Domain 4 of 8 · Chapter 2 of 3

Network Components

The component as a layer: resilient and trustworthy

Every network component is two things at once: a layer of defense in depth and a potential single point of failure. A switch, a cable run, or an endpoint can either harden the network or sink it, and that dual nature, read through the CIA triad you already know, is what tells you what securing a given piece means and which property each control defends. Secure Network Architecture (a sibling subtopic) decides the segments, trust zones, and protocol layers; this page picks up the physical and near-physical pieces inside that architecture: the power and support that keep gear running, the cabling the bits travel over, the gate that admits devices, and the endpoint that terminates the link.

The organizing idea, applied to every component below: each piece is simultaneously a layer of defense in depth and a potential single point of failure, so the security leader engineers it to be both resilient (it keeps working through faults) and trustworthy (only authorized, healthy devices and signals pass). That dual lens is the difference between a network-administration checklist and the manager-altitude reasoning the exam rewards. The (ISC)² CISSP exam outline[1] frames this domain as "Secure network components," grouping operation of infrastructure, transmission media, NAC systems, and endpoint security as design and operational decisions.

The authoritative control catalog behind these decisions is NIST's, in NIST SP 800-53 Rev. 5[2], Security and Privacy Controls for Information Systems and Organizations: its System and Communications Protection (SC) family governs transmission protection and boundary defense, and its Physical and Environmental Protection (PE) family governs the power and physical-media protections. Two scope lines keep this page distinct from its neighbours and are worth fixing now. Anything about how traffic is encrypted in transit (VPNs, TLS, IPsec) is Secure Communication Channels, not here: this page secures the media physically (tap resistance, emanation, conduits), not cryptographically. And anything about segments, zones, and zero-trust topology is Secure Network Architecture; here we secure the components that live inside whatever architecture that page defines.

Operating infrastructure: redundancy, power, and support

This section covers the operational controls that keep a network component available, and the precise vocabulary questions use for each. It assumes the layer/SPOF frame from the opening section. Lead with the model: hardware availability is engineered by removing single points of failure and keeping the component serviceable across its life, redundancy answers the first, vendor support and lifecycle answer the second.

Redundancy is sized as a cost-versus-availability decision

Redundancy is expressed on a scale from N+1 (one spare component beyond what the load actually needs, e.g. four power supplies for a three-supply load) up to 2N, a fully duplicated, independent path with no shared single point of failure. Intermediate levels like N+2 or 2N+1 exist; the point the exam tests is that the level chosen is a cost-versus-availability call driven by the cost of downtime, not a fixed standard. The same logic applies to whole devices: high-availability (HA) clustering runs paired devices so that if the active one fails, its partner takes over (failover), and load balancing spreads traffic across several so no one device is a bottleneck or a sole point of failure.

Redundant power is built in layers, in order

Utility power is never assumed clean or continuous, so it is built up in a deliberate order, and the order is the lesson. The figure below traces that build-up from the wall to sustained backup, each stage answering a failure the stage before it cannot:

  1. Dual power feeds and redundant power supplies remove the single-feed and single-supply failure points; a 2N power design routes a device's two supplies to two independent feeds.
  2. Power conditioning smooths line noise and clamps spikes so dirty utility power never reaches the load.
  3. UPS (uninterruptible power supply) carries the load on battery through the seconds-to-minutes gap between a utility failure and a generator coming up to speed. Its job is bridge power, not to run the site for hours: a site with a large UPS but no generator has only deferred the outage.
  4. Generator supplies sustained power for a prolonged outage, running on stored fuel.

The precise anomaly vocabulary maps each symptom to the layer that answers it: low voltage is a sag (momentary) or brownout (prolonged); complete loss is a fault (momentary) or blackout (prolonged); high voltage is a spike (momentary) or surge (prolonged). Conditioning and the UPS ride through sags, faults, and noise; surge protection clamps spikes and surges; only a generator answers a prolonged blackout. NIST catalogs the bridge-and-sustain pattern as PE-11 (Emergency Power) with uninterruptible-power and alternate-supply enhancements in NIST SP 800-53 Rev. 5[2]. (The facility-wide power plant, HVAC, and fire systems for the room belong to Facility Security Controls; this page covers power only as it keeps a network component running.)

