ASA Midterm Review

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

What command disables pinging to an interface on the ASA firewall itself? (2) Note: * Pinging an ASA interface from a host on that interface is allowed by default?

icmp deny

Information security deals principally with _ _

risk management

What can standard ACLs be used for?

route update filters VPN split-tunneling definitions

Same-security access allows traffic between same security interfaces to be permitted without any requirement for access lists. What command can be used to enable this ability?

same-security-traffic permit inter-interface

What command can you use to permit hairpin traffic?

same-security-traffic permit intra-interface

How can you view the startup configuration in flash? Note: * Startup config is stored in the 2nd partition along with the crash dump file

show startup-config

Auto NAT allows only how many NAT rules per network object?

1

For TCP, a connection will be removed from the state table if it is idle for more than _ hour by default.

1

How many maximum ACLs can you apply to a firewall interface in a specific direction?

1

When a client connects to a server via telnet, FTP, and HTTP simultaneously, the translation table would create _ translation slot(s) and _ connection slot(s)

1, 3

Two ways in which to launch ASDM:

1. Local appliance (use asdm-launcher.msi) 2. Java Web Start application

The NAT policy output consists of what 3 things?

1. MATCH CLAUSE for the traffic that should be matched 2. ACTION to be taken after a match (type of translation) 3. COUNTERS which includes translate_hits and untranslate_hits

If there is no ACL, outbound traffic is ____ by default

permitted

Static PAT is also called what? (2)**

port redirection

In 8.3 and above, the ACL must always reference the _ destination address.

real

(true/false) ACLs are not used to inspect a connection's state

true

(true/false) By default, a Cisco Security Appliance drops all traffic originating from a lower security boundary destined for a higher security boundary.

true

(true/false) If you define any explicit rules within a global ACL, all implicit interface ACLs (permit high to low) are removed.

true

(true/false) In ASA 8.3 and above, NAT Control is no longer a supported option.

true

(true/false) The ASA firewall permits only a single reply to an ICMP request.

true

(true/false) There is an implicit permit rule for outbound ICMP connections however the expected echo reply is dropped by the implicit deny for inbound connections.

true

For connectionless protocols such as ICMP, the ASA establishes _ sessions.

unidirectional

ASA provides a stateful process for which two types of traffic by default?

TCP, UDP

3 ways that an image can be transferred to the firewall.

TFTP, HTTP, AUS

(true/false) You can nest object groups of different types (network object and a service object group)

false

(true/false) You cannot configure multiple interfaces with the same level of security.

false

The ASA family of products is what type of firewall?

hybrid

What criteria can be matched to remove a TCP connection from the state table? (4 different things)

- FIN and FIN/ACK in TCP header control field - RST in TCP header control field (from client > server) - Connection is idle for more than 1 hr - Connection is removed with the clear xlate command

The NAT ID can be in the range of _ to _ billion.

0,2

Translation operations are evaluated in which order?

1. Static NAT 2. Static PAT 3. Identity NAT 4. Dynamic NAT 5. Dynamic PAT

What's the maximum throughput for stateful inspection with ASA 5505? (2)

150 mbps

ASA factory default configuration: What IP address is assigned by default for VLAN 1?

192.168.1.1

ASA factory default configuration: Which VLAN belongs to the outside and includes the E0/0 interface? Note: This VLAN derives its IP address using DHCP

2

For a UDP connection to be removed, it needs to be idle for more than _ minutes by default.

2

For an ICMP connection to be removed, it needs to be idle for more than _ seconds by default.

2

How many network objects are required to configure dynamic NAT?

2

If NAT is used, the ICMP connection is open for how many seconds after the ICMP reply?

2

Which Unified NAT section is used for translation rules that could conflict with the entries in the other sections? Note: * These entries are generally less specific * Used only if a packet does not match any translation rules from the other sections

3

A packet filter firewall works at which layer(s)?

3, 4

ASA interface command naming scheme

5505: ethernet0/(number) 5510: ethernet (slot)/(number) * Slot 0 = four fixed interfaces on the chassis * Slot 1 = optional SSM card * e0/0 = RIGHTMOST data interface on the chassis 5520: gigabitethernet0/0

PAT can handle a theoretical maximum of how many connections?

64000

What additional configuration does static NAT require? (long sentence)

ACL to permit traffic in the inbound direction

Once the enterprise's assets and their corresponding threats have been identified, risk management can take the form of what 4 things?

Acceptance, Mitigation, Transference, Avoidance

Typically what two conditions are required for a connection between firewall interfaces?

