nerdexam
(ISC)2

CISSP · Question #791

How is protection for hypervisor host and software administration functions BEST achieved?

The correct answer is C. The management traffic pathway should have separate physical network interface cards (NIC). To best protect hypervisor host and software administration functions, the management traffic should utilize separate physical network interface cards (NICs). This approach ensures strong isolation of administrative traffic from other network flows, such as virtual machine or sto

Submitted by carlos_mx· Mar 5, 2026Security Architecture and Engineering

Question

How is protection for hypervisor host and software administration functions BEST achieved?

Options

  • AEnforce network controls using a host-based firewall.
  • BDeploy the management interface in a dedicated virtual network segment.
  • CThe management traffic pathway should have separate physical network interface cards (NIC)
  • DDeny permissions to specific virtual machines (VM) groups and objects.

How the community answered

(50 responses)
  • A
    4% (2)
  • B
    8% (4)
  • C
    72% (36)
  • D
    16% (8)

Why each option

To best protect hypervisor host and software administration functions, the management traffic should utilize separate physical network interface cards (NICs). This approach ensures strong isolation of administrative traffic from other network flows, such as virtual machine or storage traffic.

AEnforce network controls using a host-based firewall.

Enforcing network controls with a host-based firewall is a crucial security layer, but it does not provide the same level of physical isolation for the management traffic pathway as dedicated NICs.

BDeploy the management interface in a dedicated virtual network segment.

Deploying the management interface in a dedicated virtual network segment provides logical separation but still relies on the same underlying physical network infrastructure, which can be a single point of failure or compromise.

CThe management traffic pathway should have separate physical network interface cards (NIC)Correct

Dedicated physical network interface cards (NICs) for management traffic provide the strongest form of network isolation for hypervisor administration functions. This physical separation prevents unauthorized access from other network segments, reduces the attack surface, and ensures management traffic stability by avoiding contention with guest VM or storage network traffic.

DDeny permissions to specific virtual machines (VM) groups and objects.

Denying permissions to specific virtual machines (VM) groups and objects is an access control measure within the hypervisor's management plane, not a method for protecting the network pathway to those administration functions.

Concept tested: Hypervisor management network isolation and physical separation

Source: https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/best-practices-for-physical-network-adapter-configurations-in-hyper-v

Topics

#hypervisor security#virtualization#management plane isolation#network segmentation

Community Discussion

No community discussion yet for this question.

Full CISSP Practice