Technology
August 21, 2021

CCNA Security Practice Exam: 10 Questions on the IOS Firewall Suite

Earning your CCNA Security certification is a huge boost to your career and career prospects! To help you prepare for total success on exam day, here are 10 supplemental questions on the IOS Firewall suite. The answers are at the end of the article. Enjoy!

1. Define the term “DMZ” when it comes to network security and name three different common network devices that are typically found there.

2. Identify the true statements.

A. Stateless packet filtering considers the state of the TCP connection.

B. Stateful packet filtering considers the state of the TCP connection.

C. Neither stateless nor stateful packet filtering monitors the status of the TCP connection.

D. Both stateless and stateful packet filtering monitor the state of the TCP connection and maintain a state table containing that information.

3. Does the Cisco IOS Firewall feature set act as a stateful or stateless packet filter?

4. Which of the following is considered part of the IOS Firewall feature set?

A. IOS Firewall

B. Intrusion prevention system

C. RADIO

D. Authentication proxy

E. Password encryption

5. Identify the true statements regarding the authentication proxy.

A. It is part of the IOS firewall feature set.

B. Allows the creation of security profiles per user, instead of more general profiles.

C. Allows the creation of general security profiles, but not per user profiles.

D. Profiles can be stored locally, but not remotely.

E. Profiles can be stored on a RADIUS server.

F. Profiles can be stored on a TACACS + server.

6. ACL configuration is an important part of working with IOS Firewall. What wildcard masks are replaced in ACLs by the words host and any?

7. What does the dollar sign indicate on the following ACL line?

R1 (config) # $ 150 deny ip 172.50.50.0 0.0.0.255 172.50.100.0 0.0.0.255

8. Basically, how does an IOS Firewall prevent a TCP SYN attack?

9. What does the term “punch a hole in the firewall” refer to? (Logically, that is, not physically).

10. What exactly does the router traffic option do in the following configuration?

R4 (config) #ip inspects the name PASSCCNASECURITY tcp router-traffic

R4 (config) #ip inspects the name PASSCCNASECURITY udp router-traffic

R4 (config) #ip inspects the name PASSCCNASECURITY icmp router-traffic

Here are the answers!

1. It’s easy to think of your network as “inside” and everything else as “outside.” However, we have a third area when it comes to firewalls: the DMZ.

From an IT point of view, the DMZ is the part of our network that is exposed to external networks. It is common to find the following devices in a DMZ:

Ftp server

Email server

E-commerce server

DNS servers

Web servers

2. (B.) Stateful packet filtering monitors the state of the connection, and that is particularly important when it comes to preventing TCP attacks. A stateful firewall will not only monitor the status of the TCP connection, but also the sequence numbers. Stateful firewalls accomplish this by maintaining a session table or a state table.

3. Cisco IOS Firewall is a stateful filter.

4. (A, B, D.) There are three main components in the IOS Firewall feature set: the IOS Firewall, the Intrusion Prevention System (IPS), and the Authentication Proxy.

5. (A, B, E, F. The authentication proxy allows us to create security profiles that will be applied by user, instead of by subnet or by address. These profiles can be maintained in any of the following:

Radio server

TACACS + Server

Upon successful authentication, the security policy for that particular user is downloaded from the RADIUS or TACACS + server and enforced by the IOS Firewall router.

6. We have the option of using the word host to represent a wildcard mask of 0.0.0.0. Consider a configuration in which only packets from the source IP 10.1.1.1 are allowed and all other packets are denied. The following ACLs do that.

R3 # conf t

R3 (config) # access-list 6 permission 10.1.1.1 0.0.0.0

R3 (config) #conf t

R3 (config) # access-list 7 permit host 10.1.1.1

The any keyword can be used to represent a wildcard mask of 255.255.255.255. The next two lines allow all traffic.

R3 (config) # access-list 15 allows any

R3 (config) # access-list 15 permit 0.0.0.0 255.255.255.255

There is no “right” or “wrong” decision to make when configuring ACLs in the real world. However, for your consideration, I will be very familiar with the proper use of host and any.

7. The dollar sign simply indicates that part of the command you are entering or viewing cannot be displayed because the input is too long. It does not mean that the command is illegal.

8. The IOS Firewall can use any or all of the following values ​​to detect when a TCP SYN attack is occurring:

Grand total of incomplete TCP sessions

Number of incomplete TCP sessions in a given period of time

Number of incomplete TCP sessions per host

When any of these thresholds are reached, any of the following actions can be taken:

Block all incoming SYN packets for a certain period of time

Broadcast an RST to both parties in the oldest incomplete session

We will see specific cases in future tutorials.

9. That term simply refers to configuring the firewall to open a port that was previously closed. Don’t forget to close it when you no longer need it open!

10. If you are going to inspect the traffic that is actually generated on the router, you must include the router’s traffic option at the end of that particular IP inspection instruction.

Look for more Cisco certification practical exams and fully illustrated tutorials on my website.

admin
0

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts

Recent Comments

    Archives

    Categories

    TOGEL
    Slot gacor hari ini
    Slot gacor hari ini

    Meta