CISSP Mastery

CISSP Mastery · Module 4 / 8

Domain 4: Communication & Network Security

Securing the backbone of digital interaction: protocols, architecture, and threat mitigation.

Exam weight: 13%
Domain focus: OSI 7-layer fluency and Zero Trust as the modern perimeter

Why Domain 4 is the connective tissue of the CISSP

Every other domain ultimately speaks across a network. Domain 4 trains you to read traffic at every OSI layer, design segmentation that contains blast radius, pick the right cryptographic channel for each link, and recognize the attack patterns that target the wire.

Domain 4 sits between the architecture of Domain 3 and the identity controls of Domain 5. Master OSI fluency, segmentation, secure protocols and Zero Trust here — every later domain assumes you can place a control at the right network layer.

  • Architecture = layered defense

    OSI / TCP-IP fluency, VLANs, DMZs and microsegmentation are how you enforce least-privilege at the network plane.

  • Channels = trust on the wire

    TLS, IPsec and SSH each protect a different scope (application, network, session). Knowing which to pick is half the battle.

  • Attacks = predictable patterns

    DDoS, spoofing, MITM, ARP poisoning, DNS hijacking. The exam tests recognition and the right control, not memorization.

  • Wireless & Zero Trust

    Wi-Fi (WPA3, EAP-TLS) and VPNs are evolving toward Zero Trust: never trust the network, always verify identity and posture.

Module 1 · Network architecture

Secure design, OSI mapping & segmentation

A secure network is not a stack of products — it's a stack of layers. The OSI model gives you the language to design controls at the right altitude, and segmentation contains the blast radius when (not if) something fails.

  • Defense in depth

    Layered controls: edge firewall, IDS/IPS, WAF, host firewall, EDR, segmented VLANs. No single control is a single point of failure; when one layer is bypassed, the next one still has to be defeated before the attacker can take the next step.

  • OSI vs TCP/IP

    OSI is the conceptual reference (7 layers). TCP/IP is the operational stack (4 layers). The exam expects fluency in both, especially mapping protocols to layers.

  • VLANs & microsegmentation

    VLANs split a switch into logical broadcast domains; microsegmentation enforces per-workload firewall rules even within the same VLAN.

  • DMZ pattern

    Public-facing services (web, mail, DNS) live in the DMZ between two firewalls. The internal LAN is never directly reachable from the Internet.

Segmentation: Internet → DMZ → Internal VLANs

  Internet (untrusted)
    → Edge firewall (stateful)
      → DMZ: web reverse proxy, SMTP relay, authoritative DNS
        → Inner firewall (L7 inspection / IPS)
          → Internal: VLAN 10 Users · VLAN 20 Apps · VLAN 30 DB

Rule of thumb: the DMZ is reachable from the Internet, the internal LAN is not. Each VLAN gets its own ACL on the inner firewall.
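As an added example (not part of the course page), here is the inner-firewall policy for the diagram above written as an explicit allow-list and evaluated in Python. The address plan (192.0.2.0/24 for the DMZ, 10.10/10.20/10.30.0.0/24 for VLANs 10/20/30), the host addresses and the port numbers are assumptions for the example. Everything not listed is dropped, and `reachable_from` makes the blast-radius property measurable: a compromised DMZ host can only open connections to the app tier, never to the database or the user VLAN.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan matching the zones in the diagram (assumed values, not a real network).
ZONES = {
    "INTERNET": ipaddress.ip_network("0.0.0.0/0"),    # catch-all, matched last
    "DMZ":      ipaddress.ip_network("192.0.2.0/24"),
    "USERS":    ipaddress.ip_network("10.10.0.0/24"),  # VLAN 10
    "APPS":     ipaddress.ip_network("10.20.0.0/24"),  # VLAN 20
    "DB":       ipaddress.ip_network("10.30.0.0/24"),  # VLAN 30
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the internal prefixes is Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if name != "INTERNET" and addr in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: frozenset  # destination ports permitted


# The whole segmentation policy is this allow-list; no rule means no connection (default deny).
RULES = [
    Rule("INTERNET", "DMZ",  "tcp", frozenset({80, 443})),  # reverse proxy
    Rule("INTERNET", "DMZ",  "tcp", frozenset({25})),       # SMTP relay
    Rule("INTERNET", "DMZ",  "udp", frozenset({53})),       # authoritative DNS
    Rule("DMZ",      "APPS", "tcp", frozenset({8443})),     # proxy -> app tier only
    Rule("USERS",    "APPS", "tcp", frozenset({443})),      # users -> apps, never users -> DB
    Rule("APPS",     "DB",   "tcp", frozenset({5432})),     # apps -> database
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Decide a new connection the way a stateful inner firewall would: first matching rule permits."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Same VLAN: the firewall is not in the path (microsegmentation would add per-host rules here).
        return "permit"
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto) == (src, dst, proto) and dport in rule.dports:
            return "permit"
    return "deny"  # implicit default deny: Internet -> internal VLANs is never reachable


def reachable_from(zone: str) -> set:
    """Zones a compromised host in `zone` can initiate connections to: its blast radius."""
    return {rule.dst_zone for rule in RULES if rule.src_zone == zone}


if __name__ == "__main__":
    flows = [
        ("203.0.113.7", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web: permit
        ("203.0.113.7", "10.20.0.5",  "tcp", 8443),  # Internet -> apps: deny
        ("192.0.2.10",  "10.30.0.5",  "tcp", 5432),  # DMZ -> DB directly: deny
        ("10.30.0.5",   "203.0.113.7","tcp", 443),   # DB -> Internet (exfil path): deny
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
    for z in ("INTERNET", "DMZ", "USERS", "APPS", "DB"):
        print(z, "can reach", sorted(reachable_from(z)))
```

Because the policy is default deny, every added rule widens some zone's blast radius; reviewing `reachable_from` for each zone after a change is the quickest way to catch a rule that quietly bridges the DMZ to the database tier.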

Module 2 · Secure communication channels

TLS, IPsec & SSH — pick the right scope

Each protocol protects a different scope of traffic. Knowing which one to apply is the difference between encrypting a single API call and encrypting an entire site-to-site link.

Application layer · L7

TLS / SSL

Wraps any TCP-based protocol (HTTPS, SMTPS, IMAPS). Prefer TLS 1.3; TLS 1.0 and 1.1 are formally deprecated (RFC 8996) and TLS 1.2 remains acceptable only with modern cipher suites. TLS 1.3 gives forward secrecy by default through ephemeral (EC)DHE key exchange.

Network layer · L3

IPsec

Protects entire IP packets (ESP for confidentiality + integrity, AH for integrity-only). Two modes: transport (host-to-host) and tunnel (gateway-to-gateway VPN).

Session layer · L5–7

SSH

Encrypted remote shell + secure file transfer (SCP/SFTP) + tunneling. Public-key authentication is preferred over passwords; rotate host keys on every rebuild.

TLS 1.3 handshake: from ClientHello to encrypted traffic in one round trip

  ① Client → Server: ClientHello (supported cipher suites, key share)
  ② Server → Client: ServerHello (key share), then, already encrypted: EncryptedExtensions, Certificate, CertificateVerify, Finished
  ③ Client → Server: Finished; both sides have derived the session keys
  ④ Encrypted application data in both directions 🔒

Pro tip: TLS 1.3 removes RSA key transport entirely — ephemeral Diffie-Hellman gives forward secrecy by default.

Module 3 · Network attacks

DDoS, spoofing, MITM — recognize the pattern, pick the control

The exam tests pattern recognition more than memorization. Read the scenario for the layer being targeted, then map it to the right defensive control.

  • DDoS / amplification

    Volumetric (saturate bandwidth), protocol (TCP SYN floods), or application (slow HTTP). Defense: upstream scrubbing and anycast CDN for volume, SYN cookies and rate limits for protocol floods, and BCP 38 ingress filtering at the source networks so spoofed reflection traffic never leaves them.

  • IP / MAC spoofing

    Forging the source address to evade ACLs or impersonate a host. Defense: anti-spoofing ACLs at the edge, DHCP snooping, dynamic ARP inspection on switches.

  • Man-in-the-middle (MITM)

    Attacker intercepts and relays traffic. Defense: mutual TLS, strict certificate pinning, HSTS, DNSSEC for resolution integrity.

  • ARP poisoning & DNS hijacking

    Local-network ARP cache poisoning redirects L2 traffic; DNS hijacking redirects L7. Defense: dynamic ARP inspection, port security, DNSSEC, DoH/DoT.

DDoS amplification: botnet → open reflectors → victim

  Bots send small requests whose source IP is spoofed to the victim's address
    → open DNS, NTP or memcached reflectors answer the victim with responses many times larger than the request (from tens of times for DNS to thousands for memcached)
      → the victim's link or server saturates under traffic it never asked for

Defenses: ingress filtering (BCP 38), upstream scrubbing, anycast CDN, rate-limiting per source AS, and disabling open recursive services.
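As an added example (not from the course page), the L2 spoofing and ARP-poisoning defenses above modelled in Python: a Dynamic ARP Inspection check that validates each ARP frame against a DHCP-snooping binding table, plus the passive detection a host or IDS can run when the switch offers no DAI (one IP advertised by more than one MAC). The binding table, port names, MAC and IP addresses, and the ARP frames are all constructed for this example.

```python
from collections import defaultdict

# Constructed DHCP-snooping binding table, the source of truth DAI trusts:
# sender IP -> (MAC that leased it, switch port it sits on). Values are made up.
BINDINGS = {
    "10.10.0.1":  ("00:11:22:33:44:01", "uplink"),   # default gateway
    "10.10.0.50": ("00:11:22:33:44:50", "Gi1/0/5"),
    "10.10.0.51": ("00:11:22:33:44:51", "Gi1/0/6"),
}
# DAI does not inspect frames arriving on trusted ports (uplinks, the gateway side).
TRUSTED_PORTS = {"uplink"}

# Constructed ARP frames as the switch sees them: (ingress port, opcode, sender MAC, sender IP).
ARP_FRAMES = [
    ("Gi1/0/5", "reply",   "00:11:22:33:44:50", "10.10.0.50"),  # host .50 answering for itself
    ("Gi1/0/6", "reply",   "00:11:22:33:44:51", "10.10.0.1"),   # host .51 claims the gateway IP
    ("Gi1/0/6", "reply",   "00:11:22:33:44:51", "10.10.0.50"),  # host .51 claims to be .50
    ("uplink",  "reply",   "00:11:22:33:44:01", "10.10.0.1"),   # the real gateway, trusted port
    ("Gi1/0/7", "request", "de:ad:be:ef:00:07", "10.10.0.77"),  # no DHCP lease for this host
]


def dai_verdict(port: str, opcode: str, sender_mac: str, sender_ip: str) -> str:
    """Dynamic ARP Inspection: a frame on an untrusted port is forwarded only if its
    sender IP/MAC pair (and port) match the DHCP-snooping binding. Requests and
    replies are both validated; `opcode` is kept for logging."""
    if port in TRUSTED_PORTS:
        return "forward"
    binding = BINDINGS.get(sender_ip)
    if binding is None:
        return "drop:no-binding"        # static or rogue host with no lease
    bound_mac, bound_port = binding
    if bound_mac != sender_mac:
        return "drop:mac-mismatch"      # the classic poisoning frame
    if bound_port != port:
        return "drop:port-mismatch"     # lease exists but from a different port
    return "forward"


def inspect(frames) -> list:
    """Verdict per frame, in input order."""
    return [dai_verdict(*frame) for frame in frames]


def arp_flips(frames) -> dict:
    """Passive detection without switch support: IPs advertised by more than one MAC.
    A gateway IP showing a second MAC is the signature of a MITM via ARP poisoning."""
    seen = defaultdict(set)
    for _port, _opcode, mac, ip in frames:
        seen[ip].add(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    for frame, verdict in zip(ARP_FRAMES, inspect(ARP_FRAMES)):
        print(verdict.ljust(18), frame)
    print("IPs with conflicting MACs:", arp_flips(ARP_FRAMES))
```

The two functions are the prevention and detection halves of the same control: DAI drops the poisoning frames before any cache is touched, while `arp_flips` is what you would alert on from a packet capture on a segment where DAI and port security are not yet enabled.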

Module 4 · Wireless & remote access

Wi-Fi, VPN & the Zero Trust shift

The perimeter is wherever the user is. Wireless and remote-access controls are how you re-establish trust at the edge, and Zero Trust is how the industry is replacing "trust the network" entirely.

  • Wi-Fi: WPA3 + EAP-TLS

    WPA3-Personal replaces the pre-shared-key handshake with SAE (Simultaneous Authentication of Equals), which resists offline dictionary attacks on captured handshakes. WPA3-Enterprise uses 802.1X instead; pair it with EAP-TLS for per-user or per-device certificates.

  • VPN modes

    Site-to-site (IPsec tunnel mode between gateways) for branch interconnect; remote-access (IPsec, SSL/TLS, WireGuard) for road warriors. Split-tunneling vs full-tunnel is a policy choice.

  • Zero Trust principles

    Never trust the network, always verify. Identity + device posture + per-resource auth, evaluated continuously. NIST SP 800-207 is the reference framework.

  • NAC & posture checks

    Network Access Control gates corporate Wi-Fi / VPN on device hygiene (patch level, EDR present, disk encryption). Quarantine VLAN for non-compliant endpoints.

VPN tunnel: IPsec or WireGuard, an encrypted overlay across an untrusted network

  Remote client (VPN agent) ⇄ [encrypted tunnel 🔒: ESP keyed by IKEv2 for IPsec; WireGuard uses its own Noise-based handshake] ⇄ VPN gateway (corporate edge) → files, apps
  The Internet in the middle is untrusted; only the two tunnel endpoints ever see plaintext.

Trade-off: a classic VPN trusts the network once you're inside. Zero Trust replaces that with continuous identity, device posture and per-resource auth.
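As an added example (not from the course page or NIST SP 800-207), a toy policy decision point in Python that applies the three Zero Trust inputs listed above, identity, device posture and the resource being requested, on every request rather than once at login, and hands non-compliant devices to a quarantine outcome the way a NAC would. The resource policies, device attributes and sessions are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Device:
    hostname: str
    days_since_patch: int
    edr_running: bool
    disk_encrypted: bool
    managed: bool


@dataclass
class Session:
    user: str
    mfa: bool
    auth_age_minutes: int   # minutes since the user last proved identity
    device: Device


# Constructed per-resource policy: the stricter the resource, the stricter the posture and identity bar.
RESOURCE_POLICY = {
    "wiki":    {"max_patch_age_days": 90, "require_edr": False, "require_mfa": False, "max_auth_age": 720},
    "payroll": {"max_patch_age_days": 30, "require_edr": True,  "require_mfa": True,  "max_auth_age": 60},
}


def posture_findings(dev: Device, policy: dict) -> list:
    """Device hygiene checks a NAC or endpoint agent would report."""
    findings = []
    if not dev.managed:
        findings.append("unmanaged device")
    if dev.days_since_patch > policy["max_patch_age_days"]:
        findings.append("patch level too old")
    if policy["require_edr"] and not dev.edr_running:
        findings.append("EDR not running")
    if not dev.disk_encrypted:
        findings.append("disk not encrypted")
    return findings


def decide(session: Session, resource: str) -> tuple:
    """Policy decision for one request: ('allow' | 'step-up' | 'quarantine', reasons).
    Posture is evaluated before identity so a non-compliant device is never offered a
    step-up path; the enforcement point would move it to the remediation VLAN instead."""
    policy = RESOURCE_POLICY[resource]
    findings = posture_findings(session.device, policy)
    if findings:
        return ("quarantine", findings)
    if policy["require_mfa"] and not session.mfa:
        return ("step-up", ["MFA required for this resource"])
    if session.auth_age_minutes > policy["max_auth_age"]:
        return ("step-up", ["re-authentication required"])
    return ("allow", [])


# Constructed endpoints for the demonstration.
GOOD_LAPTOP = Device("lt-001", days_since_patch=7, edr_running=True, disk_encrypted=True, managed=True)
STALE_LAPTOP = Device("lt-002", days_since_patch=45, edr_running=False, disk_encrypted=True, managed=True)

if __name__ == "__main__":
    for sess, res in [
        (Session("alice", mfa=True, auth_age_minutes=10, device=GOOD_LAPTOP), "payroll"),
        (Session("alice", mfa=True, auth_age_minutes=120, device=GOOD_LAPTOP), "payroll"),
        (Session("bob", mfa=False, auth_age_minutes=10, device=STALE_LAPTOP), "wiki"),
        (Session("bob", mfa=True, auth_age_minutes=10, device=STALE_LAPTOP), "payroll"),
    ]:
        print(sess.user, "->", res, decide(sess, res))
```

The point the code makes that the bullets cannot: the same device and the same user get different answers for different resources, and a session that was fine an hour ago is re-evaluated on the next request. That is the difference between a VPN that trusts you once you are inside and a policy engine that never stops asking.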

Exam-grade takeaways

CISSP Exam Pro-Tip — the OSI lens

The OSI model is the single most useful mental model in Domain 4. Use it as your default lens for troubleshooting, control placement, and answer-elimination.

Exam cue

OSI is your troubleshooting compass

When a question describes a connectivity issue or a control failure, name the layer first. Cable / link → L1-2. Routing / IP → L3. Port reachability → L4. Cert / app behavior → L7. The layer almost always reveals the right answer.

Pro tip

Match policy to layer

Security policy lives at every layer. ACLs at L3-4, application policies at L7, MAC port-security at L2. The CISSP rewards candidates who place each control at the right altitude rather than stacking everything at L7.

Trap

TLS does not protect against everything

TLS authenticates the server and protects confidentiality and integrity in transit; it does nothing for the endpoint. A compromised client, or a client configured to skip certificate validation (no chain check, no hostname check, no pinning), defeats the entire chain no matter how strong the cipher suite is.
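As an added example (not from the course page), the Module 2 guidance on TLS versions and this trap side by side in Python's standard `ssl` module: a hardened client context, the "turn validation off to make the error go away" context that makes a MITM with a self-signed certificate succeed, and a small auditor that reports which of the two you actually shipped. No network connection is made; the checks run on the context objects themselves.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """The intended configuration: verify the chain, check the hostname, floor at TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # defaults: CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # TLS 1.0 / 1.1 are deprecated (RFC 8996)
    ctx.load_default_certs()                        # trust the system CA store
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The trap: a certificate error 'fixed' by disabling validation. Any certificate is now
    accepted, so an on-path attacker presenting a self-signed cert reads and modifies traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared first or CERT_NONE raises ValueError
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings for a client context; an empty list means it passes all three checks."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (a valid cert for any name is accepted)")
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        findings.append("minimum protocol version not pinned to TLS 1.2 or 1.3")
    return findings


def is_hardened(ctx: ssl.SSLContext) -> bool:
    return not audit_context(ctx)


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(name, "->", audit_context(ctx) or "OK")
```

The audit is the kind of check worth wiring into code review or a unit test: the weak pattern is almost always introduced to silence an expired or self-signed certificate in a test environment and then shipped, and nothing in the TLS handshake itself will ever complain about it.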

Concept map

The OSI model — your architectural blueprint

Every Domain 4 control sits at one of these seven layers. Top-down for traffic, bottom-up for troubleshooting.

OSI 7-layer stack

  L7 Application  · data exchanged with users / apps · HTTPS, DNSSEC, SAML, OAuth 2.0
  L6 Presentation · encoding, encryption, compression · TLS 1.3, JWT, JPEG, MIME
  L5 Session      · session lifecycle, keep-alive · NetBIOS, RPC
  L4 Transport    · reliable delivery, ports, windowing · TCP, UDP, QUIC
  L3 Network      · routing, IP addressing, packets · IPv4, IPv6, IPsec, ICMP
  L2 Data Link    · frames, MAC addressing, LAN · Ethernet, ARP, PPP authentication (PAP), L2TP, 802.1X, WPA3
  L1 Physical     · bits on the wire / radio · cabling, fiber, NIC, RF

Mnemonic: All People Seem To Need Data Processing.

Quick check · Domain 4 quiz

Question 1 of 5: What is the defining security philosophy of ZTNA?

Ready for Domain 5?

Module 4 connects network architecture, secure channels, and Zero Trust patterns to the controls examiners expect. Continue to Domain 5 when you are ready.