Apply security principles to secure enterprise infrastructure
This is a PBQ objective. Expect to place devices, configure network security, and make infrastructure decisions for a described environment.
Device Placement and Security Zones
Network Zones
- Internet/Untrusted: Public-facing. Everything here is hostile.
- DMZ (Screened Subnet): Hosts public-facing services (web servers, email gateways, DNS). Accessible from the internet but isolated from the internal network. Protected by firewalls on both sides.
- Internal/Trusted: Corporate network. User workstations, internal applications, file shares.
- Management: Isolated network for device administration. Jump servers, out-of-band management (IPMI/iLO/iDRAC). Should never be accessible from the internet.
- Guest: Isolated segment for visitors. Internet access only — no access to internal resources.
Device Placement Principles
- Public-facing services go in the DMZ, never directly on the internal network
- Database servers behind application servers — never directly accessible from the DMZ
- Management interfaces on a dedicated management network
- Sensors (IDS) positioned to monitor traffic at key boundaries
Firewalls
Types
- Packet Filtering: Examines headers (source/dest IP, port, protocol). Fast but no application awareness. Stateless.
- Stateful Inspection: Tracks connection state. Allows return traffic for established connections. The baseline for modern firewalls.
- Next-Generation Firewall (NGFW): Stateful + application awareness + deep packet inspection + integrated IPS + URL filtering. Can make decisions based on application identity, not just ports.
- Web Application Firewall (WAF): Operates at Layer 7. Specifically protects web applications against the OWASP Top 10 (SQLi, XSS, CSRF). Deployed in front of web servers.
- Layer 4 vs. Layer 7: L4 firewalls filter based on the transport layer (TCP/UDP ports). L7 firewalls inspect application-layer content. L7 is more granular but more resource-intensive.
Firewall Rules
- Processed top-down — first matching rule wins
- Implicit deny: If no rule matches, traffic is blocked (default on most firewalls)
- Rules should follow least privilege — allow only what’s needed, deny everything else
- Exam tip: Questions will present a rule set and ask what traffic is allowed/blocked, or ask you to write rules for a scenario
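The rule-processing points above are easiest to internalise by running a rule set. The following is an added example, not part of the original notes: a minimal top-down evaluator with implicit deny, plus a check for shadowed rules (rules that can never fire because an earlier rule already matches everything they would). The rule set and addresses are constructed for a DMZ scenario and are not from any real firewall.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR or "any"
    dst: str              # destination CIDR or "any"
    dport: Optional[int]  # destination port, None = any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def _net_matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _net_matches(rule.src, pkt.src)
            and _net_matches(rule.dst, pkt.dst)
            and rule.dport in (None, pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down evaluation: the first matching rule decides.
    No match at all falls through to the implicit deny (index None)."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, idx
    return "deny", None

def _net_covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))

def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(later, earlier) pairs where the later rule can never fire because an
    earlier rule already matches everything it would. Such rules are dead
    weight at best and, when their action differs, a sign the intent was lost."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if (earlier.proto in ("any", later.proto)
                    and _net_covers(earlier.src, later.src)
                    and _net_covers(earlier.dst, later.dst)
                    and earlier.dport in (None, later.dport)):
                found.append((j, i))
                break
    return found

# Constructed rule set for a DMZ scenario (addresses are documentation/private
# ranges chosen for the example): DMZ web tier 10.0.1.0/24, internal app tier
# 10.0.10.0/24, database tier 10.0.20.0/24, management network 10.0.100.0/24.
RULES = [
    Rule("allow", "tcp", "any",            "10.0.1.0/24",  443),   # internet -> DMZ web
    Rule("allow", "tcp", "10.0.100.0/24",  "10.0.1.0/24",  22),    # management -> DMZ admin
    Rule("allow", "tcp", "10.0.10.0/24",   "10.0.20.0/24", 5432),  # app tier -> database
    Rule("deny",  "any", "10.0.1.0/24",    "10.0.0.0/8",   None),  # DMZ may not initiate inward
    Rule("allow", "tcp", "203.0.113.0/24", "10.0.1.0/24",  443),   # redundant: shadowed by rule 0
]

if __name__ == "__main__":
    for pkt in [Packet("tcp", "198.51.100.7", "10.0.1.10", 443),
                Packet("tcp", "10.0.1.10", "10.0.20.5", 5432),
                Packet("udp", "10.0.10.5", "10.0.20.5", 5432)]:
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed:", shadowed_rules(RULES))
```

Note how the DMZ-to-database packet is stopped by the explicit deny in rule 3, while the UDP packet between app and database tiers matches nothing and is dropped by the implicit deny; both are blocked, but only the first one is a deliberate decision you can point to in the rule set. The shadow check flags rule 4, which can be removed without changing behaviour.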
Intrusion Detection and Prevention
IDS (Intrusion Detection System)
Passive — monitors and alerts but does not block.
- Network-based (NIDS): Monitors network traffic at strategic points (SPAN port, network tap)
- Host-based (HIDS): Monitors activity on individual hosts (file integrity, log analysis)
IPS (Intrusion Prevention System)
Active — sits inline and can block malicious traffic in real-time.
- Must be positioned inline (traffic flows through it)
- Risk of false positives blocking legitimate traffic
Detection Methods
- Signature-based: Matches known patterns. Effective against known threats, blind to novel attacks.
- Anomaly-based: Establishes a baseline of normal behavior, alerts on deviations. Catches unknown threats but higher false positive rate.
- Heuristic: Rule-based analysis of behavior patterns.
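To make the signature vs. anomaly trade-off concrete, here is an added example (not from the original notes) that runs both methods over constructed web-server access-log lines. The log format, the two signatures, the IP addresses and the request mix are all made up for the example; nothing here is a real sensor's ruleset.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed access-log format: "<timestamp> <src-ip> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Signature rules: known attack patterns, matched against the URL-decoded path.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}

def _lines(src, paths, ts="2024-05-01T10:00:00"):
    """Build constructed log lines for one source IP (sample data, not real traffic)."""
    return [f"{ts} {src} GET {p} 200" for p in paths]

# Known-normal window used to build the anomaly baseline (per-source counts 2, 3, 2, 3).
BASELINE_LINES = (
    _lines("198.51.100.7", ["/", "/about"])
    + _lines("198.51.100.8", ["/", "/about", "/contact"])
    + _lines("192.0.2.4", ["/", "/news"])
    + _lines("192.0.2.5", ["/", "/news", "/about"])
)

# Window under analysis: one normal client and one noisy source that also sends known payloads.
WINDOW_LINES = (
    _lines("198.51.100.7", ["/", "/about", "/contact"])
    + _lines("203.0.113.9", [f"/page{i}" for i in range(10)])
    + _lines("203.0.113.9", ["/login?user=admin'%20OR%20'1'='1",
                             "/download?file=../../etc/passwd"])
)

def parse(line):
    """Return a dict for a well-formed line, None otherwise. The path is URL-decoded
    before matching so that percent-encoding does not hide a pattern from a signature."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, path, status = m.groups()
    return {"ts": ts, "src": src, "method": method, "path": unquote(path), "status": int(status)}

def signature_alerts(lines):
    """Signature-based: flag any line whose decoded path matches a known pattern.
    Precise for what it knows; silent on anything not in SIGNATURES."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for name, rx in SIGNATURES.items():
            if rx.search(rec["path"]):
                alerts.append((rec["src"], name))
    return alerts

def requests_per_source(lines):
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is not None:
            counts[rec["src"]] += 1
    return counts

def anomaly_alerts(baseline_lines, window_lines, k=3.0):
    """Anomaly-based: learn per-source request volume from the baseline window and
    flag sources in the new window above mean + k * stdev. Needs no signature, so
    it would also catch a novel tool sending nothing a signature recognises, but a
    legitimately busy client trips it too (the higher false-positive rate)."""
    base = requests_per_source(baseline_lines)
    threshold = mean(base.values()) + k * pstdev(base.values())
    return [(src, n) for src, n in requests_per_source(window_lines).items() if n > threshold]

if __name__ == "__main__":
    print("signature:", signature_alerts(WINDOW_LINES))
    print("anomaly:  ", anomaly_alerts(BASELINE_LINES, WINDOW_LINES))
```

The two detectors agree on the noisy source here, but for different reasons: the signature engine fires only on the two lines carrying a known payload, while the anomaly engine fires on the source's request volume and would say nothing about a single crafted request from an otherwise quiet client. That complementarity is why sensors usually run both.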
Inline vs. Monitor Mode
- Inline (IPS): Traffic passes through the device. Can block. Introduces latency. Becomes a single point of failure: if it fails closed, a device outage also stops all traffic through it.
- Monitor/Tap (IDS): Receives a copy of traffic. Cannot block. No impact on traffic flow. No risk of blocking legitimate traffic.
Port Security
802.1X
Port-based Network Access Control. Requires authentication before granting network access.
Three roles:
- Supplicant: Device requesting access (laptop, phone)
- Authenticator: Network switch/AP that controls port access
- Authentication Server: RADIUS server that validates credentials
EAP Methods
- EAP-TLS: Mutual certificate-based authentication. Most secure. Both client and server present certificates.
- PEAP: Server certificate + client password (inside a TLS tunnel). Easier to deploy than EAP-TLS.
- EAP-FAST: Cisco proprietary. Uses a PAC (Protected Access Credential) instead of certificates.
MAC-Based Authentication (MAB)
Fallback for devices that don’t support 802.1X (printers, cameras, IoT).
- Authenticates based on MAC address — easily spoofable, use only as a fallback
- Typically places devices on a restricted VLAN
Secure Communications
VPN
- IPSec: Network-layer VPN. Two modes: transport (encrypts payload) and tunnel (encrypts entire packet). Uses IKE for key exchange.
- SSL/TLS VPN: Application-layer VPN accessed through a browser or lightweight client. Easier to deploy for remote access.
- Split tunneling: Only corporate-bound traffic goes through the VPN; internet traffic goes direct. Reduces VPN load but means the endpoint is exposed to internet threats without corporate controls.
- Full tunneling: All traffic goes through the VPN. More secure but higher latency and bandwidth cost.
SD-WAN (Software-Defined WAN)
Centrally managed WAN that can dynamically route traffic across multiple links (MPLS, broadband, LTE).
- Provides encryption, segmentation, and centralized policy
- Replaces or supplements traditional MPLS circuits
SASE (Secure Access Service Edge)
Combines SD-WAN with cloud-delivered security (CASB, SWG, ZTNA, FWaaS) into a single service.
- Security follows the user, not the network perimeter
- Exam-relevant as a modern alternative to traditional VPN + firewall architectures
Jump Server / Bastion Host
Hardened server used as the sole access point to a secure network zone.
- Admins connect to the jump server first, then to target systems
- All administrative access is logged and monitored through this single point
- Reduces attack surface by eliminating direct access to managed systems
Load Balancers
Distribute traffic across multiple servers for availability and performance.
- Security role: Can perform SSL offloading, act as a reverse proxy, absorb DDoS traffic
- Placement: typically between the firewall and web server farm
Sensors and Collectors
- Network taps: Hardware devices that copy traffic for monitoring. Passive, no impact on traffic.
- SPAN/mirror ports: Switch configuration that copies traffic from one port to another for IDS/monitoring.
- Collectors: Aggregation points for logs and telemetry (syslog servers, SIEM collectors).
Infrastructure Decision Logic
Firewall Selection
| If the scenario says… | Choose… | Because… |
|---|---|---|
| "Block traffic by IP and port only" | Packet filter | Simple L3/L4 filtering |
| "Allow return traffic for established connections" | Stateful | Connection state tracking |
| "Block specific applications regardless of port" | NGFW | Application-layer awareness |
| "Protect web application from SQL injection" | WAF | L7 web-specific protection |
| "Cloud-hosted web application protection" | WAF (cloud) | Cloudflare, AWS WAF, etc. |
| "Inspect encrypted traffic" | NGFW with SSL inspection | Requires TLS decryption capability |
VPN Selection
| If the scenario says… | Choose… | Because… |
|---|---|---|
| "Site-to-site connection between offices" | IPSec (tunnel mode) | Network-layer, full packet encryption |
| "Remote worker accessing corporate resources" | SSL/TLS VPN | Easy deployment, browser or lightweight client |
| "Need to encrypt only the payload, not the header" | IPSec (transport mode) | Host-to-host within trusted network |
| "Zero-trust remote access" | ZTNA | Identity-based, per-application access (replaces traditional VPN) |
| "High performance, modern deployment" | WireGuard | Simpler, faster than IPSec, modern crypto |
Split vs. Full Tunnel
| If the scenario says… | Choose… | Because… |
|---|---|---|
| "Minimize bandwidth on VPN" | Split tunnel | Only corporate traffic through VPN |
| "Ensure all traffic is monitored/filtered" | Full tunnel | Everything goes through corporate security stack |
| "User needs to access cloud apps directly" | Split tunnel | Direct cloud access avoids hairpin through corporate DC |
| "High-security environment, prevent data leakage" | Full tunnel | All traffic inspectable |
IDS vs. IPS Placement
| If the scenario says… | Choose… | Because… |
|---|---|---|
| "Monitor traffic without risk of blocking legitimate traffic" | IDS (tap/SPAN) | Passive, no inline risk |
| "Automatically block attacks in real-time" | IPS (inline) | Active prevention |
| "Sensitive environment where false positives are dangerous" | IDS first | Tune rules before going inline |
| "Mature environment with well-tuned signatures" | IPS | Confidence in detection accuracy |
Offensive Context
When an attacker maps a target network, they’re looking for exactly the decisions you make in this objective: Where are the firewalls? Is the DMZ properly isolated or can I pivot from a web server to the database? Is 802.1X enforced or can I plug into a conference room jack? Is the management network segregated or can I reach iLO interfaces from the user VLAN? Every infrastructure decision either blocks an attack path or leaves one open.