Exam Professional Cloud Security Engineer topic 1 question 292 discussion

You need NGFW.

Google Cloud's Cloud Next Generation Firewall (NGFW) Enterprise includes TLS inspection capabilities, which allow you to decrypt and inspect encrypted traffic for threats before it reaches your web application. This is essential for protecting against malware and other threats embedded in encrypted traffic. A hierarchical firewall policy allows you to enforce firewall rules at the organization or folder level, ensuring consistent security policies across multiple projects. Why Not the Other Options? A. Secure Web Proxy + Load Balancer Google Cloud does not offer a native Secure Web Proxy with TLS interception for incoming traffic. Load balancers in Google Cloud do not provide deep TLS interception for security inspection.

Here’s why: Secure Web Proxy is specifically designed to provide advanced security measures, including TLS interception. It allows you to offload the TLS traffic from the load balancer, inspect it for threats, and then forward it to your web application. This method ensures that incoming traffic is thoroughly inspected for malware and other threats before reaching your application, providing a secure environment.

C is the right answer, you cannot enable TLS inspection for a simple firewall rule. You would need to add it to a Hierarchical Policy or a Global Firewall policy.

https://cloud.google.com/firewall/docs/about-firewalls Cloud NGFW implements network and hierarchical firewall policies that can be attached to a resource hierarchy node. These policies provide a consistent firewall experience across the Google Cloud resource hierarchy.

https://cloud.google.com/secure-web-proxy/docs/tls-inspection-overview Secure Web Proxy provides a TLS inspection service that allows you to intercept, inspect, and enforce security policies on TLS traffic. This approach ensures that incoming traffic is thoroughly inspected for threats before reaching your application.

Why C is Correct: Hierarchical Firewall Policy: A hierarchical firewall policy allows you to enforce consistent firewall rules across an organization, folders, or projects. Configuring TLS interception within this policy ensures that all relevant traffic passing through the policy can be decrypted, inspected, and then forwarded. A. Configure Secure Web Proxy. Offload the TLS traffic in the load balancer, inspect the traffic, and forward the traffic to the web application. Secure Web Proxy is not designed to handle incoming traffic for web applications in Google Cloud; it is typically used for outbound traffic filtering. This approach would not address the requirement to protect incoming traffic with TLS interception.

https://cloud.google.com/firewall/docs/about-tls-inspection

Secure Web Proxy: This setup allows you to intercept and inspect TLS traffic securely. By configuring a Secure Web Proxy, you can manage incoming traffic more effectively and implement security measures against threats. TLS Offloading at the Load Balancer: By offloading TLS traffic at the load balancer, you can decrypt and inspect the traffic before forwarding it to your web application.

C is Correct

With the Enterprise tier we can intercept TLS traffic

B is correct. Secure Web Proxy is typically used for external traffic, not internal traffic from an on-premises network.

I think it's A.