A database administrator contacts a security administrator to request firewall changes for a
connection to a new internal application. The security administrator notices that the new
application uses a port typically monopolized by a virus. The security administrator denies the
request and suggests a new port or service be used to complete the application’s task. Which of
the following is the security administrator practicing in this example?

A. Explicit deny
B. Port security
C. Access control lists
D. Implicit deny
Explanation:
Traffic that comes into the router is compared to ACL entries based on the order that the entries
occur in the router. New statements are added to the end of the list. The router continues to look
until it has a match. If no matches are found when the router reaches the end of the list, the traffic
is denied. For this reason, you should have the frequently hit entries at the top of the list. There is
an implied deny for traffic that is not permitted.
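The first-match evaluation described in this explanation, as an added example that is not part of the original page. It separates a deny that matched a written entry from the implied deny at the end of the list. The rule set, addresses and port numbers are constructed placeholders; the page names no port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network, CIDR notation
    dport: Optional[int]  # destination port; None matches any port

    def matches(self, src_ip: str, dport: int) -> bool:
        in_net = ip_address(src_ip) in ip_network(self.src)
        return in_net and self.dport in (None, dport)


def evaluate(acl: List[Rule], src_ip: str, dport: int) -> Tuple[str, Optional[int]]:
    """Walk the list top-down and stop at the first matching entry.

    Returns (decision, index of the matching entry); the index is None when
    the end of the list is reached and the implicit deny applies.
    """
    for index, rule in enumerate(acl):
        if rule.matches(src_ip, dport):
            decision = "permit" if rule.action == "permit" else "explicit deny"
            return decision, index
    return "implicit deny", None


# Constructed rule set: all addresses and ports are placeholders.
BLOCKED_PORT = 9999  # stands in for the "virus" port; the page names no number
ACL = [
    Rule("deny", "0.0.0.0/0", BLOCKED_PORT),  # written by the administrator
    Rule("permit", "10.0.5.0/24", 1433),      # database subnet to the application
    Rule("permit", "10.0.0.0/8", 443),
]

if __name__ == "__main__":
    for port in (BLOCKED_PORT, 1433, 8080):
        print(port, evaluate(ACL, "10.0.5.20", port))
    # A permit appended to the end never fires: the earlier deny matches first.
    appended = ACL + [Rule("permit", "10.0.5.0/24", BLOCKED_PORT)]
    print(evaluate(appended, "10.0.5.20", BLOCKED_PORT))
```

Because new statements go to the end of the list, the appended permit for the blocked port is never reached; the earlier deny entry has to be changed or removed before that traffic can pass.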
This question does not make sense. “Security Admin” denies the request so he is not practicing anything.

Yeah, it doesn’t make sense. Also, this person was denying an application that uses a port typically monopolized by a virus and is requesting and suggesting a new port or service be used to complete the application’s task… that all sounds like answer B to me. He is practicing good port security measures. Please anyone correct me if I’m wrong and explain.

Port security fundamentally is done when the device is brought into the network. In terms of operations of routing and accesses, ACL is always the option for change.

It is Implicit deny. The internal app hits an implicit deny and the admin needs to check which port is accessed by that app.

captcaveman
September 20, 2017 at 11:20 am
Screw this question, the answer is A.
The point of the question isn’t about a new application, but moreover, the potential of the virus to propagate through the port the security administrator has previously blocked. If the requested port is opened for the database application, then the port could also be used by the virus. The security administrator doesn’t want that to happen so a different port for the database application has been suggested. The virus port remains EXPLICITLY denied.

Another example of a very badly written question. The only purpose these questions seem to have is to make us aware that there is a level of incongruence to be expected at the exam.
The question at hand should not read “Which of the following is the security administrator ‘practicing’”.
It should read “Which of the following is the security administrator ‘using’”.
As pointed out, the “Security Admin” denies the request so he is not practicing anything.
ACL is not a “practice” as such, nor are any of the other answers for that matter.
So we have a “new internal application” requiring a “firewall change”. It seems then to be a form of a web app.
A request to open a certain port is required. This request is denied by the security administrator based on his findings.
Now for the answers:
A– Explicit deny
CCNA and Network+ exams have the following definitions
• Implicit Denies are Automatically set by the System, such as a Firewall, this is sort of a “Catch All, Safety Net” that forces the Security Administrator to allow traffic that they need while Implicitly Denying/blocking everything else.
• Explicit Allow/Deny, is when the Security Administrator Manually tells a System to Deny Access to a user, process, resources.
• Implicit Deny and Explicit Deny are literal terms. ACLs are not just firewall related, there is an ACL for every folder/file on a file server for example. In a Windows domain, those ACLs represent an Implicit Deny, you have to be on the list to access it, if you don’t fall into a category then you are denied.
So we know that
(a) There is no implicit deny set in place as far as we know
(b) That the security administrator decided to deny the request = explicit deny
(c) And that both Explicit Allow/Deny are an integral part of the ACL
So I side with Robert on this one on two levels:
1) Screw this question
2) The best answer is “A- Explicit deny”