← Network Security – CompTIA Security+ Certification

CompTIA Security+ Certification Study Guide

Key concepts, definitions, and exam tips organized by topic.

33 cards covered

Network Security – CompTIA Security+ Study Guide


Overview

Network security forms a core domain of the CompTIA Security+ certification, covering how organizations protect infrastructure, data, and services from unauthorized access and attacks. This guide covers firewalls, network architecture, secure protocols, VPNs, wireless security, and common attack countermeasures. Mastering these concepts requires understanding not just definitions, but the why behind each control and how technologies interact.


---


Firewalls & Network Devices


Summary

Firewalls are the primary gatekeepers of network traffic. Security+ tests your ability to distinguish between firewall types, understand their limitations, and know which device is appropriate for a given scenario.


Firewall Types


| Type | OSI Layer | Key Capability |

|------|-----------|----------------|

| Stateless (Packet Filtering) | Layer 3–4 | Evaluates each packet independently by IP/port rules |

| Stateful | Layer 3–4 | Tracks active connection state/session context |

| Next-Generation Firewall (NGFW) | Layer 7 | Deep packet inspection, app awareness, IPS integration |

| Web Application Firewall (WAF) | Layer 7 | Filters HTTP/HTTPS; targets OWASP Top 10 threats |


Intrusion Detection vs. Prevention


  • IDS (Intrusion Detection System): Passive monitoring — generates alerts but does not block traffic
  • IPS (Intrusion Prevention System): Active inline device — detects and blocks malicious traffic in real time
  • NIPS (Network-based): Monitors traffic across a network segment
  • HIPS (Host-based): Monitors activity on an individual endpoint's OS and applications

    • Other Network Security Devices


  • Jump Server (Jump Box): Hardened intermediary host used to access devices in a separate, more sensitive security zone; reduces direct exposure
  • Load Balancer: Distributes traffic across servers; can also provide SSL termination and availability benefits
  • Proxy Server: Acts as an intermediary between clients and servers; can cache, filter, and anonymize traffic

    • Key Terms

  • Deep Packet Inspection (DPI): Inspecting packet payload content, not just headers
  • Application Awareness: NGFW capability to identify and control traffic by specific application (e.g., block Dropbox, allow SharePoint)
  • Inline vs. Passive: Inline devices (IPS) sit in the traffic path; passive devices (IDS) monitor a copy of traffic via span/tap

    • Watch Out For

    > ⚠️ Exam Trap: IDS alerts — it does not block. If a question asks which device "detects but does not prevent," the answer is IDS, not IPS.

    >

    > ⚠️ WAF vs. NGFW: A WAF specifically protects web applications (HTTP/HTTPS). An NGFW is broader but may not provide the same depth of web application inspection as a dedicated WAF.

    >

    > ⚠️ NIPS vs. HIPS: Location matters. Network-based = segment-level protection. Host-based = single endpoint protection.


    ---


    Network Segmentation & Architecture


    Summary

    Proper network architecture limits the blast radius of a breach. Security+ heavily tests segmentation concepts, zero trust principles, and the purpose of isolation techniques.


    Key Architectural Concepts


  • DMZ (Demilitarized Zone): A buffer network segment between the internet and internal LAN; hosts public-facing services (web servers, mail servers) while isolating them from sensitive internal resources
  • VLANs: Logically separate traffic at Layer 2; contain breaches within a segment and enforce access control between groups
  • Zero Trust Architecture: "Never trust, always verify" — security controls placed as close to the resource as possible; no implicit trust based on network location
  • Air Gap: Physical isolation — a secure system with zero network connections to untrusted networks; used in critical infrastructure and classified environments

    • Traffic Flow Concepts


  • North-South Traffic: Flows between the internal network and external networks (internet); traditionally where firewalls focused
  • East-West Traffic: Flows within a data center between servers/workloads; increasingly important as attackers move laterally after initial breach

    • Network Access Control (NAC)


    NAC enforces endpoint compliance before granting network access:

  • • Checks: patch level, antivirus status, OS version, certificate presence
  • • Prevents non-compliant or unauthorized devices from joining the network
  • • Often integrates with 802.1X for port-based authentication

    • Key Terms

  • Microsegmentation: Granular segmentation applied within a data center (often software-defined) to control East-West traffic
  • Attack Surface: The total number of entry points an attacker can exploit; segmentation reduces this
  • Security Zone: A logical grouping of assets with similar trust levels and security requirements

    • Watch Out For

    > ⚠️ Zero Trust ≠ No VPN: Zero Trust is an architecture philosophy, not a single product. It can coexist with VPNs, though cloud-based ZTNA solutions may replace them.

    >

    > ⚠️ VLANs are Layer 2: VLAN segmentation does not provide Layer 3 routing control by itself — you need ACLs or a firewall at Layer 3 to control inter-VLAN traffic.

    >

    > ⚠️ Air Gap is physical, not logical: An air-gapped system cannot be reached remotely; threats must be introduced physically (e.g., USB drive).


    ---


    Secure Protocols & Services


    Summary

    Knowing which protocols are secure versus insecure, and on which ports they operate, is essential for Security+ exam success. Focus on the protocol pairs (secure vs. insecure equivalents).


    Protocol Comparison Table


    | Insecure Protocol | Secure Replacement | Port (Insecure) | Port (Secure) | Protection |

    |---|---|---|---|---|

    | HTTP | HTTPS | 80 | 443 | TLS encryption |

    | Telnet | SSH | 23 | 22 | Full session encryption |

    | FTP | SFTP or FTPS | 21 | 22 (SFTP) / 990 (FTPS) | Encrypted transfer |

    | SNMP v1/v2c | SNMPv3 | 161 | 161 | Auth + encryption |

    | DNS | DNSSEC | 53 | 53 | Cryptographic record signing |

    | LDAP | LDAPS | 389 | 636 | TLS-encrypted directory queries |


    TLS (Transport Layer Security)


  • • Provides encryption, integrity, and authentication
  • • Operates between Layers 4–7 (commonly described as Session layer, Layer 5)
  • • Secures: HTTPS, SMTPS, LDAPS, IMAPS, and more
  • TLS 1.2 and 1.3 are current standards; TLS 1.0/1.1 and SSL are deprecated and insecure

    • Key Protocol Details


  • SFTP: Uses SSH (port 22) as its transport — not the same as FTPS (which uses SSL/TLS)
  • DNSSEC: Adds cryptographic signatures to DNS records; prevents DNS spoofing and cache poisoning; does not encrypt DNS queries (see DNS over HTTPS/DoH for that)
  • SNMPv3: Adds authentication (MD5/SHA) and encryption (DES/AES); v1 and v2c use community strings in cleartext

    • Key Terms

  • Certificate Authority (CA): Issues digital certificates used in TLS for server authentication
  • Forward Secrecy (Perfect Forward Secrecy): Session keys are not compromised even if long-term private key is exposed
  • Port 443: Universal identifier for HTTPS; know this cold for the exam

    • Watch Out For

    > ⚠️ SFTP ≠ FTPS: SFTP runs over SSH (port 22). FTPS is FTP with TLS (port 990/21). They are completely different protocols — the exam will try to confuse you.

    >

    > ⚠️ DNSSEC signs records but doesn't encrypt queries: It prevents tampering with DNS responses, but DNS queries are still visible. DNS over HTTPS (DoH) provides privacy.

    >

    > ⚠️ TLS ≠ SSL: SSL is deprecated and broken. Always refer to TLS as the current standard. Never recommend SSL on the exam.


    ---


    VPN & Remote Access


    Summary

    VPNs create encrypted tunnels for secure remote communication. Security+ tests your knowledge of VPN types, tunneling protocols, and the security trade-offs of each approach.


