210-260 CCNA Security – IINS Exam Questions with Answers – Q226 to Q249

210-260 CCNA Security – IINS Exam Questions with Answers – Q226 to Q249

Question 226.
When is “Deny all” policy an exception in Zone Based Firewall
A. traffic traverses 2 interfaces in same zone
B. traffic sources from router via self zone
C. traffic terminates on router via self zone
D. traffic traverses 2 interfaces in different zones
E. traffic terminates on router via self zone
Correct Answer: A
Section: (none)

Explanation
BD

+ There is a default zone, called the self zone, which is a logical zone. For any packets directed to the router directly (the destination IP represents the packet is for the router), the router automatically considers that traffic to be entering the self zone. In addition, any traffic initiated by the router is considered as leaving the self zone.
By default, any traffic to or from the self zone is allowed, but you can change this policy.
+ For the rest of the administrator-created zones, no traffic is allowed between interfaces in different zones.
+ For interfaces that are members of the same zone, all traffic is permitted by default.

Source: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380

Question 227.
Cisco Resilient Configuration Feature:
A. Required additional space to store IOS image file
B. Remote storage required to save IOS image
C. Can be disabled …remote session
D. Automatically detects image or config.version missmatch
Correct Answer: D
Section: (none)

Explanation
BD

The following factors were considered in the design of Cisco IOS Resilient Configuration:
+ The configuration file in the primary bootset is a copy of the running configuration that was in the router when the feature was first enabled.
+ The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file.
+ The feature automatically detects image or configuration version mismatch .
+ Only local storage is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers.
+ The feature can be disabled only through a console session

Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-mtbook/sec-resil-config.html

Question 228.
What are the two characteristics of IPS?
A. Can drop traffic
B. Does not add delay to traffic
C. It is cabled directly inline
D. Can`t drop packets on its own
Correct Answer: AC
Section: (none)

Explanation
BD

+ Position in the network flow: Directly inline with the flow of network traffic and every packet goes through the sensor on its way through the network.
+ Mode: Inline mode
+ The IPS can drop the packet on its own because it is inline. The IPS can also request assistance from another device to block future packets just as the IDS does.

Source: Cisco Official Certification Guide, Table 17-2 IDS Versus IPS, p.461

Question 229.
What can cause the state table of a stateful firewall to update? (choose two)
A. when connection is created
B. connection timer expired within state table
C. when packet is evaluated against the inbound access list and is …
D. outbound packets forwarded to inbound interface
E. when rate limiting is applied
Correct Answer: AB
Section: (none)

Explanation
BD

Stateful inspection monitors incoming and outgoing packets over time, as well as the state of the connection, and stores the data in dynamic state tables. This cumulative data is evaluated, so that filtering decisions would not only be based on administrator-defined rules, but also on context that has been built by previous connections as well as previous packets belonging to the same connection.
Entries are created only for TCP connections or UDP streams that satisfy a defined security policy. In order to prevent the state table from filling up, sessions will time out if no traffic has passed for a certain period. These stale connections are removed from the state table.

Source: https://en.wikipedia.org/wiki/Stateful_firewall

Question 230.
What IPSec mode is used to encrypt traffic between client and server vpn endpoints?
A. tunnel
B. Trunk
C. Aggregated
D. Quick
E. Transport
Correct Answer: E
Section: (none)

Explanation
BD

16.02.2017
@Tullipp on securitytut.com commented:
“the IPSEC Mode question did come up. It has been been very badly worded in the dumps and I knew It cant be right.
The question that comes in the exam is “between client and server vpn endpoints”.
So the keyword here is vpn endpoints. Not the end points like its worded in the dumps.
So the answer is transport mode.”
+ IPSec Transport mode is used for end-to-end communications, for example, for communication between a client and a server or between a workstation and a gateway (if the gateway is being treated as a host). A good example would be an encrypted Telnet or Remote Desktop session from a workstation to a server.
+ IPsec supports two encryption modes: Transport mode and Tunnel mode. Transport mode encrypts only the data portion (payload) of each packet and leaves the packet header untouched. Transport mode is applicable to either gateway or host implementations, and provides protection for upper layer protocols as well as selected IP header fields.

Source: http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html

Generic Routing Encapsulation (GRE) is often deployed with IPsec for several reasons, including the following:
+ IPsec Direct Encapsulation supports unicast IP only. If network layer protocols other than IP are to be supported, an IP encapsulation method must be chosen so that those protocols can be transported in IP packets.
+ IPmc is not supported with IPsec Direct Encapsulation. IPsec was created to be a security protocol between two and only two devices, so a service such as multicast is problematic. An IPsec peer encrypts a packet so that only one other IPsec peer can successfully perform the de-encryption. IPmc is not compatible with this mode of operation.

Question 231.
Which command is used to verify VPN connection is operational (or something like that) ?
A. crypto ipsec sa
B. ?
C. ?
D. ?
Correct Answer: A
Section: (none)

Explanation
BD

#show crypto ipsec sa – This command shows IPsec SAs built between peers

In the output you see
#pkts encaps: 345, #pkts encrypt: 345, #pkts digest 0
#pkts decaps: 366, #pkts decrypt: 366, #pkts verify 0

which means packets are encrypted and decrypted by the IPsec peer.

Source: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsecdebug-00.html#ipsec_sa

Question 232.
What is the command to authenticate an NTP time source? (something in those lines)
A. #ntp authentication-key 1 md5 141411050D 7
B. #ntp authenticate
C. #ntp trusted-key 1
D. #ntp trusted-key 1
Correct Answer: A
Section: (none)

Explanation
BD

ntp authentication-key 1 md5 141411050D 7
ntp authenticate
ntp trusted-key 1
ntp update-calendar
ntp server 192.168.1.96 key 1 prefer source FastEthernet0/1

Source: Cisco Official Certification Guide, Example 11-15 Using Authentication via Keys with NTPv3, p.314

Question 233.
How can you allow bidirational traffic? (something in those lines)
A. static NAT
B. dynamic NAT
C. dynamic PAT
D. multi-NAT
Correct Answer: A
Section: (none)

Explanation
BD

Bidirectional initiation—Static NAT allows connections to be initiated bidirectionally, meaning both to the host and from the host.

Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_overview.html

Question 234.
Which option is the default value for the Diffie–Hellman group when configuring a site-to-site VPN on an ASA device?
A. Group 1
B. Group 2
C. Group 7
D. Group 5
Correct Answer: B
Section: (none)

Explanation

Question 235.
What two devices are components of the BYOD architecture framework? (Choose two)
A. Identity Service Engine
B. Cisco 3845 Router
C. Wireless Access Points
D. Nexus 7010 Switch
E. Prime Infrastructure
Correct Answer: AE
Section: (none)

Explanation

Question 236.
Where does the Datacenter operate ?
ccna-security-iins-exam-questions-answers-q226-q240-236

A. Distribution
B. Access
C. Core
Correct Answer: A
Section: (none)

Explanation

Question 237.
Which option is the cloud based security service from Cisco that provides URL filtering web browsing content security, and roaming user protection?
A. Cloud web security
B. Cloud web Protection
C. Cloud web Service
D. Cloud advanced malware protection
Correct Answer: A
Section: (none)

Explanation

Question 238.
Which product can be used to provide application layer protection for TCP port 25 traffic?
A. ESA
B. CWS
C. WSA
D. ASA
Correct Answer: A
Section: (none)

Explanation

Question 239.
HIPS and NIPS

You need to place these 7 options into HIPS and NIPS. Each section has 4 choices which means one out of these 7 options goes into both.

Select and Place:
ccna-security-iins-exam-questions-answers-q226-q240-239-1

Correct Answer:
ccna-security-iins-exam-questions-answers-q226-q240-239-2

Section: (none)

Explanation
User JS from securitytut.com

Question 240.
What two actions would the zone base firewall when looking at the traffic?
A. drop
B. inspect
C. forward
D. …
Correct Answer: AB
Section: (none)

Explanation

Question 241.
Which label is given to a person who uses existing computer scripts to hack into computers lacking the expertise to write their own?
A. script kiddy
B. white hat hacker
C. phreaker
D. hacktivist
Correct Answer: A
Section: (none)

Explanation

Question 242.
Regarding PVLAN diagram question:

Switch was in VLAN 300
Isolated Host 1 on VLAN 301
Host 2 and Host 4 on VLAN 303 or something (Community PVLAN)

Server is connected to Switch.

All host connects to switch.
A. Host 2 (Host is part of community PVLAN).
B. Other devices on VLAN XXX (VLAN were isolated host is connected, in my case it was Host 1).
C. Server
D. Host 4 (Host is part of community PVLAN)
Correct Answer: C
Section: (none)

Explanation
JS
Host 3 is not part of anyh PVLAN. It is also connected to switch.
So, Host 3 was not an option otherwise it could also be an answer.

Question 243.
nat (inside,outside) dynamic interface
A. static PAT
B. static NAT
C. dynamic PAT
D. dynamic NAT
Correct Answer: C
Section: (none)

Explanation
Mr.W

Configuring Dynamic NAT
nat (inside,outside) dynamic my-range-obj
Configuring Dynamic PAT (Hide)
nat (inside,outside) dynamic interface

Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_objects.html

Question 244.
Which two characteristics of an application layer firewall are true? (Choose two)
A. provides reverse proxy services
B. is immune to URL manipulation
C. provides protection for multiple applications
D. provides stateful firewall functionality
E. has low processor usage
Correct Answer: AC
Section: (none)

Explanation
Brad

  1. supports revers proxy – Definitely true
  2. is immune to URL manupulation – Definitely false
  3. supprts multiple application – Definitely true
  4. provide statefull firewall security
  5. saves processing usage.

I’m not sure about the last two.

Question 245.
SIEM Functions (Choose two)
A. correlation between logs and events from multiple sys
B. event aggregation that allows reduced logs stogarge
C. comined managemant access to firewalls
D. …
Correct Answer: AB
Section: (none)

Explanation
BD

Security Information Event Management SIEM
+ Log collection of event records from sources throughout the organization provides important forensic tools and helps to address compliance reporting requirements.
+ Normalization maps log messages from different systems into a common data model, enabling the organization to connect and analyze related events, even if they are initially logged in different source formats.
+ Correlation links logs and events from disparate systems or applications, speeding detection of and reaction to security threats.
+ Aggregation reduces the volume of event data by consolidating duplicate event records.
+ Reporting presents the correlated, aggregated event data in real-time monitoring and long-term summaries.

Question 246.
Within an 802.1X enabled network with the Auth Fail feature configured, when does a switch port get placed into a restricted VLAN?
A. When user failed to authenticate after certain number of attempts
B. When 802.1X is not globally enabled on the Cisco catalyst switch
C. When AAA new-model is enabled
D. …
Correct Answer: A
Section: (none)

Explanation

Question 247.
What configure mode you used for the command ip ospf authentication-key (something) ?
A. global
B. priviliged
C. in-line
D. interface
Correct Answer: D
Section: (none)

Explanation
BD

ip ospf authentication-key is used under interface configuration mode, so it’s in interface level, under global configuration mode. If it asks about interface level then choose that.

interface Serial0
ip address 192.16.64.1 255.255.255.0
ip ospf authentication-key c1$c0

Question 248.
What is the actual IOS privilege level of User Exec mode?
A. 1
B. 0
C. 5
D. 15
Correct Answer: A
Section: (none)

Explanation
BD

By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of access to commands, called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level.

Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html

Question 249.
Which option is a weakness in an information system that an attacker might leverage to gain unauthorized access to the system or its data?
A. hack
B. mitigation
C. risk
D. vulnerability
E. exploit
Correct Answer: D
Section: (none)

Explanation
BD

vulnerability A flaw or weakness in a system’s design or implementation that could be exploited.

Source: CCNA Security 210-260 Official Cert Guide, GLOSSARY, p. 530

About the author

Scott

Leave a Comment