In this simulation, you will analyze legacy network protocol behavior and identify potential policy violations. You will learn to recognize unexpected outbound traffic and understand the defensive posture required to restrict legacy application abuse.

CND (312-38) Network Defense Simulation

Network Scenario

During a routine review of perimeter firewall logs, you notice unexpected outbound TCP connections originating from a legacy engineering server (10.50.1.22). The traffic is destined for an unknown external IP address over an uncommon, older port.

Your organization has a strict "default-deny" egress policy, but a misconfiguration on the legacy network segment seems to have allowed this traffic to pass. You must identify the protocol in use to determine if this is unauthorized data exfiltration, shadow IT, or an acceptable use case.

Traffic & Logs

[FIREWALL] RULE_MATCH: Outbound_Legacy_Segment SRC: 10.50.1.22 DST: 203.0.113.88 PROTO: TCP DPORT: 119 ACTION: PERMIT
SRC: 10.50.1.22 DST: 203.0.113.88 PROTO: TCP DPORT: 119 ACTION: PERMIT
[IDS/IPS] ALERT ENABLED: SID 2002145 - ET POLICY Outbound Legacy Protocol Connection SRC_IP: 10.50.1.22 DPORT: 119 MESSAGE: "Potential Policy Violation - Usenet News Protocol"

Question

Which of the following is an Internet application protocol used for transporting Usenet news articles between news servers and for reading and posting articles by end-user client applications?
Hint: Focus on the "N" in the acronyms. You are looking for a protocol designed specifically for "News" networks.

Expert Analysis

1. What is happening in the network

Network monitoring controls have flagged outbound TCP traffic on port 119. This port is historically reserved for Usenet newsgroups. Its presence in a modern enterprise network is highly unusual and warrants immediate investigation.

2. Identify attack or behavior

While this protocol is legitimate, its appearance often indicates a policy violation (e.g., an employee accessing unapproved external forums/piracy boards via Usenet). In a worst-case scenario, advanced attackers or malware may use unmonitored legacy ports like TCP 119 to bypass modern firewall restrictions and exfiltrate data, hoping security teams have forgotten to block them.

3. Why the correct answer is correct

NNTP (Network News Transfer Protocol) is the correct protocol. It uses TCP port 119 (or 563 for NNTPS) and was specifically designed for distributing, inquiring, retrieving, and posting news articles via Usenet.

4. Why the others are wrong

5. Defensive action

To mitigate this risk, enforce a strict Default Deny policy for outbound traffic. Block TCP 119 and 563 at the perimeter firewall. If business requirements dictate Usenet access, implement Layer 7 (Application) filtering to inspect the NNTP payload, restrict access to specific authorized internal hosts, and require TLS encryption (NNTPS).

MINI LESSON: Legacy Protocol Abuse

Modern network defenders must aggressively manage the attack surface. Attackers frequently scan for and exploit "forgotten" ports and legacy protocols (e.g., NNTP, TFTP, Telnet, older versions of SMB).

  • Detection: Utilize Next-Generation Firewalls (NGFW) to identify traffic by application signature rather than just port number. Port 119 could be carrying disguised HTTP or SSH traffic.
  • Prevention: Only explicitly whitelist required outbound ports (e.g., TCP 80, 443). Everything else should be dropped and logged.
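As an added example (not part of the original simulation), the Python below sketches the two checks the defensive action and mini lesson call for: parsing firewall log lines in the format shown above to flag PERMITted egress outside the allow-list, and classifying the first bytes of a flow by application signature rather than by port. The log lines, payloads, and the allow-list of TCP 80/443 are constructed from this page's example values.

```python
import re

# Constructed sample log lines in the format shown on this page (not a real capture).
FIREWALL_LOG = """\
[FIREWALL] RULE_MATCH: Outbound_Legacy_Segment SRC: 10.50.1.22 DST: 203.0.113.88 PROTO: TCP DPORT: 119 ACTION: PERMIT
[FIREWALL] RULE_MATCH: Outbound_Web SRC: 10.50.1.30 DST: 198.51.100.7 PROTO: TCP DPORT: 443 ACTION: PERMIT
[FIREWALL] RULE_MATCH: Outbound_Legacy_Segment SRC: 10.50.1.22 DST: 203.0.113.88 PROTO: TCP DPORT: 563 ACTION: PERMIT
[FIREWALL] RULE_MATCH: Default_Deny SRC: 10.50.1.22 DST: 203.0.113.88 PROTO: TCP DPORT: 23 ACTION: DENY
"""

# Ports the default-deny egress policy explicitly allows (page example: TCP 80, 443).
EGRESS_ALLOWLIST = {80, 443}
# Legacy ports the page says to block at the perimeter, with a label for reporting.
LEGACY_PORTS = {119: "NNTP", 563: "NNTPS", 23: "Telnet", 69: "TFTP"}

LINE_RE = re.compile(
    r"SRC: (?P<src>\S+) DST: (?P<dst>\S+) PROTO: (?P<proto>\S+) "
    r"DPORT: (?P<dport>\d+) ACTION: (?P<action>\S+)"
)

def find_policy_violations(log_text):
    """Return (src, dst, dport, label) for every PERMITted flow whose destination
    port is outside the allow-list, i.e. a hole in the default-deny egress policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "PERMIT":
            continue  # denied flows are policy working as intended
        dport = int(m["dport"])
        if dport in EGRESS_ALLOWLIST:
            continue
        findings.append((m["src"], m["dst"], dport, LEGACY_PORTS.get(dport, "unlisted")))
    return findings

def classify_payload(first_bytes):
    """Layer-7 check from the mini lesson: identify what is really on the wire
    instead of trusting the port. An NNTP server greets with a 200/201 status
    line and clients send commands such as GROUP/ARTICLE (RFC 3977); SSH banners
    start with 'SSH-'; HTTP requests start with a method and a path."""
    head = first_bytes[:16]
    if head.startswith(b"SSH-"):
        return "SSH"
    if re.match(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS) /", head):
        return "HTTP"
    if re.match(rb"20[01] ", head) or re.match(rb"(GROUP|ARTICLE|MODE READER|XOVER|NEWNEWS)\b", head):
        return "NNTP"
    return "unknown"  # e.g. TLS ClientHello: needs NNTPS/TLS handling, not covered here
```

A flow on port 119 that classifies as SSH or HTTP is exactly the disguised-traffic case the mini lesson warns about and should be escalated rather than treated as a Usenet policy violation.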
