CCNA Security Practice Test

Which technology requires that SSH and AAA are configured before it can work?

A. TLS

B. SCP

C. TFTP

D. NTP

How does a stateful packet filtering firewall use a state table to improve the performance of routing?

A. Checks the source addresses of packets that can be routed

B. Used to reduce the number of routes available

C. To determine if a packet is returning traffic

D. Allows multiple private IP addresses to be mapped to a single public IP address

A company opens a new mid-sized branch office. Which Cisco ESA models would ideally be deployed to this office? (Choose three)

A. C670

B. X1070

C. C170

D. C380

E. C370

F. C680

Which of the following actions belong to the Operations and maintenance phase of the secure network life cycle? (Choose two)

A. Security categorization

B. Preliminary risk assessment

C. Configuration management and control

D. Continuous monitoring

E. Information preservation

F. Media sanitization

A tunnel has been created and established with a branch office. You need to verify that traffic is traversing the connection. Which command will provide this information?

A. show crypto ipsec sa

B. show crypto ipsec transform-set

C. show crypto map

D. show crypto isakmp policy

You are asked to configure SNMPv3 inside your network. An ACL named snmpacl, which specifies the IP addresses, has already been created, and will be able to perform SNMP queries. Which command would you enter to create a group named SNMPgroup which can send encrypted SNMP queries?

A. Router(config)# snmp-server group SNMPgroup v3 priv access snmpacl

B. Router(config)#snmp-server user admin SNMPgroup v3 auth md5 Password12 priv des56 Password12 access snmpacl

C. Router(config)# snmp-server group SNMPgroup v3 auth access snmpacl

D. Router(config)#snmp-server user admin SNMPgroup v3 auth md5 Password12 access snmpacl

You need to ensure that CDP is only enabled on interfaces that are connected to a trusted network. CDP must be disabled on all other interfaces. What should you do?

A. Run the no cdp run command

B. Run the no cdp enable command

C. Deploy Cisco AutoSecure in noninteractive mode

D. Deploy Cisco AutoSecure in interactive mode

Which three of these options are some of the best practices when you implement an effective firewall security policy? (Choose three)

A. Position firewalls at strategic inside locations to help mitigate inside nontechnical attacks.

B. Configure logging to capture all events for forensic purposes.

C. Use firewalls as a primary security defense; other security measures and devices should be implemented to enhance your network security.

D. Position firewalls at key security boundaries.

E. Deny all traffic by default and permit only necessary services.

To verify the clientless SSL VPN, a compliant browser has been opened. Which prefix is the path changed to if the object requires authentication?

A. /+CSCOU+/

B. http://

C. https://

D. /+CSCOE+/

Network security aims to provide which three key services? (Choose three)

A. data integrity

B. data strategy

C. data and system availability

D. data mining

E. data storage

F. data confidentiality

Attacks may take a variety of forms. Which of the following describes the Blended threats as a threat category?

A. Uses ping sweeps and port scans to identify all services on a network

B. Occurs when an attacker uses a fake device address

C. Attacks spread without human intervention

D. Attacks are typically carried out by instant message or E-mail

E. Hackers attempt to gain access to network packets

F. Occurs when an attacker can read or change sensitive data

Which clients meet the browser requirements for a Cisco ASA clientless SSL VPN? (Choose two)

A. OS X 10.10 Chrome v.41

B. Windows Vista IE8

C. Windows 8.1 IE10

D. OS X |w 10.8 Firefox v.33

What is the goal of an overall security challenge when planning a security strategy?

A. to harden all exterior-facing network components

B. to install firewalls at all critical points in the network

C. to find a balance between the need to open networks to support evolving business requirements and the need to inform

D. to educate employees to be on the lookout for suspicious behavior

You have learned that a Trojan was propagated to several servers in your network. However, no preventative action was taken by an IPS. What is this an example of?

A. False negative

B. True positive

C. True negative

D. False positive

Which of the following describes the Phreakers as a category of individuals who attack computer systems and operations?

A. Individuals who mean no harm and do not expect financial gain

B. Individuals who generally work for financial gain

C. Individuals who pride themselves on compromising telephone systems

D. Individuals who do not write their own code

E. Individuals with a political agenda

A client on your network is seeking advice from you in regards to the type of host-based security for their home network. They state that they have three devices, which share an Internet connection through a single home server. The home server is directly connected to the ISP router. Their main concern is primarily on traffic going through the home server to and from the other three devices. What should you recommend that would require the least amount of administrative overhead and associated set up cost?

A. Proxy firewall

B. Dynamic NAT

C. Personal firewall

D. Static NAT

Which feature can you use to place a rate limit on traffic that is handled by a Cisco device's route processor?

A. Cisco AutoSecure

B. OSPF neighbor authentication

C. CoPP

D. SNMP

Which of the actions are possible using Cisco Configuration Professional Express?

