Network Defense (NetDef) Course Final Exam Answers
How to find: Press “Ctrl + F” in the browser and fill in whatever wording is in the question to find that question/answer. If the question is not here, find it in Questions Bank.
NOTE: If you have the new question on this test, please comment Question and Multiple-Choice list in form below this article. We will update answers for you in the shortest time. Thank you! We truly value your contribution to the website.
1. What is a characteristic of a layered defense-in-depth security approach?
- When one device fails, another one takes over.
- One safeguard failure does not affect the effectiveness of other safeguards.
- Three or more devices are used.
- Routers are replaced with firewalls.
Explanation: When a layered defense-in-depth security approach is used, layers of security are placed through the organization-at the edge, within the network, and on endpoints. The layers work together to create the security architecture. In this environment, a failure of one safeguard does not affect the effectiveness of other safeguards.
2. What device would be used as the third line of defense in a defense-in-depth approach?
- internal router
- edge router
- host
- firewall
Explanation: In a defense-in-depth approach, the edge router would form the first line of defense. The firewall would be the second line of defense followed by the internal router making up the third line of defense.
3. Match the Security Onion tool with the description.

Network Defense (NetDef) Course Final Exam
Explanation: Place the options in the following order:
network-based intrusion detection system |
Snort |
packet capture application |
Wireshark |
host-based intrusion detection system |
OSSEC |
high-level cybersecurity analysis console |
Sguil |
4. Which wireless standard made AES and CCM mandatory?
Explanation: Wireless security depends on several industry standards and has progressed from WEP to WPA and finally WPA2.
5. In a comparison of biometric systems, what is the crossover error rate?
- rate of acceptability and rate of false negatives
- rate of rejection and rate of false negatives
- rate of false negatives and rate of false positives
- rate of false positives and rate of acceptability
Explanation: In comparing biometric systems, there are several important factors to consider including accuracy, speed or throughput rate, and acceptability to users.
6. What are two recommended steps to protect and secure a wireless network? (Choose two.)
- Use WPA2-AES encryption.
- Use the default SSID.
- Update firmware.
- Locate the wireless router where it is accessible to users.
- Enable remote management.
Explanation: Two best practices for securing wireless networks are to encrypt the wireless traffic with WPA2 encryption and to keep the wireless router firmware updated. This prevents data from being readable by an attacker and fixes any known bugs and vulnerabilities in the router.
7. What is a feature of virtual LANs (VLANs)?
- A single collision domain is enabled on a switch that is shared between VLANs.
- Communication between different VLANs on the one switch is enabled by default.
- Switch port utilization is decreased because each port is only associated with one broadcast domain.
- Logical segmentation is provided by creating multiple broadcast domains on a single switch.
Explanation: Virtual LANs (VLANs) provide a logical segmentation by creating multiple broadcast domains on the same network switch. VLANs provide higher utilization of switch ports because a port could be associated to the necessary broadcast domain, and multiple broadcast domains can reside on the same switch. Network devices in one VLAN cannot communicate with devices in a different VLAN without the implementation of inter-VLAN routing.
8. What is an example of privilege escalation attack?
- A DDoS attack is launched against a government server and causes the server to crash.
- A port scanning attack finds that the FTP service is running on a server that allows anonymous access.
- A threat actor sends an email to an IT manager to request the root access.
- A threat actor performs an access attack and gains the administrator password.
Explanation: With the privilege escalation exploit, vulnerabilities in servers or access control systems are exploited to grant an unauthorized user, or software process, higher levels of privilege than either should have. After the higher privilege is granted, the threat actor can access sensitive information or take control of a system.
9. What is the principle behind the nondiscretionary access control model?
- It applies the strictest access control possible.
- It allows access based on attributes of the object be to accessed.
- It allows access decisions to be based on roles and responsibilities of a user within the organization.
- It allows users to control access to their data as owners of that data.
Explanation: The nondiscretionary access control model used the roles and responsibilities of the user as the basis for access decisions.
10. Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)
- utilization of transport layer protocols
- separate authentication and authorization processes
- password encryption
- 802.1X support
- SIP support
Explanation: Both TACACS+ and RADIUS support password encryption (TACACS+ encrypts all communication) and use Layer 4 protocol (TACACS+ uses TCP and RADIUS uses UDP). TACACS+ supports separation of authentication and authorization processes, while RADIUS combines authentication and authorization as one process. RADIUS supports remote access technology, such as 802.1x and SIP; TACACS+ does not.
11. Refer to the exhibit. A router has an existing ACL that permits all traffic from the 172.16.0.0 network. The administrator attempts to add a new ACE to the ACL that denies packets from host 172.16.0.1 and receives the error message that is shown in the exhibit. What action can the administrator take to block packets from host 172.16.0.1 while still permitting all other traffic from the 172.16.0.0 network?

- Create a second access list denying the host and apply it to the same interface.
- Manually add the new deny ACE with a sequence number of 15.
- Manually add the new deny ACE with a sequence number of 5.
- Add a deny any any ACE to access-list 1.
Explanation: Because the new deny ACE is a host address that falls within the existing 172.16.0.0 network that is permitted, the router rejects the command and displays an error message. For the new deny ACE to take effect, it must be manually configured by the administrator with a sequence number that is less than 10.
12. Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?
- ipv6 traffic-filter ENG_ACL in
- ipv6 traffic-filter ENG_ACL out
- ipv6 access-class ENG_ACL out
- ipv6 access-class ENG_ACL in
Explanation: For the purpose of applying an access list to a particular interface, the ipv6 traffic-filter IPv6 command is equivalent to the access-group IPv4 command. The direction in which the traffic is examined (in or out) is also required.
13. In which configuration would an outbound ACL placement be preferred over an inbound ACL placement?
- when the ACL is applied to an outbound interface to filter packets coming from multiple inbound interfaces before the packets exit the interface
- when an outbound ACL is closer to the source of the traffic flow
- when an interface is filtered by an outbound ACL and the network attached to the interface is the source network being filtered within the ACL
- when a router has more than one ACL
Explanation: An outbound ACL should be utilized when the same ACL filtering rules will be applied to packets coming from more than one inbound interface before exiting a single outbound interface. The outbound ACL will be applied on the single outbound interface.
14. What are two differences between stateful and stateless firewalls? (Choose two.)
- A stateless firewall is able to filter sessions that use dynamic port negotiations while a stateful firewall cannot.
- A stateless firewall will examine each packet individually while a stateful firewall observes the state of a connection.
- stateless firewall provides more stringent control over security than a stateful firewall.
- A stateless firewall will provide more logging information than a stateful firewall.
- A stateful firewall will prevent spoofing by determining whether packets belong to an existing connection while a stateless firewall follows pre-configured rule sets.
Explanation: There are many differences between a stateless and stateful firewall.
Stateless firewalls:
- are susceptible to IP spoofing
- do not reliably filter fragmented packets
- use complex ACLs, which can be difficult to implement and maintain
- cannot dynamically filter certain services
- examine each packet individually rather than in the context of the state of a connection
Stateful firewalls:
- are often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic
- strengthen packet filtering by providing more stringent control over security
- improve performance over packet filters or proxy servers
- defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source
- provide more log information than a packet filtering firewall
15. Which statement describes a typical security policy for a DMZ firewall configuration?
- Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface.
- Traffic that originates from the DMZ interface is selectively permitted to the outside interface.
- Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface.
- Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with few or no restrictions.
- Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface.
Explanation: With a three interface firewall design that has internal, external, and DMZ connections, typical configurations include the following:
Traffic originating from DMZ destined for the internal network is normally blocked.
Traffic originating from the DMZ destined for external networks is typically permitted based on what services are being used in the DMZ.
Traffic originating from the internal network destined from the DMZ is normally inspected and allowed to return.
Traffic originating from external networks (the public network) is typically allowed in the DMZ only for specific services.
16. Which type of firewall makes use of a proxy server to connect to remote servers on behalf of clients?
- stateless firewall
- application gateway firewall
- stateful firewall
- packet filtering firewall
Explanation: An application gateway firewall, also called a proxy firewall, filters information at Layers 3, 4, 5, and 7 of the OSI model. It uses a proxy server to connect to remote servers on behalf of clients. Remote servers will see only a connection from the proxy server, not from the individual clients.
17. What is the result in the self zone if a router is the source or destination of traffic?
- Only traffic that is destined for the router is permitted.
- Only traffic that originates in the router is permitted.
- No traffic is permitted.
- All traffic is permitted.
Explanation: All traffic is permitted in the self zone if the traffic originates from, or is destined for, the router.
18. Designing a ZPF requires several steps. Which step involves dictating the number of devices between most-secure and least-secure zones and determining redundant devices?
- identify subsets within zones and merge traffic requirements
- design the physical infrastructure
- establish policies between zones
- determine the zones
Explanation: Designing ZPFs involves several steps:
Step 1 . Determine the zones – The administrator focuses on the separation of the network into zones. Zones establish the security borders of a network.
Step 2 . Establish policies between zones – For each pair of “source-destination” zones, define the sessions that clients in the source zones can request from servers in destination zones.
