Cisco 642-542 Self Study, High Pass Rate Cisco 642-542 Demos Covers All Key Points

CCSP, Cisco Comments Off

Welcome to download the newest Pass4itsure 412-79 VCE dumps: http://www.pass4itsure.com/412-79.html

Flydumps Cisco 642-542 exam questions and answers in PDF are prepared by our expert, Moreover, they are based on the recommended syllabus covering all the Cisco 642-542 exam objectives.You will find them to be very helpful and precise in the subject matter since all the Cisco 642-542 exam content is regularly updated and has been checked for accuracy by our team of SAP expert professionals.

QUESTION 126
Which command implements UnicastRPF IP spoofing protection?
A. access-list
B. access-group
C. ip verify reverse-path interface
D. tcp verify reverse-path interface
E. udp verify reverse-path interface

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Use the ipverify unicast reverse-path interface command on the input interface on the router at the upstream end of the connection. This feature examines each packet received as input on that interface. If the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet. Reference: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
QUESTION 127
How many transforms can be included in a transform set on a PIX Firewall?
A. 1
B. 2
C. 3
D. 4
E. unlimited number

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Up to three transforms can be in a set. Sets are limited to up to one AH And up to two ESP transforms. Reference: Cisco Secure PIX Firewalls (Ciscopress) Page 212
QUESTION 128
What is the function of a crypto map on a PIX Firewall?
A. To define the policy that will be applied to the traffic.
B. To specify which algorithms will be used with the selected security protocol.
C. To configure a pre-shared authentication key and associate the key with an IPSec peer address or host name.
D. To map transforms to transform sets.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Crypto map entries must be created for IPSec to set up SAs for traffic flows that must be encrypted.
Reference: Cisco Secure PIX Firewalls (Ciscopress) Page 215

QUESTION 129
Which version of PIX introduces support for the VPN accelerator card?
A. Version 4.0
B. Version 4.3
C. Version 5.0
D. Version 5.3

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: System Requirements Operating System: PIX OS v5.3(1) or later (with DES or 3DES license) Platforms: PIX 515/515E, 520, 525, 535 (limit one per chassis) Reference: Cisco PIX 500 Series Firewalls – Cisco PIX Firewall VPN Accelerator Card
QUESTION 130
What version of the Cisco PIX Firewall is required to use the VPN accelerator card?
A. Version 2.3 or higher.
B. Version 3.3 or higher.
C. Version 4.3 or higher.
D. Version 5.3 or higher.
E. Version 6.3 or higher.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: System Requirements Operating System: PIX OS v5.3(1) or later (with DES or 3DES license) Platforms: PIX 515/515E, 520, 525, 535 (limit one per chassis) Reference: Cisco PIX 500 Series Firewalls – Cisco PIX Firewall VPN Accelerator Card
QUESTION 131
John the security administrator at Certkiller is working on mitigating DoS in the network. How are DoS attacks mitigated in the SAFE SMR small network corporate Internet module? (Choose two)
A. Mitigated by CAR at ISP edge.
B. Mitigated by NIDS
C. Mitigated by TCP setup controls at the firewall to limit exposure.
D. Mitigated by HIDS on the public serves.
E. Mitigated by virus scanning at the host level.

Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
Explanation: Threat Mitigation Denial of service-Committed access rate (CAR) at ISP edge and TCP setup controls at firewall to limit exposure Reference: Page 11 SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
QUESTION 132
You are the administrator at Certkiller Inc. and you need pick a device to help you secure the network. Which device in the SAFE SMR midsize network design corporate Internet module determines when to provide TCP shunning or resets?
A. IDS
B. Firewall
C. Router
D. Public services servers
E. Layer 2 switches

