312-50V11 · Question #196
A large mobile telephony and data network operator has a data that houses network elements. These are essentially large computers running on Linux. The perimeter of the data center is secured with fir
The correct answer is A. Network elements must be hardened with user ids and strong passwords. Regular security tests. Defense-in-depth requires that individual network elements be hardened independently, because perimeter controls alone cannot protect against insider threats, lateral movement, or physical-access bypass scenarios.
Question
A large mobile telephony and data network operator has a data that houses network elements. These are essentially large computers running on Linux. The perimeter of the data center is secured with firewalls and IPS systems. What is the best security policy concerning this setup?
Options
- ANetwork elements must be hardened with user ids and strong passwords. Regular security tests
- BAs long as the physical access to the network elements is restricted, there is no need for
- CThere is no need for specific security measures on the network elements as long as firewalls and
- DThe operator knows that attacks and down time are inevitable and should have a backup site.
How the community answered
(24 responses)- A75% (18)
- B17% (4)
- C4% (1)
- D4% (1)
Why each option
Defense-in-depth requires that individual network elements be hardened independently, because perimeter controls alone cannot protect against insider threats, lateral movement, or physical-access bypass scenarios.
Hardening each Linux-based network element with strong credentials, minimal user accounts, and regular security testing applies the principle of defense-in-depth. Perimeter firewalls and IPS systems protect the boundary but cannot stop threats that originate from within the network or from a compromised perimeter device, so host-level hardening is a required complementary control.
Physical access restrictions alone do not address logical attacks such as remote exploits, credential theft, or insider threats that can reach network elements through legitimate network paths.
Firewalls and IPS are perimeter controls and do not protect against threats already inside the network, misconfigurations on the host, or vulnerabilities in the OS and services running on the network elements themselves.
Assuming downtime is inevitable and relying solely on a backup site is a reactive continuity strategy, not a proactive security policy, and does not address the prevention of attacks or the hardening of assets.
Concept tested: Defense-in-depth and host hardening policy
Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
Topics
Community Discussion
No community discussion yet for this question.