Quiz: Network Security Fundamentals

A 26-question self-check covering the OSI/TCP-IP stack, ports and the handshake, segmentation, and the spoofing/MITM/DoS attack families. Questions tagged [Sec+] (CompTIA Security+) and [CISSP] ((ISC)² CISSP) map to certification domains. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] The fundamental unit of data routed at the Network layer (Layer 3), carrying source and destination IP addresses, is a: A. frame B. packet C. segment D. socket

2. [Sec+] A socket is best defined as: A. a port number alone B. an IP address alone C. an IP address combined with a port D. a MAC address

3. The correct order of the TCP three-way handshake is: A. ACK → SYN → SYN-ACK B. SYN → ACK → SYN-ACK C. SYN → SYN-ACK → ACK D. SYN-ACK → SYN → ACK

4. [Sec+] A log shows one source sending lone SYN packets to ports 22, 23, 80, and 445 in one second, none completing a handshake. This is most likely a: A. SYN flood B. port scan C. man-in-the-middle D. ARP spoof

5. ARP spoofing operates at which OSI layer, and what makes it possible? A. Layer 3; IP has no checksum B. Layer 2; ARP has no authentication C. Layer 4; TCP is stateless D. Layer 7; HTTP is plaintext

6. [CISSP] A network zone that sits between the untrusted internet and the trusted internal network, hosting internet-facing systems so their compromise is contained, is called a: A. VLAN B. subnet C. DMZ D. NAT pool

7. Traffic moving laterally between systems inside a network is called: A. north-south B. east-west C. ingress D. egress

8. [Sec+] NAT (network address translation) primarily exists to: A. encrypt traffic B. authenticate users C. conserve public IPv4 addresses D. detect intrusions

9. A SYN flood is a denial-of-service attack that works by: A. encrypting the server's disk B. sending many SYNs and never completing the handshakes, exhausting the half-open connection table C. forging ARP replies D. guessing passwords

10. [CISSP] A man-in-the-middle attack against properly validated TLS-encrypted traffic allows the attacker to: A. read and alter the plaintext B. relay the encrypted bytes and see metadata, but not read or alter the contents C. decrypt everything instantly D. nothing at all, including relaying

11. Which is the most effective way to limit lateral (east-west) movement after an attacker gains a foothold? A. a stronger perimeter firewall B. NAT C. internal segmentation with default-deny between zones D. a longer password policy

12. [Sec+] A volumetric DDoS using spoofed source IPs should be mitigated: A. at your own edge firewall B. upstream, at the ISP or a scrubbing provider C. by blocking each source IP D. by rebooting the server

13. A VLAN provides isolation at: A. Layer 1 B. Layer 2 C. Layer 3 D. Layer 7

14. [CISSP] Encapsulation means that a control reading one layer's header: A. can read all deeper payloads B. is blind to the layers it does not inspect C. encrypts the data D. is unnecessary if a perimeter firewall exists


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

15. [Sec+] "Because internal hosts sit behind NAT, the internal network does not need segmentation or encryption."

16. "A perimeter firewall inspects east-west traffic between internal servers."

17. "Encrypting traffic with TLS protects it against a Layer 2 ARP-spoofing man-in-the-middle reading the contents."

18. "A SYN-ACK returned for every SYN proves a server is healthy and not under attack."

19. [CISSP] "Segmenting the cardholder data environment can reduce the systems that are in scope for PCI-DSS."


Section 3 — Fill in the blank (1 pt each)

20. A connection is uniquely identified by a four-value tuple: source IP, source _, destination IP, and destination _.

21. The principle of denying all traffic unless it is explicitly permitted is called __.

22. [Sec+] Forging the source IP address of a packet to impersonate another system is called IP __.

23. Traffic crossing the boundary between the internal network and the internet is called __ traffic.


Section 4 — Short answer (2 pts each)

24. [CISSP] Explain why "the perimeter is dead," using the north-south / east-west distinction and the "assume breach" principle. Reference what a perimeter firewall can and cannot see.

25. A defender must stop a man-in-the-middle attack on a branch network. Name one Layer 2 control and one Layer 5–7 control, and explain why using both (rather than either alone) is the stronger design and which recurring theme this illustrates.

26. [Sec+] Given the firewall log line `action=DENY src=203.0.113.66 dst=192.0.2.10 dport=22 proto=tcp`, state what was attempted, what the firewall did, and why a series of such denials to many different ports from one source would interest a SOC analyst.


Answer Key

1. **B** — a packet is the Layer 3 unit with IP addressing.
2. **C** — a socket is IP + port.
3. **C** — SYN, SYN-ACK, ACK.
4. **B** — many *different* ports, no completion = port scan (a flood targets one port).
5. **B** — ARP is Layer 2 and unauthenticated.
6. **C** — DMZ.
7. **B** — east-west.
8. **C** — NAT conserves IPv4 addresses (and is not a security control).
9. **B** — a SYN flood exhausts the half-open connection table.
10. **B** — validated TLS lets the MITM relay ciphertext and see metadata only.
11. **C** — internal segmentation with default-deny.
12. **B** — mitigate volumetric floods upstream.
13. **B** — VLANs isolate at Layer 2.
14. **B** — a control is blind to layers it does not inspect.
15. **F** — NAT only hides addresses; it does not stop lateral movement after a foothold or a MITM, so segmentation and internal encryption are still needed.
16. **F** — east-west traffic stays inside the network and never crosses the perimeter firewall.
17. **T** — validated TLS provides confidentiality and integrity, so the MITM cannot read or alter the contents even while relaying them.
18. **F** — a SYN-ACK per SYN is expected even during a SYN flood; the right measure is the *completion* (ACK) ratio.
19. **T** — isolating the CDE removes other systems from PCI-DSS scope, reducing both risk and audit burden.
20. port; port.
21. default-deny (deny by default / implicit deny).
22. spoofing.
23. north-south.
24. A perimeter firewall only inspects north-south traffic crossing the boundary; nearly every breach involves a foothold followed by east-west lateral movement that the perimeter never sees, so a strong perimeter is insufficient. "Assume breach" accepts that the attacker gets inside, so defense must continue internally via segmentation — making the perimeter one layer, not the whole defense.
25. Layer 2: dynamic ARP inspection or switch port security (blocks the ARP spoof that sets up the MITM). Layer 5–7: validated TLS (so even a successful MITM cannot read or alter the traffic). Using both is defense in depth (Theme 4): each layer is designed assuming the other may fail, so a gap in one is covered by the other.
26. A host at `203.0.113.66` attempted a TCP connection to port 22 (SSH) on `192.0.2.10`; the firewall denied it (default-deny). Many such denials to many different ports from one source are the signature of a port scan — reconnaissance enumerating which services are open — and warrant investigation.

**Topics to review by question:** missed 1–3, 20 → §6.2; 4, 9, 18, 26 → §6.2/6.5; 5, 17, 25 → §6.5; 6, 11, 13, 19 → §6.4; 7, 23, 24 → §6.4; 8, 15 → §6.4 (NAT); 10 → §6.5 (MITM/TLS); 12 → §6.5 (DDoS); 14 → §6.1; 21, 22 → §6.4/6.5.
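The port-scan signal described in the answers to questions 4 and 26 (one source denied on many *different* ports, as opposed to many hits on one port), applied to constructed firewall log lines in the key=value format of question 26. This is an added example, not part of the quiz or its source chapter; the `min_distinct_ports` threshold is an assumed tuning value and the sample addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real events). 203.0.113.66 probes five
# distinct ports; 198.51.100.7 is denied twice on the same port, which is not a scan.
SAMPLE_LOG = """\
action=DENY src=203.0.113.66 dst=192.0.2.10 dport=22 proto=tcp
action=DENY src=203.0.113.66 dst=192.0.2.10 dport=23 proto=tcp
action=DENY src=203.0.113.66 dst=192.0.2.10 dport=80 proto=tcp
action=DENY src=203.0.113.66 dst=192.0.2.10 dport=445 proto=tcp
action=DENY src=203.0.113.66 dst=192.0.2.10 dport=3389 proto=tcp
action=ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
action=DENY src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
action=DENY src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict; returns None if required fields are missing."""
    fields = dict(FIELD.findall(line))
    if not {"action", "src", "dst", "dport"}.issubset(fields):
        return None
    fields["dport"] = int(fields["dport"])
    return fields


def denied_ports_by_source(log_text):
    """Map each source IP to the set of distinct destination ports it was denied on."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DENY":
            ports[rec["src"]].add(rec["dport"])
    return ports


def flag_port_scans(log_text, min_distinct_ports=4):
    """Return (src, sorted ports) for sources denied on at least min_distinct_ports
    distinct ports, broadest first. Counting distinct ports (not total denials) is
    what separates reconnaissance from a flood or brute force aimed at one service."""
    ports = denied_ports_by_source(log_text)
    hits = [(src, sorted(p)) for src, p in ports.items() if len(p) >= min_distinct_ports]
    return sorted(hits, key=lambda h: -len(h[1]))


if __name__ == "__main__":
    for src, ports in flag_port_scans(SAMPLE_LOG):
        print(f"possible port scan from {src}: {len(ports)} distinct ports denied {ports}")
```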