Cisco 350-018 exam questions and answers
QUESTION 10
Choose the correct security statements about the HTTP protocol and its use. (Choose two.)
A. Long URLs are not used to provoke buffer overflows.
B. Cookies can not provide information about where you have been.
C. HTTP can provide server identification.
D. HTTP is NOT often used to tunnel communication for insecure clients such as P2P.
E. HTTP is often used to tunnel communication for insecure clients such as P2P.
Correct Answer: CE
QUESTION 11
Which three steps are required to enable SSH Server on an IOS router?
A. Configure a host name.
B. Configure a domain name.
C. Configure the Crypto PKI trustpoint (CA).
D. Specifies a fingerprint that can be matched against the fingerprint of a CA certificate during authentication.
E. Import the SSH client fingerprint.
F. Generate an RSA key pair.
Correct Answer: ABF
QUESTION 12
ARP cache poisoning can be best prevented by using which two Catalyst security features? (Choose two.)
A. Dynamic ARP Inspection (DAI)
B. Port Security
C. MAC Address Notification
D. DHCP Snooping
E. Port Fast
F. 802.1x Authentication
Correct Answer: AD
QUESTION 13
access-list 111 permit udp any any eq 1434
class-map match-all bad_worm
 match access-group 111
 match packet length min 404 max 404
policy-map drop-bad-worm
 class bad_worm
  police 1000000 22250 22250 conform-action drop exceed-action drop violate-action drop
Taking into consideration the shown configuration, what kind of attack are we attempting to mitigate?
A. Smurf Attack
B. Code Red Worm
C. SQL Slammer Worm
D. MSQL and JavaScript attack
E. This is not a valid configuration.
Correct Answer: C
QUESTION 14
In ISO 27001 ISMS what are the main certification process phases required to collect information for ISO 27001?
A. Discover
B. Certification audit
C. Post-audit
D. Observation
E. Pre-audit
F. Major compliance.
Correct Answer: BCE
QUESTION 15
Which two statements are correct about the aaa authentication login default group tacacs+ local global configuration command? (Choose two)
A. This login authentication method list is automatically applied to all lines except those that have a named method list explicitly defined.
B. If the user fails the TACACS+ authentication then the local database on the router will be used to authenticate the user.
C. If the tacacs+ server fails to respond then the local database on the router will be used to authenticate the user.
D. “login” is the name of the method list being configured.
E. If the tacacs+ server is unavailable, authentication will succeed automatically by default.
Correct Answer: AC
QUESTION 16
What is the main reason for using the “ip ips deny-action ips-interface” IOS command?
A. To selectively apply drop actions to specific interfaces.
B. To enable IOS to drop traffic for signatures configured with the Drop action.
C. To support load-balancing configurations in which traffic can arrive via multiple interfaces.
D. This is not a valid IOS command.
Correct Answer: C
QUESTION 17
How can Netflow be used to help identify a day-zero scanning worm?
A. Netflow statistics can show a huge increase in traffic on a specific day.
B. Netflow tracks destination address.
C. Netflow makes sure that only the correct applications are using their designated ports.
D. Netflow prevents buffer overflow attacks.
E. Netflow protects against unknown virus attacks.
Correct Answer: A
QUESTION 18
Which type of attacks can be monitored and mitigated by CS-MARS using NetFlow data?
A. Man-in-the-middle attack
B. Spoof attack
C. Land.C attack
D. Buffer Overflow
E. Day zero attack
F. Trojan Horse
Correct Answer: E
QUESTION 19
Which Cisco security software product mitigates Day Zero attacks on desktops and servers – stopping known and unknown attacks without requiring reconfigurations or updates on the endpoints?
A. Cisco Secure Desktop (CSD)
B. NAC Appliance Agent (NAA)
C. Cisco Security Agent (CSA)
D. SSL VPN Client (SVC)
E. Cisco Trust Agent (CTA)
Correct Answer: C
QUESTION 20
Referring to the network diagram and the R1 router configurations shown in the exhibit, why are remote users using their Cisco VPN software client not able to reach the 172.16.0.0 networks behind R1 once they successfully VPN into R1?
