GDSA Practice Questions: Layer 1, Layer 2, and Layer 3 Defense Domain

Correct answer (A): The most defensible response is a secure routing architecture that includes prefix filtering, route source trust validation, management-plane protection, and monitoring for unexpected route changes. This directly addresses both prevention and detection for the stated problem. The other options are partial, misplaced, or assessment-only approaches that do not adequately protect internal routing decisions.

Why the other options are wrong:
- Option B: Bogon filtering is useful, but it focuses on invalid address space and does not solve the problem of unexpected internal route propagation.
- Option C: Summarization can simplify routing, but it does not establish trust in route sources or provide monitoring for suspicious changes.
- Option D: Auditing can identify weaknesses, but it does not replace routing controls or timely detection of active route manipulation.

Correct answer (A): Smaller VLANs and subnets reduce broadcast scope and shrink the set of hosts reachable from any single local compromise. Enforcing traffic between segments at Layer 3 creates a stronger control point for limiting lateral movement than keeping one large shared Layer 2 domain. This is the most defensible first improvement because it directly addresses the stated problem: a large blast radius caused by flat internal networking.

Why the other options are wrong:
- Option B: Perimeter firewalls mainly help with north-south traffic. They do not meaningfully reduce spoofing, scanning, and lateral movement inside one large local Layer 2 network.
- Option C: Application encryption is valuable, but it does not stop local scanning, broadcast abuse, or host-to-host pivoting across a flat internal network.
- Option D: Benchmarking and auditing can identify weak configurations, but they do not replace architectural controls such as segmentation and Layer 3 enforcement.

Correct answer (A): Accurate, trusted time is essential for forensic correlation, certificate validation, and reliable detection workflows. Using trusted enterprise time sources reduces integrity problems and makes monitoring data across infrastructure devices more dependable. This is stronger than compensating after the fact in a SIEM or relying on arbitrary external sources.

Why the other options are wrong:
- Option B: Arbitrary external sources may be reachable, but they do not provide the trust and consistency needed for reliable detection and validation workflows.
- Option C: Manual correction does not provide continuous accuracy and is not suitable for distributed enterprise infrastructure.
- Option D: SIEM normalization can help analysis, but it does not fix integrity problems caused by untrusted or inconsistent time sources on the devices themselves.

Correct answer (B): MAC-only trust is weak because attackers can spoof approved hardware addresses. A more defensible design bases network access on stronger identity signals, device posture, role, and placement, while providing alternate handling for devices that cannot authenticate normally. That shifts the architecture away from easily cloned MAC addresses and toward policy-driven access decisions that better fit mixed-capability environments.

Why the other options are wrong:
- Option A: This still treats the MAC address as the primary identity signal, which is the exact weakness the attacker exploited.
- Option C: A larger MAC allowlist increases administrative effort but does not solve the core problem that MAC addresses are weak identity evidence.
- Option D: Endpoint alerts may help detection, but the requirement is a more defensible access decision model that prevents or limits unauthorized attachment.

Correct answer (A): VLANs reduce broadcast domains, but they are not by themselves a strong security boundary. The actual problem in the stem is permissive inter-VLAN routing that still allows easy east-west movement. A routed policy boundary with ACLs or firewall enforcement is the best architecture change because it turns logical separation into enforceable trust boundaries and limits communication to explicitly required flows. This is a core GDSA lesson: segmentation is only strong when paired with policy enforcement.

Why the other options are wrong:
- Option B: Endpoint hardening is useful, but it does not correct the weak network trust boundary that allows lateral movement between segments.
- Option C: More VLANs still do not create strong isolation if routing between them remains broadly permitted.
- Option D: Bogon filtering helps at the Internet edge, not with internal east-west movement between engineering and plant networks.

Correct answer (A): The best long-term architecture response is to establish secure device benchmarks and audit against them regularly. That addresses configuration drift across switches and routers, helps remove risky defaults such as unused trunks or broad SNMP exposure, and creates a sustainable hardening program instead of one-time cleanup. Including trusted and restricted time configuration also improves confidence in log correlation and forensic timelines, which is critical for defensible operations and incident response.

Why the other options are wrong:
- Option B: Penetration testing is valuable, but annual testing does not replace configuration standards and recurring auditing.
- Option C: Centralized logging improves visibility, but it does not remediate insecure defaults or weak time-source trust.
- Option D: Perimeter filtering does not meaningfully solve internal device hardening, management-plane exposure, or time-service misconfiguration.

Correct answer (B): The blueprint makes two key points that drive this answer. First, benchmarking and auditing validate hardening baselines but are not substitutes for actual access control enforcement and ongoing monitoring. Second, a defensible architecture at Layers 1 through 3 should combine prevention controls with telemetry from network devices and infrastructure so unauthorized attachment and segmentation bypass attempts can be detected and investigated. Option B addresses both the prevention gap and the visibility gap.

Why the other options are wrong:
- Option A: More frequent audits still do not provide live enforcement or the telemetry needed to investigate unauthorized attachment and port activity.
- Option C: Perimeter-focused penetration testing does not replace internal access-layer enforcement or infrastructure telemetry for branch incidents.
- Option D: Removing restrictions increases risk and relies on response after compromise, which is the opposite of a defensible architecture goal in this scenario.

Correct answer (A): Dynamic ARP Inspection is effective only when the switch has a trusted source of IP-to-MAC bindings, commonly DHCP snooping tables. Because this environment mixes DHCP clients with static-IP clinical devices, a defensible design must account for both: use DHCP snooping and DAI for dynamically addressed systems, and provide explicit bindings or alternate handling for static-IP endpoints. This answer shows the dependency awareness and exception planning expected in GDSA-level architecture decisions.

Why the other options are wrong:
- Option B: Port security can limit some access misuse, but it does not validate ARP claims or stop gateway impersonation in the way DAI does.
- Option C: Separating devices into VLANs may reduce scope, but it does not solve ARP spoofing inside the affected segments if ARP validation is still absent.
- Option D: SNMPv3 and monitoring improve management security and visibility, but they do not provide the needed preventive control against ARP poisoning.

Correct answer (B): This incident combined DHCP starvation with rogue DHCP responses, so the best response is targeted access-layer enforcement. Layer 2 protections and port-level controls are designed to stop unauthorized systems from exhausting address pools or answering lease requests on user-facing ports. Increasing pool size or moving to static addressing changes operations, but it does not directly address the attacker path as effectively.

Why the other options are wrong:
- Option A: A larger pool or longer lease time may delay exhaustion, but it does not directly prevent unauthorized DHCP behavior from an attacker on the local network.
- Option C: Static addressing for all office devices is operationally heavy and still does not solve the broader issue of unauthorized attachment and access-layer abuse.
- Option D: Moving conference room ports into the primary corporate VLAN increases exposure and does not mitigate DHCP starvation or rogue DHCP behavior.

Correct answer (B): This is the strongest answer because it addresses both identified weaknesses. The blueprint states that SNMP should be minimized, strongly authenticated where possible, and restricted to authorized management paths. It also states that reliable and protected NTP sources are important for authentication consistency, log correlation, and incident investigation. Option B improves both management-plane exposure and the quality of response and investigation.

Why the other options are wrong:
- Option A: More frequent log forwarding does not fix weakly exposed management protocols or poor time-source trust.
- Option C: Disabling infrastructure monitoring removes useful telemetry and does not solve SNMP exposure or unreliable time synchronization.
- Option D: A separate VLAN may change placement, but it does not by itself minimize SNMP exposure or ensure protected reliable NTP.