312-50V11 · Question #750
During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of fir
The correct answer is C. Application. An application-layer firewall can distinguish IRC protocol traffic from HTTP even when both use port 80/TCP, allowing it to block the tunneled IRC session while permitting legitimate web traffic.
Question
During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?
Options
- ACircuit
- BStateful
- CApplication
- DPacket Filtering
How the community answered
(15 responses)- A13% (2)
- B7% (1)
- C80% (12)
Why each option
An application-layer firewall can distinguish IRC protocol traffic from HTTP even when both use port 80/TCP, allowing it to block the tunneled IRC session while permitting legitimate web traffic.
A circuit-level gateway operates at the session layer and validates TCP handshake establishment, but it does not inspect application-layer payload content and cannot distinguish HTTP from IRC on the same port.
A stateful firewall tracks TCP connection state and flow information at the transport layer, but it lacks the ability to parse and enforce application-protocol-specific rules needed to differentiate IRC from HTTP.
An application firewall (Layer 7) performs deep packet inspection and understands the syntax and semantics of specific application protocols such as HTTP and IRC. When IRC is tunneled over port 80/TCP, the application firewall inspects the payload content, recognizes that the traffic does not conform to the HTTP protocol specification, and blocks it - a decision that is impossible to make using only port numbers or TCP session state.
A packet filtering firewall makes allow/deny decisions based solely on source/destination IP addresses and port numbers, so any traffic destined for port 80/TCP would be permitted regardless of the underlying application protocol.
Concept tested: Application layer firewall deep packet inspection of tunneled protocols
Source: https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html
Topics
Community Discussion
No community discussion yet for this question.