Mike M
Test por , creado hace más de 1 año

This exam tests the candidate's knowledge of secure network infrastructure, understanding core security concepts, managing secure access, VPN encryption, firewalls, intrusion prevention, web and email content security, and endpoint security using: SIEM Technology Cloud & Virtual Network Topologies BYOD Identity Services Engine 802.1x Authentication Cisco FirePOWER Anti-Malware/Cisco Advanced Malware Protection From Cisco.PracticeTest.210-260.v2016-07-06.by.Noah.154q.vce

3941
18
4
Mike M
Creado por Mike M hace casi 8 años
Cerrar

CCNA Security 210-260 IINS - Exam 1

Pregunta 1 de 50

1

What type of packet creates and performs network operations on a network device?

Selecciona una de las siguientes respuestas posibles:

  • Control plane packets

  • Data plane packets

  • Management plane packets

  • Services plane packets

Explicación

Pregunta 2 de 50

1

What is an advantage of implementing a Trusted Platform Module for disk encryption?

Selecciona una de las siguientes respuestas posibles:

  • It provides hardware authentication

  • It allows the hard disk to be transferred to another device with requiring re-encryption

  • It supports a more complex encryption algorithm than other disk encryption technologies

  • It can protect against single points of failure

Explicación

Pregunta 3 de 50

1

In what type of attach does an attacker virtually change a device's burned-in address in an attempt to circumvent access lists and mask the device's true identity?

Selecciona una de las siguientes respuestas posibles:

  • Gratuitous ARP

  • ARP poisoning

  • IP Spoofing

  • MAC Spoofing

Explicación

Pregunta 4 de 50

1

What is the effect of the
send-lifetime local 23:59:00 Dec 31 2013 infinite
command?

Selecciona una de las siguientes respuestas posibles:

  • It configures the device to begin transmitting the authentication key to other devices at the 00:00:00 local time on January 1, 2014 and continue using the key indefinitely.

  • It configures the device to begin transmitting the authentication key to other devices at the 23:59:00 local time on December 31, 2013 and continue using the key indefinitely.

  • It configures the device to begin accepting the authentication key from other devices immediately and stop accepting the key at the 23:59:00 local time on December 31, 2013.

  • It configures the device to generate a new authentication key and transmit it to other devices at 23:59:00 local time on December 31, 2013.

  • It configures the device to begin accepting the authentication key from other devices at the 23:59:00 local time on December 31, 2013 and continue accepting the key indefinitely.

  • It configures the device to begin accepting the authentication key from other devices at the 00:00:00 local time on January 1, 2014 and continue accepting the key indefinitely.

Explicación

Pregunta 5 de 50

1

What type of algorithm uses the same key to encrypt and decrypt data?

Selecciona una de las siguientes respuestas posibles:

  • A symmetric algorithm

  • An asymmetric algorithm

  • A Public Key Infrastructure algorithm

  • An IP Security algorithm

Explicación

Pregunta 6 de 50

1

What type of security support is provided by the Open Web Application Security Project?

Selecciona una de las siguientes respuestas posibles:

  • Education about common website vulnerabilities

  • A Web site security framework

  • A security discussion forum for Web site developers

  • Scoring of common vulnerabilities and exposures

Explicación

Pregunta 7 de 50

1

What is one requirement for locking a wired or wireless device from the ISE?

Selecciona una de las siguientes respuestas posibles:

  • The ISE agent must be installed on the device

  • The device must be connected to the network when the lock command is executed

  • The user must approve the locking action

  • The organization must implement an acceptable use policy allowing device locking

Explicación

Pregunta 8 de 50

1

What is the FirePOWER impact flag used for?

Selecciona una de las siguientes respuestas posibles:

  • A value that indicates the potential severity of an attack

  • A value that the administrator assigns to each signature

  • A value that sets the priority of a signature

  • A value that measures the application awareness

Explicación

Pregunta 9 de 50

1

What method does asymmetric cryptography use to secure data?

Selecciona una de las siguientes respuestas posibles:

  • A public/private key pair

  • Shared secret keys

  • An RSA nonce

  • An MD5 hash

Explicación

Pregunta 10 de 50

1

Which statement about IOS priviledge levels is true?

