210-260 Dump Flashcards
Which three ESP fields can be encrypted during transmission?
Padding
Pad Length
Next Header
What mechanism does asymmetric cryptography use to secure data?
a public/private key pair
Which feature allows a dynamic PAT pool to select the next address in the PAT pool instead of the next port of an existing address?
round robin
Which label is given to a person who uses existing computer scripts to hack into computers lacking the expertise to write their own?
script kiddy
When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a traffic class?
pass
inspect
drop
Which type of security control is defense-in-depth?
Threat mitigation
Which statement about a PVLAN isolated port configured on a switch is true?
The isolated port can communicate only with the promiscuous port
Which statement about Cisco ACS authentication and authorization is true?
ACS servers can be clustered to provide scalability
If a supplicant supplies incorrect credentials for all authentication methods configured on the switch, how will the switch respond?
The supplicant will fail to advance beyond the webauth method
What configure mode you used for the command ip ospf authentication-key c1$c0?
interface
Which two features are commonly use CoPP and CPPr to protect the control plane?
QoS Traffic classification
What is one requirement for locking a wired or wireless device from ISE?
The ISE agent must be installed on the device
Which three statements are characteristics of DHCP Spoofing?
Arp Poisoning modify traffic in transit used to perform man-in-the-middle attack
Which statement correctly describes the function of a private VLAN?
a private VLAN partitions the layer 2 broadcast domain of a VLAN into subdomains
Which feature allows from dynamic NAT pool to choose next IP address and not a port on a used IP address?
round robin
Which type of encryption technology has the broadcast platform support?
Software
When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading?
deny the connection inline
Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration Professional IPS Wizard?
Select the interface to apply the IPS rule Select the traffic flow direction that should be applied by the IPS rule Specify the signature file and the Cisco public key Specify the configuration location and select the category of signatures to be applied to the selected interface
An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible result of this activity?
The switch could become the root bridge
What is the effect of the given command sequence?
It configures IKE Phase 1
Which 2 NAT types allows only objects or groups to reference an IP address?
dynamic NAT
static NAT
Which FirePOWER preprocessor engine is used to prevent SYN attacks?
Rate-Based Prevention
What is the advantage of implementing a Trusted Platform Module for disk encryption?
It provides hardware authentication
What is the Cisco preferred countermeasure to mitigate CAM overflows?
Dynamic port security
Which security measure can protect the control plane of a Cisco router?
CCPr
CoPP
All ports on switch 1 have a primary VLAN of 300. Which devices can host 1 reach?
Server
If a router configuration includes the line aaa authentication login default group tacacs enable, which events will occur when the tacacs server returns an error?
The user will be prompted to authenticate using the enable password Authentication attempts to the router will be denied
What IPSec mode is used to encrypt traffic between a server and VPN endpoint?
Transport
Which three statements about host-based IPS are true?
It can view encrypted files It can have more restrictive policies than network-based IPS It can generate alerts based on behavior at the desktop level
Which statement about reflexive access lists are true?
Reflexive access lists support UDP sessions Reflexive access lists can be attached to extended named IP ACLs Reflexive access lists support TCP sessions
Where OAKLEY and SKEME come to play
IKE
Which command helps user1 to use enable, disable, exit & etc commands?
username user1 privilege 0 secret us1pass
The admin user is unable to enter configuration mode on a device with the given configuration. What change can you make to the configuration to correct the problem?
Remove the autocommand keyword and arguments from the username admin privilege line
Which network device does NTP authenticate?
Only the time source
In which type of attacker attempts to overload the CAM table on a switch so that the switch acts as a hub?
MAC flooding
If you change the native VLAN on the trunk port to an unused VLAN, what happens if an attacker attempts a double-tagging attack?
A VLAN hopping attack would be prevented
If a switch port goes directly into a blocked state only when a superior BPDU is received, what mechanism must be in use?
STP BPDU guard
Which statement provides the best definition of malware?
Malware is unwanted software that is harmful or destructive
Which are two valid TCP connection states?
SYN-RCVD
Closed
Which option is the cloud-based security service from Cisco that provides URL filtering web browsing content security, and roaming user protection?
Cloud web security
What type of firewall would use the given configuration line?
a stateful firewall
What is the effect of the ASA command crypto isakmp nat-traversal?
It opens port 4500 on all interfaces that are IPSec enabled
What is the effect of the given command sequence?
It defines IPSec policy for traffic sourced from 1.1.1.0/24 with a destination of 2.2.20/24
What type of algorithm uses the same key to encrypt and decrypt data?
symmetric algorithm
Which type of address translation should be used when a Cisco ASA is in transparent mode?
Static NAT
With which technology do apply integrity, confidentially, authenticate the source?
IPSec
What is true about the Cisco IOS Resilient Configuration feature?
The feature can be disabled through a remote session
Which two characteristics apply to an Intrusion Prevention System (IPS)?
Cabled directly inline with the flow of the network traffic Can drop traffic based on a set of rules
What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connection?
split tunneling
What feature can protect the data plane?
ACLs antispoofing DHCP-snooping
What show command can see vpn tunnel establish with traffic passing through?
show crypto ipsec sa
What is the effect of the send-lifetime local 23:59:00 31 December 31 2013 infinite command?
It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time on December 31, 2013 and continue using the key indefinitely
What information does the key length provide in an encryption algorithm?
the hash block size
Which of the following statements about access lists are true?
Extended access lists should be placed as near as possible to the source Standard access lists should be placed as near as possible to the destination Standard access lists filter on the source address
In which two situations should you use in-band management?
when management applications need concurrent access to the device when you require administrator access from multiple locations
Which type of layer 2 attack enables the attacker to intercept traffic that is intended for one specific recipient?
MAC address spoofing
What are the primary attack methods of VLAN hopping?
Switch spoofing Double tagging
What feature defines a campus area network?
It has a single geographic location
Which command initializes a lawful intercept view?
li-view cisco user cisco1 password cisco
When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops?
STP elects the root bridge
A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a security level of 100. The second interface is the DMZ interface with a security level of 50. The third interface is the outside interface with a security level of 0. By default, without any access-list configured, which five types of traffic are permitted?
outbound traffic initiated from the inside to the DMZ outbound traffic initiated from the DMZ to the outside outbound traffic initiated from the inside to the outside HTTP return traffic originating from the inside network and returning via the outside interface HTTP return traffic originating from the inside network and returning via the DMZ interface
Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement?
object groups
What’s the technology that you can use to prevent non-malicious program to run on the computer that is disconnected from the network?
Host IPS
What are two well-known security terms?
Phishing ransomware
What hash type does Cisco use to validate the integrity of downloaded images?
MD5
What are the three layers of a hierarchical network design?
access core distribution
Which type of attack is directed against the network directly?
Denial of Service
Your security team has discovered a malicious program that has been harvesting the CEO’s email messages and the company’s user database for the last 6 months. What type of attack did your team discover?
advanced persistent threat
What type of security support is provided by the Open Web Application Security Project?
Education about common Web site vulnerabilities
How to verify that tacacs connectivity to a device?
You connect to the device using SSH and receive the login prompt
Which three statements describe DHCP spoofing attacks?
They can modify traffic in transit They are used to perform man-in-the-middle attacks They use ARP poisoning
What is a potential drawback to leaving VLAN 1 as the native VLAN?
It may be susceptible to a VLAN hopping attack
Which two actions can a zone-based firewall take when looking at traffic?
Drop
Inspect
What technology can you use to provide data confidentiality, data integrity, and data origin authentication
IPSec
What is the effect of the given command?
It merges authentication and encryption methods to traffic that matches an ACL
Which countermeasures can mitigate ARP spoofing attacks?
DHCP snooping Dynamic ARP inspection
Within an 802.1x enabled network with the Auth Fail feature configured, when does a switch port get placed into a restricted VLAN?
When a connected client fails to authenticate after a certain number of attempts
Which statement about the given configuration is true?
The single-connection command causes the device to establish one connection for all tacacs transactions
The first layer of defense which provides real-time preventive solutions against malicious traffic is provided by?
Outbreak Filters
In which type of attack does an attacker send email messages that ask the recipient to click a link such as https://www.cisco.net.cc/securelogon?
phishing
Which two functions can SIEM provide?
Correlation between logs and events from multiple systems Proactive malware analysis to block malicious traffic
On which Cisco Configuration Professional screen do you enable AAA?
