Download CCNA Security -Implementing Cisco Network Security (IINS v3-0).examlabs.210-260.2019-09-26.1e.202q.vcex

File Info

Exam CCNA Security - Implementing Cisco Network Security (IINS v3.0)
Number 210-260
File Name CCNA Security -Implementing Cisco Network Security (IINS v3-0).examlabs.210-260.2019-09-26.1e.202q.vcex
Size 1.06 Mb
Posted September 26, 2019
Downloads 76

How to open VCEX & EXAM Files?

Files with VCEX & EXAM extensions can be opened by ProfExam Simulator.

Demo Questions

Question 1

In which two situations should you use out-of-band management? (Choose two.)

  • A: when a network device fails to forward packets
  • B: when you require ROMMON access
  • C: when management applications need concurrent access to the device
  • D: when you require administrator access from multiple locations
  • E: when the control plane fails to respond

Correct Answer: AB

Out-of-band refers to an interface that allows only management protocol traffic to be forwarded or processed. An out-of-band management interface is defined by the network operator to specifically receive network management traffic. The advantage is that forwarding (or customer) traffic cannot interfere with the management of the router, which significantly reduces the possibility of denial-of-service attacks.
Out-of-band interfaces forward traffic only between out-of-band interfaces or terminate management packets that are destined to the router. In addition, the out-of-band interfaces can participate in dynamic routing protocols. The service provider connects to the router’s out-of-band interfaces and builds an independent overlay management network, with all the routing and policy tools that the router can provide. 
Reference: http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-0/security/configuration/guide/b_sc40asr9kbook/b_sc40asr9kbook_chapter_0101.pdf




Question 2

According to Cisco best practices, which three protocols should the default ACL allow on an access port to enable wired BYOD devices to supply valid credentials and connect to the network? (Choose three.)

  • A: BOOTP
  • B: TFTP
  • C: DNS
  • D: MAB
  • E: HTTP
  • F: 802.1x

Correct Answer: ABC

ACL-DEFAULT allows DHCP, DNS, ICMP, and TFTP traffic and denies everything else. 
Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_Wired.html




Question 3

Which two next-generation encryption algorithms does Cisco recommend? (Choose two.)

  • A: AES
  • B: 3DES
  • C: DES
  • D: MD5
  • E: DH-1024
  • F: SHA-384

Correct Answer: AF

The following table shows the relative security level provided by the recommended and NGE algorithms. The security level is the relative strength of an algorithm. An algorithm with a security level of x bits is stronger than one of y bits if x > y. If an algorithm has a security level of x bits, the relative effort it would take to "beat" the algorithm is of the same magnitude as breaking a secure x-bit symmetric key algorithm (without reduction or other attacks). The 128-bit security level is for sensitive information and the 192-bit level is for information of higher importance.

  

Reference: http://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html




Question 4

What are two default Cisco IOS privilege levels? (Choose two.)

  • A: 0
  • B: 1
  • C: 5
  • D: 7
  • E: 10
  • F: 15

Correct Answer: BF

By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of access to commands, called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html#wp1001016




Question 5

Which two features do CoPP and CPPr use to protect the control plane? (Choose two.)

  • A: QoS
  • B: traffic classification
  • C: access lists
  • D: policy maps
  • E: class maps
  • F: Cisco Express Forwarding

Correct Answer: AB




Question 6

Which two statements about stateless firewalls are true? (Choose two.)

  • A: They compare the 5-tuple of each incoming packet against configurable rules.
  • B: They cannot track connections.
  • C: They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS.
  • D: Cisco IOS cannot implement them because the platform is stateful by nature.
  • E: The Cisco ASA is implicitly stateless because it blocks all traffic by default.

