Communication & Network Security
Place the control at the layer where the threat lives
The whole domain runs on one model the subtopics share: the OSI seven-layer reference model (Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7)) and its practical four-layer TCP/IP collapse (Link, Internet, Transport, Application). For any protocol, attack, or countermeasure you first name the layer it operates at, because a control added at a lower layer protects everything carried above it: IPsec at the Network layer secures every IP packet regardless of application, while TLS just above Transport protects only the one application session it wraps. The recurring exam move is to pair a threat to its layer (ARP spoofing at Layer 2, IP spoofing at Layer 3, injection at Layer 7) and ask which countermeasure belongs there, and the recurring trap is reaching for an application-layer fix when the requirement to protect ALL traffic between two sites transparently actually calls for the network layer. Layer-thinking is what unifies the three subtopics: it tells you whether a problem is one of design, of hardware, or of the channel itself.
Assume the network is already hostile, then contain and verify
Two assumptions cut across every subtopic in this domain: any network outside your control (and increasingly the inside, too) is hostile, and the perimeter will eventually be crossed. The architectural answer is to stop trusting location: segmentation divides the network into zones so a breach in one cannot reach the next, micro-segmentation pushes that boundary down to a single workload, and zero trust (NIST SP 800-207) grants no access based on where a request originates, authenticating and authorizing every session against a Policy Decision Point that judges it and a Policy Enforcement Point that allows or blocks it. The channel answer mirrors it: encrypt the traffic AND mutually authenticate both endpoints, because confidentiality without endpoint authentication still lets a man-in-the-middle terminate the channel. "Verify, don't trust the location" is the single idea behind segmentation, zero trust, NAC's admit-only-the-known-and-healthy gate, and a VPN binding its tunnel to verified identities.
Stack independent layers so bypassing one does not bypass them all
Defense in depth is the design rule the domain encodes, and the load-bearing word is independent: layers only count if they fail independently, so the architecture, the hardware, and the channel each carry their own controls rather than relying on the one in front of them. This is why the endpoint runs its own host-based firewall and EDR even after NAC, segmentation, and media controls have all been bypassed; why voice and storage traffic that now ride the data network (VoIP, iSCSI/FCoE) must be segmented onto their own paths rather than trusted because they share the wire; and why every layer of encapsulation a multilayer protocol allows is a layer some control must still be able to inspect. The security leader's job is to make each component both resilient (it keeps working) and trustworthy (only authorized, healthy traffic passes) knowing any single layer can be the one that fails.
Choose the subtopic by what you are securing: the design, the box, or the channel
The domain's three subtopics divide cleanly by object. Secure Network Architecture owns the logical design: the OSI/TCP-IP layer map, where to encrypt, how to segment, zero trust, software-defined networking, and converged/multilayer protocols. Network Components owns the physical and near-physical hardware that carries and polices the traffic: redundant power and support, transmission media (copper versus fiber), the Network Access Control gate, and endpoint defense. Secure Communication Channels owns the implementation decision of which secure channel to build over that design: VPN type, remote-access model, voice/multimedia (VoIP) protection, and pushing requirements onto third-party carriers. A useful tell: "how is the network laid out and trusted" is architecture, "what hardware or cable carries it and what gets admitted" is components, and "which encrypted channel do I stand up for this connection" is channels.
Which subtopic owns the decision
| Decision axis | Secure Network Architecture | Network Components | Secure Communication Channels |
|---|---|---|---|
| What it secures | The logical design and trust topology | The physical hardware, media, and admission | The encrypted channel built over the design |
| Layer focus | All layers. The OSI/TCP-IP map itself | Physical (1) and Data Link (2): cabling, power, NAC | Network/Session: where the tunnel terminates |
| Core mechanisms | Segmentation, micro-segmentation, zero trust, SDN, VPC | Redundant power, fiber vs copper, 802.1X NAC, EDR | IPsec vs TLS VPN, remote-access models, SRTP/SIP-over-TLS |
| Governing assumption | Trust no location; layer controls independently | Each component is a defense layer and a single point of failure | Every external network and endpoint is hostile |
| Reach for it when | How is the network laid out and trusted? | What hardware/cable carries it and what gets admitted? | Which channel do I stand up for this connection? |