
One question on a quiz

roghan Member Posts: 33
I didn't understand this question:

You examine your IDS Event Viewer and find that the IP address 192.168.15.10 keeps appearing. You determine that your web server is under attack from this IP and would like to resolve this permanently. What happens if you place this address at the bottom of the ACL?
a. Attacks from this IP address will be blocked because of the line you have added.
b. Attacks will continue. This line will never be reached, because above this line is a
permit any statement.
c. ACLs may not be used to block traffic originating outside your network address
range.
d. ACLs may not be modified after they are created.


(SOURCE: CCNA Security Official Exam Certification Guide, by Michael Watkins and Kevin Wallace)

The correct answer is "b", but why???? I would understand if the answer were "Attacks will continue. This line will never be reached, if above this line is a permit any statement." The question doesn't specify what is in this ACL, and the ACL could also be empty (only the implicit deny all, of course :D). Suggestions??

Thanks!

Comments

  • mikem2te Member Posts: 407
    roghan wrote: »
    I didn't understand this question:

    You examine your IDS Event Viewer and find that the IP address 192.168.15.10 keeps appearing. You determine that your web server is under attack from this IP and would like to resolve this permanently. What happens if you place this address at the bottom of the ACL?
    a. Attacks from this IP address will be blocked because of the line you have added.
    b. Attacks will continue. This line will never be reached, because above this line is a
    permit any statement.
    c. ACLs may not be used to block traffic originating outside your network address
    range.
    d. ACLs may not be modified after they are created.


    (SOURCE: CCNA Security Official Exam Certification Guide, by Michael Watkins and Kevin Wallace)

    The correct answer is "b", but why???? I would understand if the answer were "Attacks will continue. This line will never be reached, if above this line is a permit any statement." The question doesn't specify what is in this ACL, and the ACL could also be empty (only the implicit deny all, of course :D). Suggestions??

    Thanks!
    Yeah, good question. I'll try to explain my thoughts.

    First, it is not C or D; they are just not true.

    Now look at answer A: "Attacks from this IP address will be blocked because of the line you have added." Remembering the implicit deny at the end of the ACL, would adding a specific line at the end of this ACL to deny traffic from this source make any difference to the ACL? No.

    Looking at answer B: "Attacks will continue. This line will never be reached, because above this line is a permit any statement." As traffic from this source is already getting through to the web server, there must be an allow somewhere in the ACL. It is not an "IF" as you say; there must be an allow.

    Regarding your comment "The question doesn't specify what is in this ACL, and the ACL could also be empty": as traffic is hitting the web server, either there is no ACL applied to the interface, or it is safe to assume there is an ACL applied and there is a permit line for the web server.

    Does that make sense?
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    roghan wrote: »
    I didn't understand this question:

    You examine your IDS Event Viewer and find that the IP address 192.168.15.10 keeps appearing. You determine that your web server is under attack from this IP and would like to resolve this permanently. What happens if you place this address at the bottom of the ACL?
    a. Attacks from this IP address will be blocked because of the line you have added.
    b. Attacks will continue. This line will never be reached, because above this line is a
    permit any statement.
    c. ACLs may not be used to block traffic originating outside your network address
    range.
    d. ACLs may not be modified after they are created.


    (SOURCE: CCNA Security Official Exam Certification Guide, by Michael Watkins and Kevin Wallace)

    The correct answer is "b", but why???? I would understand if the answer were "Attacks will continue. This line will never be reached, if above this line is a permit any statement." The question doesn't specify what is in this ACL, and the ACL could also be empty (only the implicit deny all, of course :D). Suggestions??

    Thanks!

    It would depend on what the ACL has in it. Remember routers stop processing ACLs once they find a match. Does the book provide a sample ACL?
  • mikej412 Member Posts: 10,086
    It is a poorly worded question.

    But I guess they want you to remember that you should always place more specific ACL statements at the top of an ACL. If you place a more specific deny at the end, the less specific permit above it allowing all web traffic to reach your web server will match, and that deny statement will never be reached for the "attack traffic."

    Answer A is what you'd like to happen, but B is more likely to happen if you place that line in the ACL at the wrong position.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • impelse Member Posts: 1,237
    This is true; it happened to me a couple of times with some firewalls. We have to define the specific statement at the beginning.
    Stop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
    It is your personal IPS to stop the attack.

  • roghan Member Posts: 33
    knwminus wrote: »
    It would depend on what the ACL has in it. Remember routers stop processing ACLs once they find a match. Does the book provide a sample ACL?

    No, no sample ACL! However, I think I have understood after the description made by mikem2te. We have to suppose that the ACL already exists (it isn't written in the question, but we can suppose that the ACL already exists because the question says "... at the bottom of the ACL", and not "... at the bottom of an ACL" or "... at the bottom of a new ACL"); otherwise the new ACL would be:

    deny 192.168.15.10
    deny any (default)


    and the attacker will be blocked by it!

    Besides, mikej412 is right: generic statement at the bottom, specific statement at the top, and... poorly worded question!
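Added example, not from the thread or the book: a small Python model of first-match ACL evaluation that runs the three placements discussed above (mikem2te's and mikej412's point that an appended deny sits below the permit that lets web traffic in, and roghan's empty-ACL case where the deny is followed only by the implicit deny). The web server address 10.0.0.80 and the client 10.0.0.5 are constructed placeholders, and entries model only source and destination specs in IOS syntax (`any`, `host A.B.C.D`, `A.B.C.D WILDCARD`), not protocol or port.

```python
import ipaddress

# Constructed sample addresses: the web server address is a placeholder
# (the thread never gives one); 192.168.15.10 is the source from the quiz.
WEB_SERVER = "10.0.0.80"
ATTACKER = "192.168.15.10"

# Simplified ACL entries: (action, source spec, destination spec).
# Specs use IOS-style syntax: "any", "host A.B.C.D", or "A.B.C.D WILDCARD".
# Protocol and port matching are deliberately left out of this model.
EXISTING_ACL = [("permit", "any", f"host {WEB_SERVER}")]   # the permit that lets web traffic in
BLOCK_ATTACKER = ("deny", f"host {ATTACKER}", "any")        # the line the quiz asks about


def parse_spec(spec):
    """Translate an address spec into (network_bits, keep_mask) for matching."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0                                  # keep nothing: everything matches
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0xFFFFFFFF
    addr, wildcard = parts
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # wildcard 1-bits are "don't care"
    return int(ipaddress.IPv4Address(addr)) & keep, keep


def matches(spec, address):
    """True if the address falls inside the spec after applying the wildcard."""
    network, keep = parse_spec(spec)
    return (int(ipaddress.IPv4Address(address)) & keep) == network


def evaluate(acl, src, dst):
    """First-match evaluation, the way a router processes an ACL.

    Returns (action, index_of_matching_entry); a packet that matches nothing
    hits the implicit deny at the end, reported as ("deny", None).
    """
    for idx, (action, src_spec, dst_spec) in enumerate(acl):
        if matches(src_spec, src) and matches(dst_spec, dst):
            return action, idx
    return "deny", None


def shadowed(acl, idx, src, dst):
    """Index of an earlier entry that captures this packet before entry idx, else None."""
    _action, hit = evaluate(acl, src, dst)
    if hit is not None and hit < idx:
        return hit
    return None


def scenarios():
    """The placements discussed in the thread, evaluated for the attacker's packets."""
    at_bottom = EXISTING_ACL + [BLOCK_ATTACKER]     # answer B: never reached
    at_top = [BLOCK_ATTACKER] + EXISTING_ACL        # specific statement first
    fresh_acl = [BLOCK_ATTACKER]                    # roghan's case: deny line, then implicit deny
    return {
        "deny appended to existing ACL": evaluate(at_bottom, ATTACKER, WEB_SERVER),
        "deny inserted at the top": evaluate(at_top, ATTACKER, WEB_SERVER),
        "deny as the only line of a new ACL": evaluate(fresh_acl, ATTACKER, WEB_SERVER),
        "legitimate client, deny at top": evaluate(at_top, "10.0.0.5", WEB_SERVER),
    }


if __name__ == "__main__":
    for name, (action, idx) in scenarios().items():
        where = "implicit deny" if idx is None else f"entry {idx}"
        print(f"{name:40s} -> {action} ({where})")
    shadow = shadowed(EXISTING_ACL + [BLOCK_ATTACKER], 1, ATTACKER, WEB_SERVER)
    print("appended deny is shadowed by entry", shadow)
```

Running it shows the appended deny matching nothing because entry 0 (`permit any host 10.0.0.80`) wins first, while the same line at the top, or alone in a new ACL, returns `deny`. The `shadowed` helper is the check to run before adding any entry: if an earlier, broader line already captures the traffic you are trying to deny, the new line is dead.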