Secure Network Architecture
The layered model: where every control and threat lives
Hand most network-architecture questions a protocol, an attack, or a control, and the single move that earns the point is naming the layer it operates at: ARP spoofing is Layer 2, IP spoofing is Layer 3, SQL injection is Layer 7, and the right countermeasure always lives on the same layer as the threat. That move only works once protocols are stacked in your head in a fixed order, so start with the model that orders them.
The OSI (Open Systems Interconnection) reference model divides communication into seven layers, each serving the one above and using the one below. From the bottom: Physical (1) moves bits over a medium; Data Link (2) frames bits and addresses them on the local segment (MAC addresses, Ethernet, ARP, VLANs); Network (3) routes packets between segments using logical addresses (IP, ICMP, and IPsec); Transport (4) delivers segments end to end (TCP, UDP); Session (5) sets up and tears down dialogs; Presentation (6) handles encoding and translation; and Application (7) is where user-facing protocols live (HTTP, DNS, SMTP). The model is a teaching and analysis tool, not the wire format - the practical stack is TCP/IP.
OSI maps onto the four-layer TCP/IP model
The protocols you actually run follow the TCP/IP model, which collapses OSI's seven into four: Link (OSI 1-2), Internet (OSI 3), Transport (OSI 4), and Application (OSI 5-7). The exam speaks OSI's seven-layer vocabulary when it places a threat or asks for a control, so learn both and the mapping between them; the comparison table on this page is the canonical crib. The reason layering matters for security is encapsulation: each layer wraps the data from the layer above, so a control added at a lower layer protects everything carried above it, and an attacker who can see only an outer wrapper cannot necessarily reach what is inside.
The design rule the model encodes: defense in depth across independent layers
Because threats appear at every layer, a sound architecture places controls at several layers so that defeating one does not defeat the rest - this is defense in depth, which NIST defines as a strategy that establishes "variable barriers across multiple layers" of an organization (NIST glossary, defense in depth[1]). The CISSP reading adds a sharp qualifier the exam tests: the layers must be independent. Two controls that share one chokepoint or one credential store fail together and count as a single layer, not two. So "add another firewall behind the first" is weaker than it looks if both trust the same management plane; genuine depth puts controls that fail for different reasons in the attacker's path.
Secure protocols: pick the layer that matches the requirement
Encryption added at a lower layer protects more traffic with less per-application work, while encryption added higher up protects exactly one application's session - that one idea decides between the two secure protocols CISSP tests most, IPsec and TLS. Building on the layer model from above, everything below is a delta from that shared mental model and the rule for choosing between them.
IPsec protects at the Network layer, so it covers all IP traffic
IPsec operates at OSI Layer 3, so it secures IP packets between two endpoints or gateways regardless of which application generated them - that breadth is its defining property and the reason it underpins site-to-site VPNs. It has two protocols and two modes, and questions turn on telling them apart. The two protocols: AH (Authentication Header) provides integrity and data-origin authentication but no confidentiality, while ESP (Encapsulating Security Payload) provides confidentiality (encryption) plus optional integrity (RFC 4301[2]). A predictable misread is that AH "encrypts" - it does not; if a stem wants confidentiality, the answer is ESP. RFC 4301 in fact downgraded AH support to optional because "most security requirements can be met through the use of ESP by itself" (RFC 4301[2]).
The two modes describe how much of the packet is wrapped. Tunnel mode "creates an additional outer IP header for each protected packet" (NIST SP 800-77 Rev. 1, tunnel mode[3]), encapsulating and protecting the entire original packet - this is the gateway-to-gateway VPN case where the inner addresses are hidden. Transport mode "does not create an additional IP header" (NIST SP 800-77 Rev. 1, transport mode[4]); it protects only the payload and leaves the original IP header exposed, fitting host-to-host protection where the endpoints route the packets themselves. One sentence to keep: tunnel mode hides the original header behind a new one; transport mode keeps the original header.
TLS protects at the Transport boundary, so it covers one application session
TLS (Transport Layer Security) sits just above the Transport layer and secures a single application's session - HTTPS is TLS protecting HTTP. Its strength is per-application confidentiality and integrity with no change to the underlying network, which is why it is the right tool when one service needs protection and re-architecting the network is unwarranted. Because it is per-session, it does NOT transparently protect every protocol the way network-layer IPsec does; choosing TLS to "secure all traffic between two sites" is the classic layer-mismatch error - that requirement is IPsec's.
The choice, stated as a decision
When the requirement is all traffic between two locations protected transparently to applications, choose IPsec (tunnel mode) at the network layer. When the requirement is one application's session protected, choose TLS above the transport layer. The deciding question is always the same: how much of the stack must the protection cover?
Segmentation, micro-segmentation, and zero trust
Zero trust changes the default from trust-by-location to verify-every-session, and it is the limit case of pushing segmentation down to the individual workload - so read segmentation first. Building on the layer model and the same defense-in-depth idea from the first section, this is how you carve a network into defensible zones.
Segmentation contains a breach; logical and physical differ in what they share
Segmentation divides a network into zones and controls traffic at the boundaries, so an attacker who lands in one zone cannot freely reach the next - it is the architectural answer to limiting lateral movement. Physical segmentation uses separate hardware or an air gap and shares nothing, giving the strongest isolation at the highest cost. Logical segmentation separates zones on shared hardware - a VLAN splits one physical switch into independent broadcast domains - which is cheaper and far more common. The trade-off the exam tests: because logical separation shares the underlying device, a compromise of that device (or a misconfiguration enabling VLAN hopping) can defeat it, whereas physical separation has no shared component to subvert. So the higher a zone's value or the lower its trust, the stronger the segmentation it earns.
Micro-segmentation pushes the boundary to the individual workload
Micro-segmentation enforces policy at the granularity of a single host or workload rather than a whole subnet, so even traffic between two servers in the same zone must pass a policy check. This is the mechanism that makes zero trust enforceable inside a data center: there is no implicitly trusted "inside" if every workload-to-workload flow is mediated. It is more work to define and maintain than subnet-level rules, which is the cost side of the trade.
Zero trust: no trust based on network location
Zero trust assumes the network is already compromised and grants no access based on where a request comes from - being inside the perimeter earns nothing. NIST defines it as minimizing uncertainty in "least privilege per-request access decisions ... in the face of a network viewed as compromised" (NIST SP 800-207[5]). Every session is authenticated, authorized, and granted least privilege against a dynamic policy weighing identity, device posture, and context, and authenticating to one resource never automatically grants another. SP 800-207 structures enforcement as a Policy Decision Point (PDP) that judges each request and a Policy Enforcement Point (PEP) that allows or blocks it, with the standing goal of keeping any implicit-trust zone as small as possible.
Two named patterns implement this and are easy to confuse. Zero-trust network access (ZTNA) and its underlying software-defined perimeter (SDP) hide resources from the network and broker a connection only after the requester is verified, so an attacker cannot even see, let alone attack, a resource they have not authenticated to. SASE (Secure Access Service Edge) is the cloud-delivered model that converges SD-WAN networking with security functions (secure web gateway, CASB, firewall-as-a-service) to enforce zero-trust access at the edge near the user (NIST glossary, SASE[6]). The reconciling point the exam exploits: SASE and SDP are delivery architectures for zero trust, not synonyms for the principle - you can adopt the zero-trust principle without buying a SASE product.
SDN, SD-WAN, and the VPC carve software-defined networks
Software-defined networking (SDN) decouples the control plane (the logic deciding where traffic goes) from the data plane (the devices forwarding it), centralizing policy in a controller so the network is programmable from one place rather than configured box by box. This enables consistent automated segmentation but concentrates risk: compromising the SDN controller compromises the whole network's forwarding decisions, so the controller is a crown-jewel asset. SD-WAN applies the same control-plane abstraction across wide-area links to steer and secure branch traffic (and is the networking half of SASE). A virtual private cloud (VPC) is the cloud expression of a logically isolated, software-defined network you carve from a provider's shared infrastructure and segment with subnets and security groups.
Multilayer and converged protocols widen what a control must see through
Multilayer protocols - TCP/IP being the archetype - permit encapsulation, carrying one protocol inside another; this is what makes tunneling and VPNs possible but also lets an attacker smuggle disallowed traffic inside an allowed protocol, or evade a filter that inspects only the outer layer. Converged protocols carry traditionally separate traffic over the data network: VoIP puts voice on IP, while FCoE and iSCSI put storage traffic onto Ethernet/IP. The security consequence is uniform - voice and storage now inherit every threat of the data network, so they must be segmented from it rather than trusted as a separate medium. The architectural takeaway: each layer of encapsulation is a layer your controls must be able to inspect through, so convergence is a reason to add segmentation and inspection, never to assume the carried traffic is safe.
Exam-pattern recognition
This section maps question shapes to the right answer; read the others first, because this is the pattern layer that reuses their vocabulary.
Pattern 1 - threat-to-layer-to-control. The stem names an attack and asks for the countermeasure. Place both on the OSI layer where they operate: ARP spoofing and VLAN hopping are Layer 2 (answer: port security, proper VLAN segmentation); IP spoofing and routing attacks are Layer 3 (answer: anti-spoofing filters, IPsec, ACLs); a TLS downgrade is at the Presentation/Transport boundary (answer: strong TLS configuration); SQL injection is Layer 7 (answer: input validation / WAF). The trap is an answer that is a real control but at the wrong layer.
Pattern 2 - IPsec vs TLS scope. "Protect ALL traffic between two sites, transparently to applications" - the answer is IPsec in tunnel mode, because Layer 3 protection covers every IP packet. "Secure one web application's sessions" - the answer is TLS. The distractor offers the other one; the deciding question is how much of the stack the protection must cover, not which is newer or stronger.
Pattern 3 - IPsec internals. A stem wanting confidentiality points to ESP, not AH - AH gives integrity and origin authentication only (RFC 4301[2]). A stem about hiding the original IP addresses across a gateway-to-gateway link points to tunnel mode (it adds an outer header); host-to-host protection that keeps the original header is transport mode (NIST SP 800-77 Rev. 1[3]). The classic distractor pairs "AH" with "encryption."
Pattern 4 - zero trust framing. A scenario with no clear perimeter (cloud, remote users, assume-breach) is a zero-trust prompt: the right answer verifies every session and grants least privilege by identity and context, never by network location (NIST SP 800-207[5]). The trap is treating SASE or SDP as a product that replaces segmentation and identity work, or assuming "inside the firewall" still confers trust. Zero trust complements segmentation; it does not retire it.
Pattern 5 - segmentation choice. "Limit lateral movement" or "contain a compromised host" points to segmentation; subnet/zone separation is VLANs, per-workload control is micro-segmentation/ZTNA. Beware the distractor that offers a logical VLAN where the stem demands true isolation of a high-value system - that is the case for physical segmentation, because a VLAN shares hardware an attacker could subvert.
OSI layers mapped to TCP/IP, with example protocols and threats
| OSI layer | TCP/IP layer | Example protocols | Representative threat | Layer-appropriate control |
|---|---|---|---|---|
| 7 Application | Application | HTTP, DNS, SMTP | Injection, DNS poisoning | Input validation, DNSSEC, app firewall (WAF) |
| 6 Presentation | Application | TLS handshake, encoding | Weak cipher / downgrade | Strong TLS configuration |
| 5 Session | Application | RPC, session setup | Session hijacking | Session tokens, re-authentication |
| 4 Transport | Transport | TCP, UDP, TLS record | SYN flood, port scan | TLS, stateful firewall |
| 3 Network | Internet | IP, ICMP, IPsec | IP spoofing, routing attack | IPsec, ACLs, anti-spoofing filters |
| 2 Data Link | Link | Ethernet, ARP, VLAN | ARP spoofing, VLAN hopping | Port security, VLAN segmentation |
| 1 Physical | Link | Cabling, signaling | Tapping, jamming | Physical access control, shielding |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Map any protocol, threat, or control to its OSI layer first
The OSI model's seven layers - Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7) - exist so you can place any protocol, attack, or control at the layer it operates on. CISSP questions pair a threat to its layer and ask for the countermeasure that belongs there, so naming the layer is the move that selects the answer. Lower-numbered layers are closer to the physical medium; higher-numbered are closer to the application.
- The four-layer TCP/IP model is what the wire actually uses
TCP/IP collapses OSI's seven layers into four: Link (OSI 1-2), Internet (OSI 3), Transport (OSI 4), and Application (OSI 5-7). The protocols you run follow TCP/IP, but the exam phrases threats and controls in OSI's seven-layer vocabulary, so you must hold both models and the mapping between them. The Internet layer is where IP and IPsec live; the Application layer absorbs OSI's session, presentation, and application functions.
Trap Mapping the TCP/IP Application layer to OSI Layer 7 alone - it actually absorbs OSI's Session, Presentation, and Application layers (5-7).
- A control at a lower layer protects everything carried above it
Encapsulation means each layer wraps the data of the layer above, so security added at a lower layer covers all the protocols riding on top of it without per-application changes. That is exactly why network-layer IPsec protects every application's packets while transport-layer TLS protects only one application's session. The corollary for attackers: a filter that inspects only an outer wrapper cannot see traffic hidden in an inner layer.
Trap Assuming a higher-layer control protects the layers beneath it - protection flows upward from a lower layer, so a higher-layer control covers only its own session, not the traffic carrying it.
- Defense-in-depth layers only count if they fail independently
Defense in depth places controls across multiple layers so defeating one does not defeat the rest, but the CISSP qualifier is that the layers must be independent. Two controls that share one chokepoint or one credential store fail together and count as a single layer, not two, so adding a second firewall that trusts the same management plane buys little real depth. Genuine depth puts controls that fail for different reasons in the attacker's path.
Trap Counting two controls behind one shared credential store or management plane as two layers - one compromise drops both, so they are really one layer.
- IPsec secures at Layer 3, so it covers all IP traffic between endpoints
IPsec operates at the Network layer, so it protects every IP packet between two endpoints or gateways regardless of the application that produced it - that breadth is why it underpins site-to-site VPNs. When a requirement is to protect all traffic between two locations transparently to applications, IPsec is the layer-correct answer. Per-application encryption cannot deliver that transparent, all-traffic coverage.
Trap Reaching for per-application TLS to cover all traffic between two sites - only network-layer IPsec protects every IP packet transparently regardless of the application.
- Use ESP when you need confidentiality; AH gives integrity only
IPsec has two protocols: AH (Authentication Header) provides integrity and data-origin authentication but no encryption, while ESP (Encapsulating Security Payload) provides confidentiality plus optional integrity. So a requirement for confidentiality forces ESP, never AH. RFC 4301 even downgraded AH to optional because ESP alone meets most needs.
Trap Choosing AH to encrypt traffic - AH never provides confidentiality, only integrity and authentication; ESP is the encrypting protocol.
- IPsec tunnel mode hides the original IP header; transport mode keeps it
Tunnel mode adds a new outer IP header and encapsulates the entire original packet, hiding the inner addresses - this is the gateway-to-gateway VPN case. Transport mode adds no new IP header and protects only the payload, leaving the original IP header exposed, which fits host-to-host protection where the endpoints route the packets themselves. The deciding question is whether the original addressing must be concealed across an intermediate link.
Trap Assuming transport mode hides the original IP header - it does not add an outer header, so the original source and destination remain visible; tunnel mode is what conceals them.
- TLS protects one application's session above the Transport layer
TLS sits just above the Transport layer and secures a single application session - HTTPS is TLS protecting HTTP - giving per-application confidentiality and integrity with no change to the underlying network. It is the right tool when one service needs protection and re-architecting the network is unwarranted. Because it is per-session, it does not transparently protect every protocol the way network-layer IPsec does.
Trap Picking TLS to secure all traffic between two sites - TLS only protects per-application sessions, so blanket site-to-site protection is IPsec's job at the network layer.
- Segmentation contains a breach by limiting lateral movement
Segmentation divides a network into zones and controls traffic at the boundaries, so an attacker who compromises one zone cannot freely reach the next. It is the architectural answer to limiting lateral movement after an initial foothold. The design heuristic is that the higher a zone's value or the lower its trust, the finer the segmentation it warrants.
