Exam 3 Security

When should law enforcement be involved in an IR or DR action? What are the issues associated with law enforcement involvement?

If the incident is determined to be corporate espionage, sabotage, or theft. Issues include: When to inform law enforcement, what level of LE, what will happen to business?

Why do networking components need more examination from an information security perspective than from a systems development perspective?

Networking subsystems are often the focal point of attacks against the system, so they should be considered special cases rather than being combined with general hardware and software components. Additionally, some networking components require examination from an information security perspective because they must be reconfigured from their default settings to serve their required purpose and maintain security requirements. From the systems development perspective, a networking component may function perfectly out of the box. However, without information security oversight, potential vulnerabilities could go unnoticed.

Describe how the various types of firewalls interact with network traffic at various levels of the OSI model.

Packet-filtering firewalls scan network data packets looking for compliance with the rules of the firewall's database or violation of those rules. Filtering firewalls inspect packets at the network layer, or Layer 3, of the OSI model. MAC layer firewalls are designed to operate at the media access control layer (layer 2) of the OSI network mode. Application-level firewalls operate at OSI layers above layer 3, using specific knowledge of various protocols and applications to make more informed decisions about packet forwarding.

What are Pipkin's three categories of incident indicators?

Pipkin's categories are Possible, Probable, and Definite.

What's the difference between an asset's ability to generate revenue and its ability to generate profit?

Revenue is the recognition of income from an activity supported by the system. Profit is the amount of revenue that exceeds operating costs. Some systems may cost more to operate than what they contribute to revenue.

What is a DMZ? Is this really an appropriate name for the technology, considering the function this type of subnet performs?

A DMZ is the network segment that may be engineered between the external access to a network and the internal areas. It is named for the security buffer often found after an armed conflict. In fact it is a poor name, because the DMZ in a network is often home to the most heavily armored systems the organization can prepare.

What is a Next Generation Firewall (NextGen or NGFW)?

A Next-Generation Firewall (NGFW) is a part of the third generation of firewall technology, combining a traditional firewall with other network device filtering functionalities, such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS)

When is the BC plan used? How do you determine when to use the IR, DR, and BC plans?

Business continuity planning (BCP) will be needed if a disaster has rendered the current location of the business unusable for continued operation. BCP outlines the reestablishment of critical business operations during a disaster that affects operations at the primary site. An incident response plan is used as soon as an incident in progress has been identified. An attack is identified as an incident if: 1. It is directed against information assets. 2. It has a realistic chance of success. 3. It could threaten the confidentiality, integrity, or availability of information resources. A disaster recovery plan is used if an incident escalates or is disastrous. The plan typically focuses on restoring systems at the original site after a disaster occurs. A business continuity plan is used concurrently with the disaster recovery plan when the damage is major, creates long-term consequences, or requires more than simple restoration of information and information resources.

According to Sun Tzu, what two key understandings must you achieve to be successful in battle?

Chinese general Sun Tzu Wu stated, "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." In short, know yourself and know the enemy.

What is containment, and why is it part of the planning process?

Containment is the process of determining which systems have been attacked and removing their ability to attack uncompromised systems. It is part of the planning process because containment of an attack could prevent it from escalating into a disaster. Containment is focused on stopping the incident and recovering control of the systems.

What is contingency planning? How is it different from routine management planning? What are the components of contingency planning?

Contingency planning encompasses all planning conducted by the organization to prepare for, react to, and recover from events that threaten its security of information and information assets. It wasn't also includes planning for subsequent restoration to normal modes of business operations. Each part of contingency planning is different in its scope, applicability, and design from routine management planning. Contingency planning is composed of three plans: incident response plans, disaster recovery plans, and business continuity plans

What is a cost-benefit analysis?

Cost-benefit analysis is the formal decision-making process an organization uses to evaluate whether the benefit gained from a given project is worth the expense.

What information attribute is often of great value for local networks that use static addressing?

The IP address is a useful attribute for networking equipment. Note that many organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP to reassign IP numbers to devices as needed, which creates a problem for using IP numbers as part of the asset identification process. As a result, IP address use in inventory is usually limited to devices that use static IP addresses.