Address translation policy ACL

The following describes what type of firewall? * Intercepts users' communications * Acts on behalf of the user * Can perform stateful packet inspection + layer 7 inspection * Reassembles UDP + TCP sessions & can perform Deep Packet Inspection * Memory and CPU-intensive

Application

The following describes what type of firewall? * Devices that operate as intermediary agents on behalf of clients in the internal network * Clients send connection requests to this firewall and the firewall sends the request on behalf of the client

Application Proxy

What are the two major kinds of NAT in ASA 8.3? _ _ * Done inside the object * Only the source is used as match criteria * Does not take into consideration the destination of the traffic * Referred to as OBJECT NAT _ _ *Can be used to configure a single NAT rule that can translate both source + dest addresses in a packet * Known as TWICE NAT (NAT can be performed once on source and once on dest IP) * Typically used when configuring remote-access IPsec/SSL VPNs

Auto NAT, Manual NAT

What is used in ASA for authenticating telnet, HTTP, and FTP connections? (2)

Cut-through Proxy

What two things are used to establish authenticity and non-repudiation of a document/message?

Digital signatures, encryption

How do you define an enhanced service object? (long sentence) Hint: * object-group service (NAME)

Do not specify the protocol type (tcp,udp) after "object-group service (NAME)"

What type of NAT meets the following criteria: (2) * Used mostly for end-user outbound connections (unidirectional) * Inside end user receives an address from a pool of available addresses

Dynamic NAT

What is the greatest motive for attacks? (1)

Financial

On ASDM, what section provides security-related information about traffic that passes through the ASA? (2)

Firewall Dashboard

What type of file images can be stored in the ASA flash?

Firewall OS Firewall management application Firewall configuration

If the NAT ID is 0, what special type of NAT is this? (2) Hint: * This allows you to bypass the NAT requirement * Might be necessary for an application that does not support NAT

Identity NAT

What type of NAT uses the same inside address as the outside address? (2)

Identity NAT

What type of group in ASA is used in Identity-based firewalling for filtering traffic based on user identity and its group membership within Active Directory? (3)

Local User Group

What are the three sections of the Unified NAT table? (in order)

Manual NAT, Auto NAT, Manual NAT

For a network intrusion to occur, what 3 things must exist?

Motive, Means, Opportunity

what are the 4 main types of objects? ___ Used to group client hosts, server hosts, or subnets ___ Used to group protocols, can contain keywords such as icmp, ip, tcp, udp ___ Used to group ICMP message types to which you permit or deny access ___ Used to group TCP, UDP, or TCP-UDP port names/numbers assigned to a different service

Network, Protocol, ICMP-type, Service

What term refers to the ability to ensure that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message? (2)

Non repudiation

The following describes what type of firewall? * Traffic is examined based solely on values found in the packet's header * Rules based on source/dest addresses or ports, protocol type, etc * Resides at layer 3 & 4 * Forward/block decisions are made on each packet independently * Stateless * Statically configured rules/ACLs

Packet Filter

Cisco ASA uses two flash partitions. Where are OS images, ASDM images, config files, logging files, arbritrary files stored?

Partition 1 (flash:/)

What type of NAT translates internal addresses only if they are going to a particular destination? (2)

Policy NAT

On the ASA CLI, you can interrupt the output of a show command by using which letter? Note: * This is unlike IOS where you use Ctrl+C

Q

What is used in ASA to secure TCP connections? (3)

Secure Number Randomization

What type of group is used in TrustSec for filtering traffic based on information that is downloaded from an external identity repository such as Cisco ISE? (2)

Security Group

The level of security in any system can be defined by the strength of which three components?

Security, Functionality, Usability

What term is given to an attack that exploits the default scripts/code that comes with an OS/Application? (2)

Shrink Wrap

What are two possible solutions to the issue of having an outside DNS server servicing requests from internal clients through the ASA?**

Split DNS DNS Rewrite/A-record translation

In ASA 8.3, what concept is introduced which allows translation policies to be inserted in any order? (3) Notes: * NAT rules are placed in a NAT table, which has three sections * First rule that matches the packet being analyzed is always applied

Unified NAT Table

Before you can use ASDM, what information do you need to enter/configure? (select all that apply) a. Time b. Inside IP address c. SSH d. http server enable e. http (IP addr of authorized hosts) f. Hostname & domain name

a,b,d,e,f

Which command is used to bind an access list to an interface?

access-group

What command would you use if you wanted to apply a global ACL named "GLOBAL1" for the ASA?

access-group GLOBAL global

If you need to place a manual NAT rule after Auto NAT, what keyword should you specify when configuring a manual NAT rule?

