Apply security principles to secure enterprise infrastructure
This is a PBQ objective. Expect to place devices, configure network security, and make infrastructure decisions for a described environment.
Device Placement and Security Zones
Network Zones
- Internet/Untrusted: Public-facing. Everything here is hostile.
- DMZ (Screened Subnet): Hosts public-facing services (web servers, email gateways, DNS). Accessible from internet but isolated from internal network. Protected by firewalls on both sides.
- Internal/Trusted: Corporate network. User workstations, internal applications, file shares.
- Management: Isolated network for device administration. Jump servers, out-of-band management (IPMI/iLO/iDRAC). Should never be accessible from the internet.
- Guest: Isolated segment for visitors. Internet access only — no access to internal resources.
Device Placement Principles
- Public-facing services go in the DMZ, never directly on the internal network
- Database servers behind application servers — never directly accessible from DMZ
- Management interfaces on a dedicated management network
- Sensors (IDS) positioned to monitor traffic at key boundaries
Firewalls
Types
- Packet Filtering: Examines headers (source/dest IP, port, protocol). Fast but no application awareness. Stateless.
- Stateful Inspection: Tracks connection state. Allows return traffic for established connections. The baseline for modern firewalls.
- Next-Generation Firewall (NGFW): Stateful + application awareness + deep packet inspection + integrated IPS + URL filtering. Can make decisions based on application identity, not just ports.
- Web Application Firewall (WAF): Operates at Layer 7. Specifically protects web applications against OWASP Top 10 (SQLi, XSS, CSRF). Deployed in front of web servers.
- Layer 4 vs. Layer 7: L4 firewalls filter based on transport layer (TCP/UDP ports). L7 firewalls inspect application layer content. L7 is more granular but more resource-intensive.
Firewall Rules
- Processed top-down — first matching rule wins
- Implicit deny: If no rule matches, traffic is blocked (default on most firewalls)
- Rules should follow least privilege — allow only what’s needed, deny everything else
- Exam tip: Questions will present a rule set and ask what traffic is allowed/blocked, or ask you to write rules for a scenario
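The zone plan and rule-processing order above, worked through as an added example (not from the original guide): a small stateful evaluator with constructed, hypothetical zone addresses and rules, showing first-match-wins, implicit deny, and why a stateful firewall lets the database's reply back to the web tier without a reverse rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone plan (hypothetical addresses): anything not in a named zone is "internet".
ZONES = {
    "dmz": ip_network("10.10.0.0/24"),
    "internal": ip_network("10.20.0.0/24"),
    "mgmt": ip_network("10.99.0.0/24"),
}

def zone_of(ip: str) -> str:
    return next((z for z, net in ZONES.items() if ip_address(ip) in net), "internet")

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"

# Ordered rule set: processed top-down, first match wins, implicit deny when nothing matches.
RULES = [
    Rule("internet", "dmz", "tcp", 443, "allow"),    # public HTTPS reaches only the web tier
    Rule("dmz", "internal", "tcp", 5432, "allow"),   # web tier reaches only the database port
    Rule("internal", "mgmt", "tcp", 22, "allow"),    # admins reach the jump server
    Rule("internet", "mgmt", "tcp", None, "deny"),   # explicit deny: management never from the internet
]

class StatefulFirewall:
    """Stateful inspection: replies to flows already allowed pass without needing a matching rule."""

    def __init__(self, rules):
        self.rules = rules
        self.conns = set()   # (src, sport, dst, dport, proto) of allowed flows

    def evaluate(self, src, sport, dst, dport, proto="tcp"):
        if (dst, dport, src, sport, proto) in self.conns:
            return ("allow", "established")
        sz, dz = zone_of(src), zone_of(dst)
        for r in self.rules:
            if (r.src_zone, r.dst_zone, r.proto) == (sz, dz, proto) and r.dport in (None, dport):
                if r.action == "allow":
                    self.conns.add((src, sport, dst, dport, proto))
                return (r.action, f"rule {sz}->{dz} {proto}/{r.dport or 'any'}")
        return ("deny", "implicit")
```

A packet-filtering (stateless) firewall would need an explicit internal-to-DMZ rule for the database reply; here that reply is denied until the web tier's request has populated the connection table.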
Intrusion Detection and Prevention
IDS (Intrusion Detection System)
Passive — monitors and alerts but does not block.
- Network-based (NIDS): Monitors network traffic at strategic points (span port, network tap)
- Host-based (HIDS): Monitors activity on individual hosts (file integrity, log analysis)
IPS (Intrusion Prevention System)
Active — sits inline and can block malicious traffic in real-time.
- Must be positioned inline (traffic flows through it)
- Risk of false positives blocking legitimate traffic
Detection Methods
- Signature-based: Matches known patterns. Effective against known threats, blind to novel attacks.
- Anomaly-based: Establishes a baseline of normal behavior, alerts on deviations. Catches unknown threats but higher false positive rate.
- Heuristic: Rule-based analysis of behavior patterns.
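The signature-versus-anomaly trade-off above as an added example (not from the original guide): two constructed signatures, a per-host request-rate baseline, and a constructed minute of NIDS traffic in which the known probe is caught only by signature and the never-seen probe only by the rate anomaly. Rule names, addresses and counts are all made up for the example.

```python
import re
import statistics

# Constructed signatures for two known web attack patterns (hypothetical rule names).
SIGNATURES = {
    "web-sqli-union": re.compile(r"union\s+select", re.I),
    "web-path-traversal": re.compile(r"(\.\./){2,}"),
}

def signature_matches(payload: str) -> list:
    """Signature-based: names of known patterns present in the payload (blind to anything else)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

class AnomalyDetector:
    """Anomaly-based: learn a per-host baseline of requests per minute, alert on large deviations."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self.baseline = {}   # host -> per-minute request counts observed during training

    def learn(self, host: str, counts) -> None:
        self.baseline[host] = list(counts)

    def is_anomalous(self, host: str, count: int) -> bool:
        hist = self.baseline.get(host)
        if not hist or len(hist) < 2:
            return False   # no baseline yet: the detector cannot judge (its training-window weakness)
        mean, sd = statistics.mean(hist), statistics.pstdev(hist)
        return count > mean + self.k * max(sd, 1.0)   # floor sd so a flat baseline does not alert on +1

def triage(events, detector: AnomalyDetector, host_counts: dict) -> list:
    """Run both methods over what a NIDS saw on a SPAN port: (host, payload) events plus rates."""
    alerts = [(host, "signature", sig) for host, payload in events for sig in signature_matches(payload)]
    alerts += [(host, "anomaly", f"{n} req/min") for host, n in host_counts.items()
               if detector.is_anomalous(host, n)]
    return alerts

# Constructed sample minute: one known SQLi probe, one never-seen probe at high rate, one normal request.
SAMPLE_EVENTS = [
    ("203.0.113.7", "GET /search?q=1 UNION SELECT username,password FROM users"),
    ("203.0.113.8", "GET /api/v1/export?fmt=%00novel"),
    ("198.51.100.9", "GET /static/app.js"),
]
SAMPLE_COUNTS = {"203.0.113.7": 3, "203.0.113.8": 300, "198.51.100.9": 12}
```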
Inline vs. Monitor Mode
- Inline (IPS): Traffic passes through the device. Can block. Introduces latency. Single point of failure: if the device fails closed, an IPS outage is also a link outage.
- Monitor/Tap (IDS): Receives a copy of traffic. Cannot block. No impact on traffic flow. No risk of blocking legitimate traffic.
Port Security
802.1X
Port-based Network Access Control. Requires authentication before granting network access.
Three roles:
- Supplicant: Device requesting access (laptop, phone)
- Authenticator: Network switch/AP that controls port access
- Authentication Server: RADIUS server that validates credentials
EAP Methods
- EAP-TLS: Mutual certificate-based authentication. Most secure. Both client and server present certificates.
- PEAP: Server certificate + client password (inside TLS tunnel). Easier to deploy than EAP-TLS.
- EAP-FAST: Cisco proprietary. Uses PAC (Protected Access Credential) instead of certificates.
MAC-Based Authentication (MAB)
Fallback for devices that don’t support 802.1X (printers, cameras, IoT).
- Authenticates based on MAC address — easily spoofable, use only as fallback
- Typically places devices on a restricted VLAN
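The three 802.1X roles and the MAB fallback above, modelled as an added example (not from the original guide): the authenticator keeps the port unauthorized until the authentication server answers, EAP-TLS is accepted only for a certificate from the trusted issuer, and a device that never speaks EAP is checked by MAC address and lands on the restricted VLAN. The CA name, MAC allowlist and VLAN numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy held by the authentication server (hypothetical values).
TRUSTED_CA = "Corp-Issuing-CA"
MAB_ALLOWLIST = {"00:11:22:33:44:55": "printer-lobby"}   # known 802.1X-incapable devices
VLAN_CORP, VLAN_RESTRICTED = 20, 99

@dataclass
class Supplicant:
    mac: str
    eap_capable: bool                 # False for printers/cameras/IoT that ignore EAP requests
    cert_issuer: Optional[str] = None # issuer of the EAP-TLS client certificate, if one is presented

class AuthenticationServer:
    """RADIUS role: makes the decision and returns (accept, vlan); never touches the port itself."""

    def eap_tls(self, cert_issuer):
        return (True, VLAN_CORP) if cert_issuer == TRUSTED_CA else (False, None)

    def mab(self, mac):
        # The MAC address is the only "credential", so anything accepted here gets the restricted VLAN.
        return (True, VLAN_RESTRICTED) if mac.lower() in MAB_ALLOWLIST else (False, None)

class Authenticator:
    """Switch/AP role: port stays unauthorized until the server says otherwise."""

    def __init__(self, server, mab_fallback=True):
        self.server, self.mab_fallback = server, mab_fallback

    def connect(self, s: Supplicant):
        if s.eap_capable:
            ok, vlan = self.server.eap_tls(s.cert_issuer)
            return ("authorized", vlan, "eap-tls") if ok else ("unauthorized", None, "eap-tls rejected")
        # EAP-Request timed out: the device does not speak 802.1X, so fall back to MAB if enabled.
        if not self.mab_fallback:
            return ("unauthorized", None, "no eap, mab disabled")
        ok, vlan = self.server.mab(s.mac)
        return ("authorized", vlan, "mab") if ok else ("unauthorized", None, "mab rejected")
```

Because MAB trusts whatever MAC appears on the wire, any device presenting the printer's address gets the same result; the restricted VLAN is what limits how much that buys.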
Secure Communications
VPN
- IPSec: Network-layer VPN. Two modes: transport (encrypts payload) and tunnel (encrypts entire packet). Uses IKE for key exchange.
- SSL/TLS VPN: Application-layer VPN accessed through a browser or lightweight client. Easier to deploy for remote access.
- Split tunneling: Only corporate-bound traffic goes through VPN; internet traffic goes direct. Reduces VPN load but means the endpoint is exposed to internet threats without corporate controls.
- Full tunneling: All traffic goes through VPN. More secure but higher latency and bandwidth cost.
SD-WAN (Software-Defined WAN)
Centrally managed WAN that can dynamically route traffic across multiple links (MPLS, broadband, LTE).
- Provides encryption, segmentation, and centralized policy
- Replaces or supplements traditional MPLS circuits
SASE (Secure Access Service Edge)
Combines SD-WAN with cloud-delivered security (CASB, SWG, ZTNA, FWaaS) into a single service.
- Security follows the user, not the network perimeter
- Exam-relevant as a modern alternative to traditional VPN + firewall architectures
Jump Server / Bastion Host
Hardened server used as the sole access point to a secure network zone.
- Admins connect to the jump server first, then to target systems
- All administrative access is logged and monitored through this single point
- Reduces attack surface by eliminating direct access to managed systems
Load Balancers
Distribute traffic across multiple servers for availability and performance.
- Security role: Can perform SSL offloading, act as a reverse proxy, absorb DDoS traffic
- Placement: typically between the firewall and web server farm
Sensors and Collectors
- Network taps: Hardware devices that copy traffic for monitoring. Passive, no impact on traffic.
- SPAN/mirror ports: Switch configuration that copies traffic from one port to another for IDS/monitoring.
- Collectors: Aggregation points for logs and telemetry (syslog servers, SIEM collectors).
Infrastructure Decision Logic
Firewall Selection
| If the scenario says… | Choose… | Because… |
|---|---|---|
| "Block traffic by IP and port only" | Packet filter | Simple L3/L4 filtering |
| "Allow return traffic for established connections" | Stateful | Connection state tracking |
| "Block specific applications regardless of port" | NGFW | Application-layer awareness |
| "Protect web application from SQL injection" | WAF | L7 web-specific protection |
| "Cloud-hosted web application protection" | WAF (cloud) | Cloudflare, AWS WAF, etc. |
| "Inspect encrypted traffic" | NGFW with SSL inspection | Requires TLS decryption capability |
VPN Selection
| If the scenario says… | Choose… | Because… |
|---|---|---|
| "Site-to-site connection between offices" | IPSec (tunnel mode) | Network-layer, full packet encryption |
| "Remote worker accessing corporate resources" | SSL/TLS VPN | Easy deployment, browser or lightweight client |
| "Need to encrypt only the payload, not the header" | IPSec (transport mode) | Host-to-host within trusted network |
| "Zero-trust remote access" | ZTNA | Identity-based, per-application access (replaces traditional VPN) |
| "High performance, modern deployment" | WireGuard | Simpler, faster than IPSec, modern crypto |
Split vs. Full Tunnel
| If the scenario says… | Choose… | Because… |
|---|---|---|
| "Minimize bandwidth on VPN" | Split tunnel | Only corporate traffic through VPN |
| "Ensure all traffic is monitored/filtered" | Full tunnel | Everything goes through corporate security stack |
| "User needs to access cloud apps directly" | Split tunnel | Direct cloud access avoids hairpin through corporate DC |
| "High-security environment, prevent data leakage" | Full tunnel | All traffic inspectable |
IDS vs. IPS Placement
| If the scenario says… | Choose… | Because… |
|---|---|---|
| "Monitor traffic without risk of blocking legitimate traffic" | IDS (tap/SPAN) | Passive, no inline risk |
| "Automatically block attacks in real-time" | IPS (inline) | Active prevention |
| "Sensitive environment where false positives are dangerous" | IDS first | Tune rules before going inline |
| "Mature environment with well-tuned signatures" | IPS | Confidence in detection accuracy |
Offensive Context
When an attacker maps a target network, they’re looking for exactly the decisions you make in this objective: Where are the firewalls? Is the DMZ properly isolated or can I pivot from a web server to the database? Is 802.1X enforced or can I plug into a conference room jack? Is the management network segregated or can I reach iLO interfaces from the user VLAN? Every infrastructure decision either blocks an attack path or leaves one open.