(ISC)² CBK Objectives
The 3 official learning areas of Domain 4. Click an objective for detail.
Assess and implement secure design principles in network architectures
OSI (7 layers) and TCP/IP (4 layers) models. Segmentation (VLAN, subnet, microsegmentation). Network defense in depth: perimeter, DMZ, internal, host hardening. Zero Trust Network Access (ZTNA): no trust by default.
Key points
- OSI mnemonic: All People Seem To Need Data Processing
- Segmentation limits lateral movement
- Zero Trust = verify always, assume breach
Secure network components
Components: routers, switches (VLAN, port security), firewalls (packet, stateful, NGFW), IDS/IPS (signature, heuristic), proxies, load balancers, WAF. Each must be hardened (disable unused services, patch, strong auth) and monitored.
Key points
- NGFW = DPI + IPS + app control
- IDS passive, IPS active - pick by risk
- WAF in front of public web apps
Implement secure communication channels
Secure protocols: TLS 1.3 (web), IPsec (site-to-site, tunnel), SSH (admin), WPA3 (wifi), DNSSEC (DNS integrity), DKIM/SPF/DMARC (email). Voice/Video: SRTP. Messaging: Signal Protocol. End-to-end encryption when sensitive.
Key points
- IPsec: AH (integrity) + ESP (encryption), Tunnel/Transport modes
- WPA3 resists dictionary attacks (SAE)
- TLS 1.3: 1-RTT handshake, mandatory forward secrecy
Key concepts
OSI model - 7 layers
L1 Physical (bits), L2 Data Link (frames, MAC), L3 Network (packets, IP), L4 Transport (segments, TCP/UDP), L5 Session, L6 Presentation (encryption/format), L7 Application. ISO reference model to decompose and troubleshoot communications. Bottom-up mnemonic: "All People Seem To Need Data Processing".
TCP/IP model - 4 layers
Network Access (≈ OSI L1-L2), Internet (≈ L3, IP/ICMP), Transport (≈ L4, TCP/UDP), Application (≈ L5-L7). The actual Internet model, more compact than OSI. Mapping OSI onto TCP/IP is a classic exam item.
Encapsulation and PDUs
Each layer adds its header (and sometimes trailer) to the data from the layer above: data → segment (L4) → packet (L3) → frame (L2) → bits (L1). On receipt, de-encapsulation runs in reverse. Security note: fragmentation and tunnelling abuse these boundaries.
Topologies, media and CSMA
Topologies: bus, star (dominant), ring, mesh. Media: copper (UTP/STP, EMI-prone), coax, fibre (EMI-immune, long reach). Media access: CSMA/CD (wired Ethernet, collision detection) vs CSMA/CA (Wi-Fi, collision avoidance).
IP addressing, subnetting and NAT
IPv4 = 32 bits (classes A/B/C, CIDR, masks). RFC 1918 private: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. IPv6 = 128 bits. NAT maps private↔public (PAT = port overload). APIPA 169.254.x.x when DHCP fails.
Routing and protocols
The router (L3) separates broadcast domains and forwards between networks. Protocols: RIP (distance-vector, legacy), OSPF (link-state, interior), BGP (path-vector, between Internet AS). Attacks: defensive route poisoning vs malicious route injection, BGP hijacking.
TCP, UDP and ports
TCP = connection-oriented, reliable, ordered (3-way handshake). UDP = connectionless, fast, best-effort (DNS, VoIP, streaming). Well-known ports 0-1023, registered 1024-49151, dynamic 49152-65535. Key: 22 SSH, 25 SMTP, 53 DNS, 80 HTTP, 443 HTTPS, 389 LDAP, 636 LDAPS.
TCP 3-way handshake
SYN → SYN/ACK → ACK to establish the session; FIN/ACK to close it gracefully. Exploited by the SYN Flood (half-open connections left pending, exhausting the connection table); mitigation: SYN cookies.
DHCP, DNS and DNSSEC
DHCP dynamically assigns IPs (UDP 67/68); threatened by rogue DHCP/DHCP starvation. DNS resolves name↔IP (53). DNSSEC signs records (integrity/authenticity) but does not encrypt. Attacks: DNS spoofing, cache poisoning, DNS tunnelling (exfiltration).
Secure management protocols
SSH (22) replaces Telnet/rlogin. SNMPv3 (device management) adds auth + encryption missing in v1/v2c. LDAP (389) / LDAPS (636) for directory. Kerberos (88) for ticket-based network authentication (KDC, TGT).
TLS / SSL
TLS encrypts the session above TCP (HTTPS, SMTPS, FTPS). Handshake: cipher negotiation, key exchange, X.509 certificate authentication, symmetric session key. SSLv2/v3 and TLS 1.0/1.1 are deprecated; target TLS 1.2/1.3.