Warranty, support, and lifecycle keep a component fixable

Resilience that ignores time fails slowly. A maintained warranty/support contract matters because it guarantees an SLA-bound replacement or response window and a supply of spare parts: the difference between a four-hour swap and a multi-week procurement when a switch dies. The harder exam point is end-of-life / end-of-support: once a vendor stops issuing security patches and firmware for a device, that device becomes an unpatchable vulnerability no matter how high its uptime, and the security-driven action is to plan its replacement before that date, not after it fails. Support and lifecycle planning are therefore security controls, not just procurement hygiene.

Redundant power, built up in orderDual feeds& suppliesremoves single feedPowerconditioningsmooths, clamps spikesUPS(battery)bridge power onlyGenerator(fuel)sustained outageclean sourcerides sag / faultrides blackout
Power protection built up in order; each stage answers a failure the prior cannot, and only a generator covers a prolonged blackout (NIST PE-11).

Transmission media: emanation, EMI, distance, and tapping

This section explains why the cable itself is a security control and how the media types differ on the threats they resist. It assumes the availability/confidentiality lens from the opening section and owns the media-specific facts later questions turn on. Lead with the model: a transmission medium leaks, distorts, and can be intercepted in proportion to whether it carries an electrical signal or light, that single contrast explains every row in the overview's media table. The figure groups the media by that one split: the electrical family on the left, light on the right.

Copper carries electricity, and electricity radiates

Twisted-pair copper (the dominant LAN cabling) carries an electrical signal, which has three security consequences. It radiates electromagnetic emanations that a nearby attacker can read without touching the wire, the concern the U.S. government addresses under the TEMPEST program of emanation security. It is susceptible to electromagnetic interference (EMI) from motors, fluorescent lights, and power lines, and to crosstalk, where the signal on one pair bleeds into an adjacent pair and corrupts it (an integrity and reliability problem). And it attenuates: the signal weakens with distance, limiting an unrepeated twisted-pair run to roughly 100 meters. Unshielded twisted pair (UTP) has no electromagnetic shield; shielded twisted pair (STP) and coaxial cable add a conductive shield that reduces EMI, crosstalk, and emanation, at higher cost and stiffness, but they still carry an electrical signal and can still be tapped by splicing the conductor.

Fiber carries light, so it leaks almost nothing

Fiber-optic cable transmits pulses of light through a glass or plastic core, which inverts copper's weaknesses. It emits no electromagnetic signal (nothing to read at a distance), is immune to EMI and crosstalk, carries far greater bandwidth over far greater distance (kilometers for single-mode, versus copper's ~100 m), and is the hardest medium to tap: intercepting the light means physically bending or breaking the fiber to bleed out a fraction of the signal, which degrades the light and is detectable by the optics monitoring it. Fiber is therefore the strongest confidentiality and availability choice for backbone runs and any link crossing an area you do not physically control. The cost is higher per port and the requirement for skilled splicing/termination.

Physical security of media is its own control

Because the medium is a confidentiality control, its physical security is too. Cabling terminates in distribution facilities: the central MDF (main distribution facility) and the floor-level IDF (intermediate distribution facility) closets, and an open patch panel is an unmonitored tap onto the network, so those closets are locked and access-logged restricted areas. Cable runs through uncontrolled space go in locked conduits, and signal propagation quality (keeping runs within distance limits, away from EMI sources, properly terminated) is both an availability and an integrity control. NIST groups transmission protection under the SC family: SC-8 (Transmission Confidentiality and Integrity) protects data crossing the media, and SC-8 is explicitly satisfied by physical or logical means: physical protection via a protected distribution system (a wireline or fiber-optic system with electromagnetic, acoustical, electrical, and physical controls), logical protection via encryption (NIST SP 800-53 Rev. 5[2]). This page owns SC-8's physical side: which medium leaks least and how the cabling plant is protected; the cryptographic (logical) side is Secure Communication Channels. The two are complementary layers, not substitutes.

Media grouped by what they carryElectrical signal: radiates, EMI, tappableUTPno shieldSTPshieldedCoaxialshieldedall attenuate near ~100 mcrosstalk between pairsshield cuts EMI, still tappableLight: no emanationFiber-opticglass core, pulses of lightimmune to EMI, crosstalkfar longer distancehardest to tap: a tap is detectable
One split explains every media row: electrical copper radiates and is tappable; fiber carries light, so it emits nothing and a tap disturbs the signal.

