Q1. What does DHCP Snooping help prevent?
- A.DDoS attacks
- B.Rogue DHCP serversβ Correct
- C.MAC flooding
- D.IP spoofing
Explanation: DHCP Snooping prevents unauthorized DHCP servers from distributing IP addresses. Learn more.
CompTIA Network+ Practice Questions: Network Security
64 free, exam-style CompTIA Network+ (N10-009) practice questions covering Network Security. Each question shows the correct answer and a clear explanation. Ready for the real thing? Take the full timed quiz below.
Q2. Which port does SSH use by default?
- A.20
- B.21
- C.22β Correct
- D.23
Explanation: SSH (Secure Shell) uses TCP port 22 for secure remote access. Learn more.
Q3. What is the purpose of port security?
- A.Block specific IP addresses
- B.Limit MAC addresses per portβ Correct
- C.Encrypt port communications
- D.Prevent port scanning
Explanation: Port security restricts which MAC addresses can communicate through a switch port. Learn more.
Q4. What is the primary benefit of using SNMPv3 over SNMPv2?
- A.Faster polling
- B.Encryptionβ Correct
- C.Larger MIBs
- D.IPv6 support
Explanation: SNMPv3 adds message integrity, authentication, and encryption. Learn more.
Q5. Which firewall type operates at Layer 7 of the OSI model?
- A.Packet-filtering
- B.Stateful
- C.Proxyβ Correct
- D.NAT
Explanation: Proxy firewalls (application-layer firewalls) inspect Layer 7 content. Learn more.
Q6. What is the primary security risk of using Telnet?
- A.Slow performance
- B.No encryptionβ Correct
- C.Limited port options
- D.High bandwidth usage
Explanation: Telnet transmits data (including credentials) in plaintext. Learn more.
Q7. Which port does RDP (Remote Desktop Protocol) use?
- A.22
- B.80
- C.3389β Correct
- D.443
Explanation: RDP uses TCP port 3389 by default for remote connections. Learn more.
Q8. Which authentication protocol uses tickets and time stamps?
- A.RADIUS
- B.TACACS+
- C.Kerberosβ Correct
- D.LDAP
Explanation: Kerberos uses ticket-granting tickets (TGTs) with timestamps to prevent replay attacks. Learn more.
Q9. What is the primary purpose of NAC (Network Access Control)?
- A.Block DDoS attacks
- B.Enforce security policies on endpointsβ Correct
- C.Encrypt wireless traffic
- D.Filter SPAM
Explanation: NAC checks devices for compliance before granting network access. Learn more.
Q10. What does EAP-TLS use for authentication?
- A.Username/password
- B.Digital certificatesβ Correct
- C.One-time passwords
- D.Biometrics
Explanation: EAP-TLS provides mutual authentication using X.509 certificates. Learn more.
Q11. Which protocol provides secure file transfers over SSH?
- A.FTPS
- B.SFTPβ Correct
- C.TFTP
- D.SCP
Explanation: SFTP (SSH File Transfer Protocol) uses SSH encryption for file transfers. Learn more.
Q12. Which security control prevents tailgating?
- A.Firewall
- B.Mantrapβ Correct
- C.IDS
- D.VPN
Explanation: Mantraps are physical security controls that prevent unauthorized entry. Learn more.
Q13. What does a BPDU guard protect against?
- A.MAC flooding
- B.Rogue switchesβ Correct
- C.ARP poisoning
- D.DDoS attacks
Explanation: BPDU Guard blocks unauthorized switches from participating in spanning tree. Learn more.
Q14. What is the primary security risk of WPS (Wi-Fi Protected Setup)?
- A.Weak encryption
- B.Brute-force vulnerabilityβ Correct
- C.MAC spoofing
- D.Packet sniffing
Explanation: WPS's PIN authentication is vulnerable to brute-force attacks. Learn more.
Q15. What is the primary difference between IDS and IPS?
- A.IDS detects, IPS preventsβ Correct
- B.IPS encrypts, IDS monitors
- C.IDS uses signatures, IPS uses heuristics
- D.IPS operates at Layer 2, IDS at Layer 3
Explanation: IDS (Intrusion Detection System) monitors and alerts on suspicious activity, while IPS (Intrusion Prevention System) actively blocks or mitigates threats in real time. Learn more.
Q16. Which protocol uses port 3389?
- A.RDPβ Correct
- B.VNC
- C.SSH
- D.Telnet
Explanation: RDP (Remote Desktop Protocol) uses TCP port 3389 to allow users to connect to and control remote Windows desktops and servers. Learn more.
Q17. What is the purpose of a SIEM system?
