Domain 4 of 8 · Chapter 1 of 3

Secure Network Architecture

The layered model: where every control and threat lives

Hand most network-architecture questions a protocol, an attack, or a control, and the single move that earns the point is naming the layer it operates at: ARP spoofing is Layer 2, IP spoofing is Layer 3, SQL injection is Layer 7, and the right countermeasure always lives on the same layer as the threat. That move only works once protocols are stacked in your head in a fixed order, so start with the model that orders them.

The OSI (Open Systems Interconnection) reference model divides communication into seven layers, each serving the one above and using the one below. From the bottom: Physical (1) moves bits over a medium; Data Link (2) frames bits and addresses them on the local segment (MAC addresses, Ethernet, ARP, VLANs); Network (3) routes packets between segments using logical addresses (IP, ICMP, and IPsec); Transport (4) delivers segments end to end (TCP, UDP); Session (5) sets up and tears down dialogs; Presentation (6) handles encoding and translation; and Application (7) is where user-facing protocols live (HTTP, DNS, SMTP). The model is a teaching and analysis tool, not the wire format - the practical stack is TCP/IP.

OSI maps onto the four-layer TCP/IP model

The protocols you actually run follow the TCP/IP model, which collapses OSI's seven into four: Link (OSI 1-2), Internet (OSI 3), Transport (OSI 4), and Application (OSI 5-7). The exam speaks OSI's seven-layer vocabulary when it places a threat or asks for a control, so learn both and the mapping between them; the comparison table on this page is the canonical crib. The reason layering matters for security is encapsulation: each layer wraps the data from the layer above, so a control added at a lower layer protects everything carried above it, and an attacker who can see only an outer wrapper cannot necessarily reach what is inside.

The design rule the model encodes: defense in depth across independent layers

Because threats appear at every layer, a sound architecture places controls at several layers so that defeating one does not defeat the rest - this is defense in depth, which NIST defines as a strategy that establishes "variable barriers across multiple layers" of an organization (NIST glossary, defense in depth[1]). The CISSP reading adds a sharp qualifier the exam tests: the layers must be independent. Two controls that share one chokepoint or one credential store fail together and count as a single layer, not two. So "add another firewall behind the first" is weaker than it looks if both trust the same management plane; genuine depth puts controls that fail for different reasons in the attacker's path.

OSI model (7 layers)TCP/IP model (4 layers)7 Application (HTTP, DNS)6 Presentation5 Session4 Transport (TCP, UDP)3 Network (IP, IPsec)2 Data Link (Ethernet, ARP)1 PhysicalApplicationTransportInternetLink
OSI's seven layers collapse into the four-layer TCP/IP model the wire actually uses.

Secure protocols: pick the layer that matches the requirement

Encryption added at a lower layer protects more traffic with less per-application work, while encryption added higher up protects exactly one application's session - that one idea decides between the two secure protocols CISSP tests most, IPsec and TLS. Building on the layer model from above, everything below is a delta from that shared mental model and the rule for choosing between them.

IPsec protects at the Network layer, so it covers all IP traffic

IPsec operates at OSI Layer 3, so it secures IP packets between two endpoints or gateways regardless of which application generated them - that breadth is its defining property and the reason it underpins site-to-site VPNs. It has two protocols and two modes, and questions turn on telling them apart. The two protocols: AH (Authentication Header) provides integrity and data-origin authentication but no confidentiality, while ESP (Encapsulating Security Payload) provides confidentiality (encryption) plus optional integrity (RFC 4301[2]). A predictable misread is that AH "encrypts" - it does not; if a stem wants confidentiality, the answer is ESP. RFC 4301 in fact downgraded AH support to optional because "most security requirements can be met through the use of ESP by itself" (RFC 4301[2]).

The two modes describe how much of the packet is wrapped. Tunnel mode "creates an additional outer IP header for each protected packet" (NIST SP 800-77 Rev. 1, tunnel mode[3]), encapsulating and protecting the entire original packet - this is the gateway-to-gateway VPN case where the inner addresses are hidden. Transport mode "does not create an additional IP header" (NIST SP 800-77 Rev. 1, transport mode[4]); it protects only the payload and leaves the original IP header exposed, fitting host-to-host protection where the endpoints route the packets themselves. One sentence to keep: tunnel mode hides the original header behind a new one; transport mode keeps the original header.

