ISC2 CISSP Practice Question

The correct answer is Next-Generation Firewall. NGFWs extend traditional firewall capabilities by using deep packet inspection to identify the actual application in use, regardless of port or protocol, and by tying rules to user identities obtained from directory services such as LDAP or Active Directory. This lets administrators create granular policies like "allow radiology staff to use the imaging system but block social-media posting," while simultaneously scanning the packet payload for malware or policy violations.

Layer 3 gateways (basic routers or network firewalls) decide primarily on IP addresses and ports and have no application or user awareness. Application proxies (application-layer gateways) can authenticate users and enforce detailed checks for a single protocol (for example, HTTP or FTP), but they do not provide a unified, multi-protocol control plane or the breadth of integrated threat-prevention features of an NGFW. Stateful packet filters track connection state, improving on static filters, yet their decisions are still made on network- and transport-layer information, not on the application or content itself.