Tutorial 6 Flashcards

(11 cards)

1
Q

(4) Which statement describes the characteristics of packet filtering and stateful firewalls as they relate to the OSI model?

a. Both stateful and packet filtering firewalls can filter at the application layer.

b. A stateful firewall can filter application-layer information, whereas a packet filtering firewall cannot filter beyond the network layer.

c. A packet-filtering firewall typically can filter up to the transport layer, whereas a stateful firewall can filter up to the session layer.

d. A packet filtering firewall uses session layer information to track the state of a connection, whereas a stateful firewall uses application layer information to track the state of a connection.

A

c. A packet-filtering firewall typically can filter up to the transport layer, whereas a stateful firewall can filter up to the session layer.

Explanation:

Packet-filtering firewalls always filter on Layer 3 information (source and destination IP address, protocol number) and usually on Layer 4 information as well (TCP and UDP port numbers, TCP flags), but they judge every packet on its own. Stateful firewalls track each connection in a state table, so they must follow the setup and teardown of connections that the OSI session layer describes, which is why this deck places them at Layer 5. The OSI mapping is a rough one: a stateful firewall still reads only the Layer 3 and Layer 4 headers, but it remembers what it has already seen.

2
Q

When an IOS Zone-Based Firewall policy is being configured via the CLI, which step must be taken after the zones are created?

a. Design the Physical Infrastructure

b. Establish policies between zones

c. Identify subsets within zones

d. Assign interfaces to zones

A

b. Establish policies between zones

3
Q

A firewall is a filtering device that watches for traffic that fails to comply with rules defined by the firewall administrator. What does the firewall inspect?

a. Packet header
b. Packet trailer
c. Packet encryption
d. Packet latency

A

a. Packet header

Explanation:
Firewalls can focus on the packet header (addresses, protocol and ports), the packet payload (the essential data of the packet), or both. Firewalls can also focus on the content of a session, the establishment of a circuit, and possibly other attributes. Most firewalls focus on only one of these.

4
Q

Which of the following is a common firewall philosophy?

a. Allow by default
b. Deny by exception
c. Deny by default
d. Fail by exception

A

c. Deny by default

Explanation:
Firewalls follow a philosophy or stance of security known as deny by default/allow by exception. All the rules on a firewall are exceptions. Some exception rules define what you allow.

Some exception rules define what you wish to deny. The final option, sometimes called the final rule, is that anything that did not match one of the exceptions is denied by default.

5
Q

Fred is an IT technician. He is studying a threat that holds the communication channel open when a TCP handshake does not conclude. What kind of attack does this involve?

a. Denial of service (DoS) attack

b. Hackers accessing information on a server

c. The interception of transaction data

d. Unauthorized persons breaching a server’s document tree

A

a. Denial of service (DoS) attack

Explanation:
Many different types of DoS attack are possible. In this one the attacker starts TCP handshakes (sends SYN segments) but never completes them with the final ACK, so each half-open connection holds the communication channel, and the server resources behind it, open until it times out. Hundreds of these incomplete sessions in a short time can consume substantial resources on a server and even crash it. The same flood exhausts the state table of a stateful firewall placed in front of the server, which is why such firewalls enforce limits and timeouts on half-open sessions.
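An added example, not from the deck, of the controls a Cisco IOS Zone-Based Policy Firewall offers against the half-open flood described above. The parameter-map name, the class and policy names, the zone names OUTSIDE and DMZ (assumed to exist already) and the threshold values are all assumed and should be tuned to the connection rate the protected servers normally see.

```text
! Added example (not from the deck): half-open session limits for the
! inspect action of a Cisco IOS ZPF. Names and thresholds are assumed;
! tune them to the connection rate the protected servers normally see.
!
! A parameter map holds the tunables for inspection.
parameter-map type inspect HALF-OPEN-LIMITS
! a SYN that has not completed the handshake is aged out after 10 s
! (the default is 30 s)
 tcp synwait-time 10
! once the total number of half-open sessions passes 500, the oldest
! are deleted until the count falls back below 400
 max-incomplete high 500
 max-incomplete low 400
! the same control applied to the rate of new half-open sessions per
! minute, which catches a fast flood before the total is ever reached
 one-minute high 500
 one-minute low 400
! per destination host: more than 50 half-open sessions to one server
! blocks further SYNs to that server for 2 minutes
 tcp max-incomplete host 50 block-time 2
!
! The limits only apply where the map is attached to an inspect action.
! Here it protects the servers in the DMZ zone from Internet clients.
class-map type inspect match-any TCP-TO-SERVERS
 match protocol tcp
policy-map type inspect OUTSIDE-TO-DMZ
 class type inspect TCP-TO-SERVERS
  inspect HALF-OPEN-LIMITS
 class class-default
  drop log
zone-pair security OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ
```

The current half-open count can be watched with show policy-map type inspect zone-pair sessions; when the high-water mark is crossed the router starts deleting the oldest incomplete sessions, so legitimate clients that are slow to finish the handshake are the first to be affected, which is the trade-off the thresholds set.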

6
Q

A network infrastructure supervisor is designing a firewall placement strategy that will protect the organization’s Internet-facing web and email servers and the internal network. Which design will best protect both?

a. Placing the firewall between the Internet and a single network hosting both the servers and the internal network, using port forwarding to direct traffic to the servers

b. Placing the web and email servers, configured with the latest patches and anti-malware applications, on the Internet in front of the firewall, while placing the internal network behind the firewall

c. Using a perimeter network design where all Internet traffic enters the firewall; one interface of the firewall connects to a perimeter network hosting the web and email servers, while the internal network receives traffic from a separate firewall interface

d. Using two firewalls to create a demilitarized zone (DMZ); one firewall is placed between the Internet and the servers, the other firewall is located behind the first firewall and the servers protecting the internal network

A

d. Using two firewalls to create a demilitarized zone (DMZ); one firewall is placed between the Internet and the servers, the other firewall is located behind the first firewall and the servers protecting the internal network

Explanation:

The best design choice is to use two firewalls to create a DMZ. This provides several benefits. The two firewalls provide an additional layer of security for the internal network: even if the outer firewall or a server in the DMZ is compromised, the inner firewall still stands between the attacker and the internal network. If the web server requires access to a database server, the database server can be placed in the internal network for better protection, with the inner firewall permitting only the database port from the web server. Internet users will not be able to access the database server directly. Option c is also a DMZ (a perimeter network on a third interface of a single firewall); it is cheaper, but it leaves one device as the only barrier between the DMZ and the internal network.

7
Q

Which of the following two statements are true about packet filtering firewalls? (Choose two)

a. Filter traffic at the session, transport & network layers

b. Filter traffic at the application, transport & network layers

c. Filter traffic at the transport & network layers

d. They are stateless firewalls

e. They are stateful firewalls

A

c. Filter traffic at the transport & network layers

d. They are stateless firewalls
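As an added example (not part of the deck), this is what a stateless packet filter looks like on Cisco IOS, built from extended ACLs; the interface names, the 192.0.2.0/24 inside network and the ACL names are assumed. It shows why cards 1 and 7 place packet filters at Layers 3 and 4 and call them stateless: every rule tests header fields only, and return traffic needs its own inbound rule because nothing remembers that an inside host opened the connection.

```text
! Added example (not from the deck): a stateless packet filter built from
! Cisco IOS extended ACLs. Interface names and addresses are assumed.
! Gi0/0 = inside (192.0.2.0/24), Gi0/1 = outside.
!
! Outbound: let inside hosts start web connections and send DNS queries.
! Each rule tests only Layer 3 (addresses, protocol) and Layer 4 (ports).
ip access-list extended INSIDE-OUT
 permit tcp 192.0.2.0 0.0.0.255 any eq 80
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
 permit udp 192.0.2.0 0.0.0.255 any eq 53
! explicit final deny (the ACL has an implicit one anyway); log the hits
 deny ip any any log
!
! Inbound: the filter keeps no state, so return traffic needs its own
! rule. "established" only tests whether the ACK or RST bit is set,
! which any sender can set; it is a header check, not connection tracking.
ip access-list extended OUTSIDE-IN
 permit tcp any eq 80 192.0.2.0 0.0.0.255 established
 permit tcp any eq 443 192.0.2.0 0.0.0.255 established
! UDP has no flags to test, so DNS replies must be opened by port alone
 permit udp any eq 53 192.0.2.0 0.0.0.255 gt 1023
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group INSIDE-OUT in
interface GigabitEthernet0/1
 ip access-group OUTSIDE-IN in
```

Because established only reads two flag bits, an ACK scan or any crafted segment with ACK set from source port 80 passes OUTSIDE-IN and reaches the inside hosts, and the UDP rule opens every high port to any source that spoofs port 53. That gap is exactly what the state table of a stateful firewall closes: it admits a reply only when it has already seen the matching outbound request. Hit counts per rule are visible with show access-lists.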

8
Q

Briefly explain the three actions that can be specified in a ZPF policy.

A

ZPF (written ZFW in some Cisco documentation) provides three actions for traffic that traverses from one zone to another:

Drop — This is the default action for all traffic, as applied by the class class-default that terminates every inspect-type policy-map. Other class-maps within a policy-map can also be configured to drop unwanted traffic (drop log additionally records each dropped packet in syslog). Traffic that is handled by the drop action is silently dropped (that is, no notification of the drop is sent to the relevant end-host) by the ZPF, as opposed to the behaviour of an ACL, which by default returns an ICMP unreachable (administratively prohibited) message to the host that sent the denied traffic unless no ip unreachables is configured on the interface.

Pass — This action allows the router to forward traffic from one zone to another. The pass action does not track the state of connections or sessions within the traffic, so it behaves like a stateless packet filter. Pass only allows the traffic in one direction; a parallel policy must be applied to the zone-pair in the opposite direction to allow return traffic. The pass action is useful for protocols such as IPsec ESP, IPsec AH, ISAKMP, and other inherently secure protocols with predictable behaviour. However, most application traffic is better handled in the ZPF with the inspect action.

Inspect — The inspect action offers state-based traffic control. For example, if traffic from the private zone to the Internet zone is inspected, the ZPF maintains connection or session information for TCP, UDP and ICMP traffic. Therefore, the router permits return traffic sent from Internet-zone hosts in reply to private-zone connection requests without any policy on the reverse zone-pair.

9
Q

A pre-defined zone exists on a ZPF. Briefly explain what this zone is and its purpose.

A

Answer
Most network security engineers are uncomfortable exposing the router’s management interfaces (for example, SSH, Telnet, HTTP, HTTPS, SNMP, ICMP and so on) to the public Internet, and under certain circumstances control is needed for LAN access to the router as well.

Cisco IOS Software has a pre-defined zone called the self zone. It is a system-level zone that includes all of the router’s IP addresses, and it represents traffic that the router itself sends or receives rather than traffic it forwards. By default, traffic to and from the self zone is permitted, so management keeps working before any policy is written.

When an interface is configured to be a zone member, the hosts connected to the interface are included in the zone. However, traffic that flows to and from the IP addresses of the router’s own interfaces is not controlled by the zone policies between those zones. Instead, all of the IP interfaces on the router are automatically made part of the self zone when ZPF is configured. In order to control IP traffic that moves to the router from the various zones, policies must be applied to zone-pairs between each zone and the self zone (and vice versa) that block, pass or inspect that traffic. One such policy that should always be configured is one that blocks management protocols from the public-Internet zone to self. Once a policy is attached to a zone-pair involving self, everything that policy does not explicitly permit falls to class-default and is dropped, so routing-protocol, VPN (ISAKMP/ESP) and monitoring traffic to the router must be permitted in that policy or it stops working.
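An added example, not from the deck, that puts the three actions from card 8 and the self-zone policy from this card into one Cisco IOS ZPF configuration with an INSIDE, a DMZ and an OUTSIDE zone. Interface names, addresses and the zone, class-map, policy-map and ACL names are assumed for illustration.

```text
! Added example (not from the deck): a three-zone Cisco IOS ZPF showing the
! drop, pass and inspect actions and a self-zone policy. Interface names,
! addresses and object names are assumed.
!
! 1. Zones. "self" is pre-defined and is not created here.
zone security INSIDE
zone security DMZ
zone security OUTSIDE
!
! 2. Classify traffic. Protocol matches use IOS application inspection;
!    the IPsec class uses a plain ACL because ESP and AH have no ports.
class-map type inspect match-any INSIDE-ANY
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any PUBLIC-SERVICES
 match protocol http
 match protocol https
 match protocol smtp
ip access-list extended IPSEC-PEERS
 permit esp any any
 permit ahp any any
 permit udp any eq isakmp any eq isakmp
 permit udp any any eq non500-isakmp
class-map type inspect match-all VPN-TUNNEL
 match access-group name IPSEC-PEERS
class-map type inspect match-any MGMT-FROM-LAN
 match protocol ssh
 match protocol icmp
!
! 3. Policies. Each ends in class-default, which drops: deny by default,
!    allow by exception.
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect INSIDE-ANY
  inspect
 class class-default
  drop
policy-map type inspect OUTSIDE-TO-DMZ
 class type inspect PUBLIC-SERVICES
  inspect
 class class-default
  drop log
! pass is stateless and one-way: the same policy goes on both zone-pairs
! between OUTSIDE and self, otherwise the reply direction is dropped
policy-map type inspect PASS-IPSEC
 class type inspect VPN-TUNNEL
  pass
 class class-default
  drop log
policy-map type inspect LAN-TO-SELF
 class type inspect MGMT-FROM-LAN
  inspect
 class class-default
  drop
!
! 4. Zone-pairs bind one policy to one direction of traffic. Zone pairs
!    that are not defined (DMZ -> INSIDE, OUTSIDE -> INSIDE) drop everything.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
zone-pair security IN-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-OUTSIDE
zone-pair security OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ
! self zone: the Internet may only send IPsec to the router; Telnet, HTTP,
! SNMP and everything else from OUTSIDE hits class-default and is logged
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect PASS-IPSEC
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect PASS-IPSEC
zone-pair security IN-SELF source INSIDE destination self
 service-policy type inspect LAN-TO-SELF
!
! 5. Interfaces join zones. No zone-pair exists between DMZ and self or
!    from self to INSIDE/DMZ, so that traffic stays permitted by default.
interface GigabitEthernet0/0
 description INSIDE 192.0.2.0/24
 zone-member security INSIDE
interface GigabitEthernet0/1
 description DMZ 198.51.100.0/24
 zone-member security DMZ
interface GigabitEthernet0/2
 description OUTSIDE 203.0.113.10/30
 zone-member security OUTSIDE
```

Two consequences of the self-zone pairs are worth checking before applying this: anything the router itself must send or receive on the Internet side (NTP, DNS, a routing protocol neighbour on OUTSIDE) is not in PASS-IPSEC and will be dropped until it is added, and management of the router becomes possible only by SSH or ping from INSIDE. Verify the bindings with show zone-pair security and watch live sessions with show policy-map type inspect zone-pair sessions.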

10
Q

Briefly explain three common properties that a good firewall should possess.

A

Answer
* It must be resistant to attack
* Traffic between networks must be forced through the firewall
* The firewall must enforce the access control policy of the organisation

11
Q

Briefly explain the benefits and limitations of deploying a stateful firewall.

A

Answer:

Stateful firewalls are the most versatile and the most common firewall technology in use. They provide stateful packet filtering by using connection information maintained in a state table. Stateful filtering is a firewall architecture that is classified at the network layer; it also analyses traffic at OSI Layer 4 and, because it follows connection setup and teardown, Layer 5. Because the state table is a finite resource, the firewall itself needs limits and timeouts on half-open sessions (see card 5), or the flood it is meant to stop can exhaust it.

Benefits
* Act as a primary means of defence
* Provide strong packet filtering capabilities
* Improved performance over packet filters
* Defend against spoofing and DoS attacks
* Rich data logs

Limitations
* No application layer inspection
* Limited tracking of stateless protocols
* Difficult to defend against dynamic port negotiation
* No authentication support
