CCIE Security FAQ Security Technologies

Q1. DMZ stands for what?
a. Demilitarized zone
b. Demitted zone
c. Domain main zone
d. Domain name

Answer: a

Q2. When defining an extended access list, what TCP port numbers can you use?
a. Only predefined Cisco keywords
b. 0 to 65,000
c. 0 to 65,535
d. 1 to 65,534
e. None of the above

Answer: c
Explanation: TCP port numbers run from 0 to 65,535. The well-known services occupy 0 to 1023; client hosts such as PCs pick their source (ephemeral) ports from the range above that.

Q3. When defining an extended access list, what UDP port numbers can you use?
a. Only predefined Cisco keywords
b. 0 to 65000
c. 0 to 65535
d. 1 to 65534
e. None of the above

Answer: c
Explanation: UDP port numbers from 0 to 65535.

Q4. Which of the following is not a TCP service?
a. who
b. whois
c. finger
d. ftp
e. pop3

Answer: a
Explanation: who (rwho, UDP port 513) is a UDP service; whois, finger, ftp, and pop3 all run over TCP.

Q5. Which of the following is not a UDP service?
a. BGP
b. echo
c. domain
d. discard
e. rip
f. snmp

Answer: a
Explanation: BGP runs over TCP port 179.

Q6. For how many translations does PAT allow you to use one IP address?
a. 32,000
b. 64,000
c. 96,000
d. 128,000
e. 256,000

Answer: b
Explanation: Port Address Translation (PAT) modifies the source port number so that many hosts can share one public address. A TCP or UDP port number is a 16-bit field (0 to 65,535), so one address supports at most that many simultaneous translations, and answer b is the closest.

Q7. PAT translates all private addresses based on what?
a. Source port
b. Destination port
c. Both source and destination
d. None

Answer: a
Explanation: PAT keys each translation on the source port; the destination port is not altered. A Telnet connection, for example, uses a source port that the client picks from its ephemeral range (a value above the well-known ports, up to 65,535) and the fixed destination port 23.

Q8. NAT is which of the following?
a. Network Architectural Language
b. National anthem of Latvia
c. Network translation
d. Network Address Translation

Answer: d

Q9. NAT is defined in which RFC?
a. 1700
b. 1701
c. 2002
d. 1631
e. 1613

Answer: d
Explanation: NAT is defined in Request for Comments (RFC) 1631, which has since been obsoleted by RFC 3022.

Q10. The following defines which NAT terminology: “A legitimate registered IP address as assigned by the InterNIC?”
a. Inside local address
b. Outside global address
c. Inside global address
d. Outside local address

Answer: c

Q11. What IOS command defines the pool of registered (inside global) addresses that inside addresses are translated to?
a. ip nat inside
b. ip nat outside
c. ip nat pool
d. ip nat inside pool
e. ip nat outside pool

Answer: c

Q12. PIX stands for what?
a. Protocol interchange
b. Cisco Private Internet
c. Private Internet Exchange
d. Public Internet Exchange

Answer: c

Q13. To define how a PIX will route IP data, what is the correct syntax for a PIX 520?
a. ip route
b. route
c. ip route enable
d. default-network

Answer: b
Explanation: A PIX can run RIP or be configured for static routing; a default route is typically required so that end-user data can be sent to the Internet, for example.

Q14. What is the alias command’s function on a PIX firewall?
a. To define a local host name
b. To define the DNS server
c. Used in NAT environments where one IP address is translated into another.
d. Only applicable to Cisco IOS

Answer: c
Explanation: The PIX alias command is used in NAT configurations: it translates one IP address into another. For example, a private network might be using unregistered IP address space, and to give its users access to outside address space the alias command is used. The alias command on a Cisco IOS router is unrelated; there it only creates shortcuts for CLI commands.

Q15. CBAC stands for what?
a. CBAC is not a valid term
b. Cisco Business architectural centre
c. Context-based Access Control
d. Context-based Accelerated controller
e. Content-based arch. Centre

Answer: c

Q16. What is IKE used to accomplish?
a. NAT translations
b. Ensures that data is not sourced by the right sources
c. Ensures that data is not sourced by the wrong sources
d. No use
e. Both a and c

Answer: c
Explanation: Internet Key Exchange (IKE) negotiates the security associations and keys that IPsec uses and authenticates the peers, so the protected traffic a network accepts is known to come from an authorized source.

Q17. To create a simple VPN tunnel (unencrypted) between two sites, what must you do on a Cisco router?
a. Create a GRE tunnel
b. Create a routing map
c. Nothing, use a PIX
d. Create an IPSec tunnel

Answer: a
Explanation: A simple VPN tunnel requires a generic routing encapsulation (GRE) tunnel between two Cisco routers.
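
As an added example, not taken from the original page, the following configuration builds the GRE tunnel described above between two routers, R1 and R2. The public addresses 203.0.113.1 and 198.51.100.1, the tunnel subnet 172.16.0.0/30, and the site networks 10.1.0.0/16 and 10.2.0.0/16 are assumed for illustration.

```text
! Added example, not from the original page. All addresses are assumed.
! ---- R1 (public address 203.0.113.1, site network 10.1.0.0/16) ----
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 tunnel mode gre ip
!
! Send the remote site's traffic into the tunnel. The tunnel destination itself
! must stay reachable over the physical path, never through Tunnel0, or the
! tunnel flaps with recursive routing.
ip route 10.2.0.0 255.255.0.0 Tunnel0
!
! ---- R2 (public address 198.51.100.1, site network 10.2.0.0/16) ----
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.1
 tunnel mode gre ip
!
ip route 10.1.0.0 255.255.0.0 Tunnel0
```

GRE only wraps each packet in a new IP header (IP protocol 47); the payload crosses the Internet in the clear and unauthenticated, so anyone on the path can read it or inject into it. To turn this into the encrypted VPN of Question 32, the same tunnel is protected with IPsec (a crypto map on the physical interface or tunnel protection with an IPsec profile on Tunnel0), and IKE (Question 16) negotiates the keys. Confirm the tunnel is up with show interfaces Tunnel0; the line protocol comes up once a route to the tunnel destination exists.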

Q18. What does the term DMZ refer to?

Answer: The DMZ, or demilitarized zone, is an isolated segment of the network that hosts on the outside (the Internet, for example) can reach, while the firewall keeps it separated from the internal network.

Q19. What is the perimeter router’s function in a DMZ?

Answer: The perimeter router sits between the DMZ and the public domain. It is typically a high-performance router, or a pair of them, that performs a number of duties, including the following:

  • Access lists that restrict which IP addresses and networks can be reached
  • Restrictions on TCP services
  • Restrictions on which applications can be used
  • Routing protocols (typically BGP)

Q20. What two main transport layer protocols do extended access lists filter traffic through?

Answer: Extended access lists filter both TCP and UDP transport layer services.

Q21. Which of the following is not a TCP service?
a. Ident
b. ftp
c. pop3
d. pop2
e. echo

Answer: e
Explanation: Ident, ftp, and pop2/pop3 are TCP services. Echo (port 7) is actually defined for both TCP and UDP, and IOS accepts the echo keyword in both TCP and UDP access-list entries; it is the only option here that also appears in the UDP keyword list.

Q22. Name five UDP services that can be filtered with an extended access-list.

Answer: Cisco IOS can filter a number of UDP services, including the following:

  • biff—Biff (mail notification, comsat, 512)
  • bootpc—Bootstrap Protocol (BOOTP) client (68)
  • bootps—Bootstrap Protocol (BOOTP) server (67)
  • discard—Discard (9)
  • dnsix—DNSIX security protocol auditing (195)
  • domain—Domain Name Service (DNS, 53)
  • echo—Echo (7)
  • isakmp—Internet Security Association and Key Management Protocol (500)
  • mobile-ip—Mobile IP registration (434)
  • nameserver—IEN116 name service (obsolete, 42)
  • netbios-dgm—NetBIOS datagram service (138)
  • netbios-ns—NetBIOS name service (137)
  • netbios-ss—NetBIOS session service (139)
  • ntp—Network Time Protocol (123)
  • pim-auto-rp—PIM Auto-RP (496)
  • rip—Routing Information Protocol (router, in.routed, 520)
  • snmp—Simple Network Management Protocol (161)
  • snmptrap—SNMP traps (162)
  • sunrpc—Sun Remote Procedure Call (111)
  • syslog—System Logger (514)
  • tacacs—TAC Access Control System (49)
  • talk—Talk (517)
  • tftp—Trivial File Transfer Protocol (69)
  • time—Time (37)
  • who—Who service (rwho, 513)
  • xdmcp—X Display Manager Control Protocol (177)
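
As an added example, not taken from the original page, the following extended access list puts the TCP and UDP keywords above to work on the perimeter router of Question 19. The DMZ addresses (192.0.2.0/24, with a web server at .10, a mail server at .20, and a DNS server at .30) and the interface name Serial0 are assumed for illustration. Port keywords and numeric ports are interchangeable, and IOS rejects any value outside 0 to 65535.

```text
! Added example (not from the original page); addresses and interface names are assumed.
! Inbound filter on the Internet-facing link of a perimeter router protecting a DMZ.
access-list 101 remark --- services the DMZ offers to the Internet (TCP) ---
access-list 101 permit tcp any host 192.0.2.10 eq www
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit tcp any host 192.0.2.20 eq smtp
access-list 101 permit tcp any host 192.0.2.30 eq domain
access-list 101 remark --- the same DNS server, but over UDP ---
access-list 101 permit udp any host 192.0.2.30 eq domain
access-list 101 remark --- replies to sessions the DMZ itself opened (ACK or RST set) ---
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
access-list 101 remark --- UDP services that should never arrive from outside ---
access-list 101 deny   udp any any range 137 139
access-list 101 deny   udp any any eq snmp
access-list 101 deny   udp any any eq snmptrap
access-list 101 deny   udp any any eq tftp
access-list 101 deny   udp any any eq syslog
access-list 101 remark --- the implicit deny, made explicit so that hits are logged ---
access-list 101 deny   ip any any log
!
interface Serial0
 description Link to the ISP
 ip access-group 101 in
```

The established keyword matches only on the ACK or RST flag bits and keeps no session state, so any packet with those bits set passes; that weakness is what CBAC (Questions 29 to 31) addresses. Use show access-lists 101 to see the per-entry match counters and confirm which lines traffic is hitting.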

Q23. What RFC defines NAT?

Answer: Network Address Translation (NAT) is defined in RFC 1631, later obsoleted by RFC 3022.

Q24. In NAT, what is the inside local address used for?

Answer: The inside local address refers to the IP address that is assigned to a host on the internal network, that is, the logical address that is not being advertised to the Internet. A local administrator generally assigns this address. This address is NOT a legitimate Internet address.

Q25. What does the IOS command ip nat inside source list accomplish?

Answer: It enables translation of inside source addresses and defines which of them are translated, and so allowed to reach the Internet. The list keyword names the access list whose permit entries select the inside local source addresses; the rest of the command (a pool name or an interface, optionally with overload) names what they are translated to.

Q26. What are the four possible NAT translations on a Cisco IOS router?

Answer: The four NAT translation versions are as follows:

  • Static NAT—Maps an unregistered IP address to a registered IP address on a one-to-one basis.
  • Dynamic NAT—Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.
  • Overloading—A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address using different ports. Known also as Port Address Translation (PAT), single address NAT, or port-level multiplexed NAT.
  • Overlapping—When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses.
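
As an added example, not taken from the original page, the following IOS configuration shows the first three forms above (static, dynamic, and overloading) on one router, and with them the ip nat pool command of Question 11 and the ip nat inside source list command of Question 25. The inside networks 10.1.0.0/16 and 10.2.0.0/16, the registered addresses 203.0.113.2 and 203.0.113.8/29, and the interface names are assumed for illustration.

```text
! Added example, not from the original page. Addresses and interface names are assumed.
!
! Static NAT: inside local 10.1.1.10 is always reachable as inside global 203.0.113.10.
! Static entries are consulted before dynamic ones, so this host never uses the pool below.
ip nat inside source static 10.1.1.10 203.0.113.10
!
! Dynamic NAT: hosts permitted by access-list 1 borrow a free address from pool PUBLIC
ip nat pool PUBLIC 203.0.113.11 203.0.113.14 netmask 255.255.255.248
access-list 1 permit 10.1.0.0 0.0.255.255
ip nat inside source list 1 pool PUBLIC
!
! Overloading (PAT): hosts permitted by access-list 2 all share Serial0's own address
! and are told apart by the translated source port (roughly 64,000 per address)
access-list 2 permit 10.2.0.0 0.0.255.255
ip nat inside source list 2 interface Serial0 overload
!
! Mark the inside and outside interfaces; without both marks nothing is translated
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
```

Verify with show ip nat translations, which lists each entry under the headings Inside global, Inside local, Outside local, and Outside global (the terminology of Questions 10 and 24), and with show ip nat statistics; clear ip nat translation * removes the dynamic entries. The fourth form, overlapping networks, is configured with ip nat outside source commands and is not shown here.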

Q27. How many connections can be translated with a PIX firewall for the following RAM configurations: 16 MB, 32MB, or 128MB?

Answer: 16 MB of RAM supports up to 32,768 connections, 32 MB up to 65,536 connections, and 128 MB up to 260,000 connections.

Q28. When the alias command is applied to a PIX, what does it accomplish?

Answer: The alias command translates one address into another, and is used for translating unregistered IP addresses in a NAT environment.

Q29. What security features does the Cisco IOS Firewall feature set allow a network administrator to accomplish?

Answer: The Cisco IOS Firewall feature set consists of the following:

  • Context-based Access Control (CBAC) provides internal users secure, per-application access control for all traffic across perimeters, such as between private enterprise networks and the Internet.
  • Java blocking protects against unidentified, malicious Java applets.
  • Denial-of-service detection and prevention defends and protects router resources against common attacks, checking packet headers and dropping suspicious packets.
  • Audit trail details transactions, recording time stamp, source host, destination host, ports, duration, and total number of bytes transmitted.
  • Real-time alerts log alerts in case of denial-of-service attacks or other preconfigured conditions.

Q30. What does CBAC stand for?

Answer: Context-based Access Control

Q31. Name the eight possible steps to take when configuring CBAC.

Answer: To configure CBAC, the following tasks are required or optional:

  • Pick an internal or external interface. (Required)
  • Configure IP access lists at the interface. (Required)
  • Configure global timeouts and thresholds. (Required)
  • Define an inspection rule. (Required)
  • Apply the inspection rule to an interface. (Required)
  • Configure logging and audit trail. (Required)
  • Follow other guidelines for configuring a firewall. (Required)
  • Verify CBAC. (Optional)
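
As an added example, not taken from the original page, the following IOS configuration walks through the steps above on a router whose Serial0 faces the ISP and whose Ethernet0 faces the inside. The interface names, the rule name FW, the syslog host 10.1.1.50, and the trusted Java site 203.0.113.0/24 are assumed for illustration.

```text
! Added example, not from the original page. Interface names, the rule name FW,
! the syslog host and the trusted Java site are all assumed.
!
! Step 1: the external interface Serial0 is where the inspection rule will be applied.
! Step 2: inbound ACL on that interface. It blocks every unsolicited packet; CBAC inserts
! temporary entries in front of it for the return half of sessions it has watched leave.
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 deny   ip any any log
!
! Step 3: global timeouts and thresholds (half-open limits are the SYN-flood defense)
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
ip inspect one-minute high 400
ip inspect one-minute low 300
!
! Step 4: the inspection rule; http with a java-list allows applets only from sites in ACL 51
access-list 51 permit 203.0.113.0 0.0.0.255
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW http java-list 51
!
! Step 5: inspect sessions leaving through Serial0, with the ACL from step 2 facing inward
interface Serial0
 ip access-group 102 in
 ip inspect FW out
!
! Step 6: audit trail and a syslog destination for the per-session records and alerts
ip inspect audit-trail
logging 10.1.1.50
!
! Step 8 (optional): verify with "show ip inspect config" and "show ip inspect sessions"
```

Step 7, the general firewall guidelines, is not a single command; it covers things like disabling services the router does not need (no ip source-route, no service tcp-small-servers) and keeping the management plane off the outside interface. The audit trail records the time stamp, source and destination hosts, ports, duration, and byte counts listed in Question 29 for every inspected session.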

Q32. What is a virtual private network?

Answer: A virtual private network (VPN) lets traffic for a private network travel securely across a public TCP/IP network such as the Internet. The traffic is tunneled, that is, encapsulated inside new IP packets, and with IPsec the encapsulated packets are encrypted and authenticated at the IP level.

Q33. The following configuration is installed on a PIX 520. Users from the inside network 10.0.0.0/8 report to you that they cannot browse the Internet. What is the problem, and what command or commands will rectify the problem?

Answer: A Cisco PIX Firewall must NAT any unregistered address space. In particular, the private block 10.0.0.0/8 (RFC 1918) is not routable on the Internet, so you must either configure NAT to permit access or re-address the entire network, which is clearly not an exercise you will undertake often.

The following command will NAT all inside addresses:

Before anyone can reach the Internet, you must also tell the PIX where to send traffic. Remember that a PIX is not as intelligent as a router: it does not learn routes on its own unless the administrator configures RIP, so you must supply a route with the command shown here:

This command installs a default route where IP datagrams will be sent, typically, the perimeter router or ISP router.
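
As an added example, not taken from the original page, the following PIX OS 6.x configuration shows the NAT and routing steps described in this answer, together with the route command of Question 13. The interface addresses, the ISP router at 203.0.113.1, and the inside subnet 10.1.1.0/24 are assumed for illustration.

```text
: Added example, not from the original page; PIX OS 6.x syntax. The interface
: addresses, the ISP router 203.0.113.1 and the inside addressing are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.252
ip address inside 10.1.1.1 255.255.255.0
:
: Translate every inside source address (0.0.0.0 0.0.0.0 matches any) through NAT
: group 1, using PAT on the outside interface address so one registered address
: serves all inside hosts
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
:
: Default route: with no routing protocol running, this is the only way the PIX
: learns where to forward Internet-bound datagrams (the ISP or perimeter router)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Inside subnets that sit behind another router need their own route inside entries pointing at that router, since the PIX only knows its directly connected 10.1.1.0/24. Check the translations with show xlate and the routing table with show route.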

About the author

Scott
