In this simulation, you will analyze the capabilities of multilayer inspection firewalls in defending against advanced threats. You will learn to identify how modern firewall architectures apply defense-in-depth across the TCP/IP model.

CND (312-38) Network Defense Simulation

Network Scenario

Livewire Technologies has recently faced a series of complex attacks originating from both external threat actors and compromised internal devices. The attackers are utilizing MAC spoofing to bypass basic internal ACLs, IP spoofing to evade perimeter routing rules, and application-layer payloads (like SQL injection and malformed HTTP requests) to target web servers.

Leslie, the network administrator, is proposing a migration from their legacy packet-filtering firewall to a new multilayer inspection firewall appliance. She is presenting the business case to the CISO, explaining exactly how deep into the TCP/IP model this new appliance can enforce security policies to stop these multi-vector attacks.

Traffic & Logs

[10:14:02] FW-POLICY-TEST: Rule 'Anti-Spoof-L2' triggered.
[10:14:02] ACTION: DROP - Src MAC 00:1A:2B:3C:4D:5E not mapped to authorized VLAN.
[10:14:05] FW-POLICY-TEST: Rule 'Ingress-IP-Filter' triggered.
[10:14:05] ACTION: DROP - Src IP 10.0.0.5 arriving on external interface (Spoofing Detected).
[10:14:12] FW-DPI-ENGINE: Deep Packet Inspection engaged on Flow ID 99281.
[10:14:12] ACTION: ALERT/DROP - HTTP GET /login?user=admin' OR 1=1--
[10:14:12] REASON: Malicious Application Payload (SQLi Signature Match).

Question

Leslie, the network administrator of Livewire Technologies, has been recommending multilayer inspection firewalls for deployment in the company's infrastructure. Which layers of the TCP/IP model can such a firewall protect?

Look at the firewall logs provided in the scenario. What layers handle MAC filtering, logical addressing, and HTTP payload inspection in the TCP/IP model?

Expert Analysis

1. What is happening in the network: The network is experiencing attacks that span from physical/data-link spoofing to application-level exploitation. The legacy firewall cannot correlate or inspect traffic across all these depths simultaneously.

2. Identify behavior: Multilayer inspection (often tied to Stateful Multilayer Inspection or DPI) requires analyzing a packet's journey from the physical wire up to the application payload.

3. Why correct answer (D) is correct: Multilayer inspection firewalls provide comprehensive security by filtering traffic at the Application layer (inspecting payloads like HTTP/FTP for malicious content), the IP layer / Internet layer (verifying source/destination addresses and routing logic), and the Network Interface layer (enforcing MAC address filtering and physical port security). This provides a true defense-in-depth posture.

4. Why others are wrong: While TCP (Transport layer) is inspected in stateful firewalls, the options limiting protection to just TCP/IP or omitting the Application or Network Interface layers fail to describe the full multilayer capabilities defined in this specific TCP/IP model mapping. Option D provides the most comprehensive top-to-bottom coverage represented in the provided architecture.

5. Defensive Action: Implement the multilayer inspection firewall. Configure strict Layer 2 (Network Interface) MAC bindings, Layer 3 (IP) anti-spoofing drop rules, and Layer 7 (Application) deep packet inspection signatures to secure the perimeter and internal zones.
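A compact model of the three policy checks described above, applied bottom-up one layer at a time the way the scenario logs show them, as an added example (not code from the page or from any firewall product). The MAC-to-VLAN bindings, the internal prefixes and the SQLi signature are constructed assumptions; the MAC, IP and HTTP request line from the scenario logs are reused as inputs.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed policy tables for this example (assumptions, not from the page).
# Layer 2: MAC -> VLAN bindings enforced on internal interfaces. The MAC from
# the scenario log is deliberately absent, so it fails the 'Anti-Spoof-L2' check.
MAC_VLAN_BINDINGS = {"00:aa:bb:cc:dd:01": 10, "00:aa:bb:cc:dd:02": 20}
# Layer 3: prefixes that are only legitimate as sources on internal interfaces.
INTERNAL_NETS: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Layer 7: a minimal tautology signature in the spirit of the DPI engine's match.
SQLI_SIGNATURES = [re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I)]


@dataclass
class Packet:
    src_mac: str
    vlan: int
    iface: str                     # "internal" or "external"
    src_ip: str
    payload: Optional[str] = None  # HTTP request line, if any


Verdict = Tuple[str, str, str]     # (action, TCP/IP layer, reason)


def inspect(pkt: Packet) -> Verdict:
    """Walk the packet up the TCP/IP stack; the first layer whose policy fails drops it."""
    # Network Interface layer: on internal ports the source MAC must be bound to the VLAN it used.
    if pkt.iface == "internal" and MAC_VLAN_BINDINGS.get(pkt.src_mac.lower()) != pkt.vlan:
        return ("DROP", "Network Interface", f"Src MAC {pkt.src_mac} not mapped to authorized VLAN")
    # Internet layer: an internal source address can never legitimately arrive on the external port.
    ip = ipaddress.ip_address(pkt.src_ip)
    if pkt.iface == "external" and any(ip in net for net in INTERNAL_NETS):
        return ("DROP", "Internet", f"Src IP {pkt.src_ip} arriving on external interface (Spoofing Detected)")
    # Application layer: percent-decode before matching so an encoded payload is seen as the server would see it.
    if pkt.payload is not None:
        decoded = unquote(pkt.payload)
        if any(sig.search(decoded) for sig in SQLI_SIGNATURES):
            return ("DROP", "Application", "Malicious Application Payload (SQLi Signature Match)")
    return ("ALLOW", "All", "No policy violation")
```

Each check only fires if the layers below it passed, which is why a spoofed MAC never reaches the IP or payload rules in the logs.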

MINI LESSON: TCP/IP Model Layers & Firewalling
- Application Layer: WAFs and DPI engines inspect payload data (HTTP, SMTP) for exploits.
- Transport Layer: Stateful firewalls track connection states (TCP SYN/ACK).
- Internet (IP) Layer: Packet filters allow/deny based on IP addresses and routing headers.
- Network Interface Layer: Enforces physical boundaries, MAC addressing, and ARP spoofing prevention.
