Security Fundamentals for CCNA
This page covers the Security Fundamentals domain of the CCNA certification. Master Cybersecurity offers 108 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
Which device permits or denies network traffic based on a set of rules?
- A. switch
- B. firewall
- C. wireless controller
- D. access point
Explanation
The correct answer is: B. firewall.
A firewall is the network device whose primary function is to permit or deny traffic against a configured rule base — typically a stateful policy keyed on source/destination address, port, and connection state. B is correct. A (switch) forwards Ethernet frames using a MAC table; while it can carry ACLs, its defining role is forwarding, not policy enforcement. C (wireless controller) manages lightweight APs — authentication, RF, mobility — but it isn't a packet-filter device. D (access point) is the radio bridge between Wi-Fi clients and the wired LAN; it enforces association policy on its SSID, not packet-level traffic rules.
Question 2
What is the role of a firewall in an enterprise network?
- A. determines which packets are allowed to cross from unsecured to secured networks
- B. processes unauthorized packets and allows passage to less secure segments of the network
- C. forwards packets based on stateless packet inspection
- D. explicitly denies all packets from entering an administrative domain
Explanation
The correct answer is: A. determines which packets are allowed to cross from unsecured to secured networks.
A firewall enforces the policy at the boundary between security zones — typically between an unsecured network (the Internet) and one or more secured internal networks. A is correct because deciding which packets are allowed across that boundary is exactly the firewall's job, based on its rule set and connection state. B is wrong because passing unauthorized packets to less-secure segments is the opposite of what a firewall does. C is wrong because modern firewalls are stateful, tracking connection state to allow return traffic — not stateless. D is wrong because explicitly denying every packet would block all communication; firewalls allow specifically permitted flows while denying the rest.
Question 3
Which technology is used to improve web traffic performance by proxy caching?
- A. WSA
- B. Firepower
- C. ASA
- D. FireSIGHT
Explanation
The correct answer is: A. WSA.
Cisco's Web Security Appliance (WSA) is a forward proxy that inspects, filters, and caches outbound web traffic — improving performance via the cache, enforcing URL/category policy, and scanning for malware. A is correct. B (Firepower) is the Next-Generation Firewall/IPS platform — it does deep inspection and threat detection but isn't designed as a web-cache proxy. C (ASA) is Cisco's stateful firewall — also not a proxy/cache. D (FireSIGHT, now Firepower Management Center) is the management console for Firepower devices, not a proxy.
Question 4
How do AAA operations compare regarding user identification, user services, and access control?
- A. Authorization provides access control, and authentication tracks user services
- B. Authentication identifies users, and accounting tracks user services
- C. Accounting tracks user services, and authentication provides access control
- D. Authorization identifies users, and authentication provides access control
Explanation
The correct answer is: B. Authentication identifies users, and accounting tracks user services.
AAA covers three distinct functions. Authentication identifies the user — verifying who they claim to be (password, token, certificate). Authorization decides what that authenticated user is allowed to do — which commands, which resources, which privilege level. Accounting records what the user actually did — commands executed, sessions opened, bytes transferred. B is correct: authentication identifies users, and accounting tracks user services. A is wrong because authorization, not authentication, provides access control, and accounting (not authentication) tracks services. C is wrong because authentication does not provide access control — that is authorization's role. D is wrong because authorization does not identify users — authentication does.
Question 5
What is the difference between RADIUS and TACACS+?
- A. RADIUS logs all commands that are entered by the administrator, but TACACS+ logs only start, stop, and interim commands.
- B. TACACS+ separates authentication and authorization, and RADIUS merges them.
- C. TACACS+ encrypts only password information, and RADIUS encrypts the entire payload.
- D. RADIUS is most appropriate for dial authentication, but TACACS+ can be used for multiple types of authentication.
Explanation
The correct answer is: B. TACACS+ separates authentication and authorization, and RADIUS merges them.
TACACS+ and RADIUS are both AAA protocols, but they differ in how they handle the three A's. B is correct because TACACS+ treats authentication, authorization, and accounting as separate functions you can configure and apply independently, while RADIUS merges authentication and authorization into a single exchange — a successful Access-Accept also returns the authorisation attributes. A is wrong because logging granularity is a configuration choice in both protocols, not a defining difference. C is wrong because it inverts encryption: RADIUS encrypts only the password field of its packets, while TACACS+ encrypts the entire payload between client and server. D is wrong because both protocols support multiple authentication types — RADIUS isn't restricted to dial-up.
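The encryption difference behind option C can be seen directly in the two protocols' wire formats. The block below is an added example, not code from this page or from Cisco: it implements the RADIUS User-Password hiding of RFC 2865 section 5.2, which touches only that one attribute of an Access-Request, beside the TACACS+ body obfuscation of RFC 8907 section 4.5, which covers every byte after the 12-byte clear header. The username, password, shared secret, port name, Request Authenticator and session id are constructed sample values; the packet layouts follow the two RFCs.

```python
"""Added example: what RADIUS and TACACS+ each protect on the wire.
RADIUS (RFC 2865 s5.2) hides only the User-Password attribute; TACACS+
(RFC 8907 s4.5) obfuscates the entire packet body. Constructed sample
values throughout; this is not Cisco code."""
import hashlib
import os
from typing import Dict, Optional


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad the password to a multiple of 16 bytes, then XOR
    each block with MD5(secret || previous ciphertext block), seeded by the
    16-byte Request Authenticator. Nothing else in the packet is touched."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    pad_len = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad_len
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden, prev = hidden + block, block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of radius_hide_password."""
    padded, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        padded += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")  # strips the padding; a password ending in NUL would lose it


def radius_access_request_attrs(user: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Attribute section of an Access-Request (type, length, value). User-Name
    (type 1) travels in clear text; only User-Password (type 2) is hidden."""
    hidden = radius_hide_password(password, secret, authenticator)
    return bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 s4.5: pad_1 = MD5(session_id || key || version || seq_no),
    pad_n = MD5(session_id || key || version || seq_no || pad_{n-1}); the body
    is XORed with the concatenated pads. XOR is its own inverse, so the same
    call both obfuscates and de-obfuscates."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


TACACS_VERSION, TACACS_TYPE_AUTHEN = 0xC0, 0x01  # major 0xC, minor 0; authentication packet


def tacacs_plus_authen_start(user: bytes, password: bytes, key: bytes, session_id: int) -> bytes:
    """Authentication START packet for a PAP login (RFC 8907 s5.1, s5.4.2.1):
    12-byte clear header, then an obfuscated body carrying action, priv_lvl,
    authen_type, service, the username, port, remote address and PAP password."""
    seq_no, flags = 1, 0x00            # flags bit 0 clear means the body is obfuscated
    port, rem_addr = b"tty0", b""      # constructed sample values
    body = (bytes([0x01, 0x01, 0x02, 0x01,  # LOGIN, priv_lvl 1, PAP, service LOGIN
                   len(user), len(port), len(rem_addr), len(password)])
            + user + port + rem_addr + password)
    header = (bytes([TACACS_VERSION, TACACS_TYPE_AUTHEN, seq_no, flags])
              + session_id.to_bytes(4, "big") + len(body).to_bytes(4, "big"))
    return header + tacacs_plus_obfuscate(body, key, session_id, TACACS_VERSION, seq_no)


def compare_exposure(user: bytes, password: bytes, secret: bytes,
                     authenticator: Optional[bytes] = None,
                     session_id: Optional[int] = None) -> Dict[str, bool]:
    """Build one request per protocol and report what an observer without the
    shared secret can read directly from the bytes, and what the server recovers."""
    authenticator = authenticator or os.urandom(16)
    session_id = session_id if session_id is not None else int.from_bytes(os.urandom(4), "big")
    radius = radius_access_request_attrs(user, password, secret, authenticator)
    tacacs = tacacs_plus_authen_start(user, password, secret, session_id)
    tacacs_body = tacacs_plus_obfuscate(tacacs[12:], secret, session_id, TACACS_VERSION, 1)
    return {
        "radius_username_in_clear": user in radius,
        "radius_password_in_clear": password in radius,
        "radius_server_recovers_password":
            radius_reveal_password(radius[4 + len(user):], secret, authenticator) == password,
        "tacacs_username_in_clear": user in tacacs,
        "tacacs_password_in_clear": password in tacacs,
        "tacacs_server_recovers_body": user in tacacs_body and password in tacacs_body,
    }


if __name__ == "__main__":
    for k, v in compare_exposure(b"netadmin", b"S3cret!Pass", b"shared-secret-example").items():
        print(f"{k:34} {v}")
```

Running the block prints six booleans: the RADIUS User-Name is readable while the User-Password is not, whereas no field of the TACACS+ body is readable, and in both cases the server side recovers the original values with the shared secret. Neither mechanism is modern encryption; both are MD5 keystreams derived from the shared secret, which is why RFC 8907 deliberately calls the TACACS+ scheme "obfuscation", and why both protocols are normally confined to a management network.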
Other CCNA domains
- Automation and Programmability (83 questions)
- IP Connectivity (256 questions)
- Network Access (217 questions)
- Network Fundamentals (505 questions)
- Services (135 questions)