400-007 · Question #261
An external edge router provides connectivity from a service provider to an enterprise. Which two Internet edge best practices meet compliance regulations? (Choose two.)
The correct answer is C. Enable and use only secure protocols D. Implement filtering to control traffic that is sourced from the infrastructure IP space. At the Internet edge, compliance regulations require enforcing secure communications and controlling traffic originating from infrastructure address space. Using only secure protocols and filtering infrastructure-sourced traffic are the two practices that directly satisfy these r
Question
An external edge router provides connectivity from a service provider to an enterprise. Which two Internet edge best practices meet compliance regulations? (Choose two.)
Options
- ASend logs to a centralized logging collection server
- BImplement EBGP to advertise all owned IP blocks
- CEnable and use only secure protocols
- DImplement filtering to control traffic that is sourced from the infrastructure IP space
- EUse login banners and interface access lists to restrict administrative access to the system
How the community answered
(34 responses)- A18% (6)
- B9% (3)
- C71% (24)
- E3% (1)
Why each option
At the Internet edge, compliance regulations require enforcing secure communications and controlling traffic originating from infrastructure address space. Using only secure protocols and filtering infrastructure-sourced traffic are the two practices that directly satisfy these regulatory controls.
Centralized log collection is an important auditing practice but is a logging infrastructure decision rather than a compliance control applied directly at the Internet edge router.
Advertising owned IP blocks via EBGP is a routing reachability practice that ensures proper BGP route origination but is not a compliance-driven security control.
Enabling and using only secure protocols such as SSHv2, HTTPS, and SNMPv3 satisfies compliance mandates like PCI-DSS and HIPAA that prohibit cleartext protocols on systems handling sensitive or regulated traffic at the network boundary.
Filtering traffic sourced from the infrastructure IP space implements BCP38 anti-spoofing controls, preventing internal addresses from being used as spoofed sources in outbound traffic - a requirement in many compliance frameworks to ensure traffic integrity and accountability at the edge.
Login banners and management ACLs are administrative hardening measures that restrict device access but do not govern Internet-facing traffic flows as required by edge compliance controls.
Concept tested: Internet edge compliance - secure protocols and infrastructure ACLs
Source: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/MDG-RouterSecurity/MDG-RouterSecurity.html
Topics
Community Discussion
No community discussion yet for this question.