Implementing Cisco Network Security 210-260 Questions Pool

Cisco IronPort Outbreak Filters provide a critical first layer of defense against new outbreaks. With this proven preventive solution, protection begins hours before signatures used by traditional antivirus solutions are in place. Real-world results show an average 14-hour lead time over reactive antivirus solutions.
SenderBase, the world\'s largest email and web traffic monitoring network, provides real-time protection. The Cisco IronPort SenderBase Network captures data from over 120,000 contributing organizations around the world.
Source: http://www.cisco.com/c/en/us/products/security/email-security-appliance/outbreak_filters_index.html

To set the interval for which the server waits for a server host to reply, use the tacacs-server timeout command in global configuration mode. To restore the default, use the no form of this command.
If the command is not configured, the timeout interval is 5. Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command

None

None

Phishing presents a link that looks like a valid trusted resource to a user. When the user clicks it, the user is prompted to disclose confidential information such as usernames/passwords.
Source: Cisco Official Certification Guide, Table 1-5 Attack Methods, p.13

SDEE Messages
+ All -- SDEE error, status, and alert messages are shown.
+ Error -- Only SDEE error messages are shown.
+ Status -- Only SDEE status messages are shown.
+ Alerts -- Only SDEE alert messages are shown.
Source:
http://www.cisco.com/c/en/us/td/docs/routers/access/cisco_router_and_security_device_manager/24/ software/user/guide/IPS.html#wp1083698

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml Zone-Based Policy Firewall Actions
ZFW provides three actions for traffic that traverses from one zone to another:
Drop — This is the default action for all traffic, as applied by the "class class-default" that terminates every inspect-type policy-map. Other class-maps within a policy-map can also be configured to drop unwanted traffic.
Traffic that is handled by the drop action is "silently" dropped (i.e., no notification of the drop is sent to the relevant end-host) by the ZFW, as opposed to an ACL\'s behavior of sending an ICMP “host unreachable”
message to the host that sent the denied traffic. Currently, there is not an option to change the "silent drop" behavior. The log option can be added with drop for syslog notification that traffic was dropped by the firewall.
Pass — This action allows the router to forward traffic from one zone to another. The pass action does not track the state of connections or sessions within the traffic. Pass only allows the traffic in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction. The pass action is useful for protocols such as IPSec ESP, IPSec AH, ISAKMP, and other inherently secure protocols with predictable behavior. However, most application traffic is better handled in the ZFW with the inspect action.
Inspect—The inspect action offers state-based traffic control. For example, if traffic from the private zone to the Internet zone in the earlier example network is inspected, the router maintains connection or session information for TCP and User Datagram Protocol (UDP) traffic. Therefore, the router permits return traffic sent from Internet-zone hosts in reply to private zone connection requests. Also, inspect can provide application inspection and control for certain service protocols that might carry vulnerable or sensitive application traffic.
Audit-trail can be applied with a parameter-map to record connection/session start, stop, duration, the data volume transferred, and source and destination addresses.

URL filtering allows you to control access to Internet websites by permitting or denying access to specific websites based on information contained in an URL list. You can maintain a local URL list on the router. If the Cisco IOS image on the router supports URL filtering but does not support Zone-based Policy Firewall (ZPF), you can maintain one local URL list on the router to add or edit an URLs. Enter a full domain name or a partial domain name and choose whether to Permit or Deny requests for this URL.
Source:
http://www.cisco.com/c/en/us/td/docs/routers/access/cisco_router_and_security_device_manager/24/ software/user/guide/URLftr.html#wp999509

None

As an enhancement to EAP-FAST, a differentiation was made to have a User PAC and a Machine PAC. After a successful machine-authentication, ISE will issue a Machine-PAC to the client. Then, when processing a user- authentication, ISE will request the Machine-PAC to prove that the machine was successfully authenticated, too. This is the first time in 802.1X history that multiple credentials have been able to be authenticated within a single EAP transaction, and it is known as "EAP Chaining".
Source:
http://www.networkworld.com/article/2223672/access-control/which-eap-types-do-you-need-for-which- identity-projects.html

A show crypto isakmp sa command shows the ISAKMP SA to be in MM_NO_STATE. This also means that main mode has failed.
Dstsrc state conn-id slot
10.1.1.2 10.1.1.1 MM_NO_STATE 1 0
Verify that the phase 1 policy is on both peers, and ensure that all the attributes match.
Source:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec- debug-00.html#isakmp_sa

In network computing, hairpinning (or NAT loopback) describes a communication between two hosts behind the same NAT device using their mapped endpoint. Because not all NAT devices support this communication configuration, applications must be aware of it.
Hairpinning is where a machine on the LAN is able to access another machine on the LAN via the external IP address of the LAN/router (with port forwarding set up on the router to direct requests to the appropriate machine on the LAN).
Source: https://en.wikipedia.org/wiki/Hairpinning

http://searchsecurity.techtarget.com/definition/proxy-firewall

None

None

The MD5 File Validation feature, added in Cisco IOS Software Releases 12.2(4)T and 12.0(22)S, allows network administrators to calculate the MD5 hash of a Cisco IOS software image file that is loaded on a device.
It also allows administrators to verify the calculated MD5 hash against that provided by the user. Once the MD5 hash value of the installed Cisco IOS image is determined, it can also be compared with the MD5 hash provided by Cisco to verify the integrity of the image file.
verify /md5 filesystem:filename [md5-hash]
Source:
http://www.cisco.com/c/en/us/about/security-center/ios-image-verification.html#11

Much commercial and free software enables you to encrypt files in an end-user workstation or mobile device. The following are a few examples of free solutions:
+ GPG: GPG also enables you to encrypt files and folders on a Windows, Mac, or Linux system. GPG is free.
+ The built-in MAC OS X Disk Utility: D isk Utility enables you to create secure disk images by encrypting files with AES 128-bit or AES 256-bit encryption.
+ TrueCrypt: A free encryption tool for Windows, Mac, and Linux systems.
+ AxCrypt: A f ree Windows-only file encryption tool.
+ BitLocker: Full disk encryption feature included in several Windows operating systems.
+ Many Linux distributions such as Ubuntu: A llow you to encrypt the home directory of a user with built-in utilities.
+ MAC OS X FileVault: Supports full disk encryption on Mac OS X systems. The following are a few examples of commercial file encryption software:
+ Symantec Endpoint Encryption
+ PGP Whole Disk Encryption
+ McAfee Endpoint Encryption (SafeBoot)
+ Trend Micro Endpoint Encryption
Source: Cisco Official Certification Guide, Encrypting Endpoint Data at Rest, p.501

Web-based threats continue to rise. To protect your network you need a solution that prevents them. Cisco Advanced Malware Protection (AMP) for Web Security goes beyond the basics in threat detection, URL filtering, and application control. It provides continuous file analysis, retrospective security, and sandboxing to help your security team catch even the stealthiest threats.
Source:
http://www.cisco.com/c/en/us/products/security/advanced-malware-protection/amp-for-web- security.html

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/product_data_sheet0900aecd80313 Product Overview
In today\'s business environment, network intruders and attackers can come from outside or inside the network.
They can launch distributed denial-of-service attacks, they can attack Internet connections, and they can exploit network and host vulnerabilities. At the same time, Internet worms and viruses can spread across the world in a matter of minutes. There is often no time to wait for human intervention-the network itself must possess the intelligence to recognize and mitigate these attacks, threats, exploits, worms and viruses.
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based solution that enables Cisco IOS Software to effectively mitigate a wide range of network attacks. While it is common practice to defend against attacks by inspecting traffic at data centers and corporate headquarters, distributing the network level defense to stop malicious traffic close to its entry point at branch or telecommuter offices is also critical.
Cisco IOS IPS: Major Use Cases and Key Benefits IOS IPS helps to protect your network in 5 ways:

Key Benefits:
• Provides network-wide, distributed protection from many attacks, exploits, worms and viruses exploiting vulnerabilities in operating systems and applications.
• Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as small and medium-sized business networks.
• Unique, risk rating based signature event action processor dramatically improves the ease of management of IPS policies.
• Offers field-customizable worm and attack signature set and event actions.
• Offers inline inspection of traffic passing through any combination of router LAN and WAN interfaces in both directions.
• Works with Cisco IOS® Firewall, control-plane policing, and other Cisco IOS Software security features to protect the router and networks behind the router.
• Supports more than 3700 signatures from the same signature database available for Cisco Intrusion Prevention System (IPS) appliances.

This command shows IPsec SAs built between peers - IPsec Phase2. The encrypted tunnel is build between 10.1.1.5 and 10.1.1.1 (the router from which we issued the command).

SCEP Profile Configuration on ISE
Within this design, ISE is acting as a Simple Certificate Enrollment Protocol (SCEP) proxy server, thereby allowing mobile clients to obtain their digital certificates from the CA server. This important feature of ISE allows all endpoints, such as iOS, Android, Windows, and MAC, to obtain digital certificates through the ISE. This feature combined with the initial registration process greatly simplifies the provisioning of digital certificates on endpoints.
Source:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/ BYOD_Design_Guide/BYOD_ISE.html

The types of private VLAN ports are as follows:
+ Promiscuous - The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN
+ Isolated - This port has complete isolation from other ports within the same private VLAN domain, except that it can communicate with associated promiscuous ports.
+ Community -- A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports.
These interfaces are isolated from all other interfaces in other communities and from all isolated ports within
the private VLAN domain.
Source:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/ CLIConfigurationGuide/PrivateVLANs.html#42874

The following are the most common types of malicious software:
+ Computer viruses
+ Worms
+ Mailers and mass-mailer worms
+ Logic bombs
+ Trojan horses
+ Back doors
+ Exploits
+ Downloaders
+ Spammers
+ Key loggers
+ Rootkits
+ Ransomware

:
Reference: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/objectgroups.html
Information About Object Groups
By grouping like objects together, you can use the object group in an ACE instead of having to enter an ACE for each object separately. You can create the following types of object groups:
•Protocol
•Network
•Service
•ICMP type
For example, consider the following three object groups:
•MyServices — Includes the TCP and UDP port numbers of the service requests that are allowed access to the internal network.
•TrustedHosts — Includes the host and network addresses allowed access to the greatest range of services and servers.
•PublicServers — Includes the host addresses of servers to which the greatest access is provided.
After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers.
You can also nest object groups in other object groups.

None

None

Agents are applications that reside on client machines logging into the Cisco ISE network. Agents can be persistent (like the AnyConnect, Cisco NAC Agent for Windows and Mac OS X) and remain on the client machine after installation, even when the client is not logged into the network. Agents can also be temporal (like the Cisco NAC Web Agent), removing themselves from the client machine after the login session has terminated.
Source:
http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010101.html

autocommand: (Optional) Causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line.
So after successfully logs in the Admin user sees the running configuration and immediately after is disconnected by the router. So removing the command lets keeps him connected.
Source:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-xe-3se-3850-cr-book/sec-s1-xe- 3se-3850-cr-book_chapter_0110.html

None