
Earning your CCNA Security certification is a huge boost to your career! To help you prepare for total success on exam day, here are 10 free questions about the IOS Firewall feature set. The answers are at the end of the article. Enjoy!
1. Define the term "demilitarized zone" with respect to network security, and name three different common network devices that are normally found there.
2. Identify the true statements.
A. Stateless packet filtering considers the TCP connection status.
B. Stateful packet filtering considers the TCP connection status.
C. Neither stateless nor stateful packet filtering monitors the TCP connection status.
D. Both stateless and stateful packet filtering monitor the TCP connection status and maintain a state table containing that information.
3. Does the Cisco IOS Firewall feature set act as a stateful or a stateless packet filter?
4. Which of the following are considered part of the IOS Firewall feature set?
A. IOS Firewall
B. Intrusion Prevention System
C. RADIUS
D. Authentication proxy
E. Password encryption
5. Identify the true statements with respect to the authentication proxy.
A. It is part of the IOS Firewall feature set.
B. It allows the creation of per-user security profiles rather than more general profiles.
C. It allows the creation of general security profiles, but not per-user profiles.
D. Profiles can be stored locally but not remotely.
E. Profiles can be stored on a RADIUS server.
F. Profiles can be stored on a TACACS+ server.
6. ACL configuration is an important part of working with the IOS Firewall. What wildcard masks do the keywords host and any replace in ACLs?
7. What does the dollar sign in the following ACL line indicate?
R1(config)#$150 deny ip 172.50.50.0 0.0.0.255 172.50.100.0 0.0.0.255
8. Basically, how can the IOS Firewall prevent a TCP SYN attack?
9. What does the term "make a hole in the firewall" mean? (Not physically, of course.)
10. What exactly does the router-traffic option in the following configuration do?
R4(config)#ip inspect name PASSCCNASECURITY tcp router-traffic
R4(config)#ip inspect name PASSCCNASECURITY udp router-traffic
R4(config)#ip inspect name PASSCCNASECURITY icmp router-traffic
Here are the answers!
1. It is easy to think of your network as the "inside" and everything else as the "outside". However, there is a third area when it comes to firewalls: the demilitarized zone (DMZ).
From an IT perspective, the DMZ is the part of our network that is exposed to external networks. It is common to find the following devices in a DMZ:
FTP Server
E-mail server
E-Commerce Server
DNS Servers
Web Servers
2. (B) Stateful packet filtering does monitor the connection status, and this is particularly important when it comes to preventing TCP attacks. A stateful firewall monitors not only the state of the TCP connection but also the sequence numbers. Firewalls accomplish this by maintaining a session table, or state table.
3. The Cisco IOS Firewall performs stateful filtering.
4. (A, B, D) There are three main components of the IOS Firewall feature set: the IOS Firewall itself, the Intrusion Prevention System (IPS), and the authentication proxy.
5. (A, B, E, F) The authentication proxy allows us to create security profiles that are applied on a per-user basis, rather than one for each subnet or for each direction. These profiles can be maintained on either of the following:
RADIUS Server
TACACS+ server
After a successful authentication, that user's particular security policy is downloaded from the RADIUS or TACACS+ server and applied by the IOS Firewall router.
6. We have the option of using the keyword host to represent a wildcard mask of 0.0.0.0. Consider a configuration where only IP packets sourced from 10.1.1.1 should be permitted and all remaining packets denied. Either of the following ACLs does so.
R3#conf t
R3(config)#access-list 6 permit 10.1.1.1 0.0.0.0
R3(config)#access-list 7 permit host 10.1.1.1
The keyword any can be used to represent a wildcard mask of 255.255.255.255. Both of the following lines permit all traffic.
R3(config)#access-list 15 permit any
R3(config)#access-list 15 permit 0.0.0.0 255.255.255.255
There is no "right" or "wrong" choice to make when configuring ACLs in the real world. For the exam, however, I would be very familiar with the proper use of both host and any.
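To see why host and any are just shorthand for those two masks, here is an added Python illustration (not from the original article) that evaluates a standard ACL the way IOS does: a wildcard bit of 0 must match, a bit of 1 is ignored, the first matching line wins, and an unmatched packet hits the implicit deny. The ACL lines are constructed to mirror the ones above.

```python
import ipaddress

def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network/wildcard the way an IOS ACL tests it.

    In a wildcard mask a 0 bit means 'must match' and a 1 bit means
    'don't care', so the test is (addr XOR network) AND NOT wildcard == 0.
    """
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & (~w & 0xFFFFFFFF) == 0

def parse_entry(line: str):
    """Parse one standard ACL line in the forms used in answer 6:
       access-list N permit|deny host A.B.C.D
       access-list N permit|deny any
       access-list N permit|deny A.B.C.D W.W.W.W
    Returns (action, network, wildcard) with host/any expanded."""
    parts = line.split()
    if parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    action, rest = parts[2], parts[3:]
    if rest[0] == "host":   # 'host X' is shorthand for 'X 0.0.0.0'
        return action, rest[1], "0.0.0.0"
    if rest[0] == "any":    # 'any' is shorthand for '0.0.0.0 255.255.255.255'
        return action, "0.0.0.0", "255.255.255.255"
    return action, rest[0], rest[1]

def acl_decision(acl_lines, src: str) -> str:
    """First-match evaluation of a standard ACL against a source address."""
    for line in acl_lines:
        action, network, wildcard = parse_entry(line)
        if wildcard_matches(src, network, wildcard):
            return action
    return "deny"   # the implicit deny at the end of every ACL

# Constructed sample ACLs mirroring the lines in answer 6.
ACL_6 = ["access-list 6 permit 10.1.1.1 0.0.0.0"]
ACL_7 = ["access-list 7 permit host 10.1.1.1"]
ACL_15 = ["access-list 15 permit any"]
```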
7. The dollar sign simply indicates that part of the command being entered or viewed cannot be displayed because the entry is so long. It does not mean the command is illegal.
8. The IOS Firewall can use any or all of these values to detect that a TCP SYN attack is under way:
Overall total of incomplete TCP sessions
Number of incomplete TCP sessions in a certain amount of time
Number of incomplete TCP sessions on a per-host basis
When any of these thresholds is reached, either of the following actions can be taken:
Block all incoming SYN packets for a certain period of time
Transmit a RST to both parties in the oldest incomplete session
We'll look at specific cases in future tutorials.
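As an added illustration (not the article's or Cisco's code), this small Python model assumes a firewall state table keyed by (source, destination, port) and shows how the total and per-host half-open counts above trip the two actions; the thresholds and traffic are constructed.

```python
from collections import Counter, OrderedDict

class HalfOpenTracker:
    """Assumed model of the state-table bookkeeping a stateful firewall keeps
    for incomplete (half-open) TCP sessions. It counts them in total and per
    destination host and reports the action taken when a threshold is crossed."""

    def __init__(self, max_incomplete: int, max_per_host: int):
        self.max_incomplete = max_incomplete   # total half-open sessions allowed
        self.max_per_host = max_per_host       # half-open sessions allowed per host
        self.half_open = OrderedDict()         # (src, dst, dport) -> True, oldest first
        self.per_host = Counter()              # dst host -> half-open count

    def syn(self, src: str, dst: str, dport: int) -> str:
        """A new SYN opens a half-open entry; return the action the model takes."""
        key = (src, dst, dport)
        if key not in self.half_open:
            self.half_open[key] = True
            self.per_host[dst] += 1
        if self.per_host[dst] > self.max_per_host:
            # Per-host threshold: block new SYNs to that host for the block time
            return f"block incoming SYNs to {dst} for the block time"
        if len(self.half_open) > self.max_incomplete:
            # Total threshold: reset the oldest incomplete session to free a slot
            oldest, _ = self.half_open.popitem(last=False)
            self.per_host[oldest[1]] -= 1
            return f"send RST to both ends of oldest session {oldest}"
        return "allow"

    def established(self, src: str, dst: str, dport: int) -> None:
        """Handshake completed: the entry leaves the half-open table."""
        if self.half_open.pop((src, dst, dport), None):
            self.per_host[dst] -= 1

def demo_per_host() -> list:
    """Constructed traffic: four SYNs from different sources to one host."""
    t = HalfOpenTracker(max_incomplete=100, max_per_host=3)
    return [t.syn(f"198.51.100.{i}", "10.0.0.5", 80) for i in range(1, 5)]

def demo_total() -> tuple:
    """Constructed traffic: three SYNs against a total limit of two."""
    t = HalfOpenTracker(max_incomplete=2, max_per_host=10)
    acts = [t.syn(f"198.51.100.{i}", "10.0.0.5", 80) for i in range(1, 4)]
    return acts, len(t.half_open)
```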
9. That term simply refers to configuring the firewall to open a port that was previously closed. Don't forget to close it when it no longer needs to be open!
10. If you want to inspect traffic that actually originates in the router, you must include the router-traffic option at the end of that particular ip inspect statement.
Look for more Cisco certification exams and fully-illustrated tutorials on my website!
Chris Bryant, CCIE #12933, is the owner of The Bryant Advantage, home of free CCNA Security exam tutorials.
Get your CCNA and CCNP certifications with this special offer from The Bryant Advantage!