Networking Chapter 4

20 Terms

1. Why is centralized firewall architecture critical?

A) Complete elimination of endpoint security needs
B) Consolidated traffic inspection and policy enforcement
C) Reduction in overall network bandwidth
D) Replacement of all authentication systems

ANS: B) Consolidated traffic inspection and policy enforcement
Explanation:
The chapter emphasizes (pg 132) that centralized firewalls serve as strategic control points that:

  • Filter all inbound/outbound traffic ("packets of digital information")

  • Enable uniform security policy application across network segments

  • Provide comprehensive logging for incident investigation

  • Reduce attack surface by funneling traffic through inspection chokepoints
    This aligns with the defense-in-depth approach while working alongside other security layers (making A and D incorrect)

2. What are the two foundational firewall capabilities?

A) Data loss prevention and encryption
B) Intrusion detection and antivirus
C) Packet filtering and application proxying
D) User behavior analytics and training

ANS: C) Packet filtering and application proxying
Explanation:
The text specifies (pg 132) these core functions:

  1. Packet Filtering:

    • Examines Layer 3/4 headers (IPs, ports, protocols)

    • Uses allow/deny rules based on network-layer information

    • Can be stateless or stateful

  2. Application Proxying:

    • Analyzes Layer 7 content ("application layer gateways")

    • Understands application protocols (HTTP, FTP, etc.)

    • Provides deeper inspection than packet filtering alone
      These remain essential even in next-gen firewalls with added features.

3. Which advanced functionality might NGFWs include?

A) Automatic password rotation
B) Cloud access security brokering
C) Integrated SSL/TLS decryption
D) Physical access control

ANS: C) Integrated SSL/TLS decryption
Explanation:
Modern firewalls have evolved to include (pg 132):

  • Encrypted traffic inspection: the firewall terminates the TLS session, inspects the cleartext, and re-encrypts it toward the destination (the chapter notes that "Some firewalls can encrypt traffic")

  • Threat intelligence integration: Real-time feeds of known malicious IPs/Domains

  • Sandboxing: Detonate suspicious files in isolated environments

  • User/Device identity integration: AD/LDAP synchronization
    These capabilities address modern threats like encrypted malware C2 channels.

4. What technology characterized first-generation firewalls?

A) Behavioral anomaly detection
B) Deep packet inspection
C) Packet header filtering
D) Signature-less detection

ANS: C) Packet header filtering
Explanation:
The chapter's historical perspective notes (pg 132):

  • Earliest firewalls were simple packet filters

  • Only inspected basic network layer information:

    • Source/destination IPs

    • Port numbers

    • Protocol types (TCP/UDP/ICMP)

  • Lacked awareness of:

    • Application content

    • Connection state

    • User identity

5. Which component is essential in enterprise firewalls?

A) Email spam filtering
B) NAT/PAT translation engines
C) Screen recording tools
D) Website development kits

ANS: B) NAT/PAT translation engines
Explanation:
Critical firewall components (pg 132) include:

  • NAT (Network Address Translation):

    • Masks internal IP addresses ("invisible to outside computers")

    • Conserves public IPv4 space

  • PAT (Port Address Translation):

    • Allows multiple internal hosts to share one public IP

    • Tracks sessions by port numbers
      These provide both security and operational benefits for network architecture
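
The NAT/PAT behaviour described above can be modelled in a few dozen lines. The following Python class is an added example, not code from the chapter or the card set: it implements many-to-one PAT (often called masquerading), allocating one public port per outbound flow, mapping replies back to the inside host, and dropping any inbound packet that matches no remembered flow or arrives from a peer the inside host never contacted. The addresses (198.51.100.1 as the single public IP, 10.0.0.x inside, 192.0.2.x outside) are documentation ranges chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class PatGateway:
    """Port Address Translation (many-to-one NAT).

    Every outbound flow from an inside host is rewritten to <public_ip>:<allocated port>
    and remembered so the reply can be mapped back. An inbound packet that matches no
    remembered flow is dropped, which is why inside hosts are invisible to outside
    computers: they are only ever reachable as a reply to something they started.
    """

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, inside ip, inside port, remote ip, remote port) -> public port
        self.outbound: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public port) -> (inside ip, inside port, remote ip, remote port)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside->outside packet, allocating a port once per flow."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.outbound.get(key)
        if port is None:
            port = self._allocate_port(pkt.proto)
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst, pkt.dport)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the inside host; None means the packet is dropped."""
        if pkt.dst != self.public_ip:
            return None
        mapping = self.inbound.get((pkt.proto, pkt.dport))
        if mapping is None:
            return None                                  # nobody inside asked for this
        inside_ip, inside_port, remote_ip, remote_port = mapping
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None                                  # right port, wrong peer
        return Packet(pkt.proto, pkt.src, pkt.sport, inside_ip, inside_port)

    def _allocate_port(self, proto: str) -> int:
        """Pick the next free public port for this protocol, wrapping within 1024-65535."""
        for _ in range(65535 - 1024 + 1):
            port = self.next_port
            self.next_port = port + 1 if port < 65535 else 1024
            if (proto, port) not in self.inbound:        # TCP and UDP have separate port spaces
                return port
        raise RuntimeError("translation table exhausted for " + proto)
```

Two inside hosts using the same source port 40000 leave the gateway as 198.51.100.1:1024 and 198.51.100.1:1025, which is the port-tracking the card describes; the second check in translate_inbound is what distinguishes a PAT that only conserves addresses from one that also refuses unsolicited traffic.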

6. Why can't basic packet filtering stop modern threats?

A) It blocks all cloud application traffic
B) It fails to inspect encrypted payloads
C) It increases latency excessively
D) It requires specialized hardware

ANS: B) It fails to inspect encrypted payloads
Explanation:
Key limitations of pure packet filtering (pg 132):

  • Blind to payload content, cleartext or encrypted: can't detect malware in an HTTP body and can't see inside a TLS session at all

  • No protocol validation: Won't catch protocol anomalies/exploits

  • Limited against evasion: IP fragmentation, tunneling, etc.

  • No user awareness: Only sees IPs, not who's using them
    This necessitates deeper inspection methods like those in stateful firewalls and proxies.

7. When would packet filtering be preferred over proxies?

A) High-volume DDoS mitigation
B) Medical record transfers
C) PCI-compliant transactions
D) Zero-day threat prevention

ANS: A) High-volume DDoS mitigation
Explanation:
Performance vs. security tradeoffs (pg 132):

  • Packet Filters:

    • Throughput: 10-100Gbps+

    • Latency: <100μs

    • Best for: Volumetric attacks, backbone filtering

  • Proxies:

    • Throughput: 1-10Gbps

    • Latency: 1-10ms

    • Best for: Application-layer protection
      This balance informs deployment decisions based on network requirements.

8. What's the default TCP port for unencrypted web traffic?

A) 21 (FTP)
B) 25 (SMTP)
C) 80 (HTTP)
D) 443 (HTTPS)

ANS: C) 80 (HTTP)
Explanation:
Essential port knowledge for:

  • Firewall rule creation: Allow web traffic while blocking risks

  • Service identification: During incident response

  • Network segmentation: Isolate web servers
    The chapter references these concepts in architecture discussion

9. What TCP capability is crucial for stateful firewalls?

A) Broadcast delivery
B) Connection establishment
C) Header compression
D) Multicast support

ANS: B) Connection establishment
Explanation:
TCP's features enable (pg 132):

  • 3-way handshake: SYN/SYN-ACK/ACK sequence

  • State tracking: Sequence and acknowledgement numbers show where each side is in the stream

  • Session integrity: An off-path attacker who cannot observe those numbers cannot easily inject into or hijack the session
    These allow stateful firewalls to:

  • Build connection tables

  • Validate packet sequences

  • Detect abnormal termination
    UDP has no handshake, so a firewall can only approximate a UDP "connection" with a timeout-based entry (see card 14)

10. Proper firewall configuration for a DMZ web server?

A) Allow all ports from any source
B) Block all inbound IPv6 traffic
C) Open only TCP 80/443 from external
D) Permit UDP 53 from internal only

ANS: C) Open only TCP 80/443 from external
Explanation:
Security best practices require:

  • Least privilege: Only necessary services

  • Segregation: DMZ vs internal zones

  • Default-deny: Block all then allow specific
    As demonstrated in the "screened subnet" architecture (pg 132)

11. How is a firewall configured to allow Web access to a Web server?

A) By opening TCP port 80 and enabling inbound traffic to the server
B) By disabling all inbound traffic except UDP port 53
C) By blocking all HTTP requests and only allowing HTTPS
D) By restricting access to only internal IP addresses

Correct Answer: A
Explanation:

  • Web traffic uses TCP port 80 (HTTP) or 443 (HTTPS) by default.

  • To allow external access, the firewall must permit inbound traffic to the server on these ports (Chapter 4).

  • Distractors:

    • B (UDP 53 is for DNS, not web traffic)

    • C (blocks port 80 entirely; an HTTPS-only policy is a hardening choice layered on top, not the way access is enabled, and the usual HTTP-to-HTTPS redirect still needs port 80)

    • D (defeats the purpose of a public web server)
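
Cards 10 and 11 describe one policy from two sides: default-deny, then open only what the DMZ web server must expose. The Python model below is an added example, not code from the chapter or the card set. It evaluates a first-match rule list over constructed packets and renders the same list as Linux iptables commands, so the "block all, then allow specific" ordering is visible in both forms. The addresses (203.0.113.10 for the web server, 10.0.0.0/8 for the internal zone) are documentation ranges chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addresses (RFC 5737 documentation ranges), not taken from the chapter.
DMZ_WEB = ip_network("203.0.113.10/32")   # public-facing web server in the screened subnet
INTERNAL = ip_network("10.0.0.0/8")       # trusted internal zone
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: Optional[str]        # None matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dports: frozenset           # empty set matches any destination port
    comment: str

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (not self.dports or pkt.dport in self.dports))


# First match wins. Only what the DMZ web server must expose is opened; the final
# catch-all is the default deny. A port match is only used together with a protocol,
# because iptables --dport requires -p tcp or -p udp.
DMZ_POLICY = [
    Rule("allow", "tcp", ANY, DMZ_WEB, frozenset({80, 443}), "public web access"),
    Rule("allow", "udp", INTERNAL, DMZ_WEB, frozenset({53}), "DNS from internal only"),
    Rule("deny", None, ANY, ANY, frozenset(), "default deny"),
]


def evaluate(policy: List[Rule], pkt: Packet) -> str:
    """Return the action of the first rule matching pkt; fail closed if none matches."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def to_iptables(policy: List[Rule], chain: str = "FORWARD") -> List[str]:
    """Render the policy as iptables commands in the same first-match order."""
    lines = []
    for r in policy:
        cmd = ["iptables", "-A", chain]
        if r.proto:
            cmd += ["-p", r.proto]
        if r.src != ANY:
            cmd += ["-s", str(r.src)]
        if r.dst != ANY:
            cmd += ["-d", str(r.dst)]
        if len(r.dports) == 1:
            cmd += ["--dport", str(next(iter(r.dports)))]
        elif r.dports:
            cmd += ["-m", "multiport", "--dports", ",".join(str(p) for p in sorted(r.dports))]
        cmd += ["-m", "comment", "--comment", f'"{r.comment}"',
                "-j", "ACCEPT" if r.action == "allow" else "DROP"]
        lines.append(" ".join(cmd))
    return lines
```

Running evaluate against an external SSH attempt (TCP 22) or an external DNS query (UDP 53) to the web server returns "deny" because neither reaches an allow rule before the catch-all; the same requests from 10.x.x.x behave as the policy intends. The rendered iptables list ends in an unconditional DROP, which is the explicit form of default-deny; setting the chain policy itself to DROP is the usual belt-and-braces complement.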

12. At how many ports can a computer offer services?

A) Only one port per IP address
B) Up to 65,535 ports
C) Exactly 1,024 ports
D) Only ports below 1024

Correct Answer: B
Explanation:

  • TCP and UDP each carry a 16-bit port number, 0 to 65,535; port 0 is reserved, so a host can offer services on up to 65,535 ports per transport protocol per IP address (Chapter 3).

  • Well-known ports (0–1023) are reserved for standard services (e.g., HTTP on 80, FTP on 21); registered ports run 1024–49151 and dynamic/ephemeral ports 49152–65535.

  • Distractors:

    • A (incorrect; one address can serve many services, each on its own port)

    • C (arbitrary limit)

    • D (ignores the registered and ephemeral ranges above 1023)

13. What is a stateless firewall?

A) A firewall that tracks active connections and session states
B) A firewall that filters packets without context or connection history
C) A firewall that only blocks inbound traffic
D) A firewall that requires manual approval for each packet

Correct Answer: B
Explanation:

  • Stateless firewalls inspect packets individually without tracking sessions (Chapter 5).

  • Faster but less secure than stateful firewalls.

  • Distractors:

    • A (describes a stateful firewall)

    • C (misleading; stateless can filter both directions)

    • D (describes manual rule-based filtering)

14. What is a stateful firewall?

A) A firewall that only filters based on IP addresses
B) A firewall that monitors and records connection states (e.g., TCP handshakes)
C) A firewall that cannot block UDP traffic
D) A firewall that requires daily reboots

Correct Answer: B
Explanation:

  • Stateful firewalls track active connections (e.g., SYN/ACK flags in TCP) for better security (Chapter 5).

  • Distractors:

    • A (too limited; stateful firewalls track Layer 3/4 connection state, not just addresses)

    • C (incorrect; UDP has no handshake, so the firewall tracks a pseudo-connection that expires after a timeout)

    • D (nonsensical)
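
Cards 9, 13 and 14 together describe what a connection table buys you. The Python model below is an added example, not code from the chapter or the card set: it runs the same constructed packet sequence through a stateless filter (which must admit anything that merely looks like a reply) and a stateful one (which tracks the TCP three-way handshake and keeps a timeout-based pseudo-state for UDP), so the two verdict columns show exactly where state matters. Addresses are documentation ranges chosen for the example and the 30-second UDP timeout is an assumed value.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    time: float = 0.0                   # arrival time in seconds (constructed clock)


class StatelessFilter:
    """Judges each packet on its own headers; replies cannot be verified, only guessed at."""
    def __init__(self, inside: str):
        self.inside = ip_network(inside)

    def inspect(self, pkt: Packet) -> str:
        if ip_address(pkt.src) in self.inside:
            return "allow"                              # any outbound packet
        if pkt.proto == "tcp" and "ACK" in pkt.flags:
            return "allow"                              # "established", unverifiable
        if pkt.proto == "udp" and pkt.sport == 53:
            return "allow"                              # "DNS reply", unverifiable
        return "deny"


class StatefulFilter:
    """Connection table keyed by the flow 5-tuple (inside host first). Inbound packets are
    admitted only if they continue a flow an inside host started; UDP gets a timed pseudo-state."""
    UDP_TIMEOUT = 30.0                                  # assumed idle timeout for UDP entries

    def __init__(self, inside: str):
        self.inside = ip_network(inside)
        self.table: Dict[Tuple, dict] = {}

    def inspect(self, pkt: Packet) -> str:
        outbound = ip_address(pkt.src) in self.inside
        key = ((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        entry = self.table.get(key)
        if pkt.proto == "tcp":
            return self._tcp(pkt, outbound, key, entry)
        return self._udp(pkt, outbound, key, entry)

    def _tcp(self, pkt, outbound, key, entry) -> str:
        f = pkt.flags
        if entry is None:                               # only an inside-initiated SYN opens a flow
            if outbound and f == {"SYN"}:
                self.table[key] = {"state": "SYN_SENT"}
                return "allow"
            return "deny"                               # inbound SYN, stray ACK, forged SYN-ACK
        state = entry["state"]
        if state == "SYN_SENT":                         # expect the server's SYN-ACK
            if not outbound and f == {"SYN", "ACK"}:
                entry["state"] = "SYN_RECV"
                return "allow"
            return "deny"
        if state == "SYN_RECV":                         # expect the client's final ACK
            if outbound and f == {"ACK"}:
                entry["state"] = "ESTABLISHED"
                return "allow"
            return "deny"
        if "SYN" in f:                                  # a SYN inside a live flow is abnormal
            return "deny"
        if "RST" in f:                                  # abortive close: forget the flow
            del self.table[key]
        elif "FIN" in f:
            entry["state"] = "CLOSING"
        return "allow"

    def _udp(self, pkt, outbound, key, entry) -> str:
        if entry is not None and pkt.time - entry["last"] > self.UDP_TIMEOUT:
            del self.table[key]                         # pseudo-state expired
            entry = None
        if outbound:
            self.table[key] = {"state": "UDP", "last": pkt.time}
            return "allow"
        if entry is None:
            return "deny"                               # no query this could answer
        entry["last"] = pkt.time
        return "allow"


def scenario() -> Dict[str, Tuple[str, str]]:
    """Constructed traffic; returns {name: (stateless verdict, stateful verdict)}."""
    inside, web, dns, attacker = "10.0.0.5", "192.0.2.80", "192.0.2.53", "203.0.113.9"
    pkts = [
        ("client SYN",       Packet("tcp", inside, 40000, web, 80, frozenset({"SYN"}), 0.0)),
        ("server SYN-ACK",   Packet("tcp", web, 80, inside, 40000, frozenset({"SYN", "ACK"}), 0.1)),
        ("client ACK",       Packet("tcp", inside, 40000, web, 80, frozenset({"ACK"}), 0.2)),
        ("forged SYN-ACK",   Packet("tcp", attacker, 80, inside, 40001, frozenset({"SYN", "ACK"}), 0.3)),
        ("forged ACK",       Packet("tcp", attacker, 4444, inside, 3389, frozenset({"ACK"}), 0.4)),
        ("inbound SYN scan", Packet("tcp", attacker, 5555, inside, 22, frozenset({"SYN"}), 0.5)),
        ("DNS query",        Packet("udp", inside, 50000, dns, 53, frozenset(), 1.0)),
        ("DNS reply",        Packet("udp", dns, 53, inside, 50000, frozenset(), 1.1)),
        ("unsolicited UDP",  Packet("udp", attacker, 53, inside, 50001, frozenset(), 2.0)),
        ("late DNS reply",   Packet("udp", dns, 53, inside, 50000, frozenset(), 60.0)),
    ]
    stateless, stateful = StatelessFilter("10.0.0.0/8"), StatefulFilter("10.0.0.0/8")
    return {name: (stateless.inspect(p), stateful.inspect(p)) for name, p in pkts}
```

The legitimate handshake and the DNS exchange pass both filters. The forged SYN-ACK, the stray ACK aimed at 3389 and the UDP packet sent from source port 53 all pass the stateless filter, because "ACK set" or "source port 53" is the only evidence it has, and are dropped by the stateful one, which has no table entry for them. The reply arriving 59 seconds after the query is also dropped once the pseudo-state has expired, which is the time-based tracking card 14 refers to.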

15. List the benefits of locating your firewall on the perimeter of a network.

A) Reduces latency for internal traffic
B) Blocks all internal threats completely
C) Provides a single choke point for incoming/outgoing traffic
D) Eliminates the need for antivirus software

Correct Answer: C
Explanation:

  • Perimeter placement centralizes security monitoring (Chapter 6).

  • Distractors:

    • A (a perimeter firewall never sees internal, east-west traffic, so it neither speeds that traffic up nor slows it down)

    • B (firewalls don’t stop insider threats)

    • D (false; firewalls and AV serve different purposes)

16. What network information do attackers initially try to find?

A) Employee salaries
B) Open ports, IP ranges, and service versions
C) Firewall manufacturer names
D) The company’s legal documents

Correct Answer: B
Explanation:

  • Attackers perform reconnaissance to map networks (Chapter 7).

  • Tools like Nmap scan for open ports and services.

  • Distractors:

    • A/D (irrelevant to initial attacks)

    • C (rarely useful unless targeting a specific vulnerability)

17. Name two reasons a hardware firewall solution is a good choice compared with software-only solutions.

A) Lower cost and easier to configure
B) Dedicated processing power and higher throughput
C) No need for updates and unlimited port availability
D) Slower performance but better logging

Correct Answer: B
Explanation:

  • Dedicated firewall appliances (e.g., Cisco ASA) run on purpose-built hardware, in some models with ASIC or crypto offload, so filtering does not compete with a general-purpose host's workload and throughput holds up under heavy traffic (Chapter 6).

  • Distractors:

    • A (software firewalls are often cheaper)

    • C (hardware firewalls still require updates)

    • D (contradicts hardware firewall advantages)

18. Which protocol is connectionless?

A) TCP
B) HTTP
C) UDP
D) FTP

Correct Answer: C
Explanation:

  • UDP is connectionless (no handshake), unlike TCP (Chapter 3).

  • Used for DNS, VoIP, and streaming.

  • Distractors:

    • A (TCP is connection-oriented); B/D (HTTP and FTP are application protocols carried over TCP)

19. For what kinds of communications is a connectionless protocol useful?

A) Transactions requiring guaranteed delivery
B) Real-time applications where speed matters more than reliability
C) Encrypted file transfers
D) Authentication processes

Correct Answer: B
Explanation:

  • UDP is ideal for video calls, gaming, and live broadcasts (Chapter 3).

  • Distractors:

    • A/C/D (require reliability, handled by TCP)

20. What is a proxy server and what can it do?

A) A device that amplifies network signals
B) An intermediary that filters and forwards requests (e.g., caching web pages)
C) A tool for physically securing cables
D) A backup power supply for servers

Correct Answer: B
Explanation:

  • Proxy servers act as intermediaries, providing anonymity, caching, and content filtering (Chapter 5).

  • Distractors:

    • A (describes a repeater)

    • C/D (unrelated to proxies)