nerdexam
EC-Council

312-50V10 · Question #578

A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set: Untrust (Internet) - (Remote netwo

The correct answer is B. Permit 217.77.88.12 11.12.13.50 RDP 3389. The principle of least privilege requires firewall rules to use the most specific source and destination identifiers, meaning the exact fixed IP and the exact RDP server address should be specified.

Evading IDS, Firewalls, and Honeypots

Question

A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set:

Untrust (Internet) - (Remote network = 217.77.88.0/24) DMZ (DMZ) - (11.12.13.0/24) Trust (Intranet) - (192.168.0.0/24) The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement?

Options

  • APermit 217.77.88.0/24 11.12.13.0/24 RDP 3389
  • BPermit 217.77.88.12 11.12.13.50 RDP 3389
  • CPermit 217.77.88.12 11.12.13.0/24 RDP 3389
  • DPermit 217.77.88.0/24 11.12.13.50 RDP 3389

How the community answered

(35 responses)
  • A
    6% (2)
  • B
    77% (27)
  • C
    3% (1)
  • D
    14% (5)

Why each option

The principle of least privilege requires firewall rules to use the most specific source and destination identifiers, meaning the exact fixed IP and the exact RDP server address should be specified.

APermit 217.77.88.0/24 11.12.13.0/24 RDP 3389

This rule permits the entire remote subnet to the entire DMZ subnet, which is far too permissive and violates least privilege since both the source and destination requirements call for single specific hosts.

BPermit 217.77.88.12 11.12.13.50 RDP 3389Correct

Rule B (Permit 217.77.88.12 11.12.13.50 RDP 3389) correctly applies least privilege by specifying the exact fixed source IP (217.77.88.12) from the remote network and the exact destination IP of the single RDP server (11.12.13.50) in the DMZ on port 3389. This minimizes attack surface by ensuring only that one host can reach only that one server, precisely matching the stated requirement of a single fixed remote IP accessing a single RDP server. Any broader rule would grant unnecessary access beyond what was requested.

CPermit 217.77.88.12 11.12.13.0/24 RDP 3389

This rule correctly specifies the fixed source IP but targets the entire DMZ subnet rather than the specific RDP server, unnecessarily exposing all DMZ hosts to remote desktop traffic.

DPermit 217.77.88.0/24 11.12.13.50 RDP 3389

This rule correctly targets the specific RDP server but allows the entire remote network subnet as the source, failing to restrict access to the single fixed IP as required.

Concept tested: Firewall least-privilege rule specificity for DMZ RDP access

Source: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

Topics

#firewall rules#RDP access control#DMZ configuration#least privilege firewall policy

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice