4 votes
You have been contracted by Dion Training to conduct a penetration test against its Learning Management System (LMS). The LMS is a web application that is hosted in the organization's DMZ. Which of the following appliance allow lists should the organization add your source IP to before the engagement begins?

a) Web Application Firewall (WAF)

b) Intrusion Prevention System (IPS)

c) Network Access Control (NAC)

d) Proxy Server

by User Demiculus (7.9k points)

1 Answer

5 votes

Final answer:

a) Web Application Firewall (WAF). For a penetration test on a Learning Management System hosted in a DMZ, the penetration tester's source IP should be added to the allow list to prevent being blocked during testing.

Step-by-step explanation:

If you have been contracted to conduct a penetration test against Dion Training's Learning Management System (LMS), which is hosted in the organization's DMZ, the appliance to add your source IP to is the Web Application Firewall (WAF).

The WAF is specifically designed to monitor, filter, and block potentially harmful traffic to web applications and is the first line of defense against web-based attacks.

Adding your source IP to the WAF allow list ensures that the security measures in place do not hinder the penetration testing process, allowing you to thoroughly assess the system's vulnerabilities without being falsely identified as a threat and subsequently blocked.

While the other options like Intrusion Prevention System (IPS), Network Access Control (NAC), and Proxy Server play critical roles in security, they focus on monitoring internal traffic, controlling access to the network, and forwarding client requests, respectively, which are not directly relevant to the scope of a penetration test focusing on a web application.

by User Jabalsad (8.0k points)