What is RADIUS? What advantage does it have over TACACS?

The RADIUS (Remote Authentication Dial-In User Service) system centralizes the management of user authentication by placing the responsibility for authenticating each user in the central RADIUS server.

What is an after-action review? When is it performed? Why is it done?

The after-action review is part of the incident recovery process and is performed by the IR team. It is a detailed examination of the events that occurred, from first detection to final recovery. All key players review their notes and verify that the IR documentation is accurate and precise. This document serves as a training case for future actions.

How is an application layer proxy firewall different from a packet-filtering firewall?

The application layer firewall takes into consideration the nature of the applications that are being run, including the type and timing of the network connection requests as well as the type and nature of the traffic that is generated. The packet-filtering firewall simply looks at the packets as they are transferred. The application firewall is also known as a proxy server because it runs special software that acts as a proxy for a service request.

Describe the transference strategy for controlling risk. Describe how outsourcing can be used for this purpose.

The transfer strategy is the control approach that attempts to shift risk to other assets, other processes, or other organizations. These controls may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers. Outsourcing allows an organization to transfer the risks associated with managing complex systems to another organization that is more experienced in dealing with such risks. A benefit of outsourcing is that the service provider is responsible for disaster recovery when needed.

What is the primary value of a firewall?

To protect something from unwanted network traffic.

What is the relationship between a TCP packet and UDP packet? Will any specific transaction usually involve both types of packets?

UDP packets are connectionless by design. TCP packets usually involve the creation of a connection from one host computer to another. It would be unusual for a single transaction to involve both TCP and UPD ports.

What is competitive disadvantage? Why has it emerged as a factor?

A competitive disadvantage occurs when a company falls behind the competition in its ability to maintain the highly responsive services required in today's marketplaces. Almost all modern organizations have an IT system, so organizations need to improve their own IT systems to avoid losing ground.

What are the elements of a business impact analysis?

Scope, Plan, Balance, Know the objective, Follow Up.

Explain the conceptual approach that should guide the creation of firewall rule sets.

That which is not permitted is prohibited.

Describe the defense strategy for controlling risk. List and describe the three common methods.

The defense control strategy attempts to prevent the exploitation of vulnerabilities. This strategy is the preferred approach to controlling risk. It is accomplished by countering threats, removing vulnerabilities from assets, limiting access to assets, and adding protective safeguards. The defense strategy includes three common methods: • Application of policy • Education and training • Application of technology

What special function does a cache server perform? Why is this useful for larger organizations?

These types of servers can store the most recently accessed Web pages in their internal cache memory, and thus can provide content for heavily accessed pages without the level of traffic required when pages are not cached. Larger organizations often find that just a few Web sites account for a large quantity of their traffic and that they can lower total network traffic measurably by using a cache server.

What is a sacrificial host? What is a bastion host?

They are synonyms. Because the bastion host stands as a sole defender on the network perimeter, it is also commonly referred to as the sacrificial host. To its advantage, this configuration requires the external attack to compromise two separate systems before it can access internal data.

How can a security framework assist in the design and implementation of a security infrastructure? What is information security governance? Who in the organization should plan for it?

A security framework provides a better view of the security strategies. It gives a clear idea about implementing security in an organization. Using various frameworks, the suitable strategies can be extracted and implemented. The framework provides a road map for the changes to be made. So using a framework, the tasks to be performed and changes required can be assessed. It makes the security plan easy. Information security governance is the process of handling various security measures. It involves safeguarding the information and providing security to information by applying various policies and procedures. It includes ensuring the security. The respective tasks must be monitored and should ensure security. The top management involving executives or managers of the organization must plan for information security governance. They must ensure that the task are being implemented and accomplished properly.

What Web resources can aid an organization in developing best practices as part of a security framework?

A U.S. government Web site, fasp.nist.gov, offers security frameworks and best practices. • The Internet Security Task Force site (www.ca.com/ISTF) offers a collection of parties interested in Internet security. • The Computer Emergency Response Team site (www.cert.org) offers a series of modules with links and practices of security methodologies. • The Technology Manager's Forum site (www.techforum.com) • The Information Security Forum site (www.isfsecuritystandard.com) • The Information Systems Audit and Control Association site (www.isaca.com) • The Professional Security Consultants site (www.iapsc.org) • The Global Grid Forum site (www.gridforum.org)

What is a content filter? Where is it placed in the network to gain the best result for the organization?