AAA Summary
Which line in the following OSPF configuration will not be required for MD5 authentication to work? interface g0/1 ip address 1.1.1.1 255.255.255.0 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 ccna router ospf 65000 router-id 1.1.1.1 area 20 authentication message-digest
area 20 authentication message-digest
How can you detect a false negative on an IPS?
Use a third-party system to perform penetration testing
After reloading a router, you issue the dir command to verify the installation and observe that the image file appears to be missing. For what reason could the image file fail to appear in the dir output?
The secure boot-image command is configured
When is the best time to perform an anti-virus signature update?
Every time a new update is available
In which two situations should you use out-of-band management?
when a network device fails to forward packets when you require ROMMON access
Syn flood attack is a form of?
Denial of Service attack
Which two features of Cisco Web Reputation tracking can mitigate web-based threats?
outbreak filter web reputation filter
What is a valid implicit permit rule for traffic that is traversing the ASA firewall?
ARPs in both directions are permitted in transparent mode only
When is the default deny all policy an exception in zone-based firewalls?
When traffic traverses two interfaces in the same zone
Which of the following pairs of statements is true in terms of configuring MD authentication?
Router process (only for OSPF) must be configured; key chain in EIGRP
Which statements about smart tunnels on a Cisco firewall are true?
Smart tunnels can be used by clients that do not have administrator privileges Smart tunnels offer better performance than port forwarding
In which configuration mode do you configure the ip ospf authentication-key 1 command?
Interface
Which statement about IOS privilege levels is true?
Each privilege level supports the commands at its own level and all levels below it
SSL certificates are issued by Certificate Authority (CA) are?
Trusted root
What commands can you use to verify the binding table status?
show ip dhcp snooping database
Which two authentication types does OSPF support
plaintext MD5
How does a zone-based firewall implementation handle traffic between interfaces in the same zone?
Traffic between interface in the zone is allowed by default
Which statement about zone-based firewall configuration is true?
The zone must be configured before a can be assigned
Which two statements about Telnet access to the ASA are true?
You may VPN to the lowest security interface to telnet to an inside interface Best practice is to disable Telnet and use SSH
Which type of PVLAN port allows hosts in the same VLAN to communicate directly with each other?
community for hosts in the PVLAN
Which statement about the communication between interfaces on the same security level is true?
Interfaces on the same security level require additional configuration to permit inter-interface
Which statement about personal firewalls is true?
They can protect a system by denying probing requests
nat (inside,outside) dynamic interface Which translation technique does this configuration result in?
Dynamic PAT
Which EAP method uses Protected Access Credentials?
EAP-FAST
Which NAT option is executed first during in case of multiple nat translations?
static nat with longest prefix
Which statement about extended access lists is true?
Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source
Which term best describes the concept of preventing the modification of data in transit and in storage?
Integrity
You have configured R1 and R2 as shown, but the routers are unable to establish a site-to-site VPN tunnel. What action can you take to correct the problem?
Edit the crypto keys on R1 and R2 to match
Which Cisco product can help mitigate web-based attacks within a network?
Web Security Appliance
Which command verifies phase 1 of an IPSec VPN on a Cisco router?
show crypto isakmp sa
Which feature filters CoPP packets?
ACLs
How many crypto map sets can you apply to a router interface?
1
Which option is the most effective placement of an IPS device within the infrastructure?
Inline, behind the internet router and firewall
According to Cisco best practice, which three protocols should the default ACL allow on an access port to enable wired BYOD devices to supply valid credentials and connect to the network?
BOOTP TFTP DNS
Which option is a characteristic of the RADIUS protocol?
combines authentication and authorization in one process
What do you use when you have a network object or group and want to use an IP address?
Dynamic NAT
What are two challenges faced when deploying host-level IPS?
The deployment must support multiple operating systems It does not provide protection for offsite computers
What is the only permitted operation for processing multicast traffic on zone-based firewalls?
Only control plane policing can protect the control plane against multicast traffic
What is the primary purpose of a defined rule in an IPS?
to configure an event action that takes place when a signature is triggered
Which firepower preprocessor blocks traffic based on IP?
Reputation-Based
When AAA login authentication is configured on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log into the router in case the external AAA server fails?
local enable
Which two characteristics of an application layer firewall are true?
provides protection for multiple applications provides reverse proxy services
Which of the following commands results in a secure bootset?
secure boot-config secure boot-image
Which sensor mode can deny attackers inline?
