Chapter 12: Security
Terms in this set (17)
Which of the following statements is false when a packet is being compared to an access list?
A. Its always compared with each line of the access list in sequential order.
B. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
C. There is an implicit deny at the end of each access list.
D. Until all lines have been analyzed, the comparison is not over.
D. Its compared with lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
You need to create an access list that will prevent hosts in the network range of 192.168.160.0 to 192.168.191.0. Which of the following lists will you use?
A. access-list 10 deny 192.168.160.0 255.255.224.0
B. access-list 10 deny 192.168.160.0 0.0.191.255
C. access-list 10 deny 192.168.160.0 0.0.31.255
D. access-list 10 deny 192.168.0.0 0.0.31.255
C. The range of 192.168.160.0 to 192.168.191.0 is a block size of 32. The network address is 192.168.160.0 and the mask would be 255.255.224.0, which for an access list must be a wildcard format of 0.0.31.255. The 31 is used for a block size of 32. The wildcard is always one less than the block size.
You have created a named access list called Blocksales. Which of the following is a valid command for applying this to packets trying to enter interface Fa0/0 of your router?
A. (config)#ip access-group 110 in
B. (config-if)#ip access-group 110 in
C. (config-if)#ip access-group Blocksales in
D. (config-if)#Blocksales ip access-list in
C. Using a named access list just replaces the number used when applying the list to the routerâ€™s interface. ip access-group Blocksales in is correct.
Which access list statement will permit all HTTP sessions to network 192.168.144.0/24 containing web servers?
A. access-list 110 permit tcp 192.168.144.0 0.0.0.255 any eq 80
B. access-list 110 permit tcp any 192.168.144.0 0.0.0.255 eq 80
C. access-list 110 permit tcp 192.168.144.0 0.0.0.255 192.168.144.0 0.0.0.255 any eq 80
D. access-list 110 permit udp any 192.168.144.0 eq 80
B. The list must specify TCP as the Transport layer protocol and use a correct wildcard mask (in this case 0.0.0.255), and it must specify the destination port (80). It also should specify all as the set of computers allowed to have this access.
Which of the following access lists will allow only HTTP traffic into network 184.108.40.206?
A. access-list 100 permit tcp any 220.127.116.11 0.0.0.255 eq www
B. access-list 10 deny tcp any 18.104.22.168 eq www
C. access-list 100 permit 22.214.171.124 0.0.0.255 eq www
D. access-list 110 permit ip any 126.96.36.199 0.0.0.255
E. access-list 110 permit www 188.8.131.52 0.0.0.255
A. The first thing to check in a question like this is the access-list number. Right away, you can see that the second option is wrong because it is using a standard IP access-list number. The second thing to check is the protocol. If you are filtering by upper-layer protocol, then you must be using either UDP or TCP; this eliminates the fourth option. The third and last answers have the wrong syntax.
What router command allows you to determine whether an IP access list is enabled on a particular interface?
A. show ip port
B. show access-lists
C. show ip interface
D. show access-lists interface
C. Of the available choices, only the show ip interface command will tell you which interfaces have access lists applied. show access-lists will not show you which interfaces have an access list applied.
If you wanted to deny all Telnet connections to only network 192.168.10.0, which command could you use?
A. access-list 100 deny tcp 192.168.10.0 255.255.255.0 eq telnet
B. access-list 100 deny tcp 192.168.10.0 0.255.255.255 eq telnet
C. access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
D. access-list 100 deny 192.168.10.0 0.0.0.255 any eq 23
C. The extended access list ranges are 100â€"199 and 2000â€"2699, so the access-list number of 100 is valid. Telnet uses TCP, so the protocol TCP is valid. Now you just need to look for the source and destination address. Only the third option has the correct sequence of parameters. Option B may work, but the question specifically states â€œonlyâ€ to network 192.168.10.0, and the wildcard in option B is too broad
If you wanted to deny FTP access from network 184.108.40.206 to network 220.127.116.11 but allow everything else, which of the following command strings is valid?
