400-251 Royal Pack Testengine pdf
100% Actual & Verified — 100% PASS
Unlimited access to the world's largest Dumps library!Download 400-251 Dumps Free
Exam Number/Code: 400-251
Exam name: CCIE Security Written Exam
n questions with full explanations
Certification: Cisco Certification
Master the 400-251 dumps content and be ready for exam day success quickly with this 400-251 dumps. We guarantee it!We make it a reality and give you real 400-251 dumps in our Cisco 400-251 braindumps. Latest 100% VALID 400-251 dumps at below page. You can use our Cisco 400-251 braindumps and pass your exam.
Online Cisco 400-251 free dumps demo Below:
NEW QUESTION 1
Which statement is true regarding the wireless security technologies?
- A. WPA provides message integrity using AES
- B. WPA2-PSK mode allows passphrase to store locally on the device
- C. WEP is more secure than WPA2 because it uses AES for encryption
- D. WPA-ENT mode does not require RADIUS for authentication
- E. WPÁ2-PSK mode provides better security by having same passphrase across the network
- F. WPA2 is more secure than WPA because it uses TKIP for encryption
NEW QUESTION 2
Which statement about SenderBase sender-reputation filtering approaches on the Cisco
- A. The conservative approach provides near zero false positives at the cost lower performance
- B. The aggressive approach provides near zero false positives at the cost of lower performance
- C. The aggressive approach provides maximum performance at the cost of numerous
- D. The moderate approach provides maximum performance with some false positives
- E. The conservative approach provides good performance with near zero false positives
- F. The moderate approach combines high performance with some false positives
NEW QUESTION 3
Which statement about Nmap scanning on the Cisco Firepower System is true?
- A. It can leverage multiple proxy devices to increase scan speed
- B. It can scan TCP and UDP ports, but TCP ports require significantly more resources
- C. The Fast Port Scan scans only the TCP ports that are lited in the nmap-service file
- D. It can scan IP addresses, address blocks, and address ranges on IPv4 and IPv6 networks
- E. It supports custom fingerprinting to identify malware by its unique characteristics in your specific environment
- F. It performs host discovery before each scan to identify hosts that are online and skips the full scan for hosts that are offline
NEW QUESTION 4
Which statement about the Sender Base functionality is true?
- A. SenderBase uses DNS-based blacklist as one of the sources of information to define reputation score of sender's IP address
- B. SenderBase uses spam complaints as one of the sources of information to define reputation score of receiver's IP address of the sender and receiver
- C. ESA uses destination address reputation information from SenderBase to configure mail policies.
- D. ESA sees a high positive score from SenderBase as very likely that sender is sending spam
- E. ESA sees a high negative score from SenderBase as very unlikely that sender is sending spam
- F. ESA uses source address reputation information from SenderBase to stop spam
- G. WSA uses SenderBase information to configure URL filtering policies
NEW QUESTION 5
Which best practice can limit inbound TTL expiry attacks?
- A. Setting the TTL value to zero.
- B. Setting the TTL value to more than longest path in the network.
- C. Setting the TTL value equal to the longest path in the network.
- D. Setting the TTL value to less than the longest path in the network.
Explanation: In practice, filtering packets whereby TTL value is less than or equal to the value that is needed to traverse the longest path across the network will completely mitigate this attack vector. https://www.cisco.com/c/en/us/about/security-center/ttl-expiry-attack.html
NEW QUESTION 6
Which file extensions are supported on the Firesight Management Center 6.1 file policies that can be analyzed dynamically using the Threat Grid Sandbox integration?
- A. MSEXEMSOLE2NEW-OFFICEPDF
- B. DOCXWAVXLSTXT
- C. TXTMSOLE2WAVPDF
- D. DOCMSOLE2XMLPDF
NEW QUESTION 7
Which effect of the crypto key encrypt write rsa command on a router is true?
- A. The device locks the encrypted key, but the key is lost when the router is reloaded.
- B. The device encrypts and locks the key before authenticating it with an external CA server.
- C. The device unlocks the encrypted key, but the key is lost when the router is reloaded.
- D. The device locks the encrypted key and saves it to the NVRAM.
- E. The device saves the unlocked encrypted key to the NVRAM.
NEW QUESTION 8
What are the most common methods that security auditors use to access an organization’s security
processes? (Choose two.)
- A. physical observation
- B. social engineering attempts
- C. penetration testing
- D. policy assessment
- E. document review
- F. interviews
NEW QUESTION 9
What are the advantages of using LDAP over AD?
- A. LDAP allows for granular policy control, whereas AD does not.
- B. LDAP provides for faster authentication
- C. LDAP can be configured to use primary and secondary server, whereas AD cannot.
- D. LDAP does not require ISE to join the AD domain
- E. The closest LDAP servers are used for Authentication
NEW QUESTION 10
Which three of these are properties of RC4? (Choose three.)
- A. It is a block cipher.
- B. It is a stream cipher.
- C. It is used in AES.
- D. It is a symmetric cipher.
- E. It is used in SSL.
- F. It is an asymmetric cipher.
NEW QUESTION 11
Which statement about the TRUST action when configure an ACP is true?
- A. it allows traffic to pass without inspection only of the source matches with an address defined in the preprocessor list.
- B. It allows matched traffic through without inspection.
- C. It allows matched traffic to pass without inspection if the traffic source matches exists in the white list.
- D. It allows matched traffic through, but reverts to IPS inspection if a file inspection triggers malware alert.
NEW QUESTION 12
Drag each component of an Adaptive Wireless IPS deployment on the left to the matching description on the right
Explanation: 1-F, 2-E, 3-B, 4-G, 5-D, 6-C, 7-A
NEW QUESTION 13
Drag the ACI security principle on the left to its definition on the right.
Explanation: 1-6, 2-1, 3-5, 4-2, 5-3, 6-4
NEW QUESTION 14
Which two statements about DTLS are true? (Choose two.)
- A. If DPD is enabled.DTLS can fall back to a TLS connection.
- B. It is disabled by default if you enable SSL VPN on the interface.
- C. It uses two simultaneous IPSec tunnels to carry traffic.
- D. If DTLS is disabled on an interface, then SSL VPN connections must use SSL/TLS tunnels.
- E. Because if requires two tunnels, it may experience more latency issues than SSL connections.
NEW QUESTION 15
Which statement about Password Authentication Protocol is true?
- A. RADIUS –based PAP authentication logs successful authentication attempts only.
- B. Its password in encrypted with a certificate.
- C. It offers strong protection against brute force attacks.
- D. RADIUS –based PAP authentication is based on the RADIUS Password attribute
- E. It is the most secure authentication method supported for authentication against the internal Cisco ISE database
- F. It uses a two-way handshake with an encrypted password
NEW QUESTION 16
You are considering using RSPAN to capture traffic between several switches. Which two configuration aspects do you need to consider? (Choose two.)
- A. All switches need to be running the same IOS version.
- B. All distribution switches need to support RSPAN.
- C. Not all switches need to support RSPAN for it to work.
- D. The RSPAN VLAN need to be blocked on all trunk interfaces leading to the destination RSPAN switch.
- E. The RSPAN VLAN need to be allow on all trunk interfaces leading to the destination RSPAN switch.
Thanks for reading the newest 400-251 exam dumps! We recommend you to try the PREMIUM 2passeasy 400-251 dumps in VCE and PDF here: https://www.2passeasy.com/dumps/400-251/ (414 Q&As Dumps)
[TRY FREE] BUY 400-251 Full version( pdf+software ):