nerdexam
EC-Council

312-50V9 · Question #188

During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of fir

The correct answer is C. Stateful. A stateful inspection firewall tracks the state and context of network sessions, detecting when traffic on port 80 does not conform to expected HTTP protocol behavior.

Evading IDS, Firewalls, and Honeypots

Question

During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?

Options

  • AApplication
  • BCircuit
  • CStateful
  • DPacket Filtering

How the community answered

(32 responses)
  • A
    3% (1)
  • B
    3% (1)
  • C
    84% (27)
  • D
    9% (3)

Why each option

A stateful inspection firewall tracks the state and context of network sessions, detecting when traffic on port 80 does not conform to expected HTTP protocol behavior.

AApplication

An application-layer proxy firewall performs full layer-7 deep packet inspection and content reconstruction, which is a higher and more granular level of inspection than state-tracking - the scenario describes state-based blocking, not content parsing.

BCircuit

Circuit-level gateways validate TCP handshakes and session establishment at the session layer but do not monitor ongoing protocol behavior once a connection is open.

CStatefulCorrect

Stateful inspection firewalls maintain a state table that records the full context of each network session, including expected protocol behavior for the connection. When IRC traffic appears on port 80, the firewall detects that the session's packet patterns and protocol handshakes do not match valid HTTP state transitions, causing it to block the connection. Unlike packet filters, stateful firewalls analyze traffic in the context of the entire flow, enabling protocol anomaly detection without full content inspection.

DPacket Filtering

A packet filtering firewall makes permit/deny decisions based solely on IP addresses and port numbers, so it would allow any traffic destined for port 80 regardless of the actual application protocol in use.

Concept tested: Stateful inspection firewall protocol anomaly detection

Source: https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html

Topics

#firewall types#deep packet inspection#protocol identification#port evasion

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice