SC0-502 Security Certified Program (SCP)
Note 1: SC0-502 Exhibit and all related diagrams are not shown in demo questions.
Note 2: SC0-502 Answers are not shown in demo questions.
Exhibits and Answers are only provided in the Full Version.
Demo Question 7.
You go back through your notes to the day that you recommended that the company get a firewall in place. Purple had been convinced that the ISP protected the network, and that a firewall was too much technology on top of the router. Now that you have been given this responsibility, and since you have configured the router already, you wish to get the firewall in place as quickly as possible. You meet quickly with the CEO and mention that the network currently has no firewall, a serious problem. You inform the CEO that this must be fixed immediately, and that you have several firewall options. For this one instance, the CEO tells you to build the best solution; the decision is not going to be based on direct cost. Based on your knowledge of and the information you have from EliteCertify, select the best solution to the organization's firewall problem:
A. You decide to take advantage of the features of Microsoft's ISA Server and Checkpoint's NG. You implement two firewalls, each with two network cards. From one Ethernet interface of the router, you connect to a Checkpoint firewall, and from the other Ethernet interface on the router, you connect to a Microsoft ISA firewall. The Checkpoint firewall is connected via one NIC to the router, and the other NIC is connected to the Web and FTP Server. The Microsoft ISA Server is connected via one NIC to the router and the other NIC is connected to the LAN switch. You perform the following steps and configurations to set up the firewalls:
1. First, you configure the IP Address on both network cards of both firewalls.
2. Second, you select the Floodgate-1, SMART Clients, and Policy Server as the only components to install and complete the installation of Checkpoint.
3. Third, you configure the Checkpoint firewall so only Web and FTP traffic are allowed inbound.
4. Fourth, you select the Cache Mode option during the install of ISA Server and complete the installation of Microsoft ISA Server.
5. Fifth, you allow all outbound traffic through the ISA Server.
6. Sixth, you allow only inbound traffic through the ISA Server that is in response to outbound requests.
B. After analysis, you decide to implement a firewall using Checkpoint's NG. You begin by installing a new machine, with a fresh hard drive, and the loading of NG. The new firewall will have four NICs. You connect the two Ethernet interfaces on the routers to two of the firewall NICs. You connect one firewall NIC to the Web and FTP server and one firewall NIC to the LAN switch. You perform the following steps and configurations to set up the firewall:
1. First, you configure the IP Addresses on all four network cards of the Checkpoint firewall.
2. Second, you select only the VPN-1 & Firewall-1 components to install and complete the installation of Checkpoint.
3. Third, you configure the only new inbound network traffic to be destined for the WWW and FTP services on the Web and FTP server.
4. Fourth, you block all other incoming traffic.
5. Fifth, you create anti-spoofing rules to block inbound traffic that might be spoofed.
6. Sixth, you configure all traffic to be allowed in the outbound direction.
C. After you analyze the network, you have decided that you are going to implement a firewall using Microsoft ISA Server. The new firewall will have four NICs. You connect the two Ethernet interfaces on the routers to two of the firewall NICs. You connect one NIC to the Web and FTP server and one NIC to the LAN switch. You perform the following steps and configurations to set up the firewall:
1. First, you format a new hard drive and install a new copy of Windows 2000 Server.
2. Second, you configure the correct IP Addresses on the four network cards.
3. Third, you install ISA Server into Firewall only mode, and complete the installation.
4. Fourth, you configure all inbound traffic to require the SYN flag to be set; all other inbound network traffic is denied.
5. Fifth, you configure the network card towards the Web and FTP server to only allow ports 80, 20, and 21.
6. Sixth, you configure all outbound traffic to be allowed.
D. After you run an analysis on the network and the EliteCertify needs, you decide to implement a firewall using Checkpoint NG. The firewall will have three NICs. One NIC is connected to the router, one NIC is connected to the Web and FTP server and one NIC is connected to the LAN switch. You perform the following steps and configurations to set up the firewall:
1. First, you install a new version of Checkpoint NG, selecting the VPN-1 and Firewall-1 components, and complete the installation.
2. Second, you configure the inbound rules to allow only SYN packets that are destined for ports 80, 20, and 21 on the Web and FTP server.
3. Third, you disallow all inbound traffic for the internal network, unless it is in response to an outbound request.
4. Fourth, you configure anti-spoofing rules on the inbound interface and log those connections to a log server.
E. After you analyze the company, you decide to implement a firewall using Microsoft ISA Server. You create a DMZ with the Web and FTP server on the network segment between the router and the new firewall. The firewall will have two NICs, one connected to the router, and one connected to the LAN switch. You perform the following steps and configurations to set up the firewall:
1. First, you install a new version of ISA Server, installed in Firewall mode.
2. Second, you configure the inbound network card to disallow all network traffic that did not originate from inside the network or from the Web and FTP Server.
3. Third, you configure anti-spoofing rules to prevent spoofing attacks.
4. Fourth, you configure all outbound traffic to be allowed.
5. Fifth, you configure inbound traffic with the SYN flag on to be allowed, and to be logged to a SYSLOG server inside the network.