Chapter 12 359

8Which of the following is a prerequisites for access rules to be created?

A Hosts or networks must be defined before access rule creation.

B Dynamic or static translation must be defined before access rule creation.

C There are no prerequisites.

D A and B

Answer: D

9What is a translation exemption rule?

AA rule that exempts addresses from being encrypted or translated

BA rule that denies access to addresses

CA rule that increases security on selected addresses

DNone of the above

Answer: A

10PDM does not run on which of the following?

A Windows 3.1

B Windows 2000

C Linux 7.0

D Windows NT 4.0

Answer: A

Chapter 12

"Do I Know This Already?" Quiz

1What two URL filtering servers does the PIX work with?

Answer: Websense and N2H2

2What command filters out Java applets from HTML pages?

Answer: filter java port local_ip mask foreign_ip mask

3Why are Java applets and ActiveX objects considered a threat?

Answer: They can be used to execute malicious tasks on the network and the local machine.

360 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

4 How does PIX filter Java applets and ActiveX objects?

Answer: Java and ActiveX filtering of HTML files is performed by selectively replacing the <APPLET> and </APPLET> and <OBJECT CLASSID> and </ OBJECT> tags with comments.

5True or false: PIX blocks HTML tags split across network packets or tags longer than the number of bytes in the MTU.

Answer: False

6What is the command to designate or identify the filtering server?

Answer: url-server

7True or false: Cisco PIX Firewall version 5.3 supports N2H2.

Answer: False

8What PIX Firewall version supports the Websense filtering server?

Answer: Cisco PIX Firewall version 5.3 or later supports Websense.

9What is the longest URL filter, in bytes, that is possible with Cisco PIX Firewall version 6.1 and older?

Answer: 1159 bytes

10What is the longest URL filtering that is supported by Cisco PIX Firewall 6.2?

Answer: 6 KB

11What is the command to filter URLs?

Answer: filter url

12If the filtering server does not respond before the web content server does, the reply from the web content server is dropped. What can you do to avoid this problem?

Answer: Use the url-block block block-buffer-limit command so that replies from web content servers are buffered and are forwarded to the requesting user if the filtering server allows the connection.

Q&A

1 How does PIX filter Java applets and ActiveX objects?

ABy commenting out the <OBJECT> </OBJECT> or <APPLET> </APPLET> tags in the HTML page.

BBy deleting the <OBJECT> </OBJECT> or <APPLET> </APPLET> tags in the HTML page.