9E0-111 Questions

9E0-111 (Q & A)
Cisco Secure PIX Firewall Advanced Exam



Q1
You are the network security administrator for an enterprise network with a complex security policy.
Which PIX Firewall feature should you configure to minimize the number of ACLs needed to implement your policy?
A. ASA
B. Packet capture
C. Turbo ACLs
D. IP helper
E. Object grouping
Answer: E


Q2
IPSec works with which switching paths?
A. Process switching
B. Optimum switching
C. Fast switching
D. Flow switching
Answer: A


Q3
Speaking of Security Association requirements, which of the following statements is true?
A. A set of SAs are needed, one per direction, per protected data pipe.
B. A set of SAs are needed, one per direction, per protocol, per protected data pipe.
C. A set of SAs are needed, one per protocol only.
D. A set of SAs are needed, per protocol, per protected data pipe.
Answer: B


Q4
The graphic shows the output from the show failover command. This unit is active and the other unit is Standby. For an unknown reason, the failover is triggered and this unit has become Standby.
We enter the command “show failover” again.
What will we see as the IP address of the [active-interface-inside]?
A. 172.29.1.2
B. 192.168.89.1
C. 0.0.0.0
D. 172.29.1.1
Answer: D


Q5
Which of the following statements is not true regarding the DNS Guard?
A. If disabled, can be enabled by the command: fixed protocol dns 53
B. The default UDP time expires in two minutes.
C. Immediately tears down the UDP conduit on the PIX Firewall as soon as the DNS response is received.
D. Protects against UDP session hijacking and denial of service attacks.
Answer: A


Q6
In helping the user to choose the right IPSec transform combinations, the following rules apply: (Choose all that apply)
A. To provide authentication services for the transform set, include an AH transform.
B. For authentication services include an ESP authentication transform.
C. To provide data authentication for the data and the outer IP header, include an AH transform.
D. For data confidentiality include an ESP encryption transform.
E. MD5 is stronger than SHA.
Answer: A, B, C, D


Q7
What is the command that enables IPSec traffic to bypass the check of conduit or access-group command statements?
A. conduit permit ip any any all
B. access-list acl_out permit tcp any any all access-group acl_out interface outside
C. sysopt connection permit-ipsec
D. conduit permit tcp any any all
Answer: C



