Options
MHProfessional Questions clarifications
sqadri2009
Registered Users Posts: 4 ■□□□□□□□□□
in SSCP
Q: If an external router filter traffic before it enters the network and another screening device monitors traffic before it enters the internal network, what type of architecture is this?
a) Screened Host
b) Screened Subnet
c) Dual-homed firewall
d) Dual Subnets
I believe the Answer is "a", but the MHProfessional site says the answer is "b".........could you please explain me how the "b" is correct?
a) Screened Host
b) Screened Subnet
c) Dual-homed firewall
d) Dual Subnets
I believe the Answer is "a", but the MHProfessional site says the answer is "b".........could you please explain me how the "b" is correct?
Comments
-
Options
dinhtq
Member Posts: 24 ■■■□□□□□□□
I think that Answer is B it's right .
Because : it's the same
Internet
(external router is the same firewall )
dmz
(another screening device the same firewall )
> Internal .
This is architecture Screened Subnet .
Anybody have another explanation ... -
OptionsBGavnG
Member Posts: 13 ■□□□□□□□□□
sqadri2009 wrote: »Q: If an external router filter traffic before it enters the network and another screening device monitors traffic before it enters the internal network, what type of architecture is this?
a) Screened Host
b) Screened Subnet
c) Dual-homed firewall
d) Dual Subnets
I believe the Answer is "a", but the MHProfessional site says the answer is "b".........could you please explain me how the "b" is correct?
I've learned to really dissect the questions. In my mind, I chose B as well.
Reason:
filter traffic before it enters the network
and another screening device monitors traffic before it enters the internal network
-
Options
mjsinhsv
Member Posts: 167
I agree with B.
I think the "other device" they are eluding to is a bastion host which is usually placed between the two routers. -
Options
beads
Member Posts: 1,531 ■■■■■■■■■□
sqadri2009;
This is a classic question to throw you off into analysis paralysis or to make you doubt yourself and your decision making. The answer is 'B'. Here's why.
'C' and 'D' are completely wrong. There is no mention of two cards in any device.
'A' is wrong as a screen host is another name or variation of dual-homed or dual subnets based DMZ technique.
This is a three-of-kind problem or as I like to say: "one of these things is not like the other..." Yes, exactly like the annoying song from your youth. Generally questions like this indicate the odd answer out as being the correct answer but not always the case. Another way questions are often written would be to have two closely related answers. Giving you the 50/50 shot you really look forward to answering, right? Yeah me too!
If your having difficultly keeping all this straight I suggest drawing some of these architectures out either in Visio or pen and paper. Sometimes a visual reference can go a long way to understanding. Lastly, you could look any of this up on Wikipedia as well. More drawings and examples. Haven't seen a non commercial appliance in years but you may want to search for some outlier as a comparison.
- beads
- beads -
Options
Spin Lock
Member Posts: 142
I've read the DMZ sections in AIO, The Official Guide to the CBK and Sybex. Of these three, DMZ's are covered most thoroughly by AIO. In fact, if this question confuses you, I'd recommend looking at the diagrams in Chapter 6. Harris describes screened hosts and screened subnets in that chapter.
If you'd rather not read all those books, I'll summarize my understanding:
1. A DMZ can be created by deploying one Firewall or two
2. A single-firewall configuration is also known as a "three-legged DMZ" and looks like this:
Internet => FW => DMZ
........................ =>Internal Network
3. The downside to the three-legged configuration is, if the FW is compromised, your internal network is vulnerable to threats from the Internet
4. A two-firewall configuration is called a "Screened Subnet" and looks like this:
Internet => FW1 => DMZ => FW2 => Internal Network
5. A "Firewall" can be a dedicated hardware appliance that performs firewall functionality (i.e. a Palo Alto Networks Box). But a firewall can also be a server with dual NICs running a firewall application (like the Vyatta firewall) or a router implementing an access control list (equivalent to a first generation packet filtering firewall).
So now going back to the question, the network they describe is the following:
"an external router filters traffic before it enters the network " = packet filtering FW = FW1
"another screening device monitors traffic before it enters the internal network" = FW2
So this describes a DMZ consisting of two "screening devices" (firewalls), one between the Internet and the DMZ and the second between the DMZ and the Internal Network. That is a screened subnet.