Questions derived from the CISSP – CISSP ISC2 Self-Test Software Practice Test.
Objective: Telecommunications and Network Security
SubObjective: Develop and maintain secure networks
Item Number: CISSP.10.3.8
Single Answer, Multiple Choice
Which type of firewall most detrimentally affects network performance?
A. Stateful firewall
B. Circuit-level proxy firewall
C. Packet-filtering firewall
D. Application-level proxy firewall
Answer: D. Application-level proxy firewall
An application-level proxy firewall most detrimentally affects network performance because it requires more processing per packet.
The packet-filtering firewall provides high performance. Stateful and circuit-level proxy firewalls, while slower than packet-filtering firewalls, offer better performance than application-level firewalls.
Kernel proxy firewalls offer better performance than application-level firewalls.
An application-level firewall creates a virtual circuit between the firewall clients. Each protocol has its own dedicated portion of the firewall that is concerned only with how to properly filter that protocol’s data. Unlike a circuit-level firewall, an application-level firewall does not examine the IP address and port of the data packet. Often, these types of firewalls are implemented as a proxy server.
A proxy-based firewall provides greater network isolation than a stateful firewall. A stateful firewall provides greater throughput and performance than a proxy-based firewall. In addition, a stateful firewall provides some dynamic rule configuration with the use of the state table.
CISSP All-in-One Exam Guide, Chapter 7: Telecommunications and Network Security, Application- and Circuit-Level Proxies, pp. 488-490.