Network Security ( Version 1) – Network Security 1.0 Modules 8-10: ACLs and Firewalls Group Exam
How to find: Press “Ctrl + F” in the browser and fill in whatever wording is in the question to find that question/answer.
1. When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device?
Explanation: In order to document the purpose of an ACL and identify its function more easily, the remark keyword is used when building the ACL. The established keyword is used to allow connections that were initially sourced from the current device. The eq operator is used to specify a port number for denying or permitting traffic. The description keyword is used when configuring and documenting interfaces.
2. Which two pieces of information are required when creating a standard access control list? (Choose two.)
- access list number between 1 and 99
- source address and wildcard mask
- destination address and wildcard mask
- subnet mask and wildcard mask
- access list number between 100 and 199
Explanation: Standard ACLs can be numbered 1 to 99 and 1300 to 1999. Standard IP ACLs filter only on the source IP address.
3. What two steps provide the quickest way to completely remove an ACL from a router? (Choose two.)
- Removal of the ACEs is the only step required.
- Modify the number of the ACL so that it doesn’t match the ACL associated with the interface.
- Copy the ACL into a text editor, add no before each ACE, then copy the ACL back into the router.
- Remove the inbound/outbound reference to the ACL from the interface.
- Use the no access-list command to remove the entire ACL.
- Use the no keyword and the sequence number of every ACE within the named ACL to be removed.
Explanation: To completely remove an ACL from a router requires two steps. Removing the actual ACL with the no access-list command and removing the association of the ACL from the appropriate interface.
4. Which two types of addresses should be denied inbound on a router interface that attaches to the Internet? (Choose two.)
- private IP addresses
- any IP address that starts with the number 127
- any IP address that starts with the number 1
- NAT translated IP addresses
- public IP addresses
Explanation: The following addresses should not be permitted inbound from the Internet in order to mitigate IP spoofing and DoS attacks:
All zero address
Local host addresses that start with 127
Reserved private addresses
IP multicast addresses
5. In the creation of an IPv6 ACL, what is the purpose of the implicit final command entries, permit icmp any any nd-na and permit icmp any any nd-ns ?
- to allow forwarding of ICMPv6 packets
- to allow automatic address configuration
- to allow IPv6 to MAC address resolution
- to allow forwarding of IPv6 multicast packets
Explanation: IPv6 address to MAC address resolution is performed through the exchange of ICMPv6 neighbor discovery packets comprised of neighbor solicitation and neighbor advertisement packets. Unless these packets are permitted on a router interface, the interface will not be able to perform MAC address resolution.
6. What two statements describe characteristics of IPv6 access control lists? (Choose two.)
- They permit ICMPv6 router advertisements by default.
- They can be named or numbered.
- They include two implicit permit statements by default.
- They are applied to an interface with the ip access-group command .
- They use prefix lengths to indicate how much of an address to match.
Explanation: IPv6 access lists have distinct characteristics that are different than IPv4 access lists:
They use prefix lengths instead of wildcard masks to match network bits.
They permit two ICMPv6 message types: neighbor solicitations and neighbor advertisements by default.
They are only created as named access lists.
They use the command ipv6 taffic-filter when applied to an interface.
7. Refer to the exhibit. A network administrator created an IPv6 ACL to block the Telnet traffic from the 2001:DB8:CAFE:10::/64 network to the 2001:DB8:CAFE:30::/64 network. What is a command the administrator could use to allow only a single host 2001:DB8:CAFE:10::A/64 to telnet to the 2001:DB8:CAFE:30::/64 network?
- permit tcp 2001:DB8:CAFE:10::A/64 2001:DB8:CAFE:30::/64 eq 23
- permit tcp 2001:DB8:CAFE:10::A/64 eq 23 2001:DB8:CAFE:30::/64
- permit tcp host 2001:DB8:CAFE:10::A eq 23 2001:DB8:CAFE:30::/64
- permit tcp host 2001:DB8:CAFE:10::A 2001:DB8:CAFE:30::/64 eq 23 sequence 5
Explanation: When an IPv6 ACE is created and is to be processed before an existing ACE is processed, the next command entered must use the sequence argument with a number lower than the existing ACE. This allows an entry to be placed before an existing entry, as the default sequence numbers are commonly numbered by increments of 10. Thus, using a sequence number of 5 on an ACE will place it in front of a prior existing entry with a sequence number of 10.
8. When implementing components into an enterprise network, what is the purpose of a firewall?
- A firewall is a system that inspects network traffic and makes forwarding decisions based solely on Layer 2 Ethernet MAC addresses.
- A firewall is a system that is designed to secure, monitor, and manage mobile devices, including corporate-owned devices and employee-owned devices.
- A firewall is a system that stores vast quantities of sensitive and business-critical information.
- A firewall is a system that enforces an access control policy between internal corporate networks and external networks.
Explanation: A firewall is a system that enforces an access control policy and prevents the exposure of sensitive hosts, resources, and applications to untrusted users.
9. What are two possible limitations of using a firewall in a network? (Choose two.)
- It provides accessibility of applications and sensitive resources to external untrusted users.
- It increases security management complexity by requiring off-loading network access control to the device.
- A misconfigured firewall can create a single point of failure.
- Network performance can slow down.
- It cannot sanitize protocol flows.
Explanation: Firewalls have some limitations:
– A misconfigured firewall can have serious consequences for the network, such as becoming a single point of failure.
– The data from many applications cannot be passed over firewalls securely.
– Users might proactively search for ways around the firewall to receive blocked material, which exposes the network to potential attack.
– Network performance can slow down.
– Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.
10. Which type of firewall makes use of a proxy server to connect to remote servers on behalf of clients?
- stateful firewall
- stateless firewall
- packet filtering firewall
- application gateway firewall
Explanation: An application gateway firewall, also called a proxy firewall, filters information at Layers 3, 4, 5, and 7 of the OSI model. It uses a proxy server to connect to remote servers on behalf of clients. Remote servers will see only a connection from the proxy server, not from the individual clients.
11. How does a firewall handle traffic when it is originating from the public network and traveling to the private network?
- Traffic that is originating from the public network is not inspected when traveling to the private network.
- Traffic that is originating from the public network is usually blocked when traveling to the private network.
- Traffic that is originating from the public network is usually permitted with little or no restrictions when traveling to the private network.
- Traffic that is originating from the public network is selectively permitted when traveling to the private network.
Explanation: When traffic is originating from the public network it will usually be blocked when traveling to the private network. Traffic that originates from the private network will be selectively allowed to be returned to the public network.
12. Which two statements describe the two configuration models for Cisco IOS firewalls? (Choose two.)
- ZPF must be enabled in the router configuration before enabling an IOS Classic Firewall.
- The IOS Classic Firewall and ZPF cannot be combined on a single interface.
- IOS Classic Firewalls and ZPF models can be enabled on a router concurrently.
- Both IOS Classic Firewall and ZPF models require ACLs to define traffic filtering policies.
- IOS Classic Firewalls must be enabled in the router configuration before enabling ZPF.
Explanation: There are two configuration models for Cisco IOS Firewalls, IOS Classic Firewalls and zone-based policy firewalls (ZPF). Both configuration models can be enabled concurrently on a router but they cannot be combined on a single interface. One benefit of using ZPF is that ZPF is not dependent on ACLs.
13. Designing a ZPF requires several steps. Which step involves dictating the number of devices between most-secure and least-secure zones and determining redundant devices?
- determine the zones
- design the physical infrastructure
- establish policies between zones
- identify subsets within zones and merge traffic requirements
Explanation: Designing ZPFs involves several steps:
Step 1 . Determine the zones – The administrator focuses on the separation of the network into zones. Zones establish the security borders of a network.
Step 2 . Establish policies between zones – For each pair of “source-destination” zones, define the sessions that clients in the source zones can request from servers in destination zones.
Step 3 . Design the physical infrastructure – After the zones have been identified, and the traffic requirements between them documented, the administrator must design the physical infrastructure. This includes dictating the number of devices between most-secure and least-secure zones and determining redundant devices.
Step 4 . Identify subsets within zones and merge traffic requirements – For each firewall device in the design, the administrator must identify zone subsets that are connected to its interfaces and merge the traffic requirements for those zones.
14. When a Cisco IOS zone-based policy firewall is being configured, which three actions can be applied to a traffic class? (Choose three.)
Explanation: The inspect CCP action is similar to the classic firewall ip inspect command in that it inspects traffic going through the firewall and allowing return traffic that is part of the same flow to pass through the firewall. The drop action is similar to the deny parameter in an ACL. This action drops whatever traffic fits the defined policy. The pass action is similar to a permit ACL statement–traffic is allowed to pass through because it met the criteria of the defined policy statement.
15. When using Cisco IOS zone-based policy firewall, where is the inspection policy applied?
- to a global service policy
- to a zone
- to an interface
- to a zone pair
Explanation: After configuring the firewall policy, apply the policy to traffic that would flow between a pair of zones. Use the zone-pair security command in global configuration mode.
16. What is the first step in configuring a Cisco IOS zone-based policy firewall via the CLI?
- Define traffic classes.
- Assign router interfaces to zones.
- Define firewall policies.
- Assign policy maps to zone pairs.
- Create zones.
Explanation: The steps for configuring a Cisco IOS zone-based policy firewall are as follows:
1. Create zones.
2. Define traffic classes.
3. Define firewall policies.
4. Apply policy maps to zone pairs.
5. Assign router interfaces to zones.
17. What is one benefit of using a stateful firewall instead of a proxy server?
- ability to perform user authentication
- better performance
- ability to perform packet filtering
- prevention of Layer 7 attacks
Explanation: A stateful firewall performs better than a proxy server. A stateful firewall cannot authenticate users or prevent Layer 7 attacks. Both a stateful firewall and a proxy server can filter packets.
18. Which statement describes a typical security policy for a DMZ firewall configuration?
- Traffic that originates from the DMZ interface is selectively permitted to the outside interface.
- Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface.
- Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface.
- Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface.
- Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with few or no restrictions.
With a three interface firewall design that has internal, external, and DMZ connections, typical configurations include the following:
Traffic originating from DMZ destined for the internal network is normally blocked.
Traffic originating from the DMZ destined for external networks is typically permitted based on what services are being used in the DMZ.
Traffic originating from the internal network destined from the DMZ is normally inspected and allowed to return.
Traffic originating from external networks (the public network) is typically allowed in the DMZ only for specific services.
19. What is one limitation of a stateful firewall?
- weak user authentication
- cannot filter unnecessary traffic
- not as effective with UDP- or ICMP-based traffic
- poor log information
Explanation: Limitations of stateful firewalls include the following:
Stateful firewalls cannot prevent application layer attacks.
Protocols such as UDP and ICMP are not stateful and do not generate information needed for a state table.
An entire range of ports must sometimes be opened in order to support specific applications that open multiple ports.
Stateful firewalls lack user authentication.
20. Which statement describes Cisco IOS Zone-Based Policy Firewall operation?
- The pass action works in only one direction.
- Router management interfaces must be manually assigned to the self zone.
- A router interface can belong to multiple zones.
- Service policies are applied in interface configuration mode.
Explanation: The pass action allows traffic only in one direction. Interfaces automatically become members of the self zone. Interfaces are assigned to zones in interface configuration mode, but most configuration takes place in global configuration mode and associated submodes. Interfaces can belong to only one zone at any time.
21. What is the result in the self zone if a router is the source or destination of traffic?
- No traffic is permitted.
- All traffic is permitted.
- Only traffic that originates in the router is permitted.
- Only traffic that is destined for the router is permitted.
Explanation: All traffic is permitted in the self zone if the traffic originates from, or is destined for, the router.
22. What are two characteristics of ACLs? (Choose two.)
- Extended ACLs can filter on destination TCP and UDP ports.
- Standard ACLs can filter on source TCP and UDP ports.
- Extended ACLs can filter on source and destination IP addresses.
- Standard ACLs can filter on source and destination IP addresses.
- Standard ACLs can filter on source and destination TCP and UDP ports.
Explanation: Standard ACLs can only filter on source addresses. That is why they are normally placed closest to the destination. Extended ACLs can filter on source and destination IP addresses, port numbers, and specific message types within a particular protocol such as echo request within the ICMP protocol.
23. Which three statements describe ACL processing of packets? (Choose three.)
- An implicit deny any rejects any packet that does not match any ACE.
- A packet can either be rejected or forwarded as directed by the ACE that is matched.
- A packet that has been denied by one ACE can be permitted by a subsequent ACE.
- A packet that does not match the conditions of any ACE will be forwarded by default.
- Each statement is checked only until a match is detected or until the end of the ACE list.
- Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made.
Explanation: When a packet comes into a router that has an ACL configured on the interface, the router compares the condition of each ACE to determine if the defined criteria has been met. If met, the router takes the action defined in the ACE (allows the packet through or discards it). If the defined criteria has not been met, the router proceeds to the next ACE. An implicit deny any statement is at the end of every standard ACL.
24. A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255 . Which two IP addresses will match this ACL statement? (Choose two.)
Explanation: The wildcard mask indicates that any IP address within the range of 172.16.0.0 to 172.16.15.255 matches.
25. What single access list statement matches all of the following networks?
- access-list 10 permit 192.168.16.0 0.0.3.255
- access-list 10 permit 192.168.16.0 0.0.0.255
- access-list 10 permit 192.168.16.0 0.0.15.255
- access-list 10 permit 192.168.0.0 0.0.15.255
Explanation: The ACL statement access-list 10 permit 192.168.16.0 0.0.3.255 will match all four network prefixes. All four prefixes have the same 22 high order bits. These 22 high order bits are matched by the network prefix and wildcard mask of 192.168.16.0 0.0.3.255.
26. Which two characteristics are shared by both standard and extended ACLs? (Choose two.)
- Both kinds of ACLs can filter based on protocol type.
- Both can permit or deny specific services by port number.
- Both include an implicit deny as a final statement.
- Both filter packets for a specific destination host IP address.
- Both can be created by using either a descriptive name or number.
Explanation: Standard ACLs filter traffic based solely on a specified source IP address. Extended ACLs can filter by source or destination, protocol, or port. Both standard and extended ACLs contain an implicit deny as a final statement. Standard and extended ACLs can be identified by either names or numbers.
27. Refer to the exhibit. What is the result of adding the established argument to the end of the ACE?
- Any traffic is allowed to reach the 192.168.254.0 255.255.254.0 network.
- Any IP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network as long as it is in response to an originated request.
- 192.168.254.0 /23 traffic is allowed to reach any network.
- Any TCP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network if it is in response to an originated request.
Explanation: The established argument allows TCP return traffic from established connections to be sent on an outgoing interface to a network.
28. Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.)
Explanation: The host keyword is used when using a specific device IP address in an ACL. For example, the deny host 192.168.5.5 command is the same is the deny 192.168.5.5 0.0.0.0 command. The any keyword is used to allow any mask through that meets the criteria. For example, the permit any command is the same as permit 0.0.0.0 255.255.255.255 command.
29. If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?
- permit ip any any
- permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
- permit tcp 172.16.0.0 0.0.3.255 any established
- permit udp any any range 10000 20000
- deny udp any host 172.16.1.5 eq snmptrap
- deny tcp any any eq telnet
Explanation: A best practice for configuring an extended ACL is to ensure that the most specific ACE is placed higher in the ACL. Consider the two permit UDP statements. If both of these were in an ACL, the SNMP ACE is more specific than the UDP statement that permits a range of 10,001 UDP port numbers. The SNMP ACE would be entered before the other UDP ACE. The ACEs from most specific to least specific are as follows: permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
deny udp any host 172.16.1.5 eq snmptrap
permit tcp 172.16.0.0 0.0.3.255 any established
deny tcp any any eq telnet
permit udp any any range 10000 20000
permit ip any any
30. To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?
- echo request
- echo reply
- time-stamp request
- time-stamp reply
- router advertisement
Explanation: By allowing the ICMP echo reply message inbound to the organization, internal users are allowed to ping external addresses (and the reply message allowed to return).
31. A security specialist designs an ACL to deny access to a web server from all sales staff. The sales staff are assigned addressing from the IPv6 subnet 2001:db8:48:2c::/64. The web server is assigned the address 2001:db8:48:1c::50/64. Configuring the WebFilter ACL on the LAN interface for the sales staff will require which three commands? (Choose three.)
- permit tcp any host 2001:db8:48:1c::50 eq 80
- deny tcp host 2001:db8:48:1c::50 any eq 80
- deny tcp any host 2001:db8:48:1c::50 eq 80
- permit ipv6 any any
- deny ipv6 any any
- ip access-group WebFilter in
- ipv6 traffic-filter WebFilter in
Explanation: The ACL requires an ACE denying Telnet access from all users in the LAN to the file server at 2001:db8:48:1c::50/64. The IPv6 ACL also has an implicit deny, so a permit statement is required to allow all other traffic. With IPv6, the ipv6 traffic filter command is used to bind the ACL to the interface.
32. What are two characteristics of a stateful firewall? (Choose two.)
- uses static packet filtering techniques
- uses connection information maintained in a state table
- analyzes traffic at Layers 3, 4 and 5 of the OSI model
- uses complex ACLs which can be difficult to configure
- prevents Layer 7 attacks
Explanation: Stateful firewalls are the most versatile and the most common firewall technologies in use. Stateful firewalls provide stateful packet filtering by using connection information maintained in a state table. Stateful filtering is a firewall architecture that is classified at the network layer. It also analyzes traffic at OSI Layers 4 and 5. Stateful firewalls cannot prevent application layer attacks because they do not examine the actual contents of an HTTP connection.
33. What are two differences between stateful and stateless firewalls? (Choose two.)
- A stateless firewall is able to filter sessions that use dynamic port negotiations while a stateful firewall cannot.
- A stateless firewall will examine each packet individually while a stateful firewall observes the state of a connection.
- A stateless firewall will provide more logging information than a stateful firewall.
- A stateful firewall will prevent spoofing by determining whether packets belong to an existing connection while a stateless firewall follows pre-configured rule sets.
- A stateless firewall provides more stringent control over security than a stateful firewall.
Explanation: There are many differences between a stateless and stateful firewall.
are susceptible to IP spoofing
do not reliably filter fragmented packets
use complex ACLs, which can be difficult to implement and maintain
cannot dynamically filter certain services
examine each packet individually rather than in the context of the state of a connection
are often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic
strengthen packet filtering by providing more stringent control over security
improve performance over packet filters or proxy servers
defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source
provide more log information than a packet filtering firewall
34. When implementing a ZPF, what is the default security setting when forwarding traffic between two interfaces in the same zone?
- Traffic between interfaces in the same zone is selectively forwarded based on Layer 3 information.
- Traffic between interfaces in the same zone is not subject to any policy and passes freely.
- Traffic between interfaces in the same zone is blocked.
- Traffic between interfaces in the same zone is selectively forwarded based on the default policy restrictions.
Explanation: A zone-based policy firewall uses the concept of zones to specify where firewall rules and policies should be applied. By default, the traffic between interfaces that exist in the same zone is not subject to any policy and passes freely.
35. Which two rules about interfaces are valid when implementing a Zone-Based Policy Firewall? (Choose two.)
- If neither interface is a zone member, then the action is to pass traffic.
- If one interface is a zone member, but the other is not, all traffic will be passed.
- If both interfaces belong to the same zone-pair and a policy exists, all traffic will be passed.
- If both interfaces are members of the same zone, all traffic will be passed.
- If one interface is a zone member and a zone-pair exists, all traffic will be passed.
Explanation: The rules for traffic transiting through the router are as follows:If neither interface is a zone member, then the resulting action is to pass the traffic.
If both interfaces are members of the same zone, then the resulting action is to pass the traffic.
If one interface is a zone member, but the other is not, then the resulting action is to drop the traffic regardless of whether a zone-pair exists.
If both interfaces belong to the same zone-pair and a policy exists, then the resulting action is inspect, allow, or drop as defined by the policy.