This chapter focused on the IOS features that could be used on the perimeter router as a first line of defense against security threats. The perimeter configuration of the network often includes both a perimeter router and a firewall as the second line of defense. The firewall separates the inside network from the DMZs. The dirty DMZ is protected only by the perimeter router, while the protected DMZ has the firewall and perimeter router between it and the outside.
Network security can be enhanced by disabling unused services, such as CDP, finger, and TCP and UDP small services.
Cisco IOS offers a rich selection of routing and route security tools, such as controlling directed broadcasts, blocking ICMP redirects, routing protocol authentication, and flooding control.
Controlling network access and traffic using address filtering, dynamic access lists, and reflexive access lists can all contribute to increased security.
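As an added illustration (not a configuration from the chapter), the fragment below ties the summary's items together on one perimeter router: unused services disabled, directed broadcasts and ICMP redirects suppressed, RFC 1918 and RFC 2827 anti-spoofing filters, a reflexive access list for return traffic, and dynamic NAT turned into PAT with the overload keyword. Interface names, addresses and ACL names are assumed placeholders.

```cisco
! Added hardening example, not the chapter's own configuration.
! Interface names, addresses and ACL names are assumed placeholders.
!
! Disable services that leak information or can be abused
no cdp run
no service finger
no service tcp-small-servers
no service udp-small-servers
!
! Outbound sessions create temporary reflexive entries (TCP_REFL, UDP_REFL)
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP_REFL
 permit udp any any reflect UDP_REFL
!
! Inbound: anti-spoofing first, then only replies to our own sessions
ip access-list extended INBOUND
 remark RFC 1918 private sources must not arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark RFC 2827: packets claiming our own (assumed) public block as source
 deny   ip 203.0.113.0 0.0.0.255 any
 evaluate TCP_REFL
 evaluate UDP_REFL
 deny   ip any any log
!
! Dynamic NAT; the single word "overload" is what turns it into PAT
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Serial0/0 overload
!
interface Serial0/0
 description Outside (assumed)
 ip address 203.0.113.1 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 no ip directed-broadcast
 no ip redirects
 ip nat outside
!
interface FastEthernet0/0
 description Inside (assumed)
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 no ip redirects
 ip nat inside
!
! Inspect the resulting translation table with: show ip nat translations
```

The inbound list is evaluated on the outside interface before NAT, so the reflexive entries (built from post-translation outbound addresses) match returning packets addressed to the router's public address.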
1. True or False. In the screened subnet architecture network model, the inside network is everything from the perimeter router in to the corporate network.

2. Which one of the following is considered the trusted network?

3. Which of the following would not be a function of a perimeter router in a screened subnet architecture network?

4. True or False. CDP facilitates a secure environment on a perimeter router.

5. Which one is not true about IP directed broadcast?

6. True or False. Filtering incoming ICMP redirects on a perimeter router should never cause any problems.

7. Which two of the following reduce spoofing attacks?

8. Which of the following is most like the TCP established option?

9. In NAT terminology, what's the IP address of a network member computer?

10. Which statement is not true about Network Address Translation (NAT)?

11. True or False. Static NAT entries appear in the translation table the first time they're used.

12. Which command shows the NAT table?

13. What one word changes dynamic NAT to PAT?

14. Which command sets the idle timeout for a dynamic (lock-and-key) access list?

15. Which statement is true about reflexive access lists?
Answers
1. B. False. It's everything in from the inside interface of the firewall.

2. A. Inside

3. C. Providing LAN routing

4. B. False. It announces to any system on a directly connected segment that the router is a Cisco device, the model number, and the Cisco IOS version being run.

5. D. It can be blocked by a smurf defense.

6. A. True. They shouldn't come from outside the segment.

7. A. RFC 2827 filtering and C. RFC 1918 filtering

8. C. Reflexive ACL

9. A. Inside local

10. C. It provides good security by hiding internal IP addresses. It provides limited privacy.

11. B. False. They appear when created.

12. C. show ip nat translations

13. C. Overload

14. C. autocommand access-enable host timeout 30
15. C. They create temporary holes in the network security based on specific outbound traffic.