ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company uses a legacy application that performs active FTP transfers to a partner site on the public Internet. The perimeter device is a stateful firewall with no FTP helper or ALG enabled. To keep the application functional while following the principle of least privilege, which pair of TCP rules should you configure on the firewall?
Allow outbound TCP from any high client port to destination ports 20 and 21 only; block all inbound traffic from the FTP server.
Allow outbound TCP from any high client port to destination port 21, and allow inbound TCP with source port 20 to client high ports; deny all other FTP-related traffic.
Allow outbound TCP from any high client port to destination port 21 and allow inbound TCP to destination port 21 from any source; deny all other FTP traffic.
Allow outbound TCP from source port 20 to destination port 20 and inbound TCP from source port 21 to destination port 21; deny all others.
Active FTP establishes two separate TCP connections. The internal client initiates the control channel from an ephemeral source port (>1023) to the server's well-known port 21, so an outbound rule allowing traffic to destination port 21 is required. After authentication, the server opens the data channel from its own port 20 to the client's chosen high-numbered port, so an inbound rule that permits traffic with a source port of 20 destined to high ports on the client network is also essential. The other options either allow the wrong directions, omit the necessary inbound data-channel rule, or open unnecessary ports, violating least-privilege principles.
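The explanation above can be checked mechanically. The following Python sketch is an added example, not part of the original question: it models a default-deny stateful firewall in which only the first packet of each new connection is matched against the rules, encodes the four answer options in page order, and tests each against the two connections active FTP opens. The option numbers 1 to 4, the sample client ports 50000/50001, the probe tuples, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

HIGH = range(1024, 65536)  # high / ephemeral ports
ANY = range(0, 65536)

def port(p):
    return range(p, p + 1)

@dataclass(frozen=True)
class Rule:
    direction: str  # "out" = client network -> Internet, "in" = the reverse
    sport: range
    dport: range

def permits(rules, direction, sport, dport):
    """Default deny; stateful, so only a connection's first packet is matched."""
    return any(r.direction == direction and sport in r.sport and dport in r.dport
               for r in rules)

# The four answer options, numbered in the order they appear on the page.
OPTIONS = {
    1: [Rule("out", HIGH, port(20)), Rule("out", HIGH, port(21))],
    2: [Rule("out", HIGH, port(21)), Rule("in", port(20), HIGH)],
    3: [Rule("out", HIGH, port(21)), Rule("in", ANY, port(21))],
    4: [Rule("out", port(20), port(20)), Rule("in", port(21), port(21))],
}

def active_ftp_works(rules, client_ctrl=50000, client_data=50001):
    """Both channels must be allowed: client->21 (control), server:20->client (data)."""
    control = permits(rules, "out", client_ctrl, 21)
    data = permits(rules, "in", 20, client_data)
    return control and data

def unneeded_exposure(rules):
    """New connections that active FTP never requires but the rule set allows."""
    probes = {
        "inbound to client port 21": ("in", 40000, 21),
        "outbound to server port 20": ("out", 50000, 20),
        "inbound from non-20 source to high port": ("in", 40000, 50001),
    }
    return [name for name, p in probes.items() if permits(rules, *p)]

if __name__ == "__main__":
    for n, rules in OPTIONS.items():
        print(n, "works" if active_ftp_works(rules) else "breaks",
              unneeded_exposure(rules))
```

The model matches on direction and ports only, as the question does; a production rule would normally also restrict both rules to the partner server's address.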
ISC2 Systems Security Certified Practitioner (SSCP)
Network and Communication Security