A security engineer is configuring an Access Control Policy for multiple branch locations.
These locations share a common rule set and utilize a network object called INSIDE_NET which contains the locally significant internal network subnets at each location.
What technique will retain the policy consistency at each location but allow only the locally significant network subnet within the application rules?
Click on the arrows to vote for the correct answer
A. B. C. D.D.
The correct answer is D - creating an ACP with an INSIDE_NET network object and object overrides.
Explanation: When multiple branch locations share a common rule set, creating a unique ACP per device (answer B) is not scalable and can be difficult to manage. Utilizing a dynamic ACP that updates from Cisco Talos (answer A) provides additional security but does not address the requirement of allowing only the locally significant network subnet within the application rules.
Policy inheritance (answer C) is a feature that allows policies to be inherited from a parent policy, but it does not address the requirement of allowing only the locally significant network subnet within the application rules.
Creating an ACP with an INSIDE_NET network object and object overrides (answer D) is the most appropriate technique to retain policy consistency at each location while allowing only the locally significant network subnet within the application rules. By creating an ACP with an INSIDE_NET network object, the security engineer can define application rules that apply to this network object. Then, object overrides can be created at each location to limit the scope of the INSIDE_NET object to only the locally significant network subnet.
For example, suppose that there are two branch locations: Location A and Location B. At Location A, the INSIDE_NET object should include subnet 10.1.1.0/24, and at Location B, the INSIDE_NET object should include subnet 10.2.2.0/24. The security engineer can create an ACP with an INSIDE_NET network object that includes both subnets (10.1.1.0/24 and 10.2.2.0/24). Then, at Location A, an object override can be created to limit the scope of the INSIDE_NET object to only subnet 10.1.1.0/24, and at Location B, an object override can be created to limit the scope of the INSIDE_NET object to only subnet 10.2.2.0/24. This approach ensures policy consistency while allowing only the locally significant network subnet within the application rules.