Guide to Firewalls and Network Security Chapter 6 Solutions

Review Questions

1. What distinguishes user authentication from the other security approaches used by firewalls? (Choose all that apply.)
Answer: A and B. Packet filtering uses IP addresses and other device-specific criteria to determine whether traffic should be allowed to pass or not. C and D are incorrect because if machines are granted access through packet filtering or other means, they can be given access to multiple networked resources, not just one.

2. Which of the following is used first by a firewall: authentication, packet filtering rules, or proxy gateways?
Answer: C

3. Two-factor authentication is based on ________... (Choose all that apply.)
Answer: B, C

4. An authenticating server that responds to a login request by generating a random number or code and expecting to receive that code plus a secret password is making use of ______________...
Answer: Challenge/response authentication

5. Name the three As associated with AAA services.
Answer: Authentication, Authorization, and Auditing (or Accounting).

6. Kerberos is not recommended for authenticating users who are on what kind of network?
Answer: D. Kerberos is optimal for use on internal networks; you should not use it to authenticate individuals who are attempting to connect from the Internet. Answer B, an external private network, is not a network from which users would be attempting to connect—it's a network the public might connect to.

7. Why is Kerberos considered less than secure for the users mentioned in the previous question?
Answer: B. It generates cleartext passwords which can be intercepted over the Internet.

8. Authentication systems such as Kerberos and RADIUS are more complex to set up and use than other systems, so what is the advantage of using them?
Answer: They provide a centralized point from which to manage the authentication passwords and usernames in an organization. It's far easier to provide all the servers in the company with a centralized authentication server than having to establish a separate database on each machine.

9. A document that spells out correct use of passwords is called __________...
Answer: A. An MOU covers the use of passwords as well as general network behavior. An Acceptable Use Policy (part of a security policy, as described in Chapter 2) is more concerned with the content of e-mail and newsgroup communications.

10. A two-factor authentication system requires the user to submit a password and what other thing? (Choose all that apply.)
Answer: B, C. Two-factor authentication requires a piece of knowledge, such as a password, and a physical object such as a token or smart card.

11. Which of the following is not a general type of authentication method?
Answer: C. Electronic signatures can be scanned and used for identification, but since they are easily forged they should not be used alone as a means of network authentication.

12. When does a firewall need to authenticate?
Answer: When the firewall needs to apply its rule base to give a specific user or group access to a specific set of resources.

13. Centralized authentication requires what kinds of trust? (Choose all that apply.)
Answer: A, D. The client and the application server both need to trust the authentication server, which negotiates the original request for services. Once the authentication and authorization are complete, the client and the application server don't need to trust one another directly.

14. Finish this sentence: Kerberos makes use of service-granting items called...
Answer: B

15. Finish this sentence: Before you can obtain a ticket from a Kerberos server, you must first obtain a...
Answer: Ticket-granting ticket (TGT)

16. Which of the following is an advantage of TACACS+ over RADIUS? (Choose all that apply.)
Answer: D

17. Why is a one-time password system considered more secure than a basic authentication system? Provide at least two reasons.
Answer: It creates a password that is only used once, that is unique to a particular user, and that is not stored on a system where it can be stolen.

18. If TACACS+ provides a much stronger level of security than RADIUS, why would you consider using a RADIUS server to authenticate dial-in users?
Answer: Because RADIUS is more widely supported than TACACS+, and because, if you use both a firewall and an authentication server, the firewall will receive communications directly from the Internet; the firewall and authentication server will communicate with one another over a trusted network, so the benefits of TACACS+ aren't so noticeable.

19. Which authentication protocol creates one-time passwords that consist of multiple words?
Answer: C

20. Why is authentication important with wireless networks?
Answer: Unauthorized users can easily connect if they are in the immediate proximity of the network and they have a laptop computer equipped with a wireless network card. If some form of authentication is not used, they can quickly access network resources.

Hands-on Projects

Project 1: N/A
Project 2: N/A
Project 3: N/A
Project 4: N/A
Project 5: N/A
Project 6: N/A

Case Projects

Case Project 1
Set up single-user authentication for yourself. First, restrict all access for all users except the administrator to standard working hours. Then set up a different set of time-based access for yourself as the sole member of the Administrators group. Set up a unique username and password for yourself (for security purposes, however, don't use the obvious username, Administrator).

Case Project 2
Use a firewall program that supports user and group authentication, such as NetProxy or FireWall-1. Set up a group of users called Designers. Each member of the group should be assigned a unique username and password. In addition, set up a centralized authentication server program such as RADIUS or TACACS+ that is designed for dial-in authentication.

Case Project 3
1. Set up a Memorandum of Understanding (MOU) that covers good safety procedures regarding usernames and passwords.
2. Use smart cards or tokens that need to be read by a bar code reader. Equip each remote user with a bar code reader so they can scan their ID card or token as well as entering their username and password to authenticate themselves.
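As an added illustration (not part of the textbook's solutions), the challenge/response exchange from question 4 and the replay resistance behind question 17, written in Python: the server issues a random challenge, the client answers with an HMAC of that challenge under the shared secret, and each challenge is accepted exactly once. The server class, user name and secret are constructed for the demo, not taken from any product.

```python
import hashlib
import hmac
import secrets

def compute_response(shared_secret: str, challenge: str) -> str:
    """Client side: HMAC the server's challenge with the shared secret, so the
    secret never crosses the wire and the reply is tied to one challenge."""
    return hmac.new(shared_secret.encode(), challenge.encode(),
                    hashlib.sha256).hexdigest()

class ChallengeResponseServer:
    """Constructed demo server (not a real product): each issued challenge
    is random and may be answered exactly once."""

    def __init__(self) -> None:
        self._secrets = {}   # user -> enrolled shared secret
        self._pending = {}   # user -> outstanding, unanswered challenge

    def enroll(self, user: str, shared_secret: str) -> None:
        self._secrets[user] = shared_secret

    def challenge(self, user: str) -> str:
        # A fresh random value per login attempt is what makes the
        # response usable only once (the one-time property of question 17).
        nonce = secrets.token_hex(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        # Consume the challenge whether or not the answer is right, so a
        # captured response cannot be replayed against the same challenge.
        nonce = self._pending.pop(user, None)
        shared_secret = self._secrets.get(user)
        if nonce is None or shared_secret is None:
            return False
        expected = compute_response(shared_secret, nonce)
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        return hmac.compare_digest(expected.encode(), response.encode())

def demo():
    """Returns (genuine login ok, replay of the spent challenge, replay
    against a fresh challenge). User and secret are constructed demo data."""
    server = ChallengeResponseServer()
    server.enroll("alice", "correct horse battery staple")
    nonce = server.challenge("alice")
    response = compute_response("correct horse battery staple", nonce)
    genuine = server.verify("alice", response)
    replay_spent = server.verify("alice", response)  # challenge already used
    server.challenge("alice")                         # next login attempt
    replay_fresh = server.verify("alice", response)   # old answer, new nonce
    return genuine, replay_spent, replay_fresh
```

The shared secret still lives on the server, so this shows the "used once" and "unique per challenge" properties of question 17, not the "not stored anywhere" one; a basic password system would accept the captured value every time.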