Cisco Certified Internetwork Expert (CCIE) Practice Test

Which statement about the Cisco ASA Identity Firewall is true?

• A. It identifies threats solely based on IP address
• B. It can apply security policies on individual user or user-group basis
• C. It operates only on the application layer
• D. It requires constant updates from the Internet to function

The correct answer is: It can apply security policies on individual user or user-group basis

The statement regarding the Cisco ASA Identity Firewall being able to apply security policies on an individual user or user-group basis is accurate. This feature showcases the Identity Firewall's capability to enforce specific security rules that are tailored to user profiles, roles, or access levels within an organization. By using identity information, such as Active Directory or RADIUS credentials, the ASA can effectively differentiate between users and apply policies that reflect their unique needs or positions. This functionality enhances network security by ensuring that users only have access to the resources they require, ultimately minimizing risk. In contrast, identifying threats solely based on IP addresses lacks the granularity needed for modern security measures, as it does not consider the identity of users behind those addresses. Operating only on the application layer would limit the firewall's functionality since it interacts across various layers to enforce security. Lastly, the claim about requiring constant updates from the Internet does not reflect its operational design, as while the ASA does benefit from updates for improved security and features, its core identity management capabilities do not rely on continuous Internet connectivity to enforce policies effectively.