Free CompTIA Network+ N10-010 Practice Questions: Network Security
Practice 10 free CompTIA Network+ V10 (CompTIA Network+ N10-010) questions on Network Security, with answers, explanations, and the IT Mastery next step.
Try the IT Mastery web app for a richer interactive practice experience with mixed sets, timed mocks, topic drills, explanations, and progress tracking.
Topic snapshot
| Field | Detail |
|---|---|
| Practice target | CompTIA Network+ N10-010 |
| Topic area | Network Security |
| Blueprint weight | 14% |
| Page purpose | Focused sample questions before returning to mixed practice |
How to use this topic drill
Use this page to isolate Network Security for CompTIA Network+ N10-010. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 14% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
Sample questions
These are original IT Mastery practice questions aligned to this topic area. They are not official CompTIA questions, copied live-exam content, or exam dumps. Use them to preview question style and explanation depth before continuing with topic drills, mixed sets, and timed mocks in IT Mastery.
Question 1
Topic: Network Security
An online retailer is updating its mitigation plan after a DDoS attack. During the attack, inbound traffic saturated the ISP connection, order processing stopped for 90 minutes during a product launch, partner SLA credits applied after 30 minutes of outage, and logs showed no unauthorized access to customer data. The cyber insurance policy also requires using an approved DDoS mitigation provider. Which configuration choice best addresses the main attack impacts?
Options:
A. Move the public DNS zone to internal-only name servers
B. Enable database encryption at rest for customer records
C. Force password resets for all customers and employees
D. Route public traffic through approved DDoS scrubbing with failover
Best answer: D
Explanation: A DDoS attack that saturates the ISP connection is primarily an availability and performance event. In this scenario, the business impacts include lost order processing, SLA credits, launch timing against competitors, business continuity disruption, and an insurance requirement tied to an approved mitigation provider. Routing public traffic through DDoS scrubbing with failover addresses the traffic-flood condition and aligns with the policy requirement. Because the logs show no unauthorized access to customer data, controls focused mainly on data confidentiality or account compromise are not the best fit.
- Encryption at rest protects stored data confidentiality, but the stated problem is service availability during traffic saturation.
- Password resets are appropriate for suspected credential compromise, which is not shown in the logs.
- Internal-only DNS would make the public ordering site unreachable and worsen the business continuity impact.
Question 2
Topic: Network Security
A company wants to learn when attackers are probing its server network after other controls have failed. The control should attract suspicious connections and generate alerts for investigation, but the network team should not treat it as a way to block unauthorized access. Which defense technique best fits this requirement?
Options:
A. Apply a restrictive ACL
B. Deploy a monitored honeypot
C. Enable 802.1X on access ports
D. Disable unused switch ports
Best answer: B
Explanation: A honeypot is a deception and detection technique. It is intentionally made to look like a useful target so that probes, login attempts, or other suspicious activity can be logged and alerted on. In this scenario, the requirement is to detect activity after other controls have failed, not to enforce access decisions. Preventive controls such as ACLs, 802.1X, and disabling unused ports reduce or block unauthorized access paths. A honeypot can improve visibility, but it must be paired with preventive controls to protect production systems.
- Restrictive ACL fails because it is a preventive traffic-filtering control, not primarily a deception-based detection tool.
- 802.1X access fails because it prevents unauthorized devices from gaining network access.
- Unused port shutdown fails because it reduces physical access risk rather than attracting or detecting suspicious activity.
Question 3
Topic: Network Security
A branch office has one authorized DHCP server connected through the distribution switch. Users report intermittent loss of connectivity, and packet captures show DHCP offers coming from an unknown device on an access-port VLAN. Which switch configuration best addresses this issue?
Options:
A. Enable DHCP snooping and trust only the uplink toward the DHCP server
B. Enable port mirroring on all user access ports
C. Enable dynamic ARP inspection without a DHCP binding table
D. Configure 802.1X authentication for the DHCP server port only
Best answer: A
Explanation: DHCP snooping is the Layer 2 protection used when rogue DHCP servers or address assignment abuse are a concern. Access ports should normally be untrusted so they cannot send DHCP server responses such as offers or acknowledgments. The uplink or switchport that leads to the legitimate DHCP server is trusted so valid DHCP replies can reach clients. DHCP snooping also builds a binding table of legitimate client IP-to-MAC-to-port mappings, which other protections can use.
Port mirroring may help investigate traffic, but it does not stop bad DHCP offers. Dynamic ARP inspection is useful for ARP spoofing, but it commonly relies on DHCP snooping bindings.
- Monitoring only fails because port mirroring copies traffic for analysis but does not block rogue DHCP replies.
- Wrong scope fails because authenticating only the DHCP server port does not prevent a user access port from sending DHCP offers.
