400-251...AMP for networks, AMP for endpoints, and AMP for content security (CWS, ESA, and WSA) 3...

400-251

CCIE Security Written Exam

NWExam.com

Exam Summary – Syllabus – Questions

SUCCESS GUIDE TO CISCO CERTIFICATION

400-251 Sample Questions and Exam Summary ____________________________________________________________________________________

____________________________________________________________________________________ 400-251- CCIE Security pg. 1

Table of Contents Introduction to 400-251 Exam on CCIE Security Written Exam ................... 2

Cisco 400-251 Certification Details: ......................................................... 2

Cisco 400-251 Exam Syllabus: .................................................................. 3

400-251 Sample Questions: ................................................................... 11

Answers to 400-251 Exam Questions: .................................................... 12


____________________________________________________________________________________ 400-251- CCIE Security pg. 2

Introduction to 400-251 Exam on CCIE Security

Written Exam A great way to start the Cisco Certified Internetwork Expert Security (CCIE S) preparation is to begin by properly appreciating the role that syllabus and study guide play in the Cisco 400-251 certification exam. This study guide is an instrument to get you on the

same page with Cisco and understand the nature of the Cisco CCIE Security exam.

Our team of experts has composed this Cisco 400-251 exam preparation guide to provide the overview about Cisco CCIE Security Written Exam exam, study material, sample

questions, practice exam and ways to interpret the exam objectives to help you assess your readiness for the Cisco CCIE S exam by identifying prerequisite areas of knowledge. We recommend you to refer the simulation questions and practice test listed in this guide

to determine what type of questions will be asked and the level of difficulty that could be tested in the Cisco CCIE Security certification exam.

Cisco 400-251 Certification Details:

Exam Name CCIE Security Written Exam

Exam Number 400-251 CCIE S

Exam Price $450 USD

Duration 120 minutes

Number of Questions 90-110

Passing Score Variable (750-850 / 1000 Approx.)

Exam Registration PEARSON VUE

Sample Questions Cisco 400-251 Sample Questions

Practice Exam Cisco Certified Internetwork Expert Security

Practice Test

http://www.vue.com/cisco/

https://www.nwexam.com/cisco/cisco-400-251-certification-exam-sample-questions-and-answers

https://www.nwexam.com/cisco/400-251-ccie-security-ccie-s

https://www.nwexam.com/cisco/400-251-ccie-security-ccie-s


____________________________________________________________________________________ 400-251- CCIE Security pg. 3

Cisco 400-251 Exam Syllabus:

Section Weight Written

Weight Lab

Objectives

Perimeter Security and Intrusion

Prevention

21% 23%

1 Describe, implement, and troubleshoot HA features on Cisco ASA and Cisco FirePOWER Threat Defense (FTD)

2 Describe, implement, and troubleshoot clustering on Cisco ASA and Cisco FTD

3 Describe, implement, troubleshoot, and secure routing protocols on Cisco ASA and Cisco FTD

4 Describe, implement, and troubleshoot different deployment modes such as routed,

transparent, single, and multicontext on Cisco ASA and Cisco FTD

5 Describe, implement, and troubleshoot firewall features such as NAT (v4,v6), PAT, application inspection, traffic zones, policy-

based routing, traffic redirection to service modules, and identity firewall on Cisco ASA and Cisco FTD

6 Describe, implement, and troubleshoot IOS security features such as Zone-Based

Firewall (ZBF), application layer inspection, NAT (v4,v6), PAT and TCP intercept on Cisco IOS/IOS-XE

7 Describe, implement, optimize, and troubleshoot policies and rules for traffic

control on Cisco ASA, Cisco FirePOWER and Cisco FTD

8 Describe, implement, and troubleshoot Cisco Firepower Management Center (FMC) features such as alerting, logging, and

reporting

9 Describe, implement, and troubleshoot

correlation and remediation rules on Cisco FMC

10 Describe, implement, and troubleshoot Cisco FirePOWER and Cisco FTD deployment such as in-line, passive, and TAP modes


____________________________________________________________________________________ 400-251- CCIE Security pg. 4


Weight Lab

Objectives

11 Describe, implement, and troubleshoot Next Generation Firewall (NGFW) features

such as SSL inspection, user identity, geolocation, and AVC (Firepower appliance)