A. access-list 110 deny 18.104.22.168 to network 22.214.171.124 eq ftp
access-list 111 permit ip any 0.0.0.0 255.255.255.255
B. access-list 1 deny ftp 126.96.36.199 188.8.131.52 any any
C. access-list 100 deny tcp 184.108.40.206 0.0.0.255 220.127.116.11 0.0.0.255 eq ftp
D. access-list 198 deny tcp 18.104.22.168 0.0.0.255 22.214.171.124 0.0.0.255 eq ftp
access-list 198 permit ip any 0.0.0.0 255.255.255.255
D. Extended IP access lists use numbers 100 199 and 2000 2699 and filter based on source and destination IP address, protocol number, and port number. The last option is correct because of the second line that specifies permit ip any any. (I used 0.0.0.0 255.255.255.255, which is the same as the any option.) The third option does not have this, so it would deny access but not allow everything else.
You want to create an extended access list that denies the subnet of the following host: 172.16.50.172/20. Which of the following would you start your list with?
A. access-list 110 deny ip 172.16.48.0 255.255.240.0 any
B. access-list 110 udp deny 172.16.0.0 0.0.255.255 ip any
C. access-list 110 deny tcp 172.16.64.0 0.0.31.255 any eq 80
D. access-list 110 deny ip 172.16.48.0 0.0.15.255 any
D. First, you must know that a /20 is 255.255.240.0, which is a block size of 16 in the third octet. Counting by 16s, this makes our subnet 48 in the third octet, and the wildcard for the third octet would be 15 since the wildcard is always one less than the block size.
The following access list has been applied to an interface on a router:
access-list 101 deny tcp 126.96.36.199 0.0.0.31 host 188.8.131.52
Which of the following IP addresses will be blocked because of this single rule in the list? (Choose all that apply.)
B. The scope of an access list is determined by the wildcard mask and the network address to which it is applied. For example, in this case the starting point of the list of addresses affected by the mask is the network ID 184.108.40.206. The wildcard mask is 0.0.0.31. Adding the value of the last octet in the mask to the network address (32 + 31 = 63) tells you where the effects of the access list ends, which is 220.127.116.11. Therefore, all addresses in the range 18.104.22.168â€"22.214.171.124 will be denied by this list.
Which of the following commands connects access list 110 inbound to interface Ethernet0?
A. Router(config)#ip access-group 110 in
B. Router(config)#ip access-list 110 in
C. Router(config-if)#ip access-group 110 in
D. Router(config-if)#ip access-list 110 in
C. To place an access list on an interface, use the ip access-group command in interface configuration mode.
What is the effect of this single-line access list?
access-list 110 deny ip 172.16.10.0 0.0.0.255 host 126.96.36.199
A. Denies only the computer at 172.16.10
B. Denies all traffic
C. Denies the subnet 172.16.10.0/26
D. Denies the subnet 172.16.10.0/25
B. With no permit statement, the ACL will deny all traffic.
You configure the following access list. What will the result of this access list be?
access-list 110 deny tcp 10.1.1.128 0.0.0.63 any eq smtp
access-list 110 deny tcp any any eq 23
int ethernet 0
ip access-group 110 out
A. Email and Telnet will be allowed out E0.
B. Email and Telnet will be allowed in E0.
C. Everything but email and Telnet will be allowed out E0.
D. No IP traffic will be allowed out E0.
D. If you add an access list to an interface and you do not have at least one permit statement, then you will affectively shut down the interface because of the implicit deny any at the end of every list.
Which of the following series of commands will restrict Telnet access to the router?
A. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line con 0
Lab_A(config-line)#ip access-group 10 in
B. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 10 out
C. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 10 in
D. Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#ip access-group 10 in
C. Telnet access to the router is restricted by using either a standard or extended IP access list inbound on the VTY lines of the router. The command access-class is used to apply the access list to the VTY lines.
Which of the following is true regarding access lists applied to an interface?
A. You can place as many access lists as you want on any interface until you run out of memory.
B. You can apply only one access list on any interface.
C. One access list may be configured, per direction, for each layer 3 protocol configured on an interface.
D. You can apply two access lists to any interface.
C. A Cisco router has rules regarding the placement of access lists on a router interface. You can place one access list per direction for each layer 3 protocol configured on an interface.
What is the most common attack on a network today?
A. Lock picking
D. auto secure
C. The most common attack on a network today is a denial of service (DoS) because they are the easiest attack to achieve.
You need to stop DoS attacks in real time and have a log of anyone who has tried to attack your network. What should you do your network?
A. Add more routers.
B. Use the auto secure command.
C. Implement IDS/IPS.
D. Configure Naggle.
C. Implementing intrusion detection services and intrusion prevention services will help notify you and stop attacks in real time.