ch.10 Firewall Design and Management
A _______________ router determines whether to allow or deny packets based on their source and destination IP addresses.
Screening
a router placed between an untrusted network and an internal network
Screening Router
software that forwards packets to and from the network being protected and caches Web pages to speed up network performance
Proxy Server
A DMZ is a subnet of _____________ accessible servers placed outside the internal network.
Publicly
a process that uses the source and destination TCP and UDP port addresses to map traffic between internal and external hosts
Many-to-one NAT
Which of the following is true about a screening router?
it should be combined with a firewall for better security
Which of the following is best described as software that prioritizes and schedules requests and then distributes them to servers based on each server's current load and processing power?
load-balancing software
software that prioritizes and schedules requests and then distributes them to servers in a server cluster based on each server's current load and processing power
load-balancing software
Which of the following is a disadvantage of using a proxy server?
may require client configuration
Which type of NAT is typically used on devices in the DMZ?
one-to-one NAT
the process of mapping one internal IP address to one external IP address
one-to-one NAT
Where should network management systems generally be placed?
out of band
Which type of translation should you use if you need 50 computers in the corporate network to be able to access the Internet using a single public IP address?
port address translation
Which network device works at the Application layer by reconstructing packets and forwarding them to Web servers?
proxy server
Which type of security device can speed up Web page retrieval and shield hosts on the internal network?
proxy server
What is a step you can take to harden a bastion host?
remove unnecessary services
What should you consider installing if you want to inspect packets as they leave the network?
reverse firewall
Which type of firewall configuration protects public servers by isolating them from the internal network?
reverse firewall
a device that filters outgoing connections
reverse firewall
a host in which one interface is connected to an internal network and the other interface is connected to a router to an untrusted network
screened host
Which of the following is true about a dual-homed host?
serves as a single point of entry to the network
What do you call a firewall that is connected to the Internet, the internal network, and the DMZ?
three-pronged firewall
a firewall with separate interfaces connected to an untrusted network, a semitrusted network, and a trusted network
three-pronged firewall
A dual-homed host has a single NIC with two MAC addresses.
False
Proxy servers take action based only on IP header information.
False
Reverse firewalls allow all incoming traffic except what the ACLs are configured to deny.
False
The TCP normalization feature forwards abnormal packets to an administrator for further inspection.
False
A primary goal of proxy servers is to provide security at the _______________ layer.
Filter
In what type of attack are zombies usually put to use?
DDoS
You can ______________ a bastion host by removing unnecessary accounts and services.
Harden
In a screened ____________ setup, a router is added between the host and the Internet to carry out IP packet filtering.
Host
a group of servers connected in a subnet that work together to receive requests
Server Farm
A screened host has a router as part of the configuration.
True
Which of the following best describes a bastion host?
a computer on the perimeter network that is highly protected
Which of the following best describes a DMZ?
a subnet of publicly accessible servers placed outside the internal network
a computer configured with more than one network interface
dual-homed host
What is a critical step you should take on the OS you choose for a bastion host?
ensure all security patches are installed
What is the term used for a computer placed on the network perimeter that is meant to attract attackers?
honeypot
Why is a bastion host the system most likely to be attacked?
it is available to external users
Which of the following is true about private IP addresses?
they are not routable on the Internet