Deck 6: Security Technology: Firewalls and Vpns

One method of protecting the residential user is to install a software firewall directly on the user's system.

All organizations with an Internet connection have some form of a router at the boundary between the organization's internal networks and the external service provider.

Firewall Rule Set 1 states that responses to internal requests are not allowed.

The screened subnet protects the DMZ systems and information from outside threats by providing a network of intermediate security.

There are limits to the level of configurability and protection that software firewalls can provide.

Internal computers are always visible to the public network.

Firewalls can be categorized by processing mode,development era,or structure.

Packet filtering firewalls scan network data packets looking for compliance with or violation of the rules of the firewall's database.

When Web services are offered outside the firewall,HTTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture.

Syntax errors in firewall policies are usually difficult to identify.

The SMC Barricade residential broadband router does not have an intrusion detection feature.

The DMZ cannot be a dedicated port on the firewall device linking a single bastion host.

The firewall can often be deployed as a separate network containing a number of supporting devices.

Good policy and practice dictates that each firewall device,whether a filtering router,bastion host,or other firewall implementation,must have its own set of configuration rules.

A Web server is often exposed to higher levels of risk when placed in the DMZ than when it is placed in the untrusted network.

A packet's structure is independent from the nature of the packet.

Circuit gateway firewalls usually look at data traffic flowing between one network and another.

The ability to restrict a specific service is now considered standard in most routers and is invisible to the user.

The application firewall runs special software that acts as a proxy for a service request.

The static packet filtering firewall allows only a particular packet with a particular source,destination,and port address to enter through the firewall._________________________

Access control is achieved by means of a combination of policies,programs,and technologies._________________________

Even if Kerberos servers are subjected to denial-of-service attacks,a client can request additional services.

The Extended TACACS version uses dynamic passwords and incorporates two-factor authentication.

Address grants prohibit packets with certain addresses or partial addresses from passing through the device._________________________

It is important that e-mail traffic reach your e-mail server and only your e-mail server.

When a dual-homed host approach is used,the bastion host contains four NICs._________________________

Static filtering is common in network routers and gateways._________________________

A VPN allows a user to turn the Internet into a private network.

Though not used much in Windows environments,Telnet is still useful to systems administrators on Unix/Linux systems.

On the client end,a user with Windows 2000 or XP can establish a VPN by configuring his or her system to connect to a VPN server.

The outside world is known as the trusted network (e.g. ,the Internet)._________________________

Circuit gateway firewalls prevent direct connections between one network and another._________________________

First generation firewalls are application-level firewalls._________________________

A content filter is essentially a set of scripts or programs that restricts user access to certain networking protocols and Internet locations.

SOHO assigns non-routing local addresses to the computer systems in the local area network and uses the single ISP-assigned address to communicate with the Internet._________________________

In addition to recording intrusion attempts,a(n)router can be configured to use the contact information to notify the firewall administrator of the occurrence of an intrusion attempt._________________________

A content filter is technically a firewall.

Internet connections via dial-up and leased lines are becoming more popular.

Some firewalls can filter packets by protocol name.

In order to keep the Web server inside the internal network,direct all HTTP requests to the proxy server and configure the internal filtering router/firewall only to allow the proxy server to access the internal Web server._________________________

Best practices in firewall rule set configuration state that the firewall device is never accessible directly from the public network._________________________

When Web services are offered outside the firewall,SMTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture._________________________

Most firewalls use packet header information to determine whether a specific packet should be allowed to pass through or should be dropped._________________________

A benefit of a(n)dual-homed host is its ability to translate between many different protocols at their respective data link layers,including Ethernet,token ring,Fiber Distributed Data Interface,and asynchronous transfer mode._________________________

The filtering component of a content filter is like a set of firewall rules for Web sites,and is common in residential content filters._________________________

Kerberos uses asymmetric key encryption to validate an individual user to various network resources._________________________

In a DMZ configuration,connections into the trusted internal network are allowed only from the DMZ bastion host servers._________________________

An attacker who suspects that an organization has dial-up lines can use a device called a(n)war dialer to locate the connection points._________________________

Traces,formally known as ICMP Echo requests,are used by internal systems administrators to ensure that clients and servers can communicate._________________________

SESAME may be obtained free of charge from MIT._________________________

The popular use for tunnel mode VPNs is the end-to-end transport of encrypted data._________________________

The presence of external requests for Telnet services can indicate a potential attack._________________________

A(n)perimeter is a segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public._________________________

Secure VPNs use security protocols and encrypt traffic transmitted across unsecured public networks like the Internet._________________________