
Firewall Technologies

Module 3

Objectives
After completing this module, you will be able to:

- Define the term firewall, list the main types of firewalls, explain how each firewall technology fits in the OSI model, and describe how firewalls are used to protect a computer network.
- Explain how packet-filter gateway technology works and list the advantages and disadvantages of packet-filter technology.
- Explain how firewall servers are used to protect a network, describe where firewall servers are typically placed in the network infrastructure, and describe the typical firewall server configurations.
- Explain how application-level firewalls work.
- Explain how stateful-inspection firewalls work.
- Explain how circuit-level firewalls work.
- List the criteria you should use when evaluating a firewall product.
- List the general steps you would use to deploy a firewall.

Rev. 0.11

3 1

Compaq Security Solutions

Overview of Firewall Technologies


Figure: Firewall between the Internal Network and the External Network (Internet)

Firewalls are barriers created between trusted private networks and untrusted networks such as the Internet. Firewalls are used to:

- Examine all inbound and outbound traffic, allowing only authorized traffic to pass.
- Protect internal networks from external networks.
- Form a security barrier between parts of an organization.

The major objective of a firewall is to protect one network from another. Firewalls are an important part of network security. Without a firewall, the possibility of security breaches from external and internal sources is greatly increased. To protect your network from attacks, installing and maintaining a firewall is an important part of network operations. The term firewall has many uses and is therefore often confusing. Firewall can mean a specific hardware component, such as a firewall server, a packet-filtering router, or a security software package. Alternatively, it can refer to the complete collection of components which are used to form a barrier between a trusted and an untrusted network, which is how this term is used in this course. Individual components are referred to in specific terms, such as firewall server, packet-filtering router, and firewall software.


What Is a Firewall?
In the simplest terms, a firewall is a set of components placed between two networks that have the following characteristics:

- All traffic from inside to outside, and outside to inside, must pass through the firewall.
- Only authorized traffic, as defined by the security policy, will be allowed to pass through the firewall.
- The firewall itself must be immune from penetration.

The objective of a firewall is to protect an internal (trusted) network from an external (untrusted) network. An untrusted network is one from which unwanted network intrusions can originate. The goal of your firewall should be to prevent unauthorized access to sensitive data, while allowing legitimate users to have unencumbered access to network resources. Firewalls track and control data, deciding whether to pass, drop, reject, encrypt, or log the data. Firewalls ensure that data meets the rules of an enterprise's network security policy.

Important: A firewall cannot protect the network against malicious authorized users. Research indicates that most network attacks occur from within an organization. A firewall cannot protect connections that do not pass through the firewall.

The firewall is the main tool for implementing an organization's network security policy. In addition to a solid firewall strategy, a network will likely need solid authentication, security, and privacy enhancement techniques to enhance the network security or implement other aspects of the network security policy.


Firewalls and the OSI Model


Figure: OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical) showing where each firewall type operates: Application Firewalls at the upper layers, Circuit-Level Gateways at the session layer, and Packet Filter Firewalls at the network layer.

The OSI model provides a detailed standard for describing a network. It is useful for describing how protocol suites, such as TCP/IP, handle network communications. The OSI model is used in this course to describe the features and functions of different types of security products. Firewall vendors differentiate themselves through the implementation of their firewall products. The differentiation lies in the layer of the OSI model at which the firewall operates, and therefore where the packets are examined.


Firewall Components
A single firewall system has several components:

- Software: Two types of software are at the core of a firewall system. Application-level software controls network traffic at the application level, tracking entire transactions related to mail, web, or file transfer services. Packet-filtering systems operate at the network level and examine each individual packet of data as it comes through the network, without regard to whether the packet is part of an approved application.
- Operating system: Many firewalls run on standard but hardened operating systems, including Microsoft Windows NT and UNIX. Some run on modified versions or completely proprietary operating systems.
- Computer hardware: Some firewall hardware is proprietary, but most use standard hardware.
- Network interfaces: Most firewalls are multi-homed, using separate network interface cards to create a physical separation between networks.

Types of Firewalls
Firewalls can be categorized into the following types:

- Packet filter gateways
- Application-level firewalls
- Stateful inspection firewalls
- Circuit-level gateways


Packet-Filter Gateways
Figure: Packet Filtering Gateway/Router between the Internal Network and the External Network (Internet)

A packet-filter gateway can play an important role in implementing an enterprise security policy by providing a first line of defense against unwanted intrusion. By monitoring each packet destined for the internal network, the gateway can filter out potentially dangerous packets. Also known as a screening router or packet filter router, a packet-filter gateway is a router that selectively blocks and passes packets when routing them from one network to another. It distinguishes packets based on predefined parameters, such as the origination address or the port. Packet-filter gateways can provide an inexpensive and useful level of gateway security. Typically, the filtering abilities come with the router software. Because you will likely need a router to connect to the Internet, there is no extra charge for this capability. Packet-filtering technology is usually implemented through a router that has packet-filtering capabilities. (Most routers have packet-filtering technology.) As shown in the preceding graphic, a packet-filtering gateway is placed between an internal network and an external network such as the Internet.


How Packet-Filtering Technology Works


Figure: OSI layers on the Workstation, the Router and the Server. The workstation and server carry all seven layers; the packet-filtering router examines only the Network, Data Link and Physical layers.

Packet filters work by distinguishing packets based on IP addresses or specific bit patterns, and most come with router software. They reside at the network level on the OSI model. Packets are scanned and decisions about whether the packet should be allowed to pass are based on the fields within the packet. The scanned fields include the source IP address, destination IP address, TCP/UDP source port, and TCP/UDP destination port. Packet filters enforce their rules in an order-based manner. Packets are passed or dropped based on their source or destination addresses or ports. In general, decisions are based only on the content of the packet. Depending on the type of the router, filtering might be done at input time, at output time, or both. The network administrator makes an "allow" list of acceptable machines and services and a "deny" list of unacceptable machines and services. It is easy to permit or deny access at the host or network level with a packet filter. For example, you can permit any IP access between host A and B, or deny any access to B from any machine except A.


Most packet filter devices operate in the following manner:

1. Packet filter rules are created for the device by the administrator. The rules are stored in a specific order.
2. When a port receives a packet, the packet header is parsed. Most packet filter devices only examine the fields in the IP, TCP, or UDP headers. Some devices also filter on RIP, ICMP, and other layer 3 protocols.
3. The rules are applied to the packet in the order specified by the administrator.
4. If a rule blocks the transmission or reception of a packet, the packet is rejected.
5. If a rule allows the transmission or reception of a packet, the packet is allowed to pass.
6. If a packet does not satisfy any rule, it is blocked. (This rule follows the philosophy "that which is not expressly permitted is denied.")
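The following is an added worked example, not code from the Compaq course: a toy packet filter that applies the steps above (ordered rules, first match wins, default deny when nothing matches). The hosts, networks and rules are constructed for illustration. The same two rules are loaded in two orders to show why rule order matters, and the default action is a parameter so the "not expressly permitted is denied" stance can be compared with its opposite.

```python
# Added example (not part of the Compaq course text): a first-match packet
# filter over IP/TCP/UDP header fields. Addresses and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0      # TCP/UDP source port (0 for icmp)
    dport: int = 0      # TCP/UDP destination port


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule matches the packet header."""
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet,
                  default: str = "deny") -> Tuple[str, Optional[int]]:
    """Apply rules in administrator order; the first matching rule decides.

    Returns (action, index of the deciding rule). When nothing matches, the
    configured default applies and the index is None. default="deny" is the
    "not expressly permitted is denied" stance; default="allow" is the
    opposite stance, included only for comparison.
    """
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return default, None


# Constructed policy: mail host B (10.0.0.5) accepts SMTP from anywhere
# except the blocked network 198.51.100.0/24. Both orderings hold the same
# two rules; only their order differs.
MAIL_HOST = "10.0.0.5/32"
BLOCKED_NET = "198.51.100.0/24"
CORRECT_ORDER = [
    Rule("deny", src=BLOCKED_NET),                        # block first
    Rule("allow", dst=MAIL_HOST, proto="tcp", dport=25),  # then permit SMTP
]
WRONG_ORDER = list(reversed(CORRECT_ORDER))               # permit first

# Constructed packets.
SMTP_FROM_BLOCKED = Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 25)
WEB_FROM_OTHER = Packet("203.0.113.9", "10.0.0.5", "tcp", 40001, 80)


def demo() -> dict:
    """Show the order dependence of packet-filter rules and the default action."""
    return {
        "correct_order": filter_packet(CORRECT_ORDER, SMTP_FROM_BLOCKED),
        "wrong_order": filter_packet(WRONG_ORDER, SMTP_FROM_BLOCKED),
        "unmatched_default_deny": filter_packet(CORRECT_ORDER, WEB_FROM_OTHER),
        "unmatched_default_allow": filter_packet(CORRECT_ORDER, WEB_FROM_OTHER, "allow"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} -> {decision}")
```

With the rules in the correct order the SMTP packet from the blocked network is denied by rule 0; with the same rules reversed it is allowed by rule 0, because the permit rule is reached first. The web packet matches no rule, so only the default decides its fate.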


Advantages and Disadvantages


The advantages of packet filtering include:

- Cost: In most cases the technology is included with the router.
- Ease of implementation: It is transparent to applications. No changes are required to client and host applications because it operates at the IP and TCP layers of the OSI model.
- Performance: It provides relatively fast throughput.

The disadvantages of packet filtering include:

- Limited security: It does not screen above the network layer in the OSI model. Packet filters are incapable of keeping communication-derived or application-derived state information. They cannot recognize the context of a given communication, which makes them more likely to allow unauthorized access to a network.
- Administration: It is difficult to configure, monitor, and manage. Without an in-depth knowledge of TCP and UDP port utilization, it is difficult to control access to individual services.
- Auditing: It does not provide logging and alerting mechanisms.
- Vulnerability: Packet-filtering systems are subject to IP spoofing attacks. They are unable to protect against application-level attacks and can be susceptible to sophisticated IP fragmentation and IP source routing attacks.
- Flexibility: Packet-filtering technology does not handle well services that use random port numbers.
- Performance: As the number of rules on a packet-filter router increases, performance degrades.
- Order-dependent rules: Rules written for packet-filtering systems are highly order-dependent. If the rules are ordered incorrectly, unwanted connections might be allowed. Packet-filtering systems are therefore subject to misconfiguration, and the likelihood of misconfiguration increases as rules are added.
- Exposure: Packet-filtering systems do not automatically hide network and system addresses from public view.


Packet Filtering Summary


In summary, packet-filter gateways are often used as the first line of defense against an untrusted network. Packet filtering provides an efficient way to control network traffic. However, packet-filtering technologies do not address many security requirements because they have incomplete information to work with. Only network and transport layer information, such as IP addresses, port numbers, and TCP flags, is available for filtering decisions. Most security policies require a finer degree of control than that allowed by packet-filter gateways. In most cases, the security policy will require the ability to define access to specific services for hosts that are otherwise untrusted. For example, you might want to allow any host to connect to machine A, but only to send or receive mail. Other services might not be permitted. Although packet filtering will allow some control at this level, it is a risky and error-prone process. To do it correctly, you must have intimate knowledge of TCP and UDP port utilization on various operating systems. Packet-filtering devices such as screening routers are often augmented by other devices, such as firewall applications running on dedicated firewall servers.


Application-Level Firewalls
Figure: Telnet, FTP and HTTP proxies on the application-level firewall, each carrying the full OSI stack (Application through Physical) between the Workstation and the Server.

Application-level gateways (firewalls) are programmed to recognize the network traffic at the user application level of the OSI model. They can therefore provide access controls at a user level and application-protocol level. Application-level firewalls improve on security by examining all application layers, bringing context information into the decision process. Technically, this is accomplished by breaking the traditional client/server model because each client/server connection requires two connections:

- One from the client to the firewall
- One from the firewall to the server

This process is known as proxying a connection. An application-level firewall provides a set of application-specific security proxies that evaluate all attempts to pass data into and out of the protected network. A proxy is a unique application that forwards and filters connections for services such as TELNET, FTP, and HTTP. The host computer running the proxy service or services is known as an application gateway. This type of firewall allows for the evaluation of each connection rather than each packet. Packets are only allowed to pass for an existing proxy with an established and authorized network connection. This also prevents other untrusted services from being implemented without the firewall administrator's knowledge.


Protocols can also be filtered. For example, the FTP proxy might allow FTP GET connections, but deny the use of the FTP PUT command. Application-level gateways also include information hiding (or address translation), authentication, and logging. Although application-layer firewalls are more secure than packet-filter routers, they tend to perform more slowly than their counterparts working at other OSI levels. For each application that is relayed, application-level gateways use special-purpose code. Because of this special-purpose code, application-level firewalls provide a high level of security. For each new type of application added to the network that requires protection, new special-purpose code must be written. Therefore, most application-level gateways provide a limited subset of basic applications and services.
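The FTP example above (allow GET, deny PUT) comes down to a decision the proxy makes on each control-channel command before it is relayed to the real server. The following is an added example, not code from the Compaq course or any product: it models that decision for an FTP proxy. The allow list, the reply texts the proxy sends back, and the client session lines are all constructed; the mapping of the client's get and put to the RETR and STOR protocol commands is standard FTP.

```python
# Added example (not from the Compaq course): command-level policy of an FTP
# application proxy on the control channel. Allow list, replies and the
# sample session are constructed for illustration.
from typing import List, Optional, Tuple

# An FTP client's "get" sends RETR on the control channel; "put" sends STOR.
# Constructed policy: permit login, navigation and downloads; refuse uploads
# and anything not expressly listed (default deny).
ALLOWED_COMMANDS = {
    "USER", "PASS", "SYST", "TYPE", "PWD", "CWD", "CDUP",
    "PASV", "PORT", "LIST", "NLST", "RETR", "SIZE", "QUIT",
}
# Commands that would modify the server are named explicitly so the log can
# state why they were refused rather than just "not in the allow list".
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RMD", "MKD", "RNFR", "RNTO"}


def parse_command(line: str) -> Tuple[str, str]:
    """Split a control-channel line into (VERB, argument); verbs are case-insensitive."""
    verb, _, argument = line.strip().partition(" ")
    return verb.upper(), argument.strip()


def proxy_decision(line: str, authenticated: bool) -> Tuple[bool, Optional[str], str]:
    """Decide whether the proxy relays a client command to the real server.

    Returns (forward, reply_to_client, log_reason). When forward is False the
    proxy answers the client itself with a constructed 5xx reply and nothing
    reaches the server.
    """
    verb, _ = parse_command(line)
    if verb in WRITE_COMMANDS:
        return False, "550 Upload and modification commands are not permitted.", "write denied"
    if verb not in ALLOWED_COMMANDS:
        return False, "502 Command not allowed by proxy.", "not in allow list"
    # Only the login commands may travel before the user has authenticated.
    if not authenticated and verb not in {"USER", "PASS", "QUIT"}:
        return False, "530 Please log in first.", "unauthenticated"
    return True, None, "forwarded"


def run_session(lines: List[str]) -> List[Tuple[str, str]]:
    """Replay client lines through the proxy; returns (VERB, outcome) per line.

    Authentication is modelled as the client having sent both USER and PASS;
    a real proxy would wait for the server's 230 reply instead (assumption).
    """
    outcomes = []
    seen = set()
    for line in lines:
        verb, _ = parse_command(line)
        forward, _, reason = proxy_decision(line, {"USER", "PASS"} <= seen)
        if forward and verb in {"USER", "PASS"}:
            seen.add(verb)
        outcomes.append((verb, reason))
    return outcomes


# Constructed client session: a download is relayed, an upload is refused.
SESSION = [
    "RETR secrets.txt",             # before login: refused
    "USER alice",
    "PASS hunter2",
    "CWD /pub",
    "RETR report.pdf",              # "get": relayed to the server
    "STOR notes.txt",               # "put": refused, never reaches the server
    "SITE CHMOD 644 notes.txt",     # not on the allow list: refused
    "QUIT",
]

if __name__ == "__main__":
    for verb, outcome in run_session(SESSION):
        print(f"{verb:5s} {outcome}")
```

Because the proxy terminates the client's connection and opens its own to the server, a refused command is never seen by the server at all; this is the "evaluate each connection rather than each packet" property described above, and it is also why each protocol needs its own special-purpose proxy code.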


Advantages and Disadvantages


The main advantages of application-layer firewalls include:

- No worry about interactions between different sets of filter rules
- The ability to log and control all incoming and outgoing traffic
- Good security
- Full application-layer awareness

Disadvantages include:

- Each service requires its own application layer gateway.
- A specialized user program or variant user interface is required for most services provided.
- The implementation at the application layer might be detrimental to performance.
- Proxies cannot provide for UDP, RPC, and other services from common protocol families.
- Most proxies are not transparent.
- The firewall is vulnerable to operating system and application level bugs.
- Information contained in lower layers of the OSI model is overlooked.

Email is often passed through an application-level gateway, regardless of the technologies used to implement the rest of the overall firewall structure. Application gateways are often used in conjunction with other gateway designs, packet filters, and circuit-level relays.


Application-Level Firewalls Compared to Packet Filters


Figure: Packet filter: packets from inside the network are passed outside unchanged, which makes a packet filter susceptible to spoofing. Application-level firewall: packets passed through the firewall are rewritten with the firewall's IP address, so all internal IP addresses are completely hidden.

The following table provides a comparison of packet filter and application-level technologies.

Packet Filter                                    Application-Level Firewall
All packets compared to a list of rules          All network traffic forced to the application level for authorization
All packets allowed unless explicitly denied     No traffic allowed through unless explicitly allowed
No authentication of users                       User and service authentication (ability to examine data and state)
Minimal logging                                  Extensive logging


Stateful-Inspection Firewalls
Figure: OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical) showing where Stateful-Inspection Firewalls operate.

Stateful-inspection firewalls analyze all protocol layers and compare current sessions to previous sessions to detect suspicious activity. Stateful-inspection firewalls reside below the network layer, at the lowest software level. All packets are intercepted and analyzed before they reach the operating system. Stateful-inspection firewalls do not depend on predefined application information (proxies), but instead use business rules defined by the user. State information, derived from past communications and other applications, is a key factor in making the control decision for new communication attempts.
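The following is an added example, not code from the Compaq course or any vendor: a minimal stateful inspection engine that keeps the state information the paragraph describes in a connection table and consults it for every new packet. The internal network, idle timeout, and packets are constructed. It shows the two properties a stateless packet filter lacks: replies are admitted only for a connection an internal host actually opened, and an inbound packet that merely has the ACK bit set is dropped when no tracked connection matches it.

```python
# Added example (not from the Compaq course): a connection-table firewall.
# Internal network, timeout and packets are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = field(default_factory=frozenset)   # TCP flags


Key = Tuple[str, int, str, int]


class StatefulFirewall:
    """Allow flows that internal hosts open; allow replies only for tracked flows."""

    def __init__(self, internal_net: str, idle_timeout: float = 60.0):
        self.internal = ip_network(internal_net)
        self.idle_timeout = idle_timeout
        self.table: Dict[Key, List] = {}   # key -> [state, last_seen]

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> Key:
        return (p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        """Forget entries idle longer than the timeout; stale state is itself a risk."""
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def inspect(self, p: Packet, now: float) -> str:
        self._expire(now)
        fwd, rev = self._key(p), self._reverse(p)
        if fwd in self.table:                        # packet from the initiator
            entry = self.table[fwd]
        elif rev in self.table:                      # reply to a tracked flow
            entry = self.table[rev]
            if entry[0] == "SYN_SENT" and {"SYN", "ACK"} <= p.flags:
                entry[0] = "ESTABLISHED"
        else:
            # New flow: only internal hosts may initiate, and only with a bare
            # SYN. An external packet carrying ACK but matching no entry is
            # dropped here, although a stateless "established" rule keyed on
            # the ACK bit alone would have passed it.
            if ip_address(p.src) in self.internal and p.flags == frozenset({"SYN"}):
                self.table[fwd] = ["SYN_SENT", now]
                return "allow"
            return "drop"
        entry[1] = now
        if p.flags & {"FIN", "RST"}:                 # teardown: forget the flow
            self.table.pop(fwd, None)
            self.table.pop(rev, None)
        return "allow"


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed packet sequence; returns (description, decision) pairs."""
    fw = StatefulFirewall("10.0.0.0/8", idle_timeout=60)
    events = [
        ("outbound SYN", 0, Packet("10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"SYN"}))),
        ("server SYN-ACK", 1, Packet("203.0.113.9", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))),
        ("client data", 2, Packet("10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"ACK"}))),
        ("unsolicited inbound SYN", 3, Packet("198.51.100.7", 1234, "10.0.0.5", 22, frozenset({"SYN"}))),
        ("inbound ACK, no matching entry", 4, Packet("198.51.100.7", 1234, "10.0.0.5", 40001, frozenset({"ACK"}))),
        ("server FIN", 5, Packet("203.0.113.9", 80, "10.0.0.5", 40000, frozenset({"FIN", "ACK"}))),
        ("late packet after close", 6, Packet("203.0.113.9", 80, "10.0.0.5", 40000, frozenset({"ACK"}))),
    ]
    return [(name, fw.inspect(pkt, t)) for name, t, pkt in events]


def timeout_demo() -> Tuple[str, str]:
    """A reply arriving after the idle timeout finds no entry and is dropped."""
    fw = StatefulFirewall("10.0.0.0/8", idle_timeout=10)
    first = fw.inspect(Packet("10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"SYN"})), 0)
    late = fw.inspect(Packet("203.0.113.9", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})), 100)
    return first, late


if __name__ == "__main__":
    for name, decision in run_scenario():
        print(f"{name:32s} {decision}")
    print("after timeout:", timeout_demo())
```

The per-packet table lookup is also where the CPU cost and the administrator's choice of idle timeout come in: a longer timeout keeps more entries alive and therefore more lookup work, while a shorter one can cut off slow but legitimate sessions.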


Advantages and Disadvantages


The advantages of stateful-inspection technology include:

- Good security
- Full application-layer awareness
- High performance
- Scalability
- Extensibility
- Transparency

The disadvantages of stateful-inspection technology include:

- IP-level controls do not offer protection against application-level attacks.
- Evaluation and logging of each packet against a list of open connections can be CPU-intensive and can result in degradation of network traffic through the firewall.
- Rules are highly order-dependent and can be difficult to configure.



Circuit-Level Firewalls
A circuit-level gateway (also known as a circuit-level proxy) relays TCP connections. It operates at the session level only. Incoming traffic connects to a TCP port on the gateway and the gateway then relays the connections to their destination. After a session has been established, the firewall might allow any type of traffic to pass through. No extra processing or filtering of the protocol occurs. The relay services do not examine the bytes that flow through them. Secure circuit-level gateways include controls such as time limits on the connection, a list of users allowed to access the port, and user authentication. Some circuit-level gateways distinguish what packets to pass by checking them against a memory-resident database to verify their validity. They might also provide protection for some common types of attacks, such as DNS and FTP attacks and IP address spoofing. Some circuit-level gateways can also perform network address translation. Because circuit-level gateways operate at the session level, they can allow any kind of traffic once a session has been established. This is the main disadvantage of circuit-level gateways.


Introduction to Firewall Servers


Figure: Firewall Server between the Internal Network and the External Network (Internet)

Firewall servers are widely used to give users access to the Internet in a secure fashion, as well as to separate a company's public web server from its internal network. Firewall servers are also used to keep internal network segments more secure. A firewall server lets authorized communication travel freely between internal and external networks. A firewall server controls all traffic traveling between two networks and examines content as it comes through. Content is examined based on rules that specify the actions for the firewall to take on every packet it receives.


Firewall Server Placement


Figure: Firewall server placement across three segments separated by firewalls. Intranet: Departmental Web Server (IP 10.10.10.5), Content Creation Client (IP 10.10.10.10), Management Console (IP 10.10.10.12). Staging: Staging Server (IP 11.11.11.5), Management Console (IP 11.11.11.12). Production: Production Server (IP 122.201.55.5), Management Console (IP 122.201.55.12). A Router (IP 130.210.30.1) connects to the Internet.

The preceding graphic illustrates that firewall servers can be located in various places throughout the network. Typically, firewall servers are placed between an organization and the outside world. However, firewalls can be used internally to isolate certain network segments.


Firewall Server Configurations

Figure: Dual-Homed Host firewall between the Internet and the Internal Network

The term multi-homed host describes a host computer that has multiple NICs. Usually, each NIC is connected to a separate network or network segment. This multi-homed host can route traffic between the network segments, functioning in a router capacity. If the routing function in the multi-homed host is disabled, the host can provide network traffic isolation between the networks it connects to and yet each network will be able to process applications on the host. If the applications permit, the networks can share data. Consider two firewall configurations:

- A dual-homed firewall system
- A tri-homed firewall system


Dual-Homed Firewall Configuration


Figure: Firewall with two NICs, one attached to the Internal Network and one attached to the Internet

A dual-homed host architecture is built around the dual-homed host computer, which is a computer that has at least two network interfaces. This host can act as a router between the networks these interfaces are attached to. It is capable of routing IP packets from one network to another. A dual-homed firewall contains two network interfaces. One of these interfaces is attached to a trusted network. The other interface is attached to an untrusted network, such as the Internet.
Note: An exposed gateway or firewall machine is often called a bastion host. A bastion host is any firewall host that is critical to network security. The bastion host gets its name from the highly fortified projections on the outer walls of medieval castles.

The dual-homed host is the basic configuration used in firewalls. To implement a dual-homed host architecture, disable the routing function. IP packets from one network (for example, the Internet) are not directly routed to the other network. Systems inside the firewall and outside the firewall can communicate with the dual-homed host, but these systems cannot communicate directly with each other. IP traffic between them is completely blocked. The only path between the networks is through an application layer function. If the routing is accidentally misconfigured so that IP forwarding is enabled, it is possible for the application layer functions of the dual-homed firewall to be bypassed.


Security Risks with a Dual-Homed Firewall
Because the firewall server is exposed to the Internet and is a main point of contact for internal network users, it is vulnerable to attack and therefore must be highly secured. The biggest threat to a dual-homed firewall is direct login access to the dual-homed host. If direct login at the host occurs, the intruder can reconfigure the host. Logins from external networks should require strong authentication.

Important: If users are allowed to log in to the firewall machine directly, the firewall security can be compromised.

The only access to the firewall host itself should be through either the console or secure remote access. To prevent circumvention of the firewall, no user accounts should be permitted on the system. To protect the dual-homed host, consider taking the following precautions:

- Remove programming tools such as compilers.
- Use disk partitions so that an intrusion that fills all disk space on a partition will be confined to that partition.
- Remove unneeded system and special accounts.
- Delete unneeded network services.


Tri-Homed Firewall Configuration

Figure: Tri-homed Firewall Server with one interface to the Intranet, one to the DMZ (Web Server, FTP Server, Mail Server), and one to the External Network, which reaches the Internet through a Router.

A tri-homed firewall contains three network interfaces. The third network interface creates a DMZ (demilitarized zone) that stands between the private and hostile networks. Typically, the DMZ will contain hosts whose information is less critical if compromised. The private network houses hosts whose information is most critical, and will probably be accessed only by other internal hosts.


Multiple Firewall Configuration

Figure: Multiple firewall configuration: Internet, Router, outer Firewall, DMZ (External Network with the Web Server), inner Firewall, Intranet.

Many sites that perform e-commerce or other types of customer transactions use a two-layered firewall approach. In this configuration, the web server is on a protected, outside network that is isolated from the main corporate network. This type of network is referred to as a DMZ network. The advantage of a DMZ configuration is that if the web server outside is compromised, it does not provide a foothold for attacking the protected network.


Firewall Server Behind a Packet-Filtering Router

Figure: Packet Filtering Gateway/Router between the External Network (Internet) and the Firewall Server, which in turn fronts the Internal Network.

A common strategy is to place a packet-filtering router between a firewall server and the untrusted network, which introduces another line of defense. In this configuration, you configure the packet-filtering router so that it sends all network traffic to the firewall server after applying its filter rules to the network traffic. Only traffic that passes the filter rules is diverted to the firewall server. All other traffic is rejected. An intruder must first penetrate the packet-filtering router before contending with the firewall server.


The path of network traffic as applied to the OSI model is illustrated as follows:
Figure: Traffic path through the OSI model. The Packet-Filter Router between the External Network and the Firewall handles the Physical, Data Link and Network layers; the Firewall between the router and the Internal Network handles all seven layers (Physical through Application).


Evaluating Firewalls
When evaluating firewall implementations, at a minimum the implementation should include the following features:

- Authentication
- Protection from common attacks
- Activity logging
- Rules

Additional firewall features might include:

- Alerting
- Suspicious activity monitoring
- Virtual private networking
- URL/news blocking
- Code scanning and virus scanning
- Address translation



Authentication
Authentication is the process of determining that a user is who he or she claims to be. This might be a user logging on to a machine or one host machine communicating with another host machine. Several types of authentication exist. The types of authentication measures you take will be based on the importance of the resource you are trying to protect. A firewall should provide authentication services so only specific users can enter. Authentication can be either weak or strong. Weak authentication allows the same password to be used repeatedly and is more typically associated with internal users accessing the Internet. Strong authentication uses a different password every time and is best for external users accessing the intranet. For users accessing a particular device, your authentication options (in order of complexity and security) include:

- Passwords
- One-time passwords
- Smart cards
- Biometrics
- Cryptography
- Authorization


Protection from Common Attacks


Most firewalls protect against common Internet attacks that occur at the network level, such as IP spoofing, SYN Flood, or the Ping of Death. Attacks that occur at the application level, such as buffer overrun, specific application commands, and filtering of URLs, can only be prevented by application-level firewalls, which examine the application data streams. Packet-filtering firewalls cannot prevent these attacks because they only see parts of the stream. The International Computer Security Association (ISCA) is an independent body that certifies firewalls for minimum functionality.
For more information about ISCA, refer to www.isca.net.

To receive certification, a product must resist all common attacks in accordance with these criteria:

- No measure of administrative control of the firewall or underlying operating system may become available to the attacker.
- Protocol or data content other than TELNET, FTP, HTTP, SSL/SHTTP, SMTP, and DNS must not be passed through the firewall and be carried on the internal network.
- The product must not be trivially rendered inoperable by network-based denial of service attacks, with these exceptions:
  - The product must have a documented fail-safe mechanism for removing itself from service according to a declared policy.
  - If a denial of service attack is widely recognized as having no defense, the product must provide a log-based alert prior to failing.


Activity Logging
A firewall should provide a log of each request it receives. At a minimum, the entry will include the source of the request, the destination, the protocol, a time stamp, and the result of the request. Of primary concern is the readability of the logs, the ability to scan or query the logs, and the ability to compress the logs. For the greatest security, place the log file on a separate drive partition or machine. Examining the log can reveal whether the firewall is withstanding probes and attacks, and helps determine whether the controls on the firewall are adequate.
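The following is an added example, not code from the Compaq course or any product, of the kind of query the paragraph has in mind: it parses log entries carrying the five minimum fields (source, destination, protocol, time stamp, result), counts results per source, and flags a source whose denied requests touch many distinct destination ports in a short window, which is what a probe looks like in the log. The log format and the sample lines are constructed; a real firewall's format will differ and the regular expression would be adapted to it. Unparsable lines are counted rather than silently skipped, since a log that cannot be read is itself a finding.

```python
# Added example (not from the Compaq course): reading a firewall log for
# probes. The line format and sample entries are constructed.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed format: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport> <result>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<result>ALLOW|DENY)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the entry's fields, or None when the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S")
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def parse_log(lines: List[str]) -> Tuple[List[dict], int]:
    """Parse all lines; returns (entries, number of unparsable lines)."""
    entries, unparsable = [], 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsable += 1
        else:
            entries.append(entry)
    return entries, unparsable


def summarize(entries: List[dict]) -> Dict[str, Dict[str, int]]:
    """ALLOW/DENY counts per source address."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"ALLOW": 0, "DENY": 0})
    for entry in entries:
        counts[entry["src"]][entry["result"]] += 1
    return dict(counts)


def find_probing_sources(entries: List[dict], min_ports: int = 5,
                         window_seconds: int = 60) -> Dict[str, List[int]]:
    """Sources whose DENY entries hit at least min_ports distinct destination
    ports within any window_seconds span. Returns {src: sorted ports}."""
    denied_by_src: Dict[str, List[dict]] = defaultdict(list)
    for entry in entries:
        if entry["result"] == "DENY":
            denied_by_src[entry["src"]].append(entry)
    flagged: Dict[str, List[int]] = {}
    for src, hits in denied_by_src.items():
        hits.sort(key=lambda e: e["ts"])
        for i, first in enumerate(hits):          # slide the window over each start
            ports = {e["dport"] for e in hits[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged


# Constructed sample: one source sweeps six ports in seven seconds, another
# makes one allowed and one denied request, and one line is corrupt.
SAMPLE_LOG = """\
2001-03-05 10:00:01 tcp 198.51.100.7:40001 -> 10.0.0.5:21 DENY
2001-03-05 10:00:02 tcp 198.51.100.7:40002 -> 10.0.0.5:22 DENY
2001-03-05 10:00:03 tcp 198.51.100.7:40003 -> 10.0.0.5:23 DENY
2001-03-05 10:00:04 tcp 203.0.113.9:51000 -> 10.0.0.5:25 ALLOW
2001-03-05 10:00:05 tcp 198.51.100.7:40004 -> 10.0.0.5:25 DENY
2001-03-05 10:00:06 tcp 198.51.100.7:40005 -> 10.0.0.5:80 DENY
2001-03-05 10:00:07 tcp 198.51.100.7:40006 -> 10.0.0.5:110 DENY
2001-03-05 10:00:08 tcp 203.0.113.9:51001 -> 10.0.0.5:22 DENY
this line is corrupt
2001-03-05 10:02:30 udp 198.51.100.7:40007 -> 10.0.0.5:53 DENY
""".splitlines()

if __name__ == "__main__":
    entries, bad = parse_log(SAMPLE_LOG)
    print("parsed:", len(entries), "unparsable:", bad)
    print("per source:", summarize(entries))
    print("probing sources:", find_probing_sources(entries))
```

The later UDP entry from the same source falls outside the 60-second window and so does not contribute to the flagged port set; thresholds like these belong in the firewall's suspicious-activity settings rather than in code, but the logic is the same.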

Rules
Usually a firewall determines what traffic may pass through by applying rules. These rules express the security policy to the firewall in one of two ways:

- That which is not expressly permitted is prohibited.
- That which is not expressly prohibited is permitted.


Additional Features
Additional features to consider, depending on your organization's needs, include:

- Alerting: The firewall alerts the administrator when an attack occurs.
- Suspicious activity monitoring: The firewall detects unusual activity and alerts the administrator. In some cases, the administrator might be able to define the activities that are considered suspicious.
- Virtual private networking: The firewall provides the ability to establish secure, private communication with another network through the Internet. VPNs use encryption and encapsulation technology to create a private passageway, or tunnel, through the Internet.
- URL/news blocking: The firewall provides the ability to restrict information that is not appropriate for a business environment.
- Code scanning and virus scanning: The firewall provides the ability to scan for malicious code or viruses being introduced into the private network from the Internet.
- Address translation: On many networks, it is necessary to hide internal network addresses from external users to make internal nodes less vulnerable to attack. This also allows the internal network to use IP addresses indiscriminately. From the outside, it looks like the network has only one or just a few IP addresses.
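The address translation item above is the one feature in this list that reduces to a small, checkable mechanism, so here is an added example of it, not code from the Compaq course or any product: a translator that rewrites outbound packets to the firewall's single public address and a per-connection public port, maps replies back to the internal host, and drops inbound packets for which no internal host opened a mapping. The internal network, public address and port range are constructed. Two internal hosts deliberately use the same private source port to show that the mapping is per (host, port) pair, which is what lets the inside use its addresses without regard to the outside.

```python
# Added example (not from the Compaq course): many internal hosts behind one
# public address. Addresses and ports are constructed for illustration.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class AddressTranslator:
    """Rewrite outbound packets to the public address; map replies back inside."""

    def __init__(self, internal_net: str, public_ip: str, first_port: int = 20000):
        self.internal = ip_network(internal_net)
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Tuple[str, int], int] = {}   # (host, port) -> public port
        self.inbound: Dict[int, Tuple[str, int]] = {}    # public port -> (host, port)

    def translate_out(self, p: Packet) -> Optional[Packet]:
        """Packet leaving the internal network: replace its source with the
        public address and a public port; None if it is not from inside."""
        if ip_address(p.src) not in self.internal:
            return None
        key = (p.src, p.sport)
        if key not in self.outbound:                # first packet of this flow
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return replace(p, src=self.public_ip, sport=self.outbound[key])

    def translate_in(self, p: Packet) -> Optional[Packet]:
        """Packet arriving at the public address: restore the internal host and
        port, or None when no internal host opened the mapping (unsolicited
        inbound traffic is dropped, and the inside addresses stay hidden)."""
        if p.dst != self.public_ip or p.dport not in self.inbound:
            return None
        host, port = self.inbound[p.dport]
        return replace(p, dst=host, dport=port)


def demo() -> dict:
    """Constructed exchange: two inside hosts, one reply, one unsolicited packet."""
    nat = AddressTranslator("10.0.0.0/8", "192.0.2.1")
    out_a = nat.translate_out(Packet("10.0.0.5", 40000, "203.0.113.9", 80))
    out_b = nat.translate_out(Packet("10.0.0.6", 40000, "203.0.113.9", 80))
    reply_b = nat.translate_in(Packet("203.0.113.9", 80, "192.0.2.1", out_b.sport))
    unsolicited = nat.translate_in(Packet("198.51.100.7", 5555, "192.0.2.1", 22))
    return {"out_a": out_a, "out_b": out_b, "reply_b": reply_b, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} {pkt}")
```

Note that this translator does no policy checking of its own; in practice it sits beside the rule engine and connection table rather than replacing them, and the mappings it creates need the same idle expiry as any other state.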


Firewall Deployment Procedures


To deploy a firewall, you should use the following general steps:

1. Create a security policy that defines what, why, and how computing resources are to be protected. This includes well-defined access rules such as:
   - Allow inside users access to the Internet using web protocols (HTTP).
   - Allow email traffic in both directions using Internet mail protocols (SMTP).
   - Allow inside users to access Internet servers using FTP.
   - Deny all other access.
2. Choose the right firewall components to enforce the security policy. The firewall system must be capable of supporting the access rules you defined.
3. Reconfigure the network's domain name system (DNS) to accommodate the placement of the firewall.
4. Configure the firewall's access rules, logging, notification, and address translation features to match the security policy. Some firewalls can be plugged in with little configuration.
5. Perform a security scan against the firewall system. In other words, try to invade your own network. Some scanning tools, such as ISS and SATAN, break into the firewall, not through it. Other tools try to break through a firewall. After you have a firewall in place, perform periodic security scans and audits to ensure continuous firewall integrity.
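The two policy stances described earlier (everything not expressly permitted is prohibited, versus everything not expressly prohibited is permitted) and the access rules from step 1 above can be put together in a small first-match rule engine. This is an added example, not code from the course: the rule set encodes the four access rules from the deployment procedure, the same rules are evaluated under both default policies, and a check function compares the deployed rule set against traffic the policy says must never pass, which is the idea behind the self-scan in step 5. The `Packet` and `Rule` types, the port numbers and the probe traffic are constructed for the example.

```python
"""First-match packet filter evaluated under both security policy stances.

The explicit rules are the access list from the deployment procedure:
HTTP out, SMTP in both directions, FTP out.  "Deny all other access" is not a
rule but the default policy; the second filter shows what the same rule set
does when the default is permit instead.
"""
from dataclasses import dataclass
from typing import Optional

DENY, ALLOW = "deny", "allow"


@dataclass(frozen=True)
class Packet:
    direction: str   # "outbound" (inside -> Internet) or "inbound"
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: Optional[str]   # None matches either direction
    proto: str
    dst_port: int
    action: str

    def matches(self, pkt):
        return ((self.direction is None or self.direction == pkt.direction)
                and self.proto == pkt.proto
                and self.dst_port == pkt.dst_port)


class PacketFilter:
    def __init__(self, rules, default):
        self.rules = rules
        self.default = default

    def decide(self, pkt):
        """Return the action of the first matching rule; if nothing matches,
        the policy stance (the default) decides."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Access rules from step 1 of the deployment procedure (constructed ports).
POLICY_RULES = [
    Rule("outbound", "tcp", 80, ALLOW),   # inside users may reach the web (HTTP)
    Rule(None, "tcp", 25, ALLOW),         # mail (SMTP) in both directions
    Rule("outbound", "tcp", 21, ALLOW),   # inside users may reach FTP servers
]

# "That which is not expressly permitted is prohibited."
DEFAULT_DENY = PacketFilter(POLICY_RULES, default=DENY)
# "That which is not expressly prohibited is permitted."
DEFAULT_ALLOW = PacketFilter(POLICY_RULES, default=ALLOW)


def compare(pkt):
    """Decision under the default-deny and the default-allow stance."""
    return DEFAULT_DENY.decide(pkt), DEFAULT_ALLOW.decide(pkt)


def unexpected_allows(pf, must_deny):
    """Self-check for step 5: every probe the policy says must be denied that
    the deployed filter would actually let through."""
    return [p for p in must_deny if pf.decide(p) == ALLOW]


# Constructed probe traffic that the policy says must not pass.
MUST_DENY = [
    Packet("inbound", "tcp", 80),     # nobody outside may reach an inside web port
    Packet("inbound", "tcp", 23),     # no inbound telnet
    Packet("outbound", "tcp", 23),    # no outbound telnet either
    Packet("outbound", "udp", 53),    # DNS is not in the access list
]

if __name__ == "__main__":
    for p in [Packet("outbound", "tcp", 80), Packet("inbound", "tcp", 25)] + MUST_DENY:
        print(p, "->", compare(p))
    print("default-deny leaks:", unexpected_allows(DEFAULT_DENY, MUST_DENY))
    print("default-allow leaks:", unexpected_allows(DEFAULT_ALLOW, MUST_DENY))
```

Run stand-alone, the script shows that the three explicit rules behave identically under both stances, while every probe not covered by a rule is dropped by the default-deny filter and passed by the default-allow one. The `unexpected_allows` check is the kind of comparison between policy and deployed rules that a periodic audit repeats after the firewall is in place.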


Review Questions

1. List the main types of firewalls.
2. Describe how packet-filtering gateways work.
3. Briefly explain how application-level firewalls work.
4. Briefly explain how stateful inspection firewalls work.
5. Briefly explain how circuit-level firewalls work.
6. Describe how a DMZ is created with a firewall server.
7. What is the advantage of placing a firewall server behind a packet filtering gateway?
8. What key features would you evaluate when deciding upon a firewall solution?
9. List the general steps you would follow to deploy a firewall.
