Provide a filter table and a connection table for a stateful firewall that is as restrictive as possible but accomplishes the following: a. Allows all internal users to establish Telnet sessions with external hosts. b. Allows external users to surf the company Web site at 222.22.0.12. c. But otherwise blocks all inbound and outbound traffic. The internal network is 222.22/16. In your solution, suppose that the connection table is currently caching three connections, all from inside to outside. You’ll need to invent appropriate IP addresses and port numbers.

Short Answer

The filter table allows outbound Telnet and inbound HTTP to 222.22.0.12; all else is blocked. The connection table tracks three active Telnet connections.

Step by step solution

01

Analyze Requirements

Identify that we need to allow Telnet sessions from internal users to external hosts, allow web browsing from external users to one specific internal host (222.22.0.12), and block all other traffic.
02

Define Internal Network Address

The internal network is given as 222.22/16, which comprises addresses from 222.22.0.0 to 222.22.255.255.
03

Create Filter Table for Outbound Telnet

Since Telnet uses TCP port 23, create a rule allowing outbound connections with source IP from 222.22/16, destination IP as any external address, protocol TCP, and destination port 23. Set the default action to block all other outbound connections.
04

Create Filter Table for Inbound HTTP

Allow inbound HTTP connections on TCP port 80 with destination IP as 222.22.0.12. Use any source IP (external). Set the default action to block all other inbound connections.
05

Compile Filter Table

Compile the filter table as follows:
  • Outbound: Allow TCP, source: 222.22/16, dest: any, dest port: 23
  • Inbound: Allow TCP, source: any, dest: 222.22.0.12, dest port: 80
  • Default rule: Block all other traffic
06

Establish Connection Table

Create a connection table to track active stateful connections from inside to outside. Assume three connections:
  1. Source: 222.22.1.10:5000, Dest: 203.0.113.5:23
  2. Source: 222.22.1.11:5001, Dest: 203.0.113.6:23
  3. Source: 222.22.1.12:5002, Dest: 203.0.113.7:23
07

Verify Restrictions

Ensure the filter table fulfills the restrictions: Telnet is allowed outbound, HTTP is allowed inbound to 222.22.0.12, and all other traffic is blocked as planned.
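As an added worked example (not part of the textbook solution above), the following Python model implements the filter table from steps 03 to 05 and the connection table from step 06, and decides packet by packet what the stateful firewall does. It applies the stateful behaviour described under Key Concepts: a segment that belongs to a cached connection passes in either direction, while only a connection-opening SYN that matches an allow rule may create a new entry. The external addresses 203.0.113.x and 198.51.100.7 and the sample packets are constructed for illustration.

```python
"""Toy stateful packet filter for the Telnet-out / HTTP-in exercise.

Added example, not the textbook's code. Addresses outside 222.22/16
(203.0.113.x, 198.51.100.7) are assumed external hosts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("222.22.0.0/16")   # the 222.22/16 internal network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"
    syn: bool = False   # set on the first segment of a new connection
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "block"
    direction: str           # "out", "in" or "any"
    proto: str               # "TCP" or "any"
    src: str                 # CIDR; 0.0.0.0/0 means any
    dst: str
    dst_port: Optional[int]  # None means any destination port


# Filter table from step 05, evaluated top to bottom, first match wins.
FILTER_TABLE = [
    Rule("allow", "out", "TCP", "222.22.0.0/16", "0.0.0.0/0", 23),   # outbound Telnet
    Rule("allow", "in", "TCP", "0.0.0.0/0", "222.22.0.12/32", 80),   # inbound HTTP to web server
    Rule("block", "any", "any", "0.0.0.0/0", "0.0.0.0/0", None),     # default: block everything else
]

# Connection table from step 06: the three cached inside-to-outside
# Telnet connections, stored as (src_ip, src_port, dst_ip, dst_port)
# in the direction in which they were opened.
CONNECTION_TABLE = {
    ("222.22.1.10", 5000, "203.0.113.5", 23),
    ("222.22.1.11", 5001, "203.0.113.6", 23),
    ("222.22.1.12", 5002, "203.0.113.7", 23),
}


def direction_of(pkt: Packet) -> str:
    """Classify a packet as leaving ("out") or entering ("in") the internal net."""
    src_in = ip_address(pkt.src_ip) in INTERNAL
    dst_in = ip_address(pkt.dst_ip) in INTERNAL
    if src_in and not dst_in:
        return "out"
    if dst_in and not src_in:
        return "in"
    return "other"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction not in ("any", direction_of(pkt)):
        return False
    if rule.proto not in ("any", pkt.proto):
        return False
    if ip_address(pkt.src_ip) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst_ip) not in ip_network(rule.dst):
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def decide(pkt: Packet, table=FILTER_TABLE, conns=CONNECTION_TABLE):
    """Return (action, reason). Adds to `conns` when a new allowed connection opens."""
    fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
    rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
    # 1. Stateful check: segments of a cached connection pass either way.
    if fwd in conns or rev in conns:
        return "allow", "established connection"
    # 2. Anything that is not a connection-opening SYN and has no state is dropped.
    if not pkt.syn or pkt.ack:
        return "block", "no matching connection"
    # 3. New connection: consult the filter table, first match wins.
    for idx, rule in enumerate(table, 1):
        if rule_matches(rule, pkt):
            if rule.action == "allow":
                conns.add(fwd)
            return rule.action, f"filter rule {idx}"
    return "block", "implicit deny"


def demo():
    """Run a few constructed packets through a copy of the connection table."""
    conns = set(CONNECTION_TABLE)
    samples = [
        Packet("222.22.1.13", 5003, "203.0.113.8", 23, syn=True),            # new outbound Telnet
        Packet("203.0.113.5", 23, "222.22.1.10", 5000, ack=True),             # reply on cached Telnet
        Packet("203.0.113.9", 40000, "222.22.1.10", 23, syn=True),           # inbound Telnet attempt
        Packet("198.51.100.7", 40001, "222.22.0.12", 80, syn=True),          # inbound HTTP to server
        Packet("222.22.0.12", 80, "198.51.100.7", 40001, syn=True, ack=True),  # server's SYN-ACK
        Packet("198.51.100.7", 40002, "222.22.0.13", 80, syn=True),          # HTTP to another host
        Packet("222.22.1.14", 5004, "203.0.113.8", 80, syn=True),            # outbound HTTP
    ]
    return [decide(p, FILTER_TABLE, conns)[0] for p in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The connection table is what lets the firewall admit the external hosts' Telnet replies and the web server's own outbound responses even though no filter rule names them: the filter table only governs which connections may be opened, and every later segment is judged against the cached connection entries.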


Key Concepts

These are the key concepts you need to understand to accurately answer the question.

Network Security
Network security is a critical aspect of protecting an organization's data and resources. It involves creating measures to safeguard the integrity, confidentiality, and availability of information across networks.

A stateful firewall is one of the tools used in network security. It keeps track of the state of active connections and makes decisions based on the context of the traffic, such as the established sessions.

For instance, in a company network using a stateful firewall, the firewall can allow internal users to start Telnet sessions with external hosts securely. At the same time, it can ensure that only authorized traffic, like incoming web requests to the company site, is allowed through, while blocking other malicious or unauthorized traffic.

By implementing stringent network security measures, companies reduce the risk of cyber attacks and unauthorized access.
Filter Table
A filter table in network security contains a set of rules that control incoming and outgoing traffic through a firewall. These rules determine which packets can pass and which should be blocked, based on attributes such as IP addresses and port numbers.

Creating a filter table for a stateful firewall involves defining specific rules to achieve desired security outcomes.
  • For outbound Telnet, a rule might allow traffic with a source from an internal network to any external destination on TCP port 23.
  • For inbound HTTP traffic, another rule might allow traffic with a destination at a specific IP, say 222.22.0.12, on TCP port 80.
The filter table also includes default rules that block any traffic not explicitly allowed by other rules, ensuring that network security is maintained at all times.
Connection Table
A connection table is a vital part of a stateful firewall. It keeps a record of established connections, allowing the firewall to recognize expected traffic related to those connections and permit its passage, while potentially rejecting others.

This allows for efficient management of ongoing sessions, crucial in scenarios where connections are initiated by trusted sources, such as internal users accessing external networks.

For example, a connection table might track three Telnet connections initiated from internal IPs to external IPs. This includes details such as:
  • Source IP and port (e.g., 222.22.1.10:5000)
  • Destination IP and port (e.g., 203.0.113.5:23)
By maintaining this table, a firewall accurately manages legitimate traffic and halts unexpected attempts to breach network security.
TCP Ports
TCP ports serve as endpoints for communicating devices. They help determine the type of service requested or provided by a device over the network.

In a stateful firewall setup, different services use different TCP ports to enable secured communication. Telnet, for example, uses TCP port 23, which can be specified in firewall rules to allow or block Telnet traffic.

For web traffic, HTTP commonly uses TCP port 80. By explicitly permitting incoming traffic on this port, a firewall allows the web server to receive data from the internet, enhancing user accessibility while maintaining security standards.

It is important to set up these ports correctly in firewall configurations to ensure both usability and protection.
Internal Network Configuration
Internal network configuration involves defining a network's internal IP address range, which allows an organization to efficiently manage network resources and security policies.

In the example given, an internal network could be defined by the range 222.22/16. This implies all IP addresses from 222.22.0.0 to 222.22.255.255 are part of the internal network.

Such configuration enables a network administrator to establish rules guiding how internal devices interact with external networks, determining which types of connections are permitted.

Properly configured internal networks are crucial for implementing secure firewall rules and ensuring seamless, safe connectivity both within an organization and with the outside world.
