Systems Security Certified Practitioner – SSCP – Question0904

Which of the following prevents, detects, and corrects errors so that the integrity, availability, and confidentiality of transactions over networks may be maintained?

A. Communications security management and techniques
B. Information security management and techniques
C. Client security management and techniques
D. Server security management and techniques

Correct Answer: A

Explanation:

Communications security management and techniques are the best area for addressing this objective.
“Information security management and techniques” is incorrect. While the overall information security program would include this objective, communications security is the more specific and better answer.
“Client security management and techniques” is incorrect. While client security plays a part in this overall objective, communications security is the more specific and better answer.
“Server security management and techniques” is incorrect. While server security plays a part in this overall objective, communications security is the more specific and better answer.
References: CBK, p. 408

Systems Security Certified Practitioner – SSCP – Question0903

Which of the following would be used to detect and correct errors so that integrity and confidentiality of transactions over networks may be maintained while preventing unauthorized interception of the traffic?

A. Information security
B. Server security
C. Client security
D. Communications security

Correct Answer: D

Explanation:

Communications security is the discipline of preventing unauthorized interceptors from accessing telecommunications in an intelligible form, while still delivering content to the intended recipients. In the United States Department of Defense culture, it is often referred to by the abbreviation COMSEC. The field includes cryptosecurity, transmission security, emission security, traffic-flow security and physical security of COMSEC equipment.
All of the other answers are incorrect:
“Information security” is incorrect. Information security would be the overall program, but communications security is the more specific and better answer. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The terms information security, computer security and information assurance are frequently and incorrectly used interchangeably. These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them.
These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer.
“Server security” is incorrect. While server security plays a part in the overall information security program, communications security is the better answer when talking about data over the network and preventing interception. See publication 800-123 listed in the references below to learn more.
“Client security” is incorrect. While client security plays a part in the overall information security program, communications security is the better answer. Securing the client would not prevent interception or capture of data over the network. Today people refer to this as endpoint security.
References: http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf and https://en.wikipedia.org/wiki/Information_security and https://en.wikipedia.org/wiki/Communications_security

Systems Security Certified Practitioner – SSCP – Question0902

A DMZ is also known as a

A. screened subnet
B. three legged firewall
C. a place to attract hackers
D. bastion host

Correct Answer: A

Explanation:

This is another name for the demilitarized zone (DMZ) of a network.
“Three legged firewall” is incorrect. While a DMZ can be implemented on one leg of such a device, this is not the best answer.
“A place to attract hackers” is incorrect. The DMZ is a way to provide limited public access to an organization’s internal resources (DNS, email, public web, etc.), not an attractant for hackers.
“Bastion host” is incorrect. A bastion host serves as a gateway between trusted and untrusted networks.
References: CBK, p. 434; AIO3, pp. 495-496

Systems Security Certified Practitioner – SSCP – Question0901

Good security is built on which of the following concepts?

A. The concept of a pass-through device that only allows certain traffic in and out
B. The concept of defense in depth
C. The concept of preventative controls
D. The concept of defensive controls

Correct Answer: B

Explanation:

This is the best of the four answers, as a defense that depends on multiple layers is superior to one where all protection is embedded in a single layer (e.g., a firewall). Defense in depth would include all categories of controls.
The following answers are incorrect:
“Concept of a pass-through device that only allows certain traffic in and out” is incorrect. This is one definition of a firewall, which can be a component of a defense in depth strategy in combination with other measures.
“Concept of preventative controls” is incorrect. This is a component of a defense in depth strategy, but the core concept is that there must be multiple layers of defenses.
“Concept of defensive controls” is incorrect. This is a component of a defense in depth strategy, but the core concept is that there must be multiple layers of defenses.
References: http://en.wikipedia.org/wiki/Defense_in_depth_(computing) and http://www.nsa.gov/snac/support/defenseindepth.pdf

Systems Security Certified Practitioner – SSCP – Question0900

A DMZ is located:

A. right behind your first Internet facing firewall
B. right in front of your first Internet facing firewall
C. right behind your first network active firewall
D. right behind your first network passive Internet http firewall

Correct Answer: A

Explanation:

While the purpose of systems in the DMZ is to allow public access to certain internal network resources (EMAIL, DNS, Web), it is a good practice to restrict that access to the minimum necessary to provide those services through use of a firewall.
In computer security, a DMZ or Demilitarized Zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external attacker only has direct access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term “demilitarized zone”, an area between nation states in which military operation is not permitted.
The following are incorrect answers:
“Right in front of your first Internet facing firewall” is incorrect. While the purpose of systems in the DMZ is to allow public access to certain internal network resources (email, DNS, web), it is a good practice to restrict that access to the minimum necessary to provide those services through use of a firewall.
“Right behind your first network active firewall” is incorrect. This is an almost-right-sounding answer meant to distract the unwary.
“Right behind your first network passive Internet http firewall” is incorrect. This is an almost-right-sounding answer meant to distract the unwary.
References: CBK, p. 434; AIO3, p. 483; http://en.wikipedia.org/wiki/DMZ_%28computing%29

Systems Security Certified Practitioner – SSCP – Question0899

The general philosophy for DMZs is that:

A. any system on the DMZ can be compromised because it's accessible from the Internet.
B. any system on the DMZ cannot be compromised because it's not accessible from the Internet.
C. some systems on the DMZ can be compromised because they are accessible from the Internet.
D. any system on the DMZ cannot be compromised because it's by definition 100 percent safe and not accessible from the Internet.

Correct Answer: A

Explanation:

Because the DMZ systems are accessible from the Internet, they are more at risk for attack and compromise and must be hardened appropriately.
“Any system on the DMZ cannot be compromised because it’s not accessible from the Internet” is incorrect. The reason a system is placed in the DMZ is so it can be accessible from the Internet.
“Some systems on the DMZ can be compromised because they are accessible from the Internet” is incorrect. All systems in the DMZ face an increased risk of attack and compromise because they are accessible from the Internet.
“Any system on the DMZ cannot be compromised because it’s by definition 100 percent safe and not accessible from the Internet” is incorrect. Again, a system is placed in the DMZ because it must be accessible from the Internet.
References: CBK, p. 434; AIO3, p. 483

Systems Security Certified Practitioner – SSCP – Question0898

When an outgoing request is made on a port number greater than 1023, this type of firewall creates an ACL to allow the incoming reply on that port to pass:

A. Packet filtering
B. Circuit level proxy
C. Dynamic packet filtering
D. Application level proxy

Correct Answer: C

Explanation:

The dynamic packet filtering firewall is able to create ACLs on the fly to allow replies on dynamic ports (higher than 1023).
“Packet filtering” is incorrect. The packet filtering firewall usually requires that the dynamic ports be left open as a group in order to handle this situation.
“Circuit level proxy” is incorrect. The circuit level proxy builds a conduit between the trusted and untrusted hosts and does not work by dynamically creating ACLs.
“Application level proxy” is incorrect. The application level proxy “proxies” for the trusted host in its communications with the untrusted host. It does not dynamically create ACLs to control traffic.

Systems Security Certified Practitioner – SSCP – Question0897

In stateful inspection firewalls, packets are:

A. Inspected at only one layer of the Open System Interconnection (OSI) model
B. Inspected at all Open System Interconnection (OSI) layers
C. Decapsulated at all Open Systems Interconnect (OSI) layers.
D. Encapsulated at all Open Systems Interconnect (OSI) layers.

Correct Answer: B

Explanation:

Many times when a connection is opened, the firewall will inspect all layers of the packet. While this inspection is scaled back for subsequent packets to improve performance, this is the best of the four answers.
When packet filtering is used, a packet arrives at the firewall, and it runs through its ACLs to determine whether this packet should be allowed or denied. If the packet is allowed, it is passed on to the destination host, or to another network device, and the packet filtering device forgets about the packet. This is different from stateful inspection, which remembers and keeps track of what packets went where until each particular connection is closed. A stateful firewall is like a nosy neighbor who gets into people’s business and conversations. She keeps track of the suspicious cars that come into the neighborhood, who is out of town for the week, and the postman who stays a little too long at the neighbor lady’s house. This can be annoying until your house is burglarized. Then you and the police will want to talk to the nosy neighbor, because she knows everything going on in the neighborhood and would be the one most likely to know something unusual happened.
“Inspected at only one Open Systems Interconnection (OSI) layer” is incorrect. To perform stateful packet inspection, the firewall must consider at least the network and transport layers.
“Decapsulated at all Open Systems Interconnection (OSI) layers” is incorrect. The headers are not stripped (“decapsulated”, if there is such a word) and are passed through in their entirety IF the packet is passed.
“Encapsulated at all Open Systems Interconnect (OSI) layers” is incorrect. Encapsulation refers to the adding of a layer’s header/trailer to the information received from the layer above. This is done when the packet is assembled, not at the firewall.
References: CBK, p. 466; Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (pp. 632-633). McGraw-Hill. Kindle Edition.

Systems Security Certified Practitioner – SSCP – Question0896

In a stateful inspection firewall, data packets are captured by an inspection engine that is operating at the:

A. Network or Transport Layer.
B. Application Layer.
C. Inspection Layer.
D. Data Link Layer.

Correct Answer: A

Explanation:

Most stateful packet inspection firewalls work at the network or transport layers. For the TCP/IP protocol suite, this allows the firewall to make decisions on IP addresses, protocols, and TCP/UDP port numbers.
“Application layer” is incorrect. This is too high in the OSI stack for this type of firewall.
“Inspection layer” is incorrect. There is no such layer in the OSI stack.
“Data link layer” is incorrect. This is too low in the OSI stack for this type of firewall.
References: CBK, p. 466; AIO3, pp. 485-486

Systems Security Certified Practitioner – SSCP – Question0895

A circuit level proxy is ___________________ when compared to an application level proxy.

A. lower in processing overhead.
B. more difficult to maintain.
C. more secure.
D. slower.

Correct Answer: A

Explanation:

Since the circuit level proxy does not analyze the application content of the packet in making its decisions, it has lower overhead than an application level proxy.
“More difficult to maintain” is incorrect. Circuit level proxies are typically easier to configure and simpler to maintain than an application level proxy.
“More secure” is incorrect. A circuit level proxy is not necessarily more secure than an application level proxy.
“Slower” is incorrect. Because it is lower in overhead, a circuit level proxy is typically faster than an application level proxy.
References: CBK, pp. 466-467; AIO3, pp. 488-490