CISSP Question #1266: Real Exam Question with Answer & Explanation

Question

A security practitioner needs to implementation solution to verify endpoint security protections and operating system (0S) versions. Which of the following is the BEST solution to implement?

Options

• AAn intrusion prevention system (IPS)
• BAn intrusion prevention system (IPS)
• CNetwork Access Control (NAC)
• DA firewall

Explanation

Network Access Control (NAC) is a solution that verifies the security posture and compliance of endpoints before granting them access to the network. NAC can check the endpoint security protections, such as antivirus, firewall, patch level, and OS version, and enforce policies based on the results. NAC can also quarantine or remediate non-compliant endpoints to prevent them from compromising the network security. NAC is the best solution to implement among the given options, as it provides both verification and enforcement of endpoint security. An intrusion prevention system (IPS) is a device that monitors network traffic and blocks or alerts on malicious or suspicious activities. An IPS does not verify the endpoint security protections or OS versions, nor does it enforce any policies on the endpoints. An IPS is a reactive rather than proactive solution. A firewall is a device that controls the network traffic based on predefined rules. A firewall does not verify the endpoint security protections or OS versions, nor does it enforce any policies on the endpoints. A firewall is a preventive rather than detective solution. An intrusion detection system (IDS) is a device that monitors network traffic and alerts on malicious or suspicious activities. An IDS does not verify the endpoint security protections or OS versions, nor does it enforce any policies on the endpoints. An IDS is a passive rather than active solution.

No community discussion yet for this question.