# Chapter 31 Quiz: Network Security Architecture
Test your knowledge of network segmentation, defense-in-depth zones, firewall engineering, intrusion detection and prevention, and network forensics.
## Questions
1. An organization places its public-facing web servers in a network segment between two firewalls — one between the internet and the segment, one between the segment and the internal network. Traffic from the web servers to internal databases is strictly controlled. What is this network architecture called?
- A) Zero Trust Network
- B) Screened Subnet (DMZ — Demilitarized Zone)
- C) Flat Network with ACLs
- D) Software-Defined Perimeter
Answer
B — Screened Subnet (DMZ — Demilitarized Zone)
A DMZ (Demilitarized Zone), also called a screened subnet, is a network segment positioned between two firewalls. The outer firewall controls internet-to-DMZ traffic; the inner firewall controls DMZ-to-internal traffic. This architecture ensures that even if a DMZ host is compromised, the attacker cannot directly reach internal systems — they must also breach the inner firewall.
2. A firewall administrator adds rules in the following order: (1) Permit HTTP from any to DMZ web server, (2) Deny all from RFC1918 to internet, (3) Permit DNS from internal to external DNS, (4) Implicit deny all. A host at 192.168.1.50 attempts to browse the internet directly. What happens?
- A) The connection is allowed by rule 1
- B) The connection is blocked by rule 2
- C) The connection is blocked by the implicit deny
- D) The connection is allowed because no rule explicitly blocks it
Answer
B — The connection is blocked by rule 2
Firewall rules are evaluated top-down and the first match wins. Rule 1 only permits HTTP to the DMZ web server (not arbitrary internet browsing). Rule 2 explicitly denies all traffic from RFC1918 private address space (which includes 192.168.1.0/24) to the internet — this matches and blocks the connection. First-match processing means rule 2 catches this before the implicit deny.
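The first-match evaluation from this question, written out as an added example (not code from the chapter). The DMZ web server and external resolver addresses are assumed documentation-range values, "internal" is taken to mean RFC1918 space, and "internet" is modelled as any destination outside RFC1918 space.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

ANY = nets("0.0.0.0/0")
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
DMZ_WEB = nets("203.0.113.10/32")      # assumed DMZ web server address
EXT_DNS = nets("198.51.100.53/32")     # assumed external resolver address

@dataclass
class Rule:
    name: str
    action: str                        # "permit" or "deny"
    src: list
    dst: list
    dport: Optional[int] = None        # None matches any destination port
    dst_negate: bool = False           # True: match when dst is NOT in dst nets ("internet")

def in_any(addr, networks):
    return any(addr in n for n in networks)

def matches(rule, src, dst, dport):
    if not in_any(src, rule.src):
        return False
    dst_hit = in_any(dst, rule.dst)
    if rule.dst_negate:
        dst_hit = not dst_hit
    return dst_hit and (rule.dport is None or rule.dport == dport)

def evaluate(rules, src, dst, dport):
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, s, d, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"

# The rule base from the question, in the order the administrator entered it
RULES = [
    Rule("rule1", "permit", ANY, DMZ_WEB, dport=80),
    Rule("rule2", "deny", RFC1918, RFC1918, dst_negate=True),   # RFC1918 -> anything non-private
    Rule("rule3", "permit", RFC1918, EXT_DNS, dport=53),
]

if __name__ == "__main__":
    print(evaluate(RULES, "192.168.1.50", "198.51.100.5", 443))   # ('deny', 'rule2')
    print(evaluate(RULES, "10.0.0.5", "198.51.100.53", 53))       # ('deny', 'rule2')
```

Running it also exposes a rule-base defect the question does not ask about: rule 3 can never match, because every RFC1918 source is caught by rule 2 first, so the DNS permit is shadowed and would have to move above rule 2 to take effect.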
3. What is the key operational difference between an IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System) in a network security deployment?
- A) IDS uses signatures; IPS uses anomaly detection only
- B) IDS is deployed inline and blocks traffic; IPS is deployed out-of-band and only alerts
- C) IDS passively monitors traffic and generates alerts; IPS is deployed inline and can actively block malicious traffic
- D) IDS and IPS are functionally identical — the terms are interchangeable
Answer
C — IDS passively monitors traffic and generates alerts; IPS is deployed inline and can actively block malicious traffic
An IDS (sensor/tap deployment) receives a copy of traffic, analyzes it, and generates alerts — it cannot block in real time. An IPS is deployed inline (in the traffic path), analyzes traffic, and can drop or reset malicious connections before they reach the destination. The trade-off: an inline IPS adds latency, and if the sensor fails it can block legitimate traffic, which is why inline deployments must choose between fail-open and fail-closed behaviour.
4. A Next-Generation Firewall (NGFW) is selected over a traditional stateful firewall. Which capability present in NGFWs is absent from traditional stateful firewalls?
- A) Source and destination IP filtering
- B) TCP state tracking across connection sessions
- C) Application-layer visibility and control (Layer 7 — identifying applications regardless of port)
- D) Network address translation (NAT)
Answer
C — Application-layer visibility and control (Layer 7 — identifying applications regardless of port)
Traditional stateful firewalls operate at Layers 3–4 (IP, TCP/UDP, ports). NGFWs add Layer 7 inspection: they identify applications by their behavior/signatures regardless of port (e.g., detect Tor on port 443, identify Slack vs. generic HTTPS), apply user-identity-based policies, and integrate IPS, URL filtering, and SSL inspection in a single platform.
5. An organization implements microsegmentation in their data center. Which statement best describes what microsegmentation achieves beyond traditional VLAN-based segmentation?
- A) Microsegmentation replaces firewalls with software-defined access control lists on switches
- B) Microsegmentation enforces granular east-west traffic policies between individual workloads, not just between network zones
- C) Microsegmentation is only applicable to cloud environments, not on-premises data centers
- D) Microsegmentation eliminates the need for network monitoring tools
Answer
B — Microsegmentation enforces granular east-west traffic policies between individual workloads, not just between network zones
Traditional segmentation (VLANs, firewall zones) controls north-south traffic (in/out of segments) but allows lateral movement within a segment. Microsegmentation applies policies at the individual workload level — a web server in the same VLAN as a database can still be blocked from communicating with that database unless explicitly permitted. This limits blast radius when a host is compromised.
6. A security analyst detects unusual traffic patterns suggesting lateral movement between internal hosts. Which monitoring approach provides the best visibility into east-west traffic without decrypting TLS?
- A) Web Application Firewall (WAF) logs
- B) NetFlow/IPFIX analysis for traffic metadata (source, destination, ports, volume, timing)
- C) Full packet capture (PCAP) of all encrypted east-west sessions
- D) Endpoint DLP agent logs
Answer
B — NetFlow/IPFIX analysis for traffic metadata (source, destination, ports, volume, timing)
NetFlow/IPFIX captures flow metadata: source/destination IPs, ports, protocol, byte/packet counts, duration — without capturing payload content. This is effective for detecting lateral movement patterns (unusual new connections, scanning behavior, beaconing) without requiring TLS decryption. Full PCAP (C) of all east-west traffic at scale is storage-prohibitive, and payload content is encrypted anyway.
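An added example (not from the chapter) of the kind of lateral-movement detection flow metadata supports: one source opening flows to many never-before-seen internal peers on administrative ports inside a short window. The internal range, admin port set, baseline pairs and flow records are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumed internal address space
ADMIN_PORTS = {22, 135, 445, 3389, 5985}          # services lateral movement typically touches
# Constructed baseline of (src, dst) pairs that are normally seen talking to each other
BASELINE_PAIRS = {("10.0.1.30", "10.0.2.5"), ("10.0.1.30", "10.0.2.50")}

def constructed_flows():
    """Constructed IPFIX-style records: (start_epoch, src, dst, dport, bytes).
    10.0.1.20 touches twelve new hosts on 445 with tiny flows; 10.0.1.30 is routine use."""
    sweep = [(1700000000 + i, "10.0.1.20", f"10.0.2.{5 + i}", 445, 120) for i in range(12)]
    normal = [(1700000000, "10.0.1.30", "10.0.2.5", 445, 980_000),
              (1700000100, "10.0.1.30", "10.0.2.50", 3389, 54_000)]
    return sweep + normal

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def detect_fanout(flows, baseline, window=300, min_new_peers=8):
    """Flag sources that open flows to many never-before-seen internal peers on admin
    ports within `window` seconds of their first novel flow. Only metadata is used, so
    it works on encrypted east-west traffic. Returns {src: sorted new peers}."""
    new_peers = defaultdict(set)
    first_novel = {}
    for ts, src, dst, dport, _nbytes in sorted(flows):
        if not (is_internal(src) and is_internal(dst)) or dport not in ADMIN_PORTS:
            continue                               # east-west admin-port flows only
        if (src, dst) in baseline:
            continue                               # established relationship, not novel
        first_novel.setdefault(src, ts)
        if ts - first_novel[src] <= window:
            new_peers[src].add(dst)
    return {src: sorted(p) for src, p in new_peers.items() if len(p) >= min_new_peers}

if __name__ == "__main__":
    print(detect_fanout(constructed_flows(), BASELINE_PAIRS))
```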
7. RPKI (Resource Public Key Infrastructure) is a security mechanism deployed to protect which internet routing protocol?
- A) OSPF (Open Shortest Path First)
- B) BGP (Border Gateway Protocol)
- C) EIGRP (Enhanced Interior Gateway Routing Protocol)
- D) IS-IS (Intermediate System to Intermediate System)
Answer
B — BGP (Border Gateway Protocol)
RPKI is a cryptographic framework that validates BGP route originations — it verifies that an Autonomous System (AS) is authorized to originate a specific IP prefix. Without RPKI, BGP hijacking attacks (like the 2018 MyEtherWallet hijack and 2019 China Telecom incidents) allow attackers to redirect internet traffic. RPKI Route Origin Validation (ROV) lets routers reject announcements whose origin AS does not match a published Route Origin Authorization (ROA); it validates the origin only, not the rest of the AS path.
8. An organization deploys SSL/TLS inspection (TLS decryption) on their NGFW. A privacy-conscious employee raises concerns. Which technical concern about TLS inspection is operationally valid?
- A) TLS inspection increases available bandwidth since compressed content is inspected
- B) TLS inspection breaks certificate pinning for applications that pin to the original server certificate
- C) TLS inspection makes all traffic visible to attackers on the network
- D) TLS inspection is prohibited by all major compliance frameworks
Answer
B — TLS inspection breaks certificate pinning for applications that pin to the original server certificate
TLS inspection works by re-encrypting traffic with the organization's CA certificate — the endpoint sees the firewall's cert rather than the server's. Applications that implement certificate pinning (some mobile apps, banking apps) will reject the substituted certificate and fail. Organizations must create bypass rules for pinned-certificate applications. Compliance concerns depend on scope and industry, not a universal prohibition.
9. What is the primary difference between NetFlow analysis and full PCAP (packet capture) in network forensics?
- A) NetFlow provides richer content analysis; PCAP only captures headers
- B) NetFlow captures flow metadata (who talked to whom, when, how much) at high scale; PCAP captures full packet payloads enabling deep content inspection but at much greater storage cost
- C) NetFlow is only available in cloud environments; PCAP only works on-premises
- D) NetFlow replaces PCAP — modern NDR tools no longer require full packet capture
Answer
B — NetFlow captures flow metadata (who talked to whom, when, how much) at high scale; PCAP captures full packet payloads enabling deep content inspection but at much greater storage cost
NetFlow/IPFIX: lightweight flow records, scalable to 10 Gbps+, ideal for behavioral analytics and lateral movement detection. PCAP: full payload capture, enables malware extraction, credential recovery, and deep forensic reconstruction, but requires 10–100× more storage. Best-practice architectures use NetFlow everywhere with selective PCAP on critical segments or triggered by alerts.
10. A network detection and response (NDR) platform flags a host making DNS requests to randomly generated 32-character domain names every 60 seconds, with very low response TTLs. What technique does this most likely indicate?
- A) Normal CDN behavior — content delivery networks use random subdomains for load balancing
- B) DNS-based command and control (C2) using domain generation algorithms (DGA)
- C) IPv6 transition mechanism (6to4 tunneling)
- D) DNSSEC validation failure causing retry storms
Answer
B — DNS-based command and control (C2) using domain generation algorithms (DGA)
Domain Generation Algorithms (DGAs) produce large numbers of pseudo-random domain names. Malware queries many of these, and only the attacker — who controls a few registered DGA domains — can respond. The periodic, regular timing (60s) with random 32-character names and low TTLs (C2 agility) are classic DGA C2 indicators. NDR platforms detect DGA patterns through entropy analysis and ML-based domain scoring.
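An added example (not from the chapter) that scores resolver log lines on the three indicators named in this question: label entropy, query periodicity and answer TTL. The log format, client addresses and query names are constructed; the thresholds are illustrative assumptions, not tuned values.

```python
import math
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed resolver log, one query per line: epoch_seconds client qname answer_ttl
SAMPLE_LOG = """\
1700000000 10.0.0.7 k3j9x2m8q1w4e7r6t5y0u9i8o7p6a5s4.example 30
1700000060 10.0.0.7 z8x7c6v5b4n3m2l1k0j9h8g7f6d5s4a3.example 30
1700000120 10.0.0.7 q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6.example 30
1700000180 10.0.0.7 p9o8i7u6y5t4r3e2w1q0l9k8j7h6g5f4.example 30
1700000005 10.0.0.9 www.example 3600
1700000300 10.0.0.9 mail.example 3600
1700000900 10.0.0.9 cdn.example 300
"""

def shannon_entropy(s):
    """Bits per character; random-looking 32-char labels score far above real words."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def parse_log(text):
    """Group (timestamp, first label, ttl) per client."""
    per_host = defaultdict(list)
    for line in filter(str.strip, text.splitlines()):
        ts, host, qname, ttl = line.split()
        per_host[host].append((int(ts), qname.split(".")[0], int(ttl)))
    return per_host

def score_hosts(text, min_queries=3, entropy_min=3.5, label_min=20, ttl_max=60, jitter_max=0.1):
    """Flag clients combining long high-entropy labels, a near-constant query interval
    and low answer TTLs. Returns {host: (flagged, metrics)}; thresholds are assumptions."""
    results = {}
    for host, events in parse_log(text).items():
        events.sort()
        if len(events) < min_queries:
            results[host] = (False, {})
            continue
        labels = [label for _, label, _ in events]
        dga_frac = sum(len(l) >= label_min and shannon_entropy(l) >= entropy_min for l in labels) / len(labels)
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")   # 0 = perfectly periodic
        ttl = median(ttl for _, _, ttl in events)
        metrics = {"dga_fraction": dga_frac, "interval": mean(gaps), "jitter": jitter, "median_ttl": ttl}
        results[host] = (dga_frac >= 0.5 and jitter <= jitter_max and ttl <= ttl_max, metrics)
    return results
```

Entropy alone is a weak signal (CDN and cloud hostnames can be long and random-looking), so the block only flags a client when the periodicity and TTL indicators agree with it.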
## Scoring
| Score | Performance |
|---|---|
| 9–10 | Expert — Network security architecture and defense-in-depth principles fully mastered |
| 7–8 | Proficient — Ready to design and defend enterprise network architectures |
| 5–6 | Developing — Review Chapter 31 sections on firewall rule processing, microsegmentation, and NDR |
| <5 | Foundational — Re-read Chapter 31 before proceeding |