Chapter 4. Firewall Practical Applications
Chapter Objectives
After reading this chapter and completing the exercises, you will be able to:
Explain the requirements of single machine, small office, network, and enterprise firewalls.
Evaluate the needs and constraints of an individual or company to determine what type of firewall solution is appropriate.
Compare popular firewall solutions.
Recommend an appropriate firewall solution for a given situation.
Introduction
Chapter 3 discussed the conceptual basis for the firewall. It described the various approaches to packet filtering used by different sorts of firewalls. This chapter examines the practical aspects of firewall selection. Firewalls can be classified based on a number of different criteria. In Chapter 3 these were classified based on configuration and type. This chapter classifies firewalls based on the practical situation in which they will be used.
Each section of this chapter examines the practical requirements of each category. We will look at the security needs, as well as budget limitations. Then we will examine one or more actual products designed for that environment. However, in no case am I specifically endorsing any product. I chose firewalls based on how widely they are used because the most widely used firewall solutions are the ones you are most likely to encounter in your career, regardless of their technical merits.
Using Single Machine Firewalls
A single machine firewall is a firewall solution running on an individual PC. Home users often protect their computers with single machine firewalls. In many cases, security-conscious organizations set up individual firewalls on all workstations on their network in addition to the firewall solution used for the network itself. I recommend that strategy over simply having a perimeter firewall. Regardless of which scenario you are working in, single machine firewalls have many things in common:
Most are packet filtering/screening firewalls.
All are software based.
Most are easy to configure and set up.
Most single machine firewalls were designed with the home user in mind. The idea is not to keep out a concerted breach attempt by a skilled hacker or to fend off a DoS attack but rather to give a higher level of security to a home user. This accounts for the fact that these firewalls are typically simple packet filtering solutions that are quite easy to configure. Nonetheless, they can be quite helpful in bolstering network security.
For example, more than one virus has spread by scanning nearby machines on a network, looking for open ports and connecting to that port. One version of the infamous MyDoom virus used port 1034 to facilitate its spread. A network that had all individual machines with their own firewalls blocking port 1034, would be immune to this avenue of attack (Canavan and Andres, 2004), even if one of the machines on the network was infected. In short, having individual firewalls on all workstations means that even if one machine is breached, the breach will not necessarily affect all machines on the network. We will examine the Windows 7 firewall, a Linux firewall, and a couple of commercial firewalls (i.e., ones that don’t come with the operating system but must be purchased separately). Note that the Windows 7 firewall is virtually identical to the Windows 8, Windows Server 2008, and Windows Server 2012 firewalls.
When you select a single machine firewall solution, keep in mind that most were designed with several assumptions. Since the home user is the primary target customer for these products, ease of use is generally a high priority. Secondly, most of these products are very low cost and in some cases free. Finally, you should keep in mind that they are not meant for highly secure situations but merely to provide essential security for a home user.
Windows 7
Windows 7 ships with a fully functioning firewall. Unlike previous Windows versions, this firewall can block inbound and outbound packets. The basics of the Windows 7 firewall can be seen in figure 4.1
Like most single machine firewalls, it is a packet filtering firewall. Although it is not as robust as a stateful packet inspection firewall, it is certainly better than no firewall. It is also likely that your router gateway has stateful packet inspection firewall. Realizing that the Windows 7 firewall was a tremendous improvement over previous Windows firewalls is important. The first improvement, we already mentioned, is that you can set different rules for outbound and inbound traffic. For example, your standard workstation will probably allow outbound HTTP traffic on port 80, but you might not want to allow inbound traffic (unless you are running a web server on that workstation).
Rules allow or block a given application or port. You can also have different rules for inbound and outbound traffic. The rules allow you to decide whether a particular type of communication is blocked or allowed. You can have different settings for inbound and outbound traffic. You can set rules for individual ports (all 65,554 available network ports) and for applications. The rules in the Windows 7 firewall give you a lot of flexibility.
More importantly, you can apply rules differently depending on where the traffic comes from. You can set up rules for three areas or profiles:
Domain: For those computers authenticated on your domain.
Public: For computers from outside your network. You would treat outside traffic more carefully than traffic coming from another machine in your domain.
Private: Private refers to traffic from your own computer, thus the term private.
