CCNA Network and Communications Security Questions


1
MCQ · hard

A security engineer is configuring a site-to-site VPN between two branch offices using IPsec in tunnel mode. Which protocol provides both authentication and encryption of the entire original IP packet?

A. IKEv2 in transport mode
B. ESP (Encapsulating Security Payload) in tunnel mode
C. L2TP in tunnel mode
D. AH (Authentication Header) in tunnel mode
Answer: B

ESP provides both encryption and integrity protection, and in tunnel mode it encapsulates the entire original packet.

Why this answer

ESP in tunnel mode encrypts and authenticates the whole original IP packet (inner header and payload) behind a new outer IP header; AH provides integrity only, with no confidentiality. IKEv2 negotiates the security associations and keys but carries no user traffic, and L2TP is a tunneling protocol with no encryption of its own.

2
Multi-Select · hard

A security analyst is reviewing a TLS 1.3 deployment. Which THREE of the following are features of TLS 1.3?

Select 3 answers
A. Use of static RSA key exchange
B. Mandatory forward secrecy
C. Support for 0-RTT handshake
D. Removal of cipher suites like RC4 and DES
E. Support for SSL 3.0 compatibility
Answers: B, C, D

TLS 1.3 requires forward secrecy.

Why this answer

TLS 1.3 removed legacy cipher suites and algorithms (RC4, DES/3DES, CBC-mode suites, static RSA key exchange), mandates forward secrecy by allowing only ephemeral (EC)DHE key exchange, and adds an optional 0-RTT mode for resumed sessions. Note that 0-RTT early data can be replayed by an attacker, so it should be enabled only for idempotent requests.

3
MCQ · hard

During a wireless penetration test, an attacker captures the first EAPOL frame from a WPA2-PSK access point, extracts the PMKID from its RSN information element, and attempts to crack the passphrase offline without a complete four-way handshake. Which attack is the attacker using?

A. WPS PIN attack
B. KRACK attack
C. Evil twin attack
D. PMKID attack
Answer: D

The PMKID lets an attacker crack the PSK offline using only the first message of the four-way handshake.

Why this answer

The PMKID attack targets WPA2-PSK networks whose access point includes a PMKID in the RSN IE of the first EAPOL message. The PMKID is HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC), and the PMK is PBKDF2(passphrase, SSID), so each candidate passphrase can be tested offline; no connected client and no full handshake are required. The PMKID does not come from beacons or probe responses, and the attack only succeeds if the passphrase is in the attacker's wordlist.

4
MCQ · medium

An attacker sends a forged ARP reply associating the attacker's MAC address with the IP address of the default gateway. What type of attack is this?

A. ARP spoofing
B. MAC flooding
C. DHCP starvation
D. DNS poisoning
Answer: A

This is the classic ARP spoofing attack, where the attacker sends fake ARP messages to intercept traffic.

Why this answer

ARP spoofing involves sending forged (often gratuitous) ARP replies to associate the attacker's MAC with another host's IP address, poisoning neighbours' ARP caches and enabling man-in-the-middle attacks at Layer 2.

5
MCQ · easy

Which TCP port is commonly used for secure web traffic (HTTPS) and is often allowed through firewalls for web browsing?

A. 22
B. 443
C. 80
D. 3389
Answer: B

Port 443 is the standard port for HTTPS.

Why this answer

HTTPS operates over TCP port 443, which is commonly open for secure web traffic. SSH uses 22, plain HTTP uses 80, and RDP uses 3389.

6
MCQ · medium

An organization wants to ensure that only authorized devices can connect to the corporate wired network. Which technology should they implement to enforce this?

A. Network Access Control (NAC) with 802.1X
B. VLAN segmentation
C. MAC address filtering
D. Firewall rules
Answer: A

NAC with 802.1X authenticates and authorizes devices before they get network access.

Why this answer

Network Access Control (NAC) with 802.1X authenticates devices (and optionally checks their posture) before the switch port carries any traffic. MAC address filtering is trivially bypassed by spoofing an allowed MAC, and VLANs and firewall rules control where traffic can go, not who is allowed to connect.

7
MCQ · medium

A network administrator is tasked with segmenting the network to isolate a DMZ containing public-facing web servers from the internal corporate network. Which device should be placed between the DMZ and internal network, and what type of traffic should it allow?

A. Router; allow all traffic but use NAT.
B. IDS; monitor traffic but do not block.
C. Firewall; allow only specific traffic from internal to DMZ and block DMZ-initiated connections to internal.
D. Switch; allow all traffic between DMZ and internal network.
Answer: C

A firewall can enforce least privilege between segments.

Why this answer

A firewall between the DMZ and the internal network enforces a default-deny policy in both directions, allowing only the flows the design needs (for example administration from internal to DMZ). Connections initiated from the DMZ toward the internal network should be blocked by default, so that a compromised public-facing server cannot pivot inward; where a DMZ host genuinely needs an internal service (such as a database), that one flow is allowed explicitly, to that host and port only.

8
Multi-Select · medium

A network administrator is troubleshooting a DNS poisoning attack. Which TWO countermeasures can help prevent such attacks? (Select two)

Select 2 answers
A. Implement DNSSEC to validate DNS responses
B. Configure firewall rules to block UDP port 53
C. Disable DNS recursion on authoritative servers
D. Use secure DNS resolvers that enforce DNSSEC validation
E. Enable DHCP snooping on switches
Answers: A, D

DNSSEC adds cryptographic signatures to DNS records.

Why this answer

DNSSEC signs zone data so that a validating resolver can reject forged responses, and pointing clients at resolvers that perform DNSSEC validation extends that protection to them. Disabling recursion on authoritative servers is good hygiene (it removes a cache to poison on that host) but does not protect the resolvers clients actually use, and DHCP snooping addresses rogue DHCP servers, not DNS. Resolver-side hardening such as source-port randomization also raises the cost of blind poisoning.

Blocking UDP port 53 does not prevent DNS poisoning; it simply breaks name resolution.

9
MCQ · medium

Which security control can prevent a rogue DHCP server from assigning incorrect gateway addresses to clients?

A. IP source guard
B. Dynamic ARP inspection
C. Port security
D. DHCP snooping
Answer: D

DHCP snooping allows only DHCP servers on trusted ports to answer client requests.

Why this answer

DHCP snooping is a switch feature that classifies ports as trusted (facing the legitimate DHCP server or uplink) or untrusted (access ports) and drops server messages such as DHCPOFFER and DHCPACK arriving on untrusted ports, which blocks rogue servers. The binding table it builds is also what Dynamic ARP Inspection and IP Source Guard rely on.

10
MCQ · hard

In IPsec VPNs, which protocol provides authentication and encryption of the entire IP packet, including the IP header, in tunnel mode?

A. L2TP
B. IKE
C. ESP
D. AH
Answer: C

ESP provides both authentication and encryption, and in tunnel mode protects the entire original packet.

Why this answer

ESP (Encapsulating Security Payload) in tunnel mode encrypts and authenticates the entire original IP packet, adding a new IP header. AH (Authentication Header) provides integrity but no encryption, IKE negotiates keys, and L2TP is a tunneling protocol without encryption.

11
MCQ · hard

Which of the following best describes the function of SYN cookies in mitigating SYN flood attacks?

A. They block all incoming SYN packets from suspicious sources.
B. They encode connection state in the SYN-ACK sequence number, allowing the server to avoid storing state until the ACK is received.
C. They increase the backlog queue size to accommodate more half-open connections.
D. They require clients to solve a computational puzzle before completing the handshake.
Answer: B

This is the correct description of SYN cookies.

Why this answer

SYN cookies let the server answer every SYN without allocating a connection-table entry: the server's initial sequence number is a keyed hash of the connection 4-tuple plus a coarse timestamp and an encoded MSS, and the state is reconstructed only when a valid ACK arrives, so a flood of SYNs from spoofed sources exhausts nothing. The trade-off is that TCP options negotiated in the SYN (window scaling, SACK) are lost unless they can be recovered from TCP timestamps, which is why most stacks engage cookies only once the backlog fills (on Linux, net.ipv4.tcp_syncookies=1).
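The encoding described above, worked through as an added example (this is illustrative code written for this page, not a kernel implementation). It assumes a simplified Linux-style layout of 5 bits of time, 3 bits of MSS index and a 24-bit keyed MAC, a constructed server secret, and constructed addresses; the server stores nothing per half-open connection and only reconstructs state when an ACK carrying a valid cookie arrives.

```python
import hashlib
import hmac
import socket
import struct

# Constructed for this example: a real kernel keeps a secret like this in memory and rotates it.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"

# Only a 3-bit index fits in the cookie, so the server remembers one of a few MSS values.
MSS_TABLE = [536, 1300, 1440, 1460]

COOKIE_MAX_AGE_TICKS = 2  # a cookie is accepted for roughly two 64-second ticks


def _mac24(saddr: str, daddr: str, sport: int, dport: int, tick: int) -> int:
    """24-bit keyed hash over the 4-tuple and the time tick (a simplification of Linux syncookies)."""
    msg = socket.inet_aton(saddr) + socket.inet_aton(daddr) + struct.pack("!HHI", sport, dport, tick)
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_mss, now):
    """Return the ISN for the SYN-ACK: 5 bits of time | 3 bits MSS index | 24-bit MAC.

    Nothing is stored for this half-open connection; the cookie itself is the state."""
    tick = (now // 64) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i  # largest table entry not exceeding what the client offered
    return (tick << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, tick)


def check_syn_cookie(saddr, daddr, sport, dport, ack_number, now):
    """Validate the handshake's final ACK. Returns the MSS to use, or None if the cookie is bad or stale."""
    cookie = (ack_number - 1) & 0xFFFFFFFF  # the client acknowledges ISN + 1
    tick = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    age = (((now // 64) & 0x1F) - tick) & 0x1F  # modular difference of the 5-bit counters
    if age > COOKIE_MAX_AGE_TICKS:
        return None  # replayed or expired cookie
    if mac != _mac24(saddr, daddr, sport, dport, tick):
        return None  # forged ACK: only a 1-in-2^24 blind guess passes
    return MSS_TABLE[mss_idx]


def simulate_flood_and_real_client(now: int) -> dict:
    """A constructed flood of spoofed SYNs allocates nothing; one real client still completes its handshake."""
    server_ip, server_port = "203.0.113.10", 443
    for i in range(10_000):
        make_syn_cookie(f"198.51.100.{i % 250 + 1}", server_ip, 1024 + i % 60000, server_port, 1460, now)
    # A legitimate client receives the cookie as the server's ISN and acknowledges cookie + 1.
    cookie = make_syn_cookie("192.0.2.44", server_ip, 51515, server_port, 1460, now)
    mss = check_syn_cookie("192.0.2.44", server_ip, 51515, server_port, (cookie + 1) & 0xFFFFFFFF, now + 3)
    return {"state_entries_during_flood": 0, "negotiated_mss": mss}


if __name__ == "__main__":
    print(simulate_flood_and_real_client(1_700_000_000))
```

Because the cookie only has room for a timestamp and an MSS index, any other option the client sent in its SYN is forgotten; real stacks recover window scaling and SACK from the TCP timestamp option when it is present, and otherwise drop them, which is the performance cost mentioned above.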

12
MCQ · easy

Which attack sends a flood of forged ICMP echo requests to a network's broadcast address to overwhelm a target?

A. Ping of death
B. Smurf attack
C. SYN flood
D. DNS amplification
Answer: B

A Smurf attack leverages broadcast amplification.

Why this answer

A Smurf attack sends ICMP echo requests with the victim's spoofed source IP to a network's broadcast address, causing every host on that network to reply to the victim and amplifying the traffic. The standard mitigation is to drop directed broadcasts at the router (disabled by default on modern routers; on Cisco IOS, "no ip directed-broadcast") and to filter spoofed source addresses at the network edge.

13
Multi-Select · hard

Which THREE of the following are valid considerations when deploying a remote access VPN using SSL/TLS? (Select THREE)

Select 3 answers
A. Typically uses UDP port 500
B. Supports endpoint security posture checks
C. Can be configured for split tunneling
D. Can traverse firewalls more easily than IPsec
E. Requires pre-shared keys for authentication
Answers: B, C, D

Many SSL VPN clients can check for antivirus, patch level and similar before connecting.

Why this answer

SSL/TLS VPNs run over TCP 443 (and often DTLS on UDP 443), so they pass through firewalls and NAT that would block IPsec; the client typically performs endpoint posture checks before connecting, and the tunnel can be configured as full or split. UDP port 500 is IKE, used by IPsec, and pre-shared keys are an IPsec authentication method: SSL VPNs authenticate with certificates, user credentials and MFA.

14
MCQ · medium

During a security assessment, a penetration tester discovers that the network uses WPA2-PSK. Which attack can recover the pre-shared key offline from only the first message of the four-way handshake, without waiting for a client to connect?

A. Deauthentication attack
B. KRACK attack
C. Evil twin attack
D. PMKID attack
Answer: D

The PMKID is carried in the first EAPOL frame from the access point and can be used to crack the PSK offline.

Why this answer

Many access points include a PMKID in the RSN IE of the first EAPOL frame. The tester associates to the AP to trigger that frame, then needs no client, no deauthentication and no complete handshake: the PMKID is derived from the PMK, which is derived from the passphrase and SSID, so candidate passphrases are tested offline against the captured value.
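The derivation that questions 3 and 14 rely on, as an added worked example (written for this page; it is not hashcat's or any tool's code). It assumes the standard WPA2-Personal derivation (PMK = PBKDF2-HMAC-SHA1 over passphrase and SSID, 4096 iterations; PMKID = first 16 bytes of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)) and the hashcat 16800 line format; the "captured" PMKID, the SSID, the MACs and the wordlist are all constructed here so the attack runs offline.

```python
import hashlib
import hmac
from typing import Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), as WPA2-Personal derives it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the first 16 bytes of the HMAC."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def crack_pmkid(captured: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes, wordlist) -> Optional[str]:
    """Offline dictionary attack: derive PMK -> PMKID per candidate and compare with the capture.

    Everything here is pure computation; the radio was only needed once, to grab EAPOL message 1."""
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(wpa2_pmk(candidate, ssid), ap_mac, sta_mac), captured):
            return candidate
    return None


def parse_16800_line(line: str):
    """Parse the hashcat 16800 format: PMKID*AP_MAC*STA_MAC*ESSID_HEX (all hex, MACs without separators)."""
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    return (bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex), bytes.fromhex(sta_hex),
            bytes.fromhex(essid_hex).decode())


def crack_16800_line(line: str, wordlist) -> Optional[str]:
    captured, ap_mac, sta_mac, ssid = parse_16800_line(line)
    return crack_pmkid(captured, ssid, ap_mac, sta_mac, wordlist)


# Constructed demo data (not from a real network). The "captured" PMKID is computed here from a known
# passphrase so the offline attack can be exercised end to end.
DEMO_SSID = "CorpWiFi"
DEMO_AP_MAC = mac_bytes("00:11:22:33:44:55")
DEMO_STA_MAC = mac_bytes("66:77:88:99:aa:bb")
DEMO_PASSPHRASE = "summer2019!"
DEMO_CAPTURE_LINE = "*".join([
    pmkid(wpa2_pmk(DEMO_PASSPHRASE, DEMO_SSID), DEMO_AP_MAC, DEMO_STA_MAC).hex(),
    DEMO_AP_MAC.hex(), DEMO_STA_MAC.hex(), DEMO_SSID.encode().hex(),
])
DEMO_WORDLIST = ["password", "CorpWiFi123", "summer2019!", "Welcome1"]

if __name__ == "__main__":
    # A long random passphrase would not appear in any wordlist, which is the only real defence for PSK.
    print(crack_16800_line(DEMO_CAPTURE_LINE, DEMO_WORDLIST))
```

Each candidate costs 4096 HMAC-SHA1 iterations, so the attack is bounded by wordlist size and GPU throughput, never by the network; this is why the WPA2-PSK options in questions 30 and 53 are treated as weaker than Enterprise or WPA3-SAE.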

15
MCQ · medium

Which wireless security protocol uses the Simultaneous Authentication of Equals (SAE) handshake to replace the Pre-Shared Key (PSK) method and provides stronger protection against offline dictionary attacks?

A. WPA2
B. WPA
C. WPA3
D. WEP
Answer: C

WPA3-Personal uses SAE in place of the PSK handshake.

Why this answer

WPA3-Personal uses SAE, a password-authenticated key exchange (Dragonfly), in place of WPA2's PSK handshake. A passphrase is still configured on both sides, but capturing the exchange no longer allows offline guessing: each password guess costs the attacker an interactive exchange with the access point, and the resulting session keys have forward secrecy.

16
MCQ · easy

Which of the following is a connectionless transport layer protocol primarily used for services like DNS and DHCP?

A. UDP
B. IP
C. TCP
D. ICMP
Answer: A

UDP is connectionless and used by DNS and DHCP.

Why this answer

UDP is connectionless and used by DNS (UDP port 53) and DHCP (UDP ports 67 and 68). IP and ICMP are network-layer protocols, and TCP is connection-oriented.

17
MCQ · medium

A security administrator is configuring a VPN between two branch offices. The requirement is to encrypt the entire original IP packet and add a new IP header for routing over the internet. Which IPsec mode should be used?

A. Aggressive mode
B. Transport mode
C. Main mode
D. Tunnel mode
Answer: D

Tunnel mode encrypts the entire IP packet and adds a new header.

Why this answer

In tunnel mode, the entire original IP packet is encapsulated and encrypted, and a new IP header is added for routing between the VPN gateways, which is the mode used for site-to-site VPNs. Transport mode protects only the payload and keeps the original header; main and aggressive mode are IKEv1 Phase 1 negotiation modes, not IPsec data-protection modes.

18
MCQ · easy

Which UDP port is used by the Domain Name System (DNS) for name resolution queries?

A. UDP 161
B. UDP 67
C. UDP 53
D. UDP 123
Answer: C

DNS uses UDP 53.

Why this answer

DNS uses UDP port 53 for queries by default, falling back to TCP 53 for large responses and zone transfers. UDP 67 is DHCP, 123 is NTP and 161 is SNMP.

19
MCQ · easy

Which protocol and port combination is commonly used for secure remote administration of a server?

A. HTTPS on TCP 443
B. Telnet on TCP 23
C. RDP on TCP 3389
D. SSH on TCP 22
Answer: D

SSH is the standard secure remote administration protocol.

Why this answer

SSH operates on TCP port 22 and provides encrypted remote administration, while Telnet (port 23) is unencrypted. HTTPS (443) is for web traffic, and RDP (3389) is for remote desktop sessions rather than command-line administration.

20
MCQ · medium

A company wants to deploy a network IDS that can analyze traffic patterns and detect anomalies. Where should the IDS sensor be placed to monitor all traffic on a network segment without introducing latency?

A. Inline between the router and the switch
B. At the core switch as a transparent bridge
C. On the same segment as the router
D. Connected to a switch SPAN port
Answer: D

A SPAN port copies traffic for monitoring without affecting the forwarding path.

Why this answer

A passive tap or a switch SPAN (mirror) port feeds the IDS a copy of the traffic, so the sensor is not in the forwarding path and adds no latency; placing it inline would make it an IPS and a potential bottleneck or point of failure. Note that a SPAN port can silently drop packets when the mirrored traffic exceeds the port's capacity, so a dedicated network tap is preferred for full visibility.

21
MCQ · medium

An attacker sends a gratuitous ARP reply associating the attacker's MAC address with the default gateway's IP address. Which attack is being performed, and what is the primary risk?

A. DNS poisoning; risk is traffic redirection to malicious sites.
B. DHCP starvation; risk is denial of service.
C. SYN flood; risk is resource exhaustion.
D. ARP spoofing; risk is man-in-the-middle traffic interception.
Answer: D

The attacker positions themselves between the victim and the gateway.

Why this answer

ARP spoofing allows the attacker to intercept traffic meant for the gateway, performing a man-in-the-middle attack.

22
MCQ · hard

An organization deploys a firewall that examines the entire packet, including application-layer data, and can block specific commands or content. Which type of firewall is this?

A. Stateful firewall
B. Application proxy firewall
C. Next-generation firewall
D. Stateless packet filter
Answer: B

Application proxy firewalls terminate and inspect application-layer protocols, allowing granular control.

Why this answer

An application proxy firewall (application-layer gateway) terminates the client's connection, parses the application protocol itself and opens a separate connection to the server, so it can block individual commands (for example an FTP PUT) or specific content. A next-generation firewall also inspects application traffic, but the defining feature in this question, full termination and command-level filtering of the application protocol, is the classic proxy architecture.

23
MCQ · medium

A company wants to deploy a firewall that can track the state of active connections and make decisions based on the context of traffic flows. Which firewall type should they choose?

A. Stateless packet filter
B. Stateful firewall
C. Application proxy firewall
D. Next-generation firewall
Answer: B

Stateful firewalls track connection state for context-aware filtering.

Why this answer

Stateful firewalls maintain a state table and track the state of connections, allowing them to make more informed filtering decisions than stateless packet filters, which evaluate each packet in isolation.

24
MCQ · medium

An attacker sends a flood of DHCP request packets with spoofed MAC addresses to exhaust the DHCP server's IP address pool, preventing legitimate clients from obtaining IP addresses. This attack is known as:

A. ARP poisoning
B. MAC flooding
C. DHCP starvation
D. DHCP spoofing
Answer: C

The stem is a textbook description of the attack.

Why this answer

DHCP starvation exhausts the IP pool by sending many fake DHCP requests, causing a denial of service; it is often the first step before the attacker introduces a rogue DHCP server (DHCP spoofing).

25
MCQ · medium

Which wireless security standard introduced the Simultaneous Authentication of Equals (SAE) handshake to replace the pre-shared key (PSK) method?

A. 802.11i
B. WEP
C. WPA3
D. WPA2
Answer: C

WPA3 introduces SAE (an instance of the Dragonfly key exchange) for secure key establishment.

Why this answer

WPA3-Personal replaced WPA2's PSK handshake with SAE, which provides forward secrecy and resists offline dictionary attacks because each guess requires a live exchange. 802.11i is the standard behind WPA2 (AES-CCMP), not SAE.

26
Multi-Select · medium

A company is designing a network with multiple security zones. Which TWO of the following are best practices for network segmentation? (Select TWO)

Select 2 answers
A. Place a firewall between each security zone to enforce traffic filtering.
B. Use a single flat network to reduce complexity.
C. Implement VLANs to logically separate traffic within a switch.
D. Disable logging on inter-zone firewalls to improve performance.
E. Place all servers in the same broadcast domain for easier management.
Answers: A, C

Firewalls enforce policies between zones.

Why this answer

Placing firewalls between zones and using VLANs for logical separation are core segmentation practices. A flat network or a shared broadcast domain removes the boundaries segmentation is meant to create, and disabling logging on inter-zone firewalls removes the visibility needed to detect lateral movement.

27
MCQ · medium

A system administrator notices a high number of half-open TCP connections to the company's web server. The server is becoming unresponsive. Which attack is likely occurring, and which mitigation is effective?

A. ARP spoofing; mitigation: static ARP entries.
B. Smurf attack; mitigation: disable IP broadcasts.
C. SYN flood; mitigation: enable SYN cookies.
D. Ping of death; mitigation: block fragmented ICMP packets.
Answer: C

SYN cookies let the server complete handshakes without allocating resources for half-open connections.

Why this answer

A SYN flood exploits the TCP three-way handshake by sending many SYN packets without completing the handshake. SYN cookies allow the server to avoid allocating resources until the handshake completes.

28
MCQ · easy

Which protocol is used for secure web browsing and operates on TCP port 443?

A. HTTPS
B. HTTP
C. SSH
D. FTP
Answer: A

HTTPS is HTTP over TLS on port 443.

Why this answer

HTTPS (HTTP over TLS) uses TCP port 443 and provides encrypted communication for websites.

29
MCQ · medium

A security analyst discovers that an attacker has set up a fake wireless access point with the same SSID as the corporate network. Users are unknowingly connecting to it. What is this attack called?

A. KRACK
B. Rogue AP
C. Evil twin
D. PMKID attack
Answer: C

An evil twin is a malicious AP that advertises the same SSID as a trusted network.

Why this answer

An evil twin is a rogue AP that impersonates a legitimate SSID (often with a stronger signal) so that clients connect to it, letting the attacker capture credentials and traffic. A generic rogue AP is any unauthorized access point on the network, for example one an employee plugs in; the evil twin is the specific impersonating variant.

30
Multi-Select · medium

A security administrator is hardening a wireless network. Which TWO of the following should be avoided due to known vulnerabilities?

Select 2 answers
A. WPA3-Enterprise
B. WPA3-Personal
C. WEP
D. WPA2-PSK
E. WPA2-Enterprise
Answers: C, D

WEP is broken and should not be used.

Why this answer

WEP is completely broken (RC4 with reused IVs; the key is recoverable in minutes). WPA2-PSK is sound as a protocol, but a captured four-way handshake or PMKID allows an offline dictionary attack on the passphrase, so its security rests entirely on passphrase strength, and the one shared secret is known to every user. KRACK was a key-reinstallation flaw in WPA2 handshake implementations that affected both PSK and Enterprise and is fixed by client patches; it is not a dictionary attack. The Enterprise variants and WPA3-Personal (SAE) are the preferred choices.

31
MCQ · hard

An organization is setting up a site-to-site VPN between two branch offices. They require encryption of the entire IP packet, including the original IP header, and plan to use IPsec. Which mode should they configure?

A. Transport mode
B. Tunnel mode
C. ESP mode
D. AH mode
Answer: B

Tunnel mode encrypts the entire original packet for a site-to-site VPN.

Why this answer

IPsec tunnel mode encrypts the entire original IP packet and adds a new IP header, which is what a site-to-site VPN needs. ESP and AH are protocols, not modes; either can run in transport or tunnel mode.

32
Multi-Select · hard

An organization is deploying a network-based intrusion detection system (NIDS). The security team must decide on placement and configuration. Which THREE considerations are critical for effective NIDS deployment?

Select 3 answers
A. Using a network tap or SPAN port to monitor traffic without introducing latency
B. Placing the NIDS inline to block malicious traffic immediately
C. Configuring the NIDS to drop packets that match attack signatures
D. Placing the NIDS on the internal network behind the firewall to detect insider threats
E. Tuning signatures to reduce false positives relevant to the environment
Answers: A, D, E

Passive monitoring avoids any impact on network performance.

Why this answer

A tap or SPAN port gives the sensor full visibility without adding latency or a point of failure; a sensor on the internal network behind the firewall sees what has already passed the perimeter as well as insider and lateral activity; and tuning signatures to the environment keeps the alert stream actionable. Options B and C describe an IPS: a NIDS is passive and detects, it neither sits inline nor drops packets.

33
MCQ · easy

Which UDP port is used by the Dynamic Host Configuration Protocol (DHCP) for server communication?

A. 161
B. 69
C. 53
D. 67
Answer: D

DHCP servers use UDP port 67 to receive client requests.

Why this answer

DHCP servers listen on UDP port 67, and clients use UDP port 68. DNS uses UDP port 53, TFTP uses UDP port 69, and SNMP uses UDP ports 161 and 162.

34
Multi-Select · medium

A company is migrating from WPA2-PSK to WPA3 for its wireless network. Which THREE benefits does WPA3 provide compared to WPA2?

Select 3 answers
A. Mandatory use of Protected Management Frames (PMF)
B. Use of TKIP as the mandatory encryption protocol
C. Support for 192-bit security suite in Enterprise mode
D. Resistance to offline dictionary attacks through SAE
E. Backward compatibility with WEP devices
Answers: A, C, D

PMF prevents forged deauthentication and disassociation frames.

Why this answer

WPA3 uses Simultaneous Authentication of Equals (SAE) to resist offline dictionary attacks, mandates Protected Management Frames (PMF) to prevent deauthentication and disassociation spoofing, and offers an optional 192-bit security mode for Enterprise deployments. TKIP is deprecated and not permitted in WPA3, and WEP compatibility is not a feature of any modern standard.

35
MCQ · easy

Which of the following wireless security protocols uses AES-CCMP and is based on the 802.11i standard?

A. WEP
B. WPA
C. WPA2
D. WPA3
Answer: C

WPA2 uses AES-CCMP per 802.11i.

Why this answer

WPA2 (Wi-Fi Protected Access 2) uses AES-CCMP encryption as defined in IEEE 802.11i; the original WPA used TKIP as an interim replacement for WEP.

36
Multi-Select · hard

A security engineer is designing a network segmentation strategy to isolate a DMZ containing public-facing web servers from the internal corporate network. Which TWO controls should be implemented? (Select two)

Select 2 answers
A. Separate VLANs for DMZ and internal networks
B. A firewall that only permits necessary inbound traffic to the DMZ and restricts outbound traffic from the DMZ to internal
C. Network Access Control (NAC) on all endpoints
D. A separate IP subnet for the DMZ
E. An intrusion detection system (IDS) monitoring traffic between segments
Answers: A, B

VLANs provide logical segmentation at Layer 2.

Why this answer

A firewall with rules restricting traffic between the DMZ and the internal network, together with separate VLANs for the two zones, are the controls that actually enforce segmentation. A separate IP subnet by itself restricts nothing unless a filtering device sits between the subnets; an IDS watching inter-segment traffic detects but does not block; and NAC governs which endpoints may join the network, not how zones are separated.

37
MCQ · easy

Which wireless security standard replaces WPA2 and mandates Protected Management Frames (PMF) to prevent certain types of attacks?

A. 802.1X
B. WPA3
C. WEP
D. WPA2
Answer: B

WPA3 requires PMF and uses SAE for secure key exchange.

Why this answer

WPA3 mandates PMF, which authenticates management frames so an attacker cannot forge deauthentication or disassociation frames to knock clients off the network or force reconnections. Its resistance to offline dictionary attacks comes from SAE, not from PMF, and protection against KRACK-style key reinstallation comes from corrected handshake implementations rather than from PMF.

38
MCQ · medium

A network administrator wants to block all inbound traffic except for web and email services. Which firewall rule configuration would achieve this?

A. Default-deny with allow rules for HTTP, HTTPS, and SMTP
B. Stateful inspection without default policy
C. Stateless packet filtering with a rule per service
D. Default-allow with deny rules for unwanted services
Answer: A

Default-deny blocks everything; allow rules enable only the required services.

Why this answer

A default-deny policy blocks all inbound traffic, and explicit allow rules then open only the required services (HTTP, HTTPS and SMTP) to the hosts that serve them; anything not listed is dropped. Default-allow with deny rules fails open whenever a service is forgotten, and the "stateful" and "stateless" options describe how a firewall tracks traffic, not which policy it enforces.

39
MCQ · medium

A network administrator wants to prevent unauthorized devices from connecting to the wired network. Which technology can be used to enforce authentication at the switch port level before granting network access?

A. MAC address filtering
B. WPA2-Enterprise
C. VLAN segmentation
D. 802.1X
Answer: D

802.1X authenticates devices at the port level.

Why this answer

802.1X is a port-based access control standard used in NAC to authenticate devices before network access is granted.

40
MCQ · medium

A company is deploying a VPN for remote employees. They require strong encryption and authentication, and the solution must be compatible with native OS clients without additional software. Which VPN protocol is most appropriate?

A. PPTP
B. SSL VPN with proprietary client
C. IPsec with IKEv2
D. L2TP/IPsec with pre-shared keys
Answer: C

IKEv2/IPsec is natively supported on Windows, macOS, iOS, and Android.

Why this answer

IKEv2 with IPsec is built into Windows, macOS, iOS and Android, supports certificate and EAP authentication, and handles roaming between networks (MOBIKE). PPTP's MS-CHAPv2 authentication and MPPE encryption are broken, L2TP/IPsec with a group pre-shared key relies on a secret shared by every client, and an SSL VPN with a proprietary client requires installing extra software.

41
MCQ · easy

What is the default port for Microsoft SQL Server?

A. 443
B. 3389
C. 1433
D. 3306
Answer: C

Port 1433 is the default listener for MSSQL.

Why this answer

MSSQL defaults to TCP port 1433. MySQL uses 3306, RDP uses 3389 and HTTPS uses 443.

42
MCQ · hard

Which attack exploits the short, rapidly reused 24-bit IVs of WEP's RC4 encryption to recover the Wi-Fi key, and is considered completely broken?

A. WEP IV attack
B. PMKID attack
C. Evil twin attack
D. KRACK attack
Answer: A

WEP's short IVs and RC4 key-scheduling weaknesses allow key recovery.

Why this answer

WEP builds each packet's RC4 key from a 24-bit IV sent in the clear plus the shared key. The IV space is exhausted within hours on a busy network, so keystreams repeat, and certain IVs leak information about key bytes through RC4's key-scheduling weakness (the FMS and later KoreK and PTW attacks). Capturing enough frames lets tools such as aircrack-ng recover the key in minutes, which is why WEP is considered completely broken.
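The keystream-reuse half of the problem, as an added worked example (illustrative code written for this page, not aircrack-ng's implementation, and it does not implement the FMS/PTW key-recovery statistics). It assumes a textbook RC4, a constructed 40-bit WEP key and IV, two constructed frames, and uses the fact that every 802.11 data frame starts with the same LLC/SNAP header as known plaintext; the CRC-32 ICV is left out because it does not change the outcome.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); included only to reproduce WEP behaviour, never for new designs."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, wep_key: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet RC4 key = 24-bit IV || shared key; the IV is transmitted in the clear.

    The CRC-32 ICV WEP appends is omitted: it does not affect the keystream-reuse problem shown here."""
    assert len(iv) == 3
    return xor_bytes(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


def recover_from_iv_reuse(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so c1 ^ c2 == p1 ^ p2.

    Knowing p1 (a frame the attacker injected, or a frame with predictable content) yields the
    keystream for that IV and therefore decrypts any other frame sent under it."""
    keystream = xor_bytes(c1, known_p1)
    return xor_bytes(c2, keystream)


def frames_until_iv_collision(probability: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames a passive sniffer must capture before an IV repeats with the given probability."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


# Constructed demo: a 40-bit WEP key, one reused IV and two frames. Every 802.11 data frame carries the
# same LLC/SNAP header (AA AA 03 00 00 00 + EtherType), which is the attacker's known plaintext prefix.
DEMO_KEY = bytes.fromhex("0badc0ffee")
DEMO_IV = bytes.fromhex("a1b2c3")
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")
FRAME_1 = LLC_SNAP_IP + b"GET / HTTP/1.1\r\n"                      # content the attacker knows
FRAME_2 = LLC_SNAP_IP + b"POST /login user=admin&pw=hunter2"       # the frame the attacker wants


def demo() -> bytes:
    """Encrypt both frames under the same IV, then decrypt FRAME_2 using FRAME_1 as known plaintext."""
    c1 = wep_encrypt(DEMO_IV, DEMO_KEY, FRAME_1)
    c2 = wep_encrypt(DEMO_IV, DEMO_KEY, FRAME_2)
    return recover_from_iv_reuse(c1, FRAME_1, c2)   # as many bytes of FRAME_2 as FRAME_1 is long


if __name__ == "__main__":
    print(demo())
    print("frames for a 50% IV collision:", frames_until_iv_collision())
```

With a 24-bit IV a repeat is more likely than not after roughly five thousand frames, and an attacker who can inject traffic does not even need to wait: replaying a captured frame forces the victim to produce more ciphertext. The full key-recovery attacks referenced above go further by exploiting how the IV is prepended to the key in RC4's key schedule.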

43
MCQ · hard

Which of the following is a characteristic of TLS 1.3 that improves security over previous versions?

A. Reduced cipher suite options including CBC mode
B. Use of RC4 cipher
C. Support for static RSA key exchange
D. Mandatory forward secrecy
Answer: D

TLS 1.3 requires ephemeral key exchange, providing forward secrecy.

Why this answer

TLS 1.3 mandates forward secrecy by requiring ephemeral Diffie-Hellman key exchange, ensuring that session keys cannot be derived if the server's private key is compromised later. CBC-mode suites, RC4 and static RSA key exchange were all removed from TLS 1.3.

44
MCQ · medium

An attacker sends a large number of DHCP request messages with spoofed MAC addresses to a network's DHCP server, causing the server to exhaust its IP address pool and deny service to legitimate clients. This attack is known as:

A. ARP spoofing
B. DNS poisoning
C. DHCP spoofing
D. DHCP starvation
Answer: D

DHCP starvation exhausts the IP pool by sending many fake DHCP requests.

Why this answer

DHCP starvation floods the DHCP server with fake requests to deplete the IP address pool; port security (limiting MAC addresses per port) and DHCP snooping rate limits are the usual countermeasures.

45
MCQ · medium

An organization wants to ensure that only corporate-managed devices can connect to the internal network. Non-compliant devices should be placed in a restricted VLAN with limited access. Which technology should be deployed?

A. Virtual Private Network (VPN)
B. Network Access Control (NAC)
C. Stateful firewall
D. Intrusion Prevention System (IPS)
Answer: B

NAC integrates with authentication to enforce compliance and VLAN assignment.

Why this answer

Network Access Control (NAC) with 802.1X can enforce policies, quarantine non-compliant devices, and assign the appropriate VLAN through the RADIUS response.

46
MCQ · easy

Which of the following protocols operates on TCP port 443 and provides encrypted communication between a web browser and a web server?

A. HTTPS
B. SMTP
C. SSH
D. HTTP
Answer: A

HTTPS uses TCP port 443 with TLS encryption.

Why this answer

HTTPS uses TLS (historically SSL) over TCP port 443 to secure HTTP traffic.

47
MCQ · easy

Which of the following is a common defense against ARP spoofing attacks on a local area network?

A. DHCP snooping
B. Port security
C. MAC filtering
D. Dynamic ARP Inspection
Answer: D

DAI validates ARP packets to prevent spoofing.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets on untrusted ports against the DHCP snooping binding table (or static entries) and drops spoofed ARP messages. Port security only limits the number of MAC addresses per port, and DHCP snooping targets rogue DHCP servers, although DAI depends on the binding table it builds.

48
MCQ · medium

An organization wants to deploy a firewall that can inspect the payload of application-layer protocols such as HTTP and FTP, and make access decisions based on application data. Which type of firewall best meets this requirement?

A. Application proxy firewall
B. Stateless packet filter
C. Next-generation firewall
D. Stateful packet filter
Answer: A

Application proxies terminate and inspect application-layer traffic.

Why this answer

An application proxy firewall (application-layer gateway) performs deep inspection of application payloads, unlike stateless or stateful packet filters, which decide on header fields and connection state.

49
MCQ · easy

Which of the following is a secure remote access VPN protocol that uses TLS for encryption and is commonly used with Cisco AnyConnect?

A. IPsec
B. SSL/TLS VPN
C. L2TP/IPsec
D. PPTP
Answer: B

An SSL/TLS VPN tunnels traffic inside TLS and is the primary transport used by AnyConnect.

Why this answer

SSL/TLS VPNs carry the tunnel inside TLS (typically with DTLS for performance), and this is the primary mode of Cisco AnyConnect. AnyConnect can also use IKEv2/IPsec, but the TLS-based transport is what the question describes.

50
MCQ · medium

A network administrator notices that legitimate clients are unable to obtain IP addresses from the DHCP server. The network logs show a high volume of DHCP Discover messages from different MAC addresses. Which attack is most likely occurring?

A. DHCP starvation
B. DHCP spoofing
C. ARP spoofing
D. DNS amplification
Answer: A

A high volume of DHCP Discover messages from fake MACs is characteristic of a DHCP starvation attack.

Why this answer

DHCP starvation floods the network with fake DHCP Discover messages to exhaust the IP address pool, preventing legitimate clients from obtaining addresses.

51
MCQ · medium

A company wants to implement a firewall that can track the state of network connections and make decisions based on the context of traffic (e.g., allowing return packets for an established connection). Which type of firewall should they choose?

A. Application proxy firewall
B. Stateless packet filter
C. Next-generation firewall
D. Stateful firewall
Answer: D

A stateful firewall tracks connection state and allows return traffic accordingly.

Why this answer

Stateful firewalls maintain connection state tables and allow return traffic for established sessions.
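The behaviour described in questions 23, 38 and 51 (a default-deny inbound policy plus a state table that admits return traffic), as an added model written for this page rather than any vendor's implementation. It assumes a constructed protected web server, an outside attacker and an internal DNS client; the packets are constructed inline.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in": from the untrusted side toward protected hosts; "out": the reverse
    tcp_flags: str = "" # e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK); empty for UDP


# Default-deny inbound policy: only the published services are opened (question 38's web and mail).
INBOUND_ALLOW = {("tcp", 80), ("tcp", 443), ("tcp", 25)}


class StatefulFirewall:
    """Minimal model of a stateful packet filter: a rule set plus a table of admitted flows."""

    def __init__(self, inbound_allow=INBOUND_ALLOW):
        self.inbound_allow = set(inbound_allow)
        self.flows = set()  # 5-tuples as seen from the flow's initiator

    @staticmethod
    def _forward(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # 1. Packets belonging to a flow already in the state table pass in either direction.
        if self._forward(p) in self.flows or self._reverse(p) in self.flows:
            return "ALLOW established"
        # 2. A new flow must begin with a SYN (TCP) or a first datagram (UDP).
        starts_flow = p.proto == "udp" or p.tcp_flags == "S"
        if not starts_flow:
            return "DROP out-of-state"  # e.g. an ACK scan probing for stateless "allow established" holes
        # 3. Outbound initiations from the protected side are allowed and remembered.
        if p.direction == "out":
            self.flows.add(self._forward(p))
            return "ALLOW new outbound"
        # 4. Inbound initiations need an explicit allow rule; everything else hits default deny.
        if (p.proto, p.dport) in self.inbound_allow:
            self.flows.add(self._forward(p))
            return "ALLOW new inbound"
        return "DROP default-deny"


def run_scenario() -> list:
    """Constructed traffic: a web visitor, an SSH probe, an ACK-scan probe and an internal DNS lookup."""
    fw = StatefulFirewall()
    web, internal, attacker, dns = "203.0.113.10", "10.0.0.20", "198.51.100.7", "192.0.2.53"
    pkts = [
        Packet("tcp", attacker, 40000, web, 443, "in", "S"),   # new HTTPS connection: allowed by rule
        Packet("tcp", web, 443, attacker, 40000, "out", "SA"), # server's SYN-ACK: matches reverse tuple
        Packet("tcp", attacker, 40000, web, 443, "in", "A"),   # client's ACK: established
        Packet("tcp", attacker, 40001, web, 22, "in", "S"),    # SSH from the Internet: default deny
        Packet("tcp", attacker, 40002, web, 443, "in", "A"),   # bare ACK with no SYN: out-of-state
        Packet("udp", internal, 5353, dns, 53, "out"),          # outbound DNS query: remembered
        Packet("udp", dns, 53, internal, 5353, "in"),           # DNS reply: return traffic admitted
        Packet("udp", dns, 53, internal, 5354, "in"),           # unsolicited UDP to another port: denied
    ]
    return [fw.filter(p) for p in pkts]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The fifth packet is the point of the model: a stateless filter that approximates "established" by letting in any TCP segment with ACK set (the classic access-list established keyword) would accept it, whereas the state table knows no such flow exists.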

52
MCQ · medium

A security team is implementing Network Access Control (NAC) to enforce endpoint compliance before granting network access. Which technology allows port-based authentication on wired networks?

A. RADIUS
B. WPA2-Enterprise
C. 802.1X
D. MAC filtering
Answer: C

802.1X provides port-based authentication for wired networks.

Why this answer

802.1X is the IEEE standard for port-based network access control: the switch (authenticator) keeps the port closed to everything but EAP traffic until the supplicant has authenticated. RADIUS is the AAA protocol the switch uses to reach the authentication server, not the port-based mechanism itself; WPA2-Enterprise applies 802.1X to wireless; and MAC filtering is easily spoofed.

53
Multi-Select · medium

During a wireless site survey, a security engineer identifies several security weaknesses. Which TWO measures should be implemented to improve wireless security for a corporate network using WPA2-Enterprise?

Select 2 answers
A. Use 802.1X authentication with EAP-TLS and certificate-based authentication
B. Implement MAC address filtering to allow only known devices
C. Disable SSID broadcast to hide the network
D. Ensure the RADIUS server uses a trusted certificate and validate client certificates
E. Enable WPS for easy client configuration
Answers: A, D

EAP-TLS provides strong mutual authentication.

Why this answer

EAP-TLS gives certificate-based mutual authentication, and configuring supplicants to validate the RADIUS server's certificate (trusted CA, expected server name) prevents an evil twin with its own RADIUS server from harvesting credentials. MAC filtering and hidden SSIDs are trivially bypassed, and WPS is vulnerable to PIN brute-forcing and should remain disabled.

54
MCQ · medium

An attacker is performing a man-in-the-middle attack at Layer 2 by sending forged ARP messages to associate their MAC address with the IP address of a legitimate host on the same subnet. This attack is known as:

A. ARP spoofing
B. DNS poisoning
C. DHCP spoofing
D. MAC flooding
Answer: A

ARP spoofing sends fake ARP messages to perform a MitM attack.

Why this answer

ARP spoofing involves sending gratuitous ARP replies to poison the ARP cache of other hosts.

55
MCQ · easy

Which protocol is used to securely transfer files between a client and server, typically over TCP port 22?

A. SMTP
B. TFTP
C. SSH
D. FTP
Answer: C

SSH provides secure file transfer over TCP port 22.

Why this answer

SSH (Secure Shell) provides encrypted file transfer through SCP or SFTP, both carried over the SSH connection on TCP port 22. FTP (ports 20 and 21) and TFTP (UDP 69) send data in the clear, and SMTP is for mail.

56
MCQ · hard

A security analyst is reviewing firewall logs and notices a high rate of TCP SYN packets to multiple ports on a server, but no corresponding ACK or RST packets. This is characteristic of which type of attack?

A. UDP flood
B. SYN flood
C. Smurf attack
D. Ping of death
Answer: B

A SYN flood uses incomplete TCP handshakes to exhaust resources.

Why this answer

A SYN flood sends many SYN packets without completing the handshake, leaving half-open connections that exhaust the server's backlog. A half-open port scan looks similar in the logs, but arrives at a far lower rate and the scanner answers each SYN-ACK with a RST; here the volume and the absence of any follow-up point to a flood.

57
MCQ · hard

A security analyst discovers that an internal DNS server is returning incorrect IP addresses for legitimate domains. The analyst suspects that an attacker has compromised the DNS resolver's cache. Which type of attack has likely occurred?

A. DNS amplification attack
B. SYN flood
C. DNS tunneling
D. DNS poisoning
Answer: D

The attacker corrupted the cache to redirect traffic.

Why this answer

DNS poisoning involves inserting false DNS records into a resolver's cache, redirecting users to malicious sites for as long as the forged record's TTL lasts.

58
MCQ · medium

A security analyst notices an unusual number of ARP replies on the network where one MAC address is claiming to be multiple IP addresses. Which type of attack is most likely occurring?

A. ARP spoofing
B. SYN flood
C. DNS poisoning
D. DHCP starvation
Answer: A

The attacker sends gratuitous ARP replies to poison the ARP caches of other hosts.

Why this answer

ARP spoofing involves sending forged ARP replies to associate the attacker's MAC with the victim's IP, enabling man-in-the-middle attacks at Layer 2.
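The indicators from questions 21, 54 and 58 (one MAC answering for several IPs, an IP answered by several MACs, the gateway's MAC changing), as an added detection example written for this page; it is not a vendor feature and not a substitute for Dynamic ARP Inspection on the switch. It assumes tcpdump-style ARP reply lines and a small table of known IP-to-MAC bindings; the capture lines are constructed.

```python
import re
from collections import defaultdict

# Matches tcpdump -n output for ARP replies, e.g. "... ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28"
ARP_REPLY = re.compile(r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9A-Fa-f:]{17})")


def parse_arp_replies(lines):
    """Yield (ip, mac) for every ARP reply line; requests and non-ARP lines are ignored."""
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def detect_arp_spoofing(lines, known_bindings=None, legit_multi_ip_macs=()):
    """Return alerts for the three classic ARP-spoofing indicators.

    known_bindings: trusted IP -> MAC pairs (the analyst's equivalent of a static DAI binding).
    legit_multi_ip_macs: MACs allowed to answer for several IPs (first-hop redundancy, proxy ARP)."""
    known_bindings = known_bindings or {}
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in parse_arp_replies(lines):
        if ip in known_bindings and known_bindings[ip] != mac:
            alert = ("binding-mismatch", ip, mac)
            if alert not in alerts:          # report each rogue claim once, not per repeated reply
                alerts.append(alert)
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            alerts.append(("ip-claimed-by-multiple-macs", ip, tuple(sorted(macs))))
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1 and mac not in legit_multi_ip_macs:
            alerts.append(("mac-claims-multiple-ips", mac, tuple(sorted(ips))))
    return alerts


# Constructed tcpdump-style capture (not real traffic): the gateway 10.0.0.1 legitimately lives at
# 00:11:22:33:44:01; de:ad:be:ef:00:01 then claims both the gateway and a workstation to sit in the middle.
SAMPLE_LINES = [
    "12:00:01.000001 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28",
    "12:00:02.000002 ARP, Reply 10.0.0.25 is-at 00:11:22:33:44:25, length 28",
    "12:00:03.000003 ARP, Request who-has 10.0.0.7 tell 10.0.0.25, length 28",
    "12:00:05.000004 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28",
    "12:00:05.100005 ARP, Reply 10.0.0.25 is-at de:ad:be:ef:00:01, length 28",
    "12:00:07.000006 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28",
]
KNOWN_BINDINGS = {"10.0.0.1": "00:11:22:33:44:01"}

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_LINES, KNOWN_BINDINGS):
        print(alert)
```

The allow-list parameter matters in practice: routers running HSRP or VRRP and hosts doing proxy ARP legitimately answer for more than one address, so a MAC-to-many-IPs alert should be suppressed for known first-hop devices rather than treated as proof of an attack.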

59
MCQ · medium

Which of the following is the primary security advantage of TLS 1.3 over earlier versions?

A. Mandatory forward secrecy
B. Reduced handshake latency with 0-RTT
C. Support for RC4 cipher suites
D. Backward compatibility with SSL 3.0
Answer: A

All TLS 1.3 key exchanges use ephemeral Diffie-Hellman, providing forward secrecy.

Why this answer

TLS 1.3 permits only ephemeral (EC)DHE key exchange, so session keys are never derived from the server's long-term private key and past sessions stay protected if that key is later compromised. 0-RTT is a genuine TLS 1.3 feature, but it is a performance optimisation with replay caveats rather than a security gain; RC4 and SSL 3.0 compatibility were removed.

60
MCQ · easy

Which protocol provides the encrypted transport on TCP port 22 over which SFTP and SCP file transfers run?

A. Telnet
B. SFTP
C. FTP
D. SSH
Answer: D

SSH uses TCP port 22 and provides the encrypted channel for both remote administration and file transfer.

Why this answer

SSH (Secure Shell) operates on TCP port 22; SFTP and SCP are file-transfer protocols that run inside an SSH session rather than separate transports. FTP uses ports 20 and 21 and Telnet uses port 23, both unencrypted.

61
MCQ · hard

Which network security control can enforce that only authorized devices with current antivirus and patches can connect to the network?

A. Firewall rules
B. Network Access Control
C. Intrusion Prevention System
D. Port security
Answer: B

NAC assesses device health (e.g., antivirus, patches) before allowing network access.

Why this answer

Network Access Control (NAC) enforces security policies by checking device compliance before granting access, typically using 802.1X for authentication and a quarantine VLAN for non-compliant devices.

62
Multi-Select · hard

A network administrator is designing a secure remote access solution for employees using company laptops. The solution must support strong authentication, encryption, and be resistant to man-in-the-middle attacks. Which THREE components should be included?

Select 3 answers
A. L2TP tunneling protocol
B. EAP-TLS for authentication
C. IPsec in tunnel mode
D. PPTP with MPPE encryption
E. IKEv2 key exchange protocol
Answers: B, C, E

EAP-TLS uses certificates for mutual authentication, preventing MITM.

Why this answer

IKEv2 negotiates keys securely and supports EAP authentication and mobility; EAP-TLS authenticates both sides with certificates, which defeats man-in-the-middle and credential-harvesting attacks; and IPsec in tunnel mode encrypts and authenticates the traffic. L2TP provides tunneling but no encryption of its own, and PPTP with MPPE relies on the broken MS-CHAPv2 exchange.

63
Multi-Select · hard

Which THREE of the following are security features of WPA3 compared to WPA2? (Select THREE)

Select 3 answers
A. Backward compatibility with WEP
B. Protected Management Frames (PMF) mandatory
C. 192-bit security suite for Enterprise mode
D. Simultaneous Authentication of Equals (SAE) replaces PSK
E. Use of TKIP encryption
Answers: B, C, D

PMF is required in WPA3.

Why this answer

WPA3 introduces SAE (Simultaneous Authentication of Equals) to replace PSK, provides 192-bit security in Enterprise mode, and mandates PMF (Protected Management Frames).

64
Multi-Select · medium

A company is migrating from WPA2 to WPA3 for wireless security. Which THREE features does WPA3 introduce? (Select three)

Select 3 answers
A. 192-bit security suite for Enterprise networks
B. Wi-Fi Protected Setup (WPS)
C. Simultaneous Authentication of Equals (SAE)
D. Protected Management Frames (PMF) mandatory
E. CCMP encryption as mandatory
Answers: A, C, D

WPA3-Enterprise offers 192-bit minimum security strength.

Why this answer

WPA3 introduces SAE (Simultaneous Authentication of Equals) to replace PSK, mandates PMF (Protected Management Frames), and offers 192-bit security for Enterprise mode. WPS is removed in WPA3. CCMP is used in WPA2 as well.

65
Multi-Select · medium

A security analyst is investigating a network incident. Which TWO of the following are indicators of a man-in-the-middle attack using ARP spoofing? (Select TWO)

Select 2 answers
A. High number of TCP retransmissions from a single host.
B. An ARP entry for the default gateway points to an unknown MAC address.
C. The ARP cache shows two different MAC addresses for the same IP address (e.g., gateway IP).
D. The switch's CAM table has multiple MAC entries on the same port.
E. Multiple IP addresses resolve to the same MAC address in the ARP cache.
Answers: B, C

The attacker's MAC is associated with the gateway IP.

Why this answer

Duplicate MAC addresses for the same IP (since attacker claims the IP) and an entry matching the attacker's MAC with the gateway IP indicate ARP spoofing.

66
MCQ · medium

Which UDP port is used by the Simple Network Management Protocol (SNMP) for receiving traps?

A. UDP 161
B. UDP 162
C. UDP 123
D. UDP 514
Answer: B

UDP 162 is used for SNMP traps.

Why this answer

SNMP traps are sent from agents to managers on UDP port 162, while SNMP queries typically use port 161.

67
MCQ · hard

A security analyst is investigating a network where an attacker successfully redirected traffic from a legitimate web server to a malicious server by corrupting the target domain's DNS records in a local resolver cache. Which attack technique was used?

A. SYN flood
B. DNS poisoning
C. ARP spoofing
D. Smurf attack
Answer: B

DNS poisoning corrupts DNS cache to redirect traffic.

Why this answer

DNS poisoning injects false DNS records into a resolver's cache, redirecting traffic to malicious sites.

68
Multi-Select · medium

Which TWO of the following are methods to defend against SYN flood attacks? (Select TWO)

Select 2 answers
A. Enabling IP routing
B. Using UDP instead of TCP
C. Increasing the SYN backlog queue size
D. SYN cookies
E. Disabling TCP timestamps
Answers: C, D

A larger backlog allows more pending connections, mitigating exhaustion.

Why this answer

SYN cookies avoid resource exhaustion by not allocating memory until the handshake completes, and increasing the backlog queue allows more half-open connections before reaching capacity.

69
MCQ · medium

An organization is planning to deploy a remote access VPN for employees. The solution must support strong encryption, mutual authentication, and work through firewalls without requiring additional ports. Which technology is most suitable?

A. L2TP/IPsec
B. PPTP
C. IPsec tunnel mode
D. SSL/TLS VPN
Answer: D

SSL VPN uses port 443, widely allowed, and provides strong security.

Why this answer

SSL/TLS VPNs (e.g., Cisco AnyConnect) operate over port 443 (HTTPS), which is commonly allowed through firewalls, and provide strong encryption and authentication.

70
MCQ · easy

Which transport layer protocol is used by DNS for its queries and responses, and why is it appropriate?

A. UDP, because it guarantees packet ordering.
B. TCP, because it provides error checking and retransmission.
C. TCP, because reliability is critical for DNS resolution.
D. UDP, because it is connectionless and fast, suitable for short exchanges.
Answer: D

DNS queries are typically small and benefit from UDP's low overhead.

Why this answer

DNS primarily uses UDP for its fast, low-overhead queries. TCP is used for zone transfers or when responses exceed 512 bytes.

71
Multi-Select · medium

A security auditor is reviewing the configuration of a remote access VPN. Which TWO features are considered best practices for securing the VPN connection?

Select 2 answers
A. Using IKEv2 with pre-shared keys only
B. Disabling encryption to reduce latency
C. Implementing multi-factor authentication (MFA)
D. Enabling split tunneling for all traffic to improve performance
E. Using TLS 1.3 with mandatory forward secrecy
Answers: C, E

MFA adds an extra layer of security beyond passwords.

Why this answer

Using TLS 1.3 (which mandates forward secrecy) and enforcing split tunneling only for trusted networks are security best practices.

72
Multi-Select · medium

An organization is designing network segmentation to protect sensitive data. Which TWO of the following are effective methods for implementing network segmentation?

Select 2 answers
A. Honeypots
B. NAT
C. Firewalls
D. Port security
E. VLANs
Answers: C, E

Firewalls enforce policies between segments.

Why this answer

VLANs segment traffic at Layer 2, and firewalls control traffic between segments at Layer 3+.

73
Multi-Select · medium

A security analyst is investigating a potential ARP spoofing attack on a local network segment. Which TWO network security controls would be most effective in preventing or detecting such an attack at Layer 2?

Select 2 answers
A. Configure DHCP snooping on switches
B. Use IPsec transport mode between hosts
C. Implement Port Security with MAC address binding
D. Deploy a network-based IDS monitoring ARP traffic
E. Enable Dynamic ARP Inspection (DAI) on switches
Answers: C, E

Port Security limits MAC addresses per port, making it harder for an attacker to spoof multiple IPs.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets on trusted ports and drops invalid ones. Port Security with MAC address binding limits the number of MAC addresses per port, reducing the effectiveness of ARP spoofing.

74
Multi-Select · medium

Which TWO of the following are characteristics of a Smurf attack? (Select TWO)

Select 2 answers
A. Requires fragmented packets
B. Uses ICMP echo requests
C. Exploits TCP SYN handshake
D. Targets DNS resolvers
E. Amplifies traffic by using broadcast addresses
Answers: B, E

A Smurf attack uses ICMP echo request (ping) packets.

Why this answer

Smurf attacks send ICMP echo requests to a broadcast address with a spoofed source IP, causing all hosts to reply to the victim, leading to amplification.

75
MCQ · hard

During a penetration test, a security analyst captures a packet containing a gratuitous ARP reply that associates the attacker's MAC address with the default gateway's IP address. This is a classic indicator of which attack?

A. ARP spoofing
B. DHCP spoofing
C. MAC cloning
D. DNS poisoning
Answer: A

Gratuitous ARP is the key technique for ARP spoofing.

Why this answer

ARP spoofing (or ARP poisoning) sends gratuitous ARP replies to redirect traffic, enabling man-in-the-middle attacks.
