Chapter Review

This chapter focused on the IOS features that could be used on the perimeter router as a first line of defense against security threats. The perimeter configuration of the network often includes both a perimeter router and a firewall as the second line of defense. The firewall separates the inside network from the DMZs. The dirty DMZ is protected only by the perimeter router, while the protected DMZ has the firewall and perimeter router between it and the outside.

Network security can be enhanced by disabling unused services, such as CDP, finger, and TCP and UDP small services.

Cisco IOS offers a rich selection of routing and route security tools, such as controlling directed broadcasts, blocking ICMP redirects, routing protocol authentication, and flooding control.
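The service-hardening and routing-security items the two paragraphs above list (CDP, finger, TCP/UDP small servers, directed broadcasts, ICMP redirects, routing-protocol authentication and SYN-flood control) collected into one IOS configuration. This is an added example, not configuration from the chapter; the hostname, interface names, addresses, OSPF process and key are assumptions, with Serial0/0 facing the ISP and FastEthernet0/0 on the dirty DMZ (198.51.100.0/24).

```cisco
! Added hardening example for the perimeter router; this is not configuration
! from the chapter. Hostname, interface names, addresses and the OSPF key are
! assumptions: Serial0/0 faces the ISP, FastEthernet0/0 is the dirty DMZ
! (198.51.100.0/24).
hostname perimeter
!
! Unused services: CDP advertises the platform and IOS version to anyone on the
! segment, finger lists logged-in users, the small servers (echo, chargen,
! discard, daytime) are classic amplification and probing targets.
! (Newer IOS releases spell the finger command "no ip finger".)
no cdp run
no service finger
no service tcp-small-servers
no service udp-small-servers
!
! Routing-protocol authentication: OSPF MD5 toward the DMZ neighbor, so a
! rogue device on the DMZ cannot inject routes.
router ospf 1
 network 198.51.100.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
interface Serial0/0
 description Outside (untrusted)
 ip address 192.0.2.1 255.255.255.252
 ! Do not forward subnet broadcasts (smurf amplifier) and do not emit ICMP
 ! redirects on this interface. Redirects arriving from outside have to be
 ! dropped by an inbound access list; this command only stops the router
 ! from generating them.
 no ip directed-broadcast
 no ip redirects
 ! Never speak CDP toward the ISP even if CDP is later re-enabled globally.
 no cdp enable
!
interface FastEthernet0/0
 description Dirty DMZ
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
 no ip redirects
 ip ospf message-digest-key 1 md5 ChangeMeOspfKey
!
! Flooding control: TCP intercept tracks SYNs toward the DMZ servers and drops
! the oldest half-open connections once more than 1100 are pending, until the
! count falls back below 900.
access-list 110 permit tcp any 198.51.100.0 0.0.0.255
ip tcp intercept list 110
ip tcp intercept mode intercept
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
```

To verify: `show cdp` reports that CDP is not enabled, `show ip ospf interface FastEthernet0/0` shows message-digest authentication enabled, and `show tcp intercept statistics` shows how many connections are being watched and how many have been dropped.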

Controlling network access and traffic with address filtering (RFC 2827 and RFC 1918), dynamic (lock-and-key) access lists, and reflexive access lists all contribute to increased security.
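The three access-list techniques named above on the outside interface of the perimeter router: RFC 2827 ingress and egress filtering plus RFC 1918 bogon filtering, a reflexive access list for return traffic, and a lock-and-key dynamic entry. This is an added example, not configuration from the chapter; the interface name, the addresses (192.0.2.1 as the router's outside address, 198.51.100.0/24 as the dirty DMZ, 198.51.100.10 as a public web server), the access-list names and the admin username are assumptions.

```cisco
! Added example: ingress/egress filtering on the outside interface of the
! perimeter router; not from the original chapter. Addresses, access-list
! names and the username are assumptions.
!
! Egress filter (RFC 2827): only our own prefix may leave. "reflect" records
! each outbound session so the matching return traffic is let back in.
ip access-list extended OUTBOUND
 permit tcp 198.51.100.0 0.0.0.255 any reflect RTCP
 permit udp 198.51.100.0 0.0.0.255 any reflect RUDP
 permit icmp 198.51.100.0 0.0.0.255 any reflect RICMP
 deny ip any any log
!
! Ingress filter, evaluated top to bottom.
ip access-list extended INBOUND
 ! RFC 2827: the outside may never claim our own addresses.
 deny ip 198.51.100.0 0.0.0.255 any log
 deny ip host 192.0.2.1 any log
 ! RFC 1918 private space and loopback are not routable on the Internet.
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 ! ICMP redirects never legitimately arrive from outside the segment.
 deny icmp any any redirect log
 ! Lock-and-key: an outside admin Telnets to the router to authenticate; the
 ! dynamic entry is then opened for that source host only (see the vty below).
 permit tcp any host 192.0.2.1 eq telnet
 dynamic TEMP-IN timeout 120 permit ip any 198.51.100.0 0.0.0.255
 ! Reflexive entries: return traffic for sessions started from inside.
 evaluate RTCP
 evaluate RUDP
 evaluate RICMP
 ! The one public service offered from the dirty DMZ.
 permit tcp any host 198.51.100.10 eq www
 deny ip any any log
!
! Reflexive entries age out after 120 s idle (the global default is 300 s).
ip reflexive-list timeout 120
!
interface Serial0/0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
! Lock-and-key: a successful login runs access-enable and closes the session.
! "host" limits the temporary entry to the authenticating address and
! "timeout 10" is the idle timeout in minutes; the "timeout 120" on the
! dynamic entry above is the absolute lifetime.
username remote-admin secret ChangeMe123
line vty 0 4
 login local
 autocommand access-enable host timeout 10
```

`show access-lists INBOUND` shows the temporary lock-and-key entry after an administrator authenticates and the reflexive entries while inside-initiated sessions are open. Lock-and-key as shown authenticates over cleartext Telnet, which is how the feature was designed; on a router that supports it, apply the same `autocommand` to SSH-only vty lines instead.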

Questions

1.

True or False. In the screened subnet architecture network model, the inside network is everything from the perimeter router in to the corporate network.

  A. True

  B. False

2.

Which one of the following is considered the trusted network?

  A. Inside

  B. Outside

  C. Dirty DMZ

  D. Protected DMZ

3.

Which of the following would not be a function of a perimeter router in a screened subnet architecture network?

  A. Providing a serial connection to the outside world

  B. Providing any filtering of outside traffic

  C. Providing LAN routing

  D. Implementing basic security for the dirty DMZ

4.

True or False. CDP facilitates a secure environment on a perimeter router.

  A. True

  B. False

5.

Which one is not true about IP directed broadcast?

  A. It's a datagram sent to the subnet broadcast address.

  B. It's routed through the network as a unicast packet.

  C. Only the router directly connected to the target subnet can positively identify it.

  D. It can be blocked by a smurf defense.

6.

True or False. Filtering incoming ICMP redirects on a perimeter router should never cause any problems.

  A. True

  B. False

7.

Which two of the following reduce spoofing attacks?

  A. RFC 2827 filtering

  B. Weighted fair queuing

  C. RFC 1918 filtering

  D. Routing protocol authentication

8.

Which of the following is most like the TCP established option?

  A. Dynamic ACL

  B. Lock and key

  C. Reflexive ACL

  D. Finger ACL

9.

In NAT terminology, what's the IP address of a network member computer?

  A. Inside local

  B. Outside local

  C. Inside global

  D. Outside global

10.

Which statement is not true about Network Address Translation (NAT)?

  A. It's a mechanism that allows private addresses to be translated to use the Internet.

  B. It can be configured both static and dynamic on the same router.

  C. It provides good security by hiding internal IP addresses.

  D. It reduces the cost of IP addresses.

11.

True or False. Static NAT entries appear in the translation table the first time they're used.

  A. True

  B. False

12.

Which command shows the NAT table?

  A. show ip nat statistics

  B. show run

  C. show ip nat translations

  D. show ip nat table

13.

What one word changes dynamic NAT to PAT?

  A. PAT

  B. Overflow

  C. Overload

  D. Rotary

14.

Which command sets the idle timeout for a dynamic (lock-and-key) access list?

  A. access-list 101 dynamic temp-in timeout 30 permit ip any any

  B. ip dynamic-list timeout 30

  C. autocommand access-enable host timeout 30

  D. ip reflexive-list timeout 30

15.

Which statement is true about reflexive access lists?

  A. They create temporary holes in the network security, based on a successful Telnet authentication.

  B. They only work with TCP traffic.

  C. They create temporary holes in the network security, based on specific outbound traffic.

  D. They rely on named standard access lists.
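The NAT material behind questions 9 to 13 (inside local versus inside global, static entries that exist before any traffic, dynamic NAT and the `overload` keyword that turns it into PAT, and the `show` commands) as one working router configuration. This is an added example, not configuration from the chapter; the interface names and addresses are assumptions: 10.1.1.0/24 is the inside network, 192.0.2.1/30 is the link to the ISP, and 203.0.113.0/24 is a public block assumed to be routed to this router.

```cisco
! Added NAT example for questions 9 to 13; not from the original chapter.
! Interface names and addresses are assumptions.
interface FastEthernet0/1
 description Inside (trusted side, inside local addresses)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description Outside (inside global addresses appear here)
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
!
! Static NAT for a server: inside local 10.1.1.10 <-> inside global
! 203.0.113.10. This entry is present in "show ip nat translations" as soon
! as it is configured, whether or not any traffic has used it (question 11).
ip nat inside source static 10.1.1.10 203.0.113.10
!
! Dynamic translation: a standard access list selects which inside local
! addresses may be translated ...
access-list 10 permit 10.1.1.0 0.0.0.255
! ... and a pool supplies the inside global addresses; here a single one.
ip nat pool PUBLIC 203.0.113.20 203.0.113.20 netmask 255.255.255.0
! Without "overload" this is one-to-one dynamic NAT and the pool is exhausted
! after the first host. "overload" turns it into PAT: every inside host shares
! 203.0.113.20 and sessions are told apart by translated source port
! (question 13).
ip nat inside source list 10 pool PUBLIC overload
!
! Verification from exec mode (question 12):
!   show ip nat translations     the table; dynamic entries appear on first use
!   show ip nat statistics       hit and miss counts, pool allocation
!   clear ip nat translation *   flush dynamic entries; the static one stays
```

Right after this is entered, `show ip nat translations` lists only the static line, with the outside local and outside global columns shown as `---`; the PAT entries for 203.0.113.20 appear one per inside session, each with its own translated port. As the answer to question 10 notes, hiding the inside addresses this way is privacy at best, not access control: the access lists and the firewall still decide what may reach an inside host.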

Answers

1.

B. False. It's everything in from the inside interface of the firewall.

2.

A. Inside

3.

C. Providing LAN routing

4.

B. False. It announces to any system on a directly connected segment that the router is a Cisco device, the model number, and the Cisco IOS version being run.

5.

D. It can be blocked by a smurf defense.

6.

A. True. They shouldn't come from outside the segment.

7.

A. RFC 2827 filtering and C. RFC 1918 filtering

8.

C. Reflexive ACL

9.

A. Inside local

10.

C. It provides good security by hiding internal IP addresses. NAT hides addresses but is not a security control; it provides limited privacy at best.

11.

B. False. They appear when created.

12.

C. show ip nat translations

13.

C. Overload

14.

C. autocommand access-enable host timeout 30

15.

C. They create temporary holes in the network security, based on specific outbound traffic.

Part III: Virtual Private Networks (VPNs)