A. The Cisco VPN software client does not support DH group 2
B. Reverse Route Injection (RRI) is not enabled on R1
C. The R1 configuration is missing the crypto ACL
D. The dynamic crypto map on R1 is misconfigured.
E. The ACL 100 on R1 is misconfigured.
Correct Answer: E
QUESTION 21
Refer to the exhibit. In the sample configuration file what does the ip verify unicast reverse-path interface command accomplish?
A. It verifies the route of outgoing traffic is an approved network.
B. It verifies the route of incoming traffic is from an approved network.
C. It verifies source address and source interface of all input traffic on an interface is in the routing table.
D. It verifies destination address and destination interface of all output traffic on an interface is in the routing table.
Correct Answer: C
QUESTION 22
The following is an example of an IPSec error message:
IPSEC(validate_proposal): invalid local address 192.1.1.1
ISAKMP (0:3): atts not acceptable.
Next payload is 0
ISAKMP (0:3): SA not acceptable!
What is the most common problem that this message can be attributed to?
A. Router is missing the crypto map map-name local-address command.
B. Crypto access-lists are not mirrored on each side.
C. This is only an informational message, ipsec session will still succeed.
D. Crypto map is applied to the wrong interface or is not applied at all.
Correct Answer: D
QUESTION 23
Which RFCs are used to establish internet connectivity from a private office with the following requirements?
1. 254 users
2. Only one IP address provided by your ISP.
3. Your IP address is assigned dynamically.
4. The CPE from the ISP is pre-provisioned and working.
5. You are expected to make changes on your router.
A. IP Network Address Translator (NAT): Defined in RFC 1631.
B. IP Network Address Translator (NAT) Terminology and Considerations: Defined in RFC 2663.
C. Network Address Translator (NAT) – Friendly Application Design Guidelines: Defined in RFC 3235.
D. Address Allocation for Private Internets: Defined in RFC 1918
E. PPP and IPCP: Defined in RFC 1332
F. DHCP: Defined in RFC 2131
Correct Answer: ADF
QUESTION 24
Since HTTP is one of the most common protocols used in the internet, what should be done at a firewall level to ensure that the protocol is being used correctly?
A. Ensure that a stateful firewall allows only HTTP traffic destined for valid web server IP address.
B. Ensure that a firewall has SYN flood and DDoS protection applied specifically for valid web servers.
C. Ensure that your firewall enforces HTTP protocol compliance to ensure that only valid flows are allowed in and out of your network.
D. Ensure that HTTP is always authenticated.
E. Ensure that your web server is in a different zone than your backend servers such as SQL and DNS.
Correct Answer: C
QUESTION 25
CS-MARS works with which IOS feature to accomplish anomaly detection?
A. IOS IPS
B. Autosecure
C. CSA
D. Netflow
E. IOS Network Foundation Protection (NFP)
F. IOS Firewall
Correct Answer: D
QUESTION 26
Referring to the ASDM screenshot shown in the exhibit, which of the following traffic is permitted based on the current Access Rules?
A. Any IP traffic from any host on the outside to the 172.16.10.2 server on the dmz2
B. Any IP traffic from any host on the dmz to any host on the outside.
C. Any IP traffic from any host on the inside to any host on the dmz or dmz2
D. Any IP traffic from the 172.16.1.2 host to any host on the inside.
E. FTP traffic from any host on the outside to the 172.16.1.2 host on the dmz.
F. HTTP traffic from the 172.16.10.2 server to any host on the inside.
Correct Answer:
QUESTION 27
When an IPS device in single interface VLAN-pairing mode fires a signature from the normalizer engine and TCP-based packets are dropped, which of the following would be a probable cause?
A. The IPS device identified an incorrect value in layer 7.
B. There was no information in the IPS state table for the connection.
C. The IPS device identified an incorrect value in layer 6.
D. There was a valid SYN ACK in the state table but the subsequent packets were fragmented and did not constitute a valid flow.
E. The IPS device identified an incorrect value in layer 5.
Correct Answer: BD
QUESTION 28
Which statement is true about SYN cookies?
A. State is kept on the server machine TCP stack.
B. No state is kept on the server machine; state is embedded in the system's Initial Sequence Number (ISN).
C. SYN cookies do not help to protect against SYN flood attacks.
D. A system has to check every incoming ACK against state tables.
Correct Answer: B
QUESTION 29
Refer to the Exhibit. Which of the following R1 router configurations will correctly prevent R3 from becoming a PIM neighbor with rendezvous point R1?
A. access-list 1 deny 192.168.1.3 255.255.255.255 ! interface fa0/0 ip pim neighbor-filter 1
B. access-list 1 permit 192.168.1.2 255.255.255.255 access-list 1 deny any ! interface fa0/0 ip pim bidir-neighbor-filter 1
C. access-list 1 deny 192.168.1.3 255.255.255.255 ! interface fa0/0 ip igmp access-group 1
D. access-list 1 permit 192.168.1.2 255.255.255.255 ! interface fa0/0 ip multicast boundary 1 filter-autorp
E. access-list 1 permit 192.168.1.3 255.255.255.255 ip pim rp-announce-filter rp-list 1
Correct Answer: A
QUESTION 30
Asymmetric and symmetric ciphers differ in which of the following way(s)? (Choose two.)
A. Asymmetric ciphers use pre-shared keys.
B. Symmetric ciphers are faster to compute.
C. Asymmetric ciphers are faster to compute.
D. Asymmetric ciphers use public and private keys.
Correct Answer: BD
QUESTION 31
The key lengths for DES and 3DES, respectively, are:
A. 128 bits and 256 bits.
B. 128 bits and 384 bits.
C. 1024 bits and 3072 bits.
D. 64 bits and 192 bits.
E. 56 bits and 168 bits.
F. 128 bytes and 384 bytes.
Correct Answer: E
QUESTION 32
When enrolling a Cisco IOS router to a CA server using the SCEP protocol, which one of the following is NOT a required step?
A. Configure an ip domain-name on the router.
B. Generate the RSA key pairs on the router.
C. Define the crypto pki trustpoint on the router.
D. Authenticate the CA server’s certificate.
E. Import the server certificate to the router using TFTP.
Correct Answer: E
QUESTION 33
RFC 2827 ingress filtering is used to help prevent which type of attacks?
A. Syn Flood.
B. Source IP address spoofing.
C. Overlapping IP Fragments.
D. Tiny IP Fragments.
E. Land.C
F. Network Reconnaissance.
Correct Answer: B
QUESTION 34
Cisco Clean Access ensures that computers connecting to your network have which of the following?
A. No vulnerable applications or operating systems
B. No viruses or worms
C. Appropriate security applications and patch levels.
D. Current ips signatures.
E. Cisco Security Agent
Correct Answer: C
QUESTION 35
The following ip protocols and ports are commonly used in IPSec protocols.
A. IP protocol 50 and 51, UDP port 500 and 4500
B. UDP ports 50, 51, 500, and 4500
C. TCP ports 50, 51, 500, and 4500
D. IP protocols 50, 51, 500, and 4500
E. IP protocols 50 and 51, UDP port 500, and TCP port 4500
Correct Answer: A
QUESTION 36
Refer to the Exhibit. Router R1 is stuck in 2-WAY state with neighbors R2 and R3. As a result R1 has an incomplete routing table. To troubleshoot the issue, the show and debug commands in the exhibit are entered on R1. Based on the output of these commands what is the most likely cause of this problem?
A. The hello timers on the segment between these routers do not match.
B. All the routers on the Ethernet segment have been configured with “ip ospf priority 0”
C. R1 can not form an adjacency with R2 or R3 because it does not have a matching authentication key.
D. The Ethernet 0/0 interfaces on these routers are missing the “ip ospf network broadcast” command.
E. The Ethernet 0/0 interface on R1 has been configured with the command “ip ospf network non-broadcast”.
Correct Answer: B
QUESTION 37
Based on the following partial configuration shown, which statement is true?
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 10
A. vlan 10, the guest vlan is also known as the restricted vlan
B. client without an 802.1x supplicant connecting to port fa0/1 will be assigned to the vlan 10
C. client connecting to port fa0/1 with an 802.1x supplicant but fails authentication will be assigned to the vlan 10.
D. client connecting to port fa0/1 with an 802.1x supplicant but fails authentication will be assigned to the vlan 100
E. EAP over LAN frames will flow over VLAN 10
Correct Answer: B
QUESTION 38
What is the function of the switch(config-if)# switchport port-security mac-address sticky command?
