SY0-701 Question #673: Real Exam Question with Answer & Explanation
The correct answer is D: Next-generation firewall.
Question
A Chief Information Security Officer (CISO) wants to:
- Prevent employees from downloading malicious content.
- Establish controls based on departments and users.
- Map internet access for business applications to specific service accounts.
- Restrict content based on categorization.

Which of the following should the CSO implement?
Options
- A. Web application firewall
- B. Secure DNS server
- C. Jump server
- D. Next-generation firewall
Explanation
A Next-generation firewall (NGFW) satisfies all four requirements simultaneously: it inspects traffic deeply to block malicious downloads, enforces identity-aware policies tied to users and departments (via AD/LDAP integration), maps application traffic to specific service accounts, and filters content by URL/category. No other option on the list covers all four capabilities in a single solution.
- A (WAF) is wrong - a Web Application Firewall protects inbound traffic against attacks targeting your own web apps (SQLi, XSS); it does not govern outbound employee internet access or content categories.
- B (Secure DNS) is wrong - DNS filtering can block known malicious domains but cannot enforce per-user/department policies, inspect file downloads, or map application traffic to service accounts.
- C (Jump server) is wrong - a jump server (bastion host) controls administrative remote access to internal systems; it has no role in filtering employee internet content.
Memory tip: When you see a combo of user-based policies + application awareness + content categorization, think NGFW - it's the "Swiss Army knife" that goes beyond traditional firewalls by adding identity, application, and content intelligence in one device.