CCNA Cyber Ops FAQ: Network Security Devices and Cloud Services

Q1. Which of the following are examples of network security devices that have been invented throughout the years to enforce policy and maintain network visibility?
A. Routers
B. Firewalls
C. Traditional and next-generation intrusion prevention systems (IPSs)
D. Anomaly detection systems
E. Cisco Prime Infrastructure

Answer: B, C, D. Firewalls, traditional and next-generation intrusion prevention systems (IPSs), and anomaly detection systems are network security devices that provide enforcement and network visibility.

Q2. Access control entries (ACE), which are part of an access control list (ACL), can classify packets by inspecting Layer 2 through Layer 4 headers for a number of parameters, including which of the following items?
A. Layer 2 protocol information such as Ether Types
B. The number of bytes within a packet payload
C. Layer 3 protocol information such as ICMP, TCP, or UDP
D. The size of a packet traversing the network infrastructure device
E. Layer 3 header information such as source and destination IP addresses
F. Layer 4 header information such as source and destination TCP or UDP ports

Answer: A, C, E, F. ACEs can classify packets by inspecting Layer 2 protocol information such as Ether Types; Layer 3 protocol information such as ICMP, TCP, or UDP; Layer 3 header information such as source and destination IP addresses; and Layer 4 header information such as source and destination TCP or UDP ports.

Q3. Which of the following statements are true about application proxies?
A. Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network.

B. Clients on the protected network send connection requests to the application proxy to transfer data to the unprotected network or the Internet.

C. Application proxies can be classified as next-generation firewalls.

D. Application proxies always perform network address translation (NAT).

Answer: A, B. Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network. Clients on the protected network send connection requests to the application proxy to transfer data to the unprotected network or the Internet.

Q4. Which of the following statements are true when referring to network address translation (NAT)?
A. NAT can only be used in firewalls.

B. Static NAT does not allow connections to be initiated bidirectionally.

C. Static NAT allows connections to be initiated bidirectionally.

D. NAT is often used by firewalls; however, other devices such as routers and wireless access points provide support for NAT.

Answer: C, D. Static NAT allows connections to be initiated bidirectionally, meaning both to the host and from the host. Also, NAT is often used by firewalls; however, other devices such as routers and wireless access points provide support for NAT.

Q5. Which of the following are examples of next-generation firewalls?
A. Cisco WSA
B. Cisco ASA 5500-X
C. Cisco ESA
D. Cisco Firepower 4100 Series

Answer: B, D. Cisco ASA 5500-X and the Cisco Firepower 4100 Series are next-generation firewalls.

Q6. Which of the following are examples of cloud-based security solutions?
A. Cisco Cloud Threat Security (CTS)
B. Cisco Cloud Email Security (CES)
C. Cisco AMP Threat Grid
D. Cisco Threat Awareness Service (CTAS)
E. OpenDNS
F. CloudLock

Answer: B, C, D, E, F. Cisco Cloud Email Security (CES), Cisco AMP Threat Grid, Cisco Threat Awareness Service (CTAS), OpenDNS, and CloudLock are examples of cloud-based security solutions.

Q7. The Cisco CWS service uses web proxies in the Cisco cloud environment that scan traffic for malware and policy enforcement. Cisco customers can connect to the Cisco CWS service directly by using a proxy auto-configuration (PAC) file in the user endpoint or through connectors integrated into which of the following Cisco products?
A. Cisco ISR G2 routers
B. Cisco Prime LMS
C. Cisco ASA
D. Cisco WSA
E. Cisco AnyConnect Secure Mobility Client

Answer: A, C, D, E. The Cisco ISR routers, Cisco ASA, Cisco WSA, and Cisco AnyConnect have connectors for CWS.

Q8. Depending on the version of NetFlow, a network infrastructure device can gather different types of information, including which of the following?
A. Common vulnerability enumerators (CVEs)
B. Differentiated services code point (DSCP)
C. The device’s input interface
D. TCP flags
E. Type of service (ToS) byte

Answer: B, C, D, E. There are different versions of NetFlow. Depending on the version of NetFlow, the router can also gather additional information, such as the type of service (ToS) byte, the differentiated services code point (DSCP), the device’s input interface, TCP flags, byte counters, and start and end times.

Q9. There are several differences between NetFlow and full-packet capture. Which of the following statements are true?
A. Full-packet capture provides the same information as NetFlow.

B. Full-packet capture is faster.

C. One of the major differences and disadvantages of full-packet capture is cost and the amount of data to be analyzed.

D. In many scenarios, full-packet captures are easier to collect and require pretty much the same analysis ecosystem as NetFlow.

