Domain 4 of 5

Network Security

Domain · 14% of the N10-009 exam

Defense in depth: layer independent controls so no single failure is fatal

Security on a network is never one device or one setting. It is a stack of independent controls, each covering a different layer, so that an attacker who defeats one still faces the next. A locked wiring closet does nothing against a stolen password, and a strong password does nothing against someone who walks out with the switch, which is exactly why both exist. Network Security is the smallest domain at 14% of the exam, yet it pulls on every other domain, because the controls live on the same switches, routers, and links you build and operate elsewhere. The trap this model helps you dodge is the most common one in this domain: matching a control to the wrong layer or the wrong goal. Almost every question reduces to naming where a threat lives and picking the control that sits at that same layer, so the first move on any item is to place the threat before you reach for a defense.

The domain unfolds in eight steps, from who gets in to how you lock it down

Read the subtopics as one path from identity to enforcement. Logical Security is the front door: encryption, PKI, and the authenticate-authorize-account (AAA) flow that proves who a user is and what they may touch, carried by RADIUS or TACACS+. Physical Security is the layer underneath it, because anyone in the room defeats every logical control, so gear lives behind locked doors and an access-control vestibule. Deception Technologies add an early-warning tripwire: a honeypot or honeynet is a decoy nobody should ever touch, so any contact is a high-fidelity alert. Security Terminology pins down the vocabulary the whole exam scores against, the threat-vulnerability-risk chain and the confidentiality, integrity, availability (CIA) triad. Audits and Compliance turn outside law and contract, such as PCI DSS and GDPR, into concrete network controls. Network Segmentation carves the flat network into zones so a breach in one cannot pivot into the rest. Network Attacks catalogs what goes wrong at each layer, from a SYN flood to ARP poisoning to phishing. Security Hardening then ships it: strip defaults, swap cleartext management protocols for encrypted ones, gate ports with network access control (NAC), and order ACLs deny-by-default.

When two answers both work, the exam rewards least privilege and deny-by-default

The default instinct that wins close calls is to grant the minimum and trust nothing by position. Least privilege gives an identity only the access a task needs, deny-by-default means traffic and access are blocked until a rule explicitly allows them, and zero trust extends that to never trusting a device just because it sits on the internal network. This same instinct shows up as RBAC tying permissions to job roles, as an ACL that ends in an implicit deny-all, as microsegmentation that blocks east-west server-to-server traffic, and as NAC that admits a device only after it proves identity and health. The second instinct to keep ready: read the stem's verb. A control that prevents an action (a lock, a firewall rule) is a different answer from one that only detects it (a camera, a honeypot, an audit log), and questions are written to punish confusing the two.

Network Security at a glance: each area, what it covers, when to reach for it, and where to drill

Area of the domainWhat it coversReach for it whenDrill into
Identity and accessEncryption, PKI, and AAA (authenticate, authorize, account) via RADIUS or TACACS+The question is about who may connect and what they may doLogical Security
Physical accessLocks, cameras, and an access-control vestibule guarding the room the gear lives inThe attacker is in the building or has the hardwarePhysical Security
Detection and intelligenceHoneypots and honeynets as decoys that turn any contact into an alertYou need early warning of an intruder already past other controlsDeception Technologies
Vocabulary and goalsThreat-vulnerability-risk, the CIA triad, attack surface versus attack vectorThe item turns on telling two close terms apartSecurity Terminology
Law and contractData locality, PCI DSS, and GDPR translated into network controlsA regulation or standard dictates how data must be handledAudits and Compliance
Network zoningVLANs, DMZ, microsegmentation, and zero trust to contain a breachYou must stop lateral movement between device classes or trust levelsNetwork Segmentation
Threats by layerDoS/DDoS, Layer 2 abuse, rogue wireless, on-path, and social engineeringThe stem describes how an attack works and asks what it is or how to stop itNetwork Attacks
Enforcement and lockdownRemoving defaults, encrypted management, NAC, and deny-by-default ACLsYou are securing a device or a topology against the threats aboveSecurity Hardening and Defense

Subtopics in this domain