An information security manager is concerned that connectivity used to configure and troubleshoot critical network devices could be attacked.
The manager has tasked a network security engineer with meeting the following requirements:
-> Encrypt all traffic between the network engineer and critical devices.
-> Segregate the different networking planes as much as possible.
-> Do not let access ports impact configuration tasks.
Which of the following would be the BEST recommendation for the network security engineer to present?
A. Deploy control plane protections.
B. Use SSH over out-of-band management.
C. Force only TACACS to be allowed.
D. Require the use of certificates for AA.

Correct answer: B
The information security manager is concerned about the security of the connectivity used for configuring and troubleshooting critical network devices, and has given three requirements to the network security engineer: encrypt all traffic between the engineer and devices, segregate the networking planes as much as possible, and do not let access ports impact configuration tasks. The engineer must recommend a solution that meets these requirements.
Option A: Deploy control plane protections. Deploying control plane protections could help prevent attacks against the control plane of the network devices, which is responsible for managing device configurations and routing tables. However, it does not address the other two requirements, which are encryption of traffic and segregation of networking planes. Therefore, this option is not the best recommendation.
Option B: Use SSH over out-of-band management. Using SSH over out-of-band management would encrypt all traffic between the network engineer and the critical devices, meeting the first requirement. Out-of-band management uses a separate management network to access network devices, which would segregate the different networking planes as much as possible, meeting the second requirement. Lastly, it would not let access ports impact configuration tasks, as only SSH traffic would be allowed over the management network. This option meets all three requirements and is therefore the best recommendation.
Option C: Force only TACACS to be allowed. TACACS (Terminal Access Controller Access-Control System) is a protocol that provides centralized authentication, authorization, and accounting services for network devices. While this option could help ensure that only authenticated and authorized users can access the critical devices, it does not address the traffic-encryption or plane-segregation requirements. Therefore, this option is not the best recommendation.
Option D: Require the use of certificates for AA. Certificates can be used for authentication and authorization (AA) of users accessing network devices. However, like option C, this option does not address the traffic-encryption or plane-segregation requirements. Therefore, this option is not the best recommendation.
In conclusion, the best recommendation for the network security engineer to meet the three requirements would be to use SSH over out-of-band management (option B).
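To make option B concrete, the following added example (not part of the original question or answer) audits an IOS-style device configuration for the two checkable properties behind "SSH over out-of-band management": VTY lines accept only SSH with a source restriction and no cleartext HTTP management, and the management interface sits in a dedicated VRF rather than the production data plane. The two configurations, the VRF name `MGMT`, the interface names and the addresses are constructed for illustration; the third requirement (configuration access that does not depend on production access ports) is a design property of the out-of-band path and is only approximated here by requiring a VRF-bound management interface.

```python
import re

# Constructed hardened config: dedicated management VRF, SSHv2 only, no HTTP.
HARDENED_CONFIG = """
vrf definition MGMT
!
interface GigabitEthernet0/0
 description Out-of-band management only (assumed name)
 vrf forwarding MGMT
 ip address 10.255.0.5 255.255.255.0
!
ip ssh version 2
no ip http server
no ip http secure-server
access-list 10 permit 10.255.0.0 0.0.0.255
!
line vty 0 4
 transport input ssh
 access-class 10 in vrf-also
"""

# Constructed weak config: management rides the production interface,
# telnet is still enabled and HTTP management is on.
WEAK_CONFIG = """
interface GigabitEthernet0/1
 description Production uplink, also used for management (assumed name)
 ip address 192.0.2.5 255.255.255.0
!
ip http server
!
line vty 0 4
 transport input telnet ssh
"""


def _sections(config):
    """Split an IOS-style config into (header, [indented sub-commands]) pairs.
    Global one-line commands become headers with an empty body."""
    sections, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            if header is not None:
                sections.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        sections.append((header, body))
    return sections


def audit(config):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    secs = _sections(config)
    global_cmds = {h for h, b in secs if not b}

    # Requirement 1: encrypt all management traffic -> SSH-only VTY, no HTTP.
    for header, body in secs:
        if not header.startswith("line vty"):
            continue
        transports = [c for c in body if c.startswith("transport input")]
        if not transports:
            findings.append(f"{header}: no 'transport input' restriction")
        for cmd in transports:
            allowed = set(cmd.split()[2:])
            if allowed != {"ssh"}:
                findings.append(f"{header}: transport input allows {sorted(allowed)}, expected ssh only")
        if not any(c.startswith("access-class") for c in body):
            findings.append(f"{header}: no access-class limiting management sources")
    if "ip http server" in global_cmds:
        findings.append("cleartext HTTP management enabled")
    if "ip ssh version 2" not in global_cmds:
        findings.append("SSH version 2 not enforced")

    # Requirement 2: segregate planes -> management interface bound to a VRF.
    mgmt_ifaces = [h for h, b in secs
                   if h.startswith("interface") and any(c.startswith("vrf forwarding") for c in b)]
    if not mgmt_ifaces:
        findings.append("no interface bound to a management VRF (management shares the production data plane)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, "->", audit(cfg) or "OK")
```

Running the script prints `OK` for the hardened configuration and a list of findings for the weak one; the same `audit` function can be pointed at a real running-config export to check that a fleet of devices actually enforces the option B design rather than just documenting it.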