Direction confusion

Controls and traffic flow have directions (ingress vs egress, north-south vs east-west, inbound vs outbound). The trap offers an answer that's correct for the opposite direction.

Most common in
Security+, Network+, CISSP, CCSP

The Trap in One Sentence

You confused ingress with egress, or north-south with east-west. The direction of traffic flow determines which control point applies.

Pairs Candidates Confuse

Egress filtering vs Ingress filtering

Outbound (data exfil prevention) vs inbound (external attack)

North-south vs East-west

Perimeter traffic vs internal/lateral

Inbound NAT vs Outbound NAT

Port-forward vs hide-source

How to Avoid It

  • Identify the source and destination of the traffic flow in the stem before picking.
  • Data exfiltration prevention = egress; perimeter defense = ingress.
  • Lateral movement = east-west; remote attacker = north-south.
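The source-and-destination rule above, applied to flow records as an added example (not part of the original page). It assumes the internal network is RFC 1918 space and that each flow is given as (initiator, target) with addresses as seen inside any NAT device; `tag_flow`, `INTERNAL_NETS` and the sample flows are constructed for illustration.

```python
import ipaddress

# Assumption: the "inside" is RFC 1918 space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Vocabulary taken from the pairs on this page, keyed by direction:
# (network path, concern the stem is describing, matching NAT direction).
DIRECTION_NOTES = {
    "ingress": ("north-south", "external attack", "inbound NAT (port-forward)"),
    "egress": ("north-south", "data exfiltration", "outbound NAT (hide-source)"),
    "east-west": ("east-west", "lateral movement", None),
}

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def tag_flow(src, dst):
    """Tag one flow by its initiator (src) and target (dst).

    Direction belongs to the connection, not the packet: reply packets of an
    inbound connection travel outward, but the flow is still ingress.
    """
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and dst_in:
        direction = "east-west"
    elif src_in:
        direction = "egress"
    elif dst_in:
        direction = "ingress"
    else:  # neither end is ours, so no internal control point applies
        return {"direction": "external", "path": None, "concern": None, "nat": None}
    path, concern, nat = DIRECTION_NOTES[direction]
    return {"direction": direction, "path": path, "concern": concern, "nat": nat}

# Constructed sample flows (initiator, target). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the internet.
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.0.1.20"),    # remote host reaching an internal service
    ("10.0.1.20", "198.51.100.9"),   # internal host calling out
    ("10.0.1.20", "10.0.2.30"),      # internal host to internal host
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        t = tag_flow(src, dst)
        print(f"{src} -> {dst}: {t['direction']} ({t['path']}), {t['concern']}")
```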

Frequently Asked Questions

How do I recognize a direction-confusion trap in an exam question?

When the choices involve traffic flow (ingress vs egress), network paths (north-south vs east-west), or NAT directions (inbound vs outbound), the question is testing whether you identified which way the traffic is moving. The trap offers a control that's correct for the opposite direction.

What's the tell-tale stem phrasing that signals this trap?

Data-flow keywords: "data exfiltration" (egress), "external attack" (ingress), "lateral movement" (east-west), "perimeter intrusion" (north-south), "compromised host calling out" (egress), "port-forward to a backend service" (inbound NAT). Match the keyword to the direction first.

If two directions both seem to fit, how do I decide?

Identify the source and destination of the traffic in the stem. Data leaving the network = egress. External attacker reaching in = ingress. Traffic between internal hosts = east-west. Remote attacker to internet-facing service = north-south. Don't conflate concepts: an inbound attack often leads to outbound exfil, but the question is asking about one specific direction.

What's a real example of a direction-confusion trap?

Stem: "To prevent data exfiltration to attacker-controlled domains, the BEST control is…?" Choices: (a) ingress filtering, (b) egress filtering with DNS controls, (c) perimeter firewall ACLs, (d) inbound IDS. (a) and (d) are for inbound traffic; (c) addresses general perimeter. Data exfiltration is outbound, so (b) egress filtering is the answer.

How is direction-confusion different from scope-confusion?

Direction-confusion is about WHICH WAY traffic flows. Scope-confusion is about WHICH LEVEL the control applies at (org/system/user). They co-occur in cloud scenarios but are distinct dimensions.

Why do item writers love this distractor mechanism?

Network engineers often conflate direction concepts in real work (especially as zero-trust blurs the perimeter), but cert exams test the clean textbook direction. Item writers exploit that gap to discriminate candidates who memorized control names from those who internalized when each direction matters.

Where does this trap show up most often?

Network+ across most domains. Sec+ Domain 4 (Operations) for firewall/IDS questions. CISSP Domain 4 (Communication and Network Security). CCSP for cloud-network architecture questions where directions matter for managed-service ACLs.

How do I deliberately drill against this archetype?

Use the trap drill linked above when it's available for this archetype. Practice reading every network-control stem with explicit direction tagging: "this is [ingress/egress/east-west/north-south] traffic." The labeling habit defuses the archetype.

Practice Against This Trap

5 cert-prep questions currently use this archetype as a distractor. Run a trap drill to face them in a row.
