nerdexam
(ISC)2

CISSP-ISSAP · Question #63

You work as a Chief Security Officer for Tech Perfect Inc. The company has a TCP/IP based network. You want to use a firewall that can track the state of active connections of the network and then det

The correct answer is C. Dynamic packet-filtering firewall. Dynamic packet-filtering firewalls earn their name from their ability to dynamically open and close ports based on the state of active TCP/IP connections - they maintain a session table that tracks established connections and use that context to decide which return packets are le

Infrastructure Security

Question

You work as a Chief Security Officer for Tech Perfect Inc. The company has a TCP/IP based network. You want to use a firewall that can track the state of active connections of the network and then determine which network packets are allowed to enter through the firewall. Which of the following firewalls has this feature?

Options

  • AStateful packet inspection firewall
  • BProxy-based firewall
  • CDynamic packet-filtering firewall
  • DApplication gateway firewall

How the community answered

(34 responses)
  • A
    9% (3)
  • B
    3% (1)
  • C
    85% (29)
  • D
    3% (1)

Explanation

Dynamic packet-filtering firewalls earn their name from their ability to dynamically open and close ports based on the state of active TCP/IP connections - they maintain a session table that tracks established connections and use that context to decide which return packets are legitimate and which should be blocked.

Why the others are wrong:

  • A (Stateful packet inspection): In this exam's framework, SPI goes further - it inspects packet contents/payload against known attack patterns, not just connection state; it's a superset, not the specific state-tracking mechanism described.
  • B (Proxy-based): Acts as a middleman that terminates and re-initiates connections on behalf of clients; it's focused on anonymizing/mediating traffic, not on session-state tracking.
  • D (Application gateway): Operates at Layer 7 and inspects application-specific protocols (HTTP, FTP, etc.); it's content-aware, not connection-state-aware.

Memory tip: Think of the word dynamic - unlike static packet filters that blindly apply fixed rules to every packet in isolation, dynamic filters adapt by remembering which connections are active, letting legitimate return traffic through automatically.

Real-world note: In most modern security literature, "stateful inspection" and "dynamic packet filtering" are treated as synonymous. If your exam uses CompTIA or ISC² materials, verify which term your specific study guide pairs with connection-state tracking, as A is the answer in many other frameworks.

Topics

#Stateful firewall#Packet filtering#Connection tracking#Network security

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSAP Practice