TLS protects at the Transport boundary, so it covers one application session

TLS (Transport Layer Security) sits just above the Transport layer and secures a single application's session - HTTPS is TLS protecting HTTP. Its strength is per-application confidentiality and integrity with no change to the underlying network, which is why it is the right tool when one service needs protection and re-architecting the network is unwarranted. Because it is per-session, it does NOT transparently protect every protocol the way network-layer IPsec does; choosing TLS to "secure all traffic between two sites" is the classic layer-mismatch error - that requirement is IPsec's.

The choice, stated as a decision

When the requirement is all traffic between two locations protected transparently to applications, choose IPsec (tunnel mode) at the network layer. When the requirement is one application's session protected, choose TLS above the transport layer. The deciding question is always the same: how much of the stack must the protection cover?

How much of thestack to protect?All traffic, transparentto applicationsOne applicationsessionIPsec, tunnel modeNetwork layer (Layer 3)covers all IP packetsTLSabove the Transport layerone session only
The deciding question is scope: all traffic between two sites transparently to apps chooses IPsec tunnel mode (Layer 3); one app session chooses TLS.

Segmentation, micro-segmentation, and zero trust

Zero trust changes the default from trust-by-location to verify-every-session, and it is the limit case of pushing segmentation down to the individual workload - so read segmentation first. Building on the layer model and the same defense-in-depth idea from the first section, this is how you carve a network into defensible zones.

Segmentation contains a breach; logical and physical differ in what they share

Segmentation divides a network into zones and controls traffic at the boundaries, so an attacker who lands in one zone cannot freely reach the next - it is the architectural answer to limiting lateral movement. Physical segmentation uses separate hardware or an air gap and shares nothing, giving the strongest isolation at the highest cost. Logical segmentation separates zones on shared hardware - a VLAN splits one physical switch into independent broadcast domains - which is cheaper and far more common. The trade-off the exam tests: because logical separation shares the underlying device, a compromise of that device (or a misconfiguration enabling VLAN hopping) can defeat it, whereas physical separation has no shared component to subvert. So the higher a zone's value or the lower its trust, the stronger the segmentation it earns.

Micro-segmentation pushes the boundary to the individual workload

Micro-segmentation enforces policy at the granularity of a single host or workload rather than a whole subnet, so even traffic between two servers in the same zone must pass a policy check. This is the mechanism that makes zero trust enforceable inside a data center: there is no implicitly trusted "inside" if every workload-to-workload flow is mediated. It is more work to define and maintain than subnet-level rules, which is the cost side of the trade.

Zero trust: no trust based on network location

Zero trust assumes the network is already compromised and grants no access based on where a request comes from - being inside the perimeter earns nothing. NIST defines it as minimizing uncertainty in "least privilege per-request access decisions ... in the face of a network viewed as compromised" (NIST SP 800-207[5]). Every session is authenticated, authorized, and granted least privilege against a dynamic policy weighing identity, device posture, and context, and authenticating to one resource never automatically grants another. SP 800-207 structures enforcement as a Policy Decision Point (PDP) that judges each request and a Policy Enforcement Point (PEP) that allows or blocks it, with the standing goal of keeping any implicit-trust zone as small as possible.

Two named patterns implement this and are easy to confuse. Zero-trust network access (ZTNA) and its underlying software-defined perimeter (SDP) hide resources from the network and broker a connection only after the requester is verified, so an attacker cannot even see, let alone attack, a resource they have not authenticated to. SASE (Secure Access Service Edge) is the cloud-delivered model that converges SD-WAN networking with security functions (secure web gateway, CASB, firewall-as-a-service) to enforce zero-trust access at the edge near the user (NIST glossary, SASE[6]). The reconciling point the exam exploits: SASE and SDP are delivery architectures for zero trust, not synonyms for the principle - you can adopt the zero-trust principle without buying a SASE product.

SDN, SD-WAN, and the VPC carve software-defined networks

Software-defined networking (SDN) decouples the control plane (the logic deciding where traffic goes) from the data plane (the devices forwarding it), centralizing policy in a controller so the network is programmable from one place rather than configured box by box. This enables consistent automated segmentation but concentrates risk: compromising the SDN controller compromises the whole network's forwarding decisions, so the controller is a crown-jewel asset. SD-WAN applies the same control-plane abstraction across wide-area links to steer and secure branch traffic (and is the networking half of SASE). A virtual private cloud (VPC) is the cloud expression of a logically isolated, software-defined network you carve from a provider's shared infrastructure and segment with subnets and security groups.