    VPN Types


    | Type | Use Case | Key Characteristic |

    |------|----------|--------------------|

    | Site-to-Site VPN | Permanent tunnel between offices/networks | Always-on, gateway-to-gateway |

    | Remote-Access VPN | Individual users connecting from anywhere | User-initiated, client software required |

    | Always-On VPN | Corporate devices outside trusted network | Auto-connects when off-network; no user action needed |


    Tunneling Trade-offs: Full vs. Split Tunnel


  • Full Tunnel: All traffic routes through the corporate VPN gateway

    • - ✅ Maximum visibility and control for the organization

    - ❌ Higher bandwidth consumption; can slow user experience

  • Split Tunnel: Only corporate-destined traffic goes through the VPN

    • - ✅ Better performance; reduces VPN bandwidth load

    - ❌ Internet traffic is unmonitored; potential security gap


    VPN Protocols & Ports


  • IPsec:

    • - UDP port 500 – IKE (Internet Key Exchange) for key negotiation

    - UDP port 4500 – NAT traversal (IKE NAT-T)

    - Commonly paired with L2TP (L2TP/IPsec) for remote access

  • SSL/TLS VPN (OpenVPN, Cisco AnyConnect): Operates over TCP port 443; easier to traverse firewalls
  • WireGuard: Modern, lightweight VPN protocol using UDP; known for speed and simplicity

    • Key Terms

  • IKE (Internet Key Exchange): Protocol used by IPsec to negotiate encryption keys and security associations
  • Tunnel Mode vs. Transport Mode: IPsec tunnel mode encrypts the entire packet (used for site-to-site); transport mode encrypts only the payload (used for host-to-host)
  • VPN Concentrator: Dedicated hardware/software device that manages multiple VPN connections

    • Watch Out For

    > ⚠️ Split tunneling is a security risk: An exam scenario about unmonitored internet traffic or a user bypassing corporate controls points toward split tunneling as the problem.

    >

    > ⚠️ L2TP alone is NOT secure: L2TP provides tunneling but no encryption. It must be paired with IPsec (L2TP/IPsec) for security.

    >

    > ⚠️ Always-on VPN benefits: Questions about ensuring consistent security policy enforcement for mobile/remote workers point to always-on VPN as the answer.


    ---


    Wireless Security


    Summary

    Wireless security requires understanding the evolution of Wi-Fi security protocols and recognizing common wireless attacks. Security+ expects you to rank protocols by security strength and understand specific attack mechanisms.


    Wireless Security Protocol Evolution


    | Protocol | Security | Key Weakness |

    |----------|----------|--------------|

    | WEP | ❌ Broken | Short 24-bit IVs repeat; static keys; crackable in minutes |

    | WPA (TKIP) | ⚠️ Weak | Improved on WEP but still uses RC4; deprecated |

    | WPA2 (AES/CCMP) | ✅ Good | PSK vulnerable to offline dictionary attacks |

    | WPA3 (SAE) | ✅✅ Strong | Forward secrecy; resistant to offline dictionary attacks |


    WPA2-Personal vs. WPA2-Enterprise


    | Feature | WPA2-Personal | WPA2-Enterprise |

    |---------|---------------|-----------------|

    | Authentication | Pre-Shared Key (PSK) | 802.1X + RADIUS server |

    | Per-user credentials | ❌ No | ✅ Yes |

    | Accountability | Limited | Full (individual user tracking) |

    | Best for | Home/small office | Corporate environments |


    WPA3 – SAE (Simultaneous Authentication of Equals)


  • • Replaces the WPA2 PSK handshake
  • • Provides forward secrecy: even if the password is later discovered, past sessions cannot be decrypted
  • Dragonfly handshake — resistant to offline dictionary attacks even if the 4-way handshake is captured

