nerdexam
EC-Council

312-50V11 · Question #578

A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set: Untrust (Internet) - (Remote netwo

The correct answer is B. Permit 217.77.88.12 11.12.13.50 RDP 3389. Firewall rules should follow the principle of least privilege by matching only the specific source host and destination server required for the stated business need.

Evading IDS, Firewalls, and Honeypots

Question

A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set:

Untrust (Internet) - (Remote network = 217.77.88.0/24) DMZ (DMZ) - (11.12.13.0/24) Trust (Intranet) - (192.168.0.0/24) The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement?

Options

  • APermit 217.77.88.0/24 11.12.13.0/24 RDP 3389
  • BPermit 217.77.88.12 11.12.13.50 RDP 3389
  • CPermit 217.77.88.12 11.12.13.0/24 RDP 3389
  • DPermit 217.77.88.0/24 11.12.13.50 RDP 3389

How the community answered

(36 responses)
  • A
    3% (1)
  • B
    75% (27)
  • C
    6% (2)
  • D
    17% (6)

Why each option

Firewall rules should follow the principle of least privilege by matching only the specific source host and destination server required for the stated business need.

APermit 217.77.88.0/24 11.12.13.0/24 RDP 3389

Permitting the entire /24 source subnet and the entire DMZ subnet is far too broad, allowing any host in the remote network to reach any DMZ host via RDP.

BPermit 217.77.88.12 11.12.13.50 RDP 3389Correct

The requirement specifies a 'fixed IP' source (217.77.88.12) connecting to a single 'remote desktop server' in the DMZ (11.12.13.50), so the rule must restrict both endpoints to those exact host addresses. Using host-specific addresses for both source and destination minimizes the attack surface and satisfies the principle of least privilege in firewall policy design.

CPermit 217.77.88.12 11.12.13.0/24 RDP 3389

Although the source is correctly scoped to the fixed host, the destination covers the entire DMZ subnet rather than the specific RDP server, granting unnecessary lateral access.

DPermit 217.77.88.0/24 11.12.13.50 RDP 3389

The destination is correctly scoped to the specific server, but the source permits the entire remote /24 subnet instead of just the designated fixed IP.

Concept tested: Least-privilege firewall rule host scoping

Source: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98986-asa-acl-config.html

Topics

#firewall rules#RDP#DMZ#least-privilege access control

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice