CCNA Safety Practice Exam
Earning your CCNA Safety certification is a tremendous increase to your profession and your profession prospects! To assistance you prepare for total accomplishment on exam day, right here are 10 complimentary concerns on the IOS Firewall set. Answers are at the finish of the report. Get pleasure from!
1. Define the term “DMZ” as it pertains to network safety, and name 3 various typical network devices that are commonly identified there.
2. Recognize the accurate statements.
A. Stateless packet filtering considers the TCP connection state.
B. Stateful packet filtering considers the TCP connection state.
C. Neither stateless nor stateful packet filtering monitor the TCP connection state.
D. Each stateless and stateful packet filtering monitor the TCP connection state, and maintain a state table containing that info.
3. Does the Cisco IOS Firewall function set act as a stateful or stateless packet filter?
4. Which of the following are regarded as components of the IOS Firewall function set?
A. IOS Firewall B. Intrusion Prevention Technique C. RADIUS D. Authentication Proxy E. Password Encryption
5. Recognize the accurate statements relating to the Authentication Proxy.
A. It really is portion of the IOS Firewall Function Set. B. It permits creation of per-user safety profiles, rather than a lot more basic profiles. C. It permits creation of basic safety profiles, but not per-user profiles. D. Profiles can be stored locally, but not remotely. E. Profiles can be stored on a RADIUS server. F. Profiles can be stored on a TACACS+ server.
6. Configuring ACLs is an vital portion of functioning with the IOS Firewall. What wildcard masks are replaced in ACLs by the words host and any?
7. What does the dollar sign in the following ACL line indicate?
R1(config)#$ 150 deny ip 172.50.50. …255 172.50.100. …255
8. Fundamentally, how does an IOS Firewall avert a TCP SYN attack?
9. What does the term “punch a hole in the firewall” refer to? (Logically, that is, not physically.)
10. What precisely does the router-site visitors choice in the following configuration do?
R4(config)#ip inspect name PASSCCNASECURITY tcp router-site visitors R4(config)#ip inspect name PASSCCNASECURITY udp router-site visitors R4(config)#ip inspect name PASSCCNASECURITY icmp router-site visitors
Right here are the answers!
1. It really is straightforward to assume of your network as the “inside”, and almost everything else as “outdoors”. Nonetheless, we've got a third region when it comes to firewalls – the DMZ.
From an IT standpoint, the DMZ is the portion of our network that is exposed to outdoors networks. It really is typical to come across the following devices in a DMZ:
FTP server E mail server E-commerce server DNS servers Net servers
2. (B.) Stateful packet filtering does monitor the connection state, and that is especially vital when it comes to stopping TCP attacks. A stateful firewall will not only monitor the state of the TCP connection, but also the sequence numbers. Stateful firewalls achieve this by maintaining a session table, or state table.
3. The Cisco IOS Firewall is a stateful filter.
4. (A, B, D.) There are 3 important elements to the IOS Firewall function set – the IOS Firewall, the Intrusion Prevention Technique (IPS), and the Authentication Proxy.
5. (A, B, E, F. T he Authentication Proxy permits us to develop safety profiles that will be applied on a per-user basis, rather than a per-subnet or per-address basis. These profiles can be kept on either of the following:
Upon profitable authentication, that specific user's safety policy is downloaded from the RADIUS or TACACS+ server and applied by the IOS Firewall router.
6. We have the choice of employing the word host to represent a wildcard mask of …. Contemplate a configuration exactly where only packets from IP supply 10.1.1.1 ought to be permitted and all other packets denied. The following ACLs each do that.
R3(config)#access-list six permit 10.1.1.1 …
R3(config)#access-list 7 permit host 10.1.1.1
The keyword any can be applied to represent a wildcard mask of 255.255.255.255. Each of the following lines permit all site visitors.
R3(config)#access-list 15 permit any
R3(config)#access-list 15 permit … 255.255.255.255
There is no “ideal” or “incorrect” selection to make when you happen to be configuring ACLs in the actual globe. For your exam, although, I'd be extremely familiar with the appropriate use of host and any.
7. The dollar sign just indicates that portion of the command you happen to be getting into or viewing cannot be shown since the entry is so extended. It does not imply the command is illegal.
8. The IOS Firewall can use any or all of the following values to detect when a TCP SYN attack is underway:
All round total of incomplete TCP sessions
Quantity of incomplete TCP sessions in a particular quantity of time
Quantity of incomplete TCP sessions on a per-host basis
When any of these thresholds are reached, either of the following actions can be taken:
Block all incoming SYN packets for a particular period of time
Transmit a RST to each parties in the oldest incomplete session
We'll appear at precise situations in future tutorials.
9. That term just refers to configuring the firewall to open a port that was previously closed. Never neglect to close it when you no longer will need it to be open!
10. If you happen to be going to inspect site visitors that is really generated on the router, you will need to consist of the router-site visitors choice at the finish of that specific ip inspect statement.
Appear for a lot more Cisco certification practice exams and totally-illustrated tutorials on my internet site!