Quiz: Firewalls, IDS/IPS, and Network Access Control

A 26-question self-check covering firewalls, intrusion detection and prevention, NAC, microsegmentation, and tuning. Questions tagged [Sec+] map to a CompTIA Security+ objective and [CISSP] to an (ISC)² CISSP domain. Answers and one-line explanations are at the end — try the whole quiz first.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] A firewall that tracks the state of active connections and permits return traffic because it matches an existing connection — not because a port was pre-opened — is a: A. stateless firewall B. stateful firewall C. proxy D. packet sniffer

2. [Sec+] The defining capability a next-generation firewall adds over a stateful firewall is: A. tracking connection state B. application and user awareness C. routing D. NAT

3. A firewall ruleset configured to "deny everything except what is explicitly permitted" implements: A. default-allow B. default-deny C. blocklisting D. fail-open

4. [CISSP] Default-deny is the network embodiment of which foundational principle? A. separation of duties B. least privilege C. non-repudiation D. defense in diversity

5. [Sec+] A system that monitors a copy of network traffic and raises alerts but cannot drop packets is a(n): A. IPS B. IDS C. NGFW D. WAF

6. [Sec+] Which is true of an IPS but not an IDS? A. it is deployed out of band B. it can drop malicious packets in real time C. it cannot generate alerts D. it only inspects encrypted traffic

7. Signature-based detection's fundamental blind spot is: A. it is too noisy B. it cannot catch attacks for which no signature exists (zero-days) C. it requires no maintenance D. it only works in-line

8. Anomaly-based detection's characteristic weakness, relative to signatures, is: A. it cannot catch novel attacks B. a high false-positive rate C. it needs no baseline D. it only matches known patterns

9. [Sec+] The standard that requires a device to authenticate before a switch port is opened for general traffic is: A. 802.11 B. 802.1X C. WPA2 D. RADIUS-only

10. [Sec+] In 802.1X, the switch or access point that controls the port and relays credentials but does not itself validate identity is the: A. supplicant B. authenticator C. authentication server D. certificate authority

11. Authenticating network devices by MAC address alone (MAB) is weak primarily because: A. MAC addresses are encrypted B. MAC addresses are broadcast in plaintext and easily spoofed C. it requires certificates D. switches cannot read MAC addresses

12. [CISSP] Microsegmentation primarily defeats which attacker behavior? A. initial phishing B. east-west lateral movement C. password cracking D. denial of service

13. A hardened, monitored intermediary that administrators must connect through to reach a sensitive zone — so no direct path exists — is a: A. honeypot B. jump host / bastion host C. load balancer D. reverse proxy

14. [Sec+] An ACL is evaluated "first match wins." This means that: A. the most specific rule always wins B. rule order is semantically significant C. only the last rule matters D. order does not matter

15. The best single reason a firewall alone cannot secure a network against an attacker who is already inside is: A. firewalls are too slow B. a boundary control does nothing about east-west traffic that never crosses the boundary C. firewalls cannot be configured D. all attackers are insiders


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

16. "An IDS can stop an exploit in real time before it reaches the target."

17. [Sec+] "A default-allow firewall fails safe because anything new is blocked until reviewed."

18. "Because attacks are rare, even an IDS with a 0.1% false-positive rate can bury analysts in false alarms."

19. "Certificate-based 802.1X is no harder to spoof than MAC-based authentication."

20. "Putting all administrative access to the CDE through a single bastion host concentrates risk and is therefore a bad idea."


Section 3 — Fill in the blank (1 pt each)

21. The three 802.1X roles are the ______ (the connecting device), the ______ (the switch/AP), and the ______ (the back-end RADIUS server).

22. [Sec+] A sound default-deny ruleset ends with an explicit ______-and-______ rule so that blocked traffic is both stopped and recorded for investigation.

23. The phenomenon by which a low false-positive rate still yields mostly-false alerts when the event being detected is rare is called the ______ problem.

24. Detection at scale becomes trustworthy when a ______ ingests events from many sources and ______ weak signals into one high-confidence alert.


Section 4 — Short answer (2 pts each)

25. [CISSP] Explain why a mature network deployment uses both signature-based and anomaly-based detection rather than choosing one. Reference what each covers that the other misses.

26. [Sec+] A junior engineer wants to switch the entire internal network to default-deny between all hosts over a single weekend. In two or three sentences, explain the disciplined sequence you would follow instead and why each step matters.


Answer Key

1. **B** — stateful firewalls track connections and permit return traffic by state.
2. **B** — application/user awareness is the NGFW addition.
3. **B** — default-deny.
4. **B** — least privilege on the wire.
5. **B** — an IDS sees a copy and only alerts.
6. **B** — only an in-line IPS can drop packets in real time.
7. **B** — signatures cannot match what has no signature (zero-days).
8. **B** — anomaly detection is noisy (high false positives).
9. **B** — 802.1X is port-based access control.
10. **B** — the authenticator gatekeeps the port and relays, but the authentication server decides.
11. **B** — MACs are plaintext and spoofable.
12. **B** — microsegmentation strangles east-west lateral movement.
13. **B** — a jump host / bastion.
14. **B** — first-match-wins makes order significant.
15. **B** — a boundary firewall cannot see or stop east-west traffic that never crosses it.
16. **F** — an IDS only alerts; an *IPS* (in-line) can stop traffic.
17. **F** — default-*allow* fails *open* (new things are permitted until blocked); default-*deny* fails safe.
18. **T** — the base-rate problem: 0.1% of a million benign events is ~1,000 false alarms, dwarfing a handful of true ones.
19. **F** — a certificate requires a private key never transmitted, so it resists the cloning that defeats MAC-based auth.
20. **F** — the bastion is hardened, strongly authenticated, and fully recorded, replacing many uncontrolled paths with one well-defended, highly visible chokepoint, which *reduces* risk.
21. supplicant; authenticator; authentication server.
22. deny; log (deny-and-log).
23. base-rate.
24. SIEM; correlates.
25. Signatures catch *known* attacks precisely and with low noise but miss anything novel (zero-days, mutations); anomaly detection catches *novel/abnormal* behavior signatures can't but is noisy and misses attacks that look normal — so using both covers each method's blind spot, and correlation reduces the combined noise.
26. Observe/baseline real traffic first (using flow monitoring) so you know which flows are legitimate; *then* write least-privilege policy from that evidence; *then* enforce default-deny incrementally — because enabling default-deny without a flow map breaks production and forces broad, defeating exceptions.

**Topics to review by question:** 1–4 → §7.1–7.2; 5–8, 16, 18, 25 → §7.3; 9–11, 19, 21 → §7.4; 12–13, 15, 20, 23 → §7.5; 14, 17, 22 → §7.2; 18, 23–24 → §7.6; 26 → §7.5–7.6.