Wednesday 28 December 2016

JN0-541 Juniper Networks IDP Certified Internet Associate (JNCIA-IDP)

Concepts of intrusion detection
Identify the features and functions of an IDP sensor
Identify the use of IDP interfaces
Identify the TCP ports used by IDP sensors and Security Manager
Understanding the IDP provisioning modes

Initial configuration of an IDP sensor
Identify the steps involved in implementing the IDP sensor
Describe the configuration of a new sensor via the console
Describe the communication setup between Security Manager and IDP sensor

Configure and fine-tune policies
Assign the IDP attack terminology to the corresponding definitions
Understand the components of an IDP rule
Choice of appropriate IDP actions and IP actions
Describe the algorithm of the IDP rule assignment
Explain the use of captured packages
Explain the fine-tuning of guidelines

Configuring Other Policies for IDP
Explain the function of a rule database for exceptions
Explain the function of a rule database for anomalies
Explain the function of a rule database for backdoors
Explain the function of a SYN Protector rule database
Explain the function of honeypots in the network

Configure and use the profiler
Describe the normal functioning of a profiler
Showing the steps to a working profiler
Describe the use of a profiler for network detection
Describe the use of a profiler to identify new devices and ports
Describe the use of a profiler to detect policy violations

Sensor operation and sensor command line utility
Describe the sensor components and processes
Use scio to manage policies and display sensor configurations
Use sctop to display sensor statistics

Manage attack objects and create custom signatures
Describe the use of static and dynamic groups
Explain how to update the attack object database
List the steps for obtaining information about an attack
Understanding the purpose and use of the sensor commands "scio ccap" and "scio pcap"
List the steps for creating a simple attack object
Describe the purpose of combined attack objects

Maintenance and troubleshooting
Use the Appliance Configuration Manager (ACM) to view and modify sensor configurations
Use sensor and unix commands to resolve IDP issues
Understand the operation of external HA and NIC bypass
QUESTION 1
Which statement is true about the attack object database update process?

A. Each sensor updates its own attack object database automatically; however they must be able
to access the Juniper site on TCP port 443.
B. The attack object database update must be manually performed by the administrator, and the
administrator must manually install it on each sensor.
C. The attack object database update can be initiated manually or automatically.
D. The attack object database update can be automatically scheduled to occur using the Security
Manager GUI.

Answer: C
QUESTION 2
On a sensor, which command will indicate if log messages are being sent to Security Manager?

A. scio vr list
B. serviceidp status
C. scio agentstats display
D. scio getsystem

Answer: C
QUESTION 3
After you enable alerts for new hosts that are detected by the Enterprise Security Profiler, where
do you look in Security Manager to see those alerts?

A. Security Monitor > Profiler > Application Profiler tab
B. Security Monitor > Profiler > Violation Viewer tab
C. Security Monitor > Profiler > Network Profiler tab
D. Log Viewer > Profiler Log

Answer: D
QUESTION 4
When connecting to a sensor using SSH, which account do you use to login?

A. admin
B. super
C. netscreen
D. root

Answer: A
QUESTION 5
Which OSI layer(s) of a packet does the IDP sensor examine?

A. layers 2-7
B. layers 2-4
C. layer 7 only
D. layers 4-7

Answer: A
Posted by at No comments:
Labels: , , , , , , ,

Monday 19 December 2016

JN0-646 Enterprise Routing and Switching, Professional (JNCIP-ENT) Exam

JNCIP-ENT Exam Objectives (Exam: JN0-643 and JN0-646)

OSPF
Describe the concepts, operation and functionality of OSPFv2 and OSPFv3
OSPF LSA types
OSPF area types and operations
LSA flooding through an OSPF multi-area network
DR/BDR operation
SPF algorithm
Metrics, including external metric types
Authentication options
Route summarization and restriction
Overload
Virtual links
OSPFv2 vs OSPFv3
Given a scenario, demonstrate knowledge of how to configure and monitor single-area and multi-area OSPF
Implement OSPF routing policy

BGP
Describe the concepts, operation and functionality of BGP
BGP route selection process
Next hop resolution
BGP attributes - concept and operation
BGP communities
Regular expressions
Load balancing - multipath, multihop, forwarding table
NLRI families - inet, inet6
Advanced BGP options
Given a scenario, demonstrate knowledge of how to configure and monitor BGP
Implement BGP routing policy

