Question 1
Which kind of table is used by most firewalls today to keep track of the connections through the firewall?
A. queuing
B. netflow
C. dynamic ACL
D. reflexive ACL
E. state
Answer: E
Explanation
There are four generations of firewall technologies developed between 1983 and 1995: static packet-filtering firewalls, circuit-level firewalls, application layer firewalls and dynamic packet-filtering firewalls.
Dynamic packet-filtering firewalls, sometimes called stateful firewalls, keep track of the actual communication process through the use of a state table. The state table is part of the internal structure of the firewall; it tracks all sessions and is consulted when inspecting every packet passing through the firewall. These firewalls operate at Layers 3, 4 and 5.
Question 2
Based on the show policy-map type inspect zone-pair session command output provided in the exhibit, what can be determined about this Cisco IOS zone-based firewall policy?
Class-map: TEST-Class (match-all)
  Match: access-group 110
  Match: protocol http
  Inspect
    Established Sessions
      Session 643BCF88 (10.0.2.12:3364) =>(172.26.26.51:80) http SIS_OPEN
        Created 00:00:10, Last heard 00:00:00
        Bytes sent (initiator, responder) [1268:64324]
      Session 643BB9C8 (10.0.2.12:3361) =>(172.26.26.51:80) http SIS_OPEN
        Created 00:00:16, Last heard 00:00:06
        Bytes sent (initiator, responder) [2734:38447]
      Session 643BD240 (10.0.2.12:3362) =>(172.26.26.51:80) http SIS_OPEN
        Created 00:00:14, Last heard 00:00:07
        Bytes sent (initiator, responder) [2219:39813]
      Session 643BBF38 (10.0.2.12:3363) =>(172.26.26.51:80) http SIS_OPEN
        Created 00:00:14, Last heard 00:00:06
        Bytes sent (initiator, responder) [2106:19895]
Class-map: class-default (match-any)
  Match: any
  Drop (default action)
    58 packets, 2104 bytes
A. This is an outbound policy (applied to traffic sourced from the more secured zone destined to the less secured zone).
B. All packets will be dropped since the class-default traffic class is matching all traffic.
C. This is an inbound policy (applied to traffic sourced from the less secured zone destined to the more secured zone).
D. Stateful packet inspection will be applied only to HTTP packets that also match ACL 110.
Answer: D
Question 3
Which statement best describes Cisco IOS Zone-Based Policy Firewall?
A. A router interface can belong to multiple zones.
B. The pass action works in only one direction.
C. Policy maps are used to classify traffic into different traffic classes, and class maps are used to assign action to the traffic classes.
D. A zone-pair is bidirectional because it specifies traffic flowing among the interfaces within the zone-pair in both directions.
Answer: B
Explanation
The Cisco IOS zone-based policy firewall can take three possible actions when you configure it using Cisco SDM:
- Inspect: This action configures Cisco IOS stateful packet inspection.
- Drop: This action is analogous to deny in an ACL.
- Pass: This action is analogous to permit in an ACL. The pass action does not track the state of connections or sessions within the traffic; pass allows the traffic only in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction.
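The following Cisco IOS zone-based firewall configuration is an added example, not part of the original question set. It is consistent with the exhibit in Question 2 (class-map TEST-Class matching ACL 110 and HTTP, class-default dropping) and shows the three actions above, including the one-directional nature of pass. Zone names, interface names, policy-map names and the contents of ACL 110 are assumptions.

```cisco
! Added example (not from the original question set). Zone, interface and
! policy-map names and the ACL 110 entries are assumptions.
!
! ACL 110 narrows which traffic is eligible for inspection.
access-list 110 permit tcp 10.0.2.0 0.0.0.255 host 172.26.26.51 eq www
!
! match-all: a packet must match BOTH the ACL and the HTTP protocol match
! to land in TEST-Class. Only that traffic is statefully inspected
! (the point behind answer D of Question 2).
class-map type inspect match-all TEST-Class
 match access-group 110
 match protocol http
!
! Inspect = stateful inspection: a session entry is created and the
! return traffic is permitted by the state table. class-default drops
! everything else, which is the "Drop (default action)" line in the exhibit.
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect TEST-Class
  inspect
 class class-default
  drop
!
! Zones and interface membership: an interface belongs to exactly one zone.
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! A zone-pair is unidirectional. This one covers only INSIDE -> OUTSIDE;
! replies to inspected sessions need no second zone-pair.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
!
! Contrast with pass: stateless and one-directional. ICMP passed
! OUTSIDE -> INSIDE here will not get its replies back INSIDE -> OUTSIDE
! unless a matching pass class is also added to INSIDE-TO-OUTSIDE.
class-map type inspect match-any ICMP-Class
 match protocol icmp
policy-map type inspect OUTSIDE-TO-INSIDE
 class type inspect ICMP-Class
  pass
 class class-default
  drop
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE
```

Use show policy-map type inspect zone-pair session on the IN-OUT zone-pair to see the inspected HTTP sessions as in the exhibit; passed traffic creates no session entries.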
Question 4
When configuring Cisco IOS Zone-Based Policy Firewall, what are the three actions that can be applied to a traffic class? (Choose three)
A. Pass
B. Police
C. Inspect
D. Drop
E. Queue
F. Shape
Answer: A C D
Explanation
Please read the explanation of Question 3.
Question 5
Which type of firewall is needed to open appropriate UDP ports required for RTP streams?
A. Proxy firewall
B. Packet filtering firewall
C. Stateful firewall
D. Stateless firewall
Answer: C
Question 6
What is a static packet-filtering firewall used for?
A. It analyzes network traffic at the network and transport protocol layers.
B. It validates the fact that a packet is either a connection request or a data packet belonging to a connection.
C. It keeps track of the actual communication process through the use of a state table.
D. It evaluates network packets for valid data at the application layer before allowing connections.
Answer: A
Question 7
Which information is stored in the stateful session flow table while using a stateful firewall?
A. all TCP and UDP header information only
B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session
C. the outbound and inbound access rules (ACL entries)
D. the inside private IP address and the translated inside global IP address
Answer: B
Question 8
Which firewall best practices can help mitigate worm and other automated attacks?
A. Restrict access to firewalls
B. Segment security zones
C. Use logs and alerts
D. Set connection limits
Answer: D
Question 9
In a Cisco IOS Zone-Based Policy Firewall, where is the inspection policy applied?
A. to the interface
B. to the zone-pair
C. to the global service policy
D. to the zone
Answer: B
Question 10
Which two actions can be configured to allow traffic to traverse an interface when zone-based security is being employed? (Choose two)
A. Flow
B. Inspect
C. Pass
D. Allow
Answer: B C
Question 11
Which feature is a potential security weakness of a traditional stateful firewall?
A. It cannot ensure each TCP connection follows a legitimate TCP three-way handshake
B. It cannot detect application-layer attacks
C. It cannot support UDP flows
D. The status of TCP sessions is retained in the state table after the sessions terminate
Answer: B