Ensurepass

QUESTION 121

The host A Layer 2 port is configured in VLAN 5 on switch 1, and the host B Layer 2 port is configured in VLAN 10 on switch 1. Which two actions can you take to enable the two hosts to communicate with each other? (Choose two.)

A. Configure inter-VLAN routing.

B. Connect the hosts directly through a hub.

C. Configure switched virtual interfaces.

D. Connect the hosts directly through a router.

Correct Answer: AC

Explanation:

VLANs divide broadcast domains in a LAN environment. Whenever hosts in one VLAN need to communicate with hosts in another VLAN, the traffic must be routed between them. This is known as inter-VLAN routing. On Catalyst switches it is accomplished by creating Layer 3 interfaces, called switched virtual interfaces (SVIs).

Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html

QUESTION 122

Which two pieces of information should you acquire before you troubleshoot an STP loop? (Choose two.)

A. topology of the routed network

B. topology of the switched network

C. location of the root bridge

D. number of switches in the network

Correct Answer: BC

Explanation:

Forwarding loops vary greatly both in their origin (cause) and effect. Due to the wide variety of issues that can affect STP, this document can only provide general guidelines about how to troubleshoot forwarding loops.

Before you start to troubleshoot, you must obtain this information:

STP configuration details, such as which switch is the root and backup root, which links have a non-default cost or priority, and the location of blocking ports.

Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/28943-170.html

QUESTION 123

Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement?

A. nested object-class

B. class-map

C. extended wildcard matching

D. object groups

Correct Answer: D

Explanation:

Reference: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/objectgroups.html

Information About Object Groups

By grouping like objects together, you can use the object group in an ACE instead of having to enter an ACE for each object separately. You can create the following types of object groups:

- Protocol

- Network

- Service

- ICMP type

For example, consider the following three object groups:

- MyServices – Includes the TCP and UDP port numbers of the service requests that are allowed access to the internal network.

- TrustedHosts – Includes the host and network addresses allowed access to the greatest range of services and servers.

- PublicServers – Includes the host addresses of servers to which the greatest access is provided.

After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers.

You can also nest object groups in other object groups.

QUESTION 124

When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a traffic class? (Choose three.)

A. pass

B. police

C. inspect

D. drop

E. queue

F. shape

Correct Answer: ACD

Explanation:

Reference: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Zone-Based Policy Firewall Actions

ZFW provides three actions for traffic that traverses from one zone to another:

Drop – This is the default action for all traffic, as applied by the “class class-default” that terminates every inspect-type policy-map. Other class-maps within a policy-map can also be configured to drop unwanted traffic.

Traffic that is handled by the drop action is “silently” dropped (i.e., no notification of the drop is sent to the relevant end-host) by the ZFW, as opposed to an ACL’s behavior of sending an ICMP “host unreachable” message to the host that sent the denied traffic. Currently, there is not an option to change the “silent drop” behavior. The log option can be added with drop for syslog notification that traffic was dropped by the firewall.

Pass – This action allows the router to forward traffic from one zone to another. The pass action does not track the state of connections or sessions within the traffic. Pass only allows the traffic in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction. The pass action is useful for protocols such as IPSec ESP, IPSec AH, ISAKMP, and other inherently secure protocols with predictable behavior. However, most application traffic is better handled in the ZFW with the inspect action.

Inspect – The inspect action offers state-based traffic control. For example, if traffic from the private zone to the Internet zone in the earlier example network is inspected, the router maintains connection or session information for TCP and User Datagram Protocol (UDP) traffic. Therefore, the router permits return traffic sent from Internet-zone hosts in reply to private zone connection requests. Also, inspect can provide application inspection and control for certain service protocols that might carry vulnerable or sensitive application traffic.

Audit-trail can be applied with a parameter-map to record connection/session start, stop, duration, the data volume transferred, and source and destination addresses.

QUESTION 125

With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router when some of the router interfaces are assigned to a zone? (Choose three.)

A. traffic flowing between a zone member interface and any interface that is not a zone member

B. traffic flowing to and from the router interfaces (the self zone)

C. traffic flowing among the interfaces that are members of the same zone

D. traffic flowing among the interfaces that are not assigned to any zone

E. traffic flowing between a zone member interface and another interface that belongs in a different zone

F. traffic flowing to the zone member interface that is returned traffic

Correct Answer: BCD

Explanation:

Reference: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Rules For Applying Zone-Based Policy Firewall

Router network interfaces’ membership in zones is subject to several rules that govern interface behavior, as is the traffic moving between zone member interfaces:

A zone must be configured before interfaces can be assigned to the zone.

An interface can be assigned to only one security zone.

All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone, and traffic to any interface on the router.

Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone. In order to permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.

The self zone is the only exception to the default deny all policy. All traffic to any router interface is allowed until traffic is explicitly denied.

