In this simulation, you will analyze how different firewall technologies handle active connection states and traffic filtering logic. You will learn to identify the specific defensive mechanisms that distinguish packet filtering from session-aware monitoring.

CND (312-38) Network Defense Simulation

Network Scenario

An enterprise network uses a perimeter firewall to manage traffic between the untrusted WAN and the internal corporate LAN (10.0.0.0/24). The security team is upgrading its defense-in-depth strategy to move beyond simple stateless rules. They require a solution that understands the "context" of a packet: one that verifies whether an incoming packet is a legitimate part of an established TCP session or a new, unsolicited attempt.

Traffic & Logs

Consider the following firewall state table entry and log snippet:

[STATE TABLE]
ID: 5542 | PROTO: TCP | SRC: 10.0.0.45:49210 | DST: 93.184.216.34:443 | STATE: ESTABLISHED | AGE: 120s
ID: 5543 | PROTO: TCP | SRC: 10.0.0.22:51002 | DST: 204.79.197.200:80 | STATE: FIN_WAIT | AGE: 5s

[FIREWALL LOGS - REJECTED]
TIMESTAMP: 2023-10-27 10:15:02 ACTION: REJECT REASON: INVALID_STATE_TRANSITION
SRC: 198.51.100.12:3389 | DST: 10.0.0.45:49210
MSG: Incoming SYN/ACK without existing outbound SYN. Dropping unsolicited response.

Question

Which of the following firewalls are used to monitor the status of active connections, and configure the network packets to pass through the firewall? Each correct answer represents a complete solution. Choose all that apply.

A. Farm owner
B. Proxy server
C. Dynamic packet filtering
D. The circuit gateway

Focus on the terms that describe firewalls capable of maintaining a "state table" to track the full lifecycle of a connection rather than just inspecting headers in isolation.

Expert Analysis

1. What is happening in the network

The state table and log show a firewall performing stateful inspection. Each entry is keyed on the 5-tuple (source IP, source port, destination IP, destination port, protocol) and carries the TCP connection state (SYN_SENT, ESTABLISHED, FIN_WAIT) plus an age used for timing out idle entries. The rejected log entry is an inbound SYN/ACK from 198.51.100.12:3389 to 10.0.0.45:49210. The only table entry involving 10.0.0.45:49210 is the session to 93.184.216.34:443, a different peer, so the incoming packet's 5-tuple matches no entry in SYN_SENT state and the firewall drops it as an invalid state transition.

2. Identify attack or behavior

An unsolicited SYN/ACK at the perimeter is typically one of three things: reconnaissance (a SYN/ACK probe looking for a stateless filter that passes anything aimed at a high port), backscatter from a spoofed SYN that used 10.0.0.45 as its source address against 198.51.100.12:3389, or a stray or late packet from a connection the firewall no longer tracks. Whatever the cause, the firewall knows that 10.0.0.45 never sent a SYN to that destination, so it correctly classifies the packet as out-of-state and drops it rather than consulting a port-based rule.

3. Why correct answers are correct

The curriculum's answer key marks A and C as correct. C, dynamic packet filtering, is the textbook synonym for stateful inspection: the firewall monitors the status (state) of active connections in a state table and dynamically opens and closes "holes" for return traffic based on that state, which is exactly what the state table and the INVALID_STATE_TRANSITION rejection above demonstrate. "Farm owner" is not a recognized firewall type; the option label as printed appears to be corrupted, and the answer key treats A as the stateful (state-table) firewall option. Treat the label with suspicion, but recognize that the question is asking for the two names under which state-tracking firewalls appear in this curriculum.

4. Why others are wrong

  • B. Proxy server: An application-level gateway works at Layer 7. It does not pass the client's packets through at all; it terminates the client's connection, inspects the application protocol, and opens its own connection to the server. Because the question asks about configuring network packets to pass through the firewall based on connection status, a proxy does not fit.
  • D. The circuit gateway: A circuit-level gateway works at the Session Layer (Layer 5). It validates the TCP handshake between a trusted and an untrusted host, then relays the segments of that session without examining their contents. It does track sessions, which makes it a tempting distractor, but the curriculum classes it separately from dynamic packet filtering: it does not maintain a per-packet state table that drives filtering decisions on every subsequent packet and its state transitions.

5. Defensive action

Implement stateful packet inspection (SPI). This reduces the attack surface because you no longer have to leave the ephemeral (high-numbered) port range open for return traffic; the firewall opens the return path only for a specific 5-tuple and only for the duration of a valid, tracked session. Two practical caveats: the state table is a finite resource, so set sensible idle timeouts (the AGE column above is what those timeouts act on) and monitor for state-table exhaustion under SYN floods; and stateful filtering on its own says nothing about payload, so pair it with application-layer inspection where the policy needs it.

MINI LESSON: Stateful vs. Stateless

  • Stateless: Inspects packets one by one. If a rule says "Allow port 80," it allows any packet on port 80, even if it's a random ACK packet with no session.
  • Stateful (Dynamic): Maintains a state table. It knows that for an internal host to receive a response on port 49210, it must have first sent a request to that destination.
  • Signatures: Look at the TCP flags. A SYN/ACK arriving at your perimeter with no matching outbound SYN in the state table is either a SYN/ACK scan, backscatter from a spoofed SYN that used one of your addresses, or a stray packet; in every case the right decision is to drop it, and the REJECT log line is worth alerting on if it repeats from the same source.
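The state machine described in the expert analysis and in this mini lesson, as an added example that is not part of the CND material: a small Python stateful filter beside a stateless rule set, replayed over constructed packets that mirror state-table entries 5542 and 5543 and the rejected SYN/ACK from 198.51.100.12:3389. The 10.0.0.0/24 LAN comes from the scenario; the outbound policy (ports 80 and 443 only), the Packet structure, and all helper names are assumptions made for the example, and the REJECT message copies the wording of the scenario log.

```python
import ipaddress
from collections import namedtuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # the scenario's LAN
ALLOWED_OUTBOUND_PORTS = {80, 443}                  # outbound policy assumed for the example

# TCP only; flags is a frozenset of flag names, e.g. frozenset({"SYN", "ACK"})
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port flags")


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def stateless_decision(pkt):
    """Header-only rules: to let any reply back in, the ephemeral port range has to
    stay open, so a stray SYN/ACK aimed at port 49210 is allowed."""
    if is_internal(pkt.src_ip):
        return "ALLOW" if pkt.dst_port in ALLOWED_OUTBOUND_PORTS else "REJECT"
    return "ALLOW" if pkt.dst_port >= 1024 else "REJECT"


class StatefulFirewall:
    """Keys each TCP session by 5-tuple and admits inbound packets only when they
    fit the state recorded for that tuple (SYN_SENT, ESTABLISHED, FIN_WAIT)."""

    def __init__(self):
        self.table = {}    # 5-tuple -> state
        self.rejects = []  # REJECT log lines, worded like the scenario log

    @staticmethod
    def _key(pkt):
        # (proto, inside ip, inside port, outside ip, outside port): both directions
        # of one connection map to the same entry
        if is_internal(pkt.src_ip):
            return ("TCP", pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return ("TCP", pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def _reject(self, pkt, reason, msg):
        self.rejects.append(f"ACTION: REJECT REASON: {reason} SRC: {pkt.src_ip}:{pkt.src_port}"
                            f" | DST: {pkt.dst_ip}:{pkt.dst_port} MSG: {msg}")
        return "REJECT"

    def process(self, pkt):
        key, outbound = self._key(pkt), is_internal(pkt.src_ip)
        state = self.table.get(key)
        syn, ack, fin = "SYN" in pkt.flags, "ACK" in pkt.flags, "FIN" in pkt.flags

        if syn and not ack:  # new connection attempt
            if not outbound:
                return self._reject(pkt, "NO_MATCHING_RULE", "Unsolicited inbound SYN.")
            if pkt.dst_port not in ALLOWED_OUTBOUND_PORTS:
                return self._reject(pkt, "POLICY", "Outbound destination port not permitted.")
            self.table[key] = "SYN_SENT"  # opens the return path for this 5-tuple only
            return "ALLOW"

        if syn and ack and not outbound:  # second step of the handshake
            # a retransmitted SYN/ACK on an ESTABLISHED entry is tolerated; anything
            # else is the INVALID_STATE_TRANSITION case from the scenario log
            if state not in ("SYN_SENT", "ESTABLISHED"):
                return self._reject(pkt, "INVALID_STATE_TRANSITION", "Incoming SYN/ACK without "
                                    "existing outbound SYN. Dropping unsolicited response.")
            self.table[key] = "ESTABLISHED"
            return "ALLOW"

        if state is None:  # ACK/FIN/RST belonging to no tracked session
            return self._reject(pkt, "NO_SESSION", "Packet matches no tracked connection.")
        if fin:  # first FIN moves the entry to FIN_WAIT, the other side's FIN removes it
            if state == "FIN_WAIT":
                del self.table[key]
            else:
                self.table[key] = "FIN_WAIT"
        return "ALLOW"  # data or ACK inside a tracked session


def handshake(in_ip, in_port, out_ip, out_port):
    """The three constructed segments of one outbound TCP handshake."""
    return [Packet(in_ip, in_port, out_ip, out_port, frozenset({"SYN"})),
            Packet(out_ip, out_port, in_ip, in_port, frozenset({"SYN", "ACK"})),
            Packet(in_ip, in_port, out_ip, out_port, frozenset({"ACK"}))]


def run_scenario():
    """Replays constructed traffic mirroring state-table entries 5542 and 5543, then
    the stray SYN/ACK from 198.51.100.12:3389 that the scenario log rejected."""
    fw = StatefulFirewall()
    results = {"session_5542": [fw.process(p) for p in handshake("10.0.0.45", 49210, "93.184.216.34", 443)]}
    for p in handshake("10.0.0.22", 51002, "204.79.197.200", 80):
        fw.process(p)
    fw.process(Packet("10.0.0.22", 51002, "204.79.197.200", 80, frozenset({"FIN", "ACK"})))
    stray = Packet("198.51.100.12", 3389, "10.0.0.45", 49210, frozenset({"SYN", "ACK"}))
    results["stray_stateful"] = fw.process(stray)
    results["stray_stateless"] = stateless_decision(stray)
    results["state_5542"] = fw.table[("TCP", "10.0.0.45", 49210, "93.184.216.34", 443)]
    results["state_5543"] = fw.table[("TCP", "10.0.0.22", 51002, "204.79.197.200", 80)]
    results["reject_log"] = list(fw.rejects)
    return results
```

Calling run_scenario() leaves entry 5542 in ESTABLISHED and entry 5543 in FIN_WAIT, exactly as the state table shows, and the stray SYN/ACK is rejected with the INVALID_STATE_TRANSITION message while stateless_decision() lets the same packet through because it is aimed at a high port. The normalised key is the design point worth noting: without folding both directions of a connection onto one tuple, the inbound SYN/ACK could never be matched against the outbound SYN that authorised it.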
