210-260 | Improved 210-260 Exam Study Guides With New Update Exam Questions


New Cisco 210-260 Exam Dumps Collection (Question 4 - Question 13)

New Questions 4

Which firewall configuration must you perform to allow traffic to flow in both directions between two zones?

A. You must configure two zone pairs, one for each direction.

B. You can configure a single zone pair that allows bidirectional traffic flows for any zone.

C. You can configure a single zone pair that allows bidirectional traffic flows for any zone except the self zone.

D. You can configure a single zone pair that allows bidirectional traffic flows only if the source zone is the less secure zone.

Answer: A

New Questions 5

What is the Cisco preferred countermeasure to mitigate CAM overflows?

A. Port security

B. Dynamic port security

C. IP source guard

D. Root guard

Answer: B

New Questions 6

What's the technology that you can use to prevent a non-malicious program from running on a computer that is disconnected from the network?

A. Firewall

B. Software Antivirus

C. Network IPS

D. Host IPS

Answer: D

New Questions 7

Which source port does IKE use when NAT has been detected between two VPN gateways?

A. TCP 4500

B. TCP 500

C. UDP 4500

D. UDP 500

Answer: C

New Questions 8

When AAA login authentication is configured on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)

A. group RADIUS

B. group TACACS+

C. local

D. krb5

E. enable

F. if-authenticated

Answer: C,E

Explanation:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html

TACACS+ Authentication Examples

The following example shows how to configure TACACS+ as the security protocol for PPP authentication:

aaa new-model

aaa authentication ppp test group tacacs+ local

tacacs-server host 10.1.2.3

tacacs-server key goaway

interface serial 0

ppp authentication chap pap test

The lines in the preceding sample configuration are defined as follows:

• The aaa new-model command enables the AAA security services.

• The aaa authentication command defines a method list, "test," to be used on serial interfaces running PPP. The keyword group tacacs+ means that authentication will be done through TACACS+. If TACACS+ returns an ERROR of some sort during authentication, the keyword local indicates that authentication will be attempted using the local database on the network access server.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml

Authentication

Start to configure TAC+ on the router. Enter enable mode and type configure terminal before the command set. This command syntax ensures that you are not locked out of the router initially, providing the tac_plus_executable is not running:

!--- Turn on TAC+.

aaa new-model

enable password whatever

!--- These are lists of authentication methods.

!--- "linmethod", "vtymethod", "conmethod", and

!--- so on are names of lists, and the methods

!--- listed on the same lines are the methods

!--- in the order to be tried. As used here, if

!--- authentication fails due to the

!--- tac_plus_executable not being started, the

!--- enable password is accepted because

!--- it is in each list.

!

aaa authentication login linmethod tacacs+ enable

aaa authentication login vtymethod tacacs+ enable

aaa authentication login conmethod tacacs+ enable

New Questions 9

Which type of address translation should be used when a Cisco ASA is in transparent mode?

A. Static NAT

B. Dynamic NAT

C. Overload

D. Dynamic PAT

Answer: A

New Questions 10

Which two characteristics of the TACACS+ protocol are true? (Choose two.)

A. uses UDP ports 1645 or 1812

B. separates AAA functions

C. encrypts the body of every packet

D. offers extensive accounting capabilities

E. is an open RFC standard protocol

Answer: B,C

Explanation:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

Packet Encryption

RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.

TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.

Authentication and Authorization

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.

TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.

During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.

New Questions 11

What do you use when you have a network object or group and want to use an IP address?

A. Static NAT

B. Dynamic NAT

C. identity NAT

D. Static PAT

Answer: B

New Questions 12

Which statement about the communication between interfaces on the same security level is true?

A. Interfaces on the same security level require additional configuration to permit inter-interface communication.

B. Configuring interfaces on the same security level can cause asymmetric routing.

C. All traffic is allowed by default between interfaces on the same security level.

D. You can configure only one interface on an individual security level.

Answer: A

New Questions 13

What can the SMTP preprocessor in FirePOWER normalize?

A. It can extract and decode email attachments in client to server traffic.

B. It can look up the email sender.

C. It compares known threats to the email sender.

D. It can forward the SMTP traffic to an email filter server.

E. It uses the Traffic Anomaly Detector.

Answer: A
