CHAPTER SUMMARY
An essential element of network security, a firewall is a filtering service used to protect your network and hosts from a variety of threats, both internal and external. Several types of firewalls are available, including screening routers, hardware appliances, and host software products. Each of these firewalls can employ one or more features for ingress and egress filtering. The common filtering features include static packet filtering, stateful inspection or dynamic packet filtering, NAT, application proxy, and circuit proxy.
Firewalls are useful in many different situations. Every network infrastructure can benefit from proper use of a firewall. When making a choice about which firewall to deploy, consider a breadth of options, including the needs of both small and large network environments, host software firewalls, native OS firewalls, third-party OS firewall alternatives, ISP connection device firewalls, commercial firewall options, open-source firewalls, hardware firewalls, next-generation firewalls, and virtual firewalls.
KEY CONCEPTS AND TERMS
Border firewall
Deny by default/allow by exception
Next-generation firewall (NGFW)
Public key infrastructure (PKI)
Service set identifier (SSID)
CHAPTER 5 ASSESSMENT
- Which of the following is true of firewall rules?
- Rules follow the allow by default/deny by exception philosophy.
- No rules on a firewall are exceptions.
- All rules on a firewall are exceptions.
- The final rule is that anything that did not match one of the exceptions is allowed by default.
- Which of the following attacks is not stopped by a border firewall?
- Port scans
- Protocol abuses
- Inside client to internal host attack
- Flooding attacks
- Which of the following is not true of firewalls?
- A firewall is a type of authentication system.
- A firewall can filter traffic.
- A firewall can provide routing functions.
- A firewall is a traffic control device.
- Which of the following best defines ingress filtering?
- Blocking traffic leaving a network
- Limiting host activities to that host
- Monitoring traffic on its way into the network
- Denying all traffic to specific ports
- What is another name for dynamic packet filtering?
- Stateful inspection
- Static packet filtering
- Structured packet filtering
- Sequential inspection
- Which of the following is a method of filtering that automatically keeps track of sessions on a limited timeout basis to allow the responses to queries to reach internal systems?
- Application filtering
- Deep packet inspection
- Dynamic packet filtering
- Static packet filtering
- Which of the following is a form of filtering that allows communication, regardless of whether a session was previously established?
- Circuit proxy
- Dynamic packet filtering
- Deep packet inspection
- Stateless filtering
- Which activity differentiates a triple-homed firewall from a dual-homed firewall?
- Physical isolation of subnets
- Deployment of the device as an appliance
- Deployment of traffic from the Internet to a DMZ
- Filtering of content including attachment deletion
- When deploying software firewalls, what is the maximum number that should be operational on a single system at one time?
- 1
- 2
- 5
- 10
- Which of the following is not a content-filtering method?
- Domain name
- Source IP address
- Keywords in the packet
- Filename