| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
You are the security administrator for Certkiller.com. Certkiller's security policy forces users to authenticate to the security gateway explicitly, before they can use any service. You are also reminded that your gateway does not allow the Telnet service to itself any location. How would you set up the authentication method?

A. With a client authentication rule using the manual sign-on method, using HTTP on port 900
B. With a Session Authentication Rule
C. With Client Authentication rule for Partially Automatic Sign-On
D. With a Client Authentication for fully automatic sign-on
E. With a User Authentication Rule

Testking says the correct answer is A. I think B, because manual sign-on uses HTTP or Telnet, and the client authentication rule must be placed above the stealth rule. As for you, what is the correct answer?

The answer 'A' seems most appropriate, as users are expected to sign on explicitly (hence the manual sign-on method). To access the firewall, the rule has to be placed above the stealth rule (where you specify who will connect using what service: HTTP port 900).

Configuring Client Authentication in the Rulebase

To allow client authentication, create a new rule above any rule that would block ports 900 and 259 to the firewall (usually the Stealth Rule). In the source field, select Add User Access, and then add the user group that will be able to authenticate, and optionally restrict to a location, where that group can connect from.

Pg: 314, Syngress CCSA NGX Book

Cheers,
Godspeedcapri
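
The rule-ordering point in the excerpt above can be checked mechanically. This is an added example, not code from the thread or the Syngress book: it models a rulebase as a top-down, first-match list and reports when a connection to the gateway on sign-on port 259 or 900 reaches a blocking rule before the Client Authentication rule. The rule fields, object names and sample rulebases are constructed assumptions, not Check Point's policy format.

```python
# Simplified first-match rulebase model (an assumption for illustration,
# not Check Point's policy format). Ports 259 and 900 are the manual
# sign-on ports named in the excerpt above.
SIGN_ON_PORTS = (259, 900)


def first_match(rulebase, dst, port):
    """Return the first rule matching (dst, port), evaluating top-down."""
    for rule in rulebase:
        dst_ok = rule["dst"] in ("Any", dst)
        port_ok = rule["ports"] == "Any" or port in rule["ports"]
        if dst_ok and port_ok:
            return rule
    return None


def blocked_sign_on_ports(rulebase, gateway="gateway"):
    """List (port, rule name) pairs where sign-on traffic to the gateway
    is caught by something other than the client authentication rule."""
    findings = []
    for port in SIGN_ON_PORTS:
        rule = first_match(rulebase, gateway, port)
        if rule is None:
            findings.append((port, "no matching rule"))
        elif rule["action"] != "client_auth":
            findings.append((port, rule["name"]))
    return findings


# Constructed sample rules; names and objects are hypothetical.
STEALTH = {"name": "Stealth", "dst": "gateway", "ports": "Any", "action": "drop"}
CLIENT_AUTH = {"name": "Client Auth", "dst": "Any", "ports": "Any",
               "action": "client_auth"}
CLEANUP = {"name": "Cleanup", "dst": "Any", "ports": "Any", "action": "drop"}

WRONG_ORDER = [STEALTH, CLIENT_AUTH, CLEANUP]  # stealth rule shadows sign-on
RIGHT_ORDER = [CLIENT_AUTH, STEALTH, CLEANUP]  # auth rule above stealth rule

if __name__ == "__main__":
    for label, rulebase in (("wrong order", WRONG_ORDER),
                            ("right order", RIGHT_ORDER)):
        print(label, blocked_sign_on_ports(rulebase))
```
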