Correct Answer: AB

However, since iptables and Netfilter were introduced, and connection tracking in particular, this option was removed. The reason is that connection tracking cannot work properly without defragmenting packets, so defragmentation has been incorporated into conntrack and is carried out automatically. It cannot be turned off, except by turning off connection tracking. Defragmentation is always carried out if connection tracking is turned on.
Reference: http://www.iptables.info/en/connection-state.html




Question 7

Which three statements about host-based IPS are true? (Choose three.)

  • A: It can view encrypted files.
  • B: It can have more restrictive policies than network-based IPS.
  • C: It can generate alerts based on behavior at the desktop level.
  • D: It can be deployed at the perimeter.
  • E: It uses signature-based policies.
  • F: It works with deployed firewalls.

Correct Answer: ABC

Cisco host-based IPS can generate alerts based on behavior at the desktop level. It can also have more restrictive policies than network-based IPS, and you can view encrypted files using a host-based IPS solution.
Reference: http://www.ciscopress.com/articles/article.asp?p=1336425&seqNum=3




Question 8

What three actions are limitations when running IPS in promiscuous mode? (Choose three.)

  • A: deny attacker
  • B: deny packet
  • C: modify packet
  • D: request block connection
  • E: request block host
  • F: reset TCP connection

Correct Answer: ABC

The following actions require the device to be deployed in inline mode and are in effect for a user-configurable default time of 3600 seconds (60 minutes).
Deny attacker inline: This action is the most severe and effectively blocks all communication from the attacking host that passes through the IPS for a specified period of time. Because this event action is severe, administrators are advised to use this only when the probability of false alarms or spoofing is minimal.
Deny attacker service pair inline: This action prevents communication between the attacker IP address and the protected network on the port in which the event was detected. However, the attacker would be able to communicate on another port that has hosts on the protected network. This event action works well for worms that attack many hosts on the same service port. If an attack occurred on the same host but on another port, this communication would be allowed. This event action is appropriate when the likelihood of a false alarm or spoofing is minimal.
Deny attacker victim pair inline: This action prevents the attacker from communicating with the victim on any port. However, the attacker could communicate with other hosts, making this action better suited for exploits that target a specific host. This event action is appropriate when the likelihood of a false alarm or spoofing is minimal.
Deny connection inline: This action prevents further communication for the specific TCP flow. This action is appropriate when there is the potential for a false alarm or spoofing and when an administrator wants to prevent the action but not deny further communication.  
Deny packet inline: This action prevents the specific offending packet from reaching its intended destination. Other communication between the attacker and victim or victim network may still exist. This action is appropriate when there is the potential for a false alarm or spoofing. Note that for this action, the default time has no effect.
Modify packet inline: This action enables the IPS device to modify the offending part of the packet. However, it forwards the modified packet to the destination. This action is appropriate for packet normalization and other anomalies, such as TCP segmentation and IP fragmentation re-ordering.
Reference: http://www.cisco.com/c/en/us/about/security-center/ips-mitigation.html




Question 9

When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading?

  • A: Deny the connection inline.
  • B: Perform a Layer 6 reset.
  • C: Deploy an antimalware system.
  • D: Enable bypass mode.

Correct Answer: A

This action prevents the attacker from communicating with the victim on any port. However, the attacker could communicate with other hosts, making this action better suited for exploits that target a specific host. This event action is appropriate when the likelihood of a false alarm or spoofing is minimal. 
Reference: http://www.cisco.com/c/en/us/about/security-center/ips-mitigation.html




Question 10

What is the purpose of the Integrity component of the CIA triad?

  • A: to ensure that only authorized parties can modify data
  • B: to determine whether data is relevant
  • C: to create a process for accessing data
  • D: to ensure that only authorized parties can view data

Correct Answer: A

The I in CIA stands for Integrity — specifically, data integrity. The key to this component of the CIA Triad is protecting data from modification or deletion by unauthorized parties, and ensuring that when authorized people make changes that shouldn't have been made the damage can be undone. 
Reference: http://www.techrepublic.com/blog/it-security/the-cia-triad/