Network Access Control (NAC): authenticate, then check health

This section covers the gate that decides whether a device may join the network at all. It assumes the device-versus-user distinction (NAC admits devices; user identity is Identity & Access Management). Lead with the model: NAC enforces two independent questions at the moment a device connects, who are you? (authentication) and are you healthy? (posture), and a device must satisfy both to reach production resources. The figure traces a connecting device through both gates to its three outcomes. NIST defines NAC as access "based on a user's credentials and the results of health checks performed on" the connecting device (NIST SP 800-41 Rev. 1[3]), which captures exactly these two gates.

Authentication at the port: IEEE 802.1X

The rigorous way to authenticate a device before its switch port or wireless association opens is IEEE 802.1X port-based network access control. Three roles cooperate: the supplicant (software on the connecting device), the authenticator (the switch or wireless access point controlling the port), and the authentication server (typically a RADIUS server holding the policy and credentials). Until the supplicant authenticates (carried over EAP (Extensible Authentication Protocol)) the authenticator holds the port closed to everything except the authentication exchange. Only on success does the port open onto the network. This moves the trust decision to the edge, before an unauthenticated device can send a single production packet.

Posture assessment and the quarantine VLAN

Authentication proves identity; it says nothing about hygiene. Posture assessment (a health check) evaluates the device's patch level, antivirus/EDR state, firewall status, and configuration against policy. The behaviour questions test: a device that authenticates but fails its health check is not simply denied, it is steered into a quarantine / remediation VLAN with access limited to the resources it needs to fix itself (patch servers, AV updates), then re-checked and admitted once compliant. This keeps a known-but-unhealthy device from either being locked out entirely or let onto production dirty.

Agent-based vs. agentless: coverage versus depth

NAC reads posture in one of two ways, and the choice is a real trade:

  • Agent-based NAC installs a client (persistent or dissolvable) on the endpoint. It gives deep, continuous posture data and is the right call for managed corporate devices.
  • Agentless NAC reads the device from the network (scanning, fingerprinting, DHCP/RADIUS attributes) with no software on it. It is the only option for unmanaged, BYOD, or IoT devices that cannot run an agent, at the cost of shallower, point-in-time inspection. The rule: match the method to what you control, agent for managed fleets, agentless for the unmanaged and embedded devices that nonetheless must be admitted under policy.

Time-of-check vs. time-of-use

A subtle limit: posture is assessed at connection time, so a device that is healthy when admitted can drift out of compliance afterward. Strong NAC deployments therefore re-assess continuously rather than only at the door, which is also where NAC overlaps with the continuous-verification spirit of zero trust (the architecture sibling owns the zero-trust model itself).

DeviceconnectsWho are you?802.1X authAre you healthy?posture checkProductionadmittedQuarantineVLAN, remediateDeniedport stays closedpassfail authhealthyunhealthy
NAC's two gates: 802.1X proves identity, posture proves health; fail auth is denied, fail health goes to a quarantine VLAN, not a hard block (NIST SP 800-41).

Endpoint security: harden, firewall, detect, respond

This section covers the device where the network connection terminates, and where most compromise actually lands, so it gets a defensive stack independent of the network controls. It assumes the defense-in-depth principle that layers must fail independently: the endpoint must defend itself even after NAC, segmentation, and media controls have all been bypassed. Lead with the model: endpoint security runs front-to-back, reduce the attack surface before exposure (harden), constrain traffic at the device (host firewall), and detect-and-respond to what gets through (EDR). The figure lays out that front-to-back stack in the order an attack would meet it.

Hardening reduces the attack surface up front

Hardening is the provisioning-time work of removing what an attacker could use: uninstall unnecessary software, disable unused ports and services, close default accounts, and apply a secure configuration baseline (a benchmark such as a CIS Benchmark or DISA STIG). This is the least-functionality principle (configure the system to provide only mission-essential capabilities) which NIST catalogs as CM-7 in NIST SP 800-53 Rev. 5[2]. Fewer enabled features means fewer flaws to exploit, so hardening pays off before any monitoring is installed.

A host-based firewall enforces rules at the device

Where network firewalls and segmentation police traffic between zones, a host-based (personal) firewall enforces traffic rules at the individual device, so a host stays protected even when it is moved to an untrusted network or when internal segmentation is bypassed by a threat already inside. It is a per-device layer, not a replacement for the network firewall.

EDR detects and responds where signatures fail

Traditional antivirus matches files against signatures of known malware and misses novel or fileless attacks. Endpoint Detection and Response (EDR) instead continuously records endpoint activity (process, file, network, and registry events) and uses behavioural analytics to detect, investigate, and respond to threats, giving responders the telemetry to isolate a compromised host and reconstruct what happened. NIST describes EDR as tools that record endpoint activity and apply analysis to detect and respond to threats (NIST SP 1800-24[4]). The progression that questions reward: signature antivirus → EDR (behavioural, single endpoint) → XDR / managed detection (correlated across endpoints, network, and cloud), each broadens visibility, and the right answer tracks how much correlation and response the scenario demands.

The endpoint as an independent layer

The through-line: each of these defends the host on its own, which is exactly why endpoint security is not redundant with NAC or segmentation. NAC controls whether a device joins; segmentation controls where its traffic goes; endpoint controls protect the device after both have been crossed. Defense in depth only counts layers that fail independently, and the self-defending endpoint is that last independent layer.

The endpoint defends itself, front to backHardendisable ports, services;least-functionality (CM-7)Host firewallper-device traffic rules,even off the networkEDRrecord, detect, respond;isolate the hostbefore exposureat the devicewhat gets through
Endpoint defenses in the order an attack meets them: harden the surface, firewall at the device, then EDR detects and responds to what gets through.

Exam-pattern recognition

This section names the question shapes this subtopic produces and the discriminator that picks the right answer. It assumes every mechanic above.

"Which cable for an EMI-heavy or sensitive run?" → fiber

When the stem mentions heavy electromagnetic interference, a need to prevent eavesdropping, a long distance, or a run through an uncontrolled area, the answer is fiber-optic, it emits no signal, is immune to EMI and crosstalk, goes farther, and is the hardest to tap. Distractors: UTP (radiates, taps easily, ~100 m), and STP/coax (better than UTP but still electrical and tappable). If the question is specifically about eavesdropping resistance, fiber wins because a tap physically disturbs the light and is detectable.

"UPS or generator?" → match the outage duration

Map the described outage to its layer. A momentary sag or a few-second fault is covered by the UPS and conditioning; a prolonged blackout needs a generator. The classic trap pairs "installed a bigger UPS" with a prolonged outage, more battery still cannot replace a generator, because a UPS is bridge power, not long-run power.

"Device authenticates but is out of date" → quarantine VLAN, not deny

When a device passes 802.1X authentication but fails the posture/health check, the right answer is to place it in a quarantine/remediation VLAN for patching, not to deny it outright and not to admit it to production. The trap answers are "block the device" (too blunt, it is a known, owned device) and "allow it, then patch later" (lets a dirty device onto production).

"IoT / BYOD device that can't run software" → agentless NAC

If the stem says the devices are unmanaged, embedded, IoT, or personal and cannot have an agent installed, the answer is agentless NAC; agent-based is correct only for managed corporate endpoints where deep, continuous posture is needed. The discriminator is what you control, not which method inspects more.

"Antivirus missed it / need to investigate and contain" → EDR

When the stem describes a novel, fileless, or behaviourally-detected attack, or asks for the tool that lets responders investigate and isolate the host, the answer is EDR, not signature antivirus. If the scenario spans endpoints, network, and cloud and asks for correlated detection, that is XDR. Signature AV is the wrong answer whenever the threat is unknown to signatures.

"Out-of-support appliance" → replace it (it is unpatchable)

A device past end-of-support no longer receives security patches and is an unpatchable vulnerability regardless of uptime; the security-driven action is to plan its replacement, not to add compensating monitoring indefinitely. Treating a high-uptime but unsupported device as "fine because it still works" is the trap.

Scope discriminators (so you pick the right subtopic's answer)

  • Encrypting the traffic over the cable (VPN, TLS, IPsec) → Secure Communication Channels, not media security.
  • Designing the segments, zones, or zero-trust topology → Secure Network Architecture.
  • Proofing a human user's identity (SSO, MFA) → Identity & Access Management; NAC here authenticates the device.
  • The data-center power plant, HVAC, and fire systems for the roomFacility Security Controls. Network Components answers keep this hardware available and trustworthy: redundant and supported, on tap-resistant media, behind a health-checking gate, terminating on a self-defending endpoint.

Transmission media: security and propagation properties

PropertyUTP copperSTP / coax (shielded)Fiber-optic
Signal carriedElectricalElectrical (shielded)Light (optical)
EMI / crosstalk susceptibilityHighReduced by shieldingImmune
Electromagnetic emanation (eavesdrop risk)Emits, readableReducedNone
Tap resistanceEasiest to tapHarderHardest. Tap degrades/breaks signal, detectable
Practical segment distance~100 m~100 m (coax longer)Kilometers (single-mode)
Relative bandwidthLowerLower–moderateHighest

Decision tree

Device connects: 802.1X authentication? Fails Deny: port stays closed Authenticated Posture assessment: healthy? Fails health Quarantine / remediation VLAN, then re-check Healthy Admit to production network Remediated, re-checked How is posture read? Managed device Agent-based posture Unmanaged / IoT Agentless posture Always: re-assess posture continuously — a device healthy at the door can drift out of compliance.

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Securing a network component means hardening the hardware layer, not the topology

Network Components owns the physical and near-physical pieces inside a network (power and support, transmission media, the NAC gate, and the endpoint) while segments, zones, and protocol layers belong to Secure Network Architecture. Treat each component as both a defense-in-depth layer and a potential single point of failure, so the goal for each is to make it resilient (keeps working through faults) and trustworthy (only authorized, healthy devices and signals pass). The exam tests these as engineering and operational decisions, not device configuration.

Redundancy runs from N+1 to 2N, and the level is a cost-versus-downtime call

Component redundancy is expressed from N+1 (one spare beyond what the load actually needs) up to 2N, a fully duplicated and independent path with no shared single point of failure. The level you pick is a cost-versus-availability decision driven by the cost of downtime, not a fixed standard, with intermediate options like N+2 or 2N+1. At the device level the same idea appears as high-availability clustering with failover (a partner takes over when the active unit dies) and load balancing (traffic spread so no one device is a bottleneck or sole failure point).

Trap Picking N+1 redundancy believing it removes the single point of failure, when only 2N gives a fully independent path with no shared component to fail.

A UPS bridges seconds to minutes; only a generator survives a prolonged outage

Redundant power is built in order: dual feeds and redundant supplies remove single-feed failure, power conditioning smooths noise and clamps spikes, a UPS (uninterruptible power supply) carries the load on battery through the seconds-to-minutes gap until the generator spins up, and the generator supplies sustained power for a prolonged outage from stored fuel. The UPS is bridge power, not long-run power, so its job is only to keep things alive until the generator takes over.

Trap Installing a larger UPS to ride out a prolonged blackout. More battery still cannot replace a generator, because a UPS only bridges the brief gap until sustained power arrives.

An out-of-support device is an unpatchable vulnerability. Plan its replacement

Once a vendor reaches end-of-life / end-of-support for a device, it stops receiving security patches and firmware, so it becomes an unfixable vulnerability no matter how high its uptime. The security-driven action is to plan the replacement before that date rather than wait for it to fail, which makes support contracts and lifecycle planning security controls, not just procurement hygiene. A maintained warranty matters because it guarantees an SLA-bound response window and a supply of spare parts.

Trap Keeping a high-uptime appliance in service past end-of-support because it still works. Uptime says nothing about whether it can still be patched against new vulnerabilities.

Copper carries electricity, so it radiates, suffers EMI and crosstalk, and attenuates

Twisted-pair copper carries an electrical signal, which has three security consequences: it radiates electromagnetic emanations a nearby attacker can read without touching the wire (the concern behind the U.S. TEMPEST emanation-security program), it is susceptible to electromagnetic interference (EMI) and to crosstalk where one pair's signal bleeds into an adjacent pair, and it attenuates so an unrepeated run is limited to roughly 100 meters. It can also be tapped by splicing the conductor.