IPS
Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?
Unicast Reverse Path Forwarding
With Cisco IOS zone-based firewall, by default, which three types of traffic are permitted by the router when some of the router interfaces are assigned to a zone
traffic flowing to and from the router interfaces (the self zone) traffic flowing among the interfaces that are members of the same zone traffic flowing among the interfaces that are not assigned to any zone
Which IPS detection method can you use to detect attacks that based on the attackers IP addresses?
Reputation-Based
Which statement is a benefit of using Cisco IOS IPS?
It uses the underlying routing infrastructure to provide an additional layer of security
If a switch port goes into a blocked state only when a superior BPDU is received, what mechanism must be in uses?
STP root guard
Which command do you enter to enable authentication for OSPF on an interface?
router(config-if)#ip ospf authentication message-digest
You have implemented a Sourcefire IPS and configured it to block certain addresses utilizing Security Intelligence IP Address Reputation. A user calls and is not able to access a certain IP. What action can you take to allow the user access to the IP address?
Create a whitelist and add the appropriate IP address to allow the traffic
Which type of secure connectivity does an extranet provide?
other company networks to your company network
A specific URL has been identified as containing malware. What action can you take to block users from accidentally visiting the URL and becoming infected with the malware?
Enable URL filtering on the perimeter router and add the URLs you want to block to the router’s local URL list
You have been tasked with blocking user access to websites that violate company policy, but the sites use dynamic IP addresses. What is the best practice for URL filtering to solve the problem?
Enable URL filtering and use URL categorization to block the websites that violate company policy
What are two uses of SIEM software?
collecting and archiving syslog data alerting administrators to security events in real time
Which address block is reserved for locally assigned unique local addresses?
FD00::/8
What is an advantage of placing an IPS on the inside of a network?
It receives traffic that has already been filtered
Which accounting notices are used to send a failed authentication attempt record to a AAA server?
start-stop stop-only
Which source port does IKE use when NAT has been detected between two VPN gateways?
UDP 4500
Which command is needed to enable SSH support on a Cisco router?
crypto key generate rsa
Which two option are advantages of an application layer firewall?
makes DoS attacks difficult authenticates individuals
Which feature of the Cisco Email Security Appliance can mitigate the impact of snowshoe spam and sophisticated phishing attacks?
contextual analysis
What security feature allows a private IP address to access the Internet by translating it to a public address?
NAT
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5
A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for RDP on the portal web page. Which action should you take to begin troubleshooting?
Ensure that the RDP plug-in is installed on the VPN gateway
Which components does HMAC use to determine the authenticity and integrity of a message?
the hash the key
What is the FirePOWER impact flag used for?
A value that indicates the potential severity of an attack
What configuration allows AnyConnect to automatically establish a VPN session when a user logs in to the computer?
always-on
What is the actual IOS privilege level of User Exec mode?
1
What type of IPS can identify worms that are propagating in a network?
Anomaly-based IPS
In what type of attack does an attacker virtually change a device’s burned-in address in an attempt to circumvent access lists and mask the device’s true identity?
MAC spoofing
What three actions are limitations when running IPS in promiscuous mode?
deny attacker deny packet modify packet
Which prevents the company data from modification even when data is in transit?
Integrity
Which two services define cloud networks?
Infrastructure as a Service Platform as a Service
Which two features fo CoPP and CoPPr use to protect the control plane?
QoS traffic classification
In which three ways does the TACACS protocol differ from RADIUS?
TACACS uses TCP to communicate TACACS can encrypt the entire packet that is sent TACACS supports per-command authorization
What is the best way to confirm that AAA authentication is working properly?
Use the test aaa command
How does PAEP protect the EAP exchange?
It encrypts the exchange using the server certificate
Which technology can be used to rate data fidelity and to provide an authenticated hash for data?
file reputation
How does the Cisco ASA use Active Directory to authorize VPN users?
It queries the Active Directory server for a specific attribute for the specific user
You want to allow all your company’s users to access the Internet without allowing other Web servers to collect the IP addresses of individual users. What two solutions can you use?
