Securing a Web Server

teancum144

A company's security specialist is securing a web server that is reachable from the internet. The web server is located in the core internal corporate network. The network cannot be redesigned and the server cannot be moved. Which of the following should the security specialist implement to secure the web server?
A. Network-based IDS
B. Router with firewall rule set
C. Host-based firewall
D. Router with an IDS module
E. Network-based firewall
F. Host-based IDS

The answer is "F". However, I think this is a poorly worded question. If "F" said "Host-based IPS", then I would agree. So, given the choices, wouldn't "C" be the best choice?

ChooseLife

G. All of the above

I think the question is not worded properly. Comes from a guy who secures web servers for living..

paul78

That is a oddly worded question and answer. The question author uses the term "secure the web server" - so that should normally rule out any IDS techniques. I interpret the word "secure" as introducing a preventative control. An IDS is considered a detective control. So while an IDS is part of any defense in depth strategy - it's not a preventative control which could prevent an intrusion attempt.

Caveat though - I'm actually not familiar with Security+'s knowledge base so I do not know if there is an expectation that a candidate needs to be able to discern control types.

astorrs

Terrible question/answer. As paul78 said an IDS/IPS is only a detective control. If we can't have "All of the above" then I vote for:

H. Reverse proxy web application firewall