Which statement about Cisco ACS authentication and authorization is true?
A.
ACS servers can be clustered to provide scalability.
B.
ACS can query multiple Active Directory domains.
C.
ACS uses TACACS to proxy other authentication servers.
D.
ACS can use only one authorization profile to allow or deny requests.
Isnt B true?
0
0
of course not stupid
0
0
I have already passed 210-260 certification exam yesterday….Scored 984/1000 in US! Many new exam questions added into the 2017 210-260 test! So I just come here to share with your guys and wish more 210-260 candidates can pass easily!
Good Luck for your all!
QUESTION 181
A data breach has occurred and your company database has been copied. Which security principle has been violated?
A. Confidentiality
B. Access
C. Control
D. Availability
Answer: A
QUESTION 182
If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must be in use?
A. BPDU guard
B. portfast
C. EherCahannel guard
D. loop guard
Answer: A
Explanation:
The key here is the word ‘switch’. The entire switch goes into a blocked state, meaning that it can’t participate in STP, it is blocked. Root guard basically puts the port in a listening state rather than forwarding, still allowing the device to participate in STP.
QUESTION 183
What is the primary purposed of a defined rule in an IPS?
A. to detect internal attacks
B. to define a set of actions that occur when a specific user logs in to the system
C. to configure an event action that is pre-defined by the system administrator
D. to configure an event action that takes place when a signature is triggered.
Answer: C
Explanation:
Defined rules are defined by the sysadmin, Event Action Rules take place when an event triggers an action.
QUESTION 184
How does PEAP protect EAP exchange?
A. it encrypts the exchange using the client certificate.
B. it validates the server-supplied certificate and then encrypts the exchange using the client certificate
C. it encrypts the exchange using the server certificate
D. it validates the client-supplied certificate and then encrypts the exchange using the server certificate.
Answer: C
Explanation:
The client certificate is not used for encryption with PEAP.
QUESTION 185
How can firepower block malicious email attachments?
A. It forwards email requests to an external signature engine
B. It sends the traffic through a file policy
C. It scans inbound email messages for known bad URLs
D. It sends an alert to the administrator to verify suspicious email messages
Answer: B
QUESTION 186
A proxy firewall protects against which type of attacks?
A. DDoS
B. port scanning
C. worm traffic
D. cross-site scripting attacks
Answer: D
QUESTION 187
Which three statements are characteristics of DHCP Spoofing? (Choose three.)
A. Arp Poisoning
B. Modify Traffic in transit
C. Used to perform man-in-the-middle attack
D. Physically modify the network gateway
E. Protect the identity of the attacker by masking the DHCP address
F. Can access most network devices
Answer: BCD
Explanation:
In DHCP spoofing attacks, the attacker takes over the DHCP server role and can serve IP addresses and his IP address as default gateway. By doing that he performs a man-in-the-middle attack, and because all the traffic passes through his computer he can modify traffic in transit and he physically changed the default gateway.
QUESTION 188
In which two situations should you use in-band management? (Choose two)
A. when a network device fails to forward packets
B. when management applications need concurrent access to the device
C. when you require ROMMON access
D. when you require administrator’s access from multiple locations
E. when the control plane fails to respond
Answer: BD
QUESTION 189
Which three statements describe DHCP spoofing attacks? (Choose three.)
A. They can modify traffic in transit.
B. They are used to perform man-in-the-middle attacks.
C. They use ARP poisoning.
D. They can access most network devices.
E. They protect the identity of the attacker by masking the DHCP address.
F. They are can physically modify the network gateway.
Answer: ABF
QUESTION 190
What security feature allows a private IP address to access the Internet by translating it to a public address?
A. NAT
B. hairpinning
C. Trusted Network Detection
D. Certification Authority
Answer: A
QUESTION 191
Which Sourcefire event action should you choose if you want to block only malicious traffic
from a particular end user?
A. Allow with inspection
B. Allow without inspection
C. Block
D. Trust
E. Monitor
Answer: A
QUESTION 192
Which two NAT types allows only objects or groups to reference an IP address? (choose two)
A. dynamic NAT
B. dynamic PAT
C. static NAT
D. identity NAT
Answer: AC
Explanation:
Adding Network Objects for Mapped Addresses
For dynamic NAT, you must use an object or group for the mapped addresses. Other NAT types have the option of using inline addresses, or you can create an object or group according to this section.
* Dynamic NAT:
+ You cannot use an inline address; you must configure a network object or group.
+ The object or group cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
+ If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback.
* Dynamic PAT (Hide):
+ Instead of using an object, you can optionally configure an inline host address or specify the interface address.
+ If you use an object, the object or group cannot contain a subnet; the object must define a host, or for a PAT pool, a range; the group (for a PAT pool) can include hosts and ranges.
* Static NAT or Static NAT with port translation:
+ Instead of using an object, you can configure an inline address or specify the interface address (for static NAT-with-port-translation).
+ If you use an object, the object or group can contain a host, range, or subnet.
* Identity NAT
+ Instead of using an object, you can configure an inline address.
+ If you use an object, the object must match the real addresses you want to translate.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ nat_objects.html#61711
QUESTION 193
Which feature allows a dynamic PAT pool to select the next address in the PAT pool instead of the next port of an existing address?
A. next IP
B. round robin
C. dynamic rotation
D. NAT address rotation
Answer: B
QUESTION 194
Which line in the following OSPF configuration will not be required for MD5 authentication to work?
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CCNA
!
router ospf 65000
router-id 192.168.10.1
area 20 authentication message-digest
network 10.1.1.0 0.0.0.255 area 10
network 192.168.10.0 0.0.0.255 area 0
!
A. ip ospf authentication message-digest
B. network 192.168.10.0 0.0.0.255 area 0
C. area 20 authentication message-digest
D. ip ospf message-digest-key 1 md5 CCNA
Answer: C
QUESTION 195
Which of the following pairs of statements is true in terms of configuring MD authentication?
A. Interface statements (OSPF, EIGRP) must be configured; use of key chain in OSPF
B. Router process (OSPF, EIGRP) must be configured; key chain in EIGRP
C. Router process (only for OSPF) must be configured; key chain in EIGRP
D. Router process (only for OSPF) must be configured; key chain in OSPF
Answer: C
QUESTION 196
Which component of CIA triad relate to safe data which is in transit.
A. Confidentiality
B. Integrity
C. Availability
D. Scalability
Answer: B
Explanation:
Integrity: Integrity for data means that changes made to data are done only by authorized individuals/systems.
Corruption of data is a failure to maintain data integrity.
QUESTION 197
Which command help user1 to use enable,disable,exit&etc commands?
A. catalyst1(config)#username user1 privilege 0 secret us1pass
B. catalyst1(config)#username user1 privilege 1 secret us1pass
C. catalyst1(config)#username user1 privilege 2 secret us1pass
D. catalyst1(config)#username user1 privilege 5 secret us1pass
Answer: A
Explanation:
To understand this example, it is necessary to understand privilege levels.
By default, there are three command levels on the router:
+ privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
+ privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
+ privilege level 15 — Includes all enable-level commands at the router# prompt.
http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/23383-showrun.html
QUESTION 198
Command ip ospf authentication key 1 is implemented in which level.
A. Interface
B. process
C. global
D. enable
Answer: A
Explanation:
Use the ip ospf authentication-key interface command to specify this password. If you enable MD5 authentication with the message-digest keyword, you must configure a password with the ip ospf message- digest-key interface command.
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CCNA
Cisco Official Certification Guide, Implement Routing Update Authentication on OSPF, p.348 The OSPFv2 Cryptographic Authentication feature allows you to configure a key chain on the OSPF interface to authenticate OSPFv2 packets by using HMAC-SHA algorithms. You can use an existing key chain that is being used by another protocol, or you can create a key chain specifically for OSPFv2.
If OSPFv2 is configured to use a key chain, all MD5 keys that were previously configured using the ip ospf message-digest-key command are ignored.
Device> enable
Device# configure terminal
Device(config)# interface GigabitEthernet0/0/0
Device (config-if)# ip ospf authentication key-chain sample1
Device (config-if)# end
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-3s/iro-xe-3s-book/iro-ospfv2-crypto-authen-xe.html
In both cases OSPF and OSPFv1 the ip ospf authentication is inserted at interface level
QUESTION 199
Which are two valid TCP connection states (pick 2) is the gist of the question.
A. SYN-RCVD
B. Closed
C. SYN-WAIT
D. RCVD
E. SENT
Answer: AB
Explanation:
TCP Finite State Machine (FSM) States, Events and Transitions + CLOSED: This is the default state that each connection starts in before the process of establishing it begins.
The state is called “fictional” in the standard.
+ LISTEN
+ SYN-SENT
+ SYN-RECEIVED: The device has both received a SYN (connection request) from its partner and sent its own SYN. It is now waiting for an ACK to its SYN to finish connection setup.
+ ESTABLISHED
+ CLOSE-WAIT
+ LAST-ACK
+ FIN-WAIT-1
+ FIN-WAIT-2
+ CLOSING
+ TIME-WAIT
http://tcpipguide.com/free/t_TCPOperationalOverviewandtheTCPFiniteStateMachineF-2.htm
QUESTION 200
……
I have uploaded all the real questions of 210-260 exam to my Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDYUk3WWFWOEhsSU0
Welcome to download them freely!
2
0