CNIT 455 Exam I

T/F A Packet Filter is hardware that limits connectivity

T/F A Packet Filter is hardware that limits connectivity

F (Software)

Packet filters block _______ and ______ traffic

ingress, egress

Packet filters use ____ based filtering

rule

Packet filter rules are combined into ________

rulesets

T/F A good practice with packet filters is to allow what you want then deny all else.

T

A firewall always includes a ______ ______

packet filter

T/F All packet filters are firewalls

F (Firewalls contain packet filters, not vice versa)

T/F Windows firewall, iptables, and pfsense are examples of software "firewalls"

T

T/F Packet filters are often used as a replacement in the IP stack on modern implementations.

F (uncommon)

T/F Packet filters are often implemented as a specialized network device.

T

One should always use __ rather than ___ when configuring a packet filter, as the latter is far easier to spoof.

IP, DNS

When filtering by IP, one should control access based on the ______/__________ IP address.

source/destination

T/F Packet filters are vulnerable to IP address spoofing via ARP.

T

LSRR stands for

Loose Source Record Routing

T/F LSRR tells packets specific routes to gain access to otherwise unreachable networks.

T

T/F LSRR prevents machines from spoofing addresses.

F (Enables spoofing, as net traffic can still find the machine)

T/F You should always enable LSRR on border routers and firewalls

F (DISABLE IT)

UDP and TCP communication is based on numbered _____

ports

T/F UDP and TCP source and destination ports are standardized.

F (only destination)

UDP and TCP ______ ports are chosen randomly, from port ____ and above

source, 1024

The two types of port filtering are ______ and ________

Static, dynamic

Static port filtering involves only allowing traffic based on ____ number or IP/____ number combination

port

In static port filtering, each packet is checked _____________

independently

Dynamic port filtering is also known as ________ ______ __________

stateful packet inspection

Dynamic port filtering checks the _______ of the packet as well as ______ and ___________ addresses

context, source, destination

T/F Destination Static Port Filtering involves examining and filtering based on source port number

F (destination you dip)

The major limitation of Destination Static Port Filtering is that it only works if a server responds to incoming messages on the _________ ____

receiving port

In source static port forwarding, source ports are typically randomly chosen from numbers above ____

1023

In source static port forwarding, after a server sends a message using a random port > 1023, the return traffic will be _______ by the firewall.

blocked

To work around the blocking caused by SSPF, you must ______ incoming traffic for ports > 1023

allow

T/F Allowing traffic for SSPF is a massive security problem.

T

By monitoring the source port for ingress traffic in SSPF, you have created a __-__________ static filter

bi-directional

TCP Static Source Port Filtering consists of performing a check on the ___ bit of outgoing TCP traffic

ACK

TCP SSPF does not work for flows that dynamically open ________ connections, such as FTP or H.323

Multiple

UDP source packet filtering can be done by denying ___ traffic

UDP

T/F UDP SPSF is essentially impossible due to the reliance on DNS

T

To solve the inherent problem with DNS in UDP SPSF, one can use DNS _________ and limit IP addresses to your upstream DNS server

forwarding

In _______ packet filtering, ports are closed until they are needed.

Dynamic

Dynamic Packet Filtering builds a _____ _____ of information about communications

state table

T/F The state table in DPF keeps track of sequence numbers of TCP packets and UDP data flows.

T

T/F Dynamic Packet Filtering cannot perform authentication upon session startup

F (it can)

T/F Dynamic packet filtering can examine the application layer to ensure the traffic is what it says it is.

T

The three things that can be done when a filter blocks traffic are:

1. Send ICMP host not reachable

2. Send ICMP host not administratively reachable

3. Send _______

Nothing

The safest solution when deciding to block traffic is to send ______

Nothing

The primary strength of a packet filter is how ____ it is

fast

T/F A packet filter can approach line speeds.

T

T/F Packet filters log everything that passes through them.

F (Too much data to collect)

T/F Packet filters are fully capable of perfectly authenticating all traffic passing through

F (very limited authentication)

T/F Once you allow traffic to pass through a filter, it likely cannot be tracked.

T

T/F Always ensure Loose Source Record Routing is disabled.

T

T/F Best practice is to send an ICMP host not reachable message when a packet is blocked by a firewall.

