312-50V10 · Question #800
To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked to review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can
The correct answer is A. If (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then. The correct firewall rule must match the source subnet (10.10.10.0/24), the destination host (10.20.20.1), and port 443 (HTTPS) to permit only encrypted web traffic from workstations to the bank site.
Question
To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked to review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can only reach the bank web site 10.20.20.1 using https. Which of the following firewall rules meets this requirement?
Options
- AIf (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then
- BIf (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 80 or
- CIf (source matches 10.20.20.1 and destination matches 10.10.10.0/24 and port matches 443) then
- DIf (source matches 10.10.10.0 and destination matches 10.20.20.1 and port matches 443) then
How the community answered
(25 responses)- A76% (19)
- B4% (1)
- C12% (3)
- D8% (2)
Why each option
The correct firewall rule must match the source subnet (10.10.10.0/24), the destination host (10.20.20.1), and port 443 (HTTPS) to permit only encrypted web traffic from workstations to the bank site.
This rule correctly identifies the source as the full subnet 10.10.10.0/24, the destination as 10.20.20.1, and port 443, which is the standard port for HTTPS. All three conditions must be satisfied simultaneously to precisely enforce the requirement that only those workstations can reach the bank site exclusively over an encrypted connection.
This rule specifies port 80 (HTTP) instead of port 443 (HTTPS), which would permit unencrypted traffic rather than the required HTTPS-only access.
The source and destination are reversed - 10.20.20.1 is the bank server, not the workstation network, so this rule would match traffic originating from the bank rather than from the workstations.
The source is written as 10.10.10.0 (a single host address) rather than 10.10.10.0/24 (the entire subnet), so only one host would be matched instead of all workstations in the network.
Concept tested: Firewall ACL rule source, destination, and port matching
Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41rev1.pdf
Topics
Community Discussion
No community discussion yet for this question.