Download Implementing Cisco Network Security.210-260.PracticeDumps.2018-05-23.147q.vcex

Vendor: Cisco
Exam Code: 210-260
Exam Name: Implementing Cisco Network Security
Date: May 23, 2018
File Size: 27 MB

How to open VCEX files?

Files with VCEX extension can be opened by ProfExam Simulator.

Demo Questions

Question 1
Refer to the exhibit. 
   
 
If a supplicant supplies incorrect credentials for all authentication methods configured on the switch, how will the switch respond?
  1. The supplicant will fail to advance beyond the webauth method.
  2. The switch will cycle through the configured authentication methods indefinitely.
  3. The authentication attempt will time out and the switch will place the port into the unauthorized state.
  4. The authentication attempt will time out and the switch will place the port into VLAN 101.
Correct answer: A
Explanation:
Supplying incorrect credentials results in failure to advance beyond the webauth method. Authentication requires correct credentials, as seen in the exhibit.
Question 2
Which EAP method uses Protected Access Credentials?
  1. EAP-FAST
  2. EAP-TLS
  3. EAP-PEAP
  4. EAP-GTC
Correct answer: A
Explanation:
EAP-FAST is an EAP method that enables secure communication between a client and an authentication server by using Transport Layer Security (TLS) to establish a mutually authenticated tunnel. Within the tunnel, data in the form of type, length, and value (TLV) objects are used to send further authentication-related data between the client and the authentication server. 
EAP-FAST supports the TLS extension as defined in RFC 4507 to support the fast re-establishment of the secure tunnel without having to maintain per-session state on the server. EAP-FAST-based mechanisms are defined to provision the credentials for the TLS extension. These credentials are called Protected Access Credentials (PACs). 
Reference: http://www.cisco.com/c/en/us/td/docs/wireless/wlan_adapter/cb21ag/user/vista/1-0/configuration/guide/cb21ag10vistaconfigguide/eap_types.html
Question 3
What is one requirement for locking a wired or wireless device from ISE?
  1. The ISE agent must be installed on the device.
  2. The device must be connected to the network when the lock command is executed.
  3. The user must approve the locking action.
  4. The organization must implement an acceptable use policy allowing device locking.
Correct answer: A
Explanation:
To lock a wired or wireless device from ISE, the ISE agent must first be installed on that device. The agent will assist in locking the device promptly.
Question 4
What VPN feature allows traffic to exit the security appliance through the same interface it entered?
  1. hairpinning
  2. NAT
  3. NAT traversal
  4. split tunneling
Correct answer: A
Explanation:
This feature is useful for VPN traffic that enters an interface but is then routed out of that same interface. For example, if you have a hub-and-spoke VPN network where the security appliance is the hub and the remote VPN networks are spokes, in order for one spoke to communicate with another spoke, traffic must go to the security appliance and then out again to the other spoke.
Enter the same-security-traffic command in order to allow traffic to enter and exit the same interface. 
ciscoasa(config)# same-security-traffic permit intra-interface
Reference: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html
Question 5
What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connection?
  1. split tunneling
  2. hairpinning
  3. tunnel mode
  4. transparent mode
Correct answer: A
Explanation:
When split tunneling is enabled, Internet traffic goes directly from your computer to the Internet and back without involving the VPN at all. Split tunneling also allows you to access other systems on your local network, which is impossible if all traffic has to go to the corporate network first, although this can be mitigated in some configurations.
Reference: http://www.tripwire.com/state-of-security/security-data-protection/36th-article-vpn-split-tunneling/
Question 6
Refer to the exhibit. 
    
What is the effect of the given command sequence?
  1. It configures IKE Phase 1.
  2. It configures a site-to-site VPN tunnel.
  3. It configures a crypto policy with a key size of 14400.
  4. It configures IPSec Phase 2.
Correct answer: A
Explanation:
To create an IKE policy, enter the crypto ikev1 | ikev2 policy command from global configuration mode. The prompt displays IKE policy configuration mode. For example:
hostname(config)# crypto ikev1 policy 1  
hostname(config-ikev1-policy)#  
After creating the policy, you can specify the settings for the policy. 
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_ike.html
Question 7
Refer to the exhibit. 
   
What is the effect of the given command sequence?
  1. It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.
  2. It defines IPSec policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24.
  3. It defines IKE policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.
  4. It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24.
Correct answer: A
Explanation:
Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the remote peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer. 
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfipsec.html
Question 8
Refer to the exhibit. 
    
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
  1. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5.
  2. IPSec Phase 2 is established between 10.10.10.2 and 10.1.1.5.
  3. IPSec Phase 1 is down due to a QM_IDLE state.
  4. IPSec Phase 2 is down due to a QM_IDLE state.
Correct answer: A
Explanation:
Phase 1 of IPsec is used to establish a secure channel between the two peers that will be used for further data transmission. The ASAs exchange secret keys, authenticate each other, and negotiate the IKE security policies. This is what happens in phase 1:
  • Authenticate and protect the identities of the IPsec peers.
  • Negotiate a matching IKE policy between IPsec peers to protect the IKE exchange.
  • Perform an authenticated Diffie-Hellman exchange to have matching shared secret keys.
  • Set up a secure tunnel for IKE phase 2.
Reference: https://networklessons.com/security/cisco-asa-site-site-ikev1-ipsec-vpn/
Question 9
Refer to the exhibit. 
    
While troubleshooting site-to-site VPN, you issued the show crypto ipsec sa command. What does the given output show?
  1. IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5.
  2. ISAKMP security associations are established between 10.1.1.5 and 10.1.1.1.
  3. IKE version 2 security associations are established between 10.1.1.1 and 10.1.1.5.
  4. IPSec Phase 2 is down due to a mismatch between encrypted and decrypted packets.
Correct answer: A
Explanation:
Once the secure tunnel from phase 1 has been established, phase 2 starts. In this phase the two firewalls negotiate the IPsec security parameters that will be used to protect the traffic within the tunnel. In short, this is what happens in phase 2:
  • Negotiate IPsec security parameters through the secure tunnel from phase 1.
  • Establish IPsec security associations.
  • Periodically renegotiate IPsec security associations for security.
Reference: https://networklessons.com/security/cisco-asa-site-site-ikev1-ipsec-vpn/
Question 10
Refer to the exhibit. 
   
The Admin user is unable to enter configuration mode on a device with the given configuration. 
What change can you make to the configuration to correct the problem?
  1. Remove the autocommand keyword and arguments from the Username Admin privilege line.
  2. Change the Privilege exec level value to 15.
  3. Remove the two Username Admin lines.
  4. Remove the Privilege exec line.
Correct answer: A
Explanation:
The autocommand causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line. 
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfpass.html#wp1030793