IPsec - AH, ESP, modes
IPsec secures IP (L3). AH = integrity/authentication, no confidentiality. ESP = encryption + integrity. IKE negotiates SAs and keys. Transport mode: only the payload is protected (host-to-host). Tunnel mode: the entire IP packet is encapsulated (gateway-to-gateway, site-to-site VPN).
VPN - PPTP / L2TP / IPsec / SSL-VPN
PPTP (L2, obsolete, weak). L2TP (L2, no encryption alone - paired with IPsec). IPsec (L3, robust, site-to-site). SSL/TLS VPN (application portal, clientless remote access). Choose by layer and use case.
Firewalls, IDS/IPS, WAF, NAC
Firewalls: 1) packet filter, 2) application/proxy, 3) stateful, 4) dynamic/DMZ, 5) kernel proxy, NGFW (DPI + IPS + identity). IDS = detect and alert (passive); IPS = detect and block (inline). WAF filters HTTP (L7, OWASP). NAC controls endpoint admission (posture, 802.1X).
SDN, SD-WAN, CDN, Zero Trust, DMZ
SDN separates control plane from data plane (programmable). SD-WAN orchestrates multiple WAN links by policy. CDN distributes content at the edge (latency, anti-DDoS). Zero Trust = "never trust, always verify", micro-segmentation, continuous verification (NIST SP 800-207). DMZ = buffer zone between the Internet and the LAN.
Wi-Fi, Bluetooth, RFID/NFC, cellular
Wi-Fi: WEP (RC4, broken) < WPA (TKIP) < WPA2 (AES-CCMP) < WPA3 (SAE, anti-bruteforce). Enterprise = 802.1X + EAP + RADIUS. Bluetooth: bluejacking/bluesnarfing. RFID/NFC: short range, eavesdrop/cloning. Zigbee: low-power IoT. Cellular 4G/5G: SIM, over-the-air encryption.
VoIP and converged networks
VoIP: SIP (signalling), RTP (media), SRTP (encrypted media). Threats: vishing, SPIT, RTP eavesdropping. Converged networks (data + storage): FCoE and iSCSI (SAN over IP), MPLS (label switching, carrier WAN). Isolate voice in a dedicated VLAN.
AAA and Root of Trust
AAA = Authentication, Authorization, Accounting. RADIUS (UDP, encrypts only the password, mixes authn/authz). TACACS+ (TCP, encrypts the whole payload, separates AAA - Cisco/network gear). Diameter = RADIUS successor (mobile). RoT/TPM anchors trust in hardware (keys, attestation, measured boot).
Network attacks
MITM, ARP poisoning/spoofing, DNS spoofing, session hijacking, replay. DoS/DDoS: SYN flood, Smurf (ICMP amplified via broadcast, spoofs the victim), Fraggle (same in UDP echo/chargen), Ping of Death, Teardrop (fragments). VLAN hopping, MAC flooding, eavesdropping. Mitigations: segmentation, encryption, anti-spoofing, rate limiting.
Frameworks & standards
| Framework | Role |
|---|---|
| Modèle OSI (ISO/IEC 7498-1) | 7-layer reference model to decompose and troubleshoot communications. |
| Modèle TCP/IP (DoD) | 4-layer model actually implemented on the Internet. |
| NIST SP 800-207 (Zero Trust) | Zero Trust Architecture: continuous verification, micro-segmentation, least trust. |
| Cyber Kill Chain (Lockheed Martin) | 7 intrusion stages: reconnaissance → weaponization → delivery → exploitation → installation → C2 → actions. |
| IEEE 802.x | LAN/WLAN standards family: 802.3 (Ethernet), 802.11 (Wi-Fi), 802.1X (NAC), 802.1Q (VLAN). |
| NIST SP 800-41 (Firewalls) | Firewall design and policy guidelines. |
| DOCSIS | Data-over-cable transmission standard (cable modems). |
Acronyms
| Acronym | Meaning |
|---|---|
| OSI | Open Systems Interconnection |
| ARP | Address Resolution Protocol (IP→MAC) |
| ICMP | Internet Control Message Protocol (ping, errors) |
| IGMP | Internet Group Management Protocol (multicast) |
| DHCP | Dynamic Host Configuration Protocol |
| DNS | Domain Name System (name↔IP) |
| DNSSEC | DNS Security Extensions (signs, does not encrypt) |
| NAT | Network Address Translation |
| PAT | Port Address Translation (overloaded NAT) |
| MPLS | Multiprotocol Label Switching |
| FCoE | Fibre Channel over Ethernet (SAN) |
| iSCSI | Internet Small Computer Systems Interface (SAN over IP) |
| SIP | Session Initiation Protocol (VoIP signalling) |
| RTP | Real-time Transport Protocol (media) |
| SRTP | Secure Real-time Transport Protocol (encrypted media) |
