Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Network Security

Practice CC Network Security questions with full explanations on every answer.

120 questions

All CC Network Security questions (120)

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

Which OSI layer is responsible for routing packets across networks using IP addresses?

2

A security analyst notices unusual traffic from an internal workstation to an external IP address on port 25. Which protocol is most likely being used?

3

In the OSI model, which layer uses MAC addresses to forward frames and supports VLANs?

4

An attacker captures network traffic and forges the source IP address to impersonate a trusted host. Which type of network threat is this?

5

A security engineer is configuring a network security device that can block malicious HTTP requests based on application-layer inspection. Which device type is most suitable?

6

Which TCP segment is sent to initiate the three-way handshake?

7

An organization wants to place its public web server, email server, and DNS server in a network that is accessible from the internet but isolated from the internal corporate network. Which network design should be used?

8

Which firewall type inspects the entire packet, including application data, and can enforce rules based on user identity?

9

A security analyst detects an ARP spoofing attack on the local network. What is the primary goal of an ARP spoofing attack?

10

Which protocol is considered insecure because it transmits data in cleartext, including passwords?

11

During a DDoS attack, a company's web server is overwhelmed with a high volume of SYN packets from spoofed IP addresses, never completing the TCP handshake. Which type of attack is this?

12

Which security control would best mitigate the risk of network sniffing on a wired LAN segment?

13

A network administrator is designing a DMZ to host a web server, an email server, and a DNS server. Which TWO of the following principles should be applied to secure the DMZ? (Select TWO.)

14

An organization is selecting a network security solution to protect against advanced threats. Which THREE features are characteristic of a Next-Generation Firewall (NGFW)? (Select THREE.)

15

A security team is investigating a potential man-in-the-middle attack. Which TWO of the following are common techniques used in MITM attacks? (Select TWO.)

16

A security analyst notices unusual traffic on the network and wants to capture packets for analysis without altering traffic. Which device should they use?

17

A company wants to isolate its public web server from internal networks to reduce risk. The server must be accessible from the internet. Which network architecture should be used?

18

An attacker sends forged ARP messages to associate their MAC address with the IP address of a legitimate server. This allows the attacker to intercept traffic intended for that server. What is this attack?

19

Which transport layer protocol is used by voice over IP (VoIP) applications that require low latency and can tolerate some packet loss?

20

A firewall that filters traffic based solely on source and destination IP addresses and ports without considering the state of connections is known as a:

21

An organization wants to implement a network security device that can block malicious traffic in real-time and must be placed inline. Which device should be chosen?

22

Which of the following is a common mitigation technique for a SYN flood attack?

23

A technician is configuring a firewall to allow secure web traffic. Which port and protocol should be permitted?

24

Which layer of the OSI model is responsible for routing packets across networks?

25

An attacker intercepts communications between a client and server by establishing independent connections with each. The client believes it is talking to the server, but the attacker relays messages. What is this attack?

26

Which of the following is a characteristic of a stateful firewall that distinguishes it from a stateless firewall?

27

Which protocol is used to resolve IP addresses to MAC addresses on a local network?

28

A security analyst is investigating a potential DDoS attack on the company's web server. Which two symptoms are indicative of a SYN flood attack? (Select TWO.)

29

An organization wants to implement network segmentation to improve security. Which three methods are commonly used for network segmentation? (Select THREE.)

30

Which two of the following are best practices to mitigate man-in-the-middle attacks? (Select TWO.)

31

Which OSI layer is responsible for routing packets based on IP addresses?

32

An attacker captures network traffic using Wireshark and reads unencrypted emails. Which security goal is most directly compromised?

33

A network administrator wants to control traffic based on source and destination IP addresses and port numbers, while also tracking the state of connections. Which type of firewall should they choose?

34

A security analyst notices a high volume of ICMP Echo Reply packets from an external server to an internal host that never sent Echo Requests. Which type of attack is likely occurring?

35

Which protocol is used to resolve IP addresses to MAC addresses on a local network?

36

A company places a web server and an email server in a separate network segment that is accessible from the internet but isolated from the internal LAN. What is this segment called?

37

An organization wants to prevent malicious HTTP requests targeting a web application. Which security device is specifically designed for this purpose?

38

Which of the following is a connectionless, unreliable transport protocol?

39

An attacker intercepts communication between two parties by sending forged ARP messages. This is an example of which type of attack?

40

Which of the following ports is used by HTTPS for secure web traffic?

41

What is the primary difference between an IDS and an IPS?

42

A network engineer wants to mitigate ARP spoofing attacks. Which of the following is the most effective technique?

