"When hiring a security engineer, employers want to make sure they select candidates who have the technical knowledge of information security software and hardware to ensure their data will be kept safe in the event of a disaster, whether it be an earthquake or a hacker attack. Before attending an interview for this position, prepare to answer a lot of technical questions that will determine the extent of your understanding of information security systems and how they can be used to protect important data."
During the technical interview, the second interviewer asked, "How would you configure traceroute in a Cisco firewall for a group of Windows users?" I repeated the question to make sure I had heard it correctly, and he responded with, "Windows fundamentally handles traceroute differently than Unix does."
The answer to the question is obviously: you configure ICMP through the Cisco-appropriate syntax for the Windows users. I was thrown off by what he said about Unix and was not even given a chance to actually answer the initial question. So my question is: if you wanted to know the answer to the first question, why would you even ask the second one, basically replacing the first question? How is anyone supposed to know which one to answer, or what the person asking the question is actually looking for?
The problem is that your answer of "You configure ICMP through the Cisco-appropriate syntax for the Windows users" is incorrect. (Or, at best, incredibly vague.) It's definitely a fair question. While Windows uses ICMP for traceroute, it's important to note that Linux technically uses UDP. Therefore, the responses they get from the devices along the path are different, depending on which source device you used to initiate the trace. As such, the required configuration is equally different on the Cisco device. For Windows, you'd need an inbound rule allowing icmp time-exceeded. For Linux, you'd need an inbound rule allowing icmp unreachable. For both, you'd also need to add an "inspect icmp" statement. Looking at his question as well as his explanation after you repeated it, it's safe to say that there was nothing wrong with the way he asked it. The problem is that you didn't know the answer. In fairness, though, it IS a trick question that gets asked of all of us, even me when I applied.
Here is my problem with the question. I know that Linux/Unix/Solaris/AIX all utilize UDP. Some of the more modern and updated Unix-based operating systems do utilize ICMP instead of UDP. My issue is not with the fact that he asked this. Yes, I did get quite flustered and it threw me off, but had he simply stated "How would you configure a Cisco firewall for a specific group of Windows users?", I would have quickly and easily stated that you would create the appropriate network object group containing the subnet(s)/IP(s) of the users and allow icmp time-exceeded. I could have easily sat down in front of a Cisco ASA or PIX and had it implemented and working, I would say, easily in less than 15 minutes. That would also be dependent on the subnet(s)/IP(s) that needed to be added after creating the network object group. So yes, it is a trick question, and I was very confused, as it seemed he wanted to know how to configure it for Linux/Unix, not Windows, even though that is what he asked. I have worked with numerous network devices from numerous vendors, so the exact syntax for each one sometimes escapes me, but I am more than technically competent enough to find the syntax and implement it with no help.

I guess the most insulting part of the interview process is that, based on this interview, the recruiter stated, "You are just average, and we need someone that is exceptional. So we can't proceed with your submission." That is a direct quote. I have made it further in my career with no degree, minimal college education and through my blood, sweat and tears, metaphorically, in less time than most hope to with a bachelor's degree. I work with SMEs and colleagues with 15+ years of experience as their equal. That is not "just average." I have written SLAs, OLAs, technical manuals, disaster recovery plans, training plans, training material, and numerous other things for the DoD, TSA, banks, and municipalities. I have been working on global networks for over 5 years as well.

I have solved problems that engineers with at least twice as much experience as me were unable to solve. I have run into issues that have stumped Microsoft themselves for over two weeks. If this is the career of an "average" engineer, then by all means, I am just average.
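As an added example, not code from the question, the answer or the reply above: a Cisco ASA configuration fragment that lets a defined group of inside users run traceroute through the firewall, covering both the Windows (ICMP echo probe) case the interviewer asked about and the Linux/Unix (UDP probe) case raised in the answer and the reply. The object-group name TRACEROUTE_USERS, the ACL name OUTSIDE_IN, the interface name "outside" and the 10.1.10.0/24 and 10.1.20.15 addresses are assumed placeholders. Intermediate hops answer with ICMP time-exceeded regardless of the probe type; the destination answers a Windows ICMP probe with echo-reply (tracked statefully once "inspect icmp" is on) and a Unix UDP probe with ICMP port-unreachable, which is why the unreachable rule matters for the Unix users.

```text
! Added example with assumed names and addresses; Cisco ASA 8.3+ syntax.
! Group the subnet(s)/IP(s) of the users who are allowed to run traceroute.
object-group network TRACEROUTE_USERS
 network-object 10.1.10.0 255.255.255.0
 network-object host 10.1.20.15
!
! Replies that arrive inbound on the outside interface:
!  - time-exceeded: every intermediate hop, for ICMP (Windows) and UDP (Unix) probes
!  - unreachable:   the destination's port-unreachable for UDP (Unix) probes
! On 8.3+ the destination is the real (inside) address even when it is NATed;
! on pre-8.3 code the mapped (outside) address is used instead.
! If an ACL is already bound inbound on "outside", add these lines to that ACL
! rather than binding a second one (only one ACL per interface and direction).
access-list OUTSIDE_IN extended permit icmp any object-group TRACEROUTE_USERS time-exceeded
access-list OUTSIDE_IN extended permit icmp any object-group TRACEROUTE_USERS unreachable
access-group OUTSIDE_IN in interface outside
!
! Stateful ICMP inspection: the Windows echo-request/echo-reply pair is tracked
! as a connection, so echo-reply needs no explicit inbound rule. "inspect icmp
! error" passes ICMP errors that belong to an existing connection and fixes up
! their embedded addresses through NAT.
! Decrementing TTL is optional: by default the ASA does not decrement TTL and so
! never appears as a hop in the trace; with it set, the firewall shows up.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
```

A quick check after applying it: run "tracert 8.8.8.8" from a Windows host in the group and "traceroute 8.8.8.8" from a Linux host in the group, and confirm with "show access-list OUTSIDE_IN" that the hit counts on the time-exceeded line rise for both and on the unreachable line only for the Linux run (unless the Windows host's last hop is itself unreachable).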