web analytics
Skip to content

[Free-Dumps] Newest 400-251 Exam Questions Ensure 100% Exam Passing From PassLeader (Question 1 – Question 30)

New Updated 400-251 Exam Questions from PassLeader 400-251 PDF dumps! Welcome to download the newest PassLeader 400-251 VCE dumps: http://www.passleader.com/400-251.html (366 Q&As)

Keywords: 400-251 exam dumps, 400-251 exam questions, 400-251 VCE dumps, 400-251 PDF dumps, 400-251 practice tests, 400-251 study guide, 400-251 braindumps, CCIE Security Exam

p.s. Free 400-251 dumps download from Google Drive: https://drive.google.com/open?id=0B-ob6L_QjGLpd3JLalNVS0VWbms

QUESTION 1
According to OWASP guidelines, what is the recommended method to prevent cross-site request forgery?

A.    Allow only POST requests.
B.    Mark all cookies as HTTP only.
C.    Use per-session challenge tokens in links within your web application.
D.    Always use the "secure" attribute for cookies.
E.    Require strong passwords.

Answer: C

QUESTION 2
What is the maximum pattern length supported by FPM searches within a packet?

A.    256 bytes
B.    128 bytes
C.    512 bytes
D.    1500 bytes

Answer: A

QUESTION 3
Which two statements about role-based access control are true? (Choose two.)

A.    Server profile administrators have read and write access to all system logs by default.
B.    If the same user name is used for a local user account and a remote user account, the roles defined in the remote user account override the local user account.
C.    A view is created on the Cisco IOS device to leverage role-based access controls.
D.    Network administrators have read and write access to all system logs by default.
E.    The user profile on an AAA server is configured with the roles that grant user privileges.

Answer: DE

QUESTION 4
Which three global correlation feature can be enabled from cisco IPD device manager (Cisco IDM)? (Choose three.)

A.    Network Reputation
B.    Global Data Interaction
C.    Signature Correlation
D.    Reputation Filtering
E.    Global Correlation Inspection
F.    Data Contribution
G.    Reputation Assignment

Answer: CDE

QUESTION 5
According to RFC 4890, which three message must be dropped at the transit firewall/router? (Choose three.)

A.    Router Renumbering (Type 138)
B.    Node Information Query (Type 139)
C.    Router Solicitation (Type 133)
D.    Node information Response (Type 140)
E.    Router Advertisement (Type 134)
F.    Neighbor Solicitaion (Type 135)

Answer: ABD

QUESTION 6
What is the effect of the following command on Cisco IOS router?
ip dns spoofing 1.1.1.1

A.    The router will respond to the DNS query with its highest loopback address configured
B.    The router will respond to the DNS query with 1.1.1.1 if the query id for its own hostname
C.    The router will respond to the DNS query with the IP address of its incoming interface for any hostname query
D.    The router will respond to the DNS query with the IP address of its incoming interface for its own hostname

Answer: D

QUESTION 7
Which two options are differences between automation and orchestration? (Choose two.)

A.    Automation is to be used to replace human intervention
B.    Automation is focused on automating a single or multiple tasks
C.    Orchestration is focused on an end-to-end process or workflow
D.    Orchestration is focused on multiple technologies to be integrated together
E.    Automation is an IT workflow composed of tasks, and Orchestration is a technical task

Answer: BC

QUESTION 8
Refer to the exhibit. What is the effect of the given configuration?

A.    It sets the duplicate address detection interval to 60 second and sets the IPv6 neighbor reachable time to 3600 milliseconds.
B.    It sets the number of neighbor solicitation massages to 60 and sets the retransmission interval to 3600 milliseconds.
C.    It sets the number of duplicate address detection attempts to 60 and sets the duplicate address detection interval to 3600 millisecond.
D.    It sets the number of neighbor solicitation massage to 60 and set the duplicate address detection interval to 3600 second.
E.    It sets the duplicate address detection interval to 60 second and set the IPv6 neighbor solicitation interval to 3600 millisecond.

Answer: E

QUESTION 9
What are two characteristics of RPL, used in loT environments? (Choose two.)

A.    It is an Exterior Gateway Protocol
B.    It is a Interior Gateway Protocol
C.    It is a hybrid protocol
D.    It is link-state protocol
E.    It is a distance-vector protocol

Answer: BE

QUESTION 10
In a Cisco ASA multiple-context mode of operation configuration, what three session types are resource-limited by default when their context is a member of the default class? (Choose three.)

A.    Telnet sessions
B.    ASDM sessions
C.    IPSec sessions
D.    SSH sessions
E.    TCP sessions
F.    SSL VPN sessions

Answer: ABD

QUESTION 11
Drag and Drop Question
Drag each OSPF security feature on the left to its description on the right.

Answer:

QUESTION 12
Which VPN technology is based on GDOI (RFC 3547)?

A.    MPLS Layer 3 VPN
B.    MPLS Layer 2 VPN
C.    GET VPN
D.    IPsec VPN

Answer: C

QUESTION 13
Which statement about the 3DES algorithm is true?

A.    The 3DES algorithm uses the same key for encryption and decryption.
B.    The 3DES algorithm uses a public-private key pair with a public key for encryption and a private key for decryption.
C.    The 3DES algorithm is a block cipher.
D.    The 3DES algorithm uses a key length of 112 bits.
E.    The 3DES algorithm is faster than DES due to the shorter key length.

Answer: C

QUESTION 14
Which significant change to PCI DSS standards was made in PCI DSS version 3.1?

A.    No version of TLS is now considered to provide strong cryptography.
B.    Storage of sensitive authentication data after authorization is now permitted when proper encryption is applied.
C.    Passwords are now required to be changed at least once every 30 days.
D.    SSL is now considered a weak cryptographic technology.
E.    If systems that are vulnerable to POODLE are deployed in an organization, a patching and audit review process must be implemented.

Answer: D

QUESTION 15
Refer to the Exhibit, what is a possible reason for the given error?

A.    One or more require application failed to respond.
B.    The IPS engine is busy building cache files.
C.    The IPS engine I waiting for a CLI session to terminate.
D.    The virtual sensor is still initializing.

Answer: D

QUESTION 16
Which three statements about the keying methods used by MAC Sec are true? (Choose three.)

A.    MKA is implemented as an EAPoL packet exchange.
B.    SAP is enabled by default for Cisco TrustSec in manual configuration mode.
C.    SAP is supported on SPAN destination ports.
D.    Key management for host-to-switch and switch-to-switch MACSec sessions is provided by MKA.
E.    SAP is not supported on switch SVIs.
F.    A valid mode for SAP is NULL.

Answer: ABF

QUESTION 17
Which two statements about Cisco ASA authentication using LDAP are true? (Choose two.)

A.    It uses attribute maps to map the AD memberOf attribute to the cisco ASA Group-Poilcy attribute
B.    It uses AD attribute maps to assign users to group policies configured under the WebVPN context
C.    The Cisco ASA can use more than one AD memberOf attribute to match a user to multiple group policies
D.    It can assign a group policy to a user based on access credentials
E.    It can combine AD attributes and LDP attributes to configure group policies on the Cisco ASA
F.    It is a closed standard that manages directory-information services over distributed networks

Answer: AB

QUESTION 18
Drag and Drop Question
Drag each IPS signature engine on the left to its description on the right.

Answer:

QUESTION 19
With this configuration you notice that the IKE and IPsec SAs come up between the spoke and the hub, but NHRP registration fails Registration will continue to fail until you do which of these?

A.    Modify the NHRP network IDs to match on the hub and spoke.
B.    configure the ip nhrp caches non-authoritative command on the hub’s tunnel interface.
C.    modify the tunnel keys to match on the hub and spoke.
D.    modify the NHRP hold time to match on the hub and spoke.

Answer: C

QUESTION 20
Which three statements are true regarding Security Group Tags? (Choose three.)

A.    When using the Cisco ISE solution, the Security Group Tag gets defined as a separate authorization result.
B.    When using the Cisco ISE solution, the Security Group Tag gets defined as part of a standard authorization profile.
C.    Security Group Tags are a supported network authorization result using Cisco ACS 5.x.
D.    Security Group Tags are a supported network authorization result for 802.1X, MAC Authentication Bypass, and WebAuth methods of authentication.
E.    A Security Group Tag is a variable length string that is returned as an authorization result.

Answer: ACD

QUESTION 21
Refer to the exhibit which two statement about the given IPV6 ZBF configuration are true? (Choose two.)

A.    It provides backward compability with legacy IPv6 inspection.
B.    It inspect TCP, UDP,ICMP and FTP traffic from Z1 to Z2.
C.    It inspect TCP, UDP,ICMP and FTP traffic from Z2 to Z1.
D.    It inspect TCP,UDP,ICMP and FTP traffic in both direction between z1 and z2.
E.    It passes TCP, UDP,ICMP and FTP traffic from z1 to z2.
F.    It provide backward compatibility with legacy IPv4 inseption.

