Which of the following is something that only a firewall capable of stateful packet inspection can do?
"Which of the following statements is true regarding stateful firewalls? Show A. They can block traffic that contains specific web content B. They allow traffic into a network only if a corresponding request was sent from inside the network "You want to use ADSM to create an inspection rule that will drop and log SHOUTcast media streams. Which of the following inspection rules should you configure to achieve your goal? D. HTTP What is the ADSM path to configure HTTP inspect map? Configuration > Firewall > objects > Inspect Maps > HTTP When _____ is enabled in a service policy, such as the global service policy, you can opt to use the default inspection rules or you can customize the inspection rules by applying an HTTP inspect map. HTTP inspection How would you reset the inspection map to its default security level? by clicking the Default Level button on the Edit HTTP inspect Map screen What tab of the Edit HTTP Inspect Map dialog box allows you to enable protocol violation checks and to select the actions that the ASA should take if protocol violations are found? Parameters tab of the expanded "Edit HTTP Inspect Map"
How do you view the details of an inspection map in ADSM? Select the "Inspections" tab of the expanded Edit HTTP Inspect Map Names that begin with ____ are predefined in the system default configuration and can be referenced directly from ADSM or by the class command in a policy map. _default "Which of the following traffic can be statefully inspected by Cisco IOS ZFW? A. IPv4 unicast traffic A. IPv4 unicast traffic What does Cisco IOS ZFW mean. Cisco IOS zone-based policy firewall What was Cisco IOS ZFW formally called? Context-Based Access Control (CBAC) Can Cisco IOS ZFW statefully inspect IPv4 and IPv6 multicast traffic? No, as of IOS ZFW 12.4(15), ZFW is not capable of stateful inspection of any type of IPv6 traffic, nor is it capable of IPv4 multicast What are interfaces assigned to in ZFW? virtual security zones By default is traffic between zones allowed in ZFW? No, traffic between zones is blocked by default What is the default rule for traffic on different interfaces that are assigned to the same zone? By default traffic is implicitly premitted to flow between interfaces assigned to the same zone What happens by default when an interface is assigned to a zone? All traffic two and from the interface is implicitly blocked, when the interface is assigned to a zone, but there are a few exceptions. What must be done to allow traffic to flow between zones? Stateful packet inspection policies must be configured to explicitly permit traffic between zones. What is the basic process to allow traffic to flow between zones? "1. Define the required zones Since ZFW cannot perform stateful inspection of multicast traffic, which security feature can you use to inspect this type of traffic? One option is using Control Plane Policing (CoPP) "Which of the following statements is true regarding stateless packet-filtering firewall? A. It is not susceptible to IP spoofing attacks B. It can operate at Layer4 of the OSI model What is another name for static packet-filtering firewall? Stateless packet-filtering firewall How does a stateless packet-filtering firewall work? It evaluates and either blocks or allows individual packets based on Layer 3 and Layer 4 information in the packet header, these values are commonly known as 5-tuple. Why is a stateless packet-filtering firewall susceptible to IP spoofing attacks? Because a Stateless packet-filtering firewall allows all traffic from an approved IP address What is an IP spoofing attack? A type of attack wherein an attacker uses the source IP address of a trusted host to send messages to other computers. Can an Stateless Packet-Filtering firewall evaluate data streams or track connections? No, because a stateless packet-filtering firewall evaluates packets individually What layers do Stateful packet-filtering firewalls traditionally operate at? Layer 3, 4, and 5 Are stateful firewalls more secure than stateless? Yes, Stateful packet filtering firewalls are more secure, because of their versatility and ability to dynamically monitor and filter packets. Which type of firewall maintains session information? Stateful Packet-Filtering Firewalls Where do firewalls keep information regarding the state of a connection? State table How does a state table help firewalls? When a connections is permitted, Subsequent packets are verified against the state table to ensure that the packets are in the expected sequence. If the TCP packet sequence numbers are not in the expected range, the packets are dropped. What is Identity NAT? It is a NAT type that effectively exempts one or more addresses from translation. With Identity NAT, real addresses and mapped addresses are identical for a particular NAT rule. What is a common use for Identity NAT?
It is to exempt remote access VPN client addresses from the NAT rules applied to the VPN Gateway interfaces. Which of the following NAT types effectively exempt one or more addresses from translation? - dynamic PAT Identity NAT Which is easier to configure on a Cisco ASA, Network object NAT or twice NAT? Network object NAT is easier to configure than twice NAT What is Network Object NAT? Network object NAT is one of the two ways to configure NAT on a Cisco ASA. NAT is a parameter of a network object and the network object serves as the real address for the translation. - Can apply to either a source or destination address What is twice NAT? twice NAT is one of two ways to configure NAT on a Cisco ASA. Twice NAT can use network objects and groups to represent real and mapped addresses. Network objects and groups are parameters of the NAT configuration and can represent source real, source mapped, destination real, and destination mapped addresses. Twice NAT can specify both source and destination addresses in a single NAT rule, which makes it more scalable than network object NAT. It is more difficult to configure What checks does a Cisco ASA 8.2 perform when a packet arrives on the inbound interface? 1. Increment the input counter What checks does a Cisco ASA 8.3 perform when a packet arrives on the inbound interface? 1. Increment the input
counter Which of the following would you most likely configure on a host to alert you about possible attacks without filtering traffic? - a Honeypot a HIDS Which of the following statements is correct regarding the traffic types that can be matched in A class map can match traffic by UDP port number but not by IP precedence. B. A class map can match traffic by TCP port number but not by IP precedence. C. A class map can match traffic by TCP port number, by UDP port number, and by IP precedence. D. A class map can match traffic by UDP port number but not by TCP port number. E. A class map can match traffic by TCP port number but not by UDP port number C. A class map can match traffic by TCP port number, by UDP port number, and by IP precedence. What is a class map? A class map identifies a specific flow of traffic Generally, What command would you use to identify traffic based on specified characteristics. You can use the match command from class map configuration mode to identify traffic
based The keywords you can use to identify traffic in a class map are Which commands will you issue to create a class map named CLASS-MAP that identifies traffic using TCP port 25? asa(config)#class-map
CLASS-MAP What action occurs after traffic has been identified by a class map? The associated policy map can take action on that traffic. What are the 3 components of Cisco Modular Policy Framework (MFA)? - class maps
What is Cisco MFA? A Cisco ASA feature that provides a flexible method of enabling security policies on an interface. A class map identifies a specific flow of traffic, What does a policy map usually contain? A
policy map typically contains references to one or more class maps and defines If traffic matches multiple class maps for different actions within a policy map—for instance, if traffic matches a class map for application inspection as well as a class map for priority queuing—the actions of both class maps will be applied to the traffic. Which command configure
a policy map named POLICY-MAP that asa(config)#policy-map POLICY-MAP When does a policy map act on traffic? A policy map does not act on traffic
until the map has been applied to an interface by a service What is a service policy? a service policy ties the action of a policy map to a specific interface Where can a service policy be applied? A service policy can be applied globally to all interfaces, which will apply application Which command will apply the POLICY-MAP policy map to the inside interface? service-policy POLICY-MAP interface inside For which of the following traffic types is stateful inspection not supported in a ZFW E. IGMP Which of the following is a reason to use the round-robin
assignment feature of dynamic PAT D. You want to prevent the misinterpretation of traffic as a DoS attack
What is Dynamic PAT? Dynamic PAT is capable of mapping internal source addresses to more than one routable IP What is Static NAT? You would use static NAT to map a single internal IP address to a single routable IP address. You have been asked to use ASDM to change the global application inspection settings on an Which of the following panes in the firewall configuration navigation tree can you use to A. Service Policy Rules A. Service Policy Rules You can use the Service Policy Rules pane in the firewall configuration navigation tree of Which of the following is a Cisco AMP for Endpoints feature that can prevent specific programs A. file reputation C. outbreak control What is File Reputation? File reputation uses What is File Trajectory? tracks the spread of suspicious files throughout the network, which can reduce the analysis time if a suspicious file is determined to be malicious What is device trajectory? tracks file and network activity
on endpoints to reduce the overall analysis time You issue the following commands on a Cisco ASA with no other configured interfaces: Which of the following statements is true regarding the resulting configuration? (Select the C. The ASA will assign the interface a security level of 100. The default security level on an ASA is 0; however, the inside interface is an exception to Telnet sessions will not be denied to the GigabitEthernet 0/1 interface until a security level is manually assigned The telnet timeout
30 Which of the following actions is performed by dynamic NAT? (Select the best answer.) A. mapping an inside local IP address to a specific global IP address D. mapping an inside local IP address to a global IP address chosen from a pool Which of the following statements are true regarding a ZFW?(select 2) A. Stateful packet inspection is supported for IPv6 traffic. D. The firewall can operate in transparent mode. You are configuring manual NAT on a Cisco Firepower device. A. static rules first
followed by dynamic rules B. on a first-match basis in the order that they appear in the configuration Explain how Cisco Firepower stores NAT rules? There are two
methods of implementing NAT on a Cisco Firepower device: manual NAT and auto Both manual NAT rules and auto NAT rules are stored in the same translation table. The table Explain how Cisco Firepower processes NAT Rules? When the Firepower matches traffic to the NAT translation table, manual NAT rules in Section Is BPDU traffic permitted on a Cisco Zone Based Firewall in transparent mode? inbound or outbound? It is permitted in both inbound and outbound directions. Is ARP traffic permitted on a Cisco Zone Based Firewall in transparent mode? inbound or outbound? It is permitted in both inbound and outbound directions.
Which type of traffic is implicitly permitted when a Cisco Zone-Based firewall is operating in Transparent mode? The following layer 2 and layer 3 protocols: Which type of traffic is implicitly permitted when a Cisco Zone-Based firewall is operating in Routed mode? Only the following layer 3 protocols: What type of rule is required to permit layer 2 traffic? EtherType rule What is used to control ARP traffic? ARP inspection can control ARP traffic Can ACL control ARP traffic? No What layer(s) of the OSI model does stateless packet-filtering firewall operate? Layer 3 and 4 of OSI Model What is another name for stateless-filtering firewall? Static packet-filtering firewall Which type of firewall uses the values commonly known as 5 tuple for filtering? Stateless packet-filtering firewalls which values of the packet header are considered 5 tuple? - Source IP address What type of attack are stateless packet-filtering firewalls susceptible to? IP spoofing attacks, because all traffic from an approved IP address is allowed? Does stateless packet-filtering firewalls evaluate packets individually or in data streams? individually What layer(s) of the OSI model do stateful packet-filtering firewalls operate at? Layer 3,4, and 5 Which type of firewall maintains and tracks session information? stateful packet-filtering firewalls Which type of firewall is more secure? Stateful Packet-Filtering Firewall How are auto NAT rules ordered? Auto NAT rules are ordered automatically regardless of the order they were configured. Regarding Auto NAT; which rules are processed first? Static rules first and then dynamic rules Regarding Auto NAT, If two static rules are configured which one will be processed first? The rule with the longest address prefix, aka least amount of possible real ip addresses. Which type of ip address can you configured inline when configuring dynamic PAT? inside global What is a network object it is a data structure that is used in place of inline IP information. What is an object group? simply a group of network objects. What is an inside global address? Typically a public IP address assigned by the administrator of the outside network. What is an inside local address? Typically private IP address. An IP Address that represents an internal host to the inside network. Which RFC defines private IP addresses? RFC 1918 What is an outside local address? Is an IP Address that represents an external host to the inside network what is the outside global address? the address registered with the DNS server that maps a host's public IP address to a friendly name. What does the command show conn do? outputs the state of connctions in the connection database Which flag is added to a connection initiated from the inside? saA which means ASA is awaiting the ACK response segment to the SYN just initiated What does the s flag indicate regarding the ASA connection database? ASA is awaiting a SYN segment from the outside host. What does the a flag indicate regarding the ASA connection database? ASA is awaiting a ACK response segment What does the A flag indicate regarding the ASA connection database? awaiting Acknowledgement from inside host What does the U flag indicate regarding the ASA connection database? The three-way handshake is complete and TCP session is established What does the O flag indicate regarding the ASA connection database? data has passed through the session in the outbound direction What does the I flag indicate regarding the ASA connection database? data has passed through the session in the inbound direction What does the B flag indicate regarding the ASA connection database? Connection was initiated from the outside What checks does an ASA running 8.2 perform on packets which arrive on the inbound interface? - Increment the input counter Which type of NAT effectively exempts one or more addresses from translation? Identity NAT What is real address and mapped address in Identity NAT? they are both the same address, same exact value for both What is a common use for identity NAT>? to exempt remote access VPN clients addresses from the NAT rules applied to the VPN Gateway interface. What is Dynamic NAT? Provides unidirectional mapping between one or more real addresses and one or more mapped addresses, on a first come first server basis, mapping can only be initiated by host with real addresses. What is Dynamic PAT? mapping of one or more real addresses and a single mapped address. Source port of each real address is used to identify the associated mapped port and address. first come, first server basis. mapping can only be initiated by host with real addresses. What feature of Cisco AMP for Endpoint can use application blocking lists to contain compromised applications? Outbreak Control What does AMP for Endpoint do? Monitors network traffic and application behavior to protect a host from malicious traffic. Unlike many of its competitors, it continues analysis after a disposition has been assigned to a fire or traffic flow What does AMP for Endpoint use to ensure mission-critical software continues to run during an outbreak? whitelist Does AMP for Endpoint have to wait for a signature file update before it can block an application or specific file? No, it does not have to wait for signature updates Can AMP for Endpoint detect polymorphic malware? Yes, custom signatures can be created to detect polymorphic malware Which ASDM pane can you change the global application inspection settings? Service Policy Pane What can be configured on the Access Rules pane of ASDM? is used to configure security policies related to controlling access to the network.By default no traffic can pass unless an access rule is configured to permit it. What can be configured on the Filter Rules pan in ASDM? URL filtering Which addresses must be configured within network a network object or object group when configuring dynamic PAT on ASA running 8.3? Inside local What is multiple context mode? A single ASA can be divided into multiple security context, which function as individual virtual devices with unique policies Is RIP supported in multiple context mode? No Is OSPFv3 supported in multiple context mode? No Is Threat Detection supported in multiple context mode?
No Is Multicast Routing supported in multiple context mode? No Is Unified Communication Services supported in multiple context mode? No Is QOS supported in multiple context mode? No Is active/active failover supported in multiple context mode? yes Is active/standby failover supported in multiple context mode? Yes Is Telnet traffic permitted to the interface with the lowest security level? No What does the command telnet timeout 30 do? Times out inactive telnet sessions after 30 minutes. what is one reason you would use the round-robin assignment feature of Dynamic PAT addresses? You want to prevent the misinterpretation of traffic as DoS attack What is the implications of sharing a regular data interface with the stateful failover link? This configuration can leave the ASA vulnerable to replay attacks, a packet sniffer to capture legitimate network data, such as authentication tokens and preshared keys What does a stateful firewall inspect?Stateful inspection monitors communications packets over a period of time and examines both incoming and outgoing packets. The firewall tracks outgoing packets that request specific types of incoming packets and allows incoming packets to pass through only if they constitute a proper response.
Which of the following is a feature of a stateful packet filtering firewall?A stateful firewall can filter application layer information, while a packet-filtering firewall cannot filter beyond the network layer. A packet-filtering firewall typically can filter up to the transport layer, while a stateful firewall can filter up to the session layer.
Which of the following are benefits of a stateful firewall over a stateless firewall?Which one is the best choice to protect your business? Stateful firewalls are capable of monitoring and detecting states of all traffic on a network to track and defend based on traffic patterns and flows. Stateless firewalls, however, only focus on individual packets, using preset rules to filter traffic.
What does a stateful firewall do that a packet filtering firewall does not?While a packet filtering firewall only examines an individual packet out of context, a stateful firewall is able to watch the traffic over a given connection, generally defined by the source and destination IP addresses, the ports being used, and the already existing network traffic.
|