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: The NIDS appliance between the private interface of the firewall and the internal router provides a final analysis of attacks. Very few attacks should be detected on this segment because only responses to initiated requests, a few select ports from the public services segment, and traffic from the remote access segment are allowed to the inside. Only sophisticated attacks should be seen on this segment because they could mean that a system on the public services segment has been compromised and the hacker is attempting to take advantage of this foothold to attack the internal network. For example, if the public SMTP server were compromised, a hacker might try to attack the internal mail server over TCP port 25, which is permitted to allow mail transfer between the two hosts. If attacks are seen on this segment, the responses to those attacks should be more severe than those on other segments because they probably indicate that a compromise has already occurred. The use of TCP resets or shunning to thwart, for example, the SMTP attack mentioned above, should be seriously considered. Reference: Safe white papers;page 19 SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
QUESTION 133
You are the leader of the security team at Certkiller Inc and you are working on mitigation trust exploitation attacks. How is trust exploitation attacks mitigated in the SAFE SMR midsize network design corporate Internet module?
A. Mitigated by using restrictive trust model and private VLANs.
B. Mitigated by using OS and IDS detection.
C. Mitigated by using restrictive filtering and host IDS.
D. Mitigated by using IDS at the host and network levels.
E. Mitigated by using filtering at the ISP, edge router, and corporate firewall.
Correct Answer: A Section: (none) Explanation

Explanation/Reference:
Explanation: Trust exploitation-Restrictive trust model and private VLANs to limit trust-based attacks Reference: Safe white papers;page 17 SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
QUESTION 134
Jason the security administrator at Certkiller Inc is working on dial in users for the network. In the SAFE SMR midsize network design, which module does dial-in traffic terminate?
A. It terminates at the campus module
B. It terminates at the WAN module
C. It terminates at the Corporate Internet module
D. It terminates at the ISP edge module
E. It terminates at the PSTN module
F. It terminates at the Frame/ATM module

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: The SAFE medium network design consists of three modules: the corporate Internet module, the campus module, and the WAN module. As in the small network design, the corporate Internet module has the connection to the Internet and terminates VPN and public-services (DNS, HTTP, FTP, and SMTP) traffic. Dial-in traffic also terminates at the corporate Internet module. Reference: Safe white papers;page 16 SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks Reference: Cisco Courseware page 6-3
QUESTION 135
You are the security administrator at Certkiller Inc and you need to authenticate users to the network. After being authenticated, which actions are performed on dial-in access users in the SAFE SMR midsize network design corporate Internet module?
A. After being authenticated, CHAP is used to authenticate the user.
B. After being authenticated, traffic is sent through a Layer 3 switch.
C. After being authenticated, users are provided with IP addresses from an IP pool.
D. After being authenticated, traffic is sent through a router.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Last sentence of the paragraph states: When authenticated, the users are provided with IP addresses from an IP pool. However it also states that CHAP is used to authenticate the user (Answer A) But the keyword is ‘After being authenticated’ not ‘During or When’. Reference: Cisco SAFE Implementation Courseware version
1.1 Page 6-17
QUESTION 136
In which module does VPN traffic terminate in the SAFE SMR midsize network design?
A. WAN module
B. Campus module
C. Corporate Internet module
D. ISP edge module
E. PSTN module
F. Frame/ATM module

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: As in the small network design, the corporate Internet module has the connection to the Internet and terminates VPN and public-services (DNS, HTTP, FTP, and SMTP) traffic. REf;Safe white papers;page 16 SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
QUESTION 137
Based on the SAFE Model of Small Networks, which threats can only be mitigated at the corporate Internet module (not at the campus module)? (Choose all that apply)
A. Password attacks
B. Port redirection
C. Virus and Trojan horse
D. IP spoofing
E. Denial of service
F. Network reconnaissance

Correct Answer: Section: (none) Explanation
Explanation/Reference:
Answer: A, B, C, D, E, F
Explanation: Reference: Table 13-3 Page 201 of CCSP CSI Exam Certification Guide AND Page 5-5 and 5-6 of CISCO SAFE Courseware under Expected Treat and Mitigation Roles The following are threats to be expected: 1)Unauthorised Access 2)Application layer attacks 3)Virus and Trojan horse attacks 4)Password attacks 5)DoS 6)IP spoofing 7)Packet sniffers 8)Network reconnaissance 9)Trust Exploitation 10)Port Redirection
QUESTION 138
In the corporate Internet module of SAFE SMR midsize network design, following termination of the VPN tunnel, traffic is sent through:
A. A wireless device.
B. A Layer 3 switch
C. A router
D. A Firewall

