
NCSA v5.0 Certification Exam Study

NCSA v5.0 Certification Exam Study Guide

NetScreen has developed this Study Guide to help you prepare for the NCSA v5.0 Certification Exam. This guide contains Topics and Objectives, which were used to develop the questions on the exam, Preparatory Materials and Sample Questions.
We also recommend that you attend the corresponding course(s) and have hands-on experience with the hardware and software, as well as current product knowledge.
Topics and Objectives
The following topics and objectives are covered on the NCSA v5.0 Certification Exam.
Security Concepts for IP Networks
• Identify requirements that must be met by network security devices
• Name and describe the function of components of the Universal Security Gateway Architecture including:
  - Virtual Systems (VSYS)
  - Zones
  - Policies
  - Virtual Routers
  - Interfaces
• Describe the packet processing sequence in a NetScreen device
• Identify correct deployment scenarios for NetScreen appliances and systems
Administration of NetScreen Products
• Describe the functions performed by different system components
• Establish connectivity to the NetScreen via the console and via the network
• Configure administrative settings and options
• Configure communication with external management devices
• Manage configuration and software image files
• Perform disaster recovery procedures
Layer 2/Transparent Operations
• Describe the advantages of Transparent Mode operation
• Describe V1 zones and their usage
• Create user-defined Layer-2 (L2) zones
• Use the VLAN1 interface to manage the NetScreen in Transparent Mode
Layer 3 Operations
• Explain the need for routing on the NetScreen firewall
• Configure static routes
• Describe the function of a virtual router
• Configure inter-VR routing
• Define the uses of a loopback interface
• Configure a loopback interface
• Explain the difference between NAT and route interface modes
• Configure interfaces for NAT or route mode
Basic Policy Configuration
• Explain the purpose of a security policy
• List all the configuration elements needed for policy creation
• Create address book entries and address groups
• Create custom service entries and service groups
• Create security policy entries
• List "gotchas" associated with policy creation
• Move policy entries within a policy
Advanced Policy Configuration
• Configure advanced policy features, including:
  - Traffic logging
  - Traffic counters
  - Scheduling
  - User Authentication
• Verify operations of advanced policy features
Attack Prevention
• Describe general types of network attacks
• Configure the SCREEN function of the NetScreen
• Configure malicious URL protection
• Configure Anti-Virus integration
• Configure URL Filtering
• Explain the functionality of Deep packet inspection in the NetScreen Firewall/VPN product line
• Import Deep Inspection signatures
• Configure policies with Deep Inspection actions
Address Translation Options
• Define policy-based NAT options:
  - Unidirectional
  - Bidirectional
• Configure address translation features:
  - NAT-src
  - NAT-dst
  - Mapped IP (MIP)
  - Virtual IP (VIP)
• Verify NAT mode operation
VPN Concepts
• Define "virtual private network"
• List three security concerns and describe how to address them
• List the components of the IPSec protocol suite
• Explain the IKE protocol process for tunnel establishment
Policy-based VPNs
• Define the term "Policy-based VPN"
• Identify the minimum components needed to configure a Policy-based VPN
• Configure an IKE-based VPN binding to Policies with:
  - Phase 1 Gateways
  - Phase 2 AutoKey IKE
  - Address and Service Books
• Verify operation
Route-based VPNs
• Explain the concepts of a Route Based VPN
• Configure Route Based VPNs with the following options:
  - Fixed IP vs. Unnumbered IP
  - Proxy ID Settings
  - VPN Monitoring
• Verify operation
NetScreen-Remote VPN Client with Pre-Shared Key
• Describe the NetScreen-Remote Client Software
• Define the components of the NetScreen-Remote VPN Client
• Navigate and identify parts of the Security Policy Editor
• Create a VPN using Pre-shared keys to a NetScreen device
• Export/Import a Security Policy Database (SPD) file for mass deployment
• Troubleshoot both sides if the VPN fails to establish
Preparation Materials
• Implementing NetScreen Security Gateways (INSG) Course (you must attend the course to access the courseware)
• ScreenOS 5.0 Concepts and Examples Guide
Sample Questions
The sample questions give you an understanding of how questions will look on the exam. Answering these questions correctly does not imply that you will be able to pass the exam.
1) What are three (3) functions that a security gateway must perform?
a) routing
b) firewall
c) switching
d) VPN termination
e) device aggregation
2) Which are two (2) components that make up the NetScreen security architecture?
a) policy
b) interface
c) virtual router
d) deep inspection
e) address objects
3) How is a NetScreen appliance different from a system?
a) An appliance has no ASIC-based processing
b) An appliance has a fixed interface configuration
c) An appliance has redundant power supplies
d) An appliance supports multiple virtual systems
4) What are the two (2) minimal interface configuration parameters required to activate the WebUI?
a) IP address on interface
b) Resetting root password
c) Enabling Web management on the interface
d) Default route
5) What are three (3) basic components of a policy?
a) address
b) port
c) service
d) action
e) protocol
6) Which advanced feature displays session duration information?
a) scheduling
b) counters
c) traffic shaping
d) logging
7) Which three (3) types of attacks can Deep Inspection prevent?
a) denial of service
b) reconnaissance attack
c) back-door attacks
d) buffer overflow
e) worm
8) In the packet handling process, when is the Deep Inspection evaluation done?
a) when packet is first received
b) after session lookup
c) after routing lookup
d) after policy lookup
9) When using IKE for VPN negotiation, which Phase 1 messages exchange proposals?
a) Messages 1 and 2
b) Messages 3 and 4
c) Messages 5 and 6
d) Messages 2 and 3
e) Messages 4 and 5
10) Where is the proxy-ID for a policy-based VPN derived from?
a) Phase 1 configuration
b) Phase 2 configuration
c) VPN policy address
d) VPN policy address and service
e) VPN policy address, service, and application
Answers:
1. ABD
2. BC
3. B
4. AC
5. ACD
6. D
7. BDE
8. D
9. A
10. D
