Free CISSP Certification Practice Questions:
Which of the following statements are true regarding firewall architecture and technologies?
A) A drawback of a screened-host firewall is that the host's routing capabilities must be disabled so that internal routing is not accidentally enabled
B) A multi-homed bastion host can translate between two network access protocols, such as Ethernet or Token Ring.
C) A dual-homed host firewall consists of a bastion host with two network cards and a single screening router.
D) Packet filtering firewalls maintain "state" tables in order to track the state and context of incoming data packets
E) None of the statements are true
A packet-filtering firewall blocks traffic at a gateway based on IP addresses and/or port numbers; it is also known as a "screening router." It blocks unwanted network traffic based on its source address, its destination, or its type (e-mail, FTP, etc.). Packet filtering is generally performed in a router. Unlike stateful inspection firewalls, packet-filtering firewalls do NOT maintain state tables to track the state and context of incoming data packets.
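To make the packet-filtering versus stateful-inspection distinction concrete, here is an added example (not part of the original practice question or its explanation): a small simulation of a stateless screening filter beside a stateful filter that keeps a state table. The packets, addresses and rules are constructed for the illustration; the internal network prefix and the "allow web browsing" policy are assumptions.

```python
# Added example: stateless screening-router filter vs. stateful inspection.
# All packets, addresses and the policy below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True on the first packet of a TCP connection


def is_internal(ip: str) -> bool:
    # Assumption: the protected network is 10.0.0.0/8.
    return ip.startswith("10.")


def stateless_filter(pkt: Packet) -> bool:
    """Screening-router style: decide from the header fields of this packet only.

    To let internal hosts browse the web, the filter must admit any inbound
    packet whose source port is 80, because it has no memory of which
    connections internal hosts actually opened.
    """
    if is_internal(pkt.src_ip) and pkt.dst_port == 80:
        return True  # outbound web request
    if is_internal(pkt.dst_ip) and pkt.src_port == 80:
        return True  # anything that merely looks like a web reply
    return False


class StatefulFilter:
    """Stateful inspection: inbound traffic is admitted only when it belongs to
    a connection already recorded in the state table."""

    def __init__(self) -> None:
        self.table: set = set()  # (src_ip, src_port, dst_ip, dst_port) tuples

    def allow(self, pkt: Packet) -> bool:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if is_internal(pkt.src_ip) and pkt.dst_port == 80 and pkt.syn:
            self.table.add(flow)  # record the outbound connection
            return True
        if flow in self.table or reverse in self.table:
            return True  # part of an established connection
        return False


def demo() -> dict:
    """Run three constructed packets through both filters; returns
    {name: (stateless_decision, stateful_decision)}."""
    request = Packet("10.1.1.5", 40000, "203.0.113.9", 80, syn=True)
    reply = Packet("203.0.113.9", 80, "10.1.1.5", 40000)
    # Unsolicited inbound packet to SSH that sets its source port to 80.
    unsolicited = Packet("198.51.100.7", 80, "10.1.1.5", 22)
    sf = StatefulFilter()
    return {
        "request": (stateless_filter(request), sf.allow(request)),
        "reply": (stateless_filter(reply), sf.allow(reply)),
        "unsolicited": (stateless_filter(unsolicited), sf.allow(unsolicited)),
    }


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:12s} stateless={stateless} stateful={stateful}")
```

Both filters admit the outbound request and its genuine reply, but only the stateful filter rejects the unsolicited inbound packet, because nothing in its state table matches it; the stateless filter, having no state table, cannot tell that packet apart from a real reply.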
The dual-homed host firewall is an alternative to a packet-filtering router firewall. It is a host system with two network interfaces, and it is secure because it creates a complete physical break in the network. The host's IP forwarding ability should be disabled so that it cannot route packets between the two connected networks; as a result, it blocks all IP traffic between the Internet and the secure network. One of the advantages of using a multi-homed bastion host is that it can translate between two network access protocols, such as Ethernet and Token Ring. However, a drawback of the dual-homed firewall (not the screened-host firewall) is that the host's routing capabilities must be disabled so that internal routing is not accidentally enabled.
Unlike the dual-homed host firewall, a screened-host firewall configuration uses a single-homed bastion host in addition to a single screening router. This design uses packet filtering and the bastion host as its security mechanisms and incorporates both network- and application-level security: the router performs the packet filtering, and the bastion host performs the application-side security. It is more flexible but less secure than a dual-homed gateway firewall. The bastion host in a screened-host firewall has one network interface and does not require a subnet between the application gateway and the router. The gateway's proxy passes services to site systems.