Which of the following is something that only a firewall capable of stateful packet inspection can do?

Track each connection in a state table and admit return traffic only for sessions that were initiated from inside the network.

Which of the following statements is true regarding stateful firewalls?

A. They can block traffic that contains specific web content
B. They allow traffic into a network only if a corresponding request was sent from inside the network
C. Their primary purpose is to hide the source of a network connection
D. They operate at the Application layer of the OSI model

B. They allow traffic into a network only if a corresponding request was sent from inside the network

You want to use ASDM to create an inspection rule that will drop and log SHOUTcast media streams. Which of the following inspection rules should you configure to achieve your goal?
A. H.323 H.225
B. IM
C. H.323 RAS
D. HTTP
E. RTSP

D. HTTP

What is the ASDM path to configure an HTTP inspect map?

Configuration > Firewall > Objects > Inspect Maps > HTTP

When _____ is enabled in a service policy, such as the global service policy, you can opt to use the default inspection rules or you can customize the inspection rules by applying an HTTP inspect map.

HTTP inspection

How would you reset the inspection map to its default security level?

by clicking the Default Level button on the Edit HTTP inspect Map screen

What tab of the Edit HTTP Inspect Map dialog box allows you to enable protocol violation checks and to select the actions that the ASA should take if protocol violations are found?

The Parameters tab of the expanded Edit HTTP Inspect Map dialog box

How do you view the details of an inspection map in ASDM?

Select the Inspections tab of the expanded Edit HTTP Inspect Map dialog box

Names that begin with ____ are predefined in the system default configuration and can be referenced directly from ASDM or by the class command in a policy map.

_default
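The CLI equivalent of the ASDM HTTP inspect map described in the cards above, as an added example that is not part of the original card set. The map name HTTP-STRICT, the CONNECT rule and the verification command are choices made for this example; policy-map global_policy, class-map inspection_default and the _default_esmtp_map inspect map are the ASA's own predefined names.

```cisco
! Layer 7 HTTP inspection policy map: the CLI form of an ASDM HTTP Inspect
! Map. The "parameters" section holds what ASDM shows on the Parameters
! tab; each "match" clause is a row on the Inspections tab.
policy-map type inspect http HTTP-STRICT
 parameters
  ! Protocol-violation check: close the connection and log a syslog
  ! message when a request or response does not follow HTTP framing.
  protocol-violation action drop-connection log
 ! Do not allow HTTP CONNECT (proxy tunnelling) through this firewall.
 match request method connect
  drop-connection log

! Attach the map to the HTTP inspection in the predefined global policy.
! policy-map global_policy and class-map inspection_default are system
! defaults, as are the inspect maps whose names begin with _default
! (for example _default_esmtp_map); they are referenced, not created.
policy-map global_policy
 class inspection_default
  inspect http HTTP-STRICT
service-policy global_policy global

! Verify that the map is active and watch its drop counters
show service-policy inspect http
```

Clicking Default Level in ASDM resets the map to the built-in security level; on the CLI the equivalent is to remove the customised parameters and match clauses from the policy-map type inspect http.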

Which of the following traffic can be statefully inspected by Cisco IOS ZFW?

A. IPv4 unicast traffic
B. IPv6 multicast traffic
C. IPv4 multicast traffic
D. IPv6 unicast traffic

A. IPv4 unicast traffic

What does Cisco IOS ZFW stand for?

Cisco IOS zone-based policy firewall

What was the Cisco IOS stateful firewall called before ZFW?

Context-Based Access Control (CBAC), the classic IOS stateful firewall; ZFW is its zone-oriented successor.

Can Cisco IOS ZFW statefully inspect IPv4 and IPv6 multicast traffic?

No. As of Cisco IOS 12.4(15)T, ZFW cannot statefully inspect any type of IPv6 traffic, nor IPv4 multicast traffic. (Later IOS releases added IPv6 stateful inspection to ZFW; check the release notes for the image in use.)

What are interfaces assigned to in ZFW?

virtual security zones

By default is traffic between zones allowed in ZFW?

No, traffic between zones is blocked by default

What is the default rule for traffic on different interfaces that are assigned to the same zone?

By default, traffic is implicitly permitted to flow between interfaces assigned to the same zone.

What happens by default when an interface is assigned to a zone?

All traffic to and from the interface is implicitly blocked once it is assigned to a zone, with a few exceptions (traffic between interfaces in the same zone, and traffic to and from the router itself, which belongs to the self zone).

What must be done to allow traffic to flow between zones?

Stateful packet inspection policies must be configured to explicitly permit traffic between zones.

What is the basic process to allow traffic to flow between zones?

1. Define the required zones
2. Create zone-pairs for zones that will pass traffic between themselves
3. Define class maps to match the appropriate traffic for each zone-pair
4. Define policy maps to specify the actions that should be performed on matching traffic
5. Apply the policy maps to the zone-pairs
6. Assign interfaces to their appropriate zones
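The six steps above carried through as one complete IOS ZFW configuration. This is an added example, not configuration from the original card set; the zone, class-map and policy-map names, the interfaces and the addresses are assumptions made for the example.

```cisco
! Step 1: define the zones
zone security INSIDE
zone security OUTSIDE

! Step 3: class map matching the traffic inside users may start
class-map type inspect match-any IN-TO-OUT-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp

! Step 4: policy map. "inspect" creates the stateful session so that the
! replies are allowed back; "drop log" records anything that did not match.
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class class-default
  drop log

! Steps 2 and 5: a zone-pair is directional; attach the policy to it
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY

! Step 6: put the interfaces into their zones
interface GigabitEthernet0/0
 description LAN
 ip address 10.1.1.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE

! No OUTSIDE->INSIDE zone-pair exists, so unsolicited inbound traffic is
! dropped; replies to inspected sessions are matched against the session
! table instead. Verify with:
show policy-map type inspect zone-pair IN-OUT sessions
```

Traffic to and from the router itself (the self zone) is still permitted by default; it only becomes subject to policy once a zone-pair that includes "self" is configured.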

Since ZFW cannot perform stateful inspection of multicast traffic, which security feature can you use to inspect this type of traffic?

One option is using Control Plane Policing (CoPP)

Which of the following statements is true regarding a stateless packet-filtering firewall?

A. It is not susceptible to IP spoofing attacks
B. It can operate at Layer 4 of the OSI model
C. It tracks packets as part of the stream
D. It is more secure than a stateful packet-filtering firewall

B. It can operate at Layer4 of the OSI model

What is another name for static packet-filtering firewall?

Stateless packet-filtering firewall

How does a stateless packet-filtering firewall work?

It evaluates each packet on its own and either blocks or allows it based on the Layer 3 and Layer 4 information in the packet header; these values are commonly known as the 5-tuple.

Why is a stateless packet-filtering firewall susceptible to IP spoofing attacks?

Because a stateless packet-filtering firewall allows all traffic whose source IP address is on its approved list, and it has no way to verify that the packet really came from that host.

What is an IP spoofing attack?

A type of attack wherein an attacker uses the source IP address of a trusted host to send messages to other computers.

Can an Stateless Packet-Filtering firewall evaluate data streams or track connections?

No, because a stateless packet-filtering firewall evaluates packets individually

What layers do Stateful packet-filtering firewalls traditionally operate at?

Layer 3, 4, and 5

Are stateful firewalls more secure than stateless?

Yes, Stateful packet filtering firewalls are more secure, because of their versatility and ability to dynamically monitor and filter packets.

Which type of firewall maintains session information?

Stateful Packet-Filtering Firewalls

Where do firewalls keep information regarding the state of a connection?

State table

How does a state table help firewalls?

When a connection is permitted, subsequent packets are verified against the state table to ensure that they are in the expected sequence. If the TCP sequence numbers are not in the expected range, the packets are dropped.
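A stateless filter as an added example, not part of the original card set: an IOS extended ACL on the Internet-facing interface that shows both the 5-tuple matching described above and the spoofing weakness. The network 10.1.1.0/24, the partner host 203.0.113.50, the jump box 10.1.1.20 and the ACL name are assumptions made for the example.

```cisco
! Stateless (static) packet filter on the WAN interface of an IOS router.
! Every entry looks only at the 5-tuple of the packet in front of it.
ip access-list extended OUTSIDE-IN
 ! Anti-spoofing (RFC 2827 style): a packet arriving from the Internet can
 ! never legitimately carry one of our own or a private source address.
 ! 10.0.0.0/8 covers the 10.1.1.0/24 inside network used here.
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 ! "Approved address" rule: SSH from a partner host to a jump box. The
 ! filter cannot tell a genuine packet from one spoofed with this source.
 permit tcp host 203.0.113.50 host 10.1.1.20 eq 22
 ! Replies for sessions opened from inside. "established" only tests the
 ! ACK or RST bit; it does not know whether such a session exists.
 permit tcp any 10.1.1.0 0.0.0.255 established
 deny   ip any any log
interface GigabitEthernet0/1
 description WAN
 ip access-group OUTSIDE-IN in
```

The anti-spoofing entries remove the easiest spoofing cases, but nothing in this ACL protects the partner-host rule. A stateful firewall (ZFW or an ASA) would additionally drop a TCP segment with the ACK bit set that has no entry in its state table, which is exactly what the "established" line lets through.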

What is Identity NAT?

It is a NAT type that effectively exempts one or more addresses from translation. With Identity NAT, real addresses and mapped addresses are identical for a particular NAT rule.

What is a common use for Identity NAT?

It is to exempt remote access VPN client addresses from the NAT rules applied to the VPN Gateway interfaces.

Which of the following NAT types effectively exempt one or more addresses from translation?

- dynamic PAT
- Static NAT
- identity NAT
- dynamic NAT

Identity NAT

Which is easier to configure on a Cisco ASA, Network object NAT or twice NAT?

Network object NAT is easier to configure than twice NAT

What is Network Object NAT?

Network object NAT is one of the two ways to configure NAT on a Cisco ASA.

NAT is a parameter of a network object and the network object serves as the real address for the translation.

- Can apply to either a source or destination address
- would require 2 separate NAT rules to translate both a source and destination address

What is twice NAT?

twice NAT is one of two ways to configure NAT on a Cisco ASA.

Twice NAT can use network objects and groups to represent real and mapped addresses.

Network objects and groups are parameters of the NAT configuration and can represent source real, source mapped, destination real, and destination mapped addresses.

Twice NAT can specify both source and destination addresses in a single NAT rule, which makes it more scalable than network object NAT.

It is more complex to configure than network object NAT.
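The NAT types from the cards above (identity NAT, dynamic PAT with round-robin, static NAT, network object NAT and twice NAT) in ASA 8.3+ syntax, as an added example that is not part of the original card set. The object names, interface names and the 10.1.0.0/16, 172.16.1.10, 192.168.100.0/24 and 203.0.113.0/24 addresses are assumptions made for the example; the pat-pool round-robin option requires ASA 8.4(3) or later.

```cisco
! Network object NAT (auto NAT): the nat statement sits inside the object
! that holds the real addresses; only the mapped side may be given inline.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 ! dynamic PAT behind the outside interface address
 nat (inside,outside) dynamic interface

object network PAT-POOL
 range 203.0.113.20 203.0.113.23
object network LAB-NET
 subnet 10.1.2.0 255.255.255.0
 ! dynamic PAT spread round-robin over four mapped addresses, so a busy
 ! subnet is not seen by remote devices as one address flooding them
 nat (inside,outside) dynamic pat-pool PAT-POOL round-robin

object network WEB-SERVER
 host 172.16.1.10
 ! static NAT: a permanent, bidirectional mapping reachable from outside
 nat (dmz,outside) static 203.0.113.10

! Twice (manual) NAT names source and destination in one rule. Here it is
! an identity NAT: real and mapped objects are the same, which exempts
! traffic between the inside network and the remote-access VPN pool from
! the dynamic PAT above. Manual rules land in section 1, so this rule is
! evaluated before the auto NAT rules.
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! Section 1: manual NAT in configured order. Section 2: auto NAT, static
! rules first and, within each type, the object with the fewest real
! addresses first. Section 3: manual rules entered with "after-auto".
show nat
```

The no-proxy-arp and route-lookup keywords on the identity rule stop the ASA from answering ARP for the VPN pool on the inside network and make it use the routing table rather than the NAT rule to pick the egress interface, which is the usual form for a VPN exemption.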

What checks does a Cisco ASA running 8.2 perform when a packet arrives on the inbound interface?

1. Increments the input counter
2. Determines whether the packet is part of an established connection
3. If not an established connection, processes the packet by using the interface ACL
4. If not an established connection, verifies the packet against the translation rules
5. Conducts an inspection of the packet to determine protocol compliance
6. Translates the IP header according to the NAT rules
7. Forwards the packet to the outbound interface

What checks does a Cisco ASA running 8.3 or later perform when a packet arrives on the inbound interface?

1. Increments the input counter
2. Determines whether the packet is part of an established connection
3. Untranslates the destination address according to the NAT rules (from 8.3 onward, ACLs are written in terms of real, untranslated addresses, so the NAT lookup moves ahead of the ACL check)
4. If not an established connection, processes the packet by using the interface ACL
5. If not an established connection, verifies the packet against the translation rules
6. Conducts an inspection of the packet to determine protocol compliance
7. Forwards the packet to the outbound interface

Which of the following would you most likely configure on a host to alert you about possible attacks without filtering traffic?

- a Honeypot
- a HIDS
- a botnet
- a personal firewall

a HIDS

Which of the following statements is correct regarding the traffic types that can be matched in a class map on a Cisco ASA? (Select the best answer.)

A. A class map can match traffic by UDP port number but not by IP precedence.

B. A class map can match traffic by TCP port number but not by IP precedence.

C. A class map can match traffic by TCP port number, by UDP port number, and by IP precedence.

D. A class map can match traffic by UDP port number but not by TCP port number.

E. A class map can match traffic by TCP port number but not by UDP port number

C. A class map can match traffic by TCP port number, by UDP port number, and by IP precedence.

What is a class map?

A class map identifies a specific flow of traffic

Generally, each class map can contain only a single match statement, and a packet can match only a single class map within the policy map for a particular feature type. For example, if a packet matched a class map for File Transfer Protocol (FTP) inspection and a class map for traffic policing, the ASA would apply both actions to the packet, because inspection and policing are different features. However, if a packet matched a class map for FTP inspection and a second, different class map that also included FTP inspection, the ASA would apply only the actions of the first matching class map.

What command would you use to identify traffic based on specified characteristics?

You can use the match command from class map configuration mode to identify traffic based on specified characteristics. The keywords you can use to identify traffic in a class map are closely tied to their respective characteristics. The match command supports the following keywords: access-list, port, default-inspection-traffic, dscp, precedence, rtp, tunnel-group, and any.

Which commands will you issue to create a class map named CLASS-MAP that identifies traffic using TCP port 25?

asa(config)#class-map CLASS-MAP
asa(config-cmap)#match port tcp eq 25

What action occurs after traffic has been identified by a class map?

The associated policy map can take action on that traffic.

What are the 3 components of the Cisco Modular Policy Framework (MPF)?

- class maps
- policy maps
- service policies

What is Cisco MPF?

A Cisco ASA feature that provides a flexible method of enabling security policies on an interface.

A class map identifies a specific flow of traffic, a policy map determines the action that will be performed on the traffic, and a service policy ties this action to a specific interface.

What does a policy map usually contain?

A policy map typically contains references to one or more class maps and defines the actions that should be performed on traffic matched by the specified class maps.

If traffic matches multiple class maps for different actions within a policy map—for instance, if traffic matches a class map for application inspection as well as a class map for priority queuing—the actions of both class maps will be applied to the traffic.

Which commands configure a policy map named POLICY-MAP that matches traffic specified by the class map named CLASS-MAP and then processes the traffic with the Hypertext Transfer Protocol (HTTP) inspection engine?

asa(config)#policy-map POLICY-MAP
asa(config-pmap)#class CLASS-MAP
asa(config-pmap-c)#inspect http

When does a policy map act on traffic?

A policy map does not act on traffic until the map has been applied to an interface by a service policy.

What is a service policy?

a service policy ties the action of a policy map to a specific interface

Where can a service policy be applied?

A service policy can be applied globally to all interfaces, which applies application inspection only to traffic entering the appliance; alternatively, a service policy can be applied to a single interface, which applies application inspection to traffic entering and exiting that interface. An interface service policy overrides a global service policy: if traffic matches both an interface policy and a global policy, only the interface policy is applied to that particular traffic flow.

Which command will apply the POLICY-MAP policy map to the inside interface?

service-policy POLICY-MAP interface inside
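The three MPF components from the cards above combined into one interface policy that coexists with the global policy. This is an added example, not configuration from the original card set; the class-map and policy-map names and the connection limits are assumptions made for the example.

```cisco
! Layer 3/4 class map: SMTP (TCP/25) entering or leaving "inside"
class-map SMTP-CLASS
 match port tcp eq 25

! Policy map for the inside interface: ESMTP inspection for the SMTP class
! plus a cap on total and half-open (embryonic) connections for that class
policy-map INSIDE-POLICY
 class SMTP-CLASS
  inspect esmtp
  set connection conn-max 500 embryonic-conn-max 50

! One policy per interface; it applies to traffic entering and leaving
! "inside". The predefined global policy (policy-map global_policy, applied
! with "service-policy global_policy global") keeps covering traffic that
! enters on every interface; where both match the same flow for the same
! feature, the interface policy wins.
service-policy INSIDE-POLICY interface inside

! Verification: per-class hit and drop counters
show service-policy interface inside
show service-policy global
```

Because the interface policy takes precedence for inspection of the SMTP class only, all other traffic on "inside" is still handled by the inspections in class inspection_default of the global policy.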

For which of the following traffic types is stateful inspection not supported in a ZFW
configuration? (Select the best answer.)
A. Sun RPC
B. DNS
C. NetBIOS
D. ICMP
E. IGMP

E. IGMP

Which of the following is a reason to use the round-robin assignment feature of dynamic PAT
addresses? (Select the best answer.)
A. You want to send traffic to more than one remote device.
B. You want to map a single internal IP address to a single routable IP address.
C. You want to use a single mapped routable address.
D. You want to prevent the misinterpretation of traffic as a DoS attack.

D. You want to prevent the misinterpretation of traffic as a DoS attack

What is Dynamic PAT?

Dynamic PAT is capable of mapping internal source addresses to more than one routable IP address. Some security appliances could mistake a large number of packets from a single IP address for a DoS attack attempt. Therefore, dynamic PAT supports round-robin assignment so that internal source addresses map to more than one routable IP source address. By using dynamic PAT's round-robin assignment of IP addresses, the risk of large amounts of traffic being misidentified as a DoS attack can be mitigated.

What is Static NAT?

You would use static NAT to map a single internal IP address to a single routable IP address. Static NAT translates a single inside local IP address to a single inside global IP address; the static mapping is permanently present in the NAT translation table. It is therefore possible for someone on an outside network to access a device on an inside network by using its inside global IP address.

You have been asked to use ASDM to change the global application inspection settings on an ASA at the edge of your network. Which of the following panes in the firewall configuration navigation tree can you use to achieve this task? (Select the best answer.)

A. Service Policy Rules
B. Advanced
C. Access Rules
D. Filter Rules

A. Service Policy Rules

You can use the Service Policy Rules pane in the firewall configuration navigation tree of Cisco Adaptive Security Device Manager (ASDM) to change the global application inspection settings on a Cisco Adaptive Security Appliance (ASA) at the edge of your network. Application inspection is one of the actions that can be applied to traffic with a policy map. Services that embed IP addresses in the packet or that use dynamically assigned ports for secondary channels require deep packet inspection, which is provided by Application layer protocol inspection. Some traffic, such as Internet Control Message Protocol (ICMP) traffic, might be dropped if inspection for that protocol is not enabled. You can use ASDM to make changes to the global policy by navigating to the Service Policy Rules pane, highlighting the inspection policy, and clicking Edit.

Which of the following is a Cisco AMP for Endpoints feature that can prevent specific programs
from running on managed endpoints?

A. file reputation
B. device trajectory
C. outbreak control
D. file trajectory

C. outbreak control

What is File Reputation?

File reputation uses information collected from a global network of security devices to analyze and detect malicious traffic.

What is File Trajectory?

tracks the spread of suspicious files throughout the network, which can reduce the analysis time if a suspicious file is determined to be malicious

What is device trajectory?

tracks file and network activity on endpoints to reduce the overall analysis time when malicious software is detected

You issue the following commands on a Cisco ASA with no other configured interfaces:
asa(config)#interface gigabitethernet 0/1
asa(config-if)#speed 1000
asa(config-if)#duplex full
asa(config-if)#nameif inside
asa(config-if)#ip address 10.1.1.1 255.255.255.0
asa(config-if)#no shutdown
asa(config-if)#exit
asa(config)#telnet 10.1.1.0 255.255.255.0 inside
asa(config)#telnet timeout 30

Which of the following statements is true regarding the resulting configuration? (Select the best answer.)
A. Telnet sessions will be denied until a security level is manually assigned.
B. Telnet sessions will time out after 30 seconds of inactivity.
C. The ASA will assign the interface a security level of 100.
D. The ASA will assign the interface a security level of 0.

C. The ASA will assign the interface a security level of 100.

The default security level on an ASA is 0; however, an interface named "inside" is an exception: it is automatically assigned a security level of 100 if one is not explicitly configured. An interface can be assigned any integer security level from 0 through 100. Any other interface name receives 0 by default, so it is safer to configure security-level explicitly than to rely on the name.

Telnet sessions to GigabitEthernet 0/1 will not be denied, because nameif inside already gives the interface a security level of 100; the ASA refuses Telnet only on its lowest-security interface (unless the session arrives inside an IPsec tunnel).

The telnet timeout 30 command specifies an inactivity timeout of 30 minutes, not 30 seconds.

Which of the following actions is performed by dynamic NAT? (Select the best answer.)

A. mapping an inside local IP address to a specific global IP address
B. mapping an inside local IP address and port to a global IP address with a specific port
C. mapping an inside local IP address and port to a global IP address with a randomly
selected port
D. mapping an inside local IP address to a global IP address chosen from a pool

D. mapping an inside local IP address to a global IP address chosen from a pool

Which of the following statements are true regarding a ZFW?(select 2)

A. Stateful packet inspection is supported for IPv6 traffic.
B. Stateful packet inspection is supported for multicast traffic.
C. An interface can reside in more than one zone.
D. The firewall can operate in transparent mode.
E. A zone can contain more than one interface

D. The firewall can operate in transparent mode.
E. A zone can contain more than one interface

(An interface can belong to only one zone. The IPv6 and multicast limitations are those of the 12.4T-era feature; later IOS releases added IPv6 stateful inspection to ZFW, so check the release notes for the image in use.)

You are configuring manual NAT on a Cisco Firepower device. Which of the following best describes the order in which the NAT rules will be processed? (Select the best answer.)

A. static rules first followed by dynamic rules
B. on a first-match basis in the order that they appear in the configuration
C. shortest prefix first followed by longer prefixes
D. the most general rules first followed by the most specific rules

B. on a first-match basis in the order that they appear in the configuration

Explain how Cisco Firepower stores NAT rules.

There are two methods of implementing NAT on a Cisco Firepower device: manual NAT and auto NAT.

Both manual NAT rules and auto NAT rules are stored in the same translation table. The table is divided into three sections. Section 1 and Section 3 contain manual NAT rules, with Section 1 containing the most specific manual NAT rules and Section 3 containing the most general NAT rules. Section 2 contains auto NAT rules.

Explain how Cisco Firepower processes NAT rules.

When the Firepower device matches traffic against the NAT translation table, manual NAT rules in Section 1 are processed first, in the order in which they were configured. Manual NAT rules are added to Section 1 by default. If a match is found, rules in Section 2 and Section 3 are ignored. If the traffic does not match any of the manual NAT rules in Section 1, the auto NAT rules in Section 2 are processed, followed by the manual NAT rules in Section 3.

Is BPDU traffic permitted through a Cisco ASA in transparent mode? Inbound or outbound?

It is implicitly permitted in both directions.

Is ARP traffic permitted through a Cisco ASA in transparent mode? Inbound or outbound?

It is implicitly permitted in both directions.

Which types of traffic are implicitly permitted when a Cisco ASA is operating in transparent mode?

The following Layer 2 and Layer 3 traffic:
- IPv4 (higher-security interface to lower-security interface)
- IPv6 (higher-security interface to lower-security interface)
- ARP traffic in both directions
- BPDU traffic in both directions

Note that security levels, EtherType ACLs and ARP inspection are ASA features; the IOS zone-based firewall (ZFW) uses zones rather than security levels, even when it runs in transparent mode.

Which types of traffic are implicitly permitted when a Cisco ASA is operating in routed mode?

Only the following Layer 3 traffic:
- IPv4 (higher-security interface to lower-security interface)
- IPv6 (higher-security interface to lower-security interface)

What type of rule is required to permit non-IP Layer 2 traffic through a transparent-mode ASA?

An EtherType rule (an EtherType ACL applied to the interface)

What is used to control ARP traffic?

ARP inspection can control ARP traffic

Can ACL control ARP traffic?

No
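The transparent-mode behaviour from the cards above shown as configuration: an EtherType ACL for non-IP Layer 2 protocols and ARP inspection for ARP, which ACLs cannot control. This is an added example, not configuration from the original card set; it assumes ASA 8.4(1) or later bridge-group syntax, and the interface names, the 10.1.1.0/24 management address, the gateway MAC address and the EtherType values are assumptions made for the example.

```cisco
! Transparent (Layer 2) firewall mode. Changing the mode clears the
! running configuration, so do this before anything else.
firewall transparent
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
interface BVI1
 ip address 10.1.1.2 255.255.255.0

! IPv4/IPv6 still flow implicitly from the higher- to the lower-security
! interface and need an extended ACL in the other direction. Non-IP Layer 2
! protocols need an EtherType ACL. BPDUs are implicitly permitted, but they
! are listed here so the ACL's trailing implicit deny can never interfere
! with spanning tree; 0x88cc is LLDP.
access-list L2-ALLOW ethertype permit bpdu
access-list L2-ALLOW ethertype permit mpls-unicast
access-list L2-ALLOW ethertype permit 0x88cc
access-group L2-ALLOW in interface outside
access-group L2-ALLOW in interface inside

! ARP is not subject to ACLs. A static ARP entry pins the gateway's
! IP-to-MAC binding on the outside interface, and ARP inspection drops ARP
! packets that disagree with it; "no-flood" also drops ARP packets for
! addresses that have no static entry instead of flooding them.
arp outside 10.1.1.1 001c.2b3d.4e5f
arp-inspection outside enable no-flood
```

Once an EtherType ACL is applied in a direction on an interface, any Layer 2 protocol not listed in it is dropped in that direction, so every non-IP protocol the bridged segment relies on has to be listed.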

What layer(s) of the OSI model does stateless packet-filtering firewall operate?

Layer 3 and 4 of OSI Model

What is another name for stateless-filtering firewall?

Static packet-filtering firewall

Which type of firewall uses the values commonly known as 5 tuple for filtering?

Stateless packet-filtering firewalls

which values of the packet header are considered 5 tuple?

- Source IP address
- Destination IP address
- Source port
- Destination port
- Protocol type

What type of attack are stateless packet-filtering firewalls susceptible to?

IP spoofing attacks, because all traffic from an approved IP address is allowed

Do stateless packet-filtering firewalls evaluate packets individually or as data streams?

individually

What layer(s) of the OSI model do stateful packet-filtering firewalls operate at?

Layer 3,4, and 5

Which type of firewall maintains and tracks session information?

stateful packet-filtering firewalls

Which type of firewall is more secure?

Stateful Packet-Filtering Firewall

How are auto NAT rules ordered?

Auto NAT rules are ordered automatically regardless of the order they were configured.

Regarding Auto NAT; which rules are processed first?

Static rules first and then dynamic rules

Regarding Auto NAT, If two static rules are configured which one will be processed first?

The rule whose real-address object covers the fewest addresses (the longest prefix) is processed first. Ties are broken by the lowest real IP address, then by object name in alphabetical order.

Which type of IP address can you configure inline when configuring dynamic PAT?

inside global

What is a network object?

it is a data structure that is used in place of inline IP information.

What is an object group?

simply a group of network objects.

What is an inside global address?

Typically a public IP address, assigned by the service provider or the administrator of the outside network, that represents one or more inside local addresses to the outside world.

What is an inside local address?

Typically private IP address. An IP Address that represents an internal host to the inside network.

Which RFC defines private IP addresses?

RFC 1918

What is an outside local address?

The IP address of an external host as it appears to the inside network.

what is the outside global address?

The IP address assigned to the external host by its owner: the real, routable address of the outside host as seen from the outside network.

What does the command show conn do?

Outputs the state of the connections in the ASA connection database

Which flags are set on a connection just initiated from the inside?

saA

The ASA has seen the inside host's SYN and is awaiting the outside host's SYN (s), the outside host's ACK to the SYN (a), and the inside host's ACK that completes the handshake (A).

What does the s flag indicate in the ASA connection database?

The ASA is awaiting a SYN segment from the outside host.

What does the a flag indicate in the ASA connection database?

The ASA is awaiting the outside host's ACK to the SYN.

What does the A flag indicate in the ASA connection database?

The ASA is awaiting the inside host's ACK to the SYN.

What does the U flag indicate regarding the ASA connection database?

The three-way handshake is complete and TCP session is established

What does the O flag indicate regarding the ASA connection database?

data has passed through the session in the outbound direction

What does the I flag indicate regarding the ASA connection database?

data has passed through the session in the inbound direction

What does the B flag indicate regarding the ASA connection database?

Connection was initiated from the outside
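The flags from the cards above as they appear in show conn output, as an added example; the output is constructed for this example rather than taken from the original card set or from a real device, and the hosts 10.1.1.20, 198.51.100.10, 198.51.100.50 and 172.16.1.10 are assumptions.

```cisco
! Constructed output: inside host 10.1.1.20 opens an HTTP connection to
! 198.51.100.10. The same conn entry is shown three times, as it looks
! after each step of the three-way handshake.
asa# show conn address 10.1.1.20
! 1. after the inside SYN: awaiting outside SYN (s), the outside ACK to the
!    SYN (a) and the inside ACK to the SYN (A)
TCP outside 198.51.100.10:80 inside 10.1.1.20:51022, idle 0:00:00, bytes 0, flags saA
! 2. after the outside SYN/ACK: only the inside ACK is still outstanding
TCP outside 198.51.100.10:80 inside 10.1.1.20:51022, idle 0:00:00, bytes 0, flags A
! 3. handshake complete (U); data has passed inbound (I) and outbound (O)
TCP outside 198.51.100.10:80 inside 10.1.1.20:51022, idle 0:00:02, bytes 6149, flags UIO

! A connection that was opened from the outside (here to a DMZ web server)
! carries B in addition to the handshake and data flags
asa# show conn address 172.16.1.10
TCP outside 198.51.100.50:52233 dmz 172.16.1.10:443, idle 0:00:01, bytes 2308, flags UIOB
```

A conn that stays at saA or A for a long time is a half-open connection: either the outside host never answered or the inside host never completed the handshake, which is what the embryonic connection limit in an MPF set connection action is designed to bound.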

What is Dynamic NAT?

Provides a unidirectional mapping between one or more real addresses and one or more mapped addresses, drawn from a pool on a first-come, first-served basis. A mapping can be initiated only by a host with a real address.

What is Dynamic PAT?

Maps one or more real addresses to a single mapped address. Each real address and source port is translated to the mapped address and a unique mapped port, so the mapped port identifies the real host. Ports are assigned on a first-come, first-served basis, and a mapping can be initiated only by a host with a real address.

What feature of Cisco AMP for Endpoint can use application blocking lists to contain compromised applications?

Outbreak Control

What does AMP for Endpoint do?

Monitors network traffic and application behavior to protect a host from malicious traffic. Unlike many of its competitors, it continues analysis after a disposition has been assigned to a file or traffic flow.

What does AMP for Endpoint use to ensure mission-critical software continues to run during an outbreak?

An application whitelist (allow list) of mission-critical software

Does AMP for Endpoint have to wait for a signature file update before it can block an application or specific file?

No, it does not have to wait for signature updates

Can AMP for Endpoint detect polymorphic malware?

Yes, custom signatures can be created to detect polymorphic malware

Which ASDM pane can you change the global application inspection settings?

Service Policy Pane

What can be configured on the Access Rules pane of ASDM?

It is used to configure the security policies (access rules) that control access to the network. By default, no traffic can pass unless an access rule permits it, apart from the implicit permit for traffic from a higher-security interface to a lower-security interface.

What can be configured on the Filter Rules pane in ASDM?

URL filtering

Which addresses must be configured within a network object or object group when configuring dynamic PAT on an ASA running 8.3 or later?

Inside local

What is multiple context mode?

A single ASA can be divided into multiple security contexts, which function as individual virtual devices with their own policies.

Is RIP supported in multiple context mode?

No

Is OSPFv3 supported in multiple context mode?

No

Is Threat Detection supported in multiple context mode?

No

Is Multicast Routing supported in multiple context mode?

No

Is Unified Communication Services supported in multiple context mode?

No

Is QOS supported in multiple context mode?

No

Is active/active failover supported in multiple context mode?

yes

Is active/standby failover supported in multiple context mode?

Yes
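Multiple context mode as configuration, as an added example that is not part of the original card set: the system execution space defines the interfaces and contexts, and each context is then configured as its own virtual firewall. The context names, VLAN IDs, interface mapped names and config-url paths are assumptions made for the example.

```cisco
! System execution space. "mode multiple" converts the running configuration
! and reloads; the commands below are entered after that reload.
mode multiple

! Physical interfaces and VLAN subinterfaces are defined once, in the
! system space, and then allocated to contexts.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20

! The admin context is created first; it is the one used for system access
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg

! Each further context gets its own interfaces (here with mapped names that
! hide the physical names from the context administrator) and its own
! configuration file.
context CUSTOMER-A
 allocate-interface GigabitEthernet0/0.10 outside
 allocate-interface GigabitEthernet0/0.20 inside
 config-url disk0:/customer-a.cfg

! Switch into the context to configure its nameif, security-level, ACLs,
! NAT and service policies; "changeto system" returns to the system space.
changeto context CUSTOMER-A
```

Plan around the feature list in the cards above before converting: a design that needs RIP, OSPFv3, multicast routing, QoS, threat detection or unified communications services cannot be moved into a context, while both active/active and active/standby failover remain available.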

Is Telnet permitted to the interface with the lowest security level?

No. The ASA does not allow Telnet to its lowest-security interface unless the session arrives inside an IPsec tunnel; use SSH for management on that interface.

What does the command telnet timeout 30 do?

Times out inactive telnet sessions after 30 minutes.

What is the implications of sharing a regular data interface with the stateful failover link?

Failover and stateful failover traffic is sent in clear text unless a failover key is configured, so sharing a data interface with the stateful failover link exposes that traffic to the data network: a packet sniffer on that segment can capture legitimate network data such as authentication tokens and preshared keys, and captured failover messages can be replayed against the ASA. Use a dedicated interface (or at least a dedicated VLAN) for the failover link and configure a failover key.

What does a stateful firewall inspect?

Stateful inspection monitors communications packets over a period of time and examines both incoming and outgoing packets. The firewall tracks outgoing packets that request specific types of incoming packets and allows incoming packets to pass through only if they constitute a proper response.

Which of the following is a feature of a stateful packet filtering firewall?

A stateful firewall tracks each connection in a state table and can therefore make decisions based on session-layer information, whereas a static packet-filtering firewall examines each packet in isolation and filters only on network- and transport-layer header fields. In OSI terms, a packet-filtering firewall typically filters up to Layer 4 and a stateful firewall up to Layer 5.

Which of the following are benefits of a stateful firewall over a stateless firewall?

Stateful firewalls monitor the state of every flow crossing the network and can track and defend based on traffic patterns and flows. Stateless firewalls, by contrast, look only at individual packets and filter them against preset rules.

What does a stateful firewall do that a packet filtering firewall does not?

While a packet filtering firewall only examines an individual packet out of context, a stateful firewall is able to watch the traffic over a given connection, generally defined by the source and destination IP addresses, the ports being used, and the already existing network traffic.