N10-009 domain

Network Security

Use this page to practise N10-009 Network Security practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

100 questions

Focused practice

Start a Network Security session

All sessions draw only from this domain. Pick a length or try interactive practice with inline explanations.

What the exam tests

What to know about Network Security

Network Security questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Question index

All Network Security questions (100)

1

A security analyst notices that an attacker is sending crafted packets with overlapping IP fragments to a target server, causing the server to crash. Which type of attack is described?

2

A company wants to implement network access control that requires users to authenticate before gaining access to the network. The NAC solution uses a policy that checks for antivirus updates and OS patches. Which component enforces the policy?

3

A security auditor is reviewing firewall logs and notices repeated login attempts from a single external IP address to the company's SSH server. Which type of attack is likely occurring?

4

A network administrator wants to prevent unauthorized devices from connecting to the company's Ethernet ports. The company uses a centralized authentication server. Which IEEE standard should be implemented?

5

A security analyst notices that a web server is receiving a large number of ICMP echo reply packets from many different external hosts. The server did not send any echo requests. Which type of attack is most likely occurring?

6

A company wants to ensure that only authorized employee computers can connect to the wired network. Each computer must be authenticated before it is granted access to the network. Which technology is designed to provide this port-based authentication?

7

A security analyst notices that the company's web server is receiving a high volume of TCP SYN packets from a single source IP address, but the server is not completing the three-way handshake. Which type of attack is most likely occurring?

8

A security administrator is configuring a firewall to allow remote employees to access the company's internal web server (port 443) from the internet. The web server has an internal IP address of 10.0.0.5. The firewall has a public IP of 203.0.113.10. Which type of firewall rule should be created?

9

A security analyst is reviewing firewall logs and sees many incoming packets with a source IP address that matches the internal IP range of the company (10.0.0.0/8) arriving on the external interface. Which type of attack is likely being attempted?

10

A security administrator is configuring a wireless network to use WPA3-Enterprise. Which authentication server protocol is required for WPA3-Enterprise?

11

A security analyst is reviewing DHCP server logs and notices that a single MAC address is sending an extremely high number of DHCP discover packets. The DHCP server is responding, but the client never sends a DHCP request. Which type of attack is most likely occurring?

12

A company is implementing 802.1X port-based authentication on its wired network to ensure only authorized devices can connect. Which of the following servers is required to authenticate users and devices?

13

A security analyst notices that the DHCP server is responding to a large number of DHCP Discover messages from a single MAC address, but that client never sends a DHCP Request to complete the lease. This pattern repeats continuously. Which type of attack is most likely occurring?

14

A company is implementing 802.1X port-based authentication on its wired network to control access. The network uses Active Directory for user accounts. Which type of server must be deployed to authenticate clients connecting to the switch ports?

15

A company is deploying a wireless network that requires the highest level of security for client authentication. The network must use a RADIUS server. Which wireless security standard should be implemented?

16

A security analyst is investigating a potential breach. A network device shows logs indicating that it received packets with a source IP address belonging to the internal network range on its external (internet-facing) interface. This is a classic indication of which type of attack?

17

A security analyst is reviewing logs and finds that a single MAC address is rapidly requesting IP addresses from a DHCP server, each time with a different client ID. The DHCP server is exhausting its address pool. Which type of attack is occurring?

18

A network administrator is configuring a firewall to allow external users to securely access an internal web server. Which security technique should be used to place the web server in a separate, isolated network segment that is still accessible from the internet?

19

A network security analyst notices that the firewall is logging traffic on the external interface that has a source IP address of 10.0.1.5, which is within the internal network range. This is most likely the result of which type of attack?

20

An organization wants to implement a security solution that uses a cloud-based service to inspect all incoming web traffic for malware and policy violations before it reaches the internal network. This type of solution is known as a:

21

A company wants to deploy a wireless network with the highest level of security for client authentication. The network will use a RADIUS server. Which authentication method should be used?

22

A network administrator reviews firewall logs and sees thousands of SYN packets coming from various source IP addresses to a single internal web server. No ACK or RST packets are observed from these sources. Which type of attack is most likely occurring?

23

A company wants to allow external users to access a web server located in the DMZ. The firewall has three interfaces: inside, outside, and DMZ. Which firewall rule is necessary?

24

A company hosts a web server in a DMZ. The firewall has three interfaces: inside (corporate network), outside (Internet), and DMZ. Which firewall rule is necessary to allow external users to access the web server?

25

A network administrator notices that a large number of ICMP echo request packets are being sent to the broadcast address of the network from a single host. This is causing performance degradation. Which type of attack is this?

26

A security analyst detects a large number of DNS queries for the same domain from multiple internal hosts. The responses contain large payloads. Which type of attack is likely occurring?

