Practice CC Network Security questions with full explanations on every answer.
1. Which OSI layer is responsible for routing packets across networks using IP addresses?
2. A security analyst notices unusual traffic from an internal workstation to an external IP address on port 25. Which protocol is most likely being used?
3. In the OSI model, which layer uses MAC addresses to forward frames and supports VLANs?
4. An attacker captures network traffic and forges the source IP address to impersonate a trusted host. Which type of network threat is this?
5. A security engineer is configuring a network security device that can block malicious HTTP requests based on application-layer inspection. Which device type is most suitable?
6. Which TCP segment is sent to initiate the three-way handshake?
7. An organization wants to place its public web server, email server, and DNS server in a network that is accessible from the internet but isolated from the internal corporate network. Which network design should be used?
8. Which firewall type inspects the entire packet, including application data, and can enforce rules based on user identity?
9. A security analyst detects an ARP spoofing attack on the local network. What is the primary goal of an ARP spoofing attack?
10. Which protocol is considered insecure because it transmits data in cleartext, including passwords?
11. During a DDoS attack, a company's web server is overwhelmed with a high volume of SYN packets from spoofed IP addresses, never completing the TCP handshake. Which type of attack is this?
12. Which security control would best mitigate the risk of network sniffing on a wired LAN segment?
13. A network administrator is designing a DMZ to host a web server, an email server, and a DNS server. Which TWO of the following principles should be applied to secure the DMZ? (Select TWO.)
14. An organization is selecting a network security solution to protect against advanced threats. Which THREE features are characteristic of a Next-Generation Firewall (NGFW)? (Select THREE.)
15. A security team is investigating a potential man-in-the-middle attack. Which TWO of the following are common techniques used in MITM attacks? (Select TWO.)
16. A security analyst notices unusual traffic on the network and wants to capture packets for analysis without altering traffic. Which device should they use?
17. A company wants to isolate its public web server from internal networks to reduce risk. The server must be accessible from the internet. Which network architecture should be used?
18. An attacker sends forged ARP messages to associate their MAC address with the IP address of a legitimate server. This allows the attacker to intercept traffic intended for that server. What is this attack?
19. Which transport layer protocol is used by voice over IP (VoIP) applications that require low latency and can tolerate some packet loss?
20. A firewall that filters traffic based solely on source and destination IP addresses and ports without considering the state of connections is known as a:
21. An organization wants to implement a network security device that can block malicious traffic in real-time and must be placed inline. Which device should be chosen?
22. Which of the following is a common mitigation technique for a SYN flood attack?
23. A technician is configuring a firewall to allow secure web traffic. Which port and protocol should be permitted?
24. Which layer of the OSI model is responsible for routing packets across networks?
25. An attacker intercepts communications between a client and server by establishing independent connections with each. The client believes it is talking to the server, but the attacker relays messages. What is this attack?
26. Which of the following is a characteristic of a stateful firewall that distinguishes it from a stateless firewall?
27. Which protocol is used to resolve IP addresses to MAC addresses on a local network?
28. A security analyst is investigating a potential DDoS attack on the company's web server. Which two symptoms are indicative of a SYN flood attack? (Select TWO.)
29. An organization wants to implement network segmentation to improve security. Which three methods are commonly used for network segmentation? (Select THREE.)
30. Which two of the following are best practices to mitigate man-in-the-middle attacks? (Select TWO.)
31. Which OSI layer is responsible for routing packets based on IP addresses?
32. An attacker captures network traffic using Wireshark and reads unencrypted emails. Which security goal is most directly compromised?
33. A network administrator wants to control traffic based on source and destination IP addresses and port numbers, while also tracking the state of connections. Which type of firewall should they choose?
34. A security analyst notices a high volume of ICMP Echo Reply packets from an external server to an internal host that never sent Echo Requests. Which type of attack is likely occurring?
35. Which protocol is used to resolve IP addresses to MAC addresses on a local network?
36. A company places a web server and an email server in a separate network segment that is accessible from the internet but isolated from the internal LAN. What is this segment called?
37. An organization wants to prevent malicious HTTP requests targeting a web application. Which security device is specifically designed for this purpose?
38. Which of the following is a connectionless, unreliable transport protocol?
39. An attacker intercepts communication between two parties by sending forged ARP messages. This is an example of which type of attack?
40. Which of the following ports is used by HTTPS for secure web traffic?
41. What is the primary difference between an IDS and an IPS?
42. A network engineer wants to mitigate ARP spoofing attacks. Which of the following is the most effective technique?
43. A security analyst is investigating a potential DDoS attack. Which of the following are common indicators of a DDoS? (Choose TWO)
44. Which of the following are effective defenses against man-in-the-middle attacks? (Choose THREE)
45. A network administrator is planning to segment the network. Which of the following are valid segmentation methods? (Choose TWO)
46. A network administrator needs to allow secure remote management of a router. Which protocol and port should be used?
47. An organization wants to allow external users to securely access internal web applications. Which network security device is specifically designed to inspect HTTP/HTTPS traffic and block malicious requests?
48. During a penetration test, an analyst uses a tool to intercept and modify traffic between a client and server by exploiting the Address Resolution Protocol (ARP). This attack is an example of which type of threat?
49. Which firewall type operates at Layer 3 and Layer 4, making decisions based solely on source/destination IP and port numbers?
50. A company's public web server is placed in a separate network segment that is accessible from the internet but isolated from the internal LAN. What is this network architecture called?
51. A security analyst detects a large number of incomplete TCP connection requests (SYN segments) directed at a server. This is indicative of which type of attack?
52. An organization decides to implement an Intrusion Prevention System (IPS) to protect its network. Which statement about an IPS compared to an IDS is correct?
53. Which protocol operates at the Transport layer of the OSI model and is connectionless and unreliable?
54. A network administrator is configuring a switch to logically separate the Accounting and HR departments on the same physical switch. Which technology should be used?
55. An attacker sends an email to an employee that appears to come from the CEO, asking for sensitive data. This is an example of which type of threat?
56. A security engineer is evaluating different firewall architectures. Which firewall type can decrypt SSL/TLS traffic, inspect the contents, and then re-encrypt it?
57. Which OSI layer is responsible for logical addressing and routing?
58. A security analyst is deploying network security devices. Which TWO of the following are characteristics of an Intrusion Detection System (IDS)?
59. Which THREE of the following are common mitigation techniques against Denial of Service (DoS) attacks?
60. A security team is analyzing network segmentation strategies. Which THREE of the following are benefits of using VLANs for network segmentation?
61. A network administrator is troubleshooting connectivity issues and suspects a problem at the Data Link layer. Which of the following addresses would be most relevant to examine?
62. Which of the following protocols operates at the Transport layer and provides reliable, connection-oriented communication?
63. An organization wants to securely manage network devices from remote locations. Which of the following protocols should be used for command-line access?
64. A security analyst detects a large number of half-open TCP connections targeting a web server. This is most likely indicative of what type of attack?
65. Which firewall type is capable of inspecting the contents of application-layer traffic, such as HTTP requests, to detect malicious patterns?
66. A company wants to host a public-facing web server and an email server while protecting the internal network. Which network architecture is best suited for this purpose?
67. An organization experiences intermittent network outages. The security team notices that the ARP cache on several switches has entries pointing to an unknown MAC address for the default gateway. Which attack is most likely occurring?
68. Which of the following ports is commonly used for secure web traffic (HTTPS)?
69. A security analyst wants to detect malicious traffic on the network without affecting performance. Which type of device should be deployed?
70. During a security assessment, a penetration tester captures network traffic and notices that the source IP address in packets appears to be from a different network. Which technique is the attacker likely using?
71. A company deploys a device that inspects HTTP and HTTPS traffic to block SQL injection and cross-site scripting attacks. This device is best described as a:
72. Which of the following is a benefit of using VLANs in a network?
73. A security analyst is reviewing network traffic and needs to identify which of the following protocols are inherently insecure because they transmit data in cleartext. (Select TWO.)
74. An organization wants to ensure that only authorized devices can connect to the wired network. Which TWO methods can be used to enforce this?
75. A company is experiencing a distributed denial-of-service (DDoS) attack that is overwhelming the network bandwidth. Which THREE mitigation techniques are most effective?
76. A network administrator is troubleshooting connectivity issues and notices that frames are being dropped due to excessive collisions. Which OSI layer is most directly associated with this issue?
77. Which protocol is used to resolve IP addresses to MAC addresses on a local network?
78. A security analyst detects a large volume of small ICMP echo request packets from multiple external sources targeting a single internal server, causing the server to become unresponsive. Which type of attack is this?
79. Which firewall type reads packet headers and also tracks the state of active connections to make filtering decisions?
80. An organization wants to segment its network so that public-facing servers are isolated from internal users. Which network design component should be used?
81. Which of the following is a security concern associated with the Telnet protocol?
82. An attacker sends a forged ARP response to a switch, associating the attacker's MAC address with the IP address of the default gateway. The switch updates its ARP cache accordingly. This is an example of which attack?
83. An IT administrator wants to inspect HTTP traffic for malicious payloads such as SQL injection. Which network security device is most appropriate?
