Ensurepass

QUESTION 41

What are three main phases of an attack? (Choose three.)

A. DoS
B. exploit
C. propagation
D. port scanning
E. reconnaissance

Correct Answer: BCE

QUESTION 42

An attacker sends a low rate of TCP SYN segments to hosts, hoping that at least one port replies. Which type of attack does this scenario describe?

A. DoS
B. SYN flood
C. port scanning
D. IP address sweep

Correct Answer: C

QUESTION 43

Where do you configure SCREEN options?

A. zones on which an attack might arrive
B. zones you want to protect from attack
C. interfaces on which an attack might arrive
D. interfaces you want to protect from attack

Correct Answer: A

QUESTION 44

Prior to applying SCREEN options to drop traffic, you want to determine how your configuration will affect traffic. Which mechanism would you configure to achieve this objective?

A. the log option for the particular SCREEN option
B. the permit option for the particular SCREEN option
C. the SCREEN option, because it does not drop traffic by default
D. the alarm-without-drop option for the particular SCREEN option

Correct Answer: D

QUESTION 45

You must configure a SCREEN option that would protect your device from a session table flood. Which configuration meets this requirement?

A.
[edit security screen]
user@hostl# show
ids-option protectFromFlood {
    icmp {
        ip-sweep threshold 5000;
        flood threshold 2000;
    }
}

B.
[edit security screen]
user@hostl# show
ids-option protectFromFlood {
    tcp {
        syn-flood {
            attack-threshold 2000;
            destination-threshold 2000;
        }
    }
}

C.
[edit security screen]
user@hostl# show
ids-option protectFromFlood {
    udp {
        flood threshold 5000;
    }
}

D.
[edit security screen]
user@hostl# show
ids-option protectFromFlood {
    limit-session {
        source-ip-based 1200;
        destination-ip-based 1200;
    }
}

Correct Answer: D

QUESTION 46

You are required to configure a SCREEN option that enables IP source route option detection. Which two configurations meet this requirement? (Choose two.)

A.
[edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        loose-source-route-option;
        strict-source-route-option;
    }
}

B.
[edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        source-route-option;
    }
}

C.
[edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        record-route-option;
        security-option;
    }
}

D.
[edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        strict-source-route-option;
        record-route-option;
    }
}

Correct Answer: AB

QUESTION 47

Which parameters are valid SCREEN options for combating operating system probes?

A. syn-fin, syn-flood, and tcp-no-frag
B. syn-fin, port-scan, and tcp-no-flag
C. syn-fin, fin-no-ack, and tcp-no-frag
D. syn-fin, syn-ack-ack-proxy, and tcp-no-frag

Correct Answer: C

QUESTION 48

Which two statements describe the purpose of a security policy? (Choose two.)

A. It enables traffic counting and logging.
B. It enforces a set of rules for transit traffic.
C. It controls host inbound services on a zone.
D. It controls administrator rights to access the device.

Correct Answer: AB

QUESTION 49

Which statement describes the behavior of a security policy?

A. The implicit default security policy permits all traffic.
B. Traffic destined to the device itself always requires a security policy.
C. Traffic destined to the device’s incoming interface does not require a security policy.
D. The factory-default configuration permits all traffic from all interfaces.

Correct Answer: C

QUESTION 50

A network administrator wants to permit Telnet traffic initiated from the address book entry the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST. However, the administrator does not want the server to be able to initiate any type of traffic from the TRUST zone to the UNTRUST zone. Which configuration would correctly accomplish this task?

A.
from-zone UNTRUST to-zone TRUST {
    policy DenyServer {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
from-zone TRUST to-zone UNTRUST {
    policy AllowTelnetin {
        match {
            source-address the10net;
            destination-address Server;
            application junos-telnet;
        }
        then {
            permit;
        }
    }
}

B.
from-zone TRUST to-zone UNTRUST {
    policy DenyServer {
        match {
            source-address Server;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
from-zone UNTRUST to-zone TRUST {
    policy AllowTelnetin {
        match {
            source-address the10net;
            destination-address Server;
            application junos-telnet;
        }
        then {
            permit;
        }
    }
}

C.
from-zone UNTRUST to-zone TRUST {
    policy AllowTelnetin {
        match {
            source-address the10net;
            destination-address Server;
            application junos-ftp;
        }
        then {
            permit;
        }
    }
}

D.
from-zone TRUST to-zone UNTRUST {
    policy DenyServer {
        match {
            source-address Server;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone UNTRUST to-zone TRUST {
    policy AllowTelnetin {
        match {
            source-address the10net;
            destination-address Server;
            application junos-telnet;
        }
        then {
            permit;
        }
    }
}

Correct Answer: B
