Which of the following is a type of packet filtering used by firewalls that retains memory of the packets that pass through the firewall?

Generally, a ______ inspects traffic that passes through it and permits or denies that traffic based on rules set by an administrator.

When dealing with firewalls, an ____ is a set of rules that applies to a list of network names, IP addresses, and port numbers. These rules can be configured to control inbound and outbound traffic. 

Access Control List (ACL)

If you decide that a specific type of traffic should be granted access to your network, you would _______ that traffic as a rule within an ACL. 

If you decide that a specific type of traffic should not be granted access, you would _________ that traffic within an ACL.

If a type of network traffic is not defined in the firewall’s rule set, it should be stopped by default. This is the concept of ______ and is usually a default rule found in a firewall’s ACL. It is often added automatically to the end of a firewall’s rule set (ACLs) and is also known as “block all.”

The following ACL rule is usually found at the end of the access list. What is it called?
deny TCP any any port 53

What does the following ACL rule do?
deny TCP any any port 53

This rule can be used to restrict DNS zone transfers (as they run on top of TCP and use port 53), but other DNS traffic will still function properly. The rule is specific; it gives the transport layer protocol to be filtered, and the exact port, and also states that it applies to any computer’s IP address on the inbound and outbound side.

What are the types of firewalls?

1) Packet filtering 2) NAT filtering 3) Application-level Gateway (ALG) 4) Circuit-level Gateway

What is a packet filtering firewall?

Inspects each packet passing through the firewall and accepts or rejects it based on rules. There are two types: stateless packet inspection and stateful packet inspection (also known as SPI or a stateful firewall).

What is a stateless packet filter?

A stateless packet filter, also known as pure packet filtering, does not retain memory of packets that have passed through the firewall; due to this, a stateless packet filter can be vulnerable to IP spoofing attacks. 

A ___________ also known as pure packet filtering, does not retain memory of packets that have passed through the firewall; due to this, a ________________ can be vulnerable to IP spoofing attacks. 

A firewall running ______ is normally not vulnerable to IP spoofing because it keeps track of the state of network connections by examining the header in each packet. It can distinguish between legitimate and illegitimate packets. 

stateful packet inspection

Which firewall can distinguish between legitimate and illegitimate packets?

Stateful packet inspection

Packet filtering operates at the _____ layer of the OSI model.

It filters traffic according to ports (TCP or UDP). This can be done in three ways: by way of basic endpoint connections, by matching incoming traffic to the corresponding outbound IP address connection, or by matching incoming traffic to the corresponding IP address and port.

Application-level Gateway (ALG)

Applies security mechanisms to specific applications, such as FTP or BitTorrent.
It supports address and port translation and checks whether the type of application traffic is allowed.

For example, your company might allow FTP traffic through the firewall, but might decide to disable Telnet traffic (probably a wise choice). The ___ checks each type of packet coming in and discards Telnet packets.
Although this adds a powerful layer of security, the price is that it is resource-intensive, which could lead to performance degradation.

Application-level Gateway (ALG)

Works at the session layer of the OSI model, and applies security mechanisms when a TCP or UDP connection is established; it acts as a go-between for the transport and application layers in TCP/IP. After the connection has been made, packets can flow between the hosts without further checking. ____ hide information about the private network, but they do not filter individual packets.

What is the firewall's local address that connects to the LAN?

What is the type of DMZ configuration in this figure called?

back-to-back configuration (two firewalls surrounding the DMZ) or a 3-leg perimeter configuration

What is the first thing you do when an intrusion has been detected?

Firewall logs should be the first thing you check when an intrusion has been detected.

True or False: A firewall can also be incorporated into a server as a software package.

True: A firewall could also be incorporated into a server as a software package, which is a type of application firewall. 

What is an Application Firewall?

An application firewall can control the traffic associated with specific applications. This is something a stateful network firewall cannot do, as this function operates at the application layer of the OSI model.

What are examples of Network Firewalls?

Examples of network firewalls include basic devices such as the D-Link DIR-655 SOHO router/firewall, and more advanced appliances such as Cisco PIX/ASA Security Appliances and Juniper NetScreens.

What are Web Application Firewalls?

Some well-known application firewall tools are designed specifically to protect HTTP sessions from XSS attacks and SQL injections. These tools are called Web Application Firewalls.

Describe the term "multihomed connection" with regard to a network firewall.

A network firewall usually has more than one network adapter so that it can connect to more than one network; this is known as a multihomed connection.

True or False: An application firewall needs to be dual-homed at minimum 

True: An application firewall needs to be dual-homed at minimum (two adapters), and it is recommended that the server has three network adapters, in case you want to implement a DMZ or another perimeter security technique.

What are ways to harden security when using a SOHO all-in-one multi-function network device?

This device has four ports for wired connections, plus a wireless antenna; it connects all the computers to the Internet, and finally has a firewall built-in. Because some users consider this to be simply a firewall, you should teach them about the benefits of disabling SSID broadcasting, and enabling MAC filtering. 

True or False: A firewall cannot act as, or in combination with, a proxy server.

False: Besides acting as an all-in-one device, firewalls can also act as, or in combination with, a proxy server.

A proxy server acts as an intermediary for clients, usually located on a LAN, and the servers that they want to access, usually located on the Internet. By definition, proxy means go-between, or mediator, acting as such a mediator in between a private network and a public network. The proxy server evaluates requests from clients and, if they meet certain criteria, forwards them to the appropriate server. 

What are the several types of proxies?

1) IP Proxy 2) Caching Proxy

Secures a network by keeping machines behind it anonymous; it does this through the use of NAT

A basic four-port router can act as an ______ for the clients on the LAN it protects.

Caching proxy attempts to serve client requests without actually contacting the remote server. Ex: FTP Proxy, SMTP Proxy, HTTP Proxy (Web proxy)

The most common caching proxy is the HTTP proxy, also known as a web proxy, which caches web pages from servers on the Internet for a set amount of time.

(Client A) accessed www.google.com, and that she was the first person to do so on the network. This client request will go through the HTTP proxy and be redirected to Google’s web server. As the data for Google’s home page comes in, the HTTP proxy will store or cache that information. When another person on your network (Client B) makes a subsequent request for www.google.com, the bulk of that information will come from the HTTP proxy instead of from Google’s web server. This is done to save bandwidth on the company’s Internet connection and to increase the speed at which client requests are carried out.

What is the purpose of a Reverse Proxy?

Reverse proxies can also be implemented to protect a DMZ server’s identity or to provide authentication and other secure tasks. This is done when users on the Internet are accessing server resources on your network. Generally, a proxy server has more than one network adapter so that it can connect to the various networks it is acting as a mediator for. Each of the network adapters in a proxy should be periodically monitored for improper traffic and for possible network attacks and other vulnerabilities.

What is the purpose of Internet Content Filtering?

An Internet content filter, or simply a content filter, is usually applied as software at the application layer (layer 7) and can filter out various types of Internet activities such as websites accessed, e-mail, instant messaging, and more. It often functions as a content inspection device, and disallows access to inappropriate web material (estimated to be a big percentage of the Internet!) or websites that take up far too much of an organization’s Internet bandwidth.

True or False: Internet Content Filter is only found on individual computers

False: Internet content filters can be installed on individual clients, but by far the more efficient implementation is as an individual proxy that acts as a mediator between all the clients and the Internet. 

How does Internet Content Filtering secure the network?

1) by forbidding access to potentially malicious websites 2) by blocking access to objectionable material that employees might feel is offensive.
It can also act as a URL filter that filters any objectionable webpages.

True or False: Content filters analyze all data, including revoked certificates and CRLs.

False: Internet filtering appliances analyze just about all the data that comes through them including Internet content, URLs, HTML tags, metadata, and security certificates such as the kind you would automatically receive when going to a secure site that starts with https. (However, revoked certificates and certificate revocation lists, or CRLs, will not be filtered because they are only published periodically.)

What is the purpose of a Web Security Gateway?

Web security gateways (such as Websense) act as go-between devices that scan for viruses, filter content, and act as data loss prevention (DLP) devices.
This type of content inspection/content filtering is accomplished by actively monitoring the users’ data streams in search of malicious code, bad behavior, or confidential data that should not be leaked outside the network.

Ways to mitigate "Internet-facing server"

The two most important security controls are: 1) Keep the application up to date 2) Review and apply vendor-provided hardening documentation.
Remember to do these things before putting the proxy server (or other Internet-facing servers) in a live environment.

Examples of "Internet-facing server"

Proxies, content filters, and web security gateways are examples of servers that probably face the Internet directly.

