1. How is an application layer firewall different from a packet filtering firewall?

Why is an application layer firewall sometimes called a proxy server?

An application layer firewall, also known as a proxy server, operates at the application
layer of the OSI model. This means that it is able to inspect and monitor the contents of
incoming and outgoing traffic at the application level. In contrast, a packet filtering firewall
operates at a lower level of the OSI model, typically at the network or transport layer. This
means that it is only able to inspect the headers of incoming and outgoing packets and make
decisions based on that information.

One of the key advantages of an application layer firewall is that it is able to provide
more detailed and fine-grained control over network traffic. This is because it is able to inspect
the contents of the traffic, rather than just the headers of the packets. For example, an
application layer firewall can be configured to block certain types of traffic, such as specific file
types or URLs, based on the contents of the traffic.

The other reason an application layer firewall is sometimes called a proxy server is
that it acts as an intermediary between the client and the server. When a client sends a
request to a server, the request is first sent to the proxy server. The proxy server then inspects
the request and either fulfills the request itself or forwards it on to the server. This provides an
additional layer of security, because the client's IP address is hidden from the server and the
server's IP address is hidden from the client.
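To make the difference concrete, here is an added example (not part of the original answers) that runs the same HTTP request past a header-only packet filter and a content-aware proxy; the blocked host, blocked file extensions and sample packets are assumptions constructed for the illustration.

```python
# Added example, not part of the original answers: the same HTTP request seen by a
# header-only packet filter and by a content-aware application-layer proxy.
from dataclasses import dataclass
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"files.example.invalid"}   # assumed policy values for the example
BLOCKED_EXTENSIONS = {".exe", ".scr"}       # assumed policy values for the example

@dataclass
class Packet:
    proto: str
    dst_port: int
    payload: bytes   # application data: opaque to a packet filter, readable by a proxy

def packet_filter(pkt: Packet) -> str:
    """Header-only decision: match on protocol and destination port, never on content."""
    if pkt.proto == "tcp" and pkt.dst_port in (80, 443):
        return "allow"
    return "deny"

def parse_http_request(payload: bytes):
    """Minimal HTTP/1.x parser: request line plus headers (written for this example)."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def application_proxy(pkt: Packet) -> str:
    """Content-aware decision: the proxy terminates the client's connection, reads the
    request, applies policy to host and path, then forwards it to the server itself."""
    if packet_filter(pkt) == "deny":     # header rules still apply first
        return "deny"
    _method, target, headers = parse_http_request(pkt.payload)
    path = urlsplit(target).path.lower()
    if headers.get("host", "") in BLOCKED_HOSTS:
        return "deny: blocked host"
    if any(path.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return "deny: blocked file type"
    return "forward"

# Constructed sample packets: identical headers, different application content.
GET_EXE = Packet("tcp", 80,
                 b"GET /downloads/setup.exe HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n")
GET_HTML = Packet("tcp", 80,
                  b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n")
```

The packet filter allows both requests because their headers are identical; only the proxy, which reads the request line and Host header, can tell them apart.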

2. How does screened-host firewall architecture differ from screened-subnet
firewall architecture? Which offers more security for the information assets
that remain on the trusted network?

In a screened-host firewall architecture, the firewall is placed between a single trusted
host and the untrusted network. All incoming and outgoing traffic to and from the trusted host
must pass through the firewall, which is responsible for filtering and blocking potentially
malicious traffic.

In a screened-subnet firewall architecture, the firewall is placed between an entire
subnet of trusted hosts and the untrusted network. All incoming and outgoing traffic to and from
the trusted subnet must pass through the firewall, which is responsible for filtering and blocking
potentially malicious traffic.

In terms of security, a screened-subnet firewall architecture generally offers more
protection for the information assets that remain on the trusted network. This is because the
firewall is able to protect all of the hosts on the trusted subnet, rather than just a single host. In
addition, the screened-subnet architecture allows for the implementation of additional security
measures, such as network segmentation and access controls, which can further enhance the
security of the trusted network.

3. What is a DMZ? Is this really a good name for the function that this type of
subnet performs?

A DMZ, or demilitarized zone, is a subnet that is used to isolate an organization's
external-facing services from its internal network. This subnet is typically placed between the
organization's internal network and the Internet and is used to host services such as Web
servers, DNS servers, and other services that need to be accessible to external users.

The name "DMZ" comes from the term "demilitarized zone," which is used to describe an
area that is not intended for military operations. In the context of networking, the DMZ serves as
a neutral zone between the organization's internal network and the outside world, where
external-facing services can be hosted without exposing the organization's internal network to
potential security threats.

While the name "DMZ" accurately reflects the function of this type of subnet, some
people have questioned whether it is a good name because it may be confusing or misleading
to non-technical audiences. For example, the term "demilitarized zone" may not be immediately
intuitive to someone who is not familiar with the concept and may not accurately convey the
purpose of the subnet. As a result, some people have suggested that a more descriptive name,
such as "perimeter network" or "external network," may be more appropriate.
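The screened-subnet design of question 2 and the DMZ of question 3 come down to the same zone-to-zone policy. The following is an added example (not from the original answers) of such a policy as a small evaluator; the zone address ranges and permitted services are assumptions chosen for the illustration.

```python
# Added example, not part of the original answers: zone-to-zone policy for a screened-subnet
# design where the DMZ sits between the Internet and the trusted internal network.
# Zone address ranges and permitted services are assumptions made for this example.
import ipaddress

ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),   # trusted network
    "dmz": ipaddress.ip_network("192.0.2.0/24"),      # screened subnet, public services
    "internet": ipaddress.ip_network("0.0.0.0/0"),    # everything else (checked last)
}

# (source zone, destination zone) -> destination ports a new connection may use.
# Pairs that are absent, or map to an empty set, are denied: the DMZ can never
# open a connection into the trusted network, and the Internet can never reach it.
POLICY = {
    ("internet", "dmz"): {53, 80, 443},      # public DNS and web servers only
    ("internal", "dmz"): {22, 80, 443},      # admins manage and use DMZ hosts
    ("internal", "internet"): {80, 443},     # outbound browsing
    ("dmz", "internet"): {53, 80, 443},      # DMZ hosts resolve names and fetch updates
    ("dmz", "internal"): set(),
    ("internet", "internal"): set(),
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; ZONES is ordered most specific first."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Decision for a new connection crossing the screening firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow (same zone, not screened)"
    return "allow" if dst_port in POLICY.get((src, dst), set()) else "deny"

def dmz_reach_into_internal(dmz_ip: str = "192.0.2.10") -> dict:
    """What a DMZ host that has been taken over could open toward the trusted network:
    with the policy above, nothing, on any port."""
    return {port: decide(dmz_ip, "10.0.0.5", port) for port in (22, 80, 445, 3389)}
```

The last function is the point of the design: even if a public-facing DMZ server is compromised, the policy gives it no path into the assets that remain on the trusted network.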

4. What is RADIUS? What advantage does it have over TACACS?

RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that is
used for remote user authentication and accounting. It is typically used by Internet Service
Providers (ISPs) and enterprises to authenticate users who are trying to access network
resources, such as the internet or a virtual private network (VPN).

One advantage of RADIUS over TACACS (Terminal Access Controller Access Control
System) is that RADIUS can authenticate users based on multiple factors, such as their
username and password, as well as their physical location or IP address. This allows for more
flexible and secure authentication compared to TACACS, which only authenticates based on
username and password. Additionally, RADIUS supports encryption of authentication
information, whereas TACACS does not.

5. How does a network-based IDS differ from a host-based IDS?

A network-based intrusion detection system (IDS) is a security tool that monitors network
traffic for suspicious activity and attempts to identify malicious behavior. This type of IDS is
installed on a network device, such as a router or firewall, and is used to monitor traffic on the
entire network.

In contrast, a host-based IDS is installed on a single host or device, such as a server or
workstation, and is used to monitor and protect that specific host. A host-based IDS is typically
more focused on protecting the host itself and is often used to monitor for malicious activity on
specific services or applications running on the host.

One key difference between the two types of IDS is the scope of their monitoring. A
network-based IDS is able to monitor all traffic on the network, whereas a host-based IDS can
only monitor traffic to and from the specific host it is installed on. This means that a
network-based IDS may be better at detecting network-wide attacks, while a host-based IDS
may be better at detecting attacks that are targeted at a specific host.
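The difference in scope is easiest to see on data. Below is an added example (not from the original answers) with two small detectors: a network-based one over flow records for a whole segment, and a host-based one over a single host's auth log. All flow records, addresses and log lines are constructed sample data.

```python
# Added example, not part of the original answers: the same intrusion seen from a
# network-based IDS (flow records for the whole segment) and from a host-based IDS
# (one host's own auth log). All records below are constructed sample data.
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port) as a NIDS on the segment sees them.
FLOWS = [
    ("203.0.113.5", "10.0.0.10", 22), ("203.0.113.5", "10.0.0.11", 22),
    ("203.0.113.5", "10.0.0.12", 22), ("203.0.113.5", "10.0.0.13", 22),
    ("10.0.0.20", "10.0.0.10", 443), ("10.0.0.21", "10.0.0.10", 443),
]

# Constructed sshd-style auth log lines as a HIDS on host 10.0.0.10 sees them.
HOST_AUTH_LOG = """\
Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Failed password for root from 203.0.113.5 port 40123 ssh2
Accepted publickey for deploy from 10.0.0.20 port 51000 ssh2
Failed password for root from 203.0.113.5 port 40124 ssh2
"""

def nids_sweep_alerts(flows, min_targets=3):
    """Network-wide view: one source hitting the same port on many hosts (a horizontal
    sweep). A HIDS cannot see this, because each host only sees its own connection."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        targets[(src, port)].add(dst)
    return {f"{src}->{port}": sorted(dsts)
            for (src, port), dsts in targets.items() if len(dsts) >= min_targets}

def hids_bruteforce_alerts(log_text, threshold=3):
    """Single-host view: repeated failed logins against this host, grouped by source.
    A NIDS watching encrypted SSH sessions sees connection attempts, not their outcome."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        if line.startswith("Failed password") and " from " in line:
            failures[line.split(" from ", 1)[1].split()[0]] += 1
    return {src: n for src, n in failures.items() if n >= threshold}

def flows_seen_by_host(flows, host_ip):
    """Restrict the flow records to what a single host's HIDS would observe."""
    return [f for f in flows if host_ip in (f[0], f[1])]
```

Run over the full flow set, the NIDS flags the sweep across four hosts; run over only the flows host 10.0.0.10 can see, it flags nothing, while the HIDS on that host is the one that sees the repeated failed logins.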

6. What is a VPN? Why are VPNs widely used?

A virtual private network (VPN) is a technology that allows users to securely connect to a
private network over the internet. VPNs use a combination of encryption and tunneling to create
a secure and private connection, which can be used to access network resources and services
remotely, as if the user were directly connected to the private network.

VPNs are widely used because they provide a number of benefits over other types of
remote access methods. For example, VPNs can be used to securely access corporate
networks and resources from remote locations, such as when working from home. VPNs can
also be used to protect users' online privacy and security by encrypting their internet traffic and
hiding their IP address. Additionally, VPNs can be used to bypass internet censorship and
access restricted content. These benefits make VPNs an essential tool for many individuals and
organizations.