CCNA Security Practice Exam – 10 Questions on the IOS Firewall Set

Earning your CCNA Security certification is a incredible increase to your occupation and your profession potential customers! To enable you prepare for overall results on examination working day, in this article are 10 complimentary concerns on the IOS Firewall established. Answers are at the end of the posting. Appreciate!

1. Define the term “DMZ” as it pertains to network protection, and title three different popular network gadgets that are generally found there.

2. Detect the genuine statements.

A. Stateless packet filtering considers the TCP connection state.

B. Stateful packet filtering considers the TCP connection point out.

C. Neither stateless nor stateful packet filtering watch the TCP link point out.

D. Both equally stateless and stateful packet filtering check the TCP link state, and continue to keep a condition desk that contains that facts.

3. Does the Cisco IOS Firewall element established act as a stateful or stateless packet filter?

4. Which of the next are thought of parts of the IOS Firewall aspect established?

A. IOS Firewall
B. Intrusion Avoidance Technique
C. RADIUS
D. Authentication Proxy
E. Password Encryption

5. Detect the genuine statements relating to the Authentication Proxy.

A. It’s section of the IOS Firewall Function Set.
B. It lets creation of for every-user safety profiles, fairly than more normal profiles.
C. It enables development of general protection profiles, but not per-consumer profiles.
D. Profiles can be stored regionally, but not remotely.
E. Profiles can be saved on a RADIUS server.
F. Profiles can be stored on a TACACS + server.

6. Configuring ACLs is an essential section of doing work with the IOS Firewall. What wildcard masks are changed in ACLs by the words host and any?

7. What does the dollar indication in the subsequent ACL line suggest?

R1 (config) # $ 150 deny ip 172.50.50. …255 172.50.100. …255

8. Generally, how does an IOS Firewall prevent a TCP SYN attack?

9. What does the term “punch a gap in the firewall” refer to? (Logically, that is, not bodily.)

10. What exactly does the router-visitors alternative in the pursuing configuration do?

R4 (config) #ip examine name PASSCCNASECURITY tcp router-targeted visitors
R4 (config) #ip inspect name PASSCCNASECURITY udp router-visitors
R4 (config) #ip examine name PASSCCNASECURITY icmp router-traffic

In this article are the responses!

1. It’s easy to imagine of your network as the “inside”, and anything else as “outside”. Having said that, we’ve received a 3rd spot when it will come to firewalls – the DMZ.

From an IT standpoint, the DMZ is the portion of our network that is uncovered to outside networks. It’s widespread to discover the pursuing units in a DMZ:

FTP server
Electronic mail server
E-commerce server
DNS servers
World-wide-web servers

2. (B.) Stateful packet filtering does monitor the relationship condition, and that’s significantly significant when it arrives to preventing TCP assaults. A stateful firewall will not only keep an eye on the state of the TCP link, but also the sequence figures. Stateful firewalls accomplish this by holding a session table, or condition table.

3. The Cisco IOS Firewall is a stateful filter.

4. (A, B, D.) There are a few significant components to the IOS Firewall element established – the IOS Firewall, the Intrusion Prevention Procedure (IPS), and the Authentication Proxy.

5. (A, B, E, F. T he Authentication Proxy enables us to make protection profiles that will be applied on a for each-user foundation, instead than a for every-subnet or for every-tackle foundation. These profiles can be kept on either of the following:

RADIUS server

TACACS + server

On profitable authentication, that certain user’s stability plan is downloaded from the RADIUS or TACACS + server and utilized by the IOS Firewall router.

6. We have the solution of utilizing the term host to symbolize a wildcard mask of …. Look at a configuration where by only packets from IP supply 10.1.1.1 should be authorized and all other packets denied. The following ACLs both of those do that.

R3 # conf t

R3 (config) # obtain-list 6 allow 10.1.1.1 …

R3 (config) #conf t

R3 (config) # entry-list 7 permit host 10.1.1.1

The keyword any can be utilized to stand for a wildcard mask of 255.255.255.255. Equally of the pursuing strains permit all targeted visitors.

R3 (config) # obtain-record 15 allow any

R3 (config) # access-list 15 permit … 255.255.255.255

There’s no “proper” or “mistaken” choice to make when you’re configuring ACLs in the authentic globe. For your examination, although, I’d be extremely acquainted with the suitable use of host and any.

7. The dollar signal only signifies that part of the command you’re moving into or viewing can’t be shown mainly because the entry is so extended. It does not necessarily mean the command is unlawful.

8. The IOS Firewall can use any or all of the next values ​​to detect when a TCP SYN attack is underway:

Overall complete of incomplete TCP sessions

Selection of incomplete TCP periods in a specific amount of time

Quantity of incomplete TCP classes on a for each-host basis

When any of these thresholds are achieved, possibly of the subsequent steps can be taken:

Block all incoming SYN packets for a selected interval of time

Transmit a RST to equally events in the oldest incomplete session

We’ll look at unique scenarios in long term tutorials.

9. That time period simply refers to configuring the firewall to open up a port that was formerly shut. Don’t fail to remember to shut it when you no for a longer time will need it to be open up!

10. If you’re going to examine targeted traffic that is in fact produced on the router, you require to incorporate the router-site visitors solution at the finish of that specific ip examine statement.

Look for far more Cisco certification apply tests and thoroughly-illustrated tutorials on my web-site!

Leave a Reply

Your email address will not be published.