ISC2 SSCP Exam - Topic 6 Question 44 Discussion

Actual exam question for ISC2's SSCP exam

Question #: 44
Topic #: 6

[All SSCP Questions]

Which of the following rules appearing in an Internet firewall policy is inappropriate?

ASource routing shall be disabled on all firewalls and external routers.

BFirewalls shall be configured to transparently allow all outbound and inbound services.

CFirewalls should fail to a configuration that denies all services, and require a firewall administrator to re-enable services after a firewall has failed.

DFirewalls shall not accept traffic on its external interfaces that appear to be coming from internal network addresses.

Show Suggested Answer

Suggested Answer: B

Unless approved by the Network Services manager, all in-bound services shall be intercepted and processed by the firewall. Allowing unrestricted services inbound and outbound is certainly NOT recommended and very dangerous.

Pay close attention to the keyword: all

All of the other choices presented are recommended practices for a firewall policy.

Reference(s) used for this question:

GUTTMAN,

Barbara & BAGWILL, Robert, NIST Special Publication 800-xx, Internet Security Policy: A Technical Guide, Draft Version, May 25, 2000 (page 78).

by Rolland at May 09, 2022, 02:13 AM

Limited Time Offer

25%

Off

Get Premium SSCP Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Mary

4 months ago

Wait, people actually allow all services? That sounds risky!

upvoted 0 times

...

Adrianna

4 months ago

D is a must-have rule, can't let internal traffic leak out!

upvoted 0 times

...

Jacki

4 months ago

C seems a bit extreme, what if there's an emergency?

upvoted 0 times

...

Annalee

4 months ago

Totally agree with A, source routing can be a huge risk!

upvoted 0 times

...

Vannessa

5 months ago

B is definitely inappropriate, that's just asking for trouble.

upvoted 0 times

...

Brice

5 months ago

Option D makes sense to me because accepting internal traffic on external interfaces could lead to spoofing attacks, so I think that's a good rule.

upvoted 0 times

...

Alline

5 months ago

I feel like we had a practice question about firewall configurations failing safely, so option C might be okay, but I'm not completely confident.

upvoted 0 times

...

Tamesha

5 months ago

I remember we discussed how allowing all services through a firewall is a huge security risk, so I think option B is definitely inappropriate.

upvoted 0 times

...

Luke

5 months ago

I'm not entirely sure, but I think source routing can be a vulnerability, so option A seems like a good rule to have.

upvoted 0 times

...

Hubert

5 months ago

Okay, let's think this through step-by-step. The question is asking about a feature found ONLY in sensor-based ML, so we need to eliminate the options that are also found in other types of ML. I'm going to go with option C - real-time offline protection.

upvoted 0 times

...

Tequila

5 months ago

The Meraki full stack, huh? I remember learning about that in class, but I can't quite recall the details. I'll have to eliminate the options I'm sure are wrong and then make an educated guess.

upvoted 0 times

...