CCNA CISSP Network Security Questions

60 questions · CISSP Network Security topic · All types, answers revealed

1 · MCQ · hard

During a penetration test, an ethical hacker sets up a rogue access point with the same SSID as the corporate network and broadcasts a stronger signal. Users inadvertently connect to the rogue AP, allowing the hacker to capture credentials. What is this attack called?

A. Deauthentication attack
B. ARP spoofing
C. Evil twin attack
D. Karma attack
Answer: C

This is the correct term for a rogue AP impersonating a legitimate one.

Why this answer

The correct answer is C, Evil twin attack. This attack involves setting up a rogue access point that broadcasts the same SSID as a legitimate corporate network but with a stronger signal, causing users to connect to it instead. Once connected, the attacker can capture credentials or other sensitive data through man-in-the-middle techniques, exploiting the lack of mutual authentication in many Wi-Fi implementations.

Exam trap

The trap here is that candidates confuse 'Evil twin' with 'Karma attack' because both involve rogue APs, but Karma attack specifically targets probe requests to impersonate any SSID the client has previously trusted, whereas an evil twin broadcasts a specific SSID to mimic a known network.

How to eliminate wrong answers

Option A is wrong because a deauthentication attack specifically sends deauth frames (management frames) to disconnect clients from an access point, often used to force reconnection for capturing handshakes, not to set up a rogue AP with the same SSID. Option B is wrong because ARP spoofing (or ARP poisoning) operates at Layer 2 by sending forged ARP replies to associate the attacker's MAC address with the IP of a legitimate host, typically on a wired or bridged network, not by broadcasting a rogue wireless SSID. Option D is wrong because a Karma attack is a specific type of evil twin that responds to probe requests from clients by impersonating any SSID the client has previously connected to, rather than broadcasting a single corporate SSID with a stronger signal.

2 · MCQ · easy

Which of the following is a secure protocol for transferring files that uses SSH for authentication and encryption?

A. FTPS
B. SCP
C. TFTP
D. SFTP
Answer: D

SFTP is the SSH-based file transfer protocol.

Why this answer

SFTP (SSH File Transfer Protocol) is the correct answer because it is a secure file transfer protocol that operates over the SSH (Secure Shell) protocol, typically on TCP port 22. It leverages SSH's strong authentication and encryption mechanisms to protect both the data in transit and the credentials, making it a secure alternative to FTP.

Exam trap

The trap here is confusing SFTP with FTPS or SCP, as both involve secure file transfer, but only SFTP is explicitly defined as a protocol that uses SSH for authentication and encryption, while SCP is a command-line tool that also uses SSH but is not a full protocol, and FTPS uses TLS/SSL instead of SSH.

How to eliminate wrong answers

Option A (FTPS) is wrong because FTPS (FTP over SSL/TLS) uses SSL/TLS for encryption, not SSH; it is an extension of FTP that adds security via TLS/SSL, but it does not use SSH for authentication or encryption. Option B (SCP) is wrong because while SCP (Secure Copy) does use SSH for authentication and encryption, it is a protocol for copying files, not a full file transfer protocol; it lacks features like directory listing, file deletion, and resuming transfers that SFTP provides. Option C (TFTP) is wrong because TFTP (Trivial File Transfer Protocol) uses UDP port 69 and has no built-in security mechanisms; it does not use SSH or any encryption, making it inherently insecure.

3 · MCQ · medium

An organization wants to secure email communications by providing encryption and digital signatures. They require a solution that uses a web of trust model rather than a hierarchical PKI. Which protocol should they implement?

A. S/MIME
B. TLS
C. SSH
D. PGP/GPG
Answer: D

PGP/GPG employs a decentralized web of trust for key verification.

Why this answer

PGP/GPG implements a web of trust model where users sign each other's keys to establish trust, rather than relying on a centralized Certificate Authority (CA). It provides both encryption and digital signatures for email, making it the correct choice for an organization that explicitly wants to avoid hierarchical PKI.

Exam trap

The trap here is that candidates often confuse S/MIME and PGP because both provide email security, but the key differentiator is the trust model—S/MIME uses a hierarchical PKI, while PGP uses a web of trust—and the question explicitly requires the latter.

How to eliminate wrong answers

Option A (S/MIME) is wrong because it relies on a hierarchical PKI with X.509 certificates issued by a Certificate Authority, not a web of trust. Option B (TLS) is wrong because it secures transport-layer communications (e.g., web traffic) and does not provide end-to-end email encryption or digital signatures; it also uses hierarchical PKI. Option C (SSH) is wrong because it is designed for secure remote login and command execution, not for email encryption or digital signatures.

4 · MCQ · easy

A security engineer is configuring a firewall that makes decisions based on source/destination IP addresses and port numbers without tracking the state of connections. Which type of firewall is this?

A. Stateful inspection firewall
B. Application proxy firewall
C. Packet filter firewall
D. Next-generation firewall
Answer: C

Packet filter is stateless and uses IP/port rules.

Why this answer

A packet filter firewall operates at Layers 3 and 4 of the OSI model, making forwarding decisions solely based on static fields such as source/destination IP addresses and port numbers. It does not maintain any connection state table, meaning each packet is evaluated independently without reference to previous packets. This stateless behavior is the defining characteristic that distinguishes it from stateful inspection firewalls.

Exam trap

The trap here is that candidates often confuse 'stateless packet filtering' with 'stateful inspection' because both examine IP addresses and ports, but the key differentiator is the absence of connection tracking in packet filters.

How to eliminate wrong answers

Option A is wrong because a stateful inspection firewall tracks the state of active connections using a state table, which allows it to make decisions based on the context of the traffic flow, not just individual packet headers. Option B is wrong because an application proxy firewall operates at Layer 7, inspecting and filtering application-layer data (e.g., HTTP, FTP) and terminates connections, rather than simply checking IP addresses and ports. Option D is wrong because a next-generation firewall (NGFW) integrates additional features such as deep packet inspection (DPI), intrusion prevention (IPS), and application awareness, going far beyond basic stateless packet filtering.

5 · MCQ · medium

An organization is implementing DNSSEC to protect against DNS spoofing attacks. Which of the following best describes the primary security function provided by DNSSEC?

A. Providing anonymous DNS resolution
B. Authenticating the origin and ensuring integrity of DNS responses
C. Encrypting DNS queries to prevent eavesdropping
D. Blocking malicious DNS queries at the resolver
Answer: B

DNSSEC uses digital signatures to validate the source and integrity of DNS data.

Why this answer

DNSSEC (Domain Name System Security Extensions) provides data origin authentication and data integrity for DNS responses using digital signatures based on public-key cryptography. It does not encrypt DNS data or provide anonymity; instead, it allows a resolver to verify that a DNS response has not been modified in transit and that it originates from the authoritative source. This directly counters DNS spoofing attacks by ensuring the response is authentic and untampered.

Exam trap

The trap here is confusing DNSSEC's authentication and integrity functions with encryption or anonymity, leading candidates to incorrectly select encryption (Option C) or anonymity (Option A) when DNSSEC explicitly does not provide confidentiality.

How to eliminate wrong answers

Option A is wrong because DNSSEC does not provide anonymity; it uses digital signatures that can be linked to the signing zone, and DNS queries themselves are still sent in plaintext. Option C is wrong because DNSSEC does not encrypt DNS queries or responses; encryption of DNS traffic is provided by protocols like DNS over TLS (DoT) or DNS over HTTPS (DoH), not by DNSSEC. Option D is wrong because DNSSEC does not block malicious queries at the resolver; it only validates the authenticity and integrity of responses, while blocking is typically done by DNS firewalls or filtering resolvers.

6 · MCQ · hard

A network administrator is configuring SNMPv3 for monitoring network devices. The organization requires both authentication and encryption of SNMP traffic. Which combination of protocols should be used to meet this requirement?

A. MD5 for authentication, no privacy
B. SHA for authentication, no privacy
C. SHA for authentication, AES for privacy
D. MD5 for authentication, DES for privacy
Answer: C

SHA and AES are the strongest options available in SNMPv3.

Why this answer

SNMPv3 supports both authentication and encryption via separate User-based Security Model (USM) parameters. To meet the requirement for both, you must select an authentication protocol (e.g., SHA) and a privacy (encryption) protocol (e.g., AES). Option C correctly pairs SHA for authentication with AES for privacy, providing integrity verification and confidentiality of SNMP messages.

Exam trap

The trap here is that candidates may think DES is acceptable because it provides encryption, but CISSP emphasizes that DES is cryptographically weak and not considered secure for modern use, making AES the correct privacy choice.

How to eliminate wrong answers

Option A is wrong because MD5 for authentication with no privacy provides only integrity verification, not encryption, so SNMP traffic remains in plaintext. Option B is wrong because SHA for authentication with no privacy also lacks encryption, failing the confidentiality requirement. Option D is wrong because while MD5 for authentication with DES for privacy provides both, DES is a deprecated, weak encryption algorithm (56-bit key) that does not meet modern security standards; AES is the recommended choice.

7 · MCQ · medium

An organization is implementing network segmentation to enhance security. They create a DMZ to host public-facing servers and want to ensure that if a server is compromised, the attacker cannot pivot to the internal network. Which firewall placement best achieves this?

A. Place the DMZ on the internal network side with a strong host-based firewall on each server
B. Place a single firewall between the internet and the DMZ, and allow traffic from DMZ to internal network
C. Use a stateful firewall that only allows return traffic from internal to DMZ
D. Implement a screened subnet with two firewalls: one between internet and DMZ, and one between DMZ and internal network
Answer: D

This is the classic DMZ architecture that provides defense in depth; traffic bound for the internal network must pass through the second firewall, preventing direct access from the DMZ.

Why this answer

Option D is correct because a screened subnet architecture uses two firewalls to create a DMZ that is logically isolated from both the internet and the internal network. The first firewall (internet-facing) controls inbound traffic to the DMZ, while the second firewall (internal-facing) strictly controls outbound traffic from the DMZ to the internal network, typically allowing only specific return traffic. This prevents an attacker who compromises a DMZ server from directly initiating connections to internal hosts, as the internal firewall would block such traffic unless explicitly permitted.

Exam trap

The trap here is that candidates often assume a single firewall with a DMZ interface (three-legged firewall) provides sufficient isolation, but without a second firewall or strict egress filtering, the DMZ can still be used as a pivot point to the internal network.

How to eliminate wrong answers

Option A is wrong because placing the DMZ on the internal network side with only host-based firewalls does not provide network-level isolation; if a server is compromised, the attacker can still pivot to other internal hosts by bypassing or disabling the host firewall. Option B is wrong because a single firewall between the internet and the DMZ, while allowing traffic from the DMZ to the internal network, creates a flat trust model where a compromised DMZ server can directly initiate connections to internal hosts, violating the principle of least privilege. Option C is wrong because a stateful firewall that only allows return traffic from internal to DMZ does not prevent an attacker from using the DMZ server to initiate new outbound connections to the internal network; stateful inspection tracks connection state but does not enforce application-layer or direction-based restrictions on new sessions.
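The two firewall behaviours contrasted in question 4 (stateless packet filter versus stateful inspection) and the screened-subnet placement from question 7 can be walked through in code. The following is an added illustration, not part of the original question bank: it models both firewall types with a small rule language, builds the two-firewall DMZ, and runs a constructed packet sequence through it. Addresses, ports and the rule sets are all assumptions chosen for the demonstration.

```python
from dataclasses import dataclass

# Constructed sample address space: documentation ranges for the internet
# and the DMZ, RFC 1918 space for the internal LAN.
INTERNET = "203.0.113."
DMZ = "192.0.2."
INTERNAL = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # SYN set: start of a new TCP connection
    ack: bool  # ACK set: packet claims to belong to an existing connection


def _matches(rule, p):
    """A rule is (src_prefix, dst_prefix, dport); dport None means any port."""
    src, dst, dport = rule
    return p.src.startswith(src) and p.dst.startswith(dst) and dport in (None, p.dport)


class PacketFilter:
    """Stateless packet filter (question 4, option C): each packet is judged on
    its own header fields. The usual 'established' approximation admits any
    packet with ACK set, because without a state table the filter cannot tell
    a genuine reply from a crafted one."""

    def __init__(self, allow_rules, ack_means_established=True):
        self.allow_rules = allow_rules
        self.ack_means_established = ack_means_established

    def allow(self, p):
        if self.ack_means_established and p.ack and not p.syn:
            return True
        return any(_matches(r, p) for r in self.allow_rules)  # default deny


class StatefulFirewall:
    """Stateful inspection (question 4, option A): a new flow must be a SYN
    that matches an allow rule; any other packet is accepted only if the
    state table already holds that flow, in either direction."""

    def __init__(self, allow_rules):
        self.allow_rules = allow_rules
        self.state = set()  # (src, dst, sport, dport) of permitted flows

    def allow(self, p):
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        if fwd in self.state or rev in self.state:
            return True  # continuation or reply of a tracked connection
        if p.syn and not p.ack and any(_matches(r, p) for r in self.allow_rules):
            self.state.add(fwd)  # new flow explicitly permitted by policy
            return True
        return False  # new flow not in policy, or mid-stream packet with no state


# Screened-subnet policy (question 7, option D), assumed for the demo.
OUTER_RULES = [(INTERNET, DMZ, 443)]  # internet may reach the DMZ web server
INNER_RULES = [(INTERNAL, DMZ, None)]  # internal hosts may open sessions into the DMZ;
                                       # nothing from the DMZ may open a session inward


def screened_subnet_verdicts():
    """Run one constructed traffic sequence through the screened subnet and
    return each verdict by name; the inner firewall is evaluated both as a
    stateful firewall and as a stateless filter for comparison."""
    outer = StatefulFirewall(OUTER_RULES)
    inner_stateful = StatefulFirewall(INNER_RULES)
    inner_stateless = PacketFilter(INNER_RULES)

    client_syn = Packet(INTERNET + "7", DMZ + "10", 51000, 443, syn=True, ack=False)
    admin_syn = Packet(INTERNAL + "5", DMZ + "10", 52000, 22, syn=True, ack=False)
    admin_synack = Packet(DMZ + "10", INTERNAL + "5", 22, 52000, syn=True, ack=True)
    # A compromised DMZ server trying to reach an internal file server.
    pivot_syn = Packet(DMZ + "10", INTERNAL + "20", 40000, 445, syn=True, ack=False)
    pivot_ack = Packet(DMZ + "10", INTERNAL + "20", 40000, 445, syn=False, ack=True)

    v = {}
    v["internet_to_dmz_web"] = outer.allow(client_syn)
    v["internal_to_dmz_ssh"] = inner_stateful.allow(admin_syn)
    v["dmz_reply_to_internal"] = inner_stateful.allow(admin_synack)
    v["dmz_pivot_syn_stateful"] = inner_stateful.allow(pivot_syn)
    v["dmz_pivot_ack_stateful"] = inner_stateful.allow(pivot_ack)
    v["dmz_pivot_syn_stateless"] = inner_stateless.allow(pivot_syn)
    v["dmz_pivot_ack_stateless"] = inner_stateless.allow(pivot_ack)
    return v


if __name__ == "__main__":
    for name, allowed in screened_subnet_verdicts().items():
        print(f"{name:26s} {'ALLOW' if allowed else 'DROP'}")
```

The last two verdicts show the difference the question hinges on: the stateful inner firewall drops the DMZ host's mid-stream packet because no tracked connection explains it, while the stateless filter, having no state table, must accept it on the strength of the ACK flag alone.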

8 · MCQ · medium

A security engineer is recommending a VPN protocol for remote access. The requirements are: strong encryption, perfect forward secrecy, use of elliptic curve cryptography, and minimal overhead. Which VPN protocol best meets these requirements?

A. L2TP/IPsec
B. IPsec with ESP in tunnel mode
C. WireGuard
D. SSL/TLS VPN
Answer: C

WireGuard uses ECC, provides forward secrecy, and has a lightweight design.

Why this answer

WireGuard is the correct choice because it uses modern elliptic curve cryptography (Curve25519) for key exchange, provides perfect forward secrecy by default through ephemeral session keys, and has minimal overhead due to its streamlined codebase (roughly 4,000 lines of code) and lack of stateful configuration. It operates over UDP with a simple cryptographic design that meets all specified requirements without the complexity of IPsec or SSL/TLS.

Exam trap

The trap here is that candidates often default to IPsec (options A or B) as the 'standard' VPN protocol, overlooking that WireGuard is a modern, lightweight alternative that natively integrates elliptic curve cryptography and PFS with minimal overhead, which IPsec does not guarantee without additional configuration.

How to eliminate wrong answers

Option A is wrong because L2TP/IPsec relies on IPsec for encryption, which typically uses Diffie-Hellman with finite field groups (e.g., MODP) rather than elliptic curve cryptography by default, and introduces significant overhead from the dual encapsulation (L2TP over IPsec). Option B is wrong because IPsec with ESP in tunnel mode, while supporting strong encryption and PFS, does not natively mandate elliptic curve cryptography and has higher overhead due to complex IKEv2 handshakes and multiple protocol layers. Option D is wrong because SSL/TLS VPNs (e.g., OpenVPN) can use elliptic curve cryptography and PFS, but they typically have higher overhead from the TLS handshake and certificate management, and are not as lightweight as WireGuard.

9 · MCQ · hard

An organization is deploying a VPN solution for remote employees. The security team requires a modern protocol with perfect forward secrecy, uses elliptic curve cryptography, and is known for its efficient, minimal codebase. Which VPN protocol should they choose?

A. WireGuard
B. L2TP/IPsec
C. PPTP
D. IPsec with IKEv2
Answer: A

WireGuard uses ECC, provides PFS, and is designed to be simple and fast.

Why this answer

WireGuard is the correct choice because it is a modern VPN protocol that uses elliptic curve cryptography (Curve25519) for key exchange, provides perfect forward secrecy by default through its ephemeral session keys, and is designed with a minimal, auditable codebase (around 4,000 lines) for efficiency and security. These features directly match the organization's requirements for a modern protocol with PFS, ECC, and a lean implementation.

Exam trap

Cisco often tests the distinction between 'modern' and 'secure' protocols, where candidates may incorrectly choose IPsec with IKEv2 because it supports ECC and PFS, but overlook the explicit requirement for an 'efficient, minimal codebase' that uniquely identifies WireGuard.

How to eliminate wrong answers

Option B (L2TP/IPsec) is wrong because it relies on IPsec for encryption, which often uses Diffie-Hellman with finite-field groups rather than elliptic curve cryptography by default, and its codebase is not minimal or efficient due to the layered architecture and multiple components. Option C (PPTP) is wrong because it uses outdated RC4 encryption and MS-CHAPv2 authentication, lacks perfect forward secrecy, and is considered insecure due to known vulnerabilities (e.g., MS-CHAPv2 cracking). Option D (IPsec with IKEv2) is wrong because while it can support ECC and PFS, it is not known for a minimal codebase; its implementation is complex with many configuration options and a larger attack surface compared to WireGuard.

10 · MCQ · medium

A company wants to secure email communications for its employees. They need to ensure message confidentiality and integrity, and also verify the sender's identity. Which protocol uses a hierarchical public key infrastructure (PKI) for email encryption and signing?

A. S/MIME
B. PGP
C. TLS
D. SSH
Answer: A

S/MIME relies on X.509 certificates issued by CAs, forming a hierarchical PKI.

Why this answer

S/MIME (Secure/Multipurpose Internet Mail Extensions) is the correct answer because it is specifically designed to provide email encryption and digital signing using a hierarchical public key infrastructure (PKI) based on X.509 certificates. This allows the company to ensure message confidentiality (via encryption), integrity (via hashing and signing), and sender authentication (via certificate validation against a trusted root CA).

Exam trap

The trap here is confusing PGP's Web of Trust with S/MIME's hierarchical PKI, as both can encrypt and sign emails, but only S/MIME relies on a formal CA hierarchy as described in the question.

How to eliminate wrong answers

Option B (PGP) is wrong because it uses a decentralized 'Web of Trust' model rather than a hierarchical PKI, relying on user-signed keys instead of a formal certificate authority hierarchy. Option C (TLS) is wrong because it secures the transport layer (e.g., SMTP, HTTP) between servers or clients, not the email message itself end-to-end, and does not inherently provide sender authentication for individual emails. Option D (SSH) is wrong because it is a protocol for secure remote shell access and file transfer, not for email encryption or signing.

11 · Multi-Select · hard

An organization is deploying a wireless network with WPA3-Enterprise. Which THREE of the following are features or improvements of WPA3 compared to WPA2? (Select THREE.)

Select 3 answers
A. Protected Management Frames (PMF)
B. Forward secrecy
C. Use of TKIP for encryption
D. Simultaneous Authentication of Equals (SAE)
E. Support for WEP compatibility
Answers: A, B, D

WPA3 requires PMF to protect management frames.

Why this answer

Protected Management Frames (PMF) are mandatory in WPA3, whereas in WPA2 they were optional. PMF provides integrity and replay protection for management frames (e.g., deauthentication and disassociation frames), preventing attacks such as deauth floods that can force clients to reconnect and expose handshake data.

Exam trap

The trap here is that candidates often confuse TKIP as a valid encryption option in WPA3 because it was present in WPA2, but WPA3 strictly prohibits TKIP and mandates AES-based ciphers only.

12 · MCQ · medium

A company wants to securely transfer files between systems over SSH. Which protocol should they use to leverage the existing SSH infrastructure and provide both authentication and encryption?

A. FTPS
B. SFTP
C. TFTP
D. SCP
Answer: B

SFTP runs over SSH, leveraging its authentication and encryption, and is widely supported.

Why this answer

SFTP (SSH File Transfer Protocol) is the correct choice because it operates over the SSH protocol (typically port 22), leveraging its existing authentication and encryption mechanisms. Unlike FTPS, which adds SSL/TLS to FTP, SFTP is designed as a secure file transfer subsystem of SSH, providing both confidentiality and integrity without requiring additional infrastructure.

Exam trap

The trap here is confusing SFTP with FTPS or SCP, as many candidates assume 'SSH' implies SCP is the only option, but SFTP is the modern, feature-rich protocol that fully leverages SSH infrastructure for secure file transfers.

How to eliminate wrong answers

Option A (FTPS) is wrong because it uses FTP over SSL/TLS, which requires separate certificates and typically operates on port 990, not leveraging the existing SSH infrastructure. Option C (TFTP) is wrong because it is a trivial, unauthenticated, and unencrypted protocol (UDP port 69) used for simple file transfers, with no security features. Option D (SCP) is wrong because while it uses SSH for authentication and encryption, it is a legacy protocol that lacks the advanced features of SFTP (e.g., directory listing, resume, and file deletion) and is being deprecated in favor of SFTP.

13 · MCQ · easy

Which of the following is a key feature of TLS 1.3 that enhances security compared to earlier versions?

A. Backward compatibility with SSL 3.0
B. Use of RSA key exchange for authentication
C. Support for RC4 stream cipher
D. Mandatory forward secrecy via ephemeral Diffie-Hellman
Answer: D

TLS 1.3 requires PFS; all key exchanges use ephemeral keys.

Why this answer

TLS 1.3 mandates forward secrecy by requiring ephemeral Diffie-Hellman (DHE or ECDHE) key exchange for all sessions. This ensures that even if a server's long-term private key is compromised, past session keys cannot be derived, protecting historical communications. In contrast, earlier TLS versions allowed static RSA key exchange, which does not provide forward secrecy.

Exam trap

The trap here is that candidates may associate 'forward secrecy' only with optional configurations in TLS 1.2, not realizing that TLS 1.3 makes it mandatory and eliminates static RSA entirely, which is a key architectural change defined in RFC 8446.

How to eliminate wrong answers

Option A is wrong because TLS 1.3 explicitly removed backward compatibility with SSL 3.0 and older TLS versions to eliminate insecure fallback attacks and protocol downgrade vulnerabilities. Option B is wrong because TLS 1.3 removed static RSA key exchange entirely due to its lack of forward secrecy and vulnerability to passive decryption if the private key is compromised. Option C is wrong because TLS 1.3 removed all support for RC4, which is a broken stream cipher with known biases, and only allows AEAD ciphers (e.g., AES-GCM, ChaCha20-Poly1305).

14 · MCQ · medium

A security architect is designing a zero-trust network. Which principle is fundamental to a zero-trust architecture (ZTA) such as BeyondCorp?

A. Never trust, always verify
B. Trust but verify
C. Trust internal users implicitly
D. Trust network location as a primary factor
Answer: A

This is the core principle of zero trust.

Why this answer

In a zero-trust architecture (ZTA) like Google's BeyondCorp, the foundational principle is 'never trust, always verify.' This means no entity—user, device, or network—is trusted by default, regardless of its location (inside or outside the corporate perimeter). Every access request must be authenticated, authorized, and continuously validated before granting access to resources, eliminating implicit trust based on network location.

Exam trap

The trap here is that candidates may confuse 'trust but verify' (a common security mantra) with zero-trust, but the key distinction is that zero-trust removes all implicit trust, including for internal users and devices.

How to eliminate wrong answers

Option B is wrong because 'trust but verify' still assumes an initial level of trust, which contradicts zero-trust's requirement of no implicit trust; it is a legacy perimeter-based model. Option C is wrong because trusting internal users implicitly is the opposite of zero-trust, which treats all users as potential threats until verified. Option D is wrong because zero-trust explicitly rejects network location as a primary factor for trust; instead, it relies on identity, device health, and context for access decisions.

15 · MCQ · medium

A security analyst discovers an attack where an attacker sets up a rogue wireless access point with a legitimate SSID to trick users into connecting. Once connected, the attacker captures credentials. This type of attack is known as:

A. Deauthentication attack
B. Rogue AP attack
C. Evil twin attack
D. Karma attack
Answer: C

An evil twin is a fraudulent AP with the same SSID as a legitimate network.

Why this answer

This is an evil twin attack because the attacker creates a rogue access point that broadcasts the same SSID as a legitimate network, tricking users into connecting to it. Once connected, the attacker can capture credentials or other sensitive data by acting as a man-in-the-middle. The key differentiator is the impersonation of a legitimate SSID to deceive users, not just the presence of an unauthorized AP.

Exam trap

The trap here is that candidates confuse 'rogue AP' (any unauthorized AP) with 'evil twin' (a specific type of rogue AP that impersonates a legitimate SSID), leading them to choose option B instead of C.

How to eliminate wrong answers

Option A is wrong because a deauthentication attack involves sending deauth frames (typically from a tool like aireplay-ng) to disconnect clients from a legitimate AP, often as a precursor to an evil twin attack, but it is not the attack itself. Option B is wrong because a rogue AP attack is a broader category that includes any unauthorized AP on the network, but it does not specifically require the AP to impersonate a legitimate SSID to trick users; a rogue AP might simply be a misconfigured or malicious device connected to the wired network. Option D is wrong because a Karma attack exploits the probe request behavior of wireless clients that automatically connect to any network with a previously saved SSID, but it does not involve setting up an AP with a legitimate SSID to trick users; instead, it responds to any probe request with a matching SSID.

16 · MCQ · hard

A network engineer is configuring an IPsec VPN in tunnel mode. Which IPsec protocol provides both authentication and encryption of the entire IP packet?

A. ESP (Encapsulating Security Payload)
B. IKE (Internet Key Exchange)
C. ISAKMP
D. AH (Authentication Header)
Answer: A

ESP provides both encryption and authentication.

Why this answer

ESP (Encapsulating Security Payload) in tunnel mode provides both authentication and encryption for the entire original IP packet, including the original header and payload. It encapsulates the packet with a new IP header and ESP trailer, ensuring confidentiality via encryption and integrity via authentication. This makes it the correct choice for a VPN requiring both security services.

Exam trap

The trap here is that candidates often confuse AH with ESP, assuming AH can provide encryption because it offers authentication, but AH never encrypts data—it only provides integrity and origin authentication, making ESP the only correct choice for both authentication and encryption.

How to eliminate wrong answers

Option B (IKE) is wrong because IKE is a key exchange protocol used to establish security associations (SAs) for IPsec, not a protocol that directly provides authentication and encryption of IP packets. Option C (ISAKMP) is wrong because ISAKMP defines the framework for key exchange and SA negotiation, but it does not itself encrypt or authenticate packets; it relies on protocols like IKE for actual keying material. Option D (AH) is wrong because AH provides authentication and integrity but no encryption, so it cannot encrypt the entire IP packet as required by the question.

17 · MCQ · medium

An organization is implementing network segmentation. They need to place publicly accessible servers (e.g., web and email) in a separate network that is isolated from the internal LAN but still allows controlled access from the internet. Which architecture should they use?

A. DMZ
B. Micro-segmentation
C. VPN
D. VLAN
Answer: A

A DMZ is designed to host public-facing services with controlled access.

Why this answer

A DMZ (demilitarized zone) is a network segment that sits between the internet and the internal LAN, hosting publicly accessible servers like web and email. It uses firewall rules to allow inbound traffic from the internet to the DMZ servers while blocking direct access to the internal network, and typically permits only specific outbound responses or updates from the DMZ to the internal LAN. This architecture provides the isolation and controlled access required by the scenario.

Exam trap

The trap here is that candidates confuse VLANs with DMZs, assuming that a VLAN alone provides security isolation from the internet, when in fact VLANs only segment Layer 2 traffic and require additional firewall rules to control access—unlike a DMZ which is specifically designed for public-facing servers with explicit security policies.

How to eliminate wrong answers

Option B (Micro-segmentation) is wrong because it focuses on granular east-west traffic control within a data center or internal network using software-defined policies, not on isolating public-facing servers from the internet and internal LAN. Option C (VPN) is wrong because it creates an encrypted tunnel for remote users to access an internal network, not for hosting publicly accessible servers with controlled internet access. Option D (VLAN) is wrong because it segments traffic at Layer 2 within a broadcast domain but does not inherently provide security isolation or firewall-based access control from the internet; a VLAN alone cannot enforce the required inbound/outbound filtering.

18 · MCQ · hard

During a security assessment, a penetration tester successfully performs an ARP spoofing attack, redirecting traffic through their machine. This attack exploits which protocol vulnerability?

A. Stateless nature of ARP with no authentication
B. Lack of encryption in ARP packets
C. Weakness in the IP address resolution algorithm
D. Use of broadcast frames for all requests
Answer: A

ARP does not verify the authenticity of ARP replies, making it trivial to spoof.

Why this answer

ARP spoofing succeeds because ARP is a stateless protocol that does not authenticate or verify the legitimacy of ARP replies. Any host on a local network can send an unsolicited ARP reply (gratuitous ARP) to associate any IP address with any MAC address, allowing an attacker to redirect traffic without any validation mechanism.

Exam trap

Cisco often tests the distinction between the stateless nature of ARP (no authentication) and the use of broadcast frames, tricking candidates into thinking the broadcast mechanism is the vulnerability rather than the lack of validation of unsolicited replies.

How to eliminate wrong answers

Option B is wrong because ARP packets are not encrypted by design, but the lack of encryption is not the fundamental vulnerability exploited in spoofing; the core issue is the absence of authentication, not confidentiality. Option C is wrong because the IP address resolution algorithm itself is not weak; the vulnerability lies in the protocol's trust model, not in the algorithm used to map IP to MAC addresses. Option D is wrong because while ARP requests use broadcast frames, the attack exploits the acceptance of unsolicited replies, not the broadcast nature of requests; broadcast is a normal operational characteristic, not the security flaw.
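Because ARP accepts replies without any authentication, the practical defence is to watch for the symptoms the explanation above names: replies nobody asked for, and an IP address whose MAC binding suddenly changes. The following passive monitor, in the style of arpwatch, is an added example and not part of the original question bank; the frame format, the two-second request window and the trace it runs on are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List

ARP_REQUEST = 1  # "who has <target_ip>?"
ARP_REPLY = 2    # "<sender_ip> is at <sender_mac>"


@dataclass(frozen=True)
class ArpFrame:
    t: float         # capture time in seconds (constructed)
    op: int          # ARP_REQUEST or ARP_REPLY
    sender_mac: str
    sender_ip: str
    target_ip: str


class ArpMonitor:
    """Learns IP->MAC bindings from observed ARP traffic and reports the two
    signs of spoofing: a reply with no preceding request for that address
    within the window, and a known IP that moves to a different MAC."""

    def __init__(self, request_window: float = 2.0):
        self.window = request_window
        self.bindings: Dict[str, str] = {}   # ip -> mac learned so far
        self.pending: Dict[str, float] = {}  # ip asked for -> time of the request

    def observe(self, f: ArpFrame) -> List[str]:
        alerts: List[str] = []
        if f.op == ARP_REQUEST:
            self.pending[f.target_ip] = f.t
        else:
            asked = self.pending.pop(f.sender_ip, None)
            if asked is None or f.t - asked > self.window:
                alerts.append(f"unsolicited reply: {f.sender_ip} is-at {f.sender_mac}")
        # Requests and replies both carry the sender's own binding.
        known = self.bindings.get(f.sender_ip)
        if known is None:
            self.bindings[f.sender_ip] = f.sender_mac
        elif known != f.sender_mac:
            # Gratuitous ARP after a NIC swap or failover looks the same, so
            # this is a lead to investigate, not proof of an attack.
            alerts.append(f"changed binding: {f.sender_ip} moved from {known} to {f.sender_mac}")
            self.bindings[f.sender_ip] = f.sender_mac
        return alerts


# Constructed trace: a normal gateway/host exchange, then a second station
# announcing the gateway's IP with its own MAC without having been asked.
SAMPLE_FRAMES = [
    ArpFrame(0.0, ARP_REQUEST, "02:00:00:00:00:01", "10.0.0.1", "10.0.0.5"),
    ArpFrame(0.1, ARP_REPLY,   "02:00:00:00:00:05", "10.0.0.5", "10.0.0.1"),
    ArpFrame(3.0, ARP_REQUEST, "02:00:00:00:00:07", "10.0.0.7", "10.0.0.1"),
    ArpFrame(3.1, ARP_REPLY,   "02:00:00:00:00:01", "10.0.0.1", "10.0.0.7"),
    ArpFrame(5.0, ARP_REPLY,   "02:00:00:00:00:ee", "10.0.0.1", "10.0.0.5"),
]


def detect(frames=SAMPLE_FRAMES) -> List[str]:
    """Feed the frames through one monitor and return every alert raised."""
    monitor = ArpMonitor()
    alerts: List[str] = []
    for f in frames:
        alerts.extend(monitor.observe(f))
    return alerts


if __name__ == "__main__":
    for line in detect():
        print(line)
```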

19 · MCQ · easy

Which IPsec protocol provides both authentication and encryption of the packet payload, but does not encrypt the IP header?

A. AH in transport mode
B. ESP in transport mode
C. AH in tunnel mode
D. ESP in tunnel mode
Answer: B

ESP provides encryption and authentication for the payload, with the IP header in clear.

Why this answer

ESP in transport mode encrypts the payload and provides authentication (via an optional ICV), but it does not encrypt the IP header. This matches the question's requirement of payload authentication and encryption without header encryption. In contrast, AH authenticates the entire packet (including the IP header) but provides no encryption.

Exam trap

The trap here is that candidates often confuse 'encryption of the payload' with 'encryption of the entire packet,' leading them to choose ESP in tunnel mode, which encrypts the inner IP header, or AH, which provides no encryption at all.

How to eliminate wrong answers

Option A is wrong because AH in transport mode authenticates the payload and parts of the IP header but offers no encryption of the payload. Option C is wrong because AH in tunnel mode authenticates the entire inner IP packet and parts of the outer header, but still provides no encryption. Option D is wrong because ESP in tunnel mode encrypts the entire inner IP packet, including the inner IP header; although the outer header remains in the clear, the inner header is encrypted, which violates the condition stated in the question.

20
Multi-Select · hard

A security administrator is evaluating secure file transfer protocols. Which THREE of the following protocols provide encryption for data in transit? (Select THREE.)

A. FTP
B. SFTP
D. SCP
E. FTPS

Answers: B, D, E

SFTP runs over SSH and encrypts all traffic.

Why this answer

SFTP (SSH File Transfer Protocol) is correct because it operates over the SSH protocol (typically port 22), which provides strong encryption for both authentication and data in transit. Unlike FTP, SFTP encrypts all commands and data, ensuring confidentiality and integrity during file transfers.

Exam trap

The trap here is that candidates often confuse SFTP with FTPS or assume FTP is secure because it is widely used, but the CISSP exam tests the distinction that only protocols like SFTP, SCP, and FTPS provide encryption for data in transit.

21
MCQ · medium

A company is implementing TLS 1.3 to secure web communications. Which of the following features is unique to TLS 1.3 compared to earlier versions?

A. Mandatory forward secrecy using ephemeral Diffie-Hellman
B. Support for RSA key exchange
C. Only server-side authentication
D. Use of RC4 for encryption

Answer: A

TLS 1.3 requires ephemeral key exchanges (DHE or ECDHE) providing forward secrecy.

Why this answer

TLS 1.3 (RFC 8446) mandates forward secrecy by requiring ephemeral Diffie-Hellman (DHE or ECDHE) key exchange for all handshakes. This ensures that session keys are never derived from long-term static keys, so compromising the server's private key does not compromise past session keys. Earlier TLS versions allowed static RSA key exchange, which lacks forward secrecy.

Exam trap

The trap here is that candidates may confuse 'mandatory forward secrecy' with optional forward secrecy in earlier TLS versions, or mistakenly think RSA key exchange is still supported in TLS 1.3.

How to eliminate wrong answers

Option B is wrong because TLS 1.3 removed support for RSA key exchange entirely; RSA key transport does not provide forward secrecy and is vulnerable to decryption if the private key is compromised. Option C is wrong because TLS 1.3 supports mutual authentication (client and server certificates) via CertificateRequest and CertificateVerify messages, not only server-side authentication. Option D is wrong because RC4 is a deprecated stream cipher that was removed from TLS 1.2 and is not supported in TLS 1.3; TLS 1.3 uses AEAD ciphers like AES-GCM and ChaCha20-Poly1305.

22
Multi-Select · medium

An incident responder is analyzing a network compromise that involved ICMP attacks. Which THREE types of ICMP attacks could have been used to disrupt network operations? (Select three.)

A. Smurf attack
B. ICMP redirect attack
C. ARP poisoning
D. SYN flood
E. Ping of Death

Answers: A, B, E

A Smurf attack sends ICMP echo requests to a broadcast address with a spoofed source IP, causing many responses to flood the victim.

Why this answer

A Smurf attack is correct because it exploits ICMP echo requests (ping) sent to a network's broadcast address with a spoofed source IP of the victim. This causes all hosts on the network to reply to the victim, overwhelming it with ICMP echo replies and disrupting network operations.

Exam trap

The trap here is that candidates confuse ARP poisoning and SYN flood with ICMP attacks because they are common network attacks, but they operate at different layers (Layer 2 and Layer 4, respectively) and do not use ICMP as the attack vector.

23
MCQ · easy

Which of the following is a key feature of TLS 1.3 that enhances security compared to earlier versions?

A. Support for RC4 encryption
B. Support for DES and 3DES
C. Mandatory forward secrecy
D. Use of static RSA key exchange

Answer: C

TLS 1.3 enforces forward secrecy by using ephemeral Diffie-Hellman.

Why this answer

TLS 1.3 mandates forward secrecy by requiring ephemeral Diffie-Hellman (DHE or ECDHE) key exchange for all sessions, eliminating static RSA and static DH key exchanges. This ensures that even if the server's long-term private key is compromised, past session keys cannot be derived, protecting historical traffic. Earlier TLS versions allowed static key exchanges, making them vulnerable to retrospective decryption.

Exam trap

The trap here is that candidates often confuse 'forward secrecy' with 'encryption strength' or 'cipher support,' and may incorrectly think that simply using a strong cipher like AES provides forward secrecy, when in fact it is the key exchange mechanism (ephemeral vs. static) that determines whether past sessions remain secure after key compromise.

How to eliminate wrong answers

Option A is wrong because RC4 is a stream cipher with known biases (e.g., in the first output bytes) and has been deprecated in all TLS versions since 1.1; TLS 1.3 completely removes RC4 and all other non-AEAD ciphers. Option B is wrong because DES and 3DES are block ciphers with small block sizes (64-bit) and are vulnerable to Sweet32 birthday attacks; TLS 1.3 eliminates them entirely, requiring AEAD ciphers like AES-GCM or ChaCha20-Poly1305. Option D is wrong because static RSA key exchange does not provide forward secrecy—if the server's RSA private key is compromised, all past session keys can be decrypted; TLS 1.3 removes static RSA entirely.

24
MCQ · medium

After a recent security audit, a network administrator discovers that an attacker has been intercepting traffic by associating with a legitimate access point's MAC address and broadcasting a stronger signal. Which type of attack has occurred?

A. Rogue access point
B. Karma attack
C. Evil twin attack
D. ARP spoofing

Answer: C

An evil twin is a rogue AP that impersonates a legitimate AP, often by using the same SSID and MAC, and broadcasting a stronger signal to lure victims.

Why this answer

The correct answer is C, Evil twin attack. This attack involves an attacker setting up a rogue access point that mimics a legitimate access point by spoofing its MAC address (BSSID) and broadcasting a stronger signal, causing clients to associate with the attacker's device instead of the legitimate AP. The key distinction is the active impersonation of a specific legitimate AP, not just the presence of an unauthorized AP.

Exam trap

The trap here is that candidates often confuse 'rogue access point' (any unauthorized AP) with 'evil twin' (a specific impersonation of a legitimate AP), but the key differentiator is the active spoofing of the legitimate AP's MAC address and signal strength to intercept traffic, not just the presence of an unauthorized device.

How to eliminate wrong answers

Option A is wrong because a rogue access point is any unauthorized AP connected to the network, but it does not necessarily spoof a legitimate AP's MAC address or broadcast a stronger signal to intercept traffic; it is simply an unapproved device on the network. Option B is wrong because a Karma attack exploits probe requests from clients by responding with a fake AP that matches any SSID the client has previously connected to, but it does not involve spoofing a specific legitimate AP's MAC address or broadcasting a stronger signal from that same AP. Option D is wrong because ARP spoofing is a Layer 2 attack that manipulates ARP tables to redirect traffic on a local network, not an attack that uses a fake access point or wireless signal strength to intercept traffic.

25
Multi-Select · medium

A company is migrating from WPA2 to WPA3 to improve wireless security. Which THREE of the following are features of WPA3 compared to WPA2?

A. Backward compatibility with WPA2 clients without security reduction
B. Protected Management Frames (PMF)
C. Use of SAE instead of PSK for key exchange
D. Forward secrecy
E. Mandatory use of TKIP for encryption

Answers: B, C, D

PMF is mandatory in WPA3 to protect management frames.

Why this answer

Protected Management Frames (PMF) are mandatory in WPA3, whereas in WPA2 they were optional. PMF provides integrity and replay protection for management frames, preventing attacks such as deauthentication and disassociation that can be used to disrupt wireless connections.

Exam trap

Cisco often tests the misconception that WPA3 is fully backward compatible with WPA2, but in reality, mixed-mode operation (WPA3 transition mode) forces all clients to use the weaker WPA2 security when any legacy device connects.

26
MCQ · hard

A security engineer is configuring SNMPv3 on network devices. The policy requires both authentication and encryption of SNMP messages. Which combination of protocols should be used to meet this requirement?

A. authPriv with MD5 and DES
B. noAuthNoPriv with no security
C. authNoPriv with SHA and no encryption
D. authPriv with SHA and AES

Answer: D

authPriv provides both authentication (SHA) and privacy (AES).

Why this answer

Option D is correct because SNMPv3's authPriv security level requires both authentication and encryption. SHA (or SHA-2) provides message authentication via HMAC, and AES provides symmetric encryption for the message payload. This combination satisfies the policy requirement for both confidentiality and integrity.

Exam trap

The trap here is that candidates see 'authPriv' and assume any combination of authentication and encryption protocols will work, but the CISSP exam expects you to recognize that MD5 and DES are deprecated and insecure, making option A a distractor despite the correct security level.

How to eliminate wrong answers

Option A is wrong because MD5 is deprecated due to known collision vulnerabilities and DES is a weak, 56-bit cipher that is no longer considered secure; while authPriv technically provides both authentication and encryption, the specific protocols violate modern security standards. Option B is wrong because noAuthNoPriv provides no security at all—no authentication and no encryption—which directly contradicts the policy requirement. Option C is wrong because authNoPriv provides authentication (e.g., SHA) but no encryption, so the message payload is sent in cleartext, failing the encryption requirement.

27
MCQ · easy

An attacker sends a flood of SYN packets to a server, consuming its resources and preventing legitimate connections. Which OSI layer is this attack targeting?

A. Layer 4
B. Layer 2
C. Layer 7
D. Layer 3

Answer: A

SYN flood is a Layer 4 (Transport) attack exploiting TCP connection handling.

Why this answer

A SYN flood attack targets the TCP three-way handshake at the transport layer (Layer 4). By sending a high volume of SYN packets without completing the handshake, the attacker exhausts the server's connection queue, preventing legitimate TCP connections from being established. This directly exploits the stateful nature of TCP, which is a Layer 4 protocol.

Exam trap

The trap here is confusing the network layer (Layer 3) with the transport layer (Layer 4), because IP addresses are involved in routing the packets, but the attack specifically targets TCP's connection management at Layer 4.

How to eliminate wrong answers

Option B is wrong because Layer 2 (Data Link) handles MAC addresses and frame switching, not TCP connection state or port exhaustion. Option C is wrong because Layer 7 (Application) involves protocols like HTTP or DNS, whereas SYN floods operate below the application layer at the transport layer. Option D is wrong because Layer 3 (Network) deals with IP routing and packet forwarding, not the TCP handshake mechanics that SYN floods exploit.

28
MCQ · medium

A security administrator is configuring SNMPv3 for network device monitoring. The requirement is to provide both authentication and encryption of SNMP traffic. Which combination of options should be used?

A. AuthNoPriv
B. AuthPriv with MD5 and DES
C. AuthPriv with SHA and AES
D. NoAuthNoPriv

Answer: C

SHA and AES are the recommended stronger algorithms for authentication and privacy, respectively.

Why this answer

SNMPv3 defines three security levels: NoAuthNoPriv, AuthNoPriv, and AuthPriv. The requirement for both authentication and encryption corresponds to the AuthPriv level. The recommended modern cryptographic algorithms for AuthPriv are SHA (for authentication) and AES (for encryption), as specified in RFC 3826 and RFC 3414.

Option C correctly pairs SHA and AES to meet the requirement.

Exam trap

The trap here is that candidates may choose AuthPriv with MD5 and DES (Option B) because it technically provides both authentication and encryption, but they overlook that MD5 and DES are deprecated and insecure, making them unacceptable in a modern security context.

How to eliminate wrong answers

Option A (AuthNoPriv) is wrong because it provides authentication but no encryption, failing the encryption requirement. Option B (AuthPriv with MD5 and DES) is wrong because MD5 and DES are deprecated and considered cryptographically weak; DES uses a 56-bit key and is easily broken, while MD5 is vulnerable to collision attacks. Option D (NoAuthNoPriv) is wrong because it provides neither authentication nor encryption, failing both requirements.

29
MCQ · hard

An organization is implementing DNSSEC to protect its DNS infrastructure. Which of the following best describes the primary security benefit of DNSSEC?

A. Authentication of DNS data origin and integrity
B. Prevention of DDoS attacks on DNS servers
C. Anonymization of DNS queries
D. Encryption of DNS queries and responses

Answer: A

DNSSEC uses digital signatures to ensure that DNS responses are authentic and have not been tampered with.

Why this answer

DNSSEC (Domain Name System Security Extensions) provides origin authentication and data integrity verification for DNS responses through digital signatures. It uses public-key cryptography to sign DNS resource record sets (RRSIG records), allowing resolvers to verify that the data has not been modified in transit and originates from the authoritative source. This prevents attacks such as DNS cache poisoning and man-in-the-middle spoofing, but does not provide confidentiality or availability protections.

Exam trap

The trap here is that candidates confuse DNSSEC's authentication and integrity features with encryption or anonymity, mistakenly thinking it secures DNS by hiding data, when in fact it only signs data and leaves it readable.

How to eliminate wrong answers

Option B is wrong because DNSSEC does not prevent DDoS attacks; in fact, it can enlarge the attack surface, because the larger signed responses make DNS more useful in amplification attacks. Option C is wrong because DNSSEC does not anonymize queries; it adds signatures and keys rather than hiding anything, and query privacy is addressed by protocols like DNS over TLS (DoT) or DNS over HTTPS (DoH). Option D is wrong because DNSSEC does not encrypt queries or responses; it only signs data for integrity and authentication, leaving the payload in cleartext.

30
MCQ · easy

Which wireless security protocol replaces the pre-shared key (PSK) authentication with Simultaneous Authentication of Equals (SAE) to provide stronger security and forward secrecy?

B. WEP
C. WPA2 with TKIP
D. WPA2 with CCMP

Answer: A

WPA3 introduces SAE for more secure key exchange.

Why this answer

WPA3 replaces the Pre-Shared Key (PSK) authentication used in WPA2 with Simultaneous Authentication of Equals (SAE), defined in IEEE 802.11-2016 and specified in RFC 7664. SAE provides forward secrecy by using a Diffie-Hellman key exchange that ensures even if the long-term password is compromised, past session keys remain secure. This eliminates vulnerabilities to offline dictionary attacks that plague WPA2-PSK.

Exam trap

Cisco often tests the misconception that WPA2 with CCMP is the most secure option because of its AES encryption, but the question specifically targets authentication improvements, not encryption, so candidates overlook that SAE is unique to WPA3.

How to eliminate wrong answers

Option B (WEP) is wrong because it uses the RC4 stream cipher with a static key and no authentication mechanism like SAE, making it completely insecure and deprecated. Option C (WPA2 with TKIP) is wrong because TKIP is a legacy encryption protocol that still relies on PSK authentication and does not implement SAE or forward secrecy; it was designed as a temporary fix for WEP. Option D (WPA2 with CCMP) is wrong because while CCMP uses AES-based encryption, WPA2 still uses PSK or 802.1X for authentication, not SAE, and lacks forward secrecy.

31
MCQ · hard

During a security assessment, a consultant discovers that a legacy VPN solution uses MS-CHAPv2 for authentication and does not support IKE. The protocol is known to be vulnerable to dictionary attacks. Which VPN protocol is most likely being used?

A. PPTP
B. IPsec with IKEv2
C. SSL/TLS VPN
D. L2TP/IPsec

Answer: A

PPTP uses MS-CHAPv2 and lacks IKE, making it vulnerable.

Why this answer

MS-CHAPv2 is a Microsoft proprietary authentication protocol used by PPTP (Point-to-Point Tunneling Protocol). PPTP does not support IKE (Internet Key Exchange) and relies on MS-CHAPv2, which is vulnerable to dictionary attacks due to its weak hashing and lack of mutual authentication. The combination of MS-CHAPv2 authentication and the absence of IKE support directly points to PPTP as the VPN protocol in use.

Exam trap

The trap here is that candidates may confuse L2TP/IPsec with PPTP because both can use MS-CHAPv2, but L2TP/IPsec requires IKE and typically uses IPsec for encryption, whereas PPTP does not support IKE and relies solely on MS-CHAPv2 for authentication.

How to eliminate wrong answers

Option B is wrong because IPsec with IKEv2 uses IKE (Internet Key Exchange) for key management and authentication, and it does not use MS-CHAPv2; it typically relies on certificates, pre-shared keys, or EAP. Option C is wrong because SSL/TLS VPNs use TLS for encryption and authentication, not MS-CHAPv2, and they do not involve IKE. Option D is wrong because L2TP/IPsec uses IKE for key exchange and typically authenticates via IPsec mechanisms (e.g., certificates or PSK), not MS-CHAPv2; L2TP itself is a tunneling protocol that requires IPsec for encryption, and MS-CHAPv2 is not a standard authentication method for L2TP/IPsec.

32
Multi-Select · medium

A security team is reviewing network segmentation strategies. Which TWO of the following are benefits of using VLANs? (Select TWO.)

A. They provide encryption of network traffic
B. They allow logical grouping of devices regardless of physical location
C. They can reduce broadcast traffic
D. They eliminate the need for firewalls
E. They provide inherent protection against ARP spoofing

Answers: B, C

VLANs group devices based on configuration, not physical location.

Why this answer

VLANs operate at Layer 2 (Data Link Layer) and allow network administrators to segment devices into distinct broadcast domains based on logical criteria such as department or function, regardless of their physical location on the network. This logical grouping reduces the scope of broadcast traffic because broadcasts are confined to the VLAN, not the entire physical network. By containing broadcasts, VLANs improve network performance and security by limiting unnecessary traffic and isolating potential threats.

Exam trap

The trap here is that candidates often confuse VLANs with security mechanisms like encryption or firewalls, mistakenly believing VLANs provide confidentiality or replace perimeter defenses, when in fact VLANs only offer logical segmentation at Layer 2.

33
MCQ · medium

A security analyst observes a network attack where an attacker sends forged ARP messages to associate the attacker's MAC address with the IP address of the default gateway. This attack occurs at which layer of the OSI model?

A. Layer 3 – Network
B. Layer 1 – Physical
C. Layer 4 – Transport
D. Layer 2 – Data Link

Answer: D

ARP operates at Layer 2, and ARP spoofing manipulates MAC-to-IP mappings.

Why this answer

ARP operates at Layer 2 (Data Link) because it maps IP addresses (Layer 3) to MAC addresses (Layer 2) and is encapsulated directly within an Ethernet frame, not an IP packet. The attack described—ARP spoofing—forges ARP replies to poison the target's ARP cache, which is a Layer 2 function. Therefore, the attack occurs at Layer 2 of the OSI model.

Exam trap

The trap here is that candidates see 'IP address' in the question and incorrectly associate it with Layer 3 (Network), forgetting that ARP is a Layer 2 protocol that resolves Layer 3 addresses to Layer 2 addresses.

How to eliminate wrong answers

Option A is wrong because Layer 3 (Network) handles IP routing and packet forwarding, not MAC address resolution; ARP is not an IP protocol and does not use IP headers. Option B is wrong because Layer 1 (Physical) deals with raw bit transmission over media (e.g., voltage, cables), not with logical addressing or frame-level manipulation. Option C is wrong because Layer 4 (Transport) manages end-to-end communication (e.g., TCP/UDP ports, segmentation), and ARP has no concept of ports or transport-layer headers.

34
MCQ · medium

A network administrator is deploying a wireless network for a small business and wants to ensure strong security. Which of the following is the best choice for authentication in a WPA3 Personal network?

A. EAP-TLS
B. TKIP
C. Simultaneous Authentication of Equals (SAE)
D. Pre-shared key (PSK)

Answer: C

SAE provides forward secrecy and protects against offline dictionary attacks.

Why this answer

Simultaneous Authentication of Equals (SAE) is the correct choice because WPA3 Personal replaces the vulnerable Pre-Shared Key (PSK) handshake with SAE, which provides a secure key exchange resistant to offline dictionary attacks. SAE uses a Dragonfly handshake based on a zero-knowledge proof, ensuring that even if an attacker captures the handshake, they cannot brute-force the password without being present for each guess.

Exam trap

The trap here is that candidates often confuse WPA2 Personal (PSK) with WPA3 Personal, assuming PSK is still acceptable, but the exam expects you to know that WPA3 Personal mandates SAE as the authentication method, not PSK.

How to eliminate wrong answers

Option A is wrong because EAP-TLS is an enterprise authentication method requiring a RADIUS server and client certificates, which is overkill and not designed for WPA3 Personal (home/small business) mode. Option B is wrong because TKIP is a legacy encryption protocol deprecated by Wi-Fi Alliance since 2012; it is not used in WPA3 and is vulnerable to attacks like MIC key recovery. Option D is wrong because Pre-shared key (PSK) is the WPA2 Personal method that uses a 4-way handshake vulnerable to offline dictionary attacks, whereas WPA3 Personal mandates SAE to eliminate that vulnerability.

35
MCQ · easy

A network administrator is configuring a firewall that examines the source and destination IP addresses, port numbers, and protocol (TCP/UDP) of each packet without considering the state of the connection. Which type of firewall is being deployed?

A. Packet filter firewall
B. Next-generation firewall
C. Stateful inspection firewall
D. Application proxy firewall

Answer: A

Packet filter firewalls are stateless and filter based on L3/L4 headers only.

Why this answer

A packet filter firewall operates at Layer 3 (Network) and Layer 4 (Transport) of the OSI model, making decisions based solely on static header fields such as source/destination IP addresses, port numbers, and protocol type (TCP/UDP). It does not track connection state or session context, which matches the description of examining each packet independently. This is the defining characteristic of a stateless packet filter, as opposed to stateful or application-layer firewalls.

Exam trap

The trap here is that candidates often confuse 'stateless packet filtering' with 'stateful inspection' because both examine IP/port/protocol, but the key differentiator is the lack of connection state tracking, which the question explicitly states by saying 'without considering the state of the connection.'

How to eliminate wrong answers

Option B is wrong because a next-generation firewall (NGFW) integrates deep packet inspection (DPI), intrusion prevention (IPS), and application-level awareness beyond simple header fields, which is not described in the scenario. Option C is wrong because a stateful inspection firewall maintains a connection state table and tracks the state of active sessions (e.g., TCP handshake sequence numbers), which the question explicitly says is not being considered. Option D is wrong because an application proxy firewall (or application-level gateway) terminates and re-creates connections at Layer 7, inspecting application payloads (e.g., HTTP, FTP commands), far exceeding the simple header-only examination described.

36
MCQ · hard

During a penetration test, the tester successfully performs a VLAN hopping attack by sending packets with a specific tag. Which mitigation technique is most effective at preventing double-tagging VLAN hopping?

A. Use VLAN access control lists (VACLs) only
B. Implement port security with sticky MAC
C. Disable the native VLAN and explicitly tag all VLANs
D. Enable Dynamic Trunking Protocol (DTP) on all ports

Answer: C

When the native VLAN is tagged like every other VLAN (no untagged traffic on the trunk), double-tagging fails: the first switch no longer strips the attacker's outer tag as untagged native-VLAN traffic, so the inner tag is never exposed to the next switch.

Why this answer

Option C is correct because double-tagging VLAN hopping exploits the untagged native VLAN (typically VLAN 1) on a trunk link: the first switch strips the outer tag that matches the native VLAN and forwards the frame carrying only the attacker's inner tag, which the next switch then honors. By disabling the untagged native VLAN and explicitly tagging all VLANs, including the native VLAN, the switch no longer forwards untagged frames or single-tagged frames that the next switch could misinterpret, so the attacker cannot inject frames into a different VLAN.

Exam trap

The trap here is that candidates often confuse VLAN hopping with MAC flooding or ARP spoofing, or they assume that VACLs or port security can stop Layer 2 tagging attacks, when in fact the root cause is the untagged native VLAN behavior on trunk ports.

How to eliminate wrong answers

Option A is wrong because VLAN access control lists (VACLs) filter traffic based on Layer 3/4 criteria within a VLAN but do not prevent the underlying frame-tagging manipulation used in double-tagging attacks. Option B is wrong because port security with sticky MAC addresses limits the number of MAC addresses on an access port and prevents MAC flooding, but it has no effect on 802.1Q tag manipulation across trunk links. Option D is wrong because enabling Dynamic Trunking Protocol (DTP) on all ports actually increases the attack surface by allowing an attacker to negotiate a trunk link, which is a prerequisite for launching a VLAN hopping attack; DTP should be disabled on all ports that are not intended to trunk.

37
Multi-Select · easy

A security analyst is evaluating secure email protocols. Which TWO of the following provide both encryption and digital signing of email messages?

A. S/MIME
B. SSL/TLS
C. PGP/GPG
D. SSH

Answers: A, C

S/MIME uses certificates to encrypt and sign emails.

Why this answer

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and digital signing of MIME data. It uses X.509 certificates for key exchange and provides both confidentiality (encryption) and non-repudiation (digital signing) for email messages, making it a correct choice.

Exam trap

The trap here is confusing transport-layer security (SSL/TLS) with end-to-end message security; candidates often select SSL/TLS because it encrypts email in transit, but it does not provide digital signing or protect the message after delivery.

38
Multi-Select · hard

An organization is reviewing its use of SSH for remote administration. Which TWO features of SSH should be disabled or carefully managed to reduce security risks? (Select two.)

A. Port forwarding
B. Using SSH protocol version 1
C. X11 forwarding
D. Public-key authentication
E. Using SSH protocol version 2

Answers: A, C

Port forwarding can create tunnels that bypass network security controls; it should be restricted to authorized users.

Why this answer

Port forwarding (option A) allows SSH to tunnel arbitrary TCP connections, which can bypass network firewalls and expose internal services to external attackers if misconfigured or left enabled for non-administrative users. Disabling or restricting port forwarding reduces the risk of unauthorized tunneling and lateral movement within the network.

Exam trap

Cisco often tests the distinction between features that are inherently insecure (like SSHv1) versus features that are secure by default but introduce risk when misused (like port forwarding and X11 forwarding), leading candidates to incorrectly select SSHv1 as a feature to 'carefully manage' rather than outright disable.

39
MCQ · medium

Which type of firewall can inspect the contents of application-layer traffic, such as HTTP requests, and block malicious payloads?

A. Packet filter firewall
B. Circuit-level gateway
C. Application proxy firewall
D. Stateful inspection firewall

Answer: C

Application proxies terminate and re-establish connections, allowing full inspection.

Why this answer

An application proxy firewall (also known as an application-level gateway) operates at Layer 7 of the OSI model and can fully inspect the content of application-layer protocols such as HTTP, FTP, and SMTP. By terminating the client connection and establishing a separate connection to the server, it can parse and validate the payload—for example, examining HTTP request bodies for SQL injection strings or malicious scripts—and block them before they reach the internal server. This deep inspection capability distinguishes it from lower-layer firewalls that only examine headers or connection states.

Exam trap

The trap here is that candidates often confuse a stateful inspection firewall (which tracks connection state) with an application proxy firewall, mistakenly believing that stateful inspection includes deep payload analysis, when in fact stateful inspection only monitors packet headers and connection state at Layers 3 and 4.

How to eliminate wrong answers

Option A is wrong because a packet filter firewall operates at Layer 3 (and sometimes Layer 4), inspecting only source/destination IP addresses, ports, and protocol types; it cannot examine the application-layer payload of an HTTP request. Option B is wrong because a circuit-level gateway operates at Layer 5 (session layer) and validates TCP handshakes and session establishment (e.g., SOCKS proxy), but it does not inspect the contents of application-layer traffic. Option D is wrong because a stateful inspection firewall tracks the state of network connections (e.g., TCP sequence numbers) at Layers 3 and 4, but it does not perform deep packet inspection of application-layer payloads like HTTP bodies.

40
Multi-Select · medium

A security architect is designing a network segmentation strategy for a financial institution. Which TWO techniques are best suited for implementing micro-segmentation in a data center environment? (Select two.)

Select 2 answers
A. VLANs (Virtual Local Area Networks)
B. Software-Defined Networking (SDN)
C. Hypervisor-based firewalls
D. Physical network firewalls
E. DMZ (screened subnet)
Answers: B, C

SDN enables dynamic, granular control over network flows, allowing per-application or per-tenant segmentation.

Why this answer

Software-Defined Networking (SDN) decouples the control plane from the data plane, enabling centralized, programmable network policies. This allows granular, dynamic micro-segmentation at the virtual network level, where traffic flows can be isolated based on application identity or workload attributes, not just IP addresses or VLANs. Hypervisor-based firewalls complement this by enforcing policy at the virtual NIC or virtual switch, so east-west traffic between workloads on the same host is filtered without ever leaving the hypervisor.

Exam trap

The trap here is that candidates often confuse VLANs (a Layer 2 broadcast domain technique) with micro-segmentation, but VLANs lack the granularity and dynamic policy enforcement needed for workload-level isolation in modern data centers.

41
MCQ · medium

A security analyst notices that an attacker is sending forged ARP messages onto a local area network, linking the attacker's MAC address with the IP address of the default gateway. This allows the attacker to intercept traffic destined for the gateway. Which OSI layer is directly targeted by this attack?

A. Layer 4 – Transport
B. Layer 3 – Network
C. Layer 1 – Physical
D. Layer 2 – Data Link
Answer: D

ARP is a Layer 2 protocol used for MAC address resolution; ARP spoofing directly targets this layer.

Why this answer

ARP spoofing (or ARP poisoning) operates at Layer 2 (Data Link) because ARP messages are encapsulated directly within Ethernet frames and rely on MAC addresses, not IP routing. By forging ARP replies, the attacker corrupts the IP-to-MAC mapping in the victim's ARP cache, causing frames destined for the default gateway to be sent to the attacker's MAC address instead. This attack exploits the lack of authentication in the ARP protocol (RFC 826) and directly targets the Data Link layer's addressing and frame delivery mechanism.

Exam trap

The trap here is that candidates often confuse ARP's role in resolving IP addresses (Layer 3) with the layer at which the attack actually occurs, mistakenly choosing Layer 3 instead of recognizing that ARP operates at Layer 2 and exploits the Data Link layer's addressing scheme.

How to eliminate wrong answers

Option A is wrong because Layer 4 (Transport) handles end-to-end communication, segmentation, and port-based services (TCP/UDP), not MAC-to-IP address resolution or frame forwarding. Option B is wrong because Layer 3 (Network) deals with logical addressing and routing (e.g., IP, ICMP), but ARP itself is a Layer 2 protocol that maps IP addresses to MAC addresses and does not involve routing tables or IP header manipulation. Option C is wrong because Layer 1 (Physical) concerns the electrical, mechanical, and procedural interface to the transmission medium (e.g., cables, signals, hubs), not the addressing or frame-level manipulation used in ARP spoofing.

42
MCQ · medium

A security architect is designing a zero trust network. Which principle is fundamental to a zero trust architecture?

A. Trust but verify
B. Rely on perimeter defenses
C. Never trust, always verify
D. Trust internal traffic implicitly
Answer: C

This is the core principle of zero trust.

Why this answer

Zero trust architecture (ZTA) fundamentally rejects implicit trust based on network location. The principle 'never trust, always verify' mandates continuous authentication and authorization for every access request, regardless of whether it originates from inside or outside the network perimeter. This is enforced through micro-segmentation, least-privilege access, and per-session verification, often using technologies like identity-aware proxies and software-defined perimeters (SDP).

Exam trap

The trap here is that candidates may confuse 'trust but verify' (Option A) with zero trust, but zero trust explicitly removes the initial trust assumption, making 'never trust, always verify' the correct principle.

How to eliminate wrong answers

Option A is wrong because 'trust but verify' is the traditional perimeter-based model that assumes trust once a user or device is inside the network, which is the opposite of zero trust's assumption of breach. Option B is wrong because relying on perimeter defenses is a castle-and-moat approach that fails once an attacker breaches the boundary; zero trust eliminates the concept of a trusted internal network. Option D is wrong because trusting internal traffic implicitly is the exact vulnerability zero trust aims to remove; internal traffic must be subject to the same verification as external traffic.

43
Multi-Select · hard

A network administrator is reviewing the security of the company's VPN solution. They discover that the current VPN uses PPTP. Which TWO of the following are significant security weaknesses associated with PPTP?

Select 2 answers
A. It uses MS-CHAPv2 authentication which is susceptible to brute-force attacks
B. It relies on IKE for key exchange
C. It uses MPPE encryption which is considered weak
D. It supports strong authentication with digital certificates
E. It provides perfect forward secrecy
Answers: A, C

MS-CHAPv2 has known vulnerabilities and can be cracked.

Why this answer

PPTP uses Microsoft Point-to-Point Encryption (MPPE), which relies on the RC4 stream cipher. RC4 has known weaknesses, including statistical biases and the ability to recover plaintext after encrypting a large volume of traffic, so it is considered too weak for modern security requirements. Additionally, PPTP's default authentication protocol is MS-CHAPv2, which is vulnerable to offline brute-force attacks because its challenge-response mechanism uses a weak DES-based hash that can be cracked with tools like Asleap or ChapCrack.

Exam trap

The trap here is that candidates may confuse PPTP's use of MPPE with stronger encryption protocols like IPsec, or mistakenly think that MS-CHAPv2 is secure because it uses a challenge-response mechanism, overlooking its fundamental reliance on weak DES encryption and the NT hash.

44
MCQ · medium

An organization is migrating from WPA2 to WPA3 for its wireless network. Which improvement does WPA3 provide over WPA2?

A. Use of TKIP for backward compatibility
B. Mandatory use of WPS for easy setup
C. Simultaneous Authentication of Equals (SAE) providing forward secrecy
D. Support for 802.1X only, no personal mode
Answer: C

SAE protects against offline dictionary attacks and provides forward secrecy, a major improvement over WPA2 PSK.

Why this answer

WPA3 replaces WPA2's Pre-Shared Key (PSK) handshake with Simultaneous Authentication of Equals (SAE), defined in IEEE 802.11-2016 and RFC 7664. SAE uses a Dragonfly key exchange based on discrete logarithm cryptography, which provides forward secrecy: even if an attacker captures the handshake and later obtains the pre-shared key, they cannot decrypt past session traffic. This eliminates the vulnerability to offline dictionary attacks that plagued WPA2-PSK.

Exam trap

The trap here is that candidates confuse WPA3's mandatory use of SAE with the older WPA2-PSK handshake, and mistakenly think WPA3 still supports TKIP or WPS, or that it only works in Enterprise mode, when in fact SAE is the core personal mode enhancement.

How to eliminate wrong answers

Option A is wrong because TKIP (Temporal Key Integrity Protocol) is deprecated and not used in WPA3; WPA3 mandates CCMP (AES) and removes TKIP for security reasons. Option B is wrong because WPS (Wi-Fi Protected Setup) is not mandatory in WPA3; in fact, WPS is often disabled due to its known PIN brute-force vulnerability, and WPA3 does not require it. Option D is wrong because WPA3 supports both Personal mode (SAE) and Enterprise mode (with 802.1X and EAP), not only 802.1X; the personal mode is a key improvement over WPA2.

45
MCQ · medium

During a security assessment, a penetration tester sends TCP SYN packets to various ports on a target server. Based on the responses, the tester determines which ports are open. This technique is commonly used at which OSI layer?

A. Layer 7 – Application
B. Layer 3 – Network
C. Layer 4 – Transport
D. Layer 2 – Data Link
Answer: C

Port scanning uses TCP or UDP at Layer 4 to probe ports.

Why this answer

The TCP SYN scan operates at Layer 4 (Transport) of the OSI model because it manipulates TCP segment headers, specifically the SYN flag, to probe port states. The tester sends SYN packets and interprets the response (SYN-ACK for open, RST for closed) to infer port availability, which is a transport-layer function defined by RFC 793.

Exam trap

The trap here is that candidates confuse the OSI layer of the scanning technique with the layer of the protocol being scanned (e.g., thinking a web server scan is Layer 7), but the SYN scan itself operates at Layer 4 regardless of the application running on the target port.

How to eliminate wrong answers

Option A is wrong because Layer 7 (Application) deals with application-specific protocols like HTTP or FTP, not raw TCP segment manipulation; SYN scanning does not involve application-layer payloads. Option B is wrong because Layer 3 (Network) handles IP addressing and routing, not the TCP flags or port numbers used in SYN scanning; the scan relies on transport-layer port numbers, not IP addresses. Option D is wrong because Layer 2 (Data Link) manages framing and MAC addresses on a local network segment; SYN scanning operates above this layer and does not interact with Ethernet frames or switches.

46
MCQ · medium

A security team is implementing a zero trust architecture. Which component is essential to enforce access decisions based on user identity, device posture, and context before granting access to resources?

A. Virtual private network (VPN)
B. Network Access Control (NAC)
C. Next-generation firewall (NGFW)
D. Software-defined perimeter (SDP)
Answer: D

SDP creates a dynamically provisioned perimeter that authenticates users and devices before granting access to specific resources.

Why this answer

A software-defined perimeter (SDP) is the essential component for enforcing access decisions based on user identity, device posture, and context in a zero trust architecture. SDP creates a dynamic, encrypted micro-perimeter around each resource, requiring authentication and authorization before any connection is established, effectively hiding the resource from unauthorized users. This aligns with the zero trust principle of 'never trust, always verify' by evaluating identity, device health, and contextual factors (e.g., location, time) before granting access.

Exam trap

The trap here is that candidates often confuse Network Access Control (NAC) with zero trust because both involve device posture checks, but NAC is a pre-admission network-level control, whereas SDP provides per-session, application-level access control that is fundamental to zero trust architecture.

How to eliminate wrong answers

Option A is wrong because a VPN provides encrypted tunnels for remote access but typically grants broad network-level access after authentication, lacking granular, per-request context-based authorization and device posture checks required for zero trust. Option B is wrong because Network Access Control (NAC) focuses on pre-admission authentication and endpoint compliance at the network edge (e.g., 802.1X), but does not enforce per-session, application-level access decisions based on continuous context after initial admission. Option C is wrong because a next-generation firewall (NGFW) performs deep packet inspection and application-level filtering, but it operates at the network perimeter and does not inherently integrate identity- and device-posture-based access control for each resource request in a zero trust model.

47
MCQ · hard

A network administrator is configuring DNSSEC to protect against DNS spoofing. Which record type is used to provide cryptographic verification of DNS data origins?

A. RRSIG
B. DS
C. DNSKEY
D. NSEC
Answer: A

RRSIG contains the digital signature for a set of records, allowing verification of origin.

Why this answer

RRSIG (Resource Record Signature) is the DNSSEC record type that contains the cryptographic signature for a DNS record set. It provides data origin authentication and integrity verification by allowing resolvers to validate that the DNS data came from the authoritative source and was not modified in transit.

Exam trap

The trap here is that candidates confuse the role of DNSKEY (the key) with RRSIG (the signature), mistakenly thinking the public key itself provides verification, when in fact the signature record (RRSIG) is what cryptographically binds the data to the zone.

How to eliminate wrong answers

Option B (DS) is wrong because DS (Delegation Signer) records are used to create a chain of trust between DNS zones, not to directly sign or verify individual DNS data origins. Option C (DNSKEY) is wrong because DNSKEY records hold the public signing key used to verify RRSIG signatures, but they do not themselves provide cryptographic verification of data origins. Option D (NSEC) is wrong because NSEC (Next Secure) records are used for authenticated denial of existence, proving that a DNS name does not exist, and have no role in verifying data origin signatures.

48
MCQ · medium

A company uses SSH for remote administration. To enhance security, they want to implement public-key authentication. Which statement about SSH public-key authentication is true?

A. The private key must be kept secret by the user
B. The public key is used to decrypt the session
C. Public-key authentication does not require a passphrase
D. The private key is stored on the server
Answer: A

The private key should never be shared or stored on the server.

Why this answer

In SSH public-key authentication, the private key is the secret half of the asymmetric key pair and must be kept confidential by the user. The server stores only the public key, and authentication is proven by the client signing a challenge with the private key, which the server verifies using the stored public key. This ensures that even if the server is compromised, the private key remains safe on the client side.

Exam trap

The trap here is that candidates often confuse the roles of public and private keys, mistakenly thinking the public key is used for decryption or that the private key is stored on the server, when in fact the private key is kept secret by the user and used only for signing.

How to eliminate wrong answers

Option B is wrong because the public key is used to verify a signature from the client, not to decrypt the session; session encryption is established via a symmetric key negotiated during the key exchange (e.g., Diffie-Hellman). Option C is wrong because while a passphrase is not strictly required, it is strongly recommended to protect the private key at rest; without a passphrase, the private key file is stored in plaintext and can be used by anyone who gains access to it. Option D is wrong because the private key is never stored on the server; only the public key is placed in the user's authorized_keys file on the server.

49
MCQ · hard

A security engineer is evaluating VPN protocols for a remote access solution. The requirements are: strong encryption with perfect forward secrecy, support for mutual authentication, and no reliance on pre-shared keys that could be brute-forced. Which protocol best meets these requirements?

A. L2TP/IPsec with pre-shared keys
B. PPTP with MS-CHAPv2
C. WireGuard
D. IPsec with IKEv2 using pre-shared keys
Answer: C

WireGuard meets all requirements: ECC key exchange provides perfect forward secrecy, public-key authentication is mutual, and no PSK is needed.

Why this answer

WireGuard is the correct choice because it uses modern cryptographic primitives (Curve25519, ChaCha20, Poly1305, BLAKE2s) that inherently provide perfect forward secrecy via ephemeral Diffie-Hellman key exchanges, supports mutual authentication through public-key-based handshakes, and eliminates pre-shared keys as the sole authentication factor—though an optional PSK can be added for post-quantum resistance, it is not required and does not weaken security if omitted.

Exam trap

Cisco often tests the misconception that IPsec with IKEv2 is always secure regardless of authentication method, but the trap here is that pre-shared keys (even with IKEv2) violate the 'no reliance on pre-shared keys' requirement and can be brute-forced if weak, whereas WireGuard's public-key-based mutual authentication avoids this vulnerability entirely.

How to eliminate wrong answers

Option A is wrong because L2TP/IPsec with pre-shared keys relies on a static PSK that can be brute-forced if weak, and does not inherently enforce perfect forward secrecy unless IKEv2 with ephemeral Diffie-Hellman is explicitly configured, which is not guaranteed by the option. Option B is wrong because PPTP with MS-CHAPv2 uses the RC4 cipher and MS-CHAPv2 authentication, both of which are cryptographically broken and lack perfect forward secrecy; additionally, PPTP does not support mutual authentication in a strong sense and relies on passwords that can be brute-forced. Option D is wrong because IPsec with IKEv2 using pre-shared keys still depends on a static PSK that can be brute-forced, and while IKEv2 can support perfect forward secrecy, the use of a PSK as the primary authentication method contradicts the requirement of no reliance on pre-shared keys.

50
Multi-Select · easy

Which TWO features are true of IPsec tunnel mode compared to transport mode? (Select two.)

Select 2 answers
A. It provides better performance than transport mode
B. A new IP header is added to the packet
C. The entire original IP packet is encapsulated and encrypted
D. It is used for end-to-end communication between hosts
E. Only the payload of the packet is encrypted
Answers: B, C

Tunnel mode adds a new outer IP header; transport mode does not.

Why this answer

In IPsec tunnel mode, the entire original IP packet (including the original IP header) is encapsulated within a new IP packet. A new outer IP header is added, and the entire inner packet is encrypted and optionally authenticated. This is why options B and C are correct: a new IP header is added, and the whole original packet is encapsulated and encrypted.

Exam trap

Cisco often tests the misconception that tunnel mode is faster because it 'tunnels' traffic, but the added encapsulation and encryption overhead actually makes it slower than transport mode; the trap is confusing the purpose (hiding internal addresses) with performance characteristics.

51
MCQ · medium

A company is designing a network segmentation strategy to isolate a public-facing web server from the internal corporate network. Which of the following is the most appropriate architecture?

A. Micro-segmentation using SDN
B. VLAN with no firewall
C. Direct connection to internet without segmentation
D. DMZ (screened subnet)
Answer: D

The DMZ is specifically designed to host externally accessible services while protecting the internal network.

Why this answer

A DMZ (screened subnet) is the most appropriate architecture because it places the public-facing web server in a separate, isolated network segment that sits between the internal corporate network and the untrusted internet. Traffic from the internet is allowed only to the DMZ (typically via stateful firewall rules permitting HTTP/HTTPS on TCP ports 80/443), and traffic from the DMZ to the internal network is strictly controlled or proxied, preventing direct lateral movement. This aligns with the principle of defense in depth and is a standard CISSP-recommended design for securing publicly accessible services.

Exam trap

The trap here is that candidates often confuse VLANs with security boundaries, assuming a VLAN alone provides sufficient isolation, when in fact VLANs lack access control and are vulnerable to Layer 2 attacks, making a DMZ with firewalls the correct answer for network segmentation of public-facing services.

How to eliminate wrong answers

Option A is wrong because micro-segmentation using SDN is an advanced, granular isolation technique typically used within data centers or east-west traffic control, but it is not the standard or most appropriate architecture for isolating a single public-facing web server from the internal network; a DMZ is simpler, more established, and directly addresses the requirement. Option B is wrong because a VLAN without a firewall provides only Layer 2 separation and no access control or traffic filtering, leaving the web server and internal network vulnerable to attacks that bypass VLAN segmentation (e.g., VLAN hopping via DTP or double-tagging). Option C is wrong because a direct connection to the internet without segmentation exposes the web server and the entire internal network to unrestricted inbound and outbound traffic, violating the fundamental security principle of least privilege and offering no isolation.

52
MCQ · easy

Which VPN technology operates at Layer 2 of the OSI model and is often used in combination with IPsec to provide encryption?

A. L2TP
B. WireGuard
C. IPsec
D. PPTP
Answer: A

L2TP is a Layer 2 protocol often used with IPsec for security.

Why this answer

L2TP (Layer 2 Tunneling Protocol) operates at Layer 2 of the OSI model, encapsulating PPP frames to create a virtual point-to-point link. It is commonly combined with IPsec (specifically ESP in tunnel mode) to provide encryption, authentication, and integrity, as L2TP itself offers no confidentiality. This combination is defined in RFC 3193 and is widely used for remote-access VPNs.

Exam trap

Cisco often tests the misconception that IPsec itself is a Layer 2 protocol, when in fact it operates at Layer 3, and that L2TP provides encryption, which it does not—candidates must remember that L2TP is unencrypted and relies on IPsec for security.

How to eliminate wrong answers

Option B (WireGuard) is wrong because it operates at Layer 3 (network layer) and uses its own cryptographic protocol (Noise_IK) for encryption, not Layer 2, and is not typically combined with IPsec. Option C (IPsec) is wrong because it operates at Layer 3 and provides encryption natively; it is the security layer added to L2TP, not the Layer 2 tunneling protocol itself. Option D (PPTP) is wrong because, although it operates at Layer 2, it uses MPPE for encryption and is not commonly combined with IPsec; it is considered deprecated due to known security vulnerabilities (e.g., MS-CHAPv2 weaknesses).

53
MCQ · hard

A company is migrating from WPA2 to WPA3 to enhance wireless security. Which of the following cryptographic changes does WPA3 introduce compared to WPA2?

A. WPA3 replaces PSK with SAE and uses GCMP-256 encryption.
B. WPA3 uses TKIP for backward compatibility.
C. WPA3 uses AES-CCMP as the mandatory encryption method.
D. WPA3 eliminates the need for 802.1X authentication.
Answer: A

SAE provides forward secrecy and resistance to offline dictionary attacks; GCMP-256 is the required encryption.

Why this answer

WPA3 introduces the Simultaneous Authentication of Equals (SAE) handshake, defined in IEEE 802.11-2016, to replace the Pre-Shared Key (PSK) method used in WPA2, providing forward secrecy and resistance to offline dictionary attacks. Additionally, WPA3 mandates the use of GCMP-256 (Galois/Counter Mode Protocol with a 256-bit key) for encryption, which is stronger than the AES-CCMP (128-bit) used in WPA2.

Exam trap

The trap here is that candidates often confuse the mandatory encryption method of WPA3 (GCMP-256) with that of WPA2 (AES-CCMP), or incorrectly assume WPA3 still relies on TKIP for backward compatibility, when in fact TKIP is completely removed from the WPA3 specification.

How to eliminate wrong answers

Option B is wrong because WPA3 does not use TKIP; TKIP is a legacy protocol from WPA1 and is explicitly deprecated in WPA3, which requires CCMP or GCMP. Option C is wrong because while AES-CCMP is mandatory in WPA2, WPA3 mandates GCMP-256 as the default encryption method, with AES-CCMP only allowed as a fallback for backward compatibility in WPA3-Transition mode. Option D is wrong because WPA3 does not eliminate 802.1X authentication; it still supports 802.1X (Enterprise mode) using SAE or EAP, and the Personal mode simply replaces PSK with SAE.

54
MCQ · easy

In IPsec, which protocol provides both authentication and encryption for the packet payload, but does not encrypt the IP header?

A. IKE (Internet Key Exchange)
B. ISAKMP (Internet Security Association and Key Management Protocol)
C. ESP (Encapsulating Security Payload)
D. AH (Authentication Header)
Answer: C

ESP offers both encryption and authentication; in transport mode, it encrypts the payload only.

Why this answer

ESP (Encapsulating Security Payload) provides both authentication and encryption for the packet payload, while leaving the IP header unencrypted. This allows intermediate routers to process the packet normally, as the header remains in plaintext, but the payload is protected for confidentiality and integrity.

Exam trap

Cisco often tests the distinction between ESP and AH by emphasizing that AH authenticates the entire packet (including the IP header) but provides no encryption, while ESP encrypts the payload but leaves the IP header unencrypted, leading candidates to mistakenly choose AH when encryption is required.

How to eliminate wrong answers

Option A is wrong because IKE (Internet Key Exchange) is a protocol used to establish security associations (SAs) and exchange cryptographic keys, not to directly encrypt or authenticate packet payloads. Option B is wrong because ISAKMP (Internet Security Association and Key Management Protocol) provides a framework for SA negotiation and key management, but does not itself perform payload encryption or authentication. Option D is wrong because AH (Authentication Header) provides integrity and authentication for the entire packet (including the IP header) but does not offer encryption, so it cannot encrypt the payload.

55
MCQ · easy

Which type of firewall is capable of inspecting application-layer data, performing SSL decryption, and integrating intrusion prevention capabilities?

A. Packet filter firewall
B. Next-generation firewall
C. Application proxy firewall
D. Stateful firewall
Answer: B

NGFW combines L7 inspection, SSL decryption, and IPS.

Why this answer

A next-generation firewall (NGFW) goes beyond traditional stateful inspection by incorporating deep packet inspection (DPI) of application-layer data, the ability to decrypt and inspect SSL/TLS traffic, and integrated intrusion prevention system (IPS) capabilities. This convergence allows NGFWs to identify and block threats within encrypted sessions and enforce policies based on application identity rather than just ports and protocols.

Exam trap

The trap here is that candidates often confuse an application proxy firewall with an NGFW, but the key differentiator is that an NGFW integrates SSL decryption and IPS into a single engine, whereas a proxy firewall typically handles only specific application protocols without inline threat prevention.

How to eliminate wrong answers

Option A is wrong because a packet filter firewall operates only at Layers 3 and 4, inspecting source/destination IP addresses and port numbers without any application-layer awareness or SSL decryption capability. Option C is wrong because an application proxy firewall can inspect application-layer data but typically does not perform SSL decryption natively at line rate and lacks integrated intrusion prevention; it acts as an intermediary for specific protocols (e.g., HTTP, FTP) rather than providing unified threat management. Option D is wrong because a stateful firewall tracks connection state (e.g., TCP handshake) at Layers 3 and 4 but cannot inspect application payloads, decrypt SSL, or run an IPS engine.

56
MCQ · hard

A company deploys DNSSEC to protect its DNS infrastructure. Which cryptographic operation does DNSSEC primarily use to ensure the authenticity and integrity of DNS data?

A. Hashing of DNS responses without keys
B. Digital signatures of DNS records
D. Symmetric encryption of DNS queries
Answer: B

DNSSEC adds RRSIG records that are digital signatures over DNS data.

Why this answer

DNSSEC primarily uses digital signatures to ensure the authenticity and integrity of DNS data. Each DNS zone is signed with a private key, and resolvers verify the signatures using the corresponding public key, which is published as a DNSKEY record. This process allows the resolver to cryptographically confirm that the data has not been modified in transit and originates from the authoritative source.

Exam trap

The trap here is confusing DNSSEC's use of digital signatures for data origin authentication with encryption or transport-layer security, leading candidates to incorrectly select TLS or symmetric encryption options.

How to eliminate wrong answers

Option A is wrong because hashing without keys provides integrity but not authenticity; an attacker can modify both the data and the hash, so DNSSEC requires asymmetric cryptography (digital signatures) to bind the hash to the signer. Option C is wrong because DNSSEC operates at the DNS protocol layer using resource records (RRSIG, DNSKEY, DS) and does not rely on Transport Layer Security (TLS); TLS secures the transport channel (e.g., DNS over TLS), not the DNS data itself. Option D is wrong because DNSSEC uses asymmetric cryptography (public/private key pairs) for signing, not symmetric encryption; symmetric encryption would require shared secrets and does not provide non-repudiation or scalable key distribution for DNS.

57
Multi-Select · hard

A company is deploying a VPN solution for remote employees using SSL/TLS VPN. Which TWO security considerations are important when implementing this type of VPN? (Select two.)

Select 2 answers
A. Use IPsec in transport mode for better performance
B. Implement strong authentication mechanisms such as multi-factor authentication
C. Ensure the SSL VPN gateway is patched and hardened against web application attacks
D. Use pre-shared keys for authentication
E. Disable encryption to improve speed
Answers: B, C

Strong authentication is critical to prevent unauthorized access via the VPN portal.

Why this answer

SSL/TLS VPNs operate at the application layer and are exposed to the internet, making them vulnerable to web-based attacks such as SQL injection and cross-site scripting. Strong authentication, including multi-factor authentication (MFA), is critical to prevent unauthorized access even if credentials are compromised. Patching and hardening the SSL VPN gateway against web application attacks is equally important to mitigate vulnerabilities in the underlying web server or VPN appliance.

Exam trap

The trap here is that candidates confuse SSL/TLS VPNs with IPsec VPNs, leading them to select IPsec-specific options like transport mode or pre-shared keys, when the question explicitly focuses on SSL/TLS VPN security considerations.

58
MCQ · easy

Which type of firewall operates at Layer 7 and can inspect application payloads, such as blocking specific SQL commands or HTTP methods?

A. Stateful inspection
B. Application proxy
C. Packet filter
D. Circuit-level gateway
Answer: B

Application proxies terminate the connection and re-establish it, inspecting the application data.

Why this answer

An application proxy firewall (also known as an application-level gateway) operates at Layer 7 (Application Layer) of the OSI model. It can inspect the full application payload, allowing it to block specific SQL commands, HTTP methods (e.g., PUT, DELETE), or other application-layer content by terminating the connection and re-establishing it after deep inspection.

Exam trap

The trap here is that candidates often confuse 'stateful inspection' (Layer 4) with application-layer inspection, assuming stateful firewalls can inspect payloads, but they only track session state, not application content.

How to eliminate wrong answers

Option A is wrong because a stateful inspection firewall operates at Layers 3 and 4, tracking connection state (SYN, ACK) but not inspecting application payloads. Option C is wrong because a packet filter firewall works at Layers 3 and 4, filtering based on source/destination IPs, ports, and protocols, without any payload inspection. Option D is wrong because a circuit-level gateway operates at Layer 5 (Session Layer), validating TCP handshakes and session establishment (e.g., SOCKS proxy) but does not examine application data.

59
MCQeasy

A security analyst is configuring a firewall to allow HTTP traffic (TCP port 80) from the internet to a web server in the DMZ. The firewall should also allow return traffic from the server back to the internet. Which type of firewall is best suited to handle this traffic while maintaining security?

A.Application proxy firewall
B.Circuit-level gateway
C.Stateful inspection firewall
D.Packet filter firewall
AnswerC

Stateful firewalls maintain connection state and automatically allow return traffic for established connections.

Why this answer

A stateful inspection firewall (C) is best suited because it tracks the state of active connections, allowing return traffic for established sessions (e.g., HTTP responses from the server to the internet) while blocking unsolicited inbound packets. It inspects packets at Layers 3 and 4, maintaining a state table that matches return packets to the original outbound request, ensuring only legitimate responses are permitted. This provides better security than a simple packet filter by preventing spoofed or out-of-context packets.

Exam trap

The trap here is that candidates often choose packet filter firewalls (D) because they are simpler and can technically allow HTTP traffic on port 80, but they fail to recognize that stateful inspection is required to securely handle return traffic without manually creating complex, insecure rules for ephemeral ports.

How to eliminate wrong answers

Option A is wrong because an application proxy firewall operates at Layer 7, terminating and re-establishing connections, which adds latency and complexity for simple HTTP traffic; it is overkill and not the best fit for just allowing HTTP with return traffic. Option B is wrong because a circuit-level gateway operates at Layer 5 (session layer), validating TCP handshakes but not inspecting packet contents or maintaining state for individual HTTP requests; it cannot reliably match return traffic to dynamic ports or track sessions. Option D is wrong because a packet filter firewall only examines packet headers (source/destination IP, port, protocol) without maintaining connection state, making it vulnerable to spoofed return packets and unable to distinguish legitimate responses from malicious traffic.

60
MCQmedium

A security analyst detects an attack where the attacker sends forged ARP messages to associate the attacker's MAC address with the IP address of the default gateway. Which OSI layer is primarily targeted by this attack?

A.Layer 4 – Transport
B.Layer 3 – Network
C.Layer 1 – Physical
D.Layer 2 – Data Link
AnswerD

ARP is a Layer 2 protocol used for MAC address resolution.

Why this answer

ARP operates at Layer 2 (Data Link) because it maps IP addresses (Layer 3) to MAC addresses (Layer 2) within a single broadcast domain. By forging ARP replies, the attacker poisons the ARP cache of hosts, causing frames destined for the default gateway to be sent to the attacker's MAC address. This directly targets the address resolution process that bridges Layer 2 and Layer 3, but the attack itself is executed at the Data Link layer.

Exam trap

The trap here is that candidates see 'IP address' in the question and immediately think Layer 3 (Network), forgetting that ARP is a Layer 2 protocol that resolves Layer 3 addresses to Layer 2 addresses.

How to eliminate wrong answers

Option A is wrong because Layer 4 (Transport) handles end-to-end communication, segmentation, and flow control (e.g., TCP/UDP ports), and ARP has no involvement with transport-layer headers or port numbers. Option B is wrong because Layer 3 (Network) deals with logical addressing and routing (e.g., IP packets), but ARP is not a routed protocol; it is confined to a single subnet and operates below IP. Option C is wrong because Layer 1 (Physical) concerns the physical transmission of bits over media (e.g., cables, signals), and ARP is a protocol that uses frames, not raw bit-level manipulation.