| EAP | Extensible Authentication Protocol |
| WPA | Wi-Fi Protected Access |
| SAE | Simultaneous Authentication of Equals (WPA3) |
| TACACS+ | Terminal Access Controller Access-Control System Plus |
| RADIUS | Remote Authentication Dial-In User Service |
| Diameter | RADIUS successor (mobile AAA) |
| AAA | Authentication, Authorization, Accounting |
| SDN | Software-Defined Networking |
| SD-WAN | Software-Defined Wide Area Network |
| NFV | Network Functions Virtualization |
| CDN | Content Delivery Network |
| VPC | Virtual Private Cloud |
| NAC | Network Access Control |
| WAF | Web Application Firewall |
| RoT | Root of Trust (hardware trust anchor) |
| TPM | Trusted Platform Module |
| MITM | Man-in-the-Middle |
| DDoS | Distributed Denial of Service |
| VLAN | Virtual Local Area Network |
| IPsec | Internet Protocol Security |
| AH | Authentication Header (integrity only) |
| ESP | Encapsulating Security Payload (encryption) |
| IKE | Internet Key Exchange |
| SSH | Secure Shell (replaces Telnet) |
| TLS | Transport Layer Security |
| LDAP | Lightweight Directory Access Protocol |
| SNMP | Simple Network Management Protocol (v3 secure) |
| BGP | Border Gateway Protocol (between AS) |
| OSPF | Open Shortest Path First (link-state) |
| RIP | Routing Information Protocol (distance-vector) |
| DMZ | Demilitarized Zone (buffer zone) |
| NGFW | Next-Generation Firewall |
| 802.1X | Port-based network authentication (NAC) |
| CSMA/CD | Carrier Sense Multiple Access / Collision Detection |
| CSMA/CA | Carrier Sense Multiple Access / Collision Avoidance |
| APIPA | Automatic Private IP Addressing (169.254.x.x) |
Mnemonics
OSI L1→L7: "All People Seem To Need Data Processing" (Physical, Data Link, Network, Transport, Session, Presentation, Application).
OSI L7→L1: "All People Seem To Need Data Processing" read backwards, or "Please Do Not Throw Sausage Pizza Away".
AH = integrity only (no confidentiality). ESP = encrypts AND protects. Tip: ESP has an E for "Encrypt".
Transport = protects the payload (host-to-host, IP header visible). Tunnel = encapsulates the whole packet (gateway-to-gateway, site-to-site VPN).
Wireless, worst to best: WEP (broken) < WPA (TKIP) < WPA2 (AES-CCMP) < WPA3 (SAE).
22 SSH · 25 SMTP · 53 DNS · 80 HTTP · 88 Kerberos · 389 LDAP · 443 HTTPS · 636 LDAPS · 3389 RDP.
RADIUS: UDP, encrypts only the password, blends AAA. TACACS+: TCP, encrypts everything, separates AAA. "TACACS+ = Total + TCP".
Firewall: 1-packet filter → 2-proxy → 3-stateful → 4-dynamic/DMZ → 5-kernel proxy → NGFW (DPI + IPS).
The protocol data unit (PDU) renames as you go down: Data (L5-L7) → Segment (L4 TCP) / Datagram (L4 UDP) → Packet (L3) → Frame (L2) → Bits (L1). "Do Sergeants Pay For Beer" (Data, Segment, Packet, Frame, Bits).
TCP open in 3 steps: SYN → SYN/ACK → ACK. Graceful close in 4 steps: FIN → ACK → FIN → ACK. "Client knocks (SYN), server answers (SYN/ACK), client confirms (ACK)".
Classes: A = /8 (1-126), B = /16 (128-191), C = /24 (192-223), D = multicast (224-239), E = experimental (240-255). Usable hosts = 2^h − 2 (drop the network + broadcast addresses).
Zero Trust mantra (NIST SP 800-207): "never trust, always verify". The perimeter dissolves: identity, posture and context are checked on every access, via micro-segmentation.
Formulas
Hôtes par sous-réseau = 2^h − 2
h = host bits. Subtract the network address and the broadcast address (hence −2).
Sous-réseaux = 2^s
s = bits borrowed from the mask for subnetting.
Espace IPv4 = 2^32 ≈ 4,29 milliards
32-bit address; exhaustion drove NAT and IPv6 adoption.
Espace IPv6 = 2^128
128 bits; about 3.4 × 10^38 addresses, removing the need for NAT.
Ports TCP/UDP : 0-1023 / 1024-49151 / 49152-65535
Well-known / registered / dynamic (ephemeral). 16 bits → 65,536 ports.
Exam pitfalls
AH does not encrypt
AH provides integrity and authentication but no confidentiality. To encrypt you need ESP. The exam often contrasts AH (integrity) with ESP (encryption).
