Exam SY0-501 topic 1 question 747 discussion

Actual exam question from CompTIA's SY0-501
Question #: 747
Topic #: 1

A systems administrator has installed a new UTM that is capable of inspecting SSL/TLS traffic for malicious payloads. All inbound network traffic coming from the Internet and terminating on the company's secure web servers must be inspected. Which of the following configurations would BEST support this requirement?

  • A. The web servers' CA full certificate chain must be installed on the UTM.
  • B. The UTM certificate pair must be installed on the web servers.
  • C. The web servers' private certificate must be installed on the UTM.
  • D. The UTM and web servers must use the same certificate authority.
Suggested Answer: A

Comments

DERKOVITZ
Highly Voted 4 years, 7 months ago
One thing I find with these questions. When in doubt, choose 'A' if you need to go by luck. Most of the time I see 'A' pop up for stuff I don't know.
upvoted 7 times
carlo479
Highly Voted 4 years, 11 months ago
A is correct... In this the administrator of the system built the new UTM capable of reviewing the SSL / TLS flow for the suspicious payloads it see that the both inbound traffic flow originating from both the web and stopping on protected application server of the business. The full CA certificate sequence of web servers should be built on a UTM configuration will solve the problem.
upvoted 5 times
Teza
4 years, 11 months ago
Can someone please help explain what he is trying to say
upvoted 7 times
steven1
4 years, 11 months ago
Let me try to rephrase that: "The administrator of the system that installed the new UTM capable of reviewing the SSL / TLS flow for suspicious payloads sees that inbound traffic flow originating from the web is stopping on protected application server of the business. The full CA certificate sequence of web servers should be built on a UTM configuration and that will solve the problem." In other words, the root CA needs to be installed on UTM, not the other way around.
upvoted 5 times
YettiSpider
Most Recent 4 years, 2 months ago
I would say A since if the full certificate chain is installed on the UTM the UTM can decrypt, inspect then repackage, encrypt and send it along. The other answer like C. only talks about the private certificate being installed on the UTM. Option D where the CA has nothing to do with this process won't be the answer.
upvoted 2 times
JosePulickal
4 years, 7 months ago
In public-key cryptography the traffic is encrypted using a public key and traffic is decrypted using a private key. If the UTM needs to decrypt the traffic destined to the web server - it needs the web server's "PRIVATE KEY". I have experience working with reverse proxies and decryption/SSL offloading which is very similar to what is being attempted using UTM. Answer should be D.
upvoted 4 times
DookyBoots
4 years, 9 months ago
As far as I know, the full chain needs to be on servers to make sure they are trusted and valid. If the proper certificates or chain is not established, connections to these servers will not be trusted. SSL inspection requires a proxy or device to intercept and inspect traffic. (This is like a man in the middle attack, but for a positive use). The proxy DECRYPTS the SSL session, scans the content, and then repackages the SSL session and sends the transmission via an SSL tunnel.
upvoted 1 times
DookyBoots
4 years, 8 months ago
If private certificate translates into private key, then that is probably the answer. You must have a private key installed on an inspection device to decrypt the traffic for inspection.
upvoted 4 times
vaxakaw829
4 years, 11 months ago
Although none of the answers seemed right to me I am going with D according to this article: https://www.fastvue.co/sophos/blog/how-https-ssl-inspection-affects-logging-and-reporting-in-sophos-utm/ At "Deploying SSL Inspection with Sophos UTM" section it says that the UTM's certificate downloaded via device's admin interface must be both on the device and the Windows machine so that Windows machine can then trust any connection signed by your UTM.
upvoted 3 times
JacobCrane
4 years, 12 months ago
A makes no sense, how is the UTM going to decrypt the payload and inspect it unless it has the private certificate from the webserver? I am going with C.
upvoted 4 times
Computerguy
4 years, 2 months ago
I agree, the only way to decrypt is with the private key.
upvoted 2 times
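
The comments above turn on which certificate material the inspecting device holds: the web servers' chain, the private key, or both. As an added example (not part of the original thread), this script runs two checks an administrator can make on that material before loading it onto a TLS-terminating device: that a private key belongs to a certificate, and that the certificate verifies against the CA. The CA, host name and file names are constructed test values.

```shell
#!/usr/bin/env bash
# Added example: consistency checks on certificate material before it is
# loaded onto a TLS-terminating inspection device.
# Every subject and file name below is a constructed test value.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a constructed CA and server certificate so the checks run offline.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/srv.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/srv.crt" 2>/dev/null
  # An unrelated key, standing in for "wrong key uploaded to the device".
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
}

# Succeeds only if the private key corresponds to the certificate's public key.
# usage: key_matches_cert KEY CERT
key_matches_cert() {
  kmc_from_key=$(openssl pkey -in "$1" -pubout | openssl sha256)
  kmc_from_cert=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$kmc_from_key" = "$kmc_from_cert" ]
}

# Succeeds only if the certificate chains to the supplied CA bundle.
# usage: chain_verifies CA_BUNDLE CERT
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_pki
key_matches_cert "$WORK/srv.key" "$WORK/srv.crt" && echo "key/cert: match"
key_matches_cert "$WORK/other.key" "$WORK/srv.crt" || echo "key/cert: MISMATCH (other.key)"
chain_verifies "$WORK/ca.crt" "$WORK/srv.crt" && echo "chain: verifies to test CA"
```
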
Community vote distribution
A (35%)
C (25%)
B (20%)
Other