3/19/2014
CCNA Security » Share your SECURE Experience
Share your SECURE Experience
January 3rd, 2011 in SECURE 642-637

Cisco has made changes to the Security exams by replacing the old CCSP with the new CCNP Security Certification, which has 4 modules: Secure, Firewall, IPS and VPN. In fact, the old CCSP and the new CCNP Security are very similar. Many candidates have requested us to put up materials for these new exams, but it is time-consuming work. In the meantime, we created the "Share your experience" section for the SECURE exam. We really hope anyone who reads securitytut, 9tut, digitaltut, certprepare, networktut and voicetut contributes to these sections, as your experience is invaluable for CCNP Security learners to complete their goals.

Please share with us your experience after taking the SECURE 642-637 exam, your materials, the way you learned, your recommendations...

Comments

1. ios August 13th, 2011
Drag and drop to match:
Left side
 l1. protocol minimization
 l2. payload minimization
 l3. application layer inspection
 l4. protocol verification
Right side
 r1. can prevent covert tunneling
 r2. increase protection by only allowing expected content types and values
 r3. increases protection by hiding unnecessary features
 r4. can be configured in a zone-based firewall policy to prevent known attacks
I think it is l1=r3, l2=r1, l3=r2, l4=r4, but the actual test says l1=r3, l2=r2, l3=r1, l4=r4. What do you think?

2. Ciscolover August 14th, 2011
@deep .. congrats for passing ur exam, plz send me ur dumps to my mail. tnx in advance.

3. maria August 15th, 2011
@deep congrats on your success, can u please send me secure dumps through email. You mentioned your email id, then I send u email.

4. ray August 15th, 2011
Hi all, please does anyone know where you can download the Nuggets from?

5. DR August 15th, 2011
Ray: The CBT Nuggets (among other things) can be found at: http://www.careercert.info/2009/12/ccsp-snrs-642-504.html
DR

6. jtt August 16th, 2011
For those who have doubts: the pre-requisite for CCNP Security is:
Option 1 – CCNA Security, or
Option 2 – SND (Securing Cisco Network Devices) exam. I'm doing it this way.

7. jtt August 16th, 2011
Don't study just with CBT Nuggets ccsp-snrs-642-504 to prepare for 642-637. It is not enough.... and you will fail the exam. The best way is to listen to CBT Nuggets and check what is new in the recent exam. I had a look at CBT Nuggets, but then I read Cisco Press to learn new concepts and to go deeper in some subjects.

8. vcr August 18th, 2011
All dumps are valid; the lab is GET VPN, dig a little deeper with the command show crypto ..., plus there are 2 or 3 new questions...

9. hey August 26th, 2011
I think there are plenty of wrong answers in the tests:

---
D&D
Explanation:
 Existing lists of LAN switches
 Existing credentials
 Existing addressing scheme
 Existing transport protocols used in the environment.
I think correct:
Explanation:
 Existing lists of LAN switches
 Existing credentials
 Existing automated software deployment mechanism
 Trustworthiness of the existing transport network
---
D&D
 Delete IPsec security association -> clear crypto sa
 Cryptographic configurations and show SA lifetimes -> show crypto isakmp policy
 The IPsec protection policy settings -> show crypto ipsec transform-set
 Current IPsec settings in use by the SAs -> show crypto ipsec sa
 Clear active IKE connections -> clear crypto isakmp
---
Which of these is a configurable Cisco IOS feature that triggers notifications if an attack attempts to exhaust critical router resources and if preventative controls have been bypassed or are not working correctly?
A. Control Plane Protection
B. Management Plane Protection
C. CPU and memory thresholding
D. SNMPv3
Answer: A
I think C (based on the book).
---
You are troubleshooting reported connectivity issues from remote users who are accessing corporate headquarters via an IPsec VPN connection. What should be your first step in troubleshooting these issues?
A. issue a show crypto isakmp policy command to verify matching policies of the tunnel endpoints
B. ping the tunnel endpoint
C. run a traceroute to verify the tunnel path
D. debug the connection process and look for any error messages in tunnel establishment
Answer: B
Can be D.
---
Refer to the exhibit. The INSIDE zone has been configured and assigned to two separate router interfaces. All other zones and interfaces have been properly configured. Given the configuration example shown, what can be determined?
A. Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the 10.10.10.0/24 network using the SSH protocol.
B. If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.
C. This is an illegal configuration. You cannot have the same source and destination zones.
D. This policy configuration is not needed; traffic within the same zone is allowed to pass by default.
Answer: D
I think it's A (IOS 15.x allows intrazone policies).
---
When using Cisco Easy VPN, what are the three options for entering an XAUTH username and password for establishing a VPN connection from the Cisco Easy VPN remote router? (Choose three.)
A. using an external AAA server
B. entering the information via the router crypto ipsec client ezvpn connect CLI command in privileged EXEC mode
C. using the router local database
D. entering the information from the PC via a browser
E. storing the XAUTH credentials in the router configuration file
Answer: B,C,E
B should be "crypto ipsec client ezvpn xauth". C is false for sure, because you store it in another place. Also: "Do not store the XAUTH username and password on the router: If this option is used, a PC user who is connected to the router is presented with a web page that allows the username and password to be manually entered." So D is correct. Overall: B,D,E
---
Which two types of deployments can be implemented for a zone-based policy firewall? (Choose two.)
A. routed mode
B. interzone mode
C. fail open mode
D. transparent mode
E. inspection mode
Answer: A,E
Should be: A,D
---
D&D
 Dropping application layer protocol units that do not conform to the protocol standard.
 An application-aware method of filtering that works on OSI layers 3 and 4.
 Filtering inside the protocol and its related content.
Correct:
 Dropping application layer protocol units that do not conform to the protocol standard.
 In-memory reassembly of Layer 4 sessions....
 Filtering inside the protocol and its related content.
"As was supported by CBAC, the ZBPFW supports stateful inspection as well as Application Inspection and Control (AIC), which is also referred to as Deep Packet Inspection (DPI). This includes inspection for Layers 3 through 7. AIC provides the ability to perform in-memory reassembly of Layer 4 sessions to obtain stream information between the two connected hosts. It also provides the ability to monitor application layer protocol information and verify that this information is conforming to established standards."
---
Which of these is a result of using the same routing protocol process for routing outside and inside the VPN tunnel?
A. This will provide for routing-protocol-based failover redundancy.
B. Spoke routers will be able to dynamically learn routes to peer networks.
C. This will allow VPN-encapsulated packets to be routed out the correct physical interface used to reach the remote peer.
D. The tunnel will constantly flap.
Answer: B
I think it's D.
---
Refer to the exhibit. What can be determined from the output of this show command?
A. The switch port interface is enabled and operating as a community port.
B. The interface is acting as an isolated switch port operating in VLAN 1.
C. The interface is configured for Private VLAN Edge.
D. The switch port interface is not a trusted port.
Answer: D
I think C.
---
Refer to the exhibit. Given the output shown, what can be determined?
A. An attacker has sent a spoofed DHCP address.
B. An attacker has sent a spoofed ARP response that violates a static mapping.
C. The MAC address has matched a deny rule within the ACL.
D. This is an invalid proxy ARP packet, as indicated by the 0000.0000.0000 MAC address on the destination.
Answer: C
I think B.
---
Left side
 l1. protocol minimization
 l2. payload minimization
 l3. application layer inspection
 l4. protocol verification
Right side
 r1. can prevent covert tunneling
 r2. increase protection by only allowing expected content types and values
 r3. increases protection by hiding unnecessary features
 r4. can be configured in a zone-based firewall policy to prevent known attacks
I think it is l1=r3, l2=r1, l3=r4, l4=r2
---
What do you think?

10. Idana August 26th, 2011
Ho ho, who woulda thunk it, right?

11. Cheyenne August 27th, 2011
Well, macadamia nuts, how about that.

12. Anonymous August 28th, 2011
Guys, can anyone please tell me where to find labs for CCNP Security ASA papers? I am from India.

13. netpeer August 28th, 2011
Hey, good list. Here is a tip about the last confusing question... http://my.safaribooksonline.com/book/certification/ccnp/9780132567145/asa-access-control/ch03lev1sec4
 ■ Protocol Minimization: Enables a minimal required set of protocol features through the ASA
 ■ Payload Minimization: Enables transport of minimally required payloads over the application session
 ■ Application Layer Signatures: Enables and drops known malicious payloads in application layer sessions
 ■ Protocol Verification: Detects and drops anomalous application layer protocol units

14. netpeer August 28th, 2011
Can someone clarify for the 642-637 exam lab:
 - why do you need the class default defined?
 - why is match-any used in the class map?
Thanks!

15. sahib August 30th, 2011
Want 642-637 dumps? Just 30$. Will give you some simulation verification commands also....!!
16. Anonymous August 30th, 2011
@Netpeer: If you do not define class-default, then your QoS is not complete and it might not work properly. HTH, DAk

17. Anonymous September 2nd, 2011
@Edward _ Thanks, Adeok

18. sahib September 3rd, 2011
Can somebody send me 4sure dumps? I will be very thankful....!! If somebody got some new questions in the secure exam, send those questions also... please help...

19. syed September 7th, 2011
Can anyone confirm if dumps with 78 questions are valid? Anyone passed SNRS recently? It's urgent. Thanks

20. syed September 7th, 2011
@Deep, you have recently cleared 642-637, you can help me out better.

21. Sunil Singh September 7th, 2011
Hi guys, does anybody have the link for CBT Nuggets for Secure and the 4sure dumps.... Help would be appreciated............

22. sam September 8th, 2011
Drag and drop to match:
Left side
 l1. protocol minimization
 l2. payload minimization
 l3. application layer inspection
 l4. protocol verification
Right side
 r1. can prevent covert tunneling
 r2. increase protection by only allowing expected content types and values
 r3. increases protection by hiding unnecessary features
 r4. can be configured in a zone-based firewall policy to prevent known attacks
The correct answer is l1=r3, l2=r2, l3=r4, l4=r1. Reference on page 50: http://www.slideshare.net/CiscoSystems/ccsp-effective-deployment-of-cisco-asa-access-control

23. sam September 8th, 2011
Btw, I am confused by this question below (question no. 2):
A. There is no ID payload in the packet, as indicated by the message ID = 0.
B. The peer has not matched any offered profiles.
C. This is an IKE quick mode negotiation.
D. This is normal output of a successful Phase 1 IKE Exchange.
Answer: B
I think the correct answer is D. I debugged the successful IKE exchange process in GNS3 and saw "peer matches *none* profile". This output will appear when we don't use an isakmp profile to match the identity of the peer or group. Any idea?

24. Dmitry Novikov September 8th, 2011
Sam, I think the correct answer is B, just because to meet enterprise security policy we have to specify an isakmp profile with stronger encryption, the best hash function like SHA, etc... That's why when we see "peer matches none profile", it means that we don't meet the enterprise security policy. It is not normal for security engineers.

25. sam September 9th, 2011
Dear Dmitry Novikov, thanks for ur response. But the ISAKMP profile is used to define a peer or group in case of implementing DMVPN, EZVPN. When we use static p2p VTI, the ISAKMP profile is not used, but we can see "peer matches none profile" although the IKE exchange is successful. In addition, the output shows "SA authenticated status: authenticated". It means the peer has been authenticated and the IKE exchange has been successful.

26. Dmitry Novikov September 9th, 2011
Ok, Sam! Let's see from the beginning.
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html
"During tunnel establishment, the two peers negotiate security associations that govern authentication, encryption, encapsulation, and key management. These negotiations involve two phases: first, to establish the tunnel (the IKE SA); and second, to govern traffic within the tunnel (the IPsec SA). ISAKMP is the negotiation protocol that lets two hosts agree on how to build an IPsec security association. ISAKMP separates negotiation into two phases: Phase 1 and Phase 2.
Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data."
The most important words in our case are: ISAKMP separates negotiation into two phases: Phase 1 and Phase 2. Phase 1 creates the first tunnel, WHICH PROTECTS later ISAKMP negotiation messages. We can specify parameters for PHASE 1 with the crypto isakmp profile configuration command, or we can choose not to. In case we didn't specify these parameters, phase 1 will use default parameters, and we'll see this message: "peer matches *none* profile".

27. sam September 10th, 2011
Dear Dmitry Novikov, are u confusing ISAKMP policy and ISAKMP profile? We specify parameters for phase 1 with crypto isakmp policy commands instead of crypto isakmp profile. "ISAKMP profiles can possibly match on a single peer, multiple peers, or even no peers based on the identity information received during the IKE negotiations". It means it doesn't specify parameters for PHASE 1. It's used to specify the identity of a peer or group to authenticate (in dynamic p2p VTI, authorize certificate in DMVPN) or bind a client to a client group configuration and virtual-template. With default parameters, we can see "atts are accepted."

28. sam September 10th, 2011
Hi, I have just passed the 642-637 today with a 939/1000 score. There are some new questions, but almost all are in the 73q dump. Be careful because some answers in the dump are wrong. The SIM labs are ZBFW and show commands for GET VPN. No need to define class-default in the ZBFW lab because of the default drop action that is applied to all classes. In the GET VPN lab, the identity to distinguish the group is identity number 67890; R1 is group member and R2 is key server. There are plenty of wrong answers that Hey explained.
Some new D&D, I just remember the question:
 - describe common features of L2/3 Catalyst switch and ISR to protect the control plane: routing filter, routing authentication, VTP authentication, STP protection, rate limit is the answer
 - question about features of DVTI, ZBFW with VRF
Now I start learning 642-647 VPN.

29. Dmitry Novikov September 10th, 2011
Dear Sam! Congrats for passing your exam!!! It is so sad. It was my fault. I really thought about the crypto isakmp policy command. And I've just revised the meaning of the profile command and you were right. Did you have this question on the exam?

30. Gaurav September 10th, 2011
Hi Sam,
can you please go deep about the features of DVTI, ZBFW with VRF. Please advise about the new D&D faced. Is hey's advice of wrong questions (each of them is correct)? Also please advise about your discussion on:
A. There is no ID payload in the packet, as indicated by the message ID = 0.
B. The peer has not matched any offered profiles.
C. This is an IKE quick mode negotiation.
D. This is normal output of a successful Phase 1 IKE Exchange.
Answer: B
I think the correct answer is D.
Thanks in advance, Sam. I will be writing the paper soon. All the best for 642-647.
Regards, Gaurav

31. sam September 10th, 2011
Dear all, the DVTI question: describe the feature of DVTI. My choice is "VTIs on the hub are created dynamically as tunnels to the hub are established". U can check in the Official book. About ZBFW with VRF, the question is what should u do when implementing ZBFW with VRF. I forget my choice, but u can check in the official book. I had this question on the exam and I chose D because of the status SA authenticated. Good luck to all!

32. Gaurav September 10th, 2011
Hi Sam, can you please advise about the new D&D faced by you. Thanks, Gaurav

33. Gaurav September 11th, 2011
Anyone, please help me with the 3 questions below, as I think the answers to them are incorrect.
Question 1
Which three of these are features of data plane security on a Cisco ISR? (Choose three)
A. uRPF
B. NetFlow export
C. FPM
D. CPPr
E. RBAC
F. routing protocol filtering
Answer: A,C,E
Correct ones are uRPF, FPM; not possible CPPr, NetFlow export (IOS); left with RBAC and routing protocol filtering. http://www.cisco.com/en/US/prod/collateral/routers/ps10538/data_sheet_c78-556151_ps10537_Products_Data_Sheet.html
---
Question 2
When you are configuring DHCP snooping, how should you classify access ports?
A. untrusted
B. trusted
C. promiscuous
D. private
Answer: B
Explanation: it depends upon offer and reply
---
Question 3
When configuring URL filtering with the Trend Micro filtering service, which of these steps must you take to prepare for configuration?
A. define blacklists and whitelists
B. categorize traffic types
C. install the appropriate root CA certificate on the router
D. synchronize clocks via NTP to ensure accuracy of URL filter updates from the service
Answer: D
Explanation: I think the correct is A
Question 20
Question 4
D&D
 Delete IPsec security association -> clear crypto sa
 Cryptographic configurations and show SA lifetimes -> show crypto isakmp policy
 The IPsec protection policy settings -> show crypto ipsec transform-set
 Current IPsec settings in use by the SAs -> show crypto ipsec sa
 Clear active IKE connections -> clear crypto isakmp
http://ciscoarticles.com/CCSP-Cisco-Certified-Security-Professional/Step-4-4-Display-the-Configured-Crypto-Maps.html
http://www.cisco.com/en/US/docs/ios/ipv6/command/reference/ipv6_13.pdf
---
Question 5
One extra question from the dump is 'command to check license for SSL VPN'.
Please reply with correct answers. Many thanks. Regards, Gaurav

34. FT September 12th, 2011
Hi guys, please share CCNP Secure CBT Nuggets. Thanks

35. Jack September 14th, 2011
I've just passed 642-637. ZBPFW lab, GET VPN lab quiz with 5 questions. 73q still valid, but there were some new questions and D&D. One question about end users' connectivity issues and DHCP snooping. Don't remember exactly, but try to spend more time on this topic. D&D was about the order of Easy VPN establishment: which process goes first, second, etc. There were 5-7 pieces.

36. Moran September 14th, 2011
73q valid.... check hey and sam comments... new drag & drops and some new questions... but you'll be safe... success

37. Moran September 14th, 2011
Please note that some answers are wrong... be keen on that.

38. Rahul September 15th, 2011
Hi Deep, can u tell me 4m which dumps u have prepared?? & 4m where u hav D'loaded it?? Thanks in advance.

39. Thakur 1984 September 15th, 2011
Hi guys, can anyone please help me with the link for the dumps and CBT Nuggets?

40. Rahul September 20th, 2011
Hi friends, what is the exam cost for the CCNP Secu. exam?? Thanks in advance..

41. Anonymous September 20th, 2011
Hi... Can anyone help me to know whether the 73q actual test dump is still valid?
42. Anonymous September 21st, 2011
http://go4exams.com/cisco.html .. please check that this link is valid for downloading SECURE dumps...

43. Sam September 22nd, 2011
http://go4exams.com/cisco.html has the same as http://www.examcollection.com/642-637.html given on 17-May-2011!!! Plz, if someone has new dumps then let us know..!!

44. Gaurav September 23rd, 2011
Two new questions which can be there:
Question 1 about the access class / Virtual Access interfaces. Answer: A special Virtual-Access1 interface is used internally by Cisco IOS Software and is always present in the output of this command.
Question 2 about the 3 ways URL filtering can be configured. Answer: external URL filtering server, including support for (Websense and N2H2). The 3rd way was to use the locally configured database.

45. brotherincisco September 25th, 2011
Just wondering if any one of you can lead me to some good resources for TOEFL. I need to get a high score in my exam next week. Any input and assistance will be highly appreciated. Thanks!

46. jamil September 25th, 2011
Is there any video training available for the Secure?

47. Anonymous September 26th, 2011
plZ.. share new dumps...

48. Gaurav September 27th, 2011
Passed the exam with 969/1000. All the questions except 1 or 2 which hey mentioned as wrong were really wrong in AT&T. Apart from them, two new questions were there:
Question 1 about the access class / Virtual Access interfaces. Answer: A special Virtual-Access1 interface is used internally by Cisco IOS Software and is always present in the output of this command.
Question 2 about the 3 ways URL filtering can be configured. Answer: external URL filtering server, including support for (Websense and N2H2). The 3rd way was to use the locally configured database.
I used the 85 questions dumps. Thanks to everyone.

49. Rahul September 27th, 2011
Congrats Gaurav 4 passing the exam. Can u give me the link 4m where u have downloaded the 85 Question dumps?? Coz I have only 78Q dumps from http://www.examcollection.com. Thanks.

50. kazar September 27th, 2011
Congrats Gaurav. Rahul, send me your e-mail address for 85q.

51. Sam September 27th, 2011
HEY Gaurav or anyone, can u plz send the dumps to me. Thanks...

55. 1 test away September 27th, 2011
Guys, here is the link for 85q: http://hotfile.com/dl/118882656/c845ee3/637.rar.html
Everyone must use teamwork and not be so secretive. Please post publicly and not try to hide everything behind email.

56. Sam September 28th, 2011
Does anyone have Secure 642-637 CBT Nuggets...?

57. Shahid September 29th, 2011
@SAM, @Gaurav, I have a doubt with a few questions, please correct me if I am wrong, thanks.
A. using an external AAA server
B. entering the information via the router crypto ipsec client ezvpn connect CLI command in privileged EXEC mode
C. using the router local database
D. entering the information from the PC via a browser
E. storing the XAUTH credentials in the router configuration file
I think B, C, E are correct; D is wrong because XAUTH is an IKE extension which doesn't support a browser (SSL use).
---
A. An attacker has sent a spoofed DHCP address.
B. An attacker has sent a spoofed ARP response that violates a static mapping.
C. The MAC address has matched a deny rule within the ACL.
D. This is an invalid proxy ARP packet, as indicated by the 0000.0000.0000 MAC
Answer: C
I think C is correct according to this link: http://www.sadikhov.com/forum/index.php?/topic/121637-dynamic-arp-inspection-in-non-dh-environments/
---
A. uRPF
B. NetFlow export
C. FPM
D. CPPr
E. RBAC
F. routing protocol filtering
I think A, B, C according to the book CCNP Security SECURE 642-637 Official Cert Guide page #204 (NetFlow export as a component).
---
Still confused with the D&D crypto map: "cryptographic configurations and show SA lifetimes -> show crypto map" (can be correct) because it gives us the SA lifetime, but show crypto isakmp policy gives us the IKE lifetime.
Please guide me if I am wrong.

58. roT September 29th, 2011
Page 582, CCNP Security SECURE 642-637 Official Cert Guide:
If XAUTH is being used, it must be decided where to store the authentication credentials:
 ■ Store the XAUTH username and password in the configuration file on the router: This option is typically used if the router is shared between many PCs and the goal is to have the VPN tunnel up all the time. -> E
 ■ Do not store the XAUTH username and password on the router: If this option is used, a PC user who is connected to the router is presented with a web page that allows the username and password to be manually entered. -> D
Page 583, CCNP Security SECURE 642-637 Official Cert Guide:
EZVPN Remote connection profile using the crypto ipsec client ezvpn command
 ■ Use the group command to specify the group name and group password to authenticate
to the EZVPN Server as a part of a group.
 ■ Use the username command to specify the stored username and password used to provide additional authentication using XAUTH. -> B
B,D,E

59. kazar September 30th, 2011
Passed today, 70 questions and about 10 new questions: sslvpn, virtual interfaces,...

60. kazar September 30th, 2011
Mark is 776.

61. kazar September 30th, 2011
Use 85q, thanks guys, wish you all the best!!!

62. shahid September 30th, 2011
Thanks @roT for correcting me, and can you help with the other questions as well? I would appreciate it.

63. Tony September 30th, 2011
Also passed today. The 85 question test is fairly good (the 2 tests from May on http://www.examcollection.com/642-637.html are also valid/close to what is on the test). A couple of new questions on VPN, SDEE and VTI; don't remember the specifics, but the questions were about small sections of code, then choosing what they do. 2 simulations on the test, one for setting up a zone and the other was the 5 part VPN question. Make sure you know the basic show commands and how to set up a class and policy map along with a zone.

64. Rahul September 30th, 2011
Actual Tests – ver4.3 Cisco 642-637 – 85Q http://www.wikifortio.com/809773/642-637.rar

65. LifeTime October 1st, 2011
roT, pls. provide me the CCNP Security SECURE 642-637 Official Cert Guide link. Pls. and link provide......

66. Anthony October 1st, 2011
Link for 642-637 Cert Guide: http://www.4shared.com/file/Zw4vJDTo/CiscoPressCCNPSecuritySecure64.html

67. jt October 1st, 2011
Hi, anyone here ever used the CCNP-S training video from IPexpert? Please share your . Thanks.

68. Sam October 2nd, 2011
Hey Kazar.. how many marks did u get..? And how were the new questions? Tough or easy?

69. Shahid October 2nd, 2011
Hi guys, I passed my exam and got 959/1000, mostly was from 85q. One question was about ZBPFW with VRF (I selected "separate zone-pair can be defined in each VRF environment") but I'm not sure if it is correct. And the other question was about false positive, true negative. Thanks everyone for help and support.

70. eslam October 2nd, 2011
Hi guys, I'd like to ask if there is an exam in the CCSP track I can take without the CCNA Security, or can I be certified if I passed it?????

71. aw3se4dr October 2nd, 2011
Hi guys, would any of you have the link to CBT Nuggets 642-637 SECURE by Michael Shannon?? Regards

72. Sunil Singh October 3rd, 2011
Hi guys, can anyone share the link for CBT Nuggets of Secure and other CCNP Security certifications? Help of any kind is appreciated. Thanks

73. Rahul October 4th, 2011
Passed today with 860. There were 70 questions in the exam, 5-6 were new. I think in the 85Q dumps many are answered WRONG, be careful & also prepare 4m the book. Thanks all.

74. Sanket October 7th, 2011
@Rahul – can u please tell which of the answers are wrong..?? If u can..? And the new questions, are they easy if u have basic knowledge..?

75. Guy October 7th, 2011
Does anyone have the LAB guide for this exam? I want to actually study instead of getting the answers. THANKS

76. Sanket October 8th, 2011
@Guy u can even try the "INE CCIE V5 Workbook", it has "Section IOS Firewall", it is the same as CCNP SECURE...!! And even easy to understand..!! Its portion is almost the same.. just VPN you have to do from the other section of VPN...

77. Obinna October 10th, 2011
Guys, please can someone help me with a link where I can get the CBT Nuggets video for this exam? Thank you

78. FTSG October 11th, 2011
Just passed the exam with a score of 968/1000 and got my CCNP Security. Thanks to all who shared their experiences here. Studied Cisco Press CCNP Secure V1.0 and the 85q dumps, which I believe have a lot of wrong answers, so know your basics and double check all the answers in the book, and I'm sure this will help you pass this exam. Included are the Zone Based Firewall lab and GET VPN show commands, which are fairly easy. Lots of new exhibits, around 5, and you have to analyze that output; includes certificates, rommon, VTI etc. New drag and drop for Management Plane features. If you have questions feel free to drop a message here and I'm glad to help. Good luck to all...

79. raj October 11th, 2011
Hey, just cleared my secure exam...... thanks to all...... n don't worry, these dumps are enough for passing...... however some mis-questions are there.... but it vll do..... study hard..... practice more...... n any queries pls ask..... Gud luck to everyone..... nn thanks for ur support.....

80. francis October 11th, 2011
RAJ, can you confirm that I can take the CCNP Sec exam without CCNA Security but with CCNP Route + Switch?

81. raj October 11th, 2011
Hey fancis, I don't think that u can give it without CCNA Security... coz it's a totally different track... security & r/&/s...

82. jt October 12th, 2011
@ftsg congrats... please stick around.. I will begin to study for this exam soon and may need to ask some questions. Do you remember the topic of those new exhibits? Or whatever is not in the dumps? Thanks,
83. Igor October 12th, 2011
@raj, congratulations! Can anybody clear up the situation with the wrong questions in the 85q dump?

84. raj October 12th, 2011
@igor i might say yes…..but u need to clear d concepts….d basics atleast….n then you are the winner….these dumps are enough… but hav some wrong answers…

85. Igor October 12th, 2011
@raj Thanks, I’ve read the Official Cert Guide. But as for me, it would be better to have only questions than questions with wrong answers, because they make me confused.

86. Ila October 12th, 2011
I think I found a fail in the testking answer. This question:
— Which two of these are potential results of an attacker performing a DHCP server spoofing attack? (Choose two)
A. DHCP snooping
B. DoS
C. Confidentiality breach
D. spoofed MAC addresses
E. switch ports being converted to an untrusted state
testking says B and C. But I think the correct answer is A & D. What are you thinking about that??

87. DC October 12th, 2011
Ila, I think B and C are correct, the key word being “results”. Still not sure on some of the other questionable answers mentioned previously. And thanks xxxxtut, another great site. Your TSHOOT site was very helpful. dc

88. DC October 12th, 2011
and hey wrote:
“Refer to the exhibit. The INSIDE zone has been configured and assigned to two separate router interfaces. All other zones and interfaces have been properly configured. Given the configuration example shown, what can be determined?
A. Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the 10.10.10.0/24 network using the SSH protocol.
B. If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.
C. This is an illegal configuration. You cannot have the same source and destination zones.
D. This policy configuration is not needed, traffic within the same zone is allowed to pass by default.
Answer: D
I think it’s A (IOS 15.x allows intrazone policies)”
Well I don’t think this test covers IOS 15.x as this release does firewalls much differently. In 15.x no traffic will pass within the same zone by default. And to complicate matters, I think the correct answer is “C” illegal configuration. This is what I get when I try to configure:
Router2(config)#zone-pair security IN-TO-OUT source INSIDE dest INSIDE
% Same zone cannot be defined as both the source and destination
dc

89. FTSG October 13th, 2011
@jt – hard to get the details of those new questions. Just study the 85q dumps and if you have doubt about the answers just let me know. @DC – I also chose C as my answer on this.

90. Sanket October 13th, 2011
Hi FTSG !! i am going to give my paper !! can u plz do a favour .. if u can then plz let me know which of the ans are wrong ?!! thanks …!!

91. Igor October 13th, 2011
@DC – I think the correct answer is D: “This policy configuration is not needed” – that’s true, “traffic within the same zone is allowed to pass by default” – also true.

92. Igor October 13th, 2011
When you are configuring DHCP snooping, how should you classify access ports?
A. untrusted
B. trusted
C. promiscuous
D. private
Answer: B
Correct – A

93. DC October 13th, 2011
Hi Igor, For the “intrazone” firewall question I still think “C – illegal configuration” is the “best” answer. Note that the configuration example only allows SSH traffic; all else would be dropped..IF you COULD configure it. But you cannot in most releases. For DHCP snooping, I also thought A (Untrusted) was correct so I researched it. I found this:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/snoodhcp.html#wp1114389
“Trusted and Untrusted Sources
The DHCP snooping feature determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, the DHCP snooping feature filters messages and rate-limits traffic from untrusted sources. In an enterprise network, devices under your administrative control are trusted sources. These devices include the switches, routers and servers in your network. Any device beyond the firewall or outside your network is an untrusted source. Host ports are generally treated as untrusted sources.”
So with little information presented, if one assumes the access port is under the admin’s control?…then “B trusted” would be correct. I am not sure what the definition of “access port” should be in this case. But this is a great example of how confusing these simple questions can be…I still wouldn’t bet any money on either answer. I would like to know if you/anyone else found anything else more conclusive. Thanks dc

94. Igor October 13th, 2011
@DC thanks for your conclusions. I agree with you that it’s not clear what they mean by “access port”. In case: port for connection to the DHCP server – answer “B trusted” will be correct. In case: access port for users in the access layer – answer “A untrusted” is correct. We can only try to guess what they mean (

95. DC October 13th, 2011
Sam wrote:
“drag and drop to match
left side
l1. protocol minimization
l2. payload minimization
l3. application layer inspection
l4. protocol verification
right side
r1. can prevent covert tunneling
r2. increase protection by only allowing expected content types and values
r3. increases protection by hiding unnecessary features
r4. can be configured in a zone-based firewall policy to prevent known attacks
The correct answer is l1=r3, l2=r2, l3=r4, l4=r1
Reference on page 50: http://www.slideshare.net/CiscoSystems/ccsp-effective-deployment-of-cisco-asa-access-control”
I agree. So in “block order”, top to bottom it’s:
Protocol verification – can prevent covert tunneling
payload minimization – increase protection by only allowing expected content types and values
protocol minimization – increases protection by hiding unnecessary features
application layer inspection – can be configured in a zone-based firewall policy to prevent known attacks

96. DC October 13th, 2011
Ok another confusing question: Guarav wrote:
“When configuring URL filtering with the Trend Micro filtering service, which of these steps must you take to prepare for configuration?
A. define blacklists and whitelists
B. categorize traffic types
C. install the appropriate root CA certificate on the router
D. synchronize clocks via NTP to ensure accuracy of URL filter updates from the service
Answer: D
Explanation: I think the correct is A”
I don’t think A is right. If we look at: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c89-492776.html
It makes sure that you set the time correctly or else you will not be able to download the certificate. So answer “D synchronize clocks via NTP to ensure accuracy of URL filter updates from the service” is close, but the description “to ensure accuracy..” is not necessarily correct. So, I am thinking answer “C” is a better choice: “install the appropriate root CA certificate on the router”. Thoughts?

97. Igor October 14th, 2011
According to this link http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c89492776.html we can see in the description of the second step:
a) verify that your router clock has the correct time;
b) if the system clock is not synchronized with the current time, change the time and date;
c) when the system clock matches the actual time, download a certificate from Cisco.com.
So, the first step is to synchronize time…. and only after that install the appropriate root CA certificate. In this way I think that Answer D “synchronize clocks via NTP to ensure accuracy of URL filter updates from the service” is correct.

98. DC October 14th, 2011
Hi Igor, Thanks. That page is pretty much the same as the one that I posted. I am just afraid it is a trick question as:
1) The pages say to “set the clock”, not necessarily use NTP.
2) There is no mention of “to ensure accuracy of URL filter updates from the service”
I don’t know, perhaps I should just stick with “D”. BTW, does your last name start with Pel? dc

99. Igor October 14th, 2011
@DC thanks for your discussion. I quite agree with you about the “trick question”. Maybe someone who passed this exam can clear up the situation? About my last name: no, it starts with Mo )

100. DC October 14th, 2011
Hi Igor, Ok, you are not an “old” friend of mine… I double checked the answers for:
Question 1
Which three of these are features of data plane security on a Cisco ISR? (Choose three)
A. uRPF
B. NetFlow export
C. FPM
D. CPPr
E. RBAC
F. routing protocol filtering
Answer: A,C,E
Of course uRPF and FPM are correct and CPPr is control plane. According to table 3-7 of the cert guide, RBAC is management plane, and “routing protocol filtering” is control plane. That leaves NetFlow export. Now the cert guide lists “Network Export” as a data plane security feature; I think it’s a misprint and it should be NetFlow. NetFlow can be used for security analysis (monitor data flow). So A, B, C should be correct, as Sahid also reported.
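The zone-based firewall thread in comments 88, 91 and 93 above turns on whether a zone-pair may name the same zone as both source and destination. As an added example, not taken from this page or from Cisco documentation, here is a constructed IOS configuration that places two LAN interfaces in INSIDE and a WAN interface in OUTSIDE, inspects a few protocols from INSIDE to OUTSIDE, and shows the rejected intrazone zone-pair from DC's test alongside it. Interface names, addresses, class/policy names and the zone-pair names are all assumptions.

```cisco
! Constructed example for this thread; names and addresses are assumed.
zone security INSIDE
zone security OUTSIDE
!
! Two router interfaces in the same zone, as in the quoted exhibit
interface GigabitEthernet0/0
 description LAN segment A (10.10.10.0/24, assumed)
 ip address 10.10.10.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description LAN segment B (10.10.20.0/24, assumed)
 ip address 10.10.20.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/2
 description WAN uplink
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
!
! Only the listed protocols are inspected; everything else in the pair is dropped
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ssh
 match protocol http
 match protocol dns
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Interzone pair: this is the normal, accepted form
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! The intrazone pair DC tried is rejected on releases without intrazone support:
!   Router(config)# zone-pair security IN-TO-IN source INSIDE destination INSIDE
!   % Same zone cannot be defined as both the source and destination
!
! Verification
show zone security
show zone-pair security
show policy-map type inspect zone-pair IN-TO-OUT sessions
```

On a release that rejects the same-zone pair, traffic between GigabitEthernet0/0 and GigabitEthernet0/1 is governed by no zone-pair at all and is passed by default, which is why the thread cannot settle on C or D without knowing the IOS version in the exhibit. Entering the pair and then running `show zone-pair security` tells you immediately which behaviour the platform in front of you has.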
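Comments 92 to 94 above hinge on which ports DHCP snooping should treat as trusted. The following added example, constructed for this page and not taken from the page or from Cisco documentation, shows the deployment that matches the Catalyst text DC quoted: the uplink toward the DHCP server is trusted, every user-facing access port stays untrusted (the default) and is rate-limited, so DHCP server messages arriving on an access port are dropped. The VLAN number, interface names and rate values are assumptions.

```cisco
! Constructed example; VLAN, interfaces and rate limits are assumed.
ip dhcp snooping
ip dhcp snooping vlan 10
! Drop client packets whose source MAC does not match the DHCP client hardware address
ip dhcp snooping verify mac-address
! Option 82 insertion is left off here because the assumed upstream relay discards it
no ip dhcp snooping information option
!
! Uplink toward the distribution layer / DHCP server: the only trusted port.
! DHCPOFFER and DHCPACK are accepted from here and nowhere else in VLAN 10.
interface GigabitEthernet1/0/48
 description uplink to distribution (DHCP server lives behind it)
 switchport mode trunk
 ip dhcp snooping trust
!
! User-facing access ports stay untrusted; server-type messages are discarded and
! client requests are capped so a misbehaving host cannot exhaust the pool.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! Let a port that tripped the rate limit come back on its own
errdisable recovery cause dhcp-rate-limit
!
! Verification
show ip dhcp snooping
show ip dhcp snooping binding
show ip dhcp snooping statistics
```

Read against the exam question, this is the configuration behind answer A for hosts' access ports; only if the "access port" in question is the one the DHCP server itself plugs into would it be trusted, which is the ambiguity Igor and DC point out.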
Copyright © 2010-2012 CCNA Security.