Security – Page 2 – Network Interview QnA

How to do a load balance dual ISP on Cisco ASA?

If user has two ISPs terminating on the ASA, the ASA is configured for ISP redundancy. So in some cases users would like to use both ISP to send the traffic outside. In such scenarios the best solution would be to use the Router. Using route-map on the router, one can confgure routing in such [...]

How to get the pre-shared of VPN tunnels on the Cisco ASA?

The pre-shared on the Cisco ASA are encrypted to view them in plain text you need to use the command more system:running-config | beg tunnel-group

In Cisco ASA how to send the firewall traffic to AIP SSM module for inspection?

The traffic we want to be inspected is defined with the use of an access-list. In this example output, the access-list permits all IP traffic from any source to any destination. Therefore, to-be-inspected traffic can be anything that passes through the ASA. ciscoasa(config)#access-list traffic_for_ips permit ip any any ciscoasa(config)#class-map ips_class_map ciscoasa(config-cmap)#match access-list traffic_for_ips ciscoasa(config)#policy-map global_policy [...]

What are the IPSEC VPN parameters we can configure in the phase 1 & phase 2?

Following options are available for Phase 1 and Phase 2 configuration: Phase 1: Authentication <pre-share, rsa-encr, rsa-sig > Encryption <3des, aes, des> DH group < Diffie-Hellman group 1/2/5> Hash <md5, sha> Peer IP Shared secret Phase 2: ESP (with des/3des/aes and/or md5/sha ) AH ( with sha/md5) Get the amazing REDMI Note 4G at Rs.9999 [...]

How to run dynamic routing protocols over the VPN

IPSec supports the encryption of unicast IP traffic only. Therefore, dynamic routing protocols such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF) and non-IP traffic like Internetwork Packet Exchange (IPX) and AppleTalk are also unable to be encrypted using IPSec. There is workaround, encapsulate such traffic in Generic Routing Encapsulation [...]

What DCD feature does in the Cisco ASA firewall?

DCD (Dead Connection Detection) detects a dead connection and allows it to expire, without expiring connections that can still handle traffic. You can configure DCD when you want idle, but valid connections to persist. After a TCP connection times out, the ASA sends Dead Connection Detection probes to the end hosts to find out the [...]

What is IPSEC consist of and what are their functions?

IPSEC is a combination of three primary protocols ESP(protocol 50), AH(protocol 51) and IKE(UDP 500) Authentication: Authentication Header (AH) and Encapsulating Security Payload (ESP) Integrity: Encapsulating Security Payload (ESP) Confidentiality: Encapsulating Security Payload (ESP) Bringing it all together: Internet key Exchange (IKE)

Is it possible to setup Dead Peer Detection (DPD) on Cisco VPN client. If yes how it works?

Yes it is possible to setup Dead Peer Detection (DPD) on the Cisco VPN client (Cisco software client for connecting to remote VPN gateway). Cisco VPN Client sends its R-U-THERE message to a peer if it has sent traffic to the peer, but hasn’t received response back within ten seconds. This basically means that R-U-THERE [...]

What are the ports used in the Virtual Private Network (VPN)

Internet Protocol Security (IPSec) uses IP protocol 50 for Encapsulated Security Protocol (ESP), IP protocol 51 for Authentication Header (AH) .IPSEC uses UDP port 500 for IKE Phase 1 negotiation and Phase 2 negotiations. UDP ports 500 and 4500 are used, if NAT-T is used for IKE Phase 1 negotiation and Phase 2 negotiations Secure [...]

If Cisco IPS is showing 0.0.0.0 as victim or attacker ip what does it mean?

IPS summarisation is a process which enables the user to aggregate multiple events in a single alert. It is done because it reduces the number of alerts sent to the administrator. Anytime user see the 0.0.0.0 address used in the victim or attacker IP address field it is the result of multiple victim IP addresses [...]

What is hair-pinning on Cisco ASA firewall

Hair-pinning also called as ‘U-turn ‘.The ASA includes a feature that lets a VPN client send IPSec-protected traffic to another VPN user by allowing such traffic in and out of the same interface using the command ‘same-security-traffic permit intra-interface’ In another application, this feature can redirect incoming VPN traffic back out through the same interface [...]

In Site-to-site VPN tunnel if packets are exceeding mtu 1500 are getting dropped how you will fix it

Packets which are come in with the df bit set, and when they get encrypted, they exceed the 1500 MTU size limitation and they gets dropped.To overcome this issue there are two ways 1) DF bit override using the command You can use the command ‘crypto ipsec df-bit clear’ to override the df bit setting [...]

