Welcome to today’s practice test!

Today’s practice test is based on subdomain 3.2 (Given a scenario, apply security principles to secure enterprise infrastructure) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.


#1. A security administrator at a healthcare provider is redesigning the internal network. To control lateral movement between departments, they recommend implementing segmentation using VLANs and access control lists. What primary security principle is this action supporting?

#2. An enterprise security engineer is implementing 802.1X on all access switches. Which benefit does this provide?

#3. An organization is choosing between deploying an NGFW or a traditional Layer 4 firewall. Which feature most differentiates the NGFW?

#4. A company requires remote employees to access internal systems securely. Which solution most effectively meets this need?

#5. An engineer configures a jump server for admins to access sensitive servers. Why is this approach recommended?

#6. Which configuration would most reduce the attack surface involving a new IoT device?

#7. A company deploys a SASE solution to improve remote access performance and security. What benefit does SASE primarily provide?

#8. A load balancer is implemented in front of a cluster of web servers. What availability principle is being enforced?

#9. What’s the primary difference between inline and tap/monitor devices in network security?

#10. What type of firewall inspects both Layer 4 and Layer 7 traffic?

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To view CompTIA Security+ practice tests on other days, click here. To view answers and explanations for today’s questions, expand the Answers accordion below.

Answers

Number, answer, and explanation for each question:

#1. Answer: C. Implementing segmentation with VLANs and ACLs to control lateral movement is a classic example of defense in depth. This strategy layers multiple security controls (such as network segmentation, firewalls, and access controls) to create multiple barriers, so if one fails, the others can still protect the system.

Availability ensures systems and data are accessible when needed. While segmentation can contribute to availability by limiting the impact of a breach, its primary purpose here is security containment, not ensuring uptime.

Least privilege is about granting users or systems only the minimum permissions necessary to perform their tasks. While ACLs can enforce least privilege for network access, the overarching strategy of also using segmentation to control lateral movement across an entire network aligns more broadly with defense in depth.

Obfuscation makes information or code harder to understand to deter analysis. It has no direct relation to network segmentation or controlling lateral movement.
#2. Answer: B. 802.1X is an IEEE standard for port-based Network Access Control (NAC). Its primary function is to authenticate users and devices (such as computers, printers, and IoT devices) against a central authentication server (e.g., RADIUS) before they are granted any access to the network.

IP spoofing prevention is typically handled by routing protocols, firewalls, or specific anti-spoofing mechanisms at network perimeters, not primarily by 802.1X on access switches.

While 802.1X can sometimes be part of securing wireless connections (e.g., WPA3 Enterprise), its core function on access switches for wired networks is authentication, not encrypting all data in transit at the hardware level. Data encryption is usually handled at higher layers or by VPNs.

Blocking zero-day threats using AI is a capability of advanced security solutions like Next-Generation Firewalls (NGFWs) or Endpoint Detection and Response (EDR) systems, not 802.1X.
#3. Answer: C. The most significant differentiating feature of a Next-Generation Firewall (NGFW) compared to a traditional Layer 4 firewall is its ability to perform application-layer filtering. It can identify, control, and inspect traffic based on the actual application being used (e.g., Facebook, Spotify, specific ERP modules) regardless of the port, rather than relying on IP addresses and ports alone.

Both traditional Layer 4 firewalls and NGFWs support port forwarding; it’s a basic routing/NAT function.

Both traditional Layer 4 firewalls and NGFWs perform stateful inspection, which tracks the state of network connections to allow legitimate return traffic.

Both types of firewalls count packets as part of their basic operation; this is not a differentiating feature.
#4. Answer: C. A Virtual Private Network (VPN) is specifically designed to create a secure, encrypted tunnel over an untrusted network (such as the internet), allowing remote employees to access internal systems as if they were physically on the company’s private network.

A Demilitarized Zone (DMZ) is a subnetwork that exposes public-facing services to the internet while isolating the internal network. It’s not primarily for secure remote employee access to internal systems.

An Intrusion Detection System (IDS) monitors network traffic for suspicious activity and alerts on threats. It doesn’t provide secure remote access.

