Securing Web Traffic and Mitigating Risks | CAS-003: CompTIA CASP+

Effective Solutions for TLS Decryption and Endpoint Security Refresh

Question

A company's existing forward proxies support software-based TLS decryption, but are currently at 60% load just dealing with AV scanning and content analysis for HTTP traffic.

More than 70% of outbound web traffic is currently encrypted.

The switching and routing network infrastructure precludes adding capacity, preventing the installation of a dedicated TLS decryption system.

The network firewall infrastructure is currently at 30% load and has software decryption modules that can be activated by purchasing additional license keys.

An existing project is rolling out agent updates to end-user desktops as part of an endpoint security refresh.

Which of the following is the BEST way to address these issues and mitigate risks to the organization?

Answers

Explanations


A.

The scenario describes a company whose existing forward proxy infrastructure is struggling to handle the increasing amount of encrypted traffic on the network. The current proxy infrastructure is already at 60% load, and adding more capacity is not feasible due to network infrastructure limitations. More than 70% of outbound web traffic is encrypted, and the existing firewalls have software decryption modules that can be activated by purchasing additional license keys. The company is also rolling out endpoint security updates to end-user desktops as part of an ongoing project.

In this scenario, the BEST way to address the issues and mitigate risks to the organization is to purchase the SSL decryption license for the firewalls and route traffic back to the proxies for end-user categorization and malware analysis. This option is the most appropriate because it addresses the challenges of increased encrypted traffic while leveraging existing network infrastructure.

Option A: Purchase the SSL decryption license for the firewalls and route traffic back to the proxies for end-user categorization and malware analysis.

This option leverages the existing firewall infrastructure and adds the capability to decrypt SSL traffic using software decryption modules. By routing the decrypted traffic back to the proxies for end-user categorization and malware analysis, the company can relieve the overloaded proxy infrastructure. This option is cost-effective since it only requires purchasing additional license keys and does not require adding new infrastructure. It also ensures that the end-user desktops are protected from malware, which is critical in maintaining a secure network.

Option B: Roll out application whitelisting to end-user desktops and decommission the existing proxies, freeing up network ports.

This option is not the BEST way to address the current challenges as it does not address the issue of increasing encrypted traffic on the network. It also does not address the need for end-user categorization and malware analysis, which is critical in maintaining network security.

Option C: Use an EDP solution to address the malware issue and accept the diminishing role of the proxy for URL categorization in the short-term.

This option is not the BEST way to address the current challenges since it does not address the issue of increasing encrypted traffic on the network. While an EDP solution can be effective in addressing the malware issue, it does not provide the end-user categorization and malware analysis capabilities required for a secure network.

Option D: Accept the current risk and seek possible funding approval in the next budget cycle to replace the existing proxies with ones with more capacity.

This option is not the BEST way to address the current challenges as it does not provide any immediate solutions to the current overloaded proxy infrastructure. It also does not leverage the existing network infrastructure and requires additional funding to replace the existing proxies with new ones, which is not a cost-effective solution.

In conclusion, the BEST way to address the issues and mitigate risks to the organization is to purchase the SSL decryption license for the firewalls and route traffic back to the proxies for end-user categorization and malware analysis. This option leverages existing network infrastructure and is cost-effective while addressing the current challenges of increasing encrypted traffic on the network.