Fiber carries light, so it emits nothing, ignores EMI, and is hardest to tap

Fiber-optic cable transmits pulses of light, inverting copper's weaknesses: it emits no electromagnetic signal (nothing to read at a distance), is immune to EMI and crosstalk, carries far greater bandwidth over far greater distance (kilometers for single-mode versus copper's ~100 m), and is the hardest medium to tap because intercepting the light means bending or breaking the fiber, which degrades the signal and is detectable. That makes fiber the strongest confidentiality and availability choice for backbone runs and links crossing space you do not physically control.

Trap Choosing shielded copper (STP) for an eavesdropping-sensitive run because shielding cuts emanation. It still carries an electrical signal and can be spliced, whereas a fiber tap degrades the light and is detectable.

STP and coax reduce EMI but stay electrical and tappable; only the shield differs from UTP

Unshielded twisted pair (UTP) has no electromagnetic shield, while shielded twisted pair (STP) and coaxial cable add a conductive shield that reduces EMI, crosstalk, and emanation at higher cost and stiffness. The shield is the only real difference: all of them still carry an electrical signal that can be tapped by splicing the conductor, so shielding hardens copper against interference and eavesdropping but never makes it tap-proof the way fiber is.

Trap Assuming shielded copper (STP or coax) is tap-proof because the shield blocks emanation, when the conductor still carries an electrical signal that can be spliced.

Cabling is a confidentiality control, so its physical plant is locked and logged

Because the medium itself carries data, its physical security is a control: cabling terminates in the central MDF (main distribution facility) and floor-level IDF (intermediate distribution facility) closets, and an open patch panel is an unmonitored tap onto the network, so those closets are locked, access-logged restricted areas. Runs through uncontrolled space go in locked conduits; NIST calls a hardened wireline/fiber cabling run with electromagnetic, acoustical, and physical safeguards a protected distribution system (PDS). Signal propagation quality (keeping runs within distance limits, away from EMI sources, and properly terminated) is both an availability and an integrity control.

1 question tests this
NAC admits a device only after it answers two questions: who are you and are you healthy

Network Access Control (NAC) is the gate that decides whether a device may join the network at all, and it enforces two independent checks at connection time: authentication (who/what is this device?) and posture assessment (is it healthy?). A device must satisfy both to reach production resources; passing one is not enough. NAC admits devices, which is distinct from Identity & Access Management proving a human user's identity.

Trap Admitting a device the moment it authenticates, when NAC also requires a passing posture check and authentication alone is not enough to reach production.

1 question tests this
802.1X holds the port closed until the supplicant authenticates through the RADIUS server

IEEE 802.1X port-based network access control authenticates a device before its switch port or wireless association opens. Three roles cooperate: the supplicant (software on the connecting device), the authenticator (the switch or access point controlling the port), and the authentication server (typically RADIUS, holding policy and credentials). Until the supplicant authenticates (carried over EAP (Extensible Authentication Protocol)) the authenticator keeps the port closed to everything except the authentication exchange, moving the trust decision to the network edge.

4 questions test this
A device that authenticates but fails its health check goes to a quarantine VLAN, not denied

Authentication proves identity but says nothing about hygiene, so posture assessment separately evaluates patch level, antivirus/EDR state, firewall status, and configuration against policy. A device that authenticates yet fails the health check is steered into a quarantine / remediation VLAN with access limited to what it needs to fix itself (patch and AV servers), then re-checked and admitted once compliant, neither locked out entirely nor let onto production dirty.

Trap Outright blocking a known corporate device that fails its health check. It is owned and authenticated, so the correct move is remediation in a quarantine VLAN, not denial.

4 questions test this
Use agent-based NAC for managed fleets and agentless NAC for devices that can't run an agent

NAC reads posture two ways. Agent-based NAC installs a client (persistent or dissolvable) on the endpoint, giving deep, continuous posture data, the right call for managed corporate devices. Agentless NAC reads the device from the network (scanning, fingerprinting, DHCP/RADIUS attributes) with no software on it, which is the only option for unmanaged, BYOD, or IoT devices that cannot run an agent, at the cost of shallower, point-in-time inspection. Match the method to what you control, not to which inspects more.

Trap Mandating an agent for IoT or BYOD devices to get deeper posture. Those devices often cannot run one, so agentless inspection is the only way to admit them under policy.

2 questions test this
Posture is checked at the door, so strong NAC re-assesses continuously

Posture is assessed at connection time, which means a device healthy when admitted can drift out of compliance afterward, a time-of-check versus time-of-use gap. Strong NAC deployments therefore re-assess continuously rather than only at admission, which is where NAC overlaps with the continuous-verification spirit of zero trust, though the zero-trust model itself belongs to Secure Network Architecture.

