Chapter Review

Firewall devices can be broken up into the following three basic types:

Packet filter
Stateful packet filter
Proxy server

Most commercial firewalls incorporate two or more of these techniques. The Cisco PIX Firewall incorporates features from all three to become the heart of the Cisco security strategy.

Because particular models change, and features, such as CPU size, change frequently, using the Cisco web page to confirm or compare features is always best. For the same reason, it’s important not simply to assume the features of a unit in the field. Basically, with the 500 series PIX devices, the larger the product number, the more powerful, the larger the throughput, and the higher the cost.

Basic PIX configuration commands are quite similar to those of the IOS-based devices. The PIX has four modes: Unprivileged, Privileged, Configuration, and Monitor. Moving among the first three is much like working with their counterparts on routers.

The six basic configuration commands you saw include the following (each also has a show command to confirm the configuration was successful).

The nameif command
The interface command
The ip address command
The nat command
The global command
The route command

Questions

1.?	True or False. A firewall is always a single device. True False
2.?	True or False. PIX Firewalls rely exclusively on packet filtering to provide security. True False
3.?	Which of the following is not one of the basic firewall types? Intrusion detection Proxy filter Packet filter Stateful packet filter
4.?	True or False. Packet filtering uses Layers 3 through 5 for filtering decisions. True False
5.?	What does the acronym ASA stand for? _______________
6.?	True or False. PIX Firewalls are built on reliable UNIX technology. True False
7.?	What is the default security level for the outside interface? 100 50 25 0
8.?	What is the default security level for the inside interface? 0 50 100 200
9.?	If DMZ1 has a security level of 50 and DMZ2 has a level of 70, which is true? Data will flow from DMZ1 to DMZ2. Data will flow from DMZ2 to DMZ1. Data will flow freely in both directions. Data never flows between DMZs.
10.?	Which is the more powerful PIX Firewall? PIX 501 PIX 525 PIX 535 PIX 610
11.?	True or False. Data flows in both directions when two interfaces have the same security level. True False
12.?	Which command assigns the security level? ip address nat global nameif
13.?	True or False. The interface command sets both bandwidth and duplex. True False
14.?	What is the default IP address for PIX interfaces? There is none. 0.0.0.0 127.0.0.1 192.168.0.1
15.?	Which creates a pool of real IP addresses to be used by NAT? NAT Interface global route

Answers

1.?	B. False. A firewall can be an entire system of devices and services.
2.?	B. False. PIX devices use packet filtering, but they also use stateful filtering to incorporate application layer information.
3.?	A. Intrusion detection.
4.?	B. False. Packet filtering can use only Layers 3 and 4.
5.?	A. Adaptive Security Algorithm
6.?	B. False. PIX Firewalls use a proprietary OS.
7.?	D. 0
8.?	C. 100
9.?	B. Data will flow from DMZ2 to DMZ1.
10.?	C. PIX 535
11.?	B. False. Data won’t flow without help.
12.?	D. nameif
13.?	A. True
14.?	C. 127.0.0.1
15.?	C. global