Question
Guide to Firewalls and VPNs, 3rd Edition 2611 chapter 5 review
1. How do content-based filtering programs decide whether to allow packets into the protected network? By evaluating information in packet headers and comparing it to one or more sets of rules that have been established to conform to network usage policy.
2. Why is it important to be familiar with the structure of the fields in an IP packet header?
Packet filtering works by examining the header fields. Knowing which fields can be filled by a hacker with false information can help you set up packet filtering rules to block unauthorized traffic.
3. What are the functions of an IP packet footer?
-error checking
-It indicates the end of the packet.
4. What type of data can an attacker insert into a TCP header to fool a stateless packet filter?
5. Why isn’t it practical to filter by the protocol ID field in an IP header?
6. What is the primary weakness in the ICMP protocol that makes it subject to attack?
7. Which fragment numbers could be a security risk because a packet filter might let them through?
8. State the reason internal clients need to be able to send outbound ICMP packets to hosts on the internet.
9. Which types of ICMP messages are directly involved in blocking hack attempts?
10. What is the purpose of blocking all ICMP packets after specifying a group of ICMP rules?
Explanation / Answer
1) On the Internet, content filtering (also known as information filtering) is the use of a program to screen and exclude from access or availability Web pages or e-mail that is deemed objectionable. Content filtering is used by corporations as part of Internet firewall computers and also by home computer owners, especially by parents to screen the content their children have access to from a computer.
2) The IPv4 packet header consists of 14 fields, of which 13 are required. The 14th field is optional (red background in table) and aptly named: options. The fields in the header are packed with the most significant byte first (big endian), and for the diagram and discussion, the most significant bits are considered to come first (MSB 0 bit numbering). The most significant bit is numbered 0, so the version field is actually found in the four most significant bits of the first byte.
3)
A frame check sequence (FCS) refers to the extra error-detecting code added to a frame in a communications protocol. Frames are used to send upper-layer data and ultimately the application data from a source to a destination.
The detection does not imply error recovery; for example, Ethernet specifies that a damaged frame should be discarded, but at the same time does not specify any action to cause the frame to be retransmitted. Other protocols, notably the Transmission Control Protocol (TCP), can notice the data loss and initiate error recovery.
4)
All network traffic is sent in the form of packets. Large amounts of traffic are split up into small packets for easy handling and then reassembled when they arrive at their destination. In the packet header every packet contains information on how and where it should be delivered. And this information is exactly what a packet filtering firewall uses. Filtering is based on:
-Allow or disallow packets based on source/destination IP address.
-Allow or disallow packets based on source/destination port.
-Allow or disallow packets based on protocol.
-Allow or disallow packets based on flags within a specific protocol.
5)
Hosts on the Internet are usually known by names, e.g., www.example.com, not primarily by their IP address, which is used for routing and network interface identification. The use of domain names requires translating, called resolving, them to addresses and vice versa. This is analogous to looking up a phone number in a phone book using the recipient's name.
The translation between addresses and domain names is performed by the Domain Name System (DNS), a hierarchical, distributed naming system which allows for subdelegation of name spaces to other DNS servers.
6) After the ARP and IP were drafted, a subtle weakness in the Address Resolution Protocol was discovered. Unlike TCP, ARP relies on raw sockets and, like UDP, ARP provides no means to establish the authenticity of the source of incoming packets. Although this problem can be resolved in the case of UDP packets by considering alternate approaches such as DNS replies being sent over TCP rather than UDP using the DNSSEC architecture so that false DNS replies may not be accepted by a host, ARP is still prone to similar attacks. This paper identifies known weaknesses of the ARP and analyses the impact of a network flooding utility developed by us, the underlying ideology of which is this very weakness of the ARP. The purpose of our implementation is to extend what conventional tools can do, by incorporating a network flooding module in it, and to simulate a flooded network where hosts are forced to broadcast outgoing packets to the entire network. In some network conditions, the gateway may also be brought into broadcast mode, leading to undesired results. Various attack strategies are considered and the network performance during these attacks is measured. We also reveal a strategy by which ICMP replies are received by a host trying to PING a destination, but the host fails to recognize these replies. Such a weakness in the ICMP can lead to erroneous network management.
7) To set the IP datagram size equal to or smaller than the directly attached medium (in our case 802.3) and delegate all further fragmentation of datagrams to routers, meaning that routers decide if the current datagram should be re-fragmented or not. This offloads a lot of work on to routers, and can also result in packets being segmented by several IP routers one after another, resulting in very peculiar fragmentation.
8) Because they were not allowed to access the server IP addresses.
9) ICMP, or the Internet Control Message Protocol, is the de facto protocol used to communicate error messages reporting errors that might have occurred while transferring data over networks. Besides the normal use of reporting error messages, ICMP also plays an extremely important role in gathering information about the remote system. This manual explores everything about ICMP, its uses and how to use ICMP to gather more information on the target system and of course, countermeasures.
The ICMP protocol communicates error messages and other malfunctions or problems that might have occurred while the data transactions between two systems were taking place. Thus, it can also be called the ‘Network Problem Diagnosis’ protocol. It is basically the protocol, which reports any error that might have occurred while the data transfer was still taking place.
10)
ICMP allows things like "traceroute" and "ping" (ICMP echo request) to work. Thus that part is quite useful for normal diagnostics. It also is used for feedback when you run a DNS server (port unreachable) which, in a modern DNS server, may actually help select a different machine to query faster.
ICMP is used for path MTU discovery. Chances are your OS sets "DF" (do not fragment) on TCP packets it sends. It is expecting to get an ICMP "fragmentation required" packet back if something along the path fails to handle that size of packet. If you block all ICMP, your machine will have to use other fallback mechanisms, which basically use a timeout to detect a PMTU "black hole" and will never optimize correctly.
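Added example (not part of the question, the textbook, or the answer above): a toy stateless packet filter in Python that shows how several of the review questions play out in code. It parses the IPv4 header fields a filter actually decides on (protocol, addresses, fragment offset) plus the TCP ports and flags or ICMP type/code, and then evaluates an ordered rule list with a final default deny. The rule lists cover the points raised above: the specific ICMP allows (echo request out, echo reply in, fragmentation-needed for PMTU discovery, time-exceeded for traceroute) must come before the "block all other ICMP" rule, a later fragment carries no port or flag fields at all and so can slip past a port-based rule, and an attacker can set the ACK flag on a packet to pass a stateless "established connection" rule. Everything here is constructed for the example: the protected network is assumed to be 10.0.0.0/8 with a web server at 10.0.0.80, and the packets, addresses and port numbers are made up, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional

SYN, ACK = 0x02, 0x10                    # TCP flag bits (byte 13 of the TCP header)
PROTECTED = "10."                        # assumed protected network 10.0.0.0/8

@dataclass
class Packet:                            # the header fields a stateless filter decides on
    proto: int
    src: str
    dst: str
    frag_offset: int                     # in 8-byte units; non-zero => not the first fragment
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: int = 0
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def parse_ipv4(raw: bytes) -> Packet:
    """Decode the fixed 20-byte IPv4 header, then the transport header if it is present."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    pkt = Packet(proto, ".".join(map(str, src)), ".".join(map(str, dst)), flags_frag & 0x1FFF)
    payload = raw[(ver_ihl & 0x0F) * 4:]
    # Only the first fragment carries the TCP/UDP/ICMP header; a later fragment has no
    # port or flag fields at all, so a stateless filter cannot judge it by them.
    if pkt.frag_offset == 0 and len(payload) >= 4:
        if proto in (6, 17):                              # TCP or UDP: ports come first
            pkt.sport, pkt.dport = struct.unpack("!HH", payload[:4])
            if proto == 6 and len(payload) >= 14:
                pkt.tcp_flags = payload[13]
        elif proto == 1:                                  # ICMP: type, code
            pkt.icmp_type, pkt.icmp_code = payload[0], payload[1]
    return pkt

def inside(ip: str) -> bool:
    return ip.startswith(PROTECTED)

def evaluate(pkt: Packet, rules):
    """First matching rule wins; a packet that matches nothing hits the default deny."""
    for name, match, action in rules:
        if match(pkt):
            return action, name
    return "deny", "default deny"

# ICMP: allow the few message types the inside needs, then block everything else.
# The closing deny has to come after the allows or it would shadow them.
ICMP_RULES = [
    ("echo-request out", lambda p: p.proto == 1 and p.icmp_type == 8 and inside(p.src) and not inside(p.dst), "allow"),
    ("echo-reply in", lambda p: p.proto == 1 and p.icmp_type == 0 and inside(p.dst), "allow"),
    ("frag-needed in (PMTU)", lambda p: p.proto == 1 and (p.icmp_type, p.icmp_code) == (3, 4) and inside(p.dst), "allow"),
    ("time-exceeded in (traceroute)", lambda p: p.proto == 1 and p.icmp_type == 11 and inside(p.dst), "allow"),
    ("block all other ICMP", lambda p: p.proto == 1, "deny"),
]
NEW_TO_WEB = ("SYN to web server", lambda p: p.proto == 6 and p.dst == "10.0.0.80" and p.dport == 80
              and p.tcp_flags & SYN and not p.tcp_flags & ACK, "allow")

# Naive set: treats the ACK flag alone as proof of an established connection, and passes
# later fragments unchecked so that reassembly "just works".
NAIVE_RULES = [
    ("pass non-initial fragments", lambda p: p.frag_offset != 0, "allow"),
    *ICMP_RULES, NEW_TO_WEB,
    ("ACK in = established", lambda p: p.proto == 6 and inside(p.dst) and p.tcp_flags & ACK, "allow"),
]
# Hardened set: drops fragments it cannot inspect and honours ACK-only traffic only towards
# ephemeral ports. An attacker can still set ACK to probe ports >= 1024; only a stateful
# filter that has seen the handshake closes that gap.
HARDENED_RULES = [
    ("drop non-initial fragments", lambda p: p.frag_offset != 0, "deny"),
    *ICMP_RULES, NEW_TO_WEB,
    ("ACK in to ephemeral port", lambda p: p.proto == 6 and inside(p.dst) and p.tcp_flags & ACK
     and p.dport is not None and p.dport >= 1024, "allow"),
]

# Constructed sample packets (not captured traffic).
def build(proto, src, dst, payload, frag_offset=0):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag_offset, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def tcp(sport, dport, flags):            # minimal 20-byte TCP header
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def icmp(type_, code):
    return struct.pack("!BBHI", type_, code, 0, 0)

SAMPLES = {
    "ping out":             build(1, "10.0.0.5", "93.184.216.34", icmp(8, 0)),
    "ping reply in":        build(1, "93.184.216.34", "10.0.0.5", icmp(0, 0)),
    "frag-needed in":       build(1, "198.51.100.1", "10.0.0.5", icmp(3, 4)),
    "redirect in":          build(1, "198.51.100.1", "10.0.0.5", icmp(5, 1)),
    "syn to web":           build(6, "203.0.113.7", "10.0.0.80", tcp(40001, 80, SYN)),
    "legit reply":          build(6, "93.184.216.34", "10.0.0.5", tcp(443, 51000, ACK)),
    "forged ACK to telnet": build(6, "203.0.113.7", "10.0.0.22", tcp(40002, 23, ACK)),
    "later fragment":       build(6, "203.0.113.7", "10.0.0.22", b"\x00" * 8, frag_offset=1),
}

def run(rules):
    """Verdict ('allow'/'deny') for every sample packet under the given ordered rule list."""
    return {name: evaluate(parse_ipv4(raw), rules)[0] for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    naive, hard = run(NAIVE_RULES), run(HARDENED_RULES)
    for name in SAMPLES:
        print(f"{name:22s} naive={naive[name]:5s} hardened={hard[name]}")
```

Running it prints one verdict per sample under each rule set. The ICMP redirect is stopped by the closing "block all other ICMP" rule while the echo, fragmentation-needed and time-exceeded messages still get through, which is the reason that catch-all rule is placed after the specific ones. The forged ACK-only packet aimed at telnet and the later fragment both pass the naive set and are dropped by the hardened one; the hardened ACK rule is still a stateless guess, so ACK probes against ports above 1023 would still pass it, which is why the real fix is a stateful filter.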