1. What is the primary purpose of a firewall?

A) To encrypt network traffic
B) To prevent unauthorized access to or from a private network
C) To scan and remove malware
D) To detect and respond to intrusions

Answer: B) To prevent unauthorized access to or from a private network
Explanation: A firewall acts as a security barrier that monitors and controls incoming and outgoing network traffic based on predefined security rules.


2. Which type of firewall operates at the network layer of the OSI model?

A) Packet-filtering firewall
B) Application firewall
C) Proxy firewall
D) Host-based firewall

Answer: A) Packet-filtering firewall
Explanation: Packet-filtering firewalls inspect packets at the network layer and filter them based on source and destination addresses, ports, and protocols.


3. Which of the following is a key advantage of an Intrusion Prevention System (IPS) over an Intrusion Detection System (IDS)?

A) IPS can block malicious traffic in real-time
B) IPS only monitors network traffic
C) IPS requires manual intervention to take action
D) IDS can prevent attacks while IPS only detects them

Answer: A) IPS can block malicious traffic in real-time
Explanation: An IDS only detects and alerts about intrusions, while an IPS can actively block malicious activities by enforcing security policies.


4. What does a stateful firewall do differently than a stateless firewall?

A) It inspects packet headers only
B) It tracks and maintains the state of active connections
C) It cannot block malicious traffic
D) It only operates on Layer 2

Answer: B) It tracks and maintains the state of active connections
Explanation: Stateful firewalls monitor active connections and use this information to make filtering decisions, offering better security than stateless firewalls.


5. Which IDS/IPS detection technique uses a database of known attack patterns?

A) Anomaly-based detection
B) Signature-based detection
C) Heuristic-based detection
D) Behavioral-based detection

Answer: B) Signature-based detection
Explanation: Signature-based detection compares network traffic to a database of known attack signatures to identify threats.


6. Which of the following is a limitation of signature-based IDS?

A) High false-positive rates
B) Cannot detect zero-day attacks
C) High performance impact on network traffic
D) Does not require any updates

Answer: B) Cannot detect zero-day attacks
Explanation: Since a signature-based IDS relies on known attack patterns, it cannot detect new, unknown threats such as zero-day attacks.


7. What does a Next-Generation Firewall (NGFW) provide that traditional firewalls do not?

A) Only packet filtering
B) Deep packet inspection and application-layer filtering
C) Only signature-based filtering
D) No additional security compared to traditional firewalls

Answer: B) Deep packet inspection and application-layer filtering
Explanation: NGFWs provide advanced features like deep packet inspection (DPI), application awareness, and intrusion prevention, enhancing network security.


8. In a properly configured network, where should an IDS be placed?

A) Behind the firewall
B) Outside the firewall
C) On an isolated network
D) Only on endpoint devices

Answer: A) Behind the firewall
Explanation: Placing an IDS behind the firewall allows it to monitor traffic that has already passed through some level of filtering.


9. What is a honeypot in the context of IDS/IPS?

A) A tool used to encrypt traffic
B) A decoy system designed to attract and analyze attackers
C) A type of firewall rule
D) A type of security patch

Answer: B) A decoy system designed to attract and analyze attackers
Explanation: A honeypot is a deliberately vulnerable system used to detect, analyze, and learn from attacks.


10. Which of the following firewalls inspects traffic at the application layer?

A) Packet-filtering firewall
B) Proxy firewall
C) Stateless firewall
D) Circuit-level firewall

Answer: B) Proxy firewall
Explanation: A proxy firewall filters traffic at the application layer, ensuring deeper inspection and control over protocols like HTTP and FTP.


11. What is the main purpose of a DMZ (Demilitarized Zone) in network security?

A) To provide encryption for all network traffic
B) To isolate public-facing services from the internal network
C) To slow down attackers
D) To store firewall logs

Answer: B) To isolate public-facing services from the internal network
Explanation: A DMZ hosts public services like web and mail servers while preventing direct access to the internal network.


12. What type of firewall rule is often used to allow specific traffic while blocking everything else?

A) Allow-all rule
B) Default deny rule
C) Default allow rule
D) Any-any rule

Answer: B) Default deny rule
Explanation: The default deny rule ensures only explicitly allowed traffic is permitted, reducing the attack surface.


13. Which of the following attacks is an IDS least effective at detecting?

A) SQL Injection
B) Buffer Overflow
C) Encrypted malware communication
D) Port scanning

Answer: C) Encrypted malware communication
Explanation: Since an IDS relies on analyzing packet payloads, encrypted communication can hide malicious content from detection.


14. What is the primary function of a Network-based IDS (NIDS)?

A) To monitor network traffic for suspicious activity
B) To protect a single host
C) To encrypt data transmissions
D) To authenticate users

Answer: A) To monitor network traffic for suspicious activity
Explanation: NIDS inspects packets across the network to detect anomalies or known attack patterns.


15. What is the main advantage of anomaly-based detection in IDS?

A) It never produces false positives
B) It can detect unknown threats and zero-day attacks
C) It only detects attacks that match known signatures
D) It requires no training

Answer: B) It can detect unknown threats and zero-day attacks
Explanation: Anomaly-based detection establishes a baseline of normal activity and alerts on deviations, helping identify new threats.


16. Which protocol is often used for remote firewall administration?

A) HTTP
B) SSH
C) Telnet
D) FTP

Answer: B) SSH
Explanation: Secure Shell (SSH) provides encrypted communication for secure remote administration.


17. What is Deep Packet Inspection (DPI) primarily used for in firewalls?

A) Checking only IP addresses
B) Inspecting packet contents beyond headers
C) Blocking all inbound traffic
D) Encrypting network traffic

Answer: B) Inspecting packet contents beyond headers
Explanation: DPI allows firewalls to analyze packet payloads to detect malware, intrusions, and policy violations.


18. What is the role of heuristic analysis in IDS/IPS?

A) It only detects known attack signatures
B) It uses predefined rules to block traffic
C) It identifies malicious behavior using pattern recognition
D) It is a type of firewall

Answer: C) It identifies malicious behavior using pattern recognition
Explanation: Heuristic analysis examines behavior patterns to detect potential threats, even if they don’t match known signatures.


19. Which type of firewall is best for internal network segmentation?

A) Host-based firewall
B) Proxy firewall
C) Network firewall
D) VLAN-based firewall

Answer: D) VLAN-based firewall
Explanation: VLAN firewalls help segment internal networks to control access and limit lateral movement.


20. What does IDS alert fatigue refer to?

A) Lack of IDS monitoring
B) Excessive false positives leading to ignored alerts
C) Slow IDS performance
D) Failure of IDS to detect attacks

Answer: B) Excessive false positives leading to ignored alerts
Explanation: If an IDS generates too many alerts, analysts may overlook important ones, reducing its effectiveness.


21. What is the primary difference between a host-based IDS (HIDS) and a network-based IDS (NIDS)?

A) HIDS monitors an entire network, while NIDS monitors a single host
B) HIDS monitors activities on a specific device, while NIDS monitors network traffic
C) HIDS cannot detect malware, while NIDS can
D) NIDS is installed on endpoints, while HIDS is installed on routers

Answer: B) HIDS monitors activities on a specific device, while NIDS monitors network traffic
Explanation: HIDS operates on individual hosts and analyzes system logs and activities, while NIDS inspects traffic flowing across the network.


22. Which of the following best describes an inline IPS?

A) It passively monitors network traffic
B) It actively blocks malicious traffic in real-time
C) It logs suspicious activities but does not block them
D) It only analyzes encrypted traffic

Answer: B) It actively blocks malicious traffic in real-time
Explanation: Inline IPS is positioned directly in the traffic path, allowing it to inspect and drop malicious packets immediately.


23. What type of attack does a firewall not typically protect against?

A) Distributed Denial of Service (DDoS)
B) SQL Injection
C) IP Spoofing
D) Port Scanning

Answer: B) SQL Injection
Explanation: Firewalls primarily filter network traffic, but SQL Injection targets application vulnerabilities that firewalls cannot directly mitigate.


24. What is the primary purpose of a bastion host in a firewall architecture?

A) To act as a secondary firewall
B) To provide a highly secured public-facing system
C) To encrypt internal network traffic
D) To serve as a honeypot

Answer: B) To provide a highly secured public-facing system
Explanation: A bastion host is a hardened system placed outside or in the DMZ to handle external connections securely.


25. Which firewall type examines the entire packet, including its payload, for threats?

A) Packet-filtering firewall
B) Stateful firewall
C) Deep Packet Inspection (DPI) firewall
D) Circuit-level gateway

Answer: C) Deep Packet Inspection (DPI) firewall
Explanation: DPI firewalls analyze both headers and payloads to detect malware, intrusions, and policy violations.


26. What is an example of an evasion technique used by attackers to bypass IDS/IPS?

A) Network Address Translation (NAT)
B) Fragmenting malicious payloads into smaller packets
C) Using a proxy server
D) Encrypting all outbound traffic

Answer: B) Fragmenting malicious payloads into smaller packets
Explanation: Attackers split attack payloads across multiple packets to evade detection by IDS/IPS.


27. What is the main function of a firewall rule “Deny Any Any”?

A) To allow all network traffic
B) To block all traffic that does not match prior rules
C) To enable unrestricted access to the internet
D) To block only incoming connections

Answer: B) To block all traffic that does not match prior rules
Explanation: The “Deny Any Any” rule ensures that if no other rule matches, traffic is denied by default.


28. Which of the following firewall technologies dynamically opens and closes ports based on active connections?

A) Proxy firewall
B) Stateful firewall
C) Packet-filtering firewall
D) Application firewall

Answer: B) Stateful firewall
Explanation: Stateful firewalls keep track of active connections and dynamically allow or deny traffic based on connection state.


29. What is a SYN flood attack, and how can firewalls help mitigate it?

A) It overwhelms a system with TCP connection requests; firewalls can limit connection rates
B) It encrypts traffic to bypass firewall inspection
C) It injects malicious SQL queries
D) It redirects traffic to a malicious website

Answer: A) It overwhelms a system with TCP connection requests; firewalls can limit connection rates
Explanation: SYN flood attacks exhaust system resources by sending numerous TCP connection requests. Firewalls can limit connection attempts to mitigate this.


30. How does an IPS differ from an Anti-virus solution?

A) IPS scans files for viruses, while Anti-virus blocks network traffic
B) IPS monitors and stops network attacks, while Anti-virus detects and removes malware on hosts
C) IPS only detects attacks but does not block them
D) There is no difference between IPS and Anti-virus

Answer: B) IPS monitors and stops network attacks, while Anti-virus detects and removes malware on hosts
Explanation: IPS is a network-based security solution, while Anti-virus is host-based and detects malicious software.


31. Which protocol is commonly used by firewalls to filter web traffic?

A) SSH
B) HTTP
C) ICMP
D) HTTP and HTTPS

Answer: D) HTTP and HTTPS
Explanation: Firewalls filter HTTP and HTTPS traffic to control access to web resources.


32. Which method can IDS/IPS use to prevent false positives?

A) Increasing the number of rules
B) Fine-tuning signatures and anomaly thresholds
C) Disabling logging
D) Blocking all traffic

Answer: B) Fine-tuning signatures and anomaly thresholds
Explanation: Proper configuration of IDS/IPS detection rules reduces false positives.


33. What is the role of whitelisting in firewall security?

A) It blocks all incoming traffic
B) It allows only predefined, trusted connections
C) It increases the attack surface
D) It prevents the use of encryption

Answer: B) It allows only predefined, trusted connections
Explanation: Whitelisting permits only specified IP addresses, applications, or traffic types.


34. What is the primary function of a Web Application Firewall (WAF)?

A) To monitor emails for spam
B) To protect against web application attacks like XSS and SQL Injection
C) To encrypt all network traffic
D) To detect physical intrusions

Answer: B) To protect against web application attacks like XSS and SQL Injection
Explanation: WAFs protect applications by filtering malicious web traffic.


35. What is a firewall “blacklist”?

A) A list of allowed IP addresses
B) A list of denied IP addresses or domains
C) A firewall log file
D) A VPN configuration file

Answer: B) A list of denied IP addresses or domains
Explanation: Blacklists contain known malicious IPs, domains, or applications that are blocked.


36. How does an IDS detect a port scan?

A) By detecting a large number of connection attempts to different ports
B) By blocking all outgoing traffic
C) By analyzing only encrypted traffic
D) By scanning for malware signatures

Answer: A) By detecting a large number of connection attempts to different ports
Explanation: An IDS detects rapid sequential probes of many ports as potential reconnaissance activity.


37. What is a “zero-trust” security model in firewalls?

A) It blocks all traffic by default and only allows verified access
B) It allows all internal traffic by default
C) It relies only on IDS for security
D) It does not use authentication

Answer: A) It blocks all traffic by default and only allows verified access
Explanation: Zero-trust enforces strict access controls, assuming no trust for any request.


38. What is the purpose of an egress firewall rule?

A) To allow all inbound traffic
B) To filter outgoing network traffic
C) To monitor encrypted packets
D) To only block incoming threats

Answer: B) To filter outgoing network traffic
Explanation: Egress rules restrict outgoing traffic, preventing unauthorized data leaks or connections to malicious sites.


39. Which firewall type is best suited for handling encrypted SSL/TLS traffic?

A) Packet-filtering firewall
B) Circuit-level firewall
C) SSL/TLS Inspection firewall
D) Proxy firewall

Answer: C) SSL/TLS Inspection firewall
Explanation: SSL/TLS inspection firewalls decrypt, inspect, and re-encrypt traffic to detect hidden threats.


40. What is the role of a Unified Threat Management (UTM) firewall?

A) It combines multiple security features into a single device
B) It only functions as an IDS
C) It only provides antivirus protection
D) It operates only on local networks

Answer: A) It combines multiple security features into a single device
Explanation: UTM firewalls integrate firewalls, IDS/IPS, anti-malware, and content filtering in one solution.


41. Which of the following can IDS/IPS solutions NOT detect effectively?

A) Brute force attacks
B) Malware hidden in encrypted traffic
C) SQL Injection attempts
D) Port scans

Answer: B) Malware hidden in encrypted traffic
Explanation: An IDS/IPS struggles with encrypted traffic unless it has decryption capabilities.


42. What does a firewall “implicit deny” rule do?

A) Allows all traffic unless explicitly blocked
B) Blocks all traffic unless explicitly allowed
C) Only logs suspicious traffic
D) Allows all internal network traffic

Answer: B) Blocks all traffic unless explicitly allowed
Explanation: Implicit deny means any traffic not explicitly allowed by rules is blocked by default.


43. What is the main risk of using a default-allow firewall rule?

A) It blocks legitimate traffic
B) It slows down network performance
C) It can allow unauthorized access if no deny rules exist
D) It increases CPU load

Answer: C) It can allow unauthorized access if no deny rules exist
Explanation: Default-allow rules permit all traffic unless explicitly blocked, leading to security gaps.


44. How does a firewall help prevent data exfiltration?

A) By detecting open ports
B) By blocking unauthorized outbound connections
C) By analyzing log files
D) By only inspecting inbound traffic

Answer: B) By blocking unauthorized outbound connections
Explanation: Firewalls can prevent data leaks by controlling outbound traffic.


45. What is the primary advantage of a cloud-based firewall?

A) It only filters local network traffic
B) It scales dynamically and protects distributed networks
C) It replaces the need for IDS/IPS
D) It does not require rule configuration

Answer: B) It scales dynamically and protects distributed networks
Explanation: Cloud firewalls offer security for cloud-based applications and scale with demand.


46. What type of intrusion detection uses predefined behavior rules to identify anomalies?

A) Signature-based IDS
B) Heuristic-based IDS
C) Passive IDS
D) Static IDS

Answer: B) Heuristic-based IDS
Explanation: Heuristic IDS analyzes behavior and deviations from normal patterns to detect threats.


47. What is the function of an application-layer firewall?

A) It inspects only network headers
B) It filters traffic based on application-specific rules
C) It allows all encrypted traffic
D) It does not perform deep packet inspection

Answer: B) It filters traffic based on application-specific rules
Explanation: Application-layer firewalls inspect and control traffic based on protocols like HTTP, FTP, and DNS.


48. How does a firewall handle fragmented packets in a potential attack?

A) It automatically allows them
B) It reassembles and inspects the full packet
C) It blocks all fragmented traffic
D) It only inspects the first fragment

Answer: B) It reassembles and inspects the full packet
Explanation: Firewalls reassemble fragmented packets to detect malicious payloads hidden across multiple fragments.


49. Which attack attempts to overload an IDS with excessive false alarms?

A) SYN flood
B) Evasion attack
C) Alert flooding attack
D) Man-in-the-middle attack

Answer: C) Alert flooding attack
Explanation: Attackers generate excessive false positives to overwhelm security teams and hide real attacks.


50. What is the role of Network Access Control (NAC) in conjunction with firewalls?

A) To authenticate and control device access to networks
B) To encrypt all outgoing data
C) To block all external connections
D) To only inspect web traffic

Answer: A) To authenticate and control device access to networks
Explanation: NAC ensures only authorized and compliant devices connect to a network.


51. What is an example of a false negative in IDS detection?

A) Blocking legitimate traffic as an attack
B) Allowing a real attack to go undetected
C) Generating too many alerts
D) Identifying harmless traffic as suspicious

Answer: B) Allowing a real attack to go undetected
Explanation: A false negative occurs when an IDS fails to detect an actual attack.


52. What is the benefit of implementing firewall rules with logging enabled?

A) It allows tracking of attempted attacks and policy violations
B) It slows down the network
C) It disables rule enforcement
D) It prevents all malware infections

Answer: A) It allows tracking of attempted attacks and policy violations
Explanation: Logging helps in forensic analysis and identifying attack patterns.


53. Which type of firewall uses AI/ML for adaptive threat detection?

A) Packet-filtering firewall
B) Stateful firewall
C) Next-Generation Firewall (NGFW)
D) Proxy firewall

Answer: C) Next-Generation Firewall (NGFW)
Explanation: NGFWs leverage AI/ML to dynamically detect and respond to evolving threats.


54. What attack exploits a misconfigured firewall by sending packets with a spoofed internal IP?

A) DDoS Attack
B) DNS Spoofing
C) IP Spoofing Attack
D) SQL Injection

Answer: C) IP Spoofing Attack
Explanation: IP spoofing tricks the firewall into treating external traffic as trusted internal traffic.


55. What is a common way to bypass IDS/IPS detection?

A) Using fragmented payloads
B) Sending unencrypted traffic
C) Disabling firewall logging
D) Increasing packet size

Answer: A) Using fragmented payloads
Explanation: Attackers fragment packets to evade IDS/IPS analysis.


56. Which firewall feature is used to limit the number of connections from a single IP?

A) Deep Packet Inspection (DPI)
B) Rate Limiting
C) Packet Logging
D) Port Forwarding

Answer: B) Rate Limiting
Explanation: Rate limiting helps prevent brute force attacks and DoS attacks by limiting excessive connections.


57. How does an IDS generate an alert for an ongoing attack?

A) By blocking the traffic immediately
B) By logging the event and notifying administrators
C) By encrypting the traffic
D) By disconnecting all users

Answer: B) By logging the event and notifying administrators
Explanation: An IDS detects anomalies and notifies security teams but does not actively block threats.


58. Why should firewall rules be reviewed regularly?

A) To optimize network speed
B) To ensure outdated or insecure rules are removed
C) To disable all security features
D) To allow all incoming traffic

Answer: B) To ensure outdated or insecure rules are removed
Explanation: Regular rule reviews help prevent security gaps and optimize firewall efficiency.


59. What is a major risk of overly permissive firewall rules?

A) Increased latency in packet processing
B) Higher chance of unauthorized access and exploitation
C) Blocking of all internal traffic
D) Firewall hardware failure

Answer: B) Higher chance of unauthorized access and exploitation
Explanation: Permissive firewall rules (e.g., “Allow Any Any”) expose networks to unauthorized access and cyber threats.


60. How can an attacker use ICMP packets to evade detection?

A) By encrypting payload data
B) By embedding malicious code in ping requests
C) By using ICMP to establish direct connections
D) By blocking firewall logs

Answer: B) By embedding malicious code in ping requests
Explanation: Attackers use ICMP tunneling to covertly send data or bypass firewall rules.


61. What technique does an attacker use to hide malicious traffic within legitimate packets?

A) Port forwarding
B) Packet fragmentation
C) DNS spoofing
D) MAC filtering

Answer: B) Packet fragmentation
Explanation: Attackers fragment packets so that IDS/IPS cannot detect the full malicious payload.


62. Why is a default “Allow All” rule dangerous in firewall configurations?

A) It slows down traffic
B) It allows all traffic, including malicious traffic
C) It only affects outgoing traffic
D) It makes logging difficult

Answer: B) It allows all traffic, including malicious traffic
Explanation: A default “Allow All” rule enables unrestricted access, leading to security risks.


63. What type of firewall rule is commonly used to prevent IP address spoofing?

A) Egress filtering
B) Static NAT
C) DHCP relay
D) VPN tunneling

Answer: A) Egress filtering
Explanation: Egress filtering prevents internal devices from sending packets with spoofed source IP addresses.


64. How does an attacker exploit an IDS/IPS with an insertion attack?

A) By inserting fake attack signatures into IDS logs
B) By sending packets that the IDS sees but the target system ignores
C) By modifying IDS rules remotely
D) By inserting encrypted packets

Answer: B) By sending packets that the IDS sees but the target system ignores
Explanation: An insertion attack manipulates how the IDS perceives traffic, so that its view differs from the target host's, in order to evade detection.


65. Which IDS detection method analyzes deviations from normal behavior?

A) Signature-based
B) Anomaly-based
C) Stateless detection
D) Proxy-based detection

Answer: B) Anomaly-based
Explanation: Anomaly-based IDS flags activity that deviates from learned network behavior.


66. Which firewall technology can restrict applications from accessing the internet?

A) Circuit-level firewall
B) Application control firewall
C) Packet-filtering firewall
D) Stateful firewall

Answer: B) Application control firewall
Explanation: Application control firewalls allow administrators to control specific applications’ internet access.


67. How does an attacker bypass a firewall using a tunneling attack?

A) By using encrypted packets
B) By encapsulating malicious traffic within a permitted protocol
C) By changing firewall rules
D) By sending oversized packets

Answer: B) By encapsulating malicious traffic within a permitted protocol
Explanation: Tunneling (e.g., DNS tunneling) hides malicious data inside allowed protocols.


68. Which method can help reduce false positives in an IDS?

A) Disabling logging
B) Fine-tuning detection thresholds
C) Allowing all inbound traffic
D) Blocking all encrypted traffic

Answer: B) Fine-tuning detection thresholds
Explanation: Properly configuring IDS rules minimizes false alarms while maintaining security.


69. What is the primary function of a circuit-level firewall?

A) Packet filtering
B) Application-layer filtering
C) Establishing virtual connections between internal and external hosts
D) Deep packet inspection

Answer: C) Establishing virtual connections between internal and external hosts
Explanation: Circuit-level firewalls ensure session integrity without inspecting packet contents.


70. What is the key benefit of running an IDS in passive mode?

A) It actively blocks traffic
B) It does not introduce network latency
C) It replaces firewalls
D) It encrypts all detected attacks

Answer: B) It does not introduce network latency
Explanation: Passive IDS monitors traffic without affecting network performance.


71. How does an IDS generate a “false positive” alert?

A) When an attack goes undetected
B) When legitimate activity is flagged as malicious
C) When a firewall blocks IDS alerts
D) When IDS logs are deleted

Answer: B) When legitimate activity is flagged as malicious
Explanation: False positives occur when an IDS incorrectly identifies benign activity as a threat.


72. Which security control is used to prevent lateral movement inside a network?

A) Intrusion Prevention System (IPS)
B) Micro-segmentation
C) VPN encryption
D) DNS filtering

Answer: B) Micro-segmentation
Explanation: Micro-segmentation isolates workloads to prevent attackers from moving laterally.


73. What is the purpose of a DMZ (Demilitarized Zone) in network security?

A) To provide unrestricted internet access
B) To isolate public-facing services from the internal network
C) To encrypt all outbound traffic
D) To disable firewall rules

Answer: B) To isolate public-facing services from the internal network
Explanation: A DMZ protects the internal network by limiting access to exposed services.


74. What is a common method for preventing Denial of Service (DoS) attacks on firewalls?

A) Logging all packets
B) Implementing rate limiting and connection timeouts
C) Using proxy firewalls only
D) Allowing all traffic through

Answer: B) Implementing rate limiting and connection timeouts
Explanation: Rate limiting prevents excessive connection requests from overwhelming a firewall.


75. How does an attacker use a replay attack against an IDS?

A) By replaying legitimate packets to bypass detection
B) By inserting attack signatures into IDS logs
C) By modifying IDS source code
D) By encrypting attack payloads

Answer: A) By replaying legitimate packets to bypass detection
Explanation: Attackers replay valid packets to fool the IDS into allowing malicious activity.


76. What feature of an IPS helps prevent data exfiltration?

A) Packet fragmentation
B) Deep packet inspection (DPI)
C) Port scanning
D) MAC filtering

Answer: B) Deep packet inspection (DPI)
Explanation: DPI inspects packet content to detect and prevent sensitive data leaks.


77. How can an attacker use port knocking to bypass a firewall?

A) By sending a specific sequence of connection attempts
B) By modifying firewall logs
C) By encrypting all network traffic
D) By using fragmented packets

Answer: A) By sending a specific sequence of connection attempts
Explanation: Port knocking allows access by triggering hidden firewall rules with a predefined sequence.


78. What is a key characteristic of a Zero Trust Architecture?

A) Implicit trust for internal users
B) Continuous verification of all access requests
C) Only allowing inbound traffic
D) Relying solely on IDS/IPS

Answer: B) Continuous verification of all access requests
Explanation: Zero Trust assumes no inherent trust and verifies all users and devices continuously.


79. What is the benefit of IDS log correlation with SIEM systems?

A) It enhances real-time attack detection and analysis
B) It automatically blocks all network traffic
C) It only stores logs without analyzing them
D) It prevents firewall rule changes

Answer: A) It enhances real-time attack detection and analysis
Explanation: Security Information and Event Management (SIEM) correlates IDS logs to detect complex threats.


80. How does an attacker use a blind attack against an IDS?

A) By sending encrypted payloads IDS cannot inspect
B) By deleting IDS logs
C) By modifying firewall rules
D) By spoofing MAC addresses

Answer: A) By sending encrypted payloads IDS cannot inspect
Explanation: Blind attacks use encryption to bypass IDS detection, preventing packet inspection.


81. What is the primary purpose of logging in a firewall or IDS/IPS system?

A) To slow down network traffic
B) To record and analyze security events
C) To automatically block all unauthorized users
D) To delete old security rules

Answer: B) To record and analyze security events
Explanation: Logging provides visibility into security incidents, aiding forensic analysis and compliance monitoring.


82. What does an IDS/IPS system use to identify and classify threats?

A) Only source IP addresses
B) Only firewall rules
C) Predefined signatures and behavioral analysis
D) MAC address filtering

Answer: C) Predefined signatures and behavioral analysis
Explanation: IDS/IPS detects threats using signature-based and anomaly-based methods.


83. Which of the following is an advantage of a cloud-based firewall over a traditional firewall?

A) It requires no internet connection
B) It scales dynamically and provides distributed protection
C) It does not support rule-based filtering
D) It only protects against malware

Answer: B) It scales dynamically and provides distributed protection
Explanation: Cloud-based firewalls offer scalability, centralized management, and security for cloud-based environments.


84. What is an IDS evasion technique that splits attack traffic across multiple packets?

A) Packet reassembly
B) Traffic filtering
C) Fragmentation attack
D) Stateful inspection

Answer: C) Fragmentation attack
Explanation: Attackers fragment malicious payloads to bypass IDS/IPS detection.


85. Why is an IDS/IPS less effective against encrypted threats?

A) Encrypted traffic hides malicious payloads from detection
B) IDS/IPS cannot analyze network packets
C) Encrypted traffic is always secure
D) IDS/IPS only operates at Layer 2 of the OSI model

Answer: A) Encrypted traffic hides malicious payloads from detection
Explanation: Without decryption capabilities, IDS/IPS cannot inspect encrypted malicious content.


86. What is the function of a Web Application Firewall (WAF)?

A) To filter network traffic at the router level
B) To protect applications from attacks like SQL Injection and XSS
C) To inspect only email traffic
D) To monitor DNS traffic

Answer: B) To protect applications from attacks like SQL Injection and XSS
Explanation: WAFs protect web applications by filtering and monitoring HTTP/HTTPS traffic.


87. How does an attacker use a polymorphic attack to evade IDS/IPS?

A) By using multiple source IP addresses
B) By continuously changing the attack payload
C) By increasing the packet size
D) By disabling IDS logging

Answer: B) By continuously changing the attack payload
Explanation: Polymorphic malware changes its code structure to evade signature-based detection.


88. What is a key challenge of deploying an IDS in a high-speed network?

A) Increased latency in encrypted traffic
B) Limited ability to detect malware
C) High data volume may overwhelm the IDS, leading to missed detections
D) IDS cannot inspect DNS queries

Answer: C) High data volume may overwhelm the IDS, leading to missed detections
Explanation: High-speed networks generate massive traffic, which may cause performance issues for IDS systems.


89. What is a limitation of a stateful firewall?

A) It cannot track active connections
B) It cannot filter based on application-level rules
C) It cannot filter based on IP addresses
D) It cannot log network traffic

Answer: B) It cannot filter based on application-level rules
Explanation: Stateful firewalls track session states but lack deep packet inspection for application filtering.


90. What is an example of a heuristic-based IDS approach?

A) Comparing network traffic to known malware signatures
B) Detecting suspicious behavior that deviates from normal activity
C) Blocking all outbound traffic
D) Filtering only HTTP and HTTPS traffic

Answer: B) Detecting suspicious behavior that deviates from normal activity
Explanation: A heuristic-based IDS applies rules of thumb about what suspicious activity looks like rather than exact byte signatures; in this quiz it is grouped with anomaly-based detection, which flags deviations from a learned baseline of normal behaviour.


91. Which firewall type acts as an intermediary between users and the internet?

A) Packet-filtering firewall
B) Proxy firewall
C) Stateful firewall
D) Circuit-level firewall

Answer: B) Proxy firewall
Explanation: Proxy firewalls intercept and filter user requests before passing them to the destination.


92. Why is a rule-based approach sometimes insufficient for IDS detection?

A) It can generate false positives and fail to detect new attacks
B) It only detects outbound traffic
C) It automatically blocks all network activity
D) It does not require frequent updates

Answer: A) It can generate false positives and fail to detect new attacks
Explanation: Rule-based detection relies on known signatures, making it ineffective against zero-day threats.


93. What is a primary advantage of an Intrusion Prevention System (IPS) over an IDS?

A) IPS actively blocks threats in real-time
B) IPS only monitors network logs
C) IPS does not analyze network packets
D) IPS does not require maintenance

Answer: A) IPS actively blocks threats in real-time
Explanation: Unlike IDS, an IPS can block malicious activities before they affect the network.


94. Which of the following firewall configurations is the most restrictive?

A) Default deny all, allow specific services
B) Default allow all, block specific services
C) Open all ports by default
D) Only allow outbound traffic

Answer: A) Default deny all, allow specific services
Explanation: This rule ensures that only explicitly allowed traffic is permitted, enhancing security.


95. What is a risk of failing to update firewall rules regularly?

A) Increased vulnerability to new attack techniques
B) Slower internet speeds
C) Increased number of false positives
D) Increased CPU usage

Answer: A) Increased vulnerability to new attack techniques
Explanation: Attackers evolve, and outdated firewall rules leave systems exposed to emerging threats.


96. How does an attacker use a firewalking technique?

A) By discovering which ports are open beyond a firewall
B) By brute-forcing firewall credentials
C) By modifying firewall rules
D) By injecting SQL queries

Answer: A) By discovering which ports are open beyond a firewall
Explanation: Firewalking sends probes with the IP TTL set to expire one hop beyond the firewall; ports whose probes elicit an ICMP "time exceeded" reply are being passed by the firewall, which maps its rule set without ever completing a connection to the target.


97. Why should firewall administrators monitor outbound traffic?

A) To detect and prevent data exfiltration
B) To optimize bandwidth usage
C) To allow faster network speeds
D) To block all incoming connections

Answer: A) To detect and prevent data exfiltration
Explanation: Monitoring outbound traffic helps identify data leaks or unauthorized data transfers.


98. What is the main purpose of a honeypot in cybersecurity?

A) To act as a real firewall
B) To lure attackers into interacting with a decoy system
C) To monitor only outbound connections
D) To replace an IDS

Answer: B) To lure attackers into interacting with a decoy system
Explanation: Honeypots attract attackers, allowing analysts to study their methods.


99. What is the role of a Security Information and Event Management (SIEM) system in IDS?

A) To collect, analyze, and correlate security event logs
B) To replace firewalls
C) To encrypt network traffic
D) To disable IDS logging

Answer: A) To collect, analyze, and correlate security event logs
Explanation: SIEM platforms help aggregate and analyze logs to detect threats more effectively.


100. Which IDS/IPS evasion technique involves sending fragmented attack payloads at irregular intervals?

A) Traffic replay
B) Low-and-slow attack
C) MAC flooding
D) ICMP redirection

Answer: B) Low-and-slow attack
Explanation: Low-and-slow attacks avoid detection by sending small amounts of malicious traffic over time.


101. What is a key disadvantage of signature-based IDS detection?

A) It has a high detection rate for zero-day attacks
B) It requires frequent updates to detect new threats
C) It generates no false positives
D) It does not need a database of attack patterns

Answer: B) It requires frequent updates to detect new threats
Explanation: Since signature-based IDS relies on predefined attack patterns, its signature database must be updated regularly to detect new attacks; anything without a signature yet passes unnoticed.


102. How does an attacker use a “session hijacking” attack to bypass firewalls?

A) By blocking all firewall logs
B) By injecting malicious packets into an existing session
C) By modifying firewall rule sets
D) By scanning for open ports

Answer: B) By injecting malicious packets into an existing session
Explanation: Session hijacking involves intercepting or injecting packets into a legitimate session to gain unauthorized access.


103. What is the main function of a transparent firewall?

A) It encrypts all network traffic
B) It filters traffic without changing network topology
C) It replaces IDS functionality
D) It blocks all outbound connections

Answer: B) It filters traffic without changing network topology
Explanation: Transparent firewalls operate at Layer 2, filtering traffic without requiring reconfiguration of the network.


104. Which firewall feature can prevent attackers from scanning for open ports?

A) MAC address filtering
B) Port knocking
C) Application-layer filtering
D) Static routing

Answer: B) Port knocking
Explanation: With port knocking the service port stays closed (a scanner sees nothing listening) until the client first sends a predefined sequence of connection attempts to other closed ports; only then is the port opened, usually for that source address and for a limited time.
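
The gate described above, as an added example that is not part of the quiz: a knock tracker that opens the protected port for a source address only after the secret sequence arrives in order within a time window, and closes it again after a lease. The sequence, window, lease and addresses are assumptions for the example; a sequential port scan hits the knock ports too, but with wrong ports in between, so it never opens the gate.

```python
"""Port-knocking gate (added example; sequence and timings are assumptions)."""

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret sequence of closed ports
KNOCK_WINDOW = 10.0                   # seconds allowed to complete the sequence
OPEN_FOR = 30.0                       # seconds the protected port stays open
PROTECTED_PORT = 22


class KnockGate:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_FOR):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self._progress = {}   # src_ip -> (knocks matched so far, time of first knock)
        self._opened = {}     # src_ip -> time the gate opened for that source

    def knock(self, src_ip, port, now):
        """Record a connection attempt to a closed port. Returns True if this
        knock completed the sequence and opened the protected port for src_ip."""
        matched, started = self._progress.get(src_ip, (0, now))
        if matched and now - started > self.window:
            matched = 0                          # too slow: start over
        if port == self.sequence[matched]:
            if matched == 0:
                started = now                    # first correct knock starts the clock
            matched += 1
        else:
            # Any wrong port resets progress, so a scanner walking ports one by one
            # never completes the sequence. A wrong knock that happens to be the
            # first knock port counts as a fresh start.
            matched, started = (1, now) if port == self.sequence[0] else (0, now)
        if matched == len(self.sequence):
            self._opened[src_ip] = now
            self._progress.pop(src_ip, None)
            return True
        self._progress[src_ip] = (matched, started)
        return False

    def is_open(self, src_ip, now):
        """Firewall check for a packet from src_ip to PROTECTED_PORT."""
        opened = self._opened.get(src_ip)
        if opened is None:
            return False
        if now - opened > self.open_for:
            del self._opened[src_ip]             # lease expired: closed again
            return False
        return True


def sequential_scan_opens_port(ports=range(1, 10001)):
    """A scanner sweeping every port upward: does the gate ever open for it?"""
    gate = KnockGate()
    t = 0.0
    for p in ports:
        if gate.knock("203.0.113.9", p, t):
            return True
        t += 0.001                               # fast scan, well inside the window
    return gate.is_open("203.0.113.9", t)


def legitimate_knock_opens_port():
    """Correct sequence, in order, within the window: open, then expires."""
    gate = KnockGate()
    gate.knock("198.51.100.7", 7000, 0.0)
    gate.knock("198.51.100.7", 8000, 1.0)
    opened = gate.knock("198.51.100.7", 9000, 2.0)
    return opened and gate.is_open("198.51.100.7", 5.0) and not gate.is_open("198.51.100.7", 40.0)


def slow_knock_opens_port():
    """Same sequence, but the second knock arrives after the window expired."""
    gate = KnockGate()
    gate.knock("198.51.100.8", 7000, 0.0)
    gate.knock("198.51.100.8", 8000, 20.0)       # 20 s > KNOCK_WINDOW: progress reset
    return gate.knock("198.51.100.8", 9000, 21.0)
```

Port knocking is obscurity plus a weak shared secret: anyone who can sniff the knock can replay it, so it belongs in front of a properly authenticated service, not instead of one.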


105. What is the purpose of rate limiting in an IPS?

A) To slow down the network
B) To prevent brute-force attacks and DoS attempts
C) To encrypt all network traffic
D) To allow all traffic through the firewall

Answer: B) To prevent brute-force attacks and DoS attempts
Explanation: Rate limiting controls the number of requests from a source, reducing the impact of DoS and brute-force attacks.


106. What is the primary function of a Deception Technology system in network security?

A) To replace firewalls
B) To mislead attackers with fake assets like honeypots
C) To encrypt network traffic
D) To provide firewall rule updates

Answer: B) To mislead attackers with fake assets like honeypots
Explanation: Deception Technology uses fake systems (honeypots, honeytokens) to detect and analyze attacks.


107. What type of attack does a DNS firewall help prevent?

A) SQL Injection
B) Malware-infected domains and command-and-control (C2) communication
C) Brute-force attacks
D) Port scanning

Answer: B) Malware-infected domains and command-and-control (C2) communication
Explanation: DNS firewalls block access to malicious domains to prevent malware infections and C2 communication.


108. What is the main benefit of implementing firewall rule groups based on user identity?

A) It increases network latency
B) It allows granular access control based on roles
C) It disables all traffic filtering
D) It only applies to outbound traffic

Answer: B) It allows granular access control based on roles
Explanation: Identity-based firewall rules enforce access controls per user, improving security.


109. What does a “zero-day attack” refer to in the context of IDS/IPS?

A) An attack using outdated malware
B) An attack exploiting an unknown vulnerability before a fix is available
C) A simulated penetration test
D) An attack that only affects web applications

Answer: B) An attack exploiting an unknown vulnerability before a fix is available
Explanation: Zero-day attacks target vulnerabilities that have not yet been patched or publicly disclosed.


110. Why are outbound firewall rules as important as inbound rules?

A) They prevent unauthorized data exfiltration
B) They slow down internet connections
C) They block all incoming traffic
D) They replace the need for IDS/IPS

Answer: A) They prevent unauthorized data exfiltration
Explanation: Outbound rules stop malware from sending stolen data to an attacker’s server.


111. What is the main function of a Security Gateway Firewall?

A) To encrypt all network traffic
B) To apply security policies to network traffic entering or leaving a protected environment
C) To replace all IDS functionality
D) To store firewall logs indefinitely

Answer: B) To apply security policies to network traffic entering or leaving a protected environment
Explanation: Security gateway firewalls enforce security policies on traffic between trusted and untrusted networks.


112. How does an attacker use a “low-and-slow” attack to evade IDS detection?

A) By sending traffic in small amounts over a long period
B) By encrypting the attack payload
C) By overloading IDS logs
D) By disabling firewall rules

Answer: A) By sending traffic in small amounts over a long period
Explanation: Low-and-slow attacks operate under the radar by slowly executing an attack over time.


113. What is the primary role of a bastion host in network security?

A) To act as a highly secured public-facing system
B) To disable all firewall protections
C) To act as a personal computer firewall
D) To bypass firewall filtering

Answer: A) To act as a highly secured public-facing system
Explanation: A bastion host is a hardened server exposed to untrusted networks to handle secure communication.


114. What is a key security risk of allowing outbound connections on all ports?

A) It increases the attack surface for data exfiltration
B) It prevents unauthorized access
C) It improves IDS detection
D) It allows only encrypted traffic

Answer: A) It increases the attack surface for data exfiltration
Explanation: Attackers can exploit unrestricted outbound connections to exfiltrate data or communicate with command-and-control servers.


115. Which of the following technologies is commonly used to detect insider threats?

A) Application firewall
B) User and Entity Behavior Analytics (UEBA)
C) Static firewall rules
D) VPN encryption

Answer: B) User and Entity Behavior Analytics (UEBA)
Explanation: UEBA monitors user behavior patterns to detect suspicious activities indicative of insider threats.


116. What is an advantage of implementing a dual-homed firewall?

A) It isolates internal networks from external threats
B) It disables all incoming traffic
C) It automatically updates all firewall rules
D) It functions as an IDS replacement

Answer: A) It isolates internal networks from external threats
Explanation: A dual-homed firewall has two network interfaces, acting as a barrier between internal and external networks.


117. How does an attacker use a SYN flood to disrupt network services?

A) By sending excessive TCP handshake requests without completing them
B) By encrypting attack payloads
C) By spoofing DNS responses
D) By modifying firewall logs

Answer: A) By sending excessive TCP handshake requests without completing them
Explanation: SYN floods exhaust system resources by overwhelming a server with half-open TCP connections.


118. What is the purpose of a “default deny” rule in firewalls?

A) To block all traffic that is not explicitly allowed
B) To allow all traffic by default
C) To replace intrusion detection systems
D) To slow down malicious traffic

Answer: A) To block all traffic that is not explicitly allowed
Explanation: A “default deny” policy ensures only authorized traffic passes through the firewall.


119. How does an attacker use a watering hole attack to bypass IDS?

A) By compromising a trusted website to infect visitors
B) By modifying firewall rules
C) By encrypting attack payloads
D) By sending brute-force login attempts

Answer: A) By compromising a trusted website to infect visitors
Explanation: Watering hole attacks target frequently visited websites to infect victims indirectly.


120. What is a main benefit of integrating IDS logs with SIEM platforms?

A) Enhanced correlation and analysis of security events
B) Slower network speeds
C) Reduced firewall effectiveness
D) Automatic IDS rule generation

Answer: A) Enhanced correlation and analysis of security events
Explanation: SIEM platforms centralize security event data for better threat detection and response.


121. Which of the following is a primary advantage of network-based IDS (NIDS)?

A) It protects individual hosts directly
B) It monitors network traffic in real-time
C) It only scans encrypted traffic
D) It replaces the need for firewalls

Answer: B) It monitors network traffic in real-time
Explanation: NIDS analyzes network traffic across multiple systems, detecting threats in real-time.


122. What is an example of an advanced persistent threat (APT) evading IDS detection?

A) Launching a DDoS attack
B) Using slow and stealthy data exfiltration over time
C) Sending an immediate mass phishing campaign
D) Randomly scanning for open ports

Answer: B) Using slow and stealthy data exfiltration over time
Explanation: APTs avoid detection by using low-and-slow attack techniques to remain undetected for extended periods.


123. What type of IDS detection mechanism is most effective for detecting zero-day attacks?

A) Signature-based detection
B) Anomaly-based detection
C) Static rule-based detection
D) MAC filtering

Answer: B) Anomaly-based detection
Explanation: Anomaly-based IDS can detect new threats by identifying deviations from normal network behavior.


124. What is a key advantage of a stateful firewall over a stateless firewall?

A) It does not require rule configuration
B) It can track the state of active connections
C) It does not inspect packet headers
D) It allows all inbound traffic

Answer: B) It can track the state of active connections
Explanation: Stateful firewalls maintain session information, providing more security than simple stateless filtering.


125. Which technique helps prevent SYN flood attacks?

A) Deep packet inspection (DPI)
B) SYN cookies
C) DNS filtering
D) MAC address blocking

Answer: B) SYN cookies
Explanation: With SYN cookies the server encodes the handshake state (a coarse timestamp, the client's MSS and a keyed hash of the connection tuple) into its initial sequence number instead of allocating a half-open connection; a half-open entry is created only when the client's final ACK carries that number back, so a flood of SYNs consumes no server state.
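
The mechanism in the explanation above, as an added example (not from the quiz): a stateless SYN-cookie generator and validator. The 32-bit layout (6-bit 64-second tick, 2-bit MSS table index, 24-bit keyed hash), the secret, the MSS table and the addresses are assumptions chosen for the example; real kernels rotate the secret and use their own layout, but the principle is the same.

```python
"""Stateless SYN-cookie handshake (added example; layout and secret are assumptions)."""
import hashlib
import hmac
import socket
import struct

MSS_TABLE = (536, 1300, 1440, 1460)          # encodable MSS values (2-bit index)
SECRET = b"constructed-example-secret"       # assumed; rotate regularly in practice
TICK_SECONDS = 64
MAX_TICK_AGE = 1                             # accept the current or previous tick only


def _tick(now):
    return (int(now) // TICK_SECONDS) & 0x3F


def _keyed_hash(secret, saddr, daddr, sport, dport, client_isn, tick):
    msg = struct.pack("!4s4sHHII", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, client_isn, tick)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, now, secret=SECRET):
    """Server ISN to send in the SYN/ACK; nothing is stored."""
    tick = _tick(now)
    # Largest table entry not exceeding the client's advertised MSS (index 0 as floor).
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    return (tick << 26) | (mss_idx << 24) | _keyed_hash(secret, saddr, daddr, sport, dport, client_isn, tick)


def check_syn_cookie(cookie, saddr, daddr, sport, dport, client_isn, now, secret=SECRET):
    """Validate the ISN recovered from the client's ACK. Returns the MSS to use,
    or None if the cookie is forged or too old."""
    tick = (cookie >> 26) & 0x3F
    mss_idx = (cookie >> 24) & 0x3
    if (_tick(now) - tick) & 0x3F > MAX_TICK_AGE:
        return None
    expected = _keyed_hash(secret, saddr, daddr, sport, dport, client_isn, tick)
    # Constant-time compare so timing does not leak which bits were right.
    if not hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


class SynCookieServer:
    """Listener that never keeps a half-open connection."""
    def __init__(self, addr="192.0.2.10", port=443):
        self.addr, self.port = addr, port
        self.established = {}   # only fully handshaken connections consume memory

    def on_syn(self, src, sport, client_isn, mss, now):
        return make_syn_cookie(src, self.addr, sport, self.port, client_isn, mss, now)

    def on_ack(self, src, sport, seq, ack, now):
        # In the final ACK, seq = client_isn + 1 and ack = server_isn + 1.
        mss = check_syn_cookie((ack - 1) & 0xFFFFFFFF, src, self.addr, sport, self.port,
                               (seq - 1) & 0xFFFFFFFF, now)
        if mss is None:
            return False
        self.established[(src, sport)] = mss
        return True


def demo():
    """A SYN flood leaves no state; a real handshake completes; forged or stale ACKs fail."""
    srv = SynCookieServer()
    for i in range(50_000):                        # flood from spoofed sources, nothing stored
        srv.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i % 60000, i * 7919, 1460, now=1000.0)
    isn = srv.on_syn("198.51.100.5", 40000, 123456, 1460, now=1000.0)
    legit = srv.on_ack("198.51.100.5", 40000, 123457, isn + 1, now=1001.0)
    forged = srv.on_ack("198.51.100.5", 40001, 1, 0xDEADBEEF, now=1001.0)
    stale = srv.on_ack("198.51.100.5", 40000, 123457, isn + 1, now=1000.0 + 3 * TICK_SECONDS)
    return {"established": len(srv.established), "legit": legit, "forged": forged, "stale": stale}
```

The price of statelessness is visible in the code: only a handful of MSS values can be encoded, and TCP options that would normally live in the half-open entry are lost, which is why kernels enable cookies only once the SYN backlog overflows.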


126. What is a potential risk of a poorly configured IPS?

A) It may slow down encrypted traffic
B) It may block legitimate network activity (false positives)
C) It does not affect network traffic
D) It automatically detects all zero-day threats

Answer: B) It may block legitimate network activity (false positives)
Explanation: Overly aggressive IPS rules may lead to false positives, disrupting legitimate network services.


127. Which firewall technology can inspect SSL-encrypted traffic?

A) Packet-filtering firewall
B) Circuit-level firewall
C) SSL/TLS decryption firewall
D) Proxy-based firewall

Answer: C) SSL/TLS decryption firewall
Explanation: SSL decryption firewalls decrypt traffic to inspect for threats before re-encrypting and forwarding it.


128. Why is network segmentation important for firewall security?

A) It allows all devices to communicate freely
B) It reduces the spread of malware and limits attack impact
C) It eliminates the need for firewalls
D) It disables IDS alerts

Answer: B) It reduces the spread of malware and limits attack impact
Explanation: Network segmentation isolates critical systems, reducing lateral movement by attackers.


129. What does a firewall “blacklist” do?

A) Blocks specific IP addresses or domains
B) Allows all network traffic
C) Encrypts all network traffic
D) Only logs traffic without blocking it

Answer: A) Blocks specific IP addresses or domains
Explanation: Blacklists prevent traffic from known malicious IPs, domains, or applications.


130. How does an attacker use a DNS tunneling attack to bypass firewalls?

A) By encrypting all data traffic
B) By hiding malicious payloads in DNS queries
C) By modifying firewall rules
D) By using only TCP traffic

Answer: B) By hiding malicious payloads in DNS queries
Explanation: DNS tunneling exploits DNS requests to bypass security controls and communicate with remote attackers.
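
Detection logic for the tunnelling described above, as an added example (not from the quiz): a tunnel encodes data in long, high-entropy labels under a domain the attacker controls, uses a fresh subdomain for nearly every query and often asks for TXT or NULL records to carry data back. Scoring each registered domain on those features separates it from ordinary lookups. The query log, domains and thresholds are constructed for the example; the registered-domain helper takes the last two labels, where production code should consult the Public Suffix List.

```python
"""DNS tunnelling heuristics over a query log (added example; log is constructed)."""
import hashlib
import math
from collections import defaultdict

DATA_QTYPES = {"TXT", "NULL", "CNAME"}


def _constructed_queries():
    """(client, qtype, qname) tuples: ordinary traffic plus one tunnel client."""
    benign = [
        ("10.1.1.20", "A", "www.example.com"),
        ("10.1.1.20", "A", "cdn.example.com"),
        ("10.1.1.21", "A", "www.example.com"),
        ("10.1.1.21", "AAAA", "mail.example.com"),
        ("10.1.1.22", "A", "api.example.com"),
        ("10.1.1.22", "A", "login.microsoftonline.com"),
        ("10.1.1.23", "A", "www.example.com"),
        ("10.1.1.23", "TXT", "_dmarc.example.com"),
    ]
    # Tunnel client: every query carries a fresh 60-hex-character chunk of data.
    tunnel = []
    for i in range(12):
        chunk = hashlib.sha256(f"exfil-chunk-{i}".encode()).hexdigest()[:60]
        tunnel.append(("10.1.1.30", "TXT", f"{chunk}.t.badc0de.net"))
    return benign + tunnel


SAMPLE_QUERIES = _constructed_queries()


def registered_domain(qname):
    # Last two labels; real code should use the Public Suffix List (co.uk etc.).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(queries):
    """Per registered domain: query count, unique-subdomain ratio, mean subdomain
    length, mean subdomain entropy and the share of data-carrying query types."""
    per = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "data": 0})
    for _client, qtype, qname in queries:
        dom = registered_domain(qname)
        labels = qname.rstrip(".").split(".")
        sub = ".".join(labels[:-2])
        d = per[dom]
        d["n"] += 1
        d["subs"].add(sub)
        d["len"] += len(sub)
        d["ent"] += shannon_entropy(sub)
        d["data"] += qtype in DATA_QTYPES
    return {
        dom: {
            "queries": d["n"],
            "unique_ratio": len(d["subs"]) / d["n"],
            "avg_sub_len": d["len"] / d["n"],
            "avg_entropy": d["ent"] / d["n"],
            "data_qtype_ratio": d["data"] / d["n"],
        }
        for dom, d in per.items()
    }


def flag_tunnels(stats, min_queries=5, min_len=30.0, min_entropy=3.0, min_unique=0.8):
    """Domains whose subdomains look like an encoded channel. The thresholds are
    starting points; tune them against your own baseline (CDNs and some telemetry
    services also produce long, unique labels) to keep false positives down."""
    return {
        dom for dom, s in stats.items()
        if s["queries"] >= min_queries
        and s["avg_sub_len"] >= min_len
        and s["avg_entropy"] >= min_entropy
        and s["unique_ratio"] >= min_unique
    }
```

Blocking the flagged domain at the DNS firewall stops the channel; the same statistics, kept over a longer window, also catch tunnels that keep each query small and slow.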


131. What is the function of a firewall “whitelist”?

A) Blocks all unknown traffic
B) Allows only approved IPs, applications, or domains
C) Filters network packets randomly
D) Increases false positives

Answer: B) Allows only approved IPs, applications, or domains
Explanation: Whitelists enhance security by only allowing traffic from explicitly trusted sources.


132. What is a key benefit of deploying a host-based firewall?

A) It provides protection for a specific device regardless of the network
B) It replaces all network security controls
C) It only inspects inbound traffic
D) It requires a network gateway to function

Answer: A) It provides protection for a specific device regardless of the network
Explanation: Host-based firewalls protect individual endpoints, offering security even in untrusted networks.


133. How does a Web Application Firewall (WAF) differ from a network firewall?

A) WAF focuses on securing web applications, while network firewalls secure overall network traffic
B) WAF does not analyze HTTP traffic
C) WAF can replace an IDS
D) Network firewalls only detect malware

Answer: A) WAF focuses on securing web applications, while network firewalls secure overall network traffic
Explanation: WAFs protect web applications from threats like SQL injection and XSS.


134. What security risk does an open SMTP relay pose?

A) It can be used to send spam emails or launch phishing attacks
B) It slows down IDS detection
C) It encrypts all outgoing messages
D) It only affects internal traffic

Answer: A) It can be used to send spam emails or launch phishing attacks
Explanation: Open SMTP relays allow attackers to send spam and malicious emails without authentication.


135. Which security measure helps prevent brute-force attacks against login pages?

A) Implementing account lockout policies
B) Allowing unlimited login attempts
C) Blocking all outbound traffic
D) Filtering DNS traffic

Answer: A) Implementing account lockout policies
Explanation: Lockout policies restrict failed login attempts, preventing brute-force attacks.


136. What is the role of Security Information and Event Management (SIEM) in relation to IDS?

A) It aggregates and analyzes security logs for better threat detection
B) It replaces IDS
C) It only stores logs without analysis
D) It disables network encryption

Answer: A) It aggregates and analyzes security logs for better threat detection
Explanation: SIEM integrates with IDS/IPS to correlate security events and detect complex attacks.


137. What is the primary purpose of a honeypot in cybersecurity?

A) To act as a decoy system to detect and study attacks
B) To encrypt network traffic
C) To replace firewalls
D) To monitor employee productivity

Answer: A) To act as a decoy system to detect and study attacks
Explanation: Honeypots lure attackers into interacting with fake systems to analyze their methods.


138. Why are overly broad firewall rules a security risk?

A) They can allow unauthorized access to sensitive resources
B) They improve network performance
C) They encrypt all network traffic
D) They reduce firewall maintenance

Answer: A) They can allow unauthorized access to sensitive resources
Explanation: Broad firewall rules create security gaps, making networks vulnerable to attacks.


139. How does an attacker use a reverse shell to bypass firewall restrictions?

A) By establishing an outbound connection from the compromised system
B) By scanning open ports
C) By modifying firewall logs
D) By sending large data packets

Answer: A) By establishing an outbound connection from the compromised system
Explanation: Reverse shells allow attackers to bypass inbound firewall rules by initiating outbound communication.


140. Why is regular firewall rule auditing important?

A) To remove outdated or unnecessary rules that could be exploited
B) To allow all traffic without inspection
C) To disable all IDS alerts
D) To prevent encryption failures

Answer: A) To remove outdated or unnecessary rules that could be exploited
Explanation: Regular audits ensure that firewall rules align with security policies and do not introduce vulnerabilities.


141. What is the purpose of an Intrusion Detection and Prevention System (IDPS)?

A) To monitor and block potential security threats in real-time
B) To replace firewall functionality
C) To allow all encrypted traffic without inspection
D) To slow down network connections

Answer: A) To monitor and block potential security threats in real-time
Explanation: An IDPS monitors network activity for threats and can actively block malicious traffic.


142. How does an attacker use a TCP ACK scan to bypass a firewall?

A) By sending TCP packets with the ACK flag set so that a filter which treats any ACK as part of an established connection lets them through
B) By encrypting malicious payloads
C) By using DNS tunneling
D) By modifying firewall rules

Answer: A) By sending TCP packets with the ACK flag set so that a filter which treats any ACK as part of an established connection lets them through
Explanation: An ACK scan exploits simple (stateless) filters that approximate "established" by checking the ACK flag: the probe passes, the target answers with RST, and the attacker learns which ports the filter leaves open. A genuinely stateful firewall drops such packets because no matching connection exists in its table, which is why the scan is also used to tell stateful from stateless filtering.
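
The difference between the two filters, as an added example (not from the quiz) that also illustrates the stateful-firewall advantage of question 124: the stateless filter passes any inbound packet with ACK set, so the scanner's probe reaches an internal host; the stateful filter allows a reply only when an inside host opened the flow. Addresses, ports and the minimal connection table are constructed for the example.

```python
"""Stateless versus stateful handling of an ACK-scan probe (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset     # subset of {"SYN", "ACK", "RST", "FIN"}


class StatelessFilter:
    """Inbound rules: allow listed service ports; allow anything with ACK set
    (the classic, flawed way to approximate 'established' without state)."""
    def __init__(self, inbound_ports):
        self.inbound_ports = set(inbound_ports)

    def outbound(self, pkt):
        return "ALLOW"

    def inbound(self, pkt):
        if pkt.dport in self.inbound_ports:
            return "ALLOW"
        if "ACK" in pkt.flags:
            return "ALLOW"           # assumed to be a reply to an inside client
        return "DROP"


class StatefulFilter:
    """Same inbound policy, but 'established' means 'present in the table'."""
    def __init__(self, inbound_ports):
        self.inbound_ports = set(inbound_ports)
        self.table = set()           # (client, cport, server, sport) of tracked flows

    def outbound(self, pkt):
        if pkt.flags == frozenset({"SYN"}):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ALLOW"

    def inbound(self, pkt):
        # A reply belongs to a flow an inside host opened: server->client matches the table.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "ALLOW"
        if pkt.dport in self.inbound_ports and pkt.flags == frozenset({"SYN"}):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        return "DROP"                # includes ACK packets with no matching flow


def ack_scan_verdicts():
    """An attacker probes an internal file server's SMB port with a bare ACK."""
    probe = Packet("203.0.113.9", 54321, "10.0.0.5", 445, frozenset({"ACK"}))
    return {
        "stateless": StatelessFilter([80, 443]).inbound(probe),
        "stateful": StatefulFilter([80, 443]).inbound(probe),
    }


def legitimate_reply_verdicts():
    """An inside client opens a connection; the server's SYN/ACK must get back in."""
    syn = Packet("10.0.0.7", 50000, "198.51.100.20", 443, frozenset({"SYN"}))
    synack = Packet("198.51.100.20", 443, "10.0.0.7", 50000, frozenset({"SYN", "ACK"}))
    out = {}
    for name, fw in (("stateless", StatelessFilter([80, 443])), ("stateful", StatefulFilter([80, 443]))):
        fw.outbound(syn)
        out[name] = fw.inbound(synack)
    return out
```

A real connection table also times entries out and follows the FIN/RST teardown; the point here is only that the verdict for an unsolicited ACK flips from ALLOW to DROP once the filter remembers which flows exist.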


143. What is the primary role of a firewall in a corporate network?

A) To control incoming and outgoing traffic based on security rules
B) To replace all endpoint security solutions
C) To scan internal files for malware
D) To only monitor DNS queries

Answer: A) To control incoming and outgoing traffic based on security rules
Explanation: Firewalls enforce security policies by allowing or blocking traffic based on predefined rules.


144. Which type of firewall enforces security at the application layer?

A) Packet-filtering firewall
B) Proxy firewall
C) Circuit-level firewall
D) Stateful firewall

Answer: B) Proxy firewall
Explanation: Proxy firewalls filter traffic at the application layer, providing deep inspection and control.


145. What is the main function of a fail-open mechanism in an IPS?

A) It blocks all traffic when an error occurs
B) It allows traffic to pass through if the IPS fails
C) It increases the IPS sensitivity
D) It prevents malware infections

Answer: B) It allows traffic to pass through if the IPS fails
Explanation: A fail-open inline IPS keeps the network running when the sensor crashes or is overloaded, at the cost of passing traffic uninspected; the alternative, fail-closed, blocks everything until the sensor recovers, trading availability for assurance.


146. What technique does an attacker use to avoid detection by an anomaly-based IDS?

A) Sending traffic that mimics normal network behavior
B) Encrypting attack payloads
C) Spoofing IP addresses
D) Modifying firewall rules

Answer: A) Sending traffic that mimics normal network behavior
Explanation: Attackers evade anomaly-based IDS by making their activities appear normal.


147. How does an IDS detect a reconnaissance attack?

A) By monitoring a large number of connection attempts to various ports
B) By scanning files for viruses
C) By encrypting suspicious traffic
D) By analyzing email attachments

Answer: A) By monitoring a large number of connection attempts to various ports
Explanation: Reconnaissance attacks involve scanning multiple ports to identify open services.
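
The detection logic described above, as an added example (not from the quiz) that also shows the threshold tuning of question 149: a sliding window per source, an alert when one source touches many ports on one host (vertical scan) or one port on many hosts (horizontal sweep), and a slow scan that stays under the default thresholds until the window is widened. The events, addresses and thresholds are constructed for the example.

```python
"""Port-scan detector over connection attempts (added example; events are constructed)."""
from collections import defaultdict, deque


class ScanDetector:
    def __init__(self, window=10.0, port_threshold=15, host_threshold=15):
        self.window = window
        self.port_threshold = port_threshold
        self.host_threshold = host_threshold
        self.recent = defaultdict(deque)     # src -> deque of (t, dst, dport)
        self.alerted = set()                 # (src, kind): each alert fires once

    def observe(self, t, src, dst, dport):
        """Feed one connection attempt; returns (src, kind) for a new alert, else None."""
        q = self.recent[src]
        q.append((t, dst, dport))
        while q and t - q[0][0] > self.window:
            q.popleft()                      # expire attempts outside the window
        ports_by_host = defaultdict(set)
        hosts_by_port = defaultdict(set)
        for _, d, p in q:
            ports_by_host[d].add(p)
            hosts_by_port[p].add(d)
        kinds = []
        if max(len(s) for s in ports_by_host.values()) >= self.port_threshold:
            kinds.append("vertical")
        if max(len(s) for s in hosts_by_port.values()) >= self.host_threshold:
            kinds.append("horizontal")
        for kind in kinds:
            if (src, kind) not in self.alerted:
                self.alerted.add((src, kind))
                return (src, kind)
        return None


def constructed_events():
    """(t, src, dst, dport) tuples, sorted by time."""
    events = []
    # Legitimate client: repeated connections to two services on one host.
    for i in range(40):
        events.append((i * 0.5, "10.0.0.7", "10.0.0.50", 443 if i % 2 else 80))
    # Vertical scan: one host, ports 1..100 in two seconds.
    for p in range(1, 101):
        events.append((100 + p * 0.02, "203.0.113.9", "10.0.0.5", p))
    # Horizontal sweep: port 445 across a /24, slightly slower.
    for h in range(1, 61):
        events.append((200 + h * 0.1, "203.0.113.9", f"10.0.0.{h}", 445))
    # Slow scan: one port every 5 s. Only about three attempts fit a 10 s window,
    # so it is missed at the defaults; widen the window (or lower the threshold) to catch it.
    for p in range(1, 31):
        events.append((300 + p * 5.0, "198.51.100.4", "10.0.0.5", 8000 + p))
    return sorted(events)


def run(events, **kwargs):
    """Replay events through a detector; returns the alerts in order."""
    det = ScanDetector(**kwargs)
    return [a for a in (det.observe(*e) for e in events) if a]
```

Widening the window catches the slow scanner but also keeps more of a busy client's history in scope, which is exactly the false-positive trade-off an analyst tunes against real traffic.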


148. What is the role of deep packet inspection (DPI) in network security?

A) To analyze packet headers only
B) To inspect packet contents beyond headers to detect threats
C) To slow down encrypted traffic
D) To filter only HTTP requests

Answer: B) To inspect packet contents beyond headers to detect threats
Explanation: DPI enables firewalls and IPS to analyze entire packet payloads for advanced threat detection.


149. Which technique is used to reduce false positives in an IDS?

A) Tuning detection thresholds based on normal traffic patterns
B) Allowing all traffic through the firewall
C) Increasing the number of alerts
D) Blocking all outbound connections

Answer: A) Tuning detection thresholds based on normal traffic patterns
Explanation: Proper IDS configuration helps minimize false positives while maintaining security.


150. What is the purpose of a firewall DMZ (Demilitarized Zone)?

A) To host public-facing services while protecting internal networks
B) To provide unrestricted internet access
C) To replace network segmentation
D) To store firewall logs

Answer: A) To host public-facing services while protecting internal networks
Explanation: A DMZ isolates publicly accessible services, preventing direct access to the internal network.


151. Which firewall technology inspects traffic at both Layer 3 and Layer 7 of the OSI model?

A) Stateful firewall
B) Next-Generation Firewall (NGFW)
C) Packet-filtering firewall
D) Circuit-level firewall

Answer: B) Next-Generation Firewall (NGFW)
Explanation: NGFWs inspect both network-layer and application-layer traffic, offering advanced security features.


152. What is the main disadvantage of a signature-based IDS?

A) It cannot detect unknown attacks
B) It generates too many false negatives
C) It only inspects encrypted traffic
D) It does not require updates

Answer: A) It cannot detect unknown attacks
Explanation: Signature-based IDS relies on predefined signatures and cannot identify new or evolving threats.


153. How can an attacker use an HTTP smuggling attack to bypass an IDS?

A) By manipulating HTTP headers to confuse security devices
B) By sending multiple SYN packets
C) By using ICMP tunneling
D) By modifying firewall logs

Answer: A) By manipulating HTTP headers to confuse security devices
Explanation: HTTP request smuggling exploits disagreements between the front-end and back-end parsers about where one request ends and the next begins (for example Content-Length versus Transfer-Encoding: chunked), so that bytes the inspecting device treats as the body of one request are processed by the back end as the start of a second, uninspected request.
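
The framing disagreement in the explanation above, as an added example (not from the quiz): one constructed request carries both Content-Length and Transfer-Encoding: chunked. A parser that frames by Content-Length sees a single request; a parser that frames by chunked encoding ends the body at the zero-length chunk and leaves the trailing bytes waiting as the start of a second request. The strict mode refuses the ambiguous message instead of guessing, as RFC 7230 section 3.3.3 permits. The request, host name and parsers are constructed for the example.

```python
"""CL.TE framing disagreement behind request smuggling (added example; request is constructed)."""

CRLF = b"\r\n"

SMUGGLED_REQUEST = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"          # chunked framing: zero-length chunk ends the body here
    b"\r\n"
    b"SMUGGLED"       # Content-Length framing: these 13 bytes are all body
)

NORMAL_REQUEST = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"q=abc"
)


def _parse_head(raw):
    """(request line, headers, bytes after the blank line), or None if incomplete."""
    end = raw.find(CRLF + CRLF)
    if end < 0:
        return None
    head, rest = raw[:end], raw[end + 4:]
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def _chunked_body(rest):
    """Decode a chunked body. Returns (body, leftover bytes) or None if incomplete."""
    body, pos = b"", 0
    while True:
        line_end = rest.find(CRLF, pos)
        if line_end < 0:
            return None
        size = int(rest[pos:line_end].split(b";")[0] or b"0", 16)   # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            trailer_end = rest.find(CRLF, pos)                        # empty trailer section
            return (body, rest[trailer_end + 2:]) if trailer_end >= 0 else None
        if len(rest) < pos + size + 2:
            return None
        body += rest[pos:pos + size]
        pos += size + 2                                                # data plus its CRLF


def frame_by_content_length(raw):
    """Front-end behaviour: body length comes from Content-Length only.
    Returns (list of (request line, body), unparsed leftover)."""
    parsed = _parse_head(raw)
    if parsed is None:
        return [], raw
    request_line, headers, rest = parsed
    n = int(headers.get(b"content-length", b"0"))
    more, tail = frame_by_content_length(rest[n:]) if rest[n:] else ([], b"")
    return [(request_line, rest[:n])] + more, tail


def frame_by_chunked(raw, strict=False):
    """Back-end behaviour: chunked framing wins when Transfer-Encoding is present.
    With strict=True a message carrying both framing headers is rejected outright."""
    parsed = _parse_head(raw)
    if parsed is None:
        return [], raw
    request_line, headers, rest = parsed
    has_te = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
    if strict and has_te and b"content-length" in headers:
        raise ValueError("ambiguous framing: both Transfer-Encoding and Content-Length present")
    if has_te:
        decoded = _chunked_body(rest)
        if decoded is None:
            return [], raw
        body, leftover = decoded
    else:
        n = int(headers.get(b"content-length", b"0"))
        body, leftover = rest[:n], rest[n:]
    more, tail = frame_by_chunked(leftover, strict) if leftover else ([], b"")
    return [(request_line, body)] + more, tail
```

The leftover bytes are the whole problem: whatever the attacker appends there is prefixed to the next client's request on the same back-end connection, and the front end (or an IDS watching it) never saw it as a request at all. Normalising or rejecting dual-framed messages at the edge, and not reusing back-end connections across clients, are the standard fixes.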


154. Which security measure can help protect against brute-force password attacks?

A) Implementing account lockout policies
B) Disabling firewall logs
C) Blocking all outbound traffic
D) Allowing unlimited login attempts

Answer: A) Implementing account lockout policies
Explanation: Lockout policies prevent excessive login attempts, mitigating brute-force attacks.


155. What is the role of a Security Information and Event Management (SIEM) system in IDS?

A) To correlate and analyze security events from multiple sources
B) To replace firewall functionality
C) To block all incoming traffic
D) To slow down network performance

Answer: A) To correlate and analyze security events from multiple sources
Explanation: SIEM enhances threat detection by aggregating and analyzing IDS and other security logs.


156. Why is it important to regularly update firewall rules?

A) To adapt to new threats and remove outdated policies
B) To slow down network speed
C) To block all traffic by default
D) To disable IDS alerts

Answer: A) To adapt to new threats and remove outdated policies
Explanation: Regular updates keep firewall rules relevant to current security threats.


157. What attack technique uses small, non-standard packet sizes to evade IDS detection?

A) Packet fragmentation attack
B) Brute-force attack
C) SYN flood attack
D) MAC spoofing

Answer: A) Packet fragmentation attack
Explanation: Attackers split malicious payloads into small fragments to bypass IDS inspection.
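
Fragmentation evasion and the reassembly that defeats it (questions 84 and 157), as an added example that is not part of the quiz: the request is split so that the bytes a signature looks for straddle two fragments, and the pieces arrive out of order. A per-packet matcher sees nothing; a matcher that reassembles the datagram first sees the full payload, and an incomplete datagram yields no verdict at all. The fragment format, signatures and payload are constructed for the example.

```python
"""Signature matching with and without fragment reassembly (added example)."""
from dataclasses import dataclass

SIGNATURES = (b"/etc/passwd", b"cmd.exe")


@dataclass(frozen=True)
class Fragment:
    flow: tuple      # (src, dst, identification) names the datagram being fragmented
    offset: int      # byte offset of this piece within the original payload
    data: bytes
    more: bool       # True unless this is the last fragment


def fragment(flow, payload, size):
    """Split payload into fixed-size pieces (real IP fragments use 8-byte units)."""
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [Fragment(flow, i * size, p, i < len(pieces) - 1) for i, p in enumerate(pieces)]


def naive_ids(fragments):
    """Per-packet matching: alerts only if a single fragment contains a signature."""
    return sorted({sig for f in fragments for sig in SIGNATURES if sig in f.data})


class Reassembler:
    def __init__(self):
        self.pending = {}    # flow -> {"buf": bytearray, "seen": bytearray, "total": int|None}

    def add(self, frag):
        """Returns the complete payload once every byte is covered, else None."""
        st = self.pending.setdefault(frag.flow, {"buf": bytearray(), "seen": bytearray(), "total": None})
        end = frag.offset + len(frag.data)
        if end > len(st["buf"]):
            st["buf"].extend(b"\0" * (end - len(st["buf"])))
            st["seen"].extend(b"\0" * (end - len(st["seen"])))
        for i, b in enumerate(frag.data):
            pos = frag.offset + i
            # Overlap policy: first-received byte wins. Operating systems differ here
            # (some favour the later copy), and that difference is itself an evasion
            # vector; an IDS must reassemble the way the protected host does.
            if not st["seen"][pos]:
                st["buf"][pos] = b
                st["seen"][pos] = 1
        if not frag.more:
            st["total"] = end
        total = st["total"]
        if total is not None and len(st["seen"]) >= total and all(st["seen"][:total]):
            payload = bytes(st["buf"][:total])
            del self.pending[frag.flow]
            return payload
        return None


def reassembling_ids(fragments):
    """Alerts on signatures found in fully reassembled payloads."""
    r = Reassembler()
    hits = set()
    for f in fragments:
        full = r.add(f)
        if full is not None:
            hits.update(sig for sig in SIGNATURES if sig in full)
    return sorted(hits)


def demo_fragments():
    """A path-traversal request in 8-byte fragments, delivered last-first."""
    payload = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"
    frags = fragment(("203.0.113.9", "10.0.0.5", 0x1234), payload, 8)
    return list(reversed(frags))
```

Reassembly costs memory per pending datagram, which is why sensors cap the number of outstanding fragments and time them out; an attacker who never sends the last piece is trying to exhaust exactly that table.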


158. How does an attacker use a reverse shell to bypass firewall restrictions?

A) By establishing an outbound connection from the compromised system
B) By sending brute-force login attempts
C) By modifying firewall rules
D) By scanning for open ports

Answer: A) By establishing an outbound connection from the compromised system
Explanation: Reverse shells allow attackers to initiate connections from inside a network, bypassing inbound restrictions.


159. Why should firewall logs be regularly monitored?

A) To detect security incidents and unauthorized access attempts
B) To slow down network traffic
C) To allow all connections
D) To reduce firewall rule complexity

Answer: A) To detect security incidents and unauthorized access attempts
Explanation: Regular log monitoring helps identify potential attacks and suspicious activities.


160. What is a key limitation of a traditional packet-filtering firewall?

A) It inspects only packet headers (addresses, protocol, ports) and cannot see application-layer content
B) It automatically updates all security rules
C) It encrypts all network traffic
D) It replaces IDS functionality

Answer: A) It inspects only packet headers (addresses, protocol, ports) and cannot see application-layer content
Explanation: Packet-filtering firewalls decide on Layer 3 and Layer 4 header fields alone; they neither track connection state nor inspect payloads, so they cannot apply application-layer rules.


161. Which of the following best describes a honeynet?

A) A single compromised system for attacker analysis
B) A network of honeypots designed to study attacker behavior
C) A collection of IDS rules to detect malware
D) A firewall rule that blocks all traffic

Answer: B) A network of honeypots designed to study attacker behavior
Explanation: A honeynet consists of multiple honeypots set up to attract and analyze attackers.


162. What is a primary characteristic of a firewall rule using an implicit deny policy?

A) All traffic is allowed by default
B) Only traffic that matches explicit allow rules is permitted
C) It prevents logging of network activity
D) It only blocks encrypted traffic

Answer: B) Only traffic that matches explicit allow rules is permitted
Explanation: Implicit deny ensures that any traffic not explicitly allowed is blocked.
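
The first-match evaluation with an implicit deny (questions 94, 118 and 162), as an added example that is not part of the quiz. The same packet is evaluated under a default-deny policy, a default-allow policy with a few blocks, and a policy where an overly broad rule was added above a specific deny; a small audit helper finds rules that can never fire because an earlier rule covers them, which is the kind of stale or over-broad rule questions 138 and 140 warn about. Rules, subnets and addresses are constructed for the example.

```python
"""First-match firewall policy evaluator with implicit deny (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # CIDR
    dst: str             # CIDR
    dports: tuple        # (low, high) inclusive destination port range

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "any" or self.proto == proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.dports[0] <= dport <= self.dports[1])

    def covers(self, other):
        """True if every packet matching `other` would also match this rule."""
        return ((self.proto == "any" or self.proto == other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.dports[0] <= other.dports[0] and other.dports[1] <= self.dports[1])


def evaluate(rules, proto, src, dst, dport, default="deny"):
    """First matching rule wins; `default` is the implicit rule at the bottom."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return default


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


ANY = (0, 65535)

# Default-deny policy: only the public web tier and SSH from the admin network are reachable.
RESTRICTIVE = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.1.0.0/24", (443, 443)),
    Rule("allow", "tcp", "10.9.0.0/24", "10.1.0.0/16", (22, 22)),
]

# Default-allow policy with a few blocks: everything not listed gets through.
PERMISSIVE = [
    Rule("deny", "tcp", "0.0.0.0/0", "10.0.0.0/8", (23, 23)),
    Rule("deny", "tcp", "0.0.0.0/0", "10.0.0.0/8", (445, 445)),
]

# A "temporary" any/any rule was added above a specific deny; both later rules are dead.
SLOPPY = [
    Rule("allow", "any", "0.0.0.0/0", "10.0.0.0/8", ANY),            # too broad
    Rule("deny", "tcp", "0.0.0.0/0", "10.1.0.0/24", (3389, 3389)),   # now unreachable
    Rule("allow", "tcp", "10.9.0.0/24", "10.1.0.0/16", (22, 22)),    # also shadowed
]


def rdp_from_internet():
    """RDP to an internal server from the internet under each policy."""
    pkt = ("tcp", "198.51.100.77", "10.1.0.10", 3389)
    return {
        "restrictive": evaluate(RESTRICTIVE, *pkt, default="deny"),
        "permissive": evaluate(PERMISSIVE, *pkt, default="allow"),
        "sloppy": evaluate(SLOPPY, *pkt, default="deny"),
    }
```

The sloppy policy still has a deny rule for RDP, and it still has a default deny, yet the packet is allowed: order decides, and a rule audit that only reads the rules one by one will not notice until it checks which rules are reachable.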


163. Which IDS detection technique is most likely to produce false positives?

A) Signature-based detection
B) Anomaly-based detection
C) Stateful filtering
D) Deep packet inspection

Answer: B) Anomaly-based detection
Explanation: Anomaly-based IDS detects deviations from normal activity, which may incorrectly flag legitimate traffic as malicious.


164. What is a major risk of using weak firewall authentication methods?

A) Attackers can gain unauthorized access to firewall configurations
B) The firewall will block all traffic
C) It will slow down internet connections
D) It will generate too many alerts

Answer: A) Attackers can gain unauthorized access to firewall configurations
Explanation: Weak authentication can lead to unauthorized changes in firewall rules, exposing networks to attacks.


165. How does a firewall with deep packet inspection (DPI) differ from a standard packet-filtering firewall?

A) DPI examines the full packet, including payload data
B) DPI only inspects the source and destination IP
C) DPI does not analyze encrypted traffic
D) DPI blocks all traffic by default

Answer: A) DPI examines the full packet, including payload data
Explanation: DPI enables firewalls to inspect payloads for malware, policy violations, and attacks.


166. Which security control is effective in preventing lateral movement of malware inside a network?

A) Micro-segmentation
B) Stateful firewalls
C) Packet filtering
D) DNS blacklisting

Answer: A) Micro-segmentation
Explanation: Micro-segmentation isolates workloads to restrict lateral movement within the network.


167. What is the main function of an intrusion detection system (IDS) in a cloud environment?

A) To detect and alert on suspicious activity within cloud-based resources
B) To replace cloud firewalls
C) To block all incoming traffic
D) To encrypt cloud storage

Answer: A) To detect and alert on suspicious activity within cloud-based resources
Explanation: Cloud-based IDS monitors activity in cloud environments to detect threats.


168. How does an attacker use a replay attack to evade IDS detection?

A) By capturing and retransmitting legitimate packets
B) By modifying firewall rules
C) By scanning for open ports
D) By encrypting attack payloads

Answer: A) By capturing and retransmitting legitimate packets
Explanation: Replay attacks involve resending captured network packets to exploit authentication processes.


169. What is a key advantage of a hybrid IDS that combines signature-based and anomaly-based detection?

A) It reduces the number of alerts
B) It provides a balance between known threat detection and zero-day attack detection
C) It only monitors encrypted traffic
D) It does not require updates

Answer: B) It provides a balance between known threat detection and zero-day attack detection
Explanation: Hybrid IDS benefits from both accurate signature-based detection and proactive anomaly-based analysis.


170. Which protocol is commonly exploited in firewall evasion techniques?

A) ICMP
B) DNS
C) SMTP
D) HTTPS

Answer: A) ICMP
Explanation: Attackers use ICMP tunneling to bypass firewalls and transmit unauthorized data.


171. What is the purpose of an IDS sensor in a distributed network?

A) To collect and analyze network traffic across different locations
B) To block all traffic by default
C) To replace firewall filtering
D) To prevent all outbound connections

Answer: A) To collect and analyze network traffic across different locations
Explanation: IDS sensors monitor multiple network segments for suspicious activity.


172. Which type of firewall is best suited for cloud-based applications?

A) Next-Generation Firewall (NGFW)
B) Packet-filtering firewall
C) Host-based firewall
D) Circuit-level firewall

Answer: A) Next-Generation Firewall (NGFW)
Explanation: NGFWs offer advanced cloud security features like application awareness, DPI, and IPS.


173. How does an attacker use a low-bandwidth DoS attack to bypass an IDS?

A) By sending small amounts of malicious traffic over time
B) By flooding the network with high traffic
C) By using a botnet to amplify attack traffic
D) By modifying IDS rule sets

Answer: A) By sending small amounts of malicious traffic over time
Explanation: Low-bandwidth DoS attacks evade detection by operating slowly over extended periods.


174. What is a key advantage of deploying an inline IPS over a passive IDS?

A) Inline IPS can block malicious traffic in real-time
B) IPS does not generate logs
C) Passive IDS blocks all network traffic
D) IPS only monitors inbound traffic

Answer: A) Inline IPS can block malicious traffic in real-time
Explanation: Unlike passive IDS, inline IPS actively prevents malicious activity.


175. What is the function of a Web Application Firewall (WAF) in API security?

A) To protect APIs from injection attacks, DDoS, and authentication bypasses
B) To replace all other network firewalls
C) To encrypt API responses
D) To scan APIs for malware

Answer: A) To protect APIs from injection attacks, DDoS, and authentication bypasses
Explanation: WAFs secure APIs from threats like SQL injection, API abuse, and credential stuffing.


176. Why is outbound firewall filtering important for enterprise security?

A) To prevent data exfiltration and malicious outbound connections
B) To allow unrestricted access to the internet
C) To block all incoming traffic
D) To replace SIEM systems

Answer: A) To prevent data exfiltration and malicious outbound connections
Explanation: Controlling outbound traffic helps stop malware from communicating with external threats.


177. What is a potential weakness of firewall-based access control?

A) Firewalls cannot prevent attacks originating from inside the network
B) Firewalls replace the need for IDS
C) Firewalls slow down encrypted traffic
D) Firewalls automatically block all malware

Answer: A) Firewalls cannot prevent attacks originating from inside the network
Explanation: Firewalls primarily filter external traffic but do not inherently stop insider threats.


178. What is the function of an egress firewall rule?

A) To control outbound traffic leaving the network
B) To block all incoming connections
C) To replace intrusion detection systems
D) To monitor VPN activity

Answer: A) To control outbound traffic leaving the network
Explanation: Egress filtering helps prevent unauthorized data transmission and malware communication.


179. How does an attacker use a rogue access point to bypass firewalls?

A) By creating an unauthorized Wi-Fi network that bypasses security controls
B) By modifying firewall rules
C) By using encrypted payloads
D) By sending spoofed emails

Answer: A) By creating an unauthorized Wi-Fi network that bypasses security controls
Explanation: Rogue access points allow attackers to intercept traffic and bypass security mechanisms.


180. What is a firewall’s role in preventing command-and-control (C2) attacks?

A) It blocks outbound connections to known C2 servers
B) It replaces all endpoint security measures
C) It encrypts all C2 traffic
D) It only monitors incoming traffic

Answer: A) It blocks outbound connections to known C2 servers
Explanation: Firewalls prevent compromised systems from communicating with remote attacker-controlled C2 servers.


181. What is the primary function of a firewall in Zero Trust security architecture?

A) To enforce least-privilege access by strictly controlling network traffic
B) To allow all internal traffic without inspection
C) To replace endpoint security solutions
D) To scan internal files for malware

Answer: A) To enforce least-privilege access by strictly controlling network traffic
Explanation: Firewalls in Zero Trust models apply strict access controls, allowing only authenticated and authorized traffic.


182. How does an attacker use an HTTP parameter pollution attack to evade IDS?

A) By injecting additional parameters into a URL request to bypass security rules
B) By modifying firewall logging rules
C) By encrypting attack payloads
D) By flooding the IDS with junk traffic

Answer: A) By injecting additional parameters into a URL request to bypass security rules
Explanation: HTTP Parameter Pollution manipulates URL parameters to confuse security mechanisms and evade detection.


183. What is a key advantage of using an anomaly-based IDS in an enterprise network?

A) It can detect zero-day attacks and unknown threats
B) It only relies on predefined signatures
C) It requires no configuration
D) It never generates false positives

Answer: A) It can detect zero-day attacks and unknown threats
Explanation: Anomaly-based IDS learns normal network behavior and identifies deviations that could indicate new attacks.


184. What technique can be used to prevent firewall rule bloat?

A) Regular rule audits and consolidation of redundant rules
B) Adding more rules to block potential threats
C) Disabling all security logging
D) Allowing all inbound traffic

Answer: A) Regular rule audits and consolidation of redundant rules
Explanation: Regularly reviewing and optimizing firewall rules prevents unnecessary complexity and performance degradation.


185. Which attack involves injecting malicious code into an IDS log to manipulate security analysis?

A) Log injection attack
B) SYN flood attack
C) DNS poisoning attack
D) HTTP smuggling attack

Answer: A) Log injection attack
Explanation: Attackers use log injection to manipulate IDS records, misleading security teams.


186. How does an attacker use a cloaking attack to bypass an IDS?

A) By delivering different content to security tools than to regular users
B) By encrypting attack payloads
C) By modifying IDS rule sets
D) By scanning for open ports

Answer: A) By delivering different content to security tools than to regular users
Explanation: Cloaking disguises malicious content by presenting different data to security solutions than to actual victims.


187. What is the primary advantage of a host-based IDS (HIDS) compared to a network-based IDS (NIDS)?

A) HIDS can detect local attacks that do not generate network traffic
B) HIDS replaces firewall functionality
C) HIDS is immune to false positives
D) HIDS does not require updates

Answer: A) HIDS can detect local attacks that do not generate network traffic
Explanation: HIDS monitors activity on a specific host, identifying file changes, unauthorized access, and malware.


188. What is the role of a deception-based firewall security mechanism?

A) To create false attack surfaces and mislead attackers
B) To replace signature-based IDS
C) To block all outbound connections
D) To automatically encrypt network traffic

Answer: A) To create false attack surfaces and mislead attackers
Explanation: Deception techniques, such as honeypots, lure attackers into interacting with fake resources.


189. Which IDS/IPS evasion technique involves sending multiple small packets to reconstruct a malicious payload at the destination?

A) Traffic fragmentation
B) Reverse shell attack
C) DNS tunneling
D) Cross-site scripting (XSS)

Answer: A) Traffic fragmentation
Explanation: Attackers fragment malicious payloads across multiple packets to bypass IDS detection.


190. What is a potential weakness of an IDS when analyzing encrypted network traffic?

A) It cannot inspect the encrypted payload without decryption
B) It slows down all network activity
C) It generates more false positives
D) It automatically decrypts all data

Answer: A) It cannot inspect the encrypted payload without decryption
Explanation: IDS solutions struggle to detect threats in encrypted traffic unless combined with decryption tools.


191. What is the purpose of firewall geo-blocking?

A) To restrict access based on geographic locations
B) To allow all traffic from trusted countries
C) To encrypt all data leaving the network
D) To block encrypted connections

Answer: A) To restrict access based on geographic locations
Explanation: Geo-blocking prevents traffic from high-risk regions, reducing exposure to threats.


192. How can an attacker use a slowloris attack to bypass IDS and firewall protections?

A) By keeping multiple HTTP connections open but sending data very slowly
B) By sending an overwhelming number of requests in a short time
C) By modifying firewall logs
D) By using DNS poisoning

Answer: A) By keeping multiple HTTP connections open but sending data very slowly
Explanation: Slowloris attacks exhaust server resources while staying under IDS rate limits.


193. What is the purpose of an outbound firewall rule for securing cloud environments?

A) To prevent unauthorized data exfiltration
B) To block all internet traffic
C) To slow down cloud applications
D) To allow all internal traffic

Answer: A) To prevent unauthorized data exfiltration
Explanation: Outbound filtering ensures sensitive data does not leave the network without proper authorization.


194. What is an IDS signature in the context of threat detection?

A) A predefined pattern used to identify known attacks
B) A log file containing IDS alerts
C) An encryption key for securing IDS logs
D) A configuration setting in a firewall

Answer: A) A predefined pattern used to identify known attacks
Explanation: Signature-based IDS detects threats by matching network activity against known attack patterns.


195. How does an attacker use an IDS evasion technique called session splicing?

A) By splitting malicious payloads across multiple packets sent over time
B) By modifying IDS rule sets
C) By scanning for open ports
D) By injecting malware into encrypted tunnels

Answer: A) By splitting malicious payloads across multiple packets sent over time
Explanation: Session splicing avoids detection by breaking up attack payloads into multiple small packets.


196. What is the primary purpose of an endpoint firewall in enterprise security?

A) To protect individual devices from external and internal threats
B) To replace IDS functionality
C) To encrypt all network traffic
D) To disable security logging

Answer: A) To protect individual devices from external and internal threats
Explanation: Endpoint firewalls control traffic on individual devices, adding an extra layer of defense.


197. Which attack method involves injecting false DNS records to redirect users to malicious sites?

A) DNS spoofing
B) SQL injection
C) SYN flood attack
D) MAC address spoofing

Answer: A) DNS spoofing
Explanation: DNS spoofing manipulates DNS responses to direct users to attacker-controlled websites.


198. How does a distributed firewall system enhance security in large networks?

A) By enforcing security policies across multiple locations
B) By replacing all IDS functionality
C) By encrypting all outbound connections
D) By disabling all logging

Answer: A) By enforcing security policies across multiple locations
Explanation: Distributed firewalls apply security controls at different network points, improving security.


199. What is the primary purpose of rate limiting in an IPS?

A) To prevent excessive connection requests from a single source
B) To slow down all network traffic
C) To replace deep packet inspection
D) To allow all traffic

Answer: A) To prevent excessive connection requests from a single source
Explanation: Rate limiting mitigates brute-force attacks and DoS attempts by restricting excessive requests.


200. What is a common use of firewall access control lists (ACLs)?

A) To allow or deny traffic based on specified criteria
B) To encrypt network packets
C) To scan files for malware
D) To modify IDS logs

Answer: A) To allow or deny traffic based on specified criteria
Explanation: ACLs define security rules that permit or block traffic based on IPs, ports, and protocols.