
Department of Electrical Engineering, National Cheng Kung University
Midterm (2) of the Network Engineering Course
Instructor: Prof. Chu-Sing Yang
Date: 2009.12.28 9:10 - 11:00
Student ID:            Student Name:

Part I. Choose the best answer or answers for each question. (44%)

1. If we say User fantasymew accessed host serverMP using SSH for 1 hour, then which component in AAA accomplishes it?
(A) Authentication
(B) Accessibility
(C) Authorization
(D) Accounting

2. AAA can be used to authenticate users for administrative access or it can be used to authenticate users for remote network access. These two access methods use different modes to request AAA services. If a user sends a request to establish a connection through the router with a device on the network, then what mode does the access method use?
(A) Packet mode
(B) Character mode
(C) Privileged mode
(D) Router mode

3. Refer to this figure. Which statement is true about the characteristics of this kind of authentication process?
(A) It separates AAA according to the AAA architecture.
(B) It usually utilizes TCP port 49.
(C) It encrypts only the password, not the entire packet.
(D) It provides authorization of router commands on a per-user or per-group basis.

4. Which Cisco Secure ACS menu is required to set menu display options for TACACS+ and RADIUS?
(A) Network configuration
(B) System configuration
(C) Interface configuration
(D) External user databases

5. When configuring a method list for AAA authentication, what is the effect of the keyword local-case?
(A) It accepts a locally configured username with case-sensitivity.
(B) It uses the enable password for authentication.
(C) It uses the line password for authentication.
(D) The login succeeds even if all methods return an error.

6. Refer to this configuration on R2 with the resulting log message. On the basis of the information presented, which two AAA authentication statements are true? (Choose two.)
    R2(config)# enable secret Pa55w0rd
    R2(config)# username Admin secret Str0ngPa55w0rd
    R2(config)# aaa new-model
    R2(config)# aaa authentication login default local-case enable
    R2(config)# aaa local authentication attempts max-fail 1
    R2(config)# exit
    R2# Dec 28 09:41:12.317: %SYS-5-CONFIG_I Configured from console by Admin on console
    R2# Dec 28 09:50:55.912: %AAA-5-USER_LOCKED: User Admin locked out on authentication failure
    R2#
(A) The locked-out user failed authentication.
(B) The locked-out user is locked out for one day by default.
(C) The locked-out user should have used the username admin and password Str0ngPa55w0rd.
(D) If the user account has one unsuccessful attempt, it will be locked out due to failed authentication.
(E) The locked-out user stays locked out until the clear aaa local user lockout Admin command is issued in user EXEC mode.

7. Refer to this figure. To meet the following needs, which three commands are required after AAA is enabled and authentication is configured on R1? (Choose three.)
(1) Allow authenticated users administrative access to commands such as show version.
(2) Log the use of EXEC sessions.
(3) Log the use of network connections.
(A) aaa authentication exec default group tacacs+
(B) aaa authorization exec default group tacacs+
(C) aaa accounting connection start-stop group tacacs+
(D) aaa accounting exec start-stop group tacacs+
(E) aaa accounting network start-stop group tacacs+

8. Which two statements are true about server-based AAA? (Choose two.)
(A) It is usually used in small or simple networks for AAA authentication.
(B) AAA servers can use TACACS+ or RADIUS protocols to communicate with client routers.
(C) It uses the local database of the router for authentication.
(D) It requires the services of an external server such as the Cisco Secure ACS for Windows Server.
(E) Server-based AAA authentication is less scalable than local AAA authentication.

9. What is the limitation of standard IP ACLs?
(A) It can only filter on source IP address.
(B) It can only filter on destination IP address.
(C) It can only filter on source TCP and UDP port.
(D) It can only filter on destination TCP and UDP port.

10. Which two statements are false about ACLs? (Choose two.)
(A) ACLs are created globally and then applied to interfaces.
(B) ACLs have a policy of multiple matches.
(C) ACLs have a directional filter that determines whether inbound packets or outbound packets are examined.
(D) ACLs are processed top-down.
(E) ACLs have an implicit permit all statement at the end.

11. Refer to this figure. What can we conclude according to this configuration on R1? (Choose two.)
    R1(config)# access-list 102 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
    R1(config)# access-list 102 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
    R1(config)# access-list 102 permit ip any any
    R1(config)# interface fastethernet 0/1
    R1(config-if)# ip access-group 102 in
(A) R1 is configured with standard IP ACLs to restrict FTP traffic.
(B) FTP access is denied from subnet 172.16.4.0/24 to subnet 172.16.3.0/24.
(C) FTP access is denied from subnet 172.16.3.0/24 to subnet 172.16.4.0/24.
(D) FTP access is permitted from the subnet 172.16.4.0/24 destined for any network other than the subnet 172.16.3.0/24.
(E) FTP access is permitted from the subnet 172.16.3.0/24 destined for any network other than the subnet 172.16.4.0/24.

12. Which three statements describe the characteristics of the keyword established when configuring ACLs? (Choose three.)
(A) It can be applied to extended ACLs.
(B) It forces the router to check whether the TCP ACK or RST control flag is set.
(C) It opens a hole in the router which could be exploited by hackers.
(D) It implements a stateful firewall on a router.
(E) It applies to TCP, UDP or ICMP traffic.

13. Refer to this configuration on R3. Which three statements are true? (Choose three.)
    R3(config)# username Student password 0 cisco
    R3(config)# access-list 103 permit tcp any host 10.2.3.4 eq 23
    R3(config)# access-list 103 dynamic dynamicACL timeout 20 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
    R3(config)# interface serial 0/0/1
    R3(config-if)# ip access-group 103 in
    R3(config-if)# exit
    R3(config)# line vty 0 4
    R3(config-line)# login local
    R3(config-line)# autocommand access-enable host timeout 5
(A) The remote user can open an SSH connection to the router for access.
(B) The dynamic ACL entry is applied to the extended ACL.
(C) The dynamic ACL entry is ignored until lock-and-key is triggered.
(D) The autocommand access-enable command specifies lock-and-key authentication.
(E) The absolute timeout is specified in the autocommand command.

14. Which command cannot be used to display the ACL configuration information on the CLI of the router?
(A) show access-lists
(B) show ip access-lists
(C) show running-config
(D) show interfaces
(E) show ip interface

15. Which type of firewall can expand the number of IP addresses available and hide the network addressing design?
(A) Packet-filtering firewall
(B) Stateful firewall
(C) Address-translation firewall
(D) Transparent firewall

16. Which three statements best describe the characteristics of stateful firewalls? (Choose three.)
(A) They monitor the state of connections, whether the connection is in an initiation, data transfer, or termination state.
(B) They are susceptible to IP spoofing and DoS attacks.
(C) They are a firewall architecture that is classified at the Session Layer.
(D) They cannot prevent Application Layer attacks because they do not examine the actual contents of the HTTP connections.
(E) They do not support user authentication.

17. What parameter is tracked by CBAC for TCP traffic to detect and prevent SYN-flooding attacks?
(A) Source port number
(B) SYN and ACK flags
(C) Sequence number
(D) Window size

18. Which command can be used to create a CBAC inspection rule at the interface of the router?
(A) ip inspect alert-off
(B) ip inspect audit-trail
(C) ip inspect name
(D) show ip inspect name

19. Refer to this configuration on R4. Which two statements are false? (Choose two.)
    R4(config)# ip access-list extended OUT-IN
    R4(config-ext-nacl)# deny ip any any
    R4(config-ext-nacl)# exit
    R4(config)# interface s0/0/1
    R4(config-if)# ip access-group OUT-IN in
    R4(config-if)# exit
    R4(config)# ip inspect name IN-OUT-IN telnet
    R4(config)# ip inspect audit-trail
    R4(config)# interface s0/0/1
    R4(config-if)# ip inspect IN-OUT-IN out
(A) All HTTP traffic entering interface Serial 0/0/1 is denied.
(B) All Telnet traffic entering interface Serial 0/0/1 is allowed.
(C) OUT-IN is the name of a CBAC inspection rule.
(D) The command ip inspect audit-trail is used to enable the logging of session information.
(E) The inspection rule is applied to egress traffic on interface Serial 0/0/1.

20. When the CBAC configuration is finished and applied at the interface on a router, which command can be used to display the CBAC inspection configuration?
(A) show ip inspect interfaces
(B) show ip inspect sessions
(C) show ip inspect statistics
(D) show interfaces

21. What is the first step in configuring a Cisco IOS zone-based policy firewall using the CLI?
(A) Create firewall zones.
(B) Define traffic classes and access lists.
(C) Specify firewall policies.
(D) Apply firewall policies.

22. Refer to this configuration on R5, in which the exit commands have been omitted. The IP address for Fa0/1 on R5 is 192.168.3.1 with subnet mask 255.255.255.0, and for S0/0/1 it is 10.2.2.1 with subnet mask 255.255.255.252. Which three statements are true? (Choose three.)
    R5(config)# zone security IN-ZONE
    R5(config)# zone security OUT-ZONE
    R5(config)# access-list 105 permit ip 192.168.3.0 0.0.0.255 any
    R5(config)# class-map type inspect match-all IN-NET-CLASS-MAP
    R5(config-cmap)# match access-group 105
    R5(config)# policy-map type inspect IN-2-OUT-PMAP
    R5(config-pmap)# class type inspect IN-NET-CLASS-MAP
    R5(config-pmap-c)# inspect
    R5(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
    R5(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
    R5(config)# interface fa0/1
    R5(config-if)# zone-member security IN-ZONE
    R5(config)# interface s0/0/1
    R5(config-if)# zone-member security OUT-ZONE
(A) The zone security command is used to create the firewall zones.
(B) The match access-group command is used to match standard ACL 105.
(C) The use of the inspect command invokes CBAC.
(D) After configuring the zone-based policy firewall, the internal hosts (in IN-ZONE) can still access external resources (in OUT-ZONE).
(E) After configuring the zone-based policy firewall, the external hosts (in OUT-ZONE) can still access internal resources (in IN-ZONE).

Part II. Answer the following questions. (56%)

1. In homework 2, we used Packet Tracer to configure AAA authentication on Cisco routers. Today, we want to configure server-based AAA authentication using TACACS+ on R2. Given the topology diagram and addressing table, please answer the following questions. (15%)

Topology Diagram

Addressing Table

(1) After entering privileged EXEC mode on R2 (R2#), if we want to enter global configuration mode (R2(config)#), what command can we use to accomplish it? (2%)
    configure terminal

(2) Given the secret key tacacspa55, what commands can we use to configure the AAA TACACS+ server IP address and secret key on R2? (4%)
    tacacs-server host 192.168.2.2
    tacacs-server key tacacspa55

(3) After configuring the TACACS+ server specifics on R2, for what purpose is the command aaa new-model needed? (2%)
    To enable AAA.

(4) To configure all logins to authenticate using the AAA TACACS+ server with the default authentication list, the aaa authentication login default command is required. But if we want to list all arguments which can follow that command, how can we do it? (3%)
    aaa authentication login default ?

(5) Refer to this figure. To complete configuring all logins to authenticate using the AAA TACACS+ server and, if it is not available, the local database, what command can we use? (4%)
    R2(config)# Command A (the answer to Question (4))
      enable   Use enable password for authentication.
      group    Use Server-group.
      local    Use local username authentication.
      none     No authentication.
    R2(config)# Command B
      radius   Use list of all Radius hosts.
      tacacs+  Use list of all Tacacs+ hosts.
    R2(config)# aaa authentication login default group tacacs+ local
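The method list in the answer to (5), and the local-case and lock-out questions of Part I (Q5, Q6), all depend on one rule that is easy to get wrong: IOS moves to the next method in the list only when the current method returns an error (no TACACS+ server answered), never when the server is reachable and rejects the credentials. The following Python model is an added example written for this exam; it is not Cisco IOS code, and the user database entries, the secret values and the server_up flag are constructed placeholders.

```python
"""Model of how a Cisco IOS AAA login method list is consulted, e.g.
"aaa authentication login default group tacacs+ local".

Added example, not Cisco IOS code. Methods are tried left to right and
the next one is consulted only when the current one returns ERROR
(server unreachable), not when the server is reachable and says FAIL.
"""

PASS, FAIL, ERROR = "pass", "fail", "error"

# Constructed stand-ins for the TACACS+ server database and the router's
# local database (the local entry mirrors the username from Part I, Q6).
TACACS_USERS = {"netadmin": "tacacspa55"}
LOCAL_USERS = {"Admin": "Str0ngPa55w0rd"}
ENABLE_SECRET = "Pa55w0rd"


def method_group_tacacs(user, pw, server_up):
    """ERROR when no TACACS+ server answers; otherwise the server's PASS/FAIL."""
    if not server_up:
        return ERROR
    return PASS if TACACS_USERS.get(user) == pw else FAIL


def method_local(user, pw, case_sensitive):
    """'local' compares usernames case-insensitively; 'local-case' (Part I, Q5) does not."""
    for name, secret in LOCAL_USERS.items():
        same = (name == user) if case_sensitive else (name.lower() == user.lower())
        if same:
            return PASS if secret == pw else FAIL
    return FAIL


def method_enable(pw):
    return PASS if pw == ENABLE_SECRET else FAIL


def authenticate(method_list, user, pw, server_up=True):
    """Walk the method list: stop at the first PASS or FAIL, move on only on ERROR.
    Returns (result, method that decided); (FAIL, None) when every method errored."""
    for method in method_list:
        if method == "group tacacs+":
            result = method_group_tacacs(user, pw, server_up)
        elif method == "local":
            result = method_local(user, pw, case_sensitive=False)
        elif method == "local-case":
            result = method_local(user, pw, case_sensitive=True)
        elif method == "enable":
            result = method_enable(pw)
        elif method == "none":
            result = PASS                       # no authentication at all
        else:
            raise ValueError(f"unknown method: {method}")
        if result != ERROR:
            return result, method
    return FAIL, None


if __name__ == "__main__":
    # TACACS+ reachable but rejecting: the list does NOT fall through to local
    print(authenticate(["group tacacs+", "local"], "Admin", "Str0ngPa55w0rd"))
    # TACACS+ unreachable: local is consulted and accepts
    print(authenticate(["group tacacs+", "local"], "Admin", "Str0ngPa55w0rd", server_up=False))
```

The two calls at the bottom are the point of the exercise: with "group tacacs+ local", a user that exists only in the local database is rejected as long as the TACACS+ server is up, and the local fallback only protects against losing the server. The same walk with "local-case enable" and the username "admin" shows why the Q6 account was locked out after a single attempt.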

2. Please describe the differences between inbound ACLs and outbound ACLs. (6%)
    Inbound ACLs are examined when a packet enters the router, before the routing table is consulted. Outbound ACLs are examined after the router has processed the packet to determine where to forward it, before the packet is forwarded out of the destination interface.

3. A firewall is a system or group of systems that enforces an access control policy between networks. It can include options such as a packet-filtering router, a switch with two VLANs, and multiple hosts with firewall software. Using a firewall in a network adds more security, but there are still some limitations. Please list at least three limitations of using a firewall. (6%)
    (1) If misconfigured, a firewall can have serious consequences (single point of failure).
    (2) Many applications cannot be passed over firewalls securely.
    (3) Users might proactively search for ways around the firewall to receive blocked material, exposing the network to potential attack.
    (4) Network performance can slow down.
    (5) Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.

4. Assume that a user initiates an outbound connection, such as Telnet, from a protected network to an external network, and CBAC is enabled to inspect Telnet traffic. Also assume that an ACL is applied on the external interface preventing Telnet traffic from entering the protected network. Please describe the CBAC operation for this Telnet connection from initiation to termination. (10%)
    (1) Examine the inbound ACL of the internal interface to determine if Telnet requests are permitted to leave the network.
    (2) Compare the packet type to the inspection rules to determine if Telnet should be tracked.
    (3) Add information to the state table to track the Telnet session.
    (4) Add a dynamic entry to the inbound ACL on the external interface to allow reply packets back into the internal network.
    (5) Remove the state entry and the dynamic ACL entry when the session is terminated.
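The five steps above, and the top-down, first-match, implicit-deny evaluation that Part I Q10 and Q11 test, are simulated by the following Python model. It is an added example for this exam, not Cisco IOS code: it parses only the numbered access-list syntax the exam uses (permit/deny; ip, tcp or udp; "any", "host A.B.C.D" or "A.B.C.D wildcard"; an optional "eq PORT"), the dynamic entry it installs is a simplified mirror of the outbound packet keyed on the client's source port, and the router, interfaces and packets in it are constructed for the demonstration.

```python
"""Extended IP ACL evaluation plus the CBAC behaviour of Part II, question 4.
Added example; not Cisco IOS code, simplified ACL grammar (see lead-in)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str          # "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _parse_addr(tokens):
    """Consume one address spec ("any" | "host X" | "X wildcard"); return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (None, 0), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], 0), tokens[2:]
    return (tokens[0], int(ipaddress.ip_address(tokens[1]))), tokens[2:]


def _addr_matches(ip, spec):
    base, wildcard = spec
    if base is None:                          # "any"
        return True
    # a wildcard bit of 1 means "don't care", so those bits are masked out on both sides
    return int(ipaddress.ip_address(ip)) & ~wildcard == int(ipaddress.ip_address(base)) & ~wildcard


def parse_ace(line):
    """e.g. 'access-list 102 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21'."""
    t = line.split()
    if t[0] == "access-list":                 # drop "access-list <number>"
        t = t[2:]
    action, proto, t = t[0], t[1], t[2:]
    src, t = _parse_addr(t)
    dst, t = _parse_addr(t)
    dport = int(t[1]) if len(t) >= 2 and t[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (_addr_matches(pkt.src, ace["src"]) and _addr_matches(pkt.dst, ace["dst"])):
        return False
    return ace["dport"] is None or ace["dport"] == pkt.dport


def evaluate(acl, pkt):
    """Top-down; the first matching entry decides; no match hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


class CbacRouter:
    """ACL inbound on the internal interface, ACL inbound on the external interface,
    CBAC inspecting outbound TCP sessions to the given destination ports."""

    def __init__(self, internal_in_acl, external_in_acl, inspect_tcp_ports):
        self.internal_acl = [parse_ace(l) for l in internal_in_acl]
        self.external_acl = [parse_ace(l) for l in external_in_acl]
        self.inspect_tcp_ports = set(inspect_tcp_ports)   # e.g. {23} for telnet
        self.state_table = {}                              # session key -> dynamic ACE

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def outbound(self, pkt):
        # step (1): the internal interface's inbound ACL decides whether the packet may leave
        if evaluate(self.internal_acl, pkt) == "deny":
            return "denied"
        # steps (2)-(4): an inspected packet type gets a state entry and a dynamic ACE that
        # permits the mirror-image reply packets on the external interface
        if pkt.proto == "tcp" and pkt.dport in self.inspect_tcp_ports:
            self.state_table[self._key(pkt)] = parse_ace(
                f"permit tcp host {pkt.dst} host {pkt.src} eq {pkt.sport}")
            return "inspected"
        return "forwarded"

    def inbound(self, pkt):
        # dynamic entries are consulted before the static entries of the external ACL
        return evaluate(list(self.state_table.values()) + self.external_acl, pkt)

    def terminate(self, pkt):
        # step (5): session over, so its state entry and dynamic ACE are removed
        self.state_table.pop(self._key(pkt), None)


if __name__ == "__main__":
    r = CbacRouter(["permit ip any any"], ["deny ip any any"], {23})
    req = Packet("tcp", "192.168.1.10", "203.0.113.5", 51000, 23)     # constructed
    reply = Packet("tcp", "203.0.113.5", "192.168.1.10", 23, 51000)
    print(r.inbound(reply), r.outbound(req), r.inbound(reply))        # deny inspected permit
    r.terminate(req)
    print(r.inbound(reply))                                           # deny
```

Feeding the Q11 access-list 102 lines into parse_ace and evaluating FTP packets in both directions reproduces the asymmetry the question is about; the external ACL in the demo is the "deny ip any any" of Q19, which is exactly the case where only the dynamic entry lets the Telnet replies back in.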

5. When configuring CBAC inspection rules, alerts are enabled by default and automatically display on the console line of the router. If alerts have been disabled using the ip inspect alert-off command, and there is no other command such as ip inspect alert-on to use, what can we do when the alerts need to be re-enabled? (3%)
    no ip inspect alert-off

6. Designing zone-based policy firewalls involves a few steps as follows.
    (a) Design the physical infrastructure.
    (b) Identify subsets within zones and merge traffic requirements.
    (c) Determine the zones.
    (d) Establish policies between zones.
What is the most appropriate order in common zone-based policy firewall design? (4%)
    (c) -> (d) -> (a) -> (b)

7. Please list three actions that can be applied to a traffic class when configuring a Cisco IOS zone-based policy firewall. (6%)
    Drop, inspect, and pass.
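How those three actions, the zone-pair, and the zone membership of Part I Q22 fit together is shown by the following Python model of zone-based policy lookups. It is an added example for this exam, not Cisco IOS code; the zone names, the interface names and the 192.168.3.0/24 match follow the R5 configuration of Q22, while the lookup rules it encodes are a simplified model (no self zone, no class-default configuration, and the "inspect" bookkeeping is a plain set of flows).

```python
"""Zone-based policy firewall lookup: interface -> zone, (zone, zone) -> ordered
classes with an action of drop, inspect or pass. Added example, not Cisco IOS code."""
import ipaddress


class ZoneBasedFirewall:
    def __init__(self):
        self.zone_of = {}        # interface name -> zone name
        self.pairs = {}          # (src_zone, dst_zone) -> [(match_fn, action), ...]
        self.sessions = set()    # flows admitted by "inspect", so replies can return

    def zone_member(self, interface, zone):
        self.zone_of[interface] = zone

    def zone_pair(self, src_zone, dst_zone, classes):
        """classes: ordered (match_fn, action) entries, like the classes of a policy-map."""
        self.pairs[(src_zone, dst_zone)] = classes

    def forward(self, in_if, out_if, flow):
        """flow = (src_ip, dst_ip, proto, sport, dport). Returns the action taken."""
        src_zone, dst_zone = self.zone_of.get(in_if), self.zone_of.get(out_if)
        if src_zone is None or dst_zone is None:
            # two non-member interfaces may talk; a member and a non-member may not
            return "pass" if src_zone == dst_zone else "drop"
        if src_zone == dst_zone:
            return "pass"                          # intra-zone traffic is not policed
        reverse = (flow[1], flow[0], flow[2], flow[4], flow[3])
        if reverse in self.sessions:
            return "pass"                          # return traffic of an inspected session
        policy = self.pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop"                          # no zone-pair in this direction: default deny
        for match_fn, action in policy:
            if match_fn(flow):
                if action == "inspect":
                    self.sessions.add(flow)        # remember the flow so its replies pass
                return action
        return "drop"                              # nothing matched: class-default drops


def match_access_group_105(flow):
    """Stand-in for 'access-list 105 permit ip 192.168.3.0 0.0.0.255 any' (Q22)."""
    return ipaddress.ip_address(flow[0]) in ipaddress.ip_network("192.168.3.0/24")


def build_r5():
    """The zone layout and the single IN-2-OUT zone-pair from the Q22 configuration."""
    fw = ZoneBasedFirewall()
    fw.zone_member("fa0/1", "IN-ZONE")
    fw.zone_member("s0/0/1", "OUT-ZONE")
    fw.zone_pair("IN-ZONE", "OUT-ZONE", [(match_access_group_105, "inspect")])
    return fw


if __name__ == "__main__":
    fw = build_r5()
    # constructed flows: an inside web request, its reply, and an unsolicited inbound telnet
    print(fw.forward("fa0/1", "s0/0/1", ("192.168.3.10", "203.0.113.7", "tcp", 40000, 80)))
    print(fw.forward("s0/0/1", "fa0/1", ("203.0.113.7", "192.168.3.10", "tcp", 80, 40000)))
    print(fw.forward("s0/0/1", "fa0/1", ("203.0.113.7", "192.168.3.10", "tcp", 4444, 23)))
```

With only the IN-2-OUT zone-pair configured, inside hosts reach outside and get their replies back, while any outside-initiated flow is dropped for lack of an OUT-to-IN pair; adding a second pair with an explicit "pass" or "drop" class shows the other two actions.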

8. What is a DMZ (demilitarized zone)? (6%)
    A DMZ is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network. The purpose of a DMZ is to add an additional layer of security to an organization's LAN.
