312-50V10 · Question #578
A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set: Untrust (Internet) - (Remote netwo
The correct answer is B. Permit 217.77.88.12 11.12.13.50 RDP 3389. The principle of least privilege requires firewall rules to use the most specific source and destination identifiers, meaning the exact fixed IP and the exact RDP server address should be specified.
Question
A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set:
Untrust (Internet) - (Remote network = 217.77.88.0/24) DMZ (DMZ) - (11.12.13.0/24) Trust (Intranet) - (192.168.0.0/24) The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement?
Options
- APermit 217.77.88.0/24 11.12.13.0/24 RDP 3389
- BPermit 217.77.88.12 11.12.13.50 RDP 3389
- CPermit 217.77.88.12 11.12.13.0/24 RDP 3389
- DPermit 217.77.88.0/24 11.12.13.50 RDP 3389
How the community answered
(35 responses)- A6% (2)
- B77% (27)
- C3% (1)
- D14% (5)
Why each option
The principle of least privilege requires firewall rules to use the most specific source and destination identifiers, meaning the exact fixed IP and the exact RDP server address should be specified.
This rule permits the entire remote subnet to the entire DMZ subnet, which is far too permissive and violates least privilege since both the source and destination requirements call for single specific hosts.
Rule B (Permit 217.77.88.12 11.12.13.50 RDP 3389) correctly applies least privilege by specifying the exact fixed source IP (217.77.88.12) from the remote network and the exact destination IP of the single RDP server (11.12.13.50) in the DMZ on port 3389. This minimizes attack surface by ensuring only that one host can reach only that one server, precisely matching the stated requirement of a single fixed remote IP accessing a single RDP server. Any broader rule would grant unnecessary access beyond what was requested.
This rule correctly specifies the fixed source IP but targets the entire DMZ subnet rather than the specific RDP server, unnecessarily exposing all DMZ hosts to remote desktop traffic.
This rule correctly targets the specific RDP server but allows the entire remote network subnet as the source, failing to restrict access to the single fixed IP as required.
Concept tested: Firewall least-privilege rule specificity for DMZ RDP access
Source: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Topics
Community Discussion
No community discussion yet for this question.