Domaine 4 · 13% Exam weight

Communication and Network Security

Domain 4 covers designing, securing and operating networks: the OSI and TCP/IP layered models, encapsulation, IP addressing, secure protocols (TLS, IPsec, SSH), filtering devices (firewalls, IDS/IPS, NAC), modern architectures (Zero Trust, SDN, SD-WAN, CDN), wireless and cellular networks, voice and converged networks, plus network attacks and their countermeasures. It is 13% of the exam.

(ISC)² CBK Objectives

The 3 official learning areas of Domain 4. Click an objective for detail.

Objective A

Assess and implement secure design principles in network architectures

Diagramme — Assess and implement secure design principles in network architectures

OSI (7 layers) and TCP/IP (4 layers) models. Segmentation (VLAN, subnet, microsegmentation). Network defense in depth: perimeter, DMZ, internal, host hardening. Zero Trust Network Access (ZTNA): no trust by default.

Key points

  • OSI mnemonic: All People Seem To Need Data Processing
  • Segmentation limits lateral movement
  • Zero Trust = verify always, assume breach
Objective B

Secure network components

Diagramme — Secure network components

Components: routers, switches (VLAN, port security), firewalls (packet, stateful, NGFW), IDS/IPS (signature, heuristic), proxies, load balancers, WAF. Each must be hardened (disable unused services, patch, strong auth) and monitored.

Key points

  • NGFW = DPI + IPS + app control
  • IDS passive, IPS active - pick by risk
  • WAF in front of public web apps
Objective C

Implement secure communication channels

Diagramme — Implement secure communication channels

Secure protocols: TLS 1.3 (web), IPsec (site-to-site, tunnel), SSH (admin), WPA3 (wifi), DNSSEC (DNS integrity), DKIM/SPF/DMARC (email). Voice/Video: SRTP. Messaging: Signal Protocol. End-to-end encryption when sensitive.

Key points

  • IPsec: AH (integrity) + ESP (encryption), Tunnel/Transport modes
  • WPA3 resists dictionary attacks (SAE)
  • TLS 1.3: 1-RTT handshake, mandatory forward secrecy

Key concepts

OSI model - 7 layers

L1 Physical (bits), L2 Data Link (frames, MAC), L3 Network (packets, IP), L4 Transport (segments, TCP/UDP), L5 Session, L6 Presentation (encryption/format), L7 Application. ISO reference model to decompose and troubleshoot communications. Bottom-up mnemonic: "All People Seem To Need Data Processing".

TCP/IP model - 4 layers

Network Access (≈ OSI L1-L2), Internet (≈ L3, IP/ICMP), Transport (≈ L4, TCP/UDP), Application (≈ L5-L7). The actual Internet model, more compact than OSI. Mapping OSI onto TCP/IP is a classic exam item.

Encapsulation and PDUs

Each layer adds its header (and sometimes trailer) to the data from the layer above: data → segment (L4) → packet (L3) → frame (L2) → bits (L1). On receipt, de-encapsulation runs in reverse. Security note: fragmentation and tunnelling abuse these boundaries.

Topologies, media and CSMA

Topologies: bus, star (dominant), ring, mesh. Media: copper (UTP/STP, EMI-prone), coax, fibre (EMI-immune, long reach). Media access: CSMA/CD (wired Ethernet, collision detection) vs CSMA/CA (Wi-Fi, collision avoidance).

IP addressing, subnetting and NAT

IPv4 = 32 bits (classes A/B/C, CIDR, masks). RFC 1918 private: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. IPv6 = 128 bits. NAT maps private↔public (PAT = port overload). APIPA 169.254.x.x when DHCP fails.

Routing and protocols

The router (L3) separates broadcast domains and forwards between networks. Protocols: RIP (distance-vector, legacy), OSPF (link-state, interior), BGP (path-vector, between Internet AS). Attacks: defensive route poisoning vs malicious route injection, BGP hijacking.