Correct Answer: D Section: (none) Explanation Explanation/Reference:
Explanation: The firewall also acts as a termination point for site-to-site IPSec VPN tunnels for both remote site production and remote site management traffic. Ref;Safe white papers;page 19 SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks Reference: Cisco Courseware page 6-13
QUESTION 139
How is denial of service attacks mitigated in the SAFE SMR midsize network design corporate Internet module?
A. IDS at the host and network levels.
B. E-mail content filtering, HIDS, and host-based virus scanning.
C. OS and IDS detection
D. CAR at the ISP edge and TCP setup controls at the firewall.
E. RFC 2827 and 1918 filtering at ISP edge and midsize network edge router.
F. filtering at the ISP, edge router, and corporate firewall

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Threats Mitigated Denial of service-CAR at ISP edge and TCP setup controls at firewall Ref: Safe White papers 17 SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
QUESTION 140
How are application layer attacks mitigated in the SAFE SMR midsize network design corporate Internet module?
A. Filtering at the ISP, edge router, and corporate firewall.
B. IDS at the host and network levels.
C. E-mail content filtering, HIDS, and host-based virus scanning.
D. OS and IDS detection.
E. CAR at the ISP edge and TCP setup controls at the firewall.
F. RFC 2827 and 1918 filtering at ISP edge and midsize network edge.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Threats mitigated Application layer attacks-Mitigated through IDS at the host and network levels REF;Safe white papers;page 18 SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
QUESTION 141
What is the primary function of the firewall in the SAFE SMR midsize network design corporate Internet module?
A. Provide connectivity to the Internet or ISP network.
B. Provide connectivity to the campus module.
C. Provide connectivity to the WAN module.
D. Provide connectivity to the LAN module.
E. Provide the demarcation point between the ISP and the midsize network.
F. Provide connection state enforcement and detailed filtering for sessions initiated through the firewall.

Correct Answer: F Section: (none) Explanation
Explanation/Reference:
Explanation: The primary function of the firewall is to provide connection-state enforcement and detailed filtering for sessions initiated through the firewall. REF;Safe white papers;page 19 SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
QUESTION 142
What is the primary function of the inside router in the SAFE SMR midsize network design corporate Internet module?
A. Detect attacks on ports that the firewall is configured to permit.
B. Provide connection state enforcement and detailed filtering for session initiated through the firewall.
C. Provide connectivity to the LAN Module.
D. Provide Layer 3 separation

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: The primary function of the inside router is to provide Layer 3 separation and routing between the corporate Internet module and the campus module. REF;Safe white papers;page 20 SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
QUESTION 143
Following termination of the VPN tunnel, what action is performed on remote user traffic in the SAFE SMR midsize network design corporate Internet module?
A. Traffic is sent through a Layer 2 switch.
B. Traffic is sent through a Layer 3 switch.
C. Traffic is sent through a firewall.
D. Traffic is sent through a router.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Following termination of the VPN tunnel, traffic is sent through a firewall to ensure that VPN users are appropriately filtered. Reference: SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks Page 20
QUESTION 144
Which two are design alternatives in the SAFE SMR midsize network design corporate Internet module? (Choose two)
A. Place a URL filtering server on the public services segment.
B. Eliminate the router between the firewall and the campus module.
C. Set up a small filtering router between the management stations and the rest of the network.
D. Eliminate HIDS.
Correct Answer: AB Section: (none) Explanation

