Cisco 642-566 Exam - PassITexam.com
Free 642-566 Sample Questions:
1. What is the primary reason that GET VPN is not deployed over the public Internet?
A. because GET VPN supports re-keying using multicast only
B. because GET VPN preserves the original source and destination IP addresses, which may be private addresses that are not routable over the Internet
C. because GET VPN uses IPsec transport mode, which would expose the IP addresses to the public if using the Internet
D. because the GET VPN group members use multicast to register with the key servers
E. because the GET VPN key servers and group members require a secure path to exchange the Key Encryption Key (KEK) and the Traffic Encryption Key (TEK)
2. Which is used to authenticate remote IPsec VPN users?
C. mode configuration
D. single sign-on (SSO)
E. Diffie-Hellman (DH)
F. pre-shared key
3. Which three security components can be found in today's typical single-tier firewall system? (Choose three.)
A. Stateful Packet Filtering with Application Inspection and Control
C. Network Admission Control
D. application proxy
E. Cache engine
F. server load balancing
Answer: A, B, D
4. When implementing point-to-point secure WAN solutions over the Internet, which alternative Cisco IOS method is available if GRE-over-IPsec tunnels cannot be used?
A. Virtual Routing Forwardings (VRFs)
B. Virtual Tunnel Interfaces (VTIs)
C. dynamic crypto maps
D. GET VPN
5. Which three are correct guidelines when using separation to secure the enterprise data center? (Choose three.)
A. Separate exposed services' resources into security domains, as granularly as possible.
B. Use DMZ to host exposed services.
C. Always prefer logical separation to physical separation.
D. Use multiple firewall tiers for defense in depth.
E. Use IDS instead of IPS for better performance.
Answer: A, B, D
6. What is used to enable IPsec usage across Port Address Translation (PAT) devices?
A. port forwarding
B. static NAT/PAT
D. IPsec tunnel mode
7. Which algorithm is recommended for implementing automatic symmetric key exchange over an unsecured channel?
A. public key infrastructure (PKI)
B. Diffie-Hellman (DH)
C. RSA
D. EAP
8. Which Cisco software agent uses content scanning to identify sensitive content and controls the transfer of sensitive content off the local endpoint over removable storage, locally or network-attached hardware, or network
A. Cisco Trust Agent 2.0
B. Cisco NAC Appliance Agent 4.1.3
C. Cisco NAC Appliance Web Agent 1.0
D. Cisco Security Agent 6.0
E. Cisco IronPort Agent 3.0
9. The LWAPP protocol supports which type of native encryption?
10. Which three benefits does DMVPN offer? (Choose three.)
A. supports spokes that use dynamic IP addresses
B. supports IP unicast and multicast traffic
C. supports native routing protocols over the tunnels
D. is available on Cisco IOS routers and on Cisco ASA security appliances
E. provides tunnel-less any-to-any connectivity
F. has less overhead than GRE over IPsec
Answer: A, B, C
11. Pharming attacks, which are used to fool users into submitting sensitive information to malicious servers, typically involve which attack method?
A. ARP poisoning
B. DNS cache poisoning
C. DHCP exhaustion
D. DHCP server spoofing
E. IP spoofing
12. Which statement regarding the hybrid user authentication model for remote-access IPsec VPNs is correct?
A. VPN servers authenticate by using pre-shared keys, and users authenticate by using usernames and passwords.
B. VPN servers authenticate by using digital certificates, and users authenticate by using usernames and passwords.
C. VPN servers authenticate by using digital certificates, and users authenticate by using pre-shared keys.
D. VPN servers and users authenticate by using digital certificates.
E. VPN servers and users authenticate by using pre-shared keys.
13. Which protocol is used to allow the utilization of Cisco Wide Area Application Engines or Cisco IronPort S-Series web security appliances to localize web traffic patterns in the network and to enable the local fulfillment of content requests?
14. What is implemented on Cisco IP Phones so that they can authenticate themselves before gaining network access?
A. Cisco Secure Services Client
B. Cisco NAC Appliance Agent (NAA)
C. IEEE 802.1X supplicant
D. AAA client
E. Cisco Security Agent
F. one-time password
15. What is the difference between hashing and Hashed Message Authentication Code (HMAC) algorithms?
A. HMAC provides non-repudiation service.
B. Hashing protects against man-in-the-middle attacks.
C. With hashing, the original data can be recovered, given only its digest.
D. HMAC uses an asymmetric key; hashing uses a symmetric key.
E. HMAC uses an additional secret key as the input to the hash function.