Mitigation
I. Access Control List Fundamentals and Benefits
5. Use the Move Up or Move Down buttons to change the order of the ACEs (order matters: the first ACE that matches a packet decides its fate).
6. Click OK to add the ACL to the router.
9. The top portion shows where the ACL is applied (it has not been applied yet).
10. The bottom portion shows the details of each ACE.
11. To apply the ACL while still in the ACL editor, click the Associate button.
13. The other option is to navigate to Configure > Interface Management > Interface and Connections, edit the properties of the interface, and select the ACL.
14. Let's now start in interface configuration to apply an ACL to the interface and create it at the same time.
15. Configure > Interface Management > Interface and Connections, then click Edit.
16. We are applying inbound, so select the Inbound button and create an ACL (this area allows the deletion, creation, and choosing of an existing ACL).
22. Visit the ACL Editor to see where your ACL is applied.
23. Configure > Router > ACL > ACL Editor (you could also visit the ACL Summary to see an overview).
24. When logging is enabled on an ACE, a syslog message is generated after a waiting period showing the total number of hits during that period. This can be changed to logging every matching packet if you want.
2. How to configure the syslog destination:
a. Configure > Router > Logging, then click Edit.
b. Configure the logging levels and the destination.
a. Monitor > Router > Logging displays the Syslog tab; scroll through the syslog messages.
b. You can search through the syslog messages and filter based on logging level as well.
c. The next tab over is the Firewall Log tab. You can view details about denied connections, and also view Top Attack Ports or select Top Attackers using the down arrow; both are shown in the bottom part of the window.
d. ... traffic in a similar way as stateful firewalls do by default today. You learn more about stateful packet inspection in the upcoming firewall chapters.
g. You can filter on IPv6 extension headers
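The Syslog and Firewall Log tabs described above are built from the log messages an ACE with the log keyword emits. The following is an added example, not code from the page or from Cisco: it parses IOS %SEC-6-IPACCESSLOGP messages and produces the same "top attackers" and "top attack ports" tallies the Firewall Log tab shows. The log lines are constructed; ACL number 101 and the addresses are hypothetical.

```python
# Added example (not from the page): parse the IOS ACL log messages that the
# Monitor > Router > Logging tabs display and build the "top attackers" and
# "top attack ports" tallies shown on the Firewall Log tab. The log lines
# below are constructed; ACL number 101 and all addresses are hypothetical.
import re
from collections import Counter
from typing import Dict, List, Tuple

# IOS format for TCP/UDP ACE hits (ICMP uses %SEC-6-IPACCESSLOGDP with a
# different layout and is deliberately not handled here):
# %SEC-6-IPACCESSLOGP: list <acl> denied|permitted <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample: the first hit on an ACE is logged immediately, later
# lines carry the periodic (default 5-minute) summary counts.
SAMPLE_LOG = """\
*Mar  1 00:12:44.115: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.5(34567) -> 203.0.113.10(443), 1 packet
*Mar  1 00:12:45.220: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40001) -> 203.0.113.10(22), 1 packet
*Mar  1 00:17:44.301: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.5(34567) -> 203.0.113.10(443), 37 packets
*Mar  1 00:17:45.005: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(53022) -> 203.0.113.10(53), 4 packets
*Mar  1 00:18:01.777: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.9(51000) -> 203.0.113.10(443), 1 packet
*Mar  1 00:18:02.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_acl_log(text: str) -> List[Dict]:
    """Return one dict per ACL log message; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "count"):
            d[key] = int(d[key])
        events.append(d)
    return events


def top_attackers(events: List[Dict], n: int = 3) -> List[Tuple[str, int]]:
    """Denied packets summed per source address (the 'Top Attackers' view)."""
    c = Counter()
    for e in events:
        if e["action"] == "denied":
            c[e["src"]] += e["count"]
    return c.most_common(n)


def top_attack_ports(events: List[Dict], n: int = 3) -> List[Tuple[Tuple[str, int], int]]:
    """Denied packets summed per (protocol, destination port)."""
    c = Counter()
    for e in events:
        if e["action"] == "denied":
            c[(e["proto"], e["dport"])] += e["count"]
    return c.most_common(n)


if __name__ == "__main__":
    evs = parse_acl_log(SAMPLE_LOG)
    print("top attackers:", top_attackers(evs))
    print("top attack ports:", top_attack_ports(evs))
```

Note that the summary counts (37 packets in the third line) are what the periodic log-update message carries; summing the count field rather than the number of lines is what makes the tallies match what the router actually dropped.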
1. Which of the following are advantages of an extended access list over a standard
access list when used for packet filtering?
a. It can filter based on source address
b. It can filter based on destination address
c. It can filter based on application layer information
d. Logging can be performed
2. What method is used to indicate that a portion of an IP address in the source packet
does not need to be compared to an access list entry?
a. Subnet mask
b. Mask
c. Wildcard mask
d. Full IP address required
3. What technique enables you to match on a range of subnets using a single access list
entry, without using object groups?
a. Wildcard mask, so that matches are done only for the summary of those
networks
b. Reflexive ACLs
c. Time-based ACLs
d. Extended named ACLs
4. What happens when an access list has 100 lines and a match occurs on line 14?
a. Lines 15 through 100 are parsed as a group object
b. The ACL acts on the packet, and no further list processing is done for that packet
c. The ACL is processed all the way through line 100, to see whether there is a
more strict policy that should be applied
d. There cannot be a line 14 because the only lines permitted start with 10 and
increment by 10
5. Which of the following are valid options for creating and applying ACLs in CCP?
(Choose all that apply.)
a. Use the ACL Editor
b. Go to Interface Configuration
c. Use the ACL Wizard from the Tools menu
d. ACLs may be created in CCP, but they have to be applied using the CLI
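Questions 2 through 4 above turn on three mechanics: wildcard masks, matching a range of subnets with one ACE, and first-match processing with the implicit deny at the end. The following is an added example, not code from the page or from Cisco: a small Python model of IOS access-list evaluation that implements exactly those rules, loaded with a constructed IPv4 anti-spoofing ACL (the name BOGUS_SOURCE_FILTER_V4, the 203.0.113.0/24 "our network" prefix and the sample packets are all hypothetical).

```python
# Added example (not from the page): a minimal model of how IOS processes an
# access list, with wildcard-mask matching, first-match semantics and the
# implicit deny at the end. Addresses, ACL name and rules are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'.
    0.0.0.0 therefore means an exact host, 255.255.255.255 means 'any'."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(network) & care)


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard covering one /prefix_len block, e.g. /22 -> 0.0.3.255, which
    lets a single ACE match 192.168.4.0/24 through 192.168.7.0/24."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


@dataclass
class ACE:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches any protocol, else tcp/udp/icmp
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"    # default: any destination
    dport: Optional[int] = None        # None: any destination port
    log: bool = False                  # IOS 'log' keyword
    hits: int = 0

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dport is None or pkt.get("dport") == self.dport


class ACL:
    def __init__(self, name: str, aces: List[ACE]):
        self.name = name
        self.aces = aces
        self.implicit_denies = 0

    def evaluate(self, pkt: Dict) -> Tuple[str, Optional[int]]:
        """Top-down, first match wins; later ACEs are never consulted for this
        packet. No match at all hits the implicit 'deny ip any any'."""
        for line, ace in enumerate(self.aces, start=1):
            if ace.matches(pkt):
                ace.hits += 1
                return ace.action, line
        self.implicit_denies += 1
        return "deny", None

    def log_summary(self) -> Dict[int, int]:
        """Hit totals per logged ACE, like the periodic IOS log-update message."""
        return {line: ace.hits for line, ace in enumerate(self.aces, start=1) if ace.log}


def build_anti_spoof() -> ACL:
    """Constructed inbound filter for an Internet-facing interface: private,
    loopback and our own prefix (203.0.113.0/24, TEST-NET-3) arriving from
    outside are spoofed and get denied and logged; then only web traffic to
    one server is permitted. Everything else falls to the implicit deny."""
    any_, any_wc = "0.0.0.0", "255.255.255.255"
    return ACL("BOGUS_SOURCE_FILTER_V4", [
        ACE("deny", "ip", "10.0.0.0", "0.255.255.255", log=True),
        ACE("deny", "ip", "172.16.0.0", "0.15.255.255", log=True),
        ACE("deny", "ip", "192.168.0.0", "0.0.255.255", log=True),
        ACE("deny", "ip", "127.0.0.0", "0.255.255.255", log=True),
        ACE("deny", "ip", "203.0.113.0", "0.0.0.255", log=True),
        ACE("permit", "tcp", any_, any_wc, "203.0.113.10", "0.0.0.0", dport=443),
        ACE("permit", "tcp", any_, any_wc, "203.0.113.10", "0.0.0.0", dport=80),
    ])


SAMPLE_PACKETS = [   # constructed
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},
    {"proto": "tcp", "src": "192.168.1.5", "dst": "203.0.113.10", "dport": 443},
    {"proto": "tcp", "src": "203.0.113.99", "dst": "203.0.113.10", "dport": 80},
    {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 53},
]


def run_samples() -> Tuple[List[Tuple[str, Optional[int]]], Dict[int, int]]:
    """Evaluate the sample packets against a fresh ACL; returns verdicts and hit counts."""
    acl = build_anti_spoof()
    results = [acl.evaluate(p) for p in SAMPLE_PACKETS]
    return results, acl.log_summary()


if __name__ == "__main__":
    verdicts, summary = run_samples()
    for pkt, (verdict, line) in zip(SAMPLE_PACKETS, verdicts):
        print(pkt["src"], "->", pkt["dst"], verdict, "at line", line)
    print("logged hits per ACE:", summary)
```

The third sample packet is the case a plain "deny private ranges" ACL misses: a source inside your own public prefix arriving on the outside interface is just as spoofed as 10.x, and the ACE for it must sit before the permits, because once line 6 matches nothing after it is read.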
Key Topic Element | Description | Page Number
Text | | 240
Text | | 241
Table 11-3 | | 243
Text | Wildcard masks | 244
Text | Object groups | 244
Example 11-1 | | 248
Example 11-2 | | 249
Example 11-3 | | 253
Example 11-4 | | 253
Figure 11-11 | | 254
Example 11-6 | | 261
Certificate trust
Cost
Scalability/future growth
Available resources
Manageability/flexibility
Integration
Field | Description
Passphrase | Mandatory field used to enter the password for the local CA keystore. The password must be at least 7 characters in length.
Issuer Name | Enter the hostname or IP address you want to be used for the issuer value in any certificates generated. By default, this is the ASA IP address or hostname (where configured).
Server key size (field name recovered from its description) | Enter the minimum key size the server will use (512, 768, 1024, or 2048 bits; default 1024).
Client key size (field name recovered from its description) | Enter the minimum key size used by clients (512, 768, 1024, or 2048 bits; default 1024).
CA Certificate Life-time | Enter the lifetime of the local CA root certificate file (default 3650 days).
Client certificate lifetime (field name recovered from its description) | Enter the lifetime of issued client certificate files (default 365 days).
SMTP server (field name recovered from its description) | Enter the name or IP address of the SMTP server used to send enrollment invitations.
From Address | Enter the email address you want to use to send enrollment invitations from (default admin@asa-domain-name).
Subject | Enter the subject for enrollment certificate emails (default Certificate Enrollment Invitation).
CRL publishing interface and port (field name recovered from its description) | Enter the interface and port to use for CRL publishing.
CRL Lifetime | (description not recovered)
Database storage location (field name recovered from its description) | Enter the path and filename of the database stored on the ASA flash.
Enrollment Period | Default 72 hours.
Certificate Expiration Reminder | Enter the value in days used to mark the reminder value for emails sent to certificate owners about expiration deadlines (default 14 days).

Caveat on the key-size fields: 512- and 768-bit RSA keys are factorable with modest resources and 1024-bit keys are deprecated for new deployments, so set both the server and client minimum key size to 2048 bits rather than accepting the 1024 default.
Table 11-3 (reconstructed; row labels "Can be named" and the "Where to place" cells were recovered from the surrounding text and standard Cisco guidance):

 | Standard ACL | Extended ACL
Numeric range | 1-99, 1300-1999 | 100-199, 2000-2699
Can be named | Yes | Yes
Where to place | Close to the destination (it can only match on source address) | Close to the source (it can match on source, destination, protocol, and port)
Key terms: packet filtering, spoofed address, SYN-flood attack, standard/extended ACL, numbered/named ACL
Command | Description
ipv6 traffic-filter BOGUS_SOURCE_FILTER in | Interface configuration command that applies the IPv6 ACL named BOGUS_SOURCE_FILTER to the interface in the inbound direction (IPv6 ACLs are applied with ipv6 traffic-filter, not ip access-group)
object-group network A_Couple_Servers | Creates (or enters) the network object group named A_Couple_Servers, so that a single extended ACE can reference the whole group instead of one entry per host