Chapter Review

The Cisco IOS Firewall feature set, a part of the Cisco Secure system, is made up of the following four interrelated features:

  • Cisco IOS Firewall Context-Based Access Control

  • Port to Application Mapping

  • Cisco IOS Firewall Intrusion Detection System

  • Cisco IOS Firewall Authentication Proxy

Context-Based Access Control (CBAC) takes access-list style filtering to a much higher level. Whereas ACLs are limited to Layer 3 and Layer 4 information, CBAC incorporates knowledge of how the supported application protocols operate: it tracks each session and opens temporary return paths through the inbound ACL only for traffic that belongs to a session initiated from the protected network. This gives far more flexibility in the number of communications channels, and the ports they use, that an application can open through the firewall.

Other CBAC features monitor and react to common DoS attacks (for example, SYN floods that pile up half-open TCP sessions, and fragment attacks) and to e-mail attacks that use unauthorized SMTP commands.

Port to Application Mapping (PAM) lets CBAC inspect an application that runs on a nonstandard TCP or UDP port, so the secure openings through the firewall are not restricted to the well-known ports.
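The following configuration is a worked example added here, not a configuration taken from the chapter or from Cisco. It walks through the four CBAC configuration steps the chapter covers (audit trail and alerts, global timeouts and thresholds, inspection rules, and applying the rules and an ACL) and adds one PAM entry. The interface names, addresses, ACL numbers and the rule name OUTBOUND are assumptions for illustration; the timer and threshold values are tuning choices, not the IOS defaults.

```cisco
! Step 1: audit trail and alerts. audit-trail writes one syslog record per
! session; alerts are on by default and this line only makes that explicit.
ip inspect audit-trail
no ip inspect alert-off
!
! Step 2: global timeouts and thresholds (illustrative values, not defaults).
! synwait-time: seconds a TCP session may take to reach ESTABLISHED before
! it is dropped. idle-time: seconds of inactivity before a session's
! temporary ACL openings are removed.
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
ip inspect dns-timeout 5
! DoS protection: once half-open sessions exceed the high mark CBAC starts
! deleting them, and stops when the count falls back to the low mark.
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
ip inspect one-minute high 800
ip inspect one-minute low 600
! Per-host limit on half-open TCP sessions to a single destination.
ip inspect tcp max-incomplete host 100 block-time 0
!
! PAM: a web server on 8080 would otherwise be inspected only as generic
! TCP; this entry makes CBAC apply HTTP (and Java) inspection to it.
ip port-map http port 8080
!
! Step 3: inspection rules. Generic tcp/udp entries cover single-channel
! protocols; ftp and realaudio need their own entries so CBAC can open the
! secondary channels they negotiate; smtp restricts the command set; http
! with java-list blocks applets except from hosts permitted by ACL 51.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND smtp
ip inspect name OUTBOUND http java-list 51
ip inspect name OUTBOUND realaudio
ip inspect name OUTBOUND fragment max 256 timeout 1
!
! Hosts whose Java applets are allowed through (assumed address range).
access-list 51 permit 192.0.2.0 0.0.0.255
!
! Inbound ACL on the outside interface. It must be an extended ACL because
! CBAC inserts its temporary session entries into it. Everything CBAC has
! not opened is denied; a few ICMP types are allowed so path MTU discovery
! and unreachable handling keep working.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 deny ip any any log
!
! Step 4: inspect outbound sessions where they enter the router (inside
! interface, direction in) and filter return traffic on the outside interface.
interface Ethernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip inspect OUTBOUND in
!
interface Serial0/0
 description outside
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
```

After applying it, show ip inspect config confirms the timers and rules, show ip inspect sessions lists the half-open and established sessions CBAC is tracking, and show ip port-map shows the system-defined mappings alongside the added 8080 entry. Watching the session count while a host runs a SYN scan through the router is the quickest way to see the max-incomplete thresholds take effect.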

Questions

1. True or False. IPSec is a part of the Cisco IOS Firewall feature set.

  A. True

  B. False

2. True or False. The Cisco IOS Firewall feature set is implemented on all Cisco router series.

  A. True

  B. False

3. Which of the following IOS features is not part of the Firewall feature set?

  A. Intrusion detection

  B. Context-Based Access Control (CBAC)

  C. AAA

  D. Java blocking

4. True or False. CBAC can incorporate application layer information in its filtering.

  A. True

  B. False

5. In the following command, what does the 30 represent?

  Rtr1(config)#ip inspect tcp idle-time 30

  A. Minutes

  B. Packets

  C. Seconds

  D. Hours

6. True or False. CBAC can filter TCP, UDP, and ICMP traffic.

  A. True

  B. False

7. The memory required for each CBAC connection is what?

  A. 600 bits

  B. 600 bytes

  C. 600K

  D. Varies with the data

8. Which of the following is not a step in configuring CBAC?

  A. Set audit trails and alerts.

  B. Set global timeouts and thresholds.

  C. Define inspection rules.

  D. Remove all nonstandard Port-to-Application Mapping.

  E. Apply inspection rules and ACLs.

9. Which of the following is a DoS protective measure?

  A. RPC inspection

  B. Fragment inspection

  C. SMTP inspection

  D. HTTP inspection

10. Which of the following defines the number of seconds the software will wait for a TCP session to reach the established state before dropping the session?

  A. Rtr1(config)#ip inspect tcp synwait-time 20

  B. Rtr1(config-if)#ip inspect tcp synwait-time 20

  C. Rtr1(config)#ip inspect tcp finwait-time 20

  D. Rtr1(config-if)#ip inspect tcp finwait-time 20

11. In the following command, what does the number 800 represent?

  Rtr1(config)#ip inspect max-incomplete high 800

  A. Seconds

  B. Minutes

  C. Half-open TCP sessions

  D. DNS name lookup sessions

12. What does the following command do?

  Rtr1(config)#ip port-map realaudio port 21

  A. Assigns port 21 to be used by RealAudio.

  B. States a preference for port 21 to be used by RealAudio.

  C. The command will fail because CBAC doesn't support RealAudio.

  D. The command will fail because port 21 is reserved for FTP.

13. True or False. ConfigMaker is an alternative for configuring Firewall features.

  A. True

  B. False

14. Which two commands might be useful against DoS attacks?

  A. Maximum Incomplete Sessions High/Low Threshold

  B. UDP Session Inactivity Timer

  C. TCP Session Termination Timer

  D. One Minute Incomplete Sessions High/Low Threshold

15. Which statement is not true about CBAC?

  A. Only IP TCP and UDP traffic is inspected by CBAC.

  B. CBAC doesn't normally protect against attacks from within the protected network.

  C. CBAC and reflexive ACLs work well together.

  D. CBAC can't inspect in-transit IPSec traffic.

Answers

1. B. False. They are often used together, but they are separate feature sets.

2. B. False. It is implemented only on the Cisco 800, uBR900, 1400, 1600, 1700, 2500, 2600, 3600, 7100, 7200, and 7500 series routers and on the RSM.

3. C. AAA. It is part of the standard IOS feature set, not the Firewall feature set.

4. A. True

5. C. Seconds

6. B. False. In the IOS releases this chapter covers, CBAC inspects only TCP and UDP traffic. (Later IOS releases added an icmp protocol keyword to ip inspect name, but that is outside this chapter.)

7. B. 600 bytes

8. D. Remove all nonstandard Port-to-Application Mapping. Nonstandard PAM entries are what let CBAC inspect applications on nonstandard ports, so they are kept, not removed.

9. B. Fragment inspection

10. A. Rtr1(config)#ip inspect tcp synwait-time 20. The timer is set in global configuration mode, not on an interface, and finwait-time governs how long a session is kept after the FIN exchange, not how long it may take to become established.

11. C. Half-open TCP sessions

12. D. The command will fail because port 21 is reserved for FTP. Port 21 is a system-defined PAM entry, and a plain ip port-map command cannot change a system-defined mapping; a system-defined port can be remapped only for specific hosts, with the list keyword and a standard ACL.

13. A. True

14. A. Maximum Incomplete Sessions High/Low Threshold and D. One Minute Incomplete Sessions High/Low Threshold. Both limit half-open sessions, which is the resource a SYN-flood style DoS attack exhausts.

15. C. CBAC and reflexive ACLs work well together. CBAC creates and removes its own temporary openings for return traffic, which is the job reflexive ACLs perform for stateless filtering, so the two are not meant to be used together.




Part III: Virtual Private Networks (VPNs)