Ditch the Fluff: CompTIA Network+ (N10-009) Practice That Actually Works

SSO (Single Sign-On) allows an organization to use an identity provider (IdP) to centrally manage authentication and access across multiple SaaS applications. In the Network+ (N10-009) objectives, identity and access management concepts include federated authentication, centralized account control, and reducing password sprawl. With SSO, users authenticate once to the IdP, and the IdP then provides assertions/tokens to SaaS services (commonly using federation standards such as SAML or OIDC in real environments). This improves security (fewer reused passwords, easier MFA enforcement), streamlines user experience, and simplifies administration (provisioning/deprovisioning from one place).

PKI supports certificates and encryption/signing, but it is not the core mechanism for managing access across many SaaS apps via an IdP. TACACS+ is typically used for device administration (AAA) on network equipment, and RADIUS commonly supports network access (802.1X, VPN) AAA—both are important AAA protocols but do not describe the SaaS-wide “one login across many apps” capability. Therefore, SSO is the best answer.

===========

The correct answer is B. PAT . Port Address Translation allows many internal devices that use private IP addresses to share a small number of public IP addresses when accessing the internet. In this case, the question says all users can access the internet using only two public IPs , which is exactly the kind of situation PAT is designed for. The device performing PAT keeps track of each connection by using source port numbers, so multiple internal sessions can be translated and maintained at the same time without requiring a unique public IP for every user.

The other options do not match this function. EIGRP and BGP are routing protocols used to exchange routing information, not to translate addresses for outbound internet traffic. VIP refers to a virtual IP address, commonly used in high availability or load-balancing scenarios, but it does not provide the many-to-one address translation behavior described in the question.

For Network+ exam purposes, when the scenario talks about conserving public IPv4 addresses and allowing many users to reach external networks through a very small number of public IPs, the expected answer is PAT . This is one of the most common real-world uses of NAT technology at the network edge.

A site-to-site VPN is used to securely connect two networks over an untrusted network, most commonly the public internet. In Network+ (N10-009) objectives, VPNs are described as providing confidentiality and integrity for data in transit by creating an encrypted tunnel between sites (for example, headquarters and a branch office). This allows systems at both locations to communicate as if on the same private WAN, while preventing eavesdropping or tampering by intermediate networks. Typical implementations use IPsec tunneling and rely on negotiated encryption/authentication parameters to protect traffic end-to-end between VPN gateways.

Encrypting data at rest refers to storage encryption (disk/database), not VPN tunneling. Filtering traffic between two internal subnets is usually handled by ACLs, firewalls, or segmentation controls, not a site-to-site VPN. Hosting public-facing applications is a DMZ / reverse proxy / WAF design concern; a VPN is not the primary control for exposing public services (and generally you would not require the public to use a VPN to reach a public website). Therefore, securing site connectivity across an untrusted network is the best match.

===========

Changing default admin passwords is a fundamental first step in device hardening to prevent unauthorized access.

VLAN hopping occurs when an attacker tricks a switch into believing the host is another switch by generating tagged frames or exploiting trunk negotiation (DTP). This allows the attacker to access traffic from multiple VLANs, potentially stealing sensitive data.

B. Evil twin is a rogue wireless AP attack, unrelated to switch impersonation.

C. DNS poisoning corrupts name resolution, not VLAN access.

D. ARP spoofing is a Layer 2 on-path attack, not masquerading as a switch.

References (CompTIA Network+ N10-009):

Domain: Network Security — VLAN hopping attacks, switch spoofing techniques.

Network Functions Virtualization (NFV): NFV is a technology that virtualizes network services like routing, firewalls, and load balancers. It allows these services to run on virtual machines rather than requiring dedicated hardware. This is ideal for remote branch locations where deploying physical devices is costly and complex.

VRF (B): Virtual Routing and Forwarding is used for segmenting routing tables but does not virtualize services.

VLAN (C): Virtual Local Area Networks help segregate broadcast domains but are unrelated to virtualizing network functions.

VPC (D): Virtual Private Cloud is used for cloud computing but does not pertain to virtualizing network services.

APIPA (Automatic Private IP Addressing) assigns an IP address in the range 169.254.x.x when a DHCP server cannot be contacted, and it sets the default gateway to 0.0.0.0 because APIPA is designed only for local communication within the same subnet. The document states:

“APIPA allows for automatic, ad hoc network communication within a single subnet when a DHCP server is not available. In this state, the default gateway is typically set to 0.0.0.0 because APIPA does not provide routing to other networks.”

