CompTIA Security+network-security-and-secure-protocols

Network Security and Secure Protocols

Firewalls, segmentation, secure protocols, and defending the network perimeter and interior.

Network defense on the SY0-701 exam is about controlling where traffic can go and how it is protected in transit. You place filtering devices at the right boundaries, carve the network into isolated zones, swap insecure legacy protocols for encrypted equivalents, and recognize the classic attacks that abuse trust between hosts. Learn the placement and the port pairs and most questions become pattern matching.

Core Idea

  • Segment, filter, and encrypt. Firewalls and VLANs decide who can talk to whom; secure protocols protect the conversation itself.
  • Detection is not prevention. An IDS only alerts; an IPS sits inline and can drop malicious traffic — know which one acts.
  • Every insecure protocol has an encrypted replacement. The exam loves the swap: Telnet→SSH, HTTP→HTTPS, FTP→SFTP/FTPS, SNMPv1/2→SNMPv3, DNS→DNSSEC, LDAP→LDAPS.

Firewalls and Their Placement

Firewalls filter traffic against a ruleset. A stateful firewall tracks the state of connections (the session table) and allows return traffic automatically; a stateless packet filter judges each packet in isolation. A next-generation firewall (NGFW) adds deep packet inspection, application awareness, and often IPS and identity features. A web application firewall (WAF) is a Layer 7 device that inspects HTTP/HTTPS to block SQL injection, cross-site scripting, and other web attacks — it protects applications, not the whole network. Place perimeter firewalls at the internet edge and a WAF directly in front of web servers.

Segmentation, VLANs, and Zones

Segmentation divides the network so a compromise in one area cannot spread everywhere. VLANs create logical Layer 2 segments on shared switch hardware. A screened subnet (DMZ) is a buffer zone between the internet and the internal network that hosts public-facing services (web, mail, DNS) so external users never touch the internal LAN. Micro-segmentation pushes isolation down to individual workloads, enforcing per-host policy — a foundation of zero-trust designs.

Detection, Proxies, and Jump Servers

An IDS (intrusion detection system) monitors traffic and generates alerts but sits out-of-band and cannot stop an attack. An IPS (intrusion prevention system) sits inline and can block or drop malicious packets in real time. A proxy brokers connections on behalf of clients (forward proxy) or servers (reverse proxy), adding caching, filtering, and anonymity. A jump server (bastion host) is a hardened, monitored gateway administrators must connect through to reach sensitive segments, concentrating and logging privileged access.

VPNs, Secure Protocols, and Access Control

A VPN creates an encrypted tunnel over an untrusted network. IPsec VPNs (site-to-site or remote access) secure at Layer 3 using AH/ESP and IKE; TLS/SSL VPNs tunnel over HTTPS and are friendly to remote users through firewalls. Replace insecure protocols with encrypted ones: SSH (22) for Telnet, HTTPS/TLS (443) for HTTP, SFTP (22) or FTPS (990) for FTP, SNMPv3 for older SNMP, DNSSEC to authenticate DNS records, and LDAPS (636) for LDAP. On the access edge, 802.1X enforces port-based authentication so a device must prove identity (via a RADIUS server) before the switch port opens; NAC (network access control) extends this by checking device posture (patches, antivirus) before admitting a host, and port security limits which MAC addresses a switch port accepts.

High-Yield Exam Patterns

  • If the question says traffic must be blocked/dropped in real time, the answer is IPS, not IDS.
  • WAF is the answer for protecting a web application from SQL injection or XSS — a regular firewall is not.
  • Any "authenticate the device before it gets network access" scenario points to 802.1X / NAC.
  • Public-facing servers belong in the screened subnet (DMZ), never on the internal LAN.
  • When a legacy protocol appears, pick its encrypted twin and know the port pair (23→22, 80→443, 21→22/990).
  • On-path (man-in-the-middle) and DNS/ARP poisoning are mitigated by encryption, DNSSEC, and dynamic ARP inspection.

Common Traps to Avoid

  • Confusing IDS (alerts only) with IPS (blocks inline) — the exam tests which one acts.
  • Assuming a firewall stops web app attacks; Layer 7 attacks need a WAF.
  • Thinking a VLAN alone is strong security — VLAN hopping and misconfiguration can bypass it.
  • Forgetting that SSL/early TLS is deprecated — "secure" means current TLS, not SSLv3.
  • Treating SNMPv2 or FTPS/SFTP as interchangeable with their insecure originals.

Flashcards

Card 1 of 14

1/14

Keyboard: Space/Enter to flip • Arrow keys to navigate

Ready to Test Your Knowledge?

This quiz has 8 questions and each one has 4 options.

Quiz Details

8 Questions

Multiple choice with instant self-check

Final Review

See correct answers and explanations at the end

Build your own lesson in minutes.

Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.