Network Security FAQ: Router Security
Q1. Give two commands to configure an enable password on a router.
Answer: The two commands are enable password and enable secret. They are not equivalent: enable password stores the password in clear text (or, with service password-encryption, with the reversible type 7 encoding), while enable secret stores a one-way hash (type 5 MD5; newer IOS releases also offer stronger algorithm types). If both are configured, enable secret takes precedence, so enable secret is the one to use.
Q2. Name three services that are running on a router that should be turned off if they are not used.
Answer: Services running on a router that should be turned off if they are not used include the BOOTP server (no ip bootp server), DNS resolution by the router itself (no ip domain-lookup), the HTTP server (no ip http server), and ICMP redirects (no ip redirects, configured per interface).
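The following configuration, added here as an example and not taken from the original FAQ, carries Q1 and Q2 through on an IOS router: it replaces the weak enable password with an enable secret and disables the four services named above. The interface name is an assumption.

```cisco
! Added example (not from the original FAQ). Interface name is an assumption.
!
! Q1 - privileged-EXEC password. The weak setting would be:
!   enable password Cisco123
! which is stored in clear text, or with the reversible type 7 encoding when
! service password-encryption is on. Use enable secret, which stores a hash:
enable secret Cisco123
! On IOS 15.3(3)M and later the scrypt (type 9) hash can be requested instead of MD5:
!   enable algorithm-type scrypt secret Cisco123
! enable secret takes precedence when both exist, so remove the weak one entirely:
no enable password
! Type 7 encoding for any remaining line/username passwords. This is obfuscation,
! not encryption; it only keeps clear text out of "show running-config".
service password-encryption
!
! Q2 - global services to disable when unused.
! Router will not answer BOOTP requests:
no ip bootp server
! Router will not resolve names (including mistyped commands) through DNS:
no ip domain-lookup
! No HTTP management interface; disable the HTTPS one too if it is not used:
no ip http server
no ip http secure-server
!
! ICMP redirects are an interface-level setting; repeat on every interface.
interface GigabitEthernet0/0
 no ip redirects
!
! Verify with: show running-config | include enable
! Expect a line starting "enable secret 5" (or "enable secret 9"), and no
! "enable password" line at all.
```

Note that service password-encryption does not strengthen enable secret; its only effect is on passwords that would otherwise be in clear text, and type 7 strings are trivially reversible, so they should not be treated as protected.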
Q3: Name the different types of access lists that can be used.
Answer: The different types of access lists that can be used include the following:
- Standard numbered access list (numbers 1-99 and 1300-1999; matches on source address only)
- Standard named access list (same matching as standard numbered, with a descriptive name)
- Extended numbered access list (numbers 100-199 and 2000-2699; matches on protocol, source, destination, and ports)
- Extended named access list (same matching as extended numbered; the only form that can carry reflexive entries)
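One access list of each of the four types, applied where each is typically used, as an added example that is not part of the original FAQ. Addresses, list names, the community string, and interface names are assumptions.

```cisco
! Added example (not from the original FAQ). Addresses, names and interfaces
! are assumptions.
!
! 1. Standard numbered (1-99, 1300-1999): source address only.
access-list 10 remark Management hosts allowed to reach the VTY lines
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any log
!
! 2. Standard named: same matching, but with a name and per-line editing.
ip access-list standard SNMP-MANAGERS
 permit host 10.0.0.50
 deny any log
!
! 3. Extended numbered (100-199, 2000-2699): protocol, source, destination, ports.
access-list 101 remark Internal users may reach the web only
access-list 101 permit tcp 10.0.0.0 0.0.0.255 any eq 80
access-list 101 permit tcp 10.0.0.0 0.0.0.255 any eq 443
access-list 101 deny ip any any log
!
! 4. Extended named: the form to use for new work.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq 25
 deny ip any any log
!
! Every list ends with an implicit deny; the explicit "deny ... log" lines above
! exist only so that dropped packets show up in the log and in counters.
!
! Standard lists are placed on the VTY lines and on SNMP, where only the source
! matters; extended lists go on interfaces, as close to the source as possible.
line vty 0 4
 access-class 10 in
 transport input ssh
! NMS-RO is a placeholder community string.
snmp-server community NMS-RO RO SNMP-MANAGERS
interface GigabitEthernet0/1
 description Outside
 ip access-group OUTSIDE-IN in
interface GigabitEthernet0/0
 description Inside
 ip access-group 101 in
!
! Check hit counts after applying: show access-lists
! Check which list is bound to an interface: show ip interface GigabitEthernet0/1
```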
Q4. What are dynamic access lists?
Answer: Dynamic access lists, also known as lock-and-key, create specific, temporary openings in an extended access list in response to user authentication. A user first authenticates to the router (over Telnet or SSH); the router then activates a dynamic entry for that user's source address, and the entry is removed again when its idle or absolute timeout expires.
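A lock-and-key configuration on an outside interface, added here as an example rather than taken from the original FAQ. The username, addresses, the dynamic list name, the interface, and the choice of port 3389 as the protected service are all assumptions.

```cisco
! Added example (not from the original FAQ). Username, addresses, names and
! interface are assumptions.
!
! The remote operator authenticates as this local user. The autocommand is bound
! to the user, not to the VTY lines, so administrators logging in normally are
! not affected. "host" substitutes the connecting source address into the
! dynamic entry; "timeout 5" is the idle timeout in minutes.
username operator secret Op3rator-Passw0rd
username operator autocommand access-enable host timeout 5
!
! Entry 1: anyone may reach the router's SSH port in order to authenticate.
access-list 101 permit tcp any host 192.0.2.1 eq 22
! Entry 2: the dynamic entry. It is inactive until access-enable runs for a user.
! "timeout 120" is the absolute lifetime of each temporary entry, in minutes.
access-list 101 dynamic OPENING timeout 120 permit tcp any 10.0.0.0 0.0.0.255 eq 3389
! Everything else is dropped and logged.
access-list 101 deny ip any any log
!
interface Serial0/0
 description Outside
 ip access-group 101 in
!
line vty 0 4
 login local
 transport input ssh
!
! While an opening is active, "show access-lists 101" lists the temporary entry
! under the dynamic line; "clear access-template 101 OPENING ..." removes it early.
```

The order of the static entries matters: the permit for the router's own SSH port must precede the deny, or nobody can authenticate. Both timeouts should be set; without an absolute timeout an opening that keeps seeing traffic never expires.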
Q5. What is CBAC used for when it is configured on a router?
Answer: CBAC (Context-Based Access Control) is used for traffic filtering, traffic inspection, and alerts and audit trails when it is configured on a router. It inspects sessions at the application layer and opens temporary entries in the interface access list for the return traffic of sessions that originated from the protected side.
Q6. List five tasks to configure CBAC.
Answer: Tasks to configure CBAC include the following:
- Pick an interface: internal or external.
- Configure an IP access list on that interface.
- Configure global timeouts and thresholds.
- Define an inspection rule.
- Apply the inspection rule to an interface.
- Configure logging and audit trail.
Q7. What does the ip inspect max-incomplete high command do?
Answer: It sets the number of existing half-open sessions at which the software starts deleting half-open sessions (the default is 500). Deletion continues until the count drops to the value set by ip inspect max-incomplete low (default 400). A half-open session is a TCP session that has not completed the three-way handshake, or a UDP session for which no return traffic has been seen; an unusually high number of them is treated as a sign of a denial-of-service attempt. The companion commands ip inspect one-minute high and ip inspect one-minute low apply the same idea to the arrival rate of new half-open sessions per minute.
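The CBAC tasks listed under Q6, carried through end to end with the half-open session thresholds of Q7, as an added example that is not part of the original FAQ. Inside and outside interface names, addresses, the inspection rule name, and the log host are assumptions; the timeout and threshold values shown are the IOS defaults.

```cisco
! Added example (not from the original FAQ). Names, addresses and interfaces are
! assumptions: Inside = GigabitEthernet0/0, Outside = Serial0/0.
!
! Task 1: pick the interface. Inspection is applied on the outside interface in
! the outbound direction, so CBAC sees sessions leaving the network and opens
! temporary entries in the inbound list for their return traffic.
!
! Task 2: the IP access list on that interface. Inbound, it permits only what
! must be reachable from outside; CBAC adds the return-traffic entries itself.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
!
! Task 3: global timeouts and thresholds (IOS defaults shown explicitly).
ip inspect tcp synwait-time 30
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
! Start deleting half-open sessions when 500 exist ...
ip inspect max-incomplete high 500
! ... and stop deleting once the count falls to 400.
ip inspect max-incomplete low 400
! The same pair, applied to the rate of new half-open sessions per minute.
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Task 4: define the inspection rule, one protocol per line.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
!
! Task 5: apply the access list and the inspection rule to the interface.
interface Serial0/0
 description Outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
! Task 6: logging and audit trail.
logging host 10.0.0.100
ip inspect audit-trail
!
! Verify: show ip inspect config   (rule, timeouts, thresholds)
!         show ip inspect sessions (live sessions and their temporary entries)
```

Lowering max-incomplete high below the default trades earlier clean-up during a SYN flood against dropping legitimate half-open sessions on a busy link; the one-minute thresholds react to a burst of new connections even when the total stays under the absolute limit. ftp is inspected explicitly because its data connection uses a negotiated port that a plain tcp entry would not anticipate.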
Q8. Give three different types of enhanced access lists.
Answer: Three different types of enhanced access lists are as follows:
- Dynamic access lists
- Time-based access lists
- Reflexive access lists
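A time-based access list, as an added example not drawn from the original FAQ (dynamic and reflexive lists are shown under Q4 and Q10). The time-range names, dates, addresses, NTP server, and interface are assumptions.

```cisco
! Added example (not from the original FAQ). Names, dates, addresses and the
! interface are assumptions.
!
! A time-based entry is only as trustworthy as the router clock, so set the
! time zone and synchronise to NTP before relying on it.
clock timezone UTC 0
ntp server 10.0.0.5
!
! Recurring window: weekdays 08:00-18:00.
time-range BUSINESS-HOURS
 periodic weekdays 08:00 to 18:00
! One-off window for a contractor, with an absolute start and end.
time-range CONTRACTOR-WINDOW
 absolute start 08:00 1 March 2024 end 18:00 31 March 2024
!
ip access-list extended INSIDE-OUT
 remark Web browsing only during business hours
 permit tcp 10.0.0.0 0.0.0.255 any eq 80 time-range BUSINESS-HOURS
 permit tcp 10.0.0.0 0.0.0.255 any eq 443 time-range BUSINESS-HOURS
 remark Contractor RDP to one server, only while the window is open
 permit tcp host 10.0.0.77 host 203.0.113.20 eq 3389 time-range CONTRACTOR-WINDOW
 remark Internal DNS at any time
 permit udp 10.0.0.0 0.0.0.255 host 10.0.0.53 eq 53
 deny ip any any log
!
interface GigabitEthernet0/0
 description Inside
 ip access-group INSIDE-OUT in
!
! "show time-range" reports whether each range is currently active;
! "show access-lists" marks time-based entries as (active) or (inactive).
```

Once an absolute window has ended, the entry stays in the configuration as inactive; remove it rather than leaving a dormant permit that a later clock change could reactivate.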
Q9. What can be filtered with reflexive access lists?
Answer: With reflexive access lists, you can filter network traffic at a router based on IP upper-layer protocol session information (addresses and ports of TCP and UDP sessions): return traffic is permitted only for sessions that originated from inside the network, and only while that session is active.
Q10. How can reflexive access lists be defined?
Answer: Reflexive access lists can be defined with extended named IP access lists only. You cannot define reflexive access lists with numbered or standard named access lists. Reflexive access lists differ significantly from other types of access lists. They contain only temporary entries, which are automatically created when a new IP session begins and removed when the session ends (or when a timeout expires). Reflexive access lists are not applied directly to an interface; they are "nested" within an extended named IP access list that is applied to that interface, using the reflect keyword in the outbound list to create the entries and the evaluate keyword in the inbound list to consult them.
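A reflexive access list pair on an outside interface, added here as an example and not part of the original FAQ. The list names, addresses, interface, and timeout values are assumptions.

```cisco
! Added example (not from the original FAQ). Names, addresses, interface and
! timeouts are assumptions.
!
! Global default lifetime, in seconds, for a reflexive entry after its last
! packet. TCP entries are also removed as soon as the session closes.
ip reflexive-list timeout 120
!
! Outbound list: "reflect" creates a temporary mirror-image entry in the named
! reflexive list (TCP-OUT or UDP-OUT) for every session this line permits.
! A per-entry timeout overrides the global one.
ip access-list extended OUTBOUND
 permit tcp 10.0.0.0 0.0.0.255 any reflect TCP-OUT timeout 300
 permit udp 10.0.0.0 0.0.0.255 any reflect UDP-OUT
 deny ip any any log
!
! Inbound list: "evaluate" nests the reflexive lists here. Entries above the
! evaluate lines are checked first; entries below them are reached only when
! no reflexive entry matches.
ip access-list extended INBOUND
 permit tcp any host 192.0.2.10 eq 443
 evaluate TCP-OUT
 evaluate UDP-OUT
 deny ip any any log
!
interface Serial0/0
 description Outside
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! "show access-lists" displays the temporary entries under
! "Reflexive IP access list TCP-OUT", with source and destination swapped
! relative to the outbound packet that created them.
```

Reflexive lists match only the exact reverse of the original 5-tuple, so applications that open a second connection on a negotiated port (active-mode FTP, for instance) are not handled; that is the case for which CBAC's protocol-aware inspection exists. The deny at the end of OUTBOUND also means internal hosts can only initiate the protocols that carry a reflect entry.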