Writing Assignment: Module 08 Exercises


Suppose management wants to create a "server farm" for the configuration in Figure 8-14 that allows a proxy firewall in the DMZ to access an internal Web server (rather than a Web server in the DMZ). Do you foresee any technical difficulties in deploying this architecture? What are the advantages and disadvantages of this implementation?

Deploying a "server farm" where a proxy firewall in the DMZ accesses an internal Web server, rather than having the Web server within the DMZ itself, presents several technical challenges and design considerations:

Technical Challenges:

Security Risks: The DMZ is designed to add an additional layer of security by isolating services that need to be accessible from the internet. Placing the Web server inside the trusted network increases the risk of exposing the internal network to threats.

Traffic Bottleneck: All traffic to the Web server will need to be routed through the proxy firewall, which could become a bottleneck if not properly scaled.

Complexity of Configuration: The proxy firewall must be meticulously configured to ensure it can communicate with the internal Web server without exposing the internal network to unnecessary risks.

Performance Impact: The additional hop in traffic routing through the proxy firewall can add latency, which might impact the performance of the Web server.

Network Design: Careful network design is required to ensure that appropriate routing, NAT configurations, and access control lists are in place to support this architecture.

Advantages:

Enhanced Security: A proxy firewall can provide a high level of inspection and control over the content being delivered, potentially improving security.

Centralized Control: Managing a single entry point into the internal network can simplify security policies and monitoring.

Server Protection: The internal Web server is not directly exposed to the internet, which can protect it from direct attacks.

Look at the network devices used in Figure 8-14, and create one or more rules necessary for both the internal and external firewalls to allow a remote user to access an internal machine from the Internet using the Timbuktu software. Your answer requires researching the ports used by this type of data packet and the software.

For Timbuktu versions 5.1 and earlier, you need to allow UDP port 407 for initiating connections. For Timbuktu versions 5.2 and later, TCP port 407 is used instead.

In addition to the initial connection port, the Timbuktu Pro Windows software requires several TCP ports to be forwarded: 1417, 1418, 1419, and 1420. These are used for the following services:

Control (TCP 1417)

Observe (TCP 1418)

Send (TCP 1419)

Exchange (TCP 1420)

Dynamic TCP ports are also used for Chat, Notify, and Intercom features.

Given this information, the following rules should be implemented on both the internal and external firewalls:

Allow inbound and outbound traffic on UDP port 407 for versions 5.1 and earlier of Timbuktu.

Allow inbound and outbound traffic on TCP port 407 for versions 5.2 and later of Timbuktu.

Allow inbound and outbound traffic on TCP ports 1417 through 1420 for the Timbuktu services.

Using the Web, search for "Personal VPN." Examine the various alternatives available and compare their functionality, cost, features, and type of protection. Create a weighted ranking according to your own evaluation of the features and specifications of each software package.

NordVPN (Best security): Known for its robust security features, NordVPN offers a dynamic IP address and a large number of server options. Security: 10, Speed: 9, Price: 8, Features: 9, User-Friendliness: 9.

ExpressVPN (Best for most people): Offers a balance of speed, security, and user-friendly interface. Security: 9, Speed: 9, Price: 7, Features: 8, User-Friendliness: 9.

CyberGhost (Best value): A good number of servers and competitive pricing for long-term plans. Security: 8, Speed: 8, Price: 9, Features: 8, User-Friendliness: 8.

Private Internet Access (Best web browsing features): Large server count and includes ad and malware blockers. Security: 8, Speed: 7, Price: 9, Features: 9, User-Friendliness: 8.

Hotspot Shield (Best for Netflix): Fast speeds and free 1Password subscription but collects some user data. Security: 7, Speed: 10, Price: 7, Features: 7, User-Friendliness: 8.

Surfshark (Best for beginners): Unlimited device connections and beginner-friendly interface but uses static IPs. Security: 7, Speed: 6, Price: 8, Features: 8, User-Friendliness: 10.

IPVanish (Best for unlimited devices): Unlimited simultaneous devices but lacks some advanced features. Security: 7, Speed: 7, Price: 8, Features: 6, User-Friendliness: 7.

PureVPN (Best for BBC iPlayer): Good for streaming UK content and offers a large number of servers. Security: 7, Speed: 7, Price: 8, Features: 7, User-Friendliness: 7.

TunnelBear (Best free ad blocker): Offers a fun and easy-to-use interface with a free ad blocker but limited server locations. Security: 6, Speed: 6, Price: 7, Features: 8, User-Friendliness: 9.

ProtonVPN (Best for torrenting): Specialized in secure torrenting with high-quality security features but more expensive. Security: 9, Speed: 7, Price: 6, Features: 8, User-Friendliness: 7.


Scalability: It is easier to scale the server farm without changing the external-facing architecture since the proxy firewall can manage connections to multiple internal servers.

Disadvantages:

Increased Internal Exposure: If the proxy is compromised, attackers could gain access to the internal network, which is generally considered a high-security zone.

Maintenance Complexity: The added complexity of routing and managing traffic through the proxy can make the network more difficult to manage and troubleshoot.

Single Point of Failure: The proxy firewall becomes a single point of failure for all Web traffic, potentially impacting availability.

Cost: The need for higher-specification hardware for the proxy to handle all traffic can increase costs.

In conclusion, while this architecture can centralize control and potentially increase security for the internal Web server, it also increases complexity and potential exposure of the internal network. It is crucial to perform a detailed risk assessment and to consider the implementation of additional security measures such as intrusion detection/prevention systems, robust firewall rules, and regular security audits to mitigate potential risks associated with this setup.

Using the Internet, determine what applications are commercially available to enable secure remote access to a PC.

TeamViewer: A widely trusted remote control software used by businesses of various sizes. It allows full access to any device from anywhere, making it a versatile tool for remote access and work.

Chrome Remote Desktop: Highlighted as one of the best remote desktop software applications, appreciated for its ease of use and the fact that it is free. It is compatible across different operating systems and offers a straightforward setup.

AnyDesk: Known for being a fast, easy, and secure solution for remote support, access, and work. AnyDesk is recognized for its innovative approach to remote desktop software and has a broad customer base.

Parallels Secure Workspace: Offers built-in multi-factor authentication (MFA) and supports TOTP and HOTP, which are compatible with apps like Microsoft and Google Authenticator. This feature ensures an additional layer of security for remote access to apps, desktops, and files.

Using a Microsoft Windows system, open the Edge browser. Click the Settings and More button in the upper-right corner, or press Alt+F. Select the Settings option. From the menu on the left side of the window, choose "Privacy, search, and services." Examine the contents of the section. How can these options be configured to provide content filtering and protection from unwanted items like trackers?

Tracking Prevention: "Balanced" is recommended as it blocks most trackers across sites without affecting the functionality of most websites. The "Strict" setting provides more robust protection but might interfere with the functioning of some sites.

Services: This section might include options to block potentially unwanted apps or downloads, which can help prevent accidental downloads of harmful software.

Clear Browsing Data: This option allows you to clear cookies, cached data, and history, which can help remove trackers that have already been placed on your computer.

Personalize your web experience: You can turn off personalization if you do not want your browsing data to be used to personalize your web experience.

