Cisco-IINS Implementing Cisco IOS Network Security

Authentication ✘ Integrity ✘ Authorization ✘ Confidentiality ✔

It analyzes network traffic at the network and transport protocol layers. ✘ It validates the fact that a packet is either a connection request or a data packet belonging to a connection. ✘ It keeps track of the actual communication process through the use of a state table. ✘ It evaluates network packets for valid data at the application layer before allowing connections. ✔

all TCP and UDP header information only ✘ the source and destination IP addresses, port numbers, TCP sequencing information, and additional flagsfor each TCP or UDP connection associated with a particular session ✘ the outbound and inbound access rules (ACL entries) ✘ the inside private IP address and the translated inside global IP address ✔

Restrict access to firewalls ✘ Segment security zones ✘ Use logs and alerts ✘ Set connection limits ✔

to the interface ✘ to the zone-pair ✘ to the global service policy ✘ to the zone ✔

The Turbo ACL feature processes ACLs into lookup tables for greater efficiency. The Turbo ACL feature leads to increased latency, because the time it takes to match the packet isvariable. The Turbo ACL feature leads to reduced latency, because the time it takes to match the packet is fixed andconsistent. Turbo ACLs increase the CPU load by matching the packet to a predetermined list.

The ACL must be applied to each vty line individually. ✘ The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting toan unsecured port. ✘ The ACL is applied to the Telnet port with the ip access-group command. ✘ The ACL applied to the vty lines has no in or out option like ACL being applied to an interface. ✔

Create a parser view called "root view." ✘ Log in to the router as the root user. ✘ Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command. ✘ Enable the root view on the router. ✔

Signature-based detection ✘ Anomaly-based detection ✘ Honey pot detection ✘ Policy-based detection ✔

It cannot ensure each TCP connection follows a legitimate TCP three-way handshake. ✘ It cannot detect application-layer attacks. ✘ It cannot support UDP flows. ✘ The status of TCP sessions is retained in the state table after the sessions terminate. ✔