Free GDSA Network Defenses, Proxies, Firewalls, and Remote Access Practice Test 2026 — GIAC Defensible Security Architect Questions
This free GDSA Network Defenses, Proxies, Firewalls, and Remote Access practice test covers next-gen firewalls, forward and reverse proxies, VPN and remote access, IDS/IPS, and TLS inspection for network defense. Each question includes a detailed explanation with defensible-architecture context — perfect for GDSA exam prep.
Key Topics in GDSA Network Defenses, Proxies, Firewalls, and Remote Access
- Next-Gen Firewalls
- Forward & Reverse Proxies
- VPN & Remote Access
- IDS/IPS
- TLS Inspection
- Bastion Hosts
6 Free GDSA Network Defenses, Proxies, Firewalls, and Remote Access Practice Questions with Answers
Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius GDSA question bank for the Network Defenses, Proxies, Firewalls, and Remote Access domain (16% of the exam).
Sample Question 1 — Network Defenses, Proxies, Firewalls, and Remote Access
A hospital has perimeter next-generation firewalls and endpoint antivirus, but most internal systems still share a flat internal network. After a phishing compromise, an attacker moved from a user workstation to file servers before the SOC had enough evidence to respond. The security architect can fund one architecture change this quarter. Which change would BEST reduce similar lateral movement while also improving detection?
- A. Tighten internet-edge firewall rules and block more outbound ports from the campus network
- B. Add internal segmentation around workstation-to-server and server-to-server paths, with sensors at those boundaries (Correct answer)
- C. Require MFA on the VPN and force full-tunnel remote access for all employees
- D. Place a WAF in front of the hospital's public web applications and tune the signatures
Correct answer: B
Explanation: Correct answer (B): Internal segmentation at meaningful trust boundaries is the best choice because the problem is east-west movement inside the network, not just north-south exposure. Adding sensors at those internal choke points improves visibility into pivoting activity while the segmentation reduces how far a compromised workstation can reach. This is a core defensible architecture principle: containment and telemetry must exist inside the network, not only at the perimeter.
Why the other options are wrong:
- Option A: This improves north-south filtering, but it does not materially contain or reveal lateral movement that happens after an attacker is already inside the network.
- Option C: VPN MFA is valuable for remote access, but the incident described began with phishing and then spread internally. It does not solve flat-network lateral movement.
- Option D: A WAF helps protect published web applications from application-layer attacks, but it does not address workstation-to-server pivoting inside the hospital network.
Sample Question 2 — Network Defenses, Proxies, Firewalls, and Remote Access
Engineering contractors need remote access to one internal ticketing application. The current design gives them broad network-level VPN access after password and MFA, and the security team is concerned that a stolen contractor laptop could still be used for internal reconnaissance. Which redesign is the BEST fit for this use case?
- A. Keep the VPN design and require stronger password complexity rules for contractor accounts
- B. Keep the VPN design and move contractors to split-tunnel access for better performance
- C. Replace broad VPN access with application-specific remote access that enforces MFA and device trust for only the ticketing application (Correct answer)
- D. Replace the VPN with direct RDP access from the internet to an internal jump server for all contractors
Correct answer: C
Explanation: Correct answer (C): Application-specific remote access is best because the contractors only need one application. Broad VPN access extends network reachability after authentication, which increases reconnaissance and pivot risk if credentials or devices are compromised. Limiting access to the specific application and checking both identity and device posture better aligns with defensible remote access design than treating VPN access as equivalent to Zero Trust.
Why the other options are wrong:
- Option A: Better passwords help somewhat, but they do not address the main problem: excessive network reachability after login.
- Option B: Split tunneling is mainly a routing decision here and does not reduce contractor access to internal subnets once the VPN session is established.
- Option D: Direct internet exposure to remote desktop is not a good substitute for a controlled remote access architecture and increases attack surface.
Sample Question 3 — Network Defenses, Proxies, Firewalls, and Remote Access
A SOC currently relies on network IDS sensors at the internet edge. An incident review showed that an attacker used stolen VPN credentials, entered through the remote access concentrator, and then pivoted between user VLANs and server segments with little visibility. The network team does not want widespread inline blocking yet. Which telemetry improvement is the BEST first step?
- A. Add NetFlow at remote access concentrators and key internal segmentation boundaries, and centralize the analysis (Correct answer)
- B. Add full packet capture only at internet egress and retain the traffic for a longer period
- C. Add inline NIPS at every access switch and allow the devices to block suspicious sessions automatically
- D. Add more syslog from perimeter firewalls and keep the internal network telemetry unchanged
Correct answer: A
Explanation: Correct answer (A): The best first step is to instrument the remote access entry point and important internal choke points, because that is where the attacker entered and pivoted. NetFlow provides scalable visibility into communication paths and anomalies without the deployment risk of broad inline prevention. This matches a defensible architecture approach: place telemetry where attack paths cross trust boundaries, rather than relying on edge-only sensors.
Why the other options are wrong:
- Option B: Longer packet retention at internet egress still misses much of the east-west movement inside the network.
- Option C: NIPS can block traffic, but deploying it pervasively inline without tuning and resilience planning creates operational risk and is not the stated first objective.
- Option D: More perimeter firewall logs do not solve the visibility gap around VPN entry and internal pivoting.
