IOS Firewall Feature Set—CBAC Questions and Answers

Sep 11,2009 by alperen


Questions

1. True or False. IPSec is a part of the Cisco IOS Firewall feature set.

  A. True
  B. False


2. True or False. The Cisco IOS Firewall feature set is implemented on all Cisco router series.

  A. True
  B. False


3. Which of the following IOS features is not part of the Firewall feature set?

  A. Intrusion detection
  B. Context-Based Access Control (CBAC)
  C. AAA
  D. Java blocking


4. True or False. CBAC can incorporate application layer information in its filtering.

  A. True
  B. False


5. In the following command, what does the 30 represent?

  Rtr1(config)#ip inspect tcp idle-time 30

  A. Minutes
  B. Packets
  C. Seconds
  D. Hours


6. True or False. CBAC can filter TCP, UDP, and ICMP traffic.

  A. True
  B. False


7. The memory required for each CBAC connection is what?

  A. 600 bits
  B. 600 bytes
  C. 600K
  D. Varies with the data


8. Which of the following is not a step in configuring CBAC?

  A. Set audit trails and alerts.
  B. Set global timeouts and thresholds.
  C. Define inspection rules.
  D. Remove all nonstandard Port-to-Application Mapping.
  E. Apply inspection rules and ACLs.


9. Which of the following is a DoS protective measure?

  A. RPC inspection
  B. Fragment inspection
  C. SMTP inspection
  D. HTTP inspection


10. Which of the following defines the number of seconds the software will wait for a TCP session to reach the established state before dropping the session?

  A. Rtr1(config)#ip inspect tcp synwait-time 20
  B. Rtr1(config-if)#ip inspect tcp synwait-time 20
  C. Rtr1(config)#ip inspect tcp finwait-time 20
  D. Rtr1(config-if)#ip inspect tcp finwait-time 20


11. In the following command, what does the number 800 represent?

  Rtr1(config)#ip inspect max-incomplete high 800

  A. Seconds
  B. Minutes
  C. Half-open TCP sessions
  D. DNS-name lookup session


12. What does the following command do?

  Rtr1(config)#ip port-map realaudio port 21

  A. Assigns port 21 to be used by Real Audio.
  B. States a preference for port 21 to be used by Real Audio.
  C. The command will fail because CBAC doesn’t support Real Audio.
  D. The command will fail because port 21 is reserved for FTP.


13. True or False. ConfigMaker is an alternative for configuring Firewall features.

  A. True
  B. False


14. Which two commands might be useful against DoS attacks?

  A. Maximum Incomplete Sessions High/Low Threshold
  B. UDP Session Inactivity Timer
  C. TCP Session Termination Timer
  D. One Minute Incomplete Sessions High/Low Threshold


15. Which statement is not true about CBAC?

  A. Only IP TCP and UDP traffic is inspected by CBAC.
  B. CBAC doesn’t normally protect against attacks from within the protected network.
  C. CBAC and reflexive ACLs work well together.
  D. CBAC can’t inspect in-transit IPSec traffic.


Answers

1. B. False. They’re used together often, but they’re separate feature sets.

2. B. False. It is implemented only on the Cisco 800, uBR900, 1400, 1600, 1700, 2500, 2600, 3600, 7100, 7200, and 7500 and RSM series routers.

3. C. AAA. It is in the regular IOS feature set.

4. A. True

5. C. Seconds

6. A. False. It’s limited to TCP and UDP traffic.

7. B. 600 bytes

8. D. Remove all nonstandard Port-to-Application Mapping.

9. B. Fragment inspection

10. A. Rtr1(config)#ip inspect tcp synwait-time 20

11. C. Half-open TCP session

12. D. The command will fail because port 21 is reserved for FTP.

13. A. True

14. A. Maximum Incomplete Sessions High/Low Threshold and D. One Minute Incomplete Sessions High/Low Threshold

15. C. CBAC and reflexive ACLs work well together.