after-auto

What command do you use to specify the ASDM image to use when booting? (2)

asdm image

For static NAT (permanent address assignments), the connection is _

bidirectional

What command should you use to specify which startup-config file/system image the system should use at the next reload? (1)

boot

Using a cloud hosting service for the purposes of insurance/using outside expertise is an example of what type of risk management? a. Acceptance b. Mitigation c. Transference d. Avoidance

c

What command would you use to delete ACLs?

clear config access-list

If you want to clear the entire running configuration on an ASA, what command would you type? (3)

clear configure all

If you wanted to clear all commands related to connectivity on the ASA, what command would you type (3)

clear configure primary

If you wanted to clear all commands not related to ASA connectivity, what would you enter? (3)

clear configure secondary

What command can be used to remove connections from the state table? (2)

clear xlate

Whenever you change a global pool, what command should you use to activate it correctly? (2)

clear xlate

What command can you issue on the ASA to load the default configuration back into the security appliance? Note: * This loads the configuration with the DHCP server and the management addresses preconfigured

configure factory-default

A Stateful Packet Filtering firewall maintains state information in a state table, referred to as a _ _ Note * The stateful packet inspection tracks source & dest ports & addresses, TCP seq numbers, flags

connection table

By default on an ASA, no packets can traverse the security appliance without which two things?

connection, state

What type of firewalls provide granular control of applications, comprehensive user identification, and location-based control? (2)

context aware

What details a set of actions that will be taken after the risk is realized and will lessen the impact of the compromise or loss of the asset? (2) Note: * This is what you would create if you accept a risk

contingency plan

When a Cisco ASA successfully authenticates a user, the firewall keeps the credentials cached so that additional connections can be quickly approved. The firewall acts as a ____authentication proxy so that no further authentication is needed.

cut-through

To enable DNS doctoring or DNS rewrite, what parameter must you add to a NAT static configuration?** Note: * DNS inspection must be enabled to support this functionality (check using show run policy-map)

dns

On the ASA, if you wanted to set the enable password to Cisco123, what would you type? Note: * Passwords that you enter will ALWAYS be encrypted after (no service password- encryption needed)

enable password Cisco123

What type of service group can contain a mix of protocols? (2)

enhanced service

Interface access rules are the most commonly used access control mechanism and permit or deny the ___ of connections through the ASA.

establishment

A security policy should be conceived at which level? Note: * A security policy should always take into account the vision, mission, and objectives of the organization

executive

Only which type of ACL can be used for applying to interfaces? (1)

extended

(true.false) The security appliance processes ACLs after address translation is performed.

false

(true/false) An ACL must be configured to allow returning traffic for established connections

false

(true/false) An ASDM image is loaded into flash. The ASA requires a reload.

false

(true/false) By default, ICMP is treated statefully on ASA

false

(true/false) By default, all ICMP packets through the ASA are permitted.

false

(true/false) If an interface ACL permits the initial outgoing packets on that interface you also need to make an ACL to permit return traffic.

false

(true/false) In the ASA, all packets in the same flow that match the connection are constantly checked against the ACL.

false

(true/false) On the ASA, you must use the "do" command in configuration mode

false

(true/false) There is a default username and password for ASDM.

false

(true/false) There is a greater risk of an attack from the inside than from the outside.

false

ASDM runs on an image stored on the ____ which is made available through an embedded Web server.

firewall

Where does the ASA OS originally reside? Hint: * The ASA will search for and run the first valid image file it can find from here

flash

Fill in the two types of proxies: _ proxy * Internet-facing proxy used to retrieve from a wide range of sources _ proxy * Internet-facing proxy used to control and protect access to a server on the private network (like an edge server) * Commonly also performs load balancing, authentication, decryption, caching

forward, reverse

Unlike Auto NAT which is configured inside an object, Manual NAT is configured directly in the _ configuration mode.

global

What was introduced in ASA 8.3 which allows inbound traffic (only) to be inspected coming in from ANY interface. (2) Note: * Interface ACLs take precedence

global ACL

By default, where does the ASA store its startup configuration in flash? (2)

hidden partition

An outbound packet arrives at a security appliance on a _ security level interface.

higher

By default, a Cisco Security Appliance allows traffic to flow from a _ security boundary/domain to a _ security boundary/domain. Note: * It uses security levels 0-100

higher, lower

To disable an extended access control entry, what keyword should be added at the end of the line?

inactive

You can deactivate a manual NAT statement by adding what keyword at the end of the statement?

inactive

A common strategy used with Cisco ASAs is to apply only ___ access rules to the various ASA interfaces. Note: * This simplifies configuration by using a consistent approach

inbound

Static NAT is used mostly for _ server connections.

inbound

Static NAT is used mostly for ____ server connections.

