Deck 6: Security Technology: Access Controls, Firewalls, and VPNS

An extranet is a segment of the DMZ where no authentication and authorization controls are put into place.

Packet-filtering firewalls scan network data packets looking for compliance with the rules of the firewall's database or violations of those rules.

​Lattice-based access control is a form of access control in which users are assigned a matrix of authorizations for particular areas of access.

Good policy and practice dictates that each firewall device, whether a filtering router, bastion host, or other firewall implementation, must have its own set of configuration rules.

​Task-based controls are associated with the assigned role a user performs in an organization, such as a position or temporary assignment like project manager.

The application layer proxy firewall is capable of functioning both as a firewall and an application layer proxy server.

Good firewall rules include denying all data that is not verifiably authentic.

The screened subnet protects the DMZ systems and information from outside threats by providing a network with intermediate security, which means the network is less secure than the general-public networks but more secure than the internal network.

A firewall cannot be deployed as a separate network containing a number of supporting devices.

Using an application firewall means the associated Web server must be exposed to a higher level of risk by placing it in the DMZ.

Firewalls can be categorized by processing mode, development era, or structure.

Authentication is the process of validating and verifying an unauthenticated entity's purported identity.

All organizations with a router at the boundary between the organization's internal networks and the external service provider will experience improved network performance due to the complexity of the ACLs used to filter the packets.

The DMZ can be a dedicated port on the firewall device linking a single bastion host.

The ability of a router to restrict traffic to a specific service is an advanced capability and not considered a standard feature for most routers.

When Web services are offered outside the firewall, HTTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture.

Syntax errors in firewall policies are usually difficult to identify.

Some firewalls can filter packets by protocol name.

Discretionary access control is an approach whereby the organization specifies use of resources based on the assignment of data classification schemes to resources and clearance levels to users.

The static packet filtering firewall can react to an emergent event and update or create rules to deal with that event. _________________________

A routing table tracks the state and context of each packet in the conversation by recording which station sent what packet and when. _________________________

A common DMZ arrangement is a subnet firewall that consists of two or more internal bastion hosts behind a packet-filtering router, with each host protecting the trusted network. _________________________

Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. _________________________

When a bastion host approach is used, the host contains two NICs, forcing all traffic to go through the device. _________________________

A content filter is essentially a set of scripts or programs that restricts user access to certain networking protocols and Internet locations.

Port Address Translation assigns non-routing local addresses to computer systems in the local area network and uses ISP-assigned addresses to communicate with the Internet on a one-to-one basis. _________________________

A content filter, also known as a reverse firewall, is a network device that allows administrators to restrict access to external content from within a network.

One of the biggest challenges in the use of the trusted computer base (TCB) is the existence of explicit channels. _________________________

The primary disadvantage of stateful packet inspection firewalls is the additional processing required to manage and verify packets against the state table. _________________________

Authentication is a mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system. _________________________

In static filtering, configuration rules must be manually created, sequenced, and modified within the firewall. _________________________

Internet connections via dial-up lines are regaining popularity due to recent technological developments.

Though not used as much in Windows environments, terminal emulation is still useful to systems administrators on Unix/Linux systems.

The RADIUS system decentralizes the responsibility for authenticating each user by validating the user's credentials on the NAS server.

The false reject rate describes the number of legitimate users who are denied access because of a failure in the biometric device. _________________________

It is important that e-mail traffic reach your e-mail server and only your e-mail server.

A VPN, used properly, allows use of the Internet as if it were a private network.

Access control is achieved by means of a combination of policies, programs, and technologies. _________________________

Even if Kerberos servers are subjected to denial-of-service attacks, a client can still request additional services.

The popular use for tunnel mode VPNs is the end-to-end transport of encrypted data. _________________________

Secure VPNs use security protocols and encrypt traffic transmitted across unsecured public networks like the Internet. _________________________

The filtering component of a content filter is like a set of firewall rules for Web sites, and is common in residential content filters. _________________________

In order to keep the Web server inside the internal network, direct all HTTP requests to the internal filtering firewall and configure the internal filtering router/firewall to allow only that device to access the internal Web server. _________________________

The presence of external requests for Telnet services can indicate a potential attack. _________________________

Traceroute, formally known as an ICMP Echo request, is used by internal systems administrators to ensure that clients and servers can communicate. _________________________

Kerberos uses asymmetric key encryption to validate an individual user to various network resources. _________________________

Most firewalls use packet header information to determine whether a specific packet should be allowed to pass through or should be dropped. _________________________

Best practices in firewall rule set configuration state that the firewall device never allows administrative access directly from the public network. _________________________

A(n) intranet ​is a segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public. _________________________

An attacker who suspects that an organization has dial-up lines can use a device called a(n) war dialer to locate the connection points. _________________________

SESAME, as described in RFC 4120, keeps a database containing the private keys of clients and servers-in the case of a client, this key is simply the client's encrypted password. _________________________

When Web services are offered outside the firewall, SMTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture. _________________________

The ____________________ describes the number of legitimate users who are denied access because of a failure in the biometric device. This failure is known as a Type I error.

A(n) ____________________ contains a computer chip that can verify and validate several pieces of information instead of just a PIN.