CISCO IOS FIREWALL FEATURE SET


  1. CBAC provides secure, per-application access control for all traffic across perimeters.

  2. CBAC intelligently filters TCP and UDP packets based on application layer protocol information.

  3. CBAC creates dynamic access control entries (ACEs) from information in the state table.

  4. CBAC inspects and monitors the control channels of sessions.

  5. CBAC only monitors the data channels of sessions.

  6. To re-enable alert messages to the router's console, use the command Router(config)# no ip inspect alert-off.

  7. CBAC audit trail messages are disabled by default. Use the ip inspect audit-trail command to enable them.

  8. By default, the TCP SYN wait time is 30 seconds.

  9. By default, the TCP FIN wait time is 5 seconds.

  10. By default, the DNS idle timeout is 5 seconds.

  11. By default, the TCP idle timeout is 3,600 seconds.

  12. By default, the UDP idle timeout is 30 seconds.

  13. The router takes measurements once per minute for the max-incomplete high and the max-incomplete low thresholds.

  14. The default ip inspect max-incomplete high threshold is 500 half-open sessions.

  15. The default ip inspect max-incomplete low threshold is 400 half-open sessions.

  16. CBAC goes into aggressive mode when the number of half-open sessions exceeds the ip inspect max-incomplete high threshold.

  17. The router measures the ip inspect one-minute threshold more frequently than once per minute, contrary to the command's name.

  18. ip inspect max-incomplete uses a one-minute sampling period.

  19. The default ip inspect tcp max-incomplete host number threshold is 50 half-open sessions.

  20. The default block-time value is 0 (zero) seconds.

  21. If the CBAC router receives noninitial packet fragments before the router receives the initial packet fragment, the router drops the noninitial fragment packets.

  22. CBAC Java inspection cannot detect, and therefore inspect or block, Java applets if the applet is encapsulated. An encapsulated Java applet might be contained in a Zip file, for example.

  23. CBAC does not inspect application traffic running on nonstandard application ports unless you use port-to-application mapping (PAM).

  24. Authentication is proving your identity.

  25. Authorization decides what resources you can access.

  26. Network-access sessions terminate at the corporate resource being accessed; the session does not terminate at a networking device.

  27. Remember, you can run either the TACACS+ protocol or the RADIUS protocol, or you can run both protocols simultaneously to provide AAA services.

  28. TACACS+ encrypts the entire packet for confidentiality when communicating between the TACACS+ server and the router.

  29. RADIUS is based on the client/server model.

  30. AppleTalk Remote Access (ARA) and NetBEUI are not supported by RADIUS.

  31. The AAA daemon is disabled by default.

  32. The TACACS+ server can return three possible status messages: Pass, Fail, and Error. Pass means authentication was successful. Fail means authentication was not successful. Error means that there was some problem and authentication could not be determined.

  33. The aaa authentication login default method applies to all lines and interfaces by default unless overridden by a more specific method.

  34. service=shell means the user is attempting to access the router's EXEC shell. The command and keyword used to specify that authorization must be obtained for attempts to access the shell were aaa authorization exec.

  35. You can access Access Control Server (ACS) via a Web browser. You must specify the port number 2002 when connecting to the ACS. If you do not, you will not get to the ACS login screen.

  36. Cisco's premier identity product is Cisco Secure Access Control Server (CSACS). You use CSACS to ensure that users are who they say they are.

  37. CSACS v3.0.1 added the following major features:

    • 802.1x support

    • MS CHAPv2 support

    • MS CHAP password aging support

    • Command authorization sets

    • EAP-TLS and EAP-MD5 support

  38. The protocol used to communicate between the CSACS server and the token-card server is usually a proprietary protocol.

  39. CSACS also supports additional databases:

    • Generic LDAP

    • Novell NDS

    • ODBC-compliant relational databases

  40. CSUtil.exe is a command-line application that performs CSACS database backups and database restores.

  41. The ACS appliance does not support a Windows GUI login.

  42. If the ACS appliance crashes, it automatically reboots.

  43. The appliance monitors ACS services, and any failed service is restarted automatically.

  44. The first place to check is the Failed Attempts report when troubleshooting.

  45. You can only configure proxyacls that use the permit keyword. All users must be configured with a privileged level equal to 15.

  46. The Key Distribution Center (KDC) acts like a CA, and the KDC is a trusted third party.

  47. For certification purposes only, Kerberos can use either a 40-bit or 56-bit DES key.

  48. The numbers of signatures that are predefined with the IOS Firewall are either 59 or 100. How many signatures you get depends upon the version of IOS Firewall that you are running.

  49. IDS on a router can be CPU intensive, can affect router performance, and may require memory for limited persistent storage.

  50. Cisco recommends that the drop and reset actions be used in conjunction to terminate an attack.

  51. The log keyword is enabled by default and sends events to a syslog server or the router's console.

  52. The default event queue size is 100 events.

  53. Events are overwritten on a FIFO (first-in, first-out) basis. If you configure a queue size of 200 events, and there are presently 200 events waiting to be transmitted, the very next new event will overwrite the first queued event, event number 1.

  54. The default global IDS action for both informational signatures and attack signatures is alarm.

  55. The default number of recipients is 250 if you do not change the threshold.

  56. Authentication proxy uses HTTP to authenticate users. Authentication proxy is HTTP-based authentication.

  57. The key concept of authentication proxy is that it is dynamic, per-user authentication and authorization using either a TACACS+ server or a RADIUS server.

  58. Only permit statements are allowed when configuring proxyacls.

  59. You must use the keyword any for the source IP address.

  60. It is important to configure the authentication proxy idle timeout to a higher value than the CBAC idle timeout value, if you are using CBAC. If you set the authentication proxy idle timeout to a value that is less than the CBAC idle timeout value, idle connections might hang.

  61. The permit entries in the IP ACL indicate that those hosts or networks that are specified with the permit keyword must authenticate using authentication proxy.

  62. Newer versions of the IOS allow for the use of both standard named or number and extended named or numbered IP access lists with authentication proxy. However, Cisco course curriculum for authentication proxy indicates that only standard numbered IP access lists can be used. If given a single answer selection question, go with standard numbered IP access lists.

  63. If the output of the show ip auth-proxy cache command displays HTTP_ESTAB, then that specific user has authenticated successfully.



CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Authors: Raman Sud
