- Cisco Networking Academy

advertisement
Guide to Firewalls and Network Security
Chapter 5 Solutions
Review Questions
1.
Why were application-level proxies originally developed?
Answer: B. The other three possibilities are all benefits of using proxy servers, but B was the original
reason they were developed.
2.
Name two things that application proxies do that are similar to packet filters.
Answer: They can filter out traffic from “undesirable” Web sites, and they can block harmful content.
Both create log files as well, and both read the header portion of IP packets.
3.
Name two things that application proxies do better than packet filters.
Answer: They inspect an entire IP packet, not just the header; they create more extensive log file
listings than packet filters; they completely break the connection between internal users and external
hosts, they rebuild packets before sending them to an outbound destination, thus inserting new IP
source information in order to shield internal users.
4.
Consider the following: you are asked to explain how the company proxy server functions to a group
of end-users. You create an analogy in which an individual makes a purchase and delivery on behalf of
someone else. The head of the IT department shakes his head to indicate that you’ve missed
something. Why is this analogy inadequate as a way of understanding how proxy servers function?
What function is missing from such an oversimplified description?
Answer: You should add that the person not only makes the purchase, but repackages the item before
delivering it.
5.
Reassembling IP packets adds more time to network communications, so there must be some benefit to
doing so. Give two reasons why it’s good for proxy servers to reassemble packets before sending them
on their way.
Answer: Reassembling packets with a new source IP address makes it impossible for external hosts to
determine the correct IP address of the host making the request. Also reassembling packets strips out
mangled data that could otherwise be used to initiate network intrusions.
6.
Complete this sentence: Proxy servers conceal internal clients by...
Answer: B. Completely regenerating new requests is the most secure of the four proxy server
functions mentioned. A, C, and D are all functions of proxy servers; A and C in particular help to
conceal internal clients, but they don't provide the level of protection that B does.
7.
Which of the following is not a disadvantage or complication of using an application proxy gateway?
Answer: A. Having a single point of configuration—the proxy server itself—reduces the security
administrator's work somewhat, but proxy servers still need multiple services and multiple clients to be
configured.
8.
Explain why you would want to use load balancing in conjunction with an application proxy gateway.
Answer: Because a proxy server provides a single gateway, it can also be a single point of failure; load
balancing can generate multiple proxies that are in use simultaneously so that, if one proxy goes down,
the others will still function.
9.
Finish this sentence: a proxy server that receives traffic from all services at a single port, such as a
SOCKS server, is called...
Answer: B, a non-transparent proxy. Answer A, a transparent proxy, uses multiple ports for multiple
services. D. is not specific enough: any kind of proxy server can be called an application proxy
gateway.
Guide to Firewalls and Network Security
Chapter 5 Solutions
10. When would you want to dedicate a proxy server to a single service?
Answer: C. A service that is particularly vulnerable, such as SMTP or POP, might warrant a dedicated
proxy server. The fact that a service operates on a server that is accessible to the public doesn’t make it
any more or less critical to run a proxy server on it.
11. What does a proxy focus on in an HTTP header in order to redirect a request to a specific URL?
Answer: A, C
12. Consider the following: you run an external Web site that lists catalog items for sale. The
overwhelming number of requests your company receives from the Internet are HTTP requests. You
need to distribute the traffic load more evenly, and you need to protect sensitive client information
contained on your Web server. What kinds of proxy server approaches could help you achieve these
goals?
Answer: Installing a dedicated HTTP server would help you handle the heavy HTTP traffic load, as
would load balancing. Or you could install multiple HTTP proxy servers to balance the load. A reverse
HTTP proxy would provide extra protection for the client information held on the Web server. You
could place the reverse HTTP proxy in the DMZ so the public would access the reverse proxy directly.
It would then seem to be the “real” Web server. However, the actual Web server would be on the
protected internal network, and the public would never access it directly.
