Many simple device configuration techniques can add to the security of the network. To a great extent, these often fall into the category of commonsense practices, such as using administrative access passwords on all device access points.
As Cisco moves more and more devices to IOS-based command structures, access lists remain a need-to-know technology. While not a complete security solution, access lists are an integral part of any security program.
Standard access lists filter based on source address alone, creating a simple, yet powerful, tool for blocking all traffic or access to a host, subnet, or network. Standard ACLs can be used for traffic filtering, limiting access to Telnet sessions, limiting access to Web browsers trying to access a Cisco router or switch, filtering routing updates, and focusing commands like debug ip packet to conserve router resources.
Extended access lists can be used to filter on protocol, source address, destination address, source and destination port identifiers for TCP and UDP traffic, and various powerful options. The TCP Established option can be used to limit TCP traffic only to what originated within the network.
Named access lists are a variation on the numbered ACLs, supporting both standard and extended versions. Named ACLs are easier to create than numbered lists and allow limited editing and deletion of specific statements, which can't be done with numbered lists. They can be descriptive of their purpose and are therefore easier for follow-up support to work with. Some IOS features, and all IOS versions prior to 11.2, don't support named ACLs, which requires some thought in mixed environments. Some newer features, like reflexive ACLs, only work with named lists, so it's probably safe to say they're going to be a bigger, rather than smaller, part of the future.
1. Which of the following interface types is least likely to be on a firewall appliance?

2. Which of the following would not be considered a basic security step in a router configuration?

3. Which of the following is not true about numbered access lists?

4. Which one of the following will deny access to a class C network?

5. What is the ACL line to deny the subnet 192.168.1.16 subnet mask 255.255.255.240?

6. With the Log option for ACLs, a message appears when the first match occurs, and then at what interval as long as matches continue?

7. When limiting access to Telnet sessions, which command would work?

8. Which two commands could be used to secure the web browser access to a device?

9. Which of the following protocols uses the established option?

10. Numbered extended ACLs are created in which mode?

11. Which statement is not true about named access lists?

12. Which statement will create a named extended ACL?

13. The time-based ACL statements are relative to which one of the following?

14. Which command will define a periodic time range?

15. Which statement is true about defining a time range?

16. Which one of the following is true about the Established option in a TCP access list?

17. In the following ACL, what is the impact of the third statement?

    access-list 101 deny tcp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny tcp 192.168.3.0 0.0.0.255 any eq ftp
    access-list 101 permit tcp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 eq www
    access-list 101 deny tcp any 192.168.1.0 0.0.0.255 any eq telnet
    access-list 101 permit ip any any

Answers

1. B. Serial. Firewall devices, such as the PIX box, use LAN interfaces.

2. B. Setting a MOTD banner to welcome the user to the device.

3. D. New statements are always added to the top of the list statements. (They're actually appended to the bottom of the list.)

4. B. Rtr1(config)#access-list 15 deny 192.168.1.0 0.0.0.255

5. C. access-list 15 deny 192.168.1.16 0.0.0.15

6. B. Five minutes.

7. C. access-class 15 in

8. B. no ip http server; C. ip http access-class 90

9. C. TCP

10. B. Global Configuration mode.

11. D. All processes that use access lists can use a named ACL.

12. C. Rtr1(config)#ip access-list extended tcp-control

13. C. The router clock. If the router clock is wrong, the statements will be applied at the wrong times.

14. A. Router(config-time-range)#periodic tuesday thursday 17:00 to 22:00

15. C. A time range can have multiple periodic and one absolute time.

16. D. Inbound traffic is limited to sessions originating inside the network.

17. D. The line does nothing at all. All TCP traffic from 192.168.3.0 to 192.168.1.0 was denied in the first statement.
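As an added illustration (not from the book), the Python below models the first-match, wildcard-mask matching that the summary describes and that questions 5 and 17 test. It evaluates ACL 101 from question 17 against sample packets and flags statements that an earlier statement fully covers, which is exactly why the third line never matches. The entry layout and helper names are this example's own; the stray "any" in the fourth line of the question is read as the destination 192.168.1.0 0.0.0.255 eq telnet.

```python
import ipaddress

# Added example: first-match evaluator and shadow checker for IOS-style extended ACLs.
def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask means that bit must match."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)

ANY = ("0.0.0.0", "255.255.255.255")   # how IOS expands the keyword 'any'

# Entry layout (this example's own): action, protocol, src net, src wildcard,
# dst net, dst wildcard, dst port (None = any port). ACL 101 from question 17.
ACL_101 = [
    ("deny",   "tcp", "192.168.3.0", "0.0.0.255", "192.168.1.0", "0.0.0.255", None),
    ("deny",   "tcp", "192.168.3.0", "0.0.0.255", *ANY, 21),                         # eq ftp
    ("permit", "tcp", "192.168.3.0", "0.0.0.255", "192.168.1.0", "0.0.0.255", 80),   # eq www
    ("deny",   "tcp", *ANY, "192.168.1.0", "0.0.0.255", 23),                         # eq telnet
    ("permit", "ip",  *ANY, *ANY, None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, 1-based line that matched); line 0 is the implicit deny."""
    for i, (action, p, sn, sw, dn, dw, port) in enumerate(acl, start=1):
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", 0

def _covers(wide, narrow):
    """True if every packet that matches `narrow` also matches `wide`."""
    _, wp, wsn, wsw, wdn, wdw, wport = wide
    _, np_, nsn, nsw, ndn, ndw, nport = narrow
    if wp != "ip" and wp != np_:
        return False
    if wport is not None and wport != nport:
        return False
    # narrow range sits inside wide iff it frees no bit wide fixes and fixed bits agree
    def inside(nn, nw, wn, ww):
        return (_ip(nw) & ~_ip(ww)) == 0 and wildcard_match(nn, wn, ww)
    return inside(nsn, nsw, wsn, wsw) and inside(ndn, ndw, wdn, wdw)

def shadowed_lines(acl):
    """1-based indices of statements that can never be the first match."""
    return [j + 1 for j in range(len(acl))
            if any(_covers(acl[i], acl[j]) for i in range(j))]
```

shadowed_lines(ACL_101) returns [3], matching answer 17, and wildcard_match("192.168.1.20", "192.168.1.16", "0.0.0.15") is True, matching the /28 in answer 5.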