nerdexam
EC-Council

312-50V11 · Question #750

During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of fir

The correct answer is C. Application. An application-layer firewall can distinguish IRC protocol traffic from HTTP even when both use port 80/TCP, allowing it to block the tunneled IRC session while permitting legitimate web traffic.

Evading IDS, Firewalls, and Honeypots

Question

During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?

Options

  • ACircuit
  • BStateful
  • CApplication
  • DPacket Filtering

How the community answered

(15 responses)
  • A
    13% (2)
  • B
    7% (1)
  • C
    80% (12)

Why each option

An application-layer firewall can distinguish IRC protocol traffic from HTTP even when both use port 80/TCP, allowing it to block the tunneled IRC session while permitting legitimate web traffic.

ACircuit

A circuit-level gateway operates at the session layer and validates TCP handshake establishment, but it does not inspect application-layer payload content and cannot distinguish HTTP from IRC on the same port.

BStateful

A stateful firewall tracks TCP connection state and flow information at the transport layer, but it lacks the ability to parse and enforce application-protocol-specific rules needed to differentiate IRC from HTTP.

CApplicationCorrect

An application firewall (Layer 7) performs deep packet inspection and understands the syntax and semantics of specific application protocols such as HTTP and IRC. When IRC is tunneled over port 80/TCP, the application firewall inspects the payload content, recognizes that the traffic does not conform to the HTTP protocol specification, and blocks it - a decision that is impossible to make using only port numbers or TCP session state.

DPacket Filtering

A packet filtering firewall makes allow/deny decisions based solely on source/destination IP addresses and port numbers, so any traffic destined for port 80/TCP would be permitted regardless of the underlying application protocol.

Concept tested: Application layer firewall deep packet inspection of tunneled protocols

Source: https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html

Topics

#application firewall#deep packet inspection#traffic filtering#IRC tunneling

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice