CCNA Security FAQ: Using Cisco IOS Firewalls to Implement a Network Security Policy
A. Firewalls statefully inspect reply packets to determine whether they match the expected state of a connection in the state table.
B. Firewalls statically inspect packets in both directions and filter on layer 3 and layer 4 information.
C. A firewall is a system or a group of systems that enforce an access control policy between two networks.
D. A firewall is any device that blocks access to a protected network.
E. None of the above.
A. It analyzes network traffic at the network and transport protocol layers.
B. It evaluates network packets for valid data at the application layer before allowing connections.
C. It validates the fact that a packet is either a connection request or a data packet belonging to a connection.
D. It keeps track of the actual communication process through the use of a state table.
A. It authenticates individuals, not devices.
B. It makes it more difficult to spoof and implement DoS attacks.
C. It allows monitoring and filtering transport data.
D. It provides verbose auditing.
A. Layer 2 connections
B. Layer 3 connections
C. Layer 4 connections
D. Layer 5 connections
A. It does not work well with applications that open multiple connections.
B. It cannot defend against spoofing and DoS attacks.
C. User authentication is not supported.
D. It does not prevent application layer attacks.
A. Segment security zones
B. Use logs and alerts
C. Restrict access to firewalls
D. Set connection limits
A. 1 to 99
B. 100 to 199
C. 1300 to 1999
D. 2000 to 2699
Question. Which of the following define characteristics of a firewall? (Choose all that apply.)
A. Enforces the access control policy of an organization.
B. Must be hardened against attacks.
C. Must be the only transit point between networks.
D. Completely eliminates the risk of network compromise.
E. All of the above.
Question. True or false. Transparent firewalls mitigate the risk of attack by applying rich layer 3 through 7 inspection services to the traffic transiting the firewall.
Question. Consider the following output for your answer: What sequence of commands would you enter to add a line at the beginning of the ACL that permits packets for established TCP sessions?
A. configure terminal ip access-list extended 101 5 permit tcp any any established.
B. configure terminal ip access-list name 101 5 permit tcp any any established.
C. configure terminal ip access-list extended 101 line 5 permit tcp any any established.
D. configure nacl 10 permit tcp any any established.
E. configure extended-nacl permit line 5 session-established.
F. None of the above.
Question. Fill in the blank in the sequence below for editing an existing access control list in the Cisco SDM.
A. Firewall rules
B. Additional tasks
C. Policy editor
D. Perimeter security
E. None of the above.
A. An explicit allow all
B. An implicit deny all
C. An implicit allow all
D. An explicit deny all
A. show access-list status
B. show access-list turbo compiled
C. show access-list compiled
D. show access-list complete
A. The Turbo ACL feature processes ACLs into lookup tables for greater efficiency.
B. Turbo ACLs increase the CPU load by matching the packet to a predetermined list.
C. The Turbo ACL feature leads to reduced latency, because the time it takes to match the packet is fixed and consistent.
A. Attacks from this IP address will be blocked because of the line you have added.
B. Attacks will continue. This line will never be reached, because above this line is a permit any statement.
C. ACLs may not be used to block traffic originating outside your network address range.
D. ACLs may not be modified after they are created.
Question. Match the protocols in the numbered list below with the letter corresponding to their protocol ID in an IP packet.
1. EIGRP
2. UDP
3. ICMP
4. GRE
5. ESP
6. TCP
A. 1
B. 6
C. 17
D. 47
E. 50
F. 88
Question. Certain source IP addresses should be filtered using ACLs to prevent IP spoofing attacks. Which of the following should be filtered? (Choose all that apply.)
A. All 1’s source IP addresses
B. Any address starting with a zero
C. IP multicast addresses
D. Reserved private IP addresses
E. All of the above
Question. True or false. Cisco specifically recommends against allowing ICMP echoes and ICMP redirects inbound.
Question. True or false. The Cisco IOS Zone-Based Policy Firewall (ZPF) is not used solely to implement a Stateful Packet Inspection (SPI) firewall.
A. Traffic zoning
B. Traffic filtering
C. Traffic inspection
D. Intrusion prevention
A. Application inspection
B. A default deny-all policy
C. URL filtering
D. Subnet and host inspection policies
A. Four
B. One
C. Two
D. Subnets are assigned to zones, not interfaces.
A. Allow
B. Inspect
C. Pass
D. Flow
A. Class map
B. Class policy
C. Policy map
D. Parameter map
E. Policy action
Question. Consider the following scenario: A firewall has five interfaces, two of which are not associated with security zones:
- Two interfaces are in the INTERNET zone.
- One interface is in the INSIDE zone.
- Two interfaces are not in any zone.
What is the default rule for traffic that originates from one of the two interfaces that are not in any zone and is destined for an interface in the INTERNET security zone?
A. The traffic is dropped.
B. The traffic is passed because it’s going to the Internet.
C. The traffic is either permitted or denied based on the actions in the policy map if it has been applied to the zone pair.
D. The traffic is passed because the default policy map action is to pass traffic that doesn’t have a specific match.
E. None of the above.