CertCities.com -- The Ultimate Site for Certified IT Professionals
Securing Networks with PIX and ASA (SNPA 642-522)
Cisco's newest version of the PIX exam tests your knowledge of AAA, failover, VPNs, setup, configuration and management of the PIX Firewall.


by Andy Barkl

6/5/2006 -- I've now taken all the latest versions of the Cisco Certified Security Professional (CCSP) exams, and I can honestly say the SNPA exam wasn't one of the easier ones. This exam has gone through a couple of revisions and now includes the newest question types and Cisco exam technology. There were simulator-based questions, drag-and-drop, multiple-question type, Adaptive Security Device Manager (ASDM) simulators, and a few multiple-choice questions. I received two simulation-based questions, one of the new multiple-question types, and one ASDM simulator. In total, I had 63 questions and was given 90 minutes to complete the exam. The passing score was 825. This exam is required for CCSP certification and can also be used alone to renew your Cisco Certified Network Associate (CCNA) certification, which is required prior to full CCSP certification.

Exam Spotlight

Exam: #642-522: Securing Networks with PIX and ASA (SNPA)
Vendor: Cisco Systems
Status: Live, recently updated. Available at Pearson Vue and Prometric testing centers worldwide.
Reviewer's Rating: "The new PIX exam can be a challenge for those who are not fully prepared. The simulator-based questions are challenging and will require hands-on experience."
Test Information: 60-70 questions, 90 minutes. Cost: $125 (U.S.).
Who Should Take This Exam? Candidates for CCSP or the Cisco Firewall Specialist certification/recertification.
Test Objectives: see Cisco's official SNPA exam objectives page.

The CCSP certification was created by Cisco in 2001, and while it isn't the most popular security certification in the industry, in the Cisco World, it's perfect for those who want to prove that they have what it takes to build, configure and manage secure Cisco-powered networks.

This exam and four others: SND (642-551), SNRS (642-502), IPS (642-532) and HIPS (642-513) or CSVPN (642-511) make up the requirements for the CCSP certification.

Study Materials
In preparing for the exam, there are self-study guides, the official Cisco SNPA (version 4.0) course if you prefer instructor-led training, and plenty of resources freely available at Cisco.com. To get you started, I recommend you study the information presented in the following links:

  • Cisco PIX Firewall and VPN Configuration Guide
  • Cisco PIX Firewall Command Reference, Version 6.3
  • Cisco ASDM Release Notes Version 5.0(1)

Though this is an updated exam, there are still many similarities between this exam and its predecessor, which tested on PIX OS version 6.3. For that reason, I recommend the same references as noted above plus the ASDM release notes, which will help with the differences. Now, if you haven't taken the older CSPFA (642-521) exam, then you should study all the references above plus have practice test software and the latest Cisco Press study guide. For most of my studies, I used the ASA self-study guide from Cisco Press. There is also a free article on the Cisco Press Web site if all you need to know are the differences or knowledge of the new features of PIX OS 7.0.

Exam Objectives
According to the official Cisco SNPA exam objectives page, the exam "tests a candidate's knowledge and ability to describe, configure, verify and manage the Cisco PIX and ASA security appliance products." I highly recommend you use this as your template to prepare for the exam.

The SNPA exam requires knowledge of many firewall technologies. In this article I'll address some of the high points to study for this new exam by mapping to the official objectives.

You'll need to be able to:

  • Describe the major security threats of today's networks.
  • Be familiar with all types of firewalls.
  • Know the current Cisco PIX Firewall product line.
  • Be comfortable with both the CLI and ASDM.
  • Understand how ACLs differ with the PIX OS and IOS.
  • Study IP Multicast configurations.
  • Know the terms CSACS, CiscoWorks and Firewall MC.

As this exam tests your knowledge of the PIX Firewall, you must master its command set, which is just different enough from the Cisco router IOS command set to drive one crazy! One of the greatest features of the PIX OS command set is the ability to remain in the config mode and not have to exit to the privileged mode for show, copy and write commands. These could be handy to know during the simulation-based questions.

These are some of the key PIX OS commands you should be familiar with:

  • show version - displays OS version and installed options.
  • show ip address - displays addresses assigned to available interfaces.
  • show interface - displays the available interfaces.
  • copy tftp - copies config or flash files to or from a TFTP server.
  • write erase - erases config files.
  • write memory - saves config files.
  • write terminal - displays config files.

Exam Tip: The reload command reboots the PIX Firewall.

Security Threats
Reconnaissance attacks, access attacks and denial-of-service (DoS) attacks are the major types of security threats to networks. The first of these is where the attacker collects information about a network using any means possible. Access attacks generally refer to some level of unauthorized data access. And DoS attacks occur when something or someone has overloaded a host or network to the point that it's no longer usable for legitimate access. You won't necessarily be asked to identify a particular type of attack on this exam, but you should be familiar with the devices, methods and prevention techniques to thwart an attack.

Firewalls
Firewalls come in a variety of configurations and implementations. Packet-filtering firewalls limit the information transmitted into a network based on static packet-header information (routers with access control lists). Proxy server firewalls control the connections between a client on the inside network and the Internet. Finally, stateful packet-filtering firewalls combine the best of both worlds (Cisco PIX).

Cisco PIX Firewalls
The Cisco PIX Firewall family includes the 501, 506E, 515E, 525, 535 and FWSM. The 501 is designed to support the SOHO (Small Office-Home Office) market segment. With the primary interfaces inside and outside, it supports most everything the bigger, higher-numbered models do, with the exception of DMZ interfaces and failover. The 506E is similar in hardware limitations to the 501; it does, however, support additional VPNs, and it's recommended for ROBO (Remote Office-Branch Office) implementations. The new 515E, which replaced the 515, supports multiple interfaces for DMZ connections and failover. As we continue to move up the model lineup, the 525 and 535 support a greater throughput with additional interfaces. The 515E is recommended for small-to-medium businesses, whereas the 525, 535 and FWSM (Firewall Switching Module), which is installed in Cisco Catalyst 6500 or 7200 switches, are recommended for enterprise-sized businesses and service providers.

Exam Tip: Using multiple FWSMs, you can support a network throughput of 12Gbps, where each unit supports 5Gbps.

CLI
The Cisco PIX Firewall runs the Finesse operating system. It's not Windows NT or Linux based, but it does include the popular CLI (Command Line Interface) modes and a command set similar to the one found in Cisco routers. The unprivileged mode, referred to as the User mode, is available when you first access the PIX through a console or Telnet session. After typing enable and the correct password, you enter the privileged mode of the CLI. From here you can issue most write, show and even copy commands. You must enter the Configuration mode with configure terminal to perform any device configuration. As previously mentioned, you can remain in the configuration mode from this point on and issue any configuration command or privileged command, unless you need to perform a password recovery, which is done in the Monitor mode.

PIX Commands
There are six basic commands to configure the PIX out of the box. They are nameif, interface, ip address, nat, global and route. I like to call these the "PIX Six."

The nameif command is used to assign the names inside, outside, dmz and so on to the physical ports of the PIX. It's also used to assign interface ASA (Adaptive Security Algorithm) security levels. For example: nameif ethernet2 dmz sec50. This assigns a name of dmz and security level of 50 to the third physical interface in the PIX. Interface numbering starts with E0 security level 0, which is the default for the outside interface, and E1 security level 100 for the inside. Did you catch that? E0, or "O," for outside, and E1, or "I," for inside. Know the default interfaces, names and security levels for the exam. Also know that network traffic cannot flow by default from a lower level security interface to a higher level! Traffic can never flow between interfaces with the same security level.

The interface command identifies hardware, sets the speed, and administratively enables an interface. For example, interface e0 100full enables the outside and configures it for 100Mbps, full duplex.

The ip address command assigns an address to a specified interface. For example: ip address dmz 172.16.0.1 255.255.255.0.

The nat command enables network address translation for hosts connecting from the inside to the outside of the PIX.

In most all configurations a nat command will be followed up and associated with a global command. For example: nat (inside) 1 0.0.0.0 0.0.0.0 and then global (outside) 1 192.168.0.20-192.168.0.254. This configures all inside host addresses to be converted to an address on the outside interface in the assigned global pool.

And for our last example: route outside 0.0.0.0 0.0.0.0 192.168.1.1 1. This command specifies a default route: all traffic for "remote" subnets leaves the PIX through the outside interface via the router at 192.168.1.1.

Exam Tip: The nat 0 command disables address translation for a specific host. Also referred to as Identity NAT.

Port address translation, or PAT, is a combination of an IP address and source port number for each unique session. It uses the same IP address for all packets but different port numbers greater than 1024. PAT and NAT can be used together. The PAT address can be different from the outside interface IP address, or it can be the outside interface IP address itself, in which case the PIX can support up to 64,000 connections for inside hosts. Know the command to enable PAT using the outside interface's IP address: global (outside) 1 interface.

Syslog configuration on the PIX is fairly straightforward. Using the output to a syslog server, you can trigger alerts and notifications using e-mail, for example. There are a few key syslog configuration commands you'll want to know for the exam:

  • logging on - enable logging
  • logging host - specifies a syslog server.
  • logging trap - specifies the logging level.
  • logging facility - specifies the messages from a specific device.

The PIX can be configured as both a DHCP server and client. The primary command dhcpd enable inside enables a DHCP server on the PIX's inside interface. Then, using dhcpd address, you can specify a range of addresses for the server to distribute. There are other commands for dns, wins, domain and so on. Read this great document to fully understand DHCP and PPPoE, and review it to prepare for this exam. Pay particular attention to the scenarios and commands for configuring the PIX as a PPPoE client!

Exam Tip: Know how to configure the DHCP server from the CLI.

Cisco's ASA 5500 is one of the newest Cisco products in the firewall family, and this exam includes a couple of questions that require you to have experience with or study knowledge of this security appliance. I recommend this Cisco.com reference, paying particular attention to AIP-SSM operation and troubleshooting.

Static inside translations allow you to configure the PIX when you want an inside host to always have the same global IP address on the outside interface. A command example would be: static (inside, outside) 192.168.0.18 10.0.0.10. Remember the order with the static command: the interface names go inside then outside, but the IP addresses go outside (global) then inside (local). The static command is also used to configure the PIX to allow traffic to flow from an interface with a lower security level to one with a higher, such as outside to inside. This, along with an access list, will allow internal servers to be accessible to outside users via SMTP, HTTP, FTP and so on. For example:

nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 172.16.1.20-172.16.1.254 netmask 255.255.255.0
static (dmz, outside) 192.168.1.11 172.16.1.2
access-list 101 permit tcp any host 192.168.1.11 eq smtp
access-group 101 in interface outside

Exam Tip: The interface names in the brackets of the static statement must be separated by a comma, but the space after the comma is optional.
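To make the security-level rules and the static-plus-ACL exception concrete, here is an added Python model (not code from the article or from Cisco) that parses a constructed config in the article's syntax and decides whether one connection attempt is forwarded. It deliberately simplifies real PIX behaviour to the three rules the article states: equal levels never pass, higher-to-lower passes by default, lower-to-higher needs a matching static and an inbound ACL permit.

```python
import ipaddress
import re

# Constructed sample config (not from a real device): the article's DMZ mail-server
# example plus nameif lines giving each interface its ASA security level.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
static (dmz, outside) 192.168.1.11 172.16.1.2
access-list 101 permit tcp any host 192.168.1.11 eq smtp
access-group 101 in interface outside
"""

PORT_NAMES = {"smtp": 25, "http": 80, "ftp": 21, "ssh": 22}


def _addr(t, i):
    """Parse 'any' | 'host A' | 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_config(text):
    """Extract security levels, static translations, ACLs and ACL bindings."""
    levels, statics, acls, bindings = {}, {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            # nameif <hw> <name> securityN (the article abbreviates it as secN)
            levels[t[2]] = int(re.sub(r"\D", "", t[3]))
        elif t[0] == "static":
            m = re.match(r"static \((\w+),\s*(\w+)\)\s+(\S+)\s+(\S+)", line)
            high_if, low_if, global_ip, local_ip = m.groups()
            # The lower-security side reaches local_ip by sending to global_ip.
            statics[(low_if, global_ip)] = (high_if, local_ip)
        elif t[0] == "access-list":
            # access-list <id> permit|deny <proto> <src> <dst> [eq <port>]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            acls.setdefault(t[1], []).append((t[2] == "permit", t[3], src, dst, port))
        elif t[0] == "access-group":
            bindings[t[4]] = t[1]  # PIX ACLs are only ever applied inbound
    return levels, statics, acls, bindings


def acl_permits(entries, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; every PIX ACL ends with an implicit deny."""
    for permit, p, src, dst, port in entries:
        proto_ok = p in ("ip", proto)
        port_ok = port is None or port == dst_port
        if proto_ok and port_ok and src_ip in src and dst_ip in dst:
            return permit
    return False


def flow_allowed(cfg, src_if, dst_if, proto, src_ip, dst_ip, dst_port):
    """Apply the article's interface security-level rules to one new connection."""
    levels, statics, acls, bindings = cfg
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if levels[src_if] == levels[dst_if]:
        return False  # equal security levels: never forwarded (the article's rule)
    if levels[src_if] < levels[dst_if]:
        # Lower to higher needs a static that maps the destination into dst_if...
        mapped = statics.get((src_if, str(dst_ip)))
        if mapped is None or mapped[0] != dst_if:
            return False
    acl = bindings.get(src_if)
    if acl is None:
        # ...and, with no inbound ACL, only higher-to-lower traffic passes by default.
        return levels[src_if] > levels[dst_if]
    return acl_permits(acls[acl], proto, src_ip, dst_ip, dst_port)
```

With the sample config, an outside host reaching 192.168.1.11 on SMTP is forwarded into the DMZ, the same host on HTTP is dropped by the ACL, and inside hosts reach the outside without any ACL at all.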

Access Lists
Access lists in the PIX operate and are configured much the same as they are in routers using the IOS, using the commands access-list and access-group. One of the differences is that in the PIX, access lists can only be applied as inbound to an interface. The no command precedes any statement or list you want to remove.

Exam Tip: Turbo ACLs improve the search time required for large access lists. It's only applied to ACLs of 19 entries or more. The command to enable is access-list compiled.

Object grouping is a fairly new feature supported by the PIX. It allows for simplified design, administration and troubleshooting of access lists. You'll want to be familiar with them for this exam. An ACL can apply to the following types of objects: client, server, subnet, service and ICMP. You can apply object groups to the following: network, protocol, service and ICMP. The primary command object-group is used to create object group types. For example:

object-group network CLIENTS
network-object host 10.0.1.11
network-object host 10.0.2.11
network-object 10.0.0.0 255.255.255.0

This will create a network object group named "CLIENTS," containing two hosts and a network. It can then be used in an access list as a single statement: access-list 101 permit tcp any object-group CLIENTS.
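To show what that single statement stands for, here is an added Python example (not code from the article or from Cisco) that parses the CLIENTS group above and expands the one access-list line back into the per-member entries it replaces, plus a membership check for a candidate address. The sample text is constructed to match the article's example.

```python
import ipaddress

# Constructed sample mirroring the article's CLIENTS object group (not a real device).
SAMPLE = """
object-group network CLIENTS
 network-object host 10.0.1.11
 network-object host 10.0.2.11
 network-object 10.0.0.0 255.255.255.0
access-list 101 permit tcp any object-group CLIENTS
"""


def parse_object_groups(lines):
    """Collect 'object-group network' definitions into {name: [IPv4Network, ...]}."""
    groups, current = {}, None
    for line in lines:
        t = line.split()
        if not t:
            continue
        if t[:2] == ["object-group", "network"]:
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object" and current is not None:
            if t[1] == "host":
                current.append(ipaddress.ip_network(t[2]))          # single host, /32
            else:
                current.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))  # address + mask
        else:
            current = None  # any other command ends the group definition
    return groups


def expand_acl(lines, groups):
    """Rewrite each access-list line that names an object-group as one entry per member,
    i.e. the equivalent list written out without the group."""
    expanded = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        if "object-group" not in t:
            expanded.append(" ".join(t))
            continue
        i = t.index("object-group")
        for member in groups[t[i + 1]]:
            if member.prefixlen == 32:
                repl = ["host", str(member.network_address)]
            else:
                repl = [str(member.network_address), str(member.netmask)]
            expanded.append(" ".join(t[:i] + repl + t[i + 2:]))
    return expanded


def group_contains(groups, name, ip):
    """True if ip falls inside any member of the named object-group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in groups[name])
```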

Routing
The Cisco PIX Firewall supports two types of routing -- static and dynamic -- and two kinds of dynamic routing protocols -- RIP and OSPF. Static routing is configured with the route command, as previously mentioned. Dynamic routing uses RIP version 1 or 2, or OSPF; these are configured using the commands rip and router ospf, respectively. Remember that static routes override dynamic routes! Be sure to review the operation and basic configuration of OSPF for the exam.

Exam Tip: Running RIP and OSPF together on the same PIX Firewall is not supported.

IP Multicast
IP multicast was a popular topic on my exam. Understand how to configure the PIX for support. Here are some key configuration commands:

  • multicast interface - enables multicast forwarding on an interface.
  • igmp forward - enables IGMP forwarding on an interface.
  • access-list xxx permit - configure an ACL that allows traffic to the destination class D address.
  • mroute - creates a static route from the source to the next-hop router.

Advanced Protocol Handling
Advanced protocol handling is yet another layer of protection offered in the Cisco PIX Firewall. You may not see many detailed questions on the exam, but you should know your port numbers. The primary command fixup enables you to configure the PIX to restrict common protocols passing through its interfaces -- many protocols weren't designed with security in mind. Some of the more common examples when using the fixup command would be:

  • no fixup protocol smtp - this would disable the default advanced protocol handling (also known as Mail Guard) and enable support for additional protocol commands often used with SMTP.
  • fixup protocol http 5000 - this would allow http commands to use port 5000 in addition to 80 (unless disabled).

Intrusion Detection
The PIX Intrusion Detection is capable of detecting the three most common types of network attacks, as stated earlier. It can detect signatures and generate a response when a set of rules is matched. It can then send an alarm, log the event, drop the packet or reset the TCP connection. To configure the IDS, the primary command is ip audit.

Exam Tip: The shun command dynamically stops a source host from accessing a PIX interface.

AAA
Authentication, Authorization and Accounting, better known as AAA, is a set of services that, when used on a network, provide secure access to devices and resources. You can't have authorization without authentication! Authentication determines a user's identity; authorization defines what the user can do; and accounting tracks the user's actions.

Exam Tip: Authorization is only supported on the PIX with TACACS+.

Cisco's CSACS provides for standard AAA services. This exam requires that you be familiar with CSACS. You can download a trial version with a free Cisco.com registered account here.

The primary commands for configuring PIX to send AAA requests to a CSACS server are:

  • aaa-server TACACS protocol tacacs+
  • aaa-server RADIUS protocol radius

After this is done, you must create users in the CSACS console and configure the PIX for AAA authentication using either include or exclude statements.

Exam Tip: The command timeout uauth is used to specify how long the authentication cache should be kept after the user connections become idle.

Downloadable ACLs are supported per user, by which the user is authorized to do only what is permitted by the user's ACL. They can be entered into a CSACS server and downloaded by a number of PIX Firewalls.

Exam Tip: Downloadable ACLs are supported with RADIUS only. No support exists for TACACS+.

Failover
Failover comes in two forms in the Cisco PIX Firewall: standard and LAN-based. Both work the same way, using two PIXes with identical hardware and software. The real difference comes in when using LAN-based failover: users are not required to reconnect through the PIX, but a dedicated Ethernet interface is required. Standard failover uses the failover ports and a specially wired cable between the two PIXes, labeled Primary and Secondary. LAN-based failover configurations don't require the specially wired cable but instead use either an Ethernet crossover cable or a dedicated switch, hub or VLAN between the PIXes.

The primary PIX (the active unit) uses the configured system IP addresses and MAC addresses for client connections on the network. When the primary fails, the secondary becomes active and assumes the system IP addresses and MAC addresses for the network. Configuration replication between the two PIXes is mostly automatic, but can be forced with the command write standby.

Other commands required to configure the PIXes for a failover configuration are:

  • failover active - makes a PIX the active firewall.
  • failover ip address - specifies the IP address used for the standby PIX Firewall to communicate with the active PIX.
  • failover link - specifies the interface where a fast LAN link is available for stateful failover.

Remote Access
Remote access for configuration management of the PIX can be accomplished in several ways. Telnet is one of the most common; the PIX does not allow telnet access to the outside interface (use SSH instead). To configure telnet access, the following commands are required:

  • telnet ip address netmask interface - specifies the interface for telnet access.
  • passwd password - sets the telnet password (also used as the PDM password).

Command authorization ties to remote access and is configured using the following commands, for example:

enable password password (sets the enable password)
privilege show level 8 command access-list (allows a user to issue the show commands for access lists)
aaa authorization command LOCAL (checks the PIX user database for authorization)

Cisco's Automatic Update Server (AUS) supports up to 1,000 PIXes. Configured firewalls periodically contact the AUS server to upgrade software images, configurations and PDM versions. AUS is a component of CiscoWorks and may be available for trial download by the time this article is published.

Exam Tip: PIXes contact the AUS server on port 443.

After passing the SNPA exam, you'll have a much greater appreciation and understanding of PIX Firewall implementation and configuration, as well as having an important piece toward CCSP certification. You'll also be able to support one of the most popular firewall devices on the market!


Andy Barkl, CCNP, CCDP, CISSP, MCT, MCSE:Security, MCSA:Security, A+, CTT+, i-Net+, Network+, Security+, Server+, CNA, has over 19 years of experience in the IT field. He's the owner of MCT & Associates LLC, a technical training and consulting firm in Phoenix, Arizona. He spends much of his time in the classroom but has also been responsible for many Microsoft Windows 2000, Exchange 2000, and Cisco networking deployments for many clients across Arizona. He's also the online editor for MCPMag.com, TCPMag.com, CertCities.com, and a contributing author and editor for Sybex and Cisco Press. He hosts a multitude of exam preparation chats monthly on MCPmag.com, TCPmag.com and CertCities.com. You can reach him at .




There are 54 CertCities.com user Comments for “Securing Networks with PIX and ASA (SNPA 642-522)”
The current user rating is: one star - cakewalk
6/9/06: chima from nigeria says:
two stars - somewhat challenging
I want a free download CD on CCNA.
6/14/06: Anonymous says:
three stars - difficult, but manageable
But now the 3rd edition of the Official Exam Certification Guide is out so this helps a lot.
10/11/06: Christopher M. Heffner from www.certified-labs.com says:
five stars - true gurus only
Why would you recommend the 6.3 command reference guide for study material when the SNPA course is based on the 7.0 OS version? The proper link would be http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/crt_ttl.pdf, which is the 7.0 command reference guide. Hope this helps. Christopher M. Heffner, CCIE 8211, CCSI 98760, Cisco Security Instructor - SND, SNRS, SNPA, CSVPN, CSIPS, SAFE
7/3/06: holland8 says:
four stars - very difficult
Study the 3rd edition of the Official Exam Certification Guide. All questions are about version 7.0.
8/15/06: Anonymous says:
three stars - difficult, but manageable
Be aware of the official exam certification guide from cisco press (v3). It has many errors in it (both explanation text and example configs) and sometimes it mixes up configuration commands (6.3 and 7.0; should be 7.0 only). I recommend reading through cisco online docs as well as the ccsp flash card book quick reference.
9/2/06: Mark from UK says:
three stars - difficult, but manageable
A very nice and helpful article - I have recently taken the SNPA course and am sitting the exam soon. I would agree with all your points and especially like the exam tips you have included! Very handy! I would recommend anyone thinking of taking the exam to keep checking the Boson web-site for when they release the practice SNPA material. Boson have a reputation for mirroring the Cisco exams and come in very handy for anyone taking a Cisco exam. Thanks for a very helpful article! MH
9/18/06: Anonymous says:
three stars - difficult, but manageable
Ditto to what the one person said about v3 of the SNPA book. Lots of errors in the text and the quiz software. I used to email them about some of them, but they never made updates available and they stopped responding to my emails about the mistakes. They are partnering with Boson on the test prep software. It would be nice to have fixes and errata for the book posted. Some things were altogether missing from the book that were in the exam, like the same-security-traffic command. The way the book says to configure some parameters for multicast on interfaces has also been updated according to Cisco's website: "This command was moved to interface configuration mode. Earlier versions required you to enter multicast interface configuration mode, which is no longer available." It would be nice to have consistent up-to-date materials.
12/28/06: Anonymous says:
five stars - true gurus only
If you have the option to get a book other than the Cisco Press Cert. Guide 3rd ed. to study for the exam, do it. If the Cisco Security Appliance Command Line Configuration Guide, Version 7.2 is available as a book, I think I would go with that one. The Cert. Guide pretty much covers everything, but unfortunately is filled with errors and old v6.3 configuration commands. Also the chapter questions have many faults. The CD-ROM questions however are pretty good and correct (mostly). I passed today with 848 points. I used the Cisco Security Appliance Command Line Configuration Guide, Version 7.2 to clarify different things: http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_guide_book09186a00806a61b0.html Also the Command Lookup Tool helped me very much with correct command syntax when comparing with commands from the book: http://www.cisco.com/cgi-bin/Support/Cmdlookup/home.pl Tip! When configuring VPN, you now use tunnel-groups! Also it seems that from now on commands such as isakmp commands get the word crypto in front of them as of version 7.2(1).
3/10/10: dlapree from Germany says:
Have you tested it and are writing from your personal experience, or did you find some information online?