CCNA Network and Communications Security Questions

Network and Communications Security · questions 76–87 (12 of 87, page 2 of 2)

76
MCQ · hard

A security analyst discovers that an internal host is sending traffic to an external IP address known to be a command-and-control server. The analyst wants to block only that specific traffic without affecting other traffic. Which firewall rule should be implemented?

A. Deny all traffic from the internal host.
B. Deny all traffic to the external IP.
C. Deny traffic on the specific port used.
D. Deny traffic from the internal host to the external IP.

Answer: D

This provides a targeted block without affecting other traffic.

Why this answer

Option D is correct because it creates a specific deny rule matching only the source IP of the internal host and the destination IP of the command-and-control server, blocking that exact flow while leaving all other traffic to and from both addresses untouched. This is the most precise and least disruptive change, and it follows the same least-privilege thinking that applies to firewall rules generally: deny exactly what must be denied. In practice the rule should also log its hits, so the analyst can see whether the host keeps trying to beacon, and it is a containment step only: the host is still compromised and needs investigation and remediation.

Exam trap

The trap here is that candidates often choose a broad deny rule (like denying all traffic to the external IP) because they focus on the malicious destination, forgetting that such a rule would block all traffic to that IP from any source, potentially impacting other hosts or services.

How to eliminate wrong answers

Option A is wrong because denying all traffic from the internal host would block every outbound connection from that host, including legitimate traffic to other destinations, causing unnecessary disruption. Option B is wrong because denying all traffic to the external IP affects every internal host that talks to that address, not only the compromised one; blocking a confirmed C2 address network-wide is often a sensible follow-up, but it is broader than the targeted block the question asks for. Option C is wrong because denying traffic on the specific port would block that port to every destination, not just the command-and-control server; C2 traffic commonly rides TCP/443 or TCP/80, so such a rule would disrupt ordinary web access.

77
MCQ · hard

During a security audit, it is discovered that network devices are using Telnet for management. Which of the following is the most secure replacement to ensure encrypted remote access?

A. SNMPv3 with authentication and encryption
B. SSH with public key authentication
C. HTTPS with self-signed certificate
D. SSH with password authentication

Answer: B

SSH encrypts the management session; public key authentication removes the password from the login entirely.

Why this answer

SSH (Secure Shell) encrypts the management session and authenticates both the device (through its host key) and the administrator, replacing the plaintext Telnet protocol. With public key authentication no password is sent at all: the administrator proves possession of a private key, which cannot be guessed by online brute force the way a password can. Note that a key is not a second factor on its own; it replaces the password, and the private key should be protected by a passphrase and stored where it cannot be copied. That makes B the most secure option among those listed.

Exam trap

The trap here is that candidates often confuse SNMPv3's encryption capabilities with remote shell access, or they assume that any encrypted protocol (like HTTPS) is a direct replacement for Telnet, ignoring that SSH is the standard for secure command-line management.

How to eliminate wrong answers

Option A is wrong because SNMPv3 is a monitoring and management protocol (polling, SET operations and trap notifications); even with authentication and privacy enabled it does not give an administrator an interactive command shell, so it cannot replace Telnet for management access. Option C is wrong because HTTPS with a self-signed certificate encrypts the session but gives the administrator no trustworthy way to verify the device's identity, so a session can be intercepted by anyone who presents another self-signed certificate; it also serves web-based management, not command-line access. Option D is wrong because SSH with password authentication still depends on a secret that can be guessed by online brute force, phished, or captured by a keylogger; public key authentication removes password transmission entirely. Whichever option is chosen, Telnet itself must be disabled on the devices, not merely supplemented.

78
MCQ · easy

A small medical office has 10 employees who use laptops to access electronic health records (EHR) via a web application hosted at a colocation facility. The office currently uses a consumer-grade wireless router with WPA2-PSK for internet access. The EHR vendor requires all connections to be encrypted with TLS 1.2 and recommends using a VPN for remote access. The office manager wants to ensure secure connections from the office to the EHR system, while keeping costs low. The network consultant proposes several options. Which option best balances security and cost?

A. Upgrade the wireless router to one that supports WPA3-Enterprise.
B. Install a dedicated SSL VPN appliance at the office for clientless access.
C. Configure an IPsec site-to-site VPN between the office router and the colocation firewall.
D. Use only HTTPS with TLS 1.2 and disable HTTP access on the EHR server.

Answer: C

A site-to-site IPsec tunnel encrypts all office-to-colocation traffic and needs no per-user clients or new appliance.

Why this answer

Option C is correct because an IPsec site-to-site VPN creates an encrypted tunnel between the office edge router and the colocation firewall, so every EHR connection from the office crosses the internet inside the tunnel without per-user client software or ongoing licence costs. This satisfies the EHR vendor's VPN recommendation using equipment at both ends rather than a new appliance. One practical caveat: most consumer-grade wireless routers cannot terminate an IPsec site-to-site tunnel, so this option assumes the office router supports it (or is replaced by an inexpensive small-business router that does), which is typically far cheaper than a dedicated VPN appliance.

Exam trap

The trap here is that candidates often focus on securing the wireless link (WPA3) or the application layer (HTTPS), forgetting that the EHR vendor explicitly requires a VPN to protect data across the untrusted internet path, not just at the endpoints.

How to eliminate wrong answers

Option A is wrong because WPA3-Enterprise only secures the wireless link inside the office; it does nothing for the traffic between the office and the colocation facility, which is the path the vendor wants protected. Option B is wrong because a dedicated SSL VPN appliance adds hardware and licensing cost, contradicting the goal of keeping costs low; clientless access is also unnecessary, since the employees' laptops can run a VPN client if one were needed. Option D is wrong because HTTPS with TLS 1.2 protects each browser session but does not meet the vendor's VPN recommendation: it relies on every laptop validating the server certificate correctly, and it leaves the EHR server's HTTPS port exposed to the whole internet rather than reachable only through the office tunnel. TLS 1.2 on the application is still required by the vendor and should be kept; it complements the VPN rather than replacing it.

79
MCQ · medium

A company wants to enforce network access control (NAC) for both wired and wireless devices. Which protocol is used for this purpose?

A. 802.1X
B. SNMP (Simple Network Management Protocol)
C. EAP (Extensible Authentication Protocol)
D. PAP (Password Authentication Protocol)

Answer: A

802.1X provides port-based authentication for NAC.

Why this answer

802.1X is the IEEE standard for port-based network access control. It has three roles: the supplicant (the client device), the authenticator (the switch or access point), and the authentication server (usually RADIUS). The authenticator keeps the port in an unauthorized state, passing only EAP over LAN (EAPOL) frames, until the authentication server returns an Access-Accept; only then is the port opened to normal traffic. Because it works at the data link layer and is supported by both wired switches and WPA2/WPA3-Enterprise wireless, it is the protocol that enforces NAC across both media.

Exam trap

The trap here is confusing EAP (a framework) with 802.1X (the protocol that enforces NAC), leading candidates to pick EAP because it is directly involved in authentication, but it does not control network access itself.

How to eliminate wrong answers

Option B (SNMP) is wrong because it is a management protocol for monitoring and configuring network devices, not for enforcing access control or authentication. Option C (EAP) is wrong because it is an authentication framework used within 802.1X, not a standalone NAC protocol; it provides the transport for authentication methods but does not enforce port-based access control. Option D (PAP) is wrong because it is a simple, unencrypted password authentication protocol used in PPP, not designed for network access control in modern wired/wireless environments.

80
MCQ · easy

Refer to the exhibit. A security analyst notices that multiple internal hosts are using the same inside global IP address but different port numbers. Which technology is being used?

A. Dynamic NAT
B. Static NAT
C. PAT (Port Address Translation)
D. Port forwarding

Answer: C

PAT allows many internal hosts to share a single public IP by differentiating via port numbers.

Why this answer

The scenario describes multiple internal hosts sharing a single inside global IP address but using different port numbers. This is the defining behavior of Port Address Translation (PAT), also known as NAT overload. PAT maps multiple private IP addresses to one public IP by differentiating sessions based on the transport-layer port number (TCP/UDP), allowing many hosts to share a single public address.

Exam trap

The trap here is that candidates often confuse PAT with Dynamic NAT, not realizing that Dynamic NAT requires a pool of public IPs and does not allow port-level multiplexing, whereas PAT is specifically designed to allow many-to-one address sharing using port differentiation.

How to eliminate wrong answers

Option A is wrong because Dynamic NAT maps private IPs to public IPs from a pool on a one-to-one basis, so multiple internal hosts cannot share the same inside global IP; each would require a unique public IP. Option B is wrong because Static NAT provides a fixed one-to-one mapping between a private IP and a public IP, which also prevents multiple hosts from using the same global address. Option D is wrong because Port forwarding is a manual configuration that directs external traffic to a specific internal host and port, not a mechanism for multiple internal hosts to share a single public IP with different source ports.
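Added example, not from the page: a Python model of the translation table that PAT maintains, next to a dynamic NAT pool for contrast. Addresses are constructed (203.0.113.2 as the inside global address, 192.168.1.0/24 inside). Two hosts sending from the same source port get different translated ports, a returning packet is mapped back by its destination port, and an unsolicited inbound packet with no binding gets nothing.

```python
"""Port Address Translation (NAT overload) modelled as a translation table,
next to a dynamic NAT pool for contrast. Added example with constructed
addresses; it is not device configuration from the page."""


class PatTable:
    """Many inside local (ip, port) pairs share one inside global address; each
    pair gets its own translated source port so replies can be de-multiplexed."""

    def __init__(self, inside_global, first_port=1024, last_port=65535):
        self.inside_global = inside_global
        self._candidates = iter(range(first_port, last_port + 1))
        self.outbound = {}   # (inside local ip, port, proto) -> translated port
        self.inbound = {}    # (translated port, proto) -> (inside local ip, port)

    def translate_out(self, src_ip, src_port, proto):
        """Return (inside global ip, translated port), reusing an existing binding."""
        key = (src_ip, src_port, proto)
        if key not in self.outbound:
            # Keep the host's own source port when no other host already owns it;
            # otherwise pick the next unused port, which is how two hosts using
            # source port 50000 end up with different inside global ports.
            port = src_port if (src_port, proto) not in self.inbound else self._next_free(proto)
            self.outbound[key] = port
            self.inbound[(port, proto)] = (src_ip, src_port)
        return self.inside_global, self.outbound[key]

    def _next_free(self, proto):
        for port in self._candidates:
            if (port, proto) not in self.inbound:
                return port
        raise RuntimeError("translation table exhausted")

    def translate_in(self, dst_port, proto):
        """Returning packet -> (inside local ip, port), or None when no binding
        exists; that None is why unsolicited inbound traffic dies at a PAT edge."""
        return self.inbound.get((dst_port, proto))


class DynamicNatPool:
    """Dynamic NAT for contrast: one pool address per inside host, no port multiplexing."""

    def __init__(self, pool):
        self.free = list(pool)
        self.bindings = {}

    def translate_out(self, src_ip):
        if src_ip not in self.bindings:
            if not self.free:
                return None        # pool exhausted: this host cannot go out at all
            self.bindings[src_ip] = self.free.pop(0)
        return self.bindings[src_ip]


if __name__ == "__main__":
    pat = PatTable("203.0.113.2")
    print(pat.translate_out("192.168.1.10", 50000, "tcp"))   # ('203.0.113.2', 50000)
    print(pat.translate_out("192.168.1.11", 50000, "tcp"))   # ('203.0.113.2', 1024)
    print(pat.translate_in(1024, "tcp"))                     # ('192.168.1.11', 50000)
    pool = DynamicNatPool(["203.0.113.10", "203.0.113.11"])
    print([pool.translate_out(h) for h in ("192.168.1.10", "192.168.1.11", "192.168.1.12")])
```

This table is also what an analyst needs when an external party reports abuse from 203.0.113.2: only the translation log, keyed by inside global port and time, attributes the session to an inside host.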

81
Multi-Select · easy

Which TWO are common methods to secure a wireless network against unauthorized access?

Select 2 answers
A. Implement WPA2-Enterprise
B. Enable SSID broadcast
C. Disable DHCP
D. Use MAC filtering
E. Deploy a wireless intrusion prevention system (WIPS)

Answers: A, E

Enterprise authentication gives each user their own credentials; a WIPS detects and contains rogue access points and wireless attacks.

Why this answer

WPA2-Enterprise uses IEEE 802.1X authentication against a RADIUS server, so each user authenticates with their own credentials or certificate instead of a shared pre-shared key; one departing employee or leaked key no longer compromises the whole network, and per-user session keys are derived for each client. A wireless intrusion prevention system (WIPS) complements this by monitoring the airspace for rogue access points, evil twins and deauthentication floods and containing them, covering threats that authentication alone cannot see. Together they are the enterprise-grade controls the question expects.

Exam trap

The trap here is that candidates often mistake MAC filtering or disabling DHCP as effective security controls, when in fact they are easily bypassed and provide only a false sense of security, while the exam expects recognition of enterprise-grade authentication and active monitoring as the correct methods.

82
MCQ · easy

A small business uses MAC address filtering on its wireless network to prevent unauthorized access. Which attack is most likely to bypass this control?

A. Deauthentication attack
B. Man-in-the-middle attack
C. Evil twin attack
D. MAC spoofing

Answer: D

An attacker can capture a valid MAC and use it to connect.

Why this answer

MAC address filtering is a weak access control because MAC addresses are transmitted in plaintext over the air and can be easily captured using a wireless sniffer (e.g., Wireshark). An attacker can then change their network interface's MAC address to match an allowed client via MAC spoofing, thereby bypassing the filter and gaining access to the network. This attack directly defeats the filtering mechanism without needing to crack encryption keys or impersonate the access point.

Exam trap

The trap here is that candidates confuse MAC spoofing with deauthentication attacks, thinking that disconnecting a client is the primary method to bypass filtering, when in fact the attacker must spoof the allowed MAC to actually authenticate and gain network access.

How to eliminate wrong answers

Option A is wrong because a deauthentication attack only knocks clients off the access point; it disrupts service but does not get the attacker onto the network. In practice an attacker may deauthenticate the legitimate client so that the copied MAC is not in use twice, but it is the spoofing, not the deauthentication, that defeats the filter. Option B is wrong because a man-in-the-middle attack intercepts traffic between two parties that are already communicating; on its own it does not get the attacker past the filter on the legitimate network. Option C is wrong because an evil twin is a rogue access point that lures clients into connecting to the attacker; it captures the clients' traffic but does not give the attacker access to the legitimate network's resources, which still sit behind its MAC filter.

83
MCQ · easy

An analyst notices unusual outbound traffic from a workstation to an external IP on port 445. Which protocol is likely being used?

A. HTTP
B. SMB
C. FTP
D. DNS

Answer: B

SMB uses port 445 for direct TCP communication, often associated with file sharing.

Why this answer

Port 445 is the default port for Microsoft-DS (Direct Hosting of SMB over TCP/IP), which is used by the Server Message Block (SMB) protocol for file and printer sharing. Unusual outbound traffic on this port often indicates SMB activity, such as a workstation attempting to connect to a remote share or, in a security context, potential data exfiltration or lateral movement using SMB.

Exam trap

Exams often test the association of well-known ports with their protocols. The trap here is that candidates confuse port 445 with the NetBIOS ports (137-139) or assume SMB only uses those; modern SMB runs directly over TCP port 445, while port 139 carries SMB over the NetBIOS session service.

How to eliminate wrong answers

Option A is wrong because HTTP typically uses ports 80 (unencrypted) or 443 (TLS), not port 445. Option C is wrong because FTP uses ports 20 (data) and 21 (control), not port 445. Option D is wrong because DNS uses port 53 (UDP primarily, with TCP for zone transfers), not port 445.
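Added example, not from the page: a small Python triage script that reads a firewall flow log and flags internal hosts talking SMB or NetBIOS (TCP/445, TCP/139, UDP/137-138) to non-internal destinations, which generalizes the single port-445 observation in the question. The log format and the log lines are constructed; the script keeps denied attempts as findings too, because a workstation trying to reach TCP/445 on the internet is worth investigating whether or not the perimeter stopped it.

```python
"""Flag SMB/NetBIOS connections from inside hosts to internet addresses in a
firewall flow log. Added example over constructed log lines in a made-up
"ts src:port -> dst:port proto action" format; not from the page."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Ports used by the Windows file-sharing stack: 445 direct-hosted SMB over TCP,
# 139 SMB over NetBIOS session service, 137/138 NetBIOS name/datagram (UDP).
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Explicit internal ranges (RFC 1918 plus loopback and link-local) rather than
# ipaddress.is_private, which would also treat the documentation addresses used
# as "internet" in the sample below as non-global.
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

LINE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                  r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>tcp|udp) (?P<action>allow|deny)$")


def parse(line):
    """One log line -> dict, or None if the line does not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def find_smb_egress(lines):
    """Records where an internal host talks SMB/NetBIOS to a non-internal address.
    Denied attempts are kept too: a host trying to reach tcp/445 on the internet
    is the interesting fact, whether or not the perimeter let it through."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if ((rec["proto"], rec["dport"]) in SMB_PORTS
                and is_internal(rec["src"]) and not is_internal(rec["dst"])):
            findings.append(rec)
    return findings


def summarize(findings):
    """Count findings per source host, which is the pivot for triage."""
    return dict(Counter(rec["src"] for rec in findings))


# Constructed sample log (RFC 5737 documentation addresses play the internet).
SAMPLE_LOG = [
    "2024-05-03T10:14:02Z 10.20.5.17:49211 -> 198.51.100.23:445 tcp allow",  # SMB to the internet
    "2024-05-03T10:14:05Z 10.20.5.17:49212 -> 10.20.1.4:445 tcp allow",      # internal file server: expected
    "2024-05-03T10:14:09Z 10.20.5.31:49300 -> 203.0.113.80:443 tcp allow",   # ordinary HTTPS
    "2024-05-03T10:14:11Z 10.20.5.31:137 -> 198.51.100.23:137 udp deny",     # NetBIOS name query leaking out
    "2024-05-03T10:14:15Z 10.20.5.17:49215 -> 198.51.100.23:445 tcp allow",  # second SMB session, same pair
]

if __name__ == "__main__":
    hits = find_smb_egress(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']}/{rec['proto']} ({rec['action']})")
    print("per host:", summarize(hits))
```

Outbound SMB to an attacker-controlled server also hands over the user's NTLM authentication attempt, which is one more reason TCP/445 should be blocked at the egress point regardless of what the triage finds.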

84
MCQ · medium

A company uses a hub-and-spoke VPN topology with a central site and multiple branch offices. The central site's firewall is being upgraded. Which technology can provide link redundancy with automatic failover for the VPN connections?

A. STP
B. VRRP
C. OSPF
D. BGP

Answer: D

BGP can be used to manage multiple VPN paths and failover automatically.

Why this answer

BGP is correct because it is a dynamic routing protocol that can learn the same branch prefixes over more than one VPN tunnel, prefer one path and hold the other in reserve. If the active tunnel or the central-site firewall terminating it goes away, for example during the upgrade, the route over the alternate path takes over without manual intervention. In practice the tunnels are monitored with BFD or short keepalives so that BGP notices a dead peer in seconds rather than waiting for its default hold timer.

Exam trap

The trap here is that candidates confuse VRRP (a first-hop redundancy protocol) with VPN failover, but VRRP only provides gateway redundancy at the local subnet, not dynamic routing or failover across multiple VPN tunnels between sites.

How to eliminate wrong answers

Option A is wrong because STP (Spanning Tree Protocol) is a Layer 2 protocol designed to prevent loops in Ethernet networks, not to provide link redundancy or automatic failover for VPN connections. Option B is wrong because VRRP (Virtual Router Redundancy Protocol) provides gateway redundancy at Layer 3 by allowing multiple routers to share a virtual IP, but it does not handle VPN-specific failover or dynamic routing across multiple sites. Option C is wrong because OSPF is an interior gateway protocol that can provide dynamic routing and failover within a single autonomous system, but it is not typically used for hub-and-spoke VPN redundancy across multiple branch offices without additional configuration like DMVPN, and it lacks the policy-based path control and scalability of BGP for this scenario.

85
MCQ · medium

Refer to the exhibit. A user at IP 10.0.0.1 reports that they cannot access a web server at 203.0.113.5 on port 443. What is the most likely cause?

A. The firewall only permits inbound traffic to specific IPs.
B. The firewall rule order is incorrect.
C. The firewall blocks all outbound traffic.
D. The firewall does not have a rule permitting outbound traffic.

Answer: D

Without an explicit permit for outbound traffic, the implicit deny blocks it.

Why this answer

Option D is correct because the user at 10.0.0.1 cannot reach 203.0.113.5 on TCP/443, and nothing in the rule set permits that outbound traffic. A firewall rule base ends with an implicit deny: anything no explicit rule permits is dropped, so a missing outbound permit for HTTPS is enough to explain the symptom. An inbound rule cannot be the cause, since the connection is initiated from inside and a stateful firewall allows the return traffic of a permitted outbound session automatically.

Exam trap

The trap here is that candidates often focus on inbound rules when a user cannot reach an external server, forgetting that outbound traffic must also be explicitly permitted by the firewall's egress policy.

How to eliminate wrong answers

Option A is wrong because the problem is an outbound connection from 10.0.0.1 to 203.0.113.5; inbound rules govern sessions initiated from outside and do not affect one the user is starting. Option B is wrong because rule order only matters when more than one rule could match the same traffic; when no rule permits the outbound session at all, reordering cannot fix it. Option C is wrong because a blanket block on all outbound traffic would stop every user from reaching anything external, a far broader symptom than the single report described; a missing permit for this particular traffic is the more specific explanation.
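The following is an added Python example (not part of the original quiz) that models a first-match firewall rule base with an implicit deny and uses it for two questions on this page: question 76, to measure how much legitimate traffic each of the four candidate deny rules would also catch, and question 85, to show an egress policy with no permit for TCP/443 dropping the user's connection. The hosts, addresses and sample flows are constructed; 10.1.1.25 stands in for the compromised host and 198.51.100.7 for the command-and-control server.

```python
"""First-match packet filter with an implicit deny, used to compare the rule
choices in questions 76 and 85. Added example with constructed addresses and
flows; it is not a vendor configuration."""
from ipaddress import ip_address, ip_network


class Rule:
    """One filter rule; fields left at their defaults match anything."""

    def __init__(self, action, src="0.0.0.0/0", dst="0.0.0.0/0", proto="any", dport=None):
        self.action = action
        self.src, self.dst = ip_network(src), ip_network(dst)
        self.proto, self.dport = proto, dport

    def matches(self, flow):
        src, dst, proto, dport = flow
        return (ip_address(src) in self.src and ip_address(dst) in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, flow):
    """Action of the first matching rule; no match means the implicit deny applies."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


def blocked_flows(rules, flows):
    return {f for f in flows if evaluate(rules, f) == "deny"}


# Constructed traffic sample: (src ip, dst ip, protocol, destination port)
C2_FLOW = ("10.1.1.25", "198.51.100.7", "tcp", 443)
FLOWS = {
    C2_FLOW,
    ("10.1.1.25", "203.0.113.80", "tcp", 443),   # same host, legitimate HTTPS
    ("10.1.1.25", "10.1.1.10", "tcp", 445),      # same host, internal file share
    ("10.1.1.40", "198.51.100.7", "tcp", 443),   # another host to the C2 address
    ("10.1.1.40", "203.0.113.80", "tcp", 443),   # another host, legitimate HTTPS
}
PERMIT_ALL = Rule("permit")

# Question 76: the four candidate deny rules, each placed above a permit-any.
OPTIONS_Q76 = {
    "A": Rule("deny", src="10.1.1.25/32"),
    "B": Rule("deny", dst="198.51.100.7/32"),
    "C": Rule("deny", proto="tcp", dport=443),
    "D": Rule("deny", src="10.1.1.25/32", dst="198.51.100.7/32"),
}


def collateral(option):
    """Flows an option blocks besides the C2 flow itself (its blast radius)."""
    blocked = blocked_flows([OPTIONS_Q76[option], PERMIT_ALL], FLOWS)
    assert C2_FLOW in blocked          # every option does stop the C2 flow
    return blocked - {C2_FLOW}


# Question 85: an egress policy with permits for DNS and HTTP only. Nothing
# permits tcp/443, so the user's HTTPS session falls through to the implicit deny.
Q85_RULES = [
    Rule("permit", src="10.0.0.0/24", proto="udp", dport=53),
    Rule("permit", src="10.0.0.0/24", proto="tcp", dport=80),
]


def q85_result():
    return evaluate(Q85_RULES, ("10.0.0.1", "203.0.113.5", "tcp", 443))


if __name__ == "__main__":
    for opt in "ABCD":
        print(opt, "collateral:", sorted(collateral(opt)))
    print("Q85 10.0.0.1 -> 203.0.113.5:443:", q85_result())
```

Only option D has an empty collateral set; the others block between one and three legitimate flows in this small sample, and the gap grows with the size of the network.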

86
MCQ · medium

A company has segmented its network into VLANs for different departments: HR, Finance, and IT. The router interconnecting the VLANs has ACLs configured to block traffic from HR to Finance. However, IT has noticed that traffic from HR VLAN is reaching the Finance VLAN. The network uses managed switches with 802.1Q trunking. All access ports are configured as untagged members of their respective VLANs. What is the most likely cause of this unauthorized traffic flow?

A. DHCP snooping disabled
B. VLAN hopping attack via double tagging
C. Default gateway misconfiguration
D. STP misconfiguration

Answer: B

Double tagging can allow an attacker to send frames to a VLAN other than the source VLAN, potentially bypassing ACLs.

Why this answer

The most likely cause is a VLAN hopping attack via double tagging. The attacker on the HR side sends a frame carrying two 802.1Q tags: the outer tag is the trunk's native VLAN (VLAN 1 by default) and the inner tag is the target VLAN (Finance). The first switch accepts the frame, removes the outer tag and, because the native VLAN is sent untagged on the trunk, forwards the frame with the inner tag now exposed; the switch at the other end of the trunk reads that tag and delivers the frame into the Finance VLAN. The frame never passes through the router, so the inter-VLAN ACL never sees it. Two conditions matter in practice: the attacker's access port must sit in the trunk's native VLAN (so in this scenario the HR port would have to share the native VLAN), and the attack is one-way, since the Finance host's replies are routed normally and do hit the ACL. The standard mitigations follow from this: move the native VLAN to an unused VLAN that no access port belongs to, tag the native VLAN on trunks, and, against the related switch-spoofing variant, disable trunk negotiation on access ports.

Exam trap

Exams often test the distinction between VLAN hopping via double tagging and via switch spoofing (where the attacker negotiates a trunk with DTP); the trap here is that candidates may treat this as an ACL misconfiguration or assume the router is the only point of control, overlooking that the attack happens at Layer 2 and the traffic never reaches the router.

How to eliminate wrong answers

Option A is wrong because DHCP snooping is a security feature that prevents rogue DHCP servers and does not control inter-VLAN traffic flow or prevent VLAN hopping. Option C is wrong because a default gateway misconfiguration would cause traffic to be sent to the wrong router or not routed at all, but it would not allow traffic to bypass ACLs and reach a different VLAN; the router still enforces ACLs on routed traffic. Option D is wrong because STP misconfiguration can cause loops or broadcast storms but does not enable an attacker to inject frames into a different VLAN or bypass ACLs.
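Added example, not part of the quiz: a byte-level Python model of the double-tagging path described above. It builds real 802.1Q frames, applies the access-port and trunk behaviour the explanation assumes (an access port accepts a frame tagged with its own VLAN and strips the tag; the native VLAN crosses the trunk untagged unless native tagging is on), and reports which VLAN the far switch delivers the frame into, including the two native-VLAN settings that defeat the attack. VLAN numbers (HR 10, Finance 20, native 1, unused 999) and MAC addresses are made up, and the model is the generic behaviour, not a particular vendor's implementation.

```python
"""Byte-level model of 802.1Q double tagging and of the native-VLAN settings
that defeat it. Added example with constructed MACs and VLAN numbers; it models
the switch behaviour the explanation describes, not a specific vendor."""
import struct

DOT1Q = 0x8100
IPV4 = 0x0800


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, vlan_ids, ethertype=IPV4, payload=b"\x45" + b"\x00" * 19):
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", DOT1Q, vid & 0x0FFF) for vid in vlan_ids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def outer_vid(frame):
    """VID of the outermost tag, or None when the frame is untagged."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != DOT1Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", DOT1Q, vid & 0x0FFF) + frame[12:]


# --- switch 1: attacker's access port -> 802.1Q trunk ------------------------
def access_ingress(frame, port_vlan):
    """Model assumption: an access port accepts an untagged frame, or one tagged
    with its own VLAN (tag removed); a frame tagged with any other VLAN is dropped."""
    vid = outer_vid(frame)
    if vid is None:
        return frame
    if vid != port_vlan:
        return None
    return pop_tag(frame)


def trunk_egress(frame, vlan, native_vlan, tag_native):
    """Native-VLAN frames leave the trunk untagged unless native tagging is enabled."""
    if vlan == native_vlan and not tag_native:
        return frame            # whatever tag the payload still carries is now exposed
    return push_tag(frame, vlan)


# --- switch 2: trunk ingress assigns the VLAN ---------------------------------
def trunk_ingress(frame, native_vlan):
    vid = outer_vid(frame)
    return native_vlan if vid is None else vid


def delivered_vlan(frame, access_vlan, native_vlan, tag_native=False):
    """VLAN in which switch 2 delivers the attacker's frame, or None if dropped."""
    accepted = access_ingress(frame, access_vlan)
    if accepted is None:
        return None
    on_wire = trunk_egress(accepted, access_vlan, native_vlan, tag_native)
    return trunk_ingress(on_wire, native_vlan)


HR, FINANCE, NATIVE_DEFAULT, NATIVE_UNUSED = 10, 20, 1, 999
ATTACKER, VICTIM = "00:11:22:33:44:55", "66:77:88:99:aa:bb"


def scenarios():
    """Constructed scenarios: the first reproduces the attack, the rest show mitigations."""
    def double(outer):
        return build_frame(VICTIM, ATTACKER, [outer, FINANCE])
    return {
        # attacker's port sits in the trunk's native VLAN: inner tag survives
        "attack: access port in native VLAN 1":
            delivered_vlan(double(NATIVE_DEFAULT), NATIVE_DEFAULT, NATIVE_DEFAULT),
        # attacker's port is HR (10) and the native VLAN is unused 999: outer tag 10 is re-added
        "native VLAN moved to unused 999":
            delivered_vlan(double(HR), HR, NATIVE_UNUSED),
        # native VLAN tagged on the trunk: outer tag 1 stays in front of the inner 20
        "native VLAN tagged on trunk":
            delivered_vlan(double(NATIVE_DEFAULT), NATIVE_DEFAULT, NATIVE_DEFAULT, tag_native=True),
        # ordinary untagged HR frame for comparison
        "normal HR frame":
            delivered_vlan(build_frame(VICTIM, ATTACKER, []), HR, NATIVE_DEFAULT),
    }


if __name__ == "__main__":
    for name, vlan in scenarios().items():
        print(f"{name}: delivered into VLAN {vlan}")
```

The first scenario lands the frame in VLAN 20 without ever touching the router; the two mitigated scenarios land it in VLAN 10 and VLAN 1, where the inner tag is just payload bytes and any Finance-bound traffic has to be routed through the ACL.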

87
MCQ · hard

A financial firm has deployed network-based IDS/IPS sensors at key points to detect and prevent intrusions. During a recent security audit, it was discovered that an attacker exfiltrated sensitive data using DNS over HTTPS (DoH) queries. The IDS/IPS did not generate any alerts. The firm's network policy allows all outbound HTTPS traffic to any destination. To prevent such exfiltration in the future, what is the most effective corrective action?

A. Deploy TLS termination at the network perimeter
B. Enable deep packet inspection on all encrypted traffic
C. Implement a DNS sinkhole and block non-corporate DNS servers
D. Configure the IDS/IPS to inspect DNS traffic on standard port 53 only

Answer: A

Intercepting TLS at the perimeter gives the IDS/IPS the plaintext of outbound HTTPS, including DoH queries, before the traffic is re-encrypted toward its destination.

Why this answer

Deploying TLS termination (TLS interception) at the network perimeter lets the organization decrypt outbound HTTPS, inspect the plaintext, and re-encrypt it before forwarding. The IDS/IPS can then see what was hidden: a DoH request is an ordinary HTTPS GET or POST carrying a DNS message with the content type application/dns-message, which becomes recognizable and parseable only once decrypted. Since the firm's policy allows all outbound HTTPS, this is the most effective way to regain visibility without blocking the traffic outright. It carries operational cost a practitioner should plan for: the interception CA must be trusted on every managed endpoint, applications that pin certificates must be exempted or they will break, and the decrypted traffic must be handled under the firm's privacy policy. Tightening the outbound HTTPS policy itself (for example denying known public DoH resolvers) is a useful complement but does not close the visibility gap on its own.

Exam trap

The trap here is that candidates often assume deep packet inspection (DPI) can magically inspect encrypted traffic, but DPI requires decryption first, which is exactly what TLS termination provides.

How to eliminate wrong answers

Option B is wrong because deep packet inspection cannot read encrypted payloads; it only becomes possible after TLS termination or similar decryption, so on its own it changes nothing. Option C is wrong because a DNS sinkhole and blocking non-corporate DNS servers only affect conventional DNS on port 53 (UDP and TCP), while DoH travels inside HTTPS on port 443 and bypasses those controls entirely. Option D is wrong because inspecting DNS on port 53 only will miss DoH, which uses port 443 and is encrypted, so no alerts would be generated.
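Added example (not from the page): once TLS is terminated, an inspection engine sees DoH as plain HTTP. The Python below extracts the DNS message from a DoH GET (the dns= query parameter, base64url without padding) or POST (content type application/dns-message) as RFC 8484 defines them, parses the question, and applies a few illustrative exfiltration heuristics: very long labels, a long overall name, a high-entropy leftmost label, and TXT or NULL query types. The sample requests and the thresholds are constructed for illustration; a production rule set would tune them against the firm's own traffic.

```python
"""Inspect a decrypted DoH request (RFC 8484) for exfiltration-style queries.
Added example with constructed requests; the heuristics are illustrative
thresholds, not a vendor's signature set."""
import base64
import math
import struct
from collections import Counter

QTYPE_TXT, QTYPE_NULL = 16, 10


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))   # RFC 8484 omits padding


def first_question(msg):
    """(qname, qtype) from the question section of a DNS wire-format message."""
    if len(msg) < 12 or struct.unpack_from("!H", msg, 4)[0] < 1:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), struct.unpack_from("!H", msg, off)[0]


def entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def suspicious(qname, qtype):
    """Reasons this query looks like data being carried in a name (empty = clean)."""
    labels = qname.split(".")
    reasons = []
    if max(len(l) for l in labels) > 40:
        reasons.append("label longer than 40 chars")
    if len(qname) > 100:
        reasons.append("qname longer than 100 chars")
    if len(labels[0]) >= 20 and entropy(labels[0]) > 3.5:
        reasons.append("high-entropy leftmost label")
    if qtype in (QTYPE_TXT, QTYPE_NULL):
        reasons.append("TXT/NULL query type")
    return reasons


def extract_dns_message(method, path, headers, body):
    """Pull the DNS message out of a DoH GET (?dns=) or POST (application/dns-message)."""
    if method == "POST" and headers.get("content-type", "") == "application/dns-message":
        return body
    if method == "GET" and "dns=" in path:
        return b64url_decode(path.split("dns=", 1)[1].split("&")[0])
    return None


def inspect(method, path, headers, body=b""):
    msg = extract_dns_message(method, path, headers, body)
    if msg is None:
        return None                   # not DoH: hand back to ordinary HTTP inspection
    qname, qtype = first_question(msg)
    return {"qname": qname, "qtype": qtype, "reasons": suspicious(qname, qtype)}


# --- constructed traffic ------------------------------------------------------
def build_query(qname, qtype=1, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


# 32 bytes of made-up record data base32-encoded into one 52-character label
_CHUNK = base64.b32encode(b"MRN=4471;DX=E11.9;NAME=J.DOE;P=1").decode().rstrip("=").lower()
EXFIL_QNAME = f"{_CHUNK}.7.x.c2-resolver.example"
BENIGN_QNAME = "www.example.com"


def demo():
    """Inspect one exfiltration-style POST and one ordinary GET."""
    post = inspect("POST", "/dns-query", {"content-type": "application/dns-message"},
                   build_query(EXFIL_QNAME, QTYPE_TXT))
    get_param = base64.urlsafe_b64encode(build_query(BENIGN_QNAME)).decode().rstrip("=")
    get = inspect("GET", "/dns-query?dns=" + get_param, {})
    return post, get


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Without the decrypted request, none of these fields exist for the sensor to evaluate; with it, the same DNS-name heuristics already used for port-53 tunnelling detection apply unchanged.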

