PCNSA 4.3 and 4.4 | 30 Questions with Verified Answers

Safe Search - CORRECT ANSWER Filters out pornographic images and videos in search query return traffic.

Safe Search Enforcement - CORRECT ANSWER When enabled, the firewall blocks search results if the end user is not using the strictest safe search settings in the search query. The firewall can enforce this for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube. This is a best-effort setting and is not guaranteed by the search providers to work with every website.

HTTP Header Logging - CORRECT ANSWER Provides visibility into the attributes included in the HTTP request sent to a server.

1. User Agent 2. Referer 3. X-Forwarded-For - CORRECT ANSWER 3 kinds of attributes recorded in the URL filtering log.

User Agent - CORRECT ANSWER The web browser that the user used to access the URL. This information is sent in the HTTP request to the server. For example, the User Agent can be Internet Explorer or Firefox.

Referer - CORRECT ANSWER The URL of the webpage that linked the user to another webpage. It is the source that redirected (referred) the user to the webpage that is being requested.

X-Forwarded-For - CORRECT ANSWER The header field option that preserves the IP address of the user who requested the webpage. It enables you to identify the IP address of the user, which is particularly useful if you have a proxy server on your network or you have implemented source NAT that is masking the user's IP address such that all requests seem to originate from the proxy server's IP address or a common IP address.

A. User-Agent D. X-Forwarded-For - CORRECT ANSWER Which two HTTP Header Logging options are within a URL Filtering Profile? (Choose two.) A. User-Agent B. Safe Search C. URL redirection D. X-Forwarded-For

Denial-of-service (DoS) protection - CORRECT ANSWER Which is based on analysis of packet headers to detect threats rather than signatures.

DoS Attack - CORRECT ANSWER Attempts to make network devices unreachable by disrupting services. These attacks usually come from the internet but can come from misconfigured or compromised internal devices. The typical method is to flood the target with resource requests until the requests consume all the target's available resources: memory, CPU cycles, and bandwidth. Typical targets are internet-facing devices that users can access from outside the corporate network, such as web servers and database servers.

1. Zone Protection Profiles 2. DoS Protection Profiles and policy rules 3. Packet buffer protection - CORRECT ANSWER Three DoS attack mitigation tools

Zone Protection Profiles - CORRECT ANSWER Apply only to new sessions in ingress zones and provide broad protection against flood attacks by limiting the connections-per-second (CPS) to the firewall, plus protection against reconnaissance (port scans and host sweeps), packet-based attacks, and Layer 2 protocol-based attacks.

DoS Protection Profiles and policy rules - CORRECT ANSWER Provide granular protection of specific, critical devices for new sessions. Classified profiles protect individual devices by limiting the CPS for a specific device or specific devices. Aggregate profiles limit the total CPS for a group of devices but don't limit the CPS for a particular device in the group to less than the total allowed for the group, so one device still might receive most of the connection requests.

Packet buffer protection - CORRECT ANSWER Protects against single-session DoS attacks that attempt to overwhelm the firewall's packet buffer.

Zone Protection Profile - CORRECT ANSWER Is applied to an ingress zone. It offers protection against floods, reconnaissance attacks, and other packet-based attacks. It is broad-based protection and is not designed to protect a specific end host or traffic going to a particular destination zone. Only a single Zone Protection Profile can be applied to a zone. It is enforced only when there is no session match for the packet because zone protection is based on new CPS, not on packets per second (pps). If the packet matches an existing session, it will bypass the Zone Protection Profiles.

• SYN (TCP) • UDP • ICMP • ICMPv6 • Other IP - CORRECT ANSWER Zone Protection Profiles protect against five types of floods:

SYN Random Early Drop - CORRECT ANSWER This feature causes TCP SYN packets to be dropped to mitigate a flood attack. When the flow exceeds the Activate rate threshold, the firewall drops individual SYN packets randomly to restrict the flow. When the flow exceeds the Maximum rate threshold, 100% of incoming SYN packets are dropped.

SYN Cookies - CORRECT ANSWER This feature causes the firewall to act like a proxy, intercept the TCP SYN, generate a cookie on behalf of the server to which the SYN was directed, and send a SYN-ACK with the cookie to the original source. Only when the source returns an ACK with the cookie to the firewall does the firewall consider the source valid and forward the SYN to the server. This is the preferred configuration option.

UDP flood protection - CORRECT ANSWER Is activated when the number of UDP packets (not matching an existing session) the zone receives per second exceeds the Activate threshold. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the UDP packets if the incoming rate drops below the Activate threshold.

ICMP flood protection - CORRECT ANSWER Is activated when the number of ICMP packets (not matching an existing session) the zone receives per second exceeds the Activate threshold. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the ICMP packets if the incoming rate drops below the Activate threshold.

ICMPv6 - CORRECT ANSWER Is activated when the number of ICMPv6 packets (not matching an existing session) the zone receives per second exceeds the Activate threshold. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the ICMPv6 packets if the incoming rate drops below the Activate threshold.

Other IP flood protection - CORRECT ANSWER Is activated when the number of non-IP packets (not matching an existing session) the zone receives per second exceeds the Activate threshold. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the Other IP packets if the incoming rate drops below the Activate threshold.

Reconnaissance protection - CORRECT ANSWER Protects against reconnaissance attacks, which are the first type of attacks within a cyberattack lifecycle. During the first stage of the attack lifecycle, cyberattackers carefully plan their method of attack. They research, identify, and select targets within an organization, such as human resources and financial personnel, that will enable them to meet their objectives.

1. Performing continuous inspection of network traffic flows to detect and prevent port scans and host sweeps. 2. Implementing security awareness by limiting what should be posted on the internet. Examples of content that should not be posted are sensitive documents, customer lists, event attendees, job roles, and responsibilities. - CORRECT ANSWER How to prevent a reconnaissance attack.

• IP Drop • TCP Drop • ICMP Drop • IPv6 Drop • ICMPv6 Drop - CORRECT ANSWER The five major categories of packet-based attack protection.

IP Drop - CORRECT ANSWER Drop Unknown and Malformed packets.

TCP Drop - CORRECT ANSWER Retain the default TCP SYN with Data and TCP SYNACK with Data drops, drop Mismatched overlapping TCP segment and Split Handshake packets, and strip the TCP Timestamp from packets.

Protocol Protection - CORRECT ANSWER Defends against non-IP protocol-based attacks. Use it to block or allow non-IP protocols between security zones on a Layer 2 VLAN or on a virtual wire, or between interfaces within a single zone on a Layer 2 VLAN (Layer 3 interfaces and zones drop non-IP protocols, so non-IP Protocol Protection doesn't apply).

Ethernet SGT Protection - CORRECT ANSWER When your firewall is part of a Cisco TrustSec network, the firewall now can inspect headers with 802.1Q (Ethertype 0x8909) for specific Layer 2 Security Group Tag (SGT) values and drop the packet if the SGT matches the list configured in the Zone Protection Profile attached to the interface.

A. Zone Protection Profile B. DoS Protection Profile and policy rules - CORRECT ANSWER What are the two components of Denial-of-Service Protection? (Choose two.) A. Zone Protection Profile B. DoS Protection Profile and policy rules C. flood protection D. reconnaissance protection
About the document
Uploaded on: Oct 09, 2023
Number of pages: 6