IP Multicast
Describe the concepts, operation and functionality of IP multicast
Components of IP multicast, including multicast addressing
IP multicast traffic flow
Any-Source Multicast (ASM) vs. Source-Specific Multicast (SSM)
RPF - concept and operation
IGMP, IGMP snooping
PIM dense-mode and sparse-mode
Rendezvous point (RP) - concept, operation, discovery, election
SSM - requirements, benefits, address ranges
Anycast RP
MSDP
Routing policy and scoping
Given a scenario, demonstrate knowledge of how to configure and monitor IGMP, PIM-DM and PIM-SM (including SSM)
Implement IP multicast routing policy

Ethernet Switching and Spanning Tree
Describe the concepts, operation and functionality of advanced Ethernet switching
Filter-based VLANs
Private VLANs
Dynamic VLAN registration using MVRP
Tunnel Layer 2 traffic through Ethernet networks
Layer 2 tunneling using Q-in-Q and L2PT
Given a scenario, demonstrate knowledge of how to configure and monitor advanced Ethernet switching
Filter-based VLANs
Private VLANs
Dynamic VLAN registration using MVRP
Tunnel Layer 2 traffic through Ethernet networks
Layer 2 tunneling using Q-in-Q and L2PT
Describe the concepts, operation and functionality of advanced spanning tree protocols, including MSTP and VSTP
Given a scenario, demonstrate knowledge of how to configure and monitor MSTP and VSTP

Layer 2 Authentication and Access Control
Describe the operation of various Layer 2 authentication and access control features
Authentication process flow
802.1x - concepts and functionality
MAC RADIUS
Captive portal
Server fail fallback
Guest VLAN
Considerations when using multiple authentication/access control methods
Given a scenario, demonstration how to configure and monitor Layer 2 authentication and access control

IP Telephony Features
Describe the concepts, operation and functionality of features that facilitate IP telephony deployments
Power over Ethernet (PoE)
LLDP and LLDP-MED
Voice VLAN
Given a scenario, demonstrated how to configure and monitor features used to support IP Telephony

Class of Service (CoS)
Describe the concepts, operation and functionality of Junos CoS for Layer 2/3 networks
CoS processing on Junos devices
CoS header fields
Forwarding classes
Classification
Packet loss priority
Policers
Schedulers
Drop profiles
Shaping
Rewrite rules
Given a scenario, demonstrate knowledge of how to configure and monitor CoS for Layer 2/3 networks




Posted by at No comments:
Labels: , , , , , , ,

Monday 12 December 2016

JN0-533 FWV, Specialist (JNCIS-FWV)

JNCIS-FWV Exam Objectives (Exam: JN0-533)

System Setup and Initial Configuration
Identify the concepts and components of ScreenOS software
Security architecture components
Packet flow and decision process
IPv6 packet handling
ScreenOS firewall/VPN product lines
System components
Demonstrate knowledge of how to configure basic elements of ScreenOS software
Interfaces
Zones
Management access and services
User accounts and authentication
Administrative lockout options
DNS configuration
NTP configuration
Describe how to configure and monitor interfaces
VLANs, aggregated Ethernet
Management interface
Bridge Group
Tunnel interfaces
Loopback interface
Interface modes
Redundant Ethernet
Identify the concepts and functionality of virtual systems (vsys)
vsys interfaces and zones
Inter-vsys routing
Profiles
CPU resource management

Layer 3 Operations
Identify the concepts and functionality of Layer 3 operations (IPv4 and IPv6)
Routing lookup flow
Virtual routers
Static and default routing
Dynamic routing - RIP, OSPF, BGP
Considerations for routing over VPNs
Route optimization and aggregation
Route redistribution; access lists and route maps
Source-based vs. policy-based routing
IPv6 modes
Demonstrate knowledge of how to configure, monitor and troubleshoot Layer 3 operations (IPv4 and IPv6)
Zones
Interfaces
IP addressing
Virtual router
Static/default routes, including floating static routes
RIP
OSPF
BGP
Redistribution
Access lists and route maps
Source-based and policy-based routing
Layer 3 verification
Layer 3 troubleshooting - get vrouter, debug, flow filter, session table

