
Department of Electrical Engineering, National Cheng Kung University
Midterm (2) of the 「Network Engineering」 Course
Instructor: Prof. Chu-Sing Yang    Date: 2009.12.28 9:10 - 11:00
Student ID:
Student Name:

Part I. Choose the best answer or answers for each question. (44%)

1. If we say “User ‘fantasymew’ accessed host serverMP using SSH for 1 hour,” then
which component in AAA accomplishes it?
(A)Authentication
(B)Accessibility
(C)Authorization
(D) Accounting

2. AAA can be used to authenticate users for administrative access or it can be used
to authenticate users for remote network access. These two access methods use
different modes to request AAA services. If a user sends a request to establish a
connection through the router with a device on the network, then what mode does
the access method use?
(A)Packet mode
(B)Character mode
(C)Privileged mode
(D) Router mode

3. Refer to this figure. Which statement is true about the characteristics of this kind
of authentication process?

(A)It separates AAA according to the AAA architecture.
(B)It usually utilizes TCP port 49.
(C)It encrypts only the password, not the entire packet.
(D) It provides authorization of router commands on a per-user or per-group basis.

4. Which Cisco Secure ACS menu is required to set menu display options for TACACS+
and RADIUS?
(A)Network configuration
(B)System configuration
(C)Interface configuration
(D) External user databases

5. When configuring a method list for AAA authentication, what is the effect of the
keyword local-case?
(A)It accepts a locally configured username with case-sensitivity.
(B)It uses the enable password for authentication.
(C)It uses the line password for authentication.
(D) The login succeeds even if all methods return an error.

6. Refer to this configuration on R2 with the resulting log message. On the basis of
the information presented, which two AAA authentication statements are true?
(Choose two.)
R2(config)# enable secret Pa55w0rd
R2(config)# username Admin secret Str0ngPa55w0rd
R2(config)# aaa new-model
R2(config)# aaa authentication login default local-case enable
R2(config)# aaa local authentication attempts max-fail 1
R2(config)# exit
R2#
Dec 28 09:41:12.317: %SYS-5-CONFIG_I Configured from console by Admin on console
R2#
Dec 28 09:50:55.912: %AAA-5-USER_LOCKED: User Admin locked out on authentication failure
R2#
(A)The locked-out user failed authentication.
(B)The locked-out user is locked out for one day by default.
(C)The locked-out user should have used the username admin and password
Str0ngPa55w0rd.
(D) If the user account has one unsuccessful attempt, it will be locked out due to
failed authentication.
(E)The locked-out user stays locked out until the clear aaa local user lockout
Admin command is issued in user EXEC mode.

7. Refer to this figure. To meet the following needs, which three commands are
required after AAA is enabled and authentication is configured on R1? (Choose
three.)
(1)Allow authenticated users administrative access to commands such as show
version.
(2)Log the use of EXEC sessions.
(3)Log the use of network connections.

(A)aaa authentication exec default group tacacs+
(B)aaa authorization exec default group tacacs+
(C)aaa accounting connection start-stop group tacacs+
(D) aaa accounting exec start-stop group tacacs+
(E)aaa accounting network start-stop group tacacs+

8. Which two statements are true about server-based AAA? (Choose two.)
(A)It is usually used in small or simple networks for AAA authentication.
(B)AAA servers can use TACACS+ or RADIUS protocols to communicate with client
routers.
(C)It uses the local database of the router for authentication.
(D) It requires the services of an external server such as the Cisco Secure ACS for
Windows Server.
(E)Server-based AAA authentication is less scalable than local AAA authentication.

9. What is the limitation of standard IP ACLs?
(A)It can only filter on source IP address.
(B)It can only filter on destination IP address.
(C)It can only filter on source TCP and UDP port.
(D) It can only filter on destination TCP and UDP port.

10. Which two statements are false about ACLs? (Choose two.)
(A)ACLs are created globally and then applied to interfaces.
(B)ACLs have a policy of multiple matches.
(C)ACLs have a directional filter that determines whether inbound packets or
outbound packets are examined.
(D) ACLs are processed top-down.
(E)ACLs have an implicit “permit all” statement at the end.

11. Refer to this figure. What can we conclude according to this configuration on R1?
(Choose two.)

R1(config)# access-list 102 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
R1(config)# access-list 102 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
R1(config)# access-list 102 permit ip any any
R1(config)# interface fastethernet 0/1
R1(config-if)# ip access-group 102 in
(A)R1 is configured with standard IP ACLs to restrict FTP traffic.
(B)FTP access is denied from subnet 172.16.4.0/24 to subnet 172.16.3.0/24.
(C)FTP access is denied from subnet 172.16.3.0/24 to subnet 172.16.4.0/24.
(D) FTP access is permitted from the subnet 172.16.4.0/24 destined for any
network other than the subnet 172.16.3.0/24.
(E)FTP access is permitted from the subnet 172.16.3.0/24 destined for any network
other than the subnet 172.16.4.0/24.
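Added example (not part of the exam, not Cisco code): a small Python evaluator that applies the access-list 102 entries from question 11 the way IOS processes a numbered ACL (top-down, first match wins, implicit deny at the end) to constructed sample packets; the host addresses and ports used for the packets are assumptions.

```python
import ipaddress

# Constructed sample: the numbered ACL from question 11, one ACE per line.
ACL_102 = [
    "access-list 102 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 102 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 102 permit ip any any",
]

def wildcard_match(addr, network, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care", a 0 bit must match.
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def _address_spec(tok, i):
    # Consume one address operand: "any", "host A" or "A WILDCARD".
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_acl(lines):
    # "access-list N action proto src dst [eq port]" -> list of ACE tuples.
    entries = []
    for line in lines:
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, i = _address_spec(tok, 4)
        dst, i = _address_spec(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries, proto, src, dst, dport=0):
    # Top-down, first match wins; falling off the end is the implicit deny any any.
    for action, ace_proto, ace_src, ace_dst, port in entries:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if not (wildcard_match(src, *ace_src) and wildcard_match(dst, *ace_dst)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_102)
    print(evaluate(acl, "tcp", "172.16.4.10", "172.16.3.5", 21))    # deny
    print(evaluate(acl, "tcp", "172.16.3.5", "172.16.4.10", 21))    # permit
```

Reversing the entry order, or dropping the final permit, changes the verdicts, which is the point of the top-down and implicit-deny rules asked about in question 10.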

12. Which three statements describe the characteristics of the keyword established
when configuring ACLs? (Choose three.)
(A)It can be applied to extended ACLs.
(B)It forces the router to check whether the TCP ACK or RST control flag is set.
(C)It opens a hole in the router which could be exploited by hackers.
(D) It implements a stateful firewall on a router.
(E)It applies to TCP, UDP or ICMP traffic.

13. Refer to this configuration on R3. Which three statements are true? (Choose
three.)
R3(config)# username Student password 0 cisco
R3(config)# access-list 103 permit tcp any host 10.2.3.4 eq 23
R3(config)# access-list 103 dynamic dynamicACL timeout 20 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
R3(config)# interface serial 0/0/1
R3(config-if)# ip access-group 103 in
R3(config-if)# exit
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# autocommand access-enable host timeout 5
(A)The remote user can open an SSH connection to the router for access.
(B)The dynamic ACL entry is applied to the extended ACL.
(C)The dynamic ACL entry is ignored until lock-and-key is triggered.
(D) The autocommand access-enable command specifies lock-and-key
authentication.
(E)The absolute timeout is specified in the autocommand command.

14. Which command cannot be used to display the ACL configuration information on
the CLI of the router?
(A)show access-lists
(B)show ip access-lists
(C)show running-config
(D) show interfaces
(E)show ip interface

15. Which type of firewalls can expand the number of IP addresses available and hide
network addressing design?
(A)Packet-filtering firewall
(B)Stateful firewall
(C)Address-translation firewall
(D) Transparent firewall

16. Which three statements best describe the characteristics of stateful firewalls?
(Choose three.)
(A)They monitor the state of connections, whether the connection is in an
initiation, data transfer, or termination state.
(B)They are susceptible to IP spoofing and DoS attacks.
(C)They are a firewall architecture that is classified at the Session Layer.
(D) They cannot prevent Application Layer attacks because they do not examine
the actual contents of the HTTP connections.
(E)They do not support user authentication.

17. What parameter is tracked by CBAC for TCP traffic to detect and prevent SYN-flooding
attacks?
(A)Source port number
(B)SYN and ACK flags
(C)Sequence number
(D) Window size

18. Which command can be used to create a CBAC inspection rule at the interface of
the router?
(A)ip inspect alert-off
(B)ip inspect audit-trail
(C) ip inspect name
(D) show ip inspect name

19. Refer to this configuration on R4. Which two statements are false? (Choose two.)
R4(config)# ip access-list extended OUT-IN
R4(config-ext-nacl)# deny ip any any
R4(config-ext-nacl)# exit
R4(config)# interface s0/0/1
R4(config-if)# ip access-group OUT-IN in
R4(config-if)# exit
R4(config)# ip inspect name IN-OUT-IN telnet
R4(config)# ip inspect audit-trail
R4(config)# interface s0/0/1
R4(config-if)# ip inspect IN-OUT-IN out
(A)All HTTP traffic entering interface Serial 0/0/1 is denied.
(B)All Telnet traffic entering interface Serial 0/0/1 is allowed.
(C)OUT-IN is the name of a CBAC inspection rule.
(D) The command ip inspect audit-trail is used to enable the logging of session
information.
(E)The inspection rule is applied to egress traffic on interface Serial 0/0/1.

20. When the CBAC configuration is finished and applied at the interface on a router,
which command can be used to display the CBAC inspection configuration?
(A)show ip inspect interfaces
(B)show ip inspect sessions
(C)show ip inspect statistics
(D) show interfaces

21. What is the first step in configuring a Cisco IOS zone-based policy firewall using
the CLI?
(A)Create firewall zones.
(B)Define traffic classes and access lists.
(C)Specify firewall policies.
(D) Apply firewall policies.

22. Refer to this configuration on R5, in which the exit commands have been omitted. The
IP address for Fa0/1 on R5 is 192.168.3.1 with subnet mask 255.255.255.0, and for
S0/0/1 it is 10.2.2.1 with subnet mask 255.255.255.252. Which three statements are
true? (Choose three.)
R5(config)# zone security IN-ZONE
R5(config)# zone security OUT-ZONE
R5(config)# access-list 105 permit ip 192.168.3.0 0.0.0.255 any
R5(config)# class-map type inspect match-all IN-NET-CLASS-MAP
R5(config-cmap)# match access-group 105
R5(config)# policy-map type inspect IN-2-OUT-PMAP
R5(config-pmap)# class type inspect IN-NET-CLASS-MAP
R5(config-pmap-c)# inspect
R5(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R5(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
R5(config)# interface fa0/1
R5(config-if)# zone-member security IN-ZONE
R5(config)# interface s0/0/1
R5(config-if)# zone-member security OUT-ZONE
(A)The zone security command is used to create the firewall zones.
(B)The match access-group command is used to match standard ACL 105.
(C)The use of the inspect command invokes CBAC.
(D) After configuring the zone-based policy firewall, the internal hosts (in IN-ZONE)
can still access external resources (in OUT-ZONE).
(E)After configuring the zone-based policy firewall, the external hosts (in OUT-ZONE)
can still access internal resources (in IN-ZONE).

Part II. Answer the following questions. (56%)

1. In homework 2, we used Packet Tracer to configure AAA authentication on Cisco
routers. Today, we want to configure server-based AAA authentication using
TACACS+ on R2. Given the topology diagram and addressing table, please answer
the following questions. (15%)
Topology Diagram
Addressing Table

(1)After entering the privileged EXEC mode on R2 (R2#), if we want to enter global
configuration mode (R2(config)#), what command can we use to accomplish
it? (2%)
configure terminal

(2)Given the secret key tacacspa55, what commands can we use to configure the
AAA TACACS+ server IP address and secret key on R2? (4%)
tacacs-server host 192.168.2.2
tacacs-server key tacacspa55

(3)After configuring the TACACS+ server specifics on R2, for what purpose is the
command aaa new-model needed? (2%)
To enable AAA.

(4)To configure all logins to authenticate using the AAA TACACS+ server with the
default authentication list, the aaa authentication login default command is
required. If we want to list all arguments that can follow that command, how
can we do it? (3%)
aaa authentication login default ?

(5)Refer to this figure. To complete configuring all logins to authenticate using the AAA
TACACS+ server and, if it is not available, the local database, what command
can we use? (4%)
R2(config)# [Command A, the answer to Question (4)]
  enable    Use enable password for authentication.
  group     Use Server-group.
  local     Use local username authentication.
  none      No authentication.
R2(config)# [Command B]
  radius    Use list of all Radius hosts.
  tacacs+   Use list of all Tacacs+ hosts.
R2(config)#
aaa authentication login default group tacacs+ local

2. Please describe the differences between inbound ACLs and outbound ACLs. (6%)
An inbound ACL is examined when a packet enters the router, before the routing
table is consulted.
An outbound ACL is examined after the router has processed the packet to determine
where to forward it, just before the packet is forwarded out of the destination
interface.

3. A firewall is a system or group of systems that enforces an access control policy
between networks. It can include options such as a packet filtering router, a switch
with two VLANs, and multiple hosts with firewall software. Using a firewall in a
network adds more security, but there are still some limitations. Please list at least
three limitations in using a firewall. (6%)
(1)If misconfigured, a firewall can have serious consequences (single point of
failure).
(2)Many applications cannot be passed over firewalls securely.
(3)Users might proactively search for ways around the firewall to receive blocked
material, exposing the network to potential attack.
(4)Network performance can slow down.
(5)Unauthorized traffic can be tunneled or hidden as legitimate traffic through the
firewall.

4. Assume that a user initiates an outbound connection, such as Telnet, from a
protected network to an external network, and CBAC is enabled to inspect Telnet
traffic. Also assume that an ACL is applied on the external interface preventing
Telnet traffic from entering the protected network. Please describe the CBAC
operation for this Telnet connection from initiation to termination. (10%)
(1)Examine the inbound ACL of the internal interface to determine if Telnet
requests are permitted to leave the network.
(2)Compare the packet type to the inspection rules to determine if Telnet should be
tracked.
(3)Add information to the state table to track the Telnet session.
(4)Add a dynamic entry to the inbound ACL on the external interface to allow reply
packets back into the internal network.
(5)Remove the state entry and the dynamic ACL entry when the session is terminated.
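Added example (not part of the exam, not Cisco code): a constructed Python model of the five CBAC steps above for a Telnet session, with a static "deny ip any any" on the external interface and a single inspection rule for Telnet. The class name, addresses, ports and result strings are assumptions, and session teardown is simplified to the first FIN or RST.

```python
# Constructed model of the five CBAC steps above (added example, not Cisco code).
INSPECT_RULE = {"telnet": ("tcp", 23)}   # ip inspect name <rule> telnet

class CbacFirewall:
    def __init__(self, inspect_rule, internal_acl=lambda proto, dport: "permit"):
        self.inspect = inspect_rule          # protocols CBAC tracks
        self.internal_acl = internal_acl     # inbound ACL of the internal interface
        self.state_table = {}                # (src, sport, dst, dport) -> proto
        self.dynamic_acl = set()             # temporary ACEs on the external interface

    def _close(self, key):
        # Step 5: the state entry and its dynamic ACE are removed together.
        src, sport, dst, dport = key
        self.state_table.pop(key, None)
        self.dynamic_acl.discard((dst, dport, src, sport))

    def outbound(self, proto, src, sport, dst, dport, flags=()):
        # Step 1: the internal interface's inbound ACL must permit the request.
        if self.internal_acl(proto, dport) != "permit":
            return "dropped by internal ACL"
        key = (src, sport, dst, dport)
        if key not in self.state_table:
            # Step 2: only protocols named in the inspection rule are tracked.
            if (proto, dport) not in self.inspect.values():
                return "forwarded, not tracked"
            # Steps 3 and 4: state entry plus a reverse-tuple hole in the external ACL.
            self.state_table[key] = proto
            self.dynamic_acl.add((dst, dport, src, sport))
        if "FIN" in flags or "RST" in flags:   # simplified: real CBAC awaits the full close
            self._close(key)
            return "forwarded, session closed"
        return "forwarded, tracked"

    def inbound(self, proto, src, sport, dst, dport, flags=()):
        # Return traffic matches a dynamic ACE; anything else hits the static deny ip any any.
        key = (src, sport, dst, dport)
        if key not in self.dynamic_acl:
            return "denied by static ACL"
        if "FIN" in flags or "RST" in flags:
            self._close((dst, dport, src, sport))
            return "permitted, session closed"
        return "permitted by dynamic entry"

if __name__ == "__main__":
    fw = CbacFirewall(INSPECT_RULE)
    print(fw.outbound("tcp", "10.1.1.5", 40000, "203.0.113.7", 23))  # forwarded, tracked
    print(fw.inbound("tcp", "203.0.113.7", 23, "10.1.1.5", 40000))   # permitted by dynamic entry
    print(fw.inbound("tcp", "203.0.113.9", 5555, "10.1.1.5", 23))    # denied by static ACL
```

An outbound HTTP request is forwarded but not tracked, so its reply is still blocked by the static ACL, which is why the inspection rule must name each protocol that needs return traffic.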

5. When configuring CBAC inspection rules, alerts are enabled by default and
automatically display on the console line of the router. If alerts have been disabled
using the ip inspect alert-off command, and there are no other commands such as
ip inspect alert-on to use, what can we do when the alerts are required to be
re-enabled? (3%)
no ip inspect alert-off

6. Designing zone-based policy firewalls involves a few steps as follows.
(a) Design the physical infrastructure.
(b)Identify subsets within zones and merge traffic requirements.
(c) Determine the zones.
(d)Establish policies between zones.
What is the most appropriate order in common zone-based policy firewall design?
(4%)
(c) -> (d) -> (a) -> (b)

7. Please list three actions that can be applied to a traffic class when configuring a
Cisco IOS zone-based policy firewall. (6%)
Drop, inspect, and pass.

8. What is DMZ (demilitarized zone)? (6%)
A DMZ is a physical or logical subnetwork that contains and exposes an
organization’s external services to a large untrusted network. The purpose of a
DMZ is to add an additional layer of security to an organization’s LAN.
