Exam CAS-004
Question 94

A security architect is reviewing the following proposed corporate firewall architecture and configuration:

Both firewalls are stateful and provide Layer 7 filtering and routing. The company has the following requirements:

✑ Web servers must receive all updates via HTTP/S from the corporate network.

✑ Web servers should not initiate communication with the Internet.

✑ Web servers should only connect to preapproved corporate database servers.

✑ Employees' computing devices should only connect to web services over ports 80 and 443.

Which of the following should the architect recommend to ensure all requirements are met in the MOST secure manner? (Choose two.)

Correct Answer: A, F

To meet the company's requirements in the most secure manner, two specific firewall rules should be implemented. Employees' computing devices should connect only to web services over ports 80 and 443. To achieve this, Firewall_A should have a rule permitting traffic from the corporate network (10.0.0.0/16) to any destination over TCP ports 80 and 443. Additionally, web servers must receive updates via HTTP/S from the corporate network and should only connect to preapproved corporate database servers. Thus, Firewall_B should have a rule permitting traffic from the web server network (192.168.1.0/24) to a specific host in the corporate network (10.0.2.10/32) over TCP ports 80 and 443. These rules ensure compliance with the specified security measures and constraints.

Discussion
ccryptix (Options: AF)

A -> you want people from the corporate network to access Internet web servers.
B -> wrong, this would allow the web server to contact anything on the Internet.
C -> wrong, this would allow the corporate network to access anything on the Internet, which is already covered by Firewall_B rule 20.
D -> wrong, this would allow the Internet to access anything on the corporate network.
E -> wrong, this is a duplicate of Firewall_B rule 20.
F -> this would allow the web servers to receive updates via HTTP/S from the corporate network.

Protocol0

Why F? F. Add the following to Firewall_B: 15 PERMIT FROM 192.168.1.0/24 TO 10.0.2.10/32 TCP 80,443
10.0.2.10 isn't mentioned anywhere.

[Removed]

It isn't explicitly mentioned, but the requirements state that: Web servers must receive all updates via HTTP/S from the corporate network. Web servers should only connect to preapproved corporate database servers. And the subnet 10.0.2.10/32 falls within the 10.0.0.0/16 corporate network, leading us to conclude that F is the only answer that fulfills that requirement. Answers B, C, D, and E are all wrong because they are permitting the firewall to access the Internet or be accessed by the Internet. This is a big no when you configure firewall rules. Firewalls do not need to access or be accessed by anybody besides pre-defined internal systems that are in charge of configuring and updating them. So only A and F are permittable answers in this case, regardless of what conditions are stated.

Protocol0

Thank you.

FoxTrotDG

10.0.2.10/32 is a host subnet and represents only a single host. Rule 30 on Firewall_B already allows web servers to connect to the preapproved corporate database servers. A is really the only answer, but because we have to choose two, F it is. Even though it's redundant.

david124 (Options: AF)

1 - you want the server to only update via the corporate network
2 - you want employees to surf the Internet via ports 443/80

23169fd (Options: AF)

A. Add the following to Firewall_A: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP 80,443
This rule allows employees' computing devices in the 10.0.0.0/16 network to connect to web services on the Internet using ports 80 and 443, which fulfills the requirement that employees should only connect to web services over these ports.
F. Add the following to Firewall_B: 15 PERMIT FROM 192.168.1.0/24 TO 10.0.2.0/32 TCP 80,443
This rule ensures that web servers in the 192.168.1.0/24 network can receive updates from a specific server (10.0.2.0/32) on ports 80 and 443, fulfilling the requirement that web servers must receive updates via HTTP/S from the corporate network.

23169fd (Options: AF)

A. Add the following to Firewall_A: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP 80,443
F. Ensuring the updated specific database server rule.

ThatGuyOverThere (Options: AF)

AF makes the most sense to me, but don't these two rules count each other out?
Firewall_B ACL
10 PERMIT FROM 10.0.0.0/16 TO 192.168.1.0/24 TCP 80,443
20 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP/UDP 0-65535
Employees on the corporate network are going to be able to access web servers on the 192.168.1.0/24 network on any port based on that, or am I missing something? If they use a port besides 80 or 443, sure, the first entry (10) won't allow it, but the second (20) would. And the DENY (40) isn't until the bottom, so it won't apply yet. Seems like we still don't meet the requirements.

ThatGuyOverThere

Sorry, the DENY (40) wouldn't apply anyway because it's not the right traffic direction for what I'm talking about.
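As an added illustration (not from the question or any commenter), the Python below models first-match ACL evaluation for the rules quoted on this page: option A's rule on Firewall_A, option F's rule on Firewall_B, and the existing Firewall_B rules 10 and 20 quoted in the discussion above. Rules 30 and 40 are not fully quoted on the page, so they are omitted and an implicit default deny is assumed; the sample hosts are constructed.

```python
import ipaddress

# Rule text in the format quoted on this page, e.g. "15 PERMIT FROM 192.168.1.0/24
# TO 10.0.2.10/32 TCP 80,443"; ports are a comma list of numbers or ranges.
def parse_rule(text):
    seq, action, _from, src, _to, dst, proto, ports = text.split()
    ranges = []
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return {"seq": int(seq), "action": action.upper(),
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "protos": set(proto.upper().split("/")), "ports": ranges}

def matches(rule, src_ip, dst_ip, proto, port):
    return (ipaddress.ip_address(src_ip) in rule["src"]
            and ipaddress.ip_address(dst_ip) in rule["dst"]
            and proto.upper() in rule["protos"]
            and any(lo <= port <= hi for lo, hi in rule["ports"]))

def evaluate(rules, src_ip, dst_ip, proto, port):
    """First match in sequence order wins; no match is an implicit deny."""
    for rule in sorted(rules, key=lambda r: r["seq"]):
        if matches(rule, src_ip, dst_ip, proto, port):
            return rule["action"], rule["seq"]
    return "DENY", None

# Firewall_B rules 10 and 20 are quoted in the discussion; rule 15 on each firewall
# is the proposed rule from option A / option F. Rules 30 and 40 are not fully
# quoted on the page, so they are omitted (assumption) and the implicit deny stands in.
FIREWALL_A = [parse_rule("15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP 80,443")]
FIREWALL_B = [parse_rule(r) for r in (
    "10 PERMIT FROM 10.0.0.0/16 TO 192.168.1.0/24 TCP 80,443",
    "15 PERMIT FROM 192.168.1.0/24 TO 10.0.2.10/32 TCP 80,443",
    "20 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP/UDP 0-65535",
)]

def check_requirements():
    """Constructed sample hosts; 203.0.113.7 stands in for an Internet address."""
    return {
        # employees reach Internet web services over 443 (option A)
        "employee_https_out": evaluate(FIREWALL_A, "10.0.5.20", "203.0.113.7", "TCP", 443),
        # web servers pull updates from the corporate host named in option F
        "web_update_from_corp": evaluate(FIREWALL_B, "192.168.1.10", "10.0.2.10", "TCP", 443),
        # web servers must not initiate traffic to the Internet
        "web_to_internet": evaluate(FIREWALL_B, "192.168.1.10", "203.0.113.7", "TCP", 80),
        # the discussion's point: rule 20 lets corporate hosts reach the web
        # servers on any port, so rule 10's 80/443 restriction has no effect
        "corp_to_web_ssh": evaluate(FIREWALL_B, "10.0.5.20", "192.168.1.10", "TCP", 22),
    }
```

The last entry shows why a broad rule placed after a narrow one undermines the narrow rule's intent: the web-server-only 80/443 limit in rule 10 is never the deciding match for other ports once rule 20 permits everything.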

BiteSize (Options: AF)

A, F
A = Permitting External Firewall to send dest packets from Corporate network, allowing users to connect to web traffic via 80, 443 (otherwise, you have no outbound rules in FW_A)
F = Allows web traffic to get from external to Corporate Network (otherwise, your only inbound rule is to the databases)
Source: Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence.)

tineboy46 (Options: AD)

AD are the correct choice. F's IP address, 10.0.2.10/32, is not listed.