Network Security & Access Controls
Q1: You are reviewing the baseline configuration for a new edge firewall. The security
team requests a solution that examines each packet individually, checking the header
information (source/destination IP, port, protocol) against a rule set, but does not track
the state of the connection. Which type of firewall is this describing?
A. Stateful Inspection Firewall
B. Next-Generation Firewall (NGFW)
C. Packet-Filtering Firewall [CORRECT]
D. Proxy Firewall
Correct Answer: C
Rationale: A packet-filtering firewall operates at the network layer and examines
headers individually without maintaining a state table or understanding the context of
the connection, unlike stateful firewalls.
Q2: A web server in your DMZ needs to communicate with a backend database server
on the internal network. You want the firewall to allow this return traffic automatically
without creating a specific rule for it. Which firewall capability is required?
A. Deep Packet Inspection (DPI)
B. Stateful Inspection [CORRECT]
C. Circuit-Level Gateway
D. Application Layer Filtering
Correct Answer: B
Rationale: Stateful inspection tracks the state of active connections (like TCP
handshakes) and automatically allows return traffic for established sessions, whereas
stateless filters require explicit rules for both directions.
Q3: Your organization is looking to upgrade its security infrastructure to inspect traffic at
the application layer (Layer 7), identify applications regardless of port, and integrate with
threat intelligence feeds. Which device should you recommend?
A. Traditional Stateful Firewall
B. Unified Threat Management (UTM) Appliance
C. Next-Generation Firewall (NGFW) [CORRECT]
D. Layer 3 Router with ACLs
Correct Answer: C
Rationale: NGFWs provide deep packet inspection, application awareness (identifying
apps even on non-standard ports), and intrusion prevention capabilities, which basic
stateful firewalls and routers lack.
Q4: An administrator notices an alert from the Intrusion Detection System (IDS)
indicating a SQL injection attempt against the web server. While the IDS logs the
attempt, the attack traffic continues to reach the server. Which device would have
stopped the attack in real-time?
A. Network Intrusion Prevention System (NIPS) [CORRECT]
B. Host-based Intrusion Detection System (HIDS)
C. Protocol Analyzer
D. SIEM (Security Information and Event Management)
Correct Answer: A
Rationale: An Intrusion Prevention System (IPS) sits inline with the network and has the
capability to actively block or drop malicious traffic in real-time, unlike an IDS which is
passive and only generates alerts.
Q5: You need to configure a secure VPN connection between two branch offices so that
all traffic between their subnets is encrypted and routed automatically. Which VPN type
is best suited for this site-to-site requirement?
A. SSL/TLS VPN
B. IPsec VPN [CORRECT]
C. SSH Tunnel
D. PPTP VPN
Correct Answer: B
Rationale: IPsec is the standard protocol for site-to-site VPNs, providing secure
gateway-to-gateway encryption and routing for entire subnets, whereas SSL/TLS is
typically used for remote access client connections.
Q6: Why is it a security best practice to place a public-facing web server in a
Demilitarized Zone (DMZ) rather than the internal network?
A. To increase the bandwidth available to the server.
B. To allow employees to access it faster.
C. To isolate the server; if compromised, the attacker does not have direct access to the
internal LAN. [CORRECT]
D. To reduce the cost of licensing.
Correct Answer: C
Rationale: The DMZ acts as a buffer zone; if a server in the DMZ is breached, additional
security controls (like a second firewall) restrict the attacker's lateral movement into the
sensitive internal network.
Q7: A junior administrator asks why you disabled Telnet on all network switches in favor
of SSH. What is the primary security reason for this decision?
A. SSH uses UDP, which is faster.
B. SSH encrypts the login credentials and session data, whereas Telnet sends
everything in cleartext. [CORRECT]
C. Telnet is not supported on modern hardware.
D. SSH requires a license, making it more secure.
Correct Answer: B
Rationale: Telnet transmits data, including usernames and passwords, in cleartext,
making it vulnerable to sniffing; SSH encrypts the entire session to protect
confidentiality and integrity.
Q8: You are configuring the wireless network for a high-security environment. Which
protocol provides the strongest encryption and authentication for modern Wi-Fi
networks?
A. WEP
B. WPA
C. WPA2-Enterprise
D. WPA3 [CORRECT]
Correct Answer: D
Rationale: WPA3 utilizes Simultaneous Authentication of Equals (SAE) for better
password protection and stronger 192-bit encryption, offering significant security
improvements over the deprecated WEP and older WPA2 standards.
Q9: To prevent unauthorized devices from accessing the network even if they have a
valid Ethernet cable, you implement a requirement that all devices must authenticate
with a username/password or certificate before the switch port grants access. What is
this standard called?
A. Port Security
B. MAC Filtering
C. 802.1X [CORRECT]
D. DHCP Snooping
Correct Answer: C
Rationale: 802.1X is the IEEE standard for port-based Network Access Control (NAC)
that requires authentication before a device can communicate on the network, unlike
simple MAC filtering which is easily spoofed.
Q10: A government agency handles classified information where access decisions are
based on a system of clearances (e.g., Top Secret, Secret) and data labels. Users
cannot write down to a lower classification. Which access control model is this?
A. Discretionary Access Control (DAC)