Comprehensive Study Guide
---
Overview
Network security is a critical domain of the CompTIA Network+ exam, covering how to identify threats, implement defensive technologies, secure communications, and enforce access policies. This guide covers attack types, defensive architectures, VPN/encryption technologies, authentication protocols, wireless security, and security best practices. Mastery of these concepts is essential for both the exam and real-world network administration.
---
1. Threats & Attack Types
Summary
Network attacks can target any layer of the OSI model, exploit human behavior, or abuse legitimate protocols. Understanding the mechanism, target layer, and mitigation for each attack type is essential for the exam.
Key Attack Types
#### Man-in-the-Middle (MitM)
• Definition: An attacker secretly intercepts, relays, and potentially modifies communications between two parties who believe they are communicating directly.
• Common enablers: ARP poisoning, rogue APs, DNS spoofing
• Mitigation: Encryption (TLS), mutual authentication, certificate pinning
#### DNS Poisoning (Cache Poisoning)
• Definition: Malicious DNS records are injected into a resolver's cache, redirecting clients to fraudulent IP addresses.
• Target: DNS infrastructure
• Impact: Enables phishing, credential theft, malware distribution
• Mitigation: DNSSEC, trusted resolvers, monitoring for cache anomalies
#### DoS vs. DDoS
• DoS (Denial-of-Service): Originates from a single source; floods a target to exhaust resources
• DDoS (Distributed DoS): Uses a botnet (many compromised systems) to flood a target simultaneously
• Mitigation: Rate limiting, traffic scrubbing, upstream filtering, CDN protection
#### ARP Poisoning
• Definition: Forged ARP replies associate the attacker's MAC address with a legitimate IP, redirecting Layer 2 traffic
• Target Layer: Layer 2 (Data Link layer)
• Enables: MitM attacks, traffic sniffing
• Mitigation: Dynamic ARP Inspection (DAI), static ARP entries, VLAN segmentation
#### VLAN Hopping
• Definition: Attacker sends traffic to an unauthorized VLAN via two methods:
- Switch Spoofing: Attacker's device negotiates a trunk link with the switch
- Double Tagging: Attacker embeds a second 802.1Q VLAN tag inside the first
• Mitigation: Disable auto-trunking (DTP), change native VLANs, use dedicated trunk ports
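The double-tagging method above relies on a switch stripping the outer (native-VLAN) tag and forwarding the frame with the inner tag intact. As an added example that is not part of this study guide, the following parser walks stacked 802.1Q tags the way a monitoring tool on a trunk or tap would, and flags the outer-tag-equals-native-VLAN pattern; the function names and the test frames are constructed here.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # 802.1ad service (Q-in-Q) tag, walked the same way

def parse_vlan_tags(frame: bytes):
    """Walk stacked 802.1Q tags after the two MAC addresses.
    Returns (list of VLAN IDs outermost-first, the ethertype that follows)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12            # skip destination (6) + source (6) MAC
    vlan_ids = []
    while True:
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            return vlan_ids, tpid
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)   # low 12 bits = VID; high 4 = PCP/DEI
        offset += 4
        if offset + 2 > len(frame):
            raise ValueError("truncated VLAN tag")

def double_tag_check(frame: bytes, native_vlan: int) -> dict:
    """Flag the double-tagging pattern: outer tag equals the trunk's native
    VLAN (which the first switch strips) and an inner tag names another VLAN."""
    vlan_ids, ethertype = parse_vlan_tags(frame)
    if len(vlan_ids) >= 2 and vlan_ids[0] == native_vlan:
        return {"alert": True, "outer": vlan_ids[0], "inner": vlan_ids[1]}
    return {"alert": False, "tags": vlan_ids, "ethertype": ethertype}

def build_frame(vlan_ids, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame: broadcast dst, locally administered src,
    the requested tag stack, then an IPv4 ethertype and filler payload."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0200000000aa")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid) for vid in vlan_ids)
    return dst + src + tags + struct.pack("!H", 0x0800) + payload
```

Changing the native VLAN to an unused ID, as the mitigation bullet recommends, is what makes the `vlan_ids[0] == native_vlan` condition impossible for frames from access ports.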
#### Rogue Access Point
• Definition: An unauthorized wireless AP connected to the network without administrator approval
• Threat: Intercepts traffic, bypasses perimeter controls, enables MitM
• Mitigation: Wireless intrusion detection, NAC, physical security, AP inventory audits
#### Social Engineering
• Definition: Exploiting human psychology rather than technical vulnerabilities to obtain sensitive information or access
• Common forms: Phishing (email-based deception), pretexting (fabricated scenario), vishing (voice), smishing (SMS)
• Mitigation: Security awareness training, email filtering, verification procedures
---
Key Terms – Threats
• Botnet – Network of compromised machines controlled by an attacker
• Phishing – Fraudulent emails designed to steal credentials or deliver malware
• IV (Initialization Vector) – A value used to initialize encryption algorithms; flawed implementation leads to cryptographic vulnerabilities
• 802.1Q – The IEEE standard for VLAN tagging on Ethernet frames
---
⚠️ Watch Out For – Threats
• ARP poisoning vs. DNS poisoning: ARP targets Layer 2 (local network); DNS targets name resolution (Layer 7 application layer)
• DoS vs. DDoS: The exam distinguishes these by source count — single source = DoS, multiple sources (botnet) = DDoS
• VLAN hopping methods: Know both switch spoofing AND double tagging as distinct techniques
• Social engineering is NOT a technical exploit — it targets humans, not systems
---
2. Firewall & Network Defense
Summary
Network defense relies on layered tools that inspect, control, and monitor traffic at different points in the network. Understanding where each tool sits and what it can/cannot do is critical for exam scenarios.
Core Defense Technologies
#### Stateful vs. Stateless Firewalls
| Feature | Stateless (Packet Filtering) | Stateful |
|---|---|---|
| Inspection method | Individual packets only | Tracks connection state |
| Context awareness | None | Maintains session table |
| Rules basis | Static ACLs | ACLs + connection state |
| Performance | Faster | Slightly more overhead |
| Security level | Basic | Higher |
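To make the "context awareness" row concrete, here is an added simulation (not code from the study guide) of both filter types handling the same three packets. The addresses are RFC 5737 documentation ranges and the rule set is constructed: each filter is meant to allow inside hosts to reach HTTPS servers and let the replies back in.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = inside host -> internet, "in" = internet -> inside
    src: str
    sport: int
    dst: str
    dport: int

def stateless_allow(pkt: Packet) -> bool:
    """Static ACL with no memory. To let HTTPS replies back in, it has to permit
    any inbound packet sourced from port 443 to a client port; it cannot know
    whether that packet answers a request an inside host actually made."""
    if pkt.direction == "out" and pkt.dport == 443:
        return True
    if pkt.direction == "in" and pkt.sport == 443 and pkt.dport >= 1024:
        return True
    return False

class StatefulFirewall:
    """Keeps a session table keyed by the inside host's 4-tuple. Inbound traffic
    is allowed only when it matches a session created by outbound traffic.
    (TCP flag tracking and session timeouts are omitted for brevity.)"""
    def __init__(self):
        self.sessions = set()   # (inside_ip, inside_port, remote_ip, remote_port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.dport != 443:
                return False
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def compare(packets):
    """Run one packet sequence through both filters; returns a list of
    (stateless_decision, stateful_decision) per packet."""
    fw = StatefulFirewall()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

# Constructed traffic: a real HTTPS exchange, then an unsolicited inbound packet
# whose source port happens to be 443, so it matches the stateless "reply" rule.
SAMPLE = [
    Packet("out", "10.0.0.5", 51000, "203.0.113.10", 443),   # client request
    Packet("in", "203.0.113.10", 443, "10.0.0.5", 51000),    # genuine reply
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 51000),    # no matching session
]
```

The third packet is the exam point in miniature: the stateless filter passes it because the headers fit the rule, the stateful filter drops it because no session table entry exists.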
#### DMZ (Demilitarized Zone)
• Definition: A perimeter network segment that hosts publicly accessible services while isolating them from the internal network
• Common DMZ hosts: Web servers, email servers, DNS servers, FTP servers
• Architecture: Typically implemented with two firewalls (outside firewall → DMZ → inside firewall)
• Key principle: If a DMZ host is compromised, the internal network remains protected
#### IDS vs. IPS
• IDS (Intrusion Detection System): Monitors and alerts — passive, out-of-band; does NOT block traffic
• IPS (Intrusion Prevention System): Monitors and blocks — inline with traffic; can drop malicious packets in real time
• Detection methods: Signature-based (known patterns) vs. Anomaly-based (deviation from baseline)
• False positive: Legitimate traffic flagged as malicious
• False negative: Malicious traffic NOT detected (more dangerous)
#### Honeypot
• Definition: A decoy system designed to lure attackers away from real assets
• Purpose: Detect intrusions, study attack techniques, gather threat intelligence
• Honeynet: A network of multiple honeypot systems
• Must be isolated — a compromised honeypot should not provide a pivot point to real systems
#### Network Access Control (NAC)
• Definition: Enforces security policy compliance before granting network access
• Checks: Patch level, antivirus status, OS version, device identity/certificates
• Outcomes: Full access, limited access, or quarantine to a remediation VLAN
• Often integrated with 802.1X for port-level enforcement
#### Port Security (Managed Switches)
• Definition: Limits the number and/or identity of MAC addresses permitted on a switch port
• Prevents: MAC flooding attacks (which fill the CAM table with bogus entries, forcing the switch to flood unicast frames out every port like a hub)
• Violation modes: Protect (drop packets), Restrict (drop + log), Shutdown (disable port)
• Sticky MAC: Dynamically learned MAC addresses are retained in configuration
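As an added example, not taken from the study guide, the model below reproduces the port-security behaviour described in these bullets: a MAC limit, the three violation modes, and the difference sticky learning makes to what survives a reload. The class and the MAC addresses are constructed for illustration.

```python
class SecurePort:
    """Model of switchport port-security: at most `max_addresses` secure MACs,
    learned dynamically (sticky => kept in config) or configured statically;
    excess addresses trigger the configured violation mode."""

    def __init__(self, max_addresses=1, violation="shutdown", sticky=True):
        assert violation in ("protect", "restrict", "shutdown")
        self.max_addresses = max_addresses
        self.violation = violation
        self.sticky = sticky
        self.secure_macs = []     # insertion order = learning order
        self.static_macs = set()
        self.violations = 0
        self.syslog = []
        self.err_disabled = False

    def add_static(self, mac: str):
        self.static_macs.add(mac)
        if mac not in self.secure_macs:
            self.secure_macs.append(mac)

    def receive(self, mac: str) -> bool:
        """Process a frame with source MAC `mac`; True if it is forwarded."""
        if self.err_disabled:
            return False                      # shutdown mode already tripped
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_addresses:
            self.secure_macs.append(mac)      # dynamic learning
            return True
        self.violations += 1                  # every mode drops the frame
        if self.violation == "restrict":
            self.syslog.append(f"PORT-SECURITY violation: {mac}")
        elif self.violation == "shutdown":
            self.err_disabled = True
            self.syslog.append(f"PORT-SECURITY err-disable: {mac}")
        return False

    def running_config(self):
        """MACs that survive a reload: static ones, plus learned ones if sticky."""
        return [m for m in self.secure_macs if self.sticky or m in self.static_macs]

def mac_flood(port: SecurePort, count: int) -> int:
    """Constructed CAM-flood scenario: `count` distinct source MACs arrive on
    one port. Returns how many frames the port actually forwarded."""
    return sum(port.receive(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
               for i in range(count))
```

With a limit of one address, a flood of 500 MACs forwards exactly one frame and leaves the CAM table untouched, which is the mitigation the bullet describes.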
---
Key Terms – Firewall & Defense
• ACL (Access Control List) – Rules that permit or deny traffic based on defined criteria
• Inline – Positioned directly in the traffic path (required for IPS)
• Out-of-band – Monitoring traffic via a copy/tap, not in the traffic path (IDS)
• CAM Table – Content Addressable Memory; a switch's MAC address table
• Quarantine VLAN – An isolated VLAN for non-compliant devices pending remediation
---
⚠️ Watch Out For – Firewall & Defense
• IDS vs. IPS placement: IPS must be inline; IDS is out-of-band — this is a frequent exam question
• Stateful vs. stateless: Stateful tracks connections; stateless only looks at individual packet headers
• DMZ purpose: It ISOLATES public-facing servers — the internal network remains unreachable from the DMZ directly
• Honeypot vs. honeypot network: A single honeypot ≠ a honeynet; know the distinction
---
3. VPN & Encryption
Summary
VPNs create encrypted tunnels over untrusted networks. The exam tests knowledge of VPN types, IPsec modes, specific protocols, and cryptographic concepts like PFS.
VPN Types
#### Site-to-Site vs. Remote-Access VPN
| Feature | Site-to-Site | Remote-Access |
|---|---|---|
| Purpose | Connect two networks | Connect individual user to network |
| Endpoints | Two VPN gateways | Client software + gateway |
| Persistence | Always-on tunnel | On-demand connection |
| Use case | Branch office connectivity | Work-from-home users |
IPsec Deep Dive
#### IPsec Modes
• Transport Mode:
- Encrypts only the payload (data portion)
- Original IP header remains intact and visible
- Used for host-to-host communication
• Tunnel Mode:
- Encrypts the entire original IP packet (header + payload)
- Encapsulates it within a new IP header
- Used for network-to-network (site-to-site) VPNs
#### IPsec Protocols
• AH (Authentication Header):
- Provides: Data integrity, authentication, anti-replay protection
- Does NOT encrypt — payload is visible
- Protocol number: 51
• ESP (Encapsulating Security Payload):
- Provides: Encryption + integrity + authentication + anti-replay
- Protocol number: 50
- Most commonly used in VPN implementations
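To show what the two protocol numbers and the "AH does NOT encrypt" point look like on the wire, here is an added parser (not from the study guide) that classifies an IPv4 packet as AH or ESP and extracts the SPI and sequence number, plus the simplest form of the anti-replay check both protocols provide. The packet builder, addresses and the replay-check class are constructed for this example.

```python
import struct
import ipaddress

IPPROTO_ESP = 50
IPPROTO_AH = 51

def build_ipv4(proto: int, src: str, dst: str, body: bytes) -> bytes:
    """Constructed IPv4 header (20 bytes, checksum left zero) in front of `body`."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + body

def parse_ipsec(packet: bytes) -> dict:
    """Classify an IPv4 packet as AH, ESP or other and pull out the fields a
    monitor can read without keys: SPI, sequence number, and for AH the ICV."""
    ihl = (packet[0] & 0x0F) * 4
    info = {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "protocol": packet[9]}
    body = packet[ihl:]
    if info["protocol"] == IPPROTO_ESP:
        spi, seq = struct.unpack_from("!II", body, 0)
        # everything after SPI + sequence number is ciphertext (+ trailer, ICV)
        info.update(kind="ESP", spi=spi, seq=seq, payload_visible=False)
    elif info["protocol"] == IPPROTO_AH:
        next_hdr, payload_len, _, spi, seq = struct.unpack_from("!BBHII", body, 0)
        ah_len = (payload_len + 2) * 4       # payload_len is in 32-bit words minus 2
        info.update(kind="AH", spi=spi, seq=seq, next_header=next_hdr,
                    icv=body[12:ah_len].hex(), payload_visible=True,
                    inner=body[ah_len:])     # AH leaves the protected data readable
    else:
        info.update(kind="other")
    return info

class ReplayCheck:
    """Anti-replay in its simplest form: a sequence number that does not advance
    past the highest one seen for that SPI is rejected. Real stacks keep a
    sliding window (RFC 4302/4303) so modestly reordered packets still pass."""
    def __init__(self):
        self.highest = {}

    def accept(self, spi: int, seq: int) -> bool:
        if seq <= self.highest.get(spi, 0):
            return False
        self.highest[spi] = seq
        return True
```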
#### VPN Protocols Comparison
| Protocol | Layer | Encryption | Notes |
|---|---|---|---|
| IPsec | Layer 3 | Yes (ESP) | Industry standard for site-to-site |
| L2TP | Layer 2 | No (alone) | Tunnels PPP; paired with IPsec for security |
| SSL/TLS VPN | Layer 7 | Yes | Browser-based; uses port 443 |
| OpenVPN | Layer 3 | Yes | Open source; uses SSL/TLS |
#### Perfect Forward Secrecy (PFS)
• Definition: Session keys are derived independently for each session using ephemeral key exchange (e.g., Diffie-Hellman)
• Benefit: Compromise of the long-term private key does not allow decryption of previously captured session traffic
• Without PFS: Past sessions are vulnerable if the private key is ever compromised
---
Key Terms – VPN & Encryption
• Tunnel – An encapsulated, encrypted connection through an untrusted network
• IKE (Internet Key Exchange) – Protocol used to establish the security association (SA) for IPsec
• Security Association (SA) – A negotiated set of parameters defining an IPsec connection
• Ephemeral Keys – Temporary keys generated per session, discarded after use (enables PFS)
• Split Tunneling – VPN configuration where only traffic destined for the corporate network goes through the VPN
---
⚠️ Watch Out For – VPN & Encryption
• L2TP alone is NOT secure — it provides tunneling but no encryption; always paired with IPsec
• Transport vs. Tunnel mode: Transport = host-to-host (header visible); Tunnel = network-to-network (full packet encrypted)
• AH vs. ESP: AH = integrity only (no encryption); ESP = encryption + integrity — most scenarios require ESP
• PFS does not protect future sessions — it protects past sessions from future key compromise
---
4. Authentication & Access Control
Summary
Authentication verifies identity; authorization controls what that identity can access. The AAA framework (Authentication, Authorization, Accounting) is fundamental to network access control. The exam heavily tests AAA protocols and MFA concepts.
Core Concepts
#### Authentication vs. Authorization
• Authentication: "Who are you?" — verifying identity (username/password, certificates, biometrics)
• Authorization: "What can you do?" — defining permissions after identity is confirmed
• Accounting: "What did you do?" — logging activity for audit and compliance
#### AAA Protocols: RADIUS vs. TACACS+
| Feature | RADIUS | TACACS+ |
|---|---|---|
| Transport | UDP 1812 (auth) / 1813 (acct) | TCP port 49 |
| Encryption | Password only | Entire payload |
| AAA separation | Auth + authz combined | Auth, authz, acct separated |
| Primary use | Network access (VPN, wireless) | Device administration (routers, switches) |
| Vendor | Open standard | Cisco proprietary |
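The "Password only" cell is worth seeing in bytes. As an added example (not code from the study guide), the following implements the User-Password hiding that RFC 2865 section 5.2 specifies, builds a minimal Access-Request, and checks which credential is readable in the datagram; the shared secret, user name and password are constructed values. Note that this MD5-and-XOR scheme is obfuscation keyed by the shared secret rather than modern encryption, one reason RADIUS is carried over IPsec or TLS on untrusted paths.

```python
import hashlib
import os
import struct

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte chunks; each chunk is XORed with
    MD5(secret + previous ciphertext chunk), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + chunk, chunk
    return out

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does); strips padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(x ^ y for x, y in zip(chunk, b)), chunk
    return out.rstrip(b"\x00")

def build_access_request(secret: bytes, username: bytes, password: bytes,
                         identifier: int = 1, authenticator: bytes = None) -> bytes:
    """Minimal Access-Request: code 1, identifier, length, 16-byte authenticator,
    then User-Name (type 1) and User-Password (type 2) as type/length/value."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(secret, authenticator, password)
    attrs = struct.pack("!BB", 1, 2 + len(username)) + username
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def credential_exposure(packet: bytes, username: bytes, password: bytes) -> dict:
    """Which credential can be read straight out of the datagram on the wire?"""
    return {"username_visible": username in packet,
            "password_visible": password in packet}
```

Every other attribute in the packet (user name, NAS identifiers, accounting data) travels exactly as the `username_visible` result shows, which is the contrast the table draws with TACACS+ encrypting the whole body.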
#### 802.1X Port-Based NAC
• Definition: IEEE standard for port-based access control; devices must authenticate before gaining network access
• Components:
- Supplicant – The client device requesting access
- Authenticator – The switch or wireless AP enforcing access
- Authentication Server – RADIUS server verifying credentials
• Protocol used: EAP (Extensible Authentication Protocol) carried over 802.1X
• Solves: Unauthorized device access through physical switch ports or wireless networks
#### Multi-Factor Authentication (MFA)
• Definition: Requires two or more verification factors from different categories
• Three factor categories:
1. Something you know – Password, PIN, security question
2. Something you have – Hardware token, smart card, authenticator app, OTP
3. Something you are – Fingerprint, retina scan, facial recognition (biometrics)
• Rule: MFA requires factors from different categories — two passwords = NOT MFA
• Benefit: Compromised passwords alone are insufficient for access
---
Key Terms – Authentication & Access Control
• AAA – Authentication, Authorization, and Accounting framework
• EAP – Extensible Authentication Protocol; flexible framework used with 802.1X
• OTP (One-Time Password) – A temporary password valid for a single session or short time window
• Smart Card – A physical card containing a certificate or credential (something you have)
• Supplicant – The device/client requesting network access in an 802.1X exchange
---
⚠️ Watch Out For – Authentication & Access Control
• RADIUS uses UDP; TACACS+ uses TCP — this is a frequently tested distinction
• TACACS+ encrypts the FULL payload; RADIUS encrypts only the password — TACACS+ is more secure for device administration
• Two passwords ≠ MFA — factors must come from different categories to qualify as multi-factor
• 802.1X vs. NAC: 802.1X is the standard; NAC is the broader concept — 802.1X is often the mechanism used to implement NAC
---
5. Wireless Security
Summary
Wireless networks introduce unique vulnerabilities due to the broadcast nature of radio frequency transmission. The exam tests knowledge of security protocols, their weaknesses, and wireless-specific attacks.
Wireless Security Protocols
| Protocol | Encryption | Key Exchange | Status |
|---|---|---|---|
| WEP | RC4 (flawed) | Static keys | Broken – do not use |
| WPA | TKIP | PSK or 802.1X | Deprecated |
| WPA2 | AES-CCMP | PSK or 802.1X | Current standard |
| WPA3 | AES-GCMP | SAE or 802.1X | Current best practice |
#### WEP – Why It's Broken
• Uses RC4 cipher with short, static keys
• Flawed IV (Initialization Vector) implementation — IVs are only 24-bit and repeat frequently
• Attackers can passively capture sufficient traffic to mathematically recover the key
• Key recovery possible in minutes using tools — never use WEP
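"Repeat frequently" can be quantified. As an added example that is not part of the study guide, the block below computes how soon a randomly chosen 24-bit IV is expected to collide (the birthday problem), which is the situation for cards that pick IVs at random; cards that use a simple incrementing counter repeat deterministically once the counter wraps after 2^24 frames. The function names are constructed here.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS        # 16,777,216 possible IVs

def iv_reuse_probability(frames: int, iv_space: int = IV_SPACE) -> float:
    """Exact birthday-problem probability that at least two of `frames` frames
    share an IV when each IV is drawn uniformly at random. Computed as a
    log-space product so it stays accurate for thousands of frames."""
    if frames > iv_space:
        return 1.0                           # pigeonhole: a repeat is certain
    log_all_distinct = 0.0
    for i in range(frames):
        log_all_distinct += math.log1p(-i / iv_space)
    return 1.0 - math.exp(log_all_distinct)

def frames_until_reuse(target: float, iv_space: int = IV_SPACE) -> int:
    """Frame count at which the reuse probability reaches `target` (0 < target < 1),
    from the closed-form approximation n ~ sqrt(2 * N * ln(1 / (1 - p)))."""
    return math.ceil(math.sqrt(2 * iv_space * math.log(1 / (1 - target))))
```

On a busy network a few thousand frames pass in seconds, so a 50% chance of an IV repeat arrives almost immediately, long before the counter-based 2^24 bound.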
#### WPA3 Improvements Over WPA2
• SAE (Simultaneous Authentication of Equals): Replaces PSK handshake; protects against offline dictionary attacks
• 192-bit encryption in enterprise mode (WPA3-Enterprise)
• Forward secrecy: Session keys are not derivable from the long-term password
• Enhanced Open: Encrypts traffic on open networks using OWE (Opportunistic Wireless Encryption)
Wireless Attacks
#### Evil Twin Attack
• Definition: A fraudulent AP configured with the same SSID as a legitimate network
• Mechanism: Clients auto-connect or are tricked into connecting to the attacker's AP
• Impact: Traffic interception, credential theft, MitM positioning
• Mitigation: Certificate-based authentication (802.1X/EAP), user education, wireless IDS
#### Rogue Access Point
• Unauthorized AP attached to the wired network by an insider or attacker
• Distinguished from