CompTIA CNX-001 - CompTIA CloudNetX Exam

Comprehensive and Detailed Explanation From Exact Extract:

Adding video surveillance that is focused on the cabinet enhances physical security by providing monitoring, deterrence, and forensic evidence in case of unauthorized access. Video surveillance complements existing layered access controls and is a recognized best practice for protecting high-value network assets.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Physical Security Controls”:

“Video surveillance provides 24/7 monitoring and records of physical access to critical infrastructure, supporting audit and incident investigation processes.”

Other options:

A. A statement of work is administrative and does not enhance physical security.

C. CISO accompaniment is impractical and not scalable.

D. Background checks are useful but are generally a prerequisite and not a real-time security control.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Quality of Service (QoS) rules at the internet router can prioritize VoIP traffic over other data, such as cloud document access. VoIP is sensitive to latency and jitter, and configuring QoS ensures that voice packets are prioritized during congestion. This is the most cost-effective solution that doesn’t require additional infrastructure.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Traffic Management and Prioritization”:

“QoS policies are essential for ensuring that latency-sensitive traffic, such as VoIP, is prioritized over other types of data, particularly in bandwidth-limited scenarios.”

Other options:

A. Adding a second internet link is effective but not cost-efficient.

C. VLANs provide segmentation but don’t guarantee bandwidth prioritization.

D. Changing the codec may reduce bandwidth usage, but doesn’t address prioritization directly.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A. Least privilege – This Zero Trust principle ensures users can only access the resources necessary for their job roles. Role-based access control (RBAC), as mentioned in the scenario, is a textbook implementation of least privilege.

C. Microsegmentation – Deploying the application in a small subnet (192.168.77.32/30 provides only 2 usable host IPs) limits lateral movement and isolates the host at a network level. This is a key characteristic of microsegmentation, where resources are placed in small, tightly controlled network segments.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Zero Trust Security Architecture”:

“Least privilege enforces access permissions based on job responsibilities.”

“Microsegmentation applies granular isolation policies between resources to reduce the attack surface and lateral movement.”

Other options:

B. Device trust involves assessing device posture and compliance before granting access.

D. CASB (Cloud Access Security Broker) governs cloud access, not access control or subnetting.

E. WAF protects web applications but is not a Zero Trust element directly related to access control.

F. MFA supports identity verification but is not directly evidenced in the scenario.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

D includes all the key elements of Zero Trust:

MFA (Multi-Factor Authentication) supports secondary passkey-based authentication.

Geolocation settings enforce geo-restrictions.

SSO federation allows use of an existing SAML identity provider.

Continuous access policies support dynamic reauthentication based on changes in posture.

Trusted endpoint policies ensure only corporate-owned, compliant devices are allowed to connect.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Zero Trust Architecture and Identity Management”:

“ZTA enforces continuous access policies that monitor session state, posture, and user behavior.”

“Federated identity with SSO and posture-based trust evaluation are core ZTA components.”

“Geo-restrictions and trusted endpoint policies limit exposure and enforce device compliance.”

Other options:

A uses static session tokens and disables timely expiration, violating Zero Trust principles.

B allows BYOD and disables auditing, which conflicts with compliance and monitoring.

Comprehensive and Detailed Explanation From Exact Extract:

2.4GHz has longer range and better wall penetration than higher frequencies like 5GHz or 6GHz.A patch antenna (a type of directional antenna) focuses the signal in one direction, greatly improving range and reliability over long distances between buildings.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Wireless Deployment and Antenna Selection”:

“2.4GHz offers extended range over 5GHz. Directional antennas such as patch antennas concentrate signals toward a target, improving distance communication.”

Other options:

B & C. Higher frequencies provide faster speeds but shorter range.

D. Omnidirectional antennas spread signal in all directions, not ideal for point-to-point.

F. Built-in antennas are generally low gain and insufficient for building-to-building links.

Firewalls → VPN tunnel down

The IPsec tunnel between on-prem Firewall 1 and cloud Firewall 2 (ipip0/ipip2) is down, so no traffic can traverse to the cloud.

Application NSG → Misconfigured rule

There’s a “block” rule for 10.3.9.0/24 → 192.2.1.0/24, preventing legitimate on-prem clients from reaching Application A.

Comprehensive and Detailed Explanation From Exact Extract:

SD-WAN (Software-Defined Wide Area Networking) is ideal for enterprises that want to simplify WAN management, reduce operational overhead, and optimize connectivity to cloudservices. SD-WAN provides intelligent traffic routing, dynamic path selection, and direct-to-cloud access without backhauling traffic through a central data center.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “SD-WAN and Cloud Connectivity”:

“SD-WAN enables efficient cloud access from branch offices and simplifies management through centralized policy control. It is cost-effective and reduces the need for complex hardware configurations and manual routing.”

Other options:

B. Adds latency and overhead by backhauling through headquarters.

C. MPLS is expensive and less flexible than SD-WAN.

D. Dark fiber is high-cost and not scalable for cloud-first architectures.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

NAT64 allows IPv6-only devices to communicate with IPv4-only systems. It translates IPv6 addresses to IPv4 and vice versa. This is essential in mixed environments where backward compatibility is needed, and cannot be resolved simply by dual-stacking or bridging.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “IP Version Compatibility and Translation”:

“NAT64 allows seamless communication between IPv6-only clients and IPv4-only servers by translating address formats and protocol headers.”

Other options:

A. Adding IPv6 to internal servers requires changes to all internal devices and does not scale well.

B. Bridging does not handle protocol translation.

C. Changing IPv6 servers back to IPv4 violates the requirement for IPv6-only configuration.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Video surveillance (A) provides continuous monitoring and allows for real-time, remote visibility of secure locations, such as computer rooms. When integrated with analytics, video surveillance systems can detect movement after hours or unauthorized access and generate immediate alerts. These systems also maintain video logs that can be audited later.

NFC access cards (B) allow controlled access to physical areas, generating time-stamped logs for each entry attempt. When connected to an access control system, these cards can trigger alerts for unauthorized access attempts, such as the use of expired credentials or access during restricted hours.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — Security Controls and Physical Security Section:

“Security access systems using NFC or smart cards allow traceability of personnel entry through electronic logs, while surveillance systems provide visibility and support forensic investigations.”

“Video surveillance allows real-time monitoring of physical environments and helps detect unauthorized presence or access in sensitive locations.”

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A. CI/CD pipelines — Continuous Integration and Continuous Deployment (CI/CD) pipelines allow automated and repeatable deployments of infrastructure and application code. This ensures consistency across environments and supports rapid, reliable updates to multiple environments simultaneously.

B. Public code repository — A public repository (e.g., GitHub, GitLab public projects) allows sharing code with the broader community of practice, enabling collaboration, peer review, and reuse. It supports version control and standardized deployment scripts (e.g., Terraform, Ansible).

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Infrastructure as Code and Automation Pipelines”:

“CI/CD pipelines enable automated, consistent deployments across environments, reducing manual configuration errors.”

“Public repositories facilitate code sharing and collaboration, supporting standardized infrastructure templates.”

Other options:

C. Deployment runbooks are static and not inherently automated.

D. Private repositories restrict sharing, conflicting with the requirement to share code.

E. Image deployment refers to server builds, not full network configuration.

F. Deployment guides are manual documents, not automation tools.

================================================