210-260 Dump Flashcards
Which three ESP fields can be encrypted during transmission?
Padding
Pad Length
Next Header
What mechanism does asymmetric cryptography use to secure data?
a public/private key pair
Which feature allows a dynamic PAT pool to select the next address in the PAT pool instead of the next port of an existing address?
round robin
Which label is given to a person who uses existing computer scripts to hack into computers lacking the expertise to write their own?
script kiddy
When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a traffic class?
pass
inspect
drop
Which type of security control is defense-in-depth?
Threat mitigation
Which statement about a PVLAN isolated port configured on a switch is true?
The isolated port can communicate only with the promiscuous port
Which statement about Cisco ACS authentication and authorization is true?
ACS servers can be clustered to provide scalability
If a supplicant supplies incorrect credentials for all authentication methods configured on the switch, how will the switch respond?
The supplicant will fail to advance beyond the webauth method
What configure mode you used for the command ip ospf authentication-key c1$c0?
interface
Which two features are commonly use CoPP and CPPr to protect the control plane?
QoS Traffic classification
What is one requirement for locking a wired or wireless device from ISE?
The ISE agent must be installed on the device
Which three statements are characteristics of DHCP Spoofing?
Arp Poisoning modify traffic in transit used to perform man-in-the-middle attack
Which statement correctly describes the function of a private VLAN?
a private VLAN partitions the layer 2 broadcast domain of a VLAN into subdomains
Which feature allows from dynamic NAT pool to choose next IP address and not a port on a used IP address?
round robin
Which type of encryption technology has the broadcast platform support?
Software
When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading?
deny the connection inline
Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration Professional IPS Wizard?
Select the interface to apply the IPS rule Select the traffic flow direction that should be applied by the IPS rule Specify the signature file and the Cisco public key Specify the configuration location and select the category of signatures to be applied to the selected interface
An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible result of this activity?
The switch could become the root bridge
What is the effect of the given command sequence?
It configures IKE Phase 1
Which 2 NAT types allows only objects or groups to reference an IP address?
dynamic NAT
static NAT
Which FirePOWER preprocessor engine is used to prevent SYN attacks?
Rate-Based Prevention
What is the advantage of implementing a Trusted Platform Module for disk encryption?
It provides hardware authentication
What is the Cisco preferred countermeasure to mitigate CAM overflows?
Dynamic port security
Which security measure can protect the control plane of a Cisco router?
CCPr
CoPP
All ports on switch 1 have a primary VLAN of 300. Which devices can host 1 reach?
Server
If a router configuration includes the line aaa authentication login default group tacacs enable, which events will occur when the tacacs server returns an error?
The user will be prompted to authenticate using the enable password Authentication attempts to the router will be denied
What IPSec mode is used to encrypt traffic between a server and VPN endpoint?
Transport
Which three statements about host-based IPS are true?
It can view encrypted files It can have more restrictive policies than network-based IPS It can generate alerts based on behavior at the desktop level
Which statement about reflexive access lists are true?
Reflexive access lists support UDP sessions Reflexive access lists can be attached to extended named IP ACLs Reflexive access lists support TCP sessions
Where OAKLEY and SKEME come to play
IKE
Which command helps user1 to use enable, disable, exit & etc commands?
username user1 privilege 0 secret us1pass
The admin user is unable to enter configuration mode on a device with the given configuration. What change can you make to the configuration to correct the problem?
Remove the autocommand keyword and arguments from the username admin privilege line
Which network device does NTP authenticate?
Only the time source
In which type of attacker attempts to overload the CAM table on a switch so that the switch acts as a hub?
MAC flooding
If you change the native VLAN on the trunk port to an unused VLAN, what happens if an attacker attempts a double-tagging attack?
A VLAN hopping attack would be prevented
If a switch port goes directly into a blocked state only when a superior BPDU is received, what mechanism must be in use?
STP BPDU guard
Which statement provides the best definition of malware?
Malware is unwanted software that is harmful or destructive
Which are two valid TCP connection states?
SYN-RCVD
Closed
Which option is the cloud-based security service from Cisco that provides URL filtering web browsing content security, and roaming user protection?
