CCNA Security Implementing Cisco Network Security v1.0 (210-260)

Page:    1 / 23   
Total 337 questions

A specific URL has been identified as containing malware. What action can you take to block users from accidentally visiting the URL and becoming infected with malware?

  • A. Enable URL filtering on the perimeter router and add the URLs you want to block to the router's local URL list.
  • B. Enable URL filtering on the perimeter firewall and add the URLs you want to allow to the router's local URL list.
  • C. Enable URL filtering on the perimeter router and add the URLs you want to allow to the firewall's local URL list.
  • D. Create a blacklist that contains the URL you want to block and activate the blacklist on the perimeter router.
  • E. Create a whitelist that contains the URLs you want to allow and activate the whitelist on the perimeter router.


Answer : A

Explanation:
The URL filtering window displays the global settings for URL filtering on the router. You can maintain the local URL list and the URL filter server list in the Additional Tasks screens or in the Application Security windows. The global settings for URL filtering can only be maintained from this Additional Tasks window. Use the Edit Global Settings button to change these values.
Reference:
http://www.cisco.com/c/en/us/td/docs/routers/access/cisco_router_and_security_device_manager/24/software/user/guide/URLftr.html

When is the best time to perform an anti-virus signature update?

  • A. Every time a new update is available.
  • B. When the local scanner has detected a new virus.
  • C. When a new virus is discovered in the wild.
  • D. When the system detects a browser hook.


Answer : A

Explanation:
You can automatically check for Anti-Virus signature updates from Cisco's signature server every 24 hours, or manually check for Anti-Virus signature updates at any time by clicking Update. When a newer signature file is available on the server, the new signature file is downloaded to your device.
Reference:
https://www.cisco.com/assets/sol/sb/isa500_emulator/help/guide/af1321261.html

Which statement about application blocking is true?

  • A. It blocks access to specific programs.
  • B. It blocks access to files with specific extensions.
  • C. It blocks access to specific network addresses.
  • D. It blocks access to specific network services.


Answer : A

Explanation:
Application filters allow you to quickly create application conditions for access control rules. They simplify policy creation and administration, and grant you assurance that the system will control web traffic as expected. For example, you could create an access control rule that identifies and blocks all high risk, low business relevance applications. If a user attempts to use one of those applications, the session is blocked.
Reference:
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AC-Rules-App-URL-Reputation.html#pgfId-1576835

Scenario -
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM, then answer the four multiple choice questions about the ASA SSL VPN configurations.
To access ASDM, click the ASA icon in the topology diagram.
Note: Not all ASDM functionalities are enabled in this simulation.
To see all the menu options available on the left navigation pane, you may also need to collapse the expanded menu first.

Which four tunneling protocols are enabled in the DfltGrpPolicy group policy? (Choose four)

  • A. Clientless SSL VPN
  • B. SSL VPN Client
  • C. PPTP
  • D. L2TP/IPsec
  • E. IPsec IKEv1
  • F. IPsec IKEv2


Answer : ADEF

Explanation:
By clicking on the Configuration -> Remote Access -> Clientless SSL VPN Access -> Group Policies tab, you can view the tunneling protocols enabled in DfltGrpPolicy, as shown below:


Scenario -
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM, then answer the four multiple choice questions about the ASA SSL VPN configurations.
To access ASDM, click the ASA icon in the topology diagram.
Note: Not all ASDM functionalities are enabled in this simulation.
To see all the menu options available on the left navigation pane, you may also need to collapse the expanded menu first.

Which user authentication method is used when users log in to the Clientless SSL VPN portal using https://209.165.201.2/test?

  • A. AAA with LOCAL database
  • B. AAA with RADIUS server
  • C. Certificate
  • D. Both Certificate and AAA with LOCAL database
  • E. Both Certificate and AAA with RADIUS server


Answer : A

Explanation:
This can be seen from the Connection Profiles tab of the Remote Access VPN configuration, where the alias test is being used.


Scenario -
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM, then answer the four multiple choice questions about the ASA SSL VPN configurations.
To access ASDM, click the ASA icon in the topology diagram.
Note: Not all ASDM functionalities are enabled in this simulation.
To see all the menu options available on the left navigation pane, you may also need to collapse the expanded menu first.

Which two statements regarding the ASA VPN configurations are correct? (Choose two)

  • A. The ASA has a certificate issued by an external Certificate Authority associated to the ASDM_TrustPoint1.
  • B. The DefaultWEBVPNGroup Connection Profile is using the AAA with RADIUS server method.
  • C. The Inside-SRV bookmark references https://192.168.1.2 URL
  • D. Only Clientless SSL VPN access is allowed with the Sales group policy
  • E. AnyConnect, IPSec IKEv1, and IPSec IKEv2 VPN access is enabled on the outside interface
  • F. The Inside-SRV bookmark has not been applied to the Sales group policy


Answer : BC

Explanation:
For B:


For C, navigate to the Bookmarks tab:

Then hit "edit" and you will see this:

Not A, as this is listed under the Identity Certificates, not the CA certificates:

Note E:

Scenario -
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM, then answer the four multiple choice questions about the ASA SSL VPN configurations.
To access ASDM, click the ASA icon in the topology diagram.
Note: Not all ASDM functionalities are enabled in this simulation.
To see all the menu options available on the left navigation pane, you may also need to collapse the expanded menu first.
When users log in to the Clientless SSL VPN using https://209.165.201.2/test, which group policy will be applied?

  • A. test
  • B. clientless
  • C. Sales
  • D. DfltGrpPolicy
  • E. DefaultRAGroup
  • F. DefaultWEBVPNGroup


Answer : C

Explanation:
First navigate to the Connection Profiles tab as shown below and highlight the one with the test alias:

Then hit the "edit" button and you can clearly see the Sales group policy being applied.

SIMULATION -

Scenario -
Given the new additional connectivity requirements and the topology diagram, use ASDM to accomplish the required ASA configurations to meet the requirements.
New additional connectivity requirements:
-> Currently, the ASA configurations only allow hosts on the Inside and DMZ networks to access any hosts on the Outside. Your task is to use ASDM to configure the ASA to also allow any host on the Outside to reach the DMZ server over HTTP only. The hosts on the Outside will need to use the 209.165.201.30 public IP address when connecting to the DMZ server over HTTP.
-> Currently, hosts on the ASA higher security level interfaces are not able to ping any hosts on the lower security level interfaces. Your task in this simulation is to use ASDM to enable the ASA to dynamically allow the echo-reply responses back through the ASA.
Once the correct ASA configurations have been configured:
-> You can test the connectivity to http://209.165.201.2 from the Outside PC browser.
-> You can test the pings to the Outside (www.cisco.com) by opening the Inside PC command prompt window. In this simulation, only testing pings to www.cisco.com will work.
To access ASDM, click the ASA icon in the topology diagram.
To access the Firefox browser on the Outside PC, click the Outside PC icon in the topology diagram.
To access the command prompt on the Inside PC, click the Inside PC icon in the topology diagram.
Note:
After you make the configuration changes in ASDM, remember to click Apply to apply the configuration changes.
Not all ASDM screens are enabled in this simulation; if some screen is not enabled, try to use different methods to configure the ASA to meet the requirements.
In this simulation, some of the ASDM screens may not look and function exactly like the real ASDM.
Answer : Follow the explanation part to get the answer to this sim question.

Explanation:
First, for the HTTP access we need to create a NAT object. Here I called it HTTP, but it can be given any name.


Then, create the firewall rules to allow the HTTP access:


You can verify by browsing from the Outside PC to http://209.165.201.30.
For step two, to be able to ping hosts on the Outside, we edit the last service policy shown below:

And then check the ICMP box only as shown below, then hit Apply.

After that is done, we can ping www.cisco.com again to verify:

What features can protect the data plane? (Choose three.)

  • A. policing
  • B. ACLs
  • C. IPS
  • D. antispoofing
  • E. QoS
  • F. DHCP-snooping


Answer : BDF

Explanation:
Data plane security can be implemented using the following features:

Access control lists -
Access control lists (ACLs) perform packet filtering to control which packets move through the network and where.

Antispoofing -
ACLs can be used as an antispoofing mechanism that discards traffic that has an invalid source address.

Layer 2 security features -
Cisco Catalyst switches have integrated features to help secure the Layer 2 infrastructure.
Reference:
http://www.ciscopress.com/articles/article.asp?p=1924983&seqNum=5

How many crypto map sets can you apply to a router interface?

  • A. 3
  • B. 2
  • C. 4
  • D. 1


Answer : D

Explanation:
These commands apply the crypto map to the interface. You can assign only one crypto map set to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are part of the same set and are all applied to the interface. The security appliance evaluates the crypto map entry with the lowest seq-num first.
dt3-45a(config)#interface e0
dt3-45a(config-if)#crypto map armadillo
Reference:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/16439-IPSECpart8.html

What is the transition order of STP states on a Layer 2 switch interface?

  • A. listening, learning, blocking, forwarding, disabled
  • B. listening, blocking, learning, forwarding, disabled
  • C. blocking, listening, learning, forwarding, disabled
  • D. forwarding, listening, learning, blocking, disabled


Answer : C

Explanation:
Each interface on an access point using spanning tree exists in one of these states:
-> Blocking: The interface does not participate in frame forwarding.
-> Listening: The first transitional state after the blocking state, entered when the spanning tree determines that the interface should participate in frame forwarding.
-> Learning: The interface prepares to participate in frame forwarding.
-> Forwarding: The interface forwards frames.
-> Disabled: The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port.
Reference:
http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-3_7_JA/configuration/guide/i1237sc/s37span.html#wp1040509

Which sensor mode can deny attackers inline?

  • A. IPS
  • B. fail-close
  • C. IDS
  • D. fail-open


Answer : A

Explanation:
You can configure certain aspects of the deny attackers inline event action. You can configure the number of seconds you want to deny attackers inline and you can limit the number of attackers you want denied in the system at any one time.
Reference:
http://www.cisco.com/c/en/us/td/docs/security/ips/5-1/configuration/guide/cli/cliguide/cliEvAct.html

Which options are filtering options used to display SDEE message types? (Choose two.)

  • A. stop
  • B. none
  • C. error
  • D. all


Answer : CD

Explanation:
Secure Device Event Exchange (SDEE) messages report on the progress of Cisco IOS IPS initialization and operation. Click to display the Edit IPS: SDEE Messages window, where you can review SDEE messages and filter them to display only error, status, or alert messages.
Reference:
http://www.cisco.com/c/en/us/td/docs/routers/access/cisco_router_and_security_device_manager/24/software/user/guide/IPS.html

When a company puts a security policy in place, what is the effect on the company’s business?

  • A. Minimizing risk
  • B. Minimizing total cost of ownership
  • C. Minimizing liability
  • D. Maximizing compliance


Answer : A

Explanation:
A security policy is used to minimize risk by allocating the company's resources to eliminate risk and focus on growth and revenues.
Reference:
http://searchsecurity.techtarget.com/definition/security-policy

Which wildcard mask is associated with a subnet mask of /27?

  • A. 0.0.0.31
  • B. 0.0.0.27
  • C. 0.0.0.224
  • D. 0.0.0.255


Answer : A

Explanation:
On Cisco routers, a wildcard mask is used in the following situations:
* Defining a subnet in an ACL
* Defining a subnet member in an OSPF area
Reference:
http://www.dslreports.com/faq/15216
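The wildcard mask is the bitwise inverse of the subnet mask, so /27 (255.255.255.224) gives 0.0.0.31. The following added example (not part of the original question bank) generalises that derivation to any prefix length, builds the ACL entry the explanation refers to, and applies the wildcard match the way an ACL evaluates it; the network and address values are constructed for illustration.

```python
# Added example: derive Cisco-style wildcard masks from a prefix length and
# use them in a standard ACL entry. Generalises the /27 -> 0.0.0.31 case.
import ipaddress

def wildcard_mask(prefix_len: int) -> str:
    """Return the dotted-decimal wildcard (inverse) mask for /prefix_len."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    wildcard = netmask ^ 0xFFFFFFFF          # invert every bit of the subnet mask
    return str(ipaddress.IPv4Address(wildcard))

def acl_permit_line(acl_number: int, network: str) -> str:
    """Build a standard numbered ACL entry for a network given in CIDR form."""
    net = ipaddress.ip_network(network, strict=True)   # rejects host bits set
    return (f"access-list {acl_number} permit "
            f"{net.network_address} {wildcard_mask(net.prefixlen)}")

def matches(address: str, network: str) -> bool:
    """Apply the wildcard match as an ACL does: bits set in the wildcard are ignored."""
    net = ipaddress.ip_network(network, strict=True)
    wc = int(ipaddress.IPv4Address(wildcard_mask(net.prefixlen)))
    addr = int(ipaddress.IPv4Address(address))
    return (addr | wc) == (int(net.network_address) | wc)

if __name__ == "__main__":
    # Constructed sample values, not taken from the exam scenario.
    print(wildcard_mask(27))                             # 0.0.0.31
    print(acl_permit_line(10, "192.168.1.32/27"))
    print(matches("192.168.1.40", "192.168.1.32/27"))     # True
    print(matches("192.168.1.64", "192.168.1.32/27"))     # False
```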
