Cisco Security Chapter 4
Terms in this set (21)
To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?
Echo reply.
Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?
IPv6 traffic-filter ENG_ACL in
Which statement describes a typical security policy for a DMZ firewall configuration?
Traffic that originates from the DMZ interface is selectively permitted to the outside interface.
Refer to the exhibit. Which statement describes the function of the ACEs?
(permit icmp any any nd-na)
(permit icmp any any nd-ns)
(deny IPv6 any any)
These ACEs allow for IPv6 neighbor discovery traffic.
When an inbound Internet-traffic ACL is being implemented, what should be included to prevent the spoofing of internal networks?
ACEs to prevent traffic from private address spaces
In addition to the criteria used by extended ACLs, what conditions are used by a classic firewall to filter traffic?
Application layer protocol session information
A router has been configured as a classic firewall and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?
A dynamic ACL entry is added to the external interface in the inbound direction.
If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?
permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
A company is deploying a new network design in which the border router has three interfaces. Interface Serial0/0/0 connects to the ISP, GigabitEthernet0/0 connects to the DMZ, and GigabitEthernet0/1 connects to the internal private network. Which type of traffic would receive the least amount of inspection (have the most freedom of travel)?
traffic that is going from the private network to the DMZ
Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections?
(R1(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 22 log)
Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.
And
SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.
Consider the following access list.
access-list 100 permit ip host 192.168.10.1 any
access-list 100 deny ICMP 192.168.10.0 0.0.0.255 any echo
access-list 100 permit ip any any
Which two actions are taken if the access list is placed inbound on a router Gigabit Ethernet port that has the IP address 192.168.10.254 assigned?
Devices on the 192.168.10.0/24 network are not allowed to ping other devices on the 192.168.11.0 network.
And a Telnet or SSH session is allowed from any device on the 192.168.10.0 into the router with this access list assigned.
What is one benefit of using a stateful firewall instead of a proxy server?
Better Performance
What is one limitation of a stateful firewall?
Not as effective with UDP-based or ICMP-based traffic.
When a Cisco IOS Zone-Based Policy Firewall is being configured via CLI, which step must be taken after zones have been created?
Establish policies between zones.
A network administrator is implementing a Classic Firewall and a Zone-Based Firewall concurrently on a router. Which statement best describes this implementation?
The two models cannot be implemented on a single interface.
Which two rules about interfaces are valid when implementing a Zone-Based Policy Firewall?
If neither interface is a zone member, then the action is to pass traffic.
And if both interfaces are members of the same zone, all traffic will be passed.
Which command will verify a Zone-Based Policy Firewall configuration?
show running-config
Which type of packet is unable to be filtered by an outbound ACL?
Router-generated packet.
When a Cisco IOS Zone-Based Policy Firewall is being configured, which two actions can be applied to a traffic class?
Drop
Inspect.
A _____ firewall monitors the state of connections as network traffic flows into and out of the organization.
A stateful firewall
The ____ action in a Cisco IOS Zone-Based Policy Firewall is similar to a permit statement in an ACL
The Pass Action