
JN0-332 NEW_formatted

Number:
Passing Score: 800
Time Limit: 120 min
File Version: 1.0

Juniper JN0-332

I selected what I thought were the correct answers when I compared juniper/2011/12/which-junos-hierarchy-level-are-security-policies-configured/ with those posted by hoavinh from exam collection, using the Juniper Networks Certified Internet Specialist, SEC (JNCIS-SEC) Practice Test Version 5.0.

Juniper JN0-332: Practice Exam
**************** UPDATED WITH NEW QUESTIONS FROM 6/25/2012 *************************
By: DD

Exam A

QUESTION 1
Which configuration keyword ensures that all in-progress sessions are re-evaluated upon committing a security policy change?
A. policy-rematch
B. policy-evaluate
C. rematch-policy
D. evaluate-policy

Correct Answer: A

Reference: Optionally Applying the policy-rematch Statement
The default behavior of the Junos OS is to not disturb sessions in progress when you make configuration changes to security policies. For example, you can modify an address field or modify the actions of a policy used for session examination. By default, because a session was pre-established, it continues to be operational without any interruption. You can change that default behavior by enabling the policy-rematch statement. Once you enable the statement, every configuration change to a policy is reflected in the sessions in progress. Configuration changes, such as source address, destination address, and application changes, cause policy re-evaluation as the system performs a policy lookup. If the newly matched policy is not the policy referred to by the session, the session is cleared. If an IPsec VPN change occurs, the Junos security platform clears the session. The following list explains the actions that the Junos OS performs on impacted sessions in progress, depending on whether the policy-rematch flag is enabled or disabled.

When the policy-rematch flag is enabled:
- The software inserts a policy: no impact.
- The software modifies the action field of a policy from permit to either deny or reject: all existing sessions are dropped.
- The software modifies some combination of the source address, destination address, and application fields: the Junos OS re-evaluates the policy lookup.

When the policy-rematch flag is disabled (default behavior):
- The software inserts a policy: no impact.
- The software modifies the action field of a policy from permit to either deny or reject: all existing sessions continue.
- The software modifies some combination of the source address, destination address, and application fields: all existing sessions continue unchanged.

Note that irrespective of the value of the policy-rematch flag, deletion of a policy causes the device to drop all impacted existing sessions.

QUESTION 2
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by AH? (Choose three.)
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication

Correct Answer: ACE

Reference: Example: Tunnel Mode AH Packets
AH authenticates only the immutable fields in the IP header. Fields like time to live (TTL) and type of service (ToS) change during packet transit, so these fields do not receive authentication. The new IP header contains protocol number 51, signifying AH. The AH header contains the following items:
- Next header: information on the next expected segment.
- Payload length: indicates the size of the payload.
- SPI: an arbitrary 32-bit value that, in combination with the destination IP address and security protocol (AH), uniquely identifies the security association for this datagram.
- Sequence number: an unsigned 32-bit field containing a monotonically increasing counter value (sequence number). It is used for anti-replay detection.

QUESTION 3
You must configure a SCREEN option that would protect your device from a session table flood. Which configuration meets this requirement?

A. [edit security screen]
   show ids-option protectfromflood
       icmp {
           ip-sweep threshold 5000;
           flood threshold 2000;
       }

B. [edit security screen]
   show ids-option protectfromflood
       tcp {
           syn-flood {
               attack-threshold 2000;
               destination-threshold 2000;
           }
       }

C. [edit security screen]
   show ids-option protectfromflood
       udp {
           flood threshold 5000;
       }

D. [edit security screen]
   show ids-option protectfromflood
       limit-session {
           source-ip-based 1200;
           destination-ip-based 1200;
       }

Correct Answer: D

Reference: SCREEN Options Best Practices
Prior to analyzing Junos SCREEN options in detail, we discuss best practice suggestions for SCREEN option use. You should understand the applications and their behavior within your network before you begin implementing features that might have an impact on legitimate traffic. Furthermore, you must understand the traffic patterns traversing your network. To determine appropriate thresholds for limit-based SCREEN functions, you must first know what is typical of your network. For example, if you want to enable SYN flood protection, you must first determine what constitutes an acceptable number of connection requests. This determination requires a period of observation and analysis to establish a baseline for typical traffic flows. You must also consider the maximum number of concurrent sessions required to fill up the session table of the particular Junos security platform you are using. To see the maximum number of sessions that your session table supports, use the CLI command show security flow session summary. Remember that the output of this command reports statistics for each Services Processing Unit (SPU) separately. You can use the alarm-without-drop statement, as illustrated on the graphic, to gather the traffic going to and through your Junos security platform. The gathered information might help you to better understand your network's vulnerabilities. Typically, you want to deploy SCREEN options only in vulnerable zones.

QUESTION 4
Which type of Web filtering by default builds a cache of server actions associated with each URL it has checked?
A. Websense Redirect Web filtering
B. integrated Web filtering
C. local Web filtering
D. enhanced Web filtering

Correct Answer: B

Reference: SurfControl Integrated Web Filtering
The first and most common Web filtering method is to use the in-the-cloud SurfControl server, which stores a database of categories and associated URLs. The SurfControl integrated option requires the purchase of a Juniper Web filtering license. Every time a user tries to access a site, the Juniper gateway (J Series or SRX Series) captures the requested URL and queries the SurfControl database. The server responds with the site's category, which is then used by a Web filtering policy on the gateway to allow or deny access.

