Network security isn't just a checkbox on the CompTIA Security+ exam—it's the foundation of everything you'll protect as a security professional. Whether you're monitoring traffic, blocking threats, or designing secure architectures, you need to understand how networks work and where attacks happen.
The Security+ SY0-701 exam dedicates significant coverage to network security concepts across Domains 3 and 4. This guide breaks down the essentials: the tools that defend networks, the design principles that limit damage, and the attacks you'll see on test day.
Why Network Knowledge Matters for Security+
Security is built in layers. You can't secure what you don't understand, and you can't defend a network if you don't know how traffic flows through it.
Security+ tests your ability to:
- Identify the right tool for the right threat. A firewall works differently than an IDS, and both are useless against DDoS if you don't understand the attack vector.
- Design networks defensively. Segmentation, zero trust, and network access control prevent lateral movement and contain breaches.
- Recognize common attack patterns. On-path attacks, DNS poisoning, and wireless attacks all leave signatures you need to spot.
Think of this guide as your network security toolkit. Each concept below appears on the exam, and each one has practical applications in real security work.
Network Defense Tools: Your First Line of Defense
Firewalls: Know the Types
Firewalls are your primary gateway control. The exam tests whether you understand what each type does.
Packet-Filtering Firewalls
These work at Layer 3 (network) and Layer 4 (transport). They inspect packet headers—source/destination IP, ports, protocols—and allow or block based on rules. Fast and efficient, but stateless: they don't track connections.
Stateful Firewalls
Stateful firewalls track active connections and understand context. An inbound packet is only allowed if it matches an established outgoing connection. This is why stateful firewalls catch more threats than packet filters—they know the conversation history.
Next-Generation Firewalls (NGFW)
NGFWs add application-layer awareness (Layer 7). They understand what applications are doing and can block specific actions within allowed protocols. An NGFW can block specific websites over HTTPS, while a stateful firewall can only allow or block HTTPS traffic broadly. NGFWs also integrate threat intelligence, IPS capabilities, and user identity.
Web Application Firewalls (WAF)
A WAF sits in front of web applications and understands HTTP/HTTPS. It blocks common web attacks like SQL injection, cross-site scripting (XSS), and command injection. WAFs are essential for protecting web apps, but they're specialized—they don't replace a perimeter firewall.
Exam Tip: Questions often ask which firewall type you'd use for a specific scenario. Remember: packet-filter = speed, stateful = context, NGFW = application awareness, WAF = web-specific threats.
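To make the packet-filter versus stateful distinction concrete, here is an added Python example (not from the original guide) that runs both firewall types over the same constructed traffic; the addresses, ports and the "allow inbound to ephemeral ports" rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Layer 3/4 header fields: the only thing either firewall type can see."""
    proto: str       # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str   # "out" = leaving the LAN, "in" = arriving from the Internet

class PacketFilter:
    """Stateless filter. To let replies back in at all it must permit inbound
    traffic to the whole ephemeral port range, so it cannot tell a reply
    from an unsolicited packet aimed at that range."""
    def __init__(self, inbound_service_ports=()):
        self.inbound_service_ports = set(inbound_service_ports)

    def allow(self, pkt):
        if pkt.direction == "out":
            return True
        return pkt.dst_port >= 1024 or pkt.dst_port in self.inbound_service_ports

class StatefulFirewall:
    """Records each outbound flow; an inbound packet is allowed only if it is
    the exact reverse of a flow this firewall saw leave."""
    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self.flows

# Constructed traffic (RFC 5737 documentation addresses, not real hosts).
TRAFFIC = [
    Packet("TCP", "10.0.0.5", 51000, "203.0.113.10", 443, "out"),  # user opens HTTPS
    Packet("TCP", "203.0.113.10", 443, "10.0.0.5", 51000, "in"),   # legitimate reply
    Packet("TCP", "198.51.100.7", 443, "10.0.0.5", 51000, "in"),   # unsolicited, crafted src port 443
    Packet("TCP", "198.51.100.7", 40000, "10.0.0.5", 22, "in"),    # unsolicited SSH probe
]

def decisions(fw, traffic=TRAFFIC):
    """Feed packets through a firewall in order; returns one 'allow'/'drop' per packet."""
    return ["allow" if fw.allow(p) else "drop" for p in traffic]
```

The third packet is the difference: the stateless filter passes it because port 51000 falls in the range it had to open, while the stateful firewall drops it because no matching outbound flow exists.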
IDS vs IPS: Detection vs Prevention
This distinction appears constantly on Security+, and it's critical.
Intrusion Detection Systems (IDS)
An IDS monitors traffic and alerts when it detects something suspicious. It's passive—it watches and reports but doesn't block. IDS comes in two flavors:
- Network-based (NIDS): Monitors traffic on the network
- Host-based (HIDS): Monitors activity on individual systems
Intrusion Prevention Systems (IPS)
An IPS does what an IDS does, plus it actively blocks threats. It sits inline in the traffic path and can drop malicious packets in real time.
Detection Methods
Both IDS and IPS use two approaches:
- Signature-based: Matches known attack patterns. Fast and accurate for known threats, useless against new ones.
- Anomaly-based: Learns normal behavior and flags deviations. Better for zero-day attacks, but prone to false positives.
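An added Python example, not part of the original guide, that runs both detection methods over constructed web-server log lines: the signature rules, the per-client volume metric and the z-score threshold are assumptions chosen for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed log lines ("client_ip request_path"), not real traffic.
BASELINE = [  # a quiet period used to learn what normal looks like
    "10.0.0.11 /index.html", "10.0.0.11 /about",
    "10.0.0.12 /index.html", "10.0.0.12 /products", "10.0.0.12 /cart",
    "10.0.0.13 /index.html", "10.0.0.13 /login",
    "10.0.0.14 /index.html",
]
OBSERVED = [
    "10.0.0.11 /index.html",
    "10.0.0.12 /search?q=' OR 1=1--",          # matches a known SQL injection pattern
    "10.0.0.13 /files?name=../../etc/passwd",   # matches a known path traversal pattern
] + [f"10.0.0.99 /api/items?id={i}" for i in range(40)]  # one client, 40 requests

SIGNATURES = {  # known-bad patterns: precise, but blind to anything not listed
    "sql_injection": re.compile(r"'\s*or\s+1=1", re.I),
    "path_traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"<script", re.I),
}

def signature_detect(lines):
    """Signature-based: (client_ip, rule) for every request matching a known pattern."""
    hits = []
    for line in lines:
        ip, _, path = line.partition(" ")
        hits.extend((ip, name) for name, rx in SIGNATURES.items() if rx.search(path))
    return hits

def anomaly_detect(baseline, observed, z=3.0):
    """Anomaly-based: learn requests-per-client from the baseline, then flag clients
    more than z standard deviations above the learned mean. This catches the
    unlisted burst, but a legitimately busy client would be flagged the same way."""
    learned = Counter(l.split(" ", 1)[0] for l in baseline).values()
    mean, spread = statistics.mean(learned), statistics.pstdev(learned) or 1.0
    threshold = mean + z * spread
    seen = Counter(l.split(" ", 1)[0] for l in observed)
    return sorted(ip for ip, n in seen.items() if n > threshold)
```

Each method misses what the other catches: the two injection requests are single, quiet requests that no volume model flags, and the 40-request burst matches no signature.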
Exam Tip: IDS = detection and alerting. IPS = detection and blocking. A common scenario: "An attack just happened. Which system would have blocked it?" Answer: IPS. "You need to monitor but not impact performance." Answer: IDS.
VPNs: Site-to-Site vs Remote Access
VPNs encrypt traffic over untrusted networks. The exam tests whether you know when to use each type.
Remote Access VPN
A remote worker connects to corporate resources through a VPN. The worker's device becomes a temporary network endpoint. Common for work-from-home scenarios. Often uses SSL/TLS VPN (easier to deploy) or IPSec.
Site-to-Site VPN
Two networks connect through a VPN tunnel. Branch offices, cloud environments, and partner networks all use site-to-site VPNs. Typically uses IPSec.
VPN Protocols
- IPSec (Internet Protocol Security): Industry standard for site-to-site and remote access. Operates at Layer 3. Modes matter:
  - Tunnel mode: Encrypts the entire original packet (header + data). Used for site-to-site VPNs.
  - Transport mode: Encrypts only the payload. Used for host-to-host communication.
- SSL/TLS VPN: Easier to deploy (browser-based), works through most firewalls. Newer, but becoming more common.
Exam Tip: When questions mention "VPN," ask yourself: is this connecting two networks (site-to-site, likely IPSec tunnel mode) or a remote worker (remote access, likely IPSec or SSL/TLS)?
Network Design: Building Defensible Architectures
Network Segmentation: The Blast Radius Principle
Segmentation divides your network into smaller zones. If one zone is breached, the damage is contained.
VLANs (Virtual LANs)
VLANs logically separate network traffic on the same physical switches. A finance VLAN is isolated from a manufacturing VLAN. VLANs are fast and flexible, but require proper access controls—they're not a security boundary by themselves.
DMZ (Demilitarized Zone)
A DMZ is a separate network between the internet and your internal network. Public-facing servers (web servers, DNS, mail) live here. If a DMZ server is compromised, attackers still can't directly access internal systems.
Air Gaps
An air-gapped system has no network connection. Out of reach of network-borne remote attacks, but operationally complex. Used for critical systems (industrial control, military networks).
Why Segmentation Matters
Segmentation limits lateral movement. An attacker who breaches a web server can't automatically access databases, file shares, or administrative systems if they're on different segments with proper controls.
Zero Trust: Never Trust, Always Verify
Zero trust is the modern security model and appears heavily on Security+. Traditional network security trusts traffic inside the firewall. Zero trust trusts nothing by default.
Core Principles
- Verify every access request, regardless of source or location.
- Assume breach. Design your network assuming attackers are already inside.
- Least privilege. Users and systems get the minimum access needed.
- Continuous authentication. Trust isn't granted once; it's verified continuously.
Microsegmentation
Zero trust uses microsegmentation—granular network divisions where each segment is a security boundary. Unlike traditional VLANs, microsegmentation is identity-based. A user sees different resources based on who they are, not just which VLAN they're on.
Implementation
Zero trust requires:
- Identity and access management (IAM) systems
- Continuous monitoring and logging
- Network microsegmentation
- Encrypted communications
- Device compliance checking
Exam Tip: Zero trust shows up as scenario questions. "An attacker compromised an employee's laptop. In a zero trust network, what prevents them from accessing other systems?" Answer: Continuous verification, device compliance checking, and microsegmentation—not just firewall rules based on IP addresses.
Network Access Control (NAC): Gatekeeping at the Door
NAC ensures devices meet security standards before connecting to the network.
802.1X: The Standard
802.1X (also called Port-Based Network Access Control) is the industry standard. Before a device connects, it authenticates, and the system verifies that it meets security requirements (patches installed, antivirus active, etc.).
Agent-Based vs Agentless
- Agent-based: Software on the endpoint reports its state. More thorough, requires deployment.
- Agentless: Authentication only, no endpoint software. Easier to deploy, less detailed visibility.
Exam Context: NAC works with 802.1X to prevent non-compliant devices from accessing the network. Combined with segmentation, it's a key zero trust control.
Common Network Attacks: Knowing Your Enemy
On-Path (Man-in-the-Middle) Attacks
An attacker positions themselves between two communicating parties, intercepting and potentially modifying traffic.
ARP Poisoning
Address Resolution Protocol (ARP) maps IP addresses to MAC addresses. An attacker sends spoofed ARP messages, telling the network "my MAC address is the gateway." Traffic flows through the attacker instead of the legitimate gateway. Common on local networks.
SSL Stripping
HTTPS uses SSL/TLS to encrypt web traffic. An attacker intercepts the connection and downgrades it to HTTP with the victim while maintaining HTTPS with the server. The victim thinks they're secure; the attacker sees everything. HTTP Strict Transport Security (HSTS) mitigates this by forcing HTTPS.
Defense: Use HTTPS everywhere, implement HSTS, use ARP inspection on switches, and deploy microsegmentation so attackers can't position themselves between critical systems.
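As an added example (not from the original guide), this Python sketch shows the two defensive positions against ARP poisoning: an inline switch-style ARP inspection check against a binding table, and a passive monitor that alerts when an IP is suddenly claimed by a second MAC. The binding table, port names and captured replies are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    ingress_port: str   # switch port the frame arrived on

# Constructed binding table, the kind a switch builds from DHCP snooping: ip -> (mac, port).
BINDINGS = {
    "10.0.0.1": ("aa:bb:cc:00:00:01", "Gi0/1"),    # the real default gateway
    "10.0.0.20": ("aa:bb:cc:00:00:20", "Gi0/20"),
    "10.0.0.21": ("aa:bb:cc:00:00:21", "Gi0/21"),
}
TRUSTED_PORTS = {"Gi0/1"}   # uplink/gateway port: replies arriving here are not inspected

def arp_inspection(replies, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Inline control: drop any ARP reply from an untrusted port whose sender
    IP/MAC/port does not match the binding table. Returns (verdict, reason) per reply."""
    verdicts = []
    for r in replies:
        if r.ingress_port in trusted:
            verdicts.append(("allow", "trusted port"))
        elif r.sender_ip not in bindings:
            verdicts.append(("drop", "no binding for sender IP"))
        elif bindings[r.sender_ip] != (r.sender_mac, r.ingress_port):
            verdicts.append(("drop", "sender IP is bound to a different MAC/port"))
        else:
            verdicts.append(("allow", "matches binding"))
    return verdicts

def arp_monitor(replies):
    """Passive detection (a NIDS with no binding table): alert when an IP that was
    already mapped to one MAC is claimed by another. Returns (ip, sorted MACs) alerts."""
    seen = defaultdict(set)
    alerts = []
    for r in replies:
        seen[r.sender_ip].add(r.sender_mac)
        if len(seen[r.sender_ip]) > 1:
            alerts.append((r.sender_ip, sorted(seen[r.sender_ip])))
    return alerts

# Constructed capture: two legitimate replies, then the host on Gi0/21 claiming the gateway's IP.
CAPTURE = [
    ArpReply("10.0.0.1", "aa:bb:cc:00:00:01", "Gi0/1"),
    ArpReply("10.0.0.20", "aa:bb:cc:00:00:20", "Gi0/20"),
    ArpReply("10.0.0.1", "aa:bb:cc:00:00:21", "Gi0/21"),
]
```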
DNS Attacks: Corrupting the Internet's Phone Book
DNS translates domain names to IP addresses. Attacks here redirect users to malicious sites.
DNS Poisoning
An attacker injects false DNS records into a cache. When users query "bank.com," they get the attacker's IP address instead of the real bank.
DNS Amplification
An attacker sends DNS queries with a spoofed source IP (the victim's). The DNS server responds to the victim's address with large responses. Multiply this by thousands of queries, and it's a DDoS attack.
Domain Hijacking
An attacker gains control of a domain's registration, changing DNS records or transferring the domain to themselves.
Defense: Use DNSSEC (DNS Security Extensions), validate DNS responses, implement rate limiting on DNS servers, and use strong authentication for domain registrars.
DDoS Attacks: Overwhelming Capacity
A Distributed Denial of Service attack floods a target with traffic from many sources, making services unavailable.
Volumetric Attacks
Raw traffic volume overwhelms capacity. Examples: UDP floods, ICMP floods, DNS amplification. Measured in gigabits per second.
Protocol Attacks
Exploit weaknesses in network protocols. SYN floods (overwhelming TCP connection requests), fragmented-packet attacks, and Ping of Death.
Application-Layer Attacks
Target specific applications rather than network infrastructure. HTTP floods (thousands of legitimate-looking web requests), Slowloris (holding connections open to exhaust resources).
Mitigation: Rate limiting, traffic filtering, DDoS scrubbing services, and redundancy. For application-layer attacks, WAF and load balancing help.
Exam Tip: Know the attack types and where to stop them. Volumetric attacks need ISP-level filtering or DDoS mitigation services. Application-layer attacks need WAF or application-level controls.
Wireless Attacks
Wireless networks are particularly vulnerable.
Evil Twin
An attacker creates a fake WiFi network with a legitimate-looking name (like "Airport_WiFi"). Users connect, and the attacker intercepts all traffic.
Rogue Access Point
An unauthorized access point on your network. Gives attackers a foothold and a path to internal systems.
Deauthentication Attacks
An attacker sends deauth frames, forcibly disconnecting users from legitimate access points. Users then connect to the attacker's evil twin.
Defense: Use strong encryption (WPA3), implement wireless intrusion detection, disable broadcast of SSIDs, use 802.1X for authentication, and regularly scan for rogue APs.
Secure Protocols: Know the Insecure Predecessors
The exam tests whether you know which protocols are insecure and what replaces them.
| Insecure Protocol | Secure Replacement | Layer |
|---|---|---|
| Telnet | SSH | Application (Layer 7) |
| HTTP | HTTPS | Application (Layer 7) |
| FTP | SFTP / FTPS | Application (Layer 7) |
| SNMP v1, v2c | SNMP v3 | Application (Layer 7) |
| SSL | TLS | Transport (Layer 6-7) |
Why It Matters: Telnet and HTTP send credentials in cleartext. SSH and HTTPS encrypt everything. SNMP v3 adds authentication and encryption. The exam expects you to recommend secure protocols and spot insecure ones.
Email Security: SPF, DKIM, and DMARC
Email is a primary attack vector. Three protocols work together to prevent spoofing and phishing.
SPF (Sender Policy Framework)
SPF tells receiving mail servers which IP addresses are authorized to send mail for your domain. An attacker can't easily send email appearing to come from your domain if SPF is configured correctly. Limitation: SPF doesn't encrypt or sign messages.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to emails. The sender signs with a private key, and receivers verify with a public key (published in DNS). This proves the email genuinely came from your domain and wasn't modified in transit.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC is the policy layer. It says "if a message passes neither SPF nor DKIM for a domain that aligns with the visible From: address, quarantine or reject it." DMARC also provides reporting, showing you where spoofing is happening.
How They Work Together
SPF says "this IP is authorized." DKIM says "I signed this email." DMARC says "enforce these rules." All three together provide strong email authentication.
Exam Context: Know what each protocol does and their limitations. SPF is easy to circumvent (forwarded emails fail SPF). DKIM is stronger. DMARC enforces policy. Understand when each is used and why all three matter.
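To show how the three fit together, and why forwarded mail that fails SPF can still pass DMARC through DKIM, here is an added Python example that is not taken from the guide. The domains, DNS records and addresses are constructed, the SPF check handles only ip4: mechanisms, and "last two labels" stands in for a real organizational-domain lookup.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Message:
    header_from: str        # domain in the From: header the user sees
    envelope_from: str      # MAIL FROM / Return-Path domain that SPF is evaluated against
    client_ip: str          # IP of the server that handed us the message
    dkim_pass: bool         # did a DKIM signature verify?
    dkim_domain: Optional[str] = None   # d= tag of the verified signature

# Constructed DNS records for made-up domains; a real receiver would query DNS.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all",
    "bulkmailer.example.net": "v=spf1 ip4:203.0.113.50 -all",
}
DMARC_POLICY = {"example.com": "reject"}   # p= tag published at _dmarc.example.com

def spf_check(domain, ip):
    """Simplified SPF: pass only if ip appears in an ip4: mechanism (no include/mx/a)."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    return "pass" if ip in {t[4:] for t in record.split() if t.startswith("ip4:")} else "fail"

def org_domain(domain):
    """Relaxed alignment compares organizational domains; last two labels is a
    stand-in for a public-suffix lookup."""
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_evaluate(msg):
    """DMARC passes if SPF or DKIM passes AND the passing domain aligns with From:.
    Otherwise the From: domain's published policy decides. Returns (disposition, spf_aligned, dkim_aligned)."""
    spf_aligned = (spf_check(msg.envelope_from, msg.client_ip) == "pass"
                   and org_domain(msg.envelope_from) == org_domain(msg.header_from))
    dkim_aligned = (msg.dkim_pass and msg.dkim_domain is not None
                    and org_domain(msg.dkim_domain) == org_domain(msg.header_from))
    if spf_aligned or dkim_aligned:
        return ("deliver", spf_aligned, dkim_aligned)
    policy = DMARC_POLICY.get(org_domain(msg.header_from), "none")
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]
    return (disposition, spf_aligned, dkim_aligned)

# Constructed cases (RFC 5737 documentation addresses).
LEGIT = Message("example.com", "example.com", "192.0.2.10", True, "example.com")
FORWARDED = Message("example.com", "example.com", "198.51.100.9", True, "example.com")  # SPF breaks, DKIM survives
THIRD_PARTY = Message("example.com", "bulkmailer.example.net", "203.0.113.50", False)  # SPF passes but does not align
SPOOFED = Message("example.com", "attacker.example.org", "198.51.100.77", False)
```

The third case is the one the exam likes: a raw SPF pass for some other domain is worthless to DMARC, because the domain that passed does not align with the From: address the user sees.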
Study Tips for Network Security on Security+
Understand the "why," not just the "what." Why does stateful inspection catch threats packet-filtering doesn't? Why is zero trust better than perimeter security? The exam tests understanding.
Use scenarios, not definitions. When you see "IDS," ask "who benefits from this tool?" Defenders who want to see threats. When you see "WAF," ask "what does this protect?" Web applications from HTTP-layer attacks.
Draw diagrams. Sketch a network with VLANs, a DMZ, and internal systems. Mark where firewalls, IDS, and WAF sit. See how segmentation contains breaches.
Practice attack sequences. An attacker uses DNS poisoning to redirect users to a fake site. What defenses stop this? DNSSEC, DNS validation, site certificates, HSTS. Understand the chain.
Review the official CompTIA objectives. Network security spans Domains 3 and 4. Make sure you've covered firewalls, IDS/IPS, VPNs, segmentation, zero trust, NAC, and common attacks.
Ready to Master Network Security?
Network security is one of the most heavily tested domains on Security+. The concepts here—firewalls, IDS/IPS, VPNs, segmentation, zero trust, and attack types—appear in multiple formats on the SY0-701 exam.
LearnZapp's Security+ prep includes 320+ articles, 1,543 practice questions, and detailed explanations for every concept. Our Wiley-sourced content is aligned with the official CompTIA objectives and updated for the current exam.
Take a free Security+ diagnostic test to see where you stand. No signup required. In 15 minutes, you'll get a personalized report showing which topics to focus on—including network security.
The more you understand these fundamentals now, the more prepared you'll be for exam day—and for real security work.