Tuesday, July 7, 2015

CCIE Security 350-018 Quiz and QA - Security Technologies

1 DMZ stands for what?
a. Demilitarized zone
b. Demitted zone
c. Domain main zone
d. Domain name

2 When defining an extended access list, what TCP port numbers can you use?
a. Only predefined Cisco keywords
b. 0 to 65,000
c. 0 to 65,535
d. 1 to 65,534
e. None of the above

TCP port numbers range from 0 to 65,535 (answer c). Ports 0 through 1023 are the well-known range; client devices such as PCs pick their source ports from the range above that (traditionally 1025 to 65,535).

3 When defining an extended access list, what UDP port numbers can you use?
a. Only predefined Cisco keywords
b. 0 to 65000
c. 0 to 65535
d. 1 to 65534
e. None of the above

UDP port numbers from 0 to 65535.

4 Which of the following is not a TCP service?
a. who
b. whois
c. finger
d. ftp
e. pop3

who is a UDP service.

5 Which of the following is not a UDP service?
a. BGP
b. echo
c. domain
d. discard
e. rip
f. snmp

BGP runs over TCP port 179.

6 For how many translations does PAT allow you to use one IP address?
a. 32,000
b. 64,000
c. 96,000
d. 128,000
e. 256,000

Port Address Translation (PAT) rewrites the local (source) port number so that more
than one host can share a single public address. The port number field in a TCP segment
runs from 0 to 65,535, and the low-numbered well-known ports are not used for
translation, so answer b (64,000) is closest to the number of concurrent translations
one address can carry.

7 PAT translates all private addresses based on what?
a. Source port
b. Destination port
c. Both source and destination
d. None

PAT is based on the source port; the destination port is not altered. For example, a Telnet
connection is identified by the local (source) port, an ephemeral port the client picks from
the upper part of the 0 to 65,535 range, and the fixed destination port 23. PAT rewrites only
the source address and, when needed, the source port, so the server still sees the request
arrive on port 23.

8 NAT is which of the following?
a. Network Architectural Language
b. National anthem of Latvia
c. Network translation
d. Network Address Translation

9 NAT is defined in which RFC?
a. 1700
b. 1701
c. 2002
d. 1631
e. 1613

NAT is defined in Request for Comments (RFC) 1631. (RFC 1631 has since been obsoleted by RFC 3022, Traditional IP Network Address Translator, but 1631 remains the answer the exam expects.)

10 The following defines which NAT terminology: “A legitimate registered IP address as
assigned by the InterNIC?”
a. Inside local address
b. Outside global address
c. Inside global address
d. Outside local address

11 What IOS command defines a pool of addresses that will be translated to a registered IP address?
a. ip nat inside
b. ip nat outside
c. ip nat pool
d. ip nat inside pool
e. ip nat outside pool

12 PIX stands for what?
a. Protocol interchange
b. Cisco Private Internet
c. Private Internet Exchange
d. Public Internet Exchange

13 To define how a PIX will route IP data, what is the correct syntax for a PIX 520?
a. ip route
b. route
c. ip route enable
d. default-network

A PIX can run RIP or be configured for static routing; a default route is typically
required so that end-user data can be sent to the Internet, for example.

14 What is the alias command’s function on a PIX firewall?
a. To define a local host name
b. To define the DNS server
c. Used in NAT environments where one IP address is translated into another.
d. Only applicable to Cisco IOS

The PIX alias command is used for NAT configurations. The alias command
translates one IP address into another address. For example, one private network
might be using unregistered IP address space, and to allow users access to outside
address space, the alias command is used. This command is applied differently on a
Cisco IOS router.

15 CBAC stands for what?
a. CBAC is not a valid term
b. Cisco Business architectural centre
c. Context-based Access Control
d. Context-based Accelerated controller
e. Content-based arch. Centre

16 What is IKE used to accomplish?
a. NAT translations
b. Ensures that data is not sourced by the right sources
c. Ensures that data is not sourced by the wrong sources
d. No use
e. Both a and c

Internet Key Exchange (IKE) allows a network confidentially from unauthorized

17 To create a simple VPN tunnel (unencrypted) between two sites, what must you do on a
Cisco router?
a. Create a GRE tunnel
b. Create a routing map
c. Nothing, use a PIX
d. Create an IPSec tunnel

A simple VPN tunnel requires a generic routing encapsulation (GRE) tunnel
between two Cisco routers.
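The following is an added example, not part of the original quiz or of any Cisco document: the two-sided configuration of the plain GRE tunnel that question 17 asks for. The public addresses 192.0.2.1 and 198.51.100.1, the tunnel subnet 10.255.0.0/30 and the LAN prefixes 10.1.0.0/16 and 10.2.0.0/16 are assumptions chosen for illustration.

```cisco
! Added example (assumed addressing): unencrypted GRE tunnel between two sites.
! GRE is IP protocol 47; it encapsulates but does not encrypt.
!
! --- Site A router ---
interface Tunnel0
 description GRE to Site B (no confidentiality, see note below)
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 tunnel mode gre ip
!
! Send Site B's LAN through the tunnel
ip route 10.2.0.0 255.255.0.0 Tunnel0
!
! --- Site B router ---
interface Tunnel0
 description GRE to Site A
 ip address 10.255.0.2 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 192.0.2.1
 tunnel mode gre ip
!
! Send Site A's LAN through the tunnel
ip route 10.1.0.0 255.255.0.0 Tunnel0
```

`tunnel mode gre ip` is the default and is shown only to make the encapsulation explicit. Verify with `show interfaces Tunnel0` and `ping 10.255.0.2 source 10.255.0.1`. Because the GRE payload crosses the Internet in cleartext, this is a tunnel rather than a VPN in the sense of Q&A question 15; to add confidentiality the GRE traffic (protocol 47 between the two public addresses) would be protected with IPsec.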

Q & A
1 What does the term DMZ refer to?
Answer: The DMZ, or demilitarized zone, is defined as an isolated part of the
network that is easily accessible to hosts on the outside (Internet, for example).

2 What is the perimeter router’s function in a DMZ?
Answer: The perimeter router sits between the DMZ and the public domain. It is
typically a high performance router or routers that perform a number of duties,
including the following:
• Access lists that restrict which IP addresses and networks can be reached
• Restrictions to TCP services
• Restrictions on what applications can be run
• Routing protocols (typically, BGP)

3 What two main transport layer protocols do extended access lists filter traffic through?
Answer: Extended access lists filter both TCP and UDP transport layer services.

4 Which of the following is not a TCP service?
a. Ident
b. ftp
c. pop3
d. pop2
e. echo

Echo is listed under the UDP keywords, so e is the expected answer. Strictly speaking, the Echo service (RFC 862) runs on port 7 over both TCP and UDP, and Cisco IOS accepts the echo keyword in both tcp and udp extended access-list entries; ident, ftp, and pop2/pop3 are TCP-only services.

5 Name five UDP services that can be filtered with an extended access-list.
Answer: Cisco IOS can filter a number of UDP services, including the following:
• biff—Biff (mail notification, comsat, 512)
• bootpc—Bootstrap Protocol (BOOTP) client (68)
• bootps—Bootstrap Protocol (BOOTP) server (67)
• discard—Discard (9)
• dnsix—DNSIX security protocol auditing (195)
• domain—Domain Name Service (DNS, 53)
• echo—Echo (7)
• isakmp—Internet Security Association and Key Management Protocol (500)
• mobile-ip—Mobile IP registration (434)
• nameserver—IEN116 name service (obsolete, 42)
• netbios-dgm—NetBIOS datagram service (138)
• netbios-ns—NetBIOS name service (137)
• netbios-ss—NetBIOS session service (139)
• ntp—Network Time Protocol (123)
• pim-auto-rp—PIM Auto-RP (496)
• rip—Routing Information Protocol (router, in.routed, 520)
• snmp—Simple Network Management Protocol (161)
• snmptrap—SNMP traps (162)
• sunrpc—Sun Remote Procedure Call (111)
• syslog—System Logger (514)
• tacacs—TAC Access Control System (49)
• talk—Talk (517)
• tftp—Trivial File Transfer Protocol (69)
• time—Time (37)
• who—Who service (rwho, 513)
• xdmcp—X Display Manager Control Protocol (177)
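As an added example (not from the original quiz or Cisco documentation), here is an IOS extended access list that applies the points of questions 2 and 3, Q&A question 3 and the UDP keyword list above: ports are given either by Cisco keyword or by number in the range 0 to 65,535, and TCP and UDP are filtered as separate protocols. The interface name, the DMZ hosts 203.0.113.21 and 203.0.113.25 and the resolver 192.0.2.10 are assumptions.

```cisco
! Added example (assumed addressing): perimeter ACL protecting a DMZ.
! TCP and UDP entries are separate; a "udp" line never matches TCP port 53.
ip access-list extended DMZ-IN
 remark Internet may reach the DMZ mail and FTP servers (TCP keywords)
 permit tcp any host 203.0.113.25 eq smtp
 permit tcp any host 203.0.113.21 eq ftp
 remark DNS and NTP queries to the DMZ resolver (UDP keywords domain = 53, ntp = 123)
 permit udp any host 192.0.2.10 eq domain
 permit udp any host 192.0.2.10 eq ntp
 remark Management and RPC services must never be reachable from outside
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 deny   udp any any eq tftp
 deny   udp any any eq sunrpc
 remark NetBIOS given as a numeric range (netbios-ns 137 to netbios-ss 139)
 deny   udp any any range 137 139
 remark Small services abused for reflection; chargen has no UDP keyword, so use 19
 deny   udp any any eq echo
 deny   udp any any eq discard
 deny   udp any any eq 19 log
 remark Everything else is dropped and logged
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside (Internet-facing)
 ip access-group DMZ-IN in
```

The explicit `deny` lines before the final `deny ip any any` are redundant for filtering but give separate hit counters in `show access-lists`, which is useful when auditing what the Internet is probing for. Note that the list permits no return traffic for connections started from inside; on a real perimeter that is handled by CBAC (Q&A question 14) or by `established` entries.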

6 What RFC defines NAT?
Answer: Network Address Translation (NAT) is defined in RFC 1631.

7 In NAT, what is the inside local address used for?
Answer: The inside local address refers to the IP address that is assigned to a host on
the internal network, that is, the logical address that is not being advertised to the
Internet. A local administrator generally assigns this address. This address is NOT a
legitimate Internet address.

8 What does the IOS command ip nat inside source list accomplish?
Answer: It enables translation of inside source addresses: packets from inside hosts
matched by the referenced access list have their inside local source address translated
to an inside global address (from a pool or the outside interface), which is what allows
those hosts to reach the Internet.
The “list” keyword helps define the access list to be used for determining the source

9 What are the four possible NAT translations on a Cisco IOS router?
Answer: The four NAT translation versions are as follows:
• Static NAT—Maps an unregistered IP address to a registered IP address on a
one-to-one basis.
• Dynamic NAT—Maps an unregistered IP address to a registered IP address
from a group of registered IP addresses.
• Overloading—A form of dynamic NAT that maps multiple unregistered IP
addresses to a single registered IP address using different ports. Known also
as Port Address Translation (PAT), single address NAT, or port-level multiplexed
• Overlapping—When the IP addresses used on your internal network are
registered IP addresses in use on another network, the router must maintain a
lookup table of these addresses so that it can intercept them and replace them
with registered unique IP addresses.
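The following is an added example, not part of the original quiz or of Cisco's documentation, putting the four translation types above into one IOS configuration; it also shows the `ip nat pool` command from question 11, the `ip nat inside source list` command from Q&A question 8, and the source-port behaviour of PAT from questions 6 and 7. The addresses (10.0.0.0/24 inside, 203.0.113.0/24 as registered space, 172.16.5.50 as an outside-local placeholder) and the interface names are assumptions.

```cisco
! Added example (assumed addressing): the four NAT translation types on IOS.
!
! Static NAT: one-to-one, so the DMZ web server is reachable from outside
ip nat inside source static 10.0.0.80 203.0.113.80
!
! Dynamic NAT: the lower half of the inside subnet borrows an address from a
! pool of registered addresses; the static host is excluded from the list
ip nat pool PUBLIC-POOL 203.0.113.100 203.0.113.110 netmask 255.255.255.0
access-list 10 deny   host 10.0.0.80
access-list 10 permit 10.0.0.0 0.0.0.127
ip nat inside source list 10 pool PUBLIC-POOL
!
! Overloading (PAT): the upper half of the subnet shares the outside interface
! address; flows are told apart by the translated SOURCE port, the destination
! port is left untouched
access-list 11 permit 10.0.0.128 0.0.0.127
ip nat inside source list 11 interface GigabitEthernet0/0 overload
!
! Overlapping: a partner host really is 10.0.0.50, which collides with our
! inside network, so inside hosts see it as 172.16.5.50
! (outside global 10.0.0.50 -> outside local 172.16.5.50, with a host route added)
ip nat outside source static 10.0.0.50 172.16.5.50 add-route
!
interface GigabitEthernet0/1
 description Inside: hosts here carry inside local addresses
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description Outside: translated packets carry inside global addresses
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
```

`show ip nat translations` lists the inside local / inside global / outside local / outside global columns that the terminology in questions 7 and 10 refers to, and with overloading each entry also shows the port pair; `show ip nat statistics` reports pool exhaustion, which is the practical limit the 64,000 figure in question 6 describes.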

10 How many connections can be translated with a PIX firewall for the following RAM
configurations: 16 MB, 32MB, or 128MB?
Answer: 16 MB of RAM supports up to 32,768 connections, 32 MB up to 65,536 connections,
and 128 MB up to 260,000 connections.

11 When the alias command is applied to a PIX, what does it accomplish?
Answer: The alias command translates one address into another, and is used for
translating unregistered IP addresses in a NAT environment.

12 What security features does the Cisco IOS Firewall feature set allow a network
administrator to accomplish?
Answer: The Cisco IOS features set consists of the following:
• Context-based Access Control (CBAC) provides internal users secure, per-application-
based access control for all traffic across perimeters, such as between private
enterprise networks and the Internet.
• Java blocking protects against unidentified, malicious Java applets.
• Denial-of-service detection and prevention defends and protects router
resources against common attacks, checking packet headers and dropping
suspicious packets.
• Audit trail details transactions, recording time stamp, source host, destination
host, ports, duration, and total number of bytes transmitted.
• Real-time alerts log alerts in case of denial-of-service attacks or other
preconfigured conditions.

13 What does CBAC stand for?
Answer: Context-based Access Control

14 Name the eight possible steps to take when configuring CBAC.
Answer: To configure CBAC, the following tasks are required or optional:
• Pick an internal or external interface. (Required)
• Configure IP access lists at the interface. (Required)
• Configure global timeouts and thresholds. (Required)
• Define an inspection rule. (Required)
• Apply the inspection rule to an interface. (Required)
• Configure logging and audit trail. (Required)
• Follow other guidelines for configuring a firewall. (Required)
• Verify CBAC. (Optional)
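As an added example (not from the original quiz or Cisco documentation), the eight steps above carried through as one IOS configuration. The interface name Serial0/0, the inspection-rule name FW-OUT, the syslog host 10.0.0.5 and the trusted Java source network 192.0.2.0/24 are assumptions.

```cisco
! Added example (assumed names and addresses): minimal CBAC configuration.
!
! Step 2: access list on the external interface. Everything inbound is
! denied; CBAC opens temporary holes for sessions started from inside.
ip access-list extended OUTSIDE-IN
 permit icmp any any unreachable
 permit icmp any any echo-reply
 deny   ip any any log
!
! Step 3: global timeouts and thresholds (the denial-of-service protection
! from Q&A question 12: half-open sessions are reaped above these limits)
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Step 4: inspection rule for protocols inside users may initiate; http with
! java-list gives the Java blocking feature, allowing applets only from list 51
access-list 51 remark Hosts whose Java applets are trusted
access-list 51 permit 192.0.2.0 0.0.0.255
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT ftp
ip inspect name FW-OUT http java-list 51
!
! Step 6: audit trail and alerts go to syslog
ip inspect audit-trail
logging host 10.0.0.5
!
! Steps 1 and 5: the external interface is chosen, the ACL is applied inbound
! and the inspection rule outbound on that same interface
interface Serial0/0
 description Outside
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
!
! Step 8 (optional): verify with
!   show ip inspect config
!   show ip inspect sessions
```

Step 7 (general firewall guidelines) is policy rather than commands: disable unneeded services on the router, restrict management access, and keep the inbound ACL as tight as the example shows. The choice of inspecting outbound on the outside interface means only sessions that originate inside create return-path entries; inspecting inbound on the inside interface is the equivalent alternative.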

15 What is a virtual private network?
Answer: A virtual private network (VPN) enables IP traffic to travel securely over a
public TCP/IP network by encrypting all traffic from one network to another. A VPN
uses tunneling to carry the traffic and, with IPsec, encrypts and authenticates it at the IP layer.