A. NAT, QoS, and NAC configurations

B. One-click router lockdown

C. Command line interface

D. WAN and VPN connectivity troubleshooting

Which of the following describes the function of Cisco ScanSafe?

A. Includes a firewall and real-time threat defense capability

B. Uses hardware- and software-integrated security functions to provide a zone-based policy firewall and intrusion prevention

C. Uses sensors to accomplish intrusion prevention

D. Provides an on-premise solution to prevent data loss

E. Analyzes web requests to determine if the content is malicious or inappropriate based on the defined security policy

What technology allows for a device to have multiple virtual firewalls?

A. Cisco Secure ACS

B. Class maps

C. Security contexts

D. Compartmentalization principal

Which of these options is a GUI tool for performing security configurations on Cisco routers?

A. Security Appliance Device Manager

B. Cisco CLI Configuration Management Tool

C. Cisco Security Device Manager

D. Cisco Security Manager

You need to implement a high availability solution on the ASA. The solution must be able to work with units running in either single or multiple context mode. Which failover configuration should be used?

A. Cisco Secure ACS

B. Active/Standby

C. Cisco ASDM

D. Active/Active

Which 802.1X component would refer to an endpoint in an 802.1X infrastructure?

A. Backend identity database

B. Supplicant

C. Authentication server

D. Authenticator

Which STP attack mitigation features causes an interface to be placed in an errdisabled state if a BPDU is received on that port?

A. Root guard

B. Loop guard

C. BPDU guard

D. BPDU filtering

How is called the total amount of time the system owner will accept for a business process outage?

A. Recovery Point Objective

B. Recovery Time Objective

C. Maximum Tolerable Downtime

Which option is the term for what happens when computer code is developed to take advantage of a vulnerability? For example, suppose that a vulnerability exists in a piece of software, but nobody knows about this vulnerability.

A. a vulnerability

B. a risk

C. an exploit

D. an attack

Security threats have evolved over time. Identity the latest generation of security threats. (Choose four)

A. Virtualization exploits

B. Memory scraping

C. Hardware hacking

D. IPv6-based attacks

E. E-mail

F. Infrastructure hacking

Which ESA listener would need to be configured to accept mail from a POP/IMAP system?

A. Public

B. Private

C. External

D. Internal

Which three options are areas of router security? (Choose three)

A. physical security

B. access control list security

C. zone-based firewall security

D. operating system security

E. router hardening

F. Cisco IOS-IPS security

Which actions can you take to prevent VLAN hopping? (Choose two)

A. Prevent dynamic trunk port negotiation

B. Enable port security

C. Ensure all trunk ports use VLAN 1 as their native VLAN

D. Change the native VLAN on all trunk ports to an unused VLAN

Which statement is true when configuring access control lists (ACLs) on a Cisco router?

A. ACLs filter all traffic through and sourced from the router.

B. Apply the ACL to the interface prior to configuring access control entries to ensure that controls are applied immediately upon configuration.

C. An "implicit deny" is applied to the start of the ACL entry by default.

D. Only one ACL per protocol, per direction, and per interface is allowed.

An intruder sends messages to a computer with an IP address that indicates that the message is coming from a trusted host. The hacker learns the IP address of a trusted host and modifies the packet headers so that apparently the packets are coming from that trusted host. How would you categorize this attack?

A. Confidentiality and integrity violation

B. Password attack

C. Spoofing

D. Blended threat

Which technologies can perform RADIUS and TACACS+ authentication? (Choose two)

A. ISE

B. ASDM

C. ACS

D. ASA

Which of the following describes the function of Cisco ASA?

A. Includes a firewall and real-time threat defense capability

B. Uses hardware- and software-integrated security functions to provide a zone-based policy firewall and intrusion prevention

C. Uses sensors to accomplish intrusion prevention

D. Provides an on-premise solution to prevent data loss

E. Analyzes web requests to determine if the content is malicious or inappropriate based on the defined security policy

Which of the options are primary reasons for an attacker to perform an IP spoofing attack? (Choose two)

A. Divert traffic streams

B. Gain root access to a system

C. Corrupt transmitted data

D. Logging information

RADIUS and TACACS+ are both commonly used to control network access. Which of the following describes the function of RADIUS? (Choose three)

A. Uses UDP

B. Uses TCP

C. Only encrypts the password for access-request packets

D. Encrypts the entire body of access-request packets

E. Cannot be used to prevent users from performing specific commands on a router

F. Can be used to specify which commands users can perform on a router

Attacks may take a variety of forms. Which of the following describes the Phishing, pharming, and identify theft?

A. Uses ping sweeps and port scans to identify all services on a network

B. Occurs when an attacker uses a fake device address

C. Attacks spread without human intervention

D. Attacks are typically carried out by instant message or E-mail

E. Hackers attempt to gain access to network packets

F. Occurs when an attacker can read or change sensitive data

Which statement is true when using zone-based firewalls on a Cisco router?

A. Policies are applied to traffic moving between zones, not between interfaces.

B. The firewalls can be configured simultaneously on the same interface as classic CBAC using the ip inspect CLI command.

C. Interface ACLs are applied before zone-based policy firewalls when they are applied outbound.

D. When configured with the “PASS” action, stateful inspection is applied to all traffic passing between the configured zones.

Select the statements that represent threats to network infrastructure. (Choose four)

A. Trust exploitation attacks

B. Spoofing

C. Route flaps and major network transitions

D. Exposed management credentials

E. Denial-of-service attacks

F. Login, authentication, and password attacks

Which of the following describes the Hackers as a category of individuals who attack computer systems and operations?

A. Individuals who mean no harm and do not expect financial gain

B. Individuals who generally work for financial gain

C. Individuals who pride themselves on compromising telephone systems

D. Individuals who do not write their own code

E. Individuals with a political agenda

What is true regarding application layer proxy firewalls? (Choose two)

A. Authenticates devices

B. Increases network performance

C. Authenticates users

D. Reduces spoofing attacks

Which statements about DHCP snooping are true? (Choose two)

A. The DHCP snooping database is used by root guard

B. The DHCP snooping database agent allows you to retain the DHCP snooping database bindings when the device is reloaded

C. Client devices should be connected to trusted ports, and all unused ports should be configured as untrusted ports

D. DHCP snooping is enabled by configuring Cisco AutoSecure

E. DHCP snooping can mitigate DHCP spoofing attacks

Which statement about role-based CLI access is true?

A. Commands can be added and removed on superviews from the root view

B. Deleting a superview also deletes any associated CLI views

C. Role-based CLI access can be configured with or without an AAA infrastructure

D. CLI views can be shared with more than one superview

What are the appropriate actions during a Detection and analysis incident response phase? (Choose three)

A. Prepare the facilities and communication mechanisms

B. Define the incident analysis hardware and software

C. Define the prevention procedures

D. Define a threat vector classification scheme

E. Analyze and implement tools for log and event correlation

F. Provide notification of incidents

Which actions occur during the implementation phase of the secure network life cycle? (Choose three)

A. Inspection and acceptance

B. System integration

C. Security certification

D. Developmental security test and evaluation

E. Security planning

Which option is a desirable feature of using symmetric encryption algorithms?

A. They are often used for wire-speed encryption in data networks.

B. They are based on complex mathematical operations and can easily be accelerated by hardware.

C. They offer simple key management properties.

D. They are best used for one-time encryption needs.

A transform-set must be created with the name 'test'. It should also support data confidentiality using strong DES encryption. Enter the command that would accomplish this task.

A. crypto ipsec transform-set test esp-des

B. crypto ipsec transform-set test esp-3des

C. crypto ipsec transform-set test ah-md5-hmac

You are reviewing syslog messages from multiple routers in your network. You have noticed irregularities with multiple syslog message timestamps for each router. Which technology can you configure to resolve this?

A. ASDM

B. SNMP

C. NTP

D. RADIUS

Which IDS sensor action will send an ARC response to completely block the attacker's IP address?

A. Deny attacker inline

B. Reset TCP connection

C. Request block host

D. Deny packet inline

Which command is used to display established IPsec tunnels?

A. show crypto ipsec sa

B. show crypto ipsec transform-set

C. show crypto ipsec

Which of the following control plane security features provides a necessary mechanism for deploying, monitoring, and troubleshooting CPP efficiently?

A. Control Plane Policing – CoPP

B. Control Plane Protection – CPP

C. Control Plane Logging

Which two statements describe features of the state table? (Choose two)

A. Tracks all sessions and inspects all packets passing through the firewall

B. Changes dynamically according to traffic flow

C. Receives copies of packets, processes them, and can then respond to threats

D. Provides a secure and encrypted management connection for managing network devices

Which threats are the most serious?

A. inside threats

B. outside threats

C. unknown threats

D. reconnaissance threats

Attacks may take a variety of forms. Which of the following describes the Enumeration and fingerprinting as a threat category?

A. Uses ping sweeps and port scans to identify all services on a network

B. Occurs when an attacker uses a fake device address

C. Attacks spread without human intervention

D. Attacks are typically carried out by instant message or E-mail

E. Hackers attempt to gain access to network packets

F. Occurs when an attacker can read or change sensitive data

Which are ways to combat social based attacks? (Choose two)

A. Mantrap

B. Identity validation

C. Training

D. Network access policies

Cisco test CCNA 210-260

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

Cisco test CCNA 210-260

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?