nerdexam
EC-Council

312-50V10 · Question #800

To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked to review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can

The correct answer is A. If (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then. The correct firewall rule must match the source subnet (10.10.10.0/24), the destination host (10.20.20.1), and port 443 (HTTPS) to permit only encrypted web traffic from workstations to the bank site.

Evading IDS, Firewalls, and Honeypots

Question

To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked to review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can only reach the bank web site 10.20.20.1 using https. Which of the following firewall rules meets this requirement?

Options

  • AIf (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then
  • BIf (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 80 or
  • CIf (source matches 10.20.20.1 and destination matches 10.10.10.0/24 and port matches 443) then
  • DIf (source matches 10.10.10.0 and destination matches 10.20.20.1 and port matches 443) then

How the community answered

(25 responses)
  • A
    76% (19)
  • B
    4% (1)
  • C
    12% (3)
  • D
    8% (2)

Why each option

The correct firewall rule must match the source subnet (10.10.10.0/24), the destination host (10.20.20.1), and port 443 (HTTPS) to permit only encrypted web traffic from workstations to the bank site.

AIf (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) thenCorrect

This rule correctly identifies the source as the full subnet 10.10.10.0/24, the destination as 10.20.20.1, and port 443, which is the standard port for HTTPS. All three conditions must be satisfied simultaneously to precisely enforce the requirement that only those workstations can reach the bank site exclusively over an encrypted connection.

BIf (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 80 or

This rule specifies port 80 (HTTP) instead of port 443 (HTTPS), which would permit unencrypted traffic rather than the required HTTPS-only access.

CIf (source matches 10.20.20.1 and destination matches 10.10.10.0/24 and port matches 443) then

The source and destination are reversed - 10.20.20.1 is the bank server, not the workstation network, so this rule would match traffic originating from the bank rather than from the workstations.

DIf (source matches 10.10.10.0 and destination matches 10.20.20.1 and port matches 443) then

The source is written as 10.10.10.0 (a single host address) rather than 10.10.10.0/24 (the entire subnet), so only one host would be matched instead of all workstations in the network.

Concept tested: Firewall ACL rule source, destination, and port matching

Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41rev1.pdf

Topics

#firewall rules#ACL configuration#HTTPS port 443#network access control

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice