Apply Your Knowledge

Exercises

5.1. Identify Firewall Features Required by a Small Business

A small business requires control over which Web sites users on the internal network can visit. In addition, some of the users require outbound access to PPTP VPN servers on the Internet. The business has a single public IP address assigned by its ISP.

Estimated Time: 15 minutes

1. What firewall features are required to allow access control based on the URL entered in the users' browsers?

2. What firewall functionality is required to allow users on the internal network to access VPN servers on the Internet?

3. What firewall feature allows multiple users on the internal network to access the Internet through a single IP address on the firewall's external interface?

5.2. VPN Protocols

There are two major VPN protocols in general use today: PPTP and L2TP/IPSec. Review the features of both protocols and consider the following:

Estimated Time: 15 minutes

1. Which VPN protocol is easier to configure and supports more client machines in the world today?

2. What are the advantages of L2TP/IPSec? What is the primary disadvantage of using L2TP/IPSec?

3. Compare and contrast the relative merits of VPNs and direct dial-up networks.

5.3. Firewall Architectures

There are a number of different firewall architectures. Review the firewall architectures section of this chapter and consider the following:

Estimated Time: 15 minutes

1. Are the different architectures mutually exclusive, or can they be used to complement one another?

2. What architecture would you consider the most secure?

3. What architecture would you use in a Web hosting environment?

Review Questions

1:All networks connected to the Internet require a firewall. But do firewalls provide complete protection from attack? What types of exploits are firewalls powerless to stop?
2:What is the difference between a stateful/dynamic packet-filtering firewall and an Application layer firewall? Give an example of a check that only an Application layer firewall can perform.
3:How should you configure a Bastion host? Do you believe it is realistic to remove all management tools from a Bastion host? How exposed must a server be before you are willing to accept the cost of configuring it correctly as a Bastion host?
4:Have you implemented an L2TP/IPSec VPN? If not, what stopped you from implementing one? Can you implement a simple L2TP/IPSec within the next two hours? Why or why not?
5:Under what circumstances would you prefer a direct-dial RAS solution over a VPN?

Exam Questions

1:From the firewall's standpoint, on which type of network are the internal network hosts?
  A. Trusted network

  B. Untrusted network

  C. DMZ network

  D. Host network

2:What are the three types of firewalls in general use today?
  A. Packet-filtering firewalls

  B. Circuit layer firewalls

  C. Application layer firewalls

  D. Logical link layer firewalls

3:On which two of the following elements does a simple packet-filtering firewall base its allow and deny decisions?
  A. Source IP address

  B. Source UDP port number

  C. Destination IP address

  D. Source MAC address

4:You have created a packet filter to allow inbound access to your Web server's TCP port 80. You do not need to create a second packet filter to allow the Web server to respond to client requests. What type of packet-filtering firewall are you using?
  A. Application packet filtering

  B. Dynamic packet filtering

  C. Datalink layer filtering

  D. SYN filtering

5:What type of firewall uses source and destination IP addresses, and source and destination port numbers, in making allow or deny decisions?
  A. Packet-filtering firewall

  B. Circuit layer firewall

  C. Application layer firewall

  D. Nmap

6:Your network security policy dictates that users must not be able to view Web pages that contain words deemed unacceptable by the Web security review committee. What type of firewall do you require to enforce such a policy?
  A. Dynamic packet filtering

  B. Stateful packet filtering

  C. Application layer

  D. Application layer gateway

7:Your network security policies dictate that users must not receive email with attachments. What type of firewall would review the SMTP headers to determine whether the message contains an attachment?
  A. Circuit filtering firewall

  B. MAC filtering firewall

  C. Application layer firewall

  D. SMTP relay server

8:A business wants to connect all of its computers to the Internet but has been assigned only a single public IP address. What feature on the firewall is required to support such a setup?
  A. Certificate mapping

  B. Network address translation

  C. Application proxying

  D. MEC encoding

9:You have a server on your internal network with an IP address of 192.168.1.1 and you are concerned that a hacker on the Internet will be able to connect to the server by making a new inbound request. What prevents the hacker from making a new connection from his computer to your internal network server?
  A. NAT devices cannot accept new inbound requests from Internet hosts.

  B. You cannot connect to servers on private networks.

  C. Requests to private IP addresses are dropped by Internet routers.

  D. None of the above.

10:Your organization is connected to the Internet via a router that has packet filtering enabled. A firewall separates the private network from the network segment between the router and the firewall. What role is the router taking in this scenario?
  A. Bastion host

  B. DMZ server

  C. Screening router

  D. Multihomed firewall

11:A company has an SMTP relay and a public Web server that it wants to make available to the general Internet. Where should it place these public resources?
  A. On the internal network

  B. On a network segment outside of corporate administrative control

  C. On a DMZ segment

  D. None of the above

12:Which of the following tools should be available on a Windows 2000 server configured as a Bastion host?
  A. ntbackup.exe

  B. cmd.exe

  C. ftp.exe

  D. None of the above

13:Which of the following are advantages of VPNs over direct dial-up lines?
  A. Lower cost

  B. Higher security

  C. Higher availability

  D. Ease of configuration

14:Which VPN protocol protects your network even if a user has divulged his password to an untrusted source?
  A. PPTP

  B. PPP

  C. L2TP/IPSec

  D. LCP

15:What encryption protocol is used by PPTP?
  A. IPSec

  B. MPPE

  C. MS-CHAP

  D. MP3

Answers to Exercises

Exercise 5.1
  1. Application layer firewall, such as a Web Proxy service

  2. Packet filtering to open VPN ports outbound on the firewall

  3. Network Address Translation

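The firewall described in items 2 and 3 of this exercise, as an added example that is not part of the book: a Python simulation of a packet filter with dynamic state sitting behind Network Address Translation. It also illustrates Exam Question 4 (replies to a flow are admitted from the state table, without a second rule) and the caveat to Exam Question 9 (a static mapping exposes a private address). Everything in it is constructed: 198.51.100.1 is the assumed single public address, 203.0.113.0/24 stands in for the Internet, and the port-allocation and reverse-lookup logic is a deliberately simple model with no timeouts and no TCP flag tracking.

```python
"""Added example (not from the book): a NAT/PAT firewall with dynamic
packet filtering, simulated in Python. Addresses are constructed:
198.51.100.1 is the firewall's single public address, 203.0.113.0/24
stands in for the Internet, 192.168.1.0/24 is the internal network."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatFirewall:
    """Masquerades every outbound flow behind one public address, lets the
    matching replies back in (dynamic packet filtering) and drops any other
    inbound packet unless a static mapping (port forward) covers it."""

    def __init__(self, public_ip: str, internal_prefix: str = "192.168.1.",
                 first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.internal_prefix = internal_prefix
        self.next_port = first_port
        # (src, sport, dst, dport, proto) -> public port allocated to the flow
        self.flows: Dict[Tuple[str, int, str, int, str], int] = {}
        # (public port, remote ip, remote port, proto) -> (internal ip, port)
        self.replies: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}
        # (public port, proto) -> (internal ip, port): administrator-defined
        self.static: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def add_static_mapping(self, public_port: int, internal_ip: str,
                           internal_port: int, proto: str = "tcp") -> None:
        self.static[(public_port, proto)] = (internal_ip, internal_port)

    def is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def process(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as forwarded, or None if the firewall drops it."""
        if self.is_internal(pkt.src) and not self.is_internal(pkt.dst):
            return self._outbound(pkt)
        if pkt.dst == self.public_ip and not self.is_internal(pkt.src):
            return self._inbound(pkt)
        return None  # anything else (e.g. a spoofed internal source) is dropped

    def _outbound(self, pkt: Packet) -> Packet:
        # A server behind a static mapping answers from its mapped public port.
        for (pub_port, proto), target in self.static.items():
            if proto == pkt.proto and target == (pkt.src, pkt.sport):
                return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, pkt.proto)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        pub_port = self.flows.get(key)
        if pub_port is None:  # first packet of a new flow: allocate a port, record state
            pub_port = self.next_port
            self.next_port += 1
            self.flows[key] = pub_port
            self.replies[(pub_port, pkt.dst, pkt.dport, pkt.proto)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, pkt.proto)

    def _inbound(self, pkt: Packet) -> Optional[Packet]:
        # Reply to a flow an inside host opened: the state table admits it
        # without any administrator-defined inbound rule (Exam Question 4).
        state = self.replies.get((pkt.dport, pkt.src, pkt.sport, pkt.proto))
        if state is not None:
            inside_ip, inside_port = state
            return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.proto)
        # A new inbound connection reaches an inside host only via a static mapping.
        target = self.static.get((pkt.dport, pkt.proto))
        if target is not None:
            inside_ip, inside_port = target
            return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.proto)
        return None  # unsolicited inbound: no state, no mapping, dropped


def demo() -> Dict[str, Optional[Packet]]:
    """Constructed traffic: one outbound Web request, its reply, an unsolicited
    probe, and a probe that a port forward lets through."""
    fw = NatFirewall("198.51.100.1")
    out = fw.process(Packet("192.168.1.10", 51000, "203.0.113.5", 80))
    results = {"outbound": out}
    # The Web server's reply matches the recorded flow and is translated back.
    results["reply"] = fw.process(Packet("203.0.113.5", 80, "198.51.100.1", out.sport))
    # Nobody inside asked for this: no state entry, so it is dropped.
    results["unsolicited"] = fw.process(Packet("203.0.113.99", 4444, "198.51.100.1", 3389))
    # A port forward exposes 192.168.1.1 despite its private address (Exam Question 9).
    fw.add_static_mapping(80, "192.168.1.1", 80)
    results["forwarded"] = fw.process(Packet("203.0.113.99", 4444, "198.51.100.1", 80))
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} -> {'DROP' if pkt is None else pkt}")
```

The point to take from the last two packets in `demo()` is that the private address does nothing once an administrator adds a mapping; the protection in Question 9 comes from the absence of state and of any mapping, not from NAT as such.
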
Exercise 5.2
  1. PPTP

  2. More secure; not password dependent. Requires PKI to be in place for certificate distribution. (See Chapter 9, “Cryptography and Public Key Infrastructure,” for more details on PKI.)

  3. VPN—Low cost

    Dial-up—More secure, easier to implement

Exercise 5.3
  1. No mutual exclusivity in the architectures

  2. DMZ with Bastion hosts on the DMZ segment and a Multihomed firewall and screening router

  3. A DMZ with Bastion hosts on the DMZ segment would fit this hosting scenario best.

Answers to Review Questions

A1: Firewalls block unauthorized attempts to reach the internal network, but they cannot stop attacks that ride inside traffic the policy permits, such as an exploit against a service the firewall deliberately exposes or malicious content carried in permitted email and Web traffic, nor attacks that originate inside the perimeter. They do not replace host-based access controls; defense in depth requires that every participant in network communications be protected. See the section “Introduction to Firewalls.”
A2: An Application layer firewall is able to analyze the contents of Application layer headers and data. Packet filters do not have this capability. See the sections “Packet Filtering” and “Application Layer Inspection.”
A3: A Bastion host should have no management tools on it. If the Bastion host must be highly secured, the balance tips toward making the server unmanageable remotely. If you can tolerate periodic intrusions or data compromise on the Bastion host, the balance may favor leaving tools on the server for remote access. See the section “Bastion Hosts.”
A4: Most administrators who have not implemented L2TP/IPSec VPN have not done so because they are not comfortable with setting up the required PKI and certificate services. See the section “L2TP/IPSec.”
A5: If all employees live within a local calling area, it may be more cost effective to allow direct dial-in RAS connections rather than VPN. Only a comparative cost analysis would be able to determine the best strategy. See the section “Introduction to VPNs.”

Answers to Exam Questions

A1: A. A trusted network contains hosts that are under the administrative control of the corporation. See the section “Introduction to Firewalls.”
A2: A, B, C. Packet-filtering, circuit layer, and Application layer firewalls are all used today. There is no logical link layer firewall. See the section “Packet Filtering.”
A3: A, C. Simple packet filters use only the source and destination address to make allow and deny decisions. See the section “Packet Filtering.”
A4: B. A dynamic packet filter can automatically create response ports so that hosts on the internal network can respond to client requests. See the section “Packet Filtering.”
A5: B. Circuit layer firewalls are able to evaluate both the IP and Transport layer headers to make allow and deny decisions. See the section “Circuit Layer Filtering.”
A6: C. To read the data in the HTTP header, you must use an Application layer firewall. See the section “Application Layer Inspection.”
A7: C. To read the message headers carried over SMTP (the MIME Content-Type and Content-Disposition headers that mark an attachment), you must use an Application layer firewall; packet and circuit filters see only the IP and Transport layer headers. See the section “Application Layer Inspection.”
A8: B. A network address translator is able to replace the source IP address with its own public address. This allows all internal network clients to access the Internet. See the section “Network Address Translation (NAT).”
A9: C. Hosts with private network addresses cannot be reached from the Internet because Internet routers carry no routes for those networks and drop requests to them. Note that the NAT device itself is not what protects the server: a static mapping (port forward) on the firewall would expose 192.168.1.1 to new inbound requests. See the section “Network Address Translation (NAT).”
A10: C. A screening router filters packets before they are passed through the router. See the section “Screening Router.”
A11: C. In general, public resources should be placed on a DMZ segment to prevent Internet users from accessing resources on the private network. See the section “Screened Subnet or DMZ Segment.”
A12: D. No utilities that can be used to manage the server should be left on the Bastion host. Tools should be removed so as to prevent Internet intruders from using them against you. See the section “Bastion Hosts.”
A13: A. The only advantage of VPNs over direct dial-up is lower cost. See the section “Introduction to VPNs.”
A14: C. Because L2TP/IPSec requires a machine certificate in addition to password authentication, loss of password security will not by itself compromise the L2TP/IPSec VPN. See the section “L2TP/IPSec.”
A15: B. PPTP uses MPPE as its encryption protocol. MPPE requires that Microsoft-CHAP or EAP/TLS be used as the PPP authentication protocol, because its keys are derived from that exchange; with MS-CHAP, the strength of PPTP's encryption therefore rests on the user's password. See the section “PPTP.”
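Exam Questions 6 and 7 and their answers turn on one capability: reading Application layer headers. As an added example that is not from the book, the following Python code (standard library `email` module; the three messages are constructed samples) performs the attachment check of Question 7 the way an Application layer firewall or SMTP proxy would, walking nested MIME structures rather than looking only at top-level parts.

```python
"""Added example (not from the book): application-layer inspection of an
SMTP message for attachments, using Python's standard email parser.
The three messages at the bottom are constructed samples."""
from email import message_from_string
from email.policy import default as DEFAULT_POLICY
from typing import List, Tuple

BODY_TYPES = ("text/plain", "text/html")


def find_attachments(raw_message: str) -> List[str]:
    """Return a name (filename, else content type) for every leaf part that
    would be delivered as an attachment, including parts nested inside
    multipart/alternative or multipart/related containers."""
    msg = message_from_string(raw_message, policy=DEFAULT_POLICY)
    found: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry structure only, no payload of their own
        disposition = part.get_content_disposition()  # 'attachment', 'inline' or None
        filename = part.get_filename()  # also honours a Content-Type name= parameter
        ctype = part.get_content_type()
        # A message body is a text part with no filename and no explicit
        # attachment disposition; everything else is treated as an attachment.
        is_body = disposition != "attachment" and filename is None and ctype in BODY_TYPES
        if not is_body:
            found.append(filename or ctype)
    return found


def smtp_policy_decision(raw_message: str) -> Tuple[str, List[str]]:
    """The policy from Exam Question 7: messages with attachments are refused."""
    attachments = find_attachments(raw_message)
    return ("deny", attachments) if attachments else ("allow", [])


# Constructed sample 1: plain text, nothing attached.
PLAIN = """From: alice@example.com
To: bob@example.com
Subject: lunch
Content-Type: text/plain; charset=us-ascii

Noon?
"""

# Constructed sample 2: the attachment sits next to a nested
# multipart/alternative body and carries no Content-Disposition header,
# only a name= parameter, which a top-level-only check would miss.
NESTED_ATTACHMENT = """From: alice@example.com
To: bob@example.com
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset=us-ascii

See attached.
--inner
Content-Type: text/html; charset=us-ascii

<p>See attached.</p>
--inner--
--outer
Content-Type: application/octet-stream; name="q3.xls"
Content-Transfer-Encoding: base64

AAAA
--outer--
"""

# Constructed sample 3: an inline image is still a file delivered to the user.
INLINE_IMAGE = """From: alice@example.com
To: bob@example.com
Subject: logo
MIME-Version: 1.0
Content-Type: multipart/related; boundary="rel"

--rel
Content-Type: text/html; charset=us-ascii

<img src="cid:logo">
--rel
Content-Type: image/png
Content-ID: <logo>
Content-Disposition: inline; filename="logo.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--rel--
"""

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("nested", NESTED_ATTACHMENT), ("inline", INLINE_IMAGE)):
        print(label, smtp_policy_decision(sample))
```

The second sample is the case that matters in practice: relying on a `Content-Disposition: attachment` header at the top level of the message would let it through, which is why the check walks every leaf part and falls back to the Content-Type name parameter.
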

Suggested Readings and Resources

1. Configuring ISA Server 2000: Building Firewalls with Windows 2000, Dr. Thomas W. Shinder and Debra Shinder.

2. Building Internet Firewalls, 2nd Ed., Elizabeth Zwicky, Simon Cooper, Brent Chapman, and Deborah Russell.

3. Microsoft VPN Resource Center, www.microsoft.com/vpn.

4. TCP/IP Illustrated, Volume 1: The Protocols, Richard Stevens.
