Guide to Firewalls and Network Security
Chapter 3 Solutions

Review Questions

1. What is the primary function of a router?
Answer: D

2. What are the limitations of a single dual-homed computer that uses a software firewall installed on the same computer for its security?
Answer: It is generally less secure to use the same machine for everyday computing and for operating the firewall; the firewall may have little or no logging capability; and a single-machine setup presents attackers with only one layer of protection to break through.

3. Give three reasons why a set of packet filtering rules is important to a firewall.
Answer: Rules implement the approach set out in the security policy; rules tell the firewall how to respond to specific types of traffic; rules establish the order of evaluation that the firewall follows.

4. How would a firewall implement a "strict" approach to security?
Answer: D. Passwords are important no matter what level of security is being implemented; application proxy gateways (proxy servers) correspond specifically to a "strict" approach to security.

5. A specialty firewall can be installed to work with what kind of network feature/service?
Answer: B, D

6. The ability of a firewall to grow in capacity to meet the changing needs of the organization it protects is called...
Answer: B

7. What's the problem with letting the firewall process rules in top-to-bottom order?
Answer: B

8. What's the advantage of adding a second router between a firewall and the LAN it protects in addition to a router outside the firewall? (Choose all that apply.)
Answers: A, B, D

9. Consider the following scenario: Your company operates a Web server and is promoting a new line of products. The server experiences a high number of visits from users on the Internet who want to place orders. The server also needs protection from viruses and harmful programs, as do users in the company; however, for business reasons you are instructed that commerce and revenue should take priority over security.
Under these circumstances, the server should be positioned where?
Answer: B. Because the priority is business rather than security, the server should be placed outside the protected network, in front of the firewall. Placing it instead in a DMZ protected by two firewalls would place a heavy load on the firewall that has an interface with the Internet.

10. What three networks have interfaces with a trihomed firewall? (Choose all that apply.)
Answers: A and C are correct. B is incorrect because, while a branch office may serve as the external network component of a trihomed firewall, a home office would not be part of the firewall setup. D is incorrect because it is too specific: an accounting subnet is unlikely to serve as the publicly accessible DMZ. Web and e-mail services are usually contained in the DMZ.

11. Proxy servers, routers, and operating systems are all designed to perform IP forwarding. If your security configuration includes a proxy server, why should IP forwarding be disabled on routers and other devices that lie between the networks?
Answer: If routers or other devices that lie between the external and internal networks also perform IP forwarding, traffic can be routed around the proxy server, which defeats the purpose of having one. The proxy should be the only path between the two networks, so that every connection is inspected and re-originated by it; that is more secure than plain packet forwarding. (On a Linux host, for example, forwarding is disabled by setting net.ipv4.ip_forward to 0.)

12. The most important configuration file in a firewall is called...
Answer: B

13. A "Deny-All" approach would work under what circumstances?
Answer: Such an approach blocks all traffic by default and permits only specifically approved services. It is a good approach when the primary goal of the firewall is to block unauthorized access.

14. What is the concept of "least privilege"?
Answer: Least privilege is the practice of organizing a system so that users are given the lowest level of privileges that still allows them to perform their required operations.

15. If a firewall is primarily permissive, this places a greater burden on the network administrator to perform what function?
Answer: A. Answer D is also important in a permissive environment, but the greater burden falls on the network administrator to educate end users.

16. Which of the following is a problem that can arise as a result of a "Deny-All" policy?
Answer: B

17. What is the primary difference between a screened host and a dual-homed gateway?
Answer: The screened host is dedicated to performing only security functions.

18. Name two enhancements that are added to a screened host machine.
Answers: a packet filtering router and a proxy server.

19. Layers of protection add what benefits to a network? (Choose all that apply.)
Answers: A, C

20. Why place two routers with IDS at the perimeter of the network rather than one?
Answer: C

21. How does a reverse firewall protect against DDoS attacks?
Answer: It tracks where outbound traffic originates on the local network. If a large number of packets are detected coming from unexpected or unauthorized hosts, the network administrator is notified, so that internal hosts being used to flood an outside target can be identified and isolated.

Hands-on Projects

Project 1
The drawing should look like Figure 3-1.

Project 2
The drawing should resemble Figure 3-5.

Project 3
You need to draw a diagram that shows traffic passing from the Internet through a router and then through a network hub. The hub is connected to both the primary and failover firewalls and passes traffic to both. Each firewall also has a DMZ connected to it. The two firewalls need to be compatible: most likely they must come from the same manufacturer and from a model line that supports stateful failover.

Project 4
Answers will vary depending on your network configuration.

Project 5
N/A

Project 6
N/A

Project 7
The dialog box that appears after IPv6 is installed states that ipv6 is attempting to send a packet. The information that appears after you enable IP forwarding lists the various interfaces. The exact number of interfaces and the detailed information about them will vary.
On the author's computer, four interfaces were listed:
Interface 4: Ethernet: Local Area Connection
Interface 3: 6to4 Tunneling Pseudo-Interface
Interface 2: Automatic Tunneling Pseudo-Interface
Interface 1: Loopback Pseudo-Interface

Case Projects

Case Project 1
a) The request would be allowed under In Order processing because the first rule has an action of Allow.
b) The request would be denied.
c) The request would be allowed.
d) The request would be allowed because the most specific rule (Rule 3) has an action of Allow.

Case Project 2
Rule 1: All ports, Users: All, Time: Always, Action: Deny
Rule 2: Port 80 (HTTP), Users: All, Time: Always, Action: Allow
Rule 3: Port 25 (SMTP), Users: All, Time: Always, Action: Allow
Rule 4: Port 110 (POP3), Users: All, Time: Always, Action: Allow
Rule 5: Port 80/video, Users: All, Time: Night, Action: Deny

Note on ordering: this rule set assumes a firewall that selects the most specific matching rule (best fit). On a firewall that processes rules top to bottom and stops at the first match (In Order), Rule 1 would deny everything and Rule 5 would be shadowed by Rule 2. For such a firewall the deny-all rule must be placed last and the night-time video deny must precede the general HTTP allow.

Case Project 3
See Figure 3-7 for a possible configuration that satisfies all of these requirements: it includes routers that surround the firewall (at least one of which should perform packet filtering); two DMZs, one for the public servers and one for the accounting department server; and a VPN tunnel that terminates on the accounting department server, giving the supplier secure access.
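The following is an added worked example for Review Question 7 and Case Projects 1 and 2; it is not code from the textbook. It models a packet-filter rule set with both processing methods the chapter contrasts: In Order (first match wins) and best fit (most specific match wins). The rule and packet representation, the field names and the sample packets are assumptions made for illustration; the rule set is the Case Project 2 set above, with SMTP on port 25 and POP3 on port 110.

```python
"""Packet-filter rule processing: In Order (first match) versus best fit.

Added example for this solutions guide, not textbook code. Rule fields and
sample packets are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard: matches every value of a field
FIELDS = ("port", "user", "time", "app")


@dataclass(frozen=True)
class Rule:
    name: str
    port: Optional[int]    # None = all ports
    user: Optional[str]    # None = all users
    time: Optional[str]    # None = always; otherwise "day" or "night"
    app: Optional[str]     # None = any application; e.g. "video"
    action: str            # "allow" or "deny"

    def matches(self, pkt: dict) -> bool:
        """A rule matches when every non-wildcard field equals the packet's."""
        return all(getattr(self, f) is ANY or getattr(self, f) == pkt[f]
                   for f in FIELDS)

    def specificity(self) -> int:
        """Number of non-wildcard fields; more fields means more specific."""
        return sum(getattr(self, f) is not ANY for f in FIELDS)


# Case Project 2 rule set, with the deny-all first, exactly as listed above.
CASE_PROJECT_2 = [
    Rule("Rule 1 deny all", ANY, ANY, ANY, ANY, "deny"),
    Rule("Rule 2 allow HTTP", 80, ANY, ANY, ANY, "allow"),
    Rule("Rule 3 allow SMTP", 25, ANY, ANY, ANY, "allow"),
    Rule("Rule 4 allow POP3", 110, ANY, ANY, ANY, "allow"),
    Rule("Rule 5 deny video at night", 80, ANY, "night", "video", "deny"),
]

# Constructed sample packets (assumptions).
WEB = {"port": 80, "user": "alice", "time": "day", "app": "web"}
NIGHT_VIDEO = {"port": 80, "user": "alice", "time": "night", "app": "video"}
TELNET = {"port": 23, "user": "alice", "time": "day", "app": "telnet"}


def in_order(rules, pkt, default="deny"):
    """In Order processing: the first matching rule wins."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.name
    return default, "implicit default"


def best_fit(rules, pkt, default="deny"):
    """Best-fit processing: the most specific matching rule wins, regardless of position."""
    hits = [r for r in rules if r.matches(pkt)]
    if not hits:
        return default, "implicit default"
    # max() keeps the first maximal element, so ties go to the earlier rule.
    r = max(hits, key=Rule.specificity)
    return r.action, r.name


def reorder_for_in_order(rules):
    """Make a best-fit rule set safe for first-match processing.

    sorted() is stable, so rules of equal specificity keep their relative
    order; the catch-all (specificity 0) ends up last.
    """
    return sorted(rules, key=Rule.specificity, reverse=True)


if __name__ == "__main__":
    for label, pkt in (("web", WEB), ("night video", NIGHT_VIDEO), ("telnet", TELNET)):
        print(f"{label:12} in-order as written: {in_order(CASE_PROJECT_2, pkt)}")
        print(f"{label:12} best fit:            {best_fit(CASE_PROJECT_2, pkt)}")
        print(f"{label:12} in-order reordered:  {in_order(reorder_for_in_order(CASE_PROJECT_2), pkt)}")
```

Run as written, the In Order pass denies every packet at Rule 1, which is the shadowing problem behind Review Question 7; best fit picks Rule 2 for ordinary web traffic and Rule 5 for night-time video, matching the reasoning in Case Project 1(d). After reordering, first-match processing gives the same decisions as best fit.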
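The following is an added example for Review Question 21 (the reverse firewall), not textbook code. It implements the check the answer describes: outbound traffic is tallied per internal source address, and the administrator is alerted when a host that is not expected to originate outbound traffic exceeds a volume threshold, or when a packet claims a source address that does not belong to the local network at all. The flow records, the authorized-source list, the local subnet and the threshold are all constructed assumptions.

```python
"""Reverse-firewall check: flag outbound floods from unexpected internal hosts.

Added example for this solutions guide, not textbook code. All addresses,
flow records and thresholds below are constructed sample data.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Hosts expected to originate outbound traffic (assumption: a web proxy and a mail relay).
AUTHORIZED_SOURCES = {"192.168.1.10", "192.168.1.25"}
LOCAL_NET = ip_network("192.168.1.0/24")   # the protected LAN (assumption)
THRESHOLD = 50                              # outbound packets per source before alerting (assumption)

# Constructed outbound flow records: (src, dst, dst_port, packets)
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.5", 80, 120),     # proxy: expected
    ("192.168.1.25", "198.51.100.9", 25, 30),     # mail relay: expected
    ("192.168.1.77", "203.0.113.200", 80, 900),   # workstation flooding an external web server
    ("192.168.1.77", "203.0.113.201", 80, 650),
    ("192.168.1.78", "203.0.113.200", 80, 3),     # workstation, small volume: tolerated
    ("192.168.1.78", "192.168.1.20", 445, 5000),  # internal file-share traffic: not outbound
    ("10.9.9.9", "203.0.113.200", 53, 400),       # spoofed source not in the local network
]


def outbound_by_source(flows):
    """Sum packet counts per source address for traffic leaving the LAN only."""
    counts = Counter()
    for src, dst, _port, packets in flows:
        if ip_address(dst) not in LOCAL_NET:
            counts[src] += packets
    return counts


def detect_unexpected_sources(flows, authorized=AUTHORIZED_SOURCES, threshold=THRESHOLD):
    """Return alerts as (src, reason, packets), highest volume first.

    Spoofed sources are always reported, since no packet with a foreign source
    address should ever leave the LAN; unauthorized local hosts are reported
    only once they exceed the threshold.
    """
    alerts = []
    for src, packets in outbound_by_source(flows).items():
        if src in authorized:
            continue
        if ip_address(src) not in LOCAL_NET:
            alerts.append((src, "spoofed source address not in local network", packets))
        elif packets >= threshold:
            alerts.append((src, "unauthorized host exceeding outbound threshold", packets))
    return sorted(alerts, key=lambda a: a[2], reverse=True)


if __name__ == "__main__":
    for src, reason, packets in detect_unexpected_sources(SAMPLE_FLOWS):
        print(f"ALERT {src:15} {packets:6} pkts  {reason}")
```

On the sample data the workstation at 192.168.1.77 is reported with 1550 outbound packets, and 10.9.9.9 is reported as a spoofed source; the small-volume workstation and the purely internal file-share traffic produce no alert.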