
Question 1

Which kind of table will be used by most firewalls today to keep track of the connections through the firewall?

A. queuing
B. netflow
C. dynamic ACL
D. reflexive ACL
E. state

Explanation

There are four generations of firewall technologies developed between 1983 and 1995: static packet-filtering firewalls, circuit-level firewalls, application layer firewalls and dynamic packet-filtering firewalls.

Dynamic packet-filtering firewalls, sometimes called stateful firewalls, keep track of the actual communication process through the use of a state table. The state table is part of the internal structure of the firewall; it tracks all sessions and inspects all packets passing through the firewall. These firewalls operate at Layers 3, 4 and 5.

Question 2

Based on the show policy-map type inspect zone-pair session command output provided in the exhibit, what can be determined about this Cisco IOS zone-based firewall policy?

Class-map: TEST-Class (match-all)
  Match: access-group 110
  Match: protocol http
  Inspect
    Established Sessions
      Session 643BCF88 (10.0.2.12:3364) =>(172.26.26.51:80) http SIS_OPEN
        Created 00:00:10, Last heard 00:00:00
        Bytes sent (initiator, responder) [1268:64324]
      Session 643BB9C8 (10.0.2.12:3361) =>(172.26.26.51:80) http SIS_OPEN
        Created 00:00:16, Last heard 00:00:06
        Bytes sent (initiator, responder) [2734:38447]
      Session 643BD240 (10.0.2.12:3362) =>(172.26.26.51:80) http SIS_OPEN
        Created 00:00:14, Last heard 00:00:07
        Bytes sent (initiator, responder) [2219:39813]
      Session 643BBF38 (10.0.2.12:3363) =>(172.26.26.51:80) http SIS_OPEN
        Created 00:00:14, Last heard 00:00:06
        Bytes sent (initiator, responder) [2106:19895]
Class-map: class-default (match-any)
  Match: any
  Drop (default action)
    58 packets, 2104 bytes

A. This is an outbound policy (applied to traffic sourced from the more secured zone destined to the less secured zone).
B. All packets will be dropped since the class-default traffic class is matching all traffic.
C. This is an inbound policy (applied to traffic sourced from the less secured zone destined to the more secured zone).
D. Stateful packet inspection will be applied only to HTTP packets that also match ACL 110.
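The session table in the exhibit above is what an operator reads when checking what the inspect action is actually tracking. The following parser is an added example, not part of the original question set: it turns a constructed sample in the same layout as the exhibit into Session records, pulls out the class-default drop counter, and flags stale sessions by their "Last heard" age.

```python
import re
from dataclasses import dataclass

# Constructed sample laid out like the Question 2 exhibit (two sessions plus the class-default counter).
SAMPLE_OUTPUT = """\
Class-map: TEST-Class (match-all)
  Match: access-group 110
  Match: protocol http
      Session 643BCF88 (10.0.2.12:3364) =>(172.26.26.51:80) http SIS_OPEN
        Created 00:00:10, Last heard 00:00:00
        Bytes sent (initiator, responder) [1268:64324]
      Session 643BB9C8 (10.0.2.12:3361) =>(172.26.26.51:80) http SIS_OPEN
        Created 00:00:16, Last heard 00:00:06
        Bytes sent (initiator, responder) [2734:38447]
Class-map: class-default (match-any)
  Match: any
  Drop (default action)
    58 packets, 2104 bytes
"""

@dataclass
class Session:
    sid: str
    initiator: str         # "ip:port" of the side that opened the session
    responder: str
    protocol: str
    state: str             # e.g. SIS_OPEN
    idle_seconds: int = 0  # taken from "Last heard"
    bytes_sent: tuple = (0, 0)  # (initiator, responder)

SESSION_RE = re.compile(r"Session (\w+) \(([^)]+)\)\s*=>\s*\(([^)]+)\) (\S+) (\S+)")
HEARD_RE = re.compile(r"Last heard (\d+):(\d+):(\d+)")
BYTES_RE = re.compile(r"Bytes sent .*?\[(\d+):(\d+)\]")
DROP_RE = re.compile(r"(\d+) packets, (\d+) bytes")

def parse_sessions(text):
    """Return (list of Session, packets dropped by the hidden class-default)."""
    sessions, dropped = [], 0
    for line in text.splitlines():
        if m := SESSION_RE.search(line):
            sessions.append(Session(*m.groups()))
        elif (m := HEARD_RE.search(line)) and sessions:
            h, mi, s = (int(x) for x in m.groups())
            sessions[-1].idle_seconds = h * 3600 + mi * 60 + s
        elif (m := BYTES_RE.search(line)) and sessions:
            sessions[-1].bytes_sent = tuple(int(x) for x in m.groups())
        elif m := DROP_RE.search(line):
            dropped = int(m.group(1))
    return sessions, dropped

def idle_sessions(sessions, max_idle):
    # Session IDs not heard from for more than max_idle seconds (stale-entry check)
    return [s.sid for s in sessions if s.idle_seconds > max_idle]
```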

Question 3

Which statement best describes Cisco IOS Zone-Based Policy Firewall?

A. A router interface can belong to multiple zones.
B. The pass action works in only one direction.
C. Policy maps are used to classify traffic into different traffic classes, and class maps are used to assign action to the traffic classes.
D. A zone-pair is bidirectional because it specifies traffic flowing among the interfaces within the zone-pair in both directions.

Explanation

The Cisco IOS zone-based policy firewall can take three possible actions when you configure it using Cisco SDM:

Inspect: This action configures Cisco IOS stateful packet inspection.
Drop: This action is analogous to deny in an ACL.
Pass: This action is analogous to permit in an ACL. The pass action does not track the state of connections or sessions within the traffic; pass allows the traffic only in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction.

Question 4

When configuring Cisco IOS Zone-Based Policy Firewall, what are the three actions that can be applied to a traffic class? (Choose three)

A. Pass
B. Police
C. Inspect
D. Drop
E. Queue
F. Shape

Explanation

Please read the explanation of question 3.

Question 5

Which type of firewall is needed to open appropriate UDP ports required for RTP streams?

A. Proxy firewall
B. Packet filtering firewall
C. Stateful firewall
D. Stateless firewall

Question 6

What is a static packet-filtering firewall used for?

A. It analyzes network traffic at the network and transport protocol layers.
B. It validates the fact that a packet is either a connection request or a data packet belonging to a connection.
C. It keeps track of the actual communication process through the use of a state table.
D. It evaluates network packets for valid data at the application layer before allowing connections.

Question 7

Which information is stored in the stateful session flow table while using a stateful firewall?

A. all TCP and UDP header information only
B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session
C. the outbound and inbound access rules (ACL entries)
D. the inside private IP address and the translated inside global IP address

Question 8

Which firewall best practices can help mitigate worm and other automated attacks?

A. Restrict access to firewalls
B. Segment security zones
C. Use logs and alerts
D. Set connection limits

Question 9

In Cisco IOS Zone-Based Policy Firewall, where is the inspection policy applied?

A. to the interface
B. to the zone-pair
C. to the global service policy
D. to the zone

Answer: B

Question 10

Which two actions can be configured to allow traffic to traverse an interface when zone-based security is being employed? (Choose two)

A. Flow
B. Inspect
C. Pass
D. Allow

Question 11

Which feature is a potential security weakness of a traditional stateful firewall?

A. It cannot ensure each TCP connection follows a legitimate TCP three-way handshake
B. It cannot detect application-layer attacks
C. It cannot support UDP flows
D. The status of TCP sessions is retained in the state table after the sessions terminate

1. Answer: E
2. Answer: D
3. Answer: B
4. Answer: A C D
5. Answer: C
6. Answer: A
7. Answer: B
8. Answer: D
9. Answer: B
10. Answer: B C
11. Answer: B

Cisco IOS Zone based Firewall Tutorial (September 8th, 2010, in CCNA Security Knowledge Base)

In this tutorial we will learn about the Zone Based Firewall, but before digging into the details let's start with the basic concepts.

A security zone is a group of interfaces to which a policy can be applied. By default, traffic can flow freely within a zone, but all traffic to and from that zone is dropped. To allow traffic to pass between zones, administrators must explicitly permit it by creating a zone-pair and a policy for that pair. Note also that traffic originated by the router itself is allowed to pass freely.

A zone-pair allows you to specify a unidirectional firewall policy between two zones. In other words, a zone-pair specifies the direction of the interesting traffic. This direction is defined by specifying a source zone and a destination zone. Notice that we can't define the same zone as both the source and the destination zone.

A zone policy defines what we want to allow or deny between zones. For example, we may want to allow HTTP while dropping SMTP and ICMP. There are three actions: pass, drop and inspect. The pass and drop actions are self-explanatory. The inspect action tells the router to use a pre-defined class-map to filter the traffic.

Now, enough theory! It's time for the configuration.

In this scenario, we are going to configure two zones, INSIDE and OUTSIDE. In this example, we will configure two tasks:

+ Only allow ping (icmp) traffic from the INSIDE Zone to OUTSIDE Zone (not vice versa).

[Topology diagram: topology.jpg]

Notice: you need to make sure all the networks are reachable via a routing protocol before configuring the zone-based firewall.

First we divide the networks into 2 zones: Inside and Outside.

Create Inside zone and Outside zone

Router(config)#zone security INSIDE
Router(config)#zone security OUTSIDE

(In fact, we don't need to type exit before typing zone security OUTSIDE.)

Assign IP addresses and apply zones to interfaces

Router(config)#interface fa0/0
Router(config-if)#ip address 10.0.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#zone-member security INSIDE

Router(config)#interface fa0/1
Router(config-if)#ip address 10.0.2.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#zone-member security INSIDE

Router(config)#interface fa1/0
Router(config-if)#ip address 12.12.12.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#zone-member security OUTSIDE

Define interesting traffic with class-map

Router(config)#class-map type inspect match-any CLASS_MAP_IN_TO_OUT
Router(config-cmap)#match protocol icmp

In the class-map configuration, the two most used parameters are match-any and match-all. If match-any is used, traffic must meet only one of the match criteria in the class map. In contrast, if match-all is specified, traffic must match all the criteria of that class-map. In this example we only want to check whether the traffic is ICMP, so we can use either match-any or match-all. You may ask: how can match-all be used, since a packet can't match two or more protocols? The answer is that match-all can be used with criteria ordered from the more specific to the less specific protocol. For example:

match protocol http
match protocol tcp

We defined what traffic we want to monitor. Now we need to specify what we want to do with that traffic.

Router(config)#policy-map type inspect POLICY_MAP_IN_TO_OUT
Router(config-pmap)#class type inspect CLASS_MAP_IN_TO_OUT
Router(config-pmap-c)#inspect

I want to explain more about the inspect action in the policy-map POLICY_MAP_IN_TO_OUT. Unlike the drop and pass actions, when using this action we need to tell the router which class-map the router must look up for the interesting traffic.

Notice that at the end of each policy-map there is a hidden class class-default that drops all other traffic by default, just like the implicit deny all at the end of each access list. Something like this:

class class-default
  drop

Ok, mostly done! The last thing is specifying the direction of this firewall (recall that the Zone based Firewall is uni-directional). We do this with a zone-pair.

Router(config)#zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect POLICY_MAP_IN_TO_OUT

As you see, we define the direction by specifying the source and destination. Of course traffic will flow from the source to the destination. In this case we only permit traffic from INSIDE to OUTSIDE.

An important note: return traffic is allowed by default. So if a policy permits the traffic in the outbound direction, it also permits the return traffic in the inbound direction.

It is not possible for traffic to flow between an interface that is a member of a security zone and one that is not a member of a security zone, because a policy can be applied only between two zones. If an interface on a router cannot be part of a security zone or firewall policy, it may be necessary to put that interface in a security zone and configure a pass all policy between that zone and other zones where traffic should flow.

In conclusion to configure Zone Based Policy Firewall we need to do these steps:

+ Specify zones.
+ Specify what type of traffic (protocol) we want to monitor with a class-map.
+ Specify what action we want to do (drop, permit or inspect) with a policy-map.
+ Specify the direction we want to apply the filter with a zone-pair.

In this example we configured:

+ Zones: INSIDE and OUTSIDE
+ Type of traffic: icmp (ping)
+ Action: inspect (because we don't allow or deny all types of traffic, we must use the inspect action)
+ Direction: INSIDE to OUTSIDE

We can say this firewall in plain text: only allow icmp traffic from INSIDE to OUTSIDE, drop other traffic.

Now, if we ping from a PC (INSIDE) to 12.12.12.2 (OUTSIDE), it works well:

(INSIDE)#ping 12.12.12.2
!!!!!

but a ping from 12.12.12.2 (OUTSIDE) to a PC (INSIDE) will be dropped:

(OUTSIDE)#ping 10.0.1.1
..
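To check one's understanding of the rules above (intra-zone traffic flows freely, zoned-to-unzoned is dropped, no zone-pair means drop, the hidden class-default drops what the class-map does not match, inspect permits return traffic while pass does not), here is an added Python model of the decision logic; it is not part of the tutorial and is not how IOS is implemented. The interface names, zones and policy mirror the tutorial's scenario; the Packet and ZoneFirewall types are this example's own.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src_if: str
    dst_if: str
    protocols: frozenset       # every match the packet satisfies, e.g. {"tcp", "http"}
    from_router: bool = False  # traffic the router itself originates

@dataclass
class ZoneFirewall:
    zone_of: dict   # interface -> zone; an interface missing here is in no zone
    pairs: dict     # (src_zone, dst_zone) -> (match mode, [protocols], action)
    sessions: set = field(default_factory=set)  # state table of inspected flows

    @staticmethod
    def matches(mode, protocols, pkt):
        hits = [p in pkt.protocols for p in protocols]
        return any(hits) if mode == "match-any" else all(hits)

    def decide(self, pkt):
        if pkt.from_router:
            return "pass"      # router-originated traffic flows freely by default
        src, dst = self.zone_of.get(pkt.src_if), self.zone_of.get(pkt.dst_if)
        if src == dst:
            return "pass"      # same zone: no zone-pair needed
        if src is None or dst is None:
            return "drop"      # zoned <-> unzoned interface is never allowed
        if (pkt.dst_if, pkt.src_if, pkt.protocols) in self.sessions:
            return "pass"      # return traffic of an inspected session
        policy = self.pairs.get((src, dst))
        if policy is None:
            return "drop"      # no zone-pair in this direction
        mode, protocols, action = policy
        if not self.matches(mode, protocols, pkt):
            return "drop"      # hidden class-default
        if action == "inspect":
            self.sessions.add((pkt.src_if, pkt.dst_if, pkt.protocols))
        return action          # "pass" tracks no state, so no return entry is created

def tutorial_firewall():
    """The tutorial's scenario: INSIDE -> OUTSIDE, icmp only, action inspect."""
    return ZoneFirewall(
        zone_of={"fa0/0": "INSIDE", "fa0/1": "INSIDE", "fa1/0": "OUTSIDE"},
        pairs={("INSIDE", "OUTSIDE"): ("match-any", ["icmp"], "inspect")},
    )
```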
