[Free] Download New Latest (November) Juniper JN0-632 Actual Tests Topic 1, Volume A part 02

Ensurepass

QUESTION 11 (Topic 1)

Click the Exhibit button.

In the process of securing your network from network reconnaissance, you notice that a large number of random packets are destined for unused segments on your network.

Referring to the exhibit, how should you secure the borders from these attacks while allowing legitimate traffic to pass through?

A. Configure SYN fragment protection to prevent these types of packets from entering the network.

B. Configure IP sweep protection to rate-limit the number of allowed packets.

C. Configure TCP sweep protection to rate-limit the number of allowed packets to enter

D. Configure the teardrop screen to prevent these types of packets from entering your network.

Answer: C

Explanation: In a TCP Sweep attack, an attacker sends TCP SYN packets to the target device as part of the TCP handshake. If the device responds to those packets, the attacker gets an indication that a port in the device is open, which makes the port vulnerable to attack. The TCP Sweep SCREEN option restricts the session establishment between the source IP (the attacker) and the destination IP (the target device) based on the number of attempts made by the attacker within a particular timeframe. The default threshold is 50 packets per second. If the number of attempts exceeds 50, the security device does not establish the connection. You can set the threshold to a value between 1 and 5000 packets per second.

Reference: http://help.juniper.net/help/english/6.2.0/zone_ids_edit_cnt.htm

QUESTION 12 (Topic 1)

Click the Exhibit button.

In the exhibit, traffic from the client is routed to Server A by default. You have just implemented filter-based forwarding to redirect specific traffic from the client to Server B. Server B will then send that traffic to Server A. After finalizing this implementation, you notice reverse traffic from Server A back to the client is being dropped.

Which statement describes why the reverse traffic is being dropped?

A. The filter-based forwarding unidirectional-only option has been enabled.

B. The MAC caching configuration option has not been enabled.

C. The Junos OS performs a route lookup on the reverse traffic and drops the traffic due to a zone mismatch.

D. The Junos OS performs a security policy check in the fast path packet flow on traffic matched by a stateless filter.

Answer: C

Reference: http://juniper.ilkom.unsri.ac.id/stepbystep/Junos%20Security.pdf

QUESTION 13 (Topic 1)

You are working at a service provider that offers only residential access to DSL subscribers. Your company has decided to make customer traffic subject to further inspection.

When you install a new IPS machine in the network, where should you place it?

A. as close as possible to the server farm that runs the company’s Web and DNS servers

B. between the dual-homed upstream routers and the firewalls

C. as close to the B-RAS devices as possible

D. in the middle of the network

Answer: C

Explanation: B-RAS devices concentrate the traffic from remote DSL subscribers, so the IPS machine should be placed as close to the B-RAS as possible.

QUESTION 14 (Topic 1)

You want to implement an IPS rule base action in which matching traffic is dropped.

Which configuration parameter meets this requirement?

A. no-action

B. drop-packet

C. accept

D. notification

Answer: B

Explanation: Actions specify the actions you want IDP to take when the monitored traffic matches the attack objects specified in the rules. The following table shows the actions you can specify for IDP rules:

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/understand-rule-action-section.html#understand-rule-action-section

QUESTION 15 (Topic 1)

You configured all the required parameters to allow IPv6 address book entries. You successfully committed the configuration. You noticed that IPv4 traffic is still working as expected, but IPv6 traffic is being dropped.

What is the solution to the problem? (Choose Two)

A. IPv4 and IPv6 address book entries will not work together

B. IPv6 flow-based mode must be enabled.

C. The SRX device must be rebooted.

D. IPv6 policy-based mode must be enabled.

Answer: BC

Explanation:

    [edit security forwarding-options]
    diriger# set family inet6 mode flow-based

    [edit security forwarding-options]
    diriger# exit

    [edit]
    diriger# commit
    warning: You have enabled/disabled inet6 flow.
    You must reboot the system for your change to take effect.
    If you have deployed a cluster, be sure to reboot all nodes.
    commit complete

    [edit]

Reference:

http://blog.kramse.org/blojsom/blog/default/IPv6/Juniper-SRX210-Junos-10-2-flow-based-IPv6-forwarding?smm=y

http://blog.kramse.org/blojsom/blog/default/IPv6/JUNOS-software-on-SRX-basic-IPv6-configuration?smm=y

QUESTION 16 (Topic 1)

Click the Exhibit button.

