CHAPTER 6

1. Discretionary access control is an approach whereby the organization specifies use of resources based on the assignment of data classification schemes to resources and clearance levels to users. False
2. Task-based controls are associated with the assigned role a user performs in an organization, such as a position or temporary assignment like project manager. False
3. Authentication is the process of validating and verifying an unauthenticated entity's purported identity. True
4. Accountability is the matching of an authenticated entity to a list of information assets and corresponding access levels. False
5. Firewalls can be categorized by processing mode, development era, or structure. True
6. A firewall cannot be deployed as a separate network containing a number of supporting devices. False
7. Packet-filtering firewalls scan network data packets looking for compliance with the rules of the firewall's database or violations of those rules. True
8. The ability of a router to restrict traffic to a specific service is an advanced capability and not considered a standard feature for most routers. False
9. The application layer proxy firewall is capable of functioning both as a firewall and an application layer proxy server. True
10. Using an application firewall means the associated Web server must be exposed to a higher level of risk by placing it in the DMZ. False
11. The DMZ can be a dedicated port on the firewall device linking a single bastion host. True
12. The screened subnet protects the DMZ systems and information from outside threats by providing a network with intermediate security, which means the network is less secure than the general-public networks but more secure than the internal network. False
13. Good policy and practice dictate that each firewall device, whether a filtering router, bastion host, or other firewall implementation, must have its own set of configuration rules. True
14. Syntax errors in firewall policies are usually difficult to identify. False
15. When Web services are offered outside the firewall, HTTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture. True
16. Good firewall rules include denying all data that is not verifiably authentic. True
17. Some firewalls can filter packets by protocol name. True
18. It is important that e-mail traffic reach your e-mail server and only your e-mail server. True
19. A content filter, also known as a reverse firewall, is a network device that allows administrators to restrict access to external content from within a network. True
20. A content filter is essentially a set of scripts or programs that restricts user access to certain networking protocols and Internet locations. True
21. The RADIUS system decentralizes the responsibility for authenticating each user by validating the user's credentials on the NAS server. False
22. Even if Kerberos servers are subjected to denial-of-service attacks, a client can still request additional services. False
23. A VPN, used properly, allows use of the Internet as if it were a private network. True
24. Authentication is a mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system. False
25. The false reject rate describes the number of legitimate users who are denied access because of a failure in the biometric device. True
26. One of the biggest challenges in the use of the trusted computer base (TCB) is the existence of explicit channels. False
27. In static filtering, configuration rules must be manually created, sequenced, and modified within the firewall. True
28. A routing table tracks the state and context of each packet in the conversation by recording which station sent what packet and when. False
29. The primary disadvantage of stateful packet inspection firewalls is the additional processing required to manage and verify packets against the state table. True
30. The static packet filtering firewall can react to an emergent event and update or create rules to deal with that event. False
31. Port Address Translation assigns non-routing local addresses to computer systems in the local area network and uses ISP-assigned addresses to communicate with the Internet on a one-to-one basis. False
32. When a bastion host approach is used, the host contains two NICs, forcing all traffic to go through the device. False
33. Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. True
34. A(n) intranet is a segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public. False
35. When Web services are offered outside the firewall, SMTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture. False
36. Most firewalls use packet header information to determine whether a specific packet should be allowed to pass through or should be dropped. True
37. Best practices in firewall rule set configuration state that the firewall device never allows administrative access directly from the public network. True
38. Kerberos uses asymmetric key encryption to validate an individual user to various network resources. False
39. Secure VPNs use security protocols and encrypt traffic transmitted across unsecured public networks like the Internet. True
40. The popular use for tunnel mode VPNs is the end-to-end transport of encrypted data. False
41. The restrictions most commonly implemented in packet-filtering firewalls are based on __________. All of the above
42. A __________ filtering firewall can react to an emergent event and update or create rules to deal with the event. dynamic
43. __________ inspection firewalls keep track of each network connection between internal and external systems. Stateful
44. The application layer proxy firewall is also known as a(n) __________. application firewall
45. The proxy server is often placed in an unsecured area of the network or is placed in the __________ zone. demilitarized
46. The __________ is an intermediate area between a trusted network and an untrusted network. DMZ
47. __________ firewalls are designed to operate at the media access control sublayer of the data link layer of the OSI network model. MAC layer
48. Because the bastion host stands as a sole defender on the network perimeter, it is commonly referred to as the __________ host. sacrificial
49. The dominant architecture used to secure network access today is the __________ firewall. screened subnet
50. Known as the ping service, ICMP is a(n) __________ and should be __________. common method for hacker reconnaissance, turned off to prevent snooping
51. In most common implementation models, the content filter has two components: __________. rating and filtering
52. Which of the following versions of TACACS is still in use? TACACS+
53. The service within Kerberos that generates and issues session keys is known as __________. KDC
54. Kerberos __________ provides tickets to clients who request services. TGS
55. The primary benefit of a VPN that uses __________ is that an intercepted packet reveals nothing about the true destination system. tunnel mode