Firewall Rules and Security+

Posted by in Security+ | 4 comments

If you plan to take the Security+ exam, you should have a good understanding of firewall rules and access control lists (ACLs).  This is the second of three posts in a series showing how they’re used on routers and firewalls to restrict traffic. It ends with a challenge to create firewall rules.

Are you ready for the Security+ performance-based questions?

Can you create rules in an ACL?

Firewall Rules

Firewalls use rules implemented as ACLs to identify allowed and blocked traffic. This is similar to how a router uses rules. Firewalls use an implicit deny strategy to block all traffic that is not explicitly allowed. While rules within ACLs look a little different depending on what hardware you’re using, they generally take the following format:

Permission   Protocol   Source   Destination   Port

  • Permission. You’ll typically see this as PERMIT or ALLOW allowing the traffic. Most systems use DENY to block the traffic.
  • Protocol. Typically, you’ll see TCP or UDP here, especially when blocking specific TCP or UDP ports. If you want to block both TCP and UDP traffic using the same port, you can use IP instead. Using ICMP here blocks ICMP traffic effectively blocking ping and some other diagnostics that use ICMP.
  • Source. Traffic comes from a source IP address. You can identify a specific IP address to allow or block, or a range of IP addresses. Wildcards such as any or all include all IP addresses.
  • Destination. Traffic is addressed to a destination IP address. You can identify a specific IP address to allow or block, or a range of IP addresses, just as you can with the source. Wildcards such as any or all include all IP addresses.
  • Port or protocol. Typically you’ll see the well-known port such as port 80 for HTTP. However, some devices support codes such as www for HTTP traffic. Some system support the use of keywords such as eq for equal, lt for less than, and gt for greater than. For example, instead of just using port 80, it might indicate eq 80.

An important step when deploying a firewall is to determine what traffic you want to allow. You start by assuming you have an implicit deny rule and then you add exceptions for traffic that you want to allow. You then create a rule for each exception. As an example, imagine you have to create rules on a firewall to meet the following requirements:

  1. Allow all HTTP traffic to a web server with an IP of 192.168.1.25.
  2. Allow all HTTP and HTTPS traffic to a web server with an IP of 192.168.1.25.
  3. Allow DNS queries from any source to a computer with an IP of 192.168.1.10.
  4. Block DNS zone transfer traffic from any source to any destination.
  5. Block all DNS traffic from any source to any destination.
  6. Implement implicit deny.

How many rules would you create? What protocols would you use? What ports? The table in the next post shows the solution.

 Remember this

Firewalls use a deny any any, deny any, or a drop all statement at the end of the ACL to enforce an implicit deny strategy. The statement forces the firewall to block any traffic that wasn’t previously allowed in the ACL. The implicit deny strategy provides a secure starting point for a firewall.

Security+ Study Packages

Next page …. Previous page

Page 1 of 3 ACLs and Security+

Page 2 Firewall Rules and Security+  (this page)

Page 3 Firewall Rules Solution

Security+ Practice Test Questions

SY0-501 Practice Test Questions 

Over 300 realistic Security+ practice test questions

All questions include explanations so you'll know why the correct answers are correct,

and why the incorrect answers are incorrect.

Pass the Security+ Exam

the First Time You Take It

Multiple quiz formats to let you use these questions based on the way you learn.
  • Learn mode - randomized. View each of the questions in random order. Learn mode allows you to keep selecting answers until you select the correct answer. Once you select the correct answer, you'll see the explanation. Click here to see how learn mode works.
  • Learn mode - not randomized. View each of the questions in the same order. Use this if you want to make sure that you see all of the questions. Learn mode allows you to keep selecting answers until you select the correct answer. Once you select the correct answer, you'll see the explanation. Click here to see how learn mode works.
  • Test mode - randomized. View each of the questions in random order. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
  • Test mode - not randomized. View each of the questions in the same order. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
  • Test mode - 75 random questions. View 75 random questions from the full test bank similar to how the Security+ exam has a potential maximum of 75 multiple choice questions. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.