27

A company wants to allow inbound HTTPS traffic to a web server located in the DMZ from the Internet. The firewall has three interfaces: Inside (corporate network), Outside (Internet), and DMZ (web server). Which of the following firewall rules is required?

28

A network administrator wants to prevent unauthorized DHCP servers from offering IP addresses to clients on a switch. Which security feature should be enabled?

29

A security analyst needs to deploy a device that can perform deep packet inspection and block specific application-layer attacks in real time. Which of the following devices is MOST appropriate for this purpose?

30

A security analyst receives an alert that an internal user's workstation is sending a high volume of ARP requests for multiple IP addresses on the local subnet. The analyst suspects a man-in-the-middle attack. Which security mechanism is most effective at mitigating this type of attack on a switched network?

31

A network administrator wants to prevent unauthorized devices from connecting to the network through a switch port. Which security feature should be enabled on the switch?

32

A network security analyst notices high CPU utilization on the core switch and detects a large volume of ARP replies from a single IP address that claims to be the default gateway for all local subnets. Which type of attack is MOST likely occurring?

33

Which of the following security mechanisms requires a user to authenticate before gaining access to the wired network at a switch port?

34

A security analyst has enabled DHCP snooping on all VLANs of the company's switches to mitigate the risk of rogue DHCP servers. After implementation, the analyst discovers that clients are still receiving IP addresses from an unauthorized DHCP server. The unauthorized server is connected to a switch port that is currently configured as a trusted port. What should the analyst do to stop the rogue DHCP server from offering addresses?

35

A company's public web server is experiencing a flood of TCP SYN packets from multiple external IP addresses. The server's connection table is full, causing new legitimate connections to be dropped. Which of the following mitigation techniques should be implemented to protect the server while still allowing legitimate traffic?

36

A company wants to prevent unauthorized users from plugging into network jacks and gaining access to the wired network. Which of the following security mechanisms should be implemented at the switch level?

37

An IT security analyst is implementing a solution to detect malware on endpoints by monitoring system calls and file integrity. Which of the following types of controls is being deployed?

38

A security analyst is investigating a user's complaint that their wireless connection keeps disconnecting. The analyst uses a wireless scanning tool and discovers two access points broadcasting the same SSID 'CorpNet' with different BSSIDs. One is the legitimate company AP on channel 1, and the other is on channel 11 with a strong signal and security set to 'Open'. Which of the following attacks is most likely occurring?

39

A company wants to ensure that only authorized devices that comply with security policies (such as updated antivirus and OS patches) are allowed to connect to the internal network. Both wired and wireless connections are used. Which of the following security solutions would best enforce this requirement?

40

A security analyst observes that a workstation on the network is sending unsolicited ARP replies stating that the workstation's MAC address corresponds to the default gateway IP for all subnets. This behavior is causing other devices to send traffic destined for external networks to the workstation instead of the legitimate gateway. Which type of attack is being performed?

41

A company wants to prevent unauthorized devices from connecting to the wired network by authenticating users or devices before granting network access. Which of the following technologies should be implemented on the switch ports to achieve this?

42

A company wants to ensure that only users who have successfully authenticated with Active Directory credentials can access the wired network. The network switches support IEEE 802.1X. Which additional component must be deployed to complete the solution?

43

A network administrator notices that several workstations on the network are receiving IP addresses from an unknown source, causing intermittent connectivity issues. The DHCP server is located in the server room and is the only authorized DHCP server. Which security feature should be implemented on the access switches to prevent rogue DHCP servers from distributing IP addresses?

44

A company's wireless network currently uses WPA2-PSK with a shared passphrase. A security audit identifies that the passphrase is weak and shared among all employees. Which of the following would provide the MOST secure wireless access while addressing the shared passphrase issue?

45

A network security analyst notices that a switch's CPU utilization is spiking and that the switch is flooding unicast frames to all ports. The analyst suspects a MAC address table overflow attack. Which of the following security features should be configured on the switch's access ports to mitigate this type of attack?

46

A network engineer is deploying 802.1X authentication for a wireless network. The security policy requires mutual authentication between the client and the network using certificates on both ends. Which EAP method should the engineer select?

47

An employee plugs a personal laptop into a network jack and then the laptop is infected with malware that spreads to other devices on the network. Which security control would have most effectively prevented this scenario?

48

During a security audit, a consultant discovers that encrypted traffic between a client and a web server is being decrypted and re-encrypted by an intermediate device on the network path. Which type of attack best describes this scenario?

49

A security analyst notices that the network has been flooded with packets that have the same source IP address as the company's internal DNS server. This is likely an example of which type of attack?

50

A company wants to ensure that only authorized users can access the internal network by requiring both a password and a one-time code from a mobile app. This is an example of:

51

A company wants to protect its internal network by placing web servers that need to be accessible from the internet in a separate network segment. Which security architecture best describes this setup?

