
CCNA Security 210-260 - certification book 20170128

Page 2

Certification Book Questions

B Classified but not important

C Sensitive but unclassified

D For official use only

E Secret

Page 3

Which of the following represents a physical control?

A Change control policy

Page 4

D Current patches on servers

Correct Answer: ABCD

Page 5

Why is UDP the “protocol of choice” for reflected DDoS attacks?

A There are more application choices when using UDP

B UDP requires a three-way handshake to establish a connection

C UDP is much more easily spoofed

D TCP cannot be used in DDoS attacks

Page 6

NetFlow provides which of the following?

A Detailed data about each packet on the network

B Troubleshooting messages about the network devices

C Information on the types of traffic traversing the network

D Network names of routers, end hosts, servers
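NetFlow records describe conversations (who talked to whom, with which protocol and ports, how many bytes and packets), not packet contents and not device syslog. The IOS configuration below is an added example and is not part of the certification book; the interface name, the Loopback0 source, and the collector 10.1.1.100 on UDP/2055 are assumptions.

```cisco
! Added example (not from the book). Collector 10.1.1.100:2055 and Loopback0 are assumptions.
! A flow is keyed on source/destination IP, source/destination port, protocol,
! ToS and input interface, so what is exported is "who talked to whom, how
! much, over which protocol", never the payload.
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress
!
! Export the records to the collector (SIEM / flow analyser) from a stable address.
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 10.1.1.100 2055
!
! Expire long-lived flows every minute so the collector sees them while they
! are still happening, and idle flows after 15 seconds.
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
!
! Checks: the local cache summarises traffic types (protocol/port counters),
! the export line shows whether records are actually leaving the router.
show ip cache flow
show ip flow export
```

Flow data is what you correlate with firewall and IDS events; for packet-level detail you still need a capture (SPAN or Embedded Packet Capture), which is what option A describes.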

Page 7

Which type of data is not often attractive to malicious actors?

A Personally identifiable information (PII)

B Training schedules

C Credit and debit card data

D Intellectual property (IP)

Page 8

C Authorization method list

D Authentication method list

Page 9

Which statement is true for ACS 5.x and later?

A User groups are nested in network device groups

B Authorization policies can be associated with user groups that are accessing specific network device groups

C There must be at least one user in a user group

D User groups can be used instead of device groups for simplicity

Where in the ACS do you go to create a new group of administrators?

A Users and Identity Stores > Identity Groups

B Identity Stores > Identity Groups

C Identity Stores and Groups > Identity Groups

D Users and Groups > Identity Groups

Page 10

QUESTION 30

Which of the following could likely cause an ACS authentication failure, even when the user is using the correct credentials? (Choose all that apply.)

A Incorrect secret on the ACS

B Incorrect IP address of the ACS configured on the router

C Incorrect routing

D Incorrect filtering between the ACS and the router

Correct Answer: ABCD

Section: (none)

Explanation

Explanation/Reference:
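All four causes in question 30 sit between the router and ACS, not in the user's credentials, so each needs its own check. The IOS configuration below is an added example and is not from the book; the ACS address 10.1.1.50, the shared key, the loopback and the test account are assumptions.

```cisco
! Added example (not from the book). ACS 10.1.1.50, the key, Loopback0 and the
! test account are assumptions.
aaa new-model
!
! (A) The shared secret must match what ACS holds for this device. A mismatch
! fails every authentication even with a correct username and password.
tacacs server ACS1
 address ipv4 10.1.1.50
 key SharedSecretMatchesACS
!
! (B) ACS identifies the router by source address: pin it to a loopback and
! register that address as the network device in ACS, not a transient WAN address.
ip tacacs source-interface Loopback0
!
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
! Named method lists with a local fallback, so a broken path to ACS does not
! lock you out of the device while you troubleshoot it.
aaa authentication login ACS-LOGIN group ACS-GROUP local
aaa authorization exec ACS-EXEC group ACS-GROUP local
username admin privilege 15 secret L0calFallb4ck!
!
line vty 0 4
 login authentication ACS-LOGIN
 authorization exec ACS-EXEC
 transport input ssh
!
! Checks, one per cause in the question:
! (B)/(C) reachability and routing, sourced from the address ACS expects
ping 10.1.1.50 source Loopback0
! (D) filtering: TACACS+ is TCP/49, so a raw connect must succeed end to end
telnet 10.1.1.50 49
! (A) key mismatch and the whole exchange, without burning a real login
test aaa group ACS-GROUP testuser testpass legacy
debug tacacs
```

If `ping` works but `telnet ... 49` does not, a firewall or ACL in the path is dropping TACACS+; if the connection opens but `test aaa` reports a failure and `debug tacacs` shows the server rejecting the packet, the key is wrong on one side.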

QUESTION 31

Which of the following is not a business driver for a BYOD solution?

A Need for employees to work anywhere and anytime

B Increase in the type of devices needed and used by employees to connect to the corporate network

C The lack of IPv4 address space

D Fluidity of today’s work schedules

B Cisco AnyConnect Client

C Wireless access points (AP)

D Identity Services Engine (ISE)

The Identity Services Engine (ISE) provides which of the following?

A Access, authentication, accounting

B Authentication, authorization, accounting

Page 11

C Access, authorization, accounting

D Authentication, authorization, access

The purpose of the RSA SecurID server/application is to provide what?

A Authentication, authorization, accounting (AAA) functions

B One-time password (OTP) capabilities

The purpose of the certificate authority (CA) is to ensure what?

A BYOD endpoints are posture checked

B BYOD endpoints belong to the organization

C BYOD endpoints have no malware installed

D BYOD users exist in the corporate LDAP directory

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

Page 12

QUESTION 37

What is the primary purpose of the Integrated Services Routers (ISR) in the BYOD solution?

A Provide connectivity in the home office environment back to the corporate campus

B Provide WAN and Internet access for users on the corporate campus

C Enforce firewall-type filtering in the data center

D Provide connectivity for the mobile phone environment back to the corporate campus

Which is not a function of mobile device management (MDM)?

A Enforce strong passwords on BYOD devices

B Deploy software updates to BYOD devices

C Remotely wipe data from BYOD devices

D Enforce data encryption requirements on BYOD devices

Which is not an advantage of an On-Premise MDM solution?

A Higher level of control over the BYOD solution

B Ease of deployment and operation of the BYOD solution

C Ability to meet regulatory requirements

D Security of the overall BYOD solution

Which is not an advantage of a cloud-based MDM solution?

A Scalability of the MDM solution

B Security of the overall MDM solution

C Flexibility in deploying the MDM solution

D Speed of deployment of MDM solution

Correct Answer: B

Section: (none)

Page 14

What is used to encrypt the hash in a digital signature?

A Sender’s public key

B Sender’s private key

C Receiver’s public key

D Receiver’s private key

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

Page 15

Why is the public key in a typical public-private key pair referred to as public?

A Because the public already has it

B Because it is shared publicly

C Because it is a well-known algorithm that is published

D The last name of the creator was publica, which is Latin for public

What is the key component used to verify a digital signature?

A Sender’s public key

B Receiver’s public key

C AES

D One-time PAD

Correct Answer: A

Page 16

B Issuing identity certificates

C Maintaining client’s private keys

D Tracking identity certificates

Which of the following is not a way for a client to check to see whether a certificate has been revoked?

A Look at the lifetime of the certificate itself

Page 17

When obtaining the initial root certificate, what method should be used for validation of the certificate?

A Sender’s public key
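A root certificate is self-signed, so nobody's public key can validate it; the only check is an out-of-band comparison of its fingerprint (hash) against a value obtained from the CA operator. Likewise, the validity period printed in a certificate says nothing about revocation, which is learned from a CRL or an OCSP responder. The IOS PKI configuration below is an added example, not from the book; the CA and OCSP URLs, the names and the fingerprint value are placeholders.

```cisco
! Added example (not from the book). URLs, names and the fingerprint value are
! placeholders; the real fingerprint must come from the CA operator out of band.
crypto key generate rsa label R1-KEYS modulus 2048
!
crypto pki trustpoint CORP-CA
 enrollment url http://10.1.1.20:80
 subject-name CN=R1.example.com
 rsakeypair R1-KEYS
 ! Revocation: ask OCSP first, fall back to the CRL. Expiry is not revocation.
 revocation-check ocsp crl
 ocsp url http://10.1.1.21/ocsp
 ! Pin the expected hash of the root certificate. "crypto pki authenticate"
 ! refuses the certificate the CA hands back if it does not match this value.
 ! (placeholder value, 40 hex digits)
 fingerprint 0123456789ABCDEF0123456789ABCDEF01234567
!
! Download the root certificate and compare it against the pinned fingerprint.
crypto pki authenticate CORP-CA
! Request the router's own identity certificate (signed with the CA's private key).
crypto pki enroll CORP-CA
!
show crypto pki certificates CORP-CA
show crypto pki trustpoints
```

Without the `fingerprint` line the router prompts an operator to accept whatever hash it received over the same unauthenticated channel, which is the trust-on-first-use mistake the question is testing for.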

Page 18

What are the source and destination addresses used for an encrypted IPsec packet?

A Original sender and receiver IP addresses

B Original sender’s and outbound VPN gateway’s addresses

C Sending and receiving VPN gateways

D Sending VPN gateway and original destination address in the packet

Page 19

Correct Answer: ABCD

Which of the following is not part of the IKE Phase 1 process?

A Negotiation of the IKE Phase 1 protocols

B Running DH

C Authenticating the peer

D Negotiating the transform set to use

How is the negotiation of the IPsec (IKE Phase 2) tunnel done securely?

A Uses the IKE Phase 1 tunnel

B Uses the IPsec tunnel

C Uses the IKE Phase 2 tunnel

Page 20

A RSA signatures, using digital certificates to exchange public keys

C crypto ipsec transform-set

D crypto access-list (access list used for cryptography)

What is true about symmetrical algorithms and symmetrical crypto access lists used on VPN peers?

A Symmetrical algorithms use the same secret (key) to lock and unlock the data Symmetrical ACLs between two VPN peers should symmetrically swap the source and destination portions of the ACL

B Symmetrical algorithms like RSA use the same secret (key) to lock and unlock the data Symmetrical ACLs between two VPN peers should symmetrically swap the source and destination portions of the ACL

C Symmetrical algorithms use the same secret (key) to lock and unlock the data Symmetrical ACLs between two VPN peers should be identical

D Symmetrical algorithms use the same secret (key) to lock and unlock the data Symmetrical ACLs between two VPN peers require that only symmetrical algorithms be used for all aspects of IPsec

A show crypto map

B show crypto isakmp policy

C show crypto config

Page 21

D show crypto ipsec sa
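The IKE Phase 1, Phase 2, crypto ACL and `show` questions above all describe one site-to-site configuration. The following IOS configuration is an added example and is not from the book; the addresses are documentation ranges chosen for illustration (R1 203.0.113.1 with LAN 192.168.1.0/24, R2 198.51.100.2 with LAN 192.168.2.0/24) and the pre-shared key is a placeholder.

```cisco
! Added example (not from the book). All addresses and the key are assumptions.
!
! ---- R1 ----
! IKE Phase 1 (ISAKMP policy): peer authentication, DH group and the cipher
! that protects the management tunnel. Phase 2 is negotiated INSIDE this
! tunnel, so it is protected by the cipher chosen here, not by the transform set.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key Pr3Sh4redK3y address 198.51.100.2
!
! IKE Phase 2 (IPsec): transform set and crypto ACL are negotiated here.
! Tunnel mode wraps the original packet in a new IP header whose source and
! destination are the two gateways; the Internet never sees 192.168.x.x.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP
!
! ---- R2 ----
! The isakmp policy and transform set are repeated unchanged from R1. The
! crypto ACL is the mirror image (source and destination swapped): the
! symmetric cipher uses the same key on both ends, but the ACLs must not be identical.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto isakmp key Pr3Sh4redK3y address 203.0.113.1
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
! ---- Checks ----
! Phase 1 state: expect QM_IDLE once established
show crypto isakmp sa
! Phase 2 SAs with encaps/decaps counters; a counter that grows on one side
! only points at a non-mirrored ACL or a NAT device in the path
show crypto ipsec sa
show crypto map
debug crypto isakmp
```

`show crypto ipsec sa` is the first stop when traffic does not flow: if no SA exists, there was no interesting traffic or Phase 1 failed (`show crypto isakmp sa` is empty or stuck in MM_NO_STATE); if the SA exists but only one counter moves, look at the ACL mirroring and at NAT.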

How is it possible that a packet with a private Layer 3 destination address is forwarded over the Internet?

A It is encapsulated into another packet, and the Internet only sees the outside valid IP destination address

B It cannot be sent It will always be dropped

C The Internet does not filter private addresses, only some public addresses, based on policy

D NAT is used to change the destination IP address before the packet is sent

B crypto isakmp policy

C crypto ipsec transform-set

Page 22

Which of the following potentially could be negotiated during IKEv1 Phase 2? (Choose all that apply.)

Which encryption method will be used to protect the negotiation of the IPsec (IKEv1 Phase 2) tunnel?

A The one negotiated in the transform set

B The one negotiated for the IKEv1 Phase 2 tunnel

C The one negotiated in the ISAKMP policy

D There is no encryption during this time; that is why DH is used

Correct Answer: C

Section: (none)

Explanation

Page 23

QUESTION 77

Which is the most secure method for authentication of IKEv1 Phase 1?

A RSA signatures, using digital certificates to exchange public keys

A Incompatible IKEv1 Phase 2 transform sets

B Incorrect pre-shared keys or missing digital certificates

C Lack of interesting traffic

Page 24

What is the purpose of NAT exemption?

A To bypass NAT in the remote peer

B To bypass NAT for all traffic not sent over the IPsec tunnel

C To bypass NAT for traffic in the VPN tunnel

D To never bypass NAT in the local or remote peer

A show isakmp sa detail

B debug crypto ikev1 | ikev2

C show crypto ipsec sa detail

Page 25

a single server at the central office?

What is the immediate cost savings when implementing SSL VPNs?

A No licensing is required on the server

B No licensing is required on the clients

B Encrypts it with the server’s public key

C Encrypts it with the sender’s public key

D They use DH to negotiate the shared secret

Correct Answer: B

Section: (none)

Page 26

Explanation/Reference:

QUESTION 88

Which of the following is not part of configuring the clientless SSL VPN on the ASA?

A Launching the wizard

B Specifying the URL

What may be the potential problem when enabling SSL VPNs on an interface on the ASA?

A ASDM is now disabled on that interface

B ASDM must be additionally configured with a custom port

C ASDM must be used with a different URL

D ASDM is not affected because it does not connect on port TCP:443

Page 27

A Routing issues behind the ASA

B Access control lists blocking traffic

C Too much traffic for the VPN tunnel size

D Network Address Translation not being bypassed for VPN traffic

Correct Answer: ABD
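The NAT exemption question and the remote-access troubleshooting question above are two views of the same failure: inside hosts can be translated on their way to VPN clients, after which the packets no longer match the tunnel. The ASA configuration below is an added example, not from the book, using ASA 8.3+ NAT syntax; the object names, the inside LAN 192.168.1.0/24 and the client pool 10.10.10.0/24 are assumptions.

```cisco
! Added example (not from the book). Names, 192.168.1.0/24 and 10.10.10.0/24 are assumptions.
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0
ip local pool RA-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! Weak: only the usual PAT rule for Internet access. VPN clients also arrive
! through the outside interface, so LAN packets towards 10.10.10.x leave with
! the outside address as source, no longer match the tunnel's traffic selector,
! and the client never gets a reply.
object network INSIDE-LAN
 nat (inside,outside) dynamic interface
!
! Corrected: identity (twice) NAT for LAN <-> client pool. Manual NAT rules are
! evaluated before object NAT, so this exempts tunnel traffic and nothing else.
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! Checks
show nat detail
show crypto ipsec sa
! Simulate a LAN host talking to a VPN client: the trace must hit the identity
! NAT rule (untranslated addresses) and end in "Action: allow".
packet-tracer input inside tcp 192.168.1.10 1025 10.10.10.5 3389
```

`packet-tracer` is the check that separates the three likely causes in the question: a NAT phase that changes the source address means exemption is missing (D), a DROP in the ACCESS-LIST phase means an ACL (B), and a failed ROUTE-LOOKUP phase means the ASA or the network behind it has no route back to the pool (A).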

Page 28

Which of the following is not a best practice for security?

A Leaving the native VLAN as VLAN 1

B Shutting down all unused ports and placing them in an unused VLAN

C Limiting the number of MAC addresses learned on a specific port

D Disabling negotiation of switch port mode

Page 29

What is a typical method used by a device in one VLAN to reach another device in a second VLAN?

A ARP for the remote device’s MAC address

B Use a remote default gateway

C Use a local default gateway

D Use trunking on the PC

Which two configuration changes prevent users from jumping onto any VLAN they choose to join?

A Disabling negotiation of trunk ports

B Using something else other than VLAN 1 as the “native” VLAN

C Configuring the port connecting to the client as a trunk

D Configuring the port connecting to the client as an access port

A Protection for DHCP servers against starvation attacks

B Protection against IP spoofing

C Protection against VLAN hopping

D Protection against MAC address spoofing

E Protection against CAM table overflow attacks

Correct Answer: AE

Section: (none)

Explanation

Explanation/Reference:

Page 30

QUESTION 102

Why should you implement Root Guard on a switch?

A To prevent the switch from becoming the root

B To prevent the switch from having any root ports

C To prevent the switch from having specific root ports

D To protect the switch against MAC address table overflows

Why should CDP be disabled on ports that face untrusted networks?

A CDP can be used as a DDoS vector

B CDP can be used as a reconnaissance tool to determine information about the device

C Disabling CDP will prevent the device from participating in spanning tree with untrusted devices

D CDP can conflict with LLDP on ports facing untrusted networks

Which of the following is not a true statement for DHCP snooping?

A DHCP snooping validates DHCP messages received from untrusted sources and filters out invalid messages

B DHCP snooping information is stored in a binding database

C DHCP snooping is enabled by default on all VLANs

D DHCP snooping rate-limits DHCP traffic from trusted and untrusted sources

Which of the following is not a true statement regarding dynamic ARP inspection (DAI)?

A DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings

B DAI helps to mitigate MITM attacks

C DAI determines validity of ARP packets based on IP-to-MAC address bindings found in the DHCP snooping database

D DAI is enabled on a per-interface basis
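The Layer 2 questions on this and the previous pages (native VLAN, unused ports, port security, DTP, Root Guard, CDP, DHCP snooping, DAI) describe one access-switch baseline. The IOS configuration below is an added example and is not from the book; interface numbers, VLAN IDs and rate limits are assumptions.

```cisco
! Added example (not from the book). Interface numbers, VLANs and rates are assumptions.
! Global: DHCP snooping builds the binding table that DAI checks ARP against,
! and it is off by default, so it must be enabled per VLAN. DAI is also per VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip arp inspection vlan 10,20
!
! User-facing access port
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 ! no DTP: the port can never be talked into becoming a trunk (VLAN hopping)
 switchport nonegotiate
 ! cap learned MACs: defeats CAM-table overflow and DHCP-starvation floods
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! untrusted by default: DHCP offers from here are dropped, ARP is validated
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! no reconnaissance data to whatever is plugged in
 no cdp enable
 no lldp transmit
!
! Trunk to a neighbouring switch
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport nonegotiate
 ! native VLAN is an otherwise unused VLAN, never VLAN 1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
 ip arp inspection trust
 ! this switch stays root: a superior BPDU here puts the port root-inconsistent,
 ! so this port can never become a root port
 spanning-tree guard root
!
! Unused ports: down and parked in a dead-end VLAN
interface range GigabitEthernet1/0/11 - 47
 switchport mode access
 switchport access vlan 666
 shutdown
!
! Checks
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 20
show port-security interface GigabitEthernet1/0/10
show spanning-tree inconsistentports
```

Enable DHCP snooping before DAI: with an empty binding table DAI drops every ARP packet on the VLAN except on trusted ports, which looks exactly like a broken switch. Statically addressed hosts need `ip arp inspection filter` ARP ACLs or a trusted port.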

Page 32

Which of the following is not a best practice to protect the management plane? (Choose all that apply.)

What do CoPP and CPPr have in common? (Choose all that apply.)

A They both focus on data plane protection

B They both focus on management plane protection

C They both focus on control plane protection

D They both can identify traffic destined for the router that will likely require direct CPU resources to be used

Page 33

Section: (none)

Explanation

Explanation/Reference:

QUESTION 113

What is a significant difference between CoPP and CPPr?

A One works at Layer 3, and the other works at Layer 2

B CPPr can classify and act on more-specific traffic than CoPP

C CoPP can classify and act on more-specific traffic than CPPr

D One protects the data plane, and the other protects the management plane
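Both CoPP and CPPr rate-limit traffic punted to the CPU, and the difference asked about in question 113 is granularity: CPPr splits the control plane into host, transit and CEF-exception sub-interfaces and adds a port filter. The IOS configuration below is an added example and is not from the book; the management subnet 10.1.1.0/24, the server addresses and the police rates are assumptions.

```cisco
! Added example (not from the book). 10.1.1.0/24, the server addresses and the
! rates are assumptions; tune rates from "show policy-map control-plane".
ip access-list extended CP-MGMT
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit udp host 10.1.1.10 any eq snmp
 permit udp host 10.1.1.5 eq ntp any
ip access-list extended CP-ROUTING
 permit ospf any any
 permit tcp any eq bgp any
 permit tcp any any eq bgp
!
class-map match-any CP-MGMT-CLASS
 match access-group name CP-MGMT
class-map match-any CP-ROUTING-CLASS
 match access-group name CP-ROUTING
!
! Routing protocols are never dropped, management gets a modest rate from the
! allowed sources only, and everything else is squeezed hard.
policy-map CP-POLICY
 class CP-ROUTING-CLASS
  police 512000 conform-action transmit exceed-action transmit
 class CP-MGMT-CLASS
  police 128000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
! CoPP: one aggregate policy for everything the CPU receives.
control-plane
 service-policy input CP-POLICY
!
! CPPr: the same policy type applied only to packets addressed to the router
! itself (host sub-interface), plus a port filter that drops TCP/UDP packets
! to ports the router is not listening on, and a restriction of management
! protocols to one interface. Neither of the last two exists in plain CoPP.
class-map type port-filter match-any CP-CLOSED-PORTS
 match closed-ports
policy-map type port-filter CP-PORT-FILTER
 class CP-CLOSED-PORTS
  drop
!
control-plane host
 service-policy input CP-POLICY
 service-policy type port-filter input CP-PORT-FILTER
 management-interface GigabitEthernet0/1 allow ssh snmp
!
show policy-map control-plane
show control-plane host open-ports
```

Start with `exceed-action transmit` on every class, watch the `exceeded` counters in `show policy-map control-plane` for a few days, then switch to `drop`; a policy that drops OSPF hellos under load takes the router off the network.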

Which of the following enables you to protect the data plane?

A IOS zone-based firewall

Page 34

A Incorrect privilege level

B AAA not enabled

C Wrong mode

D Not allowed by the view

Correct Answer: ABCD

Section: (none)

Explanation

Page 35

How can you implement role-based access control (RBAC)? (Choose all that apply.)

A Provide the password for a custom privilege level to users in a given role

B Associate user accounts with specific views

C Use access lists to specify which devices can connect remotely

D Use AAA to authorize specific users for specific sets of permissions

Correct Answer: ABD

What are the two primary benefits of using NTP along with a syslog server? (Choose all that apply.)

A Correlation of syslog messages from multiple different devices

B Grouping of syslog messages into summary messages

C Synchronization in the sending of syslog messages to avoid congestion

Page 36

D Accurate accounting of when a syslog message occurred

What is a difference between a default and named method list?

A A default method list can contain up to four methods

B A named method list can contain up to four methods

C A default method list must be assigned to an interface or line

D A named method list must be assigned to an interface or line
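The RBAC, NTP/syslog and method-list questions above describe the management-plane configuration of one device. The IOS configuration below is an added example and is not from the book; the server addresses, user names and secrets are assumptions.

```cisco
! Added example (not from the book). Server addresses, users and secrets are assumptions.
aaa new-model
enable secret En4bl3S3cr3t!
!
! RBAC method 1: a custom privilege level. Commands moved to level 5 become
! usable by any level-5 login, without handing out the level-15 enable secret.
privilege exec level 5 show running-config
privilege exec level 5 show ip interface brief
privilege exec level 5 clear counters
username helpdesk privilege 5 secret H3lpd3sk!
!
! RBAC method 2: parser views, an allow-list of commands bound to the account.
! Anything outside the list fails with "not allowed by the view".
! (Creating views requires entering the root view with "enable view" first.)
parser view NOC
 secret N0Cv13w!
 commands exec include show ip route
 commands exec include show interfaces
 commands exec include ping
 commands exec include traceroute
username noc view NOC secret N0cUs3r!
!
! RBAC method 3: AAA authorization, per user, decided by the AAA server.
! Default vs named lists: "default" applies to every line automatically; a
! named list does nothing until it is bound to a line or interface.
aaa authentication login default group ACS-GROUP local
aaa authentication login CONSOLE local
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
line con 0
 login authentication CONSOLE
line vty 0 4
 transport input ssh
!
! NTP + syslog: timestamps from different devices only line up if every clock
! agrees, and an authenticated NTP source cannot be spoofed to rewrite history.
ntp authenticate
ntp authentication-key 1 md5 NtpK3y!
ntp trusted-key 1
ntp server 10.1.1.5 key 1
clock timezone UTC 0
service timestamps log datetime msec localtime show-timezone year
logging buffered 64000 informational
logging source-interface Loopback0
logging trap informational
logging host 10.1.1.100
!
show privilege
show parser view all
show ntp status
show logging
```

The vty lines carry no `login authentication` statement on purpose: the default list covers them. The console is given the named `CONSOLE` list (local only) so that an outage of the AAA server never blocks physical access.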

Page 37

Which of the following are the valid first four characters of a link-local address?

B MAC address with FFFE at the end

C MAC address with FFFE at the beginning

D Depends on the network address being connected to

Which of the following routing protocols have both an IPv4 and IPv6 version? (Choose all that apply.)

A Routing Information Protocol

B Enhanced Interior Gateway Routing Protocol

C Open Shortest Path First

D Interior Gateway Routing Protocol

Correct Answer: ABC

Section: (none)

Explanation

Page 38

D Written security policy

Correct Answer: ABCD

If a rogue IPv6 router is allowed on the network, which information could be incorrectly delivered to the clients on that network? (Choose all that apply.)

A IPv6 default gateway

B IPv6 DNS server

C IPv6 network address

D IPv6 ARP mappings

Correct Answer: ABC

Section: (none)

Explanation

Explanation/Reference:

QUESTION 134

Why is tunneling any protocol (including IPv6) through another protocol a security risk?

A The innermost contents of the original packets may be hidden from normal security filters

B The tunnels, if they extend beyond the network perimeter, may allow undesired traffic through the tunnel
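A rogue router advertisement (the question before question 134) hands clients a default gateway, prefix and DNS server of the attacker's choosing, and tunnelled IPv6 (question 134) carries traffic past filters that only look at the outer IPv4 header. The IOS configuration below is an added example and is not from the book; interface and VLAN numbers are assumptions, and the tunnel ACL assumes a site where IPv6 is not meant to leave over IPv4 tunnels.

```cisco
! Added example (not from the book). Interface and VLAN numbers are assumptions.
! --- Rogue router advertisements: IPv6 RA Guard on the access switch ---
! Host ports may never source an RA; only the uplink towards the real router may.
ipv6 nd raguard policy HOST-PORTS
 device-role host
ipv6 nd raguard policy ROUTER-UPLINK
 device-role router
!
interface range GigabitEthernet1/0/1 - 47
 ipv6 nd raguard attach-policy HOST-PORTS
interface GigabitEthernet1/0/48
 ipv6 nd raguard attach-policy ROUTER-UPLINK
!
! Same idea for DHCPv6: on a client-role port, server messages are dropped.
ipv6 dhcp guard policy DHCPV6-CLIENT-PORTS
 device-role client
vlan configuration 20
 ipv6 dhcp guard attach-policy DHCPV6-CLIENT-PORTS
!
! --- Tunnelled IPv6 on the IPv4 perimeter router (question 134) ---
! 6to4, 6in4 and ISATAP carry IPv6 directly inside IPv4 protocol 41; Teredo
! rides UDP/3544. Block them where IPv6 is not supposed to cross the perimeter,
! so the inner packet cannot bypass the policy that inspects native traffic.
ip access-list extended NO-V6-TUNNELS
 deny 41 any any log
 deny udp any any eq 3544 log
 permit ip any any
interface GigabitEthernet0/0
 description Internet
 ip access-group NO-V6-TUNNELS out
!
show ipv6 nd raguard policy HOST-PORTS
show ipv6 dhcp guard policy DHCPV6-CLIENT-PORTS
show access-lists NO-V6-TUNNELS
```

The `log` keywords turn the ACL into a detector as well as a filter: hosts that keep hitting the protocol-41 or UDP/3544 entries are running a tunnel client (or malware using one) and are worth a closer look.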

Posted: 08/11/2019, 19:10