Answer: C. One of the main differences between NetFlow and full-packet capture is the cost and the amount of data that needs to be analyzed. In most scenarios, you don’t need heavyweight packet capture technology everywhere throughout your network if you have an appropriate NetFlow collection and analysis ecosystem.

Q10. Which of the following is an example of a data loss prevention solution?
A. Cisco Advanced DLP
B. Cisco CloudLock
C. Cisco Advanced Malware Protection (AMP)
D. Cisco Firepower 4100 appliances

Answer: B. Cisco CloudLock is designed to protect organizations of any type against data breaches in any cloud environment or application through a highly configurable cloud-based DLP architecture.

Q11. Which of the following explains features of a traditional stateful firewall?
A. Access control is done by application awareness and visibility.

B. Access control is done by the five-tuple (source and destination IP addresses, source and destination ports, and protocol).

C. Application inspection is not supported.

D. Traditional stateful firewalls support advanced malware protection.

Answer: B. ACLs are the heart of a traditional stateful firewall, and they are based on source and destination IP addresses, source and destination ports, and protocol information.

Q12. Which of the following describes a traditional IPS?
A. A network security appliance or software technology that resides in stateful firewalls

B. A network security appliance or software technology that supports advanced malware protection

C. A network security appliance or software technology that inspects network traffic to detect and prevent security threats and exploits

D. A virtual appliance that can be deployed with the Cisco Adaptive Security Manager (ASM)

Answer: C. A traditional IPS is a network security appliance or software technology that inspects network traffic to detect and prevent security threats and exploits.

Q13. Which of the following is true about NetFlow?
A. NetFlow can be deployed to replace IPS devices.
B. NetFlow provides information about network session data.
C. NetFlow provides user authentication information.
D. NetFlow provides application information.

Answer: B. NetFlow provides information about network flows and sessions.

Q14. What is DLP?
A. An email inspection technology used to prevent phishing attacks

B. A software or solution for making sure that corporate users do not send sensitive or critical information outside the corporate network

C. A web inspection technology used to prevent phishing attacks

D. A cloud solution used to provide dynamic layer protection

Answer: B. DLP stands for data loss prevention and is a software or cloud solution for making sure that corporate users do not send sensitive or critical information outside the corporate network.

Q15. Stateful and traditional firewalls can analyze packets and judge them against a set of predetermined rules called access control lists (ACLs). They inspect which of the following elements within a packet?
A. Session headers
B. NetFlow flow information
C. Source and destination ports and source and destination IP addresses
D. Protocol information

Answer: C and D. ACLs inspect and apply policies based on source and destination IP addresses as well as source and destination ports and protocol information.

Q16. Which of the following are Cisco cloud security solutions?
A. CloudDLP
B. OpenDNS
C. CloudLock
D. CloudSLS

Answer: B and C. OpenDNS and CloudLock are Cisco cloud security solutions.

Q17. Cisco pxGrid has a unified framework with an open API designed in a hub-and-spoke architecture. pxGrid is used to enable the sharing of contextual-based information from which devices?
A. From a Cisco ASA to the Cisco OpenDNS service

B. From a Cisco ASA to the Cisco WSA

C. From a Cisco ASA to the Cisco FMC

D. From a Cisco ISE session directory to other policy network systems, such as Cisco IOS devices and the Cisco ASA

Answer: D. Cisco pxGrid is used to enable the sharing of contextual-based information from a Cisco ISE session directory to other policy network systems, such as Cisco IOS devices and the Cisco ASA.

Q18. Which of the following is true about heuristic-based algorithms?
A. Heuristic-based algorithms may require fine tuning to adapt to network traffic and minimize the possibility of false positives.

B. Heuristic-based algorithms do not require fine tuning.

C. Heuristic-based algorithms support advanced malware protection.

D. Heuristic-based algorithms provide capabilities for the automation of IPS signature creation and tuning.

Answer: A. Heuristic-based algorithms may require fine tuning to adapt to network traffic and minimize the possibility of false positives.

Q19. Which of the following describes the use of DMZs?
A. DMZs can be configured in Cisco IPS devices to provide additional inspection capabilities.

B. DMZs can automatically segment the network traffic.

C. DMZs can serve as segments on which a web server farm resides or as extranet connections to business partners.

D. DMZs are only supported in next-generation firewalls.

Answer: C. DMZs provide security to the systems that reside within them, with different security levels and policies between them. DMZs can have several purposes; for example, they can serve as segments on which a web server farm resides or as extranet connections to business partners.

Q20. Which of the following has the most storage requirements?
A. NetFlow
B. Syslog
C. Full packet captures
D. IPS signatures

Answer: C. Full packet captures take more storage resources in comparison to NetFlow, syslog, and other network logs.

About the author

Scott