[Free] Download New Latest (November) Juniper JN0-632 Actual Tests Topic 2, Volume B part 07


QUESTION 131  (Topic 2)

 

Your company has VPNs that connect to other companies. The company wants to use certificates with a recognized third-party certificate authority.

 

Which two steps are required to use certificates with a certificate authority? (Choose two)

 

A. Configure a CRL

B. Configure RSA signatures for the IKE authentication method

C. Configure DSA signatures for the IKE authentication method

D. Generate a certificate request for the SRX device

 

Answer: BD

 

 

Explanation: To use certificates with a certificate authority, you have to set the IKE authentication method in the Phase 1 proposal to “rsa-signatures”. The rsa-signatures attribute signifies certificates using RSA key generation. Before you can use certificate-based authentication, you have to generate a certificate request for each participating SRX device. You can do this by issuing the command:

request security pki generate-certificate-request

 

Reference: http://jsrx.juniperwiki.com/index.php?title=JNCIE-SEC#Certificates

 

 

QUESTION 132  (Topic 2)

 

Click the Exhibit button.

 

 

 

 

 

[Exhibit image not included]

 

You are troubleshooting a new IPsec VPN tunnel that is failing to establish an IKE security association between SRX Series devices.

 

What is a possible cause for this problem?

 

A. Mismatched Phase 1 proposals

B. Missing Phase 1 proposal on the responder

C. Mismatched Phase 2 proposals

D. Missing Phase 2 proposal on the responder

 

Answer: A

 

 

QUESTION 133  (Topic 2)

 

Which statement accurately describes an idle scan?

 

A. A scanning method where “stealth” packets (packets without any flags set) are sent from an attacker to a remote target host through IDS systems.

B. A scanning method that scans all idle TCP connections on a remote target host to hijack them, so that you can take advantage of an authenticated data connection.

C. A scanning method where long idle periods exist between the scanning packets sent so IDS systems do not sense the scan attack.

D. A scanning method where a “zombie” host is used by an attacker to exploit a predictable IP fragmentation ID sequence and to discover open ports on the target host.

 

Answer: D

 

 

Explanation: The idle scan is a TCP port scan method that consists of sending spoofed packets to a computer to find out what services are available. This is accomplished by impersonating another computer called a “zombie” (that is not transmitting or receiving information) and observing the behavior of the zombie system.

Reference: http://nmap.org/book/idlescan.html

http://en.wikipedia.org/wiki/Idle_scan


QUESTION 134  (Topic 2)

 

A user residing in the trust zone of the SRX Series device cannot access a Web page hosted on a server in the DMZ zone. You verify that an active security policy exists on the SRX device that allows the user’s PC to access the Web server with the application HTTP. However, you do not see the security policy access counter increment, nor do you see any information in the log file associated with the security policy.

 

What is causing the problem?

 

A. A security policy exists further down the list that is denying the user access to Web server traffic.

B. No route exists on the SRX device to the destination server.

C. A firewall filter is applied to the egress interface.

D. The policy rematch option is disabled for the session configuration.

 

Answer: B

 

 

Explanation: Without a correct route to the Web server in the DMZ zone, the packet will be dropped.

 

 

QUESTION 135  (Topic 2)

 

You have been asked to secure your network from as many network reconnaissance activities as possible.

 

Which three screens would be helpful in blocking these types of activities? (Choose three.)

 

 

 

 

 

[Exhibit image not included]

 

A. Option A

B. Option B

C. Option C

D. Option D

E. Option E

 

Answer: BCD

Explanation: Packets with the source-route option create load on the CPU and may create a security risk. A TCP header with the FIN flag set but not the ACK flag is anomalous TCP behavior, causing various responses from the recipient, depending on the OS. Blocking packets with the FIN flag and without the ACK flag helps prevent OS probes. Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address.

 

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/reference/statement-hierarchy/security-screen.html

 

 

QUESTION 136  (Topic 2)

 

Which IPS inspection step is completed last?

 

A. reassembly of packet fragments

B. identification of attack signatures

C. location of protocol anomalies

D. tracking of packets in sessions and flows

 

Answer: B

 

 

QUESTION 137  (Topic 2)

 

A security alert has been issued for an application running on your network that exploits a buffer overflow to compromise the application. The security alert specifies that initial client-to-server communication will contain the string “~hack-app”, followed by the string “&&-phase-2//” or the string “bad7string”.

 

Which type of IPS custom signature is required to block the traffic?

 

A. a signature attack object for each of the specified strings

B. a compound attack object

C. a protocol anomaly attack object

D. a regular expression matching the identified strings

 

Answer: B

 

 

QUESTION 138  (Topic 2)

 

 

 

 

Click the Exhibit button.

 

[Exhibit image not included]

 

You created the IPS policy displayed in the exhibit and find that the policy is not being used to inspect traffic.

 

What must you do to activate the policy?

 

A. You must import and activate the IPS signature database to the SRX Series device.

B. You must run the set security idp active-policy base-policy command and commit the configuration.

C. You must run the set security idp activate base-policy command and commit the configuration.

D. You must use the commit activate-ips command to recompile the IPS rule base.

 

Answer: B

 

 

Explanation: A new policy must be activated with the set security idp active-policy base-policy command.

 

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42460.html?searchid=1320438879836

 

 

 

 

 

 

QUESTION 139  (Topic 2)

 

You loaded the attack database on your SRX device, but it must be installed.

 

Which command statement installs the attack database?

 

A. request system security-package add /var/tmp/idp.tar.tgz

B. request security idp security-package install

C. request security idp security-package install package

D. request security idp security-package install database

 

Answer: B

 

 

Explanation: The command request security idp security-package install is used to install the signature DB onto the control and data planes.

 

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB15806&actp=search&viewlocale=en_US&searchid=1320424816614

 

 

QUESTION 140  (Topic 2)

 

Click the Exhibit button.

 

 

 

 

 

[Exhibit image not included]

 

Which statement is true regarding the session displayed in the exhibit?

 

A. The session must be a transit session.

B. The session must be a local session.

C. The session traverses more than one routing-instance.

D. The session traverses only one routing-instance.

 

Answer: D

 

 

Explanation: The session tokens match (0x20a) for In and Out parts. This indicates that the session traverses only one routing-instance.

 