Cloud web security
What type of firewall would use the given configuration line?
a stateful firewall
What is the effect of the ASA command crypto isakmp nat-traversal?
It opens port 4500 on all interfaces that are IPSec enabled
What is the effect of the given command sequence?
It defines IPSec policy for traffic sourced from 1.1.1.0/24 with a destination of 2.2.20/24
What type of algorithm uses the same key to encrypt and decrypt data?
symmetric algorithm
Which type of address translation should be used when a Cisco ASA is in transparent mode?
Static NAT
With which technology do apply integrity, confidentially, authenticate the source?
IPSec
What is true about the Cisco IOS Resilient Configuration feature?
The feature can be disabled through a remote session
Which two characteristics apply to an Intrusion Prevention System (IPS)?
Cabled directly inline with the flow of the network traffic Can drop traffic based on a set of rules
What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connection?
split tunneling
What feature can protect the data plane?
ACLs antispoofing DHCP-snooping
What show command can see vpn tunnel establish with traffic passing through?
show crypto ipsec sa
What is the effect of the send-lifetime local 23:59:00 31 December 31 2013 infinite command?
It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time on December 31, 2013 and continue using the key indefinitely
What information does the key length provide in an encryption algorithm?
the hash block size
Which of the following statements about access lists are true?
Extended access lists should be placed as near as possible to the source Standard access lists should be placed as near as possible to the destination Standard access lists filter on the source address
In which two situations should you use in-band management?
when management applications need concurrent access to the device when you require administrator access from multiple locations
Which type of layer 2 attack enables the attacker to intercept traffic that is intended for one specific recipient?
MAC address spoofing
What are the primary attack methods of VLAN hopping?
Switch spoofing Double tagging
What feature defines a campus area network?
It has a single geographic location
Which command initializes a lawful intercept view?
li-view cisco user cisco1 password cisco
When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops?
STP elects the root bridge
A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a security level of 100. The second interface is the DMZ interface with a security level of 50. The third interface is the outside interface with a security level of 0. By default, without any access-list configured, which five types of traffic are permitted?
outbound traffic initiated from the inside to the DMZ outbound traffic initiated from the DMZ to the outside outbound traffic initiated from the inside to the outside HTTP return traffic originating from the inside network and returning via the outside interface HTTP return traffic originating from the inside network and returning via the DMZ interface
Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement?
object groups
What’s the technology that you can use to prevent non-malicious program to run on the computer that is disconnected from the network?
Host IPS
What are two well-known security terms?
Phishing ransomware
What hash type does Cisco use to validate the integrity of downloaded images?
MD5
What are the three layers of a hierarchical network design?
access core distribution
Which type of attack is directed against the network directly?
Denial of Service
Your security team has discovered a malicious program that has been harvesting the CEO’s email messages and the company’s user database for the last 6 months. What type of attack did your team discover?
advanced persistent threat
What type of security support is provided by the Open Web Application Security Project?
Education about common Web site vulnerabilities
How to verify that tacacs connectivity to a device?
You connect to the device using SSH and receive the login prompt
Which three statements describe DHCP spoofing attacks?
They can modify traffic in transit They are used to perform man-in-the-middle attacks They use ARP poisoning
What is a potential drawback to leaving VLAN 1 as the native VLAN?
It may be susceptible to a VLAN hopping attack
Which two actions can a zone-based firewall take when looking at traffic?
Drop
Inspect
What technology can you use to provide data confidentiality, data integrity, and data origin authentication
IPSec
What is the effect of the given command?
It merges authentication and encryption methods to traffic that matches an ACL
Which countermeasures can mitigate ARP spoofing attacks?
DHCP snooping Dynamic ARP inspection
Within an 802.1x enabled network with the Auth Fail feature configured, when does a switch port get placed into a restricted VLAN?
When a connected client fails to authenticate after a certain number of attempts
Which statement about the given configuration is true?
The single-connection command causes the device to establish one connection for all tacacs transactions
The first layer of defense which provides real-time preventive solutions against malicious traffic is provided by?