Multilayer and converged protocols widen what a control must see through

Multilayer protocols - TCP/IP being the archetype - permit encapsulation, carrying one protocol inside another; this is what makes tunneling and VPNs possible but also lets an attacker smuggle disallowed traffic inside an allowed protocol, or evade a filter that inspects only the outer layer. Converged protocols carry traditionally separate traffic over the data network: VoIP puts voice on IP, while FCoE and iSCSI put storage traffic onto Ethernet/IP. The security consequence is uniform - voice and storage now inherit every threat of the data network, so they must be segmented from it rather than trusted as a separate medium. The architectural takeaway: each layer of encapsulation is a layer your controls must be able to inspect through, so convergence is a reason to add segmentation and inspection, never to assume the carried traffic is safe.

Network zone — segmentation (VLAN)SubnetWorkloadWorkloadmicro-segmentationchecks every flowZero trust: no implicitly trusted inside — every session verified
Granularity tightens inward: a zone (segmentation, VLAN) holds a subnet of workloads; micro-segmentation checks every flow, enacting zero trust.

Exam-pattern recognition

This section maps question shapes to the right answer; read the others first, because this is the pattern layer that reuses their vocabulary.

Pattern 1 - threat-to-layer-to-control. The stem names an attack and asks for the countermeasure. Place both on the OSI layer where they operate: ARP spoofing and VLAN hopping are Layer 2 (answer: port security, proper VLAN segmentation); IP spoofing and routing attacks are Layer 3 (answer: anti-spoofing filters, IPsec, ACLs); a TLS downgrade is at the Presentation/Transport boundary (answer: strong TLS configuration); SQL injection is Layer 7 (answer: input validation / WAF). The trap is an answer that is a real control but at the wrong layer.

Pattern 2 - IPsec vs TLS scope. "Protect ALL traffic between two sites, transparently to applications" - the answer is IPsec in tunnel mode, because Layer 3 protection covers every IP packet. "Secure one web application's sessions" - the answer is TLS. The distractor offers the other one; the deciding question is how much of the stack the protection must cover, not which is newer or stronger.

Pattern 3 - IPsec internals. A stem wanting confidentiality points to ESP, not AH - AH gives integrity and origin authentication only (RFC 4301[2]). A stem about hiding the original IP addresses across a gateway-to-gateway link points to tunnel mode (it adds an outer header); host-to-host protection that keeps the original header is transport mode (NIST SP 800-77 Rev. 1[3]). The classic distractor pairs "AH" with "encryption."

Pattern 4 - zero trust framing. A scenario with no clear perimeter (cloud, remote users, assume-breach) is a zero-trust prompt: the right answer verifies every session and grants least privilege by identity and context, never by network location (NIST SP 800-207[5]). The trap is treating SASE or SDP as a product that replaces segmentation and identity work, or assuming "inside the firewall" still confers trust. Zero trust complements segmentation; it does not retire it.

Pattern 5 - segmentation choice. "Limit lateral movement" or "contain a compromised host" points to segmentation; subnet/zone separation is VLANs, per-workload control is micro-segmentation/ZTNA. Beware the distractor that offers a logical VLAN where the stem demands true isolation of a high-value system - that is the case for physical segmentation, because a VLAN shares hardware an attacker could subvert.

OSI layers mapped to TCP/IP, with example protocols and threats

OSI layerTCP/IP layerExample protocolsRepresentative threatLayer-appropriate control
7 ApplicationApplicationHTTP, DNS, SMTPInjection, DNS poisoningInput validation, DNSSEC, app firewall (WAF)
6 PresentationApplicationTLS handshake, encodingWeak cipher / downgradeStrong TLS configuration
5 SessionApplicationRPC, session setupSession hijackingSession tokens, re-authentication
4 TransportTransportTCP, UDP, TLS recordSYN flood, port scanTLS, stateful firewall
3 NetworkInternetIP, ICMP, IPsecIP spoofing, routing attackIPsec, ACLs, anti-spoofing filters
2 Data LinkLinkEthernet, ARP, VLANARP spoofing, VLAN hoppingPort security, VLAN segmentation
1 PhysicalLinkCabling, signalingTapping, jammingPhysical access control, shielding

Decision tree

Protect ALL traffic betweentwo sites, transparently?No - one app sessionYes - whole networkTLS (above Transport)IPsec (Network layer)then pick mode + protocolHide the original IP headeracross a gateway link?YesNo - keep headerTunnel modeTransport modeNeed confidentiality(encryption), not just integrity?NoYesAHESP

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Map any protocol, threat, or control to its OSI layer first

The OSI model's seven layers - Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7) - exist so you can place any protocol, attack, or control at the layer it operates on. CISSP questions pair a threat to its layer and ask for the countermeasure that belongs there, so naming the layer is the move that selects the answer. Lower-numbered layers are closer to the physical medium; higher-numbered are closer to the application.

The four-layer TCP/IP model is what the wire actually uses

TCP/IP collapses OSI's seven layers into four: Link (OSI 1-2), Internet (OSI 3), Transport (OSI 4), and Application (OSI 5-7). The protocols you run follow TCP/IP, but the exam phrases threats and controls in OSI's seven-layer vocabulary, so you must hold both models and the mapping between them. The Internet layer is where IP and IPsec live; the Application layer absorbs OSI's session, presentation, and application functions.

Trap Mapping the TCP/IP Application layer to OSI Layer 7 alone - it actually absorbs OSI's Session, Presentation, and Application layers (5-7).

A control at a lower layer protects everything carried above it

Encapsulation means each layer wraps the data of the layer above, so security added at a lower layer covers all the protocols riding on top of it without per-application changes. That is exactly why network-layer IPsec protects every application's packets while transport-layer TLS protects only one application's session. The corollary for attackers: a filter that inspects only an outer wrapper cannot see traffic hidden in an inner layer.

Trap Assuming a higher-layer control protects the layers beneath it - protection flows upward from a lower layer, so a higher-layer control covers only its own session, not the traffic carrying it.

Defense-in-depth layers only count if they fail independently

Defense in depth places controls across multiple layers so defeating one does not defeat the rest, but the CISSP qualifier is that the layers must be independent. Two controls that share one chokepoint or one credential store fail together and count as a single layer, not two, so adding a second firewall that trusts the same management plane buys little real depth. Genuine depth puts controls that fail for different reasons in the attacker's path.

Trap Counting two controls behind one shared credential store or management plane as two layers - one compromise drops both, so they are really one layer.

1 question tests this
IPsec secures at Layer 3, so it covers all IP traffic between endpoints

IPsec operates at the Network layer, so it protects every IP packet between two endpoints or gateways regardless of the application that produced it - that breadth is why it underpins site-to-site VPNs. When a requirement is to protect all traffic between two locations transparently to applications, IPsec is the layer-correct answer. Per-application encryption cannot deliver that transparent, all-traffic coverage.

Trap Reaching for per-application TLS to cover all traffic between two sites - only network-layer IPsec protects every IP packet transparently regardless of the application.

Use ESP when you need confidentiality; AH gives integrity only

IPsec has two protocols: AH (Authentication Header) provides integrity and data-origin authentication but no encryption, while ESP (Encapsulating Security Payload) provides confidentiality plus optional integrity. So a requirement for confidentiality forces ESP, never AH. RFC 4301 even downgraded AH to optional because ESP alone meets most needs.

Trap Choosing AH to encrypt traffic - AH never provides confidentiality, only integrity and authentication; ESP is the encrypting protocol.

IPsec tunnel mode hides the original IP header; transport mode keeps it

Tunnel mode adds a new outer IP header and encapsulates the entire original packet, hiding the inner addresses - this is the gateway-to-gateway VPN case. Transport mode adds no new IP header and protects only the payload, leaving the original IP header exposed, which fits host-to-host protection where the endpoints route the packets themselves. The deciding question is whether the original addressing must be concealed across an intermediate link.

Trap Assuming transport mode hides the original IP header - it does not add an outer header, so the original source and destination remain visible; tunnel mode is what conceals them.

TLS protects one application's session above the Transport layer

TLS sits just above the Transport layer and secures a single application session - HTTPS is TLS protecting HTTP - giving per-application confidentiality and integrity with no change to the underlying network. It is the right tool when one service needs protection and re-architecting the network is unwarranted. Because it is per-session, it does not transparently protect every protocol the way network-layer IPsec does.

Trap Picking TLS to secure all traffic between two sites - TLS only protects per-application sessions, so blanket site-to-site protection is IPsec's job at the network layer.

Segmentation contains a breach by limiting lateral movement

Segmentation divides a network into zones and controls traffic at the boundaries, so an attacker who compromises one zone cannot freely reach the next. It is the architectural answer to limiting lateral movement after an initial foothold. The design heuristic is that the higher a zone's value or the lower its trust, the finer the segmentation it warrants.

Trap Expecting segmentation to prevent the initial breach - it contains and limits lateral movement after a foothold, it does not stop the first compromise.