- A.Monitor performance
- B.Centralize security event analysisβ Correct
- C.Manage backups
- D.Configure switches
Explanation: SIEM (Security Information and Event Management) solutions collect, analyze, and correlate logs and events across the IT infrastructure to detect and respond to threats. Learn more.
Q18. What is the purpose of a Faraday cage in networking?
- A.Block EMIβ Correct
- B.Prevent physical access
- C.Cool equipment
- D.Enhance wireless signals
Explanation: A Faraday cage blocks electromagnetic interference (EMI) by surrounding equipment with a conductive enclosure. This prevents data leaks or unauthorized wireless access. Learn more.
Q19. What is the primary purpose of 802.1X authentication?
- A.Encrypt wireless traffic
- B.Control port accessβ Correct
- C.Prevent IP spoofing
- D.Block DDoS attacks
Explanation: 802.1X provides port-based Network Access Control (PNAC). Learn more.
Q20. Which DNS security feature prevents cache poisoning attacks?
- A.DNSSECβ Correct
- B.DMARC
- C.SPF
- D.DKIM
Explanation: DNSSEC adds cryptographic signatures to DNS records for authentication. Learn more.
Q21. What does TACACS+ provide that RADIUS does not?
- A.Encryption of entire payloadβ Correct
- B.Centralized authentication
- C.Accounting features
- D.Network access control
Explanation: TACACS+ encrypts entire packets vs RADIUS' partial encryption. Learn more.
Q22. Which security technique hides internal IP addresses from external networks?
- A.NATβ Correct
- B.BGP
- C.STP
- D.QoS
Explanation: Network Address Translation (NAT) translates private internal IP addresses to a public IP, masking the internal network structure from outside observers. Learn more.
Q23. What is the purpose of a forward proxy?
- A.Filter outbound trafficβ Correct
- B.Accelerate website performance
- C.Balance server load
- D.Prevent DDoS attacks
Explanation: A forward proxy sits between client devices and the internet, allowing filtering, caching, and monitoring of outbound requests to external resources. Learn more.
Q24. What is the primary security benefit of FDE (Full Disk Encryption)?
- A.Prevent network eavesdropping
- B.Protect data at restβ Correct
- C.Block malware downloads
- D.Stop phishing attacks
Explanation: FDE (Full Disk Encryption) secures all data on a storage device by encrypting it, ensuring that if the physical device is lost or stolen, the data remains inaccessible without the correct decryption key. Learn more.
Q25. Which protocol is used for secure management of network devices?
- A.Telnet
- B.SSHβ Correct
- C.HTTP
- D.SNMPv1
Explanation: SSH (Secure Shell) provides encrypted command-line access to network devices, replacing insecure protocols like Telnet. It ensures confidentiality and integrity of management sessions. Learn more.
Q26. Which security framework focuses on industrial control systems?
- A.PCI DSS
- B.NIST CSF
- C.ISO 27001
- D.ISA/IEC 62443β Correct
Explanation: ISA/IEC 62443 is a set of standards specifically designed for securing Industrial Automation and Control Systems (IACS), providing guidance on secure system design and maintenance. Learn more.
Q27. What is the purpose of a salt in password hashing?
- A.Increase hash complexity
- B.Prevent rainbow table attacksβ Correct
- C.Accelerate encryption
- D.Reduce storage requirements
Explanation: A salt is a random value added to passwords before hashing to ensure each hash is unique. This defeats precomputed rainbow tables and enhances the security of stored passwords. Learn more.
Q28. What is the primary security benefit of HSTS (HTTP Strict Transport Security)?
- A.Prevent clickjacking
- B.Enforce HTTPS connectionsβ Correct
- C.Block SQL injection
- D.Filter malicious cookies
Explanation: HSTS forces browsers to use secure HTTPS connections. Learn more.
Q29. Which network component enables microsegmentation?
- A.Firewall
- B.VLAN
- C.SDN Controller
- D.NGFWβ Correct
Explanation: Next-Gen Firewalls enable granular microsegmentation policies. Learn more.
Q30. Which security concept uses deception techniques to detect attackers?
- A.Honeypotβ Correct
- B.DMZ
- C.Air gap
- D.MAC filtering
Explanation: Honeypots mimic real systems to study attack patterns. Learn more.
Q31. What is the primary benefit of ZTNA (Zero Trust Network Access)?
- A.Faster VPN connections
- B.Implicit trust verification
- C.Continuous authenticationβ Correct
- D.Free public Wi-Fi access
Explanation: ZTNA enforces strict identity verification and least-privilege access. Learn more.
Q32. What is the purpose of a RPKI (Resource Public Key Infrastructure)?
- A.Secure BGP routingβ Correct
- B.Encrypt DNS queries
- C.Authenticate VPN users
- D.Protect email servers
Explanation: RPKI validates BGP route origins to prevent hijacking. Learn more.
Q33. Which network design principle limits blast radius during breaches?
- A.Least privilege
- B.Segmentationβ Correct
- C.Redundancy
- D.Load balancing
Explanation: Network segmentation contains potential security incidents. Learn more.
Q34. Which technology enables network segmentation at the application layer?
- A.VLAN
- B.SD-WAN
- C.API Gatewayβ Correct
- D.ACL
Explanation: API gateways act as intermediaries for requests between clients and services, enforcing security policies and segmenting access based on application logic. Learn more.
Q35. What is the primary security risk of SSID broadcasting?
- A.Deauthentication attacks
- B.Rogue AP detection
- C.War drivingβ Correct
- D.Evil twin attacks
Explanation: When a wireless network broadcasts its SSID, it becomes visible to unauthorized users, increasing the likelihood of reconnaissance activities like war driving. Learn more.
Q36. Which DNS feature prevents subdomain takeover attacks?
- A.CAA recordsβ Correct
- B.DNSSEC
- C.NSEC3
- D.DMARC
Explanation: CAA (Certification Authority Authorization) records specify which certificate authorities are permitted to issue certificates for a domain, preventing unauthorized SSL issuance. Learn more.
Q37. What is the primary benefit of MACsec (Media Access Control Security)?
- A.Encrypt Layer 2 trafficβ Correct
- B.Prevent ARP spoofing
- C.Block DDoS attacks
- D.Authenticate wireless clients
Explanation: MACsec encrypts traffic at Layer 2 (Ethernet), protecting against LAN attacks such as sniffing or man-in-the-middle on wired networks. Learn more.
Q38. What is the purpose of a Faraday cage in network security?
- A.Block EMI
- B.Prevent physical tampering
- C.Stop wireless signalsβ Correct
- D.Cool network equipment
Explanation: A Faraday cage is an enclosure made of conductive material that blocks external electromagnetic fields, preventing wireless signals from escaping or entering the enclosed space. Learn more.
Q39. What is the primary security benefit of certificate pinning?
- A.Prevent MITM attacksβ Correct
- B.Block phishing
- C.Stop DDoS
- D.Detect malware
Explanation: Certificate pinning associates hosts with specific SSL certificates. Learn more.
Q40. What is the purpose of a TACACS+ server?
- A.Centralized authenticationβ Correct
- B.DNS resolution
- C.IP address allocation
- D.Traffic shaping
Explanation: TACACS+ provides AAA services for network devices. Learn more.
Q41. Which protocol is used for industrial control system security?
- A.Modbus/TCP
- B.DNP3
- C.OPC UAβ Correct
- D.BACnet
Explanation: OPC UA includes built-in security features for ICS. Learn more.
Q42. Which protocol is used for secure network time synchronization?
- A.NTPsec
- B.PTP
- C.SNTP
- D.All of the aboveβ Correct
Explanation: All provide time synchronization with varying security levels. Learn more.
Q43. What is the primary security risk of LLMNR?
- A.DNS poisoning
- B.NTLM relay attacksβ Correct
- C.ARP spoofing
- D.MAC flooding
Explanation: Link-Local Multicast Name Resolution is vulnerable to spoofing. Learn more.
Q44. Which wireless encryption standard is considered the most secure?
- A.WEP
- B.WPA
- C.WPA2
- D.WPA3β Correct
Explanation: WPA3 is the most secure wireless encryption standard, offering forward secrecy, improved protection against brute-force attacks, and secure public Wi-Fi with SAE (Simultaneous Authentication of Equals). It replaces WPA2 with stronger encryption protocols. Learn more.
Q45. What is the purpose of a VPN?
- A.Encrypt network trafficβ Correct
- B.Monitor network performance
- C.Route packets between networks
- D.Connect devices within a LAN
Explanation: A VPN (Virtual Private Network) creates a secure, encrypted tunnel between a user's device and the destination network, protecting data from interception on public or unsecured networks. It also hides the userβs IP address to enhance privacy. Learn more.
Q46. Which WPA3 mode is designed for enterprise networks and typically uses a RADIUS server for authentication?
- A.WPA3-Personal
- B.WPA3-Enterpriseβ Correct
- C.WPA3-PSK
- D.WPA3-Transition Mode
Explanation: WPA3-Enterprise uses 802.1X authentication, typically with a RADIUS server, to provide robust, individual user authentication suitable for enterprise environments. Learn more.
