Try 10 focused CompTIA Network+ N10-009 questions on Network Security, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | CompTIA Network+ N10-009 |
| Topic area | Network Security |
| Blueprint weight | 19% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Network Security for CompTIA Network+ N10-009. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 19% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Network Security
Which TWO statements about logging and audit trails are MOST appropriate for supporting change tracking and security investigations? (Select TWO.)
Options:
A. Forward logs from network devices and servers to a centralized system with restricted access.
B. Define and document a log retention period that is long enough for typical investigations and regulatory needs.
C. Rely only on local device clocks for timestamps; precise time synchronization is unnecessary for audits.
D. To reduce overhead, disable logging on devices that rarely change configuration.
E. Allow administrators to modify or delete log entries if they contain mistakes.
Correct answers: A and B
Explanation: Effective logging and audit trails are essential for both change tracking and security investigations. Good practice is to collect logs from many devices and applications in a central, controlled location and keep them for a period that is long enough to support typical investigations and any compliance requirements. Logs should be protected from tampering and use accurate timestamps so events can be reliably reconstructed.
In a small or medium enterprise, forwarding switch, router, firewall, server, and application logs to a central log server or SIEM makes it far easier to search for related events across multiple systems. Retaining these logs for an appropriate length of time ensures that evidence is available when you need to understand who made a change, when it was made, and how an attack unfolded.
Topic: Network Security
A company wants to tighten security around remote administration of its network devices. Policy states that administrators must connect through a single, controlled entry point and use hardened systems for management, instead of accessing devices directly from their everyday laptops. Which solution BEST meets this requirement?
Options:
A. Permit RDP access from any production server to all network devices so administrators can log into a server first, then manage devices
B. Deploy a hardened jump server in a management VLAN, require admins to VPN in first, and allow device management interfaces to accept connections only from the jump server network
C. Allow VPN users’ laptops to reach all network devices’ management interfaces directly once authenticated to the VPN
D. Open SSH on all network devices to the public internet and require administrators to use strong unique passwords
Best answer: B
Explanation: The key requirement in this scenario is that remote administration must occur through a single, controlled entry point using hardened systems, rather than from many ad hoc admin laptops. This is the idea behind jump hosts, bastion hosts, management VLANs, and privileged access workstations.
A hardened jump server placed in a dedicated management network and reachable only after a secure VPN connection centralizes access. Network devices are configured so their management interfaces accept connections only from that management segment. This sharply reduces the number of systems that can reach management planes and makes monitoring, hardening, and auditing easier.
Other approaches, such as allowing any VPN client or production server to connect to management interfaces, distribute trust across many devices. That contradicts the goal of using a small number of tightly controlled entry points and endpoints for administrative access, which is a common best practice in secure network management (Domain 4: Network Security).
Topic: Network Security
Your organization runs a hybrid network with two campuses and workloads in a public cloud VPC. A stateful firewall already controls traffic at each internet edge. After a recent security assessment, management sets two goals:
Which TWO of the following solutions BEST address these goals? (Select TWO.)
Options:
A. Replace the stateful firewalls with stateless packet-filtering routers that deny all ports except 80 and 443.
B. Deploy a network detection and response (NDR) platform that ingests flow data and packet metadata from all sites and cloud VPCs and uses behavior analytics to detect anomalies.
C. Deploy a network IDS sensor on a SPAN port at each campus switch to alert on matching attack signatures only.
D. Install host-based antivirus on all web servers and schedule nightly full scans.
E. Deploy an inline IPS in front of the web server VLAN to drop packets that match known attack signatures.
Correct answers: B and E
Explanation: This scenario describes two distinct security goals. The first is detection: finding stealthy lateral movement and command-and-control traffic anywhere in a hybrid network using behavior/anomaly analytics. The second is prevention: automatically blocking known exploit signatures before they reach the public web servers, without depending on host agents.
An intrusion prevention system (IPS) is typically deployed inline so it can both detect and actively block attacks in real time. It is well suited for protecting specific segments such as a web server VLAN by dropping traffic that matches known exploit signatures.
A network detection and response (NDR) platform focuses on network-wide visibility and detection. It collects telemetry (for example, flow data and packet metadata) from many points across on-prem and cloud environments and uses analytics to find anomalous patterns that may indicate lateral movement or command-and-control. NDR systems are generally detect/advisory tools; they usually are not the primary inline enforcement device.
An intrusion detection system (IDS) is also detect-only, but is typically more limited in scope (for example, signature-based inspection from a SPAN port on a specific switch) and does not provide the broad, analytics-driven coverage described for NDR. Stateless packet filters and traditional antivirus do not satisfy either the behavior-analytics requirement or the inline blocking of exploit signatures in transit.
Topic: Network Security
A mid-sized company is deploying a cloud-based identity provider (IdP) to centralize authentication and enable single sign-on (SSO) to internal web apps and multiple SaaS services. The security team wants to strengthen access control and simplify user lifecycle management across the network.
Which of the following actions should you AVOID when designing this SSO and federation strategy? (Select TWO.)
Options:
A. Allow each department to create and manage its own local user accounts in SaaS applications instead of using the corporate IdP, to reduce dependence on central IT.
B. Share one generic administrator account for each federated application so that fewer individual identities need to be integrated with the IdP.
C. Configure the corporate IdP as the single authoritative identity source, synchronizing user objects and groups from the on-premises directory service.
D. Mandate that all new SaaS applications integrate with the corporate IdP for SSO instead of maintaining separate local user databases.
E. Use federation trusts so that a partner organization’s users authenticate with their own IdP, while your IdP controls which roles they receive in your ticketing system.
Correct answers: A and B
Explanation: This scenario focuses on how single sign-on (SSO), federation, and identity providers (IdPs) impact network and access design. A central IdP and SSO help enforce consistent authentication, authorization, and accounting (AAA) policies by consolidating identities, defining clear trust relationships, and reducing scattered local accounts.
Good designs use a single, authoritative identity store (often synchronized from an on-prem directory service) and require applications—both internal and SaaS—to trust that IdP for user authentication. Federation extends this concept across organizational boundaries, where different IdPs trust each other so users can authenticate once to their home IdP and still access partner resources, with access scoped by roles.
Poor practices include bypassing the IdP entirely by letting applications manage their own local accounts or sharing generic administrator accounts. These patterns undermine the benefits of SSO and federation: they make access harder to control, reduce accountability, and create security gaps when users change roles or leave the organization.
Topic: Network Security
Which option BEST describes the primary role of an identity provider (IdP) in an AAA architecture that supports both on‑premises resources and cloud/SaaS applications?
Options:
A. A protocol that encrypts administrator commands between network devices and a central server but does not integrate with cloud services
B. A local database of usernames and passwords configured separately on each network device
C. A centralized service that authenticates users and issues tokens or assertions that other applications use to grant or deny access
D. A directory query protocol used only to look up user attributes in an on‑premises LDAP database
Best answer: C
Explanation: An identity provider (IdP) is a core component of modern AAA architectures, especially when organizations use a mix of on‑premises and cloud/SaaS applications. The IdP centrally authenticates a user (checking their credentials or other factors such as MFA) and then issues a security token or assertion, such as a SAML assertion or an OpenID Connect (OIDC) ID token.
Applications—whether internal web apps, VPN portals, or SaaS services—trust the IdP and use the token it issues to decide whether to allow access and what the user is authorized to do. This enables single sign-on (SSO): the user signs in once to the IdP, and the IdP handles authentication for multiple applications, instead of each app maintaining its own separate credential store.
In Network+ terms, the IdP is the AAA “front end” for authentication and part of authorization, while directories like LDAP or Active Directory are often the backing stores. Protocols such as RADIUS or TACACS+ may still be used for network device access, but the IdP is what unifies authentication across on‑premises and cloud services via federation.
Topic: Network Security
A midsize company currently lets administrators manage internal servers from home by connecting directly over the internet (SSH/RDP) from personal laptops to each server’s public IP. A recent security audit flags unmanaged endpoints, many exposed management ports, and inconsistent logging as major risks. The company wants a more secure remote administration solution that: 1) reduces the servers’ exposed attack surface, 2) ensures admins connect only from hardened, company-managed devices, and 3) keeps admin traffic encrypted when offsite. Which solution is BEST?
Options:
A. Configure the firewall with port forwarding from random high-numbered external ports to SSH/RDP on each server, and keep allowing administrators to connect from their personal laptops over the internet.
B. Enable a cloud-hosted remote desktop service that can reach all internal servers and require administrators to use long, complex passwords when logging in from any device.
C. Disable RDP on all servers and require administrators to use SSH from their home PCs directly to each server’s public IP over the internet.
D. Deploy a VPN that only permits access from company-issued hardened admin workstations, require admins to first connect to the VPN and then use an internal jump host to reach servers, and close all direct internet management ports on the servers.
Best answer: D
Explanation: The scenario highlights three main concerns: too many exposed management ports on internet-facing servers, administrators connecting from unmanaged personal laptops, and a need for encrypted remote access when working offsite. Modern best practice is to tightly control where administrator sessions enter the network and what devices they originate from.
A common secure pattern is:
This approach minimizes direct exposure of management services to the internet, centralizes monitoring and logging on the jump host, and ensures that high-privilege sessions originate only from trusted, well-controlled endpoints. Simply hiding ports or switching protocols without this architecture leaves many of the underlying risks in place.
Topic: Network Security
A network administrator is reviewing how staff remotely manage the company’s edge firewall from off-site locations. Which of the following remote-management configurations is NOT appropriate and SHOULD be corrected?
Options:
A. Allowing HTTPS management access only over a user-authenticated IPsec VPN from an internal admin subnet
B. Allowing Telnet access to the firewall’s public WAN interface from any administrator’s home public IP
C. Requiring administrators to first connect to a full-tunnel SSL VPN before using RDP to an internal management server
D. Permitting SSH access to the firewall only from a dedicated jump host across an existing site-to-site VPN
Best answer: B
Explanation: Secure network management and remote access should minimize exposure of management interfaces and ensure that all administrative traffic is encrypted and strongly authenticated. Best practices include using secure protocols (such as SSH and HTTPS), placing management access behind VPNs, and limiting which hosts can initiate management sessions.
Allowing Telnet to a firewall’s public WAN interface violates these principles. Telnet sends usernames and passwords in cleartext and offers no encryption for commands or configuration data. Exposing this service directly to the internet from many possible home addresses significantly increases the chance that an attacker can intercept or brute-force credentials, or exploit the service.
In contrast, using HTTPS or SSH over VPNs, jump hosts, or internal management servers provides encrypted tunnels, tighter access controls, and reduced attack surface, aligning with secure network management guidelines in a modern enterprise environment.
Topic: Network Security
A company recently contained ransomware on one user PC, but logs show the malware tried to connect to file and database servers in other VLANs using random TCP ports. Inter-VLAN routing is performed on a Layer 3 switch with the following ACL:
```
ACL INTERVLAN
10 permit ip any any
```
Which change should the network technician implement to BEST limit future lateral movement between user and server VLANs while still allowing required business traffic?
Options:
A. Add a firewall rule at the Internet edge to block all outbound connections from the affected user VLAN
B. Move all servers into the same VLAN as the users so the ACL is no longer needed for internal communication
C. Disable inter-VLAN routing completely on the Layer 3 switch so VLANs cannot communicate at all
D. Replace the existing ACL with rules that only permit required ports from user VLANs to specific server VLANs and deny all other inter-VLAN traffic
Best answer: D
Explanation: The symptom shows that once a single user PC was compromised, the malware could attempt connections to internal servers in other VLANs over arbitrary ports. This indicates that internal segmentation between user and server networks is too permissive. The current ACL entry `permit ip any any` effectively creates a flat, routable network between VLANs, allowing almost unrestricted lateral movement.
Secure segmentation for east–west traffic requires limiting which VLANs can communicate and on which ports. By replacing the ACL with specific permit statements for only the required application ports between user and server VLANs, followed by an implicit or explicit deny for all other inter-VLAN traffic, the technician can significantly reduce the attacker’s ability to move laterally while preserving legitimate business access.
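As an added illustration that is not part of the original question set, the Python script below parses both the permissive ACL from the question and option D written out in the same IOS-style syntax, then evaluates constructed sample flows against each to show which the new ACL drops. The VLAN subnets (10.10.0.0/24 users, 10.20.0.0/24 file servers, 10.30.0.0/24 database servers) and the required ports (SMB 445, MS SQL 1433) are assumptions, not values from the question.

```python
import ipaddress

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair (10.10.0.0 0.0.0.255) into a network."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network((base, str(ipaddress.IPv4Address(mask))))

def _parse_addr(t: list, i: int):
    """Parse the address field at t[i] ('any' or 'addr wildcard'); return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return wildcard_to_network(t[i], t[i + 1]), i + 2

def parse_acl(text: str) -> list:
    """Parse '<seq> permit|deny <proto> <src> <dst> [eq <port>]' lines into (seq, action, proto, src, dst, port) tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or not t[0].isdigit():
            continue  # skip the 'ACL INTERVLAN' header line
        src, i = _parse_addr(t, 3)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((int(t[0]), t[1], t[2], src, dst, dport))
    return rules

def evaluate(rules: list, proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation; falling off the end is the implicit deny every ACL ends with."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _, action, r_proto, src, dst, r_port in sorted(rules, key=lambda r: r[0]):
        if r_proto != "ip" and r_proto != proto:
            continue
        if s not in src or d not in dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"

# The ACL from the question: every port between every VLAN is routed.
PERMISSIVE_ACL = """
ACL INTERVLAN
10 permit ip any any
"""
# Option D written out. Assumed addressing: 10.10.0.0/24 users, 10.20.0.0/24 file servers,
# 10.30.0.0/24 database servers; assumed required ports: SMB 445 and MS SQL 1433.
RESTRICTIVE_ACL = """
ACL INTERVLAN
10 permit tcp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 445
20 permit tcp 10.10.0.0 0.0.0.255 10.30.0.0 0.0.0.255 eq 1433
30 deny ip any any
"""

# Constructed flows: one legitimate SMB session, then two random-port probes like the malware's.
SAMPLE_FLOWS = [
    ("tcp", "10.10.0.25", "10.20.0.10", 445),
    ("tcp", "10.10.0.25", "10.20.0.10", 49152),
    ("tcp", "10.10.0.25", "10.30.0.5", 6000),
]

def compare(flows=SAMPLE_FLOWS) -> dict:
    """Map each flow to (verdict under the old ACL, verdict under the new ACL)."""
    old, new = parse_acl(PERMISSIVE_ACL), parse_acl(RESTRICTIVE_ACL)
    return {f: (evaluate(old, *f), evaluate(new, *f)) for f in flows}
```

The evaluator is stateless, as a standard IOS ACL is: a real deployment on an SVI also has to allow the servers' return traffic (for example with established or reflexive entries), which this example leaves out.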
Topic: Network Security
Which TWO statements accurately describe the roles of authentication, authorization, and accounting (AAA) in controlling network access? (Select TWO.)
Options:
A. Authorization is responsible for keeping detailed logs of when users connect, what they access, and how long they stay connected.
B. Accounting’s primary purpose is to encrypt credentials in transit so attackers cannot read usernames and passwords.
C. Authentication verifies a user’s identity (for example, with a username and password or MFA) before granting access.
D. Authentication determines which resources and permissions a user has after logging in, such as read-only vs read/write access.
E. Authorization defines what an authenticated user is allowed to do, such as which files, network shares, or VLANs they can access.
Correct answers: C and E
Explanation: AAA stands for authentication, authorization, and accounting. These are three separate but related functions used to control and monitor access to network resources.
Authentication comes first and answers the question, “Who are you?” Examples include logging in with a username and password, using a smart card, or providing an MFA code. Until authentication succeeds, the user should not gain access to protected resources.
Authorization happens after authentication and answers, “What are you allowed to do?” It controls which files, applications, network segments, or commands a user can access. This is done with permissions, roles, and policies such as RBAC or ACLs.
Accounting answers, “What did you do, and when?” It records session start and end times, commands run, resources accessed, and bandwidth used. Accounting logs support auditing, troubleshooting, and sometimes billing.
Understanding the separation of these three functions helps correctly design and troubleshoot access controls in a network environment.
Topic: Network Security
A security analyst investigates reports that users who browse to https://portal.example.com are being sent to a fake login page hosted on an attacker-controlled server. The users’ hosts are correctly configured, but nslookup portal.example.com now returns an unfamiliar IP address that does not belong to the organization. Which type of attack is MOST likely occurring?
Options:
A. DNS poisoning
B. ARP poisoning
C. DHCP starvation
D. MAC flooding
Best answer: A
Explanation: In the scenario, users enter the correct URL but are redirected to a fake login page. The analyst verifies that client settings are correct but observes that DNS lookups for portal.example.com now return an IP address that does not belong to the organization.
This behavior indicates that the mapping of a domain name to an IP address has been maliciously altered. When DNS data is manipulated in this way—either on a DNS resolver, forwarder, or cache—the result is called DNS poisoning (also known as DNS cache poisoning or DNS spoofing).
Because DNS is responsible for translating human-friendly hostnames into IP addresses, corrupting its records allows an attacker to silently redirect users to malicious servers without changing the URL they type, making phishing and credential theft much easier.
Use the CompTIA Network+ N10-009 Practice Test page for the full IT Mastery route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Read the CompTIA Network+ N10-009 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.