nerdexam
(ISC)2

CISSP · Question #367

Which of the following is MOST effective in detecting information hiding in Transmission Control Protocol/internet Protocol (TCP/IP) traffic?

The correct answer is B. Application-level firewall. Detecting information hiding (steganography or covert channels) in TCP/IP traffic requires deep inspection of application-layer content, which only an application-level firewall can perform.

Submitted by thandi_sa· Mar 5, 2026Communication and Network Security

Question

Which of the following is MOST effective in detecting information hiding in Transmission Control Protocol/internet Protocol (TCP/IP) traffic?

Options

  • AStateful inspection firewall
  • BApplication-level firewall
  • CContent-filtering proxy
  • DPacket-filter firewall

How the community answered

(35 responses)
  • A
    3% (1)
  • B
    80% (28)
  • C
    11% (4)
  • D
    6% (2)

Why each option

Detecting information hiding (steganography or covert channels) in TCP/IP traffic requires deep inspection of application-layer content, which only an application-level firewall can perform.

AStateful inspection firewall

A stateful inspection firewall tracks TCP/IP connection state and header information but does not inspect application-layer payload content, making it blind to data hidden within legitimate protocol streams.

BApplication-level firewallCorrect

An application-level firewall (application proxy/gateway) operates at Layer 7 of the OSI model and can fully reconstruct and inspect the content of application-layer protocols such as HTTP, FTP, and DNS. This deep visibility allows it to detect anomalies in protocol usage, unexpected payloads, and covert channels where data is hidden within legitimate-looking traffic - capabilities not available to firewalls that only inspect headers or state.

CContent-filtering proxy

A content-filtering proxy can block known malicious or prohibited content categories but is not specifically designed to detect covert channels or steganographic techniques embedded within TCP/IP protocol fields or application data.

DPacket-filter firewall

A packet-filter firewall makes allow/deny decisions based solely on IP addresses, ports, and basic header fields (Layer 3/4), providing no ability to examine payload content where information hiding techniques operate.

Concept tested: Detecting TCP/IP covert channels with application-layer inspection

Source: https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final

Topics

#Application-level firewall#Information hiding#Network security#Deep packet inspection

Community Discussion

No community discussion yet for this question.

Full CISSP Practice