Explanation/Reference:
Explanation: Two other alternatives are available. First is the elimination of the router between the firewall and the campus module. Although its functions can be integrated into the campus module Layer 3 switch, this setup would eliminate the ability of the corporate Internet module to function without relying on Layer 3 services from another area of the network. Second is the addition of content inspection beyond the mail-content inspection already specified. For example, a URL filtering server could be placed on the public services segment to filter the types of Web pages that employees can access. Reference: SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks Page 21
QUESTION 145
What is the NIDS primary function in the SAFE SMR midsize network design corporate Internet module?
A. Provide connectivity to the campus module.
B. Provide connectivity to the WAN module.
C. Provide connectivity to the LAN module.
D. Provides detection of attacks on ports that the firewall is configured to permit.
E. Provide the demarcation point between the ISP and the medium network.
F. Provide connection state enforcement and detailed filtering for session initiated through the firewall.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: The public services segment includes a NIDS appliance. Its primary function is to detect attacks on ports that the firewall is configured to permit. These most often are application layer attacks against specific services. Reference: SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks Page 19
QUESTION 146
How are virus and Trojan Horse attacks mitigated in the SAFE SMR midsize network design corporate Internet module?
A. Filtering at the ISP, edge router, and corporate firewall.
B. IDS at the host and networks levels.
C. E-mail content filtering, HIDS, and host-based virus scanning.
D. OS and IDS detection.
E. CAR and the ISP edge and TCP setup controls at the firewall.
F. RFC 2827 and 1918 filtering at ISP edge and midsize network edge.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Virus and Trojan horse attacks-Mitigated through e-mail content filtering, HIDS, and host-based virus scanning Reference: SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks Page 17
QUESTION 147
John the security administrator at Certkiller Inc. is working on the securing the network. How is unauthorized access mitigated in the SAFE SMR midsize network design corporate Internet module?
A. Mitigated by CAR at the ISP edge and TCP setup controls at the firewall.
B. Mitigated by filtering at the ISP, edge router, and corporate firewall.
C. Mitigated by IDS at the host and network levels.
D. Mitigated by OS and IDS detection.
E. Mitigated by e-mail content filtering, HIDS, and host-based virus scanning.
F. Mitigated by RFC 2827 and 1918 filtering at ISP edge and midsize network edge.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Unauthorized access-Mitigated through filtering at the ISP, edge router, and corporate firewall Reference: Safe white papers;page 17 SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
QUESTION 148
You are the administrator at Certkiller Inc. and you are working on securing the network. How are password attacks mitigated in the SAFE SMR midsize network design corporate Internet module?
A. Mitigated by filtering at the ISP, edge router, and corporate firewall.
B. Mitigated by RFC 2827 and 1918 filtering at ISP edge and midsize network edge router.
C. Mitigated by OS and IDS detection.
D. Mitigated by e-mail content filtering, HIDS, and host-based virus scanning-
E. Mitigated by CAR at the ISP edge and TCP setup controls at the firewall.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Password attacks -Limited services avalibale to brute force;OS and IDS can detect the threat Reference: Safe white papers;page 17 SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
QUESTION 149
You the security administrator at Certkiller Inc are working on design alternatives to the network. Which two are design alternatives in the SAFE SMR midsize network design corporate Internet module? (Choose two)
A. A design alternative is to set up a small filtering router between the management stations and the rest of the network.
B. A design alternative is to eliminate HIDS.
C. A design alternative is to place a URL filtering server on the public services segment.
D. A design alternative is to eliminate the router between the firewall and the campus module.

Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
Explanation: Alternatives This module has several alternative designs. Rather than implementing basic filtering on the edge router to the medium network, a network administrator may choose to implement a stateful firewall on this device as well. Having two stateful firewalls provides more of a defense in depth approach to security within the module. Depending on the network administrator’s attitude toward attack awareness, a NIDS appliance might be required in front of the firewall. With the appropriate basic filters, the IDS outside the firewall can provide important alarm information that would otherwise be dropped by the firewall Because the amount of alarms generated on this segment is probably large, alarms generated here should have a lower severity than alarms generated behind a firewall. Also, consider logging alarms from this segment to a separate management station to ensure that legitimate alarms from other segments get the appropriate attention. With the visibility that NIDS outside the firewall provides, evaluation of the attack types your organization is attracting can be better seen. In addition, evaluation of the effectiveness of ISP and enterprise edge filters can be performed. Two other alternatives are available. First is the elimination of the router between the firewall and the campus module. Although its functions can be integrated into the campus module Layer 3 switch, this setup would eliminate the ability of the corporate Internet module to function without relying on Layer 3 services from another area of the network. Second is the addition of content inspection beyond the mail-content inspection already specified. For example, a URL filtering server could be placed on the public services segment to filter the types of Web pages that employees can access. Reference: SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

Cisco 642-542 exam is a challenging Certification Exam. Besides the books, internet is considered to be a treasure house of knowledge. In Flydumps you can find your treasure house of knowledge. This is a site of great help to you. You will encounter the complex questions in the exam, but Passcert can help you to pass the exam easily. Flydumps Latest Cisco 642-542 dumps includes all the knowledge that must be mastered for the purpose of passing the Cisco 642-542 exam.

Welcome to download the newest Pass4itsure 412-79 VCE dumps: http://www.pass4itsure.com/412-79.html

Author

Back to Top