CAS-001 Question #392: Real Exam Question with Answer & Explanation
The correct answer is A: A dual firewall DMZ with remote logging where each firewall is managed by a separate.
Question
Options
- A. A dual firewall DMZ with remote logging where each firewall is managed by a separate
- B. A single firewall DMZ where each firewall interface is managed by a separate administrator and
- C. A SaaS based firewall which logs to the company's local storage via SSL, and is managed by the
- D. A virtualized firewall, where each virtual instance is managed by a separate administrator and
Explanation
The requirements are security in depth, change management/configuration control, and incident reconstruction (logging). Option A - a dual firewall DMZ with remote logging, each firewall managed by a separate administrator - satisfies all three:
- (1) Security in depth is achieved by placing two distinct firewalls in series, so compromise of one does not expose the internal network.
- (2) Separate administrators enforce separation of duties for change management - neither administrator can unilaterally modify both firewall policies, reducing insider threat and enforcing a review/approval process.
- (3) Remote logging to a separate system ensures log integrity for incident reconstruction, since an attacker who compromises a firewall cannot tamper with logs stored elsewhere.
Option B uses only a single firewall, failing the defense-in-depth requirement. Option C introduces SaaS dependency and third-party log handling, which may violate data handling requirements. Option D uses virtualized firewalls sharing the same physical hardware, creating a single point of hardware failure and complicating physical separation of duties.