Q47. A small office has a SOHO router connected to the internet. To protect the internal network from unsolicited inbound traffic, which feature of the SOHO router is PRIMARILY responsible?
- A.DHCP server
- B.Wireless access point
- C.Built-in firewall (NAT functionality)β Correct
- D.DNS relay
Explanation: SOHO routers typically include a built-in stateful firewall and use Network Address Translation (NAT). NAT inherently blocks unsolicited inbound connections by not having explicit mappings for them, and the firewall provides additional rule-based filtering. Learn more.
Q48. A company policy states that all passwords must be a minimum of 12 characters, include uppercase, lowercase, numbers, and symbols, and be changed every 90 days. This is an example of what type of security control?
- A.Physical security control
- B.Technical security control
- C.Administrative security control (Policy)β Correct
- D.Detective security control
Explanation: Password complexity and rotation requirements are defined in security policies, which are administrative controls. The enforcement of these policies might be technical, but the rule itself is administrative. Learn more.
Q49. An attacker configures a malicious wireless access point with the same SSID as a legitimate corporate AP to trick users into connecting to it. This type of attack is known as:
- A.War driving
- B.Evil twinβ Correct
- C.Bluejacking
- D.MAC spoofing
Explanation: An evil twin attack involves setting up a rogue AP that mimics a legitimate one, often with a stronger signal, to entice users to connect. Once connected, the attacker can eavesdrop on traffic or launch further attacks. Learn more.
Q50. In the context of network security, what does the 'Authorization' component of AAA (Authentication, Authorization, and Accounting) primarily determine?
- A.Verifying a user's identity
- B.Tracking a user's network activity and resource consumption
- C.Granting or denying access to specific network resources or services based on policiesβ Correct
- D.Encrypting user credentials during transmission
Explanation: Authorization is the process that occurs after successful authentication. It determines what permissions an authenticated user or device has, such as which network resources, services, or commands they are allowed to access or execute. Learn more.
Q51. An attacker positions themselves between two communicating parties, secretly intercepting and relaying messages, potentially altering the data without the parties' knowledge. What type of attack is this?
- A.Distributed Denial-of-Service (DDoS) attack
- B.Phishing attack
- C.Man-in-the-Middle (MitM) attackβ Correct
- D.SQL injection attack
Explanation: A Man-in-the-Middle (MitM) attack occurs when an attacker intercepts network communication between two parties. The attacker can then eavesdrop on, or even modify, the data being exchanged, all while the two parties believe they are communicating directly and securely. Learn more.
Q52. WPA2-Enterprise mode for wireless security typically requires which of the following components for robust client authentication?
- A.A single pre-shared key (PSK) known to all authorized devices.
- B.An 802.1X authentication server, such as a RADIUS server.β Correct
- C.MAC address filtering configured on the access point.
- D.Open authentication with no password, relying on captive portal for access.
Explanation: WPA2-Enterprise (and WPA3-Enterprise) leverages the IEEE 802.1X standard for port-based network access control. This involves an authenticator (the AP), a supplicant (the client device), and an authentication server (commonly RADIUS) to verify credentials individually for each user or device. Learn more.
Q53. What is a key characteristic that distinguishes a stateful firewall from a stateless packet-filtering firewall?
- A.A stateful firewall only inspects packet headers (source/destination IP, ports) based on static ACLs.
- B.A stateful firewall maintains a table of active network connections and makes filtering decisions based on the context of traffic flows and connection state.β Correct
- C.A stateful firewall operates primarily at the Application layer (Layer 7) to filter web content and malicious payloads.
- D.A stateful firewall cannot prevent IP spoofing attacks, whereas a stateless firewall can.
Explanation: A stateful firewall tracks the state of active network connections (e.g., TCP connection establishment, data transfer, termination). It can make more intelligent filtering decisions by understanding the context of a traffic flow, such as allowing return traffic for an internally initiated connection without needing a specific inbound rule. Learn more.
Q54. Which of the following is a suite of protocols that provides a secure, encrypted connection between two endpoints over an IP network, commonly used for VPNs, by offering services like authentication, data integrity, and confidentiality?
- A.PPTP (Point-to-Point Tunneling Protocol)
- B.L2TP (Layer 2 Tunneling Protocol)
- C.IPsec (Internet Protocol Security)β Correct
- D.SSL/TLS (Secure Sockets Layer/Transport Layer Security)
Explanation: IPsec is a framework of open standards developed by the IETF for ensuring private, secure communications over IP networks. It operates at the Network layer (Layer 3) and can be used to create VPNs. It uses protocols like Authentication Header (AH) and Encapsulating Security Payload (ESP). Learn more.