Trap Expecting segmentation to prevent the initial breach - it contains and limits lateral movement after a foothold, it does not stop the first compromise.
- Logical segmentation shares hardware; physical segmentation shares nothing
Physical segmentation uses separate hardware or an air gap and shares no common component, giving the strongest isolation at the highest cost. Logical segmentation - a VLAN splitting one switch into separate broadcast domains - is cheaper and far more common but rides shared hardware, so a compromise or misconfiguration of that device (for example VLAN hopping) can defeat it. When a stem demands true isolation of a high-value system, physical separation is the stronger answer because there is no shared component to subvert.
Trap Treating a VLAN as equivalent to physical isolation for a high-value system - the VLAN shares switch hardware an attacker could subvert via VLAN hopping or a device compromise.
- Micro-segmentation pushes the boundary down to a single workload
Micro-segmentation enforces policy at the granularity of an individual host or workload rather than a whole subnet, so even server-to-server traffic inside one zone must pass a policy check. This is the mechanism that makes zero trust enforceable inside a data center, because there is no implicitly trusted inside if every workload-to-workload flow is mediated. The cost is the larger number of policies to define and maintain compared with subnet-level rules.
Trap Equating micro-segmentation with ordinary subnet or VLAN segmentation - micro-segmentation mediates every workload-to-workload flow, not just traffic crossing a zone boundary.
4 questions test this
- A security team is designing network access policies for their zero trust implementation using microsegmentation. Which traffic flow does…
- A company is implementing a zero trust network architecture and must decide between traditional network segmentation and microsegmentation.…
- A security architect is implementing microsegmentation to support zero trust principles. Which traffic flow pattern does microsegmentation…
- A security architect is evaluating microsegmentation as part of the organization's zero trust strategy. Which security objective is…
- Zero trust grants no access based on network location
Zero trust assumes the network is already compromised and grants nothing based on where a request originates, so being inside the perimeter earns no access. NIST SP 800-207 frames it as least-privilege, per-request access decisions made in the face of a network viewed as compromised; every session is authenticated, authorized, and granted least privilege against a dynamic policy weighing identity, device posture, and context. Authenticating to one resource never automatically grants access to another.
Trap Assuming a request from inside the firewall is trustworthy - zero trust explicitly removes location-based trust and verifies every session regardless of origin.
- Zero trust enforces with a Policy Decision Point and a Policy Enforcement Point
NIST SP 800-207 structures zero-trust enforcement as a Policy Decision Point (PDP) that evaluates each access request against policy and a Policy Enforcement Point (PEP) that actually allows or blocks the connection. Separating the decision from the enforcement lets one policy engine govern many enforcement points consistently. The standing design goal is to keep any implicit-trust zone as small as possible.
Trap Swapping the roles of the PDP and PEP - the Policy Decision Point evaluates the request against policy, while the Policy Enforcement Point is what actually permits or blocks the connection.
- SDP and ZTNA hide a resource until the requester is verified
A software-defined perimeter (SDP), the mechanism behind zero-trust network access (ZTNA), hides resources from the network and brokers a connection only after the requester is authenticated, so an attacker cannot even see a resource they have not authenticated to, let alone attack it. This shrinks the attack surface to nearly nothing for unauthenticated parties. It contrasts with a traditional VPN that places a verified user broadly onto a network segment.
Trap Treating a traditional VPN as equivalent to ZTNA - the VPN drops a verified user broadly onto a network segment, whereas SDP keeps each resource hidden and brokers access per request.
- SASE is a delivery architecture for zero trust, not the principle itself
SASE (Secure Access Service Edge) is a cloud-delivered model that converges SD-WAN networking with security functions such as secure web gateway, CASB, and firewall-as-a-service to enforce zero-trust access at the edge near the user. It is a way to deliver zero-trust controls, so adopting the zero-trust principle does not require buying a SASE product, and buying SASE is not the same as having implemented zero trust. Treat SASE as the convergence of networking and security at the edge, not as a synonym for zero trust.
Trap Equating buying a SASE product with having achieved zero trust - SASE is a delivery architecture; the zero-trust principle still has to be designed and enforced.
