nerdexam
(ISC)2

CISSP · Question #312

Which of the following provides the MOST comprehensive filtering of Peer-to-Peer (P2P) traffic?

The correct answer is A. Application proxy. P2P traffic is notoriously difficult to filter because it uses dynamic ports and can disguise itself as legitimate traffic; an application proxy operates at Layer 7 and can inspect actual application content to identify and block P2P protocols regardless of port.

Submitted by kim_seoul· Mar 5, 2026Communication and Network Security

Question

Which of the following provides the MOST comprehensive filtering of Peer-to-Peer (P2P) traffic?

Options

  • AApplication proxy
  • BPort filter
  • CNetwork boundary router
  • DAccess layer switch

How the community answered

(26 responses)
  • A
    73% (19)
  • B
    8% (2)
  • C
    4% (1)
  • D
    15% (4)

Why each option

P2P traffic is notoriously difficult to filter because it uses dynamic ports and can disguise itself as legitimate traffic; an application proxy operates at Layer 7 and can inspect actual application content to identify and block P2P protocols regardless of port.

AApplication proxyCorrect

An application proxy (Layer 7 proxy) performs deep packet inspection by examining the full application-layer payload, allowing it to identify P2P protocols like BitTorrent or eDonkey based on their signatures, behavioral patterns, and content-even when they use non-standard or randomized ports to evade simpler filtering methods. This makes it the most comprehensive solution because it is not fooled by port-hopping or protocol obfuscation techniques that defeat lower-layer controls.

BPort filter

A port filter blocks traffic based solely on TCP/UDP port numbers, but P2P applications are specifically designed to bypass this by using dynamic, randomized, or well-known ports (e.g., port 80), making port-based filtering largely ineffective against modern P2P software.

CNetwork boundary router

A network boundary router can apply ACLs and basic packet filtering, but it operates primarily at Layers 3–4 and lacks the application-layer visibility needed to reliably identify and block P2P traffic that disguises itself on allowed ports.

DAccess layer switch

An access layer switch operates at Layers 2–3 and is designed for network connectivity and VLAN segmentation, not traffic content inspection; it has no mechanism to analyze or filter application-layer P2P protocols.

Concept tested: Application-layer proxy filtering of P2P traffic

Source: https://www.cisco.com/c/en/us/products/security/what-is-application-layer-filtering.html

Topics

#P2P filtering#application proxy#network security controls#firewall types

Community Discussion

No community discussion yet for this question.

Full CISSP Practice