Configure a proxy server to hide users’ local IP addresses Configure a firewall to use PAT
Using a stateful packet firewall and given an inside ACL entry of permit ip 192.16.1.0 0.0.0.255 any, what would be the resulting dynamically configured ACL for the return traffic on the outside ACL?
permit tcp host 172.16.16.10 eq 80 host 192.16.1.11 eq 2300
How many times was a read-only string used to attampt a write operation?
9
Which Sourcefire event action should you choose if you want to block only malicious traffic from a particular end user?
Allow with inspection
The stealing of confidential information of a company comes under the scope of?
Social Engineering
Which command is used to verify that a VPN connection is established between two endpoints and that the connection is passing?
Firewall#sh crypto ipsec sa
If the native VLAN on a truck is different on each of the links, what is a potential consequence?
STP loops may occur
Which TACACS server-authentication protocols are supported on Cisco ASA firewalls?
ASCII
PAP
MS-CHAPv1
What can the SMTP preprocessor in FirePOWER normalize?
It can extract and decode email attachments in client to server traffic
What is an example of social engineering?
gaining access to server room by posing as IT
How does a device on a network using ISE receive its digital certificate during the new-device registration process?
ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA server
Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR router?
SDEE
HTTPS
Which statement about a college campus is true?
College campus has geographical position
Which statement about application blocking is true?
It blocks access to specific programs
In a security context, which action can you take to address compliance?
Implement rules to prevent a vulnerability
How can FirePOWER block malicious email attachments?
It sends the traffic through a file policy
Which two devices are components of the BYOD architectural framework?
Prime Infrastructure
Identity Services Engine
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations?
when matching NAT entries are configured
when matching ACL entries are configured
when the firewall receives a SYN packet
Which command causes a Layer 2 switch interface to operate as a Layer 3 interface?
no switchport
What is the default timeout interval during which a router waits for responses from a TACACS server before declaring a timeout failure?
5 seconds
Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable syntax using the local database with no fallback method?
aaa authentication enable console LOCAL
Which type of firewall can act on the behalf of the end device?
Proxy
While troubleshooting site-to-site VPN, you issue the show crypto isakmp sa command. What does the given output show?
IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5
Which line in the configuration prevents the Helpdesk user from modifying the interface configuration?
Privilege exec level 9 configure terminal
Which two NAT types allows only objects or groups to reference an IP address?
dynamic NAT
static NAT
Which tool can an attacker use to attempt a DDoS attack?
botnet
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?
SDEE
Which security zone is automatically defined by the system?
the self zone
What are two effects of the given command?
It configures authentication to use MD5 HMAC
It configures encryption to use AES 256
What is the most common Cisco Discovery Protocol version 1 attack?
Denial of Service
Which statement about this debug is true?
The TACACS authentication request came from a valid user
A proxy firewall protects against which type of attack?
cross-site scripting attack
Which type of PVLAN port allows a host in the same VLAN to communicate only with promiscuous hosts?
Isolated host in the PVLAN
What is the purpose of a honeypot IPS?
to collect information about attacks
What are two ways to prevent eavesdropping when you perform device-management tasks?
use an SSH connection
use SNMPv3
What is the purpose of the Integrity component of the CIA triad?
to ensure that only authorized parties can modify data
Which IOS command is used to define the authentication key for NTP?
Switch(config)#ntp authenticatioin-key 1 md5 C1sc0
What are purposes of the Internet Key Exchange in an IPSec VPN?
The Internet Key Exchange protocol establishes security associations
The Internet Key Exchange protocol is responsible for mutual authentication
Which IPS mode provides the maximum number of actions?
inline
Which options are filtering options used to display SDEE message types?
error
all
Which two next-generation encryption algorithms does Cisco recommend?
AES
SHA-384
What type of packet creates and performs network operations on a network device?
control plane packets
What port option in a PVLAN that can communicate with every other port?
promiscuous
When a company puts a security policy in place, what is the effect on the company’s business?
Minimizing risk
The command debug crypto isakmp results in?
Troubleshooting ISAKMP (Phase 1) negotiation problems
If a packet matches more than one class map in an individual feature type’s policy map, how does the ASA handle the packet?
The ASA will apply the actions form the first matching class map it finds for the feature type
What type of attacks was the Stuxnet virus?
cyber warfare
What is a possible reason for the error message?
Router(config)#aaa server?% Unrecognized command
The router is a new device on which the aaa new-model command must be applied before continuing
With which preprocessor do you detect incomplete TCP handshakes?
rate based prevention
In which three ways does the RADIUS protocol differ from TACACS?
