Valid CAS-004 dumps shared by EduDump.com to help you pass the CAS-004 exam! EduDump.com now offers the newest CAS-004 exam dumps; the EduDump.com CAS-004 exam questions have been updated and the answers corrected. Get the newest EduDump.com CAS-004 dumps with Test Engine here:
An organization has several legacy systems that are critical to testing currently deployed assets. These systems have become a serious risk to the organization's security posture, and the security manager must implement protection measures to prevent critical infrastructure from being impacted. The systems must stay interconnected to allow communication with the deployed assets. Which of the following designs, if implemented, would decrease the most risks but still meet the requirements?

A. Software-defined networking (SDN)
B. Containerization
C. Air gap
D. Screened subnet
Correct Answer: D
Comprehensive and Detailed In-Depth Explanation:

Problem Statement: The organization needs to secure legacy systems while maintaining interconnectivity with deployed assets. Legacy systems are inherently vulnerable and can pose risks if directly connected to critical infrastructure. The goal is to minimize risk without breaking connectivity.

Why the Correct Answer is D (Screened Subnet): A screened subnet (often called a DMZ, or demilitarized zone) is a network segment that isolates potentially risky systems from the internal network. It is typically placed between two firewalls:
- One firewall separates the DMZ from the external network (internet).
- The other firewall isolates the DMZ from the internal network.
This setup allows controlled communication between legacy systems and internal assets while minimizing risk.

Key Benefits of a Screened Subnet:
- Isolation: separates legacy systems from the critical internal network.
- Controlled Access: uses firewall rules to restrict inbound and outbound traffic.
- Reduced Attack Surface: limits the potential impact of a compromised legacy system.
- Interconnectivity Maintenance: enables communication with deployed assets without direct exposure.

Example Scenario: A company has legacy industrial control systems (ICS) that need to interact with modern monitoring tools. Placing the ICS within a screened subnet ensures:
- Data flow is regulated.
- Monitoring systems can still access ICS data without risking full network exposure.
- Compromise of the legacy system does not automatically mean compromise of the core network.

Why the Other Options Are Incorrect:
- A: Software-defined networking (SDN). SDN enables dynamic network configuration, but it does not inherently isolate risky legacy systems. While it can segment traffic, it is primarily used for network flexibility and management, not isolation.
- B: Containerization. Containers isolate applications, but legacy systems often run on dedicated hardware or old OS environments that are not container-compatible. This approach does not meet the requirement of keeping the systems interconnected.
- C: Air gap. An air gap completely isolates systems from any network. This solution breaks interconnectivity, making it impractical for the given requirement. It is ideal for high-security environments but not when intercommunication is needed.

Real-World Example: A healthcare organization has legacy medical devices that must communicate with the patient management system. Placing these devices in a screened subnet allows them to interact while being isolated from the core hospital network, minimizing cyber risk.

Visual Representation:

        [Internet]
            |
       [Firewall 1]
            |
   [Screened Subnet / DMZ]
      /          |            \
[Legacy System 1] [Legacy System 2] [Monitoring Server]
            |
       [Firewall 2]
            |
     [Internal Network]

The screened subnet acts as a buffer zone, ensuring controlled communication between the legacy systems and the internal network.

Extract from CompTIA SecurityX CAS-005 Study Guide: The CompTIA SecurityX CAS-005 Official Study Guide advises using a screened subnet (DMZ) when isolating legacy systems that still require network connectivity. The guide emphasizes that this approach significantly reduces risk by minimizing the attack surface while maintaining necessary inter-system communication.
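To make the two-firewall design concrete, the following added example (not from the exam page or any vendor guide) models the screened subnet as two first-match, default-deny rule sets and evaluates whether a new connection is permitted along its path. The addresses, hosts and ports are constructed assumptions; stateful firewalls are assumed, so only connection-initiating flows are checked.

```python
"""Policy model of the screened-subnet (DMZ) design: a flow is allowed only
if every firewall on its path permits it. All values are constructed."""
from ipaddress import ip_address, ip_network

# Constructed addressing for the three zones (assumption).
DMZ = ip_network("10.1.0.0/24")        # legacy systems + monitoring server
INTERNAL = ip_network("10.0.0.0/16")   # critical internal infrastructure
LEGACY = [ip_address("10.1.0.10"), ip_address("10.1.0.11")]
MONITOR = ip_address("10.1.0.50")

def zone_of(ip):
    """Map an address to 'dmz', 'internal' or 'external' (anything else)."""
    ip = ip_address(ip)
    if ip in DMZ:
        return "dmz"
    if ip in INTERNAL:
        return "internal"
    return "external"

def _match(selector, ip):
    """A selector is a zone name, a list of hosts, or a network."""
    if isinstance(selector, str):
        return zone_of(ip) == selector
    return ip_address(ip) in selector

# Rules: (src, dst, dst_port or None for any, action); first match wins.
FW1_EXTERNAL_DMZ = [  # between the internet and the screened subnet
    ("external", LEGACY, 8443, "allow"),  # deployed assets report in to legacy systems
    ("dmz", "external", None, "deny"),    # the DMZ may not initiate outbound connections
]
FW2_DMZ_INTERNAL = [  # between the screened subnet and the internal network
    (INTERNAL, [MONITOR], 443, "allow"),  # internal tools query the monitoring server
    (INTERNAL, LEGACY, 502, "allow"),     # internal tools read ICS data (Modbus/TCP)
    ("dmz", "internal", None, "deny"),    # a compromised legacy host cannot pivot inward
]

def fw_permits(rules, src, dst, port):
    for s, d, p, action in rules:
        if _match(s, src) and _match(d, dst) and p in (None, port):
            return action == "allow"
    return False  # default deny: anything unmatched is dropped

def firewalls_on_path(src, dst):
    zones = {zone_of(src), zone_of(dst)}
    path = []
    if "external" in zones:
        path.append(FW1_EXTERNAL_DMZ)
    if "internal" in zones:
        path.append(FW2_DMZ_INTERNAL)
    return path  # same-zone traffic crosses no firewall

def flow_allowed(src, dst, port):
    """True only when every firewall between src and dst permits the flow."""
    return all(fw_permits(fw, src, dst, port) for fw in firewalls_on_path(src, dst))
```

Running the model shows the property the answer relies on: internal monitoring reaches the legacy systems on the one permitted port, while a compromised legacy host cannot open any connection into the internal network or out to the internet.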