    • Common Wireless Attacks


  • Evil Twin Attack: Rogue AP mimics a legitimate SSID to trick users into connecting; enables MITM interception
  • Deauthentication/Disassociation Attack: Attacker sends spoofed 802.11 deauth frames to forcibly disconnect clients; enables DoS and handshake capture for offline cracking
  • WEP IV Attack: Collecting enough packets to statistically recover the WEP key (tools: Aircrack-ng)
  • WPS PIN Attack: WPS (Wi-Fi Protected Setup) PIN brute force; mitigation: disable WPS

    • Key Terms

  • SSID (Service Set Identifier): Network name broadcast by an access point
  • 802.1X: Port-based Network Access Control standard used in WPA2/WPA3-Enterprise
  • RADIUS: Remote Authentication Dial-In User Service — centralized authentication server used in Enterprise wireless
  • IV (Initialization Vector): Random value used with encryption keys; weak/short IVs (as in WEP) lead to key recovery

    • Watch Out For

    > ⚠️ WEP is always wrong: Any exam scenario asking for a secure wireless recommendation — WEP is never the answer. If it appears in a scenario, it's the problem to fix.

    >

    > ⚠️ Evil Twin ≠ Rogue AP: A rogue AP is any unauthorized AP. An Evil Twin specifically mimics a legitimate SSID to deceive users — the distinction matters for scenario questions.

    >

    > ⚠️ Deauth attacks enable handshake capture: The goal isn't just disconnection — it forces a reconnection event that exposes the 4-way handshake for offline cracking.


    ---


    Network Attacks & Countermeasures


    Summary

    Security+ tests both attack recognition and appropriate countermeasure selection. For every attack, know the mechanism, the protocol or technology exploited, and the specific defense.


    Attack & Countermeasure Pairs


    | Attack | Mechanism | Countermeasure |

    |--------|-----------|----------------|

    | ARP Spoofing/Poisoning | Forged ARP replies link attacker MAC to legitimate IP; enables MITM | Dynamic ARP Inspection (DAI) |

    | DNS Spoofing/Cache Poisoning | Injects false DNS records to redirect traffic | DNSSEC, DNS sinkhole |

    | Rogue DHCP Server | Attacker's DHCP server assigns malicious gateway/DNS | DHCP Snooping |

    | DDoS Amplification | Small spoofed requests generate large responses overwhelming victim | Rate limiting, BCP38 filtering, upstream scrubbing |

    | MITM (Man-in-the-Middle) | Attacker intercepts communication between two parties | Encryption (TLS), certificate pinning, DAI |


    Defense Technologies


    #### DNS Sinkhole

  • • Redirects DNS queries for known malicious domains to a controlled, non-routable IP
  • • Blocks malware from communicating with Command and Control (C2) servers
  • • Bonus benefit: identifies infected hosts by logging which systems attempted the query

    • #### Dynamic ARP Inspection (DAI)

  • • Operates on managed switches
  • • Validates ARP packets against the DHCP snooping binding table (trusted IP-to-MAC mappings)
  • • Drops ARP responses that don't match known bindings
  • Dependency: Requires DHCP snooping to be configured first

    • #### DHCP Snooping

  • • Designates switch ports as trusted (connected to legitimate DHCP servers) or untrusted (client ports)
  • • Blocks DHCP server responses from untrusted ports, preventing rogue DHCP servers
  • Building block for DAI and IP Source Guard

    • #### Honeypot

  • • A decoy system intentionally configured to attract attackers
  • • Provides threat intelligence about attacker techniques and tools
  • • Generates very low false positive rates — any interaction is inherently suspicious
  • Honeynet: A network of multiple honeypots

    • DDoS Amplification Details


  • • Attacker spoofs victim's IP address as the
    • 📝

    Take a Practice Test

    Test yourself with multiple choice questions
    📇

    Study with Flashcards

    Flip through all 33 cards

    Want more study tools?

    Subscribe for $7.99/mo and turn your own notes into personalized flashcards and study guides.

    View Pricing