a. Correct. There is no visibility firewall parameter.

b. Incorrect. Rules can be set to only be active during a scheduled time.

c. Incorrect. A rule can be created that is unique for specific circumstances (contexts). For example, different rules may be in effect depending on whether a laptop is on-site or is remote (sometimes called geographical consideration).

d. Incorrect. The action setting indicates what the firewall should do when the conditions of the rule are met.

a. Incorrect. Force Allow permits traffic that would normally be denied by other rules.

b. Incorrect. This is fictitious and does not exist.

c. Incorrect. Bypass allows all traffic to bypass the firewall.

d. Correct. Allow implicitly denies all other traffic unless explicitly allowed.

a. Incorrect. Firewalls can also apply content/URL filtering. The firewall can be used to monitor websites accessed through HTTP to create custom filtering profiles. The filtering can be performed by assessing webpages by their content category, and then create whitelists and blacklists of specific URLs.

b. Correct. A more flexible type of firewall than a rule-based firewall is a policy-based firewall. This type of firewall allows for more generic statements to be used instead of specific rules.

c. Incorrect. Hardware firewalls are specialized separate devices that inspect traffic. Because they are specialized devices, hardware firewalls tend to have more features but are more expensive and can require more effort to configure and manage.

d. Incorrect. Firewalls that are owned by an entity that has an exclusive right to them are called proprietary firewalls.

a. Correct. Stateful packet filtering uses both the firewall rules and the state of the connection: that is, whether the internal device requested each packet. A stateful packet filtering firewall keeps a record of the state of a connection between an internal endpoint and an external device.

b. Incorrect. This is fictitious and does not exist.

c. Incorrect. This is fictitious and does not exist.

d. Incorrect. This is fictitious and does not exist.

a. Correct. A virtual firewall is one that runs in the cloud. Virtual firewalls are designed for settings, such as public cloud environments, in which deploying an appliance firewall would be difficult or even impossible.

b. Incorrect. A firewall that runs in an endpoint virtual machine is a host firewall.

c. Incorrect. Firewalls block both incoming and outgoing traffic.

d. Incorrect. An appliance firewall is typically a separate hardware device designed to protect an entire network.

a. Incorrect. Network address translation (NAT) is a technique that allows private IP addresses to be used on the public Internet. It does this by replacing a private IP address with a public IP address: as a packet leaves a network, NAT removes the private IP address from the sender’s packet, replaces it with an alias IP public address, and then maintains a record of the substitution; when a packet is returned, the process is reversed.

b. Incorrect. One specialized firewall is a web application firewall (WAF) that looks at the applications using HTTP. A web application firewall, which can be a separate hardware appliance or a software plug-in, can block specific websites or attacks that attempt to exploit known vulnerabilities in specific client software and can even block cross-site scripting and SQL injection attacks.

c. Correct. Unified threat management (UTM) is a device that combines several security functions. These include packet filtering, antispam, antiphishing, antispyware, encryption, intrusion protection, and web filtering.

d. Incorrect. A next generation firewall (NGFW) has additional functionality beyond a traditional firewall. NGFWs can filter packets based on applications. NGFWs have visibility of applications by using deep packet inspection and thus can examine the payloads of packets and determine if they are carrying malware. In addition to basic firewall protections, filtering by applications, and deep packet inspection, NGFWs can also perform URL filtering and intrusion prevention services.

a. Correct. A high-interaction honeypot is designed for capturing much more information from the threat actor. Usually, it is configured with a default login and loaded with software, data files that appear to be authentic but are actually imitations of real data files (honeyfiles), and fake telemetry.

b. Incorrect. This is fictitious and does not exist.

c. Incorrect. This is fictitious and does not exist.

d. Incorrect. This is fictitious and does not exist.