Answer: AB

QUESTION 22
In which class of applications security threads does HTTP header manipulation reside?

A.    Session management
B.    Parameter manipulation
C.    Software tampering
D.    Exception managements

Answer: A

QUESTION 23
What is the most commonly used technology to establish an encrypted HTTP connection?

A.    the HTTP/1.1 Upgrade header
B.    the HTTP/1.0 Upgrade header
C.    Secure Hypertext Transfer Protocol
D.    HTTPS

Answer: D

QUESTION 24
What functionality is provided by DNSSEC?

A.    origin authentication of DNS data
B.    data confidentiality of DNS queries and answers
C.    access restriction of DNS zone transfers
D.    storage of the certificate records in a DNS zone file

Answer: A

QUESTION 25
What are the two mechanism that are used to authenticate OSPFv3 packets?(Choose two.)

A.    MD5
B.    ESP
C.    PLAIN TEXT
D.    AH
E.    SHA

Answer: BD

QUESTION 26
You have been asked to configure a Cisco ASA appliance in multiple mode with these settings:
(A) You need two customer contexts, named contextA and contextB
(B) Allocate interfaces G0/0 and G0/1 to contextA
(C) Allocate interfaces G0/0 and G0/2 to contextB
(D) The physical interface name for G0/1 within contextA should be "inside"
(E) All other context interfaces must be viewable via their physical interface names
If the admin context is already defined and all interfaces are enabled, which command set will complete this configuration?

A.    context contextA
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/1 inside
context contextB
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/2 visible
B.    context contexta
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/1 inside
context contextb
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/2 visible
C.    context contextA
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0 invisible
allocate-interface GigabitEthernet0/1 inside
context contextB
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/0 invisible
allocate-interface GigabitEthernet0/2 invisible
D.    context contextA
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1 inside
context contextB
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/2
E.    context contextA
config-url disk0:/contextA.cfg
allocate-interface GigabitEthernet0/0 visible
allocate-interface GigabitEthernet0/1 inside
context contextB
config-url disk0:/contextB.cfg
allocate-interface GigabitEthernet0/1 visible
allocate-interface GigabitEthernet0/2 visible

Answer: A

QUESTION 27
Which statement about the cisco anyconnect web security module is true?

A.    It is VPN client software that works over the SSl protocol.
B.    It is an endpoint component that is used with smart tunnel in a clientless SSL VPN.
C.    It operates as an NAC agent when it is configured with the Anyconnect VPN client.
D.    It is deployed on endpoints to route HTTP traffic to SCANsafe.

Answer: D

QUESTION 28
Which two statements about the SeND protocol are true? (Choose two.)

A.    It uses IPsec as a baseline mechanism
B.    It supports an autoconfiguration mechanism
C.    It must be enabled before you can configure IPv6 addresses
D.    It supports numerous custom neighbor discovery messages
E.    It counters neighbor discovery threats
F.    It logs IPv6-related threats to an external log server

Answer: BE

QUESTION 29
Drag and Drop Question
Drag each attack type on the left to the matching attack category on the right.

Answer:

QUESTION 30
Refer to the exhibit. You executed the show crypto key mypubkey rsa command to verify that the RSA key is protected and it generated the given output. What command must you have entered to protect the key?

A.    crypto key decrypt rsa name pki.cisco.com passphrase CiscoPKI
B.    crypto key zeroize rsa CiscoPKI
C.    crypto key export ras pki.cisco.com pem url flash: 3des CiscoPKI
D.    crypto key lock rsa name pki.cisco.com passphrase CiscoPKI
E.    crypto key import rsa pki.cisco.com pem url nvram: CiscoPKI

Answer: D


Download the newest PassLeader 400-251 dumps from passleader.com now! 100% Pass Guarantee!

400-251 PDF dumps & 400-251 VCE dumps: http://www.passleader.com/400-251.html (366 Q&As) (New Questions Are 100% Available and Wrong Answers Have Been Corrected! Free VCE simulator!)

p.s. Free 400-251 dumps download from Google Drive: https://drive.google.com/open?id=0B-ob6L_QjGLpd3JLalNVS0VWbms

Comments are closed, but trackbacks and pingbacks are open.