Huawei H12-721 HCNP-Security-CISN (Huawei Certified Network Professional - Constructing Infrastructure of Security Network) Exam Practice Test

Demo: 31 questions
Total 245 questions

HCNP-Security-CISN (Huawei Certified Network Professional - Constructing Infrastructure of Security Network) Questions and Answers

Question 1

Regarding the Radius authentication process, there are the following steps: 1. The Radius client (network access server) in the network device receives the username and password, and sends an authentication request to the Radius server; 2. When the user logs in to a network device such as the USG access server, the username and password are sent to the network access server; 3. After receiving the legitimate request, the Radius server completes the authentication and returns the required user authorization information to the client. What is the correct order?

Options:

A.

1 2 3

B.

2 1 3

C.

3 1 2

D.

2 3 1

Question 2

Which of the following is the correct description of the SMURF attack?

Options:

A.

The attacker sends an ICMP request with the destination address or the source address as the broadcast address, causing all hosts or designated hosts of the attacked network to answer, eventually causing the network to crash or the host to crash.

B.

The attacker sends the SYN-ACK message to the attacker's IP address.

C.

The attacker can send UDP packets to the network where the attacker is located. The source address of the packet is the address of the attacked host. The destination address is the broadcast address or network address of the subnet where the attacked host resides. The destination port number is 7 or 19.

D.

The attacker uses the network or the host to receive unreachable ICMP packets. The subsequent packets destined for this destination address are considered unreachable, thus disconnecting the destination from the host.

Question 3

In the application scenario of IPSec traversal by NAT, the active initiator of the firewall must configure NAT traversal, and the firewall at the other end can be configured without NAT traversal.

Options:

A.

TRUE

B.

FALSE

Question 4

When an attack occurs, many packets are found on the attacked host (1.1.129.32) as shown in the figure. According to the analysis of the attack, what kind of attack is this attack?

Options:

A.

Smurf

B.

Land

C.

WinNuke

D.

Ping of Death

Question 5

The malformed packet attack technology uses some legitimate packets to perform reconnaissance or data detection on the network. These packets are legal application types, but they are rarely used in normal networks.

Options:

A.

TRUE

B.

FALSE

Question 6

The hot standby and IPSec functions are combined. Which of the following statements is correct?

Options:

A.

USG supports IPSec hot standby in active/standby mode.

B.

IPSec hot standby is not supported in load balancing mode.

C.

must configure session fast backup

D.

must be configured to preempt

Question 7

Load balancing implements the function of distributing user traffic accessing the same IP address to different servers. What are the main technologies used?

Options:

A.

virtual service technology

B.

server health test

C.

dual hot standby technology

D.

stream-based forwarding

Question 8

Which of the following encryption methods does IPSec VPN use to encrypt communication traffic?

Options:

A.

public key encryption

B.

private key encryption

C.

symmetric key encryption

D.

pre-shared key encryption

Question 9

An administrator can view the IPSec status information and debugging information as follows. What is the most likely fault?

Options:

A.

local ike policy does not match the peer ike policy.

B.

local ike remote name and peer ike name do not match

C.

local ipsec proposal does not match the peer ipsec proposal.

D.

The local security acl or the peer security acl does not match.

Question 10

Avoid DHCP server spoofing attacks. DHCP snooping is usually enabled. What is the correct statement?

Options:

A.

connected user's firewall interface is configured in trusted mode

B.

The firewall interface connected to the DHCP server is configured as untrusted mode.

C.

DHCP relay packets received on the interface in the untrusted mode are discarded.

D.

The DHCP relay packet received in the trusted mode and passed the DHCP snooping check.

Question 11

The administrator can create vfw1 and vfw2 on the root firewall to provide secure multi-instance services for enterprise A and enterprise B, and configure secure forwarding policies between security zones of vfw1 and vfw2.

Options:

A.

TRUE

B.

FALSE

Question 12

The ACK flood attack uses a botnet to send a large number of ACK packets, which impacts the network bandwidth and causes network link congestion. If the number of attack packets is large, the server processing performance is exhausted, thus rejecting normal services. Under the Huawei Anti-DDoS device to prevent this attack, compare the two processing methods - strict mode and basic mode, what is correct?

Options:

A.

bypass deployment dynamic drainage using strict mode

B.

In strict mode, the cleaning device does not check the established session, that is, the ACK packet does not hit the session, and the device discards the packet directly.

C.

If the cleaning device checks that the ACK packet hits the session, the session creation reason will be checked regardless of the strict mode or the basic mode.

D.

adopts "basic mode". Even if the session is not detected on the cleaning device, the device discards several ACK packets and starts session checking.

Question 13

Man-in-the-middle attacks are: the middleman completes the data exchange between the server and the client. In the server's view, all messages are sent or sent to the client. From the client's point of view, all messages are also sent or sent.

Options:

A.

Packet 1: Source IP 1.1.1.1 Source MAC C-C-C Destination IP 1.1.1.2 Destination MAC B-B-B

B.

Packet 1: Source IP 1.1.1.3 Source MAC C-C-C Destination IP 1.1.1.2 Destination MAC B-B-B

C.

Packet 2: Source IP 1.1.1.2 Source MAC C-C-C Destination IP 1.1.1.1 Destination MAC A-A-A

D.

Packet 2: Source IP 1.1.1.3 Source MAC C-C-C Destination IP 1.1.1.1 Destination MAC A-A-A

Question 14

According to the capture of the victim host, what kind of attack is this attack?

Options:

A.

ARP Flood attack

B.

HTTP Flood attack

C.

ARP spoofing attack

D.

SYN Flood attack

Question 15

DDoS is an abnormal packet that an attacker sends a small amount of non-traffic traffic to the attack target (usually a server, such as DNS or WEB) through the network, so that the attacked server resolves the packet when the system crashes or the system is busy.

Options:

A.

TRUE

B.

FALSE

Question 16

Accessing the headquarters server through the IPSec VPN from the branch computer. The IPSec tunnel can be established normally, but the service is unreachable. What are the possible reasons?

Options:

A.

packet is fragmented, and fragmented packets are discarded on the link.

B.

There is load sharing or dual-machine link, which may be inconsistent with the back and forth path.

C.

route oscillating

D.

DPD detection parameters are inconsistent at both ends

Question 17

The preemption function of the VGMP management group is enabled by default, and the delay time is 60s.

Options:

A.

TRUE

B.

FALSE

Question 18

An intranet has made a network, the old equipment is offline, the new network equipment is brought online, and after the service test, it is found that most of the original service traffic cannot work normally. What is the quickest way to restore the business?

Options:

A.

layering method

B.

segmentation method

C.

replacement method

D.

block method

Question 19

The enterprise network is as shown in the figure. On the USG_A and USG_B, hot standby is configured, and USG_A is the master device. The administrator wants to configure SSL VPN on the firewall so that branch employees can access the headquarters through SSL VPN. Which virtual gateway address should the SSL VPN be?

Options:

A.

202.38.10.2/24

B.

202.38.10.3/24

C.

202.38.10.1/24

D.

10.100.10.2/24

Question 20

In the firewall DDoS attack defense technology, the data packet of the session table is not defended. If the data packet of the session has been established, it is directly released.

Options:

A.

TRUE

B.

FALSE

Question 21

What are the load balancing algorithms supported by the USG firewall?

Options:

A.

source address hash algorithm

B.

simple polling algorithm (roundrobin)

C.

weighted rounding algorithm (weightff)

D.

ratio (Ratio)

Question 22

The dual-system hot backup load balancing service interface works at Layer 3, and the upstream and downstream routers are connected to each other. The two USG devices are active and standby. Therefore, both the hrp track master and the hrp track slave must be configured on the morning service interface.

Options:

A.

TRUE

B.

FALSE

Question 23

On the USG, you need to delete sslconfig.cfg in the hda1:/ directory. Which of the following commands can complete the operation?

Options:

A.

cd hda1:/ remove sslconfig.cfg

B.

cd hda1:/ delete sslconfig.cfg

C.

cd hda1:/ rmdir sslconfig.cfg

D.

cd hda1:/ mkdir sslconfig.cfg

Question 24

In the active/standby mode of the USG dual-system hot standby, the service interface works at Layer 3, and the upstream and downstream routers are connected to the router. The administrator can view: USG_A status is HRP_M[USG_A], USG_B status is HRP_S[USG_B], current 15000+ session Table, every time a switchover occurs, all traffic is interrupted for a period of time, and seamless switching is impossible.

Options:

A.

Execute the command hrp preempt delay 64 to lengthen the delay of preemption.

B.

Check connectivity between heartbeat lines

C.

does not configure session fast backup

D.

no hrp enable

Question 25

Which of the following is incorrect about IKE V1 and IKE V2?

Options:

A.

IKE V2 establishes a pair of IPSec SAs. Normally, an IKE SA and a pair of IPSec SAs can be completed by exchanging 4 messages twice.

B.

IKE V2 does not have the concept of main mode and aggressive mode

C.

To establish a pair of IPSec SAs, only 6 messages need to be exchanged in the IKE V1 main mode.

D.

When the IPSec SA established by IKE V2 is greater than one pair, each pair of SAs needs only one additional exchange, that is, two messages can be completed.

Question 26

Which is incorrect about the IKE DPD statement?

Options:

A.

is used for detection of IKE neighbor status

B.

PDUs are sent periodically between IKE peers.

C.

After the DPD function is enabled, if no IPSec packet is received within the time specified by the interval, DPD sends a DPD request to the peer and waits for the response message.

D.

DPD sends the query only before the encrypted message is sent and the timer expires.

Question 27

When the firewall works in the dual-system hot backup load balancing environment, if the upstream and downstream routers are working in the routing mode, you need to adjust the OSPF cost based on HRP.

Options:

A.

TRUE

B.

FALSE

Question 28

Two USG firewalls failed to establish an IPSec VPN tunnel through the NAT traversal mode. Run the display ike sa command to view the session without any UDP 500 session. What are the possible reasons?

Options:

A.

public network route is unreachable

B.

Intermediate line device disables UDP port 500

C.

Intermediate line device disables UDP 4500 port

D.

Intermediate line device disables ESP packets

Question 29

An administrator can view the IPSec status information and Debug information as follows. What is the most likely fault?

Options:

A.

local IKE policy does not match the peer IKE policy.

B.

local ike remote name does not match peer ike name

C.

local ipsec proposal does not match the peer ipsec proposal

D.

The local security acl or the peer security acl does not match.

Question 30

A user wants to limit the maximum bandwidth of the 192.168.1.0/24 network segment to 500M, and limit all IP addresses in the network segment to maintain a bandwidth of 1M. How should I configure a current limiting policy for this requirement?

Options:

A.

Configure per-IP traffic limiting. The maximum bandwidth of the host on the 192.168.1.0/24 network segment is 500M.

B.

Configure overall traffic limiting. The maximum bandwidth of the host on the network segment 192.168.1.0/24 is 1M.

C.

Configure the overall traffic limiting. The maximum bandwidth of the host on the 192.168.1.0/24 network segment is 500M.

D.

Configure the overall traffic limiting. The maximum bandwidth of the host on the network segment 192.168.1.0/24 is 500M. Then use the per-IP traffic limiting to ensure that the server bandwidth is 1M.

Question 31

The ip-link principle is to continuously send ICMP packets or ARP request packets to the specified destination address, and check whether the ICMP echo reply or ARP reply packet of the destination IP response can be received.

Options:

A.

TRUE

B.

FALSE
