354 Appendix ■ Answers
2. B. All stateful inspection firewalls enforce an implicit deny rule as the final rule of the rulebase. It is designed to drop all inbound traffic that was not accepted by an earlier rule. Stealth rules hide the firewall from external networks, but they are not included by default. This firewall does not contain any egress filtering rules, and egress filtering is not enforced by default. Connection proxying is an optional feature of stateful inspection firewalls and would not be enforced without a rule explicitly implementing it.
3. A. SMTP uses ports 25 and 465. The presence of an inbound rule allowing SMTP traffic indicates that this is an email server.
4. C. The HTTP connection will be allowed, despite the presence of rule #2, because it matches rule #1. The HTTPS connection will be blocked because there is no rule allowing HTTPS connections to this server.
5. D. The firewall should be configured to accept inbound connections from any port selected by the source system. The vast majority of inbound firewall rules allow access from any source port.
6. A. Data streams are associated with the Application, Presentation, and Session layers. Once they reach the Transport layer, they become segments (TCP) or datagrams (UDP). From there, they are converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer.
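The rule-matching behaviour behind answers 2 through 5 (top-down first match, an implicit deny for anything no rule accepted, inbound rules accepting any source port, and a later rule being shadowed by an earlier one) as an added example; this is illustrative code, not part of the study guide, and the rulebase, zone names and connections are constructed here to mirror the scenario rather than copied from the questions.

```python
from dataclasses import dataclass

ANY = "any"  # wildcard for a rule field

@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "accept" or "deny"
    src: str                # source zone, or ANY
    dst: str                # destination host, or ANY
    proto: str              # "tcp", "udp", or ANY
    dst_port: object        # int, or ANY
    src_port: object = ANY  # inbound rules normally accept any source port

@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    proto: str
    dst_port: int
    src_port: int

def _fields(rule):
    return (rule.src, rule.dst, rule.proto, rule.dst_port, rule.src_port)

def matches(rule, conn):
    actual = (conn.src, conn.dst, conn.proto, conn.dst_port, conn.src_port)
    return all(r == ANY or r == a for r, a in zip(_fields(rule), actual))

def evaluate(rulebase, conn):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rulebase:
        if matches(rule, conn):
            return rule.action, rule.name
    return "deny", "implicit deny"

def shadowed_rules(rulebase):
    """Rules that can never fire because an earlier rule already covers every
    connection they would match (the situation of rule #2 in answer 4)."""
    found = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if all(e == ANY or e == lt for e, lt in zip(_fields(earlier), _fields(later))):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed rulebase: rule #2 is shadowed by rule #1, and no rule allows HTTPS (443).
RULEBASE = [
    Rule("1", "accept", ANY, "web", "tcp", 80),
    Rule("2", "deny", "internet", "web", "tcp", 80),
    Rule("3", "accept", ANY, "mail", "tcp", 25),
]
```

Running `shadowed_rules` over a real rulebase export is a quick audit for rules that look like they block something but never fire.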
7. C. A three-tier design separates three distinct protected zones and can be accomplished with a single firewall that has multiple interfaces. Single- and two-tier designs don’t support the number of protected networks needed in this scenario, while a four-tier design would provide a tier that isn’t needed.
8. C. Software-defined networking provides a network architecture that can be defined and configured as code or software. This will allow Lauren’s team to quickly change the network based on organizational requirements. The 5-4-3 rule is an old design rule for networks that relied on repeaters or hubs. A converged network carries multiple types of traffic like voice, video, and data. A hypervisor-based network may be software defined, but it could also use traditional network devices running as virtual machines.
9. B. ISDN, cable modems, DSL, and T1 and T3 lines are all examples of broadband technology that can support multiple simultaneous signals. They are analog, not digital, and are not broadcast technologies.
10. A. A single-tier firewall deployment is very simple and does not offer useful design options like a DMZ or separate transaction subnets.
11. D. Network segmentation can reduce issues with performance as well as diminish the chance of broadcast storms by limiting the number of systems in a segment. This decreases broadcast traffic visible to each system and can reduce congestion. Segmentation can also help provide security by separating functional groups who don’t need to be able to access each other’s systems. Installing a firewall at the border would only help with inbound and outbound traffic, not cross-network traffic. Spanning tree loop prevention helps prevent loops in Ethernet networks (for example, when you plug a switch into a switch via two ports on each), but it won’t solve broadcast storms that aren’t caused by a loop or security issues. Encryption might help prevent some problems between functional groups, but it won’t stop them from scanning other systems, and it definitely won’t stop a broadcast storm!