
Chapter 5

Firewalls

Name: ________________________________________________

E-Mail: _______________________________________________

1. a) What are border firewalls?

b) Distinguish between ingress and egress filtering.

c) Name the types of firewall inspection.

d) Do commercial products normally limit themselves to a single type of
inspection?

2. a) What is the purpose of a screening router firewall?

b) Why are routers attractive as screening firewalls?

c) Why are routers not attractive?

3. a) Why are computer-based firewalls attractive to customers?

b) Why are they somewhat unattractive?

4. a) Why are firewall appliances attractive?

b) Why are they somewhat unattractive?

5. a) Why are host firewalls attractive?

b) Why are they somewhat unattractive?

6. a) Why is firewall performance important?

b) What determines performance requirements?


c) What do firewalls do if they cannot handle the stream of packets they
are to filter?

d) Why is it important to check firewall logs as a way to understand the
sufficiency of current firewall performance?

7. What are the two characteristics of static packet filter firewalls?

8. a) What is an ACL?

b) Why are so many errors made when ACLs are configured?

9. What types of ingress filtering are done on IP addresses in Figure 5-6?

10. a) What kind of ingress filtering tends to be done based on TCP
connection flags?

b) Why does Rule 7 have to come before Rule 8?

c) In general, why do exceptions usually have to come before general deny
rules?

11. a) What ports need to be allowed for webservers using SSL/TLS?

b) How does this change if SSL/TLS security will not be implemented?

c) What ports need to be allowed for FTP servers?

d) For Telnet access?

e) Why are FTP and Telnet dangerous?

f) Why are r commands dangerous?

g) On what operating system are r commands used?

h) What ports need to be blocked to prevent rlogin?

i) rsh?

j) SSH?

k) When might SSH be permitted?

12. a) What UDP service is denied? Why?

b) What usually is the single ICMP message type passed by ingress
filtering? Give its name and type value.


13. Why is it a good policy to block anything not specifically permitted?

14. a) What rules based on IP addresses are included in Figure 5-7? Why?

b) What are the two ICMP rules?

c) Why were the ICMP rules set up in this order?

d) What do the ICMP rules allow?

e) Why?

f) Why are RST segments dropped?

g) Explain the rule for the webserver.

h) Explain how public webservers are handled in the ACL in general.

i) What general ports are stopped?

j) How are client connections to outside servers handled in the ACL?

k) What is the last rule in the ACL, and why is it important?

15. a) What is a state?

b) What is a connection (also called a session)?

c) How do stateful firewalls work for TCP?

d) Can stateful firewalls maintain state information for connectionless
protocols like UDP and ICMP?

e) If so, how do they do it?

16. a) Does NAT tend to be used alone or in concert with another type of
firewall?

b) What danger does NAT address?

c) How does a NAT firewall work?

d) What problems do NAT firewalls create?

17. a) Explain application firewall operation.

b) Distinguish between proxies and application firewalls.

c) In what sense is a firewall transparent to the client and server?


18. a) Briefly explain the core protections offered by all application firewalls.

b) How can command filtering provide protection?

c) How can content filtering provide protection?

19. a) If you will proxy four applications, how many proxy programs will you
need?

b) Can an application firewall operate multiple proxies?

c) When is this a good idea?

d) Why is it not desirable?

20. a) Why are circuit firewalls needed?

b) How do they operate?

c) What protection do they provide?

d) What is the most important circuit firewall standard?

21. What is a firewall architecture?

22. a) Why are screening routers good?

b) Should the last rule of a screening firewall be Deny All or Permit All?
Explain.

c) Why is performance a concern?

23. Why are computer-based main firewalls better to work with than router-
based firewalls?

24. a) What is a tri-homed router?

b) What is a DMZ?

c) Why are DMZs good?

25. a) Why are public servers put in DMZs?

b) What are bastion hosts?

c) Why is an external DNS host often put in the DMZ?

d) What IP addresses does the DNS server know?


e) Why are application firewalls usually placed in the DMZ?

26. a) Why are internal and host firewalls good?

b) How do they provide defense in depth?

27. Compare and contrast individual home computer firewall architectures and
SOHO firewall architectures.

28. a) Why are distributed firewall architectures good?

b) Why are they dangerous?

29. a) Why are configuring, testing, and maintaining firewalls critically
important?

b) Why is configuration difficult?

c) Why are policies crucial?

d) Why is audit testing necessary?

e) How is audit testing done?

f) Do policies drive configuration, testing, or both?

g) Why is it important to read firewall logs?

30. a) Who produces FireWall-1?

b) What protections does FireWall-1 provide?

c) Describe FireWall-1’s three management modules.

d) If you want only a single management machine to manage three
firewalls, where would you place the modules?

e) How does FireWall-1 integrate with third-party products for application
inspection?

f) What two products for firewall protection does Cisco offer?

g) Which is a better firewall?

h) What protections does PIX offer?

i) What is the basic PIX rule for creating connections, based on security
levels?


j) How is this rule modified?

Thought Questions
1. In Figure 5-6 and Figure 5-7, some statements are redundant given the
final Deny All rule in each ACL. List the numbers of rules that can be
deleted without reducing protection.

2. Create policy statements that would be used to guide the ACLs shown in
Figure 5-6 and Figure 5-7.

3. Change the ACLs in Figure 5-6 and Figure 5-7 to add policies that
incoming DNS requests should be permitted at a particular DNS host,
60.47.3.4, and that SSH traffic should be allowed because it is needed to
manage firewalls.

4. Change the ACLs in Figure 5-6 and Figure 5-7 to add a policy that all
SMTP traffic (TCP Port 25) should pass through an SMTP application
proxy, 60.47.3.10.

5. Create a simple ACL for a packet filter firewall that serves a single
Windows client PC at home.

6. Change the ACLs in Figure 5-6 and Figure 5-7 to drop rules that would
not be needed for stateful inspection firewalls.

7. In the firewall architecture shown in Figure 5-17, what hosts should not be
protected by NAT?

8. In Figure 5-25, what would have to be done to create a connection a) from
an Inside client to an Outside server on the Internet? b) From an Outside
server on the Internet to an Internal client PC? c) From an Inside client to
a DMZ server? d) From a DMZ server to an Inside server? e) From a
DMZ server to a back-end database in the main site LAN?

Troubleshooting Question
1. You have a rule in your ACL to block a particular type of traffic.
However, when you do an audit, you find that the firewall is not blocking
this traffic. What is the problem likely to be?
