Firewalls, IDS/IPS, VPNs, DMZ architecture, network segmentation, protocols, and wireless security. Weight: ~18% of exam.
| Type | What It Inspects | Key Feature |
|---|---|---|
| Packet Filtering | IP headers only (src/dst IP, port, protocol) | Layer 3/4. Fast but no context. Stateless. |
| Stateful Inspection | Connection state table | Tracks sessions — knows if packet is part of established connection |
| NGFW (Next-Gen) | Full packet content + application identity | Deep packet inspection, app-aware, IPS built-in |
| WAF (Web App) | HTTP/HTTPS traffic specifically | Protects web apps from XSS, SQLi, OWASP Top 10 |
| Host-based | Traffic to/from one specific host | Software on endpoint (Windows Defender Firewall) |
Firewalls are broadly categorized by the layers of the OSI model they inspect and the degree of contextual awareness they maintain (Scarfone & Hoffman, 2009). Packet-filtering firewalls operate at Layers 3 and 4 and evaluate each packet independently without session context, making them fast but unable to detect attacks spread across multiple packets (Scarfone & Hoffman, 2009). Stateful inspection firewalls improve on this by maintaining a connection state table, tracking the full TCP handshake to distinguish legitimate session traffic from unsolicited packets (Stallings, 2017). Next-generation firewalls (NGFWs) extend stateful inspection with deep packet inspection and application-layer visibility, enabling policy enforcement based on application identity rather than port alone (Cisco, 2024). Web application firewalls (WAFs) specifically target Layer 7 HTTP/HTTPS traffic, protecting against OWASP Top 10 threats including SQL injection and cross-site scripting (OWASP Foundation, 2021). Host-based firewalls provide a final layer of defense on individual endpoints, complementing network-level controls (CompTIA, 2023).
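To make the stateless-versus-stateful distinction above concrete, here is an added Python simulation (not from the study guide or any of its cited sources) of a packet filter beside a stateful firewall that tracks the TCP handshake. The LAN prefix, the hosts and the "allow inbound to ephemeral ports" rule are constructed assumptions, and only TCP is modelled.

```python
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."  # constructed: address prefix of the protected LAN

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)

def stateless_filter(pkt: Packet) -> bool:
    """Packet filter: judges each packet alone on its Layer 3/4 headers.
    To let replies to outbound sessions back in, it has to permit any inbound
    packet aimed at an ephemeral port, which also admits unsolicited traffic."""
    if is_internal(pkt.src):
        return True  # outbound is allowed
    return pkt.dport >= 1024  # "reply or not" decided by port number alone

class StatefulFirewall:
    """Tracks the TCP handshake; inbound packets pass only if they belong to a
    session an internal host opened."""
    def __init__(self) -> None:
        self.table: dict = {}  # session 4-tuple (internal side first) -> state

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        if is_internal(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # same entry, reversed

    def allow(self, pkt: Packet) -> bool:
        key = self._key(pkt)
        state = self.table.get(key)
        if is_internal(pkt.src):  # outbound direction
            if state is None and pkt.flags == "S":
                self.table[key] = "SYN_SENT"
                return True
            if state == "SYN_RECEIVED" and pkt.flags == "A":
                self.table[key] = "ESTABLISHED"
                return True
            return state == "ESTABLISHED"
        if state == "SYN_SENT" and pkt.flags == "SA":  # expected SYN-ACK
            self.table[key] = "SYN_RECEIVED"
            return True
        return state == "ESTABLISHED"  # any other inbound packet is dropped
```

An inbound SYN to an internal ephemeral port passes the stateless filter but is dropped by the stateful firewall because no tracked session matches it.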
| Feature | IDS | IPS |
|---|---|---|
| Action | Detects and ALERTS only — passive | Detects and BLOCKS — active inline |
| Placement | Out-of-band (copy of traffic via tap/SPAN) | Inline — all traffic passes through it |
| False positive impact | Alert noise — no traffic disruption | Can block legitimate traffic — service disruption |
| Detection method — Signature | Matches known attack patterns | Same — known signatures |
| Detection method — Anomaly/Heuristic | Baseline behavior, detects deviations | Same — can catch zero-days |
Intrusion detection and prevention systems (IDPS) monitor network traffic for signs of malicious activity using two primary detection approaches (Scarfone & Mell, 2007). Signature-based detection compares traffic against a database of known attack patterns, offering high accuracy for documented threats but no coverage for zero-day exploits (Scarfone & Mell, 2007). Anomaly-based detection establishes a behavioral baseline and flags deviations, enabling detection of novel attacks at the cost of higher false-positive rates (Stallings, 2017). An IDS is deployed out-of-band — receiving a copy of traffic via a SPAN port or tap — and responds to threats with alerts only, leaving traffic unaffected (Scarfone & Mell, 2007). An IPS is placed inline so all traffic traverses it, enabling active blocking; however, a false positive in an IPS can disrupt legitimate services, a key operational trade-off tested on the Security+ exam (CompTIA, 2023).
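The two detection methods and the IDS/IPS response difference, as an added Python example (not from the guide or its cited sources): a signature check and a rate-based anomaly check run over constructed web-server log lines, then the same verdicts handed to an alert-only versus an inline response. The log lines, the SQL-injection signature and the "5× median" threshold are constructed assumptions.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample log lines in "client_ip method path" form.
SAMPLE_LOG = [
    "10.0.0.8 GET /index.html",
    "10.0.0.8 GET /about.html",
    "203.0.113.7 GET /login?user=admin'%20OR%20'1'='1",  # known SQLi tautology
    "10.0.0.9 GET /contact.html",
] + ["198.51.100.4 GET /search?q=%d" % i for i in range(40)]  # burst from one client

# Signature detection: known attack patterns; precise, but blind to anything new.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'(?:%20|\s)*or(?:%20|\s)*'", re.IGNORECASE),
}

def signature_alerts(lines):
    """Return (client_ip, signature_name) for every line matching a known pattern."""
    hits = []
    for line in lines:
        ip, _, path = line.split(" ", 2)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((ip, name))
    return hits

def anomaly_alerts(lines, factor=5.0):
    """Baseline = median requests per client; flag clients far above it.
    Catches behaviour no signature describes, but a merely busy legitimate
    client trips it too, which is the false-positive cost discussed above."""
    counts = Counter(line.split(" ", 1)[0] for line in lines)
    baseline = median(counts.values())
    return [ip for ip, n in counts.items() if n > factor * baseline]

def respond(alerts, mode):
    """IDS: out-of-band, alert only. IPS: inline, so the same verdict blocks."""
    sources = {a[0] if isinstance(a, tuple) else a for a in alerts}
    return {"alerted": sources, "blocked": sources if mode == "IPS" else set()}
```

In IPS mode the anomaly verdict against 198.51.100.4 blocks that client outright, so a wrong baseline turns alert noise into a service outage.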
A DMZ (Demilitarized Zone) is a network segment that sits between the public internet and the internal private network. Public-facing servers (web, email, DNS) live here so a compromise doesn't directly reach internal systems. The dual-firewall DMZ architecture is a foundational network security pattern, placing the outer firewall between the internet and DMZ and the inner firewall between the DMZ and the internal LAN (Scarfone & Hoffman, 2009).
VLANs logically segment a physical network — a compromised device in VLAN 10 (users) cannot directly reach VLAN 20 (servers) without going through a router/firewall (Stallings, 2017). Microsegmentation extends this principle to individual workloads, enforcing granular east-west traffic policies within a data center or cloud environment; this supports Zero Trust architectures in which no traffic is implicitly trusted regardless of its network origin (SANS Institute, 2024).
An air gap is physical isolation — no network connection at all. Used for top-secret or critical infrastructure systems where even a compromised network segment must not reach the protected asset (CompTIA, 2023).
| Type | Protocol | Use Case |
|---|---|---|
| Remote Access VPN | IPSec, SSL/TLS | Individual user connecting to corporate network |
| Site-to-Site VPN | IPSec | Connects two offices' networks permanently |
| SSL VPN | TLS (port 443) | Browser-based, no client software needed — clientless |
| Split Tunneling | Any | Only corporate traffic goes through VPN; internet traffic is direct |
| Full Tunneling | Any | ALL traffic routed through VPN — more secure, slower |
IPSec is a framework of open standards that provides confidentiality, integrity, and authentication for IP-layer communications (Kent & Seo, 2005). The Internet Key Exchange (IKE) protocol is used to negotiate cryptographic parameters and establish security associations between peers (Barker et al., 2020). IPSec has two modes. Transport mode encrypts only the payload and leaves the original IP header in the clear; it is used for host-to-host communications. Tunnel mode encapsulates the entire original IP packet under a new IP header, protecting both the payload and the original headers, and is the standard mode for site-to-site VPNs (Barker et al., 2020). SSL/TLS VPNs operate over port 443 using the TLS protocol; TLS 1.3 (RFC 8446) significantly reduces handshake latency and removes deprecated cipher suites compared to earlier versions (Rescorla, 2018).
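An added Python example (not from the guide or the cited RFCs) of the transport-versus-tunnel mode layout at the byte level: it builds the outer IPv4 and ESP headers for each mode and shows what an on-path observer can read without the key. Addresses, SPI values and the key are constructed, and the XOR keystream is a stand-in for a real ESP cipher.

```python
import hashlib
import struct

ESP_PROTO = 50  # IP protocol number for ESP
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    pack = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0, 0, 64, proto, 0, pack(src), pack(dst))

def parse_outer(pkt: bytes) -> dict:
    """What an on-path observer reads without the key: the outermost IP header."""
    fields = struct.unpack(IPV4_FMT, pkt[:20])
    ip = lambda b: ".".join(str(x) for x in b)
    return {"src": ip(fields[8]), "dst": ip(fields[9]), "proto": fields[6]}

def protect(data: bytes, key: bytes) -> bytes:
    """Stand-in for ESP encryption (XOR with a SHA-256 keystream); a real SA uses
    an AEAD cipher negotiated by IKE. XOR is symmetric, so this also decrypts."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(blocks))
    return bytes(d ^ k for d, k in zip(data, stream))

def esp_packet(spi: int, seq: int, body: bytes) -> bytes:
    return struct.pack("!II", spi, seq) + body  # ESP header: SPI + sequence number

def transport_mode(src: str, dst: str, payload: bytes, key: bytes) -> bytes:
    """Only the transport payload is protected; the original IP header goes as-is."""
    body = esp_packet(0x1001, 1, protect(payload, key))
    return ipv4_header(src, dst, ESP_PROTO, 20 + len(body)) + body

def tunnel_mode(gw_src: str, gw_dst: str, inner: bytes, key: bytes) -> bytes:
    """The whole original packet, header included, is protected under a new header."""
    body = esp_packet(0x1002, 1, protect(inner, key))
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, 20 + len(body)) + body

def build_demo(key: bytes = b"constructed-demo-key") -> dict:
    payload = b"GET / HTTP/1.1\r\n"  # constructed TCP payload
    inner = ipv4_header("10.1.1.5", "10.2.2.7", 6, 20 + len(payload)) + payload
    return {
        "transport": transport_mode("10.1.1.5", "10.2.2.7", payload, key),
        "tunnel": tunnel_mode("203.0.113.1", "198.51.100.1", inner, key),
        "inner": inner,
    }
```

In transport mode the observer still sees the real endpoints 10.1.1.5 and 10.2.2.7; in tunnel mode only the two gateway addresses are exposed and the receiving gateway recovers the original packet intact.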
| Protocol | Encryption | Status |
|---|---|---|
| WEP | RC4 (40/104-bit) | Broken — cracked in minutes. Never use. |
| WPA | TKIP (RC4-based) | Deprecated — TKIP has weaknesses. |
| WPA2 | AES-CCMP | Current minimum. KRACK vulnerability exists. |
| WPA3 | AES-GCMP-256, SAE | Current best. SAE replaces PSK — resists offline dictionary attacks. |
| 802.1X / EAP | Varies by EAP type | Enterprise — per-user authentication via RADIUS server. |
NIST guidance on securing wireless LANs recommends WPA2 with AES-CCMP as a minimum standard, with WPA2-Enterprise (802.1X/EAP) preferred over WPA2-Personal for organizational deployments (Souppaya & Scarfone, 2012). WPA3 was introduced by the Wi-Fi Alliance in 2018 to address WPA2 weaknesses; it replaces the Pre-Shared Key (PSK) exchange with Simultaneous Authentication of Equals (SAE), which provides forward secrecy and resistance to offline dictionary attacks (Wi-Fi Alliance, 2018). The urgency for WPA3 was partly driven by the 2017 KRACK (Key Reinstallation Attack) disclosure, in which Vanhoef and Piessens demonstrated that the WPA2 four-way handshake is vulnerable to nonce reuse, enabling an attacker within radio range to decrypt traffic without knowing the pre-shared key (Vanhoef & Piessens, 2017). 802.1X provides port-based network access control, requiring successful EAP authentication to a RADIUS server before any traffic is forwarded — an effective mitigation against both evil twin attacks and unauthorized device access (IEEE, 2020).
Evil Twin attack: Attacker sets up a rogue AP with the same SSID as a legitimate network. Users connect thinking it's real — MitM. Mitigated by 802.1X enterprise auth, which requires mutual certificate validation (Souppaya & Scarfone, 2012).
Deauthentication attack: Attacker sends deauth frames to disconnect users. Part of WPA2 cracking workflow — forces reconnect to capture handshake for offline cracking (Vanhoef & Piessens, 2017).
The CompTIA Security+ SY0-701 exam requires candidates to identify insecure protocols and their secure replacements as part of network hardening (CompTIA, 2023). Port 443 carries HTTPS traffic secured by TLS; TLS 1.3 (Rescorla, 2018) is the current recommended version, having deprecated vulnerable cipher suites present in TLS 1.2 and earlier. Firewall policy should deny inbound access to high-risk ports such as 23 (Telnet), 21 (FTP), and 161/162 (SNMPv1/v2) at the network perimeter while permitting only necessary services (Scarfone & Hoffman, 2009). IPSec VPN traffic typically traverses UDP port 500 (IKE) and 4500 (NAT traversal), which must be permitted in firewall rules for site-to-site connectivity (Barker et al., 2020).
Barker, E., Dang, Q., Frankel, S., Scarfone, K., & Wouters, P. (2020). Guide to IPsec VPNs (NIST Special Publication 800-77 Rev. 1). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-77r1
Cichonski, J., Franklin, J. M., & Bartock, M. (2017). Guide to LTE security (NIST Special Publication 800-187). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-187
Cisco. (2024). What is a next-generation firewall (NGFW)? https://www.cisco.com/site/us/en/learn/topics/security/what-is-a-next-generation-firewall.html
CompTIA. (2023). CompTIA Security+ SY0-701 exam objectives. https://assets.ctfassets.net/82ripq7fjls2/6TYWUym0Nudqa8nGEnegjG/0f9b974d3b1837fe85ab8e6553f4d623/CompTIA-Security-Plus-SY0-701-Exam-Objectives.pdf
IEEE. (2020). IEEE standard for local and metropolitan area networks — port-based network access control (IEEE Std 802.1X-2020). Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/IEEESTD.2020.9093580
Kent, S., & Seo, K. (2005). Security architecture for the Internet Protocol (RFC 4301). Internet Engineering Task Force. https://datatracker.ietf.org/doc/html/rfc4301
OWASP Foundation. (2021). Web Application Firewall. https://owasp.org/www-community/Web_Application_Firewall
Rescorla, E. (2018). The Transport Layer Security (TLS) protocol version 1.3 (RFC 8446). Internet Engineering Task Force. https://datatracker.ietf.org/doc/html/rfc8446
SANS Institute. (2024). Best practices for securing your network with Zero Trust Network Access. https://www.sans.org/blog/best-practices-for-securing-your-network-with-zero-trust-network-access
Scarfone, K., & Hoffman, P. (2009). Guidelines on firewalls and firewall policy (NIST Special Publication 800-41 Rev. 1). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-41r1
Scarfone, K., & Mell, P. (2007). Guide to intrusion detection and prevention systems (IDPS) (NIST Special Publication 800-94). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-94
Souppaya, M., & Scarfone, K. (2012). Guidelines for securing wireless local area networks (WLANs) (NIST Special Publication 800-153). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-153
Stallings, W. (2017). Network security essentials: Applications and standards (6th ed.). Pearson.
Vanhoef, M., & Piessens, F. (2017). Key reinstallation attacks: Forcing nonce reuse in WPA2. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17), 1313–1328. https://doi.org/10.1145/3133956.3134027
Wi-Fi Alliance. (2018). Wi-Fi certified WPA3 specification. https://www.wi-fi.org/file/wpa3-specification