PrepAway - Latest Free Exam Questions & Answers

Which of the following is the security administrator practicing in this example?

A database administrator contacts a security administrator to request firewall changes for a connection to
a new internal application. The security administrator notices that the new application uses a port
typically monopolized by a virus. The security administrator denies the request and suggests a new port
or service be used to complete the application’s task. Which of the following is the security administrator
practicing in this example?

A.
Explicit deny

B.
Port security

C.
Access control lists

D.
Implicit deny

Explanation:
Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in
the router. New statements are added to the end of the list. The router continues to look until it has a
match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this
reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic
that is not permitted.
Incorrect Answers:
A: An explicit deny would block the application until it is added to the ACL.
B: Port security in IT can mean several things:
The physical control of all connection points, such as RJ-45 wall jacks or device ports, so that no
unauthorized users or unauthorized devices can attempt to connect into an open port.
The management of TCP and User Datagram Protocol (UDP) ports. If a service is active and assigned to a
port, then that port is open. All the other 65,535 ports (of TCP or UDP) are closed if a service isn’t actively
using them.
Port knocking is a security system in which all ports on a system appear closed. However, if the client
sends packets to a specific set of ports in a certain order, a bit like a secret knock, then the desired service
port becomes open and allows the client software to connect to the service.
C: Implicit deny is the default security stance that says if you aren’t specifically granted access or
privileges for a resource, you’re denied access by default.
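
The first-match ACL evaluation described in the explanation, reporting whether a packet was stopped by an explicit deny entry or by the implicit deny at the end of the list, as an added example that is not part of the original page. The `Entry` class, the `evaluate` and `shadowed` helpers, the addresses and port 9999 (standing in for the virus port, which the page does not name) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    src: str              # source network in CIDR form
    port: Optional[int]   # destination port; None means any port

    def matches(self, src_ip, dport):
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return in_net and (self.port is None or self.port == dport)

def evaluate(acl, src_ip, dport):
    """Walk the list top-down; the first matching entry decides."""
    for index, entry in enumerate(acl, start=1):
        if entry.matches(src_ip, dport):
            kind = "explicit deny" if entry.action == "deny" else "permit"
            return entry.action, f"{kind} (entry {index})"
    # Nothing matched: traffic that is not permitted is dropped by default.
    return "deny", "implicit deny (end of list)"

def shadowed(acl):
    """1-based positions of entries fully covered by an earlier entry."""
    hits = []
    for j, later in enumerate(acl):
        net_j = ipaddress.ip_network(later.src)
        for earlier in acl[:j]:
            covers_net = net_j.subnet_of(ipaddress.ip_network(earlier.src))
            covers_port = earlier.port is None or earlier.port == later.port
            if covers_net and covers_port:
                hits.append(j + 1)   # this entry can never be reached
                break
    return hits

# Constructed ACL: the virus-associated port is denied before any permit.
ACL = [
    Entry("deny", "0.0.0.0/0", 9999),
    Entry("permit", "10.0.5.0/24", 1433),
    Entry("permit", "10.0.0.0/8", 443),
]
# Constructed misordering: a broad permit placed above the deny.
MISORDERED = [
    Entry("permit", "10.0.0.0/8", None),
    Entry("deny", "10.0.0.0/8", 9999),
]

if __name__ == "__main__":
    for port in (9999, 1433, 8080):
        print(port, evaluate(ACL, "10.0.5.20", port))
```

Running `shadowed` over a rule set before deployment flags deny entries that an earlier, broader permit has made unreachable, which is the ordering mistake first-match processing makes easy to miss.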

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 24, 26

One Comment on “Which of the following is the security administrator practicing in this example?”

  1. captcaveman says:

    The answer is A.
    The point of the question isn’t about a new application, but moreover, the potential of the virus to propagate through the port the security administrator has previously blocked. If the requested port is opened for the database application, then the port could also be used by the virus. The security administrator doesn’t want that to happen so a different port for the database application has been suggested. The virus port remains EXPLICITLY denied.



