312-50V11 · Question #578
A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set: Untrust (Internet) - (Remote netwo
The correct answer is B. Permit 217.77.88.12 11.12.13.50 RDP 3389. Firewall rules should follow the principle of least privilege by matching only the specific source host and destination server required for the stated business need.
Question
A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set:
Untrust (Internet) - (Remote network = 217.77.88.0/24) DMZ (DMZ) - (11.12.13.0/24) Trust (Intranet) - (192.168.0.0/24) The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement?
Options
- APermit 217.77.88.0/24 11.12.13.0/24 RDP 3389
- BPermit 217.77.88.12 11.12.13.50 RDP 3389
- CPermit 217.77.88.12 11.12.13.0/24 RDP 3389
- DPermit 217.77.88.0/24 11.12.13.50 RDP 3389
How the community answered
(36 responses)- A3% (1)
- B75% (27)
- C6% (2)
- D17% (6)
Why each option
Firewall rules should follow the principle of least privilege by matching only the specific source host and destination server required for the stated business need.
Permitting the entire /24 source subnet and the entire DMZ subnet is far too broad, allowing any host in the remote network to reach any DMZ host via RDP.
The requirement specifies a 'fixed IP' source (217.77.88.12) connecting to a single 'remote desktop server' in the DMZ (11.12.13.50), so the rule must restrict both endpoints to those exact host addresses. Using host-specific addresses for both source and destination minimizes the attack surface and satisfies the principle of least privilege in firewall policy design.
Although the source is correctly scoped to the fixed host, the destination covers the entire DMZ subnet rather than the specific RDP server, granting unnecessary lateral access.
The destination is correctly scoped to the specific server, but the source permits the entire remote /24 subnet instead of just the designated fixed IP.
Concept tested: Least-privilege firewall rule host scoping
Source: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98986-asa-acl-config.html
Topics
Community Discussion
No community discussion yet for this question.