TICSA


1. Which three of the following statements are true about root certificates?

A. They are self-signed
B. They are signing certificates
C. If compromised, they compromise the entire subordinate PKI
D. They are cross-certificates

>> !
Answer: A, B & C

Root certificates are self-signed by the CA that created them. This means that the signing and issuing authority are the same.

All root certificates are signing certificates used to sign other certificates (usually subordinate Certificate Authorities).

If a root certificate is compromised, it can be used to sign anything in the name of the certificate authority. This means that all certificates issued in the entire Public Key Infrastructure (PKI) are invalidated because they can no longer be trusted (no one knows whether they are bogus).

Cross-certificates create lateral trust relationships between certificate authorities. These are special certificates that allow PKIs to be extended beyond their normal hierarchical configuration. These are not root certificates.


2. Which of the following are accurate statements about a root Certification Authority (CA)? (Choose all that apply)

A. It signs its own root certificate
B. It should verify identity
C. The root CA must be a government entity
D. The root CA should sign certificates that it issues

>> !
Answer: A, B & D

The root CA signs its own certificate because it is the top of the PKI infrastructure.

The CA should verify the identity of its subauthorities and certificate recipients, otherwise it isn't performing its job.

CAs must sign the digital certificates they issue, otherwise the CA and certificate are useless.

Root CAs can be government authorities, but this is not a requirement.


3. In secure transactions using TLS with a Web server, which three of the following are available/presented to the user's application?

A. Web server name
B. One time pad list
C. CA name
D. Private key
E. Public key

>> !
Answer: A, C & E

The Web server name is required for the user to verify identity.

The Certificate Authority's name is released so the user can determine whether to trust the server and verify the server's identity with the CA.

The user's application must receive/access a public key to communicate with the server.

A one-time pad may be used in authentication and transferred over secure means, but that is not an absolute and certainly not a part of typical TLS communications.

Private keys are not released to the user's application; they are maintained on the server.


4. After you install a new operating system, which of the following tasks should you undertake to improve security? (Choose all that apply)

A. Install all security patches
B. Disable all default user accounts possible
C. Disable all unnecessary services
D. Use a FAT or FAT32 file system
E. Change default account names and passwords

>> !
Answer: A, B, C & E

You install security patches after the installation of a new operating system because they often patch security holes.

Whenever possible, you should remove, disable or at a minimum, rename the built-in user accounts that are usually well-known by attackers.

Removing unnecessary services reduces the chances that your system will be running an exploitable service.

You should change default account names and passwords to increase security.

File Allocation Table (FAT) and its 32-bit version (FAT32) are not locally secure file systems and don't improve the security of your operating system.


5. Which three of the following files are used with tcpwrappers?

A. xinetd
B. smbd
C. inetd
D. hosts.deny
E. hosts.allow

>> !
Answer: C, D & E

inetd launches other server services.

hosts.allow and hosts.deny are used as tcpwrappers.

xinetd is an updated and more secure version of inetd.

smbd is the Samba server daemon.


6. Your company uses private internal IP addressing. You want to reduce the risk of external attackers spoofing your internal address range. What should you do?

A. Configure egress filtering on your routers
B. Configure ingress filtering on your routers
C. Lease IP addresses from a DHCP server
D. Prevent IP addresses with public ranges from entering your network

>> !
Answer: B

Ingress filtering is typically used to protect internal clients from external clients. For example, ingress filters on private IP ranges help to prevent a private internal IP network from being the victim of IP spoofing that originates outside of the internal network.

Egress filtering controls traffic leaving your network toward the Internet; it helps, for example, when your clients are infected with a virus that uses them to attack hosts on the Internet and in other organizations.

Using a DHCP server is not really relevant to this question and more information would have to be added to this answer to make it relevant.

This is similar to ingress filtering, which helps to protect internal clients from external IP address spoofing.


7. Action conducted by an adversary on a potential victim is most accurately defined by which of the following?

A. Attack
B. Threat
C. Asset
D. Intrusion

>> !
Answer: A

An attack is an action conducted by an attacker/adversary against a target/victim. Unlike an intrusion, an attack does not have to succeed.

TruSecure defines threat as the rate of potential security events in a given period (per month, hour, second, and so on). CERT.org categorizes threats as anything that might compromise an asset. This includes people, natural disasters, and accidental security events. Part of assessing threats involves determining how likely they are to occur.

Assets are items that have value that you want to protect. Examples of assets are information, hardware, software, and people.

An intrusion is an actual undesired and potentially illegal breach of an information system.


8. Which of the following actions helps to prevent unknown attacks?

A. Implement https Web sites
B. Ensure current security patches are applied
C. Uninstall unneeded applications and disable unnecessary services
D. Use digital signatures on your email

>> !
Answer: C

The correct answer is, "Uninstall unneeded applications and disable unnecessary services."

Services and applications that you don't need should be removed or disabled because future vulnerabilities may be found in them.

https Web sites are more secure than http, but removing unneeded applications and disabling unnecessary services is more helpful in mitigating future risk.

Current security patches protect you from current threats and known attacks (not unknown attacks).

Digital signatures help to verify your identity, but are not the most effective way to reduce potential risks.


9. When you restrict access to a resource by preventing specific individuals, groups or hosts from accessing that resource, what are you configuring?

A. Implicit Allow
B. Explicit Deny
C. Default Deny
D. Default Allow

>> !
Answer: B

Explicit deny is used to keep out a specified person, group or host(s).

