210-260 | High Quality 210-260 Class 2020
It is more faster and easier to pass the Cisco 210-260 exam by using High quality Cisco Implementing Cisco Network Security questuins and answers. Immediate access to the Renew 210-260 Exam and find the same core area 210-260 questions with professionally verified answers, then PASS your exam with a high score now.
Online Cisco 210-260 free dumps demo Below:
NEW QUESTION 1
Diffie-Hellman key exchange question
- A. IKE
- B. IPSEC
- C. SPAN
- D. STP
NEW QUESTION 2
Drag the hash or algorithm from the left column to its appropriate category on the right.
- A. Mastered
- B. Not Mastered
NEW QUESTION 3
Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration Professional IPS wizard? (Choose four.)
- A. Select the interface(s) to apply the IPS rule.
- B. Select the traffic flow direction that should be applied by the IPS rule.
- C. Add or remove IPS alerts actions based on the risk rating.
- D. Specify the signature file and the Cisco public key.
- E. Select the IPS bypass mode (fail-open or fail-close).
- F. Specify the configuration location and select the category of signatures to be applied to the selected interface(s).
Step 11. At the `Select Interfaces' screen, select the interface and the direction that IOS IPS will be applied to, then click `Next' to continue.
Step 12. At the `IPS Policies Wizard' screen, in the `Signature File' section, select the first radio button "Specify the signature file you want to use with IOS IPS", then click the "..." button to bring up a dialog box to specify the location of the signature package file, which will be the directory specified in Step 6. In this example, we use tftp to download the signature package to the router.
Step 13. In the `Configure Public Key' section, enter `realm-cisco.pub' in the `Name' text field, then copy and paste the following public key's key-string in the `Key' text field. This public key can be downloaded from Cisco.com at: http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup. Click `Next ' to continue.
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124AD6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 B199ABCBD34ED0F9 085FADC1 359C189EF30AF10AC0EFB624 7E0764BF 3E53053E 5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 FE3F0C87 89BCB7BB 994AE74C FA9E481DF65875D6 85EAF974 6D9CC8E3 F0B08B85 50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 F3020301 0001
NEW QUESTION 4
Which security zone is automatically defined by the system?
- A. The source zone
- B. The self zone
- C. The destination zone
- D. The inside zone
A zone is a logical area where devices with similar trust levels reside. For example, we could define a DMZ for devices in the DMZ in an organization. A zone is created by the administrator, and then interfaces can be assigned to zones. A zone can have one or more interfaces assigned to it. Any given interface can belong to only a single zone. There is a default zone, called the self zone, which is a logical zone.
Source: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380
NEW QUESTION 5
Which command enable ospf authentication on an interface?
- A. ip ospf authentication message-digest
- B. network 192.168.10.0 0.0.0.255 area 0
- C. area 20 authentication message-digest
- D. ip ospf message-digest-key 1 md5 CCNA
NEW QUESTION 6
Which security principle has been violated if data is altered in an unauthorized manner?
- A. accountability
- B. availability
- C. confidentiality
- D. integrity
NEW QUESTION 7
The purpose of the certificate authority (CA) is to ensure what?
- A. BYOD endpoints are posture checked
- B. BYOD endpoints belong to the organization
- C. BYOD endpoints have no malware installed
- D. BYOD users exist in the corporate LDAP directory
NEW QUESTION 8
Which IPS detection method examines network traffic for preconfigured patterns?
- A. signature-based detection
- B. policy-based detection
- C. anomaly-based detection
- D. honey-pot detection
NEW QUESTION 9
Which two default settings for port security are true? (Choose two.)
- A. Maximum number of MAC addresses is 1.
- B. Maximum number of MAC addresses is 2.
- C. Violation is Restrict.
- D. Violation is Protect.
- E. Violation is Shutdown.
NEW QUESTION 10
Which two statements about the self zone on a Cisco zone-based policy firewall are true? (Choose Two)
- A. Multiple interfaces can be assigned to the self zone.
- B. Traffic entering the self zone must match a rule.
- C. Zone pairs that include the self zone apply to traffic transiting the device.
- D. It can be either the source zone or the destination zone.
- E. It supports stateful inspection for multicast traffic.
NEW QUESTION 11
Which statement provides the best definition of malware?
- A. Malware is unwanted software that is harmful or destructive.
- B. Malware is software used by nation states to commit cyber crimes.
- C. Malware is a collection of worms, viruses, and Trojan horses that is distributed as a single package.
- D. Malware is tools and applications that remove unwanted programs.
Malware, short for malicious software, is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising. Before the term malware was coined by Yisrael Radai in 1990, malicious software was referred to as computer viruses.
NEW QUESTION 12
What command could you implement in the firewall to conceal internal IP address?
- A. no source-route
- B. no cdp run
- C. no broadcast…
- D. no proxy-arp
The Cisco IOS software uses proxy ARP (as defined in RFC 1027) to help hosts with no knowledge of routing determine the media addresses of hosts on other networks or subnets. For example, if the router receives an ARP request for a host that is not on the same interface as the ARP request sender, and if the router has all of its routes to that host through other interfaces, then it generates a proxy ARP reply packet giving its own local data-link address. The host that sent the ARP request then sends its packets to the router, which forwards them to the intended host. Proxy ARP is enabled by default.
Router(config-if)# ip proxy-arp - Enables proxy ARP on the interface.
NEW QUESTION 13
What technology can you use to provide data confidentiality, data integrity and data origin authentication on your network?
- A. Certificate Authority
- B. IKE
- C. IPSec
- D. Data Encryption Standards
NEW QUESTION 14
Which technology can you implement to centrally mitigate potential threats when users on your network download files that might be malicious?
- A. Enable file-reputation services to inspect all files that traverse the company network and block files with low reputation scores.
- B. Verify that the company IPS blocks all known malicious websites.
- C. Verify that antivirus software is installed and up to date for all users on your network.
- D. Implement URL filtering on the perimeter firewall.
NEW QUESTION 15
Which three ESP fields can be encrypted during transmission? (Choose three.)
- A. Security Parameter Index
- B. Sequence Number
- C. MAC Address
- D. Padding
- E. Pad Length
- F. Next Header
The packet begins with two 4-byte fields (Security Parameters Index (SPI) and Sequence Number). Following these fields is the Payload Data, which has substructure that depends on the choice of encryption algorithm and mode, and on the use of TFC padding, which is examined in more detail later. Following the Payload Data are Padding and Pad Length fields, and the Next Header field. The optional Integrity Check Value (ICV) field completes the packet.
NEW QUESTION 16
Which IPS mode is less secure than other options but allows optimal network throughput?
- A. Promiscuous mode
- B. inline mode
- C. transparent mode
- D. inline-bypass mode
The recommended IPS deployment mode depends on the goals and policies of the enterprise. IPS inline mode is more secure because of its ability to stop malicious traffic in real-time, however it may impact traffic throughput if not properly designed or sized. Conversely, IPS promiscuous mode has less impact on traffic
throughput but is less secure because there may be a delay in reacting to the malicious traffic. https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/safesmallentnetworks.html
NEW QUESTION 17
In which two situations should you use out-of-band management? (Choose two.)
- A. when a network device fails to forward packets
- B. when you require ROMMON access
- C. when management applications need concurrent access to the device
- D. when you require administrator access from multiple locations
- E. when the control plane fails to respond
OOB management is used for devices at the headquarters and is accomplished by connecting dedicated management ports or spare Ethernet ports on devices directly to the dedicated OOB management network hosting the management and monitoring applications and services. The OOB management network can be either implemented as a collection of dedicated hardware or based on VLAN isolation.
NEW QUESTION 18
Refer to the exhibit.
What is the effect of the given command sequence?
- A. It configures IKE Phase 1.
- B. It configures a site-to-site VPN tunnel.
- C. It configures a crypto policy with a key size of 14400.
- D. It configures IPSec Phase 2.
Configure the IPsec phase1 with the 5 parameters HAGLE (Hashing-Authentication-Group-Lifetime-Encryption)
NEW QUESTION 19
You are configuring a NAT rule on a Cisco ASA. Which description of a mapped interface is true?
- A. It is mandatory for all fire wall modes.
- B. It is mandatory for identity NAT only.
- C. It is optional in transparent mode.
- D. It is optional in routed mode.
NEW QUESTION 20
Which option is a characteristic of the RADIUS protocol?
- A. uses TCP
- B. offers multiprotocol support
- C. combines authentication and authorization in one process
- D. supports bi-directional challenge
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml Authentication and Authorization
RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to
NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
NEW QUESTION 21
Which two commands are used to implement Cisco IOS Resilient Configuration? (Choose two.)
- A. secure boot-image
- B. copy running-config startup-config
- C. secure boot-config
- D. copy flash:/ios.bin tftp
- E. copy running-config tftp
The Cisco IOS Resilient Configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).
In 12.3(8)T this feature was introduced.
The following commands were introduced or modified: secure boot-config, secure boot-image, showsecure bootset.
NEW QUESTION 22
Which IPSec mode is used to encrypt traffic directly between a client and a server VPN endpoint?
- A. transport mode
- B. tunnel mode
- C. quick mode
- D. aggressive mode
NEW QUESTION 23
What is the only permitted operation for processing multicast traffic on zone-based firewalls?
- A. Only control plane policing can protect the control plane against multicast traffic.
- B. Stateful inspection of multicast traffic is supported only for the self-zone.
- C. Stateful inspection for multicast traffic is supported only between the self-zone and the internal zone.
- D. Stateful inspection of multicast traffic is supported only for the internal zone.
Neither Cisco IOS ZFW or Classic Firewall include stateful inspection support for multicast traffic. So the only choice is A.
NEW QUESTION 24
Which component of a BYOD architecture provides AAA services for endpoint access?
- A. Identity Services Engine
- B. Integrated Services Router
- C. access point
- D. ASA
NEW QUESTION 25
What are characteristics of the Radius Protocol? choose Two
- A. Uses TCP port 49
- B. Uses UDP Port 49
- C. Uses TCP 1812/1813
- D. Uses UDP 1812/1813
- E. Comines authentication and authorization
NEW QUESTION 26
Which two NAT types allows only objects or groups to reference an IP address? (choose two)
- A. dynamic NAT
- B. dynamic PAT
- C. static NAT
- D. identity NAT
Adding Network Objects for Mapped Addresses
For dynamic NAT, you must use an object or group for the mapped addresses. Other NAT types have the option of using inline addresses, or you can create an object or group according to this section.
* Dynamic NAT:
+ You cannot use an inline address; you must configure a network object or group.
+ The object or group cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
+ If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback.
* Dynamic PAT (Hide):
+ Instead of using an object, you can optionally configure an inline host address or specify the interface address.
+ If you use an object, the object or group cannot contain a subnet; the object must define a host, or for a PAT pool, a range; the group (for a PAT pool) can include hosts and ranges.
* Static NAT or Static NAT with port translation:
+ Instead of using an object, you can configure an inline address or specify the interface address (for static NAT-with-port-translation).
+ If you use an object, the object or group can contain a host, range, or subnet.
* Identity NAT
+ Instead of using an object, you can configure an inline address.
+ If you use an object, the object must match the real addresses you want to translate.
NEW QUESTION 27
Which statement about IOS privilege levels is true?
- A. Each privilege level supports the commands at its own level and all levels below it.
- B. Each privilege level supports the commands at its own level and all levels above it.
- C. Privilege-level commands are set explicitly for each user.
- D. Each privilege level is independent of all other privilege levels.
NEW QUESTION 28
P.S. Easily pass 210-260 Exam with 481 Q&As Passcertsure Dumps & pdf Version, Welcome to Download the Newest Passcertsure 210-260 Dumps: https://www.passcertsure.com/210-260-test/ (481 New Questions)