A content filter is a software filter—technically not a firewall—that allows administrators to restrict access to content from within a network. A content filter is essentially a set of scripts or programs that restricts user access to certain networking protocols and Internet locations, or that restricts users from receiving general types or specific examples of Internet content. Some people refer to content filters as reverse firewalls, as their primary focus is to restrict internal access to external material. For best results, the content filter should be placed on the primary connection used to access the Internet.

When is the DR plan used?

A disaster recovery plan addresses preparations for and recovery from a disaster, whether natural or man-made. The plan is used before a disaster in preparation for its occurrence, and then afterward to rebuild and recover the organization's functionality.

What are the issues associated with adopting a formal framework or model?

A framework must be customized to fit the individual enterprise's needs.

List and describe the six site and data contingency strategies identified in the text.

A hot site is a fully configured computer facility with all services, communications links, and physical plant operations, including heating and air conditioning. Hot sites duplicate computing resources, peripherals, phone systems, applications, and workstations. A hot site is the pinnacle of contingency planning; it is a duplicate facility that needs only the latest data backups and personnel to become a fully operational twin of the original. A hot site can be operational in a matter of minutes, and in some cases it may be built to perform a fail-over seamlessly by picking up the processing load from a failing site. The hot site is therefore the most expensive alternative available. A warm site provides many of the same services and options as a hot site. However, it typically does not include the actual applications the company needs, or the applications may not yet be installed and configured. A warm site frequently includes computing equipment and peripherals with servers, but not client workstations. A warm site has many of the advantages of a hot site, but at a lower cost. The downside is that a warm site requires hours, if not days, to become fully functional. A cold site provides only rudimentary services and facilities. No computer hardware or peripherals are provided. All communications services must be installed after the site is occupied. Basically, a cold site is an empty room with heating, air conditioning, and electricity. Everything else is an option. Although the obvious disadvantages may preclude its selection, a cold site is better than nothing. The main advantage of cold sites over hot and warm sites is the cost. A time-share is a hot, warm, or cold site that is leased in conjunction with a business partner or sister organization. The time-share allows the organization to maintain a disaster recovery and business continuity option at a reduced overall cost. The time-share has the same advantages as the type of site selected (hot, warm, or cold). The primary disadvantage is the possibility that more than one organization involved in the time-share may need the facility simultaneously. Other disadvantages include the need to stock the facility with equipment and data from all organizations involved, the negotiations for arranging the time-share, and additional agreements if one or more parties decide to cancel the agreement or sublease its options. A service bureau is an agency that provides a service for a fee. In the case of disaster recovery and continuity planning, the service is the agreement to provide physical facilities during and after a disaster. These types of agencies also frequently provide off-site data storage for a fee. Contracts can be carefully created with service bureaus to specify exactly what the organization needs without having to reserve dedicated facilities. A service agreement usually guarantees space when needed, even if the service bureau has to acquire additional space in the event of a widespread disaster. A mutual agreement is a contract between two or more organizations that specifies how each will assist the other in the event of a disaster. It stipulates that each organization is obligated to provide necessary facilities, resources, and services until the receiving organization can recover from the disaster. The problem with this approach is that many organizations balk at the idea of having to fund duplicate services and resources for other parties, even in the short term. Still, mutual agreements between divisions of the same parent company, between subordinate and superior organizations, or between business partners can be a cost-effective solution.

What is a hybrid firewall?

A hybrid is a firewall that combines features and functions from other types of firewalls. In practice, most firewalls are hybrids because most use multiple approaches within the same device.

What are the differences between a policy, a standard, and a practice? What are the three types of security policies? Where would each be used? What type of policy would be needed to guide use of the Web? E-mail? Office equipment for personal use?

