Firewall Rules Question

teancum144 Member Posts: 229
I found a question worded similarly to the following:

Which of the following best describes the following firewall configuration issues?
  • Current firewall logs are excessively large with useless data
  • Currently, the “any-any” rule type is in place
A. Clean-up rule, stealth rule
B. Stealth rule, silent rule
C. Silent rule, negate rule
D. Stealth rule, silent rule

The answer is "C" with an explanation similar to the following:
  • Silent rule: Drop "noisy" traffic without logging it. This reduces log sizes by not responding to packets that are deemed unimportant.
  • Stealth rule: Disallows access to firewall software from unauthorized systems.
  • Cleanup rule: The last rule in the rule base, which drops and logs any traffic that does not meet preceding rules.
  • Negate rule: Used instead of the broad and permissive "any rules." Negate rules provide tighter permission rights by specifying what system can be accessed and how.
Please help me understand the logic behind answer "C".

Edit: If you want to review the original verbiage of the question, it is based on #33 from the AIO book on page 751.
If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post. :D

Comments

  • JDMurray Admin Posts: 13,023
    The first bullet point is referring to a problem where the firewall logs are recording a lot of events that the operations people might not find useful, such as session opened, session closed, and connection dropped. The explanation indicates this situation is mitigated by the "silent rule," by configuring the firewall not to log the specific events you don't want to see in the logs.

    The second bullet point indicates that the last firewall rule is "any any", which allows all traffic through the firewall that isn't dropped by the preceding rules. The explanation indicates the "negate rule" is a better configuration by having the firewall explicitly accept only traffic that it is expecting and drop all other traffic by using a final "deny deny" rule.

    I think these rules are from Check Point firewall documentation.
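The rule types discussed above, as an added example that is not from the thread or the AIO book: a small first-match rule-base evaluator in Python that runs constructed traffic through a rule base with both issues from the question (everything logged, trailing any-any accept) and through one built from a stealth rule, a silent rule, negate-style explicit allows and a final cleanup rule. All addresses, ports and packets are constructed for the demonstration.

```python
"""Added example, not from the thread: a toy first-match rule base modelling the
stealth, silent, negate and cleanup rule types. Hosts, ports and traffic are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Union

ANY = "*"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # source host, or ANY
    dst: str                 # destination host, or ANY
    dport: Union[int, str]   # destination port, or ANY
    action: str              # "accept" or "drop"
    log: bool                # whether a match writes a log line

def matches(rule: Rule, pkt: Dict) -> bool:
    return all(getattr(rule, f) in (ANY, pkt[f]) for f in ("src", "dst", "dport"))

def evaluate(rules: List[Rule], packets: List[Dict]) -> Dict[str, int]:
    """First match wins. Returns how many packets were accepted and how many log lines were written."""
    accepted, logged = 0, 0
    for pkt in packets:
        for rule in rules:
            if matches(rule, pkt):
                logged += rule.log
                accepted += rule.action == "accept"
                break
    return {"accepted": accepted, "logged": logged}

FW, WEB, BCAST = "10.0.0.1", "10.0.0.80", "10.0.0.255"   # constructed addresses
# Constructed traffic: one expected HTTPS request, one SSH probe at the web server,
# one SSH attempt against the firewall itself, and twenty noisy NetBIOS broadcasts.
PACKETS = [
    {"src": "192.0.2.10", "dst": WEB, "dport": 443},
    {"src": "192.0.2.10", "dst": WEB, "dport": 22},
    {"src": "192.0.2.10", "dst": FW, "dport": 22},
] + [{"src": "10.0.0.5", "dst": BCAST, "dport": 137}] * 20

# The rule base with both issues from the question: everything logged, trailing any-any accept.
ANY_ANY = [Rule("any-any", ANY, ANY, ANY, "accept", log=True)]

# The tightened rule base: stealth first, then silent, explicit (negate-style) allows, cleanup last.
TIGHTENED = [
    Rule("stealth", ANY, FW, ANY, "drop", log=True),      # nobody talks to the firewall itself
    Rule("silent", ANY, BCAST, 137, "drop", log=False),   # noisy traffic dropped, not logged
    Rule("negate", ANY, WEB, 443, "accept", log=True),    # only the traffic that is expected
    Rule("cleanup", ANY, ANY, ANY, "drop", log=True),     # final logged deny replaces any-any
]
```

Running `evaluate` over the same 23 packets gives 23 accepted and 23 logged for the any-any rule base, against 1 accepted and 3 logged for the tightened one: the silent rule removes the 20 broadcast log lines and the cleanup rule turns the default from accept to drop.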
  • aftereffector Member Posts: 525
    I must be confused too. I understand what you're saying, JD, but the question seems to be asking what the original configuration is (not what should be implemented to mitigate the issues). The Shon Harris question is "Which of the following best describes the firewall configuration issues [described]?", which as I interpret the answers, would be Stealth / Cleanup, or answer A.
    CCIE Security - this one might take a while...
  • JDMurray Admin Posts: 13,023
    I keyed on the word "issues" in the question as indicating "things that need to be fixed." I agree that it could be better worded to be more clear about what the question is asking.
  • teancum144 Member Posts: 229
    This is another example of the question I raised in the following thread: Although the AIO book discusses these rules (i.e. cleanup, negate, silent, stealth), a search in the OG produces no results. Because these rules are not mentioned in the OG, is it safe to assume these rules will not be included in the CISSP test?
  • JDMurray Admin Posts: 13,023
    I do believe those terms are vendor-specific, and I don't believe you will find any Shon Harris publications listed in the CISSP CIB, so I think you only need to understand the basic concepts of firewall configuration/troubleshooting and not the specific details.
  • f0rgiv3n Member Posts: 598
    I have never heard the terms silent rule, negate rule or clean-up rule in my CISSP, CCNA-Sec or CCNP studies. That might give you an idea of how applicable those terms are.
  • teancum144 Member Posts: 229
    f0rgiv3n wrote:
    I have never heard the terms silent rule, negate rule or clean-up rule in my CISSP, CCNA-Sec or CCNP studies. That might give you an idea of how applicable those terms are.
    Thanks. Having read over 750 pages of the AIO book, I do think it is a good resource to help broaden my understanding. However, I plan to shift my strategy. I'll finish reading it, but I won't use it to develop flash cards. Instead, I'll use the OG for that. Interestingly, now that I've started reading the OG, I find it a pretty easy read. The AIO goes into greater depth, which makes it challenging. However, the AIO is also challenging because the sentence structure/organization and word choices are often not concise and often not easily readable. I find myself rereading sentences. However, I do enjoy the greater technical depth of the AIO book. I guess you could say I have a kind of love/hate relationship with the AIO book.