Get the full bank of SY0-501 Practice Test Questions Here

 SY0-501 Practice Test Questions


INCLUDES QUESTIONS TO HELP YOU PREPARE

FOR THE NEW PERFORMANCE BASED QUESTIONS 

Bonus - Performance Based Questions

Three sets of performance-based questions including over 30 questions. These questions show you what you can expect in the live exam. They include drag and drop, matching, sorting, and fill in the blank questions. See a demo here.

Bonus - Extra Practice Test Questions

New multiple-choice questions in the extra test bank. Questions are added occasionally. You can see what has been added recently here.

Get the full bank of Security+ (SYO-501) Practice Test Questions Here

Get the full bank of Security+ Practice Test Questions

Click here if you're looking for SY0-501 Full Study Package

Security+ Full Access Package

Get Certified Get Ahead Security+

Pass the First Time!

Up-to-date Content

New multiple-choice and performance-based questions added regularly

Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.

Buy The Full Access Study Package Today

60 Days Access

Need more time? You can easily renew for another 60 days at a significantly reduced price.

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. They can also be used to help ensure you're ready no matter what study guide you're using.

This exam is expensive.

Make sure you're ready before exam day. 

Here's what you'll get:
  • All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. See a demo here. All questions have full explanations so you'll know why the correct answers are correct and why the incorrect answers are incorrect.
  • Over 40 new multiple-choice questions we've added after publishing the study guide.
  • Over 30 performance-based questions. See a demo here.
  • All of the flashcards from the study guide. View them in any Web browser.
  • All of the audio from the study guide. Listen to a sample here.
  • Access to a free discount code for 10% off your Security+ voucher.

Buy The Full Access Study Package Today

60 Days Access

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

4 Comments

  1. Why do we need to specify traffic to be blocked if the implicit deny is going to block it anyways?

    • The point of the blog post is to help test takers familiarize themselves with content and possible questions that they might see on the live exam.

      Imagine you get a question that expects you to identify how to block certain traffic, but implicit deny is not given as a possible choice.

      You can’t ask for a different question. Instead, you much pick the best possible answer of the available choices.

      I understand you may not agree with the approach of some CompTIA test item developers.

      Still, my goal is to help people prepare for similar questions that they may see.

  2. Do I use /32 for every firewall rule that I need to identify a computer or server individually in the rule or is there an equation that I have to use to figure out the mask for the individual computer? For instance is it always /32 or is it sometimes /20 or / 17…? Also in the video here you show that the source and destination both have /32 but in the Performance Based problems on GetCertifiedGetAhead the destination address do not have a /32, why is that?

    • Here’s a cut and paste from the next page in this series. I’ve formatted it differently to stress what you’re asking.

      IP addresses and networks. You can add a rule in the ACL to block access from any single computer based on the IP address.

      If you want to block traffic from one subnet to another, you can use a rule to block traffic using the subnet IDs. For example, the sales department may be in the 192.168.1.0/24 network and the accounting department may be in the 192.168.5.0/24 network. You can ensure traffic from these two departments stays separate with an ACL on a router.

      If you want to block traffic to a single computer you would use /32. For example if you wanted to block traffic to a computer with an IP address of 192.168.1.1, you would use 192.168.1.1/32.

      The performance based questions have different scenarios. Also, they all have full explanations.

      If the scenario requires you to block access to the network, use /24 (or whatever the CIDR notation is that for that network).

      If the scenario requires you to block access to a computer, use /32.

      This is a great example of how a subtle change in the wording of a question is extremely important. CompTIA isn’t trying to trick people with these questions. Instead, they are simply trying to ensure that people understand the difference. People that memorize practice questions and answers have problems. People (like you right now) that try to understand the content, do better.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide

Subscribe To Our Newsletter

Join our mailing list and get a free excerpt of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide.  This excerpt includes the introduction and Chapter 1. 

You have Successfully Subscribed!

Get Certified Get Ahead is a participant in the Amazon Services LLC Associates Program,
an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.

Copyright © 2015 Get Certified Get Ahead. All Rights Reserved.