Network Security
You cannot defend a network you cannot picture, so this domain teaches the network first, then its enemies, then its defenses
Almost a quarter of the CC exam lives here, and the questions reward one habit above all: place every fact on a mental map of how traffic actually moves. That map is the layered model. A request you make in a browser is wrapped layer by layer, pushed down a stack to the wire, then unwrapped layer by layer at the far end, and the Open Systems Interconnection (OSI) reference model names seven of those layers while the TCP/IP model the real internet runs on collapses them into four. Once that picture is in your head, the rest of the domain snaps into place: an attack is just something that abuses a specific layer, and a defense is a control placed at a specific layer to stop it. The trap to dodge is treating ports, attacks, and appliances as a flat list of trivia to memorize. They are not a list; they are positions on the map, and the exam is really asking where on that map a thing belongs.
The domain unfolds in three steps: understand the network, recognize what attacks it, then architect the defense
Read the subtopics in order and they trace a single arc from foundations to defense. Computer Networking comes first because it is the map everything else hangs on: the OSI seven layers and the four-layer TCP/IP model they map onto, IPv4 (32-bit) versus IPv6 (128-bit) addressing, the well-known ports that name each service, and why WiFi (the IEEE 802.11 wireless family) must be encrypted with WPA2 or WPA3 and never WEP. Network Threats & Attacks then turns the map against itself, classifying attacks by the part of the CIA triad (confidentiality, integrity, availability) they target, telling virus, worm, and Trojan apart by how they spread, and pairing each threat with the control that catches it, from an intrusion detection system (IDS) that alerts to an intrusion prevention system (IPS) that blocks inline. Network Infrastructure finishes by building the defended network itself: keeping the data-center room alive with clean power, cooling, and fire suppression, carving the network into zones with a demilitarized zone (DMZ), VLANs, and micro-segmentation, gating new devices with Network Access Control (NAC), and dividing the work with a cloud provider under the shared-responsibility model.
When two answers both work, the layered defender's instinct picks the one that adds a layer rather than trusting a single wall
The guiding idea that runs through the whole domain is defense in depth: no single control stops every threat, so you stack independent controls and let each one catch what slipped past the last. A firewall filters at the boundary, an IPS blocks recognized attacks inline, antivirus cleans hosts, segmentation contains a breach to one zone, and NAC keeps unhealthy devices off the network in the first place. The exam rewards this layered reflex over any one silver bullet. So when two options each seem to solve the problem, prefer the answer that assumes a control can fail and places another behind it: a DMZ in front of internal systems, encryption on top of a network you must treat as untrusted, a second sensor watching where the first cannot see. Trust nothing as the only safeguard, and you will pick the answer the exam is looking for.
Three steps to securing a network: know it, watch it, build it
| Step | Question it answers | Key ideas and terms | Drill into |
|---|---|---|---|
| Understand the network | How does traffic actually move? | OSI 7 layers and TCP/IP 4 layers, IPv4 vs IPv6, well-known ports, WiFi encrypted with WPA2/WPA3 | Computer Networking |
| Recognize what attacks it | What is the threat, and what control catches it? | CIA-targeted attacks (DDoS, MITM, side-channel), virus/worm/Trojan, IDS vs IPS, HIDS vs NIDS, firewalls, antivirus | Network Threats & Attacks |
| Architect the defense | How do we build and run a defended network? | Power/cooling/fire and redundancy, DMZ/VLAN/micro-segmentation, NAC for IoT, cloud IaaS/PaaS/SaaS shared responsibility | Network Infrastructure |