- SDN splits the control plane from the data plane, centralizing risk
Software-defined networking decouples the control plane (the logic deciding where traffic goes) from the data plane (the devices that forward it), centralizing policy in a controller so the network is programmable from one place. This enables consistent, automated segmentation but concentrates risk: compromising the SDN controller compromises the whole network's forwarding decisions, making the controller a crown-jewel asset to protect. SD-WAN applies the same control-plane abstraction across wide-area links and is the networking half of SASE.
- A VPC is a logically isolated software-defined network in the cloud
A virtual private cloud (VPC) is the cloud expression of a logically isolated network carved from a provider's shared infrastructure, which you then segment with subnets and security groups. It is software-defined and logical, so the same logical-vs-physical caution applies: isolation is enforced by the provider's software, not by separate hardware you own. You design VPC segmentation the way you would design VLAN and zone boundaries on premises.
Trap Treating VPC isolation as physical, dedicated-hardware separation - it is logical isolation enforced by the provider's software over shared infrastructure, carrying the same caveats as a VLAN.
- Multilayer protocols enable tunneling but also let traffic be smuggled
Multilayer protocols such as TCP/IP permit encapsulation, carrying one protocol inside another, which is what makes tunneling and VPNs possible. The same property lets an attacker smuggle disallowed traffic inside an allowed protocol or evade a filter that inspects only the outer layer. Each layer of encapsulation is therefore a layer your controls must be able to inspect through, not assume is benign.
Trap Trusting a filter that inspects only the outer protocol - encapsulation lets disallowed traffic ride inside an allowed protocol, so controls must inspect through each layer.
- Converged protocols inherit the data network's threats and must be segmented
Converged protocols carry traditionally separate traffic over the data network: VoIP puts voice on IP, while FCoE and iSCSI put storage traffic onto Ethernet/IP. Once voice or storage rides the data network it inherits every threat of that network, so it must be segmented from general data traffic rather than trusted as a separate medium. Convergence is a reason to add segmentation and inspection, not a reason to assume the carried traffic is safe.
Trap Treating VoIP or iSCSI storage traffic as a trusted, separate medium once it shares the IP network - it now carries the same exposure as any other data traffic and needs segmenting.
- Private VLAN isolated ports reach only the promiscuous port, never each other
A private VLAN gives Layer 2 isolation inside one IP subnet. Isolated ports can talk only to promiscuous ports (where the gateway, DHCP, or shared services sit) and never to other isolated or community ports, ideal for multi-tenant or web-server hosting where peers must not see each other but all need the gateway.
Trap VLAN-to-VLAN separation alone does not stop same-subnet peer traffic; that is what isolated private-VLAN ports add.
8 questions test this
- A data center architect needs to isolate web servers so that each server can only communicate with the default gateway and not with other…
- A cloud service provider hosts multiple tenants on shared infrastructure and needs to isolate web servers so they cannot communicate with…
- A managed service provider hosts servers for multiple customers on the same physical network infrastructure. The provider needs to ensure…
- An organization deploying a multi-tenant hosting environment wants to prevent hosts within the same IP subnet from communicating directly…
- An organization needs to isolate customer traffic on a shared network infrastructure where customers should not communicate directly with…
- A data center administrator needs to provide Layer 2 isolation between web servers belonging to different customers while still allowing…
- A data center administrator needs to ensure that web servers on the same subnet cannot communicate directly with each other but can all…
- A hosting provider needs to isolate multiple customer web servers that share the same IP subnet while allowing all servers to communicate…
- VLANs are Layer 2 only; restrict inter-VLAN traffic with a routed firewall, ACLs, or VACLs
VLANs segment broadcast domains at Layer 2 but do nothing to filter traffic routed between them. Unauthorized cross-VLAN reachability means a Layer 3 device is routing without controls; the fix is to route inter-VLAN traffic through a firewall or apply ACLs / VLAN ACLs (VACLs) that default-deny and log, so traffic between segments is explicitly authorized.
Trap Traffic crossing VLANs without passing a router points to a Layer 2 leak (e.g. trunk misconfiguration), but the standard control to enforce policy is still a VACL or routed ACL.