1 question tests this
Logical segmentation shares hardware; physical segmentation shares nothing

Physical segmentation uses separate hardware or an air gap and shares no common component, giving the strongest isolation at the highest cost. Logical segmentation - a VLAN splitting one switch into separate broadcast domains - is cheaper and far more common but rides shared hardware, so a compromise or misconfiguration of that device (for example VLAN hopping) can defeat it. When a stem demands true isolation of a high-value system, physical separation is the stronger answer because there is no shared component to subvert.

Trap Treating a VLAN as equivalent to physical isolation for a high-value system - the VLAN shares switch hardware an attacker could subvert via VLAN hopping or a device compromise.

2 questions test this
Micro-segmentation pushes the boundary down to a single workload

Micro-segmentation enforces policy at the granularity of an individual host or workload rather than a whole subnet, so even server-to-server traffic inside one zone must pass a policy check. This is the mechanism that makes zero trust enforceable inside a data center, because there is no implicitly trusted inside if every workload-to-workload flow is mediated. The cost is the larger number of policies to define and maintain compared with subnet-level rules.

Trap Equating micro-segmentation with ordinary subnet or VLAN segmentation - micro-segmentation mediates every workload-to-workload flow, not just traffic crossing a zone boundary.

4 questions test this
Zero trust grants no access based on network location

Zero trust assumes the network is already compromised and grants nothing based on where a request originates, so being inside the perimeter earns no access. NIST SP 800-207 frames it as least-privilege, per-request access decisions made in the face of a network viewed as compromised; every session is authenticated, authorized, and granted least privilege against a dynamic policy weighing identity, device posture, and context. Authenticating to one resource never automatically grants access to another.

Trap Assuming a request from inside the firewall is trustworthy - zero trust explicitly removes location-based trust and verifies every session regardless of origin.

Zero trust enforces with a Policy Decision Point and a Policy Enforcement Point

NIST SP 800-207 structures zero-trust enforcement as a Policy Decision Point (PDP) that evaluates each access request against policy and a Policy Enforcement Point (PEP) that actually allows or blocks the connection. Separating the decision from the enforcement lets one policy engine govern many enforcement points consistently. The standing design goal is to keep any implicit-trust zone as small as possible.

Trap Swapping the roles of the PDP and PEP - the Policy Decision Point evaluates the request against policy, while the Policy Enforcement Point is what actually permits or blocks the connection.

2 questions test this
SDP and ZTNA hide a resource until the requester is verified

A software-defined perimeter (SDP), the mechanism behind zero-trust network access (ZTNA), hides resources from the network and brokers a connection only after the requester is authenticated, so an attacker cannot even see a resource they have not authenticated to, let alone attack it. This shrinks the attack surface to nearly nothing for unauthenticated parties. It contrasts with a traditional VPN that places a verified user broadly onto a network segment.

Trap Treating a traditional VPN as equivalent to ZTNA - the VPN drops a verified user broadly onto a network segment, whereas SDP keeps each resource hidden and brokers access per request.

2 questions test this
SASE is a delivery architecture for zero trust, not the principle itself

SASE (Secure Access Service Edge) is a cloud-delivered model that converges SD-WAN networking with security functions such as secure web gateway, CASB, and firewall-as-a-service to enforce zero-trust access at the edge near the user. It is a way to deliver zero-trust controls, so adopting the zero-trust principle does not require buying a SASE product, and buying SASE is not the same as having implemented zero trust. Treat SASE as the convergence of networking and security at the edge, not as a synonym for zero trust.

Trap Equating buying a SASE product with having achieved zero trust - SASE is a delivery architecture; the zero-trust principle still has to be designed and enforced.

SDN splits the control plane from the data plane, centralizing risk

Software-defined networking decouples the control plane (the logic deciding where traffic goes) from the data plane (the devices that forward it), centralizing policy in a controller so the network is programmable from one place. This enables consistent, automated segmentation but concentrates risk: compromising the SDN controller compromises the whole network's forwarding decisions, making the controller a crown-jewel asset to protect. SD-WAN applies the same control-plane abstraction across wide-area links and is the networking half of SASE.

A VPC is a logically isolated software-defined network in the cloud

A virtual private cloud (VPC) is the cloud expression of a logically isolated network carved from a provider's shared infrastructure, which you then segment with subnets and security groups. It is software-defined and logical, so the same logical-vs-physical caution applies: isolation is enforced by the provider's software, not by separate hardware you own. You design VPC segmentation the way you would design VLAN and zone boundaries on premises.

