You are examining NetFlow records.
What is the state of the connection when you receive a packet with the RST flag set in response to a packet with the SYN flag set?
- the port is open
- the port is blocked by the firewall
- the connection is set up
- the port is closed
Receiving a packet with the RST flag in response to a packet with the SYN flag means the port is closed. When a port is closed, the device answers back with a TCP packet with the RST flag set.
If the port were open, the response packet would have the SYN and ACK flags set.
Transmission Control Protocol (TCP) is a session-oriented or connection-based protocol. It uses a three-way handshake to ensure that every packet sent is successfully received and acknowledged by the destination. TCP performs the handshake at the start of each session, and it consists of three segments (TCP “packets”).
Step one: The sender sends the first segment to the receiver with the Synchronization (SYN) flag enabled.
Step two: The receiver sends the second segment back to the sender with both the Acknowledgement flag (ACK) and the Synchronization (SYN) flag enabled.
Step three: The sender sends the third segment back to the receiver with just the Acknowledgement (ACK) flag enabled (in response to the server’s Synchronization request).
Were the connection successfully set up, the response packet would have the ACK flag set.
If the port were blocked by the firewall, there would be no response. Firewalls do not send diagnostic or error messages when blocking a transmission.
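The three outcomes described above can be read directly from NetFlow data. The following is an added example, not part of the original question: it pairs each SYN-initiating flow with its reverse flow and applies the rules from the explanation. It assumes each record carries the cumulative OR of the TCP flags seen in that one-directional flow; the `Flow` tuple, the `classify` function and the sample records are constructed for illustration.

```python
from collections import namedtuple

# TCP flag bits as they appear in a NetFlow record's cumulative tcp_flags byte
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Hypothetical record layout: flow start time plus the 5-tuple fields and flags
Flow = namedtuple("Flow", "first src sport dst dport flags")

# Constructed sample records (not real traffic); flows are one-directional
FLOWS = [
    Flow(100.000, "10.0.0.5", 40001, "10.0.0.9", 22, SYN | ACK | PSH | FIN),
    Flow(100.001, "10.0.0.9", 22, "10.0.0.5", 40001, SYN | ACK | PSH | FIN),
    Flow(101.000, "10.0.0.5", 40002, "10.0.0.9", 23, SYN),
    Flow(101.001, "10.0.0.9", 23, "10.0.0.5", 40002, RST | ACK),
    Flow(102.000, "10.0.0.5", 40003, "10.0.0.9", 445, SYN),
    Flow(103.000, "10.0.0.5", 40004, "10.0.0.9", 80, SYN | ACK),
    Flow(103.001, "10.0.0.9", 80, "10.0.0.5", 40004, SYN | ACK | RST),
]

def classify(flows):
    """Return {(dst, dport): state} for every connection attempt in flows."""
    by_key = {(f.src, f.sport, f.dst, f.dport): f for f in flows}
    states = {}
    for f in flows:
        if not f.flags & SYN:
            continue  # no handshake segment in this direction (e.g. a bare RST)
        reply = by_key.get((f.dst, f.dport, f.src, f.sport))
        if reply is not None and reply.first < f.first:
            continue  # reverse flow started earlier, so this is the responder
        if reply is None:
            state = "no response"   # the page's "blocked by the firewall" case
        elif reply.flags & RST and not reply.flags & SYN:
            state = "closed"        # SYN answered with RST
        elif reply.flags & SYN and reply.flags & ACK:
            state = "open"          # SYN answered with SYN+ACK
        else:
            state = "indeterminate"
        states[(f.dst, f.dport)] = state
    return states

if __name__ == "__main__":
    for target, state in classify(FLOWS).items():
        print(target, state)
```

The port 80 pair shows why the RST test also checks for the absence of SYN: a server that completed the handshake and reset the session later still has SYN and ACK in its cumulative flags, so the port was open.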
Objective: Security Monitoring
Sub-Objective: Identify the types of data provided by these technologies: TCP Dump, NetFlow, Next-Gen firewall, Traditional stateful firewall, Application visibility and control, Web content filtering, Email content filtering.