Please explain like I'm 6 years old
I got this question wrong. I won't tell you what I answered, but I want to see what you will answer and get it wrong like me. Please also explain why you chose that answer as well. Thanks.
A database administrator contacts a security administrator to request firewall changes for a connection to a new internal application. The security administrator notices that the new application uses a port typically monopolized by a virus. The security administrator denies the request and suggests a new port or service be used to complete the application’s task. Which of the following is the security administrator practicing in this example?
A. Explicit deny
B. Port security
C. Access control lists
D. Implicit deny
"If you want to kick the tiger in his ass, you'd better have a plan for dealing with his teeth."
Comments
M.S. Cybersecurity and Information Assurance, WGU
Ok, so here's my thought process:
database administrator - not relevant. Security administrator - not too relevant. The key bits of info we see are: firewall change to block a port. The question is asking which of the 4 options describes blocking a port on a firewall.
I would go for A) Explicit deny.
However, some people in the thread are saying C. And that's because the exact same thing can be achieved via an Access control list OR Explicit Deny.
Let's take a look at an example:
access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 deny ip any any
That first line is saying the firewall should permit any IP from those ranges.
Then the next rule is an explicit deny on any ip and on any port.
Now going back to the question, the security admin wants to block a port on the firewall; well, he can do that by adding a line like this:
access-list 102 deny tcp any any eq 134 (I made up port 134, the question doesn't specify what port to block)
(example modified from https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html)
Now the firewall rules look like this:
access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 deny tcp any any eq 134
access-list 102 deny ip any any
So the answer would be C. BUT this is completely stupid because the line below says 'any any', which means it's going to block any IP and any PORT that doesn't match.
To further complicate things, if the rule looked like this:
access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 deny tcp any any eq 134
then the answer is 100% A) explicit deny. Even though you could argue my 3 liner is A) explicit deny as well.
In short: this is a completely ridiculous question and quite typical of what I see in the Sec+. I have to say, I am not enjoying studying it myself.
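As an added illustration (not from the thread or from Cisco), here is a small Python model of how the access-list 102 rules above are evaluated: first match wins, an explicit deny line catches the port, and anything no line matches falls to the implicit deny at the end of the list. The port 134 and the packet addresses are constructed values.

```python
from ipaddress import ip_network, ip_address

# Constructed model of first-match ACL evaluation; not Cisco code.
# Each rule: (action, protocol, source net, destination net, destination port or None)
ACL_102 = [
    ("permit", "ip", "10.1.1.0/24", "172.16.1.0/24", None),
    ("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", 134),   # explicit deny of the (made-up) port
    ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None),   # the explicit "deny ip any any" line
]

# The two-line version from the thread: no trailing "deny ip any any",
# so unmatched traffic is dropped by the implicit deny instead.
ACL_102_TWO_LINER = ACL_102[:2]


def matches(rule, pkt):
    """True if the packet dict (proto, src, dst, dport) fits every field of the rule."""
    action, proto, src, dst, port = rule
    if proto != "ip" and proto != pkt["proto"]:          # "ip" matches any protocol
        return False
    if ip_address(pkt["src"]) not in ip_network(src):
        return False
    if ip_address(pkt["dst"]) not in ip_network(dst):
        return False
    if port is not None and pkt["dport"] != port:
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, reason). Rules are checked top to bottom and the first
    match decides; if nothing matches, the implicit deny at the end applies."""
    for idx, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule[0], f"explicit rule {idx + 1}"
    return "deny", "implicit deny (end of ACL)"


if __name__ == "__main__":
    # Note the ordering effect: traffic between the permitted subnets on port 134
    # is still allowed, because the permit line sits above the port deny.
    inside = {"proto": "tcp", "src": "10.1.1.5", "dst": "172.16.1.9", "dport": 134}
    outside = {"proto": "tcp", "src": "192.168.0.1", "dst": "172.16.1.9", "dport": 134}
    other = {"proto": "tcp", "src": "192.168.0.1", "dst": "172.16.1.9", "dport": 443}
    for pkt in (inside, outside, other):
        print(pkt["src"], "->", pkt["dst"], pkt["dport"], evaluate(ACL_102, pkt),
              "| two-liner:", evaluate(ACL_102_TWO_LINER, pkt))
```

The run shows why the thread argues over A versus C: the same port ends up blocked whether an explicit line or the list's implicit end does it, but only the explicit line is something an admin deliberately wrote.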
An explicit deny and an ACL is basically the same thing - because you're denying the traffic EXPLICITLY.....using an ACL. Stupid question.
That's the thing - it could be anything. Without seeing the rule and having more content it's just a best-guess. I'm finding there are lots of questions in the Sec+ like this and it's actually making me think the cert is a waste of time.
My vote is A because the text says he denies the request. I wouldn't say C because the text doesn't say the sec admin actually implemented anything on the fw. I'm looking at this like receiving a change request, reviewing it, and saying approved or rejected. If I reject, I state why and suggest an alternative.
The key things here are "The security administrator notices that the new application uses a port typically monopolized by a virus." and "The security administrator denies the request and suggests a new port or service be used to complete the application’s task." The admin does not use Explicit Deny because the rule is already in place through the use of ACLs; he denied the DBA's request to change the ACL.
Also some quick googling will turn up that the Answer is C. LOL!
The firewall is currently configured with an implicit deny or whitelist; however, the Security administrator is 'practicing' ACLs, or a document that tracks approvals/denials of firewall exceptions. A paper trail of why something was denied, or more importantly why it was accepted, is crucial if an attack originates from that port after it has been opened.
You mean an implicit deny, surely? The question itself doesn't say there's an explicit deny in the ACL.
The fact we're all debating this shows that the question is poor at best. I'd hate to fail an exam on this kind of question. The way it's worded makes it sound like A is the correct answer.
So, there may indeed be a "best" answer, but it (like many exam questions) is ramping up the difficulty by obfuscating the point of the question. It is ultimately testing your ability to work your way through a poorly written question rather than testing your actual knowledge of the material.
M.S. Cybersecurity and Information Assurance, WGU
Nope, I mean an ACL; this question is pretty cut and dry for me. These types of questions are designed to make you overthink the answer and CompTIA is VERY good at writing them, just take the CASP if you don't believe me lol
By making no changes the security admin is practicing implicit deny.
It is a change request that was denied because the port requested is used by a virus; he even suggests another port or service, implying that he advises that another service (or protocol) could be chosen for the application.
So nothing technical happened; however, the port is probably already not allowed at all. So the last rule of the firewall chain would apply.
If I had to choose an answer, I would choose D: Implicit Deny. It is the least bad answer to this bad question.