Selecciona una de las siguientes respuestas posibles:

  • Each privilege level supports the commands at its own level and all levels below it.

  • Each privilege level supports the commands at its own level and all levels above it.

  • Privilege-level commands are set explicitly for each user.

  • Each privilege level is independent of all other privilege levels.

Explicación

Pregunta 11 de 50

1

Which Cisco product can help mitigate web-based attacks within a network?

Selecciona una de las siguientes respuestas posibles:

  • Adaptive Security Appliance

  • Web Security Appliance

  • E-mail Security Appliance

  • Identity Services Engine

Explicación

Pregunta 12 de 50

1

A proxy firewall protects against which type of attack?

Selecciona una de las siguientes respuestas posibles:

  • cross-site scripting attack

  • worm traffic

  • port scanning

  • DDoS attacks

Explicación

Pregunta 13 de 50

1

Refer to the following command output:

crypto ikev1 policy 1
encryption aes
hash md5
authentication-preshare
group 2
lifetime 14400

What is the effect of the given command sequence?

Selecciona una de las siguientes respuestas posibles:

  • It configures IKE Phase1

  • It configures a site-to-site VPN tunnel

  • It configures a crypto policy with a key size of 14400

  • It configures IPSec Phase2

Explicación

Pregunta 14 de 50

1

When an administrator initiates a device wipe command from the ISE, what is the immediate effect?

Selecciona una de las siguientes respuestas posibles:

  • It requests the administrator to choose between erasing all device data or only managed corporate data.

  • It requests the administrator to enter the device PIN or password before proceeding with the operation.

  • It notifies the device user and proceeds with the erase option.

  • It immediately erases all data on the device.

Explicación

Pregunta 15 de 50

1

What is an advantage of placing an IPS on the inside of a network?

Selecciona una de las siguientes respuestas posibles:

  • It can provide higher throughput

  • It receives traffic that has already been filtered

  • It receives every inbound packet

  • It can provide greater security

Explicación

Pregunta 16 de 50

1

What improvement does EAP-FASTv2 provide over EAP-FAST

Selecciona una de las siguientes respuestas posibles:

  • It allow multiple credentials to be passed in a single EAP exchange.

  • It supports more secure encryption protocols.

  • It allows faster authentication by using fewer packets.

  • It addresses security vulnerabilities found in the original protocol.

Explicación

Pregunta 17 de 50

1

What type of attack was the Struxnet virus?

Selecciona una de las siguientes respuestas posibles:

  • Cyber warfare

  • Hacktivism

  • Botnet

  • Social Engineering

Explicación

Pregunta 18 de 50

1

Which statement about communication over failover interfaces is true?

Selecciona una de las siguientes respuestas posibles:

  • All information that is sent over the failover and stateful failover interface is sent as clear text by default.

  • All information that is sent over the failover interface is sent as clear text but the stateful failover link is encrypted by default.

  • All information that is sent over the failover and stateful failover interfaces is encrypted by default.

  • User names, passwords, and preshared keys are encrypted by default when they are sent over the failover and stateful failover interfaces, but other information is sent as clear text.

Explicación

Pregunta 19 de 50

1

Which sensor mode can deny attackers inline?

Selecciona una de las siguientes respuestas posibles:

  • IPS

  • Fail-close

  • IDS

  • Fail-open

Explicación

Pregunta 20 de 50

1

What is the only permitted operation for processing multicast traffic on zone-based firewalls?

Selecciona una de las siguientes respuestas posibles:

  • Only control-plane policing can protect the control plane against multi-cast traffic.

  • Stateful inspection of multicast traffic is supported only for the self-zone

  • Stateful inspection for multicast traffic is supported only between the self-zone and the internal zone.

  • Stateful inspection of multi-cast traffic is supported only for the internal zone.

Explicación

Pregunta 21 de 50

1

Which option is the most effective placement of an IPS device within the infrastructure?

Selecciona una de las siguientes respuestas posibles:

  • Inline, behind the internet router and firewall.

  • Inline, before the internet router and firewall.