43

A security analyst is investigating a potential DDoS attack. Which of the following are common indicators of a DDoS? (Choose TWO)

44

Which of the following are effective defenses against man-in-the-middle attacks? (Choose THREE)

45

A network administrator is planning to segment the network. Which of the following are valid segmentation methods? (Choose TWO)

46

A network administrator needs to allow secure remote management of a router. Which protocol and port should be used?

47

An organization wants to allow external users to securely access internal web applications. Which network security device is specifically designed to inspect HTTP/HTTPS traffic and block malicious requests?

48

During a penetration test, an analyst uses a tool to intercept and modify traffic between a client and server by exploiting the Address Resolution Protocol (ARP). This attack is an example of which type of threat?

49

Which firewall type operates at Layer 3 and Layer 4, making decisions based solely on source/destination IP and port numbers?

50

A company's public web server is placed in a separate network segment that is accessible from the internet but isolated from the internal LAN. What is this network architecture called?

51

A security analyst detects a large number of incomplete TCP connection requests (SYN segments) directed at a server. This is indicative of which type of attack?

52

An organization decides to implement an Intrusion Prevention System (IPS) to protect its network. Which statement about an IPS compared to an IDS is correct?

53

Which protocol operates at the Transport layer of the OSI model and is connectionless and unreliable?

54

A network administrator is configuring a switch to logically separate the Accounting and HR departments on the same physical switch. Which technology should be used?

55

An attacker sends an email to an employee that appears to come from the CEO, asking for sensitive data. This is an example of which type of threat?

56

A security engineer is evaluating different firewall architectures. Which firewall type can decrypt SSL/TLS traffic, inspect the contents, and then re-encrypt it?

57

Which OSI layer is responsible for logical addressing and routing?

58

A security analyst is deploying network security devices. Which TWO of the following are characteristics of an Intrusion Detection System (IDS)?

59

Which THREE of the following are common mitigation techniques against Denial of Service (DoS) attacks?

60

A security team is analyzing network segmentation strategies. Which THREE of the following are benefits of using VLANs for network segmentation?

61

A network administrator is troubleshooting connectivity issues and suspects a problem at the Data Link layer. Which of the following addresses would be most relevant to examine?

62

Which of the following protocols operates at the Transport layer and provides reliable, connection-oriented communication?

63

An organization wants to securely manage network devices from remote locations. Which of the following protocols should be used for command-line access?

64

A security analyst detects a large number of half-open TCP connections targeting a web server. This is most likely indicative of what type of attack?

65

Which firewall type is capable of inspecting the contents of application-layer traffic, such as HTTP requests, to detect malicious patterns?

66

A company wants to host a public-facing web server and an email server while protecting the internal network. Which network architecture is best suited for this purpose?

67

An organization experiences intermittent network outages. The security team notices that the ARP cache on several switches has entries pointing to an unknown MAC address for the default gateway. Which attack is most likely occurring?

68

Which of the following ports is commonly used for secure web traffic (HTTPS)?

69

A security analyst wants to detect malicious traffic on the network without affecting performance. Which type of device should be deployed?

70

During a security assessment, a penetration tester captures network traffic and notices that the source IP address in packets appears to be from a different network. Which technique is the attacker likely using?

71

A company deploys a device that inspects HTTP and HTTPS traffic to block SQL injection and cross-site scripting attacks. This device is best described as a:

72

Which of the following is a benefit of using VLANs in a network?

73

A security analyst is reviewing network traffic and needs to identify which of the following protocols are inherently insecure because they transmit data in cleartext. (Select TWO.)

74

An organization wants to ensure that only authorized devices can connect to the wired network. Which TWO methods can be used to enforce this?

75

A company is experiencing a distributed denial-of-service (DDoS) attack that is overwhelming the network bandwidth. Which THREE mitigation techniques are most effective?

76

A network administrator is troubleshooting connectivity issues and notices that frames are being dropped due to excessive collisions. Which OSI layer is most directly associated with this issue?

77

Which protocol is used to resolve IP addresses to MAC addresses on a local network?

78

A security analyst detects a large volume of small ICMP echo request packets from multiple external sources targeting a single internal server, causing the server to become unresponsive. Which type of attack is this?

79

Which firewall type reads packet headers and also tracks the state of active connections to make filtering decisions?

80

An organization wants to segment its network so that public-facing servers are isolated from internal users. Which network design component should be used?

81

Which of the following is a security concern associated with the Telnet protocol?

82

An attacker sends a forged ARP response to a switch, associating the attacker's MAC address with the IP address of the default gateway. The switch updates its ARP cache accordingly. This is an example of which attack?

83

An IT administrator wants to inspect HTTP traffic for malicious payloads such as SQL injection. Which network security device is most appropriate?

84

Which protocol operates at the Transport layer and provides reliable, connection-oriented data delivery?

85

A company deploys a network security device that can block malicious traffic in real-time by inspecting packet payloads and application data. However, the device occasionally blocks legitimate traffic. Which device is described?