Administrators should always follow these rules with all packet-filtering firewalls:
If you do not explicitly need a port, then block it. For example if you are not running a Web server on that machine, then block all inbound port 80 traffic. With home machines you can usually block all ports. With individual workstations on a network you may need to keep some ports open in order to allow for various network utilities to access the machine.
Unless you have a compelling reason not to, always block ICMP traffic because many utilities such as ping, tracert, and many port scanners use ICMP packets. If you block ICMP traffic, you will prevent many port scanners from scanning your system for vulnerabilities.
Occasionally, I would suggest continuing to write out acronyms such as ICMP just to make sure this is reinforced.
The Windows Firewall also has a logging feature, but it is disabled by default. Turn this feature on (when you configure the firewall you will see a place to turn on logging). Check this log periodically.
User Account Control
User account control (UAC) is not a firewall technology but is strongly related to security. Windows Vista first introduced it, and it has been expanded in Windows 7. UAC is a security feature that prompts the user for an administrative user’s credentials if the task requires administrative permissions. UAC was first introduced in Windows Vista, but with Windows Server 2008 and Windows Server 2012, it has become much more fine tunable. This feature allows you to decide how you want the user account controls to respond. It is not just an on or off proposition; degrees of filtering are available.
Linux Firewalls
Linux has firewall capabilities built into the operating system. This is has been a part of the Linux operating system for many years, with occasional improvements in the technology.
Iptables
The first widely used Linux firewall was called ipchains. It was essentially a chain of rules for filtering traffic, thus the name. It was first introduced in version 2.2 of the Linux kernel and superseded the previous ipfwadm (which was not widely used). The more modern iptables replaced ipchains and is the primary firewall for Linux. The iptables service was first introduced in Linux kernel 2.4.
On most Linux systems, iptables is installed as /usr/sbin/iptables. However if it was not included in your particular Linux installation, you can add it later as shown in Figure 4.2.
An iptables firewall is made up of three different kinds of objects: tables, chains, and rules. Basically the tables contain chains of rules. Put another way, iptables is an expansion on the concept of ipchains. Each chain has a series of rules that define how to filter packets. There are actually three tables and each has some standard rule chains in it. You can, of course, add your own custom rules. The three tables and their standard chains are as follow:
Packet filtering: This table is the essential part of the firewall. It is a packet filtering firewall and it contains three standard chains: INPUT, OUTPUT, and Forward. The INPUT chain processes incoming packets, and the OUTPUT chain processes traffic sent out from the machine. If the firewall system is also acting as a router, only the FORWARD chain applies to routed packets.
Network address translation: This table is used for performing network address translation on outbound traffic that initiates a new connection. This is used only if your machine is serving as a gateway or proxy server.
Packet alteration: This table is used only for specialized packet alteration. It is often called the mangle table because it alters, or mangles, packets. It contains two standard chains. This table might not even be needed for many standard firewalls.
IPTables Configuration
Iptables requires some configuration. You can do it through the GUI (KDE, GNOME, etc.) but the shell commands are common to most distributions. Let’s take a look at some common, basic configuration issues.
To cause iptables to function as a basic packet filtering firewall, you need these commands:
iptables -F
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
Obviously, that is the most basic and essential iptables configuration. However, here are some others.
To list the current iptables rules you use:
iptables –L
To allow communication on a specific port, in this example using SSH port 22, you use:
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Or perhaps you need to allow all incoming web/HTTP traffic:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Logging dropped packets is also a good idea. The following command does that:
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
--log-level 7
As you can see there are flags that can be passed to the iptables command. The following is a list of the most common flags and what they do.
A: Append this rule to a rule chain.
-L: List the current filter rules.
-p: The connection protocol used.
--dport: The destination port(s) required for this rule. A single port may be given, or a range may be given as start:end.
--limit: The maximum matching rate, given as a number followed by “/second”, “/minute”, “/hour”, or “/day” depending on how often you want the rule to match. If this option is not used and -m limit is used, the default is “3/hour”.
--ctstate: Define the list of states for the rule to match on.
--log-prefix: When logging, put this text before the log message. Use double quotes around the text to use.
--log-level: Log using the specified syslog level.
-i: Only match if the packet is coming in on the specified interface.
-v: Verbose output.
-s --source: address[/mask] source specification.
-d --destination: address[/mask] destination specification.
-o --out-interface: output name[+] network interface name ([+] for wildcard).