52

A network security administrator is configuring authentication for network devices and wants to use a protocol that supports separate encryption of the entire authentication packet. Which of the following protocols is designed to encrypt the entire authentication packet and is commonly used with AAA services?

53

A security analyst observes that an internal server is sending a large volume of TCP SYN packets to various external IP addresses, but never completing the three-way handshake. This behavior is indicative of which type of attack?

54

A company wants to prevent unauthorized devices from connecting to the corporate network. The policy requires that only specific MAC addresses are permitted on switch ports. Which security feature should be implemented on the switches?

55

A security analyst is investigating a network anomaly. The analyst notices that the company's web server is receiving a large number of TCP SYN packets from random source IP addresses, all destined for port 80. The web server is responding with SYN-ACK packets, but the connections are never completed. This is causing the server's connection table to fill up, degrading performance for legitimate users. Which type of attack is being described?

56

A company wants to allow employees to securely access internal resources (email, file servers) when working from home over the internet. Which technology should be implemented to create an encrypted tunnel between the employee's remote computer and the corporate network?

57

A security analyst notices that a user's workstation is sending encrypted DNS queries to an external IP address over TCP port 853. This traffic is being used to establish a covert communication channel to bypass the company's security controls. Which technique is being employed?

58

A security team is deploying a new intrusion detection system (IDS) and wants to analyze all traffic entering and exiting the network without introducing latency or a single point of failure. How should the IDS be connected to the network?

59

An organization uses a AAA server for network device authentication. The security team requires that all authentication traffic be fully encrypted and that authorization commands be logged per user. Which protocol is best suited for this requirement?

60

A network administrator wants to prevent unauthorized devices from being plugged into switch ports. Only devices with specific MAC addresses should be allowed on each port. Which switch security feature should be enabled?

61

An organization's security policy requires that all remote access VPN connections use two-factor authentication and that the VPN clients are compliant with the latest patch levels before gaining network access. Which technology combination provides these capabilities?

62

A security analyst notices a large number of incoming TCP packets to a server with the FIN, PSH, and URG flags set. This pattern is characteristic of which type of network scan?

63

A security analyst is investigating a potential data exfiltration. The analyst notices that a server is sending DNS queries to an external IP address on TCP port 53, and the DNS responses are unusually large. The server is not a DNS server. Which technique is most likely being used?

64

A security engineer is configuring port security on a switch to prevent unauthorized devices from connecting. The requirement is that only the first device to connect to a port is allowed, and if a different device connects, the port should be disabled. Which port security violation mode should be configured?

65

An organization has separate VLANs for the HR and Finance departments. Both VLANs use a single Layer 3 switch to route between them. The HR department needs access to a shared printer located in the Finance VLAN, but all other traffic between the VLANs should be blocked. Which of the following should be configured?

66

An organization needs to authenticate network administrators and control which commands each administrator can execute on routers and switches. The solution must support granular per-command authorization and encrypt the entire session. Which protocol is best suited for this requirement?

67

A security analyst detects that an attacker is sending forged ARP replies to associate the attacker's MAC address with the IP address of the default gateway. What is this attack called?

68

A security administrator observes that an employee's workstation is sending large amounts of data to an external IP address on TCP port 443. The workstation is not supposed to initiate outbound connections, and there is no business need for it. What is the most likely cause?

69

A security engineer notices that the company's web server is receiving an overwhelming number of HTTP GET requests from thousands of different IP addresses around the world. The requests are for legitimate pages and are well-formed. The server is becoming unresponsive. Which type of attack is most likely occurring?

70

Which security feature on a switch can prevent an attacker from sending forged ARP messages to redirect traffic?

71

A security analyst is configuring a firewall to allow HTTPS traffic from the internet to an internal web server with a private IP address. The firewall must translate the destination IP address of incoming packets to the private server IP. Which type of NAT should be configured?

72

A security engineer is configuring a site-to-site VPN between two branch offices. The requirement is to encrypt all traffic between the two networks using IPsec. Which IPsec mode should be used to encrypt the entire IP packet including the original header?

73

A network administrator wants to prevent unauthorized devices from connecting to the network by limiting the number of MAC addresses allowed on a switch port. Which security feature should be configured?

74

A network administrator wants to prevent rogue DHCP servers from offering IP addresses to clients on the network. Which security feature should be enabled on the switches?

75

A company is implementing network access control to ensure only authenticated users can connect to the wired network. Users must authenticate using their domain credentials before gaining full network access. Which standard should be implemented?

76

A security analyst discovers that users on the network are receiving ARP replies that map the default gateway IP address to an unknown MAC address. This is causing intermittent connectivity issues. Which type of attack is occurring, and what security feature should be implemented to prevent it?

