
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Communication and Network Security

Practice CISSP Communication and Network Security questions with full explanations on every answer.

73 questions


All CISSP Communication and Network Security questions (73)


1

A security engineer is troubleshooting a network where internal users can access internet websites but cannot reach the company's external VPN server (IP 203.0.113.50, UDP port 500). The firewall rule for VPN traffic is correctly configured. What is the most likely cause?

2

A network architect is designing a secure connection between two data centers across an untrusted WAN. The requirement is to encrypt all traffic and authenticate both endpoints. Which protocol should be used?

3

A network administrator notices that users in the accounting department can access the internet but are unable to access the internal payroll server (10.10.10.50). The firewall rule allows traffic from the accounting subnet (10.10.20.0/24) to the payroll server. What is the most likely issue?

4

A company uses WPA2-Enterprise with EAP-TLS for wireless access. An employee reports that a new laptop cannot connect to the wireless network, while older laptops work fine. The employee has installed the correct client certificate. What is the most likely cause?

5

A network engineer is configuring a firewall to allow HTTP traffic from the internet to a web server (10.0.0.10). The firewall has three interfaces: outside (ISP), DMZ (10.0.0.0/24), and inside (192.168.1.0/24). The web server is in the DMZ. Which rule is correct?

6

An organization wants to ensure that employees can securely access internal applications from home. They deploy a VPN solution. Which VPN type provides the strongest encryption and is most commonly used for remote access?

7

A security analyst is reviewing network logs and sees repeated failed connection attempts from an external IP to the company's SSH server (port 22). The firewall has a rule allowing SSH from anywhere. What is the best immediate action to reduce risk?

8

Which TWO security controls are most effective in preventing VLAN hopping attacks?

9

Which THREE of the following are best practices for securing a wireless network?

10

Which TWO of the following are valid reasons to implement network segmentation?

11

Refer to the exhibit. The ACL is applied inbound on the DMZ interface. What is the effect of this configuration?

12

Refer to the exhibit. The VPN tunnel is not coming up. What is the most likely configuration error?

13

You are the security architect for a global financial firm. The organization has recently deployed a new cloud-based application that requires low-latency connections between data centers in New York, London, and Tokyo. The existing WAN uses MPLS L3 VPNs with IPsec encryption. However, the application team reports excessive latency and packet loss during peak hours. The network team confirms that the MPLS links are underutilized, but the IPsec tunnels show high CPU usage on the edge routers. Additionally, the security policy mandates that all inter-data center traffic must be encrypted and authenticated. The firm has a budget for hardware upgrades but wants to minimize operational changes. Which of the following is the BEST course of action?

14

Drag and drop the steps for a secure software development lifecycle (SDLC) in the correct order.

15

Match each threat type to its description.

16

A company uses VLANs to separate traffic between the IT, HR, and Finance departments. A user in the HR VLAN reports that she cannot access a file server located in the IT VLAN. The file server's default gateway is correctly set to the IT VLAN interface. All workstations have correct IP addresses and subnet masks. What is the most likely cause of this issue?

17

A network security analyst receives an alert from the intrusion detection system (IDS) indicating a high volume of TCP SYN packets to a single external IP address from a compromised internal host. This is characteristic of which type of attack?

18

A company is deploying a wireless network for guests. The security requirement is to provide internet access only, with no access to the internal corporate network. Which technology should be used?

19

An organization is implementing IPsec VPN tunnels between multiple branch offices and the main office. The security team notices that the VPN tunnels are established successfully but no traffic passes through. Which of the following is the most likely cause?

20

A company recently suffered a data breach where an attacker was able to intercept network traffic and read sensitive data. Which network security control should be implemented to prevent this type of attack?

21

A network engineer is configuring 802.1X authentication for wired network access. The authentication server supports EAP-TLS. What must be deployed to clients to support this authentication method?

22

During a security assessment, a penetration tester successfully performed a VLAN hopping attack from a host in VLAN 10 to a host in VLAN 20. The switches are configured with IEEE 802.1Q trunking. Which misconfiguration likely allowed this attack?

23

A security architect is designing a network for a high-security data center. The requirement is to ensure that even if an attacker compromises one server, they cannot easily move laterally to other servers in the same data center. Which network design principle should be applied?

24

A security engineer is troubleshooting a site-to-site IPsec VPN between two firewalls. The tunnel status shows Phase 1 is up but Phase 2 is not. Which of the following is the most likely cause?

25

Which TWO of the following are characteristics of a VPN that uses TLS?

