COM221 Module9

a. Correct. There is no visibility firewall parameter.

b. Incorrect. Rules can be set to only be active during a scheduled time.

c. Incorrect. A rule can be created that is unique for specific circumstances (contexts). For example, different rules may be in effect depending on whether a laptop is on-site or is remote (sometimes called geographical consideration).

d. Incorrect. The action setting indicates what the firewall should do when the conditions of the rule are met.

a. Incorrect. Force Allow permits traffic that would normally be denied by other rules.

b. Incorrect. This is fictitious and does not exist.

c. Incorrect. Bypass allows all traffic to bypass the firewall.

d. Correct. Allow implicitly denies all other traffic unless explicitly allowed.

a. Incorrect. Firewalls can also apply content/URL filtering. The firewall can be used to monitor websites accessed through HTTP to create custom filtering profiles. The filtering can be performed by assessing webpages by their content category, and then create whitelists and blacklists of specific URLs.

b. Correct. A more flexible type of firewall than a rule-based firewall is a policy-based firewall. This type of firewall allows for more generic statements to be used instead of specific rules.

c. Incorrect. Hardware firewalls are specialized separate devices that inspect traffic. Because they are specialized devices, hardware firewalls tend to have more features but are more expensive and can require more effort to configure and manage.

d. Incorrect. Firewalls that are owned by an entity that has an exclusive right to them are called proprietary firewalls.

a. Correct. Stateful packet filtering uses both the firewall rules and the state of the connection: that is, whether the internal device requested each packet. A stateful packet filtering firewall keeps a record of the state of a connection between an internal endpoint and an external device.

b. Incorrect. This is fictitious and does not exist.

c. Incorrect. This is fictitious and does not exist.

d. Incorrect. This is fictitious and does not exist.

a. Correct. A virtual firewall is one that runs in the cloud. Virtual firewalls are designed for settings, such as public cloud environments, in which deploying an appliance firewall would be difficult or even impossible.

b. Incorrect. A firewall that runs in an endpoint virtual machine is a host firewall.

c. Incorrect. Firewalls block both incoming and outgoing traffic.

d. Incorrect. An appliance firewall is typically a separate hardware device designed to protect an entire network.

a. Incorrect. Network address translation (NAT) is a technique that allows private IP addresses to be used on the public Internet. It does this by replacing a private IP address with a public IP address: as a packet leaves a network, NAT removes the private IP address from the sender’s packet, replaces it with an alias IP public address, and then maintains a record of the substitution; when a packet is returned, the process is reversed.

b. Incorrect. One specialized firewall is a web application firewall (WAF) that looks at the applications using HTTP. A web application firewall, which can be a separate hardware appliance or a software plug-in, can block specific websites or attacks that attempt to exploit known vulnerabilities in specific client software and can even block cross-site scripting and SQL injection attacks.

c. Correct. Unified threat management (UTM) is a device that combines several security functions. These include packet filtering, antispam, antiphishing, antispyware, encryption, intrusion protection, and web filtering.

d. Incorrect. A next generation firewall (NGFW) has additional functionality beyond a traditional firewall. NGFWs can filter packets based on applications. NGFWs have visibility of applications by using deep packet inspection and thus can examine the payloads of packets and determine if they are carrying malware. In addition to basic firewall protections, filtering by applications, and deep packet inspection, NGFWs can also perform URL filtering and intrusion prevention services.

a. Correct. A high-interaction honeypot is designed for capturing much more information from the threat actor. Usually, it is configured with a default login and loaded with software, data files that appear to be authentic but are actually imitations of real data files (honeyfiles), and fake telemetry.

b. Incorrect. This is fictitious and does not exist.

c. Incorrect. This is fictitious and does not exist.

d. Incorrect. This is fictitious and does not exist.

a. Incorrect. This is fictitious and does not exist.

b. Correct. A DNS sinkhole changes a normal DNS request to a pre-configured IP address that points to a firewall that has a rule of Deny set for all packets so that every packet is dropped with no return information provided to the sender. DNS sinkholes are commonly used to counteract DDoS attacks. Many enterprises contract with a DDoS mitigation service that helps identify DDoS traffic so that it is sent to a sinkhole while allowing legitimate traffic to reach its destination.

c. Incorrect. This is fictitious and does not exist.

d. Incorrect. This is fictitious and does not exist.

a. Incorrect. Behavioral monitoring attempts to overcome the limitations of both anomaly-based monitoring and signature-based monitoring by being adaptive and proactive instead of reactive. Rather than using statistics or signatures as the standard by which comparisons are made, behavior-based monitoring uses the “normal” processes and actions as the standard. Behavior-based monitoring continuously analyzes the behavior of processes and programs on a system and alerts the user if it detects any abnormal actions, at which point the user can decide whether to allow or block the activity.

b. Incorrect. Signature-based monitoring compares activities against a predefined signature. Signature-based monitoring requires access to an updated database of signatures along with a means to actively compare and match current behavior against a collection of signatures.

c. Correct. Anomaly monitoring is designed for detecting statistical anomalies.

d. Incorrect. Heuristic monitoring attempts to answer the question, will this do something harmful if it is allowed to execute?

a. Incorrect. This statement is accurate.

b. Incorrect. This statement is accurate.

c. Incorrect. This statement is accurate.

d. Correct. It contains servers that are used only by external and not internal network users.