12 Describe, detect, and mitigate common types of attacks such as DoS/DDoS, evasion techniques, spoofing, man-in-the-middle,

and botnet

Advanced Threat Protection and Content Security

17% 19%

1 Compare and contrast different AMP

solutions including public and private cloud deployment models

2 Describe, implement, and troubleshoot AMP for networks, AMP for endpoints, and AMP for content security (CWS, ESA, and

WSA)

3 Detect, analyze, and mitigate malware

incidents

4 Describe the benefit of threat intelligence

provided by AMP Threat GRID

5 Perform packet capture and analysis using

Wireshark, tcpdump, SPAN, and RSPAN


web filtering, user identification, and Application Visibility and Control (AVC)

7 Describe, implement, and troubleshoot mail policies, DLP, email quarantines, and SenderBase on ESA

8 Describe, implement, and troubleshoot SMTP authentication such as SPF and DKIM

on ESA

9 Describe, implement, and troubleshoot SMTP encryption on ESA

10 Compare and contrast different LDAP query types on ESA

11 Describe, implement, and troubleshoot WCCP redirection


____________________________________________________________________________________ 400-251- CCIE Security pg. 5


Weight Lab

Objectives

12 Compare and contrast different proxy methods such as SOCKS, Auto

proxy/WPAD, and transparent


HTTPS decryption and DLP

14 Describe, implement, and troubleshoot CWS connectors on Cisco IOS routers, Cisco

ASA, Cisco AnyConnect, and WSA

15 Describe the security benefits of

leveraging the OpenDNS solution.


SMA for centralized content security management

17 Describe the security benefits of leveraging Lancope

Secure Connectivity

and Segmentation 17% 19%

1 Compare and contrast cryptographic and hash algorithms such as AES, DES, 3DES, ECC, SHA, and MD5

2 Compare and contrast security protocols such as ISAKMP/IKEv1, IKEv2, SSL,

TLS/DTLS, ESP, AH, SAP, and MKA

3 Describe, implementc and troubleshoot

remote access VPN using technologies such as FLEXVPN, SSL-VPN between Cisco firewalls, routers, and end hosts

4 Describe, implement, and troubleshoot the Cisco IOS CA for VPN authentication

5 Describe, implement, and troubleshoot clientless SSL VPN technologies with DAP

and smart tunnels on Cisco ASA and Cisco FTD


site-to-site VPNs such as GETVPN, DMVPN and IPsec

7 Describe, implement, and troubleshoot uplink and downlink MACsec (802.1AE)


____________________________________________________________________________________ 400-251- CCIE Security pg. 6


Weight Lab

Objectives

8 Describe, implement, and troubleshoot VPN high availability using Cisco ASA VPN

clustering and dual-hub DMVPN deployments

9 Describe the functions and security implications of cryptographic protocols such as AES, DES, 3DES, ECC, SHA, MD5,

ISAKMP/IKEv1, IKEv2, SSL, TLS/DTLS, ESP, AH, SAP, MKA, RSA, SCEP/EST, GDOI, X.509, WPA, WPA2, WEP, and TKIP

10 Describe the security benefits of network segmentation and isolation

11 Describe, implement, and troubleshoot VRF-Lite and VRF-Aware VPN

12 Describe, implement, and troubleshoot microsegmentation with TrustSec using SGT and SXP

13 Describe, implement, and troubleshoot infrastructure segmentation methods such

as VLAN, PVLAN, and GRE

14 Describe the functionality of Cisco VSG

used to secure virtual environments

15 Describe the security benefits of data

center segmentation using ACI, EVPN, VXLAN, and NVGRE

Identity

Management, Information Exchange, and

Access Control

22% 24%

1 Describe, implement, and troubleshoot various personas of ISE in a multinode deployment

2 Describe, implement, and troubleshoot network access device (NAD), ISE, and ACS

configuration for AAA


AAA for administrative access to Cisco network devices using ISE and ACS

4 Describe, implement, verify, and troubleshoot AAA for network access with 802.1X and MAB using ISE.


____________________________________________________________________________________ 400-251- CCIE Security pg. 7


Weight Lab

Objectives

5 Describe, implement, verify, and troubleshoot cut-through proxy/auth-proxy

using ISE as the AAA server

6 Describe, implement, verify, and

troubleshoot guest life cycle management using ISE and Cisco network infrastructure


troubleshoot BYOD on-boarding and network access flows with an internal or external CA

