
Exam Weight: 13%
Domain 4 is the plumbing of the digital world. It focuses on the secure design and protection of network architectures, ensuring data remains confidential and available while moving across wires, airwaves, or fiber.
1. The OSI and TCP/IP Models
This is the most critical foundation for the exam. You must know which protocols and devices operate at which layer and the threats associated with them.

| Layer | Name | PDU | Key Protocols/Concepts | Common Threats |
|---|---|---|---|---|
| 7 | Application | Data | HTTP/S, DNS, SSH, SNMP, FTP | Malware, XSS, SQLi |
| 6 | Presentation | Data | JPEG, GIF, TLS, ASCII | Format-based attacks |
| 5 | Session | Data | RPC, SQL, NFS | Session Hijacking |
| 4 | Transport | Segment | TCP (Reliable), UDP (Fast) | SYN Flooding |
| 3 | Network | Packet | IP, ICMP, IPsec, OSPF | IP Spoofing, MITM |
| 2 | Data Link | Frame | ARP, PPP, L2TP, VLANs | ARP Poisoning, MAC Spoofing |
| 1 | Physical | Bits | Cables, Hubs, WiFi signals | Wiretapping, Jamming |
2. Network Components & Security
- Switches (Layer 2): Connect devices within a network.
  - Security: Port Security (MAC filtering), VLANs for logical segmentation, and DHCP Snooping to block rogue DHCP servers.
- Routers (Layer 3): Connect different networks.
  - Security: Access Control Lists (ACLs) and secure routing protocols (OSPF with authentication).
- Firewalls:
  - Packet Filtering (Stateless): Inspects headers only (IP/Port).
  - Stateful Inspection: Tracks the state of active connections.
  - Next-Gen (NGFW): Adds application-level awareness and deep packet inspection.
  - WAF: Specifically protects web applications (Layer 7).
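The stateless-versus-stateful distinction above is easiest to see in code. The following is an added example, not part of the original notes: a header-only packet filter beside a minimal stateful inspector, run over constructed traffic (the IP addresses, ports and the `Packet`/`StatefulFirewall` names are all invented for the demonstration).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str       # source IP
    sport: int     # source port
    dst: str       # destination IP
    dport: int     # destination port
    flags: str     # TCP flags: "SYN", "SYN-ACK", "ACK", "FIN-ACK", "RST"
    inbound: bool  # True when the packet arrives from the outside network

def stateless_allow(pkt: Packet) -> bool:
    """Packet filtering: header-only rules with no memory. Outbound is allowed;
    inbound is allowed when it looks like a web-server reply (source port 443).
    It cannot tell a real reply from a packet that merely sets sport=443."""
    return (not pkt.inbound) or pkt.sport == 443

class StatefulFirewall:
    """Stateful inspection: remembers connections opened from the inside and
    admits an inbound packet only if it belongs to one of them."""
    def __init__(self) -> None:
        # Live connections as (internal ip, internal port, remote ip, remote port)
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "SYN":                          # new connection
                self.table.add(key)
            elif pkt.flags == "RST" or "FIN" in pkt.flags:  # teardown
                self.table.discard(key)
            return True
        # Inbound: reverse the 4-tuple and require a live connection.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        allowed = key in self.table
        if allowed and pkt.flags == "RST":
            self.table.discard(key)
        return allowed

def demo() -> dict:
    """Constructed traffic: one real HTTPS session plus one forged 'reply'."""
    fw = StatefulFirewall()
    out_syn = Packet("10.0.0.5", 51000, "203.0.113.10", 443, "SYN", False)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SYN-ACK", True)
    forged = Packet("198.51.100.7", 443, "10.0.0.5", 3389, "ACK", True)
    fw.allow(out_syn)
    return {"reply_stateless": stateless_allow(reply),
            "reply_stateful": fw.allow(reply),
            "forged_stateless": stateless_allow(forged),
            "forged_stateful": fw.allow(forged)}
```

Both filters pass the genuine reply, but only the stateful one drops the forged inbound packet, because no matching outbound connection exists in its table.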
3. Secure Communication Channels
- VPNs (Virtual Private Networks):
  - IPsec: Operating at Layer 3, it provides Authentication Header (AH) for integrity and Encapsulating Security Payload (ESP) for confidentiality. It has two modes: Transport (payload encrypted) and Tunnel (whole packet encrypted).
  - TLS VPNs: Increasingly popular because they use the browser and are easier to manage than IPsec.
- Wireless Security (IEEE 802.11):
  - WPA2: Uses AES/CCMP. Vulnerable to KRACK.
  - WPA3: The current standard; uses SAE (Simultaneous Authentication of Equals) to prevent offline password guessing.
4. Advanced Network Architectures
- SDN (Software-Defined Networking): Separates the Control Plane (decides where traffic goes) from the Data Plane (forwards the traffic).
- CDN (Content Delivery Network): Distributes data to edge servers closer to the user to improve availability and mitigate DDoS.
- Micro-segmentation: A security technique that enables fine-grained security policies to be assigned to data center applications, down to the workload level.
5. Network Attacks & Countermeasures
- DoS/DDoS: Flooding a system to make it unavailable. Mitigation: Traffic scrubbing, rate limiting.
- Man-in-the-Middle (MITM): An attacker intercepts communication between two parties. Mitigation: Strong encryption (TLS) and mutual authentication.
- DNS Attacks: DNS Cache Poisoning sends users to fake sites. Mitigation: DNSSEC (adds digital signatures to DNS data).
