Firewalls Flashcards

1
Q

Firewall policies rarely concern themselves with the _______________ layer.

A

Data Link Layer

2
Q

NAT (is / is not) considered a firewall technology.

A

NAT is not considered a firewall technology.

3
Q

The network(s) on a firewall’s internal interface is sometimes referred to as the ________ interface (or network).

A

protected

4
Q

(True / False) Most firewalls sold today provide stateful packet filtering.

A

True

5
Q

The most common example of a pure packet filtering device is a router that employs _____________.

A

Access Control Lists

6
Q

_________ ______ being blocked by firewalls is a common cause of VPN interoperability issues.

A

Fragmented Packets

7
Q

As a general rule, what should firewalls do with fragments?

a. Block them all
b. Permit them all
c. Reassemble them, then make the appropriate permit/deny decision
d. No general rule was provided, must consider on case-by-case basis.

A

d. No general rule was provided, must consider on case-by-case basis.

8
Q

Firewalls become stateful and track the state of connections by incorporating greater awareness of the _________ layer.

A

Transport

9
Q

What specific transport layer information do you think (or know) the firewall will use/reference to gather information about the state of a connection?

A

1. Flags
2. Socket Pairs
3. Seq Numbers
4. Ack Numbers

10
Q

What is said with regard to stateful inspection of UDP traffic?

a. UDP traffic simply cannot be filtered statefully because it’s a connectionless protocol.
b. UDP traffic can be filtered statefully the same way as TCP traffic.
c. Stateful filters will use matching IPs and port numbers to filter UDP statefully.
d. Stateful filters will use flags in the UDP header to filter statefully.

A

c. Stateful filters will use matching IPs and port numbers to filter UDP statefully.

11
Q

How does a stateful (non-application-level) firewall know when to remove a UDP (or other stateless protocol) session from its state table?

a. By observing the corresponding Fin/Ack session termination traffic.
b. By observing session payload information to determine when the transaction is complete.
c. By sending an ICMP message to the client to query for continued session usage.
d. It cannot know, and must resort to simple time-out.

A

d. It cannot know, and must resort to simple time-out.

12
Q

How does a stateful, application-level firewall know when to remove a DNS UDP (i.e., a specific instance of UDP traffic) session from its state table?

a. By observing the corresponding Fin/Ack session termination traffic.
b. By observing session payload information to determine when the transaction is complete.
c. By sending an ICMP message to the client to query for continued session usage.
d. It cannot know, and must resort to simple time-out.

A

b. By observing session payload information to determine when the transaction is complete.

13
Q

Application firewalls are referred to by some vendors as deep packet inspection firewalls. What is meant/implied by “deep”?

A

That the firewall blocks content that is abnormal at the application layer.

14
Q

Some application firewalls might employ a security-control feature that directly mitigates one of the principal threats for computer security: buffer overflow attacks. What is this security control?

A

Input Validation

15
Q

“Positivity” refers to the strategy of ensuring that the traffic/transactions involved in support of a particular protocol follow the expected (i.e. good, i.e. positive) behavior. This is in contrast to the (more typical) strategy of trying to identify all bad (“negative”) behavior. What is the term used for this concept?

A

RFC Compliance

16
Q

Firewall terminology—particularly with respect to capabilities—is quite confusing owing to differing names given to the same technology and differing technology descriptions given for the same technology name! I’ll have more to say on this in lecture. According to this section, what is/are the main distinction(s) between an application firewall (AF) and an application-proxy gateway (APG)?

a. APG better “isolates” the protected host, and can inspect encrypted traffic.
b. AF actually understands the application layer, whereas APG only looks for signatures.
c. APG will double as a Web cache server, whereas an AF won’t.
d. AFs can operate transparently, APG-based firewalls are by their nature non-transparent.

A

a. APG better “isolates” the protected host, and can inspect encrypted traffic.

17
Q

Aside from issues of traffic workload/throughput (affecting availability), which of these most succinctly addresses the main disadvantage of application-proxy gateways?

a. The requirement to have crypto keys installed.
b. “Generic agents”
c. The inability to install them in a manner that is transparent to the protected host(s).
d. The inability to require/check authentication of individual network users.

A

b. “Generic agents”

18
Q

Dedicated proxy servers are generally used to decrease firewall [the dedicated network firewall that is] workload and conduct __________________ filtering and __________________ that might be difficult to perform on the firewall itself.

A

Dedicated proxy servers are generally used to decrease firewall [the dedicated network firewall that is] workload and conduct SPECIALIZED filtering and LOGGING that might be difficult to perform on the firewall itself.

19
Q

The two most common VPN protocols are

a. SSL and L2TP
b. TLS and SSL
c. IPSec and SSL/TLS
d. IPSec and WPA

A

c. IPSec and SSL/TLS

20
Q

The two most common VPN architectures are

a. Authentication and Encryption
b. Site-to-site and end-to-end
c. Gateway-to-gateway and host-to-gateway
d. Tunneled and Direct

A

c. Gateway-to-gateway and host-to-gateway

21
Q

Many firewalls include _______________ _________________ for encryption to minimize the impact of VPN services. (FYI: this is very similar to previous lecture discussion regarding ASIC)

A

Hardware Acceleration

22
Q

What is NAC (Network Access Control)?

a. Just another fancy name for firewalling/filtering of network traffic.
b. Control of protected network access via more thorough ingress packet inspection.
c. A term used to describe a network that only permits access via VPN.
d. Limits network access contingent upon requestor’s “health check” and credentials.

