Proper study for the most up-to-date Cisco Implementing Cisco IOS Network Security (IINS v2.0) certification begins with Cisco 640-554 preparation products, which are designed to deliver downloadable 640-554 questions that help you pass the 640-554 test on your first attempt.

2021 Jul ccna security 640-554 cbt:

Q151. - (Topic 8) 

On Cisco ISR routers, for what purpose is the realm-cisco.pub public encryption key used? 

A. used for SSH server/client authentication and encryption 

B. used to verify the digital signature of the IPS signature file 

C. used to generate a persistent self-signed identity certificate for the ISR so administrators can authenticate the ISR when accessing it using Cisco Configuration Professional 

D. used to enable asymmetric encryption on IPsec and SSL VPNs

E. used during the DH exchanges on IPsec VPNs 

Answer: B 

Explanation: 

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.html

Step 1: Downloading IOS IPS files

The first step is to download IOS IPS signature package files and public crypto key from Cisco.com.

Step 1.1: Download the required signature files from Cisco.com to your PC

Location: http://tools.cisco.com/support/downloads/go/Model.x?mdfid=281442967&mdfLevel=Software%20Family&treeName=Security&modelName=Cisco%20IOS%20Intrusion%20Prevention%20System%20Feature%20Software&treeMdfId=268438162

Files to download:

IOS-Sxxx-CLI.pkg: Signature package - download the latest signature package.

realm-cisco.pub.key.txt: Public Crypto key - this is the crypto key used by IOS IPS


Q152. - (Topic 10) 

Which statement about application blocking is true? 

A. It blocks access to specific programs. 

B. It blocks access to files with specific extensions. 

C. It blocks access to specific network addresses. 

D. It blocks access to specific network services. 

Answer: A 


Q153. - (Topic 10) 

Which statement about communication over failover interfaces is true? 

A. All information that is sent over the failover and stateful failover interfaces is sent as clear text by default. 

B. All information that is sent over the failover interface is sent as clear text, but the stateful failover link is encrypted by default. 

C. All information that is sent over the failover and stateful failover interfaces is encrypted by default. 

D. User names, passwords, and preshared keys are encrypted by default when they are sent over the failover and stateful failover interfaces, but other information is sent as clear text. 

Answer: A 


Q154. - (Topic 5) 

Which Cisco management tool provides the ability to centrally provision all aspects of device configuration across the Cisco family of security products? 

A. Cisco Configuration Professional 

B. Security Device Manager 

C. Cisco Security Manager 

D. Cisco Secure Management Server 

Answer: C 

Explanation: 

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6498/data_sheet_c78-27090.html 

Cisco Security Manager 4.4 Data Sheet

Cisco Security Manager is a comprehensive management solution that enables advanced management and rapid troubleshooting of multiple security devices. Cisco Security Manager provides scalable, centralized management from which administrators can efficiently manage a wide range of Cisco security devices, gain visibility across the network deployment, and securely share information with other essential network services such as compliance systems and advanced security analysis systems. Designed to maximize operational efficiency, Cisco Security Manager also includes a powerful suite of automated capabilities, such as health and performance monitoring, software image management, auto-conflict detection, and integration with ticketing systems.


Q155. - (Topic 3) 

Which AAA feature can automate record keeping within a network? 

A. TACACS+ 

B. authentication 

C. authorization 

D. accounting 

Answer: D 


Updated ccna security 640-554 portable command guide pdf:

Q156. - (Topic 10) 

Which command provides phase 1 and phase 2 status for all active sessions of an IPsec VPN on a Cisco router?

A. show crypto map 

B. show crypto ipsec sa 

C. show crypto isakmp sa 

D. show crypto session 

Answer: D 


Q157. - (Topic 5) 

Which router management feature provides for the ability to configure multiple administrative views? 

A. role-based CLI 

B. virtual routing and forwarding 

C. secure config privilege {level} 

D. parser view view name 

Answer: A 

Explanation: 

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html 

Role-Based CLI Access

The Role-Based CLI Access feature allows the network administrator to define "views," which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.


