PrepAway - Latest Free Exam Questions & Answers

Which of the following should the technician implement?

A security technician wants to implement stringent security controls over web traffic by restricting
the client source TCP ports allowed through the corporate firewall. Which of the following should
the technician implement?

A. Deny port 80 and 443 but allow proxies

B. Only allow port 80 and 443

C. Only allow ports above 1024

D. Deny ports 80 and allow port 443

Explanation:

7 Comments on “Which of the following should the technician implement?”

    1. juanfra77 says:

      It is a strange question; why should they block 80 and not 443? They are both TCP. It would make more sense if they asked properly and said they only want to allow secure web access, HTTPS or something like that.

      1. Wasseem says:

        Even for secure web access or HTTPS, you can use any port on the client side, including port 80. HTTPS runs over port 443 (by default) on the web server side regardless of the running port on the client side.

        Client (80) --> Web server (80) = HTTP
        Client (80) --> Web server (443) = HTTPS
        Client (443) --> Web server (80) = HTTP
        Client (x) --> Web server (80) = HTTP

        I would go with C.

        See Ephemeral Source Port Selection Strategies.
        https://www.cymru.com/jtk/misc/ephemeralports.html

        1. Robert says:

          Blocking all ports below 1024 will create a shitload of issues as you’re blocking most of the important ports. I don’t think this is a viable solution if you need to “implement stringent security controls over web traffic”. This sounds like a proxy, adding the default web ports as imposed by the second section of the question.

  1. Dugan Nash says:

    If you clarify the wording, A sounds like a good answer.

    Deny TCP ports 80 and 443 coming from client machines. Allow the same type of traffic only if it comes from a proxy.

  2. SuperMario says:

    I agree with Dugan Nash on this one.
    If you clarify the wording, A sounds like a good answer.
    Simple and straightforward:
    • For all “HTTP” web sites, I need port 80
    • For all “HTTPS” web sites, I require port 443
    • For all “HTTP” and “HTTPS” web sites, I can use a Proxy Server located in the DMZ, typically configured with port 8080.
    So it is possible to block all traffic for port 80 and 443, and direct all traffic via the Proxy on port 8080. Via the Proxy I shall still be able to access all HTTP and HTTPS sites via port 8080.

    So:
    A. Deny port 80 and 443 but allow proxies - looks like a very good answer
    B. Only allow port 80 and 443 - This could completely bypass the proxy, which is not very “stringent” at all
    C. Only allow ports above 1024 - This would cause all sorts of issues as already explained
    D. Deny ports 80 and allow port 443 - This would (1) stop access to all HTTP web sites, (2) allow access to all HTTPS sites and (3) potentially bypass the Proxy

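The thread turns on whether a rule matches the client source port or the server destination port. The following is an added example, not part of the original page or any commenter's post: a first-match rule evaluator run over constructed flows, comparing a source-port rule (one reading of option C) with the proxy rule set described in the comments (one reading of option A). The addresses, flow names and the way each option is turned into rules are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

PROXY_IP = "10.0.1.5"      # assumed address of the DMZ proxy
WEB_PORTS = {80, 443}

# One reading of option C: filter only on the client *source* port.
SRC_PORT_POLICY = [
    ("allow", lambda f: f.src_port > 1024),
]

# The reading of option A given in the comments: web ports only from the
# proxy, clients reach the proxy on 8080.
PROXY_POLICY = [
    ("allow", lambda f: f.src_ip == PROXY_IP and f.dst_port in WEB_PORTS),
    ("deny", lambda f: f.dst_port in WEB_PORTS),
    ("allow", lambda f: f.dst_ip == PROXY_IP and f.dst_port == 8080),
]

# Constructed sample flows (private and documentation addresses).
FLOWS = {
    "browser_https": Flow("10.0.0.23", 51514, "203.0.113.10", 443),
    "low_src_port": Flow("10.0.0.23", 80, "203.0.113.10", 443),
    "client_to_proxy": Flow("10.0.0.23", 51515, PROXY_IP, 8080),
    "proxy_to_web": Flow(PROXY_IP, 40000, "203.0.113.10", 443),
}

def decide(policy, flow):
    """First matching rule wins; anything unmatched is denied."""
    for action, matches in policy:
        if matches(flow):
            return action
    return "deny"

def evaluate(policy):
    """Return {flow name: "allow" | "deny"} for every sample flow."""
    return {name: decide(policy, flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, policy in (("source-port", SRC_PORT_POLICY), ("proxy", PROXY_POLICY)):
        for name, verdict in evaluate(policy).items():
            print(f"{label:12} {name:16} {verdict}")
```

In this model the source-port rule passes a direct client connection to port 443 whenever the source port is above 1024, while the proxy rule set denies that connection whatever its source port.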
