Chapter 10. Attack Detection and Defense

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: What’s a “Grey Hat” hacker?

A: A Grey Hat is someone who knows both sides of the security coin (Black Hat and White Hat) and will dabble with both. Like many things in life, “good” and “bad” distinctions are not so binary in the real world. Is it okay to use a malicious attack against an offensive site (hate crime, child porn, spam relay, and so on)? Is it okay to attack a host that attacked you first? Computer ethics classes are now a regular component of most security certification courses.

Q: What’s a good setting for the (SYN|UDP|ICMP) flood threshold?

A: There’s no universal setting that could be applied effectively to every network. Network activity, purpose, and traffic are different for each segment, and the thresholds need to be tuned appropriately. Ideally, you want a setting that sits just above the normal volume of legitimate flows, so that ordinary traffic is never dropped but, when an actual flood occurs, the NetScreen can react immediately.
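The tuning advice above (measure the segment, then place the threshold just above the legitimate peak) can be turned into a repeatable procedure. The script below is an added example, not code from the book or from Juniper: it derives a threshold from a constructed sample of per-second SYN counts, renders the corresponding ScreenOS command (the `set zone <zone> screen <kind> threshold <n>` syntax is assumed here from the ScreenOS CLI), and then checks a second constructed window for seconds that would trip the screen. The 25% margin is an assumption for illustration; pick one that fits your own measurements.

```python
"""Baseline-driven flood threshold tuning (added example, not from the book).

Derives a SYN/UDP/ICMP flood threshold from observed per-second counts so
the screen sits just above legitimate traffic, then checks a later window
for seconds that exceed it.
"""
import math
import statistics
from typing import List

# Constructed sample: SYNs per second seen on one zone during a quiet window.
BASELINE_SYN_PER_SEC = [120, 135, 128, 142, 150, 131, 139, 147, 155, 133,
                        129, 144, 138, 151, 160, 136, 141, 149, 132, 146]

VALID_SCREENS = ("syn-flood", "udp-flood", "icmp-flood")


def flood_threshold(samples: List[int], margin: float = 0.25) -> int:
    """Return a threshold just above the legitimate peak.

    Takes the larger of (peak plus a safety margin) and (mean plus three
    standard deviations), so normal bursts do not trip the screen while a
    real flood, which is orders of magnitude higher, does. The margin value
    is an assumption for illustration; tune it per segment.
    """
    if not samples:
        raise ValueError("need at least one sample")
    peak = max(samples)
    mean = statistics.fmean(samples)
    stdev = statistics.pstdev(samples) if len(samples) > 1 else 0.0
    candidate = max(peak * (1 + margin), mean + 3 * stdev)
    return math.ceil(candidate)


def screenos_command(zone: str, kind: str, threshold: int) -> str:
    """Render the ScreenOS CLI line for the chosen threshold.

    Assumed syntax: 'set zone <zone> screen <kind> threshold <n>', where
    kind is one of syn-flood, udp-flood or icmp-flood.
    """
    if kind not in VALID_SCREENS:
        raise ValueError(f"unknown screen option: {kind}")
    if threshold <= 0:
        raise ValueError("threshold must be positive")
    return f"set zone {zone} screen {kind} threshold {threshold}"


def seconds_over_threshold(samples: List[int], threshold: int) -> List[int]:
    """Return the indexes (seconds) whose count exceeds the threshold."""
    return [i for i, n in enumerate(samples) if n > threshold]


if __name__ == "__main__":
    thr = flood_threshold(BASELINE_SYN_PER_SEC)
    print(screenos_command("untrust", "syn-flood", thr))
    # Constructed follow-up window: normal traffic, then a short SYN flood.
    live = [140, 152, 158, 149, 4100, 5300, 4800, 150, 143]
    print("seconds over threshold:", seconds_over_threshold(live, thr))
```

Re-run the baseline step whenever the segment's purpose or population changes; a threshold tuned for a branch office will be far too low for a data-center zone, which is exactly why the answer says there is no universal setting.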
Q: Why doesn’t DI have the same coverage as an IDP?

A: NetScreen firewall devices have purpose-built Application-Specific Integrated Circuits (ASICs) that handle the majority of firewall operations, such as policy matching and data encryption. These are physical devices (hardware accelerators) that can’t be modified. Since DI is a relatively new feature, it has to run in software on the system’s CPU. Older NetScreen firewall CPUs were more than sufficient for device management, but were significantly slower than the ~3 GHz single and dual CPUs found on an IDP. This difference in computing power means that a full IDP would be impractical on the currently available platforms. Juniper is actively investigating a new ASIC that incorporates IDP functionality in hardware, and is also ensuring that new generations of NetScreen firewalls have beefier CPUs.

Q: Why is SurfControl Integrated Mode only available on lower-end products?

A: Many users of these less expensive products don’t have permanent or full-time onsite IT support personnel, and may not have the time, money, or expertise to configure, run, and maintain their own WebSense or SurfControl URL filtering software. Yet these customers still want (and need) URL filtering. The Integrated Mode uses SurfControl’s public servers, which SurfControl maintains and supports. There is also the performance impact (including latency) of sending large volumes of URL look-up requests over the Internet to a public server. The high-end products support speeds well over 10 Gb/s of sustained traffic; looking up every requested URL in real time would waste significant bandwidth.

Q: Why should I bother with egress filtering? It’s a lot of work, and my users are bound to complain about something not working.

A: The initial effort of configuring egress filtering now will save you several orders of magnitude’s worth of work later. The majority of business-related software supports proxying or other filtering. Chances are, the complaints from end users about connectivity problems will come from software you don’t want running on your network anyway.
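The egress answer rests on two ideas: permit only the outbound paths the business actually uses (proxied web, the internal resolver, the mail relay) and deny everything else by default, so that each complaint maps to a specific host and port. The following is an added example, not code from the book or from Juniper; it models a first-match, default-deny egress policy for a hypothetical site (addresses, rule names and the proxy port 3128 are constructed) and produces the per-host report of denied flows an administrator would use to triage "something isn't working".

```python
"""Default-deny egress policy evaluation (added example, not from the book).

Evaluates constructed outbound flows against a first-match egress policy
and groups the denied ones by source host for triage.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str
    dst_net: str
    proto: str             # "tcp", "udp" or "any"
    dports: FrozenSet[int]  # empty set means any destination port
    action: str            # "permit" or "deny"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and self.proto in ("any", f.proto)
                and (not self.dports or f.dport in self.dports))


# Constructed policy for a hypothetical site: 10.0.0.0/8 is internal,
# 10.0.0.53 the internal resolver, 10.0.0.80 the web proxy (port 3128),
# 10.0.0.25 the mail relay. First match wins; no match means deny.
EGRESS_POLICY: List[Rule] = [
    Rule("dns-via-resolver", "10.0.0.0/8", "10.0.0.53/32", "udp", frozenset({53}), "permit"),
    Rule("resolver-out", "10.0.0.53/32", "0.0.0.0/0", "udp", frozenset({53}), "permit"),
    Rule("web-via-proxy", "10.0.0.0/8", "10.0.0.80/32", "tcp", frozenset({3128}), "permit"),
    Rule("proxy-out", "10.0.0.80/32", "0.0.0.0/0", "tcp", frozenset({80, 443}), "permit"),
    Rule("smtp-relay-out", "10.0.0.25/32", "0.0.0.0/0", "tcp", frozenset({25}), "permit"),
]


def evaluate(f: Flow, policy: List[Rule] = EGRESS_POLICY) -> str:
    """Return 'permit:<rule>' or 'deny:<rule>' for the first match, else 'deny:default'."""
    for r in policy:
        if r.matches(f):
            return f"{r.action}:{r.name}"
    return "deny:default"


def denied_report(flows: List[Flow], policy: List[Rule] = EGRESS_POLICY) -> Dict[str, List[str]]:
    """Group denied flows by source host so each complaint maps to a host and port."""
    report: Dict[str, List[str]] = {}
    for f in flows:
        if evaluate(f, policy).startswith("deny:"):
            report.setdefault(f.src, []).append(f"{f.proto}/{f.dport}->{f.dst}")
    return report


# Constructed sample of outbound flows seen on the inside interface.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.1.10", "10.0.0.53", "udp", 53),        # workstation DNS via resolver
    Flow("10.0.1.10", "10.0.0.80", "tcp", 3128),      # workstation web via proxy
    Flow("10.0.1.10", "203.0.113.5", "tcp", 443),     # direct to Internet, bypassing proxy
    Flow("10.0.1.10", "198.51.100.9", "udp", 6881),   # unexpected UDP service
    Flow("10.0.0.25", "203.0.113.25", "tcp", 25),     # mail relay sending mail
    Flow("10.0.2.7", "203.0.113.25", "tcp", 25),      # non-relay host sending SMTP directly
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {evaluate(f)}")
    print(denied_report(SAMPLE_FLOWS))
```

Because the policy is default-deny, adding a new business application is a matter of adding one permit rule after confirming the destination and port it really needs; the report shows exactly which hosts are talking to the Internet outside the sanctioned paths.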
Q: Why are there so many different license keys for features?

A: Juniper, like any for-profit company, wants to make money. It also understands that it needs to be competitive in the market. If Juniper sold its devices at a high price with all features enabled (many of which you may or may not use), it would have a difficult time selling them to customers who only needed some of the features and were willing to buy them at a reduced price. This way, a compromise is reached: Juniper will sell you a useful product for a reasonable price, but the flexibility is there to buy additional features à la carte. Time-limited license keys also facilitate subscriptions.