  • Promiscously, after the internet router and before the firewall.

  • Promiscously, before the internet router and the firewall

Explicación

Pregunta 22 de 50

1

Which statement about Cisco ACS authentication and authorization is true?

Selecciona una de las siguientes respuestas posibles:

  • ACS servers can be clustered to provide scalability

  • ACS can query multiple Active Directory domains

  • ACS can use only one authorization profile to allow or deny requests

  • ACS uses TACACS to proxy other authentication servers

Explicación

Pregunta 23 de 50

1

An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible result of this activity?

Selecciona una de las siguientes respuestas posibles:

  • The switch could become the root bridge.

  • The switch could offer fake DHCP addresses.

  • The switch could be allowed to join the VTP domain.

  • The switch could become a transparent bridge.

Explicación

Pregunta 24 de 50

1

Which type of address translation should be used when a Cisco ASA is in transparent mode?

Selecciona una de las siguientes respuestas posibles:

  • Dynamic PAT

  • Dynamic NAT

  • Static NAT

  • Overload

Explicación

Pregunta 25 de 50

1

Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable syntax using the local database with no fallback method?

Selecciona una de las siguientes respuestas posibles:

  • aaa authentication enable console LOCAL

  • aaa authentication enable console SERVER_GROUP LOCAL

  • aaa authentication enable console local-case

  • aaa authentication enable console LOCAL SERVER_GROUP

Explicación

Pregunta 26 de 50

1

What hash type does Cisco use to validate the integrity of downloaded images?

Selecciona una de las siguientes respuestas posibles:

  • MD5

  • SHA1

  • MD1

  • SHA2

Explicación

Pregunta 27 de 50

1

Which NAT option is executed first in case of multiple NAT translations?

Selecciona una de las siguientes respuestas posibles:

  • Dynamic NAT with shortest prefix

  • Dynamic NAT with longest prefix

  • Static NAT with shortest prefix

  • Static NAT with longest prefix

Explicación

Pregunta 28 de 50

1

How can firepower block malicious e-mail attachments?

Selecciona una de las siguientes respuestas posibles:

  • It forwards email requests to an external signature engine.

  • It sends the traffic through a file policy.

  • It scans inbound e-mail messages for known bad URLs.

  • It send an alert to the administrator to verify suspicious email messages.

Explicación

Pregunta 29 de 50

1

What PAT configuration command allows it to use the next IP in the dynamic pool instead of the next port?

Selecciona una de las siguientes respuestas posibles:

  • Next IP

  • Round Robin

  • Dynamic rotation

  • Dynamic PAT rotation

Explicación

Pregunta 30 de 50

1

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM five multiple choice questions about the ASA SSL VPN configurations.

To access ASDM, click the ASA icon in the topology diagram.

Note: Not all ASDM functionalities are enabled in this simulation.

To see all the menu options available on the left navigation pane, you may also need to unexpand the expanded menu first:

Which two statements regarding the ASA VPN configurations are correct? (choose two)

Selecciona una o más de las siguientes respuestas posibles:

  • The ASA has a certificate issued by an external Certificate Authority associated to the ASDM_TrustPoint1

  • *Correct*The DefaultWEBVPNGroup Connection Profile is using the AAA with RADIUS server method

  • The inside-SRV bookmark references the https://192.168.1.2 URL

  • *Correct* Only clientless SSL VPN access is allowed with the Sales group policy

  • AnyConnect, IPSec IKEv1, and IPSec IKEv2 VPN access is enabled on the outside interface

  • The Inside-SRV bookmark has not been applied to the Sales group policy

Explicación

Pregunta 31 de 50

1

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM five multiple choice questions about the ASA SSL VPN configurations.

To access ASDM, click the ASA icon in the topology diagram.

Note: Not all ASDM functionalities are enabled in this simulation.

To see all the menu options available on the left navigation pane, you may also need to unexpand the expanded menu first:

Which user authentication method is used when users login to the Clientless SSLVPN portal using https://209.165.201.2/test?

Selecciona una de las siguientes respuestas posibles:

  • *Correct* AAA with LOCAL database

  • AAA with RADIUS server

  • Certificate

  • Both Certificate with AAA with LOCAL database

  • Both Certificate and AAA with RADIUS server

Explicación

Pregunta 32 de 50

1

Scenario:
Given the new additional connectivity requirements and the topology diagram, use ASDM to accomplish the required ASA configurations to meet the requirements.

New additional connectivity requirements:

Once the correct ASA configurations have been configured:

To access ASDM, click the ASA icon in the topology diagram.

To access the Firefox Browser on the Outside PC, click the Outside PC icon in the topology diagram.

To access the Command prompt on the Inside PC, click the Inside PC icon in the topology diagram.

Note:

After you make the configuration changes in ASDM, remember to click Apply to apply the configuration changes.

Not all ASDM screens are enabled in this simulation, if some screen is not enabled, try to use different methods to configure the ASA to meet the requirements.

In this simulation, some of the ASDM screens may not look and function exactly like the real ASDM.

Selecciona una de las siguientes respuestas posibles:

  • *Correct* A

  • B

  • C

  • D

Explicación

Pregunta 33 de 50

1

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM five multiple choice questions about the ASA SSL VPN configurations.

To access ASDM, click the ASA icon in the topology diagram.

Note: Not all ASDM functionalities are enabled in this simulation.

To see all the menu options available on the left navigation pane, you may also need to unexpand the expanded menu first:

Which four tunneling protocols are enabled in the DfltGrpPolicy group policy? (Choose four)

Selecciona una o más de las siguientes respuestas posibles:

  • Clientless SSL VPN *Correct*

  • SSL VPN Client

  • PPTP

  • L2TP/IPSec *Correct*

  • IPSec IKEv1 *Correct*

  • IPSec IKEv2 *Correct*

Explicación

Pregunta 34 de 50

1

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM five multiple choice questions about the ASA SSL VPN configurations.

To access ASDM, click the ASA icon in the topology diagram.

Note: Not all ASDM functionalities are enabled in this simulation.

To see all the menu options available on the left navigation pane, you may also need to unexpand the expanded menu first:

When users login to the Clientless SSLVPN using https://209.165.201.2/test, which group policy will be applied?

Selecciona una de las siguientes respuestas posibles:

  • Test

  • Clientless

  • Sales *Correct*

  • DfltGrpPolicy

  • DefaultRAGroup

  • DefaultWEBVPNGroup

Explicación

Pregunta 35 de 50

1

Your security team has discovered a malicious program that has been harvesting the CEO's e-mail messages and the company's user database for the last 6 months. What type of attack did your team discover? (Choose two)

Selecciona una o más de las siguientes respuestas posibles:

  • Advanced persistent threat

  • Targeted malware

  • Drive-by spyware

  • Social activism

  • Email harvesting

Explicación

Pregunta 36 de 50

1

Refer to the following command:

crypto ipsec transform-set myset esp-md5-hmac esp-aes-256

What is the effect of the given command? (Choose two)

Selecciona una o más de las siguientes respuestas posibles:

  • It merges authentication and encryption methods to protect traffic that matches an ACL.

  • It configures the network to use a different transform set between peers.

  • It configures encryption for MD5-HMAC

  • It configures authentication as AES 256

Explicación

Pregunta 37 de 50

1

Which two statements about stateless firewalls are true? (choose two)

Selecciona una o más de las siguientes respuestas posibles:

  • They compare the 5-tuple of each incoming packet against configurable tables

  • They cannot track connections

  • They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS.

  • Cisco IOS cannot implement them because the platform is stateful by nature

  • The Cisco ASA is implicitly stateless because it blocks all traffic by default

Explicación

Pregunta 38 de 50

1

What is the purpose of Internet Key Exchange in an IPSec VPN? (Choose two)

Selecciona una o más de las siguientes respuestas posibles:

  • The Internet Key Exchange protocol establishes security associations.

  • The Internet Key Exchange protocol provides data confidentiality.

  • The Internet Key Exchange protocol provides replay detection.

  • The Internet Key Exchange protocol is responsible for mutual authentication.

Explicación

Pregunta 39 de 50

1

Which actions can a promiscuous IPS take to mitigate an attack? (Choose three)

Selecciona una o más de las siguientes respuestas posibles:

  • Modifying packets

  • Requesting connection blocking

  • Denying packets

  • Resetting the TCP connection

  • Requesting host blocking

  • Denying frames

Explicación

Pregunta 40 de 50

1

What are the primary attack methods of VLAN hopping? (Choose two)

Selecciona una o más de las siguientes respuestas posibles:

  • VoIP hopping

  • Switch spoofing

  • CAM-table overflow

  • Double tagging

Explicación

Pregunta 41 de 50

1

Which two services define cloud networks? (Choose two.)

Selecciona una o más de las siguientes respuestas posibles:

  • Infrastructure as a Service

  • Platform as a Service

  • Security as a Service

  • Compute as a Service

  • Tenancy as a Service

Explicación

Pregunta 42 de 50

1

Which of the following are features of IPsec transport mode? (Choose three)

Selecciona una o más de las siguientes respuestas posibles:

  • IPsec transport mode is used between end stations.

  • IPsec transport mode is used between gateways.

  • IPsec transport mode supports multi-cast

  • IPsec transport mode supports unicast

  • IPsec transport mode encrypts only the payload

  • IPsec transport mode encrypts the entire packet

Explicación

Pregunta 43 de 50

1

What features can protect the data plane? (Choose three)

Selecciona una o más de las siguientes respuestas posibles:

  • policing

  • ACLs

  • IPS

  • antispoofing

  • QoS

  • DHCP-snooping

Explicación

Pregunta 44 de 50

1

What are the three layers of a hierarchical network design? (Choose three)

Selecciona una o más de las siguientes respuestas posibles:

  • Access

  • Core

  • Distribution

  • User

  • Server

  • Internet

Explicación

Pregunta 45 de 50

1

Which two statements about Telnet access to the ASA are true? (Choose two)

Selecciona una o más de las siguientes respuestas posibles:

  • You may VPN to the lowest security interface to telnet to an inside interface

  • You must configure a AAA server to enable Telnet

  • You can access all interfaces on an ASA using telnet

  • You must use the command virtual telnet to enable Telnet

  • Best practice is to disable Telnet and use SSH

Explicación

Pregunta 46 de 50

1

Which three statements about host-based iPS are true? (Choose three)

Selecciona una o más de las siguientes respuestas posibles:

  • It can view encrypted files

  • It can have more restrictive policies than network based IPS

  • It can generate alerts based on behavior at the desktop level.

  • It can be deployed at the perimeter

  • It uses signature-based policies

  • It works with deployed firewalls

Explicación

Pregunta 47 de 50

1

If a router configuration includes the line
aaa authentication login default group tacacs+ enable
which events will occur when the TACACS+ server returns an error? (choose two)

Selecciona una o más de las siguientes respuestas posibles:

  • The user will be prompted to authenticate using the enable password

  • Authentication attempts to the router will be denied

  • Authentication will use the router's local database

  • Authentication attempts will be sent to the TACACS+ server

Explicación

Pregunta 48 de 50

1

Which statements about smart tunnels on a Cisco firewall are true? (Choose two)

Selecciona una o más de las siguientes respuestas posibles:

  • Smart tunnels can be used by clients that do not have administrator privileges.

  • Smart tunnels support all operating systems.

  • Smart tunnels offer better performance than port forwarding.

  • Smart tunnels require the client to have the application locally.

Explicación

Pregunta 49 de 50

1

What three actions are limitations when running an IPS in promiscuous mode? (Choose three)

Selecciona una o más de las siguientes respuestas posibles:

  • Deny attacker

  • Deny Packet

  • Modify Packet

  • Request Block Connection

  • Request Block Host

  • Reset TCP Connection

Explicación

Pregunta 50 de 50

1

What are two ways to prevent eavesdropping when you preform device-management tasks? (Choose two)

Selecciona una o más de las siguientes respuestas posibles:

  • Use an SSH connection.

  • Use SNMPv3.

  • Use out-of-band management

  • Use SNMPv2

  • Use in-band management

Explicación