This is not a complete list, just some of the common flags used. But it should be enough for you to get iptables basically configured and functioning.
Symantec Norton Firewall
The makers of Norton AntiVirus also sell a personal, single machine firewall. It can be purchased in a bundle along with Norton antivirus software. Like ICF, the Norton firewall is a basic packet filtering firewall. But Norton has an advantage over ICF: It enables you to also block outbound traffic. Blocking outbound traffic is a very significant feature in any firewall (and included in most network firewalls, but not in all personal firewalls) for the following reasons:
If an individual machine is infected with a virus that tries to spread via a particular port that will be blocked.
Many Trojan horses try to communicate via a certain port.
The Norton firewall also includes some additional features such as popup ad blocking and privacy protection. It accomplishes the latter task by preventing information about you from being transmitted via the browser without your knowledge. This firewall gives you a relatively easy-to-use interface, similar to Window’s Explorer, that also enables you to set browser security. It also has a feature that enables you to connect to Norton’s Web site and have that site scan your system for vulnerabilities. This feature is shown in Figure 4.3.
It should be noted that all of these tasks can be done without Norton. You can set your browser security settings, and you can scan your machine for vulnerabilities (even using free tools downloaded from the Internet, some of which will be discussed in Chapter 12). You can also use the built-in ICF to block incoming traffic. However, with Norton you can accomplish all of this via a simpler interface. This is particularly appealing to novice users. It should also be stressed that, unlike ICF, Norton’s firewall can block outgoing traffic as well.
The advantages and disadvantages of Norton Firewall are summarized in the following.
Advantages:
Norton firewall can be purchased as a bundle with Norton AntiVirus software.
Norton firewall is easy to use and set up.
Norton firewall has several extra features, such as the ability to scan your system for vulnerabilities.
Norton firewall also enables you to block outbound traffic.
Disadvantages:
Norton firewall costs almost $50 per copy.
Many of Norton firewall’s features can be done with separate, free tools.
McAfee Personal Firewall
McAfee and Norton are the most widely used antivirus software vendors. Both manufacturers offer personal firewalls for individual PCs. McAfee Personal Firewall offers a packet filtering firewall that is much like Norton and ICF. Like Norton’s firewall, the McAfee Personal Firewall can also block outbound traffic. It is also quite easy to use. Figure 4.4 shows the initial screen for McAfee firewall, and Figure 4.5 shows filtering with McAfee.
Unlike the Norton firewall, the McAfee firewall does not offer a feature that enables you to scan your system for vulnerabilities. However, it does offer a few interesting features that are not found in most personal firewall solutions:
Tracking: McAfee Personal Firewall has a utility that will show you on a map the path from which an attack is coming. It does this in much the same way as the traceroute command, but instead performing trace route commands on the incoming packets and then displaying those routes on a map.
Connected to HackerWatch.org: McAfee Personal Firewall is connected to HackerWatch.org, an anti-hacking Web site that enables you to get tips and news on the latest threats.
Like Norton and ICF, Personal firewall has advantages and disadvantages, listed below:
Advantages:
McAfee Personal Firewall blocks outbound and inbound traffic.
McAfee Personal Firewall is easy to use and set up.
McAfee Personal Firewall links to anti-hacking news and tips.
Disadvantages:
McAfee Personal Firewall costs from $30 to $50 depending on the version.
Some extra features in McAfee Personal Firewall (like the link to anti-hacking news) can be obtained without this product.
Wolverine
Wolverine is a robust commercial firewall solution for Linux available from www.coyotelinux.com/. Wolverine provides Stateful Packet Inspection, built-in VPN capabilities (VPNs are discussed in detail in Chapter 7), several encryption methods (AES, DES, and more), and offers a Web-based administration utility. This is an excellent solution for any network using Linux.
The advantages and disadvantages of the Wolverine firewall are summarized below.
Advantages:
Wolverine is a very low cost solution. The most expensive version of this product is under $200.
Wolverine includes built-in VPN capabilities.
Wolverine offers built-in encryption.
Wolverine provides Web-based administration.
Disadvantages:
Frankly, when compared to any other firewall in its price range, Wolverine only has two disadvantages.
Wolverine is Linux-based, and many organizations are standardized on Microsoft.
Wolverine is network host-based, which means that it is dependent upon the security of the underlying operating system.
