Exam CAS-004 topic 1 question 320 discussion

Actual exam question from CompTIA's CAS-004
Question #: 320
Topic #: 1

A company has instituted a new policy in which all outbound traffic must go over TCP ports 80 and 443 for all its managed mobile devices. No other IP traffic is allowed to be initiated from a device. Which of the following should the organization consider implementing to ensure internet access continues without interruption?

  • A. CYOD
  • B. MDM
  • C. WPA3
  • D. DoH
Suggested Answer: B 🗳️

Comments

ThatGuyOverThere
Highly Voted 1 year, 1 month ago
Selected Answer: D
The answer is D. If you are only allowing traffic over 80 and 443, then standard DNS over port 53 will break. You therefore must implement DoH to ensure DNS goes over HTTPS and therefore port 443.
upvoted 7 times
Anarckii
11 months, 3 weeks ago
But this only allows DNS outbound traffic over HTTPS/443. What about port 80, as the question states ALL traffic needs to go over TCP port 80 and 443?
upvoted 1 times
...
...
Uncle_Lucifer
Highly Voted 1 year, 3 months ago
Selected Answer: B
MDM. DoH only uses HTTPS. No use of HTTP
upvoted 6 times
...
deeden
Most Recent 1 day, 1 hour ago
Selected Answer: D
Agree with D. Implement a DoH-compatible DNS server and use MDM to push the configuration update to mobile devices.
upvoted 1 times
...
Bright07
3 months, 2 weeks ago
ANS is B. Mobile Device Management (MDM). It allows administrators to enforce security policies and network configurations on managed devices. By using MDM, the organization can configure the devices to ensure that all network traffic adheres to the required ports (80 and 443) and handle exceptions or adjustments needed for applications that require internet access. MDM can also help with deploying necessary updates and monitoring compliance with the new policy. However, DoH (DNS over HTTPS): This is a protocol for encrypting DNS queries to enhance privacy and security. While DoH can be part of a broader security strategy, it does not directly manage or restrict outbound traffic to specific ports like 80 and 443. Therefore, MDM is the appropriate solution to manage and enforce the new traffic policy effectively.
upvoted 2 times
...
icecool2019
6 months ago
Selected Answer: D
Implementing DoH on mobile devices can be done through dedicated apps or manual settings on the device itself. For enterprises, using MDM to centrally configure and enforce DoH ensures compliance with security policies and simplifies the management process. This approach secures DNS queries by encrypting them and ensures they adhere to the network restrictions, providing enhanced security and privacy for mobile users.
upvoted 2 times
...
e4af987
8 months, 2 weeks ago
Selected Answer: D
It's D since the devices are already managed. This rules out MDM.
upvoted 1 times
...
Trap_D0_r
11 months, 2 weeks ago
Selected Answer: B
Hey Guys, Maybe try not to out-clever yourself into the wrong answer. The question asks how to restrict traffic to 80/443 on mobile devices--without an ACL on the network, the ONLY answer here is MDM. "Oh, wait, but what about all those DNS queries?!" That's an obvious red herring. MOST DNS queries are routed through a local proxy or simply through the gateway (It's not uncommon--and I've set up many times--DNS forwarding through the local gateway. i.e. to your device, its gateway is its DNS server, which would mean that you're making port 53 calls LOCALLY and the gateway is either calling a local DNS or just going to 8.8.8.8 or whatever because it's not a mobile device and has no restriction). Without MDM on the devices, what's to stop you from installing some telnet software and opening a port home, or hitting up an old school FTP server for a new game? The only thing that can place a restriction that even comes close to meeting the question requirements is MDM in this scenario.
upvoted 3 times
...
Anarckii
11 months, 3 weeks ago
Selected Answer: D
Changing answer to D. DoH (DNS over HTTPS)

DoH (DNS over HTTPS) - Option D: DoH allows DNS resolution over HTTPS, and while it doesn't directly control outbound traffic ports, it is relevant for ensuring secure DNS queries. In a scenario where all outbound traffic must go over TCP ports 80 and 443, using DoH ensures that DNS queries can be securely resolved over these ports, aligning with the policy.

MDM (Mobile Device Management) - Option B: MDM solutions provide centralized control and management of mobile devices, but they may not directly enforce restrictions on outbound traffic based on specific ports.

Source: ChatGPT
upvoted 3 times
...
Anarckii
12 months ago
Selected Answer: B
In the scenario provided, the organization is concerned about controlling outbound traffic and limiting it to specific TCP ports
upvoted 2 times
...
OdinAtlasSteel
1 year, 1 month ago
Selected Answer: D
D. DoH (DNS over HTTPS). DNS over HTTPS (DoH) allows DNS queries to be sent over the standard HTTPS port (443). By implementing DoH, the organization can ensure that DNS queries from mobile devices are tunneled over the secure port 443, complying with the policy, while maintaining internet access. This ensures that DNS requests do not violate the policy even when using different ports for DNS queries. The other options mentioned (CYOD, MDM, and WPA3) do not directly address the specific requirement of enforcing traffic over TCP ports 80 and 443 while allowing internet access.
upvoted 1 times
...
Brianny93
1 year, 2 months ago
Selected Answer: B
DoH: DNS requests are tunneled with TLS traffic
upvoted 3 times
...
Ariel235788
1 year, 2 months ago
Selected Answer: D
D. DoH Implementing DNS over HTTPS (DoH) can help ensure internet access continues without interruption while enforcing a policy in which all outbound traffic must go over TCP ports 80 and 443. DoH encrypts DNS queries, allowing devices to resolve domain names over HTTPS, typically using port 443. This means that DNS traffic, which would normally use UDP or TCP port 53, can be routed over port 443 without violating the policy.
upvoted 2 times
...
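As an added example (not part of any comment in this thread and not CompTIA material), the sketch below checks the two DNS transports discussed here against the question's egress policy and builds the RFC 8484 DoH GET URL for a lookup. The endpoint `doh.example.net` is a placeholder and the function names are assumptions made for illustration.

```python
import base64
import struct

# Policy from the question: devices may only initiate TCP 80 and TCP 443.
ALLOWED_EGRESS = {("tcp", 80), ("tcp", 443)}

# Hypothetical DoH endpoint (placeholder, not a real resolver).
DOH_ENDPOINT = "https://doh.example.net/dns-query"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Encode a one-question DNS query in RFC 1035 wire format."""
    # ID=0 (RFC 8484 recommends 0 for HTTP cache friendliness),
    # flags=0x0100 (recursion desired), QDCOUNT=1, other counts 0.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    # QTYPE (1 = A record) and QCLASS (1 = IN)
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """Wrap a wire-format query as an RFC 8484 GET URL (base64url, unpadded)."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def egress_allowed(proto: str, port: int) -> bool:
    """True if a device-initiated flow matches the TCP 80/443-only policy."""
    return (proto.lower(), port) in ALLOWED_EGRESS


def resolution_paths(name: str) -> dict:
    """Show which DNS transports survive the policy for one lookup."""
    return {
        "classic DNS over udp/53": egress_allowed("udp", 53),
        "classic DNS over tcp/53": egress_allowed("tcp", 53),
        "DoH over tcp/443": egress_allowed("tcp", 443),
        "doh_url": doh_get_url(build_dns_query(name)),
    }


if __name__ == "__main__":
    for path, result in resolution_paths("www.example.com").items():
        print(f"{path}: {result}")
```

The same wire-format query that would be blocked on port 53 is carried inside an HTTPS request (media type `application/dns-message`), so the only flow the device initiates is TCP 443.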
CXSSP
1 year, 3 months ago
Selected Answer: B
B. MDM (Mobile Device Management)

Mobile Device Management (MDM) is a solution that allows organizations to manage and enforce policies on mobile devices. In this scenario, where the company wants to restrict outbound traffic to specific TCP ports (80 and 443), MDM would be the most suitable option. Here's why:

Policy Enforcement: MDM solutions can enforce policies on managed mobile devices, including network access policies. It can ensure that all outbound traffic goes over the specified ports (80 and 443) and block other traffic.
upvoted 4 times
...