1 Cisco CCNA Security Practice Exam Questions 2009 Cisco Systems, Inc.

Cisco CCNA Security Practice Exam Questions

Implementing Cisco IOS Network Security (IINS) v1.0




The following Cisco CCNA Security practice exam questions are based on the course Implementing Cisco
IOS Network Security (IINS) v1.0. The answer key is on the last page of this document.



1. What is the goal of an overall security challenge when planning a security strategy?

A) to harden all exterior-facing network components
B) to install firewalls at all critical points in the network
C) to find a balance between the need to open networks to support evolving business requirements
and the need to inform
D) to educate employees to be on the lookout for suspicious behavior


2. Which threats are the most serious?

A) inside threats
B) outside threats
C) unknown threats
D) reconnaissance threats


3. Network security aims to provide which three key services? (Choose three.)

A) data integrity
B) data strategy
C) data and system availability
D) data mining
E) data storage
F) data confidentiality


4. Which option is the term for a weakness in a system or its design that can be exploited by a threat?

A) a vulnerability
B) a risk
C) an exploit
D) an attack
2 Cisco CCNA Security Practice Exam Questions 2009 Cisco Systems, Inc.

5. Which option is the term for the likelihood that a particular threat using a specific attack will exploit a
particular vulnerability of a system that results in an undesirable consequence?

A) a vulnerability
B) a risk
C) an exploit
D) an attack


6. Which option is the term for what happens when computer code is developed to take advantage of a
vulnerability? For example, suppose that a vulnerability exists in a piece of software, but nobody knows
about this vulnerability.

A) a vulnerability
B) a risk
C) an exploit
D) an attack


7. What is the first step you should take when considering securing your network?

A) Install a firewall.
B) Install an intrusion prevention system.
C) Update servers and user PCs with the latest patches.
D) Develop a security policy.


8. Which option is a key principle of the Cisco Self-Defending Network strategy?

A) Security is static and should prevent most known attacks on the network.
B) The self-defending network should be the key point of your security policy.
C) Integrate security throughout the existing infrastructure.
D) Upper management is ultimately responsible for policy implementation.


9. Which three options are areas of router security? (Choose three.)

A) physical security
B) access control list security
C) zone-based firewall security
D) operating system security
E) router hardening
F) Cisco IOS-IPS security

3 Cisco CCNA Security Practice Exam Questions 2009 Cisco Systems, Inc.

10. You have several operating groups in your enterprise that require differing access restrictions to the
routers to perform their job roles. These groups range from Help Desk personnel to advanced
troubleshooters. What is one methodology for controlling access rights to the routers in these situations?

A) configure ACLs to control access for the different groups
B) configure multiple privilege level access
C) implement syslogging to monitor the activities of the groups
D) configure TACACS+ to perform scalable authentication


11. Which of these options is a GUI tool for performing security configurations on Cisco routers?

A) Security Appliance Device Manager
B) Cisco CLI Configuration Management Tool
C) Cisco Security Device Manager
D) Cisco Security Manager


12. When implementing network security, what is an important configuration task that you should perform
to assist in correlating network and security events?

A) Configure Network Time Protocol.
B) Configure synchronized syslog reporting.
C) Configure a common repository of all network events for ease of monitoring.
D) Configure an automated network monitoring system for event correlation.


13. Which of these options is a Cisco IOS feature that lets you more easily configure security features on
your router?

A) Cisco Self-Defending Network
B) implementing AAA command authorization
C) the auto secure CLI command
D) performing a security audit via SDM


14. Which three of these options are some of the best practices when you implement an effective firewall
security policy? (Choose three.)

A) Position firewalls at strategic inside locations to help mitigate inside nontechnical attacks.
B) Configure logging to capture all events for forensic purposes.
C) Use firewalls as a primary security defense; other security measures and devices should be
implemented to enhance your network security.
D) Position firewalls at key security boundaries.
E) Deny all traffic by default and permit only necessary services.

4 Cisco CCNA Security Practice Exam Questions 2009 Cisco Systems, Inc.

15. Which statement is true when configuring access control lists (ACLs) on a Cisco router?

A) ACLs filter all traffic through and sourced from the router.
B) Apply the ACL to the interface prior to configuring access control entries to ensure that controls are
applied immediately upon configuration.
C) An implicit deny is applied to the start of the ACL entry by default.
D) Only one ACL per protocol, per direction, and per interface is allowed.


16. Which option correctly defines asymmetric encryption?

A) uses the same keys to encrypt and decrypt data
B) uses MD5 hashing algorithms for digital signage encryption
C) uses different keys to encrypt and decrypt data
D) uses SHA-1 hashing algorithms for digital signage encryption


17. Which option is a desirable feature of using symmetric encryption algorithms?

A) They are often used for wire-speed encryption in data networks.
B) They are based on complex mathematical operations and can easily be accelerated by hardware.
C) They offer simple key management properties.
D) They are best used for one-time encryption needs.


18. Which option is true of using cryptographic hashes?

A) They are easily reversed to decipher the message context.
B) They convert arbitrary data into a fixed-length digest.
C) They are based on a two-way mathematical function.
D) They are used for encrypting bulk data communications.


19. Which option is true of intrusion prevention systems?

A) They operate in promiscuous mode.
B) They operate in inline mode.
C) They have no potential impact on the data segment being monitored.
D) They are more vulnerable to evasion techniques than IDS.


20. Which statement is true when using zone-based firewalls on a Cisco router?

A) Policies are applied to traffic moving between zones, not between interfaces.
B) The firewalls can be configured simultaneously on the same interface as classic CBAC using the ip
inspect CLI command.
C) Interface ACLs are applied before zone-based policy firewalls when they are applied outbound.
D) When configured with the PASS action, stateful inspection is applied to all traffic passing between
the configured zones.

5 Cisco CCNA Security Practice Exam Questions 2009 Cisco Systems, Inc.

CCNA Security Practice Questions Answer Key

1. C

2. A

3. A, C, F

4. A

5. B

6. C

7. D

8. C

9. A, D, E

10. B

11. C

12. A

13. C

14. C, D, E

15. D

16. C

17. A

18. B

19. B

20. A