CompTIA
CAS-002 · Question #692
CAS-002 Question #692: Real Exam Question with Answer & Explanation
The correct answer is C: Implement host intrusion prevention on all machines at the bank.. Host intrusion prevention deployed on every machine provides the broadest defense-in-depth coverage because it protects each endpoint regardless of attack origin or vector.
Question
A small bank is introducing online banking to its customers through its new secured website. The firewall has three interfaces: one for the Internet connection, another for the DMZ, and the other for the internal network. Which of the following will provide the MOST protection from all likely attacks on the bank?
Options
- AImplement NIPS inline between the web server and the firewall.
- BImplement a web application firewall inline between the web server and the firewall.
- CImplement host intrusion prevention on all machines at the bank.
- DConfigure the firewall policy to only allow communication with the web server using SSL.
Explanation
Host intrusion prevention deployed on every machine provides the broadest defense-in-depth coverage because it protects each endpoint regardless of attack origin or vector.
Common mistakes.
- A. A network IPS inline between only the web server and the firewall leaves all other network segments and internal machines unprotected from attack.
- B. A web application firewall only protects against application-layer HTTP/S attacks targeting the web server and does not address network-level, insider, or non-web attack vectors.
- D. Restricting firewall policy to SSL only enforces encrypted transport but does not inspect or block malicious content within SSL sessions or attacks originating from inside the network.
Concept tested. Host-based intrusion prevention for comprehensive endpoint defense
Reference. https://csrc.nist.gov/publications/detail/sp/800-94/final
Community Discussion
No community discussion yet for this question.