Systems Security Certified Practitioner – SSCP – Question0813

Which of the following types of traffic can most easily be filtered by a stateful packet filter, by enforcing the context or state of the request?

A. ICMP
B. TCP
C. UDP
D. IP

Correct Answer: B

Explanation:

The question is explicit in asking which traffic can be filtered *easily*. With TCP, connection establishment follows a distinct, expected sequence of states (the three-way handshake), so a filter can check whether each packet fits that sequence. Consult the references for further details.
ICMP, IP and UDP have no concept of a session: each packet or datagram is handled individually, with no reference to the contents of the previous one. With no sessions, these protocols usually cannot be filtered on the state of the session.
Some newer firewalls, however, simulate the concept of state for these protocols (for example, by allowing an inbound UDP reply only for a limited time after a matching outbound request) and filter out unexpected packets based upon normal usage. Although these are commonly treated like normal stateful filters, they are more complex to implement, and hence more prone to errors.
A stateful packet filter (stateful inspection) inspects each packet and only allows packets that belong to a known connection state through. So, if a SYN/ACK packet is received and there was no prior SYN sent for that connection, the filter drops that packet rather than letting it in. The correct sequence of steps is known, and if a packet arrives out of sequence or in the wrong state it is dropped.
The incorrect answers are:
ICMP. ICMP is basically stateless, so you could not easily filter it based on state or sequence.
UDP. UDP has no real state, so you could only partially filter it based on state or sequence. The question was explicit in asking *easily*. While it is possible, UDP is not the best answer.
IP. IP refers to the Internet Protocol itself, which is stateless, so you would not be able to filter it easily on state.
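The following is an added example, not part of the original question or the cited reference, that shows the two behaviours described above in working code: a TCP state machine that admits the SYN, SYN/ACK, ACK handshake in order and drops an unsolicited SYN/ACK, alongside the simulated "pseudo-state" that some firewalls keep for UDP (a reply is allowed only within a timeout after an outbound request). The inside/outside split (addresses starting with `10.`), the packet layout, the timeout value and the sample addresses are all constructed for the example; a real firewall would also track sequence numbers and windows, which is omitted here.

```python
from dataclasses import dataclass

# Hypothetical policy for the example: hosts on 10.0.0.0/8 are "inside" and
# may initiate connections outward; outside hosts may only send packets that
# belong to a connection the filter has already seen an inside host start.
def is_inside(ip: str) -> bool:
    return ip.startswith("10.")


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags: "SYN", "ACK", "FIN", "RST"


class StatefulFilter:
    """Minimal stateful packet filter keyed on the 5-tuple of each flow."""

    def __init__(self, udp_timeout: float = 30.0):
        self.tcp = {}   # flow key -> handshake state
        self.udp = {}   # flow key -> time of last packet (pseudo-state)
        self.udp_timeout = udp_timeout

    @staticmethod
    def _key(pkt: Packet, outbound: bool):
        # Canonical key (proto, inside ip/port, outside ip/port) regardless of
        # direction, so a reply maps to the same entry as the request.
        if outbound:
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def inspect(self, pkt: Packet, now: float):
        outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
        inbound = is_inside(pkt.dst) and not is_inside(pkt.src)
        if not (outbound or inbound):
            return "DROP", "packet does not cross the filter boundary"
        key = self._key(pkt, outbound)
        if pkt.proto == "tcp":
            return self._tcp(pkt, key, outbound)
        if pkt.proto == "udp":
            return self._udp(key, outbound, now)
        return "DROP", "no state tracking for this protocol (default deny)"

    def _tcp(self, pkt: Packet, key, outbound: bool):
        state = self.tcp.get(key)
        f = pkt.flags
        if "RST" in f:
            if state is None:
                return "DROP", "RST for an unknown connection"
            del self.tcp[key]
            return "ALLOW", "RST tears down a tracked connection"
        if state is None:
            # Only a bare SYN from inside may create state; anything else
            # (including an unsolicited SYN/ACK from outside) has no context.
            if outbound and f == {"SYN"}:
                self.tcp[key] = "SYN_SENT"
                return "ALLOW", "new outbound SYN, state created"
            return "DROP", f"no connection state for flags {sorted(f)}"
        if state == "SYN_SENT":
            if not outbound and f == {"SYN", "ACK"}:
                self.tcp[key] = "SYN_RECEIVED"
                return "ALLOW", "SYN/ACK matches an outstanding SYN"
            return "DROP", "expected SYN/ACK from the server"
        if state == "SYN_RECEIVED":
            if outbound and f == {"ACK"}:
                self.tcp[key] = "ESTABLISHED"
                return "ALLOW", "handshake complete"
            return "DROP", "expected final ACK from the client"
        if state == "ESTABLISHED":
            if "FIN" in f:
                self.tcp[key] = "CLOSING"   # simplification: one FIN per side
            return "ALLOW", "packet belongs to an established connection"
        # CLOSING: allow the remaining traffic, remove state on the second FIN
        if "FIN" in f:
            del self.tcp[key]
            return "ALLOW", "second FIN, connection closed"
        return "ALLOW", "connection draining"

    def _udp(self, key, outbound: bool, now: float):
        last = self.udp.get(key)
        if last is None or now - last > self.udp_timeout:
            if outbound:
                self.udp[key] = now
                return "ALLOW", "outbound UDP, pseudo-session created"
            self.udp.pop(key, None)
            return "DROP", "inbound UDP with no recent outbound request"
        self.udp[key] = now
        return "ALLOW", "UDP packet within pseudo-session timeout"


def demo():
    """Constructed traffic: a clean handshake, a rogue SYN/ACK, a DNS exchange."""
    fw = StatefulFilter(udp_timeout=30)
    client, server, dns = "10.1.1.5", "203.0.113.10", "203.0.113.53"
    syn = Packet("tcp", client, 40000, server, 443, frozenset({"SYN"}))
    synack = Packet("tcp", server, 443, client, 40000, frozenset({"SYN", "ACK"}))
    ack = Packet("tcp", client, 40000, server, 443, frozenset({"ACK"}))
    rogue = Packet("tcp", server, 443, client, 40001, frozenset({"SYN", "ACK"}))
    query = Packet("udp", client, 53000, dns, 53)
    reply = Packet("udp", dns, 53, client, 53000)
    verdicts = [fw.inspect(p, now=0)[0] for p in (syn, synack, ack, rogue, query)]
    verdicts.append(fw.inspect(reply, now=1)[0])     # reply shortly after query
    verdicts.append(fw.inspect(reply, now=100)[0])   # same reply after timeout
    return verdicts


if __name__ == "__main__":
    print(demo())  # ['ALLOW', 'ALLOW', 'ALLOW', 'DROP', 'ALLOW', 'ALLOW', 'DROP']
```

The TCP branch is the "easy" case from the question: every packet is checked against an explicit handshake state machine, and the rogue SYN/ACK on port 40001 is dropped simply because no SYN was ever sent for that flow. The UDP branch shows why the other protocols are harder: there is no handshake to verify, so the filter has to invent a session from a timer, and a legitimate late reply is dropped just as an unsolicited one would be.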
The following reference(s) were used for this question: http://www.nwo.net/ipf/ipf-howto.pdf