26

Which THREE of the following are valid methods for securing wireless networks against unauthorized access?

27

Which TWO of the following are common causes of network performance degradation that can be detected by network monitoring tools?

28

Refer to the exhibit. A security team is reviewing switch configurations and notices that the native VLAN is set to VLAN 10. An attacker on an access port in VLAN 10 sends a frame with a VLAN tag of VLAN 20 inside another frame. Which type of attack does this configuration make possible?

29

Refer to the exhibit. The firewall rules above are applied to the outside interface. A penetration tester from the internet attempts to establish a connection to 192.168.1.10 on TCP port 8080. What will happen?

30

Refer to the exhibit. A security auditor is reviewing the network ACLs for a cloud VPC. Which of the following is the most significant security concern?

31

A company needs to provide secure remote access to employees using company-issued laptops. The solution must support both web applications and legacy client-server apps without installing client software on the laptops. Which VPN technology is best?

32

A network engineer is troubleshooting a slow VPN connection between two sites. The link is symmetric 100 Mbps, but throughput tests show only 20 Mbps. The VPN uses AES-256 encryption. What is the most likely cause?

33

An organization is designing a multicast network for live video streaming. They need to ensure that only authorized receivers can access the multicast group. Which technique should be implemented?

34

A company has multiple offices connected via a WAN. They want to ensure that all traffic between offices is encrypted and authenticated. Which technology is most appropriate?

35

A security analyst receives an alert that a host in the internal network is sending abnormal amounts of traffic to an external IP. The traffic uses destination port 53. What is the most likely attack?

36

A network architect is designing a network to comply with PCI DSS requirements that cardholder data must be encrypted during transmission over open networks. Which protocol should be used for encrypting traffic between a point-of-sale (POS) terminal and the payment gateway?

37

A switch port is configured with port security that allows only one MAC address. The help desk reports that a user's device cannot connect after a laptop is replaced. What should the network administrator do to resolve the issue?

38

A company wants to implement 802.1X authentication on their wired network. Which components are required?

39

During a security audit, it is discovered that a network firewall is allowing traffic based on source IP address only, without inspecting application-layer data. Which type of firewall is this?

40

Which TWO options are valid methods for providing confidentiality in network communications? (Choose two.)

41

Which TWO are common techniques to defend against VLAN hopping attacks? (Choose two.)

42

Which THREE are essential elements of a Transport Layer Security (TLS) handshake? (Choose three.)

43

A security engineer notices that the IKE phase 1 lifetime is set to 3600 seconds. What is a potential security implication?

44

A remote user at 203.0.113.5 cannot access the internal web server at 10.0.0.10 over HTTPS. What is the most likely cause of the denial?

45

A network administrator has configured private VLANs on a switch. The host in this port is part of PVLAN 100, and its associated secondary PVLAN is 200. What is the expected behavior for traffic from this host to other hosts in the same primary VLAN 100?

46

A network engineer is troubleshooting an IPsec VPN tunnel between two sites. The tunnel is established but no traffic is passing. Which command should the engineer use to verify the phase 2 security associations?

47

A company wants to secure its wireless network. Which approach provides the strongest authentication and encryption?

48

In a software-defined network (SDN) architecture, the control plane is separated from the data plane. A network administrator is troubleshooting packet forwarding delays. Which plane is directly responsible for forwarding packets?

49

A security administrator is configuring a stateful firewall to allow HTTP traffic from the internet to a web server. The firewall uses a default-deny policy. What is the correct rule placement?

50

A security analyst is evaluating the impact of upgrading web servers from TLS 1.2 to TLS 1.3. Which advantage does TLS 1.3 offer in terms of handshake efficiency?

51

A remote user needs to securely connect to the corporate network over the internet. Which protocol provides both encryption and authentication?

52

A network analyst suspects a host on the internal network is sending abnormal amounts of traffic. Which tool should be used to capture and analyze the packets?

53

A company uses BGP to exchange routes with its ISP. To prevent prefix hijacking, which mechanism should be implemented?

54

An organization wants to ensure that only devices that meet security policies can connect to the network. Which technology should be deployed?

55

Which two methods provide strong encryption and authentication for wireless networks? (Choose TWO.)

56

Which three are network-layer security controls in a defense-in-depth strategy? (Choose THREE.)

57

Which three BGP security mechanisms help protect against route hijacking? (Choose THREE.)

58

Refer to the exhibit. Based on the output, which integrity algorithm is configured for the IPsec tunnel?

59

Refer to the exhibit. A security analyst is reviewing the network ACL inbound rules. Which statement is true?

60

A multinational corporation operates a private MPLS VPN network connecting 50 branch offices to a central data center. The network uses BGP as the routing protocol within the VPN, with each branch announcing its internal prefixes to the data center routers. Over the past week, several branch offices have reported intermittent connectivity issues, with traffic being routed to incorrect destinations before recovering. Network logs show that during these incidents, the data center router receives unexpected BGP updates from one of the branch routers, advertising prefixes that belong to other branches. BGP sessions remain established without flaps. The security team is concerned that this could be a route leak or intentional hijack. The network engineer has verified that all BGP sessions are authenticated with MD5 and that RPKI validation is not currently deployed. Which course of action should the engineer take first to mitigate the issue?

61

A network administrator is configuring switches to prevent VLAN hopping attacks. Which TWO of the following measures should be implemented?

62

A small company with 50 employees operates a flat network where all workstations, servers, and printers are on a single subnet without segmentation. The company recently suffered a ransomware outbreak that spread rapidly from an infected workstation to the file server and multiple other machines, causing significant downtime. The IT manager wants to redesign the network to contain future outbreaks and limit lateral movement. The budget is limited, and the environment uses a mixture of managed and unmanaged switches. Which course of action would BEST mitigate the risk of lateral spread while minimizing cost and complexity?

63

A multinational corporation maintains site-to-site IPsec VPN tunnels between its headquarters and three regional branch offices. Over the past week, the tunnels have been dropping intermittently, causing disruption to real-time applications. The network team checked logs and found frequent 'Phase 2 rekey failure' messages. The tunnels are configured with IKEv1 and preshared keys. The headquarters uses a Cisco ASA, and the branches use various vendors' firewalls. The team verified that firewall policies allow IPsec traffic, and there is no packet loss on the WAN links. Which action should the team take to resolve the issue most effectively?

64

A financial institution is implementing a zero-trust network architecture (ZTNA) using micro-segmentation. They have a legacy accounting application that runs on a Windows Server and communicates with multiple client workstations using both TCP and UDP dynamic ports (49152-65535) for various features. After deploying strict host-based firewall rules that only allow specific ports, users report that the application frequently loses connection and fails to authenticate. The security team verified that the application's required ports are allowed, but the dynamic port negotiation fails because the application uses a proprietary protocol that includes ephemeral ports outside the allowed range. The application vendor is no longer supporting it. The organization cannot replace the application immediately. What is the MOST effective short-term solution?

65

A large hospital uses a wireless LAN (WLAN) for mobile medical devices and staff tablets. Recently, nurses reported intermittent connectivity drops and high retransmission rates specifically in the east wing near the elevator banks. The WLAN is based on 802.11ac in the 5 GHz band. The hospital's IT team has already checked for channel overlap, and the APs are configured to use non-overlapping channels with automatic channel selection. Signal strength in the area is adequate (-65 dBm). However, the retransmission rate spikes during peak hours. Which approach should the network team take FIRST to diagnose and resolve the issue?

66

A security architect is designing a secure communication channel between two remote sites over the internet. Which TWO of the following protocols should be used to ensure confidentiality, integrity, and authentication?

67

Refer to the exhibit. A network administrator sees that IPsec IKE negotiations fail between site A and site B. Site B's firewall has the above ACL applied inbound on the external interface. What is the most likely cause?

68

A company has a headquarters and three branch offices connected via MPLS VPN. Recently, they deployed a new VoIP system across all sites. Users report intermittent call drops and poor voice quality during peak business hours. The network team suspects packet loss and jitter are the cause. The IT manager wants to verify the issue without affecting production traffic. Which of the following is the best course of action?

69

Refer to the exhibit. Which of the following is true regarding the BGP routes received from neighbor 10.1.1.2?

70

Refer to the exhibit. Which of the following statements is correct regarding the connections and access-list?

71

Refer to the exhibit. What is the purpose of the NAT configuration on R1?

72

Refer to the exhibit. Which of the following is true regarding the wireless clients?

73

Refer to the exhibit. An administrator reviews the logs on router1. Which statement describes the events?


Frequently asked questions

What does the Communication and Network Security domain cover on the CISSP exam?

The Communication and Network Security domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.

How many Communication and Network Security questions are in the CISSP question bank?

The Courseiva CISSP question bank contains 73 questions in the Communication and Network Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Communication and Network Security for CISSP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Communication and Network Security questions for CISSP?

Yes — the session launcher on this page draws questions exclusively from the Communication and Network Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
