In this simulation, you will analyze network traffic flow and identify the characteristics of modern defensive barriers. You will learn to distinguish between different firewall technologies and how they manage session-based communication.

CND (312-38) Network Defense Simulation

Network Scenario

You are managing a corporate perimeter network. The infrastructure includes an internal LAN, a DMZ hosting an Apache web server, and a primary edge security appliance. Users are reporting that their established TCP connections to the web server are occasionally being dropped, even though the initial handshake was successful.

Internal Gateway: 10.0.0.1

Web Server (DMZ): 192.168.10.50 (Port 80/443)

Traffic & Logs

2023-10-27 14:02:11 [ALLOW] SRC: 203.0.113.5:54221 -> DST: 192.168.10.50:443 [PROTO: TCP] [FLAGS: SYN]

2023-10-27 14:02:11 [ALLOW] SRC: 192.168.10.50:443 -> DST: 203.0.113.5:54221 [PROTO: TCP] [FLAGS: SYN-ACK] [STATE: NEW]

2023-10-27 14:02:12 [ALLOW] SRC: 203.0.113.5:54221 -> DST: 192.168.10.50:443 [PROTO: TCP] [FLAGS: ACK] [STATE: ESTABLISHED]

2023-10-27 14:02:15 [DENY] SRC: 203.0.113.5:54221 -> DST: 192.168.10.50:443 [PROTO: TCP] [FLAGS: PSH-ACK] [REASON: No state match]

Analysis: The appliance is tracking the 'state' of the connection. The packet at 14:02:15 was denied because the firewall could not find a corresponding entry in its internal connection table.

Question

Which of the following is also known as stateful firewall?

Expert Analysis

1. Network Activity: The logs show a standard TCP three-way handshake (SYN, SYN-ACK, ACK). The firewall is monitoring these transitions to ensure only valid sequences are allowed through.

2. Identification: The behavior observed is Stateful Inspection. The firewall maintains a "State Table" (or connection table). When a packet arrives, the firewall checks if it belongs to an existing, valid session before applying rule-base checks.

3. Why Choice D is Correct: Dynamic packet-filtering is synonymous with stateful firewalls. Unlike static filtering, which only checks headers against a fixed list (ACLs), dynamic filtering creates temporary rules to allow returning traffic for established sessions.

4. Why Others are Wrong:

PIX firewall: While Cisco PIX was a stateful firewall, it is a specific product name, not the general term for the technology.
Stateless firewall: These do not track session state and treat every packet in isolation, making them vulnerable to spoofing.
DMZ: This is a network architecture (Demilitarized Zone), not a filtering technology.

5. Defensive Action: As a defender, ensuring your firewall is performing stateful inspection prevents "out-of-state" packets (like a lone SYN-ACK or a DATA packet without a handshake) from penetrating the perimeter.

MINI LESSON: State vs. Stateless

Stateless: Fast, but "dumb." Checks Source IP, Dest IP, and Port. If the rule says allow Port 80, it allows any Port 80 packet, even if it's not part of a real conversation.

Stateful (Dynamic): Intelligent. It understands that a packet with the "ACK" flag should only exist if a "SYN" was seen previously. It provides better protection against scanning and session hijacking.

Explore more CND simulations