H12-725_V4.0 Exam Dumps - Huawei Certification Questions and Answers

Comprehensive and Detailed Explanation:

CVSS (Common Vulnerability Scoring System)is used toevaluate the severity of security vulnerabilities.

It consists of three metric groups:

A. Temporal→ Measures how the vulnerability changes over time.

B. Base→ Measures theinherent severityof the vulnerability.

C. Environmental→ Measures the impact based on the user's specific environment.

Why is D incorrect?

"Spatial" is not a part of the CVSS scoring system.

HCIP-Security References:

Huawei HCIP-Security Guide → CVSS and Risk Scoring

Comprehensive and Detailed Explanation:

SYN scanning is a stealthy technique used to identify open ports on a target system without fully establishing a TCP connection.

How SYN scanning works:

The scanner sends aSYN packetto the target port.

The target responds based on the port state:

SYN-ACK → Port is open(Correct - D).

RST → Port is closed(Correct - A).

No response → The host does not exist, or a firewall is blocking it(Correct - B).

The scanner doesnot send an ACK(unlike a full TCP connection). Instead, it sends anRSTto avoid detection.

Why is C incorrect?

In SYN scanning, the scanner does NOT send an ACK to complete thehandshake. Instead, it sends an RST to abort the connection.

HCIP-Security References:

Huawei HCIP-Security Guide → SYN Scanning Techniques

Comprehensive and Detailed Explanation:

Aggressive modeis a faster IKE Phase 1 negotiation method butdoes not support NAT traversal (NAT-T) with AH.

NAT-T only works with ESP, because:

AH includes the original IP header in its integrity check, which breaks when NAT modifies the IP address.

ESP works with NAT-Tsince it does not include the original IP header in its integrity check.

Why is this statement false?

AH does not support NAT-T, soAH+ESP cannot be used in NAT traversal scenarios.

HCIP-Security References:

Huawei HCIP-Security Guide → IPsec VPN NAT Traversal

Comprehensive and Detailed Explanation:

Flood attacks (DoS/DDoS) overwhelm network resources, preventing normal users from accessing services.

Correct answers:

A. Exhaust available bandwidth→ Large amounts of traffic saturate the network.

B. Exhaust server-side resources→ High CPU/memory usage causes server crashes.

D. Exhaust network device resources→ Firewalls, routers, and switches become overloaded.

Why is C incorrect?

Controlling host rights is related to hacking, not flooding attacks.

HCIP-Security References:

Huawei HCIP-Security Guide → DoS/DDoS Attack Prevention

Comprehensive and Detailed Explanation:

IPsec does not support non-IP traffic (e.g., multicast, routing protocols, or legacy protocols like IPX).

GRE over IPsec allows encapsulation of:

A. IPX→ Legacy protocol supported via GRE.

B. VRRP→ Uses multicast, which GRE supports.

C. IPv6→ GRE tunnels can carry IPv6 over IPv4.

D. OSPF→ Uses multicast (224.0.0.5 & 224.0.0.6), requiring GRE.

Why are all options correct?

GRE over IPsec is required for non-unicast and legacy protocols.

HCIP-Security References:

Huawei HCIP-Security Guide → GRE over IPsec Deployment

Comprehensive and Detailed Explanation:

Firewalls enforce security policies based on rules defined by the administrator.

Data filtering rules must be explicitly referenced in security policies to take effect.

Why is this statement true?

If a filtering rule exists but is not linked to a security policy, it will not apply to network traffic.

HCIP-Security References:

Huawei HCIP-Security Guide → Data Filtering Policy Configuration

Comprehensive and Detailed Explanation:

IKEv1 Phase 1 (Main Mode) consists of six messages:

Messages 1 & 2 → Negotiate security proposals(encryption, authentication, and DH group).

Messages 3 & 4 → Exchange key-related information.

Messages 5 & 6 → Perform mutual authentication.

Why is B correct?

Messages 1 and 2 negotiate IKE proposalsbetween VPN peers.

HCIP-Security References:

Huawei HCIP-Security Guide → IKEv1 Main Mode Negotiation

Comprehensive and Detailed Explanation:

RADIUS and HWTACACS are AAA (Authentication, Authorization, and Accounting) protocols, but they have key differences:

RADIUS→ Encrypts only passwords (not the entire message).

HWTACACS→ Encrypts the entire packet, providing better security.

Command authorization:

RADIUS does not support command-level authorization.

HWTACACS supports per-command authorization(used in network device access control).

Why is C false?

RADIUS does not authorize configuration commands; HWTACACS does.

HCIP-Security References:

Huawei HCIP-Security Guide → RADIUS vs. HWTACACS