8 Describe, implement, verify, and troubleshoot ISE and ACS integration with

external identity sources such as LDAP, AD, and external RADIUS

9 Describe ISE and ACS integration with external identity sources such as RADIUS Token, RSA SecurID, and SAML

10 Describe, implement, verify, and troubleshoot provisioning of AnyConnect

with ISE and ASA


troubleshoot posture assessment with ISE


troubleshoot endpoint profiling using ISE and Cisco network infrastructure including device sensor

13 Describe, implement, verify, and troubleshoot integration of MDM with ISE

14 Describe, implement, verify, and troubleshoot certificate based

authentication using ISE


troubleshoot authentication methods such as EAP Chaining and Machine Access Restriction (MAR)

16 Describe the functions and security implications of AAA protocols such as

RADIUS, TACACS+, LDAP/LDAPS, EAP


____________________________________________________________________________________ 400-251- CCIE Security pg. 8


Weight Lab

Objectives

(EAP-PEAP, EAP-TLS, EAP-TTLS, EAP-FAST, EAP-TEAP, EAP- MD5, EAP-GTC),

PAP, CHAP, and MS-CHAPv2


identity mapping on ASA, ISE, WSA and FirePOWER


pxGrid between security devices such as WSA, ISE, and Cisco FMC

Infrastructure Security,

Virtualization, and Automation

13% 15%

1 Identify common attacks such as Smurf, VLAN hopping, and SYNful knock, and their mitigation techniques

2 Describe, implement, and troubleshoot device hardening techniques and control

plane protection methods, such as CoPP and IP Source routing.

3 Describe, implement, and troubleshoot management plane protection techniques such as CPU and memory thresholding and

securing device access


data plane protection techniques such as iACLs, uRPF, QoS, and RTBH

5 Describe, implement, and troubleshoot IPv4/v6 routing protocols security

6 Describe, implement, and troubleshoot Layer 2 security techniques such as DAI, IPDT, STP security, port security, DHCP

snooping, and VACL


wireless security technologies such as WPA, WPA2, TKIP, and AES

8 Describe wireless security concepts such as FLEX Connect, wIPS, ANCHOR, Rogue AP, and Management Frame Protection

(MFP)


monitoring protocols such as


____________________________________________________________________________________ 400-251- CCIE Security pg. 9


Weight Lab

Objectives

NETFLOW/IPFIX, SNMP, SYSLOG, RMON, NSEL, and eSTREAMER

10 Describe the functions and security implications of application protocols such as

SSH, TELNET, TFTP, HTTP/HTTPS, SCP, SFTP/FTP, PGP, DNS/DNSSEC, NTP, and DHCP

11 Describe the functions and security implications of network protocols such as VTP, 802.1Q, TCP/UDP, CDP, LACP/PAgP,

BGP, EIGRP, OSPF/OSPFv3, RIP/RIPng, IGMP/CGMP, PIM, IPv6, and WCCP

12 Describe the benefits of virtualizing security functions in the data center using ASAv, WSAv, ESAv, and NGIPSv

13 Describe the security principles of ACI such as object models, endpoint groups,

policy enforcement, application network profiles, and contracts

14 Describe the northbound and southbound APIs of SDN controllers such as APIC-EM

15 Identify and implement security features to comply with organizational security policies, procedures, and standards such as

BCP 38, ISO 27001, RFC 827, and PCI-DSS

16 Describe and identify key threats to different places in the network (campus, data center, core, edge) as described in

