210-260 CCNA Security – IINS Exam Questions with Answers – Q151 to Q165
Question 151.
Which statement about IOS privilege levels is true?
A. Each privilege level supports the commands at its own level and all levels below it.
B. Each privilege level supports the commands at its own level and all levels above it.
C. Privilege-level commands are set explicitly for each user.
D. Each privilege level is independent of all other privilege levels.
Correct Answer: A
Section: (none)
Explanation
Question 152.
Refer to the exhibit.
Username Engineer privilege 9 password 0 configure
Username Monitor privilege 8 password 0 vatcher
Username HelpDesk privilege 6 password help
Privilege exec level 6 show running
Privilege exec level 7 show start-up
Privilege exec level 9 configure terminal
Privilege exec level 10 interface
Which line in this configuration prevents the HelpDesk user from modifying the interface configuration?
A. Privilege exec level 9 configure terminal
B. Privilege exec level 7 show start-up
C. Privilege exec level 10 interface
D. Username HelpDesk privilege 6 password help
Correct Answer: A
Section: (none)
Explanation
Brad
Answer: A
Confidence level: 100%
Note: I have seen a lot of claims that D is the correct answer, but this is wrong. The only thing command D does is create the user “HelpDesk” with a privilege level of 6 and set the password for that user to “help”.
Command A sets the “configure terminal” command at privilege level 9, which is a higher level than HelpDesk has access to.
Also, some of the dumps say “Privilege exec level 9 show configure terminal” in the config and the answer options. This is not a different version of the question, it is a mistake. The line “show configure terminal” is not a valid command in Cisco IOS.
Question 153.
In the “router ospf 200” command, what does the value 200 stand for?
A. process ID
B. area ID
C. administrative distance value
D. ABR ID
Correct Answer: A
Section: (none)
Explanation
BD
Enabling OSPF
SUMMARY STEPS
- enable
- configure terminal
- router ospf process-id
- network ip-address wildcard-mask area area-id
- end
Question 154.
Which feature filters CoPP packets?
A. Policy maps
B. Class maps
C. Access control lists
D. Route maps
Correct Answer: C
Section: (none)
Explanation
Brad
Answer: C
Confidence level: 60%
Note: All the dumps say C is the correct answer. I have never been able to find anything concrete on this, but some people say A is correct.
Question 155.
In which type of attack does the attacker attempt to overload the CAM table on a switch so that the switch acts as a hub?
A. MAC spoofing
B. gratuitous ARP
C. MAC flooding
D. DoS
Correct Answer: C
Section: (none)
Explanation
BD
MAC address flooding is an attack technique used to exploit the memory and hardware limitations in a switch’s CAM table.
Source: http://hakipedia.com/index.php/CAM_Table_Overflow
Question 156.
Which type of PVLAN port allows a host in the same VLAN to communicate directly with another?
A. community for hosts in the PVLAN
B. promiscuous for hosts in the PVLAN
C. isolated for hosts in the PVLAN
D. span for hosts in the PVLAN
Correct Answer: A
Section: (none)
Explanation
BD
The types of private VLAN ports are as follows:
+ Promiscuous – The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN.
+ Isolated – This port has complete isolation from other ports within the same private VLAN domain, except that it can communicate with associated promiscuous ports.
+ Community – A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports. These interfaces are isolated from all other interfaces in other communities and from all isolated ports within the private VLAN domain.
Question 157.
What is a potential drawback to leaving VLAN 1 as the native VLAN?
A. It may be susceptible to a VLAN hopping attack.
B. Gratuitous ARPs might be able to conduct a man-in-the-middle attack.
C. The CAM might be overloaded, effectively turning the switch into a hub.
D. VLAN 1 might be vulnerable to IP address spoofing.
Correct Answer: A
Section: (none)
Explanation
BD
VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN (VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging.
+ In a switch spoofing attack, an attacking host imitates a trunking switch by speaking the tagging and trunking protocols (e.g. Multiple VLAN Registration Protocol, IEEE 802.1Q, Dynamic Trunking Protocol) used in maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.
+ In a double tagging attack, an attacking host connected on an 802.1Q interface prepends two VLAN tags to packets that it transmits.
Double Tagging can only be exploited when switches use “Native VLANs”. Ports with a specific access VLAN (the native VLAN) don’t apply a VLAN tag when sending frames, allowing the attacker’s fake VLAN tag to be read by the next switch. Double Tagging can be mitigated by either one of the following actions:
+ Simply do not put any hosts on VLAN 1 (The default VLAN). i.e., assign an access VLAN other than VLAN 1 to every access port
+ Change the native VLAN on all trunk ports to an unused VLAN ID.
+ Explicit tagging of the native VLAN on all trunk ports. Must be configured on all switches in the network.
Source: https://en.wikipedia.org/wiki/VLAN_hopping
Question 158.
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations? (Choose three).
A. When matching ACL entries are configured
B. When the firewall requires strict HTTP inspection
C. When matching NAT entries are configured
D. When the firewall receives a FIN packet
E. When the firewall requires HTTP inspection
F. When the firewall already has a TCP connection
Correct Answer: ACF
Section: (none)
Explanation
Brad
Answer: A, C and F
Confidence level: 100%
Note: The dumps say the correct answers are A, C, E. This is incorrect. See the following links:
https://supportforums.cisco.com/discussion/12473551/asa-what-allowing-return-http-traffic
Also, there is a modified version of this question where answers D and F are replaced with “When the firewall receives a SYN packet” and “When the firewall receives a SYN-ACK packet”. The SYN-ACK packet coming back from the web server establishes the TCP connection and allows requests to come through, so this is a correct answer.
Question 159.
Which firewall configuration must you perform to allow traffic to flow in both directions between two zones?
A. You must configure two zone pairs, one for each direction.
B. You can configure a single zone pair that allows bidirectional traffic flows for any zone.
C. You can configure a single zone pair that allows bidirectional traffic flows for any zone except the self zone.
D. You can configure a single zone pair that allows bidirectional traffic flows only if the source zone is the less secure zone.
Correct Answer: A
Section: (none)
Explanation
BD
If you want to allow traffic between two zones, such as between the inside zone (using interfaces facing the inside network) and the outside zone (interfaces facing the Internet or less trusted networks), you must create a policy for traffic between the two zones, and that is where a zone pair comes into play. A zone pair, which is just a configuration on the router, is created identifying traffic sourced from a device in one zone and destined for a device in the second zone. The administrator then associates a set of rules (the policy) for this unidirectional zone pair, such as to inspect the traffic, and then applies that policy to the zone pair.
Source: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380
Question 160.
What is a valid implicit permit rule for traffic that is traversing the ASA firewall?
A. Unicast IPv6 traffic from a higher security interface to a lower security interface is permitted in transparent mode only
B. Only BPDUs from a higher security interface to a lower security interface are permitted in routed mode
C. Unicast IPv4 traffic from a higher security interface to a lower security interface is permitted in routed mode only
D. Only BPDUs from a higher security interface to a lower security interface are permitted in transparent mode
E. ARPs in both directions are permitted in transparent mode only
Correct Answer: E
Section: (none)
Explanation
Brad
Answer: E
Confidence level: 0%
Note: Never bothered to research this question.
BD
ARPs are allowed through the transparent firewall in both directions without an ACL. ARP traffic can be controlled by ARP inspection.
The answer option is missing the word “only”.
More reading here:
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/introfw.html
Question 161.
Which statement about the communication between interfaces on the same security level is true?
A. Interfaces on the same security level require additional configuration to permit inter-interface communication.
B. Configuring interfaces on the same security level can cause asymmetric routing.
C. All traffic is allowed by default between interfaces on the same security level.
D. You can configure only one interface on an individual security level.
Correct Answer: A
Section: (none)
Explanation
BD
By default, if two interfaces are both at the exact same security level, traffic is not allowed between those two interfaces.
To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode.
hostname(config)# same-security-traffic permit {inter-interface | intra-interface}
Source: Cisco Official Certification Guide, The Default Flow of Traffic, p.422
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s1.html
Question 162.
Which IPS mode provides the maximum number of actions?
A. inline
B. promiscuous
C. span
D. failover
E. bypass
Correct Answer: A
Section: (none)
Explanation
BD
The first option is to put a sensor inline with the traffic, which just means that any traffic going through your network is forced to go in one physical or logical port on the sensor.
Because the sensor is inline with the network, and because it can drop a packet and deny that packet from ever reaching its final destination (because it might cause harm to that destination), the sensor has in fact just prevented that attack from being carried out. That is the concept behind intrusion prevention systems (IPS).
Whenever you hear IPS mentioned, you immediately know that the sensor is inline with the traffic, which makes it possible to prevent the attack from making it further into the network.
Source: Cisco Official Certification Guide, Difference Between IPS and IDS, p.460
Question 163.
How can you detect a false negative on an IPS?
A. View the alert on the IPS.
B. Review the IPS log.
C. Review the IPS console.
D. Use a third-party system to perform penetration testing.
E. Use a third-party to audit the next-generation firewall rules.
Correct Answer: D
Section: (none)
Explanation
BD
A false negative, however, is when there is malicious traffic on the network, and for whatever reason the IPS/IDS did not trigger an alert, so there is no visual indicator (at least from the IPS/IDS system) that anything negative is going on. In the case of a false negative, you must use some third-party or external system to alert you to the problem at hand, such as syslog messages from a network device.
Source: Cisco Official Certification Guide, Positive/Negative Terminology, p.463
Question 164.
What is the primary purpose of a defined rule in an IPS?
A. To detect internal attacks
B. To define a set of actions that occur when a specific user logs in to the system
C. To configure an event action that is pre-defined by the system administrator
D. To configure an event action that takes place when a signature is triggered
Correct Answer: D
Section: (none)
Explanation
Brad
Answer: D
Confidence level: 80%
Note: I suspect this is one of the questions I answered incorrectly on my exam. I answered C, which is the answer I have in my study guide. However, things I have seen since have led me to believe the correct answer is D.
Question 165.
Which Sourcefire secure action should you choose if you want to block only malicious traffic from a particular end-user?
A. Allow with inspection
B. Allow without inspection
C. Block
D. Trust
E. Monitor
Correct Answer: A
Section: (none)
Explanation
BD
A file policy is a set of configurations that the system uses to perform advanced malware protection and file control, as part of your overall access control configuration.
A file policy, like its parent access control policy, contains rules that determine how the system handles files that match the conditions of each rule. You can configure separate file rules to take different actions for different file types, application protocols, or directions of transfer.
You can associate a single file policy with an access control rule whose action is Allow, Interactive Block, or Interactive Block with reset. The system then uses that file policy to inspect network traffic that meets the conditions of the access control rule.
Source: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepowermodule-user-guide-v541/AMP-Config.html