This is the exact opposite of the correct answer. Implicit allow means that anyone not specifically denied access will be able to get in.

Default Deny or Implicit Deny allows only those who are specifically listed/allowed to access a network or resource; the rest are denied access.

This is the exact opposite of the correct answer. Default allow means that anyone not specifically denied access will be able to get in.


10. When employers create an acceptable use policy, they should include which three of the following?

A. Specific restrictions
B. Tasks that are permitted
C. Consequences of misuse
D. Where to recycle toner cartridges

>> !
Answer: A, B & C

Employees should be informed of specific use restrictions, such as not allowing employees to run personal businesses via company equipment.

Describing permitted uses for company equipment is the main purpose of the document.

Penalties for misuse should be clearly defined.

Recycling is usually placed in a different company policy or indoctrination document.


11. Which of the following is the most effective protection against spam entering your internal network?

A. Ask users to enable junk mail rejection on their client programs
B. Deny TCP port 25 inbound and outbound on your firewall
C. Place a spam filter on your email gateway
D. Deny TCP port 80 inbound and outbound on your firewall

>> !
Answer: C

Spam filters on the email gateway prevent spam from entering your internal network from the Internet.

Spam filtering on the email gateway prevents messages from reaching users and controls spam from a central location.

TCP port 25 is used for SMTP mail transfer; denying it would block all email carried over the default SMTP port, not specifically spam.

TCP port 80 is typically for Web communications.


12. Which two of the following are common social engineering attacks?

A. Telephone calls from people claiming to be IT support professionals
B. Brute force password guessing
C. Code Red Worm
D. Unauthenticated password reset requests

>> !
Answer: A & D

Telephone calls to users requesting passwords, password changes or sensitive information that can help an attacker gain access to an information system are considered social engineering attacks.

Social engineering attacks frequently involve telephone calls or emails requesting password resets. The attacker may already know (or be able to easily ascertain) the reset password.

Brute force password guessing is called a brute force attack and is run against a computer authentication system. Social engineering attacks involve deceiving people.

Social engineering involves deception aimed against people; the Code Red Worm targets weaknesses in computer operating systems.


13. According to the TruSecure formula for assessing risk, if the threat rate is 10 times per day, the vulnerability is nonzero, and the event cost is zero, then what is the risk?

A. Zero
B. One
C. Somewhere between nine and ten
D. Ten

>> !
Answer: A

The formula, Risk = Threat x Vulnerability x Event Cost, shows that if any factor assessed is zero, the risk is zero. For more information, review the TruSecure Webinar: "Calculating Risk," which can be downloaded from their Web site http://www.trusecure.com.


14. Which of the following should you do before running most vulnerability assessment tools?

A. Ensure the tool's definition files and databases are current
B. Stop all services on the host to be scanned
C. Remove the network card of the host to be scanned
D. Restart the host to be scanned

>> !
Answer: A

In this respect a vulnerability assessment tool is similar to a virus scanner: it is only as good as its latest update.

You shouldn't stop all services on the host to be scanned because it may mislead the assessment tool.

You shouldn't remove the network card of the host to be scanned because it may mislead the assessment tool.

Usually, you don't need to restart a system to scan it, and doing so may change its operational status.


15. Based on data collected up through 2002, which of the following has posed the highest risk to the vast majority of companies and individuals that have Internet access?

A. Social engineering attacks
B. Competitor hacking
C. Viruses and worms
D. Data sniffing

>> !
Answer: C

Viruses and worms pose the highest risk to companies and individuals.

Social engineering attacks haven't caused as much trouble for as many people as viruses and worms.

Competitor hacking hasn't caused as much trouble for as many people as viruses and worms.

Data sniffing hasn't caused as much trouble for as many people as viruses and worms.


16. Which two of the following are useful for preventing or limiting password attacks?

A. WinTrinoo
B. Propfind
C. One-time password/one-time token
D. Account lockout policies

>> !
Answer: C & D

One-time tokens are good for preventing the sniffing of passwords on the network.

WinTrinoo is zombie software used for Distributed Denial of Service (DDoS) attacks.

Propfind is used to exploit Microsoft WebDAV for a Denial of Service (DoS) attack.

By configuring account lockout policies, you can limit the number of guesses that an attacker can make at a password.


17. When a user forgets a password, which of the following is the most secure method for resetting that password?

A. Reset the password over the phone
B. Ask the person to come to your office and bring official identification before resetting the password
C. Call the person back at their assigned telephone number, confirm, and then reset the password
D. Ask the user to verify their Social Security Number or Employee ID number and then reset the password

>> !
Answer: B

Asking the person to come to your office with official identification is the best method because you can verify the person's credentials and then reset their password. Although counterfeit ID is possible, it is the least likely to succeed given the answer set.

Resetting the password over the phone is the least secure method of performing a password reset and is vulnerable to social engineering attacks.

Calling the person back at their assigned telephone number, confirming, and then resetting the password is a fairly secure method, but phones can be forwarded more easily than ID can be faked.

Social Security Numbers and Employee IDs can be obtained more easily than fake IDs, Social Security cards and Employee ID cards.


18. Which of the following are accurate statements concerning buffer overflow vulnerabilities? (Choose all that apply)

A. Related to programming oversights
B. Never can be repaired
C. Can usually be patched
D. Are the result of good quality programming

>> !
Answer: A & C

Usually, buffer overflows are due to something the application programmer overlooked.

Programming issues, such as buffer overflows, are repairable.

The opposite is true; poor quality programming is a more likely cause of buffer overflow vulnerabilities.


