Network Access Control (NAC)

Correct Answer: Posture assessment

Posture assessment checks the status of devices before they access the network. In this case, it can verify if devices have updated antivirus software. The other options don't have the capabilities required for this specific scenario.

Correct Answer: Endpoint Compliance Enforcement.

To prevent unauthorized devices from connecting to your network, you need to deploy an 'Endpoint Compliance Enforcement' Network Access Control (NAC) system. This type of NAC system scans and authenticates every device that attempts to access the network against a predefined security policy. If the device does not comply with the security policy, it will be blocked from accessing the network. This makes it the best option for preventing rogue devices from connecting to the network. The 'ARP Inspection' answer is incorrect because ARP Inspection is a security feature that validates ARP packets in your network. Although it can prevent certain types of attacks, it won't specifically prevent rogue devices from connecting to your network. The 'IPsec transport mode' answer is incorrect because IPsec Transport Mode is a protocol used for encrypting IP packets. While it can provide a secure connection, it does not specifically prevent unauthorized devices from connecting to the network. The 'Firewall rules' answer is incorrect because while firewall rules can block unauthorized access to specific ports or IP addresses, they may not be sufficient to prevent an unauthorized device from connecting to the network without additional controls like Network Access Control (NAC).

Correct Answer: DHCP Snooping

The best mitigation for DHCP spoofing is DHCP snooping. DHCP snooping is a security feature that provides security by filtering untrusted DHCP messages. It can prevent DHCP Spoofing by only allowing DHCP responses from trusted DHCP servers. It does this by building a table of legitimate IP addresses from successful DHCP transactions and thus can enforce IP/MAC bindings. The other answers are less effective: 802.1X is an IEEE standard for port-based Network Access Control (PNAC), not directly addressing DHCP spoofing. VLAN trunking does not inherently protect against DHCP spoofing. It is a method of sending traffic for multiple VLANs over a single link, but does not prevent DHCP spoofing by itself. Finally, ARP Inspection is also not inherently designed to prevent DHCP spoofing but is instead a security feature used to validate ARP packets in a network and can prevent ARP spoofing.