IPsec (Internet Protocol Security) is the most secure way to provide site-to-site connectivity. It provides robust security services, such as data integrity, authentication, and encryption, ensuringthat data sent across the network is protected from interception and tampering. Unlike other options, IPsec operates at the network layer and can secure all traffic that crosses the IP network, making it the most comprehensive and secure choice for site-to-site VPNs.References: CompTIA Network+ study materials and NIST Special Publication 800-77.

The correct answer is SSO (Single Sign-On) because it enables a user to authenticate once and gain access to multiple systems or resources without being prompted to log in again. According to CompTIA Network+ (N10-009) security objectives, SSO improves usability and productivity while maintaining centralized authentication control. After the initial authentication, a trust relationship between systems allows the user to access additional applications seamlessly.

MFA (Multi-Factor Authentication) enhances security by requiring two or more authentication factors (something you know, have, or are), but it does not inherently provide access to multiple systems without repeated authentication events.

SAML (Security Assertion Markup Language) is an authentication and authorization protocol commonly used to implement SSO in web-based environments. While SAML supports SSO functionality, it is the underlying protocol rather than the access method itself.

RADIUS is a centralized authentication, authorization, and accounting (AAA) protocol used for network access control but does not specifically provide seamless multi-resource authentication without additional logins.

Therefore, SSO best describes authentication to multiple resources without requiring additional passwords.

A /25 subnet mask means 25 bits are reserved for the network portion, leaving 7 bits for host addresses. In dotted decimal, that is:

11111111.11111111.11111111.10000000

Decimal equivalent: 255.255.255.128

A. 255.255.254.0 corresponds to /23.

B. 255.255.255.1 is invalid as a subnet mask.

D. 255.255.255.192 corresponds to /26.

Thus, the correct subnet mask for a /25 network is 255.255.255.128.

References (CompTIA Network+ N10-009):

Domain: Networking Concepts — Subnetting, CIDR notation, dotted decimal.

Comprehensive and Detailed Explanation (paraphrased, aligned to N10-009):

SSH provides secure, scriptable remote access used by automation/orchestration tools (e.g., leveraging CLI, NETCONF over SSH, or Ansible modules) to push configurations at scale.

A. RDP is primarily for Windows GUI sessions and is not commonly used for network device automation.

B. Telnet can be scripted but is insecure (plaintext); modern best practice is to use SSH.

D. GUI access is typically manual and not ideal for scalable, repeatable automation.

References (CompTIA Network+ N10-009):

Domain: Network Operations — Configuration management, automation/orchestration, secure management protocols (SSH vs. Telnet), change at scale.

===========

The netstat output shows that multiple ports are open, including Telnet (23), FTP (20), and TFTP (69), which are potential security risks. Disabling unused ports minimizes the attack surface, reducing security vulnerabilities.

Breakdown of Options:

A. Disable the unused ports – Correct answer. Unused ports should be closed to prevent unauthorized access.

B. Enforce access control lists – ACLs help control access but do not disable unnecessary services.

C. Perform content filtering – Content filtering controls web traffic, not port security.

D. Set up a screened subnet – A DMZ (screened subnet) improves security but does not address open ports.

Port security is a Layer 2 security feature that restricts the number of devices connecting to a network switch port. It helps prevent unauthorized devices, such as an unmanaged switch, from being connected to the network.

How Port Security Works:

Limits the number of MAC addresses that can connect to a port.

Can shut down or restrict the port if an unauthorized device is detected.

Prevents users from plugging in unauthorized networking equipment (e.g., unmanaged switches, hubs).

Incorrect Options:

A. Screened Subnet: A screened subnet (DMZ) is used for isolating external-facing servers, not for controlling unauthorized network connections.

B. 802.1X: Provides authentication for devices but requires a RADIUS server, which is a more complex solution than port security.

C. MAC Filtering: Controls which MAC addresses can connect but is difficult to manage and can be spoofed.

The correct answer is SAML (Security Assertion Markup Language). SAML is an XML-based standard used for single sign-on (SSO) and identity federation. It allows identity providers (IdPs) to share authentication and authorization data with service providers (SPs), passing secure tokens containing user attributes and credentials.

A. IAM (Identity and Access Management) is the broader framework, not specifically XML-based.

B. MFA enforces multiple factors for authentication but does not involve XML assertions.

C. RADIUS is an AAA protocol, but it uses UDP, not XML assertions.

SAML is widely used in federated identity systems, enabling secure authentication across different domains and applications without requiring multiple credentials.

References (CompTIA Network+ N10-009):

Domain: Network Security — Authentication methods, SAML, SSO.