This chapter looked at the features and commands required to allow data to pass efficiently through the firewall. The Adaptive Security Algorithm (ASA) was covered to explain how the PIX Firewall determines which traffic patterns to allow and which to deny. The basic higher-security to lower-security level flow was expanded to indicate that returning traffic is always approved, unless it’s specifically blocked by ACLs.
Static translations create a permanent one-to-one IP address entry in the xlate table, which can then be opened with an ACL to support potentially many connections. Static translations are generally used to allow access to shared resources, such as servers. NAT and PAT create temporary xlate table entries, so that traffic returning from connections initiated into lower-security areas is permitted. If NAT and PAT are used together, every available NAT address is used before any PAT translation occurs.
PIX access lists are created and applied much like those in the Cisco IOS, except they’re always implemented inbound on an interface.
Three filter commands can be used to block potentially destructive or unpleasant web resources from the network. The filter activex command blocks ActiveX objects in web pages. The filter java command does the same for Java applets. The filter url command works with either an N2H2 or a Websense server to filter content based on an extensive database; filter url also offers web tracking and custom blocking features.
PIX OS v6.2 introduced object groups, which allow a group of similar items to be defined once and then referenced in ACLs to assign permissions and/or restrictions to the whole group. An object group can contain networks, services, ICMP message types, or protocols. Used well, grouping yields tremendous savings in configuration time and space on large, complex configurations.
The PIX Firewall doesn’t support routing between the interfaces, but it does use a form of static and default routes to direct traffic. It’s possible to enable RIP on individual interfaces, allowing the firewall to learn about the attached networks.
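As an added example (constructed for this summary, not taken from the chapter), a minimal PIX OS 6.2 configuration that ties the pieces together: security levels, a nat/global pool with a PAT fallback, a static translation opened by an inbound ACL built from object groups, the three filter commands, and a default route plus passive RIP. Interface names, addresses, server addresses and group names are assumed.

```cisco
: Constructed example (PIX OS 6.2 syntax); lines beginning with a colon are comments.
: Security levels: outside 0, inside 100, DMZ in between.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
:
: Dynamic translation for inside hosts heading to lower-security interfaces.
: NAT pool addresses are handed out first; the single PAT address is used only
: when the pool is exhausted.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.2.100-192.168.2.110 netmask 255.255.255.0
global (outside) 1 192.168.2.111 netmask 255.255.255.0
global (dmz) 1 interface
:
: Permanent one-to-one xlate for a shared DMZ web server: global address first,
: then local address. A host mask yields exactly one translation.
static (dmz,outside) 192.168.2.32 172.16.1.32 netmask 255.255.255.255
:
: Object groups: the ACL below references the server's global address, since
: outside-facing ACLs in PIX 6.x are written against translated addresses.
object-group network dmz_servers
  network-object host 192.168.2.32
object-group service dmz_service tcp
  port-object eq www
  port-object eq https
:
: ACLs are always applied inbound on an interface. This one opens the static
: to HTTP/HTTPS only; anything else from outside hits the implicit deny.
: Return traffic for connections initiated from inside needs no ACL entry.
access-list outside_in permit tcp any object-group dmz_servers object-group dmz_service
access-group outside_in in interface outside
:
: Content filtering: strip ActiveX and Java from HTTP replies, and check URLs
: against a Websense server; "allow" passes traffic if the server is unreachable.
filter activex 80 0 0 0 0
filter java 80 0 0 0 0
url-server (inside) vendor websense host 10.1.1.50 timeout 5
filter url http 0 0 0 0 allow
:
: No routing between interfaces: a default route out, plus passive RIP on
: inside so the firewall learns attached networks without advertising.
route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
rip inside passive version 2
```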
Questions

1. Return traffic from an internal user going out on the Internet requires which of the following?
2. In assigning a security level to a DMZ interface, which would be the logical choice?
3. In Cisco terminology, which TCP/IP layer is used in stateful filtering, which is not used in stateless?
4. What is the relationship between translations and connections?
5. Which one of the following is not true about connections?
6. Which one of the following is easiest for the PIX to monitor the state?
7. How many address translations result from the following command?
   Pix(config)# static (inside,outside) 10.1.1.32 192.168.2.32 netmask 255.255.255.240
8. Setting the embryonic connection limit triggers what feature?
9. The PIX filter command can be used to block which two of the following?
10. Which command filters all outbound HTTP connections?
11. In the following syntax, what would be the result of nat_id being 0?
    Pix(config)# nat (if_name) nat_id ip_address
12. TurboACL applies to which two of the following?
13. Which one of the following is not true about downloadable ACLs?
14. Which one of the following will create an object group?
15. Which statement is not true?
Answers
1. D. None of the above. Returning traffic is always allowed, unless it’s specifically blocked.
2. C. 50 and 100 are reserved (outside/inside) and while 1 would work, it allows no flexibility in security assignment if another DMZ was added.
3. D. Application layer.
4. D. One translation can support many connections.
5. B. All outbound connections are denied except those specifically allowed by access control lists. Just the opposite, all are allowed unless denied by an ACL.
6. B. TCP because it has a session setup and a termination routine.
7. C. 14. The mask includes 16 addresses, but one is the network and one is the broadcast.
8. C. TCP intercept.
9. B. and D. ActiveX objects and Java applets.
10. A. pix(config)#filter url 80 0 0 0 0.
11. C. The ip_address would not be translated. Nat 0 turns off NAT for that address.
12. A. and D. Compiled access lists and ACLs with at least 19 statements.
13. B. Supports TACACS+ servers with Cisco Secure ACS v3.0. Actually, it’s RADIUS.
14. A. Pix(config)# object-group service dmz_service tcp.
15. C. Cisco security strategy considers sending routing protocols across any firewall safe, but unnecessary, because of the route command. Cisco does not consider it safe.