This chapter looked at some of the more-advanced features of the PIX Firewall.
You saw the alternatives to establishing a console-cable session with the PIX Firewall, including Telnet, HTTP, and SSH. The configuration steps and case sensitivity are more involved than when working with routers.
Configuring AAA on the PIX Firewall is similar to working with AAA on the routers. First, the AAA server must be specified and the host key configured. This key must match the one configured on the AAA server. The key is used to get the AAA server to accept the AAA requests from the PIX device. The next step involves configuring the authentication, authorization, and accounting commands, so target users and resources are identified.
AAA support for all the console session methods and the enable command adds a higher level of secure authentication to the activity. With PIX v6.2, AAA now supports command authorization, as well as the Local User Database for authentication and command authorization.
Advanced protocol handling involves application-layer inspection to maintain stateful table entries to allow return traffic from those applications and protocols that either embed IP addresses in the data payload or make dynamic port requests after the initial session setup. The fixup protocol commands are a portion of the advanced protocol handling that allows the PIX administrator to view, change, enable, or disable the use of a variety of common applications or protocols through the PIX Firewall. The specified ports define the ones the PIX Firewall will listen at for each respective service.
Attack guards are another implementation of application-layer inspection, implemented to monitor for common network threats or undesirable traffic and to block them. Features like DNS Control, Flood Defender, TCP Intercept, FragGuard, and Reverse Path Forwarding are examples of efforts to block common attack strategies. Three filter commands can be used to block potentially destructive or unpleasant web resources from the network: the filter activex command blocks ActiveX objects from web pages, the filter java command does the same thing to Java applets, and the filter url command works with either an N2H2 or a Websense server to filter content based on an extensive database. URL filtering also offers web tracking and custom blocking features.
New IDS sensor capabilities extend the Cisco Secure IDS strategy to include the PIX Firewall, adding visibility to the Internet, intranet, and extranet. Shunning allows the PIX Firewall to receive dynamic commands from an IDS unit to block traffic that’s determined as a threat.
The SNMP server commands allow the PIX Firewall administrator to configure SNMP to be more secure, while still providing an easy-to-implement method of remote administration and monitoring for a wide variety of network devices.
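As an added illustration that is not from the book, the following PIX 6.x-style configuration fragment gathers the features the summary describes into one place; the addresses, the MYTACACS group tag, the OUTSIDE-ATTACK audit name, and the placeholder key and community string are all constructed for this example and must be replaced with site values.

```text
: Management access: Telnet and SSH only from the inside network,
: both with a 10-minute idle timeout (addresses are constructed)
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10

: AAA: define the server group first (MYTACACS is an assumed group tag),
: then the host and the shared key, which must match the key on the AAA server
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 192.168.1.4 <SHARED-KEY-PLACEHOLDER> timeout 10
aaa authentication telnet console MYTACACS
aaa authentication ssh console MYTACACS
aaa authentication enable console MYTACACS
aaa authorization command MYTACACS
aaa accounting include any inside 0 0 0 0 MYTACACS

: Advanced protocol handling: keep FTP inspection on its default port,
: disable an inspection that this network does not need
fixup protocol ftp 21
no fixup protocol skinny 2000

: Content filters: block ActiveX and Java on outbound HTTP,
: hand URL decisions to a Websense server on the inside
filter activex 80 0 0 0 0
filter java 80 0 0 0 0
url-server (inside) host 192.168.1.5 timeout 5
filter url http 0 0 0 0

: Attack guards: spoof check against the route table, fragment checks, flood defense
ip verify reverse-path interface outside
sysopt security fragguard
floodguard enable

: IDS: default action for attack signatures, plus a named policy on the outside interface
ip audit attack action reset
ip audit name OUTSIDE-ATTACK attack action alarm drop reset
ip audit interface outside OUTSIDE-ATTACK

: SNMP: community string (placeholder) for one management host; trap level set with logging history
snmp-server community <COMMUNITY-PLACEHOLDER>
snmp-server host inside 192.168.1.6
snmp-server enable traps
logging on
logging history informational
```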
Questions

1. Looking at the following output, what will be the result of the second statement?
   Pix(config)# telnet 192.168.1.10 255.255.255.255 inside
   Pix(config)# telnet 192.168.1.47 255.255.255.255
   Pix(config)# telnet 192.168.2.0 255.255.255.0 inside
   Pix(config)# telnet 1.1.1.10 255.255.255.255 outside
2. The telnet timeout 10 command does what?
3. A group_tag refers to which one of the following?
4. What does the following AAA command do? Pick the best answer.
   Pix(config)# aaa-server radius host 192.168.1.4 4key
5. What command displays the syntax and usage for the aaa authentication, aaa authorization, aaa accounting, and aaa proxy-limit commands in summary form?
6. Which of the following statements is not true?
7. What feature does the PIX ASA use to establish and maintain its stateful access control and traffic-monitoring security?
8. With the fixup protocol command, what is typically the only variable?
9. The PIX Java and ActiveX filtering is an example of which one of the following?
10. Which is not a Voice over IP (VoIP) fixup protocol?
11. What does the FragGuard fragment size 1 command do?
12. Which command specifies an SNMP trap level for logging messages?
13. What two additional security checks are added by the sysopt security fragguard command?
14. Which attack guard uses the firewall route table to look for spoofed addresses?
15. Which command is an example of setting an IDS audit default action?
Answers
1. C. It will enable Telnet from the host on all nonoutside interfaces.
2. C. Sets the Telnet idle timer to ten minutes.
3. B. Pool of AAA servers.
4. D. It creates a new group radius (protocol TACACS+) and assigns server 192.168.1.4 to it. Remember, group names are case sensitive, and if none matches the name used, a new TACACS+ group is formed.
5. C. help aaa displays the syntax and usage for the aaa authentication, aaa authorization, aaa accounting, and aaa proxy-limit commands in summary form.
6. A. "The local user database requires only a user name and a password" is false because, on the firewall, the password is optional.
7. A. Application-layer inspection.
8. B. Port number or port range.
9. B. Attack guards.
10. D. Internet Locator Service (ILS).
11. C. Blocks fragmenting.
12. B. logging history.
13. A and C. Each noninitial IP fragment must be associated with known valid initial IP fragments, and IP fragments are limited to 100 per second to each internal host.
14. C. Unicast Reverse Path Forwarding.
15. C. ip audit attack action reset.