H12-711_V3.0 HCIA-Security V3.0 Questions and Answers

UNIX

OS/2

Linux

MSDOS

go throughNo-PATAfter conversion, for external network users, all packets come from the sameIPaddress

No-PATOnly supports protocol port translation at the transport layer

NAPTOnly supports protocol address translation at the network layer

No-PATSupports protocol address translation at the network layer

2

1

4

3

It is the data obtained by the sender after calculating the plaintext information through the HASH algorithm.

The receiver will use the sender's public key to calculate the generated data fingerprint and compare it with the received digital fingerprint.

Digital fingerprints are also known as information digests.

The receiver needs to use the sender's public key to unlock the digital signature to obtain the digital fingerprint.

automatic backup

Manual batch backup

Session fast backup

After the device restarts, the active and standbyFWConfiguration

True

False

1-2-3-4

4-1-3-2

3-2-1-4

1-4-3-2

NAPT

NAT Server

Easy-ip

CT Jinglu

NAT No-PAT

A patch is a small program made by the original author of the software for a discovered vulnerability

Not patching does not affect the operation of the system, so whether patching is irrelevant or not.

Patches are generally updated continuously.

Computer users should download and install the latest patches in a timely manner to protect their systems

Operation log

business log

Alarm information

Threat log

Hit apply exception

Not a protocol supported by the firewall

The source IP hits the whitelist

Hit virus exception

56168

64168

64128

56128

-i

-a

-C

-f

Easy-ip

NAT No-PAT

NAPT

NAT Server

The firewall allows the same physical interface to belong to two different security zones (sub-interfaces are not considered)

There are two security zones with exactly the same security level in the firewall

Different interfaces of the firewall can belong to different security zones

Different interfaces of the firewall can belong to the same security zone

untrust trust

trust zone

dmz zone

isp zone)

Portali certification

Certification-free

WeChat authentication

not certified

Network expansion

Port Forwarding

web proxy

file sharing

Find Trojan horses, illegal authorizations, and system loopholes, and deal with them in a timely manner

Revise security policies based on security incidents that occur, enable security auditing

Block the behavior of the attack and reduce the impact

Confirm the degree of damage caused by the security incident and report the security incident

True

False

When the firewall generates a session table, it will generate a Server-map table

ASPF is deployed on the firewall and forwards the traffic of the multi-channel protocol

Security policies are deployed on the firewall and traffic is released

NAT Server is deployed on the firewall

first level

User self-protection level

second level

System Audit Protection Level

third level

Safety Mark Protection

fourth level

structured protection

Online Application

local application

online application

Apply offline

The authentication policy is not configured or the authentication policy is incorrectly configured

UnopenedwebAuthentication function

browserSSLVersion and Firewall Authentication PageSSLversion mismatch

The port number of the authentication page service is set to8887

snooping scan attack

Malformed Packet Attack

special packet attack

traffic attack

True

False

True

False

sourceNATconfiguration in technologyNATaddress pool, you can configure only one address poolIPaddress

Address translation can be provided in the local area network according to the needs of usersFTP,WWW,Telnetand other services

Some application layer protocols carry in the dataIPaddress information, make themNATWhen modifying the data in the upper layerIPAddress information

for someTCP,UDPagreement (such asICMP,PPTP), cannot doNATconvert

network down

Server down

data stolen

The web page has been tampered with

True

False

Internet virus

Email Security

Database system configuration security

WEBservice security

True

False

confidentiality

controllability

integrity

source check

Authentication-free users and authenticated users are in the same security area

Authentication-free users do not use the specifiedIP/MACaddressPC

The authentication action in the authentication policy is set to"Do not acknowledge/Certification-free"

Online users have reached the maximum

The active closing party sends the firstFINperform an active shutdown while the other party receives thisFINexecution is closed

When passive shutdown receives the firstFIN, it will send back aACK, and randomly generate the confirmation serial number.

The passive closing party needs to pass an end-of-file to the application, the application closes its connection, and causes the sending of an end-of-fileFIN

Sent on passive shutdown sideFINAfter that, the active closing party must send back an acknowledgment and set the acknowledgment sequence number to the received sequence number plus1

Symmetric encryption

Symmetric encryption

fingerprint encryption

data encryption

True

False

If the security policy ispermit, the discarded packets will not be accumulated"Hits"

When configuring a security policy name, the same name cannot be reused

Adjust the order of security policies without saving configuration files and take effect immediately

HuaweiUSGThe security policy entries of the series firewall cannot exceed128strip

Proxy scan method

Stream scan method

Packet killing method

File killing method

Facsimile data and mobile phone recordings are electronic evidence related to communication technology.

Movies and TV series are electronic evidence related to network technology.

Database operation records and operating system logs are electronic evidence related to computers•

OS logs,e-mail, chat records can be used as a source of electronic evidence

CIS

Fierhunter

router

AntiDDoS

Buffer overflow attacks exploit the flaws of software systems in memory operations to run attack code with high operating privileges

Buffer overflow attacks have nothing to do with the vulnerabilities and architecture of the operating system

Buffer overflow attacks are one of the most common ways to attack the behavior of software systems

Buffer overflow attacks are application-layer attacks

Vulnerability Scanning Device

firewall

Anti-DDoSequipment

IPS/IDSequipment

By default the preemption delay is 60s

Whether it is a Layer 2 or Layer 3 interface, whether it is a service interface or a heartbeat interface, it needs to be added to a security zone

By default, the active preemption function is enabled

Dual-system hot backup function requires license support

Intrusion detection system can collect a large amount of key information dynamically through network and computer.And can analyze and judge the current state of the entire system environment in time

Once the intrusion detection system finds that there is a behavior that violates the security policy or the system has traces of being attacked, it can implement blocking operations.

Intrusion detection system includes all hardware and software systems used for intrusion detection

The immersion detection system can be linked with firewalls and switches, making it a powerful tool for firewalls"assistant", better and more precise control of traffic access between domains

Packet logging technology through the tracedIPInsert trace data into packets to mark packets on each router they pass through

Link testing technology determines the information of the attack source by testing the network link between routers

Packet marking technology extracts attack source information by logging packets on routers and then using data drilling techniques

Shallow mail behavior analysis can achieveIPAnalysis of addresses, sent time, sending frequency, number of recipients, shallow email headers, and more.

User data

Receiver's public key

sender's public key

digital fingerprint

usernameadmin

passwordAdmin@123

usernameadmin

passwordadmin@123

usernameadmin

passwordadmin

usernameadmin

passwordAdmin123

Certification-free

Password authentication

sign in

Fingerprint authentication

When configuring the interzone security policy, you need to set the source security zone toUntrust, the target security area isDMZ

configureNATServer, the internal address is10.1.1.2, the external address is200.10.10.1

When configuring the interzone security policy, set the source security zone toDMZ, the target security area isUntrust

configureNATServer, the internal address is200.10.10.1, the external address is10.1.1.2

matching condition"source security zone"is an optional parameter

matching condition"period"is an optional parameter

matching condition"application"is an optional parameter

matching condition"Serve"is an optional parameter

PolicyStrategy

Protectionprotection

Detectiondetect

Responseresponse

VRRP

VGMP

HRP

OSPF

When FTP Server1 responds to Client A, it is converted to the address 1.1.1.5 in Address Ground 1

Source NAT configuration, only for intranet users (10.1.1.0/24) to access the external network for translation

When the IP address of the FTP Server host is changed to 1.11.3. Client A host can still access the FTP Server more

Client A accesses FTP Server 1.1.1.1, and the destination address is converted to 10.1.1.2. The source address remains unchanged

The device can identify the user who has passed the authentication of the identity authentication system

AD There is only one deployment mode for domain single sign-on

Although there is no need to enter the user password, the authentication server needs to interact with the user password and the device to ensure that the authentication is passed.

AD Domain single sign-on can be synchronized to the firewall by mirroring the login data stream

Vulnerability scanning is a network-based technology for remotely monitoring the security performance vulnerabilities of target networks or hosts, and can be used to conduct simulated attack experiments and security audits.

Vulnerability scanning is used to detect whether there are vulnerabilities in the target host system, generally scanning the target host for specific vulnerabilities

Vulnerability scanning is a passive preventive measure that can effectively avoid hacker attacks

can be based onpingScan and port scan results for vulnerability scanning

Certificate renewal: When the certificate expires and the key is leaked, the PKI entity must replace the certificate. The purpose of renewal can be achieved by re-applying, or it can be automatically renewed using SCEP or CPv2 protocol.

Certificate download: The PKI entity downloads the issued certificate to the RA server through SCEP or CIPvz protocol, or through DAP.HIITP or out-of-band mode, download the issued certificate.

Certificate issuance: When a PKI entity applies for a local certificate from a CA, if there is an RA, the RA will first review the identity information of the PKI entity. After the verification is passed, the RA will send the application information to the CA.

Certificate application: certificate application, namely certificate registration, is a PKI entity introducing itself to the CA and obtaining a certificate