210-260 CCNA Security – IINS Exam Questions with Answers – Q61 to Q75
Question 61.
A specific URL has been identified as containing malware. What action can you take to block users from accidentally visiting the URL and becoming infected with malware?
A. Enable URL filtering on the perimeter firewall and add the URLs you want to allow to the router’s local URL list
B. Enable URL filtering on the perimeter router and add the URLs you want to allow to the firewall’s local URL list
C. Create a blacklist that contains the URL you want to block and activate the blacklist on the perimeter router
D. Enable URL filtering on the perimeter router and add the URLs you want to block to the router’s local URL list
E. Create a whitelist that contains the URLs you want to allow and activate the whitelist on the perimeter router
Correct Answer: D
Section: (none)
Explanation
Brad
Answer: D
Confidence level: 100%
Remember: A and B are not correct answers because you cannot use a router’s URL list to filter URLs on a firewall, and vice versa. E is not correct because whitelists are used to allow websites, not block, and that is not what the question is asking for.
BD
URL Filtering
URL filtering allows you to control access to Internet websites by permitting or denying access to specific websites based on information contained in a URL list. You can maintain a local URL list on the router. If the Cisco IOS image on the router supports URL filtering but does not support Zone-based Policy Firewall (ZPF), you can maintain one local URL list on the router to add or edit URLs. Enter a full domain name or a partial domain name and choose whether to Permit or Deny requests for this URL.
Question 62.
When is the best time to perform an antivirus signature update?
A. Every time a new update is available.
B. When the local scanner has detected a new virus.
C. When a new virus is discovered in the wild.
D. When the system detects a browser hook.
Correct Answer: A
Section: (none)
Explanation
BD
Obvious answer
Source: http://www.techrepublic.com/article/four-steps-to-keeping-current-with-antivirus-signature-updates/
Question 63.
Which statement about application blocking is true?
A. It blocks access to specific programs.
B. It blocks access to files with specific extensions.
C. It blocks access to specific network addresses.
D. It blocks access to specific network services.
Correct Answer: A
Section: (none)
Explanation
BD
How do you block unknown applications on the Cisco Web Security Appliance?
If Application Visibility Controls (AVC) are enabled (Under GUI > Security Services > Web Reputation and AntiMalware), then we can block access based on application types like Proxies, File Sharing, Internet utilities.
We can do this under Web Security Manager > Access Policies > ‘Applications’ column <for the required access policy>.
Question 64.
Scenario
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations.
To access ASDM, click the ASA icon in the topology diagram.
Note: Not all ASDM functionalities are enabled in this simulation.
To see all the menu options available on the left navigation pane, you may also need to un-expand the expanded menu first.
Which four tunneling protocols are enabled in the DfltGrpPolicy group policy? (Choose four)
A. Clientless SSL VPN
B. SSL VPN Client
C. PPTP
D. L2TP/IPsec
E. IPsec IKEv1
F. IPsec IKEv2
Correct Answer: ADEF
Section: (none)
Explanation
By clicking on the Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Group Policies tab you can view the DfltGrpPolicy protocols as shown below:
Question 65.
Scenario
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations.
To access ASDM, click the ASA icon in the topology diagram.
Note: Not all ASDM functionalities are enabled in this simulation. To see all the menu options available on the left navigation pane, you may also need to un-expand the expanded menu first.
Which user authentication method is used when users log in to the Clientless SSLVPN portal using https://209.165.201.2/test?
A. AAA with LOCAL database
B. AAA with RADIUS server
C. Certificate
D. Both Certificate and AAA with LOCAL database
E. Both Certificate and AAA with RADIUS server
Correct Answer: A
Section: (none)
Explanation
This can be seen from the Connection Profiles Tab of the Remote Access VPN configuration, where the alias of test is being used.
Question 66.
Scenario
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations.
To access ASDM, click the ASA icon in the topology diagram.
Note: Not all ASDM functionalities are enabled in this simulation. To see all the menu options available on the left navigation pane, you may also need to un-expand the expanded menu first.
Which two statements regarding the ASA VPN configurations are correct? (Choose two)
A. The ASA has a certificate issued by an external Certificate Authority associated to the ASDM_TrustPoint1.
B. The DefaultWEBVPNGroup Connection Profile is using the AAA with RADIUS server method.
C. The Inside-SRV bookmark references the https://192.168.1.2 URL
D. Only Clientless SSL VPN access is allowed with the Sales group policy
E. AnyConnect, IPSec IKEv1, and IPSec IKEv2 VPN access is enabled on the outside interface
F. The Inside-SRV bookmark has not been applied to the Sales group policy
Correct Answer: BC
Section: (none)
Explanation
For B:
For C, Navigate to the Bookmarks tab:
Then hit “edit” and you will see this:
Not A, as this is listed under the Identity Certificates, not the CA certificates:
Not E:
Question 67.
Scenario
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations.
To access ASDM, click the ASA icon in the topology diagram.
Note: Not all ASDM functionalities are enabled in this simulation. To see all the menu options available on the left navigation pane, you may also need to un-expand the expanded menu first.
When users log in to the Clientless SSLVPN using https://209.165.201.2/test, which group policy will be applied?
A. test
B. clientless
C. Sales
D. DfltGrpPolicy
E. DefaultRAGroup
F. DefaultWEBVPNGroup
Correct Answer: C
Section: (none)
Explanation
First navigate to the Connection Profiles tab as shown below, highlight the one with the test alias:
Then hit the “edit” button and you can clearly see the Sales Group Policy being applied.
Question 68.
What features can protect the data plane? (Choose three.)
A. policing
B. ACLs
C. IPS
D. antispoofing
E. QoS
F. DHCP-snooping
Correct Answer: BDF
Section: (none)
Explanation
BD
+ Block unwanted traffic at the router. If your corporate policy does not allow TFTP traffic, just implement ACLs that deny traffic that is not allowed.
+ Reduce spoofing attacks. For example, you can filter (deny) packets trying to enter your network (from the outside) that claim to have a source IP address that is from your internal network.
+ Dynamic Host Configuration Protocol (DHCP) snooping to prevent a rogue DHCP server from handing out incorrect default gateway information and to protect a DHCP server from a starvation attack
Source: Cisco Official Certification Guide, Best Practices for Protecting the Data Plane, p.271
Question 69.
How many crypto map sets can you apply to a router interface?
A. 3
B. 2
C. 4
D. 1
Correct Answer: D
Section: (none)
Explanation
BD
You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered to be part of the same set and will all be applied to the interface.
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfipsec.html#wp1018126
Question 70.
What is the transition order of STP states on a Layer 2 switch interface?
A. listening, learning, blocking, forwarding, disabled
B. listening, blocking, learning, forwarding, disabled
C. blocking, listening, learning, forwarding, disabled
D. forwarding, listening, learning, blocking, disabled
Correct Answer: C
Section: (none)
Explanation
BD
STP switch port states:
+ Blocking – A port that would cause a switching loop if it were active. No user data is sent or received over a blocking port, but it may go into forwarding mode if the other links in use fail and the spanning tree algorithm determines the port may transition to the forwarding state. BPDU data is still received in blocking state. Prevents the use of looped paths.
+ Listening – The switch processes BPDUs and awaits possible new information that would cause it to return to the blocking state. It does not populate the MAC address table and it does not forward frames.
+ Learning – While the port does not yet forward frames it does learn source addresses from frames received and adds them to the filtering database (switching database). It populates the MAC address table, but does not forward frames.
+ Forwarding – A port receiving and sending data, normal operation. STP still monitors incoming BPDUs that would indicate it should return to the blocking state to prevent a loop.
+ Disabled – Not strictly part of STP, a network administrator can manually disable a port
Source: https://en.wikipedia.org/wiki/Spanning_Tree_Protocol
Question 71.
Which sensor mode can deny attackers inline?
A. IPS
B. fail-close
C. IDS
D. fail-open
Correct Answer: A
Section: (none)
Explanation
BD
Deny attacker inline: This action denies packets from the source IP address of the attacker for a configurable duration of time, after which the deny action can be dynamically removed. Available only if the sensor is configured as an IPS.
Source: Cisco Official Certification Guide, Table 17-4 Possible Sensor Responses to Detected Attacks, p.465
Question 72.
Which options are filtering options used to display SDEE message types? (Choose two.)
A. stop
B. none
C. error
D. all
Correct Answer: CD
Section: (none)
Explanation
BD
SDEE Messages
+ All — SDEE error, status, and alert messages are shown.
+ Error — Only SDEE error messages are shown.
+ Status — Only SDEE status messages are shown.
+ Alerts — Only SDEE alert messages are shown.
Question 73.
When a company puts a security policy in place, what is the effect on the company’s business?
A. Minimizing risk
B. Minimizing total cost of ownership
C. Minimizing liability
D. Maximizing compliance
Correct Answer: A
Section: (none)
Explanation
BD
The first step in protecting a business network is creating a security policy. A security policy is a formal, published document that defines roles, responsibilities, acceptable use, and key security practices for a company. It is a required component of a complete security framework, and it should be used to guide investment in security defenses.
Source: http://www.cisco.com/warp/public/cc/so/neso/sqso/secsol/setdm_wp.htm
Question 74.
Which wildcard mask is associated with a subnet mask of /27?
A. 0.0.0.31
B. 0.0.0.27
C. 0.0.0.224
D. 0.0.0.255
Correct Answer: A
Section: (none)
Explanation
BD
Slash   Netmask           Wildcard mask
/27     255.255.255.224   0.0.0.31
Source: https://en.wikipedia.org/wiki/Wildcard_mask
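As an added example (my own code, not part of the question dump or any Cisco tool), the following derives the netmask and wildcard pair for any prefix length, not just /27, and applies a wildcard mask the way an IOS ACL does, including a non-contiguous wildcard; the function names are hypothetical.

```python
# Added example: derive the wildcard mask for any prefix length and apply it
# the way an IOS ACL does. Function names are hypothetical, not IOS commands.
import ipaddress
from typing import Tuple

ALL_ONES = 0xFFFFFFFF


def prefix_to_masks(prefix: int) -> Tuple[str, str]:
    """Return (netmask, wildcard) dotted quads for a /prefix length."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    netmask = (ALL_ONES << (32 - prefix)) & ALL_ONES
    wildcard = netmask ^ ALL_ONES   # the wildcard is the bitwise inverse of the netmask
    return str(ipaddress.IPv4Address(netmask)), str(ipaddress.IPv4Address(wildcard))


def acl_match(address: str, acl_address: str, wildcard: str) -> bool:
    """True if `address` matches an ACL entry written as `acl_address wildcard`.

    A 1 bit in the wildcard means "don't care", so only the bits where the
    wildcard is 0 are compared. Unlike a netmask, a wildcard need not be
    contiguous: 0.255.0.255 matches on the first and third octets only.
    """
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(acl_address))
    return (a & care) == (b & care)


if __name__ == "__main__":
    for p in (24, 27, 30):
        mask, wild = prefix_to_masks(p)
        print(f"/{p:<2}  {mask:<16} {wild}")
    # access-list 10 permit 192.168.1.32 0.0.0.31 covers 192.168.1.32 to .63
    print(acl_match("192.168.1.45", "192.168.1.32", "0.0.0.31"))   # True
    print(acl_match("192.168.1.64", "192.168.1.32", "0.0.0.31"))   # False
```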
Question 75.
Which statements about reflexive access lists are true? (Choose three.)
A. Reflexive access lists create a permanent ACE
B. Reflexive access lists approximate session filtering using the established keyword
C. Reflexive access lists can be attached to standard named IP ACLs
D. Reflexive access lists support UDP sessions
E. Reflexive access lists can be attached to extended named IP ACLs
F. Reflexive access lists support TCP sessions
Correct Answer: DEF
Section: (none)
Explanation
BD
To define a reflexive access list, you use an entry in an extended named IP access list. This entry must use the reflect keyword.
A reflexive access list is triggered when a new IP upper-layer session (such as TCP or UDP) is initiated from inside your network, with a packet traveling to the external network.
Moreover, the previous method of using the established keyword was available only for the TCP upper-layer protocol. So, for the other upper-layer protocols (such as UDP, ICMP, and so forth), you would have to either permit all incoming traffic or define all possible permissible source/destination host/port address pairs for each protocol. (Besides being an unmanageable task, this could exhaust NVRAM space.)
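To make the behaviour described in this explanation concrete, here is an added example (my own model, not Cisco code and not part of the dump) that simulates how a reflexive ACL creates a temporary, mirrored entry when an outbound TCP or UDP session starts and then evaluates inbound packets against it; the class and method names, the packet structure and the 300 second timeout are assumptions.

```python
# Added example: a minimal model of reflexive ACL behaviour. Names, packet
# layout and the default timeout are assumed; this is not IOS code.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()     # TCP flags; empty for UDP


Key = Tuple[str, str, int, str, int]


class ReflexiveACL:
    """Model of 'permit ... reflect NAME' outbound and 'evaluate NAME' inbound."""

    def __init__(self, timeout: float = 300.0) -> None:
        self.timeout = timeout                  # idle timeout in seconds (assumed default)
        self._entries: Dict[Key, float] = {}    # temporary ACEs -> expiry time

    @staticmethod
    def _key(pkt: Packet, mirrored: bool) -> Key:
        # A reflected entry swaps source and destination address/port.
        if mirrored:
            return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def outbound(self, pkt: Packet, now: float) -> None:
        """'reflect': an outbound session creates (or refreshes) a temporary ACE."""
        key = self._key(pkt, mirrored=True)
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            self._entries.pop(key, None)        # session teardown removes the ACE
        else:
            self._entries[key] = now + self.timeout

    def inbound(self, pkt: Packet, now: float) -> bool:
        """'evaluate': permit only traffic matching a live reflected entry."""
        key = self._key(pkt, mirrored=False)
        expiry = self._entries.get(key)
        if expiry is None or expiry <= now:
            self._entries.pop(key, None)        # no session, or it timed out
            return False
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            self._entries.pop(key, None)        # TCP close ends the entry
        else:
            self._entries[key] = now + self.timeout   # activity refreshes the timer
        return True

    def active_entries(self) -> int:
        return len(self._entries)
```

Entries exist only while a session is alive, which is why the page's answer rules out "permanent ACE"; UDP entries, having no close handshake, live until the idle timeout.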