Exam CISSP topic 1 question 66 discussion

Actual exam question from ISC's CISSP
Question #: 66
Topic #: 1

An organization has implemented a protection strategy to secure the network from unauthorized external access. The new Chief Information Security Officer (CISO) wants to increase security by better protecting the network from unauthorized internal access. Which Network Access Control (NAC) capability BEST meets this objective?

  • A. Port security
  • B. Two-factor authentication (2FA)
  • C. Strong passwords
  • D. Application firewall
Suggested Answer: A
Community vote distribution
A (60%)
B (40%)

Comments

DERCHEF2009
Highly Voted 2 years, 7 months ago
Selected Answer: A
NAC = Port Security
upvoted 23 times
...
BDSec
Highly Voted 2 years, 7 months ago
“Internal access” is key here. Port security.
upvoted 9 times
cccispman
2 years, 3 months ago
You correctly identify 'internal access' as being key and I agree with you! But ... Port 22 is routinely open internally for legitimate access. 2FA is standard practice these days for securing access to network infrastructure.
upvoted 3 times
...
dev46
2 years, 7 months ago
Correct
upvoted 3 times
...
...
cysec_4_lyfe
Most Recent 1 week, 5 days ago
Selected Answer: A
Unauthorized "internal access" would insinuate they include insiders or employees who would already be authenticated. Port security is the best Network Access Control (NAC) capability to protect against unauthorized internal access because it enforces physical and data-link layer restrictions on network ports, preventing rogue devices from connecting to the network. This directly addresses the CISO’s goal of mitigating insider threats and unauthorized internal device proliferation.
upvoted 1 times
...
RedMartian
2 weeks ago
Selected Answer: A
Not B. Enhances user authentication, but doesn’t control device-level access to the internal network.
upvoted 1 times
...
amitsir
3 weeks, 4 days ago
Selected Answer: B
How 2FA relates to NAC: NAC systems can incorporate 2FA as a security measure to verify user identity and grant access to the network. By requiring users to provide a password and a second factor (like a code from a mobile app or a hardware token), 2FA strengthens the authentication process and makes it more difficult for unauthorized users to gain access. 2FA can be used to control access to specific resources or zones within a network, helping to protect sensitive data and systems.
upvoted 1 times
...
WZ1122
2 months ago
Selected Answer: A
I trust deepseek. The BEST Network Access Control (NAC) capability to protect the network from unauthorized internal access is: A. Port security. Explanation: Port security is a NAC feature that restricts access to a network by limiting which devices can connect to specific switch ports based on their MAC addresses. This prevents unauthorized devices from gaining access to the network internally, even if they are physically connected to the network. Two-factor authentication (2FA) and strong passwords are important for securing user accounts but do not directly address unauthorized internal access at the network level. Application firewalls are designed to protect applications from external threats and are not specifically focused on controlling internal network access. Port security is the most effective NAC capability for mitigating risks from unauthorized internal access.
upvoted 1 times
...
easyp
2 months, 2 weeks ago
Selected Answer: B
The best option for securing internal network access is: B. Two-factor authentication (2FA). While 2FA is typically seen as a defense for external access, it can also be crucial for internal access. In environments where insiders are given access to the network, 2FA ensures that even if an insider’s credentials are compromised (for instance, if someone gains access to a user's password), the second factor (like a time-based code or biometric scan) is required to access the system. This significantly reduces the risk of unauthorized internal access.
upvoted 2 times
...
easyp
2 months, 3 weeks ago
Selected Answer: B
The correct answer is: B. Two-factor authentication (2FA). Explanation: Two-factor authentication (2FA) provides an additional layer of security beyond just relying on passwords or credentials. By requiring two separate factors (something the user knows, like a password, and something the user has, like a token or mobile device), 2FA significantly increases protection against unauthorized access, even if an attacker has compromised a user's password. Internal access control is a major focus here, and 2FA is especially effective in mitigating the risk of unauthorized access by internal users, as it strengthens the authentication process and ensures that access is granted only when both factors are verified.
upvoted 1 times
...
somsom
5 months, 4 weeks ago
Always check the protocol involved; it will help.
upvoted 1 times
...
somsom
5 months, 4 weeks ago
It reads NAC, so the answer is port security. Two-factor is part of cloud security.
upvoted 1 times
...
deeden
8 months, 2 weeks ago
Selected Answer: B
In this context, I think Port security is a network security feature that restricts access to a network port by limiting the number of MAC addresses allowed on a specific port. It's a layer-2 security mechanism that helps prevent unauthorized devices from accessing the network. This focuses more on unauthorized external access. Unauthorized internal access would more likely come from insider threats, e.g., a disgruntled employee, a social engineering attack, contractors, etc.
upvoted 1 times
...
Rachy
9 months ago
Selected Answer: B
To increase the vote and not confuse people, I will go for B anytime, any day. Port security is for external access control.
upvoted 1 times
...
Ramye
11 months ago
The objective of this question is “protecting the network from unauthorized internal access”, and to satisfy this requirement it is most likely 2FA (MFA). 2FA/MFA will be used for authentication/authorization, hence the answer is: B
upvoted 1 times
...
MP26
12 months ago
MFA is not a capability of a NAC. So it should be A.
upvoted 2 times
...
marziparzi
1 year ago
This says "An organization has implemented a protection strategy to secure the network from unauthorized external access." If it didn't say that I would have leaned to 2FA. But 2FA is relevant for both external and internal. We need to find something that's exclusive to internal. That's why I think it's Port security
upvoted 1 times
...
Hongjun
1 year, 1 month ago
Selected Answer: B
The key word: increase. The question told us that a control has already been implemented. Now they want to increase. B is an increase, which is from 1 to 2; A, C and D are all basic controls, which is from 0 to 1.
upvoted 2 times
...
IntheZone
1 year, 3 months ago
Selected Answer: B
While Port security is good, 2FA is better as there are two steps to bypass. Also, for port security, MAC spoofing is a thing, which makes me doubt this could be the right answer.
upvoted 1 times
...
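A toy model of the port security behaviour the comments above describe (a limit on the MAC addresses allowed on a switch port), added here as an illustration and not part of the original thread. The class, port name, violation-mode strings and MAC addresses are constructed for the example.

```python
# Added illustration: per-port MAC limiting on an access switch port.
# All names and addresses below are constructed samples, not from the thread.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_macs: int = 1
    violation: str = "shutdown"      # "restrict" drops and counts, port stays up
    allowed: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0

    def receive(self, src_mac: str) -> str:
        """Decide what happens to a frame; the check keys only on source MAC."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "dropped (port disabled)"
        if mac in self.allowed:
            return "forwarded"
        if len(self.allowed) < self.max_macs:
            self.allowed.add(mac)    # learn the first device(s) seen on the port
            return "forwarded (learned)"
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True  # stays down until an administrator re-enables it
            return "violation: port shut down"
        return "violation: frame dropped"


def run_scenario(mode: str) -> list:
    """Replay constructed frames against one access port and return each outcome."""
    port = SecurePort("Gi0/1", max_macs=1, violation=mode)
    frames = [
        "00:11:22:33:44:55",   # the issued workstation
        "00:11:22:33:44:55",   # same workstation again
        "DE:AD:BE:EF:00:01",   # unknown device plugged into the same wall jack
        "00:11:22:33:44:55",   # workstation after the violation
    ]
    return [port.receive(m) for m in frames]


if __name__ == "__main__":
    for mode in ("shutdown", "restrict"):
        print(mode, run_scenario(mode))
```

The decision never looks at who the user is, only at the address the frame carries, which is the split the thread argues over: port security controls which device may use a port, while 2FA verifies the person.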