Trap Treating the admission-time posture check as sufficient, when a device can drift out of compliance after it is admitted and only continuous reassessment closes the time-of-check to time-of-use gap.

2 questions test this
Hardening reduces attack surface up front via the least-functionality principle

Hardening is the provisioning-time work of removing what an attacker could use: uninstall unnecessary software, disable unused ports and services, close default accounts, and apply a secure configuration baseline such as a CIS Benchmark or DISA STIG. This is the least-functionality principle (configure a system to provide only mission-essential capabilities) and it pays off before any monitoring is installed because fewer enabled features means fewer flaws to exploit.

Trap Reaching for monitoring or detective controls to lower risk when the scenario calls for reducing attack surface up front, since hardening removes the vulnerable feature rather than just watching it.

1 question tests this
A host-based firewall enforces rules at the device, even when network segmentation is bypassed

Where network firewalls and segmentation police traffic between zones, a host-based (personal) firewall enforces traffic rules at the individual device. That keeps a host protected when it is moved to an untrusted network or when internal segmentation is bypassed by a threat already inside. It is a per-device layer that complements the network firewall rather than replacing it.

Trap Treating a host-based firewall as redundant once network segmentation is in place, when it still protects the device on an untrusted network or after internal segmentation is bypassed.

EDR records and analyzes endpoint activity to catch what signature antivirus misses

Traditional antivirus matches files against signatures of known malware and misses novel or fileless attacks. Endpoint Detection and Response (EDR) instead continuously records endpoint activity (process, file, network, and registry events) and applies behavioural analytics to detect, investigate, and respond, giving responders the telemetry to isolate a compromised host and reconstruct what happened. The escalation questions reward: signature antivirus → EDR (behavioural, single endpoint) → XDR / managed detection (correlated across endpoints, network, and cloud).

Trap Reaching for signature antivirus when the scenario describes a novel, fileless, or behaviour-only threat. Signatures only catch known malware, so EDR is the tool that detects and contains the unknown.

The endpoint is the last independent layer, so it must defend itself after the network is crossed

Defense in depth only counts layers that fail independently. NAC controls whether a device joins, segmentation controls where its traffic goes, and endpoint controls protect the device after both have been crossed, which is exactly why endpoint security is not redundant with them. The endpoint terminates the connection and is where most compromise lands, so hardening, a host firewall, and EDR together make it a self-defending last hop rather than a soft target behind the perimeter.

Trap Treating endpoint controls as redundant with NAC and segmentation, when they fail independently and defend the device after both of those layers have already been crossed.

A stateful firewall lets return traffic in via its state table, not an inbound rule

Stateful inspection records each permitted outbound connection (source/destination IP, ports, connection state) in a state table. Reply packets are allowed because they match an existing session entry, and packets that falsely claim to belong to an established connection are dropped because no entry exists. State entries also let the firewall enforce HA failover via session-state replication and expire on idle timeout.

Trap If permitted return traffic is suddenly blocked, the state-table entry likely timed out (idle timeout). For UDP there is no handshake, so the firewall tracks only addresses/ports as a pseudo-session.

10 questions test this
A correct firewall ends in implicit deny. Anything not explicitly permitted is blocked

Best practice is deny-by-default: the firewall blocks all inbound and outbound traffic not expressly permitted by an allow rule, implementing least privilege. This implicit deny sits at the end of the ruleset, so only traffic matching a specific permit statement passes.

Trap Default-deny is the policy; rule ordering is separate. A too-broad permit placed before a specific deny can still let unwanted traffic through despite the final implicit deny.

8 questions test this
Firewall and ACL rules are terminating and evaluated top-down. Order specific before general

Rules are processed sequentially (or by priority, lowest number first) and the first match wins, stopping further evaluation. Place specific rules (e.g. deny a malicious IP) before broader permits, and put high-hit rules early for performance. Layered firewalls also process by rule type (NAT first, then network, then application) so an early network-rule match can prevent Layer 7 application rules from ever running.

Trap A general permit placed above a specific deny silently overrides it; and a network-rule match terminates processing before application-layer filtering applies.