What are the difference between Main mode & Aggressive mode

Main Mode An IKE session begins with the initiator sending a proposal or proposals to the responder. The proposals define what encryption and authentication protocols are acceptable, how long keys should remain active, and whether perfect forward secrecy should be enforced,e.g. Multiple proposals can be sent in one offering. The first exchange between nodes establishes [...]

What is Anti-replay in IPSEC

IPSec provides anti-replay protection against an attacker who duplicates encrypted packets with the assignment of a monotonically increasing sequence number to each encrypted packet. The receiving IPSec endpoint keeps track of which packets it has already processed on the basis of these numbers with the use of a sliding window of all acceptable sequence numbers. [...]

Why can’t ESP packet pass through the PAT device?

It is because ESP is a protocol without ports that prevents it from passing through PAT devices.Because there is no port to change in the ESP packet, the binding database can’t assign a unique port to the packet at the time it changes to private address (10.0.0.0/8,172.16.0.0/12,192.168.0.0/16) address to the publically routable address. If the [...]

Can you give an overview of various components in IPSec?

The IPsec suite is an open standard. IPsec uses the following protocols Authentication Headers (AH)– provide connectionless integrity and data origin authentication for IP datagrams and provides protection against replay attacks. Encapsulating Security Payloads (ESP)– provide confidentiality, data-origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality. Security [...]

How to enable the antispoofing on the Cisco ASA firewalls?

Unicast Reverse Path Forwarding (uRPF) can be used to help limit malicious traffic on a network. This feature works by enabling a firewall to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, [...]

What is Symmetric & Asymmetric encryption?

Symmetric encryption-In symmetric encryption, a single key is used both to encrypt and decrypt traffic.Common symmetric encryption algorithms include DES, 3DES, AES, and RC4. 3DES and AES are commonly used in IPsec and other types of VPNs. Symmetric encryption algorithms are extremely fast & their relatively low complexity allows for easy implementation in hardware. However, [...]

What is the NAT order of execution in Cisco ASA?

The ASA does the nat in following order 1. NAT exemption (nat 0 access-list)—In order, till the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. 2. Static NAT and Static PAT (regular and policy) (static)—In order, till the first match. Static [...]

What is Hairpinning in VPN?

The ASA supports a feature that lets a VPN client send IPsec-protected traffic to another VPN user by allowing such traffic in and out of the same interface is called “hairpinning”, this feature can be thought of as VPN spokes (clients) connecting through a VPN hub (Cisco ASA firewall). In another application, this feature can [...]

How to enable anti-spoofing on Cisco Router

Unicast Reverse Path Forwarding (Unicast RPF) to help in limit the malicious traffic on an enterprise network. This security feature will work by enabling a router to verify the reachability of the source address in packets being forwarded.This capability can limit the appearance of spoofed addresses on a network. If the source IP address is [...]

What is differences in the IPSEC VPN & SSL VPN

IPSEC: *It works on Layer 3 (Network Layer) of OSI Model. *Since, it works on Network Layer, it secures all data that travels between two end points without an association to any specific application. *Once, it gets connected then the person will be virtually connected to the respective entire network and able to access the [...]

What is FWSM?

Firewall Services Module (FWSM) is a integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers.Up to four FWSMs can be installed in a single chassis, providing scalability to 20 Gbps per chassis. Based on Cisco PIX Firewall technology. Right now FWSM is end of sale & end of life.

In logging if Cisco ASA is showing “MSS Exceeded” error message what you will do?

We know that the Cisco ASA drops the packets that exceed the MSS value advertised by the client. We can bypass this behaviors by MPF (Modular Policy Framework) ================================================= Cisco-ASA(config)#access-list select_traffic permit tcp any host 192.168.9.2 Cisco-ASA#configure terminal Cisco-ASA(config)#class-map cm_allow_mss Cisco-ASA(config-cmap)#match access-list select_traffic Cisco-ASA(config-cmap)#exit Cisco-ASA(config)#tcp-map mss-map Cisco-ASA(config-tcp-map)#exceed-mss allow Cisco-ASA(config-tcp-map)#exit Cisco-ASA(config)#policy-map pm_allow_mss Cisco-ASA(config-pmap)#class cm_allow_mss Cisco-ASA(config-pmap-c)#set connection [...]

