
CAS-001 Question #123: Real Exam Question with Answer & Explanation

The correct answer is C.

Question

A security administrator is conducting network forensic analysis of a recent defacement of the company's secure web payment server (HTTPS). The server was compromised around the New Year's holiday, when all the company employees were off. The company's network diagram is summarized below:

Internet → Gateway Firewall → IDS → Web SSL Accelerator → Web Server Farm → Internal Firewall → Company Internal Network

The security administrator discovers that all the local web server logs have been deleted. Additionally, the Internal Firewall logs are intact but show no activity from the internal network to the web server farm during the holiday. Which of the following is true?

Options

  • A. The security administrator should review the IDS logs to determine the source of the attack and
  • B. The security administrator must correlate the external firewall logs with the intrusion detection
  • C. The security administrator must reconfigure the network and place the IDS between the SSL
  • D. The security administrator must correlate logs from all the devices in the network diagram to

Explanation

The critical architectural flaw revealed by this investigation is the placement of the IDS. The network path is: Internet → Gateway Firewall → IDS → Web SSL Accelerator → Web Server Farm. Because the SSL Accelerator sits after the IDS, all traffic the IDS sees is still encrypted (HTTPS). The IDS cannot inspect encrypted payloads, so it could neither detect nor log the application-layer attack that defaced the server. The correct fix is to place the IDS between the SSL Accelerator and the Web Server Farm, where the accelerator has already terminated TLS and the IDS can inspect the HTTP payload in plaintext. Option A is flawed because the IDS in its current position only sees encrypted traffic, so its logs would not reveal the attack source. Option B (correlating external firewall logs with IDS data) is incomplete for the same reason: the IDS logs carry little useful detail because of where the sensor sits. Option D sounds reasonable but is vague; the decisive finding here is specifically the IDS placement problem.