Security Policies
Identify the concepts and functionality of security policies
Zones and policies
Policy components
Policy options
Policy ordering
Policy scheduling
Global policies
Multicell policies
Address books
Policing and guaranteed bandwidth
Services
Demonstrate knowledge of how to configure, monitor and troubleshoot security policies
Address books and address groups
Services and service groups
Policy verification
Policy troubleshooting - debug, get session

NAT
Identify the concepts and functionality of NAT
Interface-based vs. policy-based NAT
NAT type usage
Source NAT (NAT-src)
Dynamic IP addresses (DIP)
Destination NAT (NAT-dst)
Virtual IP addresses (VIP)
Mapped IP addresses (MIP)
Precedence
Demonstrate knowledge of how to configure, monitor and troubleshoot NAT
Policy-based NAT
Dynamic IP addresses (DIP)
Reachability/Routing
VIP and MIP
NAT verification
NAT troubleshooting - debug, get session, and traffic logs

IPsec VPNs
Identify the concepts and functionality of IPsec VPNs
Secure VPN characteristics and components
Encapsulating Security Payload (ESP)
Authentication Header (AH)
IPsec tunnel establishment - Internet Key Exchange (IKE)
Hub-and-spoke IPsec VPNs
Policy-based vs. route-based IPsec VPNs
Next-hop tunnel binding (NHTB)
Next Hop Resolution Protocol (NHRP)
Fixed vs. dynamic peers
Tunnel interfaces
Preshared keys
VPN Monitor
Demonstrate knowledge of how to configure, monitor and troubleshoot IPsec VPNs
Interfaces
Objects
IKE
Policy
Routing
VPN Monitor
IPsec VPN verification
IPsec VPN troubleshooting - system/event log, debug, get ike, get sa

High Availability
Identify the concepts and requirements for high availability (HA) in a ScreenOS firewall/VPN environment
NetScreen Redundancy Protocol (NSRP) characteristics
NSRP modes; usage guidelines
Links, ports and zones
Virtual security device (VSD), virtual security interfaces (VSI) and VSD groups
VSD states
Run-time objects (RTOs)
HA probes
Failover tuning
IP tracking
Virtual Router Redundancy Protocol (VRRP)
Redundant interfaces
Links between the firewalls
Redundant VPN gateways
Demonstrate knowledge of how to configure, monitor and troubleshoot HA
HA link
Cluster settings
Interfaces
VSD settings
RTO synchronization
Tracking and monitoring
Redundant interface
HA verification
HA monitoring for VPNs - IKE heartbeats, dead peer detection
HA troubleshooting - debug, get interface, get nsrp stats

Attack Prevention
Describe the purpose, configuration and operation of Screens
Attack types and phases
Screen options
Best practices
Configuration, verification and troubleshooting
Describe the purpose, configuration and operation of deep inspection (DI)
Attack object database
Custom attack objects
Signature database update methods
DI policies and actions
Licensing
Configuration, verification and troubleshooting
Describe the purpose, configuration and operation of Unified Threat Management (UTM)
Antispam profiles
Actions
Spam block list (SBL)
Antivirus scanning methods and options
Antivirus flow process
Licensing
Web filtering features and solutions
Data flow
Search order
White lists, black lists and categories
Configuration, verification and troubleshooting

System Administration, Management and Monitoring
Demonstrate knowledge of how to manage and monitor a ScreenOS firewall/VPN environment
File management
Password recovery
Licensing
Logs
Syslog
SNMP
Alarms
Counters


QUESTION 1
Which ScreenOS security feature helps protect against port scans and denial of service attacks?

A. session-based stateful firewall
B. IPsec VPNs
C. security policies
D. Screen options

Answer: B

Explanation:

QUESTION 2
What is the initial default username and password for all ScreenOS devices?

A. administrator/password
B. root/password
C. netscreen/netscreen
D. admin/netscreen1

Answer: D

Explanation:

QUESTION 3
What is a virtual system?

A. a mechanism to logically partition a single ScreenOS device into multiple logical devices
B. a collection of subnets and interfaces sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks

Answer: C

Explanation:

QUESTION 4
What is a zone?

A. a set of rules that controls traffic from a specified source to a specified destination using a
specified service
B. a collection of subnets and interfaces sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks

Answer: C

Explanation:

QUESTION 5
What is the function of NAT?

A. It performs Layer 3 routing.
B. It evaluates and redirects matching traffic into secure tunnels.
C. It provides translation between IP addresses.
D. It performs Layer 2 switching.