Step 3 . Design the physical infrastructure – After the zones have been identified, and the traffic requirements between them documented, the administrator must design the physical infrastructure. This includes dictating the number of devices between most-secure and least-secure zones and determining redundant devices.
Step 4 . Identify subsets within zones and merge traffic requirements – For each firewall device in the design, the administrator must identify zone subsets that are connected to its interfaces and merge the traffic requirements for those zones.
19. Which statement describes Cisco IOS Zone-Based Policy Firewall operation?
- The pass action works in only one direction.
- Router management interfaces must be manually assigned to the self zone.
- Service policies are applied in interface configuration mode.
- A router interface can belong to multiple zones.
Explanation: The pass action allows traffic only in one direction. Interfaces automatically become members of the self zone. Interfaces are assigned to zones in interface configuration mode, but most configuration takes place in global configuration mode and associated submodes. Interfaces can belong to only one zone at any time.
20. Which cloud security domain describes controls related to securing the data itself?
- Data Security and Encryption
- Application Security
- Security as a Service
- Infrastructure Security
Explanation: The Security Guidance for Critical Areas of Focus in Cloud Computing v4 document developed by the Cloud Security Alliance (CSA) covers 14 domains of cloud security. Some of these domains are:
- Infrastructure Security – describes cloud-specific aspects of infrastructure security and the foundation for operating securely in the cloud.
- Data Security and Encryption – describes those controls related to securing the data itself, of which encryption is one of the most important.
- Application Security – provides guidance on how to securely build and deploy applications in cloud computing environments, specifically for PaaS and IaaS.
- Security as a Service – covers the continually evolving security services delivered from the cloud.
21. Which two advantages in security controls are provided by software-defined networks (SDN) over traditional network security solutions? (Choose two.)
- offer more security features than hardware firewalls
- easier insertion into the traffic path
- apply to assets based on more flexible criteria than hardware firewalls
- easier network isolation without constraints of physical hardware
- higher performance than hardware firewalls
Explanation: Software-defined networks (SDN) enable new types of security controls and provide an overall gain for network security including:
- easy network isolation without the constraints of physical hardware
- SDN firewalls (security groups in cloud computing) apply to assets based on more flexible criteria than hardware firewalls
22. What is the function of SDKs in application development?
- to provide a repository of code to reduce time and cost of application development
- to maintain data integrity and identify malicious input
- to store precompiled SQL statements that execute tasks
- to verify software can run under required security settings
- to prevent software from being reverse engineered by replacing sensitive data with fictional data
Explanation: SDKs, or Software Development Kits, provide a repository of useful code to make application development faster and cheaper.
23. A company is using a public cloud provider to host its software development and distribution processes. What two cloud resources is the company solely responsible for in the shared security responsibility model? (Choose two.)
- network control
- customer endpoints
- application
- data
- identity management
Explanation: Hosting software development and distribution processes is an example of the PaaS model. In the shared security responsibility model, the cloud customer is responsible for data and endpoints security.
24. A company implements a security policy that ensures that a file sent from the headquarters office to the branch office can only be opened with a predetermined code. This code is changed every day. Which two algorithms can be used to achieve this task? (Choose two.)
Explanation: The task to ensure that only authorized personnel can open a file is data confidentiality, which can be implemented with encryption. AES and 3DES are two encryption algorithms. HMAC can be used for ensuring origin authentication. MD5 and SHA-1 can be used to ensure data integrity.
25. What are two methods to maintain certificate revocation status? (Choose two.)
- CRL
- OCSP
- subordinate CA
- LDAP
- DNS
Explanation: A digital certificate might need to be revoked if its key is compromised or it is no longer needed. The certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP), are two common methods to check a certificate revocation status.
26. Before data is sent out for analysis, which technique can be used to replace sensitive data in nonproduction environments to protect the underlying information?
- steganography
- steganalysis
- software obfuscation
- data masking substitution
Explanation: Technologies exist to confuse attackers by changing data and using techniques to hide the original data.
27. Which technology would be used to create the server logs generated by network devices and reviewed by an entry level network person who works the night shift at a data center?
Explanation: Syslog is a daemon or service run on a server that accepts messages sent by network devices. These logs are frequently examined to detect inconsistencies and issues within the network.
28. Which two application layer protocols manage the exchange of messages between a client with a web browser and a remote web server? (Choose two.)
Explanation: Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS) are two application layer protocols that manage the content requests from clients and the responses from the web server. HTML (Hypertext Mark-up Language) is the encoding language that describes the content and display features of a web page. DNS is for domain name to IP address resolution. DHCP manages and provides dynamic IP configurations to clients.