inbound

You are able to enable stateful processing of ICMP. What command can be used to achieve this? (2)

inspect icmp

What is created for any host that forwards traffic to or through the security appliance? (2)

local host

Fill in the blank: _ (inside) 1 10.0.1.0 255.255.255.0 * Used to allow a group of host to be translated * A mask is not required, however if it is not there then it will be treated as a single address (even if ends with 0) _ (outside) 1 50.1.1.5-50.1.1.10 * Used to assign a pool of public addresses to be used by NAT * If you specify a SINGLE address here, you configure PAT * If you specify a range, you configure NAT

nat, global

What command can be used to enforce NAT control? Note: * NAT enforcement is optional in ASA versions 7.0-8.2 * NAT control drops packets that have no translation rule (this can create another layer of access control)

nat-control

When you use static NAT to configure a range-to-range mapping, what is this called? (2) Note: * This is mapping one range of addresses in a network to a second network with the same range of addresses (10.10.10.0/26 - 172.20.10.0/26) * The advantage of this is the appliance can distinguish between host, network, and directed broadcast for a network number

net static

What are the two main types of objects? _____ * Can be used to define a single IP address, a range, or a subnet * This is used to identify the REAL or non-translated IP address in the NAT configuration _____ * Includes protocols or ports

network, service

What allows you to nest similar objects together to make for efficient configuration of ACEs in access lists? (2) This is used for the following reasons: * Simpler configuration * Mitigate misconfigurations * No performance impact

object groups

In ASA version 8.3+, what is NAT built around? (1)

objects

Dynamic NAT is used mostly for _ user connections.

outbound

Dynamic NAT is used mostly for ___ connections.

outbound

When undertaking risk transference, the details of the arrangement should be clearly stated in what type of contract? (3)

service level agreement

To show ACL hitcounts as well as expanded object groups, what command should be used?

show access-list

What command displays the number of active TCP and UDP connections and provides info about connections of various types? (2)

show conn

What command can you use to view the internal Flash memory?

show flash:

What command lets you display the network states of local hosts? (2) Note: * This command lets you show the translation and connection slots for the local hosts

show local-host

To view the order of NAT as well as translation hit counts, what command can you use? (2)

show nat

What command displays the policies that are looked up when translations are performed? (2)

show nat

What command can be used to show a "logical" view of configured ACLs?

show run access-list

To view a NAT configuration, which two places must you check to see what is being NAT'ed? (2 commands)

show run nat, show run object

What command displays the contents of the translation slots? (2)

show xlate

Organization policy terms: ___ * Mandatory rules, regulations, or activities (example: A certain cryptographic algorithm must be used for certain traffic) ___ * Recommendations, reference actions, operational guides ___ * Step-by-step instructions for performing specific tasks * Defines how all other documents are implemented within the operating environment ___ * Minimum level of security required for a given system type * Example: A list of unnecessary network services that should be disabled on every router

standards, guidelines, procedures, baselines

What is useful when you want an ASA to statically map multiple inside servers to one global IP address? (2) Note: * This is basically like having 2 servers on the inside network. One server accept requests on port 80 (web server), and another for port 25 (SMTP) * This allows you to save on global IP addresses

static PAT

ACLs applied to interfaces filter traffic flowing ____ the appliance.

through

Where should the more specific access control entries be placed?

top

In the NAT policy output (from show nat), there are two types of counters: ___hits * Provide counters for real to mapped address conversion ___hits * Provide counters for mapped to real address conversion

translate, untranslate

For traffic moving from a lower to higher security, the destination address argument of the ACL command is the ___ address

translated

When the first packet in a series of packets arrives at the security appliance from the inside interface, the appliance creates a _ _.

translation slot

Identity NAT creates what type of mapping? (1) Hint: * IP addresses on the higher security interface translate to themselves on all lower security interfaces

transparent

(true/false) A mapped network object or group can be used in multiple NAT rules. Note: object network (object-name) range/host (ip addr)

true

Cisco ASA maintains a translation called what? (2) Notes: * It maintains this for each protected host that can participate in connections * It contains the following: - Protocol used (ICMP,UDP,TCP) - Local and global interfaces, IP addrs, port #s - Flags - Connections - Timers - Uath bindings

xlate table


Set pelajaran terkait

Ch8 Political Participation & Voting

View Set

Hootsuite Platform Certification

View Set

PrepU CH 59: Assessment & Management of Patients with Hearing & Balance Disorders

View Set

CSC401 - Introduction to Programming, Ch2 - CSC401, CSC 401 Test 2, python, Python Programming Review, Introduction to Computer Programming: Python, Python Programming Test, Introduction to Python 3 Programming, Introduction to Programming in Python...

View Set

Polysaccharides (Complex Sugars)

View Set

Caffeine, Ephedrine, and Ma Huang

View Set