Checkpoint Exam: Firewalls, Cryptography, and Cloud Security Flashcards
Refer to the exhibit. An administrator has configured a standard ACL on R1 and applied it to interface serial 0/0/0 in the outbound direction. What happens to traffic leaving interface serial 0/0/0 that does not match the configured ACL statements?
Router(config)# ip access-list extended SECURE
Router(config-ext-nacl)# permit tcp any 192.168.254.0 0.0.1.255 established
Router(config-ext-nacl)# end
Router#
The resulting action is determined by the destination IP address and port number.
The resulting action is determined by the destination IP address.
The traffic is dropped.
The source IP address is checked and, if a match is not found, traffic is routed out interface serial 0/0/1.
The traffic is dropped.
When an inbound Internet-traffic ACL is being implemented, what should be included to prevent the spoofing of internal networks?
ACEs to prevent broadcast address traffic
ACEs to prevent traffic from private address spaces
ACEs to prevent ICMP traffic
ACEs to prevent SNMP traffic
ACEs to prevent HTTP traffic
ACEs to prevent traffic from private address spaces
Refer to the exhibit. What is the result of adding the established argument to the end of the ACE?
Router(config)# ip access-list extended SECURE
Router(config-ext-nacl)# permit tcp any 192.168.254.0 0.0.1.255 established
Router(config-ext-nacl)#exit
Router#
192.168.254.0 /23 traffic is allowed to reach any network.
Any IP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network as long as it is in response to an originated request.
Any traffic is allowed to reach the 192.168.254.0 255.255.254.0 network.
Any TCP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network if it is in response to an originated request.
Any TCP traffic is allowed to reach the 192.168.254.0 255.255.254.0 network if it is in response to an originated request.
What single access list statement matches all of the following networks?
192.168.16.0
192.168.17.0
192.168.18.0
192.168.19.0
access-list 10 permit 192.168.16.0 0.0.0.255
access-list 10 permit 192.168.16.0 0.0.3.255
access-list 10 permit 192.168.16.0 0.0.15.255
access-list 10 permit 192.168.0.0 0.0.15.255
access-list 10 permit 192.168.16.0 0.0.3.255
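The three ACL questions above (implicit deny when nothing matches, the established keyword, and choosing a wildcard mask that covers exactly 192.168.16.0 through 192.168.19.0) all come down to how a router evaluates an ACE. The following is an added example, not code from the flashcards or from Cisco IOS: a small Python model of IPv4 ACL evaluation with wildcard masks, top-down first match, implicit deny, and the stateless established check. The ACL SECURE mirrors the exhibit; the packet addresses, ports and the 192.168.16.0 test hosts are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Added example, not from the flashcards or from Cisco IOS. A minimal model of how
# a router evaluates an IPv4 ACL: top-down first match, implicit deny at the end,
# wildcard masks (1 bit = don't care), and the stateless 'established' keyword.
# All addresses, masks and packets below are constructed for illustration.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network under an IOS wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # 0 bits must match
    return (a & care) == (n & care)

@dataclass
class ACE:
    action: str                        # "permit" or "deny"
    proto: str = "ip"                  # "ip" matches any protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"    # "any"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None
    established: bool = False

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    tcp_flags: frozenset = frozenset()  # e.g. {"SYN"}, {"ACK"}, {"RST"}

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
        return False
    # 'established' keeps no state: it only requires ACK or RST to be set, so a
    # crafted segment with ACK set satisfies it just as a real reply does.
    if ace.established and not (pkt.proto == "tcp" and pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl: list[ACE], pkt: Packet) -> str:
    """First matching ACE decides; a packet matching nothing hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Question "which single statement matches 192.168.16.0 - 192.168.19.0":
def covers_all_four(wildcard: str) -> bool:
    return all(wildcard_match(f"192.168.{third}.1", "192.168.16.0", wildcard)
               for third in (16, 17, 18, 19))

def covers_only_four(wildcard: str) -> bool:
    # 0.0.3.255 frees the low 10 bits (a /22); 0.0.15.255 also admits .20 through .31
    return covers_all_four(wildcard) and not wildcard_match("192.168.20.1", "192.168.16.0", wildcard)

# Question on 'permit tcp any 192.168.254.0 0.0.1.255 established' (ACL SECURE):
SECURE = [ACE("permit", "tcp", dst="192.168.254.0", dst_wc="0.0.1.255", established=True)]

def secure_verdict(proto: str, flags: frozenset = frozenset()) -> str:
    # Source, destination host and port are constructed sample values.
    return evaluate(SECURE, Packet(proto, "203.0.113.5", "192.168.254.77", 51234, flags))
```

Running `covers_only_four` over the four candidate masks shows why 0.0.3.255 is the answer: 0.0.0.255 misses .17 to .19, while 0.0.15.255 also lets 192.168.20.0 through 192.168.31.0 in. `secure_verdict` shows that SECURE permits only TCP carrying ACK or RST; a bare SYN or any UDP datagram falls through to the implicit deny, which is also why the first question's unmatched traffic is dropped.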
Refer to the exhibit. The IPv6 access list LIMITED_ACCESS is applied on the S0/0/0 interface of R1 in the inbound direction. Which IPv6 packets from the ISP will be dropped by the ACL on R1?
R1#show access-lists
IPv6 access list LIMITED_ACCESS
permit tcp any host 2001:DB8:11:10::10 eq www sequence 10
permit tcp any host 2001:DB8:11:10::10 eq 443 sequence 20
deny ipv6 any 2001:DB8:11:10::/64 sequence 30
neighbor advertisements that are received from the ISP router
HTTPS packets to PC1
ICMPv6 packets that are destined to PC1
packets that are destined to PC1 on port 80
ICMPv6 packets that are destined to PC1
What are two characteristics of a stateful firewall? (Choose two.)
uses static packet filtering techniques
uses connection information maintained in a state table
prevents Layer 7 attacks
analyzes traffic at Layers 3, 4 and 5 of the OSI model
uses complex ACLs which can be difficult to configure
uses connection information maintained in a state table
analyzes traffic at Layers 3, 4 and 5 of the OSI model
How does a firewall handle traffic when it is originating from the public network and traveling to the DMZ network?
Traffic that is originating from the public network is inspected and selectively permitted when traveling to the DMZ network.
Traffic that is originating from the public network is usually forwarded without inspection when traveling to the DMZ network.
Traffic that is originating from the public network is usually blocked when traveling to the DMZ network.
Traffic that is originating from the public network is usually permitted with little or no restriction when traveling to the DMZ network.
Traffic that is originating from the public network is inspected and selectively permitted when traveling to the DMZ network.
Which type of firewall is commonly part of a router firewall and allows or blocks traffic based on Layer 3 and Layer 4 information?
stateless firewall
proxy firewall
stateful firewall
application gateway firewall
stateless firewall
What is one limitation of a stateful firewall?
not as effective with UDP- or ICMP-based traffic
poor log information
cannot filter unnecessary traffic
weak user authentication
not as effective with UDP- or ICMP-based traffic
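The two stateful-firewall questions above hinge on the state table: TCP's handshake gives the firewall explicit open and close events, while UDP and ICMP have no handshake, so the firewall can only hold a 5-tuple open on an idle timer and anything that fits the tuple in that window is let in. The following is an added example, not code from the flashcards or from any vendor: a toy Python state table with separate timeouts per protocol. Addresses, ports and the timeout values are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Added example, not part of the flashcards. A toy state table that shows why a
# stateful firewall handles TCP well (the handshake gives explicit open/close
# events) but must rely on idle timers for UDP and ICMP. Timeouts, addresses and
# ports below are constructed for illustration.

TCP_IDLE = 3600   # seconds a TCP entry may sit idle before removal
UDP_IDLE = 30     # UDP has no handshake, so only a short idle timer closes the hole
ICMP_IDLE = 10

@dataclass
class Flow:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # for ICMP echo, use the identifier field here
    dst: str
    dport: int      # for ICMP, 0

    def key(self) -> tuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> tuple:
        return (self.proto, self.dst, self.dport, self.src, self.sport)

@dataclass
class StatefulFirewall:
    table: dict = field(default_factory=dict)   # flow key -> last_seen timestamp

    def _expire(self, now: float) -> None:
        for k, seen in list(self.table.items()):
            idle = {"tcp": TCP_IDLE, "udp": UDP_IDLE}.get(k[0], ICMP_IDLE)
            if now - seen > idle:
                del self.table[k]

    def outbound(self, flow: Flow, now: float, flags: frozenset = frozenset()) -> str:
        """Inside -> outside. A pure SYN or any UDP/ICMP packet opens state; a TCP
        segment with no state and no SYN is out of sequence and dropped."""
        self._expire(now)
        if flow.proto == "tcp":
            if flow.key() in self.table:
                if "FIN" in flags or "RST" in flags:
                    del self.table[flow.key()]   # teardown is an explicit event
                else:
                    self.table[flow.key()] = now
                return "permit"
            if flags == frozenset({"SYN"}):
                self.table[flow.key()] = now
                return "permit"
            return "deny"
        self.table[flow.key()] = now             # UDP/ICMP: pseudo-session on a timer
        return "permit"

    def inbound(self, flow: Flow, now: float, flags: frozenset = frozenset()) -> str:
        """Outside -> inside. Permitted only as the return half of an entry opened from
        the inside. For TCP the reply must also carry ACK; for UDP/ICMP the firewall
        has nothing beyond the 5-tuple and the timer to judge it by."""
        self._expire(now)
        k = flow.reverse_key()
        if k not in self.table:
            return "deny"
        if flow.proto == "tcp" and "ACK" not in flags:
            return "deny"
        self.table[k] = now
        return "permit"

def tcp_scenario() -> list[str]:
    fw = StatefulFirewall()
    client = Flow("tcp", "10.1.1.5", 51000, "203.0.113.10", 443)
    reply = Flow("tcp", "203.0.113.10", 443, "10.1.1.5", 51000)
    unsolicited = Flow("tcp", "198.51.100.7", 40000, "10.1.1.5", 22)
    return [
        fw.outbound(client, 0.0, frozenset({"SYN"})),        # permit, opens state
        fw.inbound(reply, 0.1, frozenset({"SYN", "ACK"})),    # permit, matches state
        fw.inbound(unsolicited, 0.2, frozenset({"SYN"})),     # deny, nothing opened it
        fw.inbound(reply, 0.3, frozenset({"SYN"})),           # deny, reply lacks ACK
    ]

def udp_scenario() -> list[str]:
    fw = StatefulFirewall()
    query = Flow("udp", "10.1.1.5", 40000, "203.0.113.53", 53)
    reply = Flow("udp", "203.0.113.53", 53, "10.1.1.5", 40000)
    return [
        fw.outbound(query, 0.0),     # permit, opens a pseudo-session
        fw.inbound(reply, 5.0),      # permit: real answer or a spoof, the table cannot tell
        fw.inbound(reply, 100.0),    # deny: idle timer expired, hole closed
    ]
```

The UDP scenario is the limitation in the answer: within the idle window any datagram matching the open tuple is accepted, because there is no sequence number or handshake to check it against, so the only protection is keeping that window short.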
How does a firewall handle traffic when it is originating from the private network and traveling to the DMZ network?
The traffic is selectively denied based on service requirements.
The traffic is selectively permitted and inspected.
The traffic is usually blocked.
The traffic is usually permitted with little or no restrictions.
The traffic is usually permitted with little or no restrictions.
When a Cisco IOS zone-based policy firewall is being configured, which three actions can be applied to a traffic class? (Choose three.)
reroute
queue
drop
pass
shape
inspect
drop
pass
inspect
Which two statements describe the two configuration models for Cisco IOS firewalls? (Choose two.)
Both IOS Classic Firewall and ZPF models require ACLs to define traffic filtering policies.
ZPF must be enabled in the router configuration before enabling an IOS Classic Firewall.
The IOS Classic Firewall and ZPF cannot be combined on a single interface.
IOS Classic Firewalls and ZPF models can be enabled on a router concurrently.
IOS Classic Firewalls must be enabled in the router configuration before enabling ZPF.
The IOS Classic Firewall and ZPF cannot be combined on a single interface.
IOS Classic Firewalls and ZPF models can be enabled on a router concurrently.
What are two benefits of using a ZPF rather than a Classic Firewall? (Choose two.)
With ZPF, the router will allow packets unless they are explicitly blocked.
ZPF policies are easy to read and troubleshoot.
Multiple inspection actions are used with ZPF.
The ZPF is not dependent on ACLs.
ZPF allows interfaces to be placed into zones for IP inspection.
ZPF policies are easy to read and troubleshoot.
The ZPF is not dependent on ACLs.
When using Cisco IOS zone-based policy firewall, where is the inspection policy applied?
to a zone pair
to a global service policy
to a zone
to an interface
to a zone pair
Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router?
inside zone
outside zone
system zone
local zone
self zone
self zone
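The zone-based policy firewall questions above (inspect/pass/drop as class actions, the policy applied to a zone pair, and the system-defined self zone) describe one decision procedure. The following is an added example, not code from the flashcards or from Cisco IOS: a Python model that resolves the ingress and egress zones, applies the implicit ZPF rules for same-zone, unzoned and self-zone traffic, and then looks up the policy on the zone pair. Interface, zone and protocol names are constructed; the model does not track inspect sessions, so it shows which policy applies, not return-traffic handling.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Added example, not from the flashcards or from Cisco IOS. Models the decision a
# zone-based policy firewall makes for a packet: resolve the zones of the ingress
# and egress interfaces, apply the implicit rules (same zone, unzoned interface,
# self zone), then look up the policy attached to the zone pair. Interface, zone
# and protocol names below are constructed.

SELF = "self"   # system-defined zone for traffic to or from the router itself

@dataclass
class PolicyMap:
    # Ordered list of (protocols matched by a class-map, action); action is
    # "inspect", "pass" or "drop". Unmatched traffic falls to class class-default.
    classes: list
    default_action: str = "drop"

    def action_for(self, protocol: str) -> str:
        for protocols, action in self.classes:
            if protocol in protocols:
                return action
        return self.default_action

@dataclass
class ZPF:
    zone_of: dict = field(default_factory=dict)   # interface -> zone name
    pairs: dict = field(default_factory=dict)     # (source zone, destination zone) -> PolicyMap

    def decide(self, in_if: Optional[str], out_if: Optional[str], protocol: str) -> str:
        """in_if=None means the router originated the packet; out_if=None means it is
        destined to the router. Returns the action ZPF would take."""
        src = SELF if in_if is None else self.zone_of.get(in_if)
        dst = SELF if out_if is None else self.zone_of.get(out_if)
        if SELF in (src, dst):
            # Self-zone traffic is permitted unless a zone pair with self carries a policy.
            policy = self.pairs.get((src, dst))
            return policy.action_for(protocol) if policy else "pass"
        if src is None or dst is None:
            # Two unzoned interfaces behave like a plain router; zoned <-> unzoned is dropped.
            return "pass" if src is None and dst is None else "drop"
        if src == dst:
            return "pass"            # same zone: no policy needed
        policy = self.pairs.get((src, dst))
        # No zone pair for this direction: drop. (Return traffic of an inspected
        # session is admitted by that session's state, which this model omits.)
        return policy.action_for(protocol) if policy else "drop"

def build_example() -> ZPF:
    fw = ZPF()
    fw.zone_of = {"Gi0/0": "INSIDE", "Gi0/2": "INSIDE", "Gi0/1": "OUTSIDE", "Gi0/3": "DMZ"}
    # Gi0/4 is deliberately left out of every zone.
    fw.pairs[("INSIDE", "OUTSIDE")] = PolicyMap([({"http", "https", "dns"}, "inspect"),
                                                 ({"icmp"}, "pass")])
    fw.pairs[("OUTSIDE", "DMZ")] = PolicyMap([({"http", "https"}, "inspect")])
    return fw

def demo() -> dict:
    fw = build_example()
    return {
        "inside->outside https": fw.decide("Gi0/0", "Gi0/1", "https"),  # inspect
        "inside->outside icmp": fw.decide("Gi0/0", "Gi0/1", "icmp"),    # pass
        "inside->outside ssh": fw.decide("Gi0/0", "Gi0/1", "ssh"),      # drop (class-default)
        "outside->inside https": fw.decide("Gi0/1", "Gi0/0", "https"),  # drop (no zone pair)
        "outside->dmz http": fw.decide("Gi0/1", "Gi0/3", "http"),       # inspect
        "inside->inside smb": fw.decide("Gi0/0", "Gi0/2", "smb"),       # pass (same zone)
        "inside->unzoned http": fw.decide("Gi0/0", "Gi0/4", "http"),    # drop
        "outside->router ssh": fw.decide("Gi0/1", None, "ssh"),         # pass (self zone default)
    }
```

The last entry is the practical caveat behind the self-zone answer: with no zone pair involving self, management protocols reaching the router from OUTSIDE are permitted by default, so a production ZPF normally adds an OUTSIDE-to-self pair that drops everything except the traffic the router must receive.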
Which cloud security domain covers cloud-specific aspects of infrastructure security and foundations for operating securely in the cloud?
Application Security
Data Security and Encryption
Management Plane and Business Continuity
Infrastructure Security
Infrastructure Security
Which technique can be used to leverage virtual network topologies to run smaller and more isolated networks without incurring additional hardware costs?
shadow IT
microsegmentation
fog computing
edge computing
microsegmentation
Which algorithm is used with symmetric encryption to provide confidentiality?
RSA
MD5
AES
ECC
AES
In which phase of application development is new software verified to run under the required security settings?
testing
staging
developing
provisioning
staging
What is the description of VM sprawl?
The demand for VMs is greater than the ability to create VMs.
When a process breaks out of the VM and interacts with the host operating system.
VMs are spread over too large of a geographic area.
There are more VMs than can be effectively managed.
There are more VMs than can be effectively managed.
Which measure can a security analyst take to perform effective security monitoring against network traffic encrypted by SSL technology?
Use a Syslog server to capture network traffic.
Require remote access connections through IPsec VPN.
Deploy a Cisco ASA.
Deploy a Cisco SSL Appliance.
Deploy a Cisco SSL Appliance.
What technology has a function of using trusted third-party protocols to issue credentials that are accepted as an authoritative identity?
hashing algorithms
PKI certificates
symmetric keys
digital signatures
PKI certificates
Match the description with the correct term
creating a message that says one thing but means something else to a specific audience
discovering that hidden information exists within a graphic file
making a message confusing so it is harder to understand
hiding data within an audio file
steganalysis
social steganography
steganography
obfuscation
creating a message that says one thing but means something else to a specific audience
(Social Steganography)
discovering that hidden information exists within a graphic file
(Steganalysis)
making a message confusing so it is harder to understand
(Obfuscation)
hiding data within an audio file
(Steganography)
Which method tries all possible passwords until a match is found?
cloud
cryptographic
birthday
brute force
rainbow tables
dictionary
brute force
An IT enterprise is recommending the use of PKI applications to securely exchange information between the employees. In which two cases might an organization use PKI applications to securely exchange information between users? (Choose two.)
file and directory
access permission
HTTPS web service
local NTP server
802.1x authentication
FTP transfers
HTTPS web service
802.1x authentication