29. How can IMAP be a security threat to a company?
- It can be used to encode stolen data and send to a threat actor.
- An email can be used to bring malware to a host.
- Encrypted data is decrypted.
- Someone inadvertently clicks on a hidden iFrame.
Explanation: IMAP, SMTP, and POP3 are email protocols. SMTP is used to send data from a host to a server or to send data between servers. IMAP and POP3 are used to download email messages and can be responsible for bringing malware to the receiving host.
30. Refer to the exhibit. Which technology generated the event log?

- web proxy
- syslog
- Netflow
- Wireshark
Explanation: The source of the output is Netflow.
31. Which two tools have a GUI interface and can be used to view and analyze full packet captures? (Choose two.)
- Wireshark
- Splunk
- Cisco Prime Network Analysis Module
- nfdump
- tcpdump
Explanation: The Network Analysis Module of the Cisco Prime Infrastructure system and Wireshark have GUI interfaces and can display full packet captures. The tcpdump tool is a command-line packet analyzer.
32. Which information can be provided by the Cisco NetFlow utility?
- source and destination UDP port mapping
- security and user account restrictions
- peak usage times and traffic routing
- IDS and IPS capabilities
Explanation: NetFlow efficiently provides an important set of services for IP applications including network traffic accounting, usage-based network billing, network planning, security, denial of service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.
33. A network administrator is reviewing server alerts because of reports of network slowness. The administrator confirms that an alert was an actual security incident. What is the security alert classification of this type of scenario?
- false positive
- true negative
- true positive
- false negative
Explanation: True Positive: The alert has been verified to be an actual security incident.
False Positive: The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger.
True Negative: No security incident has occurred. The activity is benign.
False Negative: An undetected incident has occurred.
34. A network administrator is trying to download a valid file from an internal server. However, the process triggers an alert on a NMS tool. What condition describes this alert?
- false positive
- true positive
- false negative
- true negative
Explanation: Alerts can be classified as follows:
True Positive: The alert has been verified to be an actual security incident.
False Positive: The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger.
An alternative situation is that an alert was not generated. The absence of an alert can be classified as:
True Negative: No security incident has occurred. The activity is benign.
False Negative: An undetected incident has occurred.
35. What is indicated by a Snort signature ID that is below 3464?
- This is a custom signature developed by the organization to address locally observed rules.
- The SID was created by Sourcefire and distributed under a GPL agreement.
- The SID was created by the Snort community and is maintained in Community Rules.
- The SID was created by members of EmergingThreats.
Explanation: Snort is an open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) developed by Sourcefire. It has the ability to perform real time traffic analysis and packet logging on Internet Protocol (IP) networks and can also be used to detect probes or attacks.
36. A network administrator is setting up a web server for a small advertising office and is concerned with data availability. The administrator wishes to implement disk fault tolerance using the minimum number of disks required. Which RAID level should the administrator choose?
- RAID 5
- RAID 0
- RAID 1
- RAID 6
Explanation: Both RAID 0 and RAID 1 require at least 2 disks. However, RAID 0 does not provide fault tolerance. The minimum numbers of disks for RAID 5 and RAID 6 are 3 and 4 respectively.
37. Which three security services are provided by digital signatures? (Choose three.)
- authenticates the source
- guarantees data has not changed in transit
- provides data encryption
- provides nonrepudiation using HMAC functions
- provides confidentiality of digitally signed data
- authenticates the destination
Explanation: Digital signatures are a mathematical technique used to provide three basic security services. Digital signatures have specific properties that enable entity authentication and data integrity. In addition, digital signatures provide nonrepudiation of the transaction. In other words, the digital signature serves as legal proof that the data exchange did take place.
38. A company is deploying a customer service web application on AWS. A network administrator is installing and configuring a VM instance. Which three actions should the administrator take to protect the VM? (Choose three.)
- Disable unneeded ports and services.
- Enforce account management policies.
- Configure RAID to ensure storage fault tolerance.
- Plan subnet placement.
- Deploy an advanced firewall appliance.
- Install an IPS appliance in the VM.
A company is deploying a customer service web application on AWS. A network administrator is installing and configuring a VM instance. Which three actions should the administrator take to protect the VM? (Choose three.)
Which three security services are provided by digital signatures? (Choose three.)
A network administrator is setting up a web server for a small advertising office and is concerned with data availability. The administrator wishes to implement disk fault tolerance using the minimum number of disks required. Which RAID level should the administrator choose?
RAID 1
RAID 0
RAID 5
RAID 6