Getting Past the PIX Firewall Exam
The newest version of Cisco's exam tests your knowledge of AAA, failover, VPNs, and setup, configuration and management of the Cisco PIX Firewall.
by Andy Barkl
August 2005
Cisco's Certified Security Professional (CCSP) certification, created by Cisco
in 2001, isn’t the most popular security certification in the industry; however,
in the world of Cisco, it’s perfect for those who want to prove they have what
it takes to build, configure and manage secure Cisco networks. One of the five
exams needed to earn the CCSP (along with a valid CCNA) is the Cisco Secure
PIX Firewall Advanced exam (CSPFA, #642-521). The CSPFA exam can also be coupled
with the SECUR exam (642-501) to obtain the Cisco Firewall Specialist certification.
Passing this exam can also recertify your CCNA or CCDA for three years.
The exam comprises some simulation-based questions (I received two) and
advanced question types, such as pick-and-place or drag-and-drop; all other
questions are of the standard multiple-choice format, with either one or a
designated number of correct answers. Some questions include text exhibits
(command output, for example) and network-logic diagrams that you must analyze,
together with the stated access requirements, to choose the correct answer.
There were approximately 64 questions on my exam, with 75 minutes to complete
it and a passing score of 825.
While I haven't taken any other CCSP exams (I'm on that path now), I have taken
all of the company's CCNP exams, and I can honestly say that I believe this
exam is easier than any of those. That doesn't mean this exam is a walk in the
park, however. You'll want to make sure you're very familiar with the topics
outlined in this exam's official objectives, available on Cisco's Web site.
We'll look at some of the major topic areas outlined in these objectives
below.
Study Materials
To help you master all of the listed exam objectives, there are self-study guides,
the official Cisco CSPFA course (if you prefer instructor-led training) and
plenty of resources available for free at Cisco.com. To get you started, I recommend
you study the information presented in the following links:
Exam Availability
Live, available at Pearson Vue and Prometric testing centers worldwide.
Reviewer's Rating
"Easier than the CCNP exams, but candidates must still be fully prepared. The simulator-based questions are challenging but can be answered without much hands-on."
Test Information
55-65 questions, 75 minutes. Cost: $125 (U.S.).
Who Should Take This Exam?
Candidates for CCSP or the Cisco Firewall Specialist Certification
Getting Started
Although the CSPFA exam, by name, aims to test your knowledge of Cisco’s PIX
Firewall, it requires you to have a comprehensive understanding of firewall
technologies. So before we get started, ask yourself some questions:
Can you describe the major security threats to today’s networks?
Are you familiar with all types of firewalls?
How well do you know the current Cisco PIX Firewall product line?
Are you comfortable with both the Command Line Interface (CLI) and the PIX
Device Manager (PDM)?
Do you understand how access control lists (ACLs) differ between the PIX
OS and the IOS?
When is the last time you studied IP multicast configuration?
Can you explain Cisco Secure Access Control Server (CSACS), CiscoWorks,
and Firewall Management Console (MC)?
Basic Commands
Obviously, PIX Firewall configuration skills are crucial for this exam. So, you'll
have to know the command set thoroughly; it differs from the Cisco IOS command
set. One of the greatest features of the PIX OS command set is that you can
remain in configuration mode and issue show, copy and write commands without
exiting to privileged mode.
There are many primary PIX OS commands you should be familiar with for this
exam:
show version - displays the OS version, installed activation keys and licensed options
show ip address - displays the address and mask assigned to each named interface
show interface - displays each interface's hardware, line status and packet statistics
copy tftp flash - copies a software (or PDM) image from a TFTP server into flash; configurations are backed up to and restored from a TFTP server with write net and configure net
write erase - clears the startup configuration stored in flash
write memory - saves the running configuration to flash
write terminal - displays the running configuration
Tip: The reload command reboots the PIX Firewall.
Security Threats
You’ll also have to know about the major types of security threats to networks:
reconnaissance attacks
access attacks
denial-of-service (DoS) attacks
The first of these is where the attacker collects information about a network
using any means possible. Access attacks generally refer to some level of unauthorized
data access. And DoS attacks occur when something or someone has overloaded
a host or network to the point that it’s no longer usable for legitimate access.
You won’t necessarily be asked to identify a particular type of attack on this
exam but you should be familiar with the devices, methods and prevention techniques
to thwart an attack.
Firewalls
Firewalls come in a variety of configurations and implementations:
Packet-filtering firewalls limit the information transmitted into a network
based on static packet-header information (routers with access control lists).
Proxy-server firewalls control the connections between a client on an internal
network and the Internet.
Stateful packet-filtering firewalls combine the best of both worlds (Cisco
PIX).
The Cisco PIX Firewall family includes the 501, 506E, 515E, 525, 535 and FWSM.
The 501 is designed to support the SOHO (small office/home office) market segment.
With the primary interfaces inside and outside, it supports most everything
the bigger, higher-numbered models do with the exception of DMZ interfaces and
failover. The 506E is similar in hardware limitations to the 501. It does however
support additional VPNs, and it’s recommended for ROBO (remote office/branch
office) implementations. The new 515E, which replaced the 515, supports multiple
interfaces for DMZ connections and failover. As we continue to move up the model
lineup, the 525 and 535 support greater throughput with additional interfaces.
The 515E is recommended for small- to medium-sized businesses, whereas the 525,
535 and FWSM (Firewall Services Module), a blade installed in Cisco Catalyst
6500 series switches and Cisco 7600 series routers, are recommended for
enterprise-sized businesses and service providers.
Tip: Using multiple FWSMs, you can support a network throughput
of 12Gbps, where each unit supports 5Gbps.
PIX Operating System
At the heart of the Cisco PIX Firewall is the Finesse operating system. It’s
not Windows NT- or Linux-based, but it does include the popular CLI modes and
similar command set found in Cisco routers. The Unprivileged mode, referred
to as the User mode, is available when you first access the PIX through a console
or Telnet session. After typing enable and the correct password, you
enter the Privileged mode of the CLI. From here you can issue most write, show
and even copy commands. You must enter Configuration mode with configure
terminal to perform any device configuration. As previously mentioned, you
can remain in configuration mode from this point on and issue any configuration
or privileged commands. The one exception is password recovery, which is done
from Monitor mode (entered by interrupting the boot sequence from the console)
by loading Cisco's password-recovery image over TFTP.
The PIX Six
There are six basic commands to configure the PIX out of the box:
nameif
interface
ip address
nat
global
route
I like to call these the “PIX Six.” The nameif command is used to assign
the names inside, outside, dmz and so on to the physical ports of the PIX. It’s
also used to assign interface Adaptive Security Algorithm (ASA) security levels;
for example: nameif ethernet2 dmz security50. This assigns a name of “dmz”
and a security level of 50 to the third physical interface in the PIX. Interface
numbering starts with E0 at security level 0, which is the default for the outside
interface, and E1 at security level 100 for the inside. Did you catch that? The
“0” in “E0” can stand for “o,” as in “outside,” and the “1” in “E1” for “i”
as in “inside.”
Also, know the default interfaces, names and security levels for the exam.
Remember that network traffic cannot flow by default from a lower-level security
interface to a higher level! In addition, traffic can never flow between interfaces
with the same security level.
The interface command identifies the hardware, sets the speed and duplex, and
administratively enables an interface. For example, the command interface
ethernet0 100full enables the outside interface and configures it for 100Mbps,
full duplex (the hardware ID can be abbreviated to e0, and the keyword auto lets
the interface negotiate its speed and duplex).
The ip address command assigns an address to a specified interface.
For example: ip address dmz 172.16.0.1 255.255.255.0.
The nat command enables network address translation for hosts connecting
from the inside to the outside of the PIX. In most configurations, the nat
command will be followed up and associated with a global command. For
example, the commands nat (inside) 1 0.0.0.0 0.0.0.0 and then global
(outside) 1 192.168.0.20-192.168.0.254 configure all inside host addresses
to be converted to an address on the outside interface in the assigned global
pool.
To illustrate the route command, consider the command route outside
0.0.0.0 0.0.0.0 192.168.1.1 1. This specifies a default route: all traffic for
which the PIX has no more specific route leaves through the outside interface
to the next-hop router 192.168.1.1; the trailing 1 is the metric. Additional
static routes are needed for any “remote” subnets that sit behind routers on
the inside or DMZ, because the PIX knows only its directly connected networks.
Tip: The nat 0 command disables address translation for a specific host
or network, which must then be routable as-is on the far side. This is also
referred to as Identity NAT.
PAT is a combination of an IP address and source port number for each unique
session. It uses the same IP address for all packets but a different source
port, allocated from 1024 upward, for each session. PAT and NAT can be used
together: when a global pool and a PAT address share the same NAT ID, the pool
is used first and PAT takes over once the pool is exhausted. The PAT address
can be an address different from the outside interface IP address, or it can be
the outside interface IP address itself; in either case, the PIX can support up
to 64,000 connections per PAT address for inside hosts. Know the command to
enable PAT using the outside interface’s IP address: global (outside) 1 interface.
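The “PIX Six” plus PAT and identity NAT, assembled into one working baseline configuration as an added example (not configuration from the article; the dmz interface, all addresses and the exempted host are assumptions, and lines beginning with a colon are comments the PIX ignores):

```text
: Added example, not from the article. Three-interface PIX 515E baseline built
: from the "PIX Six" plus PAT and identity NAT. All addresses are assumptions.
: 1. nameif: names and ASA security levels (outside=0, inside=100, DMZ between)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
: 2. interface: hardware ID, speed/duplex, administratively up
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
: 3. ip address: one address per named interface
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
: 4. nat: translate every inside host (0.0.0.0 0.0.0.0 = any) that goes to a
:    lower-security interface, using NAT ID 1 ...
nat (inside) 1 0.0.0.0 0.0.0.0
: 5. global: ... into this outside pool; when the pool is exhausted the PIX
:    falls back to PAT on the outside interface address (same NAT ID 1)
global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0
global (outside) 1 interface
:    Toward the DMZ the same inside hosts are PATed behind the dmz address
global (dmz) 1 interface
: Identity NAT: the management host keeps its real address on every interface
: (so it must be routable on the far side)
nat (inside) 0 10.0.0.50 255.255.255.255
: 6. route: default route to the ISP router, plus a route for an internal
:    subnet behind a router on the inside; the trailing 1 is the metric
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.1.0.0 255.255.0.0 10.0.0.2 1
: Verify, then save the running configuration to flash
show nameif
show ip address
show nat
show global
show route
show xlate
write memory
```

With this in place an inside host reaching the Internet appears as an address from the outside pool (or, once the pool is used up, as 192.168.1.2 with a translated source port), while 10.0.0.50 appears under its own address; show xlate displays the resulting translation slots.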
PIX Configuration
Syslog configuration on the PIX is fairly straightforward. By sending the output
to a Syslog server, you can trigger alerts and notifications, via e-mail, for
example. There are a few key Syslog configuration commands you’ll want to know
for the exam:
logging on - enables logging
logging host - specifies a Syslog server (and the interface through which it is reached)
logging trap - specifies the severity level (0 emergencies through 7 debugging) of the messages sent to the Syslog server
logging facility - specifies the Syslog facility number (local0 through local7, written as 16 through 23) stamped on the PIX’s messages so the server can file them separately from other devices
The PIX can be configured as both a DHCP server and a DHCP client. Using the primary
command dhcpd enable inside, you enable a DHCP server on the inside interface;
with dhcpd address, you specify the range of addresses for the server to
distribute. There are other dhcpd commands for dns, wins, domain, lease and so
on. To fully understand DHCP and PPPoE on the PIX, read the Cisco documentation
“Using PIX Firewall in SOHO Networks.”
Pay particular attention to the scenarios and commands for configuring the
PIX as a PPPoE client!
Tip: Using the command dhcpd option 150, you can specify
the address of a TFTP server that Cisco IP phones will use.
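The syslog, DHCP server and PPPoE client pieces above combined on one SOHO-style PIX (inside and outside only), as an added example that is not from the article; the syslog server address, DHCP ranges, domain and ISP credentials are assumptions:

```text
: Added example, not from the article: syslog, DHCP server and PPPoE client on
: a SOHO PIX. Server addresses, ranges, domain and ISP credentials are assumptions.
: --- Syslog ---
logging on
: Prefix every message with the time (set the clock or use NTP first)
logging timestamp
: Syslog server reached through the inside interface (UDP 514 by default)
logging host inside 192.168.1.50
: Send level 6 (informational) and more severe messages to that server
logging trap informational
: Stamp messages with facility local4 (20) so the server files PIX logs apart
logging facility 20
: Keep warnings and worse in the memory buffer for "show logging"
logging buffered warnings
: --- DHCP server on the inside ---
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 192.168.1.53 192.168.1.54
dhcpd wins 192.168.1.55
dhcpd domain example.com
: One-day lease, in seconds
dhcpd lease 86400
: Option 150: TFTP server address handed to Cisco IP phones
dhcpd option 150 ip 192.168.1.60
dhcpd enable inside
: --- PPPoE client on the outside (DSL link) ---
vpdn group ISP request dialout pppoe
vpdn group ISP localname user@isp.example
vpdn group ISP ppp authentication pap
vpdn username user@isp.example password s3cret
: "setroute" installs the default route learned from the ISP; do not also
: configure a static default route to the outside
ip address outside pppoe setroute
: --- Verify ---
show logging
show dhcpd binding
show vpdn session
show ip address outside pppoe
```

The logging trap level governs what leaves the box: at informational you receive connection build/teardown messages (302xxx), which is what most alerting and forensics depends on, at the cost of volume; debugging adds the per-packet noise you rarely want on a production server.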
PIX Device Manager
The Cisco PIX Device Manager is one of the alternatives to configuring the PIX
from the CLI. This exam expects you to be familiar with it, plus it comes preloaded
on each and every PIX. Providing a graphical interface using a PC Web browser
and Java, the PDM is also a great learning tool. You can use it to create configurations
and view the resulting CLI commands needed to configure the PIX for advanced
scenarios such as VPNs.
Tip: The PDM runs on Windows, Sun Solaris and Linux.
To configure the PIX for PDM access you must have a DES or 3DES activation key
installed, which is required for SSL support; the show version command displays
the installed keys. To prepare the PIX for a PDM connection, you can use the PIX
Startup Wizard from the console port to configure the primary interface IPs,
domain name, hostname and system time. Once that is complete, connect a PC to
the inside interface, assign it an IP address from the subnet 192.168.1.0/24
(the factory default inside address is 192.168.1.1), and access the PIX by
typing https://192.168.1.1 in the PC’s Web browser. Remember that the PDM
answers only hosts permitted by the http command (for example, http 192.168.1.0
255.255.255.0 inside) and only after http server enable.
The PDM includes both a startup and VPN wizard found under the Tools drop-down
menu. There are five tabs available in the PDM: Access Rules, Translation Rules,
VPN, Hosts/Networks and System Properties. In the final tab, you’ll find the
configuration for Routing and Failover, among others.
Static Statements
Static inside translations allow you to configure the PIX when you want an inside
host to always have the same global IP address on the outside interface. An
example of this command is static (inside,outside) 192.168.0.18 10.0.0.10,
which maps inside host 10.0.0.10 to the outside address 192.168.0.18. Remember
the order: the interface names are listed (inside, outside), but the addresses
that follow are the outside (global) address first and the inside (local)
address second. The static command is also used to configure the PIX to allow
traffic to flow from an interface with a lower security level to one with a
higher security level, such as outside to inside or outside to DMZ. A static
together with an access list will make internal servers accessible to outside
users via SMTP, HTTP, FTP and so on. For example, the following publishes the
DMZ mail server 172.16.1.2 as 192.168.1.11 on the outside and permits only
SMTP to it:
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 172.16.1.20-172.16.1.254 netmask 255.255.255.0
static (dmz,outside) 192.168.1.11 172.16.1.2
access-list 101 permit tcp any host 192.168.1.11 eq smtp
access-group 101 in interface outside
Note that the access list refers to the server’s global (outside) address, not
its real DMZ address: on PIX 6.x the ACL is evaluated on the packet as it arrives
on the outside interface, before the static translation is undone.
Tip: The interface names in the parentheses of the static statement
must be separated by a comma, but the space after the comma is optional.
Access Lists
Access lists in the PIX operate and are configured much the same as they are
in routers using the IOS using the commands access-list and access-group.
One of the differences is that in the PIX, access lists can only be applied
as inbound to an interface. The no command precedes any statement or
list you want to remove.
Tip: Turbo ACLs improve the search time required for large access
lists. It’s only applied to ACLs of 19 entries or more. The command to enable
is access-list compiled.
Object Grouping
Object grouping is a fairly new feature of the PIX (introduced in PIX OS 6.2).
It allows for simplified design, administration and troubleshooting of access
lists, and you will want to be familiar with it for this exam. Object groups
collect the things an access-list entry refers to: hosts (clients or servers)
and subnets, protocols, services (port numbers) and ICMP message types. The
four object group types are network, protocol, service and icmp-type, and a
group can be nested inside another group of the same type with the group-object
command. The primary command object-group creates a group of one of these
types. For example, an object-group network CLIENTS definition containing two
network-object host entries and one network-object subnet entry creates a
network object group named CLIENTS containing two hosts and a network. It can
then be used in an access list as a single statement, as in access-list 101
permit tcp any object-group CLIENTS, which the PIX expands into one entry per
member (visible with show access-list).
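The Static Statements, Access Lists and Object Grouping sections combined into one worked configuration, as an added example that is not from the article: two DMZ servers are published with statics and then exposed to the Internet through object groups, so that the access list stays at two lines however many servers and services are added. Server and management addresses, group names and the service set are assumptions.

```text
: Added example, not from the article. Publish two DMZ servers and permit only
: the required services from the outside using object groups. Addresses, names
: and the service list are assumptions.
: Static translations: DMZ real address -> outside global address
static (dmz,outside) 192.168.1.11 172.16.1.2 netmask 255.255.255.255
static (dmz,outside) 192.168.1.12 172.16.1.3 netmask 255.255.255.255
: Group the published (global) addresses; on PIX 6.x the ACL on the outside
: interface must name global addresses, not the real DMZ ones
object-group network DMZ_SERVERS
  network-object host 192.168.1.11
  network-object host 192.168.1.12
: ... and the TCP services they offer
object-group service WEB_MAIL tcp
  port-object eq www
  port-object eq https
  port-object eq smtp
: Management stations allowed to ping the servers
object-group network NOC
  network-object host 192.168.1.200
  network-object 192.168.2.0 255.255.255.0
object-group icmp-type PING
  icmp-object echo
  icmp-object echo-reply
: One entry per group replaces 2 x 3 individual TCP entries and 3 x 2 x 2 ICMP ones
access-list outside_in permit tcp any object-group DMZ_SERVERS object-group WEB_MAIL
access-list outside_in permit icmp object-group NOC object-group DMZ_SERVERS object-group PING
: Everything else arriving on the outside is dropped by the implicit deny
access-group outside_in in interface outside
: show access-list displays the expanded entries and per-entry hit counts
show access-list outside_in
: Turbo ACL only helps lists of 19 or more expanded entries
access-list compiled
```

Adding a third server is then a single network-object line; the PIX regenerates the expanded entries, and the hit counts in show access-list let you confirm that traffic is matching the entry you expect before you remove the old per-host lines.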
Routing
The Cisco PIX Firewall supports two types of routing (static, dynamic) and protocols
(RIP and OSPF). Static routing is configured with the route command,
as previously mentioned. Dynamic routing using RIP version 1 or 2, and OSPF
is configured using the commands rip and router ospf. Remember
that static routes override dynamic ones! Be sure and review the operation and
basic configuration of OSPF for the exam.
Tip: Running RIP and OSPF together on the same PIX Firewall
is not supported.
IP Multicast
IP multicast was a popular topic on my exam. Understand how to configure the
PIX for support:
multicast interface - enables multicast forwarding on an interface
igmp forward - enables IGMP (Internet Group Management Protocol)
forwarding on an interface
access-list xxx permit - configure an ACL that allows traffic to
the destination class D address
mroute - creates a static route from the source to the next-hop
router
Advanced Protocol Handling
Advanced Protocol Handling is yet another layer of protection offered by the
Cisco PIX Firewall. You may not see many detailed questions about it on the
exam, but you should know your port numbers. The primary command fixup
enables application inspection: the PIX parses the application-layer commands
of a protocol passing through its interfaces, enforces their proper use and
opens only the secondary connections the protocol legitimately negotiates (FTP
data channels, for example); many protocols weren’t designed with security in
mind. Some of the more common examples of using the fixup command are:
no fixup protocol smtp - disables the default SMTP inspection (also known as
Mail Guard, which allows only the seven minimum commands of RFC 821) and
thereby permits the additional commands that some mail servers, such as
Microsoft Exchange, rely on
fixup protocol http 5000 - tells the PIX to also inspect HTTP on port 5000, in
addition to the default port 80 (each protocol’s inspection stays enabled on
its default port unless explicitly disabled)
PIX Intrusion Detection
The PIX intrusion detection feature matches traffic against a built-in set of
signatures grouped into two classes: informational (reconnaissance such as
port sweeps, for example) and attack (access and denial-of-service attempts),
corresponding to the threat categories described earlier. When a signature
matches, the PIX can send an alarm to Syslog, drop the packet or reset the TCP
connection, in any combination. To configure the IDS, the primary command is
ip audit: ip audit name defines a policy and its actions, and ip audit
interface applies it to an interface.
Tip: The shun command dynamically blocks all new connections from a
source host and drops packets of its existing connections, until the shun is
removed with no shun.
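The ip audit and shun commands above in a working configuration, as an added example that is not from the article; the policy names, the disabled signature and the shunned address are assumptions:

```text
: Added example, not from the article: PIX IDS on the outside interface plus a
: manual shun. Policy names and the shunned address are assumptions.
: Informational signatures only raise an alarm; attack signatures alarm,
: drop the offending packet and reset the TCP connection
ip audit name OUT_INFO info action alarm
ip audit name OUT_ATTACK attack action alarm drop reset
ip audit interface outside OUT_INFO
ip audit interface outside OUT_ATTACK
: Silence a signature that is a known false positive in this environment
: (2000 is the ICMP echo reply signature)
ip audit signature 2000 disable
: IDS alarms are Syslog messages 400000-400050, so logging must be on and the
: trap level must include them
logging on
logging trap informational
: Incident response: block 203.0.113.9 completely until the shun is cleared
shun 203.0.113.9
show shun
: ... and lift the block when the incident is over
no shun 203.0.113.9
```

Because a shun is not part of the configuration (it survives neither write memory nor a reload), treat it as an incident-response control and record the address and time elsewhere; the ip audit policies, by contrast, are saved with the rest of the configuration.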
AAA
Authentication, Authorization and Accounting, better known as AAA, is a set
of services when used on a network provide secure access to devices and resources.
You can’t have authorization without authentication! Authentication determines
a user’s identity; authorization defines what the user can do; and accounting
tracks the user’s actions.
Tip: PIX authorization (per-service and per-command authorization) is
supported only with TACACS+. RADIUS can be used for authentication and
accounting, and for per-user downloadable ACLs (see below), but not for the
PIX authorization commands.
The CSACS provides the standard AAA services, and this exam requires that you
be familiar with it. You can download a trial version from Cisco.com with a
free registered account.
The primary commands for configuring the PIX to send AAA requests to a CSACS
server are:
aaa-server TACACS protocol tacacs+
aaa-server RADIUS protocol radius
These define the server group tags; each group then needs at least one server,
for example aaa-server TACACS (inside) host 10.0.0.5 sharedkey (an assumed
address and key). After this is done, you must create the users in the CSACS
console and configure the PIX for AAA authentication using either include or
exclude statements (aaa authentication include ... and aaa authentication
exclude ...), which name the service, the interface, the local and foreign
address ranges, and the server group.
Tip: The command timeout uauth is used to specify
how long the authentication cache should be kept after the user connections
become idle.
Downloadable ACLs are supported per user, by which the user is authorized to
do only what is permitted by the user’s ACL. They can be entered into a CSACS
server and downloaded by a number of PIX Firewalls.
Tip: Downloadable ACLs are supported with RADIUS only. No
support exists for TACACS+.
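The AAA section above as one working cut-through proxy configuration, added here as an example that is not from the article: TACACS+ carries authentication, per-service authorization and accounting, and a RADIUS group is defined for the downloadable-ACL case. Server addresses, shared keys and the exempted host are assumptions.

```text
: Added example, not from the article: cut-through proxy AAA against CSACS.
: Server addresses, keys and the exempted host are assumptions.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.0.0.5 t4c4cskey timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.6 r4diuskey timeout 10
: Authenticate inside users before any traffic (any = the FTP, HTTP, HTTPS or
: Telnet session that triggers the login prompt) from the inside interface
: to anywhere is allowed through
aaa authentication include any inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS
: ... except the monitoring host, which never gets a login prompt
aaa authentication exclude any inside 10.0.0.50 255.255.255.255 0.0.0.0 0.0.0.0 TACACS
: Per-service authorization (TACACS+ only): CSACS decides which services an
: authenticated user may open through the PIX
aaa authorization include any inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS
: Accounting records for the same sessions
aaa accounting include any inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS
: Cached credentials: re-authenticate after 2 hours, or after 30 idle minutes
timeout uauth 2:00:00 absolute uauth 0:30:00 inactivity
: Alternative for per-user downloadable ACLs: authenticate against RADIUS and
: let the ACL returned by CSACS (rather than aaa authorization) restrict the user
: aaa authentication include any inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 RADIUS
: Who is currently authenticated, and which ACLs (downloaded ones included) exist
show uauth
show access-list
```

The exclude statement is evaluated before the include, which is how you keep monitoring systems and other unattended hosts from hanging on a login prompt; keep the exempted range as narrow as the /32 shown, because anything excluded bypasses authorization and accounting as well.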
Failover
Failover comes in two forms in the Cisco PIX Firewall -- cable-based (standard)
and LAN-based. Both work the same way using two identical PIXs, for both software
and hardware (same model, memory, interfaces, OS version and activation keys).
Standard failover uses the failover ports and a specially wired serial cable
between the two PIXs, labeled Primary and Secondary at its ends; the cable is
what tells each unit which one it is. LAN-based failover replaces that cable
with a dedicated Ethernet interface on each unit, connected through a dedicated
switch, hub or VLAN (a crossover cable between the units is not supported for
LAN-based failover), which also removes the serial cable’s distance limit.
Whether users must reconnect after a switchover depends on a separate option,
stateful failover: without it, all existing connections are lost; with it, the
active unit replicates its connection and translation tables over a dedicated,
fast (100Mbps or gigabit) interface so the standby can take over the sessions
in place.
The primary PIX (the active unit) uses the configured system IP addresses and
MAC addresses for client connections on the network. When the primary fails,
the secondary becomes active and assumes the system IP addresses and MAC addresses
for the network, while the failed unit takes over the standby addresses.
Configuration replication between the two PIXs is mostly automatic (commands
entered on the active unit are copied as you type them), but can be forced with
the command write standby. Other commands required to configure the PIXs for
a failover configuration are:
failover - enables failover (failover active makes a unit the active firewall)
failover ip address - specifies the standby IP address on each interface, used by the standby to communicate with and monitor the active PIX
failover link - specifies the interface where a fast LAN link is available for stateful failover
failover lan unit, failover lan interface, failover lan key and failover lan enable - identify the unit as primary or secondary, name the dedicated LAN-based failover interface, set the shared key that authenticates failover messages between the units, and switch from cable-based to LAN-based failover
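The failover commands above as one LAN-based, stateful configuration for a pair of identical PIX 515Es, added here as an example that is not from the article; the interface names, addresses and failover key are assumptions, and the bootstrap commands the secondary unit needs before it can receive the replicated configuration are listed in the comments at the end:

```text
: Added example, not from the article: LAN-based stateful failover on two
: identical PIX 515Es. Interface names, addresses and the key are assumptions.
: ethernet2 carries failover control (LAN-based), ethernet3 carries state
nameif ethernet2 failover security10
nameif ethernet3 stateful security20
interface ethernet2 100full
interface ethernet3 100full
ip address failover 10.255.0.1 255.255.255.0
ip address stateful 10.255.1.1 255.255.255.0
: Standby addresses the secondary unit uses on every interface
failover ip address outside 192.168.1.3
failover ip address inside 10.0.0.2
failover ip address failover 10.255.0.2
failover ip address stateful 10.255.1.2
: LAN-based failover instead of the serial cable (dedicated switch or VLAN
: between the units; no crossover cable)
failover lan unit primary
failover lan interface failover
failover lan key S3cretF0Key
failover lan enable
: Stateful failover over its own link so TCP connections survive a switchover;
: HTTP connections are replicated only when asked for
failover link stateful
failover replicate http
: Hello interval in seconds (3-15); lower detects failure sooner
failover poll 5
failover
write memory
: Secondary unit bootstrap (entered on its console; everything else arrives
: from the primary by replication):
:   nameif ethernet2 failover security10
:   interface ethernet2 100full
:   ip address failover 10.255.0.1 255.255.255.0
:   failover ip address failover 10.255.0.2
:   failover lan unit secondary
:   failover lan interface failover
:   failover lan key S3cretF0Key
:   failover lan enable
:   failover
: Verify on the primary: both units "Normal", interfaces "Normal", and the
: stateful link counters incrementing
show failover
write standby
```

Note that the secondary is configured with the same system address on the failover interface as the primary (10.255.0.1) plus the standby address; it is the failover lan unit keyword, not the cable, that decides which unit is primary in the LAN-based form.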
Remote Access
Remote access for configuration management of the PIX can be accomplished in
several ways. Telnet is one of the most common, but the PIX does not allow Telnet
access on the outside interface unless the session arrives inside an IPSec
tunnel; for administration from the outside, use SSH instead (which additionally
requires a DES or 3DES activation key and an RSA key pair generated with ca
generate rsa key). To configure Telnet access, the following commands are
required:
telnet ip address netmask interface - specifies which hosts may Telnet in, and on which interface
passwd password - sets the Telnet login password (also used for SSH with the default username pix, and for the PDM)
Command authorization is tied to remote access and is configured using the
following commands, for example:
enable password password - sets the enable password
privilege show level 8 command access-list - allows a user to issue
the show commands for access lists
aaa authorization command LOCAL - checks the PIX user database for
authorization
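The remote-access and command-authorization commands above combined into one management-plane configuration, added here as an example that is not from the article: SSH from a management subnet on the outside, Telnet on the inside only, local users with privilege levels, and command authorization against the local database. Addresses, usernames and passwords are assumptions.

```text
: Added example, not from the article: management access and local command
: authorization. Addresses, usernames and passwords are assumptions.
hostname pix1
domain-name example.com
: SSH needs an RSA key pair (DES/3DES activation key required); save it to flash
ca generate rsa key 1024
ca save all
: SSH permitted from the NOC subnet on the outside and from the inside;
: Telnet from the inside only (never allowed on the outside in the clear)
ssh 203.0.113.0 255.255.255.0 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 10
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
: Telnet/SSH/PDM login password (without AAA, SSH logs in as user "pix")
passwd L0ginPass
enable password En4blePass
: Local users with their privilege levels
username noc password NocPass privilege 8
username admin password AdmPass privilege 15
: Let level 8 run only these show commands in addition to level-0/1 defaults
privilege show level 8 command access-list
privilege show level 8 command xlate
privilege show level 8 command conn
: Authenticate console, SSH and enable against the local user database, so
: each operator logs in under his own name and lands at his own level
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
: Enforce the per-command privilege levels
aaa authorization command LOCAL
: Verify: which commands each level may run, and your current level
show privilege all
show curpriv
write memory
```

Enable aaa authorization command LOCAL only after the username lines and the privilege assignments are in place and you have confirmed them from a second session; if the database has no level-15 user when authorization takes effect, recovering means the Monitor-mode password-recovery procedure mentioned earlier.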
Firewall MC
The Cisco Firewall MC is very similar in layout and operation to that of the
PDM. It centralizes the management of multiple PIX Firewalls.
Tip: The Firewall MC supports up to 1,000 PIX Firewalls.
Cisco’s Auto Update Server (AUS) likewise supports up to 1,000 PIX Firewalls.
Configured firewalls periodically contact the AUS to upgrade software images,
configurations and PDM versions; on the PIX, the auto-update server command
points the firewall at the AUS. AUS is a component of CiscoWorks and may be
available for trial download by the time this article is published.
Tip: PIXs contact the AUS server on port 443 (HTTPS).
Life After the Firewall Exam
After passing the CSPFA exam, you’ll have a much greater appreciation and understanding
of PIX Firewall implementation and configuration. Most candidates take this
exam and then the SECUR. This means that after passing this exam, you’re halfway
to being a Cisco Firewall Specialist, or one-fifth of the way to being CCSP-certified.
And with the certification, you’ll be recognized as being able to support one
of the most popular firewall devices on the market!
Andy Barkl, CCNP, CCDP, CISSP, MCT, MCSE:Security, MCSA:Security, A+, CTT+,
i-Net+, Network+, Security+, Server+, CNA, has over 19 years of experience in
the IT field. He's the owner of MCT & Associates LLC, a technical training
and consulting firm in Phoenix, Arizona. He spends much of his time in the classroom
but has also been responsible for many Microsoft Windows 2000, Exchange 2000,
and Cisco networking deployments for many clients across Arizona. He's also
the online editor for MCPMag.com, TCPMag.com, CertCities.com, and a contributing
author and editor for Sybex and Cisco Press. He hosts a multitude of exam preparation
chats monthly on MCPmag.com, TCPmag.com and CertCities.com. You can reach him
at andy.barkl@wetrainit.com.
Current TCPmag.com user comments for "Getting Past the PIX Firewall Exam"
8/10/05 -
Chris Heffner
from www.certified-labs.com
says:
Andy,
Just want to make everyone aware that the Cisco PIX course is being updated for the PIX 7.0 materials which means the exam will change soon also. Keep your eyes open for the changes.
8/11/05 -
bummy
from the liquor store
says:
Nice overview!
9/2/05 -
Gawel Mikolajczyk
from Poland
says:
Thanks Andy for the review. I enjoy reading this site.
Took the exam today, still 6.3. Know your stuff - multicast (lots!), dynamic routing (OSPF, RIP), policy NAT, failover (and fo LAN), FWSM, PIX MC, PDM, AUS, Easy VPN, downloadable ACLs w/ACS. These not-so-basic features will be asked thoroughly during the exam. You should expect to be asked virtually every topic from the objectives. Having taken SECUR before, I consider CSPFA more difficult.
Although, PIX OS 7.0 is to be incorporated into exams soon. The updated Fundamentals of Network Security academy course will include the 7.0 software, and is expected to launch this fall.
10/12/05 -
solomon
from india
says:
You have really given good information
11/2/05 -
px dude
from PL
says:
not so easy as you believe
but yeah GO GO GO
the article gives a nice view of what we can expect
6/15/06 -
Virender
from India
says:
Real good guide. Clears lots of confusion. Very well written Andy!