F (Send nothing)

T/F A properly configured packet filter is immune to IP address spoofing

F (Not immune)

T/F All modern packet filters implement stateful (dynamic) packet inspection

T

T/F Your mail server is delivering a message to an external address. The source port address will be TCP 25.

F (The source address will be randomly chosen from a value of 1024 or higher, up to 2^16)

T/F Stateful packet inspection is another term for application layer gateway.

F (Stateful packet inspection is a filtering method. As such packets are delivered from the source to the destination. An application layer gateway breaks the data flow into two separate sessions: one between the target and the ALG and one from the requester and the ALG)

T/F To simplify writing packet filter rules you should use DNS domain names instead of IP addresses.

F

T/F The biggest disadvantage of packet filtering is that a direct connection is made between the source and destination hosts.

T

T/F Using UDP static filtering and allowing outgoing connections effectively opens up all non-reserved UDP ports for incoming traffic.

T

IPsec adds security to the IPv4 or IPv6 ________ layer

network

IPsec reduces the need for __________ layer security

Application

T/F IPsec can provide a layer of security to inherently insecure application layer protocols.

T

IPsec runs at a ___ layer of the operating system

low

T/F IPsec does not support filtering

F (it does)

T/F IPsec will filter all traffic across the network at all times.

F (some traffic is handled natively by IP/TCP/UDP, etc)

The two modes of IPsec operation are __________ and ______

Transport, Tunnel

The two protocols utilized in IPsec are the ____________ _______ protocol, and the ____________ _______ _______.

Authentication Header, Encapsulating Security Payload

T/F IPsec AH and ESP can be used simultaneously.

T

T/F The authentication header can be used for encryption of network traffic.

F (only authentication)

T/F Both transport and tunnel mode can work with AH and ESP.

T

Transport mode is used to secure any layer _ or above protocol set.

4

T/F Transport mode can be used with virtually all application layer protocols

T

T/F IPsec does not require the communication endpoint to be the cryptographic endpoint.

F (comm endpoint must be cryptographic endpoint)

Transport mode is used to protect standard application layer data during transmission across an _______ network.

insecure

T/F Tunnel mode requires an entire IP packet to be encapsulated into the IPsec data field.

T

Tunnel mode is utilized for the creation of ___ connections.

VPN

Authentication Header protocol was established with RFC ____.

4301

AH in included in IP Protocol __.

51

AH provides authentication of the entire IPv4 _______

datagram

AH ensures a packet is not _______ or _______.

spoofed, munged

T/F Authentication Headers provide an anti-replay service with optional sequence numbers.

T

T/F Even when using Authentication Headers, the source address could be spoofed.

F (theoretically the source address cannot be spoofed)

Authentication Headers doe not ______ data.

encrypt

Encapsulating Security Payload is included in RFC ____, ____ et. al.

2460, 4303

ESP is included in IP Protocol __

50

ESP provides for ___________ and/or _________

authentication, encryption

T/F ESP allows implementation of authentication and encryption, but neither have to be enabled when configuring IPsec.

F (one must be specified, otherwise why enable it to begin with)

IPsec supports many block ciphers using ______ _____ _______ (CBC)

Cipher Block Chaining

An IPsec ________ defines the set of cryptographic tools used by IPsec

transform

PIX/ASA implementations of IPsec refer to crypto tools as _______ ____

transform sets

In cryptography, a _______ __________ is a one way set of security information used to facilitate a logical connection between nodes

security association

___ security associations are required for duplex communication.

two

A Security Association contains cryptographic information, including __________, _________ information, and ___ information

authenticators, Encryption, MAC

T/F Before two nodes can communicate securely, they must sort out their security associations

T

Transforms that can be performed in IPsec include ___/__, ______ with key, and ___ with key

ESP/AH, Cipher, MAC

Both nodes must agree on the _______ of interest

traffic

T/F Both nodes must agree on the path MTU.

T

The _______ ________ _____ is a unique 32 bit value identifying each individual data flow.

Security Parameter Index

T/F IPsec security associations are usually manually configured

F (Rarely done, as it is less secure than automatic)

IPsec security associations are configured automatically via a ___ _______ ______

key exchange protocol

ISAKMP stands for

Internet Security Association Key management protocol