CCNA Communication and Network Security Questions

73 questions · Communication and Network Security · All types, answers revealed

1
MCQ · easy

An organization wants to ensure that only devices that meet security policies can connect to the network. Which technology should be deployed?

A. Firewall
B. SIEM
C. IDS
D. NAC
Answer: D

NAC controls network access based on device compliance.

Why this answer

Network Access Control (NAC) is the correct technology because it enforces security policies by assessing the compliance of devices (e.g., patch level, antivirus status, OS version) before granting network access. NAC can quarantine non-compliant devices, redirect them to a remediation network, or block them entirely, ensuring only authorized and policy-compliant endpoints connect.

Exam trap

The trap here is confusing NAC with a firewall or IDS, as candidates often think a firewall's access control lists (ACLs) are sufficient for device compliance, but NAC specifically performs pre-admission posture checking that firewalls cannot do.

How to eliminate wrong answers

Option A is wrong because a firewall controls traffic between network segments based on IP addresses, ports, and protocols, but it does not assess the security posture of individual devices before allowing them onto the network. Option B is wrong because a Security Information and Event Management (SIEM) system collects and analyzes logs from various sources for threat detection and incident response, but it does not enforce pre-connection device compliance. Option C is wrong because an Intrusion Detection System (IDS) monitors network traffic for malicious activity and alerts administrators, but it cannot block or conditionally allow devices based on security policy checks at the point of connection.

2
MCQ · easy

A company is deploying a wireless network for guests. The security requirement is to provide internet access only, with no access to the internal corporate network. Which technology should be used?

A. WPA3-SAE
B. MAC address filtering
C. A separate guest VLAN with ACLs restricting access to internal networks
D. WPA2-Enterprise with 802.1X
Answer: C

A guest VLAN combined with ACLs that block access to internal subnets ensures guests can only reach the internet.

Why this answer

A separate guest VLAN with ACLs restricting access to internal networks is the correct choice because it provides network segmentation at Layer 2 (VLAN) and Layer 3/4 (ACLs), ensuring guest traffic is isolated from the corporate network while allowing internet access. This approach aligns with the principle of least privilege and is a standard best practice for guest wireless deployments, as it does not rely on authentication or encryption alone to enforce access control.

Exam trap

The trap here is that candidates often confuse strong authentication (WPA2-Enterprise or WPA3) with network segmentation, failing to realize that authentication alone does not enforce access boundaries between guest and corporate networks.

How to eliminate wrong answers

Option A is wrong because WPA3-SAE is an authentication and encryption protocol for securing wireless connections, but it does not inherently restrict which networks or resources a connected device can access; it only secures the wireless link. Option B is wrong because MAC address filtering is a weak, easily spoofed access control method that only controls which devices can associate with the access point, not what those devices can reach after association; it provides no network-level segmentation. Option D is wrong because WPA2-Enterprise with 802.1X provides strong per-user authentication and encryption, but it does not by itself prevent authenticated users from accessing internal corporate resources; it lacks the VLAN and ACL enforcement needed for network isolation.

3
MCQ · medium

An organization is implementing IPsec VPN tunnels between multiple branch offices and the main office. The security team notices that the VPN tunnels are established successfully but no traffic passes through. Which of the following is the most likely cause?

A. Certificates expired
B. Mismatched encryption algorithm
C. Incorrect routing entries in the VPN routing table
D. Mismatched IKE version
Answer: C

If routes are missing or misconfigured, traffic will not be forwarded into the tunnel even though the tunnel is operational.

Why this answer

When IPsec VPN tunnels are established (IKE Phase 1 and Phase 2 complete) but no traffic passes, the most common cause is incorrect routing entries in the VPN routing table. The tunnel may be up, but if the branch office does not have a route pointing the destination subnet to the tunnel interface (e.g., a static route or policy-based route), packets will be sent out the physical interface unencrypted or dropped. This is distinct from authentication or encryption mismatches, which would prevent tunnel establishment entirely.

Exam trap

The trap here is that candidates assume a successful tunnel establishment (Phase 1 and Phase 2 UP) guarantees traffic flow, but ISC2 often tests the subtle distinction between control plane success and data plane forwarding, where routing misconfigurations silently drop traffic.

How to eliminate wrong answers

Option A is wrong because expired certificates would cause IKE authentication to fail during Phase 1, preventing the VPN tunnel from being established at all. Option B is wrong because a mismatched encryption algorithm would cause IKE Phase 2 negotiation to fail, so the tunnel would not reach an established state. Option D is wrong because a mismatched IKE version (e.g., IKEv1 vs IKEv2) would prevent the initial IKE SA from forming, again blocking tunnel establishment.

4
MCQ · hard

Refer to the exhibit. A network administrator sees that IPsec IKE negotiations fail between site A and site B. Site B's firewall has the above ACL applied inbound on the external interface. What is the most likely cause?

A. The ACL permits only TCP and UDP but not ESP packets.
B. The ACL permits only TCP and UDP but not IKE and IPsec traffic.
C. The ACL permits only TCP and UDP but not L2TP.
D. The ACL permits only TCP and UDP but not AH packets.
Answer: A

ESP uses IP protocol 50, not TCP or UDP.

Why this answer

The ACL permits TCP and UDP only. IPsec ESP uses IP protocol 50 (not TCP/UDP), so ESP packets are denied by the implicit deny rule. While IKE (UDP 500/4500) is permitted, the actual data traffic after IKE negotiation fails because ESP is blocked.

5
MCQ · hard

A security engineer is troubleshooting a site-to-site IPsec VPN between two firewalls. The tunnel status shows Phase 1 is up but Phase 2 is not. Which of the following is the most likely cause?

A. Incorrect pre-shared key
B. Mismatched authentication algorithm
C. Firewall rule blocking IKE traffic
D. Mismatched proxy IDs (traffic selectors)
Answer: D

Proxy IDs define which traffic should be encrypted; if they don't match, Phase 2 fails.

Why this answer

Phase 1 (IKE SA) establishes a secure channel for key exchange, while Phase 2 (IPsec SA) negotiates the specific traffic to be encrypted. If Phase 1 is up but Phase 2 fails, the most common cause is a mismatch in proxy IDs (traffic selectors), such as local/remote subnets or ports, which prevents the two peers from agreeing on which traffic to protect. This is distinct from authentication or encryption mismatches, which would typically cause Phase 1 to fail.

Exam trap

ISC2 often tests the distinction between Phase 1 and Phase 2 failures, and the trap here is that candidates mistakenly attribute Phase 2 failures to authentication or encryption mismatches, which actually affect Phase 1, not the traffic selector negotiation in Phase 2.

How to eliminate wrong answers

Option A is wrong because an incorrect pre-shared key would cause Phase 1 authentication to fail, preventing the IKE SA from being established. Option B is wrong because a mismatched authentication algorithm (e.g., SHA-1 vs SHA-256) would also cause Phase 1 negotiation to fail during the IKE proposal exchange. Option C is wrong because a firewall rule blocking IKE traffic (UDP 500/4500) would prevent Phase 1 from completing, not just Phase 2.

6
MCQ · medium

A security analyst is reviewing network logs and sees repeated failed connection attempts from an external IP to the company's SSH server (port 22). The firewall has a rule allowing SSH from anywhere. What is the best immediate action to reduce risk?

A. Remove the firewall rule allowing SSH.
B. Disable SSH access entirely.
C. Change the SSH port to a high-numbered port and restrict source IPs if possible.
D. Block the offending IP address in the firewall.
Answer: C

Changing the port reduces automated scans, and restricting source IPs adds defense.

Why this answer

Option C is correct because changing the SSH port to a non-standard, high-numbered port reduces automated scanning and brute-force attacks by evading default port 22 scans, while restricting source IPs adds a layer of access control. This balances security with operational continuity, as SSH remains available for legitimate administrative use. The immediate risk reduction comes from making the service less discoverable and limiting the attack surface without fully disabling remote access.

Exam trap

The trap here is that candidates often choose Option D (block the offending IP) because it seems like a quick fix, but they fail to recognize that automated attacks rotate IPs constantly, making this a temporary and ineffective solution compared to changing the port and restricting sources.

How to eliminate wrong answers

Option A is wrong because removing the firewall rule entirely would block all SSH traffic, including legitimate administrative access, causing a denial of service and violating the principle of least disruption. Option B is wrong because disabling SSH access entirely is an extreme measure that would prevent all remote administration, which is often operationally necessary and not a proportional response to failed connection attempts. Option D is wrong because blocking only the offending IP address is a reactive, temporary measure that does not address the root cause—automated scanners will simply use a different source IP, and the SSH service remains exposed on the default port.

7
MCQ · hard

Refer to the exhibit. Which of the following is true regarding the wireless clients?

A. There is only one client on the Corporate WLAN.
B. The client with MAC cc:dd:ee:ff:00:11 is using 802.1X authentication.
C. All clients are using WPA2 encryption.
D. The client with MAC 66:77:88:99:aa:bb is using 802.1X authentication.
Answer: D

Correct. That client is on WLAN 2 which uses 802.1X.

Why this answer

Client with MAC 00:11:22:33:44:55 is associated to WLAN 1 (Guest) which uses Open authentication. Client 66:77:88:99:aa:bb is associated to WLAN 2 (Corporate) which uses 802.1X. Client cc:dd:ee:ff:00:11 is associated to WLAN 1.

Therefore, there are two clients on the Guest WLAN and one on the Corporate WLAN.

8
Multi-Select · medium

Which two methods provide strong encryption and authentication for wireless networks? (Choose TWO.)

Select 2 answers
A. WEP
B. WPA2-PSK
C. WPA2-Enterprise
D. MAC filtering
E. WPA3
Answers: C, E

Uses 802.1X with RADIUS for strong authentication.

Why this answer

WPA2-Enterprise (C) is correct because it uses IEEE 802.1X authentication with a RADIUS server, providing mutual authentication and per-session dynamic encryption keys via the 4-way handshake using AES-CCMP. WPA3 (E) is correct because it introduces Simultaneous Authentication of Equals (SAE) to replace the pre-shared key (PSK) handshake, offering forward secrecy and stronger encryption with GCMP-256, and also supports 802.1X for enterprise deployments.

Exam trap

The trap here is that candidates often confuse WPA2-PSK with WPA2-Enterprise, assuming both provide strong authentication, but the exam tests the distinction that PSK lacks per-user authentication and is vulnerable to dictionary attacks, while Enterprise uses RADIUS for robust identity verification.

9
MCQ · hard

A financial institution is implementing a zero-trust network architecture (ZTNA) using micro-segmentation. They have a legacy accounting application that runs on a Windows Server and communicates with multiple client workstations using both TCP and UDP dynamic ports (49152-65535) for various features. After deploying strict host-based firewall rules that only allow specific ports, users report that the application frequently loses connection and fails to authenticate. The security team verified that the application's required ports are allowed, but the dynamic port negotiation fails because the application uses a proprietary protocol that includes ephemeral ports outside the allowed range. The application vendor is no longer supporting it. The organization cannot replace the application immediately. What is the MOST effective short-term solution?

A. Configure NAT traversal to translate the dynamic ports to static ones.
B. Create a firewall rule allowing all traffic from the application server to the client subnets.
C. Disable the host-based firewall on the application server to eliminate connectivity issues.
D. Deploy a reverse proxy in front of the application that performs deep packet inspection to negotiate and manage dynamic port allocations.
Answer: D

The proxy can understand the proprietary protocol and adjust firewall rules dynamically or relay traffic securely, maintaining segmentation.

Why this answer

Option D is correct because deploying a reverse proxy with deep packet inspection (DPI) can intercept the proprietary protocol's dynamic port negotiation, map the ephemeral ports (49152-65535) to static, predictable ports, and manage the connections transparently. This allows the legacy application to function without modifying its code or the host firewall rules, providing an immediate workaround while maintaining zero-trust micro-segmentation principles.

Exam trap

The trap here is that candidates may assume disabling the firewall (Option C) or opening broad rules (Option B) is acceptable for legacy compatibility, but the CISSP exam emphasizes that security controls must be preserved even during workarounds, and a reverse proxy with DPI is the correct architectural solution to handle dynamic port protocols.

How to eliminate wrong answers

Option A is wrong because NAT traversal (e.g., STUN, TURN, or UPnP) is designed for peer-to-peer communication across NAT devices, not for translating dynamic ports to static ones within a host firewall; it would not resolve the proprietary protocol's ephemeral port negotiation failure. Option B is wrong because allowing all traffic from the application server to client subnets violates the zero-trust principle of least privilege and would expose the network to unnecessary risk, effectively bypassing micro-segmentation. Option C is wrong because disabling the host-based firewall eliminates the security control entirely, leaving the server vulnerable to attacks and contradicting the zero-trust architecture's requirement for strict per-host enforcement.

10
MCQ · easy

A company wants to secure its wireless network. Which approach provides the strongest authentication and encryption?

A. WEP
B. Disabling SSID broadcast
C. WPA2-Enterprise with RADIUS
D. WPA2-PSK with a strong passphrase
Answer: C

Provides per-user authentication and strong encryption.

Why this answer

WPA2-Enterprise with RADIUS provides the strongest authentication and encryption for wireless networks because it uses 802.1X/EAP for per-user authentication against a central RADIUS server, and AES-CCMP for encryption. This eliminates the shared passphrase vulnerability of PSK modes and supports dynamic, unique encryption keys per session, making it resistant to offline dictionary attacks and key reuse.

Exam trap

The trap here is that candidates often choose WPA2-PSK with a strong passphrase (Option D) because they think a long, complex passphrase is sufficient, but they overlook that PSK still lacks per-user authentication and is vulnerable to offline brute-force attacks once the 4-way handshake is captured.

How to eliminate wrong answers

Option A is wrong because WEP uses the flawed RC4 stream cipher with a static 40- or 104-bit key and weak IVs, making it trivially crackable in minutes with tools like aircrack-ng. Option B is wrong because disabling SSID broadcast is a security-by-obscurity measure that does not provide authentication or encryption; the SSID is still leaked in probe requests and management frames, and an attacker can easily discover it. Option D is wrong because WPA2-PSK relies on a single pre-shared key (PMK) derived from the passphrase, which is vulnerable to offline dictionary attacks if the passphrase is weak, and all users share the same key, preventing individual accountability and revocation.

11
MCQ · hard

Refer to the exhibit. A security analyst is reviewing the network ACL inbound rules. Which statement is true?

A. SSH access is limited to the 10.0.0.0/8 subnet.
B. Outbound rules are not shown.
C. The rule order is irrelevant.
D. All inbound HTTP traffic is denied.
Answer: A

SSH is allowed only from the specified source.

Why this answer

Option A is correct because the ACL inbound rule explicitly permits TCP port 22 (SSH) only from source IP addresses within the 10.0.0.0/8 range, and the implicit deny at the end of the ACL blocks all other traffic, including SSH from any other subnet. This restricts SSH administrative access to the private 10.0.0.0/8 network, enhancing security by preventing external SSH connections.

Exam trap

ISC2 often tests the implicit deny at the end of an ACL. The trap is assuming HTTP is denied simply because no rule explicitly denies it; the implicit deny only blocks traffic that matches no rule, and here HTTP is explicitly permitted, so it is allowed.

How to eliminate wrong answers

Option B is wrong because the exhibit only shows inbound rules, and the statement 'Outbound rules are not shown' is a factual observation that does not make any claim about the ACL's behavior; it is not a true statement about the ACL's effect. Option C is wrong because ACL rules are evaluated sequentially from top to bottom, and the first matching rule determines the action; rule order is critical, especially when there are both permit and deny entries. Option D is wrong because the ACL includes a permit rule for TCP port 80 (HTTP) from any source, so inbound HTTP traffic is explicitly allowed, not denied.

12
Multi-Select · hard

Which TWO of the following are common causes of network performance degradation that can be detected by network monitoring tools?

Select 2 answers
A. Incorrect default gateway
B. High CPU utilization on routers
C. Duplex mismatch on a link
D. Excessive broadcast traffic
E. DNS misconfiguration
Answers: C, D

Duplex mismatch causes collisions and retransmissions, significantly degrading performance.

Why this answer

Duplex mismatch occurs when one end of an Ethernet link is configured for full-duplex and the other for half-duplex, causing frame collisions, CRC errors, and severe performance degradation. Network monitoring tools detect this through interface error counters (e.g., runts, FCS errors, late collisions) and can alert on excessive errors. This is a common physical-layer issue that directly impacts throughput and latency.

Exam trap

ISC2 often tests duplex mismatch as a classic performance issue, and the trap here is that candidates confuse 'high CPU utilization on routers' (a symptom) with a direct cause of degradation, or they mistakenly think DNS misconfiguration affects network throughput rather than just name resolution.

13
MCQ · hard

In a software-defined network (SDN) architecture, the control plane is separated from the data plane. A network administrator is troubleshooting packet forwarding delays. Which plane is directly responsible for forwarding packets?

A. Data plane
B. Application plane
C. Control plane
D. Management plane
Answer: A

Directly responsible for forwarding packets based on flow tables.

Why this answer

In SDN, the data plane (also called the forwarding plane) is directly responsible for forwarding packets based on flow table entries installed by the controller. It handles per-packet operations like looking up destination addresses, applying actions (e.g., output to port, drop, modify header), and forwarding at line rate. Packet forwarding delays are typically caused by data plane issues such as flow table misses, hardware forwarding pipeline congestion, or inefficient TCAM lookups.

Exam trap

ISC2 often tests the misconception that the control plane is responsible for forwarding because it makes routing decisions, but in SDN the control plane only programs the data plane, which actually performs the forwarding.

How to eliminate wrong answers

Option B (Application plane) is wrong because it hosts network applications (e.g., load balancers, firewalls) that communicate with the controller via northbound APIs, but it does not directly forward packets. Option C (Control plane) is wrong because it makes forwarding decisions and populates flow tables (e.g., via OpenFlow or NETCONF), but the actual packet forwarding is executed by the data plane. Option D (Management plane) is wrong because it handles administrative tasks like configuration, monitoring, and fault management (e.g., SNMP, CLI), not real-time packet forwarding.

14
MCQ · easy

Refer to the exhibit. A security team is reviewing switch configurations and notices that the native VLAN is set to VLAN 10. An attacker on an access port in VLAN 10 sends a frame with a VLAN tag of VLAN 20 inside another frame. Which type of attack does this configuration make possible?

A. DHCP starvation
B. VLAN hopping via double tagging
C. ARP spoofing
D. MAC flooding
Answer: B

Double tagging is possible when the native VLAN is used on trunk ports; the attacker can send frames with two tags to hop VLANs.

Why this answer

With the native VLAN set to VLAN 10, an attacker on an access port in VLAN 10 can craft a frame with an outer 802.1Q tag for VLAN 10 (the native VLAN) and an inner tag for VLAN 20. When the first switch forwards the frame onto a trunk, it strips the outer tag because it matches the native VLAN, leaving the inner VLAN 20 tag; the next switch then delivers the frame into VLAN 20. This is the classic VLAN hopping via double tagging attack, which exploits native VLAN behavior on trunk ports.

Exam trap

ISC2 often tests the misconception that VLAN hopping only occurs via DTP (Dynamic Trunking Protocol) negotiation, but double tagging is a separate attack that exploits the native VLAN behavior on trunk ports.

How to eliminate wrong answers

Option A is wrong because DHCP starvation floods the DHCP server with fake requests to exhaust IP addresses, which is unrelated to VLAN tagging or native VLAN manipulation. Option C is wrong because ARP spoofing involves sending forged ARP replies to associate a malicious MAC with a legitimate IP, not exploiting double tagging or native VLANs. Option D is wrong because MAC flooding overwhelms the switch's MAC address table to force flooding of frames, which is a different Layer 2 attack that does not involve VLAN tag manipulation.

15
MCQ · easy

A remote user needs to securely connect to the corporate network over the internet. Which protocol provides both encryption and authentication?

A. L2TP
B. PPTP
C. SSL
D. IPsec
Answer: D

IPsec provides encryption and authentication for VPNs.

Why this answer

IPsec is the correct answer because it is a suite of protocols (AH and ESP) that provides both encryption (confidentiality) and authentication (integrity and origin verification) at the network layer. It operates in either transport or tunnel mode, making it suitable for secure site-to-site or remote-access VPNs over the internet.

Exam trap

The trap here is that candidates often confuse L2TP or PPTP as providing encryption, when in fact L2TP requires IPsec for security and PPTP is deprecated due to weak encryption and authentication flaws.

How to eliminate wrong answers

Option A is wrong because L2TP is a tunneling protocol that provides only encapsulation, not encryption or authentication; it relies on an additional protocol like IPsec (L2TP/IPsec) to secure the connection. Option B is wrong because PPTP uses MPPE for encryption but has known vulnerabilities (e.g., weak authentication via MS-CHAPv2) and does not provide strong mutual authentication or integrity protection. Option C is wrong because SSL (now TLS) provides encryption and authentication at the transport layer, but it is typically used for securing web traffic (HTTPS) and not as a native network-layer VPN protocol for remote user connectivity to a corporate network; while SSL VPNs exist, the question asks for a protocol that provides both encryption and authentication, and IPsec is the direct answer in the context of network-layer security.

16
Multi-Select · hard

Which TWO security controls are most effective in preventing VLAN hopping attacks?

Select 2 answers
A. Set the native VLAN to an unused VLAN ID.
B. Disable Dynamic Trunking Protocol (DTP) on access ports.
C. Use VLAN access control lists (VACLs) to filter traffic between VLANs.
D. Implement DHCP snooping on all VLANs.
E. Enable Spanning Tree Protocol (STP) on all switches.
Answers: A, B

Prevents double-tagging attacks.

Why this answer

Setting the native VLAN to an unused VLAN ID prevents VLAN hopping via double-tagging attacks. In a double-tagging attack, an attacker sends frames with two 802.1Q tags; the first switch strips the outer tag, forwarding the frame on the native VLAN (which is typically VLAN 1). By changing the native VLAN to an unused ID, any double-tagged frame arriving on an access port will have its outer tag removed and be forwarded onto that unused VLAN, where no legitimate hosts exist, thus breaking the attack path.

Exam trap

ISC2 often tests the distinction between Layer 2 attacks and Layer 3/4 controls; the trap here is that candidates see 'VLAN' and 'ACL' in option C and assume VACLs can prevent VLAN hopping, when in fact VACLs operate after the VLAN has already been assigned and do not stop the initial trunk negotiation or double-tagging.

17
MCQ · medium

Refer to the exhibit. An administrator reviews the logs on router1. Which statement describes the events?

A. The SSH service is disabled on router1.
B. A successful SSH login from 192.0.2.100 occurred.
C. The router is configured to allow unlimited SSH authentication attempts.
D. Two different IP addresses attempted brute-force SSH authentication.
Answer: D

Correct. Both IPs made multiple failed attempts.

Why this answer

The logs show repeated failed SSH login attempts for the user 'admin' from two different IP addresses (192.0.2.100 and 198.51.100.50). Each IP made three attempts before the connection was closed (likely due to authentication failure threshold). This pattern indicates a brute-force attack on the SSH service.

18
MCQ · medium

Refer to the exhibit. The firewall rules above are applied to the outside interface. A penetration tester from the internet attempts to establish a connection to 192.168.1.10 on TCP port 8080. What will happen?

A. The connection is permitted only if the tester uses a VPN
B. The connection is permitted
C. The connection is denied because the destination is not reachable
D. The connection is denied because the port is not explicitly allowed
Answer: D

The firewall denies any traffic not matching a permit rule due to the implicit deny.

Why this answer

Option D is correct because firewall rules operate on an implicit-deny model: if no rule explicitly permits traffic, it is denied by default. Since the exhibit shows no rule allowing TCP port 8080 from the internet to 192.168.1.10, the connection is dropped. The destination is reachable (192.168.1.10 is a valid internal IP), but the lack of an explicit permit for port 8080 causes the denial.

Exam trap

The trap here is that candidates assume a destination IP is reachable if it exists on the network, but the question tests the understanding that firewall rules control access based on port and protocol, not just IP reachability.

How to eliminate wrong answers

Option A is wrong because VPN is irrelevant here; the firewall rules do not reference VPN, and a VPN would not override the implicit-deny for port 8080 unless a specific rule permits it. Option B is wrong because the connection is not permitted; there is no rule allowing TCP port 8080 from any source to 192.168.1.10, so the default deny action applies. Option C is wrong because the destination is reachable (192.168.1.10 is a routable internal address behind the firewall); the denial is due to the port not being allowed, not unreachability.

19
MCQ · easy

A company uses VLANs to separate traffic between the IT, HR, and Finance departments. A user in the HR VLAN reports that she cannot access a file server located in the IT VLAN. The file server's default gateway is correctly set to the IT VLAN interface. All workstations have correct IP addresses and subnet masks. What is the most likely cause of this issue?

A. Spanning Tree Protocol (STP) is blocking the link between the HR and IT switches.
B. The HR workstation has an incorrect subnet mask.
C. The HR VLAN switch port is incorrectly configured with the wrong VLAN ID.
D. No routing is configured between the HR and IT VLANs.
Answer: D

VLANs are separate broadcast domains; inter-VLAN communication requires a router or Layer 3 switch with routing enabled.

Why this answer

VLANs create separate broadcast domains, so traffic between different VLANs must be routed. Since the HR workstation is in a different VLAN than the file server, and no routing is configured between the HR and IT VLANs, the HR workstation cannot reach the file server even though the server's default gateway is correctly set. This is the most likely cause because all other network settings (IP addresses, subnet masks, switch port configurations) are described as correct.

Exam trap

The trap here is that candidates often assume VLANs inherently block all cross-VLAN traffic, but the real issue is the absence of a Layer 3 routing mechanism; VLANs only separate broadcast domains, not routed traffic.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) blocks redundant links to prevent loops, not to isolate VLAN traffic; STP operates at Layer 2 and does not block links between different VLANs unless a loop exists. Option B is wrong because the question states that all workstations have correct IP addresses and subnet masks, so an incorrect subnet mask is not the issue. Option C is wrong because the question explicitly states that the HR workstation has correct IP settings, and a switch port with the wrong VLAN ID would prevent the workstation from communicating even within its own VLAN, not just across VLANs; the user can access other HR resources, so the port configuration is likely correct.

20
MCQ · hard

A security architect is designing a network for a high-security data center. The requirement is to ensure that even if an attacker compromises one server, they cannot easily move laterally to other servers in the same data center. Which network design principle should be applied?

A. Principle of least privilege
B. Defense in depth
C. Single point of failure elimination
D. Microsegmentation (e.g., using virtual firewalls on each hypervisor)
Answer: D

Microsegmentation divides the network into small, isolated zones to contain threats and block lateral movement.

Why this answer

Microsegmentation (D) is the correct network design principle because it enforces granular, per-workload firewall rules—often implemented via virtual firewalls on each hypervisor or using VXLAN/ACL policies—that restrict east-west traffic between servers. Even if an attacker compromises one server, microsegmentation prevents lateral movement by allowing only explicitly permitted inter-server communication, effectively isolating the breach to the compromised host.

Exam trap

The trap here is that candidates confuse the broad strategy of defense in depth (B) with the specific technical mechanism of microsegmentation, but the question explicitly asks for a network design principle that prevents lateral movement, which is exactly what microsegmentation enforces at the data center network layer.

How to eliminate wrong answers

Option A is wrong because the principle of least privilege governs user and process access rights (e.g., file permissions, RBAC), not network-level isolation between servers; it does not inherently restrict east-west traffic at the network layer. Option B is wrong because defense in depth is a broad security strategy that layers multiple controls (e.g., firewalls, IDS, encryption), but it is not a specific network design principle that directly prevents lateral movement within a data center segment. Option C is wrong because eliminating single points of failure focuses on redundancy and high availability (e.g., dual power supplies, redundant links), not on restricting lateral traffic between servers after a compromise.

21
MCQ · medium

A security administrator is configuring a stateful firewall to allow HTTP traffic from the internet to a web server. The firewall uses a default-deny policy. What is the correct rule placement?

A.Place the allow rule after the deny all rule
B.Use a stateless firewall instead
C.Use an implicit deny rule
D.Place the allow rule before the deny all rule
AnswerD

Ensures the traffic is permitted before the default deny.

Why this answer

In a stateful firewall with a default-deny policy, rules are processed in sequential order from top to bottom. Placing the allow rule before the deny all rule ensures that HTTP traffic (TCP port 80) is explicitly permitted before the catch-all deny rule drops all unmatched packets. If the deny all rule were placed first, all traffic would be dropped, including the intended HTTP traffic, making the allow rule unreachable.

Exam trap

ISC2 often tests the misconception that a default-deny policy automatically allows traffic if a permit rule exists anywhere in the ACL, but in reality, rule order determines which rule is applied first, and a deny all placed before the permit will block all traffic.

How to eliminate wrong answers

Option A is wrong because placing the allow rule after the deny all rule would cause the deny all rule to match and drop all traffic first, rendering the allow rule ineffective and blocking legitimate HTTP traffic. Option B is wrong because a stateless firewall would not track connection state, making it unsuitable for allowing return traffic from the web server without explicit rules for ephemeral ports, whereas a stateful firewall automatically permits return traffic for established connections. Option C is wrong because an implicit deny rule is already the default behavior at the end of the rule set; the question asks for explicit rule placement, and relying solely on implicit deny does not solve the ordering requirement to allow HTTP traffic.

22
MCQ · medium

Refer to the exhibit. Based on the output, which integrity algorithm is configured for the IPsec tunnel?

A.HMAC-MD5
B.HMAC-SHA256
C.HMAC-SHA1
D.AES-GCM
AnswerC

The 'sha' in esp-sha-hmac stands for SHA1.

Why this answer

The output shows 'esp-sha-hmac' under the transform set, which indicates the integrity algorithm is HMAC-SHA1 (SHA-1 hashing with HMAC). In Cisco IOS, 'esp-sha-hmac' specifically refers to HMAC-SHA1 (96-bit hash), not SHA-256 or MD5. This is the correct interpretation because the command 'crypto ipsec transform-set' uses 'esp-sha-hmac' to denote SHA-1-based integrity.

Exam trap

ISC2 often tests the specific naming convention in 'show crypto ipsec transform-set' output, where 'esp-sha-hmac' is easily mistaken for SHA-256 or generic SHA, but it strictly refers to HMAC-SHA1 (96-bit) in Cisco IOS.

How to eliminate wrong answers

Option A is wrong because HMAC-MD5 would appear as 'esp-md5-hmac' in the transform set output, not 'esp-sha-hmac'. Option B is wrong because HMAC-SHA256 would be displayed as 'esp-sha256-hmac' in Cisco IOS, requiring a different transform set configuration. Option D is wrong because AES-GCM is an authenticated encryption algorithm (providing both confidentiality and integrity) and would appear as 'esp-gcm' or 'esp-aes-gcm' in the output, not as a standalone integrity algorithm like 'esp-sha-hmac'.

23
MCQ · easy

A security engineer notices that the IKE phase 1 lifetime is set to 3600 seconds. What is a potential security implication?

A.Longer lifetimes reduce rekeying overhead
B.Shorter lifetimes increase performance
C.Short lifetimes may cause frequent reauthentication and potential disruption
D.The lifetime should be at least 86400 seconds
AnswerC

Frequent rekeying increases overhead and risk of disruption if rekey fails.

Why this answer

IKE phase 1 establishes a secure authenticated channel for subsequent IKE phase 2 negotiations. A lifetime of 3600 seconds (1 hour) is relatively short, causing frequent reauthentication. This can lead to service disruption if the rekeying process fails or if the VPN peers experience transient network issues, potentially dropping active tunnels and impacting production traffic.

Exam trap

ISC2 often tests the trade-off between security and availability: candidates may incorrectly assume shorter lifetimes are always more secure without considering the operational risk of frequent reauthentication causing tunnel drops.

How to eliminate wrong answers

Option A is wrong because longer lifetimes reduce rekeying overhead, but the question asks for a security implication of the given short lifetime, not a benefit of longer lifetimes. Option B is wrong because shorter lifetimes do not increase performance; they increase computational overhead and latency due to more frequent Diffie-Hellman exchanges and authentication. Option D is wrong because there is no mandatory minimum of 86400 seconds (24 hours); RFC 7296 recommends a default of 3600 seconds for IKEv1 phase 1, and shorter lifetimes can actually improve security by limiting exposure of the session key, though they risk disruption.

24
MCQ · medium

A remote user at 203.0.113.5 cannot access the internal web server at 10.0.0.10 over HTTPS. What is the most likely cause of the denial?

A.The ACL is missing a permit rule for the user's IP
B.The ACL is applied in the wrong direction
C.The firewall is not performing stateful inspection
D.The web server is not listening on port 443
AnswerA

The permit rule only allows 203.0.113.2, so traffic from 203.0.113.5 is denied.

Why this answer

The user at 203.0.113.5 is attempting to reach the internal web server at 10.0.0.10 over HTTPS (TCP/443). If an ACL is applied on the firewall or router interface that filters inbound traffic from the remote user, the most direct cause of denial is the absence of a permit rule for the source IP 203.0.113.5. ACLs process rules sequentially, and if no explicit permit matches the user's traffic, the implicit deny at the end of the ACL will drop the packet.

Exam trap

The trap here is that candidates often confuse ACL directionality (Option B) with the actual missing rule, but the symptom of a complete denial for a specific source IP points directly to a missing permit entry rather than a directional issue.

How to eliminate wrong answers

Option B is wrong because applying an ACL in the wrong direction (e.g., inbound vs. outbound) would cause traffic to be filtered incorrectly, but the question states the user cannot access the server at all, which is more consistent with a missing permit rule than a directional misapplication that might still allow some traffic. Option C is wrong because stateful inspection is a feature that tracks connection state; even without stateful inspection, a stateless ACL with a proper permit rule would allow the HTTPS traffic. Option D is wrong because if the web server were not listening on port 443, the user would receive a connection refused (RST) or timeout, not a denial caused by an ACL; the question implies a silent drop, which is characteristic of ACL filtering.

25
MCQ · easy

Refer to the exhibit. The VPN tunnel is not coming up. What is the most likely configuration error?

A.The encryption algorithm AES 256 is not supported.
B.The crypto map is applied to the Tunnel interface instead of the physical interface.
C.The hash algorithm SHA256 is not supported.
D.The Diffie-Hellman group 14 is not strong enough.
AnswerB

Crypto map must be applied to the physical interface that connects to the peer.

Why this answer

The crypto map must be applied to the physical interface (e.g., GigabitEthernet0/0) that connects to the VPN peer, not to the Tunnel interface. The Tunnel interface is a logical construct used for overlay routing (e.g., GRE or IPsec VTI), but the crypto map defines the IPsec security associations on the actual egress interface. Applying it to the Tunnel interface prevents the IPsec process from matching outbound traffic to the correct physical path, so the tunnel never establishes.

Exam trap

ISC2 often tests the misconception that the crypto map should be applied to the Tunnel interface (since it 'protects' the tunnel), but the correct placement is always on the physical egress interface where the IPsec packets actually leave the router.

How to eliminate wrong answers

Option A is wrong because AES-256 is widely supported in modern VPN implementations (e.g., Cisco IOS, IKEv1/v2) and is not a cause of tunnel failure unless explicitly disabled. Option C is wrong because SHA-256 is a standard hash algorithm supported by IPsec (RFC 4868) and is not inherently unsupported in typical configurations. Option D is wrong because Diffie-Hellman group 14 (2048-bit MODP) is considered strong enough for secure key exchange; the issue is not about strength but about misapplication of the crypto map.

26
MCQ · easy

A company has a headquarters and three branch offices connected via MPLS VPN. Recently, they deployed a new VoIP system across all sites. Users report intermittent call drops and poor voice quality during peak business hours. The network team suspects packet loss and jitter are the cause. The IT manager wants to verify the issue without affecting production traffic. Which of the following is the best course of action?

A.Deploy a full packet capture on all branch routers.
B.Use IP SLA to generate test traffic and measure jitter and packet loss.
C.Conduct a network assessment by duplicating traffic to a monitoring tool.
D.Increase the MPLS bandwidth immediately.
AnswerB

IP SLA allows non-intrusive performance measurement.

Why this answer

IP SLA can generate synthetic traffic to measure network performance metrics like jitter, latency, and packet loss without impacting production traffic. Creating a full packet capture is resource-intensive and may affect performance. Duplicating traffic requires additional configuration and may not reflect real-time issues.

Increasing bandwidth is a solution, not a diagnostic step.

27
MCQ · hard

A multinational corporation operates a private MPLS VPN network connecting 50 branch offices to a central data center. The network uses BGP as the routing protocol within the VPN, with each branch announcing its internal prefixes to the data center routers. Over the past week, several branch offices have reported intermittent connectivity issues, with traffic being routed to incorrect destinations before recovering. Network logs show that during these incidents, the data center router receives unexpected BGP updates from one of the branch routers, advertising prefixes that belong to other branches. BGP sessions remain established without flaps. The security team is concerned that this could be a route leak or intentional hijack. The network engineer has verified that all BGP sessions are authenticated with MD5 and that RPKI validation is not currently deployed. Which course of action should the engineer take first to mitigate the issue?

A.Configure inbound BGP prefix filtering on the data center routers.
B.Implement BGP Flowspec to rate-limit traffic to the affected prefixes.
C.Deploy RPKI validation across all routers.
D.Increase the BGP hold timer on data center routers.
AnswerA

Filters out unauthorized prefixes from branch routers, stopping the leak.

Why this answer

The intermittent connectivity issues are caused by a branch router advertising prefixes that belong to other branches, which is a classic route leak or hijack scenario. Configuring inbound BGP prefix filtering on the data center routers is the immediate and most effective mitigation because it allows the engineer to explicitly define which prefixes are accepted from each BGP neighbor, preventing unauthorized or incorrect routes from being installed in the routing table. This approach does not require additional infrastructure or protocol changes and directly addresses the root cause of the traffic misdirection.

Exam trap

The trap here is that candidates may assume RPKI is the best first step because it is a modern security mechanism, but the question explicitly states it is not deployed and asks for the first action to mitigate the issue, making immediate inbound filtering the correct answer over a longer-term deployment.

How to eliminate wrong answers

Option B is wrong because BGP Flowspec is designed to filter or rate-limit traffic based on flow specifications (e.g., source/destination IP, port) after routes are already installed, but it does not prevent the initial injection of invalid BGP routes; it is a reactive traffic engineering tool, not a proactive route validation mechanism. Option C is wrong because deploying RPKI validation is a longer-term, infrastructure-dependent solution that requires setting up RPKI caches, configuring routers to validate route origin, and potentially updating ROAs; it is not the first course of action when an immediate fix is needed, and it does not address the specific issue of a branch advertising other branches' prefixes (which could still pass RPKI if the AS origin is valid). Option D is wrong because increasing the BGP hold timer only affects how long a router waits for keepalive messages before declaring a peer down; it does not prevent the acceptance of invalid routes and would actually delay detection of session issues, making the problem worse.

28
MCQ · hard

Refer to the exhibit. Which of the following is true regarding the BGP routes received from neighbor 10.1.1.2?

A.The route to 10.30.0.0/16 is filtered out by an inbound route-map.
B.The route to 10.20.0.0/16 is preferred over 10.10.0.0/16 due to shorter AS path.
C.All three routes are installed in the routing table.
D.The route to 10.30.0.0/16 has a local preference of 100.
AnswerC

Correct. The '>' symbol next to each route indicates they are the best paths and thus installed in the routing table.

Why this answer

The received routes include 10.10.0.0/16, 10.20.0.0/16, and 10.30.0.0/16. The route to 10.30.0.0/16 is originated from AS 65001 (AS path shows only 65001). The other routes have longer AS paths.

The '>' symbol indicates the best path. All received routes are marked as best, meaning they are all installed in the routing table. The route to 10.30.0.0/16 has only one AS hop, so it is directly from AS 65001.

29
MCQ · easy

A switch port is configured with port security that allows only one MAC address. The help desk reports that a user's device cannot connect after a laptop is replaced. What should the network administrator do to resolve the issue?

A.Clear the port security counters
B.Disable port security
C.Shut down the port and re-enable
D.Change the port security to sticky MAC
AnswerA

Clearing the counters removes the existing MAC address, allowing the new one to be learned.

Why this answer

When port security is configured to allow only one MAC address and a laptop is replaced, the new MAC address is automatically blocked because the switch has already learned and secured the old MAC address. Clearing the port security counters (e.g., using `clear port-security sticky` or `clear port-security dynamic`) resets the learned MAC address, allowing the switch to learn the new device's MAC address on the next link-up. This is the standard remediation without disabling security or causing unnecessary downtime.

Exam trap

ISC2 often tests the misconception that simply bouncing the port (shut/no shut) will fix the issue, but candidates forget that the learned MAC address persists in the secure MAC table until explicitly cleared, so the port remains in violation even after re-enabling.

How to eliminate wrong answers

Option B is wrong because disabling port security removes all MAC address filtering, exposing the port to unauthorized devices and violating the security policy; it is an overreaction when a simple clear of counters suffices. Option C is wrong because simply shutting down and re-enabling the port does not clear the learned MAC address from the switch's CAM table; the port will still reject the new MAC address until the security violation is explicitly cleared. Option D is wrong because changing to sticky MAC does not resolve the immediate issue—sticky MAC dynamically learns and saves MAC addresses to the running config, but the port is currently in an error-disabled or violation state due to the new MAC, and the sticky feature does not retroactively fix the mismatch; the counters must still be cleared first.

30
Drag & Drop · medium

Drag and drop the steps for a secure software development lifecycle (SDLC) in the correct order.

Why this order

Secure SDLC integrates security at each phase: requirements, design, implementation, testing, and deployment.

31
MCQ · hard

Refer to the exhibit. A security auditor is reviewing the network ACLs for a cloud VPC. Which of the following is the most significant security concern?

A.The outbound rules allow all traffic
B.SSH (port 22) is allowed from a large IP range
C.RDP (port 3389) is allowed from a trusted internal subnet
D.The VPC ID is exposed
AnswerB

Allowing SSH from 10.0.0.0/8 is overly broad and exposes administrative access to many potential attackers within that range.

Why this answer

Allowing SSH (port 22) from a large IP range (e.g., 0.0.0.0/0 or a wide CIDR) exposes the management interface to the entire internet, making it trivial for attackers to launch brute-force or credential-stuffing attacks. This violates the principle of least privilege and is a common misconfiguration that leads to unauthorized access.

Exam trap

The trap here is that candidates may focus on the outbound rule being too permissive (Option A) or the VPC ID exposure (Option D), but the most immediate and exploitable risk is the unrestricted inbound SSH access from a large IP range.

How to eliminate wrong answers

Option A is wrong because outbound rules allowing all traffic are often necessary for cloud VPCs to reach the internet for updates or external services, and while not ideal, it is less critical than exposing inbound management ports. Option C is wrong because RDP allowed from a trusted internal subnet is a proper security practice, as it restricts access to a known, controlled network segment. Option D is wrong because the VPC ID is not sensitive information; it is often visible in logs and network paths and does not directly enable an attack.

32
MCQ · medium

A network analyst suspects a host on the internal network is sending abnormal amounts of traffic. Which tool should be used to capture and analyze the packets?

A.Wireshark
B.Nmap
C.Netstat
D.Traceroute
AnswerA

Wireshark captures and analyzes packets in detail.

Why this answer

Wireshark is the correct tool because it is a packet analyzer that captures live network traffic and provides deep inspection of individual packets, including headers and payloads. This allows the analyst to examine the abnormal traffic patterns, identify source/destination IPs, protocols, and payload content to diagnose the issue.

Exam trap

The trap here is that candidates often confuse Nmap's ability to send and receive packets for scanning with actual packet capture and analysis, but Nmap does not provide the deep packet inspection or continuous capture that Wireshark offers.

How to eliminate wrong answers

Option B (Nmap) is wrong because Nmap is a network scanning tool used for host discovery, port scanning, and service enumeration, not for capturing and analyzing live packet traffic. Option C (Netstat) is wrong because Netstat displays active network connections, routing tables, and interface statistics, but it does not capture or analyze packet contents. Option D (Traceroute) is wrong because Traceroute is a diagnostic tool that maps the path packets take to a destination by manipulating TTL values, not for capturing or analyzing packet payloads.

33
Multi-Select · easy

Which three are network-layer security controls in a defense-in-depth strategy? (Choose THREE.)

A.Antivirus
B.Access control lists (ACLs)
C.Data encryption at rest
D.Firewall
E.Intrusion Detection System (IDS)
AnswersB, D, E

Filters traffic based on IP addresses and ports.

Why this answer

Access control lists (ACLs) operate at Layer 3 by filtering traffic based on source and destination IP addresses, using rules that permit or deny packets as they traverse a router or Layer 3 switch. This makes ACLs a fundamental network-layer security control in a defense-in-depth strategy, as they enforce traffic segmentation and restrict unauthorized network access.

Exam trap

The trap here is that candidates confuse network-layer controls with host-based or data-at-rest protections, mistakenly selecting antivirus or encryption at rest because they are common security measures, but they operate at different layers of the OSI model.

34
Multi-Select · easy

Which TWO of the following are characteristics of a VPN that uses TLS?

A.Provides confidentiality
B.Requires a digital certificate on the server
C.Provides integrity
D.Operates at the network layer
E.Typically uses UDP port 500
AnswersA, C

TLS encrypts data, ensuring confidentiality.

Why this answer

TLS-based VPNs, such as OpenVPN in TLS mode, provide confidentiality through encryption of the tunneled traffic using symmetric ciphers (e.g., AES) negotiated during the TLS handshake. They also provide integrity via message authentication codes (e.g., HMAC) applied to each record, ensuring data has not been altered in transit. These are fundamental security services of the TLS protocol itself.

Exam trap

The trap here is that candidates confuse TLS VPNs with IPsec VPNs, incorrectly associating UDP port 500 or network layer operation with TLS, or assuming a digital certificate is mandatory for all TLS VPN deployments.

35
MCQ · easy

A network administrator notices that users in the accounting department can access the internet but are unable to access the internal payroll server (10.10.10.50). The firewall rule allows traffic from the accounting subnet (10.10.20.0/24) to the payroll server. What is the most likely issue?

A.DNS is not resolving the payroll server's IP address.
B.The payroll server's default gateway does not have a route back to 10.10.20.0/24.
C.The firewall rule is applied to the outbound interface only.
D.The accounting subnet is blocked by an implicit deny rule.
AnswerB

Without a return route, packets from the server cannot reach the accounting subnet.

Why this answer

The most likely issue is that the payroll server's default gateway does not have a route back to the accounting subnet (10.10.20.0/24). Even if the firewall permits outbound traffic from the accounting subnet to the payroll server, the return traffic from the server must be routed back through the firewall or a router that knows how to reach 10.10.20.0/24. Without a return route, the server's response packets are dropped, causing a one-way communication failure.

Exam trap

The trap here is that candidates often focus on firewall rule direction (inbound vs. outbound) or DNS, overlooking the fundamental requirement for symmetric routing and the fact that the server's default gateway must know how to reach the source subnet.

How to eliminate wrong answers

Option A is wrong because DNS resolution is irrelevant when the user is accessing the payroll server by its IP address (10.10.10.50), not a hostname. Option C is wrong because firewall rules are typically applied to inbound and outbound interfaces; if the rule is applied only to the outbound interface, it would still allow traffic leaving the accounting subnet, but the real issue is the lack of a return route, not the firewall rule placement. Option D is wrong because an implicit deny rule would block all traffic not explicitly permitted, but the question states the firewall rule allows traffic from the accounting subnet to the payroll server, so the implicit deny is not the cause of the specific failure.

36
MCQ · hard

Refer to the exhibit. Which of the following statements is correct regarding the connections and access-list?

A.The access-list 'outside_in' is applied to the outside interface and is allowing the connections.
B.The UDP connection to 198.51.100.2:53 is being allowed by line 2 of the access-list.
C.The access-list 'outside_in' is not applied to any interface or is not the primary access-list governing inbound traffic.
D.The TCP connection to 203.0.113.5:443 is being denied by the implicit deny rule.
AnswerC

Correct. The connections exist but the access-list has 0 hits, implying either it is not applied or another rule is allowing traffic (e.g., an implicit permit for established connections).

Why this answer

The access-list 'outside_in' is applied to the outside interface for inbound traffic. However, the hit counts are all 0, meaning the access-list is not being hit. This suggests that the access-list is not applied to the interface, or the interface has another access-list that allows the traffic, or the connections are established through other means (like stateful inspection).

The connections are active, so traffic is passing through the ASA. The access-list with 0 hits indicates it is not the mechanism allowing the traffic.

37
MCQ · hard

A network architect is designing a network to comply with PCI DSS requirements that cardholder data must be encrypted during transmission over open networks. Which protocol should be used for encrypting traffic between a point-of-sale (POS) terminal and the payment gateway?

A.TLS 1.0
B.TLS 1.2
C.SSH
D.SSL 3.0
AnswerB

TLS 1.2 is secure and widely accepted for payment transactions.

Why this answer

TLS 1.2 is the correct choice because it is a widely accepted, secure protocol for encrypting data in transit, and it meets PCI DSS requirements for strong cryptography. PCI DSS explicitly prohibits the use of SSL and early TLS versions (1.0) due to known vulnerabilities, and TLS 1.2 provides robust cipher suites and forward secrecy.

Exam trap

The trap here is that candidates may confuse TLS 1.0 with TLS 1.2, assuming all TLS versions are equally secure, but PCI DSS explicitly requires TLS 1.2 or higher, and TLS 1.0 is considered weak and non-compliant.

How to eliminate wrong answers

Option A is wrong because TLS 1.0 is deprecated by PCI DSS as of June 30, 2018, due to vulnerabilities such as BEAST and POODLE, and does not meet the requirement for strong encryption. Option C is wrong because SSH is primarily used for secure remote administration and file transfer, not for encrypting POS-to-gateway traffic, and it operates at a different layer (application) than the transport-layer encryption needed for payment protocols. Option D is wrong because SSL 3.0 is completely broken and prohibited by PCI DSS since June 30, 2015, due to the POODLE attack and lack of secure cipher suites.

38
MCQ · hard

A company uses BGP to exchange routes with its ISP. To prevent prefix hijacking, which mechanism should be implemented?

A.BGP MD5 authentication
B.BGP community values
C.RPKI
D.AS-path filtering
AnswerC

Validates the origin AS of prefixes, mitigating hijacking.

Why this answer

RPKI (Resource Public Key Infrastructure) is the correct mechanism because it cryptographically validates the origin AS of a BGP route announcement, preventing prefix hijacking by ensuring that only the legitimate owner of an IP prefix can announce it. Unlike other options, RPKI provides a trust anchor based on the IP address allocation hierarchy, making it the only solution that directly addresses the root cause of hijacking—unauthorized origin AS claims.

Exam trap

ISC2 often tests BGP MD5 authentication as a security measure, but the trap here is confusing session-level authentication (MD5) with route-level validation (RPKI), leading candidates to choose A because they think 'authentication' covers route integrity, when it only protects the BGP session itself.

How to eliminate wrong answers

Option A is wrong because BGP MD5 authentication (RFC 2385) only secures the TCP session between BGP peers, preventing spoofed TCP resets or session hijacking, but does not validate the legitimacy of the route content itself, so it cannot stop a malicious AS from announcing a prefix it does not own. Option B is wrong because BGP community values are tags used for route policy and traffic engineering (e.g., prepending, local preference), but they are not authenticated or cryptographically bound to the origin AS, so they can be easily manipulated or ignored by an attacker. Option D is wrong because AS-path filtering relies on manually configured prefix lists or AS-path access lists to block routes based on AS-path patterns, which is static, error-prone, and cannot detect hijacks where the attacker uses a legitimate AS-path (e.g., via a compromised AS or by prepending a valid AS number).

39
MCQ · easy

A network security analyst receives an alert from the intrusion detection system (IDS) indicating a high volume of TCP SYN packets to a single external IP address from a compromised internal host. This is characteristic of which type of attack?

A.SYN flood
B.Man-in-the-middle
C.ARP spoofing
D.DNS amplification
AnswerA

A SYN flood uses a high volume of TCP SYN packets to overwhelm the target's connection queue.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets to a target, exhausting its connection table and preventing legitimate connections. The IDS alert specifically describes a compromised internal host generating many SYN packets to a single external IP, which matches the classic behavior of a SYN flood where the attacker spoofs the source IP or uses a bot to saturate the target's resources.

Exam trap

The trap here is that candidates confuse a SYN flood (which uses TCP SYN packets to exhaust resources) with a DNS amplification attack (which uses UDP and reflection), but the question's mention of 'TCP SYN packets' directly points to the SYN flood, not a volumetric reflection attack.

How to eliminate wrong answers

Option B is wrong because a man-in-the-middle attack involves intercepting and potentially altering communications between two parties, not generating a high volume of SYN packets to a single external IP. Option C is wrong because ARP spoofing operates at Layer 2 by associating an attacker's MAC address with a legitimate IP address on a local network, not by sending TCP SYN packets to an external IP. Option D is wrong because a DNS amplification attack uses small DNS queries with spoofed source IPs to generate large responses directed at a victim, relying on UDP and DNS servers, not TCP SYN packets from a compromised host.

40
MCQ · medium

A multinational corporation maintains site-to-site IPsec VPN tunnels between its headquarters and three regional branch offices. Over the past week, the tunnels have been dropping intermittently, causing disruption to real-time applications. The network team checked logs and found frequent 'Phase 2 rekey failure' messages. The tunnels are configured with IKEv1 and preshared keys. The headquarters uses a Cisco ASA, and the branches use various vendors' firewalls. The team verified that firewall policies allow IPsec traffic, and there is no packet loss on the WAN links. Which action should the team take to resolve the issue most effectively?

A.Increase the MTU on the WAN interfaces to 1500 bytes on all firewalls.
B.Change the encryption algorithm from AES-256 to 3DES on all peers.
C.Migrate all VPN connections from IPsec to SSL VPN using clientless access.
D.Adjust the Dead Peer Detection (DPD) intervals and Phase 2 lifetime settings to be consistent across all sites.
AnswerD

Consistent DPD timers and lifetimes prevent premature rekey attempts or missed rekeys, stabilizing the tunnels.

Why this answer

The frequent 'Phase 2 rekey failure' messages indicate a mismatch in IPsec security association (SA) parameters between the Cisco ASA and the branch firewalls. IKEv1 Phase 2 lifetimes and Dead Peer Detection (DPD) intervals must be consistent across all peers; otherwise, one side may attempt to rekey or declare the peer dead while the other expects a different timing, causing intermittent tunnel drops. Adjusting these values to match across all sites resolves the rekey failures without compromising security or requiring a protocol migration.

Exam trap

ISC2 often tests the misconception that rekey failures are caused by encryption algorithm mismatches or MTU issues, but the real cause is almost always inconsistent Phase 2 lifetimes or DPD intervals when using IKEv1 with multiple vendor firewalls.

How to eliminate wrong answers

Option A is wrong because 1500 bytes is already the default Ethernet MTU, and MTU settings do not address Phase 2 rekey failures; MTU problems cause fragmentation or packet loss, not rekey mismatches. Option B is wrong because changing from AES-256 to 3DES weakens encryption and does not fix rekey failures; the problem is timing/parameter consistency, not cipher strength. Option C is wrong because migrating to SSL VPN with clientless access is a completely different architecture that would not resolve IPsec Phase 2 rekey failures and would introduce new complexity; the issue is specific to IKEv1 Phase 2 lifetime mismatches, not the VPN protocol type.

41
MCQmedium

Refer to the exhibit. What is the purpose of the NAT configuration on R1?

A.To translate internal private addresses to the IP address of the FastEthernet0/0 interface.
B.To translate internal private addresses to a pool of public addresses.
C.To translate internal private addresses to a static public address.
D.To translate internal private addresses to the IP address of the Serial0/0 interface using PAT.
AnswerD

Correct. The 'overload' keyword enables PAT, and the interface IP is used as the translated address.

Why this answer

The configuration uses dynamic NAT with PAT (overload). It translates source addresses from the inside network (192.168.1.0/24) to the IP address of the Serial0/0 interface (the outside interface). This allows multiple internal hosts to share the single public IP address.

42
Multi-Selecteasy

A network administrator is configuring switches to prevent VLAN hopping attacks. Which TWO of the following measures should be implemented?

Select 2 answers
A.Use private VLANs on all trunk ports.
B.Set the native VLAN to an unused VLAN.
C.Enable BPDU guard on all access ports.
D.Disable Dynamic Trunking Protocol (DTP) on trunk ports.
E.Implement port security on all access ports.
AnswersB, D

This prevents double-tagging attacks by ensuring the native VLAN is not used by any user traffic.

Why this answer

Setting the native VLAN to an unused VLAN prevents VLAN hopping via double-tagging attacks. In a double-tagging attack, an attacker sends frames with two 802.1Q tags; the outer tag matches the trunk's native VLAN and is stripped by the first switch, and the inner tag then carries the frame onto a different VLAN. By using an unused VLAN as the native VLAN, there are no hosts on that VLAN to receive or exploit the double-tagged traffic.

Exam trap

ISC2 often tests the distinction between access port security features (like BPDU guard and port security) and trunk-specific controls (like DTP disablement and native VLAN configuration), leading candidates to mistakenly select access port protections for a trunk-based attack.

43
MCQmedium

A security analyst receives an alert that a host in the internal network is sending abnormal amounts of traffic to an external IP. The traffic uses destination port 53. What is the most likely attack?

A.DNS cache poisoning
B.DNS amplification
C.DNS tunneling
D.DNS zone transfer
AnswerC

DNS tunneling encapsulates data in DNS queries to exfiltrate information, causing abnormal traffic patterns.

Why this answer

The alert describes a host sending abnormal traffic to an external IP on destination port 53, which is the default port for DNS. DNS tunneling exploits the DNS protocol to encapsulate non-DNS data (e.g., commands or exfiltrated files) within DNS queries and responses, allowing covert communication through firewalls that typically allow DNS traffic. The abnormal volume of traffic to a single external IP is a classic indicator of a DNS tunnel, as the compromised host continuously sends encoded data to an external command-and-control server.

Exam trap

The trap here is that candidates confuse the use of port 53 with DNS amplification attacks, but amplification requires a victim IP and open resolvers, not a single internal host sending traffic to an external IP.

How to eliminate wrong answers

Option A is wrong because DNS cache poisoning (also known as DNS spoofing) involves injecting forged DNS records into a resolver's cache to redirect traffic, not generating abnormal outbound traffic from a single host. Option B is wrong because DNS amplification is a distributed denial-of-service (DDoS) attack that uses open resolvers to flood a victim with large responses, but the alert describes a single internal host sending traffic outbound, not a reflector sending amplified traffic to a victim. Option D is wrong because a DNS zone transfer is a legitimate mechanism for replicating DNS zone data between authoritative servers, typically using TCP port 53, and is not an attack that causes a single host to send abnormal traffic to an external IP.
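The indicators described above (one internal host, one external server on port 53, a high volume of unique, long, high-entropy query names) can be scored from DNS query logs. This is an added detection example, not code from the question bank; the log format, the 10.1.1.x hosts and the thresholds are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query records (not captured from any real network):
# time, source host, destination IP:port, record type, queried name.
# 10.1.1.20 is ordinary browsing; 10.1.1.77 mimics a tunnel: many unique,
# long, high-entropy leftmost labels under one domain, all sent to a single
# external server on port 53.
SAMPLE_LOG = """\
10:00:01 10.1.1.20 203.0.113.53:53 A www.example.com
10:00:02 10.1.1.20 203.0.113.53:53 A mail.example.com
10:00:05 10.1.1.20 203.0.113.53:53 AAAA www.example.com
10:00:09 10.1.1.20 203.0.113.53:53 A cdn.example.net
10:00:01 10.1.1.77 198.51.100.7:53 TXT 6a7b3c9d0e1f2a3b4c5d6e7f.tun.example.org
10:00:01 10.1.1.77 198.51.100.7:53 TXT 1f2e3d4c5b6a79887766554433.tun.example.org
10:00:02 10.1.1.77 198.51.100.7:53 TXT 9c8b7a6f5e4d3c2b1a0f9e8d7c6b.tun.example.org
10:00:02 10.1.1.77 198.51.100.7:53 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f9.tun.example.org
10:00:03 10.1.1.77 198.51.100.7:53 TXT 5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c.tun.example.org
10:00:03 10.1.1.77 198.51.100.7:53 TXT f0e1d2c3b4a5968778695a4b3c2d1e0f.tun.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far above real hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def first_label(qname: str) -> str:
    """Leftmost label of a query name, where a tunnel carries its encoded data."""
    return qname.split(".")[0]


def parse_log(text: str):
    """Yield (src, dst_ip, qtype, qname) from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        _ts, src, dst, qtype, qname = parts
        yield src, dst.split(":")[0], qtype.upper(), qname.lower()


def flow_features(records):
    """Aggregate, per (source host, destination server), the indicators of tunneling."""
    flows = defaultdict(list)
    for src, dst, qtype, qname in records:
        flows[(src, dst)].append((qtype, qname))
    features = {}
    for key, queries in flows.items():
        labels = [first_label(q) for _, q in queries]
        bulk = sum(1 for t, _ in queries if t in ("TXT", "NULL", "CNAME"))
        features[key] = {
            "count": len(queries),
            "avg_label_len": sum(map(len, labels)) / len(labels),
            "avg_entropy": sum(shannon_entropy(l) for l in labels) / len(labels),
            "unique_ratio": len({q for _, q in queries}) / len(queries),
            "bulk_type_ratio": bulk / len(queries),
        }
    return features


def detect_tunnels(text, min_count=5, min_label_len=20, min_entropy=3.0, min_unique=0.8):
    """Return [(src, dst, features)] for flows that trip at least three indicators.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    suspects = []
    for (src, dst), f in flow_features(parse_log(text)).items():
        hits = sum([
            f["avg_label_len"] >= min_label_len,
            f["avg_entropy"] >= min_entropy,
            f["unique_ratio"] >= min_unique,
            f["bulk_type_ratio"] >= 0.5,
        ])
        if f["count"] >= min_count and hits >= 3:
            suspects.append((src, dst, f))
    return suspects


if __name__ == "__main__":
    for src, dst, f in detect_tunnels(SAMPLE_LOG):
        print(f"possible DNS tunnel {src} -> {dst}:53 "
              f"({f['count']} queries, avg label {f['avg_label_len']:.0f} chars, "
              f"entropy {f['avg_entropy']:.2f} bits/char)")
```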

44
Multi-Selectmedium

Which THREE of the following are best practices for securing a wireless network?

Select 3 answers
A.Disable SSID broadcast.
B.Enable WPS (Wi-Fi Protected Setup).
C.Use WEP encryption.
D.Use WPA2-Enterprise with 802.1X authentication.
E.Implement MAC address filtering.
AnswersA, D, E

Makes the network less visible to casual scanners.

Why this answer

Disabling SSID broadcast prevents the access point from including the network name in beacon frames. While this does not hide the network from determined attackers using packet analyzers, it reduces casual discovery and is considered a basic security hardening step in defense-in-depth.

Exam trap

The trap here is that candidates often mistake 'security by obscurity' (disabling SSID broadcast) as a primary control, while overlooking that WPS and WEP are fundamentally broken protocols that should never be used in a secure deployment.

45
MCQmedium

A network engineer is troubleshooting a slow VPN connection between two sites. The link is symmetric 100 Mbps, but throughput tests show only 20 Mbps. The VPN uses AES-256 encryption. What is the most likely cause?

A.Packet loss due to link congestion
B.CPU bottleneck on the VPN endpoints
C.MTU mismatch causing fragmentation
D.Incorrect TCP window scaling
AnswerB

AES-256 encryption consumes CPU resources; if the devices are underpowered, throughput will be severely limited.

Why this answer

AES-256 encryption is computationally intensive, and the throughput of a VPN is often limited by the cryptographic processing capacity of the endpoint CPUs rather than the link bandwidth. A symmetric 100 Mbps link with only 20 Mbps throughput strongly indicates that the VPN endpoints cannot encrypt/decrypt fast enough, creating a CPU bottleneck.

Exam trap

The trap here is that candidates often assume a slow VPN is always due to network issues like congestion or MTU, but the CISSP exam tests the understanding that encryption overhead, especially with AES-256, can be a CPU-bound bottleneck on the endpoints.

How to eliminate wrong answers

Option A is wrong because packet loss due to link congestion would typically cause TCP throughput to drop, but the link is symmetric 100 Mbps and not reported as saturated; the symptom is a consistent throughput cap, not variable loss. Option C is wrong because MTU mismatch causing fragmentation would result in increased overhead and possibly packet drops, but it would not consistently cap throughput at exactly 20 Mbps; it would cause performance degradation with larger packets, not a fixed rate. Option D is wrong because incorrect TCP window scaling can limit throughput on high-latency links, but the question does not mention high latency, and a fixed 20 Mbps cap on a 100 Mbps link is more characteristic of a CPU processing limit than a window scaling issue.

46
MCQeasy

An organization wants to ensure that employees can securely access internal applications from home. They deploy a VPN solution. Which VPN type provides the strongest encryption and is most commonly used for remote access?

A.IPsec with IKEv2 and AES-256
B.MPLS Layer 3 VPN
C.L2TP without encryption
D.PPTP
AnswerA

This provides strong encryption and is widely used for remote access.

Why this answer

IPsec with IKEv2 and AES-256 provides the strongest encryption for remote access VPNs. IKEv2 offers improved security features like mobility and multi-homing support, while AES-256 is a symmetric cipher with a 256-bit key for which brute-force key recovery is currently considered infeasible. This combination is widely deployed for secure client-to-site connections.

Exam trap

The trap here is that candidates often confuse MPLS Layer 3 VPN (a site-to-site provider-based solution) with remote access VPNs, or they underestimate the weakness of PPTP and unencrypted L2TP, assuming any tunneling protocol provides adequate security.

How to eliminate wrong answers

Option B is wrong because MPLS Layer 3 VPN is a service provider technology used to connect multiple sites over a provider network, not a remote access VPN for individual employees; it does not encrypt user traffic. Option C is wrong because L2TP without encryption provides no confidentiality; it only tunnels traffic and relies on an additional protocol like IPsec for encryption, making it insecure on its own. Option D is wrong because PPTP uses the outdated MPPE encryption with RC4, which has known vulnerabilities and is considered weak and deprecated for secure remote access.

47
MCQmedium

A network engineer is troubleshooting an IPsec VPN tunnel between two sites. The tunnel is established but no traffic is passing. Which command should the engineer use to verify the phase 2 security associations?

A.Traceroute between site gateways
B.show crypto ipsec sa
C.Ping between site gateways
D.show crypto isakmp sa
AnswerB

This command displays phase 2 SAs.

Why this answer

The command 'show crypto ipsec sa' displays the IPsec security associations (SAs) for Phase 2, which include encryption and authentication parameters, SPI values, and packet counters. Since the tunnel is established but no traffic passes, this command reveals whether the Phase 2 SAs are properly negotiated and active, or if they are in a mismatch state (e.g., mismatched proxy IDs or transform sets).

Exam trap

ISC2 often tests the distinction between Phase 1 (IKE) and Phase 2 (IPsec) SAs, leading candidates to mistakenly choose 'show crypto isakmp sa' when the question specifically asks about Phase 2 security associations.

How to eliminate wrong answers

Option A is wrong because traceroute between site gateways tests Layer 3 path connectivity, not the state of IPsec Phase 2 SAs; it would succeed even if IPsec is misconfigured. Option C is wrong because ping between site gateways only verifies basic IP reachability and does not inspect the IPsec SA table; it may succeed if the tunnel is up but Phase 2 SAs are missing or mismatched. Option D is wrong because 'show crypto isakmp sa' shows Phase 1 (IKE) security associations, which are for key exchange and authentication; Phase 1 can be up while Phase 2 (IPsec) SAs are absent or broken.

48
MCQeasy

A company has multiple offices connected via a WAN. They want to ensure that all traffic between offices is encrypted and authenticated. Which technology is most appropriate?

A.MPLS
B.DMVPN
C.SSL VPN
D.IPsec VPN
AnswerD

IPsec VPN is the standard for site-to-site encryption and authentication.

Why this answer

IPsec VPN is the most appropriate technology because it operates at the network layer (Layer 3) and provides both encryption and authentication for all IP traffic between sites over an untrusted WAN. It uses protocols such as ESP (Encapsulating Security Payload) for confidentiality and AH (Authentication Header) or ESP for integrity and authentication, ensuring that all inter-office traffic is protected in transit.

Exam trap

ISC2 often tests the distinction between VPN technologies by presenting DMVPN as a tempting answer because it is a Cisco-specific solution for dynamic site-to-site VPNs, but the trap is that DMVPN is a framework that relies on IPsec for encryption and authentication, not a replacement for it.

How to eliminate wrong answers

Option A (MPLS) is wrong because MPLS is a label-switching technology that improves performance and traffic engineering but does not inherently provide encryption or authentication; it relies on underlying security mechanisms like IPsec for confidentiality. Option B (DMVPN) is wrong because DMVPN is a dynamic VPN architecture that simplifies hub-and-spoke or spoke-to-spoke VPN deployments, but it still requires IPsec for encryption and authentication; it is not a standalone encryption technology. Option C (SSL VPN) is wrong because SSL VPN typically operates at the application or transport layer and is designed for remote user access to specific applications or networks, not for site-to-site encryption of all traffic between offices; it lacks the network-layer transparency and scalability for full site-to-site connectivity.

49
MCQhard

A network engineer is configuring a firewall to allow HTTP traffic from the internet to a web server (10.0.0.10). The firewall has three interfaces: outside (ISP), DMZ (10.0.0.0/24), and inside (192.168.1.0/24). The web server is in the DMZ. Which rule is correct?

A.Rule: Source interface Inside, Source any, Destination 10.0.0.10, Port 80, Action allow
B.Rule: Source interface Outside, Source any, Destination 10.0.0.10, Port 80, Action allow
C.Rule: Source interface Outside, Source 192.168.1.0/24, Destination 10.0.0.10, Port 80, Action allow
D.Rule: Source interface DMZ, Source any, Destination 10.0.0.10, Port 80, Action allow
AnswerB

This correctly allows inbound HTTP from internet to DMZ web server.

Why this answer

Option B is correct because HTTP traffic from the internet arrives on the outside interface, and the firewall rule must match the source interface (Outside), allow any source IP, and specify the destination IP (10.0.0.10) and port 80. This permits inbound web traffic to the DMZ web server while maintaining security boundaries.

Exam trap

ISC2 often tests the concept that firewall rules must specify the correct source interface (ingress zone) rather than just the source IP, leading candidates to mistakenly choose rules that match the destination but not the traffic's entry point.

How to eliminate wrong answers

Option A is wrong because the source interface is Inside (192.168.1.0/24), which would allow traffic from the internal network, not from the internet. Option C is wrong because the source is restricted to 192.168.1.0/24, which is the internal subnet, not the internet; this would block legitimate external HTTP requests. Option D is wrong because the source interface is DMZ, which would only allow traffic originating from within the DMZ itself, not from the internet.

50
MCQhard

A network administrator has configured private VLANs on a switch. The host on this port is part of PVLAN 100, and its associated secondary PVLAN is 200. What is the expected behavior for traffic from this host to other hosts in the same primary VLAN 100?

A.It cannot communicate with any other host
B.It can communicate only with other hosts in the same secondary VLAN 200
C.It can communicate with the promiscuous port only
D.It can communicate with all hosts in primary VLAN 100
AnswerC

Private VLAN host ports can only communicate with the promiscuous port in the same primary VLAN.

Why this answer

In a private VLAN (PVLAN) configuration, a host in a community or isolated secondary VLAN cannot communicate with other hosts in the same primary VLAN unless they share a community secondary VLAN. The question places the host in primary VLAN 100 with secondary VLAN 200 but does not state that VLAN 200 is a community VLAN, so the host must be treated as isolated, and an isolated host can reach other devices only through the promiscuous port (typically connected to a router or firewall). The host can therefore send traffic only to the promiscuous port, which forwards it as needed.

Exam trap

ISC2 often tests the misconception that a host in a private VLAN can communicate with all other hosts in the same primary VLAN, but the correct behavior is that host-to-host communication is restricted to the same secondary VLAN (if community) or only to the promiscuous port (if isolated), and the question's phrasing 'associated secondary PVLAN is 200' implies an isolated VLAN unless stated otherwise.

How to eliminate wrong answers

Option A is wrong because a host in a private VLAN can still communicate with the promiscuous port, so it is not completely isolated from all hosts. Option B is wrong because the question does not indicate that any other hosts share secondary VLAN 200; even if they did, host-to-host communication within a secondary VLAN is possible only in a community VLAN, and an isolated VLAN (the usual case when a single secondary VLAN is assigned) blocks all host-to-host communication within it. Option D is wrong because private VLANs explicitly prevent hosts in different secondary VLANs from communicating, and hosts in the same isolated secondary VLAN cannot communicate directly either; only the promiscuous port can reach all hosts in the primary VLAN.

51
Multi-Selecthard

Which THREE are essential elements of a Transport Layer Security (TLS) handshake? (Choose three.)

Select 3 answers
A.Key generation
B.Cipher suite negotiation
C.Certificate exchange
D.User authentication
E.Session ticket exchange
AnswersA, B, C

The handshake derives symmetric encryption keys.

Why this answer

Key generation is essential because during a TLS handshake, the client and server derive session keys using the pre-master secret exchanged via asymmetric encryption (e.g., RSA or Diffie-Hellman). These keys are then used for symmetric encryption of the session, ensuring confidentiality and integrity. Without key generation, no secure communication channel can be established.

Exam trap

The trap here is that candidates often confuse optional features like session resumption (session tickets) or client authentication as mandatory handshake elements, when in fact the three essential components are cipher suite negotiation, certificate exchange, and key generation.

52
Multi-Selecteasy

Which TWO of the following are valid reasons to implement network segmentation?

Select 2 answers
A.To isolate sensitive data and systems from the rest of the network.
B.To eliminate single points of failure.
C.To contain broadcast traffic and improve performance.
D.To reduce network latency.
E.To simplify routing tables.
AnswersA, C

Limits exposure of critical assets.

Why this answer

Network segmentation isolates sensitive data and systems by creating separate broadcast domains or VLANs, restricting unauthorized access and lateral movement. This is a core security principle for protecting critical assets, as it limits the attack surface and enforces access controls between segments.

Exam trap

The trap here is that candidates confuse network segmentation with performance optimization techniques like load balancing or redundancy, leading them to incorrectly select options that address latency or fault tolerance rather than the primary security and broadcast containment benefits.

53
Multi-Selectmedium

Which TWO are common techniques to defend against VLAN hopping attacks? (Choose two.)

Select 2 answers
A.Disable DTP
B.Enable BPDU Guard
C.Use Private VLANs
D.Enable Port Security
E.Set access ports as static VLAN
AnswersA, E

DTP can be exploited to negotiate a trunk, enabling hopping.

Why this answer

Disabling Dynamic Trunking Protocol (DTP) on all switch ports prevents interfaces from automatically negotiating trunk links, which is the primary vector for VLAN hopping attacks. By setting ports to 'switchport mode access' and disabling DTP with 'switchport nonegotiate', an attacker cannot trick the switch into forming a trunk and gain access to traffic from multiple VLANs.

Exam trap

ISC2 often tests the distinction between DTP-related defenses (disabling DTP, setting static access) and other Layer 2 security features like BPDU Guard or Port Security, leading candidates to confuse STP or MAC-based protections with VLAN hopping countermeasures.
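Questions 42 and 53 together name the switchport settings that close VLAN hopping: a static mode, 'switchport nonegotiate', and a native VLAN that carries no user traffic. The audit below checks an IOS-style running-config for those settings; it is an added example, not code from the question bank, and the config excerpt is constructed (the interface names and VLAN numbers are assumptions).

```python
import re
from dataclasses import dataclass

# Constructed IOS-style running-config excerpt (not from the page). Gi0/1 and
# Gi0/3 follow the defences; Gi0/2, Gi0/4 and Gi0/5 each miss at least one.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink to core, hardened
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description uplink to distribution, native VLAN left at 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/3
 description user port, hardened
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/4
 description user port, still negotiates via DTP
 switchport access vlan 20
!
interface GigabitEthernet0/5
 description trunk whose native VLAN is also a user VLAN
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 switchport nonegotiate
!
"""


@dataclass
class Port:
    name: str
    mode: str = "dynamic"      # no 'switchport mode' line: DTP negotiation stays possible
    native_vlan: int = 1       # IOS default native VLAN
    access_vlan: int = 1       # IOS default access VLAN
    nonegotiate: bool = False


NATIVE_RE = re.compile(r"switchport trunk native vlan (\d+)")
ACCESS_RE = re.compile(r"switchport access vlan (\d+)")


def parse_config(text: str):
    """Collect the VLAN-hopping-relevant switchport settings of each interface."""
    ports, current = [], None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = Port(name=raw.split(None, 1)[1].strip())
            ports.append(current)
        elif raw.strip() == "!":
            current = None  # end of the interface block
        elif current is not None:
            cmd = raw.strip()
            if cmd.startswith("switchport mode "):
                current.mode = cmd.split()[2]   # access, trunk or dynamic
            elif cmd == "switchport nonegotiate":
                current.nonegotiate = True
            elif m := NATIVE_RE.fullmatch(cmd):
                current.native_vlan = int(m.group(1))
            elif m := ACCESS_RE.fullmatch(cmd):
                current.access_vlan = int(m.group(1))
    return ports


def audit(ports):
    """Return (interface, finding) pairs for settings that leave VLAN hopping possible."""
    user_vlans = {p.access_vlan for p in ports if p.mode == "access"}
    findings = []
    for p in ports:
        if p.mode not in ("access", "trunk"):
            findings.append((p.name, "no static 'switchport mode'; DTP can negotiate a trunk"))
        if not p.nonegotiate:
            findings.append((p.name, "missing 'switchport nonegotiate'; port still sends DTP frames"))
        if p.mode == "trunk":
            if p.native_vlan == 1:
                findings.append((p.name, "native VLAN left at default 1; set it to an unused VLAN"))
            elif p.native_vlan in user_vlans:
                findings.append((p.name, f"native VLAN {p.native_vlan} also carries user traffic"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{name}: {finding}")
```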

54
MCQmedium

A network engineer is configuring 802.1X authentication for wired network access. The authentication server supports EAP-TLS. What must be deployed to clients to support this authentication method?

A.Client certificate
B.Server certificate
C.RADIUS server
D.Shared secret
AnswerA

EAP-TLS requires both client and server certificates for mutual authentication.

Why this answer

EAP-TLS requires mutual authentication using digital certificates on both the client and the server. The client must present a certificate to prove its identity to the authentication server, which is validated against a trusted root CA. Without a client certificate, EAP-TLS cannot establish the TLS tunnel, as it relies on certificate-based client authentication per RFC 5216.

Exam trap

ISC2 often tests the distinction between what is deployed to clients versus the infrastructure; candidates mistakenly choose 'server certificate' because they know TLS requires certificates, but forget that EAP-TLS mandates client certificates for mutual authentication.

How to eliminate wrong answers

Option B is wrong because a server certificate is already required by the authentication server (RADIUS) for EAP-TLS, but the question asks what must be deployed to clients, not the server. Option C is wrong because a RADIUS server is the authentication server itself, not something deployed to clients; clients communicate with the RADIUS server via the authenticator (switch). Option D is wrong because a shared secret is used between the authenticator (switch) and the RADIUS server for secure communication, not between the client and the authentication server in EAP-TLS.

55
MCQeasy

A small company with 50 employees operates a flat network where all workstations, servers, and printers are on a single subnet without segmentation. The company recently suffered a ransomware outbreak that spread rapidly from an infected workstation to the file server and multiple other machines, causing significant downtime. The IT manager wants to redesign the network to contain future outbreaks and limit lateral movement. The budget is limited, and the environment uses a mixture of managed and unmanaged switches. Which course of action would BEST mitigate the risk of lateral spread while minimizing cost and complexity?

A.Implement VLANs with ACLs to separate departments and restrict traffic between them.
B.Enable full-disk encryption on all endpoints and servers.
C.Upgrade all endpoint antivirus to the latest version and enable real-time scanning.
D.Deploy a network-based intrusion detection system (IDS) to alert on suspicious traffic.
AnswerA

VLANs create logical segmentation; ACLs enforce policies to allow only necessary traffic, containing outbreaks to one segment.

Why this answer

Implementing VLANs with ACLs segments the flat network into separate broadcast domains at Layer 2, and the ACLs restrict traffic between departments, which prevents lateral movement. This directly contains ransomware propagation without requiring new hardware, as VLANs can be configured on existing managed switches, making it cost-effective. ACLs further enforce least-privilege access between VLANs, blocking unauthorized inter-VLAN communication.

Exam trap

The trap here is that candidates often choose endpoint-focused solutions (like antivirus or encryption) because they seem directly related to malware, but the question specifically targets lateral movement containment, which requires network segmentation, not just endpoint protection.

How to eliminate wrong answers

Option B is wrong because full-disk encryption protects data at rest but does not prevent lateral movement or contain ransomware spread across the network. Option C is wrong because upgrading antivirus only improves endpoint detection but does not segment the network, so ransomware can still propagate laterally via SMB or other protocols. Option D is wrong because a network-based IDS only alerts on suspicious traffic after it occurs, lacking proactive containment to stop lateral movement in real time.

56
MCQmedium

A company uses WPA2-Enterprise with EAP-TLS for wireless access. An employee reports that a new laptop cannot connect to the wireless network, while older laptops work fine. The employee has installed the correct client certificate. What is the most likely cause?

A.The wireless network uses WPA2-PSK instead of WPA2-Enterprise.
B.The RADIUS server's certificate is not trusted by the new laptop.
C.The client certificate is not correctly associated with the user account.
D.The laptop does not support MSCHAPv2.
AnswerB

EAP-TLS mutual authentication requires the client to trust the server's certificate.

Why this answer

In WPA2-Enterprise with EAP-TLS, mutual authentication requires the client to validate the RADIUS server's certificate. If the new laptop does not trust the RADIUS server's certificate (e.g., its CA root certificate is missing or expired), the EAP-TLS handshake will fail, preventing connection. Older laptops likely have the necessary root CA installed, while the new laptop does not.

Exam trap

The trap here is that candidates may confuse EAP-TLS with EAP-PEAP or EAP-TTLS, which use MSCHAPv2 for inner authentication, and incorrectly assume the issue is MSCHAPv2 support, when in fact EAP-TLS relies solely on certificate trust.

How to eliminate wrong answers

Option A is wrong because the question explicitly states the network uses WPA2-Enterprise with EAP-TLS, not WPA2-PSK; a PSK mismatch would affect all clients, not just the new laptop. Option C is wrong because the employee has installed the correct client certificate, and EAP-TLS authenticates the client based on the certificate itself, not a user account association; the RADIUS server validates the client certificate against its trust store, not a user account. Option D is wrong because EAP-TLS does not use MSCHAPv2; it uses TLS-based certificate authentication, so MSCHAPv2 support is irrelevant.

57
Multi-Selectmedium

A security architect is designing a secure communication channel between two remote sites over the internet. Which TWO of the following protocols should be used to ensure confidentiality, integrity, and authentication?

Select 2 answers
A.PPTP
B.SSL/TLS
C.IPsec with ESP in tunnel mode
D.MPLS
E.L2TP over IPsec
AnswersC, E

IPsec ESP provides encryption and authentication.

Why this answer

Options C (IPsec with ESP in tunnel mode) and E (L2TP over IPsec) provide encryption and authentication for site-to-site VPNs. PPTP is outdated and insecure. SSL/TLS is primarily used for client-to-site VPNs. MPLS does not provide encryption.

58
MCQhard

A security analyst is evaluating the impact of upgrading web servers from TLS 1.2 to TLS 1.3. Which advantage does TLS 1.3 offer in terms of handshake efficiency?

A.It supports the same cipher suites as TLS 1.2
B.Fewer round trips during handshake
C.More round trips during handshake
D.It eliminates the need for asymmetric encryption
AnswerB

TLS 1.3 handshake takes 1 RTT, down from 2 in TLS 1.2.

Why this answer

TLS 1.3 reduces the handshake from two round trips (2-RTT) in TLS 1.2 to one round trip (1-RTT) for a full handshake, and offers 0-RTT for resumed sessions. This is achieved by sending the key exchange parameters together with the ClientHello and ServerHello, eliminating the extra round trip that TLS 1.2 needs before the key exchange completes. The result is lower latency and faster connection establishment, which is critical for performance-sensitive applications.

Exam trap

The trap here is that candidates may confuse 'fewer round trips' with 'eliminating asymmetric encryption,' but TLS 1.3 still relies on asymmetric key exchange (e.g., ECDHE) for forward secrecy, just in a more streamlined handshake.

How to eliminate wrong answers

Option A is wrong because TLS 1.3 does not support the same cipher suites as TLS 1.2; it removes weak or obsolete ciphers (e.g., CBC-mode ciphers, RC4, 3DES) and mandates only AEAD ciphers like AES-GCM and ChaCha20-Poly1305. Option C is wrong because TLS 1.3 actually reduces the number of round trips compared to TLS 1.2, not increases them. Option D is wrong because TLS 1.3 still requires asymmetric encryption for the initial key exchange (e.g., ECDHE or DHE) to establish a shared secret; it does not eliminate asymmetric cryptography entirely.

59
MCQhard

Refer to the exhibit. The ACL is applied inbound on the DMZ interface. What is the effect of this configuration?

A.The ACL permits all HTTP traffic to the web server and blocks all other traffic.
B.The ACL allows HTTP requests to the web server and allows the web server to respond, but blocks it from initiating new connections to the inside.
C.The ACL permits the web server to respond to HTTP requests but blocks all other outbound traffic.
D.The ACL allows the web server to initiate connections to the internal network.
AnswerB

Correct as explained.

Why this answer

The ACL is applied inbound on the DMZ interface, meaning it filters traffic entering the DMZ from the outside. The specific permit statement allows HTTP (TCP port 80) traffic from any source to the web server's IP address. Because the ACL is inbound, it only controls traffic arriving at the DMZ interface; return traffic from the web server to the inside is not subject to this ACL (it is evaluated by the outbound ACL on the inside interface or by stateful inspection).

Thus, the web server can respond to HTTP requests (which are part of the same session), but it cannot initiate new connections to the inside because those would be outbound from the DMZ and not permitted by the inbound ACL on the DMZ interface.

Exam trap

ISC2 often tests the distinction between inbound and outbound ACL application, tricking candidates into thinking an inbound ACL on the DMZ interface controls outbound traffic from the DMZ, when in fact it only controls traffic entering the DMZ.

How to eliminate wrong answers

Option A is wrong because the ACL does not explicitly block all other traffic; it only permits HTTP traffic inbound to the web server, and everything else (e.g., ICMP, SSH) is dropped by the implicit deny at the end of the ACL rather than by an explicit block. Option C is wrong because the ACL is applied inbound on the DMZ interface, so it controls traffic entering the DMZ, not outbound traffic from the web server; the web server's responses are part of the established session and are not blocked by this inbound ACL. Option D is wrong because the ACL does not permit the web server to initiate connections to the internal network; it only permits inbound HTTP traffic to the web server, and any new connection from the web server to the inside would be outbound from the DMZ and would be denied by the implicit deny unless a separate permit statement exists.
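Questions 49 and 59 make the same two points: a rule is matched on the ingress interface, not just the destination, and return traffic of an established session passes while a new connection from the DMZ to the inside hits the implicit deny. The simulator below walks through both with the page's addresses (10.0.0.10 web server, 192.168.1.0/24 inside); it is an added example rather than code from the question bank, and the stateful session table, the client address 198.51.100.25 and the port numbers are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on: outside, dmz or inside
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    ingress: str
    src_net: str   # "any" or a CIDR such as 192.168.1.0/24
    dst_ip: str
    dport: int
    action: str = "allow"

    def matches(self, pkt: Packet) -> bool:
        """A rule applies only to packets entering on its ingress interface."""
        if pkt.ingress != self.ingress or pkt.dst != self.dst_ip or pkt.dport != self.dport:
            return False
        if self.src_net == "any":
            return True
        return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)


class StatefulFirewall:
    """Rule table plus a session table; replies to permitted sessions need no rule."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()   # (src, sport, dst, dport) of permitted connections

    def process(self, pkt: Packet) -> str:
        # Reverse of a permitted 5-tuple: this is return traffic of an existing session.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "allow (established)"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                    return "allow (rule)"
                return "deny (rule)"
        return "deny (implicit)"   # nothing matched: implicit deny at the end of the list


# The four candidate rules from question 49, keyed by option letter.
CANDIDATE_RULES = {
    "A": Rule("inside", "any", "10.0.0.10", 80),
    "B": Rule("outside", "any", "10.0.0.10", 80),
    "C": Rule("outside", "192.168.1.0/24", "10.0.0.10", 80),
    "D": Rule("dmz", "any", "10.0.0.10", 80),
}

# Constructed internet client (198.51.100.25 is a documentation address) opening HTTP.
INTERNET_CLIENT = Packet("outside", "198.51.100.25", 51000, "10.0.0.10", 80)


def evaluate_candidates():
    """Which of the four rules lets the internet client's request through?"""
    return {letter: StatefulFirewall([rule]).process(INTERNET_CLIENT)
            for letter, rule in CANDIDATE_RULES.items()}


def run_dmz_scenario():
    """Question 59: the server may answer, but may not start a connection inward."""
    fw = StatefulFirewall([CANDIDATE_RULES["B"]])
    return {
        "client_request": fw.process(INTERNET_CLIENT),
        "server_reply": fw.process(Packet("dmz", "10.0.0.10", 80, "198.51.100.25", 51000)),
        "server_to_inside": fw.process(Packet("dmz", "10.0.0.10", 40000, "192.168.1.5", 445)),
    }


if __name__ == "__main__":
    for letter, verdict in evaluate_candidates().items():
        print(f"rule {letter}: internet client -> web server: {verdict}")
    for step, verdict in run_dmz_scenario().items():
        print(f"{step}: {verdict}")
```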

60
MCQmedium

A company recently suffered a data breach where an attacker was able to intercept network traffic and read sensitive data. Which network security control should be implemented to prevent this type of attack?

A.Encryption at the network layer (e.g., IPsec)
B.Network segmentation
C.Intrusion prevention system (IPS)
D.Strong password policies
AnswerA

IPsec ESP encrypts IP packets, making intercepted data unreadable without the session keys.

Why this answer

IPsec operates at the network layer (Layer 3) and, with ESP, encrypts the IP payload (and in tunnel mode the entire original packet), so an attacker who intercepts the traffic sees only ciphertext. This directly addresses the scenario where an attacker reads sensitive data from intercepted traffic. IPsec can be configured in transport mode for end-to-end protection between hosts or in tunnel mode for gateway-to-gateway VPNs. Note that only ESP provides encryption; AH authenticates packets but leaves the payload in the clear.

Exam trap

ISC2 often tests the misconception that network segmentation (Option B) prevents data interception, but segmentation only limits lateral movement, not the ability to read traffic within the same segment.

How to eliminate wrong answers

Option B is wrong because network segmentation (e.g., VLANs, subnets) limits the scope of traffic an attacker can reach but does not encrypt data; an attacker who intercepts traffic within a segment can still read it in plaintext. Option C is wrong because an intrusion prevention system (IPS) detects and blocks malicious patterns in traffic but does not encrypt data; it cannot prevent an attacker from reading already intercepted plaintext traffic. Option D is wrong because strong password policies control authentication and access but do not protect data in transit; an attacker who intercepts network traffic can bypass password controls entirely.

61
Matchingmedium

Match each threat type to its description.

Phishing: Fraudulent emails to obtain sensitive info
Spear phishing: Targeted phishing at specific individuals
Whaling: Phishing targeting senior executives
Vishing: Voice phishing over phone
Smishing: Phishing via SMS

Why these pairings

All five are social engineering attacks that differ only by channel or target: generic email phishing, spear phishing aimed at named individuals, whaling aimed at executives, vishing delivered by voice call, and smishing delivered by SMS.

62
MCQhard

An organization is designing a multicast network for live video streaming. They need to ensure that only authorized receivers can access the multicast group. Which technique should be implemented?

A.IGMP filtering
B.Multicast VLAN registration
C.Static IGMP entries
D.IGMP snooping with port security
AnswerA

IGMP filtering restricts which hosts can join multicast groups via IGMP messages.

Why this answer

IGMP filtering allows the network to control which hosts are permitted to join a multicast group by filtering IGMP membership reports at the access layer. This ensures that only authorized receivers can become members of the multicast group, providing access control for live video streaming. It is the most direct technique for enforcing authorization at the receiver level.

Exam trap

The trap here is that candidates confuse IGMP snooping (which optimizes multicast traffic delivery) with IGMP filtering (which enforces access control), leading them to pick IGMP snooping with port security as a security measure when it only controls traffic flooding, not authorization.

How to eliminate wrong answers

Option B is wrong because Multicast VLAN Registration (MVR) is designed to efficiently deliver multicast traffic across VLANs, not to enforce receiver authorization. Option C is wrong because static IGMP entries manually assign a host to a multicast group without any dynamic authorization check, which does not scale or enforce per-receiver access control. Option D is wrong because IGMP snooping with port security only monitors and restricts traffic based on MAC addresses or port-level security, not IGMP group membership authorization; it does not prevent an unauthorized host from sending a valid IGMP join.

63
Multi-Selecteasy

Which TWO options are valid methods for providing confidentiality in network communications? (Choose two.)

Select 2 answers
A.SSH
B.ESP in transport mode
C.HMAC
D.AH in tunnel mode
E.TLS 1.3
AnswersB, E

ESP and TLS 1.3 both encrypt the data they carry, providing confidentiality.

Why this answer

ESP (Encapsulating Security Payload) in transport mode provides confidentiality by encrypting the payload of an IP packet while leaving the original IP header intact. This is a core function of IPsec; ESP can also provide integrity and authentication, but encryption is its defining role. TLS 1.3 is the second correct option: it encrypts application data on top of TCP, and every TLS 1.3 cipher suite is an AEAD construction, so confidentiality is no longer optional as it was with the NULL cipher suites of earlier versions. Be aware that SSH (Option A) also encrypts its channel; the key treats the IPsec and TLS pair as the intended answers, so read the options for the contrast the item is drawing (encryption versus integrity-only mechanisms such as AH and HMAC) rather than concluding that SSH lacks confidentiality.

Exam trap

ISC2 often tests the distinction between protocols that provide confidentiality (encryption) versus those that provide integrity/authentication only, so candidates may mistakenly select AH or HMAC thinking they offer encryption when they do not.

64
Multi-Selectmedium

Which THREE of the following are valid methods for securing wireless networks against unauthorized access?

Select 3 answers
A.MAC address filtering
B.Implementing a wireless intrusion prevention system (WIPS)
C.WPA3-Enterprise with 802.1X
D.Using WEP with a complex key
E.Disabling SSID broadcast
AnswersA, B, C

MAC filtering can restrict which devices can connect, though it can be bypassed; it is a valid method.

Why this answer

MAC address filtering (A) is a basic access control: the access point admits only devices whose MAC addresses are on an allow list. It is weak, because a client's MAC address can be read from any captured frame and changed with a tool such as `macchanger` or with `ip link set dev wlan0 address`, so it stops only casual connections. A wireless intrusion prevention system (B) detects and can contain rogue access points, evil twins and deauthentication attacks. WPA3-Enterprise with 802.1X (C) is the strong control: each user or device authenticates to a RADIUS server with an EAP method such as EAP-TLS, and every client receives its own session keys.

Exam trap

The trap here is that candidates often believe disabling SSID broadcast or using WEP with a complex key provides meaningful security, but the CISSP exam expects you to recognize these as obsolete or easily bypassed controls that do not prevent unauthorized access.

65
MCQeasy

A company needs to provide secure remote access to employees using company-issued laptops. The solution must support both web applications and legacy client-server apps without installing client software on the laptops. Which VPN technology is best?

A.SSL VPN with clientless web access and port forwarding
B.L2TP over IPsec
C.MPLS Layer 3 VPN
D.IPsec tunnel mode
AnswerA

SSL VPN offers clientless access for web apps and port forwarding for legacy apps, meeting the requirement.

Why this answer

SSL VPN with clientless web access and port forwarding is the best choice because it meets the requirement of supporting both web applications and legacy client-server apps without installing client software. Clientless web access provides secure HTTPS-based access to internal web applications through a browser, while port forwarding allows legacy TCP-based client-server applications to be tunneled through the SSL VPN without a full VPN client on the laptop. In practice the port-forwarding feature is delivered as a small browser-launched helper (a thin client) rather than an installed VPN client, which is what distinguishes it from Options B and D.

Exam trap

The trap here is that candidates often assume IPsec (Option D) is the only 'secure' VPN option and overlook that SSL VPNs can provide equivalent security with clientless access, or they confuse MPLS (Option C) as a remote access solution when it is actually a WAN technology for site-to-site connectivity.

How to eliminate wrong answers

Option B (L2TP over IPsec) is wrong because it requires a native VPN client or OS-level configuration on the laptop, which contradicts the 'without installing client software' requirement; it also does not natively support clientless web access. Option C (MPLS Layer 3 VPN) is wrong because it is a service provider technology for connecting entire networks at Layer 3, not a remote access VPN for individual endpoints, and it requires MPLS-capable routers and no user-level authentication or clientless access. Option D (IPsec tunnel mode) is wrong because it requires a dedicated IPsec client or OS-level VPN stack to be installed or configured on the laptop, and it does not provide clientless web access or port forwarding for legacy apps without additional software.

66
MCQhard

A large hospital uses a wireless LAN (WLAN) for mobile medical devices and staff tablets. Recently, nurses reported intermittent connectivity drops and high retransmission rates specifically in the east wing near the elevator banks. The WLAN is based on 802.11ac in the 5 GHz band. The hospital's IT team has already checked for channel overlap, and the APs are configured to use non-overlapping channels with automatic channel selection. Signal strength in the area is adequate (-65 dBm). However, the retransmission rate spikes during peak hours. Which approach should the network team take FIRST to diagnose and resolve the issue?

A.Conduct a spectrum analysis to identify sources of interference and reposition APs away from the elevator shafts.
B.Enable frequency hopping on the APs to avoid interference.
C.Increase the transmit power of the APs in the east wing to improve signal-to-noise ratio.
D.Deploy additional APs in the elevator area to provide more capacity and redundancy.
AnswerA

Spectrum analysis reveals non-Wi-Fi interference (e.g., from elevator motors) and guides AP placement to minimize its impact.

Why this answer

The symptoms—intermittent connectivity drops and high retransmission rates near elevator banks during peak hours—strongly suggest external RF interference, likely from the elevator motors or other electrical equipment. A spectrum analysis is the correct first step because it can identify non-Wi-Fi interference sources (e.g., microwave ovens, motors, or radar) that cause packet corruption and retransmissions, even when signal strength is adequate and channels are non-overlapping. Repositioning APs away from the elevator shafts after identifying the interference source directly mitigates the physical cause.

Exam trap

The trap here is that candidates often assume retransmissions are caused by congestion or weak signal and jump to adding APs or increasing power, but the specific location (elevator banks) and intermittent nature point to external interference, which requires spectrum analysis first.

How to eliminate wrong answers

Option B is wrong because frequency hopping is not supported in 802.11ac (which uses OFDM with fixed channels); it is a legacy technique from Bluetooth or older 802.11 FHSS standards and would not resolve interference from continuous sources like elevator motors. Option C is wrong because increasing transmit power would only amplify the signal but also potentially amplify the interference or cause co-channel interference with other APs, and the issue is not weak signal (-65 dBm is adequate) but corrupted packets due to interference. Option D is wrong because deploying additional APs in the elevator area would add capacity but not address the root cause of interference; more APs could even worsen retransmissions if they contend for the same medium or pick up the same interference.

67
MCQhard

During a security audit, it is discovered that a network firewall is allowing traffic based on source IP address only, without inspecting application-layer data. Which type of firewall is this?

A.Packet filter
B.Circuit-level gateway
C.Application gateway
D.Stateful inspection
AnswerA

Packet filters examine only packet headers.

Why this answer

A packet filter firewall operates at Layer 3 (Network) and Layer 4 (Transport) of the OSI model, making decisions solely based on source and destination IP addresses, ports, and protocols. It does not inspect application-layer data (Layer 7), which matches the scenario where traffic is allowed based on source IP address only. This is the simplest and fastest type of firewall, but it lacks the ability to block attacks embedded in application payloads.
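The block below is an added example, not code from the original page, and serves both this question and the DMZ ACL explanation in question 59 above. It is a first-match evaluator for Cisco-style extended ACL rules with the implicit deny at the end, the `established` keyword (ACK or RST set) as the stateless approximation of "part of an existing session", and a deliberately header-only match so that a hostile HTTP payload to port 80 passes exactly as the explanation says a packet filter would let it. The addresses, hosts and rules are constructed: 192.0.2.10 is the DMZ web server, 10.0.0.5 an inside host, 198.51.100.7 an outside client.

```python
"""Stateless packet filter (Cisco-style extended ACL) evaluator.

Added example, not from the original page. Hosts, addresses and rules are
constructed for illustration. A packet filter sees only L3/L4 headers, so
the last case shows a hostile HTTP payload passing a 'permit ... eq 80' rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: FrozenSet[str] = frozenset()
    payload: bytes = b""              # never consulted by the filter


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches any protocol
    src: str                          # CIDR, single address or "any"
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False         # Cisco 'established': ACK or RST set


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header-only comparison; the payload is deliberately ignored."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.established and not ({"ACK", "RST"} & pkt.tcp_flags):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; no match falls through to the implicit deny."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


WEB_SERVER, INSIDE_HOST, OUTSIDE_HOST = "192.0.2.10", "10.0.0.5", "198.51.100.7"

# Constructed ACL from the DMZ question: one permit, then the implicit deny.
DMZ_INBOUND_ACL = [Rule("permit", "tcp", "any", WEB_SERVER, dport=80)]

# Constructed return-path ACL: only replies from port 80 that carry ACK/RST.
RETURN_ACL = [Rule("permit", "tcp", WEB_SERVER, "any", sport=80, established=True)]


def demo_cases() -> dict:
    """Returns the action taken for each constructed packet."""
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    cases = {
        "http_from_outside": (DMZ_INBOUND_ACL, Packet(OUTSIDE_HOST, WEB_SERVER, "tcp", 51000, 80, syn)),
        "ssh_from_outside": (DMZ_INBOUND_ACL, Packet(OUTSIDE_HOST, WEB_SERVER, "tcp", 51001, 22, syn)),
        "icmp_from_outside": (DMZ_INBOUND_ACL, Packet(OUTSIDE_HOST, WEB_SERVER, "icmp")),
        # New connection the web server itself opens toward the inside: implicit deny.
        "web_to_inside_new": (DMZ_INBOUND_ACL, Packet(WEB_SERVER, INSIDE_HOST, "tcp", 40000, 445, syn)),
        # Same headers as a normal request, hostile payload: still permitted.
        "http_with_hostile_payload": (DMZ_INBOUND_ACL, Packet(
            OUTSIDE_HOST, WEB_SERVER, "tcp", 51002, 80, frozenset({"ACK", "PSH"}),
            b"GET /../../etc/passwd HTTP/1.1\r\n\r\n")),
        # Reply in an existing session passes; a SYN forged from port 80 does not.
        "web_reply_ack": (RETURN_ACL, Packet(WEB_SERVER, OUTSIDE_HOST, "tcp", 80, 51000, ack)),
        "web_syn_from_port80": (RETURN_ACL, Packet(WEB_SERVER, OUTSIDE_HOST, "tcp", 80, 51000, syn)),
    }
    return {name: evaluate(acl, pkt)[0] for name, (acl, pkt) in cases.items()}


if __name__ == "__main__":
    for name, action in demo_cases().items():
        print(f"{name:26s} -> {action}")
```

The `established` rule is the stateless trick the page's "part of the same session" remark relies on: it only checks flag bits, so a forged packet with ACK set would also pass, which is exactly the gap a stateful firewall closes by tracking the real connection table.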

Exam trap

The trap here is that candidates often confuse 'stateful inspection' with 'packet filtering' because both examine IP addresses, but stateful inspection also tracks connection state, whereas the question explicitly states no application-layer inspection and only source IP filtering.

How to eliminate wrong answers

Option B is wrong because a circuit-level gateway operates at Layer 5 (Session layer) and validates TCP handshakes and session establishment (e.g., SOCKS proxy), not just source IP addresses. Option C is wrong because an application gateway (application-layer proxy) inspects application-layer data (Layer 7) such as HTTP headers or FTP commands, which contradicts the scenario of no application-layer inspection. Option D is wrong because stateful inspection tracks the state of active connections (e.g., TCP sequence numbers) and makes decisions based on both packet headers and connection state, not just source IP addresses.

68
MCQmedium

A company wants to implement 802.1X authentication on their wired network. Which components are required?

A.Supplicant and authenticator
B.Authenticator and authentication server
C.Supplicant, authenticator, and authentication server
D.Supplicant and authentication server
AnswerC

All three components are required for 802.1X.

Why this answer

802.1X requires three distinct roles to function: the supplicant (client software requesting access), the authenticator (network device like a switch that enforces port-based access control), and the authentication server (typically a RADIUS server that validates credentials). Without all three, the EAP (Extensible Authentication Protocol) exchange cannot complete, as the authenticator acts as a proxy between the supplicant and the authentication server. Option C is correct because it lists all three mandatory components.
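The simulation below is an added example, not code from the original page, and models the three roles in one process so the relay behaviour is visible in code: the supplicant and authentication server share a secret, the authenticator only passes messages through and flips the port state. The credential check is a constructed HMAC challenge-response standing in for a real EAP method (EAP-TLS or PEAP in a real deployment), and the user `alice` and her secret are hypothetical; message names follow EAP on the supplicant side and RADIUS on the server side.

```python
"""Three-role 802.1X exchange, simulated in one process.

Added example, not from the original page. The HMAC challenge-response is a
stand-in for a real EAP method; the user database is constructed. The point:
the authenticator relays and controls the port but never holds a credential.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class AuthenticationServer:
    """RADIUS-like server: the only party holding the credential store."""

    def __init__(self, user_db: Dict[str, bytes]) -> None:
        self._user_db = user_db
        self._pending: Dict[str, bytes] = {}

    def access_request(self, identity: str) -> dict:
        # Always issue a challenge, so an unknown identity is not
        # distinguishable from a known one before the response arrives.
        nonce = secrets.token_bytes(16)
        self._pending[identity] = nonce
        return {"code": "Access-Challenge", "nonce": nonce}

    def access_request_with_response(self, identity: str, response: bytes) -> str:
        nonce = self._pending.pop(identity, None)
        secret = self._user_db.get(identity)
        if nonce is None or secret is None:
            return "Access-Reject"
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"


class Supplicant:
    """Endpoint software; knows only its own identity and secret."""

    def __init__(self, identity: str, secret: bytes) -> None:
        self.identity = identity
        self._secret = secret

    def eap_response_identity(self) -> str:
        return self.identity

    def eap_response_challenge(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


class Authenticator:
    """Switch port: relays EAP <-> RADIUS and opens or keeps the port blocked."""

    def __init__(self, server: AuthenticationServer) -> None:
        self._server = server
        self.port_authorized = False      # unauthorized until Access-Accept

    def run_exchange(self, supplicant: Supplicant) -> str:
        identity = supplicant.eap_response_identity()               # EAP-Response/Identity
        challenge = self._server.access_request(identity)            # RADIUS Access-Request
        response = supplicant.eap_response_challenge(challenge["nonce"])  # relayed challenge
        result = self._server.access_request_with_response(identity, response)
        self.port_authorized = result == "Access-Accept"             # EAP-Success / EAP-Failure
        return result


# Constructed credential store (hypothetical user); lives only on the server.
USER_DB = {"alice": b"correct horse battery staple"}


def authenticate(identity: str, secret: bytes) -> Tuple[str, bool]:
    """Runs one exchange; returns (RADIUS result, port authorized?)."""
    server = AuthenticationServer(USER_DB)
    switch = Authenticator(server)
    result = switch.run_exchange(Supplicant(identity, secret))
    return result, switch.port_authorized


if __name__ == "__main__":
    print(authenticate("alice", b"correct horse battery staple"))
    print(authenticate("alice", b"wrong password"))
    print(authenticate("mallory", b"anything"))
```

Removing any one class breaks the exchange, which is the point of the question: without the server there is nothing to check the response against, without the supplicant nothing answers the challenge, and without the authenticator there is no port to open.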

Exam trap

The trap here is that candidates often assume the authenticator (switch) performs the actual authentication, leading them to pick Option B, but in 802.1X the authenticator only controls port state and relays messages—it never validates credentials itself.

How to eliminate wrong answers

Option A is wrong because omitting the authentication server leaves no entity to validate the supplicant's credentials; the authenticator alone cannot perform authentication. Option B is wrong because it omits the supplicant, which is the endpoint that initiates the authentication request and provides credentials; without a supplicant, there is no client to authenticate. Option D is wrong because it omits the authenticator, which is the network device (e.g., switch) that blocks or allows traffic on the port based on the authentication result and relays EAP frames between the supplicant and the authentication server.

69
MCQhard

You are the security architect for a global financial firm. The organization has recently deployed a new cloud-based application that requires low-latency connections between data centers in New York, London, and Tokyo. The existing WAN uses MPLS L3 VPNs with IPsec encryption. However, the application team reports excessive latency and packet loss during peak hours. The network team confirms that the MPLS links are underutilized, but the IPsec tunnels show high CPU usage on the edge routers. Additionally, the security policy mandates that all inter-data center traffic must be encrypted and authenticated. The firm has a budget for hardware upgrades but wants to minimize operational changes. Which of the following is the BEST course of action?

A.Reduce the IPsec encryption algorithm to AES-128 and the hash to SHA-1 to lower CPU usage.
B.Replace MPLS with dedicated point-to-point circuits and remove IPsec encryption.
C.Increase the MTU on the WAN interfaces to reduce packet fragmentation.
D.Upgrade the edge routers to models that support hardware-accelerated IPsec encryption.
AnswerD

Hardware offloading reduces CPU load and improves performance.

Why this answer

Option D is correct because the high CPU usage on edge routers is a classic symptom of software-based IPsec encryption overwhelming the router's CPU. Hardware-accelerated IPsec offloads the cryptographic operations to dedicated ASICs or crypto engines, reducing CPU load and eliminating the latency and packet loss caused by processing bottlenecks. This directly addresses the root cause without changing the security policy or requiring major operational changes.

Exam trap

The trap here is that candidates mistakenly think reducing encryption strength (Option A) will solve CPU issues, but the CISSP exam tests that hardware offload is the proper solution when CPU is the bottleneck, not the algorithm choice.

How to eliminate wrong answers

Option A is wrong because dropping to AES-128 and SHA-1 still leaves every packet's cryptography on the CPU; the problem is the absence of hardware offload, not the algorithm choice. SHA-1 is also deprecated by NIST (SP 800-131A) and its weaknesses are documented in RFC 6194, so the change risks violating the security policy as well. Option B is wrong because removing IPsec violates the mandatory policy that all inter-data center traffic be encrypted and authenticated, and dedicated circuits provide no confidentiality of their own. Option C is wrong because increasing the MTU does nothing for CPU exhaustion caused by IPsec processing; fragmentation is not the reported symptom, and a larger MTU that exceeds the path MTU can introduce drops and retransmissions of its own.

70
Multi-Selecthard

Which three BGP security mechanisms help protect against route hijacking? (Choose THREE.)

Select 3 answers
A.Resource Public Key Infrastructure (RPKI)
B.BGP Flowspec
C.Prefix filtering on edge routers
D.BGP MED attribute
E.MD5 authentication between BGP peers
AnswersA, C, E

RPKI validates the origin AS of announced prefixes; prefix filters and peer authentication block bogus announcements and forged sessions.

Why this answer

RPKI is correct because it uses cryptographically signed Route Origin Authorizations (ROAs) to state which AS may originate a given prefix and up to what prefix length. Routers performing route origin validation classify each announcement as Valid, Invalid or NotFound (RFC 6811) and typically drop Invalid routes, so a hijacker announcing someone else's prefix, or a more-specific of it, is rejected. Prefix filtering on edge routers (C) rejects announcements a peer should never send: bogons, your own address space arriving from outside, and prefixes outside what a customer is registered to originate. MD5 authentication between peers (E, RFC 2385) protects the TCP session so an attacker cannot inject updates or reset it; TCP-AO (RFC 5925) is its modern replacement and should be preferred where both peers support it.
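The block below is an added example, not code from the original page, showing how a router classifies an announcement against a set of ROAs. The ROAs, prefixes and AS numbers are constructed from documentation ranges (RFC 5737 prefixes, RFC 5398 AS numbers); the classification follows RFC 6811 and the accept-or-drop policy follows the common RFC 7115 practice of dropping only Invalid routes.

```python
"""RPKI route origin validation (RFC 6811 states) over constructed ROAs.

Added example, not from the original page. ROAs and announcements use
documentation prefixes and AS numbers and are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ROA:
    prefix: str          # e.g. "192.0.2.0/24"
    max_length: int      # longest prefix the ASN may announce from this block
    asn: int


def covering_roas(announced, roas: Iterable[ROA]) -> List[ROA]:
    """ROAs whose prefix contains the announced prefix (same address family)."""
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            out.append(roa)
    return out


def validate_origin(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """NotFound if no ROA covers the prefix; Valid if some covering ROA names
    this origin AS and allows this prefix length; Invalid otherwise (wrong
    origin AS, or announcement more specific than maxLength)."""
    announced = ipaddress.ip_network(announced_prefix, strict=False)
    covering = covering_roas(announced, roas)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def accept_route(state: str) -> bool:
    """Typical policy: drop Invalid, keep Valid and NotFound, because much of
    the routing table is still not covered by any ROA."""
    return state != "Invalid"


# Constructed ROA set, as a router would receive it from an RPKI validator.
ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),
]


def classify_announcements() -> Dict[str, str]:
    """Validation state for a handful of constructed announcements."""
    announcements = {
        "legit_exact": ("192.0.2.0/24", 64500),
        "hijack_wrong_origin": ("192.0.2.0/24", 64496),     # someone else's AS
        "hijack_more_specific": ("192.0.2.0/25", 64500),    # right AS, exceeds maxLength
        "legit_within_maxlen": ("198.51.100.0/24", 64501),
        "no_roa": ("203.0.113.0/24", 64500),
    }
    return {name: validate_origin(p, asn, ROAS) for name, (p, asn) in announcements.items()}


if __name__ == "__main__":
    for name, state in classify_announcements().items():
        print(f"{name:22s} {state:9s} accept={accept_route(state)}")
```

The more-specific case is the one to notice: the origin AS is correct, yet the route is Invalid because the ROA's maxLength is 24. This is why ROAs should be issued with a maxLength no longer than what is actually announced; a loose maxLength lets an attacker who has compromised or spoofed the legitimate origin AS hijack traffic with a more-specific announcement that still validates.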

Exam trap

ISC2 often tests the distinction between BGP security mechanisms that prevent hijacking (RPKI, prefix filtering, MD5 authentication) versus those that influence routing policy or traffic engineering (MED, Flowspec), leading candidates to mistakenly select MED or Flowspec as hijacking protections.

71
MCQmedium

A security engineer is troubleshooting a network where internal users can access internet websites but cannot reach the company's external VPN server (IP 203.0.113.50, UDP port 500). The firewall rule for VPN traffic is correctly configured. What is the most likely cause?

A.The VPN server is using TCP port 443 instead of UDP 500.
B.The firewall rule is applied to the wrong interface.
C.The firewall is stateful and blocking the return traffic.
D.The VPN server is not listening on UDP port 500.
AnswerD

If the server does not have the VPN service running, it won't respond, causing the client to time out.

Why this answer

Option D is correct because the symptom, internal users reaching internet websites but not the external VPN server, points to a host-level problem rather than a network or firewall one. With the firewall rule for VPN traffic confirmed correct and other traffic flowing normally, the most likely cause is that the VPN server is not listening on UDP port 500, the standard port for IPsec IKE (Internet Key Exchange). That can result from a misconfiguration, a failed service, or the server having been set up for a different port or protocol. Confirm it on the server itself, for example with `ss -ulnp | grep ':500 '` on Linux, rather than inferring it from a client probe: UDP has no handshake, so a closed port yields an ICMP port-unreachable only if nothing filters it and otherwise just a timeout. Check UDP 4500 as well, since IKE and ESP move to that port for NAT traversal.

Exam trap

The trap here is that candidates often assume a firewall misconfiguration (like stateful blocking or wrong interface) is the cause, but the question explicitly states the firewall rule is correctly configured, forcing you to look at the endpoint itself—a classic CISSP test of reading comprehension and layered troubleshooting.

How to eliminate wrong answers

Option A is wrong because if the VPN server were using TCP port 443 instead of UDP 500, the firewall rule would still need to match that traffic, but the question states the rule is correctly configured for VPN traffic (implying UDP 500), and the symptom would be different (e.g., HTTPS-based VPNs like SSL VPN would work). Option B is wrong because if the firewall rule were applied to the wrong interface, internal users would likely have broader connectivity issues (e.g., inability to reach any external services), not just the VPN server, and the question explicitly states the rule is correctly configured. Option C is wrong because a stateful firewall automatically tracks UDP sessions and allows return traffic if the outbound rule permits the initial packet; blocking return traffic would affect all UDP-based services, not just the VPN server, and the question confirms other internet access works.

72
MCQhard

During a security assessment, a penetration tester successfully performed a VLAN hopping attack from a host in VLAN 10 to a host in VLAN 20. The switches are configured with IEEE 802.1Q trunking. Which misconfiguration likely allowed this attack?

A.The native VLAN is not used on any trunk ports
B.Spanning Tree Protocol is disabled
C.Port security is disabled on all ports
D.Dynamic Trunking Protocol (DTP) is enabled on access ports
AnswerD

With DTP enabled on an access port, an attacker can send DTP frames to negotiate a trunk, then tag frames to hop VLANs.

Why this answer

D is correct because this form of VLAN hopping (switch spoofing) exploits Dynamic Trunking Protocol (DTP) to negotiate a trunk between an attacker's host and a switch port. If DTP is enabled on an access port, the attacker sends spoofed DTP frames, the port becomes a trunk, and the attacker can then send and receive 802.1Q-tagged frames for any VLAN carried on it, including VLAN 20 from a host in VLAN 10. The fix is to hard-code end-user ports with `switchport mode access` and `switchport nonegotiate`, and, to close off the related double-tagging attack, to set the native VLAN of every trunk to an unused VLAN.

Exam trap

ISC2 often tests the distinction between the two types of VLAN hopping (switch spoofing vs. double-tagging), and the trap here is that candidates confuse disabling STP or port security as relevant mitigations, when the core issue is DTP-enabled access ports allowing trunk negotiation.

How to eliminate wrong answers

Option A is wrong because the native VLAN is used on trunk ports by default in IEEE 802.1Q, and not using it would not prevent VLAN hopping; in fact, a misconfigured native VLAN can be exploited for double-tagging attacks, but the question describes a switch spoofing attack, not double-tagging. Option B is wrong because disabling Spanning Tree Protocol (STP) can cause network loops but does not directly enable VLAN hopping; VLAN hopping relies on trunk negotiation, not STP state. Option C is wrong because disabling port security limits MAC address filtering but does not prevent an attacker from negotiating a trunk via DTP; port security is a separate control for MAC flooding and unauthorized devices, not for trunk negotiation.

73
MCQhard

A network architect is designing a secure connection between two data centers across an untrusted WAN. The requirement is to encrypt all traffic and authenticate both endpoints. Which protocol should be used?

A.SSH
B.IPsec tunnel mode
C.MPLS
D.SSL/TLS
AnswerB

IPsec tunnel mode encrypts and authenticates entire packets between gateways.

Why this answer

IPsec tunnel mode is the correct choice because it encrypts the entire IP packet, including the original IP header, and encapsulates it within a new IP header for secure transport across an untrusted WAN. It also provides mutual authentication of both endpoints using IKE (Internet Key Exchange) with pre-shared keys or certificates, satisfying the requirement for encrypting all traffic and authenticating both data centers.

Exam trap

ISC2 often tests the distinction between IPsec tunnel mode and transport mode, and candidates may confuse SSL/TLS (which secures individual sessions) with a full network-layer VPN solution, missing that IPsec tunnel mode is the only option that encrypts all traffic and authenticates both endpoints at the network layer.

How to eliminate wrong answers

Option A is wrong because SSH is a protocol for secure remote login and command execution, not a site-to-site VPN; it operates at the application layer and cannot encrypt arbitrary IP traffic between two data centers. Option C is wrong because MPLS is a label-switching technology for traffic engineering and QoS, not an encryption protocol; it provides no confidentiality or authentication, and traffic traversing an MPLS WAN is sent in the clear unless IPsec or another encryption layer is added. Option D is wrong because SSL/TLS runs on top of TCP and secures individual connections (e.g., HTTPS), not all IP traffic between two networks; it cannot encapsulate non-TCP traffic or provide the network-layer gateway authentication and encryption that IPsec tunnel mode does.
