Get Smart with ccna security pdf 210 260

Proper study guides for Improve Cisco Implementing Cisco Network Security certified begins with Cisco ccna security 210 260 dumps preparation products which designed to deliver the Breathing ccna security 210 260 book questions by making you pass the 210 260 home lab files test at your first time. Try the free ccna security 210 260 book demo right now.

Q1. Refer to the exhibit. 

What type of firewall would use the given configuration line? 

A. a stateful firewall 

B. a personal firewall 

C. a proxy firewall 

D. an application firewall 

E. a stateless firewall 

Answer: A 

Q2. Which FirePOWER preprocessor engine is used to prevent SYN attacks? 

A. Rate-Based Prevention 

B. Portscan Detection 

C. IP Defragmentation 

D. Inline Normalization 

Answer: A 

Q3. A specific URL has been identified as containing malware. What action can you take to block users from accidentally visiting the URL and becoming infected with malware. 

A. Enable URL filtering on the perimeter router and add the URLs you want to block to the router's local URL list. 

B. Enable URL filtering on the perimeter firewall and add the URLs you want to allow to the router's local URL list. 

C. Enable URL filtering on the perimeter router and add the URLs you want to allow to the firewall's local URL list. 

D. Create a blacklist that contains the URL you want to block and activate the blacklist on the perimeter router. 

E. Create a whitelist that contains the URLs you want to allow and activate the whitelist on the perimeter router. 

Answer: A 

Q4. If you change the native VLAN on the trunk port to an unused VLAN, what happens if an attacker attempts a double-tagging attack? 

A. The trunk port would go into an error-disabled state. 

B. A VLAN hopping attack would be successful. 

C. A VLAN hopping attack would be prevented. 

D. The attacked VLAN will be pruned. 

Answer: C 

Q5. What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connection? 

A. split tunneling 

B. hairpinning 

C. tunnel mode 

D. transparent mode 

Answer: A 

Q6. Refer to the exhibit. 

While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show? 

A. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5. 

B. IPSec Phase 2 is established between 10.10.10.2 and 10.1.1.5. 

C. IPSec Phase 1 is down due to a QM_IDLE state. 

D. IPSec Phase 2 is down due to a QM_IDLE state. 

Answer: A 

Q7. When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading? 

A. Deny the connection inline. 

B. Perform a Layer 6 reset. 

C. Deploy an antimalware system. 

D. Enable bypass mode. 

Answer: A 

Q8. What command can you use to verify the binding table status? 

A. show ip dhcp snooping database 

B. show ip dhcp snooping binding 

C. show ip dhcp snooping statistics 

D. show ip dhcp pool 

E. show ip dhcp source binding 

F. show ip dhcp snooping 

Answer: A 

Q9. What three actions are limitations when running IPS in promiscuous mode? (Choose three.) 

A. deny attacker 

B. deny packet 

C. modify packet 

D. request block connection 

E. request block host 

F. reset TCP connection 

Cisco 210-260 : Practice Test 

Answer: A,B,C 

Q10. If a packet matches more than one class map in an individual feature type's policy map, how does the ASA handle the packet? 

A. The ASA will apply the actions from only the first matching class map it finds for the feature type. 

B. The ASA will apply the actions from only the most specific matching class map it finds for the feature type. 

C. The ASA will apply the actions from all matching class maps it finds for the feature type. 

D. The ASA will apply the actions from only the last matching class map it finds for the feature type. 

Answer: A 

Q11. Which Sourcefire logging action should you choose to record the most detail about a connection? 

A. Enable logging at the end of the session. 

B. Enable logging at the beginning of the session. 

C. Enable alerts via SNMP to log events off-box. 

D. Enable eStreamer to log events off-box. 

Answer: A 

Q12. CORRECT TEXT 

Scenario 

Given the new additional connectivity requirements and the topology diagram, use ASDM to accomplish the required ASA configurations to meet the requirements. 

New additional connectivity requirements: 

. Currently, the ASA configurations only allow on the Inside and DMZ networks to access any hosts on the Outside. Your task is to use ASDM to configure the ASA to also allow any host only on the Outside to HTTP to the DMZ server. The hosts on the Outside will need to use the 209.165.201.30 public IP address when HTTPing to the DMZ server. 

. Currently, hosts on the ASA higher security level interfaces are not able to ping any hosts on the lower security level interfaces. Your task in this simulation is to use ASDM to enable the ASA to dynamically allow the echo-reply responses back through the ASA. 