A policy is a plan or course of action intended to influence and determine decisions, actions, and other matters. Policies function like laws within an organization because they dictate acceptable and unacceptable behavior within the context of the organization's culture. A standard has the same requirement for compliance as a policy, but a standard provides more detail for what must be done to comply with policy. The level of acceptance for standards may be informal, as for de facto standards, or formal (as for de jure standards). Practices, procedures, and guidelines effectively explain how to comply with policy. Policies provide instructions for the proper use of technologies. Three criteria for shaping sound policies are to ensure they: • Never conflict with law. • Stand up in court, if challenged. • Are properly administered through dissemination and documented acceptance. For these reasons, it is important for policy to be adequately detailed to ensure proper implementation. Policy that is not well defined can cause significant liability if the company must defend its policy in a court of law. Unless a particular use is clearly prohibited, the organization cannot penalize an employee for misuse. Policy has the ultimate responsibility for managing technology. System administrators and users are responsible for enforcing policy. Based on NIST Special Publication 800-14, there are three types of information security policies. First are general or security program policies (SPPs), which are usually drafted by the chief information officer of the organization. SPPs are used to directly support the mission, vision, and direction of the organization and set the strategic direction, scope, and tone for its security efforts. Second are issue-specific security policies (ISSPs), which formally instruct employees how to properly use the organization's technologies, including the Internet, e-mail, and photocopy equipment. The ISSP requires frequent updates and must contain a statement for the organization's position on a specific issue. Third are system-specific security policies (SysSPs). They are not formal documents, but are usually codified as standards and procedures used when configuring or maintaining systems. The SysSPs fall into two groups: access control lists and configuration rules. When office equipment is for personal use, an ISSP is needed to guide use of the Web, e-mail, and office equipment. Policy - Written instructions that describe proper behavior. Standard - Detailed statement of what must be done to comply with policy. Practice - Examples of actions that would comply with policy. The 3 types of Sec. Policy are: Enterprise Information Sec. Policy (EISP) Issue Specific Sec. Policy (ISSP) System Specific Sec. Policy (SysSP)

What benefit can a private, for-profit agency derive from best practices designed for federal agencies?

A private organization can take advantage of best practices designed for federal agencies by adapting many of the same methodologies and practices into its own organization. These best practices can help an organization piece together the desired outcome of the security process and then work backward to an effective design BE advised on widely accepted standards, practices, and policies. Modify them to suit individual needs.

What is the ISO 27000 series of standards? Which individual standards make up the series?

A roadmap of planned standards related to information security issues and topics.

What is Port Address Translation (PAT) and how does it work?

A variation of NAT A technology in which multiple real, routable external ip address are converted to special ranges of internal IP addresses, usually on a one to MANY basis; adding a unique port number to the address when traffic leaves the private network and is placed on the public network. Assigns a unique port number to each external IP address and maps the address + port combination to the internal IP address

What is a VPN? Why is it becoming more widely used?

A virtual private network (VPN) is a private and secure network connection between systems that uses the data communication capability of an unsecured and public network. VPNs are popular because they are simple to set up and maintain, and they usually require only that the tunneling points be dual-homed—that is, connecting a private network to the Internet or to another outside connection point. VPN support is built into most Microsoft server software, including NT and 2000, and client support for VPN services is built into XP. While connections for true private network services can cost hundreds of thousands of dollars to lease, configure, and maintain, a VPN can cost next to nothing.

What value does an automated asset inventory system have during risk identification?

Automated tools can sometimes identify the system elements that make up hardware, software, and network components. The inventory listing is usually available in a database, or it can be exported to a database for custom information about security assets. Once stored, the inventory listing must be kept current, often by means of a tool that periodically refreshes the data. When you move to the later steps of risk management, which involve calculations of loss and projections of costs, the case for using automated risk management tools to track information assets becomes stronger.

In risk management strategies, why must periodic review be part of the process?

Frequently, organizations implement control mechanisms but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they remain effective.

Where can a security administrator find information on established security frameworks?

ISO/IEC 27002

Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?

In an organization, each community of interest is responsible for managing the risks that the organization encounters. Because the members of the information security community best understand the threats and attacks that introduce risk into the organization, they often take a leadership role in addressing risk.

