A security administrator is configuring a new network segment, which contains devices that will be accessed by external users, such as web and FTP servers. Which of the following represents the MOST secure way to configure the new network segment?
A. The segment should be placed on a separate VLAN, and the firewall rules should be configured to allow external traffic.
B. The segment should be placed in the existing internal VLAN to allow internal traffic only.
C. The segment should be placed on an intranet, and the firewall rules should be configured to allow external traffic.
D. The segment should be placed on an extranet, and the firewall rules should be configured to allow both internal and external traffic.
'An extranet is a controlled private network that allows access to partners, vendors and suppliers or an authorized set of customers – normally to a subset of the information accessible from an organization's intranet.'
Answer is A as it does not define the type of external users; for intranet (as per above description) usage even external users have to be vetted in some form or another, which would be problematic if the network hosted a public facing web server intended for any type of external clientele (i.e. incl. those not known to the company prior to accessing the web-server | website).
Love this site and I hate CompTIA. The answer is D, you'd use a DMZ if we're talking external public facing servers, but for an extranet a VLAN would be the way to go.
Extranet is definitely the MOST secure.
In scenario A) the only thing separating your production network and the pass-all network is a logical separation at layer 2. Using the pass-all VLAN I can easily traverse your network north-to-south past your edge router, firewall, DMZ. I now only need to pivot east-to-west to penetrate your production network.
In scenario D) the pass-all network is physically separated from the production network; there is no risk of me pivoting at all.
It is D. It says the network will contain devices that need to be accessed by external users. This is very vague info, but you must assume it also contains devices that are going to be accessed by internal users as well. Configuring the FW for external and internal users is the best option.
Overthinking as always. Who said internal users must access it? Who said we should assume that the external users are teleworkers? Who said external users are vendors/partners? They simply said "external users". This means public servers. Answer is A.
Don't overthink, don't assume, just read.
I understand correctly that there are errors in the dumps and the correct answer on a real exam will be different. Just the one for which the majority voted? Right?
D. "The segment should be placed on an extranet, and the firewall rules should be configured to allow both internal and external traffic" is wrong. Why would I want to allow INTERNAL users to access the extranet? The question only referenced EXTERNAL users, and D states that it should be configured for external and internal? Wrong.
The answer is correct. Key word: "extranet". Let me make it simple: if you break down the word "extranet", you get "extra", which in an organization's case simply means anything that is crucial to your organization but existing outside of it. External users in this case are the organization's employees that are not working in the main location of the company. How will these employees connect to the network securely? Read D and you will understand. It is 4 am and I am so tired, sorry if there are typing errors.
I hate to say it, but I think the answer is "A". Set up a new VLAN (the DMZ) and configure the firewall to allow external traffic. Isn't this the standard sort of deployment?
Extranets aren't accessible to the general public. They often require outside entities to connect using a VPN. This restricts unauthorized access and ensures that all communications with the extranet are secured.
An Extranet is a privately controlled network segment or subnet that functions as a DMZ for business-to-business transactions. It allows an organization to offer specialized services to business partners, suppliers, distributors, or customers. Extranets are based on TCP/IP and often use the common Internet information services, such as web browsing, FTP, and email.
The question asks the MOST secure way.
A private TCP/IP network that provides external entities (customers, vendors, etc.) access to their intranet is called an extranet (Mike Meyer’s CompTIA Security+ p. 293). With D, you are allowing both external and internal entities to access the devices.
VLANs contribute to security because they enable administrators to separate hosts from each other, usually based upon sensitivity. In other words, you can assign sensitive hosts to a VLAN and control which other hosts access them through the VLAN. Since VLANs are logical (and software-based), you can control other aspects of them from a security perspective. You can control what types of traffic can enter or exit the VLAN, and you can restrict access to hosts on that VLAN via a single policy. (Mike Meyer’s CompTIA Security+ p. 297).
With A you are isolating the devices in a better way.
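To make the "separate VLAN plus firewall rules" reasoning concrete, here is an added example (not from the page, the exam, or any cited book) that models the two segmentation outcomes the thread argues about as first-match firewall policies: option A read securely (external clients reach only the published web and FTP ports, and the DMZ VLAN is denied any traffic into the internal VLAN) beside the "pass-all VLAN" a commenter above warns about. All addresses, hosts and ports are constructed for the example; the checks show whether a compromised DMZ host could reach an internal database while the published services stay reachable.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan for the example (documentation ranges, not from the page).
INTERNET = "0.0.0.0/0"       # any external source
DMZ_VLAN = "192.0.2.0/24"    # the new segment holding the web and FTP servers
INTERNAL = "10.10.0.0/16"    # the existing production VLAN

WEB_SERVER = "192.0.2.10"    # published service in the DMZ VLAN
FTP_SERVER = "192.0.2.20"    # published service in the DMZ VLAN
DB_SERVER = "10.10.5.40"     # internal host that a pivot from the DMZ would target


@dataclass(frozen=True)
class Rule:
    src: str                 # source CIDR
    dst: str                 # destination CIDR (a bare address means /32)
    dport: Optional[int]     # destination port; None matches any port
    action: str              # "allow" or "deny"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match firewall evaluation with an implicit default deny."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (src in ip_network(r.src) and dst in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


def separate_vlan_rules() -> List[Rule]:
    """Option A read securely: external traffic reaches only the published
    services, and the DMZ VLAN can never initiate traffic into the internal VLAN."""
    return [
        Rule(INTERNET, WEB_SERVER, 80, "allow"),
        Rule(INTERNET, WEB_SERVER, 443, "allow"),
        Rule(INTERNET, FTP_SERVER, 21, "allow"),
        Rule(DMZ_VLAN, INTERNAL, None, "deny"),   # blocks east-west movement
        Rule(INTERNET, INTERNAL, None, "deny"),   # nothing external reaches production
    ]


def pass_all_vlan_rules() -> List[Rule]:
    """The 'pass-all VLAN' case: logical separation only, with the firewall
    allowing everything through, so layer 2 is the only boundary left."""
    return [
        Rule(INTERNET, DMZ_VLAN, None, "allow"),
        Rule(DMZ_VLAN, INTERNAL, None, "allow"),
    ]


def pivot_blocked(rules: List[Rule]) -> bool:
    """True when a compromised DMZ host cannot reach the internal database port."""
    return evaluate(rules, WEB_SERVER, DB_SERVER, 5432) == "deny"


def published_services_reachable(rules: List[Rule]) -> bool:
    """True when an external client can still use the web and FTP servers."""
    client = "203.0.113.7"   # constructed external address
    return (evaluate(rules, client, WEB_SERVER, 443) == "allow"
            and evaluate(rules, client, FTP_SERVER, 21) == "allow")


if __name__ == "__main__":
    for name, rules in (("separate VLAN", separate_vlan_rules()),
                        ("pass-all VLAN", pass_all_vlan_rules())):
        print(f"{name}: services reachable={published_services_reachable(rules)}, "
              f"pivot blocked={pivot_blocked(rules)}")
```

The point the model makes is the one the VLAN quotation above hints at: the VLAN on its own only separates hosts; it is the explicit deny from the DMZ range into the internal range that turns the segment into something DMZ-like, and that rule is what a review of option A should insist on.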
In my opinion, the key words to answer this question are "FTP server". Usually the DMZ is for web and email servers, since regular external users do not require additional access to specific files in the company's internal network as vendors and suppliers do. Therefore, D should be the answer.
A. It asks "Which of the following represents the MOST secure way to configure the new network segment?" The most secure way is to isolate the new network segment so that external users have absolutely no way to breach the internal networks. That is the MOST secure way.
Question lacks context for who exactly is accessing the FTP and web server. If they specified that the servers were for vendors, then obviously an extranet, but it seemed the question really wanted a DMZ environment and the VLAN served as said DMZ, isolated from internal and available for external use.
Consulted another 3 sources and all agree with:
A. The segment should be placed on a separate VLAN, and the firewall rules should be configured to allow external traffic.