Download Implementing Cisco Network Security.210-260.PracticeDumps.2018-02-12.229q.tqb

Vendor: Cisco
Exam Code: 210-260
Exam Name: Implementing Cisco Network Security
Date: Feb 12, 2018
File Size: 32 MB
Download Exam

How to open TQB files?

Files with TQB (Taurus Question Bank) extension can be opened by Taurus Exam Studio.

Download
Taurus Exam Studio

Purchase
Coupon: TAURUSSIM_20OFF

Discount: 20%

Taurus Exam Simulator Taurus Exam Simulator Taurus Exam Simulator Taurus Exam Simulator Taurus Exam Simulator

Demo Questions

Question 1
Which two services define cloud networks? (Choose two.)
  1. Infrastructure as a Service
  2. Platform as a Service
  3. Security as a Service
  4. Compute as a Service
  5. Tenancy as a Service
Correct answer: AB
Explanation:
The diagram below depicts the Cloud Computing stack – it shows three distinct categories within Cloud Computing: Software as a Service, Platform as a Service and Infrastructure as a Service.    A simplified way of differentiating these flavors of Cloud Computing is as follows; SaaS applications are designed for end-users, delivered over the web  PaaS is the set of tools and services designed to make coding and deploying those applications quick and efficient  IaaS is the hardware and software that powers it all – servers, storage, networks, operating systems Reference: https://support.rackspace.com/white-paper/understanding-the-cloud-computing-stack-saas-paas-iaas/
The diagram below depicts the Cloud Computing stack – it shows three distinct categories within Cloud Computing: Software as a Service, Platform as a Service and Infrastructure as a Service.
    
