Which of the following can be installed on a host to ensure that only specified inbound and outbound
connections are permitted? (Select the best answer.)

A.
antivirus software

B.
a HIPS

C.
a personal firewall

D.
a proxy server

Explanation:
A personal firewall can be installed on a host to ensure that only specified inbound and outbound connections
are permitted. A personal firewall can protect a host from malicious traffic by permitting or denying specific
applications or network ports access to the host or its network interface. Typically, a personal firewall provides
sufficient granularity to specify the direction of a particular flow of traffic. For example, you could permit
outbound web traffic but deny inbound Internet Control Message Protocol (ICMP) messages.
A Hostbased Intrusion Prevention System (HIPS) can be installed on a host to analyze and prevent malicious
traffic on that host. An Intrusion Prevention System (IPS) can be used to actively monitor, analyze, and block
malicious traffic before it infects devices. HIPS software can be installed on a host computer to protect that
computer against malicious traffic. By contrast, a Networkbased IPS (NIPS) is an independent operating
platform, often a standalone appliance or a hardware module installed in a chassis. A NIPS device can be
installed inline on a network to monitor and prevent malicious traffic from being sent to other devices on the
network. One advantage of using a NIPS over a HIPS is that a NIPS can detect lowlevel network events, such
as the scanning of random hosts on the network? a HIPS can only detect scans for which it is the target. HIPS
and a NIPS can be used together to provide an additional layer of protection.
You could not install antivirus software to ensure that only specified inbound and outbound connections are
permitted. Antivirus software monitors the file system and memory space on a host for malicious code.
Although the antivirus software might protect the host from malicious file execution, it would be unable to
protect the host from malicious traffic. Some antivirus vendors offer integrated security suites, which feature
personal firewall, HIPS, antivirus, and antimalware components.
You could not install a proxy server on a host to ensure that only specified inbound and outbound connections
are permitted. A proxy server is typically an application layer gateway that provides resource caching and traffic
filtering for a particular class of traffic, such as web content. Although you could install a proxy server locally on
a host and use it to process specified outbound connections, it would not be able to restrict outbound
connections that were not configured to use the proxy nor would it be able to restrict inbound connections.

CCNA Security 210260 Official Cert Guide, Chapter 19, Mitigation Technologies for Endpoint Threats, pp. 498-
499Category:
Cisco Firewall Technologies