19. Which of the following ports are related specifically to Network Basic Input/Output System (NetBIOS) related services? (Choose all that apply)

A. TCP 137
B. UDP 139
C. UDP 161
D. TCP/UDP 389
E. TCP/UDP 3268

>> !
Answer: A & B

TCP 137 is used for NetBIOS Name Services (NBNS), which can be used for enumeration attacks (searches for potential targets for attack).

TCP 139 is used for NetBIOS session services (SMB over NetBIOS), which can be used for enumeration attacks (searches for potential targets for attack).

TCP 161 is used for Simple Network Management Protocol services, which can be used for enumeration attacks (searches for potential targets for attack).

TCP/UDP 389 is used for Lightweight Directory Access Protocol (LDAP) services, which can be used for enumeration attacks (searches for potential targets for attack).

TCP/UDP 3268 is used for Global Catalog services, which can be used for enumeration attacks (searches for potential targets for attack).


20. When managing a router, which of the following provides you the most secure connection?

A. Console cable to the serial port
B. 802.11b connection
C. TFTP
D. FTP

>> !
Answer: A

A console cable to the serial port means that you are directly connected to the router and none of your configuration settings are traversing the network, so they cannot be sniffed.

Wireless 802.11b connections could be monitored; the console cable is more secure.

TFTP connections typically do not require authentication; the console cable is more secure.

FTP connections are not widely supported and typically do not transfer passwords in a secure manner; the console cable is more secure.


21. Which three of the following are potential security issues with standard FTP services?

A. Dynamic ports for data transmission
B. Unencrypted passwords
C. No authentication
D. Unencrypted data

>> !
Answer: A, B & D

Data is transferred to a port that is dynamically defined by a client, which means that usually a range of ports must be open on the firewall to allow external access to FTP.

Data transfers are not encrypted over typical FTP sessions.

Passwords are not encrypted over typical FTP connections.

FTP does have authentication, but it isn't very secure.


22. Without encryption, which of the following is most susceptible to network sniffing as a source of information gathering?

A. Fiber optic cable
B. Serial cable
C. 802.11b
D. Shielded twisted pair

>> !
Answer: C

802.11b wireless networks are the easiest to sniff because physical connections are not necessary.


23. Which of the following attacks utilizes spoofed packets with ICMP echo/reply requests to increase broadcast traffic?

A. Fraggle
B. Sequence number spoofing
C. Brute force attacks
D. Smurf attacks

>> !
Answer: B

RFC 1948 is titled "Defending Against Sequence Number Attacks" and it explains how TCP sessions could be hijacked if an attacker could guess the sequence number of a TCP connection. Many vendors added some type of pseudo random number generators into their TCP implementations to make TCP hijacking much more difficult.

Fraggle or pingpong attacks are accomplished by sending a spoofed UDP packet to the chargen port on an intermediate system with the source address set to a broadcast address. On many systems, the source port can also be set to the echo port and may cause a ping-pong effect between the chargen and the echo ports. This process can be repeated with multiple hosts generating a large stream of traffic and causing a denial of service.

Brute force attacks are targeted against password guessing.

Smurf attacks spoof ICMP packets.


24. Which of the following are magnification attacks? (Choose all that apply)

A. Social engineering
B. Smurf
C. Chargen
D. Fraggle

>> !
Answer: B, C & D

A smurf attack (a.k.a., ICMP magnification attack) uses ICMP Echo/Reply packets to generate multiple ICMP Echo Replies. An ICMP Echo request with a spoofed source address (the target) is used with a broadcast-directed destination to generate an ICMP Echo Response from each host on a given subnet.

Chargen is a UDP magnification attack (a.k.a., fraggle or ping pong attack).

Social engineering attacks are focused on deceiving people to gain sensitive information or a situation that could be used to compromise an information system.

Fraggle or pingpong attacks are accomplished by sending a spoofed UDP packet to the chargen port on an intermediate system with the source address set to a broadcast address. On many systems, the source port can also be set to the echo port and may cause a ping-pong effect between the chargen and the echo ports. This process can be repeated with multiple hosts generating a large stream of traffic and causing a denial of service.


25. Which of the following uses public key encryption and digital signatures to certify every resolved IP address?

A. fprot
B. LC4
C. DNSSEC
D. SAINT

>> !
Answer: C

DNSSEC uses public key encryption and digital signatures to certify addresses resolved by the DNS system. Each domain has an assigned public key. When a client computer resolves a host name, it checks the signature on the host's response. This eliminates spoofing; attackers can still send bogus responses, but they cannot properly sign those responses.

fprot is an antivirus scanner.

LC4 is a vulnerability assessment tool.

SAINT (Security Administrator's Integrated Network Tool) is a vulnerability assessment tool.


26. Which of the following types of firewalls never allow a connection to be made directly from the outside to a server on the internal network?

A. Stateless packet filter
B. Stateful packet inspection
C. Proxy

>> !
Answer: C

Proxy firewalls always act on behalf of internal/external hosts, so they never allow a connection from outside to the internal private network.

Stateless packet filtering firewalls reject certain types of traffic based on their protocol and network-layer content. However, they do allow connections from outside the firewall to internal resources.

Although stateful packet inspection firewalls prevent many types of attacks from occurring, they do allow connections from outside to internal network resources.


27. If you placed a Symantec firewall and a Cisco PIX firewall in series at the perimeter of your network, you are practicing which of the following? (Choose all that apply)

A. Security by obscurity
B. Defense in depth
C. Diversity of defense
D. Bootstrap

>> !
Answer: B & C

Using two firewalls in series is defense in depth. Using two different firewalls in series is referred to as a "belt-and-suspenders" architecture.

