210-260 CCNA Security – IINS Exam Questions with Answers – Q76 to Q90

210-260 CCNA Security – IINS Exam Questions with Answers – Q76 to Q90

Question 76.
Which actions can a promiscuous IPS take to mitigate an attack? (Choose three.)
A. Reset the TCP connection
B. Request connection blocking
C. Deny packets
D. Modify packets
E. Request host blocking
F. Deny frames
Correct Answer: ABE
Section: (none)


Answer:A, B and E
Confidence level: 100%

Note: Be aware that there is a reverse version of this question, worded such as “What actions are limited when running IPS in promiscuous mode?”.


Promiscuous Mode Event Actions
+ Request block host: This event action will send an ARC request to block the host for a specified time frame, preventing any further communication. This is a severe action that is most appropriate when there is minimal chance of a false alarm or spoofing.
+ Request block connection: This action will send an ARC response to block the specific connection. This action is appropriate when there is potential for false alarms or spoofing.
+ Reset TCP connection: This action is TCP specific, and in instances where the attack requires several TCP packets, this can be a successful action.

Source: http://www.cisco.com/c/en/us/about/security-center/ips-mitigation.html#7

Question 77.
Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable syntax using the local database with no fallback method?
A. “aaa authentication enable console LOCAL SERVER_GROUP”
B. “aaa authentication enable console SERVER_GROUP LOCAL”
C. “aaa authentication enable console LOCAL”
D. “aaa authentication enable console local”
Correct Answer: C
Section: (none)


Answer: C
Confidence level: 100%

Remember: The local database must be referenced in all capital letters when AAA is in use. If lower case letters are used, the ASA will look for an AAA server group called “local”.

Question 78.
Which Cisco Security Manager application collects information about device status and uses it to generate notifications and alerts?
A. FlexConfig
B. Device Manager
C. Report Manager
D. Health and Performance Monitor
Correct Answer: D
Section: (none)


Health and Performance Monitor (HPM) – Monitors and displays key health, performance and VPN data for ASA and IPS devices in your network. This information includes critical and non-critical issues, such as memory usage, interface status, dropped packets, tunnel status, and so on. You also can categorize devices for normal or priority monitoring, and set different alert rules for the priority devices.

Source: http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/ security_manager/4-4/user/guide/CSMUserGuide_wrapper/HPMchap.pdf

Question 79.
Which accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose two.)
A. Stop
B. Stop-record
C. Stop-only
D. Start-stop
Correct Answer: BC
Section: (none)


Answer: C and D
Confidence level: 50%

Note: This is a widely debated question and my research did not turn up a concrete answer. Some users on the securitytut forums have said that A is a correct answer.


aaa accounting { auth-proxy | system | network | exec | connection | commands level | dot1x } { default | listname | guarantee-first } [ vrf vrf-name ] { start-stop | stop-only | none } [broadcast] { radius | group group-name }
+ stop-only: Sends a stop accounting record for all cases including authentication failures regardless of whether the aaa accounting send stop-record authentication failure command is configured.
+ stop-record: Generates stop records for a specified event.

For minimal accounting, include the stop-only keyword to send a “stop” accounting record for all cases including authentication failures. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a “start” accounting notice at the beginning of the requested process and a “stop” accounting notice at the end of the process.

Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a1.html

On securitytut. com you can find a full description of the simulation test I did.

Question 80.
Which command is needed to enable SSH support on a Cisco Router?
A. crypto key lock rsa
B. crypto key generate rsa
C. crypto key zeroize rsa
D. crypto key unlock rsa
Correct Answer: B
Section: (none)

There are four steps required to enable SSH support on a Cisco IOS router:
+ Configure the hostname command.
+ Configure the DNS domain.
+ Generate the SSH key to be used.
+ Enable SSH transport support for the virtual type terminal (vtys).

!— Step 1: Configure the hostname if you have not previously done so. hostname carter
!— The aaa new-model command causes the local username and password on the router
!— to be used in the absence of other AAA statements. aaa new-model username cisco password 0 cisco
!— Step 2: Configure the DNS domain of the router. ip domain-name rtp.cisco.com
!— Step 3: Generate an SSH key to be used with SSH.
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!— Step 4: By default the vtys’ transport is Telnet. In this case,
!— Telnet is disabled and only SSH is supported. line vty 0 4 transport input SSH

Source: http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145- ssh.html#settingupaniosrouterasssh

Question 81.
Which protocol provides security to Secure Copy?
A. IPsec
Correct Answer: B
Section: (none)


The SCP is a network protocol, based on the BSD RCP protocol,[3] which supports file transfers between hosts on a network. SCP uses Secure Shell (SSH) for data transfer and uses the same mechanisms for authentication, thereby ensuring the authenticity and confidentiality of the data in transit.

Source: https://en.wikipedia.org/wiki/Secure_copy

Question 82.
A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for Remote Desktop Protocol on the portal web page. Which action should you take to begin troubleshooting?
A. Ensure that the RDP plug-in is installed on the VPN gateway
B. Ensure that the RDP2 plug-in is installed on the VPN gateway
C. Reboot the VPN gateway
D. Instruct the user to reconnect to the VPN gateway
Correct Answer: B
Section: (none)


Answer: B
Confidence level: 100%

Note: This question has been verified by posters on securitytut who scored perfect scores on the exam. While it is fact that the newest version of the RDP plug-in is compatible with RDP2, this question specifically asks about Windows Vista. This is one of those “choose the best answer” scenarios.


+ RDP plug-in: This is the original plug-in created that contains both the Java and ActiveX Client.
+ RDP2 plug-in: Due to changes within the RDP protocol, the Proper Java RDP Client was updated in order to support Microsoft Windows 2003 Terminal Servers and Windows Vista Terminal Servers.

Source: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generationfirewalls/113600-technote-product-00.html

Question 83.
Which security zone is automatically defined by the system?
A. The source zone
B. The self zone
C. The destination zone
D. The inside zone
Correct Answer: B
Section: (none)


A zone is a logical area where devices with similar trust levels reside. For example, we could define a DMZ for devices in the DMZ in an organization. A zone is created by the administrator, and then interfaces can be assigned to zones. A zone can have one or more interfaces assigned to it. Any given interface can belong to only a single zone. There is a default zone, called the self zone, which is a logical zone.

Source: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380

Question 84.
What are purposes of the Internet Key Exchange in an IPsec VPN? (Choose two.)
A. The Internet Key Exchange protocol establishes security associations
B. The Internet Key Exchange protocol provides data confidentiality
C. The Internet Key Exchange protocol provides replay detection
D. The Internet Key Exchange protocol is responsible for mutual authentication
Correct Answer: AD
Section: (none)


IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site or remote access virtual private network (VPN) tunnels. IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols, namely Oakley and Secure Key Exchange Mechanism (SKEME).
In IKE Phase 1 IPsec peers negotiate and authenticate each other. In Phase 2 they negotiate keying materials and algorithms for the encryption of the data being transferred over the IPsec tunnel.

Source: Cisco Official Certification Guide, The Internet Key Exchange (IKE) Protocol, p.123

Question 85.
Which address block is reserved for locally assigned unique local addresses?
A. 2002::/16
B. 2001::/32
C. FD00::/8
D. FB00::/8
Correct Answer: C
Section: (none)


Answer: C
Confidence level: 100%

Remember: Locally assigned IPv6 addresses begin at FC00

The address block fc00::/7 is divided into two /8 groups:
+ The block fc00::/8 has not been defined yet. It has been proposed to be managed by an allocation authority, but this has not gained acceptance in the IETF
+ The block fd00::/8 is defined for /48 prefixes, formed by setting the 40 least-significant bits of the prefix to a randomly generated bit string

Prefixes in the fd00::/8 range have similar properties as those of the IPv4 private address ranges:
+ They are not allocated by an address registry and may be used in networks by anyone without outside involvement.
+ They are not guaranteed to be globally unique.
+ Reverse Domain Name System (DNS) entries (under ip6.arpa) for fd00::/8 ULAs cannot be delegated in the global DNS.

Source: https://en.wikipedia.org/wiki/Unique_local_address

Question 86.
What is a possible reason for the error message? Router(config)#aaa server?% Unrecognized command
A. The command syntax requires a space after the word “server”
B. The command is invalid on the target device
C. The router is already running the latest operating system
D. The router is a new device on which the aaa new-model command must be applied before continuing
Correct Answer: D
Section: (none)


Before you can use any of the services AAA network security services provide, you must enable AAA.

Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfaaa.html

Question 87.
Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)
A. Smart tunnels can be used by clients that do not have administrator privileges
B. Smart tunnels require the client to have the application installed locally
C. Smart tunnels offer better performance than port forwarding
D. Smart tunnels support all operating systems
Correct Answer: AC
Section: (none)


Answer: A and C
Confidence level: 90%

Note: Smart tunnels are clientless, which is why I am pretty sure B is an incorrect answer.


Smart Tunnel is an advanced feature of Clientless SSL VPN that provides seamless and highly secure remote access for native client-server applications.
Clientless SSL VPN with Smart Tunnel is the preferred solution for allowing access from non-corporate assets as it does not require the administrative rights.
Port forwarding is the legacy technology for supporting TCP based applications over a Clientless SSL VPN connection. Unlike port forwarding, Smart Tunnel simplifies the user experience by not requiring the user connection of the local application to the local port.

Source: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/tunnel.pdf

Question 88.
If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
A. The interface on both switches may shut down
B. STP loops may occur
C. The switch with the higher native VLAN may shut down
D. The interface with the lower native VLAN may shut down
Correct Answer: B
Section: (none)


Source: https://learningnetwork.cisco.com/docs/DOC-25797
http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24063-pvid-inconsistency- 24063.html

Question 89.
Which option describes information that must be considered when you apply an access list to a physical interface?
A. Protocol used for filtering
B. Direction of the access class
C. Direction of the access group
D. Direction of the access list
Correct Answer: C
Section: (none)


Applying an Access List to an Interface
#interface type number
#ip access-group {access-list-number | access-list-name} {in | out}

Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3sbook/sec create-ip-apply.html

Question 90.
Which source port does IKE use when NAT has been detected between two VPN gateways?
A. TCP 4500
B. TCP 500
C. UDP 4500
D. UDP 500
Correct Answer: C
Section: (none)


The IKE protocol uses UDP packets, usually on port 500
NAT traversal: The encapsulation of IKE and ESP in UDP port 4500 enables these protocols to pass through a device or firewall performing NAT

Source: https://en.wikipedia.org/wiki/Internet_Key_Exchange


About the author


Leave a Comment