- Is administration of the authentication database insourced or outsourced? (Many companies are looking to outsourcing even with the security risks.)
- How many points-of-presence are available on the ISP's network?
- What service levels are available?
- How scalable is the solution?
- Which encryption technology is used? Is the client built into the remote operating system, or must a disk/CD go to each user?
- How are keys managed?
Once the designer obtains answers to these questions, they can use the information to compare and select vendors and applications. For example, key management is a critical issue that may be best handled via outsourcing. However, it also requires trusting another party to control security, a direct security risk that most companies are unwilling to accept. Many companies manage their own keys on a certificate server maintained by the vendor, but this option is not universally available. As a result, the security requirements will need to match the services offered by the vendor, or another vendor will be required.
Summary
This chapter addressed a number of issues related to data security and network design. While the design of the network can certainly augment an overall security policy, the reality is that the network may or may not be an appropriate security device. Network designers need to consider both internal and external threats to the network, in addition to the different access methods that an attack may use: modems, networks, Internet connectivity, VPNs, and other conduits.
Incorporating the security needs of the enterprise into the overall design can certainly benefit the designer by centralizing resources, reducing costs, and maintaining a consistent plan. Designers should also consider the physical requirements of designing a secure network, including locked equipment rooms and fiber connections.
Review Questions
- 1. A firewall is aware of packets beyond which Layer?
- A. 3
- B. 4
- C. 5
- D. 6
- E. 7
- 2. A router acting as a firewall should:
- A. Deny Telnet on all interfaces
- B. Deny Telnet destined for the router itself on all interfaces and employ a directly connected console
- C. Permit Telnet on the external interface only
- D. Permit Telnet on the internal interface only
- 3. Most corporate security issues encompass which of the following three categories?
- A. Corruption, theft, and abuse of data
- B. TCP, UDP, and ICMP
- C. Audit, cracking, and phreaking
- D. Denial of service, SYN-ACK, and IP spoofing
- 4. Which of the following access methods operates with VPN technologies?
- A. ISDN
- B. Frame Relay
- C. Dial-up (POTS)
- D. Cable modems
- E. All of the above
- 5. Which of the following best defines a firewall?
- A. A router with an access list on each interface
- B. A specific device that blocks or permits traffic based on policy at all layers of the OSI model
- C. Any router with an access list
- D. Any access list that uses the established bit
- 6. The PIX firewall requires a minimum of:
- A. One IP address
- B. Two IP addresses
- C. One IP subnet
- D. Two IP subnets
- 7. IP address spoofing is best defined as:
- A. An internal host using the IP address of an external host
- B. An internal proxy
- C. An external host using the IP address of an internal host
- D. Mapping of IPX addresses to IP addresses
- 8. A well-configured firewall should:
- A. Provide TFTP services
- B. Use proxy ARP for security
- C. Deny encrypted passwords
- D. Implement the security policy
- 9. A security plan need not consider host security. True or false?
- A. True
- B. False
- 10. What do L2TP, L2F, and IPSec have in common?
- A. All are authentication protocols.
- B. All are virtual private networking protocols.
- C. All are Cisco proprietary protocols.
- D. They have nothing in common.
- 11. Corporations should:
- A. Hire a dedicated specialist for data security
- B. Outsource all security functions
- C. Incorporate data security into server administration
- D. All of the above
- 12. The PIX firewall is capable of providing NAT functions. True or false?
- A. True
- B. False
- 13. IP access lists can provide:
- A. Filtering through Layer 2
- B. Filtering at Layers 3 and 4
- C. Filtering at Layer 5
- D. Filtering through Layer 7
- 14. Implementation choices are determined by:
- A. Product availability
- B. Product price
- C. Product features
- D. Policy
- 15. Devices found in the DMZ might include:
- A. An anonymous FTP server
- B. A Web server
- C. A DNS server
- D. All of the above
- E. None of the above
- 16. An InterNIC-registered address (rather than an address defined in RFC 1918) is required:
- A. On all interfaces in the network
- B. On all internal interfaces in the network
- C. On all external interfaces in the network
- D. Only when using stateful inspection
- 17. In addition to a honey pot, what other security mechanism provides the best information to the administrator regarding attacks?
- A. Syslog entries
- B. Packet filters
- C. Proxy files
- D. DNS cache entries
- 18. Which service is responsible for maintaining a trail regarding system access?
- A. Authentication
- B. Authorization
- C. Accounting
- D. None of the above
- 19. Which of the following best describes Port Address Translation?
- A. A unique IP address is used for each session traversing the firewall.
- B. A unique IP address and port address is used for each session traversing the firewall.
- C. A non-unique IP address is used for each session traversing the firewall.
- D. A non-unique IP address is used for each session traversing the firewall, but the port address is unique.
- 20. Which of the following statements would most likely be part of a security policy?
- A. Telnet is permitted to the firewall from external hosts.
- B. Telnet is permitted to internal hosts from external hosts.
- C. Telnet is not permitted from the firewall to internal hosts.
- D. Telnet is not permitted from internal hosts to external hosts.
Answers to Review Questions
- 1. B.
- 2. B.
- 3. A.
- 4. E.
- 5. B.
- 6. B.
- 7. C.
- 8. D.
- 9. B.
- 10. B.
- 11. A.
- 12. A.
- 13. B.
- 14. D.
- 15. D.
- 16. C.
- 17. A.
- 18. C.
- 19. D.
- 20. C.