QUESTION 96
John is the administrator working on configuring the authentication proxy feature. He is not sure what the authentication proxy feature does on the Cisco IOS Firewall.
A. Use a general policy applied across multiple Certkiller Inc. users
B. Use a single security policy that is applied to an entire user group or subnet at Certkiller Inc.
C. Apply specific security policies on a per-user basis at Certkiller Inc.
D. Keep the Certkiller Inc. user profiles active even where there is no active traffic from the authenticated users.
Correct Answer: C
Explanation/Reference:
The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and related authorized access was associated with a user’s IP address, or a single security policy had to be applied to an entire user group or sub network. Now, users can be identified and authorized on the basis of their per-user policy, and access privileges tailored on an individual basis are possible, as opposed to general policy applied across multiple users. With the authentication proxy feature, users can log in to the network or access the Internet via HTTP, and their specific access profiles are automatically retrieved and applied from a CiscoSecureACS, or other RADIUS, or TACACS+ authentication server. The user profiles are active only when there is active traffic from the authenticated users.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d981d.ht
QUESTION 97
John is the administrator working on configuring the authentication proxy feature. He is not sure what the authentication proxy feature does on the Cisco IOS Firewall.
A. Creates specific security policies for each user with Cisco Secure ACS, dynamic, per-user authentication and authorization.
B. Creates specific authorization policies for each user with Cisco Secure ACS, dynamic, per-user security and authorization.
C. Provides additional visibility at intranet, extranet, and Internet perimeters.
D. Provides secure, per-application access control across network perimeters.
Correct Answer: A
Explanation/Reference:
Explanation: The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and related authorized access was associated with a user’s IP address, or a single security policy had to be applied to an entire user group or sub network. Now, users can be identified and authorized on the basis of their per-user policy, and access privileges tailored on an individual basis are possible, as opposed to general policy applied across multiple users. With the authentication proxy feature, users can log in to the network or access the Internet via HTTP, and their specific access profiles are automatically retrieved and applied from a CiscoSecureACS, or other RADIUS, or TACACS+ authentication server. The user profiles are active only when there is active traffic from the authenticated users.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d981d.ht
QUESTION 98
Certkiller Inc. just hired a new security administrator named Paul. He is working on authentication proxy for his first project. He does not know how the user triggers the authentication proxy after the idle timer expires. Which one of these answers is the right answer?
A. Authenticates the user.
B. Initiates another HTTP session.
C. Enters a new username and password.
D. Enters a valid username and password.
Correct Answer: B
Explanation/Reference:
How the Authentication Proxy Works
When a user initiates an HTTP session through the firewall, the authentication proxy is triggered. The authentication proxy first checks to see if the user has been authenticated. If a valid authentication entry exists for the user, the connection is completed with no further intervention by the authentication proxy. If no entry exists, the authentication proxy responds to the HTTP connection request by prompting the user for a username and password.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d981d.ht
QUESTION 99
John, the security administrator, is having issues with the IOS Firewall authentication proxy. He needs to know what the default idle time of an enabled IOS Firewall authentication proxy is before he can start using it.
A. 60 minutes
B. 5 seconds
C. 60 seconds
D. 5 minutes
Correct Answer: A
Explanation/Reference:
Explanation:
ip auth-proxy auth-cache-time min – Sets the global authentication proxy idle timeout value in minutes. If the timeout expires, user authentication entries are removed, along with any associated dynamic access lists. The default value is 60 minutes.
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide_chapter09186a00800a17ec.html
QUESTION 100
John and Kathy are the security administrators at Certkiller Inc. with one job left for the day. They have to select the three RADIUS servers supported by the Cisco IOS Firewall authentication proxy. Which three are the correct answers? (Choose three)
A. Oracle
B. DB2
C. Cisco Secure ACS for Windows NT/2000
D. Cisco Secure ACS for UNIX
E. Lucent
F. TACACS+
Correct Answer: CDE
Explanation/Reference:
Explanation:
The supported AAA servers are CiscoSecure ACS 2.3 for Windows NT, CiscoSecure ACS 2.3 for UNIX,
TACACS+ server (vF4.02.alpha), Ascend RADIUS server – radius-980618 (required avpair patch), and
Livingston (now Lucent), RADIUS server (v1.16).
Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide_chapter09186a00800a17ec.html
QUESTION 101
In which of the following ways will the proxy respond to HTTP if no valid authentication entry exists in the authentication?
