Securing Mutual Authentication for Internal Payroll Website | CompTIA CASP+ Exam Answer

Best Approach for Defense Against MITM Attacks

Question

A company's chief cybersecurity architect wants to configure mutual authentication to access an internal payroll website.

The architect has asked the administration team to determine the configuration that would provide the best defense against MITM attacks.

Which of the following implementation approaches would BEST support the architect's goals?

Answers

A. Utilize a challenge-response prompt as required input at username/password entry.
B. Implement TLS and require the client to use its own certificate during handshake.
C. Configure a web application proxy and institute monitoring of HTTPS transactions.
D. Install a reverse proxy in the corporate DMZ configured to decrypt TLS sessions.

Explanations

Correct answer: B.

Out of the given options, Option B, "Implement TLS and require the client to use its own certificate during handshake," would BEST support the chief cybersecurity architect's goal of configuring mutual authentication to access the internal payroll website and provide the best defense against MITM attacks.

Here's a detailed explanation of each option and why option B is the best choice:

Option A: Utilize a challenge-response prompt as required input at username/password entry.

This option adds a challenge that the user must answer at login, alongside the username and password. It strengthens the login step with an extra factor, but it does nothing to authenticate the two ends of the connection, so it is not the best option for defending against MITM attacks.

An attacker positioned between the client and the server can intercept the network traffic and capture the user's credentials, including the answers to the challenge questions. Therefore, this option does not provide adequate protection against MITM attacks.

Option B: Implement TLS and require the client to use its own certificate during handshake.

Transport Layer Security (TLS) is a cryptographic protocol that provides secure communication over a network. With TLS, the data transmitted between the client and the server is encrypted, and the client verifies the server's certificate during the handshake, so an attacker on the path can neither read or alter the traffic nor silently impersonate the server.

In addition, requiring the client to present its own certificate during the handshake provides mutual authentication: the server verifies the client's certificate against the CA it trusts, just as the client verifies the server's. Both parties authenticate each other, so an attacker who holds neither a valid server certificate nor a valid client certificate cannot complete a handshake with either side and cannot impersonate either party.

This option provides the best defense against MITM attacks and is the most secure option among the given choices.
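As an added example (not part of the exam explanation), the following Python script builds a throwaway test PKI with the openssl command-line tool and then runs the TLS handshake over a local socket pair, with the server configured either for one-way TLS or for mutual TLS as in option B. The hostname payroll.internal, the CA name and the certificate subjects are assumptions; the point is that with `verify_mode = CERT_REQUIRED` a client that cannot present a certificate issued by the internal CA never completes the handshake.

```python
import socket, ssl, subprocess, tempfile, threading
from contextlib import suppress
from pathlib import Path

HOST = "payroll.internal"  # hypothetical hostname, not from the page
PKI = Path(tempfile.mkdtemp())  # constructed throwaway PKI: CA, server and client certs
run = lambda *a: subprocess.run(["openssl", *a], cwd=PKI, check=True, capture_output=True)

def make_pki():
    # Self-signed CA, then a server cert (SAN = HOST) and a client cert issued by that CA.
    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
        "-subj", "/CN=Payroll Internal CA", "-keyout", "ca.key", "-out", "ca.crt")
    (PKI / "san.cnf").write_text(f"subjectAltName=DNS:{HOST}\n")
    for name, subj in (("server", f"/CN={HOST}"), ("client", "/CN=payroll-admin")):
        run("req", "-newkey", "rsa:2048", "-nodes", "-subj", subj,
            "-keyout", f"{name}.key", "-out", f"{name}.csr")
        run("x509", "-req", "-days", "1", "-in", f"{name}.csr", "-CA", "ca.crt", "-CAkey",
            "ca.key", "-CAcreateserial", "-extfile", "san.cnf", "-out", f"{name}.crt")

def server_context(require_client_cert: bool) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(str(PKI / "server.crt"), str(PKI / "server.key"))
    ctx.load_verify_locations(str(PKI / "ca.crt"))  # CA that client certs must chain to
    # CERT_NONE: one-way TLS, only the server is authenticated. CERT_REQUIRED: mutual TLS.
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    return ctx

def client_context(present_cert: bool) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies the server cert and hostname
    ctx.load_verify_locations(str(PKI / "ca.crt"))
    if present_cert:
        ctx.load_cert_chain(str(PKI / "client.crt"), str(PKI / "client.key"))
    return ctx

def handshake(require_client_cert: bool, present_cert: bool) -> bool:
    # One TLS handshake over a local socket pair; True if the server accepts the session.
    if not (PKI / "ca.crt").exists(): make_pki()
    srv_raw, cli_raw = socket.socketpair()
    srv_raw.settimeout(10); cli_raw.settimeout(10)
    def client():  # OSError covers SSLError (rejected handshake) and a closed connection
        with suppress(OSError), client_context(present_cert).wrap_socket(cli_raw, server_hostname=HOST) as c:
            c.sendall(b"GET /payroll HTTP/1.0\r\n\r\n")
            c.recv(1)  # keep our side open until the server closes
    t = threading.Thread(target=client); t.start()
    accepted = False  # stays False if the server raises "peer did not return a certificate"
    with suppress(OSError), server_context(require_client_cert).wrap_socket(srv_raw, server_side=True) as s:
        accepted = s.recv(64).startswith(b"GET")
    t.join()
    return accepted
```

The script needs the openssl binary on PATH. In a real deployment the same requirement is enforced in the web server's or load balancer's TLS configuration rather than in application code, with the client certificates issued by the company's internal CA.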

Option C: Configure a web application proxy and institute monitoring of HTTPS transactions.

This option places a web application proxy in the path so that it can inspect HTTPS transactions and flag suspicious activity. Monitoring can help detect problems, but it is not the best option for defending against MITM attacks, because it authenticates neither the client nor the server.

A web application proxy can only inspect HTTPS content if it can decrypt the traffic. If the sessions are encrypted end to end with TLS, the proxy cannot decrypt them without the server's private key, and giving it that key or letting it terminate TLS exposes the plaintext at the proxy. This makes it difficult to monitor HTTPS traffic without weakening the security of the connection.

Option D: Install a reverse proxy in the corporate DMZ configured to decrypt TLS sessions.

This option refers to installing a reverse proxy in the DMZ that terminates and decrypts TLS sessions. While such a proxy can add inspection and filtering, it is not the best option for defending against MITM attacks, and by itself it does not provide the mutual authentication the architect asked for.

Decrypting TLS sessions at the proxy exposes the plaintext of the client-server communication at that point, and the proxy together with its private key becomes an additional asset to protect. A misconfigured or compromised proxy introduces new weaknesses and makes it easier for an attacker to carry out MITM attacks.

In conclusion, option B, "Implement TLS and require the client to use its own certificate during handshake," is the best choice for configuring mutual authentication and defending against MITM attacks.