A network security engineer wants to prevent resource-consumption issues on the firewall.
Which strategy is consistent with decryption best practices to ensure consistent performance?
Use Perfect Forward Secrecy (PFS) in a Decryption profile for higher-priority and higher-risk traffic, and less processor-intensive decryption methods for lower-risk traffic. PFS provides a higher level of security, which is essential for sensitive data, but it is also more processor-intensive. By using it selectively for high-priority traffic and opting for less demanding decryption methods for other traffic, the firewall can maintain performance while ensuring that critical data remains secure.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment
The correct answer is D. The combination of these factors determines how decryption consumes firewall processing resources. To best utilize the firewall’s resources, understand the risks of the data you’re protecting. If firewall resources are an issue, use stronger decryption for higher-priority traffic and use less processor-intensive decryption to decrypt and inspect lower-priority traffic until you can increase the available resources. For example, you could use RSA instead of ECDHE and ECDSA for traffic that isn’t sensitive or high-priority to preserve firewall resources for using PFS-based decryption for higher priority, sensitive traffic. (You’re still decrypting and inspecting the lower-priority traffic, but trading off consuming fewer computational resources with using algorithms that aren’t as secure as PFS.) The key is to understand the risks of different traffic types and treat them accordingly.
PFS is more secure but more resource intensive; RSA is less secure but saves resources, so C.
Perfect Forward Secrecy (PFS) ephemeral key exchange algorithms such as Diffie-Hellman Ephemeral (DHE) and Elliptic-Curve Diffie-Hellman Exchange (ECDHE) consume more processing resources than Rivest-Shamir-Adleman (RSA) algorithms. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment
Option C. If firewall resources are an issue, use stronger decryption for higher-priority traffic and use less processor-intensive decryption to decrypt and inspect lower-priority traffic until you can increase the available resources. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment
If firewall resources are an issue, use stronger decryption for higher-priority traffic and use less processor-intensive decryption to decrypt and inspect lower-priority traffic until you can increase the available resources. For example, you could use RSA instead of ECDHE and ECDSA for traffic that isn’t sensitive or high-priority to preserve firewall resources for using PFS-based decryption for higher priority, sensitive traffic.
I think C, PFS for high security traffic and RSA on low end stuff.
Answer is C. If firewall resources are an issue, use stronger decryption for higher-priority traffic and use less processor-intensive decryption to decrypt and inspect lower-priority traffic until you can increase the available resources.
Option A involves optimizing the decryption process by using less processor-intensive ciphers for traffic that doesn't require the highest level of security. This allows you to strike a balance between security and performance, ensuring that your firewall can handle the decryption workload efficiently without compromising security.
Definitely C. A and B are not relevant. As per the link and the text below: use RSA for traffic that isn’t sensitive (so D is wrong, because you would use RSA for low-risk/non-sensitive traffic and not higher-priority and higher-risk traffic as in option D), which leaves C as the most correct. The performance cost of PFS trades off against the higher security that PFS achieves, but PFS may not be needed for all types of traffic. You can save firewall CPU cycles by using RSA for traffic that you want to decrypt and inspect for threats but that isn’t sensitive. If firewall resources are an issue, use stronger decryption (such as PFS) for higher-priority traffic and use less processor-intensive decryption to decrypt and inspect lower-priority traffic until you can increase the available resources. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment
C "For example, you could use RSA instead of ECDHE and ECDSA for traffic that isn’t sensitive or high-priority to preserve firewall resources for using PFS-based decryption for higher priority, sensitive traffic. (You’re still decrypting and inspecting the lower-priority traffic, but trading off consuming fewer computational resources with using algorithms that aren’t as secure as PFS.)"
Based on the link that KAMBATA provided, I think it is C.
I think D. You can save firewall CPU cycles by using RSA for traffic that you want to decrypt and inspect for threats but that isn’t sensitive.
Yes, so the answer is C: less processor-intensive decryption methods for lower-risk traffic = RSA.