Please explain like I'm a 6 years old

coldbugcoldbug Member Posts: 189
I got this question wrong. I won't tell you what I answered, but I want to see what you will answer and get it wrong like me. Please also explain why you chose that answer as well. Thanks.

A database administrator contacts a security administrator to request firewall changes for a
connection to a new internal application. The security administrator notices that the new
application uses a port typically monopolized by a virus. The security administrator denies the
request and suggests a new port or service be used to complete the application’s task. Which of
the following is the security administrator practicing in this example?
A.
Explicit deny
B.
Port security
C.
Access control lists
D.
Implicit deny
"If you want to kick the tiger in his ass, you'd better have a plan for dealing with his teeth."

Comments

  • McxRisleyMcxRisley OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin Member Posts: 494 ■■■■■□□□□□
    The answer is C. The question specifically calls out a firewall and ports and services. You have to read CompTIA questions very carefully.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • NetworkNewbNetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    Access Control Lists, but I can see an argument for Implicit Deny too
  • mgeoffriaumgeoffriau Member Posts: 162 ■■■□□□□□□□
    That's funny, I'd argue for Explicit Deny. The admin notices the port being used and chooses to deny it.
    CISSP || A+ || Network+ || Security+ || Project+ || Linux+ || Healthcare IT Technician || ITIL Foundation v3 || CEH || CHFI
    M.S. Cybersecurity and Information Assurance, WGU
  • TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    That’s a terrible question...the admin is using access control lists to control traffic...but he or she specifically is explicitly denying that port request.
  • mgeoffriaumgeoffriau Member Posts: 162 ■■■□□□□□□□
    That's why I chose "explicit deny" -- they are using ACLs, but they are "practicing" explicit deny.
    CISSP || A+ || Network+ || Security+ || Project+ || Linux+ || Healthcare IT Technician || ITIL Foundation v3 || CEH || CHFI
    M.S. Cybersecurity and Information Assurance, WGU
  • TheFORCETheFORCE Senior Member Member Posts: 2,298 ■■■■■■■■□□
    Use next generation application layer firewall. Create a rule to allow application A on port xyz. Even if a virus ises that port it wont pass.
  • si20si20 Member Posts: 523 ■■■■□□□□□□
    coldbug wrote: »
    I got this question wrong. I won't tell you what I answered, but I want to see what you will answer and get it wrong like me. Please also explain why you chose that answer as well. Thanks.

    A database administrator contacts a security administrator to request firewall changes for a
    connection to a new internal application. The security administrator notices that the new
    application uses a port typically monopolized by a virus. The security administrator denies the
    request and suggests a new port or service be used to complete the application’s task. Which of
    the following is the security administrator practicing in this example?
    A.
    Explicit deny
    B.
    Port security
    C.
    Access control lists
    D.
    Implicit deny

    Ok, so here's my thought process:

    database administrator - not relevant. Security administrator - not too relevant. The key bits of info we see are: firewall change to block a port. The question is asking which of the 4 options describes blocking a port on a firewall.

    I would go for A) Explicit deny.

    However, some people in the thread are saying C. And that's because the exact same thing can be achieved via an Access control list OR Explicit Deny.

    Let's take a look at an example:


    access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
    access-list 102 deny ip any any

    That first line is saying the firewall should permit any IP from those ranges.
    Then the next rule is an explicit deny on any ip and on any port.

    now going back to the question, the security admin wants to block a port on the firewall, well he can do that by
    adding a line like this:

    access-list 102 deny ip any 134 (I made up port 134, the question doesn't specify what port to block)

    (example modified from https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html)

    Now the firewall rules look like this:

    access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
    access-list 102 deny ip any 134
    access-list 102 deny ip any any

    so the Answer would be C. BUT this is completely stupid because the line below says 'any any',
    which means it's going to block any IP and any PORT that doesn't match.

    To further complicate things, if the rule looked like this:

    access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
    access-list 102 deny ip any 134

    then the answer is 100% A) explicit deny. Even though you could argue my 3 liner is A) explicit deny as well.


    In short: this is a completely ridiculous question and quite typical of what I see in the Sec+. I have to say,
    I am not enjoying studying it myself.

    An explicit deny and an ACL is basically the same thing - because you're denying the traffic EXPLICITLY.....using an ACL. Stupid question.
  • si20si20 Member Posts: 523 ■■■■□□□□□□
    Access Control Lists, but I can see an argument for Implicit Deny too

    That's the thing - it could be anything. Without seeing the rule and having more content it's just a best-guess. I'm finding there are lots of questions in the Sec+ like this and it's actually making me think the cert is a waste of time.
  • E Double UE Double U Member Posts: 1,855 ■■■■■■■■■□
    coldbug wrote: »

    The security administrator denies the request...

    A. Explicit deny

    My vote is A because the text says he denies the request. I wouldn't say C because the text doesn't say the sec admin actually implemented anything on the fw. I'm looking at this like receiving a change request, reviewing it, and saying approved or rejected. If I reject, I state why and suggest an alternative.
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, and more.

    2021 goals: AZ-303, AZ-304, maybe TOGAF and more ISACA

    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson
  • McxRisleyMcxRisley OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin Member Posts: 494 ■■■■■□□□□□
    coldbug wrote: »
    I got this question wrong. I won't tell you what I answered, but I want to see what you will answer and get it wrong like me. Please also explain why you chose that answer as well. Thanks.

    A database administrator contacts a security administrator to request firewall changes for a
    connection to a new internal application. The security administrator notices that the new
    application uses a port typically monopolized by a virus. The security administrator denies the
    request and suggests a new port or service be used to complete the application’s task. Which of
    the following is the security administrator practicing in this example?
    A.
    Explicit deny
    B.
    Port security
    C.
    Access control lists
    D.
    Implicit deny

    They key things here are "The security administrator notices that the new application uses a port typically monopolized by a virus." and "The security administrator denies the request and suggests a new port or service be used to complete the application’s task." The admin does not use Explicit Deny because the rule is already in place through the use of ACLs, he denied the DBA's request to change the ACL.

    Also some quick googling will turn up that the Answer is C. LOL!
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • MitechniqMitechniq Member Posts: 286 ■■■■□□□□□□
    C is correct, the DBA is a making a request to open a port that currently is being blocked. This is normally done through a Firewall Exception request form - because it was rejected there was no changes made to the state of the firewall.

    The firewall is currently configured with a implicit deny or whitelist however the Security administrator is 'practicing' ACL's or a document that tracks approvals/denials of firewall exceptions. A paper trail of why something was denied or more important why it was accepted is crucial if an attack originates from that port after it has been opened.
  • si20si20 Member Posts: 523 ■■■■□□□□□□
    McxRisley wrote: »
    They key things here are "The security administrator notices that the new application uses a port typically monopolized by a virus." and "The security administrator denies the request and suggests a new port or service be used to complete the application’s task." The admin does not use Explicit Deny because the rule is already in place through the use of ACLs, he denied the DBA's request to change the ACL.

    Also some quick googling will turn up that the Answer is C. LOL!

    You mean an implicit deny, surely? The question itself doesn't say there's an explicit deny in the ACL icon_lol.gif That's the problem with the question - it isn't black and white - it leaves you with more questions than answers.

    The fact we're all debating this shows that the question is poor at best. I'd hate to fail an exam on this kind of question. The way it's worded makes it sound like A is the correct answer.
  • mgeoffriaumgeoffriau Member Posts: 162 ■■■□□□□□□□
    Yup, I definitely didn't catch that the blocking rule was already in place by default.

    So, there may indeed be a "best" answer, but it (like many exam questions) is ramping up the difficulty by obfuscating the point of the question. It is ultimately testing your ability to work your way through a poorly written question rather than testing your actual knowledge of the material.
    CISSP || A+ || Network+ || Security+ || Project+ || Linux+ || Healthcare IT Technician || ITIL Foundation v3 || CEH || CHFI
    M.S. Cybersecurity and Information Assurance, WGU
  • McxRisleyMcxRisley OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin Member Posts: 494 ■■■■■□□□□□
    si20 wrote: »
    You mean an implicit deny, surely? The question itself doesn't say there's an explicit deny in the ACL icon_lol.gif That's the problem with the question - it isn't black and white - it leaves you with more questions than answers.

    The fact we're all debating this shows that the question is poor at best. I'd hate to fail an exam on this kind of question. The way it's worded makes it sound like A is the correct answer.

    Nope I mean an ACL, this question is pretty cut and dry for me. These types of questions are designed to make you overthink the answer and CompTIA is VERY good at writing them, just take the CASP if you don't believe me lol
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • deadjoedeadjoe Member Posts: 24 ■■■□□□□□□□
    The DB admin is requesting access to an internal application. Best practice for outside to inside is implicitly deny everything, then explicitly allow what you need (deny everything that is not explicitly allowed).

    By making no changes the security admin is practicing implicit deny.
  • trueshrewkmctrueshrewkmc Member Posts: 107
    I'm zeroing in on the "using a port typically monopolized by a virus" part. Which answer best fits firewall rules to block known viruses? Implicit deny.
  • SteveLavoieSteveLavoie Member Posts: 950 ■■■■■■■■□□
    I say the question is very bad :) That's something that happen :)

    It is a change request that was denied because the port requested is used by a virus,he even suggest another port or service, implying that he advise that another service (or protocol) could be choosen for the application.

    So nothing technical happened, however the port is probably already not allowed at all. So the last rule of the firewall chain would apply.

    If I had to choose an answer, I would choose D : Implicit Deny. It is the less worse answer to this bad question.
Sign In or Register to comment.