Chap04 review
14. Oct 2012•0 gefällt mir•997 views
Melden
Más contenido relacionado
Was ist angesagt?
How to use packet sniffersDeepika Padmanabhan
Monitoramento transmissao hacje2014 03-07 00-50-27-_8.1Suemi Iarussi
Ip Spoofingarpit.arp
12 tcp-dnsCulverton Blessy
IpspoofingAkhil Kumar
AN ACTIVE HOST-BASED INTRUSION DETECTION SYSTEM FOR ARP-RELATED ATTACKS AND I...IJNSA Journal
Similar a Chap04 review
3.7.10 Lab Use Wireshark to View Network TrafficRio Ap
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpOlli-Pekka Niemi
![Chapter_Five[1].ppt](https://cdn.slidesharecdn.com/ss_thumbnails/chapterfive1-230626115846-43722011-thumbnail.jpg?width=384&height=256&fit=bounds)
Chapter_Five[1].pptBachaSirata
ICMPV4rajshreemuthiah
Raphel 1 . A covert channel is a communication channel that vio.docxcatheryncouper
Firewalls (6)Bhargu Bhargavi
![Chapter_Five[1].ppt](https://cdn.slidesharecdn.com/ss_thumbnails/chapterfive1-230626115846-43722011-thumbnail.jpg?width=2048&height=1162&fit=bounds)
Chap04 review
- 1. Guide to Firewalls and Network Security Chapter 4 Solutions Review Questions 1. True or false: Application proxies do packet filtering, not just routers. Answer: True 2. What’s the primary difference between the way routers treat packets and the way application proxies handle packets? Answer: C 3. How do content-based filtering programs decide whether or not to allow packets into the protected network? Answer: D 4. Which of the following parts of a packet header can potentially be used to attack a network? Answer: D 5. What tells a firewall how to reassemble a data stream that has been divided into packets? Answer: B 6. Why is it important to be familiar with the fields in an IP packet header? Answer: Packet filtering works by examining the header fields. Knowing which fields can be filled by a hacker with false information can help you set up packet filtering rules to block unauthorized traffic. 7. What does stateful packet filtering do that stateless packet filtering does not do? Answer: It examines the state of communications between source and destination computers and only allows traffic to flow through the filter if a connection has successfully been established. 8. Which of the following is a function of an IP packet footer? (Choose all that apply.) Answer: A, C 9. While it’s true that stateless packet filters aren’t as sophisticated as stateful ones, they are useful in a particular situation. What is it? Answer: C 10. Which of the following is information that a hacker can insert into a TCP header and that can fool a stateless packet filter? Answer: B. The other three are all parts of an IP header. 11. What is the most effective security approach for a stateless packet filter? Answer: A 12. Why isn’t it practical to filter by the protocol ID field in an IP header? Answer: C. B is incorrect because you could block all UDP traffic on a server that does not use UDP, for instance. 13. How can ICMP packets be misused by a hacker to gain access to internal network resources? What weakness of ICMP packets enables such attacks? Answer: ICMP does not provide for authentication to verify the destination address, which enables a hacker to insert a false destination IP in the header. If a hacker sends a flood of ICMP Echo requests to a host that does not exist, some hosts may crash. If the host is one that performs important services Guide to Firewalls and Network Security Chapter 4 Solutions
- 2. such as DNS, the hacker can gain access to internal hosts and redirect them to his own computer, where he can then attempt to gather private information such as passwords. 14. How would you configure a firewall/packet filter to prevent ICMP attacks? Answer: Drop all ICMP Echo requests from external hosts. In addition, drop all ICMP Redirect requests from external hosts. 15. Which fragment numbers could be security risks because a packet filter might let them through? Answer: B 16. What kinds of packets can cause problems for even a stateful packet filter? Answer: B 17. State three legitimate reasons why internal clients need to be able to receive inbound ICMP packets from hosts on the Internet. Possible answers: 1. They need to be able to ping external hosts and then receive a response in order to check connectivity; 2. They need to know if a host is unavailable 3. They need to know if the network is saturated 4. They need to know if a destination is unreachable 18. Where should a packet be directed when it doesn’t match any host in the interior LAN? Answer: C 19. Which two ICMP messages are directly involved in blocking hack attempts? (Choose all that apply.) Answers: A, D 20. What is the difference between active and passive FTP that makes stateful packet filtering a good choice? Answer: Passive FTP uses a port that is determined on the fly, while active FTP uses two ports, one for data and one for control. 21. What is the purpose of blocking all ICMP packets after specifying a group of ICMP rules? It provides extra security for a firewall that has a “Deny-All” approach to filtering—all ICMP packets not specifically covered in the rules will be dropped. Hands-on Projects Project 1 “Any application” appears in the application column. Choosing TCP or UDP in the Protocol drop-down list lets you choose an application for this rule. Project 2 N/A Project 3 The author received four alert messages about UDP packets attempting to access port 67. Project 4 Binary data about the packet is listed at the bottom of the detailed information about the attempted connection. Project 5 Guide to Firewalls and Network Security Chapter 4 Solutions
- 3. N/A Project 6 The exact IP address will vary by network. The default gateway’s address also appears in the Gateway column in the routing list. Case Projects Case Project 1 The request has probably timed out because the site has set up a packet filtering rule blocking echo requests (Pings) from external clients like yourself—one of the ICMP rules that this chapter suggested you set up. You would add a rule prohibiting any outbound HTTP traffic to the destination IP 197.34.5.56 on port 80. Case Project 2 You can two one of two things (or both). First, you can add your computer to the firewall’s list of “trusted” machines. The exact method varies depending on the firewall program you are using. (See Hands-On Project 4-4). Alternatively, you could simply set up a rule enabling TCP, UDP, and ICMP communication between the two machines on all ports. Case Project 3 You have several options. You could set up a rule that blocks all connection attempts from this particular host, but as stated in the chapter, this is unreliable because the hacker will simply move to a new host (or insert a new false source IP address in packet headers). A better option is to block all ICMP packets from external hosts. You should, additionally, block all ICMP Redirect packets in case any have already managed to get through your firewall. Case Project 4 First, you could attempt to filter out recurring messages—unsolicited messages that are sent to recipients regularly the same host or sender. You would need to review your mail server’s logs or review individual e- mail inboxes to determine the IP address from which the message originated. You could then set up rules that would block packets from those IP addresses specifically. This would block only a small proportion of spam e-mail messages, however. A second, more effective strategy would be to install a special e-mail filtering program called MailMarshal which can be configured to filter messages based on content rather than IP address. Guide to Firewalls and Network Security Chapter 4 Solutions