Abstract
This Study Guide will begin to guide you in preparing for the Cisco PIX Firewall
Fundamentals exam. This exam is part of a series of exams you will need to take to achieve
the Security Specialist designation from Cisco.
What to Know
What you need to know to be successful in obtaining the Security Designation:
Go over the necessary steps to obtaining the certification and what your path will be
through the entire process; this will make your studying easier.
You need a basic understanding of TCP/IP and a Valid CCNA
Then to obtain the Security Specialist Designation take the following exams:
640-442 MCNS    Managing Cisco Network Security (MCNS)
9E0-571 CSPFA   Cisco Secure PIX Firewall Advanced (CSPFA)
                (See also the prerequisite course Cisco Secure PIX Firewall Fundamentals, CSPFF)
9E0-558 CSIDS   Cisco Secure Intrusion Detection System (CSIDS)
9E0-570 CSVPN   Cisco Secure VPN (CSVPN)
Note: Please take note of where the PIX Fundamentals exam sits in the line-up.
Study Tips
Do not take this test lightly. The test covers a lot of information, mainly on HOW TO
configure something. Use this study guide to get the main idea of each topic and then
use the online resources to go through all the configs to familiarize yourself with
HOW TO set these configs up.
You need to be a CCNA prior to starting this track. The track is for the Security
Specialist designation. The designation is passing 4 out of 5 different exams. This
guide is half of the PIX firewall track. You can take the first exam but the second
exam for the Advanced track counts for credit. All the information from the
Fundamentals track is a prerequisite for the advanced track. Use them both to pass
the last exam.
You no longer have to be a CCNP for this (the CCNP+Security track will be
discontinued this year), but you MUST have your CCNA.
Make sure you use the links provided to aid your studies. Like most of Cisco's tests, a
lot of the information to study from is free and available on their web site. Use this
guide as a supplement to aid your studies.
Go through the above information and it should be all you need. Hands-on
experience will make the above information stick better and you will understand it
more thoroughly.
PIX Fundamentals
PIX Firewall
The PIX Firewall can protect one or more networks from an outer,
unprotected network
Connections between the networks can all be controlled by the PIX Firewall
Within this architecture, the PIX Firewall forms the boundary between the
protected networks and the unprotected networks
All traffic between the protected and unprotected networks must flow through
the firewall to maintain security
PIX Firewall lets you locate servers such as those for web access, SNMP,
electronic mail (SMTP) in the protected network and control who on the
outside can access these servers
The PIX Firewall also lets you implement your security policies for connection
to and from the inside network
[Diagram: the Internet connected through segments 1, 2 and 3, described below]
In this diagram we can see the 3 major portions of a DMZ setup:
1. The outside filtering router with the Firewall feature set on it. This is generally
used to connect your company to the Internet, and major filtering goes on at
this point.
2. As you come into the DMZ, we see the first segment, and that's where your DNS,
FTP and web servers sit. This is an isolated segment. After this segment, we
go through a set of PIX firewalls set up in a failover configuration with a failover cable
in between them.
3. This is your internal network and anything can be here. You could put another
firewall or nothing at all. This is where your protected network lies and all your
clients should be located here.
Note: This is very flexible and every setup will be different based on what you
need to implement. This is just a common setup.
If not, then the packet is for a new connection, and PIX Firewall creates a
translation slot in its state table for the connection
The information that PIX Firewall stores in the translation slot includes the
inside IP address and a globally unique IP address assigned by Network
Address Translation (NAT), Port Address Translation (PAT), or Identity (which
uses the inside address as the outside address)
The PIX Firewall then changes the packet's source IP address to the globally
unique address, modifies the checksum and other fields as required, and
forwards the packet to the lower security level interface
If the packet passes the security tests, the PIX Firewall removes the
destination IP address, and the internal IP address is inserted in its place. The
packet is forwarded to the protected interface
The PIX Firewall permits all outbound connections from the protected
networks to the unprotected networks, and rejects any connections inbound
from the unprotected network
Memory    Connections
16 MB     32,768
32 MB     65,536
128 MB
Access Lists
Can control which inside systems can establish connections to the outside
network
The default security policy can be modified to be consistent with the site
security policy by limiting outgoing connections based on inside source
address, outside destination address, or protocol
Configure access lists carefully if your security policy limits outgoing
connections
ActiveX Blocking
Conduits
Conduits allow connections from the outside network to the inside network.
Failover
PIX Firewall failover allows you to configure two PIX Firewall units in a fully
redundant topology to provide fault tolerance
Both PIX Firewall units must be configured identically; failover does not
provide stateful redundancy. You need to set up specific cabling to provide
this failover as well
Java Filtering
Java applets are executable programs and can provide a vehicle through
which an inside system can be invaded. These attacks are VERY common and
any firewall implementation should provide applet blocking
Mail Guard
Provides a safe conduit for Simple Mail Transfer Protocol (SMTP) connections
from the outside to an inside electronic mail server
Allows a single mail server to be deployed within the internal network without
it being exposed to known security problems
Avoids the need for an external mail relay system (this is very cool!)
Enforces a safe minimal set of SMTP commands to avoid an SMTP server
system being compromised
Also logs all SMTP connections, which is a big plus
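To show what "enforcing a safe minimal set of SMTP commands" means in practice, here is a toy filter in the spirit of Mail Guard, added to this guide and not Cisco code. The allowed set is an assumption (the page does not list it): the seven commands RFC 821 names as the minimum implementation.

```python
# Toy Mail Guard-style SMTP command filter. Added example, not Cisco code.
# ALLOWED is an assumption: the seven RFC 821 minimum-implementation commands.
from typing import List, Tuple

ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def filter_smtp(client_stream: bytes) -> Tuple[bytes, List[str]]:
    """Forward only allowed SMTP commands to the inside mail server.

    Returns (bytes forwarded to the server, log entries for blocked verbs).
    Message body lines after DATA, up to the lone '.', are not commands and
    pass through untouched, so the filter only inspects the command phase.
    """
    forwarded, log = bytearray(), []
    in_data = False
    for raw in client_stream.split(b"\r\n"):
        if not raw:
            continue
        if in_data:
            forwarded += raw + b"\r\n"
            if raw == b".":          # end of message body
                in_data = False
            continue
        verb = raw.split(b" ", 1)[0].upper().decode("ascii", "replace")
        if verb in ALLOWED:
            forwarded += raw + b"\r\n"
            if verb == "DATA":
                in_data = True
        else:
            # Anything outside the minimal set is dropped and logged, which is
            # how the firewall keeps the inside server's wider command surface
            # from being reachable at all.
            log.append(f"blocked SMTP command: {verb}")
    return bytes(forwarded), log


if __name__ == "__main__":
    # Constructed client session: two verbs outside the minimal set.
    session = (b"HELO host.example\r\nMAIL FROM:<a@example.net>\r\n"
               b"RCPT TO:<b@example.org>\r\nEXPN staff\r\nDATA\r\n"
               b"VRFY root\r\n.\r\nQUIT\r\n")
    fwd, entries = filter_smtp(session)
    print(fwd.decode(), entries)
```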
Multiple Interfaces
Additional network interfaces can be added to the PIX Firewall and this is
common with any firewall setup. You want multiple Ethernet interfaces so you
can separate many different segments
PIX Firewall supports up to six interfaces, four of which are on the optional 4-port Ethernet card
Can provide a mixed Token Ring and Ethernet environment
Each interface has a unique security level that you specify with the
nameif command in your configuration:
The inside is always the highest at level 100 and the outside is
always 0
The perimeter interfaces can have a unique number between 1
and 99
If you set the perimeter interfaces to the same security level, the
two interfaces are completely isolated from each other, but each
could access the inside and outside interfaces
Locate servers on the lowest security level perimeter interface,
because if compromised, the attacker could only easily attack an
interface with a lower security level, the outside
The only exception to putting servers on the lowest perimeter
interface is the TFTP server from which you download configurations;
it must be on the inside interface
With these conditions and the needs of your security policy, you can decide
which network to connect to each interface
Network Address Translation
For inside systems, translates the source IP address of outgoing packets per
RFC 1631
Syslog Server
Provides a syslog server for use on a Windows NT system that accepts TCP and
UDP syslog messages from the PIX Firewall
The syslog server can provide time-stamped syslog messages, accept messages
on alternate ports, and be configured to stop PIX Firewall traffic if messages
cannot be received
Can stop PIX Firewall connections if the Windows NT syslog server's log disk fills or
the server goes down
URL Filtering
The PIX Firewall URL filtering is provided in partnership with the NetPartners
WebSENSE product. PIX Firewall checks outgoing URL requests with the policy
defined on the WebSENSE server, which runs either on Windows NT or UNIX
Security Policy
The PIX Firewall separates the details of implementing a security policy from
providing network services such as Web, FTP, Telnet, and SMTP
A security policy provides:
o Much better scalability and performance
The PIX Firewall is dedicated to the security role and does not
incur the substantial overhead required to offer server
connections
o Greater security
Unless configured to do so, the PIX Firewall does not accept
connections from the outside network and is implemented using
a proprietary embedded system, rather than the full operating
system necessary to support server applications
o Reduced complexity
Each device performs a dedicated function
You should back up your configuration to both Flash memory and diskette
after making changes to the configuration
Flash memory is a special type of memory card that stores images without
the need for a battery or power source to maintain the image
Command          Description
nameif           If you have more than two interfaces, you need to add a nameif
                 command to the configuration for each interface
enable password  Lists the encrypted privileged mode password
passwd           Lists the encrypted password for Telnet access to the PIX Firewall
                 console
hostname         Sets the PIX Firewall system name to "pixfirewall."
                 You can change this name or leave it as is
fixup            Specifies service port numbers at which the PIX Firewall listens
names            Lets you rename IP addresses with names from your native language
                 to add clarity to your configuration
logging
interface
mtu
ip address
failover
Supported Protocols
Terminology
Conduits
DNAT address
Global address
Local address
Protected network
Unprotected network
Translation
The CSPFF 1.1 course is an introductory course for LAN or network administrators. It
introduces the Cisco Secure PIX Firewall and teaches the basic features needed to
get the PIX operational on a production network. Security professionals working at
all levels of the enterprise will gain knowledge from this class.
Course Outline
Last Tips
All you need to know to pass this exam is to have hands on experience if possible
and to read the online documentation at this URL:
Click here
Go through every piece of this documentation!
This is the PIX Firewall documentation on HOW TO set up a PIX firewall from scratch
It goes systematically through everything. There really are no books or study guides
available for this topic, but all you need is on the Cisco Documentation home page.
Make sure you go through the step by step and do the hands on if possible