Network Address Translation (NAT) maps private IP addresses to public ones (and vice versa) to conserve IP addresses and provide a basic layer of anonymity. It does not inherently provide secure, encrypted remote access.
#5. Answer: B. A jump server (or bastion host) acts as a hardened, controlled intermediary. Its primary purpose is to isolate administrative access by centralizing, monitoring, and securing the pathway that administrators use to reach sensitive internal servers, thereby separating that access from the broader network and other users.

A jump server is not designed for accelerating data transfers. Its role is secure access control.

Load balancing distributes traffic across multiple servers to optimize resource use and availability, a function unrelated to a jump server’s purpose.

Wi-Fi authentication is handled by specific wireless security protocols (like WPA3, 802.1X), not by a jump server which is for remote server access.
#6. Answer: B. Placing an IoT device into a separate VLAN (Virtual Local Area Network) isolates it from other network segments. This directly reduces its attack surface by limiting which other devices or networks can communicate with it, thereby minimizing its exposure to potential threats.

Installing a proxy server (often impractical on resource-constrained IoT devices) is for traffic management or filtering, not primarily for reducing the device’s inherent attack surface.

Enabling dual-stack IPv6 is a networking configuration for addressing, and does not inherently reduce the attack surface. If misconfigured, it could even introduce new vectors.

Passive monitoring is a detection control that observes threats, but it does not preventatively reduce the attack surface of the device itself.
#7. Answer: A. SASE (Secure Access Service Edge) merges wide area networking (WAN) and a full suite of network security functions (such as firewalls, secure web gateways, and Zero Trust Network Access) into a single, cloud-delivered platform. This provides consistent, optimized, and secure access for all users, regardless of location.

EDR focuses on endpoint protection and is a separate security domain, not the primary benefit or core offering of SASE.

Full-disk encryption is an endpoint security feature and falls outside the primary scope of what a SASE solution provides.

While SASE does include DNS security, its benefits are far broader than just DNS filtering on local networks, extending to secure access for all users from anywhere.
#8. Answer: B. Implementing a load balancer in front of web servers directly enforces resilience. By distributing traffic across multiple servers, it ensures that if one server fails, the others can continue to handle requests, maintaining service availability and making the system more resistant to failures.

Segmentation divides a network or system into isolated parts for security or management. It’s not for distributing load to maintain availability.

While load balancers enable scalability (by allowing you to add more servers), the principle they primarily enforce for an existing cluster is resilience against failure, keeping the service up when a server goes down. Scalability is about handling increased demand, while resilience is about handling failures. The question implies maintaining operations during a failure.

Patch management is the process of updating software to fix vulnerabilities or improve performance. It’s unrelated to how a load balancer improves availability.
#9. Answer: B. Inline devices (such as firewalls and IPSs) are placed directly in the network path, so all traffic flows through them, allowing them to actively inspect, modify, or block traffic in real time. Tap/monitor devices (such as IDSs or packet sniffers connected to network taps or SPAN ports), on the other hand, receive a copy of the traffic and only observe it, without affecting the actual traffic flow. (Read IDS vs IPS for an example.)

The statement “Inline devices only log; tap/monitor devices can block traffic” is incorrect. This is the opposite of reality. Inline devices can block, while tap/monitor devices generally cannot. Both can log.

Both types of devices typically require IP addresses for management, and many inline devices also require them for routing. This is not a primary differentiator.

Both inline and tap/monitor devices can decrypt TLS traffic if properly configured (e.g., with corresponding private keys or through specialized decryption solutions). This capability is not exclusive to one type.
#10. Answer: D. An NGFW inspects traffic beyond traditional ports and protocols (Layer 4), delving into application-layer (Layer 7) content to identify specific applications, users, and potential threats within the traffic stream.

Read about types of firewalls for more information.

A stateful firewall primarily inspects at Layer 3 (IP) and Layer 4 (ports/protocols), tracking connection states but not typically looking into application content.

While a proxy firewall operates at the application layer, it typically acts as an intermediary for specific application protocols (like HTTP/S), rather than inspecting all Layer 7 traffic in the comprehensive way an NGFW does across various applications. NGFWs often incorporate proxy-like functions.

A packet-filtering firewall operates at Layer 3 and Layer 4, making decisions based on IP addresses and ports only, without inspecting application content.