312-50V10 · Question #227
A penetration test was done at a company. After the test, a report was written and given to the company's IT authorities. A section from the report is shown below: Access List should be written betwee
The correct answer is A. A stateful firewall can be used between intranet (LAN) and DMZ.. The penetration test report lists recommendations for controls that do not yet exist; only choice A correctly matches one of those recommendations to a valid technical solution.
Question
A penetration test was done at a company. After the test, a report was written and given to the company's IT authorities. A section from the report is shown below:
Access List should be written between VLANs. Port security should be enabled for the intranet. A security solution which filters data packets should be set between intranet (LAN) and DMZ. A WAF should be used in front of the web applications. According to the section from the report, which of the following choice is true?
Options
- AA stateful firewall can be used between intranet (LAN) and DMZ.
- BThere is access control policy between VLANs.
- CMAC Spoof attacks cannot be performed.
- DPossibility of SQL Injection attack is eliminated.
How the community answered
(49 responses)- A78% (38)
- B6% (3)
- C4% (2)
- D12% (6)
Why each option
The penetration test report lists recommendations for controls that do not yet exist; only choice A correctly matches one of those recommendations to a valid technical solution.
The report states a security solution that 'filters data packets' should be placed between the intranet and DMZ. A stateful firewall inspects packets based on connection state and defined rules, making it precisely the type of solution recommended for this network boundary. Stateful inspection is the standard control used to regulate and filter traffic between a trusted LAN and a semi-trusted DMZ.
The report says Access Lists 'should be written' between VLANs, indicating that no access control policy currently exists - the opposite of what this choice claims.
Port security 'should be enabled' is a recommendation not yet implemented, meaning the intranet is currently vulnerable and MAC spoofing attacks can still be performed.
A WAF 'should be used' in front of web applications is an unimplemented recommendation, so SQL Injection vulnerabilities have not been eliminated.
Concept tested: Firewall placement between LAN and DMZ segments
Source: https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final
Topics
Community Discussion
No community discussion yet for this question.