Trap Treating VPC isolation as physical, dedicated-hardware separation - it is logical isolation enforced by the provider's software over shared infrastructure, carrying the same caveats as a VLAN.

Multilayer protocols enable tunneling but also let traffic be smuggled

Multilayer protocols such as TCP/IP permit encapsulation, carrying one protocol inside another, which is what makes tunneling and VPNs possible. The same property lets an attacker smuggle disallowed traffic inside an allowed protocol or evade a filter that inspects only the outer layer. Each layer of encapsulation is therefore a layer your controls must be able to inspect through, not assume is benign.

Trap Trusting a filter that inspects only the outer protocol - encapsulation lets disallowed traffic ride inside an allowed protocol, so controls must inspect through each layer.

Converged protocols inherit the data network's threats and must be segmented

Converged protocols carry traditionally separate traffic over the data network: VoIP puts voice on IP, while FCoE and iSCSI put storage traffic onto Ethernet/IP. Once voice or storage rides the data network it inherits every threat of that network, so it must be segmented from general data traffic rather than trusted as a separate medium. Convergence is a reason to add segmentation and inspection, not a reason to assume the carried traffic is safe.

Trap Treating VoIP or iSCSI storage traffic as a trusted, separate medium once it shares the IP network - it now carries the same exposure as any other data traffic and needs segmenting.

Private VLAN isolated ports reach only the promiscuous port, never each other

A private VLAN gives Layer 2 isolation inside one IP subnet. Isolated ports can talk only to promiscuous ports (where the gateway, DHCP, or shared services sit) and never to other isolated or community ports, ideal for multi-tenant or web-server hosting where peers must not see each other but all need the gateway.

Trap VLAN-to-VLAN separation alone does not stop same-subnet peer traffic; that is what isolated private-VLAN ports add.

8 questions test this
VLANs are Layer 2 only; restrict inter-VLAN traffic with a routed firewall, ACLs, or VACLs

VLANs segment broadcast domains at Layer 2 but do nothing to filter traffic routed between them. Unauthorized cross-VLAN reachability means a Layer 3 device is routing without controls; the fix is to route inter-VLAN traffic through a firewall or apply ACLs / VLAN ACLs (VACLs) that default-deny and log, so traffic between segments is explicitly authorized.

Trap Traffic crossing VLANs without passing a router points to a Layer 2 leak (e.g. trunk misconfiguration), but the standard control to enforce policy is still a VACL or routed ACL.

4 questions test this
Pick uRPF mode by routing symmetry: strict for symmetric, loose/feasible for asymmetric

Unicast Reverse Path Forwarding drops spoofed packets by checking the source address against the FIB. Strict mode requires the source route to point back out the arrival interface (best anti-spoofing, symmetric routing only). Loose mode accepts the packet if any route to the source exists, and feasible-path mode accepts it via any valid alternate path, both tolerate the asymmetric routing of multihomed networks.

Trap Strict uRPF will drop legitimate traffic on asymmetric/multihomed links; that is when loose or feasible-path mode is required.

7 questions test this
SDP has three components: Controller, Initiating Hosts, and Accepting Hosts

Per the CSA Software-Defined Perimeter spec, the Controller makes the policy/authentication decisions, Initiating Hosts (clients) request access, and Accepting Hosts (protected resources/gateways) reject all connections until the Controller authorizes them. This delivers zero-trust 'authenticate first, connect second' access.

Trap Resources stay invisible to scanning via Single Packet Authorization (SPA). The Accepting Host stays dark until it receives a valid SPA packet.

4 questions test this
A DMZ sits between two firewalls; DMZ hosts may reach out but never initiate into the internal network

Place public-facing servers (web, mail) in a DMZ between an external and an internal firewall. Permitted flows are external-to-DMZ and internal-to-DMZ; DMZ hosts may only initiate connections outward to the external network, never inward to the internal network, so a compromised DMZ host cannot pivot to internal systems.

5 questions test this

Also tested in

References

  1. NIST glossary: Defense in depth Whitepaper
  2. RFC 4301: Security Architecture for the Internet Protocol (IPsec; AH vs ESP) Whitepaper
  3. NIST glossary: IPsec tunnel mode (NIST SP 800-77 Rev. 1) Whitepaper
  4. NIST glossary: IPsec transport mode (NIST SP 800-77 Rev. 1) Whitepaper
  5. NIST SP 800-207: Zero Trust Architecture Whitepaper
  6. NIST glossary: Secure Access Service Edge (SASE) Whitepaper