CCNP Security FAQ: Cisco Security Appliance
Q1. True or false: You do not need a license for any Cisco PIX Firewall. If you own the appliance, you can do anything you want with it.
Q2. How many physical interfaces does the PIX 525 support?
A. Eight 10/100 interfaces or three Gigabit interfaces
B. Eight 10/100 interfaces and three Gigabit interfaces
C. Six 10/100 interfaces or three Gigabit interfaces
D. Six 10/100 interfaces and three Gigabit interfaces
E. None of the above
Q3. What are the three firewall technologies?
A. Packet filtering, proxy, connection dropping
B. Stateful inspection, packet filtering, proxy
C. Stateful proxy, stateful filtering, packet inspection
D. Cut-through proxy, ASA, proxy
Q4. How are optional component cards installed in the PIX Firewall?
A. ISA slot
B. USB port
C. Serial connection
D. PCI slot
E. PCMCIA slot
Q5. What is the maximum firewall throughput of the ASA Security Appliance 5540?
A. 1.0 Gbps
B. 1.7 Gbps
C. 100 Mbps
D. 400 Mbps
Q6. How many physical interfaces does a PIX 501 have, and how many network segments does it support?
A. Six interfaces, two network segments
B. Six interfaces, six network segments
C. Five interfaces, four network segments
D. Two interfaces, two network segments
E. None of these answers are correct
Q7. What happens to a reply that does not have the correct TCP sequence number?
A. It generates an alert.
B. The connection is dropped.
C. The connection information is added to the state table.
D. The session object is modified.
E. None of these answers are correct.
Q8. Which of the following is the best way to remove the ASA from a PIX Firewall?
A. Use the ASA removal tool, downloaded from Cisco.com.
B. Use the asa disable command in the config mode.
C. Configure all NATs to a single external address.
D. Configure all NATs to a single internal address.
E. You cannot remove the ASA from the PIX Firewall.
Q9. Which of the following four authentication methods is not supported by the PIX Firewall for performing cut-through proxy?
A. Local Database
D. Active Directory
E. All of the above
Q10. What encryption algorithms does the PIX Firewall not support?
A. Data Encryption Standard
B. Triple Data Encryption Standard
D. Advanced Encryption Standard 128
E. Advanced Encryption Standard 256
F. Answers C, D, and E
Q11. What is the ASA, and how does Cisco PIX Firewall use it?
Q12. Why does the ASA generate random TCP sequence numbers?
Q13. What components of a TCP session does the ASA write to the state table to create a session object?
- Source IP and port
- Destination IP and port
- TCP sequencing information
- Additional TCP and UDP flags
- A new random TCP sequence number
Q14. What can cause a session object to be deleted from the state table?
Q15. What are the three ways to initiate a cut-through proxy session?
Q16. What X.509 certificates do SCEP and the Security Appliance support?
- Entrust Technologies, Inc.—Entrust/PKI 4.0
- Microsoft Corp.—Windows 2000 Certificate Server 5.0
- VeriSign—Onsite 4.5
- Baltimore Technologies—UniCERT 3.05
Q17. How many physical interfaces does the PIX 515E support?
Q18. What is the lowest model number of the PIX Firewall family to support failover?
Q19. What are two methods of managing a Cisco ASA Security Appliance?
- Command-line interface (CLI)
- Cisco Adaptive Security Device Manager (ASDM)
Q20. List four advantages of the ASA.
- It is more secure than packet filtering.
- It has greater performance than application proxy.
- It can guard against session hijacking.
- It is part of the embedded PIX operating system.
Q21. List the three parts to a Modular Policy.
- A class-map identifies the type of traffic flow that the MPF will act on. The flow type is packet-specific and can be any packet type, such as a VPN tunnel, voice traffic, or basic IP traffic.
- The policy-map assigns one or more actions to the traffic flows specified by a class-map. For example, all basic IP traffic entering a site could be packet-inspected and rate-limited through a policy-map.
- The service policy assigns one or more policy-maps to an interface.