End of Chapter Solutions Template

Guide to Firewalls and Network Security
Chapter 6 Solutions
Review Questions
What distinguishes user authentication from the other security approaches used by
firewalls? (Choose all that apply.)
Answer: Answers: A and B. Packet filtering uses IP addresses and other device-specific criteria to
determine whether traffic should be allowed to pass or not. C and D are incorrect because if machines
are granted access through packet filtering or other means, they can be given access to multiple
networked resources, not just one.
Which of the following is used first by a firewall: authentication, packet filtering
rules, and proxy gateways?
Answer: C
Two-factor authentication is based on ________... (Choose all that apply.)
Answer: B, C
An authenticating server that responds to a login request by generating a random
number or code and expecting to receive that code plus a secret password is making
use of ______________...
Answer: Challenge/response authentication
Name the three As associated with a AAA services.
Answer: Authentication, Authorization, and Auditing (or Accounting).
Kerberos is not recommended for authenticating users who are on what kind of
Answer: D. Kerberos is optimal for use on internal networks; you should not use it to authenticate
individuals who are attempting to connect from the Internet. Answer B, an external private network, is
not a network from which users would be attempting to connect—it's a network the public might
connect to.
Why is Kerberos considered less than secure for the users mentioned in the previous
Answer: B. It generates cleartext passwords which can be intercepted over the Internet.
Authentication systems such as Kerberos and RADIUS are more complex to set up
and use than other systems, so what is the advantage of using them?
Answer: They provide a centralized point from which to manage the authentication passwords and
usernames in an organization. It's far easier to provide all the servers in the company with a centralized
authentication server than having to establish a separate database on each machine.
A document that spells out correct use of passwords is called __________...
Answer: A. An MOU covers the use of passwords as well as general network behavior. An
Acceptable Use Policy (part of a security policy, as described in Chapter 2), is more concerned with
the content of e-mail and newsgroup communications.
Guide to Firewalls and Network Security
Chapter 6 Solutions
A two-factor authentication system requires the user to submit a password and what
other thing? (Choose all that apply.)
Answers: B, C. Two-factor authentication requires a piece of knowledge, such as a password, and a
physical object such as a token or smart card.
Which of the following is not a general type of authentication method?
Answer: C. Electronic signatures can be scanned and used for identification but since
they are easily forged they should not be used alone as a means of network
12. When does a firewall need to authenticate?
Answer: When the firewall needs to apply its rule base to give a specific user or group access to a
specific set of resources
Centralized authentication requires what kinds of trust? (Choose all that apply.)
Answers: A, D. The client and the application server both need to trust the authentication server,
which negotiates the original request for services. Once the authentication and authorization are
complete, the client and the application server don’t need to trust one another directly.
Finish this sentence: Kerberos makes use of service-granting items called...
Answer: B
15. Finish this sentence: Before you can obtain a ticket from a Kerberos server, you must first obtain a...
Answer: Ticket-granting ticket (TGT)
Which of the following is an advantage of TACACS+ over RADIUS? (Choose all
that apply.)
Answer: D
Why is a one-time password system considered more secure than a basic
authentication system? Provide at least two reasons.
Answer: It creates a password that is only used once, that is unique to a particular user, and that is not
stored on a system where it can be stolen.
If TACACS+ provides a much stronger level of security than RADIUS, why would
you consider using a RADIUS server to authenticated dial-in users?
Answer: Because RADIUS is more widely supported than TACACS+, and because, if you use both
a firewall and an authentication server, the firewall will receive communications
directly from the Internet; the firewall and authentication server will communicate
with one another over a trusted network, so the benefits of TACACS+ aren’t so
Which authentication protocol creates one-time passwords that consist of multiple
Answer: C
Why is authentication important with wireless networks?
Answer: Unauthorized users can easily connect if they are in the immediate proximity
of the network and they have a laptop computer equipped with a wireless network
card. If some form of authentication is not used they can quickly access network
Guide to Firewalls and Network Security
Chapter 6 Solutions
Hands-on Projects
Project 1
Project 2
Project 3
Project 4
Project 5
Project 6
Case Projects
Case Project 1
Set up single-user authentication for yourself. First, restrict all access for all users except the administrator
to standard working hours. Then set up a different set of time-based access for yourself as the sole member
of the Administrators group. Set up a unique username and password for yourself (for security purposes,
don’t use the obvious username, Administrator, however.)
Case Project 2
Use a firewall program that supports user and group authentication, such as NetProxy or FireWall-1. Set up
a group of users called Designers. Each member of the group should be assigned a unique username and
password. In addition, set up a centralized authentication server program such as RADIUS or TACACS+
that is designed for dial-in authentication.
Case Project 3
1. Set up a Memorandum of Understanding (MOU) that covers good safety procedures regarding
usernames and passwords. 2. Use smart cards or tokens that need to be read by a bar code reader. Equip
each remote user with a bard cord reader so they can scan their ID card or token as well as entering their
username and password to authenticate themselves.
Guide to Firewalls and Network Security
Chapter 6 Solutions