CCSP SECUR FAQ : Context-Based Access Control (CBAC)
Q1. Which of the following is not about a content-based access control?
A. CBAC provides secure per-application access control across network perimeters.
B. CBAC intelligently filters TCP and UDP packets based on application layer protocol session information.
C. The CBAC feature is only available on Cisco switches.
D. CBAC uses state information to create temporary openings in the firewall’s ACL to allow return traffic.
Q2. What is the advantage of using CBAC versus ACLs?
A. CBAC examines and inspects packets at the network, transport, and application layer level, whereas ACLs do not inspect all three levels.
B. CBAC is less complicated to configure than ACLs.
C. CBAC works on hubs.
D. The CBAC memory requirement is less than ACL memory requirements.
Q3. How does CBAC handle UDP sessions?
A. CBAC cannot build a state table for UDP sessions because UDP is a connectionless protocol.
B. CBAC approximates UDP sessions by examining the information in the packet and determining whether the packet is similar to other UDP packets.
C. CBAC does not inspect UDP packets.
D. CBAC denies suspicious UDP packets randomly.
Q4. Approximately how much memory per connection does CBAC require?
A. 2 KB
B. 6 KB
C. 200 bytes
D. 600 bytes
Q5. Which of the following is true about ACLs created by CBAC?
A. ACL entries are created and deleted dynamically.
B. After they are created, they are saved to NVRAM.
C. CBAC does not create or delete ACLs.
D. CBAC creates ACL entries for temporary openings on the Cisco IOS firewall to permit only traffic that is part of the permissible session.
Q6. Which of the following protocols are supported by CBAC?
Q7. Which three types of debug command are used to debug CBAC?
A. Network level debug commands
B. Transport level debug command
C. Application protocol debug command
D. Generic debug commands
Q8. What is the command to define an inspection rule?
A. inspection rule name protocol
B. ip inspect name inspection name protocol
C. ip protocol inspect inspection name protocol
D. ip protocol inspection name
Q9. What is the command to inspect an application level protocol?
A. debug ip inspect protocol
B. debug ip inspect tcp
C. debug ip inspect udp
D. debug up inspect app
Q10. What command enables you to show existing sessions that are currently being tracked and inspected by CBAC?
A. show ip inspect session [detail] B. display current ip inspect
C. show current ip inspect
D. display ip inspect session [detail]
Q11. What are the steps in the CBAC configuration process?
Q12. Are inspection rules a requirement for CBAC configuration?
Q13. What are the three categories of debug commands that are commonly used to debug CBAC configuration?
Q14. Can CBAC be configured to inspect all TCP, UDP, and ICMP packets?
Q15. What command enables you to show a complete CBAC inspection configured on the Cisco IOS firewall?
Q16. What command do you use to turn on audit trail messages?
Q17. What are indicators in half-open sessions that CBAC measures before it takes steps to prevent a DoS attack?
Q18. Does CBAC block malicious Java applets that are on .jar format?
Q19. Name two features of the CBAC?
Q20. Name one restriction with using CBAC.
Answer: Some of the restrictions when using CBAC include the following:
- Packets with the firewall as the source or destination address are not inspected by CBAC.
- If you reconfigure your ACLs when you configure CBAC, be aware that if your ACLs block TFTP traffic into an interface, you cannot netboot over that interface. (This is not a CBAC-specific limitation but is part of existing ACL functionality.)
- CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with extended IP ACLs instead.