- Missing bindings fails because dynamic ARP inspection addresses ARP abuse and typically needs DHCP snooping bindings to validate clients.
Question 4
Topic: Network Security
A network technician is reviewing a request to harden access-layer switch ports in shared office areas. Which control best matches the requirement shown in the exhibit?
Exhibit: Access-control request
Locations: lobby, conference rooms, hot-desk area
Goal: Do not allow normal network access until the endpoint is authenticated
Authentication source: central RADIUS server
After authentication: place device in the correct VLAN
Unknown device: deny or place in restricted VLAN
Options:
A. Enable DHCP snooping on the access VLANs
B. Enable 802.1X on the access ports
C. Apply an outbound ACL on the default gateway
D. Configure static MAC addresses on each port
Best answer: B
Explanation: 802.1X is the standard choice for port-based network access control. It lets the switch act as an authenticator and use a RADIUS server to validate the connected endpoint or user before allowing normal network access. After successful authentication, the switch can permit access or assign the device to an appropriate VLAN. This matches the exhibit requirements for shared physical ports, centralized authentication, and restricted handling of unknown devices.
MAC-based controls and gateway ACLs can limit traffic, but they do not provide the same per-port authentication workflow before access is granted.
- DHCP snooping helps block rogue DHCP behavior, but it does not authenticate endpoints before granting port access.
- Static MAC addresses can restrict known devices, but they are harder to manage and do not use centralized RADIUS authentication.
- Gateway ACLs filter routed traffic, but the device may already have Layer 2 access to the local network.
Question 5
Topic: Network Security
A company is seeing repeated reconnaissance scans against a public DMZ web server. The server must stay online until the maintenance window, and the security team wants better visibility without treating a monitoring tool as a blocking control. Which decision best addresses the situation?
Options:
A. Use a honeypot for detection and add preventive controls
B. Rely on IDS alerts to stop exploit traffic
C. Run vulnerability scans and consider the server protected
D. Replace the firewall rules with a honeypot
Best answer: A
Explanation: Some defense techniques are mainly detective, not preventive. A honeypot can attract or observe suspicious activity and provide useful alerts, indicators, and attacker-behavior data. However, it does not stop an attacker from targeting the real DMZ server. The same distinction applies to many monitoring controls, such as IDS and vulnerability scanning: they improve visibility but do not, by themselves, block exploitation. For prevention, the team still needs controls such as firewall or ACL restrictions, patching, service hardening, segmentation, or an inline blocking control where appropriate. The key decision is to use detection as supporting evidence while maintaining separate preventive defenses.
- Honeypot replacement fails because a decoy does not enforce access control for the real server.
- Scanner as protection fails because vulnerability scanning identifies weaknesses but does not remediate or block them.
- IDS as blocking fails because a typical IDS alerts on suspicious traffic but is not an inline prevention device.
Question 6
Topic: Network Security
A firewall ACL is processed top to bottom with first-match behavior and an implicit deny at the end. A partner host 203.0.113.50 must reach only the internal SFTP server 10.20.30.10 on TCP port 22. Existing blocks for the partner subnet must remain in place.
| Order | Action | Source | Destination | Service |
|---|---|---|---|---|
| 10 | allow | any | 10.20.30.20 | HTTPS |
| 20 | deny | 203.0.113.0/24 | any | any |
| 30 | deny | any | any | any |
Which ACL change is the best professional decision?
Options:
A. Replace rule 20 with an allow from
203.0.113.0/24to TCP 22B. Insert an allow for
203.0.113.50to10.20.30.10TCP 22 before rule 20C. Remove rule 20 and rely on the implicit deny
D. Append an allow for
203.0.113.50to10.20.30.10TCP 22 after rule 30
Best answer: B
Explanation: ACL rule order matters because many firewalls evaluate rules from the top down and stop at the first match. The existing deny for 203.0.113.0/24 would block the partner host before any later allow rule could apply. The safest change is to add a narrow permit for the exact source host, destination server, and TCP port 22 above the broader subnet deny. That satisfies the access request while preserving the policy that blocks the rest of the partner subnet. A broader allow or removing the deny would weaken segmentation unnecessarily.
- Appending the permit fails because rule 20 or rule 30 would match and deny the traffic first.
- Allowing the whole subnet grants access beyond the single approved partner host.
- Removing the subnet deny changes the existing security policy and does not create the required specific allow.
Question 7
Topic: Network Security
A help desk receives multiple reports from employees in the lobby that their laptops automatically joined a network named Corp-WiFi and then displayed a login page requesting domain credentials. The wireless controller shows no managed access point using the observed BSSID, and the signal is strongest near a public seating area.
Which activity best matches these findings?
