CCNA Network Security Questions

70 questions · Network Security topic · All types, answers revealed

1. MCQ · medium

An organization wants to detect and alert on potential network intrusions but does not want to risk blocking legitimate traffic. Which system should they deploy?

A. Network-based Intrusion Detection System (NIDS)
B. Unified Threat Management (UTM) appliance
C. Firewall with deep packet inspection
D. Network-based Intrusion Prevention System (NIPS)
Answer: A

A NIDS is passive: it only alerts on suspected intrusions and never blocks traffic, so a false positive cannot block legitimate traffic.

Why this answer

A Network-based Intrusion Detection System (NIDS) passively monitors network traffic and generates alerts when suspicious patterns are detected, but it does not take any inline action to block traffic. This makes it the correct choice for an organization that wants to detect and alert on potential intrusions without any risk of blocking legitimate traffic, as the NIDS operates out-of-band and cannot drop packets.

Exam trap

ISC2 often tests the distinction between detection (IDS) and prevention (IPS) by emphasizing that an IDS is passive and out-of-band, while an IPS is inline and can block traffic, so the trap here is confusing the alert-only capability of NIDS with the active blocking of NIPS or UTM appliances.

How to eliminate wrong answers

Option B is wrong because a Unified Threat Management (UTM) appliance typically includes intrusion prevention, antivirus, and content filtering that can actively block traffic, which introduces the risk of blocking legitimate traffic. Option C is wrong because a firewall with deep packet inspection (DPI) is an inline device that can drop or reject packets based on application-layer analysis, which could inadvertently block legitimate traffic. Option D is wrong because a Network-based Intrusion Prevention System (NIPS) is an inline device that actively drops or resets malicious traffic, directly contradicting the requirement to avoid blocking legitimate traffic.

2. MCQ · hard

Refer to the exhibit. Based on the exhibit, which statement best describes the effect of this policy?

A. Allows all actions on EC2 instances from 10.0.0.0/16
B. Allows DescribeInstances action from any IP but with a condition
C. Denies DescribeInstances action from IPs outside 10.0.0.0/16
D. Allows DescribeInstances action only from IPs within 10.0.0.0/16
Answer: D

The Effect is Allow, the Action is ec2:DescribeInstances, and the Condition restricts the source IP to the 10.0.0.0/16 range.

Why this answer

The policy uses an 'Allow' effect with a condition that restricts the source IP to the 10.0.0.0/16 range. Since IAM policies default to implicit deny, only requests matching both the action (DescribeInstances) and the condition (source IP within 10.0.0.0/16) are allowed. This effectively permits DescribeInstances only from the specified CIDR block.

Exam trap

ISC2 often tests the distinction between an explicit 'Allow' with a condition and an explicit 'Deny' — candidates mistakenly think a conditional allow is equivalent to a deny for non-matching sources, but the actual behavior is that non-matching requests are implicitly denied, not explicitly denied.

How to eliminate wrong answers

Option A is wrong because the policy does not allow 'all actions' on EC2 instances; it only allows the DescribeInstances action. Option B is wrong because the policy does not allow DescribeInstances from 'any IP'; it explicitly restricts the source IP to 10.0.0.0/16 via a condition. Option C is wrong because the policy uses an 'Allow' effect, not a 'Deny' effect; it allows the action from the specified range rather than denying it from outside that range.

3. MCQ · medium

A company's network uses 802.1X authentication for wired and wireless access. Which component authenticates the user credentials against an identity store?

A. Supplicant
B. Authenticator
C. Authentication server (RADIUS)
D. Access point
Answer: C

The authentication server performs the actual credential verification against the identity store.

Why this answer

In 802.1X, the authentication server (typically a RADIUS server) is the component that validates user credentials against an identity store such as LDAP, Active Directory, or a local database. The supplicant (client) supplies the credentials and the authenticator (switch or access point) relays EAP frames between the two, but only the RADIUS server makes the actual authentication decision.

Exam trap

ISC2 often tests the misconception that the authenticator (switch or AP) performs authentication, but in 802.1X the authenticator only controls port access based on the RADIUS server's decision, not the credential validation itself.

How to eliminate wrong answers

Option A is wrong because the supplicant is the client software (e.g., on a laptop) that initiates authentication by sending credentials, but it does not validate them against any identity store. Option B is wrong because the authenticator (e.g., a switch or wireless controller) acts as a middleman, forwarding EAP messages between supplicant and RADIUS server, but it does not perform credential validation. Option D is wrong because an access point can act as an authenticator in wireless 802.1X, but it still does not authenticate credentials; it only relays EAP traffic to the RADIUS server.

4. MCQ · easy

A security analyst notices repeated failed login attempts from a single external IP address targeting the company's VPN concentrator. Which type of attack is most likely occurring?

A. Spoofing
B. Brute force
C. Man-in-the-Middle (MITM)
D. Denial of Service (DoS)
Answer: B

Brute force attacks involve repeated guessing of credentials, matching this behavior.

Why this answer

Repeated failed login attempts from a single external IP targeting a VPN concentrator are the hallmark of a brute force attack. The attacker systematically tries many username/password combinations to gain unauthorized access, exploiting weak or common credentials rather than exploiting a protocol vulnerability.

Exam trap

ISC2 often tests the distinction between a brute force attack (focused on credential guessing) and a Denial of Service attack (focused on resource exhaustion), where candidates mistakenly choose DoS because repeated attempts seem to 'overwhelm' the system, but the core intent is unauthorized access, not service disruption.

How to eliminate wrong answers

Option A is wrong because spoofing involves falsifying the source IP address to impersonate a trusted host, not repeatedly attempting logins; the attack here originates from a single external IP, not a spoofed one. Option C is wrong because a Man-in-the-Middle (MITM) attack intercepts or alters communication between two parties, often requiring ARP spoofing or rogue certificates, not repeated login attempts against a VPN concentrator. Option D is wrong because a Denial of Service (DoS) attack aims to overwhelm the VPN concentrator with traffic to disrupt service, not to gain access via credential guessing; the repeated login attempts here are targeted at authentication, not resource exhaustion.

5. MCQ · medium

During a security assessment, a penetration tester captures unencrypted credentials over the network. Which protocol is most likely being used?

A. SMTPS
B. SSH
C. FTP
D. HTTPS
Answer: C

FTP sends username and password in plaintext over the network.

Why this answer

FTP (File Transfer Protocol) transmits data, including credentials, in cleartext over the network. When a penetration tester captures unencrypted credentials, FTP is a likely candidate because it does not encrypt the authentication process, making it vulnerable to packet sniffing attacks.

Exam trap

ISC2 often tests the distinction between protocols that use encryption (like HTTPS, SSH, SMTPS) and those that do not (like FTP, Telnet, HTTP), and the trap here is that candidates may confuse FTP with its secure variants (FTPS or SFTP) or assume all file transfer protocols are encrypted.

How to eliminate wrong answers

Option A is wrong because SMTPS (SMTP over SSL/TLS) encrypts the entire communication channel, preventing credentials from being transmitted in cleartext. Option B is wrong because SSH (Secure Shell) provides encrypted remote login and file transfer, ensuring credentials are never sent unencrypted. Option D is wrong because HTTPS (HTTP over SSL/TLS) encrypts HTTP traffic, including any form-based authentication, so credentials are protected from sniffing.

6. Drag & Drop · medium

Drag and drop the steps for the incident response process according to NIST into the correct order.


Why this order

NIST incident response lifecycle: Preparation, Detection and Analysis, Containment/Eradication/Recovery, Post-Incident Activity.

7. MCQ · medium

A company uses a proxy server for internet access. Employees can browse websites (HTTP/HTTPS), but they cannot connect to external FTP servers using FTP client software (e.g., FileZilla). The proxy is configured to allow HTTP and HTTPS only. The security team wants to allow FTP while maintaining security (e.g., logging and filtering). The FTP traffic is used for occasional file transfers with partners. Which of the following is the BEST solution to meet both requirements?

A. Install a separate FTP proxy in the DMZ and adjust firewall rules to allow FTP traffic to that proxy.
B. Use SSH tunneling to encapsulate FTP traffic over SSH to a jump server.
C. Configure the proxy to allow FTP traffic by adding FTP as an allowed protocol.
D. Enable FTP passive mode on the proxy.
Answer: A

An FTP proxy can inspect and log FTP traffic, and being in the DMZ adds security; firewall rules can restrict access.

Why this answer

Option A is correct because deploying a dedicated FTP proxy in the DMZ allows the security team to inspect, log, and filter FTP traffic while keeping the existing HTTP/HTTPS proxy unchanged. Firewall rules can be tightened to permit FTP only to that proxy, which then forwards connections to external FTP servers, maintaining a secure, auditable chokepoint without exposing internal clients directly to FTP.

Exam trap

ISC2 often tests the misconception that a standard HTTP/HTTPS proxy can be extended to handle FTP by simply enabling a setting, when in reality FTP requires a separate application-layer proxy due to its distinct control/data channel architecture and protocol semantics.

How to eliminate wrong answers

Option B is wrong because SSH tunneling encapsulates FTP traffic but does not provide native logging or filtering of FTP commands and data; it bypasses the proxy and creates an encrypted tunnel that the security team cannot inspect, defeating the requirement for logging and filtering. Option C is wrong because standard HTTP/HTTPS proxies cannot natively proxy the FTP protocol; they lack support for FTP command channels and data connections, and simply adding 'FTP as an allowed protocol' is not technically feasible without an FTP-specific proxy module or a separate FTP proxy. Option D is wrong because enabling FTP passive mode on the proxy does not solve the core issue; passive mode is a client-server setting that changes how data connections are established, but the proxy still cannot proxy FTP traffic unless it is specifically designed to handle the FTP protocol.

8. Multi-Select · medium

Which TWO technologies provide network segmentation? (Choose two.)

A. Firewalls
B. Hubs
C. Routers with ACLs
D. Switches
E. VLANs
Answers: C, E

Routers can segment networks based on IP addresses and ACLs.

Why this answer

Routers with ACLs (Access Control Lists) provide network segmentation by filtering traffic based on Layer 3 (IP addresses) and Layer 4 (port numbers) criteria, effectively dividing a network into separate security zones or subnets. VLANs (Virtual Local Area Networks) segment a network at Layer 2 by logically grouping devices into separate broadcast domains, even if they share the same physical switch. Both technologies isolate traffic to enforce security policies and reduce attack surfaces.

Exam trap

ISC2 often tests the misconception that switches inherently segment networks, but without VLANs, a standard switch creates a single broadcast domain; the trap is that candidates confuse switching (forwarding) with segmentation (isolation).

9. MCQ · hard

Refer to the exhibit. The network administrator configured NAT as shown. Internal hosts can access the internet, but no external hosts can access the company's web server (192.168.1.10). What is the issue?

A. The static NAT is being overridden by the dynamic NAT
B. The outside interface should be the inside interface
C. The web server is not in the access-list
D. The pool includes the static IP causing conflict
Answer: D

The pool range includes 200.100.50.1, which is already used by the static NAT, causing a conflict.

Why this answer

The correct answer is D because the dynamic NAT pool includes the IP address 192.168.1.10, which is also used for the static NAT mapping to the web server. When a packet arrives from the internet destined for the static NAT address, the router first checks dynamic NAT entries and may assign that address from the pool to an internal host, causing a conflict and preventing the static translation from being applied. This is a classic IP address overlap issue where the pool should exclude the static NAT address.

Exam trap

ISC2 often tests the misconception that static NAT always overrides dynamic NAT, but the trap here is that an overlapping pool address causes a conflict that prevents the static translation from being installed, not a priority issue.

How to eliminate wrong answers

Option A is wrong because static NAT entries have higher priority than dynamic NAT entries in Cisco IOS; the static mapping is not overridden by dynamic NAT unless there is an address conflict, which is the actual issue. Option B is wrong because the outside and inside interface designations are correct for NAT operation: the inside interface connects to the internal network (192.168.1.0/24) and the outside interface connects to the internet; swapping them would break internal host access. Option C is wrong because the access-list is used to match traffic for dynamic NAT translation, not for static NAT; static NAT does not require an access-list to permit the web server's traffic.

10. Multi-Select · hard

Which THREE of the following are characteristics of a stateful firewall? (Select exactly three.)

A. It can automatically allow return traffic for outbound connections
B. It maintains a state table of active connections
C. It inspects application-layer payloads
D. It filters packets based solely on source/destination IP and port
E. It makes filtering decisions based on the context of traffic flows
Answers: A, B, E

Stateful firewalls permit return traffic for established sessions.

Why this answer

A stateful firewall automatically allows return traffic for outbound connections because it tracks the state of each connection in a state table. When a packet from an internal host initiates an outbound TCP connection (e.g., SYN), the firewall creates an entry in the state table. When the corresponding return packet (e.g., SYN-ACK) arrives, the firewall checks the state table and permits it without needing an explicit inbound rule, as it recognizes the packet as part of an established session.

Exam trap

ISC2 often tests the distinction between stateful and stateless firewalls, and the trap here is that candidates confuse 'stateful' with 'application-layer inspection,' leading them to select option C, when in fact stateful firewalls only track session state at Layers 3 and 4, not the application payload.

11. Multi-Select · easy

An organization wants to protect against man-in-the-middle attacks on a switched network. Which TWO measures should be implemented? (Choose two.)

Answers: C, E

DHCP Snooping builds a binding table to prevent rogue DHCP servers.

Why this answer

C is correct because DHCP Snooping filters untrusted DHCP messages on access ports, preventing a rogue DHCP server from assigning malicious IP configurations that enable man-in-the-middle attacks. D is correct because Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP Snooping binding table, blocking spoofed ARP replies that would redirect traffic through an attacker.

Exam trap

ISC2 often tests the distinction between Layer 2 attack mitigation features, and the trap here is that candidates confuse BPDU guard or port security with ARP/DHCP protections, not realizing that MITM attacks specifically require validation of IP-to-MAC bindings.

12. MCQ · hard

A company uses a stateful firewall. A user reports that an application requiring multiple dynamic ports is not working. The firewall logs show that packets from the server are being dropped. What is the most likely cause?

A. The firewall is only allowing packets that match an established session, but the application's control channel is not being tracked correctly.
B. The firewall does not have a rule allowing inbound traffic for the application.
C. The firewall is not inspecting application-layer data.
D. The firewall's state table is full and cannot track new sessions.
Answer: A

The firewall may not associate the data channel with the control session if it does not inspect the application protocol.

Why this answer

A stateful firewall tracks sessions by monitoring the control channel. For applications like FTP that use dynamic ports, the firewall must inspect the control channel to dynamically open pinholes for data channels. If the control channel is not tracked correctly, the firewall will not recognize the data channel packets as part of an established session and will drop them, even if the initial control session was allowed.

Exam trap

ISC2 often tests the misconception that a stateful firewall automatically handles all dynamic port protocols, when in fact it requires proper ALG configuration to inspect control channel payloads for port negotiation.

How to eliminate wrong answers

Option B is wrong because if the firewall lacked a rule allowing inbound traffic for the application, the initial control channel packets would also be dropped, not just the data channel packets. Option C is wrong because while the firewall may not be inspecting application-layer data, the core issue is specifically about stateful tracking of the control channel; lack of application-layer inspection would affect other protocols like HTTP or SMTP, not the dynamic port negotiation. Option D is wrong because a full state table would prevent new sessions entirely, not selectively drop packets from an existing session's data channel.

13. MCQ · medium

A network administrator is configuring a wireless network for a small office. Security requirements include strong encryption and pre-shared key authentication. Which protocol should be used?

A. WPA2-PSK with AES
B. WPA3-Enterprise with 802.1X
C. Open with MAC address filtering
D. WEP with TKIP
Answer: A

WPA2-PSK with AES provides strong encryption together with pre-shared key authentication.

Why this answer

WPA2-PSK with AES is the correct choice because it provides strong encryption (AES-CCMP) and uses a pre-shared key for authentication, meeting the requirements for a small office without a RADIUS server. WPA2-PSK is widely supported and offers robust security against common attacks when a strong passphrase is used.

Exam trap

ISC2 often tests the distinction between PSK and Enterprise modes, where candidates mistakenly choose WPA3-Enterprise because it is newer, ignoring the explicit requirement for pre-shared key authentication.

How to eliminate wrong answers

Option B is wrong because WPA3-Enterprise with 802.1X requires a RADIUS server for authentication, which is unnecessary and overcomplicated for a small office using pre-shared key authentication. Option C is wrong because Open with MAC address filtering provides no encryption and can be easily bypassed by MAC spoofing, failing the strong encryption requirement. Option D is wrong because WEP with TKIP is deprecated and insecure—WEP uses RC4 encryption that can be cracked in minutes, and TKIP is a legacy protocol that does not meet strong encryption standards.

14. MCQ · easy

An organization has multiple network segments for accounting, HR, and engineering. They want to prevent unauthorized traffic between segments while allowing necessary communication. Which security control should be implemented?

A. VLAN segmentation with ACLs
B. Intrusion Detection System (IDS)
C. Proxy server
D. Honeypot
Answer: A

VLANs logically segment networks, and ACLs enforce traffic rules between them, achieving the desired control.

Why this answer

VLAN segmentation with ACLs is the correct choice because VLANs create separate broadcast domains at Layer 2, isolating traffic between network segments (accounting, HR, engineering). ACLs applied to the Layer 3 interface (SVI) or trunk ports then enforce granular rules to permit only necessary inter-VLAN communication, such as allowing HR to access a shared server while blocking all other cross-segment traffic.

Exam trap

ISC2 often tests the distinction between passive detection (IDS) and active prevention (firewall/ACL), so candidates mistakenly choose IDS thinking it blocks traffic, but it only alerts.

How to eliminate wrong answers

Option B (Intrusion Detection System) is wrong because an IDS is a passive monitoring tool that detects and alerts on malicious activity but does not actively block or prevent unauthorized traffic between segments. Option C (Proxy server) is wrong because a proxy operates at Layer 7 (application layer) to mediate client-server requests, not to enforce Layer 2/3 segmentation or access control between network segments. Option D (Honeypot) is wrong because a honeypot is a decoy system designed to attract and analyze attackers, not a control to prevent unauthorized inter-segment traffic.

15. MCQ · medium

A security administrator is concerned about MAC address spoofing on the network. Which technology can help mitigate this risk by associating a specific MAC address with a port?

A. Port security
B. Dynamic ARP inspection
C. DHCP snooping
D. VLAN hopping prevention
Answer: A

Port security limits the number of MAC addresses on a port and can associate specific MACs, preventing spoofing.

Why this answer

Port security is the correct answer because it directly mitigates MAC address spoofing by allowing an administrator to statically or dynamically associate a specific MAC address with a switch port. When a device with a different MAC address attempts to use that port, port security can either disable the port (errdisable) or drop the traffic, preventing unauthorized access. This is a Layer 2 security feature that enforces MAC-to-port binding.

Exam trap

ISC2 often tests the distinction between features that prevent MAC spoofing (port security) versus features that prevent ARP spoofing (DAI) or DHCP attacks (DHCP snooping), leading candidates to confuse the purpose of each technology.

How to eliminate wrong answers

Option B (Dynamic ARP inspection) is wrong because it validates ARP packets based on DHCP snooping bindings to prevent ARP spoofing, not MAC address spoofing on a port. Option C (DHCP snooping) is wrong because it filters DHCP messages to prevent rogue DHCP servers and builds a binding table, but it does not directly associate a MAC address with a specific switch port. Option D (VLAN hopping prevention) is wrong because it protects against attacks that allow a device to jump to a different VLAN (e.g., via DTP or double tagging), not against MAC address spoofing on a single port.

16. MCQ · easy

Refer to the exhibit. Based on the exhibit, why was the packet denied?

A. Source IP is internal
B. The packet was blocked by an outbound access list
C. Destination IP is external
D. The packet was blocked by an inbound access list
Answer: D

The message specifies 'due to access-group INTERNET_IN', which is applied inbound.

Why this answer

The exhibit shows an inbound access list applied to the interface, and the packet is denied because its source IP matches a deny entry in that inbound ACL. Inbound access lists filter traffic before it is processed by the router, so the packet is dropped upon arrival. The correct answer is D because the packet was blocked by an inbound access list, as indicated by the ACL configuration and the deny action.

Exam trap

ISC2 often tests the distinction between inbound and outbound ACLs, and the trap here is that candidates may confuse the direction of the ACL application (inbound vs. outbound) or assume that a packet is denied because of the source or destination IP alone, rather than focusing on the ACL rule that explicitly denies the traffic.

How to eliminate wrong answers

Option A is wrong because the source IP being internal is not a reason for denial; ACLs filter based on configured rules, not the mere fact that an IP is internal. Option B is wrong because the packet was blocked by an inbound access list, not an outbound one; outbound ACLs filter traffic leaving the interface, but the exhibit shows the ACL is applied inbound. Option C is wrong because the destination IP being external is irrelevant; ACLs can permit or deny traffic regardless of destination being internal or external, and the denial is due to the ACL rule, not the destination's location.

17. MCQ · medium

A company recently experienced a DoS attack targeting their web server. They want to implement a solution that can differentiate between legitimate traffic and attack traffic based on behavior patterns. Which technology should they deploy?

A. Web Application Firewall (WAF)
B. Load balancer
C. Intrusion Prevention System (IPS)
D. Stateful firewall
Answer: C

An IPS can perform deep packet inspection and behavioral analysis to detect and block DoS patterns inline.

Why this answer

An Intrusion Prevention System (IPS) is the correct choice because it can analyze traffic patterns and behavior in real time, using signature-based and anomaly-based detection to distinguish legitimate traffic from DoS attack traffic. Unlike a WAF, which focuses on application-layer threats like SQL injection, an IPS can inspect network and transport layers to identify volumetric or protocol-based DoS patterns and actively block malicious flows.

Exam trap

ISC2 often tests the distinction between a WAF and an IPS, where candidates mistakenly choose WAF because they associate all web server attacks with application-layer defenses, but DoS attacks often operate at lower layers where IPS behavior analysis is required.

How to eliminate wrong answers

Option A is wrong because a Web Application Firewall (WAF) is designed to protect against application-layer attacks (e.g., SQLi, XSS) and cannot effectively differentiate behavior patterns at the network or transport layer for DoS attacks. Option B is wrong because a load balancer distributes traffic across servers for availability and performance, but it lacks the deep packet inspection and behavioral analysis needed to identify and block DoS attack patterns. Option D is wrong because a stateful firewall tracks connection states and enforces rules based on IP/port/protocol, but it does not perform behavioral or anomaly-based analysis to distinguish legitimate traffic from DoS traffic.

18. MCQ · hard

Refer to the exhibit. An IDS generates this alert for traffic from an internal server (10.1.1.50) to an external IP on port 443. The security team investigates and finds that the server is a web application that normally uses TLS 1.2. What does this alert most likely indicate?

A. An attacker is performing an SSL stripping attack, downgrading the connection to SSLv3
B. The server is experiencing a buffer overflow attack
C. The server's certificate has expired and the client is falling back to SSLv3
D. The server has been misconfigured to use SSLv3 instead of TLS
Answer: A

The alert signature suggests SSL stripping, and the use of SSLv3 is a red flag.

Why this answer

The alert indicates a downgrade from TLS 1.2 to SSLv3, which is the hallmark of an SSL stripping attack. In this attack, an adversary intercepts the client's TLS handshake request and forces the connection to use the weaker SSLv3 protocol, often by manipulating the ClientHello message to remove TLS options. This allows the attacker to exploit known vulnerabilities in SSLv3, such as POODLE, to decrypt or hijack the session.

Exam trap

ISC2 often tests the distinction between a server-side misconfiguration (which would cause consistent use of SSLv3) and an active downgrade attack (which shows a change from TLS to SSLv3), tricking candidates into choosing the misconfiguration answer when the evidence points to an attack.

How to eliminate wrong answers

Option B is wrong because a buffer overflow attack typically involves sending malformed data to exploit memory corruption, not a protocol version downgrade, and would not generate an alert specifically about SSLv3 usage. Option C is wrong because certificate expiration causes browser warnings or handshake failures, not a fallback to SSLv3; modern clients do not automatically downgrade to SSLv3 due to expired certificates. Option D is wrong because if the server were misconfigured to use SSLv3, it would consistently use that protocol, not suddenly switch from TLS 1.2 to SSLv3, and the alert would not indicate a downgrade event.

19. MCQ · hard

A security engineer is reviewing logs and notices that an internal server is receiving excessive SYN packets from an external IP, but never completing the three-way handshake. What type of attack is likely occurring?

A. Smurf attack
B. Ping of death
C. ARP poisoning
D. SYN flood
Answer: D

SYN flood sends many SYN packets, leaving half-open connections.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets to a target server without completing the handshake (i.e., not sending the final ACK). This exhausts the server's connection table resources, preventing legitimate connections. The log evidence—excessive SYN packets from an external IP with no handshake completion—is the classic signature of a SYN flood.

Exam trap

ISC2 often tests the distinction between attacks that use ICMP (Smurf, Ping of death) versus TCP (SYN flood), so candidates may confuse the protocol layer or misremember that a Smurf attack involves SYN packets instead of ICMP echo requests.

How to eliminate wrong answers

Option A is wrong because a Smurf attack uses ICMP echo requests (pings) sent to a network's broadcast address with a spoofed source IP, causing all hosts to reply to the victim, overwhelming it with ICMP traffic—not TCP SYN packets. Option B is wrong because a Ping of death involves sending a malformed ICMP packet larger than the maximum allowed size (65535 bytes) to cause a buffer overflow or crash, not excessive SYN packets. Option C is wrong because ARP poisoning is a local network attack that manipulates ARP tables to intercept traffic between hosts on the same subnet; it does not involve external IPs sending TCP SYN packets.

20. MCQ · easy

Refer to the exhibit. A network administrator configured the above on a switch port. After connecting a single workstation, the port goes into err-disabled state within minutes. What is the most likely cause?

A. The workstation is sending traffic with multiple source MAC addresses.
B. The port-security maximum is set to 2, so it should allow up to 2 MACs; the issue is elsewhere.
C. Sticky MAC learning is disabled.
D. The violation mode should be 'restrict' instead of 'shutdown'.
Answer: A

Exceeding the maximum MAC count triggers violation shutdown.

Why this answer

The port-security configuration with a maximum MAC address count of 2 and violation mode 'shutdown' causes the port to err-disable when a single workstation sends traffic with multiple source MAC addresses. This is a classic symptom of a device (e.g., a virtual machine host or a switch behind the port) generating frames from different MACs, exceeding the allowed limit and triggering the violation.

Exam trap

ISC2 often tests the misconception that the maximum MAC count is the only factor, when in reality a single device can generate multiple MAC addresses (e.g., via virtualization or bridging), causing a violation even with a seemingly generous limit like 2.

How to eliminate wrong answers

Option B is wrong because the port-security maximum is set to 2, which should allow up to 2 MAC addresses, but the issue is that a single workstation is generating more than 2 MACs, so the maximum is not the problem—the violation occurs due to exceeding the limit. Option C is wrong because sticky MAC learning is not required for port-security to function; it only dynamically learns and remembers MAC addresses, but its absence does not cause err-disable—the violation mode and maximum count are the active controls. Option D is wrong because changing the violation mode to 'restrict' would not prevent the err-disable state; 'restrict' only drops offending traffic and increments a counter, while 'shutdown' err-disables the port, but the root cause is the multiple MAC addresses, not the violation mode.

21
Multi-Select · easy

A network security team is implementing a defense-in-depth strategy. Which TWO of the following controls are examples of network segmentation? (Choose two.)

A. Implementing firewall rules between internal zones.
B. Deploying an intrusion detection system (IDS) on the core switch.
C. Configuring VLANs to separate departmental traffic.
D. Placing public-facing servers in a DMZ.
E. Using VPN for remote access.
Answers: A, C

Firewalls enforce segmentation by controlling traffic between zones.

Why this answer

Option A is correct because implementing firewall rules between internal zones is a form of network segmentation. By creating distinct security zones (e.g., inside, outside, DMZ) and applying access control lists (ACLs) or stateful firewall policies between them, traffic is restricted to only what is explicitly permitted, thereby isolating network segments and limiting lateral movement.

Exam trap

ISC2 often tests the distinction between segmentation (which actively isolates traffic) and other security controls like monitoring (IDS), placement (DMZ), or encryption (VPN), leading candidates to confuse architectural placement or tunneling with the actual act of segmenting the network.

22
MCQ · medium

An organization has implemented a network-based intrusion prevention system (IPS) in inline mode. After deployment, users report that legitimate web traffic is being blocked. What is the most likely cause?

A. The IPS is not receiving traffic due to a tap failure.
B. The IPS is placed behind the firewall instead of in front.
C. The IPS is configured in promiscuous mode.
D. The IPS signature set is too aggressive or includes false positives.
Answer: D

Aggressive signatures can flag legitimate traffic as malicious, causing blocks.

Why this answer

An inline IPS actively inspects and can block traffic based on its signature database. If the signature set is too aggressive or contains false positives, legitimate traffic matching those signatures will be incorrectly blocked. This is the most direct cause of blocking legitimate web traffic after deployment.

Exam trap

ISC2 often tests the distinction between inline and promiscuous modes, where candidates mistakenly think promiscuous mode can block traffic, but only inline mode allows active blocking.

How to eliminate wrong answers

Option A is wrong because a tap failure would cause the IPS to not receive traffic at all, resulting in no blocking (legitimate or otherwise), not the selective blocking of legitimate web traffic. Option B is wrong because placing the IPS behind the firewall does not inherently cause false positives; it affects traffic flow and security posture, but the blocking of legitimate traffic is a signature issue, not a placement issue. Option C is wrong because promiscuous mode means the IPS monitors traffic passively without being inline, so it cannot block traffic at all; blocking requires inline mode.

23
MCQ · hard

A company's network uses a perimeter firewall and an internal firewall. The DMZ sits between them. A new application server needs to be accessible from the internet on TCP port 8443 and must be able to make outbound HTTPS connections to an external license server. Which firewall rules should be implemented? (Assume default deny)

A. Allow inbound from internet to server on 8443; allow outbound from server to internet on 443; allow inbound from internet to server on 443 for license server response
B. Allow inbound from internet to server on 8443; allow outbound from server to internet on 443 with stateful inspection
C. Allow inbound from internet to server on 8443; allow outbound from server to internet on 443
D. Allow inbound from internet to server on 8443 and 443; allow outbound from server to internet on any
Answer: B

Stateful inspection automatically allows return traffic for the outbound connection.

Why this answer

Option B is correct because it allows inbound traffic on TCP 8443 to the server and outbound traffic on TCP 443 from the server to the internet. Stateful inspection automatically tracks the outbound HTTPS connection and permits the return traffic (the license server's response) without needing an explicit inbound rule. This matches the requirement while maintaining a default-deny posture.

Exam trap

ISC2 often tests the misconception that return traffic for outbound connections requires an explicit inbound allow rule, when in fact stateful inspection automatically permits the reply packets.

How to eliminate wrong answers

Option A is wrong because it adds an unnecessary explicit inbound rule for TCP 443 from the internet to the server for license server responses; stateful inspection handles return traffic automatically, and this rule would expose the server to unsolicited inbound connections on 443. Option C is wrong because it lacks stateful inspection; without stateful tracking, the firewall would drop the return packets from the license server, breaking the outbound HTTPS connection. Option D is wrong because it opens inbound ports 8443 and 443 (unnecessarily exposing the server) and allows outbound traffic on any port, violating the principle of least privilege and default-deny.

24
MCQ · easy

A network engineer is configuring a firewall rule to allow inbound HTTPS traffic to a web server. Which port must be opened?

A. 3389
B. 22
C. 80
D. 443
Answer: D

Port 443 is the standard port for HTTPS traffic.

Why this answer

HTTPS (HTTP Secure) uses TLS/SSL encryption over TCP port 443 by default. To allow inbound HTTPS traffic to a web server, the firewall rule must permit TCP destination port 443. Port 80 is used for unencrypted HTTP, not HTTPS.

Exam trap

ISC2 often tests the distinction between HTTP (port 80) and HTTPS (port 443), and the trap here is that candidates confuse the two or assume HTTPS uses port 80 because both are web protocols.

How to eliminate wrong answers

Option A is wrong because port 3389 is used by Remote Desktop Protocol (RDP) for remote desktop access, not for web traffic. Option B is wrong because port 22 is used by SSH for secure remote administration, not for HTTPS. Option C is wrong because port 80 is used for HTTP (unencrypted web traffic), not HTTPS; HTTPS requires TLS encryption on port 443.

25
MCQ · medium

A small company with 50 employees uses a flat network with no VLANs. They recently experienced a ransomware attack that spread from an infected workstation to a file server. The IT manager wants to implement network segmentation to prevent future lateral movement. The company uses a single /24 subnet (192.168.1.0/24) with a single switch and a router/firewall. They have three departments: Sales, HR, and IT. Each department has about 15-20 computers. The file server is in the IT department. The company has a limited budget and cannot purchase new hardware. Which of the following is the MOST effective and practical approach to segment the network given these constraints?

A. Replace the switch with three separate physical switches, each connected to a separate router interface.
B. Create three VLANs on the switch, one for each department, and configure ACLs on the router to allow only necessary inter-VLAN traffic.
C. Implement MAC address filtering on the switch to only allow authorized devices to communicate with the file server.
D. Install a software firewall on each workstation to block traffic from other subnets.
Answer: B

VLANs logically separate traffic, and ACLs enforce policy; uses existing hardware if the switch supports VLANs (most do).

Why this answer

Creating three VLANs on the existing switch segments the flat /24 network into separate broadcast domains, preventing lateral movement by default. Configuring ACLs on the router allows only necessary inter-VLAN traffic (e.g., Sales and HR can access the file server in IT), which stops the ransomware from spreading across departments without requiring new hardware.

Exam trap

ISC2 often tests the misconception that physical separation (Option A) is always required for segmentation, when in fact VLANs provide logical separation at no extra cost, and that MAC filtering (Option C) or host-based firewalls (Option D) can substitute for network-level segmentation, which they cannot because they fail to isolate broadcast domains or prevent Layer 2 attacks.

How to eliminate wrong answers

Option A is wrong because replacing the switch with three separate physical switches violates the budget constraint (no new hardware) and would require additional router interfaces or subinterfaces, which is more expensive and less practical than using VLANs. Option C is wrong because MAC address filtering only controls which devices can communicate with the file server at Layer 2, but it does not segment the network; all devices remain in the same broadcast domain, so ransomware can still spread laterally via ARP spoofing or broadcast-based attacks. Option D is wrong because installing a software firewall on each workstation is impractical to manage across 50 machines, does not prevent Layer 2 lateral movement within the same subnet, and adds no segmentation at the network level—traffic between departments still traverses the flat network without restriction.

26
MCQ · easy

A network administrator notices unusual traffic from an internal workstation to an external IP address on port 443. The workstation has no business reason for such communication. Which action should the administrator take first?

A. Disable the workstation's network port.
B. Block all outbound traffic from that workstation immediately.
C. Investigate the workstation for possible malware.
D. Configure a firewall rule to allow the traffic and log it.
Answer: C

Investigating helps determine if the traffic is malicious or a false positive.

Why this answer

Option C is correct because the first priority when encountering unexpected outbound traffic to an external IP on port 443 (HTTPS) is to investigate the workstation for possible malware. This traffic could indicate a command-and-control (C2) beacon or data exfiltration, and immediate investigation allows the administrator to gather forensic evidence before taking disruptive actions. Disabling the port or blocking traffic without investigation could destroy evidence or alert an attacker, while allowing the traffic would be negligent.

Exam trap

ISC2 often tests the principle of 'investigate before acting' to avoid destroying evidence, and the trap here is that candidates may choose a reactive security measure (like blocking or disabling) instead of following proper incident response procedures.

How to eliminate wrong answers

Option A is wrong because disabling the network port immediately may destroy volatile evidence (e.g., active network connections, running processes) and could alert an attacker if malware is present, preventing further forensic analysis. Option B is wrong because blocking all outbound traffic without investigation is overly disruptive and may also destroy evidence; a more targeted approach (e.g., using ACLs to log but not block) is preferred initially. Option D is wrong because configuring a firewall rule to allow the traffic and log it would permit potentially malicious communication to continue, increasing risk of data exfiltration or further compromise, and is not a secure first step.

27
Multi-Select · medium

Which three of the following are best practices for securing a network switch? (Choose three.)

A. Enable Telnet for remote management.
B. Disable unused ports.
C. Use VLANs to segment traffic.
D. Enable STP protection features like BPDU guard.
E. Set all ports to trunk mode by default.
Answers: B, C, D

Reduces attack surface.

Why this answer

Disabling unused ports on a network switch prevents unauthorized physical access and eliminates the risk of an attacker connecting to an open port to launch attacks such as ARP spoofing or DHCP starvation. This is a fundamental security best practice that reduces the attack surface by ensuring that only necessary ports are active and can be administratively controlled.

Exam trap

ISC2 often tests the misconception that Telnet is acceptable for management if a password is set, but the exam expects you to recognize that Telnet lacks encryption and is therefore never a best practice for securing a switch.

28
Multi-Select · medium

Which TWO of the following are best practices for securing a wireless network? (Select exactly two.)

A. Use WEP encryption for compatibility
B. Disable SSID broadcast
C. Implement MAC address filtering
D. Disable DHCP and use static IP addressing
E. Enable WPA3 encryption
Answers: C, E

MAC filtering can restrict which devices can connect, though it can be spoofed.

Why this answer

Option C is correct because MAC address filtering restricts network access to devices with pre-approved MAC addresses, adding a layer of access control. While not foolproof (MACs can be spoofed), it is a recognized best practice for reducing the attack surface in small or home networks.

Exam trap

ISC2 often tests the misconception that hiding the SSID or using static IPs are effective security measures, when in fact they are easily bypassed and do not protect against modern wireless attacks.

29
MCQ · easy

A network administrator needs to provide secure remote access to internal resources for employees working from home. The solution must encrypt all traffic and authenticate users before granting access. Which protocol should be used?

A. SSH
C. SSL/TLS VPN
D. SNMPv3
Answer: C

SSL/TLS VPN provides encrypted remote access with user authentication, suitable for this requirement.

Why this answer

C is correct because SSL/TLS VPNs (e.g., Cisco AnyConnect) provide encrypted tunnels over HTTPS (port 443) and support user authentication via certificates, RADIUS, or LDAP. This allows secure remote access to internal resources without requiring a persistent IPsec tunnel, making it ideal for home workers with dynamic IPs.

Exam trap

ISC2 often tests the distinction between site-to-site IPsec (which is network-layer and device-oriented) and remote-access SSL/TLS VPNs (which are user-oriented and firewall-friendly), leading candidates to pick IPsec for any 'secure remote access' scenario.

How to eliminate wrong answers

Option A is wrong because SSH provides encrypted remote shell access but is not designed to tunnel all traffic or authenticate users for broad internal resource access; it typically requires a separate VPN solution for full network-layer encryption. Option B is wrong because IPsec VPNs require client software and often complex configuration (e.g., IKEv1/IKEv2, pre-shared keys), and while they encrypt traffic, they are less flexible for user-based authentication over HTTPS and can be blocked by firewalls. Option D is wrong because SNMPv3 provides encrypted management of network devices (using AES/SHA) but is not a remote access protocol; it is used for monitoring, not for user authentication or tunneling traffic to internal resources.

30
MCQ · hard

During a penetration test, an analyst discovers that a company's internal network has a switch configured with port security that allows only one MAC address per port. However, the analyst is able to plug a rogue device into a wall jack and successfully gain network access. What is the most likely weakness in this configuration?

A. The administrator configured 'port-security maximum 1' but forgot to enable 'port-security' globally.
B. The switchport security violation mode is set to 'shutdown' instead of 'restrict'.
C. The switchport uses sticky MAC learning, and the attacker used a MAC spoofing attack to mimic an authorized device.
D. The switchport is configured as an access port but the rogue device is using a VLAN trunk.
Answer: C

Sticky MAC learns the first MAC; spoofing that MAC allows access.

Why this answer

Option C is correct because port security with sticky MAC learning records the first MAC address seen on a port and then restricts access to that address only. However, if an attacker spoofs the MAC address of an already-authorized device, the switch sees the spoofed MAC as valid and permits access, bypassing the one-MAC-per-port restriction. This is a common bypass when sticky MAC is used without additional protections like 802.1X or MAC authentication bypass (MAB).

Exam trap

ISC2 often tests the misconception that 'port-security maximum 1' alone prevents any unauthorized device, but the trap here is that sticky MAC learning does not prevent MAC spoofing—it only restricts the number of unique MACs, not the identity of the device using that MAC.

How to eliminate wrong answers

Option A is wrong because 'port-security maximum 1' is a per-interface command; port security does not require a global 'enable' command—it is enabled per interface with 'switchport port-security'. Option B is wrong because changing the violation mode from 'shutdown' to 'restrict' would still drop or log violations but not prevent the initial spoofing attack—the issue is that the spoofed MAC is not considered a violation at all. Option D is wrong because configuring the port as an access port with a rogue device using a VLAN trunk would cause a mismatch (native VLAN or DTP negotiation), but the question states the attacker gains access, implying successful communication; trunking does not bypass MAC address filtering.

31
Drag & Drop · medium

Drag and drop the steps to recover a system from a verified backup after a ransomware attack into the correct order.

Why this order

Recovery requires isolation, backup verification, wiping, restoration, and scanning.

32
MCQ · hard

A security analyst reviews firewall logs and notices a large number of outbound connections from a single internal IP to a known malicious IP on port 445. The analyst quarantines the workstation and runs an antivirus scan, which finds no malware. What should the analyst do next?

A. Conclude that the scan is clean and remove the quarantine.
B. Reimage the workstation immediately.
C. Block all outbound traffic on port 445 from the internal network.
D. Analyze network traffic to identify the process responsible for the connections.
Answer: D

Further investigation helps identify the root cause.

Why this answer

Option D is correct because the absence of malware detection does not rule out malicious activity; the connections could be caused by a legitimate process that has been abused (e.g., a vulnerable service or script) or by fileless malware that evades signature-based scans. Analyzing network traffic with tools like Wireshark or NetFlow can identify the source process (e.g., via Windows Event Logs or Sysmon), the exact data being sent, and whether the traffic is encrypted or uses SMB protocol specifics on port 445. This forensic step is essential before taking irreversible actions like reimaging or broad blocking.

Exam trap

ISC2 often tests the misconception that a clean antivirus scan means the system is secure, when in reality, fileless malware or living-off-the-land binaries (LOLBins) can evade traditional scans and require network-level forensics to detect.

How to eliminate wrong answers

Option A is wrong because a clean antivirus scan does not guarantee the system is safe—fileless malware, PowerShell-based attacks, or legitimate tools (e.g., PsExec) can generate malicious outbound connections without leaving traditional malware files. Option B is wrong because reimaging destroys forensic evidence and may be premature without understanding the root cause; the analyst should first confirm the process and data exfiltration to determine if containment or remediation is needed. Option C is wrong because blocking all outbound traffic on port 445 from the internal network could disrupt legitimate SMB-based services (e.g., file sharing, printer access) and does not address the specific compromised host; a more targeted block (e.g., only to the malicious IP) or process-level restriction is appropriate.

33
MCQ · easy

A network administrator is troubleshooting a connectivity issue between two segments separated by a firewall. The firewall rule allows traffic from 10.1.1.0/24 to 10.2.2.0/24 on TCP 443. Users in 10.1.1.0/24 can access the web server at 10.2.2.10, but users in 10.2.2.0/24 cannot access a web server in 10.1.1.0/24. What is the most likely cause?

A. The web server in 10.1.1.0 is blocking the IP range of 10.2.2.0/24.
B. The firewall rule is incorrectly applied to the wrong interface.
C. The subnet masks are misconfigured, causing routing issues.
D. The firewall is not stateful and does not automatically allow return traffic; a separate rule is needed.
Answer: D

Without stateful inspection, each direction requires an explicit rule. The existing rule only covers one direction.

Why this answer

The firewall rule only permits traffic from 10.1.1.0/24 to 10.2.2.0/24 on TCP 443. When users in 10.2.2.0/24 initiate a connection to the web server in 10.1.1.0/24, the firewall sees a new session that does not match the existing rule (source/destination reversed). If the firewall is not stateful, it will not automatically allow the return traffic for the reverse direction, and no separate rule exists to permit that traffic, causing the connectivity failure.

Exam trap

ISC2 often tests the misconception that a single firewall rule allowing traffic in one direction automatically permits the return traffic, but in stateless firewalls or when stateful inspection is disabled, you must explicitly create a rule for the reverse direction.

How to eliminate wrong answers

Option A is wrong because the web server in 10.1.1.0/24 is not blocking the IP range; the issue is at the firewall, not the server's access control. Option B is wrong because the rule is correctly applied to allow traffic from 10.1.1.0/24 to 10.2.2.0/24, and the problem is the missing rule for the reverse direction, not an interface misapplication. Option C is wrong because subnet mask misconfiguration would cause routing issues for both directions, but users in 10.1.1.0/24 can reach 10.2.2.10 successfully, indicating routing is working; the issue is specifically the lack of a firewall rule for the reverse traffic.
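Added example (not code from the question bank) that models the rule-evaluation logic behind questions 23 and 33: a stateless filter judges every packet against the rule list, while a stateful one records permitted sessions and lets their replies through, yet still denies a new session in the other direction until a rule for it exists. Networks and ports are the ones the two questions use; the public addresses for the DMZ server and license server are constructed.

```python
"""Stateless versus stateful handling of one-direction firewall rules.

Added example for this page, not code from the question bank. Rules,
networks and ports follow questions 23 and 33; the public addresses of
the DMZ server and the license server are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a new TCP session


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    dport: int  # destination port the rule permits

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and pkt.dport == self.dport)


class StatelessFirewall:
    """Judges every packet against the rule list alone (default deny)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        return "permit" if any(r.matches(pkt) for r in self.rules) else "deny"


class StatefulFirewall(StatelessFirewall):
    """Consults the rules only for new sessions; replies ride on the state table."""

    def __init__(self, rules):
        super().__init__(rules)
        self.sessions = set()  # (initiator, initiator_port, responder, responder_port)

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.sessions or reverse in self.sessions:
            return "permit"  # belongs to an established, already-permitted session
        if pkt.syn and super().decide(pkt) == "permit":
            self.sessions.add(forward)  # remember it so the replies match later
            return "permit"
        return "deny"  # new session with no matching rule, or a stray non-SYN


def question_33_scenario() -> dict:
    """One rule, 10.1.1.0/24 -> 10.2.2.0/24 on TCP 443, on both firewall types."""
    rule = Rule("10.1.1.0/24", "10.2.2.0/24", 443)
    client_syn = Packet("10.1.1.5", "10.2.2.10", 51000, 443, syn=True)
    server_reply = Packet("10.2.2.10", "10.1.1.5", 443, 51000)
    reverse_syn = Packet("10.2.2.20", "10.1.1.10", 52000, 443, syn=True)
    results = {}
    for name, fw in (("stateless", StatelessFirewall([rule])),
                     ("stateful", StatefulFirewall([rule]))):
        results[name] = {
            "client_syn": fw.decide(client_syn),
            "server_reply": fw.decide(server_reply),
            "reverse_session": fw.decide(reverse_syn),
        }
    # The fix the question points to: a second rule for the other direction.
    fixed = StatefulFirewall([rule, Rule("10.2.2.0/24", "10.1.1.0/24", 443)])
    results["stateful_with_reverse_rule"] = {
        "reverse_session": fixed.decide(reverse_syn)}
    return results


def question_23_scenario() -> dict:
    """DMZ server: inbound 8443 and outbound 443 permitted, everything else denied."""
    server, license_srv = "203.0.113.10", "198.51.100.20"  # constructed addresses
    fw = StatefulFirewall([Rule("0.0.0.0/0", server + "/32", 8443),
                           Rule(server + "/32", "0.0.0.0/0", 443)])
    return {
        "inbound_8443": fw.decide(Packet("192.0.2.7", server, 40000, 8443, syn=True)),
        "outbound_443": fw.decide(Packet(server, license_srv, 45000, 443, syn=True)),
        # The license server's reply is permitted by state, not by an inbound rule.
        "license_reply": fw.decide(Packet(license_srv, server, 443, 45000)),
        # Option A's extra inbound 443 rule is unnecessary: an unsolicited SYN stays denied.
        "unsolicited_443": fw.decide(Packet("192.0.2.9", server, 40001, 443, syn=True)),
    }
```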

34
Multi-Select · hard

Which THREE security mechanisms should be implemented to secure a network against ARP spoofing attacks? (Choose three.)

A. IP Source Guard
D. MAC address filtering
Answers: A, C, E

Prevents IP spoofing by filtering traffic based on DHCP snooping bindings.

Why this answer

IP Source Guard (A) is correct because it uses DHCP snooping binding table entries to filter traffic on a per-port basis, dropping packets where the source IP address does not match the binding. This prevents an attacker from spoofing a legitimate host's IP address in ARP spoofing attacks by ensuring only valid IP-to-MAC mappings are allowed on the port.

Exam trap

ISC2 often tests the misconception that port security or MAC filtering can prevent ARP spoofing, but these only control MAC addresses, not the IP-to-MAC bindings that ARP spoofing exploits.

35
MCQ · hard

A medium-sized enterprise uses a Cisco ASA firewall configured with multiple security zones (Inside, Outside, DMZ). The DMZ hosts a web server that must be accessible from the Internet on TCP 443. The Inside network (10.0.0.0/24) hosts internal clients. The web server has IP 172.16.0.10. The firewall's current rules: allow any from Outside to DMZ on TCP 443; allow any from Inside to Outside; deny all else. Recently, the security team noticed that an attacker compromised the web server and used it to launch an attack against an internal database server at 10.0.0.50. The attack was successful because the firewall allowed traffic from the DMZ to the Inside. The firewall's default behavior is to deny traffic from lower security zones to higher security zones (DMZ is lower than Inside). What is the MOST likely reason this traffic was allowed?

A. The firewall has an explicit permit rule for traffic from DMZ to Inside on any destination.
B. The firewall was configured in transparent mode, allowing all traffic.
C. The attacker used a VPN connection that bypassed the firewall.
D. The firewall's default behavior permits traffic from lower security level to higher if the connection is initiated from the higher level.
Answer: A

An explicit rule would override the default deny and allow the attack traffic.

Why this answer

The correct answer is A because the firewall's default behavior is to deny traffic from a lower security zone (DMZ) to a higher security zone (Inside). For the attack to succeed, an explicit permit rule must have been configured to allow traffic from DMZ to Inside. The existing rules only permit Outside to DMZ on TCP 443 and Inside to Outside; without an explicit DMZ-to-Inside rule, the default deny would have blocked the attack.

Thus, the most likely reason is that an administrator inadvertently or intentionally added such a permit rule.

Exam trap

ISC2 often tests the misconception that the ASA's default behavior allows traffic from lower to higher security levels if the connection is initiated from the higher level, but in reality, the ASA only permits return traffic for established connections; new connections from lower to higher are always denied by default.

How to eliminate wrong answers

Option B is wrong because transparent mode (Layer 2) forwards traffic based on MAC addresses and does not inherently allow all traffic; it still applies access control lists (ACLs) and security policies, so it would not bypass the zone-based security. Option C is wrong because a VPN connection would terminate on the firewall or a dedicated VPN concentrator, and traffic from the VPN would be subject to the same security zone policies; it would not bypass the firewall's rules unless explicitly permitted. Option D is wrong because the firewall's default behavior is to deny traffic from lower to higher security levels regardless of connection initiation; stateful inspection tracks connections, but a new connection from DMZ to Inside is still denied by default unless an explicit rule exists.

36
Matching · medium

Match each risk management term to its meaning.

Weakness in a system

Potential cause of harm

Likelihood and impact of a threat exploiting a vulnerability

Control to mitigate risk

Why these pairings

These are fundamental risk management definitions.

37
MCQ · easy

Which of the following is a primary benefit of implementing network segmentation?

A. Reduced attack surface
B. Eliminates the need for firewalls
C. Increased bandwidth
D. Simplified IP address management
Answer: A

Limits scope of attacks.

Why this answer

Network segmentation divides a network into smaller, isolated segments, which limits an attacker's ability to move laterally after compromising a single host. By restricting traffic between segments using VLANs, ACLs, or firewall rules, the attack surface is reduced because fewer systems are exposed to potential threats. This is a primary security benefit, as it contains breaches and minimizes the impact of malware or unauthorized access.

Exam trap

ISC2 often tests the misconception that segmentation eliminates the need for firewalls, but in reality, segmentation and firewalls are complementary—firewalls enforce the segmentation policy, and segmentation reduces the attack surface by limiting exposure.

How to eliminate wrong answers

Option B is wrong because network segmentation does not eliminate the need for firewalls; instead, it often relies on firewalls (or ACLs on routers/L3 switches) to enforce segmentation policies and filter traffic between segments. Option C is wrong because segmentation does not increase bandwidth; it can actually introduce overhead from inter-segment routing and may require careful design to avoid bottlenecks. Option D is wrong because segmentation often complicates IP address management by requiring separate subnets or VLANs, not simplifying it.

38
MCQ · hard

A security auditor discovers that during a VLAN hopping attack, a threat actor was able to send frames from a workstation on VLAN 10 to a target on VLAN 20. Which configuration flaw is most likely responsible?

A. Dynamic Trunking Protocol (DTP) is enabled on access ports
B. The trunk port is set to native VLAN 1
C. The switch is using default VLAN 1 for management
D. Port security is not configured
Answer: A

DTP allows an attacker to negotiate a trunk and access other VLANs.

Why this answer

Option A is correct because a VLAN hopping attack exploits the Dynamic Trunking Protocol (DTP) to negotiate a trunk link between the attacker's workstation and the switch. If DTP is enabled on an access port, the attacker can send DTP frames to form a trunk, allowing frames from VLAN 10 to be tagged and forwarded to VLAN 20. Disabling DTP on all access ports with the 'switchport nonegotiate' command prevents this attack.

Exam trap

ISC2 often tests the distinction between VLAN hopping via DTP (trunk negotiation) and double-tagging attacks (native VLAN manipulation), so candidates may confuse the two and incorrectly choose the native VLAN option.

How to eliminate wrong answers

Option B is wrong because setting the native VLAN to 1 is a default configuration, but it does not directly enable VLAN hopping; native VLAN attacks (e.g., double-tagging) require the attacker to be on the native VLAN and the trunk to forward untagged frames, which is a different attack vector. Option C is wrong because using default VLAN 1 for management is a security best practice violation (it should be changed to a dedicated VLAN), but it does not allow a workstation to send frames across VLANs; management VLAN misconfiguration does not enable trunk negotiation. Option D is wrong because port security limits MAC addresses on a port but does not prevent DTP-based trunk negotiation; VLAN hopping can occur even with port security enabled if DTP is active.

39
MCQ · medium

A security engineer is designing a DMZ for a web server that must be accessible from the internet. The web server needs to query an internal database server. Which network security approach best limits exposure?

A. Use a single firewall with rules that allow all traffic from the internet to the internal network.
B. Place both servers in the same subnet with a firewall allowing all traffic.
C. Place the database server in the DMZ with the web server.
D. Place the web server in the DMZ and the database server in the internal network, with a firewall allowing only specific traffic from the web server to the database.
Answer: D

This provides proper segmentation and least privilege.

Why this answer

Option D is correct because it implements a true DMZ architecture: the web server resides in the DMZ (a semi-trusted zone) while the database server remains in the internal network, protected by a firewall that permits only specific traffic (e.g., TCP/3306 for MySQL or TCP/1433 for MSSQL) from the web server. This minimizes the attack surface by ensuring that even if the web server is compromised, the database server is not directly reachable from the internet, and the firewall enforces strict stateful inspection and access control.

Exam trap

ISC2 often tests the misconception that placing both servers in the DMZ simplifies security, but the trap is that the database server should never be in the DMZ because it contains sensitive data and must be isolated behind an additional firewall layer to enforce defense in depth.

How to eliminate wrong answers

Option A is wrong because allowing all traffic from the internet to the internal network bypasses any security boundary, exposing the entire internal network to direct attack and violating the principle of least privilege. Option B is wrong because placing both servers in the same subnet with a firewall allowing all traffic eliminates network segmentation; if the web server is compromised, the database server is on the same broadcast domain and can be attacked laterally without any firewall restriction. Option C is wrong because placing the database server in the DMZ with the web server exposes the database to the internet (even if indirectly), as the DMZ is a less trusted zone; an attacker who compromises the web server can then directly access the database without traversing an additional firewall layer.

40
MCQeasy

A security analyst notices that an internal web server is receiving a high volume of TCP SYN packets from a single external IP address, but the server is not sending SYN-ACK replies. The server's CPU and memory usage are normal. What is the most likely cause?

A.A firewall rule is blocking inbound SYN-ACK packets
B.The server is under a SYN flood attack, filling the connection queue
C.The server's TCP/IP stack has crashed
D.The server is experiencing a distributed denial-of-service (DDoS) attack
AnswerB

SYN flood attacks fill the server's half-open connection queue, preventing it from sending SYN-ACKs.

Why this answer

The correct answer is B because a SYN flood sends a high volume of TCP SYN packets to a listening port so that the half-open connection queue (the listen backlog) fills with entries waiting for a final ACK that never arrives. Once the backlog is full the kernel drops further SYNs and stops answering them with SYN-ACKs, so new clients cannot complete the three-way handshake even though CPU and memory look normal; the exhausted resource is the queue, not the host. One caveat for the practitioner: a Linux server with net.ipv4.tcp_syncookies=1 keeps replying with SYN-ACKs after the backlog fills, so a complete absence of SYN-ACKs suggests cookies are disabled; `ss -ant state syn-recv` lists the half-open entries and `netstat -s` shows the count of SYNs dropped on listening sockets.

Exam trap

ISC2 often tests the distinction between a SYN flood (which fills the connection queue) and a DDoS (which involves multiple sources), so candidates mistakenly choose D when the key detail is the single external IP address.

How to eliminate wrong answers

Option A is wrong because a firewall rule blocking inbound SYN-ACK packets would not prevent the server from sending SYN-ACK replies; it would only block those replies from reaching the client, and the server would still generate them. Option C is wrong because if the server's TCP/IP stack had crashed, the server would likely stop all network communication, not just SYN-ACK replies, and CPU/memory usage would typically be abnormal. Option D is wrong because a DDoS attack involves multiple sources, but the question specifies a single external IP address, making it a simple SYN flood rather than a distributed attack.
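As an added example (not part of the original question set), here is how the symptom in this question can be picked out of flow records: count, per source, SYNs to the server that are never followed by the client's final ACK, and note whether the server answered with SYN-ACKs at all. The record format and the sample records are constructed for the example.

```python
"""Added example, not part of the original question set: flag a SYN flood by
counting, per source, SYNs to a server that are never followed by the final
ACK of the handshake.

Assumptions (not from the page): records are constructed strings of the form
"<src_ip> <dst_ip> <server_port> <flags>", where flags is "S" (SYN),
"SA" (SYN-ACK) or "A" (ACK). Real input would come from a flow exporter or a
packet capture.
"""
from collections import defaultdict

# Constructed sample: one client completes a handshake with 192.0.2.10:443,
# a single external host sends 40 SYNs and never completes any of them, and
# the server never answers those SYNs with a SYN-ACK.
SAMPLE_FLOWS = [
    "198.51.100.5 192.0.2.10 443 S",
    "192.0.2.10 198.51.100.5 443 SA",
    "198.51.100.5 192.0.2.10 443 A",
] + ["203.0.113.9 192.0.2.10 443 S"] * 40


def parse_flow(line):
    src, dst, port, flags = line.split()
    return src, dst, int(port), flags


def handshake_stats(lines, server_ip):
    """Per client: SYNs it sent to server_ip, SYN-ACKs the server sent back,
    and final ACKs the client sent."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in lines:
        src, dst, _port, flags = parse_flow(line)
        if dst == server_ip and flags == "S":
            stats[src]["syn"] += 1
        elif src == server_ip and flags == "SA":
            stats[dst]["synack"] += 1
        elif dst == server_ip and flags == "A":
            stats[src]["ack"] += 1
    return dict(stats)


def half_open_by_source(lines, server_ip):
    """SYNs not followed by a client ACK, i.e. connections left half-open."""
    return {src: max(s["syn"] - s["ack"], 0)
            for src, s in handshake_stats(lines, server_ip).items()}


def classify(lines, server_ip, threshold=20):
    """Return (label, offenders). One offending source is the plain SYN flood
    from the question; several offending sources would be a distributed one."""
    offenders = {src: n for src, n in half_open_by_source(lines, server_ip).items()
                 if n >= threshold}
    if not offenders:
        return "normal", offenders
    label = "syn_flood_single_source" if len(offenders) == 1 else "syn_flood_distributed"
    return label, offenders


if __name__ == "__main__":
    label, offenders = classify(SAMPLE_FLOWS, "192.0.2.10")
    print(label, offenders)
    for src, s in handshake_stats(SAMPLE_FLOWS, "192.0.2.10").items():
        print(f"{src}: syn={s['syn']} synack={s['synack']} ack={s['ack']}")
```

The synack counter is what separates this question's scenario (server silent, backlog full or cookies off) from a server that is still answering under load; the threshold is a starting point, not a tuned value, and should be set from the baseline of the monitored host.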

41
MCQmedium

Refer to the exhibit. Based on the exhibit, which traffic will be permitted?

A.All traffic from 192.168.1.100
B.All traffic from 10.0.1.0/24
C.SSH traffic from any source to 192.168.1.100
D.HTTP traffic from any source to 192.168.1.100
AnswerD

The permit statement allows TCP port 80 (HTTP) traffic to host 192.168.1.100 from any source.

Why this answer

The exhibit shows an access control list (ACL) that permits TCP traffic from any source to destination host 192.168.1.100 on port 80 (HTTP). The ACL entry is `permit tcp any host 192.168.1.100 eq 80`, which matches only HTTP traffic. Therefore, only HTTP traffic from any source to 192.168.1.100 is permitted.

Exam trap

ISC2 often tests the distinction between source and destination in ACL statements, and the trap here is that candidates misread the ACL as permitting traffic from 192.168.1.100 (source) rather than to it (destination), or confuse the port number (80 for HTTP vs. 22 for SSH).

How to eliminate wrong answers

Option A is wrong because the ACL does not permit all traffic from 192.168.1.100; it only permits inbound HTTP traffic to that host, and the source is 'any', not a specific source. Option B is wrong because the ACL does not reference the 10.0.1.0/24 network at all; the source is 'any', and the destination is a single host, not a subnet. Option C is wrong because SSH uses TCP port 22, not port 80; the ACL explicitly matches port 80 (HTTP), so SSH traffic would be denied.

42
Matchingmedium

Match each network security concept to its purpose.


Concepts
Matches

Filters traffic based on rules

Segments public-facing servers

Maps private to public IPs

Encrypts data over public networks

Monitors for suspicious activity

Why these pairings

These are fundamental network security components.

43
MCQmedium

Refer to the exhibit. A network administrator configured the following firewall rules. After implementation, users from the internal network cannot browse the internet. Which element is causing the issue?

A.Rule id=30
B.Rule id=10
C.Rule id=20
D.The rule order
AnswerD

The deny rule should be after the allow rule to permit internal traffic first.

Why this answer

Firewall rules are evaluated top to bottom and the first match wins; anything that matches no explicit rule hits the implicit deny at the end. Rule id=10 is the intended permit for HTTP/HTTPS from the internal network to the outside, rule id=20 denies all traffic sourced from the internal network, and rule id=30 permits internal traffic to the DMZ. As ordered in the exhibit, the deny-all rule is matched before the HTTP/HTTPS permit is ever consulted, so every internet-bound flow from the internal network is dropped on that first match. The rule ids are only labels; the evaluation order decides, which is why D is the answer: moving the permit rules ahead of the deny (or narrowing the deny) restores browsing.

Exam trap

ISC2 often tests the concept that ACL rule order is critical: candidates assume a permit rule later in the list can override an earlier deny, but under first-match evaluation the deny is hit first and the later permit is never reached.

How to eliminate wrong answers

Option A is wrong because rule id=30 (permit from internal to DMZ) concerns DMZ access and has no bearing on internet browsing. Option B is wrong because rule id=10 (permit HTTP/HTTPS from internal to external) is exactly the rule that should be matching the browsing traffic; it is not defective, it is simply never reached because the deny-all rule is evaluated ahead of it. Option C is wrong because, although rule id=20 (deny all from internal) is the rule that actually drops the traffic, ending a rule set with a broad deny is normal practice; the fault is its position ahead of the permit rules, not its existence, so the root cause is the ordering.

44
MCQeasy

A network technician is setting up a remote access VPN for employees using IPsec. The company's firewall is configured to allow IPsec traffic. Employees report that they can successfully establish the VPN connection (tunnel appears up), but they cannot ping or access any internal resources (e.g., file servers). The firewall logs show that packets from the VPN client IP addresses are being dropped at the firewall interface. Which of the following is the MOST likely cause of this issue?

A.The VPN client is not assigned a correct IP address from the pool.
B.The firewall's access control list does not permit traffic from the VPN subnet to the internal network.
C.The firewall's intrusion prevention system is blocking the traffic.
D.The IPsec encryption algorithm is incompatible between client and firewall.
AnswerB

The tunnel being up only shows that IPsec negotiation succeeded; the firewall still needs an ACL that permits the decrypted traffic from the VPN pool into the internal network.

Why this answer

The tunnel is established, so IKE Phase 1 (the IKE SA) and Phase 2 (the IPsec SA) completed and the client holds an address from the pool. The drops are logged at the firewall interface after decryption, which means the packets are being evaluated against the interface (or zone) policy like any other traffic, and that policy has no permit for traffic sourced from the VPN client subnet to the internal network. Unless the platform is configured to exempt decrypted VPN traffic from interface ACLs, a permit from the VPN pool to the internal subnets (and a route back to the pool) is required even though the tunnel itself is healthy.

Exam trap

ISC2 often tests the distinction between tunnel establishment (IPsec Phase 1 and Phase 2) and traffic forwarding (ACL/permit rules), leading candidates to mistakenly blame encryption mismatches or client IP assignment when the real issue is a missing firewall rule.

How to eliminate wrong answers

Option A is wrong because if the VPN client were not assigned a correct IP address from the pool, the tunnel would not establish successfully (the client would fail Phase 2 or not receive a usable IP), and the logs would show authentication or address assignment failures, not dropped packets at the firewall interface. Option C is wrong because an intrusion prevention system (IPS) typically blocks traffic based on signatures or anomalies, not by default for all traffic from a VPN subnet; the logs would show IPS alerts, not simple drops at the interface. Option D is wrong because if the IPsec encryption algorithm were incompatible, the tunnel would fail to establish (Phase 2 would fail), and the VPN connection would not appear up.

45
MCQmedium

A company's remote access VPN uses IPsec with pre-shared keys. Employees report that they cannot connect from home. The VPN server logs show 'IKE authentication failed.' The help desk confirms the pre-shared keys are correct. Which of the following is the most likely cause?

A.The client is behind a NAT device that blocks IPsec traffic
B.The VPN server is not responding to IKE requests
C.The client's certificate has expired
D.The IKE phase 1 parameters (encryption, hash, DH group) do not match
AnswerD

Mismatched parameters cause authentication failure despite correct keys.

Why this answer

Option D is correct because the log points at IKE phase 1 (the IKE SA), where the peers negotiate the protection suite before authenticating each other. Even with the pre-shared key correct, a mismatch in encryption (e.g., AES vs. 3DES), hash (e.g., SHA-1 vs. SHA-256) or Diffie-Hellman group (e.g., group 2 vs. group 14) prevents the IKE SA from forming, so phase 1 never completes. In practice, compare both sides' phase 1 policy line by line (on Cisco IOS, `show crypto isakmp policy` on each end), and be aware that many implementations log a proposal mismatch as 'no proposal chosen' and reserve 'authentication failed' for a wrong key or a key bound to the wrong peer identity; the exam's wording is broader than what a specific vendor's log would say.

Exam trap

ISC2 often tests the distinction between 'IKE authentication failed' (which points to phase 1 parameter mismatch or PSK error) and 'no response' (which points to firewall/NAT blocking), trapping candidates who assume NAT is always the culprit without reading the log message carefully.

How to eliminate wrong answers

Option A is wrong because NAT breaks native ESP/AH (there are no port numbers to translate), which shows up as a tunnel that negotiates but passes no traffic, or as timeouts, not as 'IKE authentication failed'; IKE itself runs over UDP 500 and, with NAT-T, UDP 4500, so it traverses NAT. Option B is wrong because if the VPN server were not responding, the client would see 'no response' or 'timeout' messages; a specific 'IKE authentication failed' entry in the server's own log means the server received and processed the IKE request. Option C is wrong because certificates play no part in a PSK deployment; IKE authentication with PSK uses the pre-shared key, and an expired certificate would produce a different error such as 'certificate validation failed'.
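The two distinct failure points described above, as an added example that is not part of this question set: a simplified Python model of the responder side of an IKE exchange. The proposal tuples, peer identity, keys and the stand-in AUTH computation are assumptions for the example (the real AUTH payload follows RFC 7296, which this does not reproduce); what it demonstrates is that a phase-1 parameter mismatch fails before authentication is attempted, and is reported differently from a wrong pre-shared key.

```python
"""Added example, not part of the original question set: a simplified model of
the responder side of an IKE exchange, showing that a phase-1 proposal mismatch
and a pre-shared-key mismatch are reported differently.

Assumptions (not from the page): proposals are (encryption, integrity, dh_group)
tuples; the AUTH payload computation below is a stand-in HMAC, not the exact
RFC 7296 formula; peer identities and keys are constructed for the example.
"""
import hashlib
import hmac
import os

# Constructed responder (VPN server) configuration, in priority order.
SERVER = {
    "policies": [
        ("aes256", "sha256", "group14"),
        ("aes128", "sha256", "group14"),
    ],
    "peer_psks": {b"client@example.com": b"correct horse battery staple"},
}


def choose_proposal(offered, configured):
    """Pick the first configured policy the initiator also offered.
    None means the responder would send NO_PROPOSAL_CHOSEN."""
    for policy in configured:
        if policy in offered:
            return policy
    return None


def auth_payload(psk, nonce_i, nonce_r, identity):
    # Stand-in for the PSK-based AUTH data: binds the key to both nonces and
    # the claimed identity, so a wrong key (or wrong identity) fails to verify.
    return hmac.new(psk, nonce_i + nonce_r + identity, hashlib.sha256).digest()


def ike_handshake(initiator, responder):
    """Run SA negotiation, then PSK authentication. Returns the responder's
    log message for the attempt."""
    chosen = choose_proposal(initiator["proposals"], responder["policies"])
    if chosen is None:
        return "NO_PROPOSAL_CHOSEN"        # parameter mismatch; auth never starts
    nonce_i, nonce_r = os.urandom(32), os.urandom(32)
    ident = initiator["id"]
    sent = auth_payload(initiator["psk"], nonce_i, nonce_r, ident)
    known_psk = responder["peer_psks"].get(ident, b"\x00")   # unknown peer: no key
    expected = auth_payload(known_psk, nonce_i, nonce_r, ident)
    if not hmac.compare_digest(sent, expected):
        return "AUTHENTICATION_FAILED"     # key (or identity) mismatch
    return "IKE_SA_ESTABLISHED " + "/".join(chosen)


def client(proposals, psk=b"correct horse battery staple", ident=b"client@example.com"):
    return {"proposals": proposals, "psk": psk, "id": ident}


GOOD = client([("aes256", "sha256", "group14")])
BAD_PARAMS = client([("3des", "sha1", "group2")])          # legacy proposal only
BAD_PSK = client([("aes256", "sha256", "group14")], psk=b"wrong key")

if __name__ == "__main__":
    for name, c in [("good", GOOD), ("bad params", BAD_PARAMS), ("bad psk", BAD_PSK)]:
        print(f"{name}: {ike_handshake(c, SERVER)}")
```

The responder's configured order, not the initiator's, decides which suite wins when several overlap, which is why a client that merely includes a strong suite can still end up on a weaker one if the server lists it first.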

46
MCQmedium

A company uses WPA2-Enterprise for wireless authentication. What additional security measure should be implemented to protect against rogue access points?

A.Enable MAC filtering
B.Deploy a wireless intrusion prevention system (WIPS)
C.Implement 802.1X with mutual authentication
D.Use WPA3
AnswerB

WIPS detects and prevents rogue access points.

Why this answer

WPA2-Enterprise uses 802.1X for authentication, but it does not inherently detect or block rogue access points (APs) that mimic legitimate SSIDs. A Wireless Intrusion Prevention System (WIPS) continuously monitors the RF spectrum, identifies unauthorized APs by analyzing beacon frames, probe responses, and MAC addresses, and can automatically contain them by sending deauthentication frames or alerting administrators. This is the most direct and effective measure to protect against rogue APs in an enterprise WLAN.

Exam trap

ISC2 often tests the misconception that WPA2-Enterprise or 802.1X alone can prevent rogue APs, but the trap is that these protocols authenticate users and servers, not the physical AP device itself, leaving the network vulnerable to rogue APs that broadcast the same SSID.

How to eliminate wrong answers

Option A is wrong because MAC filtering is a weak, static access control that can be easily bypassed by MAC spoofing and does not detect or prevent rogue APs from operating. Option C is wrong because 802.1X with mutual authentication (EAP-TLS, for example) already authenticates both the client and the RADIUS server, but it does not monitor the airwaves for unauthorized APs; a rogue AP can still broadcast the same SSID and trick clients into connecting before any 802.1X exchange completes. Option D is wrong because WPA3, while more secure than WPA2, still does not include built-in rogue AP detection or containment; it only improves encryption and authentication (e.g., SAE) but does not replace the need for a dedicated WIPS.

47
MCQhard

A company's network uses 802.1X authentication with PEAP-MSCHAPv2 on wired ports. Users report that after a recent switch firmware update, some workstations fail to authenticate intermittently, while others work fine. The authentication server logs show 'Authentication failed: Unknown CA certificate' for affected workstations. What is the most likely cause?

A.The switch is now using a different certificate that is not trusted by the clients
B.The switch is not forwarding EAP packets properly due to a firmware bug
C.The RADIUS shared secret was changed during the firmware update
D.The authentication server (NPS) is overloaded and dropping requests
AnswerA

The certificate presented during PEAP is the RADIUS server's; after the update, the affected clients are being shown one whose issuing CA they do not trust.

Why this answer

'Unknown CA certificate' means the supplicant could not build a trust chain for the server certificate it was shown inside the PEAP TLS tunnel, so it aborted the exchange (the server logs the client's TLS alert) rather than send its MSCHAPv2 credentials. Strictly, the switch is only the authenticator and relays EAP; the certificate belongs to the RADIUS server. The reading that fits the scenario is that the update changed which server certificate, or which RADIUS server, the affected workstations end up talking to, e.g. a certificate issued by a CA that is missing from their trust store; because only some workstations lack that CA, or only some requests land on the affected server, the failures look intermittent. PEAP requires the client to validate the server certificate before the inner authentication, so an untrusted issuer fails the exchange at that point. The check: compare the CA that issued the RADIUS server certificate against the trusted-CA list in the supplicant's PEAP profile on a failing and on a working workstation.

Exam trap

ISC2 often tests the distinction between authentication failures caused by certificate trust issues versus RADIUS shared secret mismatches, trapping candidates who confuse server-side RADIUS configuration with client-side certificate validation.

How to eliminate wrong answers

Option B is wrong because a switch that mishandles EAP would break authentication for every client on it, not intermittently for some, and the failure would surface as EAP timeouts rather than a certificate-specific error. Option C is wrong because the RADIUS shared secret authenticates RADIUS messages between the switch (NAS) and the server and obfuscates the User-Password attribute; if it were wrong, the server would discard every Access-Request from that switch, every user on the switch would fail, and the switch would see timeouts, not a certificate error. Option D is wrong because an overloaded NPS manifests as timeouts and dropped requests, whereas 'Unknown CA certificate' is a deliberate verdict produced when the supplicant rejects the server's certificate chain.

48
MCQmedium

A security engineer is designing a network for a small business that needs to segregate guest Wi-Fi from the internal corporate network. The guest network should have internet access only, with no access to internal resources. Which of the following is the BEST design approach?

A.Implement MAC address filtering on the access point to allow only known devices.
B.Connect the guest Wi-Fi to the internet through a separate router that does not have routes to the internal network.
C.Use a single VLAN with a DHCP server that assigns different IP ranges to guests and employees.
D.Place the guest Wi-Fi on a separate VLAN with a firewall rule blocking traffic to internal subnets.
AnswerD

This creates logical isolation and allows granular control over traffic between VLANs.

Why this answer

Option D is the best approach because placing the guest Wi-Fi on a separate VLAN and applying a firewall rule to block traffic to internal subnets provides both logical segmentation and access control. This ensures that guest traffic is isolated at Layer 2 (VLAN) and Layer 3/4 (firewall), preventing any unauthorized access to the corporate network while still allowing internet connectivity through a default route.

Exam trap

ISC2 often tests the misconception that handing out different IP ranges on one VLAN separates users, when hosts in the same broadcast domain can still reach each other directly at Layer 2; real isolation needs separate VLANs (separate broadcast domains) with a Layer 3 policy, firewall rules or ACLs, controlling what may cross between them.

How to eliminate wrong answers

Option A is wrong because MAC address filtering only controls which devices can associate with the access point; it does not prevent those devices from accessing internal resources once connected, nor does it scale or provide security against MAC spoofing. Option B is wrong because using a separate router for guest Wi-Fi is unnecessarily complex and costly for a small business; it also fails to leverage existing infrastructure and can lead to routing misconfigurations if not carefully managed, whereas a single router with VLANs and firewall rules achieves the same goal more efficiently. Option C is wrong because a single VLAN with different IP ranges does not provide Layer 2 isolation; devices on the same VLAN can communicate directly via ARP and broadcasts, so guests could still reach internal hosts if they are on the same broadcast domain.

49
MCQeasy

A company wants to allow remote employees to securely access internal resources over the internet. Which technology is most appropriate?

A.NAT
B.VLAN
C.DMZ
D.VPN
AnswerD

VPN provides secure remote connectivity.

Why this answer

A VPN (Virtual Private Network) creates an encrypted tunnel over the internet, typically using protocols like IPsec or TLS, to securely connect remote users to internal resources. This ensures confidentiality, integrity, and authentication of data in transit, making it the standard solution for remote access security.

Exam trap

ISC2 often tests the misconception that NAT or a DMZ alone can secure remote access, but candidates must recognize that only VPN provides the required encryption and tunneling for secure internet-based connectivity.

How to eliminate wrong answers

Option A (NAT) is wrong because Network Address Translation only modifies IP addresses in packet headers to enable private-to-public address mapping; it does not provide encryption or secure remote access. Option B (VLAN) is wrong because a Virtual LAN segments a local network at Layer 2 to isolate traffic within a switch, but it cannot extend secure connectivity across the internet. Option C (DMZ) is wrong because a Demilitarized Zone is a perimeter network that hosts public-facing services (e.g., web servers) while isolating them from the internal LAN; it does not create encrypted tunnels for remote users.

50
MCQhard

You are the network security lead for a medium-sized financial firm with 500 employees. The network consists of a core switch, distribution switches, and access switches. There are three main VLANs: VLAN 10 (Management - 192.168.10.0/24), VLAN 20 (Finance - 192.168.20.0/24), and VLAN 30 (Guest Wi-Fi - 192.168.30.0/24). The network uses a single firewall with three interfaces: inside (trusted), outside (untrusted), and DMZ. The firewall is configured with default-deny rules. Recently, the helpdesk reported that employees in the Finance VLAN cannot access a web-based accounting application hosted on a server at 10.0.0.5, which is in the DMZ. The server's default gateway is the firewall's DMZ interface (10.0.0.1). The accounting application runs on HTTPS (TCP 443). Employees in the Management VLAN can access the application without issue. You have verified that the Finance VLAN has connectivity to the firewall's inside interface (192.168.20.1). The firewall's inside interface has an IP of 192.168.20.1. There is no ACL on the inside interface. The firewall's DMZ interface has an ACL permitting TCP/443 from any to 10.0.0.5. The firewall's routing table shows a route to 10.0.0.0/24 via DMZ interface. What is the most likely cause of the issue?

A.The routing table on the firewall does not have a return route to the Finance subnet.
B.The firewall lacks a policy permitting traffic from the inside zone to the DMZ zone.
C.The DMZ ACL is blocking traffic from the Finance subnet because it only permits from Management subnet.
D.An ACL applied inbound on the inside interface is blocking Finance traffic but allowing Management traffic.
AnswerB

Firewall policies are zone-based; the inside-to-DMZ policy does not cover the Finance subnet, so Finance traffic is dropped.

Why this answer

The firewall applies a default-deny policy between zones. An inside interface with no ACL and a DMZ ACL that permits HTTPS 'from any' are necessary but not sufficient: on a zone-based firewall, traffic crossing from the inside zone to the DMZ zone must also match a zone-pair policy. Management (192.168.10.0/24) works, so such a policy exists, but it evidently does not cover the Finance subnet (192.168.20.0/24); VLAN 20 flows to 10.0.0.5:443 match no inside-to-DMZ rule and are dropped by the policy engine regardless of the routing table or the interface ACLs. The fix is to add (or widen) the inside-to-DMZ rule to include 192.168.20.0/24 for TCP/443 to 10.0.0.5, then confirm with the firewall's drop log or a packet trace from a Finance host.

Exam trap

ISC2 often tests the distinction between interface ACLs and zone-based firewall policies, trapping candidates into thinking that permissive ACLs alone allow traffic, when in fact a zone-pair policy is required for inter-zone communication.

How to eliminate wrong answers

Option A is wrong because the firewall's routing table already has a route to 10.0.0.0/24 via the DMZ interface, and the Finance VLAN can reach the inside interface; the issue is not a missing return route but a missing zone-based policy. Option C is wrong because the DMZ ACL permits TCP/443 from any to 10.0.0.5, so it does not restrict based on source subnet; the problem is not an ACL on the DMZ interface. Option D is wrong because the question explicitly states there is no ACL on the inside interface, so no inbound ACL is blocking Finance traffic while allowing Management traffic.

51
MCQmedium

A network administrator needs to allow secure remote access for teleworkers. Which VPN protocol provides the best confidentiality and integrity while using a single UDP port?

A.PPTP
B.SSL/TLS (OpenVPN)
C.L2TP/IPsec
D.IKEv2
AnswerB

OpenVPN uses a single UDP port and provides strong encryption.

Why this answer

SSL/TLS (OpenVPN) is correct because it provides robust confidentiality and integrity through TLS for the control channel and authenticated encryption (e.g., AES-256-GCM, or AES-CBC with an HMAC) for the data channel, while operating over a single UDP port (1194 by default; it can also run over TCP). This suits teleworkers because one port is easy to open and passes NAT without special handling, unlike IPsec-based protocols that need UDP 500/4500 plus ESP or ESP-in-UDP.

Exam trap

ISC2 often tests the misconception that L2TP/IPsec is the best for secure remote access because it is commonly used in site-to-site VPNs, but the key constraint here is 'single UDP port,' which eliminates L2TP/IPsec and IKEv2, and PPTP is insecure.

How to eliminate wrong answers

Option A (PPTP) is wrong because it relies on MPPE, an RC4-based cipher with known weaknesses and no real integrity protection (no HMAC), and because it needs TCP port 1723 for control plus GRE (IP protocol 47) for data, not a single UDP port. Option C (L2TP/IPsec) is wrong because it needs UDP 500 for IKE, UDP 4500 for NAT-T and ESP (IP protocol 50) carrying the L2TP session (UDP 1701 inside the tunnel); it is strong, but it is not a single-port protocol. Option D (IKEv2) is wrong because it is the key exchange for an IPsec VPN: the initial exchange starts on UDP 500, moves to UDP 4500 when NAT is detected, and the data travels in ESP (or ESP-in-UDP on 4500), so a normal deployment still involves two UDP ports and ESP rather than one UDP port.

52
MCQhard

Refer to the exhibit. A security analyst runs the above iptables command on a Linux server. The server is configured with a default policy of DROP on the INPUT chain. Users report they can SSH to the server but cannot ping it. What is the most likely reason?

A.The default policy DROP on the INPUT chain drops echo replies, but they should be matched by the ESTABLISHED,RELATED rule.
B.The ICMP rule is placed after the ESTABLISHED,RELATED rule, so it is never evaluated for new ICMP packets.
C.The ACCEPT rule for ICMP only permits echo request (type 8), but ping requires echo reply (type 0) which is not allowed.
D.The ICMP rule only allows incoming echo requests; outgoing echo replies are not covered by the displayed rules and must be allowed by the OUTPUT chain.
AnswerD

Outgoing echo replies require an OUTPUT chain rule to be allowed.

Why this answer

Option D is correct because the displayed rules are all in the INPUT chain, which only sees packets addressed to the server. The rule allowing ICMP echo requests (type 8) lets the ping in, but the echo reply (type 0) the server generates is a locally originated packet and is filtered by the OUTPUT chain. If OUTPUT has a default policy of DROP and nothing there matches the reply, the reply is silently discarded and the client sees a timeout even though the request was accepted. SSH still works because the OUTPUT chain evidently does let the server's TCP replies out; the ICMP reply has no such rule. The quick check is `iptables -S OUTPUT`: an `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` entry there covers echo replies as well, because conntrack does track ICMP echo and treats the reply as part of the existing entry.

Exam trap

ISC2 often tests the misconception that a single chain (INPUT) controls all traffic to and from the server, leading candidates to overlook the fact that outgoing packets (like ICMP echo replies) are filtered by the OUTPUT chain, not the INPUT chain.

How to eliminate wrong answers

Option A is wrong because an echo reply to an inbound ping is not an inbound packet at all; it is generated by the server and leaves through OUTPUT, so neither the INPUT default policy nor the INPUT ESTABLISHED,RELATED rule applies to it. (That INPUT rule would cover the opposite case, an echo reply coming back to a ping the server itself sent, since conntrack tracks ICMP echo request/reply pairs.) Option B is wrong because rule order is not the issue: a new echo request does not match the ESTABLISHED,RELATED rule, falls through to the ICMP rule and is accepted, which is exactly why the request gets in; the problem is the reply on the way out.

Option C is wrong because the ACCEPT rule for ICMP permits echo request (type 8) correctly, but ping requires the server to send echo replies (type 0), which are outgoing and not governed by the INPUT chain; the rule does not need to allow echo replies on INPUT.
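To make the INPUT/OUTPUT distinction concrete, here is an added example that is not from the page's exhibit: a toy Python model of netfilter chain traversal with connection tracking. The exhibit's OUTPUT chain is not shown, so both OUTPUT rule sets, the addresses and the packet fields are assumptions; the model shows why SSH answers leave while echo replies are dropped, and why an ESTABLISHED,RELATED rule in OUTPUT fixes it.

```python
"""Added example, not part of the original question set: a toy model of the
netfilter INPUT/OUTPUT traversal with connection tracking, reproducing the
"SSH works but ping does not" symptom from question 52.

Assumptions (not from the page): the exhibit's OUTPUT chain is not shown, so
both OUTPUT rule sets below are constructed; addresses are documentation
ranges; only the fields needed for the two flows are modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1        # 8 = echo request, 0 = echo reply


@dataclass
class Rule:
    chain: str                 # "INPUT" or "OUTPUT"
    target: str                # "ACCEPT" or "DROP"
    proto: str = None
    sport: int = None
    dport: int = None
    icmp_type: int = None
    ctstate: tuple = None      # e.g. ("ESTABLISHED", "RELATED")

    def matches(self, p, state):
        return ((self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type)
                and (self.ctstate is None or state in self.ctstate))


def flow_key(p):
    """Forward and reverse conntrack tuples: an echo reply reverses the
    request's addresses, a SYN-ACK reverses the SYN's address/port pairs."""
    if p.proto == "icmp":
        return (p.proto, p.src, p.dst), (p.proto, p.dst, p.src)
    return ((p.proto, p.src, p.sport, p.dst, p.dport),
            (p.proto, p.dst, p.dport, p.src, p.sport))


class Firewall:
    def __init__(self, rules, policy):
        self.rules, self.policy = rules, policy
        self.conntrack = set()

    def state(self, p):
        fwd, rev = flow_key(p)
        return "ESTABLISHED" if fwd in self.conntrack or rev in self.conntrack else "NEW"

    def filter(self, chain, p):
        """Packets for the host hit INPUT, locally generated ones hit OUTPUT;
        first matching rule wins, else the chain's default policy."""
        state = self.state(p)
        verdict = self.policy[chain]
        for r in self.rules:
            if r.chain == chain and r.matches(p, state):
                verdict = r.target
                break
        if verdict == "ACCEPT":
            self.conntrack.add(flow_key(p)[0])   # confirm the conntrack entry
        return verdict


INPUT_RULES = [   # the INPUT side as the question describes it
    Rule("INPUT", "ACCEPT", ctstate=("ESTABLISHED", "RELATED")),
    Rule("INPUT", "ACCEPT", proto="tcp", dport=22),
    Rule("INPUT", "ACCEPT", proto="icmp", icmp_type=8),
]
# Constructed OUTPUT chains: the broken one only lets SSH answers out.
OUTPUT_BROKEN = [Rule("OUTPUT", "ACCEPT", proto="tcp", sport=22)]
OUTPUT_FIXED = [Rule("OUTPUT", "ACCEPT", ctstate=("ESTABLISHED", "RELATED"))]


def ssh_and_ping(output_rules):
    """Return (verdict for the SSH SYN-ACK, verdict for the echo reply)."""
    fw = Firewall(INPUT_RULES + output_rules, {"INPUT": "DROP", "OUTPUT": "DROP"})
    client, server = "198.51.100.7", "192.0.2.10"
    fw.filter("INPUT", Packet("tcp", client, server, sport=51000, dport=22))
    ssh_reply = fw.filter("OUTPUT", Packet("tcp", server, client, sport=22, dport=51000))
    fw.filter("INPUT", Packet("icmp", client, server, icmp_type=8))
    echo_reply = fw.filter("OUTPUT", Packet("icmp", server, client, icmp_type=0))
    return ssh_reply, echo_reply


if __name__ == "__main__":
    print("broken OUTPUT:", ssh_and_ping(OUTPUT_BROKEN))   # ('ACCEPT', 'DROP')
    print("fixed OUTPUT: ", ssh_and_ping(OUTPUT_FIXED))    # ('ACCEPT', 'ACCEPT')
```

On a real host the equivalent checks are `iptables -S OUTPUT` to read the chain and, where the conntrack tools are installed, `conntrack -L` to see the tracked echo entry; the ESTABLISHED,RELATED rule in OUTPUT is preferable to an explicit echo-reply rule because it covers every reply type without enumerating them.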

53
Multi-Selecthard

A network administrator is implementing a defense-in-depth strategy. Which THREE of the following are considered network security controls? (Select THREE)

Select 3 answers
A.Virtual Private Network (VPN)
B.Intrusion Detection System (IDS)
C.Full disk encryption
D.Network firewall
E.Antivirus software
AnswersA, B, D

VPN provides encrypted tunnels for secure communication over untrusted networks, a network security control.

Why this answer

A Virtual Private Network (VPN) is a network security control because it creates an encrypted tunnel (using protocols such as IPsec or TLS) between a remote user and the corporate network, ensuring data confidentiality and integrity over untrusted networks like the internet. This protects data in transit and authenticates endpoints, which is a core network-layer security function.

Exam trap

ISC2 often tests the distinction between network-layer controls (VPN, IDS, firewall) and host/endpoint controls (disk encryption, antivirus), so the trap is that candidates mistakenly classify host-based security measures as network security controls.

54
Multi-Selectmedium

A security administrator is reviewing network security controls. Which TWO of the following are examples of network segmentation technologies? (Select TWO)

Select 2 answers
A.Proxy servers
B.Honeypots
C.Subnetting
D.VLANs
E.Firewalls
AnswersC, D

Subnetting divides a network into smaller IP subnetworks, providing Layer 3 segmentation.

Why this answer

Subnetting divides a larger network into smaller, logical subnetworks by manipulating the subnet mask (e.g., using VLSM or CIDR). This creates separate broadcast domains at Layer 3, allowing administrators to isolate traffic and apply distinct security policies between subnets, which is a core function of network segmentation.

Exam trap

ISC2 often tests the distinction between technologies that create segmentation (subnetting, VLANs) and technologies that enforce security policies between segments (firewalls, ACLs), leading candidates to mistakenly select firewalls as a segmentation technology.

55
Multi-Selectmedium

Which two of the following are common methods to secure a virtual private network (VPN) connection? (Choose two.)

Select 2 answers
B.LDAP
C.SSL/TLS
AnswersC, E

SSL/TLS is used for secure web-based VPNs.

Why this answer

SSL/TLS is a common method to secure VPN connections, typically in SSL VPNs. It runs on top of TCP (or UDP, as DTLS) and provides encryption, authentication and integrity for data crossing the internet, usually on TCP port 443 so that it passes firewalls that already allow HTTPS. This makes it well suited to remote access VPNs where clients connect through a browser or a lightweight client.

Exam trap

ISC2 often tests the distinction between VPN security protocols (IPsec, SSL/TLS) and unrelated network protocols (ICMP, SNMP, LDAP) to see if candidates confuse management or authentication protocols with encryption/tunneling mechanisms.

56
MCQeasy

A security engineer is configuring a network intrusion detection system (NIDS) to monitor traffic on a critical subnet. To minimize false positives, which of the following should the engineer baseline first?

A.The results of a recent vulnerability scan
B.The normal traffic patterns during peak business hours
C.The latest attack signatures from the vendor
D.The firewall logs from the past 24 hours
AnswerB

Baseline normal traffic to identify anomalies.

Why this answer

Baselining normal traffic patterns during peak business hours establishes a reference of legitimate network behavior, which is essential for a NIDS to distinguish benign anomalies from actual threats. Without this baseline, the NIDS may generate false positives by flagging legitimate peak-hour traffic spikes as malicious. This aligns with the principle that anomaly-based detection relies on a statistical model of normal activity to reduce noise.

Exam trap

ISC2 often tests the distinction between anomaly-based and signature-based detection, and the trap here is that candidates mistakenly think vulnerability scans or firewall logs provide a sufficient baseline, when in fact only observed normal traffic patterns during representative periods (like peak hours) can minimize false positives in an anomaly-based NIDS.

How to eliminate wrong answers

Option A is wrong because vulnerability scan results identify known weaknesses but do not define normal traffic behavior, so they cannot help the NIDS differentiate benign from malicious traffic patterns. Option C is wrong because attack signatures are used for signature-based detection, not for establishing a baseline to minimize false positives in anomaly-based detection; relying solely on signatures can miss novel attacks and still generate false positives if traffic matches signatures incorrectly. Option D is wrong because firewall logs from the past 24 hours provide only a limited snapshot of traffic and may not capture the full range of normal patterns, especially during peak hours, leading to an incomplete baseline.

57
MCQmedium

A network administrator is designing a DMZ to host a public-facing web server and a database server that should only be accessible from the web server. Which of the following firewall rule sets best achieves this design?

A.Allow inbound HTTP/HTTPS to web server; allow web server to database on port 3306; deny all else
B.Allow web server to initiate outbound connections to internet; allow database to initiate connections to web server; deny all else
C.Allow inbound HTTP/HTTPS to web server; allow all traffic from web server to database; deny all else
D.Allow inbound HTTP/HTTPS to web server; allow inbound SQL from internet to database; deny all else
AnswerA

This permits necessary traffic and restricts database access to only the web server.

Why this answer

Option A is correct because it implements the principle of least privilege for a DMZ: it allows inbound HTTP/HTTPS traffic (ports 80/443) to the public-facing web server, then permits only the web server to initiate outbound connections to the database server on port 3306 (MySQL/MariaDB default), and denies all other traffic. This ensures the database is not directly accessible from the internet, reducing the attack surface while still supporting the required application flow.

Exam trap

ISC2 often tests the principle of least privilege by including options that allow overly broad access (like 'all traffic' from web to database) or reverse the direction of connections, so the trap here is assuming that any traffic between the web server and database is acceptable without specifying the exact protocol and port.

How to eliminate wrong answers

Option B is wrong because it allows the web server to initiate outbound connections to the internet, which is unnecessary and could be used for data exfiltration or command-and-control traffic; it also incorrectly allows the database to initiate connections to the web server, which violates the design requirement that the database should only be accessible from the web server. Option C is wrong because it allows all traffic from the web server to the database, not just the specific SQL port (3306), which could permit other protocols or services to reach the database, increasing the attack surface. Option D is wrong because it allows inbound SQL traffic from the internet directly to the database server, which directly contradicts the requirement that the database should only be accessible from the web server and exposes the database to external attacks.

58
Multi-Selecteasy

Which TWO of the following are common methods to authenticate users on a wireless network? (Select TWO)

Select 2 answers
A.WEP
B.WPA3-SAE
C.802.1X with RADIUS
D.WPA2-PSK
E.MAC address filtering
AnswersB, C

WPA3-SAE provides secure password-based authentication for personal mode.

Why this answer

WPA3-SAE (Simultaneous Authentication of Equals) replaces the WPA2 pre-shared key handshake with the Dragonfly password-authenticated key exchange: both sides derive a group element from the shared password and run a Diffie-Hellman-style commit/confirm exchange over an elliptic-curve or finite-field group, so the resulting Pairwise Master Key (PMK) is fresh for every association. An eavesdropper who captures the exchange cannot test passphrase guesses against it offline, which is the weakness of WPA2-PSK, and each side proves knowledge of the password to the other, giving mutual authentication and forward secrecy. 802.1X with RADIUS (WPA2/WPA3-Enterprise) authenticates each user or device individually through an EAP method against a central RADIUS server, which is the standard enterprise approach. One caveat: SAE only removes the offline attack; a weak passphrase can still be guessed online, one attempt per exchange, so the access point's rate limiting still matters.

Exam trap

ISC2 often tests the distinction between authenticating a user and merely gating access with a shared secret or an address, leading candidates to select WEP, WPA2-PSK or MAC address filtering. WEP is cryptographically broken, a WPA2 pre-shared key proves only possession of a secret every device on the network shares and can be attacked offline from a captured handshake, and a MAC address is trivially forged, so none of the three identifies a user.
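The offline dictionary attack that SAE removes, as an added illustration rather than content from the original page: WPA2-Personal derives the PMK from the passphrase with PBKDF2 (IEEE 802.11 Annex J), so anything captured that depends on the PMK lets an attacker test guesses at their own pace. The SSID, passphrase and wordlist are constructed; checking guesses against the PMK itself is a simplification, since a real attacker checks them against the MIC of a captured four-way handshake, but the cost per guess is the same.

```python
import hashlib
import hmac

def wpa2_pmk(ssid: str, passphrase: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with
    the SSID, 4096 iterations, 256-bit output (IEEE 802.11 Annex J)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def offline_guess(ssid: str, captured_pmk: bytes, wordlist):
    """Offline dictionary attack against WPA2-PSK. In practice the attacker
    checks each candidate against the MIC of a captured 4-way handshake (the
    PTK is derived from the PMK plus both nonces); checking against the PMK
    directly is a simplification that keeps the same cost model: one PBKDF2
    per guess and no interaction with the network at all."""
    for candidate in wordlist:
        if hmac.compare_digest(wpa2_pmk(ssid, candidate), captured_pmk):
            return candidate
    return None

def question_58():
    # Constructed network and wordlist; the "captured" PMK is computed here
    # because this example runs offline.
    ssid, passphrase = "ExampleNet", "correct-horse-battery"
    captured = wpa2_pmk(ssid, passphrase)
    return offline_guess(ssid, captured, ["password", "letmein", "ExampleNet1", passphrase])
```

Each guess costs one PBKDF2 computation and the same PMK serves every client on the SSID, which is why a WPA2-Personal network is only as strong as its passphrase. Under SAE the captured exchange is useless for this loop: the PMK depends on fresh Diffie-Hellman values as well as the password, so every guess would need a new live exchange with the access point.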

59
MCQmedium

Refer to the exhibit. An administrator configures the above ACLs on a router. The goal is to allow internal users (192.168.1.0/24) to browse the web, and to allow SSH management from the internet to a server at 10.0.0.10. However, users report that they cannot browse external websites. What is the most likely reason?

A.ACL 100 is applied outbound on the internal interface, so it does not filter outbound traffic from internal users
B.ACL 100 does not permit DNS traffic, so users cannot resolve domain names
C.ACL 110 blocks the return traffic from the internet
D.The implicit deny at the end of ACL 100 blocks established connections
AnswerA

The access-group is applied outbound on Gi0/1. Traffic from internal users enters the router inbound on Gi0/1 and leaves through the external interface, so ACL 100 is never consulted for it.

Why this answer

ACL 100 is applied outbound on the internal interface (Gi0/1). An outbound ACL evaluates only packets the router is about to transmit out of that interface. Internal users' web requests arrive at the router inbound on Gi0/1 and exit through the external interface, so an ACL bound outbound on Gi0/1 never sees them; what it does evaluate is traffic travelling the other way, from the router toward the internal hosts.

The correct approach is to apply the ACL inbound on the internal interface or outbound on the external interface.

Exam trap

ISC2 often tests the concept that ACL direction is relative to the interface, not the traffic source; the trap here is that candidates assume an outbound ACL on the internal interface will filter traffic leaving the internal network, but it actually filters traffic leaving the router through that interface, which is the opposite direction for internal users' outbound traffic.

How to eliminate wrong answers

Option B is wrong because DNS traffic (UDP/TCP port 53) is not explicitly required for web browsing if users use IP addresses or if a separate DNS resolver is configured; the issue is about ACL placement, not missing DNS permit statements. Option C is wrong because ACL 110 is likely applied inbound on the external interface to permit SSH from the internet to 10.0.0.10, and it does not block return traffic for web sessions because return traffic is matched by established connections or stateful inspection, not by ACL 110. Option D is wrong because the implicit deny at the end of ACL 100 would only affect traffic that is evaluated by that ACL; since ACL 100 is applied outbound on the internal interface, it does not evaluate the outbound web traffic from internal users at all, so the implicit deny is irrelevant to the problem.

60
MCQhard

During a security audit, a penetration tester captures network traffic and finds that some packets have the IP ID field set to 0 and the DF (Don't Fragment) flag set. What is this technique attempting to do?

A.Spoof the source IP address of the attacker's machine
B.Launch a denial-of-service attack against the target
C.Perform a stealth scan using a zombie host to hide the attacker's identity
D.Evade a firewall by fragmenting packets
AnswerC

Idle scan uses IP ID to map a zombie's activity and infer port states.

Why this answer

The question is describing an idle (zombie) scan, the one port-scanning technique whose entire signal is the IP ID field. The attacker first probes the zombie (for example with an unsolicited SYN/ACK, to which the zombie answers RST) to read its current IP ID, then sends a SYN to the target with the zombie's address forged as the source. If the target port is open it replies SYN/ACK to the zombie, which sends a RST and so consumes one more IP ID; a closed port draws a RST that the zombie ignores. Probing the zombie again shows an increment of 2 for an open port and 1 for a closed or filtered one, and the target only ever sees the zombie's address. A caveat a practitioner should know: a host that emits IP ID 0 with DF set is treating the ID as meaningless for non-fragmentable datagrams (RFC 6864), and such a host, like one with random IDs, cannot serve as a zombie; the scan needs a zombie with a predictable, incrementing IP ID and no other traffic of its own.

Exam trap

ISC2 often tests the idle scan by pairing unusual IP header fields with a zombie host, leading candidates to think of fragmentation evasion or plain source spoofing rather than the stealthy reconnaissance technique; the field to associate with idle scanning is the IP ID, whose increments on the zombie reveal the target's port state.

How to eliminate wrong answers

Option A is wrong because spoofing the source IP address does not require setting the IP ID to 0 or the DF flag; spoofing simply falsifies the source address field in the IP header. Option B is wrong because a denial-of-service attack aims to overwhelm a target with traffic, not to stealthily probe ports using a zombie's IP ID behavior. Option D is wrong because evading a firewall by fragmenting packets would involve setting the MF (More Fragments) flag or using small fragment sizes, not setting DF (which prevents fragmentation) and IP ID 0.

61
MCQhard

A medium-sized company uses a network with three VLANs: VLAN 10 (Users, 192.168.10.0/24), VLAN 20 (Servers, 192.168.20.0/24), and VLAN 30 (DMZ, 192.168.30.0/24). A Layer 3 switch with an ACL is used for inter-VLAN routing. The company has a web server in the DMZ that must be accessible from the internet (via a public IP mapped to 192.168.30.10). Users in VLAN 10 need to access the web server on its private IP (192.168.30.10) for internal testing. The ACL is applied inbound on the VLAN 10 SVI. The ACL currently has the following entries: permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255; deny ip any 192.168.20.0 0.0.0.255; permit ip any any. Recently, the security team noticed that users can access the web server on its private IP, but they cannot access the web server via the public IP (which goes through the firewall and then to the DMZ). The firewall logs show that traffic from the users to the public IP is allowed and reaches the DMZ web server, but the return traffic is blocked. The web server's default gateway is the Layer 3 switch (192.168.30.1). Which of the following is the most likely cause of the problem?

A.The web server's default gateway should be set to the firewall, not the Layer 3 switch
B.The ACL on the DMZ SVI (VLAN 30) is blocking the return traffic from the web server to the firewall
C.The ACL on the VLAN 10 SVI is blocking the traffic to the public IP because it only allows private IP ranges
D.The firewall is blocking the return traffic due to a stateful inspection rule
AnswerB

The return traffic from the web server to the firewall must traverse the DMZ SVI. If the ACL on that SVI does not permit the firewall's IP or the traffic, it will be blocked.

Why this answer

The correct answer is B. The web server's default gateway is the Layer 3 switch (192.168.30.1). When users access the web server via the public IP, traffic enters the DMZ through the firewall, but the web server sends return traffic to its default gateway (the Layer 3 switch) instead of back to the firewall.

Hairpinned sessions look different from direct ones at the web server: the firewall forwards the request with its own inside address as the source, so the server's reply is addressed to the firewall and, because that address is not on the server's subnet, leaves through the default gateway, the VLAN 30 SVI. The ACL applied inbound on that SVI permits the DMZ-to-VLAN 10 flow that makes direct access work, but has no entry permitting traffic from 192.168.30.10 to the firewall's address, so the reply is dropped on the switch and never reaches the firewall.

Exam trap

ISC2 often tests the concept of asymmetric routing and the importance of ACL directionality, where candidates mistakenly focus on the inbound ACL on the user VLAN (VLAN 10) instead of realizing that the return traffic is blocked by the ACL on the DMZ SVI (VLAN 30) due to the web server's default gateway pointing to the Layer 3 switch.

How to eliminate wrong answers

Option A is wrong because the web server's default gateway should remain the Layer 3 switch for internal routing; changing it to the firewall would break internal access from VLAN 10 to the web server's private IP, which is currently working. Option C is wrong because the ACL on the VLAN 10 SVI permits traffic from 192.168.10.0/24 to 192.168.30.0/24, which includes the public IP traffic that is NATed to the private IP; the issue is not with the inbound ACL on VLAN 10 but with the return path. Option D is wrong because the firewall logs show that traffic from users to the public IP is allowed and reaches the DMZ web server, and the firewall is stateful, so it would expect return traffic; the blockage is occurring after the traffic leaves the firewall, specifically on the Layer 3 switch's DMZ SVI ACL.
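Direction semantics and the hairpin return path, as one added simulation covering questions 59 and 61; this is not code from the original page. A packet crossing the device meets only the inbound ACL on its ingress interface and the outbound ACL on its egress interface, and the simulator records which bindings were consulted so you can see when an ACL is never evaluated at all. For question 59 the external interface name, the web server address and ACL 100's exact entries are assumptions; for question 61 the VLAN 10 ACL is the one the question quotes, while the ACL on the VLAN 30 SVI, the firewall's inside address on a transit subnet, and the uplink name are assumptions the question leaves open.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "tcp", "udp", "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    """One access-list entry: permit/deny <proto> <src> <dst> [eq <dport>]."""
    action: str
    proto: str                 # "ip" matches every protocol
    src: str                   # CIDR, host address, or "any"
    dst: str
    dport: Optional[int] = None

def _in_net(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate_acl(acl, pkt) -> bool:
    """Cisco-style top-down, first-match evaluation; unmatched traffic hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_in_net(ace.src, pkt.src) and _in_net(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action == "permit"
    return False

class L3Device:
    """A router or Layer 3 switch; ACLs are bound per (interface, direction)."""
    def __init__(self):
        self.bindings = {}

    def access_group(self, iface, direction, acl):
        self.bindings[(iface, direction)] = acl

    def forward(self, pkt, ingress, egress):
        """A transit packet meets at most two ACLs: the inbound one on the
        interface it arrives on and the outbound one on the interface it
        leaves by. Returns (permitted, list of bindings consulted)."""
        consulted = []
        for iface, direction in ((ingress, "in"), (egress, "out")):
            acl = self.bindings.get((iface, direction))
            if acl is None:
                continue
            consulted.append(f"{iface}/{direction}")
            if not evaluate_acl(acl, pkt):
                return False, consulted
        return True, consulted

# Question 59. Gi0/1 is the internal interface named on the page; Gi0/0 as the
# external interface, the entries of ACL 100 and the web server address are assumptions.
ACL_100 = [Ace("permit", "tcp", "192.168.1.0/24", "any", 80),
           Ace("permit", "tcp", "192.168.1.0/24", "any", 443)]

def question_59(direction):
    r = L3Device()
    r.access_group("Gi0/1", direction, ACL_100)
    request = Packet("192.168.1.10", "203.0.113.5", "tcp", 443)   # user -> web server
    reply = Packet("203.0.113.5", "192.168.1.10", "tcp", 49152)   # web server -> user
    return {"request": r.forward(request, ingress="Gi0/1", egress="Gi0/0"),
            "reply": r.forward(reply, ingress="Gi0/0", egress="Gi0/1")}

# Question 61. The VLAN 10 ACL is quoted in the question. The ACL on the VLAN 30
# SVI, the firewall's inside address (transit subnet behind the switch) and the
# uplink name are assumptions.
ACL_VLAN10_IN = [Ace("permit", "ip", "192.168.10.0/24", "192.168.30.0/24"),
                 Ace("deny",   "ip", "any",             "192.168.20.0/24"),
                 Ace("permit", "ip", "any",             "any")]
ACL_VLAN30_IN = [Ace("permit", "ip", "192.168.30.0/24", "192.168.10.0/24")]   # assumed
FIREWALL_INSIDE = "10.255.0.1"                                                 # assumed

def question_61():
    sw = L3Device()
    sw.access_group("Vlan10", "in", ACL_VLAN10_IN)
    sw.access_group("Vlan30", "in", ACL_VLAN30_IN)
    web, user = "192.168.30.10", "192.168.10.25"
    direct_reply = Packet(web, user, "tcp", 50000)
    # The firewall source-NATs the hairpinned session, so the server's reply is
    # addressed to the firewall and leaves via the default gateway (VLAN 30 SVI).
    hairpin_reply = Packet(web, FIREWALL_INSIDE, "tcp", 50001)
    return {"direct_reply": sw.forward(direct_reply, "Vlan30", "Vlan10")[0],
            "hairpin_reply": sw.forward(hairpin_reply, "Vlan30", "Gi1/0/24")[0]}
```

question_59("out") shows the request crossing the router with no ACL consulted at all, while the reply, which is the traffic that does leave through Gi0/1, is evaluated and hits the implicit deny because every entry is written with an internal source address; question_59("in") is the corrected binding, where the request is checked and the reply is not. question_61() shows the direct reply permitted on the VLAN 30 SVI and the hairpinned reply, addressed to the firewall, dropped there.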

62
MCQmedium

Refer to the exhibit. A security engineer applies this S3 bucket policy to restrict access. Users outside the 10.0.0.0/16 network report being denied access, which is expected. However, users inside that network also report access denied. What is the likely issue?

A.The condition syntax is incorrect and causes all requests to be evaluated incorrectly.
B.The Deny statement overrides the Allow statement for all requests.
C.The policy only allows GetObject; users likely need ListBucket or other actions.
D.The resource ARN includes a wildcard, causing a mismatch with the bucket name.
AnswerC

Only GetObject is allowed; any other action is implicitly denied.

Why this answer

Option C is correct because the S3 bucket policy only grants the s3:GetObject action, but users inside the 10.0.0.0/16 network are likely performing other actions such as s3:ListBucket (e.g., listing objects) or s3:PutObject. Even though the source IP condition allows access from the trusted network, the explicit Allow statement is scoped solely to GetObject. Any request for a different action (like listing the bucket) is implicitly denied, as IAM and S3 policies are deny-by-default unless an explicit Allow exists for that specific action. Two further points a practitioner should check: s3:ListBucket is evaluated against the bucket ARN (arn:aws:s3:::example-bucket), not the object ARN with the trailing /*, so adding the action to this Allow statement only helps if the bucket ARN is added to its Resource as well; and aws:SourceIp is matched against the address the request reaches AWS from, which is not a private VPC address when traffic goes through a NAT gateway or a VPC endpoint.

Exam trap

ISC2 often tests the misconception that a single Allow statement for one action (like GetObject) implicitly permits all other actions for users who satisfy the condition, when in reality each action requires its own explicit Allow.

How to eliminate wrong answers

Option A is wrong because the condition syntax (IpAddress with aws:SourceIp) is valid and correctly structured; an incorrect syntax would cause a policy parsing error, not a selective denial for both inside and outside users. Option B is wrong because the Deny statement only applies to requests originating outside the 10.0.0.0/16 network (due to the NotIpAddress condition), so it does not override the Allow for internal users; the Deny is scoped correctly and does not affect internal traffic. Option D is wrong because the resource ARN 'arn:aws:s3:::example-bucket/*' with a wildcard is standard for matching all objects in the bucket; it does not cause a mismatch with the bucket name, and the bucket name itself is explicitly stated.
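How the policy engine arrives at both outcomes, as an added example rather than the exhibit itself: a deliberately small evaluator for bucket policies that implements the three rules the explanation relies on (an explicit Deny wins, an Allow must match the action and the resource, everything else is implicitly denied). The policy below is a reconstruction from the description in this question; the bucket name, the CIDR and the client addresses are assumptions.

```python
import fnmatch
import ipaddress

# Reconstruction of the policy the question refers to; the exhibit is not
# reproduced on the page, so the bucket name and the CIDR are assumptions.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowReadFromCorpNet", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/16"}}},
        {"Sid": "DenyEverythingElsewhere", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/16"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, source_ip):
    """Only the two operators this policy uses are modelled."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        cidrs = [ipaddress.ip_network(c) for c in _as_list(keys["aws:SourceIp"])]
        inside = any(ip in c for c in cidrs)
        if operator == "IpAddress" and not inside:
            return False
        if operator == "NotIpAddress" and inside:
            return False
    return True

def evaluate(policy, action, resource, source_ip):
    """Simplified policy evaluation: an explicit Deny wins over everything, an
    Allow must match the action and the resource, and anything not explicitly
    allowed is implicitly denied. Action names are case-insensitive, ARNs are not."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"
        allowed = True
    return "allow" if allowed else "implicit deny"

def question_62():
    internal, external = "10.0.42.7", "198.51.100.9"   # constructed client addresses
    obj = "arn:aws:s3:::example-bucket/reports/q3.csv"
    bucket = "arn:aws:s3:::example-bucket"             # ListBucket is evaluated against the bucket ARN
    return {
        "internal GetObject": evaluate(BUCKET_POLICY, "s3:GetObject", obj, internal),
        "internal ListBucket": evaluate(BUCKET_POLICY, "s3:ListBucket", bucket, internal),
        "external GetObject": evaluate(BUCKET_POLICY, "s3:GetObject", obj, external),
    }
```

The internal ListBucket result is an implicit deny, not the explicit one: the Deny statement is skipped because its NotIpAddress condition is false for an internal address, and no Allow matches. Note also that the ListBucket request is evaluated against the bucket ARN without the trailing /*; adding s3:ListBucket to the Allow statement without adding arn:aws:s3:::example-bucket to its Resource would still leave internal users unable to list.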

63
MCQeasy

A helpdesk technician receives a report that a user in the finance department cannot access a shared folder on the server. The same server is accessible from other departments. What is the most likely cause?

A.The server is down
B.A firewall rule is blocking traffic from the finance VLAN to the server
C.The network cable is unplugged
D.The user's account is disabled
AnswerB

This explains why only the finance department is affected.

Why this answer

The scenario describes a user in the finance department unable to access a shared folder on a server that is reachable from other departments. This points to a segmentation or access control issue specific to the finance VLAN. A firewall rule blocking traffic from the finance VLAN to the server is the most likely cause because it would selectively prevent access for that subnet while allowing other VLANs to reach the server, matching the symptom of partial connectivity.

Exam trap

ISC2 often tests the concept of VLAN segmentation and firewall rules by presenting a symptom of partial connectivity, leading candidates to mistakenly focus on client-side issues (like a disabled account or cable problem) rather than network-layer access controls.

How to eliminate wrong answers

Option A is wrong because if the server were down, no users from any department would be able to access it, but the report states other departments can access the server. Option C is wrong because an unplugged network cable would cause a complete loss of network connectivity for the user, not just an inability to access a specific shared folder while other services still work. Option D is wrong because a disabled user account would fail authentication from any location, not specifically from the finance department; the symptom is tied to where the user is, not to who the user is.

64
MCQmedium

A network administrator is configuring a DMZ for a company's web and email servers. Which firewall rule is most appropriate for traffic from the internet to the DMZ?

A.Deny all inbound traffic to DMZ but allow outbound
B.Allow inbound HTTP, HTTPS, SMTP, and DNS to DMZ
C.Allow inbound only to the web server on ports 80 and 443
D.Allow all inbound traffic to DMZ
AnswerB

These are the required services for web and email servers.

Why this answer

Option B is correct because a DMZ must permit only the services its public-facing servers actually offer and block everything else inbound. HTTP (80) and HTTPS (443) reach the web server, SMTP (25) lets other mail servers deliver inbound mail, and DNS (53) is listed because a DMZ that hosts mail commonly also hosts the authoritative name server for the domain (the server that publishes the MX record). Each permit should be scoped to the specific host that offers the service, not to the whole DMZ subnet.

Exam trap

ISC2 often tests the misconception that a DMZ only ever needs web traffic (HTTP/HTTPS), so candidates forget that an email server has to accept SMTP from the internet and pick option C, which leaves the mail server unreachable.

How to eliminate wrong answers

Option A is wrong because denying all inbound traffic to the DMZ would prevent external users from accessing the web and email servers, defeating the purpose of a DMZ. Option C is wrong because it covers only the web server: with no inbound SMTP on port 25, other mail servers cannot deliver to the email server at all. One caveat: a mail server's own lookups of remote MX records are outbound DNS queries and need an outbound permit, not an inbound one; inbound DNS is justified only if the DMZ also answers authoritative queries for the domain. Option D is wrong because allowing all inbound traffic to the DMZ violates security best practices and would expose the servers to port scanning and exploitation of non-essential services.

65
MCQeasy

A company wants to segment its network into separate broadcast domains to improve performance and security. Which device should be used to achieve this?

A.Switch
B.Hub
C.Repeater
D.Router
AnswerD

Routers segment broadcast domains by forwarding packets based on IP addresses.

Why this answer

A router is the correct device because it operates at Layer 3 (Network layer) of the OSI model and can segment a network into separate broadcast domains by forwarding packets based on IP addresses while blocking broadcast traffic (e.g., ARP requests) from crossing between interfaces. This isolation improves performance by reducing broadcast overhead and enhances security by controlling traffic flow between segments.

Exam trap

A switch with VLANs configured does create separate broadcast domains, so the trap is not that VLANs fail to segment; it is that the option here is a plain switch, and even with VLANs a Layer 3 device (a router or a Layer 3 switch) is still needed to forward traffic between those broadcast domains and to enforce policy between them.

How to eliminate wrong answers

Option A is wrong because a switch operates at Layer 2 and forwards frames based on MAC addresses, but it does not block broadcast traffic—all ports in the same VLAN belong to the same broadcast domain, so a switch alone cannot create separate broadcast domains without VLANs. Option B is wrong because a hub is a Layer 1 device that simply repeats electrical signals to all ports, creating a single collision domain and a single broadcast domain, offering no segmentation. Option C is wrong because a repeater is also a Layer 1 device that regenerates signals to extend cable distance but does not filter or segment traffic, so it cannot create separate broadcast domains.

66
Multi-Selecthard

A security team is investigating a potential ARP spoofing attack on the local network. Which two measures can effectively detect or prevent such attacks? (Choose two.)

Select 2 answers
A.Disable ICMP redirects on hosts.
B.Enable DHCP snooping and Dynamic ARP Inspection (DAI) on the switches.
C.Use MAC address filtering on switches.
D.Enable STP BPDU guard.
E.Configure static ARP entries on critical servers.
AnswersB, E

DHCP snooping with DAI validates ARP packets against DHCP bindings.

Why this answer

Dynamic ARP Inspection (DAI) uses DHCP snooping binding tables to validate ARP packets, ensuring that only legitimate IP-to-MAC address mappings are accepted on untrusted ports. This directly prevents ARP spoofing by dropping malicious ARP replies that do not match the binding table. Configuring static ARP entries on critical servers hardcodes the IP-to-MAC mapping, so the server will ignore any spoofed ARP replies attempting to redirect traffic. Static entries protect only the host they are configured on and must be maintained by hand, so they are practical for a handful of critical servers (typically pinning the gateway's address), not as a network-wide control; DAI is the scalable defence.

Exam trap

ISC2 often tests the distinction between Layer 2 security features (like DAI and DHCP snooping) and Layer 3 or other mitigation techniques (like ICMP redirects or BPDU guard), leading candidates to confuse unrelated security controls with ARP-specific defenses.
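DAI and a static ARP entry side by side, as an added simulation that is not part of the original page. The binding table, port roles, addresses and the three ARP frames are constructed; the checks are the ones the switch feature performs (trusted ports bypass inspection, untrusted ports must match a DHCP snooping binding, optional source-MAC validation), followed by what a host with a pinned gateway entry does with a spoofed reply.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpPacket:
    port: str          # switch port the frame arrived on
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str    # hardware address in the ARP payload
    src_mac: str       # Ethernet source address of the frame

# Constructed DHCP snooping binding table: (ip, mac, port). A real switch
# builds this by watching DHCP ACKs that arrive on trusted ports.
BINDINGS = {
    ("192.168.10.25", "aa:bb:cc:00:00:25", "Gi1/0/5"),
    ("192.168.10.26", "aa:bb:cc:00:00:26", "Gi1/0/6"),
}
TRUSTED_PORTS = {"Gi1/0/24"}                        # uplink toward the gateway and DHCP server
GATEWAY_IP, GATEWAY_MAC = "192.168.10.1", "aa:bb:cc:00:00:01"
STATIC_ARP = {GATEWAY_IP: GATEWAY_MAC}               # static entry on a critical server

def dai_verdict(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Dynamic ARP Inspection. ARP from a trusted port is forwarded as-is; on an
    untrusted port the sender IP/MAC pair must match a binding learned on that
    port, and (with 'ip arp inspection validate src-mac') the ARP sender MAC
    must equal the Ethernet source MAC."""
    if pkt.port in trusted:
        return "forward (trusted port)"
    if pkt.src_mac != pkt.sender_mac:
        return "drop (src-mac validation failed)"
    if (pkt.sender_ip, pkt.sender_mac, pkt.port) in bindings:
        return "forward"
    return "drop (no matching DHCP snooping binding)"

def host_accepts_reply(pkt, arp_cache, static=STATIC_ARP):
    """Host side: a static ARP entry is never overwritten by a received reply,
    so a spoofed gateway mapping is ignored on the server that pins it."""
    if pkt.sender_ip in static:
        return pkt.sender_mac == static[pkt.sender_ip]
    arp_cache[pkt.sender_ip] = pkt.sender_mac
    return True

# Constructed traffic: a legitimate request, the real gateway answering over the
# uplink, and an attacker on Gi1/0/7 claiming the gateway's IP address.
LEGIT_REQUEST = ArpPacket("Gi1/0/5", "request", "192.168.10.25", "aa:bb:cc:00:00:25", "aa:bb:cc:00:00:25")
GATEWAY_REPLY = ArpPacket("Gi1/0/24", "reply", GATEWAY_IP, GATEWAY_MAC, GATEWAY_MAC)
SPOOFED_REPLY = ArpPacket("Gi1/0/7", "reply", GATEWAY_IP, "ee:ee:ee:00:00:99", "ee:ee:ee:00:00:99")

def question_66():
    cache = {}
    return {
        "dai": {p.port: dai_verdict(p) for p in (LEGIT_REQUEST, GATEWAY_REPLY, SPOOFED_REPLY)},
        "server_accepts_spoof": host_accepts_reply(SPOOFED_REPLY, cache),
        "server_accepts_gateway": host_accepts_reply(GATEWAY_REPLY, cache),
    }
```

The spoofed reply is dropped at the switch before any host sees it, which is why DAI is the network-wide control; the static entry protects only the server that has it, as calling host_accepts_reply with an empty static table shows (the cache is poisoned). DAI also drops legitimate hosts with static addresses unless they have an ARP ACL or a manual binding, which is the usual operational caveat when enabling it.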

67
MCQeasy

A small company has a single flat network with no segmentation. They recently experienced a malware outbreak that spread quickly across all devices. The IT manager wants to implement network segmentation to contain future outbreaks with minimal cost and complexity. The company currently has a single switch and a router/firewall appliance. The network consists of three departments: Sales, HR, and Engineering. After analyzing the requirements, what is the best course of action?

A.Deploy a next-generation firewall between the switch and the router to inspect traffic
B.Replace the single switch with multiple managed switches and create VLANs for each department, then connect them to the firewall
C.Implement 802.1X authentication on the switch to control device access
D.Install host-based firewalls on all endpoints
AnswerB

This provides logical segmentation using VLANs, containing outbreaks.

Why this answer

Option B is correct because VLANs logically segment the flat network into separate broadcast domains for Sales, HR, and Engineering, containing malware spread at Layer 2. Using multiple managed switches with VLANs and trunking to the firewall allows inter-VLAN traffic to be inspected and controlled by the firewall, providing segmentation with minimal cost and complexity. This approach leverages existing hardware (router/firewall) and avoids the expense of additional appliances.

Exam trap

ISC2 often tests the misconception that adding a firewall or security appliance alone provides segmentation, when in fact segmentation requires separating Layer 2 broadcast domains (via VLANs or physical separation) before applying access controls.

How to eliminate wrong answers

Option A is wrong because deploying a next-generation firewall between the switch and router inspects traffic but does not create network segmentation; the flat network remains, so malware can still spread laterally across all devices at Layer 2. Option C is wrong because 802.1X authentication controls device access to the network port but does not segment traffic between departments; once authenticated, devices are still on the same flat network and vulnerable to lateral movement. Option D is wrong because host-based firewalls on endpoints provide per-device protection but do not segment the network; malware can still propagate via broadcast traffic or direct Layer 2 communication between hosts.

68
Multi-Selecthard

Which TWO of the following are recognized as benefits of network segmentation?

Select 2 answers
A.Reduced attack surface
B.Easier monitoring
C.Increased broadcast domains
D.Simplified IP address management
E.Containment of breaches
AnswersA, E

Segmentation limits access to sensitive resources, reducing the attack surface.

Why this answer

Option A (Reduced attack surface) and Option E (Containment of breaches) are correct. Segmentation limits which hosts can reach a given resource, so fewer services are exposed to any one attacker, and an intrusion in one segment cannot spread freely to the others.

Option C (Increased broadcast domains) is a side effect of segmenting at Layer 3, not a benefit in itself. Option D (Simplified IP address management) is an administrative matter, not a security benefit. Option B (Easier monitoring) is a secondary effect, since the choke points between segments are convenient places for sensors, rather than a primary benefit of segmentation.

69
MCQmedium

Based on the exhibit, what is the most likely result of the client's HTTP request?

A.The HTTP request is permitted because the ACL is applied to the wrong interface.
B.The HTTP request is permitted because the ACL only blocks traffic from the router's own IP.
C.The HTTP request is blocked, and all other traffic from the client is also blocked.
D.The HTTP request is blocked, but other traffic from the client is allowed.
AnswerD

The ACL denies TCP port 80, then permits all other IP traffic.

Why this answer

The exhibit shows an extended ACL applied inbound on the client's interface whose first entry denies TCP traffic from the client to the server on port 80 (HTTP), followed by a permit ip any any that matches everything else. Because an ACL is evaluated top-down and the first matching entry wins, the HTTP request matches the deny and is dropped, while the client's other traffic (DNS, ICMP, other TCP ports) matches the permit and is forwarded. Option D describes exactly this behaviour.

Exam trap

ISC2 often tests the misconception that any deny in an ACL means everything from that source is blocked; here the explicit permit ip any any after the deny means only HTTP is affected, so candidates may incorrectly choose Option C thinking all traffic is blocked.

How to eliminate wrong answers

Option A is wrong because the ACL is applied on the client's ingress interface in the inbound direction, so it does evaluate the client's traffic. Option B is wrong because the entries match on source and destination address and port, not on the router's own address, so there is no sense in which the ACL "only blocks traffic from the router's own IP". Option C is wrong because the permit ip any any entry after the deny forwards all non-HTTP traffic; only TCP port 80 from the client to the server is dropped.

70
MCQeasy

Which of the following protocols provides secure remote administration of a network device over an untrusted network?

A.SNMPv1
B.Telnet
C.HTTP
D.SSH
AnswerD

SSH provides encrypted remote access, securing the session.

Why this answer

SSH (Secure Shell) is correct because it encrypts all traffic, including authentication credentials and commands, using strong cryptographic algorithms, making it safe for remote administration over untrusted networks. It operates on TCP port 22 and provides confidentiality, integrity, and authentication, unlike cleartext protocols. SSH is the standard for secure CLI access to network devices such as routers and switches. Use SSH version 2 only; SSHv1 has known protocol weaknesses and should be disabled on devices that still offer it.

Exam trap

ISC2 often tests the distinction between 'secure' and 'insecure' protocols, and the trap here is that candidates may confuse Telnet with SSH because both provide remote CLI access, forgetting that Telnet lacks encryption entirely.

How to eliminate wrong answers

Option A is wrong because SNMPv1 uses community strings in cleartext and lacks encryption or authentication, making it insecure for remote administration over untrusted networks. Option B is wrong because Telnet transmits all data, including usernames and passwords, in plaintext, allowing anyone with packet capture access to intercept credentials and commands. Option C is wrong because HTTP transmits data unencrypted, and while HTTPS exists, the question specifies HTTP, which provides no security for remote administration.
