What is a functional difference between a Cisco ASA and Cisco IOS router with Zone-Based Policy Firewall?
A. The Cisco ASA can be configured for high availability, whereas the Cisco IOS router with Zone-Based Policy Firewall cannot.
B. The Cisco IOS router with Zone-Based Policy Firewall can be configured for high availability, whereas the Cisco ASA cannot.
C. The Cisco ASA denies all traffic by default, whereas the Cisco IOS router with Zone-Based Policy Firewall starts out by allowing all traffic, even on untrusted interfaces.
D. The Cisco IOS router with Zone-Based Policy Firewall denies all traffic by default, whereas Cisco ASA starts out by allowing traffic until rules are added.
Don't over think this one and only read the question and answer.
First, the question asks us the difference between an ASA and a Cisco IOS "router" with a zone-based policy firewall. The first hint is CISCO IOS router and the second hint is ASA firewall. However, they are only saying the IOS router has the zone-based policy firewall feature and did not say the IOS router is currently using zone-based firewall functionality. They state "IOS router with Zone-based policy firewall" and did not say "IOS router configured with zone-based policy firewall".
Answers cannot be A or B, as this is a firewall and a router, making me surprised if they could not be used for high availability. The answer cannot be D, as we are dealing with two different devices that are not the same: a firewall-specific device (ASA) and a router device (IOS) that has extra features, aka firewall. A firewall by default will have an implicit deny, which is the ASA, but an IOS router? It would not have an implicit deny. Why? Because it is still a router when you pull it out of the box, and routing is the primary function of a router. Thus you will need to enable or utilize the zone-based firewall policy feature in order for firewall rules to start to apply. Don't let the words "firewall" or "zone-based policy firewall".
Now the Demon Queen will go drink some wine and continue planning for world domination.
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone, and traffic to any interface on the router.
https://networklessons.com/cisco/asa-firewall/cisco-asa-access-list
Without any access-lists, the ASA will allow traffic from a higher security level to a lower security level
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/217679-asa-access-control-list-configuration-ex.html
By default, traffic that passes from a lower security level interface to a higher security level interface is denied whereas traffic from a higher security level interface to a lower security level interface is allowed. This behavior can also be overridden with an ACL.
D) is the closest answer.
Based on my work experience with both ZFW and ASA, by default no traffic is allowed to pass between zones. Whereas ASA allows traffic from high level security interfaces to low level security interfaces by default.
D is correct - ASA starts by permitting a higher security level interface to access any other security level interface by default, until an access list is applied.
Correct is D.
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html#anc11
Search for the following: "ZFW default policy between zones is deny all. If no policy is explicitly configured, all traffic that moves between zones is blocked."
"C" is the correct answer. Here is the link:
"One difference is that the IOS router starts out by allowing all traffic [on your untrusted interfaces], where as the ASA starts by denying all traffic. Consequently you have to configure the actual hardening of your IOS router. "
https://community.cisco.com/t5/network-security/ios-firewall-vs-asa/td-p/2133822#:~:text=One%20difference%20is%20that%20the,hardening%20of%20your%20IOS%20router.
Cisco ASA vs IOS Router with Zone-Based Firewall
Some prefer to have a single device do both routing and security, but others opt for dedicated security devices. The ASA denies all traffic by default, while the IOS router starts out by allowing all traffic, even on your untrusted interfaces. You can eliminate this disadvantage, however, by hardening your router.
Correct is C, why?
On ASA, by default all interfaces with an IP address and nameif are configured with security level 0. Without "same-security-traffic permit inter-interface/intra-interface" (which is not the default), all traffic through the ASA is denied (traffic between interfaces with the same security level). On the other hand, with ZBFW by default all interfaces with an IP address are not assigned to a zone. Traffic between interfaces not assigned to a zone is allowed.
C - is not correct:
All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone, and traffic to any interface on the router.
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
Only D makes sense.
D, "whereas Cisco ASA starts out by allowing traffic until rules are added": proof that DMZ to Inside is blocked by default, and Outside to Inside is blocked by default.
C, "The Cisco ASA denies all traffic by default": wrong, Inside to DMZ and Inside to Outside are allowed.
Basically, A to D are wrong! The answers need to be amended.
D is completely wrong. The Cisco ASA does not allow traffic to move from a lower security zone to a higher one by default, and it does start out with a default deny-all policy, so "whereas Cisco ASA starts out by allowing traffic until rules are added" is contradictory. They both can be configured for high availability, so A and B are out. Now for C and D, I think this question was poorly worded, with poor usage of the English language. The default behavior of a Cisco ASA is to block incoming traffic and allow outgoing traffic, i.e. from a high security zone to a low one, and the reverse is denied, whereas the default behavior of a Cisco IOS router with ZFW is to block all traffic, though it can be argued that it behaves like the ASA if you consider that it has two default zones, i.e. the self zone and the other zone.
ZFW default policy between zones is deny all. If no policy is explicitly configured, all traffic that moves between zones is blocked.
By default, ASA allows a flow of traffic from higher security levels to lower security levels. If the traffic is initiated by the devices in higher security levels, then it will be passed to go through the firewall to reach the devices in lower security levels like outside or DMZ.
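To make the defaults the thread keeps arguing about concrete, here is a small Python model of both decision rules: ASA security levels (high to low allowed, low to high denied, equal levels denied unless same-security-traffic is permitted, and an inbound ACL replacing the level default once applied) and ZBFW zone membership (unzoned interfaces route freely, intra-zone traffic passes, a zoned interface cannot reach an unzoned one, inter-zone traffic passes only where a zone-pair policy exists, and the self zone is open by default). This is an added illustration written for this page, not Cisco code or anything from the posters; the interface names, security levels, addresses and the simplified ACL format are constructed assumptions.

```python
# Illustrative model of the default forwarding decisions debated above.
# Written for this page as an added example; it is not Cisco code. Interface
# names, security levels and addresses used here are constructed.
from dataclasses import dataclass, field
import ipaddress


@dataclass
class AsaInterface:
    name: str
    security_level: int
    # Inbound ACL as a list of (action, source_network, destination_network).
    # Simplified format: once an ACL is applied inbound, it replaces the
    # level-based default for that interface and ends in an implicit deny.
    inbound_acl: list = field(default_factory=list)


class Asa:
    """Cisco ASA default policy: security levels decide until an ACL is applied."""

    def __init__(self, same_security_inter_interface=False):
        self.interfaces = {}
        # Models 'same-security-traffic permit inter-interface' (off by default).
        self.same_security_inter_interface = same_security_inter_interface

    def add_interface(self, iface):
        self.interfaces[iface.name] = iface

    def permits(self, ingress, egress, src_ip, dst_ip):
        src_if = self.interfaces[ingress]
        dst_if = self.interfaces[egress]
        if src_if.inbound_acl:
            src = ipaddress.ip_address(src_ip)
            dst = ipaddress.ip_address(dst_ip)
            for action, src_net, dst_net in src_if.inbound_acl:
                if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
                    return action == "permit"
            return False  # implicit deny at the end of every ACL
        if src_if.security_level > dst_if.security_level:
            return True   # higher -> lower is allowed by default
        if src_if.security_level == dst_if.security_level:
            return self.same_security_inter_interface
        return False      # lower -> higher is denied by default


class Zbfw:
    """IOS Zone-Based Policy Firewall default policy."""

    def __init__(self):
        self.zone_of = {}        # interface name -> zone name
        self.zone_pairs = set()  # (source_zone, destination_zone) with a pass/inspect policy

    def assign(self, iface, zone):
        self.zone_of[iface] = zone

    def add_zone_pair_policy(self, src_zone, dst_zone):
        self.zone_pairs.add((src_zone, dst_zone))

    def permits(self, ingress, egress):
        if egress == "self":
            return True   # traffic to the router itself (self zone) is allowed by default
        src_zone = self.zone_of.get(ingress)
        dst_zone = self.zone_of.get(egress)
        if src_zone is None and dst_zone is None:
            return True   # neither interface is zoned: plain routing, no firewall policy
        if src_zone is None or dst_zone is None:
            return False  # a zoned interface cannot talk to an unzoned one
        if src_zone == dst_zone:
            return True   # intra-zone traffic is allowed
        return (src_zone, dst_zone) in self.zone_pairs  # inter-zone: deny unless a policy exists


def build_sample_asa():
    """Constructed three-interface ASA: outside 0, dmz 50, inside 100."""
    asa = Asa()
    asa.add_interface(AsaInterface("outside", 0))
    asa.add_interface(AsaInterface("dmz", 50))
    asa.add_interface(AsaInterface("inside", 100))
    return asa


if __name__ == "__main__":
    asa = build_sample_asa()
    print("ASA inside->outside:", asa.permits("inside", "outside", "10.0.0.10", "203.0.113.5"))
    print("ASA outside->inside:", asa.permits("outside", "inside", "203.0.113.5", "10.0.0.10"))
    fw = Zbfw()
    print("ZBFW unzoned Gi0/0->Gi0/1:", fw.permits("Gi0/0", "Gi0/1"))
    fw.assign("Gi0/0", "inside")
    fw.assign("Gi0/1", "outside")
    print("ZBFW zoned, no zone-pair policy:", fw.permits("Gi0/0", "Gi0/1"))
```

Running it shows why both C and D read as half right: the ASA permits inside to outside and denies outside to inside with no configuration at all, while the ZBFW router forwards everything until an interface is placed in a zone, after which it drops everything across zones until a zone pair carries a policy.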