H12-731_V2.0 HCIE-Security (Written) V2.0 Questions and Answers

Physicalization of attack methods

Complication of attack methods

The attack method changes little

Diversification of attack objectives

TRUE

B・ FALSE

Transmission security

Storage security

Destroy security

Collect security

B. FALSE

TRUE

FALSE

The classification of general safety requirements is more detailed.

The workflow of equal protection assessment is more detailed.

Added expansion requirements.

The security requirements of each level are more detailed.

Degaussing method

Multiple divisions

Overwriting

Mashing method

Under the condition that the firewall service interface works at Layer 2 and connects the router upstream and downstream It is recommended to use a staff-sharing network.

Under the condition that the firewall service interface works at Layer 2 and connects the switch upstream and downstream Support staff sharing networking

The firewall service interface works in the case of three-layer, uplink and downlink connection to the router You can use primary/standby networking.

The firewall service interface works under the networking condition of Layer 3, uplink and downlink connecting routers You cannot use load-sharing groups.

DDOS Anti-DDoS Pro IP services

Situational awareness services

SSL certificate management service

Security Expert Services

TRUE

FALSE

TRUE

FALSE

Multi-tenant app environment Enable the virtual firewall to implement an independent port for administrative privileges

Network traffic isolation between VMs is not possible

VPN group and network environment Enable the virtual firewall for forward isolation

Isolation of different security areas of the campus network

In this scenario, Fireproof will assign an IP address to the client

After the L2TF tunnel is established, the user cannot access the Internet normally

The parameters set by the client should match the parameters set on the firewall.

The client should initiate a dial-up connection to the virtual address of the dual machine.

Cloud host security

Situational awareness services

Database security

Vulnerability scanning service

Installing threats against network weapons, network trapping defense technology, can use deception to make the attack execute special commands in the trapping system

In the face of viruses, worms, WebShell these weaponized attack methods, can use misleading methods to make the attack traffic be diverted to trap probe O

For the detection behavior in the early stage of the attack, you can use deception to burst into defense. By creating various traps to mislead the attacker. Cause attackers to misunderstand the network structure, attack targets, and vulnerabilities.

Network trapping technology can disguise the actual business and vulnerabilities to mislead the attacker, so that the attacker can infiltrate the trapping system.

TRUE

FALSE

Modify system files

Parasitic in macro files

Modify the memory signature

Modify the file signature

Global traffic steering strategy

Policy routing and routing

ISProuting

Health check

For FTP behavior, application behavior control can limit the size of upload/download files, but cannot control the upload/download line separately

For IM behavior You can set a black whitelist The priority relationship between the black and white list and the provincial action is: blacklist, white list, default action.

When creating a security strategy Application behavior control and yellow files can be combined with users, time periods, and other objects to achieve the purpose of application control for different users and different time periods.

D. For HTTP behavior The application behavior control function can be controlled by DET operation in POST.

Tokenization

hash

encrypt

D . Generalization

In a networking environment where the packet return path is inconsistent, the content of the audit log record is not complete.

Only audit administrators can configure audit functions and view audit logs

In the security policy, traffic configured as deny will be processed by the audit policy.

The audit strategy includes two parts: conditions and actions By matching any of the conditions, a response action can be performed.

Host vulnerabilities

Middleware vulnerabilities

Database vulnerabilities

The interface does not have strict security mode enabled

The maximum key length that the interface can accept is 2048

The minimum key length that the interface can accept is 512

The security level of the CGA address is 1

Tenants can be isolated through security group networks.

Fire protection is implemented between HUAWEI CLOUD and the customer network

Cloud network perimeter protection DDos can only be achieved by deploying anti-DDoS appliances.

The cloud network boundary protects service availability through DDos defense.

TRUE

FALSE

Responsible for security vulnerability detection and protection.

Responsible for organizing the emergency handling of information security emergencies.

Responsible for formulating enterprise-level information security technology planning and technical architecture.

Responsible for organizing and carrying out information system security graded protection work

Close unnecessary host ports

Misoperation

Important files are not encrypted

Connect to public WIFI

The deployment method of reverse proxy requires directing traffic to the WAF device.

The deployment method of transparent proxy requires directing traffic to the WAF device.

The deployment method of transparent proxy is to connect devices in the network.

The deployment method of reverse proxy is to connect devices in the network.

Heuristic detection technology

First package detection technology

Malicious domain name detection technology

Document reputation detection technology

Security resources that can be pooled with features Security functions can be divided and combined, and elastically scalable

The functional interface should provide northbound API interfaces to meet the requirements of flexible service configuration

The security resource pool that carries the security business function can be a hardware resource pool or a software resource pool

Need to provide rich security functions to meet the needs of the business

in the file system Data at rest is protected on the database through storage technology

Check database backups regularly

Protection of data in use when using or processing data

Protect data in transit as it travels across the network

Attack traceability

Log storage

Virus blockade

O&M failure analysis

Protect the security of user communications and the integrity of data, and prevent malicious users from intercepting and tampering with data It can fully protect users from malicious damage during operation

It can provide fine-grained access control to maximize the security of user resources

It provides centralized management of all server and network device accounts, which can complete the monitoring and management of the entire life cycle of the account

It can automatically display the user's operation process and monitor the user's every behavior Determine whether the user's behavior poses a danger to the internal network security of the enterprise

You do not need to configure a security policy to allow health check packets.

The outbound interface of the probe message does not need to be fixed

After specifying the junction of the link health check The outgoing interface of the health probe packet can be consistent with the incoming interface of the response packet.

When configuring the protocol and port of the health check, check whether the corresponding protocol and port are enabled on the peer side.

Identification

Identity authentication

Billing

Authorization