Answer Tut8



Answer to Tutorial 8 – Information Security

1. What is the typical relationship among the untrusted network, the firewall, and the trusted network?

Answer:

The untrusted network is usually the Internet or another segment of public access network while the trusted network is typically a privately owned network. The firewall serves as a mechanism to filter traffic from the untrusted network that comes into the trusted network to gain some assurance that that traffic is legitimate.

2. What is the relationship between a TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) packet? Will any specific transaction usually involve both types of packets?

Answer:

UDP packets are, by design, connectionless. TCP packets usually involve the creation of a connection from one host computer to another.

It would be unusual for a single transaction to involve both TCP and UDP ports.

3. How is an application layer firewall different from a packet filtering firewall? Why is an application layer firewall sometimes called a proxy server?

Answer:

The application layer firewall takes into consideration the nature of the applications that are being run (the type and timing of the network connection requests, the type and nature of the traffic that is generated) whereas the packet filtering firewall simply looks at the packets as they are transferred.

The application firewall is also known as a proxy server, since it runs special software that acts as a proxy for a service request.

4. How is static filtering different from dynamic filtering of packets? Which is perceived to offer improved security?

Answer:


Static filtering requires that the filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed. This type of filtering is common in network routers and gateways. Dynamic filtering allows the firewall to react to an emergent event and update or create rules to deal with the event. This reaction could be positive, as in allowing an internal user to engage in a specific activity upon request, or negative, as in dropping all packets from a particular address when an increase in the presence of a particular type of malformed packet is detected.

While static filtering firewalls allow entire sets of one type of packet to enter in response to authorized requests, the dynamic packet filtering firewall allows only a particular packet with a particular source, destination, and port address to enter through the firewall.

5. What is stateful inspection? How is state information maintained during a network connection or transaction?

Answer:

Stateful inspection firewalls, also called stateful firewalls, keep track of each network connection between internal and external systems using a state table. A state table tracks the state and context of each packet in the conversation by recording which station sent what packet and when. Like first generation firewalls, stateful inspection firewalls perform packet filtering, but they take it a step further. Whereas simple packet filtering firewalls only allow or deny certain packets based on their address, a stateful firewall can block incoming packets that are not responses to internal requests. If the stateful firewall receives an incoming packet that it cannot match in its state table, it defaults to its ACL to determine whether to allow the packet to pass. The primary disadvantage of this type of firewall is the additional processing required to manage and verify packets against the state table, which can leave the system vulnerable to a DoS or DDoS attack.

State information is preserved using a state table that looks similar to a firewall rule set but has additional information. The state table contains the familiar source IP and port, and destination IP and port, but adds information on the protocol used (i.e., UDP or TCP), total time in seconds, and time remaining in seconds.
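
The state table described in this answer, as an added example that is not part of the original answer sheet: a toy Python model in which an internal request creates an entry, a matching reply is allowed from the table, and anything else defaults to the ACL. The class and method names, the 60-second timeout, and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "TCP" or "UDP"

class StatefulFirewall:
    """Toy model (hypothetical names): state table first, static ACL as fallback."""

    def __init__(self, acl, timeout=60):
        self.acl = acl          # inbound (proto, dst_port) pairs the ACL permits
        self.timeout = timeout  # seconds an idle entry stays in the table
        self.state = {}         # 5-tuple of the internal request -> timestamps

    def outbound(self, p, now):
        # An internal request creates or refreshes a state-table entry.
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        self.state.setdefault(key, {"created": now})["last_seen"] = now
        return "allow"

    def inbound(self, p, now):
        # A genuine reply carries the request's addresses and ports swapped.
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        entry = self.state.get(key)
        if entry and now - entry["last_seen"] <= self.timeout:
            entry["last_seen"] = now
            return "allow (state table)"
        self.state.pop(key, None)  # drop an expired entry, if any
        # No match in the state table: default to the ACL.
        return "allow (ACL)" if (p.proto, p.dst_port) in self.acl else "deny"

    def table(self, now):
        # Rows: src IP, src port, dst IP, dst port, protocol, total s, remaining s
        return [k + (now - e["created"], self.timeout - (now - e["last_seen"]))
                for k, e in self.state.items()]

def demo():
    # Constructed sample traffic; addresses are private/documentation ranges.
    fw = StatefulFirewall(acl={("TCP", 25)}, timeout=60)
    fw.outbound(Packet("10.0.0.5", 40000, "192.0.2.10", 80, "TCP"), now=0)
    reply = Packet("192.0.2.10", 80, "10.0.0.5", 40000, "TCP")
    return [
        fw.inbound(reply, now=5),                                               # reply
        fw.inbound(Packet("192.0.2.99", 80, "10.0.0.5", 40000, "TCP"), now=6),  # unsolicited
        fw.inbound(Packet("192.0.2.99", 5555, "10.0.0.9", 25, "TCP"), now=7),   # ACL permits
        fw.table(now=10),
        fw.inbound(reply, now=100),                                             # timed out
    ]
```

The same reply packet is allowed at 5 seconds and denied at 100 seconds, because the entry it matched has expired and the ACL does not cover its destination port.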

6. Describe how the various types of firewalls interact with the network traffic at various levels of the OSI (Open System Interconnection) model.

Answer:

Packet filtering firewalls scan network data packets looking for compliance with or violation of the rules of the firewall’s database. Filtering firewalls inspect packets at the network layer, or Layer 3, of the OSI model.

MAC layer firewalls are designed to operate at the media access control layer (layer 2) of the OSI network model.


Application level firewalls will operate at OSI layers above layer 3, using specific knowledge of various protocols and applications to make more informed decisions about packet forwarding.

7. List the five generations of firewall technology. Which generations are still in common use?

Answer:

At the present time, there are five generally recognized generations of firewalls, and these generations can be implemented in a wide variety of architectures.

First Generation. First generation firewalls are static packet filtering firewalls – that is, simple networking devices that filter packets according to their headers as the packets travel to and from the organization’s networks.

Second Generation. Second generation firewalls are application-level firewalls or proxy servers – that is, dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.

Third Generation. Third generation firewalls are stateful inspection firewalls, which, as you may recall, monitor network connections between internal and external systems using state tables.

Fourth Generation. While static filtering firewalls, such as first and third generation firewalls, allow entire sets of one type of packet to enter in response to authorized requests, the fourth generation firewalls, which are also known as dynamic packet filtering firewalls, allow only a particular packet with a particular source, destination, and port address to enter.

Fifth Generation. The fifth generation firewall is the kernel proxy, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT.

Most modern firewalls combine features from more than one generation.

8. What is a sacrificial host? What is a bastion host?

Answer:

They are synonyms. Since the bastion host stands as a sole defender on the network perimeter, it is also commonly referred to as the sacrificial host. To its advantage, this configuration requires the external attack to compromise two separate systems, before the attack can access internal data.

9. What is a content filter? Where is it placed in the network to gain the best result for the organization?

Answer:

A content filter is a software filter – technically not a firewall – that allows administrators to restrict access to content from within a network. It is essentially a set of scripts or programs that restricts user access to certain networking protocols and Internet locations, or restricts users from receiving general types or specific examples of Internet content. Some refer to content filters as reverse firewalls, as their primary focus is to restrict internal access to external material.

To gain the best result, it should be placed on the primary connection used to gain access to the Internet.

10. What is a VPN? What are some reasons it is widely popular in many organizations?

Answer:

A Virtual Private Network (VPN) is a private and secure network connection between systems that uses the data communication capability of an unsecured and public network.

VPNs are popular since they are simple to set up and maintain and usually require only that the tunneling points be dual-homed – that is, connecting a private network to the Internet or to another outside connection point. There is VPN support built into most Microsoft server software, including NT and 2000, as well as client support for VPN services built into XP. While true private network services connections can cost hundreds of thousands of dollars to lease, configure, and maintain, a VPN can cost next to nothing.