Sample Question 4 — Network Defenses, Proxies, Firewalls, and Remote Access
System administrators currently connect from standard laptops over VPN and then use RDP or SSH directly to domain controllers and database servers. Leadership wants stronger accountability and reduced exposure of administrative interfaces without removing remote administration entirely. Which design is the BEST recommendation?
- A. Require MFA on the VPN and continue allowing direct administrative access from any managed laptop
- B. Require full-tunnel VPN and collect more edge firewall logs for all administrative sessions
- C. Route privileged access through hardened jump boxes or privileged workstations with session monitoring and controlled credential use (Correct answer)
- D. Route privileged access through a web proxy so outbound traffic can be inspected before it reaches the servers
Correct answer: C
Explanation: Correct answer (C): Hardened jump boxes or privileged access workstations are the strongest architectural improvement here because they reduce where administrative interfaces are exposed, concentrate privileged paths, and make monitoring and credential control more practical. Session monitoring improves accountability, but it is most effective when paired with restricted admin pathways and better credential handling. MFA helps, but by itself it does not control what a privileged user can reach or how those sessions are used.
Why the other options are wrong:
- Option A: MFA helps with authentication, but it does not reduce the broad exposure of admin interfaces or improve control of privileged sessions after login.
- Option B: Full-tunnel VPN and edge logs do not materially limit which devices can directly reach sensitive admin services.
- Option D: A web proxy is not the right control path for RDP and SSH administrative access.
Sample Question 5 — Network Defenses, Proxies, Firewalls, and Remote Access
A company forces all remote users through full-tunnel VPN for both internet and internal access. VPN concentrators are now overloaded, and leadership proposes split tunneling for everyone. Most users only need SaaS plus two internal web applications, and security wants to avoid losing visibility into user web traffic while also reducing unnecessary internal network exposure. Which redesign is the BEST recommendation?
- A. Move all users to split-tunnel VPN and depend on the perimeter firewall when they connect back to internal applications
- B. Keep all users on full-tunnel VPN and accept concentrator overload as the unavoidable cost of security
- C. Send user web traffic through a web proxy or secure web gateway, and provide application-specific remote access for the internal web applications instead of broad network VPN (Correct answer)
- D. Give all users direct inbound access to the internal web applications from the internet and rely on local host firewalls for protection
Correct answer: C
Explanation: Correct answer (C): This redesign reduces concentrator load, preserves visibility for user web traffic through the proxy path, and removes unnecessary network-level VPN reachability for users who only need a small number of internal applications. It is more defensible than simply switching from full tunnel to split tunnel because it addresses visibility and access-scope reduction at the same time. The architecture matches business use, limits attack surface, and avoids treating VPN routing choices as the only remote access decision.
Why the other options are wrong:
- Option A: Split tunneling alone may relieve load, but it does not preserve equivalent web visibility or reduce access scope to the internal applications.
- Option B: Keeping an overloaded design just because it feels safer is not good architecture when better-scoped access and alternative visibility paths are available.
- Option D: Direct inbound exposure of internal applications to the internet is not an appropriate replacement for controlled remote access.
Sample Question 6 — Network Defenses, Proxies, Firewalls, and Remote Access
An enterprise customer portal is already published through a reverse proxy in the DMZ. A recent assessment found repeated SQL injection and cross-site scripting attempts against the HTTPS application. The team needs the best additional control to reduce application-layer attack risk without immediately rewriting the application. What should the security architect recommend?
- A. Add a WAF to inspect and normalize inbound HTTP and HTTPS requests before they reach the application servers (Correct answer)
- B. Add a web proxy to filter employee outbound browsing activity from the DMZ segment
- C. Add an SMTP proxy to inspect message attachments sent to the portal operations team
- D. Add a perimeter ACL that allows only HTTPS traffic to the customer portal
Correct answer: A
Explanation: Correct answer (A): A WAF is the best fit because the problem is application-layer attack traffic against an HTTP/HTTPS service. The reverse proxy already brokers inbound connections and helps hide backend servers, but it does not replace a control focused on filtering and normalizing malicious web requests. This is a layered design: reverse proxy for brokering and exposure reduction, WAF for HTTP attack reduction, and firewalling for network policy.
Why the other options are wrong:
- Option B: A web proxy is primarily for controlling outbound user web access, URL filtering, malware inspection, and egress logging. It is not the right control for protecting an inbound customer-facing web application.
- Option C: An SMTP proxy or secure mail gateway is for email flows, not for HTTP or HTTPS application protection. It does not address web attacks against the portal.
- Option D: Restricting the service to HTTPS is reasonable baseline hygiene, but it does not inspect or block malicious application-layer payloads inside permitted HTTPS traffic.
How to Study GDSA Network Defenses, Proxies, Firewalls, and Remote Access
Combine these GDSA Network Defenses, Proxies, Firewalls, and Remote Access practice questions with hands-on lab work and the SANS SEC530 course. The GDSA exam emphasizes practical defensible-architecture decisions, so always ask which option is most defensible, most resilient, and aligned with Zero Trust principles.
About the GDSA Exam
- Questions: 75 multiple-choice
- Time: 120 minutes (2 hours)
- Passing score: 63%
- Format: Proctored, open book
- Domains: 8 (the Network Defenses, Proxies, Firewalls, and Remote Access domain is 16% of the exam)
- Associated training: SANS SEC530