7 questions test this
Signature detection catches known attacks; anomaly detection catches the unknown

Signature-based IDS/IPS matches traffic against a database of known attack patterns, so it has low false positives but cannot see zero-day or novel attacks with no signature. Anomaly-based detection flags deviations from a learned baseline, catching unknown attacks at the cost of more false positives. Combine both for the best coverage; counter known signature evasions with protocol normalization (decode encodings) and packet reassembly (defragment) before matching.

11 questions test this
Anomaly detection only works after a representative training baseline

Anomaly-based detection compares activity to a profile of normal behavior built during a training period. Excessive false positives usually mean the baseline was too short or unrepresentative. Extending the training period to capture more legitimate variation is the fix before disabling alerts.

Trap A dynamic/auto-adjusting profile is exploitable: an attacker can ramp malicious activity slowly so the baseline drifts and accepts it as normal (baseline poisoning).

4 questions test this
Stateful protocol analysis detects protocol misuse using vendor profiles

Stateful protocol analysis tracks the state of network, transport, and application protocols against vendor-developed profiles of how each protocol should behave, flagging deviations such as malformed requests or over-long arguments that span multiple events. It is the most resource-intensive detection method because of the per-session state tracking and deep inspection.

Trap It is not the same as a stateful firewall's connection table. Protocol analysis understands Layer 7 protocol semantics, not just connection state.

4 questions test this
WPA3-Personal uses SAE (dragonfly) to stop offline dictionary attacks and give forward secrecy

Simultaneous Authentication of Equals (SAE), the dragonfly handshake, replaces WPA2's PSK four-way handshake. Because authentication is interactive rather than derived from a captured handshake, attackers cannot run offline password guessing, and SAE provides forward secrecy so a later password compromise cannot decrypt previously captured traffic.

Trap SAE protects the password exchange and gives forward secrecy; protecting management frames against deauth is a separate WPA3 feature (PMF).

5 questions test this
WPA3 makes Protected Management Frames mandatory, blocking deauth/disassociation attacks

Protected Management Frames (PMF, IEEE 802.11w) are mandatory in WPA3 (optional in WPA2). PMF adds integrity protection to management frames so attackers cannot forge deauthentication or disassociation frames to knock clients off the network or force a WPA2 downgrade.

Trap PMF defends management frames; offline-dictionary and forward-secrecy protection come from SAE, not PMF.

4 questions test this
Harden SSH: disable v1, set PermitRootLogin no, use 3072-bit+ RSA keys

SSH v1 has known cryptographic weaknesses, so disable it and use only SSH v2 (modern OpenSSH supports protocol 2 only). Set PermitRootLogin no to force admins to log in as named users and escalate with sudo (accountability + least privilege), and use minimally 3072-bit RSA host keys (CISA/NSA guidance; FIPS requires at least 2048-bit) with SHA-2 signatures.

11 questions test this
Prefer SSH key authentication: PubkeyAuthentication yes, PasswordAuthentication no

Replace passwords with key-based auth by setting PubkeyAuthentication yes and PasswordAuthentication no, which eliminates brute-force password attacks since the private key never crosses the network. Store public keys in the user's ~/.ssh/authorized_keys (recommended 0600), and protect private keys with a passphrase so a stolen key is still useless without it.

Trap If the authorized_keys file, the ~/.ssh directory, or the home directory is group- or world-writable, sshd's StrictModes refuses key auth as a precaution against key injection.

7 questions test this
802.1X dynamic authorization places the same port into a VLAN by identity and posture

After 802.1X authentication, the RADIUS server returns Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID (the VLAN ID) so the switch dynamically assigns the port to a VLAN based on user identity and device compliance. The same physical port can land staff, students/guests, or non-compliant devices in different access levels; a failed or non-compliant device is steered to a guest/auth-fail/remediation VLAN rather than simply denied.

Trap Per-device certificates (not a shared network password) are what bind admission to enrolled, approved devices and stop credential sharing.

6 questions test this

References

  1. (ISC)² CISSP Certification Exam Outline
  2. NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations (CM-7, PE-11, SC-8) Whitepaper
  3. NIST glossary: Network Access Control (NAC) (SP 800-41 Rev. 1) Whitepaper
  4. NIST glossary: Endpoint Detection and Response (EDR) (SP 1800-24) Whitepaper