Flydumps has timely updated the Cisco 642-511 exam questions. With all the new questions and answers, you will pass the Cisco 642-511 exam easily. If you want to get more Cisco 642-511 exam dumps, you can free download the new version VCE test engine from https://www.pass4itsure.com/642-511.html. All Cisco 642-511 dumps are newly updated and cover all aspects of the examination.
QUESTION 51
Which of the following represents a limitation when using Quick Configuration?
A. It enables you to define attributes only on a global basis.
B. It enables you to define attributes only on an authentication server basis.
C. It enables you to define attributes only on an individual basis.
D. It enables you to define attributes only on a client basis.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Quick configuration supplies the minimal parameters needed to make the VPN Concentrator operational,
while the Main menu lets you configure all the features of the VPN 3000 Concentrator. For example, a
configured remote user with a PC and modem can use Microsoft PPTP (point-to-point tunneling protocol)
and a local ISP to connect securely, in a VPN tunnel through the Internet, with resources on a private,
internal corporate network.
QUESTION 52
True or false: There is an out-of-band management channel?
A. True
B. False
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Yes, there is an RJ-45 console port with full RS-232 signals. The unit comes with cables and adapters for
DB-25 and DB-9.
QUESTION 53
What is the default username and password on a 3000 series Concentrator?
A. user, password
B. admin, password
C. it, login
D. admin, admin
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The 3000 series Concentrator default login is username admin, password admin.
QUESTION 54
Which method uses the Cisco VPN 3000 Concentrator to assign IP addresses from an internal pool when you have been asked to configure address assignments?
A. remote client pool
B. per-user
C. configured pool
D. DHCP pool
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
After you have selected the protocol to use, you must select the method the VPN Concentrator is to use to assign an address to clients as they establish tunnels with the Concentrator. You can select multiple methods; the Concentrator tries each method in order until it succeeds in assigning an address to the client. The methods are tried in the order listed:
1) Client Specified
2) Per User
3) DHCP
4) Configured Pool
Reference: CCSP VPN Ciscopress p.148
QUESTION 55
Greg, the security administrator at Certkiller Inc., is working on configuring the group VPN Client attributes in the VPN Concentrator. He needs to know which three of the following are VPN Client firewall settings. (Choose three)
A. Click the radio button to select enable content filtering
B. Click the radio button to select enable CBAC
C. Click the radio button to select no firewall
D. Click the radio button to select enable authentication proxy
E. Click the radio button to select firewall required
F. Click the radio button to select firewall optional
Correct Answer: CEF Section: (none) Explanation
Explanation/Reference:
Explanation:
Click the radio button to select a firewall setting:
No Firewall = No firewall is required for remote users in this group. Firewall Required = All remote users in
this group must use a specific firewall. Only those users with the designated firewall can connect. Firewall
Optional = All remote users in this group can connect. Those that have the designated firewall can use it.
Those who do not have a firewall receive a warning message.
Note: If you require a firewall for a group, make sure the group does not include any clients other than
Windows VPN Clients. Any other clients in the group (including VPN 3002 Hardware Clients) are unable to
connect.
Reference: VPN 3000 Series Concentrator Reference Volume I: Configuration
QUESTION 56
When logged into your 3000 series Concentrator via a web browser, what are the three main tabs?
A. administration
B. settings
C. protocols
D. monitoring
E. configuration
F. ipsec
Correct Answer: ADE Section: (none) Explanation
Explanation/Reference:
Explanation:
There are three main tabs of your 3000 series Concentrator when logged in via a web browser.
Configuration, Administration, and Monitoring.
QUESTION 57
Jane, the newly hired security administrator at Certkiller Inc., is working on setting up the Cisco VPN Client. Which statement about the Cisco VPN Client local LAN access feature is true?
A. The Cisco VPN Client local LAN access feature enables split tunneling.
B. The Cisco VPN Client local LAN access feature enables local LAN users access to the VPN tunnel.
C. The Cisco VPN Client local LAN access feature enables Cisco VPN Client to encrypt packets destined for the local LAN.
D. The Cisco VPN Client local LAN access feature enables and disables Cisco VPN Client access to the local LAN.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 58
John and Kathy, the security team at Certkiller Inc., are working on Cisco VPN. They need to choose three parameters sent from the Cisco VPN Concentrator to the remote Cisco VPN Client during tunnel establishment. Which are the three parameters? (Choose three)
A. Access priority
B. Split tunnel policy
C. Group name
D. Primary DNS address
E. Access priority level
F. Cisco VPN Client IP address
Correct Answer: BDF Section: (none) Explanation
Explanation/Reference:
Explanation:
Together with IP addressing information, the split tunneling policy is also pushed to the client as part of the
“mode configuration”. Page 111 of “The Complete Cisco VPN Configuration Guide”, Richard Deal; Cisco
Press.
QUESTION 59
Kathy, the security administrator at Certkiller Inc., is working on the Cisco VPN Concentrator. How can Kathy accommodate the different access needs in a Cisco VPN Concentrator?
A. By having Kathy configure rights and privileges parameters in the Cisco VPN Concentrator.
B. By having Kathy configure access and usage parameters in the Cisco VPN Concentrator.
C. By having Kathy configure rights and privileges in the network authentication server.
D. By having Kathy configure user and group parameters in the Cisco VPN Concentrator.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Configure groups and users with attributes that determine their access to and use of the VPN. Configuring
groups and users correctly is essential for managing the security of your VPN.
Reference: VPN 3000 Concentrator Ref Volume 1. Configuration 4.0.pdf
QUESTION 60
A Certkiller trainee wants to know which type of authentication makes use of the group value in the Configuration | Quick | IPSec window. What will your reply be?
A. user
B. Cisco VPN Concentrator
C. NT Domain
D. RADIUS
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Configuring the IPSec Group
The Manager displays the Configuration | Quick | IPSec Group screen. This screen appears only when you
select the IPSec tunneling protocol, and you must configure these parameters to complete quick
configuration.
The remote-access IPSec client connects to the VPN Concentrator using this group name and password,
which are automatically configured on the internal authentication server. This is the IPSec group that
creates the tunnel. Users then log in, and are authenticated, through their usernames and passwords.
(See Figure 3-14.)
QUESTION 61
During tunnel establishment, the Cisco VPN Client receives a list of split DNS names and a primary DNS server address from the Concentrator when working in a VPN Concentrator release 3.6 environment. After the tunnel is established, when the VPN Client receives a DNS query, the query is compared with the split DNS names. How will the VPN Client react to the results of the comparison?
A. A matching query will be encrypted then transmitted to the primary DNS server for address resolution.
B. A matching query will be transmitted in clear text to the ISP DNS server for address resolution.
C. A matching query will be transmitted in clear text to the primary DNS server for address resolution.
D. A matching query will be encrypted then transmitted to the ISP DNS server for address resolution.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
…Query packets passing the comparison will have their destination IP address rewritten and tunneled
using the primary DNS IP address configured on the concentrator…
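The matching step described in the explanation above, as an added Python example that is not part of the original page or of Cisco's client software: it takes a constructed list of split DNS names and two constructed resolver addresses (the internal primary DNS pushed by the Concentrator and the ISP's resolver), compares each query against the split DNS names on whole DNS labels, and reports whether the query is rewritten to the primary DNS server and tunneled or sent in clear text to the ISP resolver.

```python
from dataclasses import dataclass

# Constructed sample configuration (not taken from the page): the split DNS names
# the Concentrator would push to the client, plus the two resolvers involved.
SPLIT_DNS_NAMES = ["certkiller.example", "corp.example"]
PRIMARY_DNS = "10.0.0.53"       # internal resolver pushed by the Concentrator (constructed)
ISP_DNS = "198.51.100.53"       # resolver learned from the local ISP (constructed)


@dataclass(frozen=True)
class DnsDecision:
    qname: str
    destination: str   # resolver the query is sent to
    tunneled: bool     # True: encrypted inside the IPsec tunnel; False: clear text


def _labels(name: str) -> list:
    """Normalise a DNS name: lower-case, drop the trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def matches_split_dns(qname: str, split_names) -> bool:
    """True when qname equals one of the split DNS names or is a subdomain of one.

    The comparison is made on whole labels, so 'notcertkiller.example' does not
    match 'certkiller.example' (a plain string suffix test would get that wrong).
    """
    q = _labels(qname)
    for name in split_names:
        n = _labels(name)
        if len(q) >= len(n) and q[-len(n):] == n:
            return True
    return False


def route_dns_query(qname: str, split_names=SPLIT_DNS_NAMES,
                    primary_dns=PRIMARY_DNS, isp_dns=ISP_DNS) -> DnsDecision:
    """Decide where a client-side DNS query goes, following the page's description:
    a matching query is rewritten to the primary DNS server and tunneled; any other
    query goes in clear text to the ISP resolver."""
    if matches_split_dns(qname, split_names):
        return DnsDecision(qname, primary_dns, tunneled=True)
    return DnsDecision(qname, isp_dns, tunneled=False)


if __name__ == "__main__":
    for q in ["intranet.certkiller.example", "www.cisco.com",
              "notcertkiller.example", "CORP.EXAMPLE."]:
        d = route_dns_query(q)
        print(f"{q:30} -> {d.destination:15} {'tunneled' if d.tunneled else 'clear text'}")
```

The label-wise comparison is the detail worth carrying into any real implementation: a plain string suffix check would treat notcertkiller.example as an internal name and tunnel a query that should have gone to the ISP resolver.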
QUESTION 62
The newly appointed Certkiller trainee technician wants to know which of the following Quick Configuration elements can be used in the configuration of an IPSec group. What will your reply be? Choose two.
A. group access protocols
B. group server name
C. password
D. user name
E. group priority
F. group name
Correct Answer: CF Section: (none) Explanation
Explanation/Reference:
Explanation:
“Group Name”, “Password” and “Verify” are the fields displayed under “IPSec Group” when using Quick
Configuration in the Concentrator. Therefore, C and F are the right options.
Page 101 of “The Complete Cisco VPN Configuration Guide”, Richard Deal; Cisco Press.
QUESTION 63
The newly appointed Certkiller trainee wants to know which IKE proposal in the IKE active proposal list is supported by the Certicom client. What will your reply be?
A. IKE-3DES-MD5-RSA
B. IKE-3DES-MD5-DH7
C. CiscoVPNClient-3DES-MD5
D. IKE-3DES-MD5
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
The Certicom client uses elliptic curve cryptography (ECC) for small-processor devices.
QUESTION 64
Which of the following group attributes are configurable in an environment where group attributes are being configured in the Cisco VPN Concentrator? (Select three options.)
A. access hours
B. idle timeout
C. connection priority
D. maximum connect time
E. access level
F. TACACS+ server IP address
Correct Answer: ABD Section: (none) Explanation
Explanation/Reference:
Source: Configuration | User Management | Groups | Modify a Group | General tab. Access Hours, Idle Timeout and Maximum Connect Time are the three options configurable on that tab.
QUESTION 65
Which of the following IP addresses should go in the remote server field in the Configuration | Quick | IPSec windows?
A. DHCP server
B. authentication server
C. central site Cisco VPN Concentrator
D. accounting server
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: In the Remote Server field, enter the IP address or hostname of the VPN Concentrator to which this VPN 3002 hardware client connects. Note that to enter a hostname, a DNS server must be configured.
QUESTION 66
The Certkiller trainee technician wants to know which of the following IKE proposals can be used with digital certificates. What will your reply be?
A. IKE-3DES-MD5
B. IKE-3DES-MD5-DH7
C. IKE-3DES-MD5-RSA
D. IKE-AES-128-SHA
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Source: Cisco Press CCSP Cisco Secure VPN (Roland, Newcomb) p.240
QUESTION 67
What is the 3000 series Concentrator group configuration screen tab that you enable split tunneling on?
A. client config
B. general
C. identity
D. setup
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Split Tunneling configuration for a group is set under the client config tab from the 3000 series
Concentrator configuration, user management, groups configuration screen.
QUESTION 68
Which 3000 series Concentrator group configuration tab allows you to enable Interactive Hardware Authentication for remote 3002 Hardware Clients?
A. authentication
B. clients
C. hardware
D. hw client
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The hw client tab under group configuration (configuration, user management, groups) allows enabling of
Interactive Hardware Authentication. This essentially provides an extra level of security between the 3002
Hardware Client and the Head End Concentrator.
QUESTION 69
What is the maximum combined number of users and groups that can be configured on a Concentrator?
A. 100
B. 200
C. 750
D. 1000
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
The concentrator allows a maximum of 100 groups and users. Page 98 of “The Complete Cisco VPN
Configuration Guide”, Richard Deal; Cisco Press.
QUESTION 70
DRAG DROP
Jason, the security administrator at Certkiller Inc., was given the assignment to match the severity level with the alarm level.
A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:
Explanation:
Table 9-2: Event Severity Levels
Level  Category       Description
1      Fault          A crash or non-recoverable error.
2      Warning        A pending crash or severe problem that requires user intervention.
3      Warning        A potentially serious problem that may require user action.
4      Information    An information-only event with few details.
5      Information    An information-only event with moderate detail.
6      Information    An information-only event with greatest detail.
7      Debug          Least amount of debugging detail.
8      Debug          Moderate amount of debugging detail.
9      Debug          Greatest amount of debugging detail.
10     Packet Decode  High-level packet header decoding.
11     Packet Decode  Low-level packet header decoding.
12     Packet Decode  Hex dump of header.
13     Packet Decode  Hex dump of packet.
QUESTION 71
John, the security administrator at Certkiller Inc., is troubleshooting the Cisco VPN Concentrator. The problem is that a remote user exceeds the configured policing rate. What will the VPN Concentrator do when this happens?
A. The VPN Concentrator will allow excess traffic to pass up to the configured normal burst size.
B. The VPN Concentrator logs the event, sets the DE bit, and allows the traffic to pass.
C. All packets marked high priority are passed and all packets marked low priority are dropped on the VPN Concentrator
D. The VPN Concentrator will allow excess traffic to pass up to 1/8th of the CIR.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: Bandwidth policing sets a maximum limit, a cap, on the rate of tunneled traffic. The VPN Concentrator transmits traffic it receives below this rate; it drops traffic above this rate. Because traffic is bursty, some flexibility is built into policing. Policing involves two thresholds: the policing rate and the burst size. The policing rate is the maximum limit on the rate of sustained tunneled traffic. The burst size indicates the maximum size of an instantaneous burst of bytes allowed before traffic is capped back to the policing rate. The VPN Concentrator allows for instantaneous bursts of traffic greater than the policing rate up to the burst rate. But should traffic bursts consistently exceed the burst rate, the VPN Concentrator enforces the policing rate threshold.
Reference: VPN 3000 Concentrator Ref Volume 1. Configuration 4.0.pdf
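The two-threshold behaviour described in the explanation above, as an added Python model that is not Cisco's implementation: a single-rate token bucket in which the policing rate refills the bucket and the normal burst size caps it, run over three constructed packet traces (a burst arriving at one instant, a flow at exactly the policing rate, and a flow at twice the rate). The rate, burst size and packet timings are constructed values, not taken from the page.

```python
class BandwidthPolicer:
    """Single-rate token bucket, the mechanism the page describes for bandwidth policing.

    rate_bps     policing rate in bytes per second (the sustained cap)
    burst_bytes  normal burst size: the most an instantaneous burst may exceed the rate by
    Tokens refill at the policing rate and are capped at burst_bytes; a packet passes only
    when enough tokens are available. Time is kept in integer milliseconds so that the
    arithmetic is exact.
    """

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps
        self.burst = burst_bytes
        self.tokens = burst_bytes   # bucket starts full
        self.last_ms = 0

    def offer(self, size: int, now_ms: int) -> bool:
        """Return True if the packet passes, False if it is dropped."""
        elapsed_ms = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tokens = min(self.burst, self.tokens + elapsed_ms * self.rate // 1000)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False   # sustained traffic above the policing rate is capped here


def police(packets, rate_bps: int, burst_bytes: int):
    """Run (timestamp_ms, size_bytes) pairs through one policer; return (passed, dropped) byte totals."""
    p = BandwidthPolicer(rate_bps, burst_bytes)
    passed = dropped = 0
    for ts, size in packets:
        if p.offer(size, ts):
            passed += size
        else:
            dropped += size
    return passed, dropped


# Constructed scenarios for a group policed at 10,000 bytes/s with a 4,000-byte burst size.
RATE, BURST = 10_000, 4_000
# (a) five 1,000-byte packets arriving at the same instant: only the first four fit the burst
SAME_INSTANT = [(0, 1_000)] * 5
# (b) 1,000-byte packets every 100 ms, exactly the policing rate: everything passes
AT_RATE = [(i * 100, 1_000) for i in range(20)]
# (c) 1,000-byte packets every 50 ms, twice the policing rate, sustained for about a second
SUSTAINED_2X = [(i * 50, 1_000) for i in range(20)]


def run_scenarios() -> dict:
    """Return {scenario name: (passed_bytes, dropped_bytes)} for the three traces above."""
    return {name: police(pkts, RATE, BURST)
            for name, pkts in [("same_instant", SAME_INSTANT),
                               ("at_rate", AT_RATE),
                               ("sustained_2x", SUSTAINED_2X)]}


if __name__ == "__main__":
    for name, (passed, dropped) in run_scenarios().items():
        print(f"{name:13} passed={passed:6} bytes  dropped={dropped:6} bytes")
```

In the sustained case the bucket drains after the initial 4,000-byte allowance and then admits only every other packet, so the long-run throughput settles at the policing rate while the instantaneous burst was let through in full, which is the behaviour option A describes.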
QUESTION 72
At which particular level in the Concentrator is NAT applied after NAT-transparency is configured on the Concentrator?
A. port level
B. group level
C. user level
D. system-wide level
E. none of the above
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The functions that fall under the Configuration | System section have to do with configuring parameters for
system-wide functions in the VPN Concentrator. Configuration | Policy Management is its subcategory.
One of the sections of Configuration | Policy Management is NAT: the Cisco VPN 3000 Concentrators
can perform Network Address Translation, which you would configure in this section.
Reference: CCSP VPN Ciscopress p.169-173
QUESTION 73
Which of the following protocols can be used to download the event log file from a Concentrator? Choose 2.
A. http
B. smtp
C. ftp
D. scep
Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
Explanation:
Download the event log file on a Concentrator with HTTP or FTP.
QUESTION 74
Where can you configure your Concentrator's hostname?
A. configuration, system, ip routing, setup
B. configuration, system, ip routing, identification
C. configuration, system, general, setup
D. configuration, system, general, identification
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the configuration, system, general, identification Concentrator screen to set the hostname.
QUESTION 75
Where is an SMTP server added to your Concentrator configuration?
A. configuration, policy management, traffic management, smtp servers
B. configuration, policy management, traffic management, servers
C. configuration, system, general, smtp servers
D. configuration, system, events, smtp servers
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
SMTP servers can be configured on your Concentrator from configuration, system, events, smtp servers.
QUESTION 76
Where do you access DNS server configuration parameters on your Concentrator?
A. configuration, system, tunneling protocols, dns
B. configuration, system, servers, dns
C. configuration, system, ip routing, dns
D. configuration, system, management protocols, dns
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
DNS server configuration is set from the configuration, system, servers, dns screen.
QUESTION 77
On a Concentrator, where is the default gateway ip address entered?
A. configuration, system, ip routing, default gateways
B. configuration, system, tunneling protocols, default gateways
C. configuration, system, servers, default gateways
D. configuration, system, general, default gateways
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
The Concentrator's default gateway can be configured from configuration, system, ip routing, default
gateways.
QUESTION 78
Which three files are necessary when pre-configuring a Cisco VPN Client? (Select three options.)
A. unattended_setup.ini
B. user.pcf
C. data.ini
D. oem.ini
E. vpnclient.ini
F. client.ini
Correct Answer: BDE Section: (none) Explanation
Explanation/Reference:
QUESTION 79
In Cisco VPN 3000 release 3.7, the Cisco VPN Client GUI is supported on which two operating systems? Select two.
A. Windows
B. Linux
C. Macintosh
D. Solaris
E. HP-UX
F. IBM AIX
Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
QUESTION 80
Which of the following statements regarding Cisco VPN client software update is valid?
A. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the remote Cisco VPN Client automatically downloads a new version of code from a configurable web site.
B. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the remote Cisco VPN Client automatically downloads a new version of code from a configurable TFTP server.
C. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the Cisco VPN Concentrator automatically downloads a new version of the software.
D. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the Cisco VPN Concentrator only sends an update notification to the remote Cisco VPN Client.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
When you use the update software feature, it notifies your clients that they need to update their software.
QUESTION 81
Jacob, the security administrator for Certkiller Inc., is exchanging certificates between a Cisco VPN Client and a Cisco VPN Concentrator; the group information on the Cisco VPN Client and the Cisco VPN Concentrator must match. Because there is no group field listed on the VPN Client certificate manager enrollment form, which enrollment field will double as a group field?
A. Common name enrollment field
B. IP address enrollment field
C. Organization enrollment field
D. Department name enrollment field
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Department: The name of the department to which you belong; for example, International Studies. This field
correlates to the Organizational Unit (OU). The OU is the same as the Group Name configured in a VPN
3000 Series Concentrator, for example.
QUESTION 82
Jason, the security administrator at Certkiller Inc., is working on IKE. His assignment is to find out which three things the Cisco VPN 3000 Concentrator checks during the IKE negotiations when an identity certificate is received from an IKE peer. (Choose three)
A. Has the CA expired?
B. Is the certificate still valid?
C. Has the CA been revoked?
D. Is the certificate signed by a trusted CA?
E. Is the certificate in the CRL?
F. Is the certificate FQDN valid?
Correct Answer: BDE Section: (none) Explanation
Explanation/Reference:
Explanation: During IKE tunnel establishment, the peer provides its identity: either an IP address, a fully qualified domain name (FQDN), or a distinguished name (DN). It also presents a certificate, which contains none, some, or all of these fields. If IKE peer identity validation is enabled, the VPN Concentrator compares the peer’s identity to the like field in the certificate to see if the information matches. If the information matches, then the peer’s identity is validated and the VPN Concentrator establishes the tunnel. If the information does not match, the VPN Concentrator drops the tunnel. This feature provides an additional level of security.
Reference: VPN 3000 Concentrator Ref Volume 1. Configuration 4.0.pdf
QUESTION 83
Jason, the security administrator for Certkiller Inc., was given the assignment to find out what the two purposes of the X.509 Certificate Serial Number are. (Choose two)
A. The purpose is it specifies the subject’s public key and hashing algorithm.
B. The purpose is it specifies the start and expiration dates for the certificate.
C. The purpose is a unique certificate numerical identifier in the CA domain.
D. The purpose is the certificate number that is listed on the CRL when the certificate is revoked.
E. The purpose is it identifies the CA’s public key and hashing algorithm.
F. The purpose is Private Key.
Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
Explanation: A certificate is normally expected to be valid for its entire validity period. However, if a certificate becomes invalid due to such things as a name change, a change of association between the subject and the CA, or a security compromise, the CA revokes the certificate. Under X.509, CAs revoke certificates by periodically issuing a signed CRL, where each revoked certificate is identified by its serial number. Enabling CRL checking means that every time the VPN Concentrator uses the certificate for authentication, it also checks the CRL to ensure that the certificate being verified has not been revoked.
QUESTION 84
Kathy, the security administrator at Certkiller Inc., is working on certificates. She needs to know which information is included in the PKCS#10 request message. (Choose two)
A. PKCS#10 request message contains the encryption algorithm
B. PKCS#10 request message contains the validity dates
C. PKCS#10 request message contains the user information
D. PKCS#10 request message contains the key size
E. PKCS#10 request message contains the private key
F. PKCS#10 request message contains the authentication algorithm
Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
Explanation:
Generating the PKCS#10 requires various user information inputs AND input for the key size of choice!
Note:
An enrollment request for an identity certificate consists of a base 64 encoded PKCS#10 file that the VPN
Concentrator generates based on information you provide in the steps that follow.
You have generated a base 64 encoded PKCS#10 file (Public Key Certificate Syntax-10), which most CAs
recognize or require. The system automatically saves this file in Flash memory with the filename shown in
the browser (pkcsNNNN.txt). In generating the request, the system also generates the private key used in
the PKI process. That key remains on the VPN Concentrator in encrypted form.
QUESTION 85
Which of the following features will permit automatic certificate enrollment with the CA?
A. Mode Configuration
B. Quick Configuration
C. VRRP
D. SCEP
E. RRI
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Developed by Cisco, VeriSign, Entrust, Microsoft, Netscape and Sun, the Simple Certificate Enrollment Protocol (SCEP) provides a way of managing certificates. SCEP lets you automatically provide your users with a way to enroll with the CA.
QUESTION 86
What are the two types of certificate enrollment for the Cisco VPN Concentrator? Select two.
A. PKCS#15 enrollment process
B. PKCS#7 enrollment process
C. SCEP
D. certified enrollment process
E. CERTC enrollment process
F. File-based enrollment process
Correct Answer: CF Section: (none) Explanation
Explanation/Reference:
Explanation:
Configuring Digital Certificates: SCEP and Manual Methods
To use digital certificates for authentication, you first enroll with a Certificate Authority (CA), and obtain and
install a CA certificate on the VPN Concentrator. Then you enroll and install an identity certificate from the
same CA. You can enroll and install digital certificates on the VPN Concentrator in either of two ways:
* Using Cisco’s Simple Certificate Enrollment Protocol (SCEP). SCEP is a secure messaging protocol that
requires minimal user intervention. SCEP is the quicker method, and it lets you enroll and install
certificates using only the VPN Concentrator Manager. To use SCEP, you must enroll with a CA that
supports SCEP, and you must enroll via the Internet.
* Manually, exchanging information with the CA directly. The manual method involves more steps. You can
do some of the steps using the Manager. Other steps require that you exchange information with the CA
directly. You deliver your enrollment request and receive the certificate from the CA via the Internet, email,
or a floppy disk.
Ref 2: Enrollment Method
Choose an enrollment method:
* PKCS10 Request (Manual) = Enroll using the manual process.
* Certificate Name via SCEP = Enroll automatically using this SCEP CA.
Note: If you install a CA certificate using the manual method, you must also use the manual method to
request identity or SSL certificates from that CA. Conversely, to request identity and SSL certificates using
SCEP, you must first use SCEP to obtain the CA certificate.
Tasks Summary
Whether you use SCEP or the manual method, you perform the following tasks to obtain and install
certificates:
1. Obtain and install one or more CA certificate(s).
2. Create an enrollment request for one or more identity certificates.
3. Request an identity certificate from the same CA that issued the CA certificate(s).
4. Install the identity certificate on the VPN Concentrator.
5. Enable CRL checking and caching.
6. Enable certificates.
About the Documentation
The print version of this guide provides step-by-step examples of configuring digital certificates using
SCEP and manually, and with both LAN-to-LAN and remote access connections, beginning with the next
section, “Managing Certificates with SCEP.”
Ref 3: Types of certificate enrollment in the Cisco VPN Concentrator
You can enroll and install digital certificates on the VPN 3002 automatically or manually. The automatic
method is a new feature that uses the Simple Certificate Enrollment Protocol (SCEP) to streamline
enrollment and installation. SCEP is a secure messaging protocol that requires minimal user intervention.
This method is quicker than enrolling and installing digital certificates manually, but it is available only if
you are both enrolling with a CA that supports SCEP and enrolling via the web. If your CA does not support
SCEP, or if you enroll with digital certificates by a means other than the web (such as through email or by
a diskette), then you cannot use the automatic method; you must use the manual method.
An enrollment request for an identity certificate consists of a base 64 encoded PKCS#10 file that the VPN
Concentrator generates based on information you provide in the steps that follow.
QUESTION 87
Which of the following will suffice as reasons for revoking a certificate? Choose two.
A. invalid time
B. Invalid date
C. change of association
D. compromised security
E. Invalid signature
Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
Explanation: A certificate is normally expected to be valid for its entire validity period. However, if a certificate becomes invalid due to a name change, change of association between the subject and the CA, security compromise, etc., the CA revokes the certificate. Under X.509, CAs revoke certificates by periodically issuing a signed certificate revocation list (CRL), where each revoked certificate is identified by its serial number. Enabling CRL checking means that every time the VPN Concentrator uses the certificate for authentication, it also checks the CRL to ensure that the certificate being verified has not been revoked. CAs use LDAP/HTTP databases to store and distribute CRLs. They might also use other means, but the VPN Concentrator relies on LDAP/HTTP access.
QUESTION 88
Which of the following statements regarding the digital signature process is valid?
A. The hash is encrypted with the public key and decrypted with the private key.
B. The hash is encrypted and decrypted with a shared secret key.
C. The hash is encrypted and decrypted with a symmetric key.
D. The hash is encrypted with the private key and decrypted with the public key.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The question is about a “digital signature”, which requires computation of a hash code, typically MD5 or SHA-1,
that is then encrypted with the private key of the sender. It is verified with the public key of the sender, which is
known to all. Since the private key is ONLY known to the owner of the key pair, as long as the private key
is kept secret, you know that the signature is valid and that it came from the holder/owner of the private
key (non-repudiation).
QUESTION 89
What are the functions that a CA has to fulfill? (Select three options.)
A. The CA is responsible for revoking valid certificates
B. The CA is responsible for creating certificates
C. The CA is responsible for decrypting digital certificate
D. The CA is responsible for administering certificates
E. The CA is responsible for issuing equipment certificates
F. The CA is responsible for revoking invalid certificates
Correct Answer: BDF Section: (none) Explanation
Explanation/Reference:
Explanation: The CA creates, administers, and revokes invalid certificates.
Reference: Ciscopress CCSP Self Study, CSVPN Second edition Page: 142
QUESTION 90
The Certkiller CEO wants your opinion regarding the best PKI model for a large enterprise. What can you tell her?
A. Central
B. Flat
C. Hub and Spoke
D. Hierarchical
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Going beyond the single-root CA, more complex topologies can be devised that involve multiple CAs within the same organization. One such topology is the hierarchical CA system, in which CAs no longer issue certificates to end users only, but also to subordinate CAs, who in turn issue their certificates to end-users and/or other CAs. In a hierarchical CA system, a tree of CAs and end users is built for which every CA can issue certificates to entities on the next lower level.
QUESTION 91
Which of the following causes a certificate issued from a CA to become invalid? Choose all that apply.
A. certificate reaches expiration date
B. certificate listed on CRL
C. certificate not enrolled via SCEP
D. certificate requested via PKCS # 10
Correct Answer: AB Section: (none) Explanation
Explanation/Reference:
Explanation:
If a certificate is on the CA server's Certificate Revocation List (CRL), it should be considered invalid and
not used. Also, when the certificate is generated, it has a built-in expiration date, after which it will not work.
QUESTION 92
Which of the following protocols automates the installation process of a digital certificate?
A. FTP
B. SCEP
C. VRRP
D. AH
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
You can automate the certificate request and installation process on your Concentrator by using Simple
Certificate Enrollment Protocol (SCEP) with a CA.
QUESTION 93
John, the security administrator at Certkiller Inc., is working on installing certificates on the Cisco VPN 3000 Concentrator. Which two certificates does John need to install in the Cisco VPN 3000 Concentrator? (Choose two)
A. Root certificate needs to be installed
B. SSL certificate needs to be installed
C. Public certificate needs to be installed
D. Private certificate needs to be installed
E. Identity certificate needs to be installed
F. Trusted certificate needs to be installed
Correct Answer: AE Section: (none) Explanation
Explanation/Reference:
Concentrator Certificate Manual Loading Process:
Step 1: Generate the certificate request and upload it to the CA.
Step 2: The CA generates the identity and root certificates. Each is downloaded to a PC.
Step 3: The certificates are loaded onto the Concentrator.
Reference: VPN 3000 Concentrator Reference Volume 1: Configuration 4.0.pdf
QUESTION 94
Which pieces of information does the CA supply when it issues a digital certificate? Choose three.
A. user name
B. validity dates
C. User’s private key information
D. private key
E. Issuer’s name
F. CA signature algorithm
Correct Answer: BEF Section: (none) Explanation
Explanation/Reference:
Explanation:
Certificate Fields. A certificate contains some or all of the following fields:
Subject: The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same.
Issuer: The CA or other entity (jurisdiction) that issued the certificate.
Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology, and they echo the fields on the Administration | Certificate Management | Enrollment screen.
CN (Common Name): the name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy. For the VPN Concentrator self-signed SSL certificate, the CN is the IP address on the Ethernet 1 (Private) interface at the time the certificate is generated. SSL compares this CN with the address you use to connect to the VPN Concentrator via HTTPS, as part of its validation.
OU (Organizational Unit): the subgroup within the organization (O).
O (Organization): the name of the company, institution, agency, association, or other entity.
L (Locality): the city or town where the organization is located.
SP (State/Province): the state or province where the organization is located.
C (Country): the two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.
Serial Number: The serial number of the certificate. Each certificate issued by a CA must be unique among all certificates issued by that CA. CRL checking uses this serial number.
Signing Algorithm: The cryptographic algorithm that the CA or other issuer used to sign this certificate.
Public Key Type: The algorithm and size of the certified public key.
Certificate Usage: The purpose of the key contained in the certificate, for example: digital signature, certificate signing, nonrepudiation, key or data encipherment, etc.
MD5 Thumbprint: A 128-bit MD5 hash of the complete certificate contents, shown as a 16-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a root certificate's authenticity, you can check this value with the issuer.
SHA1 Thumbprint: A 160-bit SHA-1 hash of the complete certificate contents, shown as a 20-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate's authenticity, you can check this value with the issuer.
Validity: The time period during which this certificate is valid. Format is MM/DD/YYYY at HH:MM:SS to MM/DD/YYYY at HH:MM:SS. Time uses 24-hour notation, and is local system time. The Manager checks the validity against the VPN Concentrator system clock, and it flags expired certificates by issuing event log entries.
Subject Alternative Name (Fully Qualified Domain Name): The fully qualified domain name for this VPN Concentrator that identifies it in this PKI. The alternative name is an optional additional data field in the certificate, and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections.
CRL Distribution Point: All CRL distribution points from the issuer of this certificate.
QUESTION 95
Which of the following are the steps that are used when enrolling the file-based certificate? (Select three options.)
A. The identity certificate is loaded into the Cisco VPN Concentrator first.
B. The CA generates the root and identity certificates.
C. The root certificate is loaded into the Cisco VPN Concentrator second.
D. The root certificate is loaded into the Cisco VPN Concentrator first.
E. The Cisco VPN Concentrator generates a PKCS#7.
F. The Cisco VPN Concentrator generates a PKCS#10.
Correct Answer: BDF Section: (none) Explanation
Explanation/Reference:
Explanation:
The steps are: 1. The requestor generates a PKCS#10 request; 2. The CA returns both a root and an identity
certificate to the Concentrator; 3. The requestor installs the root certificate first, so that the identity
certificate can be validated afterwards. So, B, D and F are the appropriate answers.
Reference: page 143 of "The Complete Cisco VPN Configuration Guide", Richard Deal; Cisco Press.
QUESTION 96
James the security administrator at Certkiller Inc. is working on IKE certificates. What are three steps in the IKE certificate authentication process? (Choose three)
A. The identity certificate validity period is verified against the system clock of the Cisco VPN Concentrator.
B. The root certificate is not in the Cisco VPN Concentrator.
C. If enabled, the Cisco VPN Concentrator locates the CRL and validates the identity certificate.
D. Identity certificates are exchanged during IPSec negotiations.
E. The identity certificate signature is validated using the stored root certificate.
F. The signature is validated using the stored identity certificate.
Correct Answer: ACE Section: (none) Explanation
Explanation/Reference:
Explanation: Validating Certificates:
1. Signed by a CA that is trusted: checks the signature. (E)
2. Not expired. (A)
3. Not revoked. (C)
Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 236
QUESTION 97
Janice the Certkiller Inc. security administrator is working on the CRL configuration. Which three statements about CRL configuration are true? (Choose three)
A. CRL checking is disabled by default.
B. The Cisco VPN Concentrator relies on LDAP access to procure the CRL list.
C. CRL checking is enabled by default.
D. The Cisco VPN Concentrator relies on HTTP access to procure the CRL list.
E. If the CRL distribution point is available in the certificate, you do not have to fill in most of the CRL configuration fields.
F. If the CRL distribution point is available in the certificate, you still have to fill in most of the CRL configuration fields.
Correct Answer: ABE Section: (none) Explanation
Explanation/Reference:
Explanation:
F is incorrect, because you do not have to specify the CRL distribution point configuration fields if the CRL distribution point URI comes with the certificate (so E is the better choice).
Note 1: CAs use LDAP databases to store and distribute CRLs. They might also use other means, but the VPN Concentrator relies on LDAP access.
Step 1: On the Administration | Certificate Management screen, in the Certificate Authorities table, click Configure next to the CA certificate for which you want to enable CRL checking. The Manager displays the Administration | Certificate Management | Configure CA Certificate screen. For information on these fields, see the "Administration | Certificate Management | Configure CA Certificate" section or online Help.
Step 2: CRL checking is disabled by default. Choose the method to use to retrieve the CRL. If you choose to use CRL distribution points specified in the certificate being checked, be sure to specify the distribution point protocols for retrieving CRLs. If you choose the LDAP protocol, be sure to specify the LDAP distribution point defaults. If you choose to use static CRL distribution points, be sure to enter them under Static CRL Distribution Points further down.
Step 3: To enable CRL caching, check the Enabled check box. In the Refresh Time field, specify a time period for updating the CRL.
Step 4: Check the appropriate check boxes to indicate whether you want to accept Subordinate CA Certificates or accept Identity Certificates signed by this issuer.
Step 5: Click Apply. The Manager displays the Administration | Certificate Management screen.
Note 2: D is also true, because the Concentrator can use LDAP and HTTP to get CRLs (see also the explanation for QUESTION NO 90). The problem is that only three selections are possible.
QUESTION 98
Which of the following represents a correctly defined static CRL distribution point?
A. TFTP://10.0.1.21/CertEnroll/Certkiller.crl
B. FTP://10.0.1.21/CertEnroll/Certkiller.crl
C. HTTP://10.0.1.21/CertEnroll/Certkiller.crl
D. HTTPS://10.0.1.21/CertEnroll/Certkiller.crl
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Static CRL Distribution Points
Enter HTTP or LDAP URLs that identify CRLs located on external servers. If you chose a CRL Retrieval
Policy that uses static distribution points, you must enter at least one (and not more than five) valid URLs.
Enter each URL on a single line. (Scroll right to enter longer values.) Examples of valid URLs are:
HTTP URL: http://1.1.1.2/CertEnroll/TestCA6-8.crl
LDAP URL: ldap://100.199.7.6:389/CN=TestCA6-8,CN=2KPDC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=qa2000,DC=com?certificateRevocationList?base?object
QUESTION 99
The VPN Concentrator retrieves and examines CRLs when CRL checking is enabled. CRLs can be cached locally to mitigate potential timeout problems due to network congestion and delay. In which location are CRLs cached?
A. on a pre-defined TFTP server on the local private network
B. on a pre-defined FTP server on the local private network
C. in the VPN Concentrator’s volatile memory
D. in the VPN Concentrator’s non volatile memory
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Since the system has to retrieve and examine the CRL from a network distribution point, enabling CRL checking might slow system response times. Also, if the network is slow or congested, CRL checking might fail. To mitigate these potential problems, you can enable CRL caching. This stores the retrieved CRLs in local volatile memory, thus allowing the VPN Concentrator to verify the revocation status of certificates more quickly.
QUESTION 100
Which of the following protocols can be utilized by VPN Concentrator in an attempt to retrieve Certificate Revocation Lists? (Select two options.)
A. SSL
B. SSH
C. LDAP
D. HTTP
E. FTP
F. TFTP
Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
Explanation:
Reference: Cisco Press CCSP Cisco Secure VPN (Roland, Newcomb) p.237