nerdexam
Cisco

352-001 · Question #724

Refer to the exhibit. The operations team has identified that some of the multi-tiered e-commerce applications have slow performance, due to illegitimate inbound traffic from the Internet. On which ne

The correct answer is B. B. Illegitimate inbound internet traffic should be filtered at the network perimeter to drop malicious packets before they consume internal bandwidth or reach application tiers.

Designing Security

Question

Refer to the exhibit. The operations team has identified that some of the multi-tiered e-commerce applications have slow performance, due to illegitimate inbound traffic from the Internet. On which network device do you place traffic filtering to improve performance?

Exhibit

352-001 question #724 exhibit

Options

  • AA
  • BB
  • CC
  • DD

How the community answered

(19 responses)
  • A
    5% (1)
  • B
    74% (14)
  • C
    5% (1)
  • D
    16% (3)

Why each option

Illegitimate inbound internet traffic should be filtered at the network perimeter to drop malicious packets before they consume internal bandwidth or reach application tiers.

AA

Device A is the upstream internet-facing router or ISP handoff point where the operator typically lacks the authority or capability to enforce granular inbound filtering policies.

BBCorrect

Device B represents the perimeter firewall or edge security device positioned between the internet-facing router and the internal application tiers. Applying ACLs or firewall policies at this boundary drops illegitimate traffic at the earliest controllable point, preventing it from traversing internal links, consuming core bandwidth, or reaching web and database servers - directly resolving the application performance degradation caused by inbound floods.

CC

Device C is an internal distribution or aggregation layer device; filtering here allows illegitimate traffic to already traverse and consume edge and uplink bandwidth before being discarded.

DD

Device D is deep within the internal network at the server access tier; placing filtering here means malicious traffic travels across most of the infrastructure before being dropped, providing no meaningful performance improvement.

Concept tested: Perimeter traffic filtering placement for inbound threat mitigation

Source: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/sec_chap2.html

Topics

#traffic filtering#DDoS mitigation#security placement#e-commerce

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice