Domain 4: Communication and Network Security Capstone — 33 of 84

Domain 4 Capstone: Communication and Network Security

CISSP Domain 4 — Communication and Network Security Capstone — All Sections 20 Questions

Domain 4 – Capstone Questions


Question 1

A cloud-native company runs all applications as microservices in a Kubernetes cluster. Each microservice communicates with multiple others over the internal network. A security assessment reveals that if one microservice is compromised, the attacker can reach every other microservice in the cluster because there are no internal traffic restrictions.

What control BEST addresses this finding?

A. Implement micro-segmentation using Kubernetes network policies to restrict each microservice to only its required communication paths
B. Deploy a perimeter firewall between the cluster and the internet
C. Encrypt all inter-service traffic using TLS
D. Install host-based antivirus on each container node

Answer & reasoning

Correct: A

The problem is unrestricted lateral movement within the cluster. Micro-segmentation via network policies restricts each microservice to communicating only with the specific services it needs, limiting blast radius. A perimeter firewall (B) does not control east-west traffic within the cluster. TLS (C) protects confidentiality but does not prevent unauthorized connections. Antivirus (D) does not address network access control.
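To make the "blast radius" argument concrete, here is an added example (not from the original page) that models which services an attacker can reach from one compromised microservice, first on the flat cluster in the question and then under per-service ingress allow-lists, and emits the matching Kubernetes NetworkPolicy manifests. The service names, ports and required communication paths are constructed for the illustration.

```python
"""Added example (not from the page): model east-west reachability in a
cluster before and after per-service ingress allow-lists, and emit the
matching Kubernetes NetworkPolicy manifests. Service names, ports and the
required communication paths are constructed for this illustration."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed: (source, destination, TCP port) pairs each microservice actually needs.
REQUIRED_PATHS: List[Tuple[str, str, int]] = [
    ("frontend", "api", 8080),
    ("api", "db", 5432),
    ("api", "cache", 6379),
    ("worker", "db", 5432),
    ("worker", "cache", 6379),
]
SERVICES: List[str] = sorted({name for path in REQUIRED_PATHS for name in path[:2]})


def allowed_ingress(paths: List[Tuple[str, str, int]]) -> Dict[str, Set[Tuple[str, int]]]:
    """For every service, the (source, port) pairs its ingress policy admits.
    Services with no entries get an empty set, which means deny-all ingress."""
    table: Dict[str, Set[Tuple[str, int]]] = {name: set() for name in SERVICES}
    for src, dst, port in paths:
        table[dst].add((src, port))
    return table


def blast_radius(compromised: str, services: List[str],
                 policies: Optional[Dict[str, Set[Tuple[str, int]]]] = None) -> Set[str]:
    """Services an attacker holding `compromised` can reach, pivoting through
    each service reached along the way. policies=None models the flat cluster
    from the question: every other service is one hop away."""
    if policies is None:
        return set(services) - {compromised}
    reached: Set[str] = set()
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for dst, sources in policies.items():
            if dst in reached or dst == compromised:
                continue
            if any(src == current for src, _port in sources):
                reached.add(dst)
                queue.append(dst)
    return reached


def network_policy(dst: str, sources: Set[Tuple[str, int]]) -> dict:
    """NetworkPolicy (networking.k8s.io/v1) selecting pods labelled app=<dst>.
    Listing policyTypes: [Ingress] makes the rules an allow-list: anything not
    matched is dropped, and an empty `ingress` list denies all ingress."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"allow-to-{dst}"},
        "spec": {
            "podSelector": {"matchLabels": {"app": dst}},
            "policyTypes": ["Ingress"],
            "ingress": [
                {
                    "from": [{"podSelector": {"matchLabels": {"app": src}}}],
                    "ports": [{"protocol": "TCP", "port": port}],
                }
                for src, port in sorted(sources)
            ],
        },
    }


if __name__ == "__main__":
    import json
    policies = allowed_ingress(REQUIRED_PATHS)
    for svc in SERVICES:
        print(f"{svc:9s} flat: {sorted(blast_radius(svc, SERVICES))}"
              f"  segmented: {sorted(blast_radius(svc, SERVICES, policies))}")
    print(json.dumps(network_policy("db", policies["db"]), indent=2))
```

Under the allow-lists, a compromised frontend can still pivot along its one permitted path (frontend to api, then api to db and cache), which is why the reasoning above speaks of limiting rather than eliminating blast radius; a compromised cache reaches nothing. Two practical caveats: a NetworkPolicy is only enforced when the cluster's CNI plugin implements it (a cluster without such a plugin silently accepts the object and enforces nothing), and a `podSelector` in `from` matches pods in the policy's own namespace unless a `namespaceSelector` is added.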


Question 2

An organization deploys a next-generation firewall with SSL/TLS inspection enabled. After deployment, the legal department reports that SSL inspection is decrypting traffic to their external legal counsel’s portal, potentially violating attorney-client privilege.

What is the BEST approach?

A. Disable SSL inspection entirely to avoid legal complications
B. Create bypass rules that exempt traffic to approved legal counsel domains from SSL inspection while maintaining inspection for all other traffic
C. Route all legal department traffic through a separate internet connection without inspection
D. Require legal counsel to use an unencrypted connection so no decryption is needed

Answer & reasoning

Correct: B

SSL inspection should be maintained for security, but specific categories of traffic with legal protections (attorney-client, healthcare, financial) should be exempted through bypass rules. Disabling inspection entirely (A) eliminates visibility into encrypted threats. A separate connection (C) creates management complexity without solving the policy problem. Unencrypted legal traffic (D) exposes privileged communications.


Question 3

A bank’s security operations center detects unusual DNS query patterns — workstations are making thousands of DNS requests with long, encoded subdomain names to an external domain. The queries appear to be legitimate DNS traffic on port 53.

What type of attack is MOST likely occurring?

A. DNS cache poisoning targeting the bank’s internal resolver
B. A distributed denial of service attack against the DNS infrastructure
C. DNS tunneling — data exfiltration encoded within DNS queries to bypass firewall rules that allow port 53 traffic
D. A DNSSEC validation failure causing excessive query retries

Answer & reasoning

Correct: C

DNS tunneling encodes stolen data in DNS query subdomain names. The traffic appears to be normal DNS on port 53, which most firewalls permit without deep inspection. The pattern of long, encoded subdomain names to an external domain is the signature of DNS tunneling exfiltration. Cache poisoning (A) involves injecting false responses, not abnormal queries. DDoS (B) involves volume, not encoded data. DNSSEC failures (D) do not produce encoded subdomain patterns.


Question 4

A government agency needs to transmit classified documents between two facilities. The security team proposes an IPSec VPN using ESP in tunnel mode. A network engineer asks why AH in transport mode would not be sufficient.

What is the correct explanation?

A. AH is slower than ESP and would cause unacceptable latency
B. Transport mode cannot be used between two different facilities
C. AH in transport mode provides authentication and integrity but would still allow the classified content to be read by anyone intercepting the traffic
D. AH does not provide encryption — it provides only integrity and authentication. Classified documents require confidentiality, which only ESP provides. Tunnel mode hides the original addressing between facilities.

Answer & reasoning

Correct: D

AH provides integrity and authentication but no encryption. Classified documents require confidentiality in transit, which means the content must be encrypted. ESP provides encryption plus integrity and authentication. Tunnel mode encapsulates the entire original packet, hiding internal network addressing between the two facilities. The explanation in C is partially correct about the symptom but D provides the complete technical reasoning including why tunnel mode is preferred over transport mode.


Question 5

A company’s web application sits behind a reverse proxy that terminates TLS. The security team discovers that traffic between the reverse proxy and the backend application servers travels unencrypted across a shared data center network that also hosts development and staging environments.

What is the PRIMARY risk?

A. Anyone with access to the shared data center network — including developers and staging systems — could intercept sensitive application traffic in plaintext between the proxy and backend servers
B. The reverse proxy is creating a single point of failure
C. TLS termination at the proxy increases CPU load on the proxy servers
D. The backend application servers cannot validate the identity of connecting clients

Answer & reasoning

Correct: A

When TLS is terminated at the reverse proxy and not re-encrypted to the backend, all traffic between the proxy and application servers is plaintext. On a shared network with development and staging environments, any compromised or misconfigured system in those environments could capture sensitive production data. The fix is to re-encrypt traffic between the proxy and backend servers (TLS re-encryption) or to isolate the production backend on a dedicated network segment.


Question 6

An organization migrates from a traditional on-premises data center to a hybrid cloud architecture. The network team discovers that their existing firewall rules, which were based on static IP addresses for on-premises servers, do not work in the cloud because cloud instances receive dynamic IP addresses that change when instances are restarted or scaled.

What architectural approach should replace IP-based firewall rules?

A. Assign static IP addresses to all cloud instances to maintain the existing rule structure
B. Implement identity-aware security policies using tags, labels, or security groups that define access based on workload identity rather than IP addresses
C. Disable the firewall for cloud traffic and rely on cloud provider default security
D. Use NAT to map cloud instances to fixed internal addresses

Answer & reasoning

Correct: B

In dynamic cloud environments, IP-based rules are fragile because addresses change frequently. Identity-aware policies using tags, labels, or security groups tie access controls to workload identity and function rather than network address. This approach scales with cloud auto-scaling and instance replacement. Static IPs (A) are impractical at scale and defeat cloud elasticity. Disabling the firewall (C) eliminates protection. NAT (D) adds complexity without solving the dynamic nature of cloud addressing.


Question 7

A hospital deploys a new wireless network for medical devices. The devices require low latency and cannot tolerate the overhead of a full 802.1X authentication exchange. The IT team proposes using WPA2 with a shared pre-shared key across all medical devices.

What is the MOST significant security concern with this approach?

A. WPA2-PSK provides no encryption for medical device traffic
B. WPA2-PSK cannot support the required number of simultaneous devices
C. A shared PSK means all devices use the same key material — if one device is compromised or the key is extracted, all devices on that network are exposed, with no individual device accountability
D. WPA2-PSK is incompatible with medical IoT device chipsets

Answer & reasoning

Correct: C

A shared PSK provides no device-level authentication or accountability. If the key is extracted from any single device (through firmware analysis, theft, or compromise), every device on the network is exposed. There is no way to revoke access for one device without changing the key on all of them. WPA2-PSK does provide encryption (A is wrong). The better approach would be certificate-based 802.1X authentication with device certificates, accepting the overhead for the security benefit.


Question 8

An e-commerce company receives reports that customers are being redirected to a fake version of the company’s website when they click links in promotional emails. Investigation reveals that the company’s email domain is being spoofed — the attackers send emails that pass SPF checks because they use their own mail servers with a different envelope sender while spoofing the display From address.

What additional control would prevent this attack?

A. Deploy a WAF on the company’s web servers
B. Implement S/MIME encryption for all outbound marketing emails
C. Add stronger SPF records with more restrictive IP ranges
D. Implement DKIM and DMARC with a reject policy to enforce alignment between the envelope sender and the header From address

Answer & reasoning

Correct: D

SPF alone validates the envelope sender, not the header From address that users see. DKIM cryptographically signs messages, tying them to the sending domain. DMARC enforces alignment between these identifiers and tells receiving servers to reject messages that fail alignment checks. Together, DKIM and DMARC close the gap that SPF alone leaves open. S/MIME (B) encrypts content but does not prevent spoofing of the From address. Stricter SPF (C) does not address the header/envelope mismatch.
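The alignment check that closes the gap is mechanical, and seeing it as code makes clear why SPF alone passes the spoof. The following is an added example (not from the original page) of how a receiving server evaluates DMARC from the SPF and DKIM results and the published policy; the domains, results and the DMARC record are constructed for the illustration.

```python
"""Added example (not from the page): evaluate DMARC identifier alignment for a
message given its SPF and DKIM results, the way a receiving server decides the
disposition. Domains, results and the record below are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AuthResults:
    header_from: str            # domain of the RFC 5322 From header (what the user sees)
    envelope_from: str          # domain of MAIL FROM / Return-Path (what SPF checks)
    spf_result: str             # "pass", "fail", "softfail", "none", ...
    dkim_result: str            # "pass", "fail", "none"
    dkim_domain: Optional[str]  # d= tag of the signature that verified, if any


@dataclass
class DmarcPolicy:
    p: str = "none"     # requested disposition on failure: none / quarantine / reject
    adkim: str = "r"    # DKIM alignment: r = relaxed (organisational domain), s = strict
    aspf: str = "r"     # SPF alignment, same encoding


def parse_dmarc_record(txt: str) -> DmarcPolicy:
    """Parse the tag=value pairs of a _dmarc TXT record, e.g.
    'v=DMARC1; p=reject; adkim=s; aspf=r'. Unknown tags are ignored."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    return DmarcPolicy(p=tags.get("p", "none"),
                       adkim=tags.get("adkim", "r"), aspf=tags.get("aspf", "r"))


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels; a real
    implementation consults the public suffix list (e.g. example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(candidate: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: exact match in strict mode, same organisational
    domain in relaxed mode."""
    if mode == "s":
        return candidate.lower().rstrip(".") == header_from.lower().rstrip(".")
    return org_domain(candidate) == org_domain(header_from)


def evaluate_dmarc(r: AuthResults, policy: DmarcPolicy) -> Tuple[str, str]:
    """Return (dmarc_result, disposition). DMARC passes if SPF or DKIM passed
    AND that identifier aligns with the header From domain; otherwise the
    published p= disposition applies."""
    spf_ok = r.spf_result == "pass" and aligned(r.envelope_from, r.header_from, policy.aspf)
    dkim_ok = (r.dkim_result == "pass" and r.dkim_domain is not None
               and aligned(r.dkim_domain, r.header_from, policy.adkim))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.p


# Constructed scenarios. Spoof: the attacker's own server sends with its own
# envelope domain (so SPF passes for that domain) while forging the visible From.
SPOOF = AuthResults(header_from="shop.example", envelope_from="bulk-sender.example",
                    spf_result="pass", dkim_result="none", dkim_domain=None)
# Legitimate campaign mail: bounces go to a subdomain, DKIM signed by the org domain.
LEGIT = AuthResults(header_from="shop.example", envelope_from="bounce.shop.example",
                    spf_result="pass", dkim_result="pass", dkim_domain="shop.example")

if __name__ == "__main__":
    policy = parse_dmarc_record("v=DMARC1; p=reject; adkim=r; aspf=r")
    print("spoof:", evaluate_dmarc(SPOOF, policy))   # ('fail', 'reject')
    print("legit:", evaluate_dmarc(LEGIT, policy))   # ('pass', 'none')
```

The spoofed message fails because SPF's passing identifier (the attacker's envelope domain) does not align with the header From domain, and there is no DKIM signature from the company's domain to fall back on. The legitimate message passes on DKIM even under strict SPF alignment, which is why signing outbound marketing mail with the organisation's own d= domain matters when a third-party sender uses its own bounce domain. Operationally, organisations usually publish p=none with aggregate reporting first, confirm every legitimate sender aligns, and only then move to quarantine and reject.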


Question 9

A security architect reviews a network design where the DMZ hosts a web server, an email gateway, and a DNS server. The inner firewall allows the DMZ web server to initiate connections to the internal database server on port 1433. No other DMZ-to-internal traffic is permitted.

A penetration tester compromises the DMZ web server and uses the allowed port 1433 connection to access the database. What architectural improvement would BEST limit this risk?

A. Replace the direct database connection with an application-layer proxy or API gateway in a separate secure zone that mediates and validates all queries between the DMZ and the database
B. Add a second firewall between the DMZ and the internal network
C. Move the database server into the DMZ alongside the web server
D. Block port 1433 entirely and require the web server to cache all data locally

Answer & reasoning

Correct: A

A direct connection from the DMZ to the internal database, even on a single port, gives a compromised web server a direct path to sensitive data. An application-layer proxy or API gateway in a separate zone breaks this direct connection. The proxy validates and mediates queries, ensuring only properly formed requests reach the database. A second firewall (B) already exists in the design and did not prevent the allowed connection. Moving the database to the DMZ (C) increases its exposure. Blocking database access entirely (D) breaks the application.


Question 10

A multinational corporation discovers that its MPLS provider had a security breach. While the corporation’s MPLS circuits were not directly compromised, the incident raises concerns about the confidentiality of inter-office traffic that crosses the provider’s infrastructure.

What should the security team recommend?

A. Immediately terminate the MPLS contract and switch to dedicated fiber
B. Layer IPSec encryption over the MPLS circuits so that even if the provider’s infrastructure is compromised, the traffic content remains encrypted
C. Accept the risk since MPLS provides inherent encryption through label switching
D. Deploy DLP on all inter-office traffic to prevent data loss through the MPLS circuits

Answer & reasoning

Correct: B

MPLS provides traffic isolation through label switching but does not encrypt data. If the provider’s infrastructure is compromised, unencrypted traffic on MPLS circuits could be intercepted. Layering IPSec encryption ensures traffic confidentiality regardless of the provider’s security posture. MPLS does not provide encryption (C is incorrect). Terminating the contract (A) is disruptive and may not be necessary if encryption addresses the confidentiality concern. DLP (D) prevents data leakage but does not protect data in transit from interception.


Question 11

An organization’s SOC team notices that their NIPS is dropping legitimate database replication traffic between the primary and secondary data centers. The replication traffic pattern triggers the anomaly detection engine because it involves large, sustained data transfers that deviate from the baseline established during a low-traffic period.

What is the BEST remediation?

A. Disable the NIPS and rely on the NIDS for detection only
B. Switch from anomaly-based detection to signature-based detection exclusively
C. Re-baseline the anomaly detection engine during representative traffic conditions that include database replication and create a policy exception for the known replication traffic pattern
D. Move the NIPS from inline to a SPAN port to prevent false positive blocking

Answer & reasoning

Correct: C

The anomaly detection baseline was established during unrepresentative conditions. Re-baselining during normal operations that include replication traffic will calibrate the engine to treat this pattern as normal. A specific policy exception for the replication traffic provides additional assurance. Disabling the NIPS (A) or moving it out of inline mode (D) eliminates prevention capability. Signature-only detection (B) would miss novel attacks.


Question 12

A remote employee connects to the corporate VPN from a hotel Wi-Fi network. The VPN uses split tunneling — only corporate-destined traffic goes through the VPN tunnel, while internet-bound traffic goes directly through the hotel network. The employee visits a compromised website that installs malware. The malware then uses the VPN tunnel to access internal corporate systems.

What VPN configuration change would have prevented this scenario?

A. Require certificate-based VPN authentication instead of username/password
B. Deploy a WAF at the VPN concentrator
C. Implement ZTNA instead of VPN to limit access to specific applications
D. Configure full tunneling so all traffic — including internet-bound traffic — passes through the corporate security stack for inspection before reaching the internet

Answer & reasoning

Correct: D

Split tunneling allowed the employee’s internet traffic to bypass corporate security controls, leading to malware infection. Full tunneling routes all traffic through the corporate network where it passes through the email gateway, proxy, IPS, and other security controls before reaching the internet. The malicious website would have been blocked or the download detected. Certificate authentication (A) strengthens VPN login but does not prevent web-based malware infection. A WAF (B) protects web applications, not VPN users. ZTNA (C) would limit post-compromise access scope but the question asks what would have prevented the infection.


Question 13

A data center uses FCoE (Fibre Channel over Ethernet) to converge storage traffic onto the same Ethernet infrastructure as regular data traffic. A security assessment identifies that storage traffic and general-purpose data traffic share the same VLANs.

What is the PRIMARY risk?

A. A compromise of any system on the shared VLAN could allow an attacker to intercept or manipulate storage traffic, potentially accessing raw block-level data from the SAN
B. FCoE traffic will consume all available bandwidth, causing denial of service
C. Storage traffic will be slower due to Ethernet overhead compared to dedicated Fibre Channel
D. FCoE is incompatible with standard Ethernet switches

Answer & reasoning

Correct: A

Converged protocol traffic that shares VLANs with general-purpose traffic is exposed to any attack that reaches that VLAN. Storage traffic carries raw block-level data — not files with access controls, but raw disk data. An attacker on the shared VLAN could capture or inject storage frames. FCoE should be isolated on dedicated VLANs with no general-purpose traffic, and access to those VLANs should be tightly controlled.


Question 14

A security team implements 802.1X port-based authentication on all switch ports in the corporate headquarters. After deployment, they discover that conference room printers, IP phones, and video conferencing equipment cannot authenticate because these devices do not support 802.1X supplicants.

What is the BEST approach to maintain security while accommodating these devices?

A. Disable 802.1X on all conference room ports
B. Configure MAC Authentication Bypass (MAB) for known device MAC addresses on specific ports, combined with placing these devices on a restricted VLAN with limited access
C. Replace all non-802.1X devices with newer models
D. Implement a guest VLAN with no authentication requirements for conference room ports

Answer & reasoning

Correct: B

MAB provides a fallback authentication method for devices that cannot run 802.1X supplicants. The switch recognizes known MAC addresses and places the devices on a restricted VLAN with limited access. This maintains the security posture (unknown devices are still blocked) while accommodating legitimate equipment. Disabling 802.1X (A) removes all port-level security. Replacing all devices (C) is expensive and may not be practical. A guest VLAN without authentication (D) opens the port to any device.


Question 15

An organization’s SDN controller uses a REST API for management. A penetration test reveals that the API accepts requests authenticated with a static API key that is shared among all administrators. The API is accessible from the general corporate network.

What are the TWO most critical findings?

A. The API uses REST instead of SOAP, which is inherently less secure
B. Static API keys cannot be easily rotated, so they should be replaced with stronger authentication
C. The SDN controller’s management API is accessible from the general corporate network with weak authentication — compromising it grants control over the entire network fabric, and shared static API keys provide no individual accountability and cannot be revoked per-administrator
D. The REST API should be replaced with SSH command-line access for better security

Answer & reasoning

Correct: C

The SDN controller is the single point of control for the entire network. Its management API being accessible from the general network with a shared static key creates two critical problems: any compromised corporate workstation could reach the controller, and the shared key provides no individual accountability (you cannot tell which administrator made a request) and cannot be revoked for one person without affecting all. The fix includes restricting API access to a dedicated management network and implementing per-administrator authentication with MFA.


Question 16

A financial institution requires its customer-facing API to support mobile banking applications. The API currently uses API keys for authentication. The security team wants to improve the authentication model to support delegated authorization, token expiration, and the ability for customers to revoke access from individual devices.

What authentication framework should replace the static API keys?

A. Basic authentication over TLS with longer passwords
B. Mutual TLS with client certificates issued to each mobile device
C. SAML 2.0 with browser-based SSO flows
D. OAuth 2.0 with short-lived access tokens and refresh tokens, enabling per-device token revocation

Answer & reasoning

Correct: D

OAuth 2.0 supports delegated authorization (the customer authorizes the mobile app to act on their behalf), short-lived tokens that expire automatically, refresh tokens for session continuity, and per-device token revocation. This matches all stated requirements. Basic auth (A) has no token management. Mutual TLS (B) provides strong authentication but lacks built-in delegated authorization and per-device revocation. SAML (C) is designed for browser-based SSO, not mobile API access.


Question 17

A company acquires a competitor and needs to integrate the two organizations’ networks. Both companies have overlapping internal IP address ranges (both use 10.0.0.0/8 internally). The integration must happen within 30 days while maintaining full connectivity for both organizations.

What is the MOST practical short-term approach while long-term re-addressing is planned?

A. Deploy NAT gateways at the interconnection point to translate overlapping addresses, allowing both organizations to maintain their current addressing while routing traffic between them
B. Immediately re-address one organization’s entire network to a non-overlapping range
C. Use VLANs to separate the two organizations’ traffic on a shared infrastructure
D. Deploy a CDN between the two networks to cache and proxy all inter-company traffic

Answer & reasoning

Correct: A

NAT at the interconnection point translates overlapping addresses into unique ranges for cross-organization routing. Both organizations keep their current addressing schemes, meeting the 30-day timeline. Full re-addressing (B) is a long-term project that cannot be safely completed in 30 days. VLANs (C) provide Layer 2 separation but do not resolve the Layer 3 routing conflicts from overlapping IP ranges. A CDN (D) is designed for content delivery, not network interconnection.


Question 18

A security team is reviewing the organization’s endpoint security strategy. Currently, all workstations run traditional signature-based antivirus. A recent incident involved a zero-day exploit delivered through a legitimate file-sharing service. The antivirus did not detect it because no signature existed. The security team discovered the breach three weeks later through unusual network traffic.

What endpoint security upgrade would BEST address both detection and investigation?

A. Deploy a network-based IPS at the perimeter with updated signatures
B. Replace signature-based antivirus with EDR that provides behavioral analysis, continuous monitoring, and forensic investigation capabilities
C. Add a sandbox environment to detonate all downloaded files before delivery
D. Implement application whitelisting to block all unauthorized executables

Answer & reasoning

Correct: B

EDR addresses both gaps: behavioral analysis can detect zero-day exploits by identifying suspicious activity patterns rather than relying on known signatures, and continuous endpoint telemetry recording enables forensic investigation to determine exactly what the attacker did and how long the breach lasted. A network IPS (A) has the same signature limitation and does not address endpoint visibility. Sandboxing (C) helps with file-based threats but does not provide endpoint monitoring or forensic capability. Application whitelisting (D) is a strong preventive control but does not provide investigation capabilities.


Question 19

An organization operates a load balancer that distributes traffic to five web application servers. The load balancer performs SSL/TLS offloading. A compliance audit notes that the PCI DSS requirement for end-to-end encryption of cardholder data is not met because traffic between the load balancer and the application servers is unencrypted.

What is the MOST appropriate remediation?

A. Remove the load balancer and terminate TLS directly on each application server
B. Encrypt the network between the load balancer and application servers using IPSec
C. Configure the load balancer to re-encrypt traffic using TLS between itself and the backend application servers (TLS re-encryption), maintaining encryption throughout the entire path
D. Move the application servers to the same physical chassis as the load balancer to eliminate network transit

Answer & reasoning

Correct: C

TLS re-encryption maintains the benefits of the load balancer (traffic distribution, health checking, SSL offloading from the client perspective) while re-encrypting traffic to the backend servers. This satisfies PCI DSS end-to-end encryption requirements. Removing the load balancer (A) eliminates its availability and performance benefits. IPSec (B) would encrypt the network path but adds unnecessary complexity when TLS re-encryption is the standard approach. Physical co-location (D) is impractical and does not address the compliance requirement for encrypted transit.


Question 20

An organization’s security policy requires that all remote access connections support multi-factor authentication, device posture checking, and application-specific access controls. The current VPN infrastructure only supports username/password authentication and grants full network access upon connection. The CISO wants a solution that can be deployed alongside the existing VPN during a transition period.

What approach BEST meets all requirements?

A. Upgrade the existing VPN with MFA and add network segmentation behind the VPN concentrator
B. Deploy a cloud-based CASB to monitor and control remote access to cloud applications
C. Implement network access control at the VPN entry point to check device posture
D. Deploy a Zero-Trust Network Access solution alongside the existing VPN, migrating applications to ZTNA incrementally while maintaining VPN access during the transition

Answer & reasoning

Correct: D

ZTNA natively provides all three requirements: MFA integration, device posture checking, and application-specific (not network-wide) access. Deploying it alongside the existing VPN allows incremental migration without disrupting current access. Upgrading the VPN (A) addresses MFA but cannot provide application-specific access — VPNs grant network access by design. A CASB (B) controls cloud application access but does not secure remote access to on-premises applications. NAC at the VPN (C) adds posture checking but does not provide application-level access controls.


Executive Pattern Summary

Domain 4 covers the most technical content on the CISSP exam, but it tests that content through a managerial lens. Before moving to Domain 5, internalize these five patterns that run through every question in this domain:

  1. Architecture determines breach scope. The architecture that exists before an attack determines how far the attacker can go after the initial compromise. Segmentation, micro-segmentation, DMZ design, and zone-based access controls are the decisions that limit blast radius. When a question describes unconstrained lateral movement, the answer is always an architecture change, not a component addition.
  2. Match the control to the layer. A WAF does not stop ARP spoofing. DHCP snooping does not prevent SQL injection. Every security component operates at a specific OSI layer and is effective only against threats at that layer. When you read a scenario, identify the threat layer first, then select the component that operates there.
  3. Encryption is not access control. Encrypting traffic protects confidentiality and integrity. Segmentation and access controls limit who can connect to what. These solve different problems. An encrypted connection to a system you should not have access to is still a security failure. Both are needed — neither replaces the other.
  4. Protocol selection is a security decision. Choosing between IPSec AH and ESP, between transport and tunnel mode, between split and full VPN tunneling, between WPA2-PSK and WPA3-Enterprise — each choice has specific security implications. The exam will present scenarios where the wrong protocol was selected and ask you to identify the gap or select the correct one.
  5. Trust boundaries require continuous enforcement. NAC checks devices before granting access. ZTNA evaluates posture continuously. NIPS inspects traffic in real time. The moment you stop verifying is the moment the boundary becomes a suggestion. Static, one-time checks create the illusion of security while leaving ongoing activity uninspected.