Network security controls
Firewalls filter network traffic based on rules. A packet filtering firewall examines individual packets (source IP, destination IP, port, protocol) and allows or blocks them based on static rules. A stateful inspection firewall tracks the state of active connections and makes filtering decisions based on context, not just individual packets. An application layer firewall (or next-generation firewall) inspects the content of traffic, not just headers, enabling it to detect threats embedded in legitimate protocols.
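To make the packet-filtering versus stateful-inspection distinction concrete, here is an added Python example (not part of the original study guide): a stateless rule set that has to admit "reply" traffic by static header rule, beside a stateful filter that admits an inbound packet only when it matches a connection it saw opened from inside. The addresses, ports and rules are constructed sample values, not a real configuration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # TCP SYN flag: marks a new connection attempt


INTERNAL_PREFIX = "10.0.0."  # constructed internal network


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def packet_filter(pkt):
    """Stateless rules: each packet is judged on its own headers.
    Rule 1: internal hosts may open HTTPS (destination port 443).
    Rule 2: to let replies back in, a stateless filter has no choice
            but to admit any inbound packet whose source port is 443."""
    if is_internal(pkt.src) and pkt.dport == 443:
        return True
    if is_internal(pkt.dst) and pkt.sport == 443:
        return True
    return False


class StatefulFirewall:
    """Tracks connections opened from inside; inbound traffic must match one."""
    def __init__(self):
        self.connections = set()  # (int_ip, int_port, ext_ip, ext_port)

    def allow(self, pkt):
        if is_internal(pkt.src) and pkt.dport == 443:
            if pkt.syn:  # only a SYN creates new connection state
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if is_internal(pkt.dst):
            # Admit only the return leg of a connection already in the table
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
        return False


def compare(stream):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.allow(p)) for p in stream]


SAMPLE = [  # constructed traffic, not a real capture
    Packet("10.0.0.5", "203.0.113.10", 51000, 443, syn=True),  # client opens HTTPS
    Packet("203.0.113.10", "10.0.0.5", 443, 51000),            # server's genuine reply
    Packet("198.51.100.7", "10.0.0.9", 443, 3389, syn=True),   # unsolicited inbound, source port 443
]
```

The third packet passes the stateless filter purely because its source port is 443, while the stateful filter rejects it because no internal host opened that connection.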
Network segmentation divides a network into isolated zones. A DMZ (Demilitarized Zone) is a semi-trusted segment that sits between the internet and the internal network, typically hosting servers that must be publicly accessible (web servers, email servers) without exposing the internal network. VLANs (Virtual Local Area Networks) segment traffic at the switch level, creating logical boundaries within a physical network. Segmentation limits how far an attacker can move once inside the network.
VPNs (Virtual Private Networks) encrypt network traffic over untrusted networks, allowing remote users or branch offices to access internal resources as if they were directly connected. Intrusion Detection Systems (IDS) monitor network traffic for signs of attack and generate alerts. Intrusion Prevention Systems (IPS) monitor and actively block detected attacks. The CC exam tests the IDS/IPS distinction: detection generates alerts, prevention takes action.
Physical security, encryption basics, and secure protocols
Physical security controls protect the hardware. Preventive controls stop unauthorized physical access: locks, key cards, security guards, mantraps (a small room with two doors where a person must be authenticated before the inner door opens). Detective controls identify when physical access has occurred: security cameras (CCTV), motion sensors, access logs. The principle of defense in depth applies physically: multiple barriers mean a single control failure does not compromise everything.
Encryption protects data confidentiality by transforming readable data into ciphertext. Symmetric encryption uses the same key to encrypt and decrypt (fast, used for bulk data). Asymmetric encryption uses a public key to encrypt and a private key to decrypt (slower, used for key exchange and digital signatures). HTTPS uses asymmetric encryption to exchange a symmetric session key, then encrypts the session traffic with that symmetric key. TLS (Transport Layer Security) is the protocol behind HTTPS.
Secure protocols replace insecure ones. HTTPS replaces HTTP (encrypted vs. unencrypted web traffic). SSH replaces Telnet (encrypted vs. unencrypted remote administration). SFTP replaces FTP (encrypted vs. unencrypted file transfer). The CC exam often presents pairs of secure and insecure protocols and asks which should be used to protect data in transit.
How to choose the correct answer
Firewall types: packet filtering (headers only), stateful (connection tracking), application layer (content inspection). Each catches what previous levels miss.
DMZ: publicly accessible servers between internet and internal network. Limits exposure of internal resources.
IDS: detects and alerts. IPS: detects and blocks. Both monitor traffic; IPS takes action.
VPN: encrypted tunnel over untrusted network. Used for remote access and site-to-site connections.
Mantrap (access control vestibule): two-door entry that prevents tailgating by requiring authentication before inner door opens.
Symmetric: same key for encrypt/decrypt (fast). Asymmetric: public/private key pair (slower, key exchange, signatures).
HTTPS = HTTP + TLS. SSH = encrypted Telnet. SFTP = encrypted FTP. Always use the encrypted version.