A. Proxy will prompt the user for user name
B. Proxy will prompt the user for password
C. Proxy will prompt the user for user and password
D. Proxy will send an alert to the Cisco Secure ACS server
Correct Answer: C
Explanation/Reference:
Cisco Self-Study CCSP SECUR page 257
QUESTION 102
Which of the following situations brought on by a user will trigger the authentication proxy on the Cisco firewall?
A. When a user initiates an inbound interface
B. When a user logs on through the firewall
C. When a user initiates an FTP session through the firewall
D. When a user initiates an HTTP session through the firewall
Correct Answer: D
Explanation/Reference:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdauthp.htm
QUESTION 103
In which location are access profiles stored with the authentication proxy features of the Cisco IOS Firewall?
A. Cisco router
B. Cisco VPN Concentrator
C. PIX Firewall
D. Cisco Secure ACS authentication server
Correct Answer: D
Explanation/Reference:
With the authentication proxy feature, users can log in to the network or access the Internet via HTTP, and their specific access profiles are automatically retrieved and applied from a Cisco Secure ACS, or other RADIUS, or TACACS+ authentication server. The access profile is stored on the ACS; you define access-list entries in ACS, which are transferred to the router upon successful authentication (and deleted when the session ends).
QUESTION 104
Which of the following factors will act as triggers for the authentication proxy on the Cisco IOS Firewall?
A. user initiating inbound interface
B. user initiating login through the firewall
C. user initiating an FTP session through the firewall
D. user initiating an HTTP session through the firewall
Correct Answer: D
Explanation/Reference:
Explanation:
Unlike many Cisco IOS firewall functions, authentication proxy is not a service that is transparent to the user. On the contrary, it requires user interaction. The authentication proxy is triggered when the user initiates an HTTP session through the Cisco IOS firewall. The firewall checks to see whether the user has already been authenticated. If the user has previously authenticated, it allows the connection. If the user has not previously authenticated, the firewall prompts the user for a username and password and verifies the user input with a TACACS+ or RADIUS server.
Reference:
CCSP student guide p.255
QUESTION 105
Which of the following correctly sets the IOS Firewall authentication-proxy idle timer to 20 minutes?
A. ip auth-proxy auth-cache 20
B. ip auth-proxy auth-time 20
C. ip auth-proxy auth-cache-time 20
D. ip auth-proxy idle 20
E. ip auth-proxy idle timer 20
Correct Answer: C
Explanation/Reference:
Explanation:
Use the global configuration mode command ip auth-proxy auth-cache-time (minutes) to determine the
acceptable idle period for users authenticated through the IOS Firewall before they must re-authenticate.
QUESTION 106
Which of the following configures an authentication proxy rule for the IOS Firewall?
A. ip inspect-proxy name proxyname http
B. ip auth-proxy name proxyname http
C. ip auth-rule proxyname http
D. ip proxy-name proxyname http
Correct Answer: B
Explanation/Reference:
Explanation:
Create an authentication proxy rule with the global configuration mode command ip auth-proxy name
(name) http. Apply the proxy rule to an interface to force users to authenticate through the firewall.
QUESTION 107
Kathy the security administrator was given the following configuration statement. After looking at the command, she knows three statements are true. Which three are correct statements? (Choose three)
Router(config)#aaa accounting network wait-start radius
A. The accounting records are stored in a TACACS+ server.
B. Stop-accounting records for network service requests are sent to the TACACS+ server.
C. The accounting records are stored on a RADIUS server.
D. Start-accounting records for network service requests are sent to the local database.
E. Stop-accounting records for network service requests are sent to the RADIUS server.
F. The requested service cannot start until the acknowledgment has been received from the RADIUS server.
Correct Answer: CEF
Explanation/Reference:
Explanation:
Router(config)#aaa accounting network wait-start radius
aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} tacacs+
* Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.
* network – Enables accounting for all network-related requests, including SLIP, PPP, PPP network control protocols, and ARAP.
* wait-start – This keyword causes both a start and stop accounting record to be sent to the accounting server. However, the requested user service does not begin until the start accounting record is acknowledged. A stop accounting record is also sent.
QUESTION 108
Study the Exhibit below carefully:
Certkiller Router(config)#aaa account network wait-start radius
According to the configuration statement in the exhibit, which of the following statements are valid? Choose all that apply.
