Chapter 13: Network Security and Protective Technologies (Set-3)
To reduce rule mistakes, firewall policies should follow
A Maximum openness
B Random allowance
C Least privilege
D No documentation
Least privilege means allow only required ports, IPs, and services, and block the rest. This reduces attack surface, limits unauthorized access, and makes firewall rules easier to review and audit.
An “implicit deny” firewall approach means
A Allow everything
B Block by default
C Encrypt all traffic
D Disable logging
With implicit deny, any traffic not explicitly allowed by rules is blocked. This is safer than allowing all by default, because unknown services and unexpected ports remain closed.
For public web servers, safest placement is usually
A DMZ network
B Internal LAN
C User VLAN
D Printer subnet
A web server exposed to the internet is better placed in a DMZ. If it is compromised, the firewall between the DMZ and the internal network limits what the attacker can reach next, reducing lateral movement inside the LAN.
Stateful firewall tables mainly store
A File hashes
B Password history
C Session state
D Printer queues
Stateful firewalls maintain connection tables containing session information like source/destination IPs, ports, and connection status. This helps them allow valid return traffic and block unsolicited packets.
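The three firewall questions above (least privilege, implicit deny, and the stateful connection table) can be shown in one small model. The following is an added example, not code from the original page: a toy first-match rule evaluator whose rule format, host addresses, and 5-tuple state table are assumptions for illustration. It admits return traffic for flows an allow rule already admitted, drops everything no rule matches, and flags rules that are broader than least privilege allows.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Added example: a toy first-match firewall with implicit deny and a connection
# table. Rule syntax, field names and addresses are assumptions for illustration.


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None means any destination port


def _net(cidr: str):
    return ip_network("0.0.0.0/0") if cidr == "any" else ip_network(cidr)


def _matches(rule: Rule, pkt: dict) -> bool:
    return (rule.proto in ("any", pkt["proto"])
            and ip_address(pkt["src"]) in _net(rule.src)
            and ip_address(pkt["dst"]) in _net(rule.dst)
            and rule.dport in (None, pkt["dport"]))


class StatefulFirewall:
    """Evaluate packets top-down against the rule list; anything unmatched is denied."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.table = set()   # 5-tuples of flows an allow rule admitted

    def evaluate(self, pkt: dict) -> str:
        flow = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reverse in self.table:
            return "allow (established)"   # return traffic of a known session
        for rule in self.rules:
            if _matches(rule, pkt):
                if rule.action == "allow":
                    self.table.add(flow)
                return rule.action
        return "deny (implicit)"           # no rule matched: blocked by default


def audit_broad_allows(rules: List[Rule]) -> List[Rule]:
    """Least-privilege check: allow rules open to any source on any port."""
    return [r for r in rules if r.action == "allow" and r.src == "any" and r.dport is None]


# Constructed policy for a DMZ web server at 203.0.113.10 (addresses are assumptions)
RULES = [
    Rule("allow", "tcp", "any", "203.0.113.10/32", 443),        # public HTTPS
    Rule("allow", "tcp", "10.0.0.0/8", "203.0.113.10/32", 22),  # SSH from internal only
]


def run_demo() -> List[str]:
    fw = StatefulFirewall(RULES)
    client = {"proto": "tcp", "src": "198.51.100.5", "sport": 50000,
              "dst": "203.0.113.10", "dport": 443}
    reply = {"proto": "tcp", "src": "203.0.113.10", "sport": 443,
             "dst": "198.51.100.5", "dport": 50000}
    unsolicited = {"proto": "tcp", "src": "203.0.113.10", "sport": 443,
                   "dst": "198.51.100.7", "dport": 50000}
    ssh_from_internet = {"proto": "tcp", "src": "198.51.100.5", "sport": 50001,
                         "dst": "203.0.113.10", "dport": 22}
    return [fw.evaluate(client), fw.evaluate(reply),
            fw.evaluate(unsolicited), fw.evaluate(ssh_from_internet)]


if __name__ == "__main__":
    print(run_demo())
    print(audit_broad_allows(RULES + [Rule("allow", "any", "any", "any", None)]))
```

The reply packet is admitted only because the client's outbound request was seen first; the identical-looking packet to a different client is dropped, which is exactly the "unsolicited packets" distinction a stateful table provides.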
A proxy firewall can block threats by
A Increasing router speed
B Inspecting HTTP content
C Changing DNS zone
D Formatting disks
Proxy firewalls can understand application protocols like HTTP. They inspect requests and responses, block malicious content or unsafe methods, and enforce detailed rules beyond simple port filtering.
NAT with firewall helps mainly to
A Increase disk space
B Remove malware
C Boost CPU clock
D Hide internal hosts
NAT masks internal private IP addresses behind a public IP. This reduces direct visibility of internal devices and works well with firewall rules, though NAT alone is not complete security.
Port-based blocking is weakest against
A Basic port scans
B Known service ports
C Encrypted malware traffic
D Simple inbound rules
Port rules decide only on protocol and port number and never look at the payload. When malicious traffic uses an allowed port like 443 and is encrypted, port-based filtering passes it unchanged. Additional controls like IDS/IPS, TLS inspection, or endpoint security are needed to see what is inside.
IDS placed “out of band” usually means
A Monitors a copy
B Inline blocking device
C Works without power
D Replaces firewall
Out-of-band IDS monitors mirrored traffic from a SPAN port or network tap. It detects suspicious activity and alerts, but it cannot directly block traffic like an inline IPS.
IPS is typically deployed to
A Detect only
B Prevent actively
C Store backups
D Manage VLANs
IPS is placed inline so it can stop threats in real time. It can drop packets, block IPs, or reset sessions, helping prevent exploitation before damage spreads.
Best reason to enable firewall logging is
A Improve ping speed
B Increase Wi-Fi signal
C Trace suspicious access
D Reduce file size
Firewall logs help identify attack sources, blocked services, and unusual connection patterns. During troubleshooting or security incidents, logs provide evidence for investigation and rule tuning.
“Encryption at rest” protects data
A During transmission
B While printed
C While scanned
D While stored
Encryption at rest protects stored data on disks, SSDs, or cloud storage. If a device is stolen or a disk is copied, attackers cannot read data without the decryption key.
“Encryption in transit” protects data
A Stored on disk
B Moving over network
C Inside CPU cache
D Printed on paper
Encryption in transit secures data traveling across networks, preventing eavesdropping and tampering. Technologies like TLS and VPN tunnels protect sensitive information on public or shared networks.
Symmetric encryption is preferred for
A Public key sharing
B Identity proof only
C Large data transfer
D Certificate issuing
Symmetric encryption is fast and efficient, making it ideal for encrypting large amounts of data. Many secure systems use asymmetric methods only to exchange keys, then switch to symmetric encryption.
Asymmetric encryption is commonly used for
A Fast bulk encryption
B Key exchange tasks
C Disk defragmentation
D Screen protection
Asymmetric encryption is slower but solves safe key distribution. In TLS it authenticates the server through its certificate and secures the handshake that establishes the session keys, which the symmetric cipher then uses for the bulk of the traffic; it also underpins digital signatures.
A digital certificate warning in a browser usually indicates
A Trust problem
B Stronger encryption
C Faster connection
D More RAM usage
Certificate warnings often mean the certificate is expired, mismatched, self-signed, or untrusted. This can indicate misconfiguration or a possible man-in-the-middle risk, so users should be cautious.
Hashing passwords is safer because it
A Is reversible easily
B Speeds login always
C Stores no plaintext
D Removes MFA need
Hashing stores a one-way digest instead of the actual password. If the database leaks, attackers cannot directly read passwords, though a slow, salted algorithm such as bcrypt, scrypt, Argon2, or PBKDF2 is required to resist offline cracking; a fast unsalted hash like plain SHA-256 is not enough.
A hash function should have strong
A Reversibility
B Collision resistance
C Screen scaling
D File compression
Collision resistance means it is very hard to find two different inputs producing the same hash. This is important for integrity checks and signatures, where collisions could allow data tampering.
Digital signatures are mainly verified using
A Sender private key
B Shared VPN key
C Router admin key
D Sender public key
A signature created by a private key is verified with the matching public key. Successful verification shows that the holder of that private key signed the content and that it was not changed after signing; it proves the signer's identity only when the public key is bound to that identity, for example by a certificate.
TLS helps prevent eavesdropping by
A Using compression only
B Blocking all ports
C Encrypting traffic
D Changing IP address
TLS encrypts data between client and server so interceptors cannot read it. It also provides integrity checks and server authentication using certificates, reducing interception and tampering risks.
A VPN tunnel mainly protects
A Traffic to VPN server
B Local screen settings
C Printer sharing only
D USB file copying
VPN encryption protects data from the device to the VPN server. After exiting the VPN server to the internet, protection depends on the destination protocol, such as HTTPS for secure websites.
VPN “remote access” is best described as
A Network-to-network link
B User-to-network link
C Switch-to-router link
D Server-to-printer link
Remote-access VPN allows an individual user device to securely connect to a private network from outside, such as home or travel. It is common for accessing internal systems safely.
VPN “site-to-site” is best described as
A User phone VPN
B Browser cookie security
C Network-to-network link
D Antivirus update channel
Site-to-site VPN connects two entire networks securely over the internet. Offices can share resources as if on one private network, while traffic is encrypted between gateway devices.
VPN anonymization is limited because
A VPN shows real IP
B Provider can log usage
C VPN blocks all DNS
D VPN removes cookies
A VPN can hide your IP from websites, but the provider may still see connection metadata and traffic patterns. True anonymity is not guaranteed; trust and policies of the provider matter.
SIEM correlation is valuable because it
A Links events together
B Speeds up gaming
C Removes encryption keys
D Prints audit reports
SIEM combines logs from many systems to detect patterns, like repeated failed logins plus unusual network traffic. Correlation helps identify attacks that would be missed when logs are viewed separately.
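The pattern described above (failed logins followed by unusual network traffic) as a working correlation rule. This is an added example, not code from the original page or from any SIEM product: the key=value log format, the hosts and addresses, and the thresholds are constructed for illustration. Viewed separately, six failed logins, one success, and one outbound connection are each unremarkable; joined by source address and host within a time window they describe a brute-forced account followed by egress.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

# Added example (not from the page): correlate authentication and firewall events
# that would look harmless in isolation. The log format and the hosts/addresses
# are constructed for illustration.
LOGS = """
2024-05-01T10:00:01 host=web1 src=198.51.100.23 user=admin event=login_failed
2024-05-01T10:00:02 host=web1 src=198.51.100.23 user=admin event=login_failed
2024-05-01T10:00:03 host=web1 src=198.51.100.23 user=admin event=login_failed
2024-05-01T10:00:04 host=web1 src=198.51.100.23 user=admin event=login_failed
2024-05-01T10:00:05 host=web1 src=198.51.100.23 user=admin event=login_failed
2024-05-01T10:00:06 host=web1 src=198.51.100.23 user=admin event=login_failed
2024-05-01T10:00:09 host=web1 src=198.51.100.23 user=admin event=login_success
2024-05-01T10:01:30 host=web2 src=10.0.0.5 user=alice event=login_failed
2024-05-01T10:01:45 host=web2 src=10.0.0.5 user=alice event=login_success
2024-05-01T10:04:00 host=web1 event=outbound_connect dst=203.0.113.99 dport=4444
2024-05-01T10:05:00 host=web2 event=outbound_connect dst=203.0.113.50 dport=443
""".strip().splitlines()


def parse(line: str) -> dict:
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def correlate(lines: List[str], threshold: int = 5,
              window: timedelta = timedelta(seconds=60),
              egress_window: timedelta = timedelta(minutes=10)) -> List[str]:
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    failures = defaultdict(list)    # src IP -> timestamps of failed logins
    compromised = {}                # host -> time of the suspicious success
    alerts = []
    for e in events:
        kind = e["event"]
        if kind == "login_failed":
            failures[e["src"]].append(e["ts"])
        elif kind == "login_success":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:   # success right after a burst of failures
                alerts.append(f"brute-force success: {e['src']} -> {e['host']} "
                              f"user={e['user']} after {len(recent)} failures")
                compromised[e["host"]] = e["ts"]
        elif kind == "outbound_connect":
            since = compromised.get(e["host"])
            if since is not None and e["ts"] - since <= egress_window:
                alerts.append(f"post-compromise egress: {e['host']} -> {e['dst']}:{e['dport']}")
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOGS):
        print(alert)
```

The second rule only fires for hosts the first rule already marked, so the ordinary outbound HTTPS connection from web2 produces nothing; that dependency between rules is what "correlation" adds over per-source thresholds.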
Log “retention” in security means
A Delete logs quickly
B Encrypt logs always
C Keep logs for time
D Print logs daily
Retention defines how long logs are stored. Longer retention helps investigations and compliance, but needs storage planning and access controls to protect sensitive log data from tampering.
A packet sniffer is risky if used by
A Authorized admin
B Network engineer
C Security analyst
D Unauthorized user
Sniffers can capture sensitive data like credentials and session tokens on insecure networks. If attackers use them, they can steal information, so sniffing tools should be restricted and monitored.
Vulnerability scanning should be followed by
A Ignoring results
B Fixing high risks
C Sharing admin passwords
D Disabling firewall rules
Scans only identify weaknesses. Security improves when teams prioritize critical findings, patch systems, close unnecessary ports, and correct misconfigurations, then rescan to confirm issues are resolved.
Patch management reduces risk mainly from
A Unknown hardware faults
B Slow internet speed
C Known vulnerabilities
D Power fluctuations
Many attacks exploit known flaws with available patches. Applying updates promptly closes these holes, reducing the chance of compromise, especially for exposed systems like browsers, VPNs, and servers.
Authentication factors are commonly grouped as
A Cost and speed
B LAN and WAN
C TCP and UDP
D Know, have, are
Factors include something you know (password), something you have (OTP device), and something you are (biometric). Using multiple factors reduces account takeover from password theft.
Authorization checks are performed after
A DNS lookup
B Authentication
C Backup scheduling
D Virus scanning
First, the system verifies identity through authentication. Then authorization decides what the verified user can access, such as reading files or using admin functions, based on roles and permissions.
Auditing helps most when it is
A Regularly reviewed
B Disabled for speed
C Kept on paper only
D Shared publicly
Auditing is useful only if logs and reports are checked. Regular review helps detect misuse, policy violations, and suspicious activity early, supporting compliance and improving incident response readiness.
A full backup plus daily incrementals is called
A Mirror setup
B VLAN design
C Backup chain
D Proxy pattern
Incremental backups depend on earlier backups, creating a chain. Restoring requires the full backup and every incremental after it, applied in order, so the integrity and verification of each link are important: one missing or corrupt link leaves every later state unrecoverable.
Backup “verification” is important because
A Backups always work
B Backups can be corrupt
C It reduces encryption
D It blocks malware
Backups may fail silently due to storage errors, permissions, or incomplete files. Verification through checksums and test restores ensures data can actually be recovered during real emergencies.
Differential backup restore typically needs
A Full plus differential
B Only last differential
C Only last incremental
D Full plus all incrementals
Differential backups store changes since the last full backup. To restore, you usually need the last full backup and the latest differential, making recovery simpler than long incremental chains.
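The three backup questions above (the incremental chain, verification, and the full-plus-differential restore) in one runnable model. This is an added example, not code from the original page: backups are simulated on dictionaries of path to content, and the record layout, checksum scheme, and file history are assumptions for illustration. It shows that a chain with one incremental missing restores the wrong state, that a single differential is enough, and that a tampered link is refused before it is applied.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Added example (not from the page): backup chains simulated on dicts of
# path -> content. Backup records and the verification scheme are assumptions.
State = Dict[str, str]


def _digest(delta: dict) -> str:
    return hashlib.sha256(json.dumps(delta, sort_keys=True).encode()).hexdigest()


def make_backup(kind: str, files: State, baseline: Optional[State] = None) -> dict:
    """kind is full, incremental (baseline = state at the previous backup) or
    differential (baseline = state at the last full backup)."""
    if kind == "full":
        delta = dict(files)
    else:
        delta = {p: c for p, c in files.items() if baseline.get(p) != c}
        delta.update({p: None for p in baseline if p not in files})   # deletion markers
    return {"kind": kind, "data": delta, "sha256": _digest(delta)}


def verify(backup: dict) -> bool:
    return _digest(backup["data"]) == backup["sha256"]


def restore(chain: List[dict]) -> State:
    """Apply a full backup and then every later link in order; refuse unverified links."""
    if not chain or chain[0]["kind"] != "full":
        raise ValueError("chain must start with a full backup")
    state: State = {}
    for b in chain:
        if not verify(b):
            raise ValueError(f"{b['kind']} backup failed verification")
        for path, content in b["data"].items():
            if content is None:
                state.pop(path, None)
            else:
                state[path] = content
    return state


# Constructed history of a small file set over three days
DAY0 = {"app.cfg": "v1", "data.db": "d1"}
DAY1 = {"app.cfg": "v1", "data.db": "d2", "notes.txt": "n1"}
DAY2 = {"app.cfg": "v2", "notes.txt": "n1"}          # data.db deleted

FULL = make_backup("full", DAY0)
INC1 = make_backup("incremental", DAY1, DAY0)        # changes since the previous backup
INC2 = make_backup("incremental", DAY2, DAY1)
DIFF2 = make_backup("differential", DAY2, DAY0)      # changes since the full backup

if __name__ == "__main__":
    print(restore([FULL, INC1, INC2]) == DAY2)   # True: complete chain
    print(restore([FULL, DIFF2]) == DAY2)        # True: full + latest differential
    print(restore([FULL, INC2]))                 # wrong state: notes.txt never arrives
```

Differentials grow with every day since the last full backup, while incrementals stay small; the trade is restore simplicity against backup size, which is why the RPO and RTO discussion later on the page drives the choice between them.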
3-2-1 rule protects best against
A Only viruses
B Faster internet plans
C Local disasters
D Screen failures
The 3-2-1 rule means three copies of the data, on two different kinds of media, with one copy offsite. The offsite copy protects data if the main location suffers fire, flood, theft, or ransomware, and spreading copies across media reduces the chance that one failure destroys all backups.
Cloud backup security should include
A Public shared links
B Default passwords
C No encryption used
D Strong access control
Cloud backups must be protected with strong authentication, least privilege, and encryption. Misconfigured cloud storage can leak sensitive backup data, so access policies and monitoring are essential.
Backup scheduling should consider
A Monitor size
B Recovery requirements
C Keyboard layout
D Mouse sensitivity
Scheduling depends on how much data loss is acceptable and how quickly systems must recover. Critical data may need frequent backups, while less critical systems can be backed up less often.
Disaster recovery planning should define
A Wallpaper themes
B Browser bookmarks
C RTO and RPO
D Email signatures
RTO is the target time to restore service, and RPO is the maximum acceptable data loss period. Defining both helps choose backup frequency, replication, and recovery procedures.
Network segmentation reduces risk of
A Faster printing
B Lateral movement
C Screen glare
D Battery drain
Attackers often move from one compromised device to others. Segmentation limits cross-network access, so even if one segment is breached, reaching critical servers becomes harder.
VLAN hopping attacks are reduced by
A Proper switch config
B Open trunk ports
C Default VLAN everywhere
D Disabling all VLANs
VLAN hopping exploits misconfigured switch ports and trunks. Disabling unused ports, limiting trunks, and setting correct VLAN tagging reduces chances of attackers jumping between VLANs.
Router security improves most by disabling
A Strong encryption
B Firmware updates
C Remote admin access
D Firewall rules
Remote administration exposed to the internet can be brute-forced or exploited. Disabling it, or restricting it via VPN and MFA, reduces risk while keeping safe management access.
A secure Wi-Fi network should use
A WEP encryption
B Open hotspot
C No password
D WPA2 or WPA3
WPA2/WPA3 provide strong encryption and better protection than older WEP. Combined with a strong passphrase and updated router firmware, they help prevent unauthorized access and traffic snooping.
HTTPS enforcement can be implemented using
A VLAN tagging
B HSTS policy
C DMZ routing
D DNS caching
HSTS tells browsers to always use HTTPS for a domain, preventing downgrade attacks to HTTP. It strengthens secure browsing by ensuring encrypted connections even if users type an HTTP link. The header only takes effect once the browser has seen it on an HTTPS response, so the very first visit is unprotected unless the domain is on the browser preload list.
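A check for whether an HSTS policy is actually doing its job, as an added example not taken from the original page. It reads a response's headers and reports the mistakes that silently leave a site downgradable: the header sent on a plain-HTTP response (which browsers ignore), a short or zero max-age, and a missing includeSubDomains. The one-year threshold is the common recommendation; the finding texts and the sample URLs are assumptions.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Added example (not from the page): evaluate an HTTP response's HSTS policy.
# The one-year threshold is the usual recommendation; messages are assumptions.
ONE_YEAR = 31_536_000


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def check_hsts(url: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for a response to `url`; an empty list means the policy is sound."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    hsts = hdrs.get("strict-transport-security")
    findings = []
    if urlsplit(url).scheme != "https":
        # Browsers ignore HSTS on plain-HTTP responses; the HTTP side's job is to redirect.
        if hsts is not None:
            findings.append("HSTS header on an HTTP response is ignored by browsers")
        if not hdrs.get("location", "").startswith("https://"):
            findings.append("HTTP response does not redirect to HTTPS")
        return findings
    if hsts is None:
        return ["missing Strict-Transport-Security header"]
    d = parse_hsts(hsts)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not a number")
    elif int(max_age) == 0:
        findings.append("max-age=0 removes the policy instead of enforcing it")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age {max_age} is shorter than one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains stay downgradable")
    return findings


if __name__ == "__main__":
    # Constructed responses: a sound policy and a weak one
    print(check_hsts("https://example.com/",
                     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
    print(check_hsts("https://example.com/",
                     {"Strict-Transport-Security": "max-age=300"}))
```

Run against real responses, the same function would take the headers from whatever HTTP client is in use; the point is that the header exists, is served over HTTPS, and carries a max-age long enough that a user's browser does not forget the policy between visits.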
Endpoint security is important because endpoints
A Never get infected
B Are always offline
C Face phishing and malware
D Only store public data
Endpoints interact with email, web links, USB devices, and downloads, making them common entry points. Strong endpoint security reduces infections and prevents attackers from gaining a foothold.
Device encryption is especially critical for
A Lost laptops
B Desktop wallpapers
C Faster browsing
D Better sound quality
If a laptop is lost or stolen, full-disk encryption stops an attacker from reading the files simply by removing the drive and mounting it on another machine. It protects sensitive data when physical security fails.
Secure remote desktop should also enforce
A Weak passwords
B Account lockout
C Open ports public
D No logging
Lockout policies reduce brute-force attempts by limiting repeated failed logins. Combined with VPN, MFA, strong passwords, and logging, they significantly lower the risk of remote desktop compromise. Because an attacker can also use lockout to deny service to legitimate accounts, pair it with throttling by source address rather than relying on account lockout alone.
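The lockout rule above as working logic, added here as an example that is not part of the original page or of any remote-desktop product. The thresholds (five failures in fifteen minutes, fifteen-minute lockout), the account name, and the return codes are assumptions for illustration. Two details matter in practice and are shown: a locked account is refused before the password is checked, so guesses made during the lockout confirm nothing, and a successful login clears the failure counter.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Added example (not from the page): an account-lockout policy of the kind a
# remote-desktop gateway would enforce. Thresholds and return codes are assumptions.


class LockoutPolicy:
    def __init__(self, threshold: int = 5,
                 observation: timedelta = timedelta(minutes=15),
                 lockout: timedelta = timedelta(minutes=15)):
        self.threshold = threshold        # failures that trigger a lockout
        self.observation = observation    # window in which failures are counted
        self.lockout = lockout            # how long the account stays locked
        self._failures: Dict[str, List[datetime]] = {}
        self._locked_until: Dict[str, datetime] = {}

    def is_locked(self, account: str, now: datetime) -> bool:
        until = self._locked_until.get(account)
        return until is not None and now < until

    def attempt(self, account: str, password_ok: bool, now: datetime) -> str:
        """Return 'locked', 'allowed' or 'denied'. Locked accounts are refused
        before the password result is consulted, so guesses cannot be confirmed."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)   # success clears the counter
            return "allowed"
        recent = [t for t in self._failures.get(account, []) if now - t <= self.observation]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lockout
            self._failures.pop(account, None)
            return "locked"
        return "denied"


def run_demo() -> List[str]:
    """Five bad guesses, then the right password during and after the lockout."""
    policy = LockoutPolicy()
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    results = [policy.attempt("admin", False, t0 + timedelta(seconds=i)) for i in range(5)]
    results.append(policy.attempt("admin", True, t0 + timedelta(minutes=1)))    # still locked
    results.append(policy.attempt("admin", True, t0 + timedelta(minutes=16)))   # lockout expired
    return results


if __name__ == "__main__":
    print(run_demo())
```

The observation window is what keeps a slow attacker from staying under the threshold forever: only failures inside that window count, but they are re-evaluated on every attempt, so spacing guesses five seconds apart does not help.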
A good security policy should be
A Unwritten and secret
B Changed daily
C Clear and enforced
D Shared on social media
Policies help users and admins follow consistent security practices. Clear rules for passwords, updates, backups, and incident reporting reduce confusion and errors, but enforcement and training are necessary.
Incident response “eradication” means
A Identify the threat
B Inform all users
C Schedule backups
D Remove root cause
After containment, eradication removes malware, closes exploited vulnerabilities, and deletes malicious accounts or persistence methods. Without eradication, the attacker can return even after systems appear normal.
Incident response “lessons learned” helps to
A Hide evidence
B Improve future defenses
C Reduce backups
D Disable SIEM
Reviewing an incident after recovery identifies what failed and what worked. Teams update controls, policies, training, and monitoring to prevent similar incidents and shorten response time next time.
A common sign of misconfigured firewall rules is
A Unexpected open services
B No internet anywhere
C Faster Wi-Fi always
D Smaller log files
Misconfigurations may unintentionally expose services like RDP or databases to the internet. Regular rule reviews, port scans, and log monitoring help detect unexpected exposure and correct risky rules quickly.