(Security) Chapter 3 homework
Which statement describes a stateful firewall?
It can determine if the connection is in the initiation, data transfer, or termination phase.
A router has been configured as a classic firewall and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?
A dynamic ACL entry is added to the external interface in the inbound direction.
Refer to the exhibit. Which statement describes the output of the debug?
A user was successfully authenticated.
What are two characteristics of ACLs? (Choose two.)
A) Extended ACLs can filter on destination TCP and UDP ports. C) Extended ACLs can filter on source and destination IP addresses.
What are two characteristics of this access list? (Choose two.)
A) The access list has been applied to an interface. D) Any device on the 10.1.1.0/24 network (except the 10.1.1.2 device) can telnet to the router that has the IP address 10.1.1.1 assigned.
Refer to the exhibit. Router R1 has been configured as shown, with the resulting log message. On the basis of the information that is presented, which two statements describe the result of AAA authentication operation? (Choose two.)
A) The locked-out user failed authentication. E) The locked-out user stays locked out until the clear aaa local user lockout username Admin command is issued.
What is the result in the self zone if a router is the source or destination of traffic?
All traffic is permitted
Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)
B) password encryption C) utilization of transport layer protocols
Which two types of addresses should be denied inbound on a router interface that attaches to the Internet? (Choose two.)
B) private IP addresses D) any IP address that starts with the number 127
Which task is necessary to encrypt the transfer of data between the ACS server and the AAA-enabled router?
Configure the key exactly the same way on the server and the router
Refer to the exhibit. The network "A" contains multiple corporate servers that are accessed by hosts from the Internet for information about the corporation. What term is used to describe the network marked as "A"?
DMZ
What is the first required task when configuring server-based AAA authentication?
Enable AAA globally
What is the purpose of the none keyword in an AAA authentication configuration?
It performs no authentication, so a user who reaches it in the method list logs in without credentials. It is placed last so that login stays possible if every earlier method is unavailable (for example, all AAA servers unreachable). Note that IOS moves on to the next method only when a method returns an error, not when a method rejects the credentials, so none is not reached after a wrong password.
What is the biggest issue with local implementation of AAA?
Local implementation does not scale well.
Refer to the exhibit. What configuration would need to be applied to the vty lines in order to use this AAA policy?
No configuration is necessary
Consider the following access list command applied outbound on a router serial interface: access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo-reply What is the effect of applying this access list command?
No traffic will be allowed outbound on the serial interface (the only ACE is a deny, so everything else is dropped by the implicit deny any at the end of the list).
In the ZPF (or ZBF) configuration, which configuration is used to configure the action that will be taken on a certain type of traffic?
Policy-map
Which statement describes a difference between RADIUS and TACACS+?
RADIUS encrypts only the password whereas TACACS+ encrypts all communication
(Security) Chapter 4 homework
Refer to the exhibit. Router R1 is configured as shown. An administrative user attempts to use Telnet from router R2 to router R1 using the interface IP address 10.10.10.1. However, Telnet access is denied. Which option corrects this problem?
The administrative user should use the username Admin and password Str0ngPa55w0rd.
Why would a network administrator include a local username configuration, when the AAA-enabled router is also configured to authenticate using several ACS servers?
The local username database will provide a backup for authentication in the event the ACS servers become unreachable.
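The two AAA method-list questions above (the none keyword, and a local username as backup for the ACS servers) both come down to how IOS walks a method list: it tries the next method only when the current one cannot be consulted, and a rejected password ends the attempt. The model below is an added example written for this page, not Cisco code; the tacacs_group, local_db and none_method functions and the Admin account are constructed stand-ins for the real methods and database.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method accepted the credentials
    FAIL = "fail"    # the method rejected the credentials
    ERROR = "error"  # the method could not be consulted (e.g. server unreachable)


def tacacs_group(servers_reachable, accounts):
    """Hypothetical 'group tacacs+' method: ERROR when no ACS server answers."""
    def method(user, password):
        if not servers_reachable:
            return Result.ERROR
        return Result.PASS if accounts.get(user) == password else Result.FAIL
    return method


def local_db(accounts):
    """Hypothetical 'local' method backed by the router's username database."""
    def method(user, password):
        return Result.PASS if accounts.get(user) == password else Result.FAIL
    return method


def none_method(user, password):
    """The 'none' keyword: no authentication is performed, so it always passes."""
    return Result.PASS


def authenticate(method_list, user, password):
    """Walk the list in order. Only an ERROR moves on to the next method;
    a PASS or FAIL from any method is the final answer."""
    for name, method in method_list:
        result = method(user, password)
        if result is Result.PASS:
            return ("pass", name)
        if result is Result.FAIL:
            return ("fail", name)
        # ERROR: this method was unavailable, fall through to the next one
    return ("fail", "no method could be consulted")


# Constructed accounts for the example; the ACS copy and the local copy agree.
ACS_ACCOUNTS = {"Admin": "Str0ngPa55w0rd"}
LOCAL_ACCOUNTS = {"Admin": "Str0ngPa55w0rd"}


def with_local_backup(servers_up, password):
    """Equivalent of: aaa authentication login default group tacacs+ local"""
    methods = [("group tacacs+", tacacs_group(servers_up, ACS_ACCOUNTS)),
               ("local", local_db(LOCAL_ACCOUNTS))]
    return authenticate(methods, "Admin", password)


def with_none_fallback(servers_up, password):
    """Equivalent of: aaa authentication login default group tacacs+ none"""
    methods = [("group tacacs+", tacacs_group(servers_up, ACS_ACCOUNTS)),
               ("none", none_method)]
    return authenticate(methods, "Admin", password)


if __name__ == "__main__":
    print(with_local_backup(False, "Str0ngPa55w0rd"))  # servers down: local answers
    print(with_local_backup(True, "wrong"))            # ACS rejects: local never asked
    print(with_none_fallback(False, "anything"))       # servers down: none lets the user in
    print(with_none_fallback(True, "wrong"))           # ACS rejects: none is not reached
```

The last two calls are the point of the none question: none only helps when the earlier methods error out, and it is a blanket open door in that situation, which is why it belongs only at the end of a list and only where loss of console access would be worse.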
Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?
The packet is dropped.
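The stateful-firewall questions in Chapter 3 (the state table, the dynamic ACL entry added inbound on the external interface) and this exhibit question are the same mechanism seen from two sides: an outbound connection records a session, and an inbound packet gets through the blocking inbound ACL only if it is the return half of a recorded session. The simulation below is an added example for this page, not Cisco code; the packets, including the one from the question (172.30.1.50:23 to 10.0.0.3:2447), are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Inside interface trusted; outside interface carries an inbound ACL that
    denies everything not covered by a dynamic entry derived from the state table."""

    def __init__(self):
        # state table: one entry per session initiated from the inside,
        # keyed (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.state = set()

    def outbound(self, pkt):
        """Inside -> outside traffic is inspected and the session recorded."""
        self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt):
        """Outside -> inside traffic passes only as return traffic of a session."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.state else "drop"

    def terminate(self, pkt):
        """Termination phase: the session entry (and its dynamic ACE) go away."""
        self.state.discard((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))


# Constructed: the packet from the exhibit question, source port 23, destination port 2447
HACKER_PKT = Packet("tcp", "172.30.1.50", 23, "10.0.0.3", 2447)
# Constructed: the inside host opening a Telnet session to that outside address
INSIDE_TELNET = Packet("tcp", "10.0.0.3", 2447, "172.30.1.50", 23)


def unsolicited():
    """No inside host has opened a session: the packet is dropped."""
    fw = StatefulFirewall()
    return fw.inbound(HACKER_PKT)


def legitimate_return():
    """Same packet, but now it is the reply to an inside-initiated session."""
    fw = StatefulFirewall()
    fw.outbound(INSIDE_TELNET)
    return fw.inbound(HACKER_PKT)


def wrong_port_return():
    """A reply to a different inside port does not match the entry."""
    fw = StatefulFirewall()
    fw.outbound(INSIDE_TELNET)
    return fw.inbound(Packet("tcp", "172.30.1.50", 23, "10.0.0.3", 2448))


def after_termination():
    """Once the session is torn down, the same reply is dropped again."""
    fw = StatefulFirewall()
    fw.outbound(INSIDE_TELNET)
    fw.terminate(INSIDE_TELNET)
    return fw.inbound(HACKER_PKT)


if __name__ == "__main__":
    for case in (unsolicited, legitimate_return, wrong_port_return, after_termination):
        print(f"{case.__name__}: {case()}")
```

The spoofed source port 23 is what makes the question interesting: a plain ACL that permits "established" or source-port-23 traffic would let this packet in, while the stateful check rejects it because nothing on the inside ever opened that session.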
Refer to the exhibit. Which statement describes the configuration of the ports for Server1?
The ports configured for Server1 on the router must be identical to those configured on the RADIUS server.
Refer to the exhibit. Which statement describes the function of the ACEs?
These ACEs allow for IPv6 neighbor discovery traffic.
What is a drawback of the local database method of securing device access that can be solved by using AAA with centralized servers?
User accounts must be configured locally on each device, which is an unscalable authentication solution
In the ZPF (or ZBF) configuration, which configuration is used to specify a unidirectional firewall policy between two security zones?
Zone-pair
Which component of AAA allows an administrator to track individuals who access network resources and any changes that are made to those resources?
accounting
In general, which ICMP message type should be stopped inbound?
echo (ICMP echo request)
When a Cisco IOS Zone-Based Policy Firewall is being configured, which action should be used to make the firewall really stateful? (Choose the best one.)
inspect
Where is the firewall policy applied when using Classic Firewall?
interfaces.
Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic?
ipv6 traffic-filter ENG_ACL in
If the provided statements are in the same ACL, which statement should be listed first in the ACL according to best practice?
permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
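Both ACL questions on this page (the outbound access-list 100 in Chapter 3 that ends up blocking everything, and the ordering question just above) follow from two rules: ACEs are evaluated top to bottom and the first match wins, and every ACL ends in an implicit deny any. The evaluator below is an added example written for this page, not IOS code; it parses the ACE syntax used on the page (any, host, network plus wildcard, eq port, ICMP type) and the "deny udp ... any" line paired with the snmptrap permit is a constructed general statement to show why the specific one must come first.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the port names IOS accepts after "eq", enough for this example
PORTS = {"telnet": 23, "domain": 53, "www": 80, "snmptrap": 162}


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None   # e.g. "echo", "echo-reply"


@dataclass(frozen=True)
class ACE:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard masks: a 0 bit must match, a 1 bit is don't-care."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def parse_ace(line):
    """Parse '<action> <proto> <src> <dst> [eq <port> | <icmp-type>]'.
    Only a destination 'eq' is handled, which covers the lines on this page."""
    toks = line.split()
    action, proto, i = toks[0], toks[1], 2

    def address():
        nonlocal i
        if toks[i] == "any":
            i += 1
            return "0.0.0.0", "255.255.255.255"
        if toks[i] == "host":
            i += 2
            return toks[i - 1], "0.0.0.0"
        i += 2
        return toks[i - 2], toks[i - 1]

    src, src_wc = address()
    dst, dst_wc = address()
    dport = icmp_type = None
    if i < len(toks):
        if toks[i] == "eq":
            dport = PORTS.get(toks[i + 1]) or int(toks[i + 1])
        elif proto == "icmp":
            icmp_type = toks[i]
    return ACE(action, proto, src, src_wc, dst, dst_wc, dport, icmp_type)


def matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)
            and (ace.dport is None or ace.dport == pkt.dport)
            and (ace.icmp_type is None or ace.icmp_type == pkt.icmp_type))


def evaluate(acl, pkt):
    """First matching ACE decides; no match hits the implicit deny any."""
    for ace in map(parse_ace, acl):
        if matches(ace, pkt):
            return ace.action
    return "deny"


# The Chapter 3 access-list 100: its single ACE is a deny, so nothing is ever permitted
ACL_100 = ["deny icmp 192.168.10.0 0.0.0.255 any echo-reply"]
WEB_FROM_LAN = Packet("tcp", "192.168.10.7", "203.0.113.9", 80)   # constructed

# Ordering: the page's specific permit next to a constructed broader deny
SPECIFIC = "permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap"
GENERAL = "deny udp 172.16.0.0 0.0.255.255 any"
TRAP = Packet("udp", "172.16.20.4", "172.16.1.5", 162)              # constructed


def web_through_acl_100():
    return evaluate(ACL_100, WEB_FROM_LAN)      # "deny" via the implicit deny


def specific_first():
    return evaluate([SPECIFIC, GENERAL], TRAP)  # "permit"


def general_first():
    return evaluate([GENERAL, SPECIFIC], TRAP)  # "deny": the permit is never reached
```

The general-first result is the practical reason for the ordering rule: a later, more specific ACE is dead code once a broader one above it matches the same traffic, and IOS gives no warning when that happens.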
When using 802.1X authentication, what device controls physical access to the network, based on the authentication status of the client?
the switch that the client is connected to.
What port state is used by 802.1X if a workstation fails authorization?
unauthorized