CCNA Cc Network Security Questions

45 of 120 questions · Page 2/2 · Cc Network Security topic · Answers revealed

76. Multi-Select (hard)

Which of the following are effective defenses against man-in-the-middle attacks? (Choose THREE)

Select 3 answers
A. Using HTTP instead of HTTPS
B. Educating users to verify certificates
C. Disabling ARP
D. Implementing HTTPS with proper certificate validation
E. Using a VPN to encrypt all traffic
Answers: B, D, E

Users can detect invalid certificates.

Why this answer

HTTPS, VPNs, and certificate validation help prevent MITM.

77. MCQ (medium)

An IT administrator wants to inspect HTTP traffic for malicious payloads such as SQL injection. Which network security device is most appropriate?

A. IDS
B. WAF
C. Honeypot
D. IPS
Answer: B

WAF is designed for application-layer HTTP inspection.

Why this answer

A Web Application Firewall (WAF) specializes in filtering and monitoring HTTP/HTTPS traffic, often using OWASP rules to detect attacks like SQL injection.

78. MCQ (easy)

A security analyst notices unusual traffic on the network. Using Wireshark, they capture packets and see that an attacker is reading all unencrypted data from the network segment. Which type of attack is most likely being performed?

A. Spoofing
B. DoS
C. Sniffing / Eavesdropping
D. Man-in-the-middle
Answer: C

Correct. Sniffing captures unencrypted traffic, as seen in the scenario.

Why this answer

Sniffing or eavesdropping involves capturing network traffic to read data. In this scenario, unencrypted data is being read, which is characteristic of sniffing.

80. Multi-Select (hard)

An organization wants to implement network segmentation to improve security. Which three methods are commonly used for network segmentation? (Select THREE.)

Select 3 answers
A. Subnetting
B. DMZs
C. Firewalls
D. VLANs
E. Intrusion Detection Systems
Answers: A, B, D

Subnetting divides IP address space.

Why this answer

VLANs, subnets, and DMZs are common segmentation methods. Firewalls enforce rules but are not segmentation methods themselves; IDS is a monitoring tool.

81. MCQ (easy)

Which of the following ports is commonly used for secure web traffic (HTTPS)?

A. 53
B. 80
C. 22
D. 443
Answer: D

Port 443 is for HTTPS.

Why this answer

HTTPS uses port 443 by default. HTTP uses port 80, and SSH uses port 22.

82. MCQ (easy)

An organization wants to segment its network so that public-facing servers are isolated from internal users. Which network design component should be used?

A. Honeypot
B. Subnet
C. DMZ
Answer: C

A DMZ isolates public-facing servers from the internal network.

Why this answer

A DMZ (demilitarized zone) is a separate network segment that hosts public-facing services, isolated from the internal LAN.

83. MCQ (medium)

An organization wants to allow external users to securely access internal web applications. Which network security device is specifically designed to inspect HTTP/HTTPS traffic and block malicious requests?

A. Stateful firewall
B. Web Application Firewall (WAF)
C. Intrusion Detection System (IDS)
D. Packet filtering firewall
Answer: B

WAF inspects HTTP/HTTPS and filters malicious payloads like SQL injection.

Why this answer

A Web Application Firewall (WAF) is specialized for filtering HTTP/HTTPS traffic and protecting web applications.

84. MCQ (hard)

During a security assessment, a penetration tester captures network traffic and notices that the source IP address in packets appears to be from a different network. Which technique is the attacker likely using?

A. DNS spoofing
B. ARP spoofing
C. MAC spoofing
D. IP spoofing
Answer: D

IP spoofing forges the source IP address.

Why this answer

IP spoofing involves forging the source IP address in packets to impersonate another system or hide the true origin. This can be used in various attacks like DDoS or session hijacking.

85. MCQ (medium)

An attacker sends a flood of SYN packets to a server, never completing the three-way handshake, exhausting the server's resources and causing it to become unresponsive. What type of attack is this?

A. ICMP flood
B. SYN flood
C. UDP flood
D. ARP spoofing
Answer: B

Correct. A SYN flood targets the TCP handshake.

Why this answer

A SYN flood is a type of DoS attack that exploits the TCP three-way handshake by sending many SYN packets and not completing the handshake.

86. Multi-Select (medium)

A company wants to protect its internal web server from common web application attacks. Which two security measures are most appropriate? (Choose TWO.)

Select 2 answers
A. Deploy a Web Application Firewall (WAF)
B. Implement HTTPS with a valid certificate
C. Deploy an IDS in promiscuous mode
D. Use a stateful firewall only
E. Enable SNMP on the server
Answers: A, B

Correct. A WAF inspects HTTP/HTTPS traffic and blocks attacks.

Why this answer

A WAF specifically filters HTTP/HTTPS traffic, and HTTPS encryption protects data in transit. A firewall alone is not application-aware, and IDS/IPS are not specific to web applications.

