Which of the following statements are true regarding po…

Which of the following statements are true regarding policies in Cisco Security Manager? (Select 2 choices.)

A. Rule-based policies can contain hundreds of rules containing values for the same set of parameters.

B. Settings-based policies can define only one set of parameters for each settings-based policy defined on a device.

C. Local policies are well-suited to smaller networks and to devices requiring standard configurations.

D. Any changes that you make to a shared policy are not automatically applied to all the devices to which it is assigned.

E. The Default section of a shared policy contains rules that cannot be overridden by local rules.

Explanation:

In Cisco Security Manager (CSM), rule-based policies can contain hundreds of rules containing values for the same set of parameters, and settings-based policies can define only one set of parameters for each settings-based policy defined on a device. CSM is a graphics-based management application that can be used to configure a wide variety of Cisco devices, such as routers, switches, firewall appliances, Intrusion Prevention System (IPS) appliances, and Catalyst service modules. One of the advantages of CSM is its ability to centralize the administration of security policies across a large number of Cisco devices.

CSM categorizes policies into two general types: rule-based policies and settings-based policies. Rule-based policies, such as access control lists (ACLs) and inspection rules, are stored in a tabular fashion and can contain many different values for the same set of parameters. These policies are processed in order, and the first matching table entry is applied, even if there are other matching table entries farther down the table. Because of the way rule-based policies are processed, they can contain hundreds of rules with values for the same set of parameters. By contrast, settings-based policies can define only a single set of parameters for each settings-based policy defined on a device. Settings-based policies, such as Quality of Service (QoS) policies and IP Security (IPSec) policies, contain a set of parameters that, as a whole, define a particular hardware or security configuration feature.

CSM policies can be either local or shared. A local policy is specific to a particular device, and any changes affect only its associated device. By contrast, a shared policy is applicable to a group of devices, and any changes are automatically applied to all of its associated devices. Because local policies are specific to individual devices, it can become cumbersome to manage the policies in a network with a large number of devices; therefore, local policies are better suited to smaller networks and shared policies are better suited to larger networks.

Shared policies use an inheritance hierarchy to determine which policy rules are implemented on a particular device. There are two kinds of shared policy rules: mandatory and default. Mandatory rules cannot be overridden by either child policy rules or local rules. By contrast, default rules can be overridden by both child policy rules and local rules. Inheritance enables you to nest multiple shared rules and ensure that certain policies cannot be overridden while still maintaining the flexibility to override some default settings.
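The following added example (not CSM code and not part of the original explanation) models how first-match processing and the mandatory/default split interact. It assumes the flattened table places mandatory rules first (parent before child), then local rules, then default rules (child before parent); the `Rule` and `SharedPolicy` classes, rule names, and ports are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    port: Optional[int]   # None matches any destination port
    action: str           # "permit" or "deny"

@dataclass
class SharedPolicy:
    mandatory: list
    default: list
    parent: Optional["SharedPolicy"] = None

def effective_rules(policy, local_rules):
    """Flatten the hierarchy into one ordered rule table for a device.

    Assumed ordering: mandatory sections from the root down, then the
    device's local rules, then default sections from the child up.
    """
    chain = []
    while policy is not None:        # child first, root last
        chain.append(policy)
        policy = policy.parent
    table = []
    for p in reversed(chain):        # root mandatory rules are evaluated first
        table.extend(p.mandatory)
    table.extend(local_rules)
    for p in chain:                  # child defaults precede parent defaults
        table.extend(p.default)
    return table

def first_match(table, port):
    """Return the first matching rule; later matching entries are ignored."""
    for rule in table:
        if rule.port is None or rule.port == port:
            return rule
    return None

# Constructed sample hierarchy: a corporate policy inherited by a branch policy.
corporate = SharedPolicy(mandatory=[Rule("corp-deny-telnet", 23, "deny")],
                         default=[Rule("corp-deny-any", None, "deny")])
branch = SharedPolicy(mandatory=[],
                      default=[Rule("branch-permit-https", 443, "permit")],
                      parent=corporate)
local = [Rule("local-permit-telnet", 23, "permit"),   # shadowed by mandatory rule
         Rule("local-deny-https", 443, "deny")]       # overrides branch default
TABLE = effective_rules(branch, local)
```

Under this model, a local rule that contradicts a mandatory rule is present in the table but never reached, which is why reviewing the flattened order matters when auditing a device's effective policy.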

Cisco: Managing Policies: Understanding Policies


