Friday, June 25, 2010

ASA Interview Question

1. Adaptive Security Algorithm

Adaptive Security Algorithm (ASA) is a Cisco algorithm for managing stateful connections on PIX Firewalls. ASA controls all traffic flowing through the PIX firewall, performs stateful inspection of packets, and creates remembered entries in the connection and translation tables. These entries are referenced every time traffic tries to flow back from a lower security level to a higher security level; if a match is found, the traffic is allowed through. Finally, the ASA provides an extra level of security by randomizing the TCP sequence numbers of outgoing packets, making them more difficult for an attacker to predict.
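The behaviour just described, as an added toy model (not Cisco code): a connection table that is only consulted for traffic returning from a lower to a higher security level, plus a per-flow random shift of the outbound TCP sequence number that is undone on the returning ack. The interface names, security levels and addresses are constructed for the example.

```python
import secrets

# Constructed interface security levels for this toy model (not an ASA config).
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

class ToyStatefulFirewall:
    """Toy model of ASA behaviour: a connection table consulted for traffic
    returning from a lower to a higher security level, plus TCP initial
    sequence number randomization in the outbound direction."""

    def __init__(self):
        # (proto, src, sport, dst, dport) -> random per-flow sequence offset
        self.conn_table = {}

    def process(self, in_if, out_if, proto, src, sport, dst, dport, seq, ack):
        """Return (allowed, seq_out, ack_out) for one packet."""
        key = (proto, src, sport, dst, dport)
        if SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if]:
            # Higher -> lower security: permitted, remembered, and the TCP
            # sequence number is shifted by a random per-flow delta.
            if key not in self.conn_table:
                self.conn_table[key] = secrets.randbelow(2**32) if proto == "tcp" else 0
            delta = self.conn_table[key]
            return True, (seq + delta) % 2**32, ack
        # Lower -> higher security: allowed only as a reply to a remembered flow.
        reverse = (proto, dst, dport, src, sport)
        if reverse not in self.conn_table:
            return False, None, None
        # The outside peer acknowledged the randomized number; undo the shift so
        # the inside host sees an ack matching what it actually sent.
        delta = self.conn_table[reverse]
        return True, seq, (ack - delta) % 2**32

def demo():
    """Outbound SYN, its SYN/ACK reply, and an unsolicited inbound SYN."""
    fw = ToyStatefulFirewall()
    ok1, wire_seq, _ = fw.process("inside", "outside", "tcp",
                                  "10.1.1.5", 40000, "198.51.100.9", 443, 1000, 0)
    ok2, _, inside_ack = fw.process("outside", "inside", "tcp",
                                    "198.51.100.9", 443, "10.1.1.5", 40000, 5000, wire_seq + 1)
    ok3, _, _ = fw.process("outside", "inside", "tcp",
                           "198.51.100.9", 2222, "10.1.1.5", 22, 1, 0)
    return ok1, ok2, inside_ack, ok3

if __name__ == "__main__":
    print(demo())
```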

2. Active FTP vs. Passive FTP, a Definitive Explanation

There are two types of FTP access: user (or authenticated) FTP and anonymous FTP.

User or authenticated FTP:
User FTP requires an account on the server (in general, it is for users who already have accounts on the machine and lets them access any files they could access if they were logged in).

Anonymous FTP:
Anonymous FTP is for people who don't have an account and is used to provide access to specific files to the world at large.

FTP uses two separate TCP connections: one to carry commands and results between the client and the server (commonly called the command channel), and the other to carry any actual files and directory listings transferred (the data channel).

Normal Mode or Active Mode

To start an FTP session in normal mode, a client first allocates two TCP ports for itself, each of them with a port number above 1024. It uses the first to open the command channel connection to the server and then issues FTP's PORT command to tell the server the number of the second port, which the client wants to use for the data channel. The server then opens the data channel connection. This data channel connection is backwards from most protocols, which open connections from the client to the server.

This backwards open complicates things for sites that are attempting to do start-of-connection packet filtering to ensure that all TCP connections are initiated from the inside, because external FTP servers will attempt to initiate data connections to internal clients, in response to command connections opened from those internal clients. Furthermore, these connections will be going to ports known to be in an unsafe range.


Figure 17.1. A normal-mode FTP connection


Passive Mode

To start a connection in passive mode, an FTP client allocates two TCP ports for its own use and uses the first port to contact the FTP server, just as when using normal mode. However, instead of issuing the PORT command to tell the server the client's second port, the client issues the PASV command. This causes the server to allocate a second port of its own for the data channel (for architectural reasons, servers use random ports above 1023 for this, not port 20 as in normal mode; you couldn't have two servers on the same machine simultaneously listening for incoming PASV-mode data connections on port 20) and tell the client the number of that port. The client then opens the data connection from its port to the data port the server has just told it about.

Figure 17.2 shows a passive-mode FTP connection.

Passive mode is useful because it allows you to avoid start-of-connection filtering problems. In passive mode, all connections will be opened from the inside, by the client.

(Or)

In passive mode, only the server is required to open up ports for incoming traffic.
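The two modes above differ in which side opens the data channel, and a packet filter needs to know that. As an added example (not from the original page), this decodes the h1,h2,h3,h4,p1,p2 form carried by the client's PORT command and by the server's 227 reply to PASV, and reports who opens the data connection; the two control-channel lines are constructed samples.

```python
import re

# Constructed sample control-channel lines (not captures from the original page).
ACTIVE_PORT_CMD = "PORT 10,0,0,5,4,1"                             # client -> server
PASSIVE_REPLY = "227 Entering Passive Mode (203,0,113,7,195,80)"  # server -> client

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(line):
    """Decode the h1,h2,h3,h4,p1,p2 encoding shared by PORT and the 227 reply.
    Returns (ip, port); the port is p1*256 + p2."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no host/port tuple in %r" % line)
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("octet out of range in %r" % line)
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def data_channel(mode, line):
    """Work out who opens the data connection and where it goes, which is what
    a start-of-connection packet filter in front of the client needs to know."""
    ip, port = decode_hostport(line)
    if port <= 1023:
        # Both sides are expected to pick a data port above 1023.
        raise ValueError("data port %d is not above 1023" % port)
    if mode == "active":
        # Client sent PORT: the server connects from port 20 back to the client.
        return {"opened_by": "server", "dst": (ip, port), "inbound_to_client": True}
    if mode == "passive":
        # Server answered PASV: the client connects out to the server's data port.
        return {"opened_by": "client", "dst": (ip, port), "inbound_to_client": False}
    raise ValueError("unknown mode %r" % mode)

if __name__ == "__main__":
    print(data_channel("active", ACTIVE_PORT_CMD))
    print(data_channel("passive", PASSIVE_REPLY))
```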



3. How do the Traceroute and Ping commands work?

Ping:

Ping relies on the ICMP protocol, which is used to diagnose transmission conditions. For this reason, it uses two types of protocol messages (out of the 18 offered by ICMP):

• Type 0, which corresponds to an "echo request" command, sent by the source machine;
• Type 8, which corresponds to an "echo reply" command, sent by the target machine.

At regular intervals (by default, every second), the source machine (the one running the ping command) sends an "echo request" to the target machine. When the "echo reply" packet is received, the source machine displays a line containing certain information. If the reply is not received, a line saying "request timed out" will be shown.
(echo = source IP, source MAC address)


Trace Route:

Tracert works by incrementing the TTL value by one for each ICMP Echo Request it sends, then waiting for an ICMP Time Exceeded message. The TTL values of the Tracert packets start with an initial value of one; the TTL of each trace after the first is incremented by one. A packet sent out by Tracert travels one hop further on each successive trip.
Figure 3.2 shows how Tracert works. Tracert is being run on Host A, and is following the path to Host B. At Router 1 and Router 2, the TTL is decremented to 0, causing each router to send an ICMP Time Exceeded message. When the ICMP Echo Request is received at Host B, it sends back an ICMP Echo Reply.

Step-by-Step Operation of the Tracert Tool

Example:
When you execute a traceroute command (i.e. traceroute www.yahoo.com), your machine sends out 3 UDP packets with a TTL (Time-to-Live) of 1. When those packets reach the next-hop router, it decreases the TTL to 0 and thus rejects the packet. It sends an ICMP Time-to-Live Exceeded (Type 11), TTL equal 0 during transit (Code 0) back to your machine, with a source address of itself; therefore you now know the address of the first router in the path.

Next your machine sends 3 UDP packets with a TTL of 2. The first router, which you already know, reduces the TTL by 1 to 1 and passes the packets on to the next router. The next router decreases the TTL to 0, rejects the packet, and sends the same ICMP Time-to-Live Exceeded message with its own address as the source back to your machine. Thus you now know the first 2 routers in the path.

This keeps going until you reach the destination. Since you are sending UDP packets addressed to the host you are interested in, once a packet reaches the destination it tries to connect to the destination port you sent. Since this is an uncommon port, it will most likely be rejected with an ICMP Destination Unreachable (Type 3), Port Unreachable (Code 3). This ICMP message is sent back to your machine, which understands it as the last hop; traceroute then exits, giving you the hops between you and the destination.

The UDP packet is sent from a high port, destined to another high port. On a Linux box, these ports were not the same, although usually in the 33000 range. The source port stayed the same throughout the session; however, the destination port was increased by one for each packet sent out.

One note: traceroute actually sends 1 UDP packet with the current TTL, waits for the returned ICMP message, sends the second UDP packet, waits, sends the third, waits, and so on.

If during the session you receive * * *, this could mean that the router at that point in the path does not return ICMP messages, that it returns messages with a TTL too small to reach your machine, or that it is a router with buggy software. After a * * * within the path, traceroute still increments the TTL by 1 and continues determining the path.
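The UDP traceroute procedure above, as an added simulation (not from the original page): probes carry an increasing TTL, a router that decrements the TTL to 0 answers with ICMP Time Exceeded (Type 11, Code 0) or stays silent (shown as * * *), and the destination answers Port Unreachable (Type 3, Code 3), which ends the trace. The path, addresses and starting port are constructed for the example.

```python
# Constructed path for this model: (router address, does it send ICMP Time Exceeded?)
PATH = [("192.0.2.1", True), ("198.51.100.1", False), ("203.0.113.1", True)]
DESTINATION = "203.0.113.50"
BASE_PORT = 33434  # constructed starting destination port in the 33000 range

def send_probe(ttl, dport):
    """Walk one UDP probe (to destination port dport) along PATH. Returns
    (icmp_type, icmp_code, source) for the ICMP message that comes back,
    or None if nothing is returned. The model's routers ignore dport."""
    for router, responds in PATH:
        ttl -= 1
        if ttl == 0:
            # This router decremented the TTL to 0 and discarded the probe.
            return (11, 0, router) if responds else None
    # The probe survived every hop: the destination has no listener on dport.
    return (3, 3, DESTINATION)

def traceroute(max_hops=30, probes=3):
    """Return [(ttl, address or '* * *')] up to the hop that answered Port Unreachable."""
    hops, dport = [], BASE_PORT
    for ttl in range(1, max_hops + 1):
        replies = []
        for _ in range(probes):
            replies.append(send_probe(ttl, dport))  # one probe at a time, as in the text
            dport += 1                              # destination port grows by one per probe
        answered = [r for r in replies if r is not None]
        hops.append((ttl, answered[0][2] if answered else "* * *"))
        if any(t == 3 and c == 3 for t, c, _ in answered):
            break  # Port Unreachable means the destination itself replied
    return hops

if __name__ == "__main__":
    for ttl, addr in traceroute():
        print(ttl, addr)
```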


4. How many interfaces does an ASA have?

Five interfaces in total: 4 Ethernet interfaces and 1 Ethernet interface for management.

5. What is FWSM?
1. Cisco Firewall Services Module (FWSM)—a high-speed, integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers—provides the fastest firewall data rates in the industry.
2. Up to four FWSMs can be installed in a single chassis.
3. Based on Cisco PIX Firewall technology.
4. The Cisco FWSM includes a number of advanced features that help reduce costs and operational complexity while enabling organizations to manage multiple firewalls from the same management platform. Features such as the resource manager help organizations limit the resources allocated to any security context at any time, ensuring that one security context does not interfere with another. The transparent firewall feature configures the FWSM to act as a Layer 2 bridging firewall, resulting in minimal changes to network topology.



6. Difference between PIX and ASA
Cisco PIX:
• Is a dedicated hardware firewall appliance.
• Acts as a stateful packet filtering firewall.
• Uses the PIX operating system, similar in interface to Cisco IOS.
• Uses PIX Device Manager (PDM) for a graphical interface.
• Provides stateful firewall protection and IP Security (IPSec) VPN capabilities.
• To enforce security, PIX uses the concepts of inside interface, outside interface, etc.
• PIX runs version 6.3.
• Does not support WebVPN.
• Does not support Transparent Firewall, Security Contexts or Modular Policy.
• 16 MB RAM.
Cisco ASA:
• Is a firewall and anti-malware security appliance.
• The Enterprise Editions include four versions: Firewall, IPS, Anti-X, and VPN.
• ASA can also serve as an intrusion prevention system (IPS) and VPN concentrator.
• Also covers new threats to a network like viruses, worms, unwanted applications (e.g., P2P, games, instant messaging), phishing, and application-layer attacks.
• Acts as an “all-in-one” device, or a unified threat management (UTM) device.
• ASA runs version 7.2.
• Supports WebVPN.
• Supports Transparent Firewall, Security Contexts and Modular Policy.
• 64 MB RAM.
7. How does translation happen in ASA (TCP, UDP)?
8. What is Modular Policy?
9. What are the modules available in PIX and ASA?
10. Which IOS versions have you worked with on PIX and ASA?
11. Explain Security Contexts. Explain Active/Standby and Active/Active failover.

12. Explain Dynamic NAT, Static NAT, Identity NAT, Static PAT, Dynamic PAT and Policy-Based NAT.
13. Explain packet filtering, proxy servers and stateful inspection.
14. What is a firewall?
15. How do you force the secondary firewall to become the active firewall? Which command?
16. Static NAT syntax?
17. About SSL VPN?
18. Command to disable anti-spoofing in ASA
19. Types of license in ASA
20. Fail-over commands
21. Explain VPN Phase I and Phase II
22. How many packets are exchanged in Main mode and Aggressive mode?
23. What is PFS?
24. Commands for VPN
25. Command to allow administrative SSH access to the firewall
26. How does fail-over work (mechanism)?
27. How does stateful fail-over work?
28. Examples of packet filtering, proxy server and stateful inspection (router, ISA, Checkpoint)
29. Default security level for inside and outside
30. Which routing protocols does the ASA support?
31. Port numbers for ESP and AH
32. What is the difference between ESP and AH?
33. What is spoofing and what is anti-spoofing?
34. Stateful firewall working architecture.
35. How does the firewall process a packet (rule, route, NAT)?
36. Edit the access-list using the access-list line number.
36. IOS versions of PIX and ASA (6.0, 7.0, and 8.0); major releases are enough.
37. PIX appliance series and ASA appliance series
38. How does a Layer 2 (transparent) firewall work in ASA (FWSM)?
39. Can the ASA do VPN with other vendors' firewalls?
40. Default inspection protocols in ASA?
41. Does it support ISP redundancy? Yes.
42. ICMP mechanism by default in the firewall (high-to-low echo-request allowed).
43. ASA IOS name (Finesse)
44. Integrating with 3rd-party devices
45. Difference between Checkpoint and ASA
46. What is Data Confidentiality?
Data confidentiality: This is done via encryption to protect data from eavesdropping attacks; supported encryption algorithms include DES, 3DES, and AES.
47. What is Data Integrity?
Data integrity and authentication: This is done via HMAC functions to verify that packets haven't been tampered with and are being received from a valid peer; in other words, to prevent a man-in-the-middle or session hijacking attack. Supported HMAC functions include MD5 and SHA-1.
48. Anti-replay
Anti-replay detection: This is done by including encrypted sequence numbers in data packets to ensure that a replay attack doesn't occur from a man-in-the-middle device.
49. Explain Main mode and Aggressive mode in Phase I.
ISAKMP/IKE Phase 1 is basically responsible for setting up the secure management connection. However, there are two modes for performing these three steps:
Main mode and Aggressive mode
Main Mode: Main mode performs three two-way exchanges totaling six packets. The three exchanges are the three steps listed in the last section: negotiate the security policy to use for the management connection, use DH to encrypt the keys for the encryption algorithm and HMAC function negotiated in Step 1, and perform device authentication using either pre-shared keys, RSA encrypted nonces, or RSA signatures (digital certificates).
Main mode has one advantage: the device authentication step occurs across the secure management connection, because this connection was built in the first two steps. Therefore, any identity information that the two peers need to send to each other is protected from eavesdropping attacks. This is the Cisco default mode for site-to-site sessions and for remote access connections that use certificates for device authentication.
Aggressive Mode: In aggressive mode, two exchanges take place. The first exchange contains a list of possible policies to use to protect the management connection, the public key from the public/private key combination created by DH, identity information, and verification of the identity information (for example, a signature). All of this is squeezed into one packet. The second exchange is an acknowledgment of the receipt of the first packet, sharing the encrypted keys (done by DH), and whether or not the management connection has been established successfully.
Aggressive mode has one main advantage over main mode: it is quicker in establishing the secure management connection. However, its downside is that any identity information is sent in clear text; so if someone was eavesdropping on the transmission, they could see the actual identity information used to create the signature for device authentication. This shouldn't be a security issue, but if you are concerned about this, you can always use main mode.
As I mentioned in the last section, main mode is the default mode for Cisco VPNs with one exception: Aggressive mode is the default mode with the Cisco remote access VPN if the devices will be using group pre-shared keys for device authentication.
50. Explain Transport mode and Tunnel mode in Phase II.
Phase 2 Connection Modes
As I mentioned in the last two sections, there are two types of modes that AH and ESP can use to transport protected information to a destination:
Transport mode and Tunnel mode
In transport mode, the real source and destination of the user data are performing the protection service. It becomes more difficult to manage as you add more and more devices using this connection mode. This mode is commonly used between two devices that need to protect specific information, like TFTP transfers of configuration files or syslog transfers of logging messages.
In tunnel mode, intermediate devices (typically) are performing the protection service for the user data. This connection mode is used for site-to-site and remote access connections. Because the original IP packet is protected and embedded in AH/ESP and an outer IP header is added, the internal IP packet can contain private IP addresses. Plus, if you're using ESP for encryption, the real source and destination of the user data is hidden from eavesdroppers. The main advantage of tunnel mode over transport mode is that the protection service function can be centralized on a small number of devices, reducing the amount of configuration and management required. Both of these modes were discussed in detail in Chapter 1, "Overview of VPNs."

51. PPTP?
PPTP: PPTP originally was developed by Microsoft to provide a secure remote access solution where traffic needed to be transported from a client, across a public network, to a Microsoft server (VPN gateway). One of the interesting items about PPTP's implementation is that it is an extension of the Point-to-Point Protocol (PPP). Because PPTP uses PPP, PPTP can leverage PPP's features. For example, PPTP allows the encapsulation of multiple protocols, such as IP, IPX, and NetBEUI, via the VPN tunnel. Also, PPP supports the use of authentication via PAP, CHAP, and MS-CHAP. PPTP can use this to authenticate devices.
52. L2TP?
L2TP: L2TP is a combination of PPTP and L2F. It is defined in RFCs 2661 and 3438. L2TP took the best of both PPTP and L2F and integrated them into a single protocol. Like PPTP, L2TP uses PPP to encapsulate user data, allowing the multiple protocols to be sent across a tunnel. L2TP, like PPTP, extends the PPP protocol. As an additional security enhancement, L2TP can be placed in the payload of an IPsec packet, combining the security advantages of IPsec and the benefits of user authentication, tunnel address assignment and configuration, and multiple protocol support with PPP. This combination is commonly referred to as L2TP over IPsec or L2TP/IPsec. The remainder of this chapter is devoted to an overview of L2TP, how it is implemented, and the advantages it has over PPTP.