QUESTION 5
Which security or functional zone name has special significance to the Junos OS?
A. self
B. trust
C. untrust
D. junos-global

Correct Answer: D

Reference: Functional Zone
A functional zone is used for special purposes, like management interfaces. Currently, only the management (MGT) zone is supported. Management zones have the following properties:
- Management zones host management interfaces.
- Traffic entering management zones does not match policies; therefore, traffic cannot transit out of any other interface if it was received on the management interface.
- Management zones can only be used for dedicated management interfaces.

Security Zone
Security zones are the building blocks for policies; they are logical entities to which one or more interfaces are bound. Security zones provide a means of distinguishing groups of hosts (user systems and other hosts, such as servers) and their resources from one another in order to apply different security measures to them. Security zones have the following properties:
- Policies: active security policies that enforce rules for the transit traffic, in terms of what traffic can pass through the firewall and the actions that need to take place on the traffic as it passes through the firewall. For more information, see Security Policies Overview.
- Screens: a Juniper Networks stateful firewall secures a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another. For every security zone, and the MGT zone, you can enable a set of predefined screen options that detect and block various kinds of traffic that the device determines as potentially harmful. For more information, see Reconnaissance Deterrence Overview.
- Address books: IP addresses and address sets that make up an address book to identify its members so that you can apply policies to them. For more information, see Configuring Address Books.
- TCP-RST: when this feature is enabled, the system sends a TCP segment with the RESET flag set when traffic arrives that does not match an existing session and does not have the SYNchronize flag set.
- Interfaces: list of interfaces in the zone.

Security zones have the following preconfigured zones:
- junos-global zone: defined in the JUNOS defaults and cannot be configured by the user. The global zone serves as a storage area for static NAT addresses and can be used in policies like any other security zone.
- Trust zone: available only in the factory configuration and used for the initial connection to the device. After you commit a configuration, the trust zone can be overridden.

QUESTION 6
Which command do you use to display the status of an antivirus database update?
A. show security utm anti-virus status
B. show security anti-virus database status
C. show security utm anti-virus database
D. show security utm anti-virus update

Correct Answer: A

Reference: show security utm anti-virus status

    show security utm anti-virus status
    Anti-virus key expire date:
    Update server:
    Interval: 1440 minutes
    Pattern update status: next update in 922 minutes
    Last result: download catalog file failed
    Anti-virus signature version: _00
    Anti-virus signature compiler version: N/A
    Scan engine type: juniper-express-engine
    Scan engine information: Engine not ready
    Pattern type: N/A
    Total number of signatures:
    New signatures (13):
        Backdoor.Win32.Frauder.ky
        Rootkit.Win32.Pakes.e
        Trojan-Downloader.Win32.Exchanger.agf
        Trojan-Downloader.Win32.Injecter.arc
        Trojan-PSW.Win32.LdPinch.abgp
        Trojan-Ransom.Win32.Hexzone.pr
        Trojan-Spy.Win32.Zbot.fgt
        Trojan-Spy.Win32.Zbot.fgv
        Trojan-Spy.Win32.Zbot.fgw
        Trojan-Spy.Win32.Zbot.fhc
        Trojan-Spy.Win32.Zbot.fhd
        Trojan.Win32.FraudPack.aju
        Trojan.Win32.Inject.isz
    Modified signatures (0):
    Removed signatures (1):
        Trojan-GameThief.Win32.OnLineGames.bjpk

QUESTION 7
Which statement contains the correct parameters for a route-based IPsec VPN?

A. [edit security ipsec]
   show
       proposal ike1-proposal {
           protocol esp;
           authentication-algorithm hmac-md5-96;
           encryption-algorithm 3des-cbc;
           lifetime-seconds 3200;
       }
       policy ipsec1-policy {
           perfect-forward-secrecy {
               keys group2;
           }
           proposals ike1-proposal;
       }
       vpn VpnTunnel {
           interface ge-0/0/1.0;
           ike {
               gateway ike1-gateway;
               ipsec-policy ipsec1-policy;
           }
           establish-tunnels immediately;
       }

B. [edit security ipsec]
   show
       proposal ike1-proposal {
           protocol esp;
           authentication-algorithm hmac-md5-96;
           encryption-algorithm 3des-cbc;
           lifetime-seconds 3200;
       }
       policy ipsec1-policy {
           perfect-forward-secrecy {
               keys group2;
           }
           proposals ike1-proposal;
       }
       vpn VpnTunnel {
           interface st0.0;
           ike {
               gateway ike1-gateway;
               ipsec-policy ipsec1-policy;
           }
           establish-tunnels immediately;
       }