Using Small Office/Home Office Firewalls
The small office/home office system (often referred to as SOHO) will frequently have needs similar to the individual PC firewall. The personnel maintaining the firewall will likely have limited network administration and security training. Both Norton and McAfee offer solutions designed to be perimeter firewalls for a small network. These products are quite similar to their individual PC firewalls, but with added features and a slightly higher cost. However, there are other solutions for the SOHO which we will examine here. Keep in mind that one critical consideration with any firewall for this environment is ease of installation and use.
SonicWALL
SonicWALL is a vendor of several firewall solutions. Their T170 series is made specifically for small networks with 10 to 25 users. It costs between $350 and $700, depending on the version and retailer. T170 is a router-based firewall, as shown in Figure 4.6.
Most importantly, this product uses Stateful Packet Inspection, which is significantly more secure than basic packet filtering.
One additional feature that SonicWALL products offer is built-in encryption so that all transmissions are encrypted. Currently their products offer AES and 3DES encryption. While not strictly a firewall feature, this is an important part of network security. When packets are being sent around a network and outside the network, it is not difficult to intercept those packets with a packet sniffer and get the data if the packets are not encrypted.
Management of the SonicWALL firewall should be easy to master for those familiar with Windows 2000 and later versions of Windows because the management is based on objects, such as users, groups, and even IP address ranges (SonicWALL Data Sheet, 2004). Once a group is defined, you can apply filtering/blocking properties to that group.
SonicWALL, as well as many other modern firewalls, offers built-in NAT. This technology is designed to replace proxy servers. It accomplishes the same goal of hiding internal network IP addresses from the external world.
The advantages and disadvantages of SonicWALL are briefly listed here.
Advantages:
SonicWALL firewalls provide stateful packet inspection.
SonicWALL firewalls provide built-in encryption.
SonicWALL firewalls provide management and configuration that is easy for Windows administrators.
SonicWALL firewalls provide built-in NAT.
Disadvantages:
The price of SonicWALL firewalls may be prohibitive for small offices on a tight budget.
SonicWALL firewalls require some skill to configure and are not intended for the complete novice.
D-Link DFL–300 Office Firewall
D-Link makes a number of products for home users and for small offices. Its Office firewall product is a router-based firewall that uses Stateful Packet Inspection to filter network traffic. It allows for remote users to connect to it using DES encryption, which is a widely used, very secure encryption method. It logs all Web traffic, and it also enables administrators to filter certain Web addresses. The DFL-300 is specifically designed to detect many common DoS attacks and to block that traffic. The DFL-300 is shown in Figure 4.7.
This firewall is fairly easy to configure and has a Web-based interface, similar to the type used by many home wireless router manufacturers. By using any computer connected directly to the router, you can enter the router’s IP address and you will be presented with a Web page that enables you to configure the router. Of course, one of the first things you should do is change the password to prevent other parties from reconfiguring your router-based firewall. This firewall solution can cost anywhere from $350 to $500. Unlike many firewall solutions, the vendor does not require any additional licenses for additional users, so if your company goes from 20 to 50 users, it need not purchase additional licenses (D-Link Data Sheet, 2004).
Here are the advantages and disadvantages of the DFL-300:
Advantages:
The DFL-300 includes built-in reliable encryption.
The DFL-300 is inexpensive compared to other SOHO firewalls.
The DFL-300 has a liberal licensing policy.
The DFL-300 is easy to configure.
The DFL-300 uses Stateful Packet Inspection.
DFL-300 combines multiple firewall types.
DFL-300 includes built-in NAT.
DFL-300 includes built-in VPN.
Using Medium-Sized Network Firewalls
Medium-sized networks can be defined as having as few as 25 users up to several hundred users all on a single LAN at a single location. Administrators of medium-sized networks face configuration and security issues beyond what an administrator in a home or small offices might encounter. To begin with, medium-sized networks are likely to have a more diverse group of users and applications running. Each of these presents different access needs and security requirements. On the other hand, medium-sized networks typically benefit from the support of dedicated network administration personnel. This means there is someone on site who has at least a basic understanding of computer security.