Purpose of Honeypots and Honeynets

Honeypots and honeynets attract and trap potential attackers to counteract any attempts at unauthorized access of the network. This isolates the potential attacker in a monitored area and contains dummy resources that look to be of value to the perpetrator. While an attacker is trapped in one of these, their methods can be studied and analyzed, and the results of those analyses can be applied to the general security of the functional network.

A honeypot is generally a single computer but could also be a file, group of files, or an area of unused IP address space that attract and trap potential attackers to counteract any attempts at unauthorized access of the network. This isolates the potential attacker in a monitored area and contains dummy resources that look to be of value to the perpetrator.

A honeynet is one or more computers, servers, or an area of a network; a honeynet is used when a single honeypot is not sufficient.
It attracts and traps potential attackers to counteract any attempts at unauthorized access of the network. This isolates the potential attacker in a monitored area and contains dummy resources that look to be of value to the perpetrator.

A centralized group of honeypots (or a honeynet) is known collectively as a honeyfarm.

What is Data Loss Prevention (DLP)?

Data loss prevention (DLP) systems are designed to protect data by way of content inspection. They are meant to stop the leakage of confidential data, often concentrating on communications. 

What are the 3 types of DLP Systems?

1) Network-based DLP 2) Endpoint-based DLP 3) Storage-based DLP

What is Network-based DLP?

These systems deal with data in motion and are usually located on the perimeter of the network. If particular data is classified in an organization’s policy as confidential and not to be read by outsiders, the DLP system detects it and prevents it from leaving the network. Network-based DLP systems can be hardware-based or software-based.
Ex: A network-based DLP system would be one that detects and prevents the transfer of confidential e-mail information outside the network.

What is Endpoint-based DLP?

These systems operate on individual client computers or servers, but to be effective, need to be installed to every computer on the network (if a network-based DLP is not used). In some cases the software that controls these systems can notify the user (or an administrator) of any attempted confidentiality breach, whether inadvertent or deliberate.

What is Storage-based DLP?

These systems are usually software-based and are used to find out whether confidential information has found its way into long-term storage and data centers where, according to policy, it is not supposed to be.

Network intrusion detection system (NIDS) - A type of IDS that attempts to detect malicious network activities such as port scans and DoS attacks, by constantly monitoring network traffic. It can also be instrumental in rogue machine detection, including rogue desktops, laptops, and mobile devices, as well as rogue access points, DHCP servers, and network sniffers.

True or False: A NIDS should be situated at the entrance or gateway to your network because it is a firewall.

False - A NIDS should be situated at the entrance or gateway to your network. It is not a firewall but should be used with a firewall. Because the NIDS inspects every packet that traverses your network, it needs to be fast.

Regardless of where the NIDS is located, a network administrator should monitor traffic from time to time; to do so, the computer, server, or appliance that has the NIDS installed should have a network adapter configured to work in _________________. This passes all traffic to the CPU, not just the frames addressed to it.

What are the disadvantages of NIDS?

1) possible network performance issues 2) unable to read encrypted packets of information 3) will not detect problems that occur on an individual computer. 4) it only detects attacks; to protect against, or prevent, these attacks, you need a NIPS.

Network intrusion prevention system (NIPS) - Designed to inspect traffic and, based on its configuration or security policy, either remove, detain, or redirect malicious traffic that it becomes aware of.

The NIPS (as well as the NIDS) is considered to be an ____________ device, meaning it can define different types of packets, define what application they are based on, and ultimately permit or disallow that traffic on the network. 

If the NIPS blocks legitimate traffic, it would be known as a _________, and effectively could deny service to legitimate customers, creating a self-inflicted denial-of-service of sorts.

If the IPS does not have a particular attack’s signature in its database, and lets that attack through thinking it is legitimate traffic, it is known as a ___________.

Another type of error that can occur with NIDS and NIPS is a ___________; this is when the NIDS/NIPS has been altered by an attacker to allow for false negatives, ultimately leading to attacks creeping into the network. 

A NIPS has a "fail-close" policy for when it fails. What does this mean?

Fail-close means that all data transfer is stopped, while fail-open means that data transfer (including potential attacks) is passed through.

Say that the NIPS was protecting an individual server (or router), and had a certain level of control over that system. Now let’s say that the NIPS failed. In a _____ scenario, it would disconnect the system that it is protecting, stopping all data transfer.

If the NIPS fails, it continues to pass all traffic to the “protected” system, which could include possible attacks. This is considered a _____ scenario.

Network Intrusion Detection System - Detects malicious network activities

Network Intrusion Prevention System (NIPS) - Detects, removes, detains and redirects traffic

What is the advantage of a NIDS?

Only a limited number of NIDS are necessary on a network.

What is the disadvantage of NIDS?

Only detects malicious activities

What are examples of NIDS?

What are the advantages of NIPS?

1) Detects and mitigates malicious activity 2) Can act as a protocol analyzer

What are the disadvantages of the NIPS?

1) Uses more resources 2) Possibility of false positives and false negatives

What are examples of NIPS?

Extreme Networks and Check Point Systems solution

Explain the Protocol Analyzer's Role in NIDS/NIPS.

Some very expensive NIDS/NIPS have built-in protocol analyzers, which can decode the application layer protocols, such as HTTP, FTP or SMTP and forward the results to the IDS/IPS analysis engine. Then the analysis engine studies the info for anomalous or behavioral exploits. This type of analysis can block many exploits based on a single signature.

Unified Threat Management - UTM providers simplify the whole situation by offering all-in-one devices that combine the various levels of defense into one solution. Companies such as Cisco, Fortinet, and McAfee (to name a few) offer UTM solutions

1. Which tool would you use if you want to view the contents of a packet?
A. TDR B. Port scanner C. Protocol analyzer D. Loopback adapter

C. A protocol analyzer has the capability to “drill” down through a packet and show the contents of that packet as they correspond to the OSI model.

The honeypot concept is enticing to administrators because
A. It enables them to observe attacks. B. It traps an attacker in a network. C. It bounces attacks back at the attacker. D. It traps a person physically between two locked doors.

A. By creating a honeypot, the administrator can monitor attacks without sustaining damage to a server or other computer. Don’t confuse this with a honeynet (answer B), which is meant to attract and trap malicious attackers in an entire false network. Answer C is not something that an administrator would normally do, and answer D is defining a man trap.

James has detected an intrusion in his company. What should he check first?
A. DNS logs B. Firewall logs C. The Event Viewer D. Performance logs

B. If there was an intrusion, you should check the firewall logs first. DNS logs in the Event Viewer and the performance logs will most likely not show intrusions to the company. The best place to look first is the firewall logs.

Which of the following devices should you employ to protect your network? (Select the best answer.)
A. Protocol analyzer B. Firewall C. DMZ D. Proxy server

B. Install a firewall to protect the network. Protocol analyzers do not help to protect a network but are valuable as vulnerability assessment and monitoring tools. Although a DMZ and a proxy server could possibly help to protect a portion of the network to a certain extent, the best answer is firewall.

Which device’s log file will show access control lists and who was allowed access and who wasn’t?
A. Firewall B. Smartphone C. Performance Monitor D. IP proxy

A. A firewall contains one or more access control lists (ACLs) defining who is enabled to access the network. The firewall can also show attempts at access and whether they succeeded or failed. A smartphone might list who called or e-mailed, but as of the writing of this book does not use ACLs. Performance Monitor analyzes the performance of a computer, and an IP proxy deals with network address translation, hiding many private IP addresses behind one public address. Although the function of an IP proxy is often built into a firewall, the best answer would be firewall.

Where are software firewalls usually located?
A. On routers B. On servers C. On clients D. On every computer

C. Software-based firewalls, such as Windows Firewall, are normally running on the client computers. Although a software-based firewall could also be run on a server, it is not as common. Also, a SOHO router might have a built-in firewall, but not all routers have firewalls

Where is the optimal place to have a proxy server?
A. In between two private networks B. In between a private network and a public network C. In between two public networks D. On all of the servers

B. Proxy servers should normally be between the private network and the public network. This way they can act as a go-between for all the computers located on the private network. This applies especially to IP proxy servers but might also include HTTP proxy servers.

A coworker has installed an SMTP server on the company firewall. What security principle does this violate?
A. Chain of custody B. Use of a device as it was intended C. Man trap D. Use of multifunction network devices

B. SMTP servers should not be installed on a company firewall. This is not the intention of a firewall device. The SMTP server should most likely be installed within a DMZ.

