CISSP PRACTICE QUESTIONS – 20200312

A session can be established based on connection-oriented or connectionless transport and other underlying services. Which of the following communications least requires a session?
A. An authenticated browser sending HTTP requests without the Keep-Alive header
B. The zone transfer between the primary and secondary DNS servers
C. Server cluster members periodically sending heartbeat
D. A user listening to his or her subscribed online music


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Server cluster members periodically sending heartbeat.

What is a Session?

A session is a dialog between two parties (typically applications) within a timespan, where messages (typed data) are transmitted back and forth. So, two-way communication, in either full-duplex or half-duplex mode, is the key feature of a session. As a result, it doesn't matter whether a session is carried over TCP or UDP. What really matters is a two-way communication or dialog that can be started and ended within a period of time.

Session Features

  • Two-way data exchange (either connection/connectionless or full-duplex/half-duplex)
  • Limited period of time (session can be established and released)

A session between the web browser and web server is established by authentication and typically maintained through a cookie. Keep-Alive is an HTTP header that keeps the TCP connection open after an HTTP request is processed, to reduce the overhead of re-establishing the TCP connection. However, it hurts the scalability of the web server. The web session is not lost even if the TCP connection is closed, because it is maintained through the cookie.

A user listening to his or her subscribed online music requires a session between the client and the server to address billing and licensing concerns. There are a lot of controls and two-way communication between the client and the server. A session is undoubtedly required.

DNS zone transfer is based on TCP 53 and typically protected by an IP white list or even authentication. It is based on the TCP connection, authentication, and a request/response model.

There are a variety of heartbeat implementations for server clusters. When a heartbeat network or heartbeat protocol is taken into consideration, they may entail sessions; however, most implementations that rely on periodically sending heartbeats don't require confirmation of heartbeats. If heartbeat loss reaches a certain threshold, another member node takes over. That is, if heartbeats are not received, no dialog happens along the lines of "Hey, are you all right? Can you send the heartbeat again?" A series of lost heartbeats up to a certain threshold is "assumed" to mean that the active node has failed. As non-initial periodic heartbeats are typically one-way notifications that least require sessions compared with the other options, I suggest C as the answer.
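The threshold-based, one-way heartbeat detection described above, as an added Python example that is not code from the original post; the HeartbeatMonitor class, the one-second interval, the three-miss threshold and the replayed timeline are assumptions:

```python
from dataclasses import dataclass, field

@dataclass
class HeartbeatMonitor:
    """Passive failure detector: the standby node only listens for the
    active node's periodic one-way heartbeats. It never replies or asks
    for a retransmission; it counts how many intervals have elapsed since
    the last heartbeat and presumes the peer failed at a threshold."""
    interval: float          # seconds between expected heartbeats (assumed 1.0)
    threshold: int           # missed intervals tolerated before failover (assumed 3)
    last_seen: dict = field(default_factory=dict)
    failed: set = field(default_factory=set)

    def receive(self, node: str, now: float) -> None:
        """A heartbeat arrived. Nothing is sent back to the sender."""
        self.last_seen[node] = now
        self.failed.discard(node)   # a node that resumes heartbeats is cleared

    def missed(self, node: str, now: float) -> int:
        """Whole intervals elapsed since the last heartbeat from `node`."""
        return int((now - self.last_seen[node]) // self.interval)

    def check(self, now: float) -> set:
        """Called on a local timer; returns the nodes presumed failed."""
        for node in self.last_seen:
            if self.missed(node, now) >= self.threshold:
                self.failed.add(node)
        return set(self.failed)

def simulate(events, interval=1.0, threshold=3):
    """Replay (time, kind, node) events, kind 'hb' or 'tick', and return
    the time at which each node was first declared failed."""
    mon = HeartbeatMonitor(interval, threshold)
    declared = {}
    for t, kind, node in sorted(events):
        if kind == "hb":
            mon.receive(node, t)
        else:
            for n in mon.check(t):
                declared.setdefault(n, t)
    return declared

# Constructed timeline (not from the page): the active node heartbeats every
# second until t=5 and then goes silent; the standby's timer ticks every second.
EVENTS = [(t, "hb", "active") for t in range(0, 6)] + \
         [(t + 0.5, "tick", "") for t in range(0, 12)]
```

Replaying EVENTS declares "active" failed at t=8.5, three full intervals after its last heartbeat, without any request having been sent to it.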
