Security question

Essendon (Member, 4,548 posts):
Question number 32 from
You are planning a network wherein a Windows Server 2003 will act as router. You will be hosting a Web server that should not be placed in the internal network, as you do not want public HTTP traffic to be entering your internal network. You also have an Intranet Web server that will not only be a part of the internal network but will also be integrated with the rest of the domain controllers for Windows Integrated authentication, as only employees will be allowed to access this Intranet Web server. All these employees will be using pre-assigned IP addresses. You are required to place these two servers and configure restrictions such that the rest of the network's security is not compromised. All traffic entering the network will have to first pass through the firewall. Each of the choices represents a part of the solution. Choose all that apply to form a complete solution.
A. Configure Port Address Translation (PAT) for the Intranet Web server.
B. Configure Network Address Translation (NAT) for the HTTP server.
C. Place the HTTP server in the DMZ.
D. Place the Intranet Web Server in the DMZ.
E. Configure external interface of the router or firewall to discard all inbound packets except from known IP address list.

C and D can be discounted right away as the question states that all traffic must pass through the firewall. That leaves us with A, B and E. I can understand E, as the security shouldn't be compromised. But choice A, what's PAT got to do with security? B looks kinda correct. Could someone please explain A and B to me.

BTW, they reckon A, B and E are the correct choices.

Might as well add another question here. Question 38:
You have been asked by your supervisor to arrive at a solution for authenticating users as well as computers, not only over the domain-based LAN of the Windows Server 2003 network but also for the entire enterprise-wide network. Which of the following solutions best suits this scenario?
A. Use Certificate based authentication.
B. Use Kerberos.
C. Use token-based authentication.
D. Use smart cards

The question seems to mean that there are non-MS devices on the network as well. So out goes Kerberos. What about the rest? Can't we use token-based and smart-card-based authentication? The stated answer is A.

  • Mishra (Member, 2,468 posts):
    "C and D can be discounted right away as the question states that all traffic must pass through the firewall."

    Usually DMZs have firewalls. :)

    PAT/NAT does provide security. You are masking your internal networks from the outside by filtering through 1 IP address. So they do give you security benefits.

    However I think the question is going beyond the scope of the 291. Just remember that NAT does provide better security for environments.
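To make the "masking your internal networks" point concrete, here is a small Python model of the two translations the exam choices name: PAT for the intranet clients (many inside hosts share one public address, each session keyed by a translated port) and static NAT for the public HTTP server (one public address forwarded to one DMZ host, only on the published ports). This is an added example, not code from the thread or from Windows Server; the addresses (10.0.0.0/8 inside, 192.0.2.0/24 DMZ, 203.0.113.0/24 public) and the `EdgeTranslator` class are constructed for illustration. It shows why choice E still matters: PAT on its own only drops unsolicited inbound packets that match no open session, it does not filter by source address.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# (inside_ip, inside_port, peer_ip, peer_port) identifies one PAT session.
Session = Tuple[str, int, str, int]


class EdgeTranslator:
    """Hypothetical edge device: PAT for outbound clients, static NAT for published servers."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.sessions: Dict[Session, int] = {}   # session -> translated source port
        self.by_port: Dict[int, Session] = {}    # translated source port -> session
        self.static: Dict[str, Tuple[str, Set[int]]] = {}  # public ip -> (inside ip, ports)

    def publish(self, public_ip: str, inside_ip: str, ports: Set[int]) -> None:
        """Static (one-to-one) NAT: only the listed ports are forwarded inside."""
        self.static[public_ip] = (inside_ip, set(ports))

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source so the outside only ever sees the public IP."""
        key: Session = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.sessions.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.sessions[key] = port
            self.by_port[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None if the edge drops it."""
        # Static NAT: a published server such as the public HTTP host in the DMZ.
        if pkt.dst_ip in self.static:
            inside_ip, ports = self.static[pkt.dst_ip]
            if pkt.dst_port not in ports:
                return None
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, pkt.dst_port)
        # PAT: only a reply matching a session an inside host opened gets through.
        if pkt.dst_ip != self.public_ip:
            return None
        session = self.by_port.get(pkt.dst_port)
        if session is None:
            return None
        inside_ip, inside_port, peer_ip, peer_port = session
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None  # right port, wrong peer: not part of that session
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo() -> dict:
    """Run the scenario with constructed sample traffic and collect the observations."""
    edge = EdgeTranslator("203.0.113.1")
    edge.publish("203.0.113.2", "192.0.2.10", {80, 443})

    # Two intranet workstations browse the same external site.
    a = edge.outbound(Packet("10.0.0.5", 51000, "198.51.100.20", 80))
    b = edge.outbound(Packet("10.0.0.6", 51000, "198.51.100.20", 80))
    reply_b = edge.inbound(Packet("198.51.100.20", 80, "203.0.113.1", b.src_port))
    unsolicited = edge.inbound(Packet("198.51.100.99", 4444, "203.0.113.1", 40999))

    # Public HTTP server: only the published ports reach the DMZ host.
    web = edge.inbound(Packet("198.51.100.99", 33000, "203.0.113.2", 80))
    rdp = edge.inbound(Packet("198.51.100.99", 33001, "203.0.113.2", 3389))

    return {
        "seen_outside": {a.src_ip, b.src_ip},    # the one public IP, never 10.x
        "ports_differ": a.src_port != b.src_port,
        "reply_to": reply_b.dst_ip if reply_b else None,
        "unsolicited_dropped": unsolicited is None,
        "web_target": web.dst_ip if web else None,
        "rdp_dropped": rdp is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows both internal clients leaving as `203.0.113.1` on different ports, the reply on the second port landing on `10.0.0.6`, and the two inbound packets that match nothing (an unknown port, and RDP to the published web address) being dropped.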
  • Essendon (Member, 4,548 posts):
    Mishra, I thought I could discount both C and D as the question says "All traffic entering the network will have to first pass through the firewall". Correct me if I am wrong, but isn't it like

    Internet > DMZ ( HTTP server, Intranet Web Server ) > Firewall > Rest of the network?

    Any ideas about the second question?
  • dave0212 (Member, 287 posts):
    Most DMZs now sit in a zone on a firewall to secure them.

    Generally you want to limit traffic to your DMZ to things like HTTP and HTTPS, and then allow no traffic to the other secure zone on the firewall.
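The zone policy dave0212 describes, written out as a first-match rule table in Python so the exam scenario can be checked flow by flow. This is an added example, not code from the thread or from any firewall product; the zones (`192.0.2.0/24` as the DMZ, `10.0.0.0/8` as internal, everything else "internet"), the known-employee address `198.51.100.7` and the sample flows are constructed. It covers both the DMZ restriction (only 80/443 from the internet into the DMZ, nothing from the DMZ into the LAN) and choice E (inbound to the internal zone only from the pre-assigned address list).

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed address plan for the example.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),     # public HTTP server lives here
    "internal": ipaddress.ip_network("10.0.0.0/8"),  # intranet web server and staff PCs
}
# The "known IP address list" of choice E: pre-assigned employee addresses
# that are allowed to reach the internal zone from outside.
KNOWN_EXTERNAL = frozenset({ipaddress.ip_address("198.51.100.7")})


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the two networks is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: Optional[FrozenSet[int]]  # None means any destination port
    action: str                      # "allow" or "deny"
    known_src_only: bool = False     # only sources in KNOWN_EXTERNAL match


# First matching rule wins; anything that matches no rule is denied.
RULES: List[Rule] = [
    Rule("internet", "dmz", frozenset({80, 443}), "allow"),
    Rule("internet", "internal", None, "allow", known_src_only=True),
    Rule("dmz", "internal", None, "deny"),   # nothing initiated in the DMZ reaches the LAN
    Rule("internal", "dmz", None, "allow"),
    Rule("internal", "internet", None, "allow"),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for one flow under RULES."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.ports is not None and dst_port not in rule.ports:
            continue
        if rule.known_src_only and ipaddress.ip_address(src_ip) not in KNOWN_EXTERNAL:
            continue
        return rule.action
    return "deny"


Flow = Tuple[str, str, int, str]  # (src, dst, dst_port, description)

# Constructed sample flows covering each path in the exam scenario.
SAMPLE_FLOWS: List[Flow] = [
    ("203.0.113.5", "192.0.2.10", 80, "internet -> DMZ web, HTTP"),
    ("203.0.113.5", "192.0.2.10", 22, "internet -> DMZ web, SSH"),
    ("203.0.113.5", "10.0.0.20", 80, "unknown internet host -> intranet web"),
    ("198.51.100.7", "10.0.0.20", 80, "known employee IP -> intranet web"),
    ("192.0.2.10", "10.0.0.20", 445, "DMZ web -> internal SMB"),
    ("10.0.0.50", "192.0.2.10", 443, "staff PC -> DMZ web, HTTPS"),
]


def audit(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Evaluate every sample flow and pair the description with its verdict."""
    return [(desc, evaluate(src, dst, port)) for src, dst, port, desc in flows]


if __name__ == "__main__":
    for desc, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:5s}  {desc}")
```

The default-deny at the end of `evaluate` is what makes the table safe to extend: a flow nobody thought about (the SSH probe at the DMZ host, the unknown internet address aimed at the intranet server) is dropped without needing an explicit rule for it.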
  • Essendon (Member, 4,548 posts):
    Makes sense, dave.

    Second question?
  • Mishra (Member, 2,468 posts):
    Your DMZ should include its own firewall as well. For example, if you have a DNS server in your DMZ then you still need to provide protection to that server through a firewall, thus all traffic would pass through a firewall before getting to your servers in your DMZ.

    I'll answer question 2 with what I may think if I saw it on a test.

    Question 2:

    C can be thrown out as that will never be an answer. D is only good for user authentication, so it is gone. Kerberos is more of a behind-the-scenes style of authentication, so you don't really implement it, plus it doesn't authenticate computers per se. So it should be A, and you can kind of say that users authenticate to websites using certificates and computers authenticate to resources using certificates, but the question is a little weird.

    BTW: Kerberos is used in multiple operating systems, not just MS.