4 questions test this
- A healthcare organization uses VLANs to segment its network into administrative, clinical, and medical device zones. After a security…
- An organization operates a network with multiple security zones including an external-facing DMZ, internal corporate network, and a…
- A network administrator discovers that traffic from one VLAN can unexpectedly reach devices in another VLAN without passing through a…
- A network security team is implementing segmentation controls and wants to ensure that traffic cannot flow between VLANs without explicit…
- Pick uRPF mode by routing symmetry: strict for symmetric, loose/feasible for asymmetric
Unicast Reverse Path Forwarding drops spoofed packets by checking the source address against the FIB. Strict mode requires the source route to point back out the arrival interface (best anti-spoofing, symmetric routing only). Loose mode accepts the packet if any route to the source exists, and feasible-path mode accepts it via any valid alternate path, both tolerate the asymmetric routing of multihomed networks.
Trap Strict uRPF will drop legitimate traffic on asymmetric/multihomed links; that is when loose or feasible-path mode is required.
7 questions test this
- A security engineer is configuring ACLs on border routers and must decide on the appropriate uRPF mode for a network with asymmetric…
- A network engineer is implementing source address validation on border routers for a multihomed enterprise network. The engineer is…
- A network administrator wants to implement anti-spoofing controls on a border router to prevent attackers from using forged source…
- A network administrator wants to implement anti-spoofing controls on border routers to prevent DDoS attacks that use forged source IP…
- A network security architect is implementing anti-spoofing controls on edge routers connecting to the Internet. The organization has…
- A security administrator needs to implement anti-spoofing controls on routers but is concerned about asymmetric routing in the multihomed…
- An organization is configuring unicast Reverse Path Forwarding (uRPF) on its border router to prevent IP address spoofing. In strict mode,…
- SDP has three components: Controller, Initiating Hosts, and Accepting Hosts
Per the CSA Software-Defined Perimeter spec, the Controller makes the policy/authentication decisions, Initiating Hosts (clients) request access, and Accepting Hosts (protected resources/gateways) reject all connections until the Controller authorizes them. This delivers zero-trust 'authenticate first, connect second' access.
Trap Resources stay invisible to scanning via Single Packet Authorization (SPA). The Accepting Host stays dark until it receives a valid SPA packet.
4 questions test this
- A security architect is implementing a Software-Defined Perimeter (SDP) architecture to support zero trust principles. The architect needs…
- An organization is implementing Software-Defined Perimeter (SDP) to achieve zero trust network access. Which component is responsible for…
- An enterprise is deploying a Software-Defined Perimeter solution. The security team needs to understand the core architectural components.…
- An organization is implementing a Software-Defined Perimeter (SDP) solution to achieve zero trust network access. Which three components…
- A DMZ sits between two firewalls; DMZ hosts may reach out but never initiate into the internal network
Place public-facing servers (web, mail) in a DMZ between an external and an internal firewall. Permitted flows are external-to-DMZ and internal-to-DMZ; DMZ hosts may only initiate connections outward to the external network, never inward to the internal network, so a compromised DMZ host cannot pivot to internal systems.
5 questions test this
- An organization is designing a screened subnet architecture using two firewalls. The security team is determining the appropriate rules for…
- An organization is designing its network architecture and wants to deploy public-facing web servers that external users can access while…
- A company needs to provide access to its web application from the internet while protecting backend systems. The security team is designing…
- An organization operates a web application that requires public internet access. The security architect is designing the network…
- A security engineer is designing a DMZ architecture for an organization that hosts critical web applications. The design must provide…
Also tested in
References
- NIST glossary: Defense in depth Whitepaper
- RFC 4301: Security Architecture for the Internet Protocol (IPsec; AH vs ESP) Whitepaper
- NIST glossary: IPsec tunnel mode (NIST SP 800-77 Rev. 1) Whitepaper
- NIST glossary: IPsec transport mode (NIST SP 800-77 Rev. 1) Whitepaper
- NIST SP 800-207: Zero Trust Architecture Whitepaper
- NIST glossary: Secure Access Service Edge (SASE) Whitepaper