The Cisco IOS Firewall feature set, a part of the Cisco Secure system, is made up of the following four interrelated features:
Cisco IOS Firewall Context-Based Access Control
Port to Application Mapping
Cisco IOS Firewall Intrusion Detection System
Cisco IOS Firewall Authentication Proxy
Context-Based Access Control (CBAC) takes access-list style filtering a step further. Whereas ACLs are limited to Layer 3 and Layer 4 information, CBAC also tracks the state of each session and understands how its supported application protocols behave, so it can decide which return and secondary channels to permit. This gives far more flexibility in the number of communication channels opened through the firewall and in the ports they use, for example the separate data connection that an FTP session negotiates.
Other CBAC features monitor and react to common DoS attacks, such as floods of half-open TCP sessions or of IP fragments, and to e-mail attacks that use unauthorized SMTP commands.
Port to Application Mapping (PAM) adds flexibility by letting CBAC recognize and inspect its supported applications on nonstandard TCP and UDP port numbers, so the secure openings through the firewall are not limited to the well-known ports.
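The following configuration is an added worked example and is not taken from the book or from any Cisco document. It walks through the CBAC configuration steps the chapter review tests: ACLs at the interface, global timeouts and DoS thresholds, PAM, the inspection rule, and applying it to an interface. The hostname Rtr1, the interface names (Ethernet0 inside, Serial0 outside), the 192.168.1.0/24 inside network, the mail host 192.168.1.10, the host 192.168.1.20, and the rule name FW-OUT are all assumptions chosen for the illustration; the commands themselves are standard IOS Firewall commands.

```cisco
! Added example (assumed topology): Ethernet0 = inside 192.168.1.0/24, Serial0 = outside.
hostname Rtr1
!
! Step 1: static ACL inbound on the outside interface. Only traffic that must
! originate outside is permitted; CBAC adds temporary entries for return traffic.
! ICMP replies are listed explicitly because CBAC here inspects only TCP and UDP.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.168.1.10 eq smtp
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Step 2: global timeouts and thresholds.
! synwait-time: seconds a TCP session may take to reach ESTABLISHED before it is dropped.
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 5
! idle-time: seconds of inactivity before a TCP (or UDP) session entry is removed.
ip inspect tcp idle-time 30
ip inspect udp idle-time 15
! Half-open session thresholds: above the high mark CBAC starts deleting
! half-open sessions and keeps doing so until the count falls below the low mark.
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
! Same idea, measured as new half-open sessions per minute.
ip inspect one-minute high 800
ip inspect one-minute low 600
! Per-destination-host limit; block-time 0 just drops the oldest half-open session.
ip inspect tcp max-incomplete host 50 block-time 0
ip inspect audit-trail
!
! Step 3: PAM. A nonstandard port for a system-defined application is accepted
! globally; a system-defined port (21 = FTP) cannot be remapped except for specific
! hosts named in a standard ACL with the list keyword.
access-list 10 permit 192.168.1.20
ip port-map http port 8080
ip port-map ftp port 2121 list 10
! "ip port-map realaudio port 21" would be rejected: 21 is the system-defined FTP port.
!
! Step 4: the inspection rule, one line per protocol CBAC should track.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT ftp
ip inspect name FW-OUT http
ip inspect name FW-OUT smtp
! Fragment inspection (a DoS protective measure): at most 256 unassembled packets,
! each state entry kept for 1 second.
ip inspect name FW-OUT fragment max 256 timeout 1
!
! Step 5: apply the ACL and the rule on the outside interface. Inspecting outbound
! sessions on Serial0 opens the matching return paths through OUTSIDE-IN.
interface Serial0
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
!
! Verify from exec mode with "show ip inspect config" and "show ip inspect sessions".
```

Two details are easy to get wrong in practice: the high threshold of each pair must be larger than the low one, and the inspection rule must be applied in the direction in which sessions are initiated (here outbound on the outside interface), otherwise no return openings are ever created and the static ACL blocks everything.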
1. True or False. IPSec is a part of the Cisco IOS Firewall feature set.
2. True or False. The Cisco IOS Firewall feature set is implemented on all Cisco router series.
3. Which of the following IOS features is not part of the Firewall feature set?
4. True or False. CBAC can incorporate application layer information in its filtering.
5. In the following command, what does the 30 represent?
   Rtr1(config)#ip inspect tcp idle-time 30
6. True or False. CBAC can filter TCP, UDP, and ICMP traffic.
7. The memory required for each CBAC connection is what?
8. Which of the following is not a step in configuring CBAC?
9. Which of the following is a DoS protective measure?
10. Which of the following defines the number of seconds the software will wait for a TCP session to reach the established state before dropping the session?
11. In the following command, what does the number 800 represent?
    Rtr1(config)#ip inspect max-incomplete high 800
12. What does the following command do?
    Rtr1(config)#ip port-map realaudio port 21
13. True or False. ConfigMaker is an alternative for configuring Firewall features.
14. Which two commands might be useful against DoS attacks?
15. Which statement is not true about CBAC?
Answers
1. B. False. They're often used together, but they're separate feature sets.
2. B. False. It is implemented only on the Cisco 800, uBR900, 1400, 1600, 1700, 2500, 2600, 3600, 7100, 7200, and 7500 series routers and the RSM.
3. C. AAA. It is in the regular IOS feature set.
4. A. True
5. C. Seconds
6. B. False. It's limited to TCP and UDP traffic.
7. B. 600 bytes
8. D. Remove all nonstandard Port-to-Application Mapping.
9. B. Fragment inspection
10. A. Rtr1(config)#ip inspect tcp synwait-time 20
11. C. Half-open TCP sessions (the high threshold at which CBAC starts deleting them)
12. D. The command will fail because port 21 is reserved for FTP.
13. A. True
14. A. Maximum Incomplete Sessions High/Low Threshold and D. One Minute Incomplete Sessions High/Low Threshold
15. C. CBAC and reflexive ACLs work well together