You are a network administrator tasked with configuring a new firewall for your company’s internal network

You are a network administrator tasked with configuring a new firewall for your company’s internal network. The network includes various departments, such as HR, Finance, and IT, each with its own VLAN.
The company policy requires that the HR department should only be able to access the internet for HR-related cloud services and should not have access to the Finance department’s resources. You decide to implement ACLs on the firewall to meet these requirements.
Which of the following ACL configurations would BEST meet the company’s policy requirements?
A. Allow all traffic from the HR VLAN to the Internet; block all traffic from the HR VLAN to the Finance VLAN
B. Allow only HTTP and HTTPS traffic from the HR VLAN to the Internet; block all traffic from the HR VLAN to the Finance VLAN
C. Block all traffic from the HR VLAN
D. Block all traffic from the HR VLAN to the Internet; allow all traffic from the HR VLAN to the Finance VLAN

The correct answer and explanation are:

The correct answer is B: Allow only HTTP and HTTPS traffic from the HR VLAN to the Internet; block all traffic from the HR VLAN to the Finance VLAN.

Explanation:

In this scenario, the HR department needs to be able to access HR-related cloud services on the Internet but should not have access to resources in the Finance department. This requires two key configurations in the firewall:

  1. Internet Access Restriction: The HR VLAN should be able to access the Internet, but the access should be limited to only the services necessary for HR tasks. Typically, this would include HTTP (port 80) and HTTPS (port 443) traffic for web-based applications and cloud services. By explicitly allowing only these protocols, the firewall ensures that HR cannot access other Internet resources that may not be relevant to their duties. This aligns with the policy to allow access to HR-related services only.
  2. Traffic Isolation Between HR and Finance: The HR VLAN must not have any access to the Finance VLAN. This means all traffic between HR and Finance needs to be blocked. The firewall ACL should block all types of communication between these two VLANs, ensuring strict isolation. This prevents potential data leaks or unauthorized access to sensitive financial data.

By choosing option B, the firewall configuration allows HTTP and HTTPS traffic from the HR VLAN to the Internet while blocking all communication from the HR VLAN to the Finance VLAN. This meets both requirements outlined in the company policy: restricted access to the Internet (only HR-related services) and isolation from the Finance VLAN.
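The two requirements above, expressed as an ordered ACL and checked against a few sample flows. This is an added illustration, not part of the original question or its answer key: the VLAN subnets, the cloud service address 203.0.113.10 and the rule representation are all constructed, and the evaluator models only the first-match, implicit-deny behaviour common to firewall ACLs. It also shows an edge case the explanation implies but does not spell out: when "to the Internet" is written as a permit toward any destination, the HR-to-Finance deny must come first, or the broad permit will shadow it.

```python
"""First-match ACL evaluator for the HR / Finance policy (added example).

All addresses are constructed for the demonstration; nothing here is taken
from a real network or from the original page.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed VLAN subnets (hypothetical addressing).
HR_VLAN = ip_network("10.10.0.0/24")
FINANCE_VLAN = ip_network("10.20.0.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]      # None matches any protocol
    dport: Optional[int]      # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            ip_address(pkt.src) in self.src
            and ip_address(pkt.dst) in self.dst
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; implicit deny otherwise."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Option B as an ordered ACL: the VLAN-to-VLAN deny is listed first, then the
# narrow Internet permits (HTTP and HTTPS only), then the implicit deny-all.
OPTION_B: List[Rule] = [
    Rule("deny",   HR_VLAN, FINANCE_VLAN, None,  None),
    Rule("permit", HR_VLAN, ANY,          "tcp", 80),
    Rule("permit", HR_VLAN, ANY,          "tcp", 443),
]

# The same three rules in the wrong order: the "any destination" permits now
# sit above the Finance deny and shadow it for ports 80 and 443.
MISORDERED: List[Rule] = [OPTION_B[1], OPTION_B[2], OPTION_B[0]]


def check_policy(acl: List[Rule]) -> Dict[str, str]:
    """Evaluate a few constructed flows from an HR host against an ACL."""
    flows = {
        "hr_to_cloud_https":   Packet("10.10.0.25", "203.0.113.10", "tcp", 443),
        "hr_to_cloud_ssh":     Packet("10.10.0.25", "203.0.113.10", "tcp", 22),
        "hr_to_finance_https": Packet("10.10.0.25", "10.20.0.40",   "tcp", 443),
        "hr_to_finance_smb":   Packet("10.10.0.25", "10.20.0.40",   "tcp", 445),
    }
    return {name: evaluate(acl, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for label, acl in (("option B", OPTION_B), ("misordered", MISORDERED)):
        print(label)
        for name, verdict in check_policy(acl).items():
            print(f"  {name:22s} {verdict}")
```

With the rules in Option B's order, HR reaches the cloud service on 443, is refused on 22, and is refused on every port toward Finance. With the misordered list the HTTPS flow to Finance is permitted, which is exactly the leak the second requirement forbids; on a real firewall the same mistake is avoided either by ordering as above or by defining "Internet" as a destination object that excludes the internal VLANs rather than as "any".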

Why Other Options Are Incorrect:

  • Option A allows all traffic from HR to the Internet, which is too permissive and violates the policy of limiting access to HR-related cloud services.
  • Option C blocks all traffic from the HR VLAN, which contradicts the requirement of providing HR with access to cloud services.
  • Option D allows HR VLAN traffic to Finance, which violates the policy of not allowing HR to access Finance resources.

Thus, B is the most suitable configuration for the firewall ACLs.