Using two different types of firewalls illustrates diversity of defense. Using two different firewalls in series is referred to as a "belt-and-suspenders" architecture.

Security by obscurity is the use of proprietary technology in hopes that it will be so obscure that no one will know how to attack it. This is usually only reasonable as a temporary solution.

Bootstrap is a startup term used for protocols and processes that deal with the initialization of an information system.


28. What do tcpwrappers provide? (Choose all that apply)

A. Stateful packet filtering
B. Access control
C. Antivirus scanning
D. Logging

>> !
Answer: B & D

Tcpwrappers wrap around protected applications. They filter hosts that should not have the ability to connect and allow other hosts to connect. They log the connection requests by hosts.

Tcpwrappers provide logging and access control, but after that, they either block or allow access (no monitoring of packet states).

Tcpwrappers do not scan for viruses.


29. Which of the following is synonymous with a screened subnet?

A. SAINT
B. LC4
C. Broadcast
D. DMZ

>> !
Answer: D

DMZ stands for demilitarized zone and is equivalent to a screened subnet. This configuration means that there is an external firewall protecting a segment (DMZ/screened subnet). Between that segment and the internal or private network is at least one more firewall.

SAINT (Security Administrator's Integrated Network Tool) is a vulnerability assessment tool.

LC4 is a vulnerability assessment tool.

Broadcast is a term that means a packet or segment is being sent to all hosts.


30. Which of the following security implementations are typically transparent to the user? (Choose all that apply)

A. Tcpwrappers
B. Personal firewalls
C. Local antivirus scanners
D. Packet filters

>> !
Answer: A & D

Unless the user is not authorized to utilize a service, tcpwrappers are typically unnoticed by users.

Personal firewalls, such as Zone Alarm, often require user interaction and often tell users that something is happening.

Many virus scanners (especially local ones) let the user know that scanning is occurring or that the system is protected by virus scanning.

Packet filters are usually transparent to the user, providing protection without any user interaction.


31. Which two of the following terms are synonymous with an application-gateway firewall?

A. Default gateway
B. Gateway of last resort
C. Application proxy
D. Application-level proxy

>> !
Answer: C & D

Application gateway, application proxy, application-level proxy, and proxy firewall are the same thing. This device acts on behalf of host computers on either side of the network preventing a direct connection from the external network to the internal network.

The default gateway is the router interface that hosts use to reach the Internet or other networks.

The gateway of last resort is the route that a router uses when it has no more specific route to a destination network.


32. Which of the following firewall types is most likely to track TCP sequence numbers?

A. Proxy
B. Stateless packet filter
C. Stateful packet inspection

>> !
Answer: C

Stateful packet inspection firewalls track connection information, often contained in sequence numbering of TCP packets.

Proxy-filtering firewalls act on behalf of other clients.

Standard packet-filtering firewalls do not track connection information the way stateful packet inspection firewalls do.


33. Which of the following is an intrusion detection system (IDS) technique that requires a baseline of normal operating parameters?

A. Tcpwrappers
B. Virus signature files
C. Anomaly detection
D. Signature recognition

>> !
Answer: C

Anomaly detection requires a baseline measure. An anomaly is something out of the ordinary, so an anomaly detector must first ascertain (or be configured with) a definition of normal. Detected events are then compared to this normal (baseline measure) to determine whether an anomaly report/alert should be issued.

Tcpwrappers is a host-based intrusion detection system that controls access to services and logs connection attempts, but doesn't require a baseline.

Virus signature files are used for virus scanners.

Signature recognition is used by stateful packet filters and doesn't require a baseline, just a recent attack signature database or definition file.


34. Which of the following do virus scanners and intrusion detection systems (IDSs) that recognize known attacks have in common?

A. They must both operate on client systems.
B. They require updated signature/definition information to remain effective.
C. They both require UNIX operating systems.
D. They both require Microsoft Windows operating systems.

>> !
Answer: B

Both virus scanners and IDSs require updated signature/definition information to remain effective because they are only capable of recognizing defined attack or virus information.

IDSs can operate on clients, servers, at the perimeter of a network or outside a network.

There are IDSs that run on UNIX, but not all IDSs require UNIX.

Although there are IDS systems specifically for Windows products, not all IDSs require Microsoft Windows.


35. From the following list of network- and host-based intrusion detection systems (IDSs), choose the three host-based IDSs.

A. Tcpwrappers
B. xinetd
C. Snort
D. PortSentry

>> !
Answer: A, B & D

Tcpwrappers is configured on a host to provide access control and service request logging.

xinetd is a replacement for the inetd daemon on Linux and UNIX systems. It provides host-based access control and service protection.

PortSentry is a host-based intrusion detection software from psionic.com.

Snort is a network-based intrusion detection system available from snort.org.


36. Which of the following is a host-based intrusion detection system that monitors changes to critical system files and is used to identify Trojan Horses?

A. Tcpwrappers
B. LC4
C. Snort
D. Tripwire

>> !
Answer: D

Tripwire is a host-based intrusion detection system that monitors changes to system files; it is available on most recent Linux distributions and from tripwire.com.

Tcpwrappers control access to TCP services and log service requests.

LC4 is a vulnerability testing tool.

Snort is a network-based intrusion detection system.


37. Which three of the following would a vulnerability testing program, such as LC4 and the Microsoft Baseline Security Analyzer (MBSA), be able to test?