84. Which protocol operates at the Transport layer and provides reliable, connection-oriented data delivery?
85. A company deploys a network security device that can block malicious traffic in real-time by inspecting packet payloads and application data. However, the device occasionally blocks legitimate traffic. Which device is described?
86. An organization uses a network segmentation strategy that creates separate broadcast domains on a single switch. Which technology is being used?
87. Which of the following ports is used by HTTPS?
88. A security analyst is reviewing network traffic and notices that some devices are using a protocol that does not guarantee delivery and has no error recovery. Which TWO transport layer protocols fit this description? (Select TWO)
89. An organization wants to protect its internal network from unsolicited inbound traffic while allowing responses to outbound connections. Which TWO firewall features or types are best suited for this? (Select TWO)
90. A network administrator is implementing a DMZ to host a web server and an email server. Which THREE security best practices should be followed? (Select THREE)
91. A security analyst notices unusual traffic on the network. Using Wireshark, they capture packets and see that an attacker is reading all unencrypted data from the network segment. Which type of attack is most likely being performed?
92. Which OSI layer is responsible for logical addressing, routing, and forwarding of packets, and where does an IP address operate?
93. A company deploys a firewall that inspects packet headers and maintains a state table to track active connections. It drops any incoming packets that do not match an established connection. What type of firewall is this?
94. An organization wants to separate its internal network from a publicly accessible web server. Which network segmentation technique should be used to isolate the web server while allowing controlled access?
95. A security administrator is configuring a network device that monitors traffic and generates alerts when suspicious patterns are detected. The device does not block traffic. Which type of system is being deployed?
96. An attacker sends a flood of SYN packets to a server, never completing the three-way handshake, exhausting the server's resources and causing it to become unresponsive. What type of attack is this?
97. A company is deploying a security device that inspects HTTP and HTTPS traffic, applies OWASP rules, and can block malicious requests before they reach the web server. Which device best fits this description?
98. An organization decides to implement a security control that can detect and block attacks in real-time by sitting inline in the network. Which of the following should be chosen to meet these requirements?
99. Which protocol is considered insecure because it transmits data, including passwords, in cleartext, and its use should be avoided in favor of more secure alternatives?
100. Which common port is used by DNS and which transport layer protocol does it primarily use?
101. A company's network has multiple VLANs. An attacker on VLAN 10 sends a frame with a forged source MAC address to a switch, hoping to intercept traffic intended for the default gateway. Which attack is being executed?
102. Which port number is associated with HTTPS, and what protocol encrypts the communication?
103. A security analyst is investigating a potential man-in-the-middle attack. Which two techniques are commonly used by attackers to perform MITM attacks? (Choose two.)
104. Which three of the following are benefits of using VLANs in a network? (Choose three.)
105. An organization is planning to deploy a DMZ to host web and email servers accessible from the internet. Which three security best practices should be implemented for the DMZ? (Choose three.)
106. Which layer of the OSI model is responsible for routing packets based on IP addresses?
107. A security analyst notices an unusually high number of incomplete TCP connection requests. Which type of attack is most likely occurring?
108. An organization deploys a network security device that inspects application-layer payloads, can block malicious HTTP requests, and uses OWASP rules. Which type of device is this?
109. A network administrator needs to segment traffic between departments without additional hardware. Which technology allows this logical separation on a Layer 2 switch?
110. Which protocol is considered insecure because it transmits data, including credentials, in cleartext?
111. A security team deploys a passive device that monitors network traffic and generates alerts when it detects suspicious patterns, but it does not take any action. This device is best described as a:
112. A company wants to protect its internal web server from common web application attacks. Which two security measures are most appropriate? (Choose TWO.)
113. Which two protocols operate at the Transport layer of the OSI model? (Choose TWO.)
114. A network engineer is designing a DMZ. Which three servers should typically be placed in the DMZ? (Choose THREE.)
115. An organization is experiencing network attacks where the attacker forges the source IP address. Which two types of attacks commonly use IP spoofing? (Choose TWO.)
116. Which two of the following are characteristics of a stateful firewall? (Choose TWO.)
117. A security analyst wants to detect and analyze attacker behavior by deploying a decoy system. Which three characteristics apply to a honeypot? (Choose THREE.)
118. A company wants to mitigate the risk of a man-in-the-middle (MITM) attack. Which three measures are effective? (Choose THREE.)
119. Which three ports are commonly used by secure protocols? (Choose THREE.)
120. A network administrator needs to segment traffic and isolate sensitive systems. Which two technologies can achieve this? (Choose TWO.)
The Network Security domain covers the key concepts tested in this area of the CC exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CC domains — no account required.
The Courseiva CC question bank contains 120 questions in the Network Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Network Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.