CCNA Security - Implementing Cisco Network Security (IINS v3.0), exam 210-260: selftestengine practice dump, 159 questions

File Info

Exam CCNA Security - Implementing Cisco Network Security (IINS v3.0)
Number 210-260
File Name CCNA Security -Implementing Cisco Network Security (IINS v3-0).selftestengine.210-260.2018-09-05.1e.159q.vcex
Size 26.56 Mb
Posted September 05, 2018
Downloaded 69



How to open VCEX & EXAM Files?

Files with VCEX & EXAM extensions can be opened by ProfExam Simulator.


Demo Questions

Question 1

In what type of attack does an attacker virtually change a device's burned-in address in an attempt to circumvent access lists and mask the device's true identity?

  • A: gratuitous ARP
  • B: ARP poisoning
  • C: IP spoofing
  • D: MAC spoofing

Correct Answer: D

If your original MAC address is revealed, a hacker can use it to impersonate you. On many networks (wired or wireless), access is restricted by MAC address to keep unauthorized devices off the network. So when you go offline, someone can set their interface to your machine's MAC address and access the network as "you".
Reference: http://blog.technitium.com/2011/06/why-you-need-to-change-mac-address.html




Question 2

What command can you use to verify the binding table status?

  • A: show ip dhcp snooping database
  • B: show ip dhcp snooping binding
  • C: show ip dhcp snooping statistics
  • D: show ip dhcp pool
  • E: show ip dhcp source binding
  • F: show ip dhcp snooping

Correct Answer: A

To retain the bindings across reloads, you must use the DHCP snooping database agent. Without this agent, the bindings established by DHCP snooping are lost on reload, and connectivity is lost as well.
The database agent stores the bindings in a file at a configured location. On reload, the switch reads the file to rebuild the binding database. The switch keeps the file current by writing to it as the database changes.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1090624




Question 3

If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must be in use?

  • A: root guard
  • B: EtherChannel guard
  • C: loop guard
  • D: BPDU guard

Correct Answer: A

The root guard feature protects the network against this issue: a superior BPDU arriving on a port where the root bridge should never appear.
Root guard is configured on a per-port basis. Root guard does not allow the port to become an STP root port, so the port is always STP-designated. If a better BPDU arrives on this port, root guard neither takes the BPDU into account nor elects a new STP root. Instead, root guard puts the port into the root-inconsistent STP state. You must enable root guard on all ports where the root bridge should not appear. In effect, you configure a perimeter around the part of the network where the STP root is allowed to be located.
In the referenced figure, root guard is enabled on the Switch C port that connects to Switch D.
Switch C blocks the port that connects to Switch D after it receives a superior BPDU. Root guard puts the port in the root-inconsistent STP state, and no traffic passes through the port in this state. After device D stops sending superior BPDUs, the port is unblocked again: via STP, the port goes from the listening state to the learning state and eventually transitions to the forwarding state. Recovery is automatic; no human intervention is necessary.
This message appears after root guard blocks a port:
%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state

Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html




Question 4

Which statement about a PVLAN isolated port configured on a switch is true?

  • A: The isolated port can communicate only with the promiscuous port.
  • B: The isolated port can communicate with other isolated ports and the promiscuous port.
  • C: The isolated port can communicate only with community ports.
  • D: The isolated port can communicate only with other isolated ports.

Correct Answer: A

A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN. An isolated port, by contrast, can communicate only with the promiscuous port; it cannot reach other isolated ports or community ports.
Reference: http://www.cisco.com/c/en/us/tech/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/index.html




Question 5

If you change the native VLAN on the trunk port to an unused VLAN, what happens if an attacker attempts a double-tagging attack?

  • A: The trunk port would go into an error-disabled state.
  • B: A VLAN hopping attack would be successful.
  • C: A VLAN hopping attack would be prevented.
  • D: The attacked VLAN will be pruned.

Correct Answer: C

The key feature of a double-tagging attack is that it exploits the native VLAN. Since VLAN 1 is the default VLAN for access ports and the default native VLAN on trunks, it is an easy target. The first countermeasure is to remove access ports from the default VLAN 1, since the attacker's access VLAN must match the switch's native VLAN for the outer tag to be stripped.
Reference: https://www.nlogic.co/understanding-vlan-hopping-attacks/




Question 6

What is a reason for an organization to deploy a personal firewall?

  • A: To protect endpoints such as desktops from malicious activity.
  • B: To protect one virtual network segment from another.
  • C: To determine whether a host meets minimum security posture requirements.
  • D: To create a separate, non-persistent virtual environment that can be destroyed after a session.
  • E: To protect the network from DoS and syn-flood attacks.

Correct Answer: A

The sole purpose of a personal firewall is to protect endpoints (workstations and other devices) from malicious activity and from network connections with nefarious purposes.
Reference: http://searchmidmarketsecurity.techtarget.com/definition/personal-firewall




Question 7

Which statement about personal firewalls is true?

  • A: They can protect a system by denying probing requests.
  • B: They are resilient against kernel attacks.
  • C: They can protect email messages and private documents in a similar way to a VPN.
  • D: They can protect the network against attacks.

Correct Answer: A

A personal firewall can drop or ignore probing requests sent to certain service ports on the system. This masks the presence of the computer: the attacker is fooled into thinking that no machine is there.
Reference: https://www.polyu.edu.hk/~ags/itsnews0604/security.html




Question 8

Refer to the exhibit. 


What type of firewall would use the given configuration line?

  • A: a stateful firewall
  • B: a personal firewall
  • C: a proxy firewall
  • D: an application firewall
  • E: a stateless firewall

Correct Answer: A

Stateful firewalls are a type of firewall that attempts to track the state of network connections when filtering packets. A stateful firewall's capabilities are somewhat of a cross between the functions of a packet filter and the additional application-level protocol intelligence of a proxy.
Reference: http://www.informit.com/articles/article.aspx?p=373120




Question 9

What is the only permitted operation for processing multicast traffic on zone-based firewalls?

  • A: Only control plane policing can protect the control plane against multicast traffic.
  • B: Stateful inspection of multicast traffic is supported only for the self-zone.
  • C: Stateful inspection for multicast traffic is supported only between the self-zone and the internal zone.
  • D: Stateful inspection of multicast traffic is supported only for the internal zone.

Correct Answer: A

Stateful inspection of multicast traffic is not supported between any zones, including the self zone. Use Control Plane Policing (CoPP) to protect the control plane against multicast traffic.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/15-mt/sec-data-zbf-15-mt-book/sec-zone-pol-fw.html




Question 10

How does a zone-based firewall implementation handle traffic between interfaces in the same zone?

  • A: Traffic between two interfaces in the same zone is allowed by default.
  • B: Traffic between interfaces in the same zone is blocked unless you configure the same-security permit command.
  • C: Traffic between interfaces in the same zone is always blocked.
  • D: Traffic between interfaces in the same zone is blocked unless you apply a service policy to the zone pair.

Correct Answer: A

By default, traffic between interfaces in the same zone is not subject to any policy and passes freely; a zone pair with a service policy is required only for traffic crossing between zones.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/15-mt/sec-data-zbf-15-mt-book/sec-zone-pol-fw.html


