Free GDSA IPv6 and Modern Network Risks Practice Test 2026 — GIAC Defensible Security Architect Questions
This free GDSA IPv6 and Modern Network Risks practice test covers IPv6 addressing and security risks, dual-stack threats, SLAAC/RA Guard, and modern network attack surfaces. Each question includes a detailed explanation with defensible-architecture context — perfect for GDSA exam prep.
Key Topics in GDSA IPv6 and Modern Network Risks
- IPv6 Addressing
- IPv6 Security Risks
- Dual-Stack Risks
- SLAAC & RA Guard
- Modern Network Threats
- Transition Mechanisms
6 Free GDSA IPv6 and Modern Network Risks Practice Questions with Answers
Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius GDSA question bank for the IPv6 and Modern Network Risks domain (6% of the exam).
Sample Question 1 — IPv6 and Modern Network Risks
A financial firm says it does not use IPv6, but endpoint scans show dual-stack workstations with active IPv6 services and successful host-to-host connectivity over IPv6. Firewall reviews, ACL baselines, and segmentation standards currently cover only IPv4. The firm cannot risk breaking modern operating system functionality with an unvalidated enterprise-wide shutdown. What is the best first architecture action?
- A. Create explicit IPv6 ingress, egress, and east-west policy with logging and enforcement parity to the existing IPv4 design (Correct answer)
- B. Keep the current IPv4 deny rules because applications were validated only over IPv4 and should follow the same path
- C. Move all user systems into separate VLANs and postpone IPv6 policy work until the business requests formal IPv6 deployment
- D. Disable all IPv6 functions across the enterprise immediately and address application failures through exception requests afterward
Correct answer: A
Explanation: Correct answer (A): Dual-stack hosts create a second communication path even when the organization thinks it is IPv4-only. Because IPv4 controls do not automatically apply to IPv6, the first defensible step is to build explicit IPv6 policy parity for ingress, egress, and east-west traffic and include logging so the existing security design intent covers both protocol families. This reduces attack surface without taking the operational risk of an unvalidated enterprise-wide IPv6 shutdown.
Why the other options are wrong:
- Option B: Incorrect. Application validation over IPv4 does not constrain IPv6 behavior, and IPv4 deny rules do not automatically govern IPv6 traffic.
- Option C: Incorrect. VLAN changes alone do not provide IPv6 policy enforcement, routing control, or logging parity. Hosts may still communicate over unmanaged IPv6 paths.
- Option D: Incorrect. The stem explicitly says an unvalidated shutdown is too risky. Disabling core IPv6 everywhere without validation can break modern operating systems and services.
Sample Question 2 — IPv6 and Modern Network Risks
A remote-work environment uses IPv4 web proxies and IPv4 egress filtering as primary outbound controls. During an investigation, analysts find several laptops reaching external IPv6 destinations through Teredo, with little corresponding visibility in the existing proxy stack. Business applications do not require transition tunneling. What is the best architectural response?
- A. Disable unused transition mechanisms such as Teredo, 6to4, and ISATAP, and add monitoring for any remaining IPv6 transport paths (Correct answer)
- B. Keep transition mechanisms enabled but increase IPv4 proxy inspection depth for all remote user web sessions
- C. Disable all IPv6 features on every endpoint immediately and postpone review of application dependencies until later
- D. Accept the tunnel behavior for now and focus on additional malware analysis for files downloaded over the web
Correct answer: A
Explanation: Correct answer (A): The key issue is not generic web risk but unmanaged IPv6 transition tunneling bypassing IPv4-centric controls. When the business does not need Teredo, 6to4, or ISATAP, disabling those mechanisms is the best attack-surface reduction step. Adding monitoring for remaining IPv6 paths supports detection and response, which is important because simply strengthening IPv4 proxy inspection does not address the bypass channel.
Why the other options are wrong:
- Option B: Incorrect. Better IPv4 proxy inspection still leaves the actual problem in place because tunneled IPv6 traffic can bypass IPv4-only proxy assumptions.
- Option C: Incorrect. Blanket disablement of all IPv6 is broader than necessary and risks breaking systems or services without validation.
- Option D: Incorrect. Malware analysis may help with specific payloads, but it does not fix the architectural control bypass created by unmanaged transition tunnels.
Sample Question 3 — IPv6 and Modern Network Risks
A data center team successfully segmented application tiers with IPv4 ACLs and routing controls. During validation, testers show that several dual-stack servers in different security zones still communicate over IPv6 because no equivalent IPv6 routing boundaries or policy objects were defined. Which design change best restores the intended segmentation model?
- A. Add explicit IPv6 address planning, routing boundaries, and enforcement rules at the same control points used for the intended zone design (Correct answer)
- B. Keep the current VLAN design because separation by broadcast domain should prevent meaningful cross-zone communication on its own
- C. Disable IPv4 routing between the affected zones so the stronger existing protocol no longer creates a mixed-control environment
- D. Increase server hardening baselines and endpoint logging while leaving the current IPv6 path open between the application tiers
Correct answer: A
Explanation: Correct answer (A): Segmentation is only real if it applies to all active protocol paths. In a dual-stack environment, IPv4 ACLs and routing controls do not preserve zone isolation unless equivalent IPv6 address planning, routing boundaries, and enforcement points also exist. The best fix is to extend the intended zone model to IPv6 at the same control points rather than relying on VLANs or host controls to compensate for missing network enforcement.
Why the other options are wrong:
- Option B: Incorrect. VLAN separation alone is not equivalent to enforced segmentation, and the stem already shows cross-zone IPv6 communication is occurring.
- Option C: Incorrect. Disabling IPv4 routing does not eliminate the unmanaged IPv6 path and would likely disrupt legitimate business traffic.
- Option D: Incorrect. Hardening and logging are useful, but they do not replace missing segmentation controls when the design goal is zone isolation.
Sample Question 4 — IPv6 and Modern Network Risks
An enterprise has not intentionally deployed routable IPv6 internally, yet a red team on a conference-room port is able to interact with nearby dual-stack laptops over IPv6 on the local segment. The network team argues that strong internet perimeter controls should have blocked any meaningful IPv6 risk. What is the best architectural response?
- A. Apply access-layer IPv6 first-hop protections and monitor local-link IPv6 activity because local-segment trust must be controlled directly (Correct answer)
- B. Rely on the perimeter firewall because the absence of routable internal IPv6 means local host communication is not a practical concern
- C. Remove external DNS records that reference IPv6 so local segments cannot form working IPv6 communication paths
- D. Increase remote access MFA requirements because local-segment IPv6 behavior is mainly a VPN authentication issue
Correct answer: A
Explanation: Correct answer (A): IPv6 risk does not require a full routed internal deployment. Link-local addresses are automatically present on interfaces, and Neighbor Discovery creates local-segment trust relationships that perimeter internet controls do not govern. The defensible response is to apply first-hop protections and monitoring at the access layer, where local-link abuse actually occurs.
Why the other options are wrong:
- Option B: Incorrect. Perimeter controls do not stop hosts on the same segment from communicating over IPv6 link-local paths.
- Option C: Incorrect. DNS records do not create or prevent local-link IPv6 communication between nearby systems.
- Option D: Incorrect. MFA for VPN access is unrelated to the local-segment IPv6 exposure described in the stem.
Sample Question 5 — IPv6 and Modern Network Risks
A manufacturing company must keep limited IPv6 connectivity for several vendor-supported systems, but recent testing found unmanaged router advertisements on some floors, uneven IPv6 firewall coverage between production and support networks, and little IPv6 telemetry in the SOC. Leadership asks for the most defensible near-term architecture plan rather than a single tactical fix. Which option is best?
- A. Deploy first-hop protections on user-facing segments, enforce explicit IPv6 policy across required paths, enable IPv6-aware monitoring, and update dual-stack incident procedures (Correct answer)
- B. Rely on perimeter IPv6 deny rules for now, keep local switching unchanged, and defer SOC visibility improvements until broader IPv6 adoption occurs
- C. Focus on IPv6 monitoring first, accept current local-segment behavior temporarily, and postpone enforcement changes until the next network refresh
- D. Disable all IPv6 immediately across the company, including required vendor-supported systems, and handle outages as business exceptions
Correct answer: A
Explanation: Correct answer (A): Because IPv6 is required, the right answer is not avoidance but layered architecture. This scenario contains prevention gaps at the local segment, enforcement gaps across network paths, and detection gaps in the SOC. A defensible near-term plan therefore combines first-hop protections, explicit IPv6 policy, IPv6-aware monitoring, and dual-stack incident readiness. That approach aligns prevention, detection, and response instead of overrelying on any single control layer.
Why the other options are wrong:
- Option B: Incorrect. Perimeter deny rules do not solve rogue router advertisements or uneven internal IPv6 policy, and postponing visibility keeps major blind spots in place.
- Option C: Incorrect. Monitoring helps, but the scenario describes active prevention gaps that should not be left open while waiting for a refresh cycle.
- Option D: Incorrect. The stem explicitly says some IPv6 connectivity must remain available for vendor-supported systems.
Sample Question 6 — IPv6 and Modern Network Risks
A SOC can ingest some IPv6 firewall logs, but investigators still struggle to tie alerts to specific assets because the CMDB, endpoint inventory, and SIEM correlation rules primarily use IPv4 addresses as the host key. During a recent incident, the same dual-stack server appeared as multiple unrelated entities. What improvement should the architect prioritize?
- A. Normalize asset inventory and correlation so dual-stack hosts are tracked consistently across both IPv4 and IPv6 identifiers (Correct answer)
- B. Increase analyst staffing on the overnight shift so investigators can manually compare addresses across separate tools during incidents
- C. Turn off IPv6 logging until the organization has a complete asset refresh and can redesign the monitoring platform from scratch
- D. Move the affected servers into a new VLAN and keep the current CMDB and SIEM field structure unchanged for simplicity
Correct answer: A
Explanation: Correct answer (A): Telemetry collection alone is not enough if investigators cannot map IPv6 activity to the correct asset. In dual-stack environments, the same host may appear under multiple network identifiers unless the CMDB, endpoint inventory, and SIEM normalize those identities. Prioritizing asset and correlation normalization improves investigation quality, alert correlation, and response readiness without reducing visibility.
Why the other options are wrong:
- Option B: Incorrect. More staffing does not solve the underlying data-model problem and does not scale for enterprise operations.
- Option C: Incorrect. Disabling IPv6 logging would make the visibility gap worse, not better.
- Option D: Incorrect. VLAN changes do not fix how systems correlate IPv4 and IPv6 identities for the same asset.
How to Study GDSA IPv6 and Modern Network Risks
Combine these GDSA IPv6 and Modern Network Risks practice questions with hands-on lab work and the SANS SEC530 course. The GDSA exam emphasizes practical defensible-architecture decisions, so always ask which option is most defensible, most resilient, and aligned with Zero Trust principles.
About the GDSA Exam
- Questions: 75 multiple-choice
- Time: 120 minutes (2 hours)
- Passing score: 63%
- Format: Proctored, open book
- Domains: 8 (this is 6% of the exam)
- Associated training: SANS SEC530