nerdexam
EC-Council

312-50V10 · Question #408

During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of fir

The correct answer is C. Stateful. This question tests the ability to identify which firewall type can detect non-HTTP application-layer traffic tunneled over a permitted port such as 80/TCP.

Evading IDS, Firewalls, and Honeypots

Question

During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?

Options

  • AApplication
  • BCircuit
  • CStateful
  • DPacket Filtering

How the community answered

(39 responses)
  • A
    3% (1)
  • B
    10% (4)
  • C
    85% (33)
  • D
    3% (1)

Why each option

This question tests the ability to identify which firewall type can detect non-HTTP application-layer traffic tunneled over a permitted port such as 80/TCP.

AApplication

An application-layer proxy firewall also performs deep content inspection at layer 7, but CEH exam taxonomy places protocol-anomaly detection via session tracking under stateful inspection for this scenario.

BCircuit

A circuit-level gateway operates at the session layer and validates TCP handshake completion but does not inspect the actual application-layer content or protocol of the transmitted data.

CStatefulCorrect

A stateful inspection firewall tracks the full state of active network connections and inspects packet payloads to verify that traffic conforms to the expected protocol behavior for a given port. Because IRC traffic does not match HTTP protocol signatures, the stateful firewall detects the mismatch and blocks it even though port 80 is permitted. This capability goes beyond simple port-based filtering by analyzing session state and protocol compliance.

DPacket Filtering

A packet filtering firewall only examines layer 3 and 4 header fields such as IP addresses and port numbers, so it would permit any traffic on port 80 without verifying protocol compliance.

Concept tested: Stateful firewall protocol anomaly detection on port 80

Source: https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html

Topics

#stateful firewall#deep packet inspection#port 80#traffic filtering

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice