PDA

View Full Version : CCSA R71 Practice Exam Question



securitynewbie
2011-02-18, 14:48
.

Barry J. Stiefel
2011-02-18, 15:18
Here is a question from Checkpoint's practice exam I downloaded from their website.


R71's INSPECT Engine inserts itself into the kernel between which two layers of the OSI model?

Presentation and App

Data and Net

Physical and Data

Session and Transport

According to the exam the correct answer is Presentation and Application layer. Is this correct? I thought that the INSPECT engine resided between the Data and Network layers? From my understanding when packet reaches the NIC, it's intercepted by the INSPECT engine before it gets to the network layer. Am I missing something here?It's always between layer 2 and 3, Data and Net. This is the only place it can go because this is where the OS (at the bottom of layer 3) binds with the NIC driver (the top of layer 2). Upon installation, Firewall-1 unbinds these two, inserts itself in the middle, and then rebinds to both Data and Net.

As for which answer will be scored "correct" on the actual exam, I don't know. It could either be the "right" answer, or this incorrect "Check Point" answer. Apparently the same Quality Assurance people who weren't hired to look at the code also weren't hired to look at the exam questions. Sigh.

securitynewbie
2011-02-18, 15:33
Barry, thanks for the clarification and quick response!

checkpointjim
2011-03-13, 12:55
I think part of the confusion is that Check Point defines the INSPECT Engine differently from the Inspection Module.

INSPECT Engine:

Check Pointís INSPECT Engine is the mechanism used for extracting
the state-related information from all application layers, and maintains
this information in these dynamic state tables needed for evaluating
subsequent connections.

Inspection Module:

Packets pass through the NIC, to the Inspection Module, and up through the network stack.
Some packets are destined for an operating systemís local processes. In
this case, the Inspection Module inspects the packets and passes them
through the TCP/IP stack.

http://www.checkpoint.com/services/education/training/courses/samples/ccsa-r70.pdf