400-251: CCIE Security Written Exam (v5.0) exam
By Examgood | December 12,2019 06:53 AM
The 400-251 CCIE Security written exam validates experts who have the knowledge and skills to architect, engineer, implement, troubleshoot, and support the full suite of Cisco security technologies and solutions using the latest industry best practices to secure systems and environments against modern security risks, threats, vulnerabilities, and requirements.
Topics include network functionality and security-related concepts and best practices, as well as Cisco network security products, solutions, and technologies in areas such as next generation intrusion prevention, next generation firewalls, identity services, policy management, device hardening, and malware protection.
The written exam utilizes the unified exam topics which includes emerging technologies, such as Cloud, Network Programmability (SDN), and Internet of Things (IoT).
Details of 400-251: CCIE Security Written Exam (v5.0) exam
The Cisco CCIE Security Written Exam (400-251) version 5.0 is a two-hour test with 90–110 questions that validate professionals who have the expertise to describe, design, implement, operate, and troubleshoot complex security technologies and solutions. Candidates must understand the requirements of network security, how different components interoperate, and translate it into the device configurations. The exam is closed book and no outside reference materials are allowed. Log into your account at Pearson VUE to schedule your exam.
The following topics are general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.
1.0 Perimeter Security and Intrusion Prevention
2.0 Advanced Threat Protection and Content Security
3.0 Secure Connectivity and Segmentation
4.0 Identity Management, Information Exchange, and Access Control
5.0 Infrastructure Security, Virtualization, and Automation
6.0 Evolving Technologies v1.1
Note: Last date to test: February 23, 2020
The 400-251 CCIE Security written exam will be retired on February 23, 2020.
Sample questions of 400-251: CCIE Security Written Exam (v5.0) exam
As I said above, it is recommended to use our real questions, test center provide 90-110 questions for 400-251 exam, we directly got 124 questions from test center. You only need to study well whole questions and answers we offered, then you can take the exam, we ensure you pass the exam easily. i share 6 sample questions to you as below:
1. In your ISE design, there are two TACACS profiles that are created for a device administration:
Help Desk_Profile, and IOS_Admin_Profile. The Help Desk profile should login the user with privilege 1, with ability to change privilege level to 15. The Admin profile should login the user with privilege 15 by default.
Which two commands must the help Desk enter on the IOS device to access privilege level 15? (Choose two)
A. Enable secret
B. Enable 15
E. Enable
F, Enable lOS_Admin profile
G. Enable password
Answer: BE
2. Which criteria does ASA use for packet classification if multiple contexts share an ingress interface MAC address?
A, ASA ingress interface IP address
B. policy-based routing on ASA
D. destination MAC address
E. ASA ingress interface MAC address
G. ASA egress interface IP address
Answer: E
3. For your enterprise ISE deployment, you want to use certificate-based authentication for all your Windows machines you have already pushed the machine and user certificates out to all the machines using GPO. By default, certificate-based authentication does not check the certificate against Active Directory, or requires credentials from the user. This essentially means that no groups are returned as part of the authentication request.
In which way can the user be authorized based on Active Directory group membership?
A. The certificate must be configured with the appropriate attributes that contain appropriate group formation, which can be used in Authorization policies
B. Configure the Windows supplicant to used saved credentials as well as certificate based authentication
C. Enable Change of Authorization on the deployment to perform double authentication
D. Configure Network Access Device to bypass certificate-based authentication and push configured user credentials as a proxy to ISE
E. Use EAP authorization to retrieve group information from Active directory
F. Use ISE as the Certificate Authority which allows for automatic group retrieval from Active directory to perform the required authorization
Answer: A
4. All your employees are required to authenticate their devices to the network, be it company owned or employee owned assets, with ISE as the authentication server. The primary identity store used is Microsoft Active directory, with username and password authentication. To ensure the security of your enterprise our security policy dictates that only company owned assets should be able to get access to the enterprise network, while personal assets should have restricted access.
Which option would allow you to enforce this policy using only ISE and Active Directory?
A. Configure an authentication policy that uses the computer credentials in Active Directory to determine whether the device is company owned or personal
B. This would require deployment of a Mobile Device Management (MDM)solution, which can be used to register all devices against the MDM server, and use that to assign appropriate access levels.
Configure an authentication policy that checks against the MAC address database of company assets in ISE end points identity store to determine the level of access depending on the device.
D. Configure an Authorization policy that checks against the mac address database of company assets in ISE endpoint identity store to determine the level of access depending on the device
E. Configure an authorization policy that assigns the device the appropriate profile based on whether the device passes Machine Authentication or no
Answer: E
5. Which statement about the Sender Base functionality is true?
A. ESA sees a high negative score from Sender Base as very unlikely that sender is sending spam
B. Sender Base uses DNS-based blacklist as one of the sources of information to define reputation score of sender’s IP address.
C. WSA uses Sender Base information to configure URL filtering policies.
D. ESA uses destination address reputation information from SenderBase to configure mail policies
E. Sender Base uses spam complaints as one of the sources of information of define reputation score of receiver IP address
F. ESA sees a high positive score from Sender Base as very likely that sender is sending spam.
G. ESA uses source address reputation to configure URL filtering policies.
Answer: B
Finally, I hope that every candidate can successfully pass the Cisco CCIE Security certification 400-251 exam.
- Related News
- What should we do with 700-751 dump as we approach the exam? January 02,2020
- CCNP Security: Cisco Certified Network Professional Security December 31,2019
- How to learn SMB track 700-751 well? December 19,2019
- 300-175: Implementing Cisco Data Center Unified Computing (D... December 16,2019
- 400-101: CCIE Routing and Switching Written Exam December 02,2019
- 300-320: Designing Cisco Network Service Architectures November 21,2019
- CCNA Data Center certification exam November 11,2019
- CCNP Routing and Switching Certification October 24,2019
- Best CCNA R&S (200-125) Certification Exam Dumps October 14,2019
- New updated 300-101, 300-115, 300-135 exam questions October 07,2019