Which statement describes the purpose of a firewall?
Network Security (Version 1) – Network Security 1.0 Modules 8-10: ACLs and Firewalls Group Exam Answers
1. When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device?
Explanation: To document the purpose of an ACL and make its function easier to identify, the remark keyword is used when building the ACL. The established keyword does something different: it matches TCP return traffic (segments with the ACK or RST bit set) belonging to sessions that were initiated from the inside. The eq operator specifies a port number for denying or permitting traffic. The description keyword is used when configuring and documenting interfaces, not ACLs.

2. Which two pieces of information are required when creating a standard access control list? (Choose two.)
Explanation: Standard ACLs can be numbered 1 to 99 and 1300 to 1999 (or given a name). Standard IP ACLs filter only on the source IP address, so the two pieces of information needed are the ACL number (or name) and the source address with its wildcard mask.

3. What two steps provide the quickest way to completely remove an ACL from a router? (Choose two.)
Explanation: Completely removing an ACL from a router takes two steps: remove the ACL itself with the no access-list command, and remove the association of the ACL with the interface it was applied to (no ip access-group in interface configuration mode). On IOS an interface that is still bound to an ACL that no longer exists permits all traffic, so remove the interface binding first if a filtering gap is a concern.

4. Which two types of addresses should be denied inbound on a router interface that attaches to the Internet? (Choose two.)
Explanation: The following source addresses should not be permitted inbound from the Internet, because none of them can legitimately originate there and all of them are used in IP spoofing and DoS attacks: private addresses from the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback addresses (127.0.0.0/8), multicast addresses (224.0.0.0/4), and the organization's own internal address space.

5. In the creation of an IPv6 ACL, what is the purpose of the implicit final command entries, permit icmp any any nd-na and permit icmp any any nd-ns?
Explanation: IPv6 address-to-MAC address resolution is performed by exchanging ICMPv6 Neighbor Discovery packets, namely neighbor solicitation (nd-ns) and neighbor advertisement (nd-na) messages. Unless these packets are permitted on a router interface, the interface cannot perform address resolution, so IOS adds the two implicit permit entries ahead of the implicit deny. They are evaluated after all configured entries, so an explicitly configured deny ipv6 any any overrides them and breaks Neighbor Discovery.

6. What two statements describe characteristics of IPv6 access control lists? (Choose two.)
Explanation: IPv6 access lists have characteristics that differ from IPv4 access lists: they are always named (there are no numbered IPv6 ACLs), they use a prefix length instead of a wildcard mask, they are applied to an interface with the ipv6 traffic-filter command instead of ip access-group, and in addition to the implicit deny ipv6 any any they end with two implicit permit entries for ICMPv6 neighbor discovery (nd-na and nd-ns).

7. Refer to the exhibit. A network administrator created an IPv6 ACL to block the Telnet traffic from the 2001:DB8:CAFE:10::/64 network to the 2001:DB8:CAFE:30::/64 network. What is a command the administrator could use to allow only a single host 2001:DB8:CAFE:10::A/64 to telnet to the 2001:DB8:CAFE:30::/64 network?
Explanation: When an IPv6 ACE must be processed before an existing ACE, the new command must use the sequence argument with a number lower than that of the existing entry. IOS assigns default sequence numbers in increments of 10, so a new entry with sequence 5 is placed in front of the existing entry with sequence 10, for example permit tcp host 2001:DB8:CAFE:10::A 2001:DB8:CAFE:30::/64 eq 23 sequence 5. Because an ACL is processed top-down and the first match wins, the host-specific permit must precede the network-wide deny.

8. When implementing components into an enterprise network, what is the purpose of a firewall?
Explanation: A firewall is a system that enforces an access control policy and prevents the exposure of sensitive hosts, resources, and applications to untrusted users.

9. What are two possible limitations of using a firewall in a network? (Choose two.)
Explanation: Firewalls have some limitations: a misconfigured firewall can have serious consequences for the network, such as becoming a single point of failure; not all applications can be passed through a firewall securely; users may look for ways around the firewall to reach blocked material, exposing the network to attack; network performance can slow down; and unauthorized traffic can be tunneled or hidden inside traffic the firewall permits.

10. Which type of firewall makes use of a proxy server to connect to remote servers on behalf of clients?
Explanation: An application gateway firewall, also called a proxy firewall, filters information at Layers 3, 4, 5, and 7 of the OSI model. It uses a proxy server to connect to remote servers on behalf of clients. Remote servers see only a connection from the proxy server, not from the individual clients.

11. How does a firewall handle traffic when it is originating from the public network and traveling to the private network?
Explanation: Traffic originating on the public network and destined for the private network is blocked by default. Traffic originating on the private network is selectively permitted out to the public network, and the return traffic belonging to those sessions is allowed back in because the firewall tracks the sessions in its state table.

12. Which two statements describe the two configuration models for Cisco IOS firewalls? (Choose two.)
Explanation: There are two configuration models for Cisco IOS firewalls: IOS Classic Firewall and zone-based policy firewall (ZPF). Both models can be enabled concurrently on a router, but they cannot be combined on a single interface. One benefit of ZPF is that it does not depend on ACLs; policies are applied to zone pairs rather than to individual interfaces.

13. Designing a ZPF requires several steps. Which step involves dictating the number of devices between most-secure and least-secure zones and determining redundant devices?
Explanation: Designing a ZPF involves several steps: determine the zones; establish policies between zones; design the physical infrastructure, which is the step that dictates the number of devices between the most-secure and least-secure zones and determines where redundant devices are needed; and identify subsets within zones and merge traffic requirements.

14. When a Cisco IOS zone-based policy firewall is being configured, which three actions can be applied to a traffic class? (Choose three.)
Explanation: The inspect action is similar to the classic firewall ip inspect command: it inspects traffic going through the firewall and allows return traffic that is part of the same flow to pass back through. The drop action is similar to the deny parameter in an ACL and discards whatever traffic matches the class. The pass action is similar to a permit ACL statement: traffic is allowed through because it met the criteria of the policy, but no state is kept, so return traffic is not automatically allowed.

15. When using Cisco IOS zone-based policy firewall, where is the inspection policy applied?
Explanation: After configuring the firewall policy (the policy-map type inspect), apply it to the traffic that flows between a pair of zones. The zone pair is created with the zone-pair security command in global configuration mode, and the policy is attached to it with service-policy type inspect inside the zone-pair configuration. A zone pair is unidirectional, so the policy applies only to traffic from the source zone to the destination zone.

16. What is the first step in configuring a Cisco IOS zone-based policy firewall via the CLI?
Explanation: The steps for configuring a Cisco IOS zone-based policy firewall are as follows: create the zones (zone security); identify the traffic with a class map (class-map type inspect); define an action for that traffic in a policy map (policy-map type inspect); identify a zone pair and assign the policy map to it (zone-pair security, then service-policy type inspect); and assign the interfaces to zones (zone-member security). Creating the zones comes first because both the zone pair and the interface assignments refer to them.

17. What is one benefit of using a stateful firewall instead of a proxy server?
Explanation: A stateful firewall performs better than a proxy server because it does not terminate and re-originate every connection. A stateful firewall cannot authenticate users or prevent Layer 7 attacks. Both a stateful firewall and a proxy server can filter packets.

18. Which statement describes a typical security policy for a DMZ firewall configuration?
Explanation: With a DMZ, a typical policy is as follows: traffic originating from the inside network is inspected as it travels to the outside or to the DMZ and is selectively permitted; return traffic from the outside or the DMZ to the inside is permitted only when it belongs to an existing session; traffic originating from the outside to the DMZ is selectively permitted, only to the published services; traffic originating from the DMZ to the inside is denied; and traffic originating from the outside to the inside is denied.

19. What is one limitation of a stateful firewall?
Explanation: Limitations of stateful firewalls include the following: they cannot prevent application layer attacks because they do not inspect the payload; not all protocols are stateful, so UDP and ICMP traffic must be tracked with approximations (pseudo-sessions based on timeouts); some applications open multiple connections on dynamically negotiated ports, which a state table cannot predict without application awareness; and they do not support user authentication.

20. Which statement describes Cisco IOS Zone-Based Policy Firewall operation?
Explanation: The pass action allows traffic in one direction only. Interfaces are not members of the self zone; the self zone is the router itself and covers traffic sourced from or destined to the router's own IP addresses. Interfaces are assigned to zones in interface configuration mode, but most of the configuration takes place in global configuration mode and its submodes. An interface can belong to only one zone at any time.

21. What is the result in the self zone if a router is the source or destination of traffic?
Explanation: The self zone is the router itself, so traffic that originates from or is destined to one of the router's own IP addresses (management sessions, routing protocol updates, and so on) belongs to the self zone. By default all such traffic is permitted; it is restricted only if a zone pair that includes the self zone has a policy applied to it.

22. What are two characteristics of ACLs? (Choose two.)
Explanation: Standard ACLs can only filter on source addresses. That is why they are normally placed closest to the destination: placed near the source, they would also cut off traffic to destinations that should remain reachable. Extended ACLs can filter on source and destination IP addresses, port numbers, and specific message types within a protocol, such as an echo request within ICMP, so they can be placed close to the source.

23. Which three statements describe ACL processing of packets? (Choose three.)
Explanation: When a packet arrives on a router interface that has an ACL configured, the router compares the packet against each ACE in order, from the top of the list down, to determine whether the condition is met. If it is, the router takes the action defined in that ACE (permits the packet or discards it) and stops processing the list. If it is not, the router proceeds to the next ACE. An implicit deny any statement is at the end of every ACL, standard or extended, so a packet that matches no ACE is discarded.

24. A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255 . Which two IP addresses will match this ACL statement? (Choose two.)
Explanation: The wildcard mask 0.0.15.255 means the first two octets must match exactly, while the low four bits of the third octet and all of the fourth octet are ignored, so any address in the range 172.16.0.0 to 172.16.15.255 matches.

25. What single access list statement matches all of the following networks?
Explanation: The ACL statement access-list 10 permit 192.168.16.0 0.0.3.255 matches all four network prefixes (the four /24 networks 192.168.16.0 through 192.168.19.0). All four share the same 22 high-order bits, and those 22 bits are exactly what the address and wildcard mask 192.168.16.0 0.0.3.255 require to match; the remaining 10 bits are don't-care bits.

26. Which two characteristics are shared by both standard and extended ACLs? (Choose two.)
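Questions 23 to 25 describe the matching rule in words; the following Python model, added here and not part of the course or of Cisco IOS, makes it concrete. It implements wildcard-mask matching exactly as the router does (mask both sides with the inverted wildcard and compare), top-down first-match processing with the implicit deny, and the summarization that turns the four /24 networks of question 25 into a single address/wildcard pair. The addresses are those of questions 24 and 25; the function names and sample ACLs are this example's own.

```python
"""Model of how a Cisco router matches a standard ACL: wildcard masks,
top-down first-match processing and the implicit deny.

Added example written for this page; it is not course material or IOS code.
The addresses come from questions 24 and 25 above; the function names and the
sample ACLs are this example's own.
"""
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, wildcard: str, candidate: str) -> bool:
    """True if candidate falls within address/wildcard.

    A wildcard mask is the inverse of a subnet mask: a 0 bit must match the
    configured address, a 1 bit is "don't care".  Masking both sides with the
    inverted wildcard and comparing is exactly what the router does.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(candidate) & care)


def evaluate_standard_acl(aces, source: str) -> str:
    """Walk the ACEs in configured order; the first match decides.

    aces: list of (action, address, wildcard) tuples.  If nothing matches,
    the packet hits the implicit 'deny any' that ends every ACL.
    """
    for action, address, wildcard in aces:
        if wildcard_match(address, wildcard, source):
            return action
    return "deny"


def summarize_wildcard(networks):
    """Return (address, wildcard, common_bits) for the single ACE that covers
    all of `networks`.  The common high-order bits become the address; every
    bit below the highest differing bit becomes a don't-care bit.  When the
    inputs are not an aligned, contiguous block the result matches more than
    was listed, which is worth checking before pasting it into a permit."""
    ints = [to_int(n) for n in networks]
    diff = 0
    for value in ints[1:]:
        diff |= ints[0] ^ value
    common_bits = 32 - diff.bit_length()
    wildcard = (1 << (32 - common_bits)) - 1
    address = ints[0] & ~wildcard & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(address)),
            str(ipaddress.IPv4Address(wildcard)),
            common_bits)


# Ordering matters: a host-specific deny only works if it is listed before
# the broader permit, because the first match wins.
HOST_DENY_FIRST = [("deny", "192.168.16.5", "0.0.0.0"),
                   ("permit", "192.168.16.0", "0.0.3.255")]
HOST_DENY_LAST = [("permit", "192.168.16.0", "0.0.3.255"),
                  ("deny", "192.168.16.5", "0.0.0.0")]

if __name__ == "__main__":
    # access-list 1 permit 172.16.0.0 0.0.15.255  (question 24)
    for host in ("172.16.15.1", "172.16.16.1"):
        print(host, wildcard_match("172.16.0.0", "0.0.15.255", host))
    # question 25: one statement for four /24 networks
    print(summarize_wildcard(["192.168.16.0", "192.168.17.0",
                              "192.168.18.0", "192.168.19.0"]))
    print(evaluate_standard_acl(HOST_DENY_FIRST, "192.168.16.5"),
          evaluate_standard_acl(HOST_DENY_LAST, "192.168.16.5"))
```

Running it shows 172.16.15.1 matching and 172.16.16.1 not matching the question 24 statement, the four networks collapsing to 192.168.16.0 0.0.3.255 with 22 common bits, and the same host being denied or permitted depending only on whether its deny precedes the permit.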
Explanation: Standard ACLs filter traffic based solely on the source IP address. Extended ACLs can filter by source and destination address, protocol, and port. Both standard and extended ACLs contain an implicit deny as their final statement, and both can be identified by either a name or a number.

27. Refer to the exhibit. What is the result of adding the established argument to the end of the ACE?
Explanation: The established argument allows TCP return traffic from established connections to enter the network: it matches only TCP segments that have the ACK or RST bit set, which is what replies to an inside-initiated session carry. It does not track connection state, so a crafted packet with the ACK bit set from outside will also match; a stateful firewall is needed to close that gap.

28. Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.)
Explanation: The host keyword is used for a single device IP address in an ACL. For example, deny host 192.168.5.5 is the same as deny 192.168.5.5 0.0.0.0. The any keyword matches any address, so permit any is the same as permit 0.0.0.0 255.255.255.255.

29. If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?
Explanation: A best practice for configuring an extended ACL is to place the most specific ACE higher in the ACL. Consider the two permit UDP statements. If both were in the same ACL, the SNMP ACE is more specific than the UDP statement that permits a range of 10,001 UDP port numbers, so the SNMP ACE should be entered before the other UDP ACE. The most specific of the ACEs, which should therefore be listed first, is permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap.

30. To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?
Explanation: By allowing the ICMP echo reply message inbound to the organization, internal users can ping external addresses and receive the replies, while inbound echo requests, which would let outside hosts probe the internal network, remain blocked.

31. A security specialist designs an ACL to deny access to a web server from all sales staff. The sales staff are assigned addressing from the IPv6 subnet 2001:db8:48:2c::/64. The web server is assigned the address 2001:db8:48:1c::50/64. Configuring the WebFilter ACL on the LAN interface for the sales staff will require which three commands? (Choose three.)
Explanation: The ACL requires an ACE denying traffic from the sales subnet 2001:db8:48:2c::/64 to the web server host 2001:db8:48:1c::50. Because an IPv6 ACL also has an implicit deny, a permit ipv6 any any statement is required to allow all other traffic. With IPv6, the ipv6 traffic-filter command (not ip access-group) is used to bind the ACL to the interface, inbound on the sales staff LAN interface in this case.

32. What are two characteristics of a stateful firewall? (Choose two.)
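The IPv6 questions above (7 and 31) turn on three things that are easy to get wrong at the CLI: the sequence number decides where an entry lands, matching uses prefix lengths rather than wildcard masks, and the implicit neighbor-discovery permits sit after every configured entry. The Python model below, added here and not course material or IOS code, reproduces that processing. The prefixes are those of questions 7 and 31; the Ace and packet structures, function names and sample flows are this example's own.

```python
"""Model of Cisco IPv6 ACL processing: sequence-numbered entries, prefix
matching, and the three implicit entries IOS appends (permit nd-na, permit
nd-ns, deny ipv6 any any).

Added example written for this page, not course material or IOS code.  The
prefixes are those of questions 7 and 31 above; the Ace/packet structures,
the function names and the sample flows are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY6 = ipaddress.IPv6Network("::/0")


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                       # "permit" or "deny"
    proto: str                        # "ipv6" (any protocol), "tcp", "udp", "icmp"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dport: Optional[int] = None       # "eq <port>" on the destination
    icmp_msg: Optional[str] = None    # ICMPv6 message keyword, e.g. "nd-ns"


def net(text: str) -> ipaddress.IPv6Network:
    """'any' -> ::/0, 'host X' -> X/128, otherwise an IPv6 prefix."""
    if text == "any":
        return ANY6
    if text.startswith("host "):
        return ipaddress.IPv6Network(text[5:] + "/128")
    return ipaddress.IPv6Network(text, strict=False)


# Appended by IOS after every configured entry, in this order.
IMPLICIT = [
    Ace(10**9, "permit", "icmp", ANY6, ANY6, icmp_msg="nd-na"),
    Ace(10**9 + 1, "permit", "icmp", ANY6, ANY6, icmp_msg="nd-ns"),
    Ace(10**9 + 2, "deny", "ipv6", ANY6, ANY6),
]


def add_ace(acl, ace):
    """Insert an entry keeping sequence order, like the 'sequence' keyword."""
    if any(a.seq == ace.seq for a in acl):
        raise ValueError(f"sequence {ace.seq} already in use")
    return sorted(acl + [ace], key=lambda a: a.seq)


def matches(ace, pkt):
    if ace.proto != "ipv6" and ace.proto != pkt["proto"]:
        return False
    if ipaddress.IPv6Address(pkt["src"]) not in ace.src:
        return False
    if ipaddress.IPv6Address(pkt["dst"]) not in ace.dst:
        return False
    if ace.dport is not None and pkt.get("dport") != ace.dport:
        return False
    if ace.icmp_msg is not None and pkt.get("icmp_msg") != ace.icmp_msg:
        return False
    return True


def evaluate(acl, pkt):
    """First match wins; returns (action, seq) so the deciding entry is visible."""
    for ace in sorted(acl, key=lambda a: a.seq) + IMPLICIT:
        if matches(ace, pkt):
            return ace.action, ace.seq
    raise AssertionError("unreachable: the implicit deny matches everything")


# Question 7: deny Telnet from ::10 to ::30, permit everything else (seq 10/20);
# the exception for one host is a permit inserted at sequence 5.
Q7_ACL = [
    Ace(10, "deny", "tcp", net("2001:DB8:CAFE:10::/64"),
        net("2001:DB8:CAFE:30::/64"), dport=23),
    Ace(20, "permit", "ipv6", ANY6, ANY6),
]
Q7_FIX = Ace(5, "permit", "tcp", net("host 2001:DB8:CAFE:10::A"),
             net("2001:DB8:CAFE:30::/64"), dport=23)
TELNET_FROM_A = {"proto": "tcp", "src": "2001:DB8:CAFE:10::A",
                 "dst": "2001:DB8:CAFE:30::1", "dport": 23}

# Question 31: WebFilter.  Ending it with an explicit 'deny ipv6 any any'
# instead of the permit would sit above the implicit ND permits and break
# address resolution on the interface.
WEBFILTER = [
    Ace(10, "deny", "ipv6", net("2001:db8:48:2c::/64"),
        net("host 2001:db8:48:1c::50")),
    Ace(20, "permit", "ipv6", ANY6, ANY6),
]
NEIGHBOR_SOLICIT = {"proto": "icmp", "src": "fe80::1",
                    "dst": "ff02::1:ff00:50", "icmp_msg": "nd-ns"}

if __name__ == "__main__":
    print("q7 before fix:", evaluate(Q7_ACL, TELNET_FROM_A))
    print("q7 after fix: ", evaluate(add_ace(Q7_ACL, Q7_FIX), TELNET_FROM_A))
    print("ND with permit any:", evaluate(WEBFILTER, NEIGHBOR_SOLICIT))
    explicit_deny = WEBFILTER[:1] + [Ace(20, "deny", "ipv6", ANY6, ANY6)]
    print("ND with explicit deny any:", evaluate(explicit_deny, NEIGHBOR_SOLICIT))
```

The returned sequence number is the useful part: it tells you which entry decided the packet, which is the same thing the ACE hit counters in show ipv6 access-list tell you on a real router, and it makes the explicit-deny-breaks-ND case visible as a hit on sequence 20 instead of on the implicit nd-ns entry.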
Explanation: Stateful firewalls are the most versatile and the most common firewall technology in use. They provide stateful packet filtering by using connection information maintained in a state table. Stateful filtering is a firewall architecture that is classified at the network layer; it also analyzes traffic at OSI Layers 4 and 5. Stateful firewalls cannot prevent application layer attacks because they do not examine the actual contents of an HTTP connection.

33. What are two differences between stateful and stateless firewalls? (Choose two.)
Explanation: There are many differences between a stateless and a stateful firewall. A stateless (packet-filtering) firewall examines each packet on its own, using only header fields such as addresses, protocol and ports, so it needs an explicit rule for return traffic and can be fooled by crafted headers. A stateful firewall records each permitted session in a state table, allows the return traffic of that session automatically, and can detect packets that do not belong to any session; the cost is more memory and processing per connection, and it still cannot see into the application payload.

34. When implementing a ZPF, what is the default security setting when forwarding traffic between two interfaces in the same zone?
Explanation: A zone-based policy firewall uses the concept of zones to specify where firewall rules and policies are applied. By default, traffic between interfaces that belong to the same zone is not subject to any policy and passes freely.

35. Which two rules about interfaces are valid when implementing a Zone-Based Policy Firewall? (Choose two.)
Explanation: The rules for traffic transiting the router are as follows: if neither interface is a zone member, the traffic is passed; if both interfaces are members of the same zone, the traffic is passed; if one interface is a zone member and the other is not, the traffic is dropped; and if the interfaces are in different zones, the traffic is dropped unless a zone pair exists for that direction with a policy that passes or inspects it.