Chapter 4 Test Security


Which type of packet is unable to be filtered by an outbound ACL?

router-generated packet

Which two types of addresses should be denied inbound on a router interface that attaches to the Internet? (Choose two.)

private IP addresses, and any IP address that starts with the number 127

Which command will verify a Zone-Based Policy Firewall configuration?

show running-config

Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model?

A packet-filtering firewall typically can filter up to the transport layer, while a stateful firewall can filter up to the session layer

When an inbound Internet-traffic ACL is being implemented, what should be included to prevent the spoofing of internal networks?

ACEs to prevent traffic from private address spaces

When implementing an inbound Internet traffic ACL, what should be included to prevent the spoofing of internal networks?

ACEs to prevent traffic from private address spaces

What is the result in the self zone if a router is the source or destination of traffic?

All traffic is permitted

Which statement describes one of the rules governing interface behavior in the context of implementing a zone-based policy firewall configuration?

By default, traffic is allowed to flow among interfaces that are members of the same zone.

What is the first step in configuring a Cisco IOS zone-based policy firewall using the CLI?

Create zones.

Consider the following access list.

access-list 100 permit ip host 192.168.10.1 any
access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo
access-list 100 permit ip any any

Which two actions are taken if the access list is placed inbound on a router Gigabit Ethernet port that has the IP address 192.168.10.254 assigned? (Choose two.)

Devices on the 192.168.10.0/24 network are not allowed to ping other devices on the 192.168.11.0 network.
A Telnet or SSH session is allowed from any device on the 192.168.10.0 into the router with this access list assigned.

Refer to the exhibit. The network "A" contains multiple corporate servers that are accessed by hosts from the Internet for information about the corporation. What term is used to describe the network marked as "A"?

DMZ

When a Cisco IOS Zone-Based Policy Firewall is being configured via CLI, which step must be taken after zones have been created?

Establish policies between zones.

When a Cisco IOS Zone-Based Policy Firewall is being configured, which two actions can be applied to a traffic class?

Drop, Inspect

In general which ICMP message type should be stopped inbound?

ECHO

Which two rules about interfaces are valid when implementing a Zone-Based Policy Firewall? (Choose two.)

If neither interface is a zone member, then the action is to pass traffic.
If both interfaces are members of the same zone, all traffic will be passed.

Where is the firewall policy applied when using Classic Firewall?

Interfaces

Which statement describes a stateful firewall?

It can determine if the connection is in the initiation, data transfer, or termination phase.

Consider the following access list command applied outbound on a router serial interface:

access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo reply

What is the effect of applying this access list command?

No traffic will be allowed outbound on the serial interface.

A network administrator is implementing a Classic Firewall and a Zone-Based Firewall concurrently on a router. Which statement best describes this implementation?

The two models cannot be implemented on a single interface.

Refer to the exhibit.

permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any

Which statement describes the function of the ACEs?

These ACEs allow for IPv6 neighbor discovery traffic.

In the ZPF (or ZBF) configuration, which configuration is used to specify a unidirectional firewall policy between two security zones?

Zone-pair

Class maps identify traffic and traffic parameters for policy application based on which three criteria? (Choose three.)

access group, protocol, subordinate class map

In addition to the criteria used by extended ACLs, what conditions are used by a classic firewall to filter traffic?

application layer protocol session information

What is one benefit of using a stateful firewall instead of a proxy server?

better performance

When a Cisco IOS Zone-Based Policy Firewall is being configured, which action should be used to make the firewall really stateful? (Choose the best one.)

inspect

Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic?

ipv6 traffic-filter ENG_ACL in

What is one limitation of a stateful firewall?

not as effective with UDP- or ICMP-based traffic

The ________ action in a Cisco IOS Zone-Based Policy Firewall is similar to a permit statement in an ACL.

pass

If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?

permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap

Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router?

self zone

Which two parameters are tracked by CBAC for TCP traffic but not for UDP traffic? (Choose two.)

sequence number, SYN and ACK flags

For a stateful firewall, which information is stored in the stateful session flow table?

source and destination IP addresses, and port numbers and sequencing information associated with a particular session

A _________ firewall monitors the state of connections as network traffic flows into and out of the organization.

stateful

A company is deploying a new network design in which the border router has three interfaces. Interface Serial0/0/0 connects to the ISP, GigabitEthernet0/0 connects to the DMZ, and GigabitEthernet0/1 connects to the internal private network. Which type of traffic would receive the least amount of inspection (have the most freedom of travel)?

traffic that is going from the private network to the DMZ

A router has been configured as a classic firewall and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?

A dynamic ACL entry is added to the external interface in the inbound direction.

Which statement correctly describes how an ACL can be used with the access-class command to filter vty access to a router?

An extended ACL can be used to restrict vty access based on specific source addresses and protocol but the destination can only specify the keyword any.

What are two characteristics of ACLs? (Choose two.)

Extended ACLs can filter on destination TCP and UDP ports. Extended ACLs can filter on source and destination IP addresses.

In the ZPF (or ZBF) configuration, which configuration is used to configure the action that will be taken on a certain type of traffic?

Policy-map

R1# show access-lists
Extended IP access list 100
    deny tcp host 10.1.1.2 host 10.1.1.1 eq telnet
    deny tcp host 10.1.1.2 host 10.1.2.1 eq telnet
    permit ip any any (15 Matches)

What are two characteristics of this access list? (Choose two.)

The access list has been applied to an interface.
Any device on the 10.1.1.0/24 network (except the 10.1.1.2 device) can telnet to the router that has the IP address 10.1.1.1 assigned.

Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?

The packet is dropped.

Which statement describes a typical security policy for a DMZ firewall configuration?

Traffic that originates from the DMZ interface is selectively permitted to the outside interface.

To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?

echo reply

If the provided statements are in the same ACL, which statement should be listed first in the ACL according to best practice?

permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
