Script Kiddie


June 17, 2017 / thinhnp

Question 1:
Which accounting notices are used to send a failed
authentication attempt record to a AAA
server? (Choose two.)

A. start-stop
B. stop-record
C. stop-only
D. stop


The Cisco implementation of AAA accounting provides “start”
and “stop” record support for calls that have passed user
authentication. The additional feature of generating “stop”
records for calls that fail to authenticate as part of user
authentication is also supported.

Question 2:
Which RADIUS server and TACACS server authentication
protocols are supported on Cisco ASA firewalls? (Choose three)

Question 3:
Which statement about reflexive access lists are true? (Choose

A. Reflexive ACL support UDP Sessions
B. Reflexive ACL approximate the session filtering using
the established keyword
C. Reflexive ACL can be attached to extended named IP
D. Reflexive ACL create a permanent ACE
E. Reflexive ACL support TCP Sessions
F. Reflexive ACL can be attached to standard named IP

Reflexive access lists allow IP packets to be filtered based on
upper-layer session information. You can use reflexive access
lists to permit IP traffic for sessions originating from within your
network but to deny IP traffic for sessions originating from
outside your network. This is accomplished by reflexive filtering,
a kind of session filtering.

Reflexive access lists can be defined with extended named IP
access lists only. You cannot define reflexive access lists with
numbered or standard named IP access lists or with other
protocol access lists.

With basic standard and static extended access lists, you can
approximate session filtering by using the established keyword
with the permit command.

Reflexive access lists, however, provide a truer form of session
filtering, which is much harder to spoof because more filter
criteria must be matched before a packet is permitted through.
(For example, source and destination addresses and port
numbers are checked, not just ACK and RST bits.)
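
The difference between the two filters described above, as an added example that is not part of the original page or of Cisco IOS: a small Python model of an established-keyword check beside a reflexive list that keeps temporary mirrored entries. The class and function names, the addresses and the 300-second idle timeout are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags; empty for UDP


def established_permits(pkt):
    """Static extended ACL with 'established': TCP only, and only the
    ACK/RST bits are examined. No record of any session is kept."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


class ReflexiveAcl:
    """Model of a reflexive list: outbound traffic creates a temporary
    entry, inbound traffic must match that entry on the full 5-tuple."""

    def __init__(self, timeout=300):         # idle timeout in seconds (assumed)
        self.timeout = timeout
        self.entries = {}                     # mirrored 5-tuple -> expiry time

    def outbound(self, pkt, now):
        # Store the tuple as the reply will appear: source and destination swapped.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def inbound_permits(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False                      # no inside host opened this session
        if now >= expiry:
            del self.entries[key]             # entries are temporary, not permanent
            return False
        self.entries[key] = now + self.timeout    # traffic refreshes the idle timer
        return True


def demo():
    """Constructed traffic; returns {case: (established result, reflexive result)}."""
    inside, dns, web, other = "10.0.0.5", "203.0.113.53", "203.0.113.80", "198.51.100.7"
    acl = ReflexiveAcl(timeout=300)
    acl.outbound(Packet("udp", inside, 40000, dns, 53), now=0)
    acl.outbound(Packet("tcp", inside, 40001, web, 443, frozenset({"SYN"})), now=0)

    cases = {
        # Reply to the inside host's DNS query: UDP has no ACK bit to test.
        "dns_reply": (Packet("udp", dns, 53, inside, 40000), 1),
        # Reply to the inside host's TCP connection.
        "tcp_reply": (Packet("tcp", web, 443, inside, 40001,
                             frozenset({"SYN", "ACK"})), 1),
        # ACK segment from a host the inside network never contacted.
        "unsolicited_ack": (Packet("tcp", other, 443, inside, 40001,
                                   frozenset({"ACK"})), 2),
        # Same DNS tuple again, long after the entry's idle timer ran out.
        "late_dns_reply": (Packet("udp", dns, 53, inside, 40000), 400),
    }
    return {name: (established_permits(p), acl.inbound_permits(p, now))
            for name, (p, now) in cases.items()}


if __name__ == "__main__":
    for name, (est, refl) in demo().items():
        print(f"{name:16} established={est!s:5} reflexive={refl}")
```
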

Question 4:
According to Cisco best practices, which three protocols should
the default ACL allow on an access port to enable wired BYOD
devices to supply valid credentials and connect to the network?
(Choose three)

F. 802.1x


An example of a default ACL on a campus access layer switch is
shown below:

Extended IP access list ACL-DEFAULT

10 permit udp any eq bootpc any eq bootps log (2604 ma

20 permit udp any host eq domain
30 permit icmp any any
40 permit udp any any eq tftp
50 deny ip any any log (40 matches)

Question 5:
Which three ESP fields can be encrypted during transmission?
(Choose three)

A. Next Header
B. Sequence Number
C. Padding
D. Security Parameter Index
E. Pad Length
F. MAC Address


The Encapsulating Security Payload (ESP) contains six parts as
described below. The first two parts are not encrypted, but they
are authenticated. Those parts are as follows:

• The Security Parameter Index (SPI) is an arbitrary 32-bit
number that tells the device receiving the packet what group of
security protocols the sender is using for communication. Those
protocols include the particular algorithms and keys, and how
long those keys are valid.

• The Sequence Number is a counter that is incremented by 1
each time a packet is sent to the same address and uses the
same SPI. The sequence number indicates which packet is
which, and how many packets have been sent with the same
group of parameters. The sequence number also protects
against replay attacks. Replay attacks involve an attacker who
copies a packet and sends it out of sequence to confuse
communicating devices.

The remaining four parts of the ESP are all encrypted during
transmission across the network. Those parts are as follows:

• The Payload Data is the actual data that is carried by the

• The Padding, from 0 to 255 bytes of data, allows certain types
of encryption algorithms to require the data to be a multiple of a
certain number of bytes. The padding also ensures that the text
of a message terminates on a four-byte boundary (an
architectural requirement within IP).

• The Pad Length field specifies how much of the payload is
padding rather than data.

• The Next Header field, like a standard IP Next Header field,
identifies the type of data carried and the protocol.
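
The six-part layout described above, as an added example that is not part of the original page: Python that assembles the region ESP would encrypt (payload, padding, pad length, next header) behind the cleartext SPI and sequence number, then parses it back. Encryption and the integrity check are left out so the layout stays visible; the 16-byte block size, the 1, 2, 3... padding pattern and the sample values are assumptions.

```python
import struct
from math import gcd

ESP_HEADER = struct.Struct("!II")     # SPI (32 bits), Sequence Number (32 bits)


def build_protected(payload, next_header, block_size=16):
    """Return payload + Padding + Pad Length + Next Header, the four parts
    that are encrypted. Padding brings the total to a multiple of both the
    cipher block size and the four-byte boundary."""
    align = block_size * 4 // gcd(block_size, 4)
    pad_len = -(len(payload) + 2) % align       # +2 for Pad Length and Next Header
    if pad_len > 255:
        raise ValueError("padding is limited to 0-255 bytes")
    padding = bytes(range(1, pad_len + 1))      # assumed pattern: 1, 2, 3, ...
    return payload + padding + bytes([pad_len, next_header])


def build_packet(spi, seq, payload, next_header, block_size=16):
    """Cleartext header followed by the protected region (left unencrypted
    here; a real sender encrypts it before transmission)."""
    return ESP_HEADER.pack(spi, seq) + build_protected(payload, next_header, block_size)


def parse_header(packet):
    """What any on-path observer can read: SPI, sequence number, and the
    length of the protected region."""
    if len(packet) < ESP_HEADER.size + 2:
        raise ValueError("too short to be an ESP packet")
    spi, seq = ESP_HEADER.unpack_from(packet)
    return spi, seq, packet[ESP_HEADER.size:]


def parse_trailer(protected):
    """What only the receiver sees after decryption: payload, pad length
    and next header. Malformed padding is rejected."""
    pad_len, next_header = protected[-2], protected[-1]
    if pad_len > len(protected) - 2:
        raise ValueError("pad length exceeds packet")
    body_end = len(protected) - 2 - pad_len
    padding = protected[body_end:-2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("unexpected padding bytes")
    return protected[:body_end], pad_len, next_header


def demo():
    # Constructed sample: SPI 0x1000, first packet, 13-byte payload, next header 6 (TCP).
    packet = build_packet(0x1000, 1, b"hello, world!", 6)
    spi, seq, protected = parse_header(packet)
    payload, pad_len, next_header = parse_trailer(protected)
    return {
        "spi": spi, "seq": seq, "protected_len": len(protected),
        "payload": payload, "pad_len": pad_len, "next_header": next_header,
    }


if __name__ == "__main__":
    print(demo())
```
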

Question 6:
Which options are filtering options used to display SDEE
message types? (choose two)

A. Error
B. None
C. All
D. Stop

SDEE Messages

• All— SDEE error, status, and alert messages are shown.

• Error—Only SDEE error messages are shown.

• Status—Only SDEE status messages are shown.

• Alerts—Only SDEE alert messages are shown

Question 7:
Which alert protocol is used with Cisco IPS Manager Express to
support up to 10 sensors?

C. Syslog

SDEE is used for real-time delivery of alerts, and is the most
secure method for delivering alerts. These can be sent to an
application running on a server. One example is the software
named IPS Manager Express (IME), which can run on a
workstation and be a central point of event viewing that can
support up to 10 sensors simultaneously. Other management
consoles, such as Cisco Security Manager (CSM), can also be
used and can support greater numbers of simultaneous
sensors. The upper limit of what is reasonable is about 25
sensors reporting to a single manager machine.

Reference: CCNA Security 210-260 Official Cert Guide, page 471

Question 8:
How can FirePOWER block malicious email attachments?

A. It sends an alert to the administrator to verify
suspicious email messages
B. It forwards email requests to an external signature
C. It scans inbound email messages for known bad URLs
D. It sends the traffic through a file policy

You configure the system to perform malware protection and
file control as part of your overall access control configuration.
File policies that you create and associate with access control
rules handle network traffic that matches the rules. You can
download files detected in that traffic, then submit them to
Cisco’s malware awareness network (called the Collective
Security Intelligence Cloud) for dynamic analysis.

Malicious software, or malware, can enter your organization’s
network via multiple routes. To help you identify and mitigate
the effects of malware, the FireSIGHT System’s file control,
network file trajectory, and advanced malware protection
components can detect, track, store, analyze, and optionally
block the transmission of malware and other types of files in
network traffic. The system can also analyze and act upon
nested files inside archive files (such as the archive file formats
.zip or .rar).

Question 9:
A clientless SSL VPN user who is connecting on a Windows Vista
computer is missing the menu option for Remote Desktop
Protocol on the portal web page. Which action should you take
to begin troubleshooting?
A. Ensure that RDP plug-in is installed on the VPN
B. Ensure that RDP 2 plug-in is installed on the VPN
C. Reboot the VPN Gateway
D. Instruct the user to reconnect to the VPN Gateway


RDP and RDP-2 Plug-In Usage
RDP plug-in: This is the original plug-in created that
contains both the Java and ActiveX Client.
RDP2 plug-in: Due to changes within the RDP protocol,
the Proper Java RDP Client was updated in order to
support Microsoft Windows 2003 Terminal Servers and
Windows Vista Terminal Servers.

Question 10:
Which Cisco Security Manager application collects information
about the device status and uses it to generate notifications and
A. Health and Performance Monitor
B. FlexConfig
C. Report Manager
D. Device Manager


Security Manager Applications Overview

The Security Manager client includes five main applications:

• Configuration Manager —This is the primary
application. You use Configuration Manager to manage
the device inventory, create and edit local and shared
policies, manage VPN configurations, and deploy
policies to devices. Configuration Manager is the largest
of the applications and most of the documentation
addresses this application. If a procedure does not
specifically mention an application, the procedure is
using Configuration Manager.
• Event Viewer —This is an event monitoring application,
where you can view and analyze events generated from
IPS, ASA, and FWSM devices that you have configured to
send events to Security Manager.
• Report Manager —This is a reporting application,
where you can view and create reports of aggregated
information on device and VPN statistics. Much of the
information is derived from events available through
Event Viewer, but some of the VPN statistics are
obtained by communicating directly with the device.
• Health & Performance Monitor —The HPM application
lets you monitor key health and performance data for
ASA (including ASA-SM) devices, IPS devices, and VPN
services by providing network-level visibility into device
status and traffic information. This ability to monitor key
network and device metrics lets you quickly detect and
resolve device malfunctions and bottlenecks in the
• Image Manager —The Image Manager application
provides complete image management of ASA devices. It
facilitates downloading, evaluating, analyzing, preparing,
and planning image updates. It assesses image
availability, compatibility, and impact on devices and
provides scheduling, grouping, and change
management of device updates. In addition, Image
Manager includes capabilities for maintaining an image
repository as well as for ensuring stable fallback and
recovery mechanisms for image updates on ASA

Question 11:
You have implemented a Sourcefire IPS and configured it to
block certain addresses utilizing Security Intelligence IP Address
Reputation. A user calls and is not able to access a certain IP
Address. What action can you take to allow the user access to
the IP address?

A. Create a rule to bypass inspection to allow the traffic
B. Create a user-based access control rule to allow the
traffic
C. Create a custom blacklist to allow the traffic
D. Create a network-based access control rule to allow
the traffic
E. Create a whitelist and add the appropriate IP address
to allow the traffic


When a blacklist is too broad in scope, or incorrectly blocks
traffic that you want to allow (for example, to vital resources),
you can override a blacklist with a custom whitelist.

Question 12:
Refer to the following commands:

authentication event fail action next-method

authentication event no-response action authorize vlan
authentication order mab dot1x webauth
authentication priority dot1x mab
authentication port-control auto
dot1x pae authenticator
If a supplicant supplies incorrect credentials for all
authentication methods configured on the switch, how will the
switch respond?

A. The switch will cycle through the configured
authentication methods indefinitely
B. The authentication attempt will time out and the
switch will place the port into VLAN 101
C. The supplicant will fail to advance beyond the
webauth method
D. The authentication attempt will time out and the
switch will place the port into unauthorized state


authentication event fail action next-method

Specifies that the next configured authentication method
will be used if authentication fails

authentication event no-response action authorize vlan 101

Specifies an active VLAN as a guest VLAN. The range is 1 to

You can configure any active VLAN except an internal VLAN
(routed port), an RSPAN VLAN, a private primary PVLAN, or a
voice VLAN as a guest VLAN.

authentication order mab dot1x webauth

Specifies the fallback order of authentication methods to be
used. The three values of method, in the default order, are
dot1x, mab, and webauth. The specified order also
determines the relative priority of the methods for
reauthentication, from highest to lowest.

authentication priority dot1x mab

Overrides the relative priority of authentication methods to
be used. The three values of method, in the default order of
priority, are dot1x, mab, and webauth.

authentication port-control auto

Enables 802.1X port-based authentication and causes the
port to begin in the unauthorized state, allowing only EAPOL
frames to be sent and received through the port. The
authentication process begins when the link state of the
port transitions from down to up or when an EAPOL-start
frame is received. The switch requests the identity of the
client and begins relaying authentication messages between
the client and the authentication server. Each client
attempting to access the network is uniquely identified by
the switch by using the client’s MAC address.

dot1x pae authenticator

Enables 802.1X authentication on the interface.

Question 13:
Which statement about personal firewalls is true?

A. They are resilient against kernel attacks
B. They can protect the network against attacks
C. They can protect a system by denying probing
D. They can protect email messages and private
documents in a similar way to a VPN


Common personal firewall features:

• Block or alert the user about all unauthorized inbound
or outbound connection attempts
• Allows the user to control which programs can and
cannot access the local network and/or Internet and
provide the user with information about an application
that makes a connection attempt
• Hide the computer from port scans by not responding
to unsolicited network traffic
• Monitor applications that are listening for incoming
• Monitor and regulate all incoming and outgoing Internet
• Prevent unwanted network traffic from locally installed
• Provide information about the destination server with
which an application is attempting to communicate
• Track recent incoming events, outgoing events, and
intrusion events to see who has accessed or tried to
access your computer.
• Personal Firewall blocks and prevents hacking attempt
or attack from hackers

Question 14:
Which type of PVLAN port allows hosts in the same VLAN to
communicate directly with each other?
A. Span for hosts in the PVLAN
B. Promiscuous for hosts in the PVLAN
C. Isolated for hosts in the PVLAN
D. Community for hosts in the PVLAN


There are three types of PVLAN ports: promiscuous, isolated,
and community.

• A promiscuous port communicates with all other PVLAN
ports. The promiscuous port is the port that you
typically use to communicate with external routers,
LocalDirectors, network management devices, backup
servers, administrative workstations, and other devices.
On some switches, the port to the route module (for
example, Multilayer Switch Feature Card [MSFC]) needs
to be promiscuous.
• An isolated port has complete Layer 2 separation from
other ports within the same PVLAN. This separation
includes broadcasts, and the only exception is the
promiscuous port. A privacy grant at the Layer 2 level
occurs with the block of outgoing traffic to all isolated
ports. Traffic that comes from an isolated port forwards
to all promiscuous ports only.
• Community ports can communicate with each other and
with the promiscuous ports. These ports have Layer 2
isolation from all other ports in other communities, or
isolated ports within the PVLAN. Broadcasts propagate
only between associated community ports and the
promiscuous port.

Question 15:
What is the default timeout interval during which a router waits
for responses from a TACACS server before declaring a timeout

A. 10 seconds
B. 5 seconds
C. 20 seconds
D. 15 seconds


Timeout interval in seconds. The value is from 1 through 1000.
The default is 5.

Question 16:
For what reason would you configure multiple security contexts
on the ASA firewall?

A. To enable the use of VRFs on routers that are
adjacently connected
B. To enable the use of multicast routing and QoS
through the Firewall
C. To provide redundancy and high availability within the
D. To separate different departments and business units


You might want to use multiple security contexts in the following

• You are a service provider and want to sell security
services to many customers. By enabling multiple
security contexts on the security appliance, you can
implement a cost-effective, space-saving solution that
keeps all customer traffic separate and secure, and also
eases configuration.
• You are a large enterprise or a college campus and want
to keep departments completely separate.
• You are an enterprise that wants to provide distinct
security policies to different departments.
• You have any network that requires more than one
security appliance.

Question 17
Which type of encryption technology has the broadest platform
support to protect operating systems?

A. Software
B. Hardware
C. Middleware
D. File-level


Coming soon…

Question 18
In which three cases does the ASA firewall permit inbound HTTP
GET requests during normal operations? (Choose three)

A. When matching ACL entries are configured
B. When the firewall requires strict HTTP inspection
C. When the firewall requires HTTP inspection
D. When matching NAT entries are configured
E. When the firewall receives a SYN packet
F. When the firewall receives a SYN-ACK packet

You can apply an access list to limit traffic from inside to outside,
or allow traffic from outside to inside.

HTTP Inspection

Question 19:
Refer to the following output:

configured, ipv4, sane, valid, stratum 2
ref ID , time D7AD124D.9D6FC576 (03:17:3
our mode client, peer mode server, our poll intvl 64,
root delay 46.34 msec, root disp 23.52, reach 1, sync
delay 63.27msec, offset 7.9817 msec, dispersion 107.56
precision 2**23, version 4

configured, ipv4, sane, valid, stratum 2
ref ID, time D7AD1419.9EB5272B (03:
our mode client, peer mode server, our poll intvl 64,
root delay 30.83 msec, root disp 4.88, reach 1, sync d
delay 58.68msec, offset 6.4331 msec, dispersion 187.55
precision 2**20, version 4

configured, ipv4, our_master, sane, valid
ref ID , time D7AD0D8F.AE79A23A (02:57:1
our mode client, peer mode server, our poll intvl 64,
root delay 86.45 msec, root disp 87.82, reach 377, syn
delay 0.89 msec, offset 19.5087 msec, dispersion 1.69,
precision 2**32, version 4

With which NTP server has the router synchronized?



Output is from the following command:

show ntp association detail

configured – This NTP clock source has been configured to be a
server. This value can also be dynamic, where the peer/server
was dynamically discovered.

our_master – The local client is synchronized to this peer.

Question 20:
What is an advantage of implementing a Trusted Platform
Module for disk encryption?

A. It supports a more complex encryption algorithm
than other disk encryption technologies
B. It provides hardware authentication
C. It allows the hard disk to be transferred to another
device with requiring re-encryption
D. It can protect against single point of failure

Trusted Platform Module (or TPM) is an international standard
for a secure cryptoprocessor, which is a dedicated
microcontroller designed to secure hardware by integrating
cryptographic keys into devices.

One feature of Trusted Platform Module is Disk Encryption:

Full disk encryption applications, such as SecureDoc,
dm-crypt in modern Linux kernels, and BitLocker Drive
Encryption in some versions of Microsoft Windows, can
use this technology to protect the keys used to encrypt
the computer’s hard disks and provide integrity
authentication for a trusted boot pathway (for example
BIOS, boot sector, etc.) A number of third-party full-disk
encryption products also support TPM.

Question 21
What is the effect of the following command?

send-lifetime local 23:59:00 Dec 31 2013 infinite

A. It configures the device to begin transmitting the
authentication key to other devices at the 00:00:00 local
time on January 1, 2014 and continue using the key
indefinitely.
B. It configures the device to begin transmitting the
authentication key to other devices at the 23:59:00 local
time on December 31, 2013 and continue using the key
indefinitely.
C. It configures the device to begin accepting the
authentication key from other devices immediately and
stop accepting the key at the 23:59:00 local time on
December 31, 2013.
D. It configures the device to generate a new
authentication key and transmit it to other devices at
23:59:00 local time on December 31, 2013.
E. It configures the device to begin accepting the
authentication key from other devices at the 23:59:00
local time on December 31, 2013 and continue accepting
the key indefinitely.
F. It configures the device to begin accepting the
authentication key from other devices at the 00:00:00
local time on January 1, 2014 and continue accepting the
key indefinitely.


To set the time period during which an authentication key on a
key chain is valid to be sent, use the send-lifetime command in
key chain key configuration mode.

send-lifetime start-time {infinite | end-time | duration seconds}

Question 22:
What is one requirement for locking a wired or wireless device
from the ISE?

A. The organization must implement an acceptable use
policy allowing device locking
B. The user must approve the locking action
C. The ISE Agent must be installed on the device
D. The device must be connected to the network when
the lock command is executed


Sorry, no reference yet

Question 23:
What is the FirePOWER impact flag used for?

A. A value that indicates the potential severity of an
B. A value that measures the application awareness
C. A value that sets the priority of a signature
D. A value that administrator assigns to each signature

Impact flags help you evaluate the impact an intrusion has on
your network by correlating intrusion data, network discovery
data, and vulnerability information.

Question 24:
A proxy firewall protects against which type of attack?

A. Port scanning
B. Worm traffic
C. Cross-site scripting attack
D. DDoS attack

Today, Cisco is extending its solution for Application Networking
Services (ANS)-Cisco Application Control Engine (ACE) family of
products-with the addition of the Cisco ACE Web Application
Firewall. The main component of this solution is the ACE Web
Application Firewall appliance in a convenient 1 RU form factor
that provides a full-proxy firewall solution for both HTML and
XML-based Web applications.

ACE Web Application Firewall secures and protects web
applications from common attacks, such as identity theft, data
theft, application disruption, fraud and targeted attacks. These
attacks may include cross-site scripting (XSS) attacks, SQL and
command injection, privilege escalation, cross-site request
forgeries (CSRF), buffer overflows, cookie tampering, and denial
of services (DoS) attacks.

Question 25:
When an administrator initiates a device wipe command from
the ISE, what is the immediate effect?

A. It requests the administrator to choose between
erasing all device data or only managed corporate data.
B. It requests the administrator to enter the device PIN
or password before proceeding with the operation.
C. It notifies the device user and proceeds with the erase
D. It immediately erases all data on the device.


Sorry, no reference yet
Question 26
What is an advantage of placing an IPS on the inside of a

A. It can provide greater security
B. It receives every inbound packet
C. It receives traffic that has already been filtered
D. It can provide higher throughput



Question 27:
What improvement does EAP-FASTv2 provide over EAP-FAST

A. It supports more secure encryption protocols
B. It addresses security vulnerabilities found in the
original protocol
C. It allows multiple credentials to be passed in a single
EAP exchange
D. It allows faster authentication by using fewer packets


As an enhancement to EAP-FAST, a differentiation was made to
have a user PAC and a machine PAC. After a successful machine
authentication, ISE issues a machine-PAC to the client. Then,
when processing a user authentication, ISE requests the
machine-PAC to prove that the machine was successfully
authenticated, too. This is the first time in 802.1X history that
multiple credentials have been able to be authenticated within a
single EAP transaction, and it is known as EAP chaining.

Question 28:
What type of attack was the Stuxnet virus?

A. Social Engineering
B. Botnet
C. Cyber warfare
D. Hacktivism


Stuxnet is a malicious computer worm, first identified in 2010
but thought to be in development since at least 2005, that
targets industrial computer systems and was responsible for
causing substantial damage to Iran’s nuclear program. Although
neither country has admitted responsibility, the worm is now
generally acknowledged to be a jointly built American-Israeli

Question 29:
Which statement about communication over failover interfaces
is true?
A. All information that is sent over the failover and
stateful failover interface is sent as clear text by default.
B. All information that is sent over the failover interface
is sent as clear text but the stateful failover link is
encrypted by default.
C. All information that is sent over the failover and
stateful failover interfaces is encrypted by default.
D. User names, passwords, and preshared keys are
encrypted by default when they are sent over the
failover and stateful failover interfaces, but other
information is sent as clear text.


All information sent over the failover and Stateful Failover links
is sent in clear text unless you secure the communication with a
failover key.

Question 30:
What is the only permitted operation for processing multicast
traffic on zone-based firewalls?

A. Only control-plane policing can protect the control
plane against multicast traffic
B. Stateful inspection of multicast traffic is supported
only for the internal zone
C. Stateful inspection of multicast traffic is supported
only for the self-zone
D. Stateful Inspection for multicast traffic is supported
only between the self-zone and the internal zone


Neither Cisco IOS ZFW nor Classic Firewall includes stateful
inspection support for multicast traffic.

Question 31
Which option is the most effective placement of an IPS device
within the infrastructure?

A. Inline, before the internet router and the firewall
B. Inline, behind the internet router and the firewall
C. Promiscuously, before the internet router and the
D. Promiscuously, behind the internet router and the


One can make an argument either way in certain use cases, but
the generally accepted practice is to put an IDS/IPS after the
firewall (from the point of view of incoming traffic – i.e. closer to
the interior or private network).

Firewalls are generally designed to be on the network perimeter
and can handle dropping a lot of the non-legitimate traffic
(attacks, scans etc.) very quickly at the ingress interface, often in

An IDS/IPS is, generally speaking, doing more deep packet
inspections and that is a much more computationally expensive
undertaking. For that reason, we prefer to filter what gets to it
with the firewall line of defense before engaging the IDS/IPS to
analyze the traffic flow.

In an even more protected environment, we would also put a
first line of defense in ACLs on an edge router between the
firewall and the public network(s).

Question 32:
Which statement about Cisco ACS authentication and
authorization is true?

A. ACS can query multiple Active Directory Domains

B. ACS can use only one authentication profile to allow
or deny requests
C. ACS use TACACS to proxy the other authentication
D. ACS Server can be clustered to provide scalability

An ACS deployment may consist of a single instance, or multiple
instances deployed in a distributed manner, where all instances
in a system are managed centrally.

Question 33
Which type of address translation should be used when a Cisco
ASA is in transparent mode?

A. Static NAT
B. Overload
C. Dynamic NAT
D. Dynamic PAT


Question 34:
What hash type does Cisco use to validate the integrity of
downloaded images?

B. MD1
D. MD5


The MD5 File Validation feature, added in Cisco IOS Software
Releases 12.2(4)T and 12.0(22)S, allows network administrators
to calculate the MD5 hash of a Cisco IOS software image file that
is loaded on a device. It also allows administrators to verify the
calculated MD5 hash against that provided by the user. Once the
MD5 hash value of the installed Cisco IOS image is determined,
it can also be compared with the MD5 hash provided by Cisco to
verify the integrity of the image file.

Question 35:
What PAT configuration command allows it to use the next IP in
the dynamic pool instead of the next port?

A. Next IP
B. Round Robin
C. Dynamic rotation
D. Dynamic PAT rotation


For a PAT pool, you can specify one or more of the following

• Round robin—The round-robin keyword enables round-robin
address allocation for a PAT pool. Without round
robin, by default all ports for a PAT address will be
allocated before the next PAT address is used. The
round-robin method assigns an address/port from each
PAT address in the pool before returning to use the first
address again, and then the second address, and so on.
• Extended PAT
• Flat range

Question 36:
Your security team has discovered a malicious program that has
been harvesting the CEO’s e-mail messages and the company’s
user database for the last 6 months. What type of attack did
your team discover? (Choose two)

A. Drive-by malware
B. Targeted malware
C. Social activism
D. Advanced persistent threat
E. Email harvesting


An advanced persistent threat is a set of stealthy and
continuous computer hacking processes, often orchestrated by
human(s) targeting a specific entity. An APT usually targets
organizations and/or nations for business or political motives.
APT processes require a high degree of covertness over a long
period of time.

Email harvesting is the process of obtaining lists of email
addresses using various methods for use in bulk email or other
purposes usually grouped as spam.

Question 37
Which two statements about stateless firewalls are true?
(choose two)

A. They cannot track connection
B. Cisco cannot implement them because the platform is
stateful by nature
C. They are designed to work efficiently with stateless
protocols such as HTTP or HTTPS
D. The Cisco ASA is implicitly stateless because it blocks
all traffic by default
E. They compare 5-tuple of each incoming packet
against configurable tables


A 5-tuple refers to a set of five different values that comprise a
Transmission Control Protocol/Internet Protocol (TCP/IP)
connection. It includes a source IP address/port number,
destination IP address/port number and the protocol in use.

Question 38
What are the primary attack methods of VLAN hopping? (Choose

A. Switch spoofing
B. Double tagging
C. CAM-table overflow
D. VoIP hopping

VLAN hopping is a computer security exploit, a method of
attacking networked resources on a Virtual LAN (VLAN). The
basic concept behind all VLAN hopping attacks is for an
attacking host on a VLAN to gain access to traffic on other VLANs
that would normally not be accessible. There are two primary
methods of VLAN hopping: switch spoofing and double tagging.
Both attack vectors can be easily mitigated with proper
switchport configuration.

Question 39:
Which two services define cloud networks? (Choose two.)

A. Compute as a Service
B. Platform as a Service
C. Infrastructure as a Service
D. Security as a Service
E. Tenancy as a Service


A cloud can provide access to software applications such as
email or office productivity tools (the Software as a Service, or
SaaS, service model), or can provide a toolkit for customers to
use to build and operate their own software (the Platform as a
Service, or PaaS, service model), or can provide network access
to traditional computing resources such as processing power
and storage (the Infrastructure as a Service, or IaaS, service
model). The different service models have different strengths
and are suitable for different customers and business
objectives. Generally, interoperability and portability of
customer workloads is more achievable in the IaaS service
model because the building blocks of IaaS offerings are
relatively well-defined, e.g., network protocols, CPU instruction
sets, legacy device interfaces.

Click here to see Reference

Question 40:
What features can protect the data plane? (Choose three)

A. antispoofing
D. QoS
E. policing
F. DHCP snooping


Data plane security can be implemented using the following

• Access control lists: Access control lists (ACLs) perform
packet filtering to control which packets move through
the network and where.
• Antispoofing: ACLs can be used as an antispoofing
mechanism that discards traffic that has an invalid
source address.
• Layer 2 security features: Cisco Catalyst switches have
integrated features to help secure the Layer 2
infrastructure. The following are Layer 2 security tools
integrated into the Cisco Catalyst switches:
    • Port security: Prevents MAC address spoofing
    and MAC address flooding attacks
    • DHCP snooping: Prevents client attacks on the
    Dynamic Host Configuration Protocol (DHCP)
    server and switch
    • Dynamic ARP inspection (DAI): Adds security to
    ARP by using the DHCP snooping table to
    minimize the impact of ARP poisoning and
    spoofing attacks
    • IP source guard: Prevents IP spoofing addresses
    by using the DHCP snooping table

You can check the book “CCNA Security 210-260 Official Cert Guide”
for reference

Question 41:
Which two statements about Telnet access to the ASA are true?
(Choose two)
A. You may VPN to the lowest security interface to telnet
to an inside interface
B. You must configure a AAA server to enable Telnet
C. You can access all interfaces on an ASA using telnet
D. Best practice is to disable Telnet and use SSH
E. You must use the command virtual telnet to enable


Sorry, no reference has been found yet
Question 42:
Which three statements about host-based IPS are true? (Choose

A. It can be deployed at the perimeter
B. It works with deployed firewalls
C. It can have more restrictive policies than network
based IPS
D. It uses signature-based policies
E. It can view encrypted files
F. It can generate alerts based on behavior at the
desktop level

If the network traffic stream is encrypted, HIPS has access to the
traffic in unencrypted form.

A significant advantage of HIPS is that it can monitor operating
system processes and protect critical system resources,
including files that may exist only on that specific host.

HIPS improves the security of hosts and servers by using rules
that control operating system and network stack behavior.
Processor control limits activity such as buffer overflows,
Registry updates, writes to the system directory, and the
launching of installation programs.

Cisco Security Agent (CSA) is signature-free, which reduces the
maintenance required to be performed on that software.

Click here to see Reference

Depending on where the NIPS is located within the network, the
rules and policies cannot be as restrictive as a HIPS.

Click here to see Reference

Question 43
Which statements about smart tunnels on a Cisco firewall are
true? (Choose two)

A. Smart Tunnel offers better performance than port

B. Smart Tunnel require the client to have application
C. Smart Tunnel can be used by clients that do not have
administrator privileges
D. Smart Tunnel supports all operating systems


Smart tunnel access allows a client TCP-based application to use
a browser-based VPN connection to connect to a service. It
offers the following advantages to users, compared to plugins
and the legacy technology, port forwarding:

• Smart tunnel offers better performance than plug-ins.
• Unlike port forwarding, smart tunnel simplifies the user
experience by not requiring the user connection of
the local application to the local port.
• Unlike port forwarding, smart tunnel does not require
users to have administrator privileges.

Click here to see Reference

Question 44
What can the SMTP preprocessor in FirePOWER normalize?

A. It can lookup the email sender

B. It compares known threats to the email sender
C. It can extract and decode email attachments in client
to server traffic
D. It uses Traffic Anomaly Detector
E. It can forward the SMTP traffic to an email filter server


The SMTP preprocessor instructs the rules engine to normalize
SMTP commands. The preprocessor can also extract and decode
email attachments in client-to-server traffic and, depending on
the software version, extract email file names, addresses, and
header data to provide context when displaying intrusion events
triggered by SMTP traffic.
Click here to see Reference

Question 45
What is the purpose of a honeypot IPS?

A. To collect information about attacks

B. To create customized policies
C. To detect unknown attacks
D. To normalize streams

Honeypot systems use a dummy server to attract attacks. The
purpose of the honeypot approach is to distract attacks away
from real network devices. By staging different types of
vulnerabilities in the honeypot server, you can analyze incoming
types of attacks and malicious traffic patterns. You can use this
analysis to tune your sensor signatures to detect new types of
malicious network traffic.

Click here to see Reference

Question 46
How does a device on a network using ISE receive its digital
certificate during the new device registration process?

A. ISE acts as a SCEP proxy to enable the device to
receive a certificate from a central CA server
B. ISE issues a certificate from its internal CA server
C. ISE issues a pre-defined certificate from a local
D. The device requests a new certificate directly from a
central CA

Configure ISE as a SCEP Proxy

In a BYOD deployment, the endpoint does not communicate
directly with the backend NDES server. Instead, the ISE policy
node is configured as a SCEP proxy and communicates with the
NDES server on behalf of the endpoints. The endpoints
communicate directly with the ISE. The IIS instance on the NDES
server can be configured in order to support HTTP and/or HTTPS
bindings for the SCEP virtual directories.

Click here to see Reference

Question 47
In a security context, which action can you take to address

A. Implement rules to prevent a vulnerability

B. Correct or counteract a vulnerability
C. Reduce the severity of a vulnerability
D. Follow directions from the security appliance
manufacturer to remediate a vulnerability

Prime Infrastructure allows you to define device configuration
baselines and audit policies so you can find and correct any
configuration deviations in your network devices. You can
schedule a compliance audit against multiple configuration files
and get an audit report that indicates if any configurations
deviate from the specified baseline.

To perform a compliance audit against the devices in your
network, complete the following steps:

1. Complete the prerequisites for Compliance Services.

2. Define a compliance policy, which includes rules, conditions,
and fixes.

3. Group policies into policy profiles.

4. Run the policy against the specified device(s), either
immediately or at a specified time.

Prime Infrastructure compares the device’s running
configuration, or any show commands, with the content
specified in the policy, detects any violations, and creates a

5. View the audit compliance report to view and fix any

The Compliance Services feature is supported on wired devices
only. You cannot perform a compliance audit against wireless
devices. You can generate PSIRT and EOX reports for wireless
Click here to see Reference

Question 48
What configuration allows AnyConnect to automatically
establish a VPN session when a user logs into the computer?
A. Always-on
B. Proxy
C. Transparent Mode
D. Trusted Network Detection


Always-on VPN

You can configure AnyConnect to establish a VPN session
automatically after the user logs in to a computer. The VPN
session remains open until the user logs out of the computer,
or the session timer or idle session timer expires. The group
policy assigned to the session specifies these timer values. If
AnyConnect loses the connection with the ASA, the ASA and the
client retain the resources assigned to the session until one of
these timers expires. AnyConnect continually attempts to
reestablish the connection to reactivate the session if it is still
open; otherwise, it continually attempts to establish a new
VPN session.

Click here to see Reference

Question 49
A specific URL has been identified as containing malware. What
action can you take to block users from accidentally visiting the
URL and becoming infected with malware?

A. Enable URL filtering on the perimeter router and add
the URLs you want to block to the router’s local URL list.
B. Enable URL filtering on the perimeter firewall and add
the URLs you want to allow to the router’s local URL list.
C. Enable URL filtering on the perimeter router and add
the URLs you want to allow to the firewall’s local URL list
D. Create a blacklist that contains the URL you want to
block and activate the blacklist on the perimeter router.
E. Create a whitelist that contains the URLs you want to
allow and activate the whitelist on the perimeter router.


URL filtering allows you to control access to Internet websites by
permitting or denying access to specific websites based on
information contained in an URL list. You can maintain a local
URL list on the router, and you can use URL lists stored on
Websense or Secure Computing URL filter list servers. URL
filtering is enabled by configuring an Application Security policy
that enables it.

Click here to see Reference

Question 50
Refer to the following output:

dst src state conn-id slot
MM_NO_STATE 1 0
While troubleshooting site-to-site VPN, you issued the show
crypto isakmp sa command. What does the given output show?

A. IKE Phase 1 main mode was created on, but

failed to negotiate with
B. IKE Phase 1 main mode has successfully negotiated
between and
C. IKE Phase 1 aggressive mode was created on,
but it failed to negotiate with
D. IKE Phase 1 aggressive has successfully negotiated
between and


Processing of Main Mode Failed with Peer

This is an example of the Main Mode error message. The

1d00h: ISAKMP (0:1): atts are not acceptable. Next pay
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main
peer at
A show crypto isakmp sa command shows the ISAKMP SA to
dst src state conn-id slot
MM_NO_STATE 1 0

Click here to see Reference

Question 51
After reloading a router, you issue the dir command to verify the
installation and observe that the image file appears to be
missing. For what reason could the image file fail to appear in
the dir output?

A. The secure boot-image command is configured
B. The secure boot-comfit command is configured
C. The confreg 0x24 command is configured
D. The reload command was issued from ROMMON


secure boot-image
To enable Cisco IOS image resilience, use the secure boot-image
command in global configuration mode. To disable Cisco IOS
image resilience and release the secured image so that it can be
safely removed, use the no form of this command.

This command enables or disables the securing of the running
Cisco IOS image. The following two possible scenarios exist with
this command.

When turned on for the first time, the running image (as
displayed in the show version command output) is secured, and
a syslog entry is generated. This command will function properly
only when the system is configured to run an image from a disk
with an Advanced Technology Attachment (ATA) interface.
Images booted from a TFTP server cannot be secured. Because
this command has the effect of “hiding” the running image,
the image file will not be included in any directory listing of
the disk. The no form of this command releases the image so
that it can be safely removed.

To upgrade the image archive to the new running image, reenter
this command from the console. A message will be displayed
about the upgraded image. The old image is released and will be
visible in the dir command output.

Be careful when copying new images to persistent storage
because the existing secure image name might conflict with the
new image. To verify the name of the secured archive, run the
show secure bootset command and resolve any name conflicts
with the currently secured hidden image.

Click here to see Reference

Question 52
Which type of mirroring does SPAN technology perform?

A. Local mirroring over Layer 2

B. Remote mirroring over Layer 2
C. Remote mirroring over Layer 3
D. Local mirroring over Layer 3


You can analyze network traffic passing through ports by using
SPAN to send a copy of the traffic to another port on the switch
that has been connected to a SwitchProbe device or other
Remote Monitoring (RMON) probe or security device. SPAN
mirrors received or sent (or both) traffic on one or more source
ports to a destination port for analysis.

Each local SPAN session destination session must have a
destination port (also called a monitoring port) that receives a
copy of traffic from the source port.

The destination port has these characteristics:

• It must reside on the same switch as the source port (for a local
SPAN session).
• It can be any Ethernet physical port.
• It cannot be a source port or a reflector port.
• It cannot be an EtherChannel group or a VLAN.
• It can be a physical port that is assigned to an EtherChannel
group, even if the EtherChannel group has been specified as a
SPAN source. The port is removed from the group while it is
configured as a SPAN destination port.
• The port does not transmit any traffic except that required for
the SPAN session.
• If ingress traffic forwarding is enabled for a network security
device, the destination port forwards traffic at Layer 2.
• It does not participate in spanning tree while the SPAN session
is active.
• When it is a destination port, it does not participate in any of
the Layer 2 protocols (STP, VTP, CDP, DTP, PagP, or LACP).
• No address learning occurs on the destination port.
• A destination port receives copies of sent and received traffic
for all monitored source ports. If a destination port is
oversubscribed, it could become congested. This could affect
traffic forwarding on one or more of the source ports.

Click here to see Reference

Question 53
How does PEAP protect the EAP exchange?

A. It encrypts the exchange using the server certificate
B. It encrypts the exchange using the client certificate
C. It validates the server-supplied certificate, and then
encrypts the exchange using the client side certificate.
D. It validates the client-supplied certificate, and then
encrypts the exchange using the server certificate.


The Protected Extensible Authentication Protocol, also known as
Protected EAP or simply PEAP, is a protocol that encapsulates
the Extensible Authentication Protocol (EAP) within an encrypted
and authenticated Transport Layer Security (TLS) tunnel.[1][2][3][4]
The purpose was to correct deficiencies in EAP; EAP assumed
a protected communication channel, such as that provided by
physical security, so facilities for protection of the EAP
conversation were not provided.

PEAP is similar in design to EAP-TTLS, requiring only a server-side
PKI certificate to create a secure TLS tunnel to protect user
authentication, and uses server-side public key certificates to
authenticate the server. It then creates an encrypted TLS tunnel
between the client and the authentication server. In most
configurations, the keys for this encryption are transported
using the server’s public key. The ensuing exchange of
authentication information inside the tunnel to authenticate the
client is then encrypted and user credentials are safe from
Click here to see Reference

Question 54
Refer to the following commands:

tacacs server tacacs1

address ipv4
timeout 20

tacacs server tacacs2

address ipv4
timeout 20

tacacs server tacacs3

address ipv4
timeout 20

Which statement about the given configuration is true?

A. The single-connection command causes the device to

establish one connection for all TACACS translations.
B. The single-connection command causes the device to
process one TACACS request and then move to the next
C. The timeout command causes the device to move to
the next server after 20 seconds of TACACS inactivity
D. The router communicates with the NAS on the default
port, TCP 1645



single-connection - (Optional) Maintains a single open

Click here to see Reference

Question 55
syslog severity level

0 Emergency : system is unusable

1 Alert : action must be taken imme

2 Critical : critical conditions

3 Error : error conditions

4 Warning : warning conditions

5 Notice : normal but significant co

6 Informational : informational messages

7 Debug : debug-level messages

Question 56
Which feature of the Cisco Email Security Appliance can mitigate
the impact of snowshoe spam and sophisticated phishing

A. Contextual analysis
B. Holistic understanding of threats
C. Graymail management and filtering
D. Signature-based IPS


Threat-Centric Security
The Email Security Appliance is the industry’s first proven
zero-hour antivirus solution. It offers a best-in-class capability to
control and encrypt sensitive outbound email. At the same time,
its layered defense, built into a single appliance, quickly blocks
incoming attacks.
It provides:

• Contextual analysis against phishing and snowshoe
spam attacks
• A superior spam-capture rate (more than 99 percent)
with few false positives (less than one in one million)
• File reputation, dynamic analysis (sandboxing), and
retrospective security with Cisco AMP Threat Grid
• Graymail management and web interaction tracking

Click here to see Reference

Question 57
Which Sourcefire logging action should you choose to record the
most detail about a connection?

A. Enable logging at the end of the session

B. Enable logging at the beginning of the session
C. Enable alerts via SNMP to log events off-box
D. Enable eStreamer to log events off-box


Beginning-of-Connection Events – Contain only information
that can be determined in the first packet (or the first few
packets, if event generation depends on application or URL
identification)

End-of-Connection Events – Contain all information in the
beginning-of-connection event, plus information determined by
examining traffic over the duration of the session, for example,
the total amount of data transmitted or the timestamp of the
last packet in the connection

Click here to see Reference

Question 58
Which command initializes a lawful intercept view?

A. li-view cisco user cisco1 password cisco

B. username cisco1 view lawful-intercept passwo

C. parser view cisco li-view

D. parser view li-view inclusive




To initialize a lawful intercept view, use the li-view command in
global configuration mode.

li-view li-password user username password password

Click here to see Reference


5 Replies to “CCNA Security 210-260 Dump + Explanation

free robux generator

November 15, 2017 at 5:44 pm

Very interesting points you have remarked, appreciate it for putting



Rosa Platter
November 23, 2017 at 9:00 pm
I conceive you have mentioned some very interesting details ,
appreciate it for the post.


golf clash hack ios

November 26, 2017 at 8:05 am

Hello, here from bing, I'm enjoying this, will come back again.


sims 4 cats and dogs activation key free

December 7, 2017 at 9:46 am

Good Morning, google lead me here, keep up good work.


December 8, 2017 at 11:15 am

Thank you guys, if you have any ideas or any interesting things to
share, please let me know via my e-mail :

I will retain the source, I always respect the author.