Q158. - (Topic 10) 

Which IPsec component takes an input message of arbitrary length and produces a fixed-length output message? 

A. the transform set 

B. the group policy 

C. the hash 

D. the crypto map 

Answer: C 


Q159. - (Topic 8) 

You use Cisco Configuration Professional to enable Cisco IOS IPS. Which state must a signature be in before any actions can be taken when an attack matches that signature? 

A. Enabled 

B. Unretired 

C. Successfully compiled

D. Successfully compiled and unretired

E. Successfully compiled and enabled

F. Unretired and enabled

G. Enabled, unretired, and successfully compiled

Answer: G 

Explanation: 

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html

Step 21. Verify the signatures are loaded properly by using this command at the router prompt: 

router#show ip ips signatures count 

Cisco SDF release version S353.0 

Trend SDF release version V0.0

snip 

Total Signatures: 2363 

Total Enabled Signatures: 1025 

Total Retired Signatures: 1796 

Total Compiled Signatures: 567 

Total Obsoleted Signatures: 15 

Step 23. To retire/unretire and enable/disable signatures, select the Edit IPS tab, then select Signatures.

Highlight the signature(s), and then click the Enable, Disable, Retire, or Unretire button. 

Notice the status changed in the Enabled or the Retired column. A yellow icon appears for the signature(s) in the column next to Enabled. The yellow icon means changes have been made to the signature, but have not been applied. Click the Apply Changes button to make the changes take effect. 

Retire/unretire is to select/de-select which signatures are being used by IOS IPS to scan traffic. 

Retiring a signature means IOS IPS will NOT compile that signature into memory for scanning. 

Unretiring a signature instructs IOS IPS to compile the signature into memory and use the signature to scan traffic. 

Enable/disable does NOT select/de-select signatures to be used by IOS IPS. 

Enabling a signature means that when triggered by a matching packet (or packet flow), the signature takes the appropriate action associated with it. However, only unretired AND successfully compiled signatures will take the action when they are enabled. In other words, if a signature is retired, even though it is enabled, it will not be compiled (because it is retired) and it will not take the action associated with it. 

Disabling a signature means that when triggered by a matching packet (or packet flow), the signature DOES NOT take the appropriate action associated with it. In other words, when a signature is disabled, even though it is unretired and successfully compiled, it will not take the action associated with it. 


Q160. - (Topic 2) 

Refer to the exhibit. 

What does the option secret 5 in the username global configuration mode command indicate about the user password? 

A. It is hashed using SHA. 

B. It is encrypted using DH group 5. 

C. It is hashed using MD5. 

D. It is encrypted using the service password-encryption command. 

E. It is hashed using a proprietary Cisco hashing algorithm. 

F. It is encrypted using a proprietary Cisco encryption algorithm. 

Answer: C 

Explanation:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/120s_md5.html

Feature Overview

Using the Enhanced Password Security feature, you can configure MD5 encryption for username passwords. Before the introduction of this feature there were two types of passwords associated with usernames. Type 0 is a clear text password visible to any user who has access to privileged mode on the router. Type 7 is a password with a weak, exclusive-or type encryption. Type 7 passwords can be retrieved from the encrypted text by using publicly available tools.

MD5 encryption is a one-way hash function that makes reversal of an encrypted password impossible, providing strong encryption protection. Using MD5 encryption, you cannot retrieve clear text passwords. MD5 encrypted passwords cannot be used with protocols that require that the clear text password be retrievable, such as Challenge Handshake Authentication Protocol (CHAP).

Use the username (secret) command to configure a user name and an associated MD5 encrypted secret.

Configuring Enhanced Security Password

Router(config)# username name secret 0 password

Configures a username and encrypts a clear text password with MD5 encryption.

or

Router(config)# username name secret 5 encrypted-secret

Configures a username and enters an MD5 encrypted text string which is stored as the MD5 encrypted password for the specified username.