326 Chapter 15: Attack Guards and Multimedia Support
Foundation Summary
The Cisco PIX Firewall has built-in features that help it mitigate most known attacks:
• DNS Guard—The connection opened for a DNS query is torn down as soon as the first reply to that query is received; every later response is dropped, averting a DoS attack.
• Mail Guard—The fixup protocol smtp command enables the Mail Guard feature. This restricts mail servers to receiving only the seven commands defined in RFC 821, section 4.5.1 (HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT). All other commands are rejected.
• Flood Defender—Protects inside systems from a DoS attack that floods an interface with half-open TCP (embryonic) connections, otherwise known as SYN flooding.
• AAA Floodguard—Monitors and recovers resources tied up in the user authentication (auth) subsystem, averting a DoS attack.
• Fragmentation guard—Prevents a DoS attack caused by fragmented IP datagrams overwhelming the hosts.
The Cisco PIX Firewall also includes an intrusion detection feature with 53 common attack signatures. The PIX supports both inbound and outbound auditing. When an attack signature is detected, the PIX can send an alarm, drop the packet, or reset the TCP connection.
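As an added illustration (not code from the book or from Cisco), the following Python model applies the Mail Guard allow-list described above to a constructed SMTP client transcript. The transcript, and the extra commands EHLO, VRFY and EXPN it contains, are assumed inputs; the model also tracks the DATA phase so that message body text is never mistaken for a command.

```python
"""Model of the PIX Mail Guard SMTP command allow-list (illustrative only).

Constructed example: an SMTP client session is replayed line by line through
a filter that accepts only the seven RFC 821 section 4.5.1 minimum commands
and refuses everything else. Lines sent after DATA are message content, not
commands, so they pass through untouched until the terminating '.' line.
"""

# The seven commands the book says Mail Guard permits.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def filter_session(lines):
    """Return (forwarded, rejected) for a list of client lines.

    forwarded: lines passed on to the protected mail server.
    rejected:  command verbs that were blocked by the allow-list.
    """
    forwarded, rejected = [], []
    in_data = False
    for line in lines:
        if in_data:
            # Inside the message body: forward as-is; a lone '.' ends DATA.
            forwarded.append(line)
            if line == ".":
                in_data = False
            continue
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in ALLOWED:
            forwarded.append(line)
            if verb == "DATA":
                in_data = True
        else:
            # Anything outside the minimal set (EHLO, VRFY, EXPN, ...) is refused.
            rejected.append(verb)
    return forwarded, rejected


# Constructed client transcript, including commands the guard must refuse.
SESSION = [
    "EHLO mail.example.test",
    "HELO mail.example.test",
    "VRFY root",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: test",
    "",
    "VRFY not a command here, just body text",
    ".",
    "EXPN staff",
    "QUIT",
]

if __name__ == "__main__":
    fwd, rej = filter_session(SESSION)
    print("forwarded:", len(fwd), "lines; rejected verbs:", rej)
```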
Q&A
As mentioned in the Introduction, the questions in this book are more difficult than what you should experience on the exam. The questions do not attempt to cover more breadth or depth than the exam; however, they are designed to make sure that you know the answer. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and then guess. Be sure to use the CD and take the simulated exams.
The answers to these questions can be found in Appendix A.
1. What does the Flood Defender feature on the PIX Firewall do?
A. It prevents the PIX from being flooded with water.
B. It protects the inside network from being engulfed by rain.
C. It protects against SYN flood attacks.
D. It protects against AAA attacks.
2. What PIX feature mitigates a DoS attack that uses an incomplete IP datagram?
A. Floodguard
B. Incomplete guard
C. Fragguard
D. Mail Guard
3. Which of the following multimedia application(s) is/are supported by the PIX Firewall?
A. CuSeeMe
B. VDOLive
C. Netmeeting
D. Internet Video Phone
E. All of the above
4. What is the default port that PIX inspects for H.323 traffic?
A. 1628
B. 1722
C. 1720
D. 1408
5. How do you enable the Mail Guard feature on the PIX?
A. mail guard on
B. enable mail guard
C. fixup protocol mailguard
D. fixup protocol smtp
6. Which of the following describes how the Mail Guard works on the PIX Firewall?
A. It lets all mail in except for mail described by an access list.
B. It restricts SMTP requests to seven commands.
C. It revokes mail messages that contain attacks.
D. It performs virus checks on each mail message.
7. Which of the following statements about DNS Guard are true?
A. It is disabled by default.
B. It allows only a single DNS response for outgoing requests.
C. It monitors the DNS servers for suspicious activities.
D. It is enabled by default.
8. Which of the following are PIX Firewall attack mitigation features?
A. DNS Guard
B. Floodgate Guard
C. Mail Guard
D. Webguard
9. What command enables the PIX Firewall IDS feature?
A. ids enable
B. ip audit
C. ip ids audit
D. audit ip ids
10. What is the default action of the PIX IDS feature?
A. Nothing
B. Drop
C. Alarm
D. Reset
11. What does the reset action do in the PIX Firewall IDS configuration?
A. Warns the source of the offending packet before it drops the packet.
B. Drops the offending packet and closes the connection if it is part of an active connection with a TCP RST.
C. Waits 2000 offending packets and then permanently bans the connection to the source host.
D. Reports the incident to the syslog server and waits for more offending packets from the same source to arrive.
12. Which of the following is true of the ip verify reverse-path command?
A. It provides both ingress and egress filtering.
B. It is disabled by default.
C. It is very complicated to configure.
D. It works only with the PIX 520 model.