Options:
A. Malicious code
B. Evil twin
C. Vandalism
D. Hijacking
Best answer: B
Explanation: An evil twin attack uses a rogue wireless access point that imitates a trusted SSID, often with a stronger or more convenient signal, to trick users into connecting. The fake captive portal requesting domain credentials is a common way to steal usernames and passwords. The unrecognized BSSID and location-specific signal strength point to an unauthorized AP rather than an issue on the legitimate wireless controller.
Hijacking can involve taking over a session or connection, but the key evidence here is impersonation of the wireless network itself.
- Malicious code would involve malware running on endpoints, not primarily a fake SSID and rogue login portal.
- Vandalism is damage or defacement, which is not shown by the wireless evidence.
- Hijacking focuses on taking over an existing session or system, while this scenario shows users being lured to a spoofed wireless network.
Question 8
Topic: Network Security
A technician is preparing a newly installed access switch for production. The device will be managed only from the network team’s jump box and does not need file-transfer services.
Exhibit: Hardening review
| Item | Current state |
|---|---|
| Local admin password | Vendor default still active |
| Enabled management services | SSH, HTTPS, Telnet, FTP |
| Required management method | SSH from jump box only |
| File-transfer requirement | None |
Which action best addresses the basic hardening findings?
Options:
A. Change the default password and disable Telnet, HTTPS, and FTP
B. Change the default password and disable Telnet, FTP, and unused HTTPS access
C. Disable SSH and manage the switch through Telnet only
D. Keep the default password and restrict management to the jump box
Best answer: B
Explanation: Basic device hardening includes replacing vendor-default credentials and reducing the exposed management surface. In this case, SSH is the only required management method, so Telnet and FTP should be disabled because they are unnecessary. HTTPS is also not required by the stated management method, so unused web management access should be disabled unless the organization explicitly needs it. Changing only access rules would not fix the default password, and keeping insecure or unnecessary services increases attack surface.
The key takeaway is to remove default credentials and turn off services or ports that do not support a defined operational requirement.
- Leaving default credentials fails because an access restriction does not remove the risk of a known vendor password.
- Telnet-only management fails because Telnet is not the required method and is less secure than SSH.
- Keeping extra services fails when those services are not needed for the stated management requirement.
Question 9
Topic: Network Security
A company wants to centralize administrator access to routers and switches. The network team must authenticate admins, authorize different privilege levels, and keep an accounting record of management commands. The solution should apply to network device administration, not end-user Wi-Fi access. Which configuration concept best meets this requirement?
Options:
A. AAA using TACACS+ for device administration
B. RADIUS for 802.1X client authentication
C. Geofencing based on administrator location
D. SAML SSO for web application portals
Best answer: A
Explanation: AAA separates authentication, authorization, and accounting so network devices can use a central service to validate administrators, assign privileges, and log activity. TACACS+ is commonly used for router and switch administration because it supports granular command authorization and accounting. RADIUS is also an AAA protocol, but it is more commonly used for network access scenarios such as VPN, wireless, and 802.1X client authentication. SAML SSO helps users sign in across applications, and geofencing can restrict access by location, but neither directly provides command-level device administration control.
- Client access focus makes RADIUS less suitable here because the requirement is device administration with command authorization.
- Application SSO does not provide router and switch command accounting by itself.
- Location restriction can be a supplemental control, but it does not authenticate, authorize, and account for device commands.
Question 10
Topic: Network Security
A small company is adding IP security cameras to existing access switches. The cameras must reach only the recording server and NTP, should not be able to initiate connections to office workstations, and the company wants to avoid new cabling. Which design is the BEST professional decision?
Options:
A. Assign static IP addresses to the cameras
B. Put cameras on the same VLAN and update firmware
C. Place cameras in a separate VLAN with ACLs
D. Enable port security on camera switch ports
Best answer: C
Explanation: Segmentation is the right control when the main requirement is isolation, scope reduction, or containment. In this scenario, the cameras are less-trusted endpoints that share physical switches with office users, but they need tightly limited connectivity. A separate VLAN creates a distinct Layer 2 segment, and ACLs or firewall rules can restrict inter-VLAN traffic so cameras reach only the recording server and NTP. This satisfies the security requirement without installing new cabling. Device hardening, such as firmware updates, is useful but does not provide the required traffic containment by itself.
- Port security limits which MAC addresses can use a switch port, but it does not define allowed camera destinations.
- Static addressing may simplify management, but it does not isolate traffic or prevent workstation access.
- Firmware updates reduce device vulnerabilities, but cameras would still share the office broadcast domain and connectivity scope.
Continue in the web app
Use IT Mastery for interactive CompTIA Network+ N10-010 practice with mixed sets, timed mocks, topic drills, explanations, and progress tracking.
Try CompTIA Network+ N10-010 on Web