Cisco®
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
Scrum
All Vendors
  2. Home
  3. Exams
  4. Cisco®
  5. 400-007

Free 400-007 Exam Braindumps (page: 23)

Page 22 of 74
PDF with 382 Questions

According to the CIA triad principles for network security design, which principle should be priority for a Zero Trust network?

  1. requirement for data-in-motion encryption and 2FA authentication
  2. categorization of systems, data, and enterprise BYOD assets that are connected to network zones based on individual privacy needs
  3. ensuring that authorized users have high-availability system access from defined zones to defined systems or zones
  4. requirement for data-at-rest encryption for user identification within the VPN termination hardware

Answer(s): A

Explanation:

The CIA triad principles for network security design are confidentiality, integrity, and availability. In a Zero Trust network, the priority principle is confidentiality. This is because Zero Trust assumes that all users and devices are potentially malicious, and therefore, all traffic must be encrypted and authenticated before it is allowed to enter the network.

The other options are also important for network security, but they are not as critical as confidentiality. Categorizing systems, data, and BYOD assets is important for ensuring that the right level of security is applied to each asset. Ensuring that authorized users have high-availability system access is important for ensuring that users can access the systems they need when they need them. And requiring data-at-rest encryption for user identification within the VPN termination hardware is important for protecting user credentials.

However, all of these things can be done without compromising confidentiality. If confidentiality is not maintained, then all of the other security measures are pointless. Therefore, the priority principle for a Zero Trust network is confidentiality.



Which two points must network designers consider when designing a new network design or when evaluating an existing network design to help them understand the high-level design direction with regards to the security aspects? (Choose two.)

  1. Consider for only complex networks
  2. Consider organization's security policy standards
  3. Consider for only new network technologies and components
  4. Consider for only multi-site networks
  5. Consider Business objectives and goals

Answer(s): B,E

Explanation:

The correct answers are B. Consider organization's security policy standards and E. Consider Business objectives and goals.

When designing a new network design or when evaluating an existing network design, it is important to consider the organization's security policy standards. This will help to ensure that the network is designed in a way that meets the organization's security requirements. It is also important to consider the business objectives and goals of the organization. This will help to ensure that the network is designed in a way that supports the organization's business needs.

The other options are not as important as security policy standards and business objectives. Complex networks, new network technologies and components, and multi-site networks can all be factors that affect the security of a network, but they are not as critical as security policy standards and business objectives.



Company XYZ is designing the network for IPv6 security and they have these design requirements:

•A switch or router must deny access to traffic from sources with addresses that are correct, but are topologically incorrect.
•Devices must block Neighbor Discovery Protocol resolutions for destination addresses that are not found in the binding table.

Which two IPv6 security features are recommended for this company? (Choose two.)

  1. IPv6 RA Guard
  2. IPv6 Destination Guard
  3. IPv6 Prefix Guard
  4. IPv6 Source Guard
  5. IPv6 DHCP Guard

Answer(s): B,C

Explanation:

The IPv6 Destination Guard feature works with IPv6 neighbor discovery to ensure that the device performs address resolution only for those addresses that are known to be active on the link.

The IPv6 Prefix Guard feature works within the IPv6 Source Guard feature, enabling the device to deny traffic originated from nontopologically correct addresses.


Reference:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16/ip6f-xe-16-book/ip6-src-guard.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16/ip6f-xe-16-book/ipv6-dest-guard.html



Company XYZ wants to improve the security design of their network to include protection from reconnaissance and DoS attacks on their subinterfaces destined toward next hop routers. Which technology can be used to prevent these types of attacks?

  1. DPP
  2. CPPr
  3. CoPP
  4. MPP

Answer(s): C

Explanation:

Control Plane Policing (CoPP) is a Cisco technology that can be used to prevent reconnaissance and DoS attacks on subinterfaces destined toward next hop routers. CoPP works by monitoring the control plane traffic on a router and dropping packets that match certain criteria. This can help to prevent attackers from gaining information about the router's configuration or from flooding the router with traffic.

The other options are not as suitable for preventing these types of attacks. Dynamic Packet Prioritization (DPP) is used to prioritize traffic based on its type. Cisco Packet Policing (CPPr) is used to limit the amount of traffic that a router can receive or transmit. Multiprotocol Label Switching (MPLS) is a technology that can be used to encapsulate traffic and forward it across a network.


Reference:

https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/catalyst6500/ios/15-4SY/cisco-copp-feature-guide.pdf






Post your Comments and Discuss Cisco® 400-007 exam with other Community members:

Exam Discussions & Posts