A security analyst discovers that an internal host is sending traffic to an external IP address known to be a command-and-control server. The analyst wants to block only that specific traffic without affecting other traffic. Which firewall rule should be implemented?
This provides a targeted block without affecting other traffic.
Why this answer
Option D is correct because it creates a specific deny rule that matches only the source IP of the internal host and the destination IP of the command-and-control server, blocking that exact traffic flow while allowing all other traffic to and from both hosts. This is the most precise and least disruptive approach, adhering to the principle of least privilege in firewall rule design.
Exam trap
The trap here is that candidates often choose a broad deny rule (like denying all traffic to the external IP) because they focus on the malicious destination, forgetting that such a rule would block all traffic to that IP from any source, potentially impacting other hosts or services.
How to eliminate wrong answers
Option A is wrong because denying all traffic from the internal host would block all outbound communications from that host, including legitimate traffic to other destinations, causing unnecessary disruption. Option B is wrong because denying all traffic to the external IP would block every connection to that IP from any host, potentially affecting other internal hosts that may need to communicate with it for legitimate reasons (such a need is unlikely in this scenario, but the rule is still overly broad). Option C is wrong because denying traffic on the specific port used would block all traffic on that port to any destination, not just the command-and-control server, which could disrupt other services using the same port.