Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf

Appendix A

Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

Chapter 1

Q&A

1 True or false: Network security means locking your computer in a filing cabinet.

Answer: False

2 What is the goal of a reconnaissance attack?

Answer: To determine what vulnerabilities can be exploited

3 True or false: A horizontal scan affects more hosts on a network than a vertical scan.

Answer: True. A horizontal scan scans all hosts across a specific network segment for a specific service (port). A vertical scan scans a specific host for a number of services.

4 True or false: To secure your network, you only need to install a firewall.

Answer: False. A firewall provides perimeter security, which is a piece of the puzzle. To secure the network, you need to implement security in depth.

5 What is the difference between a security policy and a security process?

Answer: The security policy is a written policy that spells out how security is implemented within a company. The security process is a four-step process that ensures that the security policy is constantly being improved.

Chapter 2

"Do I Know This Already?" Quiz

1 What are the three basic firewall technologies?

Answer: Packet filtering, proxy, stateful inspection

2 Of the three firewall technologies, which one generates a separate connection on behalf of the requestor and usually operates at the upper layers of the OSI model?

Answer: Proxy firewalls generate a new connection on behalf of the requestor and operate at the upper layers of the OSI model.

3 Which firewall technology is commonly implemented on a router?

Answer: The technology commonly applied to routers is packet filtering.

4 What items does a packet filter look at to determine whether to allow the traffic?

Answer: Source address/port, destination address/port, protocol

5 What firewall technology does the Cisco PIX Firewall use?

A Proxy filtering

B Packet filtering

C Stateful inspection

D Proxy inspection

Answer: C

6 What are the advantages of the Cisco PIX Firewall over competing firewall products?

Answer: A single embedded operating environment, the Adaptive Security Algorithm, cut-through proxy, redundancy

7 How many PIX firewalls can you operate in a high-availability cluster?

Answer: The Cisco PIX Firewall can operate as a high-availability pair (two systems).

8 What is the ASA, and how does the Cisco PIX Firewall use it?

Answer: The Adaptive Security Algorithm is what the PIX uses to perform stateful inspection. It not only tracks the session information in the state table, but also randomly generates TCP sequence numbers to ensure that a session cannot be hijacked.

9 Why is cut-through proxy more efficient than traditional proxy?

Answer: Cut-through proxy is a feature that the Cisco PIX Firewall uses to authenticate and authorize a user before opening his or her connection. Cut-through proxy uses the ASA to track session information but does not perform any proxy services. This greatly increases the firewall's performance as compared to traditional proxy firewalls.

Q&A

1 True or false: Packet filtering can be configured on Cisco routers.

Answer: True

2 What design feature allows the Cisco Secure PIX Firewall to outperform conventional application firewalls?

A The Packet Selectivity Algorithm

B Super-packet filtering

C A single embedded operating environment

D Hot standby proxy processing

Answer: C

3 True or false: Cut-through proxy technology allows users to do anything they want after authenticating at the firewall.

Answer: False

4 What steps are required to add an ARP entry to a Cisco PIX Firewall?

A Edit the /etc/interfaces/outside/arp.conf file.

B You don't need to add an ARP entry on a PIX Firewall.

C Add the ARP entry using the GUI interface.

D Use the set arp command in interface config mode.

Answer: B

5 True or false: There is no limit on the number of connections an application proxy firewall can handle.

Answer: False

6 True or false: The Adaptive Security Algorithm requires a tremendous amount of processing by the firewall. Even though it is not very efficient, the PIX can handle it.

Answer: False

7 True or false: Redundancy allows you to configure two or more PIX firewalls in a cluster to protect critical systems.

Answer: False

Chapter 3

"Do I Know This Already?" Quiz

1 What is the ASA, and how does the Cisco PIX Firewall use it?

Answer: The Adaptive Security Algorithm is what the PIX uses to perform stateful inspection. It not only tracks the session information in the state table, but also randomly generates TCP sequence numbers to ensure that a session cannot be hijacked.

2 What three authentication methods can the PIX Firewall use when performing cut-through proxy?

Answer: Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS+), or a local user database on the PIX itself. Note that the local user database is a feature that became available with OS version 6.2.

3 Why does the ASA generate random TCP sequence numbers?

Answer: Because it makes it extremely difficult for a potential attacker to predict the initial sequence number when attempting to hijack a TCP session.

4 If a user has successfully authenticated but cannot establish a connection to the server, what is most likely the problem?

Answer: The user is not authorized to access that server.

5 What is the best way to remove the ASA from a PIX Firewall?

Answer: The ASA is part of the embedded operating environment. It cannot be removed from the PIX.

6 What components of a TCP session does the ASA write to the state table?

Answer: Source and destination addresses, source and destination port numbers, TCP sequencing information, additional TCP/UDP flags

7 What can cause a session object to be deleted from the state table?

Answer: The connection is not authorized by the security policy, the connection is completed (the session has ended), or the session has timed out.

8 What are the three ways to initiate a cut-through proxy session?

Answer: HTTP, FTP, Telnet

9 What happens to a reply that does not have the correct TCP sequence number?

Answer: The firewall drops it.

10 How many interfaces does a PIX 501 have, and how many network segments does it support?

Answer: The PIX 501 has five Ethernet interfaces but supports only two segments (inside and outside).

11 What X509 certificates do all PIX firewalls support?

Answer:

Entrust Technologies, Inc.—Entrust/PKI 4.0

Microsoft Corporation—Windows 2000 Certificate Server 5.0

VeriSign—Onsite 4.5

Baltimore Technologies—UniCERT 3.05

12 What is the maximum throughput of the PIX 535?

Answer: 1 Gbps

13 How many interfaces can you install in a PIX 515?

Answer: Six

14 What is the lowest model number of the PIX Firewall family to support failover?

Answer: PIX 515

15 What are three methods of managing a Cisco PIX Firewall?

Answer: Command-line interface (CLI), PIX Device Manager (PDM), Cisco Secure Policy Manager

Q&A

1 List four advantages of ASA.

Answer:

It is more secure than packet filtering.

It is more efficient than proxy services.

It can guard against session hijacking.

It is part of the embedded PIX operating environment.

2 What are the three firewall technologies?

A Packet filtering, proxy, connection dropping

B Stateful inspection, packet filtering, proxy