Guide to Firewalls and Network Security
Chapter 7 Solutions
Review Questions
1.
Encryption is used to protect data at what point?
Answer: A. Firewalls are unable to encrypt data in transit on the Internet. Also, it makes no sense to
encrypt data arriving on the external interface from the Internet.
2.
Encryption preserves what aspect of digital data passing between networks? (Choose all that apply.)
Answer: A, B, and C are correct. Encryption has nothing to do with the usefulness or truthfulness of
the content of communications—that is the responsibility of the author.
3.
Which function of a firewall might not be compatible with encryption?
Answer: C. Some protocols and modes that are part IPSec, for instance, encrypt the IP source and
destination header information of packets, which makes it impossible for NAT to work.
4.
Which of the following aspects of firewalls is made worse by encryption?
Answer: B. Encryption is a very CPU-intensive process that can slow down communications through
a firewall even more than they already are.
5.
Complete this sentence: An attack in which a hacker intercepts a public key is called a
______________…
Answer: C
6.
What is the difference between a digital signature and a digital certificate?
Answer: A digital signature is part of a digital certificate. A digital signature is just an encrypted code.
A digital certificate includes information about the holder of the certificate, the CA that issued it, and
so on.
7.
What is the main advantage of using symmetrical cryptography?
Answer: D. Symmetrical cryptography is not as secure as public-private key cryptography; however, it
is much faster and requires fewer system resources.
8.
What is the advantage of using asymmetrical cryptography?
Answer: C. Asymmetrical cryptography is more secure than symmetrical because the user’s private
key is never exchanged and cannot be intercepted in transit.
9.
You handle security for a corporation with 10 branch offices and 5,000 employees. You are tasked
with issuing security keys to each of these employees. How would you handle this?
Answer: Don’t try to do the key management manually; turn instead to a Certification Authority (CA)
to handle the issuance and management—to function as a Key Distribution Center (KDC), in other
words.
10. Which of the following provides for authentication?
Answers: D. Answer B., tunnel mode, encapsulates and/or encrypts data but does not provide for
authentication.
11. Finish this sentence: IPSec can save you the time and expense of installing...
Answer: A.
12. What does an IPSec policy do?
Answer: A.
Guide to Firewalls and Network Security
Chapter 7 Solutions
13. In what environment would you specify an IPSec policy in Group Policy?
Answer: B. A is too vague; you only need IPSec for communications that require a heightened
level of security..
14. X.509 certificates make use of what entity?
Answer: B
15. Finish the following sentence: IPSec is not a security method that provides __________....
Answer: ...end-to-end (in other words, end-user to end-user) security.
16. What can digital certificates authenticate that IPSec cannot?
Answer: D
17. Digital certificates contain digital signatures and public keys as well as detailed information about the
certificate holder. However, the quality of all that information depends on one thing that neither you nor the
certificate holder can control. What is it?
Answer: C. You need to place trust in the Certification Authority that the holder of the certificate is
indeed who he or she claims to be.
18. What function of PGP can effectively erase unencrypted files from hard disks?
Answer: A
19. Which of the following is a “hybrid” security scheme that uses both symmetric and asymmetric encryption?
(Choose all that apply.)
Answer: C, D
20. What do the terms “thumbprint” or “fingerprint” mean in the context of encryption?
Answer: They describe the digital signature that is part of a digital certificate.
Hands-on Projects
Project 1
The digital “fingerprint of your PGP signing key consists of a hexadecimal code that can also be expressed
in English. The hexadecimal code consists of ten groups with four characters each. The English version
consists of twenty separate words. You toggle between the two versions of the fingerprint by checking or
un-checking the Hexadecimal box.
Project 2
You get the size in data bits of the key; the KeyID; the date the key was issued; the user’s name, and the
user’s e-mail address.
Project 3
N/A
Project 4
You see the original file plus an encrypted version, which has the file extension .pgp as well as the label
PGP Encrypted File
Project 5
You can select a standard key size (768, 1024, 1536, 2048, or 3072 bits), or enter a custom key size up to
4096 bits.
Project 6
The name of the certificate is now listed in the
Guide to Firewalls and Network Security
Root Certificate box.
Chapter 7 Solutions
Case Projects
Case Project 1
As a prerequisite for accessing your files, require all of the members of the company that are to be given
access to obtain digital certificates. Have them digitally sign all e-mail messages that they exchange with
you.
Case Project 2
Both individuals should obtain a public/private key pair generated by an encryption program (The freeware
version of PGP would be an obvious choice.) You would obtain each other’s public key from a key server.
Then, attach the key to an e-mail address and use the key to encrypt your communications. The recipient
can then use his or her private key to decrypt the communications.
Case Project 3
Change the subkey associated with the signing key and use the new subkey to generate encryption keys.
You can then use the encryption keys to encrypt your e-mail or individual files.
Case Project 4
Right-click the file, point to PGP in the popup menu, and choose Encrypt to encrypt the file. Then rightclick the unencrypted version of the file, point to PGP, and choose Wipe, which erases the file completely
from your hard disk.
Guide to Firewalls and Network Security
Chapter 7 Solutions