Network Auth Chapter 10, Network Auth Chapter 9, Network Auth Chapter 8
What wild card mask will match networks 172.16.0.0 through 172.19.0.0? 0.252.255.255 0.0.3.255 0.3.255.255 0.0.255.255 0.0.0.255
0.3.255.255
Which type of firewall is commonly part of a router firewall and allows or blocks traffic based on Layer 3 or 4 information? Packet filtering firewall. Next generation firewall. Stateful firewall. Proxy firewall.
Packet filtering firewall.
What are two benefits of implementing a firewall in a network? (Choose two.) A firewall will inspect network traffic and forward traffic based solely on the Layer 2 Ethernet MAC address. A firewall will sanitize protocol flow. A firewall will prevent unauthorized traffic from being tunneled or hidden as legitimate traffic through an enterprise network. A firewall will reduce security management complexity. A firewall will provide accessibility of applications and sensitive resources to external untrusted users.
A firewall will sanitize protocol flow. A firewall will reduce security management complexity.
Which statement describes a zone when implementing ZPF on a Cisco router? A zone establishes a security border of a network. Only one zone can be attached to a single interface. A zone is used to implement traffic filtering for either TCP or UDP. It does not require a remote connection to a Cisco device.
A zone establishes a security border of a network.
When implementing a ZPF, which statement describes a zone? A zone is a group of hardened computers known as bastion hosts. A zone is a group of one or more devices that provide backup and disaster recovery mechanisms. A zone is a group of administrative devices that protect against rogue access point installations. A zone is a group of one or more interfaces that have similar functions or features.
A zone is a group of one or more interfaces that have similar functions or features.
Which statement describes a factor to be considered when configuring a zone-based policy firewall? The router always filters the traffic between interfaces in the same zone. A zone must be configured with the zone security global command before it can be used in the zone-member security command. The classic firewall ip inspect command can coexist with ZPF as long as it is used on interfaces that are in the same security zones. No certificates are used by default. The type must be specified. An interface can belong to multiple zones.
A zone must be configured with the zone security global command before it can be used in the zone-member security command.
Which scenario would cause an ACL misconfiguration and deny all traffic? Apply a standard ACL using the ip access-group out command. Apply a named ACL to a VTY line. Apply a standard ACL in the inbound direction. Apply an ACL that has all deny ACE statements.
Apply an ACL that has all deny ACE statements.
Which statement describes one of the rules that govern interface behavior in the context of implementing a zone-based policy firewall configuration? An administrator can assign interfaces to zones, regardless of whether the zone has been configured. By default, traffic is allowed to flow among interfaces that are members of the same zone. By default, traffic is allowed to flow between a zone member interface and any interface that is not a zone member. An administrator can assign an interface to multiple security zones.
By default, traffic is allowed to flow among interfaces that are members of the same zone.
Designing a ZPF requires several steps. Which step involves defining boundaries where traffic is subjected to policy restrictions as it crosses to another region of the network? Design the physical infrastructure. Identify subsets within zones and merge traffic requirements. Establish policies between zones. Determine the zones.
Determine the zones.
When a Cisco IOS zone-based policy firewall is being configured, which two actions can be applied to a traffic class? (Choose two.) Forward. Copy. Log. Drop. Inspect.
Drop. Inspect.
Which ICMP message type should be stopped inbound? Echo-reply. Echo. Source quench. Echo-tango. Unreachable.
Echo
What is one benefit of using a next-generation firewall rather than a stateful firewall? Support of logging. Integrated use of an intrusion prevention system (IPS). Support of TCP-based packet filtering. Reactive protection against Internet threats.
Integrated use of an intrusion prevention system (IPS).
Which statement describes a feature of a zone-based policy firewall? It does not depend on ACLs. All traffic through a given interface is subject to the same inspection. It uses a flat, non-hierarchical data structure making it easier to configure and troubleshoot. The router security posture is to allow traffic unless explicitly blocked.
It does not depend on ACLs.
Which three layers of the OSI model include information that is commonly inspected by a stateful firewall? (Choose three.) Layer 1. Layer 2. Layer 3. Layer 4. Layer 5.
Layer 3. Layer 4. Layer 5.
Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.) Pass, inspect, and drop options can only be applied between two zones. Interfaces can be assigned to a zone before the zone is created. Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone. An interface can be assigned to multiple security zones. If traffic is to flow between all interfaces in a router, each interface must be a member of a zone. To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
Pass, inspect, and drop options can only be applied between two zones. If traffic is to flow between all interfaces in a router, each interface must be a member of a zone. To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
What are two characteristics of an application gateway firewall? (Choose two.) Provides an integrated intrusion prevention and detection feature. Cisco Unified Communications (voice and video) security. Uses a simple policy table look-up to filter traffic based on Layer 3 and Layer 4 information. Performs most filtering and firewall control in software. Analyzes traffic at Layers 3, 4, 5 and 7 of the OSI model. Uses connection information maintained in a state table and analyzes traffic at OSI Layers 3, 4, and 5.
Performs most filtering and firewall control in software. Analyzes traffic at Layers 3, 4, 5 and 7 of the OSI model.
Refer to the exhibit. A network administrator wants to create a standard ACL to prevent Network 1 traffic from being transmitted to the Research and Development network. On which router interface and in which direction should the standard ACL be applied? R1 Gi0/0 outbound. R2 S0/0/0 inbound. R1 S0/0/0 outbound. R2 Gi0/0 outbound. R2 Gi0/0 inbound. R1 Gi0/0 inbound.
R2 Gi0/0 outbound.
Which type of firewall generally has a low impact on network performance? Stateful firewall. Stateless firewall. Application gateway firewall. Next generation firewall.
Stateless firewall.
Refer to the exhibit. A network administrator is configuring an IPv6 ACL to allow hosts on the 2001:DB8:CAFE:10::/64 network to access remote web servers, except for PC1. However, a user on PC1 can successfully access the web server PC2. Why is this possible? The IPv6 ACL Deny_WEB is applied in the incorrect direction on router R1. The IPv6 ACL Deny_WEB is permitting all web traffic before the specific host is blocked. The IPv6 ACL Deny_WEB is applied to the wrong interface of router R1. The IPv6 ACL Deny_WEB is spelled incorrectly when applied to the interface.
The IPv6 ACL Deny_WEB is permitting all web traffic before the specific host is blocked.
Which statement accurately describes Cisco IOS zone-based policy firewall operation? A router interface can belong to multiple zones. Router management interfaces must be manually assigned to the self zone. Service policies are applied in interface configuration mode. The pass action works in only one direction.
The pass action works in only one direction.
In ZPF design, what is described as the self zone? The outward facing interface on the edge router. A predefined cluster of servers with configured interfaces. The router itself, including all interfaces with assigned IP addresses. A predefined cluster of routers with configured interfaces.
The router itself, including all interfaces with assigned IP addresses.
What method is used to apply an IPv6 ACL to a router interface? The use of the ipv6 traffic-filter command. The use of the access-class command. The use of the ipv6 access-list command. The use of the ip access-group command.
The use of the ipv6 traffic-filter command.
Refer to the exhibit. Which statement describes the function of the ACEs? These are optional ACEs that can be added to the end of an IPv6 ACL to allow ICMP messages that are defined in object groups named nd-na and nd-ns. These ACEs allow for IPv6 neighbor discovery traffic. These ACEs must be manually added to the end of every IPv6 ACL to allow IPv6 routing to occur. These ACEs automatically appear at the end of every IPv6 ACL to allow IPv6 routing to occur.
These ACEs allow for IPv6 neighbor discovery traffic.
Which statement is a characteristic of a packet filtering firewall? They are susceptible to IP spoofing. They filter fragmented packets. They have a high impact on network performance. They examine each packet in the context of the state of a connection.
They are susceptible to IP spoofing.
How does a firewall handle traffic that is originating from the DMZ network and traveling to a private network? Traffic is usually not filtered using firewall rules when it is originating from the DMZ network and traveling to a private network. Traffic is usually allowed when it is originating from the DMZ network and traveling to a private network. Traffic is usually blocked when it is originating from the DMZ network and traveling to a private network. Traffic is allowed when it is originating from the private network, but the response traffic from the DMZ network will be blocked.
Traffic is usually blocked when it is originating from the DMZ network and traveling to a private network.
When configuring a class map for a zone-based policy firewall, how is the match criteria applied when using the match-all parameter? Traffic must match all of the criteria solely defined by ACLs. Traffic must match at least one of the match criteria statements. Traffic must match all of the match criteria specified in the statement. Traffic must match the first criteria in the statement.
Traffic must match all of the match criteria specified in the statement.
Which type of traffic is usually blocked when implementing a demilitarized zone? Traffic that is returning from the public network and traveling to the DMZ network. Traffic originating from the private network and traveling to the DMZ network. Traffic originating from the DMZ network and traveling to the private network. Traffic that is returning from the DMZ network and traveling to the private network.
Traffic originating from the DMZ network and traveling to the private network.
In applying an ACL to a router interface, which traffic is designated as outbound? Traffic that is coming from the source IP address into the router. Traffic that is going from the destination IP address into the router. Traffic that is leaving the router and going toward the destination host. Traffic for which the router can find no routing table entry. The IP addresses of IPsec peers.
Traffic that is leaving the router and going toward the destination host.
What is the quickest way to remove a single ACE from a named ACL? Use the no access-list command to remove the entire ACL, then recreate it without the ACE. Copy the ACL into a text editor, remove the ACE, then copy the ACL back into the router. Use the no keyword and the sequence number of the ACE to be removed. Create a new ACL with a different number and apply the new ACL to the router interface.
Use the no keyword and the sequence number of the ACE to be removed.
Which operator is used in an ACL statement to match packets of a specific application? eq. gt. lt. established. implicit deny. match.
eq
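The ACL questions above (the wildcard mask covering 172.16.0.0 through 172.19.0.0, an ACL built only from deny ACEs, the Deny_WEB ordering mistake, removing one ACE by sequence number, and the eq operator) can all be checked against a small model of how Cisco-style ACLs are evaluated: first matching ACE wins, a wildcard 1 bit is "don't care", and an unmatched packet falls through to the implicit deny. The Python below is an added example written for this page, not code from the quiz or from Cisco IOS; the addresses, ports and sequence numbers are constructed, and the IPv6 Deny_WEB case is reproduced with IPv4 stand-in addresses.

```python
"""Added worked example (not from the original quiz): a minimal model of
Cisco-style ACL evaluation with wildcard masks, sequence numbers, the eq
operator and the implicit deny at the end of every ACL."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


def wildcard_for_range(first_net: str, last_net: str) -> tuple:
    """Return (base, wildcard) for the aligned block covering first_net..last_net.

    A wildcard mask is the inverse of a subnet mask: a 1 bit means "don't care".
    Every bit that differs between the first and last network, and every
    lower-order bit, must be a don't-care bit.
    """
    first = int(ipaddress.IPv4Address(first_net))
    last = int(ipaddress.IPv4Address(last_net))
    varying_bits = (first ^ last).bit_length()
    wildcard = (1 << varying_bits) - 1
    base = first & ~wildcard & 0xFFFFFFFF
    if base != first:
        # e.g. 172.17.0.0-172.19.0.0 would need 0.3.255.255, which also
        # matches 172.16.0.0: one ACE cannot express that range exactly.
        raise ValueError("range is not block-aligned; block would start at "
                         f"{ipaddress.IPv4Address(base)}")
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under the wildcard (0 bits must be equal)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class ACE:
    seq: int                        # sequence number; 'no <seq>' removes one ACE
    action: str                     # 'permit' or 'deny'
    src: str                        # source address
    wildcard: str                   # source wildcard ('0.0.0.0' is 'host')
    dst_port: Optional[int] = None  # the 'eq' operator on a destination port


class ACL:
    """Ordered ACL: ACEs are tried in sequence order, first match wins, and
    an unmatched packet hits the implicit deny at the end."""

    def __init__(self) -> None:
        self.aces = {}

    def add(self, ace: ACE) -> None:
        self.aces[ace.seq] = ace

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <seq>' inside a named ACL: one ACE goes, rest stay."""
        del self.aces[seq]

    def evaluate(self, src: str, dst_port: Optional[int] = None) -> str:
        for seq in sorted(self.aces):
            ace = self.aces[seq]
            if wildcard_match(src, ace.src, ace.wildcard) and \
               (ace.dst_port is None or ace.dst_port == dst_port):
                return ace.action
        return "deny"   # implicit deny any at the end of every ACL


def ordering_demo() -> tuple:
    """The Deny_WEB mistake: a broad permit placed before the host-specific
    deny means the deny is never reached. Constructed IPv4 stand-ins."""
    pc1 = "192.0.2.10"
    wrong = ACL()
    wrong.add(ACE(10, "permit", "192.0.2.0", "0.0.0.255", dst_port=80))
    wrong.add(ACE(20, "deny", pc1, "0.0.0.0", dst_port=80))
    right = ACL()
    right.add(ACE(10, "deny", pc1, "0.0.0.0", dst_port=80))
    right.add(ACE(20, "permit", "192.0.2.0", "0.0.0.255", dst_port=80))
    return wrong.evaluate(pc1, 80), right.evaluate(pc1, 80)


if __name__ == "__main__":
    print(wildcard_for_range("172.16.0.0", "172.19.0.0"))  # ('172.16.0.0', '0.3.255.255')
    print(ordering_demo())                                   # ('permit', 'deny')
```

Note that `wildcard_for_range` refuses a range that is not block-aligned: the "smallest block that covers the range" would silently admit addresses outside it, which is the usual way an over-broad ACE gets into production.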
What type of ACL offers greater flexibility and control over network access? named standard. numbered standard. flexible. extended. detracted.
extended
In what step of zone-based policy firewall configuration is traffic identified for policy application? Creating policy maps. Defining zones. Configuring class maps. Assigning policy maps to zones.
Configuring class maps.
Which type of firewall is supported by most routers and is the easiest to implement? Next generation firewall. Packet filtering firewall. Stateful firewall. Application gateway firewall.
Packet filtering firewall.
Which two protocols are stateless and do not generate connection information needed to build a state table? (Choose two.) UDP. HTTP. TCP. FTP. ICMP.
UDP. ICMP.
How does ZPF handle traffic between an interface that is a zone member and another interface that does not belong to any zone? pass. drop. allow. inspect.
drop
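The ZPF interface rules asked about above (same-zone traffic passes by default, a zone member talking to a non-member is dropped, a zone must exist before an interface can join it, an interface belongs to at most one zone, pass is one-way while inspect lets the reply back in, and no zone-pair means drop) are easy to get wrong from memory. The Python below is an added example written for this page, not code from the quiz or from Cisco IOS; it models only those rules, with made-up zone, interface and flow names, and does not model the self zone.

```python
"""Added example (not part of the quiz): a minimal model of the Cisco IOS
zone-based policy firewall interface rules."""
from dataclasses import dataclass, field

PASS, INSPECT, DROP = "pass", "inspect", "drop"


@dataclass
class ZPF:
    zones: set = field(default_factory=set)      # configured with 'zone security'
    members: dict = field(default_factory=dict)  # interface -> zone
    pairs: dict = field(default_factory=dict)    # (src zone, dst zone) -> action
    sessions: set = field(default_factory=set)   # replies allowed by 'inspect'

    def zone_security(self, name: str) -> None:
        """'zone security <name>' must come before 'zone-member security'."""
        self.zones.add(name)

    def zone_member(self, intf: str, zone: str) -> None:
        if zone not in self.zones:
            raise ValueError(f"zone {zone} not configured")
        if intf in self.members:
            raise ValueError(f"{intf} already in zone {self.members[intf]}")
        self.members[intf] = zone

    def zone_pair(self, src: str, dst: str, action: str) -> None:
        """One zone-pair with a single-class service policy; it is one-way."""
        for z in (src, dst):
            if z not in self.zones:
                raise ValueError(f"zone {z} not configured")
        self.pairs[(src, dst)] = action

    def forward(self, in_intf: str, out_intf: str, flow: str = "") -> str:
        """Fate of a packet arriving on in_intf and leaving on out_intf."""
        src = self.members.get(in_intf)
        dst = self.members.get(out_intf)
        if src is None and dst is None:
            return PASS      # ZPF does not touch interfaces outside any zone
        if src is None or dst is None:
            return DROP      # zone member <-> non-member is always dropped
        if src == dst:
            return PASS      # same-zone traffic flows by default
        if (src, dst, flow) in self.sessions:
            return PASS      # return traffic of a flow that was inspected
        action = self.pairs.get((src, dst), DROP)  # no zone-pair: drop
        if action == INSPECT:
            self.sessions.add((dst, src, flow))    # allow the reply direction
        return action


def demo() -> dict:
    """Constructed topology: two inside interfaces, one outside, one unzoned."""
    fw = ZPF()
    fw.zone_security("INSIDE")
    fw.zone_security("OUTSIDE")
    fw.zone_member("Gi0/0", "INSIDE")
    fw.zone_member("Gi0/1", "INSIDE")
    fw.zone_member("Se0/0/0", "OUTSIDE")
    # Gi0/2 is deliberately left out of every zone
    fw.zone_pair("INSIDE", "OUTSIDE", INSPECT)
    results = {
        "same zone": fw.forward("Gi0/0", "Gi0/1"),
        "member to non-member": fw.forward("Gi0/0", "Gi0/2"),
        "no zone-pair outside->inside": fw.forward("Se0/0/0", "Gi0/0", "http-1"),
        "inspected inside->outside": fw.forward("Gi0/0", "Se0/0/0", "http-1"),
        "reply of inspected flow": fw.forward("Se0/0/0", "Gi0/0", "http-1"),
    }
    # Swap inspect for pass: the outbound packet still goes, the reply does not
    fw.zone_pair("INSIDE", "OUTSIDE", PASS)
    fw.forward("Gi0/0", "Se0/0/0", "dns-2")
    results["reply after pass only"] = fw.forward("Se0/0/0", "Gi0/0", "dns-2")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The "reply after pass only" case is the one worth remembering: `pass` permits one direction and nothing else, so a policy that only passes outbound traffic needs a second zone-pair for replies, whereas `inspect` records the session and lets the return traffic through on its own.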