Traffic cannot flow between a zone member interface and any interface that is not a zone member.

Pass, inspect, and drop actions can only be applied between two zones.

Interfaces that have not been assigned to a zone function as classical router ports and might still use classical stateful inspection/CBAC configuration.

If it is required that an interface on the box not be part of the zoning/firewall policy, it might still be necessary to put that interface in a zone and configure a pass all policy (sort of a dummy policy) between that zone and any other zone to which traffic flow is desired.

From the preceding it follows that, if traffic is to flow among all the interfaces in a router, all the interfaces must be part of the zoning model (each interface must be a member of one zone or another).

The only exception to the preceding deny by default approach is the traffic to and from the router, which will be permitted by default. An explicit policy can be configured to restrict such traffic.

QUESTION 126

Which two options are advantages of an application layer firewall? (Choose two.)

A. provides high-performance filtering

B. makes DoS attacks difficult

C. supports a large number of applications

D. authenticates devices

E. authenticates individuals

Correct Answer: BE

Explanation:

Reference: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_white_paper0900aecd8058ec85.html

Adding Intrusion Prevention

Gartner’s definition of a next-generation firewall is one that combines firewall filtering and intrusion prevention systems (IPSs). Like firewalls, IPSs filter packets in real time. But instead of filtering based on user profiles and application policies, they scan for known malicious patterns in incoming code, called signatures. These signatures indicate the presence of malware, such as worms, Trojan horses, and spyware.

Malware can overwhelm server and network resources and cause denial of service (DoS) to internal employees, external Web users, or both. By filtering for known malicious signatures, IPSs add an extra layer of security to firewall capabilities; once the malware is detected by the IPS, the system will block it from the network.

Firewalls provide the first line of defense in any organization’s network security infrastructure. They do so by matching corporate policies about users’ network access rights to the connection information surrounding each access attempt. If the variables don’t match, the firewall blocks the access connection. If the variables do match, the firewall allows the acceptable traffic to flow through the network.

In this way, the firewall forms the basic building block of an organization’s network security architecture. It pays to use one with superior performance to maximize network uptime for business-critical operations. The reason is that the rapid addition of voice, video, and collaborative traffic to corporate networks is driving the need for firewall engines that operate at very high speeds and that also support application-level inspection. While standard Layer 2 and Layer 3 firewalls prevent unauthorized access to internal and external networks, firewalls enhanced with application-level inspection examine, identify, and verify application types at Layer 7 to make sure unwanted or misbehaving application traffic doesn’t join the network. With these capabilities, the firewall can enforce endpoint user registration and authentication and provide administrative control over the use of multimedia applications.

QUESTION 127

Refer to the exhibit. Using a stateful packet firewall and given an inside ACL entry of permit ip 192.16.1.0 0.0.0.255 any, what would be the resulting dynamically configured ACL for the return traffic on the outside ACL?

[Exhibit: image not included in this copy]

A. permit tcp host 172.16.16.10 eq 80 host 192.168.1.11 eq 2300

B. permit ip 172.16.16.10 eq 80 192.168.1.0 0.0.0.255 eq 2300

C. permit tcp any eq 80 host 192.168.1.11 eq 2300

D. permit ip host 172.16.16.10 eq 80 host 192.168.1.0 0.0.0.255 eq 2300

Correct Answer: A

Explanation:

Reference: http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/fwinsp.html

Understanding Inspection Rules

Inspection rules configure Context-Based Access Control (CBAC) inspection commands. CBAC inspects traffic that travels through the device to discover and manage state information for TCP and UDP sessions. The device uses this state information to create temporary openings to allow return traffic and additional data connections for permissible sessions.

CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when inspected traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered inspection when exiting through the firewall.

Inspection rules are applied after your access rules, so any traffic that you deny in the access rule is not inspected. The traffic must be allowed by the access rules at both the input and output interfaces to be inspected. Whereas access rules allow you to control connections at layer 3 (network, IP) or 4 (transport, TCP or UDP protocol), you can use inspection rules to control traffic using application-layer protocol session information.

For all protocols, when you inspect the protocol, the device provides the following functions:

- Automatically opens a return path for the traffic (reversing the source and destination addresses), so that you do not need to create an access rule to allow the return traffic. Each connection is considered a session, and the device maintains session state information and allows return traffic only for valid sessions. Protocols that use TCP contain explicit session information, whereas for UDP applications, the device models the equivalent of a session based on the source and destination addresses and the closeness in time of a sequence of UDP packets. These temporary access lists are created dynamically and are removed at the end of a session.

- Tracks sequence numbers in all TCP packets and drops those packets with sequence numbers that are not within expected ranges.

- Uses timeout and threshold values to manage session state information, helping to determine when to drop sessions that do not become fully established. When a session is dropped, or reset, the device informs both the source and destination of the session to reset the connection, freeing up resources and helping to mitigate potential Denial of Service (DoS) attacks.

QUESTION 128

Which option is the resulting action in a zone-based policy firewall configuration with these conditions?

[Exhibit: image not included in this copy]

A. no impact to zoning or policy

B. no policy lookup (pass)

C. drop

D. apply default policy

Correct Answer: C

Explanation:

Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-zone-pol-fw.html

Zone Pairs

A zone pair allows you to specify a unidirectional firewall policy between two security zones. To define a zone pair, use the zone-pair security command. The direction of the traffic is specified by source and destination zones. The source and destination zones of a zone pair must be security zones.

You can select the default or self zone as either the source or the destination zone. The self zone is a system-defined zone which does not have any interfaces as members. A zone pair that includes the self zone, along with the associated policy, applies to traffic directed to the device or traffic generated by the device. It does not apply to traffic through the device.

The most common usage of firewall is to apply them to traffic through a device, so you need at least two zones (that is, you cannot use the self zone).

To permit traffic between zone member interfaces, you must configure a policy permitting (or inspecting) traffic between that zone and another zone. To attach a firewall policy map to the target zone pair, use the service-policy type inspect command.

The figure below shows the application of a firewall policy to traffic flowing from zone Z1 to zone Z2, which means that the ingress interface for the traffic is a member of zone Z1 and the egress interface is a member of zone Z2.

Figure 2. Zone Pairs [image not included in this copy]

If there are two zones and you require policies for traffic going in both directions (from Z1 to Z2 and Z2 to Z1), you must configure two zone pairs (one for each direction).

If a policy is not configured between zone pairs, traffic is dropped. However, it is not necessary to configure a zone pair and a service policy solely for the return traffic. By default, return traffic is not allowed. If a service policy inspects the traffic in the forward direction and there is no zone pair and service policy for the return traffic, the return traffic is inspected. If a service policy passes the traffic in the forward direction and there is no zone pair and service policy for the return traffic, the return traffic is dropped. In both these cases, you need to configure a zone pair and a service policy to allow the return traffic. In the above figure, it is not mandatory that you configure a zone pair source and destination for allowing return traffic from Z2 to Z1. The service policy on Z1 to Z2 zone pair takes care of it.

QUESTION 129

A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a security level of 100. The second interface is the DMZ interface with a security level of 50. The third interface is the outside interface with a security level of 0. By default, without any access list configured, which five types of traffic are permitted? (Choose five.)

A. outbound traffic initiated from the inside to the DMZ

B. outbound traffic initiated from the DMZ to the outside

C. outbound traffic initiated from the inside to the outside

D. inbound traffic initiated from the outside to the DMZ

E. inbound traffic initiated from the outside to the inside

F. inbound traffic initiated from the DMZ to the inside

G. HTTP return traffic originating from the inside network and returning via the outside interface

H. HTTP return traffic originating from the inside network and returning via the DMZ interface

I. HTTP return traffic originating from the DMZ network and returning via the inside interface

J. HTTP return traffic originating from the outside network and returning via the inside interface

Correct Answer: ABCGH

Explanation:

Reference: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intparam.html

Security Level Overview

Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You can assign interfaces to the same security level. See the “Allowing Communication Between Interfaces on the Same Security Level” section for more information.

The level controls the following behavior:

Network access – By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface. If you enable communication for same security interfaces (see the “Allowing Communication Between Interfaces on the Same Security Level” section), there is an implicit permit for interfaces to access other interfaces on the same security level or lower.

Inspection engines–Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

-NetBIOS inspection engine–Applied only for outbound connections.

-OraServ inspection engine–If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.

Filtering–HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

For same security interfaces, you can filter traffic in either direction.

NAT control–When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).

Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

established command – This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

For same security interfaces, you can configure established commands for both directions.

QUESTION 130

Which type of firewall technology is considered the most versatile and most commonly used firewall technology?

A. static packet filter firewall

B. application layer firewall

C. stateful packet filter firewall

D. proxy firewall

E. adaptive layer firewall

Correct Answer: C

Explanation:

Reference: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_implementation_design_guide09186a00800fd670.html

Cisco IOS Firewall includes multiple security features:

- Cisco IOS Firewall stateful packet inspection provides true firewall capabilities to protect networks against unauthorized traffic and control legitimate business-critical data.

- Authentication proxy controls access to hosts or networks based on user credentials stored in an authentication, authorization, and accounting (AAA) server.

- Multi-VRF firewall offers firewall services on virtual routers with virtual routing and forwarding (VRF), accommodating overlapping address space to provide multiple isolated private route spaces with a full range of security services.

- Transparent firewall adds stateful inspection without time-consuming, disruptive IP addressing modifications.

- Application inspection controls application activity to provide granular policy enforcement of application usage, protecting legitimate application protocols from rogue applications and malicious activity.
