Last Updated on November 1, 2019 by Admin
Implementing Network Security ( Version 2.0) – CCNAS Chapter 4 Exam Online
CCNAS – Chapter 4 Exam
Question 1 of 23 (1 point)
Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?
Explanation: This ACL is denying all TCP/IP traffic coming into the outside interface. Because the source address matches the any parameter and because the access list line is filtering based on denying access (deny), the packet is dropped.

Question 2 of 23 (1 point)
To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?
Explanation: By allowing the ICMP echo reply message inbound to the organization, internal users are allowed to ping external addresses (and the reply message is allowed to return).

Question 3 of 23 (1 point)
Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?
Explanation: For the purpose of applying an access list to a particular interface, the IPv6 command ipv6 traffic-filter is the equivalent of the IPv4 command ip access-group. The direction in which the traffic is examined (in or out) is also required.

Question 4 of 23 (1 point)
Which statement describes a typical security policy for a DMZ firewall configuration?
Explanation: With a three-interface firewall design that has internal, external, and DMZ connections, typical configurations include the following:
- Traffic originating from the DMZ destined for the internal network is normally blocked.
- Traffic originating from the DMZ destined for external networks is typically permitted based on what services are being used in the DMZ.
- Traffic originating from the internal network destined for the DMZ is normally inspected and allowed to return.
- Traffic originating from external networks (the public network) is typically allowed into the DMZ only for specific services.

Question 5 of 23 (1 point)
Refer to the exhibit. Which statement describes the function of the ACEs?
Explanation: ICMPv6 (ICMP for IPv6) is used for neighbor discovery. The two permit statements allow neighbor advertisement and neighbor solicitation messages between IPv6 devices.

Question 6 of 23 (1 point)
When an inbound Internet-traffic ACL is being implemented, what should be included to prevent the spoofing of internal networks?
Explanation: Common ACEs to assist with antispoofing include blocking packets that have a source address in the 127.0.0.0/8 range, any private address, or any multicast address. Furthermore, the administrator should not allow any outbound packets with a source address other than a valid address that is used in the internal networks of the organization.

Question 7 of 23 (1 point)
In addition to the criteria used by extended ACLs, what conditions are used by a classic firewall to filter traffic?
Explanation: The classic firewall provides stateful inspection, including for protocols that require multiple channels for communication such as FTP and H.323. Protocol numbers, port numbers, and source and destination IP addresses are all standard filters for extended ACLs.

Question 8 of 23 (1 point)
A router has been configured as a classic firewall and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?
Explanation: The traffic flow from the internal network to the public network is commonly inspected. These flows cause dynamic entries to be added to the inbound ACL on the external interface, so that traffic which originates from the internal network and goes to the public network is allowed to return to the internal source.

Question 9 of 23 (1 point)
If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?
Explanation: A best practice for configuring an extended ACL is to ensure that the most specific ACE is placed higher in the ACL. Consider the two permit UDP statements. If both of these were in an ACL, the SNMP ACE is more specific than the UDP statement that permits a range of 10,001 UDP port numbers. The SNMP ACE would be entered before the other UDP ACE. The ACEs from most specific to least specific are as follows:
- permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
- deny udp any host 172.16.1.5 eq snmptrap
- permit tcp 172.16.0.0 0.0.3.255 any established
- deny tcp any any eq telnet
- permit udp any any range 10000 20000
- permit ip any any

Question 10 of 23 (1 point)
A company is deploying a new network design in which the border router has three interfaces. Interface Serial0/0/0 connects to the ISP, GigabitEthernet0/0 connects to the DMZ, and GigabitEthernet0/1 connects to the internal private network. Which type of traffic would receive the least amount of inspection (have the most freedom of travel)?
Explanation: Most traffic within an organization originates from a private IP address. The amount of inspection done to that traffic depends on its destination, or on whether the device at that private IP address originated the connection. The demilitarized zone typically holds servers. Traffic that is destined to those servers is filtered based on what services are being provided by the server (HTTP, HTTPS, DNS, etc.).

Question 11 of 23 (2 points)
Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.)
Explanation: The extended access list in the exhibit is permitting SSH (TCP port 22) traffic that is sourced from the 192.168.1.0/24 network and traveling to the 192.168.2.0/24 network. The packets meeting these criteria are logged to the local logging buffer (the default), a syslog server, or both, depending on how the router is configured for syslog settings. All other traffic is denied because of the implicit deny at the end of every ACL.

Question 12 of 23 (2 points)
Consider the following access list.
access-list 100 permit ip host 192.168.10.1 any
access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo
access-list 100 permit ip any any
Which two actions are taken if the access list is placed inbound on a router Gigabit Ethernet port that has the IP address 192.168.10.254 assigned? (Choose two.)
Explanation: The first ACE allows the 192.168.10.1 device to do any TCP/IP-based transactions with any other destination. The second ACE stops devices on the 192.168.10.0/24 network from issuing any pings to any other location. Everything else is permitted by the third ACE. Therefore, a Telnet/SSH session or ping reply is allowed from a device on the 192.168.10.0/24 network.

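Added example (not part of the exam or of Cisco IOS): a small Python model of how IOS walks access-list 100 top-down, with wildcard-mask matching, the ICMP echo qualifier, first-match semantics and the implicit deny. The sample packets and the destination 10.0.0.9 are constructed for illustration; the packets are evaluated as if entering the 192.168.10.254 interface from the LAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The ACL exactly as given in question 12.
ACL_100 = [
    "access-list 100 permit ip host 192.168.10.1 any",
    "access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo",
    "access-list 100 permit ip any any",
]

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    icmp_type: Optional[str] = None  # "echo" (ping request) or "echo-reply"

def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Cisco wildcard mask: a 0 bit must match, a 1 bit is "don't care".
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def _parse_addr(tokens):
    # Consume one address spec: "any", "host X", or "X WILDCARD".
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line: str) -> dict:
    t = line.split()
    assert t[0] == "access-list", "only numbered extended ACL syntax is modelled"
    src, rest = _parse_addr(t[4:])
    dst, rest = _parse_addr(rest)
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "extra": rest}

def evaluate(acl_lines, pkt: Packet):
    """Return (action, ACE number); ACE number is None for the implicit deny."""
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue                      # "ip" matches every protocol
        if not (_wildcard_match(pkt.src, *ace["src"])
                and _wildcard_match(pkt.dst, *ace["dst"])):
            continue
        # An ICMP ACE with a type keyword (here "echo") only matches that type.
        if ace["proto"] == "icmp" and ace["extra"] and ace["extra"][0] != pkt.icmp_type:
            continue
        return ace["action"], n          # first match wins
    return "deny", None                   # implicit deny at the end of every ACL

if __name__ == "__main__":
    for p in (Packet("icmp", "192.168.10.1", "10.0.0.9", "echo"),
              Packet("icmp", "192.168.10.7", "10.0.0.9", "echo"),
              Packet("tcp", "192.168.10.7", "10.0.0.9"),
              Packet("icmp", "192.168.10.7", "10.0.0.9", "echo-reply")):
        print(p, "->", evaluate(ACL_100, p))
```

Dropping the final permit ip any any line shows the implicit deny taking effect for everything the first two ACEs do not match.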
Question 13 of 23 (1 point)
What is one benefit of using a stateful firewall instead of a proxy server?
Explanation: A stateful firewall performs better than a proxy server. A stateful firewall cannot authenticate users or prevent Layer 7 attacks. Both a stateful firewall and a proxy server can filter packets.

Question 14 of 23 (1 point)
What is one limitation of a stateful firewall?
Explanation: Limitations of stateful firewalls include the following:
- Stateful firewalls cannot prevent application layer attacks.
- Protocols such as UDP and ICMP are not stateful and do not generate the information needed for a state table.
- An entire range of ports must sometimes be opened in order to support specific applications that open multiple ports.
- Stateful firewalls lack user authentication.

Question 15 of 23 (1 point)
When a Cisco IOS Zone-Based Policy Firewall is being configured via CLI, which step must be taken after zones have been created?
Explanation: The steps for configuring zones in a Zone-Based Policy Firewall are as follows:
Step 1. Determine the zones.
Step 2. Establish policies between zones.
Step 3. Design the physical infrastructure.
Step 4. Identify subsets within zones and merge traffic requirements.

Question 16 of 23 (1 point)
A network administrator is implementing a Classic Firewall and a Zone-Based Firewall concurrently on a router. Which statement best describes this implementation?
Explanation: Both a Classic Firewall and a Zone-Based Firewall can be implemented concurrently on a router, but they cannot both be configured on a single interface.

Question 17 of 23 (2 points)
Which two rules about interfaces are valid when implementing a Zone-Based Policy Firewall? (Choose two.)
Explanation: The rules for traffic transiting through the router are as follows:
- If neither interface is a zone member, then the resulting action is to pass the traffic.
- If both interfaces are members of the same zone, then the resulting action is to pass the traffic.
- If one interface is a zone member but the other is not, then the resulting action is to drop the traffic, regardless of whether a zone-pair exists.
- If both interfaces belong to the same zone-pair and a policy exists, then the resulting action is inspect, allow, or drop as defined by the policy.

Question 18 of 23 (1 point)
Which command will verify a Zone-Based Policy Firewall configuration?
Explanation: The ZPF configuration can be verified with the show running-config, show policy-map, show class-map, show zone security, and show zone-pair security commands.

Question 19 of 23 (1 point)
Refer to the exhibit. The network “A” contains multiple corporate servers that are accessed by hosts from the Internet for information about the corporation. What term is used to describe the network marked as “A”?
Explanation: A demilitarized zone or DMZ is a network area protected by one or more firewalls. The DMZ typically contains servers that are commonly accessed by external users. A web server is commonly placed in a DMZ.

Question 20 of 23 (1 point)
Which type of packet is unable to be filtered by an outbound ACL?
Explanation: Traffic that originates within a router, such as pings from a command prompt, remote access from the router to another device, or routing updates, is not affected by outbound access lists. The traffic must flow through the router in order for the router to apply the ACEs.

Question 21 of 23 (2 points)
When a Cisco IOS Zone-Based Policy Firewall is being configured, which two actions can be applied to a traffic class? (Choose two.)
Explanation: The three actions that can be applied are inspect, drop, and pass.
Inspect – This action offers state-based traffic control.
Drop – This is the default action for all traffic. Similar to the implicit deny any at the end of every ACL, there is an explicit drop applied by IOS to the end of every policy map.
Pass – This action allows the router to forward traffic from one zone to another.

Question 22 of 23 (1 point)
Which security tool monitors network traffic as it flows into and out of the organization and determines whether packets belong to an existing connection or are from an unauthorized source?
Explanation: A stateful firewall filters packets based on state information maintained in a state table. Because it uses state information, the stateful firewall can analyze traffic at OSI Layers 4 and 5.

Question 23 of 23 (1 point)
What is the function of the pass action on a Cisco IOS Zone-Based Policy Firewall?
Explanation: The pass action performed by Cisco IOS ZPF permits forwarding of traffic in a manner similar to the permit statement in an access control list.