Lesson 9

Question 1

_________ are used to look for certain things in the application - layer payload; they can be used to qualify a Layer 3/4 class map, which identifies the Layer 3 addresses, the protocol, and the port numbers of the application involved.

Answer 1

Application layer class maps

Question 2

Application layer class maps fall under two categories: _____ and ______ .

Answer 2

inspection class maps

regular expressions

Question 3

When using MPF, you can inspect at the application layer by using the ________ command and/or by using the _________ command .

Answer 3

class-map type inspect

policy-map type inspect

Question 4

Advanced Protocol Inspection (aka ______________ )

Answer 4

deep packet inspection

Question 5

App layer attacks:

Answer 5

–
Blocking .exe attachments
–
Prohibiting peer-to-peer file sharing
–
Setting limits on URL lengths (buffer overflow)
–
Prohibiting file transfer as part of IM sessions
–
Protecting web services by ensuring XML schema is valid
–
Resetting a TCP session if a string is known to be malicious
–
Dropping sessions with packets that are out of order (SIP).

Question 6

class-map type inspect =

Answer 6

used to match criteria specific to an application

Question 7

policy-map type inspect =

Answer 7

used to define special actions for inspection application traffic

Question 8

class-map supported apps

Answer 8

dns, ftp, h323, http, im , and sip

Question 9

The _________ parameter specifies that all the match commands must be matched to classify the traffic and associate a policy to it

Answer 9

match-all

Question 10

the _________ parameter specifies that only one match command has to be matched; if you omit it, the parameter defaults to match-all .

Answer 10

match-any

Question 11

Inspection Class Map config

Answer 11

fw1(config )# class-map type inspect http match-any EXAMINE- PUT-AND-POST
fw1( config-cmap )# match request method put
fw1( config-cmap )# match request method post

Question 12

policy-map supported apps

Answer 12

dcerpc , dns, esmtp, ftp, gtp , h323, http, im , mgcp , netbios, radius - accounting, rtsp, sip, skinny, and snmp .

Question 13

Policy Map Example

Answer 13

fw1(config )# policy - map type inspect http OUTPOL
fw1( config - pmap )# match request header length gt 512
fw1( config - pmap - c )# log
fw1( config - pmap - c )# exit
fw1( config - pmap )# match request header length gt 1024
fw1( config - pmap - c)# reset

Question 14

Regular Expressions

Answer 14

fw1( config )# regex

fw1( config )# class-map type regex match-any
fw1( config - cmap )# match regex

Question 15

If the policy is applied _______ , actions are applied to traffic in the ingress direction only

Answer 15

globally

Question 16

If the policy is applied to a ________ , actions are applied to all traffic bidirectionally . All traffic that enters or exits is affected if the traffic matches the class map for both directions.

Answer 16

specific interface

Question 17

QoS policing and priority queuing are always applied in the _____ direction, whether on a specific interface or globally .

Answer 17

egress

Question 18

To display statistics on the traffic being inspected on the ASA , use the ____________command

Answer 18

show service-policy

Question 19

The DNS Guard function

Answer 19

enforces one DNS response per query is enabled by default.

Question 20

________ is used to provide a way for DNS records to be trusted by whoever receives them.

Answer 20

DNSSEC

Question 21

The key component of DNSSEC is the use of ____________ to ensure that DNS records are authentic. DNSSEC not only allows a DNS server to prove the authenticity of the records it returns. It also allows the assertion of “non - existence of records ”.

Answer 21

public key cryptography

Question 22

With DNSSEC, many DNS packets will exceed____bytes

Answer 22

512 bytes and may approach 4096 bytes.

Question 23

(THis is for what?)
message - length maximum client auto
message - length maximum 512

Answer 23

the message - length maximum client auto command allows the firewall to reference the EDNS packets to properly set the message - length size. Non - DNSSEC traffic will still reference the message - length maximum 512 command to filter DNS packet size accordingly

Question 24

id - randomization

Answer 24

Enables id - randomization to generate unpredictable DNS transaction IDs in DNS messages and protect DNS servers and resolvers with poor randomization of DNS transaction IDs

Question 25

id - mismatch count 10 duration 2 action log

Answer 25

Enable id - mismatch to count DNS transaction ID mismatches within a specified period of time and generate a syslog when the defined threshold has been reached.

Question 26

match header - flag RD

drop

Answer 26

Check for DNS query messages with the recursion desired (RD) flag set in the DNS header and drop those packets to avoid being used as a recursive resolver