A network administrator configures a stateless firewall with the rule 'allow inbound TCP from any source on port 80' to permit web browsing return traffic. What security vulnerability does this create?
A. It inadvertently blocks HTTPS traffic, which uses port 443
B. It slows down network performance because every inbound packet must be inspected against the full rule set
C. It permits any external host to initiate unsolicited connections to internal machines on port 80, because the stateless firewall cannot distinguish return traffic from attack traffic
D. It only creates a vulnerability for HTTP — HTTPS traffic is filtered independently
A stateless firewall evaluates each packet in isolation without knowing whether it is part of an established session. The rule 'allow inbound TCP from any source port 80' matches both legitimate web server responses AND packets crafted by an attacker to appear as if they originate from port 80. The firewall cannot tell the difference. A stateful firewall solves this by tracking which internal hosts initiated outbound connections and automatically allowing only the return packets that belong to those sessions — no permissive inbound rule is needed.
Question 2 Multiple Choice
A company places its public web server directly on the internal network and configures the firewall to allow inbound traffic on ports 80 and 443. What is the key security risk compared to placing the web server in a DMZ?
A. The web server will perform worse because traffic must traverse the firewall twice
B. If the web server is compromised, the attacker has direct access to the internal network — a DMZ would isolate the web server so a breach cannot directly reach internal systems
C. Port 80 traffic is inherently insecure regardless of where the server is placed in the network
D. All architectures without a DMZ carry identical risk — only the firewall rules determine security, not network segmentation
The DMZ's purpose is blast radius limitation. A public-facing web server is an attractive attack target; if it is on the internal network, a successful compromise gives the attacker a foothold directly adjacent to sensitive internal systems. A DMZ places the web server in a separate segment that can receive inbound internet connections but cannot initiate connections to the internal network. Even if the web server is fully compromised, the attacker is still separated from the internal network by another firewall layer.
Question 3 True / False
A stateful firewall requires explicit allow rules for both the outbound request and the corresponding inbound response in order to permit employees to browse websites.
T. True
F. False
Answer: False
This describes stateless firewall behavior, not stateful. A stateful firewall maintains a connection table that records active sessions. When an employee's browser sends an outbound HTTP request, the firewall logs the session (source IP, destination IP, source port, destination port). When the web server's response arrives inbound, the firewall checks the connection table, recognizes it as belonging to an established session, and permits it automatically — without any explicit inbound rule. This is precisely the advantage of stateful inspection: return traffic is handled implicitly, eliminating the security hole that explicit inbound port rules create.
Question 4 True / False
In a firewall rule set evaluated top-to-bottom, placing a broad 'permit all TCP' rule before a specific 'deny port 23 (Telnet)' rule means that Telnet traffic will be permitted despite the deny rule.
T. True
F. False
Answer: True
Firewalls use first-match evaluation: the first rule in the list that matches a packet determines its fate. If 'permit all TCP' appears first, every TCP packet — including Telnet on port 23 — matches it and is permitted before the firewall even reaches the deny rule. The deny rule is dead code in this configuration. This is why firewall rules must be ordered from most specific to most general, with broad rules (like 'deny all') at the bottom as defaults. A misplaced broad permit rule can silently allow traffic you intended to block.
Question 5 Short Answer
Explain why stateful firewalls are considered more secure than stateless firewalls for protecting internal networks from unsolicited inbound connections.
Model answer: Stateful firewalls track connection state in a session table. When an internal host initiates an outbound connection, the firewall records the session details (IPs, ports, sequence numbers). Inbound packets are checked against this table: if they match an established outgoing session, they are permitted; otherwise they are dropped by default. This means no permissive inbound rules are needed — the firewall distinguishes legitimate responses from unsolicited attacks based on whether a session exists. Stateless firewalls evaluate each packet independently and cannot make this distinction, forcing administrators to write permissive inbound rules (e.g., 'allow source port 80') that any attacker can exploit by crafting packets with matching source ports.
The fundamental limitation of stateless firewalls is amnesia: each packet is evaluated as if no prior packets ever existed. Stateful firewalls have memory: they know which internal hosts reached out and expect a response, and they reject everything else. This transforms the security model from 'allow traffic that looks right' to 'allow only traffic that belongs to a known session.'
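A toy model of the three mechanisms the explanations above describe (the permissive stateless rule from Question 1, stateful session tracking from Questions 3 and 5, and first-match rule ordering from Question 4), written as an added example that is not part of the quiz. The packet and rule tuple formats, addresses and ports are all constructed for illustration.

```python
# Added example, not from the quiz: a toy packet filter contrasting stateless
# first-match evaluation with stateful connection tracking. A packet is a tuple
# (direction, src_ip, src_port, dst_ip, dst_port), a rule is (action, direction,
# sport, dport) with None as a wildcard. Addresses and ports are constructed.

def matches(rule, pkt):
    _, direction, sport, dport = rule
    return (direction in (None, pkt[0]) and sport in (None, pkt[2])
            and dport in (None, pkt[4]))

def stateless(rules, pkt):
    """First matching rule decides; no match means implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return "deny"

class StatefulFirewall:
    """Outbound rules only; inbound traffic must answer a tracked session."""
    def __init__(self, outbound_rules):
        self.rules = outbound_rules
        self.sessions = set()  # (internal ip, port, external ip, port)

    def filter(self, pkt):
        direction, src, sport, dst, dport = pkt
        if direction == "out":
            verdict = stateless(self.rules, pkt)
            if verdict == "permit":
                self.sessions.add((src, sport, dst, dport))
            return verdict
        # Inbound: permit only the mirror image of a recorded session.
        return "permit" if (dst, dport, src, sport) in self.sessions else "deny"

REQUEST = ("out", "10.0.0.5", 51000, "203.0.113.10", 80)  # browser -> web server
REPLY = ("in", "203.0.113.10", 80, "10.0.0.5", 51000)     # genuine response
SPOOFED = ("in", "198.51.100.7", 80, "10.0.0.5", 22)       # unsolicited, sport 80

def stateless_verdicts():
    rules = [("permit", "in", 80, None)]  # the Question 1 rule
    return stateless(rules, REPLY), stateless(rules, SPOOFED)

def stateful_verdicts():
    fw = StatefulFirewall([("permit", "out", None, 80)])
    fw.filter(REQUEST)  # outbound request records the session
    return fw.filter(REPLY), fw.filter(SPOOFED)

def ordering_verdicts():
    telnet = ("out", "10.0.0.5", 40000, "203.0.113.10", 23)
    broad_first = [("permit", None, None, None), ("deny", None, None, 23)]
    return stateless(broad_first, telnet), stateless(broad_first[::-1], telnet)
```

The stateless rule permits the spoofed packet alongside the genuine reply, the stateful firewall permits only the reply with no inbound rule at all, and the Telnet deny only takes effect once it precedes the broad permit.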