Which of the following statements is true regarding a stateless packet-filtering firewall? (Select the best answer.)
A. It can operate at Layer 4 of the OSI model.
B. It is more secure than a stateful packet-filtering firewall.
C. It tracks packets as a part of a stream.
D. It is not susceptible to IP spoofing attacks.
Explanation:
A stateless packet-filtering firewall can operate at Layer 4 of the Open Systems Interconnection (OSI) model.
A stateless packet-filtering firewall, which is also referred to as a static packet-filtering firewall, evaluates and either blocks or allows individual packets based on the Layer 3 and Layer 4 information in the packet header. Specifically, stateless packet-filtering firewalls can use the source and destination IP addresses, source and destination port numbers, and protocol type listed in the packet header; these values are commonly known as the 5-tuple. Because a stateless packet-filtering firewall allows all traffic from an approved IP address, stateless packet-filtering firewalls are susceptible to IP spoofing attacks; an IP spoofing attack is a type of attack wherein an attacker uses the source IP address of a trusted host to send messages to other computers. This allows the attacker to send messages that appear to come from legitimate hosts on the network. In addition, because a stateless packet-filtering firewall evaluates packets individually, it cannot evaluate data streams or track connections.

By contrast, stateful packet-filtering firewalls traditionally operate at Layers 3, 4, and 5 of the OSI model. Stateful packet-filtering firewalls are more secure than stateless packet-filtering firewalls and are commonly used because of their versatility and ability to dynamically monitor and filter packets. Session information is maintained and tracked by stateful packet-filtering firewalls in order to determine whether packets should be permitted or blocked. For example, when monitoring Transmission Control Protocol (TCP) traffic, the stateful packet filter adds an entry to the state table when a TCP session is permitted. Subsequent packets are verified against the state table to ensure that the packets are in the expected sequence. If the TCP packet sequence numbers are not in the expected range, the packets are dropped.

CCNA Security 210-260 Official Cert Guide, Chapter 14, Static Packet Filtering, p. 362
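The contrast drawn in the explanation can be seen in a small model. The following Python sketch is an added illustration, not material from the cited guide: it runs the same inbound packets through a static 5-tuple check and through a simplified state table. The rule, the window size, the class and function names, and the addresses (documentation ranges) are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    seq: int = 0  # TCP sequence number; the stateless filter never reads it

# Constructed static rule: permit TCP from a trusted range, source port 443.
STATIC_RULES = [("198.51.100.0/24", 443, "10.0.0.0/24", None, "tcp")]

def stateless_permit(pkt, rules=STATIC_RULES):
    """Judge one packet on its 5-tuple alone; no memory of earlier packets."""
    return any(
        ip_address(pkt.src) in ip_network(src_net)
        and ip_address(pkt.dst) in ip_network(dst_net)
        and sport in (None, pkt.sport) and dport in (None, pkt.dport)
        and proto == pkt.proto
        for src_net, sport, dst_net, dport, proto in rules)

class StatefulFilter:
    """Simplified model: one state-table entry per permitted outbound session."""
    WINDOW = 65535  # assumed acceptable sequence range for this sketch

    def __init__(self):
        self.state = {}  # reply 5-tuple -> next expected sequence number

    def outbound(self, pkt):
        # Key the entry by the 5-tuple a reply will carry; the peer's
        # sequence base is learned from its first reply.
        self.state[(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)] = None

    def inbound_permit(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key not in self.state:
            return False  # no matching session in the state table
        expected = self.state[key]
        if expected is not None and not 0 <= (pkt.seq - expected) % 2**32 < self.WINDOW:
            return False  # sequence number outside the expected range
        self.state[key] = (pkt.seq + 1) % 2**32  # simplification: advance by 1
        return True

# Constructed sample traffic.
SYN = Packet("10.0.0.5", 40000, "198.51.100.10", 443, "tcp", seq=1000)
REPLY = Packet("198.51.100.10", 443, "10.0.0.5", 40000, "tcp", seq=5000)
NO_SESSION = Packet("198.51.100.10", 443, "10.0.0.6", 40001, "tcp", seq=7)
OUT_OF_RANGE = Packet("198.51.100.10", 443, "10.0.0.5", 40000, "tcp", seq=1005001)
```

The static rule permits all three inbound packets because each carries an approved source address; the state table permits only the reply that belongs to a recorded session and falls within the expected sequence range.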