High value 210-260 Braindumps 2021
It is faster and easier to pass the CCNA Security 210-260 Official Cert Guide by using the CCNA Security 210-260 VCE. Get immediate access to the Cisco CCNA Security 210-260 PDF and find the same core-area Cisco 210-260 dump with professionally verified answers, then pass your exam with a high score now.
Free 210-260 Demo Online For Microsoft Certification:
NEW QUESTION 1
Which type of attack can exploit design flaws in the implementation of an application without being noticed?
- A. Volume-based DDoS attacks.
- B. application DDoS flood attacks.
- C. DHCP starvation attacks
- D. low-rate DoS attacks
NEW QUESTION 2
Which command do you enter to verify the Phase 1 status of a VPN connection?
- A. debug crypto isakmp
- B. sh crypto session
- C. sh crypto isakmp sa
- D. sh crypto ipsec sa
NEW QUESTION 3
What do you use when you have a network object or group and want to use an IP address?
- A. Static NAT
- B. Dynamic NAT
- C. identity NAT
- D. Static PAT
Explanation: Adding Network Objects for Mapped Addresses
For dynamic NAT, you must use an object or group for the mapped addresses. Other NAT types have the option of using inline addresses, or you can create an object or group according to this section.
* Dynamic NAT:
+ You cannot use an inline address; you must configure a network object or group.
+ The object or group cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
+ If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback.
* Dynamic PAT (Hide):
+ Instead of using an object, you can optionally configure an inline host address or specify the interface address.
+ If you use an object, the object or group cannot contain a subnet; the object must define a host, or for a PAT pool, a range; the group (for a PAT pool) can include hosts and ranges.
* Static NAT or Static NAT with port translation:
+ Instead of using an object, you can configure an inline address or specify the interface address (for static NAT-with-port-translation).
+ If you use an object, the object or group can contain a host, range, or subnet.
* Identity NAT
+ Instead of using an object, you can configure an inline address.
+ If you use an object, the object must match the real addresses you want to translate.
NEW QUESTION 4
Which two features are commonly used by CoPP and CPPr to protect the control plane? (Choose two.)
- A. QoS
- B. traffic classification
- C. access lists
- D. policy maps
- E. class maps
- F. Cisco Express Forwarding
NEW QUESTION 5
What IPSec mode is used to encrypt traffic between a server and VPN endpoint?
- A. tunnel
- B. Trunk
- C. Aggregated
- D. Quick
- E. Transport
Explanation: @Tullipp on securitytut.com commented:
"The IPSEC Mode question did come up. It has been very badly worded in the dumps and I knew it can't be right.
The question that comes in the exam is "between client and server vpn endpoints".
So the keyword here is vpn endpoints. Not the end points like it's worded in the dumps. So the answer is transport mode."
+ IPSec Transport mode is used for end-to-end communications, for example, for communication between a client and a server or between a workstation and a gateway (if the gateway is being treated as a host). A good example would be an encrypted Telnet or Remote Desktop session from a workstation to a server.
+ IPsec supports two encryption modes: Transport mode and Tunnel mode. Transport mode encrypts only the data portion (payload) of each packet and leaves the packet header untouched. Transport mode is applicable to either gateway or host implementations, and provides protection for upper layer protocols as well as selected IP header fields.
http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html
http://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/IPsecPG1.html
Generic Routing Encapsulation (GRE) is often deployed with IPsec for several reasons, including the following:
+ IPsec Direct Encapsulation supports unicast IP only. If network layer protocols other than IP are to be supported, an IP encapsulation method must be chosen so that those protocols can be transported in IP packets.
+ IPmc is not supported with IPsec Direct Encapsulation. IPsec was created to be a security protocol between two and only two devices, so a service such as multicast is problematic. An IPsec peer encrypts a packet so that only one other IPsec peer can successfully perform the de-encryption. IPmc is not compatible with this mode of operation.
Source: https://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008074f26a.pdf
NEW QUESTION 6
Which Sourcefire event action should you choose if you want to block only malicious traffic from a particular end user?
- A. Allow with inspection
- B. Allow without inspection
- C. Block
- D. Trust
- E. Monitor
Explanation: A file policy is a set of configurations that the system uses to perform advanced malware protection and file control, as part of your overall access control configuration.
A file policy, like its parent access control policy, contains rules that determine how the system handles files that match the conditions of each rule. You can configure separate file rules to take different actions for different file types, application protocols, or directions of transfer.
You can associate a single file policy with an access control rule whose action is Allow, Interactive Block, or Interactive Block with reset. The system then uses that file policy to inspect network traffic that meets the conditions of the access control rule.
NEW QUESTION 7
Which statement is a benefit of using Cisco IOS IPS?
- A. It uses the underlying routing infrastructure to provide an additional layer of security.
- B. It works in passive mode so as not to impact traffic flow.
- C. It supports the complete signature database as a Cisco IPS sensor appliance.
- D. The signature database is tied closely with the Cisco IOS image.
Explanation: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/product_data_sheet0900aecd80313
Product Overview
In today's business environment, network intruders and attackers can come from outside or inside the network.