87. MCQ (easy)

Which TCP segment is sent to initiate the three-way handshake?

A. ACK
B. SYN-ACK
C. FIN
D. SYN
Answer: D

Correct. The client sends a SYN to start the handshake.

Why this answer

The three-way handshake starts with a SYN (synchronize) packet from the client.

88. MCQ (easy)

Which protocol operates at the Transport layer of the OSI model and is connectionless and unreliable?

A. TCP
C. IP
D. UDP
Answer: D

UDP is connectionless and unreliable.

Why this answer

UDP is connectionless and does not guarantee delivery, making it fast but unreliable.

89. MCQ (medium)

A security analyst detects a large number of half-open TCP connections targeting a web server. This is most likely indicative of what type of attack?

A. Smurf attack
B. SYN flood
C. ARP spoofing
D. DNS amplification
Answer: B

A SYN flood targets the TCP handshake to cause resource exhaustion.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending many SYN packets without completing the handshake, exhausting server resources. This is a type of DoS attack.

90. Multi-Select (medium)

A security team is investigating a potential man-in-the-middle attack. Which TWO of the following are common techniques used in MITM attacks? (Select TWO.)

Select 2 answers
A. ARP poisoning
B. SYN flood
C. DNS amplification
D. Setting up a rogue Wi-Fi access point
E. ICMP flood
Answers: A, D

Poisoned ARP tables redirect traffic to the attacker.

Why this answer

ARP poisoning redirects traffic, and rogue Wi-Fi access points intercept communications.

91. MCQ (hard)

An attacker sends forged ARP messages to associate their MAC address with the IP address of a legitimate server. This allows the attacker to intercept traffic intended for that server. What is this attack?

A. DNS poisoning
B. MAC flooding
C. ARP spoofing
D. IP spoofing
Answer: C

ARP spoofing uses forged ARP messages to redirect traffic.

Why this answer

ARP spoofing (or ARP poisoning) involves sending fake ARP replies to associate the attacker's MAC with a victim's IP, enabling man-in-the-middle attacks.

92. Multi-Select (medium)

A network administrator is planning to segment the network. Which of the following are valid segmentation methods? (Choose TWO)

Select 2 answers
A. Subnetting
B. Firewalls
C. VLANs
D. IDS
E. Honeypots
Answers: A, C

Subnetting divides IP address space.

Why this answer

VLANs and subnetting are common segmentation techniques.

93. Multi-Select (medium)

Which two of the following are best practices to mitigate man-in-the-middle attacks? (Select TWO.)

Select 2 answers
A. Disable SSL/TLS on web servers
B. Use HTTPS with proper certificate validation
C. Use ARP spoofing detection tools
D. Implement a VPN for remote connections
E. Use Telnet for remote administration
Answers: B, D

HTTPS encrypts and validates server identity.

Why this answer

HTTPS with certificate validation ensures secure communication, and VPNs encrypt traffic between endpoints. Disabling encryption increases risk, and using Telnet sends data in cleartext.

95. Multi-Select (medium)

Which THREE of the following are common mitigation techniques against Denial of Service (DoS) attacks?

Select 3 answers
A. Implementing rate limiting on servers
B. Disabling all firewall rules
C. Allowing all inbound traffic to avoid blocking legitimate users
D. Filtering traffic based on IP reputation
E. Using a Content Delivery Network (CDN) to absorb traffic
Answers: A, D, E

Rate limiting restricts the number of requests from a source.

Why this answer

DoS mitigation includes using DDoS protection services, rate limiting, and filtering traffic based on IP reputation.

96. MCQ (hard)

An organization decides to implement an Intrusion Prevention System (IPS) to protect its network. Which statement about an IPS compared to an IDS is correct?

A. An IPS is placed inline and can automatically block malicious traffic.
B. An IPS is placed out of band and monitors traffic.
C. An IPS generates alerts but does not block traffic.
D. An IPS operates only at the application layer.
Answer: A

An IPS can drop packets or reset connections in real time.

Why this answer

An IPS is inline and can actively block traffic, while an IDS is passive and only alerts.

97. MCQ (easy)

A security analyst notices unusual traffic from an internal workstation to an external IP address on port 25. Which protocol is most likely being used?

Answer: A

Correct. SMTP uses port 25 for email transmission.

Why this answer

Port 25 is the default port for SMTP (Simple Mail Transfer Protocol).

98. MCQ (medium)

Which of the following is a security concern associated with the Telnet protocol?

A. It transmits data in cleartext.
B. It requires certificate management.
C. It is vulnerable to DNS poisoning.
D. It uses encryption that is too weak.
Answer: A

Telnet sends all data unencrypted.

Why this answer

Telnet transmits data, including credentials, in cleartext, making it susceptible to sniffing. SSH is the secure alternative.

99. MCQ (medium)

An organization wants to securely manage network devices from remote locations. Which of the following protocols should be used for command-line access?

Answer: B

SSH provides encrypted remote access.

Why this answer

SSH (port 22) encrypts all traffic, including passwords and commands, making it secure for remote administration. Telnet transmits data in cleartext and should be avoided.

100. MCQ (medium)

Which firewall type reads packet headers and also tracks the state of active connections to make filtering decisions?

A. Stateful inspection
B. Packet filtering
C. Application proxy
Answer: A

Stateful firewalls track connection state.

Why this answer

Stateful inspection firewalls maintain a state table to track connections, allowing return traffic for permitted outbound connections.

101. MCQ (medium)

Which firewall type is capable of inspecting the contents of application-layer traffic, such as HTTP requests, to detect malicious patterns?

A. Next-generation firewall
B. Stateful inspection firewall
C. Application proxy firewall
D. Packet filtering firewall
Answer: C

An application proxy examines application-layer content.

Why this answer

An application proxy firewall (also known as an application-level gateway) performs deep packet inspection at the application layer, allowing it to filter based on content like URLs or SQL commands.

102. MCQ (medium)

Which common port is used by DNS and which transport layer protocol does it primarily use?

A. Port 53, UDP only
B. Port 161, UDP
C. Port 53, both UDP and TCP
D. Port 53, TCP only
Answer: C

Correct. DNS uses UDP for queries and TCP for zone transfers.

Why this answer

DNS uses port 53 and primarily uses UDP for queries, though TCP is used for zone transfers.

103. Multi-Select (medium)

A security analyst wants to detect and analyze attacker behavior by deploying a decoy system. Which three characteristics apply to a honeypot? (Choose THREE.)

Select 3 answers
A. It is a decoy system to attract attackers
B. It provides early warning of attacks
C. It contains sensitive production data
D. It is used for legitimate network traffic
E. It allows analysis of attacker tactics
Answers: A, B, E

Correct. Honeypots lure attackers away from real assets.

Why this answer

Honeypots are decoy systems designed to attract attackers, provide early warning, and allow analysis of attacker techniques. They do not contain real production data and are not used for legitimate traffic.

104. MCQ (medium)

Which transport layer protocol is used by voice over IP (VoIP) applications that require low latency and can tolerate some packet loss?

B. SCTP
C. TCP
D. UDP
Answer: D

UDP is low-latency and suitable for real-time traffic.

Why this answer

UDP is connectionless and faster, making it suitable for real-time applications like VoIP where occasional packet loss is acceptable.

105. MCQ (easy)

Which protocol is used to resolve IP addresses to MAC addresses on a local network?

Answer: A

ARP resolves IP addresses to MAC addresses.

Why this answer

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses, operating at the Layer 2/3 boundary.

106. MCQ (hard)

Which of the following is a characteristic of a stateful firewall that distinguishes it from a stateless firewall?

A. It can decrypt SSL traffic
B. It examines each packet in isolation
C. It uses a state table to track connections
D. It can filter based on application-layer data
Answer: C

Stateful firewalls track connection states.

Why this answer

A stateful firewall maintains a state table to track active connections, allowing it to make decisions based on the context of the traffic.

107. MCQ (hard)

A security team deploys a passive device that monitors network traffic and generates alerts when it detects suspicious patterns, but it does not take any action. This device is best described as a:

A. Web Application Firewall (WAF)
B. Intrusion Detection System (IDS)
C. Intrusion Prevention System (IPS)
D. Stateful firewall
Answer: B

Correct. An IDS is passive and only alerts.

Why this answer

An Intrusion Detection System (IDS) is passive, monitoring and alerting without blocking traffic, unlike an IPS which is inline.

108. MCQ (medium)

An organization decides to implement a security control that can detect and block attacks in real-time by sitting inline in the network. Which of the following should be chosen to meet these requirements?

A. Intrusion Detection System (IDS)
B. Intrusion Prevention System (IPS)
C. Packet filtering firewall
D. Honeypot
Answer: B

Correct. An IPS is inline and can block traffic.

Why this answer

An IPS (Intrusion Prevention System) is inline and can block attacks. IDS is passive.

109. MCQ (hard)

A company's network has multiple VLANs. An attacker on VLAN 10 sends a frame with a forged source MAC address to a switch, hoping to intercept traffic intended for the default gateway. Which attack is being executed?

A. ARP spoofing
B. IP spoofing
C. VLAN hopping
D. MAC flooding
Answer: A

Correct. ARP spoofing forges MAC-IP associations.

Why this answer

ARP spoofing (or ARP poisoning) involves sending forged ARP messages to associate the attacker's MAC with the IP of another device (e.g., default gateway), enabling traffic interception.

110. MCQ (easy)

Which port number is associated with HTTPS, and what protocol encrypts the communication?

A. Port 80, SSL/TLS
B. Port 8080, SSL/TLS
C. Port 443, SSL/TLS
D. Port 443, SSH
Answer: C

Correct. HTTPS on 443 uses SSL/TLS.

Why this answer

HTTPS uses port 443 and is encrypted using SSL/TLS.

111. MCQ (easy)

Which protocol is used to resolve IP addresses to MAC addresses on a local network?

Answer: D

ARP resolves IP addresses to MAC addresses.

Why this answer

ARP (Address Resolution Protocol) maps IP to MAC addresses.

112. Multi-Select (easy)

Which two of the following are characteristics of a stateful firewall? (Choose TWO.)

Select 2 answers
A. Inspects application-layer data
B. Tracks connection state
C. Operates only at Layer 3
D. Filters packets based on static rules only
E. Blocks unsolicited inbound traffic by default
Answers: B, E

Correct. Stateful firewalls maintain a state table.

Why this answer

A stateful firewall tracks the state of active connections and can block unsolicited inbound traffic. Packet filtering is stateless, and application inspection is typical of proxy firewalls.

113. Multi-Select (hard)

A company is experiencing a distributed denial-of-service (DDoS) attack that is overwhelming the network bandwidth. Which THREE mitigation techniques are most effective?

Select 3 answers
A. Enable rate limiting on network devices
B. Disable ICMP on all devices
C. Change the public IP address of the server
D. Use a content delivery network (CDN) to absorb traffic
E. Implement traffic filtering at the perimeter
Answers: A, D, E

Rate limiting restricts the amount of traffic from a source.

Why this answer

Traffic filtering, rate limiting, and using a CDN can help absorb DDoS traffic. Changing IP addresses is reactive and not a standard mitigation; disabling ICMP may help against some attacks but is not a primary mitigation.

114. MCQ (medium)

An attacker captures network traffic using Wireshark and reads unencrypted emails. Which security goal is most directly compromised?

A. Integrity
B. Availability
C. Non-repudiation
D. Confidentiality
Answer: D

Confidentiality is breached when data is read by an unauthorized party.

Why this answer

Sniffing captures sensitive data, violating confidentiality.

115. MCQ (hard)

An organization deploys a network security device that inspects application-layer payloads, can block malicious HTTP requests, and uses OWASP rules. Which type of device is this?

A. Intrusion Detection System (IDS)
B. Next-Generation Firewall (NGFW)
C. Web Application Firewall (WAF)
D. Intrusion Prevention System (IPS)
Answer: C

Correct. A WAF inspects HTTP/HTTPS and uses OWASP rules.

Why this answer

A Web Application Firewall (WAF) is designed to filter and monitor HTTP/HTTPS traffic, often using OWASP rules to protect against web vulnerabilities.

116. Multi-Select (medium)

A security analyst is reviewing network traffic and needs to identify which of the following protocols are inherently insecure because they transmit data in cleartext. (Select TWO.)

Select 2 answers
Answers: C, D

FTP transmits credentials and data in cleartext.

Why this answer

Telnet and FTP transmit data, including credentials, in cleartext. SSH and HTTPS encrypt all traffic.

117. MCQ (medium)

An organization wants to implement a network security device that can block malicious traffic in real-time and must be placed inline. Which device should be chosen?

A. Vulnerability scanner
B. Packet sniffer
C. Intrusion Detection System (IDS)
D. Intrusion Prevention System (IPS)
Answer: D

An IPS is inline and can block traffic.

Why this answer

An Intrusion Prevention System (IPS) is inline and can actively block threats, unlike an IDS which only alerts.

118. MCQ (hard)

A security engineer is evaluating different firewall architectures. Which firewall type can decrypt SSL/TLS traffic, inspect the contents, and then re-encrypt it?

A. Application proxy firewall
B. Packet filtering firewall
C. Next-generation firewall (NGFW)
D. Stateful inspection firewall
Answer: C

NGFWs can perform deep packet inspection including SSL decryption.

Why this answer

NGFWs often include SSL inspection capabilities to examine encrypted traffic for threats.

119. MCQ (easy)

Which layer of the OSI model is responsible for routing packets across networks?

A. Network layer
B. Physical layer
C. Transport layer
D. Data Link layer
Answer: A

The Network layer routes packets.

Why this answer

The Network layer (Layer 3) handles routing and logical addressing (IP addresses).

120. MCQ (medium)

Which security control would best mitigate the risk of network sniffing on a wired LAN segment?

A. Using encryption protocols (e.g., IPsec, TLS)
B. Implementing VLANs
C. Disabling unused ports on the switch
Answer: A

Correct. Encryption keeps sniffed data confidential.

Why this answer

Encrypting traffic (e.g., using HTTPS, VPN) makes sniffed data unreadable.
