Security – Page 3 – Network Interview QnA

In logging if Cisco ASA is showing “MSS Exceeded” error message what you will do?

We know that the Cisco ASA drops the packets that exceed the MSS value advertised by the client. We can bypass this behaviors by MPF (Modular Policy Framework) ================================================= Cisco-ASA(config)#access-list select_traffic permit tcp any host 192.168.9.2 Cisco-ASA#configure terminal Cisco-ASA(config)#class-map cm_allow_mss Cisco-ASA(config-cmap)#match access-list select_traffic Cisco-ASA(config-cmap)#exit Cisco-ASA(config)#tcp-map mss-map Cisco-ASA(config-tcp-map)#exceed-mss allow Cisco-ASA(config-tcp-map)#exit Cisco-ASA(config)#policy-map pm_allow_mss Cisco-ASA(config-pmap)#class cm_allow_mss Cisco-ASA(config-pmap-c)#set connection [...]

What is MPF in Cisco ASA?

Modular Policy Framework (MPF) configuration defines set of rules for applying firewall features, such as you can use Modular Policy Framework to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications Modular Policy Framework features: *QoS input policing *TCP normalization, TCP and [...]

What is SSL VPN? How it is different from IPsec VPN?

SSL VPN provides remote access connectivity from almost any internet enabled device without any special client software at a remote site. You only need a standard web browser and its native SSL encryption.

What is Stateful failover?

Every time a session is created for a flow of traffic on the primary node, it is synced to the secondary node. When the primary node fails, sessions continue to send the traffic through the secondary node without having to re-establish. I found really cool book to learn Cisco ASA firewalls check out the Cisco [...]

What is the difference in Symmetric & Asymmetric Encryption

Symmetric encryption also known as shared key or shared secret encryption. In symmetric encryption, a single key is used both to encrypt and decrypt traffic. Common symmetric encryption algorithms include DES, 3DES, AES, and RC4. 3DES and AES are commonly used in IPsec and other types of VPNs Symmetric encryption algorithms can be extremely fast, [...]

How do you do authentication with message digest(MD5)?

MD5 is a cryptographic hash function with a 128-bit hash value output. It is used to check the integrity of input. It takes the variable-length input and converts it into a fixed length output of 128-bits called as MD5 hash. Any change in the message would result in a completely different hash. Hence, the message [...]

Can traceout command work across the firewall? If No then why? If Yes then why?

Traceroute uses ICMP(type 30) under Windows and UDP under UNIX. To be able to use traceroute via a firewall the firewall needs to allow echo replies/requests. The way traceroute works is by sending packets toward the final destination and incrementing ttl with each packet sent. As such, the first packet will have a ttl set [...]

What is the difference between router ACLs and Firewall ACLs?

Both the devices can block the traffic using the ACL’s. The main difference is -Routers are meant to do Routing they are not optimized to handle the ACL’s. -Firewalls are meant to allow/block access . Also most of the firewalls provide stateful packet inspection that Router don’t provide.

When you are getting asymmetric routing error message in Cisco ASA/Pix firewall what does it mean?

In Asymmetric routing, a packet traverses from a source to a destination in one path and takes a different path when it returns to the source. In Cisco ASA/Pix firewalls, state information is built when the packets flow from a higher security domain to a lower security domain. The firewall will be an exit point [...]

What is SIC?

Secure Internal Communication (SIC) is used when you integrate a Check Point product with Websense software.If Websense software is integrated with a FireWall-1 NG version, you can configure both programs to use Secure Internal Communication (SIC).

How many security protocols available and how that works?

There is nothing like security protocol. apply security using the routing protocols. access-lists is the main feature or you can say technology that is used to permit/deny the traffic in/out of the network.. -Firewall (ASA/PIX) is configured for security purpose. companies prefer to do the nat/pat on firewall it has different domains of higher security [...]

Good firewall secures a software from all security threats, True or False?

-> False There are many attacks from which firewalls can’t protect us. They help in some attacks but they are not perfect to protect from all security threats.

In Cisco ASA what is the NAT-T?

NAT traversal (NAT-T) is a feature that allows IPsec traffic to “traverse” through NAT or PAT points without the incompatibilities that would normally arise. NAT (or PAT) works by translating a local address or addresses to a public address or several public addresses. In the case of PAT, several local addresses are translated to one [...]

What is Vulnerability

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

In Cisco ASA firewall how to check if it’s under the TCP Syn Flood attack? If it’s under attack what are the counter measures?

In Cisco ASA by running ‘sh connection count’ we can check the number of open connections. By default value for half open connection is 100000 . ciscoasa# show conn count 1931 in use, 3139 most used We can configure the ASA to lower that value by creating class map to select the traffic class-map SYN_Flood_Attack [...]

What are the technologies used in DMVPN?

-Multipoint GRE (mGRE) -Next-Hop Resolution Protocol (NHRP) -Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP) -Dynamic IPsec encryption -Cisco Express Forwarding (CEF)

What are the parameters in Phase 1 in VPN

-An authentication method to ensure the identity of the peers. -An encryption method to protect the data and ensure privacy. -A Hashed Message Authentication Codes (HMAC) method to ensure the identity of the sender and to ensure that the message has not been modified in transit. -A Diffie-Hellman group to determine the strength of the [...]

In IPSEC what is Main mode & Aggressive mode?

IKE phase 1 happens in two modes: main mode and aggressive mode. These modes are described in the following sections. Main Mode Main mode has three two-way exchanges between the initiator and the receiver. -First exchange: The algorithms and hashes applied to secure the IKE communications are agreed upon in matching IKE SAs in each [...]

In IPSec VPNs, what is diffie hellman?

The Diffie-Hellman key agreement is a public key encryption method that provides a way for two IPSec peers to establish a shared secret key that only they know, although they are communicating over an insecure channel. With Diffie Hellman, each peer generates a public and private key pair. The private key generated by each peer [...]

What are different types of ACLs

Standard ACL’s – check the source addresses of packets. IP Standard ACL’s: 1-99 and 1300-1999 Extended ACL’s – check both the source and destination also check for specific protocols port numbers and other parameters. IP Extended ACL’s: 100-199 and 2000-2699 Named ACL’s– feature gives network administrators the option of using names to identify their access [...]

What is DPD (Dead peer detection)

Dead Peer Detection (DPD) is a method of detecting a dead Internet Key Exchange (IKE) peer. The method uses IPsec traffic patterns to minimize the number of messages required to confirm the availability of a peer.

Can you explain dual homed architecture?

A dual-homed host architecture is built around the dual-homed host computer, a computer that has at least two network interfaces. Such a host could act as a router between the networks these interfaces are attached to it.

Can you explain the concept of demilitarized zone?

The concept of the DMZ, like many other network security concepts, was borrowed from military terminology. Geopolitically, a demilitarized zone (DMZ) is an area that runs between two territories that are hostile to one another or two opposing forces’ battle lines. The DMZ likewise provides a buffer zone that separates an internal network from the [...]

What is AAA?

AAA stands for authentication, authorization and accounting, used to control user’s rights to access network resources and to keep track of the activity of users over a network. The current standard by which devices or applications communicate with an AAA server is the Remote Authentication Dial-In User Service (RADIUS).

What are the security-levels in cisco ASA?

ASA uses security levels to determine the parameters of trust given to a network attached to the respective interface. The security level can be configured between 0 to 100 where higher number are more trusted than lower. By default, the ASA allows packets from a higher (trusted) security interface to a lower (untrusted) security interface [...]

What is SSL VPN? How it is different from IPsec VPN?

SSL VPN provides remote access connectivity from almost any internet enabled location without any special client software at a remote site. You only need a standard web browser and its native SSL encryption. IPsec is a dedicated point-to-point fixed VPN connection where SSL VPNs provides anywhere connectivity without any configuration or special software at remote [...]

What is Stateful inspection?

Stateful inspection is known as dynamic packet filtering and is a firewall technology that monitors the state of active connections and uses this information to determine which network packets are allowed through the firewall. Stateful inspection analyses packets down to the application layer.

How to configure Layer 2 security on Switch

Port Security Cat3750#show port-security interface fastEthernet 1/0/2 Port Security : Disabled Port Status : Secure-down Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 0 Configured MAC Addresses : 0 Sticky MAC Addresses : 0 Last Source [...]

What are the types of Layer 2 attacks on Switches & how to migate them

Content Addressable Memory (CAM) Table Overflow Content Addressable Memory (CAM) tables are limited in size. If enough entries are entered into the CAM table before other entries are expired, the CAM table fills up to the point that no new entries can be accepted. Typically, a network intruder floods the switch with a large number [...]

What are different types of VPN

Deployment classification Site to Site VPN Remote VPN Classification based on OSI layers Layer 4/7 VPN – WebVPN Layer 3 VPN – IPSec, GREoIPSec Layer 2 VPN – L2TP, PPTP, MPPE Classification based on trust level Intranet VPN Extranet VPN Remote VPN Customer point of view classifications 1. Traditonal VPN Frame-relay (L2 VPN) ATM VPN [...]

Can you explain Stateful Inspection in Cisco ASA

A stateful firewall like the ASA, however, takes into consideration the state of a packet: •Is this a new connection? If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first [...]

Access lists are numbered. Which of the following ranges could be used for an IP access list?

A. 600 – 699 B. 100 – 199 C. 1 – 99 D. 800 – 899 E. 1000 – 1099 Answer:wer: B & C

When using access lists, it is important where those access lists

When using access lists, it is important where those access lists are placed. Which statement best describes access list placement? A. Put standard access lists as near the destination as possible. Put extended access lists as close to the source as possible. B. Put extended access lists as near the destination as possible. Put standard access lists [...]

How many access lists are allowed per interface?

A. One per port, per protocol B. Two per interface, per protocol C. Unlimited D. Router interface +1 per port. –>B

Can you define in short what VPN is?

Can you define in short what VPN is? ->A Virtual Private Network (VPN) is a network technology that creates a secure network connection over a public network such as the Internet or a private network owned by a service provider. Large corporations, educational institutions, and government agencies use VPN technology to enable remote users to [...]

Can you explain what IPSec is

Can you explain what IPSec is ->ipsec is a suite of protocols which ensure the following: 1-confidentiality of data 2-integrity of data 3-anti-replay of data 4-non-repudiation contains the main cryptographic algorithms used in securing traffic between two networks over an un trusted network

Can you explain transport and tunnel mode in detail with datagram packets?

Can you explain transport and tunnel mode in detail with datagram packets? ->Tunnel Mode – Entire IPSEC process is transparent to end hosts, and specialized gateway handles the IPSEC Workload In Tunnel Mode, 1st Encrypts the entire IP packet and its placed into another IP packet. Means we have 2 IP addresses. 1.ip address on [...]