nerdexam
Cisco

400-007 · Question #261

An external edge router provides connectivity from a service provider to an enterprise. Which two Internet edge best practices meet compliance regulations? (Choose two.)

The correct answer is C. Enable and use only secure protocols D. Implement filtering to control traffic that is sourced from the infrastructure IP space. At the Internet edge, compliance regulations require enforcing secure communications and controlling traffic originating from infrastructure address space. Using only secure protocols and filtering infrastructure-sourced traffic are the two practices that directly satisfy these r

Designing Security

Question

An external edge router provides connectivity from a service provider to an enterprise. Which two Internet edge best practices meet compliance regulations? (Choose two.)

Options

  • ASend logs to a centralized logging collection server
  • BImplement EBGP to advertise all owned IP blocks
  • CEnable and use only secure protocols
  • DImplement filtering to control traffic that is sourced from the infrastructure IP space
  • EUse login banners and interface access lists to restrict administrative access to the system

How the community answered

(34 responses)
  • A
    18% (6)
  • B
    9% (3)
  • C
    71% (24)
  • E
    3% (1)

Why each option

At the Internet edge, compliance regulations require enforcing secure communications and controlling traffic originating from infrastructure address space. Using only secure protocols and filtering infrastructure-sourced traffic are the two practices that directly satisfy these regulatory controls.

ASend logs to a centralized logging collection server

Centralized log collection is an important auditing practice but is a logging infrastructure decision rather than a compliance control applied directly at the Internet edge router.

BImplement EBGP to advertise all owned IP blocks

Advertising owned IP blocks via EBGP is a routing reachability practice that ensures proper BGP route origination but is not a compliance-driven security control.

CEnable and use only secure protocolsCorrect

Enabling and using only secure protocols such as SSHv2, HTTPS, and SNMPv3 satisfies compliance mandates like PCI-DSS and HIPAA that prohibit cleartext protocols on systems handling sensitive or regulated traffic at the network boundary.

DImplement filtering to control traffic that is sourced from the infrastructure IP spaceCorrect

Filtering traffic sourced from the infrastructure IP space implements BCP38 anti-spoofing controls, preventing internal addresses from being used as spoofed sources in outbound traffic - a requirement in many compliance frameworks to ensure traffic integrity and accountability at the edge.

EUse login banners and interface access lists to restrict administrative access to the system

Login banners and management ACLs are administrative hardening measures that restrict device access but do not govern Internet-facing traffic flows as required by edge compliance controls.

Concept tested: Internet edge compliance - secure protocols and infrastructure ACLs

Source: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/MDG-RouterSecurity/MDG-RouterSecurity.html

Topics

#internet edge#compliance#traffic filtering#secure protocols

Community Discussion

No community discussion yet for this question.

Full 400-007 Practice