[Newest Version] Easily Pass 640-554 Exam with CertBus Updated Real Cisco 640-554 Exam Materials

Don’t worry about how to get yourself well prepared for your CCNA Security 640-554 exam! CertBus will help you through your CCNA Security 640-554 exam with the latest updated 640-554 Implementing Cisco IOS Network Security (IINS v2.0) PDF and VCE dumps. CertBus provides the latest real Cisco CCNA Security 640-554 exam preparation material, covering every aspect of the 640-554 exam curriculum.

CertBus has its own expert team. They selected and published the latest 640-554 preparation materials from Cisco Official Exam-Center: http://www.certgod.com/640-554.html

QUESTION NO:3

Which two characteristics represent a blended threat? (Choose two.)

A. man-in-the-middle attack

B. trojan horse attack

C. pharming attack

D. denial of service attack

E. day zero attack

Answer: B,E

Explanation:

http://www.cisco.com/web/IN/about/network/threat_defense.html

Rogue developers create such threats by using worms, viruses, or application-embedded attacks. Botnets can be used to seed an attack; for example, rogue developers can use worms or application-embedded attacks (attacks hidden within application traffic such as web traffic or peer-to-peer shared files) to deposit “Trojans”. This combination of attack techniques, for example a virus or worm used to deposit a Trojan, is relatively new and is known as a blended attack. A blended attack can also occur in phases: an initial attack of a virus with a Trojan that might open up an unsecured port on a computer, disable an access control list (ACL), or disarm antivirus software, with the goal of a more devastating attack to follow soon after. Host firewalls on servers and desktops/laptops, day zero protection, and intelligent behavior-based protection from application vulnerabilities and related flaws (within or inserted by viruses, worms or Trojans) provide a great level of confidence about what is happening within an organization on a normal day. In an attack situation, they show which segment is affected and what has gone wrong, and give the flexibility and control to stop such situations by linking these devices with monitoring, log-analysis and event-correlation systems.


QUESTION NO:9

Which three options are common examples of AAA implementation on Cisco routers? (Choose three.)

A. authenticating remote users who are accessing the corporate LAN through IPsec VPN connections

B. authenticating administrator access to the router console port, auxiliary port, and vty ports

C. implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates

D. tracking Cisco NetFlow accounting statistics

E. securing the router by locking down all unused services

F. performing router commands authorization using TACACS

Answer: A,B,F

Explanation:

http://www.cisco.com/en/US/products/ps6638/products_data_sheet09186a00804fe332.htm

Need for AAA Services

Security for user access to the network and the ability to dynamically define a user's profile to gain access to network resources has a legacy dating back to asynchronous dial access. AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers, which is usually the function of a router or access server.

Authentication identifies a user; authorization determines what that user can do; and accounting monitors the network usage time for billing purposes.

AAA information is typically stored in an external database or remote server such as RADIUS or TACACS+. The information can also be stored locally on the access server or router. Remote security servers, such as RADIUS and TACACS+, assign users specific privileges by associating attribute-value (AV) pairs, which define the access rights with the appropriate user. All authorization methods must be defined through AAA.


QUESTION NO:21

Which router management feature provides for the ability to configure multiple administrative views?

A. role-based CLI

B. virtual routing and forwarding

C. secure config privilege {level}

D. parser view view name

Answer: A

Explanation:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

Role-Based CLI Access

The Role-Based CLI Access feature allows the network administrator to define “views,” which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.


QUESTION NO:14

Refer to the exhibit.

Which statement about this partial CLI configuration of an access control list is true?

A. The access list accepts all traffic on the 10.0.0.0 subnets.

B. All traffic from the 10.10.0.0 subnets is denied.

C. Only traffic from 10.10.0.10 is allowed.

D. This configuration is invalid. It should be configured as an extended ACL to permit the associated wildcard mask.

E. From the 10.10.0.0 subnet, only traffic sourced from 10.10.0.10 is allowed; traffic sourced from the other 10.0.0.0 subnets also is allowed.

F. The access list permits traffic destined to the 10.10.0.10 host on FastEthernet0/0 from any source.

Answer: E

Explanation:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-acl-ov-gdl.html

The Order in Which You Enter Criteria Statements

Note that each additional criteria statement that you enter is appended to the end of the access list statements.

Also note that you cannot delete individual statements after they have been created. You can only delete an entire access list.

The order of access list statements is important! When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order in which the statements were created. After a match is found, no more criteria statements are checked.

If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries.

Apply an Access Control List to an Interface

With some protocols, you can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list that checks both inbound and outbound packets.

If the access list is inbound, when a device receives a packet, Cisco software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.

If the access list is outbound, after receiving and routing a packet to the outbound interface, Cisco software checks the access list's criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

Note: Access lists that are applied to interfaces on a device do not filter traffic that originates from that device. The access list check is bypassed for locally generated packets, which are always outbound. By default, an access list that is applied to an outbound interface for matching locally generated traffic will bypass the outbound access list check; but transit traffic is subjected to the outbound access list check.


QUESTION NO:8

Which option is the correct representation of the IPv6 address 2001:0000:150C:0000:0000:41B1:45A3:041D?

A. 2001::150c::41b1:45a3:041d

B. 2001:0:150c:0::41b1:45a3:04d1

C. 2001:150c::41b1:45a3::41d

D. 2001:0:150c::41b1:45a3:41d

Answer: D

Explanation:

http://www.cisco.com/web/strategy/docs/gov/IPv6_WP.pdf

Address Representation

The first area to address is how to represent these 128 bits. Due to the size of the numbering space, hexadecimal numbers and colons were chosen to represent IPv6 addresses. An example IPv6 address is: 2001:0DB8:130F:0000:0000:7000:0000:140B

Note the following:

- There is no case sensitivity. Lower case


QUESTION NO:15

Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement?

A. nested object-class

B. class-map

C. extended wildcard matching

D. object groups

Answer: D

Explanation:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/objectgroups.html

Information About Object Groups

By grouping like objects together, you can use the object group in an ACE instead of having to enter an ACE for each object separately. You can create the following types of object groups:

- Protocol
- Network
- Service
- ICMP type

For example, consider the following three object groups:

- MyServices


QUESTION NO:10

When AAA login authentication is configured on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)

A. group RADIUS

B. group TACACS

C. local

D. krb5

E. enable

F. if-authenticated

Answer: C,E

Explanation:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html

TACACS+ Authentication Examples

The following example shows how to configure TACACS+ as the security protocol for PPP authentication:

    aaa new-model
    aaa authentication ppp test group tacacs+ local
    tacacs-server host 10.1.2.3
    tacacs-server key goaway
    interface serial 0
     ppp authentication chap pap test

The lines in the preceding sample configuration are defined as follows:

- The aaa new-model command enables the AAA security services.
- The aaa authentication command defines a method list, “test,” to be used on serial interfaces running PPP. The keyword group tacacs+ means that authentication will be done through TACACS+. If TACACS+ returns an ERROR of some sort during authentication, the keyword local indicates that authentication will be attempted using the local database on the network access server.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml

Authentication

Start to configure TAC+ on the router. Enter enable mode and type configure terminal before the command set. This command syntax ensures that you are not locked out of the router initially, providing the tac_plus_executable is not running:

    !--- Turn on TAC+.
    aaa new-model
    enable password whatever
    !--- These are lists of authentication methods.
    !--- "linmethod", "vtymethod", "conmethod", and
    !--- so on are names of lists, and the methods
    !--- listed on the same lines are the methods
    !--- in the order to be tried. As used here, if
    !--- authentication fails due to the
    !--- tac_plus_executable not being started, the
    !--- enable password is accepted because
    !--- it is in each list.
    !
    aaa authentication login linmethod tacacs+ enable
    aaa authentication login vtymethod tacacs+ enable
    aaa authentication login conmethod tacacs+ enable


QUESTION NO:19

Which two considerations about secure network management are important? (Choose two.)

A. log tampering

B. encryption algorithm strength

C. accurate time stamping

D. off-site storage

E. Use RADIUS for router commands authorization.

F. Do not use a loopback interface for device management access.

Answer: A,C

Explanation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/best/practices/recommendations.html

Enable Timestamped Messages

Enable timestamps on log messages:

    Router(config)# service timestamps log datetime localtime show-timezone msec

Enable timestamps on system debug messages:

    Router(config)# service timestamps debug datetime localtime show-timezone msec


QUESTION NO:1

Which two features are supported by Cisco IronPort Security Gateway? (Choose two.)

