ISACA CISM: Which is the BEST method for determining whether firewall has been configured to provide comprehensive perimeter defense

Question

Which of the following is the BEST method for determining whether a firewall has been configured to provide a comprehensive perimeter defense?

A. A port scan of the firewall from an internal source
B. A simulated denial of service (DoS) attack against the firewall
C. A validation of the current firewall rule set
D. A ping test from an external source

Answer

C. A validation of the current firewall rule set

Explanation

The correct answer is C. A validation of the current firewall rule set. This is the best method for determining whether a firewall has been configured to provide a comprehensive perimeter defense, because it allows the security manager to verify that the firewall is enforcing the desired security policy and blocking unauthorized traffic. A port scan of the firewall from an internal source (A) would only reveal the open ports on the firewall, but not whether they are being used for legitimate purposes or not. A simulated denial of service (DoS) attack against the firewall (B) would test the firewall’s resilience and performance, but not its effectiveness in filtering traffic. A ping test from an external source (D) would only show whether the firewall is responding to ICMP requests, but not whether it is allowing or denying other types of traffic.

Reference

Isaca Certified Information Security Manager CISM certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Isaca Certified Information Security Manager CISM exam and earn Isaca Certified Information Security Manager CISM certification.