210-260 CCNA Security – IINS Exam Questions with Answers – Q211 to Q225
Question 211.
What encryption technology has broadest platform support
A. hardware
B. middleware
C. Software
D. File level
Correct Answer: C
Section: (none)
Explanation
Question 212.
With which preprocesor do you detect incomplete TCP handshakes
A. ?
B. rate based prevention
C. ?
D. portscan detection
Correct Answer: B
Section: (none)
Explanation
BD
Rate-based attack prevention identifies abnormal traffic patterns and attempts to minimize the impact of that traffic on legitimate requests. Rate-based attacks usually have one of the following characteristics:
+ any traffic containing excessive incomplete connections to hosts on the network, indicating a SYN flood attack
+ any traffic containing excessive complete connections to hosts on the network, indicating a TCP/IP connection flood attack
+ excessive rule matches in traffic going to a particular destination IP address or addresses or coming from a particular source IP address or addresses.
+ excessive matches for a particular rule across all traffic.
Question 213.
Which type of PVLAN port allows a host in the same VLAN to communicate only with promiscuous hosts?
A. Community host in the PVLAN
B. Isolated host in the PVLAN
C. Promiscuous host in the PVLAN
D. Span for host in the PVLAN
Correct Answer: B
Section: (none)
Explanation
BD
The types of private VLAN ports are as follows:
+ Promiscuous – The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN
+ Isolated – This port has complete isolation from other ports within the same private VLAN domain, except that it can communicate with associated promiscuous ports.
+ Community — A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports.
These interfaces are isolated from all other interfaces in other communities and from all isolated ports within the private VLAN domain.
Question 214.
Which type of encryption technology has the broadcast platform support?
A. Middleware
B. Hardware
C. Software
D. File-level
Correct Answer: C
Section: (none)
Explanation
Question 215.
The first layer of defense which provides real-time preventive solutions against malicious traffic is provided by?
A. Banyan Filters
B. Explicit Filters
C. Outbreak Filters
D. ?
Correct Answer: C
Section: (none)
Explanation
Question 216.
SSL certificates are issued by Certificate Authority(CA) are?
A. Trusted root
B. Not trusted
C. ?
D. ?
Correct Answer: A
Section: (none)
Explanation
Question 217.
SYN flood attack is a form of ?
A. Reconnaissance attack
B. Denial of Service attack
C. Spoofing attack
D. Man in the middle attack
Correct Answer: B
Section: (none)
Explanation
BD
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Source: https://en.wikipedia.org/wiki/SYN_flood
Question 218.
The command debug crypto isakmp results in ?
A. Troubleshooting ISAKMP (Phase 1) negotiation problems
B. ?
C. ?
D. ?
Correct Answer: A
Section: (none)
Explanation
BD
#debug crypto isakmp
This output shows an example of the debug crypto isakmp command.
processing SA payload. message ID = 0
Checking ISAKMP transform against priority 1 policy
encryption 3DES
hash SHA
default group 2
auth pre-share
life type in seconds
life duration (basic) of 240
atts are acceptable. Next payload is 0
processing KE payload. message ID = 0
processing NONCE payload. message ID = 0
processing ID payload. message ID = 0
SKEYID state generated
processing HASH payload. message ID = 0
SA has been authenticated
processing SA payload. message ID = 800032287
Contains the IPsec Phase1 information. You can view the HAGLE (Hash, Authentication, DH Group, Lifetime, Encryption) process in the output.
Question 219.
Which prevent the company data from modification even when the data is in transit?
A. Confidentiality
B. Integrity
C. Vailability
D. Scalability
Correct Answer: B
Section: (none)
Explanation
BD
Integrity: Integrity for data means that changes made to data are done only by authorized individuals/systems. Corruption of data is a failure to maintain data integrity.
Source: Cisco Official Certification Guide, Confidentiality, Integrity, and Availability, p.6
Question 220.
The stealing of confidential information of a company comes under the scope of:
A. Reconnaissance
B. Spoofing attack
C. Social Engineering
D. Denial of Service
Correct Answer: C
Section: (none)
Explanation
BD
Social engineering
This is a tough one because it leverages our weakest (very likely) vulnerability in a secure system (data, applications, devices, networks): the user. If the attacker can get the user to reveal information, it is much easier for the attacker than using some other method of reconnaissance. This could be done through e-mail or misdirection of web pages, which results in the user clicking something that leads to the attacker gaining information. Social engineering can also be done in person or over the phone.
Source: Cisco Official Certification Guide, Table 1-5 Attack Methods, p.13
Question 221.
The Oakley cryptography protocol is compatible with following for managing security?
A. IPSec
B. ISAKMP
C. Port security
D. ?
Correct Answer: B
Section: (none)
Explanation
BD
IKE (Internet Key Exchange)
A key management protocol standard that is used in conjunction with the IPSec standard. IPSec is an IP security feature that provides robust authentication and encryption of IP packets. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside of the Internet Security Association and Key Management Protocol (ISAKMP) framework. ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.
Question 222.
Unicast Reverse Path Forwarding definition:
A. ?
B. ?
C. ?
D. ?
Correct Answer:
Section: (none)
Explanation
BD
Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding (uRPF) can mitigate spoofed IP packets. When this feature is enabled on an interface, as packets enter that interface the router spends an extra moment considering the source address of the packet. It then considers its own routing table, and if the routing table does not agree that the interface that just received this packet is also the best egress interface to use for forwarding to the source address of the packet, it then denies the packet.
This is a good way to limit IP spoofing.
Source: Cisco Official Certification Guide, Table 10-4 Protecting the Data Plane, p.270
Question 223.
The NAT traversal definition:
A. ?
B. ?
C. ?
D. ?
Correct Answer:
Section: (none)
Explanation
BD
NAT-T (NAT Traversal)
If both peers support NAT-T, and if they detect that they are connecting to each other through a Network Address Translation (NAT) device (translation is happening), they may negotiate that they want to put a fake UDP port 4500 header on each IPsec packet (before the ESP header) to survive a NAT device that otherwise may have a problem tracking an ESP session (Layer 4 protocol 50).
Source: Cisco Official Certification Guide, Table 7-2 Protocols That May Be Required for IPsec, p.153 Also a good reference
Source: https://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec
Question 224.
Man-in-the-middle attack definition:
A. ?
B. ?
C. ?
D. ?
Correct Answer:
Section: (none)
Explanation
BD
Man-in-the-middle attacks: Someone or something is between the two devices who believe they are communicating directly with each other. The “man in the middle” may be eavesdropping or actively changing the data that is being sent between the two parties. You can prevent this by implementing Layer 2 dynamic ARP inspection (DAI) and Spanning Tree Protocol (STP) guards to protect spanning tree. You can implement it at Layer 3 by using routing protocol authentication. Authentication of peers in a VPN is also a method of preventing this type of attack.
Source: Cisco Official Certification Guide, Threats Common to Both IPv4 and IPv6, p.333
Question 225.
Which privileged level is … by default? for user exec mode
A. 0
B. 1
C. 2
D. 5
E. 15
Correct Answer: B
Section: (none)
Explanation
BD
User EXEC mode commands are privilege level 1
Privileged EXEC mode and configuration mode commands are privilege level 15.
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfpass.html