Vivus
Participant

Conflict on Exception - Why is the most liberal action taken?


Hi there guys,

I'm currently looking over some material for the CCSA (have been particularly aided by ExamTopics - excellent for practice exam questions and actually free, thank God) and have come across a question regarding conflict resolution within Security Policies.

 

Question

"What are the three conflict resolution rules in the Threat Prevention Policy Layers?"

Answer

"Conflict on action, conflict on exception, and conflict on settings"

 

Description 

After doing a bit of reading up on these conflict resolution rules, I was particularly perplexed by the description for the Conflict on Exception which reads (CCSA R80.10 guide page 407 - I know this is a bit outdated as we're at R81.10 now... maybe this has changed?):

"Conflict on exception: The exceptions for a specified scope is different between layers. The action taken will be the most liberal, or least restrictive."

 

Any Ideas?

Can anyone explain why, if the conflict on action opts for the most restrictive option when a conflict occurs, the conflict on exception vouches for the least restrictive option? This seems to me like it might dangerously expose the system? Any insight is greatly appreciated. 

 

Thanks Check Mates, 🍻

Vivus


Accepted Solutions
Jason_Tugwell
Employee

As an FYI, the source material is not up to date as that question is no longer on the exam. 🙂

Regards,

Tug 


3 Replies
PhoneBoy
Admin

Thinking about it logically, an exception is generally to give you the option to reduce the level of enforcement for a specific protection, not increase it.
Therefore, to me at least, it would make sense that if there was a conflict for an exception, the least restrictive one would apply. 
Not sure that's the official reason, but that's my take.

Vivus
Participant

Hi PhoneBoy, thanks for the response. I had considered that, but then thought that if there was a lack of exception in one rule base it would imply that there may be reason to keep 'exceptional individuals' out, which compromises security if the two rule bases are merged and the least restrictive option is held.

I don't really know, maybe I'm overthinking it, haha.
