Domain 4 of 5 · Chapter 3 of 3

Network Infrastructure

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified in Cybersecurity premium course — no separate purchase.

Included in this chapter:

  • On-premises facilities: power, cooling, and fire
  • Redundancy and site agreements
  • Secure network design: segmentation, DMZ, and VPN
  • Network Access Control and IoT
  • Cloud models: service models, deployment models, and the SLA
  • Exam-pattern recognition

Cloud service models: who manages what

LayerIaaSPaaSSaaS
ApplicationCustomerCustomerProvider
Data, identity, access configCustomerCustomerCustomer
Runtime / platformCustomerProviderProvider
Operating systemCustomerProviderProvider
Servers, storage, networkingProviderProviderProvider
Physical facility / hardwareProviderProviderProvider

Decision tree

What is the design goal?Expose a server to theinternet, kept isolated?DMZ (screened subnet)YesProtected link over anuntrusted network?NoVPN tunnelYesAdmit only known,healthy devices (IoT)?NoNAC at the portYesLimit lateral movementper workload?NoMicro-segmentationYesVLAN (zone separation)No, by zone

Cheat sheet

  • A UPS bridges the gap; a generator carries a prolonged outage
  • Keep data-center humidity in a band, roughly 40 to 60 percent
  • A pre-action sprinkler is the data-center default because one broken head will not flood the room
  • CO2 fire suppression is for unoccupied spaces only
  • Express spare capacity as redundancy: N+1 adds one spare, 2N fully duplicates
  • An MOU states intent; an MOA spells out specific obligations
  • Put sensitive equipment in the building's interior core
  • Defense in depth layers independent controls
  • Segmentation limits lateral movement, with VLAN cheapest and physical strongest
  • Put internet-facing servers in a DMZ to isolate a compromise
  • A VPN gives a protected tunnel over an untrusted network
  • NAC enforces two gates: authentication and posture
  • NAC, not IAM, is the control for unmanaged IoT devices
  • Cloud responsibility slides with the service model
  • The provider secures of the cloud; the customer secures in the cloud
  • Know the cloud deployment models: public, private, hybrid, community
  • An SLA is the provider's measurable commitment, most visibly uptime
  • Outsourcing to an MSP does not outsource accountability
  • A TLS certificate proves the server's identity by chaining to a trusted root CA, blocking MitM
  • The root CA is the trust anchor, so compromising it invalidates every certificate beneath it
  • DNSSEC digitally signs DNS data to authenticate its origin and prove integrity
  • Subnetting and VLANs into security zones limit an attacker's lateral movement
  • VPN split tunneling sends internet traffic outside corporate security controls

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. https://csrc.nist.gov/glossary/term/uninterruptible_power_supply
  2. https://www.nist.gov/el/fire-research-division-73300
  3. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
  4. https://csrc.nist.gov/glossary/term/virtual_local_area_network
  5. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
  6. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf
  7. https://csrc.nist.gov/glossary/term/network_access_control
  8. https://1.ieee802.org/security/802-1x/
  9. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf