Chapter Review

Many simple device configuration techniques can add to the security of the network. To a great extent, these often fall into the category of commonsense practices, such as using administrative access passwords on all device access points.

As Cisco moves more and more devices to IOS-based command structures, access lists remain a need-to-know technology. While not a complete security solution, access lists are an integral part of any security program.

Standard access lists filter based on source address alone, creating a simple, yet powerful, tool for blocking all traffic or access to a host, subnet, or network. Standard ACLs can be used for traffic filtering, limiting access to Telnet sessions, limiting access to Web browsers trying to access a Cisco router or switch, filtering routing updates, and focusing commands like debug ip packet to conserve router resources.

Extended access lists can be used to filter on protocol, source address, destination address, source and destination port identifiers for TCP and UDP traffic, and various powerful options. The TCP Established option can be used to limit TCP traffic only to what originated within the network.

Named access lists are a variation on numbered ACLs and are supported for both standard and extended versions. Named ACLs are easier to create than numbered lists, and they allow limited editing and deletion of specific statements, which can't be done with numbered lists. Their names can describe their purpose and, therefore, make follow-up support easier. Some IOS features and all IOS versions prior to 11.2 don't support named ACLs, requiring some thought in mixed environments. Some newer features, like reflexive ACLs, only work with named lists, so it's probably safe to say they're going to be a bigger, rather than smaller, part of the future.

Questions

1.

Which of the following interface types is least likely to be on a firewall appliance?

  A. Fast Ethernet

  B. Serial

  C. Ethernet

  D. Token Ring

 B. Serial. Firewall devices, such as the PIX box, use LAN interfaces.

2.

Which of the following would not be considered a basic security step in a router configuration?

  A. Setting access privilege levels

  B. Setting an MOTD banner to welcome the user to the device

  C. Encrypting passwords in the configuration files

  D. Setting all passwords

 B. Setting an MOTD banner to welcome the user to the device

3.

Which of the following is not true about numbered access lists?

  A. An ACL is made up of one or more permit or deny statements.

  B. If an ACL doesn't have at least one permit statement, it will deny everything.

  C. All ACL statements with the same number are part of the same ACL.

  D. New statements are always added to the top of the list statements.

  E. ACL statements must be entered sequentially to be processed properly.

  F. An ACL can be added to (appended), but not edited. Any attempt to edit an item will delete the entire ACL.

 D. New statements are always added to the top of the list statements. (They're actually appended to the bottom of the list.)

4.

Which one of the following will deny access to a class C network?

  A. Rtr1(config)#access-list 15 deny 192.168.1.0 255.255.255.0

  B. Rtr1(config)#access-list 15 deny 192.168.1.0 0.0.0.255

  C. Rtr1(config-acl)#access-list 15 deny 192.168.1.0 255.255.255.0

  D. Rtr1(config-acl)#access-list 15 deny 192.168.1.0 0.0.0.255

 B. Rtr1(config)#access-list 15 deny 192.168.1.0 0.0.0.255

5.

What is the ACL line to deny the subnet 192.168.1.16 with subnet mask 255.255.255.240?

  A. access-list 15 deny 192.168.1.16 0.0.0.255

  B. access-list 15 deny 192.168.1.0 0.0.0.16

  C. access-list 15 deny 192.168.1.16 0.0.0.15

  D. access-list 15 deny 192.168.1.16 0.0.0.31

 C. access-list 15 deny 192.168.1.16 0.0.0.15

6.

With the Log option for ACLs, a message appears when the first match occurs, and then at what interval as long as matches continue?

  A. One minute

  B. Five minutes

  C. Ten minutes

  D. Thirty minutes

 B. Five minutes

7.

When limiting access to Telnet sessions, which command would work?

  A. access-group 15 in

  B. access-group 15 out

  C. access-class 15 in

  D. access-class 15 out

  E. access-session 15 in

 C. access-class 15 in

8.

Which two commands could be used to secure the web browser access to a device?

  A. ip http server

  B. no ip http server

  C. ip http access-class 90

  D. ip http access-group 90

 B. no ip http server; C. ip http access-class 90

9.

Which of the following protocols uses the established option?

  A. UDP

  B. ICMP

  C. TCP

  D. IGRP

 C. TCP

10.

Numbered extended ACLs are created in which mode?

  A. Privilege mode

  B. Global Configuration mode

  C. Local Configuration mode

  D. Access Configuration mode

 B. Global Configuration mode

11.

Which statement is not true about named access lists?

  A. Named access lists aren't compatible with older IOS releases (pre-11.2).

  B. A standard access list and an extended access list can't have the same name.

  C. Names must begin with an alphanumeric character and are case sensitive.

  D. All processes that use access lists can use a named ACL.

 D. All processes that use access lists can use a named ACL.

12.

Which statement will create a named extended ACL?

  A. Rtr1(config)#ip extended access-list tcp-control

  B. Rtr1(config)#ip access-list named extended tcp-control

  C. Rtr1(config)#ip access-list extended tcp-control

  D. Rtr1(config-ext-nacl)#ip access-list extended tcp-control

 C. Rtr1(config)#ip access-list extended tcp-control

13.

The time-based ACL statements are relative to which one of the following?

  A. The computer clock

  B. The world clock

  C. The router clock

  D. The day, month, and year

 C. The router clock. If the router clock is wrong, the statements will be implemented wrong.

14.

Which command will define a periodic time range?

  A. Router(config-time-range)#periodic tuesday thursday 17:00 to 22:00

  B. Router(config-time)#periodic tuesday thursday 17:00 to 22:00

  C. Router(config-time-range)#periodic tuesday, thursday 17:00 to 22:00

  D. Router(config-time)#periodic tuesday, thursday 17:00 to 22:00

 A. Router(config-time-range)#periodic tuesday thursday 17:00 to 22:00

15.

Which statement is true about defining a time range?

  A. A time range can have either periodic or absolute times.

  B. A time range can have one periodic and multiple absolute times.

  C. A time range can have multiple periodic and one absolute time.

  D. A time range can have one periodic and one absolute time.

 C. A time range can have multiple periodic and one absolute time.

16.

Which one of the following is true about the Established option in a TCP access list?

  A. Outbound traffic is limited to established customers.

  B. Outbound traffic is limited to sessions originating outside the network.

  C. Inbound traffic is limited to sessions originating outside the network.

  D. Inbound traffic is limited to sessions originating inside the network.

 D. Inbound traffic is limited to sessions originating inside the network.

17.

In the following ACL, what is the impact of the third statement?

access-list 101 deny tcp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny tcp 192.168.3.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 eq www
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq telnet
access-list 101 permit ip any any

  A. It allows network 192.168.3.0 to access 192.168.1.0 for web access.

  B. It allows network 192.168.1.0 to access 192.168.2.0 for web access.

  C. It allows network 192.168.3.0 to access any network for web access.

  D. The line does nothing at all.

 D. The line does nothing at all. All TCP traffic from 192.168.3.0 to 192.168.1.0 was denied in the first statement.
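As an added example (my own Python, not code from the book or from IOS), this models the two mechanics the questions above test: the wildcard-mask matching behind question 5 and the top-down, first-match processing behind question 17, run against a constructed copy of the five statements of access list 101. evaluate() reports which line a packet hits, which shows that no packet can ever reach line 3 because line 1 already covers every packet it could match. The port-name table, the tuple layout and the limited syntax the parser accepts are assumptions of this model.

```python
PORTS = {"www": 80, "ftp": 21, "telnet": 23}  # only the port keywords used on this page

def wildcard_from_mask(mask):
    """IOS wildcard mask is the bitwise inverse of the subnet mask (255.255.255.240 -> 0.0.0.15)."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard is 'don't care': each octet is compared only on its 0 bits."""
    octets = zip(addr.split("."), base.split("."), wildcard.split("."))
    return all((int(a) | int(w)) == (int(b) | int(w)) for a, b, w in octets)

def _endpoint(tokens):
    """Consume 'any' or 'addr wildcard', then an optional 'eq <port>'; return (base, wc, port), rest."""
    if tokens[0] == "any":
        base, wc, rest = "0.0.0.0", "255.255.255.255", tokens[1:]
    else:
        base, wc, rest = tokens[0], tokens[1], tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port, rest = PORTS.get(rest[1]) or int(rest[1]), rest[2:]
    return (base, wc, port), rest

def parse_acl(text):
    """Parse lines of the form: access-list N {permit|deny} proto src [eq port] dst [eq port]."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, rest = _endpoint(t[4:])
        dst, _ = _endpoint(rest)
        entries.append((t[2], t[3], src, dst))
    return entries

def evaluate(entries, proto, src, sport, dst, dport):
    """Top-down first match; returns (action, 1-based line) or ('deny', None) for the implicit deny."""
    for n, (action, p, (sb, sw, sp), (db, dw, dp)) in enumerate(entries, 1):
        proto_ok = p in ("ip", proto)          # 'ip' entries match every IP protocol
        addr_ok = wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)
        port_ok = sp in (None, sport) and dp in (None, dport)
        if proto_ok and addr_ok and port_ok:
            return action, n
    return "deny", None

# Constructed copy of the five statements of question 17 (fourth line in valid syntax).
ACL_101 = """
access-list 101 deny tcp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny tcp 192.168.3.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 eq www
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq telnet
access-list 101 permit ip any any
"""
```

A web request from 192.168.3.10 to 192.168.1.20 returns ("deny", 1), never ("permit", 3); the same model also shows why the Log option and statement order matter when an ACL is being debugged.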

Part III: Virtual Private Networks (VPNs)