Want to Pass 210-260 Exam In Next HOURS? Get it now →
December 24, 2018

Tactics to cisco ccna security 210 260 iins

Our pass rate is high to 98.9% and the similarity percentage between our ccna security 210 260 dumps pdf study guide and real exam is 90% based on our seven-year educating experience. Do you want achievements in the Cisco ccna security 210 260 exam dumps exam in just one try? I am currently studying for the Cisco ccna security 210 260 dumps pdf exam. Latest Cisco ccna security 210 260 official cert guide Test exam practice questions and answers, Try Cisco ccna security 210 260 dumps Brain Dumps First.

P.S. 100% Correct 210-260 dumps are available on Google Drive, GET MORE: https://drive.google.com/open?id=15Wj8GqxvfYTz0nGHdJkfV_zMadDrezid

New Cisco 210-260 Exam Dumps Collection (Question 2 - Question 11)

Q2. With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router when some of the router interfaces are assigned to a zone? (Choose three.)

A. traffic flowing between a zone member interface and any interface that is not a zone member

B. traffic flowing to and from the router interfaces (the self zone)

C. traffic flowing among the interfaces that are members of the same zone

D. traffic flowing among the interfaces that are not assigned to any zone

E. traffic flowing between a zone member interface and another interface that belongs in a different zone

F. traffic flowing to the zone member interface that is returned traffic

Answer: B,C,D


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080 8bc994.shtml

Rules For Applying Zone-Based Policy Firewall

Router network interfacesu2019 membership in zones is subject to several rules that govern interface behavior, as is the traffic moving between zone member interfaces:

A zone must be configured before interfaces can be assigned to the zone. An interface can be assigned to only one security zone.

All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone, and traffic to any interface on the router.

Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone. In order to permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.

The self zone is the only exception to the default deny all policy. All traffic to any router interface is allowed until traffic is explicitly denied.

Traffic cannot flow between a zone member interface and any interface that is not a zone member. Pass, inspect, and drop actions can only be applied between two zones. Interfaces that have not been assigned to a zone function as classical router ports and

might still use classical stateful inspection/CBAC configuration.

If it is required that an interface on the box not be part of the zoning/firewall policy. It might still be necessary to put that interface in a zone and configure a pass all policy (sort of a dummy policy) between that zone and any other zone to which traffic flow is desired.

From the preceding it follows that, if traffic is to flow among all the interfaces in a router, all the interfaces must be part of the zoning model (each interface must be a member of one zone or another).

The only exception to the preceding deny by default approach is the traffic to and from the router, which will be permitted by default. An explicit policy can be configured to restrict such traffic.

Q3. With which preprocesor do you detect incomplete TCP handshakes

A. rate based prevention

B. portscan detection

Answer: A

Q4. What is the actual IOS privilege level of User Exec mode?

A. 1

B. 0

C. 5

D. 15

Answer: A

Explanation: By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of access to commands, called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level.

Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpas s.html

Q5. Which two characteristics of an application layer firewall are true? (Choose two)

A. provides protection for multiple applications

B. is immune to URL manipulation

C. provides reverse proxy services

D. provides stateful firewall functionality

E. has low processor usage

Answer: A,C

Q6. Which of the following pairs of statements is true in terms of configuring MD authentication?

A. Interface statements (OSPF, EIGRP) must be configured; use of key chain in OSPF

B. Router process (OSPF, EIGRP) must be configured; key chain in EIGRP

C. Router process (only for OSPF) must be configured; key chain in EIGRP

D. Router process (only for OSPF) must be configured; key chain in OSPF

Answer: C

Q7. Which term best describes the concept of preventing the modification of data in transit and in storage?

A. Confidentiality

B. Integrity

C. Availability

D. fidelity

Answer: B


Integrity for data means that changes made to data are done only by authorized individuals/systems.

Corruption of data is a failure to maintain data integrity.

Source: Cisco Official Certification Guide, Confidentiality, Integrity, and Availability, p.6

Q8. Which option is the resulting action in a zone-based policy firewall configuration with these conditions?

A. no impact to zoning or policy

B. no policy lookup (pass)

C. drop

D. apply default policy

Answer: C


http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-zone- pol-fw.html

Zone Pairs

A zone pair allows you to specify a unidirectional firewall policy between two security zones.

To define a zone pair, use the zone-pair security command. The direction of the traffic is specified by source and destination zones. The source and destination zones of a zone pair must be security zones.

You can select the default or self zone as either the source or the destination zone. The self zone is a systemdefined zone which does not have any interfaces as members. A zone pair that includes the self zone, along with the associated policy, applies to traffic directed to the device or traffic generated by the device. It does not apply to traffic through the device.

The most common usage of firewall is to apply them to traffic through a device, so you need at least two zones (that is, you cannot use the self zone).

To permit traffic between zone member interfaces, you must configure a policy permitting (or inspecting) traffic between that zone and another zone. To attach a firewall policy map to the target zone pair, use the servicepolicy type inspect command.

The figure below shows the application of a firewall policy to traffic flowing from zone Z1 to zone Z2, which means that the ingress interface for the traffic is a member of zone Z1 and the egress interface is a member of zone Z2.

Figure 2. Zone Pairs

If there are two zones and you require policies for traffic going in both directions (from Z1 to Z2 and Z2 to Z1), you must configure two zone pairs (one for each direction).

If a policy is not configured between zone pairs, traffic is dropped. However, it is not necessary to configure a zone pair and a service policy solely for the return traffic. By default, return traffic is not allowed. If a service policy inspects the traffic in the forward direction and there is no zone pair and service policy for the return traffic, the return traffic is inspected. If a service policy passes the traffic in the forward direction and there is no zone pair and service policy for the return traffic, the return traffic is dropped. In both these cases, you need to configure a zone pair and a service policy to allow the return traffic. In the above figure, it is not mandatory that you configure a zone pair source and destination for allowing return traffic from Z2 to Z1. The service policy on Z1 to Z2 zone pair takes care of it.

Q9. Which filter uses in Web reputation to prevent from Web Based Attacks? (Choose two)

A. outbreak filter

B. buffer overflow filter

C. bayesian overflow filter

D. web reputation

E. exploit filtering

Answer: A,D

Q10. What type of algorithm uses the same key to encrypt and decrypt data?

A. a symmetric algorithm

B. an asymmetric algorithm

C. a Public Key Infrastructure algorithm

D. an IP security algorithm

Answer: A

Q11. Which two functions can SIEM provide? (Choose Two)

A. Correlation between logs and events from multiple systems.

B. event aggregation that allows for reduced log storage requirements.

C. proactive malware analysis to block malicious traffic.

D. dual-factor authentication.

E. centralized firewall management.

Answer: A,C

see more free 210-260 exam dumps

Recommend!! Get the 100% Correct 210-260 dumps in VCE and PDF From Surepassexam, Welcome to download: https://www.surepassexam.com/210-260-exam-dumps.html (New 387 Q&As Version)