Multicast vs broadcast vs unicast
Unicast = one-to-one. Multicast = one-to-group (IGMP). Broadcast = one-to-all (limited to the broadcast domain). Routers block broadcast, hence domain separation.
Smurf vs Fraggle
Smurf = ICMP (echo) amplification via broadcast, spoofed source = victim. Fraggle = same idea over UDP (echo/chargen). Confusing the protocol is a classic trap.
IDS detects, IPS blocks
IDS = passive (out-of-band, alerts). IPS = inline (can drop traffic). A mistuned IPS causes blocking false positives; an IDS alone never stops an attack.
TACACS+ vs RADIUS
RADIUS: UDP, encrypts only the password, combines authn/authz. TACACS+: TCP, encrypts the whole payload, separates A/A/A. Don't swap the transport protocol.
WEP and WPA(1) are broken
WEP (RC4, weak IVs) is trivially broken; WPA/TKIP too. Minimum acceptable: WPA2-AES; prefer WPA3 (SAE) against offline bruteforce.
Route poisoning is not an attack
Route poisoning is a defensive routing-protocol mechanism (advertise an unreachable route with infinite metric to avoid loops). Don't confuse it with malicious route injection.
PPTP and L2TP are layer 2
PPTP and L2TP operate at layer 2; IPsec at layer 3. L2TP alone does not encrypt: use L2TP/IPsec. PPTP is obsolete (weak MPPE encryption).
DNSSEC signs but does not encrypt
DNSSEC guarantees integrity and authenticity of DNS answers (signatures), not confidentiality. To encrypt queries: DoH (DNS over HTTPS) or DoT (DNS over TLS).
Switch (L2) vs Router (L3)
The switch creates collision domains and VLANs (L2) but forwards broadcast. The router separates broadcast domains (L3). MAC flooding targets the switch, not the router.
SNMP v1/v2c vs v3
SNMP v1/v2c sends the community string in clear (often "public"/"private"). Only SNMPv3 adds authentication and encryption. The exam favours v3.
TCP reliable, UDP fast
TCP guarantees delivery and ordering (handshake, retransmission); UDP does not. Voice, video and DNS use UDP for latency. Confusing their properties is a trap.
Real-world cases
Dual-firewall DMZ fronting a web server
Internet → external firewall → DMZ (web/reverse-proxy) → internal firewall → LAN. The exposed server lives in the DMZ: if compromised, the attacker cannot directly reach the LAN. Golden rule: no inbound Internet→LAN flow transits without passing through the DMZ.
Choosing IPsec Tunnel for a site-to-site VPN
Two branch offices to connect over the Internet. Deploy IPsec in Tunnel mode between the two gateways: ESP encrypts the entire inner IP packet, IKE negotiates keys. Endpoints need no configuration. Transport mode would have been for host-to-host, not gateway-to-gateway.
Containing a SYN Flood attack
A web server slows down: its connection table is flooded with half-open connections (SYNs received, ACKs never arriving). Diagnosis: SYN Flood (L4 DoS). Mitigations: SYN cookies, lower half-open timeout, upstream rate limiting and anti-spoofing filtering, even a CDN/anti-DDoS service.
Enterprise Wi-Fi with 802.1X
A company wants to avoid a shared Wi-Fi key (PSK) that is hard to revoke. Solution: WPA2/WPA3-Enterprise = 802.1X + EAP + RADIUS server. Each user authenticates with credentials or a certificate; revoke one account without changing the global key.
10-second recap
10-second recap
- OSI 7 layers (mnemonic APSTNDP), TCP/IP 4 layers; encapsulation at each layer.
- TCP handshake: SYN / SYN-ACK / ACK; UDP connectionless for DNS/VoIP.
- IPsec: AH = integrity, ESP = encryption; Transport (payload) vs Tunnel (whole packet).
- Modern VPN: IPsec (site-to-site) or SSL/TLS VPN (remote access); PPTP/L2TP at L2.
- Wi-Fi: minimum WPA2-AES, prefer WPA3 (SAE); Enterprise = 802.1X + EAP + RADIUS.
- Firewalls up to NGFW; IDS detects, IPS blocks; NAC controls admission.
- AAA: RADIUS (UDP, password only) vs TACACS+ (TCP, all encrypted, AAA separated).
- Zero Trust (SP 800-207): never trust, always verify, micro-segmentation.
- Attacks: Smurf (ICMP) vs Fraggle (UDP), SYN flood, ARP/DNS spoofing, MITM.
Domain quiz
Three levels available. Pick one based on the time you have.
🔒 Sign-up required for quizzes
Exam-style quizzes are members-only (free). Sign in with a magic link or a passkey to practise and save your scores.