A. Weak passwords
B. Up-to-date virus definition files
C. Missing security patches
D. Current IDS signature files
E. Old compromised versions of applications

>> !
Answer: A, C & E

LC4 will most certainly diagnose weak passwords, as will most other vulnerability testing tools.

Missing security patches are one of the main purposes of the MBSA.

Yes, old, compromised versions of applications are often recognizable by vulnerability testing tools.

Vulnerability testing tools usually do not report on virus definition files.

IDS signature files are not typically scanned by vulnerability testing tools.


38. What do intrusion detection systems (IDSs) utilize attack signatures and system baselines to detect? (Choose all that apply)

A. Misuse
B. Anomalies
C. Weak passwords
D. Virus definition files

>> !
Answer: A & B

Misuse (or intrusion) detection is one of the key items that IDSs are set to discover.

Anomalies are usually detected by IDSs, but they require system baselines to do so.

Weak passwords are most often discovered by vulnerability (penetration) testing.

Virus scanner definition files should be updated regularly, but IDSs aren't typically used to track these files.


39. Which of the following should you do first if you suspect that a system has been compromised?

A. Create an image of the compromised system's storage devices and drives.
B. Reboot the system.
C. Clear the log files.
D. Log off the current user.

>> !
Answer: A

You should try to preserve data so that you can analyze a system compromise. You can also use this information should you have to present evidence in court.

Rebooting the system changes the state of the system and may result in loss of evidence.

Clearing the log files changes the state of the system and may result in loss of evidence.

Logging off the current user changes the state of the system and may result in loss of evidence.


40. On a Windows NT/2000/XP system, the default administrator account is typically named administrator. Which two of the following are good practices for that account?

A. Rename it.
B. Give it a complex password.
C. Remove that account.
D. Change the account's security identifier.

>> !
Answer: A & B

You should change the name of this account because the administrator account is a common target for system attackers. However, this will not fool skilled hackers because the default administrator account always has a Security ID (SID) that ends in 500. You can see this by using the whoami tool from the Windows NT/2000 Resource Kit on a Windows NT/2000 system.

You should give this account a complex password because it is a common target for system attackers.

You cannot and should not remove this account because it is the account that has ultimate privilege on a system. You are not supposed to be able to remove this account and if you do find a way (by seriously hacking the OS), you'll probably break a few things.

Changing the SID of this account sure would fool hackers, but it would probably also fool the system into not working properly. You shouldn't do this and you would have to seriously hack the system even to pull this one off because you cannot do this through the normal administrative interfaces.


41. How should the actual account used for anonymous access to a public Web site be configured?

A. Configured with read and execute access.
B. Configured with read and script access.
C. Configured according to the principle of least privilege.
D. Configured to log on with an encrypted password.

>> !
Answer: C

The account should have the least privileges necessary to perform all the tasks that it needs to perform (nothing more).

You cannot be sure that a particular level of access is required in all cases; a fixed set of permissions may be higher than necessary. It's best to follow the rule of least privilege.

Configuring to log on with an encrypted password is neither critical nor possible on many systems. The account logs on locally and internally in most cases, so password sniffing is not a big concern.


42. Where should you install security patches first?

A. Production systems first.
B. Unique systems first.
C. Offline systems that mirror the configuration of production systems.
D. Client workstations.

>> !
Answer: C

Test patches on offline systems before placing them on any other systems.


43. Placing security devices in series does which two of the following?

A. Increases security.
B. Reduces security.
C. Provides defense-in-depth.
D. Provides diversity of security.

>> !
Answer: A & C

Multiple security devices in series increase the number of controls an attacker has to traverse to compromise your network (via that particular path).

Placing security devices in series is called defense in depth.

Increasing the number of security devices usually increases security.

Although it is possible to provide diversity of security by placing different security devices in series, this question stem did not specify different or similar devices in a series. Because you were supposed to choose only two, this should not have been one of your selections.


44. In addition to selectively filtering attachments on your email gateway, you should use a virus scanner on your email gateway to: (Choose all that apply)

A. Increase security.
B. Protect your network from viruses that are not attachments.
C. Protect your network from viruses that come as allowable attachments.
D. Track vendor updates.
E. Prevent outbound viruses.

>> !
Answer: A, B, C & E

Adding another layer of protection increases security.

Some viruses may be embedded in an email, such as a link or code right inside the message.

Some attachments that are allowed in may be viruses or contain viruses.

Virus scanners can protect the rest of the world from viruses that might be sent out by your unsuspecting employees. This could save your company and you from an embarrassing situation.

Although you should track vendor updates to software and hardware, that isn't what your virus scanner is supposed to be doing.


45. What should you do with emails that were sent from a colleague or friend asking you to review an attached Microsoft Word document?

A. Forward the attachment to Microsoft for analysis.
B. Scan the attachment with a virus scanner.
C. Consider them safe because they came from a colleague.
D. Open them with Notepad.

>> !
Answer: B

Contact your colleague about the attachment. Don't immediately trust documents that come from a colleague because your colleague may have been fooled or your colleague's system may have been compromised by a virus that replicates via your colleague's mail account and address book.

Microsoft may offer this service for viruses they need to study, but you would have to contact them before doing so. Otherwise, you might not find them very receptive or appreciative.

Considering them safe because they came from a colleague is the worst solution because it could easily be the case that your colleague's system has been compromised.

You cannot read Word documents in Notepad.


