312-50V9 · Question #188
During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of fir
The correct answer is C. Stateful. A stateful inspection firewall tracks the state and context of network sessions, detecting when traffic on port 80 does not conform to expected HTTP protocol behavior.
Question
During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?
Options
- AApplication
- BCircuit
- CStateful
- DPacket Filtering
How the community answered
(32 responses)- A3% (1)
- B3% (1)
- C84% (27)
- D9% (3)
Why each option
A stateful inspection firewall tracks the state and context of network sessions, detecting when traffic on port 80 does not conform to expected HTTP protocol behavior.
An application-layer proxy firewall performs full layer-7 deep packet inspection and content reconstruction, which is a higher and more granular level of inspection than state-tracking - the scenario describes state-based blocking, not content parsing.
Circuit-level gateways validate TCP handshakes and session establishment at the session layer but do not monitor ongoing protocol behavior once a connection is open.
Stateful inspection firewalls maintain a state table that records the full context of each network session, including expected protocol behavior for the connection. When IRC traffic appears on port 80, the firewall detects that the session's packet patterns and protocol handshakes do not match valid HTTP state transitions, causing it to block the connection. Unlike packet filters, stateful firewalls analyze traffic in the context of the entire flow, enabling protocol anomaly detection without full content inspection.
A packet filtering firewall makes permit/deny decisions based solely on IP addresses and port numbers, so it would allow any traffic destined for port 80 regardless of the actual application protocol in use.
Concept tested: Stateful inspection firewall protocol anomaly detection
Source: https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html
Topics
Community Discussion
No community discussion yet for this question.