Chapter Review

This chapter looked at some of the more-advanced features of the PIX Firewall.

You saw the alternatives to establishing a console cable session with the router, including Telnet, HTTP, and SSH. Configuring these access methods on the PIX Firewall is more involved than on a router, and the commands are case sensitive.

Configuring AAA on the PIX Firewall is similar to working with AAA on the routers. First, the AAA server must be specified and the host key configured. This key must match the one configured on the AAA server. The key is used to get the AAA server to accept the AAA requests from the PIX device. The next step involves configuring the authentication, authorization, and accounting commands, so target users and resources are identified.

AAA support for all the console session methods and for the enable command adds a higher level of secure authentication to that activity. With PIX v6.2, AAA also supports command authorization, as well as the Local User Database for authentication and command authorization.
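The AAA sequence just described, written out as a PIX 6.2 configuration fragment. This is an added example, not from the book: the server address 192.168.1.4 and the key 4key reuse the values from question 4 below, while the interface names, timeouts, the admin username and the password placeholder are assumptions.

```text
: Added example: the AAA steps from this review on a PIX 6.2 (not from the book)
: Step 1: name the server group and its protocol. Group tags are case sensitive;
: "radius" and "RADIUS" are different groups, and a tag that matches no
: existing group creates a new TACACS+ group (see question 4).
aaa-server RADIUS protocol radius
: Step 2: add the server and the shared key. The key must match the one
: configured on the AAA server or the server rejects the PIX's requests.
: (inside) and the timeout are assumed values.
aaa-server RADIUS (inside) host 192.168.1.4 4key timeout 10
: Step 3: authentication for each console access method
aaa authentication serial console RADIUS
aaa authentication telnet console RADIUS
aaa authentication ssh console RADIUS
aaa authentication http console RADIUS
: Accounting for the sessions users open through the firewall
aaa accounting include any outbound 0 0 0 0 RADIUS
: Command authorization (new in v6.2) against the local user database.
: The enable prompt is authenticated locally so the privilege level applies.
username admin password PASSWORD-PLACEHOLDER privilege 15
aaa authentication enable console LOCAL
aaa authorization command LOCAL
: Limit where the console access methods may be reached from (questions 1 and 2)
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 10
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 10
```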

Advanced protocol handling involves application-layer inspection to maintain stateful table entries that allow return traffic for applications and protocols that either embed IP addresses in the data payload or make dynamic port requests after the initial session setup. The fixup protocol commands are the portion of advanced protocol handling that lets the PIX administrator view, change, enable, or disable inspection for a variety of common applications and protocols passing through the PIX Firewall. The port specified with each command is the one the PIX Firewall listens on for that service.

Attack guards are another implementation of application-layer inspection, used to monitor for common network threats or undesirable traffic and to block them. Features like DNS Control, Flood Defender, TCP Intercept, FragGuard, and Reverse Path Forwarding are examples of efforts to block common attack strategies. Three filter commands can be used to block potentially destructive or unpleasant web resources from the network: the filter activex command blocks ActiveX objects in web pages, the filter java command does the same for Java applets, and the filter url command works with either an N2H2 or a Websense server to filter content based on an extensive database. URL filtering also offers web tracking and custom blocking features.

New IDS sensor capabilities extend the Cisco Secure IDS strategy to include the PIX Firewall, adding visibility to the Internet, intranet, and extranet. Shunning allows the PIX Firewall to receive dynamic commands from an IDS unit to block traffic that the IDS has determined to be a threat.

The SNMP server commands allow the PIX Firewall administrator to configure SNMP to be more secure, while still providing an easy-to-implement method of remote administration and monitoring for a wide variety of network devices.
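The protocol handling, attack guard, filter, IDS and SNMP features summarized above, as one PIX 6.2 configuration fragment. This is an added example, not from the book; the Websense server and SNMP manager addresses, the community string placeholder and the audit policy name are assumptions.

```text
: Added example (not from the book): advanced protocol handling, attack guards,
: content filters, IDS and SNMP on a PIX 6.2
: Application inspection: the port after the protocol name is the one the PIX listens on
fixup protocol ftp 21
fixup protocol smtp 25
fixup protocol sip 5060
fixup protocol skinny 2000
: ILS inspection is not needed here, so it is disabled (question 10)
no fixup protocol ils 389
: Attack guards. FragGuard requires every noninitial fragment to match a known
: initial fragment and limits fragments to 100 per second per internal host.
sysopt security fragguard
: A fragment database of size 1 on the outside interface blocks fragments there
fragment size 1 outside
: Unicast RPF: drop packets whose source is not reachable through the route table
ip verify reverse-path interface outside
: Flood Defender against user-authentication (uauth) flooding
floodguard enable
: Content filters on web traffic (port 80) for any local and any foreign host
filter activex 80 0 0 0 0
filter java 80 0 0 0 0
url-server (inside) vendor websense host 192.168.1.20
filter url http 0 0 0 0
: IDS: a default action for attack-class signatures (question 15), then a
: named policy applied to the outside interface, with one signature disabled
ip audit attack action alarm drop reset
ip audit name Audit.99 info action alarm
ip audit name Audit.99 attack action alarm drop reset
ip audit interface outside Audit.99
ip audit signature 1001 disable
: SNMP: a single manager on the inside, a non-default community, traps enabled
snmp-server host inside 192.168.1.30
snmp-server community COMMUNITY-PLACEHOLDER
snmp-server enable traps
```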

Questions

1.

Looking at the following output, what will be the result of the second statement?

Pix(config)# telnet 192.168.1.10 255.255.255.255 inside
Pix(config)# telnet 192.168.1.47 255.255.255.255
Pix(config)# telnet 192.168.2.0 255.255.255.0 inside
Pix(config)# telnet 1.1.1.10 255.255.255.255 outside

  A. It will allow Telnetting from the host on the default outside interface.

  B. The command will fail because no interface is specified.

  C. It will enable Telnet from the host on all nonoutside interfaces.

  D. It will enable Telnet from the host only on the interface to that address.

2.

The telnet timeout 10 command does what?

  A. Gives the firewall a ten-minute break

  B. Sets the Telnet idle timer to ten seconds

  C. Sets the Telnet idle timer to ten minutes

  D. Sets the Telnet session limit to ten minutes

3.

A group_tag refers to which one of the following?

  A. AAA authentication protocol

  B. Pool of AAA servers

  C. The name of a AAA server

  D. A AAA header field

4.

What does the following AAA command do? Pick the best answer.

Pix(config)# aaa-server radius host 192.168.1.4 4key

  A. It assigns server 192.168.1.4 to the default RADIUS group.

  B. It creates a new group radius—protocol RADIUS—and assigns server 192.168.1.4 to it.

  C. It will fail because no group radius exists.

  D. It creates a new group radius—protocol TACACS+—and assigns server 192.168.1.4 to it.

5.

What command displays the syntax and usage for the aaa authentication, aaa authorization, aaa accounting, and aaa proxy-limit commands in summary form?

  A. show aaa

  B. show aaa options

  C. help aaa

  D. show aaa help

6.

Which of the following statements is not true?

  A. The local user database requires only a user name and a password.

  B. PIX Firewall v6.2 introduced the local user database command to firewalls.

  C. The local user database can be used to authenticate users.

  D. The local user database can be used for command authorization.

7.

What feature does the PIX ASA use to establish and maintain its stateful access control and traffic-monitoring security?

  A. Application layer inspection

  B. Access control lists

  C. ip audit command

  D. The filter command

8.

With the fixup protocol command, what is typically the only variable?

  A. Source address

  B. Port number or port range

  C. Destination address

  D. Enable/disable

9.

The PIX Java and ActiveX filtering is an example of which one of the following?

  A. Fixup protocol

  B. Attack guards

  C. Shunning

  D. Flood Defender

10.

Which is not a Voice over IP (VoIP) fixup protocol?

  A. H.323

  B. Session Initiation Protocol (SIP)

  C. Skinny Client Control Protocol (SCCP)

  D. Internet Locator Service (ILS)

11.

What does the FragGuard fragment size 1 command do?

  A. Limits fragments to 1 byte

  B. Limits fragments to 1 kilobyte

  C. Blocks fragmenting

  D. Limits fragmentation time to one minute

12.

Which command specifies an SNMP trap level for logging messages?

  A. logging trap

  B. logging history

  C. logging on

  D. logging host

13.

What two additional security checks are added by the sysopt security fragguard command?

  A. Each noninitial IP fragment must be associated with known valid initial IP fragments.

  B. All IP fragments are blocked.

  C. IP fragments are limited to 100 per second to each internal host.

  D. Only RFC 1858 fragmentation protection is allowed.

14.

Which attack guard uses the firewall route table to look for spoofed addresses?

  A. Virtual Reassembly

  B. TCP Intercept

  C. Unicast Reverse Path Forwarding

  D. Flood Defender

15.

Which command is an example of setting an IDS audit default action?

  A. ip audit name Audit.99 info action alarm drop reset

  B. ip audit signature 1001 disable

  C. ip audit attack action reset

  D. ip audit interface outside audit.99

Answers

1.

C. It will enable Telnet from the host on all nonoutside interfaces.

2.

C. Sets the Telnet idle timer to ten minutes

3.

B. Pool of AAA servers

4.

D. It creates a new group radius—protocol TACACS+—and assigns server 192.168.1.4 to it. Remember, group names are case sensitive, and if none matches the name used, a new TACACS+ group is formed.

5.

C. help aaa displays the syntax and usage for the aaa authentication, aaa authorization, aaa accounting, and aaa proxy-limit commands in summary form.

6.

A. "The local user database requires only a user name and a password" is false because, on the firewall, the password is optional.

7.

A. Application layer inspection

8.

B. Port number or port range

9.

B. Attack guards

10.

D. Internet Locator Service (ILS)

11.

C. Blocks fragmenting

12.

B. logging history

13.

A and C. Each noninitial IP fragment must be associated with known valid initial IP fragments, and IP fragments are limited to 100 per second to each internal host.

14.

C. Unicast Reverse Path Forwarding

15.

C. ip audit attack action reset

Part III: Virtual Private Networks (VPNs)