GIAC GSNA Exam - Topic 1 Question 9 Discussion

Packet filtering firewalls work on the first three layers of the OSI reference model, which means all the work is done between the network and

physical layers. When a packet originates from the sender and filters through a firewall, the device checks for matches to any of the packet

filtering rules that are configured in the firewall and drops or rejects the packet accordingly. In a software firewall, packet filtering is done by a

program called a packet filter. The packet filter examines the header of each packet based on a specific set of rules, and on that basis, decides

to prevent it from passing (called DROP) or allow it to pass (called ACCEPT). A packet filter passes or blocks packets at a network interface

based on source and destination addresses, ports, or protocols. The process is used in conjunction with packet mangling and Network

Address Translation (NAT). Packet filtering is often part of a firewall program for protecting a local network from unwanted intrusion. This type

of firewall can be best used for network perimeter security.

Answer B is incorrect. An Intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at

accessing, manipulating, and/or disabling of computer systems, mainly through a network, such as the Internet. These attempts may take the

form of attacks, as examples, by crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly

encrypted traffic. An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and

trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks

such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).

Answer A is incorrect. A proxy server exists between a client's Web-browsing program and a real Internet server. The purpose of the

proxy server is to enhance the performance of user requests and filter requests. A proxy server has a database called cache where the most

frequently accessed Web pages are stored. The next time such pages are requested, the proxy server is able to suffice the request locally,

thereby greatly reducing the access time. Only when a proxy server is unable to fulfill a request locally does it forward the request to a real

Internet server. The proxy server can also be used for filtering user requests. This may be done in order to prevent the users from visiting

non-genuine sites.

Answer D is incorrect. A honeypot is a term in computer terminology used for a trap that is set to detect, deflect, or in some manner

counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to

be part of a network, but is actually isolated, and monitored, and which seems to contain information or a resource of value to attackers.