Cisco 210-260 Exam Practice Question

December 8, 2019

Pass the Cisco 210-260 exam with DumpsSchool CCNA Security 210-260 dumps. The CCNA Security exam questions are verified by experts. Get Cisco 210-260 test preparation with free updates for one year!


Question No. 1

Which type of mechanism does Cisco FirePOWER deploy to protect against email threats that are detected moving across other networks?

Answer: D

Question No. 2

When is the “Deny all” policy an exception in a Zone-Based Firewall?

Answer: A

+ There is a default zone, called the self zone, which is a logical zone. For any packets directed to the router itself (the destination IP indicates the packet is for the router), the router automatically considers that traffic to be entering the self zone. In addition, any traffic initiated by the router is considered to be leaving the self zone.

By default, any traffic to or from the self zone is allowed, but you can change this policy.

+ For the rest of the administrator-created zones, no traffic is allowed between interfaces in different zones.

+ For interfaces that are members of the same zone, all traffic is permitted by default.

Source: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380

Question No. 3

A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a security level of 100. The second interface is the DMZ interface with a security level of 50. The third interface is the outside interface with a security level of 0.

By default, without any access list configured, which five types of traffic are permitted? (Choose five.)

Answer: A, B, C, G, H

Security Level Overview

Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You can assign interfaces to the same security level. See the “Allowing Communication Between Interfaces on the Same Security Level” section for more information.

The level controls the following behavior:

* Network access — By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface. If you enable communication for same security interfaces (see the “Allowing Communication Between Interfaces on the Same Security Level” section), there is an implicit permit for interfaces to access other interfaces on the same security level or lower.

* Inspection engines — Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

– NetBIOS inspection engine — Applied only for outbound connections.

– OraServ inspection engine — If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.

* Filtering — HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). For same security interfaces, you can filter traffic in either direction.

* NAT control — When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside). Without NAT control, or for same security interfaces, you can choose to use NAT between any interfaces, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

* established command — This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host. For same security interfaces, you can configure established commands for both directions.

Question No. 4

What is the best definition of hairpinning?

Answer: B

Question No. 5

Which STP feature can prevent an attacker from becoming the root bridge by immediately shutting down the interface when it receives a BPDU?

Answer: C

Question No. 6

Which two next-generation encryption algorithms does Cisco recommend? (Choose two.)

Answer: A, F

The Suite B next-generation encryption (NGE) includes algorithms for authenticated encryption, digital signatures, key establishment, and cryptographic hashing, as listed here:

+ Elliptic Curve Cryptography (ECC) replaces RSA signatures with the ECDSA algorithm

+ AES in the Galois/Counter Mode (GCM) of operation

+ ECC Digital Signature Algorithm

+ SHA-256, SHA-384, and SHA-512

Source: Cisco Official Certification Guide, Next-Generation Encryption Protocols, p.97

Question No. 7

How can you detect a false negative on an IPS?

Answer: D

A false negative is when there is malicious traffic on the network, and for whatever reason the IPS/IDS did not trigger an alert, so there is no visual indicator (at least from the IPS/IDS system) that anything negative is going on. In the case of a false negative, you must use some third-party or external system to alert you to the problem at hand, such as syslog messages from a network device.

Source: Cisco Official Certification Guide, Positive/Negative Terminology, p.463

Question No. 8

Which statement about Cisco ACS authentication and authorization is true?

Answer: A
