For which of the following traffic types is stateful inspection not supported in a ZFW configuration? (Select the best answer.)
- DNS
- ICMP
- IGMP
- NetBIOS
- Sun RPC
Explanation:
Stateful inspection of Internet Group Management Protocol (IGMP) traffic is not supported in a zone-based policy firewall (ZFW) configuration. ZFW is the current iteration of Cisco's stateful firewall implementation, which was formerly called Context-Based Access Control (CBAC). With ZFW, virtual security zones are defined first, and interfaces are then assigned to the appropriate zone. By default, traffic is implicitly permitted to flow between interfaces that belong to the same zone, whereas all traffic between different zones is dropped. In addition, once an interface is assigned to a zone, all traffic to and from that interface is implicitly blocked, with two exceptions: traffic to or from other interfaces in the same zone, and traffic to or from the router itself (the self zone).
In order for traffic to flow between zones, stateful packet inspection policies must be configured to explicitly permit traffic between zones. The basic process is as follows:
1. Define the required zones.
2. Create zone pairs for each pair of zones that must pass traffic between them (a zone pair is unidirectional: source zone to destination zone).
3. Define class maps to match the appropriate traffic for each zone pair.
4. Define policy maps to specify the actions (inspect, pass, or drop) that should be performed on matching traffic.
5. Apply the policy maps to the zone pairs.
6. Assign interfaces to their appropriate zones.
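The following IOS configuration is an added example that walks through the six steps above; it is not part of the original question or of Cisco's documentation. The zone names INSIDE and OUTSIDE, the class-map, policy-map and zone-pair names, and the interfaces GigabitEthernet0/0 and GigabitEthernet0/1 are assumptions chosen for illustration. The class map matches the four traffic types the explanation lists as inspectable, so that the return traffic is permitted statefully without an OUTSIDE-to-INSIDE policy.

```text
! Step 1: define the zones (zone names are assumed for this example)
zone security INSIDE
zone security OUTSIDE
!
! Step 3: class map for the traffic to be inspected; match-any means a
! packet has to match only one of the listed protocols
class-map type inspect match-any CM-IN-TO-OUT
 match protocol dns
 match protocol icmp
 match protocol netbios-ns
 match protocol netbios-dgm
 match protocol netbios-ssn
 match protocol sunrpc
!
! Step 4: policy map; "inspect" creates a stateful session entry so the
! reply is allowed back from OUTSIDE to INSIDE, everything else is dropped
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-TO-OUT
  inspect
 class class-default
  drop log
!
! Steps 2 and 5: create the zone pair (INSIDE -> OUTSIDE only) and apply
! the inspection policy to it
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
!
! Step 6: assign interfaces to their zones (interface names are assumed);
! from this point on, INSIDE <-> OUTSIDE traffic is governed by the policy
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

Because no OUTSIDE-to-INSIDE zone pair is defined, connections initiated from OUTSIDE are dropped by the default inter-zone policy; only replies to inspected INSIDE-initiated sessions are allowed back. Active sessions can be checked with `show policy-map type inspect zone-pair IN-TO-OUT sessions`. Note that the steps were entered in the order 1, 3, 4, 2+5, 6, since the zone pair needs the policy map to exist before it can be referenced.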
Inspection rules can be created for a large number of traffic types, including the following:
– Domain Name System (DNS)
– Internet Control Message Protocol (ICMP)
– Network Basic Input/Output System (NetBIOS)
– Sun Remote Procedure Call (RPC)
However, stateful inspection of multicast traffic, such as IGMP, is not supported by ZFW; such traffic must be handled by other security features, such as Control Plane Policing (CoPP). IGMP messages are processed by the router's own control plane rather than forwarded between zones, which is why rate-limiting them with CoPP, rather than a zone-pair inspection policy, is the appropriate control.
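As an added example, not part of the original question or of Cisco's documentation, the following CoPP configuration rate-limits IGMP destined to the router's control plane, the kind of control the explanation points to for traffic ZFW cannot inspect. The ACL, class-map and policy-map names and the 8 kbps policing rate are assumptions; the rate should be sized for the number of multicast receivers actually attached to the router.

```text
! Match IGMP arriving at the control plane (names and rate are assumed)
ip access-list extended ACL-COPP-IGMP
 permit igmp any any
!
class-map match-all CM-COPP-IGMP
 match access-group name ACL-COPP-IGMP
!
! Allow IGMP up to 8 kbps, drop the excess; traffic not matched by any
! class falls into the implicit class-default and is not policed
policy-map PM-COPP
 class CM-COPP-IGMP
  police 8000 conform-action transmit exceed-action drop
!
! Apply the policy to the control plane in the input direction
control-plane
 service-policy input PM-COPP
```

Counters for conforming and exceeding IGMP packets can be viewed with `show policy-map control-plane`, which is the quickest way to confirm that the rate chosen is not silently discarding legitimate membership reports.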