Exam CAS-004 topic 1 question 49 discussion

To meet the requirements, the network architect should implement the following solutions: DoS protection at the hub site: To ensure the network supports core applications with 99.99% uptime, the network architect should implement DoS (denial of service) protection at the hub site. This can help to prevent DoS attacks, which can disrupt the availability of the network and its applications. Mutual certificate authentication: To ensure that configuration updates to the SD-WAN routers can only be initiated from the management service, the network architect should implement mutual certificate authentication. This involves requiring the management service to present a valid certificate before it can initiate configuration updates, and requiring the SD-WAN routers to present a valid certificate before they can accept updates. Cloud proxy: To ensure that documents downloaded from websites are scanned for malware, the network architect should implement a cloud proxy. A cloud proxy is a security service that is hosted in the cloud and can be used to inspect traffic for malware and other threats before it reaches the network.

I'm leaning towards C. Any thoughts? 1. "applications that have 99.99% uptime" = DoS protection 3. "must be scanned for malware" = Cloud Proxy (Ex: zscaler)

ANS C. DoS protection at the hub site: This solution helps to prevent and mitigate Denial of Service (DoS) attacks, ensuring that the network remains available and responsive. - Mutual certificate authentication: This solution enhances security by requiring both parties (client and server) to authenticate each other using digital certificates, ensuring secure communication. - Cloud proxy: A cloud proxy acts as an intermediary between users and the internet, providing additional security measures such as content filtering, threat detection, and data loss prevention. Together, these solutions provide a comprehensive approach to network security, protecting against various threats and ensuring secure and reliable communication.

we are talking about a SaaS model. Cloud proxy even should prove that C is the answer. Nothing else in the answer helps what so ever with the scenario

C Meets all of the requirements Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

I believe the answer is C

c is the correct answer

Option A (reverse proxy, stateful firewalls, and VPNs at the local sites) does not include DoS protection or a cloud proxy, which are necessary to meet the requirements. Option B (IDSs, WAFs, and forward proxy IDS) does not include mutual certificate authentication or a cloud proxy, which are necessary to meet the requirements. Option D (IPSs at the hub, Layer 4 firewalls, and DLP) does not include DoS protection or mutual certificate authentication, which are necessary to meet the requirements. Overall, the network architect should implement DoS protection at the hub site, mutual certificate authentication, and a cloud proxy to meet the requirements.

Answer B: IDS can support applications that have an up time of 99% since no prevention is happening. WAF will scan documents for malware and stop them from being downloaded if malware is detected. {The hub is then responsible for redirecting traffic to public cloud and datacenter applications} can be handled by Proxy IDS answer B doesn't really handle {2. The hub is then responsible for redirecting traffic to public cloud and datacenter applications.} but it is still the best option Nevertheless, answer B is still the one that makes more sense compared to D which relies on IPS for preventing everything suspicious which goes against 99% availability and DLP has nothing to do with requirements 1, 2 and 3

D is the correct answer as we need DLP and IPS for SDWAN to fulfill the requirements.

99.99 Availability so IDS over IPS when it comes to that requirement and other options seem less secured to me than IDS or IPS. WAFs since it will need react to specific application traffic from management service. Forward proxy to an IDS allow any download connection to be proxy and scan properly prior to download with an IDS. Yeah B is the best answer

As someone who works extensively with DLP it has nothing to do with downloading documents. The DLP solutions I've mainly used block data from being transferred from system to system using say a flash drive. A forward proxy will block certain sites which would help with that more I think.

I will select B: Documents downloaded from websites must be scanned for malware.An (IDS) is a monitoring system that detects suspicious activities and generates alerts when they are detected https://www.checkpoint.com/cyber-hub/network-security/what-is-an-intrusion-detection-system-ids/

Answer is D. IPSs prevent malwares

Any thoughts about this? I think that it is D.