Question 79 of 270 from exam CAS-003: CompTIA CASP+

Question 79 of 270 from exam CAS-003: CompTIA CASP+

Prev Question Next Question

Question

SIMULATION - Compliance with company policy requires a quarterly review of firewall rules.

You are asked to conduct a review on the internal firewall sitting between several internal networks.

The intent of this firewall is to make traffic more secure.

Given the following information perform the tasks listed below: Untrusted zone: 0.0.0.0/0 - User zone: USR 10.1.1.0/24 - User zone: USR2 10.1.2.0/24 - DB zone: 10.1.4.0/24 - Web application zone: 10.1.5.0/24 Management zone: 10.1.10.0/24 - Web server: 10.1.5.50 - MS-SQL server: 10.1.4.70 - MGMT platform: 10.1.10.250 - Instructions: To perform the necessary tasks, please modify the DST port, SRC zone, Protocol, Action, and/or Rule Order columns.

Type ANY to include all ports.

Firewall ACLs are read from the top down.

Once you have met the simulation requirements, click Save.

When you have completed the simulation, please select the Done button to submit.

Once the simulation is submitted, please select the Next button to continue.

SRC Zone | SRC SRC [DST Zone [DST [DST | Protocol | Action | Rule Port Port Order UNTRUST | 10.110250/aNy [MGMT [ANY ANY [ANY |PERMIT | y WEBAPP [10.15.50 [ANY |DB 10.1470 [1433 [UDP [DENY [ay UNTRUST | ANY ANY | ANY ANY [ANY [TCP PERMIT |g USER 10.11.0724, [ANY [UNTRUST[ANY | 80 TCP PERMIT 10.1.2.0/24 a4 UNTRUST | ANY ANY | WEBAPP | 10.15.50 | 80 TCP PERMIT |g DB 10.14.70 [ANY |WEBAPP [10.1550/ANY |ANY | DENY

Task 1) A rule was added to prevent the management platform from accessing the internet.

This rule is not working.

Identify the rule and correct this issue.

Task 2) The firewall must be configured so that the SQL server can only receive requests from the web server.

Task 3) The web server must be able to receive unencrypted requests from hosts inside and outside the corporate network.

Task 4) Ensure the final rule is an explicit deny.

Task 5) Currently the user zone can access internet websites over an unencrypted protocol.

Modify a rule so that user access to websites is over secure protocols only.

Explanations

Please see the explanation below.

Task 1: A rule was added to prevent the management platform from accessing the internet.

This rule is not working.

Identify the rule and correct this issue.

In Rule no.

1 edit the Action to Deny to block internet access from the management platform.

‘SRC Zone SRC ‘SRC Port DST Zone DsT DST Port Protocol Action UNTRUST 10.1.10.250 ANY MGMT ANY ANY ANY DENY

Task 2: The firewall must be configured so that the SQL server can only receive requests from the web server.

In Rule no.

6 from top, edit the Action to be Permit.

‘SRC Zone ‘SRC ‘SRC Port DST Zone DsT DST Port Protocol ‘Action DB 10.1.4.70 ANY WEBAPP 10.1.5.50 ANY ANY PERMIT

Task 3: The web server must be able to receive unencrypted requests from hosts inside and outside the corporate network.

In rule no.

5 from top, change the DST port to Any from 80 to allow all unencrypted traffic.

‘SRC Zone ‘SRC ‘SRC Port DST Zone DsT DST Port Protocol Action UNTRUST ‘ANY ANY WEBAPP 10.1.5.50 ANY cP PERMIT

Task 4: Ensure the final rule is an explicit deny Enter this at the bottom of the access list i.e.

the line at the bottom of the rule:

‘SRC Zone ‘SRC ‘SRC Port DST Zone DsT DST Port Protocol Action ANY ‘ANY ANY ANY ANY ANY Top DENY

Task 5: Currently the user zone can access internet websites over an unencrypted protocol.

Modify a rule so that user access to websites is over secure protocols only.

In Rule number 4 from top, edit the DST port to 443 from 80

‘SRC Zone SRC ‘SRC Port DST Zone DST DST Port Protocol ‘Action USER 10.1.1.0/24 10.1.2.0/24 ANY UNTRUST ANY Te PERMIT
Prev Question Next Question