Chapter Review

This chapter looked at some of the features and commands required to allow data to pass efficiently through the firewall. The Adaptive Security Algorithm (ASA) was covered to give a better understanding of how the PIX Firewall determines which traffic patterns to allow and which to deny. The basic higher-security to lower-security level flow was expanded to show that returning traffic is always approved, unless it's specifically blocked by ACLs.

Static translations create a one-to-one permanent IP address xlate table entry, which can then be enabled with an ACL to create potentially many connections. Static translations are generally used to allow access to shared resources, such as servers. NAT and PAT are used to create temporary xlate table entries that allow the returning traffic from connections initiated into lower-security areas. If NAT and PAT are used together, every available NAT address is used before any PAT translations occur.

PIX access lists are created and applied much like those in the Cisco IOS, except they’re always implemented inbound on an interface.

Three filter commands can be used to block potentially destructive or unpleasant web resources from the network. The filter activex command blocks ActiveX objects from web pages, and the filter java command does the same for Java applets. The filter url command works with either an N2H2 or a Websense server to filter content based on an extensive database; it also offers web tracking and custom blocking features.

PIX OS v6.2 introduced object groups, which allow a group of similar items to be defined once and then referenced in ACLs to assign permissions or restrictions to the whole group. An object group can contain networks, services, ICMP message types, or protocols. Used well, grouping yields tremendous savings in configuration time and space on large, complex configurations.

The PIX Firewall doesn’t support routing between the interfaces, but it does use a form of static and default routes to direct traffic. It’s possible to enable RIP on individual interfaces, allowing the firewall to learn about the attached networks.
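The following PIX 6.2 configuration fragment is added here to tie the summary together and is not taken from the chapter; every interface name, address, object-group name and ACL name in it is hypothetical. It shows a static translation opened by an inbound ACL that references a service object group, two global statements sharing one nat_id so that NAT addresses are consumed before PAT begins, a nat 0 exemption, and the two content filters.

```text
: Added example (not from the chapter): hypothetical PIX 6.2 fragment.
: Security levels: outside is 0, inside is 100, and the DMZ takes 50 so
: that further DMZs can still be placed above or below it.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

: Permanent one-to-one xlate for a shared DMZ web server (global address
: 192.168.2.10 maps to local 10.1.2.10). The trailing "0 50" sets the
: connection limit to unlimited and the embryonic limit to 50, which
: enables TCP intercept for this translation.
static (dmz,outside) 192.168.2.10 10.1.2.10 netmask 255.255.255.255 0 50

: Service object group: define the permitted ports once and reference
: the group in as many ACL entries as needed.
object-group service dmz_web tcp
  port-object eq www
  port-object eq https

: The static alone admits nothing. The ACL, always applied inbound on the
: interface, permits the traffic; anything not listed is implicitly denied.
access-list outside_in permit tcp any host 192.168.2.10 object-group dmz_web
access-group outside_in in interface outside

: Dynamic translation for inside users. Both global statements carry
: nat_id 1: the address range (NAT) is drawn down first, and only when it
: is exhausted does the single address supply PAT translations.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.2.100-192.168.2.200 netmask 255.255.255.0
global (outside) 1 192.168.2.201 netmask 255.255.255.0

: nat 0 exempts this subnet from translation entirely.
nat (inside) 0 10.1.9.0 255.255.255.0

: Content filtering on outbound HTTP from any inside host to any site.
filter activex 80 0 0 0 0
filter java 80 0 0 0 0
```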

Questions

1.

Return traffic from an internal user going out on the Internet requires which of the following?

  A. Static address translation

  B. Enabling an access control entry

  C. Authenticated access

  D. None of the above

2.

In assigning a security level to a DMZ interface, which would be the logical choice?

  A. 0

  B. 1

  C. 50

  D. 100

3.

In Cisco terminology, which TCP/IP layer is used in stateful filtering but not in stateless filtering?

  A. Data link

  B. Network

  C. Transport

  D. Application

4.

What is the relationship between translations and connections?

  A. They're synonymous.

  B. One translation equals one connection.

  C. One connection can support many translations.

  D. One translation can support many connections.

5.

Which one of the following is not true about connections?

  A. No packets can pass through a PIX Firewall without a connection and a state table entry.

  B. All outbound connections are denied, except those specifically allowed by access control lists.

  C. All ICMP packets are denied unless specifically permitted with ACLs or conduits.

  D. Any packet dropped for failing to meet one of the rules triggers a syslog message to be sent.

6.

For which one of the following is it easiest for the PIX to monitor state?

  A. UDP

  B. TCP

  C. ICMP

  D. Java

7.

How many address translations result from the following command?

Pix(config)# static (inside,outside) 10.1.1.32 192.168.2.32 netmask 255.255.255.240

  A. 254

  B. 32

  C. 14

  D. 16

8.

Setting the embryonic connection limit triggers what feature?

  A. Static PAT

  B. An All Hosts option

  C. TCP intercept

  D. Static NAT

9.

The PIX filter command can be used to block which two of the following?

  A. Rogue FTP sessions

  B. ActiveX objects

  C. Bad e-mail commands

  D. Java applets

10.

Which command filters all outbound HTTP connections?

  A. pix(config)#filter url 80 0 0 0 0

  B. pix#filter url 80 0 0 0 0

  C. pix(config-if)#filter url 80 0 0 0 0

  D. pix(config)#filter url N2H2 80 0 0 0 0

11.

In the following syntax, what would be the result of nat_id being 0?

Pix(config)# nat (if_name) nat_id ip_address

  A. The ip_address would be reserved for static mapping.

  B. The ip_address would be used for PAT translations.

  C. The ip_address would not be translated.

  D. The ip_address would be dropped from the global pool.

12.

TurboACL applies to which two of the following?

  A. Compiled access lists

  B. Short, quick ACLs

  C. ACLs with many repeated statements

  D. ACLs with at least 19 statements

13.

Which one of the following is not true about downloadable ACLs?

  A. They were introduced in PIX Firewall version 6.2.

  B. They support TACACS+ servers with Cisco Secure ACS v3.0.

  C. They are based on either user or group profile entries.

  D. They require no additional configuration on the firewall once AAA authorization is configured.

14.

Which one of the following will create an object group?

  A. Pix(config)# object-group service dmz_service tcp

  B. Pix(config)# object group service dmz_service udp

  C. Pix(config)# object-group service dmz_service icmp

  D. Pix# object-group service dmz_service icmp

15.

Which statement is not true?

  A. The PIX Firewall is not a router.

  B. The PIX Firewall does not forward broadcast or multicast packets.

  C. Cisco security strategy considers sending routing protocols across any firewall safe, but unnecessary, because of the route command.

  D. The PIX interfaces do not support VLAN trunk links.

Answers

1.

D. None of the above. Returning traffic is always allowed, unless it's specifically blocked.

2.

C. 50. 0 and 100 are reserved (outside/inside), and while 1 would work, it allows no flexibility in security assignment if another DMZ were added.

3.

D. Application layer.

4.

D. One translation can support many connections.

5.

B. All outbound connections are denied except those specifically allowed by access control lists. Just the opposite: all are allowed unless denied by an ACL.

6.

B. TCP, because it has a session setup and a termination routine.

7.

C. 14. The mask includes 16 addresses, but one is the network and one is the broadcast.

8.

C. TCP intercept.

9.

B. and D. ActiveX objects and Java applets.

10.

A. pix(config)#filter url 80 0 0 0 0.

11.

C. The ip_address would not be translated. Nat 0 turns off NAT for that address.

12.

A. and D. Compiled access lists and ACLs with at least 19 statements.

13.

B. Supports TACACS+ servers with Cisco Secure ACS v3.0. Actually, it's RADIUS.

14.

A. Pix(config)# object-group service dmz_service tcp.

15.

C. Cisco security strategy considers sending routing protocols across any firewall safe, but unnecessary, because of the route command. Cisco does not consider it safe.
