SY0-701 Question #624: Real Exam Question with Answer & Explanation

The correct answer is C: Intrusion prevention systems.

Submitted by tarun92 · Mar 6, 2026 · Threats, vulnerabilities, and mitigations

Question

A security team is in the process of hardening the network against externally crafted malicious packets. Which of the following is the most secure method to protect the internal network?

Options

  • A. Anti-malware solutions
  • B. Host-based firewalls
  • C. Intrusion prevention systems
  • D. Network access control
  • E. Network allow list

Explanation

Intrusion Prevention Systems (IPS) are purpose-built to inspect network traffic in real time, detect malicious or anomalous packets, and actively block them before they reach internal hosts - making them the strongest defense against externally crafted attacks at the network level.

  • A (Anti-malware): Operates on endpoints after a file/process is already present; it doesn't inspect or block malicious packets in transit on the network.
  • B (Host-based firewalls): Filter traffic per host using port/protocol rules, but they lack deep packet inspection and won't detect crafted payloads that arrive on allowed ports.
  • D (Network access control): Governs who can join the network (identity/posture checks), not what traffic content looks like - it doesn't analyze packet payloads.
  • E (Network allow list): Whitelisting IPs or domains restricts sources, but a trusted/allowed source can still send a malicious packet; content is never inspected.

Memory tip: Think "IPS = traffic inspector + bouncer." A firewall is just a bouncer checking IDs at the door; an IPS checks IDs and searches the bags - so it catches malicious payloads that slip through on legitimate ports or from allowed addresses.

Topics

#Network Security · #Intrusion Prevention · #Packet Filtering · #Network Hardening
