I go with C. ChatGPT said first that B is the correct answer, but at the point I gave him HappyDay030303's answer he reassessed the answer and said I should go with C.
Thx HappyDay030303
In practice, you almost never find an independent network interface just for management of the hypervisor management traffic in a physical server. You usually send that traffic in a separate VLAN.
C. The management traffic pathway should have separate physical network interface cards (NIC) and network.
In specific virtualization and hypervisor security contexts, the use of separate physical network interface cards (pNICs) and network connections for the management traffic pathway can provide an additional layer of isolation and security.
C:
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-125b.pdf
Isolation of the hypervisor’s management network using virtual switches needs special configuration. In addition to dedicated virtual switches, the management traffic pathway should have separate pNICs and separate physical network connections.
C) The management traffic pathway should have separate physical network interface cards (NICs) and network.
The best way to protect hypervisor host administration functions is to physically separate management traffic from production traffic. This is achieved by using dedicated NICs and networks for management connections to the hypervisor.
A) Host firewalls help but do not provide physical separation.
B) Virtual network segmentation only provides logical separation.
D) VM permissions only control individual VMs, not overall hypervisor access.
By assigning hypervisor/host management to distinct NICs and networks, the management pathway is isolated from production VM traffic. This physical air gap limits attack surface and access from production workloads to the privileged hypervisor administration plane. It provides strong protection aligned to the principle of least privilege.
B. Deploy the management interface in a dedicated virtual network segment.
The best way to achieve protection for hypervisor host and software administration functions is by deploying the management interface in a dedicated virtual network segment. This practice isolates the management traffic from other network traffic, reducing the attack surface and improving security. This dedicated network segment should be appropriately segmented and isolated from other segments to prevent unauthorized access and potential attacks on the hypervisor host and management functions.
C - The management traffic pathway should have separate physical network interface cards (NIC) and network.