D488 | D488 Cybersecurity Architecture and
Engineering Exam 2 Version 1 | Questions with
Correct Answers and Expert Explanation for Each
Question | WGU
1. Which IPsec mode encrypts both the original IP header and the data payload,
encapsulating them into a new IP packet?
A. Transport Mode
B. Authentication Header (AH)
C. Tunnel Mode
D. Passive Mode
Correct Answer: C
Expert Explanation: Tunnel mode protects the entire original IP packet: the
original header and payload are encrypted together (encryption is provided by
ESP) and the result is wrapped in a new IP packet. The new outer header carries
the addresses of the VPN gateways, so an observer on the path sees only
gateway-to-gateway traffic and learns nothing about the internal source and
destination hosts. This is the usual choice for site-to-site VPNs, where the
gateways are the IPsec endpoints. Transport mode (option A) encrypts only the
payload and leaves the original header in the clear; Authentication Header
(option B) provides integrity and origin authentication but no encryption at
all; passive mode (option D) is not an IPsec mode.
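The difference in what an observer can read is easiest to see by building the two encapsulations. The script below is an added example, not code from the WGU material: it constructs a minimal IPv4 packet, encapsulates it in transport mode and in tunnel mode, and parses the outermost header the way a passive observer would. The ESP "encryption" is a toy HMAC-SHA256 keystream XOR (an assumption so the script runs offline; real IPsec uses the negotiated cipher plus integrity protection and carries an ESP header and trailer, which are omitted here), and the addresses come from the documentation ranges.

```python
"""Tunnel mode vs transport mode encapsulation (added example, not from the
WGU material). The ESP 'encryption' is a toy HMAC-SHA256 keystream XOR so
the script runs offline; real IPsec uses the negotiated cipher (e.g. AES-GCM)
plus integrity protection and an ESP header/trailer, all omitted here."""
import hashlib
import hmac
import socket
import struct

PROTO_TCP, PROTO_ESP = 6, 50
TOY_KEY = b"illustration-only-key"  # assumption: a pre-shared toy key

# version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options, checksum left at zero."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4_header(pkt: bytes) -> dict:
    """The fields a passive observer can read from the outermost header."""
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "total_len": total}


def toy_crypt(data: bytes) -> bytes:
    """XOR with an HMAC-derived keystream; symmetric, so it also decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(TOY_KEY, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def transport_mode(inner: bytes) -> bytes:
    """Transport mode: original header kept in the clear, only the payload encrypted."""
    h = parse_ipv4_header(inner)
    enc = toy_crypt(inner[20:])
    return ipv4_header(h["src"], h["dst"], PROTO_ESP, len(enc)) + enc


def tunnel_mode(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole original packet, header included, is encrypted
    and a new outer header addressed between the two gateways is prepended."""
    enc = toy_crypt(inner)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(enc)) + enc


def decapsulate_tunnel(outer: bytes) -> bytes:
    """The receiving gateway strips the outer header and recovers the original packet."""
    return toy_crypt(outer[20:])


# Constructed sample: internal host 10.0.1.5 sends a TCP segment to 10.0.2.8
PAYLOAD = b"hello"
INNER = ipv4_header("10.0.1.5", "10.0.2.8", PROTO_TCP, len(PAYLOAD)) + PAYLOAD
GW_A, GW_B = "203.0.113.1", "198.51.100.1"  # the two VPN gateways (constructed)

if __name__ == "__main__":
    print("transport mode, observer sees:", parse_ipv4_header(transport_mode(INNER)))
    print("tunnel mode, observer sees:   ", parse_ipv4_header(tunnel_mode(INNER, GW_A, GW_B)))
    print("after decapsulation:          ",
          parse_ipv4_header(decapsulate_tunnel(tunnel_mode(INNER, GW_A, GW_B))))
```

In transport mode the observer still reads 10.0.1.5 and 10.0.2.8 from the outer header; in tunnel mode the only addresses on the wire are those of the gateways, and the internal addresses reappear only after the receiving gateway decapsulates the packet.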
2. A stateful inspection firewall is superior to a simple packet-filtering firewall because
it:
A. Analyzes the application layer data exclusively.
B. Operates at the Physical layer of the OSI model.
C. Only filters traffic based on source and destination IP addresses.
D. Tracks the state of active connections and makes decisions based on the context
of traffic.
Correct Answer: D
Expert Explanation: A stateful inspection firewall keeps a connection table that
records each active session (for TCP, typically the 5-tuple and the handshake
state). An inbound packet is admitted only if it matches a session the firewall has
already seen start, or if it is a new connection to an explicitly permitted service.
This lets the firewall distinguish legitimate return traffic from unsolicited
packets, which a static packet filter cannot do: to let replies through, a stateless
filter has to allow any inbound packet with the ACK flag set, so probes such as ACK
scans and forged "established" packets pass it. The context-aware approach
therefore shrinks the externally reachable attack surface. Option A describes an
application-layer proxy rather than stateful inspection, option B is wrong because
firewalls do not operate at the Physical layer, and option C describes a basic
packet filter.
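The following script is an added example, not part of the WGU material. It models a stateless filter with the classic "allow established (ACK set)" rule next to a stateful filter with a connection table, and runs both over a constructed scenario: a LAN client opens an outbound HTTPS connection, the real reply comes back, then an attacker sends an ACK-scan probe and a forged "established" packet to an internal RDP port. Both filters are simplified models (no timeouts or sequence tracking, which a real stateful firewall also does); hosts and ports are constructed for the example.

```python
"""Stateless packet filtering vs stateful inspection (added example, not
code from the WGU material). Packets are constructed tuples; no sockets."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset       # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str         # "in" = internet -> LAN, "out" = LAN -> internet


class StatelessFilter:
    """Static ACL. To let replies to outbound connections back in, it must
    allow any inbound packet with ACK set: it cannot tell a genuine reply
    from a forged packet that merely looks established."""

    def __init__(self, public_ports):
        self.public_ports = set(public_ports)

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            return "ALLOW"
        if p.dport in self.public_ports:
            return "ALLOW"
        if "ACK" in p.flags:            # the classic 'established' rule
            return "ALLOW"
        return "DROP"


class StatefulFilter:
    """Keeps a connection table and only admits inbound packets that match a
    session it has already seen start, or a fresh SYN to a public service."""

    def __init__(self, public_ports):
        self.public_ports = set(public_ports)
        self.table = set()              # (lan_ip, lan_port, remote_ip, remote_port)

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == frozenset({"SYN"}):
                self.table.add(key)     # LAN host opened a new connection
            elif "RST" in p.flags:
                self.table.discard(key)
            return "ALLOW"
        key = (p.dst, p.dport, p.src, p.sport)   # reply direction: swap the ends
        if key in self.table:
            if "RST" in p.flags:
                self.table.discard(key)
            return "ALLOW"
        if p.dport in self.public_ports and p.flags == frozenset({"SYN"}):
            self.table.add(key)         # new inbound session to a public service
            return "ALLOW"
        return "DROP"                   # unsolicited: no session and not a new SYN to a service


def run(fw, packets):
    """Apply the filter to the packets in order and return the decisions."""
    return [fw.decide(p) for p in packets]


# Constructed scenario: LAN client, public web server, remote peer, attacker
LAN_HOST, WEB, REMOTE, ATTACKER = "10.0.0.7", "10.0.0.80", "198.51.100.20", "203.0.113.9"
F = frozenset
SCENARIO = [
    Packet(LAN_HOST, 51000, REMOTE, 443, F({"SYN"}), "out"),        # client opens HTTPS outbound
    Packet(REMOTE, 443, LAN_HOST, 51000, F({"SYN", "ACK"}), "in"),  # legitimate reply
    Packet(ATTACKER, 443, LAN_HOST, 51001, F({"ACK"}), "in"),       # ACK-scan probe, no session
    Packet(ATTACKER, 40000, WEB, 80, F({"SYN"}), "in"),             # anyone may reach the web server
    Packet(ATTACKER, 40001, LAN_HOST, 3389, F({"ACK"}), "in"),      # forged 'established' to RDP
]

if __name__ == "__main__":
    for name, fw in (("stateless", StatelessFilter([80])), ("stateful", StatefulFilter([80]))):
        print(name, run(fw, SCENARIO))
```

The stateless filter allows all five packets, including the ACK-scan probe and the forged packet to port 3389; the stateful filter allows the outbound SYN, its reply, and the new SYN to the public web server, and drops the two unsolicited packets because no table entry matches them.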
3. What is the primary purpose of a Demilitarized Zone (DMZ) in network
architecture?
A. To isolate public-facing services from the internal private network.
B. To provide a secure storage area for internal databases.
C. To encrypt all traffic leaving the local area network.
D. To act as a backup for the primary domain controller.
Correct Answer: A
Expert Explanation: A DMZ acts as a buffer zone between an organization’s private
network and the untrusted internet. Public-facing services like web and email
servers are placed here to limit exposure. If a server in the DMZ is compromised, the
internal network remains protected behind another firewall. This design
implements a layered defense strategy to mitigate risk from external attacks. It
ensures that external users can only access necessary services without reaching
sensitive internal resources.
4. Which type of intrusion detection system (IDS) identifies threats by comparing
traffic patterns against a database of known attack patterns?
A. Anomaly-based IDS
B. Heuristic-based IDS
C. Signature-based IDS
D. Behavior-based IDS
Correct Answer: C
Expert Explanation: Signature-based detection matches traffic against predefined
patterns or byte strings (signatures) that describe known malware, exploits, or
malicious requests previously identified by researchers. Because each signature is
specific, it catches established threats reliably and with a low false-positive
rate. The trade-off is that it cannot detect zero-day attacks for which no signature
exists, and a known payload can slip past it when obfuscated or re-encoded unless
the sensor normalises traffic before matching. Regular updates to the signature
database are therefore critical to maintaining the effectiveness of this control.
Anomaly-based and behavior-based IDS (options A and D) instead alert on deviations
from a learned baseline of normal activity.
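The script below is an added example, not code from the WGU material. It runs a toy signature set (three regular expressions) over constructed web-server access-log lines and shows both caveats from the explanation: a percent-encoded SQL injection and path traversal are only caught when the request is normalised first, and a server-side template injection probe, a real technique for which the toy database has no signature, is never flagged. The log lines and addresses are constructed for the example.

```python
"""Signature-based detection over constructed access-log lines (added
example, not from the WGU material). The signature set is a toy with three
patterns; the log lines are made up and use documentation-range addresses."""
import re
from urllib.parse import unquote

# (name, pattern) pairs standing in for a signature database
SIGNATURES = [
    ("SQLi tautology", re.compile(r"(?i)'\s*or\s+'?1'?\s*=\s*'?1")),
    ("Path traversal", re.compile(r"(?:\.\./){2,}")),
    ("Command injection", re.compile(r";\s*(?:cat|id|whoami)\b")),
]

# Constructed access-log lines (abbreviated Common Log Format)
LOG_LINES = [
    '203.0.113.5 - - "GET /index.html HTTP/1.1" 200',
    '203.0.113.5 - - "GET /login?user=admin\'%20OR%20\'1\'=\'1 HTTP/1.1" 200',
    '198.51.100.7 - - "GET /files?name=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404',
    '198.51.100.7 - - "GET /ping?host=127.0.0.1;cat%20/etc/passwd HTTP/1.1" 200',
    # template-injection probe: a real technique with no entry in the toy database
    '192.0.2.44 - - "GET /render?tpl={{7*7}} HTTP/1.1" 500',
]

REQUEST = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')


def scan(lines, decode=True):
    """Return (line_index, signature_name) for every line matching a signature.
    With decode=True the request target is percent-decoded before matching,
    as a production sensor normalises traffic; decode=False shows the evasion."""
    hits = []
    for i, line in enumerate(lines):
        m = REQUEST.search(line)
        if not m:
            continue
        target = unquote(m.group(1)) if decode else m.group(1)
        for name, pattern in SIGNATURES:
            if pattern.search(target):
                hits.append((i, name))
                break    # one alert per line is enough for this example
    return hits


if __name__ == "__main__":
    print("with normalisation:   ", scan(LOG_LINES))
    print("without normalisation:", scan(LOG_LINES, decode=False))
```

With normalisation the sensor raises three alerts (lines 1, 2 and 3); without it only the command-injection line matches, because `%20` and `%2e` break the other two patterns. Line 4 is never flagged either way, which is the zero-day limitation in miniature: no signature, no alert.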
5. In the TCP three-way handshake, what is the second packet sent to initiate a
connection?
A. SYN
B. ACK
C. SYN-ACK
D. FIN
Correct Answer: C
Expert Explanation: The three-way handshake begins with a SYN packet from the
client to the server. The server responds with a SYN-ACK packet to acknowledge the
request and synchronize its own sequence number. Finally, the client sends an ACK
packet back to the server to establish the connection. This process ensures that both
parties are ready to communicate and have agreed upon initial sequence numbers.
It is a fundamental mechanism for reliable transport in the TCP/IP protocol suite.
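The exchange above, carried through with sequence numbers, as an added example that is not code from the WGU material: a client and a server are modelled as small state machines, the three segments are produced in order, and each side checks the acknowledgement it receives. The example goes one step past the explanation by also showing why the agreed sequence numbers matter for security: an attacker who sends a SYN from a spoofed address never sees the SYN-ACK, so the forged third packet must guess the server's initial sequence number, and a wrong guess leaves the connection unestablished. Nothing touches real sockets; the segment layout and the initial sequence numbers are constructed for the example.

```python
"""TCP three-way handshake as two state machines (added example, not from
the WGU material), plus a blind-spoofing attempt that shows why initial
sequence numbers are randomised. No real sockets are used."""
import secrets
from dataclasses import dataclass

MOD = 2 ** 32   # sequence numbers wrap at 32 bits


@dataclass
class Segment:
    flags: str   # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


class Server:
    def __init__(self, isn=None):
        self.isn = secrets.randbelow(MOD) if isn is None else isn
        self.state = "LISTEN"
        self.peer_isn = None

    def receive(self, seg: Segment):
        if self.state == "LISTEN" and seg.flags == "SYN":
            self.peer_isn = seg.seq
            self.state = "SYN-RECEIVED"
            # second packet: our own ISN plus an acknowledgement of the client's
            return Segment("SYN-ACK", seq=self.isn, ack=(seg.seq + 1) % MOD)
        if self.state == "SYN-RECEIVED" and seg.flags == "ACK":
            # third packet must acknowledge our ISN+1 and continue the client's numbering
            if seg.ack == (self.isn + 1) % MOD and seg.seq == (self.peer_isn + 1) % MOD:
                self.state = "ESTABLISHED"
        return None


class Client:
    def __init__(self, isn=None):
        self.isn = secrets.randbelow(MOD) if isn is None else isn
        self.state = "CLOSED"

    def connect(self) -> Segment:
        self.state = "SYN-SENT"
        return Segment("SYN", seq=self.isn)          # first packet

    def receive(self, seg: Segment):
        if (self.state == "SYN-SENT" and seg.flags == "SYN-ACK"
                and seg.ack == (self.isn + 1) % MOD):
            self.state = "ESTABLISHED"
            # third packet: acknowledge the server's ISN, advance our own
            return Segment("ACK", seq=(self.isn + 1) % MOD, ack=(seg.seq + 1) % MOD)
        return None


def handshake(client: Client, server: Server):
    """Run the exchange and return the three segments in order."""
    syn = client.connect()
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return [syn, syn_ack, ack]


def blind_spoof(server: Server, spoofed_isn: int, guessed_server_isn: int) -> str:
    """An attacker sending from a spoofed address never sees the SYN-ACK, so the
    third packet has to guess the server's ISN; return the server's resulting state."""
    server.receive(Segment("SYN", seq=spoofed_isn))
    server.receive(Segment("ACK", seq=(spoofed_isn + 1) % MOD,
                           ack=(guessed_server_isn + 1) % MOD))
    return server.state


if __name__ == "__main__":
    for seg in handshake(Client(), Server()):
        print(seg)
    print("blind spoof with a wrong ISN guess:", blind_spoof(Server(), 4242, guessed_server_isn=0))
```

With random ISNs a blind guess succeeds with probability about one in 2^32, which is the point of randomising them; the constructed ISNs in the test make the outcome deterministic.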
6. Which protocol should be used for remote command-line access to ensure that all
data, including credentials, is encrypted?
A. SSH