Network Security
The perimeter is dead. Understand what replaced it.
Overview
Network security is one of the largest Security+ domains. You need to understand not just what tools exist, but when and why to use them — and what the tradeoffs are. Answer the five questions below with explanation and reasoning.
Read before you answer
Network security is the practice of protecting the infrastructure — physical, logical, and procedural — that data travels across. Security+ focuses on both the architectural controls that prevent attackers from reaching systems and the monitoring capabilities that detect when they do. The most fundamental architectural concept is network segmentation: dividing a network into zones with controlled communication between them, so that a compromise in one zone does not automatically spread to all others. The DMZ (demilitarised zone) is the classic example — a network segment for public-facing services (web servers, mail servers) that sits between the internet and the internal network.
Firewalls are the primary enforcement point for network segmentation. Packet-filtering firewalls inspect individual packets against rules; stateful firewalls track connection state and can make more intelligent decisions; next-generation firewalls (NGFWs) add application awareness, intrusion prevention, and deep packet inspection. VPNs (Virtual Private Networks) extend private network access over public infrastructure using encryption. Network Access Control (NAC) systems enforce policies on what devices can connect — checking patch level, certificate validity, or endpoint security posture before granting access. IDS/IPS systems (Intrusion Detection/Prevention Systems) monitor traffic for known attack signatures or anomalous behaviour.
Common network attacks include: port scanning and enumeration (reconnaissance); ARP poisoning and MAC flooding (attacks against Layer 2 switching); DNS poisoning (redirecting legitimate queries to malicious destinations); VLAN hopping (escaping network segmentation through switch misconfiguration); and distributed denial-of-service (DDoS), which overwhelms services with traffic. Wireless networks introduce additional attack surfaces: WEP is cryptographically broken and should never be used; WPA2 with strong passphrases is the minimum acceptable standard for most environments; WPA3 provides improved protection against offline password attacks. Rogue access points and evil twin attacks — where an attacker creates a WiFi network that mimics a legitimate one — are persistent threats in public and corporate environments.