312-50V9 · Question #282
A penetration test was done at a company. After the test, a report was written and given to the company's IT authorities. A section from the report is shown below: - Access List should be written betw
The correct answer is C. A stateful firewall can be used between intranet (LAN) and DMZ.. The report recommends a packet-filtering security solution between the LAN and DMZ, which accurately describes the role of a stateful firewall, making C the only technically valid inference from the listed recommendations.
Question
A penetration test was done at a company. After the test, a report was written and given to the company's IT authorities. A section from the report is shown below:
- Access List should be written between VLANs.
- Port security should be enabled for the intranet.
- A security solution which filters data packets should be set between
intranet (LAN) and DMZ.
- A WAF should be used in front of the web applications.
According to the section from the report, which of the following choice is true?
Options
- AMAC Spoof attacks cannot be performed.
- BPossibility of SQL Injection attack is eliminated.
- CA stateful firewall can be used between intranet (LAN) and DMZ.
- DThere is access control policy between VLANs.
How the community answered
(30 responses)- A10% (3)
- B3% (1)
- C70% (21)
- D17% (5)
Why each option
The report recommends a packet-filtering security solution between the LAN and DMZ, which accurately describes the role of a stateful firewall, making C the only technically valid inference from the listed recommendations.
Port security limits MAC addresses per port to reduce MAC spoofing risk, but it cannot fully prevent MAC spoofing attacks - it only raises the difficulty, so the claim that they 'cannot be performed' is false.
A WAF reduces the attack surface for SQL injection by filtering malicious input, but it does not eliminate the possibility entirely since WAF bypass techniques exist.
The report explicitly recommends 'a security solution which filters data packets' between the intranet and DMZ. A stateful firewall inspects and filters packets based on connection state and packet headers, which directly matches this description, making it a valid and appropriate solution for that network segment.
The report states that access lists 'should be written' between VLANs, meaning this control does not yet exist - it is a recommendation, not a current implemented policy.
Concept tested: Stateful firewall placement between LAN and DMZ
Source: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200203-Configure-a-DMZ-on-an-ASA.html
Topics
Community Discussion
No community discussion yet for this question.