86

An organization uses a network segmentation strategy that creates separate broadcast domains on a single switch. Which technology is being used?

87

Which of the following ports is used by HTTPS?

88

A security analyst is reviewing network traffic and notices that some devices are using a protocol that does not guarantee delivery and has no error recovery. Which TWO transport layer protocols fit this description? (Select TWO)

89

An organization wants to protect its internal network from unsolicited inbound traffic while allowing responses to outbound connections. Which TWO firewall features or types are best suited for this? (Select TWO)

90

A network administrator is implementing a DMZ to host a web server and an email server. Which THREE security best practices should be followed? (Select THREE)

91

A security analyst notices unusual traffic on the network. Using Wireshark, they capture packets and see that an attacker is reading all unencrypted data from the network segment. Which type of attack is most likely being performed?

92

Which OSI layer is responsible for logical addressing, routing, and forwarding of packets, and where does an IP address operate?

93

A company deploys a firewall that inspects packet headers and maintains a state table to track active connections. It drops any incoming packets that do not match an established connection. What type of firewall is this?

94

An organization wants to separate its internal network from a publicly accessible web server. Which network segmentation technique should be used to isolate the web server while allowing controlled access?

95

A security administrator is configuring a network device that monitors traffic and generates alerts when suspicious patterns are detected. The device does not block traffic. Which type of system is being deployed?

96

An attacker sends a flood of SYN packets to a server, never completing the three-way handshake, exhausting the server's resources and causing it to become unresponsive. What type of attack is this?

97

A company is deploying a security device that inspects HTTP and HTTPS traffic, applies OWASP rules, and can block malicious requests before they reach the web server. Which device best fits this description?

98

An organization decides to implement a security control that can detect and block attacks in real-time by sitting inline in the network. Which of the following should be chosen to meet these requirements?

99

Which protocol is considered insecure because it transmits data, including passwords, in cleartext, and its use should be avoided in favor of more secure alternatives?

100

Which common port is used by DNS and which transport layer protocol does it primarily use?

101

A company's network has multiple VLANs. An attacker on VLAN 10 sends a frame with a forged source MAC address to a switch, hoping to intercept traffic intended for the default gateway. Which attack is being executed?

102

Which port number is associated with HTTPS, and what protocol encrypts the communication?

103

A security analyst is investigating a potential man-in-the-middle attack. Which two techniques are commonly used by attackers to perform MITM attacks? (Choose two.)

104

Which three of the following are benefits of using VLANs in a network? (Choose three.)

105

An organization is planning to deploy a DMZ to host web and email servers accessible from the internet. Which three security best practices should be implemented for the DMZ? (Choose three.)

106

Which layer of the OSI model is responsible for routing packets based on IP addresses?

107

A security analyst notices an unusually high number of incomplete TCP connection requests. Which type of attack is most likely occurring?

108

An organization deploys a network security device that inspects application-layer payloads, can block malicious HTTP requests, and uses OWASP rules. Which type of device is this?

109

A network administrator needs to segment traffic between departments without additional hardware. Which technology allows this logical separation on a Layer 2 switch?

110

Which protocol is considered insecure because it transmits data, including credentials, in cleartext?

111

A security team deploys a passive device that monitors network traffic and generates alerts when it detects suspicious patterns, but it does not take any action. This device is best described as a:

112

A company wants to protect its internal web server from common web application attacks. Which two security measures are most appropriate? (Choose TWO.)

113

Which two protocols operate at the Transport layer of the OSI model? (Choose TWO.)

114

A network engineer is designing a DMZ. Which three servers should typically be placed in the DMZ? (Choose THREE.)

115

An organization is experiencing network attacks where the attacker forges the source IP address. Which two types of attacks commonly use IP spoofing? (Choose TWO.)

116

Which two of the following are characteristics of a stateful firewall? (Choose TWO.)

117

A security analyst wants to detect and analyze attacker behavior by deploying a decoy system. Which three characteristics apply to a honeypot? (Choose THREE.)

118

A company wants to mitigate the risk of a man-in-the-middle (MITM) attack. Which three measures are effective? (Choose THREE.)

119

Which three ports are commonly used by secure protocols? (Choose THREE.)

120

A network administrator needs to segment traffic and isolate sensitive systems. Which two technologies can achieve this? (Choose TWO.)

Frequently asked questions

What does the Network Security domain cover on the CC exam?

The Network Security domain covers the key concepts tested in this area of the CC exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CC domains — no account required.

How many Network Security questions are in the CC question bank?

The Courseiva CC question bank contains 120 questions in the Network Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Network Security for CC?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Network Security questions for CC?

Yes — the session launcher on this page draws questions exclusively from the Network Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
