PIX 防火墙 安全认证疑问解答

1 What is the ASA, and how does the Cisco PIX Firewall use it?
Answer: The Adaptive Security Algorithm is what the PIX uses to perform
stateful inspection. It not only tracks the session information in the state table,
but also randomly generates TCP sequence numbers to ensure that a session
cannot be hijacked.
 
2 What three authentication methods can the PIX Firewall use when performing cutthrough proxy?
Answer: Remote Authentication Dial-In User Service (RADIUS), Terminal
Access Controller Access Control System (TACACS+), or a local user database
on the PIX itself. Note that the local user database is a feature that became
available with OS version 6.2.

3 Why does the ASA generate random TCP sequence numbers?
Answer: Because it makes it extremely difficult for a potential attacker to
predict the initial sequence number when attempting to hijack a TCP session.

4 If a user has successfully authenticated but cannot establish a connection to the server, what is most likely the problem?
Answer: The user is not authorized to access that server.

5 What is the best way to remove the ASA from a PIX Firewall?
Answer: The ASA is part of the embedded operating environment. It cannot be
removed from the PIX.

6 What components of a TCP session does the ASA write to the state table?
Answer: Source and destination addresses, source and destination port
numbers, TCP sequencing information, additional TCP/UDP flags

7 What can cause a session object to be deleted from the state table?
Answer: The connection is not authorized by the security policy, the connection
is completed (the session has ended), or the session has timed out

8 What are the three ways to initiate a cut-through proxy session?
Answer: HTTP, FTP, Telnet

9 What happens to a reply that does not have the correct TCP sequence number?
Answer: The firewall drops it.

10 How many interfaces does a PIX 501 have, and how many network segments does it support?
Answer: The PIX 501 has five Ethernet interfaces but supports only two
segments (inside and outside).

11 What X509 certificates do all PIX firewalls support?
Answer:
Entrust Technologies, Inc.—Entrust/PKI 4.0
Microsoft Corporation—Windows 2000 Certificate Server 5.0
VeriSign—Onsite 4.5
Baltimore Technologies—UniCERT 3.05

12 What is the maximum throughput of the PIX 535?
Answer: 1 Gbps

13 How many interfaces can you install in a PIX 515?
Answer: Six

14 What is the lowest model number of the PIX Firewall family to support failover?
Answer: PIX 515

15 What are three methods of managing a Cisco PIX Firewall?
Answer: Command-line interface (CLI), PIX Device Manager (PDM), Cisco

16 Which of the following nat commands is/are correct?
A LabPIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0
B LabPIX(config)# nat (inside) 1 0.0
C LabPIX(config)# nat (inside) 1 0 0
D A and B
E A and C
F All of the above
Answer: E

17 When would you want to configure NAT and PAT for the same inside segment?
Answer: When you have more users than addresses in your global pool.

18 What is RFC 1918?
Answer: It sets aside IP addresses for private networks.

19 True or false: By default, an embryonic connection terminates after 2 minutes.
Answer: False. The default timeout for an embryonic connection is unlimited.

20 What command shows all active TCP connections on the PIX?
Answer: show conn

21 Why is there an id field in the nat command?
Answer: So that the PIX can tell what nat statement applies to what global
statement.

21 How do you access privileged mode?
Answer: Enter enable and the enable password.

22 What is the function of the nameif command?
Answer: You use it to name a Cisco PIX Firewall interface and assign a security
level.

23 What six commands produce a basic working configuration for a Cisco PIX Firewall? 

Answer: nameif, interface, ip address, nat, global, route

24 Why is the route command important?
Answer: It tells the PIX where to send packets. It is important especially because
it is used to create the default route.

25 What is the command to flush out the ARP cache on a Cisco PIX Firewall?
Answer: clear arp

26 True or false: It is possible to configure the outside interface on a Cisco PIX Firewall to accept DHCP requests.
Answer: False. Only the inside interface can be configured to accept DHCP
requests and assign IP addresses.

27 What type of environment uses the PIX DHCP client feature?
Answer: Small office/home office (SOHO)

28 What command releases and renews an IP address on the PIX?
Answer: ip address outside dhcp

29 Give at least one reason why it is beneficial to use NTP on the Cisco PIX Firewall.
Answer: 1. For certificate revocation list (CRL) because it is time-stampsensitive.
2. Troubleshooting events is easier.

30 Why would you want to secure the NTP messages between the Cisco PIX Firewall
and the NTP server?
Answer: To prevent the Cisco PIX Firewall from synchronizing the
unauthorized NTP servers.

31 How do you enable the PIX's Mail Guard feature?
Answer: fixup protocol smtp

32 What is an embryonic connection?
Answer: An embryonic connection is a half-open TCP connection.

33 Which actions are available in the PIX IDS configuration?
Answer: Alarm, drop, reset

34 How does DNS Guard on the Cisco PIX Firewall prevent DoS attacks that exploit DNS?
Answer: The PIX allows only a single DNS response for outgoing DNS requests.
Any other responses are dropped.

35 How does ip verify reverse-path secure the PIX?
Answer: It provides a mechanism for checking source IP addresses before
receiving or sending packets.

36 How does the Mail Guard feature prevent SMTP-related attacks?
Answer: Mail Guard allows only a restricted set of SMTP commands—namely,
HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.

37 What does the Flood Defender feature on the PIX Firewall do?
A It prevents the PIX from being flooded with water.
B It protects the inside network from being engulfed by rain.
C It protects against SYN flood attacks.
D It protects against AAA attacks.
Answer: C

38What PIX feature mitigates a DoS attack that uses an incomplete IP datagram?
A Floodguard
B Incomplete guard
C Fragguard
D Mail Guard
Answer: C

39 Which of the following multimedia application(s) is/are supported by the PIX
Firewall?
A CuSeeMe
B VDOLive
C Netmeeting
D Internet Video Phone
E All of the above
Answer: E

40 What is the default port that PIX inspects for H.323 traffic?
A 1628
B 1722
C 1720
D D.1408
Answer: C

41 How do you enable the Mail Guard feature on the PIX?
A mail guard on
B enable mail guard
C fixup protocol mailguard
D fixup protocol smtp
Answer: D

42 Which of the following describes how the Mail Guard works on the PIX Firewall?
A It lets all mail in except for mail described by an access list.
B It restricts SMTP requests to seven commands.
C It revokes mail messages that contain attacks.
D It performs virus checks on each mail message.
Answer: B

43 Which of the following statements about DNS Guard are true?
A It is disabled by default.
B It allows only a single DNS response for outgoing requests.
C It monitors the DNS servers for suspicious activities.
D It is enabled by default.
Answer: B, D

44 Which of the following are PIX Firewall attack mitigation features?
A DNS Guard
B Floodgate Guard
C Mail Guard
D Webguard
Answer: A, C

45 What command enables the PIX Firewall IDS feature?
A ids enable
B ip audit
C ip ids audit
D audit ip ids
Answer: B

46 What is the default action of the PIX IDS feature?
A Nothing
B Drop
C Alarm
D Reset
Answer: C

47 What does the reset action do in the PIX Firewall IDS configuration?
A Warns the source of the offending packet before it drops the packet.
B Drops the offending packet and closes the connection if it is part of an active
connection with a TCP RST.
C Waits 2000 offending packets and then permanently bans the connection to the
source host.
D Reports the incident to the syslog server and waits for more offending packets
from the same source to arrive.
Answer: B

48 Which of the following is true of the ip verify reverse-path command?
A It provides both ingress and egress filtering.
B It is disabled by default.
C It is very complicated to configure.
D It works only with the PIX 520 model.
Answer: A

other:-------------------------------------------------------

    1， www.space-power.info
> 
>  2, www.space-power.cn
> 
> 3, www.globe-power.com
> 
>  4, www.global-hawk.info
> 
>  5, www.global-dove.com
> 
>  6, www.globe-eye.net
> 
>  7, www.speed-spread.com
> 
>  8, www.powerspread.net

           有需要以上域名，请联系我：  bruce_ibm@hotmail.com

           if U need these Domain ,pls contact me:  bruce_ibm@hotmail.com

 

©著作权归作者所有：来自51CTO博客作者ibmbruce的原创作品，如需转载，请注明出处，否则将追究法律责任

防火墙 PIX 休闲

0

分享

微博 QQ 微信

收藏

上一篇：IT不是技术，IT是一个世界 下一篇：企业信息安全策略

ibmbruce

137篇文章，25W+人气，0粉丝

Ctrl+Enter 发布

发布

取消

猜你喜欢

我的友情链接 国际DR医疗影像巨头剑指DR低端市场 SoftEther 突破防火墙 向Kubernetes集群添加／删除Node 利open×××自带的http-proxy突破防火墙的封锁 华为USG防火墙恢复密码步骤 谈谈网站防盗链 Java线程：线程的调度-休眠 practice：在win2008R2上使用（NLB）网络负载均衡 ROS配置的导出/导入、系统的备份/恢复 linux的/etc/sysconfig/下找不到iptables文件 细说firewalld和iptables bartender 9.4 错误消息6670 无法链接到数据库的解决办法 中控考勤机二次开发小记 智能车间规划和实施建议 一位架构师用服务打动客户的故事 【51CTO学院】预热4周年庆，福利领领领！！！ iscsi工作原理 案例 - 一个IP切换引发的数据不一致 Iptables防火墙

扫一扫,领取大礼包

0

分享

ibmbruce

转载于:https://blog.51cto.com/brucewong/166376