Answer: B

Explanation:




Posted by at No comments:
Labels: , , , , , , ,

Thursday 8 December 2016

JN0-696 Security Support, Professional (JNCSP-SEC)

JNCSP-SEC Exam Objectives (Exam: JN0-696)

Security Policy Troubleshooting
Given a scenario, demonstrate knowledge of how to troubleshoot security policy evaluation issues on Junos devices
Transit traffic issues
To-the-device traffic issues
Default and global policy issues
Zone issues
Address book issues
Filter-based forwarding
NAT issues
Configuration issues

IPSec VPN Troubleshooting
Given a scenario, demonstrate knowledge of how to troubleshoot IPSec VPN issues on Junos device
Route-based VPN issues
Policy-based VPN issues
IKE phase 1 issues
IKE phase 2 issues
Configuration issues

Application-Aware Security Services Troubleshooting
Given a scenario, demonstrate knowledge of how to troubleshoot Junos AppSecure issues
AppID issues
AppTrack issues
AppFW issues
AppDoS issues
AppQoS issues
Configuration issues

Intrusion Prevention Troubleshooting
Given a scenario, demonstrate knowledge of how to troubleshoot Junos Intrusion Prevention System (IPS) issues
Licensing and platform issues
Signature database issues
IPS and security policy issues
Configuration issues

Unified Threat Management (UTM) Troubleshooting
Given a scenario, demonstrate knowledge of how to troubleshoot UTM issues on Junos devices
Licensing and platform issues
Antivirus issues
Antispam issues
Content-filtering issues
Web-filtering issues
UTM and security policy issues
Configuration issues

High Availability (HA) Clustering Troubleshooting
Given a scenario, demonstrate knowledge of how to troubleshoot chassis cluster issues on Junos devices
Cluster architecture issues
Cluster component issues
Cluster mode issues
Configuration issues

QUESTION 1
You are having problems establishing an IPsec tunnel between two SRX Series devices.
What are two explanations for this problem? (Choose two.)

A. proposal mismatch
B. antivirus configuration
C. preshared key mismatch
D. TCP MSS clamping is disabled

Answer: B,D

Explanation:
QUESTION 2
Two SRX Series devices are having problems establishing an IPsec VPN session. One of the
devices has a firewall filter applied to its gateway interface that rejects UDP traffic.
What would resolve the problem?

A. Disable the IKE Phase 1 part of the session establishment.
B. Disable the IKE Phase 2 part of the session establishment.
C. Change the configuration so that session establishment uses TCP.
D. Edit the firewall filter to allow UDP port 500.

Answer: A

Explanation:
QUESTION 3
Your SRX Series device has the following configuration:
user@host> show security policies
...
Policy: my-policy, State: enabled, Index: 5, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: snmp
Action: reject
From zone: trust, To zone: untrust
...
When traffic matches my-policy, you want the device to silently drop the traffic; however, you
notice that the device is replying with ICMP unreachable messages instead.
What is causing this behavior?

A. the snmp application
B. the reject action
C. the trust zone
D. the untrust zone

Answer: C

Explanation:
QUESTION 4
You want to allow remote users using PCs running Windows 7 to access the network using an
IPsec VPN. You implement a route-based hub-and-spoke VPN; however, users report that they
are not able to access the network.
What is causing this problem?

A. The remote clients do not have proper licensing.
B. Hub-and-spoke VPNs cannot be route-based; they must be policy-based.
C. The remote clients' OS is not supported.
D. Hub-and-spoke VPNs do not support remote client access; a dynamic VPN must be
implemented instead.

Answer: B

Explanation:
Posted by at No comments:
Labels: , , , , , , ,

Monday 5 December 2016

JN0-355 Junos Pulse Secure Access, Specialist (JNCIS-SA)

JNCIS-SA Exam Objectives (Exam: JN0-355)

Overview
Components and elements
Component functions, interaction and relationships
Junos Pulse Gateway and Virtual Appliance product lines
Licensing
Deployment considerations and integration options
SSL, TLS and digital certificates overview
Access methods

Initial Configuration
Configure the basic elements of a Junos Pulse Secure Access Service environment
Initial configuration via CLI
Initial configuration via admin UI

