End of Chapter Solutions Template

Guide to Firewalls and Network Security
Chapter 8 Solutions
Review Questions
1. Finish this sentence: In order to minimize the chance that security vulnerabilities will arise, a bastion
host should ideally be limited to ____________ ...
Answer: B. The host should certainly have two network interfaces. Whether one or more processors
are used isn’t as important as the combination of processor speed and the bandwidth of the host’s
connection to the Internet.
2. True or False: A bastion host provides only one network service, and that service is a firewall.
Answer: False: While it’s ideal to run only one service on the bastion host, it may not be economically
feasible to do so. And the service does not have to include a firewall: bastion hosts can be configured
to run a Web server, DNS server, and other services.
3. Which of the following is a function that is required to a greater degree when configuring a bastion host
than with other firewall-related tasks? (Choose all that apply.)
Answer: B, C. Auditing and making backups are essential. Setting up rules and testing are important
as well, but not to a higher degree: you need to set up rules and test the system defenses when
configuring a firewall as well as a bastion host.
4. If it’s ideal to run only one service on a bastion host, what is the obstacle to configuring multiple hosts
on a network? What’s to stop you from recommending the installation of as many bastion hosts as you
have services? (Choose all that apply.)
Answer: A, D. Configuring multiple bastion hosts requires the purchase of multiple dedicated
services, and the complexity of configuration increases with each bastion host.
5. Finish this sentence: The speed with which a bastion host works is a function of ___________...
Answer: B, C
6. What’s the purpose of going through the time and effort of documenting every step involved in bastion
host configuration?
Answer: In case of a system crash, you need to get up and running again quickly, and having
documentation at hand can help you identify what systems to check.
7. What is the name given to a server that is placed on the DMZ and whose sole purpose is to direct
hackers away from bastion host servers?
Answer: C. You might also see this called a “victim host” or a “sacrificial lamb.”
8. What are the primary characteristics of the attitude of “healthy paranoia” that you should adopt when
configuring a bastion host? Name three specific qualities.
Answer: You assume that you will be attacked at some point, that you don’t know where the attack
will come from, and that you cannot trust even resources with which you are normally familiar.
9. Processor speed becomes an even more critical consideration when choosing a bastion host if you plan
to perform what security-related operation on it?
Answer: B. Encryption adds latency to the host machine; the other approaches listed do not.
10. Finish this sentence: The ideal operating system for a bastion host is ________________...
Answer: A. The actual choice of operating system is not as important as the administrator’s familiarity
with it, so configuration or recovery can be performed quickly and efficiently.
11. Name two benefits of establishing a bare-bones configuration on a bastion host.
Answer: B, C. Answer A, less work for the administrator, is not a desirable goal in a corporate
environment. Answer D, less memory consumption, should not be a primary consideration—RAM is
becoming less expensive all the time and you should simply purchase more if needed.
12. What characteristics should you look for when finding a room where the bastion host will be
physically located?
Answer: Find a room that has limited access (perhaps with a security system), that is air conditioned,
and has a backup power system.
13. A honey pot bastion host is set up like any other bastion host, but with two notable exceptions. What
are they? (Choose all that apply.)
Answer: A, C. Answer B might seem clever but it would be extremely harmful to the organization: it
might infect legitimate users as well as hackers.
14. Which of the following is among the criteria for grouping services on the same bastion host? (Choose
all that apply.)
Answer: B, D
15. Complete this sentence: Among the most important services you can disable on the bastion host are...
(Choose all that apply.)
Answer: A, D. These are actually two different terms for the same thing.
16. When working on a bastion host configuration, you are asked by a manager: “Why are you spending so
much time securing a single computer?” Give a good, comprehensive reply.
Answer: The bastion host is the organization’s public face on the Internet. It is in a highly exposed
position on the perimeter of the network, and therefore, it needs to be highly secured.
17. What are dependency services?
Answer: D
18. Why back up the system after you configure it?
Answer: In case of infection by a virus or other harmful program, you can restore it from scratch using
the backup you made earlier.
19. Give at least three important considerations when choosing a bastion host OS—and put the most
important one first.
Answer: 1. Familiarity on the part of the administrator
2. Compatibility with other computers on the network
3. Availability of needed services
4. Stability
5. Security
20. What do you need to consider when evaluating the effectiveness of the bastion host configuration
during the audit process? (Choose all that apply.)
Answer: B, C. Security is the uppermost consideration with a bastion host—though performance is
important too, particularly with a public Web server on a bastion host.
Hands-on Projects
Project 1
At the screen of the wizard that asks you to identify a location where you want to save the image of the disk
you want to copy, click Browse. Then locate a disk drive or partition on your network where you can save
the disk image.
Project 2
‘Answers may vary’ or ‘not available.’
Project 3
The files copied are: BOOTSECT.DOS, CLASSES.1ST, CONFIG.DOS, CONFIG.SYS, MSDOS.BAK,
MSDOS.SYS, NAVOPTX.DAT, RESETLOG.TXT, and SSCANDISK.LOG.
Project 4
On the author's workstation, ports 81-83 were listed as active but running an "unknown" service.
Project 5
Answers will vary depending on the operating system installed.
Project 6
The Up-Time column gives a percentage that indicates how often the workstation was online since
IPSentry was started.
Case Projects
Case Project 1
1. Choose an operating system with which you are familiar
2. Purchase a computer with as much memory and processor speed as you can afford
3. Install the system from scratch
4. Install a minimal version of the system
5. Install only the most essential services
6. Remove any unnecessary services
7. Remove any unnecessary permissions
8. Install any security patches or hotfixes
9. Set up logging and auditing
10. Install the latest version of the server or other application you want to run on the bastion host
11. Audit the host after installation to monitor performance
Case Project 2
You can move the FTP services to the other bastion host, but that will obviously increase the load on the
second bastion host. A better option would be to purchase a third bastion host and put FTP on it. A third
option: use the new bastion host as a second Web server for load balancing.
Case Project 3
You could set up a "honey pot" Administrator account—one that has the name Administrator but no actual
administrative privileges.
Case Project 4
Please type the complete solution to Case Project 4 here.