Q55. A disgruntled employee with legitimate access credentials intentionally accesses and deletes critical company data from a server. This is an example of what type of security threat actor?
- A.Script kiddie
- B.Hacktivist
- C.Insider threatβ Correct
- D.Nation-state actor
Explanation: An insider threat originates from individuals within an organizationβsuch as current or former employees, contractors, or business partnersβwho have authorized access to the organization's network, systems, or data and misuse that access to negatively affect the confidentiality, integrity, or availability of the organization's information or information systems. Learn more.
Q56. An employee receives an email that appears to be from their bank, urging them to click a link to verify their account details due to a supposed security alert. The link, however, directs them to a fraudulent website designed to capture their login credentials. What type of social engineering attack is this?
- A.Distributed Denial-of-Service (DDoS) attack
- B.Man-in-the-Middle (MitM) attack
- C.Phishing attackβ Correct
- D.Zero-day exploit
Explanation: Phishing is a type of social engineering attack where attackers send deceptive emails, text messages, or other communications that appear to come from a legitimate and trustworthy source (like a bank, company, or government agency). The goal is to trick individuals into revealing sensitive information such as login credentials, credit card numbers, or personal identification information, often by directing them to a fake website. Learn more.
Q57. A user reports that all their important files have been encrypted and are now inaccessible. They also see a message on their screen demanding a monetary payment in cryptocurrency to receive a decryption key. What type of malware is MOST likely responsible for this situation?
- A.Computer virus
- B.Network worm
- C.Spyware
- D.Ransomwareβ Correct
Explanation: Ransomware is a type of malicious software that, once it infects a system, encrypts the victim's files, making them unusable. The attackers then demand a ransom payment (often in cryptocurrency) in exchange for the decryption key needed to recover the files. Some ransomware may also threaten to publish stolen data if the ransom is not paid. Learn more.
Q58. Which security model or framework operates on the core principle of "never trust, always verify," requiring strict identity verification and contextual authorization for every person and device attempting to access resources on a private network, regardless of whether they are located inside or outside the traditional network perimeter?
- A.Defense in Depth
- B.Zero Trust Architecture (ZTA)β Correct
- C.Perimeter Security Model (Castle-and-Moat)
- D.Principle of Least Privilege
Explanation: Zero Trust Architecture (ZTA) is a security model based on the principle that no implicit trust is granted to users or devices based solely on their physical or network location. Instead, ZTA requires continuous verification of identity, device security posture, and other contextual factors before granting access to resources, and enforces least-privilege access. This contrasts with traditional perimeter-based security, which often trusts entities once they are inside the network. Learn more.
Q59. Which protocol is used to secure communication between a web browser and a web server, utilizing TCP port 443?
- A.HTTP
- B.SSH
- C.HTTPSβ Correct
- D.SFTP
Explanation: HTTPS (Hypertext Transfer Protocol Secure) uses SSL/TLS to encrypt traffic between the client and server, ensuring data confidentiality and integrity. It operates on port 443. Learn more.
Q60. Which attack involves an attacker sending falsified ARP messages over a LAN to link their MAC address with the IP address of a legitimate computer or server?
- A.DNS Poisoning
- B.ARP Poisoning/Spoofingβ Correct
- C.VLAN Hopping
- D.Smurf Attack
Explanation: ARP Poisoning (or Spoofing) allows an attacker to intercept data frames on a network, modify the traffic, or stop all traffic (DoS) by associating their MAC address with a target's IP. Learn more.
Q61. Which secure management protocol should replace Telnet?
- A.SSHβ Correct
- B.FTP
- C.TFTP
- D.HTTP
Explanation: SSH encrypts remote management sessions, unlike Telnet, which sends data in plaintext. Learn more.
Q62. Which 802.1X component makes the access decision after checking credentials?
- A.Authentication serverβ Correct
- B.Supplicant
- C.Unmanaged hub
- D.Patch panel
Explanation: In 802.1X, the authentication server, often RADIUS, validates credentials and returns authorization decisions. Learn more.
Q63. A switch port shuts down after learning too many MAC addresses. Which feature most likely triggered?
- A.Port securityβ Correct
- B.DHCP relay
- C.DNS recursion
- D.NTP authentication
Explanation: Port security can limit the number of MAC addresses on a switch port and shut the port when violated. Learn more.
Q64. Which security control verifies device compliance before allowing network access?
- A.NAC posture assessmentβ Correct
- B.Static DNS record
- C.Patch panel label
- D.Cable certifier
Explanation: Network Access Control can check device posture before granting access. Learn more.