nerdexam
EC-Council

312-50V10 · Question #750

During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of fir

The correct answer is C. Application. An application-layer firewall performs deep packet inspection, identifying the actual protocol in use regardless of port number, which is why it can block IRC traffic even when it is tunneled over port 80.

Evading IDS, Firewalls, and Honeypots

Question

During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?

Options

  • ACircuit
  • BStateful
  • CApplication
  • DPacket Filtering

How the community answered

(24 responses)
  • A
    4% (1)
  • B
    8% (2)
  • C
    75% (18)
  • D
    13% (3)

Why each option

An application-layer firewall performs deep packet inspection, identifying the actual protocol in use regardless of port number, which is why it can block IRC traffic even when it is tunneled over port 80.

ACircuit

Circuit-level gateways operate at the session layer and validate TCP handshakes, but do not inspect packet contents or application-layer protocols.

BStateful

Stateful firewalls track connection state and allowed ports/IPs but do not perform deep protocol inspection to distinguish IRC from HTTP on the same port.

CApplicationCorrect

Application-layer firewalls (also called proxy firewalls or Layer 7 firewalls) inspect the full payload content of packets to determine the application protocol in use. Because IRC has a distinct protocol signature, the firewall identifies the traffic as IRC - not HTTP - even though it is transmitted over port 80/TCP, and enforces policy based on that protocol identification.

DPacket Filtering

Packet filtering firewalls make decisions based solely on port numbers, source/destination IPs, and protocol flags - they would not block IRC traffic on port 80 if that port is permitted.

Concept tested: Application-layer firewall deep packet protocol inspection

Source: https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html

Topics

#application firewall#deep packet inspection#protocol tunneling#firewall types

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice