"Do I Know This Already?" Quiz

The purpose of this assessment quiz is to help you determine how to spend your limited study time.

If you can answer most or all of these questions, you might want to skim the "Foundation Topics" section and return to it later, as necessary. Review the "Foundation Summary" section and answer the questions at the end of the chapter to ensure that you have a strong grasp of the material covered.

If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. If you find these assessment questions difficult, read through the entire "Foundation Topics" section and review it until you feel comfortable with your ability to answer all of these questions and the "Q & A" questions at the end of the chapter.

Answers to these questions can be found in Appendix A, "Answers to Quiz Questions."

1. DMZ stands for what?

a. Demilitarized zone

b. Demitted zone

c. Domain main zone

d. Domain name

2. When defining an extended access list, what TCP port numbers can you use?

a. Only predefined Cisco keywords

b. 0 to 65,000

e. None of these

3. When defining an extended access list, what UDP port numbers can you use?

a. Only predefined Cisco keywords

b. 0 to 65,000

e. None of these

4. Which of the following is not a TCP service?

5. Which of the following is not a UDP service?

f. SNMP

6. For about how many translations does PAT (for a PIX Firewall) allow you to use one IP address?

7. PAT translates all private addresses based on what?

a. Source port

b. Destination port

c. Both source and destination ports

d. None of these

8. NAT is which of the following?

a. Network Architectural Language

b. National anthem of Latvia

c. Network translation

d. Network Address Translation

9. NAT is defined in which RFC?

a. 1700

b. 1701

c. 2002

d. 1631

e. 1613

10. The following defines which NAT terminology: "A legitimate registered IP address as assigned by the InterNIC"?

a. Inside local address

b. Outside global address

c. Inside global address

d. Outside local address

11. NAT might often be broken in what common scenario?

a. Only with VoIP

b. With PAT only

c. By traffic that carries the source/destination IP address in the application data fields

d. Only with HTTPS

e. When all multimedia applications fail

f. All of these

g. Only with VoIP or when all multimedia applications fail

12. When will the command overload, applied to NAT configurations, possibly break a network application?

a. Never

b. With some HTTP applications

c. With all FTP connections

d. With some UDP connections

e. With some multimedia applications

f. All of these

13. Firewalls can operate at what three layers of the OSI model?

14. What is the main advantage of using NAT on a firewall or Cisco IOS router?

a. No advantage; it makes a network complex

b. Enables RFC 1918-based privately defined IP addresses to be configured and enables access to the Internet

c. Ensures the device increases in performance

d. Decreases performance

e. Consumes CPU to allow IP packets to traverse the network forever

f. All of these

15. When using the IOS NAT overload command, how many inside sessions can be translated?

e. None

f. Depends on Cisco IOS revision

16. What IOS command defines a pool of IP addresses for Network Address Translation (NAT)?

a. ip nat inside

b. ip nat outside

c. ip nat pool

d. ip nat inside pool

e. ip nat outside pool

17. PIX stands for what?

a. Protocol interchange

b. Cisco Private Internet

c. Private Internet Exchange

d. Public Internet Exchange

18. To define how a PIX will route IP data, what is the correct syntax for a PIX?

a. ip route

b. route

c. ip route enable

d. default-network

19. If you configure NAT on a Cisco IOS router, what command is used to enable PAT?

20. Cisco IOS-based NAT provides all of the following functions except one; which one?

a. Provides safety for inside hosts from becoming an attack target

b. It can be traced or viewed by an outside address

c. Prevents the source from being traced from the Internet

d. Prevents an inside host from becoming a reflector of an attack

21. Which of the following is not considered a security device?

b. Switch

c. IDS appliance

d. Microsoft Windows XP Professional

e. VPN Concentrator

f. All of these are security devices

22. What extended IP access list will prevent the internal subnet 10.0.0.0/8 from being spoofed on a Cisco IOS-enabled router? (Assume permit statements are applied to allow legitimate traffic.)

a. access-list 1 permit 10.0.0.0 0.0.0.255 0.0.0.0 255.255.255.255

b. access-list 100 deny 10.0.0.0 0.0.0.255 0.0.0.0 255.255.255.255 any

c. access-list 99 tcp deny 10.0.0.0 0.0.0.255 0.0.0.0 any

d. access-list 100 ip deny 10.0.0.0 0.0.0.255 0.0.0.0 any

e. None of these

23. What is the alias command's function on a PIX Firewall?

a. To define a local host name.

b. To define the DNS server.

c. The alias command is used in NAT environments where one IP address is translated into another.

d. Only applicable to Cisco IOS.

24. CBAC stands for what?

a. CBAC is not a valid term.

b. Cisco Business Architectural Center.

c. Context-Based Access Control.

d. Context-Based Accelerated Controller.

e. Content-Based Arch. Centre.

25. What is IKE used to accomplish?

a. NAT translations

b. To ensure that data is not sourced by the right sources

c. To ensure that data is not viewable by unauthorized sources

d. No use

e. NAT translations and to ensure that data is not sourced by the wrong sources

26. To create a simple VPN tunnel (unencrypted) between two sites, what must you do on a Cisco router?

a. Create a GRE tunnel

b. Create a routing map

c. Nothing; use a PIX

d. Create an IPSec tunnel

27. PIX Firewall software version 6.3 can support which of the following routing protocols? (Choose the best three answers.)

b. OSPF

c. RIP version 1

d. RIP version 2

e. EIGRP

28. To support OSPF on a PIX Firewall version 6.3-capable firewall, what additional OSPF authentication mechanisms are possible? (Choose the best two answers.)

a. MD5

b. Area

c. Password

d. RADIUS

e. TACACS+

f. Kerberos

29. What PIX command can be used for a dual NAT environment?

a. conduit

b. pix

c. alias

d. sysopt permit dnat

e. pat [dnat] ip address alias

f. None of these

30. What PIX command is used on a PIX Firewall to view address mappings when NAT is enabled?

a. show nat

b. show pat

c. show late

d. show xlate

e. show ip nat

f. show ip pat

g. None of these

31. If a PIX Firewall is configured without a conduit or an access list, data from the inside interface is dropped. In effect, the PIX Firewall is acting like which of the following? (Select the best two answers.)

a. Router

b. Bridge

c. Bridge and router

d. Bit bucket

e. Black hole router

f. None of these

32. After viewing the PIX syslog with the command show logging, the following output is discovered:

14:25:02 10.1.1.1 : %PIX-7-7100006: TCP request discarded from 6.3.62.119/ 57000 to inside:10.1.1.1/www

Assuming the inside interface on the PIX is configured for the IP address 10.1.1.1/24, which of the following answers best describes what might be going on in the network?

a. Nothing, this level is normal as the level is 7.

b. IP addresses on the inside have all launched an attack against the PIX outside address.

c. A host on the inside has launched a denial of service (DoS) attack generating random source addresses aimed at the PIX inside interface.

d. Several zombie hosts have been activated on the outside of the PIX and are trying to crash the PIX HTTP server.

e. A host on the outside has been compromised and is attempting to log onto the PIX HTTP server.

33. Which of the following statements best describes Cisco Threat Response (CTR)?

a. CTR reads IDS alarms and performs automated forensics on hosts or servers that may have been compromised.

b. CTR logs into real devices and searches for log entries.

c. CTR determines if network IDS alarms are valid or invalid by using Telnet.

d. CTR is an inline device that does deep packet inspection looking for attacks on Cisco network devices such as routers and switches.

e. CTR is not an application but a hardware IDS device.

34. Which of the following best describes Cisco Security Agent (CSA)?

a. CSA is the best antivirus tool available.

b. CSA uses a set of predefined rules to protect host-based systems such as PCs or servers.

c. CSA is a server-based system only that recognizes network attacks.

d. CSA takes no action when an attack occurs.

e. CSA is a passive device and does little besides stop the IP stream.

35. Which of the following describes the default rules a host version of the Cisco Security Agent accomplishes? (Choose the best three answers.)

a. Prevents writing to the system directory

b. Stops unauthorized systems from initiating network connections to the CSA-protected host

c. Provides deep packet inspection to prevent Internet viruses

d. Provides deep packet inspection to prevent worms

e. Prevents updates to the system registry

36. IEEE 802.1X is primarily used for what purpose?

a. Prevent writing to the system directory

b. Authenticate MAC or Layer 3 addresses

c. Layer 7 authentication

d. Allow Layer 3 communication and authenticate clients

e. VLAN assignment

f. Prevent updates to the system registry

37. What device initiates the first communication in IEEE 802.1X?

a. The IOS router

b. The IOS switch

c. The end workstation connected to the switch

d. The RADIUS server

e. The TACACS+ server

f. None of these

38. CSA is supported on what two platforms?

a. Windows

b. UNIX

c. Macintosh

d. Printers

e. PDAs

39. How does anomaly-based intrusion detection recognize that a network attack is in progress?

a. Packets are matched with a signature and then logged.

b. The IDS normalizes network traffic and sends alarms when sampled traffic falls out of that norm.

c. Protocol adherence rules are established by the administrator and any deviation from that is flagged as a potential attack.

d. The IDS normalizes network traffic.