Roles
Describe the concepts, operation and functionality of roles
Purpose of roles
Role mapping and merging
Customization of the end-user experience
Configure roles
Roles and role options

Policies and Profiles
Describe the concepts, operation and functionality of policies and profiles
Purpose of policies; policy types and elements
Purpose of profiles and profile types
Interrelationship and usage guidelines
Configure policies and profiles
Policies and policy options
Profiles and profile options

Authentication
Describe the authentication process for the Junos Pulse Secure Access Service
Authentication elements
Sign-in process
Digital certificates
Certificate validation process
Advanced authentication options
Configure authentication
Authentication servers
Authentication realms
Role mapping
Sign-in policies
Certificates
Advanced options

Client/Server Communications
Identify and describe client/server applications
WSAM
JSAM
VPN tunneling
Configure client/server applications
SAM
VPN tunneling

Junos Pulse Client
Describe the features, benefits and functionality of the Junos Pulse client
Components and features
Configure the Junos Pulse client
WSAM application access
VPN tunneling

Junos Pulse Collaboration
Describe the features, benefits and functionality of Junos Pulse Collaboration
Components and features
Deployment
Collaboration client
Scheduling meetings
Monitoring meetings
Configure Junos Pulse Collaboration
Collaboration configuration
Meeting options
Pulse Connection

Endpoint Security
Describe the concepts, operation and functionality of endpoint security
TNC architecture
Host Checker
Enhanced Endpoint Security (EES)
Secure Virtual Workspace (SVW)
Cache Cleaner
Enforcement
Configure endpoint security
Host Checker
Enhanced Endpoint Security (EES)
Secure Virtual Workspace (SVW)
Cache Cleaner

Virtualization
Describe the concepts, operation and functionality of virtualization in a Junos Pulse Secure Access Service environment
Concepts and components
Virtual appliances
Virtual Desktop Infrastructure
Configure virtualization
Licensing
Virtual desktops

High Availability
Describe the concepts and requirements for high availability in a Junos Pulse Secure Access Service environment
Clustering
Deployment options and considerations
Licensing
Configure high availability
Clustering configuration
Upgrades

Administration, Management and Troubleshooting
Demonstrate knowledge of how to manage and troubleshoot a Junos Pulse Secure Access Service environment
Configuration file management
Backup and archiving
Logging
System monitoring
Statistics
Policy tracing
Packet capture tools
Connectivity testing tools
Session recording
System snapshot
Client connectivity

QUESTION 1
Which two statements are correct regarding the MAG6611 Junos Pulse Gateway in an
active/active cluster configuration? (Choose two.)

A. Virtual IP (VIP) is available.
B. It supports up to two devices.
C. It supports up to four devices.
D. External load balancing is preferred.

Answer: C,D

Explanation:
QUESTION 2
What is the function of the smart caching setting within a Web caching policy?

A. to send the cache control compress header to the client
B. to remove the cache control headers from the origin server
C. to not modify the cache control header from the origin server
D. to send the appropriate cache control header based on Web content.

Answer: D

Explanation:
QUESTION 3
You have configured RADIUS authentication on the Junos Pulse Secure Access Service. Users
report that their authentication is rejected. The RADIUS administrator reports that the RADIUS
server requires a specific attribute that identifies the Junos Pulse Secure Access Service on the
RADIUS server.
In the Admin UI, which configuration parameter will address this issue?

A. Name
B. NAS-Identifier
C. RADIUS Server
D. Shared Secret

Answer: B

Explanation:
QUESTION 4
What are three benefits that resource profiles provide over resource policies? (Choose three.)

A. Resource profiles provide automatic mapping of users to roles.
B. Resource profiles provide a simplified process for creating bookmarks and resource policies.
C. One profile can be assigned to multiple roles.
D. Resource options can be customized for each profile.
E. Resource profiles provide a simplified process for configuring applications such as VPN
tunneling.

Answer: B,C,D

Explanation:
QUESTION 5
You must deploy VPN tunneling using Network Connect to multiple Microsoft Windows devices.
Due to access restrictions, the users do not have permission to install WSAM.
Which component resolves this issue?

A. Juniper Installer Service
B. Host Checker
C. third-party integrity measurement verifier
D. Windows Secure Application Manager scriptable launcher

Answer: A

Explanation:
Posted by at No comments:
Labels: , , , , , , ,
Subscribe to: Posts (Atom)