How do screened host architectures for firewalls differ from screened subnet firewall architectures? Which offers more security for the information assets that remain on the trusted network?

In fact, they operate in much the same way. The specialized design of the screened subnet is perceived to offer more security for the trusted network.

When is the IR plan used?

Incident response planning (IRP) covers the identification, classification, response to, and recovery from an incident. The plan should be used when an incident in progress is first detected by an organization. IRP is more reactive than proactive, except for the planning that must occur to prepare IR teams to be ready to react to an incident.

When devising a classification scheme for systems components, is it more important that the asset identification list be comprehensive or mutually exclusive?

It is more important that the list be comprehensive than mutually exclusive. A component assessed in an incorrect category is much less of a problem than having it go completely unrecognized during a risk assessment.

Briefly describe management, operational, and technical controls, and explain when each would be applied as part of a security framework.

Management controls cover security processes that are designed by strategic planners and implemented by an organization's security administration. These designs include setting the direction and scope of the security processes and provide detailed instruction for their conduct. Operational controls deal with the functionality of security in the organization, including disaster recovery and incident response planning. Technical controls address tactical and technical issues related to designing and implementing security in the organization, as well as issues related to examining and selecting appropriate technologies for protecting information.

What is risk appetite? Explain why it varies among organizations.

Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. Risk appetite varies among organizations because they maintain different balances between the expense of controlling vulnerabilities and the possible losses if the vulnerabilities are exploited. The key for each organization is to find the proper balance in its decision-making and its feasibility analyses, which ensures that its risk appetite is based on experience and facts instead of ignorance or wishful thinking.

What is risk management? Why is the identification of risks and vulnerabilities to assets so important in risk management?

Risk management is the process of identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components in those systems. Assets are defined in this context as information and the systems that use, store, and transmit information. To protect assets, you must understand what they are, how they add value to the organization, and the vulnerabilities to which they are susceptible. Once you know what you have, you can identify what you are already doing to protect it. Just because you have a control in place to protect an asset does not necessarily mean it is protected. Frequently, organizations implement control mechanisms but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they remain effective.

Who is ultimately responsible for managing a technology? Who is responsible for enforcing policy that affects the use of a technology?

Senior management has the ultimate responsibility, although everyone in a supervisory position is somewhat responsible.

What is single loss expectancy? What is annualized loss expectancy?

Single loss expectancy (SLE) is the calculated value associated with a sole occurrence of the most likely loss from an attack. Annualized loss expectancy (ALE) is the calculated value associated with the most likely annual loss from an attack. ALE is often expressed as the SLE multiplied by the number of expected occurrences per year.

What is stateful inspection? How is state information maintained during a network connection or transaction?

Stateful inspection firewalls, also called stateful firewalls, keep track of each network connection between internal and external systems using a state table. A state table tracks the state and context of each packet in the conversation by recording which station sent what packet and when. Like first-generation firewalls, stateful inspection firewalls perform packet filtering, but they take it a step further. Whereas simple packet-filtering firewalls only allow or deny certain packets based on their address, a stateful firewall can block incoming packets that are not responses to internal requests. If the stateful firewall receives an incoming packet that it cannot match in its state table, it defaults to its ACL to determine whether to allow the packet to pass. The primary disadvantage of this type of firewall is the additional processing required to manage and verify packets against the state table, which can leave the system vulnerable to a DoS or DDoS attack. State information is preserved using a state table that looks similar to a firewall rule set, but it has additional information. The state table contains the familiar columns for source IP, source port, destination IP, and destination port, but it adds information for the protocol used (UDP or TCP), total time in seconds, and time remaining in seconds.

How is static filtering different from dynamic filtering of packets? Which is perceived to offer improved security?

Static filtering requires that the firewall's packet filtering rules are developed and installed with the firewall. This type of filtering is common in network routers and gateways. Dynamic filtering allows the firewall to react to an emergent event and update or create rules to deal with it. This reaction could be positive, as in allowing an internal user to engage in a specific activity upon request, or it could be negative, as in dropping all packets from a particular address when the system detects an increased presence of a particular type of malformed packet. While static-filtering firewalls allow entire sets of one type of packet to enter in response to authorized requests, the dynamic packet-filtering firewall allows only a particular packet with a particular source, destination, and port address to enter.

