CISSP Domain 4 Summary
4.0 Implement Secure Design Principles in Network Architectures
Domain 4 begins by establishing how data moves across networks and how security controls align to that movement. The CISSP exam does not test protocol configuration or packet mechanics; it tests your ability to identify where security controls belong, where attacks occur, and which architectural decision best reduces risk.
The OSI and TCP/IP models provide this foundation.
4.0.1 OSI and TCP/IP Models – CISSP Perspective
The OSI and TCP/IP models are conceptual frameworks used to understand network communication. For the CISSP exam, their value lies in risk analysis, control placement, and attack identification, not technical implementation.
Core Networking Concepts (Must-Know)
Encapsulation
Data is wrapped with protocol-specific headers as it moves down the network stack. This explains why attacks and controls can target different layers.
Abstraction
Network communication is divided into layers, allowing each layer to perform a specific function while hiding internal complexity. This separation enables layered security controls.
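The two concepts above are easiest to see on real bytes. The following added example (not part of the original summary) constructs a single Ethernet/IPv4/TCP frame carrying an HTTP request, peels the headers off layer by layer, and then reports which fields a control operating at a given layer can act on. The MAC and IP addresses, ports and payload are constructed sample values.

```python
import struct

def build_sample_frame() -> bytes:
    """Constructed sample (not a real capture): Ethernet II + IPv4 + TCP + HTTP request."""
    payload = b"GET /login HTTP/1.1\r\nHost: app.example.internal\r\n\r\n"
    # TCP: src port 40000, dst port 80, seq 1, ack 1, data offset 5 (20-byte header),
    # flags PSH|ACK (0x18), window, checksum (left 0 in this constructed sample), urgent pointer
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: version/IHL 0x45, TOS, total length, ID, flags DF, TTL 64, protocol 6 (TCP), checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 1, 5, 23]), bytes([10, 1, 20, 8]))
    # Ethernet II: destination MAC, source MAC, EtherType 0x0800 (IPv4)
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00"
    return eth + ip + tcp + payload

def decapsulate(frame: bytes) -> dict:
    """Peel headers off from the outside in, recording what each layer exposes."""
    layers = {}
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["L2"] = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    layers["L3"] = {"src_ip": ".".join(map(str, ip[12:16])),
                    "dst_ip": ".".join(map(str, ip[16:20])), "protocol": proto, "ttl": ip[8]}
    if proto != 6:
        return layers
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4              # TCP header length in bytes
    layers["L4"] = {"src_port": sport, "dst_port": dport, "flags": tcp[13]}
    layers["L7"] = {"payload": tcp[data_offset:]}
    return layers

def fields_visible_to(layers: dict, max_layer: int) -> dict:
    """Fields a control operating at or below `max_layer` can act on
    (3 for a stateless packet filter, 4 for a stateful firewall, 7 for an application proxy)."""
    return {name: fields for name, fields in layers.items() if int(name[1:]) <= max_layer}

if __name__ == "__main__":
    layers = decapsulate(build_sample_frame())
    for name, fields in layers.items():
        print(name, fields)
    print("a Layer 3 packet filter sees only:", list(fields_visible_to(layers, 3)))
```

The point the model makes in prose falls out of the code: a switch can act on the L2 dictionary only, a packet filter on L3 (and L4 ports), and nothing below L7 ever sees the `GET /login` request where an injection attack would live.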
OSI vs TCP/IP
OSI Model: Conceptual, security-analysis focused
TCP/IP Model: Practical, implementation focused
OSI Layers vs TCP/IP Layer — CISSP Security View

| OSI Layers | TCP/IP Layer | CISSP Security View |
|---|---|---|
| Layers 7–5 (Application, Presentation, Session) | Application | Application attacks, encryption, session security |
| Layer 4 (Transport) | Transport | Ports, TCP vs UDP, DoS attacks |
| Layer 3 (Network) | Internet | IP addressing, routing, IPsec |
| Layers 2–1 (Data Link, Physical) | Link | MAC attacks, VLANs, physical access |
Exam rule: CISSP questions often reference TCP/IP but expect you to reason using OSI.
OSI Layers
Layer 7 – Application
Focus: User-facing services and protocols
Key Risks: SQL Injection, XSS, DNS attacks
Security View: Input validation, secure protocols (HTTPS, SSH)
Layer 6 – Presentation
Focus: Data formatting and encryption
Key Role: Encryption and decryption
Security View: TLS/SSL, cipher weaknesses
Layer 5 – Session
Focus: Session establishment and management
Key Risks: Session hijacking, weak authentication
Security View: Session control, legacy protocol risk (PAP, NetBIOS)
Layer 4 – Transport
Focus: End-to-end communication
Key Risks: SYN floods, session abuse
Security View: TCP reliability vs UDP speed
Layer 3 – Network
Focus: Logical addressing and routing
Key Risks: IP spoofing, routing attacks
Security View: IPsec, packet filtering, ICMP misuse
Layer 2 – Data Link
Focus: Local network delivery
Key Risks: ARP poisoning, MAC flooding, VLAN hopping
Security View: Switch security, segmentation
Layer 1 – Physical
Focus: Physical transmission
Key Risks: Cable tapping, jamming, destruction
Security View: Physical access controls
4.0.2 IP Addressing and Core Network Services
Secure network architecture begins with correct addressing, segmentation, and protection of core network services. For the CISSP exam, the focus is not on memorizing configurations, but on understanding how addressing and services impact security, visibility, and risk containment.
IPv4 vs IPv6 — Security Perspective
The transition from IPv4 to IPv6 was driven by address exhaustion, but it also introduces meaningful security differences that CISSP candidates must understand.
IPv4
Relies heavily on NAT and private addressing (RFC 1918)
IPsec is optional
Entire subnets can be scanned by attackers
IPv6
Vast address space makes traditional scanning impractical
Eliminates the operational need for NAT
IPsec support is built into the protocol stack
Supports better end-to-end visibility and policy enforcement
CISSP Exam Focus: IPv6 improves scalability and visibility, but does not eliminate the need for firewalls, monitoring, or access controls.
Subnetting — Security and Management Value
Subnetting divides a large network into smaller logical segments.
From a security standpoint, subnetting:
Limits broadcast traffic, improving performance
Contains breaches by restricting lateral movement
Enables security zoning based on role, function, or sensitivity
CISSP Exam Focus: Subnetting is primarily about segmentation and containment, not just IP efficiency.
Network Address Translation (NAT)
NAT translates internal private IP addresses into public IP addresses for external communication. While originally created to conserve IPv4 addresses, it also provides a layer of abstraction between internal networks and the internet.
Types of NAT:
Static NAT: One-to-one mapping, commonly used for public-facing servers
Dynamic NAT: Maps internal addresses to a pool of public IPs
PAT (NAT Overload): Multiple internal hosts share one public IP using port numbers
CISSP Exam Focus: NAT provides address masking, not true security. It must not be treated as a firewall.
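To make the "masking, not a firewall" point concrete, here is an added example (not from the original summary) of a simplified PAT gateway. It allocates a public port for an outbound flow, lets the matching reply back in, and drops traffic for which no mapping exists. Its `filtering` switch uses the RFC 4787 terms: with address-and-port-dependent filtering only the original peer can use the mapping, while with endpoint-independent filtering (a full-cone NAT) any host that learns the public port reaches the inside client. The addresses and ports are constructed, and the translation logic is a teaching simplification rather than any vendor's implementation.

```python
import itertools
from dataclasses import dataclass, field

@dataclass
class PatGateway:
    """Simplified PAT (NAT overload) gateway: one public IP shared by many inside hosts.
    filtering: 'address-and-port-dependent' admits only the original remote endpoint;
               'endpoint-independent' (full cone) admits anyone who targets the public port."""
    public_ip: str
    filtering: str = "address-and-port-dependent"
    ports: itertools.count = field(default_factory=lambda: itertools.count(20000))
    outbound: dict = field(default_factory=dict)   # (inside_ip, inside_port) -> public_port
    inbound: dict = field(default_factory=dict)    # public_port -> (inside_ip, inside_port, remote_ip, remote_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: allocate (or reuse) a public port and rewrite the source."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            public_port = next(self.ports)
            self.outbound[key] = public_port
            self.inbound[public_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: only packets that hit an existing translation entry get through.
        Returns the rewritten (src_ip, src_port, inside_ip, inside_port), or None if dropped."""
        if dst_ip != self.public_ip or dst_port not in self.inbound:
            return None                          # no mapping: inside hosts are unreachable (masking)
        inside_ip, inside_port, remote_ip, remote_port = self.inbound[dst_port]
        if self.filtering == "address-and-port-dependent" and (src_ip, src_port) != (remote_ip, remote_port):
            return None                          # mapping exists, but the sender is not the peer
        return (src_ip, src_port, inside_ip, inside_port)

def demo(filtering: str) -> dict:
    """One client flow followed by three inbound packets; returns what each achieves."""
    gw = PatGateway("203.0.113.10", filtering)
    pub_ip, pub_port, _, _ = gw.translate_outbound("10.1.5.23", 51000, "198.51.100.7", 443)
    return {
        "reply": gw.translate_inbound("198.51.100.7", 443, pub_ip, pub_port),     # legitimate server reply
        "unsolicited": gw.translate_inbound("192.0.2.99", 4444, pub_ip, 22),       # no mapping for port 22
        "hijack": gw.translate_inbound("192.0.2.99", 4444, pub_ip, pub_port),      # third party reusing the mapping
    }

if __name__ == "__main__":
    for mode in ("address-and-port-dependent", "endpoint-independent"):
        print(mode, demo(mode))
```

Run it both ways and the difference is the exam point: the "protection" is a side effect of translation state, it varies with the NAT's filtering behaviour, and nothing here inspects content or enforces policy. That is why a stateful firewall still has to sit in front of (or inside) the NAT device.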
DNS — A Critical Network Service
The Domain Name System (DNS) translates human-readable names into IP addresses and is foundational to almost all network communication.
Because clients act on DNS answers without question, and classic DNS runs over unauthenticated UDP, it is a high-value attack target.
Common DNS Threats:
DNS cache poisoning
DNS amplification attacks
DNS tunneling
DNS hijacking / pharming
DNSSEC — Protecting DNS Integrity
DNSSEC enhances DNS by using cryptographic signatures to validate responses.
Provides integrity and authenticity
Prevents spoofing and cache poisoning
Does NOT provide confidentiality
Does NOT encrypt DNS traffic
CISSP Exam Focus: DNSSEC protects what DNS says, not who is listening.
DNS Security Best Practices
Effective DNS security relies on architectural controls, not just protocol features.
Key practices include:
Split-Brain DNS: Separate internal and external DNS zones
DNSSEC: Sign public DNS zones
Restricted Zone Transfers: Allow transfers only to authorized secondary servers
DDoS Protection: Protect public DNS servers from amplification and flood attacks, and never expose an open recursive resolver to the internet, since open resolvers are what amplification attacks abuse
4.0.3 Network Topologies and Architectures
Network topology and architecture decisions directly impact availability, fault tolerance, traffic visibility, and security control placement. For the CISSP exam, the emphasis is on understanding risk exposure and design intent, not physical cabling layouts.
Physical Network Topologies — Security Perspective
Physical topology defines how devices and transmission media are arranged.
Bus: Shared medium with no isolation; high risk and poor fault tolerance
Star: Centralized control; failure of the core device affects availability
Tree: Scalable hierarchical design; increases operational complexity
Mesh: High redundancy and fault tolerance; expensive and complex
Ring: Legacy design; single break can disrupt communication
CISSP Exam Focus: Topologies influence resilience and blast radius. More redundancy reduces availability risk but increases cost and complexity.
Three-Tier Network Architecture Model
Modern enterprise networks commonly adopt a layered architecture to improve scalability, control, and fault isolation.
Access Layer:
Provides connectivity for users and devices. This is where initial access controls such as VLANs and Network Access Control (NAC) are enforced.
Distribution Layer:
Acts as the policy enforcement boundary. Performs routing, filtering, and traffic control between access and core layers.
Core Layer:
Designed for speed and availability, not inspection. Security filtering should not slow core traffic.
CISSP Exam Focus: Security controls belong primarily in the access and distribution layers, not the core.
Traffic Flow Analysis
Understanding traffic direction is essential for correct control placement.
North–South Traffic:
Traffic entering or leaving the enterprise (e.g., users accessing public services).
Primary controls: firewalls, gateways, IDS/IPS.
East–West Traffic:
Internal traffic within the data center or between internal segments.
Primary controls: segmentation, internal firewalls, microsegmentation.
CISSP Exam Focus: Modern breaches spread laterally using East–West traffic, making internal segmentation critical.
4.0.4 Wireless Networking Principles
Wireless networks expand the attack surface by extending access beyond physical boundaries. CISSP focuses on protocol strength, authentication models, and attack recognition.
Wireless Security Protocol Hierarchy
Wireless security protocols have evolved to correct earlier cryptographic failures.
WEP: Broken and insecure — must never be used
WPA: Transitional fix using TKIP — deprecated
WPA2: Long-standing enterprise standard
WPA3: Current best practice with stronger protection against offline attacks
CISSP Exam Focus: WPA2 is the minimum acceptable standard. WPA3 represents current best practice.
Common Wireless Attacks and Defenses
War Driving / War Chalking
Attackers scan for open or weak wireless networks.
Mitigation:
Use strong encryption (WPA2/WPA3), disable open authentication, enforce strong credentials.
SSID hiding is a minor deterrent, not a security control.
Evil Twin Attack
A rogue access point broadcasts the same SSID as a legitimate network (often with a stronger signal) to capture credentials or intercept traffic.
Mitigation:
Use 802.1X with an EAP method in which the client authenticates the network before presenting credentials (EAP-TLS, or PEAP/EAP-TTLS with server-certificate validation enforced on the supplicant); a client configured this way refuses an access point that cannot present the expected authentication server certificate.
Wireless intrusion detection (WIDS) to flag unauthorized access points advertising corporate SSIDs, plus user awareness to prevent accidental connections.
CISSP Exam Focus: 802.1X defeats evil twins only when the EAP method is mutual, so the client validates the network as well as the reverse; 802.1X user authentication alone does not.
4.1 Secure Network Components
Secure network components form the first and most visible line of defense in enterprise architectures. CISSP evaluates your ability to select the right control for the right location, not your ability to configure devices.
Perimeter and Internal Defense Strategies
Enterprise network defense relies on layered architectural controls that limit exposure, reduce blast radius, and enforce security policy consistently.
Core Defense Concepts
Defense in Depth:
Uses multiple overlapping administrative, technical, and physical controls so that failure of one layer does not result in compromise.
Perimeter Defense:
Focuses on controlling ingress and egress at the network edge where inspection, filtering, and policy enforcement occur.
Demilitarized Zone (DMZ):
A segmented buffer network hosting public-facing services (web, mail, DNS) to protect the internal trusted network.
Bastion Host:
A hardened system placed at the perimeter or DMZ, designed to run a single critical service and withstand attack.
Network Segmentation:
Divides networks into isolated zones to restrict lateral movement using physical or logical separation (VLANs, subnets).
Microsegmentation:
Provides workload-level isolation and is a key Zero Trust control to restrict unnecessary east–west traffic.
EXAM FOCUS:
Segmentation limits blast radius. Microsegmentation protects east–west traffic.
Firewall Technologies — Conceptual Comparison
Firewalls enforce network security policy by filtering traffic between trust boundaries. CISSP focuses on capability, scope, and placement, not configuration.
Packet Filtering (Layers 3–4):
Stateless filtering on source/destination IP, protocol, and ports; fast, but it cannot tell a legitimate reply from a forged one and is bypassed with spoofed headers.
Stateful Inspection (Layer 4):
Tracks connection state so only traffic belonging to an established session is admitted; more intelligent filtering without payload inspection.
Circuit-Level Gateway (Layer 5):
Validates session establishment (e.g., TCP handshake) without inspecting content.
Application Proxy Firewall (Layer 7):
Terminates connections and inspects payloads; granular but resource-intensive.
Next-Generation Firewall (NGFW):
Combines stateful inspection, deep packet inspection, IPS, and application awareness.
EXAM FOCUS:
Choose firewalls based on risk, location, and traffic type, not “most advanced.”
Firewall Rule Management Principles
Effective firewall security depends on disciplined rule management.
Default deny: allow-list only the traffic that is needed (older material calls this whitelisting)
Rules are evaluated top-down and the first match wins, so place specific rules above general ones; a broad rule placed above a narrower one shadows it and the narrower rule never fires
Regular audits and cleanup
Removal of obsolete rules
Formal change management for all updates
EXAM FOCUS:
Misconfigured rules are a primary cause of firewall failure.
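The "first match wins, default deny" behaviour and the way a misplaced broad rule silently disables a later deny are worth seeing in code. The following added example (not from the original summary, and not any vendor's rule syntax) evaluates a small constructed rule base for a three-zone network and includes a shadowed-rule audit of the kind a firewall review should run. Zone addresses, rule names and ports are constructed.

```python
import ipaddress

class Rule:
    def __init__(self, name, action, src, dst, proto="any", dport=None):
        self.name, self.action = name, action            # action: "allow" or "deny"
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.proto = proto                                # "tcp", "udp" or "any"
        self.dport = dport                                # int, or None for any port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is also matched by this rule."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))

def evaluate(rules, pkt):
    """First match wins; no match at all means the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default-deny"

def shadowed_rules(rules):
    """Audit: rules that can never fire because an earlier rule already covers all their traffic."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                findings.append((rule.name, earlier.name))
                break
    return findings

# Constructed rule base: users 10.1.5.0/24, web tier 10.1.20.0/24, database tier 10.1.30.0/24.
RULES = [
    Rule("allow-web-to-db", "allow", "10.1.20.0/24", "10.1.30.5/32", "tcp", 5432),
    Rule("allow-mgmt-to-db", "allow", "10.1.0.0/16", "10.1.30.0/24"),      # over-broad "temporary" rule
    Rule("deny-users-to-db", "deny", "10.1.5.0/24", "10.1.30.0/24"),       # intended control, never reached
]

USER_TO_DB = {"src": "10.1.5.23", "dst": "10.1.30.5", "proto": "tcp", "dport": 5432}
WEB_TO_DB = {"src": "10.1.20.8", "dst": "10.1.30.5", "proto": "tcp", "dport": 5432}

def fixed_rules():
    """Remediation from the audit: the specific deny is moved above the broad allow."""
    return [RULES[2], RULES[0], RULES[1]]

if __name__ == "__main__":
    print("as deployed, user -> db:", evaluate(RULES, USER_TO_DB))
    print("shadowed rules:", shadowed_rules(RULES))
    print("after reorder, user -> db:", evaluate(fixed_rules(), USER_TO_DB))
    print("after reorder, web -> db:", evaluate(fixed_rules(), WEB_TO_DB))
```

As deployed, a user workstation reaches the database because the broad management rule matches first; the audit reports `deny-users-to-db` as shadowed by `allow-mgmt-to-db`, and reordering restores the intended behaviour without touching the web tier's access. The next step a reviewer would take is to narrow the management rule itself to the actual management subnet.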
Intrusion Detection, Prevention, and Deception
IDS vs IPS
IDS: Passive, detects and alerts only
IPS: Inline, actively blocks malicious traffic
Detection Methods
Signature-based: Accurate for known attacks, blind to zero-days
Anomaly-based: Detects unknown attacks but prone to false positives
Alert Accuracy
True Positive: Correct detection
True Negative: Correct ignore
False Positive: Benign flagged as attack
False Negative: Attack missed (most dangerous)
EXAM FOCUS:
False negatives pose the greatest risk.
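The trade-off between signature and anomaly detection, and the four alert outcomes above, can be measured directly. This added example (not from the original summary) serves both the DNS tunneling threat listed under 4.0.2 and this section: it runs a blocklist-style signature detector and a label-length/entropy anomaly heuristic over a constructed DNS query log with known ground truth and tabulates true/false positives and negatives for each. Every hostname in the log is constructed, and the thresholds are illustrative, not tuned values from any product.

```python
import math
from collections import Counter

# Constructed DNS query log with ground truth (name, is_malicious). Not real traffic.
QUERY_LOG = [
    ("www.example.com", False),
    ("mail.example.com", False),
    ("login.example.com", False),
    ("a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.cdn.example.net", False),   # benign: long CDN cache-key label
    ("update.known-bad.example", True),                            # malicious, domain is on the blocklist
    ("cdn.known-bad.example", True),                               # malicious, same known domain
    ("3x7kq9zv2mlp8w4n0ybh5tr6s.exfil.example", True),             # malicious tunnel, domain never seen before
]

SIGNATURES = {"known-bad.example"}       # what signature-based detection knows

def signature_detect(name: str) -> bool:
    """Flag only names under a known-bad domain."""
    return any(name == bad or name.endswith("." + bad) for bad in SIGNATURES)

def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def anomaly_detect(name: str, max_label_len: int = 25, max_entropy: float = 3.5) -> bool:
    """Tunnel heuristic: encoded data rides in the leftmost label, so it is long or high-entropy."""
    first_label = name.split(".")[0]
    return len(first_label) > max_label_len or shannon_entropy(first_label) > max_entropy

def confusion_matrix(detector, log) -> dict:
    """Count TP/TN/FP/FN for a detector against ground truth."""
    result = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for name, malicious in log:
        flagged = detector(name)
        key = ("T" if flagged == malicious else "F") + ("P" if flagged else "N")
        result[key] += 1
    return result

if __name__ == "__main__":
    for label, detector in (("signature", signature_detect), ("anomaly", anomaly_detect)):
        print(f"{label:9s} {confusion_matrix(detector, QUERY_LOG)}")
```

The signature detector produces no false positives but misses the never-before-seen tunnel domain (a false negative, the outcome the exam calls most dangerous); the anomaly detector catches that tunnel but misses the two queries whose labels look ordinary and flags the benign CDN hostname. Real deployments combine both and tune thresholds against their own baseline traffic.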
Honeypots and Honeynets
Honeypots and honeynets are deception-based detective controls designed to attract attackers and study their behavior.
Honeypot: Single decoy system
Honeynet: Network of decoys
They contain no production data and serve as early-warning and intelligence tools; any connection to them is suspicious by definition.
Enticement (Legal): Making an attractive, apparently vulnerable system available and recording who attacks it
Entrapment (Illegal): Actively luring or inducing someone to commit a crime they would not otherwise have committed; honeypot design must stay on the enticement side
EXAM FOCUS:
Honeypots are detective controls, not preventive.
4.1.1 Endpoint and Access Control
Endpoint and access control mechanisms ensure that only authorized, trusted, and compliant devices are allowed to access network resources. CISSP evaluates your ability to select the right access control strategy, not configure endpoint tools.
Network Access Control (NAC)
Network Access Control (NAC) is a policy-driven framework that enforces access decisions based on identity and device posture. It integrates authentication, endpoint compliance checks, and network enforcement to prevent untrusted devices from accessing the network.
NAC commonly relies on IEEE 802.1X for port-based authentication and evaluates endpoints before granting access.
Access Decision Logic
Authenticated & Compliant: Full network access
Authenticated but Non-Compliant: Restricted or quarantine access for remediation
Authentication Failure: Access denied
EXAM FOCUS:
NAC enforces who can connect and under what conditions, not just credentials.
Endpoint Security Controls
Endpoints are frequent attack targets and must be protected with layered host-level controls.
Antimalware: Detects and blocks malicious software
Host-Based Firewall / IDPS: Controls inbound and outbound traffic at the device level
Data Loss Prevention (DLP): Prevents unauthorized data exfiltration
Endpoint Detection and Response (EDR): Provides behavioral analysis, threat hunting, and rapid response beyond traditional antivirus
EXAM FOCUS:
EDR focuses on detection and response, not prevention alone.
Mobile Device Management (MDM) and MAM
Mobile devices extend the network perimeter and require centralized control.
MDM: Manages and secures the entire device (encryption, passwords, remote wipe, app control)
MAM: Secures only corporate applications and data, commonly used in BYOD environments
EXAM FOCUS:
MDM controls the device.
MAM controls the application and data.
4.2 Implement Secure Communication Channels
Secure communication channels protect data as it traverses untrusted networks, such as the public internet. CISSP evaluates your ability to select appropriate protocols and architectures that ensure confidentiality, integrity, and authenticity for data in transit.
Remote Access and Tunneling Concepts
Remote users commonly access enterprise resources over untrusted networks, making encrypted tunnels essential.
A Virtual Private Network (VPN) creates a secure, encrypted tunnel over a public network. The underlying mechanism is tunneling, which encapsulates one protocol inside another. Tunneling alone provides transport, not security — encryption and authentication must be added to make the channel secure.
IPsec Modes of Operation
IPsec is a primary VPN technology and operates in two modes:
Transport Mode:
Protects only the payload (with ESP, the transport segment is encrypted); the original IP header is sent in the clear, so the true endpoints remain visible. Used for host-to-host communication within trusted environments.
Tunnel Mode:
Protects the entire original packet, including its IP header, and encapsulates it in a new packet addressed between the VPN gateways; an observer sees only gateway addresses. Used for site-to-site and remote-access VPNs across untrusted networks.
EXAM FOCUS:
Transport mode = trusted internal communication
Tunnel mode = crossing the internet
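What each mode leaves readable on the wire is the detail exam questions turn on. The following added example (not from the original summary, and not a real IPsec implementation) builds an ESP packet in transport mode and in tunnel mode for the same constructed TCP segment and then reports what an on-path observer without the SA keys can see. The confidentiality step is a labelled toy keystream built from HMAC-SHA256 in counter mode, standing in for the real cipher (for example AES-GCM) purely so that the protected bytes are unreadable in the demo; the key, SPIs, addresses and segment bytes are all constructed.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-a-real-sa"   # constructed stand-in for the SA's keys

def ip4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero in this constructed example)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, ip4(src), ip4(dst))

def keystream_xor(data: bytes, spi: int, seq: int) -> bytes:
    """Toy confidentiality: HMAC-SHA256 in counter mode used as a keystream. Real ESP uses a
    proper cipher such as AES-GCM; this only makes the protected bytes unreadable for the demo."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(KEY, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

def esp_wrap(inner: bytes, spi: int, seq: int, next_header: int) -> bytes:
    """ESP (IP protocol 50): clear SPI and sequence number, protected payload + trailer, then ICV."""
    trailer = bytes([0, next_header])                       # pad length 0, next header
    body = struct.pack("!II", spi, seq) + keystream_xor(inner + trailer, spi, seq)
    icv = hmac.new(KEY, body, hashlib.sha256).digest()[:16]
    return body + icv

def esp_unwrap(esp: bytes):
    """Verify the ICV, then recover (inner data, next header)."""
    body, icv = esp[:-16], esp[-16:]
    if not hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", body[:8])
    plain = keystream_xor(body[8:], spi, seq)
    return plain[:-2], plain[-1]

def transport_mode(src: str, dst: str, segment: bytes, spi: int = 0x1001, seq: int = 1) -> bytes:
    """Host-to-host: only the transport segment is protected; the original IP header is sent in clear."""
    esp = esp_wrap(segment, spi, seq, next_header=6)         # next header 6 = TCP
    return ip_header(src, dst, 50, len(esp)) + esp

def tunnel_mode(gw_a: str, gw_b: str, src: str, dst: str, segment: bytes, spi: int = 0x2002, seq: int = 1) -> bytes:
    """Gateway-to-gateway: the whole original packet is protected; a new outer header names the gateways."""
    inner = ip_header(src, dst, 6, len(segment)) + segment
    esp = esp_wrap(inner, spi, seq, next_header=4)           # next header 4 = IPv4-in-IPv4
    return ip_header(gw_a, gw_b, 50, len(esp)) + esp

def observer_view(packet: bytes) -> dict:
    """What an on-path device without the SA keys can read: outer header plus ESP's clear fields."""
    spi, seq = struct.unpack("!II", packet[20:28])
    return {"src": ".".join(map(str, packet[12:16])), "dst": ".".join(map(str, packet[16:20])),
            "protocol": packet[9], "spi": spi, "seq": seq}

if __name__ == "__main__":
    segment = b"\x9c\x40\x01\xbb" + b"CONSTRUCTED TCP SEGMENT"   # ports 40000 -> 443, then filler bytes
    print("transport:", observer_view(transport_mode("10.1.5.23", "10.1.20.8", segment)))
    print("tunnel:   ", observer_view(tunnel_mode("203.0.113.1", "198.51.100.7", "10.1.5.23", "10.2.0.9", segment)))
```

In transport mode the observer learns the real source and destination hosts (and that they speak ESP); in tunnel mode only the two gateway addresses appear, which is why tunnel mode is the choice when the path crosses networks you do not control. Note also what neither mode exposes: TCP ports are inside the protected payload, so an ESP-aware firewall can filter on addresses and SPI but not on service.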
VPN Traffic Routing Decisions
When implementing remote access VPNs, traffic routing impacts both security and performance.
Full Tunnel:
All traffic flows through the VPN. More secure, but higher bandwidth and latency impact.
Split Tunnel:
Only corporate traffic uses the VPN. Better performance, but higher risk due to bypassed security controls.
EXAM FOCUS:
Full tunnel prioritizes security.
Split tunnel prioritizes performance.
IPsec Security Components (Conceptual)
IPsec uses multiple components to secure traffic:
Authentication Header (AH):
Provides integrity and authentication only. No encryption.
Encapsulating Security Payload (ESP):
Provides confidentiality, integrity, and authentication. Most commonly used.
Security Association (SA):
Defines the parameters of protection. One-way; two are required for full communication.
Internet Key Exchange (IKE):
Automates key negotiation and SA creation.
EXAM FOCUS:
ESP = full protection
AH ≠ encryption
SSL/TLS Secure Communication
TLS (the successor to SSL) provides secure client-to-server communication and is widely used for HTTPS, email, and application services.
TLS uses asymmetric cryptography to establish trust and exchange keys, then switches to symmetric encryption for performance during the session.
EXAM FOCUS:
SSL is obsolete.
TLS is the standard.
Secure Shell (SSH)
SSH provides a secure alternative to Telnet for remote system access.
It ensures:
Encrypted communication
Strong authentication
Integrity protection
Secure tunneling of other protocols
EXAM FOCUS:
SSH replaces Telnet.
Email Security Protocols
SMTP has no built-in sender authentication, making spoofing and phishing common threats. Three DNS-published mechanisms work together to address this risk:
SPF: Lists the servers authorized to send mail for a domain; the receiver checks the connecting server against the envelope sender (MAIL FROM) domain
DKIM: A signature over selected headers and the body, verified with a public key in DNS; proves the message was not altered in transit and was signed by the domain named in its d= tag
DMARC: Requires the SPF or DKIM domain to align with the visible From: domain, sets the policy (none, quarantine, reject) for messages that fail, and provides reporting
EXAM FOCUS (Golden Line):
SPF checks where mail came from
DKIM checks whether it was altered
DMARC decides what to do if checks fail