Once the correct ASA configurations have been configured: 

. You can test the connectivity to http://209.165.201.30 from the Outside PC browser. 

. You can test the pings to the Outside (www.cisco.com) by opening the inside PC command prompt window. In this simulation, only testing pings to www.cisco.com will work. 

To access ASDM, click the ASA icon in the topology diagram. 

To access the Firefox Browser on the Outside PC, click the Outside PC icon in the topology diagram. 

To access the Command prompt on the Inside PC, click the Inside PC icon in the topology diagram. 

Note: 

After you make the configuration changes in ASDM, remember to click Apply to apply the configuration changes. 

Not all ASDM screens are enabled in this simulation, if some screen is not enabled, try to use different methods to configure the ASA to meet the requirements. 

In this simulation, some of the ASDM screens may not look and function exactly like the real ASDM. 

Answer: Follow the explanation part to get answer on this sim question. 

Q13. In what type of attack does an attacker virtually change a device's burned-in address in an attempt to circumvent access lists and mask the device's true identity? 

A. gratuitous ARP 

B. ARP poisoning 

C. IP spoofing 

D. MAC spoofing 

Answer: D 

Q14. Which two statements about stateless firewalls are true? (Choose two.) 

A. They compare the 5-tuple of each incoming packet against configurable rules. 

B. They cannot track connections. 

C. They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS. 

D. Cisco IOS cannot implement them because the platform is stateful by nature. 

E. The Cisco ASA is implicitly stateless because it blocks all traffic by default. 

Answer: A,B 

Q15. If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must be in use? 

A. root guard 

B. EtherChannel guard 

C. loop guard 

D. BPDU guard 

Answer: A 

Q16. What type of attack was the Stuxnet virus? 

A. cyber warfare 

B. hacktivism 

C. botnet 

D. social engineering 

Answer: A 

Q17. Which type of secure connectivity does an extranet provide? 

A. other company networks to your company network 

B. remote branch offices to your company network 

C. your company network to the Internet 

D. new networks to your company network 

Answer: A 

Q18. How does the Cisco ASA use Active Directory to authorize VPN users? 

A. It queries the Active Directory server for a specific attribute for the specified user. 

B. It sends the username and password to retrieve an ACCEPT or REJECT message from the Active Directory server. 

C. It downloads and stores the Active Directory database to query for future authorization requests. 

D. It redirects requests to the Active Directory server defined for the VPN group. 

Answer: A 

Q19. Refer to the exhibit. 

Which statement about the device time is true? 

A. The time is authoritative, but the NTP process has lost contact with its servers. 

B. The time is authoritative because the clock is in sync. 

C. The clock is out of sync. 

D. NTP is configured incorrectly. 

E. The time is not authoritative. 

Answer: A 

Q20. Scenario 

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations. 

To access ASDM, click the ASA icon in the topology diagram. 

Note: Not all ASDM functionalities are enabled in this simulation. 

To see all the menu options available on the left navigation pane, you may also need to un-expand the expanded menu first. 

Which two statements regarding the ASA VPN configurations are correct? (Choose two) 

A. The ASA has a certificate issued by an external Certificate Authority associated to the ASDM_TrustPoint1. 

B. The DefaultWEBVPNGroup Connection Profile is using the AAA with RADIUS server method. 

C. The Inside-SRV bookmark references the https://192.168.1.2 URL 

D. Only Clientless SSL VPN access is allowed with the Sales group policy 

E. AnyConnect, IPSec IKEv1, and IPSec IKEv2 VPN access is enabled on the outside interface 

F. The Inside-SRV bookmark has not been applied to the Sales group policy 

Answer: B,C 

Explanation: 

For B: 

Macintosh HD:Users:danielkeller:Desktop:Screen Shot 2015-09-25 at 9.38.21 AM.png For C, Navigate to the Bookmarks tab: 

Macintosh HD:Users:danielkeller:Desktop:Screen Shot 2015-09-25 at 9.40.14 AM.png Then hit “edit” and you will see this: 

Macintosh HD:Users:danielkeller:Desktop:Screen Shot 2015-09-25 at 9.41.54 AM.png Not A, as this is listed under the Identity Certificates, not the CA certificates: 

Macintosh HD:Users:danielkeller:Desktop:Screen Shot 2015-09-25 at 9.34.54 AM.png Note E: 

Macintosh HD:Users:danielkeller:Desktop:Screen Shot 2015-09-25 at 9.26.56 AM.png