Exam Prep Questions

1.

Which of the following is the best description of a firewall? (Choose one.)

A. Firewalls statefully inspect reply packets to determine whether they match the expected state of a connection in the state table.

B. Firewalls statically inspect packets in both directions and filter on layer 3 and layer 4 information.

C. A firewall is a system or a group of systems that enforce an access control policy between two networks.

D. A firewall is any device that blocks access to a protected network.

E. None of the above.

2.

Which of the following define characteristics of a firewall? (Choose all that apply.)

A. Enforces the access control policy of an organization.

B. Must be hardened against attacks.

C. Must be the only transit point between networks.

D. Completely eliminates the risk of network compromise.

E. All of the above.

3.

True or false. Transparent firewalls mitigate the risk of attack by applying rich layer 3 through 7 inspection services to the traffic transiting the firewall.

4.

Consider the following output. What sequence of commands would you enter to add a line at the beginning of the ACL that permits packets for established TCP sessions?

CiscoISR# show access-list 101
Extended IP access list 101
    10 permit tcp any 10.10.10.0 0.0.0.255 eq www (12032 matches)
    20 permit tcp any 10.10.10.0 0.0.0.255 eq 22 (25000 matches)


A.
    configure terminal
    ip access-list extended 101
    5 permit tcp any any established

B.
    configure terminal
    ip access-list name 101
    5 permit tcp any any established

C.
    configure terminal
    ip access-list extended 101 line 5 permit tcp any any established

D.
    configure nacl
    10 permit tcp any any established

E.
    configure extended-nacl permit line 5 session-established

F. None of the above.

5.

Fill in the blank in the sequence below for editing an existing access control list in the Cisco SDM.

Configure->__________->ACL Editor->Access Rules


A. Firewall rules

B. Additional tasks

C. Policy editor

D. Perimeter security

E. None of the above.

6.

Match the protocols in the numbered list below with the letter corresponding to their protocol ID in an IP packet.

  1. EIGRP

  2. UDP

  3. ICMP

  4. GRE

  5. ESP

  6. TCP

A. 1

B. 6

C. 17

D. 47

E. 50

F. 88

7.

Certain source IP addresses should be filtered using ACLs to prevent IP spoofing attacks. Which of the following should be filtered? (Choose all that apply.)

A. All 1’s source IP addresses

B. Any address starting with a zero

C. IP multicast addresses

D. Reserved private IP addresses

E. All of the above.

8.

True or false. Cisco specifically recommends against allowing ICMP echoes and ICMP redirects inbound.

9.

True or false. The Cisco IOS Zone-Based Policy Firewall (ZPF) is not used solely to implement a Stateful Packet Inspection (SPI) firewall.

10.

Consider the following scenario: A firewall has five interfaces, two of which are not associated with security zones:

- Two interfaces are in the INTERNET zone.

- One interface is in the INSIDE zone.

- Two interfaces are not in any zone.

What is the default rule for traffic that originates from one of the two interfaces that are not in any zone and is destined for an interface in the INTERNET security zone?

A. The traffic is dropped.

B. The traffic is passed because it’s going to the Internet.

C. The traffic is either permitted or denied based on the actions in the policy map if it has been applied to the zone pair.

D. The traffic is passed because the default policy map action is to pass traffic that doesn’t have a specific match.

E. None of the above.

Answers to Exam Prep Questions

1.

The correct answer is C. Answers A and B define types of firewalls. Answer D is incorrect.

2.

Answers A, B, and C are correct. Answer D is incorrect because no firewall can eliminate risk. Firewalls mitigate risk.

3.

False. Transparent firewalls mitigate the risk of attack by applying rich inspection services from layer 2 through 7 of the OSI model. They are “transparent” in the same way that a LAN switch is transparent to layer 3 devices.

4.

Answer A is correct. With version 12.3 of the Cisco IOS, you can insert and delete lines in numbered ACLs, both standard and extended. The other answers are made up and use a mix of existing and nonexistent commands to try to trick you.

5.

Answer B is correct.

6.

1—F; 2—C; 3—A; 4—D; 5—E; 6—B.

7.

The answer is E, All of the above. IP ACLs should also filter local addresses in the 127.0.0.0/8 range.
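The anti-spoofing rule behind question 7 and its answer, as an added example that is not part of the book: a small ingress filter that classifies source addresses against the ranges the question lists (all-ones, zero-prefix, multicast, RFC 1918 private) plus the 127.0.0.0/8 loopback range the answer adds, and then renders the same checks as Cisco IOS extended ACL deny lines with wildcard masks. The optional inside_net check (treating an outside packet that claims an inside source as spoofed) and the sample packets are my own additions; the closing permit line is only a placeholder for whatever the real access policy allows.

```python
import ipaddress

# Source ranges that should never arrive from the outside; order is the order
# in which the generated ACL lines are emitted (Python 3.7+ keeps dict order).
BOGON_SOURCES = {
    "all-ones": ipaddress.ip_network("255.255.255.255/32"),  # question 7, A
    "zero-prefix": ipaddress.ip_network("0.0.0.0/8"),        # question 7, B
    "multicast": ipaddress.ip_network("224.0.0.0/4"),        # question 7, C
    "private-10": ipaddress.ip_network("10.0.0.0/8"),        # question 7, D
    "private-172": ipaddress.ip_network("172.16.0.0/12"),    # question 7, D
    "private-192": ipaddress.ip_network("192.168.0.0/16"),   # question 7, D
    "loopback": ipaddress.ip_network("127.0.0.0/8"),         # answer 7
}


def classify_source(src, inside_net=None):
    """Return the name of the range that makes `src` a spoofed source,
    or None if the source is acceptable. `inside_net` (assumed, optional)
    is the protected network; an outside packet claiming an inside source
    is also treated as spoofed."""
    addr = ipaddress.ip_address(src)
    for name, net in BOGON_SOURCES.items():
        if addr in net:
            return name
    if inside_net is not None and addr in ipaddress.ip_network(inside_net):
        return "inside-source-from-outside"
    return None


def filter_packets(packets, inside_net=None):
    """Split (src, dst) tuples into permitted packets and dropped packets;
    each dropped entry carries the reason so it can be logged."""
    permitted, dropped = [], []
    for src, dst in packets:
        reason = classify_source(src, inside_net)
        if reason is None:
            permitted.append((src, dst))
        else:
            dropped.append((src, dst, reason))
    return permitted, dropped


def ios_deny_lines():
    """Render the same checks as IOS extended ACL entries. IOS wildcard
    masks are the inverse of the subnet mask, which ipaddress exposes as
    `hostmask`. The final permit is a placeholder for the real policy."""
    lines = []
    for net in BOGON_SOURCES.values():
        lines.append(f"deny ip {net.network_address} {net.hostmask} any")
    lines.append("permit ip any any")
    return lines


# Constructed sample traffic arriving on the outside interface; the inside
# network is taken from the ACL shown in question 4.
SAMPLE_PACKETS = [
    ("203.0.113.7", "10.10.10.5"),      # legitimate public source
    ("255.255.255.255", "10.10.10.5"),  # all-ones
    ("0.1.2.3", "10.10.10.5"),          # starts with zero
    ("239.1.1.1", "10.10.10.5"),        # multicast
    ("192.168.1.20", "10.10.10.5"),     # private
    ("127.0.0.1", "10.10.10.5"),        # loopback
    ("10.10.10.99", "10.10.10.5"),      # claims an inside address
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS, inside_net="10.10.10.0/24")
    for src, dst, reason in bad:
        print(f"drop {src} -> {dst}: {reason}")
    for src, dst in ok:
        print(f"pass {src} -> {dst}")
    print("\n".join(ios_deny_lines()))
```

Running the block drops six of the seven constructed packets and passes only the 203.0.113.7 source; the generated ACL lines are the ones you would place ahead of the service-specific permits on the outside interface's inbound direction.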

8.

True. Cisco recommends against ICMP echoes because this would be useful for network reconnaissance. ICMP redirects are recommended against because this might allow an attacker to hijack routing as part of a Man-in-the-Middle (MiM) attack.

9.

True. ZPF policy maps can take inspect, drop, or pass actions on traffic. The drop and pass actions are analogous to deny and permit actions on an ACL and are not stateful.

10.

Answer A is correct. Recall that one of the advantages of ZPF is that the firewall becomes a “deny all” firewall for all traffic that doesn’t have an explicit action that will permit it to pass.
