ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your organization operates a three-zone firewall: Untrusted (Internet), DMZ, and Internal. Security has mandated creation of a fourth Management zone that is reachable only after VPN authentication. A new bastion (jump) host will be used by administrators to manage web servers in the DMZ and file/database servers in the Internal zone. According to firewall security-zone best practices, in which zone should the bastion host be placed to minimize the attack surface while still allowing administration of the other zones?
Untrusted zone, with a public IP so administrators can connect without traversing the VPN.
DMZ, alongside the public web servers it will manage.
Management zone that is isolated from user traffic and accessible only after VPN authentication.
Internal zone, where the file and database servers are located.
A bastion used strictly for administration belongs in a dedicated Management zone that is isolated from both user traffic and publicly reachable segments. With the jump host there, administrators can reach it only after strong authentication (for example, via VPN), and the firewall can permit tightly scoped management sessions (SSH/RDP on their specific ports) initiated from the Management zone toward hosts in the DMZ and Internal zones, while the default-deny policy blocks any session initiated from the DMZ, Internal or Untrusted zones back toward the Management zone. Placing the jump host in the Untrusted, DMZ or Internal zone would expose it directly to the Internet or to user subnets, increasing the likelihood that it is probed or compromised and defeating the purpose of a hardened management plane; a compromised bastion sitting in the DMZ, for instance, would also hand an attacker a pre-approved path into the Internal zone.
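As an added illustration (not part of the original question or of any ISC2 material), the placement guidance above can be turned into a policy check. The script below models the four zones plus a pseudo-source "vpn" for sessions that have already authenticated to the VPN concentrator, evaluates a constructed first-match, default-deny rule table, and audits a weak placement (bastion in the DMZ with SSH open to the Internet) against the recommended one. The zone names, port lists, Rule structure and both rule tables are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed zone model for the example: the three original zones plus the new
# Management zone. "vpn" is not a zone but a pseudo-source representing traffic
# that has already authenticated to the VPN and is entering the Management zone
# (an assumption made for this illustration).
ZONES = ("untrusted", "dmz", "internal", "management")
ADMIN_PORTS = (22, 3389)                       # SSH and RDP
PROBE_PORTS = (22, 3389, 80, 443, 1433, 3306)  # constructed sample of ports to test


@dataclass(frozen=True)
class Rule:
    src: str              # zone name, "vpn", or "any"
    dst: str              # zone name or "any"
    dport: Optional[int]  # None matches every destination port
    action: str           # "accept" or "drop"


def evaluate(rules: Sequence[Rule], src: str, dst: str, dport: int) -> str:
    """First-match evaluation of a session-initiation attempt, default deny.

    Only the first packet of a session is modelled; return traffic for an
    accepted session is assumed to be handled by the firewall's state table.
    """
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.dport in (dport, None):
            return r.action
    return "drop"


def audit(rules: Sequence[Rule], bastion_zone: str) -> List[str]:
    """Check a rule table against the bastion-placement guidance.

    Returns a list of findings; an empty list means the policy is acceptable.
    """
    findings: List[str] = []

    # 1. No network zone may initiate sessions into the zone hosting the bastion;
    #    the only legitimate ingress is the VPN.
    for src in ZONES:
        if src == bastion_zone:
            continue
        reachable = [p for p in PROBE_PORTS if evaluate(rules, src, bastion_zone, p) == "accept"]
        if reachable:
            findings.append(
                f"{src} can initiate sessions into the bastion zone ({bastion_zone}) on ports {reachable}")

    # 2. Sessions from the bastion's zone into the DMZ and Internal zones must be
    #    scoped to the administrative ports only.
    for dst in ("dmz", "internal"):
        if dst == bastion_zone:
            continue
        extra = [p for p in PROBE_PORTS
                 if p not in ADMIN_PORTS and evaluate(rules, bastion_zone, dst, p) == "accept"]
        if extra:
            findings.append(f"{bastion_zone} -> {dst} permits non-administrative ports {extra}")

    # 3. Administrators must still have a path: the VPN must reach the bastion on SSH or RDP.
    if not any(evaluate(rules, "vpn", bastion_zone, p) == "accept" for p in ADMIN_PORTS):
        findings.append(f"no VPN path into the bastion zone ({bastion_zone}) on SSH/RDP")

    return findings


# Constructed "before": bastion parked in the DMZ next to the web servers, SSH
# opened from the Internet so admins can skip the VPN, and a blanket allow from
# the DMZ into the Internal zone so the jump host can reach the servers there.
WEAK_POLICY = [
    Rule("untrusted", "dmz", 443, "accept"),   # public web traffic
    Rule("untrusted", "dmz", 22, "accept"),    # SSH to the jump host from anywhere
    Rule("dmz", "internal", None, "accept"),   # DMZ may open anything inward
]

# Constructed "after": bastion in the Management zone; only VPN-authenticated
# traffic may enter it, and it may open only SSH/RDP toward the managed zones.
# No rule lets DMZ, Internal or Untrusted initiate toward Management, so the
# default deny blocks any pivot back into the management plane.
HARDENED_POLICY = [
    Rule("untrusted", "dmz", 443, "accept"),
    Rule("vpn", "management", 22, "accept"),
    Rule("vpn", "management", 3389, "accept"),
    Rule("management", "dmz", 22, "accept"),
    Rule("management", "internal", 22, "accept"),
    Rule("management", "internal", 3389, "accept"),
]

if __name__ == "__main__":
    for name, policy, zone in (("weak", WEAK_POLICY, "dmz"),
                               ("hardened", HARDENED_POLICY, "management")):
        findings = audit(policy, zone)
        print(f"{name} policy, bastion in {zone}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run stand-alone, the weak policy produces three findings (the Internet can reach the bastion's zone on 22 and 443, the DMZ may open any port into Internal, and there is no VPN path at all), while the hardened policy produces none. The third check matters in practice: a management zone that nothing can reach is "secure" but useless, so the audit asserts the intended path exists as well as the unintended ones being absent.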
Network and Communication Security