A. Spam protection

B. Outbreak intelligence

C. HTTP and HTTPS scanning

D. Email encryption

E. DDoS protection

Answer: A,D

Explanation: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10154/data-sheet-c78-729751.html

Product Overview

Over the past 20 years, email has evolved from a tool used primarily by technical and research professionals to become the backbone of corporate communications. Each day, more than 100 billion corporate email messages are exchanged. As the level of use rises, security becomes a greater priority. Mass spam campaigns are no longer the only concern. Today, spam and malware are just part of a complex picture that includes inbound threats and outbound risks.

Cisco Email Security solutions defend mission-critical email systems with appliance, virtual, cloud, and hybrid solutions. The industry leader in email security solutions, Cisco delivers:

- Fast, comprehensive email protection that can block spam and threats before they even hit your network
- Flexible cloud, virtual, and physical deployment options to meet your ever-changing business needs
- Outbound message control through on-device data-loss prevention (DLP), email encryption, and optional integration with the RSA enterprise DLP solution
- One of the lowest total cost of ownership (TCO) email security solutions available


QUESTION NO:2

Which option is a feature of Cisco ScanSafe technology?

A. spam protection

B. consistent cloud-based policy

C. DDoS protection

D. RSA Email DLP

Answer: B

Explanation:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps6538/ps6540/data_sheet_c78-655324.html

Cisco Enterprise Branch Web Security

The Cisco Integrated Services Router G2 (ISR G2) Family delivers numerous security services, including firewall, intrusion prevention, and VPN. These security capabilities have been extended with Cisco ISR Web Security with Cisco ScanSafe for a simple, cost-effective, on-demand web security solution that requires no additional hardware. Organizations can deploy and enable market-leading web security quickly and easily, and can enable secure local Internet access for all sites and users, saving bandwidth, money, and resources.

Figure 1. Typical Cisco ISR Web Security with Cisco ScanSafe Deployment

Cisco ISR Web Security with Cisco ScanSafe enables branch offices to intelligently redirect web traffic to the cloud to enforce granular security and control policy over dynamic Web 2.0 content, protecting branch office users from threats such as Trojans, back doors, rogue scanners, viruses, and worms. The Cisco ISR Web Security with Cisco ScanSafe feature will be available in the Security SEC K9 license bundle


CertBus exam braindumps are pass guaranteed. We guarantee that you will pass the 640-554 exam with our Cisco materials. CertBus Implementing Cisco IOS Network Security (IINS v2.0) exam PDF and VCE are the latest and most accurate. We have the best Cisco in our team to make sure CertBus Implementing Cisco IOS Network Security (IINS v2.0) exam questions and answers are the most valid. CertBus Implementing Cisco IOS Network Security (IINS v2.0) exam dumps will help you to be the Cisco specialist, clear your 640-554 exam and get the final success.

640-554 Latest questions and answers on Google Drive(100% Free Download): https://drive.google.com/file/d/0B_3QX8HGRR1mNHcxYWl1d3djNnc/view?usp=sharing

640-554 Cisco exam dumps (100% Pass Guaranteed) from CertBus: http://www.certgod.com/640-554.html [100% Exam Pass Guaranteed]

Why select/choose CertBus?

Millions of interested professionals can reach success in their exams with certgod.com products, which are available, affordable, updated and of the best quality to overcome the difficulties of any course outline. The Questions and Answers material is updated on a regular basis, released periodically, and is available in testing centers with whom we maintain a relationship to get the latest material.

Brand: Certbus | Testking | Pass4sure | Actualtests | Others
Price: $45.99 | $124.99 | $125.99 | $189 | $69.99-99.99
Up-to-Date Dumps
Free 365 Days Update
Real Questions
Printable PDF
Test Engine
One Time Purchase
Instant Download
Unlimited Install
100% Pass Guarantee
100% Money Back
Secure Payment
Privacy Protection