Network Architecture Builder

Place security appliances into the correct network zones for two enterprise environments, then answer configuration questions about deployment mode, access restrictions, and failure scenarios. Wrong placements reveal the attack vector each misconfiguration enables.

What You’ll Practice

• Mapping security appliances (NGFW, WAF, IPS/IDS, jump server, proxy, load balancer) to the correct network zones based on defense-in-depth principles
• Understanding inline vs. monitor mode for detection and prevention appliances
• Identifying what attack vectors open up when devices are placed in the wrong zone or misconfigured
• Applying network segmentation concepts across DMZ, internal, management, and specialized zones

How the Exam Tests This

Objective 3.2 covers applying security principles to secure enterprise infrastructure. The exam presents network diagrams or deployment scenarios and asks where specific appliances belong, how they should be configured, and what happens when segmentation fails. You need to understand not just what each device does, but where it sits in the architecture and why — “place the IDS” is never the whole question; it’s “place the IDS and configure its mode.”

Scoring

Each scenario has two phases. Phase 1 scores zone placement accuracy — each appliance placed in the correct zone earns 1 point. Phase 2 asks 3-4 configuration questions about the deployed devices. Wrong answers in both phases include the specific attack or failure the misconfiguration enables. Final score combines placement and configuration accuracy across both scenarios.