Опубликованный материал нарушает ваши авторские права? Сообщите нам.
Вуз: Предмет: Файл:
Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf
15.78 Mб

326 Chapter 15: Attack Guards and Multimedia Support

Foundation Summary

The Cisco PIX Firewall has built-in features that help it mitigate most known attacks:

DNS Guard—DNS queries and responses are torn down as soon as a reply to a DNS query is received, dropping all other responses and averting a DoS attack.

Mail Guard—The fixup protocol smtp command enables the Mail Guard feature. This restricts mail servers to receiving only the seven commands defined in RFC 821, section 4.5.1 (HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT). All other commands are rejected.

Flood Defender—Protects inside systems from a DoS attack that floods an interface with half-open TCP (embryonic) connections, otherwise known as SYN flooding.

AAA Floodguard—Monitors and recovers resources tied up in the user authentication (auth) subsystem, averting a DoS attack.

Fragmentation guard—Prevents a DoS attack caused by fragmented IP datagrams overwhelming the hosts.

The Cisco PIX Firewall also includes an intrusion detection feature with 53 common attack signatures. The PIX supports both inbound and outbound auditing. When an attack signature is detected, the PIX can send an alarm, drop the packet, or reset the TCP connection.

Q&A 327


As mentioned in the Introduction, the questions in this book are more difficult than what you should experience on the exam. The questions do not attempt to cover more breadth or depth than the exam; however, they are designed to make sure that you know the answer. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and then guess. Be sure to use the CD and take the simulated exams.

The answers to these questions can be found in Appendix A.

1What does the Flood Defender feature on the PIX Firewall do?

A It prevents the PIX from being flooded with water.

BIt protects the inside network from being engulfed by rain.

CIt protects against SYN flood attacks.

DIt protects against AAA attacks.

2What PIX feature mitigates a DoS attack that uses an incomplete IP datagram?

A Floodguard

B Incomplete guard

C Fragguard

D Mail Guard

3Which of the following multimedia application(s) is/are supported by the PIX





DInternet Video Phone

EAll of the above

4What is the default port that PIX inspects for H.323 traffic?

A 1628

B 1722

C 1720

D 1408

328 Chapter 15: Attack Guards and Multimedia Support

5How do you enable the Mail Guard feature on the PIX?

A mail guard on

B enable mail guard

C fixup protocol mailguard

D fixup protocol smtp

6Which of the following describes how the Mail Guard works on the PIX Firewall?

A It lets all mail in except for mail described by an access list.

B It restricts SMTP requests to seven commands.

C It revokes mail messages that contain attacks.

D It performs virus checks on each mail message.

7Which of the following statements about DNS Guard are true?

AIt is disabled by default.

BIt allows only a single DNS response for outgoing requests.

CIt monitors the DNS servers for suspicious activities.

DIt is enabled by default.

8Which of the following are PIX Firewall attack mitigation features?

A DNS Guard

B Floodgate Guard

C Mail Guard

D Webguard

9What command enables the PIX Firewall IDS feature?

A ids enable

B ip audit

C ip ids audit

D audit ip ids

Q&A 329

10What is the default action of the PIX IDS feature?

A Nothing

B Drop

C Alarm

D Reset

11What does the reset action do in the PIX Firewall IDS configuration?

AWarns the source of the offending packet before it drops the packet.

BDrops the offending packet and closes the connection if it is part of an active connection with a TCP RST.

CWaits 2000 offending packets and then permanently bans the connection to the source host.

DReports the incident to the syslog server and waits for more offending packets from the same source to arrive.

12Which of the following is true of the ip verify reverse-path command?

A It provides both ingress and egress filtering.

B It is disabled by default.

C It is very complicated to configure.

D It works only with the PIX 520 model.