A. allows the switch to restrict the MAC addresses on the switchport based on the static MAC addresses configured in the startup configuration.
B. allows the administrator to manually configure the secured MAC addresses on the switchport.
C. allows the switch to permanently store the secured MAC addresses in the MAC Address Table (CAM Table)
D. allows the switch to perform sticky learning where the dynamically learned MAC addresses are copied from the MAC Address Table (CAM Table) to the startup configuration.
E. allows the switch to dynamically learn the MAC addresses on the switchport and the MAC addresses will be added to the running configuration.
Correct Answer: E
QUESTION 39
What statement is true concerning PAT?
A. PAT keeps ports but rewrites address.
B. PAT provides access control.
C. PAT rewrites the source address and port.
D. PAT is the preferred method to map servers to external networks.
Correct Answer: C
QUESTION 40
When configuring system state conditions with the Cisco Security Agent, what is the resulting action when configuring more than one system state condition?
A. Any matching state condition will result with the state being triggered.
B. Once a state condition is met, the system ceases searching further conditions and will cause the state condition to trigger.
C. All specified state conditions are used as part of the requirements to be met for the state to trigger.
D. Once the state conditions are met, they become persistent and can only be removed using the Reset feature.
Correct Answer: C
QUESTION 41
When implementing internet standards you are required to follow RFC’s processes and procedures based on what RFC?
A. RFC 1769 and mere publications.
B. Real standards of RFC 1918.
C. RFC 1669 real standards and mere publications.
D. Real standards and mere publications RFC 1769.
E. None of the above.
Correct Answer: E
QUESTION 42
Which two of the following are correct regarding the Cisco Trust Agent (CTA)? (Choose two.)
A. Available on Windows operating systems only.
B. Provides the capability at the endpoint to apply QoS markings to application network traffic as specified by Cisco Trust Agent policy rules.
C. Can communicate the Cisco Security Agent (CSA) version, OS and patch version, as well as the presence, version, and other posture information of third-party applications that are part of the NAC initiative to the Authentication Server.
D. Includes both a Layer 3 communication component using EAP over UDP, as well as an 802.1x supplicant, allowing layer 2 EAP over LAN communications.
E. Resides between the applications and the Operating System Kernel to prevent day zero attacks.
Correct Answer: CD
QUESTION 43
With Cisco’s IOS Authentication Proxy feature, users can initiate network access via which three protocols? (Choose three)
A. IPSec
B. HTTP/HTTPS
C. L2TP
D. FTP
E. TELNET
F. SSH
Correct Answer: BDE
QUESTION 44
Which should be the key driver for a company security policy’s creation, implementation and enforcement?
A. the business knowledge of the IT staff
B. the technical knowledge of the IT staff
C. the company’s business objectives
D. the company’s network topology
E. the IT future directions
Correct Answer: C
QUESTION 45
What Cisco technology protects against Spanning-Tree Protocol manipulation?
A. Spanning tree protect.
B. Root Guard and BPDU Guard.
C. Unicast Reverse Path Forwarding.
D. MAC spoof guard.
E. Port Security.
Correct Answer: B
QUESTION 46
When configuring IOS firewall (CBAC) operations on Cisco routers, the “inspection rule” could be applied at which two locations? (Choose two.)
A. at the untrusted interface in the inbound direction
B. at the untrusted interface in the outbound direction
C. at the trusted interface in the inbound direction
D. at the trusted interface in the outbound direction
E. at the trusted and untrusted interface in the inbound direction
F. at the trusted and untrusted interface in the outbound direction
Correct Answer: BC
QUESTION 47
By default, to perform IPS deny actions, where is the ACL applied when using IOS-IPS?
A. To the ingress interface of the offending packet.
B. To the ingress interface on which IOS-IPS is configured.
C. To the egress interface on which IOS-IPS is configured.
D. To the egress interface of the offending packet
E. To the ingress interface of the offending packet and the ingress interface on which IOS-IPS is configured.
Correct Answer: A
QUESTION 48
If you perform a network trace of a ping going through an IPSec/3-DES tunnel, what would be true with respect to the appearance of the tunneled/encrypted packets?