Outbreak Filters
In which type of attack does an attacker send email messages that ask the recipient to click a link such as https://www.cisco.net.cc/securelogon?
phishing
Which two functions can SIEM provide?
Correlation between logs and events from multiple systems Proactive malware analysis to block malicious traffic
On which Cisco Configuration Professional screen do you enable AAA?
AAA Summary
Which line in the following OSPF configuration will not be required for MD5 authentication to work? interface g0/1 ip address 1.1.1.1 255.255.255.0 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 ccna router ospf 65000 router-id 1.1.1.1 area 20 authentication message-digest
area 20 authentication message-digest
How can you detect a false negative on an IPS?
Use a third-party system to perform penetration testing
After reloading a router, you issue the dir command to verify the installation and observe that the image file appears to be missing. For what reason could the image file fail to appear in the dir output?
The secure boot-image command is configured
When is the best time to perform an anti-virus signature update?
Every time a new update is available
In which two situations should you use out-of-band management?
when a network device fails to forward packets when you require ROMMON access
Syn flood attack is a form of?
Denial of Service attack
Which two features of Cisco Web Reputation tracking can mitigate web-based threats?
outbreak filter web reputation filter
What is a valid implicit permit rule for traffic that is traversing the ASA firewall?
ARPs in both directions are permitted in transparent mode only
When is the default deny all policy an exception in zone-based firewalls?
When traffic traverses two interfaces in the same zone
Which of the following pairs of statements is true in terms of configuring MD authentication?
Router process (only for OSPF) must be configured; key chain in EIGRP
Which statements about smart tunnels on a Cisco firewall are true?
Smart tunnels can be used by clients that do not have administrator privileges Smart tunnels offer better performance than port forwarding
In which configuration mode do you configure the ip ospf authentication-key 1 command?
Interface
Which statement about IOS privilege levels is true?
Each privilege level supports the commands at its own level and all levels below it
SSL certificates are issued by Certificate Authority (CA) are?
Trusted root
What commands can you use to verify the binding table status?
show ip dhcp snooping database
Which two authentication types does OSPF support
plaintext MD5
How does a zone-based firewall implementation handle traffic between interfaces in the same zone?
Traffic between interface in the zone is allowed by default
Which statement about zone-based firewall configuration is true?
The zone must be configured before a can be assigned
Which two statements about Telnet access to the ASA are true?
You may VPN to the lowest security interface to telnet to an inside interface Best practice is to disable Telnet and use SSH
Which type of PVLAN port allows hosts in the same VLAN to communicate directly with each other?
community for hosts in the PVLAN
Which statement about the communication between interfaces on the same security level is true?
Interfaces on the same security level require additional configuration to permit inter-interface
Which statement about personal firewalls is true?
They can protect a system by denying probing requests
nat (inside,outside) dynamic interface Which translation technique does this configuration result in?
Dynamic PAT
Which EAP method uses Protected Access Credentials?
EAP-FAST
Which NAT option is executed first during in case of multiple nat translations?
static nat with longest prefix
Which statement about extended access lists is true?
Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source
Which term best describes the concept of preventing the modification of data in transit and in storage?
Integrity
You have configured R1 and R2 as shown, but the routers are unable to establish a site-to-site VPN tunnel. What action can you take to correct the problem?
Edit the crypto keys on R1 and R2 to match
Which Cisco product can help mitigate web-based attacks within a network?
Web Security Appliance
Which command verifies phase 1 of an IPSec VPN on a Cisco router?
show crypto isakmp sa
Which feature filters CoPP packets?
ACLs
How many crypto map sets can you apply to a router interface?
1
Which option is the most effective placement of an IPS device within the infrastructure?
Inline, behind the internet router and firewall
According to Cisco best practice, which three protocols should the default ACL allow on an access port to enable wired BYOD devices to supply valid credentials and connect to the network?
BOOTP TFTP DNS
Which option is a characteristic of the RADIUS protocol?
combines authentication and authorization in one process
What do you use when you have a network object or group and want to use an IP address?
Dynamic NAT
What are two challenges faced when deploying host-level IPS?
The deployment must support multiple operating systems It does not provide protection for offsite computers
