End of Chapter Solutions Template

Guide to Firewalls and Network Security
Chapter 3 Solutions
Review Questions
1. What is the primary function of a router?
Answer: D
2. What are the limitations of a single dual-homed computer that uses a software firewall installed on the
same computer for its security?
Answer: It’s generally less secure to use the same machine for everyday computing and for operating
the firewall; the firewall may have little or no logging capability; and a simple setup presents hackers with
only one layer of protection to break through.
3. Give three reasons why a set of packet filtering rules is important to a firewall.
Answer: Rules implement the approach in the security policy; rules tell the firewall how to respond to
specific types of traffic; rules establish an order that the firewall will follow.
4. How would a firewall implement a “strict” approach to security?
Answer: D. Passwords are important no matter what level of security is being implemented;
application proxy gateways/proxy servers correspond to a “strict” approach to security specifically.
5. A specialty firewall can be installed to work with what kind of network feature/service?
Answer: B, D
6. The ability of a firewall to grow in capacity to meet the changing needs of the organization it protects
is called...
Answer: B
7. What’s the problem with letting the firewall process rules in top-to-bottom order?
Answer: B
8. What’s the advantage of adding a second router between a firewall and the LAN it protects in addition
to a router outside the firewall? (Choose all that apply.)
Answers: A, B, D
9. Consider the following scenario: Your company operates a Web server and is promoting a new line of
products. The server experiences a high number of visits from users on the Internet who want to place
orders. Yet, the server needs to provide protection from viruses and harmful programs both for users in
the company; however, for business reasons you are instructed that commerce and revenue should take
priority over security. Under these circumstances, the server should be positioned where?
Answer: B. Because the priority is business rather than security, the firewall should be placed outside
the protected network. However, placing it in a DMZ protected by two firewalls would place a heavy
load on the firewall that has an interface with the Internet.
10. What three networks have interfaces with a trihomed firewall? (Choose all that apply.)
Answers: A and C are correct. B is incorrect because, while a branch office may serve as the external
network component of a trihomed firewall, a home office would not be part of the firewall setup. D is
incorrect because it’s too specific—an accounting subnet is unlikely to serve as the publicly accessible
DMZ. Web and e-mail services are usually contained in the DMZ.
11. Proxy servers, routers, and operating systems are all designed to perform IP forwarding. If your
security configuration includes a proxy server, why should IP forwarding be disabled on routers and
other devices that lie between the networks?
Answer: Having routers or other devices that lie between the external and internal networks do IP
forwarding defeats the purpose of having a proxy server do IP forwarding. Having the proxy server
perform this function is more secure.
12. The most important configuration file in a firewall is called...
Answer: B
13. A “Deny-All” approach would work under what circumstances?
Answer: Such an approach would block all traffic by default except for specific approved services. It
would be a good approach if the primary goal of the firewall is to block unauthorized access.
14. What is the concept of “least privilege”?
Answer: Least privilege is the practice of organizing a system so that users are given the lowest
possible level of privileges to perform operations.
15. If a firewall is primarily permissive, this places a greater burden on the network administrator to
perform what function?
Answer: A. Answer D is also important in a permissive environment, but a greater burden is placed
on the network admin to educate end-users.
16. Which of the following is a problem that can arise as a result of a “Deny-All” policy?
Answer: B
17. What is the primary difference between a screened host and a dual-homed gateway?
Answer: The screened host is dedicated to performing only security functions.
18. Name two enhancements that are added to a screened host machine.
Answers: packet filtering router, proxy server
19. Layers of protection add what benefits to a network? (Choose all that apply.)
Answers: A, C
20. Why place two routers with IDS at the perimeter of the network rather than one?
Answer: C
21. How does a reverse firewall protect against DDoS attacks?
Answer: It tracks where outbound traffic originates on the local network. If a large number of packets
are detected as coming from unexpected or unauthorized hosts, the network administrator is notified.
Hands-on Projects
Project 1
The drawing should look like Figure 3-1.
Project 2
The drawing should resemble Figure 3-5.
Project 3
You need to draw a diagram that shows traffic passing from the Internet through a router and then through
a network hub. The hub is connected to both the primary and failover firewalls and enables traffic to pass to
both. Each firewall also has a DMZ connected to it. The two firewalls need to be compatible—most likely,
they need to be from the same manufacturer and in a model line that supports stateful failovers.
Project 4
Answers will vary depending on your network configuration.
Project 5
N/A
Project 6
N/A
Project 7
The dialog box that appears after IPv6 is installed states that IPv6 is attempting to send a packet. The
information that appears after you install IP forwarding lists various interfaces. The exact number of
interfaces and the detailed information about them will vary. On the author’s computer, four interfaces
were listed:
Interface 4: Ethernet: Local Area Connection
Interface 3: 6to4 Tunneling Pseudo-Interface
Interface 2: Automatic Tunneling Pseudo-Interface
Interface 1: Loopback Pseudo-Interface
Case Projects
Case Project 1
a) The request would be allowed under In Order because the first rule has an action of Allow
b) The request would be denied
c) The request would be allowed
d) The request would be allowed because the most specific rule (Rule 3) has an action of Allow
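Review Question 7 and Case Project 1 both turn on how the firewall walks its rule list. The following added example (it is not part of the textbook or its solutions; the rule set, addresses and ports are constructed) evaluates the same requests under In Order (first match, top to bottom) and Best Fit (most specific match), and lists the rules an In Order firewall can never reach because an earlier, broader rule covers them.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"  # source network that matches every host

@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # source network in CIDR notation
    port: int | None  # destination port; None matches every port
    action: str       # "Allow" or "Deny"

    def matches(self, src_ip: str, port: int) -> bool:
        return ip_address(src_ip) in ip_network(self.src) and self.port in (None, port)

    def specificity(self) -> int:
        # A longer prefix and an explicit port make a rule more specific.
        return ip_network(self.src).prefixlen + (16 if self.port is not None else 0)

    def covers(self, other: Rule) -> bool:
        # True when every request that matches `other` also matches `self`.
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and self.port in (None, other.port))

# Constructed rule set: a "Deny-All" rule listed first, followed by the exceptions.
RULES = [
    Rule("Rule 1", ANY, None, "Deny"),
    Rule("Rule 2", ANY, 80, "Allow"),
    Rule("Rule 3", "10.0.5.0/24", 22, "Allow"),
]

def in_order(rules, src_ip, port):
    """In Order: the first matching rule, reading top to bottom, decides."""
    for r in rules:
        if r.matches(src_ip, port):
            return r.action, r.name
    return "Deny", "default"  # nothing matched: fall back to deny

def best_fit(rules, src_ip, port):
    """Best Fit: the most specific matching rule decides; ties go to the earlier rule."""
    hits = [r for r in rules if r.matches(src_ip, port)]
    if not hits:
        return "Deny", "default"
    best = max(hits, key=Rule.specificity)
    return best.action, best.name

def shadowed(rules):
    """Rules that can never fire under In Order because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]
```

With the Deny-All rule listed first, `in_order` denies every request while `best_fit` lets Rules 2 and 3 win; `shadowed(RULES)` reports both exceptions as unreachable, and reversing the list (most specific first, Deny-All last) makes the two strategies agree.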
Case Project 2
Rule 1: All ports, Users: All, Time: Always, Action: Deny
Rule 2: Port 80 (HTTP), Users: All, Time: Always, Action: Allow
Rule 3: Port 21 (SMTP), Users: All, Time: Always, Action: Allow
Rule 4: Port 101 (POP3), Users: All, Time: Always, Action: Allow
Rule 5: Port 80/video, Users: All, Time: Night, Action: Deny
Case Project 3
See Figure 3-7 for a possible configuration that satisfies all of these requirements: it includes packet filters
that surround the firewall (at least one of which should perform packet filtering); two DMZs, one for the
public servers and one for the accounting department server; and a VPN tunnel that is installed on the
accounting department server, giving the supplier secure access.