FIREWALL QUESTIONS
Describe TCP/IP.
TCP/IP
Short for Transmission Control Protocol/Internet Protocol, TCP/IP is a set of rules (protocols) governing communications among all computers on the Internet. More specifically, TCP/IP dictates how information should be packaged (turned into bundles of information called packets), sent, and received, as well as how to get to its destination. TCP/IP was developed in 1978 and driven by Bob Kahn and Vint Cerf.
How does TCP/IP work?
As the name implies, TCP/IP is a combination of two separate protocols: Transmission Control Protocol (TCP) and Internet Protocol (IP). The Internet Protocol standard dictates the logistics of packets sent out over networks; it tells packets where to go and how to get there. IP has a method that lets any computer on the Internet forward a packet to another computer that is one or more intervals closer to the packet's recipient. You can think of it like workers in a line passing boulders from a quarry to a mining cart.
The Transmission Control Protocol is responsible for ensuring the reliable transmission of data across Internet-connected networks. TCP checks packets for errors and submits requests for re-transmissions if any are found.
Three of the most common TCP/IP protocols
- HTTP - Used between a web client and a web server, for non-secure data transmissions. A web client (i.e. Internet browser on a computer) sends a request to a web server to view a web page. The web server receives that request and sends the web page information back to the web client.
- HTTPS - Used between a web client and a web server, for secure data transmissions. Often used for sending credit card transaction data or other private data from a web client (i.e. Internet browser on a computer) to a web server.
- FTP - Used between two or more computers. One computer sends data to or receives data from another computer directly.
Domain names and TCP/IP addresses
The TCP/IP address for a website or web server is typically not easy to remember. To remedy this issue, a domain name is used instead. For example, 45.79.151.23 is the IP address for the Computer Hope website and computerhope.com is the domain name. Using this method, instead of a set of numbers, makes it much easier for users to remember Computer Hope's web address.
Describe the ARP table and the MAC address table.
ARP TABLE (Address Resolution Protocol table): resolves IP addresses to MAC addresses (Layer 3 logical addresses to Layer 2 physical addresses).
Example from "show arp". Each IP address is matched to a MAC address:
Internet 192.168.200.3 3 0007.dddd.abc2 ARPA Vlan4
Internet 192.168.200.10 6 000a.bbbb.a5ba ARPA Vlan4
Internet 192.168.200.17 - 0014.cccc.6c7b ARPA Vlan5
Internet 192.168.200.25 208 0005.aaaa.3b5a ARPA Vlan5
The MAC address table maps MAC addresses to physical ports on a switch.
Example from "show mac-address-table". Each MAC address is matched with the port it was learned on:
MAC Address Port the MAC was learned on
0021.d837.a6fc Dynamic 1 FastEthernet3
0007.95dc.04c1 Dynamic 4 FastEthernet2
000a.95b0.a5aa Dynamic 4 FastEthernet0
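An added example, not code from the original page: a parser for the two listings above that joins them (IP to MAC via the ARP table, MAC to switch port via the MAC address table) and flags any MAC that answers for more than one IP, which is the anomaly a defender checks before suspecting ARP spoofing on a segment. The device output is constructed to resemble the listings above, and treating the numeric column of the MAC table as the VLAN is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample device output, modelled on the "show arp" and
# "show mac-address-table" listings above; not captured from a real switch.
SHOW_ARP = """\
Internet 192.168.200.3 3 0007.dddd.abc2 ARPA Vlan4
Internet 192.168.200.10 6 000a.bbbb.a5ba ARPA Vlan4
Internet 192.168.200.17 - 0014.cccc.6c7b ARPA Vlan5
Internet 192.168.200.25 208 0005.aaaa.3b5a ARPA Vlan5
Internet 192.168.200.99 1 0005.aaaa.3b5a ARPA Vlan5
"""

SHOW_MAC = """\
0007.dddd.abc2 Dynamic 4 FastEthernet3
000a.bbbb.a5ba Dynamic 4 FastEthernet2
0014.cccc.6c7b Dynamic 5 FastEthernet0
0005.aaaa.3b5a Dynamic 5 FastEthernet1
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"          # Cisco dotted-hex MAC format
ARP_LINE = re.compile(rf"^Internet\s+(\S+)\s+\S+\s+({MAC})\s+ARPA\s+(\S+)")
MAC_LINE = re.compile(rf"^({MAC})\s+\S+\s+(\d+)\s+(\S+)")


def parse_arp(text):
    """Map IP address -> (MAC, interface) from 'show arp' output (age column skipped)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            ip, mac, iface = m.groups()
            table[ip] = (mac, iface)
    return table


def parse_mac_table(text):
    """Map MAC -> (vlan, port). The numeric column is taken to be the VLAN (an assumption)."""
    table = {}
    for line in text.splitlines():
        m = MAC_LINE.match(line.strip())
        if m:
            mac, vlan, port = m.groups()
            table[mac] = (int(vlan), port)
    return table


def locate_ip(ip, arp, mac_table):
    """Join the two tables: IP -> MAC (ARP table) -> switch port (MAC address table)."""
    if ip not in arp:
        return None
    mac, _ = arp[ip]
    entry = mac_table.get(mac)
    return entry[1] if entry else None


def macs_with_multiple_ips(arp):
    """One MAC answering for several IPs deserves a look: it is normal for a router or a
    host with secondary addresses, but it is also what ARP spoofing looks like in 'show arp'."""
    seen = defaultdict(list)
    for ip, (mac, _) in arp.items():
        seen[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    arp = parse_arp(SHOW_ARP)
    macs = parse_mac_table(SHOW_MAC)
    for ip in arp:
        print(f"{ip:16} -> {arp[ip][0]} on {locate_ip(ip, arp, macs)}")
    print("MACs claiming more than one IP:", macs_with_multiple_ips(arp))
```

On a real switch the same join answers "which physical port is this IP plugged into", and the duplicate-MAC check is cheap enough to run on every ARP snapshot.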
What is passive and active FTP?
Active and passive are the two modes that FTP can run in. FTP uses two channels between client and server, the command channel and the data channel, which are actually separate TCP connections. The command channel is for commands and responses, the data channel is for actually transferring files. It's a nifty way of sending commands to the server without having to wait for the current data transfer to finish.
In active mode, the client establishes the command channel (from client port X to server port 21 (b)) but the server establishes the data channel (from server port 20 (b) to client port Y, where Y has been supplied by the client). In passive mode, the client establishes both channels. In that case, the server tells the client which port should be used for the data channel.
Passive mode is generally used in situations where the FTP server is not able to establish the data channel. One of the major reasons for this is network firewalls. While you may have a firewall rule which allows you to open up FTP channels to ftp.microsoft.com, Microsoft's servers may not have the power to open up the data channel back through your firewall. Passive mode solves this by opening up both types of channel from the client side. In order to make this hopefully clearer:
Active mode:
- Client opens up command channel from client port 2000 (a) to server port 21 (b).
- Client sends PORT 2001 (a) to server and server acknowledges on command channel.
- Server opens up data channel from server port 20 (b) to client port 2001 (a).
- Client acknowledges on data channel.
Passive mode:
- Client opens up command channel from client port 2000 (a) to server port 21 (b).
- Client sends PASV to server on command channel.
- Server sends back (on command channel) PORT 1234 (a) after starting to listen on that port.
- Client opens up data channel from client port 2001 (a) to server port 1234 (a).
- Server acknowledges on data channel.
What is a Firewall
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.
A firewall can be hardware, software, or both.
What is a firewall?
Firewalls and Their Evolution
A firewall is a network security device that grants or rejects network access to traffic flows between an untrusted zone (e.g., the Internet) and a trusted zone (e.g., a private or corporate network). The firewall acts as the demarcation point or “traffic cop” in the network, as all communication should flow through it, and it is where traffic is granted or rejected access. Firewalls enforce access controls through a positive control model, which states that only traffic defined in the firewall policy is allowed onto the network; all other traffic is denied (known as “default deny”).
Access Control Lists
Early on, the firewall function was performed by Access Control Lists (ACLs), often on routers. ACLs are essentially written-out rules that determine whether network access should be granted or rejected to specific IP addresses. For example, an ACL can have a line that states all traffic from IP 172.168.2.2 must be rejected, or one that allows all traffic on port 80 from 172.168.2.2 to the web server at 10.10.10.201. ACLs are advantageous due to scalability and high performance, but cannot read past packet headers, which provide only rudimentary information about the traffic. Thus, ACL packet filtering alone does not have the capacity to keep threats out of the network.
Proxy firewalls
Proxy firewalls act as middlemen; they accept all traffic requests coming into the network by impersonating the true recipient of the traffic within the network. After an inspection, if it decides to grant access, the proxy firewall sends the information to the destination computer. The destination computer’s reply is sent to the proxy, which repackages the information with the source address of the proxy server. Through this process, the proxy firewall breaks (or terminates) the connection between the two computers so that it is the only machine on the network that talks to the outside world. Proxy firewalls can inspect content fully and make access decisions based on more specific, granular information. Access control this nuanced is attractive to network administrators; however, each application needs its own application-level proxy. Proxy-firewalled networks also suffer degraded traffic performance and many limitations in application support and general functionality. This ultimately leads to scalability issues that make a successful implementation tricky to pull off. For this reason, proxy firewalls have not been widely adopted. In fact, even at the peak of the proxy firewall's popularity in the 90s, performance and scalability issues limited adoption to select verticals in niche deployments.
Stateful Inspection firewalls
Stateful inspection, or stateful filtering, is regarded as the third generation of firewalls. Stateful filtering does two things: first, it classifies traffic by looking at the destination port (e.g., tcp/80 = HTTP). Second, it tracks the state of the traffic by monitoring every interaction of each particular connection until that connection is closed. These properties add more functionality to access control: stateful inspection firewalls have the ability to grant or reject access based not only on port and protocol, but also on the packet’s history in the state table. When stateful firewalls receive a packet, they check the state table to find whether a connection has already been established or whether a request for the incoming packet has been made by an internal host. If neither is found, the packet’s access becomes subject to the ruling of the firewall security policy.
Though stateful filtering is scalable and transparent to users, the extra layer of protection adds complexity to network security infrastructure, and stateful firewalls face difficulty in handling dynamic applications such as SIP or H.323.
Unified Threat Management
Unified Threat Management (UTM) solutions were initially defined as the consolidation of stateful inspection firewalls, antivirus, and IPS into a single appliance. Over time, the UTM definition has expanded to include many other network security functions.
It is important to note that the success of UTMs relies on the effectiveness of the stateful inspection-based firewall decision that precedes all of its component functions. This is because UTM components, while in a single device, are effectively downstream security services. Thus, the workload of all security components behind the firewall (inside the network) will be determined by the strength of its access control. Though UTMs provide a number of security functions in one product, the fundamental access control technology of the firewall remains unchanged.
Next-generation firewalls
Next-generation firewalls (NGFWs) were created in response to the evolving sophistication of applications and malware. Application and malware developers have largely outwitted the long-standing port-based classification of traffic by building port evasion techniques into their programs. Today, malware piggybacks on these applications to enter networks and has become increasingly networked itself (instances connected to each other across the computers they individually infected). NGFWs act as a platform for network security policy enforcement and network traffic inspection. Per technology research firm Gartner Inc., they are defined by the following attributes:
- Standard capabilities of the first-generation firewall: This includes packet filtering, stateful protocol inspection, network-address translation (NAT), VPN connectivity, et cetera.
- Truly integrated intrusion prevention: this includes support for both vulnerability-facing and threat-facing signatures, and suggesting rules (or taking action) based on IPS activity. The sum of these two functions collaborating via the NGFW is greater than the individual parts.
- Full stack visibility and application identification: ability to enforce policy at the application layer independently from port and protocol.
- Extrafirewall intelligence: ability to take information from external sources and make improved decisions. Examples include creating blacklists or whitelists and being able to map traffic to users and groups using active directory.
- Adaptability to the modern threat landscape: support upgrade paths for integration of new information feeds and new techniques to address future threats.
- In-line support with minimum performance degradation or disruption to network operations.
Stateful vs. Stateless Firewalls
A firewall can be described as being either stateful or stateless.
STATELESS Firewalls
Stateless firewalls watch network traffic and restrict or block packets based on source and destination addresses or other static values. They’re not ‘aware’ of traffic patterns or data flows. A stateless firewall uses simple rule-sets that do not account for the possibility that a packet might be received by the firewall ‘pretending’ to be something you asked for.
A stateless firewall filter, also known as an access control list (ACL), does not statefully inspect traffic. Instead, it evaluates packet contents statically and does not keep track of the state of network connections.
Purpose of Stateless Firewall Filters
The basic purpose of a stateless firewall filter is to enhance security through the use of packet filtering. Packet filtering enables you to inspect the components of incoming or outgoing packets and then perform the actions you specify on packets that match the criteria you specify. The typical use of a stateless firewall filter is to protect the Routing Engine processes and resources from malicious or untrusted packets.
STATEFUL Firewall
Stateful firewalls can watch traffic streams from end to end. They are aware of communication paths and can implement various IP Security (IPsec) functions such as tunnels and encryption. In technical terms, this means that stateful firewalls can tell what stage a TCP connection is in (open, open sent, synchronized, synchronization acknowledged, or established). They can tell if the MTU has changed, whether packets have been fragmented, and so on.
Neither is really superior and there are good arguments for both types of firewalls. Stateless firewalls are typically faster and perform better under heavier traffic loads. Stateful firewalls are better at identifying unauthorized and forged communications.
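The following added example (not code from the original page, and not any vendor's API) models the contrast drawn above between a stateless ACL and a stateful firewall, and runs the same traffic through both: the HTTP three-way handshake, the active- and passive-mode FTP data channels from the FTP section, and a SYN-ACK that "pretends" to be a reply the client asked for. Hosts, ports, rules and the `Packet`/`StatefulFirewall` names are constructed for the demonstration; the ACL rule shape follows the router ACL described under Access Control Lists.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # "SYN", "SYN-ACK" or "ACK": the only flags the handshake needs here


INSIDE = "10.10.10.5"     # protected client behind the firewall (constructed address)
WEB = "203.0.113.10"      # outside web server (constructed)
FTP = "203.0.113.20"      # outside FTP server (constructed)


def stateless_acl(rules, pkt):
    """Judge one packet by its headers alone. A rule is (src, dst, dport, action), 'any'
    is a wildcard, first match wins, and no match means deny (default deny)."""
    for src, dst, dport, action in rules:
        if src in (pkt.src, "any") and dst in (pkt.dst, "any") and dport in (pkt.dport, "any"):
            return action
    return "deny"


class StatefulFirewall:
    """Applies the policy only to connection starts from the inside host, records each
    accepted connection in a state table, and judges every other packet by whether it
    belongs to a recorded connection and fits that connection's current stage."""

    def __init__(self, outbound_rules):
        self.rules = outbound_rules   # (dst, dport, action) for new outbound connections
        self.state = {}               # (in_ip, in_port, out_ip, out_port) -> stage

    def filter(self, pkt):
        if pkt.src == INSIDE:                                   # outbound packet
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.state:
                if pkt.flags == "ACK" and self.state[key] == "SYN_RECEIVED":
                    self.state[key] = "ESTABLISHED"
                return "allow"
            if pkt.flags != "SYN":
                return "deny"                                   # not a connection start
            for dst, dport, action in self.rules:
                if dst in (pkt.dst, "any") and dport in (pkt.dport, "any"):
                    if action == "allow":
                        self.state[key] = "SYN_SENT"
                    return action
            return "deny"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)          # inbound packet
        stage = self.state.get(key)
        if stage is None:
            return "deny"                                       # nobody inside asked for this
        if pkt.flags == "SYN-ACK" and stage == "SYN_SENT":
            self.state[key] = "SYN_RECEIVED"
        return "allow"


# Packet sequences as the firewall sees them (all constructed).
HTTP_FLOW = [Packet(INSIDE, 40000, WEB, 80, "SYN"),
             Packet(WEB, 80, INSIDE, 40000, "SYN-ACK"),
             Packet(INSIDE, 40000, WEB, 80, "ACK")]
ACTIVE_FTP_DATA = Packet(FTP, 20, INSIDE, 2001, "SYN")     # server opens data channel to client
PASSIVE_FTP_DATA = Packet(INSIDE, 2001, FTP, 1234, "SYN")  # client opens data channel to server
FORGED_REPLY = Packet(WEB, 80, INSIDE, 55555, "SYN-ACK")   # "reply" to a request never made


def stateless_verdicts():
    # A stateless ACL cannot tie a reply to a request, so letting replies back in means
    # opening inbound traffic to the client's ports wholesale.
    acl = [(INSIDE, "any", "any", "allow"),   # anything from the inside host outward
           ("any", INSIDE, "any", "allow")]   # replies back in, and everything else with them
    return {"http": [stateless_acl(acl, p) for p in HTTP_FLOW],
            "active_ftp_data": stateless_acl(acl, ACTIVE_FTP_DATA),
            "passive_ftp_data": stateless_acl(acl, PASSIVE_FTP_DATA),
            "forged_reply": stateless_acl(acl, FORGED_REPLY)}


def stateful_verdicts():
    fw = StatefulFirewall([("any", 80, "allow"), (FTP, "any", "allow")])
    http = [fw.filter(p) for p in HTTP_FLOW]
    return {"http": http,
            "http_stage": fw.state[(INSIDE, 40000, WEB, 80)],
            "active_ftp_data": fw.filter(ACTIVE_FTP_DATA),    # no state, so denied
            "passive_ftp_data": fw.filter(PASSIVE_FTP_DATA),  # inside-initiated, so allowed
            "forged_reply": fw.filter(FORGED_REPLY)}          # no matching state, so denied


if __name__ == "__main__":
    print("stateless:", stateless_verdicts())
    print("stateful: ", stateful_verdicts())
```

The stateless ACL lets the HTTP reply through only because it lets every inbound packet to the client through, including the forged SYN-ACK and the server-initiated active-mode FTP data channel. The stateful firewall allows exactly the packets that belong to a connection the inside host started, which is why the active-mode data channel fails behind it (as the FTP section explains) while passive mode works without any extra inbound rule.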
related to OSPF, TCP connection establishment, FTP control and data connections, stateful versus stateless firewalls, UDP versus TCP. The hiring manager asked me about ARP with respect to switches and routers, routing of HTTP traffic, etc.
A firewall is between two devices and the TCP handshake thing takes place, and the firewall does not recognize the ACK bit in the TCP handshake thing. What will happen?
Troubleshooting techniques: ping, tracert, ipconfig, nslookup, Wireshark packet tracking...
....all one-word technical plus HR questions on TCP/IP handshake....FTP in detail...ping...ICMP....and then after a few days she arranged a managerial interview with a manager...not a pure technical one...questions asked were....customer oriented...like customer facing...what if a customer goes impatient...how will you handle it....what if a user is not able to receive emails but is able to surf the internet.....questions on past work experience.....college projects....etc
TCP
SYN flooding & SYN cookies
IP fragmentation & path MTU discovery
SSL VPN
IPSec VPN
PKI
1. What is the size of a typical IP header?
2. Name 3 components inside the IP header.
3. Describe the process of a TCP handshake.
4. What is NAT? sNAT, pNAT?
5. What are 404, 408, 200?
6. Which one is more secure, SSL or VPN? (Tricky question, as they are not mutually related.)
7. What is the difference between a HIDS and a NIDS? (security)
PORT TYPE SERVICE DESCRIPTION
21 TCP ftp File Transfer Protocol (control)
21 UDP ftp File Transfer Protocol (control)
22 Both ssh SSH remote login
25 Both SMTP Simple Mail transfer Protocol
50 Encryption IP protocols esp – IPSEC Encapsulation Security Payload
51 Encryption IP protocols ah – IPSEC Authentication Header Protocol
53 Both Domain Name Server
69 Both TFTP Trivial File Transfer Protocol
94 TCP Encryption IP protocols fwz_encapsulation (FW1_Eencapsulation)
137 Both Netbios-ns NETBIOS Name Service
138 Both netbios-dgm NETBIOS Datagram
139 Both netbios-ssn NETBIOS Session
256 TCP FW1 (fwd) policy install port FWD_SVC_PORT
257 TCP FW1_log FW1_log FWD_LOG_PORT
258 TCP FW1_mgmt FWM_SSVVC_PORT
259 TCP FW1_clientauth_telnet
259 UDP RDP Reliable Datagram Protocol
260 TCP sync
260 UDP FW1_snmp FWD_SNMP_PORT
261 TCP FW1_snauth Session Authentication Daemon
262 TCP MDQ – mail dequer
263 TCP dbs
264 TCP FW1_topop Check Point SecureClient Topology Requests
265 TCP FW1_key Check Point VPN-1 Public key transfer protocol
389 Both LDAP Secure Client connecting to LDAP without SSL
443 SNX VPN can use 443 too
444 TCP SNX VPN SNX VPN tunnel in connectra only
500 UDP IPSEC IKE Protocol (formerly ISAKMP/Oakley)
500 TCP IKE over TCP
500 UDP ISAKMPD_SPORT & ISAKMPD_DPORT
514 UDP Syslog Syslog
636 LDAP Secure Client connecting to LDAP with SSL
900 TCP FW1_clntauth_http Client Authentication Daemon
981 Management https on the edge
1247
1494 TCP Winframe Citrix
1645 TCP Radius
1719 UDP VOIP
1720 TCP VOIP
2040 TCP MIP meta Ip admin server
2746 UDP UDP encapsulation for SR VPN1_IPSEC_encapsulation VPN1_IPSEC encapsulation
2746 TCP CPUDPENCap
4000 Policy Server Port (Redmond)
4433 TCP Connectra Admin HTTPS Connectra admin port
4500 UDP NAT-T NAT Traversal
4532 TCP SNDAEMON_PORT sn_auth_trap: sn_auth daemon Sec.Serv comm,
5001 TCP Meta IP Web Connection, MIP
5002 TCP Meta IP DHCP Failover
5004 TCP Meta IP UAM
5005 TCP Meta IP SMC
6969 UDP KP_PORT KeyProt
8116 UDP Check Point HA SyncMode= CPHAP (new sync mode)
8116 UDP Connection table synchronization between firewalls
8989 TCP CPIS Messaging MSG_DEFAULT_PORT
8998 TCP MDS_SERVER_PORT
9000 Command Line Port for Secure Client
10001 TCP Default CPRSM listener port for coms with RealSecure Console
18181 TCP FW1_cvp Check Point OPSEC Content Vectoring Protocol
18182 TCP FW1_ufp Check Point OPSEC URL Filtering Protocol
18183 TCP FW1_sam Check Point OPSEC Suspicious Activity monitoring Proto (SAM API)
18184 TCP FW1_lea Check Point OPSEC Log Export API
18185 TCP FW1_omi Check Point OPSEC Objects Management Interface
18186 TCP FW1_omi-sic Check Point OPSEC Objects management Interface with Secure Internal Communication
18187 TCP FW1_ela Check Point OPSEC Event Logging API
18190 TCP CPMI Check Point Management Interface
18191 TCP CPD Check Point Daemon Proto NG
18192 TCP CPD_amon Check Point Internal Application Monitoring NG
18193 TCP FW1_amon Check Point OPSEC Application Monitoring NG
18201 TCP FGD_SVC_PORT
18202 TCP CP_rtm Check Point Real time Monitoring
18203 TCP FGD_RTMP_PORT
18204 TCP CE communication
18205 TCP CP_reporting Check Point Reporting Client Protocol
18207 TCP FW1_pslogon Check Point Policy Server logon Protocol
18208 TCP FW1_CPRID (SmartUpdate) Check Point remote Installation Protocol
18209 TCP FWM CA for establishing SIC communication
18210 TCP FW1_ica_pull Check Point Internal CA Pull Certificate Service
18211 TCP FW1_ica_pull Check Point Internal CA Push Certificate Service
18212 UDP Connect Control – Load Agent port
18213 TCP cpinp: inp (admin server)
18214 TCP cpsmc: SMC
18214 UDP cpsmc: SMC Connectionless
18221 TCP CP_redundant Check Point Redundant Management Protocol NG
18231 TCP FW1_pslogon_NG Check Point NG Policy Server Logon Protocol
18231 TCP NG listens on this port by default dtps.exe
18232 TCP FW1_sds_logon Check Point SecuRemote Distribution Server Protocol
18233 UDP Check Point SecureClient Verification Keepalive Protocol FW1_scv_keep_alive
18241 UDP e2ecp
18262 TCP CP_Exnet_PK Check Point Public Key Resolution
18263 TCP CP_Exnet_resolve Check Point Extranet remote objects resolution
18264 TCP FW1_ica_services Check Point Internal CA Fetch CRL and User Registration Services
19190 TCP FW1_netso Check Point OPSEC User Authority Simple Protocol
19191 TCP FW1_uaa Check point OPSEC User Authority API
65524 FW1_sds_logon_NG Secure Client Distribution Server Protocol (VC and Higher)
Connection establishment
To establish a connection, TCP uses a three-way handshake. Before a client attempts to connect with a server, the server must first bind to and listen at a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open. To establish a connection, the three-way (or 3-step) handshake occurs:
SYN: The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A.
SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B.
ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A+1, and the acknowledgement number is set to one more than the received sequence number i.e. B+1.
At this point, both the client and server have received an acknowledgment of the connection. The steps 1, 2 establish the connection parameter (sequence number) for one direction and it is acknowledged. The steps 2, 3 establish the connection parameter (sequence number) for the other direction and it is acknowledged. With these, a full-duplex communication is established.
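As an added example (not from the original page), the three steps above carried through in code with the A/B sequence-number arithmetic, including the wraparound of the 32-bit sequence space and what the server does with a stray or forged ACK that acknowledges the wrong number. Function names and the fixed sequence numbers used in the usage run are this example's own.

```python
import secrets

MAX_SEQ = 2**32   # sequence and acknowledgement numbers are 32-bit and wrap modulo 2^32


def segment(flags, seq, ack=None):
    """A TCP segment reduced to the three fields the handshake is about."""
    return {"flags": flags, "seq": seq, "ack": ack}


def client_syn(isn_a):
    """Step 1 (active open): SYN carrying the client's random initial sequence number A."""
    return segment("SYN", isn_a)


def server_syn_ack(syn, isn_b):
    """Step 2: acknowledge A+1 and pick the server's own random sequence number B."""
    if syn["flags"] != "SYN":
        raise ValueError("expected SYN")
    return segment("SYN-ACK", isn_b, (syn["seq"] + 1) % MAX_SEQ)


def client_ack(syn_ack, isn_a):
    """Step 3: verify that A was acknowledged, then send seq=A+1, ack=B+1."""
    if syn_ack["flags"] != "SYN-ACK":
        raise ValueError("expected SYN-ACK")
    if syn_ack["ack"] != (isn_a + 1) % MAX_SEQ:
        raise ValueError("SYN-ACK does not acknowledge our sequence number")
    return segment("ACK", syn_ack["ack"], (syn_ack["seq"] + 1) % MAX_SEQ)


def server_accepts_ack(ack, isn_b):
    """The server moves to ESTABLISHED only if the ACK acknowledges B+1; an ACK with any
    other number (a stray or forged segment) leaves it waiting in SYN_RECEIVED."""
    return ack["flags"] == "ACK" and ack["ack"] == (isn_b + 1) % MAX_SEQ


def handshake(isn_a=None, isn_b=None):
    """Run the three steps and report the segments plus the stage each side ends in.
    Random initial sequence numbers are drawn when none are supplied."""
    if isn_a is None:
        isn_a = secrets.randbelow(MAX_SEQ)
    if isn_b is None:
        isn_b = secrets.randbelow(MAX_SEQ)
    syn = client_syn(isn_a)               # client -> SYN_SENT; server -> SYN_RECEIVED on receipt
    syn_ack = server_syn_ack(syn, isn_b)  # the server's direction now has its sequence number
    ack = client_ack(syn_ack, isn_a)      # client -> ESTABLISHED
    server_stage = "ESTABLISHED" if server_accepts_ack(ack, isn_b) else "SYN_RECEIVED"
    return {"client": "ESTABLISHED", "server": server_stage, "segments": [syn, syn_ack, ack]}


if __name__ == "__main__":
    # Constructed initial sequence numbers so the arithmetic is easy to follow by eye.
    for seg in handshake(isn_a=1000, isn_b=5000)["segments"]:
        print(seg)
```

Steps 1 and 2 fix the client's sequence number (A, acknowledged as A+1); steps 2 and 3 fix the server's (B, acknowledged as B+1). The random initial numbers are what make a blind third party unable to complete a handshake on someone else's behalf, which is why a stateful firewall can trust the ACK stage it sees.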
Give me a specific example of a time when you used good judgement and logic in solving a problem.
User Submitted Interview Answers
1. 1) We had trouble setting up a VPN between branch networks. I set up a lab environment with the permission of the company and then tried every different way possible in order to build Phase 1 and Phase 2. 2) We were having a problem with packet drops due to an unknown reason and intermittent traffic. I coordinated with the MPLS providers and did captures using the Monitor interface of Palo Alto. After deep-dive troubleshooting I realized that due to high traffic some of the bigger packets were being dropped due to fragmentation. When I set the do-not-fragment bit, the throughput increased significantly. 2. Three days ago I solved an issue at our customer's in five minutes because of my experience.
User Submitted Interview Answers
1. The time when we had a big project and because of my small mistake my TL removed me from that project. At that time I was very depressed.
When interviewing for a job as a Cisco Network Engineer, come armed with compelling stories of how your networking saved the day – or didn’t. It’s OK to talk about efforts that didn’t turn out so well, as long as you describe what you learned along the way. To many hiring managers, the learning is the key.
The Cisco certification is designed to demonstrate that you can plan, implement, verify and troubleshoot local and wide area enterprise networks. Interviewers want to gauge your experience level and technical knowledge, which in most cases calls for brief, detailed stories. If you can talk security, voice, wireless and video, you’re bound to have some compelling tales.
Have you managed heterogeneous networks and environments, supporting both Linux and Windows-based networking?
What most people say: This is not a yes or no question. Elaborate on your experience. (Note to interviewers: Open ended questions yield better answers than yes-or-no queries.)
What you should say: Describe the challenges hybrid environments pose, but don’t gloss over the problems or your struggles. Explain how you managed a tough situation or found an innovative solution.
Why you should say it: The Linux Foundation’s Enterprise End User study has found that companies are deploying more Linux while keeping their Windows servers. That means you need to show proficiency in both.
What are some examples of troubleshooting methods you’ve successfully used in the past?
What most people say: Someone who’s never been in charge of a troubleshooting project and simply did what they were told might give a generic answer or outline some more traditional troubleshooting methods. That doesn’t make them stand out.
What you should say: Every network issue is different, and say so. Then be specific about how you identified a particular problem and went about fixing it. For example, just mentioning that you’ve used the Top Down or Bottom Up approach is helpful, but offer specific details.
Why you should say it: The details show the interviewer that you have specific and successful troubleshooting experience.
What tools do you typically use to isolate and troubleshoot network issues?
What many people say: They list the names of the tools.
What you should say: Explain your selection process and throw in something illustrating your diligence and attention to detail.
Why you should say it: The interviewer wants to know more than the names, but also why you prefer them. This allows the manager to get a deeper understanding of your real knowledge of networking in all environments.
What are some ways you’ve improved network performance in the past?
What most people say: They talk about problems they’ve fixed in the past, but not necessarily how they’ve improved performance.
What you should say: Qualified candidates usually have crowning moments to talk about, instances where they’ve taken on a project and seriously improved the network’s performance. You should jump on this question and answer it with strength and excitement.
Why you should say it: Most companies are looking not only for network engineers who are problem-solvers, but for people who can strengthen their networks and organization.
How much experience do you have working with the development team as well as the sysadmin/networking team?
What most people say: The DevOps concept of integrating the development and operations teams is fairly new, so don’t fudge it if you’ve been on only one side or the other. These teams focus on shrinking development time, saving money and eliminating conflicts between developed projects and operational integration, and rely heavily on open communication.
What you should say: Even if you haven’t been on such a team, here’s an opportunity to tell a story about a related skill, such as your ability to work closely with other units or to communicate effectively.
Why you should say it: As these teams become more common, you’ll need to be able to articulate this experience or your willingness to dive in.
What things should be considered when designing an enterprise network?
What most people say: They mention some of the more generic things to be considered (which can easily be found through a basic Internet search; managers know that).
What you should say: Begin with, “That depends, because a cookie-cutter approach just won’t work when it comes to enterprise network design.” Then outline a specific enterprise network you’ve designed and its particular concerns.
Why you should say it: This type of answer lets the interviewer know more about your specific level of experience rather than just your level of technical knowledge. In just about every case, experience trumps knowledge.
Describe your experience with software-defined networks (SDNs).
What most people say: They provide very granular and specific answers.
What you should say: Respond with a detailed, but high-level approach.
Why you should say it: The company may not yet have decided which way to go, since there are some pretty specific technological disagreements about SDNs.
Describe how you’ve met the challenges associated with IPv6.
What most people say: Usually that IPv6 is a problem that can be worked around with approaches like network address translation.
What you should say: IPv6 is a real and definite challenge that needs to be met head on.
Why you should say it: It’s true and the answer sounds proactive.
We compiled these questions and answers with the Linux Foundation’s training