OBJECTIVE 3.2 Given a scenario (PBQ-likely)

Apply security principles to secure enterprise infrastructure

This is a PBQ objective. Expect to place devices, configure network security, and make infrastructure decisions for a described environment.

Device Placement and Security Zones

Network Zones

  • Internet/Untrusted: Public-facing. Everything here is hostile.
  • DMZ (Screened Subnet): Hosts public-facing services (web servers, email gateways, DNS). Accessible from the internet but isolated from the internal network. Protected by firewalls on both sides.
  • Internal/Trusted: Corporate network. User workstations, internal applications, file shares.
  • Management: Isolated network for device administration. Jump servers, out-of-band management (IPMI/iLO/iDRAC). Should never be accessible from the internet.
  • Guest: Isolated segment for visitors. Internet access only — no access to internal resources.

Device Placement Principles

  • Public-facing services go in the DMZ, never directly on the internal network
  • Database servers behind application servers — never directly accessible from the DMZ
  • Management interfaces on a dedicated management network
  • Sensors (IDS) positioned to monitor traffic at key boundaries

Firewalls

Types

  • Packet Filtering: Examines headers (source/dest IP, port, protocol). Fast but no application awareness. Stateless.
  • Stateful Inspection: Tracks connection state. Allows return traffic for established connections. The baseline for modern firewalls.
  • Next-Generation Firewall (NGFW): Stateful + application awareness + deep packet inspection + integrated IPS + URL filtering. Can make decisions based on application identity, not just ports.
  • Web Application Firewall (WAF): Operates at Layer 7. Specifically protects web applications against OWASP Top 10 (SQLi, XSS, CSRF). Deployed in front of web servers.
  • Layer 4 vs. Layer 7: L4 firewalls filter based on transport layer (TCP/UDP ports). L7 firewalls inspect application layer content. L7 is more granular but more resource-intensive.

Firewall Rules

  • Processed top-down — first matching rule wins
  • Implicit deny: If no rule matches, traffic is blocked (default on most firewalls)
  • Rules should follow least privilege — allow only what’s needed, deny everything else
  • Exam tip: Questions will present a rule set and ask what traffic is allowed/blocked, or ask you to write rules for a scenario
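A small rule-set evaluator, added here as a worked example (not part of the original notes), that applies the top-down, first-match, implicit-deny logic above and then probes the flows the placement principles say must be blocked (internet to management, DMZ web server to database, user VLAN to iLO). All addresses, ports and rules are constructed; the last rule is deliberately overbroad so the management-network probe catches it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port, None = any port

def matches(rule, src_ip, dst_ip, proto, dport):
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.port in (None, dport))

def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Top-down, first matching rule wins; no match -> implicit deny (index None)."""
    for i, r in enumerate(rules):
        if matches(r, src_ip, dst_ip, proto, dport):
            return r.action, i
    return "deny", None

# Constructed lab: DMZ 192.0.2.0/24, internal 10.0.0.0/16 (app 10.0.1.20,
# DB 10.0.5.10, users 10.0.20.0/24, management/iLO 10.0.100.0/24)
RULES = [
    Rule("allow", "0.0.0.0/0",      "192.0.2.10/32", "tcp", 443),   # internet -> DMZ web
    Rule("allow", "192.0.2.10/32",  "10.0.1.20/32",  "tcp", 8080),  # web -> app server only
    Rule("deny",  "192.0.2.0/24",   "10.0.0.0/16",   "any", None),  # DMZ -> internal blocked
    Rule("allow", "10.0.0.0/16",    "0.0.0.0/0",     "tcp", 443),   # internal -> HTTPS (overbroad!)
]

def placement_checks(rules):
    """Probe flows the device-placement principles say must be blocked."""
    probes = {
        "internet_to_mgmt_ssh": ("203.0.113.7", "10.0.100.5", "tcp", 22),
        "dmz_web_to_db":        ("192.0.2.10",  "10.0.5.10",  "tcp", 5432),
        "user_vlan_to_ilo":     ("10.0.20.33",  "10.0.100.5", "tcp", 443),
    }
    return {name: evaluate(rules, *flow)[0] for name, flow in probes.items()}

if __name__ == "__main__":
    for name, verdict in placement_checks(RULES).items():
        print(f"{name}: {verdict}")   # user_vlan_to_ilo comes back "allow"
```

The third probe is allowed only because rule 4 matches any destination on 443, including the management subnet; the fix is to deny internal-to-management before that rule or to narrow its destination to non-RFC1918 space.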

Intrusion Detection and Prevention

IDS (Intrusion Detection System)

Passive — monitors and alerts but does not block.

  • Network-based (NIDS): Monitors network traffic at strategic points (span port, network tap)
  • Host-based (HIDS): Monitors activity on individual hosts (file integrity, log analysis)

IPS (Intrusion Prevention System)

Active — sits inline and can block malicious traffic in real time.

  • Must be positioned inline (traffic flows through it)
  • Risk of false positives blocking legitimate traffic

Detection Methods

  • Signature-based: Matches known patterns. Effective against known threats, blind to novel attacks.
  • Anomaly-based: Establishes a baseline of normal behavior, alerts on deviations. Catches unknown threats but higher false positive rate.
  • Heuristic: Rule-based analysis of behavior patterns.

Inline vs. Monitor Mode

  • Inline (IPS): Traffic passes through the device. Can block. Introduces latency. Single point of failure if it fails closed.
  • Monitor/Tap (IDS): Receives a copy of traffic. Cannot block. No impact on traffic flow. No risk of blocking legitimate traffic.

Port Security

802.1X

Port-based Network Access Control. Requires authentication before granting network access.

Three roles:

  • Supplicant: Device requesting access (laptop, phone)
  • Authenticator: Network switch/AP that controls port access
  • Authentication Server: RADIUS server that validates credentials

EAP Methods

  • EAP-TLS: Mutual certificate-based authentication. Most secure. Both client and server present certificates.
  • PEAP: Server certificate + client password (inside TLS tunnel). Easier to deploy than EAP-TLS.
  • EAP-FAST: Cisco proprietary. Uses PAC (Protected Access Credential) instead of certificates.

MAC-Based Authentication (MAB)

Fallback for devices that don’t support 802.1X (printers, cameras, IoT).

  • Authenticates based on MAC address — easily spoofable, use only as fallback
  • Typically places devices on a restricted VLAN

Secure Communications

VPN

  • IPSec: Network-layer VPN. Two modes: transport (encrypts payload) and tunnel (encrypts entire packet). Uses IKE for key exchange.
  • SSL/TLS VPN: Application-layer VPN accessed through a browser or lightweight client. Easier to deploy for remote access.
  • Split tunneling: Only corporate-bound traffic goes through VPN; internet traffic goes direct. Reduces VPN load but means the endpoint is exposed to internet threats without corporate controls.
  • Full tunneling: All traffic goes through VPN. More secure but higher latency and bandwidth cost.

SD-WAN (Software-Defined WAN)

Centrally managed WAN that can dynamically route traffic across multiple links (MPLS, broadband, LTE).

  • Provides encryption, segmentation, and centralized policy
  • Replaces or supplements traditional MPLS circuits

SASE (Secure Access Service Edge)

Combines SD-WAN with cloud-delivered security (CASB, SWG, ZTNA, FWaaS) into a single service.

  • Security follows the user, not the network perimeter
  • Exam-relevant as a modern alternative to traditional VPN + firewall architectures

Jump Server / Bastion Host

Hardened server used as the sole access point to a secure network zone.

  • Admins connect to the jump server first, then to target systems
  • All administrative access is logged and monitored through this single point
  • Reduces attack surface by eliminating direct access to managed systems

Load Balancers

Distribute traffic across multiple servers for availability and performance.

  • Security role: Can perform SSL offloading, act as a reverse proxy, absorb DDoS traffic
  • Placement: typically between the firewall and web server farm

Sensors and Collectors

  • Network taps: Hardware devices that copy traffic for monitoring. Passive, no impact on traffic.
  • SPAN/mirror ports: Switch configuration that copies traffic from one port to another for IDS/monitoring.
  • Collectors: Aggregation points for logs and telemetry (syslog servers, SIEM collectors).

Offensive Context

When an attacker maps a target network, they’re looking for exactly the decisions you make in this objective: Where are the firewalls? Is the DMZ properly isolated or can I pivot from a web server to the database? Is 802.1X enforced or can I plug into a conference room jack? Is the management network segregated or can I reach iLO interfaces from the user VLAN? Every infrastructure decision either blocks an attack path or leaves one open.