RADIUS uses UDP to communicate with the NAS
RADIUS encrypts only the password field in an authentication packet
RADIUS authenticates and authorizes simultaneously, causing fewer packets to be transmitted
Which statement about the device time is true?
The time is authoritative, but the NTP process has lost contact with its server
Which Sourcefire logging action should you choose to record the most detail about a connection?
Enable logging at the end of the session
Which syslog severity level is number 7?
Debugging
What are two Cisco IOS privilege levels?
1
15
What improvement does EAP-FASTv2 provide over EAP-FAST?
It allows multiple credentials to be passed in a single EAP exchange
Which three statements about Cisco host-based IPS solutions are true?
It can view encrypted files
It can have more restrictive policies than network-based IPS
It can generate alerts based on behavior at the desktop level
Which actions can a promiscuous IPS take to mitigate an attack?
Requesting connection blocking
Resetting the TCP connection
Requesting host blocking
While troubleshooting site-to-site VPN, you issued the show crypto ipsec sa command. What does the given output show?
IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5
By which kind of threat is the victim tricked into entering username and password information on a disguised website?
Phishing
What VPN feature allows traffic to exit the security appliance through the same interface it entered?
hairpinning
Which protocols use encryption to protect the confidentiality of data transmitted between two parties?
SSH
HTTPS
Which aaa accounting command is used to enable logging of the start and stop records for user terminal sessions on the router?
aaa accounting exec start-stop tacacs+
Which option is a weakness in an information system that an attacker might leverage to gain unauthorized access to the system or its data?
vulnerability
What command could you implement in the firewall to conceal internal IP addresses?
no proxy-arp
A data breach has occurred and your company database has been copied. Which security principle has been violated?
Confidentiality
In which stage of an attack does the attacker discover devices on a target network?
Reconnaissance
Which port should (or would) be open in VPN NAT-T was enabled?
port 4500 ipsec
Which produced can be used to provide application layer protection for TCP port 25 traffic?
ESA
Which RADIUS server authentication protocols are supported on Cisco ASA firewalls?
PAP
MS-CHAMPv1
MS-CHAMPv2
Which will auto-nat process first?
static nat longest prefix
Which of the following are features of IPSec transport mode?
IPSec transport mode is used between end stations
IPSec transport mode supports unicast
IPSec transport mode encrypts only the payload
Which firewall configuration must you perform to allow traffic to flow in both directions between two zones?
You must configure two zone pairs, one for each direction
Which two statements about stateless firewalls are true?
They compare the 5-tuple of each incoming packet against configurable rules
They cannot track connections
What can cause the state table of a stateful firewall to update?
when a connection is created
when a connection’s timer has expired within the state table
With which NTP server has the router synchronized?
192.168.10.7
Which Cisco Security Manager application collects information about device status and uses it to generate notifications and alerts?
Health and Performance Monitor
What is the transition order of STP states on a Layer 2 switch interface?
blocking, listening, learning, forwarding, disabled
On Cisco ISR routers, for what purpose is the realm-cisco.pub public encryption key used?
used to verify the digital signature of the IPS signature file
Which type of PVLAN port allows communication from all port types?
Promiscuous
What is the reason for an organization to deploy a personal firewall?
To protect endpoints such as desktops from malicious activity
Which three options are common examples of AAA implementation on Cisco routers?
authenticating remote users who are accessing the corporate LAN through VPN
authenticating administrator access to the router console port, auxiliary port, and vty ports
performing router commands authorization using TACACS
Which type of encryption technology has the broadcast platform support to protect operating systems?
Software
Which option describes information that must be considered when you apply an access list to a physical interface?
Direction of the access group
Which statement about this output is true?
The login failed because the password entered was incorrect
Which protocol provides security to Secure Copy?
SSH
Security well-known terms?
Phishing
Ransomware
You are the security administrator for a large enterprise network with many remote locations. You have been given the assignment to deploy a Cisco IPS. Where in the network would be the best place to deploy Cisco IOS IPS?
At remote branch offices
Which two characteristics of the TACACS protocol are true
separates AAA functions
encrypts the body of every packet
What is a benefit of a web application firewall?
It blocks known vulnerabilities without patching applications
Which security term refers to a person, property, or data of value to a company?