In the exhibit, a chassis cluster is deployed in active/active mode. This chassis cluster control and fabric links are connected through 100 Mbps WAN connections. During peak data usage times the chassis cluster becomes disabled even though the rate of new connections through the cluster is relatively low.

What is the problem?

A. Control and fabric link WAN connections are not supported through a non-Ethernet-based technology. VPLS must be used instead.

B. Control link heartbeats are being lost during peak data usage times. The WAN connection that supports the control link must be upgraded to support greater bandwidth.

C. Fabric link probes are being lost during peak data usage times. The WAN connection that supports the fabric link must be upgraded to support greater bandwidth.

D. Latency across a WAN connection will always exceed the recommended 100 ms limit. The chassis cluster will always enter the disabled state during peak data usage.

Answer: B

Explanation: If the control link fails, Junos OS disables the secondary node to prevent the possibility of each node becoming primary for all redundancy groups, including redundancy group 0.

A control link failure is described as not receiving heartbeats over the control link; however, heartbeats are still received over the fabric link.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/chassis-cluster-control-link-failure-recovery-understanding.html

QUESTION 17 (Topic 1)

What are two implementations of NAT? (Choose two.)

A. source NAT

B. group NAT

C. filter-based NAT

D. destination NAT

Answer: AD

Explanation:

A – Source NAT is the translation of the source IP address of a packet leaving the Juniper Networks device. Source NAT is used to allow hosts with private IP addresses to access a public network.

D – Destination NAT is the translation of the destination IP address of a packet entering the Juniper Networks device. Destination NAT is used to redirect traffic destined to a virtual host (identified by the original destination IP address) to the real host (identified by the translated destination IP address).

Reference:

http://www.juniper.net/techpubs/en_US/junos10.4/topics/example/nat-security-source-and-destination-nat-translation-configuring.html

http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/network-address-translation-overview.html

QUESTION 18 (Topic 1)

Company A and Company B are using the same IP address space. You are using static NAT to provide dual translation between the two networks.

Which two additional requirements are needed to fully allow end-to-end communication? (Choose two.)

A. route information for each remote device

B. persistent-nat

C. required security policies

D. no-nat-traversal

Answer: AC

Reference:

http://www.juniper.fr/techpubs/en_US/junos10.4/topics/example/nat-twice-configuring.html

http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

QUESTION 19 (Topic 1)

You have been asked to configure a signature to block an attack released by a security vulnerability reporting agency.

Which two characteristics of the attack must you understand to configure the attack object? (Choose two.)

A. the source port of the attacker

B. a string or regular expression that occurs within the attack

C. the context where the attack pattern is found within the packet

D. the IPv4 routing header

Answer: BC

Reference: http://www.juniper.net/techpubs/en_US/nsm2011.1/topics/task/configuration/attack-signature-attack-object-creating-nsm.html

QUESTION 20 (Topic 1)

In planning for your core data center’s SRX5800 cluster software upgrade, minimal downtime is requested by your management team.

With a goal to achieve maximum uptime, how should you upgrade the SRX cluster?

A. Preload the software onto the SRX devices and then issue the following command at the same time on both SRX devices: request system software add <package-name> reboot

B. Use in-service software upgrade using the following command: request system software in-service-upgrade <package-name> reboot.

C. Preload the software onto the SRX devices and then issue the following command at the same time on both SRX devices: request system software add no-validate <package-name> reboot.

D. Use an in-service software upgrade using the following command: request system software in-service upgrade <package-name> restart.

Answer: B

Explanation: The in-service software upgrade (ISSU) feature allows a chassis cluster pair to be upgraded or downgraded from supported JUNOS versions with a traffic impact similar to that of redundancy group failovers. Before upgrading, you should perform failovers so that all redundancy groups are active on only one device. It is recommended that routing protocols graceful restart be enabled prior to initiating an ISSU.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-reference/request-system-software-in-service-upgrade.html