Cisco SAFE

17 Validate network security design for

adherence to Cisco SAFE recommended practices

18 Interpret basic scripts that can retrieve

and send data using RESTful API calls in scripting languages such as Python

19 Describe Cisco Digital Network Architecture (DNA) principles and components.


____________________________________________________________________________________ 400-251- CCIE Security pg. 10


Weight Lab

Objectives

Evolving Technologies

10% N/A

1 Cloud

a) Compare and contrast Cloud deployment

models

a) [i] Infrastructure, platform, and software services (XaaS)

a) [ii] Performance and reliability

a) [iii] Security and privacy

a) [iv] Scalability and interoperability

b) Describe Cloud implementations and operations

b) [i] Automation and orchestration

b) [ii] Workload mobility

b) [iii] Troubleshooting and management b) [iv] OpenStack components

2 Network Programmability (SDN) a) Describe functional elements of network

programmability (SDN) and how they interact a) [i] Controllers

a) [ii] APIs

a) [iii] Scripting

a) [iv] Agents

a) [v] Northbound vs. Southbound protocols

b) Describe aspects of virtualization and automation in network environments

b) [i] DevOps methodologies, tools and workflows

b) [ii] Network/application function

virtualization (NFV, AFV) b) [iii] Service function chaining

b) [iv] Performance, availability, and scaling

considerations

3 Internet of Things (IoT)

a) Describe architectural framework and deployment considerations for Internet of Things

a) [i] Performance, reliability and scalability

a) [ii] Mobility

a) [iii] Security and privacy

a) [iv] Standards and compliance

a) [v] Migration

a) [vi] Environmental impacts on the

network


____________________________________________________________________________________ 400-251- CCIE Security pg. 11

400-251 Sample Questions: 01. In the IOS Firewall Feature Set, CBAC does not?

a) Maintain state information for individual connections

b) Use state information to allow or deny network traffic

c) Use state information to allow or deny network traffic

d) Dynamically create and delete openings in the firewall

02. What is a limitation of Unicast RPF?

a) Cisco express switching (CES) must be enabled.

b) Multiple access-lists must be configured. c) A CA is required. d) Symmetrical routing is required.

03. How would you see the default IKE policy?

a) show running

b) wr t

c) show crypto isakmp policy

d) show crypto ike policy

e) wr m

04. According to RFC 1700, what well-known ports are used for DNS?

a) TCP and UDP 23.

b) UDP 53 only. c) TCP and UDP 53.

d) UDP and TCP 69.

05. How can you tell what hosts are on your local network?

a) The IP address of your host.

b) The subnet mask of your host. c) The remote router's IP address. d) Your hub's IP address.

06. What does split horizon do?

a) Keeps the router from sending routes out the same interface they came in.

b) Sends a "route delete" back down the same interface that the route came in. c) Ignores routing updates. d) Waits for the next update to come in before declaring the route unreachable.

07. Crypto maps do which of the following?

(Choose four.)

a) Define whether sa's are manual or via IKE. b) Define the transform set to be used. c) Define who the remote peer is.

d) Define the local address. e) Define which IP source addresses, destination addresses, ports, and protocols are to be encrypted.


____________________________________________________________________________________ 400-251- CCIE Security pg. 12

08. For the following options, which security reporting system is analogous to CS-MARS?

a) Security Incident Response System SIRT

b) Security Information Management System SIM

c) Security Reporting and Response System SRRS

d) Security Threat Mitigation System STM

09. What is the purpose of a CA?

(Choose two.)

a) Manage and issue certificates. b) Simplify administration of IPSec devices. c) Define traffic flow.

d) Help IPSec configurations to scale. e) Monitor IPSec statistics between sa's.

10. At which layers of the OIS model do firewalls typically operate?

(Choose three.) a) Application

b) Network

c) Transport d) Session

e) Physical

Answers to 400-251Exam Questions:

Question: 01

Answer: c

Question: 02

Answer: d

Question: 03

Answer: c

Question: 04

Answer: c

Question: 05

Answer: b

Question: 06

Answer: a

Question: 07

Answer: a, b, c, d

Question: 08

Answer: d

Question: 09

Answer: a, b

Question: 10

Answer: a, b, c

Note: If you find any typo or data entry error in these sample questions, we request you to update us by commenting on this page or write an email on

[email protected]

400-251...AMP for networks, AMP for endpoints, and AMP for content security (CWS, ESA, and WSA) 3...

Documents

Transcript of 400-251...AMP for networks, AMP for endpoints, and AMP for content security (CWS, ESA, and WSA) 3...