
Answer to Tutorial 8 – Information Security

1. What is the typical relationship among the untrusted network, the firewall, and the trusted
network?

Answer:

The untrusted network is usually the Internet or another segment of a public access network,
while the trusted network is typically a privately owned network. The firewall sits between the
two and filters traffic from the untrusted network as it enters the trusted network, to gain
some assurance that the traffic is legitimate before it reaches internal systems.

2. What is the relationship between a TCP (Transmission Control Protocol) and UDP (User
Datagram Protocol) packet?
Will any specific transaction usually involve both types of packets?

Answer:

UDP packets are, by design, connectionless: each datagram is sent on its own, with no prior
handshake and no guarantee of delivery. TCP packets belong to a connection that is first
established between two hosts (the three-way handshake) and that provides ordered, reliable
delivery.
A single connection uses one transport protocol or the other, so it would be unusual for one
connection to involve both TCP and UDP ports. A higher-level transaction can still use both, for
example a DNS lookup over UDP followed by an HTTP request over TCP.

3. How is an application layer firewall different from a packet filtering firewall?


Why is an application layer firewall sometimes called a proxy server?

Answer:

The application layer firewall takes into consideration the nature of the applications that are
being run (the type and timing of the network connection requests, the type and nature of
the traffic that is generated), whereas the packet filtering firewall looks only at the header
fields of each packet (addresses, ports, protocol) as it is transferred, never at the request
the packet carries.
The application firewall is also known as a proxy server, since it runs special software that
acts as a proxy for a service request: the client talks to the firewall, and the firewall makes
the request to the real server on the client's behalf.
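To make the difference concrete, here is an added example (written for this page, not code from the tutorial) that runs a packet-filter decision and an application-layer decision over the same packets. The rule set, the addresses and the HTTP payloads are constructed for illustration; the three sample packets are identical at layers 3 and 4 and differ only in what they carry, which is exactly the part a packet filter cannot see.

```python
# Added example (not from the tutorial): a packet-filter decision that sees only
# L3/L4 header fields, next to an application-layer (proxy) decision that also
# parses the HTTP request the packet is carrying. Addresses, rules and payloads
# are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str            # "tcp" or "udp"
    payload: bytes = b""  # application data carried by the packet


# Hypothetical static packet-filter rule set; first match wins, default deny.
# A packet filter can only reason about these header fields.
PACKET_RULES = [
    # (source prefix, destination IP, destination port, protocol, action)
    ("10.0.0.", "203.0.113.10", 80, "tcp", "allow"),
]

# Hypothetical application-layer policy enforced by the proxy.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"www.example.com"}


def packet_filter(pkt: Packet) -> str:
    """Layer 3/4 decision: header fields only; the payload is never examined."""
    for src_prefix, dst_ip, dst_port, proto, action in PACKET_RULES:
        if (pkt.src_ip.startswith(src_prefix) and pkt.dst_ip == dst_ip
                and pkt.dst_port == dst_port and pkt.proto == proto):
            return action
    return "deny"


def parse_http_request(payload: bytes):
    """Return (method, target, headers) for a well-formed HTTP/1.x request, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                      # not an HTTP request line
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            return None                  # malformed header line
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def application_filter(pkt: Packet) -> str:
    """Proxy decision: header rules must pass, then the request itself is inspected."""
    if packet_filter(pkt) != "allow":
        return "deny"
    request = parse_http_request(pkt.payload)
    if request is None:
        return "deny"                    # something other than HTTP is using port 80
    method, _target, headers = request
    if method not in ALLOWED_METHODS:
        return "deny"
    if headers.get("host") not in ALLOWED_HOSTS:
        return "deny"
    return "allow"


def run_samples():
    """Constructed packets that are identical at layers 3/4; returns both decisions."""
    header = dict(src_ip="10.0.0.5", dst_ip="203.0.113.10", dst_port=80, proto="tcp")
    samples = {
        "get": Packet(**header, payload=b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        "post": Packet(**header, payload=b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        "other_host": Packet(**header, payload=b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n"),
        "ssh": Packet(**header, payload=b"SSH-2.0-OpenSSH_9.0\r\n"),  # SSH tunnelled over port 80
    }
    return {name: (packet_filter(p), application_filter(p)) for name, p in samples.items()}
```

The packet filter allows all four samples because their headers match the single rule; only the proxy, which parses the request, rejects the POST, the request for a non-permitted host, and the SSH banner that is simply using port 80 to get through.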

4. How is static filtering different from dynamic filtering of packets?


Which is perceived to offer improved security?

Answer:

Static filtering requires that the rules governing which packets the firewall allows and which
it denies be developed and installed in advance by an administrator; they change only when the
administrator changes them. This type of filtering is common in network routers and gateways.
Dynamic filtering allows the firewall to react to an emergent event and update or create rules
to deal with it. The reaction can be positive, as in allowing an internal user to engage in a
specific activity upon request, or negative, as in dropping all packets from a particular address
when an increase in a particular type of malformed packet is detected.
Dynamic filtering is perceived to offer improved security: while a static filtering firewall
allows entire sets of one type of packet to enter in response to authorized requests, a dynamic
packet filtering firewall allows only a particular packet with a particular source, destination,
and port address to enter through the firewall.

5. What is stateful inspection?


How is state information maintained during a network connection or transaction?

Answer:

Stateful inspection firewalls, also called stateful firewalls, keep track of each network
connection between internal and external systems using a state table. A state table tracks the
state and context of each packet in the conversation by recording which station sent what packet
and when. Like first generation firewalls, stateful inspection firewalls perform packet filtering,
but they take it a step further. Whereas a simple packet filtering firewall only allows or denies
packets based on their addresses and ports, a stateful firewall can block incoming packets that
are not responses to requests made from the inside. If the stateful firewall receives an incoming
packet that it cannot match in its state table, it falls back to its ACL to determine whether to
allow the packet to pass. The primary disadvantage of this type of firewall is the additional
processing required to manage and verify packets against the state table, which can leave the
system vulnerable to a DoS or DDoS attack that floods it with new connection attempts.
State information is preserved in a state table that looks similar to a firewall rule set but
carries additional information. Each entry contains the familiar source IP and port and
destination IP and port, but adds the protocol used (e.g., TCP or UDP), the total time in
seconds the entry has existed, and the time remaining in seconds before it is discarded.
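The following added example (written for this page, not code from the tutorial) puts the answers to questions 4 and 5 together in one toy firewall: a state table keyed on the connection 5-tuple with the total-time and time-remaining fields described above, a static ACL used only for packets with no matching state, entry timeouts, and the "negative" dynamic reaction from question 4, where repeated malformed packets from one source cause that source to be blocked. The ACL, the addresses and the packet stream are constructed; the `malformed` flag stands in for a header validator the example does not implement.

```python
# Added example (not from the tutorial): a toy stateful inspection firewall with
# a state table, ACL fallback, entry timeouts and a dynamic block rule. The ACL,
# addresses and packet stream are constructed; `malformed` is assumed to be set
# by a header validator that is not part of this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "out": internal -> external, "in": external -> internal
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: float         # arrival time in seconds
    malformed: bool = False


# Hypothetical static ACL: (direction, proto, destination port, action); first match wins.
ACL = [
    ("out", "tcp", 443, "allow"),
    ("out", "udp", 53, "allow"),
    ("in", "tcp", 25, "allow"),    # inbound mail to an internal relay
]


class StatefulFirewall:
    def __init__(self, acl, timeout=30.0, block_after=3, block_window=10.0):
        self.acl = acl
        self.timeout = timeout
        self.state = {}            # 5-tuple of opening packet -> (created_at, expires_at)
        self.block_after = block_after
        self.block_window = block_window
        self.malformed_seen = {}   # src_ip -> arrival times of recent malformed packets
        self.blocked = {}          # dynamically blocked src_ip -> expires_at

    def _expire(self, now):
        self.state = {k: v for k, v in self.state.items() if v[1] > now}
        self.blocked = {ip: t for ip, t in self.blocked.items() if t > now}

    def _acl_action(self, pkt):
        for direction, proto, port, action in self.acl:
            if (direction, proto, port) == (pkt.direction, pkt.proto, pkt.dst_port):
                return action
        return "deny"              # default deny

    def _note_malformed(self, pkt):
        recent = [t for t in self.malformed_seen.get(pkt.src_ip, [])
                  if t > pkt.ts - self.block_window]
        recent.append(pkt.ts)
        self.malformed_seen[pkt.src_ip] = recent
        if len(recent) >= self.block_after:          # dynamic rule: block the source
            self.blocked[pkt.src_ip] = pkt.ts + self.timeout

    def process(self, pkt):
        self._expire(pkt.ts)
        if pkt.src_ip in self.blocked:
            return "deny (dynamic block)"
        if pkt.malformed:
            self._note_malformed(pkt)
            return "deny (malformed)"
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        for k in (key, reverse):                     # same conversation, either direction
            if k in self.state:
                created, _ = self.state[k]
                self.state[k] = (created, pkt.ts + self.timeout)   # refresh time remaining
                return "allow (state table)"
        action = self._acl_action(pkt)               # no state: fall back to the ACL
        if action == "allow":
            self.state[key] = (pkt.ts, pkt.ts + self.timeout)
            return "allow (acl)"
        return "deny (acl)"

    def state_table(self, now):
        """Rows with the fields listed above: endpoints, protocol, total time, time remaining."""
        return [{"proto": proto, "src": f"{sip}:{sport}", "dst": f"{dip}:{dport}",
                 "total_time": now - created, "time_remaining": max(0.0, expires - now)}
                for (proto, sip, sport, dip, dport), (created, expires) in self.state.items()]


def run_scenario():
    """Constructed packet stream; returns the decision for each packet in order."""
    fw = StatefulFirewall(ACL)
    stream = [
        Packet("out", "udp", "10.0.0.5", 40000, "192.0.2.53", 53, 0.0),    # DNS query
        Packet("in", "udp", "192.0.2.53", 53, "10.0.0.5", 40000, 0.1),     # matching reply
        Packet("in", "udp", "198.51.100.9", 53, "10.0.0.5", 40000, 0.2),   # reply from wrong server
        Packet("out", "tcp", "10.0.0.5", 50123, "203.0.113.7", 443, 1.0),  # HTTPS connection
        Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.5", 50123, 1.2),   # server response
        Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.5", 50123, 45.0),  # entry has timed out
        Packet("in", "tcp", "198.51.100.9", 1, "10.0.0.5", 22, 46.0, malformed=True),
        Packet("in", "tcp", "198.51.100.9", 2, "10.0.0.5", 22, 46.5, malformed=True),
        Packet("in", "tcp", "198.51.100.9", 3, "10.0.0.5", 22, 47.0, malformed=True),
        Packet("in", "tcp", "198.51.100.9", 4444, "10.0.0.5", 25, 48.0),   # ACL alone would allow
    ]
    return [fw.process(p) for p in stream]
```

The third packet is the point of stateful inspection: it is a DNS "reply" to the right internal port, but from a server the client never queried, so no state entry matches and the static ACL (which has no inbound UDP rule) denies it. The sixth packet shows the timeout: the TCP entry expired, so the reply is again judged by the ACL alone. The last packet is allowed by the static ACL but dropped by the dynamic block created after three malformed packets from the same source.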

6. Describe how the various types of firewalls interact with the network traffic at various levels
of the OSI (Open System Interconnection) model.

Answer:

Packet filtering firewalls scan network data packets looking for compliance with or violation
of the rules of the firewall’s database. Filtering firewalls inspect packets at the network layer,
or Layer 3, of the OSI model.
MAC layer firewalls are designed to operate at the media access control layer (Layer 2) of the
OSI model, making decisions on the hardware (MAC) addresses of the sending and receiving hosts.

Application level firewalls will operate at OSI layers above layer 3, using specific knowledge of
various protocols and applications to make more informed decisions about packet forwarding.

7. List the five generations of firewall technology.


Which generations are still in common use?

Answer:

At the present time, there are five generally recognized generations of firewalls, and these
generations can be implemented in a wide variety of architectures.

First Generation. First generation firewalls are static packet filtering firewalls –that is,
simple networking devices that filter packets according to their headers as the packets travel
to and from the organization’s networks.

Second Generation. Second generation firewalls are application-level firewalls or proxy
servers –that is, dedicated systems that are separate from the filtering router and that
provide intermediate services for requestors.

Third Generation. Third generation firewalls are stateful inspection firewalls, which, as
you may recall, monitor network connections between internal and external systems using
state tables.

Fourth Generation. While static filtering firewalls, such as first and third generation fire-
walls, allow entire sets of one type of packet to enter in response to authorized requests,
the fourth generation firewalls, which are also known as dynamic packet filtering firewalls,
allow only a particular packet with a particular source, destination, and port address to enter.

Fifth Generation. The fifth generation firewall is the kernel proxy, a specialized form that
works under the Windows NT Executive, which is the kernel of Windows NT.

Most modern firewalls combine features from more than one generation.

8. What is a sacrificial host?


What is a bastion host?

Answer:

The two terms are synonyms. Since the bastion host stands as the sole defender on the network
perimeter, it is also commonly referred to as the sacrificial host: it is the one system
deliberately exposed to the untrusted network and is expected to absorb attacks. In the usual
arrangement, where the bastion host sits behind a packet-filtering router, this configuration
has the advantage that an external attacker must compromise two separate systems before
gaining access to internal data.

9. What is a content filter?


Where is it placed in the network to gain the best result for the organization?

Answer:

A content filter is a software filter –technically not a firewall– that allows administrators to
restrict access to content from within a network. It is essentially a set of scripts or programs
that restricts user access to certain networking protocols and Internet locations, or restricts
users from receiving general types or specific examples of Internet content. Some refer to
content filters as reverse firewalls, as their primary focus is to restrict internal access to
external material.
To gain the best result, it should be placed on the primary connection used to gain access to
the Internet, so that all outbound traffic from the organization passes through it and no
user can bypass it by another route.

10. What is a VPN?


What are some reasons it is widely popular in many organizations?

Answer:

A Virtual Private Network (VPN) is a private and secure network connection between systems
that uses the data communication capability of an unsecured and public network.
VPNs are popular since they are simple to set up and maintain and usually require only that
the tunneling points be dual-homed –that is, connecting a private network to the Internet or
to another outside connection point. There is VPN support built into most Microsoft server
software, including NT and 2000, as well as client support for VPN services built into XP.
While true private network services connections can cost hundreds of thousands of dollars to
lease, configure, and maintain, a VPN can cost next to nothing.
