CISSP Exam Questions

CISSP Exam - Question 267


A systems engineer is designing a wide area network (WAN) environment for a new organization. The WAN will connect sites holding information at various levels of sensitivity, from publicly available to highly confidential. The organization requires a high degree of interconnectedness to support existing business processes.

What is the BEST design approach to securing this environment?

Correct Answer: D

The best design approach for securing a WAN environment with varying sensitivity levels and high interconnectedness is to align risk across all interconnected elements to ensure critical threats are detected and handled. This approach allows the organization to prioritize security measures based on the criticality of systems while maintaining necessary connectivity. Unlike isolated or perimeter-focused strategies, aligning risk ensures comprehensive coverage and appropriate security controls tailored to each system's importance, thus supporting both security and business process continuity.

Discussion

17 comments
DERCHEF2009 - Option: D
Sep 17, 2022

Going with D

Voxycs - Option: D
Oct 4, 2023

Think like a manager/consultant. Choose a process over technical implementation.

BDSec - Option: B
Sep 25, 2022

B. Perimeter doesn’t factor need for internal protection

DracoL - Option: B
Oct 26, 2022

B should be the correct answer - Place firewalls around critical devices, isolating them from the rest of the environment. Key words are firewall around critical devices and isolation, meaning physical/virtual segmentation. Not necessarily just DMZ, it can be multi-layer segment, i.e. level 0 that has access to the WAN. From level 0 to level 1 need to pass through a firewall etc. This is typical design for some secure site.

InclusiveSTEAM - Option: D
Oct 16, 2023

The answer is D. Explanation: Since high interconnectedness is required, attempting to isolate systems or create separate environments is not feasible. Instead, a unified risk-based approach should be taken to implement layered controls prioritized based on criticality across all systems and tiers. This allows tailoring security to system criticality while still enabling connectivity through integrating compensating controls. Options A and B take an isolation approach that hinders integration. Option C proposes just hardened perimeters rather than alignment across assets.

JohnyDal - Option: C
Feb 11, 2023

C includes A,B,D

jackdryan
May 13, 2023

B is correct

Meowson - Option: D
Jul 11, 2023

This is CISSP, not some technical exams, the answer is D for sure.

oudmaster - Option: C
Dec 29, 2022

I vote for C. Use layered security such as IPS, IDS, WAF, FW, AI/MC, etc., at the perimeter level. So this will make sure traffic destined to critical assets will be properly inspected. A firewall at the end is not an advanced security solution.

Oscar_Law - Option: B
May 15, 2023

B is correct

Moose01 - Option: C
May 18, 2023

C. Perimeter FW or Router that can simple ACL will be able to accomplish this very easily. ACL will permit only what is allowed in and prevent what is not. If it is FW, even better. Defense in Depth - will add all the above Router, FW, IDS, Group Policy if part AD.

jegga - Option: C
May 19, 2023

C is the best answer - If the organization requires a high degree of interconnectedness, definitely defence in is required for seamless connectivity of all sites.

[Removed] - Option: C
Aug 27, 2023

"Layered" = Defense in Depth. I think that is the point of the question.

[Removed] - Option: C
Dec 5, 2023

Depending on the reading, you can fit all the answers. Security recommends a multi-layered defense, so I choose C. By the way, those in the C camp, switch to the voting comments after selecting your answer and then leave a comment. The D camp is doing a solid job of voting, aren't they?

YesPlease - Option: D
Dec 16, 2023

Answer D) Think like a manager. A, B, and C are all technical approaches and may not be the best solution for each network joined to the WAN. D is the only one that will look across all systems and create something that addresses them all.

Woo7
Feb 6, 2024

But the question is asking what is the best design approach for the systems engineer, not the manager. Not saying this is wrong, just debating myself.

gjimenezf - Option: C
Jan 23, 2024

Multi-layered defense in depth is the best DESIGN.

eboehm - Option: D
Apr 10, 2024

At first I thought the answer was C, but then there are a couple of things to think about. The first is that it says only at the perimeter. Second is that it only mentions preventive and detective controls. When properly implementing layered defense it should include a complete control (detective, preventive, and recovery).

klarak - Option: D
May 9, 2024

D is a gimme. It's the only thing that's comprehensive. It's not about just picking one technical protection over another.