View the diagram. What is the most restrictive, yet fully functional rule, to allow general Internet and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IOT/Guest and Trust Zones? A. B. C. D.
The answer is B.
A is incorrect - no Internet access; the DST addresses are too strictly defined.
C is incorrect - the SRC and DST addresses do not correspond to the zones.
D is incorrect - the SRC address does not match the SRC zone.
The correct answer is A.
Requirement: Restrictive but Functional Rule
- The rule must allow only general Internet (web browsing) and SSH traffic from the IOT/Guest and Trust Zones to the DMZ and Untrust Zones.
- It must also limit access to only necessary zones and services to be restrictive while remaining functional.
Why A Works:
- Source Zone: The source zones (IOT-Guest and Trust) are correctly specified to allow traffic from those zones.
- Source Address: The source addresses (172.16.16.0/24 and 192.168.0.0/24) match the subnets for devices in the IOT/Guest and Trust Zones.
- Destination Zone: The destination zones are limited to DMZ and Untrust, which are the only zones allowed to receive the traffic.
- Destination Address: The destination addresses (1.1.1.0/24 for Untrust and 10.0.1.0/24 for DMZ) are correctly specified.
- Application: It explicitly allows only SSH and web-browsing, which meets the requirement for Internet and SSH traffic.
- Restrictive and Functional: It does not allow unnecessary traffic, making it restrictive yet functional.
Please fix this. C has the wrong source subnet IP address for Trust. It is wrong.
The only possible answer is B. A only allows traffic to 1.1.1.0/24 instead of all Internet, which would be correct if we use NAT policy, but the question does not mention NAT.
I think answer B is good but not restrictive; however, A could be a better choice as it is more restrictive. If we allow it to the destination address of 1.1.1.0/24 using the services SSL, SSH and web-browsing, will it be able to use the Internet? If this is a yes, then A would be the best answer; if not, it's going to have to be B. Please respond, anyone.
C has the wrong address and mask (/12) for the source zones. B does not specify the destination address, so it is functional but not restrictive. A is the answer because it restricts to only the shown subnets.
The answer is A because the question is asking for the most restrictive means to access the DMZ and untrust zones from the Guest and Trust zones. In answer A, the rule restricts access to the destination IP address subnet ranges of the DMZ and Untrust zone destination addresses, whereas answer B pretty much says you can connect to any address in the DMZ and Untrust subnets. A is the correct answer.
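The thread turns on what each candidate rule would actually match: a rule whose destination address is pinned to 1.1.1.0/24 and 10.0.1.0/24 versus one whose destination address is left as any. The answer choices themselves are not reproduced on this page, so the following is an added illustration, not part of any post above and not Palo Alto's own policy engine: a small 5-tuple-style matcher that models rules "A" and "B" as the commenters describe them (zones, source subnets 172.16.16.0/24 and 192.168.0.0/24, applications ssh/web-browsing/ssl) and evaluates constructed sample flows against both. The flow to 198.51.100.20 stands in for an arbitrary Internet host and is the case the commenters disagree about.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"  # stands in for an "any" address object in the rule


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset
    src_nets: object   # frozenset of ip_network, or ANY
    to_zones: frozenset
    dst_nets: object   # frozenset of ip_network, or ANY
    apps: frozenset


@dataclass(frozen=True)
class Flow:
    from_zone: str
    src: str
    to_zone: str
    dst: str
    app: str


def _addr_in(addr, nets):
    """True if addr falls inside any network in nets, or nets is ANY."""
    if nets == ANY:
        return True
    ip = ip_address(addr)
    return any(ip in net for net in nets)


def matches(rule, flow):
    """Evaluate every field of the rule against the flow (zone, address, app)."""
    return (
        flow.from_zone in rule.from_zones
        and _addr_in(flow.src, rule.src_nets)
        and flow.to_zone in rule.to_zones
        and _addr_in(flow.dst, rule.dst_nets)
        and flow.app in rule.apps
    )


def evaluate(rules, flows):
    """Map each rule name to a list of match results, one per flow, in order."""
    return {rule.name: [matches(rule, flow) for flow in flows] for rule in rules}


# Assumed rule contents, reconstructed from the commenters' descriptions.
_SRC = frozenset({ip_network("172.16.16.0/24"), ip_network("192.168.0.0/24")})
_APPS = frozenset({"ssh", "web-browsing", "ssl"})

RULE_A = Rule(
    "A", frozenset({"IOT-Guest", "Trust"}), _SRC,
    frozenset({"DMZ", "Untrust"}),
    frozenset({ip_network("1.1.1.0/24"), ip_network("10.0.1.0/24")}),
    _APPS,
)
# "B" is the same rule with the destination address left as any.
RULE_B = Rule("B", RULE_A.from_zones, _SRC, RULE_A.to_zones, ANY, _APPS)

# Constructed sample flows (documentation addresses for the Internet hosts).
FLOWS = [
    Flow("Trust", "192.168.0.10", "Untrust", "1.1.1.1", "web-browsing"),        # inside 1.1.1.0/24
    Flow("Trust", "192.168.0.10", "Untrust", "198.51.100.20", "web-browsing"),  # arbitrary Internet host
    Flow("IOT-Guest", "172.16.16.5", "DMZ", "10.0.1.20", "ssh"),               # guest to DMZ over SSH
    Flow("Trust", "192.168.0.10", "DMZ", "10.0.1.20", "smtp"),                 # app not in the rule
    Flow("Untrust", "203.0.113.7", "Trust", "192.168.0.10", "ssh"),            # wrong direction
]


def general_internet_allowed(rule):
    """Does the rule permit web traffic from Trust to a host outside 1.1.1.0/24?"""
    return matches(rule, FLOWS[1])


if __name__ == "__main__":
    for name, verdicts in evaluate([RULE_A, RULE_B], FLOWS).items():
        print(name, verdicts)
```

Running it shows the two rules agreeing on every flow except the second: the rule with destination addresses pinned to the two drawn subnets only permits Internet traffic to 1.1.1.0/24, while the rule with destination any permits any Untrust host. Both still reject the wrong application and the reversed direction, which is why the thread frames the choice as restrictiveness versus functionality rather than correctness.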