ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A company is migrating its web tier to a private cloud that uses a distributed virtual switch on each host. Policy requires that every inbound HTTP/HTTPS session be inspected and, if needed, blocked before reaching any web server. The network team also wants to avoid changing server IPs or routing tables. Which deployment option best meets these constraints for the new virtual web application firewall (vWAF)?
Attach the vWAF to a SPAN/mirror port on the distributed virtual switch to monitor traffic passively.
Install the vWAF software on the hypervisor management network so it can inspect traffic out of band for all virtual machines.
Deploy a vWAF agent inside each web server virtual machine to perform host-based inspection after packets are delivered.
Deploy the vWAF as a two-interface, layer-2 bridge VM connected between the external and web-tier port groups on the distributed virtual switch, operating inline.
To satisfy the requirement that all external traffic be inspected before it reaches the web servers, the vWAF must sit transparently in the traffic path between the Internet edge and the web-tier network. Deploying the appliance as a two-arm, layer-2 bridge (sometimes called transparent or bump-in-the-wire mode) on the distributed virtual switch places it directly inline. Because it operates at layer 2, it forwards frames without acting as the default gateway, so server IP addresses and routing tables remain unchanged.
A passive SPAN/mirror port lets the vWAF see packets but not block them. Installing the vWAF on the hypervisor management network places it out of band, so it would miss traffic before it reaches the server. Agents inside each web server inspect only after packets are delivered, which changes the security model. Both options violate the requirement for centralized, inline inspection.
ISC2 Systems Security Certified Practitioner (SSCP)
Network and Communication Security