
CCIE Security FAQ Security Technologies

February 14, 2020 by Scott

Q1. DMZ stands for what?
a. Demilitarized zone
b. Demitted zone
c. Domain main zone
d. Domain name

Answer: a

Q2. When defining an extended access list, what TCP port numbers can you use?
a. Only predefined Cisco keywords
b. 0 to 65,000
c. 0 to 65,535
d. 1 to 65,534
e. None of the above

Answer: c
Explanation: TCP port numbers range from 0 to 65,535; client devices such as PCs typically use source ports from 1025 to 65,535.

Q3. When defining an extended access list, what UDP port numbers can you use?
a. Only predefined Cisco keywords
b. 0 to 65000
c. 0 to 65535
d. 1 to 65534
e. None of the above

Answer: c
Explanation: UDP port numbers from 0 to 65535.

Q4. Which of the following is not a TCP service?
a. who
b. whois
c. finger
d. ftp
e. pop3

Answer: a
Explanation: who is a UDP service.

Q5. Which of the following is not a UDP service?
a. BGP
b. echo
c. domain
d. discard
e. rip
f. snmp

Answer: a
Explanation: BGP runs over TCP port 179.

Q6. For how many translations does PAT allow you to use one IP address?
a. 32,000
b. 64,000
c. 96,000
d. 128,000
e. 256,000

Answer: b
Explanation: Port Address Translation (PAT) occurs when the local port number is modified, allowing more than one host to share one public address, for example. The port number in a TCP header can range from 0 to 65,535, so answer b is closest to the actual number of allowed translations.

Q7. PAT translates all private addresses based on what?
a. Source port
b. Destination port
c. Both source and destination
d. None

Answer: c
Explanation: PAT is based on source port; the destination port is not altered. For example, a Telnet connection is based on the local port number (a random number generated by the device between 0 and 65,535) and the destination port number 23.

Q8. NAT is which of the following?
a. Network Architectural Language
b. National anthem of Latvia
c. Network translation
d. Network Address Translation

Answer: d

Q9. NAT is defined in which RFC?
a. 1700
b. 1701
c. 2002
d. 1631
e. 1613

Answer: d
Explanation: NAT is defined by Request for Comments (RFC) 1631.

Q10. The following defines which NAT terminology: “A legitimate registered IP address as assigned by the InterNIC”?
a. Inside local address
b. Outside global address
c. Inside global address
d. Outside local address

Answer: c

Q11. What IOS command defines a pool of addresses that will be translated to a registered IP address?
a. ip nat inside
b. ip nat outside
c. ip nat pool
d. ip nat inside pool
e. ip nat outside pool

Answer: c

Q12. PIX stands for what?
a. Protocol interchange
b. Cisco Private Internet
c. Private Internet Exchange
d. Public Internet Exchange

Answer: c

Q13. To define how a PIX will route IP data, what is the correct syntax for a PIX 520?
a. ip route
b. route
c. ip route enable
d. default-network

Answer: b
Explanation: A PIX can run RIP or be configured for static routing; a default route is typically required so that end-user data can be sent to the Internet, for example.

Q14. What is the alias command’s function on a PIX firewall?
a. To define a local host name
b. To define the DNS server
c. Used in NAT environments where one IP address is translated into another.
d. Only applicable to Cisco IOS

Answer: c
Explanation: The PIX alias command is used for NAT configurations. The alias command translates one IP address into another address. For example, one private network might be using unregistered IP address space, and to allow users access to outside address space, the alias command is used. This command is applied differently on a Cisco IOS router.

Q15. CBAC stands for what?
a. CBAC is not a valid term
b. Cisco Business architectural centre
c. Context-based Access Control
d. Context-based Accelerated controller
e. Content-based arch. Centre

Answer: c

Q16. What is IKE used to accomplish?
a. NAT translations
b. Ensures that data is not sourced by the right sources
c. Ensures that data is not sourced by the wrong sources
d. No use
e. Both a and c

Answer: c
Explanation: Internet Key Exchange (IKE) helps keep network traffic confidential from unauthorized sources.

Q17. To create a simple VPN tunnel (unencrypted) between two sites, what must you do on a Cisco router?
a. Create a GRE tunnel
b. Create a routing map
c. Nothing, use a PIX
d. Create an IPSec tunnel

Answer: a
Explanation: A simple VPN tunnel requires a generic routing encapsulation (GRE) tunnel between two Cisco routers.

Q18. What does the term DMZ refer to?

Answer: The DMZ, or demilitarized zone, is defined as an isolated part of the network that is easily accessible to hosts on the outside (Internet, for example).

Q19. What is the perimeter router’s function in a DMZ?

Answer: The perimeter router sits between the DMZ and the public domain. It is typically a high-performance router (or routers) that performs a number of duties, including the following:

  • Access lists to ensure access to IP is restricted
  • Restrictions to TCP services
  • Restrictions on what applications can be run
  • Routing protocols (typically, BGP)

Q20. What two main transport layer protocols do extended access lists filter traffic through?

Answer: Extended access lists filter both TCP and UDP transport layer services.

Q21. Which of the following is not a TCP service?
a. Ident
b. ftp
c. pop3
d. pop2
e. echo

Answer: e
Explanation: Echo is part of the UDP protocol suite. Ident, ftp, and pop2/pop3 are TCP services.

Q22. Name five UDP services that can be filtered with an extended access-list.

Answer: Cisco IOS can filter a number of UDP services, including the following:

  • biff—Biff (mail notification, comsat, 512)
  • bootpc—Bootstrap Protocol (BOOTP) client (68)
  • bootps—Bootstrap Protocol (BOOTP) server (67)
  • discard—Discard (9)
  • dnsix—DNSIX security protocol auditing (195)
  • domain—Domain Name Service (DNS, 53)
  • echo—Echo (7)
  • isakmp—Internet Security Association and Key Management Protocol (500)
  • mobile-ip—Mobile IP registration (434)
  • nameserver—IEN116 name service (obsolete, 42)
  • netbios-dgm—NetBIOS datagram service (138)
  • netbios-ns—NetBIOS name service (137)
  • netbios-ss—NetBIOS session service (139)
  • ntp—Network Time Protocol (123)
  • pim-auto-rp—PIM Auto-RP (496)
  • rip—Routing Information Protocol (router, in.routed, 520)
  • snmp—Simple Network Management Protocol (161)
  • snmptrap—SNMP traps (162)
  • sunrpc—Sun Remote Procedure Call (111)
  • syslog—System Logger (514)
  • tacacs—TAC Access Control System (49)
  • talk—Talk (517)
  • tftp—Trivial File Transfer Protocol (69)
  • time—Time (37)
  • who—Who service (rwho, 513)
  • xdmcp—X Display Manager Control Protocol (177)

Q23. What RFC defines NAT?

Answer: Network Address Translation (NAT) is defined in RFC 1631.

Q24. In NAT, what is the inside local address used for?

Answer: The inside local address refers to the IP address that is assigned to a host on the internal network, that is, the logical address that is not being advertised to the Internet. A local administrator generally assigns this address. This address is NOT a legitimate Internet address.

Q25. What does the IOS command ip nat inside source list accomplish?

Answer: It defines the addresses that will be allowed to access the Internet. This command enables the network address translation of the inside source addresses. The “list” keyword helps define the access list to be used for determining the source addresses.

Q26. What are the four possible NAT translations on a Cisco IOS router?

Answer: The four NAT translation versions are as follows:

  • Static NAT—Maps an unregistered IP address to a registered IP address on a one-to-one basis.
  • Dynamic NAT—Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.
  • Overloading—A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address using different ports. Known also as Port Address Translation (PAT), single address NAT, or port-level multiplexed NAT.
  • Overlapping—When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses.
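The overloading (PAT) behaviour described in Q6, Q7 and the list above, as an added teaching model that is not Cisco code or part of the original FAQ: many inside-local hosts share one inside-global address, are told apart only by a rewritten source port, the destination is never changed, and inbound packets with no translation entry are dropped. The inside-global address and inside hosts used in the demo are constructed values.

```python
class PatTranslator:
    """Constructed model of PIX/IOS overloading (PAT). Every inside host shares one
    inside-global address and is distinguished only by a rewritten source port; the
    destination address and port are never touched."""

    def __init__(self, inside_global, first_port=1024, last_port=65535):
        self.inside_global = inside_global
        # Pool of global ports handed out one per (inside_local, local_port) pair.
        self.free_ports = iter(range(first_port, last_port + 1))
        self.xlate = {}    # (inside_local, local_port) -> global_port
        self.reverse = {}  # global_port -> (inside_local, local_port)

    def outbound(self, inside_local, local_port, dst_ip, dst_port):
        """Translate an inside->outside packet; allocate a global port on first use.
        Returns the rewritten (src_ip, src_port, dst_ip, dst_port) tuple."""
        key = (inside_local, local_port)
        if key not in self.xlate:
            global_port = next(self.free_ports, None)
            if global_port is None:
                raise RuntimeError("PAT pool exhausted: no free port on the global address")
            self.xlate[key] = global_port
            self.reverse[global_port] = key
        return (self.inside_global, self.xlate[key], dst_ip, dst_port)

    def inbound(self, dst_ip, dst_port):
        """Map a returning outside->inside packet back to (inside_local, local_port).
        Traffic with no matching xlate entry (unsolicited inbound) is dropped: None."""
        if dst_ip != self.inside_global:
            return None
        return self.reverse.get(dst_port)


if __name__ == "__main__":
    pat = PatTranslator("192.192.1.2")  # constructed inside-global address
    # Two inside hosts using the same local port both reach the same Telnet server.
    print(pat.outbound("10.1.1.5", 40000, "198.51.100.7", 23))
    print(pat.outbound("10.1.1.6", 40000, "198.51.100.7", 23))
    print(pat.inbound("192.192.1.2", 1024))
```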

Q27. How many connections can be translated with a PIX firewall for the following RAM configurations: 16 MB, 32 MB, or 128 MB?

Answer: 16 MB of memory supports up to 32,768 connections, 32 MB supports up to 65,536 connections, and 128 MB supports up to 260,000 connections.

Q28. When the alias command is applied to a PIX, what does it accomplish?

Answer: The alias command translates one address into another, and is used for translating unregistered IP addresses in a NAT environment.

Q29. What security features does the Cisco IOS Firewall feature set allow a network administrator to accomplish?

Answer: The Cisco IOS Firewall feature set consists of the following:

  • Context-based Access Control (CBAC) provides internal users secure, per-application access control for all traffic across perimeters, such as between private enterprise networks and the Internet.
  • Java blocking protects against unidentified, malicious Java applets.
  • Denial-of-service detection and prevention defends and protects router resources against common attacks, checking packet headers and dropping suspicious packets.
  • Audit trail details transactions, recording time stamp, source host, destination host, ports, duration, and total number of bytes transmitted.
  • Real-time alerts log alerts in case of denial-of-service attacks or other preconfigured conditions.

Q30. What does CBAC stand for?

Answer: Context-based Access Control

Q31. Name the eight possible steps to take when configuring CBAC.

Answer: To configure CBAC, the following tasks are required or optional:

  • Pick an internal or external interface. (Required)
  • Configure IP access lists at the interface. (Required)
  • Configure global timeouts and thresholds. (Required)
  • Define an inspection rule. (Required)
  • Apply the inspection rule to an interface. (Required)
  • Configure logging and audit trail. (Required)
  • Follow other guidelines for configuring a firewall. (Required)
  • Verify CBAC. (Optional)

Q32. What is a virtual private network?

Answer: A virtual private network (VPN) enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses tunneling to encrypt all information at the IP level.

Q33. The following configuration is installed on a PIX 520. Users from the inside network 10.0.0.0/8 report to you that they cannot browse the Internet. What is the problem, and what command or commands will rectify the problem?

pix# write terminal
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
logging timestamp
no logging standby
logging console debugging
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address inside 201.201.201.1 255.255.255.
ip address outside 131.108.1.1 255.255.255.0
route inside 10.0.0.0 255.0.0.0 201.201.201.2
route outside 0.0.0.0 0.0.0.0 131.018.1.2
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.224
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:00:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
: end

Answer: Cisco PIX Firewalls need to NAT any nonregistered IP address space. In particular, the Class A network 10.0.0.0/8 is not routable on the Internet, so you must use NAT to permit access, or you could re-address your entire network, which clearly is not an exercise you will do often.

The following command will NAT all inside addresses:

nat (inside) 1 0.0.0.0 0.0.0.0

Before inside users can reach the Internet, you must also tell the PIX where to send IP data (remember that the PIX is not as intelligent as a router, although RIP can be configured by the network administrator); you route IP data with the command shown here:

route outside 0.0.0.0 0.0.0.0 <default-gateway>

This command installs a default route where IP datagrams will be sent, typically, the perimeter router or ISP router.
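As an added illustration of the diagnosis in Q33 (example code, not part of the original FAQ or any Cisco tool), the following Python script audits a constructed PIX-style configuration excerpt for the omissions the answer turns on: an inside RFC 1918 network with no nat statement, a global pool id with no matching nat id, and no default route outside. The excerpt deliberately leaves out the default route so that both fixes are exercised; the line parsing assumes the keyword order shown in the listing above.

```python
import ipaddress

# Constructed excerpt modelled on the Q33 listing (the default route is omitted on
# purpose so that both omissions the answer discusses are reported).
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 201.201.201.1 255.255.255.0
ip address outside 131.108.1.1 255.255.255.0
route inside 10.0.0.0 255.0.0.0 201.201.201.2
global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.224
"""

# RFC 1918 address space that is never routable on the Internet without NAT.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_pix(config):
    """Return a list of findings explaining why inside hosts cannot reach the Internet."""
    nat_ids, global_ids, inside_nets, default_route = set(), set(), [], False
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        if parts[0] == "route" and len(parts) >= 5:
            # route <interface> <network> <mask> <gateway>
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            if parts[1] == "outside" and net.prefixlen == 0:
                default_route = True
            elif parts[1] == "inside":
                inside_nets.append(net)
        elif parts[0] == "nat":      # nat (<interface>) <id> <local-net> <mask>
            nat_ids.add(parts[2])
        elif parts[0] == "global":   # global (<interface>) <id> <pool> netmask <mask>
            global_ids.add(parts[2])
    findings = []
    for net in inside_nets:
        if any(net.subnet_of(p) for p in PRIVATE) and not nat_ids:
            findings.append(f"{net} is RFC 1918 space but no 'nat (inside)' statement exists")
    for gid in sorted(global_ids - nat_ids):
        findings.append(f"global pool id {gid} has no matching nat statement")
    if not default_route:
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <default-gateway>'")
    return findings


if __name__ == "__main__":
    for finding in audit_pix(PIX_CONFIG):
        print("FINDING:", finding)
```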
