traffic to the cloud to enforce granular security and control policy over dynamic Web 2.0 content, protecting branch office users from threats such as Trojans, back doors, rogue scanners, viruses, and worms. The Cisco ISR Web Security with Cisco ScanSafe feature will be available in the Security SEC K9 license bundle.


QUESTION NO:19

Which two considerations about secure network management are important? (Choose two.)

A. log tampering

B. encryption algorithm strength

C. accurate time stamping

D. off-site storage

E. Use RADIUS for router commands authorization.

F. Do not use a loopback interface for device management access.

Answer: A,C

Explanation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/best/practices/recommendations.html

Enable Timestamped Messages

Enable timestamps on log messages:

Router(config)# service timestamps log datetime localtime show-timezone msec

Enable timestamps on system debug messages:

Router(config)# service timestamps debug datetime localtime show-timezone msec


QUESTION NO:14

Refer to the exhibit.

Which statement about this partial CLI configuration of an access control list is true?

A. The access list accepts all traffic on the 10.0.0.0 subnets.

B. All traffic from the 10.10.0.0 subnets is denied.

C. Only traffic from 10.10.0.10 is allowed.

D. This configuration is invalid. It should be configured as an extended ACL to permit the associated wildcard mask.

E. From the 10.10.0.0 subnet, only traffic sourced from 10.10.0.10 is allowed; traffic sourced from the other 10.0.0.0 subnets also is allowed.

F. The access list permits traffic destined to the 10.10.0.10 host on FastEthernet0/0 from any source.

Answer: E

Explanation:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-acl-ov-gdl.html

The Order in Which You Enter Criteria Statements

Note that each additional criteria statement that you enter is appended to the end of the access list statements.

Also note that you cannot delete individual statements after they have been created. You can only delete an entire access list.

The order of access list statements is important! When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order in which the statements were created. After a match is found, no more criteria statements are checked.

If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries.

Apply an Access Control List to an Interface

With some protocols, you can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list that checks both inbound and outbound packets.

If the access list is inbound, when a device receives a packet, Cisco software checks the access list’s criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.

If the access list is outbound, after receiving and routing a packet to the outbound interface, Cisco software checks the access list’s criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

Note Access lists that are applied to interfaces on a device do not filter traffic that originates from that device. The access list check is bypassed for locally generated packets, which are always outbound. By default, an access list that is applied to an outbound interface for matching locally generated traffic will bypass the outbound access list check; but transit traffic is subjected to the outbound access list check.
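The first-match rule is what makes answer E depend on the order of the statements. The evaluator below is an added example (not from the page or from Cisco IOS); since the exhibit is not reproduced on the page, the standard ACL it parses is constructed to produce the behaviour answer E describes, and a second copy with the first two statements swapped shows the host entry becoming unreachable.

```python
import ipaddress

# Constructed standard ACL (the exhibit itself is not on the page) written to
# produce the behaviour in answer E: 10.10.0.10 is the only 10.10.0.0/16 source
# allowed, while the rest of 10.0.0.0/8 is allowed too.
ACL_ANSWER_E = """\
access-list 10 permit 10.10.0.10
access-list 10 deny 10.10.0.0 0.0.255.255
access-list 10 permit 10.0.0.0 0.255.255.255
"""

# Same statements with the first two swapped: the host entry is now shadowed.
ACL_MISORDERED = """\
access-list 10 deny 10.10.0.0 0.0.255.255
access-list 10 permit 10.10.0.10
access-list 10 permit 10.0.0.0 0.255.255.255
"""

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is a don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(network)) & care)

def parse_standard_acl(config):
    """Parse 'access-list N permit|deny source [wildcard]' lines in entry order."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, src = parts[2], parts[3]
        if src == "any":
            src, wc = "0.0.0.0", "255.255.255.255"
        elif src == "host":
            src, wc = parts[4], "0.0.0.0"
        else:
            wc = parts[4] if len(parts) > 4 else "0.0.0.0"  # bare host address
        entries.append((action, src, wc))
    return entries

def evaluate(entries, src_addr):
    """First matching statement wins; the implicit deny at the end catches the rest."""
    for action, network, wildcard in entries:
        if wildcard_match(src_addr, network, wildcard):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_standard_acl(ACL_ANSWER_E)
    for src in ("10.10.0.10", "10.10.7.7", "10.20.1.1", "192.168.1.1"):
        print(src, "->", evaluate(acl, src))
```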


QUESTION NO:22

You suspect that an attacker in your network has configured a rogue Layer 2 device to intercept traffic from multiple VLANs, which allows the attacker to capture potentially sensitive data.

Which two methods will help to mitigate this type of activity? (Choose two.)

A. Turn off all trunk ports and manually configure each VLAN as required on each port.

B. Place unused active ports in an unused VLAN.

C. Secure the native VLAN, VLAN 1, with encryption.

D. Set the native VLAN on the trunk ports to an unused VLAN.

E. Disable DTP on ports that require trunking.

Answer: D,E

Explanation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/layer2.html

Layer 2 LAN Port Modes

Table 17-2 lists the Layer 2 LAN port modes and describes how they function on LAN ports.

switchport mode access
Puts the LAN port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The LAN port becomes a nontrunk port even if the neighboring LAN port does not agree to the change.

switchport mode dynamic desirable
Makes the LAN port actively attempt to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk, desirable, or auto mode. This is the default mode for all LAN ports.

switchport mode dynamic auto
Makes the LAN port willing to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk or desirable mode.

switchport mode trunk
Puts the LAN port into permanent trunking mode and negotiates to convert the link into a trunk link. The LAN port becomes a trunk port even if the neighboring port does not agree to the change.

switchport nonegotiate
Puts the LAN port into permanent trunking mode but prevents the port from generating DTP frames. You must configure the neighboring port manually as a trunk port to establish a trunk link.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

Double Encapsulation Attack

When double-encapsulated 802.1Q packets are injected into the network from a device whose VLAN happens to be the native VLAN of a trunk, the VLAN identification of those packets cannot be preserved from end to end since the 802.1Q trunk would always modify the packets by stripping their outer tag. After the external tag is removed, the internal tag permanently becomes the packet's only VLAN identifier. Therefore, by double-encapsulating packets with two different tags, traffic can be made to hop across VLANs.

This scenario is to be considered a misconfiguration, since the 802.1Q standard does not necessarily force the users to use the native VLAN in these cases. As a matter of fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don’t use this VLAN for any other purpose.

Protocols like STP, DTP, and UDLD (check out [3]) should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets.


QUESTION NO:17

You have been tasked by your manager to implement syslog in your network. Which option is an important factor to consider in your implementation?

A. Use SSH to access your syslog information.

B. Enable the highest level of syslog function available to ensure that all possible event messages are logged.

C. Log all messages to the system buffer so that they can be displayed when accessing the router.

D. Synchronize clocks on the network with a protocol such as Network Time Protocol.

Answer: D

Explanation:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap5.html

Time Synchronization

When implementing network telemetry, it is important that dates and times are both accurate and synchronized across all network infrastructure devices. Without time synchronization, it is very difficult to correlate different sources of telemetry.

Enabling Network Time Protocol (NTP) is the most common method of time synchronization.

General best common practices for NTP include:

- A common, single time zone is recommended across an entire network infrastructure in order to enable the consistency and synchronization of time across all network devices.
- The time source should be from an authenticated, limited set of authorized NTP servers.

Detailed information on NTP and NTP deployment architectures is available in the Network Time Protocol: Best Practices White Paper at the following URL: http://www.cisco.com/warp/public/126/ntpm.pdf

Timestamps and NTP Configuration

In Cisco IOS, the steps to enable timestamps and NTP include:

Step 1 Enable timestamp information for debug messages.

Step 2 Enable timestamp information for log messages.

Step 3 Define the network-wide time zone.

Step 4 Enable summertime adjustments.

Step 5 Restrict which devices can communicate with this device as an NTP server.

Step 6 Restrict which devices can communicate with this device as an NTP peer.

Step 7 Define the source IP address to be used for NTP packets.

Step 8 Enable NTP authentication.

Step 9 Define the NTP servers.

Step 10 Define the NTP peers.

Step 11 Enable NTP to update the device hardware clock.
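Both the Layer 2 port-mode guidance under question 22 (disable DTP, move the trunk native VLAN off VLAN 1) and the timestamp/NTP steps just listed boil down to lines that should or should not be present in a running config. The audit below is an added example (not from the page or from Cisco): it walks a constructed IOS config excerpt and reports ports that still negotiate trunks or keep the default native VLAN, plus the checklist steps whose command is absent. Interface names and addresses are constructed; the patterns assume the standard IOS command spellings and do not check the optional ntp peer step.

```python
import re

# Constructed running-config excerpt (not from the page): one hardened trunk, one
# trunk left at its defaults, one port never configured, and a partial NTP setup.
SAMPLE_CONFIG = """\
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
clock timezone UTC 0
ntp authenticate
ntp server 192.0.2.10 key 1
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
interface FastEthernet0/2
 switchport mode trunk
interface FastEthernet0/3
"""

def parse_interfaces(config):
    """Return {interface name: [its indented config lines, stripped]}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current:
            ifaces[current].append(line.strip())
    return ifaces

def audit_trunks(config):
    """Flag ports that still negotiate via DTP or keep VLAN 1 as the trunk native VLAN."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((ln[len("switchport mode "):] for ln in lines
                     if ln.startswith("switchport mode ")), None)
        if mode is None or mode.startswith("dynamic"):   # dynamic desirable is the default
            findings.append((name, "dynamic mode: a DTP peer can negotiate a trunk"))
        elif mode == "trunk":
            if "switchport nonegotiate" not in lines:
                findings.append((name, "trunk sends DTP frames; add switchport nonegotiate"))
            if not any(ln.startswith("switchport trunk native vlan ") for ln in lines):
                findings.append((name, "native VLAN left at VLAN 1; use an unused VLAN"))
    return findings

# Checklist steps above, as the config line each one should leave behind.
NTP_STEPS = {
    "timestamps on debug": r"^service timestamps debug ",
    "timestamps on log": r"^service timestamps log ",
    "NTP access restriction": r"^ntp access-group ",
    "NTP authentication": r"^ntp authenticate",
    "NTP server": r"^ntp server ",
    "hardware clock update": r"^ntp update-calendar",
}

def audit_ntp(config):
    """Return the checklist steps whose command is missing from the config."""
    return [step for step, pat in NTP_STEPS.items()
            if not re.search(pat, config, re.MULTILINE)]
```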


QUESTION NO:4

Under which higher-level policy is a VPN security policy categorized?

A. application policy

B. DLP policy

C. remote access policy

D. compliance policy

E. corporate WAN policy

Answer: C

Explanation:

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ravpnpag.html

Remote Access VPN Policy Reference

The Remote Access VPN policy pages are used to configure remote access VPNs on Cisco IOS security routers, PIX Firewalls, Catalyst 6500/7600 devices, and Adaptive Security Appliance (ASA) devices.


CertBus exam braindumps are pass-guaranteed. We guarantee that you will pass the 640-554 exam with our Cisco materials. The CertBus Implementing Cisco IOS Network Security (IINS v2.0) exam PDF and VCE are the latest and most accurate. We have the best Cisco experts on our team to make sure the CertBus Implementing Cisco IOS Network Security (IINS v2.0) exam questions and answers are the most valid. The CertBus Implementing Cisco IOS Network Security (IINS v2.0) exam dumps will help you become a Cisco specialist, clear your 640-554 exam and achieve final success.

640-554 Latest questions and answers on Google Drive(100% Free Download): https://drive.google.com/file/d/0B_3QX8HGRR1mNHcxYWl1d3djNnc/view?usp=sharing

640-554 Cisco exam dumps (100% Pass Guaranteed) from CertBus: http://www.certgod.com/640-554.html [100% Exam Pass Guaranteed]

Why choose CertBus?

Millions of interested professionals can reach the destination of success in exams through certgod.com products, which are available, affordable, updated and of the best quality to overcome the difficulties of any course outline. The questions and answers material is updated regularly in a highly outclass manner, and material is released periodically and is available in the testing centers with which we maintain relationships to get the latest material.

Brand    CertBus    Testking    Pass4sure    Actualtests    Others
Price    $45.99     $124.99     $125.99      $189           $69.99-99.99

Compared features: Up-to-Date Dumps, Free 365 Days Update, Real Questions, Printable PDF, Test Engine, One Time Purchase, Instant Download, Unlimited Install, 100% Pass Guarantee, 100% Money Back, Secure Payment, Privacy Protection