You are working on a server and are busy implementing a network intrusion detection system on the network. You need to monitor the network traffic from the server. What mode should you configure the network adapter to work in? A. Half-duplex mode B. Full-duplex mode C. Auto-configuration mode D. Promiscuous mode

D. To monitor the implementation of NIDS on the network, you should configure the network adapter to work in promiscuous mode; this forces the network adapter to pass all the traffic it receives to the processor, not just the frames that were addressed to that particular network adapter. The other three answers have to do with duplexing—whether the network adapter can send and receive simultaneously.

Which of the following displays a single public IP address to the Internet while hiding a group of internal private IP addresses? A. HTTP proxy B. Protocol analyzer C. IP proxy D. SMTP proxy

C. An IP proxy displays a single public IP address to the Internet while hiding a group of internal private IP addresses. It sends data back and forth between the IP addresses by using network address translation (NAT). This functionality is usually built into SOHO routers and is one of the main functions of those routers. HTTP proxies store commonly accessed Internet information. Protocol analyzers enable the capture and viewing of network data. SMTP proxies act as a go-between for e-mail.

If your ISP blocks objectionable material, what device would you guess has been implemented? A. Proxy server B. Firewall C. Internet content filter D. NIDS

C. An Internet content filter, usually implemented as content-control software, can block objectionable material before it ever gets to the user. This is common in schools, government agencies, and many companies.

Of the following, which is a collection of servers that was set up to attract hackers? A. DMZ B. Honeypot C. Honeynet D. VLAN

C. A honeynet is a collection of servers set up to attract hackers. A honeypot is usually one computer or one server that has the same purpose. A DMZ is the demilitarized zone that is in between the LAN and the Internet. A VLAN is a virtual LAN.

Which of the following will detect malicious packets and discard them?
A. Proxy server B. NIDS C. NIPS D. PAT

C. A NIPS, or network intrusion prevention system, detects and discards malicious packets. A NIDS only detects them and alerts the administrator. A proxy server acts as a go-between for clients sending data to systems on the Internet. PAT is port-based address translation.

Which of the following will an Internet filtering appliance analyze? (Select the three best answers.)
A. Content B. Certificates C. Certificate revocation lists D. URLs

A., B., and D. Internet filtering appliances will analyze content, certificates, and URLs. However, certificate revocation lists will most likely not be analyzed. Remember that CRLs are published only periodically.

Which of the following devices would detect but not react to suspicious behavior on the network?
A. NIPS B. Firewall C. NIDS D. HIDS

C. A NIDS, or network intrusion detection system, will detect suspicious behavior but most likely will not react to it. To prevent it and react to it, you would want a NIPS. Firewalls block certain types of traffic but by default do not check for suspicious behavior. HIDS is the host-based version of an IDS; it checks only the local computer, not the network.

One of the programmers in your organization complains that he can no longer transfer files to the FTP server. You check the network firewall and see that the proper FTP ports are open. What should you check next? A. ACLs B. NIDS C. AV definitions D. FTP permissions

A. Access control lists can stop particular network traffic (such as FTP transfers) even if the appropriate ports are open. A NIDS will detect traffic and report on it but not prevent it. Antivirus definitions have no bearing on this scenario. If the programmer was able to connect to the FTP server, the password should not be an issue. FTP permissions might be an issue, but since you are working in the firewall, you should check the ACL first; then later you can check on the FTP permissions, passwords, and so on.

Which of the following is likely to be the last rule contained within the ACLs of a firewall? A. Time of day restrictions B. Explicit allow C. IP allow any D. Implicit deny

D. Implicit deny (block all) is often the last rule in a firewall; it is added automatically by the firewall, not by the user. Any rules that allow traffic will be before the implicit deny/block all on the list. Time of day restrictions will probably be stored elsewhere but otherwise would be before the implicit deny as well.

Which of the following best describes an IPS? A. A system that identifies attacks B. A system that stops attacks in progress C. A system that is designed to attract and trap attackers D. A system that logs attacks for later analysis

B. An IPS (intrusion prevention system) is a system that prevents or stops attacks in progress. A system that only identifies attacks would be an IDS. A system designed to attract and trap attackers would be a honeypot. A system that logs attacks would also be an IDS or one of several other devices or servers.

What is a device doing when it actively monitors data streams for malicious code? A. Content inspection B. URL filtering C. Load balancing D. NAT

A. A device that is actively monitoring data streams for malicious code is inspecting the content. URL filtering is the inspection of the URL only (for example, www.comptia.org). Load balancing is the act of dividing up workload between multiple computers. NAT is network address translation, which is often accomplished by a firewall or IP proxy.

