Chapter Review

Firewall devices can be broken up into the following three basic types:

  • Packet filter

  • Stateful packet filter

  • Proxy server

Most commercial firewalls incorporate two or more of these techniques. The Cisco PIX Firewall incorporates features from all three to become the heart of the Cisco security strategy.

Because particular models change, and features such as CPU size change frequently, it is always best to use the Cisco web page to confirm or compare features. For the same reason, it’s important not to simply assume the features of a unit in the field. Basically, with the 500 series PIX devices, the larger the product number, the more powerful the unit, the larger the throughput, and the higher the cost.

Basic PIX configuration commands are quite similar to those of the IOS-based devices. The PIX has four modes: Unprivileged, Privileged, Configuration, and Monitor. Moving among the first three is much like working with their counterparts on routers.

The six basic configuration commands covered in this chapter are the following (each also has a corresponding show command to confirm that the configuration took effect).

  • The nameif command

  • The interface command

  • The ip address command

  • The nat command

  • The global command

  • The route command
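The following is an added example, not taken from the book, of a minimal PIX 6.x configuration that uses the six commands above in the order they are listed. The interface names, addresses and the address pool are assumed sample values (192.0.2.0/24, a documentation range, stands in for the outside network); the lines beginning with ! are annotations for the reader, not part of the configuration.

```text
! Name each interface and assign its security level (0 = least trusted, 100 = most trusted)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
! Bring the interfaces up and set speed and duplex
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
! Addresses are assigned to the names created by nameif, not to the hardware ports
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
! NAT id 1: translate every host on the inside network ...
nat (inside) 1 10.0.0.0 255.255.255.0
! ... to an address from this pool of real (outside) addresses; the id 1 ties the two together
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
! Default route toward the upstream router on the outside interface (metric 1)
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

Each step can be confirmed with the matching show command (show nameif, show interface, show ip address, show nat, show global, show route). With these levels in place, connections initiated from inside (100) toward dmz (50) or outside (0), and from dmz toward outside, are translated and permitted by default, while nothing initiated from a lower level can reach a higher one until an explicit static translation and access-list (or conduit) permit it; that is the "help" referred to in the questions below.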

Questions

1. True or False. A firewall is always a single device.

  A. True

  B. False

  Answer: B. False. A firewall can be an entire system of devices and services.

2. True or False. PIX Firewalls rely exclusively on packet filtering to provide security.

  A. True

  B. False

  Answer: B. False. PIX devices use packet filtering, but they also use stateful filtering to incorporate application layer information.

3. Which of the following is not one of the basic firewall types?

  A. Intrusion detection

  B. Proxy filter

  C. Packet filter

  D. Stateful packet filter

  Answer: A. Intrusion detection.

4. True or False. Packet filtering uses Layers 3 through 5 for filtering decisions.

  A. True

  B. False

  Answer: B. False. Packet filtering can use only Layers 3 and 4.

5. What does the acronym ASA stand for? _______________

  Answer: Adaptive Security Algorithm

6. True or False. PIX Firewalls are built on reliable UNIX technology.

  A. True

  B. False

  Answer: B. False. PIX Firewalls use a proprietary OS.

7. What is the default security level for the outside interface?

  A. 100

  B. 50

  C. 25

  D. 0

  Answer: D. 0

8. What is the default security level for the inside interface?

  A. 0

  B. 50

  C. 100

  D. 200

  Answer: C. 100

9. If DMZ1 has a security level of 50 and DMZ2 has a level of 70, which is true?

  A. Data will flow from DMZ1 to DMZ2.

  B. Data will flow from DMZ2 to DMZ1.

  C. Data will flow freely in both directions.

  D. Data never flows between DMZs.

  Answer: B. Data will flow from DMZ2 to DMZ1.

10. Which is the most powerful PIX Firewall?

  A. PIX 501

  B. PIX 525

  C. PIX 535

  D. PIX 610

  Answer: C. PIX 535

11. True or False. Data flows in both directions when two interfaces have the same security level.

  A. True

  B. False

  Answer: B. False. Data won’t flow without help.

12. Which command assigns the security level?

  A. ip address

  B. nat

  C. global

  D. nameif

  Answer: D. nameif

13. True or False. The interface command sets both bandwidth and duplex.

  A. True

  B. False

  Answer: A. True

14. What is the default IP address for PIX interfaces?

  A. There is none.

  B. 0.0.0.0

  C. 127.0.0.1

  D. 192.168.0.1

  Answer: C. 127.0.0.1

15. Which creates a pool of real IP addresses to be used by NAT?

  A. nat

  B. interface

  C. global

  D. route

  Answer: C. global

Part III: Virtual Private Networks (VPNs)