Network Security: Access Controls and Firewalls
Questions and Answers

Inspection firewalls keep track of each network connection between internal and external systems.

True

A filtering firewall can react to an emergent event and update or create rules to deal with the event.

False

What is the dominant architecture used to secure network access today?

Screened Subnet

What is the role of the Transformation Procedure (TP) in the Clark-Wilson Model?

To ensure that data is transformed in a way that maintains integrity

Discretionary access control is an approach whereby the organization specifies use of resources based on the assignment of data classification schemes to resources and clearance levels to users.

False (that describes mandatory access control; discretionary access control leaves the decision to the owner of the resource)

Lattice-based access control is a form of access control in which users are assigned a matrix of authorizations for particular areas of access.

True

Task-based controls are associated with the assigned role a user performs in an organization, such as a position or temporary assignment like project manager.

True

Authentication is the process of validating and verifying an unauthenticated entity's purported identity.

True

Accountability is the matching of an authenticated entity to a list of information assets and corresponding access levels.

False (that is authorization; accountability is the ability to trace an action back to the authenticated entity that performed it)

Firewalls fall into several major categories of processing modes: packet-filtering firewalls, application layer proxy firewalls, media access control layer firewalls, and hybrids.

True

The ability of a router to restrict traffic to a specific service is an advanced capability and not considered a standard feature for most routers.

False (it is a standard feature of most routers)

The application layer proxy firewall is capable of functioning both as a firewall and an application layer proxy server.

True

Using an application layer firewall means the associated Web server must be exposed to a higher level of risk by placing it in the DMZ.

False (the proxy takes the exposed position in the DMZ, so the actual Web server need not)

All organizations with a router at the boundary between the organization's internal networks and the external service provider will experience improved network performance due to the complexity of the ACLs used to filter the packets.

False (complex ACLs add processing on the router and can degrade performance)

The DMZ can be a dedicated port on the firewall device linking a single bastion host.

True

The screened subnet protects the DMZ systems and information from outside threats by providing a network with intermediate security, which means the network is less secure than the general-public networks but more secure than the internal network.

False (it is the other way around: more secure than the public network, less secure than the internal network)

An extranet is a segment of the DMZ where no authentication and authorization controls are put into place.

False (an extranet is a segment of the DMZ where additional authentication and authorization controls are put in place)

Good policy and practice dictates that each firewall device, whether a filtering router, bastion host, or other firewall implementation, must have its own set of configuration rules.

True

Syntax errors in firewall policies are usually difficult to identify.

True

When Web services are offered outside the firewall, HTTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture.

True

Good firewall rules include denying all data that is not verifiably authentic.

True

Firewalls can only filter packets by port number.

False (they also filter on source and destination address, protocol, packet type and, for stateful firewalls, connection state)

It is important that e-mail traffic reach your e-mail server and only your e-mail server.

True

Though not used as much in Windows environments, terminal emulation is still useful to systems administrators on Unix/Linux systems.

True

A content filter, also known as a reverse firewall, is a network device that allows administrators to restrict access to internal content from external users.

False (a content filter is a software filter, technically not a firewall, that restricts what users inside the network may reach outside it; it does not shield internal content from external users)

The proxy server is often placed in an unsecured area of the network or is placed in the demilitarized zone.

True

The perimeter is an intermediate area between a trusted network and an untrusted network.

False (that is the DMZ; the perimeter is the boundary between the two)

Media Access Control Layer firewalls operate on the specific host computer's identity, as represented by its network interface card (NIC) address, and operate at the data link layer of the OSI model or the subnet layer of the TCP/IP model.

True

A routing table tracks the state and context of each packet in a conversation by recording which station sent which packet and when.

False (that is the state table of a stateful inspection firewall; a routing table holds next-hop information)

The primary disadvantage of stateful packet inspection firewalls is the additional processing required to manage and verify packets against the state table.

True

The static packet filtering firewall can react to an emergent event and update or create rules to deal with that event.

False

Port Address Translation assigns non-routing local addresses to computer systems in the local area network and uses ISP-assigned addresses on a one-to-one basis.

False (PAT maps many internal addresses onto one ISP-assigned address by giving each connection a distinct source port; one-to-one mapping is NAT)
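The distinction in the question above, as an added worked example that is not part of the quiz or the textbook it draws on: a port address translation gateway that rewrites source ports so many inside hosts share one public address, beside a one-to-one NAT gateway that leaves ports alone. The addresses are constructed from the RFC 5737 documentation ranges and the class and method names are my own.

```python
"""PAT (many-to-one, port-rewriting) beside one-to-one NAT, as an added example.
Addresses are constructed from the RFC 5737 documentation ranges; nothing here
is taken from the quiz or its source textbook."""
from dataclasses import dataclass
import itertools

PUBLIC_IP = "203.0.113.10"       # assumed single ISP-assigned address


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatGateway:
    """Every inside host leaves with the same public address; the translated
    source port is what lets the gateway match replies back to the right host."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=49152):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self.outbound = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # public port -> (inside src_ip, src_port)

    def egress(self, f):
        """Translate an outbound packet; allocate a port on first sight of the flow."""
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = next(self._next_port)
            self.outbound[key] = port
            self.inbound[port] = (f.src_ip, f.src_port)
        return Flow(self.public_ip, port, f.dst_ip, f.dst_port)

    def ingress(self, f):
        """Translate a reply from the Internet back to the inside host.
        Unsolicited traffic (no table entry) is dropped: return None."""
        if f.dst_ip != self.public_ip:
            return None
        inside = self.inbound.get(f.dst_port)
        if inside is None:
            return None
        return Flow(f.src_ip, f.src_port, inside[0], inside[1])


class OneToOneNat:
    """Static NAT: each inside address has its own public address; ports untouched."""

    def __init__(self, mapping):
        self.out = dict(mapping)                        # inside -> public
        self.back = {v: k for k, v in mapping.items()}  # public -> inside

    def egress(self, f):
        return Flow(self.out[f.src_ip], f.src_port, f.dst_ip, f.dst_port)

    def ingress(self, f):
        inside = self.back.get(f.dst_ip)
        if inside is None:
            return None
        return Flow(f.src_ip, f.src_port, inside, f.dst_port)


def demo():
    """Two inside hosts using the same source port reach the same server through PAT."""
    pat = PatGateway()
    a = pat.egress(Flow("192.168.1.10", 40000, "198.51.100.5", 443))
    b = pat.egress(Flow("192.168.1.11", 40000, "198.51.100.5", 443))
    reply_a = pat.ingress(Flow("198.51.100.5", 443, PUBLIC_IP, a.src_port))
    stray = pat.ingress(Flow("198.51.100.5", 443, PUBLIC_IP, 60000))
    return a, b, reply_a, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The side effect worth noticing is in `ingress`: because the translation table only has entries for flows that an inside host started, a PAT gateway drops unsolicited inbound packets, which is why it is often mistaken for a firewall. It is not one; a rule set on top of it is still needed.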

When a bastion host approach is used, the host contains two CPUs, forcing all traffic to go through the device.

False (a dual-homed bastion host has two network interfaces, not two CPUs)

A common DMZ arrangement is a subnet firewall that consists of two or more internal bastion hosts behind a packet-filtering router, with each host protecting the trusted network.

True

Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules.

True

An intranet is a segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.

False (that describes an extranet; an intranet is the organization's internal network)

Most firewalls use packet header information to determine whether a specific packet should be allowed to pass through or should be dropped.

True

Best practices in firewall rule set configuration state that the firewall device never allows administrative access directly from the public network.

True
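The rule-set practices in the questions above (deny what is not verifiably authentic, e-mail only to the e-mail server, no administrative access from the public network, HTTP from the inside only via a proxy, rules applied in sequence with a default deny) and the state table from the stateful inspection questions, as one added worked example. This is my own code, not the quiz's, the textbook's, or any vendor's rule syntax; the address ranges, interface names and the position of the mail server and proxy are assumptions.

```python
"""A first-match packet filter carrying the rule-set practices from the quiz, plus
a stateful wrapper that admits return traffic only for tracked connections.
Added example; addresses, interface names and the rule set are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")           # assumed internal address space
MAIL_SERVER = ip_network("10.0.2.25/32")      # assumed DMZ mail server
WEB_PROXY = ip_network("10.0.2.8/32")         # assumed outbound web proxy in the DMZ
MGMT_NET = ip_network("10.0.9.0/24")          # assumed administrative network


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "ext" or "int"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # True for a connection attempt, False for later packets


@dataclass(frozen=True)
class Rule:
    action: str
    iface: str = None
    proto: str = None
    src: object = None    # ip_network or None (any)
    dst: object = None
    dport: int = None

    def matches(self, p):
        return ((self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and (self.src is None or ip_address(p.src) in self.src)
                and (self.dst is None or ip_address(p.dst) in self.dst)
                and (self.dport is None or p.dport == self.dport))


# Order matters: the first matching rule wins and anything unmatched is denied.
RULES = [
    # Deny data that is not verifiably authentic: a packet arriving on the
    # outside interface cannot legitimately carry an inside source address.
    Rule("deny", iface="ext", src=INTERNAL),
    # Never allow administrative access to the firewall from the public network.
    Rule("deny", iface="ext", proto="tcp", dport=22),
    # E-mail reaches the mail server and only the mail server.
    Rule("allow", iface="ext", proto="tcp", dst=MAIL_SERVER, dport=25),
    Rule("deny", iface="ext", proto="tcp", dport=25),
    # Administration only from the management network, on the inside.
    Rule("allow", iface="int", proto="tcp", src=MGMT_NET, dport=22),
    # Internal hosts reach the web through the proxy; direct HTTP is blocked.
    Rule("allow", iface="int", proto="tcp", src=WEB_PROXY, dport=80),
    Rule("deny", iface="int", proto="tcp", dport=80),
]


def static_filter(p, rules=RULES):
    """Static packet filter: every packet is judged on its header alone."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"     # default deny


class StatefulFilter:
    """Stateful inspection: allowed connection attempts are recorded in a state
    table, and later packets are admitted only if they belong to a tracked
    conversation. The extra lookups are the cost the quiz question refers to."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.state = set()   # (proto, src, sport, dst, dport) of allowed connections

    def decide(self, p):
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if forward in self.state or reverse in self.state:
            return "allow"   # part of an established conversation
        if not p.syn:
            return "deny"    # a non-SYN packet that matches no connection
        action = static_filter(p, self.rules)
        if action == "allow":
            self.state.add(forward)
        return action
```

The contrast to look at is the proxy's web reply: the static filter has no rule for a packet from port 80 on the outside to an ephemeral port inside, so it would need a blanket "allow high ports from anywhere" rule to let it through, which is exactly the hole stateful inspection closes by remembering which connection the inside host opened.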

Traceroute, formally known as an ICMP Echo request, is used by internal systems administrators to ensure that clients and servers can communicate.

False (ping is the ICMP Echo request; traceroute sends probes with increasing TTL values and reads the ICMP Time Exceeded replies from each hop)

Most current operating systems require specialized software to connect to VPN servers, as support for VPN services is no longer built into the clients.

False (current operating systems ship with built-in VPN clients)

The false reject rate describes the number of legitimate users who are denied access because of a failure in the biometric device.

True

One of the biggest challenges in the use of the trusted computer base (TCB) is the existence of explicit channels.

False (the challenge is covert channels)

In static filtering, configuration rules must be manually created, sequenced, and modified within the firewall.

True

A RADIUS system decentralizes the responsibility for authenticating each user by validating the user's credentials on the network access server.

False (RADIUS centralizes authentication on a RADIUS server; the network access server only relays the request)

Even if Kerberos servers are subjected to denial-of-service attacks, a client can still request additional services.

False (if the Kerberos servers are unavailable, clients cannot obtain the tickets needed for additional services)

A VPN, used properly, allows communication across the Internet as if it were a private network.

True

An attacker who suspects that an organization has dial-up lines can use a device called a war dialer to locate the connection points.

True

Kerberos uses asymmetric key encryption to validate an individual user to various network resources.

False (Kerberos uses symmetric key encryption)

RADIUS, as described in RFC 4120, keeps a database containing the private keys of clients and servers - in the case of a client, this key is simply the client's encrypted password.

False (RFC 4120 describes Kerberos, and it is the Kerberos server that keeps such a database)

Secure VPNs use security protocols and encrypt traffic transmitted across unsecured public networks like the Internet.

True

A popular use for tunnel mode VPNs is the end-to-end transport of encrypted data.

False (end-to-end transport of encrypted data is transport mode; tunnel mode encrypts whole packets between two perimeter servers)

Access control in which users are assigned a matrix of authorizations for particular areas of access.

lattice-based, nondiscretionary

Which of the following is not a major processing mode category for firewalls?

Router Passthrough

Firewalls examine every incoming packet header and can selectively filter packets based on header information such as destination address, source address, packet type, and other key information.

Packet-filtering

The application layer proxy firewall is also known as a(n)

proxy firewall

The proxy server is often placed in an unsecured area of the network or is placed in the ______ zone.

demilitarized

______ is an intermediate area between a trusted network and an untrusted network.

DMZ

______ make filtering decisions based on the specific host computer's identity, as represented by its network interface card (NIC) address, and operate at the data link layer of the OSI model or the subnet layer of the TCP/IP model.

Media Access Control Layer

Because the bastion host stands as a sole defender on the network perimeter, it is commonly referred to as a(n) ______ host.

sacrificial

The dominant architecture used to secure network access today is the ______ firewall.

screened subnet

Configuring firewall ______ is viewed as much an art as it is a science.

policies

The architecture of a(n) ______ firewall protects a DMZ.

screened subnet

Both ______ and Next Generation Firewalls (NGFW) are hybrid firewalls categorized by their ability to perform the work of an SPI firewall, network IDPS, content filter, spam filter, and malware scanner and filter.

UTM

At the very least, ______ access to the organization's Domain Name System (DNS) server should be blocked to prevent illegal zone transfers and to prevent attackers from taking down the organization's entire network.

telnet

A firewall device must never be accessible directly from the ______ network.

public

A(n) ______ filter is a software filter-technically not a firewall-that allows administrators to restrict access to content from within a network.

content

Content filters are often called ______ firewalls.

reverse

A trusted ______ uses leased circuits from a service provider who gives contractual assurance that no one else is allowed to use these circuits and that they are properly maintained and protected.

VPN

A ______ mode VPN establishes two perimeter servers to encrypt all traffic that will traverse an unsecured network. The entire client packet is encrypted and added as the data portion of a packet addressed from one perimeter server to another.

tunnel

Deperimeterization is the recognition that there is no clear information security boundary between an organization and the outside world, meaning that the organization must be prepared to protect its information both inside and outside its digital walls.

True

The Bell-LaPadula model is primarily concerned with:

Confidentiality: preventing unauthorized disclosure (no read up, no write down)

The Biba Integrity Model focuses on:

Integrity: preventing unauthorized modification (no read down, no write up)

The Graham-Denning Model defines how:

Subjects and objects are created and deleted, and how access rights are assigned, transferred, and revoked

The Chinese Wall Model is designed to prevent:

Conflicts of interest

In the Chinese Wall Model, access is restricted based on:

The subject's history of prior accesses and the conflict-of-interest class of the data requested

A key principle of the Chinese Wall Model is:

A subject that has accessed one company's data may not access a competitor's data in the same conflict-of-interest class

The Clark-Wilson Model is primarily concerned with:

Data integrity, particularly in commercial systems

In the Clark-Wilson Model, well-formed transactions are defined as:

Transactions that move the system from one consistent state to another, performed only through certified transformation procedures

What mechanism does the Clark-Wilson model use to enforce integrity?

Access triples of subject, transformation procedure, and constrained data item, checked by integrity verification procedures and backed by separation of duties
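The four models in the questions above, as one added worked example so the rules can be exercised rather than memorised: Bell-LaPadula and Biba as mirror-image level comparisons, the Chinese Wall as a history-dependent check, and Clark-Wilson as access triples plus an integrity verification procedure around each transformation procedure. The code is mine, not from the quiz or the textbook; the level names, the companies, and the "balance never negative" invariant are constructed for the demo.

```python
"""Bell-LaPadula, Biba, Chinese Wall and Clark-Wilson as runnable checks.
Added example; levels, companies and the account invariant are constructed."""
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def blp_allows(subject_clearance, object_class, mode):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = LEVELS[subject_clearance], LEVELS[object_class]
    if mode == "read":
        return s >= o          # simple security property
    if mode == "write":
        return s <= o          # *-property
    raise ValueError(mode)


def biba_allows(subject_integrity, object_integrity, mode):
    """Biba (integrity): no read down, no write up, the dual of Bell-LaPadula."""
    s, o = LEVELS[subject_integrity], LEVELS[object_integrity]
    if mode == "read":
        return s <= o
    if mode == "write":
        return s >= o
    raise ValueError(mode)


class ChineseWall:
    """Brewer-Nash: access is decided by the subject's own access history.
    After reading one company's data, a subject may not read a competitor's
    data in the same conflict-of-interest class."""

    def __init__(self, conflict_classes):
        self.cls = {co: name for name, cos in conflict_classes.items() for co in cos}
        self.history = {}     # subject -> set of companies already read

    def allows_read(self, subject, company):
        seen = self.history.get(subject, set())
        return all(c == company or self.cls[c] != self.cls[company] for c in seen)

    def read(self, subject, company):
        if not self.allows_read(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True


class ClarkWilson:
    """Clark-Wilson: constrained data items (CDIs) change only through certified
    transformation procedures (TPs); a user may run a TP on a CDI only if an
    access triple (user, TP, CDI) permits it; an integrity verification
    procedure (IVP) confirms the result is a valid state before it is committed."""

    def __init__(self, cdis, ivp):
        self.cdis = dict(cdis)
        self.ivp = ivp
        self.tps = {}         # certified TPs: name -> function(old_value, *args)
        self.triples = set()  # (user, tp, cdi)

    def certify(self, name, fn):
        self.tps[name] = fn

    def authorize(self, user, tp, cdi):
        self.triples.add((user, tp, cdi))

    def run(self, user, tp, cdi, *args):
        """A well-formed transaction: either the CDI moves to another valid
        state or nothing changes. Returns True only on commit."""
        if (user, tp, cdi) not in self.triples or tp not in self.tps:
            return False
        new_value = self.tps[tp](self.cdis[cdi], *args)
        if not self.ivp(new_value):
            return False
        self.cdis[cdi] = new_value
        return True
```

Two points the functions make visible: `blp_allows` and `biba_allows` differ only in the direction of the comparisons, which is why a system that needs both has to label confidentiality and integrity separately; and `ClarkWilson.run` rejects a withdrawal that would overdraw the account even when the user and TP are authorized, because the IVP, not the caller, decides whether the new state is valid.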

Kerberos consists of three interacting services, all of which use a database library:

The authentication server (AS), the key distribution center (KDC), and the Kerberos ticket-granting service (TGS)

What must a VPN accomplish to offer a secure and reliable capability while relying on public networks?

Encapsulation of incoming and outgoing data, encryption of that data, and authentication of the remote computer and, where required, the remote user

Study Notes

Access Controls, Firewalls, and VPNs

  • Stateful inspection firewalls track each network connection between internal and external systems in a state table; the cost is the extra processing needed to manage and verify packets against that table.
  • Dynamic firewalls react to emergent events by updating or creating rules; static packet filters cannot, and their rules must be manually created, sequenced, and modified.
  • Screened subnet architecture, which protects a DMZ, is the dominant network access security architecture today.
  • The Transformation Procedure (TP) in the Clark-Wilson model ensures that data is changed only in ways that preserve integrity.
  • Mandatory access control assigns data classification levels to resources and clearance levels to users; discretionary access control leaves the decision to the owner of the resource.
  • Lattice-based access control assigns users a matrix of authorizations for particular areas of access.
  • Role-based and task-based controls tie permissions to a user's role or assignment within an organization, such as a position or a temporary project role.
  • Authentication is the validation and verification of an unauthenticated entity's purported identity.
  • Authentication factors include something the user knows, something the user has, and something the user is.
  • Authorization matches an authenticated entity to a list of information assets and access levels; accountability is the ability to trace actions back to the authenticated entity.
  • Firewalls are categorized by processing mode (packet-filtering, application layer proxy, media access control layer, and hybrid), by configuration, and by management.
  • A firewall can be a single device, a dedicated port on a device, or a separate network containing several devices.
  • Packet-filtering firewalls examine packet headers (source and destination address, port, packet type) against predetermined rules to decide whether to pass or drop each packet.
  • Restricting traffic to a specific service with ACLs is a standard router capability, though complex ACLs can degrade router performance.
  • Application layer proxy firewalls can function as both firewalls and application layer proxy servers; placing the proxy in the DMZ means the real web server need not be exposed there.
  • The DMZ can be as simple as a dedicated port on the firewall linking a single bastion host, or a subnet with several bastion hosts behind a packet-filtering router.
  • The screened subnet gives the DMZ intermediate security: more secure than the public network, less secure than the internal network.
  • An extranet is a section of the DMZ where additional authentication and authorization controls provide services that are not available to the general public.
  • Each firewall device needs its own set of configuration rules.
  • Syntax errors in firewall policies can be hard to identify.
  • When web services are offered outside the firewall, HTTP traffic from internal networks should go through proxy access or the DMZ rather than directly.
  • Good firewall rules deny all data that is not verifiably authentic, let e-mail reach only the e-mail server, and never allow administrative access to the firewall directly from the public network.
  • Firewalls filter on more than port number: source and destination address, protocol, and connection state.
  • PAT maps many internal non-routable addresses to one ISP-assigned address by rewriting source ports; one-to-one mapping is NAT.
  • A content filter (reverse firewall) is a software filter that restricts what users inside the network may access outside it.
  • RADIUS centralizes user authentication on a RADIUS server instead of the network access server; Kerberos uses symmetric key encryption, and its three services (AS, KDC, TGS) must be reachable, so a denial-of-service attack on them stops new service requests.
  • VPNs enable communication across the internet as if it were a private network; tunnel mode VPNs encrypt whole client packets between two perimeter servers, and trusted VPNs rely on leased circuits.
  • War dialers are used to locate dial-up lines.