They can launch distributed denial-of-service attacks, they can attack Internet connections, and they can exploit network and host vulnerabilities. At the same time, Internet worms and viruses can spread across the world in a matter of minutes. There is often no time to wait for human intervention; the network itself must possess the intelligence to recognize and mitigate these attacks, threats, exploits, worms and viruses.
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based solution that enables Cisco IOS Software to effectively mitigate a wide range of network attacks. While it is common practice to defend against attacks by inspecting traffic at data centers and corporate headquarters, distributing the network level defense to stop malicious traffic close to its entry point at branch or telecommuter offices is also critical.
Cisco IOS IPS: Major Use Cases and Key Benefits
IOS IPS helps to protect your network in 5 ways:
• Provides network-wide, distributed protection from many attacks, exploits, worms and viruses exploiting vulnerabilities in operating systems and applications.
• Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as small and medium-sized business networks.
• Unique, risk rating based signature event action processor dramatically improves the ease of management of IPS policies.
• Offers field-customizable worm and attack signature set and event actions.
• Offers inline inspection of traffic passing through any combination of router LAN and WAN interfaces in both directions.
• Works with Cisco IOS® Firewall, control-plane policing, and other Cisco IOS Software security features to protect the router and networks behind the router.
• Supports more than 3700 signatures from the same signature database available for Cisco Intrusion Prevention System (IPS) appliances.
NEW QUESTION 8
Which protocol provides security to Secure Copy?
- A. IPsec
- B. SSH
- C. HTTPS
- D. ESP
Explanation: The SCP is a network protocol, based on the BSD RCP protocol, which supports file transfers between hosts on a network. SCP uses Secure Shell (SSH) for data transfer and uses the same mechanisms for authentication, thereby ensuring the authenticity and confidentiality of the data in transit.
NEW QUESTION 9
What technology can you use to provide data confidentiality, data integrity and data origin authentication on your network?
- A. Certificate Authority
- B. IKE
- C. IPSec
- D. Data Encryption Standards
NEW QUESTION 10
What are the primary attack methods of VLAN hopping? (Choose two.)
- A. VoIP hopping
- B. Switch spoofing
- C. CAM-table overflow
- D. Double tagging
Explanation: VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN (VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging.
+ In a switch spoofing attack, an attacking host imitates a trunking switch by speaking the tagging and trunking protocols (e.g. Multiple VLAN Registration Protocol, IEEE 802.1Q, Dynamic Trunking Protocol) used in maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.
+ In a double tagging attack, an attacking host connected on an 802.1Q interface prepends two VLAN tags to packets that it transmits.
NEW QUESTION 11
Which IDS/IPS state misidentifies acceptable behavior as an attack?
- A. false positive
- B. false negative
- C. true positive
- D. true negative
NEW QUESTION 12
Which technology can you implement to centrally mitigate potential threats when users on your network download files that might be malicious?
- A. Enable file-reputation services to inspect all files that traverse the company network and block files with low reputation scores.
- B. Verify that the company IPS blocks all known malicious websites.
- C. Verify that antivirus software is installed and up to date for all users on your network.
- D. Implement URL filtering on the perimeter firewall.
NEW QUESTION 13
Which two options are primary deployment models for mobile device management? (Choose two.)
- A. Cloud-based
- B. Hybrid-cloud based
- C. Multisite
- D. On-Perimeter
- E. Single site
NEW QUESTION 14
Which type of attack is directed against the network directly?
- A. Denial of Service
- B. phishing
- C. trojan horse
Explanation: Denial of service refers to willful attempts to disrupt legitimate users from getting access to the resources they intend to. Although no complete solution exists, administrators can do specific things to protect the network from a DoS attack and to lessen its effects and prevent a would-be attacker from using a system as a source of an attack directed at other systems. These mitigation techniques include filtering based on bogus source IP addresses trying to come into the networks and vice versa. Unicast reverse path verification is one way to assist with this, as are access lists. Unicast reverse path verification looks at the source IP address as it comes into an interface, and then looks at the routing table. If the source address seen would not be reachable out of the same interface it is coming in on, the packet is considered bad, potentially spoofed, and is dropped.
Source: Cisco Official Certification Guide, Best Practices Common to Both IPv4 and IPv6, p.332
NEW QUESTION 15
How can you stop a reconnaissance attack with CDP?
- A. disable CDP on ports connected to endpoints (or disable CDP on edge ports)
- B. enable dot1x on all ports that are connected to other switches
- C. disable CDP on trunk ports
- D. enable dynamic ARP inspection on all untrusted ports
NEW QUESTION 16
Which statement about extended access lists is true?
- A. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the destination
- B. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source
- C. Extended access lists perform filtering that is based on destination and are most effective when applied to the source
- D. Extended access lists perform filtering that is based on source and are most effective when applied to the destination
http://www.ciscopress.com/articles/article.asp?p=1697887
Standard ACL
1) Able to restrict, deny and filter packets by host IP or subnet only.
2) Best practice is to put a standard ACL restriction near the source host/subnet (interface, inbound).
3) No protocol-based restriction (only host IP).
Extended ACL
1) More flexible than a standard ACL.
2) You can filter packets by host/subnet as well as by protocol, TCP port or UDP port.
3) Best practice is to put the restriction near the destination host/subnet (interface, outbound).