C. [edit security ipsec]
   show
       proposal ike1-proposal {
           protocol esp;
           authentication-algorithm hmac-md5-96;
           encryption-algorithm 3des-cbc;
           lifetime-seconds 3200;
       }
       policy ipsec1-policy {
           perfect-forward-secrecy {
               keys group2;
           }
           proposals ike1-proposal;
       }
       vpn VpnTunnel {
           bind-interface ge-0/0/1.0;
           ike {
               gateway ike1-gateway;
               ipsec-policy ipsec1-policy;
           }
           establish-tunnels immediately;
       }

D. [edit security ipsec]
   show
       proposal ike1-proposal {
           protocol esp;
           authentication-algorithm hmac-md5-96;
           encryption-algorithm 3des-cbc;
           lifetime-seconds 3200;
       }
       policy ipsec1-policy {
           perfect-forward-secrecy {
               keys group2;
           }
           proposals ike1-proposal;
       }
       vpn VpnTunnel {
           bind-interface st0.0;
           ike {
               gateway ike1-gateway;
               ipsec-policy ipsec1-policy;
           }
           establish-tunnels immediately;
       }

Correct Answer: D

Reference: Route-based VPNs
Unlike the process for policy-based IPsec VPNs, for route-based IPsec VPNs a policy refers to a destination address, not an IPsec VPN tunnel. Because a destination address is used, route-based VPNs are generally the best VPNs to use when a routing protocol adjacency must be formed across the tunnel. When the Junos OS searches for a route that must send traffic to the destination address, it finds a route associated with a secure tunnel interface (st0.x). The tunnel interface is bound to a specific IPsec VPN tunnel, and traffic is routed to the tunnel if the policy action is permit. With a route-based IPsec VPN, in most cases, only one VPN exists between two sites. If you are implementing a route-based IPsec VPN, you must perform the following steps:
1. Configure the secure tunnel interface (st0.x).
2. Configure a static route or enable dynamic routing that points to the st0.x interface.
3. Add the st0.x interface to the appropriate security zone.
4. Bind the st0.x interface to the IPsec VPN.

QUESTION 8
Which zone is system-defined?
A. security
B. functional
C. junos-global
D. management

Correct Answer: C

Reference: Functional Zone / Security Zone (the same explanation as given under Question 5; the junos-global zone is defined in the JUNOS defaults and cannot be configured by the user.)

QUESTION 9
You want to allow your device to establish OSPF adjacencies with a neighboring device connected to interface ge-0/0/3.0. Interface ge-0/0/3.0 is a member of the HR zone. Under which configuration hierarchy must you permit OSPF traffic?
A. [edit security policies from-zone HR to-zone HR]
B. [edit security zones functional-zone management protocols]
C. [edit security zones protocol-zone HR host-inbound-traffic]
D. [edit security zones security-zone HR host-inbound-traffic protocols]

Correct Answer: D

Reference:
Any host-inbound traffic that corresponds to a protocol listed under the host-inbound-traffic option is allowed. For example, if anywhere in the configuration you map a protocol to a port number other than the default, you can specify the protocol in the host-inbound-traffic option, and the new port number will be used. A value of all indicates that traffic from all of the protocols is allowed inbound on the specified interfaces (of the zone, or a single specified interface).

Configuration
CLI Quick Configuration
To quickly configure inbound traffic based on protocols, copy the following commands and paste them into the CLI:

    [edit]
    set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services ping
    set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services ssh
    set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services traceroute
    set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf
    set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf3

Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode. To configure inbound traffic based on protocols:

1. Configure a security zone.
       [edit]
       edit security zones security-zone ABC
2. Configure the security zone to support inbound traffic for the ping system service on an interface.
       [edit security zones security-zone ABC]
       set interfaces ge-0/0/1.1 host-inbound-traffic system-services ping
3. Configure the security zone to support inbound traffic for the ssh system service on an interface.
       [edit security zones security-zone ABC]
       set interfaces ge-0/0/1.1 host-inbound-traffic system-services ssh
4. Configure the security zone to support inbound traffic for the traceroute system service on an interface.
       [edit security zones security-zone ABC]
       set interfaces ge-0/0/1.1 host-inbound-traffic system-services traceroute
5. Configure the security zone to support inbound traffic based on the ospf protocol on an interface.
       [edit security zones security-zone ABC]
       set interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf
6. Configure the security zone to support inbound traffic based on the ospf3 protocol on an interface.
       [edit security zones security-zone ABC]
       set interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf3

Results
Confirm your configuration by entering the show security zones security-zone ABC command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    show security zones security-zone ABC
    interfaces {
        ge-0/0/1.1 {
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    traceroute;
                }
                protocols {
                    ospf;
                    ospf3;
                }
            }
        }
    }

QUESTION 10
Which three statements are true regarding IDP? (Choose three.)
A. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
B. IDP inspects traffic up to the Application Layer.
C. IDP searches the data stream for specific attack patterns.
D. IDP inspects traffic up to the Presentation Layer.
E. IDP can drop packets, close sessions, prevent future sessions, and log attacks for review by network administrators when an attack is detected.

Correct Answer: BCE

Reference:
The Junos IDP feature provides additional security beyond a firewall. While a firewall traditionally inspects only Layers 3 and 4, the Junos OS utilizes the IDP feature to decode and reassemble the protocol st