Check Point Firewall-1
Check Point is a well-known manufacturer of security equipment, and its Firewall-1 product is designed explicitly for use on medium- to large-sized networks. Firewall-1 features host-based configuration. Recall from Chapter 3 that this means the firewall must be installed on an existing server that will serve as the firewall. Firewall-1 is available for Windows 2000 (Server and Advanced Server editions), Sun Solaris (8 and 9), as well as Red Hat Linux.
In addition to filtering packets, Firewall-1 provides filtering based on application. It also requires that a computer connecting to the network from outside the firewall must be authenticated. This makes it a sort of hybrid between packet filtering and application gateway, but its packet filtering uses Stateful Packet Inspection, not simple packet screening. Perhaps most importantly, Firewall-1 automatically blocks and then logs any oversized packets or packets that appear to be part of a SYN flood. As you learned in Chapter 2, oversized packets and SYN floods are two common DoS techniques.
Check Point offers a number of other security products, including intrusion-detection systems (IDS will be discussed in detail in Chapter 5). Check Point sells many package solutions that include a firewall as well as some of these additional security products, though such packages can cost anywhere from $3000 to more than $50,000 (Checkpoint Firewall-1 Data Sheet, 2004).
The advantages and disadvantages of Firewall-1 are as follows:
Firewall-1 combines Stateful Packet Inspection with an application gateway.
Firewall-1 protects against common DoS techniques.
Disadvantages:
All host-based firewalls such as Firewall-1 are dependent on the security of the underlying operating system.
Firewall-1 requires at least moderate skill to administer and configure.
The cost of Firewall-1 can be prohibitive to some organizations.
Cisco PIX 515E
Cisco is a very well known manufacturer of networking equipment, especially routers, so it should come as no surprise that it also makes firewalls. It should also be stressed that their PIX series has multiple models, some for SOHO solutions and others for large-scale enterprise solutions. The 515E is designed for small- to medium-sized networks. The 515E is shown in Figure 4.8.
The PIX 515E firewall solution utilizes Stateful Packet Inspection to filter traffic. It also has built-in intrusion-detection software and NAT. All of the PIX series firewalls offer AES, DES, or 3DES encryption built in. The 515E model also has security features that monitor voice over IP and multimedia transmissions for potential threats.
Most importantly, the PIX 515E has a range of capabilities for identifying potentially malicious packets. It looks for oversized packets, malformed packets, packets from fake IP sources, and other telltale signs that a packet might be part of an attack. If it detects a probable attack, it blocks the traffic and logs the event. The PIX 515E sells for between $1800 and $2600, depending on whether you purchase a refurbished or new unit as well as the retail vendor.
One of the strengths of Cisco products is the extensive training available for their systems. Cisco sponsors a number of certifications for their products. Their highest certification, the Cisco Certified Internetworking Engineer (CCIE) is one of the most widely respected and most rigorous certifications in networking. This certification process enables you to easily identify qualified people to work with your Cisco equipment. It also enables you to identify appropriate training plans for your existing staff.
The advantages and disadvantages of the PIX 515E are listed below.
Advantages:
The PIX 515E uses SPI filtering.
The PIX 515E features built-in robust encryption.
Cisco product-specific training is available for the PIX 515E.
The PIX 515E includes NAT.
The PIX 515E includes voice over IP and multimedia security options.
Disadvantages:
The PIX 515E may be cost prohibitive for some organizations.
The PIX 515E requires at least moderate skill to configure and administer.
Using Enterprise Firewalls
An enterprise network is a large network that is often made up of several local networks connected over a wide area network, or WAN. Large corporations and government agencies frequently use this type of environment. The enterprise environment presents a number of challenges not found in smaller networks. First, each small local network that is connected to the enterprise must be secured. You should also recognize that most enterprise networks include many different types of users, applications, and even operating systems. You may have Unix, Linux, Windows, and Macintosh running a combination of hard wired and wireless network connections. In addition, your end users will probably be quite diverse, including everything from clerical workers to skilled IT professionals. This presents a very complex security challenge, but all enterprise networks are supported by multiple network administrators. Many enterprise networks are supported by a dedicated network security professional. This provides the skill set necessary to deal with such complex situations.
Fortigate 3600
The Fortigate 3600 received SearchNetworking.com’s Gold Award for 2003. It is a hardware (router-based) solution that provides total network protection. It provides virus scanning at the firewall before packets ever reach individual machines. This also means that non-e-mail packets such as FTP and TCP messages are scanned for virus infections before being allowed into your network. The Fortigate 3600 is shown in Figure 4.9.
