CCSP SECUR FAQ : Context-Based Access Control (CBAC)

CCSP SECUR FAQ : Context-Based Access Control (CBAC)

Q1. Which of the following is not about a content-based access control?
A. CBAC provides secure per-application access control across network perimeters.

B. CBAC intelligently filters TCP and UDP packets based on application layer protocol session information.

C. The CBAC feature is only available on Cisco switches.

D. CBAC uses state information to create temporary openings in the firewall’s ACL to allow return traffic.

Answer: C

Q2. What is the advantage of using CBAC versus ACLs?
A. CBAC examines and inspects packets at the network, transport, and application layer level, whereas ACLs do not inspect all three levels.

B. CBAC is less complicated to configure than ACLs.

C. CBAC works on hubs.

D. The CBAC memory requirement is less than ACL memory requirements.

Answer: A

Q3. How does CBAC handle UDP sessions?
A. CBAC cannot build a state table for UDP sessions because UDP is a connectionless protocol.

B. CBAC approximates UDP sessions by examining the information in the packet and determining whether the packet is similar to other UDP packets.

C. CBAC does not inspect UDP packets.

D. CBAC denies suspicious UDP packets randomly.

Answer: B

Q4. Approximately how much memory per connection does CBAC require?
A. 2 KB
B. 6 KB
C. 200 bytes
D. 600 bytes

Answer: D

Q5. Which of the following is true about ACLs created by CBAC?
A. ACL entries are created and deleted dynamically.

B. After they are created, they are saved to NVRAM.

C. CBAC does not create or delete ACLs.

D. CBAC creates ACL entries for temporary openings on the Cisco IOS firewall to permit only traffic that is part of the permissible session.

Answer: A, D

Q6. Which of the following protocols are supported by CBAC?
C. H.323

Answer: A, B, C

Q7. Which three types of debug command are used to debug CBAC?
A. Network level debug commands
B. Transport level debug command
C. Application protocol debug command
D. Generic debug commands

Answer: B, C, D

Q8. What is the command to define an inspection rule?
A. inspection rule name protocol
B. ip inspect name inspection name protocol
C. ip protocol inspect inspection name protocol
D. ip protocol inspection name

Answer: B

Q9. What is the command to inspect an application level protocol?
A. debug ip inspect protocol
B. debug ip inspect tcp
C. debug ip inspect udp
D. debug up inspect app

Answer: A

Q10. What command enables you to show existing sessions that are currently being tracked and inspected by CBAC?
A. show ip inspect session [detail] B. display current ip inspect
C. show current ip inspect
D. display ip inspect session [detail]

Answer: A

Q11. What are the steps in the CBAC configuration process?

Answer: Pick an interface, configure ip access list at the interface, configure global timeouts and thresholds, define an inspection rule, and apply the inspection rule to an interface.

Q12. Are inspection rules a requirement for CBAC configuration?

Answer: Yes. Inspection rules are a mandatory requirement for CBAC configuration.

Q13. What are the three categories of debug commands that are commonly used to debug CBAC configuration?

Answer: The three categories for debugging CBAC configuration are generic, transport level, and application level.

Q14. Can CBAC be configured to inspect all TCP, UDP, and ICMP packets?

Answer: No. CBAC is available only for TCP and UDP IP protocol traffic.

Q15. What command enables you to show a complete CBAC inspection configured on the Cisco IOS firewall?

Answer: show ip inspect config

Q16. What command do you use to turn on audit trail messages?

Answer: ip inspect audit trail

Q17. What are indicators in half-open sessions that CBAC measures before it takes steps to prevent a DoS attack?

Answer: CBAC measures both the total number of existing half-open sessions and the rate of session establishment attempts

Q18. Does CBAC block malicious Java applets that are on .jar format?

Answer: No. CBAC cannot block any Java applet that is wrapped in a .zip or .jar format.

Q19. Name two features of the CBAC?

Answer: Some of CBAC features include secure per-application DoS detection and prevention and real-time alerts

Q20. Name one restriction with using CBAC.

Answer: Some of the restrictions when using CBAC include the following:

  • Packets with the firewall as the source or destination address are not inspected by CBAC.
  • If you reconfigure your ACLs when you configure CBAC, be aware that if your ACLs block TFTP traffic into an interface, you cannot netboot over that interface. (This is not a CBAC-specific limitation but is part of existing ACL functionality.)
  • CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with extended IP ACLs instead.

More Resources

About the author


Leave a Comment