642-584 Security Solutions for Systems Engineers

Question 1

Which two statements about the capabilities of the Cisco AnyConnect 3.0 Secure Mobility
Client for Windows are true? (Choose two.)

  • A. It supports always-on connectivity by automatically establishing a VPN connection as needed. If multiple VPN gateways exist, load sharing occurs in a round-robin fashion.
  • B. It supports session persistence after hibernation or standby.
  • C. Trusted Network Detection allows the connection to be established without any user intervention (authentication), if the client is located inside the office.
  • D. It is exclusively configured by central policies; no local configuration is possible.
  • E. The order of policy enforcement is as follows: dynamic access policy, user attributes, tunnel group, group policy attributes.

Answer : B,C

Question 2

Which three are security features that are applicable to the network edge? (Choose three.)

  • A. Layer 2 encryption service, also known as MACsec firewall service
  • B. VPN service
  • C. Email security service
  • D. WLAN authorization service

Answer : B,C,D

Question 3

What are two advantages of IKEv2 and Cisco FlexVPN? (Choose two.)

  • A. IKEv2 is backwards compatible with IKEv1.
  • B. Cisco FlexVPN supports interoperability, dynamic routing, direct spoke-to-spoke communication, remote access, source failover, per-peer QoS, and full AAA management.
  • C. IKEv2 consolidates several VPN key management features and standards into one new standard.
  • D. The anti-clogging cookie feature from IKEv1 has been improved.
  • E. IKEv2 uses IP protocol numbers 50 and 51.

Answer : B,C

Question 4

Which one is an additional feature of Cisco IPS Manager Express as compared to Cisco
IPS Device Manager?

  • A. Support for a single IPS device
  • B. Intuitive user interface
  • C. More powerful event management
  • D. Health and performance tools

Answer : C

Question 5

Which three are valid Cisco email security deployment options? (Choose three.)

  • A. Hosted email security
  • B. Hybrid hosted email security
  • C. Managed appliances email security
  • D. Client-based email security
  • E. Email security on BYOD devices

Answer : A,B,C

Question 6

A customer wants to use the Cisco ASA for a VPN to interconnect the central site and three
branches. Which type of VPN would you recommend?

  • A. IPsec site-to-site VPN
  • B. IPsec remote access VPN
  • C. SSL remote access VPN
  • D. SSL site-to-site VPN

Answer : A

Question 7

Which two virtual networking services are provided by a Cisco Nexus 1000V? (Choose two.)

  • A. Cisco Virtual Security Gateway
  • B. Cisco ASA 1000V
  • C. Cisco Virtual ScanSafe
  • D. Cisco Virtual IPS

Answer : A,B

Question 8

Which statement best describes Cisco ScanSafe?

  • A. ScanSafe is a centralized software-based web proxy that runs in the customer data center.
  • B. ScanSafe is a cloud-based web security service that provides web filtering and web security.
  • C. ScanSafe is a service that runs on the Cisco ASA CX.
  • D. ScanSafe consists of a server and a client component; the server component is implemented in the data center, and the client component is part of the Cisco AnyConnect client.

Answer : B

Question 9

The Cisco SecureX Architecture is built on which three foundational principles? (Choose three.)

  • A. Context-aware policy
  • B. Virtual office management
  • C. Network management
  • D. Content access control
  • E. Context-aware security enforcement
  • F. Network and global intelligence

Answer : A,E,F

Question 10

Which two are features of the Cisco VPN Internal Service Module for ISR G2? (Choose two.)

  • A. Hardware encryption support for IPsec VPN
  • B. Hardware encryption support for SSL VPN
  • C. IPsec VPN throughput of up to 10 Gbps
  • D. Support for the Cisco 1941W ISR
  • E. Built-in signature-based intrusion detection for up to 4 Gbps of data

Answer : A,B

Question 11

Which two statements about Cisco IPS are true? (Choose two.)

  • A. Cisco IPS global correlation is performed before Cisco IPS reputation filters.
  • B. Cisco ASA-integrated IPS and standalone IPS offer the same features.
  • C. Cisco standalone IPS functionality can be virtualized.
  • D. The Cisco IPS reputation filter is based on Cisco SIO and allows packets that are received from known malicious sources to be dropped before performing signature-based inspection.

Answer : B,D

Question 12

Which statement is true when comparing Cisco ASA and Cisco ASA CX?

  • A. Cisco ASA fits better to the core and data center.
  • B. Cisco ASA provides better application control.
  • C. Cisco ASA does not support multitenant deployments.
  • D. Cisco ASA CX provides better AAA support.

Answer : A

Question 13

Which statement about MACsec is true?

  • A. MACsec provides Layer 2 hop-by-hop encryption, based on the 802.1AE standard.
  • B. Cisco AnyConnect Release 3.0 supports both roles: supplicant and authenticator.
  • C. 802.1X protection includes the CMD field, which is used to carry the security group tag value.
  • D. MACsec does not work between any MACsec-capable supplicant and authenticator.

Answer : A

Question 14

Which statement about IPsec and IPv6 is true?

  • A. IPsec is available only with IPv6.
  • B. IPsec support is mandatory in IPv4.
  • C. IPsec support is mandatory in IPv6.
  • D. In order to use IPsec with IPv6, IPv6 must be tunneled over IPv4.

Answer : C

Question 15

Which two statements about the Cisco IronPort Email Security architecture are true?
(Choose two.)

  • A. A key component of the Cisco IronPort Email Security architecture is the compromised domain list.
  • B. A key component of the Cisco IronPort Email Security architecture is the HTTP Inspection Engine.
  • C. Inbound security includes spam defense and virus defense.
  • D. Inbound security includes secure messaging via SSH, S/MIME, and POP over TLS.
  • E. Outbound control includes data loss prevention and secure messaging.

Answer : C,E
