Security Architecture — Security+ practice questions

Domain 3 of the CompTIA Security+ (SY0-701) exam. 183 questions on this domain in the full bank — here are four free samples with answers and explanations.

Question 1 · Difficulty 2/5

Which network appliance is specifically designed to act as a controlled access point that administrators must connect through before reaching other systems in a secure or isolated network segment? (Select the best answer.)
  A. Proxy server
  B. Jump server
  C. Load balancer
  D. Intrusion prevention system

Correct answer: B

Jump server
A jump server (also called a jump host or bastion host) is a hardened, monitored gateway that administrators must authenticate through before accessing devices in a restricted network segment, providing a single auditable choke point. A proxy server forwards client requests on behalf of users, primarily for content filtering or anonymity, not privileged administrative access control. A load balancer distributes traffic across multiple backend servers for availability and performance. An intrusion prevention system inspects traffic for malicious patterns and can block them inline, but it does not serve as an administrative access gateway.

Question 2 · Difficulty 3/5

A security team deploys a network appliance that sits inline between two segments and monitors traffic by comparing packet contents against a signature database. When a match is found, the appliance automatically drops the offending packets and resets the connection. Which appliance type is described? (Select the best answer.)
  A. Passive network sensor
  B. Intrusion detection system
  C. Intrusion prevention system
  D. Forward proxy server

Correct answer: C

Intrusion prevention system
An intrusion prevention system (IPS) operates inline, inspects traffic in real time, and can actively block or drop malicious traffic when a signature match occurs. A passive network sensor (or an IDS in passive/promiscuous mode) receives a copy of traffic and generates alerts but cannot drop packets because it is not inline. An intrusion detection system (IDS) alerts on suspicious traffic but does not block it on its own. A forward proxy server intermediates client web requests for filtering or anonymity but does not perform signature-based threat blocking.

Question 3 · Difficulty 3/5

A network engineer configures a device in promiscuous mode on a core switch SPAN port. The device captures all traffic passing through the switch and forwards metadata (flow records, protocol statistics, and anomaly alerts) to a centralized security information and event management platform. Which appliance category does this device belong to? (Select the best answer.)
  A. Inline intrusion prevention system
  B. Network-based sensor
  C. Jump server
  D. Transparent proxy server

Correct answer: B

Network-based sensor
A network-based sensor operates out-of-band (connected to a SPAN port or network tap), passively captures traffic, and feeds telemetry and metadata to a SIEM or monitoring platform without being in the traffic path. An inline IPS sits directly in the traffic path and can block packets; a SPAN-port device cannot drop traffic because it only receives a copy. A jump server is an administrative access gateway, not a passive traffic collection device. A transparent proxy intercepts and forwards client requests without client configuration, which is unrelated to passive traffic capture for security monitoring.

Question 4 · Difficulty 2/5

Which of the following best describes the shared responsibility model in cloud computing? (Select the best answer.)
  A. The cloud provider assumes full responsibility for all security controls, including customer data and applications.
  B. Security responsibilities are divided between the cloud provider and the customer, with each party owning a defined set of controls.
  C. The customer assumes full responsibility for all security controls, including physical infrastructure and hypervisor patching.
  D. A third-party auditor assumes responsibility for verifying that both the provider and customer meet all security obligations.

Correct answer: B

Security responsibilities are divided between the cloud provider and the customer, with each party owning a defined set of controls.
The shared responsibility model defines which security controls the cloud provider manages (physical facilities, hypervisors, global network infrastructure) and which the customer manages (identity, data classification, application configuration). Neither party alone owns all security obligations. The customer never manages physical infrastructure in a public cloud model; that always belongs to the provider. Third-party auditors may verify compliance but do not assume operational responsibility for controls.
