Network Security for CompTIA Network+

This page covers the Network Security domain of the CompTIA Network+ certification. Master Cybersecurity offers 102 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    Which of the following technologies are X.509 certificates most commonly associated with?
    A. PKI
    B. VLAN tagging
    C. LDAP
    D. MFA
    Explanation

    The correct answer is: A. PKI.

    X.509 is the ITU-T standard that defines the format of digital certificates used in a public-key infrastructure (PKI), specifying the fields (subject, issuer, validity, public key, signature, extensions) that make a certificate verifiable by any party that trusts the issuing certificate authority. PKI is therefore the technology most directly associated with X.509. VLAN tagging (B) inserts an 802.1Q tag in an Ethernet frame to identify which VLAN the frame belongs to and has nothing to do with certificates. LDAP (C) is a directory-access protocol that can store certificates as attributes but is not the certificate format itself. MFA (D) is multi-factor authentication, which can use certificates as one factor but is not the technology X.509 belongs to. PKI is the canonical answer for X.509.

  2. Question 2

    Which of the following attacks utilizes a network packet that contains multiple network tags?
    A. MAC flooding
    B. VLAN hopping
    C. DNS spoofing
    D. ARP poisoning
    Explanation

    The correct answer is: B. VLAN hopping.

    VLAN hopping using double-tagging is the attack that crafts an Ethernet frame with two stacked 802.1Q VLAN tags. When a switch receives the frame on an access port whose native VLAN matches the outer tag, the switch strips that outer tag and forwards the frame on a trunk; the next switch then reads the inner tag and delivers the frame into the target VLAN, bypassing the segmentation that should have isolated it. MAC flooding (A) overwhelms a switch's CAM table to force it to flood unicast frames out of every port, but it does not manipulate VLAN tags. DNS spoofing (C) returns false DNS responses and operates at the application layer, not on Layer 2 tags. ARP poisoning (D) corrupts ARP caches on hosts to redirect traffic at Layer 2/3, again unrelated to VLAN tagging. The double-tagged-frame technique is unique to VLAN hopping, which is why a packet with multiple network tags points directly to that attack.

  3. Question 3

    A client wants to increase overall security after a recent breach. Which of the following would be best to implement? (Choose two.)
    A. Least privilege network access
    B. Dynamic inventories
    C. Central policy management
    D. Zero-touch provisioning
    E. Configuration drift prevention
    F. Subnet range limits
    Explanation

    The correct answers are: A. Least privilege network access, C. Central policy management.

    Least privilege network access reduces the blast radius of any compromised account or device by ensuring users and systems can reach only the resources strictly required for their role, so even if attackers regain a foothold they cannot pivot freely across the environment. Central policy management complements least privilege by ensuring that the access rules, configurations, and security baselines are defined and maintained in one place, eliminating the configuration drift and inconsistency that breaches frequently exploit. Dynamic inventories (B) help with asset visibility but do not by themselves prevent access. Zero-touch provisioning (D) speeds up deployment of new devices but is an operations efficiency rather than a security gain. Configuration drift prevention (E) is a benefit central policy management provides, not a separate control. Subnet range limits (F) are useful for IP planning and do not constitute a primary post-breach security improvement. Least privilege plus central policy management deliver the strongest, most direct security uplift.

  4. Question 4

    Which of the following attacks can cause users who are attempting to access a company website to be directed to an entirely different website?
    A. DNS poisoning
    B. Denial-of-service
    C. Social engineering
    D. ARP spoofing
    Explanation

    The correct answer is: A. DNS poisoning.

    DNS poisoning corrupts the cache of a DNS resolver so that responses for a legitimate hostname return an attacker-controlled IP, with the result that users typing or clicking the company URL are silently delivered to an entirely different site. Denial-of-service (B) overwhelms a target with traffic to make it unavailable; it does not reroute clients to a different working website. Social engineering (C) manipulates a person to take an action; the question describes traffic-routing redirection that occurs without user choice. ARP spoofing (D) operates at Layer 2 on a single LAN and cannot cause clients elsewhere to land on a different site for the corporate hostname. Only DNS poisoning produces site-wide redirection on the basis of the hostname lookup.

  5. Question 5

    As part of an attack, a threat actor purposefully overflows the content-addressable memory (CAM) table on a switch. Which of the following types of attacks is this scenario an example of?
    A. ARP spoofing
    B. Evil twin
    C. MAC flooding
    D. DNS poisoning
    Explanation

    The correct answer is: C. MAC flooding.

    MAC flooding is the attack that purposefully overwhelms a switch's content-addressable memory (CAM) table by sending a stream of frames with random source MAC addresses; once the table is full, the switch can no longer learn legitimate mappings and falls back to flooding unicast frames out every port, allowing the attacker to capture traffic that would normally be switched only to the destination. ARP spoofing (A) sends forged ARP replies to poison hosts' ARP caches and redirect their IP traffic, but does not target the CAM table itself. Evil twin (B) is a wireless attack in which a rogue AP impersonates a legitimate SSID, unrelated to switch memory. DNS poisoning (D) injects false records into a DNS resolver's cache, which has nothing to do with Layer 2 switching tables. CAM-table exhaustion is the defining mechanism of MAC flooding.
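
The CAM-table exhaustion described in Question 5 shows up on the defender's side as one switch port presenting an abnormal number of previously unseen source MAC addresses in a short time. The Python below is an added example, not part of the original question set; the event tuples, port names, window and threshold are constructed assumptions rather than vendor defaults.

```python
from collections import defaultdict, deque

# Assumed tuning values for this example, not taken from any vendor default.
WINDOW_SECONDS = 10
MAX_NEW_MACS_PER_WINDOW = 5


def detect_mac_flooding(events, window=WINDOW_SECONDS, limit=MAX_NEW_MACS_PER_WINDOW):
    """Flag ports that learn more than `limit` new source MACs within `window` seconds.

    events: iterable of (timestamp_seconds, port, src_mac), sorted by time.
    Returns {port: timestamp at which the limit was first exceeded}.
    """
    seen = defaultdict(set)      # port -> source MACs already learned on that port
    recent = defaultdict(deque)  # port -> timestamps of recently learned new MACs
    alerts = {}
    for ts, port, mac in events:
        mac = mac.lower()
        if mac in seen[port]:
            continue  # known station: no new CAM entry would be created
        seen[port].add(mac)
        q = recent[port]
        q.append(ts)
        # Drop learning events that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit and port not in alerts:
            alerts[port] = ts
    return alerts


def build_sample_events():
    """Constructed sample data: two ordinary ports and one port showing a flood."""
    events = [
        (0.0, "Gi0/1", "00:1a:2b:3c:4d:01"),
        (1.0, "Gi0/2", "00:1a:2b:3c:4d:02"),
        (2.0, "Gi0/1", "00:1a:2b:3c:4d:01"),  # repeat of a known station
        (30.0, "Gi0/2", "00:1a:2b:3c:4d:03"),
    ]
    # Gi0/3 presents 20 previously unseen source MACs within two seconds.
    for i in range(20):
        events.append((3.0 + i * 0.1, "Gi0/3", f"02:00:00:00:00:{i:02x}"))
    return sorted(events)


if __name__ == "__main__":
    for port, ts in detect_mac_flooding(build_sample_events()).items():
        print(f"possible MAC flooding on {port} at t={ts:.1f}s")
```

The same per-port counting is what a switch enforces when a maximum number of learned MAC addresses is configured on an access port, which stops the table from being filled from a single port.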