What is MPF in Cisco ASA?

Modular Policy Framework (MPF) configuration defines set of rules for applying firewall features, such as you can use Modular Policy Framework to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications Modular Policy Framework features: *QoS input policing *TCP normalization, TCP and [...]

What is SSL VPN? How it is different from IPsec VPN?

SSL VPN provides remote access connectivity from almost any internet enabled device without any special client software at a remote site. You only need a standard web browser and its native SSL encryption.

What is Stateful failover?

Every time a session is created for a flow of traffic on the primary node, it is synced to the secondary node. When the primary node fails, sessions continue to send the traffic through the secondary node without having to re-establish. I found really cool book to learn Cisco ASA firewalls check out the Cisco [...]

What is the difference in Symmetric & Asymmetric Encryption

Symmetric encryption also known as shared key or shared secret encryption. In symmetric encryption, a single key is used both to encrypt and decrypt traffic. Common symmetric encryption algorithms include DES, 3DES, AES, and RC4. 3DES and AES are commonly used in IPsec and other types of VPNs Symmetric encryption algorithms can be extremely fast, [...]

How do you do authentication with message digest(MD5)?

MD5 is a cryptographic hash function with a 128-bit hash value output. It is used to check the integrity of input. It takes the variable-length input and converts it into a fixed length output of 128-bits called as MD5 hash. Any change in the message would result in a completely different hash. Hence, the message [...]

Can traceout command work across the firewall? If No then why? If Yes then why?

Traceroute uses ICMP(type 30) under Windows and UDP under UNIX. To be able to use traceroute via a firewall the firewall needs to allow echo replies/requests. The way traceroute works is by sending packets toward the final destination and incrementing ttl with each packet sent. As such, the first packet will have a ttl set [...]

What is the difference between router ACLs and Firewall ACLs?

Both the devices can block the traffic using the ACL’s. The main difference is -Routers are meant to do Routing they are not optimized to handle the ACL’s. -Firewalls are meant to allow/block access . Also most of the firewalls provide stateful packet inspection that Router don’t provide.

When you are getting asymmetric routing error message in Cisco ASA/Pix firewall what does it mean?

In Asymmetric routing, a packet traverses from a source to a destination in one path and takes a different path when it returns to the source. In Cisco ASA/Pix firewalls, state information is built when the packets flow from a higher security domain to a lower security domain. The firewall will be an exit point [...]

What is SIC?

Secure Internal Communication (SIC) is used when you integrate a Check Point product with Websense software.If Websense software is integrated with a FireWall-1 NG version, you can configure both programs to use Secure Internal Communication (SIC).

How many security protocols available and how that works?

There is nothing like security protocol. apply security using the routing protocols. access-lists is the main feature or you can say technology that is used to permit/deny the traffic in/out of the network.. -Firewall (ASA/PIX) is configured for security purpose. companies prefer to do the nat/pat on firewall it has different domains of higher security [...]

Good firewall secures a software from all security threats, True or False?

-> False There are many attacks from which firewalls can’t protect us. They help in some attacks but they are not perfect to protect from all security threats.

In Cisco ASA what is the NAT-T?

NAT traversal (NAT-T) is a feature that allows IPsec traffic to “traverse” through NAT or PAT points without the incompatibilities that would normally arise. NAT (or PAT) works by translating a local address or addresses to a public address or several public addresses. In the case of PAT, several local addresses are translated to one [...]

What is Vulnerability

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

In Cisco ASA firewall how to check if it’s under the TCP Syn Flood attack? If it’s under attack what are the counter measures?

In Cisco ASA by running ‘sh connection count’ we can check the number of open connections. By default value for half open connection is 100000 . ciscoasa# show conn count 1931 in use, 3139 most used We can configure the ASA to lower that value by creating class map to select the traffic class-map SYN_Flood_Attack [...]

What are the technologies used in DMVPN?

-Multipoint GRE (mGRE) -Next-Hop Resolution Protocol (NHRP) -Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP) -Dynamic IPsec encryption -Cisco Express Forwarding (CEF)

What are the parameters in Phase 1 in VPN

-An authentication method to ensure the identity of the peers. -An encryption method to protect the data and ensure privacy. -A Hashed Message Authentication Codes (HMAC) method to ensure the identity of the sender and to ensure that the message has not been modified in transit. -A Diffie-Hellman group to determine the strength of the [...]