The SecOps Group CNSP Exam - Topic 4 Question 15 Discussion

TCP (Transmission Control Protocol) uses a three-way handshake (SYN, SYN-ACK, ACK) to establish connections, as per RFC 793. When a client sends a SYN packet to a port:

Open Port: The server responds with SYN-ACK.

Closed Port (no firewall): The server sends an RST (Reset) packet, often with ACK, to terminate the attempt immediately.

However, when a firewall is present, its configuration dictates the response. Modern firewalls typically operate in stealth mode, using a 'drop' rule for closed ports rather than a 'reject' rule:

Drop: Silently discards the packet without replying, resulting in no response. The client experiences a timeout (e.g., 30 seconds), as no feedback is provided.

Reject: Sends an RST or ICMP 'Port Unreachable,' but this is less common for security reasons, as it confirms the firewall's presence.

For a closed TCP port behind a firewall, 'no response' (drop) is the standard behavior in secure configurations, minimizing information leakage to attackers. This aligns with CNSP's focus on firewall best practices to obscure network topology during port scanning (e.g., with Nmap).

Why other options are incorrect:

A . A FIN and an ACK packet: FIN-ACK is used to close an established TCP connection gracefully (e.g., after data transfer), not to respond to an initial SYN on a closed port.

B . RST and an ACK packet: RST-ACK is the host's response to a closed port without a firewall. A firewall's drop rule overrides this by silently discarding the packet.

C . A SYN and an ACK packet: SYN-ACK indicates an open port accepting a connection, the opposite of a closed port scenario.

Real-World Context: Tools like Nmap interpret 'no response' as 'filtered' (firewall likely present) vs. 'closed' (RST received), aiding in firewall detection.