Guide to Firewalls and Network Security
Chapter 2 Solutions

Review Questions

1. IPSec: A set of standards and tools used to authenticate and/or secure communications.
   Application-level firewall: Software that functions as a proxy, running applications to access resources outside the network.
   In Order: The firewall processes requests by following rules in top to bottom order.
   Deny-All: All packets are denied except for a few that have been specifically identified as permissible.
   Best Fit: The firewall determines the order in which rules should be processed.
   Oakley: An algorithm used by IPSec to generate a security key needed to encrypt data.
   IPv6: The latest version of Internet Protocol, developed by the IETF.

2. Which of the following rules should be conveyed to employees? (Choose all that apply.)
Answer: C, D

3. Which of the following describes aspects of a policy as opposed to a standard or a guide? (Check all that apply.)
Answer: B, C

4. What is the name for the part of the security policy that spells out how employees dial in to the office network to access files?
Answer: B

5. Explain what it means to “Start with the policy, not the firewall.”
Answer: Rather than purchasing and installing one or more firewalls and then developing a policy, an organization should first identify what needs to be protected and develop a policy that addresses that protection in a comprehensive way, and then install a firewall as part of that policy.

6. Why would you want to change a security policy?
Answer: C

7. What amount of time should you expect to spend on the security policy development process?
Answer: The exact time frame depends on the company, but development typically takes one to two weeks. The approval process, however, can take weeks or months depending on the size and complexity of the organization.

8. It’s important for security specialists to remember that rank-and-file employees’ primary concern is:
Answer: B.
Workers may be concerned about maintaining their privacy and that of the company’s customers, but their primary concern is to get access to files, forms, and data they need to complete their projects.

9. Why would you specify the use of IPSec in a security policy?
Answer: If you need to transfer sensitive information that requires an extra level of security.

10. Which of the following provides for authentication?
Answer: D. Answer B, tunnel mode, encapsulates and/or encrypts data but does not provide for authentication.

11. Finish this sentence: IPSec can save you the time and expense of installing...
Answer: A.

12. What does an IPSec policy do?
Answer: A.

13. In what environment would you specify an IPSec policy in Group Policy?
Answer: B. A is too vague; you only need IPSec for communications that require a heightened level of security.

14. You are a security consultant assigned to improve the level of network security at a small university in the Midwest with about 2,500 students. Students need access to e-mail and the Web; they need to be able to download common word processing and other programs. The situation is complicated by faculty and commuting students who dial in to the network from home. Many students also want to create their own personal Web sites. How would you ensure that the far-flung and mobile student population knows that they should avoid publishing content online that is considered offensive and should keep passwords private, and that they understand the university’s security policies? (Choose all that apply.)
Answer: Answers A, B, and C are all good ideas. However, answer D is probably the most effective way to ensure that the security policies are read and understood by students.

15. To the scenario described in Question 14, add this information: Your university has a second campus in a town 50 miles away. Most communications between the campuses do not need to be secure.
But some, like grade reports and admissions files, do require an extra level of security. How would you set up a policy that provides for extra-secure communications on an as-needed basis? Be as specific as possible.
Answer: In the security policy, specify that IPSec should be enabled on the computers that exchange grades and other sensitive information between the two campuses. Also specify that IPSec Server policy should be used so that hosts will request IPSec, but it is not necessary for communicating with computers that do not use IPSec.

16. When should a security policy be changed?
Answer: It should change when the organization makes substantial changes in its hardware configuration, or when the firewall is reconfigured in response to security breaches.

17. Which of the following is a reason to audit network communications?
Answer: C

18. You are hired by a company that employs a number of freelance transcriptionists who work at home. They need to access the network remotely so they can submit timesheets online and send the company transcriptions of medical tests that need to be confidential. What would you include in the Remote Access portion of the security policy for this company?
Answer: [The Remote Access section should spell out what protocols should be used to dial in to the office (e.g., SLIP or PPP). It should also list applications that should not be used to connect to the network, such as Telnet. Users who have cable modem or DSL connections are required to have firewalls installed. Routers that use ISDN to connect to the network should meet Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) authentication requirements.]

19. Explain what a Security User Awareness program is and how it can be implemented.
Answer: A Security User Awareness program is a series of initiatives taken to help employees understand and accept their organization’s security strategy.
It can be implemented by giving employees a formal briefing and handing out a security handbook. Employees can also be informed about what is expected of them as far as acceptable use of networked resources. Some companies print out their Acceptable Use Policies and require employees to read and sign them. Policies should also be published on the Web or in a database file where they can be reviewed any time.

20. Explain what can happen if a security policy is too strict.
Answer: Staff people who are eager to access the information they need will rebel and find ways to get around the firewall and other aspects of the security policy.

Hands-on Projects

Project 1
Answers will vary depending on the network connections available to the lab computer you are using.

Project 2
Answers will vary depending on the network resources available to you.

Project 3
No answer is necessary.

Project 4
Answers will vary depending on what your university publishes.

Project 5
One event per attempt.

Project 6
Answers will vary, but on the author’s system, opening a single audited folder created 14 separate events in the security log.

Case Projects

Case Project 1
1. Notify other response team members of the problem and summon them to the office.
2. Review log files and attempt to identify who is accessing the file.
3. Disconnect the internal network from the Internet.

Case Project 2
You don’t need to invite all of the people in upper management such as the presidents, vice-presidents, and provosts. Rather, one member of senior management should be designated to serve on the committee and report to the other administrators. The committee should include a member of the legal staff, someone from the IT staff, an editor, and at least one end-user (since this is a university, a representative of the student body would be appropriate). Also be sure to include yourself.

Case Project 3
You can come up with a wide variety of possible policies, but here are some suggestions:
Each user should have a separate logon name and password.
When each user finishes using the machine, he or she should log off, and the next user should log on.
Opening and viewing another user’s e-mail is prohibited.
Secure passwords should be used by each individual, and passwords should not be written down and posted on the computer itself but stored in a secure location.
Virus protection software should be used.
Avoid creating profane and offensive Web content.
Each user should have his or her own directory on the machine.
Logons to each folder can be audited to track unsuccessful attempts to view its contents.
Each user should use the machine for no more than an hour when others are waiting for it.

Case Project 4
A security policy determines how a firewall is to be configured, so it is critical to the firewall’s operation. Employees can innocently give out passwords to hackers who deceive them. They can bring viruses in on floppy disks; they can use remote access to enter the network at a location not protected by the firewall. A security breach can result in substantial cost in terms of staff time, data, and productivity.