A

d. Limits network access contingent upon requestor’s “health check” and credentials.

23
Q

All other things being equal… which of these would you think/intuit would be able to perform more reliable and accurate protection for a specific host (client or server)?

a. A network-based firewall
b. A host-based firewall

A

b. A host-based firewall

24
Q

What was the “bottom-line” security take-away regarding the use of UPnP?

a. It should be enabled for maximum security.
b. It should only be enabled for hosts that are being used remotely.
c. It should be off by default, due to risk of being subverted by a malicious application.
d. It should be on by default, then only de-activated if a known threat is discovered.

A

c. It should be off by default, due to risk of being subverted by a malicious application.

25
Q

Give the “classic” example where firewalls (aka “guards” or “diodes”) are used to permit traffic flow in only one direction.

A

LOW to HIGH transfer

26
Q

If NAT is configured to pinhole port 80 to the privately-addressed internal Web server (e.g., Web server’s IP is 10.10.10.7), then…

a. this Web server would not be allowed to communicate off of its network.
b. clients from outside this server’s network could reach it so long as they addressed their packets to the NAT router’s IP address and to port 80.
c. only clients in the same (private) network as the server could communicate with it.
d. the only external traffic that would be permitted into the private network would be that which was addressed to port 80.

A

b. clients from outside this server’s network could reach it so long as they addressed their packets to the NAT router’s IP address and to port 80.

27
Q

The typical usage for firewalls is the logical protection for an entire agency or organization from the rest of the “Internet”. This section addresses the use of firewalls for the logical protection (separation, isolating, filtering, POLPing, etc.) of different “domains” within an agency or organization. Which two examples of this were mentioned in this section of the SP800-41?
(choose 2)

a. Separation of internal users who have varying levels of trust.
b. Separating client networks from server networks.
c. Isolating unauthorized users from authorized users.
d. Isolating an organization’s visitor wireless subnet from the rest of its internal network.

A

a. Separation of internal users who have varying levels of trust.
d. Isolating an organization’s visitor wireless subnet from the rest of its internal network.

28
Q

This risk analysis should be based on an evaluation of ________, ____________, and _____________ in place to mitigate vulnerabilities; and the ___________ if systems or data are compromised. [All of the terms of the Risk Equation]

A

This risk analysis should be based on an evaluation of THREATS, VULNERABILITIES, and COUNTERMEASURES in place to mitigate vulnerabilities; and the IMPACT if systems or data are compromised.

29
Q

What is another (synonymous) term for countermeasures or safeguards?

A

Security Controls

30
Q

Which IPs or IP ranges should be filtered? Give three specific examples.

(1) _______________(Hint: “localhost”)
(2) _______________(Hint: the “I don’t have an IP” IP)
(3) _______________(Hint: “I couldn’t get an IP from DHCP IP, so I self-assigned one of these” IPs)

A

(1) 127.0.0.0 - 127.255.255.255
(Hint: “localhost”)

(2) 169.254.0.0 - 169.255.255.255
(Hint: the “I don’t have an IP” IP)

(3) 0.0.0.0
(Hint: “I couldn’t get an IP from DHCP IP, so I self-assigned one of these” IPs)

31
Q

The most prominent non-security benefit of HTTP proxies is ______ ___________ for increased speed and decreased bandwidth use.

A

Caching Webpages

32
Q

We can easily argue that caching can be considered a security benefit. Which of the three CIA Triad security objectives does it (or can it) support?

a. Confidentiality
b. Integrity
c. Availability

A

c. Availability

33
Q

Is defense-in-depth (D-I-D) deemed a waste of security time/effort, or is it considered by NIST to be a legitimate strategy for cyber defense? ( waste / legitimate )

A

legitimate

34
Q

Log analysis, particularly the cross-correlation of logs from multiple systems, is an important part of monitoring and problem/incident analysis. To make this endeavor more effective, all logged systems should __________ with an authoritative ______ source.

A

To make this endeavor more effective, all logged systems should SYNCHRONISE with an authoritative TIME source.

35
Q

Which of these is correct?

a. Lucky for us, all firewalls follow the same rules, and once we learn one, we know them all.
b. We can expect every firewall to check its ruleset in a top-down, sequential manner.
c. All firewalls will check all deny rules before checking any permit rules.
d. We need to RTM every time, as different ruleset processing methods are used by different vendors/systems, and we may introduce unintended filtering errors if not careful.
(Note: RTM = Read The Manual)

A

d. We need to RTM every time, as different ruleset processing methods are used by different vendors/systems, and we may introduce unintended filtering errors if not careful.

36
Q

Self-documentation is an important part of IT/cyber maintenance and operations. It’s the boring, low-hanging fruit that often gets ignored or insufficiently supported, but which can be of great benefit for the maintenance of “healthy” systems. Giving meaningful names to ACLs, instead of assigning a random number, is one of these. What is a more granular notion of self-documentation?

A

Include a comment for each rule.