326 Chapter 15: Attack Guards and Multimedia Support
Foundation Summary
The Cisco PIX Firewall has built-in features that help it mitigate most known attacks:
•DNS Guard—DNS queries and responses are torn down as soon as a reply to a DNS query is received, dropping all other responses and averting a DoS attack.
•Mail Guard—The fixup protocol smtp command enables the Mail Guard feature. This restricts mail servers to receiving only the seven commands defined in RFC 821, section 4.5.1 (HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT). All other commands are rejected.
•Flood Defender—Protects inside systems from a DoS attack that floods an interface with half-open TCP (embryonic) connections, otherwise known as SYN flooding.
•AAA Floodguard—Monitors and recovers resources tied up in the user authentication (auth) subsystem, averting a DoS attack.
•Fragmentation guard—Prevents a DoS attack caused by fragmented IP datagrams overwhelming the hosts.
The Cisco PIX Firewall also includes an intrusion detection feature with 53 common attack signatures. The PIX supports both inbound and outbound auditing. When an attack signature is detected, the PIX can send an alarm, drop the packet, or reset the TCP connection.
Q&A 327
Q&A
As mentioned in the Introduction, the questions in this book are more difficult than what you should experience on the exam. The questions do not attempt to cover more breadth or depth than the exam; however, they are designed to make sure that you know the answer. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and then guess. Be sure to use the CD and take the simulated exams.
The answers to these questions can be found in Appendix A.
1What does the Flood Defender feature on the PIX Firewall do?
A It prevents the PIX from being flooded with water.
BIt protects the inside network from being engulfed by rain.
CIt protects against SYN flood attacks.
DIt protects against AAA attacks.
2What PIX feature mitigates a DoS attack that uses an incomplete IP datagram?
A Floodguard
B Incomplete guard
C Fragguard
D Mail Guard
3Which of the following multimedia application(s) is/are supported by the PIX
Firewall?
ACuSeeMe
BVDOLive
CNetmeeting
DInternet Video Phone
EAll of the above
4What is the default port that PIX inspects for H.323 traffic?
A 1628
B 1722
C 1720
D 1408
328 Chapter 15: Attack Guards and Multimedia Support
5How do you enable the Mail Guard feature on the PIX?
A mail guard on
B enable mail guard
C fixup protocol mailguard
D fixup protocol smtp
6Which of the following describes how the Mail Guard works on the PIX Firewall?
A It lets all mail in except for mail described by an access list.
B It restricts SMTP requests to seven commands.
C It revokes mail messages that contain attacks.
D It performs virus checks on each mail message.
7Which of the following statements about DNS Guard are true?
AIt is disabled by default.
BIt allows only a single DNS response for outgoing requests.
CIt monitors the DNS servers for suspicious activities.
DIt is enabled by default.
8Which of the following are PIX Firewall attack mitigation features?
A DNS Guard
B Floodgate Guard
C Mail Guard
D Webguard
9What command enables the PIX Firewall IDS feature?
A ids enable
B ip audit
C ip ids audit
D audit ip ids
Q&A 329
10What is the default action of the PIX IDS feature?
A Nothing
B Drop
C Alarm
D Reset
11What does the reset action do in the PIX Firewall IDS configuration?
AWarns the source of the offending packet before it drops the packet.
BDrops the offending packet and closes the connection if it is part of an active connection with a TCP RST.
CWaits 2000 offending packets and then permanently bans the connection to the source host.
DReports the incident to the syslog server and waits for more offending packets from the same source to arrive.
12Which of the following is true of the ip verify reverse-path command?
A It provides both ingress and egress filtering.
B It is disabled by default.
C It is very complicated to configure.
D It works only with the PIX 520 model.
