You are a network administrator tasked with configuring a new firewall for your company’s internal network. The network includes various departments, such as HR, Finance, and IT, each with its own VLAN.
The company policy requires that the HR department should only be able to access the internet for HR-related cloud services and should not have access to the Finance department’s resources. You decide to implement ACLs on the firewall to meet these requirements.
Which of the following ACL configurations would BEST meet the company’s policy requirements?
A. Allow all traffic from the HR VLAN to the Internet; block all traffic from the HR VLAN to the Finance VLAN
B. Allow only HTTP and HTTPS traffic from the HR VLAN to the Internet; block all traffic from the HR VLAN to the Finance VLAN
C. Block all traffic from the HR VLAN
D. Block all traffic from the HR VLAN to the Internet; allow all traffic from the HR VLAN to the Finance VLAN
The correct answer and explanation are:
The correct answer is B: Allow only HTTP and HTTPS traffic from the HR VLAN to the Internet; block all traffic from the HR VLAN to the Finance VLAN.
Explanation:
To meet the company’s policy requirements, the firewall’s ACL configuration must:
- Allow limited Internet access for HR: The HR department needs to reach specific HR-related cloud services on the Internet, and such services are typically accessed over HTTP or HTTPS. The ACL should therefore permit only HTTP and HTTPS traffic from the HR VLAN to the Internet, so that HR can use the cloud services while unnecessary or potentially harmful traffic on other protocols is dropped.
- Block access to the Finance VLAN: The policy also specifies that the HR department should not have access to the Finance department’s resources. To enforce this, the ACL must block all traffic from the HR VLAN to the Finance VLAN, ensuring that HR cannot access sensitive financial data or systems.
The other options do not fully meet the requirements:
- Option A: Allowing all traffic from the HR VLAN to the Internet is too broad because it does not restrict the traffic to HR-related services. This would permit HR to access any external site or service, which is not aligned with the company’s policy of limited Internet access.
- Option C: Blocking all traffic from the HR VLAN would prevent HR from accessing any resources, both internal and external, which is not what the policy requires. HR needs Internet access for cloud services and must not be entirely restricted.
- Option D: Blocking all traffic from the HR VLAN to the Internet while allowing HR to access the Finance VLAN contradicts the policy, which requires HR to have no access to the Finance department’s resources.
Therefore, Option B best matches the policy requirements by ensuring HR has restricted Internet access and no access to Finance resources.
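To make the first-match behaviour of Option B concrete, here is an added Python simulation that is not part of the question or its answer key: it models the two rules as an ordered ACL with an implicit deny at the end. The VLAN prefixes, the HR host address and the Internet destination address are constructed values, and the second list shows the same two rules in the wrong order, where the permit to any destination shadows the deny to Finance.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed addressing for this example (not given in the question).
HR_VLAN = ipaddress.ip_network("10.10.20.0/24")
FINANCE_VLAN = ipaddress.ip_network("10.10.30.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_PORTS = frozenset({80, 443})  # HTTP and HTTPS

Packet = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, str, int]


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network        # 0.0.0.0/0 means "any"
    proto: Optional[str] = None       # None matches any protocol
    dports: Optional[FrozenSet[int]] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        src, dst, proto, dport = pkt
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dports is None or dport in self.dports))


# Option B: deny HR -> Finance first, then permit HR -> any on web ports.
OPTION_B = [
    Rule("deny", HR_VLAN, FINANCE_VLAN),
    Rule("permit", HR_VLAN, ANY, "tcp", WEB_PORTS),
]

# Same rules, wrong order: the permit to "any" is evaluated first and
# also matches Finance addresses, so the deny below it never fires.
SHADOWED = list(reversed(OPTION_B))


def evaluate(acl, pkt: Packet) -> str:
    """Return the action of the first matching rule, else implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def hr_flow(dst: str, proto: str = "tcp", dport: int = 443) -> Packet:
    """Build a packet from a constructed HR host to the given destination."""
    return (ipaddress.ip_address("10.10.20.15"), ipaddress.ip_address(dst), proto, dport)
```

Running `evaluate` over a few flows shows HTTPS to an Internet host permitted, SSH to the same host denied by the implicit deny, HTTPS to a Finance host denied, and the same Finance flow wrongly permitted by the shadowed list.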