Explanation From HCIA-Security documents:

In ESP transport mode, the authentication function provides data integrity and origin authentication for specific parts of the IP packet. The authentication calculation covers the ESP header, TCP/UDP header, user data, and ESP tail (including padding, Pad Length, and Next Header fields) . However, it does not include the outer IP header, because some IP header fields (such as TTL) may change during packet forwarding. It also does not include the ESP Authentication Data field itself, since that field stores the integrity check value result of the calculation.

In the diagram, range 3 correctly represents the portion starting from the ESP header up to the ESP tail, excluding the IP header and excluding the ESP Authentication Data field.

Range 1 only covers part of the payload, range 2 does not include the ESP header, and range 4 incorrectly includes the IP header. Therefore, option 3 accurately describes the authentication scope of ESP in transport mode.

Explanation From HCIA-Security documents:

IPS works by identifying malicious traffic patterns and behaviors in network data. An IPS signature is a set of detection rules that describe known attack characteristics, such as specific byte sequences in payloads, abnormal protocol fields, exploit patterns, or behavior indicators that match a recognized threat. When traffic passes through the firewall with IPS enabled, the device performs protocol decoding and (when needed) stream or application data reassembly so it can inspect complete content instead of isolated packets. After that, it compares the reconstructed traffic against the IPS signature database. If a match is found, the firewall determines the traffic is malicious and then takes the configured action, such as blocking packets, resetting the connection, discarding the session, and generating logs/alarms for visibility and auditing. This signature-based comparison is a core detection method of IPS and is why keeping the signature library updated is important: new attack techniques require new or improved signatures. Therefore, the statement is correct: the firewall detects and defends by comparing data flows with IPS signatures.

Explanation From HCIA-Security documents:

This scenario states two key conditions: (1) there are only a small number of users accessing the Internet, and (2) the number of available public IP addresses is equal to the number of concurrent Internet users. That means the organization has enough public addresses to assign a dedicated public IP to each internal user at the same time. In such a case, the most suitable NAT type is NAT No-PAT, which is also commonly understood as traditional one-to-one address translation (no port translation). The internal source IP is translated to a unique public source IP, and the transport-layer port number is not multiplexed to share a single public IP among many users.

By contrast, NAPT and Easy IP are used when public addresses are scarce, because they translate multiple internal users to one or a few public IP addresses by also translating port numbers (PAT). 3-tuple NAT is a more specific translation method involving matching/translation with additional parameters, but it is not the standard choice described by the given “equal number of public IPs and concurrent users” condition. Therefore, NAT No-PAT is correct.