CCNA Security FAQ: Using Cisco IOS Firewalls to Implement a Network Security Policy

Question. Which of the following is the best description of a firewall? (Choose one.)
A. Firewalls statefully inspect reply packets to determine whether they match the expected state of a connection in the state table.

B. Firewalls statically inspect packets in both directions and filter on layer 3 and layer 4 information.

C. A firewall is a system or a group of systems that enforce an access control policy between two networks.

D. A firewall is any device that blocks access to a protected network.

E. None of the above.

Answer: C. Answers A and B define types of firewalls. Answer D is incorrect.
Question. A static packet-filtering firewall does which of the following?

A. It analyzes network traffic at the network and transport protocol layers.

B. It evaluates network packets for valid data at the application layer before allowing connections.

C. It validates the fact that a packet is either a connection request or a data packet belonging to a connection.

D. It keeps track of the actual communication process through the use of a state table.

Answer: A
Question. Which of the following are advantages of an application layer firewall? (Choose all that apply.)
A. It authenticates individuals, not devices.
B. It makes it more difficult to spoof and implement DoS attacks.
C. It allows monitoring and filtering transport data.
D. It provides verbose auditing.

Answer: A and B
Question. Application inspection firewalls are aware of the state of which layers? (Choose all that apply.)
A. Layer 2 connections
B. Layer 3 connections
C. Layer 4 connections
D. Layer 5 connections

Answer: B and D
Question. Which of the following is not a limitation of a stateful firewall?
A. It does not work well with applications that open multiple connections.
B. It cannot defend against spoofing and DoS attacks.
C. User authentication is not supported.
D. It does not prevent application layer attacks.

Answer: B
Question. Which of the following firewall best practices can help mitigate worm and other automated attacks?
A. Segment security zones
B. Use logs and alerts
C. Restrict access to firewalls
D. Set connection limits

Answer: D
Question. When creating an extended ACL, which of the following number ranges may be used? (Choose all that apply.)
A. 1 to 99
B. 100 to 199
C. 1300 to 1999
D. 2000 to 2699

Answer: B and D

Question. Which of the following define characteristics of a firewall? (Choose all that apply.)
A. Enforces the access control policy of an organization.
B. Must be hardened against attacks.
C. Must be the only transit point between networks.
D. Completely eliminates the risk of network compromise.
E. All of the above.

Answer: A, B, and C are correct. Answer D is incorrect because no firewall can eliminate risk. Firewalls mitigate risk.

Question. True or false. Transparent firewalls mitigate the risk of attack by applying rich layer 3 through 7 inspection services to the traffic transiting the firewall.

Answer: False. Transparent firewalls mitigate the risk of attack by applying rich inspection services from layer 2 through 7 of the OSI model. They are “transparent” in the same way that a LAN switch is transparent to layer 3 devices.

Question. Consider the following output for your answer: What sequence of commands would you enter to add a line at the beginning of the ACL that permits packets for established TCP sessions?

(Output 5-1 is not reproduced on this page.)

A. configure terminal ip access-list extended 101 5 permit tcp any any established.

B. configure terminal ip access-list name 101 5 permit tcp any any established.

C. configure terminal ip access-list extended 101 line 5 permit tcp any any established.

D. configure nacl 10 permit tcp any any established.

E. configure extended-nacl permit line 5 session-established.

F. None of the above.

Answer: A is correct. With version 12.3 of the Cisco IOS, you can insert and delete lines in numbered ACLs, both standard and extended. The other answers are made up and use a mix of existing and nonexistent commands to try to trick you.

Question. Fill in the blank in the sequence below for editing an existing access control list in the Cisco SDM.

(Figure 5-2, the sequence referred to, is not reproduced on this page.)
A. Firewall rules
B. Additional tasks
C. Policy editor
D. Perimeter security
E. None of the above.

Answer: B is correct.
Question. Each Cisco ACL ends with which of the following?
A. An explicit allow all
B. An implicit deny all
C. An implicit allow all
D. An explicit deny all

Answer: B
Question. To view the status of your Turbo ACLs, which command would you use?
A. show access-list status
B. show access-list turbo compiled
C. show access-list compiled
D. show access-list complete

Answer: C
Question. Which of the following are true of the Turbo ACL feature? (Choose all that apply.)
A. The Turbo ACL feature processes ACLs into lookup tables for greater efficiency.

B. Turbo ACLs increase the CPU load by matching the packet to a predetermined list.

C. The Turbo ACL feature leads to reduced latency, because the time it takes to match the packet is fixed and consistent.

D. The Turbo ACL feature leads to increased latency, because the time it takes to match the packet is variable.

Answer: A and C
Question. You examine your IDS Event Viewer and find that the IP address 192.168.15.10 keeps appearing. You determine that your web server is under attack from this IP and would like to resolve this permanently. What happens if you place this address at the bottom of the ACL?
A. Attacks from this IP address will be blocked because of the line you have added.

B. Attacks will continue. This line will never be reached, because above this line is a permit any statement.

C. ACLs may not be used to block traffic originating outside your network address range.

D. ACLs may not be modified after they are created.

Answer: B

Question. Match the protocols in the numbered list below with the letter corresponding to their protocol ID in an IP packet.

  1. EIGRP
  2. UDP
  3. ICMP
  4. GRE
  5. ESP
  6. TCP

A. 1
B. 6
C. 17
D. 47
E. 50
F. 88

Answer: 1—F; 2—C; 3—A; 4—D; 5—E; 6—B.

Question. Certain source IP addresses should be filtered using ACLs to prevent IP spoofing attacks. Which of the following should be filtered? (Choose all that apply.)
A. All-1s source IP addresses
B. Any address starting with a zero
C. IP multicast addresses
D. Reserved private IP addresses
E. All of the above

Answer: E, All of the above. IP ACLs should also filter local addresses in the 127.0.0.0/8 range.

Question. True or false. Cisco specifically recommends against allowing ICMP echoes and ICMP redirects inbound.

Answer: True. Cisco recommends against ICMP echoes because they are useful for network reconnaissance, and against ICMP redirects because they might allow an attacker to hijack routing as part of a Man-in-the-Middle (MiM) attack.

Question. True or false. The Cisco IOS Zone-Based Policy Firewall (ZPF) is not used solely to implement a Stateful Packet Inspection (SPI) firewall.

Answer: True. ZPF policy maps can take inspect, drop, or pass actions on traffic. The drop and pass actions are analogous to deny and permit actions on an ACL and are not stateful.
Question. Cisco IOS classic firewall can provide network protection on multiple levels using all of the following except which item?
A. Traffic zoning
B. Traffic filtering
C. Traffic inspection
D. Intrusion prevention

Answer: A
Question. Cisco IOS Release 12.4(6)T added which of the following capabilities to the Cisco IOS Firewall? (Choose all that apply.)
A. Application inspection
B. A default deny-all policy
C. URL filtering
D. Subnet and host inspection policies

Answer: B and D
Question. Interfaces may be assigned to how many security zones?
A. Four
B. One
C. Two
D. Subnets are assigned to zones, not interfaces.

Answer: B
Question. Which two actions can be configured to permit traffic to traverse an interface when zone-based security is being employed? (Choose two.)
A. Allow
B. Inspect
C. Pass
D. Flow

Answer: B and C
Question. Creating Cisco IOS zone-based firewall policies involves which of the following constructs? (Choose all that apply.)
A. Class map
B. Class policy
C. Policy map
D. Parameter map
E. Policy action

Answer: A, C, and D

Question. Consider the following scenario: A firewall has five interfaces, two of which are not associated with security zones:

  • Two interfaces are in the INTERNET zone.
  • One interface is in the INSIDE zone.
  • Two interfaces are not in any zone.

What is the default rule for traffic that originates from one of the two interfaces that are not in any zone and is destined for an interface in the INTERNET security zone?
A. The traffic is dropped.

B. The traffic is passed because it’s going to the Internet.

C. The traffic is either permitted or denied based on the actions in the policy map if it has been applied to the zone pair.

D. The traffic is passed because the default policy map action is to pass traffic that doesn’t have a specific match.

E. None of the above.

Answer: A is correct. Recall that one of the advantages of ZPF is that the firewall becomes a “deny all” firewall for all traffic that doesn’t have an explicit action that will permit it to pass.

About the author

Scott