312-50V11 · Question #227
A penetration test was done at a company. After the test, a report was written and given to the company's IT authorities. A section from the report is shown below: Access List should be written betwee
The correct answer is A. A stateful firewall can be used between intranet (LAN) and DMZ.. The report recommends placing a packet-filtering security solution between the LAN and DMZ, which accurately describes the function of a stateful firewall.
Question
A penetration test was done at a company. After the test, a report was written and given to the company's IT authorities. A section from the report is shown below:
Access List should be written between VLANs. Port security should be enabled for the intranet. A security solution which filters data packets should be set between intranet (LAN) and DMZ. A WAF should be used in front of the web applications. According to the section from the report, which of the following choice is true?
Options
- AA stateful firewall can be used between intranet (LAN) and DMZ.
- BThere is access control policy between VLANs.
- CMAC Spoof attacks cannot be performed.
- DPossibility of SQL Injection attack is eliminated.
How the community answered
(39 responses)- A85% (33)
- B3% (1)
- C5% (2)
- D8% (3)
Why each option
The report recommends placing a packet-filtering security solution between the LAN and DMZ, which accurately describes the function of a stateful firewall.
A stateful firewall inspects and filters data packets based on connection state and rule sets, making it the appropriate security solution to place between the intranet (LAN) and the DMZ as described. The report specifically calls for a solution that filters data packets in this network segment, which aligns directly with the core function of a stateful firewall. This is a standard network security architecture practice for segmenting trusted and semi-trusted zones.
The report states that an access list SHOULD BE written between VLANs, indicating that no such access control policy currently exists rather than confirming one is already in place.
Enabling port security reduces the risk of MAC-based attacks but does not fully prevent MAC spoofing, as an attacker can still forge a valid MAC address to circumvent port security controls.
A WAF reduces the attack surface for SQL injection but does not eliminate the possibility of such attacks, since misconfigurations or WAF bypass techniques can still allow exploitation.
Concept tested: Stateful firewall placement between LAN and DMZ
Source: https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final
Topics
Community Discussion
No community discussion yet for this question.