77

A security engineer is configuring a firewall to protect an internal network. The requirement is that internal users can initiate connections to the internet, but external hosts should not be able to initiate connections to internal hosts unless the internal host first requested the connection. Which firewall technology should be used?

78

A security analyst discovers that an attacker is sending large numbers of incomplete TCP connection requests to a server, causing the server to run out of resources and stop responding to legitimate requests. Which type of attack is this, and which mitigation should be implemented?

79

A small business uses a wireless network for employees and guests. The owner wants to ensure that guest devices cannot access internal resources such as file servers and printers. Which network security technique should be implemented?

80

A security analyst discovers that an unauthorized device is sending forged ARP replies to poison the ARP caches of other devices on the network. Which security feature should be implemented on the switches to prevent this?

81

A company wants to ensure that only devices with known MAC addresses can connect to the guest Wi-Fi network. Which security feature should be configured on the wireless controller?

82

A security administrator discovers that an attacker has intercepted data between two legitimate hosts by redirecting traffic through a rogue device. Which type of attack is this?

83

A network administrator needs to ensure that only authorized devices can connect to the wired network. Each user must authenticate using their domain credentials. Which of the following should be implemented?

84

A security analyst discovers that an unauthorized device is sending forged ARP replies, causing other devices to map the default gateway IP address to the attacker's MAC address. Which security feature should be implemented on the switches to prevent this attack?

85

A company wants to prevent unauthorized personal devices from connecting to the corporate wired network. Employees must authenticate using their domain credentials before gaining full network access. Which security measure should be implemented on the switch ports?

86

An attacker sends ICMP echo request packets to the broadcast address of a network, with the source IP address spoofed to be the target's IP address. This causes all hosts on the network to send ICMP echo replies to the target, overwhelming it. Which type of attack is this?

87

A security auditor discovers that several unused switch ports are in default configuration. The auditor recommends implementing a security measure that will disable the port if an unauthorized device is connected, and then automatically re-enable the port after a specified time period. Which feature should be configured on the switch ports?

88

A security analyst notices that a network switch is receiving DHCP discover messages from a rogue device offering IP addresses. The rogue device is causing clients to obtain invalid IP addresses and lose network connectivity. Which security feature should be implemented on the switch to prevent this type of attack?

89

A security auditor discovers that an unauthorized switch has been connected to an access port in the wiring closet. The rogue switch caused a network loop and disrupted connectivity. Which security feature, if enabled on the access port, would have prevented this by disabling the port when a BPDU is received?

90

Which attack technique involves an attacker intercepting and potentially modifying the communication between two parties without their knowledge?

91

A network administrator wants to ensure that only authorized devices can access the network on a switch port. The administrator has a list of allowed MAC addresses. Which security feature should be enabled on the switch port?

92

A network administrator discovers that client workstations are receiving IP addresses from an unknown device, causing network connectivity issues. Which security feature should be configured on switches to prevent rogue DHCP servers from assigning IP addresses?

93

A network administrator is experiencing issues where unauthorized devices are offering IP addresses to clients, causing connectivity problems. Which security feature should be enabled on switches to prevent this?

94

A network administrator wants to ensure that only a specific laptop can connect to a particular switch port. The laptop's MAC address is known. Which security feature should be configured?

95

An attacker intercepts communication between two parties and is able to modify the data in transit without either party's knowledge. Which type of attack is this?

96

An attacker is launching a DHCP starvation attack by sending a large number of DHCP discover messages with spoofed MAC addresses. This exhausts the DHCP pool and causes legitimate clients to fail to obtain IP addresses. Which security feature should be implemented on the switch to mitigate this attack?

97

A security auditor recommends implementing a solution that authenticates users and devices before granting network access, regardless of the physical port they connect to. Which technology should be deployed?

98

An attacker is eavesdropping on network traffic to capture sensitive data sent over an unencrypted HTTP connection. Which technology should be implemented to protect data in transit between clients and web servers?

99

A company wants to enforce network access control such that only authenticated users can connect to the wired network. The authentication server will use RADIUS. Which IEEE standard should be implemented?

100

A network administrator is concerned about DHCP security. To prevent rogue DHCP servers from offering incorrect IP addresses, the administrator enables DHCP snooping on the switches. Additionally, the administrator wants to prevent DHCP starvation attacks that exhaust the DHCP pool. Which feature should be enabled on the switch to specifically mitigate DHCP starvation?

Watch out for

Common Network Security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Frequently asked questions

What does the Network Security domain cover on the N10-009 exam?
Network Security questions test whether you can apply the concept in context, not just recognise a definition.

How many questions are in this domain?
This page lists all 100 Network Security questions in the N10-009 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.

What is the best way to practise this domain?
Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.

Can I practise only Network Security questions?
Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.