
Exam CAS-003 topic 1 question 79 discussion

Actual exam question from CompTIA's CAS-003
Question #: 79
Topic #: 1

SIMULATION
Compliance with company policy requires a quarterly review of firewall rules. You are asked to conduct a review on the internal firewall sitting between several internal networks. The intent of this firewall is to make traffic more secure. Given the following information, perform the tasks listed below:

Untrusted zone: 0.0.0.0/0
User zone: USR 10.1.1.0/24
User zone: USR2 10.1.2.0/24
DB zone: 10.1.4.0/24
Web application zone: 10.1.5.0/24
Management zone: 10.1.10.0/24

Web server: 10.1.5.50
MS-SQL server: 10.1.4.70
MGMT platform: 10.1.10.250

Instructions: To perform the necessary tasks, please modify the DST port, SRC zone, Protocol, Action, and/or Rule Order columns. Type ANY to include all ports.
Firewall ACLs are read from the top down. Once you have met the simulation requirements, click Save. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

Task 1) A rule was added to prevent the management platform from accessing the internet. This rule is not working. Identify the rule and correct this issue.
Task 2) The firewall must be configured so that the SQL server can only receive requests from the web server.
Task 3) The web server must be able to receive unencrypted requests from hosts inside and outside the corporate network.
Task 4) Ensure the final rule is an explicit deny.
Task 5) Currently the user zone can access internet websites over an unencrypted protocol. Modify a rule so that user access to websites is over secure protocols only.

Suggested Answer: Please see the explanation below
Task 1: A rule was added to prevent the management platform from accessing the internet. This rule is not working. Identify the rule and correct this issue.
In Rule no. 1 edit the Action to Deny to block internet access from the management platform.

Task 2: The firewall must be configured so that the SQL server can only receive requests from the web server.
In Rule no. 6 from top, edit the Action to be Permit.

Task 3: The web server must be able to receive unencrypted requests from hosts inside and outside the corporate network.
In rule no. 5 from top, change the DST port to Any from 80 to allow all unencrypted traffic.

Task 4: Ensure the final rule is an explicit deny.
Enter this at the bottom of the access list, i.e. the line at the bottom of the rule:

Task 5: Currently the user zone can access internet websites over an unencrypted protocol. Modify a rule so that user access to websites is over secure protocols only.
In Rule number 4 from top, edit the DST port to 443 from 80.
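The simulation's own rule table is not reproduced on this page, so the following is an added example, not the exam's answer or the site's suggested answer: a small top-down, first-match ACL evaluator with two constructed rule sets, one "before" the review (the management deny shadowed by a broader permit above it, the web-to-SQL rule on the wrong protocol and action, users allowed out on port 80, the web server reachable only from outside, and no explicit final deny) and one "after" that satisfies all five tasks. The audit turns each task into concrete flows the rule set must permit or deny, which is the check a reviewer would want regardless of which rule number the simulation used. The test hosts 10.1.1.25 and 203.0.113.10 are constructed; the zones and servers are the ones given in the question.

```python
"""Top-down, first-match ACL evaluator used to check a firewall rule set against the
five simulation tasks. Added example, not code from the exam or the page; BEFORE and
AFTER are constructed rule tables, since the simulation's own table is not on the page."""
import ipaddress
from typing import NamedTuple, Union

ANY = "ANY"

# Zones and hosts as given in the question; 0.0.0.0/0 is the untrusted catch-all.
ZONES = {
    "UNTRUST": ipaddress.ip_network("0.0.0.0/0"),
    "USR": ipaddress.ip_network("10.1.1.0/24"),
    "USR2": ipaddress.ip_network("10.1.2.0/24"),
    "DB": ipaddress.ip_network("10.1.4.0/24"),
    "WEBAPP": ipaddress.ip_network("10.1.5.0/24"),
    "MGMT": ipaddress.ip_network("10.1.10.0/24"),
}
WEB_SERVER, SQL_SERVER, MGMT_PLATFORM = "10.1.5.50", "10.1.4.70", "10.1.10.250"
# Constructed test hosts (not from the page): a user workstation and an internet host.
USER_HOST, INTERNET_HOST = "10.1.1.25", "203.0.113.10"


class Rule(NamedTuple):
    src_zone: str              # zone name or ANY
    dst_zone: str
    src: str                   # host address or ANY
    dst: str
    protocol: str              # TCP, UDP, or IP (IP matches any protocol)
    dst_port: Union[int, str]  # port number or ANY
    action: str                # PERMIT or DENY


def zone_of(ip: str) -> str:
    """Longest-prefix zone lookup, so 10.1.1.25 classifies as USR rather than UNTRUST."""
    addr = ipaddress.ip_address(ip)
    name, _ = max(((n, net) for n, net in ZONES.items() if addr in net),
                  key=lambda item: item[1].prefixlen)
    return name


def matches(rule: Rule, src: str, dst: str, protocol: str, port: int) -> bool:
    return (rule.src_zone in (ANY, zone_of(src))
            and rule.dst_zone in (ANY, zone_of(dst))
            and rule.src in (ANY, src)
            and rule.dst in (ANY, dst)
            and rule.protocol in ("IP", protocol)
            and rule.dst_port in (ANY, port))


def evaluate(rules, src: str, dst: str, protocol: str, port: int) -> str:
    """ACLs are read top down: the first matching rule decides; no match is an implicit deny."""
    for rule in rules:
        if matches(rule, src, dst, protocol, port):
            return rule.action
    return "DENY"


# Constructed "before" table. The MGMT deny in row 2 is shadowed by the broader permit
# in row 1, which is one way a rule that "was added" can end up not working.
BEFORE = [
    Rule("MGMT", "UNTRUST", ANY, ANY, "IP", ANY, "PERMIT"),
    Rule("MGMT", "UNTRUST", MGMT_PLATFORM, ANY, "IP", ANY, "DENY"),
    Rule("WEBAPP", "DB", WEB_SERVER, SQL_SERVER, "UDP", 1433, "DENY"),
    Rule("USR", "UNTRUST", ANY, ANY, "TCP", 80, "PERMIT"),
    Rule("UNTRUST", "WEBAPP", ANY, WEB_SERVER, "TCP", 80, "PERMIT"),
]

# Constructed "after" table that satisfies tasks 1 to 5 under first-match semantics.
AFTER = [
    Rule("MGMT", "UNTRUST", MGMT_PLATFORM, ANY, "IP", ANY, "DENY"),      # task 1
    Rule("WEBAPP", "DB", WEB_SERVER, SQL_SERVER, "TCP", 1433, "PERMIT"),  # task 2
    Rule(ANY, "WEBAPP", ANY, WEB_SERVER, "TCP", 80, "PERMIT"),           # task 3
    Rule("USR", "UNTRUST", ANY, ANY, "TCP", 443, "PERMIT"),              # task 5
    Rule(ANY, ANY, ANY, ANY, "IP", ANY, "DENY"),                         # task 4
]


def audit(rules) -> dict:
    """One boolean per task; each check is a concrete flow the rules must permit or deny."""
    def permit(s, d, p, port):
        return evaluate(rules, s, d, p, port) == "PERMIT"

    def deny(s, d, p, port):
        return evaluate(rules, s, d, p, port) == "DENY"

    return {
        "task1_mgmt_no_internet": deny(MGMT_PLATFORM, INTERNET_HOST, "TCP", 443)
                                  and deny(MGMT_PLATFORM, INTERNET_HOST, "TCP", 80),
        "task2_sql_only_from_web": permit(WEB_SERVER, SQL_SERVER, "TCP", 1433)
                                   and all(deny(h, SQL_SERVER, "TCP", 1433)
                                           for h in (USER_HOST, MGMT_PLATFORM, INTERNET_HOST)),
        "task3_web_http_from_anywhere": permit(USER_HOST, WEB_SERVER, "TCP", 80)
                                        and permit(INTERNET_HOST, WEB_SERVER, "TCP", 80),
        "task4_final_explicit_deny": rules[-1] == Rule(ANY, ANY, ANY, ANY, "IP", ANY, "DENY"),
        "task5_users_https_only": permit(USER_HOST, INTERNET_HOST, "TCP", 443)
                                  and deny(USER_HOST, INTERNET_HOST, "TCP", 80),
    }


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, {k: "pass" if v else "FAIL" for k, v in audit(rules).items()})
```

Running the script prints every task as FAIL for BEFORE and pass for AFTER. The flow-based checks are deliberately stricter than "rule 5 has port ANY": task 3 only needs port 80 open to any source zone, and task 2 is satisfied by the web-to-SQL permit plus the final deny, without opening the SQL server to anything else.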

Comments

D1960
3 years, 10 months ago
Task 1: Edit rule 1 to be SRC ZONE MGT, DST Zone Untrust, Action DENY
Task 2: Change rule 2 to be a PERMIT
Task 3: Change rule 5 SRC Zone to ANY
Task 4: Move rule 3 down to the bottom of the list, change protocol to IP and action to DENY.
Task 5: (Original rule 4) Change destination port from 80 to 443 on USER Zone rule
https://vceguide.com/when-you-have-completed-the-simulation-please-select-the-done-button-to-submit-once-the-simulation-is-submitted-please-select-the-next-button-to-continue/#comment-68480
upvoted 2 times
D1960
3 years, 11 months ago
Task 2) The firewall must be configured so that the SQL server can only receive requests from the web server.
Should line 2 have protocol changed from UDP to ANY? Should line 2 be moved below line 6? The way the firewalls seem to work is: you put the DENY at the bottom, and it seems to mean "unless otherwise noted above." Permit the WEBAPP to send requests to the DB using ANY protocol. Then DENY anything else from sending requests to the DB.
upvoted 1 times
D1960
4 years, 4 months ago
> Task 3) The web server must be able to receive unencrypted requests from hosts inside and outside the corporate network.
> In rule no. 5 from top, change the DST port to Any from 80 to allow all unencrypted traffic.

Why not just leave the port set to 80? A webserver does not have to receive traffic on *any* port to be able to receive unencrypted traffic. Just using port 80 should be fine. Port 80 is usually where web hosts receive unencrypted traffic.
upvoted 1 times
D1960
3 years, 11 months ago
Should the web server have every port open to every untrusted source in the world?
upvoted 1 times
D1960
4 years ago
In fact, should the web server receive unencrypted traffic on port 443?
upvoted 1 times
D1960
4 years, 4 months ago
> Task 4: Ensure the final rule is an explicit deny
> Enter this at the bottom of the access list i.e. the line at the bottom of the rule:

Is this the only rule that needs to be moved?
upvoted 1 times
D1960
4 years, 4 months ago
> Task 2: The firewall must be configured so that the SQL server can only receive requests from the web server.
> In Rule no. 6 from top, edit the Action to be Permit.

This seems to be backwards. The DB SRC is 10.1.4.70, the WEBAPP DST is 10.1.5.50. This seems to be configured so the SQL server can only *send* requests *to* the web server, not receive requests from the web server.
upvoted 4 times
D1960
3 years, 11 months ago
Maybe: In Rule no. 2 from the top, edit Action to Permit? It is the WEBAPP that is supposed to contact the DB, not the other way around.
upvoted 1 times
D1960
3 years, 11 months ago
Also change Protocol from UDP to TCP.
upvoted 1 times