Exam SY0-601
Question 158

After a recent security incident, a security analyst discovered that unnecessary ports were open on a firewall policy for a web server. Which of the following firewall policies would be MOST secure for a web server?

A.

B.

C.

D.

    Correct Answer:

    The most secure firewall policy for a web server would be to only allow traffic on necessary and secure ports, while blocking all other traffic. TCP ports 80 (HTTP) and 443 (HTTPS) are essential for web communication, as they are standard ports for web traffic. Allowing traffic on these ports while denying all other traffic would minimize the attack surface of the web server. Therefore, the best option is D. This policy allows TCP 80 and TCP 443 while denying any other traffic, ensuring that the web server only communicates over the required and secure ports.
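The first-match logic behind this answer, as an added example that is not part of the original page: a small Python evaluator that walks a rule list top to bottom and audits its catch-all rule. POLICY_D mirrors the allow 80/443 then deny-all policy described above; POLICY_OPEN, POLICY_DENY_FIRST, the probe ports and the documentation-range addresses are constructed for contrast.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    src: str              # "Any" or a specific address
    dst: str
    proto: str            # "TCP", "UDP" or "Any"
    port: Optional[int]   # None means any port
    action: str           # "Allow" or "Deny"

def _hit(field, value):
    # A rule field matches when it is a wildcard or equals the packet value.
    return field in ("Any", None) or field == value

def decide(policy, src, dst, proto, port):
    """Return the action of the first matching rule (first match wins)."""
    for r in policy:
        if (_hit(r.src, src) and _hit(r.dst, dst)
                and _hit(r.proto, proto) and _hit(r.port, port)):
            return r.action
    return "Deny"  # assumption: traffic matching no rule is dropped

def exposed_tcp_ports(policy, ports, src="203.0.113.7", dst="192.0.2.10"):
    """List the probed TCP ports the policy lets through."""
    return [p for p in ports if decide(policy, src, dst, "TCP", p) == "Allow"]

def audit(policy):
    """Flag allow-all catch-alls, shadowed rules and a missing cleanup rule."""
    findings = []
    for i, r in enumerate(policy, start=1):
        catch_all = (r.src, r.dst, r.proto, r.port) == ("Any", "Any", "Any", None)
        if catch_all and r.action == "Allow":
            findings.append(f"rule {i}: allow-all catch-all")
        if catch_all and i < len(policy):
            findings.append(f"rule {i}: shadows {len(policy) - i} later rule(s)")
    if not policy or policy[-1] != Rule("Any", "Any", "Any", None, "Deny"):
        findings.append("no deny-all cleanup rule at the end")
    return findings

DENY_ALL = Rule("Any", "Any", "Any", None, "Deny")
WEB = [Rule("Any", "Any", "TCP", 80, "Allow"), Rule("Any", "Any", "TCP", 443, "Allow")]
POLICY_D = WEB + [DENY_ALL]                      # allow 80/443, then deny all
POLICY_OPEN = [Rule("Any", "Any", "TCP", 80, "Deny"),       # constructed
               Rule("Any", "Any", "TCP", 443, "Allow"),
               Rule("Any", "Any", "Any", None, "Allow")]
POLICY_DENY_FIRST = [DENY_ALL] + WEB             # constructed: cleanup rule on top
PROBE = [21, 22, 23, 80, 443, 3389]              # constructed probe set

if __name__ == "__main__":
    for name in ("POLICY_D", "POLICY_OPEN", "POLICY_DENY_FIRST"):
        p = globals()[name]
        print(name, exposed_tcp_ports(p, PROBE), audit(p))
```
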

Discussion
stoneface

D)
Any -> Any -> TCP 80 Allow
Any -> Any -> TCP 443 Allow
Any -> Any -> ANY Deny
Although allowing 80 is not secure, it is the best answer of all

banditring

Why? If C is saying Deny for port 80?

jgp

Because in C you are opening any port by Allowing by default with the ANY -> ANY -> ANY -> Allow

fryderyk

Also worth mentioning that port 80 open does not mean all data is leaked. It is a common practice to leave it open to allow for a redirect from 80 to 443.

Smeevil

Cause C allows any other traffic in the last line

Gigi42

ADDITIONALLY, you don't start at the top with a DENY, you end with a DENY

Protract8593

Option C allows any insecure port, which is not the best configuration for securing a web server. The correct answer is option D:

[Source Destination Port Action]
Any Any TCP 80 Allow
Any Any TCP 443 Allow
Any Any Any Deny

Explanation: Option D: This policy allows access only to TCP ports 80 (HTTP) and 443 (HTTPS), which are the standard ports for web communication and are considered secure. All other traffic is denied, providing a more secure configuration for a web server. Option D is the most secure firewall policy for a web server because it restricts access to only the necessary and secure ports (80 and 443) while denying all other traffic that could potentially be insecure or unnecessary for web server operations.

chael88

This one was not in my exam but one very similar. It asked to allow web server, sftp, DHCP but specifically block FTP. The answer was the one with port 21 blocked.

inkedia3

Wrote the exams yesterday and passed. Please pay attention to these PBQs. They were all on the exams. Funny, I wasn't paying much attention to them till about three hours before my exams. Anyway, I passed with 785 score... I will say give these questions 90% of your attention and look for the 10% from other sources...

scarceanimal

D) implicit deny automatically makes it most secure of the rest imo.

SecurityArt

It's D. Last line is Any --> Any --> Any --> Deny

DriftandLuna

A, B & C all allow anything to anywhere using any port. Whilst D is not ideal it is the best option

Iphy23

The most correct answer is D

roukettas

If you have a web server, you configure your nginx to run on port 443 and handle requests on port 80. Any other ports should be blocked to protect your server, not the application.

Pele9

Wherever you see "any - any - deny" or deny all as the last policy at the bottom, that is the most secure firewall policy configuration. It's a clean up rule.

Tariktarek2016

D is right

comeragh

D - I agree with D being the correct answer here