Encryption and Network Security

Tutorial #8 - Firewall Basics

  1. Explain the differences between a router and a firewall. Why is a firewall an important part of network security infrastructure?
  2. At a certain tertiary college, the border router blocks all outgoing TCP connections except to ports 25, 80 and 443. What security purpose do you think this is intended to serve?
  3. When a (non-filtering) router drops a packet, it normally sends an ICMP message of type "Host Unreachable" or "Network Unreachable" to the source address in the packet. In the case of a filtering (firewall) router, these ICMP types do not reflect the true story: the host/network is reachable, but only under certain conditions. The IETF has subsequently introduced new ICMP "administratively prohibited" error types to better reflect the true situation. However, these are widely considered to effectively reveal the fact that a firewall is in place, and as a result they are not widely used. Discuss the issues involved in sending any type of ICMP response when a packet is dropped.
  4. It's usually desirable to check the source IP addresses of both inbound and outbound packets at an Internet gateway router. Why? Hint: think about forged source addresses.
  5. What is Stateful Packet Inspection (SPI)? What benefits does SPI provide over using basic permit/deny rules? Would it be possible to imitate SPI using standard ACLs?
  6. Why should you log details regarding packets that have been dropped by a firewall? How often should these logs be reviewed?
  7. In the lecture we stated that firewall rulesets should be implemented using a "deny by default" policy. What does this mean, and why would it be better than the alternative?
  8. Cisco ACL time! Consider the "forged source addresses" question, above. Now, imagine you had to configure a border router between the Bendigo class-B network (149.144.0.0) and the "outside" Internet. This can be done with two Basic ACLs. Give the configuration commands needed.
  9. La Trobe University, Bendigo used to provide an undergraduate dial-in facility; however, it did not allow any Internet access outside the university. Dial-in hosts have IP addresses on subnet 8, that is (using CIDR notation) 149.144.8.0/24. Give a Cisco Basic ACL configuration command which would implement this policy.
  10. The La Trobe University border router does not allow outbound port 80 (HTTP) TCP connections except those emanating from the proxy servers. All inbound connections are permitted. Give Cisco Extended ACL configuration commands which would give effect to this policy on the border router.
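The following Python model is an added example and is not part of the tutorial sheet or of any Cisco software. It models the border router in questions 4 to 10 as a small packet filter: rules are evaluated Cisco-ACL style (first match wins, and a packet matching nothing is dropped, which is the "deny by default" of question 7), the anti-spoofing lists of question 8 and the subnet-8 and proxy policies of questions 9 and 10 are encoded as rules, every drop is logged (question 6), and a stateful TCP session table is compared with the stateless "established" (ACK-flag) approximation to show why SPI cannot be fully imitated with plain ACLs (question 5). The network 149.144.0.0/16 and the subnet 149.144.8.0/24 come from the tutorial; the proxy address 149.144.1.10 and all packets in `demo()` are constructed placeholders, since the tutorial does not name the proxy servers.

```python
"""Toy model of the Bendigo border router (constructed example, not Cisco syntax)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

CAMPUS = "149.144.0.0/16"   # Bendigo class-B network (from the tutorial)
DIALIN = "149.144.8.0/24"   # dial-in subnet 8 (from the tutorial)
PROXY = "149.144.1.10/32"   # ASSUMED proxy address: placeholder, not from the tutorial


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "ip"            # "ip" matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    established: bool = False    # stateless heuristic: "ACK flag set"

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("ip", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or p.ack))


def evaluate(acl, p):
    """First matching rule decides; no match means deny (deny by default)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action, rule
    return "deny", None


# Q8: inbound packets must never claim a campus source, outbound packets must always carry one.
INBOUND_ACL = [Rule("deny", src=CAMPUS), Rule("permit")]
OUTBOUND_ACL = [
    Rule("deny", src=DIALIN),                          # Q9: dial-in hosts get no Internet access
    Rule("permit", src=PROXY, proto="tcp", dport=80),  # Q10: only the proxy may open HTTP
    Rule("deny", proto="tcp", dport=80),               #      everyone else is refused
    Rule("permit", src=CAMPUS),                        # Q8: genuine campus sources only; rest implicit deny
]
# Q5: stateless attempt at "allow replies only": trust the ACK flag, which any sender can set.
STATELESS_INBOUND = [Rule("deny", src=CAMPUS), Rule("permit", proto="tcp", established=True)]


class Firewall:
    """Applies the ACLs, keeps a TCP session table (Q5) and logs every drop (Q6)."""

    def __init__(self, stateful=True):
        self.stateful = stateful
        self.sessions = set()  # (client, client_port, server, server_port) seen leaving
        self.drops = []        # log of (direction, packet, reason)

    def _drop(self, direction, p, reason):
        self.drops.append((direction, p, reason))
        return False

    def outbound(self, p):
        action, rule = evaluate(OUTBOUND_ACL, p)
        if action != "permit":
            return self._drop("out", p, f"acl {rule}")
        if self.stateful and p.proto == "tcp" and p.syn and not p.ack:
            self.sessions.add((p.src, p.sport, p.dst, p.dport))  # remember the new connection
        return True

    def inbound(self, p):
        if not self.stateful:
            action, rule = evaluate(STATELESS_INBOUND, p)
            return action == "permit" or self._drop("in", p, f"acl {rule}")
        if evaluate(INBOUND_ACL, p)[0] != "permit":  # anti-spoofing still applies
            return self._drop("in", p, "spoofed campus source")
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:  # reply to a connection we saw leave
            return True
        return self._drop("in", p, "no matching outbound session")


def demo():
    """Decisions for a handful of constructed packets (203.0.113.9 is a documentation address)."""
    fw, weak = Firewall(stateful=True), Firewall(stateful=False)
    out = {}
    out["campus_https"] = fw.outbound(Packet("149.144.20.5", "203.0.113.9", "tcp", 40000, 443, syn=True))
    out["https_reply"] = fw.inbound(Packet("203.0.113.9", "149.144.20.5", "tcp", 443, 40000, syn=True, ack=True))
    out["spoof_in"] = fw.inbound(Packet("149.144.1.1", "149.144.20.5", "tcp", 443, 40001, ack=True))    # Q4/Q8
    out["spoof_out"] = fw.outbound(Packet("10.0.0.1", "203.0.113.9", "tcp", 1, 443, syn=True))          # Q4/Q8
    out["dialin"] = fw.outbound(Packet("149.144.8.7", "203.0.113.9", "tcp", 5000, 443, syn=True))       # Q9
    out["proxy_http"] = fw.outbound(Packet("149.144.1.10", "203.0.113.9", "tcp", 5001, 80, syn=True))   # Q10
    out["host_http"] = fw.outbound(Packet("149.144.20.5", "203.0.113.9", "tcp", 5002, 80, syn=True))    # Q10
    probe = Packet("203.0.113.9", "149.144.20.5", "tcp", 443, 40002, ack=True)  # unsolicited, ACK set
    out["probe_stateless"] = weak.inbound(probe)  # "established" lets it through (Q5)
    out["probe_stateful"] = fw.inbound(probe)     # no session, so SPI drops it (Q5)
    out["drops_logged"] = len(fw.drops)
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16} {decision}")
```

The last two probe results are the point of question 5: the stateless list can only ask "does the packet look like a reply?", whereas the session table asks "did we actually see this connection leave?". The `drops` list is the raw material for the log review asked about in question 6; each entry records which rule (or the implicit deny) caused the drop.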