CAS-001 Question #65: Real Exam Question with Answer & Explanation

The correct answer is C: A NIPS on the switch in Zone C, an antivirus server in Zone A, and a patch server in Zone B. The question tests knowledge of appropriate security control placement across segregated network zones with different risk profiles.

Question

A corporation relies on a server running a trusted operating system to broker data transactions between different security zones on their network. Each zone is a separate domain and the only connection between the networks is via the trusted server. The three zones at the corporation are as follows:

  • Zone A connects to a network, which is also connected to the Internet through a router.
  • Zone B connects to a closed research and development network.
  • Zone C connects to an intermediary switch supporting a SAN, dedicated to long-term audit log and file storage, so the corporation meets compliance requirements.

A firewall is deployed on the inside edge of the Internet-connected router. Which of the following is the BEST location to place other security equipment?

Options

  • A. HIPS on all hosts in Zone A and B, and an antivirus and patch server in Zone C
  • B. A WAF on the switch in Zone C, an additional firewall in Zone A, and an antivirus server in Zone B
  • C. A NIPS on the switch in Zone C, an antivirus server in Zone A, and a patch server in Zone B
  • D. A NIDS on the switch in Zone C, a WAF in Zone A, and a firewall in Zone B

Explanation

The question tests knowledge of appropriate security control placement across segregated network zones with different risk profiles.

Common mistakes.

  • A. HIPS is host-based and does not provide network-level protection; placing antivirus and patch servers in Zone C wastes resources on a storage zone that hosts compliance data rather than active computing endpoints.
  • B. A WAF is designed for web application traffic and is entirely inappropriate for a switch in Zone C supporting a SAN with no web-facing services.
  • D. A NIDS is passive and cannot block attacks, making it less effective than a NIPS for protecting Zone C; a WAF in Zone A is misapplied unless web applications are specifically deployed there.

Concept tested. Security control placement across network security zones

Reference. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf
