
All that matters here is passing the Cisco 640-554 exam, and all you need is a high score on the 640-554 Implementing Cisco IOS Network Security (IINS v2.0) exam. The only thing you need to do is download the Actualtests 640-554 exam study guides now. We will not let you down with our money-back guarantee.

2021 Nov ccna security 640-554 official cert guide pdf download:

Q71. - (Topic 10) 

Which command configures logging on a Cisco ASA firewall to include the date and time? 

A. logging facility 

B. logging enable 

C. logging timestamp 

D. logging buffered debugging 

Answer:


Q72. - (Topic 6) 

Which type of Layer 2 attack causes a switch to flood all incoming traffic to all ports?

A. MAC spoofing attack 

B. CAM overflow attack 

C. VLAN hopping attack 

D. STP attack 

Answer:

Explanation: 

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603836.html

Summary

The MAC Address Overflow attack is effective if the proper mitigation techniques are not in place on the Cisco Catalyst 6500 series switch. By using publicly available (free) Layer 2 attack tools found on the Internet, anyone who understands how to set up and run these tools could potentially launch an attack on your network.

MAC address monitoring is a feature present on Cisco Catalyst 6500 Series switches. This feature helps mitigate MAC address flooding and other CAM overflow attacks by limiting the total number of MAC addresses learned by the switch on a per-port or per-VLAN basis. With MAC Address Monitoring, a maximum threshold for the total number of MAC addresses can be configured and enforced on a per-port and/or per-VLAN basis.

MAC address monitoring in Cisco IOS Software allows the definition of a single upper (maximum) threshold. In addition, the number of MAC addresses learned can only be monitored on a per-port or per-VLAN basis, and not on a per-port-per-VLAN basis. By default, MAC address monitoring is disabled in Cisco IOS Software. However, the maximum threshold for all ports and VLANs is configured to 500 MAC address entries, and when the threshold is exceeded the system is set to generate a system message along with a syslog trap. These default values take effect only when MAC address monitoring is enabled. The system can be configured to notify or disable the port or VLAN every time the number of learned MAC addresses exceeds the predefined threshold. In our test, we used the "mac-address-table limit" command on the access layer port interface to configure the MAC address monitoring feature.


Q73. - (Topic 4) 

How are Cisco IOS access control lists processed? 

A. Standard ACLs are processed first. 

B. The best match ACL is matched first.

C. Permit ACL entries are matched first before the deny ACL entries. 

D. ACLs are matched from top down. 

E. The global ACL is matched first before the interface ACL. 

Answer:

Explanation: 

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Process ACLs

Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted. A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked. These two ACLs (101 and 102) have the same effect.


Q74. - (Topic 1) 

Which four methods are used by hackers? (Choose four.) 

A. footprint analysis attack 

B. privilege escalation attack 

C. buffer Unicode attack 

D. front door attacks 

E. social engineering attack 

F. Trojan horse attack 

Answer: A,B,E,F 

Explanation: 

https://learningnetwork.cisco.com/servlet/JiveServlet/download/15823-1-57665/CCNA%20Security%20(640-554)%20Portable%20Command%20Guide_ch01.pdf 

Thinking Like a Hacker

The following seven steps may be taken to compromise targets and applications:

Step 1: Perform footprint analysis. Hackers generally try to build a complete profile of a target company’s security posture using a broad range of easily available tools and techniques. They can discover organizational domain names, network blocks, IP addresses of systems, ports, services that are used, and more.

Step 2: Enumerate applications and operating systems. Special readily available tools are used to discover additional target information. Ping sweeps use Internet Control Message Protocol (ICMP) to discover devices on a network. Port scans discover TCP/UDP port status. Other tools include Netcat, Microsoft EPDump and Remote Procedure Call (RPC) Dump, GetMAC, and software development kits (SDKs).

Step 3: Manipulate users to gain access. Social engineering techniques may be used to manipulate target employees to acquire passwords. They may call or email them and try to convince them to reveal passwords without raising any concern or suspicion.

Step 4: Escalate privileges. To escalate their privileges, a hacker may attempt to use Trojan horse programs and get target users to unknowingly copy malicious code to their corporate system.

Step 5: Gather additional passwords and secrets. With escalated privileges, hackers may use tools such as the pwdump and LSADump applications to gather passwords from machines running Windows.

Step 6: Install back doors. Hackers may attempt to enter through the “front door,” or they may use “back doors” into the system. The backdoor method means bypassing normal authentication while attempting to remain undetected. A common backdoor point is a listening port that provides remote access to the system.

Step 7: Leverage the compromised system. After hackers gain administrative access, they attempt to hack other systems.


Q75. - (Topic 1) 

In a brute-force attack, what percentage of the keyspace must an attacker generally search through until he or she finds the key that decrypts the data?

A. Roughly 50 percent 

B. Roughly 66 percent 

C. Roughly 75 percent 

D. Roughly 10 percent 

Answer:


Q76. - (Topic 5) 

Which syslog level is associated with LOG_WARNING? 

A. 1 

B. 2 

C. 3 

D. 4 

E. 5 

F. 6 

G. 7 

H. 0 

Answer:


Q77. - (Topic 10) 

Refer to the exhibit. 

What type of firewall would use the given configuration line? 

A. a stateful firewall 

B. a personal firewall 

C. a proxy firewall 

D. an application firewall 

E. a stateless firewall 

Answer:


Q78. - (Topic 4) 

Which type of Cisco IOS access control list is identified by 100 to 199 and 2000 to 2699? 

A. standard 

B. extended 

C. named 

D. IPv4 for 100 to 199 and IPv6 for 2000 to 2699 

Answer:

Explanation: 

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html

ACL Numbers

The number you use to denote your ACL shows the type of access list that you are creating. Table 23-2 lists the access list number and corresponding type and shows whether or not they are supported by the switch. The Catalyst 2950 switch supports IP standard and IP extended access lists, numbers 1 to 199 and 1300 to 2699.

1-99: IP standard access list

100-199: IP extended access list

200-299: Protocol type-code access list

300-399: DECnet access list

400-499: XNS standard access list

500-599: XNS extended access list

600-699: AppleTalk access list

700-799: 48-bit MAC address access list

800-899: IPX standard access list

900-999: IPX extended access list

1000-1099: IPX SAP access list

1100-1199: Extended 48-bit MAC address access list

1200-1299: IPX summary address access list

1300-1999: IP standard access list (expanded range)

2000-2699: IP extended access list (expanded range)


Q79. - (Topic 10) 

What are three features of IPsec tunnel mode? (Choose three.) 

A. IPsec tunnel mode supports multicast. 

B. IPsec tunnel mode is used between gateways. 

C. IPsec tunnel mode is used between end stations. 

D. IPsec tunnel mode supports unicast traffic. 

E. IPsec tunnel mode encrypts only the payload. 

F. IPsec tunnel mode encrypts the entire packet. 

Answer: B,D,F 


Q80. - (Topic 2) 

Scenario: 

You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question.

Which policy is assigned to Zone Pair sdm-zip-OUT-IN? 

A. Sdm-cls-http 

B. OUT_SERVICE 

C. Ccp-policy-ccp-cls-1 

D. Ccp-policy-ccp-cls-2 

Answer: