Exam CS0-003 topic 1 question 121 discussion

This ones tough. D can be a good answer but I actually think this is A. If its that segmented and they want to minimize firewall rules, deploying a scanner sensor on every segment doesn't seem practical. It specifically says they're assessing systems, and if the option to deploy the agent directly to the systems is there, then it is less resource heavy and less maintenance to do an agent-based discovery.

The correct answer is: D. Deploy a scanner sensor on every segment and perform credentialed scans Explanation: In a highly segmented network, deploying a scanner sensor (or scanner appliance) on each segment allows scanning to occur within each network zone without requiring complex cross-segment firewall rules. This minimizes the number of unique firewall rules, since scanning traffic doesn’t need to traverse segments. Using credentialed scans provides more accurate and detailed results by allowing the scanner to log into systems and assess their configurations and vulnerabilities more thoroughly than non-credentialed scans.

It's not D. Key to eliminate it is credentialed scans, you often need to make exceptions in firewall rules for credentialed scans. B would need access to all network segments which would mean extensive firewall modifications.

Deploy a scanner sensor on every segment and perform credentialed scans: While this is a good approach for thorough scanning, deploying scanners on every segment increases the complexity and would likely require multiple firewall rules for communication between the scanner and the systems in each segment.

Option A, deploying agents on all systems to perform the scans, may be effective in some environments but can be resource-intensive and complex to manage, especially in highly segmented networks. Overall, Option D, deploying scanner sensors on every segment and performing credentialed scans locally, is the most efficient approach to minimizing the number of unique firewall rules while effectively scanning a highly segmented network.

This method involves installing scanning agents directly on the systems to be scanned. The agents can perform the scans locally and then report the results back to a central management server. This approach significantly reduces the need for extensive firewall rule configurations because the scanning traffic doesn't have to traverse the network segments. The communication between the agents and the central server can be streamlined, requiring minimal firewall rule changes.

This one is D in my opinion. As I read the question, the organization has already selected the software they are intending to use, and it will be a traditional network-based scanner. Often times in segmented environments, explicit firewall rules will need to be implemented to ensure the scanner isn't blocked by IPS as it conducts it's scan across hosts in other VLANs- or scanner sensors are deployed in said target VLANs. That's what they're getting at- is to have you come to that conclusion here, though like many questions from CompTIA it should be worded better or remove the agent option from potential answers.

we had the same scenario in the company where I work and we deployed a scanner sensor on every segment of the network.

I believe there is a slight difference in creating FW rules for: A. agent plug-in installed on existing IP, versus D. new sensors deployed on each segment. The first one you'll only need to allow the Manager node and port from the corporate supernet, versus allowing scanner to each sensor on each vlan. However, as this is convenient to the network team, it's a significant work for the security/system administrator to maintain each agent, unless through automation.

Going with A on this one. Better option than D since the question states it's "high segmented", so deploying a scanner sensor on every segment would be a lot of work.

We know little about the software. Both D and A can be argued that it will require the same amount of firewall rules, which is potentially none in the case that every agent/scanner sensor is checked directly for the results of the scans. Alternatively (and more likely), the info is sent to some management server after the scans are completed, which will mean an additional rule is added to the firewalls for every segment to allow either the agents of every segment or the scanner sensor of every segment to communicate the results back to the server. In both these cases, no other firewall rules will need to be opened as the scanners are already on each segment, very very tricky question. Comes down to that silly rhetorical question: "how long is a piece of string?"

Deploy agents on all systems to perform the scans (A): Agent-based scanning would be the most efficient for minimizing firewall rules because the agents would reside on each system, negating the need for network traffic to traverse the segmented network for scanning purposes. This minimizes the need for creating additional firewall rules to allow scan traffic.

Correct Deploying a scanner sensor on every segment allows for localized scanning within each segment, which can significantly reduce the need for complex and unique firewall rules. Credentialed scans involve using valid credentials (such as usernames and passwords) to assess the systems. This allows the scanner to gather more accurate and detailed information about vulnerabilities, software versions, and configurations without relying on excessive open ports that might be required for non-credentialed scans.