Chapter 7

Security Technologies

This chapter covers some of today's most widely used technologies that enable network administrators to protect sensitive data from unauthorized access.

Cisco's security features are also covered, as are the foundation topics you need to master for the CCIE Security written exam.

This chapter covers the following topics:

Advanced security concepts—This section covers some of the advanced security policies applied in demilitarized zones (DMZs).

Packet filtering, proxies, NAT, and PAT—This section covers packet filtering, proxies, and how to hide internal addresses using Network Address Translation (NAT) and Port Address Translation (PAT).

Cisco firewall routers and the IOS Firewall feature set—This section covers the Cisco PIX Firewall and the IOS Firewall feature set available on Cisco routers.

Public key infrastructure (PKI)—This section covers PKI, followed by a description of virtual private networks (VPNs) and a typical design example.

“Do I Know This Already?” Quiz

The purpose of this assessment quiz is to help you determine how to spend your limited study time. If you can answer most or all of these questions, you might want to skim the "Foundation Topics" section and return to it later, as necessary. Review the "Foundation Summary" section and answer the questions at the end of the chapter to ensure that you have a strong grasp of the material covered. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. If you find these assessment questions difficult, read through the entire "Foundation Topics" section and review it until you feel comfortable with your ability to answer all of these questions and the Q & A questions at the end of the chapter.

1. DMZ stands for what?

a. Demilitarized zone

b. Demitted zone

c. Domain main zone

d. Domain name

2. When defining an extended access list, what TCP port numbers can you use?

a. Only predefined Cisco keywords

b. 0 to 65,000

c. 0 to 65,535

d. 1 to 65,534

e. None of the above

3. When defining an extended access list, what UDP port numbers can you use?

a. Only predefined Cisco keywords

b. 0 to 65,000

c. 0 to 65,535

d. 1 to 65,534

e. None of the above

4. Which of the following is not a TCP service?






5. Which of the following is not a UDP service?







6. For how many translations does PAT allow you to use one IP address?






7. PAT translates all private addresses based on what?

a. Source port

b. Destination port

c. Both source and destination port


8. NAT is which of the following?

a. Network Architectural Language

b. National anthem of Latvia

c. Network translation

d. Network Address Translation

9. NAT is defined in which RFC?






10. Which NAT term is defined as "a legitimate registered IP address as assigned by the InterNIC"?

a. Inside local address

b. Outside global address

c. Inside global address

d. Outside local address

11. What IOS command defines a pool of addresses that will be translated to a registered IP address?

a. ip nat inside

b. ip nat outside

c. ip nat pool

d. ip nat inside pool

e. ip nat outside pool

12. PIX stands for what?

a. Protocol interchange

b. Cisco Private Internet

c. Private Internet Exchange

d. Public Internet Exchange

13. To define how a PIX will route IP data, what is the correct syntax for a PIX 520?

a. ip route


c. ip route enable


14. What is the function of the alias command on a PIX Firewall?

a. To define a local host name

b. To define the DNS server

c. Used in NAT environments where one IP address is translated into another

d. Only applicable to Cisco IOS

15. CBAC stands for what?

a. CBAC is not a valid term

b. Cisco Business Architectural Centre

c. Context-based Access Control

d. Context-based Accelerated Controller

e. Content-based Architectural Centre

16. What is IKE used to accomplish?

a. NAT translations

b. Ensures that data is not sourced by the right sources

c. Ensures that data is not sourced by the wrong sources

d. No use

e. Both a and c

17. To create a simple VPN tunnel (unencrypted) between two sites, what must you do on a Cisco router?

a. Create a GRE tunnel

b. Create a routing map

c. Nothing, use a PIX

d. Create an IPSec tunnel
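The NAT and PAT questions above (6 through 11) test the terminology of inside local versus inside global addresses and the idea that one registered address can serve many inside hosts because PAT keys each translation on the source port. The following is an added worked example, not code from the chapter or from Cisco IOS: a small Python model of a PAT table that shows how outbound flows are keyed, how a source-port collision between two inside hosts is resolved, how reply traffic is mapped back, and what happens when the port space for the single global address runs out. All addresses, ports and flows are constructed sample data chosen for the example.

```python
"""Toy PAT (overloaded NAT) translator, added as a worked example.

Terminology used below (inside local / inside global) follows the NAT
definitions the quiz asks about; the behaviour modelled here is the usual
port-keyed translation, not any vendor's exact implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatTranslator:
    """One registered (inside global) address shared by all inside local hosts."""

    def __init__(self, inside_global: str, port_lo: int = 1024, port_hi: int = 65535):
        # Port numbers are 16-bit: 0..65535 is the only legal range.
        if not (0 <= port_lo <= port_hi <= 65535):
            raise ValueError("port range must lie within 0..65535")
        self.inside_global = inside_global
        self.port_lo, self.port_hi = port_lo, port_hi
        self.next_port = port_lo
        # (proto, inside local ip, inside local port) -> port used on the global address
        self.out_table = {}
        # (proto, port on the global address) -> (inside local ip, inside local port)
        self.in_table = {}

    def _allocate_port(self, proto: str, want: int) -> int:
        """Keep the host's own source port if it is free and in range, else hunt for one."""
        if self.port_lo <= want <= self.port_hi and (proto, want) not in self.in_table:
            return want
        for _ in range(self.port_hi - self.port_lo + 1):
            cand = self.next_port
            self.next_port = self.port_lo if cand == self.port_hi else cand + 1
            if (proto, cand) not in self.in_table:
                return cand
        # Every port on the single global address is in use for this protocol.
        raise RuntimeError("PAT port space exhausted for this global address")

    def outbound(self, f: Flow) -> Flow:
        """Translate an inside-to-outside packet; reuses an existing entry for the same flow."""
        key = (f.proto, f.src_ip, f.src_port)
        if key not in self.out_table:
            port = self._allocate_port(f.proto, f.src_port)
            self.out_table[key] = port
            self.in_table[(f.proto, port)] = (f.src_ip, f.src_port)
        return Flow(self.inside_global, self.out_table[key], f.dst_ip, f.dst_port, f.proto)

    def inbound(self, f: Flow):
        """Map a reply addressed to the global address back to the inside host.

        Returns None when no translation exists, i.e. unsolicited inbound traffic
        is dropped; that implicit filtering is a side effect of PAT, not a firewall.
        """
        if f.dst_ip != self.inside_global:
            return None
        entry = self.in_table.get((f.proto, f.dst_port))
        if entry is None:
            return None
        local_ip, local_port = entry
        return Flow(f.src_ip, f.src_port, local_ip, local_port, f.proto)


def demo():
    """Two inside hosts pick the same source port; PAT keeps them apart. Sample data only."""
    pat = PatTranslator("203.0.113.1")
    a = pat.outbound(Flow("10.0.0.1", 1025, "198.51.100.10", 80))
    b = pat.outbound(Flow("10.0.0.2", 1025, "198.51.100.10", 80))
    reply = pat.inbound(Flow("198.51.100.10", 80, "203.0.113.1", b.src_port))
    return a, b, reply


if __name__ == "__main__":
    for flow in demo():
        print(flow)
```

Both inside hosts share 203.0.113.1; the second host's port 1025 is already mapped, so it is given the next free port and the reply on that port is delivered to 10.0.0.2:1025. Running out of ports on the shared address raises an error rather than silently reusing an entry, which is the failure mode to plan for when one global address fronts a large inside network.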