Asset
Which filter uses in Web reputation to prevent from Web-Based Attacks?
outbreak filter
web reputation
How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall configuration?
issue the command anyconnect keep-installer installed under the group policy or username webvpn mode
Which option is the default value for the Diffie-Hellman group when configuring a site-to-site VPN on an ASA device?
Group 2
Which task is the session management path responsible for?
Performing route lookup
Allocating NAT translations
Checking packets against the access list
Which wildcard mask is associated with a subnet mask of /27?
0.0.0.31
Which type of mirroring does SPAN technology perform?
Local mirroring over Layer 2
When an administrator initiates a device wipe command from the ISE, what is the immediate effect?
It requests the administrator to choose between erasing all device data or only managed corporate data
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2
Which option is the resulting action in a zone-based policy firewall configuration with these conditions?
Drop
The Oakley cryptography protocol is compatible with following for managing security?
ISAKMP
Which statement about communication over failover interfaces is true?
All information that is sent over the failover interfaces is sent as clear text by default
In the router ospf200 command, what does the value 200 stand for?
the process id
For what reason would you configure multiple security contexts on the ASA firewall?
To separate different departments and business units
Which option is the default value for the Diffie-Hillman group when configuring a site-to-site VPN on an ASA device?
Group 2
Which ports need to be active for AAA server to integrate with Microsoft AD?
Ports 445, 389
Protocols supported in contest aware VRF over VRF lite?
EIGRP
Multicast
What causes a client to be placed in a great or restricted VLAN on an 802.1x enabled network?
Client entered wrong credentials multiple times
What data is transferred during DH for making a public and private key?
Random prime integer
Which IPS mode is less secure than other options but allows optimal network throughput?
Promiscuous mode
How can you protect CDP from reconnaissance attacks?
Disable CP on ports connected to endpoints
What feature defines a campus area network?
It has a single geographic location
Which FirePOWER Management Center feature detects and blocks exploits and hack attempts?
File control
What is the highest security level that can be configured for an interface on an ASA?
100
Which type of social-engineering attacks uses normal telephone service as the attack vector?
Phishing
What are two options for running Cisco SDM?
Running SDM from a PC
Running SDM from the Cisco web portal
By default, how does zone-based firewall handle traffic to and from the self-zone?
It drops all traffic
For which reason is the tunnel unable to pass traffic?
The local peer is unable to encrypt the traffic
Which two statements about the self-zone on a Cisco zone-based policy firewall are true?
It can be either the secure zone or the destination zone
It supports stateful inspection for multicast traffic
What does the command crytpo isakmp nat-traversal do?
Enables UDP port 4500 on all IPSec enabled interfaces
Which quantifiable item should you consider when your organization adopts new technologies?
Risk
Which IPS mode is less secure than other options but allows optional network throughput?
Promiscuous mode
Which option is a key security component of an MDM deployment?
Using self-signed certificates to validate the server
Which command should be used to enable AAA authentication to determine if a user can access the privileged command level?
aaa authentication enable default local
Which type of firewall can serve as the intermediary between a client and a server?
Proxy firewall
Which two characteristics of a PVLAN are true?
Promiscuous portscan communicate with PVLAN ports
Community ports have to be a part of the trunk
Which two features are supported in a VRF-aware software infrastructure before VRF-lite?
EIGRP
Multicast
Which two primary security concerns can you mitigate with a BYOD solution?
Compliance with applicable policies
Securing access to a trusted corporate network
Which IDS\IPS solution can monitor system processes and resources?
HIPS
Which type of attack can exploit design flaws in the implementation of an application without going noticed?
Low-rate DoS attacks
Which type of address translation supports the initiation of communications bidirectionally?
dynamic NAT
Which IDS\IPS is used for monitoring systems?
HIPS
Referencing the CIA model, in which scenario is a hash-only function most appropriate?
Securing data at rest
Which description of the nonsecret numbers that are used to start a DH exchange is true?
They are preconfigured prime integers
Which two options are the primary deployment models for device management?
on-premises
cloud-based
Which two characteristics of symmetric encryption are true?
It uses a public key and a private key to encrypt and decrypt traffic
It uses the same key to encrypt and decrypt the traffic
Drag the hash or algorithm from the left column to its appropriate category on the right?
