Module 10 Flashcards

1
Q

There are two configuration models for Cisco IOS Firewall:

A

Classic Firewall - The traditional configuration model in which firewall policy is applied on interfaces.
Zone-based Policy Firewall (ZPF) - The configuration model in which interfaces are assigned to security zones, and firewall policy is applied to traffic moving between the zones.

2
Q

There are several benefits of a ZPF:

A

It is not dependent on ACLs.

The router security posture is to block unless explicitly allowed.

Policies are easy to read and troubleshoot with the Cisco Common Classification Policy Language (C3PL). C3PL is a structured method to create traffic policies based on events, conditions, and actions. This provides scalability because one policy affects any given traffic, instead of needing multiple ACLs and inspection actions for different types of traffic.

Virtual and physical interfaces can be grouped into zones.

Policies are applied to unidirectional traffic between zones.

3
Q

Designing ZPFs involves several steps:

A

Step 1. Determine the zones

Step 2. Establish policies between zones

Step 3. Design the physical infrastructure

Step 4. Identify subsets within zones and merge traffic requirements

4
Q

Examples of ZPF designs.

A

LAN-to-Internet

Firewall with public servers - 1

Firewall with public servers - 2

Redundant Firewalls

Complex Firewall

5
Q

Three possible actions can be configured to process traffic by protocol, source and destination zones (zone pairs), and other criteria.

A

Inspect - This performs Cisco IOS stateful packet inspection.
Drop - This is analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
Pass - This is analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic.

6
Q

Zone-Based Policy Firewall Configuration Steps

A

Step 1: Create the zones.
Step 2: Identify traffic with a class-map.
Step 3: Define an action with a policy-map.
Step 4: Identify a zone pair and match it to a policy-map.
Step 5: Assign zones to the appropriate interfaces.

7
Q

Which statement accurately describes Cisco IOS zone-based policy firewall operation?

A

The pass action in CCP is similar to the permit parameter in an ACL entry. Pass allows traffic only in one direction.

8
Q

How does ZPF handle traffic between an interface that is a zone member and another interface that does not belong to any zone?

A

The rules for a zone based policy firewall to handle transit traffic depend on whether or not the ingress and egress interfaces are members of zones. If one interface is a zone member, but the other is not, then the resulting action is to drop the traffic regardless of whether a zone-pair exists.

9
Q

Which statement describes a factor to be considered when configuring a zone-based policy firewall?

A

An interface cannot belong to multiple zones. A firewall never filters traffic between interfaces that have been configured for the same zone. The way that a zone-based policy firewall coexists with a classic firewall configuration is that interfaces that are not members of a security zone can still have the classic firewall ip inspect command applied and operational.

10
Q

Which statement describes one of the rules that govern interface behavior in the context of implementing a zone-based policy firewall configuration?

A

An interface can belong to only one zone. Creating a zone is the first step in configuring a zone-based policy firewall. A zone cannot be assigned to an interface if the zone has not been created. Traffic can never flow between an interface that is assigned to a zone and an interface that has not been assigned to a zone.

11
Q

Designing a ZPF requires several steps. Which step involves defining boundaries where traffic is subjected to policy restrictions as it crosses to another region of the network?

A

Designing ZPFs involves several steps:
Step 1. Determine the zones - The administrator focuses on the separation of the network into zones. Zones establish the security borders of a network.
Step 2. Establish policies between zones - For each pair of "source-destination" zones, define the sessions that clients in the source zones can request from servers in destination zones.
Step 3. Design the physical infrastructure - After the zones have been identified, and the traffic requirements between them documented, the administrator must design the physical infrastructure. This includes dictating the number of devices between most-secure and least-secure zones and determining redundant devices.
Step 4. Identify subsets within zones and merge traffic requirements - For each firewall device in the design, the administrator must identify zone subsets that are connected to its interfaces and merge the traffic requirements for those zones.

12
Q

When a Cisco IOS zone-based policy firewall is being configured, which two actions can be applied to a traffic class? (Choose two.)

A

The three actions that can be applied are inspect, drop, and pass. The inspect CCP action is similar to the classic firewall ip inspect command in that it inspects traffic going through the firewall and allows return traffic that is part of the same flow to pass through the firewall. The drop action is similar to the deny parameter in an ACL. This action drops whatever traffic fits the defined policy. The pass action is similar to a permit ACL statement: traffic is allowed to pass through because it met the criteria of the defined policy statement.

13
Q

Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.)

A

Some of the rules that govern interfaces in zones are as follows:
Create a policy allowing or inspecting traffic so that traffic can flow between that zone and any other zone.
Create zones before assigning to an interface.
If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
Traffic cannot flow between an interface that has been assigned to a zone and one that has not been assigned to a zone. The actions of pass, inspect, or drop can only be applied between two zones.
Interfaces that belong to the same zone allow traffic flow between them by default.

14
Q

Which statement describes a feature of a zone-based policy firewall?

A

A zone-based policy firewall (ZPF) does not require the use of complex ACLs. By default, traffic traveling between zones is blocked unless specifically permitted, and different types of traffic can be inspected differently even on the same interface. ZPF uses C3PL for policy configuration, which is hierarchical and allows for easier configuration and troubleshooting.

15
Q

In what step of zone-based policy firewall configuration is traffic identified for policy application?

A

During the class maps configuration stage, interesting traffic is identified for later policy application.

16
Q

When configuring a class map for a zone-based policy firewall, how is the match criteria applied when using the match-all parameter?

A

In the Identifying traffic step of a ZPF configuration, the syntax for the class-map type inspect command has two parameters, match-any and match-all. The match-all parameter dictates that packets must meet all the match criteria to be considered a member of the class.

17
Q
A

The self zone is the router itself and includes all the IP addresses assigned to the router interfaces.

18
Q

Which statement describes a zone when implementing ZPF on a Cisco router?

A

The first step in implementing ZPF is determining the zones. Zones establish the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of the network. The policy between zones can be established to restrict multiple protocol sessions such as TCP, UDP, and ICMP. One design consideration is to identify subsets within zones and merge traffic requirements because multiple zones might be indirectly attached to a single interface of a firewall.