13. True or false: A proxy server should never be located so that it has a direct interface on the Internet.
Answer: False. There is one instance in which a proxy server should be directly accessible to the
Internet: if it is a reverse proxy acting on behalf of one or more Web servers. In this case the reverse
proxy receives HTTP requests from external clients and forwards them to the actual Web server(s). In
all other cases, though, it’s true that a proxy should not have a direct interface on the Internet because
if a hacker manages to compromise the proxy in some way it can have devastating results for the
organization being protected.
14. Which of the following functions the Session-layer of the OSI model?
Answer: C. Other proxies work at the application layer.
15. Which of the following is a downside of using a reverse proxy?
Answer: C. A is incorrect because the log files aren't actually valuable. B is incorrect because a
reverse proxy can actually improve network performance because it blocks unnecessary or suspicious
requests to the internal Web server. D is incorrect because a reverse proxy can act on behalf of multiple
servers.
16. Which of the following is a disadvantage of using SOCKS?
Answer: B. It does not examine the data or payload part of a packet. It does provide other forms of
protection such as recreating packets, and the fact that it works with virtually any TCP/IP application
makes it valuable. Answer A is true, but it’s not a disadvantage, because other types of proxy servers
also need client configuration.
17. What feature is built in to the free Web server software Apache so that, as a result, it is unnecessary for
a proxy server to perform the same function?
Answer: D. A, B, and C are all features of Apache Web Server, but they are not features of a
proxy server.
18. Why consider using authentication if a proxy server completely separates internal clients from the
Internet?
Answer: B. A and C are functions of user authentication but they have nothing to do with application
proxy gateways.
19. How could you protect an internal network overnight when no employees are present?
Answer: C. A is technically true because it will protect the network but it is impractical to do this. B.
will work, but many e-mail messages will bounce back to their senders. C. is the best answer.
Guide to Firewalls and Network Security
Chapter 5 Solutions
20. What is the purpose of parameters such as time, IP address, or port number?
Answer: They help you establish rules that a proxy server can use to decide whether or not to allow
data to pass through the gateway.
Hands-on Projects
Project 1
Anywhere from 5 to 12 separate entries might be recorded every time you access a Web site. The
difference is that each file downloaded from the Web page you access is recorded in a separate log file
entry, and each file enters through a different port.
Project 2
You see the status bar message that your browser is connecting to your proxy server’s IP-not the external Web site’s IP.
Project 3
N/A
Project 4
Your firewall program should present you with an alert message stating that an application is attempting to
access the Internet. Depending on the application and firewall program, you may get a message such as
"MSN Messenger is attempting to access the Internet." Because the program is running under SocksCap,
however, you may also see the message "SocksCap is attempting to access the Internet" because the proxy
server is acting on the application's behalf.
Project 5
The email header should indicate that the mail message originated from the IP address of the proxy server
rather than the computer's IP address.
Project 6
The first time you connect you see the message: Welcome to the NetProxy gateway. The second time you
attempt to connect, you should see the message: No connection could be made because the target
machine actively refused it.
Case Projects
Case Project 1
Set up a proxy server so that it uses an IP address in one of the reserved ranges, such as 192.168.0.0/24.
Assign private IP addresses to the individual workstations.
Case Project 2
Configure WinGate so all external access is blocked, including port 808. Look at the log files and record
the addresses of any machines that are accessing the machine and contact their ISPs to complain (you can
find the ISPs by using tracert and doing a search with InterNIC, an organization that holds domain name
registration information. Also be sure to disable the WinSock proxy.
Case Project 3
You have several alternatives for improving performance. You can install the proxy server on a faster
computer that has all other services disabled, for one thing. You can also install multiple proxies on
different machines to balance load. Many organizations also install a reverse proxy to handle outbound
HTTP requests, and dedicate a proxy such as Squid to handling inbound HTTP requests. Since Web traffic
is usually a big part of any organization’s traffic, it makes sense to do load balancing with this service.
Guide to Firewalls and Network Security
Chapter 5 Solutions
Case Project 4
Set up an automatic configuration file for the proxy server. (Virtually all proxy server applications include
such a file that you can customize to your own network.) Send an e-mail to all employees with simple
instructions on how to configure their Web browsers to access the file.
Guide to Firewalls and Network Security
Chapter 5 Solutions
Download