A. The accounting records are stored on a RADIUS server.
B. Start-accounting records for network service requests are sent to the local database.
C. Stop-accounting records for network service requests are sent to the RADIUS server.
D. The accounting records are stored on a TACACS+ server.
E. Stop-accounting records for network service requests are sent to the TACACS+ server.
F. The requested service cannot start until the acknowledgment has been received from the RADIUS server.
Correct Answer: ACF
Explanation/Reference:
Explanation:
Router(config)#aaa accounting network wait-start radius
aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} tacacs+
* Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.
* network – Enables accounting for all network-related requests, including SLIP, PPP, PPP network control protocols, and ARAP.
* wait-start – This keyword causes both a start and stop accounting record to be sent to the accounting server. However, the requested user service does not begin until the start accounting record is acknowledged. A stop accounting record is also sent.
QUESTION 109
Which of the following authorization commands are valid? (Choose two.)
A. aaa authentication exec home radius
B. aaa accounting exec home radius
C. aaa authorization default none
D. aaa authorization exec home radius
E. aaa authorization network default enable
F. aaa authorization network default local
Correct Answer: CF
Explanation/Reference:
aaa authorization {network | exec | command level | reverse-access | configuration} {default | list-name} method1 [method2 [method3]]
Methods:
=> Group: use the TACACS+ or RADIUS server
=> If-authenticated: allows the user to access the requested function if the user is authenticated
=> Krb5: uses the instance defined by the Kerberos instance map
=> Local: use the local database for authorization
=> None: no authorization is performed
Reference: CCSP Self-Study Securing Cisco IOS Network (Secur), CiscoPress.com, John F Roland, Page 102
QUESTION 110
Which of the following router commands enables the AAA process?
A. aaa new-model
B. aaa setup-dbase
C. aaa config-login
D. aaa server-sync
Correct Answer: A
Explanation/Reference:
Explanation:
The router global configuration command aaa new-model, enables aaa (radius, tacacs+) configuration
commands on the router, and disables tacacs and xtacacs.
QUESTION 111
John is the administrator at Certkiller Inc. and his assignment today is to find the two types of signature
implementations that the IOS Firewall IDS can detect.
Which two are correct? (Choose two)
A. Atomic
B. Compound
C. Dynamic
D. Regenerative
E. Cyclical
F. Complex
Correct Answer: AB
Explanation/Reference:
Explanation:
Cisco IOS Firewall IDS Signature List
The following is a complete list of Cisco IOS Firewall IDS signatures. A signature detects patterns of misuse in network traffic. In Cisco IOS Firewall IDS, signatures are categorized into four types:
1. Info Atomic
2. Info Compound
3. Attack Atomic
4. Attack Compound
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c6.ht
QUESTION 112
James the administrator of Certkiller Inc. is working on the IDS for the network. He needs to know what kind of signatures trigger on a single packet. (Choose one)
A. Regenerative
B. Cyclical
C. Dynamic
D. Atomic
E. Compound
Correct Answer: D
Explanation/Reference:
Signature structure: The signature structure indicates whether the signature implementation is either content or composite. Atomic signatures occur in a single packet, whereas composite signatures can be spread across multiple packets.
Reference:
Cisco Secure Intrusion Detection System (Ciscopress) page 192
QUESTION 113
What type of IDS attack is spread out over multiple packets?
A. atomic
B. arbitrary
C. aggregate
D. compound
Correct Answer: D
Explanation/Reference:
Explanation:
When an IDS signature attack uses multiple packets, it’s called a compound attack. For the IOS Firewall to
detect this type of attack, it must keep suspicious packets in memory to follow up on later packets of the
session to see if it is an actual attack.
QUESTION 114
Which of the following commands correctly sets the IOS Firewall IDS spam threshold?
A. ip audit smtp spam 500
B. ip audit smtp spam 500 notify
C. ip audit smtp name spam 500
D. ip audit ids spam 500
Correct Answer: A
Explanation/Reference:
Explanation:
Set the threshold at which a spam alarm is triggered for the number of recipients in an email with the ip
audit smtp spam (number) command.
QUESTION 115
Which of the following commands can be used to verify your IOS Firewall IDS configuration? Select all that apply.
A. show ip audit attack
B. show ip audit statistics
C. show ip audit all
D. show ip audit tcp
E. show ip audit info
Correct Answer: BC
Explanation/Reference:
Explanation:
To verify your IOS Firewall IDS configuration there are six options with the show ip audit command: all,
configuration, interfaces, name, sessions, and statistics.