You are a network administrator tasked with configuring a new firewall for your company’s internal network

You are a network administrator tasked with configuring a new firewall for your company’s internal network. The network includes various departments, such as HR, Finance, and IT, each with its own VLAN.
The company policy requires that the HR department should only be able to access the internet for HR-related cloud services and should not have access to the Finance department’s resources. You decide to implement ACLs on the firewall to meet these requirements.
Which of the following ACL configurations would BEST meet the company’s policy requirements?
B Allow all traffic from the HR VLAN to the Internet; block all traffic from the HR VLAN to the Finance VLAN
C Allow only HTTP and HTTPS traffic from the HR VLAN to the Internet; block all traffic from the HR VLAN to the Finance VLAN
D Block all traffic from the HR VLAN
E Block all traffic from the HR VLAN to the Internet; allow all traffic from the HR VLAN to the Finance VLAN

The correct answer and explanation are:

The correct answer is C: Allow only HTTP and HTTPS traffic from the HR VLAN to the Internet; block all traffic from the HR VLAN to the Finance VLAN.

Explanation:
The company policy specifies that the HR department should be able to access the internet for HR-related cloud services, but not have access to the Finance department’s resources. To achieve this, you need to configure access control lists (ACLs) to restrict traffic based on both destination and protocol.

  1. Allowing only HTTP and HTTPS traffic from the HR VLAN to the Internet:
    HR needs access to cloud services, which are usually web-based (HTTP/HTTPS). Allowing only HTTP and HTTPS traffic ensures that HR can access these services while blocking other types of traffic (e.g., FTP, SSH, etc.) that may not be required for HR operations.
  2. Blocking all traffic from the HR VLAN to the Finance VLAN:
    The policy explicitly states that HR should not have access to the Finance department’s resources. To meet this requirement, an ACL must block any traffic originating from the HR VLAN to the Finance VLAN. This prevents HR from accessing sensitive finance-related data.
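The two rules above as an executable model, added here and not part of the original question: a first-match ACL evaluator with an implicit deny, showing that the HR-to-Finance deny must sit above the permit to "any" destination (the usual way "the Internet" is expressed) or it is shadowed and never matches. The VLAN subnets, host addresses and port numbers are constructed assumptions.

```python
"""Added example (not from the quiz page): first-match ACL evaluation of
Option C, and why rule order matters when "Internet" means any destination.
All subnets, hosts and ports below are constructed assumptions."""
from ipaddress import ip_address, ip_network

# Constructed VLAN addressing (assumption, not from the page).
HR_VLAN = ip_network("10.10.0.0/24")
FINANCE_VLAN = ip_network("10.20.0.0/24")
ANY = ip_network("0.0.0.0/0")
WEB_PORTS = {80, 443}  # HTTP and HTTPS

# Rules are evaluated top-down; the first match wins; no match => implicit deny.
# Each rule: (action, src_net, dst_net, allowed_tcp_ports or None for any port)
OPTION_C_ACL = [
    ("deny",   HR_VLAN, FINANCE_VLAN, None),       # HR may never reach Finance
    ("permit", HR_VLAN, ANY,          WEB_PORTS),  # HR -> Internet, web only
    # implicit deny everything else
]

# Same two rules in the wrong order: the broad permit matches Finance web
# servers first, so the deny below it is shadowed and never evaluated.
SHADOWED_ACL = [
    ("permit", HR_VLAN, ANY,          WEB_PORTS),
    ("deny",   HR_VLAN, FINANCE_VLAN, None),
]

def evaluate(acl, src, dst, dport):
    """Return 'permit' or 'deny' for a TCP flow under first-match semantics."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, ports in acl:
        if s in src_net and d in dst_net and (ports is None or dport in ports):
            return action
    return "deny"  # implicit deny at the end of every ACL

def audit(acl, cases):
    """Map each (src, dst, dport) intent case to whether the ACL matches it."""
    return {(s, d, p): evaluate(acl, s, d, p) == want for s, d, p, want in cases}

# Policy intent: HR web to Internet allowed; non-web denied; HR to Finance denied.
INTENT = [
    ("10.10.0.5", "203.0.113.10", 443, "permit"),  # HR cloud service over HTTPS
    ("10.10.0.5", "203.0.113.10", 22,  "deny"),    # SSH is not required for HR
    ("10.10.0.5", "10.20.0.8",    443, "deny"),    # Finance web server, even HTTPS
]

if __name__ == "__main__":
    print("Option C :", audit(OPTION_C_ACL, INTENT))  # all True
    print("Shadowed :", audit(SHADOWED_ACL, INTENT))  # Finance case fails
```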

Now, let’s evaluate the other options:

  • Option A (“Allow all traffic from the HR VLAN to the Internet; block all traffic from the HR VLAN to the Finance VLAN”) allows unrestricted access to the internet, which contradicts the policy that specifies access should only be for HR-related cloud services. This would grant HR more access than intended.
  • Option B (“Allow only HTTP and HTTPS traffic from the HR VLAN to the Internet; block all traffic from the HR VLAN to the Finance VLAN”) is similar to Option C, and is the best choice as it fulfills both conditions: limited internet access and blocking access to the Finance VLAN.
  • Option D (“Block all traffic from the HR VLAN”) completely blocks HR’s access, which is against the policy since HR must access the internet for cloud services.
  • Option E (“Block all traffic from the HR VLAN to the Internet; allow all traffic from the HR VLAN to the Finance VLAN”) contradicts the policy by allowing HR to access the Finance department’s resources.

In summary, Option C is the best configuration to meet the policy requirements of limiting HR’s internet access to only HR-related cloud services while preventing access to the Finance department’s resources.
