CCNA Network Security Questions

75 of 104 questions · Page 1/2 · Network Security

1
MCQ · easy

Which attack technique involves an attacker intercepting and potentially modifying the communication between two parties without their knowledge?

A. Man-in-the-middle
B. Replay attack
C. Smurf attack
D. Phishing
Answer: A

This attack allows the attacker to intercept and alter communications between two parties.

Why this answer

A man-in-the-middle (MITM) attack is correct because it specifically involves an attacker secretly intercepting and potentially altering communications between two parties who believe they are directly communicating with each other. This is achieved by the attacker inserting themselves into the communication path, often by ARP spoofing, DNS spoofing, or rogue access points, allowing them to capture, decrypt, or modify packets in transit.

Exam trap

The trap here is that candidates often confuse a replay attack with a MITM attack because both involve capturing traffic, but a replay attack only retransmits captured data without real-time interception or modification of the ongoing session.

How to eliminate wrong answers

Option B (Replay attack) is wrong because a replay attack involves capturing a valid data transmission and retransmitting it later to trick the receiver, but it does not involve intercepting and modifying live communication between two parties in real time. Option C (Smurf attack) is wrong because a Smurf attack is a distributed denial-of-service (DDoS) technique that floods a target with ICMP echo replies by spoofing the victim's IP address and sending pings to a broadcast address, not intercepting or modifying communications between two parties.

2
MCQ · medium

A network security analyst notices high CPU utilization on the core switch and detects a large volume of ARP replies from a single IP address that claims to be the default gateway for all local subnets. Which type of attack is MOST likely occurring?

A. ARP poisoning
B. DHCP starvation
C. MAC flooding
D. DNS amplification
Answer: A

Sending forged ARP replies to redirect traffic is the classic definition of ARP poisoning. The high volume of replies and claiming to be the gateway are strong indicators.

Why this answer

The attack described is ARP poisoning (also known as ARP spoofing), where an attacker sends forged ARP replies to associate their MAC address with the IP address of the default gateway. This causes all traffic destined for other subnets to be redirected to the attacker's machine, leading to high CPU utilization on the switch as it processes the flood of ARP packets and forwards the intercepted traffic.

Exam trap

Cisco often tests the distinction between ARP poisoning and MAC flooding by describing symptoms like 'high CPU utilization' and 'large volume of ARP replies,' which can mislead candidates into thinking MAC flooding is the answer because it also causes high CPU, but the key clue is the specific use of ARP replies targeting the default gateway IP.

How to eliminate wrong answers

Option B is wrong because DHCP starvation is a denial-of-service attack that exhausts the DHCP server's IP address pool by sending numerous DHCP discover messages, preventing legitimate clients from obtaining IP addresses; it does not involve sending ARP replies claiming to be the default gateway. Option C is wrong because MAC flooding is an attack that floods a switch with frames containing many different source MAC addresses to overflow the CAM table, forcing the switch into fail-open mode (hub-like behavior) for packet sniffing; it does not target the default gateway IP address with ARP replies.

3
MCQ · medium

A network administrator is experiencing issues where unauthorized devices are offering IP addresses to clients, causing connectivity problems. Which security feature should be enabled on switches to prevent this?

A. Dynamic ARP Inspection (DAI)
B. IP Source Guard
C. DHCP Snooping
D. Port Security
Answer: C

DHCP Snooping allows only DHCP messages from trusted DHCP servers, blocking unauthorized DHCP offers.

Why this answer

C is correct because DHCP Snooping is a security feature that filters untrusted DHCP messages on a per-port basis, preventing unauthorized DHCP servers from offering IP addresses to clients. By configuring trusted ports (typically uplinks to legitimate DHCP servers) and untrusted ports (access ports), the switch drops DHCPOFFER and DHCPACK messages received on untrusted ports, directly stopping rogue DHCP server attacks.

Exam trap

The trap here is that candidates confuse the roles of DHCP Snooping, DAI, and IP Source Guard, often selecting DAI because they associate ARP with address assignment, but only DHCP Snooping directly filters unauthorized DHCP server messages.

How to eliminate wrong answers

Option A is wrong because Dynamic ARP Inspection (DAI) validates ARP packets to prevent ARP spoofing and man-in-the-middle attacks, but it does not filter DHCP messages or block unauthorized DHCP servers. Option B is wrong because IP Source Guard uses DHCP Snooping binding data to filter IP traffic based on source IP and MAC addresses, preventing IP spoofing, but it does not directly prevent rogue DHCP servers from offering addresses.

4
MCQ · hard

A security analyst is investigating a potential breach. A network device shows logs indicating that it received packets with a source IP address belonging to the internal network range on its external (internet-facing) interface. This is a classic indication of which type of attack?

A. Denial-of-service (DoS) attack
B. IP spoofing
C. Man-in-the-middle (MITM) attack
D. ARP poisoning
Answer: B

IP spoofing is when an attacker forges the source IP address to appear as a trusted host. Seeing an internal IP on an external interface is a clear sign of spoofing.

Why this answer

B is correct because receiving packets with a source IP address from the internal network range on an external (internet-facing) interface is a classic sign of IP spoofing. In IP spoofing, an attacker forges the source IP address in packet headers to impersonate a trusted internal host, often to bypass access controls or launch reflection attacks. This violates the expected behavior of ingress filtering, where external interfaces should never see internal source addresses.

Exam trap

The trap here is that candidates may confuse IP spoofing with a DoS attack because spoofing is often used in DDoS amplification, but the question's specific clue—internal source IP on an external interface—directly points to spoofing, not the volumetric nature of a DoS.

How to eliminate wrong answers

Option A is wrong because a Denial-of-service (DoS) attack focuses on overwhelming a target with traffic to disrupt service, but the key indicator here is the source IP mismatch, not traffic volume or resource exhaustion. Option C is wrong because a Man-in-the-middle (MITM) attack involves intercepting and potentially altering communications between two parties, often using ARP spoofing or proxy techniques, but it does not inherently cause packets with internal source IPs to appear on an external interface.

5
MCQ · hard

A security engineer notices that the company's web server is receiving an overwhelming number of HTTP GET requests from thousands of different IP addresses around the world. The requests are for legitimate pages and are well-formed. The server is becoming unresponsive. Which type of attack is most likely occurring?

A. ARP spoofing
B. SYN flood
C. DDoS attack
D. DNS amplification
Answer: C

A distributed denial-of-service attack uses many sources to send legitimate-looking requests to overload the server.

Why this answer

The attack involves a high volume of legitimate HTTP GET requests from many distinct IP addresses, overwhelming the web server. This is a classic distributed denial-of-service (DDoS) attack, where multiple compromised systems (a botnet) coordinate to flood the target with traffic, exhausting server resources and causing unresponsiveness. The key indicators are the distributed source IPs and the use of application-layer (HTTP) requests, which distinguishes it from network-layer floods.

Exam trap

The trap here is that candidates confuse a SYN flood (a TCP-level attack) with a DDoS attack that uses complete HTTP requests, but the question explicitly states the requests are 'well-formed' and for 'legitimate pages,' ruling out incomplete handshake attacks.

How to eliminate wrong answers

Option A is wrong because ARP spoofing is a local network attack that manipulates Address Resolution Protocol to intercept traffic between hosts on the same subnet, not a method to flood a web server from thousands of global IPs. Option B is wrong because a SYN flood exploits the TCP three-way handshake by sending incomplete SYN packets to exhaust connection state tables, whereas this attack uses complete, well-formed HTTP GET requests. Option D is wrong because DNS amplification is a reflection/amplification attack that uses open DNS resolvers to send large DNS response packets to a victim, not HTTP GET requests.

6
MCQ · easy

A company wants to ensure that only authorized employee computers can connect to the wired network. Each computer must be authenticated before it is granted access to the network. Which technology is designed to provide this port-based authentication?

A. 802.1X
B. WPA2
C. MAC filtering
D. VPN
Answer: A

802.1X provides port-based authentication for wired and wireless networks, requiring credentials before granting network access.

Why this answer

802.1X is the IEEE standard for port-based Network Access Control (NAC). It uses the Extensible Authentication Protocol (EAP) over LAN (EAPoL) to authenticate a device at the switch port before granting full network access. Only after successful authentication does the switch open the port, ensuring that unauthorized computers cannot connect.

Exam trap

CompTIA often tests the distinction between authentication (802.1X) and access control methods (MAC filtering), where candidates mistakenly choose MAC filtering because they think it 'authenticates' devices, but it only identifies by MAC address without verifying identity or credentials.

How to eliminate wrong answers

Option B (WPA2) is wrong because WPA2 is a wireless security protocol that provides encryption and authentication for Wi-Fi networks, not for wired port-based authentication. Option C (MAC filtering) is wrong because MAC filtering only checks the MAC address against an allowlist, which is easily spoofed and does not provide true authentication or encryption; it is not a port-based authentication protocol like 802.1X.

7
MCQ · hard

A security analyst is investigating a potential data exfiltration. The analyst notices that a server is sending DNS queries to an external IP address on TCP port 53, and the DNS responses are unusually large. The server is not a DNS server. Which technique is most likely being used?

A. DNS amplification attack
B. DNS tunneling
C. DNS zone transfer
D. DNS cache poisoning
Answer: B

DNS tunneling uses DNS protocol to encapsulate other data, often for command-and-control or data exfiltration. Large response sizes and unusual use of TCP port 53 are indicators.

Why this answer

DNS tunneling encodes non-DNS data (e.g., exfiltrated files) within DNS queries and responses, often using TCP port 53 to bypass firewalls. The unusually large responses are a hallmark of tunneled data being returned in DNS payloads, and the fact that the server is not a DNS server strongly indicates it is being used as a client for covert data transfer.

Exam trap

CompTIA often tests the distinction between DNS amplification (a DDoS attack using UDP reflection) and DNS tunneling (a covert channel using TCP or UDP for data exfiltration), and the trap here is that candidates see 'large responses' and immediately think amplification, ignoring the TCP port 53 and non-DNS server context.

How to eliminate wrong answers

Option A is wrong because a DNS amplification attack uses UDP (not TCP) and relies on spoofed source IPs to flood a victim with large responses, not to exfiltrate data from a non-DNS server. Option C is wrong because a DNS zone transfer is a legitimate administrative operation between authoritative DNS servers using TCP port 53, but it transfers zone data (not arbitrary data) and requires the server to be a DNS server. Option D is wrong because DNS cache poisoning corrupts a resolver's cache with forged records (e.g., to redirect traffic), not to exfiltrate data via large responses from a non-DNS server.

8
MCQ · hard

An organization needs to authenticate network administrators and control which commands each administrator can execute on routers and switches. The solution must support granular per-command authorization and encrypt the entire session. Which protocol is best suited for this requirement?

A. TACACS+
B. RADIUS
C. LDAP
D. Kerberos
Answer: A

Correct. TACACS+ encrypts the entire session and supports granular command authorization for device administration.

Why this answer

TACACS+ is the correct choice because it separates authentication, authorization, and accounting (AAA) functions, allowing granular per-command authorization on routers and switches. It encrypts the entire session, including the username, password, and all command traffic, unlike RADIUS, which only encrypts the password. This makes TACACS+ ideal for environments requiring strict command-level control and full session encryption.

Exam trap

CompTIA often tests the distinction that RADIUS is commonly used for network access control (e.g., 802.1X) but fails for device administration because it lacks per-command authorization and full-session encryption, leading candidates to mistakenly choose RADIUS due to its familiarity.

How to eliminate wrong answers

Option B (RADIUS) is wrong because it only encrypts the password in the access-request packet, leaving the rest of the session (including commands) unencrypted, and it does not support per-command authorization—it only provides service-level authorization (e.g., permit/deny network access). Option C (LDAP) is wrong because it is a directory access protocol used for querying and modifying directory services (e.g., user attributes), not for AAA or session encryption; it lacks command authorization and full-session encryption capabilities. Option D (Kerberos) is wrong because it is a ticket-based authentication protocol designed for single sign-on in Windows domains, not for per-command authorization on network devices; it does not encrypt the entire session or provide granular command control.

9
MCQ · medium

A network security analyst notices that a switch's CPU utilization is spiking and that the switch is flooding unicast frames to all ports. The analyst suspects a MAC address table overflow attack. Which of the following security features should be configured on the switch's access ports to mitigate this type of attack?

A. BPDU guard
B. Port security
C. DHCP snooping
D. Dynamic ARP Inspection (DAI)
Answer: B

Port security limits the number of MAC addresses per port, directly mitigating MAC flooding attacks.

Why this answer

Port security mitigates MAC address table overflow attacks by limiting the number of MAC addresses that can be learned on an access port. When the configured limit is exceeded, the switch can take action (e.g., shutdown or restrict) to prevent an attacker from flooding the CAM table with fake source MAC addresses, which would otherwise cause the switch to fail open and flood unicast frames out all ports.

Exam trap

The trap here is that candidates often confuse port security with other Layer 2 security features like BPDU guard or DHCP snooping, but only port security directly limits the number of MAC addresses learned on a port to prevent CAM table overflow.

How to eliminate wrong answers

Option A is wrong because BPDU guard is designed to protect against Spanning Tree Protocol (STP) manipulation by disabling a port if it receives a BPDU, not to limit MAC address learning or prevent CAM table overflow. Option C is wrong because DHCP snooping filters untrusted DHCP messages and builds a DHCP snooping binding table to prevent rogue DHCP servers, but it does not directly limit the number of MAC addresses learned on a port. Option D is wrong because Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table to prevent ARP spoofing, but it does not restrict the number of MAC addresses that can be learned on a port.

10
MCQ · hard

A security analyst needs to deploy a device that can perform deep packet inspection and block specific application-layer attacks in real time. Which of the following devices is MOST appropriate for this purpose?

A. Stateful firewall
B. Intrusion Prevention System (IPS)
C. Proxy server
D. VPN concentrator
Answer: B

IPS sits inline, performs deep packet inspection, and can actively block malicious traffic, including application-layer attacks.

Why this answer

An Intrusion Prevention System (IPS) is designed to inspect traffic in real time, perform deep packet inspection (DPI) up to Layer 7, and automatically block malicious traffic, including application-layer attacks such as SQL injection or cross-site scripting. Unlike a passive IDS, an IPS sits inline and can drop or reset sessions based on signature or anomaly detection, making it the most appropriate device for this requirement.

Exam trap

The trap here is that candidates often confuse an IPS with a stateful firewall, assuming that stateful inspection includes deep packet inspection, but stateful firewalls only check packet headers and connection state, not application-layer payloads.

How to eliminate wrong answers

Option A is wrong because a stateful firewall operates at Layers 3 and 4, tracking connection state but lacking the ability to perform deep packet inspection at the application layer or block specific application-layer attacks like HTTP-based exploits. Option C is wrong because a proxy server primarily acts as an intermediary for client requests, caching content and filtering URLs, but it does not natively perform real-time deep packet inspection or automatically block application-layer attacks with the same inline prevention capabilities as an IPS. Option D is wrong because a VPN concentrator is designed to terminate encrypted tunnels and manage VPN connections, focusing on encryption and authentication, not on inspecting or blocking application-layer threats.

11
MCQ · easy

A company wants to allow employees to securely access internal resources (email, file servers) when working from home over the internet. Which technology should be implemented to create an encrypted tunnel between the employee's remote computer and the corporate network?

A. VPN concentrator
B. Firewall
C. DMZ
D. Intrusion detection system (IDS)
Answer: A

A VPN concentrator terminates VPN connections from remote clients, providing encrypted tunnels for secure access to internal resources.

Why this answer

A VPN concentrator is the correct technology because it terminates VPN tunnels from remote users, creating an encrypted tunnel (using protocols like IPsec or TLS) between the employee's remote computer and the corporate network. This ensures that all traffic to internal resources such as email and file servers is securely encapsulated and protected from interception over the internet.

Exam trap

The trap here is that candidates may confuse a firewall's ability to allow or block VPN traffic (e.g., permitting UDP 500 for IPsec) with the firewall itself being the device that terminates the VPN tunnel, but only a VPN concentrator or VPN gateway performs the actual encryption and tunnel management.

How to eliminate wrong answers

Option B (Firewall) is wrong because a firewall filters traffic based on rules but does not create encrypted tunnels; it lacks the VPN termination and encryption capabilities required for secure remote access. Option C (DMZ) is wrong because a DMZ is a network segment that hosts public-facing services (e.g., web servers) and is not designed to establish encrypted tunnels from remote clients to internal resources. Option D (Intrusion detection system (IDS)) is wrong because an IDS monitors network traffic for malicious activity but does not provide encryption or tunnel establishment for remote access.

12
MCQ · hard

A network administrator is concerned about DHCP security. To prevent rogue DHCP servers from offering incorrect IP addresses, the administrator enables DHCP snooping on the switches. Additionally, the administrator wants to prevent DHCP starvation attacks that exhaust the DHCP pool. Which feature should be enabled on the switch to specifically mitigate DHCP starvation?

A. Dynamic ARP Inspection (DAI)
B. IP Source Guard (IPSG)
C. Port Security
D. Rate limiting on DHCP packets
Answer: D

DHCP rate limiting (often configured as part of DHCP snooping) restricts the number of DHCP packets per second from a port, mitigating starvation attacks.

Why this answer

Rate limiting on DHCP packets (option D) is the correct feature to mitigate DHCP starvation attacks. DHCP starvation works by flooding the network with fake DHCP discover messages, each using a different MAC address, to exhaust the DHCP server's address pool. By limiting the rate at which DHCP packets are accepted from a given interface, the switch can drop excessive requests before they reach the DHCP server, preventing pool exhaustion without blocking legitimate traffic.

Exam trap

Cisco often tests the distinction between DHCP snooping features: candidates confuse DHCP snooping's role in preventing rogue servers (by filtering DHCP server messages) with the need for a separate rate-limiting mechanism to prevent starvation attacks.

How to eliminate wrong answers

Option A is wrong because Dynamic ARP Inspection (DAI) validates ARP packets to prevent ARP spoofing and man-in-the-middle attacks, not DHCP starvation. Option B is wrong because IP Source Guard (IPSG) filters IP traffic based on the DHCP snooping binding table to prevent IP spoofing, but it does not limit the volume of DHCP requests. Option C is wrong because Port Security limits the number of MAC addresses allowed on a switch port to prevent MAC flooding attacks, but it does not rate-limit DHCP packets or directly prevent DHCP starvation.

13
MCQ · medium

A company is implementing 802.1X port-based authentication on its wired network to ensure only authorized devices can connect. Which of the following servers is required to authenticate users and devices?

A. RADIUS server
B. Syslog server
C. TACACS+ server
D. NTP server
Answer: A

Correct. RADIUS is the most common protocol for 802.1X authentication and is widely supported.

Why this answer

802.1X port-based authentication relies on the Extensible Authentication Protocol (EAP) over LAN (EAPoL) between the supplicant (device) and the authenticator (switch), which then forwards authentication requests to a central authentication server. A RADIUS server is the required backend because it validates credentials (e.g., username/password or certificates) and returns an Accept/Reject decision to the switch, enabling or disabling the port. RADIUS is the standard protocol defined in IEEE 802.1X for this purpose, supporting EAP methods like PEAP, EAP-TLS, and EAP-FAST.

Exam trap

Cisco often tests the misconception that TACACS+ can replace RADIUS in 802.1X environments, but TACACS+ encrypts the entire packet body and is designed for device administration (e.g., CLI access), not for 802.1X port-based authentication, which mandates RADIUS per the IEEE 802.1X standard.

How to eliminate wrong answers

Option B is wrong because a Syslog server is used for centralized logging of network events (e.g., authentication failures or switch reboots) and does not perform authentication decisions; it only receives log messages via UDP port 514. Option C is wrong because TACACS+ is a Cisco-proprietary protocol that separates authentication, authorization, and accounting (AAA) and typically uses TCP port 49, but it is not designed for 802.1X port-based authentication; 802.1X specifically requires RADIUS as the authentication server per the IEEE standard.

14
MCQ · medium

An employee plugs a personal laptop into a network jack and then the laptop is infected with malware that spreads to other devices on the network. Which security control would have most effectively prevented this scenario?

A. MAC filtering on the switch
B. 802.1X authentication
C. VLAN segmentation
D. Access control lists on the router
Answer: B

802.1X requires devices to authenticate (e.g., via username/password or certificates) before the switch port becomes active, effectively blocking unauthorized devices from accessing the network.

Why this answer

802.1X authentication requires devices to authenticate before gaining network access, typically via EAP (Extensible Authentication Protocol) over RADIUS. In this scenario, the employee's personal laptop would be blocked at the port level because it lacks valid credentials, preventing the malware from ever reaching the internal network and spreading to other devices.

Exam trap

Cisco often tests the misconception that MAC filtering or VLAN segmentation alone can prevent unauthorized device access, when in fact 802.1X is the only option that provides per-port authentication and dynamic VLAN assignment based on credentials.

How to eliminate wrong answers

Option A is wrong because MAC filtering only checks the MAC address against an allowed list, but MAC addresses can be easily spoofed by an attacker or malware, and it does not authenticate the user or device identity. Option C is wrong because VLAN segmentation separates traffic into logical groups but does not prevent an unauthorized device from connecting to a switch port; once the laptop is plugged in and assigned to a VLAN, it can still spread malware within that VLAN unless additional access controls are applied.

15
MCQ · hard

A network administrator needs to ensure that only authorized devices can connect to the wired network. Each user must authenticate using their domain credentials. Which of the following should be implemented?

A. MAC filtering
B. 802.1X with EAP-TLS
C. WPA2-PSK
D. Port security
Answer: B

802.1X with EAP-TLS provides user authentication using certificates, typically tied to domain credentials. It ensures that only authenticated users can gain access to the network, and it can be integrated with Active Directory.

Why this answer

802.1X with EAP-TLS is correct because it provides port-based network access control that requires each user to authenticate using their domain credentials (via a RADIUS server) before the switch port is opened for traffic. EAP-TLS uses mutual authentication with digital certificates, ensuring only authorized devices and users gain access to the wired network.

Exam trap

CompTIA often tests the distinction between port security (which is MAC-based and does not authenticate users) and 802.1X (which provides user authentication via RADIUS), leading candidates to mistakenly choose port security when the question explicitly requires domain credential authentication.

How to eliminate wrong answers

Option A is wrong because MAC filtering only checks the device's MAC address against a list, which can be easily spoofed and does not authenticate individual users with domain credentials. Option C is wrong because WPA2-PSK is a wireless security protocol that uses a pre-shared key, not suitable for wired networks and does not support per-user domain authentication. Option D is wrong because port security limits access based on MAC addresses and can enforce a maximum number of MACs per port, but it does not authenticate users with domain credentials and can be bypassed by MAC spoofing.

16
MCQ · hard

A security administrator observes that an employee's workstation is sending large amounts of data to an external IP address on TCP port 443. The workstation is not supposed to initiate outbound connections, and there is no business need for it. What is the most likely cause?

A. The workstation is part of a botnet and is communicating with a command-and-control server
B. A legitimate software update is being downloaded
C. The workstation is acting as a VPN client connecting to a corporate VPN server
D. The workstation is hosting a web server that is being accessed externally
Answer: A

Botnets commonly use HTTPS to blend in with normal encrypted web traffic. The large data volume and lack of business need make this the most likely explanation.

Why this answer

The workstation is sending large amounts of data to an external IP on TCP port 443, which is commonly used for HTTPS traffic. Since the workstation is not authorized to initiate outbound connections and has no business need for this traffic, the most likely cause is that it has been compromised and is part of a botnet, using HTTPS to communicate with a command-and-control (C2) server to evade detection by blending in with legitimate encrypted web traffic.

Exam trap

The trap here is that candidates may assume TCP 443 always indicates legitimate HTTPS traffic, such as a software update or VPN, without considering that attackers commonly use this port to hide malicious C2 communications, especially when the workstation has no business need for outbound connections.

How to eliminate wrong answers

Option B is wrong because a legitimate software update would typically be initiated by the workstation contacting a known update server (e.g., Microsoft, Adobe) on TCP 443, but the scenario states the workstation is not supposed to initiate outbound connections and has no business need for this traffic, making an unauthorized update or malware more likely. Option C is wrong because a VPN client connecting to a corporate VPN server would use a specific VPN protocol (e.g., IPsec, OpenVPN, or WireGuard) on a designated port, not necessarily TCP 443, and the traffic would be to a known internal or authorized external VPN endpoint, not an arbitrary external IP; moreover, the workstation is not authorized to initiate outbound connections, so a VPN client would violate policy.

17
MCQ · hard

A security administrator is configuring a wireless network to use WPA3-Enterprise. Which authentication server protocol is required for WPA3-Enterprise?

A. RADIUS
B. LDAP
C. TACACS+
D. Kerberos
Answer: A

Correct. WPA3-Enterprise uses 802.1X for authentication, which requires a RADIUS server to authenticate users against a database.

Why this answer

WPA3-Enterprise requires 802.1X/EAP authentication, which uses RADIUS as the backend authentication server protocol. RADIUS handles the exchange of EAP frames between the authenticator (access point) and the authentication server, enforcing per-user credentials and supporting the mandatory 192-bit security suite for WPA3-Enterprise. Without RADIUS, the 802.1X framework cannot operate, making it the only required protocol for this deployment.

Exam trap

The trap here is that candidates often confuse TACACS+ with RADIUS because both are AAA protocols, but TACACS+ is used for device administration (e.g., router login) while RADIUS is the only protocol that supports 802.1X/EAP for wireless network access.

How to eliminate wrong answers

Option B (LDAP) is wrong because LDAP is a directory access protocol used to query and modify directory services (e.g., Active Directory), not an authentication server protocol for 802.1X; it lacks the RADIUS attributes and EAP handling needed for WPA3-Enterprise. Option C (TACACS+) is wrong because TACACS+ is a Cisco-proprietary protocol designed for device administration (AAA for CLI/management access), not for network access authentication like 802.1X; it separates authentication, authorization, and accounting into different packets, which is incompatible with the RADIUS-based 802.1X flow. Option D (Kerberos) is wrong because Kerberos is a ticket-based authentication protocol used within a domain (e.g., Windows Active Directory) for single sign-on, not for wireless 802.1X; it cannot encapsulate EAP frames or communicate with access points as a RADIUS server does.

18
MCQhard

A security engineer is configuring a firewall to protect an internal network. The requirement is that internal users can initiate connections to the internet, but external hosts should not be able to initiate connections to internal hosts unless the internal host first requested the connection. Which firewall technology should be used?

A.Stateless packet filtering
B.Stateful inspection
C.Application proxy
D.Packet filtering based on ACL only
AnswerB

Stateful firewalls track the state of connections and permit inbound packets only if they match an existing session.

Why this answer

Stateful inspection (B) tracks the state of active connections by maintaining a state table that records source/destination IPs, ports, and sequence numbers. It allows return traffic for connections initiated from the internal network while blocking unsolicited inbound traffic, which directly matches the requirement that external hosts cannot initiate connections unless the internal host requested them first.

Exam trap

Cisco often tests the misconception that stateless packet filtering can handle return traffic by simply allowing inbound packets with a high source port, but without state tracking, it cannot verify that the packet actually belongs to an existing session, making stateful inspection the correct answer.

How to eliminate wrong answers

Option A is wrong because stateless packet filtering examines each packet in isolation based only on static rules (e.g., ACLs) without tracking connection state, so it cannot distinguish between a packet belonging to an established internal-initiated session and an unsolicited inbound packet. Option C is wrong because an application proxy acts as an intermediary that terminates and re-creates connections at the application layer, which provides deep inspection but is overkill for simply allowing return traffic; it also introduces higher latency and is not the standard technology for stateful connection tracking.

19
MCQmedium

An organization uses a AAA server for network device authentication. The security team requires that all authentication traffic be fully encrypted and that authorization commands be logged per user. Which protocol is best suited for this requirement?

A.RADIUS with EAP-TLS
B.TACACS+
C.LDAP over SSL
D.Kerberos
AnswerB

Correct. TACACS+ encrypts the entire authentication packet and separates AAA functions, enabling detailed command-level authorization logging.

Why this answer

TACACS+ is the best choice because it encrypts the entire authentication packet (including username, password, and all other fields) and supports per-user command authorization logging. This meets the requirement for fully encrypted authentication traffic and detailed audit trails for each user's commands.

Exam trap

The trap here is that candidates often confuse RADIUS's partial encryption (password only) with full encryption, or assume LDAP over SSL can handle device AAA, but TACACS+ is the only protocol that fully encrypts all traffic and logs per-user commands for network device administration.

How to eliminate wrong answers

Option A is wrong because RADIUS with EAP-TLS only encrypts the authentication exchange (EAP over RADIUS), but the rest of the RADIUS packet (including authorization attributes) is not fully encrypted—only the password is obfuscated with a shared secret. Option C is wrong because LDAP over SSL encrypts the LDAP session but does not provide network device command authorization or logging; it is a directory access protocol, not a AAA protocol for device administration. Option D is wrong because Kerberos provides strong authentication via tickets but does not include authorization or accounting for device commands; it is designed for single sign-on in a domain, not for per-user command logging on network devices.

20
MCQeasy

A company wants to allow external users to access a web server located in the DMZ. The firewall has three interfaces: inside, outside, and DMZ. Which firewall rule is necessary?

A.A
B.B
C.C
D.D
AnswerB

This rule permits external users to initiate connections to the web server in the DMZ on port 80.

Why this answer

Option B is correct because it allows traffic from the outside (external users) to the DMZ web server while keeping the inside network protected. In a three-legged firewall setup, the necessary rule permits inbound HTTP/HTTPS traffic from the outside interface to the DMZ interface, typically with a destination IP of the web server and port 80/443. This ensures external access is isolated from the internal network, adhering to the principle of least privilege.

Exam trap

The trap here is that candidates often confuse the direction of traffic flow, mistakenly selecting a rule that allows inside-to-DMZ traffic (Option A) thinking it enables external access, when in fact external users initiate from the outside interface.

How to eliminate wrong answers

Option A is wrong because it likely permits traffic from the inside to the DMZ, which is not needed for external user access and could inadvertently allow internal hosts to initiate connections to the DMZ without proper control. Option C is wrong because it probably allows traffic from the DMZ to the inside, which would expose the internal network to potential threats from the DMZ, violating security best practices that restrict DMZ-to-inside traffic unless explicitly required and inspected.

21
Matchingmedium

Match each network topology to its characteristic.

All devices connect to a central hub or switch

Every device connects to every other device

All devices share a single communication line

Each device connects to two others, forming a closed loop

Why these pairings

These are basic network topologies.

22
MCQeasy

A company wants to prevent unauthorized devices from connecting to the corporate network. The policy requires that only specific MAC addresses are permitted on switch ports. Which security feature should be implemented on the switches?

A.802.1X authentication
B.MAC filtering / Port security
C.VLAN hopping prevention
D.DHCP snooping
AnswerB

Port security (MAC filtering) allows an administrator to define a list of allowed MAC addresses on a switch port. Any device with a MAC not on the list is blocked from sending traffic.

Why this answer

MAC filtering, also known as port security, is the correct feature because it allows the switch to restrict access to a port based on the source MAC address of incoming frames. By configuring a list of allowed MAC addresses, the switch will drop traffic from any unauthorized device, directly enforcing the policy that only specific MAC addresses are permitted on switch ports.

Exam trap

Cisco often tests the distinction between MAC-based port security and 802.1X authentication, where candidates mistakenly choose 802.1X because it is a more robust access control method, but the question specifically asks for a feature that permits only specific MAC addresses, which is exactly what port security does.

How to eliminate wrong answers

Option A is wrong because 802.1X authentication is a port-based network access control protocol that uses an authentication server (e.g., RADIUS) to validate user or device credentials, not MAC addresses; it does not inherently filter by MAC address and requires a supplicant and authentication server infrastructure. Option C is wrong because VLAN hopping prevention is a security measure to stop an attacker from gaining access to traffic on other VLANs by exploiting switch configuration weaknesses (e.g., double tagging or DTP abuse), and it does not control which devices can connect to a specific switch port based on MAC addresses.

23
MCQhard

A company wants to prevent unauthorized users from plugging into network jacks and gaining access to the wired network. Which of the following security mechanisms should be implemented at the switch level?

A.MAC address filtering
B.Port security
C.802.1X
D.Dynamic ARP Inspection
AnswerC

802.1X requires user or device authentication via an authentication server (RADIUS) before the switch port becomes active.

Why this answer

802.1X is a port-based Network Access Control (NAC) standard (IEEE 802.1X) that authenticates devices before granting full network access. When a device plugs into a switch port, the switch (as the authenticator) blocks all traffic except EAPoL (Extensible Authentication Protocol over LAN) frames until the device successfully authenticates via a RADIUS server. This prevents unauthorized users from gaining network access simply by connecting to a live jack.

Exam trap

The trap here is that candidates confuse port security (which only limits MAC addresses) with 802.1X (which provides actual authentication), leading them to pick port security because it sounds like it 'secures the port' at the switch level.

How to eliminate wrong answers

Option A is wrong because MAC address filtering only checks the source MAC against a static list and does not authenticate the user or device; MAC addresses can be easily spoofed, and it provides no per-session or credential-based security. Option B is wrong because port security limits the number of MAC addresses allowed on a port and can shut down the port on violation, but it does not authenticate the user or device; an attacker with a valid MAC address can still gain access without any authentication challenge.

24
MCQhard

A network security administrator is configuring authentication for network devices and wants to use a protocol that supports separate encryption of the entire authentication packet. Which of the following protocols is designed to encrypt the entire authentication packet and is commonly used with AAA services?

A.RADIUS
B.TACACS+
C.LDAP
D.Kerberos
AnswerB

TACACS+ encrypts the entire payload of the authentication packet, providing greater confidentiality for all authentication information.

Why this answer

TACACS+ is the correct answer because it encrypts the entire authentication packet, including the username, password, and all other fields, using a shared secret key. This full-packet encryption is a key differentiator from RADIUS, which only encrypts the password field. TACACS+ is commonly used with AAA services to provide separate authentication, authorization, and accounting processes.

Exam trap

Cisco often tests the misconception that RADIUS encrypts the entire packet because it uses a shared secret, but in reality, only the password is encrypted, whereas TACACS+ encrypts the full payload.

How to eliminate wrong answers

Option A (RADIUS) is wrong because it only encrypts the password field in the authentication packet, leaving other fields like username and service type in cleartext; it also combines authentication and authorization into a single process, unlike TACACS+. Option C (LDAP) is wrong because it is a directory access protocol used for querying and modifying directory services, not a AAA protocol; it does not encrypt the entire authentication packet by default and relies on external mechanisms like LDAPS for encryption.

25
Drag & Dropmedium

Drag and drop the steps for a disaster recovery procedure after a server failure into the correct order.

Why this order

Disaster recovery follows assessment, restore, rebuild, patch, test.

26
MCQhard

A security analyst is reviewing DHCP server logs and notices that a single MAC address is sending an extremely high number of DHCP discover packets. The DHCP server is responding, but the client never sends a DHCP request. Which type of attack is most likely occurring?

A.DHCP starvation
B.ARP poisoning
C.MAC flooding
D.DNS spoofing
AnswerA

Correct. This is a classic DHCP starvation attack, where the attacker sends many DHCP discovers to deplete the IP pool.

Why this answer

A DHCP starvation attack works by flooding the DHCP server with DHCPDISCOVER packets from spoofed MAC addresses, exhausting the server's IP address pool. In this scenario, a single MAC address sending excessive DHCPDISCOVER packets without completing the DORA handshake (no DHCPREQUEST) is a classic indicator of a starvation attack, as the attacker aims to consume all available leases and cause a denial of service for legitimate clients.

Exam trap

The trap here is confusing DHCP starvation with MAC flooding, as both involve 'flooding' and MAC addresses, but MAC flooding targets switch CAM tables at Layer 2, while DHCP starvation targets the DHCP server at Layer 7 (application layer) using DHCP protocol messages.

How to eliminate wrong answers

Option B is wrong because ARP poisoning involves sending forged ARP replies to associate the attacker's MAC address with the IP address of a legitimate host (e.g., the default gateway), enabling man-in-the-middle attacks; it does not involve DHCPDISCOVER packets or IP address pool exhaustion. Option C is wrong because MAC flooding targets a switch's CAM table by sending frames with many different source MAC addresses to overflow the table and force the switch into fail-open mode (hub behavior), not by sending DHCPDISCOVER packets to a DHCP server.

27
MCQmedium

A company's wireless network currently uses WPA2-PSK with a shared passphrase. A security audit identifies that the passphrase is weak and shared among all employees. Which of the following would provide the MOST secure wireless access while addressing the shared passphrase issue?

A.Implement WPA2-Enterprise with 802.1X
B.Upgrade to WPA3-Personal with a strong passphrase
C.Disable SSID broadcast
D.Enable MAC address filtering
AnswerA

WPA2-Enterprise uses individual user authentication via a RADIUS server, removing the shared key vulnerability.

Why this answer

WPA2-Enterprise with 802.1X eliminates the shared passphrase by using a RADIUS server to authenticate each user individually, typically via EAP methods such as PEAP or EAP-TLS. This provides per-user credentials (e.g., username/password or certificates), so compromising one user's credentials does not expose the entire network. It also supports dynamic per-session encryption keys, making it far more secure than any shared-passphrase solution.

Exam trap

The trap here is that candidates often assume upgrading to WPA3-Personal (with SAE) is sufficient, but the question specifically requires addressing the 'shared passphrase' issue, which only per-user authentication (802.1X) can solve.

How to eliminate wrong answers

Option B is wrong because WPA3-Personal still uses a shared passphrase (SAE handshake), which does not address the core issue of a single shared credential among all employees; if the passphrase is weak or leaked, all users are still at risk. Option C is wrong because disabling SSID broadcast only hides the network name from simple scans, but it does not change the authentication method or protect against a weak shared passphrase; attackers can easily discover hidden SSIDs using passive monitoring tools like airodump-ng.

28
MCQmedium

A company wants to allow inbound HTTPS traffic to a web server located in the DMZ from the Internet. The firewall has three interfaces: Inside (corporate network), Outside (Internet), and DMZ (web server). Which of the following firewall rules is required?

A.Allow traffic from Outside to DMZ on port 443
B.Allow traffic from DMZ to Outside on port 443
C.Allow traffic from Inside to DMZ on port 443
D.Allow traffic from Outside to Inside on port 443
AnswerA

This rule permits HTTPS traffic from the Internet (Outside) to the web server in the DMZ, which is the requirement.

Why this answer

The correct rule is to allow traffic from the Outside (Internet) interface to the DMZ interface on TCP port 443 (HTTPS). This permits inbound web requests to reach the web server while keeping the corporate Inside network isolated. The firewall must explicitly permit this traffic because the default implicit deny rule would otherwise block all inbound connections from the Outside zone.

Exam trap

The trap here is that candidates often confuse the direction of the traffic flow, mistakenly thinking the rule should allow traffic from the DMZ to the Outside (Option B) because they focus on the server sending responses, rather than the client initiating the connection.

How to eliminate wrong answers

Option B is wrong because it allows traffic from the DMZ to the Outside on port 443, which would permit outbound HTTPS requests from the web server to the Internet, not inbound client connections. Option C is wrong because it allows traffic from the Inside (corporate network) to the DMZ on port 443, which is unnecessary for external web access and could expose the DMZ server to internal threats, violating the principle of least privilege.

29
MCQmedium

A security administrator discovers that an attacker has intercepted data between two legitimate hosts by redirecting traffic through a rogue device. Which type of attack is this?

A.ARP poisoning
B.DNS poisoning
C.Man-in-the-middle
D.Replay attack
AnswerC

The scenario describes an attacker intercepting communications between two hosts by inserting themselves in the path. This is the classic definition of a man-in-the-middle attack.

Why this answer

This is a classic man-in-the-middle (MITM) attack, where the attacker intercepts and potentially alters communication between two legitimate hosts by inserting a rogue device into the data path. The key characteristic is the redirection of traffic through the attacker's device, which allows them to capture, inspect, or modify packets in transit.

Exam trap

CompTIA often tests the distinction between the attack type (MITM) and the technique used to achieve it (ARP poisoning), leading candidates to choose the method rather than the broader category.

How to eliminate wrong answers

Option A is wrong because ARP poisoning is a specific technique used to achieve a MITM attack on a local network by corrupting ARP caches, but the question describes the broader attack type (redirection through a rogue device), not the method. Option B is wrong because DNS poisoning corrupts DNS resolution to redirect traffic to a malicious IP, but the scenario explicitly states traffic is intercepted between two legitimate hosts via a rogue device, not through DNS manipulation. Option D is wrong because a replay attack involves capturing and retransmitting valid data to deceive a receiver, not intercepting and redirecting live traffic through a rogue device.

30
MCQmedium

A network administrator notices that several workstations on the network are receiving IP addresses from an unknown source, causing intermittent connectivity issues. The DHCP server is located in the server room and is the only authorized DHCP server. Which security feature should be implemented on the access switches to prevent rogue DHCP servers from distributing IP addresses?

A.DHCP Snooping
B.Dynamic ARP Inspection
C.IP Source Guard
D.Port Security
AnswerA

DHCP Snooping filters DHCP messages and only allows DHCP offers from trusted ports, blocking rogue DHCP servers.

Why this answer

DHCP Snooping is the correct security feature because it filters untrusted DHCP messages on access switches. By configuring ports connected to end-user workstations as untrusted, the switch drops DHCP server responses (OFFER, ACK) received on those ports, preventing rogue DHCP servers from distributing IP addresses. This ensures only the authorized DHCP server in the server room can provide IP configurations.

Exam trap

Cisco often tests the distinction between DHCP Snooping and Dynamic ARP Inspection, where candidates mistakenly choose DAI because they confuse DHCP spoofing with ARP spoofing, but DHCP Snooping is the specific mechanism to block rogue DHCP servers.

How to eliminate wrong answers

Option B (Dynamic ARP Inspection) is wrong because it validates ARP packets to prevent ARP spoofing and man-in-the-middle attacks, not DHCP server impersonation. Option C (IP Source Guard) is wrong because it uses DHCP Snooping binding table entries to filter IP traffic based on source IP and MAC addresses, but it does not directly block rogue DHCP server messages; it prevents IP spoofing by clients, not unauthorized DHCP offers.

31
MCQhard

A company wants to implement network access control that requires users to authenticate before gaining access to the network. The NAC solution uses a policy that checks for antivirus updates and OS patches. Which component enforces the policy?

A.Supplicant
B.Authenticator
C.Authentication server
D.Policy server
AnswerB

The authenticator (e.g., a switch) enforces the policy by controlling the port state based on the authentication result.

Why this answer

The Authenticator (typically a switch or wireless access point) is the component that enforces the NAC policy by controlling access to the network port or SSID. It receives the authentication result from the Authentication Server and applies the policy (e.g., placing the endpoint in a quarantine VLAN if antivirus or OS patch checks fail). This enforcement is defined in IEEE 802.1X, where the Authenticator acts as the gatekeeper between the Supplicant and the network.

Exam trap

The trap here is that candidates often confuse the Authentication Server (which makes the decision) with the Authenticator (which enforces the decision), especially when the question emphasizes 'policy checks' like antivirus updates, leading them to incorrectly select the server.

How to eliminate wrong answers

Option A is wrong because the Supplicant is the client software (e.g., the device requesting access) that provides credentials and posture information, but it does not enforce the policy—it only responds to authentication challenges. Option C is wrong because the Authentication Server (typically a RADIUS server like Cisco ISE) validates credentials and posture data and sends an Access-Accept or Access-Reject message, but the actual enforcement (e.g., blocking or restricting the port) is performed by the Authenticator, not the server.

32
MCQhard

A security analyst is investigating a user's complaint that their wireless connection keeps disconnecting. The analyst uses a wireless scanning tool and discovers two access points broadcasting the same SSID 'CorpNet' with different BSSIDs. One is the legitimate company AP on channel 1, and the other is on channel 11 with a strong signal and security set to 'Open'. Which of the following attacks is most likely occurring?

A.War driving
B.Rogue access point
C.Evil twin
D.Bluesnarfing
AnswerC

The presence of two APs with the same SSID, one with strong signal and open security, strongly indicates an evil twin attack designed to capture credentials and traffic.

Why this answer

The presence of two access points broadcasting the same SSID 'CorpNet' with different BSSIDs, where the second AP is on channel 11 with a strong signal and security set to 'Open', is characteristic of an evil twin attack. The attacker sets up a fraudulent AP with the same SSID as the legitimate network but without encryption, tricking users into connecting to it and exposing their credentials or traffic. This differs from a rogue AP, which typically mimics the corporate network but may not necessarily use an open security setting or a different channel to lure victims.

Exam trap

Cisco often tests the distinction between a rogue AP (an unauthorized device plugged into the wired network) and an evil twin (a standalone malicious AP that mimics the SSID without being connected to the corporate infrastructure), so candidates must remember that the key differentiator is the open security and different channel used to lure clients away from the legitimate AP.

How to eliminate wrong answers

Option A is wrong because war driving is the act of searching for Wi-Fi networks by moving around a location, not an attack that causes disconnections by presenting a malicious duplicate AP. Option B is wrong because a rogue access point is an unauthorized AP connected to the corporate network, often with the same security settings, whereas the described scenario involves an open, strong-signal AP on a different channel actively competing with the legitimate AP to cause client disconnections.

33
MCQhard

A company wants to ensure that only authorized users can access the internal network by requiring both a password and a one-time code from a mobile app. This is an example of:

A.Two-factor authentication
B.Single sign-on
C.Biometric authentication
D.Multifactor authentication with three factors
AnswerA

Two distinct factors (knowledge and possession) are required, making this two-factor authentication.

Why this answer

Two-factor authentication (2FA) requires exactly two distinct authentication factors from different categories: something you know (password) and something you have (one-time code from a mobile app). This matches the scenario precisely, as the password is a knowledge factor and the mobile app-generated code is a possession factor, satisfying the definition of 2FA.

Exam trap

CompTIA often tests the distinction between two-factor authentication and multifactor authentication, where candidates mistakenly think that using two different types of the same factor (e.g., two passwords) counts as 2FA, but the key is that the factors must come from different categories (knowledge, possession, inherence).

How to eliminate wrong answers

Option B is wrong because single sign-on (SSO) allows a user to authenticate once and access multiple systems without re-entering credentials, but it does not inherently require two different factors; it typically uses a single factor (e.g., password) or can be combined with 2FA, but the scenario explicitly describes two distinct factors, not just a single authentication event. Option C is wrong because biometric authentication uses a unique biological trait (e.g., fingerprint, face scan) as a single factor, not a combination of a password and a one-time code; the scenario does not involve any biometric element. Option D is wrong because multifactor authentication with three factors would require three distinct categories (e.g., knowledge, possession, and inherence), but the scenario only uses two factors (password and one-time code), so it is two-factor, not three-factor.

34
MCQmedium

A company wants to ensure that only authorized devices that comply with security policies (such as updated antivirus and OS patches) are allowed to connect to the internal network. Both wired and wireless connections are used. Which of the following security solutions would best enforce this requirement?

A.VPN
B.Network Access Control (NAC)
C.Access control list (ACL)
D.Intrusion prevention system (IPS)
AnswerB

NAC solutions like Cisco ISE or Aruba ClearPass can enforce security policies by scanning endpoints before allowing access and quarantining non-compliant devices.

Why this answer

Network Access Control (NAC) is the correct solution because it enforces security policies by inspecting the health and compliance of devices—such as checking for updated antivirus definitions and OS patches—before granting access to the network. NAC can operate on both wired (e.g., 802.1X) and wireless (e.g., WPA2-Enterprise with RADIUS) connections, blocking or quarantining non-compliant devices. This matches the requirement to ensure only authorized, policy-compliant devices connect.

Exam trap

The trap here is that candidates often confuse NAC with VPN or ACL, thinking VPN provides endpoint security or ACLs can enforce policy compliance, but NAC is the only solution that performs dynamic, policy-based admission control based on device health and authorization.

How to eliminate wrong answers

Option A (VPN) is wrong because a VPN provides encrypted tunnels for remote access or site-to-site connectivity, but it does not enforce endpoint compliance checks like antivirus or patch status; it assumes the device is already trusted or uses separate client checks that are not integrated into network admission. Option C (ACL) is wrong because an access control list filters traffic based on IP addresses, ports, or protocols at Layer 3/4, but it cannot assess device health or enforce security policies like antivirus updates or OS patch levels; ACLs are static and do not perform dynamic posture validation.

35
MCQeasy

A network administrator wants to ensure that only a specific laptop can connect to a particular switch port. The laptop's MAC address is known. Which security feature should be configured?

A.802.1X
B.Port security
C.DHCP snooping
D.BPDU guard
AnswerB

Port security allows the administrator to configure allowed MAC addresses per port, limiting access to specific devices. This directly meets the requirement.

Why this answer

Port security is the correct feature because it allows the administrator to statically configure the allowed MAC address on a specific switch port. Once configured, the switch will only forward traffic from that MAC address, dropping frames from any other source MAC. This directly fulfills the requirement to restrict access to a single known laptop.

Exam trap

Cisco often tests the distinction between port security (which controls MAC-level access on a single port) and 802.1X (which controls network access via authentication), leading candidates to mistakenly choose 802.1X because they associate it with 'security' and 'laptop access' without understanding the specific requirement of a static MAC binding.

How to eliminate wrong answers

Option A is wrong because 802.1X is a port-based network access control protocol that uses authentication (e.g., via RADIUS) to grant or deny access, but it does not statically bind a specific MAC address to a port; it authenticates the user or device dynamically. Option C is wrong because DHCP snooping is a security feature that filters untrusted DHCP messages and builds a DHCP snooping binding table, but it does not restrict which MAC address can connect to a specific switch port; it prevents rogue DHCP servers and IP spoofing.

36
MCQmedium

A company wants to enforce network access control such that only authenticated users can connect to the wired network. The authentication server will use RADIUS. Which IEEE standard should be implemented?

A.802.11i
B.802.1X
C.802.3af
D.802.1Q
AnswerB

802.1X provides port-based authentication for wired and wireless networks, using RADIUS or other authentication servers.

Why this answer

802.1X is the IEEE standard for port-based network access control (PNAC). It provides a framework for authenticating devices before granting access to a wired or wireless LAN, using an authentication server such as RADIUS. This directly meets the requirement to enforce network access control so that only authenticated users can connect to the wired network.

Exam trap

The trap here is that 802.11i sounds security-related and is often confused with 802.1X because both involve authentication, but 802.11i is strictly for wireless encryption (WPA2) and does not control port-based access on wired networks.

How to eliminate wrong answers

Option A (802.11i) is wrong because it is a wireless security standard that specifies encryption and authentication for Wi-Fi networks (WPA2), not wired network access control. Option C (802.3af) is wrong because it defines Power over Ethernet (PoE) delivery, which is unrelated to authentication or network access enforcement.

37
MCQmedium

A security analyst notices a large number of incoming TCP packets to a server with the FIN, PSH, and URG flags set. This pattern is characteristic of which type of network scan?

A.SYN scan
B.Xmas tree scan
C.Null scan
D.ACK scan
AnswerB

An Xmas tree scan sets the FIN, PSH, and URG flags. It is a stealthy technique used to probe open/closed ports.

Why this answer

An Xmas tree scan sends TCP packets with the FIN, PSH, and URG flags set (the packet 'lights up' like a Christmas tree). This is a stealth scan technique used to probe open or closed ports based on RFC 793 behavior: closed ports should respond with an RST packet, while open ports may ignore the packet (or respond differently depending on the OS). The pattern described—FIN, PSH, and URG all set—is the definitive signature of an Xmas tree scan.

Exam trap

CompTIA often tests the distinction between Xmas tree, Null, and SYN scans by focusing on the specific flag combinations, so the trap here is confusing the FIN/PSH/URG set (Xmas tree) with a Null scan (no flags) or a SYN scan (only SYN).

How to eliminate wrong answers

Option A is wrong because a SYN scan sends only the SYN flag set, not FIN, PSH, and URG. Option C is wrong because a Null scan sends a TCP packet with no flags set (all flags zero), not the combination of FIN, PSH, and URG. Option D is wrong because an ACK scan sends packets with only the ACK flag set, used to map firewall rules, not to detect open ports via the FIN/PSH/URG combination.
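The flag combinations contrasted in question 37 (Xmas tree, Null, SYN and ACK probes), as an added example that is not part of the question bank: a small classifier that maps a packet's TCP flag byte to the scan type it is characteristic of, then runs it over constructed firewall log lines (the log format is invented for this example) and reports which source addresses probed several ports with a stealth-scan signature.

```python
import re
from collections import defaultdict

# TCP flag bits as laid out in the flags byte of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}

# Flag combinations and the probe type each one is characteristic of
SCAN_SIGNATURES = {
    0: "null-scan",                 # no flags at all
    FIN | PSH | URG: "xmas-scan",   # FIN, PSH and URG "lit up"
    FIN: "fin-scan",
    SYN: "syn-probe",               # half-open scan, or simply a normal connection start
    ACK: "ack-probe",               # maps firewall rules rather than open ports
}
STEALTH_KINDS = {"null-scan", "xmas-scan", "fin-scan"}

def parse_flags(spec):
    """'FIN,PSH,URG' -> bitmask; '' -> 0 (no flags set)."""
    mask = 0
    for name in spec.split(","):
        name = name.strip().upper()
        if name:
            mask |= FLAG_BITS[name]
    return mask

def classify_probe(flags):
    """Return the scan type a single packet's flag combination points to."""
    return SCAN_SIGNATURES.get(flags, "other")

# Constructed log format (not any vendor's syntax): one packet per line
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>\S*)")

CONSTRUCTED_LOG = [
    "src=198.51.100.7 dst=10.0.0.5 dport=22 flags=FIN,PSH,URG",
    "src=198.51.100.7 dst=10.0.0.5 dport=80 flags=FIN,PSH,URG",
    "src=198.51.100.7 dst=10.0.0.5 dport=443 flags=FIN,PSH,URG",
    "src=198.51.100.7 dst=10.0.0.5 dport=8080 flags=FIN,PSH,URG",
    "src=203.0.113.9 dst=10.0.0.5 dport=443 flags=SYN",       # ordinary handshake
    "src=203.0.113.9 dst=10.0.0.5 dport=443 flags=ACK",
    "src=203.0.113.9 dst=10.0.0.5 dport=443 flags=PSH,ACK",
    "src=192.0.2.44 dst=10.0.0.5 dport=25 flags=",            # Null scan, two ports only
    "src=192.0.2.44 dst=10.0.0.5 dport=110 flags=",
]

def scan_report(lines, min_ports=3):
    """Per source that sent stealth-scan flag combinations: the kinds seen, the distinct
    destination ports probed, and whether the port count reached min_ports."""
    report = defaultdict(lambda: {"kinds": set(), "ports": set(), "suspicious": False})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        kind = classify_probe(parse_flags(m["flags"]))
        if kind in STEALTH_KINDS:
            entry = report[m["src"]]
            entry["kinds"].add(kind)
            entry["ports"].add(int(m["dport"]))
            entry["suspicious"] = len(entry["ports"]) >= min_ports
    return dict(report)
```

The classifier works on a single packet, which is all the question asks for; the per-source port count is what turns a signature match into something worth alerting on, since a lone FIN/PSH/URG packet can also be a broken stack.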

38
MCQhard

A company is implementing 802.1X port-based authentication on its wired network to control access. The network uses Active Directory for user accounts. Which type of server must be deployed to authenticate clients connecting to the switch ports?

A.A DNS server
B.A DHCP server
C.A RADIUS server
D.A Kerberos server
AnswerC

RADIUS is the standard protocol for 802.1X authentication. The switch acts as a RADIUS client, sending authentication requests to the RADIUS server, which validates credentials against an identity store (e.g., Active Directory).

Why this answer

802.1X port-based authentication requires a RADIUS server to act as the authentication server that validates client credentials against the identity store (Active Directory). The switch (authenticator) forwards EAP frames from the client (supplicant) to the RADIUS server, which checks the credentials and instructs the switch to grant or deny port access.

Exam trap

Cisco often tests the misconception that because Active Directory uses Kerberos, a Kerberos server can directly authenticate switch ports, but 802.1X mandates a RADIUS server as the intermediary that translates EAP frames into authentication requests the switch can process.

How to eliminate wrong answers

Option A is wrong because a DNS server resolves hostnames to IP addresses and plays no role in authenticating users or controlling port access. Option B is wrong because a DHCP server assigns IP addresses dynamically but does not perform authentication or enforce port-based access control. Option D is wrong because Kerberos is a ticket-based authentication protocol used within Active Directory for domain logon, but 802.1X requires a RADIUS server to mediate authentication between the switch and the identity store; the switch cannot directly process Kerberos tickets.
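The three 802.1X roles from questions 36 and 38, modelled end to end as an added example (not code from the question bank or from any vendor): a supplicant, an authenticator that only relays EAP inside RADIUS and opens the port on Access-Accept, and a RADIUS server that checks the credential against an identity store. The identity store, the shared secret and the use of EAP-MD5 as the inner method are constructed for illustration; the Response Authenticator and EAP-MD5 computations follow RFC 2865 and RFC 3748 respectively.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 Response Authenticator: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def eap_md5_response(eap_id, password, challenge):
    """EAP-MD5-Challenge response value (RFC 3748 section 5.4): MD5(Identifier | password | challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()

class RadiusServer:
    """Authentication server: the only party that ever consults the identity store."""

    def __init__(self, secret, identity_store):
        self.secret = secret
        self.store = identity_store     # stands in for the Active Directory lookup
        self.pending = {}               # user -> challenge issued, awaiting the EAP response

    def handle(self, req):
        if "eap_response" not in req:                       # EAP-Response/Identity arrived
            challenge = os.urandom(16)
            self.pending[req["user"]] = challenge
            code, attrs = ACCESS_CHALLENGE, challenge       # carries EAP-Request/MD5-Challenge
        else:
            password = self.store.get(req["user"])
            challenge = self.pending.pop(req["user"], None)
            ok = (password is not None and challenge is not None and
                  hmac.compare_digest(eap_md5_response(req["eap_id"], password, challenge),
                                      req["eap_response"]))
            code, attrs = (ACCESS_ACCEPT, b"EAP-Success") if ok else (ACCESS_REJECT, b"EAP-Failure")
        return {"code": code, "id": req["id"], "attrs": attrs,
                "authenticator": response_authenticator(code, req["id"], attrs,
                                                        req["authenticator"], self.secret)}

class Supplicant:
    def __init__(self, user, password):
        self.user, self.password = user, password

    def identity(self):
        return self.user

    def answer(self, eap_id, challenge):          # the password never leaves the client
        return eap_md5_response(eap_id, self.password, challenge)

class Authenticator:
    """The switch port: relays EAP in RADIUS attributes and authorizes the port only on Access-Accept."""

    def __init__(self, secret, server):
        self.secret, self.server = secret, server
        self.port_authorized = False
        self.next_id = 0

    def _radius(self, fields):
        self.next_id = (self.next_id + 1) % 256
        request_auth = os.urandom(16)                  # Request Authenticator, fresh per request
        reply = self.server.handle({"id": self.next_id, "authenticator": request_auth, **fields})
        expected = response_authenticator(reply["code"], reply["id"], reply["attrs"],
                                          request_auth, self.secret)
        if not hmac.compare_digest(expected, reply["authenticator"]):
            raise ValueError("RADIUS reply failed the Response Authenticator check "
                             "(wrong shared secret or forged reply)")
        return reply

    def authenticate(self, supplicant):
        user = supplicant.identity()                              # EAP-Response/Identity
        challenge = self._radius({"user": user})                  # Access-Request -> Access-Challenge
        if challenge["code"] != ACCESS_CHALLENGE:
            return False
        eap_id = challenge["id"]        # simplification: EAP identifier carried as the RADIUS ID
        answer = supplicant.answer(eap_id, challenge["attrs"])    # relayed EAP-Response/MD5-Challenge
        result = self._radius({"user": user, "eap_id": eap_id, "eap_response": answer})
        self.port_authorized = result["code"] == ACCESS_ACCEPT
        return self.port_authorized

def run_8021x(user, password, identity_store=None, secret=b"constructed-shared-secret"):
    """Run the whole exchange against a constructed identity store; True if the port is authorized."""
    store = identity_store if identity_store is not None else {"alice": b"correct horse battery"}
    switch = Authenticator(secret, RadiusServer(secret, store))
    return switch.authenticate(Supplicant(user, password))
```

Two things the model makes visible that the prose only states: the switch never sees a password, only opaque EAP payloads it forwards, and the switch must share a secret with the RADIUS server, because a reply whose Response Authenticator does not verify is rejected rather than trusted to open the port.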

39
MCQmedium

A network security analyst notices that the firewall is logging traffic on the external interface that has a source IP address of 10.0.1.5, which is within the internal network range. This is most likely the result of which type of attack?

A.DNS poisoning
B.IP spoofing
C.ARP poisoning
D.VLAN hopping
AnswerB

IP spoofing involves crafting packets with a forged source IP address to impersonate an internal host.

Why this answer

The firewall is logging traffic on its external interface with a source IP address from the internal RFC 1918 range (10.0.1.5). This indicates the source IP has been forged, because private IP addresses should never appear as source addresses on a public-facing interface. This is the classic signature of an IP spoofing attack, where the attacker modifies the source IP in the packet header to impersonate an internal host.

Exam trap

The trap here is that candidates confuse IP spoofing with ARP poisoning, because both involve address impersonation, but ARP poisoning is a Layer 2 attack confined to the local subnet, whereas IP spoofing can originate from anywhere on the Internet and is visible on the external interface.

How to eliminate wrong answers

Option A is wrong because DNS poisoning involves corrupting DNS resolver caches or zone data to redirect traffic to malicious sites, not forging source IP addresses on firewall logs. Option C is wrong because ARP poisoning operates at Layer 2 within a broadcast domain, manipulating ARP tables to intercept traffic, and would not cause a private IP to appear on an external firewall interface. Option D is wrong because VLAN hopping exploits trunk port misconfigurations (e.g., double tagging or switch spoofing) to gain access to traffic on other VLANs, and does not involve forging source IP addresses on an external interface.
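The check that produces the log entry in question 39, written out as an added example (not from the question bank): an anti-spoofing filter that drops packets arriving on the outside interface with an internal or otherwise unroutable source, and symmetrically drops packets leaving the inside with a source that is not ours. The interface names, prefixes and log format are constructed; the RFC 5737 documentation ranges stand in for real public addresses.

```python
import ipaddress
import re

# Internal ranges (RFC 1918 here; adjust to the site's own allocations) and other prefixes
# that can never be a legitimate source of traffic arriving from the Internet
INTERNAL = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NEVER_ROUTED = [ipaddress.ip_network(p) for p in
                ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def spoof_verdict(iface, src):
    """Reason to drop the packet under ingress/egress anti-spoofing rules, or None to pass it."""
    addr = ipaddress.ip_address(src)
    if iface == "outside":
        if any(addr in net for net in INTERNAL):
            return "internal-source-on-external-interface"   # the pattern in the question
        if any(addr in net for net in NEVER_ROUTED):
            return "unroutable-source-on-external-interface"
    elif iface == "inside":
        if not any(addr in net for net in INTERNAL):
            return "external-source-on-internal-interface"   # an inside host spoofing outward
    return None

# Constructed firewall log lines (format invented for this example);
# 203.0.113.10 plays the firewall's public address
CONSTRUCTED_LOG = [
    "iface=outside src=10.0.1.5 dst=203.0.113.10 proto=tcp dport=443",
    "iface=outside src=198.51.100.23 dst=203.0.113.10 proto=tcp dport=443",
    "iface=outside src=127.0.0.1 dst=203.0.113.10 proto=udp dport=53",
    "iface=inside src=10.0.1.5 dst=198.51.100.23 proto=tcp dport=80",
    "iface=inside src=192.0.2.9 dst=198.51.100.23 proto=tcp dport=80",
]
LINE_RE = re.compile(r"iface=(?P<iface>\S+) src=(?P<src>\S+)")

def audit(lines):
    """Return [(iface, src, reason)] for every line the anti-spoofing rules would drop."""
    drops = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            reason = spoof_verdict(m["iface"], m["src"])
            if reason:
                drops.append((m["iface"], m["src"], reason))
    return drops
```

The inside-interface rule is the half people forget: it stops the site's own hosts from being used to spoof other people's addresses, which is the point of the ingress-filtering practice described in BCP 38.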

40
MCQhard

A security analyst has enabled DHCP snooping on all VLANs of the company's switches to mitigate the risk of rogue DHCP servers. After implementation, the analyst discovers that clients are still receiving IP addresses from an unauthorized DHCP server. The unauthorized server is connected to a switch port that is currently configured as a trusted port. What should the analyst do to stop the rogue DHCP server from offering addresses?

A.Enable Dynamic ARP Inspection on the VLAN.
B.Change the port connecting the unauthorized server to an untrusted port.
C.Configure port security on the unauthorized server's port to limit MAC addresses.
D.Increase the rate limit on the unauthorized server's port.
AnswerB

DHCP snooping treats trusted ports as authorized sources of DHCP offers. By making the port untrusted, the switch will drop any DHCP server messages received on that port.

Why this answer

DHCP snooping operates by designating switch ports as either trusted or untrusted. Trusted ports are allowed to send DHCP server messages (OFFER, ACK), while untrusted ports are blocked from sending such messages. Since the rogue server is connected to a trusted port, it can still offer IP addresses.

Changing the port to untrusted will cause the switch to drop all DHCP server messages from that port, stopping the rogue server.

Exam trap

CompTIA often tests the misconception that DHCP snooping alone blocks all rogue servers, but the trap is that it only works if the rogue server's port is correctly classified as untrusted; candidates may forget that a trusted port bypasses all DHCP snooping filtering.

How to eliminate wrong answers

Option A is wrong because Dynamic ARP Inspection (DAI) validates ARP packets, not DHCP messages; it does not prevent a rogue DHCP server from offering addresses. Option C is wrong because port security limits the number of MAC addresses on a port but does not inspect or block DHCP server messages; the rogue server could still send DHCPOFFERs. Option D is wrong because increasing the rate limit would allow more DHCP packets, not block them; rate limiting is used to prevent DoS attacks, not to enforce DHCP snooping trust boundaries.

41
MCQhard

An attacker intercepts communication between two parties and is able to modify the data in transit without either party's knowledge. Which type of attack is this?

A.Man-in-the-middle
B.ARP spoofing
C.DNS poisoning
D.Replay attack
AnswerA

A man-in-the-middle attack precisely describes an attacker intercepting and modifying communications between two endpoints without their knowledge.

Why this answer

A man-in-the-middle (MITM) attack occurs when an adversary secretly intercepts and potentially alters the communication between two parties who believe they are directly communicating with each other. The attacker can modify data in transit without either party's knowledge by placing themselves in the logical or physical path of the data flow, often by exploiting weaknesses in authentication or encryption. This matches the scenario described, where the attacker both intercepts and modifies the data.

Exam trap

Cisco often tests the distinction between the attack type (MITM) and the technique used to achieve it (ARP spoofing, DNS poisoning), so candidates mistakenly select the technique rather than the overarching attack described in the scenario.

How to eliminate wrong answers

Option B (ARP spoofing) is wrong because ARP spoofing is a specific technique used to achieve a man-in-the-middle position on a local network by sending forged ARP replies to associate the attacker's MAC address with the IP address of a legitimate host, but it is not the attack itself—it is a method to enable an MITM attack. Option C (DNS poisoning) is wrong because DNS poisoning corrupts the DNS cache to redirect traffic to a malicious server, which can facilitate an MITM attack, but the attack described is the interception and modification of data in transit, not the redirection itself. Option D (Replay attack) is wrong because a replay attack involves capturing and retransmitting valid data to trick the receiver, not modifying the data in transit; the attacker in a replay attack does not alter the payload.

42
MCQeasy

A network administrator wants to prevent unauthorized devices from being plugged into switch ports. Only devices with specific MAC addresses should be allowed on each port. Which switch security feature should be enabled?

A.DHCP snooping
B.Dynamic ARP inspection
C.Port security
D.802.1X
AnswerC

Correct. Port security limits the MAC addresses that can communicate through a switch port, preventing unauthorized devices from connecting.

Why this answer

Port security is the correct feature because it allows the administrator to restrict which MAC addresses can communicate through a switch port. By configuring allowed MAC addresses (sticky or static), any device with an unknown MAC address attempting to send traffic will trigger a security violation (shutdown, restrict, or protect). This directly addresses the requirement to prevent unauthorized devices from being plugged into switch ports.

Exam trap

CompTIA often tests the distinction between port security (MAC-based access control) and 802.1X (authentication-based access control), leading candidates to incorrectly choose 802.1X when the question explicitly mentions 'specific MAC addresses' rather than user credentials or certificates.

How to eliminate wrong answers

Option A is wrong because DHCP snooping is a security feature that filters untrusted DHCP messages and builds a DHCP snooping binding table, but it does not restrict which MAC addresses can be plugged into a port. Option B is wrong because Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table to prevent ARP spoofing, but it does not control which devices are physically connected to a port. Option D is wrong because 802.1X is a port-based network access control (PNAC) protocol that uses authentication (EAP) to grant or deny network access, but it does not rely on a static list of MAC addresses; it requires a RADIUS server and credentials or certificates.
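Port security as described in question 42, modelled per port as an added example (not code from the question bank or from any switch vendor): a maximum number of allowed source MACs, learned sticky or configured static, and the three violation modes the explanation names. The port name, MAC addresses and frame sequence are constructed.

```python
class SecurePort:
    """One access port with port security: at most `maximum` source MACs, learned
    sticky or configured static, and one of three violation modes."""

    def __init__(self, name, maximum=1, violation="shutdown", static=()):
        if violation not in ("shutdown", "restrict", "protect"):
            raise ValueError("violation mode must be shutdown, restrict or protect")
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.allowed = set(static)      # static entries count toward the maximum
        self.err_disabled = False
        self.violation_count = 0        # incremented in shutdown and restrict modes
        self.dropped = 0

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for an ingress frame with this source MAC."""
        if self.err_disabled:
            self.dropped += 1
            return "drop"
        if src_mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.maximum:
            self.allowed.add(src_mac)   # sticky learning: first MACs seen become the allowed set
            return "forward"
        # Table full and the source is unknown: a security violation
        self.dropped += 1
        if self.violation == "shutdown":
            self.err_disabled = True    # port stays err-disabled until recovered by an admin
            self.violation_count += 1
        elif self.violation == "restrict":
            self.violation_count += 1   # frame dropped, counter and log entry, port stays up
        # "protect": frame dropped silently, nothing counted or logged
        return "drop"

    def recover(self):
        """Administrative recovery of an err-disabled port (shut / no shut)."""
        self.err_disabled = False

def simulate(violation, frames=None, maximum=1):
    """Run a constructed frame sequence through one port; return (outcomes, port)."""
    frames = frames or ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01",
                        "aa:bb:cc:00:00:02",   # an unauthorized second device
                        "aa:bb:cc:00:00:01"]   # the legitimate device again
    port = SecurePort("Gi1/0/1", maximum=maximum, violation=violation)
    return [port.receive(mac) for mac in frames], port
```

The fourth frame is the one to watch: in shutdown mode the legitimate device is cut off too, because the whole port went err-disabled, while restrict and protect only drop the offending frames. That difference is the operational trade-off behind choosing a violation mode.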

43
MCQhard

A security administrator is configuring a firewall to allow remote employees to access the company's internal web server (port 443) from the internet. The web server has an internal IP address of 10.0.0.5. The firewall has a public IP of 203.0.113.10. Which type of firewall rule should be created?

A.Port forwarding (DNAT) rule
B.Allow rule with source any, destination 10.0.0.5, port 443
C.Access control list on the internal interface
D.VPN rule to require remote access VPN
AnswerA

Correct. Port forwarding translates the destination IP and port of incoming traffic from the public IP to the private IP of the web server, allowing external access.

Why this answer

A port forwarding (DNAT) rule is required because the web server uses a private RFC 1918 IP address (10.0.0.5), which is not routable on the public internet. The firewall must translate the destination IP from its public address (203.0.113.10) to the internal server's private address, allowing inbound traffic on port 443 to reach the correct internal host.

Exam trap

The trap here is that candidates often confuse a simple 'allow' rule with the necessary NAT translation, failing to realize that without DNAT, the firewall has no way to forward the packet to the private IP address of the internal server.

How to eliminate wrong answers

Option B is wrong because a simple allow rule with destination 10.0.0.5 would never be matched by traffic arriving from the internet, as the packet's destination IP is the firewall's public IP (203.0.113.10), not the private IP. Option C is wrong because an access control list on the internal interface would only filter traffic already inside the network, not handle the necessary destination address translation for inbound internet traffic. Option D is wrong because a VPN rule is not required for this scenario; the question explicitly states the goal is to allow direct access to the web server from the internet, not to require a VPN tunnel.
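Why the plain allow rule in option B cannot match on its own, shown as an added example (not from the question bank): a minimal firewall pipeline that applies destination NAT first and only then evaluates the filter rules, plus the reverse translation the server's replies need. The rule-table fields and the inbound packet are constructed; the addresses are the ones in the question.

```python
PUBLIC_IP, SERVER_IP, HTTPS = "203.0.113.10", "10.0.0.5", 443

# Destination NAT table: traffic to the public address and port is rewritten to the server
DNAT_RULES = [{"match": (PUBLIC_IP, HTTPS), "translate": (SERVER_IP, HTTPS)}]

# Filter rules consulted after NAT for traffic entering from the outside interface
FILTER_RULES = [
    {"dst": SERVER_IP, "dport": HTTPS, "action": "allow"},   # option B's rule
    {"dst": "any", "dport": None, "action": "deny"},        # implicit deny at the end
]

def apply_dnat(pkt, rules=DNAT_RULES):
    """Rewrite the destination if a DNAT rule matches; remember the original for the reply path."""
    for rule in rules:
        if (pkt["dst"], pkt["dport"]) == rule["match"]:
            ip, port = rule["translate"]
            return {**pkt, "dst": ip, "dport": port, "orig_dst": rule["match"]}
    return pkt

def filter_decision(pkt, rules=FILTER_RULES):
    """First-match evaluation; anything unmatched is denied."""
    for rule in rules:
        if rule["dst"] in ("any", pkt["dst"]) and rule["dport"] in (None, pkt["dport"]):
            return rule["action"]
    return "deny"

def process_inbound(pkt, with_dnat=True):
    """Return (decision, packet as the filter saw it)."""
    seen = apply_dnat(pkt) if with_dnat else pkt
    return filter_decision(seen), seen

def translate_reply(reply, inbound_state):
    """Reverse translation: the server's reply must leave with the public address as source."""
    if "orig_dst" in inbound_state and \
            (reply["src"], reply["sport"]) == (inbound_state["dst"], inbound_state["dport"]):
        ip, port = inbound_state["orig_dst"]
        return {**reply, "src": ip, "sport": port}
    return reply

# Constructed inbound packet from a remote employee
INBOUND = {"src": "198.51.100.23", "sport": 51514, "dst": PUBLIC_IP, "dport": HTTPS}
```

With DNAT in place the allow rule for 10.0.0.5 does match, so in practice both pieces are needed; the question asks for the one that makes the difference, and without the translation the packet still carries 203.0.113.10 as its destination when the filter looks at it.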

44
MCQmedium

A security analyst notices that the DHCP server is responding to a large number of DHCP Discover messages from a single MAC address, but that client never sends a DHCP Request to complete the lease. This pattern repeats continuously. Which type of attack is most likely occurring?

A.ARP poisoning
B.DNS amplification
C.DHCP starvation
D.Rogue DHCP server
AnswerC

The scenario describes a classic DHCP starvation attack. The attacker floods the DHCP server with Discover messages, causing it to exhaust its address pool. Legitimate clients then cannot obtain IP addresses.

Why this answer

Option C is correct because the described behavior—a single MAC address sending continuous DHCP Discover messages without completing the lease with a DHCP Request—is the hallmark of a DHCP starvation attack. The attacker exhausts the DHCP server's IP address pool by claiming all available leases, preventing legitimate clients from obtaining IP addresses. This attack targets the DHCP protocol's four-step DORA (Discover, Offer, Request, Acknowledge) process by never completing the handshake.

Exam trap

The trap here is that candidates confuse DHCP starvation with a rogue DHCP server attack, but the key distinction is that starvation exhausts the legitimate server's pool via incomplete handshakes, while a rogue server offers its own IPs to intercept traffic.

How to eliminate wrong answers

Option A is wrong because ARP poisoning involves sending forged ARP replies to associate the attacker's MAC address with a legitimate IP, not flooding DHCP Discover messages. Option B is wrong because DNS amplification is a reflection-based DDoS attack that uses open DNS resolvers to flood a victim with amplified traffic, not DHCP messages. Option D is wrong because a rogue DHCP server attack involves an unauthorized server offering IP addresses to clients, not a single MAC address flooding Discover messages to exhaust the legitimate server's pool.
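The pattern question 44 describes, turned into detection logic as an added example (not from the question bank): count DHCP message types per client hardware address and flag clients that keep sending DISCOVER, collect OFFERs, and never send the REQUEST that would complete DORA. The log format, MAC addresses and lease addresses are constructed.

```python
import re
from collections import defaultdict

DHCP_OPS = ("DISCOVER", "OFFER", "REQUEST", "ACK")
LINE_RE = re.compile(r"op=(?P<op>[A-Z]+) chaddr=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})")

# Constructed log: the host at aa:bb:cc:00:00:01 completes a normal lease, while
# aa:bb:cc:00:00:99 sends DISCOVER after DISCOVER and never answers an OFFER
CONSTRUCTED_LOG = (
    ["t=0.0 op=DISCOVER chaddr=aa:bb:cc:00:00:01 xid=0x1a2b",
     "t=0.1 op=OFFER chaddr=aa:bb:cc:00:00:01 yiaddr=10.0.1.20",
     "t=0.2 op=REQUEST chaddr=aa:bb:cc:00:00:01 xid=0x1a2b",
     "t=0.3 op=ACK chaddr=aa:bb:cc:00:00:01 yiaddr=10.0.1.20"]
    + [f"t={1 + i * 0.2:.1f} op=DISCOVER chaddr=aa:bb:cc:00:00:99 xid=0x{0x2000 + i:x}"
       for i in range(8)]
    + [f"t={1.1 + i * 0.2:.1f} op=OFFER chaddr=aa:bb:cc:00:00:99 yiaddr=10.0.1.{30 + i}"
       for i in range(8)]
)

def dora_counts(lines):
    """Per client hardware address, how many of each DHCP message type appeared.
    OFFER and ACK come from the server but carry the client's MAC in chaddr."""
    counts = defaultdict(lambda: dict.fromkeys(DHCP_OPS, 0))
    for line in lines:
        m = LINE_RE.search(line)
        if m and m["op"] in DHCP_OPS:
            counts[m["mac"]][m["op"]] += 1
    return dict(counts)

def starvation_suspects(lines, min_discovers=5, max_completion=0.2):
    """Clients that send many DISCOVERs but complete few or none of them with a REQUEST."""
    suspects = {}
    for mac, c in dora_counts(lines).items():
        completion = c["REQUEST"] / c["DISCOVER"] if c["DISCOVER"] else 1.0
        if c["DISCOVER"] >= min_discovers and completion <= max_completion:
            suspects[mac] = {"discovers": c["DISCOVER"], "offers": c["OFFER"],
                             "requests": c["REQUEST"]}
    return suspects
```

The completion ratio rather than the raw DISCOVER count is what separates starvation from a busy but healthy segment: a lab full of machines booting at once produces many DISCOVERs too, but nearly all of them are followed by a REQUEST.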

45
MCQeasy

A security analyst notices that the company's web server is receiving a high volume of TCP SYN packets from a single source IP address, but the server is not completing the three-way handshake. Which type of attack is most likely occurring?

A.SYN flood
B.Smurf attack
C.Ping of death
D.ARP poisoning
AnswerA

Correct. A SYN flood is a DoS attack that sends numerous SYN packets, leaving half-open connections and consuming server resources.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets from a spoofed or single source IP without completing the handshake. The server allocates resources for each half-open connection, eventually exhausting its connection table and denying service to legitimate users. This matches the scenario where the server receives many SYN packets but never completes the handshake.

Exam trap

CompTIA often tests the distinction between a SYN flood and a Smurf attack by describing a flood of packets from a single source—candidates confuse the ICMP-based Smurf attack with the TCP-based SYN flood because both involve flooding, but the protocol and mechanism are completely different.

How to eliminate wrong answers

Option B (Smurf attack) is wrong because it uses ICMP echo requests sent to a broadcast address with a spoofed source IP, causing all hosts on the network to reply to the victim, overwhelming it with ICMP traffic—not TCP SYN packets. Option C (Ping of death) is wrong because it involves sending an oversized or malformed ICMP packet that causes a buffer overflow on the target, not a flood of TCP SYN packets. Option D (ARP poisoning) is wrong because it manipulates ARP tables to intercept traffic on a local network segment, not to overwhelm a server with TCP SYN packets.

46
MCQhard

A security analyst notices that an attacker is sending crafted packets with overlapping IP fragments to a target server, causing the server to crash. Which type of attack is described?

A.Teardrop attack
B.Smurf attack
C.Ping flood
D.SYN flood
AnswerA

The Teardrop attack exploits overlapping IP fragments, matching the description.

Why this answer

This is a Teardrop attack, which exploits a vulnerability in the IP fragmentation reassembly process. The attacker sends a series of fragmented IP packets with intentionally overlapping fragment offsets, causing the target system to miscalculate the size of the reassembled packet, leading to a buffer overflow and system crash. This attack specifically targets the IP stack's handling of fragment offset fields in the IP header.

Exam trap

CompTIA often tests the distinction between attacks that exploit protocol logic flaws (like Teardrop) versus volumetric or handshake-based attacks, so candidates may confuse Teardrop with a SYN flood because both can cause crashes, but the key difference is that Teardrop targets IP fragmentation, not TCP state exhaustion.

How to eliminate wrong answers

Option B is wrong because a Smurf attack uses ICMP echo requests (pings) sent to a network's broadcast address with a spoofed source IP, causing all hosts on that network to reply to the victim, overwhelming it with traffic — it does not involve IP fragmentation. Option C is wrong because a Ping flood is a simple volumetric denial-of-service attack that sends a high volume of ICMP echo request packets to consume bandwidth and CPU, not crafted overlapping fragments. Option D is wrong because a SYN flood exploits the TCP three-way handshake by sending a flood of TCP SYN packets with spoofed source IPs, leaving half-open connections and exhausting server resources — it does not manipulate IP fragmentation.
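The reassembly rule whose absence question 46 describes, written as a defender's reassembler in an added example (not from the question bank): fragments are tracked as byte spans, and any fragment whose span intersects one already held, extends past the final fragment, or breaks the 8-byte alignment rule is rejected with an error instead of being trusted. Header parsing is reduced to (offset in 8-byte units, more-fragments flag, payload); all fragments below are constructed.

```python
class FragmentError(ValueError):
    """Raised when a fragment set violates the reassembly rules and must be discarded."""

class Reassembler:
    """Collects the fragments of one datagram (same source, destination, ID and protocol)
    and rebuilds it. Offsets are in 8-byte units as in the IP header."""

    MAX_DATAGRAM = 65535

    def __init__(self):
        self.ranges = []       # (start, end) byte spans already held
        self.chunks = {}       # start -> payload bytes
        self.total_len = None  # set once the fragment with MF=0 arrives

    def add(self, offset, more_fragments, payload):
        """Feed one fragment; returns the datagram once complete, otherwise None."""
        start, end = offset * 8, offset * 8 + len(payload)
        if more_fragments and len(payload) % 8:
            raise FragmentError("non-final fragment length must be a multiple of 8")
        if end > self.MAX_DATAGRAM:
            raise FragmentError("fragment extends past the maximum datagram size")
        if self.total_len is not None and end > self.total_len:
            raise FragmentError("fragment extends past the final fragment")
        for s, e in self.ranges:
            if start < e and s < end:          # byte spans intersect: the overlap Teardrop relies on
                raise FragmentError(f"fragment {start}-{end} overlaps held span {s}-{e}")
        if not more_fragments:
            if self.total_len is not None:
                raise FragmentError("second final fragment")
            if any(e > end for _, e in self.ranges):
                raise FragmentError("held fragment extends past the final fragment")
            self.total_len = end
        self.ranges.append((start, end))
        self.chunks[start] = payload
        return self._assemble()

    def _assemble(self):
        if self.total_len is None:
            return None
        pos = 0
        for s, e in sorted(self.ranges):
            if s != pos:
                return None                    # hole: keep waiting for the missing fragment
            pos = e
        if pos != self.total_len:
            return None
        return b"".join(self.chunks[s] for s, _ in sorted(self.ranges))

def reassemble(fragments):
    """fragments: iterable of (offset, more_fragments, payload).
    Returns the datagram, None if incomplete, or raises FragmentError."""
    r = Reassembler()
    result = None
    for off, mf, data in fragments:
        result = r.add(off, mf, data)
    return result
```

Rejecting overlaps outright is stricter than what some stacks do (they define which copy wins), but it is the simplest correct policy for a sensor or host that does not need to tolerate retransmission quirks, and it makes the failure visible instead of silent.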

47
MCQhard

A security analyst detects a large number of DNS queries for the same domain from multiple internal hosts. The responses contain large payloads. Which type of attack is likely occurring?

A.DNS cache poisoning
B.DNS amplification
C.DNS tunneling
D.DNS zone transfer
AnswerB

DNS amplification uses small queries to trigger large responses, overwhelming the target with traffic.

Why this answer

DNS amplification is a type of reflection-based DDoS attack where an attacker sends a small query (e.g., ANY or DNSSEC-signed record request) with a spoofed source IP (the victim's address) to an open DNS resolver. The resolver responds with a large payload (often 50–100x larger than the query), flooding the victim's network. The scenario describes many internal hosts making queries to the same domain and receiving large responses, which matches the amplification effect from a compromised or misconfigured internal resolver.

Exam trap

CompTIA often tests the distinction between DNS amplification and DNS cache poisoning by describing 'large payloads' and 'many hosts' — the trap is that candidates confuse the reflection/amplification mechanism with the cache corruption of poisoning, but amplification focuses on traffic volume, not record integrity.

How to eliminate wrong answers

Option A is wrong because DNS cache poisoning (also called DNS spoofing) involves injecting forged DNS records into a resolver's cache to redirect traffic to malicious sites, not generating large payloads from many hosts. Option C is wrong because DNS tunneling encodes non-DNS data (e.g., SSH, HTTP) within DNS queries and responses to bypass firewalls, but it does not inherently produce large payloads from many hosts querying the same domain. Option D is wrong because a DNS zone transfer is a legitimate replication mechanism between authoritative DNS servers (using AXFR/IXFR), not an attack that causes large responses to multiple internal hosts.
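The two signals the explanation of question 47 relies on, large responses and many hosts asking for the same name, measured in an added example (not from the question bank): group query and response records by name and type, compute the response-to-query byte ratio, and flag groups that are both highly amplified and widely requested. The records, addresses and sizes are constructed.

```python
from collections import defaultdict

# Constructed DNS records as a resolver or sensor would see them:
# (direction, client, qname, qtype, bytes on the wire)
CONSTRUCTED_RECORDS = [
    ("query", "10.0.5.11", "example.net", "ANY", 64),
    ("response", "10.0.5.11", "example.net", "ANY", 3200),
    ("query", "10.0.5.12", "example.net", "ANY", 64),
    ("response", "10.0.5.12", "example.net", "ANY", 3200),
    ("query", "10.0.5.13", "example.net", "ANY", 64),
    ("response", "10.0.5.13", "example.net", "ANY", 3200),
    ("query", "10.0.5.14", "example.net", "ANY", 64),
    ("response", "10.0.5.14", "example.net", "ANY", 3200),
    ("query", "10.0.5.11", "www.example.com", "A", 48),      # ordinary lookups for contrast
    ("response", "10.0.5.11", "www.example.com", "A", 96),
    ("query", "10.0.5.12", "www.example.com", "A", 48),
    ("response", "10.0.5.12", "www.example.com", "A", 96),
]

def amplification_report(records, min_ratio=10.0, min_hosts=3):
    """Group by (qname, qtype); return the groups whose response/query byte ratio is at
    least min_ratio and which at least min_hosts distinct clients asked for."""
    groups = defaultdict(lambda: {"hosts": set(), "query_bytes": 0, "response_bytes": 0})
    for direction, client, qname, qtype, size in records:
        g = groups[(qname, qtype)]
        if direction == "query":
            g["hosts"].add(client)
            g["query_bytes"] += size
        else:
            g["response_bytes"] += size
    flagged = {}
    for key, g in groups.items():
        ratio = g["response_bytes"] / g["query_bytes"] if g["query_bytes"] else 0.0
        if ratio >= min_ratio and len(g["hosts"]) >= min_hosts:
            flagged[key] = {"ratio": round(ratio, 1), "hosts": len(g["hosts"])}
    return flagged
```

The ratio is the amplification factor the explanation quotes; the host count is what distinguishes an attack from one application legitimately fetching a large record. Both thresholds should be tuned against the site's normal traffic before alerting on them.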

48
MCQhard

A company's public web server is experiencing a flood of TCP SYN packets from multiple external IP addresses. The server's connection table is full, causing new legitimate connections to be dropped. Which of the following mitigation techniques should be implemented to protect the server while still allowing legitimate traffic?

A.Implement SYN cookies on the server.
B.Increase the server's TCP connection backlog.
C.Enable bogon filtering on the perimeter firewall.
D.Deploy an intrusion prevention system (IPS) with signature detection.
AnswerA

SYN cookies encode connection information in the SYN-ACK response, enabling the server to remain stateless until the handshake completes. This prevents the connection table from filling up.

Why this answer

SYN cookies allow the server to avoid storing connection state in the TCP backlog until the three-way handshake completes. When the SYN flood fills the connection table, the server encodes the initial sequence number (ISN) with cryptographic information about the connection, enabling it to verify the ACK from a legitimate client without consuming table entries. This technique preserves resources for legitimate traffic while dropping spoofed or incomplete handshakes.

Exam trap

Cisco often tests the misconception that increasing the TCP backlog (Option B) is a viable defense against SYN floods, but candidates must recognize that backlog tuning only delays exhaustion, whereas SYN cookies provide a stateless, scalable solution.

How to eliminate wrong answers

Option B is wrong because increasing the TCP connection backlog only raises the threshold for the queue size, but a SYN flood will still fill the larger queue and cause drops; it does not prevent resource exhaustion. Option C is wrong because bogon filtering blocks traffic from invalid or private IP addresses, but the attack uses multiple external IPs that are likely routable and legitimate-looking, so bogon filtering would not stop the flood. Option D is wrong because an IPS with signature detection can identify and block known attack patterns, but it may not keep pace with a high-volume SYN flood and can introduce latency; more importantly, it does not address the server's connection table exhaustion directly, whereas SYN cookies are a lightweight, stateless mitigation at the server itself.

49
MCQhard

A security engineer is configuring a site-to-site VPN between two branch offices. The requirement is to encrypt all traffic between the two networks using IPsec. Which IPsec mode should be used to encrypt the entire IP packet including the original header?

A.Transport mode
B.Tunnel mode
C.AH only
D.ESP only
AnswerB

Tunnel mode encapsulates the entire original IP packet with a new header, encrypting everything. This is the standard mode for site-to-site IPsec VPNs.

Why this answer

Tunnel mode is the correct choice because it encrypts the entire original IP packet, including the original header, and then encapsulates it within a new IP header. This is required for site-to-site VPNs where the original source and destination IP addresses must be hidden or protected, and the new header is used for routing between the two VPN gateways.

Exam trap

Cisco often tests the distinction between Transport and Tunnel modes by asking which mode encrypts the entire packet, and candidates mistakenly choose Transport mode because they confuse 'encrypting the payload' with 'encrypting the entire packet', or they think AH provides encryption.

How to eliminate wrong answers

Option A is wrong because Transport mode only encrypts the payload of the IP packet, leaving the original IP header intact and unencrypted, which does not meet the requirement to encrypt the entire packet including the header. Option C is wrong because AH (Authentication Header) provides integrity and authentication but does not encrypt the packet; it only adds an AH header after the IP header, leaving the payload and original header in plaintext. Option D is wrong because ESP (Encapsulating Security Payload) alone can be used in either Transport or Tunnel mode; specifying 'ESP only' does not indicate the mode, and in Transport mode ESP would not encrypt the original header, so it is not a complete answer to the question.

50
MCQhard

A network administrator reviews firewall logs and sees thousands of SYN packets coming from various source IP addresses to a single internal web server. No ACK or RST packets are observed from these sources. Which type of attack is most likely occurring?

A.DNS amplification attack
B.SYN flood attack
C.ARP spoofing attack
D.Man-in-the-middle attack
AnswerB

A SYN flood sends many SYN packets without completing the handshake, consuming server resources and causing denial of service.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets to a target server without completing the handshake (no ACK or RST). This exhausts the server's connection table resources, preventing legitimate connections. The observed pattern of many SYN packets from various sources with no subsequent ACK or RST is the hallmark of a SYN flood.

Exam trap

Cisco often tests the distinction between a SYN flood (which targets the TCP handshake) and a DNS amplification attack (which uses UDP reflection), so candidates may confuse the two because both involve high packet volumes and spoofed sources.

How to eliminate wrong answers

Option A is wrong because a DNS amplification attack uses small queries to open DNS resolvers that send large responses to a victim, typically over UDP, not TCP SYN packets. Option C is wrong because ARP spoofing involves sending forged ARP replies to associate the attacker's MAC address with a legitimate IP address on a local network, not flooding SYN packets to a web server. Option D is wrong because a man-in-the-middle attack intercepts and potentially alters communications between two parties, often using ARP spoofing or rogue access points, not a flood of SYN packets.
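The half-open exhaustion described in questions 45 and 50 and the SYN-cookie mitigation from question 48, in one added example (not from the question bank): a listener with a fixed backlog, a flood of spoofed SYNs that never complete the handshake, and then one legitimate client. With cookies disabled, a bigger backlog only raises the number of spoofed SYNs needed; with cookies enabled the listener answers statelessly once the backlog is full and still completes the legitimate connection. The cookie layout (time counter and MSS index folded into the ISN with a keyed hash) is a simplified version of the Linux scheme; the secret, addresses and traffic are constructed.

```python
import hashlib
import hmac
import random
import struct

MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values that fit the 2-bit field in the cookie

def make_cookie(secret, src, dst, sport, dport, t5, mss_idx):
    """ISN layout: 5-bit time counter | 2-bit MSS index | 25-bit keyed hash of 4-tuple and time."""
    msg = struct.pack("!4s4sHHB", src, dst, sport, dport, t5 & 0x1F)
    tag = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big") & 0x1FFFFFF
    return ((t5 & 0x1F) << 27) | ((mss_idx & 0x3) << 25) | tag

def check_cookie(secret, src, dst, sport, dport, now, ack):
    """Return the MSS encoded in a valid cookie (ack - 1) issued within the last 3 ticks, else None."""
    isn = (ack - 1) & 0xFFFFFFFF
    t5, mss_idx = isn >> 27, (isn >> 25) & 0x3
    for age in range(4):
        cand = (now - age) & 0x1F
        if cand == t5 and make_cookie(secret, src, dst, sport, dport, cand, mss_idx) == isn:
            return MSS_TABLE[mss_idx]
    return None

class Listener:
    """A listening socket: a backlog of half-open entries, SYN cookies once it is full if enabled."""

    def __init__(self, backlog, syn_cookies=False, secret=b"constructed-cookie-secret"):
        self.backlog, self.syn_cookies, self.secret = backlog, syn_cookies, secret
        self.half_open = {}        # 4-tuple -> ISN sent in the SYN-ACK
        self.established = set()
        self.dropped_syns = 0
        self.clock = 0             # coarse time counter (real stacks tick it every ~64 s)

    def on_syn(self, src, sport, dst, dport, mss_idx=3):
        """Return the ISN sent in the SYN-ACK, or None if the SYN had to be dropped."""
        key = (src, sport, dst, dport)
        if len(self.half_open) < self.backlog:
            isn = random.getrandbits(32)
            self.half_open[key] = isn          # state kept until the ACK or a timeout
            return isn
        if self.syn_cookies:                   # backlog full: answer statelessly, store nothing
            return make_cookie(self.secret, src, dst, sport, dport, self.clock, mss_idx)
        self.dropped_syns += 1
        return None

    def on_ack(self, src, sport, dst, dport, ack):
        """Third handshake packet: complete from the backlog, or validate a cookie."""
        key = (src, sport, dst, dport)
        if key in self.half_open:
            if (self.half_open[key] + 1) & 0xFFFFFFFF == ack:
                del self.half_open[key]
                self.established.add(key)
                return True
            return False
        if self.syn_cookies and check_cookie(self.secret, src, dst, sport, dport,
                                             self.clock, ack) is not None:
            self.established.add(key)
            return True
        return False

SERVER = (b"\x0a\x00\x00\x05", 443)          # 10.0.0.5:443 (constructed)
CLIENT = (b"\xc0\x00\x02\x07", 51000)        # 192.0.2.7, the legitimate client (constructed)

def flood_then_connect(syn_cookies, backlog=16, flood_size=200):
    """Spoofed SYNs that never ACK, then one legitimate client; True if it gets established."""
    lst = Listener(backlog, syn_cookies)
    for i in range(flood_size):
        spoofed = struct.pack("!I", 0xC6336400 + i)      # 198.51.100.0 + i, never answers
        lst.on_syn(spoofed, 40000 + (i % 20000), *SERVER)
    isn = lst.on_syn(*CLIENT, *SERVER)
    if isn is None:
        return False
    return lst.on_ack(*CLIENT, *SERVER, (isn + 1) & 0xFFFFFFFF)
```

The cookie check is what makes the scheme safe to use without state: an ACK that does not carry a cookie computed with the server's secret over this exact 4-tuple and a recent time counter is simply ignored, so a flood of forged ACKs buys the attacker nothing either.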

51
MCQmedium

A network administrator discovers that client workstations are receiving IP addresses from an unknown device, causing network connectivity issues. Which security feature should be configured on switches to prevent rogue DHCP servers from assigning IP addresses?

A.DHCP snooping
B.Dynamic ARP Inspection
C.Port security
D.BPDU guard
AnswerA

DHCP snooping filters DHCP traffic and allows only trusted DHCP servers, preventing rogue DHCP servers from assigning IP addresses.

Why this answer

DHCP snooping is the correct security feature because it acts as a firewall between untrusted hosts and trusted DHCP servers. By configuring ports as trusted (where legitimate DHCP servers are connected) and untrusted (client-facing ports), the switch drops all DHCP server messages (OFFER, ACK, NAK) received on untrusted ports, effectively blocking rogue DHCP servers from assigning IP addresses.

Exam trap

The trap here is that candidates confuse DHCP snooping with Dynamic ARP Inspection (DAI) because both rely on the DHCP snooping binding table, but DAI only validates ARP packets, not DHCP server messages.

How to eliminate wrong answers

Option B (Dynamic ARP Inspection) is wrong because it validates ARP packets to prevent ARP spoofing and man-in-the-middle attacks, not DHCP server spoofing. Option C (Port security) is wrong because it restricts MAC addresses per port to prevent unauthorized device access, but does not inspect or filter DHCP messages. Option D (BPDU guard) is wrong because it protects against Layer 2 loop attacks by disabling ports that receive Bridge Protocol Data Units (BPDUs) on PortFast-enabled ports, and has no role in DHCP message validation.

52
MCQhard

A security analyst receives an alert that an internal user's workstation is sending a high volume of ARP requests for multiple IP addresses on the local subnet. The analyst suspects a man-in-the-middle attack. Which security mechanism is most effective at mitigating this type of attack on a switched network?

A.Port security
B.DHCP snooping
C.Dynamic ARP Inspection
D.MAC address filtering
AnswerC

DAI uses the DHCP snooping binding table to validate ARP packets and block spoofed ARP messages.

Why this answer

Dynamic ARP Inspection (DAI) is the correct answer because it validates ARP packets on a switched network, ensuring that only legitimate ARP replies are forwarded. In a man-in-the-middle attack, an attacker sends spoofed ARP replies to associate their MAC address with the IP address of a legitimate host. DAI intercepts all ARP packets and compares them against a trusted binding table (built by DHCP snooping), dropping any that are invalid, thus preventing ARP spoofing.

Exam trap

Cisco often tests the distinction between DHCP snooping and DAI, where candidates mistakenly choose DHCP snooping because it builds the binding table, but DAI is the actual mechanism that validates ARP packets to prevent man-in-the-middle attacks.

How to eliminate wrong answers

Option A is wrong because port security limits the number of MAC addresses allowed on a switch port or restricts specific MAC addresses, but it does not inspect the content of ARP packets or prevent ARP spoofing. Option B is wrong because DHCP snooping builds a DHCP snooping binding table by monitoring DHCP messages, but it does not directly inspect or validate ARP packets; it is a prerequisite for DAI but not the mitigation mechanism itself. Option D is wrong because MAC address filtering simply allows or denies traffic based on source MAC addresses, which can be easily spoofed by an attacker and does not validate the IP-to-MAC mapping in ARP packets.

53
MCQhard

A security analyst observes that a workstation on the network is sending unsolicited ARP replies stating that the workstation's MAC address corresponds to the default gateway IP for all subnets. This behavior is causing other devices to send traffic destined for external networks to the workstation instead of the legitimate gateway. Which type of attack is being performed?

A.ARP spoofing
B.DHCP starvation
C.DNS poisoning
D.MAC flooding
AnswerA

ARP spoofing involves sending fake ARP messages to associate the attacker's MAC with another IP, typically the gateway.

Why this answer

The workstation is sending unsolicited ARP replies that map the default gateway IP to its own MAC address. This poisons the ARP caches of other devices on the network, causing them to forward traffic destined for external networks to the attacker's workstation instead of the legitimate gateway. This is the classic behavior of an ARP spoofing (or ARP poisoning) attack, which exploits the lack of authentication in the ARP protocol (RFC 826).

Exam trap

The trap here is confusing ARP spoofing with MAC flooding, because both involve MAC addresses and network interception, but MAC flooding targets the switch's CAM table to capture traffic, while ARP spoofing targets host ARP caches to redirect traffic to a specific MAC address.

How to eliminate wrong answers

Option B (DHCP starvation) is wrong because that attack floods a DHCP server with fake DHCPDISCOVER messages to exhaust the IP address pool, preventing legitimate clients from obtaining IP addresses; it does not involve sending unsolicited ARP replies. Option C (DNS poisoning) is wrong because that attack corrupts DNS resolver caches or DNS server records to redirect domain names to malicious IP addresses, not by manipulating ARP tables with MAC-to-IP mappings. Option D (MAC flooding) is wrong because that attack floods a switch with frames containing many different source MAC addresses to overflow the CAM table, forcing the switch into fail-open mode (hub mode) for traffic sniffing; it does not involve sending unsolicited ARP replies to redirect default gateway traffic.
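The chain that questions 40, 51, 52 and 53 describe from different angles, in one added example (not code from the question bank or from any switch vendor): a switch model where DHCP snooping drops server messages on untrusted ports and builds the binding table from the ACKs it relays, and Dynamic ARP Inspection then drops ARP packets from untrusted ports whose sender IP/MAC pair is not in that table, which is what stops the workstation in question 53 from claiming the gateway address. The port names, MACs and addresses are constructed, and `scenario(rogue_port_trusted=True)` reproduces the misconfiguration in question 40.

```python
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST"}

class Switch:
    """Access switch with DHCP snooping and Dynamic ARP Inspection on one VLAN."""

    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)   # ports toward the real DHCP server and gateway
        self.client_port = {}               # client MAC -> access port it last spoke from
        self.bindings = {}                  # IP -> (MAC, port): the DHCP snooping binding table
        self.dropped = []

    def trust(self, port):
        self.trusted.add(port)

    def untrust(self, port):
        self.trusted.discard(port)

    def dhcp(self, port, msg, chaddr, yiaddr=None):
        """Forward (True) or drop (False) a DHCP message arriving on `port`."""
        if msg in SERVER_MSGS and port not in self.trusted:
            self.dropped.append(("dhcp-server-msg-on-untrusted-port", port, msg))
            return False
        if msg in CLIENT_MSGS and port not in self.trusted:
            self.client_port[chaddr] = port
        if msg == "ACK" and yiaddr and chaddr in self.client_port:
            self.bindings[yiaddr] = (chaddr, self.client_port[chaddr])   # lease confirmed
        return True

    def arp(self, port, sender_mac, sender_ip):
        """DAI: ARP from trusted ports passes; from untrusted ports only if the sender
        IP/MAC pair matches a binding learned on that same port."""
        if port in self.trusted:
            return True
        if self.bindings.get(sender_ip) == (sender_mac, port):
            return True
        self.dropped.append(("arp-binding-mismatch", port, sender_mac, sender_ip))
        return False

def scenario(rogue_port_trusted=False):
    """Constructed VLAN: DHCP server and gateway behind uplink Gi1/0/24, a host on Gi1/0/1,
    and a rogue DHCP server / ARP spoofer on Gi1/0/7. Returns the forwarding decisions."""
    sw = Switch(trusted_ports={"Gi1/0/24"})
    if rogue_port_trusted:
        sw.trust("Gi1/0/7")                  # the misconfiguration in question 40
    host, rogue, gateway_mac = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:07", "00:11:22:33:44:01"
    # legitimate DORA exchange builds a binding for the host
    sw.dhcp("Gi1/0/1", "DISCOVER", host)
    sw.dhcp("Gi1/0/24", "OFFER", host, "10.0.1.50")
    sw.dhcp("Gi1/0/1", "REQUEST", host)
    sw.dhcp("Gi1/0/24", "ACK", host, "10.0.1.50")
    return {
        "rogue_offer_forwarded": sw.dhcp("Gi1/0/7", "OFFER", host, "10.0.1.99"),
        "host_arp_forwarded": sw.arp("Gi1/0/1", host, "10.0.1.50"),
        "gateway_arp_forwarded": sw.arp("Gi1/0/24", gateway_mac, "10.0.1.1"),
        # the rogue claims the gateway IP with its own MAC, as in question 53
        "spoofed_gateway_arp_forwarded": sw.arp("Gi1/0/7", rogue, "10.0.1.1"),
        "bindings": dict(sw.bindings),
        "drops": list(sw.dropped),
    }
```

Two consequences are worth noticing. A trusted port bypasses both checks, so marking the rogue's port trusted lets its OFFER and its gateway-claiming ARP through, which is exactly why the fix in question 40 is to untrust the port. And because DAI validates against leases, hosts with static addresses produce no binding and would be dropped; on real switches they need static entries or ARP ACLs before DAI is turned on for their VLAN.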

54
MCQhard

An organization wants to implement a security solution that uses a cloud-based service to inspect all incoming web traffic for malware and policy violations before it reaches the internal network. This type of solution is known as a:

A.Web application firewall (WAF)
B.Secure web gateway (SWG)
C.Intrusion detection system (IDS)
D.VPN concentrator
AnswerB

An SWG is a cloud-based or on-premises proxy that filters web traffic, blocks malware, and enforces policies.

Why this answer

A Secure Web Gateway (SWG) is a proxy, delivered from the cloud or deployed on premises, through which user web sessions are routed so that the requests and the responses they return can be inspected for malware, URL category and acceptable-use policy violations, and data loss before anything reaches the internal network. It works at the application layer (HTTP/HTTPS, usually with TLS decryption so that content can actually be inspected), which matches the requirement for a cloud service that inspects web traffic for malware and policy violations before it reaches the internal network.

Exam trap

The trap here is confusing a Secure Web Gateway (SWG) with a Web Application Firewall (WAF), as both deal with web traffic, but SWG focuses on user-to-web traffic inspection and policy enforcement, while WAF protects a specific web server from application-layer attacks.

How to eliminate wrong answers

Option A is wrong because a Web Application Firewall (WAF) protects specific web applications from attacks like SQL injection and XSS by filtering HTTP traffic to and from the application, not by inspecting all incoming web traffic for malware and policy violations. Option C is wrong because an Intrusion Detection System (IDS) monitors network traffic for suspicious activity and alerts administrators, but it does not actively inspect or block traffic for malware and policy violations in a cloud-based proxy manner. Option D is wrong because a VPN concentrator terminates VPN tunnels and encrypts/decrypts traffic, but it does not perform content inspection for malware or policy violations.

55
MCQhard

A security analyst is reviewing logs and finds that a single MAC address is rapidly requesting IP addresses from a DHCP server, each time with a different client ID. The DHCP server is exhausting its address pool. Which type of attack is occurring?

A.DHCP starvation attack
B.MAC flooding attack
C.ARP spoofing
D.DNS poisoning
AnswerA

This is exactly the description of a DHCP starvation attack, where the attacker floods the DHCP server with requests to deplete the address pool.

Why this answer

A DHCP starvation attack occurs when an attacker sends a flood of DHCPDISCOVER messages, each presenting a different lease identity, until the server's address pool is exhausted. The identity can be a different spoofed chaddr (client hardware address) in each message or, as in this scenario, a single source MAC with a different DHCP client identifier (option 61) each time; servers that key leases on option 61 hand out a fresh address for each one. Legitimate clients then cannot obtain addresses because the server believes every lease is assigned. Note that DHCP snooping's MAC address verification (comparing chaddr with the frame's source MAC) does not catch the option 61 variant, because the two still match; the practical control is rate limiting DHCP messages on untrusted ports (ip dhcp snooping limit rate) combined with port security.

Exam trap

The trap here is confusing DHCP starvation with MAC flooding, as both involve 'flooding' and MAC addresses, but MAC flooding targets switch CAM tables, not DHCP servers.

How to eliminate wrong answers

Option B is wrong because a MAC flooding attack targets network switches by flooding them with frames containing unique source MAC addresses to overflow the CAM table, causing the switch to fail open and act like a hub; it does not involve DHCP requests. Option C is wrong because ARP spoofing involves sending forged ARP replies to associate an attacker's MAC address with the IP address of a legitimate host, enabling man-in-the-middle attacks; it does not exhaust DHCP address pools. Option D is wrong because DNS poisoning corrupts the DNS resolver's cache with false mappings, redirecting users to malicious sites; it has no direct impact on DHCP address allocation.
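The scenario above can be checked against real DHCP traffic. The following is an added example, not part of the original question bank or any Cisco code: it builds DHCPDISCOVER payloads in the RFC 2131 layout, parses them back, and flags a source MAC that presents many distinct lease identities (option 61 or chaddr), alongside the chaddr-versus-source-MAC check that DHCP snooping's MAC address verification performs. The MAC addresses, transaction IDs and the threshold of five identities are assumptions.

```python
"""Spot DHCP starvation in DHCPDISCOVER traffic.

Added example (not Cisco code). Frames are constructed here; the source MAC is
what the switch sees on the wire, the payload is the BOOTP/DHCP message.
"""
import struct
from collections import defaultdict

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPDISCOVER = 1


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_discover(chaddr, xid, client_id=None):
    """Build a minimal DHCPDISCOVER: fixed header + option 53, optional option 61."""
    header = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac_bytes(chaddr).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, DHCPDISCOVER])
    if client_id is not None:
        options += bytes([61, len(client_id)]) + client_id
    return header + MAGIC_COOKIE + options + b"\xff"


def parse_dhcp(payload):
    """Return chaddr, message type and client identifier (option 61) from a DHCP payload."""
    fields = struct.unpack_from(BOOTP_FMT, payload, 0)
    hlen, chaddr = fields[2], fields[11]
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:     # 255 = end option
        if payload[i] == 0:                            # 0 = pad
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"chaddr": chaddr[:hlen], "msg_type": opts.get(53, b"\0")[0],
            "client_id": opts.get(61)}


def analyse(frames, threshold=5):
    """frames: iterable of (source_mac, payload).

    Flags a source MAC that presents `threshold` or more distinct lease identities
    (starvation) and any frame whose chaddr differs from the L2 source MAC, which is
    the check DHCP snooping's MAC address verification performs.
    """
    identities = defaultdict(set)
    mismatched = set()
    for src_mac, payload in frames:
        msg = parse_dhcp(payload)
        if msg["msg_type"] != DHCPDISCOVER:
            continue
        if msg["chaddr"] != mac_bytes(src_mac):
            mismatched.add(src_mac)
        # The server keys a lease on option 61 when present, otherwise on chaddr.
        identities[src_mac].add(msg["client_id"] or msg["chaddr"])
    starvers = sorted(m for m, ids in identities.items() if len(ids) >= threshold)
    return {"starvation_sources": starvers, "chaddr_mismatch": sorted(mismatched)}


# Constructed sample traffic: one honest client, one starver rotating option 61
# behind a single MAC (passes chaddr verification), one frame with a forged chaddr.
LEGIT_MAC, STARVER_MAC, FORGER_MAC = "00:11:22:33:44:55", "de:ad:be:ef:00:01", "de:ad:be:ef:00:02"
SAMPLE_FRAMES = [(LEGIT_MAC, build_discover(LEGIT_MAC, 0x1001, b"\x01" + mac_bytes(LEGIT_MAC)))]
SAMPLE_FRAMES += [(STARVER_MAC, build_discover(STARVER_MAC, 0x2000 + n, b"\x00" + b"id%02d" % n))
                  for n in range(8)]
SAMPLE_FRAMES.append((FORGER_MAC, build_discover("02:00:00:00:00:99", 0x3000)))


def analyse_sample():
    return analyse(SAMPLE_FRAMES)


if __name__ == "__main__":
    print(analyse_sample())
```

The starver is reported by identity count even though every one of its frames passes the chaddr check, which is why rate limiting on untrusted ports, not MAC verification alone, is the control for this variant.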

56
MCQeasy

A security auditor is reviewing firewall logs and notices repeated login attempts from a single external IP address to the company's SSH server. Which type of attack is likely occurring?

A.Brute force attack
B.Man-in-the-middle attack
C.ARP poisoning
D.DDoS attack
AnswerA

A brute force attack systematically tries passwords or encryption keys. In this case, repeated SSH login attempts from one IP are classic signs of a password guessing attempt.

Why this answer

Repeated login attempts from a single external IP to an SSH server are characteristic of a brute force attack, where an attacker systematically tries many username/password combinations to gain unauthorized access. SSH (port 22) is a common target because it provides remote shell access, and automated tools like Hydra or Medusa can rapidly test credentials. The firewall logs show multiple failed authentication attempts from the same source, which is the hallmark of this attack type.

Exam trap

Cisco often tests the distinction between a brute force attack (repeated single-source login attempts) and a DDoS attack (traffic flood from multiple sources), so candidates mistakenly choose DDoS when they see 'repeated attempts' without recognizing the single-source, credential-guessing nature of the activity.

How to eliminate wrong answers

Option B is wrong because a man-in-the-middle attack involves intercepting and potentially altering communications between two parties, not repeated login attempts from a single IP; it would require the attacker to position themselves between the client and server, often using ARP spoofing or rogue certificates. Option C is wrong because ARP poisoning is a Layer 2 attack that manipulates the ARP cache to redirect traffic on a local network, not external SSH login attempts; it would not appear as repeated authentication failures from a single external IP. Option D is wrong because a DDoS attack aims to overwhelm a service with traffic from multiple sources (distributed) to cause denial of service, not to guess credentials; a single external IP making repeated login attempts does not constitute a distributed attack.
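What the auditor would actually look for in the logs is the pattern, not a single line. The following is an added example, not part of the original question bank: it parses OpenSSH-style syslog lines, counts failed logins per source IP inside a sliding window, and separately reports a successful login from a source that had already been flagged, which is the event that warrants a page. The log lines are constructed, and the 60-second window, threshold of five and assumed year are choices made here.

```python
"""Flag SSH password-guessing in sshd syslog output.

Added example, not part of the original question bank. The log lines are
constructed in the OpenSSH format; the window and threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PREFIX = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED = re.compile(PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(PREFIX + r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; one is assumed so lines can be ordered."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (report, logins_after_flag).

    report: {ip: {"failures": total, "users": sorted distinct usernames}} for every
    source that produced `threshold` failures within `window`.
    logins_after_flag: [(ip, user)] successful logins from an already-flagged source.
    """
    recent = defaultdict(deque)          # ip -> timestamps of failures inside the window
    failures = defaultdict(int)
    users = defaultdict(set)
    flagged, logins_after_flag = {}, []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts, ip = parse_ts(m["ts"]), m["ip"]
            failures[ip] += 1
            users[ip].add(m["user"])
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:    # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                flagged[ip] = True
            continue
        m = ACCEPTED.match(line)
        if m and m["ip"] in flagged:
            logins_after_flag.append((m["ip"], m["user"]))
    report = {ip: {"failures": failures[ip], "users": sorted(users[ip])} for ip in flagged}
    return report, logins_after_flag


# Constructed sample: 203.0.113.7 guesses six accounts in 25 s and then gets in;
# 198.51.100.20 is an employee who mistypes twice, minutes apart.
SAMPLE_LOG = """\
Mar  3 08:14:02 bastion sshd[4101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 08:14:06 bastion sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 08:14:09 bastion sshd[4105]: Failed password for invalid user oracle from 203.0.113.7 port 51138 ssh2
Mar  3 08:14:12 bastion sshd[4107]: Failed password for invalid user ubuntu from 203.0.113.7 port 51144 ssh2
Mar  3 08:14:15 bastion sshd[4109]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  3 08:14:20 bastion sshd[4111]: Failed password for deploy from 198.51.100.20 port 60210 ssh2
Mar  3 08:14:27 bastion sshd[4113]: Failed password for invalid user test from 203.0.113.7 port 51160 ssh2
Mar  3 08:14:31 bastion sshd[4115]: Accepted password for deploy from 203.0.113.7 port 51170 ssh2
Mar  3 08:19:40 bastion sshd[4120]: Failed password for deploy from 198.51.100.20 port 60230 ssh2
Mar  3 08:19:52 bastion sshd[4122]: Accepted publickey for deploy from 198.51.100.20 port 60240 ssh2
""".splitlines()


def detect_sample():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    print(detect_sample())
```

The per-source window is what separates a brute force from a user who fumbles a password; the same counters keyed by username across sources would catch password spraying, which this single-source logic deliberately does not.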

57
MCQmedium

A security engineer is configuring port security on a switch to prevent unauthorized devices from connecting. The requirement is that only the first device to connect to a port is allowed, and if a different device connects, the port should be disabled. Which port security violation mode should be configured?

A.Protect
B.Restrict
C.Shutdown
D.Sticky
AnswerC

Shutdown mode places the port in the err-disabled state when a violation occurs, which is the most restrictive response and the only one that actually disables the port as required.

Why this answer

The 'shutdown' violation mode puts the port into the err-disabled state when a violation occurs, which meets the requirement that the port be disabled if a different device connects. It is the only mode that takes the port down: the interface stops forwarding for every device, including the originally authorized one, and stays down until an administrator issues shutdown followed by no shutdown on the interface, or errdisable recovery is enabled for the psecure-violation cause.

Exam trap

Cisco often tests the distinction that 'shutdown' is the only mode that err-disables the port, while 'restrict' and 'protect' only drop the offending frames and leave the port up, leading candidates to mistakenly choose 'restrict' because it logs violations.

How to eliminate wrong answers

Option A is wrong because 'protect' mode drops frames from unauthorized devices but does not disable the port, increment the violation counter or generate an alert, so the unauthorized device stays connected silently. Option B is wrong because 'restrict' mode drops frames from unauthorized devices, increments the violation counter and generates a syslog/SNMP alert, but does not disable the port, so the port remains operational for the original authorized device. Option D is wrong because 'sticky' is not a violation mode at all: switchport port-security mac-address sticky is a learning option that copies dynamically learned addresses into the running configuration so they survive a link flap; it controls which addresses are secure, not what happens on a violation.

58
MCQmedium

A small business uses a wireless network for employees and guests. The owner wants to ensure that guest devices cannot access internal resources such as file servers and printers. Which network security technique should be implemented?

A.VLAN segmentation with separate SSID for guests
B.MAC address filtering
C.WPA2 encryption
D.Disabling SSID broadcast
AnswerA

Placing guest traffic on a separate VLAN and configuring access control lists (ACLs) prevents guest devices from reaching internal subnets while still providing internet access.

Why this answer

VLAN segmentation with a separate SSID for guests is the correct approach because it creates a logical network boundary that isolates guest traffic from internal resources. By assigning the guest SSID to a distinct VLAN, the network can enforce access control lists (ACLs) at the Layer 3 switch or firewall, preventing guest devices from reaching file servers, printers, or other internal subnets while still allowing internet access.

Exam trap

The trap here is that candidates often confuse encryption (WPA2) with network segmentation, assuming that securing the wireless link inherently protects internal resources, when in fact encryption only protects data in transit and does not control east-west traffic between devices on the same SSID.

How to eliminate wrong answers

Option B is wrong because MAC address filtering only controls which devices can associate with the wireless network based on their hardware addresses, which are trivially spoofed; it does not restrict traffic between devices once they are connected, nor does it prevent a guest device from accessing internal resources if it is on the same subnet. Option C is wrong because WPA2 encryption secures the wireless link between the client and the access point, but it does not provide any Layer 2 or Layer 3 segmentation; all devices that authenticate to the same SSID can communicate freely with each other and with any reachable internal resource. Option D is wrong because disabling SSID broadcast only removes the network name from beacon frames; clients still send it in probe requests, so it is recovered with any wireless sniffer, and it provides no segmentation once a device has joined.

59
MCQhard

An organization's security policy requires that all remote access VPN connections use two-factor authentication and that the VPN clients are compliant with the latest patch levels before gaining network access. Which technology combination provides these capabilities?

A.SSL VPN with client certificate authentication
B.IPsec VPN using preshared keys
C.NAC integrated with a reverse proxy
D.VPN with RADIUS authentication and posture assessment
AnswerD

RADIUS can enforce two-factor authentication (e.g., via OTP) and work with a NAC (posture) server to check client health (patch levels) before allowing full VPN access.

Why this answer

Option D is correct because RADIUS authentication can enforce two-factor authentication (e.g., via token or OTP), and posture assessment (often via Network Access Control or a VPN posture plugin) checks the client's patch level before granting network access. This combination directly satisfies the policy requirements for both multi-factor authentication and endpoint compliance verification.

Exam trap

The trap here is that candidates often confuse 'two-factor authentication' with simply using a certificate (Option A) or a preshared key (Option B), failing to recognize that posture assessment is a separate, critical requirement that RADIUS combined with a NAC or posture system uniquely fulfills.

How to eliminate wrong answers

Option A is wrong because SSL VPN with client certificate authentication provides only single-factor authentication (the certificate) and does not inherently perform posture assessment for patch compliance. Option B is wrong because IPsec VPN using preshared keys provides only a single shared secret for authentication, lacking two-factor authentication and any mechanism to verify client patch levels. Option C is wrong because NAC integrated with a reverse proxy focuses on access control at the application layer and does not natively provide VPN connectivity or the two-factor authentication required for remote access VPN connections.

60
MCQhard

A security analyst is reviewing firewall logs and sees many incoming packets with a source IP address that matches the internal IP range of the company (10.0.0.0/8) arriving on the external interface. Which type of attack is likely being attempted?

A.Smurf attack
B.IP spoofing attack
C.SYN flood
D.DNS amplification
AnswerB

The attacker is spoofing the source IP address to appear as an internal host, trying to bypass firewall rules that trust internal addresses.

Why this answer

The correct answer is B because packets arriving on the external interface with a source IP address from the internal 10.0.0.0/8 range indicate that the attacker is forging (spoofing) the source address to impersonate an internal host. This is a classic IP spoofing attack, often used to bypass access control lists or to launch further attacks that rely on trust relationships based on source IP. The control is ingress filtering (RFC 2827 / BCP 38): an ACL on the outside interface that denies any packet whose source falls in 10.0.0.0/8, the other RFC 1918 ranges or loopback, or Unicast Reverse Path Forwarding (uRPF), which drops packets whose source address is not reachable back through the interface they arrived on.

Exam trap

The exam tests the distinction between IP spoofing and other attacks by focusing on the specific packet characteristic (source IP matching the internal range on an external interface) rather than the attack's goal or volume, leading candidates to confuse it with a Smurf or SYN flood attack.

How to eliminate wrong answers

Option A is wrong because a Smurf attack uses ICMP echo requests with a spoofed source IP of the victim, sent to a network's broadcast address, causing all hosts to reply to the victim; it does not specifically involve internal IP ranges arriving on the external interface. Option C is wrong because a SYN flood targets the TCP three-way handshake by sending many SYN packets without completing the handshake, exhausting server resources; the source IP may be spoofed but the key indicator is a high volume of incomplete connections, not packets with internal source IPs on the external interface. Option D is wrong because a DNS amplification attack uses open DNS resolvers to send large responses to a spoofed victim IP, typically using UDP and small queries; the attack traffic is reflected from DNS servers, not characterized by internal source IPs on the external interface.

61
MCQmedium

A network administrator wants to prevent unauthorized devices from connecting to the network by limiting the number of MAC addresses allowed on a switch port. Which security feature should be configured?

A.802.1X
B.Port security
C.DHCP snooping
D.Dynamic ARP inspection
AnswerB

Port security restricts the number of MAC addresses allowed on a port, preventing unauthorized devices from connecting.

Why this answer

Port security is the correct feature because it directly restricts the number of unique MAC addresses that can be learned on a switch port, preventing unauthorized devices from connecting. When the configured limit is exceeded, the switch can take actions such as shutdown, restrict, or protect, effectively blocking the unauthorized device. This is a Layer 2 access control mechanism that operates on the switch port itself.

Exam trap

Cisco often tests the distinction between port security (MAC address limiting) and 802.1X (authentication), leading candidates to mistakenly choose 802.1X when the question explicitly asks about limiting the number of MAC addresses.

How to eliminate wrong answers

Option A is wrong because 802.1X is a port-based network access control protocol that authenticates devices via a RADIUS server, but it does not limit the number of MAC addresses on a port; it either grants or denies access based on credentials. Option C is wrong because DHCP snooping is a security feature that filters untrusted DHCP messages and builds a DHCP snooping binding table to prevent rogue DHCP servers, but it does not enforce a MAC address limit on a switch port. Option D is wrong because Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table to stop ARP spoofing; it does not count or limit the MAC addresses learned on a port.
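The behaviour behind this question and question 57 (which violation mode does what once the maximum is exceeded) is easier to compare when the three modes are run side by side. The following is an added example and not Cisco code: a small model of one access port with switchport port-security maximum 1 and sticky learning, replaying the same four frames (a legitimate host, then an intruder, then each again) under protect, restrict and shutdown. The port name, MAC addresses and the syslog text (modelled on the IOS PSECURE_VIOLATION message) are assumptions.

```python
"""Model of switchport port-security violation handling.

Added example, not Cisco code: it mimics the observable behaviour of
`switchport port-security maximum N` and `violation {protect|restrict|shutdown}`
on one access port so the three modes can be compared side by side.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str = "Gi0/1"
    maximum: int = 1                      # switchport port-security maximum 1
    violation: str = "shutdown"           # protect | restrict | shutdown
    allowed: set = field(default_factory=set)   # secure (sticky-learned) addresses
    err_disabled: bool = False
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def ingress(self, src_mac):
        """Handle one ingress frame; return True if it is forwarded."""
        if self.err_disabled:
            return False                  # port is down: nothing passes, not even the legit host
        if src_mac in self.allowed:
            return True
        if len(self.allowed) < self.maximum:
            self.allowed.add(src_mac)     # learned and (with sticky) written to running-config
            return True
        # Security violation: an address beyond the configured maximum.
        if self.violation == "protect":
            return False                  # dropped silently: no counter, no log
        self.violation_count += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                           f"occurred, caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "restrict":
            return False                  # dropped, counted and logged; port stays up
        self.err_disabled = True          # shutdown: port goes err-disabled
        return False

    def recover(self):
        """Operator shutdown / no shutdown, or errdisable recovery cause psecure-violation."""
        self.err_disabled = False


def compare_modes(frames=("aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02",
                          "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02")):
    """Replay the same frames through each mode; first MAC is the legit host, second the intruder."""
    result = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(violation=mode)
        forwarded = [port.ingress(mac) for mac in frames]
        result[mode] = {"forwarded": forwarded, "violations": port.violation_count,
                        "err_disabled": port.err_disabled, "logs": len(port.syslog)}
    return result


if __name__ == "__main__":
    for mode, outcome in compare_modes().items():
        print(mode, outcome)
```

The third frame is the one that separates the modes: under protect and restrict the legitimate host keeps working while the intruder is dropped, under shutdown the legitimate host is cut off too until the port is recovered, which is the trade-off the question is really asking about.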

62
MCQmedium

A company hosts a web server in a DMZ. The firewall has three interfaces: inside (corporate network), outside (Internet), and DMZ. Which firewall rule is necessary to allow external users to access the web server?

A.Allow traffic from the outside interface to the DMZ interface on port 80
B.Allow traffic from the inside interface to the DMZ interface on port 80
C.Allow traffic from the outside interface to the inside interface on port 80
D.Deny all traffic by default and create no specific rules
AnswerA

This rule permits external traffic to reach the web server in the DMZ while keeping the internal network isolated.

Why this answer

Option A is correct because external users on the Internet (outside interface) need to reach the web server located in the DMZ. The firewall must permit inbound traffic from the outside zone to the DMZ zone on TCP port 80 (HTTP) to allow web requests while keeping the corporate network (inside) isolated from direct external access.

Exam trap

The trap here is that candidates mistakenly choose Option B or C, confusing the direction of traffic or thinking that external users need access to the inside network, when the correct security design is to restrict external traffic only to the DMZ.

How to eliminate wrong answers

Option B is wrong because it allows traffic from the inside (corporate network) to the DMZ, which is not required for external user access; this rule would serve internal users, not Internet users. Option C is wrong because it allows traffic from the outside directly to the inside interface, bypassing the DMZ entirely and exposing the corporate network to external threats, which defeats the purpose of placing the web server in a DMZ. Option D is wrong because a default deny with no permit rules blocks the very external users the question wants to serve; default deny is the correct baseline, but the specific outside-to-DMZ permit is still required on top of it.
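The zone design in this question and the spoofed-source packets in question 60 are two checks the same firewall performs on every inbound packet, in that order. The following is an added example, not firewall vendor code: a stateless model of a three-interface firewall that first applies a BCP 38 style anti-spoofing check per interface and then a default-deny zone policy in which the only inbound permits are from outside to the DMZ on ports 80 and 443. The zone names follow the question; the 10.0.0.0/8 inside range, the 192.0.2.0/24 DMZ range and the rule set are assumptions.

```python
"""Three-interface stateless packet filter with anti-spoofing and a DMZ policy.

Added example, not firewall vendor code. Zone names follow the question
(inside/outside/dmz); the address ranges and rules are assumptions.
"""
from ipaddress import ip_address, ip_network

INTERFACES = {   # interface -> zone and the prefixes legitimately behind it
    "outside": {"zone": "outside", "nets": []},
    "inside":  {"zone": "inside",  "nets": [ip_network("10.0.0.0/8")]},
    "dmz":     {"zone": "dmz",     "nets": [ip_network("192.0.2.0/24")]},
}

# Sources that must never arrive on the outside interface (RFC 2827 / BCP 38 ingress filter).
NEVER_FROM_OUTSIDE = [n for i in INTERFACES.values() for n in i["nets"]] + [
    ip_network("127.0.0.0/8"), ip_network("169.254.0.0/16"),
    ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# (from_zone, to_zone, proto, dst_port, action); first match wins, implicit deny at the end.
RULES = [
    ("outside", "dmz",     "tcp", 80,   "permit"),   # the rule from Option A
    ("outside", "dmz",     "tcp", 443,  "permit"),
    ("inside",  "dmz",     "tcp", 443,  "permit"),
    ("inside",  "outside", "any", None, "permit"),
]


def zone_for(dst):
    """Egress zone is decided by routing: the interface whose prefix holds dst, else the default route."""
    for iface in INTERFACES.values():
        if any(dst in n for n in iface["nets"]):
            return iface["zone"]
    return "outside"


def filter_packet(ingress_if, src, dst, proto, dst_port):
    """Return (verdict, reason); verdict is 'permit', 'deny' or 'drop'."""
    src, dst = ip_address(src), ip_address(dst)
    from_zone = INTERFACES[ingress_if]["zone"]
    # 1. Anti-spoofing: is this source plausible on this interface?
    if from_zone == "outside":
        if any(src in n for n in NEVER_FROM_OUTSIDE):
            return "drop", f"spoofed source {src} on outside interface"
    elif not any(src in n for n in INTERFACES[ingress_if]["nets"]):
        return "drop", f"source {src} does not belong behind {ingress_if}"
    # 2. Zone policy.
    to_zone = zone_for(dst)
    if from_zone == to_zone:
        return "permit", "intra-zone traffic is not firewalled here"
    for fz, tz, p, port, action in RULES:
        if (fz, tz) == (from_zone, to_zone) and p in (proto, "any") and port in (dst_port, None):
            return action, f"rule {fz}->{tz} {p}/{port or 'any'}"
    return "deny", f"no rule {from_zone}->{to_zone} {proto}/{dst_port}; implicit deny"


if __name__ == "__main__":
    for p in [("outside", "203.0.113.9", "192.0.2.10", "tcp", 80),   # Option A: permitted
              ("outside", "203.0.113.9", "10.1.1.5", "tcp", 80),     # Option C: never written, so denied
              ("outside", "10.1.1.5", "192.0.2.10", "tcp", 80),      # question 60: spoofed, dropped
              ("dmz", "192.0.2.10", "10.1.1.5", "tcp", 445)]:        # compromised DMZ host cannot reach inside
        print(p, filter_packet(*p))
```

This model is stateless on purpose: the DMZ server's replies to an outside client would be denied by these rules, and on a real firewall they are allowed by stateful inspection of the established connection rather than by a DMZ-to-outside permit.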

63
MCQmedium

A security analyst is configuring a firewall to allow HTTPS traffic from the internet to an internal web server with a private IP address. The firewall must translate the destination IP address of incoming packets to the private server IP. Which type of NAT should be configured?

A.Source NAT (SNAT)
B.Destination NAT (DNAT)
C.Static NAT
D.Port Address Translation (PAT)
AnswerB

DNAT modifies the destination IP address of incoming packets, allowing them to be forwarded to an internal server.

Why this answer

Destination NAT (DNAT) is used to translate the destination IP address of incoming packets from a public IP to a private IP, allowing external HTTPS traffic to reach an internal web server. This is exactly what the scenario requires: the firewall must rewrite the destination address of packets arriving from the internet to the private server IP. In Cisco IOS this is usually configured with a static mapping such as ip nat inside source static <private> <public>. The 'inside source' keywords describe the mapping from the inside host's point of view (its source address is rewritten on the way out); because the mapping is bidirectional, the router also rewrites the destination of packets arriving from the outside for the public address, which is the DNAT behaviour the scenario needs.

Exam trap

The exam tests the distinction between SNAT and DNAT by describing a scenario where traffic comes from the internet to an internal server; candidates mistakenly choose SNAT because they think 'source' refers to the packet's origin (the internet), when in fact SNAT rewrites the source address of outbound traffic and DNAT rewrites the destination of inbound traffic.

How to eliminate wrong answers

Option A is wrong because Source NAT (SNAT) translates the source IP address of outbound packets, not the destination IP of inbound packets; it is what lets internal hosts reach the internet from a public IP. Option C is wrong because Static NAT describes the mapping (a fixed one-to-one pairing of a public and a private address), not the direction of the rewrite; a static mapping is how DNAT for a server is usually configured, but the question asks for the type of translation applied to the inbound packets, which is destination translation. Option D is wrong because Port Address Translation (PAT, or NAT overload) lets many internal hosts share one public IP by rewriting source ports on outbound traffic; port forwarding is a destination-side use of it, but the translation named in the question is of the destination IP, which is DNAT, not PAT.
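The direction confusion the trap describes disappears once both halves of a translation are written down. The following is an added example, not Cisco IOS or any firewall's code: a NAT device with a static one-to-one mapping for a DMZ web server (destination rewritten on inbound packets, source on the replies) and PAT for outbound clients (source address and port rewritten, destination of the returning packets restored from the translation table). The public address 203.0.113.1, the server mapping 203.0.113.10 to 192.0.2.10, the client addresses and the port allocation starting at 1024 are assumptions.

```python
"""Destination vs source translation on one NAT device.

Added example, not Cisco IOS. It models a static one-to-one mapping for a
DMZ web server next to PAT for outbound clients; addresses and ports are assumptions.
"""


class NatDevice:
    def __init__(self, public_ip, static_map):
        self.public_ip = public_ip                       # interface address used for PAT
        self.static = dict(static_map)                   # public -> private, one-to-one
        self.static_rev = {v: k for k, v in self.static.items()}
        self.pat = {}        # (proto, public_port) -> (private_ip, private_port)
        self.pat_rev = {}    # (proto, private_ip, private_port) -> public_port
        self.next_port = 1024

    def outside_to_inside(self, pkt):
        """Inbound: rewrite the DESTINATION (DNAT). Returns None when nothing matches."""
        if pkt["dst"] in self.static:                    # static mapping: new connections allowed in
            return {**pkt, "dst": self.static[pkt["dst"]]}
        key = (pkt["proto"], pkt["dport"])
        if pkt["dst"] == self.public_ip and key in self.pat:   # reply to a PAT'd session
            priv_ip, priv_port = self.pat[key]
            return {**pkt, "dst": priv_ip, "dport": priv_port}
        return None                                      # unsolicited inbound to the PAT address: dropped

    def inside_to_outside(self, pkt):
        """Outbound: rewrite the SOURCE (SNAT); PAT also rewrites the source port."""
        if pkt["src"] in self.static_rev:
            return {**pkt, "src": self.static_rev[pkt["src"]]}
        key = (pkt["proto"], pkt["src"], pkt["sport"])
        if key not in self.pat_rev:                      # allocate a public port for a new flow
            self.pat_rev[key] = self.next_port
            self.pat[(pkt["proto"], self.next_port)] = (pkt["src"], pkt["sport"])
            self.next_port += 1
        return {**pkt, "src": self.public_ip, "sport": self.pat_rev[key]}


def pkt(src, sport, dst, dport, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


def walkthrough():
    """Inbound HTTPS to the server, its reply, a client's outbound DNS query, the answer, and a stray."""
    nat = NatDevice("203.0.113.1", {"203.0.113.10": "192.0.2.10"})
    inbound = nat.outside_to_inside(pkt("198.51.100.5", 40000, "203.0.113.10", 443))
    reply = nat.inside_to_outside(pkt("192.0.2.10", 443, "198.51.100.5", 40000))
    query = nat.inside_to_outside(pkt("10.1.1.5", 51000, "198.51.100.53", 53, "udp"))
    answer = nat.outside_to_inside(pkt("198.51.100.53", 53, "203.0.113.1", query["sport"], "udp"))
    stray = nat.outside_to_inside(pkt("198.51.100.99", 4444, "203.0.113.1", 22))
    return {"inbound": inbound, "reply": reply, "query": query, "answer": answer, "stray": stray}


if __name__ == "__main__":
    for name, p in walkthrough().items():
        print(name, p)
```

Note that the static mapping and the PAT entry both rewrite the destination of inbound packets; the difference that matters for the question is that the static mapping accepts a brand-new inbound connection to the server, while the PAT entry only exists for the lifetime of a flow an inside host started.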

64
MCQeasy

A network administrator wants to prevent unauthorized DHCP servers from offering IP addresses to clients on a switch. Which security feature should be enabled?

A.BPDU guard
B.DHCP snooping
C.Dynamic ARP inspection
D.Port security
AnswerB

DHCP snooping inspects DHCP traffic and allows only authorized DHCP servers on trusted ports, blocking any DHCP offers from untrusted ports.

Why this answer

DHCP snooping is the correct answer because it is a security feature specifically designed to filter untrusted DHCP messages on a switch. By configuring trusted and untrusted ports, DHCP snooping drops DHCP server responses (OFFER, ACK) received on untrusted ports, effectively preventing rogue DHCP servers from assigning IP addresses to clients.

Exam trap

The trap here is that candidates confuse DHCP snooping with Dynamic ARP Inspection, but DAI only validates ARP traffic, not DHCP offers, while BPDU guard is an STP mechanism unrelated to DHCP security.

How to eliminate wrong answers

Option A is wrong because BPDU guard is a Spanning Tree Protocol (STP) feature that err-disables a port upon receiving a Bridge Protocol Data Unit (BPDU), preventing rogue switches from altering the topology; it does not inspect or filter DHCP messages. Option C is wrong because Dynamic ARP Inspection (DAI) validates ARP packets by checking them against the DHCP snooping binding table to prevent ARP spoofing, but it does not block unauthorized DHCP server offers. Option D is wrong because port security limits how many MAC addresses a port may learn; a rogue DHCP server answering from a single MAC stays within the limit, and port security never looks inside DHCP messages.
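The binding table DHCP snooping builds is what Dynamic ARP Inspection consults, and the unsolicited gateway replies in question 53 are exactly what it drops. The following is an added example, not Cisco code, covering both questions: it constructs raw Ethernet+ARP frames, parses them, and applies the two checks DAI performs on an untrusted port (sender MAC must match the frame's source MAC, and the sender IP/MAC pair must match a binding). The binding table stands in for the DHCP snooping table plus a static ARP ACL entry for the gateway; the addresses are assumptions.

```python
"""Validate ARP frames the way Dynamic ARP Inspection does on an untrusted port.

Added example, not Cisco code. Frames are constructed raw Ethernet+ARP; the
binding table stands in for the DHCP snooping binding table plus a static ARP
ACL entry for the gateway. Addresses are assumptions.
"""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"        # htype ptype hlen plen oper sha spa tha tpa (28 bytes)
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(eth_src, oper, sha, spa, tha, tpa, eth_dst=BROADCAST):
    """Ethernet II header followed by an ARP packet (RFC 826)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac_bytes(sha),
                      socket.inet_aton(spa), mac_bytes(tha), socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"eth_src": mac_str(frame[6:12]), "oper": oper, "sha": mac_str(sha),
            "spa": socket.inet_ntoa(spa), "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


def dai_check(frame, bindings):
    """Return (verdict, reason) for one frame received on an untrusted port.

    bindings: {ip: mac} learned from DHCP snooping or configured statically.
    """
    a = parse_arp(frame)
    if a["sha"] != a["eth_src"]:                     # 'ip arp inspection validate src-mac'
        return "drop", f"ARP sender MAC {a['sha']} != frame source {a['eth_src']}"
    expected = bindings.get(a["spa"])
    if expected is None:
        return "drop", f"no binding for sender IP {a['spa']}"
    if expected != a["sha"]:
        kind = "reply" if a["oper"] == ARP_REPLY else "request"
        return "drop", f"{kind} claims {a['spa']} is at {a['sha']}, binding says {expected}"
    return "permit", f"{a['spa']} is at {a['sha']} per binding table"


# Constructed scenario: gateway 10.0.0.1 (static entry), one DHCP client, one attacker.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:00:5e:00:01:01"
CLIENT_IP, CLIENT_MAC = "10.0.0.25", "00:11:22:33:44:55"
ATTACKER_MAC = "de:ad:be:ef:00:01"
BINDINGS = {GATEWAY_IP: GATEWAY_MAC, CLIENT_IP: CLIENT_MAC}

SAMPLE_FRAMES = [
    # legitimate unicast reply from the real gateway
    build_arp(GATEWAY_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP, eth_dst=CLIENT_MAC),
    # the attack from question 53: unsolicited broadcast reply "10.0.0.1 is at <attacker>"
    build_arp(ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, BROADCAST, CLIENT_IP),
    # attacker forging the gateway MAC inside ARP but not in the Ethernet header
    build_arp(ATTACKER_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),
    # ordinary request from the DHCP client
    build_arp(CLIENT_MAC, ARP_REQUEST, CLIENT_MAC, CLIENT_IP, "00:00:00:00:00:00", GATEWAY_IP),
]


def inspect_sample():
    return [dai_check(f, BINDINGS)[0] for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(dai_check(f, BINDINGS))
```

Hosts with static addresses never appear in the DHCP snooping table, which is why a real deployment adds them to an ARP ACL (as the gateway is here) or their ARP traffic is dropped along with the attacker's.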

65
MCQmedium

A network administrator wants to prevent unauthorized devices from connecting to the company's Ethernet ports. The company uses a centralized authentication server. Which IEEE standard should be implemented?

A.802.1X
B.802.11i
C.802.3af
D.802.1Q
AnswerA

IEEE 802.1X provides authentication for devices connecting to a LAN port. It uses EAP exchanges between the supplicant (device), authenticator (switch), and authentication server (RADIUS) to permit or deny access.

Why this answer

802.1X is the IEEE standard for port-based Network Access Control (NAC) that authenticates devices before granting access to an Ethernet port. It uses a centralized authentication server (typically RADIUS) to verify credentials, preventing unauthorized devices from connecting to the network. This directly matches the requirement of controlling access at the port level with a centralized server.

Exam trap

The trap here is that candidates confuse 802.1X with wireless security standards like 802.11i, because both involve authentication, but 802.1X is specifically for wired port-based access control.

How to eliminate wrong answers

Option B is wrong because 802.11i (WPA2) is a wireless security standard that defines encryption and key management for Wi-Fi networks, not access control for wired Ethernet ports (it in fact relies on 802.1X for enterprise authentication). Option C is wrong because 802.3af is the Power over Ethernet (PoE) standard that delivers power over Ethernet cabling, and it has no authentication or access control capabilities. Option D is wrong because 802.1Q defines VLAN tagging on trunk links so that frames from multiple VLANs can share one physical link; it carries no authentication and does not decide who may connect.

66
MCQmedium

A company wants to protect its internal network by placing web servers that need to be accessible from the internet in a separate network segment. Which security architecture best describes this setup?

A.Intranet
B.VPN
C.DMZ
D.Extranet
AnswerC

A DMZ provides a buffer zone where public-facing servers are placed, allowing controlled access from the internet while keeping the internal network protected.

Why this answer

A DMZ (demilitarized zone) is a network segment that sits between the internal trusted network and the external untrusted internet. By placing web servers in the DMZ, the company ensures that external users can access the servers without directly exposing the internal network, as traffic must pass through a firewall that enforces strict access control policies. This architecture is specifically designed to isolate public-facing services from internal assets, reducing the attack surface.

Exam trap

The trap here is that candidates confuse a DMZ with a VPN, thinking that a VPN provides the same isolation for public servers, when in fact a VPN is designed for secure remote access to internal resources, not for hosting services accessible to the general internet.

How to eliminate wrong answers

Option A is wrong because an intranet is a private, internal network that is not directly accessible from the internet; it is used for internal communication and resources, not for hosting publicly accessible web servers. Option B is wrong because a VPN (Virtual Private Network) creates an encrypted tunnel for remote users to securely access the internal network, but it does not provide a separate network segment for public-facing servers; it is a connectivity method, not a security architecture for isolating internet-accessible services. Option D is wrong because an extranet is a controlled extension of the internal network to specific partners or customers, usually reached over a VPN or dedicated link; it is not a buffer segment for servers that anyone on the internet may reach.

67
MCQmedium

A company wants to prevent unauthorized personal devices from connecting to the corporate wired network. Employees must authenticate using their domain credentials before gaining full network access. Which security measure should be implemented on the switch ports?

A.MAC filtering
B.802.1X
C.Port security with sticky MAC
D.VLAN hopping prevention
AnswerB

802.1X uses Extensible Authentication Protocol (EAP) to authenticate devices/users against a central authentication server, enforcing access based on credentials.

Why this answer

802.1X is the correct choice because it provides port-based network access control (PNAC) that requires end devices to authenticate using domain credentials (e.g., via RADIUS) before being granted full network access. This ensures that only authorized users, not just authorized devices, can connect to the corporate wired network, meeting the requirement to prevent unauthorized personal devices.

Exam trap

The trap here is that candidates often confuse port security with 802.1X, thinking that locking MAC addresses via sticky MAC provides user-based authentication, but it only controls device identity, not user credentials, and fails to meet the requirement for domain credential authentication.

How to eliminate wrong answers

Option A is wrong because MAC filtering only checks the MAC address of the connecting device, which is easily spoofed and does not authenticate the user with domain credentials; a personal device whose MAC is cloned from an allowed one walks straight in. Option C is wrong because port security with sticky MAC dynamically learns and locks MAC addresses to a port, but it only controls which MAC addresses are allowed based on the device, not user authentication via domain credentials, and it can likewise be bypassed by spoofing a learned MAC. Option D is wrong because VLAN hopping prevention (disabling DTP with switchport nonegotiate, using an unused native VLAN on trunks, hard-coding access ports) hardens trunk behaviour against double-tagging and switch-spoofing attacks; it does nothing to authenticate the user plugging into an access port.

68
MCQmedium

A security auditor recommends implementing a solution that authenticates users and devices before granting network access, regardless of the physical port they connect to. Which technology should be deployed?

A.Port security
B.802.1X
C.VLAN hopping
D.DHCP snooping
AnswerB

802.1X provides port-based authentication using EAP and requires credentials from the device or user.

Why this answer

802.1X is the correct technology because it provides port-based network access control (PNAC) that authenticates users and devices before granting network access, regardless of the physical port they connect to. It uses the Extensible Authentication Protocol (EAP) over LAN (EAPoL) to communicate with a RADIUS server, ensuring that only authenticated endpoints are allowed on the network. This meets the auditor's requirement for authentication at the port level, independent of the switch port used.

Exam trap

The trap here is that candidates often confuse port security with 802.1X because both control port access, but port security only filters by MAC address and does not provide user authentication or integration with a central authentication server, which is the key requirement in the question.

How to eliminate wrong answers

Option A is wrong because port security is a Layer 2 feature that restricts access based on MAC addresses, not user or device authentication; it can be bypassed by MAC spoofing and does not integrate with a central authentication server like RADIUS. Option C is wrong because VLAN hopping is an attack technique used to gain unauthorized access to VLANs, not a security solution for authenticating users and devices before network access. Option D is wrong because DHCP snooping filters DHCP server messages on untrusted ports and builds a binding table; it authenticates nobody, and a device that never speaks DHCP is not affected by it at all.

69
MCQhard

During a security audit, a consultant discovers that encrypted traffic between a client and a web server is being decrypted and re-encrypted by an intermediate device on the network path. Which type of attack best describes this scenario?

A.ARP poisoning
B.SSL stripping
C.Man-in-the-middle
D.Rogue DHCP
AnswerC

An MITM attack intercepts traffic between two endpoints, often using a proxy to decrypt and re-encrypt, allowing the attacker to read or modify the data without the parties realizing.

Why this answer

Option C is correct because the scenario describes a classic man-in-the-middle (MITM) attack where an intermediary intercepts, decrypts, and re-encrypts traffic between the client and server. This allows the attacker to read or modify the data while both endpoints believe they have a secure TLS session. The key indicator is the decryption and re-encryption step, which is the hallmark of an active MITM proxy. For the client not to notice, the intermediary must present a certificate the client trusts, so it either holds a root CA that was installed on the client (this is exactly how a corporate TLS inspection proxy works) or has obtained a fraudulently issued certificate; comparing the issuer chain or the leaf certificate fingerprint with what the real server presents, or certificate pinning in the client, exposes the interception.

Exam trap

The trap here is that candidates confuse the method (e.g., ARP poisoning) with the attack type (MITM), or they mistake SSL stripping for any interception of encrypted traffic, not realizing that SSL stripping removes encryption entirely rather than re-encrypting it.

How to eliminate wrong answers

Option A is wrong because ARP poisoning is a specific technique used to redirect traffic on a local network by spoofing ARP replies, but it does not itself involve decrypting and re-encrypting traffic; it is a way of obtaining the MITM position, not the attack itself. Option B is wrong because SSL stripping downgrades a secure HTTPS connection to plain HTTP by rewriting links and preventing the TLS handshake from ever happening, but the scenario explicitly states that encrypted traffic is being decrypted and re-encrypted, meaning TLS is still in use on both legs, just terminated in the middle; SSL stripping would leave the client with unencrypted traffic, not re-encrypted traffic. Option D is wrong because a rogue DHCP server hands clients a false default gateway or DNS server to steer their traffic through an attacker; like ARP poisoning it is a means of getting into the intercepting position, not the decrypt-and-re-encrypt interception itself.

70
MCQhard

An attacker is eavesdropping on network traffic to capture sensitive data sent over an unencrypted HTTP connection. Which technology should be implemented to protect data in transit between clients and web servers?

A.SSL/TLS
B.IPSec
C.SSH
D.SNMPv3
AnswerA

SSL/TLS is the standard for encrypting web traffic (HTTPS).

Why this answer

TLS (Transport Layer Security, the successor to the now deprecated SSL) runs on top of TCP and beneath HTTP to produce HTTPS. It encrypts and authenticates the session between the browser and the web server, so an eavesdropper on the path sees only ciphertext rather than passwords or card numbers. TLS 1.3 (RFC 8446) is the current version; SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated and should be disabled on the server.

Exam trap

The exam tests the distinction between encryption protocols by the layer they protect (IPsec at Layer 3 versus TLS running over TCP beneath the application protocol), causing candidates to pick IPsec because it is a well-known security protocol, even though it does not by itself protect HTTP traffic between a browser and a web server.

How to eliminate wrong answers

Option B is wrong because IPSec operates at the network layer (Layer 3) and is designed to secure IP packets between hosts or networks, not specifically for HTTP traffic between clients and web servers; it would require complex configuration and does not integrate natively with web browsers. Option C is wrong because SSH (Secure Shell) is used for secure remote login and command execution, typically over TCP port 22, and does not protect HTTP traffic; it can tunnel other protocols but is not the standard for web traffic encryption. Option D is wrong because SNMPv3 provides authentication and encryption for network management traffic (Simple Network Management Protocol), not for HTTP sessions between clients and web servers.

71
MCQmedium

A network engineer is deploying 802.1X authentication for a wireless network. The security policy requires mutual authentication between the client and the network using certificates on both ends. Which EAP method should the engineer select?

A.EAP-MD5
B.EAP-TLS
C.PEAP
D.EAP-FAST
AnswerB

EAP-TLS uses certificates on both the server and client, providing strong mutual authentication.

Why this answer

EAP-TLS (Transport Layer Security) is the correct choice because it provides mutual authentication using certificates on both the client and the server, satisfying the security policy requirement. Unlike other EAP methods, EAP-TLS requires a PKI with certificates installed on both endpoints, ensuring that each side validates the other's identity before establishing the connection.

Exam trap

The exam often tests the distinction between EAP methods that use certificates on both ends and those that use a certificate only on the server side, leading candidates to choose PEAP or EAP-FAST when the question explicitly requires mutual certificate authentication.

How to eliminate wrong answers

Option A (EAP-MD5) is wrong because it authenticates only the client to the server with an MD5 challenge/response; the server is never authenticated, the exchange is unprotected and vulnerable to offline dictionary attacks, and it derives no keying material, so it cannot be used for WPA2/WPA3-Enterprise wireless at all. Option C (PEAP) is wrong because it authenticates the server with a certificate and builds a TLS tunnel, but the client is typically authenticated inside that tunnel with an inner method such as MSCHAPv2 or GTC rather than a client certificate, so it does not meet the mutual certificate requirement. Option D (EAP-FAST) is wrong because it authenticates with a Protected Access Credential (PAC) rather than certificates on both ends; although it can provide mutual authentication, it does not require client certificates as the policy specifies.

72
MCQmedium

A company wants to prevent unauthorized devices from connecting to the wired network by authenticating users or devices before granting network access. Which of the following technologies should be implemented on the switch ports to achieve this?

A.802.1X
B.Port security with MAC address sticky
C.Access control lists (ACLs)
D.DHCP snooping
AnswerA

802.1X provides port-based authentication, blocking access until credentials are verified.

Why this answer

802.1X is the IEEE standard (currently 802.1X-2020) for port-based Network Access Control (NAC). The supplicant (client) exchanges EAP (Extensible Authentication Protocol) messages with the authenticator (the switch) over EAPOL, and the switch relays them to the authentication server, usually RADIUS. Until the server accepts the credentials, the port stays in the unauthorized state and forwards only EAPOL; after success it transitions to the authorized (forwarding) state, so an unauthorized device never gets onto the wired network.

Exam trap

The exam often tests the misconception that port security with sticky MAC addresses provides authentication. It only restricts which MAC addresses a port accepts; it never verifies a user's identity or credentials, so it is a Layer 2 filtering control, not an authentication mechanism.

How to eliminate wrong answers

Option B is wrong because port security with MAC address sticky only learns and restricts MAC addresses on a port; it does not authenticate users or devices with credentials or certificates, and it is bypassed by spoofing an allowed MAC. Option C is wrong because ACLs filter traffic by IP address, port, or protocol after a device is already connected; they neither authenticate nor prevent the initial connection to the switch port. Option D is wrong because DHCP snooping filters DHCP messages from untrusted ports to stop rogue DHCP servers (and builds the binding table that Dynamic ARP Inspection uses), but it does not authenticate or block unauthorized devices from connecting to the port.

73
MCQmedium

A network administrator is configuring a firewall to allow external users to securely access an internal web server. Which security technique should be used to place the web server in a separate, isolated network segment that is still accessible from the internet?

A.VLAN
B.DMZ
C.VPN
D.NAT
AnswerB

A DMZ is specifically designed to host public-facing services while isolating them from the internal network.

Why this answer

A DMZ (demilitarized zone) is a separate, isolated network segment that exposes internal services, such as a web server, to external users while keeping the internal LAN secure. By placing the web server in the DMZ, the firewall can allow inbound traffic from the internet to the DMZ while blocking direct access to the internal network, enforcing strict access control policies.

Exam trap

The trap here is that candidates confuse VLANs with security isolation, assuming a VLAN alone gives the same protection as a DMZ. A VLAN is only a Layer 2 broadcast domain; it lacks the firewall-enforced policy between the internet, the exposed segment, and the internal network that defines a DMZ.

How to eliminate wrong answers

Option A is wrong because a VLAN segments traffic at Layer 2 but does not by itself isolate anything from the internet; without a firewall between segments, a VLAN cannot control inbound access or protect the internal network from external threats. Option C is wrong because a VPN builds an encrypted tunnel that lets remote users reach the internal network; it does not place the web server in an isolated segment, and it would instead give external users a path into internal resources. Option D is wrong because NAT translates private addresses to public ones but creates no isolated segment; it hides internal addressing and does not provide the security boundary that a DMZ offers.

74
MCQhard

A security analyst is investigating a network anomaly. The analyst notices that the company's web server is receiving a large number of TCP SYN packets from random source IP addresses, all destined for port 80. The web server is responding with SYN-ACK packets, but the connections are never completed. This is causing the server's connection table to fill up, degrading performance for legitimate users. Which type of attack is being described?

A.Ping of death
B.Smurf attack
C.SYN flood
D.DNS amplification
AnswerC

A SYN flood sends many TCP SYN packets with spoofed IPs, never completing the handshake, exhausting server resources. This matches the description.

Why this answer

The attack described is a SYN flood, a denial-of-service (DoS) attack that exploits the TCP three-way handshake. The attacker sends a high volume of TCP SYN packets with spoofed source IP addresses to the server's port 80. The server answers each one with a SYN-ACK, allocates a half-open connection entry, and waits for the final ACK, which never arrives because the spoofed sources never sent the SYN. The half-open connection table (backlog queue) fills up, and legitimate SYNs are dropped or delayed. Typical mitigations are SYN cookies, which avoid allocating state until the ACK arrives, a shorter SYN-RECEIVED timeout, and rate limiting of SYNs per source or per destination port.

Exam trap

The trap here is that candidates confuse a SYN flood with a Smurf attack or DNS amplification because all three are DoS attacks, but they differ in protocol and mechanism: a SYN flood is a TCP state-exhaustion attack against the three-way handshake, while Smurf (ICMP) and DNS amplification (UDP) are volumetric reflection attacks that aim to saturate bandwidth.

How to eliminate wrong answers

Option A is wrong because a Ping of Death attack involves sending an oversized or malformed ICMP packet that causes a buffer overflow on the target system, not a flood of TCP SYN packets. Option B is wrong because a Smurf attack uses ICMP echo requests sent to a network's broadcast address with a spoofed source IP, causing all hosts on that network to reply to the victim, overwhelming it with ICMP traffic, not TCP SYN packets. Option D is wrong because a DNS amplification attack leverages open DNS resolvers to send large DNS response traffic to a victim by sending small queries with a spoofed source IP, typically over UDP, not TCP SYN packets to port 80.
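The following is an added example, not part of the original question set, showing how the SYN-flood pattern described above can be recognised from traffic records: it replays constructed TCP segments, tracks every client-to-server handshake through SYN, SYN-ACK and ACK, and raises an alert when one server socket accumulates many half-open connections from many distinct (spoofed) sources. The `Segment` record, the flag strings, the thresholds and the sample traffic are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed record format for the example. Flag strings: "S" = SYN,
# "SA" = SYN-ACK, "A" = the client's final ACK of the handshake.
@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def track_handshakes(segments):
    """Replay segments and return the final state of each client->server
    attempt: "SYN_SENT", "SYN_RECEIVED" (half-open) or "ESTABLISHED"."""
    state = {}
    for seg in segments:
        if seg.flags == "S":
            state[(seg.src, seg.sport, seg.dst, seg.dport)] = "SYN_SENT"
        elif seg.flags == "SA":
            # The SYN-ACK travels server->client, so reverse it to find the attempt.
            key = (seg.dst, seg.dport, seg.src, seg.sport)
            if state.get(key) == "SYN_SENT":
                state[key] = "SYN_RECEIVED"
        elif seg.flags == "A":
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            if state.get(key) == "SYN_RECEIVED":
                state[key] = "ESTABLISHED"
    return state


def detect_syn_flood(segments, half_open_threshold=100, min_sources=50):
    """Summarise handshakes per server socket and flag sockets whose backlog is
    being consumed by many incomplete handshakes from many distinct sources.
    Both thresholds are example values, not tuned recommendations."""
    per_socket = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for (client, _cport, server, sport), st in track_handshakes(segments).items():
        entry = per_socket[(server, sport)]
        if st == "ESTABLISHED":
            entry["established"] += 1
        else:
            entry["half_open"] += 1
            entry["sources"].add(client)
    alerts = []
    for (server, sport), e in sorted(per_socket.items()):
        if e["half_open"] >= half_open_threshold and len(e["sources"]) >= min_sources:
            alerts.append({
                "server": server,
                "port": sport,
                "half_open": e["half_open"],
                "established": e["established"],
                "distinct_sources": len(e["sources"]),
            })
    return alerts


SERVER = "192.0.2.10"  # constructed web server address (TEST-NET-1)


def build_sample_traffic():
    """Constructed traffic: three real clients complete the handshake, then 200
    SYNs arrive from 200 spoofed addresses in 203.0.113.0/24 (TEST-NET-3) that
    never send the final ACK, exactly the symptom in the question."""
    segs = []
    for i, client in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.7"]):
        cport = 40000 + i
        segs.append(Segment(client, cport, SERVER, 80, "S"))
        segs.append(Segment(SERVER, 80, client, cport, "SA"))
        segs.append(Segment(client, cport, SERVER, 80, "A"))
    for i in range(200):
        spoofed, cport = f"203.0.113.{i + 1}", 50000 + i
        segs.append(Segment(spoofed, cport, SERVER, 80, "S"))
        segs.append(Segment(SERVER, 80, spoofed, cport, "SA"))
    return segs


if __name__ == "__main__":
    for alert in detect_syn_flood(build_sample_traffic()):
        print(alert)
```

Note that the detector keys on the half-open count together with the number of distinct sources: a single misbehaving client that leaves a few handshakes open is not a flood, whereas hundreds of never-completing attempts from hundreds of addresses are the signature of spoofed SYNs. On a real sensor the same logic needs an ageing window so that entries time out instead of accumulating forever.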

75
Matchingmedium

Match each network attack to its description.

ARP spoofing (ARP poisoning): Attacker sends fake ARP messages to associate their MAC with another IP

DNS cache poisoning: Corrupts DNS cache to redirect traffic to malicious sites

Distributed denial of service (DDoS): Overwhelms a target with traffic from multiple sources

Man-in-the-middle: Attacker intercepts communication between two parties

Why these pairings

Each description names the mechanism that defines the attack: forged ARP replies bind the attacker's MAC to a victim's IP, a poisoned resolver cache returns the attacker's address for a legitimate name, a DDoS is distinguished from a plain DoS by its many sources, and a man-in-the-middle sits on the path between two parties (ARP or DNS spoofing is often how that position is obtained).
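As an added example that is not part of the original page, the check below shows how the ARP spoofing entry above is caught on a switch: it validates each ARP reply against a DHCP-snooping-style IP-to-MAC binding table in the manner of Dynamic ARP Inspection, dropping any reply whose sender pair does not match a known binding, and additionally reports any MAC that claims more than one IP (the attacker claiming both the gateway and a host, which is how a man-in-the-middle position is built). The binding table, the ARP replies and the MAC addresses are all constructed for the example, and the validation is a simplified model of DAI, not Cisco's implementation.

```python
from collections import defaultdict

# Constructed binding table in the style of what DHCP snooping learns
# (IP -> MAC per lease). 10.1.1.1 is the default gateway.
BINDINGS = {
    "10.1.1.1": "00:11:22:33:44:01",
    "10.1.1.20": "00:11:22:33:44:20",
    "10.1.1.21": "00:11:22:33:44:21",
}

# Constructed ARP replies seen on an untrusted port: (sender IP, sender MAC).
# The last two are forged by de:ad:be:ef:00:01, which claims both the gateway
# and host .21 so that traffic between them flows through the attacker.
ARP_REPLIES = [
    ("10.1.1.1", "00:11:22:33:44:01"),
    ("10.1.1.20", "00:11:22:33:44:20"),
    ("10.1.1.1", "de:ad:be:ef:00:01"),
    ("10.1.1.21", "de:ad:be:ef:00:01"),
]


def inspect_arp(replies, bindings):
    """Validate ARP replies the way Dynamic ARP Inspection does: the sender
    IP/MAC pair must match a binding, otherwise the reply is dropped.
    Returns (permitted, dropped, offenders); offenders maps each MAC that
    claimed more than one IP to the sorted list of IPs it claimed."""
    permitted, dropped = [], []
    claimed = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        claimed[mac].add(ip)
        if bindings.get(ip, "").lower() == mac:
            permitted.append((ip, mac))
        else:
            # Unknown IP or IP bound to a different MAC: forged or unauthorised.
            dropped.append((ip, mac))
    offenders = {m: sorted(ips) for m, ips in claimed.items() if len(ips) > 1}
    return permitted, dropped, offenders


if __name__ == "__main__":
    ok, bad, who = inspect_arp(ARP_REPLIES, BINDINGS)
    print("permitted:", ok)
    print("dropped:", bad)
    print("MACs claiming several IPs:", who)
```

The binding check is what stops the poisoning; the offenders report is the signal an analyst would want in a log, since a single MAC advertising the gateway's address as well as a host's address is the textbook ARP-based man-in-the-middle. Hosts with static addresses that never went through DHCP would need to be added to the binding table (an ARP ACL on a real switch), or their legitimate replies would be dropped too.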
