Implementing Cisco Network Security Exam
[2024 Cherry Blossom Festival Campaign]: when you buy the 210-260 latest real exam questions, you receive both the Japanese and English versions at the same time.
You can practice with the actual question set, understand the key points of the exam, and decide whether to register for the test.
To save a further 35% of your exam preparation time, use the 210-260 question bank.
Question No : 1
Which type of mirroring does SPAN technology perform?
Correct answer:
Explanation:
You can analyze network traffic passing through ports or VLANs by using SPAN or RSPAN to send a copy of the traffic to another port on the switch or on another switch that has been connected to a network analyzer or other monitoring or security device. Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch or switch stack.
Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer:
+ If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.
Source: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/122_55_se/configuration/guide/scg_2960/swspan.html
Question No : 2
By which kind of threat is the victim tricked into entering username and password information at a disguised website?
Correct answer:
Explanation:
Phishing presents a link that looks like a valid trusted resource to a user. When the user clicks it, the user is prompted to disclose confidential information such as usernames/passwords.
Source: Cisco Official Certification Guide, Table 1-5 Attack Methods, p.13
Question No : 3
Which syslog severity level is level number 7?
Correct answer:
Explanation:
Remember: There is a mnemonic device for remembering the order of the eight syslog levels:
"Every Awesome Cisco Engineer Will Need Icecream Daily"
0 - Emergency
1 - Alert
2 - Critical
3 - Error
4 - Warning
5 - Notification
6 - Informational
7 - Debugging
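To see how these level numbers travel in a real message, here is an added Python example (it is not from the page or from Cisco) that decodes the syslog PRI field at the front of each line, where PRI = facility * 8 + severity, maps the severity to the names in the list above, and mimics what a "logging trap <level>" style filter keeps: messages at the configured level or more severe (a lower number). The sample lines are constructed; the facility value 23 they carry is local7, the default facility on Cisco IOS.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# The eight syslog severity levels; the index is the level number from the list above.
SEVERITY_NAMES = [
    "Emergency",      # 0
    "Alert",          # 1
    "Critical",       # 2
    "Error",          # 3
    "Warning",        # 4
    "Notification",   # 5
    "Informational",  # 6
    "Debugging",      # 7
]

# A syslog message starts with "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a PRI value into (facility, severity); 23 * 8 + 7 = 191 is the maximum."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_syslog_line(line: str) -> Optional[Dict[str, object]]:
    """Return facility, severity number, severity name and message body, or None if no PRI."""
    match = PRI_RE.match(line)
    if match is None:
        return None
    facility, severity = decode_pri(int(match.group(1)))
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "message": line[match.end():].strip(),
    }


def forwarded_at_trap_level(lines: Iterable[str], trap_level: int) -> List[Dict[str, object]]:
    """Keep the messages a 'logging trap <level>' setting would forward.

    Lower numbers are more severe, so trap level 4 (Warning) forwards levels 0 through 4
    and drops Notification, Informational and Debugging messages.
    """
    kept = []
    for line in lines:
        parsed = parse_syslog_line(line)
        if parsed is not None and parsed["severity"] <= trap_level:
            kept.append(parsed)
    return kept


# Constructed sample lines, not captured from a real device. Facility 23 is local7,
# the default facility on Cisco IOS, so PRI 184..191 cover the eight levels.
SAMPLE_LINES = [
    "<189>Jan 10 10:01:02 sw1 %LINK-5-CHANGED: Interface Gi1/0/1, changed state to administratively down",
    "<190>Jan 10 10:01:03 sw1 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.5 started",
    "<191>Jan 10 10:01:04 sw1 %SYS-7-USERLOG_DEBUG: debug output",
    "<186>Jan 10 10:01:05 sw1 %PLATFORM-2-TEMP_CRITICAL: temperature critical",
    "no priority prefix here",
]

if __name__ == "__main__":
    for entry in forwarded_at_trap_level(SAMPLE_LINES, trap_level=4):
        print(entry["severity"], entry["severity_name"], entry["message"])
```

Running the block with trap level 4 leaves only the Critical line; raising the trap level to 7 forwards everything, which is why leaving debugging output enabled on a production device floods the collector.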
Question No : 4
Which type of firewall can act on the behalf of the end device?
Correct answer:
Explanation:
Application firewalls, as indicated by the name, work at Layer 7, or the application layer of the OSI model.
These devices act on behalf of a client (aka proxy) for requested services.
Because application/proxy firewalls act on behalf of a client, they provide an additional "buffer" from port scans, application attacks, and so on. For example, if an attacker found a vulnerability in an application, the attacker would have to compromise the application/proxy firewall before attacking devices behind the firewall. The application/proxy firewall can also be patched quickly in the event that a vulnerability is discovered. The same may not hold true for patching all the internal devices.
Source: http://www.networkworld.com/article/2255950/lan-wan/chapter-1--types-of-firewalls.html
Question No : 5
What is the purpose of a honeypot IPS?
Correct answer:
Explanation:
Honeypot systems use a dummy server to attract attacks. The purpose of the honeypot approach is to distract attacks away from real network devices. By staging different types of vulnerabilities in the honeypot server, you can analyze incoming types of attacks and malicious traffic patterns.
Source: http://www.ciscopress.com/articles/article.asp?p=1336425
Question No : 6
Which command verifies phase 1 of an IPsec VPN on a Cisco router?
Correct answer:
Explanation:
The show crypto isakmp sa command shows the ISAKMP SA to be in MM_NO_STATE. This also means that main mode has failed.
dst src state conn-id slot (the column header of the show crypto isakmp sa output)
Question No : 7
Which type of IPS can identify worms that are propagating in a network?
Correct answer:
Explanation:
An example of anomaly-based IPS/IDS is creating a baseline of how many TCP sender requests are generated on average each minute that do not get a response. This is an example of a half-opened session. If a system creates a baseline of this (and for this discussion, let's pretend the baseline is an average of 30 half-opened sessions per minute), and then notices the half-opened sessions have increased to more than 100 per minute, and then acts based on that and generates an alert or begins to deny packets, this is an example of anomaly-based IPS/IDS. The Cisco IPS/IDS appliances have this ability (called anomaly detection), and it is used to identify worms that may be propagating through the network.
Source: Cisco Official Certification Guide, Anomaly-Based IPS/IDS, p.464
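The half-open-session baseline described above, as an added Python example that is not Cisco's anomaly-detection implementation: it counts connection attempts that got no reply per minute from constructed sensor events, learns the baseline over a training window, flags minutes whose count exceeds a multiple of the baseline (an assumed factor of 3, in place of the fixed 100 per minute in the text), and lists the sources that produced the unanswered attempts in a flagged minute so a responder can see where the worm-like traffic originates. The event records, host addresses and per-minute counts are all constructed.

```python
from collections import Counter
from statistics import mean
from typing import Dict, Iterable, List, Tuple

# One constructed event per TCP connection attempt seen by the sensor:
# (minute_index, source_ip, responded). responded=False means the SYN got no
# SYN-ACK (or RST) back before the timeout, i.e. a half-open session.
Event = Tuple[int, str, bool]


def half_open_per_minute(events: Iterable[Event]) -> Dict[int, int]:
    """Count unanswered connection attempts per minute."""
    counts: Counter = Counter()
    for minute, _source, responded in events:
        if not responded:
            counts[minute] += 1
    return dict(counts)


def learn_baseline(counts: Dict[int, int], training_minutes: Iterable[int]) -> float:
    """Average half-open sessions per minute over a window believed to be clean."""
    return float(mean(counts.get(m, 0) for m in training_minutes))


def detect_anomalies(counts: Dict[int, int], baseline: float,
                     factor: float = 3.0) -> List[Tuple[int, int, float]]:
    """Flag minutes whose count exceeds factor * baseline; returns (minute, count, ratio).

    The factor is an assumed tuning knob; the text uses a fixed 100 per minute against
    a baseline of 30, which is roughly the same cut-off.
    """
    threshold = baseline * factor
    return [
        (minute, count, count / baseline)
        for minute, count in sorted(counts.items())
        if count > threshold
    ]


def top_sources(events: Iterable[Event], minute: int, limit: int = 3) -> List[Tuple[str, int]]:
    """Which hosts produced the unanswered attempts in a flagged minute."""
    per_source: Counter = Counter(
        source for m, source, responded in events if m == minute and not responded
    )
    return per_source.most_common(limit)


def build_sample_events() -> List[Event]:
    """Constructed traffic: five clean training minutes, then one minute with a scanning host."""
    events: List[Event] = []
    normal_hosts = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    for minute, unanswered in enumerate([30, 28, 32, 31, 29, 25]):
        for i in range(unanswered):
            events.append((minute, normal_hosts[i % len(normal_hosts)], False))
        for i in range(200):  # completed handshakes; the detector ignores these
            events.append((minute, normal_hosts[i % len(normal_hosts)], True))
    # Minute 5: one host probing many addresses that never answer, as a propagating worm would.
    events.extend((5, "10.0.0.77", False) for _ in range(120))
    return events


if __name__ == "__main__":
    events = build_sample_events()
    counts = half_open_per_minute(events)
    baseline = learn_baseline(counts, training_minutes=range(5))
    for minute, count, ratio in detect_anomalies(counts, baseline):
        print(f"minute {minute}: {count} half-open sessions, {ratio:.1f}x baseline of {baseline:.0f}")
        print("  top sources:", top_sources(events, minute))
```

The training window must be clean for the baseline to mean anything; if the worm is already active while the baseline is learned, its traffic becomes "normal" and the detector stays silent, which is the classic weakness of anomaly-based detection.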
Question No : 8
Which TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.)
Correct answer:
Explanation:
The ASA supports TACACS+ server authentication with the following protocols: ASCII, PAP, CHAP, and MS-CHAPv1.
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_tacacs.pdf
Question No : 9
Which command causes a Layer 2 switch interface to operate as a Layer 3 interface?
Correct answer:
Explanation:
The no switchport command makes the interface Layer 3 capable.
Source: http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howtoL3-intervlanrouting.html
Question No : 10
Which of the following are features of IPsec transport mode? (Choose three.)
Correct answer:
Explanation:
+ IPsec transport mode is used for end-to-end communications, for example, for communication between a client and a server or between a workstation and a gateway (if the gateway is being treated as a host). A good example would be an encrypted Telnet or Remote Desktop session from a workstation to a server.
+ IPsec supports two encryption modes: transport mode and tunnel mode. Transport mode encrypts only the data portion (payload) of each packet and leaves the packet header untouched. Transport mode is applicable to either gateway or host implementations, and provides protection for upper-layer protocols as well as selected IP header fields.
Source: http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html http://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/20/ip_security/provisioning/guide/IPsecPG1.html
Generic Routing Encapsulation (GRE) is often deployed with IPsec for several reasons, including the following:
+ IPsec Direct Encapsulation supports unicast IP only. If network layer protocols other than IP are to be supported, an IP encapsulation method must be chosen so that those protocols can be transported in IP packets.
+ IPmc (IP multicast) is not supported with IPsec Direct Encapsulation. IPsec was created to be a security protocol between two and only two devices, so a service such as multicast is problematic. An IPsec peer encrypts a packet so that only one other IPsec peer can successfully perform the decryption. IPmc is not compatible with this mode of operation.
Source: https://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008074f26a.pdf
Question No : 11
Which source port does IKE use when NAT has been detected between two VPN gateways?
Correct answer:
Explanation:
The IKE protocol uses UDP packets, usually on port 500. NAT traversal: the encapsulation of IKE and ESP in UDP port 4500 enables these protocols to pass through a device or firewall performing NAT.
Source: https://en.wikipedia.org/wiki/Internet_Key_Exchange
Question No : 12
Which option describes information that must be considered when you apply an access list to a physical interface?
Correct answer:
Explanation:
Applying an access list to an interface:
interface type number
ip access-group {access-list-number | access-list-name} {in | out}
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-aclxe-3s-book/sec-create-ip-apply.html
Question No : 13
If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
Correct answer:
Question No : 14
Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)
Correct answer:
Explanation:
Smart Tunnel is an advanced feature of Clientless SSL VPN that provides seamless and highly secure remote access for native client-server applications.
Clientless SSL VPN with Smart Tunnel is the preferred solution for allowing access from non-corporate assets, as it does not require administrative rights.
Port forwarding is the legacy technology for supporting TCP-based applications over a Clientless SSL VPN connection. Unlike port forwarding, Smart Tunnel simplifies the user experience by not requiring the user to connect the local application to a local port.
Source: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zonesecurity/tunnel.pdf
Question No : 15
What is a possible reason for the following error message?
Router(config)#aaa server?
% Unrecognized command
Correct answer:
Explanation:
Before you can use any of the services that AAA network security services provide, you must enable AAA.
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfaaa.html