How is an incident response plan different from a disaster recovery plan?

The disaster recovery plan focuses on preparations completed before a disaster or escalated incident and actions taken afterward to reestablish operations at the primary site. The incident response plan focuses on intelligence gathering, information analysis, coordinated decision making, and urgent, concrete actions taken while an incident is occurring.

Describe the mitigation strategy for controlling risk. What three planning approaches are discussed in the text as opportunities to mitigate risk?

The mitigation strategy is the control approach that attempts to reduce the impact of exploited vulnerabilities through planning and preparation. Mitigation begins with the early detection of an attack in progress and the organization's ability to respond quickly, efficiently, and effectively. This approach requires the creation of three types of plans: the incident response plan, the disaster recovery plan, and the business continuity plan. Each depends on the ability to detect and respond to an attack as quickly as possible and relies on the existence and quality of the other plans. The incident response plan (IRP) defines the actions an organization can take while an incident is in progress. The IRP focuses on intelligence gathering, information analysis, coordinated decision making, and urgent, concrete actions. The disaster recovery plan (DRP) includes the entire spectrum of activities used to prepare for an incident and recover from it. The DRP focuses on preparations completed before an incident and actions taken afterward. The business continuity plan (BCP) encompasses the continuation of business activities if a catastrophic event occurs. The BCP includes planning the steps necessary to ensure continuation when the scope or scale of a disaster exceeds the ability of the DRP to restore operations.

What is the typical relationship among the untrusted network, the firewall, and the trusted network?

The untrusted network is usually the Internet or another segment of a public access network, while the trusted network is typically a privately owned network. The firewall serves as a mechanism to filter traffic from the untrusted network into the trusted network to foster assurance that the traffic is legitimate.

Describe Unified Threat Management. Why might it be a better approach than singlepoint solutions that perform the same functions? How does UTM differ from Next Generation Firewalls?

Unified Threat Management (UTM) is a security approach that seeks a comprehensive solution for identifying and responding to network-based threats from a variety of sources. UTM brings together firewall and IDPS technology with antimalware, load balancing, content filtering, and data loss prevention. UTM integrates these tools with management, control, and reporting. A UTM approach may offer lower acquisition and operating costs and less complex administration. However, it may also expose the organization to risks from having a single point of failure across multiple control mechanisms.

What are vulnerabilities? How do you identify them?

Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset. They are chinks in the armor—a flaw or weakness in an information asset, security procedure, design, or control that could be exploited accidentally or on purpose to breach security. Analyze all components of an information system and evaluate the risk to each component to identify any vulnerabilities.

What is residual risk?

When vulnerabilities have been controlled as much as possible, any remaining risk that has not been removed, shifted, or planned for is called residual risk.

What documents are available from the NIST Computer Security Resource Center, and how can they support the development of a security framework?

• SP 800-12: An Introduction to Computer Security: The NIST Handbook • SP 800-14: Generally Accepted Security Principles and Practices for Securing Information Technology Systems • SP 800-18 Rev. 1: Guide for Developing Security Plans for Federal Information Systems • SP 800-26: Security Self-Assessment Guide for Information Technology Systems • SP 800-30: Risk Management Guide for Information Technology Systems

What five strategies for controlling risk are described in this chapter?

• The defense control strategy attempts to prevent the exploitation of vulnerabilities. • The transfer control strategy attempts to shift risk to other assets, other processes, or other organizations. • The mitigation control strategy attempts to reduce the impact of exploited vulnerabilities through planning and preparation. • The acceptance control strategy is the choice to do nothing to protect against a vulnerability and accept the outcome of its exploitation. • The termination control strategy directs the organization to avoid business activities that introduce uncontrollable risks.

What questions must be addressed when selecting a firewall for a specific organization?

• What type of firewall technology offers the right balance between protection and cost for the organization's needs? • What features are included in the base price? What features are available at extra cost? Are all cost factors known? • How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall? • Can the candidate firewall adapt to the growing network in the target organization?