Term
What are the characteristics of DMZ?
What are the 4 general types/configurations? |
|
Definition
Demilitarized Zone - segregated from the rest of the network due to the nature of the devices in it (public access servers).
1. 3-legged FW
2. DMZ outside FW between public network & FW
3. DMZ outside FW, not on path between public network & FW. AKA "Dirty DMZ"
4. Between two stacked FW |
|
|
Term
What is the purpose of a bastion host? |
|
Definition
Server / perimeter device exposed to public network and thus strengthened against attack. |
|
|
Term
What is the range of values for trust on a PIX firewall interface and their relative level of trust?
What is the default level of trust? |
|
Definition
0-100
where 0 is untrusted and 100 is most trusted
Default is 100 |
|
|
Term
What are the characteristics of a proxy server?
(purpose, transport, transparency) |
|
Definition
Examines packets at application layer.
Intercepts and performs functions for applications inside.
Not transparent to end users |
|
|
Term
How does PIX ASA treat TCP connections?
(for integrity, preventing TCP hijacking, SYN floods) |
|
Definition
Tracks each session and only allows packets conforming to the correct state of the connection.
Calculates a more random initial sequence number (ISN) and stores the difference from the original ISN of the inside application to prevent TCP hijacking.
Tracks SYN requests and limits half-open connections to prevent SYN floods. |
|
|
Term
How does PIX ASA treat UDP connections? |
|
Definition
Tracks session based on timer.
On new sessions, creates a connection slot with src/dst IP & port and an idle timer. Traffic is allowed on the connection until the timer ends. |
|
|
Term
What is the default treatment of ICMP requests by PIX/ASA? |
|
Definition
All ICMP requests through PIX (dynamic translation slots) are denied.
Requests to PIX static translation slots are answered by PIX itself.
|
|
|
Term
What are the basic steps outgoing traffic must go through when arriving at the inside interface of a PIX? |
|
Definition
1. Verifies if traffic is permitted.
2. Check if the connection already exists. If not, create a translation slot (xlate) for the new connection.
3. NAT (PAT) translation
|
|
|
Term
What are the basic steps incoming traffic must go through when arriving at the outside interface of a PIX? |
|
Definition
1. Pass the ASA criteria (check for existing connection, check against various rules, etc)
2. NAT occurs |
|
|
Term
What are the characteristics of URL filtering? |
|
Definition
Inspect HTTP header and filter URL, ActiveX, Java applets (from untrusted sources) |
|
|
Term
How does ActiveX filtering work?
How does Java filtering work? |
|
Definition
ActiveX: Looks for <OBJECT ID> </OBJECT> in HTML header tags
Java: Looks for <applet> </applet> with CAFEBABE header in HTML tags
Checks for matches against the untrusted list, and replaces them with comment tags <!-- and --> |
|
|
Term
Which layers does CBAC inspection apply to?
For which protocols can CBAC filter invalid commands? |
|
Definition
Transport layer
Application layer for specific protocols (cuseeme, ftp, h323, MS netshow, rcmd, smtp, sqlnet, streamworks, tftp, vdolive)
Can filter SMTP & FTP commands |
|
|
Term
What are the three thresholds for CBAC? |
|
Definition
Total number of half-open TCP/UDP connections allowed
Number of half-open sessions allowed over a time interval
Number of half-open sessions allowed per host |
|
|
Term
How does IOS FW handle fragments? |
|
Definition
IOS FW does not do reassembly at all.
Initial fragment is checked at the transport layer; it must pass for subsequent fragments to pass
Non-initial fragments are inspected at the IP layer (also for length and offset)
All out-of-sequence fragments are dropped |
|
|
Term
How does CBAC treat ICMP?
IPSec? |
|
Definition
All forms of ICMP are dropped.
IPSec (and all encrypted) packets are not inspected. |
|
|
Term
What kind of redundancy/failover do PIX/ASA and IOS FW offer respectively? |
|
Definition
IOS FW - no redundancy
PIX - stateful redundancy in 2 modes:
1. Active/Standby - only one ASA box passing traffic
2. Active/Active - failover occurs for failover groups (composed of a set of contexts); also used for load-balance |
|
|
Term
What is the purpose of the alias feature on PIX? |
|
Definition
Performs NAT on destination IP.
For external DNS to resolve hosts on DMZ. |
|
|
Term
What is the purpose of the Flood Guard feature for PIX?
What is its default state? |
|
Definition
Limits the number of failed AAA authentication attempts
Enabled by default. |
|
|
Term
What is the purpose of the Frag Guard feature for PIX?
(What are the exceptions?) |
|
Definition
Controls tolerance and treatment of fragments.
Does not apply for ICMP (always fully reassembled) |
|
|
Term
What is the purpose of mailguard feature for PIX?
How does it work? |
|
Definition
Restricts incoming SMTP messages.
Allows only HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT commands to be sent to mail server on inside.
All other commands are intercepted and returned OK. |
|
|
Term
What is the purpose of PAM? Where is it found? |
|
Definition
Port Adapter Module on CBAC/IOS FW
Security server feature that allows customized TCP or UDP port numbers for network services |
|
|
Term
What are the characteristics of single/multiple security contexts for ASA?
How are they configured? |
|
Definition
single context mode = runs as single FW device
multiple context mode = runs as multiple virtual FWs
mode [single | multiple] |
|
|
Term
What are the (3) elements involved in multiple security context mode? |
|
Definition
system config - console login state; contains basic settings and list of contexts
admin context - has full admin access to all contexts; contains network interfaces for system config
security context config - each context has a cfg on flash; contains own policies, (sub)interfaces, config |
|
|
Term
What features are supported / not supported in multiple security context mode for ASA? |
|
Definition
supported: routing table, FW features, IPS features, management
not supported: VPN, dynamic routing, multicast |
|
|
Term
What are the options to set TCP connection thresholds in static NAT config on the PIX/ASA (and FWSM)? |
|
Definition
static (real_ifc,mapped_ifc) ... tcp <max_conns> <emb_lim> ...
max_conns - maximum number of simultaneous TCP connections for the entire subnet (default 0/unlimited)
emb_lim - maximum allowed half-open (embryonic) TCP connections (default 0/unlimited) |
|
|
Term
How do PIX/ASA firewalls process multicast?
What configurations are required? |
|
Definition
PIX/ASA 7.x and above support PIM sparse mode & bi-directional dynamic multicast routing
Configuration:
multicast-routing
-- enables IGMP & PIM on all interfaces
mroute <ip> <mask> outside
-- static multicast route, so packets are not dropped when no reverse route is found |
|
|
Term
What configurations are required on a PIX/ASA to allow BGP to operate through it? |
|
Definition
Allow TCP 169
Static NAT mapping to allow outside routers to initiate BGP session with inside routers
(No NAT translation for inside to outside)
|
|
|
Term
What are the effects of enabling nat control on ASA? |
|
Definition
all packets from the inside to the outside interface MUST match a NAT rule
if dynamic NAT/PAT is configured, all packets from outside to inside or between same-security-level interfaces must match a NAT rule
(if no dynamic NAT/PAT, NAT not required)
static NAT exempted/not affected |
|
|
Term
What are the three ways to bypass NAT (control) on ASA and what are their CLI commands? |
|
Definition
1. Identity NAT: "nat 0 ..."
2. Static identity NAT: "static ..."
3. NAT exemption: "nat 0 access-list ..." |
|
|
Term
What are the attributes of zones & zone pairs on zone-based firewalls? |
|
Definition
Default "self" zone for traffic to/from the router itself
Logical interfaces must be explicitly assigned to an existing zone, and can each only belong to one zone
Zone pairs consist of a source zone, a destination zone, and the policy applied to traffic between them. By default, traffic between different zones is implicitly blocked |
|
|