Please explain like I'm a 6 years old

coldbug · December 2017

I got this question wrong. I won't tell you what I answered, but I want to see what you will answer and get it wrong like me. Please also explain why you chose that answer as well. Thanks.

A database administrator contacts a security administrator to request firewall changes for a
connection to a new internal application. The security administrator notices that the new
application uses a port typically monopolized by a virus. The security administrator denies the
request and suggests a new port or service be used to complete the application’s task. Which of
the following is the security administrator practicing in this example?
A.
Explicit deny
B.
Port security
C.
Access control lists
D.
Implicit deny

McxRisley · December 2017

The answer is C. The question specifically calls out a firewall and ports and services. You have to read CompTIA questions very carefully.

NetworkNewb · December 2017

Access Control Lists, but I can see an argument for Implicit Deny too

mgeoffriau · December 2017

That's funny, I'd argue for Explicit Deny. The admin notices the port being used and chooses to deny it.

TechGuru80 · December 2017

That’s a terrible question...the admin is using access control lists to control traffic...but he or she specifically is explicitly denying that port request.

mgeoffriau · December 2017

That's why I chose "explicit deny" -- they are using ACLs, but they are "practicing" explicit deny.

TheFORCE · December 2017

Use next generation application layer firewall. Create a rule to allow application A on port xyz. Even if a virus ises that port it wont pass.

si20 · December 2017

coldbug wrote: »

I got this question wrong. I won't tell you what I answered, but I want to see what you will answer and get it wrong like me. Please also explain why you chose that answer as well. Thanks.

A database administrator contacts a security administrator to request firewall changes for a
connection to a new internal application. The security administrator notices that the new
application uses a port typically monopolized by a virus. The security administrator denies the
request and suggests a new port or service be used to complete the application’s task. Which of
the following is the security administrator practicing in this example?
A.
Explicit deny
B.
Port security
C.
Access control lists
D.
Implicit deny

Ok, so here's my thought process:

database administrator - not relevant. Security administrator - not too relevant. The key bits of info we see are: firewall change to block a port. The question is asking which of the 4 options describes blocking a port on a firewall.

I would go for A) Explicit deny.

However, some people in the thread are saying C. And that's because the exact same thing can be achieved via an Access control list OR Explicit Deny.

Let's take a look at an example:

access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 deny ip any any

That first line is saying the firewall should permit any IP from those ranges.
Then the next rule is an explicit deny on any ip and on any port.

now going back to the question, the security admin wants to block a port on the firewall, well he can do that by
adding a line like this:

access-list 102 deny ip any 134 (I made up port 134, the question doesn't specify what port to block)

(example modified from https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html)

Now the firewall rules look like this:

access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 deny ip any 134
access-list 102 deny ip any any

so the Answer would be C. BUT this is completely stupid because the line below says 'any any',
which means it's going to block any IP and any PORT that doesn't match.

To further complicate things, if the rule looked like this:

access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 deny ip any 134

then the answer is 100% A) explicit deny. Even though you could argue my 3 liner is A) explicit deny as well.

In short: this is a completely ridiculous question and quite typical of what I see in the Sec+. I have to say,
I am not enjoying studying it myself.

An explicit deny and an ACL is basically the same thing - because you're denying the traffic EXPLICITLY.....using an ACL. Stupid question.

si20 · December 2017

NetworkNewb wrote: »

Access Control Lists, but I can see an argument for Implicit Deny too

That's the thing - it could be anything. Without seeing the rule and having more content it's just a best-guess. I'm finding there are lots of questions in the Sec+ like this and it's actually making me think the cert is a waste of time.

E Double U · December 2017

coldbug wrote: »

The security administrator denies the request...

A. Explicit deny

My vote is A because the text says he denies the request. I wouldn't say C because the text doesn't say the sec admin actually implemented anything on the fw. I'm looking at this like receiving a change request, reviewing it, and saying approved or rejected. If I reject, I state why and suggest an alternative.

McxRisley · December 2017

coldbug wrote: »

I got this question wrong. I won't tell you what I answered, but I want to see what you will answer and get it wrong like me. Please also explain why you chose that answer as well. Thanks.

A database administrator contacts a security administrator to request firewall changes for a
connection to a new internal application. The security administrator notices that the new
application uses a port typically monopolized by a virus. The security administrator denies the
request and suggests a new port or service be used to complete the application’s task. Which of
the following is the security administrator practicing in this example?
A.
Explicit deny
B.
Port security
C.
Access control lists
D.
Implicit deny

They key things here are "The security administrator notices that the new application uses a port typically monopolized by a virus." and "The security administrator denies the request and suggests a new port or service be used to complete the application’s task." The admin does not use Explicit Deny because the rule is already in place through the use of ACLs, he denied the DBA's request to change the ACL.

Also some quick googling will turn up that the Answer is C. LOL!

Mitechniq · December 2017

C is correct, the DBA is a making a request to open a port that currently is being blocked. This is normally done through a Firewall Exception request form - because it was rejected there was no changes made to the state of the firewall.

The firewall is currently configured with a implicit deny or whitelist however the Security administrator is 'practicing' ACL's or a document that tracks approvals/denials of firewall exceptions. A paper trail of why something was denied or more important why it was accepted is crucial if an attack originates from that port after it has been opened.

si20 · December 2017

McxRisley wrote: »

They key things here are "The security administrator notices that the new application uses a port typically monopolized by a virus." and "The security administrator denies the request and suggests a new port or service be used to complete the application’s task." The admin does not use Explicit Deny because the rule is already in place through the use of ACLs, he denied the DBA's request to change the ACL.

Also some quick googling will turn up that the Answer is C. LOL!

You mean an implicit deny, surely? The question itself doesn't say there's an explicit deny in the ACL

That's the problem with the question - it isn't black and white - it leaves you with more questions than answers.

The fact we're all debating this shows that the question is poor at best. I'd hate to fail an exam on this kind of question. The way it's worded makes it sound like A is the correct answer.

mgeoffriau · December 2017

Yup, I definitely didn't catch that the blocking rule was already in place by default.

So, there may indeed be a "best" answer, but it (like many exam questions) is ramping up the difficulty by obfuscating the point of the question. It is ultimately testing your ability to work your way through a poorly written question rather than testing your actual knowledge of the material.

McxRisley · December 2017

si20 wrote: »

You mean an implicit deny, surely? The question itself doesn't say there's an explicit deny in the ACL That's the problem with the question - it isn't black and white - it leaves you with more questions than answers.

The fact we're all debating this shows that the question is poor at best. I'd hate to fail an exam on this kind of question. The way it's worded makes it sound like A is the correct answer.

Nope I mean an ACL, this question is pretty cut and dry for me. These types of questions are designed to make you overthink the answer and CompTIA is VERY good at writing them, just take the CASP if you don't believe me lol

deadjoe · December 2017

The DB admin is requesting access to an internal application. Best practice for outside to inside is implicitly deny everything, then explicitly allow what you need (deny everything that is not explicitly allowed).

By making no changes the security admin is practicing implicit deny.

trueshrewkmc · December 2017

I'm zeroing in on the "using a port typically monopolized by a virus" part. Which answer best fits firewall rules to block known viruses? Implicit deny.

SteveLavoie · December 2017

I say the question is very bad

That's something that happen

It is a change request that was denied because the port requested is used by a virus,he even suggest another port or service, implying that he advise that another service (or protocol) could be choosen for the application.

So nothing technical happened, however the port is probably already not allowed at all. So the last rule of the firewall chain would apply.

If I had to choose an answer, I would choose D : Implicit Deny. It is the less worse answer to this bad question.

Please explain like I'm a 6 years old

Comments