• Home
  • Textbooks
  • CCSP: Cisco Certified Security Professional Certification
  • IOS Firewall Feature Set—CBAC

CCSP: Cisco Certified Security Professional Certification

Robert Larson, Lance Cockcroft

Chapter 6

IOS Firewall Feature Set—CBAC - all with Video Answers

Educators

Chapter Questions

Problem 1

True or False. IPSec is a part of the Cisco IOS Firewall feature set.
A. True
B. False

Check back soon!

Problem 2

True or False. The Cisco IOS Firewall feature set is implemented on all Cisco router series.
A. True
B. False

Check back soon!

Problem 3

Which of the following IOS features is not part of the Firewall feature set?
A. Intrusion detection
B. Context-Based Access Control (CBAC)
C. AAA
D. Java blocking

Check back soon!
01:03

Problem 4

True or False. CBAC can incorporate application layer information in its filtering.
A. True
B. False

Vishal Sharma
Vishal Sharma
Numerade Educator

Problem 5

In the following command, what does the 30 represent? Rtr1(config)\#ip inspect tcp idle-time 30
A. Minutes
B. Packets
C. Seconds
D. Hours

Check back soon!

Problem 6

True or False. CBAC can filter TCP, UDP, and ICMP traffic.
A. True
B. False

Check back soon!
02:00

Problem 7

The memory required for each CBAC connection is what?
A. 600 bits
B. 600 bytes
C. $600 \mathrm{~K}$
D. Varies with the data

Vysakh M
Vysakh M
Numerade Educator

Problem 8

Which of the following is not a step in configuring CBAC?
A. Set audit trails and alerts.
B. Set global timeouts and thresholds.
C. Define inspection rules.
D. Remove all nonstandard Port-to-Application Mapping.
E. Apply inspection rules and ACLs.

Check back soon!

Problem 9

Which of the following is a DoS protective measure?
A. RPC inspection
B. Fragment inspection
C. SMTP inspection
D. HTTP inspection

Check back soon!
01:27

Problem 10

Which of the following defines the number of seconds the software will wait for a TCP session to reach the established state before dropping the session?
A. Rtr1(config)\#ip inspect tcp synwait-time 20
B. Rtr1(config-if)\#ip inspect tcp synwait-time 20
C. Rtr1(config)\#ip inspect tcp finwait-time 20
D. Rtr1(config-if)\#ip inspect tcp finwait-time 20

James Kiss
James Kiss
Numerade Educator

Problem 11

In the following command, what does the number 800 represent? Rtr1(config)\#ip inspect max-incomplete high 800
A. Seconds
B. Minutes
C. Half-open TCP sessions
D. DNS-name lookup session

Check back soon!

Problem 12

What does the following command do? Rtr1(config)\#ip port-map realaudio port 21
A. Assigns port 21 to be used by Real Audio.
B. States a preference for port 21 to be used by Real Audio.
C. The command will fail because CBAC doesn't support Real Audio.
D. The command will fail because port 21 is reserved for FTP.

Check back soon!

Problem 13

True or False. ConfigMaker is an alternative for configuring Firewall features.
A. True
B. False

Check back soon!

Problem 14

Which two commands might be useful against DoS attacks?
A. Maximum Incomplete Sessions High/Low Threshold
B. UDP Session Inactivity Timer
C. TCP Session Termination Timer
D. One Minute Incomplete Sessions High/Low Threshold

Check back soon!

Problem 15

Which statement is not true about CBAC?
A. Only IP TCP and UDP traffic is inspected by CBAC.
B. CBAC doesn't normally protect against attacks from within the protected network.
C. CBAC and reflexive ACLs work well together.
D. CBAC can't inspect in-transit IPSec traffic.

Check back soon!