Exam CAS-004
Question 155

An auditor is reviewing the logs from a web application to determine the source of an incident. The web application architecture includes an Internet-accessible application load balancer, a number of web servers in a private subnet, application servers, and one database server in a tiered configuration. The application load balancer cannot store the logs. The following are sample log snippets:

Which of the following should the auditor recommend to ensure future incidents can be traced back to the sources?

    Correct Answer: A

    To ensure future incidents can be traced back to their sources, enabling the X-Forwarded-For header at the load balancer is the best recommendation. This header helps identify the originating IP address of a client connecting through a load balancer, which is crucial for accurate traceability in a multi-tier web application architecture. Without this, logs would only show the IP address of the load balancer, not the actual client. Although storing the $_SERVER['REMOTE_ADDR'] value in web server logs can capture client IPs, it may not provide accurate results without the X-Forwarded-For header in cases where requests are proxied through the load balancer.

Discussion
Ckl22 (Option: A)

The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.

Andre876

My concern is the load balancer does not store any logs....idkk

Mr_BuCk3th34D (Option: A)

Storing the value of the $_SERVER['REMOTE_ADDR'] received by the web servers (option E) may be useful for traceability, but it does not provide the IP address of the client if the request was proxied through a load balancer. Enabling the XFF header at the load balancer (option A) is the best option for ensuring that future incidents can be traced back to the sources.

javier051977

You are correct that storing the value of the $_SERVER['REMOTE_ADDR'] may not always provide the actual IP address of the client, especially if the request was proxied through a load balancer. However, the option E was recommended in this scenario because the web server logs are the only logs that show the IP address of the client, and storing the $_SERVER['REMOTE_ADDR'] value in the web server logs would allow for tracking the source of the incident. In contrast, enabling the X-Forwarded-For header at the load balancer, as suggested in option A, would provide the actual IP address of the client even if the request was proxied through the load balancer. However, since the load balancer cannot store logs, enabling the X-Forwarded-For header would not be sufficient to ensure future incidents can be traced back to their sources. Therefore, storing the $_SERVER['REMOTE_ADDR'] value in the web server logs, as suggested in option E, would be the best option to ensure future incidents can be traced back to their sources in this specific scenario.

FOURDUE (Option: A)

The X-Forwarded-For request header is automatically added and helps you identify the IP address of a client when you use an HTTP or HTTPS load balancer. Because load balancers intercept traffic between clients and servers, your server access logs contain only the IP address of the load balancer. From https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html

angryelvis (Option: E)

I have 2 problems with this question. I don't understand how C enables you to trace back to the source. Also, the X-Forwarded-For header is the answer for another question and I don't believe they would have 2 questions with that answer.

BiteSize (Option: A)

Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

23169fd (Option: A)

Explanation: The X-Forwarded-For (XFF) header is used to identify the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. Enabling this header would allow the web servers to log the actual client IP addresses instead of the IP address of the load balancer. This is crucial for tracing the source of requests. Relevance: This would directly address the need to trace back to the source IP of the client making the requests, which is critical for incident investigation.

EAlonso (Option: A)

A. agreed

imather (Option: A)

X-Forwarded-For header adds the original IP to the packets sent to the server. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html

javier051977 (Option: E)

The web server logs already contain IP addresses, so adding the X-Forwarded-For header may not provide additional value in this case. The X-Forwarded-For header can be easily spoofed, so relying solely on this header for tracing incidents may not be reliable. Storing the value of the $_SERVER['REMOTE_ADDR'] received by the web servers is a straightforward way to ensure that the actual IP address of the client is recorded, even if there are proxy servers in between the client and the web servers.

23169fd

Without the X-Forwarded-For header, this method would not provide the actual client IP address.
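
Added example, not part of the original question or of any comment above: one way a web server behind the load balancer can record the client address, combining the two values the thread debates (the peer address, which is what PHP exposes as $_SERVER['REMOTE_ADDR'], and the X-Forwarded-For header) while accounting for the spoofing concern. The trusted subnet, function names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import json

# Assumption: the load balancer's private subnet (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]


def is_trusted(addr):
    """True if addr parses as an IP address inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Return (address, source) to record as the client for this request."""
    # Peer is not the load balancer: any XFF value is client-supplied.
    if not is_trusted(remote_addr):
        return remote_addr, "remote_addr"
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk right to left: rightmost entries were appended by trusted proxies;
    # the first untrusted entry is the peer the load balancer itself saw.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing further left can be relied on
        if not is_trusted(hop):
            return hop, "x-forwarded-for"
    return remote_addr, "remote_addr"


def log_record(remote_addr, xff_header, request):
    """JSON access-log line that keeps both raw values for investigators."""
    ip, source = client_ip(remote_addr, xff_header)
    return json.dumps({"client": ip, "source": source, "peer": remote_addr,
                       "xff": xff_header, "request": request})


# Constructed sample requests: (peer address, X-Forwarded-For, request line)
SAMPLES = [
    ("10.0.1.5", "203.0.113.7", "GET /login"),
    ("10.0.1.5", "198.51.100.9, 203.0.113.7", "POST /login"),  # forged first hop
    ("192.0.2.44", "10.9.9.9", "GET /admin"),  # did not pass through the LB
]

if __name__ == "__main__":
    for peer, xff, req in SAMPLES:
        print(log_record(peer, xff, req))
```

Keeping the raw peer and header values next to the derived address lets an investigator re-evaluate a record later if the trusted proxy list turns out to have been wrong.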