A simplified way of differentiating these flavors of Cloud Computing is as follows; 
  • SaaS applications are designed for end-users, delivered over the web  
  • PaaS is the set of tools and services designed to make coding and deploying those applications quick and efficient  
  • IaaS is the hardware and software that powers it all – servers, storage, networks, operating systems 
Reference: https://support.rackspace.com/white-paper/understanding-the-cloud-computing-stack-saas-paas-iaas/
Question 2
In which two situations should you use out-of-band management? (Choose two.)
  1. when a network device fails to forward packets
  2. when you require ROMMON access
  3. when management applications need concurrent access to the device
  4. when you require administrator access from multiple locations
  5. when the control plane fails to respond
Correct answer: AB
Explanation:
Out-of-band refers to an interface that allows only management protocol traffic to be forwarded or processed. An out-of-band management interface is defined by the network operator to specifically receive network management traffic. The advantage isthat forwarding (or customer) traffic cannot interfere with the management of the router, which significantly reduces the possibility of denial-of-service attacks. Out-of-band interfaces forward traffic only between out-of-band interfaces or terminate management packets that are destined to the router. In addition, the out-of-band interfaces can participate in dynamic routing protocols. The service provider connects to the router’s out-of-band interfaces and builds an independent overlay management network, with all the routing and policy tools that the router can provide. Reference: http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-0/security/configuration/guide/b_sc40asr9kbook/b_sc40asr9kbook_chapter_0101.pdf
Out-of-band refers to an interface that allows only management protocol traffic to be forwarded or processed. An out-of-band management interface is defined by the network operator to specifically receive network management traffic. The advantage isthat forwarding (or customer) traffic cannot interfere with the management of the router, which significantly reduces the possibility of denial-of-service attacks. 
Out-of-band interfaces forward traffic only between out-of-band interfaces or terminate management packets that are destined to the router. In addition, the out-of-band interfaces can participate in dynamic routing protocols. The service provider connects to the router’s out-of-band interfaces and builds an independent overlay management network, with all the routing and policy tools that the router can provide. 
Reference: http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-0/security/configuration/guide/b_sc40asr9kbook/b_sc40asr9kbook_chapter_0101.pdf
Question 3
In which three ways does the TACACS protocol differ from RADIUS? (Choose three.)
  1. TACACS uses TCP to communicate with the NAS.
  2. TACACS can encrypt the entire packet that is sent to the NAS.
  3. TACACS supports per-command authorization.
  4. TACACS authenticates and authorizes simultaneously, causing fewer packets to be transmitted.
  5. TACACS uses UDP to communicate with the NAS.
  6. TACACS encrypts only the password field in an authentication packet.
Correct answer: ABC
Explanation:
TACACS+ uses Transmission Control Protocol (TCP) port 49 to communicate between the TACACS+ client and the TACACS+ server. An example is a Cisco switch authenticating and authorizing administrative access to the switch’s IOS CLI. The switch is the TACACS+ client, and Cisco Secure ACS is the server. TACACS+ communication between the client and server uses different message types depending on the function. In other words, different messages may be used for authentication than are used for authorization and accounting. Another very interesting point to know is that TACACS+ communication will encrypt the entire packet. Reference: http://www.networkworld.com/article/2838882/radius-versus-tacacs.html
TACACS+ uses Transmission Control Protocol (TCP) port 49 to communicate between the TACACS+ client and the TACACS+ server. An example is a Cisco switch authenticating and authorizing administrative access to the switch’s IOS CLI. The switch is the TACACS+ client, and Cisco Secure ACS is the server. 
TACACS+ communication between the client and server uses different message types depending on the function. In other words, different messages may be used for authentication than are used for authorization and accounting. Another very interesting point to know is that TACACS+ communication will encrypt the entire packet. 
Reference: http://www.networkworld.com/article/2838882/radius-versus-tacacs.html
Question 4
According to Cisco best practices, which three protocols should the default ACL allow on an access port to enable wired BYOD devices to supply valid credentials and connect to the network? (Choose three.)
  1. BOOTP
  2. TFTP
  3. DNS
  4. MAB
  5. HTTP
  6. 802.1x
Correct answer: ABC
Explanation:
ACL-DEFAULT allows DHCP, DNS, ICMP, and TFTP traffic and denies everything else. Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_Wired.html
ACL-DEFAULT allows DHCP, DNS, ICMP, and TFTP traffic and denies everything else. 
Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_Wired.html
Question 5
Which two next-generation encryption algorithms does Cisco recommend? (Choose two.)
  1. AES
  2. 3DES
  3. DES
  4. MD5
  5. DH-1024
  6. SHA-384
Correct answer: AF
Explanation:
The following table shows the relative security level provided by the recommended and NGE algorithms. The security level is the relative strength of an algorithm. An algorithm with a security level of x bits is stronger than one of y bits if x > y. If an algorithm has a security level of x bits, the relative effort it would take to "beat" the algorithm is of the same magnitude of breaking a secure x-bit symmetric key algorithm (without reduction or other attacks). The 128-bit security level is for sensitive information and the 192-bit level is for information of higher importance.    Reference: http://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html
The following table shows the relative security level provided by the recommended and NGE algorithms. The security level is the relative strength of an algorithm. An algorithm with a security level of x bits is stronger than one of y bits if x > y. If an algorithm has a security level of x bits, the relative effort it would take to "beat" the algorithm is of the same magnitude of breaking a secure x-bit symmetric key algorithm (without reduction or other attacks). The 128-bit security level is for sensitive information and the 192-bit level is for information of higher importance. 
   
Reference: http://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html
Question 6
Which three ESP fields can be encrypted during transmission? (Choose three.)
  1. Security Parameter Index
  2. Sequence Number
  3. MAC Address
  4. Padding
  5. Pad Length
  6. Next Header
Correct answer: DEF
Explanation:
The remaining four parts of the ESP are all encrypted during transmission across the network. Those parts are as follows:The Payload Data is the actual data that is carried by the packet. The Padding, from 0 to 255 bytes of data, allows certain types of encryption algorithms to require the data to be a multiple of a certain number of bytes. The padding also ensures that the text of a message terminates ona four-byte boundary (an architectural requirement within IP). The Pad Length field specifies how much of the payload is padding rather than data. The Next Header field, like a standard IP Next Header field, identifies the type of data carried and the protocol. Reference: http://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/IPsecPG1.html
The remaining four parts of the ESP are all encrypted during transmission across the network. Those parts are as follows:
  • The Payload Data is the actual data that is carried by the packet. 
  • The Padding, from 0 to 255 bytes of data, allows certain types of encryption algorithms to require the data to be a multiple of a certain number of bytes. The padding also ensures that the text of a message terminates ona four-byte boundary (an architectural requirement within IP). 
  • The Pad Length field specifies how much of the payload is padding rather than data. 
  • The Next Header field, like a standard IP Next Header field, identifies the type of data carried and the protocol. 
Reference: http://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/IPsecPG1.html
Question 7
What are two default Cisco IOS privilege levels? (Choose two.)
  1. 0
  2. 1
  3. 5
  4. 7
  5. 10
  6. 15
Correct answer: BF
Explanation:
By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of access to commands, called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level.Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html#wp1001016
By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of access to commands, called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html#wp1001016
Question 8
Which two authentication types does OSPF support? (Choose two.)
  1. plaintext
  2. MD5
  3. HMAC
  4. AES 256
  5. SHA-1
  6. DES
Correct answer: AB
Explanation:
These are the three different types of authentication supported by OSPF. Null Authentication—This is also called Type 0 and it means no authentication information is included in the packet header. It is the default. Plain Text Authentication—This is also called Type 1 and it uses simple clear-text passwords. MD5 Authentication—This is also called Type 2 and it uses MD5 cryptographic passwords. Authentication does not need to be set. However, if it is set, all peer routers on the same segment must have the same password and authentication method. The examples in this document demonstrate configurations for both plain text and MD5 authentication. Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13697-25.html
These are the three different types of authentication supported by OSPF. 
  • Null Authentication—This is also called Type 0 and it means no authentication information is included in the packet header. It is the default. 
  • Plain Text Authentication—This is also called Type 1 and it uses simple clear-text passwords. 
  • MD5 Authentication—This is also called Type 2 and it uses MD5 cryptographic passwords. 
Authentication does not need to be set. However, if it is set, all peer routers on the same segment must have the same password and authentication method. The examples in this document demonstrate configurations for both plain text and MD5 authentication. 
Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13697-25.html
Question 9
Which two features do CoPP and CPPr use to protect the control plane? (Choose two.)
  1. QoS
  2. traffic classification
  3. access lists
  4. policy maps
  5. class maps
  6. Cisco Express Forwarding
Correct answer: AB
Question 10
Which two statements about stateless firewalls are true? (Choose two.)
  1. They compare the 5-tuple of each incoming packet against configurable rules.
  2. They cannot track connections.
  3. They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS.
  4. Cisco IOS cannot implement them because the platform is stateful by nature.
  5. The Cisco ASA is implicitly stateless because it blocks all traffic by default.
Correct answer: AB
Explanation:
However, since iptables and Netfilter were introduced and connection tracking in particular, this option was gotten rid of. The reason for this is that connection tracking can not work properly without defragmenting packets, and hence defragmenting has been incorporated into conntrack and is carried out automatically. It can not be turned off, except by turning off connection tracking. Defragmentation is always carried out if connection tracking is turned on. Reference: http://www.iptables.info/en/connection-state.html
However, since iptables and Netfilter were introduced and connection tracking in particular, this option was gotten rid of. The reason for this is that connection tracking can not work properly without defragmenting packets, and hence defragmenting has been incorporated into conntrack and is carried out automatically. It can not be turned off, except by turning off connection tracking. Defragmentation is always carried out if connection tracking is turned on. 
Reference: http://www.iptables.info/en/connection-state.html
CONNECT US
HOW TO OPEN VCE FILES

Use VCE Exam Simulator to open VCE files
Avanaset

HOW TO OPEN VCEX FILES

Use ProfExam Simulator to open VCEX files
ProfExam Screen

ProfExam
ProfExam at a 20% markdown

You have the opportunity to purchase ProfExam at a 20% reduced price

Get Now!