A. The encryption key changes for each packet, resulting in a unique packet for each transmission.
B. The same key is used, but an index vector is used by IPSec to offset the key, resulting in a unique packet for each transmission.
C. The packets will likely be the same except for TTL and the sequence number.
D. A characteristic of 3-DES ensures that no two packets are alike.
E. The only way to ensure that packets are unique is to use AH as a header protocol.
Correct Answer: B
QUESTION 49
Cisco IOS IPS sends IPS alert messages using which two protocols? (Choose two.)
A. SDEE
B. LDAP
C. SYSLOG
D. FTP
E. SNMP
F. SMTP
Correct Answer: AC
QUESTION 50
What is true about a Pre-Block ACL configured when setting up your sensor to perform IP Blocking?
A. The Pre-Block ACL is overwritten when a blocking action is initiated by the sensor.
B. The blocking ACL entries generated by the sensor override the Pre-Block ACL entries.
C. The Pre-Block ACL entries override the blocking ACL entries generated by the sensor.
D. The Pre-Block ACL is replaced by the Post-Block ACL when a blocking action is initiated by the sensor.
E. You can not configure a Pre-Block ACL when configuring IP Blocking on your sensor.
Correct Answer: C
QUESTION 51
For a router to obtain a certificate from a CA, what is the first step of the certificate enrollment process?
A. the router generates a certificate request and forwards it to the CA.
B. the router generates an RSA key pair
C. the router sends its public key to the CA.
D. the CA sends its public key to the router.
E. the CA verifies the identity of the router.
F. the CA generates a certificate request and forwards it to the router.
Correct Answer: B
QUESTION 52
Why is NTP an important component when implementing IPSec VPN in a PKI environment?
A. To ensure the router has the correct time when generating its private/public key pairs.
B. To ensure the router has the correct time when checking certificate validity from the remote peers.
C. To ensure the router time is in sync with the remote peers for encryption keys generation.
D. To ensure the router time is in sync with the remote peers during the DH exchange.
E. To ensure the router time is in sync with the remote peers when generating the cookies during IKE phase 1.
Correct Answer: B
QUESTION 53
Which of the following is true about the Cisco IOS-IPS functionality? (Choose two.)
A. The signatures available are built into the IOS code.
B. To update signatures you need to install a new IOS image.
C. To activate new signatures you download a new Signature Definition File (SDF) from Cisco’s web site.
D. Loading and enabling selected IPS signatures is user configurable.
E. Cisco IOS only provides Intrusion Detection functionality.
F. Cisco IOS-IPS requires a network module installed in your router running sensor software.
Correct Answer: CD
QUESTION 54
What is NTP crucial for?
A. Accurate Logging
B. Time Zone
C. Validating Certificates
D. Routing Updates
E. Kerberos Tickets
F. Clock
Correct Answer: ACE
QUESTION 55
Which one of the following is NOT a valid RADIUS packet type?
A. Access-reject
B. Access-response
C. Access-challenge
D. Access-reply
E. Access-accept
Correct Answer: B
QUESTION 56
When configuring an intrusion prevention sensor in promiscuous mode what type of malicious traffic can NOT be stopped?
A. Sweep reconnaissance (such as ICMP sweeps)
B. Atomic attacks (single packet attacks)
C. Flood attacks
D. Teardrop attacks
E. All of the above
Correct Answer: B
QUESTION 57
What Cisco Switch feature best protects against CAM table overflow attacks?
A. Storm Control
B. Port security
C. CAM table size definition
D. IP spoof prevention
E. Network Based Application Recognition
Correct Answer: B
QUESTION 58
Which of the following are not steps in setting up a TLS session?
A. Client sends Hello to Server listing all of its supported cipher suites
B. Server sends Hello to Client listing all of its supported cipher suites
C. Client calculates and sends encrypted pre_master_secret
D. Client and Server calculate keys from pre_master_secret
E. Server sends Change Cipher Spec to indicate a shift to encrypted mode
Correct Answer: B
QUESTION 59
What two things must you do on the router before generating an SSH key with the “crypto key generate rsa” IOS command?
A. Configure the SSH version that the router will use
B. Configure the host name of the router
C. Enable AAA Authentication
D. Configure the default IP domain name that the router will use
E. Enable SSH transport support on the vty lines
Correct Answer: BD