ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During final hardening of a new Linux server that will expose a single REST API on TCP port 8443, you decide to enable the host-based firewall even though an external network firewall already restricts traffic. Which host firewall rule set best supports a defense-in-depth strategy while enforcing a default-deny posture without disrupting the application's operation?
Set default DROP on INPUT and OUTPUT; allow inbound TCP 8443 from required sources; allow only RELATED and ESTABLISHED outbound traffic.
Set default ACCEPT on OUTPUT; set default DROP on INPUT but allow inbound TCP 8443 and SSH from any host.
Leave default ACCEPT on all chains; simply log all packets for audit purposes.
Disable the host-based firewall and rely on the network firewall, since it already permits only TCP 8443 inbound.
A defense-in-depth configuration assumes the network firewall could fail or be misconfigured, so the host itself must also restrict traffic. A true default-deny stance drops all packets except those explicitly required. The API only needs to accept inbound TCP connections on port 8443 and to send the related response traffic back out. Setting the default policy to DROP for both the inbound and outbound chains, then adding an explicit rule that allows inbound TCP 8443 (plus a stateful rule permitting RELATED and ESTABLISHED return traffic) achieves this with minimal attack surface. Allowing all outbound traffic, keeping default ACCEPT policies, or disabling the host firewall would violate the least-privilege and default-deny principles or remove an important security layer.
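The correct rule set expressed as iptables-restore input, as an added example that is not part of the original question. The source range in ALLOWED_SRC and the loopback rules are assumptions (the question only says "required sources"); nothing is applied unless the script is run with --apply.

```shell
#!/bin/sh
# Added example: default-deny host firewall for a single API on TCP 8443.
API_PORT="${API_PORT:-8443}"
ALLOWED_SRC="${ALLOWED_SRC:-10.0.0.0/8}"   # constructed placeholder for the "required sources"

# Render the rule set; nothing is applied until it is piped to iptables-restore.
render_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback (assumption: local health checks and IPC need it)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Return traffic for connections the host already accepted
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The one exposed service, and only from the required source range
-A INPUT -p tcp --dport ${API_PORT} -s ${ALLOWED_SRC} -m conntrack --ctstate NEW -j ACCEPT
# Everything else falls through to the DROP policy; rate-limited log for detection
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "HOST-FW-DROP: "
COMMIT
EOF
}

# Sanity check before applying: all three chains default to DROP and exactly
# one rule may open a NEW inbound connection. Returns 0 when both hold.
check_default_deny() {
  rules=$(render_ruleset)
  [ "$(printf '%s\n' "$rules" | grep -c '^:[A-Z]* DROP')" -eq 3 ] &&
  [ "$(printf '%s\n' "$rules" | grep -c -- '--ctstate NEW')" -eq 1 ]
}

if [ "${1:-}" = "--apply" ]; then
  check_default_deny && render_ruleset | iptables-restore
fi
```

Because OUTPUT also defaults to DROP, the host cannot initiate DNS, NTP or package-update traffic on its own; any such egress needs its own explicit rule, which is the trade-off the default-deny answer accepts.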