CISSP · Question #791
The correct answer is C: The management traffic pathway should have separate physical network interface cards (NIC).
Question
How is protection for hypervisor host and software administration functions BEST achieved?
Options
- A. Enforce network controls using a host-based firewall.
- B. Deploy the management interface in a dedicated virtual network segment.
- C. The management traffic pathway should have separate physical network interface cards (NIC).
- D. Deny permissions to specific virtual machines (VM) groups and objects.
Explanation
To best protect hypervisor host and software administration functions, the management traffic should utilize separate physical network interface cards (NICs). This approach ensures strong isolation of administrative traffic from other network flows, such as virtual machine or storage traffic.
Common mistakes.
- A. Enforcing network controls with a host-based firewall is a crucial security layer, but it does not provide the same level of physical isolation for the management traffic pathway as dedicated NICs.
- B. Deploying the management interface in a dedicated virtual network segment provides logical separation but still relies on the same underlying physical network infrastructure, which can be a single point of failure or compromise.
- D. Denying permissions to specific virtual machines (VM) groups and objects is an access control measure within the hypervisor's management plane, not a method for protecting the network pathway to those administration functions.
Concept tested. Hypervisor management network isolation and physical separation