CND (312-38) Network Defense Simulation

In this simulation, you will analyze enterprise network traffic patterns to identify active protocols and their defensive significance. Mastering protocol identification is fundamental for configuring firewalls, IDS signatures, and preventing data exfiltration via common communication channels.

Network Scenario

The enterprise network (10.0.0.0/24) consists of a DMZ hosting public-facing services and an Internal LAN. You are monitoring the outbound traffic from the Internal Mail Server (10.0.0.25) to external mail relays on the internet.

Internal Segment: Endpoints (10.0.0.50 - 10.0.0.200)
Mail Server (10.0.0.25)

Perimeter Defense: Next-Gen Firewall (NGFW)
Suricata IDS (Bridge Mode)

Traffic & Logs

NetFlow Extract (Internal -> External):

                    2023-10-27 14:02:11 | SRC: 10.0.0.25:58321 | DST: 203.0.113.44:25 | PROTO: TCP | LEN: 54 | FLAGS: SYN

                    2023-10-27 14:02:11 | SRC: 203.0.113.44:25 | DST: 10.0.0.25:58321 | PROTO: TCP | LEN: 54 | FLAGS: SA

                    2023-10-27 14:02:11 | SRC: 10.0.0.25:58321 | DST: 203.0.113.44:25 | PROTO: TCP | LEN: 124 | DATA: 220 relay.external.com ESMTP...

                    2023-10-27 14:02:12 | SRC: 10.0.0.25:58321 | DST: 203.0.113.44:25 | PROTO: TCP | LEN: 88 | DATA: EHLO mail.internal.com...

IDS Alert: SURICATA STREAM ESTABLISHED TCP Packet detected on Port 25. Payload indicates standard greeting exchange for an application-layer messaging protocol.

Question

Which of the following protocols is used for E-mail?

Expert Analysis

1. What is happening in the network

The logs show an internal host (10.0.0.25) initiating a 3-way handshake with an external IP (203.0.113.44) on Port 25. Following the handshake, a banner exchange occurs mentioning "ESMTP" (Extended Simple Mail Transfer Protocol).

2. Identify attack or behavior

This is standard outbound mail traffic. However, defenders monitor this to ensure only authorized mail servers use Port 25. If a regular workstation (e.g., 10.0.0.150) were seen connecting to Port 25, it would indicate a "SpamBot" infection or a misconfigured host.

3. Why correct answer is correct

SMTP (Simple Mail Transfer Protocol) is the industry-standard protocol for sending and relaying emails across IP networks. It typically operates on port 25 (unencrypted) or 587 (submission).

4. Why others are wrong

TELNET: Used for insecure remote terminal access (Port 23).
MIME (Multipurpose Internet Mail Extensions): This is a standard for formatting non-ASCII content (attachments, HTML) *within* an email, not the transmission protocol itself.
SSH (Secure Shell): Used for secure remote management and file transfers (Port 22).

5. Defensive action

Implement an Egress Filter on the perimeter firewall. Allow TCP/25 only from the known internal mail server IP (10.0.0.25) and deny it for all other internal IPs. This prevents internal compromised endpoints from being used as mail relays for spam or data exfiltration.

MINI LESSON: Traffic Pattern Recognition

Recognizing protocols by their port numbers is the first step in CND. SMTP (25), DNS (53), HTTP (80), and HTTPS (443) are the most common egress points. If you see SMTP traffic containing large encrypted attachments going to an unknown destination, it may indicate Data Exfiltration.

Explore more CND simulations

View More Tests