Exam CS0-003 topic 1 question 182 discussion

The use of a Web Application Firewall (WAF) can help mitigate the risk associated with the identified vulnerability. WAFs are specifically designed to protect web applications and servers from various attacks, including those that target specific ports or services. In this case, the WAF is likely to inspect and filter traffic on port 3389, reducing the likelihood of the identified vulnerability being exploited. While network firewalls play a role in securing the network perimeter, the WAF, being a specialized tool for web application security, is more directly relevant to the specific vulnerability associated with port 3389 on the web server. Therefore, the risk would decrease because a web application firewall is in place.

Port 3389 is used for Remote Desktop Protocol (RDP), which isn't typically something a Web Application Firewall (WAF) would protect against. A WAF primarily filters and monitors HTTP/HTTPS traffic, and RDP doesn't fall into this category. The fact that the host is external facing and the vulnerability is over an exposed service (like RDP) increases the overall risk because it could potentially be exploited from the internet. While firewalls might block RDP access, the mere presence of the vulnerability on an external-facing server increases risk, especially if the firewall rules or protections could be bypassed or misconfigured.

I worked with Cloud Armor which is GCP's WAF, you could do a lot L7 filtering with it, but under no circumstances could you block ports on it. Also, the question does not state the RDP is blocked by the firewall.

Correct Answer: B. The risk would decrease because RDP is blocked by the firewall Analysis: Blocking the port 3389 (used by Remote Desktop Protocol, RDP) on the firewall significantly reduces the risk associated with this vulnerability. Even though the web server is facing externally and protected by a Web Application Firewall (WAF), the specific control of blocking the RDP port prevents exploitation through that vector.

The answer is C with out a doubt

The firewall blocking port 3389 is surely better protection than the WAF, even if the WAF can mitigate the vulnerability isn't it better to just block the port entirely? The host being externally facing isn't as much of a problem anymore with the firewall active, I would say the overall risk decreases with the firewall, yes it does increase due to the host being externally facing but more importantly, the host is protected by a firewall.

I changed my mind to D after a bit of thought. If the web server is external-facing and has a vulnerability on port 3389 (which is related to RDP), D. The risk would increase because the host is external facing is a strong answer because it correctly identifies the heightened risk due to the server's exposure. C is generally not the best fit unless there's a specific reason to believe the WAF would protect against RDP-based vulnerabilities, which is unusual.

B. The risk would decrease because RDP is blocked by the firewall Explanation: Port 3389 is typically associated with Remote Desktop Protocol (RDP). If a vulnerability is identified that can be exploited over this port, the risk could be significant if the port is exposed. Web Application Firewalls (WAF): A WAF is primarily designed to protect web applications from common web-based attacks (like SQL injection, XSS, etc.). It does not generally protect non-web protocols like RDP, which uses port 3389. Network Firewalls: If the network firewall is configured to block port 3389 (RDP), then the risk associated with this vulnerability is significantly reduced because the vulnerable service would not be accessible externally.

I originally thought C because the wording of the question is tricky. The only answer that makes sense is that the risk would increase upon discovery of a new vulnerability. If the question said that a server which was found vulnerable to a vulnerability over 3389 and THEN a WAF was deployed as a compensating control, that would decrease the risk. However, that is not the case. This is a new vulnerability on an external facing device so the risk is increased.

If the scan can see RDP open and it's public facing as its stated on a "perimeter network" then the WAF isn't doing anything. If you leave ports open on any firewall it isn't going to stop the traffic.

As far as i know a WAF cant protect against RDP vulnerabilities

D. The risk would increase because the host is external facing This answer is more accurate because an external-facing host increases the likelihood of an attack. The presence of a WAF does not mitigate risks associated with non-web vulnerabilities such as those on port 3389. Therefore, the overall risk is higher due to the exposure of the host to the internet.

WAF don't necessarily protect against RDP vulnerabilities.

WAF is web application firewall however, vulnerability is found with 3389 i.e. RDP port which means the host is external facing and the risk would increase. Hence corrcet answer is D

With WAF protection, it will decrease the risk.

I agree with everyone saying option C

I also think the answer is C. The Web Application Firewall would decrease the overall risk of the vulnerability on the RDP 3389.