Guide to Firewalls and Network Security

Chapter 5 Solutions
Review Questions
1.

Why were application-level proxies originally developed?

Answer: B. The other three possibilities are all benefits of using proxy servers, but B was the original
reason they were developed.

2.

Name two things that application proxies do that are similar to packet filters.
Answer: They can filter out traffic from undesirable Web sites, and they can block harmful content.
Both create log files as well, and both read the header portion of IP packets.

3.

Name two things that application proxies do better than packet filters.
Answer: They inspect an entire IP packet, not just the header; they create more extensive log file
listings than packet filters; they completely break the connection between internal users and external
hosts, they rebuild packets before sending them to an outbound destination, thus inserting new IP
source information in order to shield internal users.

4.

Consider the following: you are asked to explain how the company proxy server functions to a group
of end-users. You create an analogy in which an individual makes a purchase and delivery on behalf of
someone else. The head of the IT department shakes his head to indicate that youve missed something.
Why is this analogy inadequate as a way of understanding how proxy servers function? What function
is missing from such an oversimplified description?
Answer: You should add that the person not only makes the purchase, but repackages the item before
delivering it.

5.

Reassembling IP packets adds more time to network communications, so there must be some benefit to
doing so. Give two reasons why its good for proxy servers to reassemble packets before sending them
on their way.
Answer: Reassembling packets with a new source IP address makes it impossible for external hosts to
determine the correct IP address of the host making the request. Also reassembling packets strips out
mangled data that could otherwise be used to initiate network intrusions.

6.

Complete this sentence: Proxy servers conceal internal clients by...

Answer: B. Completely regenerating new requests is the most secure of the four proxy server
functions mentioned. A, C, and D are all functions of proxy servers; A and C in particular help to
conceal internal clients, but they don't provide the level of protection that B does.

7.

Which of the following is not a disadvantage or complication of using an application proxy gateway?
Answer: A. Having a single point of configurationthe proxy server itselfreduces the security
administrator's work somewhat, but proxy servers still need multiple services and multiple clients to be
configured.

8.

Explain why you would want to use load balancing in conjunction with an application proxy gateway.
Answer: Because a proxy server provides a single gateway, it can also be a single point of failure; load
balancing can generate multiple proxies that are in use simultaneously so that, if one proxy goes down,
the others will still function.

9.

Finish this sentence: a proxy server that receives traffic from all services at a single port, such as a
SOCKS server, is called...
Answer: B, a non-transparent proxy. Answer A, a transparent proxy, uses multiple ports for multiple
services. D. is not specific enough: any kind of proxy server can be called an application proxy
gateway.

Guide to Firewalls and Network Security

Chapter 5 Solutions

10. When would you want to dedicate a proxy server to a single service?
Answer: C. A service that is particularly vulnerable, such as SMTP or POP, might warrant a dedicated
proxy server. The fact that a service operates on a server that is accessible to the public doesnt make it
any more or less critical to run a proxy server on it.
11. What does a proxy focus on in an HTTP header in order to redirect a request to a specific URL?
Answer: A, C
12. Consider the following: you run an external Web site that lists catalog items for sale. The
overwhelming number of requests your company receives from the Internet are HTTP requests. You
need to distribute the traffic load more evenly, and you need to protect sensitive client information
contained on your Web server. What kinds of proxy server approaches could help you achieve these
goals?
Answer: Installing a dedicated HTTP server would help you handle the heavy HTTP traffic load, as
would load balancing. Or you could install multiple HTTP proxy servers to balance the load. A reverse
HTTP proxy would provide extra protection for the client information held on the Web server. You
could place the reverse HTTP proxy in the DMZ so the public would access the reverse proxy directly.
It would then seem to be the real Web server. However, the actual Web server would be on the
protected internal network, and the public would never access it directly.
13. True or false: A proxy server should never be located so that it has a direct interface on the Internet.
Answer: False. There is one instance in which a proxy server should be directly accessible to the
Internet: if it is a reverse proxy acting on behalf of one or more Web servers. In this case the reverse
proxy receives HTTP requests from external clients and forwards them to the actual Web server(s). In
all other cases, though, its true that a proxy should not have a direct interface on the Internet because
if a hacker manages to compromise the proxy in some way it can have devastating results for the
organization being protected.
14. Which of the following functions the Session-layer of the OSI model?
Answer: C. Other proxies work at the application layer.
15. Which of the following is a downside of using a reverse proxy?
Answer: C. A is incorrect because the log files aren't actually valuable. B is incorrect because a reverse
proxy can actually improve network performance because it blocks unnecessary or suspicious requests
to the internal Web server. D is incorrect because a reverse proxy can act on behalf of multiple servers.
16. Which of the following is a disadvantage of using SOCKS?
Answer: B. It does not examine the data or payload part of a packet. It does provide other forms of
protection such as recreating packets, and the fact that it works with virtually any TCP/IP application
makes it valuable. Answer A is true, but its not a disadvantage, because other types of proxy servers
also need client configuration.
17. What feature is built in to the free Web server software Apache so that, as a result, it is unnecessary for
a proxy server to perform the same function?
Answer: D. A, B, and C are all features of Apache Web Server, but they are not features of a proxy
server.
18. Why consider using authentication if a proxy server completely separates internal clients from the
Internet?
Answer: B. A and C are functions of user authentication but they have nothing to do with application
proxy gateways.
19. How could you protect an internal network overnight when no employees are present?
Answer: C. A is technically true because it will protect the network but it is impractical to do this. B.
will work, but many e-mail messages will bounce back to their senders. C. is the best answer.

Guide to Firewalls and Network Security

Chapter 5 Solutions

20. What is the purpose of parameters such as time, IP address, or port number?
Answer: They help you establish rules that a proxy server can use to decide whether or not to allow
data to pass through the gateway.

Guide to Firewalls and Network Security

Chapter 5 Solutions