Allowing or denying traffic based on ports, protocols, addresses, or direction of data is an example of what? A. Port security B. Content inspection C. Firewall rules D. Honeynet

C. Firewall rules (ACLs) are generated to allow or deny traffic. They can be based on ports, protocols, IP addresses, or which way the data is headed. Port security deals more with switches and the restriction of MAC addresses that are allowed to access particular physical ports. Content inspection is the filtering of web content, checking for inappropriate or malicious material. A honeynet is a group of computers or other systems designed to attract and trap an attacker.

Which of the following should a security administrator implement to limit web-based traffic that is based on the country of origin? (Select the three best answers.) A. AV software B. Proxy server C. Spam filter D. Load balancer E. Firewall F. URL filter G. NIDS

B., E., and F. The security administrator should implement a proxy server, a firewall, and/or a URL filter. These can all act as tools to reduce or limit the amount of traffic based on a specific country. AV software checks for, and quarantines, malware. Spam filters will reduce the amount of spam that an e-mail address or entire e-mail server receives. A load balancer spreads out the network load to various switches, routers, and servers. A NIDS is used to detect anomalies in network traffic.

You have implemented a technology that enables you to review logs from computers located on the Internet. The information gathered is used to find out about new malware attacks. What have you implemented? A. Honeynet B. Protocol analyzer C. Firewall D. Proxy

A. A honeynet has been employed. This is a group of computers on the Internet, or on a DMZ (and sometimes on the LAN), that is used to trap attackers and analyze their attack methods, whether they are network attacks or malware attempts. A protocol analyzer captures packets on a specific computer in order to analyze them but doesn’t capture logs per se. A firewall is used to block network attacks but not malware. A proxy is used to cache websites and act as a filter for clients.

Which of the following is a layer 7 device used to prevent specific types of HTML tags from passing through to the client computer? A. Router B. Firewall C. Content filter D. NIDS

C. A content filter is an application layer (layer 7) device that is used to prevent undesired HTML tags, URLs, certificates, and so on, from passing through to the client computers. A router is used to connect IP networks. A firewall blocks network attacks. A NIDS is used to detect anomalous traffic.

Your boss has asked you to implement a solution that will monitor users and limit their access to external websites. Which of the following is the best solution? A. NIDS B. Proxy server C. Block all traffic on port 80 D. Honeypot

B. You should implement a proxy server. This can limit access to specific websites, and monitor who goes to which websites. Also, it can often filter various HTML and website content. A NIDS is used to report potentially unwanted data traffic that is found on the network. Blocking all traffic on port 80 is something you would accomplish at a firewall, but that would stop all users from accessing any websites that use inbound port 80 (the great majority of them!). A honeypot is a group of computers used to lure attackers in and trap them for later analysis.

Which of the following firewall rules only denies DNS zone transfers? A. deny IP any any B. deny TCP any any port 53 C. deny UDP any any port 53 D. deny all dns packets

B. The firewall rule listed that only denies DNS zone transfers is deny TCP any any port 53. DNS uses port 53, and DNS zone transfers specifically use TCP. This rule will apply to any computer’s IP address initiating zone transfers on the inbound and outbound sides. If we configured the rule for UDP, other desired DNS functionality would be lost. Denying IP in general would have additional unwanted results. When creating a firewall rule (or ACL), you need to be very specific so that you do not filter out desired traffic.

What type of firewall is a packet filtering firewall?

Packet filtering firewalls are the oldest, most basic type of firewalls. Operating at the network layer, they check a data packet for its source IP and destination IP, the protocol, source port, and destination port against predefined rules to determine whether to pass or discard the packet.

What are the types of packet filtering?

There are four primary types of packet filtering:
Static packet filtering firewall. A static packet filtering firewall requires you to establish firewall rules manually. ...
Dynamic packet filtering firewall. ...
Stateless packet filtering firewall. ...
Stateful packet filtering firewall.

What is stateful packet filter firewall?

A stateful firewall is a kind of firewall that keeps track and monitors the state of active network connections while analyzing incoming traffic and looking for potential traffic and data risks.

What is stateful and stateless packet filtering?

Stateless firewalls are designed to protect networks based on static information such as source and destination. Whereas stateful firewalls filter packets based on the full context of a given network connection, stateless firewalls filter packets based on the individual packets themselves.