Which of the following has been implemented when a host-based firewall on a legacy Linux system allows connections from only specific internal IP addresses?
A. Compensating control
The keyword in the question is "legacy". Suppose that you have a legacy Linux server which is not compatible with those network-based firewalls, routers and multi-layer switches, which is preventing you not just from building VLANs (network segmentation), but also from applying the white-listing ACL technique against malicious IP addresses. So, what you're going to do is use host-based firewalls as a compensation for network appliances to be able to accomplish a similar end result.
It is not mentioned that internal IP addresses have been separated from other network IP addresses, but that the host-based firewall is only allowed to communicate with, and protect, specific internal IP addresses. This would compensate for threats by mitigating possible attack surfaces that those internal addresses might be vulnerable to from OUTSIDE the network.
The correct answer is:
A. Compensating control
Explanation:
A compensating control is a security measure implemented to meet security requirements when the primary control is not feasible due to technical or business constraints. In this case, since the system is a legacy Linux system, it might not support modern security features like centralized firewall management. Instead, a host-based firewall is used to restrict access to specific internal IP addresses, serving as an alternative security control.
B. Network segmentation refers to dividing a network into separate segments to enhance security and performance, but it is not directly related to a host-based firewall rule.
C. Transfer of risk involves shifting risk to another entity, such as purchasing cybersecurity insurance, which is not relevant here.
D. SNMP traps are notifications sent from network devices for monitoring and alerting, which also do not apply in this context.
A. Compensating control
A compensating control is a security measure that is put in place to satisfy the requirements of a security policy or standard when the primary control cannot be implemented. In this case, the host-based firewall on a legacy Linux system allowing connections from only specific internal IP addresses serves as a compensating control to protect the system by limiting access to trusted sources.
Therefore, the correct answer is:
A. Compensating control
The implementation of a host-based firewall to restrict access is a compensating control because it mitigates the risks associated with potential vulnerabilities in a legacy system by providing an additional layer of protection.
In the context of the question, which involves a host-based firewall on a legacy Linux system allowing connections from only specific internal IP addresses, the primary goal is to enhance security by limiting access. This is a direct control measure rather than a compensating one. The firewall is not compensating for the inability to implement another control; it is the control itself, enforcing access restrictions based on IP addresses.
By configuring the firewall to only allow connections to specific IP addresses, it is segmenting its network.
B. Network segmentation.
Network segmentation involves dividing a computer network into smaller, isolated networks to improve security and reduce the impact of potential security breaches. By configuring the host-based firewall to allow connections only from specific internal IP addresses, the system is effectively segmenting the network to limit communication to authorized entities, thus enhancing security.
Options such as compensating control (A), transfer of risk (C), and SNMP traps (D) do not accurately describe the scenario of restricting connections to specific internal IP addresses through a host-based firewall.
Community vote distribution: A (35%), C (25%), B (20%), Other