The entire Fortigate series also has built-in intrusion-detection. And like many firewall solutions, it also enables administrators to configure content filtering to block certain Web sites and e-mail messages. Fortigate’s content filtering also enables them to set cookie handling, ActiveX handling, and script handling at the firewall. This can be very useful, as it prevents worries about the browser settings on each and every machine in an organization.
This firewall solution provides NAT and your choice of encryption using AES, DES, or 3DES. One very interesting feature is that Fortigate’s maintenance package includes a 24-hour-a-day service that constantly monitors new threats (new viruses, worms, etc.). This service pushes new patches to your firewall within hours of a new threat appearing on the Internet. The firewall implements user authentication as well as Stateful Packet Inspection, but the system is quite expensive and requires at least moderate knowledge to be able to configure and administer.
The advantages and disadvantages of the Fortigate firewall include the following:
Advantages:
The Fortigate firewall offers SPI and user authentication.
The Fortigate firewall has built-in IDS and virus scanning.
The Fortigate firewall features 24-hour update service.
The Fortigate firewall has built-in robust encryption.
The Fortigate firewall provides very extensive content filtering.
The Fortigate firewall itself can cost more than $20,000 depending on the model, and the service contracts cost several thousand dollars per year.
As all these very valuable descriptions and techniques are in place, I believe it might be appropriate to begin a dialogue on the subject of Attacking an Enterprise Site. I only say this because from the perspective of a book titled, Network Defense and Counter Measures it helps to approach the topic from the point of view of an attack. Sometimes we see this discussed under the title, “Anatomy of an Attack.”
Summary
The type of firewall that is most appropriate for a network depends, at least in part, on the size of the network. Within each size category there are a number of options for a firewall solution, each with its own advantages and disadvantages.
It is important to consider both the technical merits of a firewall solution and the ease of use. A firewall solution’s degree of user-friendliness is largely contingent upon the skill set of the support staff that will implement it. Administrators also must balance cost verses benefit. Clearly, the more expensive firewalls have some impressive features, but they may not be necessary for an organization and may negatively impact its overall IT budget.
May I suggest another element is the overall operation of firewall systems. My thoughts are to present a discussion on THE person who has responsibility to manage. It has been my experience too often that our systems of protection are relegated to a person who may not be analytically trained to discern various intricacies of firewall setup and maintenance. It is one thing to set up a firewall and quite another to manage a firewall. We are not only limited or at risk by the equipment and person but also by company policy. For your consideration.
Test Your Skills
Multiple Choice Questions
1. Which of the following is a common problem when seeking information on firewalls?
A. It is difficult to find information on the Web.
B. Unbiased information might be hard to find.
C. Documentation is often incomplete.
D. Information often emphasizes price rather than features.
2. Which of the following is not a common feature of most single PC firewalls?
A. Software-based
B. Packet filtering
C. Ease of use
D. Built-in NAT
A. Windows XP Internet Connection Firewall
B. Windows XP Internet Control Firewall
C. Windows 2000 Internet Connection Firewall
D. Windows 2000 Internet Control Firewall
4. Should a home user with a firewall block port 80, and why or why not?
A. She should not because it would prevent her from using Web pages.
B. She should because port 80 is a common attack point for hackers.
C. She should not because that will prevent her from getting updates and patches.
D. She should unless she is running a Web server on her machine.
5. Should a home user block ICMP traffic, and why or why not?
A. It should be blocked because such traffic is often used to transmit a virus.
B. It should be blocked because such traffic is often used to do port scans and flood attacks.
C. It should not be blocked because it is necessary for network operations.
D. It should not be blocked because it is necessary for using the Web.
6. Which of the following is found in Norton’s personal firewall but not in ICF?
A. NAT
B. A visual tool to trace attacks
C. Vulnerability scanning
D. Strong encryption
7. What tool does McAfee Personal Firewall offer?
A. A visual tool to trace attacks
B. NAT
C. Strong encryption
D. Vulnerability scanning
8. What type of firewall is SonicWALL T170?
A. Packet screening
B. Application gateway
C. Circuit-level gateway
D. Stateful Packet Inspection
9. Which type of encryption is included with the T170?
A. AES and 3DES
B. WEP and DES
C. PGP and AES
D. WEP and PGP
10. NAT is a replacement for what technology?
A. Firewall
B. Proxy server
C. Antivirus software
D. IDS
11. Which of the following is an important feature of D-Link DFL 300?
A. Built-in IDS
B. WEP encryption
C. Vulnerability scanning
D. Liberal licensing policy
12. Medium-sized networks have what problem?
A. Lack of skilled technical personnel
B. Diverse user group
C. Need to connect multiple LANs into a single WAN
D. Low budgets
13. What type of firewall is Check Point Firewall-1?
A. Application gateway
B. Packet filtering/application gateway hybrid
C. SPI/application gateway hybrid
D. Circuit-level gateway
14. What implementation is Check Point Firewall-1?
A. Router-based
B. Network-based
C. Switch-based
D. Host-based
15. Which of the following is a benefit of Cisco firewalls?
A. extensive training available on the product
B. very low cost
C. built-in IDS on all products
D. built-in virus scanning on all products
16. What is an advantage of an enterprise environment?
A. multiple operating systems to deal with
B. skilled technical personnel available
C. lower security needs
D. IDS systems not needed
17. What is one complexity found in enterprise environments that is unlikely in small networks or SOHO environments?
A. multiple operating systems
B. diverse user groups
C. users running different applications
D. Web vulnerabilities
18. Which of the following is not an advantage of the Fortigate firewall?
A. built-in virus scanning
B. content filtering
C. built-in encryption
D. low cost
Exercises
Note: Some of the exercises here use commercial tools. All of these exercises can also be completed using free software from the following sites:
http://www.techsupportalert.com/best-free-firewall-protection.htm
http://download.cnet.com/ZoneAlarm-Free-Firewall/3000-10435_4-10039884.html
www.firewallguide.com/freeware.htm
Exercise 4.1: The McAfee Firewall
1. Download the McAfee personal firewall. You may wish to download one copy to one machine for the entire class to take turns using, or contact McAfee and request an academic discount or free copy. http://download.mcafee.com/products/webhelp/4/3081/GUID-59074DB7-2897-418F-8ADC-00D75E2C3C62.html
2. Install and configure the McAfee firewall on your machine.
3. Examine the firewall’s configuration utilities.
4. Examine extra features such as its attack tracing utility.
5. Attempt to send packets to blocked ports on that firewall.
Exercise 4.2: The Norton Firewall
1. Download the Norton personal firewall from http://norton-personal-firewall.en.softonic.com/ for $49.95.
2. Install and configure the firewall on your machine.
3. Examine the firewall’s configuration utilities.
4. Pay particular attention to extra features such as its vulnerability scanning.
5. Attempt to send packets to blocked ports on that firewall.
Exercise 4.3: Router-Based Firewall
Note: For cost reasons a specific router is not mentioned here. Many companies and vendors will donate old routers they no longer use to academic labs. You can go to a used computer equipment outlet and find an older router-based firewall for use in the lab.
1. Using the firewall’s documentation, set up this firewall. It should be connected to at least one machine.
2. Attempt to send packets to blocked ports on that firewall.
Exercise 4.4: Zone Alarm Firewall
This product was not covered in this chapter, but you can work with it quite easily. Simply follow these steps:
1. Download the free version from http://www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm
2. Install and configure this firewall.
3. Observe how it works and compare it to Norton and McAfee.
Contact an organization you are associated with (an employer, your school, a local company, etc.). Explain to the organization that you are doing a school project and arrange to discuss its firewall solution with the network administrator. Determine why the organization selected its particular solution. Was cost a major factor? Was ease of use a major factor? What features were most important to them? Explain your findings and discuss whether you agree or disagree with that organization’s choice.
Project 4.2: Finding a Different SOHO Solution
Using the Web or other resources, find a SOHO firewall not mentioned in this chapter. Briefly compare and contrast it to the solutions that were mentioned in the chapter. Evaluate whether the firewall you found is a better choice than the ones mentioned in the chapter and discuss why or why not.
Project 4.3: Selecting the Proper Firewall
Analyze the environment of your academic institution. Is it a medium-sized network or enterprise? What types of users utilize the network? Are there multiple operating systems? Is there sensitive data that requires additional security? Based on the factors you analyze, write a brief essay describing the environment and recommending a firewall solution. Explain your recommendation.