46. According to Dr. Peter S. Tippett, CTO TrueSecure, which of the following moves by "'hitching' or as a consequence of replication?"

A. Virus
B. Worm
C. Trojan Horse

>> !
Answer: A

Viruses move by "'hitching' or as a consequence of replication" (Nimda Post Mortem presentation). Furthermore, according to Symantec, a virus must meet two criteria: 1. It must execute itself and 2. It must replicate itself.

Symantec's definition of a worm provides the following: "Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which requires the spreading of an infected host file." - Symantec Knowledge Base, http://service2.symantec.com/SUPPORT/nav.nsf/pfdocs/1999041209131106.

A Trojan or Trojan Horse does not replicate itself, so it must be spread by people telling others that it is something desirable or interesting, when in reality it does something destructive or steals something.


47. Which of the following is "An autonomous software agent that replicates by making copies of itself and moves via direct software actions," according to Dr. Peter S. Tippett, CTO TrueSecure?

A. Virus
B. Worm
C. Trojan Horse

>> !
Answer: B

Worms move by replicating themselves, usually through known weaknesses in applications or operating systems.

Viruses move by "'hitching' or as a consequence of replication" (Nimda Post Mortem presentation). Furthermore, according to Symantec, a virus must meet two criteria: 1. It must execute itself and 2. It must replicate itself.

A Trojan or Trojan Horse does not replicate itself, so it must be spread by people telling others that it is something desirable or interesting, when in reality it does something destructive or steals something.


48. If you receive an email that says, "If you receive an email titled X, do not open it, because it is a virus!" where X is the name of the "virus," what should you do?

A. Forward that email immediately to CERT.
B. Forward that email to everyone in your address book.
C. Verify the issue.
D. Delete any files that the message warns you to delete.

>> !
Answer: C

This is likely a virus hoax. There are several Web sites that track virus hoaxes, one of which is hoaxbusters.org.

Forwarding that email immediately to CERT may be a bad idea because the message could very well be a hoax.

Forwarding that email to everyone in your address book may be a bad idea because the message could very well be a hoax.

Deleting any files that the message warns you to delete may be a bad idea because the message could very well be a hoax.


49. Which of the following organizations handles the registration of domain names and related registration issues?

A. ICANN
B. W3C
C. IEEE
D. LC4

>> !
Answer: A

The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for Internet name registration.

The World Wide Web Consortium is responsible for WWW protocols, like HTTP.

The Institute of Electrical and Electronics Engineers, Inc. (IEEE) is not responsible for domains; check ieee.org for a full list of what this organization does.

LC4 is not an organization, but rather a password cracking and network penetration testing tool.


50. Which of the following is the first international treaty on crimes committed over computer networks (including the Internet)? This treaty deals with infringements of copyright, computer-related fraud, child pornography, and violations of network security.

A. ETS 185 Convention on Cybercrime
B. ISO 17799
C. Gramm-Leach-Bliley Act of 1999
D. HIPAA

>> !
Answer: A

The International Organization for Standardization (ISO) policy 17799 addresses the following topics: information classification, training and awareness, incident response, licensing compliance, and access control.

The Gramm-Leach-Bliley Act of 1999 is concerned with the security of financial data within the United States, specifically "to insure the security and confidentiality of customer records and information; to protect against any anticipated threats or hazards to the security or integrity of such records; and to protect against unauthorized access to or use of such."

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) increases electronic security measures concerning the electronic transfer of medical records. For example, HIPAA mandates that a new electronic signature standard be used where an electronic signature is employed in the transmission of a HIPAA standard transaction.


51. Which of the following statements is most like a statement of a standard?

A. Passwords can be reset by pressing the CTRL, ALT, and DEL keys simultaneously in Windows NT/2000/XP.
B. The organization will strive to protect the security of customer's data.
C. Passwords in the Marketing Department will be 7 characters, mixed case.
D. User accounts in Linux can be added with the useradd utility.

>> !
Answer: C

"Passwords in the Marketing Department will be 7 characters, mixed case" is most likely a standards statement; standards vary by department.

"Passwords can be reset by pressing the CTRL, ALT, and DEL keys simultaneously in Windows NT/2000/XP" is most likely a procedure statement; procedure is a set of instructions (based on a particular OS, application or type of user).

"The organization will strive to protect the security of customer's data" is most likely a policy statement; policy is a higher-level statement that references standards.

"User accounts in Linux can be added with the useradd utility" is most likely a procedure statement; procedure is a set of instructions (based on a particular OS, application or type of user).


52. When considering encryption and Virtual Private Networking (VPN) in countries outside the United States, what should you do?

A. Check regional and local laws.
B. Use nothing more than 128-bit encryption.
C. Abstain from L2TP/IPSec encryption.
D. Utilize Kerberos authentication and encryption.

>> !
Answer: A

Local and regional laws are the most important to follow.

Without checking local and regional laws, you cannot be sure whether using nothing more than 128-bit encryption, deploying PPTP, utilizing Kerberos authentication and encryption, or abstaining from L2TP/IPSec encryption is the way to go.


53. Which of the following tools can be used to discover passwords from the Local Security Authority SubSystem allowing someone with administrative access to check/compromise the passwords of user accounts in the Security Accounts Manager (SAM) database or even Active Directory database?

A. LC4
B. Nimda
C. chown
D. Trojan.Happy99

>> !
Answer: A

LC4 is the fourth generation of L0phtcrack from @stake (http://www.atstake.com/).

chown (change owner) is a Linux/UNIX command to change the owner of a file or directory.

Nimda is a mass-mailing worm that utilizes multiple methods to propagate.

Happy99 is actually a worm, not a Trojan Horse, and it is also known by the following aliases: I-Worm.Happy, W32.Ska, and Happy00.


54. Which of the following utilize certificate authentication and require readers?

A. Biometrics
B. PPTP
C. IPSec/TLS
D. Smart cards

>> !
Answer: D

Smart cards utilize digital certificate authentication and require smart card readers to be installed. Users provide the smart card and a personal identification number (PIN) in order to access information systems.

Point-to-Point Tunneling Protocol doesn't require certificates or a reader to set up a Virtual Private Network (VPN).

Internet Protocol Security over Transport Layer Security does require certificates, but that is all; no readers are required to set up a Virtual Private Network (VPN).

Biometrics use a biological part, such as retina, finger, palm, etc. and hopefully a Personal Identification Number (PIN) as well. Systems that only require biometrics open their users up to a potential dismemberment. Such dismemberments have already occurred in cases where biometrics were the only security measure.


55. Which of the following is the main advantage of using one-time passwords over other "reusable" passwords?

A. Easier to remember.
B. Require a PIN.
C. Passwords are uncrackable.
D. Sniffing is futile.

>> !
Answer: D

Sniffing a one-time password is futile because it is only good once. Someone may make the case that they may somehow discover a pattern or possibly a user PIN from sniffing a one-time password. Although that may be true for some one-time passwords, that should not be the case for all of them. Resistance to eavesdropping (sniffing, monitoring or packet capturing) is the main reason one-time passwords are used.

One-time passwords are not necessarily uncrackable. Even if they can be cracked, the result is useless because each password is only good once.

One-time passwords may or may not be easier to remember than reusable passwords.

Some, but not all, one-time passwords require a PIN. The ones that do require PINs are usually a combination of a unique authentication token and a PIN.


56. Which of the following is an example of security through obscurity?

A. Passwords.
B. Storing passwords in /etc/passwd file.
C. Open source programs.
D. Java scripts embedded in Web pages.

>> !
Answer: A

Computer users are often expected to choose passwords that are difficult to guess, meaning they are obscure.

/etc/passwd is a well-known file on Linux/UNIX systems, so storing passwords in it is not obscure, and it isn't secure unless shadow passwords or MD5 password hashing are also enabled.

Open source is exactly the opposite of security through obscurity because "everyone" is allowed to see "how a program works" if it is open source.

JavaScript embedded in Web pages can easily be viewed (for example, via the browser's view-source feature) in most Web browsers. Therefore, it isn't obscure.


57. Which of the following is typically stored on a smart card used for authentication to an information system?

A. LM hash
B. Private key
C. Public key
D. NTLM hash

>> !
Answer: B

A user's private key is stored on a smart card, which is unique to the user.

Microsoft network operating systems, SMB clients, and Samba servers use LM hashing.

Public keys are usually stored on the information system and used to verify the user's identity.


58. Which two of the following do digital signatures provide?

A. Deniability
B. Authentication
C. Repudiation
D. Data integrity

>> !
Answer: B & D

Digital signatures provide authentication, data integrity, and nonrepudiation.

Nonrepudiation is the opposite of deniability.


59. Which three of the following authentication types is L0phtcrack version 4.0 (LC4) able to crack?

A. LM
B. NTLM
C. NTLMv2
D. Kerberos
E. Linux smbclient authentication to Windows 2000

>> !
Answer: A, B & E

LC4 is able to sniff and crack LM and NTLM passwords off the wire.

SMB client (and even Samba server) authentication depends on LM and NTLM authentication, which LC3 and LC4 can crack.

LC4 and earlier are unable to crack NTLMv2 or Kerberos authentication.


60. Which of the following are accurate about smart cards with PIN authentication? (Choose all that apply)

A. It is a two-factor authentication.
B. Smart cards hold the user's private key.
C. It is a single-factor authentication.
D. Smart cards hold the user's public key.

>> !
Answer: A & B

In this case, the first factor is something the user has (the smart card) and the second is something the user knows (a personal identification number, or PIN).

Smart cards hold the user's private key, which uniquely identifies the user.

Smart card with PIN authentication is two-factor authentication, not single-factor authentication.

Smart cards hold the user's private key, not the user's public key.


61. Which of the following are desirable services provided by Transport Layer Security (TLS) alone? (Choose all that apply)

A. Entity authentication
B. Data authentication
C. Confidentiality
D. Repudiation
E. Nonrepudiation

>> !
Answer: A, B & C

TLS provides entity authentication, data authentication, and confidentiality.

Repudiation is the ability to deny that an event took place and is not desirable in Web commerce.

Nonrepudiation (not being able to deny that an event took place) is desirable and can only be provided by a trusted third-party (TTP) verification entity.


62. Which of the following are common user account targets for attackers? (Choose all that apply)

A. Default administrator and root accounts.
B. Users with passwords that are easily compromisable.
C. User accounts that pass authentication through L2TP/IPSec VPNs.
D. Guest accounts.

>> !
Answer: A, B & D

Guest accounts are a common target for attackers.

Default administrator or root accounts are common targets for attack.

User accounts with easily compromised passwords, such as null passwords, passwords equal to the username or passwords of "password" are common targets.

L2TP/IPSec communications are encrypted, so authentication through an encrypted tunnel is not a typical attacker target.


63. Which of the following render a digital certificate invalid? (Choose all that apply)

A. Passing an integrity check
B. Expiration
C. Compromise of the issuing CA
D. CA's publication in a CTL
E. Compromise of the root CA that authorized the issuing CA

>> !
Answer: B, D & E

Digital certificates have an expiration date; when they expire, they are invalid and a new certificate is required.

If a certification authority is compromised, then all certificates that it issued should be considered invalid.

If a root certification authority is compromised, then all of the certificates that root CA issued should be considered compromised. This includes all certificates used to authorize subordinate CAs (meaning that all subordinate CA certificates should be considered compromised).

If a digital certificate passes an integrity check, then it is okay. If it fails an integrity check, then it was probably altered and should be considered invalid.

Certificate Trust Lists (CTLs) keep track of trusted Certification Authorities, so a Certification Authority published in a CTL is a good thing.


64. Which of the following provides the most security benefit?

A. Active hub
B. Passive hub
C. Switch
D. Bridge

>> !
Answer: C

A switch performs micro-segmentation. This means that communications from one point to another are switched between the two points directly. This reduces the amount of traffic on the wire and the ability of someone to eavesdrop on communications not destined for their port.

Hubs take information incoming on one port and duplicate that information on multiple ports. This means that communications coming through a hub for one station are broadcast to all other stations attached to the hub.

Bridges take communications from one side and send them out to the other, which offers segmentation, but not micro-segmentation.


65. Which four of the following tools can be used to exploit commonly known NetBIOS security weaknesses?

A. NetBIOS Assessment Tool (NAT)
B. c2config
C. RedButton
D. nbtstat
E. nbtscan

>> !
Answer: A, C, D & E

NAT does query port 139, which is used for NetBIOS session services (SMB over NetBIOS).

Redbutton also uses port 139, which is used for NetBIOS session services (SMB over NetBIOS).

nbtstat is built-in to Microsoft networking and can be used to view NetBIOS name tables. Other Microsoft tools and commands, such as nltest and net view, can be used to exploit NetBIOS ports.

nbtscan by Alla Bezroutchko can be used to nbtstat an entire network.

c2config is used to evaluate the security of Windows NT 3.51 and later operating systems, but doesn't target NetBIOS security issues. c2config can also be used to remove the OS/2 and POSIX subsystems.


66. What should you do before changing the configuration of firewall rules or design?

A. Restart mission-critical systems.
B. Back up primary systems.
C. Analyze risk.
D. Take a drive image of all client systems.

>> !
Answer: C

Before making changes to your firewall configuration, you should perform a risk analysis to be sure that your changes will not increase risk or if they do, that the increase is acceptable.

Backing up primary systems is important, but should be done regularly. It is not a typical part of making a firewall change.

Restarting mission-critical systems is not necessary and is not as important as analyzing risk.

Taking a drive image of all client systems is time consuming and not more important than analyzing risk.


67. Which two of the following are asymmetric key algorithms?

A. RSA
B. Diffie-Hellman
C. 3DES
D. AES

>> !
Answer: A & B

Rivest Shamir Adleman (RSA) is an asymmetric (public key) cryptographic technique.

Diffie-Hellman was the first asymmetric (public key) cryptographic technique.

Triple-DES is a symmetric encryption technique.

Advanced Encryption Standard (AES; a.k.a., Rijndael) is a symmetric key algorithm.


68. Which of the following are accurate statements concerning perimeter firewalls?

A. They improve individual client security.
B. They protect from internal attacks.
C. They centralize security from external threats.
D. They require encryption.

>> !
Answer: C

Perimeter firewalls do centralize security between the external and internal networks.

There is data to suggest that client security actually becomes more lax after the installation of a firewall because people feel protected.

Perimeter firewalls protect your private network from the Internet or an external network. They don't protect you from attacks from within the company; that is the job of a personal firewall.

Perimeter firewalls don't typically use encryption, unless you are managing them over a Virtual Private Network (VPN).


69. Which of the following is the most secure Internet border router configuration?

A. Opening only those ports that are required for your essential communications.
B. Blocking all confirmed ports of attack.
C. Blocking all reported ports of attack.
D. Blocking all ports except TCP 135-139.

>> !
Answer: A

To configure a secure firewall, block all ports except those which are necessary for communication between your internal and the external network.

Although blocking all confirmed ports of attack protects you from currently known exploits, what about future exploits? Also, this philosophy doesn't consider the needs of your organization because it is possible that you need an application that uses a port that has (at one time) been the focus of an attack.

Although blocking all reported ports of attack protects you from reported exploits, what about future exploits? Also, this philosophy doesn't consider the needs of your organization because it is possible that you need an application that uses a port that has (at one time) been the focus of an attack.

TCP ports 135-139 are common ports of attack against networks with Microsoft clients. They are usually recommended for blocking at the firewall. This answer doesn't consider the needs of your organization, nor does it block ports that are commonly used for attacks.


70. If you placed a Cisco PIX firewall and a Symantec firewall in series at the perimeter of your network, you are practicing which of the following? (Choose all that apply)

A. Security by obscurity
B. Defense in depth
C. Diversity of defense
D. Bootstrap

>> !
Answer: B & C

Using two firewalls in series is defense-in-depth.

Using two different types of firewalls illustrates diversity of defense. Using two different firewalls in series is referred to as a "belt-and-suspenders" architecture.

Security by obscurity is the use of proprietary technology in hopes that it will be so obscure that no one will know how to attack it. This is usually only reasonable as a temporary solution.

Bootstrap is a startup term used for protocols and processes that deal with the initialization of an information system.