TCP, UDP and ports

TCP = connection-oriented, reliable, ordered (3-way handshake). UDP = connectionless, fast, best-effort (DNS, VoIP, streaming). Well-known ports 0-1023, registered 1024-49151, dynamic 49152-65535. Key: 22 SSH, 25 SMTP, 53 DNS, 80 HTTP, 443 HTTPS, 389 LDAP, 636 LDAPS.

TCP 3-way handshake

SYN → SYN/ACK → ACK to establish the session; FIN/ACK to close it gracefully. Exploited by the SYN Flood (half-open connections left pending, exhausting the connection table); mitigation: SYN cookies.

DHCP, DNS and DNSSEC

DHCP dynamically assigns IPs (UDP 67/68); threatened by rogue DHCP/DHCP starvation. DNS resolves name↔IP (53). DNSSEC signs records (integrity/authenticity) but does not encrypt. Attacks: DNS spoofing, cache poisoning, DNS tunnelling (exfiltration).

Secure management protocols

SSH (22) replaces Telnet/rlogin. SNMPv3 (device management) adds auth + encryption missing in v1/v2c. LDAP (389) / LDAPS (636) for directory. Kerberos (88) for ticket-based network authentication (KDC, TGT).

TLS / SSL

TLS encrypts the session above TCP (HTTPS, SMTPS, FTPS). Handshake: cipher negotiation, key exchange, X.509 certificate authentication, symmetric session key. SSLv2/v3 and TLS 1.0/1.1 are deprecated; target TLS 1.2/1.3.

IPsec - AH, ESP, modes

IPsec secures IP (L3). AH = integrity/authentication, no confidentiality. ESP = encryption + integrity. IKE negotiates SAs and keys. Transport mode: only the payload is protected (host-to-host). Tunnel mode: the entire IP packet is encapsulated (gateway-to-gateway, site-to-site VPN).

VPN - PPTP / L2TP / IPsec / SSL-VPN

PPTP (L2, obsolete, weak). L2TP (L2, no encryption alone - paired with IPsec). IPsec (L3, robust, site-to-site). SSL/TLS VPN (application portal, clientless remote access). Choose by layer and use case.

Firewalls, IDS/IPS, WAF, NAC

Firewalls: 1) packet filter, 2) application/proxy, 3) stateful, 4) dynamic/DMZ, 5) kernel proxy, NGFW (DPI + IPS + identity). IDS = detect and alert (passive); IPS = detect and block (inline). WAF filters HTTP (L7, OWASP). NAC controls endpoint admission (posture, 802.1X).

SDN, SD-WAN, CDN, Zero Trust, DMZ

SDN separates control plane from data plane (programmable). SD-WAN orchestrates multiple WAN links by policy. CDN distributes content at the edge (latency, anti-DDoS). Zero Trust = "never trust, always verify", micro-segmentation, continuous verification (NIST SP 800-207). DMZ = buffer zone between the Internet and the LAN.

Wi-Fi, Bluetooth, RFID/NFC, cellular

Wi-Fi: WEP (RC4, broken) < WPA (TKIP) < WPA2 (AES-CCMP) < WPA3 (SAE, anti-bruteforce). Enterprise = 802.1X + EAP + RADIUS. Bluetooth: bluejacking/bluesnarfing. RFID/NFC: short range, eavesdrop/cloning. Zigbee: low-power IoT. Cellular 4G/5G: SIM, over-the-air encryption.

VoIP and converged networks

VoIP: SIP (signalling), RTP (media), SRTP (encrypted media). Threats: vishing, SPIT, RTP eavesdropping. Converged networks (data + storage): FCoE and iSCSI (SAN over IP), MPLS (label switching, carrier WAN). Isolate voice in a dedicated VLAN.

AAA and Root of Trust

AAA = Authentication, Authorization, Accounting. RADIUS (UDP, encrypts only the password, mixes authn/authz). TACACS+ (TCP, encrypts the whole payload, separates AAA - Cisco/network gear). Diameter = RADIUS successor (mobile). RoT/TPM anchors trust in hardware (keys, attestation, measured boot).

Network attacks

MITM, ARP poisoning/spoofing, DNS spoofing, session hijacking, replay. DoS/DDoS: SYN flood, Smurf (ICMP amplified via broadcast, spoofs the victim), Fraggle (same in UDP echo/chargen), Ping of Death, Teardrop (fragments). VLAN hopping, MAC flooding, eavesdropping. Mitigations: segmentation, encryption, anti-spoofing, rate limiting.

Frameworks & standards

FrameworkRole
Modèle OSI (ISO/IEC 7498-1) 7-layer reference model to decompose and troubleshoot communications.
Modèle TCP/IP (DoD) 4-layer model actually implemented on the Internet.
NIST SP 800-207 (Zero Trust) Zero Trust Architecture: continuous verification, micro-segmentation, least trust.
Cyber Kill Chain (Lockheed Martin) 7 intrusion stages: reconnaissance → weaponization → delivery → exploitation → installation → C2 → actions.
IEEE 802.x LAN/WLAN standards family: 802.3 (Ethernet), 802.11 (Wi-Fi), 802.1X (NAC), 802.1Q (VLAN).
NIST SP 800-41 (Firewalls) Firewall design and policy guidelines.
DOCSIS Data-over-cable transmission standard (cable modems).

Acronyms

AcronymMeaning
OSI Open Systems Interconnection
ARP Address Resolution Protocol (IP→MAC)
ICMP Internet Control Message Protocol (ping, errors)
IGMP Internet Group Management Protocol (multicast)
DHCP Dynamic Host Configuration Protocol
DNS Domain Name System (name↔IP)
DNSSEC DNS Security Extensions (signs, does not encrypt)
NAT Network Address Translation
PAT Port Address Translation (overloaded NAT)
MPLS Multiprotocol Label Switching
FCoE Fibre Channel over Ethernet (SAN)
iSCSI Internet Small Computer Systems Interface (SAN over IP)
SIP Session Initiation Protocol (VoIP signalling)
RTP Real-time Transport Protocol (media)
SRTP Secure Real-time Transport Protocol (encrypted media)
EAP Extensible Authentication Protocol
WPA Wi-Fi Protected Access
SAE Simultaneous Authentication of Equals (WPA3)
TACACS+ Terminal Access Controller Access-Control System Plus
RADIUS Remote Authentication Dial-In User Service
Diameter RADIUS successor (mobile AAA)
AAA Authentication, Authorization, Accounting
SDN Software-Defined Networking
SD-WAN Software-Defined Wide Area Network
NFV Network Functions Virtualization
CDN Content Delivery Network
VPC Virtual Private Cloud
NAC Network Access Control
WAF Web Application Firewall
RoT Root of Trust (hardware trust anchor)
TPM Trusted Platform Module
MITM Man-in-the-Middle
DDoS Distributed Denial of Service
VLAN Virtual Local Area Network
IPsec Internet Protocol Security
AH Authentication Header (integrity only)
ESP Encapsulating Security Payload (encryption)
IKE Internet Key Exchange
SSH Secure Shell (replaces Telnet)
TLS Transport Layer Security
LDAP Lightweight Directory Access Protocol
SNMP Simple Network Management Protocol (v3 secure)
BGP Border Gateway Protocol (between AS)
OSPF Open Shortest Path First (link-state)
RIP Routing Information Protocol (distance-vector)
DMZ Demilitarized Zone (buffer zone)
NGFW Next-Generation Firewall
802.1X Port-based network authentication (NAC)
CSMA/CD Carrier Sense Multiple Access / Collision Detection
CSMA/CA Carrier Sense Multiple Access / Collision Avoidance
APIPA Automatic Private IP Addressing (169.254.x.x)

Mnemonics

Memo · OSI montant

OSI L1→L7: "All People Seem To Need Data Processing" (Physical, Data Link, Network, Transport, Session, Presentation, Application).

Memo · OSI descendant

OSI L7→L1: "All People Seem To Need Data Processing" read backwards, or "Please Do Not Throw Sausage Pizza Away".

Memo · IPsec AH/ESP

AH = integrity only (no confidentiality). ESP = encrypts AND protects. Tip: ESP has an E for "Encrypt".

Memo · IPsec modes

Transport = protects the payload (host-to-host, IP header visible). Tunnel = encapsulates the whole packet (gateway-to-gateway, site-to-site VPN).

Memo · Wi-Fi

Wireless, worst to best: WEP (broken) < WPA (TKIP) < WPA2 (AES-CCMP) < WPA3 (SAE).

Memo · Ports clés

22 SSH · 25 SMTP · 53 DNS · 80 HTTP · 88 Kerberos · 389 LDAP · 443 HTTPS · 636 LDAPS · 3389 RDP.

Memo · RADIUS vs TACACS+

RADIUS: UDP, encrypts only the password, blends AAA. TACACS+: TCP, encrypts everything, separates AAA. "TACACS+ = Total + TCP".

Memo · Firewall générations

Firewall: 1-packet filter → 2-proxy → 3-stateful → 4-dynamic/DMZ → 5-kernel proxy → NGFW (DPI + IPS).

Memo · PDU par couche

The protocol data unit (PDU) renames as you go down: Data (L5-L7) → Segment (L4 TCP) / Datagram (L4 UDP) → Packet (L3) → Frame (L2) → Bits (L1). "Do Sergeants Pay For Beer" (Data, Segment, Packet, Frame, Bits).

Memo · Three-way handshake

TCP open in 3 steps: SYN → SYN/ACK → ACK. Graceful close in 4 steps: FIN → ACK → FIN → ACK. "Client knocks (SYN), server answers (SYN/ACK), client confirms (ACK)".

Memo · Classes IP & hôtes

Classes: A = /8 (1-126), B = /16 (128-191), C = /24 (192-223), D = multicast (224-239), E = experimental (240-255). Usable hosts = 2^h − 2 (drop the network + broadcast addresses).

Memo · Zero Trust

Zero Trust mantra (NIST SP 800-207): "never trust, always verify". The perimeter dissolves: identity, posture and context are checked on every access, via micro-segmentation.

Formulas

Remember

Hôtes par sous-réseau = 2^h − 2

h = host bits. Subtract the network address and the broadcast address (hence −2).

Remember

Sous-réseaux = 2^s

s = bits borrowed from the mask for subnetting.

Remember

Espace IPv4 = 2^32 ≈ 4,29 milliards

32-bit address; exhaustion drove NAT and IPv6 adoption.

Remember

Espace IPv6 = 2^128

128 bits; about 3.4 × 10^38 addresses, removing the need for NAT.

Remember

Ports TCP/UDP : 0-1023 / 1024-49151 / 49152-65535

Well-known / registered / dynamic (ephemeral). 16 bits → 65,536 ports.

Exam pitfalls

Pitfall

AH does not encrypt

AH provides integrity and authentication but no confidentiality. To encrypt you need ESP. The exam often contrasts AH (integrity) with ESP (encryption).

Pitfall

Multicast vs broadcast vs unicast

Unicast = one-to-one. Multicast = one-to-group (IGMP). Broadcast = one-to-all (limited to the broadcast domain). Routers block broadcast, hence domain separation.

Pitfall

Smurf vs Fraggle

Smurf = ICMP (echo) amplification via broadcast, spoofed source = victim. Fraggle = same idea over UDP (echo/chargen). Confusing the protocol is a classic trap.

Pitfall

IDS detects, IPS blocks

IDS = passive (out-of-band, alerts). IPS = inline (can drop traffic). A mistuned IPS causes blocking false positives; an IDS alone never stops an attack.

Pitfall

TACACS+ vs RADIUS

RADIUS: UDP, encrypts only the password, combines authn/authz. TACACS+: TCP, encrypts the whole payload, separates A/A/A. Don't swap the transport protocol.

Pitfall

WEP and WPA(1) are broken

WEP (RC4, weak IVs) is trivially broken; WPA/TKIP too. Minimum acceptable: WPA2-AES; prefer WPA3 (SAE) against offline bruteforce.

Pitfall

Route poisoning is not an attack

Route poisoning is a defensive routing-protocol mechanism (advertise an unreachable route with infinite metric to avoid loops). Don't confuse it with malicious route injection.

Pitfall

PPTP and L2TP are layer 2

PPTP and L2TP operate at layer 2; IPsec at layer 3. L2TP alone does not encrypt: use L2TP/IPsec. PPTP is obsolete (weak MPPE encryption).

Pitfall

DNSSEC signs but does not encrypt

DNSSEC guarantees integrity and authenticity of DNS answers (signatures), not confidentiality. To encrypt queries: DoH (DNS over HTTPS) or DoT (DNS over TLS).

Pitfall

Switch (L2) vs Router (L3)

The switch creates collision domains and VLANs (L2) but forwards broadcast. The router separates broadcast domains (L3). MAC flooding targets the switch, not the router.

Pitfall

SNMP v1/v2c vs v3

SNMP v1/v2c sends the community string in clear (often "public"/"private"). Only SNMPv3 adds authentication and encryption. The exam favours v3.

Pitfall

TCP reliable, UDP fast

TCP guarantees delivery and ordering (handshake, retransmission); UDP does not. Voice, video and DNS use UDP for latency. Confusing their properties is a trap.

Real-world cases

Case · Teaching scenario

Dual-firewall DMZ fronting a web server

Internet → external firewall → DMZ (web/reverse-proxy) → internal firewall → LAN. The exposed server lives in the DMZ: if compromised, the attacker cannot directly reach the LAN. Golden rule: no inbound Internet→LAN flow transits without passing through the DMZ.

Case · Real-inspired scenario

Choosing IPsec Tunnel for a site-to-site VPN

Two branch offices to connect over the Internet. Deploy IPsec in Tunnel mode between the two gateways: ESP encrypts the entire inner IP packet, IKE negotiates keys. Endpoints need no configuration. Transport mode would have been for host-to-host, not gateway-to-gateway.

Case · Teaching scenario

Containing a SYN Flood attack

A web server slows down: its connection table is flooded with half-open connections (SYNs received, ACKs never arriving). Diagnosis: SYN Flood (L4 DoS). Mitigations: SYN cookies, lower half-open timeout, upstream rate limiting and anti-spoofing filtering, even a CDN/anti-DDoS service.

Case · Teaching scenario

Enterprise Wi-Fi with 802.1X

A company wants to avoid a shared Wi-Fi key (PSK) that is hard to revoke. Solution: WPA2/WPA3-Enterprise = 802.1X + EAP + RADIUS server. Each user authenticates with credentials or a certificate; revoke one account without changing the global key.

10-second recap

10-second recap

  • OSI 7 layers (mnemonic APSTNDP), TCP/IP 4 layers; encapsulation at each layer.
  • TCP handshake: SYN / SYN-ACK / ACK; UDP connectionless for DNS/VoIP.
  • IPsec: AH = integrity, ESP = encryption; Transport (payload) vs Tunnel (whole packet).
  • Modern VPN: IPsec (site-to-site) or SSL/TLS VPN (remote access); PPTP/L2TP at L2.
  • Wi-Fi: minimum WPA2-AES, prefer WPA3 (SAE); Enterprise = 802.1X + EAP + RADIUS.
  • Firewalls up to NGFW; IDS detects, IPS blocks; NAC controls admission.
  • AAA: RADIUS (UDP, password only) vs TACACS+ (TCP, all encrypted, AAA separated).
  • Zero Trust (SP 800-207): never trust, always verify, micro-segmentation.
  • Attacks: Smurf (ICMP) vs Fraggle (UDP), SYN flood, ARP/DNS spoofing, MITM.

Domain quiz

Three levels available. Pick one based on the time you have.

🔒 Sign-up required for quizzes

Exam-style quizzes are members-only (free). Sign in with a magic link or a passkey to practise and save your scores.