Evading IDS, Firewalls, and Honeypots

Correct Answer: Honeypot deployment

The correct answer is 'Honeypot deployment'. A honeypot is a security mechanism that creates a deliberately vulnerable system designed to attract attackers. The primary purpose is to monitor and analyze attacker behavior, techniques, and tools while keeping them away from actual production systems. This approach allows security professionals to study attack methodologies in a controlled environment. 'Network traffic baiting' is not a standard security term in the cybersecurity industry, particularly in the context of the CEH curriculum. 'Vulnerability scanning in passive mode' refers to scanning systems for vulnerabilities in a way that minimizes network traffic and impact, but it doesn't involve creating vulnerable systems to attract attackers. 'Intrusion signature collection through deliberately exposed network segments' describes a concept somewhat similar to honeypots but is not the standard terminology used in cybersecurity. While honeypots may collect intrusion signatures, this answer option uses overly technical language that doesn't accurately represent the standard technique.

Correct Answer: Tracks the state of network connections and makes decisions based on connection context

A stateful inspection firewall's primary function is to track the state of network connections and make decisions based on the connection context. This means it monitors all active connections and determines which network packets are permitted based on previously established connections. This type of firewall maintains a state table that contains information about all active connections, including source and destination IP addresses, ports, sequence numbers, and connection states. This allows the firewall to understand the context of each packet within ongoing communications. The other options are incorrect: Examining only IP headers is characteristic of packet filtering firewalls, which are less sophisticated than stateful inspection firewalls as they don't track connection state. Using signature-based detection to identify malicious traffic patterns is more characteristic of an intrusion detection system (IDS) or intrusion prevention system (IPS), not specifically a stateful inspection firewall. Creating extensive logs of network activities is a feature that many security devices have, including firewalls, but it's not the primary function of a stateful inspection firewall specifically.

Correct Answer: Normalizing traffic by reconstructing packets before inspection

Fragmentation overlap attacks are a technique used to evade IDS systems by sending overlapping IP fragments that may be reassembled differently by the target system versus the IDS. Normalizing traffic by reconstructing packets before inspection is the most effective countermeasure because it ensures the IDS sees the same reassembled packet as the end system will. This technique addresses the core problem by handling the fragmentation before analysis. Anti-spoofing filters (option 2) help prevent IP address spoofing but don't address how fragments are reassembled or interpreted. Deploying multiple sensors (option 3) provides redundancy but doesn't solve the fundamental issue of packet reassembly differences. Configuring TCP session timeout values (option 4) relates to connection state management but doesn't address how fragmented packets are interpreted or reassembled.